H3C SR6602-I[IE] AI-Powered ICT Converged Gateways Web Configuration Guide (V9)-R9141-6W101


Contents

How to use this guide?
Product introduction
Major features
Device login
Prerequisites
Management PC requirements
Set up a network connection
Disable the proxy server
Log in to the Web interface of the device
System information
About this feature
View system information
CPU usage and memory usage
Endpoints
Interface rate
System logs
Device information
Interface status
Flash usage
Quick access
Technology support
Fast configuration
About this feature
Configure WAN settings
Configure LAN settings
Configure license installation
Configure wireless AC settings
Network
WAN settings
About this feature
Scene
Configure WAN settings
Edit Multi-WAN Policy
Last hop holding
LAN settings
About this feature
Configure LAN interface settings
Configure VLANs
Configure static DHCP
View allocated DHCP bindings
Port management
NAT settings
About this feature
Configure port mapping
Configure one-to-one mappings
Configure NAT hairpin
Configure NAT ALG
Network behaviors
User groups
Time range groups
Bandwidth management
About this task
Configure bandwidth limits
Configure bandwidth guarantee
Network behaviors
About this feature
Configure global control
Configure a network behavior management policy
Signature library management
About this task
Restrictions and guidelines
Procedure
Parameters
Traffic ranking
About this feature
Configure global control
Configure user traffic ranking
Configure application traffic ranking
Network security
Firewall
Attack defense
About this feature
Attack defense
Attack defense statistics
Blacklist management
Connection limit
About this feature
Network connection limits
VLAN-based connection limits
MAC address filter
About this feature
MAC filter settings
MAC blacklist and whitelist management
ARP attack protection
About this feature
Dynamic ARP learning
Dynamic ARP management
Authentication
Portal authentication
Configure authentication settings
Manage authentication-free MAC addresses
Manage authentication-free IP addresses
PPPoE server
User management
Manage user settings
View online users
Virtual network
IPsec VPN
Manage IPsec policies
Monitor information
L2TP server
L2TP configuration
Tunnel information
L2TP client
L2TP configuration
Tunnel information
Advanced settings
Application services
About this feature
Configure DDNS
Static routing
Policy-based routing
SNMP
About SNMP
Configure SNMPv1 and SNMPv2c
Configure SNMPv3
System tool
Basic settings
About this feature
Restrictions and guidelines
Device Info
Date/Time
Diagnostics
Tracert
Ping
Diagnostics
Port mirroring
Packet capture
Admin accounts
Remote management
Ping
Telnet
SSH
HTTP/HTTPS
Cloud service
Configuration management
View the current configuration
Restore the factory configuration
Restore the device from a backup
Upgrade
File management
License management
License configuration
Obtain the DID
License and features
Compress
Reboot
Reboot Now
Scheduled Reboot
System logs
Wireless AC

 


How to use this guide?

Find what you want to do in the list below and see the chapter named at the end of the item:

·     To get to know the product's general appearance, functionality, or role in real networks, see Product introduction.

·     To manage devices by setting up a Web environment, monitor the running status of the device, or use the setup wizard for a basic feature, see Device login and System information.

·     To quickly configure WAN and LAN port settings from the Web page of the device, see Fast configuration.

·     To configure features related to WAN or LAN ports from the Web page of the device, or to configure advanced features such as port mapping and one-to-one NAT mapping, see Network.

·     To configure bandwidth management and network behavior management features from the Web page of the device, see Network behaviors.

·     To configure device and network security settings from the Web page of the device, such as firewall, connection limit, MAC address filter, and ARP attack prevention, see Network security.

·     To configure portal authentication settings from the Web page of the device, see Authentication.

·     To configure IPsec VPN or L2TP VPN settings from the Web page of the device, see Virtual network.

·     To configure static DNS, dynamic DNS, or static routing from the Web page of the device, see Advanced settings.

·     To perform device maintenance operations from the Web page of the device, such as software upgrade or remote management, see System tool.

·     To configure wireless AC settings from the Web page of the device, see Wireless AC.

 

 


Product introduction

About the product

The H3C SR router series is a collection of ICT converged gateways independently developed by H3C. Shipped with Comware 9, an advanced network operating system, H3C SR routers have amazing performance in both computing and storage. With a brand new hardware platform and an open and programmable design philosophy, this router series empowers various industries such as carrier, government, power, finance, education, and enterprise.

Table 1 Router list

Product: SR6602-I/SR6602-IE

Description:

·     Provides 12 GE copper ports and 20 10-GE fiber ports.

·     Supports one FIP expansion slot and various types of interface subcards.

 

Major features

The device provides various software features, such as load balancing with multiple WAN ports, network behavior management, IPsec, and L2TP VPN. On the Web page of the device, you can quickly configure the desired features.

·     Multi-WAN load balancing

Support for multiple WAN ports allows bandwidth-based load balancing and line backup, satisfying the need to use access services from different carriers. Users can distribute network traffic across lines based on their real bandwidth, making full use of bandwidth resources. The failure of a carrier line does not affect network stability, because the other lines can still function normally.

·     Enterprise-level VPN

Support for IPsec VPN and L2TP VPN enables enterprises to set up virtual private networks over the Internet.

·     Network behavior management

Supports identifying and controlling traffic of common Internet applications such as gaming applications and shopping applications.

·     High-performance firewall

The built-in firewall can protect the network against various professional external attacks, such as DDoS attacks.

·     Network traffic rate limiting

The IP-based traffic control feature can effectively control the upstream and downstream traffic of specific users, preventing excessive bandwidth usage by P2P software.

·     Traffic filtering with security policies

By configuring source-, destination-, or port-based traffic filtering policies for firewalls, you can enable the device to permit or deny traffic from specific applications.


Device login

IMPORTANT:

·     This chapter only describes how to log in to the Web interface of the device for the first time.

·     As a best practice, use Chrome 57 or later, or Firefox 124 or later, to access the Web interface of the device.

 

Prerequisites

After you complete hardware installation, make sure the management PC and network meet basic requirements for logging in to the Web interface of the device. For more information about hardware installation, see the installation guide for your model.

Management PC requirements

Make sure the management PC is installed with an Ethernet adapter.

Set up a network connection

Specify an IP address for the management PC

You can use one of the following methods to specify an IP address for the management PC:

·     Automatically obtain the IP address (recommended): Select Obtain an IP address automatically and Obtain DNS server address automatically. These are the default settings on the PC, and they allow the device to assign an IP address to the management PC automatically.

·     Specify a static IP address: Specify the IP address of the PC on the same network segment as the IP address of the LAN interface on the device. The default IP address of the LAN interface is 192.168.0.1 with mask 255.255.254.0.

In this example, the management PC is installed with Windows 7.

To specify an IP address for the management PC:

1.     Click the network icon in the lower right corner of the desktop (in the task bar), and then click Open Network and Sharing Center.

2.     Click Local Area Connection, and then click Properties.

3.     Double click Internet Protocol Version 4 (TCP/IPv4).

4.     Configure an IP address for the PC:

a.     Configure the PC to automatically obtain an IP address and DNS server address, or specify an IP address for the PC. Make sure the specified IP address is on the same network segment as the default IP address of the device.

b.     Click OK.

c.     Click OK in the Local Area Connection Properties dialog box.

 

Verify network connectivity between the management PC and the router

1.     Click the Start button in the bottom left corner of your screen, and select Run in the Start menu.

2.     In the Run dialog box that opens, enter ping 192.168.0.1 and click OK. This example uses the default IP address of the device.

3.     If the dialog box that opens displays a response from the device, the network is connected. If no response is displayed, check your network connection.

 

Disable the proxy server

If the current management PC uses a proxy server to access the Internet, disable the proxy service as follows:

1.     Launch Internet Explorer, and select Tools > Internet Options from the main menu. The Internet Options window opens.

2.     Click the Connections tab, and then click LAN settings. Verify that Use a proxy server for your LAN (These settings will not apply to dial-up or VPN connections) is not selected, and then click OK.

 

Log in to the Web interface of the device

1.     Launch the Web browser on the PC, enter http://192.168.0.1 in the address bar, and press Enter.

The Web login page opens.

2.     Enter the username and password, both of which are admin (case-sensitive) by default, and then click Login or Enter.

 

 

NOTE:

For security purposes, change the default password at first login as prompted and save the new password.

 


 

System information

About this feature

System information allows you to obtain device operation information, use the wizard to configure basic settings, and obtain technology support.

View system information

CPU usage and memory usage

Webpage: System Information > System Information

 

View CPU usage and memory usage

 

Parameters

Parameter

Description

CPU Usage

CPU usage information on the device. To view the current and average CPU usage, click the CPU Usage area.

Memory Usage

Memory usage information on the device. To view the current and average memory usage, click the Memory Usage area.

 

Endpoints

Webpage: System Information > System Information

 

View information about the endpoints that access the device.

 

Parameters

Parameter

Description

Endpoints

To view information about the endpoints that access the device in the LAN, click the Endpoints area. The endpoints include the following:

·     DHCP endpoints.

·     Static IP endpoints.

·     PPPoE endpoints.

·     Portal endpoints.

Top 5 Endpoints by Traffic Rate

Top 5 endpoints by traffic rate. To view traffic ranking of all endpoints that access the device, click View more.

Endpoint IP Address

IP address of the endpoint that accesses the device.

Username

Endpoint access username.

Access Method

Endpoint access method, including:

·     Static IP: The endpoint uses a fixed IP address to access the network.

·     DHCP: The endpoint uses an IP address assigned by the device to access the network.

·     Portal: The endpoint accesses the network through portal authentication.

Interface

Interface on the device used by the endpoint to access the network.

Endpoint MAC Address

MAC address of the endpoint that accesses the device.

Uplink Rate(Kbps)

Uplink traffic rate of the endpoint.

Downlink Rate(Kbps)

Downlink traffic rate of the endpoint.

Online Duration

Endpoint network access duration.

Traffic Details

Details of traffic usage on the endpoint.

 

Interface rate

Perform this task to view interface rate information, including uplink traffic, current uplink rate, downlink traffic, current downlink rate, WAN interface status, and network access parameters. You can also reconnect or disconnect an interface, or refresh interface information.

Procedure

Webpage: System Information > System Information

 

To view interface rate information, click the Interface rate area.

 

System logs

Perform this task to view system log information of the device, including:

·     Log information of the device.

·     Log statistics.

Procedure

Webpage: System Information > System Information

 

To view system log information, click the System Logs area.

 

Device information

Perform this task to view device information, including system time and device model.

Procedure

Webpage: System Information > System Information

 

In the System Time area, you can view the system time and up time of the device. In the Device Model area, you can view the device model, serial number, Boot ROM version, hardware version, and software version.

 

Parameters

Parameter

Description

System Time

System time of the device.

Uptime

Device uptime.

Device Model

Model of the device.

Serial Number

Serial number of the device.

Boot ROM Version

Boot ROM version of the device. To view this field, click View more in the device information area.

Hardware Version

Hardware version of the device. To view this field, click View more in the device information area.

Software Version

Software version of the device.

 

Interface status

Perform this task to view WAN interface status and LAN interface status.

Procedure

Webpage: System Information > System Information

 

To view information about a WAN interface or LAN interface, click the interface icon in the Interface Status area to access the WAN Settings page or LAN Settings page.

·     WAN Settings page:

 

·     LAN Settings page:

 

 

Parameters

Parameter

Description

Interface Status

WAN interface status and LAN interface status. To view information about a WAN interface or LAN interface, click the interface icon in the Interface Status area to access the WAN Settings page or LAN Settings page, respectively.

 

Flash usage

Perform this task to view the storage space usage of the flash memory.

Procedure

Webpage: System Information > System Information

 

The Flash Usage area displays the space usage of the flash memory.

 

Parameters

Parameter

Description

Flash Usage

Flash usage information on the device. In the lower right corner of the page, you can view the space usage of the flash.

 

Quick access

Perform this task to quickly configure network settings.

Webpage: System Information > Quick Access

 

On this page, you can click links as needed to configure the corresponding features.

 

Parameters

Parameter

Description

Network Configuration

You can click the following links to configure network access settings:

·     Connect to the Internet—Click the Connect to the Internet link to go to the WAN Settings page.

·     LAN Settings—Click the LAN Settings link to go to the LAN Settings page.

·     NAT Settings—Click the NAT Settings link to go to the NAT Settings page.

Network Behavior Management

You can click the following links to manage network behaviors:

·     Global Control—Click the Global Control link to go to the Network Behaviors > Global Control page.

·     Network Behavior Management Policies—Click the Network Behavior Management Policies link to go to the Network Behaviors > Network behavior management policy page.

·     Bandwidth Limit—Click the Bandwidth Limit link to go to the Bandwidth Management > Bandwidth limits page.

·     Connection Limit—Click the Connection Limit link to go to the Connection Limit > Connection Limits page.

·     Traffic Statistics Ranking—Click the Traffic Statistics Ranking link to go to the Traffic Ranking > Global control page.

Access Security

You can click the following links to configure the settings about user access security:

·     User Management—Click the User Management link to go to the User Management > User Settings page.

·     VPN Settings—Click the VPN Settings link to go to the IPsec VPN > IPsec policy page.

·     Wechat/Portal Authentication—Click the Wechat/Portal Authentication link to go to the Portal Authentication > Authentication Settings page.

·     MAC Address Filtering—Click the MAC Address Filtering link to go to the MAC Address Filter > MAC Filter Setting page.

·     Firewall—Click the Firewall link to go to the Firewall page.

·     ARP Attack Protection—Click the ARP Attack Protection link to go to the ARP Attack Protect > The Management of Arp Learning page.

System maintenance

You can click the following links to configure device maintenance functions:

·     Configuration Management—Click the Configuration Management link to go to the View Config page.

·     Reboot—Click the Reboot link to go to the Reboot Now page.

·     System Upgrade—Click the System Upgrade link to go to the Software Upgrade page.

·     Remote Management(Web,Telnet)—Click the Remote Management(Web,Telnet) link to go to the Remote Login > Ping page.

·     User FAQ—Click the User FAQ link to go to the User FAQ page.

·     Network Diagnostics—Click the Network Diagnostics link to go to the Diagnostics > Tracert page.

 

Technology support

If you experience an issue in using the product, please contact us in any of the following ways:

·     Hotline

·     Email

·     Website

·     WeChat

Figure 1 Technology support

 


Fast configuration

About this feature

Through fast configuration, you can fast complete basic WAN and LAN settings. Then, users in LANs can access the external network.

Configure WAN settings

About this task

The device supports the following WAN access scenarios:

·     Single-WAN—If the user leases only one service provider network, select the single-WAN scenario.

·     Dual-WAN—If the user leases two service provider networks, select the dual-WAN scenario.

The configuration procedure is the same for both scenarios.

The device supports three link modes for accessing the WAN: PPP over Ethernet (PPPoE), Dynamic Host Configuration Protocol (DHCP), and fixed IP.

Table 2 Link modes

Link mode: PPPoE

Description: PPPoE is a protocol for establishing point-to-point connections over Ethernet. It is typically used for authentication and dial-up connections in broadband access environments. When accessing a WAN through PPPoE, a user must provide the specific account and password information. Then, the router uses this information to establish a dial-up connection for the user to access the Internet.

Application scenarios: PPPoE is suitable for home broadband access. It is applicable to households and small businesses that require dial-up connections. Users can connect their home LANs to the Internet through broadband modems such as Asymmetric Digital Subscriber Line (ADSL) modems.

Link mode: DHCP

Description: DHCP is a network connection mode that dynamically allocates IP addresses. When a device connects to the network, it sends requests to the DHCP server. The server then dynamically allocates network parameters such as IP address, subnet mask, gateway, and DNS server, which allow the device to quickly connect to the network and obtain the necessary IP configuration.

Application scenarios: DHCP is suitable for large LANs or enterprise networks. DHCP automatically allocates IP addresses through the DHCP server in the network. DHCP facilitates IP address allocation for numerous devices and reduces the workload of manual IP configuration.

Link mode: Static IP

Description: In this mode, you must manually configure a static IP address, subnet mask, gateway, DNS server, and other network parameters on a device. These settings do not change with the connection status of the device.

Application scenarios: In this mode, you must manually configure a fixed IP address for a network device, ensuring that the device always uses the same IP address. This mode is typically suitable for network devices that require stable, long-term IP address allocations and do not need frequent changes.

 

Procedure

Webpage: Fast Configuration > Scenario Selection

 

Select a scenario.

Access the WAN in the PPPoE mode.

Access the WAN in the DHCP mode.

Access the WAN in the static IP mode.

 

Parameters

Parameter

Description

Scenario Selection

Select the scenario for the device to access the WAN. When configuring this parameter, select a scenario as needed.

·     If you lease only one service provider network, select Single WAN.

·     If you lease two service provider networks, select Dual WANs.

The configuration procedure is the same for both scenarios.

Line1 or Line2

Select the physical interface WANx for accessing the WAN.

Link mode

Link mode used to access the WAN. Options include:

·     PPPoE—The interface accesses the WAN through broadband dialup.

·     DHCP—The interface automatically obtains an IP address from the DHCP server to access the WAN.

·     Static IP—The interface uses a fixed IP address provided by a service provider to access the WAN.

User name

Username for authentication. This parameter is provided by a service provider. You can configure this parameter when the link mode is PPPoE.

Password

Password for authentication. This parameter is provided by a service provider. You can configure this parameter when the link mode is PPPoE.

IP address

When the link mode is static IP, you can enter only a class A, B, or C IP address. This parameter is required when the link mode is static IP.

IP mask

Mask or mask length for the IP address, for example, 255.255.255.0. This parameter is required when the link mode is static IP.

Gateway Address

Gateway address used to access the WAN. You can enter only a class A, B, or C IP address. This parameter is required when the link mode is static IP.

DNS1 and DNS2

DNS server addresses for accessing the WAN. DNS server DNS1 is preferentially used. If DNS server DNS1 fails to resolve a domain name, DNS server DNS2 is used.

NAT

Specify whether to enable NAT. With NAT enabled, multiple devices on the LAN share one public IP.

 

Configure LAN settings

About this task

After WAN settings are completed, click Next to access the LAN settings page.

Procedure

Webpage: Fast Configuration > WAN Config > LAN Config

 

On the LAN settings page, configure the local IP address, IP mask, and other parameters as needed.

 

Parameters

Parameter

Description

Local IP Address

IP address used by the device in the LAN.

IP Mask

Mask or mask length for the IP address, for example, 255.255.255.0.

DHCP Server

Specify whether to enable the DHCP server. With the DHCP server enabled, the device acts as the DHCP server and allocates IP addresses to hosts in the LAN.

IP Distribution Range

Start IP address and end IP address of the IP addresses to be allocated.

Gateway Address

Gateway address that the device allocates to hosts in the LAN.

DNS

DNS server IP address that the device allocates to clients.

 

Configure license installation

Procedure

Webpage: Fast Configuration > WAN Config > LAN Config > Install Licenses.

 

1.     View the installed licenses.

2.     Install a license online.

3.     Configure later or complete the configuration.

If you do not want to install licenses or update the signature library now, click Configure Later to skip this step and go to the next Web page.

If you have completed license setup, click Finish to proceed to the next Web page.

 

Parameters

Parameter

Description

Test

Test whether the license management platform specified by the domain name can provide online automatic license installation.

·     If the LED is gray, it indicates that the platform is being tested.

·     If the LED is red, it indicates that the platform cannot provide online automatic license installation.

·     If the LED is green, it indicates that the platform can provide online automatic license installation.

 

Configure wireless AC settings

Procedure

Webpage: Fast Configuration > WAN Config > LAN Config > Install Licenses > Configure Wireless AC Settings.

 

Configure wireless AC settings. Specify the radio band management mode, SSID name, forwarding mode, authentication mode, and other parameters.

 

Parameters

Parameter

Description

Radio band management mode for wireless services

Select the band management mode. Options include Merge and Separate.

To use the same SSID for the 2.4GHz and 5GHz bands, select Merge. To use different SSIDs for the 2.4GHz and 5GHz bands, select Separate.

SSID-1 name

Specify the SSID name that can be detected by wireless clients through scanning. If you select the Merge mode, you can specify only one SSID. If you select the Separate mode, specify the 2.4G SSID and the 5G SSID.

An SSID name is a case-sensitive string of 1 to 31 characters. Only Chinese characters, letters, digits, spaces, and special characters ~!@#$%^&*()_+-={}|[]:;<>,./ are supported. One Chinese character is three characters long.

Forwarding mode

Select the forwarding mode:

·     Centralized forwarding—APs pass client data traffic through to the AC, and the AC forwards it.

·     Local forwarding—APs forward client data traffic directly.

Authentication mode

Select the authentication mode:

·     None—Allows users to access the wireless network directly without entering any password. In this mode, authentication parameters are not required.

·     Static PSK authentication—Requires users to enter the correct password to access the wireless network.

Security mode

Select the security mode. Options include WPA, WPA2, WPA or WPA2, and WPA3-SAE, listed in ascending order of security.

Cipher suite

Select the cipher suite based on the selected security mode:

·     In WPA security mode, the default cipher suite is TKIP. You can change it to CCMP, or to TKIP or CCMP, as needed.

·     In WPA2 security mode, the default cipher suite is CCMP. You can change it to TKIP, or to TKIP or CCMP, as needed.

·     In WPA or WPA2 security mode, the default cipher suite is TKIP or CCMP. You can change it to TKIP or to CCMP as needed.

·     In WPA3-SAE mode, the default cipher suite is GCMP. You cannot change the default cipher suite. Select the WPA3-SAE mode:

¡     In mandatory mode, WPA3-incapable clients cannot access the wireless network.

¡     In optional mode, both WPA3-capable and WPA3-incapable clients can access the wireless network.

PSK

Passphrase indicates entering a password in string format. Rawkey indicates entering a password in hexadecimal format.
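The following Python is an added example, not part of the H3C guide or its software: it reviews a set of wireless AC values offline against the SSID rules and the security mode, cipher suite and WPA3-SAE mode options described above, and flags the weaker choices a reviewer would want to see. The WlanConfig field names are assumptions, and the PSK format rule (8 to 63 printable ASCII characters, or 64 hexadecimal digits for a raw key) comes from the standard WPA/WPA2 PSK format, not from this page.

```python
"""Offline review of wireless AC settings (added example, not H3C code)."""
from dataclasses import dataclass
from typing import List, Optional

# Special characters the guide lists as permitted in an SSID (space included).
SSID_SPECIALS = set("~!@#$%^&*()_+-={}|[]:;<>,./ ")

# Cipher suites selectable per security mode, and the default for each, as listed above.
CIPHERS = {
    "WPA":         ({"TKIP", "CCMP", "TKIP or CCMP"}, "TKIP"),
    "WPA2":        ({"CCMP", "TKIP", "TKIP or CCMP"}, "CCMP"),
    "WPA or WPA2": ({"TKIP or CCMP", "TKIP", "CCMP"}, "TKIP or CCMP"),
    "WPA3-SAE":    ({"GCMP"}, "GCMP"),
}


def is_cjk(ch: str) -> bool:
    # Assumption: "Chinese character" means a CJK Unified Ideograph.
    return "\u4e00" <= ch <= "\u9fff"


def ssid_length(ssid: str) -> int:
    """Length as the guide counts it: one Chinese character is three characters long."""
    return sum(3 if is_cjk(ch) else 1 for ch in ssid)


def validate_ssid(ssid: str) -> List[str]:
    """Return the SSID rule violations (empty list if the SSID is acceptable)."""
    problems = []
    n = ssid_length(ssid)
    if not 1 <= n <= 31:
        problems.append(f"SSID length {n} is outside 1-31")
    bad = sorted({ch for ch in ssid
                  if not (is_cjk(ch) or ch in SSID_SPECIALS or (ch.isascii() and ch.isalnum()))})
    if bad:
        problems.append("SSID contains unsupported characters: " + "".join(bad))
    return problems


@dataclass
class WlanConfig:                       # field names are assumptions, not the device's own
    ssid: str
    auth_mode: str                      # "None" or "Static PSK"
    security_mode: str = "WPA2"
    cipher: Optional[str] = None        # None means the guide's default for security_mode
    wpa3_mode: str = "mandatory"        # "mandatory" or "optional"; WPA3-SAE only
    psk_format: str = "passphrase"      # "passphrase" or "rawkey"
    psk: str = ""


def review(cfg: WlanConfig) -> List[str]:
    """Return findings, most severe first where it matters; empty list means nothing to flag."""
    findings = validate_ssid(cfg.ssid)
    if cfg.auth_mode == "None":
        findings.append("HIGH: open network, anyone in radio range can join")
        return findings                 # the guide requires no further parameters here
    if cfg.security_mode not in CIPHERS:
        findings.append(f"unknown security mode {cfg.security_mode!r}")
        return findings
    allowed, default = CIPHERS[cfg.security_mode]
    cipher = cfg.cipher or default
    if cipher not in allowed:
        findings.append(f"cipher {cipher!r} is not selectable in {cfg.security_mode} mode")
    if cfg.security_mode in ("WPA", "WPA or WPA2"):
        findings.append("MEDIUM: WPA (first generation) is still accepted; prefer WPA2 or WPA3-SAE")
    if "TKIP" in cipher:
        findings.append("MEDIUM: TKIP is accepted; prefer CCMP (or GCMP with WPA3-SAE)")
    if cfg.security_mode == "WPA3-SAE" and cfg.wpa3_mode == "optional":
        findings.append("LOW: WPA3-SAE optional mode also admits WPA3-incapable clients")
    if cfg.security_mode != "WPA3-SAE":
        # Standard WPA/WPA2 PSK format (assumed, the guide states no length rule).
        if cfg.psk_format == "rawkey":
            if len(cfg.psk) != 64 or any(c not in "0123456789abcdefABCDEF" for c in cfg.psk):
                findings.append("rawkey must be 64 hexadecimal digits")
        elif not (8 <= len(cfg.psk) <= 63 and cfg.psk.isascii() and cfg.psk.isprintable()):
            findings.append("passphrase must be 8-63 printable ASCII characters")
    return findings


if __name__ == "__main__":
    # Constructed sample: a mixed-mode guest network with the guide's default cipher suite.
    guest = WlanConfig(ssid="Guest", auth_mode="Static PSK", security_mode="WPA or WPA2", psk="12345678")
    for line in review(guest):
        print(line)
```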

 

Network

WAN settings

About this feature

A wide area network (WAN) provides telecommunication services over a large geographical area. The Internet is a huge WAN.

Typically, a device provides multiple WAN interfaces for WAN access.

Scene

About this task

Table 3 Access scenarios

Access scenario: Single-WAN Scenario

Description: The device connects to the WAN by using a single WAN interface.

Application scenarios: Select this scenario if your network service is provided by only one service provider.

Access scenario: Multi-WAN Scenario

Description: The device connects to the WAN by using multiple WAN interfaces.

Application scenarios: Select this scenario if your network service is provided by two service providers.

 

Procedure

Webpage: Network > WAN Settings > Scenario

 

To configure the single-WAN scenario or multi-WAN scenario for the device:

1.     Select the Single-WAN Scenario or Multi-WAN Scenario as needed.

2.     Select interfaces for accessing the WAN.

3.     Click Apply.

 

Parameters

Parameter

Description

Scenario

Select the single-WAN scenario or multi-WAN scenario as needed.

Single-WAN Scenario

The device uses a single WAN interface to access the WAN. In the single-WAN scenario, select the interface for accessing the WAN from the Line1 list.

Multi-WAN Scenario

The device uses multiple WAN interfaces to access the WAN. In the multi-WAN scenario, select the interfaces for accessing the WAN from the Line1, Line2, Line3, and Line4 lists.

 

Configure WAN settings

About this task

The device supports accessing the WAN through physical interfaces.

The device supports three modes for accessing the WAN: PPPoE, DHCP, and fixed IP.

Table 4 WAN connection modes

Connection mode: PPPoE

Description: PPPoE is a protocol for establishing point-to-point connections over Ethernet. It is typically used for authentication and dial-up connections in broadband access environments. When accessing a WAN through PPPoE, a user must provide the specific account and password information. Then, the router uses this information to establish a dial-up connection for the user to access the Internet.

Application scenarios: PPPoE is suitable for home broadband access. It is applicable to households and small businesses that require dial-up connections. Users can connect their home LANs to the Internet through broadband modems such as Asymmetric Digital Subscriber Line (ADSL) modems.

Connection mode: DHCP

Description: DHCP is a network connection mode that dynamically allocates IP addresses. When a device connects to the network, it sends requests to the DHCP server. The server then dynamically allocates network parameters such as IP address, subnet mask, gateway, and DNS server, which allow the device to quickly connect to the network and obtain the necessary IP configuration.

Application scenarios: DHCP is suitable for large LANs or enterprise networks. DHCP automatically allocates IP addresses through the DHCP server in the network. DHCP facilitates IP address allocation for numerous devices and reduces the workload of manual IP configuration.

Connection mode: Fixed IP

Description: In this mode, you must manually configure a static IP address, subnet mask, gateway, DNS server, and other network parameters on a device. These settings do not change with the connection status of the device.

Application scenarios: In this mode, you must manually configure a fixed IP address for a network device, ensuring that the device always uses the same IP address. This mode is typically suitable for network devices that require stable, long-term IP address allocations and do not need frequent changes.

 

Procedure

Webpage: Network > WAN Settings > WAN Settings

 

Configure the WAN interface to access the WAN in the PPPoE mode.

Configure the WAN interface to access the WAN in the DHCP mode.

Configure the WAN interface to access the WAN in the fixed IP mode.

 

Parameters

Parameter

Description

Line

Sequence number of the line accessing the WAN.

WAN Interface

WAN interface for accessing the WAN.

Connection Mode

Connection mode used to access the WAN. Options include:

·     PPPoE—The interface accesses the WAN through broadband dialup.

·     DHCP—The interface automatically obtains an IP address from the DHCP server to access the WAN.

·     Fixed IP—The interface uses a fixed IP address provided by a service provider to access the WAN.

User ID

Username for authentication. This parameter is provided by a service provider. You can configure this parameter when the connection mode is PPPoE.

User Password

Password for authentication. This parameter is provided by a service provider. You can configure this parameter when the connection mode is PPPoE.

Online Mode

Only the Always Online option is supported in the current software version. When the connection mode is PPPoE, this option is selected by default and cannot be cleared.

IP Address

When the connection mode is fixed IP, you can enter only a class A, B, or C IP address. You must configure this parameter when the connection mode is fixed IP.

Subnet Mask

Mask or mask length for the IP address, for example, 255.255.255.0. You must configure this parameter when the connection mode is fixed IP.

Gateway

Gateway address used to access the WAN. You can enter only a class A, B, or C IP address. You must configure this parameter when the connection mode is fixed IP.

DNS1 and DNS2

DNS server addresses for accessing the WAN. DNS server DNS1 is preferentially used. If DNS server DNS1 fails to resolve a domain name, DNS server DNS2 is used.

NAT

Specify whether multiple devices on the LAN share one public IP. If you select On, perform one of the following tasks as needed:

·     If only one public IP exists, do not select Use Address Pool for Translation.

·     If multiple public IPs exist, select Use Address Pool for Translation, and select an existing NAT address pool. To add an address pool, click Add Address Pool on the right.

TCP MSS

Maximum segment size (MSS) of TCP packets for the interface.

MTU

Maximum transmission unit (MTU) for the interface.

Link Detection

This feature improves the link availability by detecting the link status to the specified IP address or domain name. Select one of the following options as needed:

·     To detect the link status, select Enable.

·     To disable link detection, select Disable.

Detection Address

IP address for link detection. When link detection is enabled, you must configure this parameter.

Detection Interval

Link detection interval. When link detection is enabled, you must configure this parameter.

MAC

MAC address for accessing the WAN.

Actions

Edit configuration.

 

Edit Multi-WAN Policy

About this task

You can configure settings on this page only in the multi-WAN scenario.

Table 5 Multi-WAN-interface load sharing policies

Average load sharing

·     Description: Each link shares the load equally.

·     Application scenarios: The WAN interfaces belong to the same service provider and each link has the same bandwidth.

Bandwidth proportion-based load sharing

·     Description: Each link shares the load proportionally.

·     Application scenarios: The WAN interfaces belong to the same service provider but each link has different bandwidth.

Service provider-based load sharing

·     Description: Each link shares the load equally.

·     Application scenarios: The WAN interfaces belong to different service providers, and each service provider provides the same link bandwidth.

Multilink advanced load sharing

·     Description: Each link shares the load proportionally.

·     Application scenarios: The WAN interfaces belong to different service providers, and each service provider provides links with different bandwidth.

Link backup

·     Description: Select one link as the main link and use the other links as backup links to ensure network stability.

·     Application scenarios: If you require high network stability, set up backup links.

 

Procedure

Webpage: Network > WAN Settings > Edit Multi-WAN Policy

 

When multiple WANs belong to the same service provider, perform the following tasks:

1.     Select Average load sharing or Bandwidth proportion-based load sharing.

2.     Click Apply.

When multiple WANs belong to different service providers, perform the following tasks:

1.     Select Service provider-based load sharing or Multilink advanced load sharing.

2.     Click Apply.

To configure link backup:

1.     Select the main link and the backup link.

2.     Click Apply.

 

Parameters

Parameter

Description

When multiple WANs belong to the same service provider, the following parameters are available:

·     Average load sharing

·     Bandwidth proportion-based load sharing

1.     When multiple WAN interfaces of the device access the same service provider line, you can select a load sharing mode as needed:

o     If all links have the same bandwidth, select Average load sharing.

o     If the links have different bandwidth values, select Bandwidth proportion-based load sharing, and allocate the link bandwidth ratios.

2.     Click Apply to make the configuration take effect.

When multiple WANs belong to different service providers, the following parameters are available:

·     Service provider-based load sharing

·     Multilink advanced load sharing

1.     When multiple WAN interfaces of the device access different service provider lines, you can select a load sharing mode as needed:

o     If all service providers provide the same bandwidth, select Service provider-based load sharing, and select the service provider and default link for each WAN interface.

o     If service providers provide different bandwidth values, select Multilink advanced load sharing, allocate the link bandwidth ratios, and select the service provider and default link for each WAN interface.

2.     Click Apply to make the configuration take effect.

Link backup

When you access the WAN through multiple WAN interfaces, select one link as the main link and use the other links as backup links to ensure network stability. To configure link backup, first select the Main link (please select the WAN interface for the main link) option and the corresponding Line n. Then, select the Backup link (please select the WAN interface for the backup link) option and the corresponding Line m. For link backup to work, n and m must be different lines.

If the selected main link has link detection enabled on the WAN Settings > WAN Settings page, the system will change the actual main link that takes effect according to the link detection result. If the selected main link does not have link detection enabled, the system will change the actual main link that takes effect according to the physical state of the corresponding interface.

Allocate Link Bandwidth Ratio

Set the default link bandwidth ratio for each link. When configuring this parameter, make sure the bandwidth ratio is not 0 for at least one link.

You must configure this parameter after you select bandwidth proportion-based load sharing or multilink advanced load sharing for the multi-WAN policy.

NOTE:

Enter an integer in the range of 0 to 100 for this parameter.
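The following added example (not device code) models the two decisions described above: sharing traffic across WAN links in proportion to their bandwidth ratios, and choosing the effective main link for link backup from the link detection result or the physical interface state. The per-flow hashing scheme, the class and function names, and the link names are assumptions made for illustration.

```python
import zlib
from dataclasses import dataclass
from typing import Dict, Optional


def validate_bandwidth_ratios(ratios: Dict[str, int]) -> None:
    """Allocate Link Bandwidth Ratio rule from the page: integers from 0 to
    100, and at least one link must have a ratio other than 0."""
    for link, ratio in ratios.items():
        if not isinstance(ratio, int) or not 0 <= ratio <= 100:
            raise ValueError(f"{link}: ratio must be an integer from 0 to 100")
    if all(ratio == 0 for ratio in ratios.values()):
        raise ValueError("at least one link needs a bandwidth ratio other than 0")


def pick_link(ratios: Dict[str, int], flow_key: str) -> str:
    """Proportional (or, with equal ratios, average) load sharing per flow.
    Hashing the flow key into a weighted bucket is an assumed scheme that keeps
    every packet of one flow on the same WAN link; links with ratio 0 never win."""
    validate_bandwidth_ratios(ratios)
    total = sum(ratios.values())
    bucket = zlib.crc32(flow_key.encode("ascii")) % total
    for link, ratio in ratios.items():
        if bucket < ratio:
            return link
        bucket -= ratio
    raise AssertionError("bucket is always below the ratio total")


def share_by_ratio(ratios: Dict[str, int], amount: int) -> Dict[str, int]:
    """Split a whole amount (flows, Mbit/s) across links in proportion to their
    ratios; largest-remainder rounding keeps the parts summing to amount."""
    validate_bandwidth_ratios(ratios)
    total = sum(ratios.values())
    exact = {link: amount * ratio / total for link, ratio in ratios.items()}
    shares = {link: int(value) for link, value in exact.items()}
    leftover = amount - sum(shares.values())
    by_remainder = sorted(exact, key=lambda link: exact[link] - shares[link], reverse=True)
    for link in by_remainder[:leftover]:
        shares[link] += 1
    return shares


@dataclass
class WanLink:
    name: str                               # Line on the WAN Settings page
    physically_up: bool = True              # physical state of the interface
    link_detection: bool = False            # Link Detection setting
    detection_ok: Optional[bool] = None     # latest probe result to Detection Address

    def usable(self) -> bool:
        # With link detection enabled the detection result decides; otherwise
        # the physical state of the interface does (as the page describes).
        if self.link_detection:
            return self.detection_ok is True
        return self.physically_up


def effective_main_link(main: WanLink, backup: WanLink) -> Optional[str]:
    """Link backup: traffic uses the configured main link while it is usable
    and fails over to the backup link otherwise. None means both are down."""
    if main.name == backup.name:
        raise ValueError("main link and backup link must be different lines")
    if main.usable():
        return main.name
    if backup.usable():
        return backup.name
    return None
```

Average load sharing is the special case of pick_link with equal ratios for every link; a link with a ratio of 0 stays configured but carries no flows, which is why the page requires at least one non-zero ratio.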

 

Last hop holding

Procedure

Webpage: Network > WAN Settings > Last Hop Holding

 

Configure last hop holding for the WAN interface.

 

Parameters

Parameter

Description

Enable last hop holding

Specify whether to enable last hop holding. With this feature enabled in the multi-WAN scenario, packets entering the LAN and the corresponding return packets leaving the LAN will be forwarded through the same WAN interface.

 

LAN settings

About this feature

Perform this task to configure a LAN interface for connecting to the internal network, enable DHCP, and assign the interface to VLANs.

DHCP is a LAN protocol mainly used for allocating IP addresses to hosts in a LAN. DHCP supports the following allocation mechanisms:

·     Dynamic allocation—Configure this feature on an interface. This feature dynamically assigns IP addresses to hosts. When the lease of an IP address expires or an IP address is explicitly rejected by a host, the IP address can be used by another host. This allocation mechanism applies if you want to assign an IP address to a host for a limited period of time.

·     Static allocation—Static IP addresses are bound to the MAC addresses of host NICs rather than to interfaces. A static IP address can be used permanently. This allocation mechanism applies if you want to assign an IP address to a host permanently.

Configure LAN interface settings

About this task

Perform this task to configure an IP address for the GE interface connecting to the internal network or create a VLAN and its VLAN interface.

Procedure

Webpage: Network > LAN Settings > LAN Settings

 

On this page, you can perform the following operations:

·     Display detailed information of the added LANs.

·     Add LANs.

·     Delete the existing LANs.

·     Edit the existing LANs.

To add a LAN:

1.     Click Add. In the Add LAN dialog box that opens, set the VLAN ID, IP address, subnet mask, and other parameters as needed.

2.     Click Apply.

To delete existing LANs:

1.     Select the LANs you want to delete.

2.     Click Delete. Then, click OK in the confirmation dialog box that opens.

To edit an existing LAN:

1.     Click the Edit icon in the Actions column for the LAN you want to edit. In the dialog box that opens, edit the relevant parameters as needed.

2.     Click Apply.

 

Parameters

Parameter

Description

Interface Name

Name of the VLAN interface.

VLAN ID

ID of the VLAN interface.

IP Address

IP address of the VLAN interface.

Subnet Mask

Subnet mask or mask length for the IP address, for example, 255.255.255.0.

TCP MSS

MSS of TCP packets for the VLAN interface.

MTU

MTU value allowed by this VLAN interface.

Enable DHCP

Specify whether to enable the DHCP server. If you enable this feature, the device will dynamically assign IP addresses to clients (such as computers) connected to the device. By default, the DHCP server is disabled.

Start Address of Pool

Start IP address of the DHCP server address pool.

End Address of Pool

End IP address of the DHCP server address pool, which cannot be lower than the start IP address of the pool.

Excluded Address

IP address that cannot be allocated to clients, for example, the gateway address.

Gateway Address

Gateway address for the address pool. If you do not configure a gateway address, clients might lose network connectivity.

DNS Server 1 and DNS Server 2

When the DHCP server assigns an IP address, it can also assign DNS server addresses, among which DNS server 1 is preferentially used for domain name resolution. If DNS server 1 fails to resolve a domain name, DNS server 2 is used.

Address Lease

Lease duration of the IP address that the DHCP server assigns to the client. After the lease duration expires, the DHCP server will reclaim the IP address, and the client must re-apply for an IP address from the router (clients typically re-apply automatically).

Actions

Edit or delete configuration.

 

Configure VLANs

About this task

Assign the LAN interfaces on the device to the specified VLAN, so that hosts in the same VLAN can communicate and hosts in different VLANs cannot directly communicate.

Restrictions and guidelines

·     When you configure a VLAN as the PVID for an interface on the detailed port configuration page, make sure the VLAN has already been created.

·     Plan the VLANs to which each LAN interface belongs on the device, and create the corresponding VLAN interface on the LAN configuration page.

·     The PVID identifies the default VLAN of a port. Untagged packets received on a port are considered as the packets from the port PVID.

Procedure

Webpage: Network > LAN Settings > VLAN Division

 

On this page, you can perform the following operations:

·     Display information about VLANs that a port permits.

·     Configure the VLANs that a port permits.

Configure the VLANs that a port permits.

 

Parameters

Parameter

Description

Port Name

LAN interface to be assigned to VLANs.

PVID

Default VLAN for this port.

Permitted VLANs

All VLANs permitted by the LAN interface.

Available VLANs

All VLANs created on the device. When configuring this parameter, select VLAN IDs from the available VLAN list, or click the available VLAN list option to select all VLANs. Then, click the right arrow button to add the port to the selected VLANs.

Selected VLANs

VLANs to which this interface has been assigned. When configuring this parameter, select VLAN IDs from the selected VLAN list, or click the selected VLAN list option to select all VLANs. Then, click the left arrow button to remove the port from the selected VLANs.

Actions

Edit configuration.
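As an added example (not device code), the following Python models the VLAN rules stated on this page: an untagged frame received on a port is treated as PVID traffic, a frame is accepted only when its VLAN is permitted on the port, and hosts in different VLANs cannot communicate directly. The treatment of the PVID as always accepted on its port, and the class and function names, are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class LanPort:
    name: str                                               # Port Name, e.g. LAN1
    pvid: int                                               # PVID (default VLAN)
    permitted_vlans: Set[int] = field(default_factory=set)  # Permitted VLANs

    def accepted_vlans(self) -> Set[int]:
        # Assumption of this example: the PVID is always accepted on the port
        # in addition to the explicitly permitted VLANs.
        return self.permitted_vlans | {self.pvid}


def validate_port(port: LanPort, created_vlans: Set[int]) -> None:
    """Guideline from the page: a VLAN used as PVID must already have been
    created; this example applies the same check to the permitted VLANs."""
    if port.pvid not in created_vlans:
        raise ValueError(f"{port.name}: PVID {port.pvid} has not been created")
    missing = port.permitted_vlans - created_vlans
    if missing:
        raise ValueError(f"{port.name}: VLANs {sorted(missing)} have not been created")


def classify_frame(port: LanPort, tag_vid: Optional[int]) -> Optional[int]:
    """VLAN a received frame is placed in, or None if the port drops it.
    tag_vid is None for an untagged frame, which is treated as PVID traffic."""
    vid = port.pvid if tag_vid is None else tag_vid
    return vid if vid in port.accepted_vlans() else None


def can_communicate(port_a: LanPort, tag_a: Optional[int],
                    port_b: LanPort, tag_b: Optional[int]) -> bool:
    """Hosts behind two ports can talk directly only if both frames land in
    the same VLAN; hosts in different VLANs are isolated at Layer 2."""
    vlan_a = classify_frame(port_a, tag_a)
    vlan_b = classify_frame(port_b, tag_b)
    return vlan_a is not None and vlan_a == vlan_b
```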

 

Configure static DHCP

About this task

To assign fixed IP addresses to some clients, configure static DHCP to bind client MAC addresses to IP addresses.

Make sure static client IP addresses are not contained in the WAN interface IP address range specified on the device.

Static DHCP takes effect only on an interface where DHCP is enabled. To use only static DHCP to allocate IP addresses on that interface, you must also delete the other DHCP settings on the interface.

Procedure

Webpage: Network > LAN Settings > Static DHCP

 

On this page, you can perform the following operations:

·     Display detailed information about the existing static DHCP bindings.

·     Add static DHCP bindings.

·     Delete static DHCP bindings.

·     Edit existing static DHCP bindings.

To add a static DHCP binding:

1.     Click Add. In the Add Static DHCP Binding dialog box that opens, configure the interface, client MAC address, client IP, and other parameters as needed.

2.     Click Apply.

To delete an existing static DHCP binding:

1.     Select the static DHCP bindings you want to delete.

2.     Click Delete. Then, click OK in the confirmation dialog box that opens.

To edit an existing static DHCP binding:

1.     Click the Edit icon in the Actions column for the static DHCP binding you want to edit. In the dialog box that opens, edit the relevant configuration items as needed.

2.     Click Apply.

 

Parameters

Item

Description

Serial Number

Number of a static DHCP policy.

Interface

VLAN interface created on the device. The policy binds the IP address and MAC address obtained from a specific interface.

Client MAC

MAC address of a client. The MAC address cannot be all-0s or all-Fs.

Client IP

IP address assigned to the client.

Subnet Mask

Subnet mask or mask length for the IP address, for example, 255.255.255.0.

Description

Description of the policy.

Actions

Edit or delete configuration.
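The following added example (not device code) pulls together the DHCP rules from the LAN Settings parameters and the Static DHCP guidelines above: the pool end address may not be lower than the start address, excluded addresses and the gateway are never handed out, a client MAC may not be all-0s or all-Fs, a static client IP must not fall inside a WAN interface range, and an address is reclaimed when its lease expires. All addresses, MAC addresses, and class names are constructed for illustration; lease time is tracked as plain seconds passed in by the caller.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set, Tuple

_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form; rejects the all-0s and all-Fs MACs
    that the Client MAC parameter does not allow."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac}")
    mac = mac.lower().replace("-", ":")
    if mac in ("00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff"):
        raise ValueError(f"MAC address {mac} cannot be bound")
    return mac


@dataclass
class DhcpPool:
    interface: str                  # VLAN interface address, e.g. "192.168.1.1/24"
    start: str                      # Start Address of Pool
    end: str                        # End Address of Pool
    gateway: str                    # Gateway Address handed to clients
    excluded: Set[str] = field(default_factory=set)   # Excluded Address entries
    lease_seconds: int = 86400      # Address Lease

    def validate(self) -> ipaddress.IPv4Network:
        net = ipaddress.ip_interface(self.interface).network
        start, end = ipaddress.ip_address(self.start), ipaddress.ip_address(self.end)
        if end < start:
            raise ValueError("pool end address is lower than the start address")
        if start not in net or end not in net:
            raise ValueError("pool range lies outside the interface subnet")
        if ipaddress.ip_address(self.gateway) not in net:
            raise ValueError("gateway is not inside the interface subnet")
        return net

    def candidates(self) -> Iterable[ipaddress.IPv4Address]:
        # Excluded addresses and the gateway (the page's own example of an
        # address to exclude) are skipped.
        blocked = {ipaddress.ip_address(x) for x in self.excluded}
        blocked.add(ipaddress.ip_address(self.gateway))
        for n in range(int(ipaddress.ip_address(self.start)), int(ipaddress.ip_address(self.end)) + 1):
            ip = ipaddress.ip_address(n)
            if ip not in blocked:
                yield ip


def validate_static_binding(mac: str, client_ip: str, wan_subnets: Iterable[str]) -> Tuple[str, ipaddress.IPv4Address]:
    """Static DHCP guideline: the bound IP must not lie in a WAN interface range."""
    mac = normalize_mac(mac)
    ip = ipaddress.ip_address(client_ip)
    for wan in wan_subnets:
        if ip in ipaddress.ip_network(wan, strict=False):
            raise ValueError(f"{client_ip} lies in WAN interface range {wan}")
    return mac, ip


class DhcpServer:
    def __init__(self, pool: DhcpPool, static_bindings: Dict[str, str], wan_subnets: Iterable[str] = ()) -> None:
        pool.validate()
        self.pool = pool
        self.static: Dict[str, ipaddress.IPv4Address] = {}
        for mac, ip in static_bindings.items():
            m, a = validate_static_binding(mac, ip, wan_subnets)
            self.static[m] = a
        # mac -> (address, lease expiry in seconds)
        self.leases: Dict[str, Tuple[ipaddress.IPv4Address, int]] = {}

    def reclaim_expired(self, now: int) -> None:
        # After the lease duration expires, the server takes the address back.
        for mac, (_, expires) in list(self.leases.items()):
            if expires <= now:
                del self.leases[mac]

    def allocate(self, mac: str, now: int = 0) -> str:
        mac = normalize_mac(mac)
        if mac in self.static:                      # static binding wins
            return str(self.static[mac])
        self.reclaim_expired(now)
        if mac in self.leases:                      # existing dynamic lease
            return str(self.leases[mac][0])
        in_use = {ip for ip, _ in self.leases.values()} | set(self.static.values())
        for ip in self.pool.candidates():
            if ip not in in_use:
                self.leases[mac] = (ip, now + self.pool.lease_seconds)
                return str(ip)
        raise RuntimeError("address pool exhausted")
```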

 

View allocated DHCP bindings

About this task

After static or dynamic DHCP is configured on interfaces, you can view the IP addresses allocated to DHCP clients.

Procedure

Webpage: Network > LAN Settings > Allocated DHCP Bindings

 

Display detailed information about the allocated DHCP bindings on the device.

 

Parameters

Parameter

Description

DHCP Server Interface

VLAN interface with DHCP enabled on the device.

DHCP Client IP

IP address of a client.

DHCP Client MAC

MAC address of a client.

Lease Expiration Time

Lease duration of the IP address that the DHCP server assigns to the client. After the lease duration expires, the DHCP server will reclaim the IP address, and the client must re-apply for an IP address from the router (clients typically re-apply automatically).

 

Port management

About this task

On the port management page, you can view the port type, duplex mode, speed, and MAC address of each physical port, set the physical status of a port, and modify the duplex mode and speed of a port.

Procedure

Webpage: Network > Port Management

 

On this page, you can perform the following operations:

·     Display detailed port information on the device.

·     Edit port settings.

To edit port settings:

1.     Click the Edit icon in the Actions column for the port you want to edit. In the dialog box that opens, edit the relevant configuration items as needed.

2.     Click Apply.

 

Parameters

Parameter

Description

Physical Interface

Physical interface of the device. For example, WAN1 or LAN1.

Port Type

Specify a port type. Options include:

·     WAN: Interface for accessing a WAN.

·     LAN: Interface for accessing a LAN.

Duplex Mode

Operating mode of the port. Options include:

·     Auto: Both the duplex mode and speed of the port are determined by autonegotiation between this port and the remote port.

·     Full Duplex: The port can receive data packets while sending data packets.

·     Half Duplex: The port can either send or receive packets at a time, but not both simultaneously.

Speed

Speed of the port. Options include Auto, 10Mbps, 100Mbps, and 1Gbps.

MAC Address

MAC address of the port.

Physical Status

Operating state of the port. Options include:

·     Up: The port is brought up.

·     Down: The port is shut down.

When the port type is LAN, you cannot edit this parameter, and the port is up by default.

Fiber/Copper Mode

Operating mode of the port. Options include:

·     Fiber Port: The port operates as a fiber port.

·     Copper Port: The port operates as a copper port.

Actions

Edit configuration.

 

NAT settings

About this feature

Network Address Translation (NAT) translates an IP address in the IP packet header to another IP address. It enables private hosts to access external networks and external hosts to access private network resources.

NAT supports the following address translation methods:

·     Port mapping—Allows multiple internal servers (for example, Web, mail, and FTP servers) to provide services for external hosts by using one public IP address and different port numbers. This method saves public IP address resources.

·     One-to-one mapping—Creates a fixed mapping between a private address and a public address. Use this method for fixed network access requirements. This method is preferred if you need to use a fixed public IP address to access an internal server.

NAT provides the following advanced features:

·     NAT hairpin—Allows internal users to access internal servers through NAT addresses. This feature is applicable if you want the gateway to control the internal user traffic destined for the internal server that provides services for external users through a public IP address.

·     NAT ALG—If an application layer service (for example, FTP or DNS) exists between the internal and external networks, enable NAT ALG for the application layer protocol. It makes sure the data connection of this protocol can be correctly established after address translation.

Configure port mapping

Procedure

Webpage: Network > NAT Settings > Port mapping

 

On this page, you can perform the following operations:

·     Display detailed information about the existing port mappings.

·     Add NAT port mappings.

·     Delete existing NAT port mappings.

·     Edit existing NAT port mappings.

To add a NAT port mapping:

1.     Click Add. In the Add NAT Port Mapping dialog box that opens, configure the protocol type, global IP address, global port number, and other parameters.

2.     Click Apply.

To delete existing NAT port mappings:

1.     Select the NAT port mappings to be deleted.

2.     Click Delete. In the dialog box that opens, click Yes.

To edit an existing NAT port mapping:

1.     Click the Edit icon in the Actions column for the target NAT port mapping. In the Edit NAT Port Mapping dialog box that opens, edit the settings as required.

2.     Click Apply.

 

Parameters

Parameter

Description

Interface

You can use the IP address of the selected WAN interface as the global IP address.

Protocol Type

Transport layer protocol used by the internal host. Options include:

·     TCP.

·     UDP.

·     TCP+UDP.

Global IP Address

Public IP address type. Options include:

·     Current IP Address—IP address of the selected WAN interface.

·     Other IP Addresses—Another public IP address of the device.

Global Port Number

Open ports for the public IP address. Options include:

·     FTP—Select this option when the internal host provides FTP services.

·     Telnet—Select this option when the internal host provides Telnet services.

·     User-Defined Ports—Select this option when the internal host provides services other than FTP and Telnet, and enter the port number range used by the services. Make sure the start port number is not larger than the end port number.

Local IP Address

IP address of the internal host that provides specific services.

Local Port Number

Open service ports on the internal host.

Actions

Edit or delete configuration.

 

Configure one-to-one mappings

About this task

If the device has only one public address, do not configure a one-to-one mapping by using the public address.

Procedure

Webpage: Network > NAT Settings > One-to-one mapping

 

On this page, you can perform the following operations:

·     Display detailed information about the existing one-to-one mappings.

·     Enable the one-to-one mapping feature.

·     Add one-to-one mappings.

·     Delete existing one-to-one mappings.

·     Edit existing one-to-one mappings.

To enable the one-to-one mapping feature, select Enable for the One-to-one Mappings field.

To add a one-to-one NAT mapping:

1.     Click Add. In the Add NAT One-to-One Mapping dialog box that opens, configure the local IP address, global IP address, and other parameters.

2.     Click Apply.

To delete existing one-to-one NAT mappings:

1.     Select the one-to-one mappings to be deleted.

2.     Click Delete. In the dialog box that opens, click Yes.

To edit an existing one-to-one NAT mapping:

1.     Click the Edit icon in the Actions column for the target one-to-one mapping. In the Edit NAT One-to-One Mapping dialog box that opens, edit the settings as required.

2.     Click Apply.

 

Parameters

Parameter

Description

Local IP Address

IP address of the internal host that provides specific services.

Global IP Address

Public IP address of the device.

Specify Permitted Destination IP Addresses

Destination IP address range that can be accessed by the internal host.

·     If you select this option and configure an address range, the device performs address translation on only packets with destination IP addresses within the address range.

·     If you do not select this option, the device performs address translation on all packets from the internal network to the external network.

Actions

Edit configuration.
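As an added example (not device code), the following Python models the translation decisions described in the Port mapping and One-to-one mapping sections: an inbound packet to the global IP and a port in the global range is forwarded to the internal server, an internal host with a one-to-one mapping is translated to its public address either for all destinations or only for the permitted destination range, and a one-to-one mapping may not consume the device's only public address. The contiguous local port range, the class and function names, and all addresses and ports are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

PROTOCOLS = {"TCP": {"TCP"}, "UDP": {"UDP"}, "TCP+UDP": {"TCP", "UDP"}}


@dataclass
class PortMapping:
    protocol: str                   # Protocol Type: TCP, UDP or TCP+UDP
    global_ip: str                  # Global IP Address (the WAN address)
    global_ports: Tuple[int, int]   # Global Port Number range (start, end)
    local_ip: str                   # Local IP Address of the internal server
    local_port: int                 # first Local Port Number (assumed contiguous range)

    def __post_init__(self) -> None:
        if self.protocol not in PROTOCOLS:
            raise ValueError(f"unknown protocol type {self.protocol}")
        start, end = self.global_ports
        # Page rule: the start port number must not be larger than the end.
        if not 1 <= start <= end <= 65535:
            raise ValueError(f"invalid global port range {start}-{end}")
        if not 1 <= self.local_port <= 65535 - (end - start):
            raise ValueError("local port range would run past 65535")

    def translate_inbound(self, proto: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Destination of a packet arriving from the WAN after translation, or
        None if this mapping does not match it."""
        start, end = self.global_ports
        if proto not in PROTOCOLS[self.protocol] or dst_ip != self.global_ip:
            return None
        if not start <= dst_port <= end:
            return None
        # Ports map in order: global start -> local_port, start+1 -> local_port+1, ...
        return self.local_ip, self.local_port + (dst_port - start)


@dataclass
class OneToOneMapping:
    local_ip: str
    global_ip: str
    # "Specify Permitted Destination IP Addresses": None means every packet
    # from the internal network to the external network is translated.
    permitted_destinations: Optional[List[Tuple[str, str]]] = None

    def translate_outbound(self, src_ip: str, dst_ip: str) -> Optional[str]:
        """Translated source address for an internal packet, or None when the
        mapping does not apply to it."""
        if src_ip != self.local_ip:
            return None
        if self.permitted_destinations is not None:
            dst = ipaddress.ip_address(dst_ip)
            in_range = any(ipaddress.ip_address(lo) <= dst <= ipaddress.ip_address(hi)
                           for lo, hi in self.permitted_destinations)
            if not in_range:
                return None
        return self.global_ip


def check_one_to_one_mappings(mappings: List[OneToOneMapping], public_addresses: Set[str]) -> None:
    """Page guidance: when the device has only one public address, do not
    configure a one-to-one mapping with it."""
    if len(public_addresses) == 1:
        for m in mappings:
            if m.global_ip in public_addresses:
                raise ValueError(f"{m.global_ip} is the only public address; "
                                 "do not use it for a one-to-one mapping")


def inbound_target(mappings: List[PortMapping], proto: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """First port mapping that matches an inbound packet, in configured order."""
    for m in mappings:
        hit = m.translate_inbound(proto, dst_ip, dst_port)
        if hit is not None:
            return hit
    return None
```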

 

Configure NAT hairpin

About this task

Before you configure NAT hairpin, perform one or more of the following tasks:

·     Configure a mapping between the internal server IP address and port and the public IP address and port on the Port mapping page.

·     Configure a mapping between the private user IP address and public IP address on the One-to-one mapping page.

Procedure

Webpage: Network > NAT Settings > Advanced Settings

 

To configure NAT hairpin:

1.     Select Enable NAT Hairpin.

2.     Click Apply.

 

Parameters

Parameter

Description

NAT Hairpin

Select whether to enable NAT hairpin, and then click Apply to have the configuration take effect. If you enable NAT hairpin, both internal and external users can access internal servers by using public IP addresses.

 

Configure NAT ALG

Procedure

Webpage: Network > NAT Settings > Advanced Settings

 

To configure NAT ALG:

1.     Enable NAT ALG for protocols as required.

2.     Click Apply.

 

Parameters

Parameter

Description

NAT ALG

To make sure data connections of certain application layer protocols can still be correctly established after address translation, enable NAT ALG for the protocols.

Options include:

·     Enable NAT ALG for DNS.

·     Enable NAT ALG for FTP.

·     Enable NAT ALG for H.323.

·     Enable NAT ALG for ICMP-Error Packets.

·     Enable NAT ALG for ILS.

·     Enable NAT ALG for MGCP.

·     Enable NAT ALG for NBT.

·     Enable NAT ALG for PPTP.

·     Enable NAT ALG for RTSP.

·     Enable NAT ALG for RSH.

·     Enable NAT ALG for SCCP.

·     Enable NAT ALG for SIP.

·     Enable NAT ALG for SQLNET.

·     Enable NAT ALG for TFTP.

·     Enable NAT ALG for XDMCP.

For the configuration to take effect, click Apply.

 

 


Network behaviors

User groups

About this task

A user group is a group of host names or IP addresses. A user group can contain multiple members, which can be host names, IP addresses, or IP address ranges. User groups can be used by some features (for example, bandwidth management) to identify packets.

Restrictions and guidelines

·     A user group can contain only IPv4 addresses.

·     The start address in an IP address range must be lower than the end address.

Procedure

Webpage: Network Behaviors > User Groups

 

On this page, you can perform the following operations:

·     Display user group details.

·     Add a user group.

·     Delete user groups.

·     Edit a user group.

To add a user group:

1.     Click Add. The Add User Group dialog box opens. Configure the name, description, IP address, and other parameters for the user group.

2.     Click OK.

To delete user groups:

1.     Select the user groups to be deleted.

2.     Click the Delete button. Then, click OK in the confirmation dialog box that opens.

To edit a user group:

1.     Click the edit icon in the Actions column for the user group to be edited. The Edit User Group dialog box opens. Edit related parameters.

2.     Click Apply.

 

Parameters

Parameter

Description

User Group Name

Name of the user group. The name can be used to indicate the characteristics of addresses in the user group. The name cannot be the word any (case insensitive).

User Group Content

IP addresses or hostnames added to the user group.

Description

Description of the user group.

Hostname

Enter a hostname to add the host to the user group.

IP Address

Enter an IP address to add it to the user group. After you enter an IP address, click the →→ icon on the right to submit it.

IP Address Range

Enter an IP address range to add it to the user group. After you enter a start address and an end address, click the →→ icon on the right to submit the IP address range.

Exclude IP Address

IP addresses to be excluded. After you enter an excluded IP address, click the →→ icon on the right to submit it.

Actions

You can edit, delete, and view the details of a user group.
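The following added example (not device code) implements the user group rules from this page as a membership check: IPv4 addresses only, range start lower than range end, the reserved name any rejected case insensitively, and excluded addresses removed from the group. The precedence of excluded addresses over other entries, the class and method names, and the sample addresses are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set, Tuple


def _ipv4(text: str) -> ipaddress.IPv4Address:
    # Restriction from the page: a user group can contain only IPv4 addresses.
    ip = ipaddress.ip_address(text)
    if ip.version != 4:
        raise ValueError(f"{text}: user groups can contain only IPv4 addresses")
    return ip


@dataclass
class UserGroup:
    name: str
    description: str = ""
    hostnames: Set[str] = field(default_factory=set)
    addresses: Set[ipaddress.IPv4Address] = field(default_factory=set)
    ranges: List[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = field(default_factory=list)
    excluded: Set[ipaddress.IPv4Address] = field(default_factory=set)

    def __post_init__(self) -> None:
        # The name "any" is reserved, case insensitively.
        if not self.name or self.name.lower() == "any":
            raise ValueError("invalid user group name")

    def add_hostname(self, hostname: str) -> None:
        self.hostnames.add(hostname.lower())

    def add_address(self, text: str) -> None:
        self.addresses.add(_ipv4(text))

    def add_range(self, start: str, end: str) -> None:
        # Restriction from the page: the start address must be lower than the end.
        lo, hi = _ipv4(start), _ipv4(end)
        if not lo < hi:
            raise ValueError(f"range start {start} must be lower than end {end}")
        self.ranges.append((lo, hi))

    def exclude(self, text: str) -> None:
        self.excluded.add(_ipv4(text))

    def contains_ip(self, text: str) -> bool:
        """Assumed precedence: an excluded address is never a member, even if
        it also falls inside a configured range."""
        ip = _ipv4(text)
        if ip in self.excluded:
            return False
        return ip in self.addresses or any(lo <= ip <= hi for lo, hi in self.ranges)

    def contains_host(self, hostname: str) -> bool:
        return hostname.lower() in self.hostnames
```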

 

Time range groups

About this task

If you want some features (for example, bandwidth management or network behavior management) to take effect only during a specified time period, you can create a time range group and reference it when configuring a feature.

A time range group can contain one or more time ranges. Time ranges have the following types:

·     Periodic—This type of time range begins and ends on a recurring basis. For example, 8:00 am to 12:00 am every Monday.

·     Absolute—This type of time range begins on a specific date and ends on a specific date. For example, 8:00 am on January 1, 2015 to 6:00 pm on January 3, 2015.

The active period of a time range group is calculated as follows:

·     Combining all periodic statements.

·     Combining all absolute statements.

·     Taking the intersection of the two statement sets as the active period of the time range group.

Suppose you configure the following time ranges:

·     Periodic time range—08:30 to 12:00 and 13:30 to 18:00 on Monday through Friday.

·     Absolute time range—10:00 to 12:00 and 14:00 to 16:00 on April 1, 2015 through April 30, 2015.

The active period is 10:00 to 12:00 and 14:00 to 16:00 on Monday through Friday during April 1, 2015 through April 30, 2015.
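The calculation above, as an added example that is not device code: periodic ranges are combined, absolute ranges are combined, and the group is active only in the intersection of the two. An absolute range is modeled as a date range with a daily start and end time, matching the Time Ranges parameter described later on this page and the April 2015 scenario above; treating a group with no ranges of one type as unconstrained by that type, and the class and function names, are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import List, Set

MAX_PERIODIC_RANGES = 32   # limits stated in the restrictions on this page
MAX_ABSOLUTE_RANGES = 12


@dataclass
class PeriodicRange:
    weekdays: Set[int]          # 0 = Monday ... 6 = Sunday
    start: time
    end: time

    def active(self, at: datetime) -> bool:
        return at.weekday() in self.weekdays and self.start <= at.time() < self.end


@dataclass
class AbsoluteRange:
    start_date: date            # the selected start and end dates ...
    end_date: date
    start: time                 # ... and the entered start and end times
    end: time

    def active(self, at: datetime) -> bool:
        return (self.start_date <= at.date() <= self.end_date
                and self.start <= at.time() < self.end)


class TimeRangeGroup:
    def __init__(self, name: str) -> None:
        if not name or name.lower() == "any":
            raise ValueError("invalid time range group name")
        self.name = name
        self.periodic: List[PeriodicRange] = []
        self.absolute: List[AbsoluteRange] = []

    def add_periodic(self, r: PeriodicRange) -> None:
        if len(self.periodic) >= MAX_PERIODIC_RANGES:
            raise ValueError("too many periodic time ranges")
        self.periodic.append(r)

    def add_absolute(self, r: AbsoluteRange) -> None:
        if len(self.absolute) >= MAX_ABSOLUTE_RANGES:
            raise ValueError("too many absolute time ranges")
        self.absolute.append(r)

    def is_active(self, at: datetime) -> bool:
        """Union of the periodic ranges, union of the absolute ranges, then the
        intersection of the two. Assumption: no ranges of a type means that
        type imposes no constraint."""
        periodic_ok = not self.periodic or any(r.active(at) for r in self.periodic)
        absolute_ok = not self.absolute or any(r.active(at) for r in self.absolute)
        return periodic_ok and absolute_ok

    def active_at(self, iso_timestamp: str) -> bool:
        return self.is_active(datetime.fromisoformat(iso_timestamp))


def page_example_group() -> TimeRangeGroup:
    """The scenario from the text: weekday office hours intersected with two
    daily windows during April 1 through April 30, 2015."""
    workdays = {0, 1, 2, 3, 4}
    group = TimeRangeGroup("office-april-2015")
    group.add_periodic(PeriodicRange(workdays, time(8, 30), time(12, 0)))
    group.add_periodic(PeriodicRange(workdays, time(13, 30), time(18, 0)))
    april = (date(2015, 4, 1), date(2015, 4, 30))
    group.add_absolute(AbsoluteRange(*april, time(10, 0), time(12, 0)))
    group.add_absolute(AbsoluteRange(*april, time(14, 0), time(16, 0)))
    return group
```

With this group, a Wednesday in April 2015 at 11:00 or 15:00 is active, 09:00 and 13:00 on the same day are not (one of the two sets does not cover them), and a Saturday in April or a weekday in May is never active.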

Restrictions and guidelines

·     You can create a maximum of 1024 time range groups.

·     Do not configure a time range group both at the CLI and on the Web interface.

·     A time range group can contain a maximum of 32 periodic time ranges and a maximum of 12 absolute time ranges.

Procedure

Webpage: Network Behaviors > Time Range Groups

 

On this page, you can perform the following operations:

·     Display time range group details.

·     Add a time range group.

·     Delete time range groups.

·     Edit a time range group.

To add a time range group:

1.     Click Add. The Add Time Range Group dialog box opens. Configure the name, time range, and other parameters for the time range group.

2.     Click Apply.

To delete time range groups:

1.     Select the time range groups to be deleted.

2.     Click the Delete button. Then, click OK in the confirmation dialog box that opens.

To edit a time range group:

1.     Click the edit icon in the Actions column for the time range group to be edited. The Edit Time Range Group dialog box opens. Edit related parameters.

2.     Click Apply.

 

Parameters

Parameter

Description

Time Range Group Name

Name of the time range group. The name can be used to indicate the characteristics of time ranges in the time range group. The name cannot be the word any (case insensitive).

Time Ranges

Active time of the time range group. You can configure the following time ranges:

·     Periodic: This type of time range begins and ends on a recurring basis. Select days of the week, enter the start time and end time, and click the plus sign.

·     Absolute: This type of time range begins on a specific date and ends on a specific date. Select the start and end dates, enter the start time and end time, and click the plus sign.

Used

Indicates whether the time range group has been used by a policy:

·     Yes.

·     No.

Actions

You can edit or delete the time range group.

 

Bandwidth management

About this task

Bandwidth management can perform fine-grained control over traffic based on user groups and time range groups.

Configure bandwidth limits

Procedure

Webpage: Network Behaviors > Bandwidth Management > Bandwidth limits

 

On this page, you can perform the following operations:

·     Display bandwidth policy details.

·     Add a bandwidth policy.

·     Delete bandwidth policies.

·     Edit a bandwidth policy.

To add a bandwidth policy:

1.     Click Add. The Bandwidth Policy dialog box opens. Configure the application interface, user range, bandwidth limit, restricted period, and other parameters for the bandwidth policy.

2.     Click Apply.

To delete bandwidth policies:

1.     Select the bandwidth policies to be deleted.

2.     Click the Delete button. Then, click OK in the confirmation dialog box that opens.

To edit a bandwidth policy:

1.     Click the edit icon in the Actions column for the bandwidth policy to be edited. The Edit Bandwidth Policy dialog box opens. Edit related parameters.

2.     Click Apply.

 

Parameters

Parameter

Description

Application Interface

Interface on which packets are received.

User Range

User group to be limited. You can select an existing user group. You can also create a user group by clicking Add User Group on the right.

Upload Bandwidth

Maximum upload bandwidth for users in the user group. The unit is Mbps. You must configure this parameter according to the actual uplink bandwidth provided by your ISP.

Download Bandwidth

Maximum download bandwidth for users in the user group. The unit is Mbps. You must configure this parameter according to the actual downlink bandwidth provided by your ISP.

Bandwidth Assignment

You can select either of the following bandwidth assignment methods:

·     Shared: All addresses in the user group share the specified bandwidth.

·     Exclusive: Each address in the user group exclusively uses the specified bandwidth.

Restricted Period

Time when the bandwidth policy is in effect. Options include:

·     All Time Ranges

·     Select Existing Time Range Group. You can also create a time range group by clicking Add Time Range Group on the right.

Actions

You can edit or delete the bandwidth policy.

 

Configure bandwidth guarantee

Restrictions and guidelines

·     A bandwidth guarantee policy takes effect on an interface only if the output bandwidth of the interface has been configured.

·     An interface can be bound to only one bandwidth guarantee policy. A bandwidth guarantee policy can be configured with multiple match rules. A match rule can be configured with multiple match criteria. The guaranteed bandwidth is the total bandwidth guaranteed for all matching users.

Procedure

Webpage: Network Behaviors > Bandwidth Management > Bandwidth guarantee

 

On this page, you can perform the following operations:

·     Set the output bandwidth for each WAN interface.

·     Add a bandwidth guarantee policy.

·     Delete bandwidth guarantee policies.

·     Edit a bandwidth guarantee policy.

To set the output bandwidth for each WAN interface:

1.     Enter the output bandwidth for each WAN interface.

2.     Click Apply.

To add a bandwidth guarantee policy:

1.     Click Add. The Create Bandwidth Guarantee Policy dialog box opens. Configure the policy name, application interface, and other parameters for the bandwidth guarantee policy.

2.     Click Add. The Create Match Rule dialog box opens. Configure the queue type, guaranteed bandwidth, and match criteria, and then click Apply.

3.     Click Apply on the Create Bandwidth Guarantee Policy dialog box.

To delete bandwidth guarantee policies:

1.     Select the bandwidth guarantee policies to be deleted.

2.     Click the Delete button. Then, click OK in the confirmation dialog box that opens.

To edit a bandwidth guarantee policy:

1.     Click the edit icon in the Actions column for the bandwidth guarantee policy to be edited. The Edit Bandwidth Guarantee Policy dialog box opens. Edit related parameters.

2.     Click Apply.

 

Parameters

Parameter

Description

Policy Name

Name of the bandwidth guarantee policy.

Application Interface

Interface to apply the bandwidth guarantee policy.

Queue Type

Queue for matching traffic. EF has a higher forwarding priority than AF.

Guaranteed Bandwidth

Total bandwidth guaranteed for all matching users.

Protocol

Protocol name.

Protocol Type

Protocol number.

Local Subnet/Mask

Source subnet/mask used to match the source IP address of packets.

Local Port

Source port range used to match the source port of packets.

Destination Subnet/Mask

Destination subnet/mask used to match the destination IP address of packets.

Peer Port

Destination port range used to match the destination port of packets.

Actions

You can edit or delete the bandwidth guarantee policy.

 

Network behaviors

About this feature

The network behavior management function controls user access to applications and websites, allowing more precise control based on user groups and time ranges.

Configure global control

About this task

For a network behavior management policy and the URL filtering feature to take effect, you must enable network behaviors on this page.

Procedure

Webpage: Network Behaviors > Network Behaviors > Global Control

 

To configure global control:

1.     Select Enable Network Behaviors.

2.     Click Apply.

 

Parameters

Parameter

Description

Global control

Select whether to enable network behavior management. After you enable this feature, the device will work based on the configured network behavior management policy.

 

Configure a network behavior management policy

Restriction and guidelines

Do not block HTTP in the application control feature because the URL filtering function is based on it. Blocking HTTP will affect the device's ability to recognize URLs, causing URL filtering to fail.

Procedure

Webpage: Network Behaviors > Network Behaviors > Network Behavior Management Policy

 

On this page, you can perform the following operations:

·     Display network behavior management policy details.

·     Add a network behavior management policy.

·     Delete network behavior management policies.

·     Edit a network behavior management policy.

To add a network behavior management policy:

1.     Click Add. The Create Network Behavior Management Policy dialog box opens. Configure the policy name, user range, restricted period, and other parameters for the network behavior management policy.

2.     Click OK.

To delete network behavior management policies:

1.     Select the network behavior management policies to be deleted.

2.     Click the Delete button. Then, click OK in the confirmation dialog box that opens.

To edit a network behavior management policy:

1.     Click the edit icon in the Actions column for the network behavior management policy to be edited. Edit related parameters.

2.     Click Apply.

 

Parameters

Parameter

Description

Policy Name

Name of the network behavior management policy.

User Range

Address group to be controlled. You can select an existing user group. You can also create a user group by clicking Add User Group on the right.

Time Range

Time when the network behavior management policy is in effect. You can select all time ranges or select an existing time range group. You can also create a time range group by clicking Add Time Range Group on the right.

Application Control

Select network applications and select an action to take on the applications. The following actions are available:

·     Block: Block access to the applications.

·     No Blocking or Rate Limit: Do not limit access to the applications.

·     Rate Limit: Rate limit access to the applications. You can set the maximum uplink bandwidth and maximum downlink bandwidth per user.

Application Control Logs

Log network behaviors. When a packet matches a network behavior management policy, an application control log is generated.

Actions

You can edit or delete a network behavior management policy.

 

Signature library management

About this task

The device uses signatures to identify application layer traffic. The device supports an application signature library and a URL signature library. You can update the signature libraries to the most recent version so that network behavior management keeps recognizing current applications and URLs.

The following methods are available for updating signature libraries on the device:

·     Local update: The administrator manually obtains the most up-to-date signature file and imports it to the device.

·     Online update: The device automatically downloads the most up-to-date signature file and imports it for the update.

Restriction and guidelines

·     Make sure the license has been installed and is effective before the update.

·     Do not update a signature library while the device's free memory has reached an alarm threshold. Otherwise, the update fails, which affects network behavior management.

·     For a successful online update, make sure the device can obtain the official website's IP address through static or dynamic domain name resolution and can reach it.

Procedure

Webpage: Network Behaviors > Signature Library Management

 

Configure signature library update

·     Perform a local update.

·     Perform an online update.

 

Parameters

Parameter

Description

Perform a local update.

Updates a signature library on the device by using a locally stored signature file.

Perform an online update.

If the device can access the signature library service area on the company's website, you can use this method to update the signature library.

 

Traffic ranking

About this feature

On the Global control tab, you can enable or disable user traffic ranking and application traffic ranking.

·     If user traffic ranking is enabled, you can view the user traffic data on the user traffic ranking tab.

·     If application traffic ranking is enabled, you can view the application traffic data on the application traffic ranking tab.

Configure global control

Restriction and guidelines

If portal configuration exists on an interface, the interface is not displayed on the Global Control tab. After you delete the portal configuration from the interface, the interface is displayed on the Global Control tab.

Procedure

Webpage: Network Behaviors > Traffic Ranking > Global Control

 

To configure application traffic ranking:

1.     Select On for the Application traffic ranking option.

To configure user traffic ranking:

1.     On the interface list, you can click the On/Off button for an interface to disable or enable traffic ranking for static IP users and DHCP users on the interface.

To add an intranet segment:

1.     Click the edit icon in the Actions column for an interface to open the Add intranet segment page. Configure IP addresses.

2.     Click OK.

 

Parameters

Parameter

Description

Application traffic ranking

Choose whether to enable application traffic ranking. If this function is enabled, the page displays the traffic ranking information for applications.

User traffic ranking

Choose whether to enable user traffic ranking. If this function is enabled, the page displays the traffic statistics for connected endpoints.

Interface Name

Interface an endpoint uses to access the network, for example VLAN1.

Intranet Segment

The system collects traffic statistics and ranks traffic only for IP addresses within the intranet segment. By default, the intranet segment is the network segment directly connected to the interface. To ensure network connectivity, configure the intranet segment correctly, and update it promptly if it changes.

Actions

Click the edit icon to add an intranet segment for the VLAN interface.

 

Configure user traffic ranking

Restriction and guidelines

The user traffic ranking function is always enabled for authenticated users and requires no configuration. To view the traffic ranking for authentication-free users, you must first enable traffic ranking for the related interfaces on the Global Control page.

Procedure

Webpage: Network Behaviors > Traffic Ranking > User Traffic Ranking

 

Display user traffic ranking details, including endpoint IP address, endpoint name, and username.

 

Parameters

Parameter

Description

Endpoint IP

IP address of the connected endpoint.

Endpoint Name

Name of the connected endpoint.

Username

Username of the connected endpoint.

Access Method

The following access methods are available:

·     Static IP: An endpoint uses a statically assigned IP address to access the network.

·     DHCP: An endpoint uses a DHCP-assigned IP address to access the network.

·     Portal: An endpoint uses portal authentication to access the network.

·     PPPoE: An endpoint uses PPPoE to access the network.

·     L2TP: An endpoint uses L2TP to access the network.

Interface

Interface an endpoint uses to access the network, for example VLAN1.

Endpoint MAC Address

MAC address of the connected endpoint.

Uplink Rate

Rate of the uplink traffic of the endpoint.

Downlink Rate

Rate of the downlink traffic of the endpoint.

Online Duration

Amount of time the endpoint is online.

Actions

Click the rate limit icon to configure the upload bandwidth and download bandwidth for an interface.

 

Configure application traffic ranking

Restriction and guidelines

To configure application traffic ranking, you must first enable application traffic ranking on the global control page.

Procedure

Webpage: Network Behaviors > Traffic Ranking > Application Traffic Ranking

 

Display application traffic ranking details, including application type, uplink rate, and downlink rate.

 

Parameters

Parameter

Description

Application Type

Type of the application.

Uplink Rate

Real-time rate of the traffic from the endpoint to the application.

Downlink Rate

Real-time rate of the traffic from the application to the endpoint.

Today’s Uplink Traffic

Size of the traffic from the endpoint to the application on the current day.

Today’s Downlink Traffic

Size of the traffic from the application to the endpoint on the current day.

Today’s Total Traffic

Total size of the traffic from the application to the endpoint and the traffic from the endpoint to the application on the current day.

Actions

Click the Details icon in the Actions column for an interface to enter the details page. This page displays the application traffic information.

 

 


Network security

Firewall

About this feature

The firewall function matches network packets against a series of firewall rules, drops the packets that are denied and forwards the packets that are permitted, protecting the network of users.

Restriction and guidelines

·     Rule matching stops at the first match: after a packet matches a firewall rule, the packet is not compared against any other rule. To avoid unintended filtering results caused by a broad rule being matched before a more specific one, set appropriate priorities for the firewall rules.

·     A firewall rule takes effect only on incoming packets of interfaces.

·     Before adding firewall rules, first complete the configuration on the External Networks page.

·     To specify the time ranges for a firewall rule, you can go to the Time Range Groups page to configure a time range group.

Procedure

Webpage: Network security > Firewall

 

On this page, you can perform the following operations:

·     Add a firewall rule.

·     Delete firewall rules.

·     Edit a firewall rule.

·     Display firewall rules.

To add a firewall rule:

1.     Click Add. The Add Firewall Rule page opens. Configure the interface, protocol, priority, and other parameters.

2.     Click Apply.

To delete firewall rules:

1.     Select the firewall rules to be deleted.

2.     Click the Delete button. The confirmation dialog box opens.

3.     Click Apply.

To edit a firewall rule:

1.     Click the edit icon in the Actions column for the firewall rule to be edited. The Edit Firewall Rule dialog box opens. Edit related parameters.

2.     Click Apply.

 

Parameters

Parameter

Description

Interface

Interface on which packets are received.

Protocol

Protocol type of packets.

·     To control transport layer packets, select TCP or UDP.

·     To control ICMP packets such as ping and tracert packets, select ICMP.

·     To control all packets, select All.

Source IP Address/Mask

Enter the source IP address/mask used to match packets. If you enter any, packets with any source IP address are matched.

Destination IP Address/Mask

Enter the destination IP address/mask used to match packets. If you enter any, packets with any destination IP address are matched.

Destination Port

Enter a destination port or destination port range used to match packets. For example, you can enter 80 to match HTTP packets.

Time Range

Time when the firewall rule is in effect. You can select an existing time range group.

Security Action

Select the action to take on matching packets. Options include:

·     Permit.

·     Deny.

Priority

Configure a priority for the firewall rule. The following methods are available:

·     Auto-Assigned: The system automatically assigns a priority to the rule. The priorities of rules are assigned in the rule creation order at a step of 5. A rule created earlier has a higher priority.

·     User-Defined: Specify a user-defined priority for the rule. The smaller the number, the higher the priority.

Description

Enter a description for the rule.
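The following Python script is an added illustration of the first-match and priority semantics described above; it is not part of this guide or of the device software. The rule and packet fields mirror the parameters in the table, auto-assigned priorities advance by 5 in creation order as the guide states, and the constructed rule set shows a broad deny rule created before a narrower permit rule, which then can never match. The shadowed-rule check and the default action for a packet that matches no rule (the guide does not specify one) are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The guide states that auto-assigned priorities follow creation order at a step of 5.
AUTO_PRIORITY_STEP = 5


@dataclass
class FirewallRule:
    interface: str                  # interface on which the packet is received
    protocol: str                   # "TCP", "UDP", "ICMP" or "All"
    source: str                     # "any" or "a.b.c.d/prefix"
    destination: str                # "any" or "a.b.c.d/prefix"
    dest_port: Optional[str]        # None (any), "80" or "8000-8080"
    action: str                     # "Permit" or "Deny"
    priority: Optional[int] = None  # None means auto-assigned
    description: str = ""


@dataclass
class Packet:
    interface: str
    protocol: str
    src: str
    dst: str
    dport: Optional[int] = None


def _net(spec: str):
    return None if spec.lower() == "any" else ipaddress.ip_network(spec, strict=False)


def _port_range(spec: Optional[str]) -> tuple:
    if spec is None:
        return (0, 65535)
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))


def rule_matches(rule: FirewallRule, pkt: Packet) -> bool:
    """True if the packet satisfies every criterion of the rule."""
    if rule.interface != pkt.interface:
        return False
    if rule.protocol != "All" and rule.protocol != pkt.protocol:
        return False
    for spec, addr in ((rule.source, pkt.src), (rule.destination, pkt.dst)):
        net = _net(spec)
        if net is not None and ipaddress.ip_address(addr) not in net:
            return False
    if rule.dest_port is not None:
        lo, hi = _port_range(rule.dest_port)
        if pkt.dport is None or not lo <= pkt.dport <= hi:
            return False
    return True


def rule_covers(outer: FirewallRule, inner: FirewallRule) -> bool:
    """True if every packet that matches inner also matches outer (inner is then unreachable)."""
    if outer.interface != inner.interface:
        return False
    if outer.protocol != "All" and outer.protocol != inner.protocol:
        return False
    for o_spec, i_spec in ((outer.source, inner.source), (outer.destination, inner.destination)):
        o_net, i_net = _net(o_spec), _net(i_spec)
        if o_net is not None and (i_net is None or not i_net.subnet_of(o_net)):
            return False
    (olo, ohi), (ilo, ihi) = _port_range(outer.dest_port), _port_range(inner.dest_port)
    return olo <= ilo and ihi <= ohi


class Firewall:
    def __init__(self, default_action: str = "Deny"):
        # Assumption: the guide does not say what happens to a packet that matches no rule.
        self.rules = []
        self.default_action = default_action
        self._next_auto = AUTO_PRIORITY_STEP

    def add_rule(self, rule: FirewallRule) -> int:
        if rule.priority is None:
            rule.priority = self._next_auto
            self._next_auto += AUTO_PRIORITY_STEP
        self.rules.append(rule)
        return rule.priority

    def ordered(self):
        return sorted(self.rules, key=lambda r: r.priority)  # smaller number = higher priority

    def evaluate(self, pkt: Packet) -> str:
        for rule in self.ordered():          # first match wins; later rules are never consulted
            if rule_matches(rule, pkt):
                return rule.action
        return self.default_action

    def shadowed_rules(self):
        """(rule, shadowing rule) descriptions for rules a higher-priority rule fully covers."""
        ordered, shadowed = self.ordered(), []
        for i, rule in enumerate(ordered):
            for earlier in ordered[:i]:
                if rule_covers(earlier, rule):
                    shadowed.append((rule.description, earlier.description))
                    break
        return shadowed


def _build(ssh_priority: Optional[int] = None) -> Firewall:
    """Constructed rule set (addresses and interface names are made up)."""
    fw = Firewall()
    fw.add_rule(FirewallRule("WAN1", "TCP", "any", "10.1.1.10/32", "80", "Permit", description="web server"))
    fw.add_rule(FirewallRule("WAN1", "All", "any", "10.1.1.0/24", None, "Deny", description="deny rest of DMZ"))
    fw.add_rule(FirewallRule("WAN1", "TCP", "any", "10.1.1.20/32", "22", "Permit",
                             priority=ssh_priority, description="ssh to jump host"))
    return fw


def demo() -> dict:
    web = Packet("WAN1", "TCP", "203.0.113.5", "10.1.1.10", 80)
    ssh = Packet("WAN1", "TCP", "203.0.113.5", "10.1.1.20", 22)
    auto, fixed = _build(), _build(ssh_priority=1)   # fixed: SSH rule gets user-defined priority 1
    return {
        "priorities": [r.priority for r in auto.rules],
        "web": auto.evaluate(web),
        "ssh_before": auto.evaluate(ssh),
        "shadowed": auto.shadowed_rules(),
        "ssh_after": fixed.evaluate(ssh),
        "shadowed_after": fixed.shadowed_rules(),
    }
```

With auto-assigned priorities the three rules receive 5, 10 and 15, so the deny rule for 10.1.1.0/24 is consulted before the SSH permit rule and SSH to 10.1.1.20 is dropped; giving the SSH rule a user-defined priority of 1 moves it ahead of the deny rule. Running the shadowed-rule check after every change is the practical way to catch this before it reaches production.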

 

Attack defense

About this feature

DDoS attacks are widespread on the Internet and can cause greater harm than traditional DoS attacks. This feature protects devices and networks from the following attacks:

·     Single-packet attack—Attackers use malformed packets to disable the target system. For example, a Land attack packet is a TCP packet whose source IP address and destination IP address are both the target's IP address. This attack exhausts the target's connection resources so that it cannot handle normal services.

·     Abnormal flow attacks:

¡     Scanning attack—Attackers scan host addresses and ports, probe the target network topology and open service ports to prepare for further intrusion into the target system.

¡     Flood attack—Attackers send a large number of forged requests to the target system, causing the target system to be overwhelmed with useless information, thus unable to provide normal services to legitimate users.

The device can defend against the following DDoS attacks:

·     Single-packet attacks—Fraggle attacks, Land attacks, WinNuke attacks, TCP flag attacks, ICMP unreachable packet attacks, ICMP redirect packet attacks, Smurf attacks, IP source route attacks, IP record route attacks, and large ICMP packet attacks.

·     Abnormal flow attacks—Scanning attacks, SYN flood attacks, UDP flood attacks, and ICMP flood attacks.

Attack defense

About this task

Attack defense protects systems or networks from malicious attacks and ensures their security and normal operation.

Procedure

Webpage: Network Security > Attack Defense > Attack Defense

 

On this page, you can perform the following operations:

·     Display the existing attack defense policies.

·     Add attack defense policies.

·     Delete attack defense policies.

·     Edit existing attack defense policies.

To add an attack defense policy:

1.     Click Add. In the Add Attack Defense Configuration dialog box that opens, select an interface and attack defense types.

2.     Click Apply.

To delete attack defense policies:

1.     Select the attack defense policies to be deleted, and then click Delete.

2.     In the dialog box that opens, click Yes.

To edit an existing attack defense policy:

1.     Click the Edit icon in the Actions column for the target attack defense policy. In the Edit Attack Defense Configuration dialog box that opens, edit the settings as required.

2.     Click Apply.

 

Parameters

Parameter

Description

Interface

Interface that receives the attack packets. The attack defense policy takes effect on the specified interface.

Attack Defense

Attack defense types. Options include:

·     Single-Packet Attack Defense—Protects the system from malformed packet attacks. Options include:

¡     Fraggle attack defense—Protects the device from fraggle attacks. For a fraggle attack, the attacker sends UDP packets in which the source IP address is the victim's IP address to the subnet broadcast address. Each host on the subnet returns a reply to the victim, which causes network congestion or host crashes.

¡     Land attack defense—Protects the device from Land attacks. For a Land attack, the attacker sends the victim TCP SYN packets, which contain the victim's IP address as the source and destination IP addresses. After receiving such packets, the victim suffers from internal response storms, consuming a large number of CPU resources.

¡     WinNuke attack defense—Protects the device from WinNuke attacks. For a WinNuke attack, the attacker exploits the Out-of-Band (OOB) vulnerabilities in NetBIOS to launch an attack to the victim, causing host crashes or blue screen.

¡     TCP flag attack defense—Protects the device from TCP flag attacks. For a TCP flag attack, the attacker sends TCP packets with unconventional TCP flags to the target host to probe its operating system type. If the operating system fails to process such packets correctly, the host crashes.

¡     ICMP destination unreachable message attack defense—Protects the device from ICMP destination unreachable message attacks. For an ICMP destination unreachable message attack, the attacker sends ICMP destination unreachable packets in order to cut off network connections of the target host.

¡     ICMP redirect message attack defense—Protects the device from ICMP redirect message attacks. For an ICMP redirect message attack, the attacker sends ICMP redirect messages to modify the victim's routing table. As a result, the victim cannot forward IP packets correctly.

¡     Smurf attack defense—Protects the device from smurf attacks. For a smurf attack, the attacker broadcasts an ICMP echo request to a subnet. The source IP address in the request is the victim's IP address. Every receiver on the subnet will send an ICMP echo reply to the victim, causing network congestion or system crashes.

¡     Source routing option attack defense—Protects the device from source route option attacks. For a source route option attack, the attacker exploits the source route option in the IP header to probe the network topology.

¡     Record route option attack defense—Protects the device from record route option attacks. For a record route option attack, the attacker exploits the record route option in the IP header to probe the network topology.

¡     Large ICMP packet attack defense—Protects the device from large ICMP packet attacks. For a large ICMP packet attack, the attacker sends large ICMP packets to the target to make it crash.

·     Abnormal Flow Attack Defense—Protects the system from forged requests that affect normal services. Options include:

¡     Scanning attack defense—Protects hosts from IP sweep and port scan attacks that probe the network topology and open service ports for further intrusion.

¡     SYN flood attack defense—Sets the enabling status of SYN flood attack defense and threshold for triggering SYN flood attack defense. For a SYN flood attack, the attacker sends the target a large number of SYN packets that consume the connection resources of the target. As a result, the target cannot establish new connections.

¡     UDP flood attack defense—Sets the enabling status of UDP flood attack defense and threshold for triggering UDP flood attack defense. For a UDP flood attack, the attacker sends the target a large number of UDP packets, making the target too busy to process normal services.

¡     ICMP flood attack defense—Sets the enabling status of ICMP flood attack defense and threshold for triggering ICMP flood attack defense. For an ICMP flood attack, the attacker sends the target a large number of ICMP requests, making the target too busy to process normal packets.
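The following Python script is an added example, not part of this guide or of the device software, that classifies constructed packet records according to the single-packet attack definitions above (Land, WinNuke, TCP flag, ICMP unreachable and redirect, Smurf, Fraggle, source route, record route, and large ICMP). The packet record format, the IP option and ICMP type codes used to recognize the options and messages, the set of TCP flag combinations treated as anomalous, and the large-ICMP size threshold (the guide gives no value) are assumptions of the example; flood and scanning detection, which need per-flow rate counters, are not shown.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# IPv4 option type codes (RFC 791): Record Route, Loose Source Route, Strict Source Route.
IPOPT_RR, IPOPT_LSRR, IPOPT_SSRR = 7, 131, 137
# ICMP message types: destination unreachable, redirect, echo request.
ICMP_UNREACH, ICMP_REDIRECT, ICMP_ECHO_REQ = 3, 5, 8
NETBIOS_SESSION_PORT = 139
# Assumed size threshold; the guide does not state the device's value.
LARGE_ICMP_BYTES = 4000


@dataclass
class Pkt:
    proto: str                          # "TCP", "UDP" or "ICMP"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    tcp_flags: frozenset = frozenset()  # e.g. frozenset({"SYN"})
    icmp_type: int = -1
    ip_options: tuple = ()              # IPv4 option type codes present in the header
    length: int = 64                    # total IP datagram length in bytes


def is_broadcast(dst: str, local_subnets: Iterable[str]) -> bool:
    addr = ipaddress.ip_address(dst)
    if addr == ipaddress.ip_address("255.255.255.255"):
        return True
    return any(addr == ipaddress.ip_network(s, strict=False).broadcast_address for s in local_subnets)


def classify(pkt: Pkt, local_subnets: Iterable[str] = ()) -> List[str]:
    """Return the names of the single-packet attacks this packet exhibits (empty if benign)."""
    hits = []
    f = pkt.tcp_flags
    if pkt.proto == "TCP":
        if "SYN" in f and pkt.src == pkt.dst:
            hits.append("Land attack")
        if "URG" in f and pkt.dport == NETBIOS_SESSION_PORT:
            hits.append("WinNuke attack")
        # Null, SYN+FIN and Xmas (FIN+PSH+URG) combinations never occur in a legitimate session.
        if not f or {"SYN", "FIN"} <= f or {"FIN", "PSH", "URG"} <= f:
            hits.append("TCP flag attack")
    if pkt.proto == "ICMP":
        if pkt.icmp_type == ICMP_UNREACH:
            hits.append("ICMP destination unreachable message attack")
        if pkt.icmp_type == ICMP_REDIRECT:
            hits.append("ICMP redirect message attack")
        if pkt.icmp_type == ICMP_ECHO_REQ and is_broadcast(pkt.dst, local_subnets):
            hits.append("Smurf attack")
        if pkt.length > LARGE_ICMP_BYTES:
            hits.append("Large ICMP packet attack")
    if pkt.proto == "UDP" and is_broadcast(pkt.dst, local_subnets):
        hits.append("Fraggle attack")
    if IPOPT_LSRR in pkt.ip_options or IPOPT_SSRR in pkt.ip_options:
        hits.append("Source routing option attack")
    if IPOPT_RR in pkt.ip_options:
        hits.append("Record route option attack")
    return hits


# Constructed sample traffic; addresses and contents are made up, not captured.
SAMPLES = {
    "normal_syn":   Pkt("TCP", "203.0.113.9", "10.0.0.5", sport=40000, dport=443, tcp_flags=frozenset({"SYN"})),
    "land":         Pkt("TCP", "10.0.0.5", "10.0.0.5", sport=80, dport=80, tcp_flags=frozenset({"SYN"})),
    "winnuke":      Pkt("TCP", "203.0.113.9", "10.0.0.5", dport=139, tcp_flags=frozenset({"ACK", "PSH", "URG"})),
    "xmas":         Pkt("TCP", "203.0.113.9", "10.0.0.5", dport=22, tcp_flags=frozenset({"FIN", "PSH", "URG"})),
    "smurf":        Pkt("ICMP", "10.0.0.5", "10.0.0.255", icmp_type=ICMP_ECHO_REQ),
    "fraggle":      Pkt("UDP", "10.0.0.5", "10.0.0.255", dport=7),
    "source_route": Pkt("TCP", "203.0.113.9", "10.0.0.5", dport=80, tcp_flags=frozenset({"SYN"}), ip_options=(IPOPT_LSRR,)),
    "big_ping":     Pkt("ICMP", "203.0.113.9", "10.0.0.5", icmp_type=ICMP_ECHO_REQ, length=65000),
}


def run_samples(local_subnets=("10.0.0.0/24",)) -> dict:
    """Classify every sample against the given directly connected subnets."""
    return {name: classify(pkt, local_subnets) for name, pkt in SAMPLES.items()}
```

Smurf and Fraggle detection depends on knowing which destination addresses are subnet broadcasts, which is why the classifier takes the locally connected subnets as input; a packet that only looks like an ordinary echo request or UDP datagram on a transit link is a reflector trigger when its destination is the broadcast address of a subnet behind the device.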

 

Attack defense statistics

About this task

Use this feature to obtain statistics about single-packet attack defense and abnormal flow attack defense.

Procedure

Webpage: Network Security > Attack Defense > Attack Defense Statistics

 

View statistics about single-packet attack defense and abnormal flow attack defense separately, and export the statistics to an Excel file.

 

Parameters

Parameter

Description

No.

Attack number.

Attack Type

Type of the attack, which is one of the detailed single-packet attack types or abnormal flow attack types.

Total Attack Times

Total number of times that the device suffered from the attack. This field is displayed when you view single-packet attack defense statistics.

Last Occurred At

Most recent time when the device suffered from the attack.

Attacked Interface/Security Zone

Interface or security zone attacked on the device.

Attacked IP

IP address of the attacker.

Details

Detailed information about the attack, including the attack number, attack type, source address, destination address, defense action, date, and time.

 

Blacklist management

About this task

After you enable scanning attack defense, you can add source IP addresses to the blacklist. The device then drops packets sourced from those IP addresses for a certain period of time.

To view IP addresses added to the blacklist, navigate to the Blacklist Management page. This page records the blacklist information, including the IP address, MAC address, type, and action.

Procedure

Webpage: Network Security > Attack Defense > Blacklist Management

 

This page displays the recorded blacklist entries.

 

Connection limit

About this feature

Use connection limit to limit per-IP connections for better resource allocation and attack prevention.

When the number of TCP or UDP connections from an IP address reaches the connection limit, no new connections from the IP address are permitted until the connection count falls below the limit.

Network connection limits

About this task

Perform this task to limit the number of connections from each IP address in an IP address range. You can limit the total number of connections received on all interfaces from one IP address.

Restrictions and guidelines

·     If you specify an IP address range for a network connection limit rule, the rule limits the maximum number of network connections for each IP address within that range based on the configured upper limit. If the start and end IP addresses of the address range are the same, the rule limits only the number of network connections for that IP address.

·     You can add multiple network connection limit rules. For the rules that contain overlapping IP addresses, the rule added first has higher priority. When you configure a network connection limit rule, if you specify an IP address that has been specified in an existing rule, the existing rule will not be overwritten. The connection limit setting configured earlier applies.

·     You can delete and edit existing rules in the network connection limit rule list. You cannot edit the priority for any rule. For more information about the priority for a rule to take effect, see the guidelines described above.

·     Network connection limit only limits network connections initiated by internal IP addresses to the Internet, rather than the connections initiated to the device itself or other internal IP addresses, or the connections initiated from the Internet to internal IP addresses.

·     The total number of connections equals the sum of TCP connections, UDP connections, and other connections, such as ICMP connections. New connections can be established from an IP address only if the number of established connections from the IP address has not reached the configured upper limit. For example, to establish a TCP connection from a specific IP address, make sure the total number of established connections does not exceed the upper limit of total connections. In addition, make sure the numbers of TCP connections, UDP connections, and other connections do not exceed their respective upper limit.

·     If you set the TCP connection upper limit to 0, no TCP connections are allowed to be established. If you leave the TCP connection upper limit unspecified, the number of TCP connections is not limited, but the total connection upper limit still applies. This restriction also applies to the UDP connection upper limit.

·     Each VLAN-based network connection limit rule specifies the upper limit for the number of network connections that can be established within a specific VLAN. The upper limit applies to the total number of connections from all IP addresses within the VLAN, instead of the number of connections for each individual IP address.

·     The total number of connections equals the sum of TCP connections, UDP connections, and other connections, such as ICMP connections. New connections can be established from a VLAN only if the number of established connections within the VLAN has not reached the configured upper limit. For example, to establish a TCP connection from a specific IP address in a VLAN, make sure the total number of established connections within the VLAN does not exceed the upper limit of total connections. In addition, make sure the numbers of TCP connections and UDP connections do not exceed their respective upper limit.

Procedure

Webpage: Network Security > Connection Limit > Connection Limits

 

On this page, you can perform the following operations:

·     Enable or disable network connection limit.

·     Add a network connection limit rule.

·     Delete network connection limit rules.

·     Edit a network connection limit rule.

·     Display network connection limit rule information.

To add a network connection limit rule:

1.     Click Add. In the dialog box that opens, configure the parameters as needed.

2.     Click Apply.

To delete network connection limit rules:

1.     Select one or multiple network connection limit rules, and click Delete.

2.     In the dialog box that opens, click OK.

To edit a network connection limit rule:

1.     Click the Edit icon in the Operation column for a network connection limit rule. In the dialog box that opens, edit the parameters as needed.

2.     Click Apply.

 

Parameters

Parameter

Description

Enable Network Connection Limit/Disable Network Connection Limit

Specify whether to enable the network connection limit feature. If you enable this feature, the device will operate based on the configured network connection limit rule. By default, this feature is disabled.

Connection limit address range

Start and end IP addresses of an IP address range to which the rule applies.

Per-IP connection upper limit

Total maximum number of network connections sourced from each IP address.

Per-IP TCP connection upper limit

Total maximum number of TCP connections sourced from each IP address.

Per-IP UDP connection upper limit

Total maximum number of UDP connections sourced from each IP address.

Description

Description of the rule.

 

VLAN-based connection limits

About this task

Perform this task to limit the total number of connections established through a VLAN interface. The limit applies to all IP addresses in the VLAN together, not to each IP address individually.

Procedure

Webpage: Network Security > Connection Limit > VLAN-based Connection Limits

 

On this page, you can perform the following operations:

·     Enable or disable VLAN-based network connection limit.

·     Add a VLAN-based network connection limit rule.

·     Delete VLAN-based network connection limit rules.

·     Edit a VLAN-based network connection limit rule.

·     Display VLAN-based network connection limit rule information.

To add a VLAN-based network connection limit rule:

1.     Click Add. In the dialog box that opens, configure the parameters as needed.

2.     Click Apply.

To delete VLAN-based network connection limit rules:

1.     Select one or multiple VLAN-based network connection limit rules, and click Delete.

2.     In the dialog box that opens, click OK.

To edit a VLAN-based network connection limit rule:

1.     Click the Edit icon in the Operation column for a VLAN-based network connection limit rule. In the dialog box that opens, edit the parameters as needed.

2.     Click Apply.

 

Parameters

Parameter

Description

Enable/Disable VLAN-based network connection limit

Specify whether to enable the VLAN-based network connection limit feature. If you enable this feature, the device will operate based on the configured VLAN-based network connection limit rule. By default, this feature is disabled.

VLAN interface

VLAN interface to which the rule applies.

Per-IP connection upper limit

Total maximum number of network connections sourced from the specified VLAN interface.

Per-IP TCP connection upper limit

Total maximum number of TCP connections sourced from the specified VLAN interface.

Per-IP UDP connection upper limit

Total maximum number of UDP connections sourced from the specified VLAN interface.

Description

Description of the rule.
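The following Python script is an added example, not part of this guide or of the device software, of the admission logic described in the two connection limit sections above: per-IP rules with a total cap and TCP/UDP sub-caps, where an unspecified cap is unlimited and 0 permits nothing, the first-added rule winning for overlapping address ranges, and a VLAN-based rule that counts all addresses in the VLAN together. The data structures, the treatment of ICMP as "other", and the choice to leave non-outbound connections both unlimited and uncounted are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class IpLimitRule:
    start: str                 # connection limit address range, inclusive
    end: str
    total: Optional[int]       # per-IP connection upper limit; None = unlimited, 0 = none allowed
    tcp: Optional[int] = None  # per-IP TCP connection upper limit
    udp: Optional[int] = None  # per-IP UDP connection upper limit

    def covers(self, ip: str) -> bool:
        a = ipaddress.ip_address(ip)
        return ipaddress.ip_address(self.start) <= a <= ipaddress.ip_address(self.end)


@dataclass
class VlanLimitRule:
    vlan_interface: str
    total: Optional[int]       # applies to all IP addresses in the VLAN together
    tcp: Optional[int] = None
    udp: Optional[int] = None


def _bucket(proto: str) -> str:
    return {"TCP": "tcp", "UDP": "udp"}.get(proto, "other")   # ICMP etc. count as "other"


def _room(counts: Dict[str, int], total, tcp, udp, proto: str) -> bool:
    """True if one more connection of this protocol fits under the total and per-protocol caps."""
    if total is not None and sum(counts.values()) >= total:
        return False
    cap = {"tcp": tcp, "udp": udp, "other": None}[_bucket(proto)]
    return cap is None or counts[_bucket(proto)] < cap


class ConnectionLimiter:
    def __init__(self) -> None:
        self.ip_rules: List[IpLimitRule] = []          # creation order is the priority order
        self.vlan_rules: Dict[str, VlanLimitRule] = {}
        self.ip_counts: Dict[str, Dict[str, int]] = {}
        self.vlan_counts: Dict[str, Dict[str, int]] = {}

    def add_ip_rule(self, rule: IpLimitRule) -> None:
        self.ip_rules.append(rule)

    def add_vlan_rule(self, rule: VlanLimitRule) -> None:
        self.vlan_rules[rule.vlan_interface] = rule

    def rule_for(self, ip: str) -> Optional[IpLimitRule]:
        # Overlapping ranges: the rule added first wins; a later rule does not overwrite it.
        return next((r for r in self.ip_rules if r.covers(ip)), None)

    @staticmethod
    def _fresh() -> Dict[str, int]:
        return {"tcp": 0, "udp": 0, "other": 0}

    def open(self, src_ip: str, vlan_interface: str, proto: str, outbound: bool = True) -> bool:
        """Admit or refuse a new connection from src_ip; counters change only on admission."""
        if not outbound:
            return True   # only LAN-to-Internet connections are limited (assumed untracked otherwise)
        ipc = self.ip_counts.setdefault(src_ip, self._fresh())
        vlc = self.vlan_counts.setdefault(vlan_interface, self._fresh())
        ir, vr = self.rule_for(src_ip), self.vlan_rules.get(vlan_interface)
        if ir is not None and not _room(ipc, ir.total, ir.tcp, ir.udp, proto):
            return False
        if vr is not None and not _room(vlc, vr.total, vr.tcp, vr.udp, proto):
            return False
        ipc[_bucket(proto)] += 1
        vlc[_bucket(proto)] += 1
        return True

    def close(self, src_ip: str, vlan_interface: str, proto: str) -> None:
        b = _bucket(proto)
        self.ip_counts[src_ip][b] -= 1
        self.vlan_counts[vlan_interface][b] -= 1


def demo() -> List[bool]:
    """Constructed scenario: overlapping per-IP rules plus a VLAN aggregate cap (made-up addresses)."""
    lim = ConnectionLimiter()
    lim.add_ip_rule(IpLimitRule("192.168.1.10", "192.168.1.20", total=3, tcp=2))
    lim.add_ip_rule(IpLimitRule("192.168.1.0", "192.168.1.255", total=10))   # overlaps; added later, so loses
    lim.add_vlan_rule(VlanLimitRule("Vlan-interface1", total=4))
    v = "Vlan-interface1"
    return [
        lim.open("192.168.1.15", v, "TCP"),    # True:  tcp 1/2, total 1/3
        lim.open("192.168.1.15", v, "TCP"),    # True:  tcp 2/2, total 2/3
        lim.open("192.168.1.15", v, "TCP"),    # False: per-IP TCP cap reached
        lim.open("192.168.1.15", v, "UDP"),    # True:  UDP unlimited, total 3/3
        lim.open("192.168.1.15", v, "ICMP"),   # False: per-IP total cap reached
        lim.open("192.168.1.50", v, "TCP"),    # True:  second rule applies; VLAN now 4/4
        lim.open("192.168.1.50", v, "TCP"),    # False: VLAN aggregate cap reached
        lim.open("192.168.1.50", v, "TCP", outbound=False),  # True: inbound is not limited
    ]
```

Note that the third TCP attempt from 192.168.1.15 is refused by the TCP sub-cap while the total cap still has room, and the ICMP attempt is refused by the total cap even though "other" connections have no cap of their own; both checks must pass, which is the behaviour the guidelines above describe.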

 

MAC address filter

About this feature

If you want to permit or deny packets sent by specific devices, you can configure MAC address filter on the specified VLAN interfaces. MAC address filter filters packets that are sourced from specific MAC addresses based on blacklist or whitelist.

This feature supports the following filter modes:

·     Whitelist: In whitelist filter mode, the device permits only the packets with the MAC addresses on the whitelist to access the external network.

·     Blacklist: In blacklist filter mode, the device denies only the packets with the blacklisted MAC addresses from accessing the external network.

MAC filter settings

Restrictions and guidelines

·     If you want to enable whitelist MAC address filter on the interface that connects to the management endpoint, make sure the MAC address of the management endpoint has already been added to the whitelist.

·     The letters in the MAC address are case insensitive.

Procedure

Webpage: Network Security > MAC Address Filter > MAC Filter Settings

 

To configure MAC filter settings:

1.     Select Whitelist or Blacklist in the Filter Mode column, and select Enable in the Status column.

2.     Click Apply.

 

Parameters

Parameter

Description

Interface

Interface to which the MAC address filter policy applies.

Filter Mode

MAC address filter mode. Options are:

·     Whitelist: In whitelist filter mode, the device permits only the packets with the MAC addresses on the whitelist to access the external network.

·     Blacklist: In blacklist filter mode, the device denies only the packets with the blacklisted MAC addresses from accessing the external network.

Status

Whether to enable the MAC address filter feature.

·     If you enable this feature, the device will control Internet access for hosts based on the MAC addresses in the MAC address list.

·     If you disable this feature, all hosts in the LAN can access the Internet.

 

MAC blacklist and whitelist management

About this task

Perform this task to add MAC addresses to, or delete MAC addresses from, the whitelist or blacklist.

Configure the whitelist

Webpage: Network Security > MAC Address Filter > MAC Black and White List Management > Whitelist

 

On this page, you can perform the following operations:

·     Display detailed information about MAC addresses added to the whitelist.

·     Add a MAC address to the whitelist.

·     Delete MAC addresses from the whitelist.

·     Edit a MAC address in the whitelist.

To add a MAC address to the whitelist:

1.     Click Add. In the dialog box that opens, enter the MAC address and description.

2.     Click Apply.

To delete MAC addresses from the whitelist:

1.     Select one or multiple MAC addresses.

2.     Click Delete. In the dialog box that opens, click Yes.

To edit a MAC address in the whitelist:

1.     Click the Edit icon in the Operation column for a MAC address. In the dialog box that opens, edit the parameters as needed.

2.     Click Apply.

 

Parameters

Parameter

Description

No.

Sequence number of the MAC blacklist and whitelist management policy.

Filter Mode

Type of the MAC address filter policy. Options are:

·     Whitelist: With whitelist configured, the device permits only the packets with the MAC addresses on the whitelist to access the external network.

·     Blacklist: With blacklist configured, the device denies only the packets with the blacklisted MAC addresses from accessing the external network.

MAC Address

MAC address to which the policy applies. All-0 or all-F MAC addresses are not supported.

Description

Description of the policy.

Actions

Allow you to edit or delete an existing policy.

 

Configure the blacklist

Webpage: Network Security > MAC Address Filter > MAC Black and White List Management > Blacklist

For the blacklist configuration procedure and parameters, see "Configure the whitelist."

ARP attack protection

About this feature

ARP has no authentication mechanism: any host in a LAN can send ARP messages that bind any IP address to its own MAC address, and other hosts accept them. An attacker can exploit this to intercept or disrupt traffic. The device offers a variety of ARP attack protection techniques to prevent, detect, and resolve ARP attacks and ARP-spoofing malware in a LAN.

Dynamic ARP learning

About this task

You can enable or disable dynamic ARP learning on interfaces. If you disable dynamic ARP learning on an interface, it cannot learn new dynamic ARP entries, which enhances security. As a best practice, disable dynamic ARP learning for an interface that has learned the ARP entries for all legitimate users.

Procedure

Webpage: Network Security > ARP Attack Protect > Dynamic Arp Learning

 

Turn on or off the dynamic ARP learning feature in the ARP Learning column for an interface.

 

Parameters

Parameter

Description

Port

Interface, for example, Vlan-interface1.

Port Type

Type of the interface.

ARP Learning

Dynamic ARP learning enabling status. Options include:

·     Open—Dynamic ARP learning is enabled on the interface.

·     Close—Dynamic ARP learning is disabled on the interface.

As a best practice, disable dynamic ARP learning for an interface that has learned the ARP entries for all legitimate users. When DHCP allocates IP addresses, temporary dynamic ARP entries are generated and displayed on the Dynamic ARP Management page. The ARP Learning switch does not take effect on such entries.

 

Dynamic ARP management

About this task

On the Dynamic ARP management page, you can manage dynamic ARP entries, and configure ARP scanning or fixed ARP. ARP scanning scans the users in a LAN and creates dynamic ARP entries for them. Fixed ARP converts the dynamic ARP entries to static ones. ARP scanning is typically used together with fixed ARP on a small-scale and stable network. To prevent the device from learning incorrect ARP entries, disable dynamic ARP learning after configuring ARP scanning and fixed ARP.
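The scan-then-fix workflow above can be reasoned about off-box as well. The following Python script is an added example, not part of the H3C guide or the device software: it freezes a constructed ARP table into a static baseline (the equivalent of fixed ARP), refuses to freeze a table that already holds two MAC addresses for one IP address, and then classifies later ARP replies as consistent, spoofed (a known IP address with a new MAC address) or unknown (a host that appeared after learning was frozen). All addresses are constructed sample data, and the device exposes no API of this shape.

```python
"""Added example (not from the H3C guide): a minimal 'fixed ARP' baseline checker.

The guide describes ARP scanning (learn who is on the LAN), fixed ARP (freeze the
learned IP-to-MAC pairs as static entries) and then disabling dynamic learning.
This script models the same idea off-box: snapshot the ARP table as the trusted
baseline, then check later ARP replies against it and flag the ones an
unauthenticated attacker could inject. All addresses below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: str
    vlan: int


def normalize_mac(mac: str) -> str:
    """Accept aa-bb-cc-dd-ee-ff, aa:bb:cc:dd:ee:ff or aabb-ccdd-eeff in any case;
    return the canonical lowercase aa:bb:cc:dd:ee:ff form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def fix_arp(dynamic_entries):
    """Model of 'fixed ARP': turn the current dynamic table into a static baseline
    keyed by (vlan, ip). Refuses if one IP already has two MACs, because a table
    that is already poisoned must not be frozen as the trusted state."""
    baseline = {}
    for e in dynamic_entries:
        key = (e.vlan, e.ip)
        mac = normalize_mac(e.mac)
        if key in baseline and baseline[key] != mac:
            raise ValueError(f"conflicting MACs for {e.ip} in VLAN {e.vlan}: "
                             f"{baseline[key]} vs {mac}")
        baseline[key] = mac
    return baseline


def check_arp_reply(baseline, vlan: int, sender_ip: str, sender_mac: str) -> str:
    """Classify an observed ARP reply against the frozen baseline.

    'ok'      - matches the static entry
    'spoof'   - known IP claiming a different MAC (classic ARP poisoning)
    'unknown' - IP not in the baseline; with dynamic learning disabled the
                device would not learn it either
    """
    mac = normalize_mac(sender_mac)
    expected = baseline.get((vlan, sender_ip))
    if expected is None:
        return "unknown"
    return "ok" if expected == mac else "spoof"


# Constructed sample table, as the Dynamic ARP Management page might show after a scan.
SAMPLE_TABLE = [
    ArpEntry("192.168.1.10", "00-e0-fc-00-58-29", 1),
    ArpEntry("192.168.1.11", "00-e0-fc-00-58-2a", 1),
    ArpEntry("192.168.1.1",  "00-e0-fc-11-22-33", 1),   # the gateway itself
]

# Constructed later observations: (vlan, sender IP, sender MAC) from ARP replies.
SAMPLE_REPLIES = [
    (1, "192.168.1.10", "00:E0:FC:00:58:29"),   # same host, other case/format -> ok
    (1, "192.168.1.1",  "00-e0-fc-de-ad-01"),   # someone answering for the gateway -> spoof
    (1, "192.168.1.99", "00-e0-fc-00-00-99"),   # host appearing after the freeze -> unknown
]


def audit(table=SAMPLE_TABLE, replies=SAMPLE_REPLIES):
    """Freeze the table, then classify every observed reply."""
    baseline = fix_arp(table)
    return [(ip, check_arp_reply(baseline, vlan, ip, mac)) for vlan, ip, mac in replies]


if __name__ == "__main__":
    for ip, verdict in audit():
        print(f"{ip:<15} {verdict}")
```

On the device the same outcome is reached by scanning, converting the entries to static ones and turning ARP Learning off. The script makes visible why the order matters: a baseline captured while an attacker is already answering for the gateway address would freeze the wrong MAC address, which is why the conflict check runs before anything is frozen.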

Procedure

Webpage: Network Security > ARP Attack Protect > Dynamic ARP Management

 

On this page, you can perform the following operations:

·     Display dynamic ARP entries for the specified interface.

·     Delete dynamic ARP entries.

·     Scan IP addresses within the specified address range on an interface and automatically create dynamic ARP entries for them.

·     Convert dynamic ARP entries to static ones.

To delete dynamic ARP entries:

1.     Select the dynamic ARP entries to be deleted, and then click Delete.

2.     In the dialog box that opens, click Yes.

To scan IP addresses within the specified address range on an interface and automatically create dynamic ARP entries for them:

1.     Click Scan. In the SCAN ARP dialog box that opens, select an interface and specify an address range.

2.     Click Apply.

 

Parameters

Parameter

Description

IP Address

IP address in the dynamic ARP entry.

MAC Address

MAC address in the dynamic ARP entry.

Type

Type of the dynamic ARP entry. The value is fixed at Dynamic, which indicates that the ARP entry is dynamically learned or generated during IP allocation through DHCP.

VLAN

VLAN to which the ARP entry belongs.

Interface

Interface to which the ARP entry belongs.

Actions

Edit configuration.

 

 


Authentication

Portal authentication

Portal authentication controls user access to networks by authenticating user identities.

Web-based portal authentication allows users to perform authentication through a Web browser without installing client software. Users input username and password on a Web page. The device authenticates the user identities, and controls user access to the network according to the authentication result.

You can configure auth-free rules to allow specific users to access network resources without portal authentication. The match criteria for an auth-free rule include MAC address, IP address, and domain name.

Configure authentication settings

Procedure

Webpage: Authentication > Portal Authentication > Authentication Settings

 

Enable Web authentication, configure the relevant parameters, and then click Apply to complete the configuration.

 

Parameters

Parameter

Description

Enabling Web Authentication Service

To use the portal authentication service, you must enable the Web authentication service.

Session Timeout

Set the timeout time for portal sessions.

Authentication Service Interface

Select the interface on which portal authentication will be enabled.

Language of Authentication Page

Select the language of the portal authentication page.

Allow Password Change

Select whether to allow portal users to change their login passwords.

Background Images

Select the image file to be used as the background of the authentication page. The image must have a resolution of 1440×900, must not exceed 255 KB, and must be named background-logon.jpg.

 

Manage authentication-free MAC addresses

Procedure

Webpage: Authentication > Portal Authentication > AuthN-Free MACs

 

On this page, you can perform the following operations:

·     View authentication-free MAC addresses that have been added.

·     Add an authentication-free MAC address.

·     Delete authentication-free MAC addresses.

·     Edit an authentication-free MAC address.

To add an authentication-free MAC address:

1.     Click Add, and then enter the desired MAC address in the dialog box that opens.

2.     Click Apply.

To delete authentication-free MAC addresses:

1.     Select the desired authentication-free MAC addresses, and then click Delete above the MAC address list.

2.     Click Yes.

To delete or edit a single authentication-free MAC address, click the Delete or Edit icon in the Actions column for that MAC address.

 

Parameters

Parameter

Description

MAC Address

Specify a MAC address for the auth-free rule. Users of the MAC address can access network resources without portal authentication. All-0 and all-F MAC addresses are not allowed.

Description

Enter a rule description for easy use.

 

Manage authentication-free IP addresses

Procedure

Webpage: Authentication > Portal Authentication > AuthN-Free IPs

 

On this page, you can perform the following operations:

·     View authentication-free IP addresses that have been added.

·     Add an authentication-free IP address.

·     Delete authentication-free IP addresses.

·     Edit an authentication-free IP address.

To add an authentication-free IP address:

1.     Click Add, and then configure the related parameters as needed.

2.     Click Apply.

To delete authentication-free IP addresses:

1.     Select the desired authentication-free IP addresses, and then click Delete above the IP address list.

2.     Click Yes.

To delete or edit a single authentication-free IP address, click the Delete or Edit icon in the Actions column for that IP address.

 

Parameters

Parameter

Description

IP Address

Specify an IP address for the auth-free rule.

Address Type

Select an address type. Supported options include Source Address and Destination Address.

Description

Enter a rule description for easy use.

 

PPPoE server

About this task

To provide PPPoE broadband dialup services that can allocate IP addresses and perform authentication for dialup users, configure the PPPoE server.

Restrictions and guidelines

After you complete the configuration in this section, the device acts as a PPPoE server to allocate IP addresses and perform authentication for dialup users. To have the device provide Internet access services for dialup users, you must configure the WAN settings in addition to the PPPoE server settings. To configure the WAN settings, access the Fast Configuration or Network > WAN Settings page.

Procedure

Webpage: Authentication > PPPoE Server

 

On this page, you can perform the following operations:

·     View PPPoE servers that have been added.

·     Add a PPPoE server.

·     Delete PPPoE servers.

To add a PPPoE server:

1.     Click Add, and then configure the related parameters as needed.

2.     Click Apply.

To delete PPPoE servers:

1.     Select the desired PPPoE servers, and then click Delete above the PPPoE server list.

2.     Click Yes.

 

Parameters

Parameter

Description

Apply To

Select an interface to provide PPPoE dialup services.

VT Interface Address

Virtual-template (VT) interface IP address, which enables the PPPoE server to allocate IP addresses.

User Address Pool

Enter the IP addresses to be allocated to PPPoE dialup users.

DNS Server 1

IPv4 address of the primary DNS server assigned to PPPoE dialup users.

DNS Server 2

IPv4 address of the secondary DNS server assigned to PPPoE dialup users.

Max. Endpoints Allowed on Server

Specify the maximum number of users that can dial up for Internet access via the PPPoE server.

 

User management

This feature enables you to manage user accounts for users that need to access the external network through the device. The user account information includes user credentials (username and password) and network service information (including available services and validity period). During identity authentication (such as portal authentication and PPPoE authentication), the device will use user account information to authenticate users. Only users that pass identity authentication can access the external network.

Manage user settings

Prerequisites

To bind a user account to a client MAC address, you must first obtain the MAC address of the client NIC.

Procedure

Webpage: Authentication > User Management > User Settings

 

On this page, you can perform the following operations:

·     View user accounts that have been added.

·     Add a user account.

·     Delete user accounts.

·     Edit a user account.

To add a user account:

1.     Click Add, and then configure the related parameters as needed.

2.     Click Apply.

To delete user accounts:

1.     Select the desired user accounts, and then click Delete above the user account list.

2.     Click Yes.

To edit a user account:

1.     Click the Edit icon in the Actions column for the desired user account, and then edit the related settings as needed in the dialog box that opens.

2.     Click Apply.

 

Parameters

Parameter

Description

Username

Account name.

State

Options include Active and Blocked.

·     To have the account take effect immediately after configuration, select Active.

·     If the account does not need to take effect immediately after configuration, select Blocked.

Password

Enter a password. If you do not configure a password, no password is required by the system during user authentication. As a best practice to enhance security, configure a password for the user account.

Service Type

Select authentication methods that can be used by the user account. Options include Portal and PPP.

MAC Binding

Select whether to bind the user account to a MAC address.

·     To bind the user account to a MAC address, select Enable and enter a MAC address in the format xx-xx-xx-xx-xx-xx, for example, 00-e0-fc-00-58-29. During authentication, the device compares the specified MAC address with the real MAC address of the user that uses this account. The user fails authentication if the two MAC addresses differ.

·     If you select Disable, this user account can be used to access the external network from any endpoint.

Expiration Date

Select whether to configure a validity period for the user account as needed.

·     If you select Set and configure a validity period, users that use this user account can pass authentication only within the validity period.

·     If you select Not Set, users that use this user account can always pass authentication.

Description

Configure a user account description for easy user identification and management.
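The table above lists five independent settings that each decide whether a login succeeds. The following Python model is an added example, not code from the guide or the device: it applies the checks in one explicit order so the effect of each setting, including the weak case of an account with no password, is visible. Account records, client MAC addresses and dates are constructed. The real device keeps this logic internal, and the order in which it evaluates the settings is not documented here, so the order shown is this example's own.

```python
"""Added example (not from the H3C guide): a model of the user-account checks the
User Settings table describes. Every rejection names the setting responsible, and
the 'no password configured' case is reported explicitly. Accounts, MACs and dates
are constructed sample data; the evaluation order is this example's choice."""
import hmac
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple


@dataclass
class UserAccount:
    username: str
    password: Optional[str]                # None models "no password configured"
    state: str = "Active"                  # Active | Blocked
    service_types: frozenset = frozenset({"Portal", "PPP"})
    bound_mac: Optional[str] = None        # xx-xx-xx-xx-xx-xx, None = MAC Binding disabled
    expires: Optional[date] = None         # None = Expiration Date not set


def canon_mac(mac: str) -> str:
    """Case- and separator-insensitive comparison key: 00:E0:FC:.. equals 00-e0-fc-.."""
    return "".join(c for c in mac.lower() if c.isalnum())


def authenticate(acct: UserAccount, service: str, password: Optional[str],
                 client_mac: str, today: date) -> Tuple[bool, str]:
    """Return (accepted, reason) for one login attempt against one account."""
    if acct.state != "Active":
        return False, "account blocked"
    if service not in acct.service_types:
        return False, f"service type {service} not enabled for this account"
    if acct.expires is not None and today > acct.expires:
        return False, "account expired"
    if acct.bound_mac is not None and canon_mac(acct.bound_mac) != canon_mac(client_mac):
        return False, "MAC binding mismatch"
    if acct.password is None:
        # The weak case the guide warns about: with no password configured, knowing
        # the username (and spoofing the bound MAC, if any) is enough to get in.
        return True, "accepted WITHOUT password check (no password configured)"
    if password is None or not hmac.compare_digest(acct.password.encode(), password.encode()):
        return False, "wrong password"
    return True, "accepted"


# Constructed sample accounts.
ACCOUNTS = {
    "alice": UserAccount("alice", "s3cret", service_types=frozenset({"Portal"}),
                         bound_mac="00-e0-fc-00-58-29", expires=date(2025, 12, 31)),
    "guest": UserAccount("guest", None),               # no password, no binding, never expires
    "bob":   UserAccount("bob", "hunter2", state="Blocked"),
}


def run_samples(today: date = date(2025, 6, 1)):
    """(username, service, password, client MAC) attempts and whether each is accepted."""
    cases = [
        ("alice", "Portal", "s3cret", "00:E0:FC:00:58:29"),   # bound MAC, other notation -> accepted
        ("alice", "PPP",    "s3cret", "00-e0-fc-00-58-29"),   # PPP not in her service types
        ("alice", "Portal", "s3cret", "00-e0-fc-00-00-01"),   # right password, wrong endpoint
        ("guest", "Portal", "anything", "00-11-22-33-44-55"), # accepted without a password check
        ("bob",   "PPP",    "hunter2", "00-11-22-33-44-55"),  # account is Blocked
    ]
    return [(u, authenticate(ACCOUNTS[u], svc, pw, mac, today)[0]) for u, svc, pw, mac in cases]


def expiry_sample():
    """Alice's valid credentials used after her validity period has ended."""
    return authenticate(ACCOUNTS["alice"], "Portal", "s3cret", "00-e0-fc-00-58-29", date(2026, 1, 1))


if __name__ == "__main__":
    for user, accepted in run_samples():
        print(f"{user:<6} {'accepted' if accepted else 'rejected'}")
    print(expiry_sample())
```

The constant-time password comparison via hmac.compare_digest is the example's choice; the point of the block is the branch for a missing password, which succeeds for any client and is why the guide tells you to always set one.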

 

View online users

About this task

Perform this task to view information about online users.

Procedure

Webpage: Authentication > User Management > Online User

 

View information about online users.

 

 


Virtual network

IPsec VPN

IPsec VPN is a virtual private network established by using the IPsec technology. IPsec transmits data through a secure channel established between two endpoints. Such a secure channel is usually called an IPsec tunnel.

IPsec is a security framework that involves the following protocols and algorithms:

·     Authentication Header (AH).

·     Encapsulating Security Payload (ESP).

·     Internet Key Exchange (IKE).

·     Algorithms for authentication and encryption.

AH and ESP provide security services. IKE performs automatic key exchange.

The device supports the following IPsec VPN networking modes:

·     HQ-branch mode—Each branch gateway of an enterprise establishes an IPsec tunnel to the gateway of the headquarters (HQ). Branches can securely communicate with the HQ through IPsec.

·     Branch-branch mode—Within an enterprise, each two branch gateways can establish an IPsec tunnel for communication security.

Manage IPsec policies

Webpage: Virtual Network > IPsec VPN > IPsec Policy

 

On this page, you can perform the following operations:

·     View IPsec policies that have been added.

·     Add an IPsec policy

·     Delete IPsec policies.

·     Edit an IPsec policy.

 

Configure basic IPsec settings

Restrictions and guidelines

·     When the device acts as an HQ gateway, you can configure only one IPsec policy in HQ gateway mode for an interface. When you select an interface for an IPsec policy in HQ gateway mode, make sure that interface has not already been configured with an HQ gateway-mode IPsec policy.

·     When you add protected data flows, do not configure multiple protected flows with the same IP address but different masks, for example, 192.168.1.1/24 and 192.168.1.1/16.

Procedure

 

1.     Click Add to add an IPsec policy, and then configure the related parameters as needed.

2.     Click Advanced Settings to complete the basic configuration and enter the IKE configuration page.

 

Parameters

 

Parameter

Description

Name

IPsec policy name.

Interface

Interface from which packets are received. The IPsec policy will be applied to the selected interface. Make sure the selected interface can reach the peer device.

Network Mode

IPsec VPN networking mode:

·     Branch Gateway: The device acts as a branch gateway and establishes an IPsec tunnel with the HQ gateway. After you select this mode, you must specify the peer IP address for IPsec tunnel establishment. The peer IP address is often the WAN interface address of the HQ gateway or peer branch gateway.

·     Headquarters Gateway: The device acts as an HQ gateway and establishes IPsec tunnels with branch gateways.

Authentication Method

Authentication method for the IPsec tunnel. In the current software version, only the pre-shared key (PSK) method is supported.

Preshared Key

Authentication password for the IPsec tunnel. The pre-shared key (PSK) must be identical on both ends. Agree on it with the peer administrator in advance and distribute it through a secure out-of-band channel, never over the link the tunnel is meant to protect.

ID

ID of the protected data flow.

Protocol

Protocol type of packets protected by the IPsec tunnel.

·     To control packets of a network layer protocol, select IP, IGMP, GRE, IPINIP, or OSPF.

·     To control packets of a transport layer protocol, select TCP or UDP.

·     To control ICMP packets, such as those generated by ping and tracert, select ICMP.

Local Subnet/Mask

Network segment protected by the IPsec tunnel at the local end, for example, 1.1.1.1/24.

Local Port

Port protected by the IPsec tunnel at the local end. This parameter is required when the protected protocol is TCP or UDP.

Peer Subnet/Mask

Network segment protected by the IPsec tunnel at the peer end, for example, 2.2.2.2/24.

Peer Port

Port protected by the IPsec tunnel at the peer end. This parameter is required when the protected protocol is TCP or UDP.

 

Configure IKE settings

Procedure

 

1.     Configure the IKE settings as needed.

2.     Click the IPsec Settings tab.

 

Parameters

 

Parameter

Description

Negotiation Mode

Peer negotiation mode. Options include:

·     Main Mode: This mode uses more negotiation messages and is suitable for scenarios with higher identity protection requirements. The device exchanges identities and authenticates the peer only after the key exchange, so the identities are sent encrypted.

·     Aggressive Mode: This mode uses fewer negotiation messages than main mode and is suitable for scenarios with lower identity protection requirements. Identity exchange, key exchange and authentication are combined, so the identities are sent in cleartext.

Aggressive mode is available only when the IKE version is V1. Select it when the device's public IP address is dynamically assigned, because main mode requires IP address IDs. Note that with pre-shared key authentication, aggressive mode also sends the PSK-based authentication hash unencrypted, which lets an eavesdropper mount an offline dictionary attack on the PSK; use a long, random PSK when you select this mode.

Local ID

Local ID type and local ID used for IKE authentication.

·     If the IKE ID type of the peer end is IP Address, select IP Address as the ID type of the local end. If the IKE negotiation mode is main mode, you must select IP Address as the ID type of the local end. By default, the IP address of the output interface is used as the local ID.

·     If the IKE ID type of the peer end is FQDN, select FQDN as the ID type of the local end and specify the local FQDN as the local ID.

·     If the IKE ID type of the peer end is User-FQDN, select User-FQDN as the ID type of the local end and specify the local user FQDN as the local ID.

Remote ID

Peer ID type and peer ID used for IKE authentication.

·     If the IKE ID type of the local end is IP Address, select IP Address as the ID type of the peer end. If the IKE negotiation mode is main mode, you must select IP Address as the ID type of the peer end. By default, the output interface IP address of the peer is used as the peer ID.

·     If the IKE ID type of the local end is FQDN, select FQDN as the ID type of the peer end and specify the peer FQDN as the peer ID.

·     If the IKE ID type of the local end is User-FQDN, select User-FQDN as the ID type of the peer end and specify the peer user FQDN as the peer ID.

DPD

Select whether to enable dead peer detection (DPD). DPD detects dead peers and the device will delete the IPsec tunnels established with dead peers.

·     DPD Retry Interval: If the device receives no response from the peer before this interval elapses, it considers the peer dead. The value range is 2 to 300 seconds.

Algorithm Suite

Encryption and authentication algorithms used for IKE interaction.

·     Recommended: Use the recommended algorithm suite. The two ends of an IPsec tunnel must be configured with the same recommended algorithm suite.

·     Customize: User-defined algorithms for IKE.

¡     Authentication Algorithm: Authentication algorithm for IKE. The two ends of an IPsec tunnel must use the same authentication algorithm.

¡     Encryption Algorithm: Encryption algorithm for IKE. The two ends of an IPsec tunnel must use the same encryption algorithm.

¡     PFS: Perfect forward secrecy. An additional Diffie-Hellman exchange is performed so that the compromise of one key does not expose keys derived in other negotiations. The two ends of an IPsec tunnel must use the same PFS setting (DH group).

SA Lifetime

Interval for IKE renegotiation. After the specified interval elapses, the IKE SA is renegotiated. As a best practice, set an SA lifetime of 600 seconds or longer.

 

Configure IPsec settings

Procedure

 

Configure IPsec settings.

 

Parameters

 

Parameter

Description

Algorithm Suite

Encryption and authentication algorithms used by the IPsec tunnel.

·     Recommended: Use the recommended algorithm suite. The two ends of an IPsec tunnel must be configured with the same recommended algorithm suite.

·     Customize: User-defined algorithms for the IPsec tunnel.

¡     Security Protocol: Security protocol used by the IPsec tunnel, AH or ESP. AH authenticates the IP packet so that tampering in transit can be detected, but does not encrypt it; ESP can both authenticate and encrypt the payload. The two ends of an IPsec tunnel must be configured with the same security protocol.

¡     ESP Authentication Algorithm: Authentication algorithm for ESP. The two ends of an IPsec tunnel must be configured with the same ESP authentication algorithm.

¡     ESP Encryption Algorithm: Encryption algorithm for ESP. The two ends of an IPsec tunnel must be configured with the same ESP encryption algorithm.

Encapsulation Mode

Encapsulation mode of the IPsec tunnel.

·     Transport: Select this mode when the IPsec tunnel is established between hosts.

·     Tunnel: Select this mode when the IPsec tunnel is established between gateways.

If both the local and peer IPsec-protected network segments are private networks, select Tunnel as the encapsulation mode. The two ends of an IPsec tunnel must be configured with the same encapsulation mode.

PFS

PFS algorithm for the IPsec tunnel. If the local end is configured with PFS, make sure the peer end is also configured with PFS and that both ends use the same DH group. Otherwise, the negotiation fails.

Time-Based SA Lifetime

Interval for IPsec renegotiation. After the specified interval elapses, the IPsec parameters will be renegotiated.

Traffic-Based SA Lifetime

Traffic size that triggers IPsec renegotiation. If the traffic size exceeds the specified value, the IPsec parameters will be renegotiated.

Trigger Mode

IPsec tunnel establishment trigger mode.

·     Traffic-Based: After IPsec tunnel settings are deployed, the two peers establish an IPsec tunnel only when the traffic to be sent meets the IPsec protection requirements.

·     Auto: After IPsec tunnel settings are deployed or the IPsec tunnel is disconnected unexpectedly, the two peers automatically establish an IPsec tunnel and retain that tunnel for a long time. This action occurs regardless of whether the traffic to be sent meets the IPsec protection requirements.
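Most IPsec negotiation failures come from the two ends disagreeing on one of the settings the tables above say must match. The following Python checker is an added example, not a device feature or configuration format: it takes the intended settings of an HQ gateway and a branch gateway as plain dictionaries (the key names are this example's own), reports every field that violates a rule from the IKE and IPsec settings tables, and also applies the protected-flow restriction on one address with several masks from the restrictions list for basic IPsec settings. The sample gateway settings are constructed, and the PSK length threshold for aggressive mode is an example policy, not a device rule.

```python
"""Added example (not from the H3C guide): an off-box consistency check for the two
ends of an IPsec policy, run before the settings are applied on either gateway.
Dictionary keys and sample values are this example's own; the device stores its
configuration in its own format and exposes no such API."""
import ipaddress
from typing import Dict, List

# Settings the guide says must be identical on both ends of the tunnel.
MUST_MATCH = ("psk", "ike_auth", "ike_enc", "ike_pfs", "security_protocol",
              "esp_auth", "esp_enc", "encapsulation", "ipsec_pfs_group")


def check_flows(flows: List[str]) -> List[str]:
    """Flag protected data flows that use one host address with several masks,
    e.g. 192.168.1.1/24 together with 192.168.1.1/16."""
    masks: Dict[str, set] = {}
    for flow in flows:
        addr, _, plen = flow.partition("/")
        masks.setdefault(addr, set()).add(int(plen))
    return [f"flow {addr} configured with several masks: " + ", ".join(f"/{p}" for p in sorted(lens))
            for addr, lens in masks.items() if len(lens) > 1]


def check_pair(local: dict, peer: dict) -> List[str]:
    """Return a list of problems; an empty list means the two ends are consistent."""
    problems = []
    for key in MUST_MATCH:
        if local[key] != peer[key]:
            problems.append(f"{key} differs: {local[key]!r} vs {peer[key]!r}")
    # ID types cross-match: my Local ID type is the peer's Remote ID type and vice versa.
    if local["local_id_type"] != peer["remote_id_type"] or local["remote_id_type"] != peer["local_id_type"]:
        problems.append("IKE ID types do not cross-match between the two ends")
    for side, cfg in (("local", local), ("peer", peer)):
        if cfg["negotiation_mode"] == "main" and {cfg["local_id_type"], cfg["remote_id_type"]} != {"ip"}:
            problems.append(f"{side}: main mode requires IP Address as both ID types")
        if cfg["negotiation_mode"] == "aggressive":
            if cfg["ike_version"] != 1:
                problems.append(f"{side}: aggressive mode exists only in IKEv1")
            if len(cfg["psk"]) < 20:   # example policy threshold, not a device rule
                problems.append(f"{side}: aggressive mode exposes the PSK hash; use a longer random PSK")
        if cfg["ike_sa_lifetime"] < 600:
            problems.append(f"{side}: IKE SA lifetime below the recommended 600 s")
        if not 2 <= cfg["dpd_interval"] <= 300:
            problems.append(f"{side}: DPD interval outside the 2-300 s range")
    both_private = all(ipaddress.ip_network(cfg["protected_subnet"], strict=False).is_private
                       for cfg in (local, peer))
    if both_private and local["encapsulation"] != "tunnel":
        problems.append("both protected subnets are private: use tunnel mode")
    problems += check_flows(local["flows"])
    return problems


# Constructed settings. The branch has a dynamic public address, so both ends use
# IKEv1 aggressive mode and the branch identifies itself by FQDN.
HQ = dict(psk="Correct-Horse-Battery-Staple-7!", ike_version=1, negotiation_mode="aggressive",
          local_id_type="ip", remote_id_type="fqdn",
          ike_auth="sha256", ike_enc="aes-256", ike_pfs="group14", ike_sa_lifetime=86400,
          dpd_interval=30, security_protocol="esp", esp_auth="sha256", esp_enc="aes-256",
          encapsulation="tunnel", ipsec_pfs_group="group14",
          protected_subnet="10.0.0.0/24", flows=["10.0.0.0/24"])
BRANCH = dict(HQ, local_id_type="fqdn", remote_id_type="ip",
              protected_subnet="192.168.1.0/24", flows=["192.168.1.0/24"])
# A misconfigured branch: weaker ESP cipher, main mode with an FQDN ID, overlapping flow masks.
BRANCH_BAD = dict(BRANCH, esp_enc="aes-128", negotiation_mode="main",
                  flows=["192.168.1.1/24", "192.168.1.1/16"])


def audit():
    """Check the good and the bad branch configuration against the HQ settings."""
    return check_pair(BRANCH, HQ), check_pair(BRANCH_BAD, HQ)


if __name__ == "__main__":
    good, bad = audit()
    print("consistent branch:", good or "no problems")
    for p in bad:
        print("misconfigured branch:", p)
```

The checker compares the branch as the local end against the HQ as the peer, which is why the ID types are cross-matched rather than compared directly: the branch's Local ID type has to equal what the HQ configured as its Remote ID type.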

 

Monitor information

Procedure

Webpage: Virtual Network > IPsec VPN > Monitor Information

 

View IPsec policies that have been added.

To delete an IPsec VPN tunnel, click the Delete icon in the Actions column for that tunnel.

 

Parameters

Parameter

Description

Policy Name

Name of the IPsec policy associated with the IPsec VPN tunnel.

Status

Status of the established IPsec VPN tunnel. This field is available only for IPsec VPN tunnels that have been successfully established. For such an IPsec VPN tunnel, this field displays UP.

Interface

Interface from which packets are received. The IPsec policy is applied to the interface.

Local Address

Output interface address of the local device.

Peer Address

Output interface address of the peer device.

Security Proposals

Algorithms used by IPsec VPN.

 

L2TP server

Perform this task to configure basic L2TP server parameters and enable L2TP.

To provide a secure, cost-effective solution for remote users (such as branches and travelers) of an enterprise to access resources in the internal network of the enterprise, configure an L2TP server.

An L2TP server is a device that can process PPP and L2TP protocol packets. Typically, an L2TP server is deployed on the border of the internal network of an enterprise.

L2TP configuration

Webpage: Virtual Network > L2TP Server > L2TP Config

 

On this page, you can perform the following operations:

·     Enable and disable the L2TP server.

·     Add an L2TP group.

·     Delete L2TP groups.

·     Edit an L2TP group.

To add an L2TP group:

1.     Click Add. In the dialog box that opens, configure the parameters as required.

2.     Click Apply.

To delete L2TP groups:

1.     Select the target L2TP groups and click Delete.

2.     In the dialog box that opens, click OK.

To edit an L2TP group:

1.     Click the edit icon in the Actions column for an L2TP group. In the dialog box that opens, edit the L2TP group settings.

2.     Click Apply.

 

Parameters

Parameter

Description

L2TP Server

Select whether to enable the L2TP server. If the L2TP server is enabled, the L2TP server will provide a secure, cost-effective solution for remote users (such as branches and travelers) of an enterprise to access resources in the internal network of the enterprise. By default, the L2TP server is disabled.

Peer Tunnel Name

Tunnel name of the L2TP client. Select this option as needed. If you select it, enter the tunnel name of the L2TP client. The name is a string of 1 to 31 characters and cannot contain pound signs (#), hyphens (-), or spaces.

Local Tunnel Name

Tunnel name of the L2TP server. The name is a string of 1 to 31 characters and supports only uppercase and lowercase letters, digits, and underscores (_).

Tunnel Authentication

Select whether to enable L2TP tunnel authentication. If L2TP tunnel authentication is enabled, enter the tunnel password. The tunnel authentication feature enhances security. To use this feature, you must enable tunnel authentication on both the L2TP server and L2TP client and make sure their passwords are the same. The tunnel password does not support pound signs (#), question marks (?), semicolons (;), or spaces.

PPP Authentication Method

Authentication method for L2TP users, including:

·     None—No authentication is performed on users. Use this method with caution because it offers no security.

·     PAP—A two-way handshake in which the client sends the username and password in cleartext. This method offers only basic protection: anyone who can capture the exchange obtains the password.

·     CHAP—A three-way handshake in which the server sends a challenge and the client returns a hash computed over the challenge and the password, so the password itself is never transmitted. This is the most secure of the three methods.

VT Interface Address

VT interface IP address that enables the L2TP server to allocate IP addresses to L2TP clients or users.

Subnet Mask

Subnet mask for the VT interface IP address, for example, 255.255.255.0.

DNS1

DNS2

Addresses of the primary and secondary DNS servers for L2TP clients or users. The addresses of the primary and secondary DNS servers must be different.

User Address Pool

IP addresses that can be assigned to L2TP clients. The user address pool cannot include VT interface IP addresses that have been configured.

Hello Interval

Interval for sending hello messages between the L2TP server and client, in seconds. Hello messages check the tunnel connectivity between the LAC and LNS.

Flow Control

Select whether to enable flow control.

·     If you select Enable, the sequence numbers carried in L2TP data packets are used to detect lost packets and to reorder out-of-order packets, which improves the correctness and reliability of L2TP data transmission. Enabling flow control on either the L2TP server or the L2TP client is sufficient for this feature to take effect.

·     If you select Disable, packets will not be detected or reordered.

Mandatory CHAP Authentication

Select whether to enable mandatory CHAP authentication.

·     If you select Enable, the L2TP server will use CHAP to perform authentication again for a user after the L2TP client authenticates the user. This feature enhances the security. To enable mandatory CHAP authentication, make sure the PPP authentication method is set to CHAP.

·     If you select Disable, the L2TP server will not perform mandatory CHAP renegotiation for users. For users that do not support second CHAP authentication, disable this feature as a best practice.

Mandatory LCP Renegotiation

Select whether to enable mandatory LCP renegotiation.

·     If you select Enable, the L2TP server will use LCP renegotiation to perform LCP negotiation and authentication again for a user after the L2TP client authenticates the user. This feature enhances the security. If you enable both mandatory LCP renegotiation and mandatory CHAP authentication, only mandatory LCP renegotiation takes effect.

·     If you select Disable, the L2TP server will not perform mandatory LCP renegotiation for users. For users that do not support LCP negotiation, disable this feature as a best practice.
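The security ranking of None, PAP and CHAP in the table above follows directly from what each method sends over the wire. The following Python simulation is an added example, not code from the guide or from any L2TP implementation: it runs both sides of a PAP exchange (RFC 1334) and a CHAP exchange (RFC 1994, where Response = MD5(Identifier || secret || Challenge)) in one process, then replays a captured response of each against the server. Credentials and challenges are constructed. The Mandatory CHAP Authentication setting simply makes the L2TP server run this same CHAP exchange a second time after the L2TP client has authenticated the user.

```python
"""Added example (not from the H3C guide): what PAP and CHAP put on the wire, and
why a captured PAP packet replays while a captured CHAP response does not.
Both peers of each handshake are simulated in this one process; the credential
store, username, password and challenges are constructed sample data."""
import hashlib
import hmac
import os

USERS = {"branch01": b"wh1te-r4bbit"}   # constructed credential store on the L2TP server


# --- PAP (RFC 1334): two-way handshake, the password itself is sent -------------
def pap_request(user: str, password: bytes) -> dict:
    """Authenticate-Request as the client sends it; anyone on the path can read it."""
    return {"user": user, "password": password}


def pap_verify(req: dict) -> bool:
    """Server side: compare the received cleartext password with the stored one."""
    secret = USERS.get(req["user"])
    return secret is not None and hmac.compare_digest(secret, req["password"])


# --- CHAP (RFC 1994): three-way handshake, only a one-time hash is sent ----------
def chap_challenge(length: int = 16) -> bytes:
    """Server -> client: fresh random challenge for this authentication only."""
    return os.urandom(length)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client -> server: MD5(Identifier || secret || Challenge). The secret never leaves the client."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(user: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Server -> client: Success or Failure, by recomputing the expected response."""
    secret = USERS.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def run_chap(user: str, client_secret: bytes, identifier: int = 1):
    """Simulate the three CHAP packets and return (accepted, challenge, response)."""
    challenge = chap_challenge()                                    # Challenge
    response = chap_response(identifier, client_secret, challenge)  # Response
    return chap_verify(user, identifier, challenge, response), challenge, response


def replay_demo():
    """Capture one valid exchange of each kind and replay it.

    Returns (chap_first_login_ok, chap_replay_ok, pap_replay_ok). The CHAP response
    is bound to the challenge it answered, so replaying it against a fresh challenge
    fails; the PAP request carries the password, so replaying it succeeds.
    """
    ok, _challenge, captured_response = run_chap("branch01", USERS["branch01"])
    fresh_challenge = chap_challenge()
    chap_replay_ok = chap_verify("branch01", 1, fresh_challenge, captured_response)
    captured_pap = pap_request("branch01", b"wh1te-r4bbit")        # sniffed off the wire
    pap_replay_ok = pap_verify(captured_pap)
    return ok, chap_replay_ok, pap_replay_ok


if __name__ == "__main__":
    first, chap_replay, pap_replay = replay_demo()
    print(f"CHAP login: {first}, CHAP replay: {chap_replay}, PAP replay: {pap_replay}")
```

CHAP still relies on MD5 and on the server holding the reversible secret, so it protects the password on the wire but is no substitute for running the L2TP session over IPsec; the point of the block is the replay result, which is the concrete difference behind "medium" versus "highest" security in the table.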

 

Tunnel information

Webpage: Virtual Network > L2TP Server > Tunnel Information

 

View L2TP tunnel information.

 

Parameters

Parameter

Description

Local Tunnel ID

ID of the tunnel at the local end.

Peer Tunnel ID

ID of the tunnel at the peer end.

Peer Tunnel Port

Service port used for the connection between the L2TP client and server.

Peer Tunnel IP Address

IP address of the L2TP client.

Session Number

Number of sessions established between the L2TP server and client.

Peer Tunnel Name

Tunnel name of the L2TP client.

Actions

Actions that can be taken on each tunnel information entry.

 

L2TP client

Perform this task to configure basic L2TP client parameters and enable L2TP.

To provide a secure, cost-effective solution for branches of an enterprise to access resources in the internal network of the enterprise, configure an L2TP client.

An L2TP client is a device that can process PPP and L2TP protocol packets. Typically, an L2TP client is deployed on the egress of an enterprise branch.

L2TP configuration

Webpage: Virtual Network > L2TP Client > L2TP Config

 

On this page, you can perform the following operations:

·     Enable and disable the L2TP client.

·     Add an L2TP group.

·     Delete L2TP groups.

·     Edit an L2TP group.

To add an L2TP group:

1.     Click Add. In the dialog box that opens, configure the parameters as required.

2.     Click Apply.

To delete L2TP groups:

1.     Select the target L2TP groups and click Delete.

2.     Click Apply.

To edit an L2TP group:

1.     Click the edit icon in the Actions column for an L2TP group. In the dialog box that opens, edit the L2TP group settings.

2.     Click Apply.

 

Parameters

Parameter

Description

L2TP Group Number

L2TP group number on the L2TP client.

L2TP Client

Select whether to enable the L2TP client. If this feature is enabled, the device acts as an L2TP client and can access the internal resources of the enterprise through the tunnel.

Local Tunnel Name

Tunnel name of the L2TP client. The name is a string of 1 to 31 characters and supports only uppercase and lowercase letters, digits, and underscores (_).

Address Allocation Method

Method for allocating an IP address to the virtual PPP interface after the L2TP tunnel is established, including:

·     Static—The administrator of the L2TP server manually specifies an IP address to the L2TP client.

·     Dynamic—The L2TP server dynamically allocates an IP address to the virtual PPP interface. By default, Dynamic is selected.

Tunnel Authentication

Select whether to enable L2TP tunnel authentication. If you enable L2TP tunnel authentication, enter the tunnel password. The tunnel authentication feature enhances security. To use this feature, you must enable tunnel authentication on both the L2TP server and the L2TP client and make sure their passwords are the same. The tunnel password does not support pound signs (#), question marks (?), semicolons (;), or spaces.

PPP Authentication Method

Authentication method for L2TP users, including:

·     None—Authentication will not be performed on users. Use this authentication method with caution because it is of the lowest security.

·     PAP—A two-way handshake authentication will be performed on users. This authentication method is of medium security.

·     CHAP—A three-way handshake authentication will be performed on users. This authentication method is of the highest security.

Username

Username for authentication. The username is a string of 1 to 55 characters and cannot contain question marks (?). This field is required when PAP or CHAP is specified as the PPP authentication method.

Password

Password for authentication, corresponding to the specified username. The password is a string of 1 to 63 characters. This field is required when PAP or CHAP is specified as the PPP authentication method.

L2TP Server Address

IP address or domain name of the L2TP server.

Hello Interval

Interval for sending hello messages between the L2TP server and client, in seconds. Hello messages check the tunnel connectivity between the LAC and LNS.

Flow Control

Select whether to enable mandatory LCP renegotiation.

·     If you select Enable, the sequence numbers carried in transmitted and received L2TP data packets are used to detect lost packets and to reorder packets. This feature improves the correctness and reliability of L2TP data packet transmission. For this feature to take effect, enable flow control on either the L2TP server or the L2TP client.

·     If you select Disable, packets will not be detected or reordered.
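To make the PPP Authentication Method ranking above concrete (None below PAP below CHAP), here is an added Python illustration of what each method puts on the tunnel; it is example code written for this guide page, not H3C code, and the username and shared secret are constructed values.

```python
import hashlib
import hmac
import os

# Constructed demo credentials for a branch L2TP client; not values from the guide.
USERNAME = b"branch01"
SHARED_SECRET = b"example-ppp-secret"


def pap_authenticate_request(username: bytes, password: bytes) -> bytes:
    """Build the data field of a PAP Authenticate-Request (RFC 1334).

    PAP is the two-way handshake: the peer sends this frame, the authenticator
    answers Ack or Nak. The password is carried in clear text, which is why the
    guide rates PAP below CHAP.
    """
    return bytes([len(username)]) + username + bytes([len(password)]) + password


def chap_challenge(size: int = 16) -> bytes:
    """Step 1 of the CHAP three-way handshake: the authenticator sends a fresh,
    unpredictable challenge. A new challenge per attempt is what defeats replay."""
    return os.urandom(size)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Step 2: the peer answers with MD5(Identifier || secret || Challenge) (RFC 1994).
    The secret itself never crosses the tunnel, only this one-time hash."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Step 3: the authenticator recomputes the expected value from its own copy
    of the secret, compares in constant time, and answers Success or Failure."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_chap_handshake(client_secret: bytes, server_secret: bytes, identifier: int = 1) -> bool:
    """Drive one complete three-way exchange between an L2TP client and server."""
    challenge = chap_challenge()                                        # server -> client
    response = chap_response(identifier, client_secret, challenge)      # client -> server
    return chap_verify(identifier, server_secret, challenge, response)  # server decides


def secret_visible_on_wire(frame: bytes, secret: bytes) -> bool:
    """Does the frame contain the raw secret? True for PAP, never for CHAP."""
    return secret in frame


if __name__ == "__main__":
    pap = pap_authenticate_request(USERNAME, SHARED_SECRET)
    print("PAP leaks secret:", secret_visible_on_wire(pap, SHARED_SECRET))
    chal = chap_challenge()
    print("CHAP leaks secret:", secret_visible_on_wire(chap_response(1, SHARED_SECRET, chal), SHARED_SECRET))
    print("CHAP, matching secrets:", run_chap_handshake(SHARED_SECRET, SHARED_SECRET))
    print("CHAP, mismatched secrets:", run_chap_handshake(SHARED_SECRET, b"other-secret"))
```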

 

Tunnel information

Webpage: Virtual Network > L2TP Client > Tunnel Information

 

View L2TP tunnel information.

 

Parameters

Parameter

Description

Local Tunnel ID

ID of the tunnel on the local end.

Peer Tunnel ID

ID of the tunnel on the peer end.

Peer Tunnel Port

Service port used for the connection between the L2TP client and server.

Local Address

IP address of the L2TP client.

Peer Tunnel IP Address

IP address of the L2TP server.

Session Number

Number of sessions established between the L2TP server and client.

Actions

Actions that can be taken on each tunnel information entry.

 

 


Advanced settings

Application services

About this feature

This feature allows you to configure Domain Name System (DNS) settings. DNS is a distributed database used by TCP/IP applications to translate domain names into IP addresses. Application services mainly include static DNS (SDNS) and dynamic DNS (DDNS).

Configure SDNS

Introduction

DNS provides only the static mappings between domain names and IP addresses. If you use a domain name to access services (such as Web, mail, or FTP) provided by the device, the system automatically checks the static name resolution table for an IP address.

Procedure

Webpage: Advanced Settings > Application Services > SDNS

 

On this page, you can perform the following operations:

·     Display detailed SDNS entry information.

·     Add an SDNS entry.

·     Delete SDNS entries.

·     Edit an SDNS entry.

To add an SDNS entry:

1.     Click Add. In the dialog box that opens, enter a domain name and an IP address.

2.     Click Apply.

To delete SDNS entries:

1.     Select one or multiple SDNS entries.

2.     Click Delete.

3.     In the dialog box that opens, click Yes.

To edit an SDNS entry:

1.     Click the Edit icon in the Operation column for an SDNS entry. In the dialog box that opens, edit the parameters as needed.

2.     Click Apply.

 

Parameters

Parameter

Description

Domain Name

Domain name to be assigned to the network device. Make sure the domain name has a one-to-one correspondence with the device IP address.

IP Address

IP address of the network device, which corresponds to the domain name.

 

Configure DDNS

Introduction

Perform this task to configure DDNS for users to access services (such as Web, mail, or FTP) provided by a device's WAN interface through a fixed domain name when the WAN interface IP changes. For example, the WAN interface IP might change because of broadband dial-up.

Before you configure DDNS, make sure you have registered an account with the DDNS service provider (such as PeanutHull). Then, if the WAN interface IP address of the device changes, the device will automatically notify the DDNS server to update the mapping between the IP address and the fixed domain name.

Restrictions and guidelines

For a device to apply for a domain from the DDNS server, make sure the WAN interface on the device has a public IP address.

Procedure

Webpage: Advanced Settings > Application Services > DDNS

 

On this page, you can perform the following operations:

·     Display detailed DDNS entry information.

·     Add a DDNS entry.

·     Delete DDNS entries.

·     Edit a DDNS entry.

To add a DDNS entry:

1.     Click Add. In the dialog box that opens, select a WAN interface, and enter the domain name, username, and password registered with the service provider.

2.     Click Apply.

To delete DDNS entries:

1.     Select one or multiple DDNS entries.

2.     Click Delete.

3.     In the dialog box that opens, click Yes.

To edit a DDNS entry:

1.     Click the Edit icon in the Operation column for a DDNS entry. In the dialog box that opens, edit the parameters as needed.

2.     Click Apply.

 

Parameters

Parameter

Description

WAN Interface

WAN interface that provides services on the device, for example, WAN0.

Domain Name

Domain name to be assigned to the device. Make sure you have registered the domain name with the DDNS service provider (such as PeanutHull).

Service Provider

DDNS service provider.

·     Options include www.3322.org, ORAY (PeanutHull), and Others. If the server address is different from the default setting, select the Modify Server Address option, and then edit the DDNS server address in the Server Address field.

·     If you select Others, you must enter the DDNS server IP address in the Server Address field.

Update Interval

Interval at which the device sends update requests to the server. You must specify the number of days, hours, and minutes. If you set the interval to 0, the device will send update requests only when the WAN interface IP address changes or the state of the WAN interface changes from down to up.

Account Settings

DDNS account information. Options include:

·     Username: Username registered with the DDNS service provider.

·     Password: Password registered with the DDNS service provider.

Status

DDNS connection status:

·     Connected: The WAN interface has established a DDNS connection with the domain name.

·     Disconnected: The WAN interface has not established a DDNS connection with the domain name.

Operation

Allows you to edit or delete a specific entry.

 

Static routing

Introduction

Static routes are manually configured. If a network's topology is simple and stable, you only need to configure static routes for the network to work correctly. For example, you can configure a static route based on the network egress interface and the gateway IP address for correct communication.

If multiple static routes are available to reach the same destination, you can assign different preference values to the static routes. The lower the preference value of a static route, the higher the preference of the route.

Restrictions and guidelines

If the interface associated with the next hop in a static route becomes invalid, the static route will not be deleted from the local device. To resolve this issue, you need to check your network environment and edit the static route settings.

Procedure

Webpage: Advanced Settings > Static Routing

 

On this page, you can perform the following operations:

·     Display detailed static route information.

·     Add a static route.

·     Delete static routes.

·     Edit a static route.

To add a static route:

1.     Click Add. In the dialog box that opens, configure the parameters, such as destination IP address, mask length, and next hop.

2.     Click Apply.

To delete static routes:

1.     Select one or multiple static routes.

2.     Click Delete.

3.     In the dialog box that opens, click Yes.

To edit a static route:

1.     Click the Edit icon in the Operation column for a static route. In the dialog box that opens, edit the parameters as needed.

2.     Click Apply.

 

Parameters

Parameter

Description

Destination IP address

Destination network address of the static route.

Mask length

Mask length of the destination network address, for example, 24.

Next hop

IP address of the next router that data will pass through before reaching the destination. Follow these guidelines when you configure this parameter:

·     If you can determine the output interface of packets, select the Output interface option and set the next hop IP address. Make sure the next hop address and the output interface reside on the same network segment.

·     If you cannot determine the output interface, do not select the Output interface option. The device will select an appropriate output interface based on the specified next hop IP address.

Preference

Preference of the static route. The smaller the value, the higher the preference.

Description

Description of the static route.

Operation

Allows you to edit or delete a specific entry.

 

Policy-based routing

Introduction

Policy-based routing (PBR) enables you to forward packets flexibly based on packet characteristics by configuring a policy that contains a set of packet matching criteria and actions. For example, you can configure a PBR policy to forward packets with the specified source or destination IP address to the specified next hop or out of the specified interface.

Procedure

Webpage: Advanced Settings > Policy Based Routing

 

On this page, you can perform the following operations:

·     Display detailed PBR policy information.

·     Add a PBR policy.

·     Delete PBR policies.

·     Edit a PBR policy.

To add a PBR policy:

1.     Click Add. In the dialog box that opens, configure the parameters, such as protocol type, source address range, and destination address range.

2.     Click Apply.

To delete PBR policies:

1.     Select one or multiple PBR policies.

2.     Click Delete.

3.     In the dialog box that opens, click Yes.

To edit a PBR policy:

1.     Click the Edit icon in the Actions column for a PBR policy. In the dialog box that opens, edit the parameters as needed.

2.     Click Apply.

 

Parameters

Parameter

Description

Protocol Type

Protocol type of packets. Follow these guidelines when you configure this parameter:

·     To match packets of a transport layer protocol, select TCP or UDP.

·     To match packets of a network layer protocol, select IP.

·     To match packets of the ICMP protocol, such as ping or tracert packets, select ICMP.

·     To match packets of other protocols, select Protocol Number and then enter a protocol number.

Source Address Range

Source IP address range of the PBR policy. To specify an address range, separate the start and end IP addresses with a hyphen (-), for example, 1.1.1.1-1.1.1.2. To specify only one IP address, enter that IP address as both start and end IP addresses.

Destination Address Range

Destination IP address range of the PBR policy. To specify an address range, separate the start and end IP addresses with a hyphen (-), for example, 1.1.1.1-1.1.1.2. To specify only one IP address, enter that IP address as both start and end IP addresses.

Source Port Numbers

Source port numbers of the PBR policy. This parameter is required only when the Protocol Type is TCP or UDP.

Destination Port Numbers

Destination port numbers of the PBR policy. This parameter is required only when the Protocol Type is TCP or UDP.

Validity Period

Time range for the PBR policy to take effect. To specify a whole day, set the valid period to 00:00-24:00.

Output Interface/Next Hop

Output interface and next hop IP address used to forward matching packets.

Description

Description of the PBR policy.

Actions

Allows you to edit or delete a specific entry.
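The matching rules in the table above (protocol, start-end address ranges, ports only for TCP/UDP, a 00:00-24:00 validity period, first matching policy wins) are modelled in this added Python example; it is not H3C code, the packet dictionaries and policies are constructed, and falling back to the routing table when no policy matches is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple, Union

PROTOCOL_NUMBERS = {"TCP": 6, "UDP": 17, "ICMP": 1}


def parse_address_range(text: str) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """'1.1.1.1-1.1.1.2' -> (start, end). A single address counts as both ends."""
    start, sep, end = text.partition("-")
    s = ipaddress.IPv4Address(start.strip())
    e = ipaddress.IPv4Address(end.strip()) if sep else s
    if e < s:
        raise ValueError(f"end address precedes start address in {text!r}")
    return s, e


def parse_validity_period(text: str) -> Tuple[int, int]:
    """'HH:MM-HH:MM' -> minutes since midnight; 24:00 is accepted as end of day (1440)."""
    def to_minutes(hhmm: str) -> int:
        h, m = (int(x) for x in hhmm.strip().split(":"))
        if not (0 <= h <= 24 and 0 <= m < 60) or (h == 24 and m != 0):
            raise ValueError(f"invalid time {hhmm!r}")
        return h * 60 + m
    start, end = text.split("-")
    s, e = to_minutes(start), to_minutes(end)
    if e <= s:
        raise ValueError("validity period end must be after its start")
    return s, e


@dataclass
class PbrPolicy:
    protocol: Union[str, int]        # "TCP", "UDP", "ICMP", "IP", or a raw protocol number
    source: str                      # Source Address Range, e.g. "192.168.10.1-192.168.10.50"
    destination: str                 # Destination Address Range
    next_hop: str                    # Output Interface/Next Hop (next hop only, here)
    source_ports: Sequence[int] = ()
    destination_ports: Sequence[int] = ()
    validity: str = "00:00-24:00"    # whole day, as the guide describes

    def matches(self, pkt: dict, minute_of_day: int) -> bool:
        # "IP" matches any network-layer protocol; names or numbers match exactly.
        if self.protocol != "IP":
            wanted = PROTOCOL_NUMBERS.get(self.protocol, self.protocol)
            if pkt["protocol"] != wanted:
                return False
        s, e = parse_address_range(self.source)
        if not s <= ipaddress.IPv4Address(pkt["src"]) <= e:
            return False
        s, e = parse_address_range(self.destination)
        if not s <= ipaddress.IPv4Address(pkt["dst"]) <= e:
            return False
        # Port criteria apply only to TCP and UDP policies.
        if self.protocol in ("TCP", "UDP"):
            if self.source_ports and pkt.get("sport") not in self.source_ports:
                return False
            if self.destination_ports and pkt.get("dport") not in self.destination_ports:
                return False
        vs, ve = parse_validity_period(self.validity)
        return vs <= minute_of_day < ve


def select_next_hop(policies: Sequence[PbrPolicy], pkt: dict, minute_of_day: int) -> Optional[str]:
    """First matching policy wins; None means fall back to the routing table (assumption)."""
    for policy in policies:
        if policy.matches(pkt, minute_of_day):
            return policy.next_hop
    return None


# Constructed sample policies: HTTPS from one LAN range via link A during office hours,
# ICMP from a monitoring host to one target via link B all day.
POLICIES = [
    PbrPolicy("TCP", "192.168.10.1-192.168.10.50", "0.0.0.0-255.255.255.255",
              "203.0.113.1", destination_ports=(443,), validity="08:00-18:00"),
    PbrPolicy("ICMP", "192.168.10.200", "198.51.100.5", "203.0.113.2"),
]
```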

 

SNMP

About SNMP

Simple Network Management Protocol (SNMP) allows you to use a network management system (NMS), such as MIB Browser, to access and manage devices. With SNMP configured, devices automatically send traps or informs to the NMS when a critical event (such as interface going up or coming down, high CPU utilization, and memory exhaustion) occurs.

The device supports SNMPv1, SNMPv2c, and SNMPv3. SNMPv3 is more secure than SNMPv1 and SNMPv2c.

·     SNMPv1 and SNMPv2c use a community name for authentication.

·     SNMPv3 uses a username for authentication and you must configure an authentication key and a privacy key to ensure communication security.

¡     The username and authentication key are used to authenticate the NMSs to prevent invalid NMSs from accessing the device.

¡     The privacy key is used to encrypt the messages transmitted between the NMS and the device to prevent the messages from being eavesdropped.

Before you configure SNMP, make sure the NMS and the device use the same SNMP version.

Configure SNMPv1 and SNMPv2c

CAUTION:

·     The NMS and device must use the same SNMP passwords. SNMP passwords include the read-only password and the read-write password; configure at least one of them.

·     To obtain parameter values from the device, configure only a read-only password.

·     To obtain and set parameter values on the device, configure a read and write password.

 

Procedure

Webpage: Advanced Settings > SNMP

 

To configure SNMPv1 and SNMPv2c:

1.     Enable SNMP, and set the SNMP version and password.

2.     Click Apply.

 

Parameters

Parameter

Description

SNMP

Whether to enable SNMP. If SNMP is enabled, the device allows you to manage the device through an NMS (such as MIB Browser), including status monitoring, data acquisition, and troubleshooting.

SNMP Version

Select the SNMP version used by the device as needed.

·     If the NMS uses SNMPv1 or SNMPv2c, select SNMPv1 and SNMPv2c.

·     If the NMS uses SNMPv3, select SNMPv3.

SNMP Password

Options are Read-only password and Read-write password. You must configure at least one of them. This parameter is required only when the SNMP version is SNMPv1 or SNMPv2c.

·     To obtain parameter values from the device, configure only a read-only password.

·     To obtain and set parameter values on the device, configure a read and write password.

Trust Host IPv4 Address

Enter the IP address of an NMS. Only the specified NMS can manage the device. If you do not configure this parameter, all NMSs that use correct SNMP passwords can manage the device.

Trap Target Host IPv4 Address/Domain

Enter the IP address or domain name of the host to receive the notifications.

Contact Information

Enter the contact information of the device administrator, a string of 1 to 255 characters. Network maintenance engineers can use the contact information to get in touch with the manufacturer in case of network failures. Question marks and carriage returns are not supported. The string cannot contain only spaces.

Device Location

Enter the physical location of the device, a string of 1 to 255 characters. Question marks and carriage returns are not supported. The string cannot contain only spaces.

 

Configure SNMPv3

CAUTION:

Configure the same username, authentication password, and privacy password for an NMS and the device.

 

Procedure

Webpage: Advanced Settings > SNMP

 

To configure SNMPv3:

1.     Enable SNMP, and set the SNMP version, username, and authentication key.

2.     Click Apply.

 

Parameters

Parameter

Description

SNMP

Whether to enable SNMP. If SNMP is enabled, the device allows you to manage the device through an NMS (such as MIB Browser), including status monitoring, data acquisition, and troubleshooting.

SNMP Version

Select the SNMP version used by the device as needed.

·     If the NMS uses SNMPv1 or SNMPv2c, select SNMPv1 and SNMPv2c.

·     If the NMS uses SNMPv3, select SNMPv3.

Username

Specify a username.

Authentication Key

Specify the authentication key.

Privacy Key

Specify the privacy key.

Trust Host IPv4 Address

Enter the IP address of an NMS. Only the specified NMS can manage the device. If you do not configure this parameter, all NMSs that use correct SNMP username, authentication key, and privacy key can manage the device.

Trap Target Host IPv4 Address/Domain

Enter the IP address or domain name of the host to receive the notifications.

Contact Information

Enter the contact information of the device administrator, a string of 1 to 255 characters. Network maintenance engineers can use the contact information to get in touch with the manufacturer in case of network failures. Question marks and carriage returns are not supported. The string cannot contain only spaces.

Device Location

Enter the physical location of the device, a string of 1 to 255 characters. Question marks and carriage returns are not supported. The string cannot contain only spaces.
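The caution above says the NMS and the device must hold the same username, authentication password and privacy password. The added Python example here shows why, by implementing the standard USM password-to-key transform (RFC 3414 A.2) that turns those passwords into per-device localized keys; it is illustration code for this page, not H3C code, and the demo engine ID and passwords are constructed. Keys are tied to one engine ID, so the same password yields a different key on every device.

```python
import hashlib
import hmac

ONE_MIB = 1_048_576

# Constructed SNMP engine ID for the demo device (not a value from the guide).
DEMO_ENGINE_ID = bytes.fromhex("800063a280000102030405")


def password_to_ku(password: bytes, algo: str) -> bytes:
    """RFC 3414 A.2 step 1: hash the password cycled out to exactly 1 MiB (Ku)."""
    if not password:
        raise ValueError("an SNMPv3 password must not be empty")
    expanded = (password * (ONE_MIB // len(password) + 1))[:ONE_MIB]
    return hashlib.new(algo, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Step 2: Kul = H(Ku || snmpEngineID || Ku), binding the key to one device."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def password_to_key(password: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Full transform from a configured password to the localized key the engine stores."""
    return localize_key(password_to_ku(password, algo), engine_id, algo)


def usm_user_keys(auth_password: bytes, priv_password: bytes, engine_id: bytes,
                  algo: str = "sha1") -> dict:
    """Localized authentication and privacy keys for one USM user on one engine.
    The privacy password goes through the same transform with the auth hash."""
    return {
        "auth": password_to_key(auth_password, engine_id, algo),
        "priv": password_to_key(priv_password, engine_id, algo),
    }


def keys_agree(nms_keys: dict, device_keys: dict) -> bool:
    """The NMS can only authenticate and decrypt if both sides derived identical
    localized keys: same passwords, same hash algorithm, same engine ID."""
    return all(hmac.compare_digest(nms_keys[k], device_keys[k]) for k in ("auth", "priv"))


if __name__ == "__main__":
    device = usm_user_keys(b"authpass123", b"privpass123", DEMO_ENGINE_ID)
    nms_ok = usm_user_keys(b"authpass123", b"privpass123", DEMO_ENGINE_ID)
    nms_typo = usm_user_keys(b"authpass124", b"privpass123", DEMO_ENGINE_ID)
    print("matching configuration:", keys_agree(nms_ok, device))
    print("one-character password typo:", keys_agree(nms_typo, device))
```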

 

 


System tool

Basic settings

About this feature

Use this feature to configure device information and set the system time.

The device information includes device name, device location, and contact information. The device name is editable, but the device location and contact information cannot be edited.

The system time includes date, time, and time zone. Correct system time is essential to network management and communication. Configure the system time correctly before you run the device on the network.

You can use the following methods to obtain the system time:

·     Manually set the date and time—After you specify the date and time, the device will use its internal clock signal for timing. If the device restarts, the system time will be reset to the factory default.

·     Automatic time synchronization—The device uses the time obtained from the NTP server as the current system time and periodically synchronizes the time with the NTP server. The device can resynchronize the system time of the NTP server after it restarts. As a best practice, use automatic time synchronization if an NTP server is available in your network to provide more accurate time.

Restrictions and guidelines

·     Whether default NTP servers are configured for the device depends on the device model.

·     You can use the default NTP servers or specify NTP servers as needed. The device automatically obtains the UTC time from the available NTP server that provides the highest time precision. If no NTP server is available, the device uses its internal clock signal. After an NTP server recovers, the device synchronizes time with the NTP server again.

Device Info

For easy management of devices on the network, you must set the device information, including the device name, location, and the network administrator's contact information.

As a best practice, use Google Chrome 57.0 or higher, or Mozilla Firefox 124 or higher.

Procedure

Webpage: System Tool > Basic Settings > Device Info.

 

Set device information, including the device name, location, and the network administrator's contact information.

 

Parameters

Parameter

Description

Device Name

Enter the device name, for example, device model.IP address.

Device Location

Enter the location of the device.

Contact Information

Enter the contact information of the network administrator.

 

Date/Time

Set the system time by using either of the following methods:

·     Manually set the date and time.

·     Enable automatic date and time synchronization.

Set the time zone of the device to the time zone of the geographical area where the device is located. For example, if the device is in China, select Beijing, Chongqing, Hong Kong SAR, Urumqi (GMT+ 8:00 AM). If the device is in the United States, select Central Time (US & Canada) (GMT-06:00).

Procedure

Webpage: System Tool > Basic Settings > Date/Time

 

Set the system time.

Select Manually set the clock to set the system time to the current time in the geographic area where the device is located.

1.     Specify the year, month, and day.

2.     Select the time. The minute and second values available on the Web interface are multiples of 3 (00, 03, 06, 09, ..., 57). You can use the up or down arrows to fine tune the values. For example, to set the minute value to 20, select 18 first, and then click the up arrow twice to get 20.

3.     Select the time zone of the place where the device is located.

4.     Click Apply.

To synchronize the system time with an NTP server:

1.     Select Automatically synchronize the clock with a trusted time source on the network.

2.     In the NTP Server 1 field, enter the IP address of NTP server 1.

3.     In the NTP Server 2 field, enter the IP address of NTP server 2.

4.     Select the time zone of the place where the device is located.

5.     Click Apply.

 

Parameters

Parameter

Description

System Time

Current system time.

Manually set the clock

Manually set the system date and time. If the device restarts, the system time will revert to the factory default time.

Automatically synchronize the clock with a trusted time source on the network

For time consistency between the device and the NTP server, make sure the device uses the same time zone as that configured on the NTP server.

NTP Server 1

Enter the IP address or domain name for NTP server 1.

NTP Server 2

Enter the IP address or domain name for NTP server 2.

Default NTP Server List

Click Default NTP Server List to identify the default NTP servers.

Time Zone

Set the time zone.

 

Diagnostics

Tracert

Procedure

Webpage: System Tool > Diagnostics > Tracert

 

Perform this task to trace the path that the packets traverse from source to destination.

To start the test, click Start.

 

Parameters

Parameter

Description

Destination IP or Hostname

Enter the destination IP address or host name.

Result

Displays the tracert result.

 

Ping

Procedure

Webpage: System Tool > Diagnostics > Ping

 

Perform this task to test the reachability of the destination IP address.

To start the test, click Start. The system displays the test process and result on this page, including packet sending information and average RTT to the specified host.

 

Parameters

Parameter

Description

Destination IP or Hostname

Enter the destination IP address or host name.

Result

The system displays the test process and result on this page, including packet sending information and average RTT to the specified host.

 

Diagnostics

Procedure

Webpage: System Tool > Diagnostics > Diagnostic Export

 

Diagnostic information provides operation information for each functional module to help troubleshoot issues. The device automatically saves this information as a ZIP file to your endpoint.

To start collecting diagnostic information, click Collect.

 

Parameters

N/A

Port mirroring

Procedure

Webpage: System Tool > Diagnostics > Port Mirroring

 

Port mirroring copies the packets passing through a port to a port that connects to a data monitoring device for traffic monitoring, performance analysis, and fault diagnostics.

 

Parameters

Parameter

Description

Layer 2

Select Layer 2 if the source device and the destination device communicate at Layer 2.

Layer 3

Select Layer 3 if the source device and the destination device communicate at Layer 3.

Source Port

Select the source port.

Direction

Select a direction for the source port.

·     To copy only packets received by the mirroring source, select Inbound.

·     To copy only packets sent from the mirroring source, select Outbound.

·     To copy packets received by and sent from the mirroring source, select Both.

+

To add more source ports, click the + icon.

Destination Port

Select the destination port, which connects to a data monitoring device.

 

Packet capture

CAUTION:

Before you use this feature, make sure the storage medium has sufficient space to store the packet capture file. If the storage space is insufficient, the packet capture task will be stopped before it is completed.

 

Procedure

Webpage: System Tool > Diagnostics > Packet capture

 

Use this tool to capture data packets for fault analysis.

To start packet capture, click Start. The system displays the packet capture process and the current number of captured packets on this page.

During the packet capture process, you can click Cancel to terminate the current operation and export the captured file flash--packetCapture.pcap.

 

Parameters

Parameter

Description

Interface

Select the interface on which packets are to be captured. Any WAN interface on the router can be selected.

Bytes to Capture

Set the size of packets to be captured, in bytes. The capture length parameter represents the maximum length that the device can capture from a packet. Packets larger than this value will be truncated. A longer capture length increases the packet processing time and reduces the number of packets that tcpdump can cache, which might result in packet loss. Therefore, the smaller the capture length while still capturing the desired packets, the better.

Protocol

Specify protocol types for capturing packets as needed. If you select ALL, all packets on the interface will be captured.

Max Packet File Size

Set the maximum size of the file that stores captured packets, in MB.

Duration

Set the packet capture duration, in seconds.

Source Host

Select the source host.

Destination Host

Select the destination host.

Any

To capture packets from all the source or destination hosts, select this option.

By IP

To capture packets from or destined for the specified IP address, select this option.

By MAC

To capture packets from or destined for the specified MAC address, select this option.

 

Admin accounts

Webpage: System Tool > Admin Accounts

 

Perform this task to manage and maintain the admin accounts used by users to log in to the device. You can add, edit, or delete admin accounts.

Click Add to add an admin account.

1.     Enter the administrator name in the Username field.

2.     In the Password field, enter the admin password.

3.     In the Confirm Password field, re-enter the password and make sure the two entries match.

4.     Select the role for the account at login from the User Roles list.

5.     Select the network services allowed for the administrator account from Permitted Access Types.

6.     Enter the maximum number of concurrent online users allowed in the Max Concurrent Online Users field.

7.     In the FTP Directory field, enter the path for the administrator to access the device through FTP.

8.     Click OK.

 

To edit an administrator account, click the edit icon in the Actions column for that account.

1.     In the Reset Password field, enter a new password.

2.     In the Confirm Password field, confirm the new password by entering the password again.

3.     Select a new role for the account from the User Roles list.

4.     Select the network services allowed for the administrator account from Permitted Access Types.

5.     Enter the maximum number of concurrent online users allowed in the Max Concurrent Online Users field.

6.     In the FTP Directory field, enter the path for the administrator to access the device through FTP.

7.     Click OK.

 

To delete an administrator account, click the delete icon in the Actions column for that account, and then click Yes in the dialog box that opens.

 

Parameters

Parameter

Description

Username

Enter the administrator name.

Password

Enter a password. If you do not configure a password, no password is required by the system when a user uses this account to log in to the device. To improve security, configure a password for the admin account.

Confirm Password

Re-enter your password and make sure it matches the one you have set.

User Roles

Select the role for the account at login.

·     To assign the highest administrative privilege to this admin account, select Administrator.

·     To assign only the view privilege to this admin account, select Operator.

Permitted Access Types

Select access services.

·     To assign the console service to this admin account, select Console. The console service allows users to log in to the device from the console port.

·     To assign the Telnet service to this admin account, select Telnet. The Telnet service allows users to Telnet to the device from a Telnet client when the device acts as a Telnet server.

·     To assign the FTP service to this admin account, select FTP. The FTP service allows users to access the file system resources on the device from an FTP client when the device acts as an FTP server.

·     To assign the Web service to this admin account, select WEB. The Web service allows users to log in to the device from the Web interface.

·     To assign the SSH service to this admin account, select SSH. The SSH service allows users to log in to the device from an SSH client when the device acts as an SSH server. SSH login is more secure than Telnet login.

Max Concurrent Online Users

Set the maximum number of concurrent users that can use this admin account. If you do not set a limit, the device does not limit the number of concurrent users that use this admin account.

This setting does not limit the number of concurrent users that use this admin account to log in to the device through FTP.

FTP Directory

Enter a working directory, for example, flash:/dpi. You must configure this parameter if the admin account is assigned the FTP service.

As a best practice to enter a valid working directory, first access the System Tool > Upgrade > File Management page to view existing file paths.

Change Password

Enter a new password. After you change the password of an admin account, users that use this admin account must change the password again at the next login.

 

Remote management

Ping

Procedure

Webpage: System Tools > Remote Management > Ping

 

The ping function can test network connectivity and promptly inform you of the network status.

 

Parameters

Parameter

Description

Permit ping

Select this option to allow the interface to receive ping packets.

Apply

Click to commit the configuration.

 

Telnet

Procedure

Webpage: System Tools > Remote Management > Telnet

 

Telnet provides remote login services. You can use Telnet to log in to the device from a PC to remotely manage the device.

In the Administrator IP Address List section, click Add.

 

Parameters

Parameter

Description

Telnet

Click the slide button to enable or disable the Telnet service.

IPv4 Listening Port

Enter the number of the port used by the Telnet service to log in to the device through IPv4.

IPv6 Listening Port

Enter the number of the port used by the Telnet service to log in to the device through IPv6.

Apply

Click to commit the configuration.

Add/Edit

Click to add or edit the administrator IP address list.

IP Address

Enter the IP address of the administrator.

IP Address Range

Enter the IP address range of the administrator. Make sure the start address is lower than the end address. The specified IP address can be outside the specified IP address range.

Start

Specify the start address of the address range allowed to access the device through Telnet.

End

Specify the end address of the address range allowed to access the device through Telnet.

Excluded Addresses

Specify IP addresses that cannot access the device through Telnet. The specified IP addresses must be within the IP address range.

Apply

Click to commit the configuration.

 

SSH

Procedure

Webpage: System Tools > Remote Management > SSH

 

SSH is used to achieve secure remote access and file transfer in unsecure network environments through encryption and authentication mechanisms. When the device acts as an SSH server, it can provide the following services:

·     Stelnet—Secure Telnet. Stelnet functions the same as Telnet but offers a more secure and reliable access method.

·     SFTP—Secure FTP. SFTP provides a secure and reliable network file transfer service, allowing users to safely log into devices for file management while ensuring the security of file transfers.

·     SCP—Secure Copy. SCP can provide secure file copying functionality.

 

Parameters

Parameter

Description

Stelnet

Click the slide button to enable or disable the Stelnet service.

SFTP

Click the slide button to enable or disable the SFTP service.

SCP

Click the slide button to enable or disable the SCP service.

 

HTTP/HTTPS

Procedure

Webpage: System Tools > Remote Management > HTTP/HTTPS

 

Perform this task to configure the HTTP and HTTPS Web login methods. HTTPS is more secure than HTTP because the session is encrypted. You can log in to the Web interface of the device from a PC using HTTP or HTTPS and then configure and manage the device through the graphical interface.

To add an administrator IP address entry, click Add. Specify the IP address, IP address range, and excluded addresses as needed.

 

Parameters

Parameter

Description

HTTP Service Port

Enter the port number used to log into the device through HTTP. As a best practice, use a port number larger than 10000.

HTTPS Service Port

Enter the port number used to log into the device through HTTPS. As a best practice, use a port number larger than 10000.

Login Timeout Timer

Enter the idle timeout on the Web interface. By default, the timeout is 10 minutes. When the idle time of an administrator exceeds the timeout, the system automatically logs the administrator out. The configuration takes effect at the next login of each administrator.

Apply

Click to commit the configuration.

Add

Add an IP address or IP address range allowed to access the Web interface of the device.

IP Address

Enter an IP address allowed to access the Web interface of the device.

IP Address Range

Enter an IP address range allowed to access the Web interface of the device. Make sure the start address is lower than the end address. The specified IP address can be outside the specified IP address range.

Start

Enter the start address of the IP address range allowed to access the Web interface of the device.

End

Enter the end address of the IP address range allowed to access the Web interface of the device.

Excluded Addresses

Specify IP addresses that cannot access the Web interface of the device. The specified IP addresses must be within the IP address range.

Apply

Click to commit the configuration. By default, the device allows any address in the range 1.1.1.1 to 255.255.255.255 to access the Web interface. You can narrow the permitted IP addresses as needed. Make sure the setting is correct so that the administrator can still access the Web interface. As a best practice, add the address subnet of a VLAN interface to the administrator IP address list and do not delete that entry.

Cancel

Cancel the administrator IP address configuration.
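The administrator IP address list used by both the Telnet page and the HTTP/HTTPS page above follows the same rules: a single IP address, an IP address range whose start is lower than its end, and excluded addresses that must lie inside that range. The following Python is an added example that models those rules and contrasts the factory default range with a narrowed list; it is not H3C code, and the entry layout, the sample addresses and the matching logic are assumptions.

```python
"""Administrator IP address list check (added example, not H3C code)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional


@dataclass
class AdminEntry:
    address: Optional[IPv4Address] = None        # single permitted address
    start: Optional[IPv4Address] = None          # range start
    end: Optional[IPv4Address] = None            # range end
    excluded: List[IPv4Address] = field(default_factory=list)

    def validate(self) -> None:
        """Enforce the constraints stated in the parameter descriptions."""
        if self.address is None and self.start is None:
            raise ValueError("entry needs an address or a range")
        if (self.start is None) != (self.end is None):
            raise ValueError("start and end must be set together")
        if self.start is not None and not self.start < self.end:
            raise ValueError("start address must be lower than end address")
        for ex in self.excluded:
            if self.start is None or not self.start <= ex <= self.end:
                raise ValueError(f"excluded address {ex} is outside the range")

    def permits(self, src: IPv4Address) -> bool:
        """True if src may reach the management service through this entry."""
        if self.address is not None and src == self.address:
            return True  # the single address counts even when outside the range
        if self.start is None:
            return False
        return self.start <= src <= self.end and src not in self.excluded


def _ip(text: Optional[str]) -> Optional[IPv4Address]:
    return None if text is None else IPv4Address(text)


def make_entry(address=None, start=None, end=None, excluded=()) -> AdminEntry:
    e = AdminEntry(_ip(address), _ip(start), _ip(end), [IPv4Address(x) for x in excluded])
    e.validate()
    return e


def entry_is_valid(**kwargs) -> bool:
    """The same checks, reported as a boolean for form-validation code."""
    try:
        make_entry(**kwargs)
        return True
    except ValueError:
        return False


def is_permitted(entries: List[AdminEntry], src: str) -> bool:
    """True if any entry in the list admits the source address."""
    return any(e.permits(IPv4Address(src)) for e in entries)


# Factory default quoted in the guide: any address from 1.1.1.1 to 255.255.255.255.
DEFAULT_LIST = [make_entry(start="1.1.1.1", end="255.255.255.255")]

# Constructed narrowed list: one management VLAN subnet minus one host,
# plus a single out-of-range jump host (addresses are made up).
HARDENED_LIST = [
    make_entry(start="192.168.10.1", end="192.168.10.254", excluded=["192.168.10.50"]),
    make_entry(address="10.20.0.9"),
]

if __name__ == "__main__":
    for src in ("203.0.113.7", "192.168.10.20", "192.168.10.50", "10.20.0.9"):
        print(src, is_permitted(DEFAULT_LIST, src), is_permitted(HARDENED_LIST, src))
```

Running the block shows that the default range admits an arbitrary Internet source such as 203.0.113.7 while the narrowed list rejects it.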

 

Cloud service

Procedure

Webpage: System Tools > Remote Management > Cloud Service

 

This feature enables the device to establish a remote management tunnel with the H3C cloud server through the Internet. Network administrators can then remotely manage and maintain devices distributed across different regions through the cloud server.

 

Parameters

Parameter

Description

Cloud Service

Select whether to enable the cloud service.

Server domain name

Enter the domain name of the cloud platform.

Sysname

Enter the sysname of the device.

Connection State

Displays the current cloud connection state.

Management State

Displays the current management state.

Apply

Click to commit the configuration.

QR codes

Use your cellphone to scan the QR code at the left to download the Cloudnet app. After logging into the Cloudnet app, you can manage and maintain the device remotely.

 

Configuration management

View the current configuration

Webpage: System Tools > Config Management > View Config

 

Perform this task to view the current configuration of the device, such as the device version number and interface IP address.

 

Restore the factory configuration

Procedure

Webpage: System Tools > Config Management > Restore Config

 

If the device has no configuration file or the configuration file is corrupted, use this feature to restore the factory configuration so that the device can start up and operate correctly.

 

Parameters

Parameter

Description

Reset

Restore the factory configuration and restart the device.

 

Restore the device from a backup

Procedure

Webpage: System Tools > Config Management > Save Config

 

·     After configuring the device, for the configuration to take effect after the device restarts, access this page and save the running configuration on the device.

·     If the device is configured incorrectly, you can restore the device from a backup for the device to operate correctly again.

·     To export the current configuration file as a backup, use the Export Running Configuration feature.

To export the current configuration:

1.     Click Export Running Configuration.

2.     Select the save method.

¡     To the next-startup configuration file—Save the running configuration to the root directory of the storage media as the main next-startup configuration file.

¡     To file—Save the running configuration to the specified file. The device then sets the file as the main next-startup configuration file.

3.     Click Apply.

To restore the device from a backup:

1.     Click Restore from Backup.

2.     Browse to the target backup configuration file.

3.     Click Apply. For the restored backup to take effect, restart the device manually.

To download the current configuration to the local PC, click Export Running Configuration.

 

Parameters

Parameter

Description

Save Running Configuration

After configuring the device, for the configuration to take effect after the device restarts, click this button.

To the next-startup configuration file

Save the running configuration to the root directory of the storage media as the main next-startup configuration file.

To file

Enter the name of a configuration file. The device then sets the file as the main next-startup configuration file.

Restore from Backup

If the device is configured incorrectly, you can restore the device from a backup for the device to operate correctly again.

Select File

Select the backup configuration file in the specified directory.

Export Running Configuration

To export the current configuration file as a backup, click this button.

 

Upgrade

Procedure

Webpage: System Tools > Upgrade > Software Upgrade

 

Perform this task to upgrade the device version and manage files on the device. To address current software vulnerabilities or update application features, perform version upgrade:

·     Manual Upgrade—Upload a local .ipe file to the device and upgrade the device with the file.

·     Auto Upgrade—Trigger the device to download the most recent software package from the cloud platform and upgrade.

To perform manual upgrade:

1.     Click Manual Upgrade.

2.     Click Select File and browse to the target .ipe file.

3.     For the device to restart immediately upon upgrade completion, select Reboot Now.

4.     Click Apply.

To perform auto upgrade, click Auto Upgrade. The device then attempts to download the most recent software package from the cloud platform and performs upgrade.

 

Parameters

Parameter

Description

Manual Upgrade

Upload a local .ipe file to the device and upgrade the device with the file.

Select File

Browse to the target .ipe file.

Restart Now

Configure the device to restart immediately upon upgrade completion.

Auto Upgrade

Trigger the device to download the most recent software package from the cloud platform and perform the upgrade. Before triggering auto upgrade, configure the cloud service and make sure the device is successfully connected to the cloud platform. To configure the cloud service, access System Tools > Remote Management > Cloud Service.

 

File management

Procedure

Webpage: System Tools > Upgrade > File Management

 

File management supports the following operations:

·     Upload—Upload local files to the device.

·     Delete—Delete files on the device.

·     Download—Download files on the device to the local host.

To upload a file:

1.     Click Upload.

2.     Click Select File and browse to the target file.

3.     Click Apply.

To delete files:

1.     Select the target files, and then click Delete.

2.     In the confirmation dialog box that opens, click Yes.

To download files, select the target files, and then click Download.

 

Parameters

Parameter

Description

Upload

Upload local files to the device. For example, before performing a manual system upgrade, you must upload the corresponding .ipe file to the device.

Select File

Select the file in the specified directory.

Delete

Delete files on the device. You can perform this task to delete non-essential files to free up space on the device. To avoid system errors, do not delete version files.

Download

Download files on the device to the local host. You can download files as needed for backup or data analysis purposes.

 

License management

 

NOTE:

To avoid operation failures, make sure no one else is performing license management tasks on the same device when you are managing licenses.

 

To use license-based features, you must purchase a license key, request the activation file, and install the license.

License configuration

Procedure

Webpage: System Tools > License Management > License configuration

 

You can install a license automatically online or manually through a local host.

To perform online license installation:

1.     Click Online Automatic Installation.

2.     Specify the domain name of the license management platform.

3.     Click Test to check if the license management platform can provide the online auto license installation service.

¡     If the LED color is gray, it indicates that the platform is being tested.

¡     If the LED color is red, it indicates that the platform cannot provide the online auto license installation service.

¡     If the LED color is green, it indicates that the platform supports the online auto license installation service.

4.     Enter the license key.

¡     The official license key is included in the license certificate.

¡     To obtain a temporary license key, contact Technical Support. To verify if a product supports temporary licensing, see the product license support documentation.

¡     Enter the customer company/organization name, the applicant company/organization name, the applicant name, the applicant phone number, and the applicant email address.

5.     Click Apply.

To perform local manual license installation:

1.     Click Local Manual Installation.

2.     Select the license activation file.

3.     Click Apply.

 

Parameters

Parameter

Description

Online Automatic Installation

You can directly use the purchased license key to authorize the device for features associated with the license. Manual application and installation of the activation file are not required.

Location

Location where the license and the corresponding features will take effect.

License management platform domain name

Specify the domain name of the license management platform.

Test

Check if the license management platform can provide the online auto license installation service.

·     If the LED color is gray, it indicates that the platform is being tested.

·     If the LED color is red, it indicates that the platform cannot provide the online auto license installation service.

·     If the LED color is green, it indicates that the platform supports the online auto license installation service.

License Key

Enter the license key.

·     The official license key is included in the license certificate.

·     To obtain a temporary license key, contact Technical Support. To verify if a product supports temporary licensing, see the product license support documentation.

Customer company/organization

Enter the company or organization name of the customer.

Company/Organization

Enter the name of the applicant company or organization.

Contact person

Enter the name of the contact person.

Phone number

Enter the phone number of the contact person.

Email address

Enter the email address of the contact person.

Zip code

Enter the zip code of the contact person.

Address

Enter the address of the contact person.

Project name

Enter the project name.

Local Manual Installation

After obtaining the requested license activation file, you must install the activation file on the device to use the license-based features.

Select a license file

Select the license activation file.

 

Obtain the DID

 

NOTE:

·     Please keep the activation file safe and back it up to prevent accidental loss.

·     Do not open the activation file. If you do so, the file format might change, rendering the file invalid.

·     To avoid licensing errors, do not change the name of the activation file.

·     If you have entered the correct information on the H3C license management platform, but the application of the activation file still fails, contact Technical Support.

 

Procedure

Webpage: System Tools > License Management > Obtain DID

 

Click the Obtain DID tab. Obtain the device SN and DID. Then, you can request the license activation file.

1.     Purchase a license certificate and obtain the license key.

2.     Obtain the device SN and DID.

3.     Log in to the H3C license management platform at http://www.h3c.com/cn/License, and obtain the license activation file. For more information, access http://www.h3c.com/cn/home/qr/default.htm?id=602.

 

Parameters

Parameter

Description

Location

Location where the license and the corresponding features will take effect.

 

License and features

Procedure

Webpage: System Tools > License Management > License and features

 

Perform this task to view features that require licensing.

 

Parameters

Parameter

Description

Location

Location where the license and the corresponding features will take effect.

Feature name

Name of a feature supported by the device that requires licensing.

Licensed or Not

Whether the feature is licensed. A value of Y indicates licensed, and a value of N indicates unlicensed.

Status

License status of the feature. Options include:

·     Formal—A formal license is installed for the feature and the license is valid.

·     Trial—A trial license is installed for the feature and the license is valid.

·     Pre-licensed—A license is pre-installed for the feature in factory settings and the license is valid.

·     - —No valid license is installed for the feature. To use the feature, install a corresponding license.

Advanced Search

Find the corresponding license and feature information using any combination of location, feature name, license status, or status.

Search

Find license and feature information.

Reset

Reset the filtering criteria.

Refresh

Refresh the license and feature information in the list.

 

Compress

 

NOTE:

Compressing a license might cause the DID information to change. Before compressing the license storage area, make sure all the license activation files requested by using the old DID files have been installed.

 

Procedure

Webpage: System Tools > License Management > Compress

 

Expired licenses will continue to occupy the license storage area. If the license storage area is used up, new licenses cannot be installed. In this case, you can compress the license storage area to release some space.

1.     Identify the remaining number of available activation files that can be installed.

Remaining number of available activation files = Total number of available activation files - Number of installed activation files

2.     If the number of activation files to be installed is larger than the remaining number, click Compress to release some space. Otherwise, do not compress the license storage area.

 

Parameters

Parameter

Description

Location

Location where the license and the corresponding features will take effect.

Compress

Compress the license storage area to release some space.

 

Reboot

Reboot Now

 

NOTE:

Restarting a device might cause service interruption. Please be cautious.

 

Procedure

Webpage: System Tools > Reboot > Reboot Now

 

Perform this task to immediately restart the device.

 

Parameters

Parameter

Description

Immediate Restart

Click to immediately restart the device.

Save configuration

Select whether to save the running configuration before restarting the device.

Forced restart without any checks

Configure the device to restart directly without performing any checks.

 

Scheduled Reboot

Procedure

Webpage: System Tools > Reboot > Scheduled Reboot

 

Perform this task to restart the device as scheduled.

 

Parameters

Parameter

Description

Scheduled Reboot

Perform this task to restart the device as scheduled.

Effective Time

Set the specific time for weekly device reboot.

Apply

Click to commit the configuration.

 

System logs

 

NOTE:

For the log server to obtain logs sent by the device, make sure the device and the log server can ping each other successfully.

 

About this task

The device generates system logs during operation. The logs record administrator configurations on the device, changes in device status, and significant internal events, providing users with reference for maintenance and troubleshooting.

You can send logs to the log server for centralized management or view them directly on a web page.

As shown in Table 6, system logs are divided into eight severity levels, with the severity of each level decreasing sequentially from 0 to 7.

Table 6 Log severity levels

Value   Severity level   Description
0       emergency        The system is unusable. For example, the system authorization has expired.
1       alert            Action must be taken immediately. For example, traffic on an interface exceeds the upper limit.
2       critical         Critical condition. For example, the device temperature exceeds the upper limit, the power module fails, or the fan tray fails.
3       error            Error condition. For example, the link state changes.
4       warning          Warning condition. For example, an interface is disconnected, or the memory resources are used up.
5       notification     Normal but significant condition. For example, a terminal logs in to the device, or the device reboots.
6       informational    Informational message. For example, a command or a ping operation is executed.
7       debugging        Debugging message.

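The severity values 0 to 7 in Table 6 match the standard syslog severities, so a log server receiving the device's logs can sort them by decoding the syslog PRI field (PRI = facility * 8 + severity). The following Python is an added example of such a triage step on constructed sample lines; it is not H3C code, and it assumes the device sends standard syslog framing with a `<PRI>` prefix.

```python
"""Severity triage for logs received from the device (added example, not H3C code)."""
import re
from typing import Dict, List, Optional, Tuple

# Value -> severity level, exactly as listed in Table 6.
SEVERITY_NAMES = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notification", 6: "informational", 7: "debugging",
}

# Standard syslog PRI prefix: "<NNN>" followed by the rest of the line.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")


def decode_pri(line: str) -> Optional[Tuple[int, int, str]]:
    """Return (facility, severity, message), or None if the PRI is malformed."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal PRI value
        return None
    return pri // 8, pri % 8, m.group(2)


def triage(lines: List[str], max_severity: int = 4) -> Dict[str, List[str]]:
    """Split lines into 'alert' (severity <= max_severity), 'info' and 'malformed'.

    With the default threshold, levels 0-4 (emergency through warning)
    are raised as alerts; notification and below are only retained.
    Malformed lines are kept separately rather than silently dropped.
    """
    out: Dict[str, List[str]] = {"alert": [], "info": [], "malformed": []}
    for line in lines:
        decoded = decode_pri(line)
        if decoded is None:
            out["malformed"].append(line)
            continue
        _, sev, msg = decoded
        bucket = "alert" if sev <= max_severity else "info"
        out[bucket].append(f"{SEVERITY_NAMES[sev]}: {msg}")
    return out


# Constructed sample lines (facility local7 = 23, so PRI = 184 + severity).
SAMPLE_LINES = [
    "<186>Jan 10 09:00:01 router1 Fan tray 1 failed.",
    "<187>Jan 10 09:00:05 router1 Link state of GigabitEthernet1/0/1 changed to down.",
    "<189>Jan 10 09:01:12 router1 Terminal user admin logged in from 192.168.10.20.",
    "<190>Jan 10 09:01:30 router1 Ping operation to 192.168.10.1 executed.",
    "garbage line without a PRI prefix",
]

if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_LINES).items():
        print(bucket, entries)
```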
 

Procedure

Webpage: System Tools > System Logs

 

Perform this task to manage and display log messages.

 

Parameters

Parameter

Description

Send to Log Server

Enter the IP address or domain name of the log server.

Apply

Click to commit the configuration.

Web Operation Logging

With this feature enabled, you can view operation logs on the System Logs page from the Web interface.

Advanced Search

Search for corresponding system logs using any combination of time, module, severity level, and description.

Time

Filter system logs by time.

Module

Filter system logs by module.

Level

Filter system logs by severity level.

Description

Filter system logs by description.

Clear

Clear the log information recorded on the router.

Export

Export the log information on the device to the local PC.

Refresh

Refresh the system log information.

 

 


Wireless AC

For more information, see the AC-related documentation.
