
The privilege of HCNA/HCNP/HCIE:

With any Huawei Career Certification, you have the privilege on http://learning.huawei.com/en to enjoy:

1. Comprehensive E-Learning Courses
Content: All Huawei Career Certification E-Learning courses
Method to get the E-learning privilege: submit Huawei Account and email being used for Huawei Account registration to Learning@huawei.com.

2. Training Material Download
Content: Huawei product training material and Huawei career certification training material
Method: Logon http://learning.huawei.com/en and enter HuaWei Training/Classroom Training, then you can download training material in the specific training introduction page.

3. Priority to participate in Huawei Online Open Class (LVC)
Content: The Huawei career certification training covering all ICT technical domains like R&S, UC&C, Security, Storage and so on, which are conducted by Huawei professional instructors
Method: The plan and participate method please refer to LVC Open Courses Schedule

4. Learning Tool: eNSP
eNSP (Enterprise Network Simulation Platform) is a graphical network simulation tool which is developed by Huawei and free of charge. eNSP mainly simulates enterprise routers, switches as close to the real hardware as possible, which makes the lab practice available and easy without any real device.

In addition, Huawei has built up Huawei Technical Forum which allows candidates to discuss technical issues with Huawei experts, share exam experiences with others or be acquainted with Huawei Products (http://support.huawei.com/ecommunity/)

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential 1
CSBN-HCNA-Security
Lab Guide
ISSUE 2.00

ISSUE 2.00 ........ 1
1 Overview ........ 3
1.1 Application Scope ........ 3
1.2 Introduction of Firewall Products ........ 3
1.2.1 USG2200 Description ........ 3
1.2.2 USG5120 Description ........ 5
1.2.3 USG5150 Description ........ 6
1.2.4 Physical Port Naming Methods ........ 8
1.3 Terminal Security Products ........ 9
1.3.1 Introduction of the TSM Products ........ 9
1.3.2 TSM System Deployment ........ 9
1.3.3 TSM Performance Specifications ........ 11
1.4 Diagram of Network Elements ........ 13
2 How to Login Firewall ........ 13
2.1 Login Through the Console Port ........ 13
2.2 Login Through Web Management Interface (Default Web-manager) ........ 16
2.3 Remote Login Through Telnet ........ 17
2.4 Remote Login Through SSH ........ 21
2.5 Login Through the Web ........ 26
3 Firewall Basic Configuration ........ 31
3.1 Firewall System Management ........ 31
4 Firewall Security Forwarding Policy ........ 40
2.1 Configuring IP Address-Based Forwarding Policy ........ 40
5 Network Address Translate Lab ........ 46
5.1 NAT Outbound Lab ........ 46
5.2 NAT Inbound & NAT Server Lab ........ 50
6 Firewall Networking Lab ........ 56
6.1 VLAN Lab (Configuring the Communications Between VLANs Through the Vlanif Interface) ........ 70
6.2 E1 Lab ........ 78
6.3 SA Lab ........ 86
6.4 3G Lab ........ 92
7 VPN Lab ........ 97
7.1 L2TP VPN Lab (Client-Initialized VPN) ........ 97
7.2 GRE VPN Lab ........ 105
8 IPSec VPN Lab ........ 111
8.1 Configuring Point-to-Point IPSec Tunnel ........ 111
9 SSL VPN Lab ........ 121
9.1 Web Proxy/File Sharing/Port Forwarding/Network Extension ........ 121

1 Overview

This document describes the configuration and deployment of Huawei security products. After working through it, you will understand the labs on security products and be able to deploy and operate the devices.

1.1 Application Scope
This document is applicable to the lab described in the security product training courses for Huawei system security engineers.
The lab is applicable to the following products:
USG2200&5100 V300R001
Note: Eight LAN ports of the USG2100 are Layer-2 switching ports. You must allocate VLANs for the USG2100 because only the VLAN ports can be configured with IP addresses. Only the Layer-3 VLAN ports (Vlanif) can be added to the Security Zone.

1.2 Introduction of Firewall Products

1.2.1 USG2200 Description
Chassis size
The USG2200 consists of an integrated chassis and extension interface cards. The size of the integrated chassis is 43.6 mm (H) x 442 mm (W) x 414 mm (D), which can be installed in the 19-inch standard cabinet.
Front panel
The power and fan of the USG2200 are embedded so that you cannot view the power and fan on the exterior.
The USG2200 series include the USG2210, USG2220, USG2230, and USG2250. These products all support
AC power. The USG2250 also supports DC power.

Front panel of the USG2200 (DC type)

Front panel of the USG2200 (AC type)

1. AC/DC power socket 2. AC/DC power switch 3. system reset button
4. Console port 5. Flash card slot 6. USB2.0 ports 7. GE Combo ports

Rear panel
The rear panel layout of the USG2210, USG2220, USG2230, and USG2250 is the same. The rear panel provides four MIC slots on the left and two FIC slots on the right.
Rear panel of the USG2200
1. MIC1/DMIC1 slot 2. MIC2/DMIC2 slot 3. MIC3 slot 4. MIC4 slot
5. FIC5/DFIC5 slot 6. FIC6 slot 7. slot identifier 8. grounding termination
Slot locations and numbering
The FIC5 slot supports a DFIC interface card.

Slot locations and numbering diagram of the USG2200


MIC1 and MIC3 can accommodate two MIC interface cards or a DMIC interface card.
MIC2 and MIC4 can accommodate two MIC interface cards or a DMIC interface card.

1.2.2 USG5120 Description


Chassis size
The USG5120 consists of an integrated chassis and extension interface cards. The size of the integrated chassis is 86.1 mm (H) x 442 mm (W) x 414 mm (D), which can be installed in the 19-inch standard cabinet.
Front panel
The USG5120 supports AC and DC power types. The following figure shows the front panel of the USG5120.

Front panel of the USG5120 (DC type)

Front panel of the USG5120 (AC type)

1. indicators 2. system reset button 3. Console port
4. Flash card slot 5. USB2.0 ports 6. 10/100/1000M Ethernet ports
7. 10/100/1000M Ethernet ports 8. GE Combo port 2 9. GE Combo port 3
10. Clip jack 11. AC/DC power socket 12. AC/DC power switch
13. ESD jack 14. dust-proof panel

Rear panel
1. MIC1/DMIC1 slot 2. MIC2/DMIC2 slot 3. MIC3 slot 4. MIC4 slot
5. FIC5/DFIC5 slot 6. FIC6/DFIC6 slot 7. FIC7 slot 8. FIC8 slot
9. slot location 10. grounding termination
Slot locations and numbering
Besides a DFIC interface card, you must also insert an FIC interface card at the lower part of the FIC5 and FIC6 slots of the USG5120. To prevent the dust, you must install a dust-proof panel at the upper part of the DFIC slot to enclose the rear panel. The FIC7 slot supports a DFIC interface card.
Slot locations and numbering diagram of the USG5120

1.2.3 USG5150 Description
Chassis size
The USG5150 consists of an integrated chassis and extension interface cards. The size of the integrated chassis is 130.5 mm (H) x 442 mm (W) x 414 mm (D), which can be installed in the 19-inch standard cabinet.
Front panel
The power and fan modules of the USG5150 support hot swapping. The following figures show the front panels of the USG5150 of the AC and DC types.
Front panel of the USG5150 (DC type)

Front panel of the USG5150 (AC type)

1. air filter 2. indicators 3. system reset button
4. Console port 5. Flash card slot 6. USB2.0 ports
7. GE Combo port 0 8. GE Combo port 1 9. GE Combo port 2
10. GE Combo port 3 11. fan module 12. ESD jack
13. dust-proof panel 14. AC/DC power module 1 15. AC/DC power module 0

Rear panel
Rear panel of the USG5150

1. MIC1/DMIC1 slot 2. MIC2/DMIC2 slot 3. MIC3 slot 4. MIC4 slot
5. FIC5/DFIC5 slot 6. FIC6/DFIC6 slot 7. FIC7/DFIC7 slot 8. FIC8/DFIC8 slot
9. FIC9 slot 10. FIC10 slot 11. grounding termination
Slot locations and numbering
Besides a DFIC interface card, you must also insert an FIC interface card at the lower part of the FIC5, FIC6, FIC7, and FIC8 slots of the USG5150. To prevent the dust, you must install a dust-proof panel at the upper part of the DFIC slot to enclose the rear panel.
Slot locations and numbering diagram of the USG5150

The FIC9 and FIC10 support only FIC interface cards. The FIC9 and FIC10 do not support the 1GE interface card, 4GE interface card, 1GPON interface card, 16POTS interface card, or 32POTS interface card.

1.2.4 Physical Port Naming Methods
The naming principles for the physical ports are as follows:
The ports are numbered from bottom to top and from left to right. The physical port naming format is interface-type X/0/Y, where interface-type indicates the interface type (such as the Ethernet interface), X indicates the slot number, and 0 indicates the sub-card. At present, the interface card does not support sub-cards, so the sub-card number is always 0. Y indicates the port number. The slot number of the main board is 0.
Assume that a 5FSW interface card is installed in slot 2 of the USG. The port numbers are Ethernet2/0/0,
Ethernet2/0/1, Ethernet2/0/2, Ethernet2/0/3, and Ethernet2/0/4.

1.3 Terminal Security Products


1.3.1 Introduction of the TSM Products
The terminal security management (TSM) product is developed to manage the enterprise internal networks to ensure the smooth operation of the enterprise internal networks and the security of terminals and enterprise information. To help the enterprise construct secure networks, Huawei designs the TSM product, which provides an integrated internal network security solution and implements control and management from terminals to service systems.
Based on the TSM Agent function, the TSM product provides six functions, namely, security access control, terminal security management, patch management, terminal user behavior management, software distribution, and asset management. The core objective of the TSM product is to establish the network access control mechanism. The basic functions of the TSM product are security check, access control, and security repair.
The TSM product effectively controls the increasing access points, including the access of enterprise employees, visitors, partners, and temporary employees. The TSM product can detect and isolate the terminal hosts that threaten the enterprise networks, thus improving the network security capability.

1.3.2 TSM System Deployment

The TSM system consists of the following components: TSM management center, TSM Manager, TSM Controller, scanner, security access control gateway, 802.1x switch, and TSM Agent.
TSM management center
The TSM management center is specially designed for the hierarchical networking. It is responsible for assigning licenses for the TSM Manager, Microsoft Windows operating system (OS) patch templates, policy templates, and software distribution tasks.
The TSM management center manages the TSM Manager, license of the TSM Manager, policy template, Microsoft Windows OS patch, and software distribution task.
TSM Manager
The TSM Manager is the TSM management server. The administrator can log in to the TSM Manager using the Internet Explorer to perform routine maintenance.
The TSM Manager provides the following functions: system configuration, organization personnel management, security policy management, patch management, software distribution, asset management, advertisement management, and report management.
TSM Controller
The TSM Controller is the TSM control server. The TSM Controller authenticates the terminal users, performs security checks on terminal hosts, and implements minimum authorized access control.
The TSM Controller provides the following functions: providing services for the TSM Agent, Web Agent
plug-in, and Web client and controlling the access of terminal hosts by interconnecting with the security
access control gateways or 802.1x switch.
Scanner
The scanner detects and manages the existing devices on the network, especially the quantity of terminals on
which the TSM Agent is installed or is not installed. The administrator can refer to this information when
stipulating or adjusting the TSM Agent deployment policies.
The TSM Agent deployment is a phase of the TSM service. The TSM service is divided into trial and promotion phases.
The final objective of the TSM service is to achieve overall coverage of networks. During the step-by-step
deployment of the TSM service, you must focus on how to ensure that all the terminals install the TSM
Agent so that the terminal security does not become the weakest link in the network security system.
The scanner helps the administrator to detect terminals on which the TSM Agent is not installed. Based on
the scanning tasks, the scanner can identify the terminals on which the TSM Agent is installed or not installed.
The administrator can identify the terminal hosts that are required or are not required to install the TSM Agent. The scanner supports enabling or disabling the scanning tasks in real time. The scanner supports periodical scanning tasks and one-time scanning tasks. The scanner can detect devices based on the IP address segment and APP table. When new devices access the controlled network or the TSM Agent is uninstalled, the scanner can inform the administrator of the event by email. The scanner supports the management of devices in groups.
Security access control gateway
The security access control gateway controls the permissions of the network access. It grants different permissions to terminal users and terminals based on roles and security status.
The security access control gateway provides the following functions: granting the network access permissions to terminal users based on the information provided by the TSM Controller, preventing the external unauthorized terminal users from accessing the controlled networks, preventing the internal legitimate but insecure terminal users from accessing the controlled network, isolating the terminal users who connect to the controlled network but are not authenticated, and supporting the escape channel.
802.1x switch
The 802.1x switch controls the access of the terminal hosts. With the port control technology, only the authenticated terminal hosts can access the controlled network.
The TSM server corresponds to the IEEE 802.1x authentication server system. The user access layer devices function as the IEEE 802.1x access control units. The IEEE 802.1x user access system is integrated in the TSM Agent.
The physical ports of the access control unit are classified into the controlled port and the non-controlled port. The non-controlled port is in bidirectional connection status. It is used to transmit the EAPOL protocol frames. It ensures that the access control unit can receive the authentication EAPOL packets from the user access system anytime. The controlled port is enabled only when the user is authenticated. The controlled port transmits network resources and services.

TSM Agent
Functioning as a TSM system component, the TSM Agent is installed on the terminal host. It interconnects
with the TSM Manager. The TSM Agent implements the security management policies stipulated by the
administrator on the TSM Manager.
The TSM Agent can provide the Web Agent plug-in on the terminal hosts in the TSM Agent or plug-in
registration mode, according to the installation wizards.
The TSM Agent provides the following functions: identity authentication, security authentication, asset
management, patch management, software distribution, and advertisement management.
TSM system networking diagram
Elements shown in the diagram: authentication pre-domain (TSM Manager + Scanner + FTP; TSM Controller + Authentication database; TSM Controller + FTP + Primary database; TSM Controller + FTP + Mirroring database), isolation domain (Anti-virus server, Patch server), Router, Security access control gateway, LAN (Service system A, Service system B), authentication post-domain (Switch, Switch, Terminals).

1.3.3 TSM Performance Specifications
Performance specifications of the TSM Controller
The following table describes the performance specifications of the TSM Controller during identity authentication and policy implementation.
Performance Item: Performance Specifications
The maximum terminal users supported by one TSM Controller: 10000
Number of terminal hosts that can be authenticated by a TSM Controller per minute: 2500
Network connection success rate of the terminal host: In the case that a TSM Controller can perform 2500 times of identity authentications per minute, the network connection success rate of the terminal host is higher than 99%.
Terminal host authentication delay: In the case that a TSM Controller can perform 2500 times of identity authentications per minute, the terminal host authentication delay is shorter than or equal to 10s.
The maximum duration for saving the illegitimate information: 6 months
Interval for detecting heartbeat with the security access control gateway: 30s


Performance specifications of the TSM Agent
The following table describes the performance specifications of the TSM Agent during identity authentication and policy implementation.
Performance Item: Performance Specifications
Microsoft Windows XP authentication duration when no policy is implemented: 3s
Microsoft Windows XP maximum memory usage when no policy is implemented: 29MB
Microsoft Windows XP maximum memory usage when all policies are implemented: 35MB
Microsoft Windows Vista authentication duration when no policy is implemented: 3s
Microsoft Windows Vista maximum memory usage when no policy is implemented: 30MB
Microsoft Windows Vista maximum memory usage when all policies are implemented: 36MB
Average CPU usage: 15%
Interval for detecting heartbeat with the TSM Controller: 30s

1.4 Diagram of Network Elements

Icons used in the lab topologies: Internet, PC, Network Cloud, USG Firewall, Laptop, Router, Server, Wireless Station.

2 How to Login Firewall

2.1 Login Through the Console Port
Lab Objectives

Through this task, you will know how to configure the terminal to access the device through the console
port, thus implementing the configuration and management on the device.

Lab Devices

One PC and USG firewall.

Lab Topology
Management PC (COM 1) --- RS-232 cable --- Console Interface (USG)
Configuration Procedure
Step 1 After the connection to the device is established, power on both devices, and ensure that the devices run normally.
Step 2 Run the terminal emulation program (such as the HyperTerminal on Windows XP) on the PC. Choose Start > All programs > Accessories > Communications > HyperTerminal. The Connection Description dialog box is displayed.
Step 3 In Name, enter the name of the connection between the PC and the USG, such as COMM1. Then, select an icon in Icon, as shown in below figure.
Step 4 Click OK. The Connect dialog box is displayed.
Step 5 Select a serial interface (such as COM1) from the Connect using drop-down list for the connection between the PC and the USG, as shown in below figure.
Step 6 Click OK. The COM1 Properties dialog box is displayed.
Step 7 Set the communication parameters of the port, as shown in below figure.


Step 8 Click OK or Restore Defaults.


Step 9 On the PC emulation terminal, press Enter and enter the user name and password according to the prompt. After passing the authentication configured on the USG, the user view is displayed, and you are logged in to the device.
Result Verification

Please confirm if you can log in the USG through the Console port successfully or not?
Yes No

2.2 Login Through Web Management Interface (Default Web-manager)
Lab Objectives

Through this task, you will know how to connect to the USG firewall through the default web-management interface.
Lab Devices

One USG firewall and one PC.

Lab Topology
Management PC 192.168.0.2/24 --- Ethernet --- G0/0/0 192.168.0.1/24 (USG)
Management PC (COM 1) --- RS-232 Cable --- Console Interface (USG)

Configuration Procedure
Step 1 After the connection to the device is established, power on both devices, and ensure that the devices run normally.
Step 2 Connect USG GE0/0/0 and the PC by network cable.
Step 3 Set the IP address of the PC to 192.168.0.2/24.
Step 4 Enter http://192.168.0.1 in the browser on the PC, and log in to the USG firewall with the default account (admin/Admin@123).
Note
By default, the HTTP protocol is enabled. The default user name is admin and the password is Admin@123.
Result Verification
Check whether you have logged in to the web GUI.

2.3 Remote Login Through Telnet
Lab Objectives

Through this task, you will know how to configure the terminal to access the device through Telnet, thus
implementing the configuration and management on the device.
Lab Devices

One PC and one USG Firewall.

Lab Topology

Management PC 10.1.1.2/24 --- Ethernet Port --- G0/0/1 10.1.1.1/24 (USG)
Management PC (COM 1) --- RS-232 Cable --- Console Interface (USG)

Configuration Procedure (CLI)
Step 1 Enter the user view of the USG through the console port.
Step 2 Enable telnet service.
[USG] telnet server enable
Info: The Telnet server has been enabled.

Step 3 Set the IP address of the interface of the USG.
For example, a local user connects to GigabitEthernet0/0/1 of the USG through Telnet. The IP address of the interface is 10.1.1.1; the subnet mask is 255.255.255.0.
<USG> system-view
[USG] interface GigabitEthernet0/0/1
[USG-GigabitEthernet0/0/1] ip address 10.1.1.1 255.255.255.0
[USG-GigabitEthernet0/0/1] quit

Step 4 Set the user information of the USG.
For example, the authentication mode of the user interface on the virtual type terminal (VTY) is AAA; the Telnet user name is user1; the password is password@123; the password is stored in cipher text at level 3.
<USG> system-view
[USG] user-interface vty 0 4
[USG-ui-vty0-4] authentication-mode aaa
[USG-ui-vty0-4] protocol inbound telnet
[USG-ui-vty0-4] quit
[USG] aaa
[USG-aaa] local-user user1 password cipher password@123
[USG-aaa] local-user user1 service-type telnet
[USG-aaa] local-user user1 level 3

Step 5 Connect the PC to interface GigabitEthernet 0/0/1. Set the PC IP address to 10.10.10.9/255.0.0.0.


Step 6 The following takes a Windows OS for example. On the PC, choose Start > Run. The Run
window is displayed. Enter telnet 10.1.1.1 in Open (for example, the IP address of the connected
interface is 10.1.1.1), as shown in below figure.

Step 7 Click OK, and the PC starts to connect to the USG.
Step 8 After passing the authentication configured on the USG, you can enter the user view and log in to the device.

Configuration Procedure (WEB)
Step 1 Log in to the USG web GUI through GE0/0/0. For details, refer to 2.1.
Step 2 Configure the IP address of the USG to 10.1.1.1/24, and enable the Telnet management access. Choose Network > Interface > Interface, select GE0/0/1 and click the icon, as shown in below figure:

Thinking:
Why should you configure the Telnet management access function? (Answer: allow the administrator to manage the firewall through this interface by Telnet.)

Step 3 Configure the Telnet user. (telnetuser/Admin@123)

Step 4 The following takes a Windows OS for example. On the PC, choose Start > Run. The Run window is displayed. Enter telnet 10.1.1.1 in Open (for example, the IP address of the connected interface is 10.1.1.1), as shown in below figure.

Step 5 Click OK to connect to the USG.
Step 6 After the authentication with the Telnet account (telnetuser/Admin@123), you can log in to the USG firewall.
Result Verification
Please confirm if you can log in the USG by telnet successfully or not?
Yes No

2.4 Remote Login Through SSH
Lab Objectives
Through this task, you will know how to configure the terminal to access the device through SSH, thus
implementing the configuration and management on the device.

Lab Devices

One PC and one USG firewall.


Lab Topology
Management PC 10.1.1.2/24 --- Ethernet Port --- G0/0/1 10.1.1.1/24 (USG)
Management PC (COM 1) --- RS-232 Cable --- Console Interface (USG)

Configuration Procedure (CLI)
Step 1 Telnet to the USG device.
Step 2 Enter the user view of the USG through the console port.
<USG> system-view
[USG] interface GigabitEthernet0/0/1
[USG-GigabitEthernet0/0/1] ip address 10.1.1.1 255.255.255.0
[USG-GigabitEthernet0/0/1] quit

Step 3 Configure SSH management access on GE0/0/1.
<USG>system-view
[USG]interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1]service-manage enable
[USG-GigabitEthernet0/0/1]service-manage ssh permit
[USG-GigabitEthernet0/0/1]quit

Step 4 Create SSH user Client001.
Configure the VTY user interface.
[USG] user-interface vty 0 4
[USG-ui-vty0-4] authentication-mode aaa
[USG-ui-vty0-4] protocol inbound ssh
[USG-ui-vty0-4] quit

Create SSH user Client001, and configure the authentication mode as password.
[USG] ssh user client001
[USG] ssh user client001 authentication-type password
Set the password of SSH user Client001 to Admin@123.
[USG] aaa
[USG-aaa] local-user client001 password cipher Admin@123
[USG-aaa] local-user client001 service-type ssh
[USG-aaa] quit

Step 5 Configure the service mode for SSH user Client001 as STelnet, and enable the STelnet service.

[USG] ssh user client001 service-type stelnet


[USG] stelnet server enable

Configuration Procedure (WEB)


Step 1 After the connection to the device is established, power on both devices, and ensure that the
devices run normally.
Step 2 Configure the IP address of the USG to 10.1.1.1/24, and enable the SSH management access. Choose Network > Interface > Interface, select GE0/0/1 and click the icon, as shown in below figure:

Step 3 Configure the SSH user account. (sshuser/Admin@123)

Step 4 Enable STelnet service. Choose System > Admin > Settings, in the SSH configuration list,
enable STelnet service.
e n
m /
c o
i .
w e
h ua
.
i ng
Step 5 n
ar
Configure the IP address of PC as 10.1.1.2/24. Then login USG by using Putty client through
SSH.

l e
Result Verification

Double-click PuTTY on the desktop and choose SSH to connect:

Click Yes on the security alert:

Input the SSH user account and log in:
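The security alert PuTTY raises at this point is its first-contact host-key prompt: it asks whether the public key presented by the device at 10.1.1.1 should be trusted. The Python below is an added example, not part of the lab guide and not a Huawei tool. It computes the fingerprints PuTTY displays (the SHA256 form in current versions, the colon-separated MD5 form in older ones) from a known-good OpenSSH public-key line, so the prompt can be answered by comparing values rather than by habit. The key line is a constructed stand-in, not a real USG host key; having obtained the real key out of band (for example over the console connection) is assumed.

```python
"""Fingerprint a known-good SSH host key so PuTTY's security alert can be
checked by comparison.  Added example; the key below is constructed."""
import base64
import hashlib


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + bytes."""
    return len(data).to_bytes(4, "big") + data


# Constructed stand-in for the USG host key (an ssh-ed25519 blob whose 32 key
# bytes are simply 0..31).  A real deployment would paste the line captured
# out of band, e.g. from the device's own key display on the console.
_FAKE_ED25519_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
KNOWN_GOOD_KEY_LINE = "10.1.1.1 ssh-ed25519 " + base64.b64encode(_FAKE_ED25519_BLOB).decode()


def fingerprints(pubkey_line: str) -> dict:
    """Return the SHA256 and MD5 fingerprints of the key in an OpenSSH
    '<host> <type> <base64>' line, in the formats PuTTY/OpenSSH print."""
    fields = pubkey_line.split()
    if len(fields) < 3:
        raise ValueError("expected '<host> <type> <base64>'")
    key_type, b64 = fields[1], fields[2]
    blob = base64.b64decode(b64)
    # The blob starts with its own type string; it must agree with the field.
    declared_len = int.from_bytes(blob[:4], "big")
    declared = blob[4:4 + declared_len]
    if declared != key_type.encode():
        raise ValueError("key type mismatch between text field and key blob")
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return {
        "type": key_type,
        "sha256": "SHA256:" + sha,
        "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
    }


def host_key_matches(alert_fingerprint: str, pubkey_line: str) -> bool:
    """True when the fingerprint shown in the PuTTY alert equals either
    fingerprint form of the known-good key (MD5 compared case-insensitively)."""
    shown = alert_fingerprint.strip()
    fps = fingerprints(pubkey_line)
    return shown == fps["sha256"] or shown.lower() == fps["md5"]


if __name__ == "__main__":
    fps = fingerprints(KNOWN_GOOD_KEY_LINE)
    print("expected", fps["type"], fps["sha256"])
    print("expected (old PuTTY)", fps["md5"])
```

If the value in the alert differs from the expected one, the session is not talking to the device whose key was recorded, and the correct response is to cancel rather than click Yes.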
2.5 Login Through the Web
Lab Objectives

Through this task, you will know how to configure the terminal to access the device through Web, thus
implementing the configuration and management on the device.
Lab Devices

One PC and one USG firewall.

Lab Topology

Management PC (10.1.1.2/24) connected by an Ethernet cable to USG interface G0/0/1 (10.1.1.1/24).

Configuration Procedure (CLI)
Step 1 Telnet/SSH to the USG.
Step 2 Set the IP address of the PC to 10.1.1.2/24.
Step 3 Configure the IP address of GE0/0/1.

<USG>system-view
[USG] interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1]ip address 10.1.1.1 24

Step 4 Configure HTTP and HTTPS management on GE0/0/1.

<USG>system-view
[USG]interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1]service-manage enable
[USG-GigabitEthernet0/0/1]service-manage http permit
[USG-GigabitEthernet0/0/1]service-manage https permit
[USG-GigabitEthernet0/0/1]quit

Step 5 Enable the Web management function. By default, the HTTP protocol is already enabled. Here we enable the HTTPS protocol.
[USG] web-manager security enable port 8088

Note
The parameter security indicates HTTPS management; if the security parameter is omitted, the USG enables HTTP management by default.
Note
HTTP and HTTPS cannot be configured on the same port; that would conflict.

Step 6 Configure Web user.

[USG] aaa
[USG-aaa] local-user webuser password cipher Admin@123
[USG-aaa] local-user webuser service-type web
[USG-aaa] local-user webuser level 3

Step 7 Check the configuration.

Use the Web browser on the PC to access http://10.1.1.1, enter the user name (webuser) and
password (Admin@123), and check whether you can log in to the USG. If the login succeeds,
the configuration is successful. If the login fails, check the configuration.

Configuration Procedure (WEB)

Step 1 After the connection to the device is established, power on both devices, and ensure that the devices run normally.
Step 2 Configure the IP address of USG to 10.1.1.1/24, and enable the HTTP & HTTPS management access. Choose Network > Interface > Interface, select GE0/0/1 and click [icon], as shown in the figure below:

Step 3 Enable Web management. Enable the HTTP/HTTPS management, configure the HTTPS port as
8088. Choose System > Admin > Settings, click the check box of HTTP and HTTPS service.
Shown as below figure.
Step 4 Configure the web user account (webuser/Admin@123).

Step 5 Configure the IP address of the PC as 10.1.1.100/24. Input https://10.1.1.1:8080 in the PC's browser to log in.
Result Verification

At the Security Alert, click Yes to continue.

3 Firewall Basic Configuration

3.1 Firewall System Management

Lab Objectives

Configure the hostname.
Configure the system time.
Configure the SNMP server.
Configure the log server.
Configure the license.
Configure the file backup and recovery.

Lab Device

One USG firewall and one PC.

Lab Topology

Management PC (192.168.0.2) connected by an Ethernet cable to USG interface G0/0/1 (192.168.0.1/24).

Configuration Procedure (CLI)
Step 1 After the connection to the device is established, power on both devices, and ensure that the devices run normally.
Step 2 Log in to the USG firewall through Console/Telnet/SSH. For details, refer to 2.1-2.6. (omitted.)
Step 3 Configure the hostname of USG.

<USG>system-view
[USG]sysname USG_A
[USG_A]

Step 4 Configure the system time.

<sysname>clock datetime 0:0:0 2009/01/01


Step 5 Configure the SNMP server.

Configure the SNMP version as v2c.
[USG] snmp-agent sys-info version v2c
Set the SNMP community names.
[USG] snmp-agent community read public
[USG] snmp-agent community write private
Configure the user information.
[USG] snmp-agent usm-user v3 test NMS1
Configure SNMP traps.
[USG]snmp-agent trap enable
[USG]snmp-agent target-host trap address udp-domain 192.168.1.2 params securityname swebUser v2c

Thinking:
What is the function of the SNMP Agent Trap?
(Answer: The snmp-agent trap command makes the device send alerts to the SNMP server actively. Without SNMP traps, the SNMP server only sends query messages to the device periodically, and the device responds to the server.)

Step 6 Configure the log server.

Enable the information center.
[USG] info-center enable
Configure the source interface that sends logs.
[USG] info-center loghost source GigabitEthernet 0/0/1
Configure a log host with facility local2. The IP address of the log host is 192.168.1.1, and the output language is English.
[USG] info-center loghost 192.168.1.1 facility local2 language english
Set the threshold of the information severity level to informational. The information about the PPP module and the IP module can be output.
[USG]info-center source acl channel loghost log level informational
[USG]info-center source ip channel loghost log level informational

Step 7 Import the license.

[USG]license file hda1:/license.dat

Step 8 Configure the system backup and recovery.

Set the USG as an FTP server.

Basic configurations including IP address and network connection. (Omitted)
Enable the FTP server function; configure the FTP account and FTP path.
<USG>system-view
[USG]ftp server enable
Info:Start FTP server
[USG]aaa
[USG-aaa]local-user ftpuser password cipher Ftppass#
[USG-aaa]local-user ftpuser service-type ftp
[USG-aaa]local-user ftpuser level 3
[USG-aaa]local-user ftpuser ftp-directory hda1:/
Configure the FTP ACL.
[USG]acl 2002
[USG-acl-basic-2002]rule permit source any logging
[USG-acl-basic-2002]quit
[USG]ftp acl 2002

Log in to the USG FTP server from the terminal PC.

Configure system backup.
Run the get command to download the file to the terminal PC.
The following takes a Windows OS as an example. On the PC, choose Start > Run. The Run window is displayed. Input cmd and click OK.
C:\Documents and Settings\Administrator> ftp 192.168.0.1
Connected to 192.168.0.1.
220 FTP service ready.
User (192.168.0.1:(none)): ftpuser
331 Password required for ftpuser.
Password:
230 User logged in.
ftp> get flash:/vrpcfg.zip.bak
200 Port command okay.
150 Opening ASCII mode data connection for vrpcfg.cfg.
226 Transfer complete.
ftp: got 5203 bytes, time 0.01Seconds 346.87Kbytes/sec.
ftp> lcd
Local directory now C:\Documents and Settings\Administrator.
ftp>
Configure system recover.
Run put command to upload files to USG device.
ftp> put vrpcfg.cfg
200 Port command okay.
150 Opening ASCII mode data connection for vrpcfg.cfg.
226 Transfer complete.
ftp: send 5203 bytes, time 0.00Seconds 5203000.00Kbytes/sec.
Use the startup saved-configuration vrpcfg.cfg command to configure the next-startup configuration file.
<sysname> startup saved-configuration vrpcfg.cfg

Configuration Procedure (WEB)

Step 1 After the connection to the device is established, power on both devices, and ensure that the devices run normally.
Step 2 Log in to the USG through the Web GUI. For how to log in through the web, refer to 2.2 or 2.5. (Omitted.)
Step 3 Configure the hostname of USG. Log in to the USG through http://192.168.0.1. In the system information area of the system panel, you will see the system information and can change the system name.

Step 4 Go to System > Configuration > Time to configure the system time.

Set the system time manually.

You can set the time zone, date and system time manually, or select the configuration mode to use an NTP server to synchronize the time.
Step 5 Configure the SNMP v2c server. The server address is 192.168.1.2.

Go to System > Configuration > SNMP. Set the parameters for connecting managed devices to the NMS. Click Apply.

Step 6 Configure the log server.

Go to Log > Log Configuration > Information Center Configuration, and click the enable check box of the information center switch.


Choose Log > Log Configuration > Syslog Configuration. Select the parameter Log Host Source Interface in Configure Syslog. Select GE0/0/0 as the log host source interface. Click Apply.

Add a log host. Choose Log > Log Configuration > Syslog Configuration. Click Add in Log Host List. Enter or select the parameters, then click Apply.

Step 7 Configure the license.

Check the ESN code. Log in to the device. Choose System > Dashboard > Status. The ESN is the SN in System Information.

Go to System > Maintenance > License Management. Check the license state.

Go to System > Maintenance > License Management. Select Local Manual Activation from the License Activation Mode. Click Browse. Select the license file to be uploaded. Click Activate to activate the current license file.

Step 8 Configure the system backup and recovery.

Configure system backup.

Choose System > Maintenance > Configuration Management. Check the configuration file in use. For the next startup configuration file, click Select; the Configuration File Management window is displayed.

Click [icon] to download the configuration file to the local PC to back it up. [icon] indicates the configuration file is in use; [icon] indicates the configuration file is not in use.

Configure system recovery:

Click Upload. The Upload File window is displayed.

Click Browse. Select the configuration file to be uploaded. Click Import to upload the configuration file.

After the configuration file is successfully uploaded, return to the Configuration File Management window. The corresponding file is displayed in the list. Click [icon] to configure the current configuration file as the next startup configuration file. The user should restart the device to complete updating the system configuration.

Choose System > Maintenance > Restart. Enter the password of the current login user in Password. Click Save and Restart to save the configuration and restart the system.

Result Verification

Choose System > Maintenance > Configuration Management to check the next startup configuration file.

4 Firewall Security Forwarding Policy

4.1 Configuring IP Address-Based Forwarding Policy

Lab Objectives

This section provides an example of controlling access based on IP addresses.

Lab Device

One USG firewall and two PCs.

Lab Topology

Internal users 192.168.5.2/24, 192.168.5.3/24 and 192.168.5.4/24 (Trust zone) connect to USG interface G0/0/0 (192.168.5.1/24); USG interface G0/0/1 (1.1.1.1/24, Untrust zone) connects to the Internet server 1.1.1.2/24.

Configuration Procedure (CLI)

Step 1 Set IP addresses for interfaces and add the interfaces to security zones.

<USG>system-view
[USG]interface GigabitEthernet 0/0/0
[USG-GigabitEthernet0/0/0]ip address 192.168.5.1 24
[USG-GigabitEthernet0/0/0]quit
[USG]interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1]ip address 1.1.1.1 24
[USG-GigabitEthernet0/0/1]quit
[USG]firewall zone trust
[USG-zone-trust]add interface GigabitEthernet 0/0/0
[USG-zone-trust]quit
[USG]firewall zone untrust
[USG-zone-untrust]add interface GigabitEthernet0/0/1
[USG-zone-untrust]quit
Step 2 Configure address set ip_deny, and add the denied IP addresses to the address set.

[USG]ip address-set ip_deny type object


[USG-object-address-set-ip_deny]address 192.168.5.2 mask 32
[USG-object-address-set-ip_deny]address 192.168.5.3 mask 32
[USG-object-address-set-ip_deny]address 192.168.5.4 mask 32
[USG-object-address-set-ip_deny]quit

Step 3 Create a forwarding policy preventing some special IP addresses from accessing the Internet.

[USG]policy interzone trust untrust outbound
[USG-policy-interzone-trust-untrust-outbound]policy 0
[USG-policy-interzone-trust-untrust-outbound-0]policy source address-set ip_deny
[USG-policy-interzone-trust-untrust-outbound-0]action deny
[USG-policy-interzone-trust-untrust-outbound-0]quit

Step 4 Create a forwarding policy allowing the 192.168.5.0/24 network to access the Internet, and reference the Web filtering policy.

[USG-policy-interzone-trust-untrust-outbound]policy 1
[USG-policy-interzone-trust-untrust-outbound-1]policy source 192.168.5.0 mask 24
[USG-policy-interzone-trust-untrust-outbound-1]action permit
[USG-policy-interzone-trust-untrust-outbound-1]quit
[USG-policy-interzone-trust-untrust-outbound]quit

Step 5 Disable default packet filtering.

[USG] firewall packet-filter default deny interzone trust untrust

Thinking:
Why should we deny the default packet-filter between the trust and untrust zones? What will happen if we don't?
(Answer: When a traffic flow arrives at the firewall, the firewall checks the forwarding policies one by one. If we don't deny the default packet-filter between the trust and untrust zones, a packet whose source address is not in segment 192.168.5.0/24, and which therefore doesn't hit policy 1, will match the default forwarding policy, and the firewall will forward it as well.)
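As an added illustration of the answer above (not from the lab guide, and not USG code), the Python below walks a source address through the trust->untrust policies of Steps 3 and 4 in configured order and applies the interzone default when nothing matches. It is a simplified model: only the source address is matched, as in the lab's own policies. With the default left at permit, a host outside 192.168.5.0/24 (the constructed address 192.168.6.7) is forwarded; with Step 5 applied, it is dropped.

```python
"""First-match simulation of the trust->untrust forwarding policy of this lab.
Added example; a simplified model that matches on source address only."""
from ipaddress import ip_address, ip_network

# Step 2: address set ip_deny
IP_DENY = [ip_network(a) for a in ("192.168.5.2/32", "192.168.5.3/32", "192.168.5.4/32")]

# Steps 3 and 4: ordered policies of the trust->untrust outbound interzone.
# Each entry is (policy id, list of source networks, action).
POLICIES = [
    (0, IP_DENY, "deny"),
    (1, [ip_network("192.168.5.0/24")], "permit"),
]


def evaluate(src: str, default_action: str, policies=POLICIES):
    """Return (matched policy id or None, action) for a packet from src.

    Policies are checked in order; the first whose source list contains src
    wins.  If none matches, the interzone default packet-filter decides."""
    addr = ip_address(src)
    for pid, sources, action in policies:
        if any(addr in net for net in sources):
            return pid, action
    return None, default_action


def compare_defaults(src: str) -> dict:
    """Outcome for src with the default filter left at permit versus set to
    deny (Step 5).  Only unmatched sources differ between the two."""
    return {
        "default permit": evaluate(src, "permit")[1],
        "default deny": evaluate(src, "deny")[1],
    }


if __name__ == "__main__":
    # 192.168.6.7 is a constructed address outside the permitted segment.
    for host in ("192.168.5.2", "192.168.5.50", "192.168.6.7"):
        print(host, evaluate(host, "deny"), compare_defaults(host))
```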

Configuration Procedure (WEB)

Step 1 Set IP addresses for interfaces and add the interfaces to security zones, as shown in the figure below:

Repeat the previous steps to configure interface GigabitEthernet 0/0/1.

Step 2 Configure an address group named deny_ip and add the IP addresses not permitted to access the Internet to the address group. Choose Firewall > Address > Address Group. In Address Group List, click [icon] to access the Add Address Group interface. Configure a name and description information for the address group. Click [icon] to add the denied IP addresses.

Step 3 Configure a forwarding policy denying Internet access of users whose IP addresses are in the deny_ip address group. Choose Firewall > Security Policy > Forward Policy. Click the Forward Policy tab. In Forward Policy List, click [icon].

Step 4 Configure another forwarding policy permitting users on network segment 192.168.5.0/24 to access the Internet, and reference the Web filtering policy in the forwarding policy. Choose Firewall > Security Policy > Forward Policy. Click the Forward Policy tab. In Forward Policy List, click [icon].

Step 5 Disable default packet filtering.

Thinking:
Why should we deny the default packet-filter between the trust and untrust zones? What will happen if we don't?
(Answer: When a traffic flow arrives at the firewall, the firewall checks the forwarding policies one by one. If we don't deny the default packet-filter between the trust and untrust zones, a packet whose source address is not in segment 192.168.5.0/24, and which therefore doesn't hit policy 1, will match the default forwarding policy, and the firewall will forward it as well.)
Result Verification

Check whether the Internet accesses of the three PCs whose IP addresses are 192.168.5.2, 192.168.5.3, and 192.168.5.4 respectively are denied.
Check whether users with other IP addresses on network segment 192.168.5.0/24 can access the Internet.

5 Network Address Translation Lab

5.1 NAT Outbound Lab

Lab Objectives

Through this task, you will be able to learn the detailed configuration of NAT outbound.

Lab Device

One USG firewall and one PC.

Lab Topology

PC1 192.168.1.10/24 (Trust zone) connects to USG interface G0/0/0 (192.168.1.1/24); USG interface G0/0/1 (2.2.2.1/24, Untrust zone) connects to PC2 2.2.2.10/24.

Configuration Procedure (CLI)

Step 1 Set the IP address of PC1 and PC2 as 192.168.1.10/24 and 2.2.2.10/24 respectively. (omitted)
Step 2 Set the IP addresses of interfaces, and then add the interfaces to security zones.

[USG]interface GigabitEthernet 0/0/0
[USG-GigabitEthernet0/0/0]ip address 192.168.1.1 255.255.255.0
[USG-GigabitEthernet0/0/0]quit
[USG]interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1]ip address 2.2.2.1 255.255.255.0
[USG-GigabitEthernet0/0/1]quit

[USG]firewall zone trust


[USG-zone-trust]add interface GigabitEthernet 0/0/0
[USG-zone-trust]quit
[USG]firewall zone untrust
[USG-zone-untrust]add interface GigabitEthernet 0/0/1
[USG-zone-untrust]quit
Step 3 Configure interzone packet filtering to ensure normal network communication.

[USG]policy interzone trust untrust outbound
[USG-policy-interzone-trust-untrust-outbound]policy 0
[USG-policy-interzone-trust-untrust-outbound-0]action permit
[USG-policy-interzone-trust-untrust-outbound-0]policy source 192.168.1.0 mask 24

Step 4 Configure IP address pool 1; the address range is 2.2.2.2 to 2.2.2.5.

[USG]nat address-group 1 2.2.2.2 2.2.2.5

Step 5 Configure the NAT outbound policy.

[USG]nat-policy interzone trust untrust outbound
[USG-nat-policy-interzone-trust-untrust-outbound]policy 1
[USG-nat-policy-interzone-trust-untrust-outbound-1]action source-nat
[USG-nat-policy-interzone-trust-untrust-outbound-1]policy destination 2.2.2.10 0.0.0.255
[USG-nat-policy-interzone-trust-untrust-outbound-1]address-group 1
[USG-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.1.10 0.0.0.255
[USG-nat-policy-interzone-trust-untrust-outbound-1]quit
[USG-nat-policy-interzone-trust-untrust-outbound]quit

Configuration Procedure (WEB)

Step 1 Set the IP address of PC1 and PC2 as 192.168.1.10/24 and 2.2.2.10/24 respectively. (omitted)
Step 2 Set the IP addresses of GE0/0/0 and GE0/0/1, and then add the interfaces to security zones. Choose Network > Interface > Interface. In Interface List, click [icon] of the interfaces to configure them. Click Apply when you have finished the configuration, as shown in the figure below:

Step 3 Configure interzone packet filtering to ensure normal network communication. Choose Firewall > Security Policy > Forward Policy. Click the Forward Policy tab. In Forward Policy List, click [icon]. Click Apply when you have finished the configuration, as shown in the figure below:


Step 4 Configure IP address pool 1; the address range is 2.2.2.2 to 2.2.2.5. Choose Firewall > NAT > Source NAT. Click the NAT Address Pool tab. In NAT Address Pool List, click [icon]. Click Apply when you have finished the configuration, as shown in the figure below:

Step 5 Configure the NAT outbound policy. Choose Firewall > NAT > Source NAT. Click the Source NAT tab. In Source NAT Policy List, click [icon]. Click Apply when you have finished the configuration, as shown in the figure below:

Result Verification

Verify the configuration of nat-policy.


[USG]dis nat-policy interzone trust untrust outbound
nat-policy interzone trust untrust outbound
policy 1 (0 times matched)
action source-nat
policy service service-set ip
policy source 192.168.1.0 0.0.0.255
policy destination 2.2.2.0 0.0.0.255
address-group 1
Ping from PC1 to PC2:
PC1>ping 2.2.2.10
Ping 2.2.2.10: 32 data bytes, Press Ctrl_C to break
From 2.2.2.10: bytes=32 seq=1 ttl=127 time=79 ms
From 2.2.2.10: bytes=32 seq=2 ttl=127 time=31 ms
From 2.2.2.10: bytes=32 seq=3 ttl=127 time=94 ms
From 2.2.2.10: bytes=32 seq=4 ttl=127 time=62 ms
From 2.2.2.10: bytes=32 seq=5 ttl=127 time=94 ms
--- 2.2.2.10 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 31/72/94 ms

Check the address translation by using the display firewall session table command:
[USG]dis firewall session table
Current Total Sessions : 15
icmp VPN:public --> public 192.168.1.10:45346[2.2.2.5:45346]-->2.2.2.10:2048
icmp VPN:public --> public 192.168.1.10:45602[2.2.2.5:45602]-->2.2.2.10:2048
icmp VPN:public --> public 192.168.1.10:45858[2.2.2.5:45858]-->2.2.2.10:2048
icmp VPN:public --> public 192.168.1.10:46114[2.2.2.5:46114]-->2.2.2.10:2048
icmp VPN:public --> public 192.168.1.10:46370[2.2.2.5:46370]-->2.2.2.10:2048

From the result we can see that the source address 192.168.1.10 has been translated to 2.2.2.5, which is in the address pool.
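The check described above can be automated. The Python below is an added example, not from the lab guide: it parses display firewall session table lines of the form shown and confirms that every session from 192.168.1.0/24 carries a translated address inside address group 1 (2.2.2.2 to 2.2.2.5). The sample input embeds the five sessions above plus one constructed, untranslated session from 192.168.1.11, so the check can be seen to fire.

```python
"""Verify source NAT from 'display firewall session table' output.
Added example; the sample below mixes the lab's five lines with one
constructed untranslated session."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the lab's five translated ICMP sessions plus one session
# without the [addr:port] translation part.
SAMPLE_SESSIONS = """\
Current Total Sessions : 6
icmp VPN:public --> public 192.168.1.10:45346[2.2.2.5:45346]-->2.2.2.10:2048
icmp VPN:public --> public 192.168.1.10:45602[2.2.2.5:45602]-->2.2.2.10:2048
icmp VPN:public --> public 192.168.1.10:45858[2.2.2.5:45858]-->2.2.2.10:2048
icmp VPN:public --> public 192.168.1.10:46114[2.2.2.5:46114]-->2.2.2.10:2048
icmp VPN:public --> public 192.168.1.10:46370[2.2.2.5:46370]-->2.2.2.10:2048
icmp VPN:public --> public 192.168.1.11:46626-->2.2.2.10:2048
"""

# nat address-group 1 2.2.2.2 2.2.2.5
POOL_START, POOL_END = ip_address("2.2.2.2"), ip_address("2.2.2.5")

# <proto> VPN:<a> --> <b> <src>:<sport>[<nat>:<nport>]--><dst>:<dport>
_SESSION_RE = re.compile(
    r"^(?P<proto>\S+)\s+VPN:\S+\s+-->\s+\S+\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)"
    r"(?:\[(?P<nat>[\d.]+):(?P<nport>\d+)\])?"
    r"-->(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_sessions(text: str) -> list:
    """Return one dict per session line; the header and unknown lines are skipped."""
    sessions = []
    for line in text.splitlines():
        match = _SESSION_RE.match(line.strip())
        if match:
            sessions.append(match.groupdict())
    return sessions


def check_source_nat(sessions, inside_net=ip_network("192.168.1.0/24")):
    """Return (ok, problems).  A session from the inside network is fine only
    when it carries a translated address that lies inside the NAT pool."""
    problems = []
    for s in sessions:
        if ip_address(s["src"]) not in inside_net:
            continue
        nat = s["nat"]
        if nat is None:
            problems.append(f"{s['src']} not translated")
        elif not POOL_START <= ip_address(nat) <= POOL_END:
            problems.append(f"{s['src']} translated to {nat}, outside pool")
    return (not problems, problems)


if __name__ == "__main__":
    ok, problems = check_source_nat(parse_sessions(SAMPLE_SESSIONS))
    print("all inside sessions translated into pool:", ok)
    for p in problems:
        print("  -", p)
```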

5.2 NAT Inbound & NAT Server Lab

Lab Objectives

Through this experiment, you will be able to configure the NAT server, and also learn how to configure bidirectional NAT.

Lab Device

One USG firewall, one PC and one server.

Lab Topology

FTP server 192.168.1.2/24 (DMZ zone) connects to USG interface G0/0/0 (192.168.1.1/24); USG interface G0/0/1 (2.2.2.1/24, Untrust zone) connects to the PC 2.2.2.2/24.

Configuration Procedure (CLI)

Step 1 Set the IP address of server and PC as 192.168.1.2/24 and 2.2.2.2/24 respectively. (omitted)
Step 2 Set the IP addresses of GE0/0/0 and GE0/0/1, and then add the interfaces to security zones.

[USG]interface GigabitEthernet 0/0/0
[USG-GigabitEthernet0/0/0]ip address 192.168.1.1 255.255.255.0
[USG-GigabitEthernet0/0/0]quit
[USG]interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1]ip address 2.2.2.1 255.255.255.0
[USG-GigabitEthernet0/0/1]quit
[USG]firewall zone DMZ
[USG-zone-dmz]add interface GigabitEthernet 0/0/0
[USG-zone-dmz]quit
[USG]firewall zone untrust
[USG-zone-untrust]add interface GigabitEthernet 0/0/1
[USG-zone-untrust]quit

Step 3 Configure interzone packet filtering to ensure normal network communication.

[USG]policy interzone dmz untrust inbound
[USG-policy-interzone-dmz-untrust-inbound]policy 0
[USG-policy-interzone-dmz-untrust-inbound-0]policy destination 192.168.1.2 0.0.0.255
[USG-policy-interzone-dmz-untrust-inbound-0]policy service service-set ftp
[USG-policy-interzone-dmz-untrust-inbound-0]action permit
Step 4 Configure the NAT server. Create the mapping relations between the public IP addresses and private IP addresses of internal servers.

[USG]nat server protocol tcp global 2.2.2.4 ftp inside 192.168.1.2 ftp

Step 5 Configure the NAT address pool.

[USG] nat address-group 1 192.168.1.10 192.168.1.20

Step 6 Apply the NAT ALG function to the DMZ-Untrust interzone to ensure that the server provides
FTP services for extranet users normally.
[USG] firewall interzone dmz untrust
[USG-interzone-dmz-untrust] detect ftp
[USG-interzone-dmz-untrust] quit

Step 7 Create a NAT policy for the DMZ-Untrust interzone, define the range of source IP addresses for
NAT, and bind the NAT policy to NAT address pool 1.

[USG] nat-policy interzone dmz untrust inbound
[USG-nat-policy-interzone-dmz-untrust-inbound] policy 0
[USG-nat-policy-interzone-dmz-untrust-inbound-0] policy source 2.2.2.0 0.0.0.255
[USG-nat-policy-interzone-dmz-untrust-inbound-0] action source-nat
[USG-nat-policy-interzone-dmz-untrust-inbound-0] address-group 1
[USG-nat-policy-interzone-dmz-untrust-inbound-0] quit
[USG-nat-policy-interzone-dmz-untrust-inbound] quit

Configuration Procedure (WEB)

Step 1 Set the IP address of server and PC as 192.168.1.10/24 and 2.2.2.10/24 respectively. (omitted)
Step 2 Set the IP addresses of GE0/0/0 and GE0/0/1, and then add the interfaces to security zones. Choose Network > Interface > Interface. In Interface List, click [icon] of the interfaces to configure them. Click Apply when you have finished the configuration, as shown in the figure below:

Step 3 Configure interzone packet filtering to ensure normal network communication. Choose Firewall > Security Policy > Forward Policy. Click the Forward Policy tab. In Forward Policy List, click [icon]. Click Apply when you have finished the configuration, as shown in the figure below:

Step 4 Configure the NAT server. Create the mapping relations between the public IP addresses and private IP addresses of internal servers. Choose Firewall > NAT > Virtual Server. In Address Mapping List, click [icon]. Click Apply when you have finished the configuration, as shown in the figure below:
Step 5 Configure the NAT address pool. Choose Firewall > NAT > Source NAT. Click the NAT Address Pool tab. In NAT Address Pool List, click [icon].

Step 6 Create a NAT policy for the DMZ-Untrust interzone, define the range of source IP addresses for NAT, and bind the NAT policy to NAT address pool 1. Choose Firewall > NAT > Source NAT. Click the Source NAT tab. In Source NAT Policy List, click [icon].

Result Verification

Log in to the PC (2.2.2.2/24) and access the FTP server (2.2.2.4), then check the information below.

Check the NAT server mapping relationship by using the display nat server command.
[USG]dis nat server
Server in private network information:
id : 0
zone : ---
interface : ---
global-start-addr : 2.2.2.4 global-end-addr : ---
inside-start-addr : 192.168.1.2 inside-end-addr : ---
global-start-port : --- global-end-port : ---
insideport : ---
globalvpn : public insidevpn : public
protocol : --- vrrp : ---
no-reverse : no

Total 1 NAT servers

In the web GUI, choose Firewall > Monitor > Session Table, and check the FTP session.

6 Firewall Dual-system Hot Backup Lab

6.1 Firewall Dual-system Hot Backup Lab

Lab Objectives

Be familiar with how to configure firewall dual-system hot backup both on the CLI and the Web GUI. The USG is deployed on a service node serving as a security device. Both upstream and downstream devices are switches. USG_A and USG_B work in active/standby mode and their service interfaces work at Layer 3.

Lab Device


1. Two USG2200 or USG5000 series firewalls of the same model, two switches and two PCs.
2. At least three service interfaces on each firewall.

Lab Topology

USG_A (Master): G0/0/0 10.100.10.2/24 (Trust), G0/0/1 202.38.10.2/24 (Untrust), E2/0/0 10.0.0.1/24 (heartbeat).
USG_B (Backup): G0/0/0 10.100.10.3/24 (Trust), G0/0/1 202.38.10.3/24 (Untrust), E2/0/0 10.0.0.2/24 (heartbeat).
Backup Group 1 virtual IP address 10.100.10.1/24 on the Trust side; Backup Group 2 virtual IP address 202.38.10.1/24 on the Untrust side.
PC1 10.100.10.100/24 (Trust); PC2 202.38.10.100/24 (Untrust).

Configuration Procedure (CLI)


Step 1 Complete the configurations of the upstream and downstream interfaces of USG_A. Set IP addresses for interfaces and add the interfaces to security zones.

<USG_A> system-view
[USG_A] interface GigabitEthernet 0/0/0
[USG_A-GigabitEthernet0/0/0] ip address 10.100.10.2 24
[USG_A-GigabitEthernet0/0/0] quit
[USG_A] interface GigabitEthernet 0/0/1
[USG_A-GigabitEthernet0/0/1] ip address 202.38.10.2 24
[USG_A-GigabitEthernet0/0/1] quit
[USG_A] firewall zone trust
[USG_A-zone-trust] add interface GigabitEthernet 0/0/0
[USG_A-zone-trust] quit
[USG_A] firewall zone untrust
[USG_A-zone-untrust] add interface GigabitEthernet 0/0/1
[USG_A-zone-untrust] quit

Create VRRP backup group 1 on interface GigabitEthernet 0/0/0, and add it to the VGMP management group whose status is Master.
[USG_A] interface GigabitEthernet 0/0/0
[USG_A-GigabitEthernet0/0/0] vrrp vrid 1 virtual-ip 10.100.10.1 master
[USG_A-GigabitEthernet0/0/0] quit
Create VRRP backup group 2 on interface GigabitEthernet 0/0/1, and add it to the VGMP management group whose status is Master.
[USG_A] interface GigabitEthernet 0/0/1
[USG_A-GigabitEthernet0/0/1] vrrp vrid 2 virtual-ip 202.38.10.1 master
[USG_A-GigabitEthernet0/0/1] quit

Step 2 Configure the interzone packet filtering.

[USG_A] firewall packet-filter default permit interzone trust untrust

Step 3 Complete the heartbeat link configuration on USG_A.

Set the IP address of interface Ethernet 2/0/0.
[USG_A] interface Ethernet2/0/0
[USG_A-Ethernet2/0/0] ip address 10.0.0.1 24
[USG_A-Ethernet2/0/0] quit

Add interface Ethernet 2/0/0 to the DMZ.
[USG_A] firewall zone dmz
[USG_A-zone-dmz] add interface Ethernet2/0/0
[USG_A-zone-dmz] quit
Specify interface Ethernet 2/0/0 as the heartbeat interface.
[USG_A] hrp interface Ethernet2/0/0

Step 4 Enable the HRP backup function.

[USG_A] hrp enable

Step 5 Configure the forward policy for the Trust-Untrust interzone.

HRP_M[USG_A] policy interzone trust untrust outbound
HRP_M[USG_A-policy-interzone-trust-untrust-outbound] policy 1
HRP_M[USG_A-policy-interzone-trust-untrust-outbound-1] policy source 10.100.10.0 0.0.0.255
HRP_M[USG_A-policy-interzone-trust-untrust-outbound-1] action permit
HRP_M[USG_A-policy-interzone-trust-untrust-outbound-1] quit
HRP_M[USG_A-policy-interzone-trust-untrust-outbound] quit

Step 6 Configure USG_B.

The configurations on USG_B are the same as those on USG_A except that:
The IP addresses of interfaces on USG_B are different from those of interfaces on USG_A.
Add service interfaces GigabitEthernet 0/0/1 and GigabitEthernet 0/0/0 of USG_B to the VGMP management group whose status is Slave.

Step 7 Configure the switches.

On the switches, add the three interfaces of each switch to the same VLAN. For configuration commands, refer to the related documents of the switch.

Step 8 Configure static routes.

Configure static routes on PCs on the internal network. Set the virtual IP address of the VRRP backup group as the next-hop IP address for reaching other subnets.
Configuration Procedure (WEB)
Step 1 Set the IP addresses of interfaces on USG_A, and add the interfaces to security zones. Choose Network > Interface > Interface. In Interface List, click [icon] of the interface. On the Modify GigabitEthernet Interface page, complete the configurations, then click Apply.

Step 2 Configure a forwarding policy for USG_A.

Forwarding policy for the Trust zone to access the Untrust zone: choose Firewall > Security Policy > Forward Policy. In Forward Policy List, click [icon] of Implicit under trust->untrust and untrust->trust. On the Modify Forward Policy page, set Action to permit.

Firewall DMZ local policy: choose Firewall > Security Policy > Local Policy. In the access control over the device list, choose the default policy, modify the action to permit, and click Apply.

Step 3 Configure VRRP backup group 1 and backup group 2 of USG_A, and add the VRRP backup groups to the active management group.

Choose System > High Availability > HRP. Click Add in VRID List. On the Add VRID page, configure VRRP backup group 1.

Configure VRRP backup group 2 as above.

Step 4 Specify the HRP backup channel on USG_A and enable HRP. Choose System > High Availability > HRP. Click Enable HRP, and select FE2/0/0 as the HRP backup channel on the Configure HRP page. Click Apply.

The configurations on USG_B are similar to those on USG_A except that: (omitted)
The IP addresses of interfaces on USG_B are different from those of interfaces on USG_A.
The service interfaces of USG_B, namely interfaces GE0/0/1 and GE0/0/0, are added to the standby management group.

Result Verification

Run the display vrrp command on USG_A to check the status of the interfaces in the VRRP backup groups. If the following information is displayed, the VRRP backup groups are successfully created.

HRP_M<USG_A>dis vrrp
16:12:02 2013/06/08
GigabitEthernet0/0/1 | Virtual Router 2
VRRP Group : Master
state : Master
Virtual IP : 202.38.10.1
Virtual MAC : 0000-5e00-0102
Primary IP : 202.38.10.2
PriorityRun : 120
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0
Advertisement Timer : 1
Auth Type : NONE
Check TTL : YES

GigabitEthernet0/0/0 | Virtual Router 1
VRRP Group : Master
state : Master
Virtual IP : 10.100.10.1
Virtual MAC : 0000-5e00-0101
Primary IP : 10.100.10.2
PriorityRun : 120
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0
Advertisement Timer : 1
Auth Type : NONE
Check TTL : YES

Run the display hrp state command on USG_A to check the current HRP status. If the following output is displayed, the HRP relationship is successfully established.

HRP_M<USG_A>dis hrp state
16:15:31 2013/06/08
The firewall's config state is: MASTER

Current state of virtual routers configured as master:
GigabitEthernet0/0/1 vrid 2 : master
GigabitEthernet0/0/0 vrid 1 : master

Ping the virtual IP address 10.100.10.1 of VRRP group 1 from PC1 in the Trust zone. Then check the sessions on USG_A.
HRP_M<USG_A>display firewall session table
16:17:36 2013/06/08
Current Total Sessions : 1
icmp VPN:public --> public 10.100.10.100:1-->10.100.10.1:2048

The virtual IP address of VRRP group 1 can be pinged from PC1 once the VRRP groups are configured correctly.

PC2 is the server in the Untrust zone. PC1 in the Trust zone can ping the server in the Untrust zone. Check the session information on USG_A and USG_B.
HRP_M<USG_A>display firewall session table
16:19:42 2013/06/08
Current Total Sessions : 1
icmp VPN:public --> public 10.100.10.100:1-->202.38.10.100:2048

HRP_S<USG_B>display firewall session table
16:03:19 2013/06/08
Current Total Sessions : 1
icmp VPN:public --> public Remote 10.100.10.100:1-->202.38.10.100:2048

As shown in the output above, a session tagged Remote is created on USG_B, which indicates that the session was synchronized from USG_A after dual-system hot backup was configured.

Run ping 202.38.10.100 -t on PC1, then unplug the network cable from GE0/0/0 on USG_A and observe the firewall status (display hrp state on both devices) and how many ping replies are lost during the switchover.
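The checks above are done by eye. The following script does the same cross-check mechanically; it is an added example, not part of the lab guide. It parses the display vrrp, display hrp state and display firewall session table outputs printed above (the samples embedded in the script are copied from them), confirms that every VRRP group on USG_A is Master, that the HRP config state is MASTER and that the session on USG_B carries the Remote tag, and flags a point the output shows but the lab does not discuss: Auth Type : NONE, meaning the VRRP advertisements are unauthenticated, so any host on the same segment could claim the virtual IP. The field names and regular expressions are derived from the output format shown here and are an assumption for other USG versions.

```python
"""Parse the USG 'display' outputs shown in this lab and cross-check the HRP pair.

Added example, not part of the lab guide. The sample outputs below are copied
from the display outputs printed in this section, so the script runs offline.
"""
import re

VRRP_HEADER = re.compile(r"^(\S+)\s*\|\s*Virtual Router\s+(\d+)")
VRRP_FIELD = re.compile(
    r"^\s*(state|Virtual IP|PriorityRun|PriorityConfig|Preempt|Auth Type)\s*:\s*(\S+)")
HRP_STATE = re.compile(r"config state is:\s*(\w+)")
SESSION = re.compile(
    r"^(?P<proto>\S+)\s+VPN:(?P<src_vpn>\S+)\s+-->\s+(?P<dst_vpn>\S+)\s+"
    r"(?P<remote>Remote\s+)?(?P<src>[\d.]+):(?P<sport>\d+)-->(?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_vrrp(text):
    """Return {(interface, vrid): {field: value}} from 'display vrrp' output."""
    groups, current = {}, None
    for line in text.splitlines():
        header = VRRP_HEADER.match(line.strip())
        if header:
            current = {}
            groups[(header.group(1), int(header.group(2)))] = current
            continue
        field = VRRP_FIELD.match(line)
        if field and current is not None:
            current[field.group(1)] = field.group(2)
    return groups


def parse_hrp_state(text):
    """Return the config state ('MASTER' or 'SLAVE') from 'display hrp state' output."""
    match = HRP_STATE.search(text)
    return match.group(1).upper() if match else None


def parse_sessions(text):
    """Return one dict per session line of 'display firewall session table' output."""
    sessions = []
    for line in text.splitlines():
        match = SESSION.match(line.strip())
        if match:
            entry = match.groupdict()
            entry["remote"] = entry["remote"] is not None  # 'Remote' = synchronised from the peer
            sessions.append(entry)
    return sessions


def check_pair(master_vrrp, master_hrp, backup_sessions):
    """Cross-check the three outputs; return a list of findings (empty means all good)."""
    findings = []
    if parse_hrp_state(master_hrp) != "MASTER":
        findings.append("USG_A config state is not MASTER")
    for (iface, vrid), g in parse_vrrp(master_vrrp).items():
        if g.get("state") != "Master":
            findings.append(f"{iface} vrid {vrid}: state {g.get('state')}, expected Master")
        if g.get("Auth Type", "NONE").upper() == "NONE":
            findings.append(f"{iface} vrid {vrid} ({g.get('Virtual IP')}): VRRP advertisements "
                            "are unauthenticated; a rogue host on this segment could claim the VIP")
    sessions = parse_sessions(backup_sessions)
    if not sessions:
        findings.append("backup holds no sessions: HRP session synchronisation is not working")
    for s in sessions:
        if not s["remote"]:
            findings.append(f"backup session {s['src']}->{s['dst']} is local, not synchronised")
    return findings


# Sample outputs copied from this section of the lab guide (trimmed to the fields used).
MASTER_VRRP = """\
HRP_M<USG_A>dis vrrp
16:12:02 2013/06/08
GigabitEthernet0/0/1 | Virtual Router 2
VRRP Group : Master
state : Master
Virtual IP : 202.38.10.1
PriorityRun : 120
PriorityConfig : 100
Preempt : YES Delay Time : 0
Auth Type : NONE

GigabitEthernet0/0/0 | Virtual Router 1
VRRP Group : Master
state : Master
Virtual IP : 10.100.10.1
PriorityRun : 120
PriorityConfig : 100
Preempt : YES Delay Time : 0
Auth Type : NONE
"""
MASTER_HRP = "HRP_M<USG_A>dis hrp state\nThe firewall's config state is: MASTER\n"
BACKUP_SESSIONS = """\
HRP_S<USG_B>display firewall session table
Current Total Sessions : 1
icmp VPN:public --> public Remote 10.100.10.100:1-->202.38.10.100:2048
"""

if __name__ == "__main__":
    for finding in check_pair(MASTER_VRRP, MASTER_HRP, BACKUP_SESSIONS) or ["pair looks healthy"]:
        print(finding)
```

With the lab's own outputs the only findings are the two unauthenticated VRRP groups; feed it the outputs captured after pulling the GE0/0/0 cable (USG_A should then report SLAVE and its groups Backup) to see the switchover findings.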
7 Firewall User Management Lab

7.1 Internet Access User Authentication Lab (Authentication Exemption and Local Password Authentication)
Lab Objectives

This section describes how to exempt intranet users from authentication and how to authenticate Internet access users with local password authentication.

Lab Device

One USG firewall, one PC.

Lab Topology

Authentication exemption user: 192.168.0.2/24, connected to USG G0/0/0 (192.168.0.1/24)
Local password authentication user: 192.168.1.2/24, connected to USG G0/0/1 (192.168.1.1/24)
Internet server: 1.1.1.2/24, connected to USG Eth1/0/0 (1.1.1.1/24)

Both the authentication exemption traffic flow and the local password authentication traffic flow pass through the USG to the Internet server.
Configuration Procedure (WEB)

Step 1 Configure the basic parameters of the interfaces and add the interfaces to security zones: add GE0/0/0 to the guest zone, GE0/0/1 to the trust zone and Eth1/0/0 to the untrust zone. (omitted)

Step 2 Configure the default route. Assume that the next-hop IP address is 1.1.1.2.
Step 3 Create the authentication exemption user group. Choose User > Internet Access User > Group/User. In Organizational Structure, select root. Click Add in Member Management, select Create Group, and create a group named Guest.
Step 4 Create a user authentication policy named Guest for the subnet 192.168.0.0/24. Choose User > Internet Access User > Authentication Policy, click Add, enter or select the parameters, and click Apply.
Step 5 Create the local password authentication user and user group. Choose User > Internet Access User > Group/User. In Organizational Structure, select root. Click Add in Member Management, select Create Group, and name the new group Normal.
In Organizational Structure, select Normal. In Member Management, click Add, select Create User, and create the user user01 with the password Admin@123.
Step 6 Create a user authentication policy named Normal for the subnet 192.168.1.0/24.
Step 7 Add a forwarding policy for the authentication exemption users: set the source zone to guest, the destination zone to untrust, the user to the Guest group, and the action to permit.
Step 8 Add a forwarding policy for the local password authentication users: set the source zone to trust, the destination zone to untrust, the user to the Normal group, and the action to permit.
Step 9 Configure the global parameters. Choose User > Internet Access User > Authentication Item. Click the Global Configuration tab. Set Redirection Authentication Mode to HTTP and Authentication Port to 8888.
When a user accesses a service, the device redirects the user to the authentication URL for authentication.

Thinking: What is the difference between HTTP and HTTPS here?

Answer: HTTP means that the web browser exchanges the authentication page, and the account and password the user submits, with the device over plain HTTP, so anyone able to capture traffic on the user's segment can read the credentials. HTTPS means the exchange is protected by TLS; prefer HTTPS outside the lab.

Result Verification

After a guest connects to the intranet, the guest can access the Internet without entering an account and password.

When a normal employee accesses the Internet, the USG firewall redirects the browser to the user authentication page and asks for the account and password. Only after the user enters the correct account and password can the user access the network resources.

8 Firewall Networking Lab

8.1 VLAN Lab (Configuring the Communications Between VLANs Through the Vlanif Interface)
Lab Objectives

Upon completion of this experiment, you will know how to configure communication between VLANs through Vlanif interfaces.

Lab Device

One USG firewall, four PCs.

Lab Topology

As shown in the figure below, VLAN100 of the USG includes Ethernet 2/0/0 and Ethernet 2/0/1, and VLAN200 includes Ethernet 2/0/2 and Ethernet 2/0/3. The hosts in VLAN100 and VLAN200 must be able to communicate with each other.

VLAN 100: Ethernet 2/0/0, Ethernet 2/0/1, subnet 120.1.1.0/24
VLAN 200: Ethernet 2/0/2, Ethernet 2/0/3, subnet 130.1.1.0/24
Configuration Procedure (CLI)

Step 1 Configure VLANs and add interfaces.

Create VLAN100.
<USG> system-view
[USG] vlan 100
[USG-vlan-100] quit

Add Ethernet 2/0/0 to VLAN100.
[USG] interface Ethernet 2/0/0
[USG-Ethernet2/0/0] port access vlan 100
[USG-Ethernet2/0/0] quit

Add Ethernet 2/0/1 to VLAN100.
[USG] interface Ethernet 2/0/1
[USG-Ethernet2/0/1] port access vlan 100
[USG-Ethernet2/0/1] quit

Create VLAN200.
[USG] vlan 200
[USG-vlan-200] quit

Add Ethernet 2/0/2 to VLAN200.
[USG] interface Ethernet 2/0/2
[USG-Ethernet2/0/2] port access vlan 200
[USG-Ethernet2/0/2] quit

Add Ethernet 2/0/3 to VLAN200.
[USG] interface Ethernet 2/0/3
[USG-Ethernet2/0/3] port access vlan 200
[USG-Ethernet2/0/3] quit

Step 2 Configure Vlanif interfaces.

Set the IP address of Vlanif 100.
[USG] interface vlanif 100
[USG-Vlanif100] ip address 120.1.1.1 24
[USG-Vlanif100] quit

Set the IP address of Vlanif 200.
[USG] interface vlanif 200
[USG-Vlanif200] ip address 130.1.1.1 24
[USG-Vlanif200] quit

Step 3 Add the interfaces to the corresponding security zones and configure interzone packet filtering so that the two VLANs can communicate.
[USG] firewall zone trust
[USG-zone-trust] add interface Vlanif 100
[USG-zone-trust] quit
[USG] firewall zone untrust
[USG-zone-untrust] add interface Vlanif 200
[USG-zone-untrust] quit
[USG] policy interzone trust untrust inbound
[USG-policy-interz-trust-untrust-inbound] policy 0
[USG-policy-interzone-trust-untrust-inbound-0] action permit
[USG-policy-interzone-trust-untrust-inbound-0] quit
[USG-policy-interzone-trust-untrust-inbound] quit
[USG] policy interzone trust untrust outbound
[USG-policy-interzone-trust-untrust-outbound] policy 0
[USG-policy-interzone-trust-untrust-outbound-0] action permit
[USG-policy-interzone-trust-untrust-outbound-0] quit
[USG-policy-interzone-trust-untrust-outbound] quit

Policy 0 as written permits all traffic in both directions between the two VLANs; outside the lab, restrict the source, destination and service to what the hosts actually need.

Step 4 Set the gateway of the hosts in VLAN100 to 120.1.1.1 and the gateway of the hosts in VLAN200 to 130.1.1.1.
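Every CLI procedure in this guide (this VLAN lab and the E1, SA, L2TP and GRE labs that follow) is a transcript of the form [prompt]command, and the prompt tells you which view the command runs in. A command typed in the wrong view is the usual way a zone or a policy ends up attached to the wrong interface, so it is worth checking transcripts mechanically before pasting them into a device. The following added example (not code from the lab guide or from Huawei) tracks the view stack across a transcript and reports every line whose prompt does not match the view the previous commands put the session in. The prompt-naming rules are modelled on the prompts shown in this guide and are an assumption for any view it does not use; the BAD transcript is constructed to contain two typical slips.

```python
"""Lint a Huawei VRP (USG) CLI transcript: does each prompt match the view the
previous commands put the session in?

Added example, not part of the lab guide. The view rules below cover only the
views this guide uses (interface, vlan, firewall zone, policy interzone,
controller, aaa, l2tp-group); anything else is treated as a plain command.
"""
import re

PROMPT = re.compile(r"^(?P<prompt>[<\[][^>\]]+[>\]])\s*(?P<cmd>.*)$")
IFACE_NAMES = {"ethernet": "Ethernet", "gigabitethernet": "GigabitEthernet", "vlanif": "Vlanif",
               "serial": "Serial", "tunnel": "Tunnel", "virtual-template": "Virtual-Template"}


def iface_token(args):
    """'Ethernet 2/0/0' or 'vlanif 100' -> 'Ethernet2/0/0' / 'Vlanif100', as the prompt shows it."""
    joined = "".join(args)
    match = re.match(r"([A-Za-z-]+)(.*)", joined)
    if not match:
        return joined
    kind, rest = match.groups()
    return IFACE_NAMES.get(kind.lower(), kind) + rest


def view_token(words):
    """Return the prompt suffix a command switches into, or None for a plain command."""
    if not words:
        return None
    head = words[0].lower()
    if head == "interface" and len(words) > 1:
        return iface_token(words[1:])
    if head == "controller" and len(words) > 1:
        return " ".join(words[1:])                 # [USG-A-E1 1/0/0]
    if head == "firewall" and len(words) == 3 and words[1] == "zone":
        return "zone-" + words[2]                  # [USG-zone-trust]
    if head == "policy" and len(words) == 5 and words[1] == "interzone":
        return "-".join(words)                     # [USG-policy-interzone-trust-untrust-inbound]
    if head == "vlan" and len(words) == 2:
        return "vlan-" + words[1]
    if head == "aaa":
        return "aaa"
    if head == "l2tp-group" and len(words) == 2:
        return "l2tp" + words[1]
    return None


def lint_transcript(text):
    """Return [(line_number, message)] for every line whose prompt does not match the tracked view."""
    findings, sysname, stack, in_system = [], None, [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        match = PROMPT.match(raw.strip())
        if not match:
            continue                               # command output or blank line
        prompt, words = match.group("prompt"), match.group("cmd").split()
        if sysname is None:                        # the first prompt fixes the device name
            sysname, in_system = prompt[1:-1], prompt.startswith("[")
        expected = "[" + "-".join([sysname] + stack) + "]" if in_system else f"<{sysname}>"
        if prompt != expected:
            findings.append((lineno, f"prompt {prompt} but the session is in view {expected}"))
        # Follow the command the author intended, even after a mismatched prompt.
        if words == ["system-view"]:
            in_system, stack = True, []
        elif words == ["quit"]:
            if stack:
                stack.pop()
            else:
                in_system = False
        elif words[:1] == ["sysname"] and len(words) == 2:
            sysname = words[1]
        elif words[:1] == ["policy"] and len(words) == 2 and stack:
            stack[1:] = [words[1]]                 # rule view inside an interzone view
        else:
            token = view_token(words)
            if token is not None:
                stack = [token]                    # VRP switches between level-1 views directly
    return findings


# Constructed transcript with two typical slips: the interface named in the
# command is not the one in the prompt, and a 'quit' is shown under the wrong zone.
BAD = """\
<USG> system-view
[USG] interface Ethernet 4/0/0
[USG-Ethernet2/0/0] port access vlan 100
[USG-Ethernet2/0/0] quit
[USG] firewall zone untrust
[USG-zone-untrust] add interface Vlanif 200
[USG-zone-trust] quit
[USG] policy interzone trust untrust inbound
[USG-policy-interzone-trust-untrust-inbound] policy 0
[USG-policy-interzone-trust-untrust-inbound-0] action permit
[USG-policy-interzone-trust-untrust-inbound-0] quit
[USG-policy-interzone-trust-untrust-inbound] quit
"""

if __name__ == "__main__":
    for lineno, message in lint_transcript(BAD):
        print(f"line {lineno}: {message}")
```

The linter follows the command rather than the prompt after a mismatch, so one slip produces a finding on every line until the view is left again; that is intended, since all of those lines would run in the wrong view on a real device.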
Configuration Procedure (WEB)

Step 1 Configure VLANs and add interfaces.

Add Ethernet 2/0/0 and Ethernet 2/0/1 to VLAN100 and add the interfaces to the trust zone. Choose Network > Interface > Interface. Click the Modify icon in the row of the entry to be modified.

Add Ethernet 2/0/2 and Ethernet 2/0/3 to VLAN200 and add the interfaces to the trust zone. Choose Network > Interface > Interface. Click the Modify icon in the row of the entry to be modified.

Step 2 Create the Vlanif interfaces and add them to the security zones. Choose Network > Interface > Interface. Click Add and create vlanif 100 and vlanif 200, as shown in the figure below.

Step 3 Configure interzone packet filtering so that the two VLANs can communicate. Choose Firewall > Security Policy > Forward Policy. Click Add in Forward Policy List. Enter or select the parameters as shown in the figure below.
Step 4 Set the gateway of the hosts in VLAN100 to 120.1.1.1 and the gateway of the hosts in VLAN200 to 130.1.1.1.

Result Verification

After the configuration, the hosts in VLAN100 and VLAN200 can ping each other.
PC2>ping 120.1.1.2

Ping 120.1.1.2: 32 data bytes, Press Ctrl_C to break
From 120.1.1.2: bytes=32 seq=1 ttl=127 time=47 ms
From 120.1.1.2: bytes=32 seq=2 ttl=127 time=31 ms
From 120.1.1.2: bytes=32 seq=3 ttl=127 time=47 ms
From 120.1.1.2: bytes=32 seq=4 ttl=127 time=31 ms
From 120.1.1.2: bytes=32 seq=5 ttl=127 time=47 ms

--- 120.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 31/40/47 ms

PC1>ping 130.1.1.2

Ping 130.1.1.2: 32 data bytes, Press Ctrl_C to break
From 130.1.1.2: bytes=32 seq=1 ttl=127 time=16 ms
From 130.1.1.2: bytes=32 seq=2 ttl=127 time=31 ms
From 130.1.1.2: bytes=32 seq=3 ttl=127 time=31 ms
From 130.1.1.2: bytes=32 seq=4 ttl=127 time=31 ms
From 130.1.1.2: bytes=32 seq=5 ttl=127 time=47 ms

--- 130.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 16/31/47 ms
8.2 E1 Lab

Lab Objectives

Configure the E1 interfaces so that the PCs can communicate with each other through an E1 cable.

Lab Device

Two USG firewalls, two PCs and one E1 cable.

Lab Topology

PC1: 192.168.1.1, connected to USG-A G0/0/1 (192.168.1.254)
USG-A E1 1/0/0 (200.200.200.1) is connected by the E1 cable to USG-B E1 1/0/0 (200.200.200.2)
PC2: 192.168.2.1, connected to USG-B G0/0/1 (192.168.2.254)
Configuration Procedure (CLI)

Step 1 Configure the E1 interfaces and set the working mode of the interface to E1 mode.

<USG-A>system-view
[USG-A]controller E1 1/0/0
[USG-A-E1 1/0/0]using e1
[USG-A-E1 1/0/0]quit
<USG-B>system-view
[USG-B]controller E1 1/0/0
[USG-B-E1 1/0/0]using e1
[USG-B-E1 1/0/0]quit

Step 2 Configure the IP address of Serial1/0/0:0.

[USG-A]interface Serial1/0/0:0
[USG-A-Serial1/0/0:0]ip address 200.200.200.1 255.255.255.0
[USG-A-Serial1/0/0:0]quit
[USG-B]interface Serial1/0/0:0
[USG-B-Serial1/0/0:0]ip address 200.200.200.2 255.255.255.0
[USG-B-Serial1/0/0:0]quit

Step 3 Add Serial1/0/0:0 to the Untrust zone.

[USG-A]firewall zone untrust
[USG-A-zone-untrust]add interface Serial1/0/0:0
[USG-A-zone-untrust]quit
[USG-B]firewall zone untrust
[USG-B-zone-untrust]add interface Serial1/0/0:0
[USG-B-zone-untrust]quit

Step 4 Configure the IP address of GigabitEthernet 0/0/1.

[USG-A]interface GigabitEthernet 0/0/1
[USG-A-GigabitEthernet0/0/1]ip address 192.168.1.254 255.255.255.0
[USG-A-GigabitEthernet0/0/1]description to PC1
[USG-A-GigabitEthernet0/0/1]quit
[USG-B]interface GigabitEthernet 0/0/1
[USG-B-GigabitEthernet0/0/1]ip address 192.168.2.254 255.255.255.0
[USG-B-GigabitEthernet0/0/1]description to PC2
[USG-B-GigabitEthernet0/0/1]quit

Step 5 Add GigabitEthernet 0/0/1 to the Trust zone.

[USG-A]firewall zone trust
[USG-A-zone-trust]add interface GigabitEthernet 0/0/1
[USG-A-zone-trust]quit
[USG-B]firewall zone trust
[USG-B-zone-trust]add interface GigabitEthernet 0/0/1
[USG-B-zone-trust]quit

Step 6 Configure interzone packet filtering so that the PCs can communicate. The default-permit setting below opens all interzone traffic and is acceptable only in the lab.

[USG-A]firewall packet-filter default permit all
[USG-B]firewall packet-filter default permit all

Step 7 Configure the default route.

[USG-A]ip route-static 0.0.0.0 0.0.0.0 200.200.200.2
[USG-B]ip route-static 0.0.0.0 0.0.0.0 200.200.200.1
t t
Configuration Procedure (WEB)

Step 1 Configure the E1 interface. Choose Network > Interface > Interface. In Interface List, click the Modify icon of E1 1/0/0 and configure the E1 interface. Click Apply when you have finished the configuration, as shown in the figure below:
Step 2 Click Configure Timeslot Binding, set Binding Mode to "Binding All into One Serial Port", and click Add. Leave the other settings at their defaults. Click Apply.

After E1 1/0/0 is configured, the new interface Serial 1/0/0:0 (a Layer 3 interface) is displayed in Interface List.

Step 3 Add interface Serial 1/0/0:0 to the untrust zone and add GigabitEthernet0/0/1 to the trust zone. Choose Network > Interface > Interface. Click the Modify icon in the row where Serial 1/0/0:0 resides in Interface List. Then enter or select the parameters shown in the following figure:
Keep the default values for the other parameters.

Step 4 Configure USG_B. (The procedure is the same as for USG_A except for the IP addresses; omitted here.)

Step 5 Configure interzone packet filtering on USG_A and USG_B so that the PCs can communicate. Choose Firewall > Security Policy > Forward Policy. Click Add in Forward Policy List. Enter or select the parameters as shown in the figure below.

Step 6 Configure the routes on USG-A and USG-B. Choose Router > Static > Static Route, click Add, and enter or select the parameters as shown in the figures below.

Static route configuration on USG-A

Static route configuration on USG-B
Result Verification

A ping from 192.168.1.1 to 192.168.2.1 on USG_A should be successful.

In the web GUI of USG_A, choose System > Maintenance > Diagnosis Center. Click the Ping tab. Enter 192.168.2.1 in Host Name or IP Address. Click Advance and enter 192.168.1.1 in Source IP Address.

<USG-A>PING 192.168.2.1
56 data bytes, press CTRL_C to break
Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=255 time=10 ms
Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=20 ms
Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=10 ms
--- 192.168.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 10/12/20 ms
A ping from 192.168.2.1 to 192.168.1.1 on USG_B should be successful.

In the web GUI of USG_B, choose System > Maintenance > Diagnosis Center. Click the Ping tab. Enter 192.168.1.1 in Host Name or IP Address. Click Advance and enter 192.168.2.1 in Source IP Address:

<USG-B>PING 192.168.1.1
56 data bytes, press CTRL_C to break
Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=255 time=10 ms
Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=255 time=20 ms
Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=255 time=10 ms
Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=255 time=10 ms

--- 192.168.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 10/12/20 ms
8.3 SA Lab

Lab Objectives

Configure the SA serial interfaces so that the PCs can communicate with each other through a V.35 cable.

Lab Device

Two USG firewalls, two PCs and one V.35 cable.

Lab Topology

PC1: 192.168.1.1, connected to USG-A G0/0/1 (192.168.1.254)
USG-A Serial4/0/0 (100.100.100.1) is connected by the V.35 cable to USG-B Serial4/0/0 (100.100.100.2)
PC2: 192.168.2.1, connected to USG-B G0/0/1 (192.168.2.254)
Configuration Procedure (CLI)

Step 1 Set the IP address of the Serial 4/0/0 interface on USG_A and USG_B.

<USG-A>system-view
[USG-A]interface Serial 4/0/0
[USG-A-Serial4/0/0]ip address 100.100.100.1 255.255.255.0
<USG-B>system-view
[USG-B]interface Serial 4/0/0
[USG-B-Serial4/0/0]ip address 100.100.100.2 255.255.255.0

Step 2 Restart the interfaces to activate the configuration.

[USG-A-Serial4/0/0]shutdown
[USG-A-Serial4/0/0]undo shutdown
[USG-A-Serial4/0/0]quit
[USG-B-Serial4/0/0]shutdown
[USG-B-Serial4/0/0]undo shutdown
[USG-B-Serial4/0/0]quit

Step 3 Add Serial 4/0/0 to the untrust zone.

[USG-A]firewall zone untrust
[USG-A-zone-untrust]add interface Serial4/0/0
[USG-A-zone-untrust]quit
[USG-B]firewall zone untrust
[USG-B-zone-untrust]add interface Serial4/0/0
[USG-B-zone-untrust]quit

Step 4 Add GigabitEthernet 0/0/1 to the trust zone.

[USG-A]firewall zone trust
[USG-A-zone-trust]add interface GigabitEthernet 0/0/1
[USG-A-zone-trust]quit
[USG-B]firewall zone trust
[USG-B-zone-trust]add interface GigabitEthernet 0/0/1
[USG-B-zone-trust]quit

Step 5 Configure interzone packet filtering so that the PCs can communicate. The default-permit setting below opens all interzone traffic and is acceptable only in the lab.

[USG-A]firewall packet-filter default permit all
[USG-B]firewall packet-filter default permit all

Step 6 Configure the default route.

[USG-A]ip route-static 0.0.0.0 0.0.0.0 100.100.100.2
[USG-B]ip route-static 0.0.0.0 0.0.0.0 100.100.100.1
Configuration Procedure (WEB)

Step 1 Configure the Serial 4/0/0 interface on USG_A. Choose Network > Interface > Interface. In Interface List, click the Modify icon of Serial 4/0/0 and configure the serial interface. Click Apply when you have finished the configuration, as shown in the figure below:
Step 2 Configure USG_B. (The procedure is the same as for USG_A except for the IP addresses; omitted here.)

Step 3 Configure interzone packet filtering on USG_A and USG_B so that the PCs can communicate. Choose Firewall > Security Policy > Forward Policy. Click Add in Forward Policy List. Enter or select the parameters as shown in the figure below.
Step 4 Configure the routes on USG-A and USG-B. Choose Router > Static > Static Route, click Add, and enter or select the parameters as shown in the figures below.

Static route configuration on USG-A

Static route configuration on USG-B
Result Verification

A ping from 192.168.1.1 to 192.168.2.1 on USG_A should be successful.

In the web GUI of USG_A, choose System > Maintenance > Diagnosis Center. Click the Ping tab. Enter 192.168.2.1 in Host Name or IP Address. Click Advance and enter 192.168.1.1 in Source IP Address.

<USG-A>PING 192.168.2.1
56 data bytes, press CTRL_C to break
Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=255 time=10 ms
Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=20 ms
Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=10 ms
--- 192.168.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 10/12/20 ms
A ping from 192.168.2.1 to 192.168.1.1 on USG_B should be successful.

In the web GUI of USG_B, choose System > Maintenance > Diagnosis Center. Click the Ping tab. Enter 192.168.1.1 in Host Name or IP Address. Click Advance and enter 192.168.2.1 in Source IP Address:

<USG-B>PING 192.168.1.1
56 data bytes, press CTRL_C to break
Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=255 time=10 ms
Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=255 time=20 ms
Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=255 time=10 ms
Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=255 time=10 ms

--- 192.168.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 10/12/20 ms
8.4 3G Lab

Lab Objectives

When a 3G interface card is installed in the USG firewall, the 3G function can be configured to access the Internet through 3G. Through this task you will learn how to configure the 3G function.

Lab Device

One USG2110-X firewall, one USB 3G card and one PC.

Lab Topology

The intranet PC is connected to the USG, which dials out to the 3G network through Cellular 2/0/0.
Configuration Procedure (WEB)
Step 1 Configure the basic parameters of the interfaces. Choose Network > Interface > Interface. In Interface List, click the Modify icon of GE0/0/1. In Modify GigabitEthernet Interface, the configurations are as shown in the figure below:
Keep the default settings for the other parameters and click Apply.

Step 2 Configure 3G dial-up for accessing the 3G network. Choose Wireless&DSL > 3G > Settings. In Basic Configuration, the configurations are as shown in the figure below.

In the Advanced area, select Obtain an IP Address Automatically and Obtain DNS Server
Address Automatically. Click Apply.
Step 3 Configure DHCP so that the users obtain IP addresses automatically. Choose Network > DHCP Server > Settings. In DHCP Service Information List click Add; the configurations are as follows:

Select the Enable check box corresponding to DHCP Service in Configure DHCP Basic Parameter.
Keep the default settings for the other parameters. Click Apply.

Step 4 Configure interzone packet filtering so that the intranet can reach the Internet. Choose Firewall > Security Policy > Forward Policy. Click Add in Forward Policy List. Enter or select the parameters as shown in the figure below.
Step 5 Configure the PC (assume that the PC runs Windows 7). Right-click My Network Places and click Properties. The Network Connections window is displayed. Select the Local Area Connection of the network adapter, right-click it and choose Properties. The Local Area Connection Properties window is displayed.
Select Internet Protocol (TCP/IP), and click Properties. The Internet Protocol (TCP/IP)
Properties page is displayed. Select Obtain an IP address automatically and Obtain DNS
server address automatically.
Result Verification

Check whether the PC can access the Internet.

Check whether the 3G dial-up succeeds by displaying the current status. Choose Wireless&DSL > 3G > Settings and view Current Status and Signal Intensity. If Disconnected is displayed, the 3G dial-up failed and you need to check the configuration. If Signal Intensity is weak, the connection rate is affected and you need to adjust the position of the antennas or the device.

9 VPN Lab

9.1 L2TP VPN Lab (Client-Initialized VPN)

Lab Objectives

Through this task, you will learn how to configure client-initialized L2TP. Note that L2TP on its own only tunnels PPP frames: the user and tunnel passwords are protected by challenge/response, but user data crosses the Internet in cleartext unless L2TP is combined with IPsec.

Lab Device

One USG and two PCs.

Lab Topology

LNS (USG): GE0/0/1 192.168.2.1/24 faces the LAC client (PC at 192.168.2.2); GE0/0/0 192.168.1.1/24 faces the internal PC; Virtual-Template 1 has the address 192.168.0.1/24 and assigns 192.168.0.2 to 192.168.0.100 to clients (addresses taken from the configuration below).

Configuration Procedure (CLI)


Step 1 Configure the LNS side. Set the IP address of the interface.
<USG> system-view
[USG] sysname LNS
[LNS] interface GigabitEthernet 0/0/1
[LNS-GigabitEthernet0/0/1] ip address 192.168.2.1 255.255.255.0
[LNS-GigabitEthernet0/0/1] quit
[LNS] interface GigabitEthernet 0/0/0
[LNS-GigabitEthernet0/0/0] ip address 192.168.1.1 255.255.255.0
[LNS-GigabitEthernet0/0/0] quit
Step 2 Create and configure the virtual interface template.

[LNS] interface virtual-template 1
[LNS-Virtual-Template1] ip address 192.168.0.1 255.255.255.0
[LNS-Virtual-Template1] ppp authentication-mode chap
[LNS-Virtual-Template1] quit
Step 3 Enable L2TP.

[LNS] l2tp enable

Step 4 Create and configure an L2TP group.

[LNS] l2tp-group 1
[LNS-l2tp1] tunnel name LNS
[LNS-l2tp1] allow l2tp virtual-template 1 remote client1
[LNS-l2tp1] tunnel authentication
[LNS-l2tp1] tunnel password cipher Password123
[LNS-l2tp1] quit

Step 5 Define an address pool for the LAC clients and set the user name and password (the same as those configured on the LAC client side).

[LNS] aaa
[LNS-aaa] ip pool 1 192.168.0.2 192.168.0.100
[LNS-aaa] local-user vpdnuser password cipher Hello123
[LNS-aaa] quit

Step 6 Allocate IP addresses to the peer from the address pool.

[LNS] interface virtual-template 1
[LNS-Virtual-Template1] remote address pool 1
[LNS-Virtual-Template1] quit

Step 7 Add the interfaces to the security zones and configure interzone packet filtering.

[LNS] firewall zone trust
[LNS-zone-trust] add interface GigabitEthernet 0/0/0
[LNS-zone-trust] add interface virtual-template 1
[LNS-zone-trust] quit
[LNS] firewall zone untrust
[LNS-zone-untrust] add interface GigabitEthernet 0/0/1
[LNS-zone-untrust] quit
[LNS] policy interzone trust untrust inbound
[LNS-policy-interzone-trust-untrust-inbound] policy 0
[LNS-policy-interzone-trust-untrust-inbound-0] action permit
[LNS-policy-interzone-trust-untrust-inbound-0] quit
[LNS-policy-interzone-trust-untrust-inbound] quit

Step 8 Configure the LAC client side. The L2TP client software must be installed on the LAC client, which is connected to the Internet in dial-up mode. The following takes the Secoway VPN Client as an example. Click the new-connection button and follow the New Connection Wizard. Choose "Create a new connection by inputting parameters", then click Next.
Step 9 Set LNS Server IP, Username and Password (vpdnuser/Hello123) on the Basic Settings page. Click Next.
Step 10 Enter the Tunnel Name (client1) and set Authentication Mode to CHAP. Select Enable Tunnel Authentication and enter the Tunnel Authentication Password (Password123, the same as the tunnel password configured on the LNS). Click Next to finish creating the L2TP connection.

Step 11 Click the connection just created, and click Connect.


Configuration Procedure (WEB)

Step 1 Configure the LNS side. Set the IP address of the interface. Choose Network > Interface > Interface. In Interface List, click the Modify icon of GE0/0/1 and configure the interface. Click Apply when you have finished the configuration, as shown in the figure below:
Step 2 Configure the security forwarding policy. Choose Firewall > Security Policy > Forward Policy. Click the Forward Policy tab. In Forward Policy List, click the Modify icon. Click Apply when you have finished the configuration, as shown in the figure below:
Step 3 Configure the L2TP parameters. Choose VPN > L2TP > L2TP. In Configure L2TP, select the Enable check box of L2TP, and then click Apply.

Step 4 In L2TP Group List, click Add. Set Group Type to LNS. Click Add to create the user vpdnuser (vpdnuser/Hello123).
Step 5 Configure the other L2TP parameters. Tunnel Name on Peer must be the same as Tunnel Name on Local configured on the LAC side, that is, client1, and the tunnel password must be Password123.
Step 6 Configure the server address and the address pool as shown in the figure below. Click Apply after finishing all the configurations.
Step 7 Configure the LAC client. The steps are the same as in the CLI configuration procedure; see Step 8 to Step 11 of the configuration procedure (CLI).

Result Verification

Check the VPN users by running the display l2tp tunnel command on the LNS side.

[LNS] display l2tp tunnel
Total tunnel = 1
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName
1 1 192.168.2.2 1701 1 client1

In the web GUI, choose VPN > L2TP > Monitor. If the ID of the L2TP tunnel is listed, the L2TP tunnel is successfully established.

Click Number of Sessions to view the detailed session information.
9.2 GRE VPN Lab

Lab Objectives

Upon completion of this experiment, you will know how to configure GRE VPN. GRE only encapsulates traffic; it provides neither encryption nor authentication of the tunneled packets.

Lab Device

Two USG firewalls and two PCs.

Lab Topology

USG_A: G0/0/0 192.168.0.1/24 (to PC A, 192.168.0.2/24); G0/0/1 192.13.2.1/24; Tunnel 0 10.1.2.1/24
USG_B: G0/0/0 192.168.1.1/24 (to PC B, 192.168.1.2/24); G0/0/1 192.13.2.2/24; Tunnel 0 10.1.3.1/24
The GRE tunnel runs between G0/0/1 of USG_A and G0/0/1 of USG_B.
Mo
Configuration Procedure (CLI)

Step 1 Configure the IP addresses of the PCs. (omitted)

Step 2 Configure the IP addresses of the firewall interfaces.

Configure USG_A
[USG_A]interface GigabitEthernet 0/0/0
[USG_A-GigabitEthernet0/0/0]ip address 192.168.0.1 24
[USG_A-GigabitEthernet0/0/0]quit
[USG_A]interface GigabitEthernet 0/0/1
[USG_A-GigabitEthernet0/0/1]ip address 192.13.2.1 24
[USG_A-GigabitEthernet0/0/1]quit
Configure USG_B
[USG_B]interface GigabitEthernet 0/0/0
[USG_B-GigabitEthernet0/0/0]ip address 192.168.1.1 24
[USG_B-GigabitEthernet0/0/0]quit
[USG_B]interface GigabitEthernet 0/0/1
[USG_B-GigabitEthernet0/0/1]ip address 192.13.2.2 24
[USG_B-GigabitEthernet0/0/1]quit
Add the interfaces into security zones and configure the interzone packet filtering policy. .
Step 3
e i
Configure USG_A
a w
[USG_A]firewall zone trust
h u
[USG_A-zone-trust]add interface GigabitEthernet 0/0/0
g .
i n
n
[USG_A-zone-trust]quit
[USG_A]firewall zone untrust
[USG_A-zone-untrust]add interface GigabitEthernet e a r
/ l 0/0/1
[USG_A-zone-untrust]quit
/
[USG_A]firewall packet-filter default permit:interzone trust untrust direction outbound
t p interzone trust untrust direction inbound
ht
[USG_A]firewall packet-filter default permit
Configure USG_B
[USG_B]firewall zone trust
[USG_B-zone-trust]add interface GigabitEthernet 0/0/0
[USG_B-zone-trust]quit
[USG_B]firewall zone untrust
[USG_B-zone-untrust]add interface GigabitEthernet 0/0/1
[USG_B-zone-untrust]quit
[USG_B]firewall packet-filter default permit interzone trust untrust direction outbound
[USG_B]firewall packet-filter default permit interzone trust untrust direction inbound
Step 4 Configure the tunnel interface and add it to the untrust zone.
Configure USG_A
[USG_A]interface Tunnel 0
[USG_A-Tunnel0]tunnel-protocol gre
[USG_A-Tunnel0]ip address 10.1.2.1 24
[USG_A-Tunnel0]source 192.13.2.1
[USG_A-Tunnel0]destination 192.13.2.2
[USG_A-Tunnel0]quit
[USG_A]firewall zone untrust
[USG_A-zone-untrust]add interface Tunnel 0
[USG_A-zone-untrust]quit
Configure USG_B
[USG_B]interface Tunnel 0
[USG_B-Tunnel0]tunnel-protocol gre
[USG_B-Tunnel0]ip address 10.1.3.1 24
[USG_B-Tunnel0]source 192.13.2.2
[USG_B-Tunnel0]destination 192.13.2.1
[USG_B-Tunnel0]quit
[USG_B]firewall zone untrust
[USG_B-zone-untrust]add interface Tunnel 0
[USG_B-zone-untrust]quit
Step 5 Configure the static routes.
Configure USG_A
[USG_A]ip route-static 192.168.1.0 24 Tunnel 0
Configure USG_B
[USG_B]ip route-static 192.168.0.0 24 Tunnel 0
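The following is an added example, not part of this lab guide or of Huawei's code: it builds the outer IP plus GRE header that Tunnel 0 on USG_A wraps around a PC A to PC B packet, using the lab's addresses, and parses it back. The payload is constructed; note that the inner packet stays readable inside the GRE packet, because GRE adds no encryption or authentication.

```python
# Added example (not part of the Huawei lab guide): builds and parses the
# IP-in-GRE-in-IP packets that the lab's GRE tunnel carries between
# 192.13.2.1 and 192.13.2.2 (RFC 2784 header, no optional fields).
import struct
import socket

GRE_PROTO = 47           # IP protocol number carried in the outer IP header
ETHERTYPE_IPV4 = 0x0800  # GRE "protocol type" field for an IPv4 payload


def ip_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    total_len = 20 + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, total_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = ip_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap an inner IPv4 packet the way 'tunnel-protocol gre' does:
    outer IPv4 header (protocol 47) + 4-byte GRE header (flags/version 0,
    protocol type 0x0800) + the untouched inner packet."""
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    payload = gre_hdr + inner_packet
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(payload)) + payload


def gre_decapsulate(packet: bytes) -> dict:
    """Parse outer IP + GRE and return the inner packet and addresses.
    Raises ValueError on anything that is not plain IPv4-in-GRE."""
    if len(packet) < 24 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto != GRE_PROTO:
        raise ValueError("outer protocol %d is not GRE" % proto)
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IP checksum")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0xB000:  # C, K or S bit set: longer GRE header, not handled here
        raise ValueError("optional GRE fields not supported here")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("GRE protocol type 0x%04x is not IPv4" % ptype)
    inner = packet[ihl + 4:]
    return {
        "outer_src": socket.inet_ntoa(packet[12:16]),
        "outer_dst": socket.inet_ntoa(packet[16:20]),
        "inner_src": socket.inet_ntoa(inner[12:16]),
        "inner_dst": socket.inet_ntoa(inner[16:20]),
        "inner": inner,
    }


def lab_packet() -> bytes:
    """PC A -> PC B packet as it leaves USG_A's G0/0/1 after GRE encapsulation.
    The application data is constructed and stands in for an ICMP echo."""
    app_data = b"constructed payload"
    inner = ipv4_header("192.168.0.2", "192.168.1.2", 1, len(app_data)) + app_data
    return gre_encapsulate(inner, "192.13.2.1", "192.13.2.2")
```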
Configuration Procedure (WEB)
Step 1 Configure the IP addresses of the PCs. (omitted)
Step 2 Configure the IP addresses of the firewall interfaces. Choose Network > Interface > Interface. In Interface List, click the icon of the interface to be configured.
Configure USG_A
Configure USG_B
Step 3 Configure the interzone packet filtering policy to ensure normal network communication. Choose Firewall > Security Policy > Local Policy. In Forward Policy List, click the add icon.
Configure USG_A
Configuration on USG_B is the same as on USG_A.
Step 4 Configure the tunnel interface and add it to the untrust zone. Choose VPN > GRE > GRE. In GRE Interface List, click Add. Configure the GRE interface parameters as shown in the figure below.
Configure USG_A
Configure USG_B
Step 5 Configure the static route. Choose Route > Static > Static Route. In Static Route List, click Add. On Add Static Route, set the following parameters, as shown in the figures below.
Configure USG_A
Configure USG_B
Result Verification
PC A and PC B can ping each other.
10 IPSec VPN Lab
10.1 Configuring Point-to-Point IPSec Tunnel
Lab Objectives
Through this task, you will learn how to configure a point-to-point IPSec tunnel with a fixed public IP address at the peer end.
Lab Device
Two USG firewalls and two PCs.
Lab Topology

USG_A                              USG_B
G0/0/1  10.10.10.1/24              G0/0/1  10.10.10.2/24
G0/0/0  192.168.0.1/24             G0/0/0  192.168.1.1/24

Host 1  192.168.0.2/24             Host 2  192.168.1.2/24
Configuration Procedure (CLI)
Configure USG_A
Step 1 Basic configurations, which include the IP addresses of the PC and the USG interfaces. (omitted)
Step 2 Configure the default interzone packet filtering policy between the Trust zone and the Untrust zone.
[USG_A]policy interzone trust untrust inbound
[USG_A-policy-interzone-trust-untrust-inbound]policy 0
[USG_A-policy-interzone-trust-untrust-inbound-0]action permit
[USG_A-policy-interzone-trust-untrust-inbound-0]qu
[USG_A-policy-interzone-trust-untrust-inbound]qu
[USG_A]policy interzone trust untrust outbound
[USG_A-policy-interzone-trust-untrust-outbound]policy 0
[USG_A-policy-interzone-trust-untrust-outbound-0]action permit
[USG_A-policy-interzone-trust-untrust-outbound-0]qu
[USG_A-policy-interzone-trust-untrust-outbound]qu
[USG_A]firewall packet-filter default permit interzone local untrust direction inbound
[USG_A]firewall packet-filter default permit interzone local untrust direction outbound
Step 3 Configure an ACL on USG_A to define the data flow to be protected.
[USG_A]acl 3000
[USG_A-acl-adv-3000]rule permit ip source 192.168.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[USG_A-acl-adv-3000]quit
Step 4 Configure static routes from USG_A to the peer end.

[USG_A] ip route-static 192.168.1.0 255.255.255.0 10.10.10.2


Step 5 Create IPSec proposals on USG_A. (By default, the encapsulation mode for IPSec is tunnel mode and the security protocol is ESP. The authentication algorithm for ESP is MD5 and the encryption algorithm for ESP is DES. These configurations are optional.)
[USG_A] ipsec proposal tran1
[USG_A-ipsec-proposal-tran1]encapsulation-mode tunnel
[USG_A-ipsec-proposal-tran1]transform esp
[USG_A-ipsec-proposal-tran1]esp authentication-algorithm md5
[USG_A-ipsec-proposal-tran1]esp encryption-algorithm des
[USG_A-ipsec-proposal-tran1]quit
Step 6 Create IKE proposals on USG_A. (By default, the authentication mode for IKE is pre-shared key, the authentication algorithm for IKE is SHA1, and the integrity algorithm for IKE is HMAC-SHA1-96. These configurations are optional.)
[USG_A] ike proposal 10
[USG_A-ike-proposal-10] authentication-method pre-share
[USG_A-ike-proposal-10] authentication-algorithm sha1
[USG_A-ike-proposal-10] integrity-algorithm hmac-sha1-96
[USG_A-ike-proposal-10] quit
Step 7 Configure IKE peers.
[USG_A]ike peer b
[USG_A-ike-peer-b]ike-proposal 10
[USG_A-ike-peer-b]remote-address 10.10.10.2
[USG_A-ike-peer-b]pre-shared-key abcde
[USG_A-ike-peer-b]quit
Step 8 Create IPSec policies on USG_A.
[USG_A] ipsec policy map1 10 isakmp
[USG_A-ipsec-policy-isakmp-map1-10] security acl 3000
[USG_A-ipsec-policy-isakmp-map1-10] proposal tran1
[USG_A-ipsec-policy-isakmp-map1-10] ike-peer b
[USG_A-ipsec-policy-isakmp-map1-10] quit
Step 9 Apply the IPSec policy to the interface on USG_A.
[USG_A] interface GigabitEthernet 0/0/1
[USG_A-GigabitEthernet0/0/1] ipsec policy map1
Configure USG_B
Step 10 Basic configurations, which include the IP addresses of the PC and the USG interfaces. (omitted)
Step 11 Configure the default interzone packet filtering policy between the Trust zone and the Untrust zone.
[USG_B]policy interzone trust untrust inbound
[USG_B-policy-interzone-trust-untrust-inbound]policy 0
[USG_B-policy-interzone-trust-untrust-inbound-0]action permit
[USG_B-policy-interzone-trust-untrust-inbound-0]qu
[USG_B-policy-interzone-trust-untrust-inbound]qu
[USG_B]policy interzone trust untrust outbound
[USG_B-policy-interzone-trust-untrust-outbound]policy 0
[USG_B-policy-interzone-trust-untrust-outbound-0]action permit
[USG_B-policy-interzone-trust-untrust-outbound-0]qu
[USG_B-policy-interzone-trust-untrust-outbound]qu
[USG_B]firewall packet-filter default permit interzone local untrust direction inbound
[USG_B]firewall packet-filter default permit interzone local untrust direction outbound
Step 12 Configure an ACL on USG_B to define the data flow to be protected.
[USG_B]acl 3000
[USG_B-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
[USG_B-acl-adv-3000]quit
Step 13 Configure static routes from USG_B to the peer end.
[USG_B] ip route-static 192.168.0.0 255.255.255.0 10.10.10.1
Step 14 Create IPSec proposals on USG_B. (By default, the encapsulation mode for IPSec is tunnel mode and the security protocol is ESP. The authentication algorithm for ESP is MD5 and the encryption algorithm for ESP is DES. These configurations are optional.)
[USG_B] ipsec proposal tran1
[USG_B-ipsec-proposal-tran1]encapsulation-mode tunnel
[USG_B-ipsec-proposal-tran1]transform esp
[USG_B-ipsec-proposal-tran1]esp authentication-algorithm md5
[USG_B-ipsec-proposal-tran1]esp encryption-algorithm des
[USG_B-ipsec-proposal-tran1]quit
Step 15 Create IKE proposals on USG_B. (By default, the authentication mode for IKE is pre-shared key, the authentication algorithm for IKE is SHA1, and the integrity algorithm for IKE is HMAC-SHA1-96. These configurations are optional.)
[USG_B] ike proposal 10
[USG_B-ike-proposal-10] authentication-method pre-share
[USG_B-ike-proposal-10] authentication-algorithm sha1
[USG_B-ike-proposal-10] integrity-algorithm hmac-sha1-96
[USG_B-ike-proposal-10] quit
Step 16 Configure IKE peers.
[USG_B]ike peer a
[USG_B-ike-peer-a]ike-proposal 10
[USG_B-ike-peer-a]remote-address 10.10.10.1
[USG_B-ike-peer-a]pre-shared-key abcde
[USG_B-ike-peer-a]quit
Step 17 Create IPSec policies on USG_B.
[USG_B] ipsec policy map1 10 isakmp
[USG_B-ipsec-policy-isakmp-map1-10] security acl 3000
[USG_B-ipsec-policy-isakmp-map1-10] proposal tran1
[USG_B-ipsec-policy-isakmp-map1-10] ike-peer a
[USG_B-ipsec-policy-isakmp-map1-10] quit
Step 18 Apply the IPSec policy to the interface on USG_B.
[USG_B] interface GigabitEthernet 0/0/1
[USG_B-GigabitEthernet0/0/1] ipsec policy map1
Configuration Procedure (WEB)
Configure USG_A
Step 19 Basic configurations, which include the IP addresses of the PC and the USG interfaces. (omitted)
Step 20 Configure the default interzone packet filtering policy between the Trust zone and the Untrust zone. Configure the security policy between the Local zone and the Untrust zone.
Step 21 Configure a static route from USG_A to network B, with the next-hop IP address of 1.1.1.2. Choose Route > Static > Static Route. In Static Route List, click Add. On the Add Static Route page, configure the following parameters.
Step 22 Configure IKE phase 1 and IKE phase 2. Choose VPN > IPSec > IKE Negotiation. Click Phase 1 and set the IKE phase 1 parameters on the Add Phase 1 page; Pre-Shared Key is set to abcde.
Step 23 Click the icon of ike_b to create IKE phase 2. Configure the IKE phase 2 parameters on the Add Phase 2 page and click Apply.
Step 24 Apply the IPSec policy. Choose VPN > IPSec > IPSec Policy. Click Add and configure the IPSec policy parameters on the Add IPSec Policy page, including the data flow to be protected by the IPSec tunnel.
Step 25 Bind the IPSec policy to an interface. Choose VPN > IPSec > IPSec Policy. Click the Applied to interface value (-NONE-) of policy1, select GE0/0/1 from the drop-down list, and click Apply.
NOTE:
The configuration of USG_B is similar to that of USG_A except for the static route, the peer end IP address, and the data flow to be protected. For those three differing parts of the configuration, see the procedures below. The others are omitted.
Result Verification
After the configuration is complete, ping an IP address of network B from network A. The IP address can be pinged successfully. Run the display ike sa and display ipsec sa commands on USG_A and USG_B to view the establishment of SAs. For example, on USG_B, if the following information is displayed, the IKE SA and IPSec SA are established successfully.
l e
<USG_B> display ike sa
/ /
current ike sa number: 2
p :
t phase vpn
---------------------------------------------------------------------------------------------------
t
conn-id peer
hflag

10.10.10.1es
: RD
---------------------------------------------------------------------------------------------------
101
r c v2:2 public
100
u
10.10.10.1 RD v2:1 public

flag meaninge
so
R ST--STAYALIVE RL--REPLACED FD--FADING
g
RD--READY
n
i
TO--TIMEOUT TD--DELETING NEG--NEGOTIATING DDPD
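As an added check (not from the lab guide or from Huawei), the following Python parses the display ike sa output above and reports whether both the IKE SA (phase v2:1) and the IPSec SA (phase v2:2) to the peer carry the RD flag; the embedded sample text is a constructed copy of the output format.

```python
# Added example (not from the lab guide): parses 'display ike sa' text and
# decides whether the tunnel to a given peer is fully up, i.e. both the
# IKE SA (phase v2:1) and the IPSec SA (phase v2:2) show the RD (READY) flag.
import re
from typing import Dict, List

# Constructed copy of the output format shown in the lab's Result Verification.
SAMPLE_OUTPUT = """\
<USG_B> display ike sa
current ike sa number: 2
---------------------------------------------------------------------------
conn-id    peer            flag    phase    vpn
---------------------------------------------------------------------------
101        10.10.10.1      RD      v2:2     public
100        10.10.10.1      RD      v2:1     public

flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING
TO--TIMEOUT TD--DELETING NEG--NEGOTIATING D--DPD
"""

# One SA row: connection id, peer address, flags (may be joined by '|'),
# phase (v1/v2 : 1/2) and vpn instance. Header, legend and separator lines
# do not match and are skipped.
ROW_RE = re.compile(
    r"^\s*(?P<conn>\d+)\s+(?P<peer>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<flags>[A-Z|]+)\s+(?P<phase>v[12]:[12])\s+(?P<vpn>\S+)\s*$"
)


def parse_ike_sa(output: str) -> List[Dict[str, object]]:
    """Return one dict per SA row of the command output."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append({
            "conn_id": int(m.group("conn")),
            "peer": m.group("peer"),
            "flags": m.group("flags").split("|"),
            "phase": m.group("phase"),
            "vpn": m.group("vpn"),
        })
    return rows


def tunnel_state(output: str, peer: str) -> str:
    """'up' when both phases to `peer` are READY; 'partial' when only the
    IKE SA is ready (phase 1 succeeded but phase 2 did not, which usually
    points at mismatched ACLs or IPSec proposals on the two ends);
    otherwise 'down'."""
    ready = {r["phase"] for r in parse_ike_sa(output)
             if r["peer"] == peer and "RD" in r["flags"]}
    if "v2:1" in ready and "v2:2" in ready:
        return "up"
    if "v2:1" in ready:
        return "partial"
    return "down"
```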
In the Web GUI, check the establishment of a security association (SA) on USG_A and USG_B. For example, on USG_A, if the following information is displayed, an IPSec tunnel is established successfully. Choose VPN > IPSec > Monitor.
In IPSec Traffic Statistics, click Refresh to view the traffic statistics of all IPSec tunnels.
In SA Monitoring, select IKE SA List and click Refresh to view information about the established IKE SA.
In SA Monitoring, select IPSec SA List and click Refresh to view information about the established IPSec SA.
11 SSL VPN Lab
11.1 Web Proxy/File Sharing/Port Forwarding/Network Extension
Lab Objectives
Through this task, you will learn how to configure the following SSL VPN functions:
Web proxy
Port forwarding
File sharing
Network extension
Lab Device
One USG firewall and two PCs.
Lab Topology
PC 2  192.168.1.2/24  ---  G0/0/0 192.168.1.1/24  [USG]  G0/0/1 10.10.10.1/24  ---  PC 1  10.10.10.2/24
Configuration Procedure (WEB)
Step 1 Basic configurations, which include the IP addresses of the PC and the USG interfaces. (omitted)
Step 2 Create a virtual gateway. Choose VPN > SSL VPN > VG Management. Click Add. Name the virtual gateway Test and configure the basic information about the virtual gateway.
Step 3 Choose VPN > SSL VPN > VG Menu and choose Test, which was just created.
Step 4 Create a user account. Click VG Test, choose VPNDB configuration, and click the add icon to create a new user named TestUser with the password password123.
Step 5 Enable the Web proxy service. In the VG Menu navigation tree, choose VG Menu > test > Web Proxy. In the Web Proxy group box, select the Enable web proxy check box to enable the Web proxy function.
In the Web Proxy Resource Management group box, click the Web-link Resource tab. Click Add to add resources of the Web mail server.
Step 6 Enable the file sharing function. Choose VPN > SSL VPN > VG Menu. In the VG Menu navigation tree, choose VG Menu > test > File Sharing. Select the Enable file sharing function check box.
Click Add. Configure the file sharing resources of the SMB type.
Step 7 Enable the port forwarding function. Choose VPN > SSL VPN > VG Menu. In the VG Menu navigation tree, choose VG Menu > test > Port Forwarding. Select the Enable port forwarding function check box.
Click Add to configure the FTP service as a port forwarding resource.
Step 8 Enable the network extension function. In the VG Menu navigation tree, choose VG Menu > test > Network Extension. Select the Enable network extension function check box to enable the network extension function.
In the IP Address Allocation Mode of the Client group box, allocate the IP address to the client.
In the Client Routing Mode group box, click Split Tunnel.
Result Verification
Open the USG SSL VPN page at https://10.10.10.1 and log in with the account just created.
After logging in successfully, you will see the Web Proxy, File Sharing, Port Forwarding and Network Extension services.
Click Test Web Server; another IE tab is displayed, and the USG address is added to the server address.
Click a file sharing resource; you will be asked to log in to the file share server to fetch the file resources.
Under port forwarding, click Start to start the port forwarding service, then try to connect to the test server using telnet.
Start the network extension service under Network Extension.
After it has started, check the IP address of the PC; you will find that the PC got an IP address from the address pool configured on the USG.

12 UTM Lab
12.1 Virus Database or IPS Signature Database Update
Lab Objectives
Get familiar with how to update the AV database and the IPS signature database through scheduled online update.
1. Update the AV database and the IPS signature database through the security service center at a scheduled time;
2. Configure the IPS scheduled online update function; the update time is 02:00 am;
3. Configure the AV database scheduled online update function; the update time is 01:00 am.
Lab Device
1. One USG2000/5000 firewall (V3R1 version), one PC.
2. The firewall can access the Internet.
Lab Topology
Intranet --- (1) UTM Firewall --- (2) Security Service Center

Item  Device                                  Data
(1)   USG (whose signature database and       Interface number: GigabitEthernet 0/0/0
      virus database need to be updated)      IP address: 192.168.17.3/24
                                              Security zone: Trust
                                              Next-hop IP address: 192.168.17.254
(2)   USG (whose signature database and       Firewall can access the Internet
      virus database need to be updated)

Configuration Procedure (CLI)

Step 1 Firewall basic configuration. Configure the firewall IP addresses and add the interfaces to security zones. Then configure the default route and the security forwarding policy. (Omitted)
Step 2 Set the running mode to UTM.
<USG> system-view
[USG] runmode utm
NOTE: Switching the running mode takes effect only after the device restarts. You are advised to save the configuration and restart the device as prompted.
Step 3 Configure the security service center update.


Set the domain name of the security service center.
[USG] security server domain sec.huawei.com
Enable DNS resolve function.
[USG] dns resolve
Configure the IP address of DNS server.
[USG] dns server 61.139.2.69

Step 4 Configure the scheduled online update of the USG.
Enable the scheduled online update for IPS and AV.
[USG] update schedule ips enable
[USG] update schedule av enable
Set the time of the scheduled online update.
[USG] update schedule ips daily 0200
[USG] update schedule av daily 0100
Install the newest IPS signature version.
[USG] update apply ips
Configuration Procedure (WEB)
Step 1 Enable the UTM function. Choose UTM > Settings > Settings, select Enable to enable UTM, and click Apply.
Step 2 Configure the security service center. Choose System > Maintenance > Update Center. Do not select Open corresponding to Internal Update. In the Domain Name of Security Service Server text box, enter the domain name: sec.huawei.com.
Step 3 Add the DNS server. Choose Network > DNS > DNS. In DNS Server List, enter the IP address of the DNS server, then click Add.
Step 4 Configure the scheduled online update of the USG. Choose System > Maintenance > Update Center. Select Anti Virus or Intrusion Prevention, click Scheduled Update, enter the daily update time, and click Apply.
Result Verification
Result: (CLI)
1. Run the display update configuration command to check the internal update information.
<USG2200>display update configuration
11:04:44 2013/06/09
==============Update configuration information==============
Internal update mode : Disable
Internal update server :-
Internal update port :-
IPS :
Application confirmation : Disable
Schedule update : Enable
Schedule update frequency : Daily
Schedule update time : 02:00
AV :
Schedule update : Enable
Schedule update frequency : Daily
Schedule update time : 01:00
============================================================
2. Run display ips version and display av version to check the version of the updated signature database or virus database. If the updated version meets the requirements, the update succeeded.
<USG2200> display ips version
11:05:57 2013/06/09
==================Update information list===================
Current version :
Version number : 20130606.011
Engine version : 4.5.6.37
Engine size : 5757574 bytes
Signature database version : 20130606.011
Signature database size : 696352 bytes
Update time : 09:00:32 2013/06/09
Issue time of the update file : 07:44:08 2013/06/06
Backup version :
Version number : 20130522.011
Engine version : 4.5.6.37
Engine size : 5757574 bytes
Signature database version : 20130522.011
Signature database size : 695019 bytes
Update time : 17:01:57 2013/06/08
Issue time of the update file : 04:49:34 2013/05/22
Factory default version :
Version number : 0.000
Engine version : 0.0.0.0
Engine size : 0 bytes
Signature database version : 0.000
Signature database size : 0 bytes
Update time : 00:00:00 0000/00/00
Issue time of the update file : 00:00:00 0000/00/00
============================================================
<USG2200>display av version
11:06:56 2013/06/09
==================Update information list===================
Current version :
Version number : 20130608.009
Engine version : 1.1.1.4
Engine size : 4106904 bytes
Signature database version : 20130608.009
Signature database size : 111325927 bytes
Update time : 08:48:44 2013/06/09
Issue time of the update file : 16:29:53 2013/06/08
Backup version :
Version number : 20130527.004
Engine version : 1.1.1.4
Engine size : 4106904 bytes
Signature database version : 20130527.004
Signature database size : 111538965 bytes
Update time : 17:45:41 2013/06/08
Issue time of the update file : 09:57:49 2013/05/27
Factory default version :
Version number : 0.000
Engine version : 0.0.0.0
Engine size : 0 bytes
Signature database version : 0.000
Signature database size : 0 bytes
Update time : 00:00:00 0000/00/00
Issue time of the update file : 00:00:00 0000/00/00
============================================================
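Added example (not part of the lab guide or of Huawei's software): a Python parser for the display ips version and display av version output above that extracts the Current, Backup and Factory default sections and checks the age of the current signature file against the device clock printed on the second line, so that a silently failed scheduled update is noticed. The embedded sample is a constructed excerpt of the output shown; the 7-day threshold is an assumption.

```python
# Added example (not from the lab guide): parses 'display ips version' /
# 'display av version' output and checks signature freshness.
import re
from datetime import datetime, timedelta
from typing import Dict

# Constructed excerpt of the lab's 'display ips version' output.
SAMPLE_IPS = """\
<USG2200> display ips version
11:05:57 2013/06/09
==================Update information list===================
Current version :
Version number : 20130606.011
Engine version : 4.5.6.37
Engine size : 5757574 bytes
Signature database version : 20130606.011
Signature database size : 696352 bytes
Update time : 09:00:32 2013/06/09
Issue time of the update file : 07:44:08 2013/06/06
Backup version :
Version number : 20130522.011
Engine version : 4.5.6.37
Engine size : 5757574 bytes
Signature database version : 20130522.011
Signature database size : 695019 bytes
Update time : 17:01:57 2013/06/08
Issue time of the update file : 04:49:34 2013/05/22
============================================================
"""

TIME_FMT = "%H:%M:%S %Y/%m/%d"                 # the USG's timestamp layout
SECTION_RE = re.compile(r"^(Current|Backup|Factory default) version\s*:\s*$")
CLOCK_RE = re.compile(r"^\d\d:\d\d:\d\d \d{4}/\d\d/\d\d$")


def parse_version_output(text: str) -> Dict[str, Dict[str, str]]:
    """Split the output into sections ('Current', 'Backup', ...), each a
    dict of field -> value. The device clock line is stored under 'clock'."""
    result: Dict[str, Dict[str, str]] = {}
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        m = SECTION_RE.match(stripped)
        if m:
            section = m.group(1)
            result[section] = {}
            continue
        if CLOCK_RE.match(stripped):
            result["clock"] = {"time": stripped}
            continue
        if section and ":" in stripped:
            # Split on the first colon only: values themselves contain colons.
            field, value = stripped.split(":", 1)
            result[section][field.strip()] = value.strip()
    return result


def signature_age_days(text: str) -> float:
    """Days between the issue time of the current signature file and the
    device clock. A daily schedule only guarantees that the device asked
    for updates; the vendor's release cadence bounds how fresh the file is,
    so compare against a policy threshold rather than against zero."""
    parsed = parse_version_output(text)
    clock = datetime.strptime(parsed["clock"]["time"], TIME_FMT)
    issued = datetime.strptime(
        parsed["Current"]["Issue time of the update file"], TIME_FMT)
    return (clock - issued) / timedelta(days=1)


def update_is_healthy(text: str, max_age_days: float = 7) -> bool:
    """True when the current signature database is newer than the backup
    (an update actually happened) and its file is within max_age_days."""
    parsed = parse_version_output(text)
    current = parsed["Current"]["Signature database version"]
    backup = parsed.get("Backup", {}).get("Signature database version", "0")
    # Versions are 'YYYYMMDD.nnn', so lexical comparison orders them by date.
    return current > backup and signature_age_days(text) <= max_age_days
```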
Result: (WEB)
Check the AV database version information.
Check the IPS version information.
12.2 UTM IPS Lab
Lab Objectives
Configure the IPS function on the USG to protect the enterprise's internal PC and HTTP server.
Lab Device
1. One USG2000/5000 firewall (V3R1 version), one PC.
2. The firewall can access the Internet.
Lab Topology
Trust                                                   Untrust
Internal PC --- G0/0/0 10.0.0.1/24 [UTM Firewall] G0/0/1 192.168.17.3/24 --- 192.168.17.254/24 --- HTTP Server (Internet)
                Ethernet2/0/0 10.0.10.1/24 --- HTTP Server (DMZ)
Configuration Procedure (CLI)
Step 1 Set the running mode to UTM.
<USG> system-view
[USG] runmode utm
NOTE: Switching the running mode takes effect only after the device restarts. You are advised to save the configuration and restart the device as prompted.
Step 2 Configure the basic configuration of the USG. (omitted)
Note that the default route must be configured so that the firewall can access the Internet. The next-hop address is the IP address of the directly connected interface.
[USG] ip route-static 0.0.0.0 0 192.168.17.254
Step 3 Enable the IPS function and configure its working mode as protective.
[USG] ips enable
[USG] ips mode protective
Configure the IPS policy to protect the HTTP server on the intranet.
a. Create an IPS policy. Create IPS policy protecthttp.
[USG] ips policy protecthttp
b. Create a signature set for the pre-defined signatures in the IPS policy and configure the status and
response mode of the signature set.
Create signature set abc.
[USG-ips-policy-protecthttp] signature-set abc
Add the signatures of the to-server direction to the signature set.
[USG-ips-policy-protecthttp-signset-abc] direction enable
[USG-ips-policy-protecthttp-signset-abc] direction to-server
Add the signatures whose severity levels are higher than or equal to critical to the signature set.
[USG-ips-policy-protecthttp-signset-abc] severity enable
[USG-ips-policy-protecthttp-signset-abc] severity above critical
Add the signatures of the HTTP protocol to the signature set.
[USG-ips-policy-protecthttp-signset-abc] protocol enable
[USG-ips-policy-protecthttp-signset-abc] protocol http
Enable the signature set and configure the response mode as block.
[USG-ips-policy-protecthttp-signset-abc] signature-set enable
[USG-ips-policy-protecthttp-signset-abc] signature-set action block
[USG-ips-policy-protecthttp-signset-abc] return
Step 4 Configure the IPS policy to protect the PC on the intranet. Create IPS policy protectpc and reference the policy template default for the IPS policy.
<USG> system-view
[USG] ips policy protectpc copy-from template default
[USG-ips-policy-protectpc] quit
Step 5 Apply the IPS policy.
Apply IPS policy protecthttp in the inbound direction of the interzone between the DMZ and the Untrust zone.
[USG] policy interzone dmz untrust inbound
[USG-policy-interzone-dmz-untrust-inbound] policy 0
[USG-policy-interzone-dmz-untrust-inbound-0] policy service service-set http
[USG-policy-interzone-dmz-untrust-inbound-0] policy destination 10.0.10.0 0.0.0.255
[USG-policy-interzone-dmz-untrust-inbound-0] action permit
[USG-policy-interzone-dmz-untrust-inbound-0] policy ips protecthttp
[USG-policy-interzone-dmz-untrust-inbound-0] return
Apply IPS policy protectpc in the outbound direction of the interzone between the Trust zone and the Untrust zone.
<USG> system-view
[USG] policy interzone trust untrust outbound
[USG-policy-interzone-trust-untrust-outbound] policy 1
[USG-policy-interzone-trust-untrust-outbound-1] policy service service-set http
[USG-policy-interzone-trust-untrust-outbound-1] policy source 10.0.0.0 0.0.0.255
[USG-policy-interzone-trust-untrust-outbound-1] action permit
[USG-policy-interzone-trust-untrust-outbound-1] policy ips protectpc
Configuration Procedure (WEB)
Step 1 Complete the firewall basic configuration. (Omitted)
Step 2 Set the running mode to UTM. Choose UTM > Settings > Settings. Select Enable to enable UTM. Click Apply. Choose Save configurations and restart device or Restart device, and click Confirm.
It is recommended to choose Save configurations and restart device to save the configuration and then restart the device. Otherwise, after the device restarts, the unsaved configuration will be lost.
Step 3 Configure static routing to ensure network connectivity. The next hop is the IP address of the directly connected interface on the router. Choose Router > Static > Static Route. In Static Route List, click Add. In Add Static Route, enter the next-hop address and click Apply.
Step 4 Enable the IPS function and configure the IPS mode. Choose UTM > Intrusion Prevention > Policy. Click the IPS Policy tab. In the Configure Global Parameter group box, the configurations are as follows:
IPS Function: Enable
Working Mode: Protective
Privilege Policy: NONE
Step 5 Configure the IPS policy to protect the HTTP server on the intranet.
Create IPS policy protecthttp. Choose UTM > Intrusion Prevention > Policy. Click the IPS Policy tab. In IPS Policy List, click Add. In Add IPS Policy, create an IPS policy named protecthttp. Click Apply.
Create a signature set in the IPS policy and configure the status and response mode of the signature set. In Signature Set List, click Add. In Add Signature Set, configure the parameters below and click Apply.
Apply the IPS policy. Choose Firewall > Security Policy > Forward Policy. In Forward Policy List, click Add, configure the parameters below, and click Apply.
Step 6 Configure the IPS policy to protect the PC.
Create IPS policy protectpc. Choose UTM > Intrusion Prevention > Policy. Click the IPS Policy tab. In IPS Policy List, click Add. In Add IPS Policy, create an IPS policy named protectpc. Click Apply.
Apply the IPS policy. Choose Firewall > Security Policy > Forward Policy. In Forward Policy List, click Add, configure the parameters below, and click Apply.
Result Verification
1. When a malicious user on the Internet launches HTTP attacks with a severity level higher than major against the intranet HTTP server, the connection is blocked.
2. When a user attempts to access a malicious website, the connection is blocked.
12.3 UTM AV Lab
Lab Objectives
Be familiar with the configuration of AV for intranet users accessing Web pages and FTP servers on the Internet.
Lab Device
1. One USG2000 or USG5000 firewall (V3R1 version), one PC.
2. The firewall can access the Internet.
Lab Topology
Trust                                                   Untrust
Internal PC 10.0.0.100/24 --- G0/0/0 10.0.0.1/24 [UTM Firewall] G0/0/1 192.168.17.3/24 --- 192.168.17.25/24 --- HTTP Server
Configuration Procedure (CLI)
Step 1 Set the running mode to UTM.
<USG> system-view
[USG] runmode utm
Switching the running mode takes effect only after the device restarts. You are advised to save the configuration and restart the device as prompted.
Step 2 Configure the basic data of the USG. (Omitted)
Note that the default route must be configured so that the firewall can access the Internet. The next-hop address is the IP address of the directly connected interface.
[USG] ip route-static 0.0.0.0 0 192.168.17.254
Step 3 Set the AV global parameters.
[USG] av enable
[USG] av scan-level 2
[USG] av max-decompress-layer 10

Step 4 Create an AV policy and complete the public configuration of the AV policy.

[USG] av policy policy1


[USG-av-policy-policy1] description http and ftp server
[USG-av-policy-policy1] password-protected-file action permit
[USG-av-policy-policy1] deep-compressed-file action permit
[USG-av-policy-policy1] malformed-file action permit
[USG-av-policy-policy1] large-file action permit

Step 5 Configure the AV policy for the files transmitted through HTTP.

[USG-av-policy-policy1] undo smtp enable


[USG-av-policy-policy1] undo pop3 enable
[USG-av-policy-policy1] http action block
[USG-av-policy-policy1] undo http upload enable

[USG-av-policy-policy1] http web-push-notification find-virus
[USG-av-policy-policy1] http scan-mode intelliscan
[USG-av-policy-policy1] http enable
[USG-av-policy-policy1] http max-file-size 10
[USG-av-policy-policy1] http download enable
[USG-av-policy-policy1] http resume-transfer enable
Step 6 Configure the AV policy for the files transmitted through FTP.
[USG-av-policy-policy1] ftp action block
[USG-av-policy-policy1] ftp push-notification the file has security risks
[USG-av-policy-policy1] ftp scan-mode intelliscan
[USG-av-policy-policy1] ftp enable
[USG-av-policy-policy1] ftp max-file-size 10
[USG-av-policy-policy1] ftp upload enable
[USG-av-policy-policy1] ftp download enable
[USG-av-policy-policy1] ftp resume-transfer enable
[USG-av-policy-policy1] quit
Step 7 Configure the firewall policy in the interzone between the DMZ and the Untrust zone, and apply the AV policy, thus protecting intranet hosts against viruses.
[USG] policy interzone trust untrust outbound
[USG-policy-interzone-trust-untrust-outbound] policy 5
[USG-policy-interzone-trust-untrust-outbound-5] action permit
[USG-policy-interzone-trust-untrust-outbound-5] policy source address-set internal
[USG-policy-interzone-trust-untrust-outbound-5] policy av policy1
MoConfiguration Procedure (WEB)


Step 1 Configure the basic parameters of the interfaces. (Omitted)
Step 2 Configure static routing to ensure the network connection. Choose Router > Static > Static Route. In
Static Route List, click Add. In Add Static Route configure the next-hop addres to 192.168.17.254
and click Apply.

Step 3 Set the running mode to UTM. Choose UTM > Settings > Settings. Select Enable to enable the UTM. Click Apply. Choose Save configurations and restart device or Restart device, and click Confirm.

It is recommended to choose Save configurations and restart device, which saves the configurations and then restarts the device. Otherwise, after the device restarts, the unsaved configurations will be lost.

Step 4 Set AV global parameters. Choose UTM > Anti Virus > Policy. In Configure Global Parameter, configure the global parameters and click Apply.

Step 5 Create an AV policy. Choose UTM > Anti Virus > Policy. In AV Policy List, click Add. In Add Policy, create an AV policy named policy1. Click Apply.

Step 6 In HTTP Settings, configure the same HTTP parameters as in the CLI procedure: action Block, scan mode IntelliScan, maximum file size 10, download scanning enabled, upload scanning disabled, resume transfer enabled, and the web push notification for files in which a virus is found.

Step 7 In FTP Settings, configure the same FTP parameters as in the CLI procedure: action Block, scan mode IntelliScan, maximum file size 10, upload and download scanning enabled, resume transfer enabled, and the push notification text "the file has security risks". Then:

1. In the SMTP Settings area, clear the Virus Scan check box to disable the AV scanning for SMTP.
2. In the POP3 Settings area, clear the Virus Scan check box to disable the AV scanning for POP3.

Step 8 Apply the AV policy. Choose Firewall > Security Policy > Forward Policy. In Forward Policy List, click Add, configure a forward policy with the same parameters as in the CLI procedure (Trust to Untrust, outbound, source address set internal, action Permit, AV policy policy1), and then click Apply.

Result Verification

When users access Web pages containing viruses, the USG blocks the connection.

When users upload or download files containing viruses through FTP, or download them through HTTP, the USG blocks the connection. HTTP uploads are not scanned by this policy (upload scanning is disabled in Step 5 of the CLI procedure), so an infected HTTP upload is not blocked.
