The privilege of HCNA/HCNP/HCIE: With any Huawei Career Certification, you have the privilege on http://learning.huawei.com/en to enjoy:
· Huawei Career Certification and Basic Technology e-Learning courses: log on to http://learning.huawei.com/en and enter Huawei Training/e-Learning.
· HCIE e-Learning: you can access all the e-Learning courses marked for HCIE Certification Users. Please associate your HCIE certificate information with your Huawei account, and email the account to [email protected] to apply for the HCIE e-Learning privilege.
· Training material: Huawei product training material and Huawei career certification training material. Log on to http://learning.huawei.com/en and enter Huawei Training/Classroom Training, then download the training material from the specific training introduction page.
· Huawei Online Open Class (LVC): Huawei career certification training and product training covering all ICT technical domains, such as R&S, UC&C, Security, Storage and so on, conducted by Huawei professional instructors.
· eNSP: simulates a single router or switch device as well as a large network.
· WLAN Planner: network planning tool for WLAN AP products.
In addition, Huawei has built the Huawei Technical Forum, which allows candidates to discuss technical issues with Huawei experts, share exam experiences with others, or become acquainted with Huawei products.
HUAWEI TECHNOLOGIES CO., LTD.
CSBN-HCNA-Security Lab Guide ISSUE 2.50
Contents
1 Overview
1.1 Application Scope
1.2 Introduction of Firewall Products
1.3 Terminal Security Products
1.4 Diagram of Network Elements
1.5 Security Declaration
2 How to Login Firewall
2.1 Login Through the Console Port
2.2 Login Through Web Management Interface (Default Web-manager)
2.3 Remote Login Through Telnet
2.4 Remote Login Through SSH
2.5 Login Through the Web
3 Firewall Basic Configuration
3.1 Firewall System Management
4 Firewall Security Forwarding Policy
4.1 Configuring IP Address-Based Forwarding Policy
5 Network Address Translate Lab
5.1 Source NAT Lab
5.2 Source NAT & NAT Server Lab
1 Overview
This document describes the configuration and deployment of Huawei security products. After completing the labs on these security products, you will be able to deploy and operate the devices.
1.1 Application Scope
This document is applicable to the lab described in the security product training courses for Huawei system security engineers. The lab is applicable to the following products:
Name | Description
USB2.0 | USB ports allow you to insert USB devices for system software upgrades.
Interface status indicators 0 to 7 (green) | Steady on: the link is connected. Blink (8 Hz): data is being sent or received. Off: the link is disconnected.
PWR indicator (green) | Steady on: the power module works properly. Off: the power module is faulty or the power cable is disconnected.
System status indicator | Steady on: the system is powering on or restarting. Blink (0.5 Hz): the system is running normally.
Console port (RJ45) | Console ports allow you to locally connect to the device.
ESN | The serial number that uniquely identifies the device. When applying for a license file, you must provide the ESN of the device.
1.2.2 USG6330 Description
Device Overview
The USG6330/6350/6360 uses an integrated chassis that contains the fixed interface board, power module, and fan module. You can also add optional modules, such as a hard disk, an additional power module, and expansion cards, to improve system reliability and add more ports. The size of the integrated chassis is 44.4 mm (H) x 442 mm (W) x 421 mm (D), and it can be installed in a 19-inch standard cabinet.
Front panel
The front panel of the USG6330 provides fixed ports, an ESD jack, and expansion slots. The figure below illustrates the front panel of the USG6330.
Name | Description
(fixed ports) | electrical port.
Expansion slot | Provides two WSIC slots.
ESD jack | The equipment end of the wrist strap is inserted into the ESD jack. For the wrist strap to be effective, ensure that the device is already grounded.
Rear panel
The rear panel of the USG6330 provides the power module, protective ground terminal, and a hard disk slot for the optional hard disk combination. The figure below illustrates the rear panel of the USG6330.
Name | Description
Slot numbering | Indicates the layout of the slots, including the slot number and
1.2.3 USG6550 Description
Device Overview
The USG6550 uses an integrated chassis that contains the fixed interface board, power module, and fan module. You can also add optional modules, such as a hard disk, an additional power module, and expansion cards, to improve system reliability and add more ports. The size of the integrated chassis is 44.4 mm (H) x 442 mm (W) x 421 mm (D), and it can be installed in a 19-inch standard cabinet.
Front panel
The front panel of the USG6550 provides fixed ports, an ESD jack, and expansion slots. The figure below illustrates the front panel of the USG6550.
Name | Description
8-11 (SFP) | GE optical ports.
Expansion slot | Provides two WSIC slots.
ESD jack | The equipment end of the wrist strap is inserted into the ESD jack. For the wrist strap to be effective, ensure that the device is already grounded.
Rear panel
The rear panel of the USG6550 provides the power module, protective ground terminal, and a hard disk slot for the optional hard disk combination. The figure below illustrates the rear panel of the USG6550.
Name | Description
Slot numbering | Indicates the layout of the slots, including the slot number and
1.2.4 Physical Port Naming Methods
Interfaces are numbered in the format "interface type A/B/C", where:
A is the slot number of the interface card.
B is the daughter card number, which is 0 because no daughter card is installed.
C is the interface number, which begins with 0 and is numbered from bottom to top and from left to right.
Assume that a 5FSW interface card is installed in slot 2 of the NGFW. The port numbers are Ethernet2/0/0, Ethernet2/0/1, Ethernet2/0/2, Ethernet2/0/3, and Ethernet2/0/4.
1.3 Terminal Security Products
1.3.1 Introduction of the Agile Controller
Agile Controller is a user- and application-based network resource auto-control system developed by Huawei. As the brain of smart campus networks, Agile Controller dynamically allocates network and security resources on the entire campus network based on software-defined networking (SDN), enabling networks to
1.3.2 Agile Controller System Deployment
Network Access Device (NAD): Agile Controller supports a variety of NADs, including WLAN ACs and APs, Huawei Portal switches, standard 802.1x switches, and Huawei security access control gateways (SACGs).
The Agile Controller deployment is flexible to meet different network conditions and requirements. In centralized networking, all Agile Controller servers are deployed centrally, usually in the enterprise data center. This networking mode applies to centralized networks with large bandwidth (such as campus networks) as well as to networks with small branches.
[Figure: Agile Controller centralized deployment. Pre-authentication domain: TSM Manager + TSM Controller + Scanner + FTP + authentication database; TSM Controller + FTP + primary database + mirroring database. Isolation domain: LAN, anti-virus server, patch server. Post-authentication domain: router, security access control gateway, service system A, service system B.]
Performance item | Value
Memory usage | 40 to 50 MB
Authentication time (non-802.1x) | ≤ 3 s
Authentication time (802.1x) | ≤ 10 s
Authentication time (802.1x certificate) | ≤ 15 s
PS: the test PC used a 2 GHz CPU, 4 GB of memory, and the Windows 7 operating system.
1.4 Diagram of Network Elements
The following network element icons are used in the lab topologies: Internet, Network Cloud, Laptop, PC, USG Firewall, Router, Server.
1.5 Security Declaration
1.5.1 Encryption Algorithm Declaration
Currently, the device uses the following cryptographic algorithms: DES, 3DES, AES, RSA, SHA1, SHA-2, and MD5. The algorithm to use depends on the scenario. Use the recommended algorithm; otherwise, the security defense requirements may not be met.
For symmetric encryption, use AES with a key of 128 bits or more.
For asymmetric encryption, use RSA with a key of 2048 bits or more.
For hashing, use SHA-2 with a digest of 256 bits or more (SHA-256 or longer).
For message authentication (HMAC), use HMAC-SHA2.
DES, 3DES, RSA and AES are reversible (encryption) algorithms. If a protocol used for interconnection requires the device to present the original secret to the peer, the locally stored password must be reversible.
SHA1, SHA2, and MD5 are irreversible (hash) algorithms. An irreversible algorithm must be used for the administrator password, so that the stored value cannot be turned back into the password.
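The following Python script is an added example (not part of the lab guide or the device software) that makes the two statements above concrete: it encodes the size thresholds just listed as a small policy check, computes a SHA-256 digest and an HMAC-SHA256 tag, and stores an administrator password irreversibly. A plain SHA-256 of a password is irreversible but cheap to brute-force, so the example uses salted, iterated PBKDF2-HMAC-SHA256; the record format and iteration count are this example's own choices. The reversible case is not implemented, because it would need a cipher such as AES, which the Python standard library does not provide.

```python
"""Added example for section 1.5.1: recommended algorithm sizes, SHA-2 and HMAC-SHA2 in
practice, and irreversible storage of an administrator password.
Standard library only; the record format and PBKDF2 iteration count are assumptions."""
import hashlib
import hmac
import secrets
from typing import Optional

# Minimum sizes recommended in section 1.5.1, in bits. Algorithms not listed here
# (DES, 3DES, SHA1, MD5) are supported by the device but never recommended.
RECOMMENDED_MINIMUM_BITS = {
    "AES": 128,        # symmetric key length
    "RSA": 2048,       # asymmetric modulus length
    "SHA2": 256,       # digest length (SHA-256 or longer)
    "HMAC-SHA2": 256,  # digest length of the underlying SHA-2 function
}
PBKDF2_ITERATIONS = 200_000  # example value; raise it as the hardware allows


def is_recommended(algorithm: str, bits: int) -> bool:
    """True if the algorithm/size pair meets the section 1.5.1 recommendation."""
    minimum = RECOMMENDED_MINIMUM_BITS.get(algorithm.upper())
    return minimum is not None and bits >= minimum


def sha256_hex(data: bytes) -> str:
    """SHA-2 family digest with a 256-bit output, as the declaration recommends."""
    return hashlib.sha256(data).hexdigest()


def hmac_sha256_hex(key: bytes, message: bytes) -> str:
    """HMAC-SHA2: keyed integrity tag, the construction recommended for MACs."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def hash_admin_password(password: str, salt: Optional[bytes] = None) -> str:
    """Irreversible storage for an administrator password.
    Salted, iterated PBKDF2-HMAC-SHA256 so that equal passwords give different records
    and brute force is slowed down. Record format (this example's own assumption):
    pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_admin_password(password: str, record: str) -> bool:
    """Check a login attempt against a stored record; digests are compared in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    for alg, bits in [("AES", 128), ("AES", 64), ("RSA", 1024), ("DES", 56), ("SHA2", 256)]:
        print(f"{alg}-{bits}: {'recommended' if is_recommended(alg, bits) else 'not recommended'}")
    record = hash_admin_password("Admin@123")   # lab password, stored irreversibly
    print(record)
    print("correct password accepted:", verify_admin_password("Admin@123", record))
    print("wrong password rejected:", not verify_admin_password("admin@123", record))
```

verify_admin_password uses hmac.compare_digest rather than `==` so that a wrong guess does not leak, through timing, how many leading bytes of the digest matched.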
1.5.2 Feature Usage Declaration
The device can transfer files through FTP, TFTP, SFTPv1, SFTPv2, and FTPS. Using FTP, TFTP or
2 How to Login Firewall
2.1 Login Through the Console Port
Lab Objectives
Through this task, you will know how to configure the terminal to access the device through the console port, thus implementing the configuration and management of the device.
Lab Devices
One PC and one NGFW firewall.
Lab Topology
[Topology: the management PC is connected to the console port of the USG with a serial cable.]
Step 4 Click OK. The Connect dialog box is displayed.
Step 5 From the Connect using drop-down list, select the serial interface (such as COM1) used for the connection between the PC and the NGFW, as shown in the figure below.
Step 7 Click OK or Restore Defaults.
2.2 Login Through Web Management Interface (Default Web-manager)
Lab Objectives
Through this task, you will know how to connect to the NGFW firewall through the default web management interface.
Lab Devices
One NGFW (USG6000) and one PC.
Lab Topology
[Topology: management PC 192.168.0.2/24 connected by Ethernet to G0/0/0 192.168.0.1/24 of the USG; the PC's COM 1 is connected to the console interface with an RS-232 cable.]
2.3 Remote Login Through Telnet
Lab Objectives
Through this task, you will know how to configure the terminal to access the device through Telnet, thus implementing the configuration and management of the device. Note that Telnet carries the login credentials and the whole session in cleartext; use it only in the lab, and prefer SSH (section 2.4) for management access in production.
Enable the Telnet server.
[USG] telnet server enable
Step 3 Set the IP address of the NGFW interface. For example, a local user connects to GigabitEthernet1/0/1 of the NGFW through Telnet. The IP address of the interface is 10.1.1.1; the subnet mask is 255.255.255.0.
a) Set the IP address, and permit management access through Telnet on the interface.
[USG] interface GigabitEthernet 1/0/1
[USG-GigabitEthernet1/0/1] ip address 10.1.1.1 24
[USG-GigabitEthernet1/0/1] service-manage enable
[USG-GigabitEthernet1/0/1] service-manage telnet permit
[USG-GigabitEthernet1/0/1] quit
b) Add the interface to the trust zone.
[USG] firewall zone trust
[USG-zone-trust] add interface GigabitEthernet1/0/1
[USG-zone-trust] quit
Step 4 Set the user information of the NGFW. For example, the authentication mode of the VTY (virtual type terminal) user interface is AAA; the Telnet user name is telnetuser; the password is password@123; the password is stored in cipher text and the user level is 3.
[USG] user-interface vty 0 4
Step 6 After passing the authentication configured on the NGFW, you enter the user view and are logged in to the device.
Configuration Procedure (WEB)
Step 1 Log in to the NGFW web GUI through GE0/0/0; see section 2.2 for details.
Step 2 Enable the Telnet service.
a) Choose System > Admin > Settings.
b) Select the Telnet service check box.
Thinking: Why should the Telnet management access function be configured? (Answer: to allow the administrator to manage the firewall through this interface by Telnet.)
Step 4 Configure the Telnet user (telnetuser/Admin@123).
The device login banner is displayed, for example:
***********************************************************
* Without the owner's prior written consent,
* no decompiling or reverse-engineering shall be allowed.
* Notice:
* This is a private communication system.
* Unauthorized access or use may lead to prosecution.
***********************************************************
2.4 Remote Login Through SSH
Lab Objectives
Through this task, you will know how to configure the terminal to access the device through SSH, thus implementing the configuration and management of the device.
Lab Devices
One PC and one NGFW firewall.
Lab Topology
[Topology: management PC 10.1.1.2/24 connected to G1/0/1 10.1.1.1/24 of the USG.]
[USG-GigabitEthernet1/0/1] quit
Step 4 Set the user information of the NGFW.
a) Configure the VTY user interface.
[USG] user-interface vty 0 4
[USG-ui-vty0-4] authentication-mode aaa
[USG-ui-vty0-4] quit
b) Create SSH user sshuser, and configure the authentication mode as password.
[USG] aaa
[USG-aaa] manager-user sshuser
[USG-aaa-manager-use-sshuser] service-type ssh
[USG-aaa-manager-use-sshuser] level 3
[USG-aaa-manager-use-sshuser] ssh authentication-type password
[USG-aaa-manager-use-sshuser] password
Enter Password:
Confirm Password:
[USG-aaa-manager-use-sshuser] ssh service-type telnet
[USG-aaa-manager-use-sshuser] quit
Step 5 Create the local RSA key pair used by the SSH server. When prompted for the key length, use 2048 bits or more, as recommended in section 1.5.1.
[USG] rsa local-key-pair create
Configuration Procedure (WEB)
Step 1 After the connection to the device is established, power on both devices, and ensure that the devices run normally.
Step 2 Configure the login interface.
Step 3 Configure the SSH user account (sshuser/Admin@123).
a) Choose System > Admin > Administrators, and click Add.
b) Set the user name to sshuser and the password to Admin@123, and add the STelnet service type.
Step 5 Configure the IP address of the PC as 10.1.1.2/24, then log in to the NGFW with the PuTTY client through SSH. On the first connection PuTTY shows a security alert with the NGFW's host key fingerprint; click Yes to accept it. Outside the lab, compare the fingerprint with the one shown on the device before accepting it, so that a man-in-the-middle cannot substitute its own key.
2.5 Login Through the Web
Lab Objectives
Through this task, you will know how to configure the terminal to access the device through the Web, thus implementing the configuration and management of the device.
Lab Devices
One PC and one NGFW firewall.
Lab Topology
[Topology: management PC 10.1.1.2/24 connected by an Ethernet cable to G1/0/1 10.1.1.1/24 of the USG.]
Configuration Procedure (CLI)
Confirm Password:
[USG-aaa-manager-use-webuser] level 3
[USG-aaa-manager-use-webuser] service-type web
[USG-aaa-manager-use-webuser] quit
Step 5 Check the configuration. Set the PC address to 10.1.1.2/24. Use the web browser on the PC to access http://10.1.1.1, enter the user name (webuser) and password (Admin@123), and check whether you can log in to the NGFW. If the login succeeds, the configuration is successful. If the login fails, check the configuration.
Configuration Procedure (WEB)
Step 1 After the connection to the device is established, power on both devices, and ensure that the devices run normally.
Step 2 Configure the login interface.
a) Choose Network > Interface, and select the interface you want to configure, for example, GE1/0/1.
b) Set the security zone and IP address, and permit management access through HTTPS.
b) Set the user name to webuser and the password to Admin@123, and add the WEB service type.
Step 5 Configure the IP address of the PC as 10.1.1.100/24. Enter https://10.1.1.1:2000 in the PC's browser to log in.
Result Verification
The browser shows a security alert because the NGFW's web certificate is not issued by a CA the browser trusts; click Yes to continue.
3 Firewall Basic Configuration
3.1 Firewall System Management
Lab Objectives
Configure the hostname, the system time, the SNMP server, the log server and the license, and back up and restore the configuration file.
[NGFW] sysname NGFW_A
[NGFW_A]
Step 4 Configure the system time.
<NGFW> clock datetime 0:0:0 2009/01/01
Step 5 Configure the SNMP server.
Set the SNMP version to v2c.
[NGFW] snmp-agent sys-info version v2c
Set the SNMP community names. (public and private are the well-known default community strings, and SNMPv1/v2c sends them in cleartext; in production, use unique strings and restrict access with an ACL, or use SNMPv3 with authentication and privacy.)
[NGFW] snmp-agent community read public
[NGFW] snmp-agent community write private
Configure the user information.
[NGFW] snmp-agent usm-user v3 test NMS1
Configure SNMP traps.
[NGFW] snmp-agent trap enable
[NGFW] snmp-agent target-host trap address udp-domain 192.168.1.2 params securityname swebUser v2c
Thinking: What is the function of an SNMP agent trap?
(Answer: The SNMP agent trap command makes the device send alerts to the SNMP server actively. Without SNMP traps, the SNMP server only sends query messages to the device and the device responds to the server
Configure file backup and restore. Enable the FTP server function, and configure the FTP account and FTP path.
<NGFW> system-view
[NGFW] ftp server enable
Info: Start FTP server
[NGFW] aaa
[NGFW-aaa] local-user ftpuser password cipher Ftppass#
[NGFW-aaa] local-user ftpuser service-type ftp
[NGFW-aaa] local-user ftpuser level 3
[NGFW-aaa] local-user ftpuser ftp-directory hda1:/
Configure the FTP ACL. (The lab rule permits any source; in production, limit it to the management hosts, and keep in mind that FTP sends the account password in cleartext.)
[NGFW] acl 2002
[NGFW-acl-basic-2002] rule permit source any logging
[NGFW-acl-basic-2002] quit
[NGFW] ftp acl 2002
Log in to the NGFW FTP server from the terminal PC. Back up the system configuration by running the get command to download the file to the terminal PC. The following takes a Windows OS as an example. On the PC, choose Start > Run. The Run
200 Port command okay.
150 Opening ASCII mode data connection for vrpcfg.cfg.
226 Transfer complete.
ftp: send 5203 byte, time 0.00Seconds 5203000.00Kbytes/sec.
Use the startup saved-configuration vrpcfg.cfg command to specify the next-startup configuration file.
<NGFW> startup saved-configuration vrpcfg.cfg
Step 1 After the connection to the device is established, power on both devices, and ensure that the devices run normally.
Step 2 Log in to the NGFW through the web GUI. For how to log in through the web, refer to section 2.2 or 2.5. (Omitted.)
Step 3 Configure the hostname of the NGFW. Log in to the NGFW through http://192.168.0.1; in the System Information area of the system panel, you can see the system information and change the system name.
You can set the time zone, date and system time manually, or select the configuration mode that uses an NTP server to synchronize the time.
Step 6 Configure the log server. Go to Log > Log Configuration > Information Center Configuration, and select the Enable check box of the information center switch.
Choose Log > Log Configuration > Syslog Configuration. In Configure Syslog, select the Log Host Source Interface parameter and choose GE0/0/0 as the log host source interface. Click Apply.
Go to System > Maintenance > License Management and check the license state.
Check the configuration file in use. For the next-startup configuration file, click Select; the Configuration File Management window is displayed. Click the download icon to download the configuration file to the local PC as a backup. One icon marks the configuration file that is in use, and the other marks configuration files that are not in use.
Click Browse, select the configuration file to be uploaded, and click Import to upload the configuration file.
4 Firewall Security Forwarding Policy
4.1 Configuring IP Address-Based Forwarding Policy
Lab Objectives
This section provides an example of controlling access based on IP addresses.
Lab Device
One NGFW and two PCs.
Lab Topology
[Topology: internal users 192.168.5.2/24, 192.168.5.3/24 and 192.168.5.4/24 in the Trust zone behind G1/0/3 192.168.5.1/24 of the USG; G1/0/1 1.1.1.1/24 in the Untrust zone faces the Internet server 1.1.1.2/24.]
Step 2 Configure the address set ip_deny, and add the denied IP addresses to the address set.
[NGFW] ip address-set ip_deny type object
[NGFW-object-address-set-ip_deny] address 192.168.5.2 mask 32
[NGFW-object-address-set-ip_deny] address 192.168.5.3 mask 32
[NGFW-object-address-set-ip_deny] address 192.168.5.4 mask 32
[NGFW-object-address-set-ip_deny] quit
Step 3 Create a forwarding policy preventing the selected IP addresses from accessing the Internet. Security policy rules are matched from top to bottom and the first match wins, so this deny rule must come before the permit rule of Step 4.
[NGFW] security-policy
[NGFW-policy-security] rule name policy_deny
[NGFW-policy-security-rule-policy_deny] source-zone trust
[NGFW-policy-security-rule-policy_deny] destination-zone untrust
[NGFW-policy-security-rule-policy_deny] source-address address-set ip_deny
[NGFW-policy-security-rule-policy_deny] action deny
[NGFW-policy-security-rule-policy_deny] quit
Step 4 Create a forwarding policy allowing the 192.168.5.0/24 network to access the Internet, and reference the Web filtering policy.
[NGFW-policy-security] rule name policy_permit
[NGFW-policy-security-rule-policy_permit] source-zone trust
[NGFW-policy-security-rule-policy_permit] destination-zone untrust
Configuration Procedure (WEB)
Step 2 Configure an address group named ip_deny, and add the IP addresses that are not permitted to access the Internet to the address group. Choose Object > Address > Address. In Address List, click Add to open the Add Address page. Configure a name and the IP information.
Step 5 Configure another security policy permitting users on network segment 192.168.5.0/24 to access the Internet, and reference the Web filtering policy in the forwarding policy. Choose Policy > Security Policy > Security Policy. Click the Security Policy tab. In Security Policy List, click Add.
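The following Python model is an added example, not the NGFW's code: it evaluates the two rules from Steps 3 and 4 with the first-match semantics the device applies to its security-policy list, and shows what happens if their order is swapped. It assumes the permit rule from Step 4 is completed as the step text describes (source-address 192.168.5.0/24, action permit); the Rule and evaluate names are this example's own.

```python
"""Added example for section 4.1: first-match evaluation of the lab's security policy.
The Rule class and evaluate() are a model written for this example, not device code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    source_zone: str
    destination_zone: str
    source_addresses: Optional[Tuple[str, ...]]  # CIDR strings; None means "any"
    action: str  # "permit" or "deny"

    def matches(self, src_zone: str, dst_zone: str, src_ip: str) -> bool:
        if (self.source_zone, self.destination_zone) != (src_zone, dst_zone):
            return False
        if self.source_addresses is None:
            return True
        ip = ip_address(src_ip)
        return any(ip in ip_network(cidr, strict=False) for cidr in self.source_addresses)


def evaluate(rules: List[Rule], src_zone: str, dst_zone: str, src_ip: str) -> Tuple[str, str]:
    """Walk the rule list top-down and return (action, rule_name) for the first match.
    Interzone traffic that matches no rule is dropped by the implicit default policy."""
    for rule in rules:
        if rule.matches(src_zone, dst_zone, src_ip):
            return rule.action, rule.name
    return "deny", "default"


# Address set ip_deny from Step 2, as /32 entries.
IP_DENY = ("192.168.5.2/32", "192.168.5.3/32", "192.168.5.4/32")

# The two rules from Steps 3 and 4, in the order the lab creates them. The permit rule's
# source address and action are assumed from the Step 4 text (the CLI listing is cut off).
LAB_RULES = [
    Rule("policy_deny", "trust", "untrust", IP_DENY, "deny"),
    Rule("policy_permit", "trust", "untrust", ("192.168.5.0/24",), "permit"),
]


def lab_results(rules: List[Rule] = LAB_RULES) -> Dict[str, Tuple[str, str]]:
    """Evaluate sample hosts (trust -> untrust) against a rule list, keyed by source IP."""
    hosts = ["192.168.5.2", "192.168.5.3", "192.168.5.10", "10.0.0.5"]
    return {h: evaluate(rules, "trust", "untrust", h) for h in hosts}


if __name__ == "__main__":
    for ip, (action, rule) in lab_results().items():
        print(f"{ip:>14} trust->untrust: {action:<6} ({rule})")
    # Reversing the order shows the dependency: the denied hosts now hit policy_permit first.
    swapped = list(reversed(LAB_RULES))
    print("192.168.5.2 with rules reversed:", evaluate(swapped, "trust", "untrust", "192.168.5.2"))
```

The same model also explains the default behaviour: a host outside 192.168.5.0/24, or any untrust-to-trust packet, matches neither rule and is dropped by the default policy.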
5 Network Address Translate Lab
5.1 Source NAT Lab
Lab Objectives
Through this task, you will learn the detailed configuration of source NAT.
Lab Device
One NGFW firewall and one PC.
Lab Topology
[NGFW-zone-untrust] add interface GigabitEthernet 1/0/1
[NGFW-zone-untrust] quit
Step 3 Configure interzone packet filtering to ensure normal network communication.
[NGFW] security-policy
[NGFW-policy-security] rule name source_nat
[NGFW-policy-security-rule-source_nat] source-address 192.168.1.0 24
[NGFW-policy-security-rule-source_nat] source-zone trust
[NGFW-policy-security-rule-source_nat] destination-zone untrust
[NGFW-policy-security-rule-source_nat] action permit
Step 4 Configure IP address pool 1; the address range is 2.2.2.2 to 2.2.2.5.
[NGFW] nat address-group 1
[NGFW-nat-address-group-1] section 2.2.2.2 2.2.2.5
Step 5 Configure the NAT outbound policy.
[NGFW] nat-policy
[NGFW-policy-nat] rule name source_nat
[NGFW-policy-nat-rule-source_nat] destination-address 2.2.2.10 24
[NGFW-policy-nat-rule-source_nat] source-address 192.168.1.0 24
[NGFW-policy-nat-rule-source_nat] source-zone trust
Configuration Procedure (WEB)
Step 4 Configure IP address pool 1; the address range is 2.2.2.2 to 2.2.2.5. Choose Policy > NAT
Result Verification
Ping 2.2.2.10 from the PC and check the session table on the NGFW (display firewall session table):
 icmp  VPN:public --> public 192.168.1.10:45346[2.2.2.5:45346]-->2.2.2.10:2048
 icmp  VPN:public --> public 192.168.1.10:45602[2.2.2.5:45602]-->2.2.2.10:2048
 icmp  VPN:public --> public 192.168.1.10:45858[2.2.2.5:45858]-->2.2.2.10:2048
 icmp  VPN:public --> public 192.168.1.10:46114[2.2.2.5:46114]-->2.2.2.10:2048
 icmp  VPN:public --> public 192.168.1.10:46370[2.2.2.5:46370]-->2.2.2.10:2048
From the result we can see that the source address 192.168.1.10 has been translated to 2.2.2.5, which is in the address pool (the translated address and port are shown in square brackets).
5.2 Source NAT & NAT Server Lab
Lab Objectives
Through this experiment, you will be able to configure the NAT server, and also learn how to configure bidirectional NAT.
Lab Device
One NGFW firewall, one PC and one server.
Lab Topology
[Topology: G1/0/0 and G1/0/1 of the USG; the FTP server 192.168.1.2 is in the DMZ zone and G1/0/1 is in the Untrust zone.]
[NGFW] firewall zone untrust
[NGFW-zone-untrust] add interface GigabitEthernet 1/0/1
[NGFW-zone-untrust] quit
Step 3 Configure interzone packet filtering to ensure normal network communication.
[NGFW] security-policy
[NGFW-policy-security] rule name bidectinal_nat
[NGFW-policy-security-rule-bidectinal_nat] source-zone untrust
[NGFW-policy-security-rule-bidectinal_nat] destination-zone dmz
[NGFW-policy-security-rule-bidectinal_nat] destination-address 192.168.1.2 32
[NGFW-policy-security-rule-bidectinal_nat] service ftp
[NGFW-policy-security-rule-bidectinal_nat] action permit
Step 4 Configure the NAT server. Create the mapping between the public IP addresses and the private IP addresses of the internal servers.
[NGFW] nat server ftpserver protocol tcp global 2.2.2.4 ftp inside 192.168.1.2 ftp
Step 5 Configure the NAT address pool.
[NGFW] nat address-group 2
[NGFW-nat-address-group-2] section 192.168.1.10 192.168.1.20
Step 6 (Optional. By default, 'detect ftp' has already been configured in the system view of the firewall.) Apply the NAT ALG function to the DMZ-Untrust interzone to ensure that the server provides FTP
Configuration Procedure (WEB)
Step 4 Configure the NAT server. Create the mapping between the public IP addresses and the private IP addresses of the internal servers. Choose Policy > NAT Policy > Server Mapping. In Server Mapping List, click Add. Click OK when you have finished the configuration, as shown in the figure.
Step 6 Create a NAT policy for the DMZ-Untrust interzone, define the range of source IP addresses for NAT, and bind the NAT policy to NAT address pool 1. Choose Policy > NAT Policy > Source NAT. Click the Source NAT tab. In Source NAT Policy List, click Add.
Result Verification
Check the NAT server mapping with display nat server:
 global-start-addr : 2.2.2.4
 global-end-addr   : ---
 inside-start-addr : 192.168.1.2
 inside-end-addr   : ---
 global-start-port : 21(ftp)
 global-end-port   : ---
 insideport        : 21(ftp)
 globalvpn         : public
 insidevpn         : public
 protocol          : tcp
 vrrp              : ---
 no-reverse        : no
 Total 1 NAT servers
6 Firewall Dual-system Hot Backup Lab
6.1 Firewall Dual-system Hot Backup Lab
Lab Objectives
Be familiar with how to configure firewall dual-system hot backup on both the CLI and the Web GUI. The NGFW is deployed on a service node serving as a security device. Both the upstream and downstream devices are switches. NGFW_A and NGFW_B work in active/standby mode and their service interfaces work at Layer 3.
Lab Device
<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ip address 10.2.0.1 255.255.255.0
[NGFW_A-GigabitEthernet1/0/1] quit
[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] ip address 10.3.0.1 255.255.255.0
[NGFW_A-GigabitEthernet1/0/3] quit
[NGFW_A] firewall zone trust
[NGFW_A-zone-trust] add interface GigabitEthernet 1/0/3
[NGFW_A-zone-trust] quit
[NGFW_A] firewall zone untrust
[NGFW_A-zone-untrust] add interface GigabitEthernet 1/0/1
[NGFW_A-zone-untrust] quit
Create VRRP backup group 1 on interface GigabitEthernet 1/0/1, and add it to the VGMP management group whose status is Active.
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 active
[NGFW_A-GigabitEthernet1/0/1] quit
Create VRRP backup group 2 on interface GigabitEthernet 1/0/3, and add it to the VGMP management group whose status is Active.
HRP_A[NGFW_A-policy-security-rule-policy_sec] source-zone trust
HRP_A[NGFW_A-policy-security-rule-policy_sec] destination-zone untrust
HRP_A[NGFW_A-policy-security-rule-policy_sec] action permit
HRP_A[NGFW_A-policy-security-rule-policy_sec] quit
HRP_A[NGFW_A-policy-security] rule name local_trust
HRP_A[NGFW_A-policy-security-rule-local_trust] source-zone trust local
HRP_A[NGFW_A-policy-security-rule-local_trust] destination-zone trust local
HRP_A[NGFW_A-policy-security-rule-local_trust] action permit
HRP_A[NGFW_A-policy-security-rule-local_trust] quit
Step 4 Enable the HRP backup function.
[NGFW_A] hrp enable
Step 5 Configure NGFW_B. The configurations on NGFW_B are the same as those on NGFW_A except that:
The IP addresses of the interfaces on NGFW_B are different from those of the interfaces on NGFW_A.
Add service interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/3 of NGFW_B to the VGMP management group whose status is Standby.
Step 6 Configure the switches.
Configuration Procedure (WEB)
Step 2 Configure a forwarding policy for NGFW_A. Forwarding policy for the Trust zone to access the Untrust zone: choose Policy > Security Policy > Security Policy; in Security Policy List, click Add; configure security policy policy_sec and set the parameters as follows:
Step 3 Configure VRRP backup group 1 and backup group 2 of NGFW_A. Choose System > High Availability > Dual-System Hot Backup, click Edit, select the Enable check box and set the parameters as follows:
Result Verification
Check the VRRP groups on NGFW_A (display vrrp):
GigabitEthernet1/0/1 | Virtual Router 1
 VRRP Group : Active
 state : Active
 Virtual IP : 1.1.1.1
 Virtual MAC : 0000-5e00-0101
 Primary IP : 10.2.0.1
 PriorityRun : 120
 PriorityConfig : 100
 ActivePriority : 120
 Preempt : YES
 Delay Time : 0
 Advertisement Timer : 1
 Auth Type : NONE
 Check TTL : YES
GigabitEthernet1/0/3 | Virtual Router 2
 VRRP Group : Active
 state : Active
 Virtual IP : 10.3.0.3
 Virtual MAC : 0000-5e00-0102
 Primary IP : 10.3.0.1
The virtual IP address of VRRP group 2 can be pinged from PC1 after the VRRP groups are configured correctly. PC2 is the server in the Untrust zone. PC1 in the Trust zone can ping the server in the Untrust zone. Check the session information on NGFW_A and NGFW_B:
HRP_A<NGFW_A> display firewall session table
Current Total Sessions : 1
 icmp  VPN:public --> public 10.3.0.100:1-->1.1.1.2:2048
HRP_S<NGFW_B> display firewall session table
Current Total Sessions : 1
 icmp  VPN:public --> public Remote 10.3.0.100:1-->1.1.1.2:2048
As shown above, a session tagged Remote is created on NGFW_B, indicating that the session was synchronized successfully after dual-system hot backup was configured. Run 'ping 1.1.1.2 -t' on PC1, unplug the network cable from GE1/0/1 on NGFW_A, and check the firewall status and the packet loss.
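Below is an added Python example, not part of the lab guide, that automates the two session-table checks in this guide: for lab 5.1 it confirms that each session's translated source address (the value in square brackets) lies inside NAT address pool 1, 2.2.2.2 to 2.2.2.5; for lab 6.1 it confirms that every session on the active NGFW also appears on the standby tagged Remote. The session lines embedded in the script are constructed to match the output shown in the labs, and the regular expression, the Session record and the function names are assumptions of this example.

```python
"""Added example for labs 5.1 and 6.1: parse 'display firewall session table' output and
verify source NAT translation and HRP session synchronization. Everything here is this
example's own code; the sample tables are constructed, not captured from a device."""
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Set, Tuple

# One session line (assumed layout, matching the lab output):
#   <proto> VPN:<vpn> --> <vpn> [Remote] <src>:<sport>[<nat_src>:<nat_port>]--><dst>:<dport>
SESSION_RE = re.compile(
    r"^\s*(?P<proto>\w+)\s+VPN:(?P<svpn>\S+)\s*-->\s*(?P<dvpn>\S+)\s+"
    r"(?:(?P<remote>Remote)\s+)?"
    r"(?P<src>[\d.]+):(?P<sport>\d+)"
    r"(?:\[(?P<nsrc>[\d.]+):(?P<nport>\d+)\])?"
    r"-->(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

SessionKey = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Session:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nat_src: Optional[str]     # translated source address when the line carries [addr:port]
    nat_sport: Optional[int]
    remote: bool               # True when the standby lists the session as synchronized

    def key(self) -> SessionKey:
        return (self.proto, self.src, self.sport, self.dst, self.dport)


def parse_session_table(text: str) -> List[Session]:
    """Return the sessions in a session-table dump; header lines such as
    'Current Total Sessions : 1' do not match the pattern and are skipped."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m is None:
            continue
        sessions.append(Session(
            proto=m["proto"], src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]),
            nat_src=m["nsrc"], nat_sport=int(m["nport"]) if m["nport"] else None,
            remote=m["remote"] is not None,
        ))
    return sessions


def untranslated_sessions(sessions: List[Session], pool_start: str, pool_end: str) -> List[Session]:
    """Lab 5.1 check: sessions whose source was not rewritten into the NAT address pool."""
    lo, hi = ip_address(pool_start), ip_address(pool_end)
    return [s for s in sessions if s.nat_src is None or not (lo <= ip_address(s.nat_src) <= hi)]


def unsynchronized_sessions(active_text: str, standby_text: str) -> Set[SessionKey]:
    """Lab 6.1 check: session keys on the active NGFW that the standby does not list as Remote."""
    active = {s.key() for s in parse_session_table(active_text)}
    synced = {s.key() for s in parse_session_table(standby_text) if s.remote}
    return active - synced


# Constructed samples shaped like the lab output.
NAT_TABLE = """Current Total Sessions : 2
 icmp  VPN:public --> public 192.168.1.10:45346[2.2.2.5:45346]-->2.2.2.10:2048
 icmp  VPN:public --> public 192.168.1.10:45602[2.2.2.5:45602]-->2.2.2.10:2048
"""
HRP_ACTIVE = """Current Total Sessions : 1
 icmp  VPN:public --> public 10.3.0.100:1-->1.1.1.2:2048
"""
HRP_STANDBY = """Current Total Sessions : 1
 icmp  VPN:public --> public Remote 10.3.0.100:1-->1.1.1.2:2048
"""

if __name__ == "__main__":
    nat_sessions = parse_session_table(NAT_TABLE)
    print("sessions parsed:", len(nat_sessions))
    print("not translated into 2.2.2.2-2.2.2.5:", untranslated_sessions(nat_sessions, "2.2.2.2", "2.2.2.5"))
    print("missing on standby:", unsynchronized_sessions(HRP_ACTIVE, HRP_STANDBY))
```

Feeding the standby's own table as both arguments to unsynchronized_sessions reports every session as missing, because the standby's entries are tagged Remote while an active device's entries are not; that is the failure signature to look for when HRP has not synchronized.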
7 Firewall User Management Lab
7.1 Internet Access User Authentication Lab (Authentication Exemption and Local Password Authentication)
Lab Objectives
This section describes how to exempt intranet users from authentication and how to use local password authentication for Internet access users.
Lab Device
Step 3 Create the authentication exemption user group. Choose Object > User > Group/User. In Organizational Structure, select Default. Click Add in Member Management and select Create Group; create a group named "auth_exemption".
Step 4 Create a user authentication policy named Guest specifically for the subnet 192.168.0.0/24. Choose Policy > Authentication Policy, click Add, enter or select the parameters, and click OK.
In Organizational Structure, select Normal. In Member Management, click Add and choose Create User; create a new user user01/Admin@123.
Step 6 Create a user authentication policy named Normal specifically for the subnet 192.168.1.0/24.
Step 8 Add a new forwarding policy for the local password authentication user. The source zone is trust, the destination zone is untrust, the user is normal and the action is permit.
Step 9 Configure the redirection web page after successful authentication. Choose Object > User > Authentication Item. Click the Global Configuration tab. Configure Redirect to the latest web page.
8 VPN Lab
8.1 L2TP VPN Lab
Client-Initialized VPN
Lab Objectives
Through this task, you will learn how to configure a client-initialized L2TP VPN.
Lab Device
One USG6000 firewall and two PCs.
Lab Topology
(Figure: the LAC client, 192.168.2.2/24, builds an L2TP VPN tunnel to the LNS. LNS GE1/0/1, 192.168.2.1/24, faces the client; LNS GE1/0/0, 192.168.1.1/24, faces the internal network, where the second PC is 192.168.1.2/24.)
Step 3
Enable L2TP.
[LNS] l2tp enable
Step 4
Create and configure an L2TP group.
[LNS] l2tp-group 1
[LNS-l2tp1] tunnel name LNS
[LNS-l2tp1] allow l2tp virtual-template 1 remote client1
[LNS-l2tp1] tunnel authentication
[LNS-l2tp1] tunnel password cipher Huawei@123
Step 5
Create the VPDN user and define the address pool from which the LAC client is assigned an IP address. The user name and password must be the same as those configured on the LAC client.
[LNS] user-manage user vpdnuser
[LNS-localuser-vpdnuser] password Admin@123
[LNS-localuser-vpdnuser] parent-group /default
[LNS-localuser-vpdnuser] quit
[LNS] aaa
[LNS-aaa] domain default
[LNS-aaa-domain-default] ip pool 1 192.168.0.2 192.168.0.100
[LNS-aaa-domain-default] quit
Step 6
Configure the virtual template interface and allocate an IP address to the peer from the address pool.
[LNS] interface virtual-template 1
Step 7
Configure the security policies.
[LNS] security-policy
[LNS-policy-security] rule name untrust_trust
[LNS-policy-security-rule-untrust_trust] source-zone untrust
[LNS-policy-security-rule-untrust_trust] destination-zone trust
[LNS-policy-security-rule-untrust_trust] destination-address 192.168.1.0 24
[LNS-policy-security-rule-untrust_trust] quit
[LNS-policy-security] rule name local_untrust
[LNS-policy-security-rule-local_untrust] source-zone local
[LNS-policy-security-rule-local_untrust] destination-zone untrust
[LNS-policy-security-rule-local_untrust] source-address 192.168.2.1 24
[LNS-policy-security-rule-local_untrust] quit
[LNS-policy-security] rule name untrust_local
[LNS-policy-security-rule-untrust_local] source-zone untrust
[LNS-policy-security-rule-untrust_local] destination-zone local
[LNS-policy-security-rule-untrust_local] destination-address 192.168.2.1 24
[LNS-policy-security-rule-untrust_local] quit
Step 8
Configure the LAC client side. The LAC client must have L2TP client software installed and must be connected to the Internet in dial-up mode. The Secoway VPN Client is used as the example. Create a new connection with the New Connection Wizard: choose Create a new connection by inputting parameters, then click Next.
Step 10
Enter the tunnel name (client1) and the authentication mode (CHAP). Select Enable Tunnel Authentication and enter the tunnel authentication password (Huawei@123). These values must match the remote name in "allow l2tp virtual-template 1 remote client1" and the "tunnel password" configured on the LNS, otherwise tunnel authentication fails. Click Next to finish creating the L2TP connection.
Configuration Procedure (WEB)
Step 1
Configure the LNS side. Set the IP address of the interface: choose Network > Interface > Interface. In Interface List, click the edit button of GE1/0/1 and configure the interface. Click Apply when the configuration is complete, as shown in the figure below.
Step 5
Configure the other L2TP parameters. Tunnel Name on Peer must be the same as Tunnel Name on Local configured on the LAC client. In this example the peer tunnel name is client1 and the tunnel password is Password123; whatever values you use, they must match the client's settings (the CLI procedure above uses Huawei@123).
8.2 GRE VPN Lab
Lab Objectives
Upon completion of this experiment, you will be able to configure a GRE VPN.
Lab Device
Two USG6000 firewalls and two PCs.
Lab Topology
(Figure: PC A sits behind NGFW_A G1/0/0, 192.168.0.1/24. NGFW_A G1/0/1, 192.13.2.1/24, and NGFW_B G1/0/1, 192.13.2.2/24, are the GRE tunnel endpoints; Tunnel 0 is 10.1.2.1/24 on NGFW_A and 10.1.3.1/24 on NGFW_B. The second PC sits behind NGFW_B G1/0/0, 192.168.1.1/24.)
Step 3
Add the interfaces to security zones and configure the interzone packet filtering policy.
Configure NGFW_A
[NGFW_A] firewall zone trust
[NGFW_A-zone-trust] add interface GigabitEthernet 1/0/0
[NGFW_A-zone-trust] quit
[NGFW_A] firewall zone untrust
[NGFW_A-zone-untrust] add interface GigabitEthernet 1/0/1
[NGFW_A-zone-untrust] quit
[NGFW_A] security-policy
[NGFW_A-policy-security] rule name policy_sec
[NGFW_A-policy-security-rule-policy_sec] source-zone trust untrust local
[NGFW_A-policy-security-rule-policy_sec] destination-zone trust untrust local
[NGFW_A-policy-security-rule-policy_sec] action permit
[NGFW_A-policy-security-rule-policy_sec] quit
policy_sec permits all traffic among the Trust, Untrust and Local zones. That is convenient in the lab, but outside it the rule should be narrowed to the GRE traffic between the tunnel endpoints (192.13.2.1 and 192.13.2.2, to and from the Local zone) and to the private subnets that are allowed to cross the tunnel. Also keep in mind that GRE only encapsulates: it neither encrypts nor authenticates the tunneled packets.
Configure NGFW_B
[NGFW_B] firewall zone trust
[NGFW_B-zone-trust] add interface GigabitEthernet 1/0/0
[NGFW_B-zone-trust] quit
[NGFW_B] firewall zone untrust
[NGFW_B-zone-untrust] add interface GigabitEthernet 1/0/1
[NGFW_B-zone-untrust] quit
Step 4
Configure the tunnel interface and add it to the Untrust zone.
Configure NGFW_B
[NGFW_B] interface Tunnel 0
[NGFW_B-Tunnel0] tunnel-protocol gre
[NGFW_B-Tunnel0] ip address 10.1.3.1 24
[NGFW_B-Tunnel0] source 192.13.2.2
[NGFW_B-Tunnel0] destination 192.13.2.1
[NGFW_B-Tunnel0] quit
[NGFW_B] firewall zone untrust
[NGFW_B-zone-untrust] add interface Tunnel 0
[NGFW_B-zone-untrust] quit
Step 5
Configure the static routes.
Configure NGFW_A
[NGFW_A] ip route-static 192.168.1.0 24 Tunnel 0
Configure NGFW_B
[NGFW_B] ip route-static 192.168.0.0 24 Tunnel 0
Both routes name the outgoing interface (Tunnel 0) rather than a next-hop address. That is why the two tunnel interfaces can sit in different subnets (10.1.2.1/24 on NGFW_A, 10.1.3.1/24 on NGFW_B) and the tunnel still forwards; if you route via a next-hop address instead, the tunnel interfaces must share a subnet.
Configuration Procedure (WEB)
Step 1
Configure the IP addresses of the PCs. (omitted)
Step 2
Configure the IP addresses of the firewall interfaces. Choose Network > Interface. In Interface List, click the edit button of each interface.
Configure NGFW_A
Configure NGFW_B
The configuration on NGFW_B is the same as on NGFW_A, with the addresses from the topology.
Step 4
Configure the tunnel interface and add it to the Untrust zone. Choose Network > GRE > GRE. In GRE Interface List, click Add and configure the GRE interface parameters as shown in the figures below.
Configure NGFW_A
Configure NGFW_B
9 IPSec VPN Lab
9.1 Configuring a Point-to-Point IPSec Tunnel
Lab Objectives
Through this task, you will learn how to configure a point-to-point IPSec tunnel where the peer has a fixed public IP address.
Lab Device
Two USG6000 firewalls and two PCs.
Lab Topology
(Figure: NGFW_A G1/0/1, 1.1.3.1/24, and NGFW_B G1/0/1, 1.1.3.2/24, face each other across the public network. The protected subnets used in the ACL and policies below are 10.1.1.0/24 behind NGFW_A and 10.1.2.0/24 behind NGFW_B.)
[NGFW_A-policy-security-rule-policy_sec1] action permit
[NGFW_A-policy-security-rule-policy_sec1] quit
[NGFW_A-policy-security] rule name policy_sec2
[NGFW_A-policy-security-rule-policy_sec2] source-zone local untrust
[NGFW_A-policy-security-rule-policy_sec2] destination-zone local untrust
[NGFW_A-policy-security-rule-policy_sec2] source-address 1.1.3.0 24
[NGFW_A-policy-security-rule-policy_sec2] destination-address 1.1.3.0 24
[NGFW_A-policy-security-rule-policy_sec2] action permit
[NGFW_A-policy-security-rule-policy_sec2] quit
Step 3
Configure an ACL on NGFW_A to define the data flow to be protected.
[NGFW_A] acl 3000
[NGFW_A-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[NGFW_A-acl-adv-3000] quit
Step 4
Configure a static route from NGFW_A to the peer subnet.
[NGFW_A] ip route-static 10.1.2.0 255.255.255.0 1.1.3.2
Step 5
Create an IPSec proposal on NGFW_A (the default parameters are used).
[NGFW_A] ipsec proposal tran1
[NGFW_A-ipsec-proposal-tran1] quit
When relying on defaults, verify the algorithms actually selected with display ipsec proposal and replace DES/3DES or MD5 if they appear; the proposal must also match the one on NGFW_B.
Apply the IPSec policy to the interface on NGFW_A.
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ipsec policy map1
Configure NGFW_B
Step 10
Basic configurations, including the IP addresses of the PC and the NGFW interfaces. (omitted)
Step 11
Configure the interzone packet filtering policy between the Trust zone and the Untrust zone.
[NGFW_B] security-policy
[NGFW_B-policy-security] rule name policy_sec1
[NGFW_B-policy-security-rule-policy_sec1] source-zone trust untrust
[NGFW_B-policy-security-rule-policy_sec1] destination-zone trust untrust
[NGFW_B-policy-security-rule-policy_sec1] source-address 10.1.1.0 24
[NGFW_B-policy-security-rule-policy_sec1] source-address 10.1.2.0 24
[NGFW_B-policy-security-rule-policy_sec1] destination-address 10.1.1.0 24
[NGFW_B-policy-security-rule-policy_sec1] destination-address 10.1.2.0 24
[NGFW_B-policy-security-rule-policy_sec1] action permit
[NGFW_B-policy-security-rule-policy_sec1] quit
[NGFW_B-policy-security] rule name policy_sec2
[NGFW_B-policy-security-rule-policy_sec2] source-zone local untrust
[NGFW_B-policy-security-rule-policy_sec2] destination-zone local untrust
[NGFW_B-policy-security-rule-policy_sec2] source-address 1.1.3.0 24
Step 16
Configure the IKE peer.
[NGFW_B] ike peer a
[NGFW_B-ike-peer-a] ike-proposal 10
[NGFW_B-ike-peer-a] remote-address 1.1.3.1
[NGFW_B-ike-peer-a] pre-shared-key huawei
[NGFW_B-ike-peer-a] quit
The pre-shared key must be identical on both peers. "huawei" is a lab value only; use a long random key in production, since the PSK is the only thing that authenticates the peers here.
Step 17
Create the IPSec policy on NGFW_B. ACL 3000 on NGFW_B (its definition is not reproduced in this excerpt) must be the mirror image of the ACL on NGFW_A, i.e. source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255, otherwise the two ends will not agree on the protected flow.
[NGFW_B] ipsec policy map1 10 isakmp
[NGFW_B-ipsec-policy-isakmp-map1-10] security acl 3000
[NGFW_B-ipsec-policy-isakmp-map1-10] proposal tran1
[NGFW_B-ipsec-policy-isakmp-map1-10] ike-peer a
[NGFW_B-ipsec-policy-isakmp-map1-10] quit
Step 18
Apply the IPSec policy to the interface on NGFW_B.
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ipsec policy map1
Configuration Procedure (WEB)
Configure NGFW_A
Step 19
Basic configurations, including the IP addresses of the PC and the NGFW interfaces. (omitted)
Step 22
Configure the IPSec tunnel. Choose Network > IPSec > IPSec, click Add, and choose the Site-to-site scenario.
Run display ike sa on NGFW_A and NGFW_B to view the established SAs. For example, on NGFW_B the following output indicates that the IKE SA and the IPSec SA have been established successfully.

display ike sa
 current ike sa number: 2
 -------------------------------------------------------------
 conn-id    peer        flag    phase    vpn
 -------------------------------------------------------------
 101        1.1.3.1     RD      v2:2     public
 100        1.1.3.1     RD      v2:1     public

 flag meaning
 RD--READY   ST--STAYALIVE   TO--TIMEOUT   TD--DELETING   RL--REPLACED
 NEG--NEGOTIATING   FD--FADING   D--DPD

Phase v2:1 is the IKEv2 IKE SA and phase v2:2 is the IPSec (child) SA; both must show the flag RD. An entry that stays in NEG usually points to a proposal or pre-shared-key mismatch, and TO means the peer is not answering.
In the web GUI, check the security association (SA) on NGFW_A and NGFW_B by choosing Network > IPSec > Monitor. For example, on NGFW_A, if the tunnel is listed there the IPSec tunnel has been established successfully.
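The SA check can be automated when many tunnels have to be verified. The following Python is an added example and not part of the Huawei lab guide: it parses the display ike sa table shown above into rows and classifies the tunnel to a given peer. The first sample is the guide's output (the <NGFW_B> prompt is assumed); the second is a constructed failure case in which the IKE SA is still negotiating.

```python
"""Parse 'display ike sa' output and decide whether an IPSec tunnel is up.

Added example, not from the lab guide. Sample outputs are constructed
from the table the guide shows plus one constructed failure case.
"""
import re

# Data rows look like:   101   1.1.3.1   RD   v2:2   public
# The flag column may combine flags, e.g. RD|ST.
ROW_RE = re.compile(
    r"^\s*(?P<conn_id>\d+)\s+(?P<peer>\S+)\s+(?P<flag>[A-Z|]+)\s+"
    r"(?P<phase>v[12]:[12])\s+(?P<vpn>\S+)\s*$"
)


def parse_ike_sa(text):
    """Return one dict per SA row: conn_id, peer, flags (set), version, phase, vpn."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m is None:
            continue  # prompt, header, separators, flag legend
        version, phase = m["phase"].split(":")
        entries.append({
            "conn_id": int(m["conn_id"]),
            "peer": m["peer"],
            "flags": set(m["flag"].split("|")),
            "version": version,      # 'v1' or 'v2'
            "phase": int(phase),     # 1 = IKE SA, 2 = IPSec (child) SA
            "vpn": m["vpn"],
        })
    return entries


def tunnel_state(entries, peer):
    """Classify the tunnel to `peer`.

    'up'          : phase 1 and phase 2 SAs both READY (RD)
    'negotiating' : some SA still carries NEG (proposal/PSK mismatch is typical)
    'timeout'     : some SA carries TO, the peer is not answering
    'ike-only'    : IKE SA ready but no ready IPSec SA (check ACL and proposal)
    'down'        : no SA for this peer at all
    """
    mine = [e for e in entries if e["peer"] == peer]
    if not mine:
        return "down"
    ready_phases = {e["phase"] for e in mine if "RD" in e["flags"]}
    if {1, 2} <= ready_phases:
        return "up"
    all_flags = set().union(*(e["flags"] for e in mine))
    if "NEG" in all_flags:
        return "negotiating"
    if "TO" in all_flags:
        return "timeout"
    if 1 in ready_phases:
        return "ike-only"
    return "down"


# Constructed samples in the guide's output format.
GOOD_OUTPUT = """\
<NGFW_B> display ike sa
 current ike sa number: 2
 -------------------------------------------------------------
 conn-id    peer        flag    phase    vpn
 -------------------------------------------------------------
 101        1.1.3.1     RD      v2:2     public
 100        1.1.3.1     RD      v2:1     public

 flag meaning
 RD--READY   ST--STAYALIVE   TO--TIMEOUT   TD--DELETING   RL--REPLACED
 NEG--NEGOTIATING   FD--FADING   D--DPD
"""
NEG_OUTPUT = """\
<NGFW_B> display ike sa
 current ike sa number: 1
 -------------------------------------------------------------
 conn-id    peer        flag    phase    vpn
 -------------------------------------------------------------
 102        1.1.3.1     NEG     v2:1     public
"""

if __name__ == "__main__":
    for name, capture in (("good", GOOD_OUTPUT), ("negotiating", NEG_OUTPUT)):
        print(name, tunnel_state(parse_ike_sa(capture), "1.1.3.1"))
```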
10 SSL VPN Lab
10.1 Web Proxy/File Sharing/Port Forwarding/Network Extension
Lab Objectives
Through this task, you will learn how to configure the following SSL VPN functions:
Web Proxy
Configure user objects and authentication. Create a user group object and a user object for a top executive. Choose Object > User > User/Group. Click default and set the following parameters.
Create a user group. Set the following parameters. Click OK.
Create a user group object and a user object for an employee. Choose Object > User > User/Group. Select default. In Member Management, click Add, select Create Group, and set the following parameters. Click OK.
Configure an authentication domain. Choose Object > User > Authentication Domain. Click default and set the following parameters. Click OK.
Click Next.
Step 4
Select the services to be enabled: Web Proxy, Network Extension, File Sharing and Port Forwarding.
Add the web proxy resource Webmail as follows:
Repeat the preceding steps to add the web proxy resource ERP as follows:
Click OK. Click Next.
Step 7
Configure the network extension function. Set the range of IP addresses available to the network extension function as follows:
Click OK. Click Next.
Step 8
Enable the file sharing function and add file sharing resources. In the Configure File Sharing area, set the parameters described in the following table. Click Next.
Step 9
In Port Forwarding Resource List, click Add. Set the following parameters for a port forwarding resource named SQL. Click Next.
Step 10
Configure SSL VPN role authorization and users. Under User/User Group List, click Add and add all users that use the SSL VPN service to the user list; user_0001 is used as the example. Click OK. Click Finish.
Under List of Authorized Roles, click Add. Add the director user group to a role and associate the corresponding permissions. Click OK.
Step 11
Configure security policies that allow users to use the SSL VPN services. Choose Policy > Security Policy > Security Policy. Click Add. Configure security policy policy_sslvpn_1 and set the parameters as follows:
Click OK. Repeat the preceding steps to configure security policy policy_sslvpn_2 as follows:
Configuration Verification
3. After logging in to the SSL VPN gateway with the top executive account user_0001, you can use Web Proxy, File Sharing, Port Forwarding and Network Extension.
5. File Sharing: click Study and enter the user name and password. user_0001 can then view and download the enterprise's internal files.
6. Port Forwarding: click Start. user_0001 can then use SQL database software to import business information.
11 UTM Lab
11.1 Virus Database or IPS Signature Database Update
Lab Objectives
Get familiar with updating the AV database and the IPS signature database through scheduled online update:
1. Update the AV database and the IPS signature database from the security service center at a scheduled time;
2. Configure the IPS scheduled online update function; the update time is 02:00 a.m.;
3. Configure the AV database scheduled online update function; the update time is 01:00 a.m.
Lab Device
(Figure: one NGFW whose IPS signature database and virus database need to be updated. Its interface is in the security zone Trust, the next-hop IP address is 192.168.17.254, and the firewall can reach the Internet.)
Configuration Procedure (WEB)
Step 1
Configure the security service center. Choose System > Upgrade Center. Click Server IP Address to configure the upgrade center information.
Result Verification
1. Run the display update configuration command to check the update configuration.
display update configuration
 11:49:24  2015/05/06
 Application Confirmation  : Disable
 Schedule Update           : Enable
 Schedule Update Frequency : Daily
 Schedule Update Time      : 02:00
 ------------------------------------------------------------
2. Run display version ips-sdb and display version av-sdb to check the versions of the updated signature database and virus database. If the installed version meets the requirements, the update succeeded.
display version ips-sdb
 14:02:35  2015/05/06
 IPS SDB Update Information List:
 ---------------------------------------------------------------
 Current Version:
 Signature Database Version    : 2014082604
 Signature Database Size(byte) : 1849702
 Update Time                   : 13:44:29 2015/03/31
 Issue Time of the Update File : 15:15:43 2014/08/26
 Backup Version:
 Signature Database Version    :
 Signature Database Size(byte) : 0
 Update Time                   : 00:00:00 0000/00/00
 Issue Time of the Update File : 00:00:00 0000/00/00
 ---------------------------------------------------------------
display version av-sdb
 14:03:42  2015/05/06
 AV SDB Update Information List:
 ---------------------------------------------------------------
 Current Version:
 Signature Database Version    : 2014091500
 Signature Database Size(byte) : 115294666
 Update Time                   : 13:44:29 2015/03/31
 Issue Time of the Update File : 01:50:47 2014/09/15
 Backup Version:
 Signature Database Version    :
 Signature Database Size(byte) : 0
 Update Time                   : 00:00:00 0000/00/00
 Issue Time of the Update File : 00:00:00 0000/00/00
 ---------------------------------------------------------------
"Meets the requirements" means the version is current, not merely that an update ran: compare Issue Time of the Update File with the latest version published by the security service center. In the output above the databases were issued in August and September 2014 and installed on 2015/03/31, and the command was run on 2015/05/06, so these signatures are many months old; a Backup Version with an empty version string also means there is nothing to roll back to if a new database misbehaves.
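The freshness check can be scripted so that it fails in a monitoring job instead of relying on someone reading the dates. The following Python is an added example, not part of the Huawei lab guide: it parses the display version ips-sdb / av-sdb output above (the <NGFW> prompt is assumed; the sample texts are constructed from the guide's values), computes the age of the installed database relative to the time the command ran, and flags a stale database or a missing backup version.

```python
"""Check signature/virus database freshness from 'display version ips-sdb'
or 'display version av-sdb' output.

Added example, not from the lab guide. Sample outputs are constructed
from the values shown in the guide.
"""
import re
from datetime import datetime

TIMESTAMP_RE = re.compile(r"(\d{2}:\d{2}:\d{2})\s+(\d{4}/\d{2}/\d{2})")


def _parse_time(value):
    """'13:44:29 2015/03/31' -> datetime; the all-zero placeholder -> None."""
    m = TIMESTAMP_RE.search(value)
    if m is None or m.group(2) == "0000/00/00":
        return None
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%H:%M:%S %Y/%m/%d")


def parse_sdb_version(text):
    """Return {'checked_at': datetime, 'current': {...}, 'backup': {...}}.

    Each version dict has 'version', 'size', 'update_time', 'issue_time';
    empty or all-zero fields (as in an unused backup slot) become None / 0.
    """
    checked_at = None
    sections = {}
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        # The first line that is only a timestamp is the time the command ran.
        if checked_at is None and TIMESTAMP_RE.fullmatch(stripped):
            checked_at = _parse_time(stripped)
            continue
        if stripped in ("Current Version:", "Backup Version:"):
            section = stripped.split()[0].lower()   # 'current' or 'backup'
            sections[section] = {}
            continue
        if section is None or ":" not in stripped:
            continue  # title, prompt, separator lines
        key, _, value = stripped.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Signature Database Version":
            sections[section]["version"] = value or None
        elif key.startswith("Signature Database Size"):
            sections[section]["size"] = int(value) if value else 0
        elif key == "Update Time":
            sections[section]["update_time"] = _parse_time(value)
        elif key.startswith("Issue Time"):
            sections[section]["issue_time"] = _parse_time(value)
    return {"checked_at": checked_at,
            "current": sections.get("current", {}),
            "backup": sections.get("backup", {})}


def assess(text, max_age_days=30):
    """Summarize freshness: version, age in days since the file was issued,
    whether it exceeds max_age_days, and whether no backup version exists."""
    info = parse_sdb_version(text)
    cur = info["current"]
    issued = cur.get("issue_time")
    age_days = None
    if issued is not None and info["checked_at"] is not None:
        age_days = (info["checked_at"] - issued).days
    return {
        "version": cur.get("version"),
        "age_days": age_days,
        "stale": age_days is None or age_days > max_age_days,
        "no_backup": not info["backup"].get("version"),
    }


# Constructed samples built from the values shown in the lab guide.
IPS_OUTPUT = """\
<NGFW> display version ips-sdb
 14:02:35  2015/05/06
 IPS SDB Update Information List:
 ---------------------------------------------------------------
 Current Version:
 Signature Database Version    : 2014082604
 Signature Database Size(byte) : 1849702
 Update Time                   : 13:44:29 2015/03/31
 Issue Time of the Update File : 15:15:43 2014/08/26
 Backup Version:
 Signature Database Version    :
 Signature Database Size(byte) : 0
 Update Time                   : 00:00:00 0000/00/00
 Issue Time of the Update File : 00:00:00 0000/00/00
 ---------------------------------------------------------------
"""
AV_OUTPUT = """\
<NGFW> display version av-sdb
 14:03:42  2015/05/06
 AV SDB Update Information List:
 ---------------------------------------------------------------
 Current Version:
 Signature Database Version    : 2014091500
 Signature Database Size(byte) : 115294666
 Update Time                   : 13:44:29 2015/03/31
 Issue Time of the Update File : 01:50:47 2014/09/15
 Backup Version:
 Signature Database Version    :
 Signature Database Size(byte) : 0
 Update Time                   : 00:00:00 0000/00/00
 Issue Time of the Update File : 00:00:00 0000/00/00
 ---------------------------------------------------------------
"""

if __name__ == "__main__":
    for name, capture in (("ips-sdb", IPS_OUTPUT), ("av-sdb", AV_OUTPUT)):
        print(name, assess(capture))
```

The threshold is deliberately a parameter: a daily schedule such as the one configured in this lab justifies a tight limit, while the guide's own sample output (issued in 2014, checked in May 2015) is flagged as stale under any reasonable value.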
11.2 UTM IPS Lab
Lab Objectives
Configure the IPS function on the NGFW to protect the enterprise's internal PCs and HTTP server.
Step 3
Under this IPS policy, add a new signature filter.
Step 4
Configure the security policy and assign the IPS policy to it.
2. When the user downloads the test file, the connection is blocked.
3. In the device dashboard, you can check the threat log list.
11.3 UTM AV Lab
Lab Objectives
Be familiar with the configuration of AV for intranet users accessing web pages on the Internet.
Lab Device
One USG6000 firewall, two PCs.
Lab Topology
(Figure: PC 10.1.8.100/24 in the Trust zone connects to the firewall's G1/0/1, 10.1.8.22/24, on the internal network; G1/0/2, 10.1.10.22/24, in the Untrust zone connects to the HTTP server 10.1.10.11/24.)
Configuration Procedure
Step 1
Configure the basic parameters of the interfaces. (Omitted)
Step 2
Configure the AV policy. Choose Object > Security Profiles > Anti-Virus, click Add, and create an AV policy named "AV_Policy".