Related Manuals for H3C SecPath F5000-AI-20
Summary of Contents for H3C SecPath F5000-AI-20
- Page 1 H3C SecPath F5000-AI-20[40] Firewalls Installation Guide New H3C Technologies Co., Ltd. http://www.h3c.com Document version: 6W100-20211224...
- Page 2 The information in this document is subject to change without notice. All contents in this document, including statements, information, and recommendations, are believed to be accurate, but they are presented without warranty of any kind, express or implied. H3C shall not be liable for technical or editorial errors or omissions contained herein.
- Page 3 Preface This installation guide describes the procedure for installing H3C SecPath F5000-AI firewall series. It includes the following sections: preparing for installation, installing the firewall, logging in to the firewall, hardware replacement, hardware management and maintenance, and troubleshooting. This preface includes the following topics about the documentation: •...
- Page 4 Convention Description Folder. Symbols Convention Description An alert that calls attention to important information that if not understood or followed WARNING! can result in personal injury. An alert that calls attention to important information that if not understood or followed CAUTION: can result in data loss, data corruption, or damage to hardware or software.
- Page 5 It is normal that the port numbers, sample output, screenshots, and other information in the examples differ from what you have on your device. Documentation feedback You can e-mail your comments about product documentation to info@h3c.com. We appreciate your comments.
-
Page 6: Table Of Contents
Contents 1 Preparing for installation ·········································································· 1-1 Safety recommendations ································································································································ 1-1 Safety symbols ········································································································································ 1-1 General safety recommendations ··········································································································· 1-1 Electrical safety ······································································································································· 1-2 Laser safety ············································································································································· 1-2 Handling safety ······································································································································· 1-2 Examining the installation site ························································································································· 1-3 Weight support ········································································································································ 1-3 Temperature and humidity ······················································································································... - Page 7 Displaying the CPU usage of the firewall ········································································································ 5-3 Displaying the memory usage of the firewall··································································································· 5-3 Displaying the operational status of power supplies ······················································································· 5-4 Displaying the operational status of fan trays ································································································· 5-4 Displaying the temperature information of the firewall ···················································································· 5-5 Displaying the operational statistics of the firewall ··························································································...
-
Page 8: Preparing For Installation
Preparing for installation H3C SecPath F5000-AI firewall series includes the F5000-AI-20 and F5000-AI-40 models. Safety recommendations To avoid any equipment damage or bodily injury, read the following safety recommendations before installation. Note that the recommendations do not cover every possible hazardous condition. -
Page 9: Electrical Safety
Symbol Description Transported and stored avoiding humidity, rains and wet floor. Electrical safety • Carefully examine your work area for possible hazards such as moist floors, ungrounded power extension cables, and missing safety grounds. • Locate the emergency power-off switch in the room before installation. Shut the power off at once in case accident occurs. -
Page 10: Examining The Installation Site
Examining the installation site The firewall can only be used indoors. To make sure the firewall operates correctly and to prolong its service lifetime, the installation site must meet the following requirements. Weight support Make sure the floor can support the total weight of the rack, chassis, modules, and all other components. -
Page 11: Cooling System
Table1-4 Harmful gas limits in an equipment room Max. (mg/m 0.006 0.05 0.01 0.04 Cooling system For adequate heat dissipation of the device, follow these guidelines: • Make sure the installation site has a good cooling system. • Reserve a minimum clearance of 100 mm (3.94 in) around the air inlet and outlet vents. •... -
Page 12: Esd Prevention
ESD prevention To prevent electrostatic discharge (ESD), use the following guidelines: • Make sure the firewall and the rack are reliably grounded. • Take dust-proof measures for the equipment room. Make sure the equipment room meets the dust control requirements described in "Cleanliness." •... -
Page 13: Lightning Protection
• Inductance coupling. • Electromagnetic wave radiation. • Common impedance (including the grounding system) coupling. To prevent EMI, use the following guidelines: • If AC power is used, use a single-phase three-wire power receptacle with protection earth (PE) to filter interference from the power grid. •... -
Page 14: Installation Accessories
Diagonal pliers ESD wrist strap Wire-stripping pliers Crimping tool Installation accessories Table1-6 Installation accessories 地线 M6 rack screw M4 mounting bracket screw Cage nut Grounding cable Mounting brackets with Slide rails and cable management Console cable chassis rails brackets Pre-installation checklist Table1-7 Checklist before installation Item Requirements... - Page 15 Item Requirements and when you install and remove a transceiver module. • Put the removed interface modules on an ESD workbench, with the PCB upward, or put them in ESD bags for future use. • Take effective measures to protect the power system from the power grid system.
-
Page 16: Installing The Firewall
Keep the tamper-proof seal on a mounting screw on the chassis cover intact, and if you want to open the chassis, contact the local agent of H3C for permission. Otherwise, H3C shall not be liable for any consequence caused thereby. - Page 17 Figure2-1 Firewall installation flow Start Ground the device Install the device in a 19-inch rack Install power supplies Install fan trays Install interface modules Install drives Connect Ethernet interface cables Connect power cords Verify the installation...
-
Page 18: Grounding The Firewall
Grounding the firewall WARNING! • Correctly connecting the firewall grounding cable is crucial to lightning protection and EMI protection. Before installing or using the firewall, connect the grounding cable to it correctly. • Do not connect the firewall grounding cable to a fire main or lightning rod. As shown in Figure2-2, the firewall provides a primary grounding point at the rear panel and an auxiliary grounding point at the left side. - Page 19 Table2-2 Firewall dimensions and rack requirements Firewall dimensions Rack requirements • • Height—88.1 mm (3.47 in) A minimum of 1 m (3.28 ft) in depth • (recommended). Width—440 mm (17.32 in) • • A minimum of 100 mm (3.94 in) between the front Total depth—775.5 mm (30.53 in) rack posts and the front door.
-
Page 20: Installing A Power Supply
Figure2-4 Attaching the mounting brackets and chassis rails to the firewall One person supports the bottom of the firewall, align the chassis rails with the slide rails, and slide the slide rails into the chassis rails until the mounting brackets are flush with the front rack posts. - Page 21 No power supply is provided with the firewall. Purchase power supplies as required. The installation procedures for AC and DC power supplies are similar. The following procedure installs an AC power supply. To install a power supply: To install the power supply in slot PWR1, remove the filler panel from the slot. To install the power supply in slot PWR2, skip this step.
-
Page 22: Installing A Fan Tray
Installing a fan tray CAUTION: • Before installation, make sure the airflow direction provided by the fan tray meets the requirements for installation ventilation. • The firewall comes with both fan tray slots empty. To ensure good ventilation, you must install two fan trays of the same model before powering on the firewall. -
Page 23: Installing An Interface Module
Installing an interface module CAUTION: • The firewall does not support hot swapping of interface modules. • To avoid module damage, do not touch the surface-mounted components on an interface module directly with your hands. • Install a filler panel in each empty interface module slot to prevent dust and ensure good ventilation in the chassis. -
Page 24: Connecting Ethernet Cables
The firewall does not come with any drives and cannot recognize drives from other vendors. Purchase drives from H3C as needed. To install a drive: Wear an ESD wrist strap and make sure it makes good skin contact and is reliably grounded. - Page 25 QSFP+ transceiver modules. For the transceiver module specifications, see "GE fiber Ethernet port", "10 GE fiber Ethernet port" and "40 GE fiber Ethernet port." No transceiver module is provided with the firewall. As a best practice, use H3C transceiver modules.
-
Page 26: Connecting The Power Cord
Install a transceiver module. Pull the bail latch on the transceiver module upwards to catch the knob on the top of the transceiver module. Take the transceiver module by its two sides and push the end without the bail latch gently into the port until it snaps into place. Remove the dust cap from the optical fiber connector, and use dust free paper and absolute alcohol to clean the end face of the fiber connector. -
Page 27: Connecting A Dc Power Cord
Figure2-15 Connecting an AC power cord Connecting a DC power cord Correctly orient the DC power cord plug with the power receptacle on the power supply, and insert the plug into the receptacle. Use a removable cable tie to secure the DC power cord to the power supply handle. Connect the other end of the power cord to the DC power source. -
Page 28: Verifying The Installation
Figure2-16 Connecting a DC power cord Verifying the installation After installation, verify that: • There is enough space for heat dissipation around the firewall, and the firewall is steady. • All screws are fastened. • The grounding cable and power cord are securely connected. •... -
Page 29: Accessing The Firewall For The First Time
The fan blades are rotating and air is exhausted from the air outlet vents. • The configuration terminal displays the following: System is starting... Press Ctrl+D to access BASIC-BOOTWARE MENU... Press Ctrl+T to start heavy memory test..Booting Normal Extended BootWare The Extended BootWare is self-decompressing..Done. **************************************************************************** H3C SecPath BootWare, Version 1.03... - Page 30 **************************************************************************** Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. Compiled Date : Mar 28 2017 Memory Type : DDR3 SDRAM Memory Size : 32768MB Flash Size : 8MB sda0 Size : 3728MB CPLD Version : 1.0 PCB Version : Ver.B BootWare Validating...
-
Page 31: Logging In To The Firewall
Known-Answer tests in the kernel passed. Starting Known-Answer tests in the engine. Known-answer test for SHA1 passed. Known-answer test for HMAC-SHA1 passed. Known-answer test for AES passed. Known-answer test for RSA(signature/verification) passed. Known-answer test for RSA(encrypt/decrypt) passed. Known-answer test for DSA(signature/verification) passed. Known-answer test for random number generator passed. -
Page 32: Logging In From The Web Interface
Flow control—None. Logging in from the Web interface IMPORTANT: After accessing the Web interface with the default account, modify the password of the default account or create a new administrator account and delete the default account as a best practice. At the first login from the Web interface, you can use the default account or use an account created from the CLI. -
Page 33: Hardware Replacement
Hardware replacement CAUTION: Wear an ESD wrist strap or ESD gloves for hardware maintenance. They are not provided with the firewall. Prepare them yourself. Replacing a fan tray WARNING! • To avoid bodily injury, do not touch an operating fan tray. •... -
Page 34: Replacing An Interface Module
Turn off the power source and then remove the power cord from the power supply. To remove a DC power cord, squeeze the upper and lower sides of the plug and then pull the plug out. Figure4-2 Removing a power cord Holding the handle on the power supply with one hand, press the retaining latch on the power supply to the right with your thumb, and pull the power supply part way out of the slot. -
Page 35: Replacing A Drive
Install a new module. For the installation procedure, see "Installing an interface module." Figure4-4 Removing an interface module Replacing a drive CAUTION: • To avoid storage medium damage, execute the command from the CLI to unmount all umount the file systems before removing a drive. •... -
Page 36: Replacing A Transceiver Module
Replacing a transceiver module WARNING! Disconnected optical fibers or transceiver modules might emit invisible laser light. Do not stare into beams or view directly with optical instruments when the switch is operating. When you replace a transceiver module, make sure the two transceiver modules connected by the same optical fiber are the same type. -
Page 37: Hardware Management And Maintenance
H3C Comware Software, Version 7.1.064, Alpha 9606P03 Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved. H3C SecPath F5000-AI-40 uptime is 0 weeks, 0 days, 0 hours, 31 minutes Boot image: sda0:/Main-CMW710-BOOT-A9606P03.bin Boot image version: 7.1.064, Alpha 9606P03 Compiled Apr 27 2017 16:00:00 System image: sda0:/Main-CMW710-SYSTEM-A9606P03.bin... -
Page 38: Displaying The Electrical Label Information For The Firewall
DEVICE_SERIAL_NUMBER : 210235A1XYH175000008 MAC_ADDRESS : 1CAB-3497-D7DE MANUFACTURING_DATE : 2019-06-11 VENDOR_NAME : H3C Fan 0: The operation is not supported on the specified fan. Fan 1: The operation is not supported on the specified fan. Fan 2: The operation is not supported on the specified fan. -
Page 39: Displaying The Cpu Usage Of The Firewall
Displaying the CPU usage of the firewall Use the command to display the CPU usage of the firewall. display cpu-usage <Sysname> display cpu-usage Slot 1 CPU 0 CPU usage: 0% in last 5 seconds 0% in last 1 minute 0% in last 5 minutes Table5-2 Output description Field Description... -
Page 40: Displaying The Operational Status Of Power Supplies
Field Description FreeRatio Free memory ratio. -/+ Buffers/Cache:used = Mem:Used – Mem:Buffers – Mem:Cached, which indicates the physical memory used by applications. -/+ Buffers/Cache -/+ Buffers/Cache:free = Mem:Free + Mem:Buffers + Mem:Cached, which indicates the physical memory available for applications. Swap Swap memory. -
Page 41: Displaying The Temperature Information Of The Firewall
Field Description • NoSupport—The fan tray is not supported. • FanDirectionFault—The fan tray airflow direction is inconsistent with the expected fan tray direction. Fan tray speed. The fan tray adjusts its speed automatically to adapt to the device Speed temperature. Inflow and outflow temperature sensors are used to monitor the device temperature. -
Page 42: Displaying The Operational Statistics Of The Firewall
Displaying the operational statistics of the firewall When you perform routine maintenance or the system fails, you might need to view the operational information of each functional module for locating failures. Typically you need to run display commands one by one. To collect more information one time, you can execute the display command in any view to display or save the operational statistics of diagnostic-information... -
Page 43: Rebooting The Firewall
To display the alarming information or fault detection parameters of a transceiver module: Task Command Remarks display transceiver Display the current alarm alarm interface Available for all transceiver information of the transceiver interface-type modules. module in a specific interface. interface-number Rebooting the firewall CAUTION: •... -
Page 44: Troubleshooting
Troubleshooting Power supply failure Symptom The firewall cannot be powered on, and the power LED (PWR0/PWR1) on the front panel is off. Solution To solve the issue: Power off the firewall. Verify that the power supply is as required by the firewall. Verify that the power cords of the firewall are firmly connected. -
Page 45: Password Loss
If the following alarm information is generated, the temperature of the firewall has reached the warning-level high temperature alarm threshold, Jul 6 11:16:15:872 2020 H3C DEV/4/TEMPERATURE_WARNING: -Context=1; Temp erature is greater than the high-temperature warning threshold on slot 1 sensor inflow 1. Current temperature is 74 degrees centigrade. -
Page 46: Appendix A Chassis Views And Technical Specifications
Appendix A Chassis views and technical specifications H3C SecPath F5000-AI firewall series includes the F5000-AI-20 and F5000-AI-40 models. Chassis views Front panel The firewall provides eight interface module slots and two drive slots on the front panel. Figure7-1 Front panel... -
Page 47: Interface Modules
Figure7-2 Rear panel (1) 10/100/1000BASE-T copper port (combo interface) (2) 1000BASE-X fiber port (combo interface) (3) Console port (4) USB port (5) Fan tray slot FAN0 (6) Fan tray slot FAN1 (7) Power supply slot PWR0 (8) Grounding screw (9) Power supply slot PWR1 (10) Management Ethernet port GE1/0/0 Interface modules CAUTION:... - Page 48 Figure7-3 NSQM1TG8A front view (1) LED (2) 10GBASE-R fiber Ethernet ports (3) Captive screw (4) Ejector lever NSQM1QG2A The NSQM1QG2A interface module provides two 40GBASE-R fiber Ethernet ports. Figure7-4 NSQM1QG2A front view (1) LED (2) 40GBASE-R fiber Ethernet ports (3) Captive screw (4) Ejector lever NSQM1G4XS4 The NSQM1G4XS4 interface module provides four 10GBASE-R fiber Ethernet ports (10G-SR/LR)
-
Page 49: Power Supplies
Figure7-6 NSQM1GT8A front view (1) LED (2) 10/100/1000BASE-T copper Ethernet ports (3) Captive screw (4) Ejector lever NSQM1GP8A The NSQM1GP8A interface module provides eight 1000BASE-X fiber Ethernet ports. Figure7-7 NSQM1GP8A front view (1) LED (2) 1000BASE-X fiber Ethernet ports (3) Captive screw (4) Ejector lever NSQM1GT4PFCA The NSQM1GT4PFCA interface module provides four 10/100/1000BASE-T copper Ethernet ports... -
Page 50: Fan Trays
AC power supply Figure7-9 AC power supply front view (1) Retaining latch (2) Handle (3) Power receptacle DC power supply Figure7-10 DC power supply front view (1) Retaining latch (2) Handle (3) Power receptacle Fan trays The firewall provides two fan tray slots FAN0 and FAN1. No fan trays are provided with the firewall. Purchase fan trays for the firewall as required. -
Page 51: Technical Specifications
FAN-20F-2-A fan tray Figure7-11 FAN-20F-2-A fan tray (1) Handle (2) Alarm LED FAN-20B-2-A fan tray Figure7-12 FAN-20B-2-A fan tray (1) Handle (2) Alarm LED Technical specifications Dimensions and weights The weight of the firewall includes the chassis and its removable components, as shown in Table7-2. -
Page 52: Memory And Storage Media
Table7-2 Dimensions and weights Model Dimensions (H × W × D) Weight F5000-AI-20/F5000-AI-40 88.1 × 440 × 660 mm (3.47 × 17.32 × 25.98 in) chassis (excluding rubber feet 20.1 kg (44.31 lb) (excluding rubber feet and mounting brackets) and mounting brackets) NSQM1TG8A 19.8 ×... -
Page 53: Fan Tray Specifications
Item Specification Maximum input current 5 A to 10 A Maximum power 650 W Table7-6 DC power supply specifications Item Specification Model PSR650B-12D1 Rated input voltage range –40 VDC to –60 VDC Maximum input current 12 A to 22 A Maximum power 650 W Fan tray specifications... -
Page 54: Port Specifications
Connection to the serial port of a local PC to run the terminal Services emulation program • NOTE: For more information about transceiver modules, see H3C Transceiver Modules User Guide. GE copper port Table7-10 GE copper port specifications Item Specification... - Page 55 Item Specification Interface speed 1000 Mbps Duplex mode Full duplex Table7-12 1000BASE-X SFP transceiver module specifications (1) Central Fiber diameter Mode bandwidth Transceiver module wavelength Fiber mode (µm) (MHz*km) (nm) 50/125 SFP-GE-SX-MM850-A 62.5/125 9/125 SFP-GE-LX-SM1310-A 1310 50/125 500/400 62.5/125 SFP-GE-LH40-SM1310 1310 9/125 SFP-GE-LH40-SM1550...
- Page 56 Transmission Transmitted optical Received optical Transceiver module distance power (dBm) power (dBm) SFP-GE-LH40-SM1310 40 km (24.85 miles) –5 to +5 –22 to –3 SFP-GE-LH40-SM1550 40 km (24.85 miles) –4 to +1 –21 to –3 SFP-GE-LH80-SM1550 80 km (49.71 miles) –4 to +5 –22 to –3 SFP-GE-LH100-SM1550 100 km (62.14 miles)
- Page 57 Central Fiber Fiber diameter Mode bandwidth Transceiver module wavelength mode (µm) (MHz*km) (nm) SFP-XG-LX-SM1310 1310 9/125 SFP-XG-LH40-SM1550 1550 9/125 Table7-16 SFP+ transceiver module specifications (2) Transmitted Received Transmission Transmission Transceiver module optical power optical power distance speed (dBm) (dBm) 300 m (984.25 ft) 82 m (269.03 ft) 66 m (216.54 ft) SFP-XG-SX-MM850-A...
-
Page 58: Appendix B Leds
Item Specification Interface speed LAN PHY: 40 Gbps Table7-18 QSFP+ transceiver module specifications (1) Central Fiber Mode Transceiver module wavelength Fiber mode diameter bandwidth (nm) (µm) (MHz*km) 2000 QSFP-40G-SR4-MM850 50/125 4700 Four lanes: • 1271 • QSFP-40G-LR4-WDM1300 1291 9/125 • 1311 •... -
Page 59: Interface Module Leds
Mark Status Description The system is starting or loading Flashing green (8 Hz) software. The firewall is not powered on or has failed. Steady green The fan tray is operating correctly. Fan status LED FAN0 and FAN1 The fan tray has failed. The power supply is operating Steady green correctly. -
Page 60: Appendix C Cables
Mark Status Description The port is receiving or sending Flashing green data at 10 Gbps. 10GBASE-R Steady green A 10 Gbps link is present. No link is present. The port is receiving or sending Flashing green data at 40 Gbps. 40GBASE-R Steady green A 40 Gbps link is present. -
Page 61: Ethernet Twisted Pair Cable
Ethernet twisted pair cable Introduction An Ethernet twisted pair cable consists of four pairs of insulated copper wires twisted together. Every wire uses a different color, and has a diameter of about 1 mm (0.04 in). A pair of twisted copper cables can cancel the electromagnetic radiation of each other, and reduce interference of external sources. - Page 62 • Standard 568A—pin 1: white/green stripe, pin 2: green solid, pin 3: white/orange stripe, pin 4: blue solid, pin 5: white/blue stripe, pin 6: orange solid, pin 7: white/brown stripe, pin 8: brown solid. • Standard 568B—pin 1: white/orange stripe, pin 2: orange solid, pin 3: white/green stripe, pin 4: blue solid, pin 5: white/blue stripe, pin 6: green solid, pin 7: white/brown stripe, pin 8: brown solid.
- Page 63 Figure9-4 Crossover cable white/orange orange white/green blue white/blue green white/brown brown Crossover cable white/green green white/orange blue white/blue orange white/brown brown Select an Ethernet twisted pair cable according to the RJ-45 Ethernet port type on your device. An RJ-45 Ethernet port can be MDI (for routers and PCs) or MDIX (for switches). Table9-3 Table9-4 show their pinouts.
-
Page 64: Making An Ethernet Twisted Pair Cable
10Base-T/100Base-TX 1000Base-T Signal Function Signal Function Sends data BIDA- Bi-directional data cable A- Reserved BIDC+ Bi-directional data cable C+ Reserved BIDC- Bi-directional data cable C- To ensure normal communication, the pins for sending data on one port must correspond to the pins for receiving data on the peer port. - Page 65 Item Single mode fiber Multi-mode fiber Uses lasers as the light source often Uses LEDs as the light source often within Light source and within campus backbones for distance LANs or distances of a couple hundred transmission distance of several thousand meters meters within a campus network Table9-6 Allowed maximum tensile force and crush load Period of force...