Port Mapping; Firewall Log - Huawei AR1200-S Configuration Manual

Huawei AR1200-S Series Enterprise Routers
Configuration Guide - Security
Whitelist
The whitelist prevents specified IP addresses from being added to the blacklist. The IP addresses
in the whitelist will not be added to the static or dynamic blacklist. An entry in the whitelist is
represented by the source VPN and IP address.
The whitelist applies to the network where some devices send valid service packets that resemble
IP address scanning attack packets or port scanning attack packets. The whitelist prevents these
devices from being added to the blacklist.
The whitelist entries on the AR1200-S can only be manually added.

Port Mapping

Application-layer protocols use well-known ports for communication. Port mapping defines new
port numbers for different application-layer protocols, which protect the server against service-
specific attacks.
Port mapping applies to service-sensitive features such as ASPF and Network Address
Translation (NAT). For example, the FTP server 10.10.10.10 on an enterprise intranet provides
the FTP service through port 2121. When accessing the FTP server through a NAT server, users
must use port 2121. By default, port 21 is used for FTP packets. The FTP server cannot identify
the FTP packets that use port 21. In this case, you need to map port 2121 to the FTP protocol.
After port mapping, the NAT server can identify the FTP packets that use port 2121 and send
the FTP packets to the FTP server. This enables users to access the FTP server.
Virtual Firewall
Recently, more small-scale private networks have been established. Most of these private
networks belong to small-scale enterprises. Such enterprises have the following requirements:
l
l
Logically, the AR1200-S can be divided into multiple virtual firewalls to serve multiple small-
scale private networks. By using the virtual firewall function, an ISP can lease the network
security services to the enterprises.
A virtual firewall integrates a VPN instance and a security instance. The virtual firewall provides
a private routing plane and security service for the virtual firewall users. The VPN instance and
the security instance provide the following functions:
l
l

Firewall Log

The firewall records the behaviors and status of the firewall in real time. For example, the attack
defense measures and the detection of malicious attacks are recorded in the firewall log.
The firewall logs are categorized into the following types:
Issue 02 (2012-03-30)
High security
Insufficient costs to afford a private security device
VPN instance: provides independent VPN routes for the users under each virtual firewall.
These VPN routes are used to forward the packets received by each virtual firewall.
Security instance: provides independent security services for the users under each virtual
firewall. The security instance contains private interfaces, zones, interzones, ACL rules,
and NAT rules. In addition, it provides the security services such as address binding,
blacklist, address translation, packet filtering, traffic statistics and monitoring, attack
defense, ASPF, and NAT for the users under the virtual firewalls.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
3 Firewall Configuration
46