Port Mapping - Huawei S9700 Series Configuration Manual

S9700 Core Routing Switch
Configuration Guide - SPU
The whitelist applies to networks in which some devices send valid service packets that resemble
IP address scanning or port scanning attack packets. The whitelist prevents these devices from
being added to the blacklist.
Whitelist entries on the SPU can only be added manually.

Port Mapping

Application-layer protocols use well-known ports for communication. Port mapping defines new
port numbers for application-layer protocols, which protects the server against service-specific
attacks.

Port mapping applies to service-sensitive features such as ASPF and Network Address
Translation (NAT). For example, the FTP server 10.10.10.10 on an enterprise intranet provides
the FTP service through port 2121, so users accessing the FTP server through a NAT server
must use port 2121. By default, port 21 is used for FTP packets, and the FTP server cannot
identify the FTP packets that use port 21. In this case, you need to map port 2121 to the FTP
protocol. After port mapping, the NAT server can identify the FTP packets that use port 2121
and send them to the FTP server, so users can access the FTP server.
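To make the mechanism concrete, the following is an added Python model of the classification step an ASPF/NAT engine performs (example code written for this page, not Huawei's implementation or CLI). It assumes a default well-known-port table and port-mapping entries scoped to a destination network; the scope field and the class and function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass

# Default well-known ports used to recognise application protocols (constructed sample).
WELL_KNOWN_PORTS = {21: "ftp", 25: "smtp", 53: "dns", 80: "http"}


@dataclass(frozen=True)
class PortMapping:
    """One port-mapping entry: treat traffic to `port` as application `app`.

    `scope` restricts the entry to a destination network. This models the idea of
    scoping a mapping to particular servers; it is an assumption, not Huawei's data model."""
    app: str
    port: int
    scope: ipaddress.IPv4Network


class AppClassifier:
    def __init__(self) -> None:
        self._mappings: list[PortMapping] = []

    def add_mapping(self, app: str, port: int, scope: str) -> None:
        if app not in WELL_KNOWN_PORTS.values():
            raise ValueError(f"unknown application {app!r}")
        self._mappings.append(PortMapping(app, port, ipaddress.ip_network(scope)))

    def identify(self, dst_ip: str, dst_port: int) -> str:
        """Return the application name for a flow, or 'unknown'.

        Port-mapping entries are checked first, so a mapped port wins over the
        default table; ports with no mapping fall back to the well-known table."""
        ip = ipaddress.ip_address(dst_ip)
        for m in self._mappings:
            if m.port == dst_port and ip in m.scope:
                return m.app
        return WELL_KNOWN_PORTS.get(dst_port, "unknown")


def nat_server_can_inspect(classifier: AppClassifier, dst_ip: str, dst_port: int, app: str) -> bool:
    """True when the engine recognises the flow as `app` and can therefore apply
    that protocol's inspection (for FTP, tracking the negotiated data channel)."""
    return classifier.identify(dst_ip, dst_port) == app


def demo() -> dict:
    c = AppClassifier()
    before = c.identify("10.10.10.10", 2121)      # 'unknown': 2121 is not FTP by default
    c.add_mapping("ftp", 2121, "10.10.10.10/32")  # map 2121 to FTP for this server only
    after = c.identify("10.10.10.10", 2121)       # 'ftp'
    other_host = c.identify("10.10.10.11", 2121)  # still 'unknown': scoped to one host
    standard = c.identify("10.10.10.10", 21)      # 'ftp': the default port still works
    return {"before": before, "after": after, "other_host": other_host, "standard": standard}
```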
Virtual Firewall

Recently, more small-scale private networks have been established. Most of these private
networks belong to small-scale enterprises. Such enterprises have the following requirements:
- High security
- Insufficient budget to afford a private security device

Logically, the SPU can be divided into multiple virtual firewalls to serve multiple small-scale
private networks. By using the virtual firewall function, an ISP can lease network security
services to the enterprises.

A virtual firewall integrates a VPN instance and a security instance. The virtual firewall provides
a private routing plane and security services for the virtual firewall users. The VPN instance and
the security instance provide the following functions:
- VPN instance: provides independent VPN routes for the users under each virtual firewall.
These VPN routes are used to forward the packets received by each virtual firewall.
- Security instance: provides independent security services for the users under each virtual
firewall. The security instance contains private interfaces, zones, interzones, ACL rules,
and NAT rules. In addition, it provides security services such as address binding,
blacklist, address translation, packet filtering, traffic statistics and monitoring, attack
defense, ASPF, and NAT for the users under the virtual firewalls.

Firewall Log

The firewall records its behaviors and status in real time. For example, the attack
defense measures taken and the malicious attacks detected are recorded in the firewall log.

The firewall logs are categorized into the following types:
- Session log: sent to the log server in real time.
- Blacklist log: sent to the information center in real time.
- Attack log and statistics log: sent to the information center periodically.

Issue 01 (2012-03-15) | Huawei Proprietary and Confidential | Copyright © Huawei Technologies Co., Ltd. | 2 Firewall Configuration | 30