H3C SecBlade IPS Cards
User Manual
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Document version: 5PW104-20101210


Summary of Contents for H3C SecBlade

  • Page 1 H3C SecBlade IPS Cards User Manual Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document version: 5PW104-20101210...
  • Page 2 SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V²G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners. Notice: The information in this document is subject to change without notice.
  • Page 3 Preface The H3C SecBlade IPS Cards User Manual describes the SecBlade IPS cards' overview, features, and login methods, and the configurations on the switches and routers that hold the cards. This preface includes: Audience; Conventions; About the H3C SecBlade IPS Cards Document Set; ...
  • Page 4 IMPORTANT: An alert that calls attention to essential information. NOTE: An alert that contains additional or supplementary information. TIP: An alert that provides helpful information. About the H3C SecBlade IPS Cards Document Set The H3C SecBlade IPS cards documentation set includes (Category / Documents / Purposes): Marketing brochures: Describe product specifications and benefits.
  • Page 5 Obtaining documentation You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com. Click the links on the top navigation bar to obtain different categories of product documentation: [Technical Support & Documents > Technical Documents] –...
  • Page 6: Table Of Contents

    Main Characteristics ... 2
    Main Functions ... 3
    Features ... 5
    Feature List ... 5
    Login ... 6
    Switch/Router and SecBlade IPS Card Network Configuration ... 9
    LSWM1IPS10 Card Configuration ... 9
    Configuration Overview ... 9
    Configuration Procedure ... 10
    Configuration Example ... 14
    LSQ1IPSSC0 Card Configuration (Only for the S7500E Switch and Supporting OAA Configuration) ... 17
    Configuration Overview ...
  • Page 7 Index ... 78
  • Page 8: Overview

    • Features: Describes the features of the SecBlade IPS cards. For how to configure these features, see the H3C Intrusion Prevention System Web-Based Configuration Guide. Login: Describes how to log in to the web interface of the SecBlade IPS cards.
  • Page 9: Secblade Ips Cards Overview

    H3C SecBlade IPS cards are based on the latest hardware platform and architecture of H3C. They support distributed deployment, centralized management and flexible scalability, and can be managed using a web browser. H3C SecBlade IPS cards can be inserted into the main network devices to satisfy the traffic management needs of users.
  • Page 10: Main Functions

    URL filtering SecBlade IPS cards provide the URL filtering function, which allows you to define URL filtering rules that support regular expressions to filter specific web pages. Application based bandwidth control...
  • Page 11 SecBlade IPS cards support local and distributed management modes. For a network with one or a small number of SecBlade IPS cards deployed, you can manage the cards through the embedded web interface. For a network with a large number of SecBlade IPS cards deployed, you can implement unified upgrade, monitoring, analysis and policy management for the cards through the H3C security management center SecCenter.
  • Page 12: Features

    Features. Feature List. Table 1 Feature list of SecBlade IPS cards (Module / Features): Web overview; Device management; User management; Network management; High reliability; Time table management; Web Configuration; Actions management; Log management; URL filtering; Anti-virus; DDoS protection; Bandwidth management; Blacklist; ...
  • Page 13: Login

    Connect the RJ-45 connector to the console port of the SecBlade IPS card, and connect the DB9 female connector to the serial port of the PC. Then connect the management port of the SecBlade IPS card to the network interface of the PC by using a crossover Ethernet cable.
  • Page 14 The PC then displays the Power On Self Test (POST) information of the IPS card. After the POST, you are prompted to enter the password (the default password is H3C, which is case-sensitive). Enter the correct password to enter the CLI of the IPS card.
  • Page 15 Do not log in to the web interface through both HTTP and HTTPS at the same time from a PC. After the first login, H3C recommends changing the default password. For more information, see User Management in the H3C Intrusion Prevention System Web-Based Configuration Guide.
  • Page 16: Switch/Router And Secblade Ips Card Network Configuration

    10GE interface connected to the SecBlade IPS card. The switch performs normal Layer-3 forwarding to the packets and then sends them to the SecBlade IPS card through its internal 10GE interface. The detailed data forwarding process is as follows.
  • Page 17: Configuration Procedure

    Configure the internal 10GE interface as an Access interface, add it to a VLAN, for example VLAN 100 (which must be consistent with the VLAN ID configured on the OAA configuration page of the SecBlade IPS card), and configure the interface's port-connect-mode as extended. Save the configuration. ...
  • Page 18 To do: Create an SNMP group and set its access right. Use the command (for SNMPv3): snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] ... Remarks: Required. By default, the SNMP group configured with the snmp-agent group v3 command uses non-authentication and ... Without the authentication or privacy keyword, requests from that group are accepted unauthenticated.
  • Page 19 Create security zones and add the interfaces of the switch to corresponding security zones. Create a segment and add internal and external zones to the segment. Follow these steps to configure the SecBlade IPS card: To do... Use the command... ...
  • Page 20 Displaying the configuration After completing the above configurations, you can use the display command in any view of the SecBlade IPS card to view forwarding information on the internal 10GE interface and verify your configurations. To do...
  • Page 21: Configuration Example

    Configure the switch # Configure the H3C new MIB style. That is, the sysOID and private MIB are both under H3C enterprise ID 25506. You need to reboot the switch to validate the configuration (You can reboot the switch after completing all configurations).
  • Page 22 [Sysname-if]ip address 192.168.0.11 255.255.255.0 [Sysname-if] undo shutdown [Sysname-if] quit # Log in to the web interface of the SecBlade IPS card. The username and password are both admin. Figure 6 Log into the SecBlade IPS card # Configure OAA. •...
  • Page 23 Figure 8 Connectivity test result # Configure security zones. After completing OAA configuration on the SecBlade IPS card and the S5800/S5820X, you can add any physical ports of the S5800/S5820X to a security zone except the internal interface. In this example, create internal security zone Inside and add GigabitEthernet 1/0/15 to the internal security...
  • Page 24: Lsq1Ipssc0 Card Configuration (Only For The S7500E Switch And Supporting Oaa Configuration)

    SecBlade IPS card through its 10GE interface automatically. After processing the traffic, the SecBlade IPS card sends it back to the switch through its internal 10GE interface, and the switch forwards the traffic. The detailed data forwarding process is as follows.
  • Page 25: Configuration Procedure

    (which must be consistent with the VLAN ID configured on the OAA configuration page of the SecBlade IPS card), configure the interface to permit packets of VLAN 2 through VLAN 4094 to pass, and configure its connection mode as extended.
  • Page 26 To do: Set the SNMP version. Use the command: snmp-agent sys-info { contact sys-contact | location sys-location | version { all | { v1 | v2c | v3 }* } }. Remarks: Required. Currently, the SecBlade IPS card only supports SNMPv3. By default, SNMPv3 applies.
  • Page 27 To do: Enter the view of the 10GE interface connected to the SecBlade IPS card. Use the command: interface Ten-GigabitEthernet interface-number. Remarks: Required. To do: Configure the link type of the interface. Use the command: port link-type { access | hybrid | trunk }. Remarks: Required. By default, the link type of an interface is access.
  • Page 28 Create security zones and add the interfaces of the switch to corresponding security zones. Create a segment and add internal and external zones to the segment. Follow these steps to configure the SecBlade IPS card: To do... Use the command... Remarks...
  • Page 29: Configuration Example

    Displaying the configuration After completing the above configurations, you can use the display command in any view of the SecBlade IPS card to view forwarding information on the internal 10GE interface and verify your configurations. To do...
  • Page 30 Configure the switch # Configure the H3C new MIB style. That is, the sysOID and private MIB are both under H3C enterprise ID 25506. You need to reboot the switch to validate the configuration (You can reboot the switch after completing all configurations).
  • Page 31 IP address through the web interface. <Sysname> system-view [Sysname] interface meth0/2 [Sysname-if]ip address 192.168.0.11 255.255.255.0 [Sysname-if] undo shutdown [Sysname-if] quit # Log in to the web interface of the SecBlade IPS card. The username and password are both admin.
  • Page 32 Figure 13 Log into the SecBlade IPS card # Configure OAA. Configure the OAA client and the internal interface and test the connectivity to the switch. Figure 14 Configure the OAA client After completing configuration, click Test Connectivity. If the following message appears, the switch is...
  • Page 33 Figure 15 Connectivity test result # Configure security zones. After completing OAA configuration on the SecBlade IPS card and the S7500E, you can add any physical ports of the S7500E to a security zone except the internal interface. In this example, create internal security zone Inside and add GigabitEthernet 3/0/1 and...
  • Page 34: Lsb1Ips1A0 Card Configuration

    The LSB1IPS1A0 card is only for the Comware V3 S9500 switches. Configuration Overview The switch and the SecBlade IPS card are connected through internal 10GE interfaces. The switch uses VLAN interfaces to perform Layer 3 forwarding. Configure redirection on the internal and external network interfaces of the switch to redirect incoming IP packets matching the VLAN interface to the internal 10GE interface connected to the SecBlade IPS card.
  • Page 35: Configuration Procedure

    A packet with a broadcast or unknown MAC address is broadcast in the VLAN. Therefore, it is forwarded to the SecBlade IPS card through the 10GE interface, and the card sends it back to the switch after processing. Then, the switch resends it through ports in the VLAN, including the receiving interface.
  • Page 36 To do: Enter the view of the 10GE interface connected to the SecBlade IPS card. Use the command: interface interface-type interface-number. Remarks: Required. To do: Configure the link type of the interface as trunk. Use the command: port link-type trunk. Remarks: Required. To do: Permit the packets of specified ... Use the command: port trunk permit vlan { vlan-id-list | ... Remarks: Required.
  • Page 37 Create security zones and add internal 10GE interfaces that belong to different internal and external network VLANs to corresponding security zones. Create segments and add internal and external zones to corresponding segments. Follow these steps to configure the SecBlade IPS card: To do... Use the command... Remarks. Enter system view: system-view (—). Required...
  • Page 38: Configuration Example

    Displaying the configuration After completing the above configurations, you can use the display command in any view of the SecBlade IPS card to view forwarding information on the internal 10GE interface and verify your configurations. To do...
  • Page 39 GigabitEthernet 3/1/1 and GigabitEthernet 4/1/1, ensuring that a response packet is processed by the SecBlade IPS card that processed the corresponding request packet. Configure the interface swap table of the SecBlade IPS cards and configure security zones and segments.
  • Page 40 [Sysname]interface Vlan-interface 30 [Sysname-Vlan-interface30] ip address 30.0.0.1 255.0.0.0 [Sysname-Vlan-interface30] quit # Configure the link type of the 10GE interfaces connected to the SecBlade IPS cards as trunk, and disable MAC address learning on the interfaces. [Sysname] interface GigabitEthernet3/1/1 [Sysname-GigabitEthernet3/1/1] port link-type trunk...
  • Page 41 [Sysname-if]ip address 192.168.0.21 255.255.255.0 [Sysname-if] undo shutdown [Sysname-if] quit # Log in to the web interface of the SecBlade IPS cards using default user name admin and default password admin. Figure 20 Log in to the SecBlade IPS card web interface # Select System Management >...
  • Page 42: Lsr1Ips1A1 Card Configuration

    SecBlade IPS card through its 10GE interface automatically. After processing the traffic, the SecBlade IPS card sends it back to the switch through its internal 10GE interface, and the switch forwards the traffic. The detailed data forwarding process is as follows.
  • Page 43: Configuration Procedure

    The switch redirects the packets to the SecBlade IPS card. After processing the packets, the SecBlade IPS card forwards them back to the switch. The switch forwards the packets out its internal network interface. Configuration Procedure Configuring the switch Configure the switch as follows.
  • Page 44 To do: Set the SNMP version. Use the command: snmp-agent sys-info { contact sys-contact | location sys-location | version { all | { v1 | v2c | v3 }* } }. Remarks: Required. Currently, the SecBlade IPS card only supports SNMPv3. By default, SNMPv3 applies.
  • Page 45 To do: Enter the view of the internal 10GE interface connected to the SecBlade IPS card. Use the command: interface Ten-GigabitEthernet interface-number. Remarks: Required. To do: Configure the link type of the interface. Use the command: port link-type { access | hybrid | trunk }. Remarks: Required. By default, the link type of an interface is access.
  • Page 46 Create security zones and add the interfaces of the switch to corresponding security zones. Create a segment and add internal and external zones to the segment. Follow these steps to configure the SecBlade IPS card: To do... Use the command... ...
  • Page 47: Configuration Example

    Displaying the configuration After completing the above configurations, you can use the display command in any view of the SecBlade IPS card to view forwarding information on the internal 10GE interface and verify your configurations. To do...
  • Page 48 Configure the switch # Configure the H3C new MIB style. That is, the sysOID and private MIB are both under H3C enterprise ID 25506. You need to reboot the switch to validate the configuration (You can reboot the switch after completing all configurations).
  • Page 49 [Sysname-if]ip address 192.168.0.11 255.255.255.0 [Sysname-if] undo shutdown [Sysname-if] quit # Log in to the web interface of the SecBlade IPS card. The username and password are both admin. Figure 25 Log into the SecBlade IPS card # Configure OAA. Configure the OAA client and the internal interface and test the connectivity to the switch.
  • Page 50 Figure 27 Connectivity test result # Configure security zones. After completing OAA configuration on the SecBlade IPS card and the S9500E, you can add any physical ports of the S9500E to a security zone except the internal interface. In this example, create internal security zone Inside and add GigabitEthernet 3/0/1 and GigabitEthernet...
  • Page 51: Lst1Ips1A1 Card Configuration

    SecBlade IPS card through its 10GE interface automatically. After processing the traffic, the SecBlade IPS card sends the traffic back to the switch through its internal 10GE interface, and the switch forwards the traffic. The detailed data forwarding process is as follows.
  • Page 52: Configuration Procedure

    To do: Enter system view. Use the command: system-view. Remarks: —. Remarks (MIB style): Required. new: Specifies the MIB style H3C new. With this style, both the sysOID and private MIB of the switch are located under the H3C enterprise ID 25506. compatible: Specifies the MIB style H3C compatible.
  • Page 53 To do: Set the SNMP version. Use the command: snmp-agent sys-info { contact sys-contact | location sys-location | version { all | { v1 | v2c | v3 }* } }. Remarks: Required. Currently, the SecBlade IPS card only supports SNMPv3. By default, SNMPv3 applies.
  • Page 54 Configuring the SecBlade IPS card Configure the SecBlade IPS card as follows. Configure the IP address of the management interface at the CLI and use the IP address to log in to the web interface of the SecBlade IPS card.
  • Page 55 ... to the external zone. The internal interface connects to the switch. Displaying the configuration Use the following command in any view of the SecBlade IPS card to view forwarding information of the internal 10GE interface: To do... Use the command... Display the running status and forwarding...
  • Page 56: Configuration Example

    31, the switch has one SRPU installed in slot 0, one switching board installed in slot 4, and one SecBlade IPS card installed in slot 5. The switch uses GigabitEthernet 4/0/1 and GigabitEthernet 4/0/2 to connect to the internal network, uses GigabitEthernet 4/0/20 to connect to the external network, and uses its internal interface Ten-GigabitEthernet 5/0/1 to connect to the SecBlade IPS card’s internal interface Ten-GigabitEthernet 0/0.
  • Page 57 # Configure the H3C new MIB style. That is, the sysOID and private MIB are both under H3C enterprise ID 25506. You need to reboot the switch to validate the configuration (You can reboot the switch after completing all configurations).
  • Page 58 [Sysname-if]ip address 192.168.0.11 255.255.255.0 [Sysname-if] undo shutdown [Sysname-if] quit # Log in to the web interface of the SecBlade IPS card. The username and password are both admin. Figure 32 Log into the SecBlade IPS card # Configure OAA. Configure the OAA client and the internal interface and test the connectivity to the switch.
  • Page 59 Figure 34 Connectivity test result # Configure security zones. After completing OAA configuration on the SecBlade IPS card and the S12500, you can add any physical ports of the S12500 to a security zone except the internal interface. In this example, create internal security zone Inside and add GigabitEthernet 4/0/1 and...
  • Page 60: Spe-Ips-200 Card Configuration

    SecBlade IPS card through its 10GE interface. After processing the traffic, the SecBlade IPS card sends the traffic back to the router through its internal 10GE interface, and the router forwards the traffic. The detailed data forwarding process is as follows.
  • Page 61 Disabled by default. To do: Set the SNMP version. Use the command: snmp-agent sys-info { contact sys-contact | location sys-location | version { all | { v1 | v2c | v3 }* } }. Remarks: Required. The SecBlade IPS card supports only SNMPv3. By default, SNMPv3 applies.
  • Page 62 Create security zones and add the interfaces of the router to the security zones. Create a segment and add the internal zone and the external zone to the segment. Table 4 Follow these steps to configure the SecBlade IPS card: To do... Use the command... Remarks...
  • Page 63 ... zone. The internal interface connects to the router. Displaying the configuration Use the following command in any view of the SecBlade IPS card to view the forwarding information of the internal 10GE interface: To do... Use the command... Display the running status and forwarding...
  • Page 64: Configuration Example

    38, the router has one SRPU inserted in slot 0, two switching boards inserted in slots 3 and 4, and one SecBlade IPS card inserted in slot 5. The router uses GigabitEthernet 3/0/0 to connect to the internal network, uses GigabitEthernet 3/0/1 to connect to the external network, and uses its internal interface Ten-GigabitEthernet 5/0/0 to connect to the SecBlade IPS card’s internal interface...
  • Page 65 [Sysname-if] ip address 192.168.0.11 255.255.255.0 [Sysname-if] undo shutdown [Sysname-if] quit # Log in to the web interface of the SecBlade IPS card. The username and password are both admin. Figure 39 Log into the SecBlade IPS card # Configure OAA. Configure the OAA client and the internal interface and test the connectivity between the OAA ...
  • Page 66 Figure 41 Connectivity test result # Configure security zones. After completing OAA configuration on the SecBlade IPS card and the router, you can add any physical ports of the router except the internal interface to a security zone. In this example, create internal security zone Inside and add GigabitEthernet 3/0/0 to the internal zone,...
  • Page 67: Im-Ips Card Configuration

    SecBlade IPS card through its 10GE interface. After processing the traffic, the SecBlade IPS card sends the traffic back to the router through its internal 10GE interface, and the router forwards the traffic. The detailed data forwarding process is as follows.
  • Page 68: Configuration Procedure

    Disabled by default. To do: Set the SNMP version. Use the command: snmp-agent sys-info { contact sys-contact | location sys-location | version { all | { v1 | v2c | v3 }* } }. Remarks: Required. The SecBlade IPS card supports only SNMPv3. By default, SNMPv3 applies.
  • Page 69 To do: Enter the view of the 10GE interface connected to the SecBlade IPS card. Use the command: interface Ten-GigabitEthernet interface-number. Remarks: Required. To do: Configure the link type of the interface as trunk. Use the command: port link-type { access | hybrid | trunk }. Remarks: Required. By default, the link type of an interface is access.
  • Page 70 Create security zones and add the interfaces of the router to the security zones. Create a segment and add the internal zone and the external zone to the segment. Table 6 Follow these steps to configure the SecBlade IPS card: To do... Use the command... Remarks...
  • Page 71: Configuration Example

    ... to the external zone. The internal interface connects to the router. Displaying the configuration Use the following command in any view of the SecBlade IPS card to view the forwarding information of the internal 10GE interface: To do... Use the command...
  • Page 72 Configure the router # Configure the H3C new MIB style. With this style, the sysOID and the private MIB are both under H3C enterprise ID 25506. You need to reboot the router to validate the configuration (you can reboot the router after completing all configurations).
  • Page 73 [Sysname-if]ip address 192.168.0.11 255.255.255.0 [Sysname-if] undo shutdown [Sysname-if] quit # Log in to the web interface of the SecBlade IPS card. The username and password are both admin. Figure 46 Log in to the SecBlade IPS card # Configure OAA.
  • Page 74 Figure 48 Connectivity test result # Configure security zones. After completing OAA configuration on the SecBlade IPS card and the router, you can add any physical ports of the router except the internal interface to a security zone. In this example, create internal security zone Inside and add GigabitEthernet 1/0/1 and GigabitEthernet...
  • Page 75 Figure 49 Create a security zone # Configure a segment. Figure 50 Create a segment Figure 51 Configure the segment...
  • Page 76: Appendix-Oaa Configuration

    Appendix-OAA Configuration NOTE: The OAA client and the OAA server mentioned in the following configuration procedure and configuration examples indicate the ACFP client and the ACFP server in the OAA architecture. Overview Basic data communication networks comprise routers and switches, which forward data packets. As data networks develop, more and more services run on them.
  • Page 77: Oaa Collaboration

    Interface-connecting component: It connects the interface of the routing/switching component to that of the independent service component, allowing the devices of two manufacturers to be interconnected. OAA Collaboration OAA collaboration means that the independent service component can send instructions to the routing/switching component to change its functions.
  • Page 78 Figure 53 OAA configuration Table 8 describes OAA client configuration items. Table 8 OAA client configuration items (Item / Description): ACFP Client: Specify whether to enable the ACFP client. The ACFP client is enabled by default. Username: Set the username of the OAA client. The username should be the same as the related SNMP configuration on the OAA server.
  • Page 79: Oaa Configuration Example

    OAA Configuration Example Network requirements The intranet is interconnected to the Internet through Device B, which acts as the ACFP server. Device A is connected to Device B to control the traffic on Device B and analyze the traffic from the ...
  • Page 80 Figure 55 OAA configuration Type v3user as the username. Type 192.168.1.1 as the IP address of the OAA server. Type 100 as the VLAN ID. Type 192.168.1.2 as the IP address. Type 255.255.255.0 as the subnet mask. Click Apply.
  • Page 81 Add interface GigabitEthernet 4/0/1. Click Apply. # Add an external security zone. Click Add. Type zone2 as the name. Add interface GigabitEthernet 4/0/2. Click Apply. # Add segment 0. Select System Management > Network Management > Segment Configuration, and click Add Segment, as shown in Figure 58.
  • Page 82 Figure 60 Rule management Figure 61 Add a rule Select URL Filter Policy from the Policy drop-down list. Type rule1 as the name. ...
  • Page 83 Type filter www.abc.com as the description. Select the By fixed string check box and type www.abc.com. Select Any time from the Time Table drop-down list, and Block from the Action Set drop-down list. Click Apply. # Add a policy application. Select URL Filtering > ...
  • Page 84 Figure 64 Activate the configuration...
  • Page 85 Index Configuring OAA Client Feature List IM-IPS Card Configuration Introduction to the Manual Introduction LSB1IPS1A0 Card Configuration LSQ1IPSSC0 Card Configuration (Only for the S7500E Switch and Supporting OAA Configuration) LSR1IPS1A1 Card Configuration LST1IPS1A1 Card Configuration LSWM1IPS10 Card Configuration Main Characteristics Main Functions OAA Configuration Example Overview...
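The switch- and router-side SNMP steps summarised above (pages 18, 26, 44, 53, 61 and 68) make two security-relevant statements: the SecBlade IPS card supports only SNMPv3, and an SNMPv3 group created with snmp-agent group v3 but without the authentication or privacy keyword uses no authentication. The following Python is an added example, not code from the manual or from Comware. It audits a Comware-style configuration text for exactly those two settings so the noAuthNoPriv default the manual warns about does not survive into production. The configuration samples are constructed for the example, and the group and view names (oaagroup, oaaview) are placeholders.

```python
"""Audit a Comware-style running configuration for the SNMP settings that the
SecBlade IPS card's OAA (ACFP) link relies on.

Added example; not code from the H3C manual or from Comware. It inspects only
the two commands the manual's procedure tables show on the switch/router:

    snmp-agent sys-info version { all | { v1 | v2c | v3 }* }
    snmp-agent group v3 group-name [ authentication | privacy ] ...

The manual states that the card supports only SNMPv3 (v3 is also the default
version) and that a v3 group created without 'authentication' or 'privacy'
uses no authentication. The audit therefore flags v1/v2c being enabled and
v3 groups left at noAuthNoPriv or authNoPriv. The configuration text below is
constructed for the example; oaagroup/oaaview are placeholder names.
"""
import re

# Constructed sample: SNMPv1/v2c enabled alongside v3, and the OAA group
# created with neither 'authentication' nor 'privacy' (the manual's default).
WEAK_CONFIG = """\
#
 snmp-agent sys-info version all
 snmp-agent group v3 oaagroup read-view oaaview write-view oaaview
#
"""

# Constructed sample: v3 only (the default), and the group requires authPriv.
HARDENED_CONFIG = """\
#
 snmp-agent sys-info version v3
 snmp-agent group v3 oaagroup privacy read-view oaaview write-view oaaview
#
"""

VERSION_RE = re.compile(r"^\s*snmp-agent sys-info version\s+(.+?)\s*$")
GROUP_RE = re.compile(
    r"^\s*snmp-agent group v3\s+(\S+)(?:\s+(authentication|privacy))?(?:\s|$)"
)


def audit_snmp(config: str) -> list:
    """Return findings as (severity, message) tuples; an empty list means clean."""
    findings = []
    versions = set()
    for line in config.splitlines():
        m = VERSION_RE.match(line)
        if m:
            # 'version all' or any combination of v1 / v2c / v3 tokens.
            versions.update(m.group(1).split())
            continue
        m = GROUP_RE.match(line)
        if m:
            group, level = m.group(1), m.group(2)
            if level is None:
                findings.append(("high", f"SNMPv3 group {group} uses noAuthNoPriv: "
                                 "requests are neither authenticated nor encrypted"))
            elif level == "authentication":
                findings.append(("medium", f"SNMPv3 group {group} uses authNoPriv: "
                                 "authenticated but sent in clear text"))
    # The card needs only v3; v1/v2c community-string access is extra exposure.
    legacy = sorted(v for v in versions if v in ("v1", "v2c"))
    if "all" in versions:
        legacy = ["v1", "v2c"]
    if legacy:
        findings.append(("high", "SNMP " + "/".join(legacy) + " enabled; the IPS card "
                         "needs only v3, so community-string access adds exposure"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_snmp(cfg) or "no findings")
```

Run it against the output of display current-configuration saved to a file; a clean result means the group carries privacy and no legacy SNMP version is enabled, which is the configuration to pair with the matching v3 username entered on the card's OAA client page.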
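The OAA configuration example (page 83) blocks www.abc.com with a rule of type By fixed string, and the Main Functions page (page 10) notes that URL filtering rules also support regular expressions. The following Python is an added example, not the SecBlade IPS implementation: it models both rule kinds to show what a fixed-string rule catches and misses compared with a host-anchored regular expression. How the card actually matches a fixed string (assumed here to be a substring test on the whole URL), its default when no rule matches (assumed Permit), the second rule and all URLs are assumptions constructed for the example.

```python
"""Model of the two URL filter rule kinds the manual names, 'By fixed string'
and regular expression, applied to a set of URLs.

Added example, not the SecBlade IPS implementation. The manual shows a fixed
string rule for www.abc.com with action Block and says rules may use regular
expressions; how the card matches a fixed string (assumed here: substring of
the whole URL), what happens when nothing matches (assumed: Permit), rule2 and
the URLs are all constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    kind: str      # "fixed" or "regex"
    pattern: str
    action: str    # "Block" or "Permit"


def matches(rule: Rule, url: str) -> bool:
    """Return True if the rule matches the URL under this example's semantics."""
    if rule.kind == "fixed":
        # Assumption: a fixed-string rule is a case-sensitive substring test.
        return rule.pattern in url
    if rule.kind == "regex":
        # Regular expressions are applied to the whole URL, case-insensitively.
        return re.search(rule.pattern, url, re.IGNORECASE) is not None
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def decide(rules, url: str, default: str = "Permit"):
    """First matching rule wins; return (action, name of the rule or None)."""
    for rule in rules:
        if matches(rule, url):
            return rule.action, rule.name
    return default, None


# rule1 as the manual's example configures it: fixed string www.abc.com, Block.
FIXED_RULE = Rule("rule1", "fixed", "www.abc.com", "Block")

# rule2 (hypothetical): a regex anchored on the host part of the URL, so it
# covers abc.com and every subdomain, any port and path, and nothing else.
# Userinfo before '@' is skipped so "www.abc.com@evil.example" is not a match.
HOST_ANCHORED = (
    r"^https?://(?:[^/@]+@)?"          # scheme, optional userinfo
    r"(?:[a-z0-9-]+\.)*abc\.com"       # abc.com or a subdomain of it
    r"(?::\d+)?(?:[/?#]|$)"            # optional port, then end of host
)
REGEX_RULE = Rule("rule2", "regex", HOST_ANCHORED, "Block")

# Constructed URLs: the intended target, two that slip past the fixed rule,
# and three look-alikes the fixed rule blocks although the host is different.
SAMPLE_URLS = [
    "http://www.abc.com/news",
    "http://abc.com/",
    "https://mail.abc.com:8443/inbox",
    "http://www.abc.com.evil.example/",
    "http://evil.example/?next=www.abc.com",
    "http://www.abc.com@evil.example/",
]


def compare(urls=SAMPLE_URLS):
    """Map each URL to (decision under rule1, decision under rule2)."""
    return {u: (decide([FIXED_RULE], u)[0], decide([REGEX_RULE], u)[0]) for u in urls}


if __name__ == "__main__":
    for url, (fixed, regex) in compare().items():
        print(f"{url:42} fixed={fixed:6} regex={regex}")
```

The fixed-string rule both under-blocks (abc.com without the www prefix, or a different subdomain and port, is permitted) and over-blocks (any URL that merely contains the string, including a query parameter or a userinfo part, is blocked). When a rule is meant to cover a site rather than one literal URL, a regular expression anchored on the host component expresses the intent exactly; verify the card's own matching behaviour against a test URL before relying on either form.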
