HP A-F1000-E Getting Started Manual

HP High-End Firewalls
Getting Started Guide
Part number: 5998-2626
Software version: A-F1000-E/Firewall module: R3166P13
A-F5000-A5: R3206P14
Document version: 6PW100-20110909

  Summary of Contents for HP A-F1000-E

  • Page 1 HP High-End Firewalls Getting Started Guide Part number: 5998-2626 Software version: A-F1000-E/Firewall module: R3166P13 A-F5000-A5: R3206P14 Document version: 6PW100-20110909...
  • Page 2 The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an...
  • Page 3: Table Of Contents

    Contents
    Overview ···· 1
    Product overview ···· 1
    Firewall A-F1000-E ···· 1
    Firewall A-F5000 ···· 2
    HP firewall modules ···· 2
    Application scenarios ···· 4
    A-F1000-E application ···· 4
    A-F5000 application ···· 5
    Firewall module application ···· 6
    Login methods ···· 7
    Login methods ···· 7
    User interface overview ···· 8
    Users and user interfaces ···· 9
    Numbering user interfaces ···· 9
    CLI login ···· 10...
  • Page 4

    Configuration requirements ···· 44
    Login procedure ···· 44
    Modem login authentication modes ···· 48
    Configuring none authentication for modem login ···· 48
    Configuring password authentication for modem login ···· 50
    Configuring scheme authentication for modem login ···· 51
    Configuring common settings for modem login (optional) ···· 53
    Displaying and maintaining CLI login ···· ...
  • Page 5

    Enabling the display of copyright information ···· 96
    Configuring banners ···· 96
    Introduction to banners ···· 96
    Configuring banners ···· 97
    Configuring the maximum number of concurrent users ···· 98
    Configuring the exception handling method ···· 98
    Rebooting the firewall ···· 99
    Rebooting the firewall in the CLI ···· 99
    Configuring a scheduled task ···· 100
    What is a scheduled task ···· 100
    Configuration approaches ···· 100...
  • Page 6

    Switching user privilege level ···· 133
    Modifying the level of a command ···· 134
    Saving the current configuration ···· 134
    Displaying and maintaining CLI ···· 134
    Support and other resources ···· 135
    Contacting HP ···· 135
    Subscription service ···· 135
    Related information ···· 135
    Documents ···· 135
    Websites ···· 135
    Conventions ···· 136...
  • Page 7: Overview

    • Product overview • Application scenarios. Product overview. Firewall A-F1000-E. The HP A-F1000-E firewall (hereinafter referred to as the A-F1000-E) is designed for large- and medium-sized networks. It supports the following functions: • Traditional firewall functions • Virtual firewall, security zone, attack protection, URL filtering • Application Specific Packet Filter (ASPF), which can monitor connection processes and user...
  • Page 8: Firewall A-F5000

    Figure 1 Appearance of the A-F1000-E. Firewall A-F5000. The HP A-F5000 firewall (hereinafter referred to as the A-F5000) provides security protection for large enterprises, carriers, and data centers. It adopts multi-core multi-threaded and ASIC processors to construct a distributed architecture, which allows for the separation of the system management and service processing, making it a firewall that has the highest, distributed security processing capability.
  • Page 9 A firewall module provides two GE ports and two GE combo interfaces. It is connected to the main network device through the internal 10GE port. The HP main network device’s rear card has the line-speed forwarding capability, ensuring fast data forwarding with the firewall module. The firewall modules are equipped with dedicated, multi-core processors and high-speed caches.
  • Page 10: Application Scenarios

    The firewall modules also have similar software functions to the A-F1000-E. You can regard a firewall module as an A-F1000-E firewall that is connected to the main network device through their 10 GE ports. The difference lies in that the A-F1000-E firewall uses physical ports to forward data, and the firewall module uses logical interfaces (subinterfaces and VLAN interfaces) of the 10 GE port to forward data.
  • Page 11: A-F5000 Application

    Figure 6 Network diagram for the A-F1000-E application. A-F5000 application. Large data centers are usually connected to the 10G core network through 10G Ethernet. The A-F5000 firewall has a 10G processing capability and abundant port features. It can be deployed at the egress of a network to protect the internal network.
  • Page 12: Firewall Module Application

    Firewall module application Firewall modules work with the main network devices (such as A5800/A7500/A9500/A12500 switches and A6600/A8800 routers). Deployed at the egress of a network, the firewall modules can protect against external attacks and implement security access control of the internal network by using security zones.
  • Page 13: Login Methods

    • Login through the web interface • NMS login. In addition to these login methods, HP firewall modules also support login from the network device (a switch or router) that accommodates the firewall module. Table 1 Login methods: Login method...
  • Page 14: User Interface Overview

    Login method | Default state
    Logging in through modems | By default, you can log in to a device through modems. The default user privilege level of modem login users is 3.
    Logging in through web | By default, you can log in to a device through web. If the web function is disabled, you need to log in to the device through the console port, and complete the following configuration: •...
  • Page 15: Users And User Interfaces

    • VTY (virtual type terminal) user interface: Used to manage and monitor users that log in via VTY. A VTY port is a logical terminal line used for Telnet or SSH access. Users and user interfaces. Only one user can use a user interface at a time. The configuration made in a user interface view applies to any login user.
  • Page 16: Cli Login

    CLI login Overview The CLI enables you to interact with a device by typing text commands. At the CLI, you can instruct your device to perform a given task by typing a text command and then pressing Enter to submit it to your device.
  • Page 17: Login Procedure

    Setting Default Stop bits Data bits Login procedure As shown in Figure 9, use the console cable shipped with the device to connect the PC and the device. Plug the DB-9 connector of the console cable into the serial port of the PC, and plug the RJ-45 connector into the console port of your device.
  • Page 18 Figure 10 Connection description Figure 11 Specify the serial port used to establish the connection...
  • Page 19 Figure 12 Set the properties of the serial port. Turn on the device. You are prompted to press Enter if the device successfully completes the power-on self test (POST). A prompt such as <HP> appears after you press Enter, as shown in Figure 13. Figure 13 Configuration page. Execute commands to configure the device or check the running status of the device.
  • Page 20: Console Login Authentication Modes

    Console login authentication modes. The following authentication modes are available for console port login: none, password, and scheme. • none—Requires no username and password at the next login through the console port. This mode is insecure. • password—Requires password authentication at the next login through the console port. Keep your password.
  • Page 21: Configuring Password Authentication For Console Login

    (optional).” After the configuration, the next time you log in to the device through the console port, you are prompted to press Enter. A prompt such as <HP> appears after you press Enter, as shown in Figure 14. Figure 14 Configuration page...
  • Page 22: Configuring Scheme Authentication For Console Login

    (optional).” When you log in to the device through the console port after configuration, you are prompted to enter a login password. A prompt such as <HP> appears after you input the password and press Enter, as shown in Figure 15. Figure 15 Configuration page...
  • Page 23 By default, you can log in to the device through the console port without authentication and have user privilege level 3 after login. For information about logging in to the device with the default configuration, see “Configuration requirements.” Configuration procedure. Follow these steps to configure scheme authentication for console login: To do…...
  • Page 24 After the configuration, when you log in to the device through the console port, you are prompted to enter a login username and password. A prompt such as <HP> appears after you input the password and username and press Enter, as shown in...
  • Page 25: Configuring Common Settings For Console Login (Optional)

    Figure 16 Configuration page. Configuring common settings for console login (optional). Follow these steps to configure common settings for console port login:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enable display of copyright information | copyright-info enable | Optional. Enabled by default.
  • Page 26

    Configure the terminal type | terminal type | Optional. By default, the terminal display type is ANSI. The device supports two types of terminal display: ANSI and VT100. HP recommends you to set the display type of both the device and the client to VT100.
  • Page 27: Logging In Through Telnet

    CAUTION: The common settings configured for console login take effect immediately. If you configure the common settings after you log in through the console port, the current connection may be interrupted, so you should use another login method. After you configure common settings for console login, you need to modify the settings on the terminal to make them consistent with those on the device.
  • Page 28: Configuring None Authentication For Telnet Login

    • scheme—Requires username and password authentication at the next login through Telnet. Authentication falls into local authentication and remote authentication. To use local authentication, configure a local user and related parameters. To use remote authentication, configure the username and password on the remote authentication server. Keep your username and password. The following table lists Telnet login configurations for different authentication modes.
  • Page 29: Configuring Password Authentication For Telnet Login

    To do… | Use the command… | Remarks
    Specify the none authentication mode | authentication-mode none | Required. By default, authentication mode for VTY user interfaces is scheme.
    Configure the command level for login users on the current user interfaces | user privilege level level | Required. By default, the default command level is 0 for VTY user interfaces.
  • Page 30: Configuring Scheme Authentication For Telnet Login

    (optional).” When you log in to the device through Telnet again, perform the following steps: • You are required to enter the login password. A prompt such as <HP> appears after you enter the correct password and press Enter, as shown in Figure •...
  • Page 31 By default, you can log in to the device through the console port without authentication and have user privilege level 3 after login. For information about logging in to the device with the default configuration, see “Configuration requirements.” Configuration procedure. Follow these steps to configure scheme authentication for Telnet login: To do…...
  • Page 32 RADIUS or HWTACACS server. When you log in to the device through Telnet again: • You are required to enter the login username and password. A prompt such as <HP> appears after you enter the correct username (for example, admin) and password and press Enter, as shown in Figure •...
  • Page 33: Configuring Common Settings For Vty User Interfaces (Optional)

    • If “All user interfaces are used, please try later!” is displayed, it means the current login users exceed the maximum number. Please try later. Figure 20 Configuration page. Configuring common settings for VTY user interfaces (optional). Follow these steps to configure common settings for VTY user interfaces: To do…...
  • Page 34

    To do… | Use the command… | Remarks
    Enable the terminal shell service | | Optional. Enabled by default.
    Enable the current user interface(s) to support either Telnet, SSH, or both of them | protocol inbound { all | ssh | telnet } | Optional. By default, both protocols are supported. The configuration takes effect next time you log in.
  • Page 35: Configuring The Device To Log In To A Telnet Server As A Telnet Client

    Configuring the device to log in to a Telnet server as a Telnet client Configuration prerequisites You have logged in to the device. By default, you can log in to the device through the console port without authentication and have user privilege level 3 after login.
  • Page 36: Configuring The Ssh Server

    Figure 22 SSH login diagram (diagram labels: IP network, Telnet client, Telnet server). The following table shows the configuration requirements of SSH login.
    Object | Requirements
    SSH server | Configure the IP address of the management Ethernet interface, and make sure the SSH server and client can reach each other. (By default, the IP address of the management Ethernet interface is 192.168.0.1/24.) Configure the authentication mode and other settings.
  • Page 37

    To do… | Use the command… | Remarks
    Enter one or more VTY user interface views | user-interface vty first-number [ last-number ] | —
    Specify the scheme authentication mode | authentication-mode scheme | Required. By default, authentication mode for VTY user interfaces is scheme.
    Enable the current user interface to support either Telnet, SSH, or both... | protocol inbound { all | ... | Optional
  • Page 38: Configuring The Ssh Client To Log In To The Ssh Server

    To do… | Use the command… | Remarks
    Specify the command level of the local user | authorization-attribute level level | Optional. By default, the command level is 0.
    Specify the service type for the local user | service-type ssh | Required. By default, no service type is specified.
    Return to system view | quit | —...
  • Page 39: Logging In Through The Aux Port

    Figure 23 Log in to another device from the current device NOTE: If the SSH client and the SSH server are not in the same subnet, make sure that the two devices can reach each other. Configuration procedure Follow these steps to configure the SSH client to log in to the SSH server: To do…...
  • Page 40: Aux Login Authentication Modes

    AUX login authentication modes NOTE: By default, password authentication is adopted for AUX port login. The following authentication modes are available for AUX port login: none, password, and scheme. • none—Requires no username and password at the next login through the AUX port. This mode is insecure.
  • Page 41: Configuring None Authentication For Aux Login

    (optional)." After the configuration, the next time you log in to the device through the AUX port, you are prompted to press Enter. A prompt such as <HP> appears after you press Enter, as shown in Figure 25. Figure 25 Configuration page...
  • Page 42: Configuring Scheme Authentication For Aux Login

    After the configuration, next time you log in to the device through the AUX port, you are prompted to enter a login password. A prompt such as <HP> appears after you input the password and press Enter, as shown in...
  • Page 43 By default, you can log in to the device through the AUX port with password authentication and have user privilege level 0 after login. For information about logging in to the device with the default configuration, see “Configuration requirements.” Configuration procedure. Follow these steps to configure scheme authentication for AUX login: To do…...
  • Page 44 RADIUS or HWTACACS server. After the configuration, when you log in to the device through the AUX port, you are prompted to enter a login password. A prompt such as <HP> appears after you input the password and press Enter, as shown in...
  • Page 45: Configuring Common Settings For Aux Login (Optional)

    Figure 27 Configuration page. Configuring common settings for AUX login (optional). Follow these steps to configure common settings for AUX login:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enable display of copyright information | copyright-info enable | Optional. Enabled by default.
  • Page 46 By default, the terminal display type is ANSI. The device supports two types of terminal display: ANSI and VT100. HP recommends you to set the display type of both the device and the client to VT100. If the device and the...
  • Page 47: Configuration Requirements

    Configuration requirements. The following table shows the configuration requirements of AUX login.
    Object | Requirements
    Device | Configure the authentication mode. For more information, see “Configuring none authentication for AUX login,” “Configuring password authentication for AUX login,” and “Configuring scheme authentication for AUX login.”...
  • Page 48 Figure 29 Connection description Figure 30 Specify the serial port used to establish the connection...
  • Page 49 Figure 31 Set the properties of the serial port. Turn on the device. You are prompted to enter the login password if the device successfully completes the power-on self test (POST). A prompt such as <HP> appears after you press Enter, as shown in...
  • Page 50: Logging In Through Modems

    Logging in through modems Introduction The administrator can use two modems to remotely maintain a switch through its AUX port over the Public Switched Telephone Network (PSTN) when the IP network connection is broken. Configuration requirements By default, no authentication is needed when you log in through modems, and the default user privilege level is 3.
  • Page 51 CAUTION: Note the following device settings: • The baud rate of the AUX port is lower than the transmission rate of the modem. Otherwise, packets may be lost. • The parity check mode, stop bits, and data bits of the AUX port adopt the default settings. •...
  • Page 52 Figure 34 Connection Description Figure 35 Enter the phone number...
  • Page 53 Figure 36 Dial the number Character string CONNECT9600 is displayed on the terminal. Then a prompt such as <HP> appears when you press Enter. Figure 37 Configuration page Execute commands to configure the device or check the running status of the device. To get help, type ?.
  • Page 54: Modem Login Authentication Modes

    Modem login authentication modes. The following authentication modes are available for modem dial-in login: none, password, and scheme. • none—Requires no username and password at the next login through modems. This mode is insecure. • password—Requires password authentication at the next login through the console port. Keep your password.
  • Page 55 VTY user interfaces (optional).” After the configuration, when you log in to the device through modems, you are prompted to press Enter. A prompt such as <HP> appears after you press Enter, as shown in Figure 38. Figure 38 Configuration page...
  • Page 56: Configuring Password Authentication For Modem Login

    VTY user interfaces (optional).” After the configuration, when you log in to the device through modems, you are prompted to enter a login password. A prompt such as <HP> appears after you input the password and press Enter, as shown in Figure...
  • Page 57: Configuring Scheme Authentication For Modem Login

    Figure 39 Configuration page. Configuring scheme authentication for modem login. Configuration prerequisites. You have logged in to the device. By default, you can log in to the device through the console port without authentication and have user privilege level 3 after login. For information about logging in to the device with the default configuration, see “Configuration requirements.”...
  • Page 58

    To do… | Use the command… | Remarks
    Enable command authorization | command authorization | Optional. • By default, command authorization is not enabled. • By default, command level for a login user depends on the user privilege level. The user is authorized the command with the default level not higher than the user privilege level. With the command authorization...
  • Page 59: Configuring Common Settings For Modem Login (Optional)

    After the configuration, when you log in to the device through modems, you are prompted to enter a login username and password. A prompt such as <HP> appears after you input the password and username and press Enter, as shown in...
  • Page 60

    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enable display of copyright information | copyright-info enable | Optional. Enabled by default.
    Enter one or more AUX user interface views | user-interface aux first-number [ last-number ] | —
    Configure the … | … | Optional. By default, the baud rate is 9600 bps.
  • Page 61

    Configure the … | … | Optional. By default, the terminal display type is ANSI. The device supports two types of terminal display: ANSI and VT100. HP recommends you to set the display type of both the device and the client to VT100. If the device and the client use...
  • Page 62: Displaying And Maintaining Cli Login

    CAUTION: The common settings configured for AUX login take effect immediately. • If you configure the common settings after you log in through the AUX port, the current connection may be interrupted, so you should use another login method. • After you configure common settings for AUX login, you need to modify the settings on the terminal to make them consistent with those on the device.
  • Page 63: Web Login

    • If you log in to the device through the web interface after the software version of the device changes, HP recommends you to delete the temporary Internet files on IE; otherwise, the web page content may not be displayed correctly.
  • Page 64: Modifying The Default Web Login Information

    [HP-hidecmd] zone add interface GigabitEthernet0/1 to management Configuring the web login function If the web function is disabled, log in to the device via the console port, and perform the following...
  • Page 65: Configuring Http Login

    • HTTP login—The Hypertext Transfer Protocol (HTTP) is used for transferring web page information across the Internet. It is an application-layer protocol in the TCP/IP protocol suite. The connection-oriented Transport Control Protocol (TCP) is adopted at the transport layer. Currently, the device supports HTTP 1.0.
  • Page 66: Configuring Https Login

    To do… | Use the command… | Remarks
    Specify the Telnet service type for the local user | service-type web | Required. By default, no service type is configured for the local user.
    Exit to system view | quit | —
    Enter management Ethernet interface view | interface interface-type interface-number | Required...
  • Page 67

    To do… | Use the command… | Remarks
    Associate the HTTPS service with a certificate-based attribute access control policy | ip https certificate … | Optional. By default, the HTTPS service is not associated with any certificate-based attribute access control policy. • Associating the HTTPS service with a certificate-based attribute access control policy enables the device to control the access rights of clients.
  • Page 68: Displaying And Maintaining Web Login

    Displaying and maintaining web login
    To do… | Use the command… | Remarks
    Display information about web users | display web users | Available in any view
    Display HTTP state information | display ip http | Available in any view
    Display HTTPS state information | display ip https | Available in any view
    Web login example. HTTP login example...
  • Page 69: Https Login Example

    Figure 43 Web login page # Type the user name, password, verify code, select English, and click Login. The homepage appears. After login, you can configure device settings through the web interface. HTTPS login example Network requirements As shown in Figure 44, to prevent unauthorized users from accessing the Device, configure HTTPS login as follows:...
  • Page 70 Figure 44 Network diagram for configuring HTTPS login (diagram label: Firewall). Configuration procedure. Configure the Firewall that acts as the HTTPS server. # Configure a PKI entity, configure the common name of the entity as http-server1, and the FQDN of the entity as ssl.security.com. <Firewall> system-view [Firewall] pki entity en [Firewall-pki-entity-en] common-name http-server1...
  • Page 71: Troubleshooting Web Login Problems

    [Firewall-pki-cert-attribute-group-mygroup1] quit # Create a certificate attribute-based access control policy myacp. Configure a certificate attribute-based access control rule, specifying that a certificate is considered valid when it matches an attribute rule in certificate attribute group myacp. [Firewall] pki certificate access-control-policy myacp [Firewall-pki-cert-acp-myacp] rule 1 permit mygroup1 [Firewall-pki-cert-acp-myacp] quit # Associate the HTTPS service with SSL server policy myssl.
  • Page 72 Solution for Microsoft Internet Explorer. • Open the Internet Explorer, and select Tools > Internet Options. • Click the Security tab, and select a Web content zone to specify its security settings, as shown in Figure 45. Figure 45 Internet Explorer setting (I) •...
  • Page 73 Figure 46 Internet Explorer setting (II). • Click OK in the Security Settings dialog box. Solution for Mozilla Firefox. • Open the Firefox Web browser, and then select Tools > Options. • Click the Content tab, select the Enable JavaScript check box, and click OK. •...
  • Page 74 Figure 47 Firefox web browser setting...
  • Page 75: Nms Login

    NMS login NMS login overview A Network Management Station (NMS) runs the SNMP client software. It offers a user-friendly interface to facilitate network management. An agent is a program that resides in the device. It receives and handles requests from the NMS. An NMS is a manager in an SNMP enabled network, whereas agents are managed by the NMS.
  • Page 76: Configuring Nms Login

    Configuring NMS login Connect the Ethernet port of the PC to the management Ethernet interface of the firewall module over an IP network, as shown in Figure 48. Make sure the PC and the firewall module can reach each other. Figure 48 Network diagram for configuring NMS login Follow these steps to configure SNMPv3 settings: To do…...
  • Page 77: Nms Login Example

    To do… | Use the command… | Remarks
    Configure an SNMP community directly | snmp-agent community { read | write } community-name [ acl acl-number ] | Required. Use either approach. The direct configuration approach is for SNMPv1 or SNMPv2c. SNMPv1 and SNMPv2c community strings travel in cleartext, so restrict them with the acl option and prefer SNMPv3 where the NMS supports it.
    Configure... | snmp-agent group { v1 | v2c } group-name...
  • Page 78 Figure 49 IMC login page Type the username and password, and then click Login. The IMC homepage appears, as shown in Figure Figure 50 IMC homepage Log in to the IMC and configure SNMP settings for the IMC to find the device. After the device is found, you can manage and maintain the device through the IMC.
  • Page 79: Logging In To The Firewall Module From The Network Device

    Configure the user privilege level | user privilege level level | Required. 0 by default. HP recommends you to set it to 3.
    Logging in to the firewall module
    Use the following command to log in to the firewall module. After login, the terminal screen displays the CLI of the firewall module.
  • Page 80: Monitoring And Managing The Firewall Module On The Network Device

    Configuring the ACSEI protocol Introduction to ACSEI ACSEI is an HP-proprietary protocol. It provides a method for exchanging information between ACFP clients and ACFP server so that the ACFP server and clients can cooperate to run a service. As a supporting protocol of ACFP, ACSEI also has two entities: server and client.
  • Page 81 An ACSEI server can register multiple ACSEI clients. ACSEI timers: An ACSEI server uses two timers, the clock synchronization timer and the monitoring timer.
    • The clock synchronization timer is used to periodically trigger the ACSEI server to send clock synchronization advertisements to ACSEI clients.
  • Page 82: Example For Monitoring And Managing The Firewall Module From The Network Device

    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enter interface view | interface interface-type interface-number | —
    Enable the ACSEI client | acsei-client enable | Required. Disabled by default.
    NOTE: The Comware platform can run only one ACSEI client, that is, the ACSEI client can be enabled on only one interface at a time.
  • Page 83 Network diagram Figure 51 Network diagram for monitoring and managing the firewall module Configuration procedure The following configuration uses a switch as an example. The configuration on a router is the same. Log in to the firewall module from the network device # Configure the AUX user interface of the firewall module.
  • Page 84 Warning: This command may lose the data on the hard disk if the OAP is not being shut down! Continue? [Y/N]:y Reboot OAP by command. The output shows that you can restart the firewall module on the network device. Display the ACSEI server configuration information on the network device. <Switch>...
  • Page 85: Basic Configuration

    Basic configuration
    You can perform the following basic configuration in the web or at the CLI:
    • System name and user password. Modify the system name and the password of the current user. For more information, see the chapters “Device management configuration” and “User management.”
    • Service management.
  • Page 86: Configuring The System Name And User Password

    Figure 52 Basic configuration wizard: 1/6 Configuring the system name and user password Click Next on the first page of the basic configuration wizard to enter the basic information configuration page, as shown in Figure...
  • Page 87: Configuring Service Management

    Figure 53 Basic configuration wizard: 2/6 (basic information)
    Table 2 Basic information configuration items
    Item | Description
    Sysname | Set the system name.
    Modify Current User Password | Specify whether to modify the login password of the current user.
    New Password | To modify the password of the current user, set the new password and the confirm password; the two passwords must be identical.
  • Page 88 Figure 54 Basic configuration wizard: 3/6 (service management)
    Table 3 Service management configuration items
    Item | Description
    FTP | Specify whether to enable FTP on the device. Disabled by default.
    Telnet | Specify whether to enable telnet on the device. Disabled by default.
    HTTP | Specify whether to enable HTTP on the device, and set the HTTP port number. Disabled by default.
    FTP, telnet and HTTP carry credentials in cleartext; leave them disabled unless required and use SSH and HTTPS for management instead.
  • Page 89: Configuring The Ip Address For An Interface

    Item | Description
    HTTPS | Specify whether to enable HTTPS on the device, and set the HTTPS port number. Disabled by default.
    IMPORTANT:
    • If the current user logged in to the web interface through HTTPS, disabling HTTPS or modifying the HTTPS port number will disconnect that user from the device; therefore, perform the operation with caution.
  • Page 90: Configuring Nat

    Table 4 Interface IP address configuration items
    Item | Description
    Set the approach for obtaining the IP address, including:
    • None: The IP address of the interface is not specified, that is, the interface has no IP address.
    • Static Address: Specify the IP address for the interface manually;...
    IMPORTANT:...
  • Page 91: Completing The Configuration Wizard

    Table 5 NAT configuration items
    Item | Description
    Interface | Select an interface on which the NAT configuration will be applied.
    Dynamic NAT | Specify whether to enable dynamic NAT on the interface. If dynamic NAT is enabled, the IP address of the interface is used as the source IP address of matched packets after translation.
  • Page 92 Figure 57 Basic configuration wizard: 6/6 This page lists all configurations you have made in the basic configuration wizard. Confirm the configurations. To modify your configuration, click Prev to go back to the previous page; if no modification is needed, click Finish to execute all configurations.
  • Page 93: Device Management

    Device management
    Device management overview: Device management functions enable you to check the operating status and configure the running parameters of devices.
    Configuring the device name
    NOTE: You can configure the device name in the web interface or the command line interface (CLI).
    Configuring the device name in the web interface: The current system name is on the very top of the navigation tree, as shown in Figure...
  • Page 94: Configuring The System Time

    To do… | Use the command… | Remarks
    Configure the device name | sysname sysname | Optional. The default device name depends on the device model.
    Configuring the system time
    NOTE: The firewall modules synchronize the time with the NTP server (a primary networking device installed...
  • Page 95 Configuring the system time: Select Device Management > System Time from the navigation tree, and you will enter the System Time tab page, as shown in Figure 60. Click the System Time Configuration text to open a calendar, as shown in Figure 61. Figure 61 Calendar page. You can modify the system time either in the System Time Configuration text box, or through the calendar...
  • Page 96 Figure 62 Network time
    Table 6 Network time configuration items
    Item | Description
    Clock status | Displays the synchronization status of the system clock.
    • Set the IP address of the local clock source to 127.127.1.u, where u ranges from 0 to 3, representing the NTP process ID.
    •...
  • Page 97 Item | Description
    Key 1 | Set the NTP authentication key. The NTP authentication feature should be enabled for a system running NTP in a network where there is a high security demand. This feature enhances network security by means of client-server key authentication, which prohibits a client from synchronizing with a device that has failed authentication. The same key ID and key string must be configured on the client and on the server.
  • Page 98: Configuring The System Time In The Cli

    After the above configuration, you can see that the current system time displayed on the System Time page is the same for Device A and Device B. Configuration guidelines • A device can act as a server to synchronize the clock of other devices only after its clock has been synchronized.
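    The key-based check that the NTP authentication feature described above relies on, as an added example that is not part of this guide: a Python model of RFC 5905 symmetric-key authentication, where the MAC appended to an NTP packet is the key identifier followed by MD5 over the key and the packet header. The key ID, key strings and timestamps are constructed for illustration, and the trusted-key dictionaries stand in for the trusted key IDs configured on each device (an assumption of the example; the Comware commands behind the web setting are not shown on this page and are not reproduced here).

```python
"""NTP symmetric-key authentication modelled after RFC 5905 (MD5 over key || header).

Constructed example: key IDs, key strings and timestamps are invented; the trusted-key
table plays the role of the device's configured trusted key IDs (an assumption).
"""
import hashlib
import hmac
import struct
from typing import Dict, Tuple

NTP_HEADER_LEN = 48         # LI/VN/mode through transmit timestamp
MAC_LEN = 4 + 16            # key identifier + MD5 digest


def build_ntp_header(mode: int, transmit_ts: int, stratum: int = 0) -> bytes:
    """Bare NTPv4 header: mode 3 is a client request, mode 4 a server reply."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode   # leap indicator 0, version 4
    return struct.pack("!BBbbIIIQQQQ", li_vn_mode, stratum, 6, -20,
                       0, 0, 0, 0, 0, 0, transmit_ts)


def authenticate(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append the MAC: key identifier followed by MD5(key || header)."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet: bytes, trusted_keys: Dict[int, bytes]) -> bool:
    """Accept only packets whose MAC was produced with a trusted key."""
    if len(packet) < NTP_HEADER_LEN + MAC_LEN:
        return False                         # no MAC at all: reject when authentication is required
    header, mac = packet[:-MAC_LEN], packet[-MAC_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False                         # unknown or untrusted key ID
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, mac[4:])   # constant-time comparison


def exchange(client_keys: Dict[int, bytes], server_keys: Dict[int, bytes],
             key_id: int) -> Tuple[bool, bool]:
    """One request/reply round; returns (server accepted request, client accepted reply)."""
    request = authenticate(build_ntp_header(3, 0xE000000000000000), key_id, client_keys[key_id])
    if not verify(request, server_keys):
        return False, False                  # the server ignores the request
    reply = authenticate(build_ntp_header(4, 0xE000000000000001, stratum=2),
                         key_id, server_keys[key_id])
    return True, verify(reply, client_keys)  # the client synchronizes only if this is True
```

    A client with a key that differs from the server's, or that references a key ID the server does not trust, never gets an acceptable reply, which is the behaviour the table describes as prohibiting synchronization with a device that has failed authentication.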
  • Page 99 Table 7 System time configuration
    Configuration | System time configured | Example
    date-time | "date-time" | Configure: clock datetime 1:00 2007/1/1. System time configured: 01:00:00 UTC Mon 01/01/2007
    zone-offset | The original system time ± "zone-offset" | Configure: clock timezone zone-time add 1. System time configured: 02:00:00 zone-time Sat...
  • Page 100 Configuration | System time configured | Example
    summer-time and date-time | If "date-time" is not in the daylight saving time range, the system time configured is "date-time". | Configure: clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2 and clock datetime 1:00 2008/1/1. System time configured: 01:00:00 UTC Tue 01/01/2008
    "date-time"...
  • Page 101: Setting The Idle Timeout Timer

    Configuration | System time configured | Example
    zone-offset, summer-time and date-time | If "date-time" is not in the daylight saving time range, the system time configured is "date-time". | Configure: clock timezone zone-time add 1, clock summer-time ss one-off 1:00 2008/1/1 1:00 2008/8/8 2 and clock datetime 1:00 2007/1/1. System time configured: 01:00:00 zone-time Mon 01/01/2007
    "date-time"...
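    The rows of Table 7 carried through in code, as an added example that is not from this guide: a Python model of how clock datetime, clock timezone and clock summer-time one-off combine into the displayed system time, using the rules the table states. The example assumes that offsets are written as hh[:mm[:ss]], that the summer-time name is displayed in place of the zone name while summer time is in effect, and that the clock reads 01:00:00 on 2007/1/1 before anything is configured.

```python
"""Model of how clock datetime, clock timezone and clock summer-time one-off combine.

Added illustration of Table 7. Assumptions: offsets are given as hh[:mm[:ss]], the
summer-time name is displayed instead of the zone name while summer time is in effect,
and the clock reads 01:00:00 on 2007/1/1 before anything is configured.
"""
from datetime import datetime, timedelta
from typing import Optional, Tuple


def _parse(time_str: str, date_str: str) -> datetime:
    """Parse the CLI arguments 'HH:MM YYYY/MM/DD'."""
    return datetime.strptime(f"{date_str} {time_str}", "%Y/%m/%d %H:%M")


def _offset(spec: str) -> timedelta:
    """Parse 'hh', 'hh:mm' or 'hh:mm:ss'."""
    parts = [int(p) for p in spec.split(":")] + [0, 0]
    return timedelta(hours=parts[0], minutes=parts[1], seconds=parts[2])


class SystemClock:
    def __init__(self, initial: datetime = datetime(2007, 1, 1, 1, 0, 0)):
        self.standard = initial          # zone time without any summer-time offset
        self.zone_name = "UTC"
        self.summer: Optional[Tuple[str, datetime, datetime, timedelta]] = None

    def clock_datetime(self, time_str: str, date_str: str) -> None:
        """clock datetime time date: "date-time" becomes the standard time of the zone."""
        self.standard = _parse(time_str, date_str)

    def clock_timezone(self, name: str, direction: str, offset: str) -> None:
        """clock timezone zone-name { add | minus } zone-offset: original time +/- offset."""
        delta = _offset(offset)
        self.standard += delta if direction == "add" else -delta
        self.zone_name = name

    def clock_summer_time_one_off(self, name: str, start_time: str, start_date: str,
                                  end_time: str, end_date: str, offset: str) -> None:
        """clock summer-time name one-off start-time start-date end-time end-date offset"""
        self.summer = (name, _parse(start_time, start_date),
                       _parse(end_time, end_date), _offset(offset))

    def display(self) -> str:
        """The system time in the form the Table 7 examples use, e.g. '01:00:00 UTC Mon 01/01/2007'."""
        shown, name = self.standard, self.zone_name
        if self.summer is not None:
            summer_name, start, end, delta = self.summer
            if start <= self.standard < end:          # "date-time" inside the daylight saving range
                shown, name = self.standard + delta, summer_name
        return f"{shown:%H:%M:%S} {name} {shown:%a %m/%d/%Y}"
```

    Running the table's own command sequences through the model reproduces the displayed times the table gives; a date-time that falls inside the one-off range comes out shifted by the summer-time offset, which is the case the table's truncated final row describes.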
  • Page 102: Setting The Idle Timeout Timer In The Cli

    Setting the idle timeout timer in the CLI You can set the idle timeout timer for a logged-in user. After a user logs in to the firewall, if the user does not perform any operation before the timer expires, the firewall automatically tears down the connection to the user.
  • Page 103: Configuring Banners

    • login banner—Login welcome information, displayed when password or scheme authentication is configured.
    • motd (Message of the Day) banner—Welcome information displayed before authentication.
    • legal banner—Also called license information, displayed when a user logs in. If entering Y or pressing the Enter key, the user enters the authentication or login process.
  • Page 104: Configuring The Maximum Number Of Concurrent Users

    Method II—Type a character after the command keywords at the first line, and then press Enter. • Type the banner information, and finish your setting with the character you typed at the first line. The start character and the end character are not part of the banner information. For example, to configure a banner like “Have a nice day.
  • Page 105: Rebooting The Firewall

    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Configure the exception handling method | system-failure { maintain | reboot } | Optional. By default, the system adopts the reboot method to handle exceptions.
    Rebooting the firewall
    Rebooting the firewall in the web interface: Select Device Management >...
  • Page 106: Configuring A Scheduled Task

    Power off and then power on the firewall. This method is also called “hard reboot” or “cold start”. • It will cause data loss and hardware damage. HP does not recommend this method. • Reboot the firewall at the CLI immediately.
  • Page 107 Comparison item | Configuring a scheduled task—approach 1 | Configuring a scheduled task—approach 2
    Applicable range | Small | Large
    Configuration | Simple. Only the schedule job command is involved. | Complex. The job, view, and time commands are involved.
    Can multiple scheduled tasks be configured? Can a task contain... | If you use the schedule job command... | You can use the time command in job...
  • Page 108 Configuring a scheduled task—approach 1
    Follow these steps to configure a scheduled task:
    To do… | Use the command… | Remarks
    Specify a command to be executed at the specified time | schedule job at time [ date ] view view command | Required. Use either command. Available in user view.
    •...
  • Page 109: Scheduled Task Configuration Example

    Scheduled task configuration example
    Network requirements: Configure scheduled tasks on the Firewall to enable interfaces GigabitEthernet 0/1, GigabitEthernet 0/2, and GigabitEthernet 0/3 at 8:00 and disable them at 18:00 on working days every week, to control the access of the PCs connected to these interfaces.
    Figure 67 Network diagram for scheduled task configuration
    Configuration procedure
    # Enter system view.
  • Page 110: Configuring Temperature Alarm Thresholds For A Card

    [Firewall] job pc3
    # Configure the task to be executed in the view of GigabitEthernet 0/3.
    [Firewall-job-pc3] view GigabitEthernet 0/3
    # Configure the Firewall to start GigabitEthernet 0/3 at 8:00 on working days every week.
    [Firewall-job-pc3] time 1 repeating at 8:00 week-day mon tue wed thu fri command undo shutdown
    # Configure the Firewall to shut down GigabitEthernet 0/3 at 18:00 on working days every week.
  • Page 111: Identifying And Diagnosing Pluggable Transceivers

    For this purpose, the system will save the 16-bit index for an interface after the card where the interface resides or the logical interface is removed. If you repeatedly insert and remove different subcards/interface cards or create/delete a large number of logical interfaces, the interface indexes will be used up, and new interfaces cannot be created.
  • Page 112: Identifying A Pluggable Transceiver

    HP interface-number ] by HP only.
    NOTE:
    • A vendor name of HP indicates an HP-customized anti-spoofing transceiver. Use the display transceiver command to verify it.
    • Electrical label information is also called permanent configuration data or archive information, which is...
  • Page 113 To do… | Use the command… | Remarks
    Display the information of the users that have logged in to the device but are not under user view | display configure-user | Available in any view
    Display or save the operation statistics of multiple functional modules | display diagnostic-information | Available in any view
    ...
  • Page 114: User Management

    User management Configuring local users NOTE: The firewall supports configuring local users only in the web interface. Local user overview Local users are a set of user accounts configured on the firewall. A local user is uniquely identified by username. To enable users using a certain network service to pass local authentication, you must add corresponding entries to the local user database on the firewall.
  • Page 115: Local User Configuration Example

    Figure 69 Add a local user
    Table 10 Local user configuration items
    Item | Description
    User Name | Enter a username. A username is case sensitive, and cannot contain any of these characters: “/”, “\”, “:”, “|”, “*”, “?”, “<”, “>”, “@” and “"”. IMPORTANT: A username may contain spaces....
  • Page 116: Configuring User Login Control

    • Type telnet as the username.
    • Select Visitor as the user privilege level.
    • Select Telnet as the service type.
    • Type 123456 as the password (an example value; use a strong password on a production device).
    • Type 123456 as the confirm password.
    • Click Apply.
    Configuring user login control
    NOTE: The firewall supports configuring user login control only in the command line interface (CLI).
  • Page 117 To do… | Use the command… | Remarks
    Configure rules for this ACL | rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ]* | Required
    Exit the basic ACL view | quit | —
    ...
  • Page 118 To do… | Use the command… | Remarks
    Create an Ethernet frame header ACL and enter its view, or enter the view of an existing Ethernet frame header ACL | acl number acl-number [ match-order { config | auto } ] | Required. By default, no advanced ACL exists.
    ...
  • Page 119: Configuring Source Ip-Based Login Control Over Nms Users

    [Firewall-ui-vty0-4] acl 2000 inbound Configuring source IP-based login control over NMS users Administrators can use a network management station (NMS) to remotely log in and manage the Firewall through the Simple Network Management Protocol (SNMP). By using an ACL, you can control SNMP user access to the Firewall.
  • Page 120: Configuring Source Ip-Based Login Control Over Web Users

    Source IP-based login control over NMS users configuration example Network requirements As shown in Figure 72, configure the Firewall to allow only NMS users from Host A and Host B to access. Figure 72 Network diagram for configuring source IP-based login control over NMS users Configuration procedure # Create ACL 2000, and configure rule 1 to permit packets sourced from Host B, and rule 2 to permit packets sourced from Host A.
  • Page 121 To do… | Use the command… | Remarks
    Create a basic ACL and enter its view, or enter the view of an existing basic ACL | acl [ ipv6 ] number acl-number [ match-order { config | auto } ] | Required. By default, no basic ACL exists.
    Configure rules for this ACL | rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard...
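    A way to check an ACL from the Telnet, NMS and web login-control procedures above before applying it with acl inbound or the community acl option, as an added example that is not the firewall's code: a Python model of a basic ACL (2000 to 2999) with wildcard-mask matching and the config and auto match orders. Host addresses are constructed. The model assumes that a source matching no rule is denied and that omitted rule IDs are assigned in steps of 5 starting at 0; check both against the firewall's documented defaults.

```python
"""Model of a Comware basic ACL (numbered 2000 to 2999) used for login control.

Constructed example: host addresses are invented. Assumptions (not from the guide):
a source that matches no rule is denied, and rule IDs that are omitted are assigned
in steps of 5 starting at 0.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RULE_STEP = 5            # assumed default numbering step


def _ip_int(text: str) -> int:
    """Dotted-decimal address or wildcard to an int; the CLI shorthand '0' means 0.0.0.0."""
    return 0 if text == "0" else int(ipaddress.IPv4Address(text))


@dataclass
class Rule:
    rule_id: int
    action: str                     # "permit" or "deny"
    source: Optional[str] = None    # "sour-addr sour-wildcard"; None or "any" matches all

    def _parts(self):
        addr, wild = self.source.split()
        return _ip_int(addr), _ip_int(wild)

    def is_any(self) -> bool:
        return self.source is None or self.source == "any"

    def matches(self, ip: str) -> bool:
        if self.is_any():
            return True
        base, wild = self._parts()
        care = ~wild & 0xFFFFFFFF                 # wildcard bit 0 = bit must match
        return (_ip_int(ip) & care) == (base & care)

    def fixed_bits(self) -> int:
        """Bits that must match; more fixed bits = more specific rule (match-order auto)."""
        if self.is_any():
            return 0
        return 32 - bin(self._parts()[1]).count("1")


@dataclass
class BasicAcl:
    number: int
    match_order: str = "config"     # "config": rule ID order; "auto": depth-first
    rules: List[Rule] = field(default_factory=list)

    def __post_init__(self):
        if not 2000 <= self.number <= 2999:
            raise ValueError("basic ACLs are numbered 2000 to 2999")

    def rule(self, action: str, source: Optional[str] = None,
             rule_id: Optional[int] = None) -> int:
        """rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } ]"""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if rule_id is None:
            last = max((r.rule_id for r in self.rules), default=-1)
            rule_id = 0 if last < 0 else (last // RULE_STEP + 1) * RULE_STEP
        # re-entering an existing rule ID replaces that rule
        self.rules = [r for r in self.rules if r.rule_id != rule_id] + [Rule(rule_id, action, source)]
        return rule_id

    def evaluate(self, ip: str) -> str:
        if self.match_order == "auto":
            ordered = sorted(self.rules, key=lambda r: (-r.fixed_bits(), r.rule_id))
        else:
            ordered = sorted(self.rules, key=lambda r: r.rule_id)
        for r in ordered:
            if r.matches(ip):
                return r.action
        return "deny"               # assumption: a source matching no rule gets no access


def nms_login_control() -> Dict[str, str]:
    """ACL 2000 as in the NMS example: rule 1 permits Host B, rule 2 permits Host A."""
    acl = BasicAcl(2000)
    acl.rule("permit", "10.1.1.2 0", rule_id=1)   # Host B (constructed address)
    acl.rule("permit", "10.1.1.1 0", rule_id=2)   # Host A (constructed address)
    return {ip: acl.evaluate(ip) for ip in ("10.1.1.1", "10.1.1.2", "10.1.1.3")}
```

    The match order matters when a broad deny and a narrow permit overlap: in config order the rule with the lower ID wins, in auto order the rule with the most fixed bits wins, so the same rule set can admit or block the same administrator host depending on the match-order keyword chosen when the ACL was created.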
  • Page 122: Displaying Online Users

    Displaying online users
    NOTE: The firewall supports displaying online users only in the web interface.
    Overview: Online users here refer to users getting online after passing AAA authentication.
    Displaying online users: Select User > Online User from the navigation tree. The online user list appears, as shown in Figure... This list shows all current online users.
  • Page 123: Cli Configuration

    CLI allows you to input more information in one command line. Figure 75 CLI example Entering the CLI HP devices provide multiple methods for entering the CLI, such as through the console port, through Telnet, and through SSH. For more information, see Getting Started Guide. Command conventions Command conventions help you understand command meanings.
  • Page 124: Undo Form Of A Command

    A line starting with the # sign is a comment.
    NOTE: The keywords of HP command lines are case insensitive.
    Take the clock datetime time date command as an example to understand the meaning of the command line parameters according to...
  • Page 125: Entering System View

    CLI views adopt a hierarchical structure, as shown in Figure...
    • After logging in to the device, you are in user view. The prompt of user view is <device name>. In user view, you can perform display, debugging, and file management operations, set the system time, restart your device, and perform FTP and Telnet operations.
  • Page 126: Exiting The Current View

    Exiting the current view The CLI is divided into different command views. Each view has a set of specific commands and defines the effective scope of the commands. The commands available to you at any given time depend on the view you are in.
  • Page 127: Typing Commands

    logging   Send log information to terminal
    monitor   Send information output to current terminal
    trapping  Send trap information to terminal
    If ? is at the position of an argument, the CLI displays a description about this argument. For example:
    <sysname> system-view
    [sysname] interface vlan-interface ?
    <1-4094>...
  • Page 128: Typing Incomplete Keywords

    Function If you press Tab after entering part of a keyword, the system automatically completes the keyword: • If finding a unique match, the system substitutes the complete keyword for the incomplete one and displays it in the next line. •...
  • Page 129: Configuring Cli Hotkeys

    Follow these steps to configure command aliases:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enable the command alias function | command-alias enable | Required. Disabled by default, which means you cannot configure command aliases.
    Configure a command alias | command-alias mapping cmdkey alias | Required. Not configured by default.
  • Page 130: Redisplaying Input But Not Submitted Commands

    Hotkey | Function
    Ctrl+P | Displays the previous command in the history command buffer.
    Ctrl+R | Redisplays the current line information.
    Ctrl+V | Pastes the content in the clipboard.
    Ctrl+W | Deletes all the characters in a continuous string to the left of the cursor.
    Ctrl+X | Deletes all the characters to the left of the cursor.
  • Page 131: Checking Command-Line Errors

    NOTE: With this feature enabled:
    • If you have no input at the command line prompt and the system outputs system information such as logs, the system will not display the command line prompt after the output.
    • If the system outputs system information when you are typing interactive information (not YES/NO for...
  • Page 132: Configuring The History Buffer Size

    • The commands saved in the history command buffer are in the same format in which you typed the commands. If you type an incomplete command, the command saved in the history command buffer is also an incomplete one.
    • If you execute the same command repeatedly, the device saves only the earliest record.
  • Page 133: Filtering Output Information

    Disabling multi-screen display
    Use the following command to disable the multi-screen display function. All the output information is displayed at one time and the screen is refreshed continuously until the last screen is displayed.
    To do… | Use the command… | Remarks
    ... | ... | Required. By default, a login user uses the settings of the screen-length command.
  • Page 134 Character | Meaning | Remarks
    | | Matches the preceding or succeeding character string. | For example, “def|int” only matches a string containing “def” or “int”.
    _ | If it is at the beginning or the end of a regular expression, it equals ^ or $. | For example, “a_b”...
  • Page 135 Character | Meaning | Remarks
    \Bcharacter | Matches a string containing character, and no space is allowed before character. | For example, “\Bt” matches “t” in “install”, but not “t” in “big top”.
    character1\w | Matches character1character2. character2 must be a number, letter, ... | For example, “v\w” matches “vlan”, with “v” being character1, and “l”...
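    The filtering rules of the regular-expression table applied in code, as an added example that is not from this guide: a Python translation of the Comware-specific “_” metacharacter (^ at the start of a pattern, $ at the end, otherwise a comma, space, parenthesis or brace, which is the meaning the full table gives it) and the begin, include and exclude modes of display command output filtering, run over a constructed sample of display output. The other metacharacters shown on the page (“|”, “\B”, “\w”) have the same meaning in Python's re module and pass through unchanged.

```python
"""Filtering display output the way 'display ... | { begin | include | exclude } regex' does.

Added example: translates the Comware '_' metacharacter into a standard regular
expression and applies the three filter modes to constructed sample output.
"""
import re
from typing import List, Sequence


def comware_regex(pattern: str) -> str:
    """Rewrite '_' as ^, $ or a separator class depending on its position."""
    out, n, i = [], len(pattern), 0
    while i < n:
        ch = pattern[i]
        if ch == "\\" and i + 1 < n:            # keep escapes such as \B and \w intact
            out.append(pattern[i:i + 2])
            i += 2
            continue
        if ch == "_":
            if i == 0:
                out.append("^")
            elif i == n - 1:
                out.append("$")
            else:
                out.append(r"[ ,(){}]")         # comma, space, round or curly bracket
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def filter_output(lines: Sequence[str], mode: str, pattern: str) -> List[str]:
    """begin: from the first matching line on; include: matching lines; exclude: the rest."""
    rx = re.compile(comware_regex(pattern))
    if mode == "begin":
        for idx, line in enumerate(lines):
            if rx.search(line):
                return list(lines[idx:])
        return []
    if mode == "include":
        return [line for line in lines if rx.search(line)]
    if mode == "exclude":
        return [line for line in lines if not rx.search(line)]
    raise ValueError("mode must be begin, include or exclude")


# Constructed sample, loosely shaped like 'display current-configuration' output.
SAMPLE_OUTPUT = [
    "#", "sysname Firewall", "#", "vlan 10", "#",
    "interface Vlan-interface10", " ip address 10.1.1.1 255.255.255.0", "#",
    "user-interface vty 0 4", " acl 2000 inbound", " authentication-mode scheme", "#",
    "install packet", "big top",
]
```

    Anchoring with “_” is what makes a filter precise enough to audit a configuration: “_vlan” matches only the line that starts with vlan, “acl_2000” matches the ACL applied to the VTY lines, and “_#_” in exclude mode strips the section separators.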
  • Page 136: Configuring User Privilege And Command Levels

    Configuring user privilege and command levels
    Introduction: To avoid unauthorized access, the device defines user privilege levels and command levels. User privilege levels correspond to command levels. When a user at a specific privilege level logs in, the user can only use commands at that level or lower levels.
  • Page 137 To do… | Use the command… | Remarks
    Enter user interface view | user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-num2 ] } | —
    Specify the scheme authentication mode | authentication-mode scheme | Required. By default, the authentication mode for VTY and AUX users is password, and no authentication is...
  • Page 138 • If the authentication mode of a user interface is none or password, the user privilege level of users logging into the user interface is the user interface level.
    Follow these steps to configure the user privilege level under a user interface (SSH publickey authentication type):
    To do…...
  • Page 139: Switching User Privilege Level

    After the user logs in again, the user privilege restores to the original level.
    • To avoid problems, HP recommends that administrators log in to the device by using a lower privilege level and view device operating parameters, and when they have to maintain the device, they can switch to a higher level temporarily.
    •...
  • Page 140: Modifying The Level Of A Command

    CAUTION: HP recommends you to use the default command level or modify the command level under the guidance of professional staff. An improper change of the command level may bring inconvenience to your maintenance and operation, or even potential security problems.
  • Page 141: Support And Other Resources

    Related information Documents To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals For related documentation, navigate to the Networking section, and select a networking category. •...
  • Page 142: Conventions

    Conventions
    This section describes the conventions used in this documentation set.
    Command conventions
    Convention | Description
    Boldface | Bold text represents commands and keywords that you enter literally as shown.
    Italic | Italic text represents arguments that you replace with actual values.
    [ ] | Square brackets enclose syntax choices (keywords or arguments) that are optional.
    { x | y | ... } | Braces enclose a set of required syntax choices separated by vertical bars, from which...
  • Page 143 Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 144: Index

    Configuring the system time, 88
    Configuring user login control, 110
    Configuring user privilege and command levels, 130
    Contacting HP, 135
    Controlling the CLI display, 126
    Conventions, 136
    Device management overview, 87
    Displaying and maintaining CLI, 134
    Displaying and maintaining CLI...
    NMS login example, 71
    NMS login overview, 69
    Overview, 10
    Product overview, 1
  • Page 145 Troubleshooting web login problems, 65
    Typing commands, 121
    Undo form of a command, 118
    User interface overview, 8
    Using command history, 125...
    Using the CLI online help, 120
    Web login example, 62
    Web login overview, 57
    What is CLI?, 117

This manual is also suitable for: A-F5000