HP Firewalls and UTM Devices Getting Started Guide Part number: 5998-4163 Software version: F1000-A-EI:
4 • Protection against external attacks, internal network protection, traffic monitoring, email filtering, Web filtering, application layer filtering
94 Step Command Remarks 4. Set a daylight saving time scheme. • Set a non-recurring scheme: clock summer-time zone-name one-off start-time start-d
95 Enabling displaying the copyright statement The device by default displays the copyright statement when a Telnet or SSH user logs in, or when a co
96 • Method 1—Press Enter after the last command keyword. At the system prompt, enter the banner message and end with the delimiter character %. For
97 When multiple users configure a setting in system view, only the last configuration applies. To configure the maximum number of concurrent users:
98 Figure 72 Rebooting the device 2. If necessary, select Check whether the configuration is saved to the configuration file for next reboot. If y
99 Task Command Remarks Schedule a reboot. • Schedule a reboot to occur at a specific time and date: schedule reboot at hh:mm [ date ] • Schedule
100 • After job execution, the configuration interface, view, and user status that you have before job execution restores even if the job ran a comm
101 Step Command Remarks 4. Add commands to the job. • Configure a command to run at a specific time and date: time time-id at time date command co
102 [Firewall-job-pc1] time 2 repeating at 18:00 week-day mon tue wed thu fri command shutdown [Firewall-job-pc1] quit # Create a job named pc2, and
103 To set the port status detection timer: Step Command Remarks 1. Enter system view. system-view N/A 2. Set the port status detection timer. sh
5 Figure 6 Rear view 1: Rear chassis cover handle (do not use this handle to lift the chassis) 2: (Optional) Air filter 3: Chassis handle 4: Ground
104 Hardware Feature compatible Firewall module 12500/10500 Enhanced FW: Yes Others: No U200-A Yes U200-S No You can set the temperature thresholds
105 To ensure management continuity, you can configure the device to monitor the NMS connected interface for IP address changes and notify the NMS to
106 Verifying and diagnosing transceiver modules This section describes how to verify and diagnose transceiver modules. Verifying transceiver m
107 Displaying and maintaining device management For diagnosis or troubleshooting, you can use separate display commands to collect running statu
108 Task Command Remarks Display basic device temperature information. display environment [ cpu ] [ | { begin | exclude | include } regular-expressi
109 Task Command Remarks Display the exception handling method. display system-failure [ | { begin | exclude | include } regular-expression ] Availab
110 Managing users Local users are a set of user attributes configured on the local device. A local user is uniquely identified by username. To enabl
111 2. Click Add. Figure 75 Adding a local user 3. Configure a local user, as described in Table 19. 4. Click Apply. Table 19 Configuration item
112 Item Description Virtual Device Set the virtual device to which a user belongs. Every time a user logs in through the Web interface, the user log
113 Figure 77 Creating a local user c. Enter Emily as the username. d. Select the user privilege level Monitor. e. Select the service type Web.
6 Appearance Figure 7 Firewall module for 5800 switches Figure 8 Firewall module for 7500E/9500E/12500 switches Figure 9 Firewall module for 6600/
114 Configuring source IP-based Telnet login control Step Command Remarks 1. Enter system view. system-view N/A 2. Create a basic ACL and enter it
115 Step Command Remarks 3. Configure an ACL rule. rule [ rule-id ] { permit | deny } rule-string N/A 4. Exit advanced ACL view. quit N/A 5. Ente
116 Figure 78 Network diagram Configuration procedure # Configure basic ACL 2000, and configure rule 1 to permit packets sourced from Host B, and r
117 Step Command Remarks 3. Configure an ACL rule. rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { sour-addr sour-wild
118 Figure 79 Network diagram Configuration procedure # Create ACL 2000, and configure rule 1 to permit packets sourced from Host B, and rule 2 to
119 Step Command Remarks 3. Create rules for this ACL. rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { sour-addr sour-
120 [Firewall] ip http acl 2030 Displaying online users Online users refer to the users who have passed authentication and got online. You can view i
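Worked example of source IP-based login control, added here as an illustration and not taken from the manual's own examples: a basic ACL permits the administrator's host and explicitly denies every other source, and the same ACL is then bound inbound to the VTY user interfaces (Telnet/SSH) and to the HTTP and HTTPS services. The ACL number 2000 and the host address 10.1.1.2 are assumptions chosen for the example; substitute your management host.

```text
system-view
# Basic ACL 2000: permit only the management host, deny all other sources.
# The explicit deny rule is included so the result does not depend on the
# action taken for packets that match no rule.
acl number 2000
 rule 1 permit source 10.1.1.2 0
 rule 2 deny source any
 quit
# Apply the ACL inbound on all VTY lines; Telnet/SSH attempts from any other
# source are rejected before authentication.
user-interface vty 0 4
 acl 2000 inbound
 quit
# Bind the same ACL to the Web management services.
ip http acl 2000
ip https acl 2000
return
```

Before applying the ACL, open a second session from the permitted host and keep it alive; check with display acl 2000 that the permit rule is counting hits from your own session, so a typo in the address does not lock out all remote management.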
121 Using the CLI At the command-line interface (CLI), you can enter text commands to configure, manage, and monitor your device. Figure 82 CLI examp
122 Figure 83 Understanding command-line parameters For example, to set the system time to 10:30:20, February 23, 2010, enter the following command
123 Figure 84 CLI view hierarchy Entering system view from user view Task Command Enter system view from user view. system-view Returning to the
7 • External attack protection, internal network protection, traffic monitoring, URL filtering, application layer filtering. • ASPF • Email alarm,
124 Accessing the CLI online help The CLI online help is context sensitive. You can enter a question mark at any prompt or in any position of a comma
125 Entering a command When you enter a command, you can use keys or hotkeys to edit the command line, or use abbreviated keywords or keyword aliases
126 Configuring and using command keyword aliases The command keyword alias function allows you to replace the first keyword of a non-undo command or
127 Step Command Remarks 3. Display hotkeys. display hotkey [ | { begin | exclude | include } regular-expression ] Optional. Available in any view.
128 output such as logs. If you have entered nothing, the system does not display the command-line prompt after the output. To enable redisplaying en
129 Viewing history commands You can use arrow keys to access history commands in Windows 200x and Windows XP Terminal or Telnet. In Windows 9x Hyper
130 To display all output at one time and refresh the screen continuously until the last screen is displayed: Task Command Remarks Disable pausing b
131 Character Meaning Examples _ If it is at the beginning or the end of a regular expression, it equals ^ or $. In other cases, it equals comma, spa
132 Character Meaning Examples character1\w Matches character1character2, where character2 must be a digit, letter, or underscore; \w equals [A-Za-z0-9
133 Table 28 Command levels and user privilege levels Level Privilege Default set of commands 0 Visit Includes commands for network diagnosis and com
8 Appearance U200-A Figure 10 U200-A front view 1: Copper Ethernet ports (GE0 to GE5) 2: Console port (CONSOLE) 3: USB port 4: CF ejector button 5:
134 Step Command Remarks 5. Configure the authentication mode for SSH users as password. For more information, see System Management and Maintenance
135 Step Command Remarks 5. Configure the user privilege level. user privilege level level By default, the user privilege level for users logged in
136 # Display the commands a Telnet user can use after login. Because the user privilege level is 1, a Telnet user can use more commands now. <Sys
137 Configuring the authentication parameters for user privilege level switching A user can switch to a lower privilege level without authentication.
138 Switching to a higher user privilege level Before you switch to a higher user privilege level, obtain the required authentication data as describ
139 Changing the level of a command Every command in a view has a default command level. The default command level scheme is sufficient for the secur
140 Support and other resources Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.com/support Befo
141 Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text
142 Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as
9 U200-S Figure 12 U200-S front view 1: Copper Ethernet ports (GE0 to GE4) 2: Console port (CONSOLE) 3: USB port 4: CF ejector button 5: CF card slo
10 Figure 14 Network diagram Virtual firewall application The F1000-A-EI/F1000-S-EI supports the virtual firewall function. You can create multiple
11 Figure 16 Network diagram F1000-E Deployed at the egress of an enterprise network, F1000-E firewalls can protect against external attacks, ensure
12 F5000 Large data centers are connected to the 10G core network usually through a 10G Ethernet. The F5000 firewall has a 10G processing capability a
13 Figure 19 Network diagram Enhanced firewall modules Cloud computing data center application The Enhanced firewall modules can provide high-perfo
Legal and notice information © Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitt
14 Enterprise network application Deployed on the core switch or the aggregation switch of an enterprise network, the Enhanced firewall module provide
15 UTM Firewall application The UTM Security Products can be deployed at the exits of small- to medium-sized enterprise networks to defend against att
16 Figure 24 Network diagram
17 Login overview This chapter describes the available login methods and introduces the related concepts. Login methods at a glance You can access th
18 Login method Default setting and configuration requirements Accessing the device through SNMP By default, SNMP login is disabled. To use SNMP ser
19 A relative number uniquely identifies a user interface among all user interfaces of the same type. The number format is user interface type
20 Logging in to the CLI By default, the first time you access the CLI you must log in through the console port. At the CLI, you can configure Telnet
21 Figure 26 Connection description Figure 27 Specifying the serial port used to establish the connection
22 Figure 28 Setting the properties of the serial port 5. Power on the device and press Enter at the prompt. Figure 29 CLI 6. At the default us
23 • Scheme—Uses the AAA module to provide local or remote console login authentication. You must provide a username and password for accessing the
24 Configuring password authentication for console login Step Command Remarks 1. Enter system view. system-view N/A 2. Enter console user interfa
25 Step Command Remarks 3. Enable scheme authentication. authentication-mode scheme Whether local, RADIUS, or HWTACACS authentication is adopted dep
26 The next time you attempt to log in through the console port, you must provide the configured login username and password. Configuring common cons
27 Step Command Remarks 9. Specify the terminal display type. terminal type { ansi | vt100 } By default, the terminal display type is ANSI. The devi
28 Table 5 shows the Telnet server and client configuration required for a successful Telnet login. Table 5 Telnet server and Telnet client configura
29 Authentication mode Configuration tasks Reference Scheme Enable scheme authentication on the VTY user interface. Configure local or remote authen
30 Figure 31 Telnetting to the device without authentication Configuring password authentication for Telnet login Step Command Remarks 1. Enter s
31 Figure 32 Password authentication interface for Telnet login Configuring scheme authentication for Telnet login When scheme authentication is us
32 Step Command Remarks 3. Enter one or multiple VTY user interface views. user-interface vty first-number [ last-number ] N/A 4. Enable scheme aut
33 Step Command Remarks 14. Configure common settings for VTY user interfaces. See "Configuring common VTY user interface settings (optional)."
34 Step Command Remarks 4. Enable the user interfaces to support Telnet, SSH, or both of them. protocol inbound { all | ssh | telnet } Optional. By
35 Figure 34 Telnetting from the device to a Telnet server To use the device to log in to a Telnet server: Step Command Remarks 1. Enter system v
36 Table 7 SSH server and client requirements Device role Requirements SSH server Assign an IP address to an interface of the device, and make sure
37 Step Command Remarks 4. Enter one or multiple VTY user interface views. user-interface vty first-number [ last-number ] N/A 5. Enable scheme aut
38 Step Command Remarks 14. Specify SSH service for the user. service-type ssh By default, the system-predefined user admin can use terminal servic
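Worked example tying together the SSH login steps above with the user privilege level scheme described elsewhere in this guide. It is added here for illustration and is not one of the manual's own configuration examples. It configures scheme authentication on the VTY lines, restricts them to SSH (no Telnet), creates a local operator account at privilege level 1 (Monitor) and sets a separate super password so the operator can switch to level 3 (Manage) only when needed. The user name ops, the two passwords and the VTY range 0 4 are assumptions for the example.

```text
system-view
# Generate the server host key pair; the device prompts for the modulus length.
public-key local create rsa
ssh server enable
# VTY lines: AAA (scheme) authentication and SSH only. Telnet is no longer
# accepted on these lines once "protocol inbound ssh" is set.
user-interface vty 0 4
 authentication-mode scheme
 protocol inbound ssh
 quit
# Operator account: SSH service only, least privilege (level 1 = Monitor).
local-user ops
 password cipher Op3rator-Pass-1      (assumed password)
 service-type ssh
 authorization-attribute level 1
 quit
# The SSH server authenticates user "ops" by password for Stelnet sessions.
ssh user ops service-type stelnet authentication-type password
# Separate secret for privilege escalation: after login, "super 3" prompts
# for this password; switching to a lower level needs no authentication.
super password level 3 cipher M4nage-Pass-1        (assumed password)
return
```

Verify from a second host that an SSH session as ops lands at level 1 (the command set is limited to Visit and Monitor commands), that super 3 with the configured password reaches level 3, and that a Telnet attempt to the same address is refused before you close the console session used to make the change.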
39 Hardware Feature compatible F1000-E Yes F5000 Yes Firewall module No U200-A No U200-S No As shown in Figure 37, to perform local login through t
40 Authentication mode Configuration tasks Reference Scheme Enable scheme authentication on the AUX user interface. Configure local or remote authen
41 Figure 38 Accessing the CLI through the AUX port without authentication Configuring password authentication for AUX login Step Command Remarks
42 Figure 39 Password authentication interface for AUX login Configuring scheme authentication for AUX login When scheme authentication is used, yo
43 Step Command Remarks 3. Enable scheme authentication. authentication-mode scheme By default, password authentication is enabled on AUX user inter
44 Figure 40 Scheme authentication interface for AUX login Configuring common settings for AUX login (optional) Some common settings configured fo
45 Step Command Remarks 6. Specify the number of stop bits. stopbits { 1 | 1.5 | 2 } The default is 1. Stop bits indicate the end of a character. Th
46 The port properties of the terminal emulation program must be the same as the default settings of the AUX port, which are shown in the following t
47 Figure 41 Connecting the AUX port to a terminal 3. If the PC is off, turn on the PC. 4. Launch the terminal emulation program and configure t
48 Figure 43 Specifying the serial port used to establish the connection Figure 44 Setting the properties of the serial port 5. Power on the dev
49 Figure 45 CLI 6. At the default user view prompt <HP>, enter commands to configure the device or check the running status of the device.
50 Task Command Remarks Send messages to user interfaces. send { all | num1 | { aux | console | vty } num2 } Available in user view.
51 Logging in to the Web interface The device provides a built-in Web server for you to configure the device through a Web browser. Web login is by d
52 Up to five users can concurrently log in to the device through the Web interface. Figure 46 Web login page Adding a Web login account Perform th
53 Table 10 Basic Web login configuration requirements Object Requirements Device Assign an IP address to an interface. Configure routes to make su
54 Step Command Remarks 10. Specify the command level of the local user. authorization-attribute level level No command level is configured for the
55 Step Command Remarks 3. Associate the HTTPS service with an SSL server policy. ip https ssl-server-policy policy-name Optional. By default, the H
56 Step Command Remarks 7. Associate the HTTPS service with an ACL. ip https acl acl-number By default, the HTTPS service is not associated with any
57 Displaying and maintaining Web login Task Command Remarks Display information about Web users. display web users [ | { begin | exclude | incl
58 2. Verify the configuration: # On the PC, launch a Web browser and enter the IP address of the interface in the address bar. The Web login page a
59 # Create a PKI domain, specify the trusted CA as new-ca, the URL of the server for certificate request as http://10.1.2.2/certsrv/mscep/mscep.dll,
60 On the host, run the IE browser, and then enter http://10.1.2.2/certsrv in the address bar and request a certificate for the host as prompted. 3.
61 Figure 50 Internet Explorer setting (I) 3. Click Custom Level. The dialog box Security Settings appears. 4. Enable Run ActiveX controls and pl
62 Figure 51 Internet Explorer setting (II) 5. Click OK in the Security Settings dialog box. Configuring Firefox Web browser settings 1. Open the
63 Figure 52 Firefox Web browser setting
1 Overview This documentation is applicable to the following firewall and UTM products: • HP F1000-S-EI firewall (hereinafter referred to as the F100
64 Accessing the device through SNMP NOTE: Accessing the device through SNMP is not supported in FIPS mode. You can run SNMP on an NMS to access
65 Step Command Remarks 2. Enable the SNMP agent. snmp-agent Optional. By default, the SNMP agent is disabled. You can enable SNMP agent with this c
66 Step Command Remarks 4. Configure the SNMP access right. • (Approach 1) Specify the SNMP NMS access right directly by configuring an SNMP commun
67 2. Configure the NMS: Make sure the NMS uses the same SNMP settings, including the username, as the firewall. If not, the firewall cannot be discov
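Worked example of the SNMP access steps above, added as an illustration and not drawn from the manual's own example: the agent is enabled, limited to SNMPv3, and given a group that requires both authentication and privacy, with the user and group both bound to a basic ACL that admits only the NMS address. This is the "Approach 2" (SNMPv3 user) form rather than a community string, because a community string is sent in clear text and grants access to anyone who learns it. The NMS address 10.1.1.10, ACL number 2001, group and user names and the two keys are assumptions for the example.

```text
system-view
snmp-agent
# Basic ACL 2001: only the NMS may talk to the agent.
acl number 2001
 rule 1 permit source 10.1.1.10 0
 rule 2 deny source any
 quit
# Accept SNMPv3 only; v1/v2c community-based access is not offered.
snmp-agent sys-info version v3
# Group with privacy: every request must be authenticated and encrypted.
snmp-agent group v3 nms-group privacy acl 2001
# User: SHA authentication key and AES-128 privacy key (assumed values),
# bound to the same ACL.
snmp-agent usm-user v3 nms-user nms-group authentication-mode sha Auth-Key-1 privacy-mode aes128 Priv-Key-1 acl 2001
return
```

On the NMS, configure the same user name, security level authPriv, SHA and AES-128 with the matching keys; a mismatch in any of these leaves the firewall undiscovered, which is the symptom described in the configuration step above. Remember that SNMP access is not available at all when the device runs in FIPS mode.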
68 Logging in to the firewall module from the network device Feature and hardware compatibility Hardware Feature compatible F1000-A-EI/F1000-S-EI No
69 After login, the terminal screen displays the CLI of the firewall module. To return to the CLI on the device, press Ctrl+K. Monitoring and managin
70 An ACSEI server can register multiple ACSEI clients. ACSEI timers An ACSEI server uses two timers, the clock synchronization timer and the monito
71 Configuring ACSEI client on the firewall module Step Command Remarks 1. Enter system view. system-view N/A 2. Enter interface view interface in
72 Figure 55 Network diagram Configuration procedure This example uses a switch. The configuration on a router is the same. 1. Log in to the firew
73 # acsei server acsei timer clock-sync 10 acsei timer monitor 10 # return [Switch] The output shows that the clock synchronization timer and m
2 Figure 1 Front view 1: Combo interfaces 2: Console port (CONSOLE) 3: USB port (reserved for future use) Figure 2 Rear view 1: Power module slo
74 Basic configuration Overview Basic configuration information includes: • Device name and login password—Modify the system name and the password of
75 Figure 56 Basic configuration wizard—1/6 3. Click Next. The page for basic configuration appears.
76 Figure 57 Basic configuration wizard—2/6 (basic information) 4. Configure the parameters as described in Table 11. Table 11 Configuration item
77 Figure 58 Basic configuration wizard—3/6 (service management) 6. Configure the parameters as described in Table 12. Table 12 Configuration item
78 Item Description HTTPS Specify whether to enable HTTPS on the device, and set the HTTPS port number. Disabled by default. IMPORTANT: • If the cu
79 Table 13 Configuration items Item Description IP Configuration Set the approach for obtaining the IP address, including: • None—The IP address of
80 Table 14 Configuration items Item Description Interface Select an interface on which the NAT configuration will be applied. Dynamic NAT Specify w
81 Figure 61 Basic configuration wizard—6/6 On this page, you can set whether to save the current configuration to the startup configuration file (
82 Step Command Remarks 4. Configure NAT. • To configure a static NAT mapping: a. nat static local-ip [ vpn-instance local-name ] global-ip [ vp
83 Step Command Remarks 9. Add the interface to the security zone. import interface interface-type interface-number [ vlan vlan-list ] By default, G
3 • Support for management by its own Web-based management system or by IMC The F1000-E uses a multi-core processor and provides the following interf
84 Managing the device Device management includes monitoring the operating status of devices and configuring their running parameters. The configurat
85 To configure the device name: Step Command Remarks 1. Enter system view. system-view N/A 2. Configure the device name. sysname sysname The d
86 Figure 64 Calendar page 3. Modify the system time either in the System Time Configuration text box, or through the calendar page. You can perfo
87 Table 15 Configuration items Item Description Clock status Displays the synchronization status of the system clock. Local Reference Source Set th
88 Figure 66 Setting the time zone 3. Configure the time zone and daylight saving time as described in Table 16. 4. Click Apply. Table 16 Configu
89 Figure 68 Network diagram Configuration procedure 1. On Device A, configure the local clock as the reference clock, with the stratum 2: a. Sel
90 Figure 70 Configuring Device A as the NTP server of Device B 3. Verifying the configuration After the configuration, you can see that the curre
91 Configuration guidelines You can change the system time by configuring the relative time, time zone, and daylight saving time. The configuration r
92 Command Effective system time Configuration example System time 1, 3 date-time outside the daylight saving time range: date-time clock datetime 1
93 Command Effective system time Configuration example System time 1, 2, 3 or 1, 3, 2 date-time ± zone-offset outside the daylight saving time range: