
DPtech FW1000 Series Application Firewall User Manual

Manual version: v5.0


Software version: FW1000-X86III-B311CM005D022P01PATCH37.bin
Released date: 2021-03-06
DPtech FW1000 Series Application Firewall User Manual v5.0.docx

Declaration
Copyright © 2008-2021 Hangzhou DPtech Co., Ltd. All rights reserved.
Without the written permission of the company, no unit or individual may excerpt or copy part
or all of the content of this book, or distribute it in any form.

is a trademark of Hangzhou DPtech Co., Ltd.


All other trademarks or registered trademarks appearing in this manual are owned by their
respective owners.

Due to product version upgrades or other reasons, the contents of this manual may change.
Hangzhou DPtech Technology Co., Ltd. reserves the right to modify the contents of this
manual without notice. This manual is intended only as a guide. Hangzhou DPtech Technology
Co., Ltd. makes every effort to provide accurate information in this manual; however, it does
not guarantee that the contents of the manual are completely free of errors. The statements,
information, and suggestions in this manual do not constitute any express or implied warranty.

Hangzhou DPtech Technologies Co., Ltd.


Address: 6th Floor, Zhongcai Building, No. 68, Tonghe Road, Binjiang District, Hangzhou
Post Code: 310051
Website: http://www.dptech.com
Technical forum: http://forum.dptech.com
7x24 hours technical service hotline: 400-6100-598

Conventions

GUI conventions
Convention   Description

>            Multi-level menus are separated by " > ". For example, System Management >
             Administrator.

Boldface     Button name. For example, click the OK button.

Sign conventions
Convention Description

An alert that calls attention to important information that, if ignored, can result in data
corruption, data loss, or damage to hardware or software.

An alert that contains supplementary or additional information.



Contents
1 Getting Started...................................................................................................................................... 1-1
1.1 Product overview ............................................................................................................................... 1-1
1.2 Introduction to Web management system ......................................................................................... 1-1
1.2.1 Cautions .................................................................................................................................. 1-2
1.2.2 Log in to the Web management system .................................................................................. 1-2
1.2.3 Page layout introduction .......................................................................................................... 1-3
1.3 Basic configuration and maintenance ............................................................................................... 1-4
1.3.1 Telnet / SSH remote management device ............................................................................... 1-4
1.3.2 Restrictions on specific IP / specific protocol management devices ....................................... 1-6
1.3.3 Save / upload the configuration file ......................................................................................... 1-9
1.3.4 Webpage upgrade software version ..................................................................................... 1-10
1.4 Introduction to common operations ................................................................................................. 1-12
2 Device Monitor ...................................................................................................................................... 2-1
2.1 System monitoring ............................................................................................................................. 2-1
2.1.1 Device information / status ...................................................................................................... 2-1
2.1.2 CPU statistics .......................................................................................................................... 2-2
2.1.3 Flow statistics .......................................................................................................................... 2-3
2.2 Session monitoring ............................................................................................................................ 2-4
2.2.1 Session statistics ..................................................................................................................... 2-4
2.2.2 Session list .............................................................................................................................. 2-5
2.2.3 Session ranking ....................................................................................................................... 2-6
3 Basic Configuration .............................................................................................................................. 3-1
3.1 OVC ................................................................................................................................................... 3-1
3.1.1 OVC technology introduction .................................................................................................. 3-1
3.1.2 OVC configuration ................................................................................................................... 3-5
3.2 VRF .................................................................................................................................................... 3-6
3.3 Virtual system .................................................................................................................................... 3-8
3.3.1 Introduction .............................................................................................................................. 3-8
3.3.2 Virtual system configuration .................................................................................................... 3-8
3.3.3 Virtual system parameter settings ........................................................................................... 3-9

4 System Management............................................................................................................................ 4-1


4.1 Login management ............................................................................................................................ 4-1
4.1.1 Administrator ........................................................................................................................... 4-1
4.1.2 Management protocol.............................................................................................................. 4-7

Copyright © Hangzhou DPtech Technologies Co., Ltd. I



4.2 Version management ....................................................................................................................... 4-10


4.2.1 Software version.................................................................................................................... 4-10
4.2.2 Patch management ............................................................................................................... 4-11
4.2.3 Feature library ....................................................................................................................... 4-12
4.3 Configuration file .............................................................................................................................. 4-17
4.3.1 Configuration file ................................................................................................................... 4-17
4.4 System configuration ....................................................................................................................... 4-18
4.5 Time management ........................................................................................................................... 4-19
4.5.1 NTP overview ........................................................................................................................ 4-19
4.5.2 System time........................................................................................................................... 4-20
4.5.3 NTP time synchronization ..................................................................................................... 4-21
4.5.4 NTP time synchronization (IPv6) ........................................................................................... 4-22
4.6 Digital certificate .............................................................................................................................. 4-22
4.6.1 Certificate request ................................................................................................................. 4-23
4.6.2 Certificate management ........................................................................................................ 4-24
4.6.3 Certificate authority ............................................................................................................... 4-27
4.7 Forwarding configuration ................................................................................................................. 4-30
4.7.1 Forwarding ............................................................................................................................ 4-30
4.7.2 Forwarding mode .................................................................................................................. 4-31
4.7.3 Equal-cost Route Load Balancing ......................................................................................... 4-31
4.8 Session configuration ...................................................................................................................... 4-32
4.8.1 Session log configuration ...................................................................................................... 4-32
4.8.2 Session parameter ................................................................................................................ 4-33
4.8.3 Session detection .................................................................................................................. 4-34
4.8.4 Session forwarding ................................................................................................................ 4-34
4.9 Warning configuration ...................................................................................................................... 4-35
4.10 SNMP ............................................................................................................................................. 4-35
4.10.1 SNMP overview ................................................................................................................... 4-35
4.10.2 SNMP configuration ............................................................................................................. 4-37
4.10.3 SNMPv3 .............................................................................................................................. 4-40
4.10.4 SNMP host........................................................................................................................... 4-41
4.10.5 RMON configuration ............................................................................................................ 4-42

5 Object Management ............................................................................................................................. 5-1


5.1 Security zone ..................................................................................................................................... 5-1
5.2 IP address .......................................................................................................................................... 5-2
5.2.1 IP address ............................................................................................................................... 5-2
5.2.2 IP address group ..................................................................................................................... 5-3




5.3 IPv6 address ...................................................................................................................................... 5-3


5.4 MAC address ..................................................................................................................................... 5-4
5.4.1 MAC address ........................................................................................................................... 5-4
5.4.2 MAC address group ................................................................................................................ 5-5
5.5 User ................................................................................................................................................... 5-6
5.5.1 User ......................................................................................................................................... 5-6
5.6 Domain name .................................................................................................................................... 5-7
5.7 Service ............................................................................................................................................... 5-7
5.7.1 Predefined service ................................................................................................................... 5-7
5.7.2 User-defined service ............................................................................................................... 5-8
5.7.3 Service group .......................................................................................................................... 5-9
5.8 Time ................................................................................................................................................... 5-9
6 Interface Management.......................................................................................................................... 6-1
6.1 Networking configuration ................................................................................................................... 6-1
6.2 Interface configuration ....................................................................................................................... 6-2
6.2.1 Interface configuration ............................................................................................................. 6-2
6.2.2 Interface rate beyond warning ................................................................................................. 6-3
6.3 Port aggregation ................................................................................................................................ 6-4
6.3.1 Introduction .............................................................................................................................. 6-4
6.3.2 Port aggregation configuration ................................................................................................ 6-5
6.3.3 LACP configuration ................................................................................................................. 6-6
6.3.4 Aggregation group status ........................................................................................................ 6-7
6.4 Port mirroring ..................................................................................................................................... 6-8
6.4.1 Local mirror ............................................................................................................................. 6-8
6.4.2 Remote source mirror.............................................................................................................. 6-9
6.5 Logic interface ................................................................................................................................. 6-10
6.5.1 Subinterface .......................................................................................................................... 6-10
6.5.2 Loopback interface ................................................................................................................ 6-11
6.5.3 PPP interface configuration ................................................................................................... 6-11
6.5.4 Template interface ................................................................................................................. 6-12
6.5.5 IPsec interface configuration ................................................................................................. 6-13
6.6 IPv6 tunnel ....................................................................................................................................... 6-13
6.7 GRE ................................................................................................................................................. 6-14
7 VLAN Management .............................................................................................................................. 7-1
7.1 VLAN ................................................................................................................................................. 7-1
7.1.1 VLAN configuration ................................................................................................................. 7-1
7.1.2 VLAN flow statistics ................................................................................................................. 7-2




7.1.3 VLAN frame manage ............................................................................................................... 7-2


7.2 VLAN interface................................................................................................................................... 7-3
7.2.1 VLAN interface configuration .................................................................................................. 7-3
7.2.2 Display VLAN interface ........................................................................................................... 7-4

8 Route Management .............................................................................................................................. 8-1


8.1 Routing table...................................................................................................................................... 8-1
8.1.1 IPv4 routing table .................................................................................................................... 8-1
8.1.2 IPv6 routing table .................................................................................................................... 8-2
8.2 Static route......................................................................................................................................... 8-4
8.2.1 IPv4 static route ....................................................................................................................... 8-4
8.2.2 IPv6 static route ....................................................................................................................... 8-7
8.3 Policy-based routing .......................................................................................................................... 8-8
8.3.1 IPv4 policy-based routing ........................................................................................................ 8-8
8.3.2 IPv6 policy based routing ...................................................................................................... 8-11
8.4 RIP ................................................................................................................................................... 8-12
8.4.1 RIP......................................................................................................................................... 8-12
8.4.2 RIPng..................................................................................................................................... 8-15
8.5 OSPF ............................................................................................................................................... 8-18
8.5.1 OSPF protocol ....................................................................................................................... 8-18
8.5.2 Configure OSPF protocol ...................................................................................................... 8-18
8.5.3 OSPFv3 protocol ................................................................................................................... 8-23
8.6 ISIS .................................................................................................................................................. 8-26
8.6.1 Configure ISIS ....................................................................................................................... 8-27
8.6.2 ISIS neighbor ......................................................................................................................... 8-28
8.6.3 ISIS LSP ................................................................................................................................ 8-28
8.7 BGP ................................................................................................................................................. 8-29
8.7.1 Configure BGP protocol ........................................................................................................ 8-30
8.7.2 Configure BGP-VPN.............................................................................................................. 8-32
8.7.3 BGP neighbor information ..................................................................................................... 8-33
8.8 GUARD ............................................................................................................................................ 8-33
8.9 MPLS ............................................................................................................................................... 8-34
8.9.1 MPLS forwarding configuration ............................................................................................. 8-35
8.9.2 Static configuration ................................................................................................................ 8-35
8.9.3 LDP Protocol ......................................................................................................................... 8-36
8.9.4 L2VPN ................................................................................................................................... 8-39
8.9.5 Display L3VPN forward ......................................................................................................... 8-43
8.9.6 TE static configuration ........................................................................................................... 8-43




8.9.7 TE tunnel configuration ......................................................................................................... 8-45


8.10 IPv4 multicast................................................................................................................................. 8-47
8.10.1 Basic configuration .............................................................................................................. 8-47
8.10.2 IGMP Snooping ................................................................................................................... 8-48
8.10.3 Multicast VLAN .................................................................................................................... 8-51
8.10.4 IGMP.................................................................................................................................... 8-52
8.10.5 PIM ...................................................................................................................................... 8-59
8.10.6 MSDP .................................................................................................................................. 8-64
8.10.7 Multicast VPN ...................................................................................................................... 8-67
8.10.8 Multicast source proxying .................................................................................................... 8-69
8.10.9 Multicast static routing ......................................................................................................... 8-70
8.10.10 Multicast routing table ........................................................................................................ 8-71
8.11 IPv6 multicast routing ..................................................................................................................... 8-73
8.11.1 Basic configuration .............................................................................................................. 8-74
8.11.2 MLD Snooping ..................................................................................................................... 8-74
8.11.3 MLD ..................................................................................................................................... 8-78
8.11.4 PIM ...................................................................................................................................... 8-82
8.11.5 Multicast routing table .......................................................................................................... 8-89
9 Network Protocol .................................................................................................................................. 9-1
9.1 DHCPv4 ............................................................................................................................................. 9-1
9.1.1 DHCP ...................................................................................................................................... 9-1
9.1.2 DHCPv4 relay agent configuration .......................................................................................... 9-3
9.2 DHCPv6 ............................................................................................................................................. 9-4
9.2.1 DHCPv6 server ....................................................................................................................... 9-4
9.2.2 DHCPv6 relay agent configuration .......................................................................................... 9-5
9.3 ARP .................................................................................................................................................... 9-6
9.3.1 ARP table................................................................................................................................. 9-6
9.3.2 ARP configuration .................................................................................................................... 9-7
9.3.3 Basic defense of ARP............................................................................................................ 9-10
9.3.4 Advanced defense ................................................................................................................. 9-12
9.4 ND .................................................................................................................................................... 9-15
9.4.1 ND configuration .................................................................................................................... 9-15
9.4.2 Anti-ND attack of fixed source MAC/IP ................................................................................. 9-15
9.5 MAC ................................................................................................................................................. 9-16
9.5.1 MAC table .............................................................................................................................. 9-16
9.5.2 Static MAC configuration ....................................................................................................... 9-17
9.5.3 MAC address configuration ................................................................................................... 9-17




9.6 STP .................................................................................................................................................. 9-18


9.6.1 Select STP ............................................................................................................................ 9-18
9.6.2 Spanning tree protocol configuration .................................................................................... 9-19
9.6.3 Status .................................................................................................................................... 9-20
9.7 DNS ................................................................................................................................................. 9-22
9.8 ICMP option ..................................................................................................................................... 9-24
9.9 IPv6 autoconfig ................................................................................................................................ 9-25
9.10 Diagnostic tools.............................................................................................................................. 9-25
9.10.1 Ping...................................................................................................................................... 9-26
9.10.2 Tracert ................................................................................................................................. 9-28
9.10.3 Remote capture ................................................................................................................... 9-30
10 Authentication Configuration ............................................................................................................. 10-1
10.1 Authentication configuration ........................................................................................................... 10-1
10.1.1 Global configuration............................................................................................................. 10-1
10.1.2 Authentication page customization ...................................................................................... 10-2
10.2 Authentication policy ...................................................................................................................... 10-2
10.3 Authentication user ........................................................................................................................ 10-3
10.4 Authentication server ..................................................................................................................... 10-4
11 ACL management ............................................................................................................................. 11-1
11.1 Inbound ACL .................................................................................................................................. 11-1
11.1.1 IPV4 ACL ............................................................................................................................. 11-1
11.1.2 IPV6 ACL ............................................................................................................................. 11-2
11.1.3 Resource allocation ............................................................................................................. 11-3
12 QoS Management ............................................................................................................................. 12-1
12.1 Basic QoS ...................................................................................................................................... 12-1
12.1.1 CoS priority mapping ........................................................................................................... 12-1
12.1.2 Congestion management .................................................................................................... 12-2
12.1.3 Congestion avoidance ......................................................................................................... 12-3
12.2 QoS policy...................................................................................................................................... 12-4
12.2.1 QoS flow template ............................................................................................................... 12-4
12.2.2 QoS policy configuration...................................................................................................... 12-5
12.2.3 QoS policy show .................................................................................................................. 12-5
12.3 Port rate limit .................................................................................................................................. 12-6
13 High Availability ................................................................................................................................. 13-1
13.1 Management defend ...................................................................................................................... 13-1
13.2 Overload protect ............................................................................................................................ 13-1
13.3 Hotbackup ...................................................................................................................................... 13-2
13.3.1 Hotbackup configuration ...................................................................................................... 13-4
13.3.2 State and maintenance of hotbackup .................................................................................. 13-6
13.4 Session synchronous ..................................................................................................................... 13-6
13.5 VRRP ............................................................................................................................................. 13-7
13.5.1 VRRP introduction ............................................................................................................... 13-7
13.5.2 IPv4 VRRP ........................................................................................................................ 13-10
13.5.3 IPv6 VRRP ........................................................................................................................ 13-10
13.6 VRRP synchronization ................................................................................................................. 13-11
13.7 Interface synchronization group................................................................................................... 13-11
13.8 BFD .............................................................................................................................................. 13-12
13.8.1 BFD.................................................................................................................................... 13-12
13.8.2 BFD manual configuration ................................................................................................. 13-13
13.8.3 BFD session information ................................................................................................... 13-14
13.9 ULDP ........................................................................................................................................... 13-15
13.9.1 ULDP configuration ........................................................................................................... 13-15
13.9.2 ULDP show ........................................................................................................................ 13-15
14 Log Management .............................................................................................................................. 14-1
14.1 System log ..................................................................................................................................... 14-1
14.1.1 Latest log ............................................................................................................................. 14-1
14.1.2 System log query ................................................................................................................. 14-2
14.1.3 System log file management ............................................................................................... 14-2
14.1.4 System log configuration ..................................................................................................... 14-3
14.2 Operation log ................................................................................................................................. 14-4
14.2.1 Latest log ............................................................................................................................. 14-4
14.2.2 Operation log query ............................................................................................................. 14-5
14.2.3 Operation Log File Management ......................................................................................... 14-6
14.2.4 Operation log configuration ................................................................................................. 14-7
14.3 Diagnosis log ................................................................................................................................. 14-7
14.4 Service log configuration ............................................................................................................... 14-8
14.5 Service log query ........................................................................................................................... 14-1
14.5.1 IPS log ................................................................................................................................. 14-1
14.5.2 Anti-virus Log ....................................................................................................................... 14-1
14.5.3 RMON log ............................................................................................................................ 14-2
14.5.4 ARP monitoring log .............................................................................................................. 14-2
14.5.5 IDS collaboration log ........................................................................................................... 14-3
14.5.6 Session limit log ................................................................................................................... 14-3
14.5.7 IPv4 packet filtering log ....................................................................................................... 14-3
14.5.8 Basic attack log ................................................................................................................... 14-4
14.5.9 Blacklist log .......................................................................................................................... 14-4
14.5.10 DDoS protection log........................................................................................................... 14-5
15 Security Policy .................................................................................................................................. 15-1
15.1 IPv4 Packet filtering ....................................................................................................................... 15-1
15.1.1 IPv4 Packet filtering policy .................................................................................................. 15-1
15.1.2 IPv4 packet filtering log ....................................................................................................... 15-6
15.1.3 IPv4 Packet filtering log search ........................................................................................... 15-7
15.2 IPv6 packet filtering ....................................................................................................................... 15-8
15.2.1 IPv6 packet filtering policy ................................................................................................... 15-8
15.2.2 IPv6 packet filtering log ..................................................................................................... 15-10
15.3 IPv4 packet filtering policy redundancy analysis ......................................................................... 15-11
16 NAT Configuration............................................................................................................................. 16-1
16.1 NAT overview ................................................................................................................................. 16-1
16.2 NAT feature description ................................................................................................................. 16-2
16.2.1 Source NAT ......................................................................................................................... 16-2
16.2.2 Destination NAT ................................................................................................................... 16-3
16.2.3 Static NAT ............................................................................................................................ 16-4
16.2.4 NAT with different mapping methods ................................................................................... 16-4
16.2.5 Port block NAT ..................................................................................................................... 16-6
16.2.6 NAT-associated VRRP ........................................................................................................ 16-8
16.2.7 NAT and security policy coordination .................................................................................. 16-9
16.3 Source NAT .................................................................................................................................. 16-11
16.3.1 Source NAT ....................................................................................................................... 16-11
16.3.2 Address pool ...................................................................................................................... 16-14
16.4 Port block NAT ............................................................................................................................. 16-15
16.4.1 Port block NAT ................................................................................................................... 16-15
16.4.2 Port block resource............................................................................................................ 16-16
16.5 Destination NAT ........................................................................................................................... 16-17
16.6 Static NAT .................................................................................................................................... 16-18
16.6.1 One to one NAT ................................................................................................................. 16-18
16.6.2 N to N NAT ......................................................................................................................... 16-19
16.7 NAT66 .......................................................................................................................................... 16-19
16.7.1 NAT66 source NAT ............................................................................................................ 16-20
16.7.2 NAT66 destination NAT ..................................................................................................... 16-21
16.7.3 NAT66 one-to-one NAT ..................................................................................................... 16-21
16.7.4 NAT66 address pool .......................................................................................................... 16-22
17 ALG Configuration ............................................................................................................................ 17-1
17.1 ALG configuration .......................................................................................................................... 17-1
17.1.1 ALG configuration ................................................................................................................ 17-1
17.1.2 User-defined ALG ................................................................................................................ 17-2
17.2 DNS ALG ....................................................................................................................................... 17-2
18 VPN ................................................................................................................................................... 18-1
18.1 IPsec .............................................................................................................................................. 18-1
18.1.1 System configuration ........................................................................................................... 18-1
18.1.2 Connection configuration ..................................................................................................... 18-3
18.1.3 XAuth configuration ........................................................................................................... 18-10
18.1.4 IPsec management............................................................................................................ 18-11
18.1.5 Display connection ............................................................................................................ 18-12
18.2 SSL VPN ...................................................................................................................................... 18-13
18.2.1 Basic configuration ............................................................................................................ 18-14
18.2.2 Resource management ..................................................................................................... 18-19
18.2.3 User management ............................................................................................................. 18-21
18.2.4 Authentication policy .......................................................................................................... 18-22
18.2.5 Log management............................................................................................................... 18-23
18.2.6 Report query ...................................................................................................................... 18-25
18.3 L2TP ............................................................................................................................................ 18-29
18.3.1 L2TP .................................................................................................................................. 18-29
18.3.2 Authentication .................................................................................................................... 18-29
18.3.3 Domain .............................................................................................................................. 18-30
18.3.4 Interface configuration ....................................................................................................... 18-31
18.3.5 Profile ................................................................................................................................ 18-31
18.3.6 Online ................................................................................................................................ 18-32
18.4 PPTP............................................................................................................................................ 18-32
18.5 SMS authentication ...................................................................................................................... 18-33
19 Attack Protection ............................................................................................................................... 19-1
19.1 Session limit ................................................................................................................................... 19-1
19.1.1 Session limit ........................................................................................................................ 19-1
19.1.2 Destination address limit ..................................................................................................... 19-2
19.1.3 Session limit log configuration ............................................................................................. 19-3
19.2 DDoS protection............................................................................................................................. 19-4
19.2.1 Basic protection ................................................................................................................... 19-4
19.2.2 IPv6 basic protection ........................................................................................................... 19-5
19.2.3 SYN Flood protection .......................................................................................................... 19-7
19.2.4 IPv6 SYN Flood protection .................................................................................................. 19-8
19.2.5 DDoS log configuration ....................................................................................................... 19-9
19.3 User / MAC / IP binding ............................................................................................................... 19-10
19.3.1 Auto-learning ..................................................................................................................... 19-10
19.3.2 MAC/IP binding .................................................................................................................. 19-12
19.3.3 Binding intercept log query ................................................................................................ 19-14
19.4 Basic attack protection ................................................................................................................. 19-14
19.4.1 Basic attack protection ...................................................................................................... 19-14
19.4.2 Basic attack protection log query ...................................................................................... 19-15
19.5 Network behavior management ................................................................................................... 19-16
19.6 Black list ....................................................................................................................................... 19-17
19.6.1 IPv4 black list configuration ............................................................................................... 19-17
19.6.2 IPv6 black list configuration ............................................................................................... 19-18
19.6.3 Black list query .................................................................................................................. 19-19
19.6.4 Black list log query............................................................................................................. 19-19
20 Application Security .......................................................................................................................... 20-1
20.1 Anti-virus ........................................................................................................................................ 20-1
20.1.1 Anti-virus signature management ........................................................................................ 20-1
20.1.2 Anti-virus policy.................................................................................................................... 20-2
20.1.3 Anti-virus log ........................................................................................................................ 20-4
20.2 IPS ................................................................................................................................................. 20-4
20.2.1 IPS signature management ................................................................................................. 20-5
20.2.2 IPS rule ................................................................................................................................ 20-6
20.2.3 IPS policy ............................................................................................................................. 20-7
20.2.4 IPS log ................................................................................................................................. 20-8
20.3 Access control ................................................................................................................................ 20-9
20.3.1 Access control ..................................................................................................................... 20-9
20.3.2 Application object ............................................................................................................... 20-10
20.3.3 URL filtering ....................................................................................................................... 20-10
20.4 Online behavior management...................................................................................................... 20-13
20.4.1 Traffic statistic .................................................................................................................... 20-13
20.4.2 Behavior analysis .............................................................................................................. 20-14
20.4.3 Advanced configuration ..................................................................................................... 20-14
20.4.4 Keyword filtering ................................................................................................................ 20-16
20.4.5 Behavior control................................................................................................................. 20-17
20.5 Bandwidth management .............................................................................................................. 20-18
20.5.1 Bandwidth speed limit........................................................................................................ 20-18
20.5.2 QoS basic setting .............................................................................................................. 20-20
20.6 IDS collaboration log .................................................................................................................... 20-22
21 Link Load Balancing ......................................................................................................................... 21-1
21.1 Introduction .................................................................................................................................... 21-1
21.1.1 Basic concepts .................................................................................................................... 21-1
21.1.2 Basic scheduling strategy .................................................................................................... 21-2
21.1.3 Link configuration ................................................................................................................ 21-3
21.1.4 Link information preview ...................................................................................................... 21-4
21.2 Health monitoring ........................................................................................................................... 21-5
21.2.1 Health monitoring ................................................................................................................ 21-5
21.2.2 Monitored object .................................................................................................................. 21-6
21.3 ISP ................................................................................................................................................. 21-7
22 IPv6 Transition Technology ............................................................................................................... 22-1
22.1 NAT64 ............................................................................................................................................ 22-1
22.1.1 Prefix Configuration ............................................................................................................. 22-1
22.1.2 NAT64 address .................................................................................................................... 22-1
22.1.3 NAT-PT configuration .......................................................................................................... 22-3
22.1.4 Address pool ........................................................................................................................ 22-4
22.2 DS-Lite address ............................................................................................................................. 22-5
22.2.1 DS-Lite address ................................................................................................................... 22-5
22.2.2 DS-Lite transfer ................................................................................................................... 22-6
22.2.3 Address pool ........................................................................................................................ 22-8

1 Getting Started
1.1 Product overview
Nowadays, new services and applications such as Web 2.0, audio/video, P2P and cloud
computing emerge endlessly. Traditional port-based routers, which can only perform application
identification and access control, cannot meet the security protection needs of these new
applications. To solve this problem, DPtech has introduced a new series of products based on a
multi-core processor architecture. The DPtech FW1000 series integrates application-layer
functions with application-layer security, adopting the proprietary "parallel flow filter engine"
technology, which matches all security policies in a single pass. Even as application-layer
functions expand and the signature database grows, the performance of the product is not
degraded and network latency is not increased.

DPtech FW1000 series devices are the leading application routers in the industry. Based on
DPtech's independent intellectual property, the product features the high-performance hardware
architecture APP-X and the L2~L7 converged operating system ConPlat. Their high availability,
high performance and high reliability allow DPtech FW1000 series application routers to be
deployed in a variety of complex scenarios, such as data centers and large campus networks. In
addition, the feature-rich and scalable application router solution simplifies the network security
architecture and greatly reduces the total cost of ownership of the enterprise network.

1.2 Introduction to Web management system

DPtech FW1000 has a powerful Web management system. Through it, users can configure the
device from simple configuration pages without entering complex commands. The network
topology for logging in to the Web management interface is shown in the following figure.

Figure 1-1 Network topology

1.2.1 Cautions

To access the Web management system, pay attention to the following:

• Make sure that the client host and the device management interface can communicate normally.
• IE 9.0 or above is recommended. A screen resolution of 1440 × 900 or above is recommended.
• The default number of HTTP or HTTPS connections that administrators can use to log in to the
Web management system is 5.
• The default IP address of the device is 192.168.0.1/24.
• The initial user can log in with the default account: the user name is admin and the password is
admin_default. It is recommended to change the password after logging in for the first time.
For details, refer to the section on administrator configuration.
• The Web management system does not support the back, forward and refresh operations of
the web browser, because they may cause the Web page to display abnormally.
• After a user logs in, if there is no operation on the Web interface for more than 5 minutes, the
session times out and the system returns to the login page; you must log in again to continue.
The user can modify the timeout period. For details, refer to the "Administrator" section.

1.2.2 Log in to the Web management system

To log in to the Web management system, proceed as follows:

(1) Open the IE browser and connect to the device management address over HTTP or HTTPS
to reach the Web user login interface, as shown in the following figure.

Figure 1-2 Web interface user login interface

(2) Configure the following:

• Enter the correct user name and password. The default user name is admin and the default
password is admin_default.
• Enter the verification code as prompted by the interface; it is not case sensitive.
• Select the language, Chinese or English. After the language is selected, the interface is
displayed in that language.
(3) Click the Login button to log in to the Web management system.

1.2.3 Page layout introduction

The functions of the FW1000 system are configured through separate function pages. The layout
of the Web management page is shown in the following figure.


Figure 1-3 Page layout

The description of each area is shown in the following table.

Table 1-1 Page areas

No. | Name | Description
(1) | Navigation bar | Displays the function menus of all device modules. Selecting a menu item
opens the corresponding function page in the configuration area.
(2) | Shortcut bar | Displays the device name and tabs for switching quickly between the basic
and business function pages, and provides shortcut buttons such as restart and exit.
(3) | Configuration area | The area in which each function module is configured in detail.

1.3 Basic configuration and maintenance

1.3.1 Telnet / SSH remote management device

Provided the device is reachable over the network, it can be managed remotely through Telnet
or SSH by following the procedure below.


1.3.1.1 Configure remote user management

(1) Select Basic > System Management > Login Management > Management Protocol >
Telnet/SSH Login Management from navigation tree to enter the Telnet/SSH login
management page, as shown in the following figure.

(2) Check Enable Telnet and select Enable User Name Password Authentication. Local password
authentication is enabled by default, but the default Telnet password is empty, so you must
configure a local password before Telnet can be used. Note that Telnet carries the credentials
and the whole session in cleartext; enable it only when required on an isolated management
network, and prefer SSH otherwise.

(3) Check Enable SSH and select Enable User Name Password Authentication. Click the Submit
button, as shown in the following figure.

Figure 1-4 Telnet/SSH login management

1.3.1.2 Log in to the device using Telnet

When you log in with a Telnet client and user name and password authentication is enabled, the
default user name is admin and the password is admin_default, as shown in the following figure.

Figure 1-5 Log in to the device using Telnet


1.3.1.3 Log in to the device using SSH

Use the SSH client to log in to the device. The default user name is admin and the password is
admin_default, as shown in the following figure.

Figure 1-6 Log in to the device using SSH

1.3.2 Restricting management access to specific IP addresses and protocols

1.3.2.1 Configuration requirement

Management Host A is not restricted in any way. Host B can access the device only through
HTTP. Host D can access the device only through SSH or HTTPS. No other host can access the
device.

1.3.2.2 Network topology

Figure 1-7 Network topology


1.3.2.3 Configuration steps

1. Configure the IP address of the login device interface


(1) Select Basic > Interface Management > Networking Configuration from navigation tree
to enter the networking configuration page.

(2) Click the "IP settings" configuration item and set the address of interface gige0_2 to
192.168.1.1/24 and the address of interface gige0_3 to 211.136.1.1/24, as shown in the
following figure.

Figure 1-8 Networking configuration

(3) When the configuration is finished, click the Confirm button on the top right of the page.
2. Configure Telnet/SSH Login Management to allow specific hosts to access the device
(1) Select Basic > System Management > Management Protocol > Telnet/SSH Login
Management from navigation tree to enter the Telnet/SSH login management page and
configure it as shown in the following figure.

(2) Enable Telnet or SSH and select user name and password authentication.

(3) Add the IP addresses of Host A and Host D to the Telnet/SSH login list.

(4) After completing the above configuration, click the Submit button, as shown in the
following figure.


Figure 1-9 Telnet / SSH login management

3. Configure the Web login IP address list to restrict which hosts may access the device
Web interface
(1) Select Basic > System Management > Management Protocol > HTTP/HTTPS Login
Management from navigation tree to enter the HTTP/HTTPS login management page, as
shown in the following figure.

(2) Add the IP addresses of Host A, Host B and Host D to the "Web login configuration", as
shown in the following figure.

Figure 1-10 Web login configuration

4. Configure limited interface services so that each interface accepts only specific protocols
(1) Select Basic > System Management > Management Protocol > Limited Interface
Service from navigation tree to enter the interface service limit page, as shown in the
following figure.

(2) The management interface is not subject to service limits. Allow only HTTP on the VLAN
interface. Allow only SSH and HTTPS on the physical port, as shown in the following figure.


Figure 1-11 Limited interface service

1.3.2.4 Verify the configuration

Each host tries the different ways of accessing the device, with the following results:

 Host A can access the device through HTTP, HTTPS, Telnet, SSH and Ping.
 Host B can access the device only through HTTP; HTTPS, Telnet, SSH and Ping are refused.
 Host C cannot access the device through HTTP, HTTPS, Telnet, SSH or Ping.
 Host D can access the device only through HTTPS or SSH; HTTP, Telnet and Ping are refused.

1.3.3 Save / upload the configuration file

This section describes how to save the running configuration on the device, export a saved
configuration file to the local host, and upload a local configuration file to the device.
1.3.3.1 Save the configuration file
(1) Select Basic > System Management > Configuration File > Configuration File from
navigation tree to enter the configuration file page, as shown in the following figure.

(2) Click the New Config button, enter a file name and click the save icon to save the
configuration file on the device. The other configuration icons appear as shown in the
following figure.

Figure 1-12 Configuration file

(3) Click the export icon to save the configuration file to the local host.


1.3.3.2 Upload the local file to the device

(1) Select Basic > System Management > Configuration File > Configuration File from
navigation tree to enter the configuration file page, as shown in the following figure.

(2) Click the Import button, and click File Path to select the local configuration file.

(3) Click the Import button to upload the configuration file to the device.

1.3.4 Upgrade the software version from the Web page

1. Upload the version

(1) Select Basic > System Management > Software Version from navigation tree to enter the
software version page.

(2) Click the Browse button to select the software version file to upload.

(3) Click the Upload Version button. The system starts uploading the software version; this
takes some time, so please be patient.

2. The software version at next reboot


Click the Next Running Version button and select the software version to run after the next
reboot. You can also click the Upload version button to upload a software version, as shown in
the following figure.


Figure 1-13 Upload and next running version

3. Reboot
After uploading the software version, click the Next Running Version button. The device then
loads the selected version automatically and restarts.

You can also restart the device manually by clicking the restart button in the upper right
corner of the Web page.

1.3.4.2 Web page upgrade software version

1. Upload the software version


(1) Select Basic > System Management > Software Version > Main Software Version from
navigation tree to enter the main software version page, as shown in the following figure.

(2) Click the Browse button to select the local software version file.

(3) Click the Upload version button. The system starts uploading the software version to the
device; this takes some time, so please be patient.
2. Set the software version for the next boot
After selecting a software version, click the Upload and next version button, as shown in
the following figure.


Figure 1-14 Upload and next version

3. Restart the device

Click the restart button in the upper right corner of the Web page to restart the device
manually.

1.4 Introduction to common operations


The device Web interface uses a number of common operations. Where they occur later in this
manual they are not described again.
1. Confirm and cancel
The Confirm and Cancel buttons are in the upper right corner of the page:

 Confirm: apply the parameters that have been set so that the configuration takes effect.
 Cancel: discard configuration that has not yet taken effect.
2. Add and delete configurations
A configuration list generally provides two functions, add and delete.

 Add: click the add icon to add a new entry below the existing entries.
 Delete: click the delete icon; the entry turns red and is marked for deletion. It is deleted
when you click the Submit button in the upper right corner of the page. To keep the entry,
click the Delete icon again. An entry marked for deletion cannot be modified.


3. Import and export


The import/export function exports the active configuration as a local backup, or imports a
local configuration file into the configuration list to create entries in batch:

 Export: save the configuration to the local host.

 Import: import a local configuration file. Use the <Browse> button to select the file, then
choose overwrite import or append import. Overwrite import replaces the existing configuration
with the imported one; append import adds the imported entries to the existing configuration.

If the file contains entries identical to those already in the configuration list, the import
fails.

4. Page turn operation


The page-turn controls help you locate configuration entries quickly:

 Page drop-down box: select one of the available pages.
 Page-size drop-down box: select how many entries are displayed per page; the options are
10, 25, 50, 100 and 200.
 Previous-page and next-page icons: move back or forward one page.
 First-page and last-page icons: jump to the first or last page.


5. Common icons

Table 1-2 Common icons

Name | Description
Copy or add | Add a new configuration entry below the existing one
Delete | Delete a configuration item or configuration file
Save | Save the current configuration file
Export | Export the configuration file to the local host
Switch or roll back | Switch: the device restarts automatically and switches to the selected
configuration. Rollback: the device rolls back to the selected configuration without rebooting.
Sort | Adjust the order of the policies
Insert | Insert a new configuration item above the current item
Force offline | Force an online administrator or online user to exit or go offline


2 Device Monitor
2.1 System monitoring
System monitoring includes three modules: device information/status, CPU statistics and flow
statistics.

 Device status: displays configuration information such as the device name, time, model,
serial number, number of slots, power supplies and fans, and PCB version, together with the
status of the power supplies, fans and each slot.
 CPU statistics: shows the usage of each CPU core averaged over the last 30 seconds, 1 minute
and 5 minutes, and a graph of the average utilization of the data cores and control cores over
the last 24 hours.
 Flow statistics: shows the traffic of the last 24 hours graphically.

2.1.1 Device information / status

Select Basic > Device Monitor > System Monitoring > Device Information/Status from
navigation tree to enter the device information/status page, as shown in the following figure. This
page allows you to view the device information, device status, and slot status.
1. Device information /status
The device information mainly shows the basic information of the device, as shown in the
following figure.


Figure 2-1 Device information / status

The parameters of device information /status are shown in the following:

 System name: the name of the system, default is DPTECH.


 System time: the system time and time zone. It can be set manually or synchronized through
NTP.
 System time zone: the current time zone of the system.
 Software version: the software version of the device.
 Factory default management port: device default management interface.
 Factory default management port address: device default management port IP address.
 Memory size: the memory capacity of the device.
 External information: the type and capacity of the device.
 Device serial number: serial number of the device.
 PCB hardware version: PCB hardware version information.
 CPLD hardware version: device CPLD hardware version information.
 Conboot Version: device Conboot version information.
The device status information shows the current health of the device: CPU, memory, hard disk
and CF card usage, fan and power supply status, and CPU and motherboard temperature. A green
indicator means normal operation; a red indicator means a threshold has been exceeded or the
component is faulty. Hover the mouse over an indicator to display its status.

2.1.2 CPU statistics

Select Basic > Device Monitor > System Monitoring > CPU Statistics from navigation tree to


enter the CPU Statistics page, as shown in the following figure.

Figure 2-2 CPU statistics

The CPU statistics page shows the CPU usage of the device; use the slot selector to view a
particular slot. The figure above shows slot 1: a table of the average usage of the control
cores and data cores over the 30 seconds, 1 minute and 5 minutes before the current time, and a
curve of the average utilization of all control cores and all data cores for each period in the
last 24 hours. In the table, columns 0 to 11 (blue) are the control cores and columns 12 to 15
(white) are the data cores. In the graph, the blue curve is the average utilization of the
control cores and the yellow curve that of the data cores.

 The total number of cores differs between product models.

 The number of control cores can be changed through the vcpu setting under Basic >
System Management > Device Settings; the cores not assigned as control cores are used as
data cores.

2.1.3 Flow statistics

Select Basic > Device Monitor > System Monitoring > Flow statistics from navigation tree to
enter the flow statistics page, as shown in the following figure.


Figure 2-3 Session statistics

The flow statistics page shows the average traffic curve for each time period in the last 24
hours. The unit is Kbit/s and is scaled according to the traffic volume.

2.2 Session monitoring

2.2.1 Session statistics

Select Basic > Device Monitor > Session Monitoring > Session Statistics from navigation
tree to enter the session statistics page. The display information includes overall statistics,
accurate statistics, and session charts.
1. Overall statistics
The overall statistics show the session statistics of the equipment business board. As shown in
the following figure.


Figure 2-4 Overall statistics

The overall statistics can be refreshed automatically or manually.

The parameters of the overall statistics are as follows:

 Spec: the maximum number of sessions supported.
 Current concurrency: the current total number of sessions.
 Connect per second: the number of new sessions per second.
 IPv4 open: the current number of IPv4 sessions.
 IPv4 TCP open: the current number of IPv4 TCP sessions.
 IPv4 UDP open: the current number of IPv4 UDP sessions.
 Other IPv4 open: the current number of IPv4 sessions of other protocols.
 IPv6 open: the current number of IPv6 sessions.
 IPv6 TCP open: the current number of IPv6 TCP sessions.
 IPv6 UDP open: the current number of IPv6 UDP sessions.
 Other IPv6 open: the current number of IPv6 sessions of other protocols.
Below these, the session statistics trend chart plots the session counts of the different
session types. You can select several protocols to view; each protocol is drawn as a curve of a
different color.

2.2.2 Session list

Select Basic > Device Monitor > Session Monitoring > Session List from navigation tree to
enter the session list, as shown in the following figure.


Figure 2-5 Session list

The query conditions are slot number, session type, protocol type, initiator source IP address,
initiator source port, initiator destination IP address, initiator destination port and policy
name. A condition that is left unset is not used as a filter.

Click the Query button to display the results in the session list. Click the <Delete> button
to reset the query.

The parameters in the session list are as follows:

 No.: the number of the session entry.
 Protocol type: the protocol of the session.
 Session status: the status of the session.
 Create time: the time the session was created.
 Left time / aging time: the remaining lifetime of the session.
 Initiator Source Address:Port -> Destination Address:Port: the source address/port and
destination address/port of the initiator.
 Number of initiator packets / bytes: the number of packets and bytes sent by the initiator.
 Responder Source Address:Port -> Destination Address:Port: the source address/port and
destination address/port of the responder.
 Number of responder packets / bytes: the number of packets and bytes sent by the responder.
 Detail information: when enabled, the detailed information of the session is displayed.

2.2.3 Session ranking

Select Basic > Device Monitor > Session Monitoring > Session Ranking from navigation tree
to enter the session ranking, as shown in the following figure.


Figure 2-6 Session ranking

The query conditions are slot number, statistical mode and ranking. If they are not set, the
result is not ranked.

The parameters of the session ranking are as follows:

 No.: the sequence number of the entry.
 IP address: the source or destination IP address of the sessions, according to the
statistical mode selected.
 Session number: the number of sessions counted for that address.


3 Basic Configuration
3.1 OVC

3.1.1 OVC technology introduction

OVC (OS-Level Virtual Context) is a virtualization technology that divides one physical device
into multiple logical devices. After OVC virtualization, the logical devices on the same
physical device have independent hardware and software resources, forwarding entries,
management planes and logs, and the operation of one logical device does not affect the others.
OVC virtualizes both resources and management: the physical device's resources are pooled, so
service deployment and adjustment are no longer limited by the physical device itself. This
reduces construction and operating cost, allows flexible on-demand deployment and provides
complete fault isolation, solving the problems of security isolation between services and
on-demand resource allocation. It thus creates the basic conditions for moving network security
toward a dynamic, flexible cloud service model.

3.1.1.1 Definition of basic technical terms

 Public OVC: the default OVC instance that exists in the system's initial state; initially
all resources belong to it.
 Ordinary OVC: any OVC instance other than the public OVC. After an ordinary OVC is created,
any system resource not assigned to an ordinary OVC still belongs to the public OVC.

3.1.1.2 OVC architecture and realization principle

OVC is an operating-system-level virtualization technology that provides 1:N virtualization.
The OVC system architecture is shown below.


Figure 3-1 OVC system architecture

With system-level virtualization, each OVC can be assigned its own hardware and software
resources: ports, CPUs, memory, and limits on the number of sessions, new connections per
second, concurrent connections, throughput, routing entries and security policies. The actual
specification of each OVC can thus be customized flexibly.

OVC lets the system perform independent process, memory and disk management for each virtual
device, with no resource-scheduling or performance loss from switching between virtual devices.
Because the virtualization is done by the operating system, each OVC is isolated from the
others on the management, control, data and service planes and forms a completely independent
logical device. The operating system kernel schedules the OVC virtual devices and allocates
hardware resources to each of them according to a preset resource template.

3.1.1.3 Management plane virtualization

As shown in the following figure, OVC implements 1:N virtualization of the physical device, and
each OVC can be regarded as a standalone device. Users access and manage an OVC through the
network interfaces belonging to that OVC. Each OVC has its own HTTP/CLI/SNMP/SYSLOG management
protocol processes, stores its configuration file separately, and can be restarted and have its
configuration restored independently. Each OVC has its own administrators and log files, and its
system and operation logs can be sent independently to a log server. Each OVC is managed by its
own administrators, and OVCs are not visible to one another.


Figure 3-2 OVC configuration management

3.1.1.4 Control plane virtualization

Each OVC starts its own management process to manage the system resources it owns, and its own
protocol processes (such as OSPF, IS-IS, BGP and other routing protocols) to maintain its
protocols. Each OVC runs separate protocol processes, and these processes do not interfere with
one another.

As shown in the following figure, OVC1 enables OSPF and IS-IS, OVC2 enables OSPF, RIP and BGP,
and OVC3 enables IS-IS and BGP, each with separate processes. A failure of a protocol process in
one OVC does not affect the corresponding processes in the other OVCs.

Figure 3-3 Control plane virtualization


The benefit of control plane virtualization is fault isolation between OVCs. As shown in the
following figure, a failure of the OSPF process in OVC2 stops OSPF in that OVC only; the OSPF
processes in the other OVCs continue to run and are not affected at all.

Figure 3-4 Fault isolation between OVC

3.1.1.5 Data plane virtualization

When an OVC is created, the system divides the interface resources among the OVCs; each OVC
manages its interfaces with its own virtual data plane, and the OVCs are completely isolated
from one another. Traffic arriving on an OVC interface is looked up only in the forwarding
entries belonging to that OVC and can be forwarded only out of interfaces belonging to that
OVC. Routing protocols likewise run only on the OVC's own interfaces, so each OVC's forwarding
entries reference only its own interfaces, and the routing and forwarding of different OVCs are
completely isolated.

A security device must establish a session for forwarded packets in order to record state
information. To keep the forwarding information of each OVC completely isolated, each OVC has
its own session table; when forwarding a packet, the device queries and maintains only the
session table of that OVC. Sessions of different OVCs do not interfere with one another, so the
address space and forwarding information of each OVC are completely independent.

3.1.1.6 Service plane virtualization

In addition to network resource virtualization, OVC virtualizes the full range of L4 to L7
services, such as firewall, IPS, load balancing, flow control and traffic cleaning. All network,
security and application resources are broken down into service resources of different
granularity, and the top-level administrator can flexibly allocate the full range of L2 to L7
service resources when creating an ordinary OVC and assigning its resources.

As shown in the following figure, once the system resources are pooled, each OVC configures the
security policies of its services independently and processes its own L4 to L7 services
independently. The security services of different OVCs are completely isolated, realizing full
L4 to L7 virtualization.

Figure 3-5 Service plane virtualization

3.1.2 OVC configuration

Select Basic > Basic Configuration > OVC from navigation tree to enter the OVC configuration
page, as shown in the following figure.

Figure 3-6 OVC configuration

OVC configuration is disabled by default. Check "Enable OVC configuration" and click the Submit
button to enable it; this is the prerequisite for creating, modifying and deleting OVC
configurations.

The parameters of OVC configuration are as follows:

 Name: OVC name, in Chinese or English. Once the configuration has been submitted, the name
cannot be changed. A valid name is not empty, does not contain the characters ~ ` ! @ # $ % ^ &
* \ ' " < >, does not duplicate an existing OVC name and does not exceed 31 bytes (a Chinese
character occupies 3 bytes, an English character 1 byte).
 Virtual system: read-only display of the virtual system the OVC belongs to; it cannot be
configured. A newly created OVC belongs to PublicSystem by default.
 Interface: the OVC's interface resources. Click the list item to open the interface list
window. The window of OVC_0 only displays the public interface resources and cannot be
configured. For any other OVC the window shows the interfaces that belong to the OVC and the
interfaces available to it; check or uncheck an interface to add it to or remove it from the
OVC.
 Management services: whether administrators of this OVC may access the Web page. When
checked, administrators of this OVC have Web access; otherwise they do not.

Because the device command line cannot display Chinese characters, it is recommended that OVC
names use only characters the command line accepts, such as digits, letters and underscores.
Otherwise the OVC cannot be accessed from the command line.

3.2 VRF
VRF (VPN Routing and Forwarding instance) is a technology that lets one router hold several
independent routing and forwarding instances. The instances are independent of one another, so
identical or overlapping IP addresses in different instances do not conflict. VRF isolates
network paths on the same device and thereby improves security, although it is path isolation
only and does not by itself provide encryption or authentication of the traffic.

Each VRF can be regarded as a virtual router, as if it were a dedicated PE device. The virtual
router consists of:

 A separate routing table, and therefore a separate address space;
 A set of interfaces belonging to this VRF;
 A set of routing protocols used only by this VRF.
A PE can maintain one or more VRFs in addition to the public network routing table (also called
the global routing table). The VRF instances are independent of one another.

VRF solves the following problems:

 PE-like functionality: routing the traffic of different VPN users.
 Address overlap: supporting customer devices that use private addresses, or several VPNs
that use the same address space. It also supports overlapping VPNs, where one site belongs to
several VPNs at the same time.


VRF configuration covers enabling and disabling VRF, creating, modifying and deleting VRFs, and
assigning interface resources to VRFs.

Select Basic > Basic Configuration > VRF from navigation tree to enter the VRF configuration
page, as shown in the following figure.

Figure 3-7 VRF configuration

VRF configuration is disabled by default. Check "Open VRF configuration" and click the Submit
button to enable it. Enabling VRF configuration is a prerequisite for creating, modifying and
deleting VRFs. VRF and OVC cannot be enabled at the same time. When VRF is disabled, all
existing VRFs are deleted.

The parameters of the VRF configuration page are as follows:

 Name: VRF name, in Chinese or English. A valid VRF name cannot be empty, cannot contain
the illegal characters (~ ` ! @ # $ % ^ & * \ '' < >), cannot duplicate an existing VRF name,
and cannot exceed 31 bytes (a Chinese character occupies 3 bytes, an English character
1 byte).
 Virtual system: statically displays the virtual system the VRF belongs to; it cannot be
configured by the user. A new VRF displays PublicSystem by default.
 Interface: the interface resources of the VRF. Click the configuration item to open the
interface configuration window. The window of VRF_0 only displays the public interface
resources and cannot be configured. For any other VRF, the window shows the interfaces
that already belong to the VRF and the interfaces that are available to it. Add or remove
interface resources by checking or unchecking the interfaces' check boxes.

Since the device command line cannot display Chinese characters, it is recommended that the
VRF name use only characters the command line can recognise, such as digits, letters and
underscores. Otherwise the VRF cannot be accessed from the command line.

3.3 Virtual system

3.3.1 Introduction

A virtual system logically divides one physical device into multiple virtual devices; each virtual
system is a subset of the functions of the original physical device. Each virtual system can be
seen as a completely independent device with its own system resources, administrators and
security policies.

Virtual systems are mostly deployed in an operator's or IDC's network: the operator buys and
maintains the physical device, and users rent one or more virtual devices and manage their
own share of the resources.

Defects of traditional equipment deployment:

 More departmental divisions require more independent devices, raising ownership and
maintenance costs.
 Multiple stand-alone devices occupy more rack space and complicate the structured cabling.
 More physical devices mean more network elements to manage, which increases the
complexity of network management.

The role of virtual systems:

 Deploying an independent security policy for each business or department by dividing the
same physical device into multiple logical devices (virtual systems).
 Virtual systems greatly reduce the capital users have to invest.
 Virtual systems make security policy deployment more flexible: when user businesses
change or new business units appear, virtual systems can be added to or removed from the
physical device directly.

3.3.2 Virtual system configuration

Select Basic > Basic Configuration > VSM > VSM configuration from navigation tree to enter
the VSM configuration page, as shown in the following figure.

Figure 3-8 Virtual system configuration

The virtual system function is disabled by default. Check "Open virtual system configuration"
and click the Submit button to enable it. Enabling the virtual system function is a prerequisite
for creating, modifying and deleting virtual systems.

Virtual systems support import and export. Import is an overwriting import: it deletes all virtual
systems the user has configured. An exported configuration file can be imported directly, or
edited and then imported.

The parameters of the configuration list are as follows:

 Name: the name of the virtual system, in Chinese or English. A valid virtual system name
cannot be empty, cannot contain the illegal characters (~ ` ! @ # $ % ^ & * \ '' < >), cannot
duplicate an existing virtual system name, and cannot exceed 63 bytes (a Chinese character
occupies 3 bytes, an English character 1 byte).
 ID: ID number of the virtual system.
 Type: the type of the virtual system.
 Resource: the interface resources selected for the virtual system.

Because the device command line cannot display Chinese characters, it is recommended that
the virtual system name use only characters the command line can recognise, such as digits,
letters and underscores. Otherwise the virtual system cannot be accessed from the command
line.
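The naming rules for VRFs (31 bytes) and virtual systems (63 bytes) share the same illegal-character list and the same byte-counting convention, and the command-line recommendation applies to OVC, VRF and virtual system names alike. The following Python is an added example, not code from this manual or from DPtech, that checks a proposed name against those rules before it is submitted; the `kind` parameter, the reading of the two quote marks in the manual's list as ' and ", and the `cli_addressable` interpretation of "numbers, letters, or underscores" are assumptions of the example.

```python
import re

# Characters the manual lists as illegal in VRF and virtual system names
# (assumption: the two quote marks in the manual's list are ' and ").
ILLEGAL_CHARS = set("~`!@#$%^&*\\'\"<>")

# Maximum name length in bytes, per object type, as stated in the manual.
MAX_NAME_BYTES = {"vrf": 31, "vsys": 63}

# Characters the manual recommends so that the CLI can address the object.
# Assumption: the exact CLI name grammar is not given, so this is the
# conservative reading of "numbers, letters, or underscores".
CLI_SAFE = re.compile(r"^[A-Za-z0-9_]+$")


def validate_name(name, kind, existing=()):
    """Return the list of rule violations for `name`; an empty list means the
    name would be accepted by the Web page for a `kind` of "vrf" or "vsys"."""
    if not name:
        return ["name is empty"]
    problems = []
    bad = sorted(set(name) & ILLEGAL_CHARS)
    if bad:
        problems.append("illegal characters: " + "".join(bad))
    # The manual counts bytes, not characters: a Chinese character occupies
    # 3 bytes and an English letter 1 byte, which matches UTF-8 encoding.
    nbytes = len(name.encode("utf-8"))
    if nbytes > MAX_NAME_BYTES[kind]:
        problems.append(f"{nbytes} bytes exceeds the {MAX_NAME_BYTES[kind]}-byte limit")
    if name in existing:
        problems.append("duplicates an existing name")
    return problems


def cli_addressable(name):
    """True when the name can also be typed at the device command line."""
    return bool(CLI_SAFE.match(name))
```

A name such as "财务部" passes `validate_name` (9 bytes, no illegal characters) but fails `cli_addressable`, which is exactly the situation the manual warns about: the object exists but cannot be reached from the command line.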

3.3.3 Virtual system parameter settings

Select Basic > Basic Configuration > VSM > Virtual System Parameter Settings from
navigation tree to enter the virtual system parameter settings page, as shown in the following
figure.

Figure 3-9 Virtual system parameter settings

The configuration parameters are as follows:

 Name: the name of the virtual system.
 Session count limit: the maximum number of sessions allowed in this virtual system, in
thousands.
 Rate limit: the maximum rate at which new sessions may be created, per second.
 Throughput limit: the maximum throughput, in Mbps.
 CPU using rate limit: the maximum CPU usage, in percent.
 Memory using rate limit: the maximum memory usage, in percent.
 Configuration specs limit: the maximum number of packet filtering configurations.

If a parameter is set to 0 or left blank, it is not restricted. Click the Submit button when the
configuration is complete.

4 System Management
4.1 Login management

4.1.1 Administrator

4.1.1.1 Administrator configuration

Select Basic > System Management > Administrator > Administrator from navigation tree to
enter the administrator configuration page. The functions of the administrator sub-module
include the current Web login administrator, administrator settings, administrator authentication
settings, and login parameter settings.
1. Administrator configuration
In the administrator settings list, you can configure the administrator account name, password,
permissions and other information, as shown in the following figure.

Figure 4-1 Administrator configuration

By default, the configuration of the admin account cannot be modified or deleted. Click the
icon to add an administrator account. The configuration items are as follows:

 Administrator: the name of the administrator account. The user name must begin with a
letter and consist of 3 to 20 characters drawn from letters, digits, "_" and "-".
 Description: the description of the administrator account.
 Password: the password of the administrator account. The password is 10 to 128 characters
long, must not contain the user name, and must contain characters from at least three of the
four categories: upper-case letters, lower-case letters, digits and special symbols.

 Confirm password: same as the password.
 Virtual system: the virtual system the administrator account logs in to.
 Web configuration range: the range of the Web system the administrator account can
configure. There are five configuration ranges: Super, System Configuration, Business
Configuration, Log Configuration and Readonly.
 Administrator level: one of five levels 1, 2, 3, 4 and 5; 1 is the highest and 5 the lowest.
 Allow login IP: the IP addresses allowed to log in to the Web management system.
 Status: the status of the administrator account, either normal or locked. A locked
administrator cannot log in to the system.

2. Administrator authentication configuration

The system provides four authentication methods: local authentication, RADIUS authentication,
TACACS+ authentication and LDAP authentication. The default is local authentication. To
configure another authentication method, click the corresponding check box, as shown in the
following figure.

Figure 4-2 Administrator authentication configuration

Introduction to the four authentication methods:

 Local authentication
In local authentication the authentication service is provided by the device itself. When an
administrator logs in, the device passes the received authentication request to the
corresponding authentication module, which compares it with the account information stored in
the local database. If the user name and password match, a success message is returned;
otherwise a failure message is returned.

 RADIUS authentication
When RADIUS is selected as the authentication method, a third-party RADIUS server provides
the authentication service, and the account and password the administrator uses to log in are
stored on that server. When the administrator logs in, the device forwards the received
authentication request to the RADIUS server, which compares the user name and password in
the request with the information it stores. If they match, a success message is returned;
otherwise a failure message is returned. RADIUS is carried over UDP, using port 1812 for
authentication and port 1813 for accounting.

 TACACS+ authentication
When the authentication method is TACACS+, the authentication server is Cisco TACACS+.
TACACS+ is carried over TCP on port 49. TACACS+ (Terminal Access Controller
Access-Control System Plus) is, like RADIUS, an AAA-based management method that
provides authentication, authorization and accounting functions.

 LDAP authentication
When the authentication method is LDAP (Lightweight Directory Access Protocol), the device
forwards the authentication request to the LDAP server. LDAP acts like a simple database that
stores the user name and password data used in the firewall's authentication process. LDAP is
widely used, and the device supports a standard third-party LDAP server as the authentication
server.
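As an added illustration of the RADIUS exchange described above (example code written for this page, not DPtech's implementation), the Python below builds the Access-Request datagram that a RADIUS client such as the firewall sends to UDP port 1812 and parses it back the way the server does. The User-Password hiding is the scheme defined in RFC 2865 section 5.2; the user name, password and shared secret used in the test are constructed values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1       # RADIUS packet code for Access-Request (RFC 2865)
ATTR_USER_NAME = 1       # attribute types used below
ATTR_USER_PASSWORD = 2
RADIUS_AUTH_PORT = 1812  # UDP port for authentication; 1813 is accounting


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad the password to 16-byte blocks and XOR each
    block with MD5(secret + previous block), the first block using the
    16-byte Request Authenticator."""
    pw = password.encode()
    pw += b"\x00" * (16 if not pw else -len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(pw[i:i + 16], keystream))
        out += block
        prev = block
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()


def attribute(atype, value):
    """Type-Length-Value attribute; the length counts its own 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(username, password, secret, identifier, authenticator=None):
    """Build the Access-Request datagram the device would send to UDP/1812."""
    authenticator = authenticator or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username.encode())
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(data):
    """Split a RADIUS datagram into (code, identifier, authenticator, {type: value})."""
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length > len(data) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return code, identifier, data[4:20], attrs
```

The keystream that hides the password is derived only from the shared secret and the per-request authenticator, so the confidentiality of an administrator's password in transit rests on the strength of that secret and on keeping the UDP/1812 traffic inside the management network.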

3. Login parameter configuration

Login parameters are the basic settings for users logging in to the device, such as the timeout,
lock settings, password rules and the permissions of remotely authenticated users.

Figure 4-3 Login parameter configuration

The login parameters are described as follows:

 Timeout time: if no operation is performed for this period, the system pops up a timeout
prompt and you must log in again. The default timeout is 300 seconds.
 Wrong login lock times: the number of consecutive wrong-password logins after which the
account is locked. The options are 3, 4 and 5; the default is 5.
 Automatic unlocking time after locking: the range is 1~65535 seconds. The default is 1800
seconds.
 Maximum number of logins for a single user: the maximum number of users allowed to log
in to the device via the Web with the same administrator account.
 Maximum number of Web users: the maximum number of users allowed to log in to the
device through the Web. The range is 1 to 32; by default 5 users may log in via the Web.
 Password strength: one of three levels, high, medium and low.
    High: the length is between 10 and 128, the password does not contain the user name,
and it contains three of the four categories upper-case letters, lower-case letters, digits
and special symbols.
    Medium: the length is between 8 and 128, and the password does not contain the user
name.
    Low: by default the length is between 8 and 128; the minimum is taken from "Minimum
length of low-strength password".
 Minimum length of low-strength password: the range is 1~16; the default is 8.
 Password validity period: either permanent or a number of days in the range 1~365.
 Remote authentication administrator configuration range: one of the five configuration
ranges Super, System Configuration, Business Configuration, Log Configuration and
Readonly. It can only be configured when a non-local authentication method is selected in
the authentication settings.
 Remote authentication administrator level: the level of remotely authenticated users, one of
the five levels 1, 2, 3, 4 and 5. It can only be configured when a non-local authentication
method is selected in the authentication settings. The level is the user's authority and only
applies when the logged-in user modifies attributes of other users, such as their passwords,
user groups and rights. Level 1 is the highest and can modify users of levels 1~5; users of
other levels cannot modify users of the same level and can only modify users with lower
authority than themselves. For example, a user with level 2 can only modify users with
levels 3, 4 and 5.
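The administrator naming rule from section 4.1.1.1, the three password strength levels and the lock settings listed above can be expressed as one small policy checker. The Python below is an added example, not DPtech's code; the case-insensitive user-name check and the injectable clock are assumptions of the example, and the numeric limits are the ones the page states.

```python
import re
import time

# Administrator name rule from the manual: begins with a letter, then letters,
# digits, "_" or "-", 3 to 20 characters in total.
ADMIN_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{2,19}$")


def check_admin_name(name):
    """True when the account name satisfies the administrator naming rule."""
    return bool(ADMIN_NAME.match(name))


def _categories(pw):
    """Count how many of the four categories (upper, lower, digit, symbol) occur."""
    checks = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for c in checks if re.search(c, pw))


def check_password(pw, username, strength="high", low_min_len=8):
    """Return the list of policy violations for the chosen strength level
    ("high", "medium" or "low"); an empty list means the password passes.
    `low_min_len` is the "minimum length of low-strength password" (1..16)."""
    if strength == "high":      # 10..128, no user name, 3 of 4 categories
        min_len, need_cats, no_user = 10, 3, True
    elif strength == "medium":  # 8..128, no user name
        min_len, need_cats, no_user = 8, 0, True
    elif strength == "low":     # configurable minimum length only
        min_len, need_cats, no_user = low_min_len, 0, False
    else:
        raise ValueError(f"unknown strength {strength!r}")
    problems = []
    if not (min_len <= len(pw) <= 128):
        problems.append(f"length must be between {min_len} and 128")
    # Assumption: "does not contain the user name" is checked case-insensitively.
    if no_user and username and username.lower() in pw.lower():
        problems.append("password contains the user name")
    if need_cats and _categories(pw) < need_cats:
        problems.append(f"needs {need_cats} of the 4 character categories")
    return problems


class LoginLockout:
    """Locks an account after `lock_after` consecutive wrong passwords (options
    3, 4 or 5; default 5) and unlocks it automatically `unlock_seconds` later
    (1..65535; default 1800). `clock` is injectable so the behaviour can be
    exercised without waiting."""

    def __init__(self, lock_after=5, unlock_seconds=1800, clock=time.time):
        if lock_after not in (3, 4, 5) or not 1 <= unlock_seconds <= 65535:
            raise ValueError("value outside the ranges the page allows")
        self.lock_after, self.unlock_seconds, self.clock = lock_after, unlock_seconds, clock
        self.failures = {}    # account -> consecutive wrong-password count
        self.locked_at = {}   # account -> time the lock started

    def is_locked(self, account):
        started = self.locked_at.get(account)
        if started is None:
            return False
        if self.clock() - started >= self.unlock_seconds:
            del self.locked_at[account]          # automatic unlock
            self.failures.pop(account, None)
            return False
        return True

    def record(self, account, password_ok):
        """Record one login attempt; returns "locked", "ok" or "failed".
        A locked account is refused even when the password is correct."""
        if self.is_locked(account):
            return "locked"
        if password_ok:
            self.failures.pop(account, None)
            return "ok"
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= self.lock_after:
            self.locked_at[account] = self.clock()
            return "locked"
        return "failed"
```

Note that `record` refuses a locked account even when the password is right, which is what the "locked" status in section 4.1.1.1 describes, and that a successful login resets the failure counter so that an occasional typo does not accumulate towards the lock threshold.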
4. Separation of the three powers of the administrator
Click the Enable button to enable separation of the administrator's three powers.

After enabling this function, only the default three accounts can be used to log in to the device. It
is recommended that users do not enable it.

4.1.1.2 Web authority management

The system predefines five basic rights: Super, System Configuration, Business Configuration,
Log Configuration and Readonly. Allocating rights sensibly, so that managers with different
responsibilities can only reach the function modules within their own scope, improves the
confidentiality of the system and is an effective means of security management.

 Super role: the system's highest administrative authority; an account with this role has
configuration management rights over all function modules of the system.
 System role: has the configuration management rights of the system.
 Business configuration role: has the configuration management rights of the system's
business modules.
 Log configuration role: has configuration access to the system's log-related modules.
 Readonly role: has the right to view the relevant modules.

The system supports custom management authority, so that users can tailor the access rights
of administrator accounts to their actual management requirements and control access to the
system's service modules more effectively.

Select Basic > System Management > Administrator > Web Authority Management from
navigation tree to enter the web authority management page.

Figure 4-4 Web authority management


The parameters of Web authority management page are shown in the following:

 Name: the name of the administrative privilege. The function modules each privilege can
manage are listed in the corresponding "configuration view" list item.
 Scope: the function modules with view permission.
 Reboot: whether the privilege may restart the device.
 Privilege: whether the privilege may configure the corresponding module.

The five predefined administrative privileges cannot be modified or deleted. Click the icon to
add a custom administrative privilege. Once the configuration is complete, click the Submit
button at the top right of the page.

4.1.1.3 Currently online administrator

Figure 4-5 Current online administrator

The current online administrator list displays the following information:

 Administrator: the account name currently logged in to the Web management system.
 Login time: the time the login to the Web management system started.
 Last operation time: the last time the Web page was operated.
 Login IP address: the IP address from which the Web management system is accessed.
 Operation: when several administrators are logged in to the Web management system at the
same time, the account with the highest privilege can force the others out by clicking the
icon.

When the same login address is used repeatedly in several browsers or tabs to log in to the
device's Web interface, multiple records appear in the "Current Web Login Administrator" list
because of browser caching. Simply closing the browser does not log the session out
completely, which is a security risk: the session is only fully ended, and its record removed
from the list, after the login times out or the session is forcibly exited. Administrators are
therefore advised to log in to the device's Web interface once and not repeatedly. Click the
button at the top right of the page to log out of the device's Web interface.

4.1.2 Management protocol

4.1.2.1 Web access protocol configuration

The Web access protocol configuration module provides the basic configuration of Web access
functions, including HTTP and HTTPS protocol configuration, USB key authentication
configuration.

Select Basic > System Management > Administrator > Web Access Protocol Configuration
from navigation tree to enter the Web access protocol configuration page, as shown in the
following figure.

Figure 4-6 Web access protocol configuration

The parameters of the Web access protocol configuration page are described as follows:

 HTTP protocol configuration: after HTTP is enabled, the Web management system can be
accessed over HTTP; the port number is 80 by default.
 HTTPS protocol configuration: after HTTPS is enabled, the Web management system can be
accessed over HTTPS; the port number is 443 by default. The encryption strength has four
levels: high, medium high, medium and low. After administrator certificate authentication is
enabled, a certificate must be installed to access the Web management system.
 USB_KEY authentication configuration: after USB_KEY authentication is enabled, users
must pass USB_KEY authentication before accessing the Web management system. The
port number is 8443 by default.
 Login mode configuration: page login or fingerprint login; fingerprint login requires the
device to be equipped with a fingerprint reader.
 Web allows login IP address list: only the address segments added to the list can access
the device's Web management system. You can also choose whether to enable local log
sending; when enabled, the system writes a local log whenever a Web connection operation
occurs.
 Web allows login MAC address list: only MAC addresses added to the list can access the
device's Web management system.
 Web allows login time: the device's Web management system can only be accessed within
the configured start and end time.
 Web attack protection configuration: the read timeout is the maximum buffer time for
accessing the Web management system, default 20s, range 1~360s; the write timeout is the
maximum buffer time for updating the Web management system, default 60s, range 1~360s;
the number of concurrent connections is the number of sessions accessing the Web
management system at the same time, default 100, range 5~200.

After the configuration is complete, click the Submit button at the top right of the page.

4.1.2.2 Telnet/SSH login management

Telnet/SSH login management sets the login modes available to remote users and the
addresses from which remote users may log in.

Select Basic > System Management > Administrator > Telnet/SSH login management from
navigation tree to enter the Telnet/SSH login management page, as shown in the following
figure.

Figure 4-7 Telnet/SSH login management

The Telnet/SSH login management parameters are as follows:

 Telnet requires the following parameters:
    Port: the Telnet port number, 23 by default.
    Maximum number of Telnet users: the maximum number of users connected through
Telnet, 1 to 32.
    Enable password authentication: when selected, the device can be connected to directly
through Telnet without entering a password.
    Enable local password authentication: when selected, the local password must be entered
when connecting to the device via Telnet. The local password is empty by default and must
be configured manually.
    Enable username and password authentication: when selected, a user name and
password must be entered when connecting to the device via Telnet. By default the user
name is admin and the password is admin_default.
 SSH requires the following parameters:
    Port: the SSH port number, 22 by default.
    Maximum number of SSH users: the maximum number of users connected through SSH,
in the range 1 to 32.
    Enable username and password authentication: a user name and password must be
entered when connecting to the device via SSH.
    Enable public key authentication: connecting to the device via SSH uses public key
authentication; the SSH public key must be imported.
 SSH public key configuration: each user corresponds to a different SSH public key. Import
an SSH public key from the local machine with the "Browse" button, and click the icon to add
further public keys.
 Telnet/SSH allowed login address list: add the address segments that are allowed to log in
to the device through Telnet and SSH.

 After the configuration is complete, click the <Confirm> button at the top right of the page.
 By default the terminal output function is disabled and the <Disable terminal output> button
is not needed. To view debugging information, terminal output is enabled with the "terminal
monitor" command, after which debugging information is displayed continuously and is
inconvenient to turn off from the terminal. You can turn it off by clicking the <Disable
Terminal Output> button on the Web interface.

4.1.2.3 Limited interface service

Interface service restriction limits which protocols may be used on each business interface to
access the Web management system. The protocols are HTTPS, HTTP, Telnet, SSH and
Ping.

Select Basic > System Management >Administrator > Management Protocol from
navigation tree to enter the limited interface service page, as shown in the following figure.

Figure 4-8 Limited interface service

The configuration method is as follows:

(1) Click the drop-down list of interface names and select one of the interfaces;

(2) Click the services to be restricted, one or more can be restricted;

(3) Click the OK button on the upper right to make the configuration effective.

After an interface service restriction takes effect, the device no longer provides the
corresponding service on that interface, so the outside world cannot reach the device that way.
Each configuration entry applies to one interface; click the icon to add further entries.
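The Web allowed IP, MAC and time lists (4.1.2.1), the Telnet/SSH allowed address list (4.1.2.2) and the per-interface service restrictions (4.1.2.3) combine into one admission decision for every management connection. The Python below is an added example of that decision logic, not DPtech's implementation; the policy dictionary and its key names, the interface names and addresses, the "HH:MM" time format and the reading of an empty list as "unrestricted" are constructed assumptions for the example.

```python
import ipaddress

# Constructed sample policy, not a device export; key names, interface names
# and addresses are assumptions made for this example.
POLICY = {
    # Web allows login IP address list (4.1.2.1)
    "web_networks": ["10.0.0.0/24", "192.168.100.0/24"],
    # Web allows login MAC address list
    "web_macs": {"00:11:22:33:44:55"},
    # Web allows login time, as (start, end) in "HH:MM"
    "web_window": ("08:00", "18:00"),
    # Telnet/SSH allowed login address list (4.1.2.2)
    "cli_networks": ["10.0.0.0/24"],
    # Limited interface service (4.1.2.3): services refused per interface
    "restricted": {
        "ge0/1": {"HTTP", "Telnet"},
        "ge0/2": {"HTTPS", "HTTP", "Telnet", "SSH", "Ping"},
    },
}

WEB_SERVICES = {"HTTP", "HTTPS"}
CLI_SERVICES = {"Telnet", "SSH"}


def _hhmm(text):
    """Parse "HH:MM" into an (hour, minute) tuple, which compares naturally."""
    hour, minute = text.split(":")
    return int(hour), int(minute)


def _in_networks(ip, networks):
    """Assumption: an empty list means the list imposes no restriction."""
    if not networks:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def _in_window(now, window):
    """True when `now` lies within the start..end window. A window that
    crosses midnight (start > end) wraps; the manual does not say how the
    device treats that case, so this is an assumption of the example."""
    start, end = _hhmm(window[0]), _hhmm(window[1])
    now = _hhmm(now)
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end


def evaluate(policy, interface, service, src_ip, src_mac=None, now=None):
    """Decide whether one management connection is admitted and say why.
    The per-interface restriction is checked first: a restricted service is
    simply not offered on that interface, whatever the source."""
    if service in policy["restricted"].get(interface, set()):
        return False, f"{service} is restricted on {interface}"
    if service in WEB_SERVICES:
        if not _in_networks(src_ip, policy["web_networks"]):
            return False, "source not in Web allowed IP list"
        macs = {m.lower() for m in policy["web_macs"]}
        if macs and (src_mac or "").lower() not in macs:
            return False, "source MAC not in Web allowed MAC list"
        if now is not None and not _in_window(now, policy["web_window"]):
            return False, "outside Web allowed login time"
    elif service in CLI_SERVICES:
        if not _in_networks(src_ip, policy["cli_networks"]):
            return False, "source not in Telnet/SSH allowed address list"
    return True, "allowed"
```

The ordering matters for troubleshooting: a connection refused because of an interface restriction never reaches the Web or Telnet/SSH allow lists, so when management access fails the interface service page is the first place to look.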

4.2 Version management

4.2.1 Software version

The software version module provides the function of managing and upgrading the device
software version.

Select Basic > System Management > Version Management > Software Version from
navigation tree to enter the software version page, as shown in the following figure.

Figure 4-9 Software version

The software version page shows the version information of the software the system is
currently running. An entry whose "current status" is "next start" is the version the system is
currently running; it can only be saved, not deleted.

Click the Upload and next version button to select the software version to be used at the next
reboot.

Software versions can be uploaded locally or online. If you click the Upload and next version or
Upload restart button, the corresponding operation is executed after the software upgrade.

 Because of storage space limitations, it is recommended to keep no more than 2 software
versions on the device.
 Back up the configuration before upgrading to avoid data loss.

4.2.2 Patch management

A hot patch is a patch based on a specific software version. Upgrading with a hot patch neither
changes the software version nor restarts the device.

Select Basic > System Management > Version Management > Patch Management from
navigation tree to enter the patch management page, as shown in the following figure.

Figure 4-10 Patch management

After the hot patch is imported, the system will automatically upgrade the related function
modules to repair the related defects. When using hot patches, follow the instructions in the hot
patch release notice.

4.2.3 Feature library

The signature database upgrade module provides automatic and manual upgrade of APP, URL
filtering, AV and IPS signature databases, as well as license file management for each signature
database.

4.2.3.1 APP

Select Basic > System Management > Version Management > Feature library > APP from
navigation tree to enter the APP page, as shown in the following figure.

Figure 4-11 APP

The APP feature database upgrade page mainly includes the following three functions:

1. Version information
The version information area displays the version information of the APP feature library. The
parameter description is as follows:

 Current version: Including the release date, current version number and update time of the
signature database version.
 Historical version: including the release date and historical version number of the signature
database version.
 Validity period: The validity period of the current signature database version requires the
purchase of a license.
 Version rollback: This function is used to roll back the signature database to the historical
version.
Version rollback operation method:

(2) Click the rollback button, a confirmation dialog box will pop up.

(3) Click the OK button, the page displays the upgrade progress bar, as shown in the following
figure.

Figure 4-12 Upgrade progress bar

(4) After the upgrade progress is completed, you can return to the historical version. You can
also click the Cancel Upgrade button to abort the version rollback.
2. Online upgrade settings
(1) Tick the "Enable automatic upgrade" check box of the "Automatic upgrade enable"
parameter. "Upgrade mode" changes from non-configurable to configurable.

(2) Select "Automatic download and upgrade" or "Prompt for new version information" in the
"Upgrade method" drop-down box.
 Automatic download and upgrade: after online upgrade is configured, the system
automatically upgrades the signature database when the upgrade time is reached.
 Prompt for new version information: after online upgrade is configured, when the
upgrade time is reached the system prompts that a new version of the signature
database is available, and the user decides whether to upgrade it.
(3) Click the icon next to "Start Time" and set the start time for updating the signature
database in the pop-up calendar.

(4) Click the Save button; "Interval Time" changes from non-configurable to configurable.

(5) In the "Interval Time" drop-down box, select the interval time for automatic version upgrade.
The options are 1~30, and the unit is days. For example, if the interval is selected as 3 days,
the signature database will be automatically detected and updated every 3 days from the
start time.

(6) In the "Upgrade Address" text box, you can configure the address of the signature database
to be automatically upgraded. The default is the signature database upgrade address of
DPtech's official website. Keep the default. If you have any questions, please contact
technical service personnel.

(7) After the configuration is complete, click the Save button again.

(8) If you need to upgrade the signature database immediately, you can click the Upgrade Now
button under the condition that the upgrade address is correct, and the upgrade progress
bar shown in Figure 4-11 will pop up for immediate upgrade.
3. Local upgrade
(1) Click the Browse button to select the local APP signature database file.

(2) Click the OK button; the upgrade progress bar shown in Figure 4-12 pops up for the local
upgrade.

4.2.3.2 URL

Select Basic > System Management > Version Management > Feature library > URL from
navigation tree to enter the URL page, as shown in the following figure.

Figure 4-13 URL

The update method of the URL classification filtering signature database is exactly the same as
that of the APP signature database. For details, refer to "APP Signature Database".

4.2.3.3 AV

Select Basic > System Management > Version Management > Feature library > AV from
navigation tree to enter the AV page, as shown in the following figure.

Figure 4-14 AV

The configuration method of the AV feature library is exactly the same as the APP feature library.
For more information, please refer to "APP Feature Library".

4.2.3.4 IPS

Select Basic > System Management > Version Management > Feature library > IPS from
navigation tree to enter the IPS page, as shown in the following figure.


Figure 4-15 IPS

The configuration method of the IPS signature database is exactly the same as the APP
signature database. For details, please refer to "APP Signature Database".

4.2.3.5 License

License file management is used to register license information files and export the registered
license files.

Select Basic > System Management > Version Management > Feature library > License
from navigation tree to enter the License page, as shown in the following figure.


Figure 4-16 License

The method of importing and exporting the license file of each feature library is the same. Taking
the APP feature library as an example, the method is as follows:

(1) Click the <Browse> button and select the local license file.

(2) Click the <File Import> button to import the local license file.

(3) For signature databases that have registered licenses, click the corresponding <File
Export> button to save the license file locally.

For how to apply for a license file, please contact technical service personnel.

4.3 Configuration file

4.3.1 Configuration file

The configuration file module provides the function of saving the user's current configuration.
With this feature, when multiple devices in the network need the same configuration, users can
export the configuration from one device to a local file and then import it on the other devices,
reducing repeated configuration work. In a hot standby environment, the configuration
synchronization function can synchronize the primary device's configuration to the backup device.

Select Basic > System Management > Configuration File > Configuration File from
navigation tree to enter the configuration file page, as shown in the following figure.

Figure 4-17 Configuration file

A configuration file can be carried across software versions only when the device is upgraded
from the software version corresponding to the configuration file to the next software version;
otherwise, functional abnormalities may occur. Consult technical service personnel about
whether the software version is compatible with the upgrade.

4.4 System configuration


Select Basic > System Management > System Configuration from navigation tree to enter
the system parameter page, as shown in the following figure. All parameters can be kept by
default.


Figure 4-18 System parameter

4.5 Time management

4.5.1 NTP overview

NTP (Network Time Protocol) is a protocol used to synchronize computer time. It allows a
computer to synchronize with a server or a reference clock (such as a quartz clock, GPS, etc.) to
provide high-precision time correction, and it supports authentication to prevent malicious
protocol attacks.

The device can correct its own time from a configured clock server (Client mode) and can also
act as a reference clock that provides clock synchronization services to other hosts (Server
mode). Both IPv4 and IPv6 clock synchronization are supported.
1. NTP Client mode
When the device is configured as an NTP client, multiple reference clocks can be configured,
each with a different priority level. The device uses a statistical algorithm to filter the time
received from the different servers and select the best source and path for correcting the host
time. The NTP service keeps running even if the device cannot contact a clock server for a long
time.

As an NTP client, the device supports the standard NTP protocol and accepts both domain
names and IP addresses. It can synchronize from NTP servers on the Internet or from a clock
server in the LAN.


2. NTP Server mode

The device provides clock synchronization services to other hosts or devices in the network as
an NTP server. Because the device acts as the reference clock, its own time must be accurate,
so first ensure that the device has obtained accurate clock data from a reliable reference clock.
With clock synchronization within the LAN, the system time accuracy can reach 0.1 ms; with time
synchronization from an Internet reference clock, the precision is between 1 and 50 ms.

As an NTP server, the device uses the international standard NTP protocol, so it can provide
clock synchronization services to NTP clients of different types from different vendors in the
network, with good compatibility.
3. NTP authentication
Enabling the NTP function has little effect on system performance. However, when a large
number of NTP clients connect to the NTP server at the same time, the NTP server's CPU,
memory and other resources are consumed, which affects its performance. Therefore, to prevent
malicious attacks such as abnormal connection requests, or to deliberately control the number of
NTP client connections, authentication must be used.

The device's NTP clock synchronization provides an authentication function. When authentication
is enabled, both parties must hold the matching pre-defined key to communicate successfully, so
that only valid clients can establish an NTP connection with the device.

In addition, the network segments of the NTP clients allowed to access the device can be
configured, ensuring that only requests from the specified network range are accepted and
making the NTP service safer and more reliable.

4.5.2 System time

Select Basic > System Management > Time Management from navigation tree to enter the
time management page, as shown in the following figure.

Figure 4-19 System time


4.5.3 NTP time synchronization

Select Basic > System Management > Time Management from navigation tree to enter the
NTP time synchronization page, as shown in the following figure.

Figure 4-20 NTP

The parameters of NTP time synchronization are shown in the following:

 Local clock acts as reference clock: if checked, the local clock is configured as the reference
clock. The clock level is configured from 1 to 15 and defaults to 8.
 Enable authentication: if checked, configure the key id and key.
 NTP server: when the device is a client, the following parameters need to be configured. To
add NTP server configuration information, click the icon.
 NTP server address: the NTP server IP address or the NTP server domain name.
 Authentication key id: the authentication key id used with this NTP server.
 Minpoll, Maxpoll: the minimum and maximum polling interval, in the range of 4 to 17.
 Prefer: configure the priority level.
 Version: the NTP version number, in the range of 2 to 4, default 4.
NTP client network segment configuration: if access does not need to be restricted by network
segment, the NTP client segment need not be configured. To restrict access to certain network
segments, configure it here. Click the icon to add the configuration.
 NTP client network segment: the network segment allowed to access.
 Mask: the mask of the network segment allowed to access.
Once the configuration is complete, click the Submit button at the top right of the page.
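The two server-side protections described in the NTP overview and on this page (the allowed client network segment list and pre-shared key authentication), as an added Python example that is not DPtech code: the MAC format follows RFC 5905 symmetric-key authentication (4-byte key id plus MD5 over key and header), and every address, key id and key is a constructed sample value; the device's own implementation is not documented here.

```python
"""Added example (not DPtech code): server-side admission checks modelled on the
NTP page's settings. A request is accepted only if its source falls inside a
configured client network segment (segment + mask rows) and, when
authentication is enabled, its RFC 5905 symmetric-key MAC (4-byte key id plus
MD5 over key || header) verifies against a configured key id. Every address,
key id and key here is a constructed sample value."""
import hashlib
import hmac
import ipaddress
import struct

NTP_HEADER_LEN = 48  # RFC 5905 header without the optional MAC
MAC_LEN = 4 + 16     # key id + MD5 digest


def build_client_request(version: int = 4) -> bytes:
    """Minimal NTP client request: LI=0, VN=version (2..4 on the page), Mode=3."""
    if not 2 <= version <= 4:
        raise ValueError("NTP version must be 2..4")
    li_vn_mode = (0 << 6) | (version << 3) | 3
    return struct.pack("!B", li_vn_mode) + bytes(NTP_HEADER_LEN - 1)


def append_mac(header: bytes, key_id: int, key: bytes) -> bytes:
    """Client side: append key id and MD5(key || header), as RFC 5905 describes."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def build_allowed_networks(segments):
    """Turn (NTP client network segment, mask) rows into ipaddress networks."""
    return [ipaddress.ip_network(f"{seg}/{mask}", strict=False) for seg, mask in segments]


def source_allowed(src_ip: str, networks) -> bool:
    """An empty list means access is not restricted by network segment."""
    if not networks:
        return True
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in networks)


def verify_mac(raw: bytes, keys: dict) -> tuple:
    """Server side: check key id and digest; unknown ids and bad digests fail."""
    if len(raw) != NTP_HEADER_LEN + MAC_LEN:
        return False, "missing or malformed MAC"
    header, mac = raw[:NTP_HEADER_LEN], raw[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = keys.get(key_id)
    if key is None:
        return False, f"unknown key id {key_id}"
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):  # constant-time compare
        return False, "digest mismatch"
    return True, "ok"


def admit_request(raw, src_ip, networks, keys, auth_enabled: bool) -> tuple:
    """Return (accepted, reason) for one inbound NTP request."""
    if not source_allowed(src_ip, networks):
        return False, f"{src_ip} outside allowed NTP client segments"
    if not auth_enabled:
        return True, "ok (authentication disabled)"
    return verify_mac(raw, keys)


if __name__ == "__main__":
    keys = {1: b"dptech-example-key"}  # constructed key id / key
    nets = build_allowed_networks([("192.168.1.0", "255.255.255.0")])
    good = append_mac(build_client_request(), 1, keys[1])
    print(admit_request(good, "192.168.1.20", nets, keys, True))  # (True, 'ok')
    print(admit_request(good, "10.0.0.5", nets, keys, True))      # rejected: segment
    print(admit_request(build_client_request(), "192.168.1.20", nets, keys, True))
```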


4.5.4 NTP time synchronization (IPv6)

Select Basic > System Management > Time Management from navigation tree to enter the
NTP time synchronization page, as shown in the following figure.

Figure 4-21 NTP (IPv6)

If the device is an NTP server, click “Enable NTP Server (IPv6)”. If the device functions as an
NTP client, click “Enable NTP Client (IPv6)”, click “please configure”, and then configure the
IPv6 address of the NTP server.

Figure 4-22 NTP server configuration (IPv6)

After you finish the above configuration, click the Submit button at the top right of the page.

4.6 Digital certificate


The device's digital certificate module has the following features:

 As a certificate authority, the device generates a root certificate, and then issues a device
certificate for itself, issuing a user certificate for the client.
 The device requests a certificate from the CA server.


4.6.1 Certificate request

Select Basic > System Management > Digital Certificate > Certificate Request from
navigation tree to enter the certificate request configuration page, as shown in the following
figure.

Figure 4-23 Certificate request

The device information configuration function is the basic information that the device needs to
provide when applying for a certificate, including common name, IP address, country, province,
city, organization, department, certificate validity period, certificate type and encryption mode.

The CA server configuration function holds the CA server information that needs to be configured
when the device requests the certificate online. The parameters are as follows:

 CA identifier: the identifier of the CA server.
 Request URL: the URL of the CA server.
 Certificate application: set the certificate application method, either "manual online access"
or "SCEP automatic access". If "SCEP automatic access" is selected, the "number of
certificate queries" and "certificate query interval" must also be configured.
 Number of certificate queries: the number of automatic queries made while the certificate
request is suspended, in the range of 1 to 100.
 Certificate query interval: the interval between automatic queries while the certificate
application is suspended, in minutes, in the range of 1 to 1000.
 Verify root certificate fingerprint: if checked, you need to set the root certificate
authentication algorithm and the root certificate fingerprint. The device verifies the root
certificate using the configured algorithm and fingerprint; if fingerprint verification fails, the
certificate application fails. If this option is not checked, the CA root certificate is not verified
and is accepted directly.
 Root certificate authentication algorithm: the hash algorithm used for the root certificate,
with "MD5" and "SHA1" options.
 Root certificate fingerprint: the result of hashing the certificate with the selected algorithm,
composed of the characters 0-9 and A-F. When "MD5" is selected, the string length is 32;
when "SHA1" is selected, the string length is 40.
The CRL server configuration function lets the device obtain CRL information online. The CRL
URL can be obtained automatically from the certificate, or you can configure the CRL URL
address manually.
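The root certificate fingerprint check described in the list above, as an added Python example that is not DPtech code: it enforces the page's format rules (32 hex characters for MD5, 40 for SHA1, characters 0-9 and A-F), hashes the CA root certificate in either PEM or DER encoding, and returns the accept/fail decision. The certificate bytes are a constructed placeholder, not a real certificate.

```python
"""Added example (not DPtech code): the root certificate fingerprint check the
certificate request page describes. The configured fingerprint must be 32 hex
characters for MD5 or 40 for SHA1 (0-9, A-F); the CA root certificate is hashed
with the chosen algorithm and compared, and on mismatch the application fails.
The certificate bytes below are a constructed placeholder, not a real certificate."""
import base64
import hashlib
import hmac
import re

FINGERPRINT_LEN = {"MD5": 32, "SHA1": 40}
HEX_RE = re.compile(r"^[0-9A-F]+$")

# Constructed placeholder standing in for a DER-encoded CA root certificate.
SAMPLE_DER = b"\x30\x82\x01\x0a" + b"constructed placeholder, not a real certificate"


def der_to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in PEM armour (the other encoding the page accepts)."""
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")


SAMPLE_PEM = der_to_pem(SAMPLE_DER)


def certificate_to_der(data: bytes) -> bytes:
    """Accept PEM or DER input and return the DER bytes that get hashed."""
    if b"-----BEGIN" in data:
        lines = [ln.strip() for ln in data.splitlines()]
        body = b"".join(ln for ln in lines if ln and not ln.startswith(b"-----"))
        return base64.b64decode(body)
    return data


def normalize_fingerprint(value: str) -> str:
    """Strip the colons/spaces tools print and upper-case the hex."""
    return re.sub(r"[\s:]", "", value).upper()


def validate_fingerprint_string(algorithm: str, fingerprint: str) -> tuple:
    """Enforce the page's format rules before any hashing happens."""
    if algorithm not in FINGERPRINT_LEN:
        return False, f"unsupported algorithm {algorithm!r}"
    fp = normalize_fingerprint(fingerprint)
    expected_len = FINGERPRINT_LEN[algorithm]
    if len(fp) != expected_len:
        return False, f"{algorithm} fingerprint must be {expected_len} characters, got {len(fp)}"
    if not HEX_RE.match(fp):
        return False, "fingerprint may only contain 0-9 and A-F"
    return True, "ok"


def compute_fingerprint(cert: bytes, algorithm: str) -> str:
    """Upper-case hex digest of the DER certificate with MD5 or SHA1."""
    der = certificate_to_der(cert)
    return hashlib.new(algorithm.lower(), der).hexdigest().upper()


def verify_root_fingerprint(cert: bytes, algorithm: str, configured: str) -> tuple:
    """(ok, reason): the decision made when 'Verify root certificate fingerprint' is on."""
    ok, reason = validate_fingerprint_string(algorithm, configured)
    if not ok:
        return False, reason
    actual = compute_fingerprint(cert, algorithm)
    if hmac.compare_digest(actual, normalize_fingerprint(configured)):
        return True, "root certificate fingerprint matches"
    return False, "root certificate fingerprint mismatch: certificate application fails"


if __name__ == "__main__":
    fp = compute_fingerprint(SAMPLE_DER, "SHA1")
    print(fp)
    print(verify_root_fingerprint(SAMPLE_PEM, "SHA1", fp))
    print(verify_root_fingerprint(SAMPLE_DER, "MD5", fp))             # wrong length for MD5
    print(verify_root_fingerprint(SAMPLE_DER + b"\x00", "SHA1", fp))  # tampered certificate
```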

4.6.2 Certificate management

Select Basic > System Management > Digital Certificate > Certificate Management from
navigation tree to enter the certificate application and management page, as shown in the
following figure.

Figure 4-24 Certificate management

1. Key management
Key management functions include automatic generation of keys, import of export key files, and
display of key information.

Click the Auto-generate keys button. The device automatically generates a key pair according
to the device information configured in the "Certificate Request Information Configuration"
module. Click the Show Key Info button to view the key information.

 The key length is the length selected in the "Encryption Mode" column of the certificate
configuration page. Therefore, configure the identity information first and then generate
the key.
 After the key pair (public key and private key) is generated, the public key information is
used for the registration of the certificate and the private key is saved on the device. Public
and private keys must be paired.
 Rebuilding the key overwrites the original key pair, and the original certificate is deleted at
the same time. Therefore, use this feature with caution.

2. Certificate request
The certificate request function is used when the device requests a CA certificate from the CA
server. It supports offline application and online application:

 Offline application for a certificate: click the Generate Offline Request Information button to
generate the certificate request information according to the device information configured
in the "Certificate Request Information Configuration" module. Send this information to the
security administrator to apply for a digital certificate on the CA server.
 Online application for a certificate: click the Submit online application information button;
the page shows the generated application information. If the application succeeds, the page
prompts "certificate application is successful". When the CA server is set up for automatic
issuance, the two certificates are displayed directly in the Certificate Management list, where
"rootcert.cer" is the obtained CA root certificate and "usercert.cer" is the local certificate that
was applied for.
 If the CA server receives the application and suspends it, and "Certificate Request
Method" is set to "Manual Online Get", the page prompts "Successfully Submit Request
Information". In this case the device does not query the CA server automatically. To check
the status of the submitted application, click Get Online Certificate in Certificate
Management. After the CA server receives the query, it returns the status of the
submitted application, which is one of "certificate application success", "certificate
application is suspended" and "certificate application is rejected".
 If the CA server receives the application and suspends it, and "Certificate Request
Method" is set to "SCEP Auto Acquire", the page prompts "Successfully Submit the
Certificate Request Information to enter the Polling". In this case, the device periodically
queries the CA server about whether the application has succeeded, according to the
configured "certificate inquiry times" and "certificate query interval". A certificate from a
successful application is saved by the device.
Click the Show Certificate Request button to view the certificate request information.
3. Certificate management
Certificate management functions include offline import of certificates, online acquisition of
certificates, and export of certificate files.

 Import a certificate offline: click the Import Certificate Offline button to bring up the pfx
password and path configuration window, and click the Submit button when the configuration
is complete. If the imported certificate conforms to a supported encoding format (currently
PEM and DER) and is signed and valid, it overwrites the original certificate in the device and
its information is displayed in the certificate list. If the import fails, the reason for the failure is
prompted.
 Obtain the certificate online: click the Get Certificate Online button. If acquisition succeeds,
the certificate management list displays the newly obtained certificate information; if it fails,
the system prompts the reason for the failure.
 Export the certificate file: click the Export Certificate File button to export the certificate file
to the local computer.
The operations of the certificate management list are shown in the following:

 View: click the icon to view the certificate details in the new page that opens.
 Delete: click the icon, then click the Submit button at the top right of the page to delete
the certificate.

 When importing certificates, pay attention to the import order: the CA certificate must be
imported before the Local certificate.
 When importing a Local certificate, make sure that the private key existing in the device
matches the public key of the Local certificate. When restoring a certificate configuration,
import the key file before importing the corresponding Local certificate.
 Before importing, confirm that the system time of the device is correct; otherwise certificate
authentication will fail.
 The online certificate acquisition function is for the case where the CA server supports
obtaining certificates online and its automatic certificate issuance function is turned off.

4. CRL management
The CRL management functions include offline CRL import, starting / stopping CRL queries, and
CRL file export.

 Offline import CRL: click the Offline Import CRL button; the path selection window pops up.
Select the local CRL file path and click the Submit button. If the imported CRL file conforms
to a supported encoding format (currently PEM and DER), the import succeeds and
overwrites the original CRL file, and the CRL list shows the imported CRL information. If the
import fails, the reason for the failure is prompted.
 Start / stop CRL query: click the Start CRL Query button to synchronize the CRL
information of the CA server to the device. If the query fails, the reason for the failure is
indicated. Click the Stop CRL Query button to stop CRL synchronization; the device
retains the previously updated CRL information.
 Export CRL file: click the Export CRL File button to export the CRL file to the local
computer.
The operations of the CRL management list are described as follows:

 View: click the icon to view the CRL details in the new page that opens.
 Delete: click the icon, then click the Submit button at the top right of the page to delete
the CRL.

4.6.3 Certificate authority

Select Basic > System Management > Digital Certificate > Certificate authority from
navigation tree to enter the certificate authority page. The certificate authority features include
Certificate Authority (CA) information, User Certificate Request Information, Certificate Authority
(CA) management, and User Certificate Management. They are introduced separately below.
1. Certificate Authority (CA) information
Click "Certificate Authority (CA)" to expand the configuration parameters, as shown in the
following figure.

Figure 4-25 Certificate Authority (CA) information

Certificate Authority (CA) information is the basic information that the device needs to provide as
a certificate authority, including common name, E-mail, country, province, city, organization /
company, department, certificate type, and encryption method.
2. User request information
Click "User Request Information" to expand the configuration parameters, as shown in the
following figure.


Figure 4-26 User request information

User certificate request information is the basic information that a user needs to provide to the
device when applying for a certificate, including common name, E-mail, country, province, city,
organization / company, department, RSA key length, certificate (*.pfx) password, and the
validity period of the user certificate. The certificate (*.pfx) password is the password of the
certificate file; it is required when the certificate is installed.

Avoid using the same common name in the CA information, device information and user
information.

3. Certificate Authority (CA) Management


Click "Certificate Authority (CA) Management" to expand the function button, as shown in the
following figure.

Figure 4-27 Certificate Authority (CA) Management

Certificate Authority (CA) management includes the following features:

 Build / update CA: click the Build / Update CA button. A prompt appears ("Configure the CA
information before updating or generating the CA. If the current CA status is "CA Exist", the
current CA will be destroyed and all certificates issued to users become invalid. Updating
the CA also requires updating the device certificate. Are you sure you want to create /
update the CA?"); click Submit to create / update the CA certificate.
 Delete CA: click the Delete CA button. A prompt appears ("If the current CA status is "CA
Exist", the current CA will be destroyed. Deleting the CA invalidates all certificates issued by
the CA to users; update the device certificate afterwards. Are you sure you want to delete
this CA?"); click Submit to delete the CA certificate.
 Update device cert: click the Update Device Cert button. A prompt appears ("Configure the
device information before updating or generating the device certificate. Updating the device
certificate deletes the original certificate and private key! The SSL VPN process must be
restarted after the device certificate is updated. Are you sure you want to update the device
certificate?"); click the Submit button to update the device certificate.
 Build user cert: click the Build User Cert button. A prompt appears ("Configure the user
application information before generating the user certificate. Are you sure you want to
issue this user certificate?"); click the Submit button to generate the user certificate. The
newly generated user certificate is displayed in the list of issued user certificates.
 Download the USB-KEY plugin: download the USB-KEY control so that user certificates
can be imported into a USB-KEY and certificate authentication performed through the
USB-KEY.
4. User certificate management
Click "Certificate Management" to expand the list of certificates, as shown in the following figure.

Figure 4-28 certificate management

The operational functions of the list of issued user certificates are described as follows:

 View: click the icon to view the certificate details in the new page that opens.
 Save: click the icon to save the certificate to the local computer.
 Download: click the icon to download the user certificate to the USB-KEY.
 Revoke certificate: click the icon to revoke the certificate. The revoked user certificate is
displayed in the list of revoked user certificates.
 Delete: click the icon to delete the user certificate from the list. The certificate already
issued to the user remains usable.
The operational function of the revoked list of user certificates is described as follows:


 Click the icon to cancel the revoked user certificate. The revoked user certificate will be
displayed on the list of issued user certificate lists.
 Click the icon to delete the revoked user certificate. This certificate will be permanently
disabled.

4.7 Forwarding configuration


The forwarding configuration module includes forwarding basic configuration, forwarding mode
configuration, ND configuration, and Layer 2 unknown multicast drop configuration. The
forwarding mode configuration selects whether the device uses accelerated forwarding or
normal forwarding. The ND configuration can disable the neighbor discovery function. The
Layer 2 unknown multicast drop configuration discards Layer 2 unknown multicast packets.

4.7.1 Forwarding

Select Basic > System Management > Forwarding Configuration > Forwarding from
navigation tree to enter the forwarding page, as shown in the following figure.

Figure 4-29 Forwarding configuration

The parameters of the forwarding basic configuration page are shown in the following:

 IPv6 forwarding configuration: check to enable forwarding of IPv6 packets.
 Virtual fragment reassembly configuration: check to enable the fragment reassembly
function. IP virtual fragment reassembly checks, sorts and caches fragmented packets to
ensure that the subsequent service modules process correctly reassembled fragmented
messages. It can also detect fragmentation attacks and enhance the security of the device.
 IP forwarding configuration: disables modification of the TTL value of IP packets received
by the device.
 TCP time stamp configuration: check to enable the TCP timestamp.


4.7.2 Forwarding mode

Select Basic > System Management > Forwarding Configuration > Forwarding Mode from
navigation tree to enter the forwarding mode page, as shown in the following figure.

Figure 4-30 Forwarding mode

There are three forwarding modes:

 Forwarding acceleration: after it is enabled, the device uses a high-speed cache to process
message forwarding based on data stream (flow) technology.
 Accelerate the same message passing the device multiple times: if enabled, the device also
accelerates the forwarding of a message that has already passed through the device
multiple times.
 Normal forwarding: after it is enabled, the device looks up the matching route in the routing
table according to the destination address of the message to determine an optimal
forwarding path, encapsulates the message according to the protocol used on the data link
layer, and finally forwards the message.

4.7.3 Equal-cost Route Load Balancing

Equal cost routing (ECMP, Equal Cost Multi-path) refers to when there are multiple different
routing paths with the same cost value to the same destination IP or destination network
segment, IP data packets are sent in turn on these links. Equal-cost routing protocols can
improve link utilization, realize network load balancing and route redundancy backup.

Select Basic > System Management > Forwarding Configuration > Equal-cost Route Load
Balancing from navigation tree to enter the equal-cost route load balancing page, as shown in
the following figure.

Figure 4-31 Equal-cost route load balancing

The device supports the flow-by-flow method to achieve load sharing of equal-cost routes. It
distinguishes data flows according to the "source IP address" or "source IP address +
destination IP address" fields of the message, so that the messages belonging to the same data
flow are forwarded on the same path.
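The flow-by-flow selection just described, as an added Python example that is not DPtech code: it keys a flow by "source IP" or "source IP + destination IP", maps it deterministically onto one of several equal-cost next hops, and also measures how many flows change path when a next hop is lost. The hash (SHA-256 over the packed addresses, reduced modulo the number of next hops) is an assumption for illustration, and the next hops and flows are constructed values.

```python
"""Added example (not DPtech code): flow-by-flow selection of one next hop among
equal-cost routes, keyed by "source IP address" or "source IP address +
destination IP address" as the page describes, so that every packet of a flow
takes the same path. The hash (SHA-256 over the packed addresses, reduced
modulo the number of next hops) is an assumption for illustration; the device's
internal hash is not documented. Next hops and flows are constructed values."""
import hashlib
import ipaddress
from collections import Counter


def flow_key(src: str, dst: str, mode: str) -> bytes:
    """Bytes that identify a flow under the selected load-sharing field."""
    src_bytes = ipaddress.ip_address(src).packed  # works for IPv4 and IPv6
    if mode == "src":
        return src_bytes
    if mode == "src-dst":
        return src_bytes + ipaddress.ip_address(dst).packed
    raise ValueError("mode must be 'src' or 'src-dst'")


def select_next_hop(src: str, dst: str, next_hops, mode: str = "src-dst") -> str:
    """Deterministically map a flow onto one of the equal-cost next hops."""
    if not next_hops:
        raise ValueError("no equal-cost next hops available")
    digest = hashlib.sha256(flow_key(src, dst, mode)).digest()
    index = int.from_bytes(digest[:4], "big") % len(next_hops)
    return next_hops[index]


def distribute(flows, next_hops, mode: str = "src-dst") -> Counter:
    """How many flows land on each next hop (to check the balance)."""
    return Counter(select_next_hop(s, d, next_hops, mode) for s, d in flows)


def moved_flows(flows, hops_before, hops_after, mode: str = "src-dst") -> int:
    """Flows whose path changes when the equal-cost set changes (e.g. a link
    goes down). Plain modulo hashing moves more than just the failed hop's flows."""
    return sum(
        1 for s, d in flows
        if select_next_hop(s, d, hops_before, mode) != select_next_hop(s, d, hops_after, mode)
    )


# Constructed sample: three equal-cost next hops and 200 client->server flows.
NEXT_HOPS = ["10.0.1.1", "10.0.2.1", "10.0.3.1"]
FLOWS = [(f"192.168.{i // 50}.{i % 50 + 1}", f"203.0.113.{i % 7 + 1}") for i in range(200)]


if __name__ == "__main__":
    print(distribute(FLOWS, NEXT_HOPS, "src-dst"))
    print(distribute(FLOWS, NEXT_HOPS, "src"))
    print("moved after losing 10.0.3.1:", moved_flows(FLOWS, NEXT_HOPS, NEXT_HOPS[:2]))
```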

4.8 Session configuration

4.8.1 Session log configuration

Select Basic > System Management > Session Log Configuration from navigation tree to
enter the session log configuration page, as shown in the following figure.

Figure 4-32 Session log configuration

Check to enable session log, then configure the following parameters:

 Log type: the type of log, NAT session log and normal log, which can be selected at the
same time.
 Log format: the log format, either a flow log format or a Syslog format. There are 6 flow log
formats and 7 Syslog formats. The Syslog log type is suitable for a Syslog server; the flow
log type (message encryption) is suitable for a UMC server.
 Log sample: click "Details" to open the "Session log format description" page, which gives
detailed instructions for each log format.
 Log sending timing: when logs are sent; choose the end of the session, new session, or
send all.
 Log server sharing mode: the log server sharing mode, including load sharing, replication
sending and designated source network segment sending. Load sharing means that the
local device polls and distributes logs according to the configured log server list; replication
sending means sending the log intact to each configured log server; designated source
network segment sending means sending the packets of the specified source network
segment to the specified log server.
 Log source IP address: the source IP address for sending session logs.
 Log source port: the source port for sending session logs.
 Log server port: the port number of the log server.
 Log server list: the IP addresses of the servers receiving the log. Click the configuration item
to configure the log server. Multiple log servers can be configured at the same time. When
the log server sharing mode is "specified source network segment sending", the session
source network segment also needs to be configured here.
The configuration parameters of the port block allocation log part are similar to the configuration
parameters of the session log part, and will not be repeated here.

After the configuration is completed, you need to click the <OK> button at the top right of the
page to make the configuration effective.
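The three log server sharing modes and the log sending timing described above, as an added Python example that is not part of the original manual: the servers, network segments, session records and the key=value line format are constructed, and the device's real flow/Syslog formats are not reproduced.

```python
"""Added example (not DPtech code): a dispatcher implementing the session log
page's three log server sharing modes (load sharing = round-robin over the log
server list, replication sending = every server gets every log, designated
source network segment sending = logs whose session source IP falls in a
configured segment go to that segment's server) plus the log sending timing
filter. Servers, segments, sessions and the line format are constructed."""
import ipaddress

MODES = ("load_sharing", "replication", "designated_source")
TIMINGS = ("session_end", "new_session", "all")


def should_send(event: str, timing: str) -> bool:
    """Log sending timing: only session-end events, only new sessions, or all."""
    if timing not in TIMINGS:
        raise ValueError(f"unknown timing {timing!r}")
    if timing == "all":
        return True
    return event == ("end" if timing == "session_end" else "new")


def format_record(session: dict, event: str) -> str:
    """Constructed key=value line; not one of the device's flow/Syslog formats."""
    return (f"event={event} proto={session['proto']} "
            f"src={session['src']}:{session['sport']} "
            f"dst={session['dst']}:{session['dport']}")


class SessionLogDispatcher:
    def __init__(self, mode: str, servers, segment_map=None, timing: str = "all"):
        if mode not in MODES:
            raise ValueError(f"unknown sharing mode {mode!r}")
        if not servers:
            raise ValueError("log server list is empty")
        self.mode = mode
        self.servers = list(servers)          # [(ip, port), ...]
        self.timing = timing
        # segment_map: [(session source network segment, server), ...]
        self.segment_map = [(ipaddress.ip_network(net), srv) for net, srv in (segment_map or [])]
        if mode == "designated_source" and not self.segment_map:
            raise ValueError("designated source mode needs session source network segments")
        self._rr = 0                          # round-robin cursor for load sharing

    def targets(self, session: dict) -> list:
        """Which servers one session log goes to under the configured mode."""
        if self.mode == "replication":
            return list(self.servers)
        if self.mode == "load_sharing":
            server = self.servers[self._rr % len(self.servers)]
            self._rr += 1
            return [server]
        src = ipaddress.ip_address(session["src"])
        # First matching segment wins; no match means the log is not sent.
        return [srv for net, srv in self.segment_map if src in net][:1]

    def dispatch(self, session: dict, event: str) -> list:
        """(server, line) pairs to emit for this session event, honouring timing."""
        if not should_send(event, self.timing):
            return []
        line = format_record(session, event)
        return [(server, line) for server in self.targets(session)]


if __name__ == "__main__":
    servers = [("10.1.1.10", 514), ("10.1.1.11", 514)]     # constructed log servers
    sess = {"proto": "tcp", "src": "192.168.1.5", "sport": 40000,
            "dst": "203.0.113.7", "dport": 443}
    lb = SessionLogDispatcher("load_sharing", servers, timing="session_end")
    print(lb.dispatch(sess, "new"))   # [] : timing filters new-session events
    print(lb.dispatch(sess, "end"))   # one server
    seg = SessionLogDispatcher("designated_source", servers,
                               [("192.168.1.0/24", servers[0]), ("10.0.0.0/8", servers[1])])
    print(seg.dispatch(sess, "end"))  # goes to 10.1.1.10 only
```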

4.8.2 Session parameter

Select Basic > System Management > Session Parameter from navigation tree to enter the
session parameter page, as shown in the following figure.

Figure 4-33 Session parameter

The information on the session parameters page is described as follows:

 GRE configuration: set to enable GRE deep inspection.
 Long session parameter setting: set the long session aging time.

 TCP session parameter settings: set the aging time of the ESTABLISHED, SYN_SENT,
SYN_RECV, FIN_WAIT, TIME_WAIT, CLOSE, CLOSE_WAIT, LAST_ACK state of the TCP
session.
 UDP session parameter setting: set the aging time of the NEW and ESTABLISHED state of
the UDP session.
 GRE session parameter settings: set the aging time of the NEW and ESTABLISHED states
of the GRE session.
 PPTP GRE session parameter setting: Set the aging time of the NEW and ESTABLISHED
state of PPTP GRE session.
 ESP session parameter setting: Set the aging time of the NEW state of the ESP session.
 Other session parameter settings:
 DNS: Set the aging time of the NEW state of the DNS session.
 ICMP: Set the aging time of the NEW state of the ICMP session.
 ICMPv6: Set the aging time of the NEW state of ICMPv6 sessions.
 General protocol: Set the aging time of the NEW state of the general protocol session.
 User-defined protocol settings: Set the transport layer protocol, port and aging time of the
user-defined protocol.
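The per-state aging described in this list, as an added Python example that is not DPtech code: a small session table that expires entries by protocol and state, honours user-defined protocol entries (transport protocol, port, aging time) and applies the long-session aging time. All timeout values are constructed samples, not the device defaults, and DNS, ICMP and ICMPv6 are modelled as their own protocol labels the way the page groups them.

```python
"""Added example (not DPtech code): a session table aged with per-protocol,
per-state timeouts like those on the session parameter page. Timeout values
are constructed samples, not the device defaults; DNS/ICMP/ICMPv6 are treated
as their own protocol labels as the page groups them."""
from dataclasses import dataclass

# (protocol label, state) -> aging time in seconds (constructed samples).
AGING = {
    ("tcp", "SYN_SENT"): 30, ("tcp", "SYN_RECV"): 30, ("tcp", "ESTABLISHED"): 1800,
    ("tcp", "FIN_WAIT"): 60, ("tcp", "TIME_WAIT"): 10, ("tcp", "CLOSE"): 5,
    ("tcp", "CLOSE_WAIT"): 60, ("tcp", "LAST_ACK"): 30,
    ("udp", "NEW"): 30, ("udp", "ESTABLISHED"): 120,
    ("gre", "NEW"): 30, ("gre", "ESTABLISHED"): 600,
    ("pptp-gre", "NEW"): 30, ("pptp-gre", "ESTABLISHED"): 600,
    ("esp", "NEW"): 300,
    ("dns", "NEW"): 10, ("icmp", "NEW"): 30, ("icmpv6", "NEW"): 30,
    ("general", "NEW"): 60,
}
# User-defined protocol: (transport protocol, port) -> aging time (constructed).
USER_DEFINED = {("tcp", 8443): 3600}
LONG_SESSION_AGING = 24 * 3600  # constructed long session aging time


@dataclass
class Session:
    proto: str
    state: str
    last_seen: float
    dport: int = 0
    long_session: bool = False


class SessionTable:
    def __init__(self, aging=None, user_defined=None, long_aging=LONG_SESSION_AGING):
        self.aging = dict(AGING if aging is None else aging)
        self.user_defined = dict(USER_DEFINED if user_defined is None else user_defined)
        self.long_aging = long_aging
        self.sessions = {}  # key (e.g. a 5-tuple) -> Session

    def timeout_for(self, s: Session) -> int:
        """Long-session override, then user-defined port entry, then state table,
        then the general-protocol fallback for anything not listed."""
        if s.long_session:
            return self.long_aging
        user_timeout = self.user_defined.get((s.proto, s.dport))
        if user_timeout is not None:
            return user_timeout
        return self.aging.get((s.proto, s.state), self.aging[("general", "NEW")])

    def update(self, key, proto, state, now, dport=0, long_session=False):
        """Create or refresh a session; every packet resets its aging timer."""
        self.sessions[key] = Session(proto, state, now, dport, long_session)

    def expire(self, now) -> list:
        """Remove and return the keys whose aging time has elapsed at `now`."""
        expired = [k for k, s in self.sessions.items()
                   if now - s.last_seen > self.timeout_for(s)]
        for k in expired:
            del self.sessions[k]
        return expired


if __name__ == "__main__":
    t = SessionTable()
    t.update(("192.168.1.5", 40000, "203.0.113.7", 443, "tcp"), "tcp", "ESTABLISHED", 0)
    t.update(("192.168.1.6", 40001, "203.0.113.7", 443, "tcp"), "tcp", "SYN_SENT", 0)
    print(t.expire(31))    # only the half-open SYN_SENT session ages out
    print(t.expire(1801))  # the established session ages out later
```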

4.8.3 Session detection

Select Basic > System Management > Session Detection from navigation tree to enter the
session detection page, as shown in the following figure.

Figure 4-34 Session detection

4.8.4 Session forwarding

Select Basic > System Management > Session Forwarding from navigation tree to enter the
session forwarding page, as shown in the following figure.

Figure 4-35 Session forwarding


4.9 Warning configuration


Select Basic > System Management > Warning Configuration from navigation tree to enter
the warning configuration page, as shown in the following figure.

Figure 4-36 Warning threshold configuration

The parameters of warning threshold configuration page are shown in the following:

 Interface bandwidth usage warning threshold configuration: upper and lower limits of the
bandwidth utilization of all interfaces. When the utilization goes beyond the threshold range,
an alarm log is sent and displayed in the system log and diagnostic log. The threshold range
is 1 to 100. By default, the upper limit is 95% and the lower limit is 80%.
 Interface CRC error warning threshold configuration: upper and lower limits of the CRC error
rate of all interfaces. When the error rate goes beyond the threshold range, an alarm log is
sent and displayed in the system log and diagnostic log. The threshold range is 1 to 100. By
default, the upper limit is 50pps and the lower limit is 10pps.

4.10 SNMP

4.10.1 SNMP overview

As networks grow, more and more applications and devices are deployed in them, and
enterprises face the problem of how to manage these network devices. SNMP (Simple Network
Management Protocol) solves this problem. The device is configured with standard SNMP and
abundant MIB resources, which allow users to monitor, manage and control all kinds of resources
on the device through network management tools.


SNMP uses the special form of the Client / Server model: the agent / management station model.
The management and maintenance of the network is done through the interaction between the
management station and the SNMP agent. Each SNMP agent is responsible for responding to
various queries from the SNMP management station about MIB information.

4.10.1.1 SNMP basic principle

For network management, the required data are the device configuration, parameters, status and
other information, and the operations on them are reading and setting. Because there are many
network devices, and because the devices must report information on their own initiative so that
it can be obtained in a timely manner, the SNMP protocol is used.

SNMP achieves its monitoring and management purpose through Get, Set and Trap operations on
a series of managed devices.

 Get: reads the status of network devices.
 Set: remotely configures device parameters.
 Trap: lets the management station obtain important information from the device in a timely
manner.
Specifically, SNMP defines five message types: Get-Request, Get-Response, Get-Next-Request,
Set-Request and Trap.

 Get-Request, Get-Next-Request and Get-Response
The SNMP management station retrieves information from a network device that runs an SNMP
agent with a Get-Request message, and the SNMP agent responds with a Get-Response
message. Get-Next-Request is used together with Get-Request to query the column elements
of a particular table object.

 Set-Request
The SNMP management station uses Set-Request to remotely configure the network device
(including the device name and device attributes, deleting a device, or making a device attribute
valid or invalid).

 Trap
The SNMP agent uses Trap to send unsolicited messages to the SNMP management station,
typically to describe the occurrence of an event. With the Trap function configured, the device
sends configuration change information to the network management tool in real time without
waiting for the tool to poll it. The device can also report error conditions to the network
management tool at any time, for example when the CPU utilization exceeds the set threshold.

The SNMP management process mainly involves two roles: NMS and Agent.

 NMS
Also known as the management station or network management system, the NMS is the system
console. It provides the interface through which the administrator obtains the device
configuration, parameters, status and other information. The management station
communicates with the agent, executes the corresponding Set and Get operations, and receives
the alarm packets sent by the agent.

 Agent
The network management agent relays SNMP operations between the management station and
the device. It sits between the two, communicates with the management station and responds
to its requests, for example by obtaining the corresponding data from the device or setting the
device accordingly. The agent can also send alarm packets to the management station, using the
Traps defined in the MIB, according to the status of the device.

4.10.1.2 MIB introduction

MIB (Management Information Base) is the standard for network management data. The standard
specifies the data items that the managed device must maintain, their data types, and the
operations allowed on each data item. By accessing these data items, all the statistics of the
device can be obtained, and statistical analysis of them provides a comprehensive basis for
network management.

The MIB specifies the variables maintained by the network element (that is, information that can
be queried and set by a management process). It gives the data structure of the collection of all
possible managed objects in a network.

4.10.1.3 SNMP version support

The device supports SNMPv1, SNMPv2c and SNMPv3.

SNMPv1 uses community name authentication. The community name acts like a password and
restricts network management tool access to the device: if the community name in a message
does not match, the message is discarded.
SNMPv2c also uses community name authentication. It is compatible with SNMPv1 and extends
its functions: it provides more operation types, supports more data types, and offers richer error
codes so that errors are easier to distinguish.
SNMPv3 mainly enhances security: it imposes stricter identity authentication, adds several
authentication protocols and encryption algorithms, and is more secure than SNMPv1 and
SNMPv2c.

4.10.2 SNMP configuration

Select Basic > System Management > SNMP Configuration > SNMP configuration from
navigation tree to enter the SNMP configuration page. Configurable items include SNMP version
configuration, SNMP trap configuration, device information configuration, and IP address list
configuration.


1. SNMP version configuration

Select the version and configure the corresponding community name. The device can enable
multiple versions at the same time. SNMPv3 parameters are configured separately; for details,
refer to the section "SNMPv3 Configuration".

Figure 4-37 SNMP version configuration

SNMPv1 and SNMPv2c share the same community name parameter: when both are selected,
modifying the community name of either version also changes that of the other.

2. SNMP Trap configuration


SNMP Trap is configured to send trap messages to the management station, as shown in the
following figure.

Figure 4-38 SNMP Trap configuration


The SNMP trap configuration parameters are as follows:

 Destination host: IP address of the management station.
 Destination port: port number of the management station.
 Version: SNMP Trap version, including SNMPv1, SNMPv2c and SNMPv3.
 Trap community: the SNMP Trap community name. When SNMPv1 or SNMPv2c traps are sent
with this community name, the management station uses it to check the Trap packets. When
it is not configured, the default Trap community name is used.
 When SNMPv3 is selected as the Trap version, the following parameters can be configured:
     Username: SNMP Trap user name. This user name must be configured when the device
sends SNMPv3 Traps.
     Authentication protocol: options include None, MD5 and SHA. None means that the
authentication protocol is not enabled.
     Authentication password: the password corresponding to the authentication protocol, at
least 8 characters. When the authentication protocol is not enabled, the authentication
password cannot be configured.
     Encryption algorithm: options include AES and None. Select None to not enable the
encryption algorithm.
     Encryption password: the password corresponding to the encryption algorithm, at least
8 characters. The encryption password cannot be configured when the encryption
algorithm is not enabled.
 When the device configuration changes, the device sends the corresponding trap
information to the management station.
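A pre-submission audit of a trap target entry, as an added example (not DPtech code): it applies the page's stated rules (8-character minimum, SNMPv3 needs a username, None/MD5/SHA and None/AES/DES options) plus the usual hardening preferences, SHA over MD5, AES over DES and SNMPv3 authPriv over community-based versions. The field names, the weak-community list and the sample configurations are constructed.

```python
"""Audit an SNMP Trap target / SNMPv3 user entry before it is submitted.
Added example, not DPtech code. Field names mirror the page's parameters;
the weak-community list and all sample values are constructed."""

AUTH_PROTOCOLS = {"None", "MD5", "SHA"}
PRIV_PROTOCOLS = {"None", "AES", "DES"}   # DES is offered only on the SNMPv3 user page
WEAK_COMMUNITIES = {"public", "private"}  # well-known defaults (constructed list)


def audit_trap_target(cfg):
    """Return a list of findings; an empty list means the entry passes."""
    findings = []
    version = cfg.get("version")
    if version in ("SNMPv1", "SNMPv2c"):
        community = cfg.get("trap_community", "")
        if not community:
            findings.append("no trap community set; the device falls back to its default")
        elif community.lower() in WEAK_COMMUNITIES:
            findings.append("trap community is a well-known default value")
        findings.append(f"{version} sends the community name in clear text; prefer SNMPv3")
        return findings
    if version != "SNMPv3":
        return [f"unknown trap version {version!r}"]
    if not cfg.get("username"):
        findings.append("SNMPv3 trap requires a username")
    auth = cfg.get("auth_protocol", "None")
    priv = cfg.get("priv_protocol", "None")
    if auth not in AUTH_PROTOCOLS or priv not in PRIV_PROTOCOLS:
        findings.append("unsupported authentication or encryption protocol")
        return findings
    if auth == "None":
        findings.append("authentication disabled (noAuthNoPriv): traps can be forged")
    else:
        if len(cfg.get("auth_password", "")) < 8:
            findings.append("authentication password shorter than 8 characters")
        if auth == "MD5":
            findings.append("MD5 authentication is deprecated; use SHA")
    if priv == "None":
        findings.append("encryption disabled: trap contents are visible on the wire")
    else:
        if auth == "None":
            findings.append("encryption requires authentication (authPriv); enable SHA")
        if len(cfg.get("priv_password", "")) < 8:
            findings.append("encryption password shorter than 8 characters")
        if priv == "DES":
            findings.append("DES encryption is weak; use AES")
    return findings


def security_level(cfg):
    """Map the SNMPv3 settings to the USM security level names."""
    auth = cfg.get("auth_protocol", "None") != "None"
    priv = cfg.get("priv_protocol", "None") != "None"
    if auth and priv:
        return "authPriv"
    return "authNoPriv" if auth else "noAuthNoPriv"


# Constructed sample entries: one hardened, one legacy, one weakly configured.
HARDENED = {"version": "SNMPv3", "username": "nms-collector",
            "auth_protocol": "SHA", "auth_password": "Str0ngAuthKey",
            "priv_protocol": "AES", "priv_password": "Str0ngPrivKey"}
LEGACY = {"version": "SNMPv2c", "trap_community": "public"}
WEAK_V3 = {"version": "SNMPv3", "username": "ops", "auth_protocol": "MD5",
           "auth_password": "short", "priv_protocol": "None"}
```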
3. Device information
After the configuration of the device information is completed, it will be recorded in the device
MIB, and the management station will know the location of the device and the contact
information of the administrator after reading the device information, as shown in the following
figure.

Figure 4-39 Device information

The parameters of device information configuration are shown in the following:

 Device location: the physical location of the device, for example, beijing.
 Contact information: contact information for the device, for example, admin@mail.com.


After all the configuration is complete, click the Submit button at the top right of the page to
make the configuration take effect.

4.10.3 SNMPv3

Select Basic > System Management > SNMP Configuration > SNMPv3 from navigation tree
to enter the SNMPv3 configuration page, as shown in the following figure.

Figure 4-40 SNMPv3

The parameters of SNMPv3 list are shown in the following:

 Username: SNMPv3 user name.
 Authentication protocol: the authentication protocol used by the SNMPv3 user. The options
include None, MD5 and SHA; None means that the authentication protocol is not enabled.
 Authentication password: the password corresponding to the authentication protocol, at
least 8 characters. When the authentication protocol is not enabled, the authentication
password configuration is invalid.
 Encryption protocol: the encryption protocol used by the SNMPv3 user. The options include
None, AES and DES. Select None to not enable the encryption protocol.
 Encryption password: the password corresponding to the encryption protocol, at least 8
characters. The encryption password configuration is invalid when the encryption protocol is
not enabled.
 User read authority: the SNMPv3 user's read access to device MIB nodes. Click the
configuration item to open the permission configuration window, as shown in the following
figure.


Figure 4-41 Permission configuration window

The parameters of the permission configuration window are shown in the following:

     View name: description of the user rights.
     Included OID: the OID of a device MIB node. An added Included OID indicates that the
node can be accessed; more can be added.
     Excluded OID: the OID of a device MIB node. An added Excluded OID indicates that the
node cannot be accessed; more can be added.
 User write authority: the SNMPv3 user's write access to device MIB nodes. The configuration
method is the same as for the user read authority.
After all the configuration is complete, click the Confirm button at the top right of the page to
make the configuration take effect.
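How the Included OID and Excluded OID lists of a view combine to decide whether a user may read a MIB node, as an added example (not DPtech code): it resolves overlapping entries by longest prefix, the rule SNMP VACM views use (RFC 3415), which is assumed here to match the device. The OIDs in the sample view are standard mib-2 nodes; the view itself is constructed.

```python
"""SNMPv3 view evaluation for the Included OID / Excluded OID lists on this page.
Added example, not DPtech code. The longest-prefix rule follows RFC 3415 VACM
views and is assumed to match the device's behaviour."""


def parse_oid(text):
    """'.1.3.6.1.2.1' or '1.3.6.1.2.1' -> (1, 3, 6, 1, 2, 1)."""
    parts = text.strip().lstrip(".").split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"malformed OID: {text!r}")
    return tuple(int(p) for p in parts)


def build_view(included, excluded):
    """Merge both page lists into ordered (subtree, allowed) rules.

    The most specific subtree is sorted first so that the first matching
    rule is the longest prefix; an Excluded OID therefore punches a hole
    in a broader Included subtree, and vice versa."""
    rules = [(parse_oid(o), True) for o in included]
    rules += [(parse_oid(o), False) for o in excluded]
    return sorted(rules, key=lambda r: len(r[0]), reverse=True)


def is_prefix(subtree, oid):
    return len(subtree) <= len(oid) and oid[:len(subtree)] == subtree


def oid_allowed(view, oid_text):
    """True if the node is readable under the view; nothing matched means deny."""
    oid = parse_oid(oid_text)
    for subtree, allowed in view:
        if is_prefix(subtree, oid):
            return allowed
    return False


def filter_request(view, oids):
    """Partition a Get-Request's varbind OIDs into (permitted, rejected)."""
    permitted = [o for o in oids if oid_allowed(view, o)]
    rejected = [o for o in oids if not oid_allowed(view, o)]
    return permitted, rejected


# Constructed read view: all of mib-2, minus the ARP cache (ipNetToMediaTable),
# which reveals the neighbour map of every attached segment.
READ_VIEW = build_view(included=["1.3.6.1.2.1"], excluded=["1.3.6.1.2.1.4.22"])
```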

4.10.4 SNMP host

Select Basic > System Management > SNMP Configuration > SNMP Host from navigation
tree to enter the SNMP host page, as shown in the following figure.

Figure 4-42 SNMP host


Add the address information of the management station. Only the addresses specified in the IP
address list have access to the device MIB library. After all configurations are completed, click
the <OK> button at the top right of the page to make the configuration effective.

4.10.5 RMON configuration

RMON (Remote Network Monitoring) is a standard monitoring specification based on the SNMP
architecture. It transmits network monitoring data between network monitors (or probes) and
console systems. Users can use these data to diagnose network faults, plan the network and
tune its performance.

The RMON configuration module provides three functions: alarm entries, history entries and
logs. By configuring interfaces and sampling parameters, it obtains network traffic data and
monitors network operation.

4.10.5.1 Alarm

The alarm function means that the managed device monitors the value of a specified MIB
variable. When the value reaches the alarm threshold, the managed device automatically
records a log and sends a Trap message to the management device.

Select Basic >System Management > RMON Configuration > Alarm to enter the alarm entry
configuration page, as shown in the following figure.

Figure 4-43 Alarm

The parameter description of the alarm entry configuration list is as follows:

 Interface name: the monitored interface of the device.
 Sampling information: sampling variable name, sampling method, alarm threshold and other
information.
 Sampling interval (seconds): the sampling interval; the value range is 5~65535 seconds.
The sampling information configuration window is shown in the figure below.


Figure 4-44 Sampling information window

The configuration list parameters of the sampling information window are described as follows:

 Event ID: the serial number of the sampling event.
 Event type: the type of alarm event, including log, trap and trap&log.
     log: record event-related information in the event log table of the RMON MIB of this
device, so that the management device can view it through SNMP Get operations.
     trap: send a Trap message to the management device to report the event.
     trap&log: record the log on the device and also send a Trap message to the
management device.
 Variable name:
     etherStatsDropevents: packet loss events.
     etherStatsOctets: the number of bytes.
     etherStatsPkts: the number of packets.
     etherStatsBroadcastPkts: the number of broadcast packets.
     etherStatsMulticastPkts: the number of multicast packets.
     etherStatsCrcerror: the number of packets with CRC errors.
     etherStatsUndersizePkts: the number of undersized packets.
     etherStatsOversizePkts: the number of oversized packets.
     etherStatsFragments: the number of packets that are too small and have check errors.
     etherStatsJabbers: the number of packets that are too large and have check errors.
     etherStatsCollisions: the number of collision packets.
     etherStats64: the number of packets with length <=64 bytes.
     etherStats127: the number of packets with a length of 66~127 bytes.
     etherStats255: the number of packets with a length of 128~255 bytes.
     etherStats511: the number of packets with a length of 256~511 bytes.
     etherStats1023: the number of packets with a length of 512~1023 bytes.
     etherStats1518: the number of packets with a length of 1024~1518 bytes.
 Sampling type: relative or absolute. Relative uses the difference between this sample and
the previous sample; absolute uses the value of this sample itself.
 Upper threshold: the upper limit allowed for the sampling variable; when it is exceeded, the
device actively sends a Trap.
 Lower threshold: the lower limit allowed for the sampling variable; when the value falls below
it, the device actively sends a Trap.
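A model of how an alarm entry turns sampled values into log and Trap events, as an added example (not DPtech code): it implements relative (delta) and absolute sampling against the upper and lower thresholds, and the hysteresis rule of RFC 2819 alarmTable (a rising event re-arms only after a falling crossing, and vice versa), which is assumed to match the device. The variable names, thresholds and counter readings are constructed.

```python
"""RMON alarm evaluation for the Alarm entry parameters on this page.
Added example, not DPtech code. Hysteresis follows RFC 2819 and is assumed
to match the device; all sample values are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Alarm:
    variable: str              # e.g. "etherStatsCrcerror"
    sample_type: str           # "absolute" or "relative" (delta between samples)
    upper: int                 # Upper threshold
    lower: int                 # Lower threshold
    event_type: str = "trap&log"   # log, trap or trap&log
    last_raw: Optional[int] = None
    rising_armed: bool = True      # may a rising event fire next?
    falling_armed: bool = True

    def sample(self, raw):
        """Feed one raw counter reading taken at the sampling interval.
        Returns ("rising"|"falling", value) when a threshold crossing fires."""
        if self.sample_type == "relative":
            if self.last_raw is None:        # a delta needs two readings
                self.last_raw = raw
                return None
            value, self.last_raw = raw - self.last_raw, raw
        elif self.sample_type == "absolute":
            value = raw
        else:
            raise ValueError("sample_type must be 'absolute' or 'relative'")
        # Without hysteresis a counter hovering above the upper threshold would
        # emit a Trap every interval and flood the management station.
        if value >= self.upper and self.rising_armed:
            self.rising_armed, self.falling_armed = False, True
            return ("rising", value)
        if value <= self.lower and self.falling_armed:
            self.falling_armed, self.rising_armed = False, True
            return ("falling", value)
        return None


ACTIONS = {"log": ("log",), "trap": ("trap",), "trap&log": ("trap", "log")}


def run_alarm(alarm, raws):
    """Replay readings; return the (action, direction, value) records produced."""
    out = []
    for raw in raws:
        event = alarm.sample(raw)
        if event is None:
            continue
        for action in ACTIONS[alarm.event_type]:
            out.append((action, event[0], event[1]))
    return out


# Constructed scenario: a CRC error counter sampled every interval. Deltas are
# 20, 60, 150, 10, 5: a burst of errors, then the link settles down again.
CRC_READINGS = [0, 20, 80, 230, 240, 245]
```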

4.10.5.2 Statistics

Select Basic >System Management > RMON Configuration > Statistics to enter the statistics
entry page, as shown in the following figure.

Figure 4-45 Statistics

The display information of the statistics entry is explained as follows:

 Statistical table: displays the interface name of the statistical table.
 Number of packet loss events: displays the number of packet loss events in the current
network.
 Bytes: displays the number of bytes of the current network traffic.
 Number of packets: displays the number of data packets currently transmitted by the
network.
 Number of broadcast packets: displays the number of broadcast packets in the current
network traffic.
 Number of multicast packets: displays the number of multicast packets in the current
network traffic.
 Number of check error packets: displays the number of check error packets in the current
network traffic.
 Number of small packets: displays the number of small packets in the current network traffic.
 Number of oversized packets: displays the number of oversized packets in the current
network traffic.
 Number of packets that are too small and have check errors: displays the number of such
packets in the current network traffic.
 Number of packets that are too large and have check errors: displays the number of such
packets in the current network traffic.
 Number of collision packets: displays the number of collision packets in the current network
traffic.
 Inter-partition statistics of received packets (length): displays statistics of received packets
grouped by packet length range.

The results of the configuration in the alarm table are displayed in the statistics table. The
detailed information of "Inter-partition statistical length of received package" is viewed by
clicking "click to view" under that list item.

Figure 4-46 Statistics

4.10.5.3 History

Select Basic >System Management > RMON Configuration > History to enter the history
entry page, as shown in the following figure.

Figure 4-47 History

The parameters of the history entry configuration list are described as follows:

 Interface name: the monitored interface of the device.
 Buckets value: the number of entries displayed in the history statistics entry.
 Sampling interval (seconds): the sampling interval; the value range is 5~3600 seconds.
After the history entry is configured, click the OK button at the top right of the page; the
corresponding historical traffic statistics can then be viewed in the history statistics entry.

4.10.5.4 History_stat

Select Basic >System Management > RMON Configuration > History_stat to enter the
history_stat page, as shown in the following figure.


Figure 4-48 History_stat

The display information of history statistics entry items is explained as follows:

 Interface name: displays the interface name of the history statistics entry.
 Sampling ID: displays the serial numbers of the most recent samples; how many are shown
depends on the buckets value.
 Event packet loss count: displays the number of packet loss events in the historical samples.
 Byte count: displays the byte count of the historical samples.
 Number of packets: displays the number of transmitted data packets in the historical samples.
 Number of broadcast packets: displays the number of broadcast packets in the historical
samples.
 Number of check error packets: displays the number of check error packets in the historical
samples.
 Number of small packets: displays the number of small packets in the historical samples.
 Number of large packets: displays the number of large packets in the historical samples.
 Number of packets that are too small and have check errors: displays the number of such
packets in the historical samples.
 Number of packets that are too large and have check errors: displays the number of such
packets in the historical samples.
 Number of collision packets: displays the number of collision packets in the historical samples.
 Bandwidth utilization: displays the bandwidth utilization of the historical samples.

4.10.5.5 RMON log

Users can view the logs generated by the RMON function and delete them.

Select Basic > System Management > RMON Configuration > RMON Log to enter the RMON
log page, as shown in the following figure.

Figure 4-49 RMON Log


5 Object Management
5.1 Security zone
The device implements its default security mechanism through security zones, and a security
zone implements access control based on interfaces. By default, the device has three security
zones: Trust (for intranet PCs, intranet devices and intranet servers), Untrust (the public network)
and DMZ (for servers mapped to the public network). The priorities of these three security zones
cannot be changed, but users can also define their own security zones and priorities. If no
security policy is configured, a higher-priority security zone can access a lower-priority security
zone, while a lower-priority security zone cannot access a higher-priority one, and two security
zones of the same priority cannot communicate with each other.

Select Basic > Object Management > Security Zone from navigation tree to enter the security
zone host page, as shown in the following figure.

Figure 5-1 Security zone

Advanced configuration > Inter-Domain / Intra-Domain Actions:

 High-priority to low-priority pass: the default inter-domain action of the device.
 All passed: all security zones can access each other regardless of their priority.
 All packet loss: no inter-domain access is allowed.
Intra-domain action: the user can choose whether to drop packets within a security zone. If
packet loss is selected, the interfaces in the security zone cannot access each other; if it is not
selected, they can.
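The default verdict for traffic that matches no security policy, as an added example (not DPtech code): it combines the zone priority rule, the three inter-domain actions and the intra-domain drop option described above. The numeric priorities, the interface-to-zone bindings and the custom zone are constructed; the manual gives only the relative order of Trust, DMZ and Untrust, which the example assumes to be Trust above DMZ above Untrust.

```python
"""Default inter-zone verdict for the security-zone model on this page.
Added example, not DPtech code. Priorities, bindings and the custom zone are
constructed; only the relative order Trust > DMZ > Untrust is assumed."""

# Assumed priorities: a higher number means a higher-priority zone.
ZONES = {"Trust": 85, "DMZ": 50, "Untrust": 5}

INTER_DOMAIN_ACTIONS = ("high_to_low_pass", "all_pass", "all_drop")


def default_verdict(src_zone, dst_zone, inter_action="high_to_low_pass",
                    intra_drop=False, zones=ZONES):
    """Verdict ("pass"/"drop") for traffic with no matching security policy."""
    if inter_action not in INTER_DOMAIN_ACTIONS:
        raise ValueError(f"unknown inter-domain action {inter_action!r}")
    if src_zone == dst_zone:                     # intra-domain action
        return "drop" if intra_drop else "pass"
    if inter_action == "all_pass":
        return "pass"
    if inter_action == "all_drop":
        return "drop"
    # high_to_low_pass: only a strictly higher-priority zone may initiate;
    # equal priority means no access in either direction.
    return "pass" if zones[src_zone] > zones[dst_zone] else "drop"


def verdict_for_interfaces(src_if, dst_if, bindings, **options):
    """Resolve interfaces to their zones first; unbound interfaces are dropped,
    which is the safe default for a port nobody has assigned to a zone."""
    if src_if not in bindings or dst_if not in bindings:
        return "drop"
    return default_verdict(bindings[src_if], bindings[dst_if], **options)


# Constructed bindings and a constructed custom zone at DMZ's priority level.
BINDINGS = {"ge0": "Trust", "ge1": "Untrust", "ge2": "DMZ", "ge3": "Trust"}
ZONES_WITH_CUSTOM = dict(ZONES, Partner=50)
```

Note that under the default action every Trust host reaches the Untrust zone unrestricted until a security policy says otherwise, so the default is a fallback, not a substitute for policy.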


5.2 IP address
The IP address module consists of the IP address object configuration and the IP address object
group configuration. Both can be referenced by the packet filtering policy and the NAT policy.

5.2.1 IP address

Select Basic > Object Management > IP Address > IP Address from navigation tree to enter
the IP address page, as shown in the following figure.

Figure 5-2 IP address

Besides the add, modify and delete functions, the IP address object also provides a query
function. Queries can be by name or by IP address. A query by name supports fuzzy matching
and is not case sensitive; for example, if you enter the letter a, the system matches all address
objects whose name contains a or A.

The synchronization feature synchronizes the configuration of the IP address object to other
security policies. These security policies include packet filtering policy, NAT, session limit, stream
definition, policy routing, and DNS transparent proxy policy.

The parameters of the IP address object list are shown in the following:

 No.: the sequence number of the IP address object.
 Name: the name of the IP address object.
 Description: includes IP address range and IP address / mask.
     IP address range: usually used to configure continuous IP addresses that are not in the
same subnet. It also allows you to add exception IP addresses to remove a single IP
address or multiple IP addresses.
     IP address / mask: usually used to configure a subnet. It also allows you to add exception
IP addresses to remove a single IP address or multiple IP addresses.
 IP address range: the description of the IP address object.


 Reference counter: the number of times the address object is referenced by other modules
and the names of those modules. This function only displays references from packet filtering
and address object groups; when other modules reference the address object, their
configuration information is not displayed.

An IP address\wildcard can be configured directly in the IP address object. Currently, only IPv4
packet filtering and source NAT support address segments in the IP address\wildcard format.

5.2.2 IP address group

Select Basic > Object Management > IP Address > IP Address Group from navigation tree to
enter the IP address object group configuration page, as shown in the following figure.

Figure 5-3 IP address group

An IP address group is a collection of IP address objects. Its function and configuration method
are basically the same as those of the IP address object. Note that there are two ways to
configure the address object parameters:

 If an IP address object is already configured, select the configured IP address object
directly.
 If no IP address object is configured, create a new IP address object in the pop-up
configuration window.

5.3 IPv6 address


The IPv6 address module is configured with an IPv6 address object. The configuration method is
basically the same as the IPv4 address object. This function does not support query and
synchronization function.

Select Basic > Object Management > IPv6 Address from navigation tree to enter the IPv6
address configuration page, as shown in the following figure.

Figure 5-4 IPv6 address

IPv6 address objects have the functions of creating, deleting, modifying, copying, importing,
exporting, and clearing, and they do not support query.

The configuration parameters in the IPv6 address object list are described as follows:

 Serial number: the serial number of the IPv6 address object.
 Name: IPv6 address object name.
 Content: including IP address range, exception IP address range and IP address/mask.
 Description: the description of the IPv6 address object.
 Object reference: the number of times the IPv6 address object is referenced by other
modules and the module names. Click the icon to display the module name and the detailed
parameters of the referencing configuration.

5.4 MAC address


The MAC address module mainly configures MAC objects and MAC groups, which can be
referenced by IPv6 packet filtering and other security policies.

5.4.1 MAC address

Select Basic > Object Management > MAC Address > MAC Address from navigation tree to
enter the MAC address configuration page, as shown in the following figure.


Figure 5-5 MAC object

When configuring a MAC object, note that the MAC address must be entered in the format
HH:HH:HH:HH:HH:HH.

MAC objects support the add, modify, delete, import, export, empty and query functions. The
query function supports fuzzy matching and is case insensitive; for example, if you enter the
letter a, the system matches all objects whose name contains a or A.

5.4.2 MAC address group

Select Basic > Object Management > MAC Address > MAC Address Group from navigation
tree to enter the MAC address group configuration page, as shown in the following figure.

Figure 5-6 MAC address group

A MAC group is a collection of MAC objects; its function and configuration method are basically
the same as those of MAC objects. Note that there are two ways to configure the MAC object
parameters:

 If a MAC object is already configured, select the configured MAC object directly.
 If no MAC object is configured, create a new MAC object in the pop-up configuration
window.


5.5 User

5.5.1 User

5.5.1.1 User import

Select Basic > Object Management > User > User Import from navigation tree to enter the
user import configuration page, as shown in the following figure.

Figure 5-7 User import

The configuration for import in CSV mode is as follows: click the Browse button, select the local
CSV file, and click the Add Import button to import the users from the CSV file.

5.5.1.2 LDAP server list

Select Basic > Object Management > User > User Import from navigation tree to enter the
user import configuration page, as shown in the following figure.

Figure 5-8 LDAP server list

The configuration parameters imported in LDAP mode are described as follows:

 Serial number: the serial number of the LDAP import list entry.
 Name: LDAP authentication user name.
 Description: LDAP authentication user description.
 Server configuration: including server version, IP address, port number, user name attribute
name, user group attribute name, Base DN, administrator DN and administrator password.
 Operation: add and delete operations can be performed.

5.6 Domain name


Select Basic > Object Management > Domain Name from navigation tree to enter the domain
name page, as shown in the following figure.

Figure 5-9 Domain name

The domain name module provides the function of querying the IP address corresponding to a
domain name. Enter the domain name to be queried and click the Submit button in the upper
right corner of the page; the IP address corresponding to the domain name is displayed in the
list.

The prerequisite for a successful query is that the DNS server holds the mapping between the
domain name and the IP address.

5.7 Service
The service module includes 3 sub-modules: predefined service, custom service and service
group. The system predefines 28 service objects, the user can customize the service object, or
add predefined and custom service objects to the created service group.

5.7.1 Predefined service

Select Basic > Object Management > Service > Predefined Service from navigation tree to
enter the predefined service page, as shown in the following figure.


Figure 5-10 Predefined service

The system defines 28 service objects. In the predefined service page, you can view the protocol
type, message type, message code, source port, and destination port.

5.7.2 User-defined service

Select Basic > Object Management > Service > Custom service from navigation tree to enter
the custom service page, as shown in the following figure.

Figure 5-11 User-defined service

Besides the add, modify and delete functions, the custom service also provides a query
function. Queries can be by name or by IP address. A query by name supports fuzzy matching
and is not case sensitive; for example, if you enter the letter a, the system matches all objects
whose name contains a or A.

The synchronization feature synchronizes the configuration of the custom service to other
security policies. These security policies include packet filtering policy, NAT, session limit, stream
definition.

The parameters of the custom service configuration are as follows:

 Serial number: the serial number of the custom service.
 Name: the name of the custom service.
 Content: the custom protocol, message type / message code, and source port / destination
port.
 Description: the description of the custom service.
 Reference count: the number of times the custom service is referenced by other modules,
and the names of those modules. Click the icon to display the referencing module and the
detailed parameters of the reference.

5.7.3 Service group

Select Basic > Object Management > Service > Service Group from navigation tree to enter
the service group page, as shown in the following figure.

Figure 5-12 Service group

The service group is configured in basically the same way as the predefined service. The
parameters of the service group are as follows:

 Name: the name of the predefined service.
 Object list: the system-predefined services and custom services that you can select from.
 Description: the description of the service group.
 Reference count: the number of times the service group is referenced by other modules, and
the names of those modules. Click the icon to display the referencing module and the
detailed parameters of the reference.

5.8 Time
Select Basic > Object Management > Time from navigation tree to enter the time page, as
shown in the following figure.

Figure 5-13 Time object

The time object is used to configure time ranges that can be referenced by different policies. A
time range can be configured in the following ways:

 Always: unlimited; there is no effective time limit.
 Relative time: periodic effective time. The effective time is a fixed time window on selected
days of the week.
 Absolute time: a specified effective time. The effective time is the exact time range you
configure.
 Combination time: a combination of several specific time periods.
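The following added example (not DPtech code) models the four kinds of time object above and evaluates whether a policy referencing one is in effect at a given moment. The field names, the treatment of a combination as "any member period applies", and the sample objects are assumptions of the example.

```python
"""Evaluating the four kinds of time object a policy can reference.

Added example, not DPtech code: it models Always, Relative (weekday +
time-of-day window), Absolute (fixed start/end) and Combination
(several periods) objects and decides whether a given moment is inside
the object's effective time.  Field names are assumptions, not the
firewall's own configuration schema.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Union


@dataclass
class Always:
    """Unlimited: the policy is always in effect."""

    def contains(self, now: datetime) -> bool:
        return True


@dataclass
class RelativeTime:
    """Periodic: a fixed time-of-day window on some days of the week.

    weekdays uses datetime.weekday() numbering (0 = Monday).  A window
    whose end is earlier than its start wraps past midnight, so
    22:00-06:00 on Friday covers Friday night into Saturday morning.
    """
    weekdays: frozenset
    start: time
    end: time

    def contains(self, now: datetime) -> bool:
        t = now.time()
        if self.start <= self.end:
            return now.weekday() in self.weekdays and self.start <= t < self.end
        # Wrap-around window: the part after midnight counts against the
        # day on which the window started.
        if t >= self.start:
            return now.weekday() in self.weekdays
        return t < self.end and (now.weekday() - 1) % 7 in self.weekdays


@dataclass
class AbsoluteTime:
    """A specified range: effective from start up to (not including) end."""
    start: datetime
    end: datetime

    def contains(self, now: datetime) -> bool:
        return self.start <= now < self.end


@dataclass
class CombinationTime:
    """A combination of periods: effective when any member period applies.

    Treating the combination as a union is an assumption of this example;
    the manual only says the periods are combined.
    """
    members: list = field(default_factory=list)

    def contains(self, now: datetime) -> bool:
        return any(m.contains(now) for m in self.members)


TimeObject = Union[Always, RelativeTime, AbsoluteTime, CombinationTime]


def policy_active(time_obj: TimeObject, now: datetime) -> bool:
    """Return True when a policy referencing time_obj is in effect at now."""
    return time_obj.contains(now)


# Constructed sample objects: office hours, a Friday night shift that wraps
# past midnight, and a two-day absolute change-freeze window.
WORK_HOURS = RelativeTime(frozenset({0, 1, 2, 3, 4}), time(9, 0), time(18, 0))
NIGHT_SHIFT = RelativeTime(frozenset({4}), time(22, 0), time(6, 0))
FREEZE = AbsoluteTime(datetime(2021, 3, 6, 0, 0), datetime(2021, 3, 8, 0, 0))
ALLOWED = CombinationTime([WORK_HOURS, NIGHT_SHIFT, FREEZE])

if __name__ == "__main__":
    for probe in (datetime(2021, 3, 10, 10, 30),   # Wednesday, office hours
                  datetime(2021, 3, 13, 3, 0),     # Saturday 03:00, Friday night shift
                  datetime(2021, 3, 10, 20, 0)):   # Wednesday evening, nothing applies
        print(probe, policy_active(ALLOWED, probe))
```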


6 Interface Management
6.1 Networking configuration
All the physical interfaces of the device are configured in the networking configuration module,
including the working mode of the interface and the corresponding interface type, interface
description, IP configuration, VLAN configuration, open / close interface, and valid IP / MAC
address information.

Select Basic > Interface Management > Networking configuration from navigation tree to
enter the networking configuration, as shown in the following figure.

Figure 6-1 Networking configuration

The working mode of a device interface can be configured as Layer 2 or Layer 3. The device
supports Layer 2 forwarding, Layer 3 forwarding, and mixed Layer 2 / Layer 3 forwarding. If the
destination MAC address of a received packet matches the MAC address of a VLAN interface or
of a Layer 3 physical interface, the packet is forwarded at Layer 3 through that VLAN interface or
physical interface. If the destination MAC address matches neither a VLAN interface nor a
physical port, the packet is relayed at Layer 2 through the Layer 2 interface.


The physical interface of the device has two modes, Access and Trunk.

 Packets received on an Access port are assigned to the port's VLAN. Packets sent out of an
Access port have the VLAN tag removed.
 A Trunk link can carry the traffic of multiple VLANs, each with its own VLAN tag, on the same
link.
The Layer 2 interface needs to be configured with VLANs and a default VLAN. If not configured,
the system automatically configures "vlan: 1 default vlan: 1".

The physical interfaces of the device are divided into management interfaces and service ports.
The management port is used only for managing the device and cannot forward service data,
which ensures that the device remains manageable regardless of service traffic. Service ports
are of two types, LAN and WAN, whose roles are basically the same: the LAN port is generally
used inside the LAN, and the WAN port at the LAN exit.

A Layer 3 interface requires IP settings. The IP address can be obtained in the following four
ways:

 Static IP: manually configure IP addresses and masks; IPv4 and IPv6 addresses are
supported. The add and delete operations are valid only for IPv4 and IPv6 addresses.
 PPPoE: obtain an IP address through user name and password authentication.
 DHCP: obtain an IPv4 address from a DHCP server in the local area network.
 DHCPv6: obtain an IPv6 address from a DHCPv6 server.
After you have finished the above configuration, click the Submit button at the top right of the
page for the configuration to take effect.

6.2 Interface configuration

6.2.1 Interface configuration

The service interface is a Layer 3 physical interface whose interface type is LAN or WAN. The
device provides rate, duplex, MTU, and TCP_MSS settings, which control the behaviour of the
service interface. The device also raises an alarm when the interface rate exceeds the configured
threshold and monitors interface abnormalities in real time.

Select Basic > Interface Management > Ethernet Port > Ethernet Port from navigation tree to
enter the Ethernet port page, as shown in the following figure.


Figure 6-2 Interface configuration

The parameters of the interface configuration are shown in the following:

 Enable/disable: select to enable or disable the interface. A disabled interface does not
forward traffic.
 Rate status: the interface supports 100M and 1000M rates, or auto-negotiation, in which the
system selects the interface rate automatically according to the actual traffic.
 Duplex setting: full-duplex, half-duplex, or auto-negotiation; full-duplex or auto-negotiation
is recommended. An interface usually receives packets while it is sending, and half-duplex
operation may reduce the rate at which packets are processed.
 MTU: configure the MTU of the interface to prevent packet loss or large packets from
blocking the link.
 TCP_MSS: configure TCP_MSS to prevent packet loss when establishing a TCP
connection.
 Zero clearing: click the icon to clear all traffic information for that interface.

6.2.2 Interface rate beyond warning

Select Basic > Interface Management > Business Interface > Interface Rate beyond
Warning from navigation tree to enter the Ethernet port traffic statistic page, as shown in the
following figure.


Figure 6-3 Interface rate beyond warning

Select the physical interface in Port name and configure the maximum sending rate and the
maximum receiving rate. When the interface rate exceeds the configured maximum, the device
generates a system log reporting that the interface rate exceeds the limit. The administrator can
locate the abnormal interface from the log message.

6.3 Port aggregation

6.3.1 Introduction

6.3.1.1 Port aggregation description

The aggregation type of the device is divided into static aggregation (LACP not enabled) and
dynamic aggregation (LACP enabled). The "dynamic aggregation with fast cycle" option in the
global configuration is not checked by default. When unchecked, LACP packets are sent every
30 seconds; when checked, LACP packets are sent every 1 second. Ensure that the LACP
settings on both devices are consistent.

Static aggregation is configured manually by the user; the system does not automatically add
ports to or remove ports from the aggregation group. The aggregation group must contain at
least one port. When an aggregation group has only one port, that port can be removed only by
deleting the aggregation group. LACP is enabled on static aggregation ports. When a static
aggregation group is deleted, its member ports form one or more dynamic LACP aggregations
and keep LACP enabled. To shut down static aggregation ports, disable LACP.

In dynamic aggregation the system creates and deletes the aggregation automatically, and ports
are added to or removed from the aggregation group automatically by the protocol. Only ports
with the same rate and duplex attributes, connected to the same device, and with the same basic
configuration can be dynamically aggregated together. A dynamic aggregation can be created
even with a single port; this is a single-port aggregation. In dynamic aggregation, LACP is
enabled on the port. If you configure dynamic aggregation on a port, the peer device must
support dynamic LACP aggregation.

6.3.1.2 Aggregation outbound port description

The device supports seven aggregation outbound port (demultiplexing) algorithms, and different
algorithms can be used according to different requirements.

When the "mix port into HASH" option of the HASH-to-port aggregation algorithm in the global
configuration is enabled and the outgoing port algorithm is source IP, destination IP, or source
IP + destination IP, the TCP / UDP port number of TCP / UDP packets is also included in the
HASH calculation. Example:

 The outgoing port algorithm is source IP + destination IP and port mixing is not enabled. All
TCP packets from 1.1.1.1 to 2.2.2.2 leave through the same fixed interface.
 The outgoing port algorithm is source IP + destination IP and port mixing is enabled. TCP
packets from 1.1.1.1 to 2.2.2.2 may leave through different interfaces if their port numbers
differ.
Two factors determine the selected interface: the HASH value and the number of member ports
in the aggregation group. The outbound port algorithm configuration determines how the HASH
value is derived.

 Source MAC: the HASH value is calculated from the source MAC address of the packet.
 Destination MAC: the HASH value is calculated from the destination MAC address of the
packet, and the outgoing interface is selected from it.
 Source MAC + destination MAC: the HASH value is calculated from the source MAC
address and destination MAC address of the packet.
 Destination IP: the HASH value is calculated from the destination IP address of the packet,
and the outgoing interface is selected from it.
 Source IP: the HASH value is calculated from the source IP address of the packet, and the
outgoing interface is selected from it.
 Source IP + destination IP: the HASH value is calculated from the source IP address and
destination IP address of the packet, and the outgoing interface is selected from it.
 Port-based: a composite algorithm that calculates the HASH value differently for different
packet types. For ordinary IP packets the HASH value is derived from the source IP and
destination IP; for other packet types it is derived from the source MAC and destination
MAC. If the packet carries a VLAN tag, the VLAN is also included in the HASH calculation.
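The following added example (not DPtech code) models the member-port selection described above: it hashes the fields each outbound port algorithm uses, applies the "mix port into HASH" rule to TCP/UDP, and reduces the HASH value modulo the member count. The manual does not publish the hash function, so CRC32 is an assumption made only to make the behaviour observable; the flows are constructed.

```python
"""Modelling how an aggregation group picks its outgoing member port.

Added example, not DPtech code.  The manual lists the fields each
outbound port algorithm hashes and says the member is chosen from the
HASH value and the member count; the hash function itself is not
published, so CRC32 of the selected fields is an assumption used here.
"""
import zlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: Optional[str] = None   # None for non-IP traffic
    dst_ip: Optional[str] = None
    proto: Optional[str] = None    # "tcp", "udp" or other/None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    vlan: Optional[int] = None


# Which header fields each algorithm feeds into the hash (names as in the manual).
FIELDS = {
    "source MAC": ("src_mac",),
    "destination MAC": ("dst_mac",),
    "source MAC + destination MAC": ("src_mac", "dst_mac"),
    "source IP": ("src_ip",),
    "destination IP": ("dst_ip",),
    "source IP + destination IP": ("src_ip", "dst_ip"),
}
IP_ALGORITHMS = {"source IP", "destination IP", "source IP + destination IP"}


def hash_fields(pkt: Packet, algorithm: str, mix_ports: bool) -> tuple:
    """Return the tuple of header fields the HASH is computed over."""
    if algorithm == "port-based":
        # Composite algorithm: IP packets hash on addresses, anything else
        # on MACs, with the VLAN tag added when present.
        if pkt.src_ip is not None and pkt.dst_ip is not None:
            fields = (pkt.src_ip, pkt.dst_ip)
        else:
            fields = (pkt.src_mac, pkt.dst_mac)
        return fields + ((pkt.vlan,) if pkt.vlan is not None else ())
    fields = tuple(getattr(pkt, f) for f in FIELDS[algorithm])
    if None in fields:
        raise ValueError(f"{algorithm} needs IP header fields")
    # "Mix port into HASH": only for the IP algorithms and only for TCP/UDP.
    if mix_ports and algorithm in IP_ALGORITHMS and pkt.proto in ("tcp", "udp"):
        fields += (pkt.src_port, pkt.dst_port)
    return fields


def select_member(pkt: Packet, algorithm: str, members: int,
                  mix_ports: bool = False) -> int:
    """Index (0..members-1) of the aggregation member the packet leaves on."""
    if members < 1:
        raise ValueError("aggregation group must contain at least one port")
    key = "|".join(str(f) for f in hash_fields(pkt, algorithm, mix_ports))
    return zlib.crc32(key.encode()) % members


def members_used(flows, algorithm: str, members: int, mix_ports: bool) -> set:
    """Set of member indexes a list of flows is spread across."""
    return {select_member(p, algorithm, members, mix_ports) for p in flows}


# Constructed flows matching the manual's example: TCP 1.1.1.1 -> 2.2.2.2
# with varying source ports (e.g. many clients behind one NAT address).
FLOWS = [Packet("00:11:22:33:44:55", "66:77:88:99:aa:bb", "1.1.1.1", "2.2.2.2",
                "tcp", sport, 443) for sport in range(40000, 40064)]

if __name__ == "__main__":
    # Without port mixing every flow of this address pair shares one member;
    # with it the same flows spread across the four-member group.
    print("no port mixing:", members_used(FLOWS, "source IP + destination IP", 4, False))
    print("port mixing   :", members_used(FLOWS, "source IP + destination IP", 4, True))
```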

6.3.2 Port aggregation configuration

6.3.2.1 Port aggregation configuration

Select Basic > Interface Management > Port Aggregation > Port Aggregation
Configuration from navigation tree to enter the port aggregation configuration page, as shown
in the following figure.


Figure 6-4 Port aggregation configuration

The port aggregation configuration page consists of two parts: global configuration and port
configuration.

Global configuration includes common algorithm configuration and custom algorithm
configuration:

 In the common algorithm configuration, you can enable the HASH-to-port aggregation
algorithm. If the outgoing port algorithm is source IP, destination IP, or source IP + destination
IP, the port number of TCP / UDP packets is then included in the port aggregation HASH
calculation.
 In the custom algorithm configuration, you can customize the configuration by packet type.
The packet types are IPv4, IPv6, non-IP, and MPLS. The configurable fields include the
physical ingress port, protocol, L4 destination port, L4 source port, and VLAN ID; multiple
options can be selected.
The parameters of the port configuration list are as follows:

 No.: display the number of the aggregation group.
 Aggregation group ID: set the aggregation group ID.
 Aggregation group name: display the name of the aggregation group.
 Aggregation group description: set the description of the aggregation group.
 Aggregation group type: set the aggregation group type, static aggregation or dynamic
aggregation.
 Hashing algorithm: set the outbound port algorithm: source MAC, destination MAC, source
MAC + destination MAC, source IP, destination IP, source IP + destination IP, or port-based.
 Port list: select the ports contained in the aggregation group.
 Advanced configuration: set the minimum number of links required by the aggregation
group.

6.3.3 LACP configuration

Select Basic > Interface Management > Port Aggregation > LACP Configuration from
navigation tree to enter the LACP configuration page, as shown in the following figure.


Figure 6-5 LACP configuration

The parameters of the LACP configuration list are as follows:

 No.: the number of the list entry.
 Aggregation group ID: the aggregation group ID, in the range 1~127.
 Timeout mode: the LACP timeout mode. By default the LACP timeout is the slow timeout,
and the timeout is 3 seconds.
 Select mode: the mode for selecting the LACP Selected interface. By default, LACP selects
the Selected interface by duplex rate.
 System priority: the LACP system priority. The default value is 32768, in the range 1~65535.
The smallest value has the highest system priority.
 System ID: the LACP system ID, in the same form as a MAC address. The default value is
the MAC address of the aggregate port. The smallest value has the highest system priority.
 Reset: clear the LACP protocol packet counters.
The parameters of the port LACP configuration list are as follows:

 No.: the number of the list entry.
 Port name: the name of the LACP port.
 Aggregation group to which it belongs: the aggregation group the port belongs to.
 Port priority: the LACP port priority. The default value is 32768, in the range 1~65535; the
smaller the value, the higher the priority.
 Admin KEY: the LACP port administrative KEY. The default value is 0, and it can be set in the
range 1~65535.
 Reset: clear the LACP protocol packet counters.

6.3.4 Aggregation group status

The aggregation group status module provides the aggregation group ID, aggregation group
name, aggregation type, outgoing port algorithm, local device ID, remote device ID, the minimum
port number, and traffic statistics.


Select Basic > Interface Management > Port Aggregation > Aggregation group status from
navigation tree to enter the port aggregation status page, as shown in the following figure.

Figure 6-6 Aggregation group status

The parameters of the aggregation group status page are shown in the following:

 Aggregation group ID: display the aggregation group ID.
 Aggregation group name: display the aggregation group name.
 Aggregation group type: display the aggregation group type.
 Hashing algorithms: display the outgoing port algorithm of aggregation.
 Local device ID: display the local device ID.
 Remote device ID: display the remote device ID.
 Mini port ID: display the minimum port number.
 Selected port: display the selected port.
 Unselected port: display the unselected port.
 Traffic statistics (bytes): display and clear the traffic statistics data of port aggregation group.

6.4 Port mirroring


Port mirroring copies packets from a designated port (the source port) to another port (the
destination port). The destination port is connected to a data monitoring device, which the user
uses to analyze the copied packets for network monitoring and troubleshooting.

6.4.1 Local mirror

Local port mirroring copies packets from a source port of the device to a destination port on the
same device for monitoring and analysis. It is implemented by means of a local mirroring group,
that is, the source port and the destination port belong to the same local mirroring group.

Select Basic > Interface Management > Port Mirroring > Local Mirror from navigation tree to
enter the local port mirroring configuration page, as shown in the following figure.


Figure 6-7 Local mirror

The parameters of the local port mirroring configuration are as follows:

 Remaining mirror resources: display the remaining mirror resources.
 Mirror group ID range: display the value range of the mirror group ID.
 Serial number: the serial number of the list item.
 ID: the mirror group ID.
 Mirror group description: the description of the mirror group.
 Source port: the source port of the mirrored packets.
 Destination port: the destination port of the mirrored packets.
 Mirrored message direction: select the direction of the mirrored packets: outgoing, incoming,
or bidirectional.
 Incoming direction: mirror only the packets received on the source port.
 Outgoing direction: mirror only the packets sent from the source port.
 Two-way: mirror the packets both received on and sent from the source port.

6.4.2 Remote source mirror

Remote source mirror refers to copying the packets on the source port of this device to the
destination port of another device for monitoring and analyzing these packets. The remote
mirroring source group configuration module provides the function of setting the parameters of
the remote mirroring source group, including the mirroring group ID, mirroring group description,
source port, egress port, remote VLAN, and mirrored message direction.

Select Basic > Interface Management > Port Mirroring > Local Port Mirroring > Remote
Source Mirror from navigation tree to enter the remote mirroring source group configuration
page, as shown in the following figure.


Figure 6-8 Remote source mirror

The parameters of the remote mirroring source group configuration are as follows:

 Remaining mirror resources: display the remaining mirror resources.
 Mirror group ID range: display the value range of the remote mirror group ID.
The parameters for remote mirroring with outgoing port mirroring are as follows:

 Serial number: Display the serial number of the remote mirroring source group.
 Mirror group ID: remote mirror source group ID number.
 Mirror group description: description information of the remote mirror source group.
 Source port: the source port of the mirrored packets of this device.
 Outgoing port: the outgoing port of the mirrored packet of this device.
 Remote VLAN: VLAN ID of the remote VLAN.
 Mirrored message direction: select the direction of the mirrored message of the device,
including outbound, inbound, and bidirectional.
 Incoming direction: only mirror the packets received from the source port.
 Outgoing direction: only mirror the packets sent from the source port.
 Two-way: mirror the messages received and sent from the source port.

The outgoing port of remote mirroring must be configured as a trunk port, and the remote VLAN
should not be the default VLAN of the mirroring link port.

6.5 Logic interface

6.5.1 Subinterface

A subinterface is a logical interface virtualized from a physical interface. It overcomes the limit
on the number of physical interfaces of the device and enables routing and communication
between multiple VLANs on one interface.


Select Basic > Interface Management > Subinterface from navigation tree to enter the
subinterface configuration page, as shown in the following figure.

Figure 6-9 Subinterface configuration

When configuring the sub-interface name, you need to select the physical interface first, and
then enter the sub-interface name. The sub-interface types include Layer 3 interface and Layer 2
interface (access). After the configuration takes effect, the system automatically generates the
corresponding VLAN ID.

The device supports batch addition and batch deletion of sub-interfaces. Click the <Batch Add
Sub-interfaces> or <Batch Delete Sub-interfaces> button, select the physical interface, and
enter the sub-interface range.

6.5.2 Loopback interface

A loopback interface is a logical, virtual interface on the device. The device does not enable a
loopback interface by default; it must be created manually. You can create one or more loopback
interfaces on the device and configure an IP address and mask as on a physical interface. The
address of a loopback interface is usually given a 32-bit mask. A loopback interface always stays
up unless the device fails.

Select Basic > Interface Management > Loopback Interface from navigation tree to enter the
loopback interface page, as shown in the following figure.

Figure 6-10 Loopback interface configuration

Enter the interface ID and description information, and click the OK button.

6.5.3 PPP interface configuration

The PPP interface is a virtual interface for PPPoE dialing. The PPP interface configuration
module supports only static PPP interfaces. The interface ID ranges from 2 to 128. The PPP0
and PPP1 ports exist by default and cannot be deleted.


Select Basic > Interface Management > PPP Interface > PPP Interface Configuration from
navigation tree to enter the PPP interface configuration page, as shown in the following figure.

Figure 6-11 PPP interface configuration

The parameters of the PPP interface configuration are as follows:

 Name: set the ID of the PPP port.
 ID: set the interface ID of the PPP port.
 Description: set the description of the PPP port.
 MTU: set the MTU value.
The PPP port traffic and packet counts are shown as follows:

 Interface: display the PPP interface configured by the user.
 Traffic (bytes) sent / received: display the traffic sent and received by the PPP port.
 Packets sent / received: display the number of packets sent and received by the PPP port.

6.5.4 Template interface

A Template interface is a virtual interface created dynamically from the configuration parameters
of a virtual interface template, used to exchange data with the peer. It is mainly used in the
security domain module. By default the Template interfaces of the device already exist and do
not need to be created manually.

The Template interface is typically used as a collection of virtual interfaces for L2TP,
representing all L2TP server-side virtual interfaces: you do not need to add each L2TP virtual
interface to the security domain, only the Template interface.

The Template interface configuration module provides the function of displaying the name,
interface ID, and description information for users.

Select Basic > Interface Management > Logic Interface > Template Interface from navigation
tree to enter the Template interface page, as shown in the following figure.


Figure 6-12 Template interface

6.5.5 IPsec interface configuration

IPsec (Internet Protocol Security) is an open standard framework that secures communication
over Internet Protocol (IP) networks using cryptographic security services. IPsec operates at the
third layer of the OSI model, so on its own it can protect TCP- or UDP-based protocols. The
IPsec interface configuration module binds an IPsec interface, which is a virtual interface used
only in IPsec networks.

Select Basic > Interface Management > Logic Interface > IPsec Interface Configuration
from navigation tree to enter the IPsec interface configuration page, as shown in the following
figure.

Figure 6-13 IPsec interface configuration

The parameters of IPsec interface configuration are shown in the following:

 Tunnel interface ID: the number of the IPsec interface.
 Tunnel interface IP address: the IP address of the interface.
 Tunnel interface mode: the application mode of the interface, including gateway mode
(route), point-to-multipoint mode, gateway mode (policy), client mode (policy).
 Description: the description of the interface.

6.6 IPv6 tunnel


The 6to4 tunnel is a point-to-multipoint automatic tunnel technology that enables communication
between isolated IPv6 subnets connected over a pure IPv4 network. The interface address of a
6to4 tunnel uses a special IPv6 address form with an embedded IPv4 address, so that the IPv4
address of the tunnel endpoint can be obtained from the destination address of the IPv6 packet.
The address uses the permanent prefix 0x2002 assigned by IANA, expressed as the IPv6
address prefix 2002::/16.

Select Basic > Network Protocol > IPv6 Tunnel from navigation tree to enter the 6to4 tunnel
configuration page, as shown in the following figure.

Figure 6-14 6to4 tunnel

The parameters of the 6to4 tunnel are described as follows:

 Interface number: Set the number of the 6to4 tunnel interface, the number range is 1-63.
 Interface IPv6 address: Set the IPv6 address of the 6to4 tunnel interface.
 Source IP address: Set the source address of the manually configured tunnel, or use the
tunnel source interface address as the source address of the tunnel.
 Destination IP address: Set the destination IP address of the 6to4 tunnel.
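The following added example (not DPtech code) works through the embedded-IPv4 address form described above: it builds a site's 2002::/48 prefix from its IPv4 endpoint and reads the IPv4 tunnel destination back out of an IPv6 destination address, rejecting addresses outside 2002::/16. The endpoint addresses are constructed from the documentation ranges.

```python
"""Deriving 6to4 tunnel endpoints from 2002::/16 addresses.

Added example, not DPtech code.  It shows the embedded-IPv4 address form
the manual describes: the tunnel's IPv6 prefix is built from the IPv4
endpoint, and the IPv4 destination of the encapsulating packet is read
back out of the IPv6 destination address.  Standard library only.
"""
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")   # IANA-assigned 6to4 prefix


def six_to_four_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Return the /48 prefix 2002:WWXX:YYZZ::/48 for IPv4 endpoint W.X.Y.Z."""
    v4 = ipaddress.IPv4Address(ipv4)
    # Addresses that can never terminate a tunnel are rejected up front.
    if v4.is_multicast or v4.is_loopback or v4.is_unspecified:
        raise ValueError(f"{ipv4} cannot be a 6to4 tunnel endpoint")
    # The 32-bit IPv4 address occupies bits 16..47 of the IPv6 address,
    # i.e. it sits directly after the 16-bit 0x2002 prefix.
    prefix_int = (0x2002 << 112) | (int(v4) << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


def embedded_ipv4(ipv6: str) -> ipaddress.IPv4Address:
    """Extract the IPv4 tunnel endpoint from a 6to4 IPv6 destination address."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in SIX_TO_FOUR:
        raise ValueError(f"{ipv6} is not a 6to4 address (prefix must be 2002::/16)")
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def tunnel_destination(ipv6_dst: str, local_ipv4: str) -> ipaddress.IPv4Address:
    """IPv4 destination for encapsulating a packet bound for ipv6_dst.

    Traffic to another site's 2002:: prefix is sent straight to that site's
    embedded IPv4 endpoint (point-to-multipoint, no per-peer tunnel needed).
    Traffic for our own prefix is local and must not be tunnelled.
    """
    dst = embedded_ipv4(ipv6_dst)
    if dst == ipaddress.IPv4Address(local_ipv4):
        raise ValueError("destination is inside our own 6to4 site; no tunnel needed")
    return dst


if __name__ == "__main__":
    # Constructed endpoints from the TEST-NET documentation ranges.
    print(six_to_four_prefix("203.0.113.7"))          # 2002:cb00:7107::/48
    print(embedded_ipv4("2002:c633:6401:1::42"))      # 198.51.100.1
    print(tunnel_destination("2002:c633:6401:1::42", "203.0.113.7"))
```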

6.7 GRE
GRE (Generic Routing Encapsulation) is a tunneling protocol. It encapsulates packets of one
network layer protocol inside another network layer protocol, so that the encapsulated packets
can be transported over the other network layer protocol.

Select Basic > Network Protocol > GRE Tunnel Port from navigation tree to enter the GRE
tunnel port configuration page, as shown in the following figure.


Figure 6-15 GRE tunnel

The parameters of the GRE4 tunnel are shown in the following:

 Interface number (1 ~ 255): set the GRE tunnel interface number.
 Interface address: set the IPv4 address of the GRE tunnel interface.
 Source IP address: set the source IPv4 address of the GRE tunnel.
 Destination IP address: set the destination IPv4 address of the GRE tunnel.
 Advanced configuration: set the advanced parameters of the GRE tunnel, including GRE link
detection, packet interval, Checksum check, and tunnel identification keyword.
 Description: set the description of the GRE tunnel.
The parameters of the GRE6 tunnel are shown in the following:

 Interface number (1 ~ 255): set the GRE tunnel interface number.
 Interface address: set the IPv6 address of the GRE tunnel interface.
 Source IP address: set the source IPv6 address of the GRE tunnel.
 Destination IP address: set the destination IPv6 address of the GRE tunnel.
 Advanced configuration: set the advanced parameters of the GRE tunnel, including the
Checksum check and tunnel identification keyword.
 Description: set the description of the GRE tunnel.


7 VLAN Management
7.1 VLAN

7.1.1 VLAN configuration

Select Basic > VLAN Management > VLAN > VLAN Configuration from navigation tree to
enter the VLAN configuration page, as shown in the following figure.

Figure 7-1 VLAN configuration

On the VLAN configuration page, users can add and delete VLANs in batches and view a single
VLAN or all VLANs. The VLAN configuration page provides the following function buttons:

 Add VLAN: click the icon to add a new VLAN and configure its VLAN ID and description. The
ports contained in the VLAN are determined by the VLAN assigned to each interface in the
networking configuration; only that configuration information is displayed here.
 Delete VLAN: click the icon to delete the newly added VLAN.
 Add VLANs in batches: click the <Add VLANs in batches> button and enter the VLAN IDs to
be added in the pop-up configuration window.
 Delete VLANs in batches: click the <Bulk Delete VLANs> button and enter the VLAN IDs to
be deleted in the pop-up configuration window.
 View a single VLAN: enter the ID of a single VLAN in the text box labelled "Please enter a
single VLAN ID" and click the <View> button to view the information of that VLAN.
 View all VLANs: click the <View all VLANs> button to view the information of all VLANs.
The parameters of the VLAN configuration page are as follows:

 VLAN ID: set the VLAN ID, in the range 2 to 4094.
 Description: set the description of the VLAN.
 Ports: display the ports contained in the VLAN.
 Flow statistics: select whether to enable or disable the flow statistics function.

7.1.2 VLAN flow statistics

After the VLAN traffic statistics function is enabled in the "VLAN Configuration" module, the
VLAN traffic statistics page displays VLAN traffic statistics.

Select Basic > VLAN Management > VLAN > VLAN Flow Statistics from navigation tree to
enter the VLAN flow statistics page, as shown in the following figure.

Figure 7-2 VLAN flow statistics

The VLAN traffic statistics page provides the following function buttons:

 View: click the <View> button to display the traffic statistics of the VLAN to be viewed in the list.
 View all VLANs: click the <View all VLANs> button to display the traffic statistics of all VLANs in the list.
 Clear all: click the <Clear All> button to clear the traffic statistics of all VLANs.
The parameters of the VLAN traffic statistics list are described as follows:

 VLAN ID: the VLAN ID number.
 Traffic size (TX/RX): the transmitted/received traffic volume of the VLAN.
 bps (TX/RX): the transmitted/received traffic rate of the VLAN.
 pps (TX/RX): the transmitted/received packet forwarding rate of the VLAN.
 Clear traffic: clear the traffic statistics of this VLAN.

7.1.3 VLAN frame manage

Select Basic > VLAN Management > VLAN > VLAN Frame Manage from navigation tree to
enter the VLAN frame manage page, as shown in the following figure.

Figure 7-3 VLAN frame manage

The VLAN frame check function is enabled by default. To disable it for an interface, add that interface to the interface name list. An interface with VLAN frame check disabled does not check the VLAN tag of incoming frames, so frames that do not belong to one of this interface's VLANs are processed by the interface as well.
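As an added illustration, not part of the manual or the device's software, the following Python decides whether an interface processes an 802.1Q-tagged frame the way the VLAN frame check described above does: with the check enabled, a tagged frame is processed only if its VID is one of the interface's VLANs; with the check disabled, any VID is accepted. The interface membership set, the frame builder and the sample frames are constructed for this example.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def parse_8021q(frame: bytes):
    """Return (vlan_id, inner_ethertype); vlan_id is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        return None, ethertype
    if len(frame) < 18:
        raise ValueError("802.1Q tag truncated")
    tci, inner = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF                      # low 12 bits of the TCI carry the VID
    if vid in (0, 4095):
        raise ValueError(f"VID {vid} is reserved and is not a usable VLAN ID")
    return vid, inner


def valid_vlan_id(vid: int) -> bool:
    """VLAN IDs that this configuration page accepts are 2 to 4094."""
    return 2 <= vid <= 4094


def frame_check(frame: bytes, iface_vlans, check_enabled: bool = True) -> bool:
    """Decide whether an interface processes a frame.

    check_enabled=True is the device default: a tagged frame is processed only if
    its VID is one of the VLANs the interface belongs to.  With the check disabled
    the tag is ignored and any VID is accepted, which is the risk of turning it off.
    Untagged frames carry no VID to check and are accepted in both modes
    (assumption: the page does not describe untagged handling).
    """
    vid, _ = parse_8021q(frame)
    if vid is None or not check_enabled:
        return True
    return vid in iface_vlans


def build_frame(vid=None, payload: bytes = b"\x45" + b"\x00" * 19) -> bytes:
    """Constructed sample frame: two locally administered MACs, an optional
    802.1Q tag, the IPv4 ethertype and a dummy payload."""
    dst = bytes.fromhex("0200000000aa")
    src = bytes.fromhex("0200000000bb")
    if vid is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    tci = vid & 0x0FFF                      # PCP 0, DEI 0
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ETHERTYPE_IPV4) + payload


if __name__ == "__main__":
    member_of = {100, 200}                  # constructed: VLANs this interface belongs to
    for vid in (100, 300, None):
        f = build_frame(vid)
        print(vid, frame_check(f, member_of), frame_check(f, member_of, check_enabled=False))
```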

7.2 VLAN interface

7.2.1 VLAN interface configuration

The VLAN interface configuration module provides functions to add/delete VLANs, view VLAN
information, and file import/export.

Select Basic > VLAN Management > VLAN Interface Configuration > VLAN Interface
Configuration from navigation tree to enter the interface configuration page, as shown in the
following figure.

Figure 7-4 VLAN interface configuration

On the VLAN interface configuration page, you can create and delete VLAN interfaces singly or in batches.

 Adding VLANs in batch: click the Adding VLAN in Batch button to add VLANs; the VLANs you have added are then displayed in the VLAN configuration list.
 Deleting VLANs in batch: click the Deleting VLAN in Batch button to delete VLANs; the deleted VLANs no longer appear in the VLAN configuration list.
 View: click the View button to display the VLAN information in the VLAN configuration list.
 Search: click the Search button to display the VLANs you have created in the VLAN configuration list.


The parameters of VLAN interface configuration page are shown in the following:

 VLAN ID: set the VLAN ID, in the range of 2 to 4094.
 Interface name: display the name of the VLAN interface.
 Interface description: the description of the VLAN interface.
 Interface IP/Mask: set the IP address and mask of the VLAN interface. Click the Interface IP/Mask list item to configure the primary IPv4 address, secondary IPv4 addresses and the IPv6 address. Multiple secondary IPv4 addresses can be configured, and the IPv4 address can be set statically or obtained by DHCP.
 User-defined MAC address: set the MAC address of the VLAN interface, in the format HH:HH:HH:HH:HH:HH.
 MTU: set the MTU value of the VLAN interface, in the range of 68 to 9216.
 State: select the checkbox to set the VLAN interface status to disabled.

7.2.2 Display VLAN interface

The display VLAN interface module displays the VLAN interfaces that you have created and their parameters.

Select Basic > VLAN Management > VLAN Interface Configuration > Display VLAN
Interface from navigation tree to enter the display VLAN interface page, as shown in the
following figure.

Figure 7-5 Display VLAN interface

On the display VLAN interface page, you can query the interface information of a single VLAN or of all VLANs. The page provides the following function buttons:

 View: enter the VLAN ID to query in the Enter a VLAN ID text box and click the View button; the interface information of that VLAN is displayed in the VLAN interface list.
 View all VLANs: click the View All VLANs button to display the information of all VLAN interfaces in the list.
The parameters of the display VLAN interface page are shown in the following:

 Interface name: display the name and status of the VLAN interface. The status icon shows whether the VLAN interface is "UP" or "Down".


 Interface description: display the description information of the VLAN interface.
 Valid MTU: display the valid MTU value of the VLAN interface.
 Valid IP address: display the valid IP address of the VLAN interface.
 Valid MAC address: display the valid MAC address of the VLAN interface.
 Ports: display the ports that are contained in the VLAN.


8 Route Management
8.1 Routing table

8.1.1 IPv4 routing table

A routing device selects routes through its routing table, delivers the preferred routes to the FIB (Forwarding Information Base) table, and uses the FIB table to guide packet forwarding. Each routing device stores at least one routing table and one FIB table.

The routing table stores the routes discovered by various routing protocols. According to
different sources, they are usually divided into the following three categories:

 Direct route: The route discovered by the link layer protocol, also called interface route.
 Static routing: manually configured by the network administrator. Static routing is easy to
configure, has low system requirements, and is suitable for small networks with simple and
stable topologies. The disadvantage is that whenever the network topology changes, it
needs to be manually reconfigured and cannot be automatically adapted.
 Dynamic routing: the routing discovered by the dynamic routing protocol.
Each forwarding entry in the FIB table specifies the physical interface through which the routing device sends a packet destined for a given subnet or host, so that the packet reaches the next routing device on the path or, when the destination is on a directly connected network, reaches the destination host without passing through another routing device.

8.1.1.1 Basic IPv4 Routing table

Select Basic > Route Management > IPv4 unicast routing > IPv4 Static Route > Basic IPv4
Routing Table from navigation tree to enter the basic IPv4 routing table page, as shown in the
following figure.


Figure 8-1 Basic IPv4 routing table

The routing table can be queried by all routes, by a designated destination network segment, or by a designated destination IP. Select the query condition that fits your needs; the matching routing information is displayed in the routing table.

8.1.1.2 Detailed IPv4 routing table

Select Basic > Route Management > IPv4 unicast routing > IPv4 Static Route > Detailed
IPv4 Routing Table from navigation tree to enter the detailed IPv4 routing table page, as shown
in the following figure.

Figure 8-2 Detailed IPv4 routing table

The detailed IPv4 routing table page shows the destination network segment, next hop, protocol, status, cost and other information of each routing table entry. You can query the routing table by different search conditions: all routes, a designated destination network segment, a designated protocol (static, connect, RIP, OSPF, BGP, Guard, ISIS or IP), or a designated destination IP.

8.1.2 IPv6 routing table

The IPv6 unicast routing table is a database that stores the path to a specific network address, the route metric and information about the surrounding network topology. It is used to find the best route for IPv6 packets that pass through the device. The IPv6 routing table contains three types of routing information: direct routes, static routes and dynamic routes.

8.1.2.1 Basic IPv6 routing table

Select Basic > Route Management > IPv6 unicast Routing > Basic IPv6 Routing Table from
navigation tree to enter the basic IPv6 routing table page, as shown in the following figure.


Figure 8-3 Basic IPv6 routing table

The search conditions include all routes and a designated destination network segment. The parameters of the basic IPv6 routing table are shown in the following:

 Destination network segment: the destination network segment of the route.
 Subnet mask: the subnet mask of the destination network segment.
 Gateway (next hop): the next hop address for the destination network segment.
 Outbound interface: the outbound interface for IPv6 packets going to the destination network segment.

8.1.2.2 Detailed IPv6 routing table

Select Basic > Route Management > IPv6 Unicast Routing > IPv6 Routing Table > Detailed
IPv6 Routing Table from navigation tree to enter the detailed IPv6 routing table page, as shown
in the following figure.

Figure 8-4 Detailed IPv6 routing table

The search conditions include all routes, a specific destination subnet and a specific protocol. The protocol can be static, connect, RIPng, OSPFv3, BGP or ISIS.

The parameters of the detailed IPv6 routing table page are shown in the following:

 Destination network segment: the destination network segment of the route.
 Subnet mask: the subnet mask of the destination network segment.
 Gateway (next hop): the next hop address for the destination network segment.
 Outbound interface: the outbound interface for IPv6 packets going to the destination network segment.
 Status: the status of the IPv6 unicast routing table entry.
 Protocol: the protocol that generated the IPv6 routing table entry.


 Priority: the priority of the IPv6 unicast route entry.
 Cost: the route cost of the IPv6 unicast route entry.
 Type: the type of the IPv6 unicast route: normal, blackhole or reject.

8.2 Static route

8.2.1 IPv4 static route

Static routes are configured manually by the administrator rather than learned by a dynamic routing protocol. Used together with dynamic routing protocols, static routes can enhance routing capability and provide route backup. The advantages of static routes are high reliability and low bandwidth consumption.

Unlike dynamic routes, static routes are fixed and do not change automatically when the network topology changes. After a topology change, the administrator must reconfigure the static routes manually so that they match the new network.

The static route module on the device has three sub-modules: static route, health check and prefix address group. You can configure static routes manually or in batches, and query the static routes already configured on the device. The health check function lets you check the working status of static routes by configuring health check policies. Prefix address groups allow static routes to be configured more flexibly by combining different prefix addresses.

8.2.1.1 Display basic routing table

Select Basic > Route Management > IPv4 Unicast Routing > IPv4 Static Route from
navigation tree to enter the configure static route page, as shown in the following figure.

Figure 8-5 Configure IPv4 static route

Static routes can be queried by all routes, by a designated destination network segment, or by a designated destination IP. The matching static routes are displayed in the manually configured static route list.


Batch configuration of static routes includes append import, export, and deleting all static routes.

The parameters of manual static route configuration are shown in the following:

 Destination network segment: the destination network segment of the static route.
 Subnet mask: the subnet mask of the destination network segment.
 Description: the description information of the static route.
 Gateway (next hop): the outbound interface and the next hop address of the static route.
 Advanced configuration: includes route priority, route type, route weight, health check and BFD check. The route type has the following options:
 normal: the default, which means a reachable route.
 reject: packets matching a route with the reject type are discarded and the source host is notified.
 blackhole: packets matching a route with the blackhole type are discarded and the source host is not notified.

8.2.1.2 Monitoring

Select Basic > Route Management > IPv4 Unicast Routing > Monitoring from navigation tree
to enter the monitoring page, as shown in the following figure.

Figure 8-6 Monitoring

The parameters of health check configuration are shown in the following:

 Name: the name of the health check policy.
 Type: the detection packet type of the health check, ICMP or TCP.
 Monitored IP address: the destination IP address of the health check detection packets.
 TCP port: when the health check type is TCP, configure the port number; when the type is ICMP, no port is needed.
 Monitor interval (seconds): the interval at which health check detection packets are sent.
 Designated source IP: the source IP address of the health check detection packets.


 Designated next hop: the next hop of the health check detection packets, automatic or manual. In manual mode, you need to configure the outbound interface and the next hop IP address.
 Required reachable IP number: a health check can detect at most three addresses, and it is considered reachable only when the required number of addresses is reachable. With one detection address this parameter does not need to be configured; with two addresses it is in the range of 1 to 2; with three addresses it is in the range of 1 to 3.
 Status: the status of the health check policy.

 Static routes, IPv4 policy-based routing and VRRP share the above health check policies.
 Under non-silent hot-standby conditions, if a designated source IP is configured, make sure that both devices have that source IP address.

8.2.1.3 Prefix Address Group

Select Basic > Route Management > IPv4 Unicast Routing > Prefix Address Group from
navigation tree to enter the prefix address group page, as shown in the following figure.

Figure 8-7 Prefix address group

The configuration parameters of the prefix address group are described as follows:

 Group name: the name of the IPv4 prefix address group.
 Network segment: an IPv4 prefix address; multiple prefix addresses can be configured in the same group.
The parameters for configuring static routes by group are as follows:


 Address group: The group name of the IPv4 prefix address group to be associated.
 Description: The description information of the IPv4 static route.
 Gateway (next hop): the outbound interface and next hop address of the static route.
 Advanced configuration: includes route priority, route type, route weight, health check and BFD check. The route type has the following options:
 normal: the default, which means a reachable route.
 reject: packets matching a route with the reject type are discarded and the source host is notified.
 blackhole: packets matching a route with the blackhole type are discarded and the source host is not notified.

8.2.2 IPv6 static route

IPv6 static routes work on the same principle as IPv4 static routes. They are used in IPv6 networks and are configured manually by the network administrator rather than learned dynamically. IPv6 static routes are commonly used together with dynamic routing, which enhances the device's routing capability and provides backup for dynamic routes. They have the advantages of high reliability and low bandwidth consumption.

Unlike IPv6 dynamic routes, IPv6 static routes are fixed and do not change automatically when the network topology is updated. When the topology changes, the network administrator needs to update the IPv6 static routes manually, otherwise network operation will be affected.

Select Basic > Route Management > IPv6 Unicast Routing > IPv6 Static Route from navigation tree to enter the IPv6 static route page, as shown in the following figure.

Figure 8-7 Configure IPv6 static route

The device supports batch configuration of static routes, including import and export.

The parameters of manual IPv6 static route configuration are shown in the following:

 Destination network segment: the destination network segment of the IPv6 static route.
 Subnet mask: set the subnet mask of the destination network segment.
 Gateway (next hop): the outbound interface and the next hop address of the IPv6 static route.
 Advanced configuration: set the priority and the route type of the IPv6 static route.


8.3 Policy-based routing

Policy-based routing (PBR) is a mechanism for making routing decisions based on policies set by the network administrator. When a router receives a packet, it normally decides where to forward it based on the packet's destination address, which it looks up in the routing table. PBR can be used for security and load-sharing purposes.

Policy-based routing is a special type of static route. It can forward packets according to their destination address and, combined with an access list, also according to protocol type, protocol number and packet length. By specifying the next hop or outbound interface, policy-based routing controls where packets are sent. It can also act on the TOS field of the IP packets matched by a policy to control traffic size.

The policy-based routing configuration module provides three kinds of route forwarding policy:

 Policy-based prerouting: applies to forwarded packets and takes precedence over destination-based routing.
 Policy-based postrouting: applies to forwarded packets; destination-based routing is matched first.
 Local route-policy: applies to locally generated packets; destination-based routing is matched first.

8.3.1 IPv4 policy-based routing

8.3.1.1 Policy routing mode

Select Basic > Route Management > IPv4 Policy Based Routing > Policy Routing Mode
from navigation tree to enter the policy routing mode page, as shown in the following figure.


Figure 8-8 Transmit route policy

Configure each matching rule and specify in the action configuration item how matched packets are forwarded. The parameters are described as follows:

 Name: the policy routing name.
 Incoming interface: select the incoming interface of the packet.
 Source network segment: the network segment that contains the source IP address of the packet. You can configure a network segment or select an address group; address groups are the IP address groups configured in the network object module.
 Destination network segment: the network segment that contains the destination IP address of the packet. You can configure a network segment or select an address group; address groups are the IP address groups configured in the network object module.
 TOS: the TOS value of the packet, in the range of 0 to 255.
 Protocol: Any, TCP, UDP or a custom protocol number.
 Time: always valid, relative time or absolute time.
 Action: the forwarding method for packets matching the rule, either normal routing or policy routing. If you choose policy routing, you need to configure the outbound interface, next hop, weight, health check type and name, and BFD check.
 Status: enable or disable the policy routing rule.
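As an added example (not code from the manual or the device), the following Python models the forwarding decisions described in 8.2.1.1 and 8.3: longest-prefix lookup with priority tie-breaking, the normal/reject/blackhole static route types, and prerouting rules that take precedence over destination-based routing versus postrouting rules that are consulted only after it. The priority ordering, the exact postrouting semantics, and all addresses, interface names and rules are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

NORMAL, REJECT, BLACKHOLE = "normal", "reject", "blackhole"   # static route types

@dataclass
class Route:
    prefix: str                      # e.g. "10.1.0.0/16"
    next_hop: Optional[str] = None   # unused for reject/blackhole routes
    out_iface: Optional[str] = None
    protocol: str = "static"         # static, connect, RIP, OSPF, ...
    priority: int = 1                # assumption: lower value wins on equal prefix length
    rtype: str = NORMAL

@dataclass
class Decision:
    action: str                      # "forward" or "drop"
    next_hop: Optional[str] = None
    out_iface: Optional[str] = None
    notify_source: bool = False      # True: the source host gets an ICMP unreachable
    matched_by: str = "no-route"

def lookup(routes, dst: str) -> Optional[Route]:
    """Longest-prefix match; ties are broken by the lowest priority value."""
    addr, best, best_key = ipaddress.ip_address(dst), None, None
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if addr in net and (best_key is None or (net.prefixlen, -r.priority) > best_key):
            best, best_key = r, (net.prefixlen, -r.priority)
    return best

def destination_route(routes, dst: str) -> Decision:
    """Destination-based routing, including the three static route types."""
    r = lookup(routes, dst)
    if r is None:
        return Decision("drop", notify_source=True)            # no route: unreachable
    if r.rtype == REJECT:                                       # discard and notify the sender
        return Decision("drop", notify_source=True, matched_by=f"reject {r.prefix}")
    if r.rtype == BLACKHOLE:                                    # discard silently
        return Decision("drop", notify_source=False, matched_by=f"blackhole {r.prefix}")
    return Decision("forward", r.next_hop, r.out_iface, matched_by=f"{r.protocol} {r.prefix}")

@dataclass
class PbrRule:
    name: str
    in_iface: Optional[str] = None   # None in any match field means "any"
    src: Optional[str] = None        # source network segment
    dst: Optional[str] = None        # destination network segment
    tos: Optional[int] = None        # 0 to 255
    protocol: Optional[int] = None   # IP protocol number (TCP 6, UDP 17)
    action: str = "policy"           # "policy": steer to next_hop; "normal": normal routing
    next_hop: Optional[str] = None
    out_iface: Optional[str] = None
    enabled: bool = True

def rule_matches(rule: PbrRule, pkt: dict) -> bool:
    if not rule.enabled or (rule.in_iface and rule.in_iface != pkt["in_iface"]):
        return False
    for attr in ("src", "dst"):
        net = getattr(rule, attr)
        if net and ipaddress.ip_address(pkt[attr]) not in ipaddress.ip_network(net):
            return False
    if rule.tos is not None and rule.tos != pkt.get("tos", 0):
        return False
    return rule.protocol is None or rule.protocol == pkt["proto"]

def apply_pbr(rules, pkt: dict) -> Optional[Decision]:
    """First matching rule wins; a 'normal' action hands the packet to destination routing."""
    for rule in rules:
        if rule_matches(rule, pkt):
            if rule.action == "normal":
                return None
            return Decision("forward", rule.next_hop, rule.out_iface, matched_by=f"pbr {rule.name}")
    return None

def forward(pkt: dict, routes, prerouting=(), postrouting=()) -> Decision:
    """Prerouting PBR takes precedence over destination routing; postrouting PBR is consulted
    only when the routing table has no entry for the destination (assumed reading of the page)."""
    steered = apply_pbr(prerouting, pkt)
    if steered:
        return steered
    decision = destination_route(routes, pkt["dst"])
    if decision.matched_by == "no-route":
        return apply_pbr(postrouting, pkt) or decision
    return decision

ROUTES = [   # constructed sample data using documentation address ranges
    Route("10.1.0.0/16", "192.0.2.1", "ge0/1"),
    Route("10.1.5.0/24", "192.0.2.9", "ge0/2", protocol="OSPF", priority=110),
    Route("10.1.5.0/24", "192.0.2.5", "ge0/3"),               # static wins on priority
    Route("10.9.0.0/16", rtype=REJECT),
    Route("10.8.0.0/16", rtype=BLACKHOLE),
]
PREROUTING = [PbrRule("guest-to-isp2", in_iface="ge0/5", src="172.16.0.0/16",
                      next_hop="203.0.113.1", out_iface="ge0/4")]
POSTROUTING = [PbrRule("no-route-to-isp1", next_hop="198.51.100.1", out_iface="ge0/0")]
```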

8.3.1.2 Local policy routing

Select Basic > Route Management > IPv4 Policy Based Routing > Local Policy Routing
from navigation tree to enter the local policy routing page, as shown in the following figure.


Figure 8-9 PBR for sending packets locally

8.3.1.3 Monitoring

Select Basic > Route Management > IPv4 Policy Based Routing > Monitoring from
navigation tree to enter the monitoring page, as shown in the following figure.

Figure 8-10 Monitoring

The parameters of health check configuration are shown in the following:

 Name: set the name of the health check policy.
 Type: set the type of the health check, ICMP or TCP.
 Monitored IP address: set the destination IP address of the health check detection packets.
 TCP port: set the TCP port number. This can be configured only when the health check type is TCP.
 Monitor interval: set the interval at which health check detection packets are sent.
 Designated source IP: set the source IP address of the health check detection packets.
 Designated next hop: set the outbound interface for health check detection packets, automatic or manual. In manual mode, you need to configure the outbound interface and the next-hop IP address.
 Required reachable IP number: at most three destination addresses can be detected simultaneously by one health check entry, and the health check is reachable only when the required number of addresses is reachable. With one detection address, this parameter does not need to be configured; with two addresses, it can be set in the range of 1 to 2; with three addresses, in the range of 1 to 3.
 Status: display the current status of the health check policy.
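As an added example serving both this section and 8.2.1.2 (not code from the manual or the device), the following Python validates a health check policy against the constraints listed above (1 to 3 monitored addresses, a TCP port only for TCP, the required reachable number range) and evaluates one monitoring round. The policy names, addresses, the 5 second interval and the fake probe are constructed; tcp_probe is a real TCP connect that is not exercised offline.

```python
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class HealthCheck:
    name: str
    check_type: str                           # "ICMP" or "TCP"
    monitored_ips: List[str]                  # one to three detection addresses
    tcp_port: Optional[int] = None            # only meaningful for TCP
    interval_s: int = 5                       # monitor interval; constructed, the page gives no default
    source_ip: Optional[str] = None           # designated source IP
    next_hop: str = "automatic"               # or "manual"
    out_iface: Optional[str] = None           # required in manual mode
    next_hop_ip: Optional[str] = None         # required in manual mode
    required_reachable: Optional[int] = None  # not configured with one address


def validate(hc: HealthCheck) -> List[str]:
    """Return the configuration errors implied by the page's constraints (empty = valid)."""
    errors, n = [], len(hc.monitored_ips)
    if not 1 <= n <= 3:
        errors.append("a health check detects 1 to 3 addresses")
    if hc.check_type == "TCP" and hc.tcp_port is None:
        errors.append("TCP health check needs a TCP port")
    if hc.check_type == "ICMP" and hc.tcp_port is not None:
        errors.append("ICMP health check does not use a TCP port")
    if n == 1 and hc.required_reachable not in (None, 1):
        errors.append("required reachable number is not configured for one address")
    if n > 1 and not (hc.required_reachable and 1 <= hc.required_reachable <= n):
        errors.append(f"required reachable number must be 1 to {n}")
    if hc.next_hop == "manual" and not (hc.out_iface and hc.next_hop_ip):
        errors.append("manual next hop needs an outbound interface and next-hop IP")
    return errors


Probe = Callable[[HealthCheck, str], bool]


def evaluate(hc: HealthCheck, probe: Probe) -> Tuple[str, int]:
    """One monitoring round: probe every address and compare the number that answered
    with the required reachable number. Returns (status, reachable_count)."""
    reachable = sum(1 for ip in hc.monitored_ips if probe(hc, ip))
    needed = hc.required_reachable or 1
    return ("up" if reachable >= needed else "down"), reachable


def tcp_probe(hc: HealthCheck, ip: str, timeout: float = 2.0) -> bool:
    """Real TCP detection packet: a connect to the monitored port, bound to the designated
    source IP when one is set. (An ICMP probe needs raw sockets and is omitted here.)"""
    source = (hc.source_ip, 0) if hc.source_ip else None
    try:
        with socket.create_connection((ip, hc.tcp_port), timeout=timeout, source_address=source):
            return True
    except OSError:
        return False


def fake_probe(answering: set) -> Probe:
    """Constructed stand-in for the network so the example runs offline."""
    return lambda hc, ip: ip in answering


def route_is_usable(hc: HealthCheck, probe: Probe) -> bool:
    """Static routes, IPv4 PBR and VRRP share the policy: a route bound to a health
    check is only usable while that check is up."""
    return evaluate(hc, probe)[0] == "up"
```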


8.3.2 IPv6 policy based routing

Select Basic > Route Management > IPv6 Policy Based Routing from navigation tree to enter
the IPv6 policy based routing page, as shown in the following figure.

Figure 8-11 IPv6 Policy Based Routing

The parameter description applies to any forwarding policy. The configuration parameters of IPv6 policy routing are described as follows:

 Source network segment: the network segment that contains the source IP address of the packet.
 Destination network segment: the network segment that contains the destination IP address of the packet.
 Incoming interface: select the incoming interface of the packet.
 Protocol: Any, TCP, UDP or a custom protocol number.
 Next hop information: the outgoing interface, next hop and weight.


8.4 RIP

8.4.1 RIP

RIP (Routing Information Protocol) is a distance vector protocol. It exchanges routing information in UDP packets on port 520. RIP uses the hop count as the routing metric to measure the distance to the destination address. To limit network convergence time, the maximum number of hops supported by RIP is 15, and a hop count greater than or equal to 16 is defined as infinite (that is, the network is unreachable). RIP is therefore suitable for small-scale or simply structured networks.

RIP-enabled devices use the route update timer to control when route updates are sent; by default they broadcast their routes every 30 seconds. If no route update message is received from a network neighbor within the time specified by the route aging timer (default 180 seconds), the RIP device marks the routes learned from that neighbor as unreachable. If no routing update arrives from the neighbor within the further time specified by the garbage collection timer (default 120 seconds), the RIP device deletes these routes from the routing table.

To improve routing capability and prevent routing loops, RIP uses the split horizon and poison reverse mechanisms. Split horizon means that routing information learned on an interface is not sent back to neighboring devices from that interface. Poison reverse means that after learning a route on an interface, the device sets the route's metric (hop count) to 16 and sends it back to the neighboring device from the original interface.

RIP currently has two versions, RIPv1 and RIPv2. RIPv1 is a classful routing protocol: its protocol messages cannot carry mask information, and it does not support discontiguous subnet designs. RIPv2 is a classless routing protocol: its protocol messages carry mask information, and it supports CIDR (Classless Inter-Domain Routing) and route aggregation.
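As an added example (not code from the manual or the device), the following Python simulates the RIP behaviour described above: the hop-count metric with 16 as infinity, split horizon and poison reverse when building an update for an interface, and the 180 second aging and 120 second garbage collection timers. Interface names, neighbor addresses and prefixes are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INFINITY = 16          # a hop count of 16 or more means unreachable
UPDATE_TIMER = 30      # seconds between route broadcasts (page default)
AGING_TIMER = 180      # no refresh for this long: mark the route unreachable
GARBAGE_TIMER = 120    # unreachable for this long: delete the route


@dataclass
class RipRoute:
    prefix: str
    metric: int
    next_hop: str
    learned_on: str                       # interface the update arrived on
    last_update: float
    garbage_since: Optional[float] = None


class RipTable:
    def __init__(self):
        self.routes: Dict[str, RipRoute] = {}

    def receive_update(self, iface: str, neighbor: str, entries: List[Tuple[str, int]], now: float):
        """Apply one update message from 'neighbor' received on 'iface'."""
        for prefix, adv_metric in entries:
            metric = min(adv_metric + 1, INFINITY)     # one more hop through this router
            cur = self.routes.get(prefix)
            if cur is None:
                if metric < INFINITY:
                    self.routes[prefix] = RipRoute(prefix, metric, neighbor, iface, now)
            elif cur.next_hop == neighbor:
                # the current next hop always updates its own route: refresh or poison
                cur.metric, cur.last_update = metric, now
                cur.garbage_since = now if metric >= INFINITY else None
            elif metric < cur.metric:
                self.routes[prefix] = RipRoute(prefix, metric, neighbor, iface, now)

    def advertise(self, iface: str, split_horizon: bool = True, poison_reverse: bool = True):
        """Entries of an update sent out 'iface'. A route learned on that interface is
        either suppressed (split horizon) or sent back with metric 16 (poison reverse)."""
        out = []
        for r in self.routes.values():
            if r.learned_on == iface and r.metric < INFINITY:
                if poison_reverse:
                    out.append((r.prefix, INFINITY))
                elif not split_horizon:
                    out.append((r.prefix, r.metric))
            else:
                out.append((r.prefix, r.metric))
        return out

    def expire(self, now: float):
        """Run the aging and garbage collection timers at time 'now'."""
        for prefix, r in list(self.routes.items()):
            if r.garbage_since is None and now - r.last_update >= AGING_TIMER:
                r.metric, r.garbage_since = INFINITY, now   # unreachable, still advertised
            if r.garbage_since is not None and now - r.garbage_since >= GARBAGE_TIMER:
                del self.routes[prefix]
```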

8.4.1.1 Configure RIP protocol

Select Basic >Route Management >RIP> RIP Protocol to enter the RIP protocol page, as
shown in the following figure.


Figure 8-12 RIP

The system configuration includes starting RIP and advanced configuration. The parameters are described as follows:

 Start RIP: turn on the global RIP protocol switch.
 Routing priority: the RIP routing priority; the default is 120.
 Route update timer: the interval for sending route update messages; the default is 30 seconds, that is, route update messages are sent every 30 seconds.
 Route aging timer: the route aging time; the default is 180 seconds, that is, if no route update message is received from a peer router within 180 seconds, the routing information from that router is marked as unreachable.
 Garbage collection timer: the time after which aged routes are deleted; the default is 120 seconds, that is, after a route is marked as unreachable, if no update message is received for 120 seconds, the route is deleted from the routing table.
 Unicast neighbor: to exchange route update messages with routers that are not directly connected, configure the IP addresses of the non-directly connected neighbors. You can configure multiple such neighbor IP addresses, and the device sends RIP packets to each configured neighbor address.
 Imported routes: other routes imported into RIP.
After starting the global RIP protocol, you can configure the interface parameters, as follows:
 Interface name: lists the names of all routing interfaces of the device; it cannot be modified.
 Startup state: the startup state of RIP on the interface, enabled or disabled.


 Authentication information: whether the interface carries authentication information when sending RIP messages: none, text authentication (plain text) or MD5 authentication.
 Advanced configuration:
 RIP protocol interface version: the version of RIP protocol packets the router receives; the default is RIPv1 and RIPv2.
 RIP protocol sending version: the version of RIP protocol packets the router sends; the default is RIPv2.
 Working mode: the interface working mode, active or dormant. In active mode the interface both receives and sends RIP packets; in dormant mode it only receives RIP packets and does not send them.
 Horizontal split: enable or disable the split horizon function; the default is enabled.

8.4.1.2 RIP state

Select Basic >Route Management >RIP> RIP state to enter the RIP Status page, as shown in
the following figure.

Figure 8-13 RIP state

The parameters displayed on the RIP state page are described as follows:

 RIP status: 1 means on, 0 means off.
 Priority: the RIP protocol priority, 120.
 Default hop count: the metric added to a route that passes through a router; by default 1 hop is added.
 Update timer (seconds): the update timer, 30 seconds.


 Aging timer (seconds): the aging timer, 180 seconds.
 Garbage timer (seconds): the garbage timer, 120 seconds.
 Interface information:
 Enable interface: the interfaces on which the RIP protocol is enabled.
 Sending version number: the sending version number, RIPv2.
 Receiving version number: the receiving version number, RIPv1 and RIPv2.
 Neighbor statistics:
 Neighbor IP: the neighbor interface IP address.
 Error messages: the number of error messages.
 Wrong routes: the number of wrong routes.
 Priority: the neighbor's RIP routing priority.
 Last updated: the time the neighbor's routes were last updated, used to determine the aging time of the routes.

8.4.2 RIPng

RIPng (RIP next generation, next generation RIP) is a distance vector protocol developed from
RIPv2 and applied to IPv6 networks. It uses the hop count as the routing metric to measure the
distance to the destination address. To limit the network convergence time, the maximum
number of hops supported by RIPng is 15, and the number of hops greater than or equal to 16 is
defined as infinite (that is, the network is unreachable).

RIPng uses UDP packets to exchange routing information. The default port number is 521. To
improve routing capability and prevent routing loops, RIPng supports split horizon and poison
reverse.

RIPng devices use the route update timer to control the route update time. By default, a device broadcasts its routes every 30 seconds. If no route update message is received from a network neighbor within the time specified by the route aging timer (default 180 seconds), the RIPng device marks the routes learned from that neighbor as unreachable. If no routing update arrives from the neighbor within the further time specified by the garbage collection timer (default 120 seconds), the RIPng device deletes these routes from the routing table.

RIPng has the characteristics of easy implementation, easy configuration, and easy
maintenance, and is mainly suitable for small-scale or simple-structured networks.

8.4.2.1 Configure RIPng protocol

Select Basic >Route Management >RIP> RIPng protocol to enter the RIPng protocol page, as
shown in the following figure.


Figure 8-14 RIPng protocol

The system configuration parameters are described as follows:

 Start RIPng: enable the RIPng protocol.
 Routing update timer: the timeout period of the RIPng route update timer.
 Route aging timer: the timeout period of the RIPng route aging timer.
 Garbage collection timer: the timeout period of the RIPng garbage collection timer.
 Imported routes: routes imported into RIPng, including default routes, direct routes, BGP routes, static routes and OSPFv3 routes.
The interface configuration parameters are described as follows:
 Interface name: the name of the interface.
 Startup state: enable or disable the RIPng protocol on the interface.
 Advanced configuration: set the working mode and the split horizon setting of the interface. Working modes are active and dormant; in dormant mode the interface only receives RIPng packets and does not send them.

8.4.2.2 Display RIPng status

Select Basic > Route Management > RIPng Protocol > RIPNG Status to enter the RIPNG
status page, as shown in the following figure.

Figure 8-15 RIPng state

The display parameters of RIPng are described as follows:

 RIP status: display RIPng status. 1 means on, 0 means off.
 Priority: the default priority of RIPng routes.
 Default hop count: the additional route metric added to RIPng routes sent by the interface.
 Update timer (seconds): the timeout period of the RIPng routing update timer.
 Aging timer (seconds): the timeout period of the RIPng route aging timer.
 Garbage timer (seconds): the timeout period of the RIPng garbage collection timer.
 Interface information:
   Enable interface: the interfaces on which RIPng protocol is enabled.
   Send version number: the RIP version sent by the interface with RIPng enabled.
   Receiving version number: the RIP version received by the interface with RIPng enabled.
 Neighbor statistics:
   Neighbor IP: the IP address of the neighbor device.
   Error message: the number of erroneous messages received from the neighbor device.
   Wrong routing: the number of invalid routes received from the neighbor device.
   Priority: the priority of the routes in the received routing information entries.
   Last updated: the time at which the neighbor statistics were last updated.

8.5 OSPF

8.5.1 OSPF protocol

OSPF (Open Shortest Path First) is a link-state interior gateway protocol. OSPF dynamically
obtains information from other routers and advertises routes to other routers using link state
advertisements.

An OSPF network is a structured network: it is subdivided into routing areas identified by an
area ID. OSPF gathers link state advertisement (LSA) information from the available routers and
constructs a topology map of the network; the ABR then distributes routing information between
routing areas. When a link changes, the routers on that link recalculate the routes within their
area, while routers in other routing areas only modify the related entries in their own routing
tables. OSPF thereby reduces routing updates and confines the area of uncertainty.

The OSPF protocol defines that an OSPF router establishes neighbor relationships and
exchanges routing information only with the DR (Designated Router), which reduces the
bandwidth occupied when routers exchange routing information.

8.5.2 Configure OSPF protocol

Select Basic > Route Management > OSPF > OSPFv2 Protocol > Configure OSPFv2 from
navigation tree to enter the configure OSPFv2 protocol page, as shown in the following figure.

Figure 8-16 Configure OSPFv2

The OSPF multi-process configuration list allows you to set process ID, VRF name, and
description.

8.5.2.2 Configure OSPFv2

Select Basic > Route Management > IPv4 Unicast Routing > OSPF > OSPF multi-process
from navigation tree to enter the configure OSPF page, as shown in the following figure.

Figure 8-17 Configure OSPFv2

The parameters of system configuration are shown in the following:

 Enable OSPF: enable OSPF protocol.
 Restart OSPF: restart OSPF protocol. It takes effect only when the OSPF protocol is
enabled.
 Route priority: OSPF route priority.
 Router device ID: the router ID.
 NBMA neighbor: manually designated neighbor IP address in an NBMA network.
 Redistribute route: options include default route, direct route, static route, RIP route,
GUARD route and BGP route. You need to configure the LSA type and the route cost value.
The default route option is "always": once selected, the default route is advertised whether
or not the routing table contains a default route.
 Graceful restart: a mechanism that keeps forwarding services uninterrupted while the
protocol restarts. The GR capabilities that can be configured on the device are GR Helper
and GR Restarter.
   GR Helper: the device on which the protocol restart event occurs and which has GR
capability.
   GR Restarter: the neighbor of the GR Restarter, which assists it in completing the GR
procedure.
   GR Timeout: when the active and standby devices switch over, the routes and neighbor
relationships of the device are kept for this period. Default is 60 seconds.

The parameters of area configuration are shown in the following:

 Area ID: the area ID of OSPF protocol.
 Enabling interface: add the interface to the OSPF area.
 Authentication type: the authentication type of OSPF protocol packets transmitted in the
routing area, including non-authentication, Text authentication (plaintext) and MD5
authentication.
 Advanced configuration: OSPF area type and related information. Area types include
Default, Stub and NSSA.

The parameters of interface configuration are shown in the following:

 Interface name: lists the names of all routing interfaces on the device. You cannot modify
them.
 Hello interval: the time interval between sending Hello packets.
 Dead interval: the failure time. If the device receives no Hello packet from a neighbor within
this time, it regards the neighbor as failed.
 Authentication type: the authentication type of OSPF protocol packets transmitted on the
interface link, including non-authentication, Text authentication (plaintext) and MD5
authentication.
 Authentication information: the authentication information for the interface that sends or
receives the packets. Text authentication needs an authentication password; MD5
authentication needs an authentication KEY ID and password. You can configure multiple
entries of authentication information.
 Advanced configuration: including interface cost value, DR election priority, weight, working
mode, and interface type.
   Cost: options include automatic and manual. Default is manual. If you select the manual
option, enter the cost value in the text box.
   DR election priority: the DR election priority of OSPF protocol.
   Weight: the weight value for link load balancing.
   Working mode: options include active and hibernate. In active mode the interface sends
and receives packets; in hibernate mode the interface only receives packets and does not
send them. This option can be configured only after OSPF is enabled.
   Interface type: broadcast, point-to-point, non-broadcast or point-to-multipoint. Default is
broadcast.

The "Authentication information" item can be applied in both "interface configuration" and
"area configuration". The authentication type configured for the interface in "interface
configuration" is used first; if no authentication type is configured for the interface, the
authentication type of the area the interface belongs to applies. If no authentication
information is configured, the password for the interface authentication type is empty.
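To show what the MD5 authentication type with a KEY ID actually protects, here is an added example that is not DPtech firmware code: it builds a minimal OSPFv2 header with the cryptographic authentication type, appends the keyed MD5 digest as RFC 2328 Appendix D describes, and verifies it on the receiving side by looking the password up by the Key ID carried in the packet. Router IDs, key IDs and passwords are constructed sample values; zero-padding of passwords shorter than 16 bytes is assumed to match common implementations.

```python
"""OSPFv2 cryptographic (MD5) authentication, RFC 2328 Appendix D.

Added example, not DPtech firmware code. Builds a 24-byte OSPFv2 header with
AuType 2, appends the digest MD5(packet || key), and verifies it on receipt.
The Key ID in the packet selects the password, so a new key can be added on
both sides before the old one is removed. Sample values are constructed.
"""
import hashlib
import hmac
import struct
from typing import Dict, Tuple

OSPF_HDR = "!BBHIIHH"    # version, type, length, router ID, area ID, checksum, AuType
AUTYPE_NULL, AUTYPE_SIMPLE, AUTYPE_CRYPTO = 0, 1, 2
DIGEST_LEN = 16          # "Auth Data Len" for MD5


def pad_key(password: bytes) -> bytes:
    """The RFC works with a 16-byte key; shorter passwords are zero-padded
    (assumed here, matching common implementations)."""
    if len(password) > DIGEST_LEN:
        raise ValueError("OSPF MD5 key is limited to 16 bytes")
    return password.ljust(DIGEST_LEN, b"\x00")


def build_packet(router_id: int, area_id: int, key_id: int, seq: int,
                 body: bytes = b"", ptype: int = 1) -> bytes:
    """24-byte header (16 fixed + 8 authentication) followed by the body."""
    length = 24 + len(body)                      # Length never covers the digest
    header = struct.pack(OSPF_HDR, 2, ptype, length, router_id, area_id, 0, AUTYPE_CRYPTO)
    # AuType 2 authentication field: reserved(2) | Key ID(1) | Auth Data Len(1) | Crypto Seq(4)
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    return header + auth + body


def sign(packet: bytes, password: bytes) -> bytes:
    """Digest = MD5(packet || key), appended after the packet (RFC 2328 D.4.3)."""
    return packet + hashlib.md5(packet + pad_key(password)).digest()


def verify(wire: bytes, keychain: Dict[int, bytes],
           last_seq: Dict[int, int]) -> Tuple[bool, str]:
    """Receiver side: check the AuType, pick the key by Key ID, compare the digest
    in constant time, and reject cryptographic sequence numbers that go backwards
    (the RFC accepts equal sequence numbers, so only a decrease is a replay)."""
    if len(wire) < 24:
        return False, "truncated header"
    version, ptype, length, rid, aid, cksum, autype = struct.unpack(OSPF_HDR, wire[:16])
    if autype != AUTYPE_CRYPTO:
        return False, "AuType is not cryptographic"
    _, key_id, auth_len, seq = struct.unpack("!HBBI", wire[16:24])
    if auth_len != DIGEST_LEN or len(wire) < length + DIGEST_LEN:
        return False, "bad auth length"
    key = keychain.get(key_id)
    if key is None:
        return False, f"unknown key id {key_id}"
    packet, digest = wire[:length], wire[length:length + DIGEST_LEN]
    expected = hashlib.md5(packet + pad_key(key)).digest()
    if not hmac.compare_digest(expected, digest):
        return False, "digest mismatch"
    if seq < last_seq.get(rid, 0):
        return False, "replayed sequence number"
    last_seq[rid] = seq
    return True, "ok"


def demo() -> Tuple[bool, bool, bool, bool]:
    """Accept a valid packet, then reject wrong key, unknown Key ID and replay."""
    keychain = {1: b"old-key", 2: b"new-key"}          # both accepted during rollover
    seen: Dict[int, int] = {}
    pkt = sign(build_packet(0x0A000001, 0, key_id=2, seq=100), b"new-key")
    good, _ = verify(pkt, keychain, seen)
    forged = sign(build_packet(0x0A000001, 0, key_id=2, seq=101), b"guess")
    bad_key, _ = verify(forged, keychain, seen)
    unknown = sign(build_packet(0x0A000001, 0, key_id=9, seq=102), b"new-key")
    bad_id, _ = verify(unknown, keychain, seen)
    stale = sign(build_packet(0x0A000001, 0, key_id=2, seq=99), b"new-key")
    replay, _ = verify(stale, keychain, seen)
    return good, bad_key, bad_id, replay
```

Text authentication sends the password in the clear in the same 8-byte field, which is why the manual lists it separately from MD5; with MD5 the password never appears on the wire, only the digest does.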

8.5.2.3 OSPFv2 interface

Select Basic > Route Management > OSPF > OSPFv2 Interface Information from navigation
tree to enter the OSPF interface page, as shown in the following figure.

Figure 8-18 OSPFv2 interface information

The query function allows you to query OSPF interface information by interface name and
area. The parameters of the interface list are shown in the following:

 Interface name: the interface on which OSPF protocol is enabled.
 Area: the area to which the interface belongs.
 State: interface state, including DR, BDR and DRother.
 COST: the cost value of the interface.
 DR: display the IP address of the DR.
 BDR: display the IP address of the BDR.
 Neighbor count: the number of neighbors in the network to which the interface belongs.

8.5.2.4 OSPFv2 neighbor information

Select Basic > Route Management > OSPF > OSPF neighbor from navigation tree to enter
the OSPFv2 neighbor information page, as shown in the following figure.

Figure 8-19 OSPFv2 neighbor information

The query function allows you to query OSPFv2 neighbor information by neighbor ID, neighbor
IP and interface name. The parameters of OSPFv2 neighbor are shown in the following:

 Neighbor ID: the neighbor device ID.
 Neighbor IP: the IP address of the neighbor device's interface.
 Priority: the interface priority of the neighbor device.
 Neighbor state: the state of the relationship between the device and its neighbor.
 Area: the OSPF area to which the neighbor device's interface belongs.
 Interface name: the device's interface that is connected to its neighbor.
 DR: display the DR IP address.
 BDR: display the BDR IP address.
 Dead Time: the dead time of the neighbor relationship.
 Setup time: the setup time of the neighbor relationship.

8.5.3 OSPFv3 protocol

OSPFv3 (Open Shortest Path First Version 3) is an interior gateway protocol developed from
OSPFv2 and applied to IPv6 networks. Compared with OSPFv2, OSPFv3 has the following
features:

 OSPFv3 runs per link and is independent of specific IPv6 addresses and prefixes. Even if
the IPv6 addresses of different nodes on the same link are not in the same network segment,
the protocol still operates normally.
 OSPFv3 identifies adjacent OSPF neighbors by Router ID only.
 OSPFv3 removes the authentication field from the protocol message and relies on the
standard IPv6 authentication mechanism to secure the transmitted information, which
simplifies protocol processing to some extent.
 OSPFv3 defines the flooding scope of each LSA explicitly by adding a dedicated field to
LS_Type. When flooding LSAs, OSPFv3 therefore does not need to infer the flooding scope
from the LSA type, but processes the LSA directly according to that field.
 OSPFv3 supports multiple instances and adds an "Instance ID" field to the protocol
message so that one link can be shared by several instances.

8.5.3.1 Configure OSPFv3

Select Basic > Route Management > OSPF > OSPF v3 Protocol > Configure OSPFv3 from
navigation tree to enter the configure OSPFv3 page, as shown in the following figure.

Figure 8-20 Configure OSPFv3

The system configuration parameters are described as follows:

 Start OSPFv3: enable OSPFv3 protocol.
 Advanced configuration:
   Routing device ID: set the routing device ID, either automatically or manually.
   Imported routes: the routes imported by OSPFv3, including IPv6 default routes, direct
routes, static routes, RIPng routes, ISIS routes, and BGP routes.
   Routing priority: OSPFv3 routing priority.

The area configuration parameters are described as follows:

 Area ID: the area ID of OSPFv3 protocol.
 Enable interface: set the interfaces included in the area.

The interface configuration parameters are described as follows:

 Interface name: display the name of the interface.
 Hello interval: the interval for sending OSPFv3 Hello messages.
 Dead interval: the timeout period of OSPFv3 neighbors.
 Instance ID: the instance ID specified for the interface.
 Advanced configuration: set the cost, DR election priority, working mode, and MTU value of
the interface.

8.5.3.2 OSPFv3 interface information

Select Basic > Route Management > OSPF > OSPF v3 Protocol > OSPFv3 Interface
Information from navigation tree to enter the OSPFv3 interface information page, as shown in
the following figure.

Figure 8-21 OSPFv3 interface information

The query function can query OSPFv3 interface information based on the interface name and
area. The parameters of the interface list are described as follows:

 Interface name: The name of the interface that enables OSPFv3 protocol.
 Location: The area where the interface is located.
 Interface status: the status of the interface, including DR, BDR, DROther, and down.
 COST: The cost value of the interface.
 DR: Display the IP address of DR.
 BDR: Display the IP address of BDR.
 Number of neighbors: the number of neighbors in the network segment where the interface
is located.

8.5.3.3 OSPFv3 neighbor information

Select Basic > Route Management > OSPF > OSPF v3 Protocol > OSPFv3 Neighbor
Information from navigation tree to enter the OSPFv3 neighbor information page, as shown in
the following figure.

Figure 8-22 OSPFv3 neighbor information

The query function can query OSPFv3 neighbor information based on neighbor ID, neighbor IP,
area and interface name. The parameters of the neighbor list are described as follows:

 Neighbor ID: the ID of the neighbor device.
 Neighbor IP: the IP address of the neighbor device interface that establishes the neighbor
relationship.
 Priority: the priority of the neighbor device interface.
 Neighbor state: the state of the neighbor state machine during establishment of the
adjacency.
 Area: the OSPFv3 area where the neighbor interface is located.
 Interface name: the name of the interface connecting the device to the neighbor.
 DR: display the IP address of the DR.
 BDR: display the IP address of the BDR.
 Dead Time: the remaining dead time of the neighbor relationship.
 Establishment time: the time when the neighbor relationship was established.

8.6 ISIS

IS-IS (Intermediate System-to-Intermediate System) is an interior gateway protocol used within
an autonomous system. It establishes and maintains neighbor relationships by sending Hello
messages, and sends Link State Protocol Data Units (LSPs) to neighbors to advertise its link
state.

IS-IS uses a two-level hierarchy to divide the routing domain into one or more areas. Level 1
routers manage the routes within an area, Level 2 routers manage the routes between areas,
and Level 1-2 routers handle communication both inside and outside the area. All routers at the
same level build the same LSDB (Link State Database) by collecting their own LSPs and those of
other routers, and run the SPF (Shortest Path First) algorithm over it to calculate routes, which
gives fast route convergence.

IS-IS is scalable, robust, and easy to use, and is an interior gateway protocol commonly used
by telecom operators.

8.6.1 Configure ISIS

Select Basic > Route Management > ISIS > ISIS configuration from navigation tree to enter
the ISIS configuration page, as shown in the following figure.

Figure 8-23 Configure ISIS

The parameters in the system configuration are described as follows:

 Start IS-IS: enable IS-IS protocol.
 Restart IS-IS: restart the IS-IS protocol. It is valid only when IS-IS is started.
 Level: the IS-IS level to which the device belongs.
 NET: the NET (Network Entity Title) of the device. For example, in 12.abcd.3456.0000.0001.00,
12.abcd represents the Area, 3456.0000.0001 represents the System ID, and 00 represents
the SEL.
 Import route: configuration items include default route, direct route, static route, RIP route,
OSPF route and BGP route. The IS-IS level into which the routes are imported needs to be
configured.

The parameters in the interface configuration are described as follows:

 Interface name: lists the names of all routing interfaces of the device, which cannot be
modified.
 Startup state: the startup state of the interface. The protocols enabled depend on the
selected address family: none, IPv4, IPv6, or IPv4&IPv6.
 Network type: the network type to which the interface belongs, including Broadcast and
P2P.
 Authentication information: the authentication type and configuration information used
during IS-IS message exchange.
 Election priority: the election priority of the interface.
 Hello interval: the interval between sending Hello messages.
 Hello_multiplier: defines the hold timeout as a multiple of the Hello interval. The default
value is 3.
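The NET layout given for the NET parameter above, as an added example that is not DPtech firmware code: a parser that splits a dotted-hex NET into Area, System ID and SEL exactly as the manual's sample value is described, validates it, and uses the area to answer the Level 1 adjacency question. The manual's own sample NET is used as input; any other NET values are constructed.

```python
"""Parsing an IS-IS NET (Network Entity Title). Added example, not DPtech code.

A NET is written as dotted hex. The last byte is the SEL (always 00 for a
NET), the 6 bytes before it are the System ID, and everything before that is
the Area address (whose first byte is the AFI). Input NETs other than the
manual's example 12.abcd.3456.0000.0001.00 are constructed.
"""
from typing import Dict


def parse_net(net: str) -> Dict[str, str]:
    """Split a NET into its Area, System ID and SEL, with basic validation."""
    raw = bytes.fromhex(net.replace(".", ""))
    if not 8 <= len(raw) <= 20:                     # 1..13 byte area + 6 + 1
        raise ValueError("NET must be 8 to 20 bytes long")
    area, system_id, sel = raw[:-7], raw[-7:-1], raw[-1:]
    if sel != b"\x00":
        raise ValueError("SEL of a NET must be 00")
    return {"area": format_area(area),
            "system_id": format_system_id(system_id),
            "sel": sel.hex()}


def format_area(area: bytes) -> str:
    """AFI byte first, then the rest in 2-byte groups, e.g. 12.abcd or 49.0001."""
    groups = [area[:1].hex()] + [area[i:i + 2].hex() for i in range(1, len(area), 2)]
    return ".".join(groups)


def format_system_id(sysid: bytes) -> str:
    """Six bytes as three 2-byte groups, e.g. 3456.0000.0001."""
    return ".".join(sysid[i:i + 2].hex() for i in range(0, 6, 2))


def same_area(net_a: str, net_b: str) -> bool:
    """Level 1 adjacencies only form between routers whose NETs share an area."""
    return parse_net(net_a)["area"] == parse_net(net_b)["area"]


if __name__ == "__main__":
    print(parse_net("12.abcd.3456.0000.0001.00"))
```

A NET whose SEL is not 00 or whose length is out of range is rejected rather than silently accepted, which is the check to run before pasting a NET into the configuration page.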

8.6.2 ISIS neighbor

Select Basic > Route Management > ISIS > Display ISIS status > ISIS neighbor from
navigation tree to enter the ISIS neighbor page, as shown in the following figure.

Figure 8-24 ISIS neighbor

The parameters of the neighbor list are described as follows:

 System ID: the system ID of the IS-IS neighbor.
 Type: IS-IS neighbor level.
 Outgoing interface: the interface connecting the device to IS-IS neighbors.
 IPv4 address: the IPv4 address of the IS-IS neighbor.
 IPv6 address: the IPv6 address of the IS-IS neighbor.
 Status: IS-IS neighbor status, including up, init, and down.
 Hold Time: the timeout time of the Hello message.
 Circuit ID: the ID of the local link.

8.6.3 ISIS LSP

Select Basic > Route Management > ISIS > Display ISIS status > ISIS LSP from navigation
tree to enter the ISIS LSP information page, as shown in the following figure.

Figure 8-25 ISIS LSP

The parameters of the LSP information list are described as follows:

 LSP ID: the ID of the LSP.
 Level: the level to which the LSP belongs.
 Sequence Number: the sequence number of the LSP.
 Remaining survival time: the remaining lifetime of the LSP.

8.7 BGP

BGP (Border Gateway Protocol) is an exterior gateway protocol that exchanges routing and
network reachability information between ASs (Autonomous Systems). An AS is a group of
routers that share the same routing policy and run under a single technical administration.

BGP is an exterior gateway protocol (Exterior Gateway Protocol, EGP), which differs from
OSPF, RIP and other interior gateway protocols (Interior Gateway Protocol, IGP): rather than
discovering and calculating routes, it controls the propagation of routes and chooses the best
route.

The BGP protocol has the following advantages:

 Highly reliable data transmission. BGP uses TCP as its transport layer protocol (port
number 179), which improves the reliability of the protocol.
 Strong scalability. BGP supports classless inter-domain routing and route aggregation,
which slow the growth of entries in the BGP table.
 Saving of bandwidth resources. Triggered and incremental updates save bandwidth: when
routes change, BGP sends only the updated routes, which greatly reduces the bandwidth
BGP uses to propagate routes and makes it suitable for propagating the large amount of
routing information on the Internet.
 Effective avoidance of routing loops. BGP routes carry the AS-PATH attribute, which avoids
loops by design.
 Flexible filtering and selection of routing information. BGP has rich routing attributes such as
ORIGIN, NEXT-HOP, MED, LOCAL-PREF and COMMUNITY, which allow flexible filtering
and selection of routing information.

8.7.1 Configure BGP protocol

Select Basic > Routing Management > BGP > BGP Configuration from navigation tree to
enter the configure BGP page, as shown in the following figure.

Figure 8-26 Configure BGP

System configuration includes enabling BGP, configuring the BGP AS-ID and advanced
configuration. The description of each parameter is as follows:

 Start BGP: enable BGP protocol.
 AS-ID: autonomous system ID, which can be configured after the BGP protocol is enabled.
 Route priority: display the EBGP route priority, IBGP route priority and local route priority
respectively.
 Routing device ID: the ID of the BGP device. You can choose automatic or manual
configuration.
 BGP multipath: the number of EBGP and IBGP multipaths.
 Import route: the options include IPv4 direct route, static route, RIP route, OSPF route,
GUARD route and ISIS route.
 Import IPv6 route: the options include IPv6 direct route, static route, RIPng route, OSPFv3
route, GUARD route and ISIS route.
 Introduce OSPF instances: the optional range is 1~65535. Separate the instance numbers
with commas.

 BGP graceful restart: this function is mainly used in dual-system backup scenarios to keep
BGP routes alive during active/standby switchover and avoid network interruption. You need
to enable the graceful restart function and configure the neighbor reestablishment time and
the route hold time. The route hold time should be greater than the neighbor reestablishment
time.

The neighbor configuration parameters are described as follows:

 Neighbor IP: the IP address of the neighbor device interface.
 Neighbor AS: the AS-ID of the neighbor device.
 EBGP maximum hops: the maximum number of hops for EBGP routing, in the range 1~255.
 Local source address: the local source address for establishing BGP neighbors. It can be
selected automatically, or you can manually specify an interface or IP address.
 Authentication information: the authentication information used when BGP establishes
neighbors. Both neighbor devices must be configured with the same authentication password.
 Advanced configuration: includes the BFD check, advertising default routes to neighbors,
changing the next hop to the local device when advertising routes, not learning routes
advertised by the neighbor, allowing the local AS number to repeat in the AS-PATH, using a
local pseudo AS number for EBGP neighbors, manually configuring time parameters, and
configuring neighbor community attributes.
 Routing capability: the kinds of routes exchanged with the BGP neighbor.
Among them, the advanced configuration parameters are described as follows:

 BFD check: choose whether to enable the BFD check.
 Advertise default route to neighbors: choose whether to send a default route to neighboring
devices.
 Change the next hop to yourself when advertising routes: choose whether to set the next
hop to the local device when advertising routes.
 Do not learn the routes advertised by the neighbor: choose whether to learn the routes
advertised by the neighbor.
 Allow local AS number repetition in AS-PATH: after checking, the "Maximum times"
drop-down box appears; select the maximum number of times the local AS number may
repeat in the AS-PATH. The default is 3 times.
 Use local pseudo-AS numbers for EBGP neighbors: lengthen the path by adding a
pseudo-AS number, to influence path selection. After checking, the "pseudo AS number"
text box appears; enter the pseudo AS number.
 Manually configure time parameters: after checking, the message interval and hold time text
boxes appear.
   Message interval: the interval between sending KEEPALIVE messages.
   Holding time: if the device receives no KEEPALIVE message from the neighbor within the
holding time, the neighbor is regarded as down.
 Configure neighbor community attributes: check to configure neighbor community
attributes.
   NO-ADVERTISE: routes with this attribute are not sent to any BGP neighbor, EBGP or
IBGP.
   NO-EXPORT: routes with this attribute are not sent to any EBGP neighbor outside the
confederation. If no confederation is defined, the AS is treated as an independent
confederation.
   LOCAL-AS: routes with this attribute are not sent to any EBGP neighbor, including EBGP
neighbors within the confederation.
   AA:NN format: the Type code of the community attribute is 8, and its length is 32 bits. It
can be parsed as a decimal number or in AA:NN format. According to the RFC, the first
16 bits are the AS number and the last 16 bits are a locally defined value used by that AS.
The ranges 0x00000000-0x0000FFFF and 0xFFFF0000-0xFFFFFFFF are reserved. To
configure and display communities in AA:NN format, issue the ip bgp-community
new-format global configuration command.
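The community encoding and the three well-known values described above, as an added example that is not DPtech firmware code: conversion between decimal, AA:NN and the named communities, the reserved-range check, and a small filter that applies the NO-ADVERTISE, NO-EXPORT and LOCAL-AS semantics when deciding whether a route may be sent to a neighbor of a given type. The numeric values of the well-known communities are those assigned in RFC 1997; AS numbers used here are constructed.

```python
"""BGP COMMUNITY values: decimal, AA:NN and the well-known communities.

Added example, not DPtech firmware code. A community is a 32-bit value; in
AA:NN notation the high 16 bits are an AS number and the low 16 bits a value
that AS assigns locally. 0x00000000-0x0000FFFF and 0xFFFF0000-0xFFFFFFFF are
reserved; NO_EXPORT, NO_ADVERTISE and NO_EXPORT_SUBCONFED (shown as LOCAL-AS
on the configuration page) are the RFC 1997 well-known values. AS numbers in
the tests are constructed.
"""
from typing import Dict, Iterable

NO_EXPORT = 0xFFFFFF01
NO_ADVERTISE = 0xFFFFFF02
LOCAL_AS = 0xFFFFFF03          # NO_EXPORT_SUBCONFED in RFC 1997
WELL_KNOWN: Dict[int, str] = {NO_EXPORT: "NO-EXPORT",
                              NO_ADVERTISE: "NO-ADVERTISE",
                              LOCAL_AS: "LOCAL-AS"}


def is_reserved(value: int) -> bool:
    """True for the two reserved ranges (which include the well-known values)."""
    return value <= 0x0000FFFF or value >= 0xFFFF0000


def encode(text: str) -> int:
    """'AA:NN', a well-known name, or a plain decimal string -> 32-bit value."""
    for value, name in WELL_KNOWN.items():
        if text.upper() == name:
            return value
    if ":" in text:
        aa, nn = (int(part) for part in text.split(":", 1))
        if not (0 <= aa <= 0xFFFF and 0 <= nn <= 0xFFFF):
            raise ValueError("AA and NN must each fit in 16 bits")
        return (aa << 16) | nn
    value = int(text)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("community must fit in 32 bits")
    return value


def decode(value: int, new_format: bool = True) -> str:
    """32-bit value -> well-known name, AA:NN (new format) or plain decimal."""
    if value in WELL_KNOWN:
        return WELL_KNOWN[value]
    if not new_format:
        return str(value)
    return f"{value >> 16}:{value & 0xFFFF}"


def may_advertise(communities: Iterable[int], neighbor: str) -> bool:
    """neighbor is 'ibgp', 'ebgp-confed' (EBGP peer inside the confederation)
    or 'ebgp' (EBGP peer outside it). False when a well-known community
    forbids sending the route to that kind of neighbor."""
    cset = set(communities)
    if NO_ADVERTISE in cset:
        return False                 # not to any peer at all
    if LOCAL_AS in cset and neighbor in ("ebgp", "ebgp-confed"):
        return False                 # no EBGP peer, not even inside the confederation
    if NO_EXPORT in cset and neighbor == "ebgp":
        return False                 # stays inside the confederation (or the AS)
    return True


if __name__ == "__main__":
    for c in (encode("65000:100"), NO_EXPORT, NO_ADVERTISE, LOCAL_AS):
        print(decode(c), decode(c, new_format=False), is_reserved(c))
```

The filter is the receiving-side check worth keeping in mind when reviewing what a neighbor is configured to send: a route tagged NO-EXPORT should never show up at a peer outside the confederation, and one tagged NO-ADVERTISE should never leave the router at all.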
The configuration parameters of route aggregation are described as follows:

 Destination network segment: the IP address of the network segment after route
aggregation.
 Mask: the mask of the destination network segment.
 Advanced configuration: includes the options "when aggregating routes, calculate the
AS-PATH attribute" and "when advertising routes, advertise only the aggregated route, not the
specific routes".

8.7.2 Configure BGP-VPN

Select Basic > Routing Management > BGP > BGP Configuration from navigation tree to
enter the configure BGP page, as shown in the following figure.

Figure 8-27 Configure BGP-VPN

The BGP-VPN configuration parameters are described as follows:

 OVC: the name of the OVC instance.
 VRF: the name of the VRF instance.
 Enable: enable or disable this VPN instance.
 RD: the RD (Route Distinguisher).
 RT: the RT (Route Target), including Import RT and Export RT.
 Imported routes: routes imported by the VPN instance, including direct routes, static routes,
RIP routes, OSPF routes, and ISIS routes.
 Import OSPF instance: the OSPF instance imported by the VPN instance.

Before enabling the VPN instance, you need to enter Basic > Basic Configuration to create the
corresponding OVC or VRF instance.

8.7.3 BGP neighbor information

Select Basic > Routing Management > BGP > BGP Configuration from navigation tree to
enter the BGP neighbor information page, as shown in the following figure.

Figure 8-28 BGP neighbor information

The description of each parameter on the BGP neighbor information display page is as follows:

 Neighbor IP: the interface IP address of the connected neighbor device.
 Neighbor AS: the AS-ID of the neighbor device.
 Neighbor ID: the device ID of the neighbor device.
 Neighbor status: the neighbor status, one of Connect, Active, Open-sent, Open-confirm,
Established and Idle.
 Local ID: the device ID of the local device.
 Establishment time: the time at which the BGP neighbor was established.
 Timeout time: the interval between two consecutive BGP Keepalive packets. If no Keepalive
packet is received from the BGP neighbor within this time, the connection between the device
and the BGP neighbor is considered interrupted.

8.8 GUARD

When the Traffic Anomaly Probe device identifies a potential attack, it alerts the Guard device to
begin diverting traffic destined for the targeted devices, and only that traffic, for inspection. All
other traffic continues to flow freely, which reduces the impact on overall business operations.

A Guard route is configured on the Guard device. Its main role is to divert traffic destined for the
targeted device to the Guard device. A Guard route can be configured manually by the
administrator, or automatically by a script on the device that is triggered by the received
information.

The outbound interface of a Guard route is Null0. A Guard route is not added to the FIB table
after it is configured; it does not participate in packet forwarding and needs to be used together
with the BGP protocol. Once redistributed into BGP, the Guard route is advertised to the BGP
peers, so the Guard device diverts the traffic to itself and scrubs the anomalous traffic back to
normal.

Select Basic > Route Management > IPv4 Unicast Routing > IPv4 Guard Route to enter the
IPv4 guard route page, as shown in the following figure.

Figure 8-29 IPv4 guard route

8.9 MPLS

MPLS (Multi-protocol Label Switching) is a forwarding technology that combines the Layer 2
switching characteristic with the Layer 3 routing characteristic. MPLS can run not only over
network layer protocols such as IPv4 and IPv6, but also over data link layer protocols such as
ATM, Frame Relay, Ethernet and PPP. With label forwarding, packets are forwarded according to
their classification, so MPLS has both the flexibility of IP routing and the simplicity of Layer 2
switching.

The basic procedure of MPLS forwarding is as follows:

 Together with the traditional routing protocol, LDP establishes the routing table and the
MPLS forwarding entries for every FEC required by the services on all LSRs (Label Switching
Routers).
 When the ingress LER (Label Edge Router) of the MPLS domain receives a packet, it
determines the FEC the packet belongs to, tags it with a label to generate an MPLS packet,
and then forwards the packet according to the MPLS entry.
 An LSR looks up the label forwarding table by the incoming label of the MPLS packet,
substitutes a new label for the original incoming label, and forwards the packet to the
next-hop LSR through the related outbound interface.
 When the egress LER of the MPLS domain receives the MPLS packet from the LSR, it looks
up the label forwarding table by the packet's incoming label.

8.9.1 MPLS forwarding configuration

Select Basic > Route Management > MPLS > MPLS Configure > Global Configuration >
Enable MPLS from navigation tree to enter the MPLS configure page, as shown in the following
figure.

Figure 8-30 Enable MPLS

Click to enable MPLS function and then click the Submit button in the upper right corner on the
Web page. The global MPLS function is enabled.

8.9.2 Static configuration

The static configuration module provides the statically configured label forwarding table. The
label forwarding table is composed of the FTN (FEC-to-NHLFE Map) table and the ILM (Incoming
Label Map) table. When an LER receives a packet without a label, it looks up the FTN table by
the destination address of the IP packet, tags the label, and forwards the generated MPLS
packet. When an LSR receives an MPLS packet, it looks up the ILM table by the packet's
incoming label, pops the incoming label and then forwards the packet.

8.9.2.1 Configure Output

Select BASIC > Route Management > MPLS > MPLS Configure > Static configuration from
navigation tree to enter the configure output page, as shown in the following figure.

Figure 8-31 Configure Output

The parameters of the configure output page are shown in the following:

 Segment: the network segment to which the IP packet belongs.
 Outgoing label: the outgoing label that corresponds to the IP packet.
 Next Hop: the next hop that corresponds to the IP packet.

Before you configure the "outgoing label" parameter, you should configure the static label
range in "Label Range" under "Advanced Configuration" on the LDP configuration page.

8.9.2.2 Configure Input

Select Basic > Route Management > MPLS configure > Static configuration > Configure
Input from navigation tree to enter the configure input page, as shown in the following figure.

Figure 8-32 Configure Input

The parameters of the configure input page are shown in the following:

• Segment: the network segment to which the IP packet belongs.
• Incoming label: the incoming label that corresponds to the IP packet.

Before you configure the "incoming label" parameter, you should configure the static label range in "Label Range" under "Advanced Configuration" on the LDP configuration page.
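The FTN and ILM lookups described in 8.9.2, together with the static label range check noted above, as an added example (a hypothetical Python model, not the device's own code; the label range, segments, labels and next hops are constructed values):

```python
"""Static MPLS label forwarding with FTN and ILM tables (added example).
Hypothetical model, not the FW1000's code: the ingress LER finds an FTN entry
by destination address and pushes a label; each LSR finds an ILM entry by
incoming label and swaps or pops it. All values below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed static label range, standing in for "Label Range > static" on the
# LDP configuration page; static entries outside it are rejected.
STATIC_LABEL_RANGE = (1000, 1999)

def is_static_label(label: int) -> bool:
    lo, hi = STATIC_LABEL_RANGE
    return lo <= label <= hi

def check_static_label(label: int) -> int:
    if not is_static_label(label):
        raise ValueError(f"label {label} is outside the static range {STATIC_LABEL_RANGE}")
    return label

@dataclass(frozen=True)
class FtnEntry:  # one "Configure Output" row: segment, outgoing label, next hop
    segment: ipaddress.IPv4Network
    out_label: int
    next_hop: str

@dataclass(frozen=True)
class IlmEntry:  # one "Configure Input" row: segment and incoming label
    segment: ipaddress.IPv4Network
    in_label: int
    # None on the egress LER (pop); set on a transit LSR to model a swap
    out_label: Optional[int] = None
    next_hop: Optional[str] = None

class StaticLsr:
    def __init__(self, name: str):
        self.name = name
        self.ftn: list = []
        self.ilm: dict = {}

    def add_ftn(self, segment: str, out_label: int, next_hop: str) -> None:
        self.ftn.append(FtnEntry(ipaddress.ip_network(segment),
                                 check_static_label(out_label), next_hop))
        # most specific segment first, so the lookup is a longest-prefix match
        self.ftn.sort(key=lambda e: e.segment.prefixlen, reverse=True)

    def add_ilm(self, segment: str, in_label: int,
                out_label: Optional[int] = None, next_hop: Optional[str] = None) -> None:
        check_static_label(in_label)
        if out_label is not None:
            check_static_label(out_label)
        if in_label in self.ilm:
            raise ValueError(f"incoming label {in_label} is already configured")
        self.ilm[in_label] = IlmEntry(ipaddress.ip_network(segment), in_label,
                                      out_label, next_hop)

    def forward_ip(self, dst: str) -> Optional[dict]:
        """Ingress LER: FTN lookup on the destination address, then label push."""
        addr = ipaddress.ip_address(dst)
        for e in self.ftn:
            if addr in e.segment:
                return {"label": e.out_label, "next_hop": e.next_hop, "dst": dst}
        return None  # no FTN entry: the packet would be IP-forwarded instead

    def forward_mpls(self, pkt: dict) -> Optional[dict]:
        """Transit or egress LSR: ILM lookup on the incoming label, then swap or pop."""
        e = self.ilm.get(pkt["label"])
        if e is None:
            return None  # unknown incoming label: drop
        if e.out_label is None:  # egress: pop the label and continue as IP
            return {"label": None, "next_hop": None, "dst": pkt["dst"]}
        return {"label": e.out_label, "next_hop": e.next_hop, "dst": pkt["dst"]}

def build_path() -> tuple:
    """Constructed three-node path: ingress LER A, transit LSR B, egress LER C."""
    a, b, c = StaticLsr("LER-A"), StaticLsr("LSR-B"), StaticLsr("LER-C")
    a.add_ftn("10.1.0.0/16", 1001, "192.0.2.2")  # covering segment
    a.add_ftn("10.1.5.0/24", 1002, "192.0.2.2")  # more specific segment
    b.add_ilm("10.1.0.0/16", 1001, out_label=1101, next_hop="192.0.2.6")
    b.add_ilm("10.1.5.0/24", 1002, out_label=1102, next_hop="192.0.2.6")
    c.add_ilm("10.1.0.0/16", 1101)  # pop at the egress LER
    c.add_ilm("10.1.5.0/24", 1102)
    return a, b, c

def trace_labels(dst: str) -> list:
    """Label carried after each node: push at A, swap at B, pop (None) at C."""
    a, b, c = build_path()
    pkt = a.forward_ip(dst)
    if pkt is None:
        return ["no FTN entry"]
    labels = [pkt["label"]]
    for lsr in (b, c):
        pkt = lsr.forward_mpls(pkt)
        if pkt is None:
            return labels + ["dropped"]
        labels.append(pkt["label"])
    return labels
```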

8.9.3 LDP Protocol

LDP (Label Distribution Protocol) is one of the main protocols in the MPLS system. It defines the messages exchanged and the procedures followed during label distribution. To establish a label switched path, an LSR uses LDP to map network layer routing information to a data link layer switched path.

8.9.3.1 LDP configuration

The LDP configuration module provides the function of configuring the parameters of LDP, including the router ID, label space, label distribution control mode, label distribution mode, backoff time-domain, label range, imported routes, GR configuration, interface configuration, etc.

Select Basic > Route Management > MPLS configure > LDP protocol > Configure LDP from
navigation tree to enter the LDP configuration page, as shown in the following figure.

Figure 8-33 LDP configuration

The parameters of advanced configuration are shown in the following:

• Router ID: the router ID, in dotted-decimal format.
• Label space: the type of label space.
• Label distribution control mode: the label distribution control mode.
• Label distribution mode: the label distribution mode.
• Backoff Time-Domain: the backoff time-domain.
• Label range: the dynamic / static label range.
• Import route: the routing information to import, including OSPF, ISIS, RIP, static, Guard and BGP routes.
• GR configuration: enable / disable graceful restart (GR).
• Reconnect time: timeout of the GR reconnect timer.
• Recover time: timeout of the GR recovery timer.
• Forwarding hold time: timeout of the MPLS forwarding state hold timer.
• Hello Hold time: timeout of the Hello timer.
• Keepalive time: timeout of the Keepalive timer.

The parameters of interface configuration are shown in the following:

• Interface name: the interface name.
• Enabling LDP: enable / disable LDP on the interface.
• Transport address: the transport address of the LDP interface.

8.9.3.2 Display LDP neighbor

Select Basic > Route Management > MPLS configure > LDP protocol > Display LDP
neighbor from navigation tree to enter the display LDP neighbor page, as shown in the following
figure.

Figure 8-34 Display LDP neighbor

The parameters of display LDP neighbor are shown in the following:

• Neighbour: the LDP neighbour.
• State: the LDP neighbor state.
• Keepalive Hold time: timeout of the LDP neighbour Keepalive timer.
• Up time: the LDP neighbor establishment time.

8.9.3.3 Display LDP adjacency

Select Basic > Route Management > MPLS configure > LDP protocol > Display LDP
adjacency from navigation tree to enter the display LDP adjacency page, as shown in the
following figure.

Figure 8-35 Display LDP adjacency

The parameters of display LDP adjacency are shown in the following:

• LSR_ID: the LSR ID of the LDP adjacency.
• Transport: the address used to establish the TCP connection.
• Interface: the interface that connects to the adjacent LSR.
• Hello_hold time: the Hello hold time of the adjacent LSR.
• Next hop: the next-hop address of the adjacent LSR.

8.9.3.4 Display LDP interface

Select Basic > Route Management > MPLS configure > LDP protocol > Display LDP
interface from navigation tree to enter the display LDP interface page, as shown in the following
figure.

Figure 8-36 Display LDP interface

The parameters of display LDP interface are shown in the following:

• Interface: the LDP interface.
• State: the LDP enable state of the interface.

8.9.3.5 Display MPLS forward

Select Basic > Route Management > MPLS configure > LDP protocol > Display MPLS
forward from navigation tree to enter the display MPLS forward page, as shown in the following
figure.

Figure 8-37 Display MPLS forward

By specifying the destination network segment, you can query the MPLS forwarding table, including the outgoing label, prefix, next hop and outgoing interface.

8.9.4 L2VPN

MPLS L2VPN is a Layer 2 VPN technology based on MPLS network, which can use the existing
public network to expand user's private network.

The device supports two MPLS L2VPN service models: VPWS and VPLS.

• VPWS (Virtual Private Wire Service) is a point-to-point virtual private network technology that provides high-speed transparent Layer 2 transmission and supports almost all link layer protocols. CCC, SVC and Martini are three implementation methods of MPLS L2VPN, all built on the VPWS model.
• VPLS (Virtual Private LAN Service) is an Ethernet-based L2VPN technology that uses a signaling protocol between the PE nodes of a VPLS instance to establish and maintain PWs, and encapsulates Layer 2 protocol frames for transmission and switching over the PWs. At the data link layer, VPLS integrates different LANs into one virtual VLAN. VPLS combines the features of MPLS and L2VPN technology and supports point-to-multipoint services.

MPLS L2VPN is mainly implemented in the following three ways:

• CCC mode: CCC (Circuit Cross Connect) uses a single label to transmit user data. CCC has exclusive use of its LSP and does not need any label signaling to pass Layer 2 VPN information.
• SVC mode: SVC (Static Virtual Circuit) is a static form of MPLS L2VPN. The VC (Virtual Circuit) must be configured manually, and no signaling protocol is used to transmit L2VPN information.
• Martini mode: MPLS L2VPN in Martini mode focuses on building a VC between two CEs. It uses a two-layer label stack between the two CEs; the inner label is distributed by extended LDP signaling.

8.9.4.1 L2VPN configuration

Select Basic > Route Management > MPLS configure > L2VPN > L2VPN Configuration from
navigation tree to enter the L2VPN configuration page, as shown in the following figure.

Figure 8-38 L2VPN Configuration

8.9.4.2 PW template

In a PW template, you can specify PW attributes such as the PW data encapsulation type and whether a control word is used. PWs with the same attributes can reference the same PW template, which simplifies PW attribute configuration.

Select Basic > Route Management > MPLS configure > L2VPN > PW Template from
navigation tree to enter the PW template page, as shown in the following figure.

Figure 8-39 PW Template

The parameters of PW template configuration are shown in the following:

• Pw name: the name of the PW template.
• Remote neighbor: select the type of tunnel.
• Encapsulated type: select the PW data encapsulation type, including ethernet, vlan and none.
• Control word: enable / disable the control word, including Ctrl Word and None Ctrl Word.

8.9.4.3 SVC mode

Select Basic > Route Management > MPLS configure > L2VPN > SVC mode from navigation
tree to enter the SVC mode page, as shown in the following figure.

Figure 8-40 SVC mode

The parameters of SVC mode configuration are shown in the following:

• Incoming interface: the interface that connects to the CE.
• Remote neighbor: the IP address of the remote neighbor.
• Vc id: the virtual circuit ID.
• Receiving label: the incoming label of the packet.
• Transported label: the outgoing label of the packet.
• Tunnel type: select the type of tunnel.
• Pw configuration: select the corresponding PW template and apply it.

8.9.4.4 CCC mode

Select Basic > Route Management > MPLS configure > L2VPN > CCC mode from navigation
tree to enter the CCC mode page, as shown in the following figure.

Figure 8-41 CCC mode

The parameters of CCC mode configuration are shown in the following:

• Type: the type of CE device.
• Inbound interface: the interface that connects to the CE.
• In-label: the incoming label of the packet.
• Out-label: the outgoing label of the packet.
• Outbound interface: the outbound interface of the packet.
• Next-hop: the next-hop address of the packet.
• TAG mode: whether to add a VLAN tag to packets, including Raw and Tagged.
• Control word: enable / disable the control word, including Ctrl Word and None Ctrl Word.

8.9.4.5 MARTINI mode

Select Basic > Route Management > MPLS configure > L2VPN > MARTINI mode from
navigation tree to enter the MARTINI mode page, as shown in the following figure.

Figure 8-42 MARTINI mode

The parameters of MARTINI mode page are shown in the following:

• Inbound interface: the interface that connects to the CE.
• Remote neighbour: the IP address of the remote neighbor.
• Vc ID: the virtual circuit ID.
• Tunnel type: select the tunnel type.
• PW config: select the corresponding PW template and apply it.

8.9.4.6 VPLS mode

Select Basic > Route Management > MPLS configure > L2VPN > VPLS mode from
navigation tree to enter the VPLS mode page, as shown in the following figure.

Figure 8-43 VPLS mode

The parameters of VPLS mode page are shown in the following:

• VSI NAME: the virtual forwarding instance name.
• VSI ID: the virtual forwarding instance ID.
• Pw type: select the PW encapsulation type, Ethernet or VLAN.
• Remote peer: the remote neighbor address, virtual circuit ID, Pw type and tunnel template.
• Mac configure: enable the MAC learning function and configure the MAC aging time.
• Interface: the interface that connects to the CE.

8.9.5 Display L3VPN forward

Select Basic > Route Management > MPLS configure > Display L3VPN forward from
navigation tree to enter the display L3VPN forward page, as shown in the following figure.

Figure 8-44 Display L3VPN forward

By specifying a VRF name or a destination network segment, you can query the MPLS L3VPN forwarding table, including the VRF name, network segment, label, next hop and outgoing interface.

8.9.6 TE static configuration

Network congestion is one of the major problems that degrade backbone network performance. It may occur either when network resources are inadequate or when load distribution is unbalanced. Traffic engineering (TE) is intended to avoid the latter situation, where partial congestion occurs as the result of inefficient resource allocation.

TE makes the best use of network resources and avoids uneven load distribution by monitoring traffic and the traffic load on each network element in real time, and dynamically tuning traffic management attributes, routing parameters and resource constraints. MPLS TE combines MPLS technology with traffic engineering: it reserves resources by establishing LSP tunnels to specific destinations, and allows traffic to bypass congested nodes to achieve appropriate load distribution.

MPLS TE is a scalable and simple traffic engineering solution that is favored by service providers. With MPLS TE, service providers can deploy simplified traffic engineering in their existing MPLS backbone network, making full use of existing network resources to provide diversified services while also optimizing network resources and managing the network scientifically.

8.9.6.1 TE FTN

Select Basic > Route Management > MPLS configure > TE static configuration > TE FTN
from navigation tree to enter the TE FTN page, as shown in the following figure.

Figure 8-45 TE FTN

The parameters of TE FTN configuration are shown in the following:

• Tunnel ID: the MPLS TE tunnel ID.
• Destination network segment: the destination network segment to which the packet belongs.
• Next hop: the next-hop address that corresponds to the packet.
• Outgoing label: the label that corresponds to the packet.
• Outgoing interface: the outgoing interface that corresponds to the packet.
• Bandwidth: the traffic bandwidth.

8.9.6.2 TE ILM

Select Basic > Route Management > MPLS configure > TE static configuration > TE ILM
from navigation tree to enter the TE ILM page, as shown in the following figure.

Figure 8-46 TE ILM

The parameters of TE ILM configuration are shown in the following:

• Type: the type of device node, Transit or Egress.
• Tunnel ID: the MPLS TE tunnel ID.
• Incoming interface: the incoming interface that corresponds to the packet.
• Incoming label: the incoming label that corresponds to the packet.
• Outgoing label: the label that corresponds to the packet.
• Outgoing interface: the outgoing interface that corresponds to the packet.
• Next-hop: the next-hop address that corresponds to the packet.
• Bandwidth: the traffic bandwidth.

8.9.7 TE tunnel configuration

MPLS LSP, MPLS TE (Traffic Engineering) and other types of tunnels carry many kinds of traffic for MPLS VPN (Virtual Private Network). If there are many tunnels between two PEs (Provider Edge) and each PE has multiple tunnels, tunnel selection becomes an important consideration. A reasonable tunnel selection not only benefits ISP network management and design, but also reduces the processing cost on the PE.

An MPLS TE tunnel is a virtual point-to-point connection from the ingress node to the egress node. Typically, an MPLS TE tunnel consists of one CRLSP. To deploy CRLSP backup or transmit traffic over multiple paths, you need to establish multiple CRLSPs for one class of traffic; in this case, an MPLS TE tunnel consists of a set of CRLSPs. An MPLS TE tunnel is identified by an MPLS TE tunnel interface on the ingress node. When the outgoing interface of a traffic flow is an MPLS TE tunnel interface, the traffic flow is forwarded through the CRLSPs of the MPLS TE tunnel.

8.9.7.1 TE tunnel

Select Basic > Route Management > MPLS configure > TE Tunnel > TE Tunnel from
navigation tree to enter the TE Tunnel page, as shown in the following figure.

Figure 8-47 TE Tunnel

The parameters of TE tunnel configuration are shown in the following:

• Tunnel ID: the MPLS TE tunnel ID.
• Basic configuration: the tunnel interface IP, tunnel bandwidth and tunnel destination network segment.
• Advanced configuration: the setup priority and hold priority settings, and enabling or disabling the record route and fast reroute functions.
• Path selection: select dynamic or static path selection.

8.9.7.2 TE PATH

Select Basic > Route Management > MPLS configure > TE Tunnel > TE PATH from
navigation tree to enter the TE path page, as shown in the following figure.

Figure 8-48 TE PATH

The parameters of TE PATH page are shown in the following:

• Path name: the name of the MPLS TE path.
• Path parameter: includes next_address and exclude_address. The next_address configuration lets you select the strict or loose path option.
• Enabling status: enable / disable the TE path configuration.

8.9.7.3 Interface config

Select Basic > Route Management > MPLS configure > TE Tunnel > Interface Config from
navigation tree to enter the interface config page, as shown in the following figure.

Figure 8-49 Interface config

The parameters of interface configuration are shown in the following:

• Interface: the interface on which MPLS TE is configured.
• Enable TE: enable / disable the TE configuration.
• Backup link: the MPLS TE backup link.
• Bandwidth: the traffic bandwidth.
• Max reserved bandwidth: the maximum reservable bandwidth.
• Metric: the MPLS TE path cost value.
• Hello: enable fast reroute Hello packets and configure their interval and the number of misses.

8.10 IPv4 multicast


In multicast, a source sends data to a uniquely identified multicast group address, and receivers obtain the data by joining the multicast group. IPv4 multicast has the following features.

• Low latency. Once multicast traffic is transmitted stably, a shortest path tree is built between the source and the receivers, which effectively reduces network latency and makes multicast data transmission efficient.
• Low bandwidth. When multicast is used, the same multicast traffic is transmitted only once on a trunk link; data is copied and forwarded at the point closest to the recipients. Therefore, the backbone bandwidth occupied by multicast data does not increase as the number of recipients increases.
• Strong scalability. In a multicast network, the multicast source or sources do not need to know the location of the receivers; they only need to send the multicast traffic to the multicast group. Any recipient can accept or reject data from a multicast group by joining or leaving that group. With strong scalability, the multicast transmission mode is suitable for networks of any size.

8.10.1 Basic configuration

The basic configuration module enables or disables the multicast function on an interface and sets the multicast boundary of an interface.

Select Basic > Route Management > IPv4 Multicast > Basic Configuration from navigation tree to enter the basic configuration page, as shown in the following figure.

Figure 8-50 Basic configuration

The parameters of basic configuration are shown in the following:

• Interface name: the name of the device interface.
• State: enable or disable the multicast function on the interface.
• Multicast border: the multicast group address and mask whose multicast data the interface does not forward. You can configure it only when the multicast function is enabled on the interface.

8.10.2 IGMP Snooping

IGMP Snooping (Internet Group Management Protocol Snooping) is a multicast constraint mechanism that runs on Layer 2 devices and is used for multicast group management and control.

A Layer 2 device running IGMP Snooping analyzes the received IGMP messages to establish the mapping between ports and multicast MAC addresses, and forwards multicast data packets according to this mapping.

8.10.2.1 IGMP Snooping

Select Basic > Route Management > IPv4 Multicast > IGMP Snooping > IGMP Snooping
from navigation tree to enter the IGMP Snooping page, as shown in the following figure.

Figure 8-51 IGMP Snooping

Click to enable the IGMP Snooping function and then click the Submit button in the upper right corner of the Web page.

The parameters of VLAN configuration are shown in the following:

• VLAN: display the VLAN ID.
• State: enable / disable the IGMP Snooping function on the VLAN interface.
• Fast leave: enable / disable the fast leave function on the VLAN interface.
• Querier: enable the IGMP Snooping querier and set the source IP address of IGMP query packets.
• Static configuration: MAC address / member port: the mapping between multicast MAC address and member port.
• Static configuration: route port: the router port.

8.10.2.2 Layer 2 unknown multicast drop configuration

Layer 2 unknown multicast packets are multicast data packets that have no corresponding entry in the IGMP Snooping forwarding table. When the Layer 2 unknown multicast drop function is enabled, the switch forwards received unknown multicast packets to the router port only and does not broadcast them in the VLAN; if the switch has no router port, the packets are dropped and not forwarded. When the function is disabled, the switch broadcasts unknown multicast packets in the VLAN to which they belong.
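The forwarding decision described above, together with the port-to-MAC mapping that IGMP Snooping builds from reports (and the fact, noted under the IGMP Snooping state parameters, that several multicast IP addresses map to one multicast MAC address), as an added example (a hypothetical Python model, not the device's code; the VLAN, ports and addresses are constructed, and forwarding known groups to router ports as well is an assumption):

```python
"""Layer 2 multicast forwarding under IGMP Snooping, with unknown multicast drop.
Added example (hypothetical model, not the FW1000's implementation). Router ports
are learned from IGMP queries, member ports from membership reports; the VLAN,
port numbers and group addresses are constructed."""
import ipaddress

def group_mac(group_ip: str) -> str:
    """IPv4 multicast address to MAC: 01:00:5e followed by the low 23 bits.
    Only 23 bits are kept, so 32 multicast IP addresses share one MAC address;
    a snooping table keyed by MAC therefore also delivers the other 31 groups."""
    addr = ipaddress.ip_address(group_ip)
    if not addr.is_multicast:
        raise ValueError(f"{group_ip} is not a multicast address")
    b = addr.packed
    return "01:00:5e:%02x:%02x:%02x" % (b[1] & 0x7F, b[2], b[3])

class SnoopingVlan:
    def __init__(self, vlan_id: int, ports, unknown_drop: bool = False,
                 fast_leave: bool = False):
        self.vlan_id = vlan_id
        self.ports = set(ports)
        self.unknown_drop = unknown_drop     # "Layer 2 unknown multicast drop"
        self.fast_leave = fast_leave
        self.router_ports = set()            # ports on which IGMP queries arrived
        self.members = {}                    # multicast MAC -> set of member ports

    def on_query(self, port: int) -> None:
        self.router_ports.add(port)

    def on_report(self, port: int, group_ip: str) -> None:
        self.members.setdefault(group_mac(group_ip), set()).add(port)

    def on_leave(self, port: int, group_ip: str) -> None:
        """With fast leave the port is removed at once; otherwise it stays until
        the group-specific query times out (timers are not modelled here)."""
        if not self.fast_leave:
            return
        mac = group_mac(group_ip)
        ports = self.members.get(mac, set())
        ports.discard(port)
        if not ports:
            self.members.pop(mac, None)

    def forward(self, in_port: int, group_ip: str) -> list:
        """Return the sorted output ports for a multicast frame received on in_port."""
        mac = group_mac(group_ip)
        if mac in self.members:
            # known group: member ports plus router ports (assumed, so upstream
            # routers keep seeing the stream)
            out = self.members[mac] | self.router_ports
        elif self.unknown_drop:
            out = set(self.router_ports)     # router ports only; empty means drop
        else:
            out = set(self.ports)            # flood within the VLAN
        return sorted(out - {in_port})

def build_vlan(unknown_drop: bool, with_router: bool = True) -> SnoopingVlan:
    """Constructed VLAN 100 with ports 1-5; port 5 faces the IGMP querier."""
    v = SnoopingVlan(100, ports=[1, 2, 3, 4, 5], unknown_drop=unknown_drop,
                     fast_leave=True)
    if with_router:
        v.on_query(port=5)
    v.on_report(1, "239.1.1.1")
    v.on_report(2, "239.1.1.1")
    return v

def ports_after_fast_leave() -> list:
    """Port 1 leaves 239.1.1.1 with fast leave enabled; who still gets the stream?"""
    v = build_vlan(unknown_drop=True)
    v.on_leave(1, "239.1.1.1")
    return v.forward(5, "239.1.1.1")
```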

Select Basic > Route Management > IPv4 Multicast > IGMP Snooping > Layer 2 Unknown
Multicast Drop Configuration from navigation tree to enter the Layer 2 unknown multicast drop
configuration page, as shown in the following figure.

Figure 8-52 Layer 2 Unknown Multicast Drop Configuration

The VLAN configuration parameters of the IGMP Snooping proxy are described as follows:

• VLAN: display the VLAN ID.
• Status: enable / disable the IGMP Snooping proxy function.
• Source IP address: the source IP address of the IGMP messages sent by the proxy.

8.10.2.3 IGMP Snooping state

Select Basic > Route Management > IPv4 Multicast > IGMP Snooping > IGMP Snooping
State from navigation tree to enter the IGMP Snooping state configuration page, as shown in the
following figure.

Figure 8-53 IGMP Snooping state

You can query either all IGMP Snooping routing state information or the IGMP Snooping routing state information of a specific VLAN.

The parameters of IGMP Snooping routing state are shown in the following:

• VLAN: display the VLAN ID.
• Route port: display the router port of the VLAN.
• MAC address: display the multicast MAC address.
• Member port: display the member ports within the VLAN.
• Group address: display the multicast IP address of the multicast group.
• Group member port: display the member ports that correspond to the multicast group. Because several multicast IP addresses may map to one multicast MAC address, the ports displayed here are those that sent membership reports for the group address in the preceding "Group address" column.


8.10.3 Multicast VLAN

8.10.3.1 Multicast VLAN

In the traditional multicast on-demand mode, when hosts that belong to different VLANs require the multicast on-demand service, the Layer 3 device must forward a separate copy of the multicast traffic in each user VLAN to the Layer 2 device. This consumes a large amount of network bandwidth and adds an extra burden to the Layer 3 device.

Select Basic > Route Management > IPv4 Multicast > Multicast VLAN > Multicast VLAN
from navigation tree to enter the multicast VLAN configuration page, as shown in the following
figure.

Figure 8-54 Multicast VLAN

Click to enable multicast VLAN and click the Submit button in the upper right corner on the
webpage.

The parameters of multicast VLAN page are shown in the following:

• State: enable the multicast VLAN function.
• Multicast VLAN: the VLAN ID on which the multicast VLAN function is enabled.

The parameters of sub VLAN configuration page are shown in the following:

• VLAN: the sub VLAN ID.
• State: enable the multicast VLAN function.
• Multicast VLAN: the VLAN ID on which the multicast VLAN function is enabled.

8.10.3.2 Multicast VLAN state

Select Basic > Route Management > IPv4 Multicast > Multicast VLAN > Multicast VLAN state from navigation tree to enter the multicast VLAN state page, as shown in the following figure.

Figure 8-55 Multicast VLAN state

The parameters of multicast VLAN state page are shown in the following:

• Multicast VLAN: the VLAN ID on which the multicast VLAN function is enabled.
• MAC address: the multicast MAC address.
• Sub VLAN: the sub VLAN ID on which the multicast VLAN function is enabled.
• Sub VLAN port: the sub VLAN port on which the multicast VLAN function is enabled.

8.10.4 IGMP

8.10.4.1 IGMP

As a TCP/IP protocol responsible for IP multicast group member management, the Internet
Group Management Protocol (IGMP) is used by IP hosts and adjacent multicast routers to
establish and maintain their multicast group memberships.

IGMP has three versions: IGMPv1, IGMPv2 and IGMPv3.

• IGMPv1 (RFC1112) defines the basic multicast group membership query and join mechanism. The IGMP querier periodically multicasts IGMP queries (with destination address 224.0.0.1) to all hosts and routers on the local subnet; a host sends a membership report to join a multicast group.
• IGMPv2 (RFC2236) defines the leave group mechanism. It adds the leave group message and the group-specific query message. When a multicast group member leaves the group, it sends a leave group message; after receiving it, the router sends group-specific query messages to determine whether all members of the group have left.
• IGMPv3 (RFC3376) supports the SSM model. It adds source filtering for a specific multicast group: a multicast receiver can specify whether to receive or refuse data from a specific multicast source.

All IGMP versions support the ASM model. In addition, IGMPv3 can implement the SSM model directly, whereas IGMPv1 and IGMPv2 must work with the IGMP SSM mapping function to implement the SSM model. Because networks at present mainly use IGMPv2, the following introduces the working procedure of IGMPv2.


Figure 8-56 IGMPv2 working procedure

(1) Querier election

On the same subnet there may be multiple multicast routers, all of which can receive IGMP membership report messages from hosts, but it is enough for only one router to send IGMP query messages. Therefore, a querier election mechanism is used to determine which router is the IGMP querier.

Initially, every router assumes itself to be the querier and sends IGMP general query messages (often called "general queries") to all hosts and routers on the local subnet; the destination address is 224.0.0.1. After receiving a general query, every router compares the source IP address of the query message with its own interface address. The router with the lowest IP address wins the querier election and becomes the querier, and all other routers become non-queriers. All non-queriers start a timer, known as the "other querier present timer". If a router receives an IGMP query from the querier before the timer expires, it resets this timer; otherwise, it assumes the querier has timed out and initiates a new querier election. As shown in the above figure, router 1 and router 2 both consider themselves the querier by default and send IGMP general query messages to each other. Router 2, which has the lowest IP address, becomes the IGMP querier and router 1 becomes a non-querier.

(2) Joining multicast group

A host can join a multicast group either actively or in response to a query.

• Active join: when a host joins a multicast group, it sends a membership report message to the querier announcing that it wants to receive multicast packets from the specific group, without waiting for a general query from the querier. As shown in the above figure, host A wants to receive the messages of multicast group G1, so host A sends a membership report message to join multicast group G1.
• Response to query: the querier periodically sends general query packets to the hosts and routers on its local subnet to see whether any multicast data receivers exist; if a host on this network wants to join a multicast group, it sends a membership report and joins the multicast group. As shown in the above figure, after receiving the general query message sent by the querier, host B sends a membership report for multicast group G2.

(3) Response suppression mechanism

Because all hosts and routers on the local network receive the membership report message sent by any host, only one host needs to send a membership report for a specific multicast group; the other hosts on this network segment do not need to send one. This mechanism is called response suppression, and it reduces the message traffic on the network segment. As shown in the above figure, both host B and host C want to join multicast group G2; host B has already sent a membership report to join G2, so host C does not need to send one.

(4) Leave group

When a host leaves a multicast group, it sends a leave message to the multicast router. After receiving the leave message, the querier sends a configurable number of group-specific queries to the group that the host is leaving. If the querier receives a membership report for the group within the maximum response delay, it keeps maintaining the membership of the group. Otherwise, the querier assumes that the group has no member hosts on the local subnet and stops maintaining the membership of the group. As shown in the above figure, after host B sends the leave message, the querier immediately sends a group-specific query message to all hosts on its local network.
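Steps (1) to (4) replayed on a simulated subnet, as an added example (a hypothetical Python model, not the device's implementation; the router addresses, groups, host delays and timer values are constructed, and an integer clock stands in for real timers):

```python
"""IGMPv2 on one subnet: querier election, join, response suppression, leave.
Added example (hypothetical, not the FW1000's code); constructed clock/addresses."""
import ipaddress

G1, G2 = "239.1.1.1", "239.2.2.2"  # constructed multicast groups


class Router:
    def __init__(self, ip, oqp_interval=255, max_resp=10, lmq_count=2):
        self.ip = ipaddress.ip_address(ip)
        self.is_querier, self.oqp_deadline = True, None  # starts as querier, OQP timer off
        self.groups = {}  # group -> deadline by which a report must arrive, or None
        self.oqp_interval, self.max_resp, self.lmq_count = oqp_interval, max_resp, lmq_count

    def on_query(self, src_ip, now):  # election: lowest address wins
        if ipaddress.ip_address(src_ip) < self.ip:  # loser (re)starts its OQP timer
            self.is_querier, self.oqp_deadline = False, now + self.oqp_interval

    def on_report(self, group):
        self.groups[group] = None  # membership confirmed, cancel any pending expiry

    def on_leave(self, group, now):  # querier sends lmq_count group-specific queries
        if self.is_querier and group in self.groups:
            self.groups[group] = now + self.max_resp
            return [(group, now)] * self.lmq_count
        return []

    def tick(self, now):
        # drop groups whose group-specific query went unanswered within max_resp
        self.groups = {g: d for g, d in self.groups.items() if d is None or now < d}
        if not self.is_querier and self.oqp_deadline is not None and now >= self.oqp_deadline:
            self.is_querier, self.oqp_deadline = True, None  # querier timed out
            return [(None, now)]  # send a general query: new election
        return []


class Host:
    def __init__(self, name, delay):
        self.name, self.delay, self.groups, self.pending = name, delay, set(), {}

    def on_query(self, group, now):  # group None = general query
        for g in (self.groups if group is None else self.groups & {group}):
            self.pending[g] = now + self.delay  # fixed delay stands in for the random timer

    def on_report_seen(self, group):
        self.pending.pop(group, None)  # response suppression: another host answered

    def due(self, now):
        ready = [g for g, t in self.pending.items() if now >= t]
        self.pending = {g: t for g, t in self.pending.items() if g not in ready}
        return ready


class Subnet:  # delivers every message to all routers and hosts, like a shared LAN
    def __init__(self, routers, hosts):
        self.routers, self.hosts, self.reports = routers, hosts, []

    def query(self, src, group, now):
        for r in self.routers:
            r.on_query(src.ip, now)  # a router ignores its own address (not lower)
        for h in self.hosts:
            h.on_query(group, now)

    def report(self, host, group, now):
        self.reports.append((host.name, group, now))
        for r in self.routers:
            r.on_report(group)
        for h in self.hosts:
            h.on_report_seen(group)  # the sender has nothing pending for this group

    def leave(self, host, group, now):
        host.groups.discard(group)
        for r in self.routers:
            for g, t in r.on_leave(group, now):
                self.query(r, g, t)

    def tick(self, now):
        for r in self.routers:
            for g, t in r.tick(now):
                self.query(r, g, t)
        for h in self.hosts:
            for g in h.due(now):
                self.report(h, g, now)


def run_scenario():  # returns (querier addresses, reports sent, groups kept by r2)
    r1, r2 = Router("192.0.2.2"), Router("192.0.2.1")
    a, b, c = Host("A", 1), Host("B", 3), Host("C", 5)
    net = Subnet([r1, r2], [a, b, c])
    events = {
        0: lambda: (net.query(r1, None, 0), net.query(r2, None, 0)),  # (1) both claim querier
        1: lambda: (a.groups.add(G1), net.report(a, G1, 1)),          # (2) A joins actively
        5: lambda: (b.groups.add(G2), c.groups.add(G2)),              # B and C want G2
        10: lambda: net.query(r2, None, 10),  # (2)(3) general query: B answers, C suppressed
        20: lambda: net.leave(b, G2, 20),     # (4) B leaves; C answers the group query
        40: lambda: net.leave(c, G2, 40),     # (4) C leaves; no answer, G2 expires at 50
    }
    for now in range(60):
        events.get(now, lambda: None)()
        net.tick(now)
    return [str(r.ip) for r in (r1, r2) if r.is_querier], net.reports, sorted(r2.groups)
```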

Select Basic > Route Management > IPv4 Multicast > IGMP > IGMP from navigation tree to
enter the IGMP configuration page, as shown in the following figure.

Figure 8-57 IGMP

The parameters of IGMP page are shown in the following:

• Interface name: display the name of the interface.
• Version: set the IGMP version for the interface, or disable IGMP.
• Fast leave: enable / disable the fast leave function.
• General query interval: the interval between IGMP general query packets.
• General query max response time: the maximum response time after a general query packet is sent.
• Other querier present interval: the timeout of the other querier present timer.
• Group quantitative limit: the maximum number of multicast groups supported by the device.
• Static group: a statically joined multicast group. After you configure this, the interface forwards the data of the multicast group to the connected device even if it has not received membership report messages for that multicast group.
• Group filter: the multicast IP address and source IP address of the multicast group packets filtered by the interface.

8.10.4.2 IGMP SSM Mapping

The IGMP SSM mapping feature enables you to configure static IGMP SSM mappings on the
last hop router to provide SSM support for receiver hosts that are running IGMPv1 or IGMPv2.

Figure 8-58 IGMP SSM Mapping principle

As shown in the above figure, host A only supports sending IGMPv1/IGMPv2 membership messages. For host A to still obtain the source-specific multicast forwarding service for a particular source and group, the IGMPv3 querier must enable the PIM SSM function and configure the SSM service scope, then enable IGMP SSM Mapping and statically configure the SSM mapping policy for the specific multicast group.

A host that is running IGMPv1 or IGMPv2, however, cannot specify multicast source addresses in its report. In this case, you must configure the IGMP SSM mapping feature to translate the (*, G) information in the IGMPv1 or IGMPv2 report into (Include Source (S, G)) information.

Select Basic > Route Management > IPv4 Multicast > IGMP > IGMP SSM Mapping from
navigation tree to enter the IGMP SSM Mapping page, as shown in the following figure.

Figure 8-59 IGMP SSM Mapping

The IGMP SSM Mapping configuration page includes system configuration, global configuration
and interface configuration. The parameters are shown in the following:

 Multicast group address: set the multicast group address covered by the IGMP SSM
mapping.
 Source address: set the source IP address mapped to that multicast group address.
 Interface name: display the interface running IGMPv3. An interface is listed here only after
you have configured it to run IGMPv3.
 State: enable or disable the IGMP SSM mapping function on the interface.
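The following is an added example, not DPtech code, of what the querier does with the mapping table above: an IGMPv1/v2 (*, G) report for a group inside the SSM service scope is translated into (S, G) INCLUDE state from the static mapping, a report for a group outside the scope stays an ordinary any-source join, and a report inside the scope with no mapping is ignored because there is no source to join. The class and function names, the mapping table and the group addresses are assumptions constructed for illustration.

```python
"""IGMP SSM mapping: turn an IGMPv1/v2 (*, G) report into (S, G) INCLUDE state.

Added example for this manual section; it is not DPtech code. It models the
static mapping table the IGMP SSM Mapping page describes (multicast group ->
source addresses) together with the SSM service scope that PIM-SSM must be
configured with. The names and the sample table are assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Default SSM address range (RFC 4607); the page calls this the SSM service scope.
SSM_SCOPE = ipaddress.ip_network("232.0.0.0/8")


@dataclass(frozen=True)
class SsmMapping:
    """One static SSM mapping entry: a group prefix and the sources mapped to it."""
    group_prefix: ipaddress.IPv4Network
    sources: tuple


@dataclass(frozen=True)
class MembershipEntry:
    """What the querier records for a group after processing a report."""
    group: ipaddress.IPv4Address
    mode: str        # "INCLUDE" (source-specific) or "EXCLUDE" (any-source)
    sources: tuple   # empty for an EXCLUDE {} entry, i.e. a plain (*, G) join


# Constructed sample table: 232.1.1.0/24 is served by two sources,
# 232.1.2.10 by a single source.
SAMPLE_MAPPINGS = (
    SsmMapping(ipaddress.ip_network("232.1.1.0/24"),
               (ipaddress.ip_address("10.1.1.1"), ipaddress.ip_address("10.1.1.2"))),
    SsmMapping(ipaddress.ip_network("232.1.2.10/32"),
               (ipaddress.ip_address("10.2.2.2"),)),
)


class SsmMapper:
    def __init__(self, mappings=SAMPLE_MAPPINGS, scope=SSM_SCOPE):
        self.mappings = mappings
        self.scope = scope

    def lookup(self, group):
        """Longest-prefix match of the group against the mapping table."""
        best = None
        for m in self.mappings:
            if group in m.group_prefix and (
                    best is None or m.group_prefix.prefixlen > best.group_prefix.prefixlen):
                best = m
        return best

    def translate(self, report_version, group):
        """Return the membership entry the querier installs for this report, or None."""
        group = ipaddress.ip_address(group)
        if report_version == 3:
            # An IGMPv3 report carries its own source list; no mapping is applied.
            return None
        if group not in self.scope:
            # Outside the SSM range a (*, G) report is an ordinary ASM join: EXCLUDE {}.
            return MembershipEntry(group, "EXCLUDE", ())
        mapping = self.lookup(group)
        if mapping is None:
            # (*, G) inside the SSM range with no mapping: there is no source to
            # join, so the report is ignored rather than turned into a (*, G) join.
            return None
        return MembershipEntry(group, "INCLUDE", mapping.sources)


if __name__ == "__main__":
    mapper = SsmMapper()
    for version, g in ((2, "232.1.1.7"), (2, "232.1.2.10"), (2, "232.9.9.9"), (1, "239.1.1.1")):
        print(version, g, "->", mapper.translate(version, g))
```

The practical point is the third case: without a mapping, a (*, G) join inside the SSM range is dropped, so a receiver on an IGMPv2-only segment silently gets no traffic until the mapping for its group is configured.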

8.10.4.3 IGMP Proxying

IGMP proxying reduces the number of IGMP packets an upstream device has to process, and so
improves its overall performance. It runs in a Layer 3 environment: the proxy device intercepts the
IGMP packets exchanged between hosts and the upstream device and builds a multicast
membership database from them. It then stands in for both sides, speaking IGMP to the upstream
device on behalf of the hosts and to the hosts on behalf of the upstream device. To the upstream
device, the IGMP proxy device looks like a single host; to the downstream hosts, it looks like the
querier.

The IGMP proxy device has the following two kinds of interfaces:

 Host interface: the interface that connects the IGMP proxy device to the querier. It acts as a
host and responds to the querier's queries. When the first member joins a multicast group, or
the last member of a multicast group leaves, the interface sends a membership report or a
leave group message to the querier.
 Router interface: the interface that connects the IGMP proxy device to the downstream hosts.
It acts as a router: it sends general queries to the downstream hosts periodically, and after it
receives a leave group message it immediately sends a group-specific query to the
downstream hosts.

The working process of the IGMP proxy device

Figure 8-60 IGMP Proxying principle

Proxy query:

The IGMP proxy device sends general queries to the downstream hosts A and B. On receiving
them, host A and host B send membership reports announcing the multicast groups they want to
join, and the IGMP proxy device builds its group membership database from these reports.

When host A wants to leave a multicast group, it sends a leave group message. On receiving it,
the IGMP proxy device immediately sends a group-specific query to host A. If it receives no
membership report from host A within the maximum response time, it removes the router interface
connected to host A from that group's entry in the IGMP proxy table and stops forwarding the
group's multicast data to host A.

Proxy response:

When the IGMP proxy device receives a general query or a group-specific query from the querier,
it answers from the membership database it maintains itself; it does not forward the query to the
downstream hosts, wait for their responses, and only then respond to the querier. As shown in the
figure above, the querier sends general or group-specific queries to the IGMP proxy device, and
the IGMP proxy device responds according to its own IGMP proxy entries instead of forwarding
the queries to host A and host B.
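The following is an added example, not DPtech code, that models the proxy query and proxy response behaviour just described with one membership database: downstream reports and leaves update the database (a leave triggers a group-specific query with a timeout), the first join and last leave of a group are relayed upstream on the host interface, and an upstream query is answered from the database without ever being relayed downstream. Interface names, the maximum response time and the event sequence in run_scenario() are constructed for illustration; time is passed in explicitly instead of using real timers.

```python
"""IGMP proxying: one membership database serving both the proxy query and
the proxy response roles.

Added example for this manual section; it is not DPtech code. Interface
names, timing and the event sequence are constructed assumptions.
"""
from collections import defaultdict


class IgmpProxy:
    def __init__(self, host_iface, router_ifaces, max_response_time=1.0):
        self.host_iface = host_iface              # upstream side: behaves as a host
        self.router_ifaces = set(router_ifaces)   # downstream side: behaves as querier
        self.max_response_time = max_response_time
        self.db = defaultdict(set)   # group -> router interfaces with members
        self.pending = {}            # (iface, group) -> deadline of a group-specific query
        self.sent = []               # (iface, message, group): everything the proxy sent

    def _send(self, iface, message, group):
        self.sent.append((iface, message, group))

    # ---- proxy query: the router interfaces act as querier -----------------
    def send_general_queries(self):
        for iface in sorted(self.router_ifaces):
            self._send(iface, "general-query", None)

    def host_report(self, iface, group, now):
        """A downstream host reports membership of group on router interface iface."""
        if iface not in self.router_ifaces:
            raise ValueError("report received on a non-router interface: %s" % iface)
        self.pending.pop((iface, group), None)   # a report answers any pending query
        first_member = not self.db[group]
        self.db[group].add(iface)
        if first_member:
            # First member of this group anywhere: join upstream on the hosts' behalf.
            self._send(self.host_iface, "report", group)

    def host_leave(self, iface, group, now):
        """A downstream host sends a leave; ask whether anyone else is still there."""
        if iface in self.db.get(group, ()):
            self._send(iface, "group-specific-query", group)
            self.pending[(iface, group)] = now + self.max_response_time

    def tick(self, now):
        """Expire group-specific queries that got no report within max response time."""
        for (iface, group), deadline in list(self.pending.items()):
            if now >= deadline:
                del self.pending[(iface, group)]
                self.db[group].discard(iface)
                if not self.db[group]:
                    # Last member gone: leave the group upstream.
                    del self.db[group]
                    self._send(self.host_iface, "leave", group)

    # ---- proxy response: answer the upstream querier from the database -----
    def upstream_query(self, group=None):
        """Answer a general (group=None) or group-specific query from the database.
        The query is never relayed to the downstream hosts."""
        groups = [group] if group is not None else sorted(self.db)
        answered = [g for g in groups if self.db.get(g)]
        for g in answered:
            self._send(self.host_iface, "report", g)
        return answered


def run_scenario():
    """Two hosts join 239.1.1.1, host A leaves, then host B leaves (constructed)."""
    proxy = IgmpProxy("eth0", ["eth1", "eth2"])
    proxy.send_general_queries()
    proxy.host_report("eth1", "239.1.1.1", now=0.0)   # host A
    proxy.host_report("eth2", "239.1.1.1", now=0.0)   # host B
    proxy.host_leave("eth1", "239.1.1.1", now=1.0)    # host A leaves
    proxy.tick(now=2.5)                                # no report from A: eth1 pruned
    first_answer = proxy.upstream_query()              # querier asks; B still holds the group
    proxy.host_leave("eth2", "239.1.1.1", now=3.0)
    proxy.tick(now=4.5)                                # last member gone: leave upstream
    second_answer = proxy.upstream_query()
    return proxy, first_answer, second_answer


if __name__ == "__main__":
    proxy, a1, a2 = run_scenario()
    for entry in proxy.sent:
        print(entry)
    print("answers:", a1, a2)
```

Note that the upstream side only ever sees one report per group and one leave per group, however many hosts join and leave downstream; that is the reduction in IGMP traffic the section describes.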

The IGMP Proxying module provides three functions: enabling IGMP proxying, setting the host
interface, and setting the router interfaces.

Select Basic > Route Management > IPv4 Multicast > IGMP > IGMP Proxying from
navigation tree to enter the IGMP proxying page, as shown in the following figure.

Figure 8-61 IGMP Proxying

The IGMP Proxying configuration provides system configuration, host interface configuration
and router interface configuration.

 The system configuration allows you to enable the IGMP proxying function.
 The host interface configuration allows you to enable or disable the host interface and select
which interface plays that role.
 The router interface configuration allows you to enable or disable the router interface role on
each interface.

8.10.4.4 IGMP state

Select Basic > Route Management > IPv4 Multicast > IGMP > IGMP State from navigation
tree to enter the IGMP state page, as shown in the following figure.

Figure 8-62 IGMP state

The IGMP state module supports information query. The parameters of the IGMP state page are
shown in the following:

 No.: the sequence number of the IGMP state entry.
 Interface name: the IGMP interface name.
 Multicast group address: display the multicast group address.
 Multicast source address: display the multicast source address.
 Multicast group mode: display the multicast group mode.
 Multicast group type: display the multicast group type.

8.10.5 PIM

PIM (Protocol Independent Multicast) does not depend on any particular unicast routing protocol:
it uses whichever unicast routing protocols populate the unicast routing table. PIM has three
operation modes: PIM-DM, PIM-SM and PIM-SSM.

PIM-DM (PIM Dense Mode) is the dense-mode protocol-independent multicast routing protocol. It
builds a unidirectional, loop-free shortest path tree connecting the multicast source to the group
members by periodically flooding multicast data and pruning the branches that have no receivers
("flood and prune"). PIM-DM suits small networks in which the group members are relatively
dense.

PIM-SM (PIM Sparse Mode) is the sparse-mode protocol-independent multicast routing protocol.
It delivers multicast data by building a shared tree (RPT) rooted at the RP and shortest path trees
(SPT) rooted at the sources. It suits large-scale networks in which the group members are
relatively dispersed.

PIM-SSM (Source-Specific Multicast) is the solution for source-specific multicast. Because the
receivers know the location of the multicast source in advance, PIM-SSM can build the shortest
path tree directly between the multicast source and the receivers, which dispenses with the RP
discovery, RPT construction and source registration procedures of PIM-SM.

In a PIM-SSM environment, receivers use IGMPv3 to subscribe to a channel (S, G). The
receiver-side DR then sends (S, G) join messages hop by hop toward the multicast source. Every
router along the path creates an (S, G) entry, so a tree is built whose root is the multicast source
and whose leaves are the multicast receivers.

8.10.5.1 PIM

The PIM module provides the function of configuring BSR, static RP, candidate RP, SSM and
PIM interface.

Select Basic > Route Management > IPv4 Multicast > PIM > PIM from navigation tree to
enter the PIM page, as shown in the following figure.

Figure 8-63 PIM

The parameters of the candidate BSR configuration are shown in the following:

 Candidate BSR state: enable or disable the candidate BSR.
 Candidate BSR interface: set the interface whose address the candidate BSR uses.
 Candidate BSR hash mask length: set the hash mask length advertised by the candidate BSR.
Groups whose addresses share their first hash-mask-length bits hash to the same RP.
 Candidate BSR priority: set the candidate BSR priority.
The parameters of the static RP configuration are shown in the following:

 Static RP state: enable or disable the static RP.
 Static RP address: set the IP address of the static RP.
 Static RP service scope restriction: set the range of multicast groups that the static RP
serves.
The parameters of the candidate RP configuration are shown in the following:

 Candidate RP configuration: display the name of the interface acting as candidate RP.
 Candidate RP state: enable or disable the candidate RP.
 Candidate RP advertise period: set the interval between candidate RP advertisement
messages.
 Candidate RP priority: set the candidate RP priority. A lower value is preferred when the RP
for a group is selected.
 Candidate RP service scope: set the range of multicast groups that the candidate RP serves.
The parameters of the SSM configuration are shown in the following:

 SSM state: enable or disable the PIM-SSM function.
 SSM service scope: set the range of multicast groups handled as PIM-SSM.
The parameters of the PIM interface configuration are shown in the following:

 Interface name: display the name of the PIM interface.
 State: set the PIM working mode of the interface.
 Join/Prune period: set the interval between join/prune messages.
 Hello period: set the interval between PIM hello messages.
 DR priority: set the DR priority of the interface.
 BSR border: set whether the interface is a BSR border. Bootstrap messages are not
forwarded across a BSR border.
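The following is an added example, not DPtech code, showing how the candidate RP priority, the candidate RP service scope and the candidate BSR hash mask length interact when a router picks the RP for a group. It uses the hash function of RFC 4601 section 4.7.2: among the candidates whose service scope covers the group, the lowest priority value wins, a tie is broken by the highest hash value, and a remaining tie by the highest RP address. The candidate RPs, hash mask length and group addresses are constructed sample data, and the helper names are this example's own.

```python
"""Choosing the RP for a group from the candidate-RP set (RFC 4601 section 4.7.2).

Added example for this manual section; it is not DPtech code. The candidate
list, the hash mask lengths and the group addresses are constructed.
"""
import ipaddress


def hash_mask(mask_len):
    """Mask with the top mask_len bits set, as advertised by the BSR."""
    if not 0 <= mask_len <= 32:
        raise ValueError("hash mask length must be 0..32")
    return (0xFFFFFFFF << (32 - mask_len)) & 0xFFFFFFFF


def rp_hash(group, mask_len, candidate):
    """Value(G, M, C) = (1103515245 * ((1103515245 * (G & M) + 12345) XOR C) + 12345) mod 2^31."""
    g = int(ipaddress.IPv4Address(group))
    c = int(ipaddress.IPv4Address(candidate))
    inner = (1103515245 * (g & hash_mask(mask_len)) + 12345) ^ c
    return (1103515245 * inner + 12345) % (1 << 31)


def select_rp(group, candidates, mask_len):
    """candidates: iterable of (rp_address, priority, service_scope_prefix).
    Returns the selected RP address as a string, or None if no scope matches."""
    g = ipaddress.IPv4Address(group)
    eligible = [(addr, prio) for addr, prio, scope in candidates
                if g in ipaddress.ip_network(scope)]
    if not eligible:
        return None

    def rank(entry):
        addr, prio = entry
        # lower priority value preferred, then higher hash, then higher address
        return (-prio, rp_hash(group, mask_len, addr), int(ipaddress.IPv4Address(addr)))

    return max(eligible, key=rank)[0]


def group_to_rp_map(groups, candidates, mask_len):
    """Show how the hash mask length spreads consecutive groups over the RPs."""
    return {g: select_rp(g, candidates, mask_len) for g in groups}


# Constructed sample: two equal-priority RPs for the whole 224/4 range and a
# preferred (priority 0) RP that serves only the 239.1.0.0/16 scope.
SAMPLE_CANDIDATES = (
    ("10.0.0.1", 192, "224.0.0.0/4"),
    ("10.0.0.2", 192, "224.0.0.0/4"),
    ("10.0.0.3", 0, "239.1.0.0/16"),
)

if __name__ == "__main__":
    groups = ["239.2.0.%d" % i for i in range(8)]
    for mask_len in (30, 32):
        print("hash mask length", mask_len, group_to_rp_map(groups, SAMPLE_CANDIDATES, mask_len))
    print("239.1.5.5 ->", select_rp("239.1.5.5", SAMPLE_CANDIDATES, 30))
```

Running the block with hash mask length 30 shows groups being assigned to the two equal-priority RPs in blocks of four consecutive addresses, and with length 32 individually; a candidate RP with a lower priority value takes every group in its service scope regardless of the hash.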

8.10.5.2 Administrative scoping

A PIM-SM domain can be divided into a Global domain and several administrative scopes. An
administrative scope is a logical domain that provides multicast service for a specific range of
multicast groups. Administrative scoping relieves the management burden on a single BSR in the
domain and allows finer-grained management.

The Global domain covers all routers, whether inside or outside the administrative scopes, and
serves the multicast groups that do not belong to any administrative scope. Multicast data
belonging to the Global domain can be forwarded throughout the Global domain.
An administrative scope serves only its specific multicast groups. Multicast data belonging to an
administrative scope cannot be forwarded outside that scope. Each administrative scope
maintains its own BSR, and RP election in different administrative scopes is independent.

Figure 8-64 Administrative principle

As shown above, all routers in the network belong to the Global domain. Router B and router C
belong to administrative scope 1; router D and router E belong to administrative scope 2.
Multicast source 2 sends data for group 239.0.0.1, which administrative scope 1 serves, inside
administrative scope 1; multicast source 3 sends data for group 236.1.1.1, which administrative
scope 2 serves, inside administrative scope 2. In the Global domain, the 236.1.1.1 multicast data
sent by multicast source 1 can cross administrative scope 1, which does not serve that group, and
reach receiver 1.

Select Basic > Route Management > IPv4 Multicast > PIM > Administrative Scoping from
navigation tree to enter the administrative scoping page, as shown in the following figure.

Figure 8-65 Administrative scoping

The parameters of the administrative scoping page are shown in the following:

 The system configuration allows you to enable BSR administrative scoping.
 The Global domain configuration allows you to enable the Global domain and set its hash
mask length and priority.
 The administrative scope configuration allows you to set the multicast group range of each
administrative scope and its hash mask length and priority.

8.10.5.3 PIM state

The PIM state module provides the function of displaying interface’s PIM state.

Select Basic > Route Management > IPv4 Multicast > PIM > PIM State from navigation tree
to enter the PIM state page, as shown in the following figure.

Figure 8-66 PIM state

The parameters of the PIM state page are shown in the following:

 No.: display the sequence number of the PIM state entry.
 Interface name: display the interface that connects to the PIM neighbor.
 Neighbor address: display the IP address of the PIM neighbor.
 DR priority: display the DR priority of the interface.
 State: display the interface state.

8.10.5.4 E-BSR state

The E-BSR state page provides the function of displaying E-BSR state of administrative scoping.

Select Basic > Route Management > IPv4 Multicast > PIM > E-BSR State from navigation
tree to enter the E-BSR state page, as shown in the following figure.

Figure 8-67 E-BSR state

The E-BSR state page allows you to query the BSR state list by clicking the Search button. The
parameters of the E-BSR state page are shown in the following:

 Elected E-BSR address: display the IP address of the elected BSR.
 Domain: display the administrative scope to which the elected BSR belongs.
 Priority: display the priority of the elected BSR.
 Hash mask length: display the hash mask length of the elected BSR.

8.10.5.5 RP state

The RP state page allows you to query the multicast group information that RP corresponds to.

Select Basic > Route Management > IPv4 Multicast > PIM > RP State from navigation tree to
enter the RP state page, as shown in the following figure.

Figure 8-68 RP state

You can query the RP information by multicast group address:

(1) In the Query group address field, enter the multicast group address whose RP you want to
look up.

(2) Click the Search button. The RP information corresponding to that multicast group is displayed.

8.10.6 MSDP

8.10.6.1 MSDP introduction

In a PIM-SM domain, a multicast source registers only with the RP of its own domain, so an RP
knows nothing about the sources in other PIM-SM domains and multicast data cannot be
delivered across domains. MSDP solves this problem.

MSDP (Multicast Source Discovery Protocol) is an inter-domain multicast protocol. To connect
the RPs of the different domains, suitable routers are chosen to establish MSDP peerings and
exchange SA (Source-Active) messages that share multicast source information between the
peers, so that multicast data can be delivered across domains along an inter-domain multicast
distribution tree.

Take the following figure as an example. The working procedure of MSDP is as follows:

Figure 8-69 The working procedure of MSDP

1. Constructing the RPT
Receiver 2 wants to join multicast group G and sends an IGMP membership report to router C.
Router C, as the DR on the receiver 2 side, receives the report and sends a (*, G) join message
toward RP2 of the PIM-SM2 domain, establishing an RPT whose root is router D (RP2) and
whose leaf is receiver 2.
2. Source registration
Multicast source 1 sends multicast data to multicast group G. Router A, the source-side DR
directly connected to multicast source 1, encapsulates the received multicast data in register
messages and sends them to RP1 to register the source in the PIM-SM1 domain.
3. SA information exchange
Router B, the RP of the PIM-SM1 domain, learns of multicast source 1 when it receives the
register messages from router A, and periodically sends SA messages to its MSDP peer to share
the source information. Router D, as router B's peer, learns of multicast source 1 from the SA
messages.
4. Constructing the SPT
Router D, the RP of the PIM-SM2 domain, checks whether its domain has receivers for multicast
group G after it learns of multicast source 1. Since receiver 2 wants the data of group G, router D
sends (S, G) join messages hop by hop toward multicast source 1, establishing an SPT whose
root is multicast source 1 and whose leaf is router D (RP2).
5. Cross-domain delivery
The multicast data is delivered to router D (RP2) along the SPT and then to receiver 2 along the
RPT, achieving cross-domain delivery of multicast data.

8.10.6.2 MSDP configuration

The MSDP module allows you to configure the MSDP parameters: enabling MSDP, the SA create
policy, and the MSDP peer configuration.

Select Basic > Route Management > IPv4 Multicast > MSDP > MSDP from navigation tree to
enter the MSDP page, as shown in the following figure.

Figure 8-70 MSDP

The parameters of each configuration are shown in the following:

 In the system configuration, you enable the MSDP function. Its advanced configuration
includes Encapsulate Data Message, Configure SA-RP Address, Enable SA-Cache, The Max
Num of SA-Cache, and Peer Connect Retry Period.
 In the SA create policy, click the Enable button to enable the policy. For the SA create policy
range, you configure the source address, source address mask, group address and group
address mask, which limit the sources and groups for which the device originates SA
messages.
 In the MSDP peer configuration, you set the peer address, interface, SA policy limit, send SA
request, SA request filter, SA request filter limit, advanced configuration and status. The
advanced configuration allows you to set the neighbor AS, mesh group and static RPF peer.
The peer state module provides the function of displaying MSDP peer state.

Select Basic > Route Management > IPv4 Multicast > MSDP > Peer state from navigation
tree to enter the peer state page, as shown in the following figure.

Figure 8-71 Peer state

The parameters of the peer state page are shown in the following:

 No.: display the sequence number of the MSDP peer.
 Peer address: display the IP address of the MSDP peer.
 State: display the state of the MSDP peer, one of DISABLED, INACTIVE, LISTEN,
CONNECTING and ESTABLISHED.

8.10.6.3 Cache state

The cache state module displays the SA cache, including the source address, group address and
RP address.

Select Basic > Route Management > IPv4 Multicast > MSDP > Cache state from navigation
tree to enter cache state page, as shown in the following figure.

Figure 8-72 Cache state

The parameters of the cache state page are shown in the following:

 No.: display the sequence number of the SA cache entry.
 Source address: display the source address of the group.
 Group address: display the multicast group address.

8.10.7 Multicast VPN

Multicast VPN is a multicast transport technology for MPLS L3VPN networks. It is implemented
mainly with the MD (Multicast Domain) scheme. The MVRFs (multicast VRFs) that belong to the
same VPN instance exist on different PEs; multicast VPN adds these MVRFs to a domain
identified by a share-group address and builds multicast tunnels between them. Private-network
multicast packets are encapsulated into public-network multicast packets and carried across the
public network through these multicast tunnels.

The multicast VPN realization procedure is shown in the following:

Figure 8-73 Multicast VPN

The MVRFs that are distributed over different PEs and belong to the same VPN instance are
added to the same MD, and a share-group address is assigned to the MD as its public-network
multicast group address. As shown in the figure above, the MVRFs belonging to the same VPN
instance on PE1, PE2 and PE3 form the multicast domain.

The multicast tunnels connect the MVRFs of the same VPN instance on each device in the
multicast domain and provide the channel over which private-network multicast packets are
carried across the public network. In actual forwarding, the private-network packets are
encapsulated in public-network multicast packets and transmitted along the MDT (Multicast
Distribution Tree) built in the public network. As shown in the figure above, the white arrows
represent the multicast tunnels established between the MVRFs on the PEs in the multicast
domain.

Two kinds of multicast distribution trees are built for the MVRFs of the same VPN instance: the
Share-MDT and the Switch-MDT. Along the Share-MDT, private-network multicast packets are
encapsulated in public-network multicast packets whose destination address is the share-group
address. Because all private-network multicast packets of the same VPN instance are sent along
the Share-MDT, every PE in the domain receives them, whether or not it has a connected receiver.
Therefore, when the rate at which a PE injects data into the public network exceeds the threshold,
that PE, as the source, sends a distribution tree switchover notification to the PEs that belong to
the VPN instance in the multicast domain, and switches the multicast distribution tree from the
Share-MDT to a Switch-MDT. After the switch, the private-network multicast data is encapsulated
in public-network multicast packets whose destination address is an unused switch-group
address and is delivered along the Switch-MDT to the receivers. Switching from the Share-MDT
to the Switch-MDT reduces the CPU consumption of the P devices (the backbone routers) and
stops delivering traffic to PEs without receivers. As shown in the figure above, the dark blue
arrows represent the Share-MDT established between the PEs. Even if PE2 has no connected
receiver, it still receives the multicast data that PE1 and PE3 forward along the Share-MDT. Once
the traffic from PE1 and PE3 into the public network exceeds the threshold, the Share-MDT is
switched to the Switch-MDT represented by the red arrows, and PE2 no longer receives the
multicast data from PE1 and PE3.

Select Basic > Route Management > IPv4 Multicast > Multicast VPN from navigation tree to
enter multicast VPN page, as shown in the following figure.

Figure 8-74 Multicast VPN

The parameters of the multicast VPN configuration are shown in the following:

 Multicast tunnel: the name of the multicast tunnel.
 PIM enabling status: PIM-SM, PIM-DM or disabled.
 Default group: the share-group address, used as the destination address of the
public-network packets that carry the private-network multicast along the Share-MDT.
 Translation group: the switch-group address, used as the destination address of the
public-network packets that carry the private-network multicast after the switch to the
Switch-MDT.
 MTunnel address: the address of the multicast tunnel, in dotted-decimal format.

8.10.8 Multicast source proxying

Multicast source proxying receives multicast data on different interfaces and forwards all of it out
of one fixed outbound interface.

Select Basic > Route Management > IPv4 Multicast > Multicast Source Proxying from
navigation tree to enter multicast source proxying page, as shown in the following figure.

Figure 8-75 Multicast source proxying

Click the Enable Multicast Source Proxying button to enable multicast source proxying, then set
the outbound interface for the multicast data.

8.10.9 Multicast static routing

A static multicast route is used only for the RPF check; it does not itself direct the forwarding of
multicast data. It takes effect only on the router where it is configured: it is not advertised by any
routing protocol and cannot be imported from other routers. Once static multicast routes are
configured, the router consults both the unicast routing table and the static multicast routing table
when it performs the RPF check and selects the best route as the RPF route. The router then
forwards multicast data according to the multicast routing table built from the RPF results.
Because RPF accepts a source's packets only on the interface that leads back to that source, a
static multicast route also determines on which interface the device will accept that source's
multicast traffic.

Select Basic > Route Management > IPv4 Multicast > Multicast Static Routing from
navigation tree to enter multicast static routing page, as shown in the following figure.

Figure 8-76 Multicast static routing

The parameters of the static multicast routing configuration are shown in the following:

 Multicast source address: set the multicast source IP address and mask.
 Interface name: set the interface connected to the RPF neighbor.
 Neighbor address: set the IP address of the RPF neighbor.
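The following is an added example, not DPtech code, of the RPF lookup described above: for a source address it takes the longest match in the unicast table and the longest match in the static multicast routing table, uses the more specific one as the RPF route, and then accepts a source's multicast packets only on that RPF interface. The tables, interface names and addresses are constructed sample data, and the rule that a static multicast route wins a tie of equal prefix length is an assumption of this example, not something the page states.

```python
"""RPF check using the unicast routing table together with static multicast routes.

Added example for this manual section; it is not DPtech code. The routing
tables, interfaces, addresses and the tie-break rule are constructed.
"""
import ipaddress

# Constructed unicast routing table: (prefix, outgoing interface, next hop)
UNICAST_RIB = (
    ("10.1.0.0/16", "eth1", "10.1.0.254"),
    ("0.0.0.0/0", "eth0", "192.0.2.1"),
)

# Constructed static multicast routing table: (source prefix, interface, RPF neighbor).
# It steers the RPF check for sources in 10.1.5.0/24 to eth2, although unicast
# traffic to those addresses would leave via eth1.
STATIC_MROUTES = (
    ("10.1.5.0/24", "eth2", "10.9.9.1"),
)


def _longest_match(addr, table):
    best = None
    for prefix, iface, neighbor in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, neighbor)
    return best


def rpf_route(source, unicast=UNICAST_RIB, mroutes=STATIC_MROUTES):
    """Return (table, rpf_interface, rpf_neighbor, prefix) for the source, or None."""
    src = ipaddress.ip_address(source)
    u = _longest_match(src, unicast)
    m = _longest_match(src, mroutes)
    # Assumption: the more specific prefix wins; a static mroute wins a tie.
    if m is not None and (u is None or m[0].prefixlen >= u[0].prefixlen):
        return ("static-mroute", m[1], m[2], str(m[0]))
    if u is not None:
        return ("unicast", u[1], u[2], str(u[0]))
    return None


def rpf_check(source, in_iface, unicast=UNICAST_RIB, mroutes=STATIC_MROUTES):
    """True if multicast from source arriving on in_iface passes the RPF check."""
    route = rpf_route(source, unicast, mroutes)
    return route is not None and route[1] == in_iface


def filter_packets(packets, unicast=UNICAST_RIB, mroutes=STATIC_MROUTES):
    """Split (source, group, in_iface) packets into accepted and RPF-dropped lists."""
    accepted, dropped = [], []
    for src, group, in_iface in packets:
        target = accepted if rpf_check(src, in_iface, unicast, mroutes) else dropped
        target.append((src, group, in_iface))
    return accepted, dropped


# Constructed sample traffic: the same (source, group) arriving on different interfaces.
SAMPLE_PACKETS = (
    ("10.1.5.7", "239.1.1.1", "eth2"),    # static mroute says eth2: accepted
    ("10.1.5.7", "239.1.1.1", "eth1"),    # the unicast path, but the mroute overrides: dropped
    ("10.1.7.7", "239.1.1.1", "eth1"),    # only the unicast table matches: eth1 accepted
    ("203.0.113.9", "239.1.1.1", "eth1"), # default route points to eth0: dropped
)

if __name__ == "__main__":
    accepted, dropped = filter_packets(SAMPLE_PACKETS)
    print("accepted:", accepted)
    print("dropped :", dropped)
```

The dropped entries are the point of the check: a packet claiming a source it cannot have arrived from on that interface, whether from a loop or from a host injecting traffic with a spoofed source, is discarded before it reaches the multicast forwarding table.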

8.10.10 Multicast routing table

8.10.10.1 Multicast routing table

The multicast routing table module provides the functions of displaying the multicast routing
table, including group address, multicast source address, incoming interface and outgoing
interface information.

Select Basic > Route Management > IPv4 Multicast > Multicast Routing Table from
navigation tree to enter multicast routing table page, as shown in the following figure.

Figure 8-77 Multicast routing table

The parameters of the multicast routing table are shown in the following. You can click the
Search button to refresh it.

 No.: display the sequence number of the multicast routing table entry.
 Group address: display the multicast group address.
 Source address: display the multicast source address that corresponds to the multicast
group.
 Incoming interface: display the incoming interface of the multicast group traffic.
 Outgoing interface: display the outgoing interface of the multicast group traffic.

8.10.10.2 PIM multicast routing table

The PIM multicast routing table module provides the functions of displaying PIM multicast
routing table entries, including (*, G) / (S, G), RP, flag bit, incoming interface, upstream neighbor,
outgoing interface.

Select Basic > Route Management > IPv4 Multicast > Multicast Routing Table > PIM
Multicast Routing Table from navigation tree to enter PIM multicast routing table page, as
shown in the following figure.

Figure 8-78 PIM multicast routing table

The parameters of PIM multicast routing table are shown in the following. You can click the
search button to refresh it.

 (*, G) / (S, G): display the PIM entry in (*, G) or (S, G) notation.
 RP: display the RP that corresponds to the PIM table.
 Flags: display the flag bit of the PIM entry.
 Incoming interface: display the incoming interface of multicast traffic.
 Upstream neighbor: display the PIM neighbor’s IP address of upstream device.
 Outgoing interface: display the outbound interface of multicast traffic.

8.10.10.3 IGMP multicast routing table

The IGMP multicast routing table module provides the function of displaying IGMP routing table
entries, including (*, G) and outgoing interface information.

Select Basic > Route Management > IPv4 Multicast > Multicast Routing Table > IGMP
Multicast Routing Table from navigation tree to enter IGMP multicast routing table page, as
shown in the following figure.

Figure 8-79 IGMP multicast routing table

The parameters of the IGMP multicast routing table are shown in the following. You can click the
Search button to refresh it.

 No.: display the sequence number of the IGMP routing table entry.
 (*, G): display the IGMP entry in (*, G) notation.
 Outgoing interface: display the outgoing interface of the multicast traffic.

8.10.10.4 IGMP proxying routing table

The IGMP proxying routing table module provides the function of displaying IGMP proxying
routing table, including (*, G) / (S, G), incoming interface and outbound interface information.

Select Basic > Route Management > IPv4 Multicast > Multicast Routing Table > IGMP
Proxying Routing Table from navigation tree to enter IGMP proxying routing table page, as
shown in the following figure.

Figure 8-80 IGMP proxying routing table

The parameters of IGMP proxying multicast routing table are shown in the following. You can
click the search button to refresh it.

 (*, G) / (S, G): display the IGMP proxying entry in (*, G) or (S, G) notation.
 Incoming interface: display the incoming interface of multicast traffic.
 Outgoing interface: display the outgoing interface of multicast traffic.

8.11 IPv6 multicast routing


IPv6 multicast inherits the low latency, low bandwidth consumption and scalability of IPv4
multicast, and adds the following advantages:

 A large address space. The expanded and better-structured multicast address space improves
routing efficiency and data throughput, and meets the needs of high-volume transmission in
video applications.
 High bandwidth utilization. The scope field of the IPv6 multicast address distinguishes
intra-domain from inter-domain multicast, so multicast data can be delivered efficiently within
a domain without congesting slow inter-domain links. The better bandwidth utilization favours
high-bandwidth applications such as large-scale video conferencing.
 Stable multicast transmission quality. The IPv6 header reserves a 20-bit flow label field,
which lets network devices prioritize video and audio streams and so improves the quality of
multicast delivery.
 Higher multicast transmission security. IPsec is an integral part of the IPv6 architecture, and
its security services can authenticate and encrypt multicast traffic. Note that protecting
multicast with IPsec requires a group key management mechanism, because the pairwise
IKE negotiation used for unicast does not apply to a group.

Before you configure the IPv6 multicast function, you must enable IPv6 forwarding in the basic
configuration.

8.11.1 Basic configuration

The basic configuration module provides the function of enabling / disabling IPv6 multicast on
the interface and set the multicast border of the interface.

Select Basic > Route Management > IPv6 Multicast > Basic Configuration from navigation
tree to enter the basic configuration page, as shown in the following figure.

Figure 8-81 Basic configuration

The parameters of the interface configuration are shown in the following:

 Interface name: display the name of the interface.
 State: enable or disable the IPv6 multicast function on the interface.
 Multicast border: set the multicast group address and mask of the IPv6 multicast data that
the interface will not forward, making the interface a boundary for those groups.

8.11.2 MLD Snooping

8.11.2.1 MLD Snooping

MLD Snooping is an IPv6 multicast control mechanism. By snooping the MLD messages
exchanged between hosts and routers, it maintains a Layer 2 multicast forwarding table and limits
how far IPv6 multicast spreads at Layer 2. MLD Snooping saves bandwidth and improves
multicast security, because multicast data is delivered only to the ports with members instead of
being flooded to every port in the VLAN.

The device with MLD Snooping enabled automatically snoops the MLD messages between the
router and the hosts and performs the following two tasks:

 Learns router port and port member. The router port is toward upstream multicast device,
which is learned by MLD Snooping device from general query message and IPv6 PIM Hello

Copyright © Hangzhou DPtech Technologies Co., Ltd. 8-74


DPtech FW1000 Series Application Firewall User Manual v5.0.docx

learning message; The member port is toward the downstream device, which is learned by
MLD Snooping device membership report message.
 Establish the mapping relationship between multicast MAC address and member port.
When the multicast data is received, the MLD Snooping device determines the forwarding
path of the message according to the mapping relationship.
Besides dynamic learning, you can configure the static router port. The static member port can
be configured according to the mapping relationship between multicast MAC address and
member port.

The working procedure of MLD Snooping is shown in below figure.

Figure 8-82 The working procedure of MLD Snooping

On switch A, the port facing the router is the router port, and the port facing switch B is a
member port. On switch B, the port facing switch A is the router port, and the port facing host C
is a member port. Switch A and switch B both run MLD Snooping: after receiving IPv6 multicast
data on their router ports, they forward it to their member ports only. Because the port on switch
A facing host A is not a member port, the IPv6 multicast data is not forwarded to host A.

The MLD Snooping module provides the function of enabling MLD Snooping and allows the user to
configure VLAN interface information.

Select Basic > Route Management > IPv6 Multicast > MLD Snooping > MLD Snooping from
navigation tree to enter the MLD snooping page, as shown in the following figure.


Figure 8-83 MLD Snooping

The system configuration allows the user to enable the MLD Snooping function. In the advanced
configuration, the user can configure the router port aging timer and the member port aging
timer. The parameters of VLAN configuration are shown in the following:

 VLAN: display the VLAN ID.
 Status: select whether to enable MLD Snooping dynamic learning on the VLAN interface.
 Fast leave status: select whether to enable the fast leave function on the VLAN interface.
 Static configuration: group address / member port: set the mapping between a multicast
address and a member port.
 Static configuration: group MAC address / member port: set the mapping between a
multicast MAC address and a member port.
 Static configuration: router port: set the static router port.

8.11.2.2 Layer 2 unknown multicast drop

Layer 2 unknown multicast packets are multicast data packets that have no corresponding entry
in the IGMP Snooping forwarding table. When the Layer 2 unknown multicast drop function is
enabled, the switch forwards the unknown multicast packets it receives to the router port only and
does not broadcast them in the VLAN; if the switch has no router port, the packets are dropped
and not forwarded further. When the Layer 2 unknown multicast drop function is disabled, the
switch broadcasts unknown multicast packets in the VLAN to which they belong.

Select BASIC > Route Management > IPv6 Multicast > MLD Snooping > Layer 2 unknown
multicast drop from navigation tree to enter the Layer 2 unknown multicast drop page, as
shown in the following figure.


Figure 8-84 Layer 2 unknown multicast drop

8.11.2.3 MLD Snooping status

Select BASIC > Route Management > IPv6 Multicast > MLD Snooping > MLD Snooping
state from navigation tree to enter the MLD Snooping state page, as shown in the following
figure.

Figure 8-85 MLD Snooping status

The query condition can be All or a VLAN ID, that is, you can query the MLD Snooping routing
state information of all VLANs or of a specific VLAN.

The parameters of MLD Snooping state page are shown in the following:

 VLAN: display the VLAN ID.
 Router port: display the router port of the VLAN.
 MAC address: display the multicast MAC address.
 Member port: display the member port inside the VLAN.
 Group address: display the multicast IP address of the multicast group.
 Member port: display the member port that corresponds to the multicast group. Because
several multicast IP addresses may map to the same multicast MAC address, the member port
shown here is the one learned from membership report messages for the group address in the
previous column.
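The forwarding decision of the MLD Snooping sections above (router ports, member ports, the group-to-MAC mapping that lets several group addresses share one MAC entry, and the Layer 2 unknown multicast drop switch), as an added example that is not the device's own code; port names, VLAN ID and group addresses are constructed.

```python
"""Constructed example of the MLD Snooping forwarding decision described in the
MLD Snooping sections above. Port names, VLAN ID and group addresses are
constructed; this is a simplified model, not the device's own implementation."""
import ipaddress
from dataclasses import dataclass, field

# Constructed VLAN membership: every port that belongs to VLAN 10.
ALL_PORTS = {"ge0/1", "ge0/2", "ge0/3", "ge0/4"}


def ipv6_group_to_mac(group: str) -> str:
    """Map an IPv6 multicast group to its multicast MAC: 33:33 + the low 32 bits.

    Only 32 of the 128 address bits reach the MAC, so several IPv6 groups share
    one MAC entry; that is why the status page lists a member port per group
    address as well as per MAC address.
    """
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    return "33:33:" + ":".join(f"{b:02x}" for b in addr.packed[-4:])


@dataclass
class VlanSnoopingTable:
    """MLD Snooping state of one VLAN: router ports and group -> member ports."""
    vlan_id: int
    unknown_multicast_drop: bool = False
    router_ports: set = field(default_factory=set)
    members: dict = field(default_factory=dict)   # group address -> member ports

    def learn_router_port(self, port: str) -> None:
        """Router port, learned from an MLD general query or IPv6 PIM Hello."""
        self.router_ports.add(port)

    def learn_member(self, group: str, port: str) -> None:
        """Member port, learned from an MLD membership report for `group`."""
        self.members.setdefault(group, set()).add(port)

    def mac_entries(self) -> dict:
        """Layer 2 forwarding table: multicast MAC -> member ports of every group on it."""
        table = {}
        for group, ports in self.members.items():
            table.setdefault(ipv6_group_to_mac(group), set()).update(ports)
        return table

    def forward_ports(self, group: str, ingress: str) -> set:
        """Ports an IPv6 multicast frame for `group`, received on `ingress`, is sent to.

        Known MAC: its member ports plus the router ports.
        Unknown MAC, drop function on: router ports only (dropped if there are none).
        Unknown MAC, drop function off: flooded to the whole VLAN.
        The ingress port is never included.
        """
        known = self.mac_entries().get(ipv6_group_to_mac(group))
        if known is not None:
            out = known | self.router_ports
        elif self.unknown_multicast_drop:
            out = set(self.router_ports)
        else:
            out = set(ALL_PORTS)
        return out - {ingress}


def build_sample_table(drop_unknown: bool) -> VlanSnoopingTable:
    """Constructed state: router on ge0/1, listeners for ff15::1 on ge0/2 and ff15::2 on ge0/3."""
    table = VlanSnoopingTable(vlan_id=10, unknown_multicast_drop=drop_unknown)
    table.learn_router_port("ge0/1")
    table.learn_member("ff15::1", "ge0/2")
    table.learn_member("ff15::2", "ge0/3")
    return table


if __name__ == "__main__":
    t = build_sample_table(drop_unknown=True)
    for group in ("ff15::1", "ff1e::1", "ff15::99"):
        print(group, ipv6_group_to_mac(group), sorted(t.forward_ports(group, "ge0/1")))
```

Note that ff1e::1 is forwarded to ge0/2 although no host reported it: it shares the MAC entry of ff15::1, which is the ambiguity the status page's second Member port column resolves.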


8.11.3 MLD

8.11.3.1 MLD introduction

MLD (Multicast Listener Discovery Protocol) is an IPv6-based multicast group membership
management protocol. It is used to discover multicast listeners on the network segments directly
connected to IPv6 routers, and to establish and maintain group membership.

MLD messages are carried in ICMPv6 (Internet Control Message Protocol for IPv6) and use the
link-local address of the sending router as the source address. Because the hop limit of all MLD
messages is fixed at 1, MLD packets are forwarded only on the local link.

Currently, MLD has two versions: MLDv1 (RFC 2710) and MLDv2 (RFC 3810). The following
describes the working principle of MLDv1 and MLDv2.
1. MLDv1
MLDv1 was developed from IGMPv2, and its operating mechanism is basically the same as that
of IGMPv2. MLDv1 is mainly used for multicast group management in ASM mode.

Figure 8-86 MLDv1 working principle

(1) querier election

When there are multiple MLD routers on a network segment, all of them initially assume that they
are the querier and send MLD general query messages with the destination address FF02::1 to
all routers and hosts on the network segment. Every router that receives a general query
compares the source IPv6 address of the message with its own: the router with the smallest IPv6
address becomes the querier, and the other routers become non-queriers. Each non-querier then
starts an other querier present timer. If a non-querier receives a general query from the querier
before this timer (the querier conflict suppression time) expires, it resets the timer; otherwise a
new querier is elected. As shown in Figure 8-86, Router 1 and Router 2 both assume that they are
the querier and send MLD general queries to each other. The router with the smaller IPv6 address
becomes the querier, and Router 1 becomes the non-querier.

(2) Join multicast group

Joining a multicast group is divided into two cases: active join and response join.

 Active join: when a host wants to join an IPv6 multicast group, it actively sends an MLD
report with the destination address set to the IPv6 multicast group address, announcing that it
wishes to receive the data of that multicast group, without waiting for an MLD general query from
the querier. As shown in Figure 8-86, host A wishes to receive multicast packets from multicast
group G1 and sends an MLD report message for multicast group G1.
 Response join: the querier periodically sends MLD general queries to all hosts and routers
on the local network segment to check whether there are multicast listeners on the network. A
host on the network segment that wants to join a multicast group sends an MLD report as the
response. As shown in Figure 8-86, host B receives the MLD general query from the querier and
sends an MLD report for multicast group G2.
(3) Response suppression

Because all hosts and routers on the same network segment can receive the MLD report
messages sent by a host, as soon as one host sends a membership report announcing that it
joins a multicast group, the other hosts that join the same multicast group do not send a
membership report as a response. This mechanism is called response suppression. It helps to
reduce the amount of traffic on the local network segment. As shown in Figure 8-86, both host B
and host C want to join multicast group G2. Host C does not send a membership report because
host B has already sent an MLD report.

(4) Leave group

When a host wants to leave a multicast group, it sends an MLD leave group message. After
receiving the leave message, the querier sends MLD group-specific queries n times (the number
is determined by the robustness coefficient; the default is 2) to confirm whether the multicast
group still has members on the network segment. If the querier receives no MLD report for the
group from any host on the network segment within the specified maximum response time, it
considers that the multicast group has no members on the network segment and no longer
forwards the data of that multicast group. As shown in Figure 8-86, when host B sends an MLD
leave group message, the querier immediately sends MLD group-specific queries to all hosts on
the network segment.
2. MLDv2
MLDv2 was developed from IGMPv3. Compared with MLDv1, it adds the source filtering function,
so it can be used not only for multicast group management in ASM mode, but also for multicast
group management in SSM mode.

The source filtering function enables a host, when joining multicast group G, to explicitly request
to receive, or to reject, multicast data from specific IPv6 multicast sources.

Figure 8-87 Source filter

As shown in the above figure, host A wishes to receive multicast data from multicast sources S1
and S2, so it sends an MLD report message with an INCLUDE source record (S1, S2) to its directly
connected router C; router C forwards (S1, G) and (S2, G) to host A. Host B does not wish to
receive multicast data from multicast source S1, so it sends an MLD report message with an
EXCLUDE source record (S1) to its directly connected router D; router D forwards the (S2, G)
multicast stream to host B and does not forward the (S1, G) multicast stream to host B.
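The MLDv1 querier election (smallest link-local address wins) and the MLDv2 source filtering of Figure 8-87, as an added example that is not the device's own code. It also merges several listeners' INCLUDE / EXCLUDE records on one interface, which the figure does not show; that merging rule follows RFC 3810, and the router and source addresses are constructed.

```python
"""Constructed example of the two MLD decisions described above: the MLDv1
querier election (section 1) and MLDv2 source filtering (section 2,
Figure 8-87). The merging rule for several listeners on one interface follows
RFC 3810; router and source addresses are constructed, not the device's own code."""
import ipaddress


def elect_querier(router_addrs):
    """MLDv1: every router starts as querier; the numerically smallest link-local
    source address wins and the others become non-queriers."""
    addrs = [ipaddress.IPv6Address(a) for a in router_addrs]
    for a in addrs:
        if not a.is_link_local:
            raise ValueError(f"{a} is not a link-local address")
    return str(min(addrs))


def _sources(srcs):
    """Normalise a set of source addresses to canonical text form."""
    return {str(ipaddress.IPv6Address(s)) for s in srcs}


def interface_state(records):
    """Merge the MLDv2 records of all listeners of one group on one interface.

    records: list of (mode, sources) where mode is "INCLUDE" or "EXCLUDE".
    All INCLUDE  -> INCLUDE with the union of the requested sources.
    Any EXCLUDE  -> EXCLUDE with the intersection of the excluded sources,
                    minus any source some INCLUDE listener asked for.
    """
    includes = [_sources(s) for m, s in records if m == "INCLUDE"]
    excludes = [_sources(s) for m, s in records if m == "EXCLUDE"]
    wanted = set().union(*includes) if includes else set()
    if not excludes:
        return ("INCLUDE", wanted)
    blocked = set.intersection(*excludes)
    return ("EXCLUDE", blocked - wanted)


def forwards(state, source):
    """Does the router forward (source, G) on an interface in this state?"""
    mode, sources = state
    src = str(ipaddress.IPv6Address(source))
    return src in sources if mode == "INCLUDE" else src not in sources


# Constructed source addresses standing in for S1, S2 and a third source.
S1, S2, S3 = "2001:db8::1", "2001:db8::2", "2001:db8::3"


def figure_8_87():
    """Router C serves host A (INCLUDE S1, S2); router D serves host B (EXCLUDE S1)."""
    router_c = interface_state([("INCLUDE", {S1, S2})])
    router_d = interface_state([("EXCLUDE", {S1})])
    return {
        "C": {s: forwards(router_c, s) for s in (S1, S2, S3)},
        "D": {s: forwards(router_d, s) for s in (S1, S2, S3)},
    }


if __name__ == "__main__":
    print("querier:", elect_querier(["fe80::2", "fe80::1", "fe80::a"]))
    print(figure_8_87())
    # Hosts A and B behind the same router: EXCLUDE {} -> every source flows.
    print(interface_state([("INCLUDE", {S1, S2}), ("EXCLUDE", {S1})]))
```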

8.11.3.2 MLD

The MLD module provides the function of configuring MLD interface information.

Select BASIC > Route Management > IPv6 Multicast > MLD > MLD from navigation tree to
enter the MLD page, as shown in the following figure.

Figure 8-88 MLD

The parameters of interface configuration list are shown in the following:

 Interface name: display the interface name.
 Version: select the MLD version to enable on the interface, or disable MLD.
 Fast leave: enable / disable fast leave.
 General query interval: set the interval for sending MLD general queries.
 General query maximum response time: set the maximum response time after sending MLD
general query messages.
 Querier conflict suppression time: set the timeout of the other querier present timer.
 Group number limit: set the maximum number of multicast groups supported by the device.
 Static group: set a static join group. After the configuration, even if the interface does not
receive a group membership report for the multicast group, the device forwards the
multicast data of the multicast group to the downstream device connected to the interface.
 Group filtering: set the multicast IP address and source IP address of the multicast packets
filtered by the interface.

8.11.3.3 MLD state

The MLD state module displays the status of the IPv6 multicast groups on the network segments
directly connected to the device, including the interface name, multicast group address, multicast
source address, and multicast group mode.

Select Basic > Route Management > IPv6 Multicast > MLD > MLD state from navigation tree
to enter the MLD state page, as shown in the following figure.

Figure 8-89 MLD state

The MLD state module supports the query function. The parameters of the MLD state list are
shown in the following:

 Number: display the number of the MLD status entry.
 Interface name: display the MLD interface name.
 Multicast group address: display the IPv6 multicast group address.
 Multicast source address: display the multicast source address of the IPv6 multicast group.
 Multicast group mode: display the filtering mode of the IPv6 multicast group.


8.11.4 PIM

8.11.4.1 PIM introduction

IPv6 PIM (Protocol Independent Multicast for IPv6) uses the IPv6 unicast routing table generated
by any IPv6 unicast routing protocol to provide routing for IPv6 multicast.

IPv6 PIM includes IPv6 PIM-DM, IPv6 PIM-SM, and IPv6 PIM-SSM.

IPv6 PIM-SM (PIM Sparse Mode for IPv6) is the sparse mode of the IPv6 protocol-independent
multicast protocol. It forwards IPv6 multicast data by constructing a shared tree and shortest
path trees, which is suitable for large-scale networks in which the members are relatively
dispersed. It has seven working mechanisms: neighbor discovery, DR election, RP discovery,
RPT construction, IPv6 multicast source registration, SPT switching, and assertion.

(1) Neighbor discovery

In an IPv6 PIM domain, all multicast routers discover and maintain IPv6 PIM neighbors by
periodically sending IPv6 PIM hello packets.

(2) DR election

The DR (Designated Router) is elected by comparing the DR priority carried in the IPv6 PIM hello
messages or the size of the IPv6 link-local addresses of the routers. The DRs on the IPv6 multicast
source side and on the receiver side guide the forwarding of IPv6 multicast data on their local
network segments. The DR on the IPv6 multicast source side is responsible for sending register
messages to the RP; the DR on the receiver side is responsible for sending join / prune
messages.

(3) RP discovery

The RP is the convergence point of multicast data in the IPv6 PIM-SM domain and is responsible
for forwarding the data of several or all IPv6 multicast groups. It can be configured statically or
elected dynamically with the bootstrap mechanism. When the bootstrap mechanism is used, an
E-BSR (Bootstrap Router) must be elected. The main role of the E-BSR is to collect the
advertisements from the candidate RPs and to send bootstrap messages that encapsulate the RP
set. The RP set is a database of mappings between IPv6 multicast groups and RPs, aggregated
from the candidate RP advertisements collected by the E-BSR (each advertisement carries the
candidate RP address, its priority and the IPv6 multicast group range it serves). It instructs the
PIM routers to select the RP for a specific IPv6 multicast group.


Figure 8-90 RP discovery

As shown above, Router A, acting as the E-BSR, collects the advertisements from Router B,
Router C and Router D and aggregates them into the RP set. The RP set is advertised in bootstrap
messages to the entire IPv6 PIM-SM domain. Finally, the routers in the network can select the RP
for a specific IPv6 multicast group according to the information provided by the RP set.

(4) Construct RPT

Initially, IPv6 PIM-SM assumes that no router in the domain forwards data for an IPv6 multicast
group; IPv6 multicast data is forwarded only after a request is received. When a receiver wants to
join an IPv6 multicast group, it sends an MLD report to its directly connected DR. After receiving
the report, the DR sends a (*, G) join message hop by hop toward the RP. Each router the join
passes generates a (*, G) entry, which forms the RPT with the RP as the root and the receiver-side
DR as a leaf.

Figure 8-91 Construct RPT

As shown in the above figure, the receiver sends an MLD report message to its directly
connected router C. Router C, as the DR on the receiver side, sends a (*, G) join message hop by
hop toward the RP, forming the RPT with the RP as the root and the receiver as the leaf.

(5) IPv6 multicast source registration


In order to let the RP know the location of the IPv6 multicast source, the DR on the multicast
source side encapsulates the received IPv6 multicast data in register messages and sends them
in unicast through the register tunnel to the RP. The RP receives the register messages from the
register tunnel, decapsulates them, forwards the data along the RPT to the receivers of the IPv6
multicast data, and sends (S, G) join messages hop by hop toward the multicast source; each
router they pass generates an (S, G) entry, which forms the SPT with the multicast source as the
root and the RP as the leaf. After the SPT is established, the multicast data is sent directly to the
RP along the SPT. After receiving the multicast data forwarded along the SPT, the RP sends a
register stop message to the DR on the multicast source side through the register tunnel, and the
DR stops encapsulating the IPv6 multicast data. At this point, the IPv6 multicast source
registration process is complete.

Figure 8-92 IPv6 multicast source registration

As shown in the figure above, the IPv6 multicast source sends the first IPv6 multicast data to
Router A, which is the DR on the multicast source side. Router A encapsulates the IPv6 multicast
data in a register message and sends it through the register tunnel to Router E, which is the RP.
Router E decapsulates the received register message, forwards the data along the RPT to the
receiver, and sends (S, G) join messages hop by hop toward the IPv6 multicast source, forming
the SPT with the multicast source as the root and the RP as the leaf. When the multicast data is
forwarded along the SPT, the RP sends a register stop message through the register tunnel to
the DR on the multicast source side, and the DR stops encapsulating the multicast data. At this
point, the IPv6 multicast source registration is complete.

(6) SPT switching

After receiving the first IPv6 multicast data, the DR on the receiver side immediately initiates the
SPT switchover to reduce the burden on the RP and ensure that the IPv6 multicast data is
forwarded to the receiver along the shortest path. To do this, the DR on the receiver side sends
(S, G) join messages hop by hop toward the DR on the IPv6 multicast source side. Each router the
join passes automatically generates an (S, G) entry, forming the SPT with the multicast source as
the root and the receiver as the leaf. The IPv6 multicast data is then forwarded along both the
SPT and the RPT to the router where the SPT and RPT diverge. After receiving the IPv6 multicast
data forwarded along the SPT, that router discards the IPv6 multicast data forwarded along the
RPT, and the DR on the receiver side sends RPT prune messages hop by hop toward the RP.
After receiving the RPT prune message, the RP checks whether other receivers of the IPv6
multicast data exist. If there are no other receivers, the prune message is sent hop by hop
toward the multicast source, completing the switchover from RPT to SPT.

Figure 8-93 SPT switching

As shown in the above figure, Router C, acting as the DR on the receiver side, initiates the SPT
switchover immediately after receiving the first IPv6 multicast data and sends (S, G) join
messages toward the DR on the multicast source side, forming the SPT with the multicast source
as the root and the receiver as the leaf. Here Router C is both the router where the RPT and SPT
diverge and the DR on the receiver side. After receiving the IPv6 multicast data forwarded along
the SPT, Router C discards the IPv6 multicast data forwarded along the RPT and sends RPT
prune messages hop by hop. Router E, acting as the RP, receives the RPT prune message, finds
that the IPv6 multicast data has no other receivers, and sends prune messages hop by hop
toward the multicast source, finally completing the switchover from RPT to SPT.

(7) Assertion mechanism

When a device receives IPv6 multicast data on a downstream interface, it indicates that there is
another upstream device on that network segment. At this point, the assert mechanism starts:
the device sends assert messages out of the downstream interface and takes part in the election
of the sole upstream forwarder for the segment. The assert message carries the IPv6 multicast
source address, the IPv6 multicast group address, and the unicast route priority and metric of
the router sending the assert message toward the IPv6 multicast source.


Figure 8-94 Assertion mechanism

After receiving IPv6 multicast data from the multicast network, Router A and Router B both
forward the data to the local network segment, so Router C receives two identical copies of the
IPv6 multicast data, and Router A and Router B each receive, on their downstream interfaces, the
IPv6 multicast data sent by the other. At this point, the assert mechanism starts. Router A and
Router B send assert messages out of their downstream interfaces, in multicast mode, to the
routers on the local network segment. By comparing the parameters carried in the assert
messages, Router A and Router B elect the forwarder of the IPv6 multicast data on the local
network segment.
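The two comparisons the PIM-SM introduction describes, the DR election on a shared segment (mechanism 2) and the assert election of Figure 8-94 (mechanism 7), as an added example that is not the device's own code. The tie-break order follows RFC 7761 (PIM-SM); router names, priorities, metrics and link-local addresses are constructed.

```python
"""Constructed example of the two IPv6 PIM-SM elections described above: the DR
election on a shared segment (mechanism 2) and the assert election between two
upstream routers (mechanism 7, Figure 8-94). The tie-break rules follow
RFC 7761; router names, priorities, metrics and addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class PimHello:
    """What a PIM neighbor announces in its hello on the segment."""
    router: str
    link_local: str            # IPv6 link-local address of the PIM interface
    dr_priority: int = 1       # DR priority option of the hello
    has_priority: bool = True  # False if the hello carries no DR priority option


def elect_dr(hellos):
    """Highest DR priority wins; ties go to the highest link-local address.
    If any neighbor omits the priority option, only the addresses are compared."""
    use_priority = all(h.has_priority for h in hellos)

    def rank(h):
        addr = int(ipaddress.IPv6Address(h.link_local))
        return (h.dr_priority if use_priority else 0, addr)

    return max(hellos, key=rank).router


@dataclass(frozen=True)
class AssertMsg:
    """What an upstream router puts in its assert for (S, G) on the segment."""
    router: str
    address: str       # sender's address on the shared segment
    preference: int    # unicast route preference toward the source (lower is better)
    metric: int        # unicast route metric toward the source (lower is better)


def assert_winner(msgs):
    """Lower route preference wins; then lower metric; then the higher address."""
    def rank(m):
        return (-m.preference, -m.metric, int(ipaddress.IPv6Address(m.address)))

    return max(msgs, key=rank).router


def figure_8_94():
    """Router A and Router B both forward onto Router C's segment. With these
    constructed values Router A has the better route toward the source, so it
    wins the assert and stays the forwarder; Router B prunes its interface."""
    a = AssertMsg("Router A", "fe80::a", preference=10, metric=5)
    b = AssertMsg("Router B", "fe80::b", preference=20, metric=1)
    return assert_winner([a, b])


if __name__ == "__main__":
    print("DR:", elect_dr([PimHello("R1", "fe80::1", 1), PimHello("R2", "fe80::2", 10)]))
    print("assert winner:", figure_8_94())
```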

8.11.4.2 PIM

The IPv6 PIM module provides the functions of configuring candidate E-BSRs, static RPs,
candidate RPs, SSM, and PIM interfaces.

Select Basic > Route Management > IPv6 Multicast > PIM > PIM from navigation tree to enter
the PIM configuration page, as shown in the following figure.


Figure 8-95 PIM

The parameters of candidate E-BSR configuration are shown in the following:

 Candidate E-BSR state: enable / disable the candidate E-BSR.
 Candidate E-BSR interface: set the candidate E-BSR interface.
 Candidate E-BSR hash mask length: set the hash mask length of the candidate E-BSR.
 Candidate E-BSR priority: set the priority of the candidate E-BSR.
The static RP configuration parameters are as follows:

 Static RP state: enable / disable the static RP.
 Static RP address: set the address of the static RP.
 Static RP service range: set the range of IPv6 multicast groups served by the static RP.
The candidate RP configuration parameters are as follows:

 Candidate RP interface: display the candidate RP interface name.
 Candidate RP state: enable / disable the candidate RP.
 Candidate RP advertisement interval: set the interval for sending candidate RP
advertisements.
 Candidate RP priority: set the priority of the candidate RP.
 Candidate RP service range: set the range of IPv6 multicast groups served by the candidate
RP.
The SSM configuration parameters are as follows:

 SSM state: enable / disable PIM-SSM.
 SSM service range: set the service scope of PIM-SSM.
The parameters of interface configuration are shown in the following:

 Interface name: display the name of the PIM interface.
 State: set the PIM mode of the interface, including sparse mode and disabled.
 Join / Prune interval: set the interval for sending join / prune messages.
 Hello interval: set the interval for sending PIM hello packets.
 DR priority: set the DR priority.
 E-BSR boundary: set the E-BSR boundary.

8.11.4.3 PIM state

The PIM state module provides the ability to display the PIM state of the interface.

Select Basic > Route Management > IPv6 Multicast > PIM > PIM State from navigation tree to
enter the PIM state configuration page, as shown in the following figure.

Figure 8-96 PIM state

The query function queries PIM state information according to the query conditions. The
parameters of the PIM state list are shown in the following:

 Number: display the number of the PIM state entry.
 Interface name: display the interface name associated with the PIM neighbor.
 Neighbor address: display the IP address of the PIM neighbor.
 DR priority: display the DR priority of the interface.
 Neighbor relationship: indicate whether the PIM neighbor is the DR.

8.11.4.4 E-BSR

The E-BSR state module provides the function of displaying the selected E-BSR information.

Select Basic > Route Management > IPv6 Multicast > PIM > E-BSR State from navigation
tree to enter the E-BSR state page, as shown in the following figure.


Figure 8-97 E-BSR

You can query / refresh the E-BSR list by clicking the <Query> button. The parameters of the
E-BSR list are shown in the following:

 Preferred E-BSR address: display the IP address of the elected E-BSR.
 Priority: display the E-BSR priority.
 Hash mask length: display the hash mask length of the E-BSR.

8.11.4.5 RP state

The RP information module provides the function of querying the RP information corresponding
to the multicast group.

Select Basic > Route Management > IPv6 Multicast > PIM > RP State from navigation tree to
enter the RP state page, as shown in the following figure.

Figure 8-98 RP state

The query function queries the RP information according to the multicast group address.

(1) Enter the multicast group address that needs to be queried after the query group address.

(2) Click the <Query> button. The RP information list displays the RP information
corresponding to the specified multicast group address.

8.11.5 Multicast routing table

8.11.5.1 Multicast routing table

The multicast routing table module provides the functions of displaying IPv6 multicast routing
entries, including group address, multicast source address, inbound interface, and outbound
interface information.


Select Basic > Route Management > IPv6 Multicast > Multicast Routing Table > Multicast
Routing Table from navigation tree to enter the multicast routing table page, as shown in the
following figure.

Figure 8-99 Multicast routing table

The Query button refreshes the multicast routing table. The parameters of the multicast
routing table are shown in the following:

 Number: display the number of the multicast routing entry.
 Group address: display the multicast group address.
 Source address: display the multicast source address corresponding to the multicast group.
 Incoming interface: display the incoming interface of multicast group traffic.
 Outgoing interface: display the outgoing interface of multicast group traffic.

8.11.5.2 PIM multicast routing table

The PIM multicast routing table module provides the functions of displaying IPv6 PIM multicast
routing entries, including (*, G) / (S, G), RP, flag, incoming interface, upstream neighbor, and
outbound interface information.

Select BASIC > Route Management > IPv6 Multicast > Multicast Routing Table > Multicast
Routing Table from navigation tree to enter the multicast routing table page, as shown in the
following figure.

Figure 8-100 PIM multicast routing table

The Query button refreshes the PIM multicast routing table. The parameters of the PIM multicast
routing table are shown in the following:

 (*, G) / (S, G): display the PIM entry according to (*, G) / (S, G).
 RP: display the RP corresponding to the PIM entry.
 Flag: display the flag of the PIM entry.
 Incoming interface: display the incoming interface of multicast traffic.
 Upstream neighbor: display the IP address of the PIM neighbor on the upstream device.
 Outbound interface: display the outgoing interface of multicast traffic.


9 Network Protocol
9.1 DHCPv4
DHCP (Dynamic Host Configuration Protocol) is a UDP-based protocol used in LANs. DHCP is
commonly used in large local area networks for centralized management and IP address
distribution. It allows hosts in the network to obtain an IP address, gateway address, DNS server
address and other information, and it improves address utilization.

DHCP allocates host addresses dynamically using a client / server model. When the DHCP server
receives a request for IP address information from a network host, it sends the relevant address
to the host, so the addresses of the network hosts are allocated dynamically.

DHCP Relay (DHCPR), also called the DHCP relay agent, forwards DHCP packets between the
DHCP server and clients. If the DHCP client and server are not on the same subnet, a DHCP relay
agent is needed to transmit the DHCP request and response packets. Unlike normal routing, the
DHCP relay agent receives DHCP messages and generates new DHCP messages before forwarding
them, whereas normal routing is transparent and does not modify IP addresses. From the DHCP
client's point of view, the DHCP relay agent looks like a DHCP server; from the DHCP server's
point of view, the DHCP relay agent looks like a DHCP client.

9.1.1 DHCP

9.1.1.1 DHCP server

The DHCPv4 server configuration module provides the function of setting the parameters of
DHCPv4 address pool and importing / exporting configuration information.

Select Basic > Network Protocol > DHCPv4 > DHCPv4 server from navigation tree to enter
the DHCPv4 server page, as shown in the following figure.


Figure 9-1 DHCPv4 server configuration

After you enable the DHCPv4 server function, it is recommended to write the lease information.
Otherwise, the DHCPv4 address information is lost after the device reboots, and the device
cannot manage the hosts in the network through DHCPv4.

DHCPv4 address pool configuration and host configuration provide the functions of deleting all
address pools and deleting all host addresses. Host address configuration supports the query
function by host name, MAC address and IP address. It also supports conflict detection before
importing and exporting configurations.

The parameters of the DHCPv4 address pool configuration are as follows:

 Interface name: the interface on which the DHCPv4 server provides service.
 Address pool: the DHCPv4 address range, configured as a start IP and an end IP. Both must be in
the same network.
 Gateway address: the gateway address handed to DHCPv4 clients.
 Relay agent address: the address of the DHCPv4 relay agent that the server treats as legitimate
when it receives relayed requests.
 CAPWAP V4: the address of the wireless access controller (AC). When the client is an AP, this
option lets the AP locate its AC.
 Domain name server: the DNS server address handed to clients.
 WINS server: the WINS server IP address handed to clients; up to two can be configured.
 Domain name: the DNS domain name option, that is, the domain suffix a client appends when it
resolves an unqualified host name.


 Advanced options: the specific Option fields to include in DHCPv4 packets.
 Lease (minutes): the lease time, in minutes.
The addresses in the DHCPv4 host address configuration must lie within an address pool. When the
device receives a client's DHCPv4 packets, it checks whether the hostname option in the packet
matches the configured hostname; only when both the hostname and the MAC address match does the
device assign the configured IP address to that client. Both values are supplied by the client and are
not authenticated, so a host binding identifies a client but does not stop another host on the segment
from presenting the same hostname and MAC address.

9.1.1.2 DHCPv4 IP address table

The DHCPv4 IP address table module displays the addresses allocated by the DHCPv4 server,
including the host name, MAC address, IP address and lease time.

Select Basic > Network Protocol > DHCPv4 > DHCPv4 IP Address Table from navigation tree to
enter the DHCPv4 IP address table page, as shown in the following figure.

Figure 9-2 DHCPv4 IP address table

The parameters of the DHCPv4 address information list are as follows:

 No.: the serial number of the entry.
 Host name: the host name reported by the client.
 MAC address: the MAC address of the host that obtained an address from the DHCPv4 server.
 IP address: the IP address allocated to the host.
 Lease period: the lease period of the allocated IP address.

9.1.2 DHCPv4 relay agent configuration

Select Basic > Network Protocol > DHCPv4 > DHCPv4 Relay Agent Configuration from
navigation tree to enter the DHCPV4 relay agent configuration page, as shown in the following
figure.


Figure 9-3 DHCPv4 relay agent configuration

Enable the DHCPv4 relay function and set the DHCPv4 relay parameters, including the interface list
and the DHCPv4 server list.
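The following Python script is an added example (not DPtech code) that walks through the relay exchange described at the start of this chapter and the server-side use of the "Relay agent address": the relay fills giaddr with its client-facing address and unicasts the request to the configured servers; the server picks the pool that contains giaddr, serves only a relay it has been told is legitimate, and sends the offer back to that relay, which broadcasts it on the client segment. Only the fixed BOOTP header is modelled (no options); the addresses, pool, hop limit and the rule that the request must also arrive from the giaddr address are assumptions, not the device's implementation.

```python
"""DHCPv4 relay walk-through: client -> relay -> server -> relay -> client.

Added example, not DPtech code. Only the fixed BOOTP header (RFC 2131 section 2) and
the magic cookie are modelled; DHCP options are omitted. Addresses, pool range, hop
limit and the server's relay check are illustrative assumptions.
"""
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_MAGIC = b"\x63\x82\x53\x63"


def build_dhcp(op, xid, ciaddr="0.0.0.0", yiaddr="0.0.0.0", siaddr="0.0.0.0",
               giaddr="0.0.0.0", chaddr=b"\x00" * 6, hops=0):
    """Pack the 236-byte BOOTP header followed by the DHCP magic cookie."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, hops, xid, 0, 0x8000)  # flags: broadcast bit
    hdr += b"".join(ipaddress.IPv4Address(a).packed for a in (ciaddr, yiaddr, siaddr, giaddr))
    hdr += chaddr.ljust(16, b"\x00") + bytes(64) + bytes(128)        # chaddr, sname, file
    return hdr + DHCP_MAGIC

def parse_dhcp(pkt):
    """Return the header fields the relay and the server act on."""
    op, _htype, hlen, hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", pkt[:12])
    addrs = [str(ipaddress.IPv4Address(pkt[i:i + 4])) for i in range(12, 28, 4)]
    return {"op": op, "hops": hops, "xid": xid, "ciaddr": addrs[0], "yiaddr": addrs[1],
            "siaddr": addrs[2], "giaddr": addrs[3], "chaddr": pkt[28:28 + hlen]}

class Relay:
    """Relay agent: fills giaddr with its client-facing address and unicasts to each server."""

    def __init__(self, client_if_ip, servers, max_hops=4):
        self.client_if_ip, self.servers, self.max_hops = client_if_ip, list(servers), max_hops

    def from_client(self, pkt):
        p = parse_dhcp(pkt)
        if p["op"] != BOOTREQUEST or p["hops"] >= self.max_hops:
            return []                                    # not a request, or relayed too often
        out = bytearray(pkt)
        out[3] = p["hops"] + 1                           # hops counter
        if p["giaddr"] == "0.0.0.0":                     # the first relay on the path sets giaddr
            out[24:28] = ipaddress.IPv4Address(self.client_if_ip).packed
        return [(srv, bytes(out)) for srv in self.servers]

    def from_server(self, pkt):
        p = parse_dhcp(pkt)
        if p["op"] != BOOTREPLY or p["giaddr"] != self.client_if_ip:
            return None                                  # reply not meant for this relay
        return ("255.255.255.255", pkt)                  # client has no address yet: broadcast

class Server:
    """Server: selects the pool by giaddr and serves only the configured relay agents."""

    def __init__(self, server_ip, pools, legitimate_relays):
        self.server_ip, self.pools = server_ip, pools    # pools: [{"network", "start", "end"}]
        self.relays = set(legitimate_relays)             # the manual's "Relay agent address"
        self.leases = {}                                 # chaddr -> IPv4Address

    def handle(self, src_ip, pkt):
        p = parse_dhcp(pkt)
        if p["op"] != BOOTREQUEST or p["giaddr"] == "0.0.0.0":
            return None                                  # directly connected clients not modelled
        # Assumption: a relayed request must carry a configured giaddr AND arrive from that
        # address, so a host elsewhere cannot pull a lease out of a pool it is not on.
        if p["giaddr"] not in self.relays or src_ip != p["giaddr"]:
            return None
        gi = ipaddress.IPv4Address(p["giaddr"])
        pool = next((pl for pl in self.pools if gi in pl["network"]), None)
        if pool is None:
            return None
        if p["chaddr"] not in self.leases:
            lease = self.allocate(pool)
            if lease is None:
                return None                              # pool exhausted
            self.leases[p["chaddr"]] = lease
        reply = build_dhcp(BOOTREPLY, p["xid"], yiaddr=str(self.leases[p["chaddr"]]), siaddr=self.server_ip,
                           giaddr=p["giaddr"], chaddr=p["chaddr"], hops=p["hops"])
        return (p["giaddr"], reply)                      # unicast back to the relay agent

    def allocate(self, pool):
        used = set(self.leases.values())
        first, last = (ipaddress.IPv4Address(pool[k]) for k in ("start", "end"))
        return next((first + i for i in range(int(last) - int(first) + 1) if first + i not in used), None)

def make_server(server_ip="192.168.100.5", relay_ip="10.1.1.1"):
    pool = {"network": ipaddress.ip_network("10.1.1.0/24"), "start": "10.1.1.10", "end": "10.1.1.20"}
    return Server(server_ip, [pool], legitimate_relays=[relay_ip])

def run_exchange(client_mac=b"\x00\x11\x22\x33\x44\x55", relay_ip="10.1.1.1", server_ip="192.168.100.5"):
    """One DISCOVER/OFFER round trip through the relay; returns the parsed offers the client sees."""
    relay, server = Relay(relay_ip, [server_ip]), make_server(server_ip, relay_ip)
    discover = build_dhcp(BOOTREQUEST, xid=0x1234ABCD, chaddr=client_mac)   # client broadcast
    offers = []
    for _dst, relayed in relay.from_client(discover):
        answer = server.handle(src_ip=relay_ip, pkt=relayed)
        delivered = relay.from_server(answer[1]) if answer else None
        if delivered:
            offers.append(parse_dhcp(delivered[1]))
    return offers
```

Run `run_exchange()` to see the offer the client receives; `make_server().handle("10.1.1.99", ...)` shows a request relayed by an agent that is not the configured relay address being refused.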

9.2 DHCPv6

9.2.1 DHCPv6 server

9.2.1.1 DHCPv6 server configuration

The DHCPv6 server configuration module provides the functions of configuring the parameters of the
DHCPv6 address pool and importing/exporting the configuration.

Select Basic > Network Protocol > DHCPv6 > DHCPv6 Server > DHCPv6 Server
Configuration from navigation tree to enter the DHCPv6 server configuration, as shown in the
following figure.

Figure 9-4 DHCPv6 server configuration

The parameters of the DHCPv6 server configuration page are as follows:

 Enable DHCPv6 Server: enable the DHCPv6 server.
 Write lease (Recommended): whether the server saves lease information so that it survives a reboot.
 DHCPv6 address pool configuration: the parameters of the DHCPv6 address pool, including pool
name, address pool, DNS server, domain name, advanced options and lease (minutes).
The DHCPv6 server configuration module also provides file import and export. Click the Browse button
to set the file path, then click Append Import or Cover Import to import the DHCPv6 server
configuration from the selected file; click Export to export the DHCPv6 server configuration file.

9.2.1.2 DHCPv6 IP address table

Select Basic > Network Protocol > DHCPv6 > DHCPv6 Server > DHCPv6 IP Address Table
Configuration from navigation tree to enter the DHCPv6 IP address table configuration, as
shown in the following figure.

Figure 9-5 DHCPv6 IP address table

The DHCPv6 IP address table module provides the function of querying allocated IPv6 address
information, including No., client, DUID, IA_ID, IPv6 address, preferred lifetime, valid lifetime, lease
period and type.

9.2.2 DHCPv6 relay agent configuration

The DHCPv6 relay agent configuration module provides the function of setting the parameters of
DHCPv6 relay agent configuration.

Select Basic > Network Protocol > DHCPv6 > DHCPv6 Relay from navigation tree to enter the
DHCPv6 relay agent configuration page, as shown in the following figure.

Figure 9-6 DHCPv6 relay agent configuration

Enable the DHCPv6 relay function and set the DHCPv6 relay parameters, including the server
interface list, the client interface list and the DHCPv6 server list.


9.3 ARP
ARP (Address Resolution Protocol) resolves network layer (IP) addresses to data link layer (MAC)
addresses. It works as follows:

 When the source host and the destination host are in the same network segment, the source host
looks up the destination IP address in its local ARP cache. If no MAC address is found for it, the
source host broadcasts an ARP request to all hosts in the segment. The destination host receives
the request, finds that the requested IP address is its own, and sends an ARP reply containing its
IP address and MAC address back to the source host. On receiving the reply, the source host
learns the MAC address for the destination IP address and stores it in its local ARP cache.
Subsequent packets are forwarded directly according to the cached entry.
 When the source host and the destination host are in different network segments, the source host
looks up its local ARP cache and, if it finds no entry, first sends an ARP request for the gateway.
After receiving the gateway's ARP reply, the source host learns the gateway's MAC address,
encapsulates the packet and sends it to the gateway. The gateway then broadcasts an ARP request
on the destination segment with the destination host's IP address as the target, learns the
destination host's MAC address from its reply, and delivers the packet to the destination host.

9.3.1 ARP table

The ARP table module provides the function of viewing ARP entries and deleting ARP dynamic
entries according to the specified query conditions.

Select Basic > Network Protocol > ARP> ARP table from navigation tree to enter the ARP
table page, as shown in the following figure.


Figure 9-7 ARP table

The parameters of ARP table page are shown in the following:

 Searching condition: set the VLAN ID or port number to query and click Query; the matching ARP
entries are displayed at the bottom of the page. Click Search All to display all ARP entries.
 ARP entries: the ARP entries, including No., IP address, MAC address, VLAN ID, port and type.
Click Delete All Dynamic Entries to remove all dynamic entries from the ARP table.

9.3.2 ARP configuration

9.3.2.1 Static ARP configuration

The static ARP configuration module provides the function of configuring static ARP entries.

Select Basic > Network Protocol > ARP > ARP Configuration > Static ARP Configuration
from navigation tree to enter the static ARP configuration page, as shown in the following figure.

Figure 9-8 Static ARP configuration

The parameters of the static ARP configuration are as follows:

 No.: the serial number of the static ARP entry.
 IP address: the IP address of the static ARP entry.
 MAC address: the MAC address of the static ARP entry.
 VLAN ID: the VLAN ID the static ARP entry corresponds to.
 Port: the port the static ARP entry corresponds to.

9.3.2.2 ARP parameter configuration

The ARP parameter configuration module provides the function of setting the parameters of the
dynamic ARP table.

Select Basic > Network Protocol > ARP > ARP Configuration > ARP Parameter
Configuration from navigation tree to enter the ARP parameter configuration page, as shown in
the following figure.

Figure 9-9 ARP parameter configuration

The parameters of the ARP parameter configuration page are as follows:

 Enable ARP strict learning function: when enabled, the device does not create ARP entries from
received ARP request packets.
 Enable the ARP response interface UP function: when enabled, the device re-requests the ARP
entries related to an interface when that interface changes from down to up. This is mainly used for
VLAN interfaces: when a physical port changes from down to up, the device finds the VLAN
interface to which the port belongs and relearns all ARP entries of that VLAN interface.
 ARP aging time setting: the aging time of dynamic ARP entries. When the aging time is reached,
the dynamic entry is deleted. The default value is 1200 seconds; the range is 1 to 86400.
 ARP retransmission time setting: the interval between an ARP request and its retransmission when
no ARP reply is received. The default value is 5; the range is 1 to 300.
 Configuration of the maximum number of ARP detections: the number of ARP requests the device
sends without receiving a reply before it gives up. The default value is 60; the range is 1 to 100.


 Limit on the number of messages in each ARP cache: the maximum number of packets buffered in
each ARP cache (packets waiting for an address to be resolved). The default value is 3; the range is
0 to 1000.
 Limit on the total number of ARP cache messages: the maximum number of packets buffered across
all ARP caches. The default value is 100; the range is 0 to 1000.

9.3.2.3 Gratuitous ARP configuration

Gratuitous ARP packets are a special kind of ARP packet used to detect IP address conflicts and to
tell other devices to update their ARP tables. Both the sender IP address and the target IP address of
a gratuitous ARP packet are the sender's own IP address; the source MAC address is the sender's
MAC address and the destination MAC address is the broadcast address.

The gratuitous ARP configuration module provides the function of setting the parameters of
gratuitous ARP.

Select Basic > Network Protocol > ARP > ARP Configuration > Gratuitous ARP
Configuration from navigation tree to enter the gratuitous ARP configuration page, as shown in
the following figure.

Figure 9-10 Gratuitous ARP configuration

The parameters of the gratuitous ARP configuration page are as follows:

 Enable the gratuitous ARP learning function: when enabled, the device adds or updates ARP
entries from received gratuitous ARP packets; when disabled, the device only updates entries that
already exist and does not create new ones. Because any host on the segment can send
gratuitous ARP, leaving learning enabled lets such a host insert entries of its choosing into the
table; disabling it limits the effect to entries that already exist.
 No.: the serial number of the periodic gratuitous ARP sending entry.
 Interface: the interface from which gratuitous ARP packets are sent.
 Time interval (second): the interval at which gratuitous ARP packets are sent.
 Send flag: which addresses are announced: the interface's primary address and/or its secondary
addresses. Multiple options can be selected.
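The following Python script is an added example (not DPtech code) that puts section 9.3's request/reply mechanism, the strict learning option of 9.3.2.2 and the gratuitous ARP behaviour of 9.3.2.3 into working form: it builds and parses real Ethernet/ARP frames, resolves an address between two hosts, classifies gratuitous packets, applies the two learning switches, and records an IP conflict when another sender claims the host's own address. The hosts, addresses and the exact behaviour of the two switches are assumptions that model the text, not the device's implementation.

```python
"""ARP request/reply, strict learning and gratuitous ARP handling.

Added example, not DPtech code. Uses the Ethernet II + RFC 826 ARP layout; the hosts,
addresses and the two learning switches (strict_learning, learn_gratuitous) model the
options described in the text and are assumptions about their behaviour.
"""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC, NULL_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"


def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(s): return bytes(int(o) for o in s.split("."))
def ip_str(b): return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """14-byte Ethernet header + 28-byte ARP body. Requests are broadcast; replies go to the target."""
    eth_dst = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)          # Ethernet, IPv4, hlen 6, plen 4
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def build_gratuitous(mac, ip):
    """Sender IP == target IP, broadcast destination: announces or probes ownership of 'ip'."""
    return build_arp(ARP_REQUEST, mac, ip, NULL_MAC, ip)


def parse_arp(frame):
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]), "op": op,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}


def is_gratuitous(p):
    return p["sender_ip"] == p["target_ip"] and p["eth_dst"] == BROADCAST_MAC


class Host:
    """A host (or a firewall interface) with an ARP cache and the two learning switches."""

    def __init__(self, mac, ip, strict_learning=False, learn_gratuitous=True):
        self.mac, self.ip, self.cache, self.conflicts = mac, ip, {}, []
        self.strict_learning, self.learn_gratuitous = strict_learning, learn_gratuitous

    def resolve(self, target_ip):
        """Frame to send for target_ip, or None when the cache already has it."""
        if target_ip in self.cache:
            return None
        return build_arp(ARP_REQUEST, self.mac, self.ip, NULL_MAC, target_ip)

    def receive(self, frame):
        """Process one frame; returns the reply frame to send, if any."""
        p = parse_arp(frame)
        if p is None:
            return None
        if is_gratuitous(p):
            if p["sender_ip"] == self.ip and p["sender_mac"] != self.mac:
                self.conflicts.append(p["sender_mac"])            # someone else claims our IP
            elif self.learn_gratuitous or p["sender_ip"] in self.cache:
                self.cache[p["sender_ip"]] = p["sender_mac"]      # learning on: add; off: update only
            return None
        if p["op"] == ARP_REQUEST and p["target_ip"] == self.ip:
            if not self.strict_learning:                          # strict: never learn from requests
                self.cache[p["sender_ip"]] = p["sender_mac"]
            return build_arp(ARP_REPLY, self.mac, self.ip, p["sender_mac"], p["sender_ip"])
        if p["op"] == ARP_REPLY and p["target_ip"] == self.ip and p["target_mac"] == self.mac:
            self.cache[p["sender_ip"]] = p["sender_mac"]
        return None


def exchange(a, b, target_ip):
    """a resolves target_ip through b; returns the MAC a learned (or None)."""
    req = a.resolve(target_ip)
    reply = b.receive(req) if req is not None else None
    if reply is not None:
        a.receive(reply)
    return a.cache.get(target_ip)
```

`exchange(Host(...), Host(...), ip)` runs one resolution; a `Host` created with `learn_gratuitous=False` updates only entries it already holds, and `strict_learning=True` stops it from caching the requester when it answers.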


9.3.3 Basic defense of ARP

9.3.3.1 ARP scan and fixup

Data transmission within a LAN is based on MAC addresses rather than IP addresses. ARP (Address
Resolution Protocol) converts IP addresses into physical (MAC) addresses.

When host A wants to send a packet to host B, it looks up its local ARP cache and, if it finds the MAC
address corresponding to B's IP address, starts transmitting. If it is not found, A broadcasts an ARP
request (carrying A's own IP and MAC addresses) asking for the MAC address corresponding to B's IP
address. All hosts in the LAN, including B, receive the request, but only B recognizes its own IP
address, so it sends an ARP reply containing its MAC address back to A. A updates its local ARP
cache and then uses this MAC address to send data. The locally cached ARP table is therefore the
basis of all traffic on the segment, and the cache is dynamic.

ARP is stateless: a host does not only accept replies to requests it has sent. Whenever a computer
receives an ARP reply it updates its local ARP cache with the IP and MAC addresses in the reply. So if
machine B on the LAN sends A a forged reply that pretends to come from C, that is, with C's IP address
and a MAC address of B's choosing, A updates its cache after receiving it: from A's point of view C's IP
address has not changed, but its MAC address is no longer the real one. This is ARP spoofing.

There are two types of ARP spoofing: spoofing the gateway's ARP table, and spoofing the intranet
PCs about the gateway.

The first type intercepts gateway traffic. The attacker feeds the gateway a stream of incorrect MAC
addresses for internal hosts, repeating them at a certain frequency so that the real address
information can never be restored in the gateway's table. All traffic from the gateway is then sent to
the wrong MAC addresses and the legitimate PCs receive nothing. The second type forges the
gateway. The attacker sets up a fake gateway and tricks the PCs into sending their traffic to it instead
of to the real gateway. From the PC's point of view it simply cannot reach the Internet: "the network is
down" (and if the fake gateway forwards the traffic, it can read and modify it on the way).

DPtech equipment prevents ARP spoofing by binding IP addresses to MAC addresses, VLANs and
interfaces. In addition, the ARP learning function of an interface can be turned off, so that the
interface does not update its ARP cache even when it receives an ARP reply, which prevents ARP
spoofing through that interface. If a new host is added to the network, either enable the ARP learning
function temporarily or add the IP/MAC correspondence to the ARP cache manually.

Select Basic > Network Protocol > ARP > Basic Defense of ARP > ARP Scan and Fixup from
navigation tree to enter the ARP scan and fixup page, as shown in the following figure.

Figure 9-11 ARP scan and fixup

The list shows the ARP cache entries learned by the device. Dynamically learned entries can be added
to the static ARP table (fixed) or deleted from it.
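The following Python script is an added example (not DPtech code) that models the defences described above and the monitoring log of 9.3.3.4: static IP/MAC/VLAN/port bindings, ARP learning switched off on chosen interfaces, and a log of IP, real MAC, spoofed MAC and time. It replays a constructed set of ARP replies containing both spoofing types (poisoning the gateway's entry for a PC, and claiming the gateway's address) and shows that with bindings in place both are logged and blocked, while a dynamic entry on a learning-enabled interface is silently overwritten. The field names, topology and addresses are assumptions.

```python
"""ARP spoofing detection with IP/MAC/VLAN/port bindings and per-interface learning control.

Added example, not DPtech code. It models the defences the text lists (static bindings,
ARP learning switched off per interface, and a monitoring log of IP / real MAC / spoofed
MAC / time) over constructed ARP replies; field names and the sample topology are
assumptions, not the device's data model.
"""
from collections import namedtuple

Binding = namedtuple("Binding", "mac vlan port static")
ArpReply = namedtuple("ArpReply", "ts port vlan sender_ip sender_mac")
LogEntry = namedtuple("LogEntry", "ip real_mac spoofed_mac ts")


class ArpGuard:
    def __init__(self, learning_off=()):
        self.table = {}                        # ip -> Binding
        self.learning_off = set(learning_off)  # interfaces that never learn or update from ARP
        self.log = []

    def bind_static(self, ip, mac, vlan, port):
        self.table[ip] = Binding(mac, vlan, port, static=True)

    def process(self, r):
        """Apply one ARP reply to the table; returns the action taken."""
        known = self.table.get(r.sender_ip)
        if known is None:
            if r.port in self.learning_off:
                return "ignored"               # learning off: unknown IPs are not added
            self.table[r.sender_ip] = Binding(r.sender_mac, r.vlan, r.port, static=False)
            return "learned"
        if (known.mac, known.vlan, known.port) == (r.sender_mac, r.vlan, r.port):
            return "unchanged"
        if known.static or r.port in self.learning_off:
            # mismatch against a pinned entry: log it as spoofing and keep the real MAC
            self.log.append(LogEntry(r.sender_ip, known.mac, r.sender_mac, r.ts))
            return "spoof-blocked"
        # dynamic entry, learning on: the reply overwrites the cache. This is the window an
        # attacker uses; a static binding or switching learning off closes it.
        self.table[r.sender_ip] = Binding(r.sender_mac, r.vlan, r.port, static=False)
        return "overwritten"


# Constructed scenario: gateway 10.0.0.1 on ge0/1, PC 10.0.0.20 on ge0/2, attacker on ge0/3, VLAN 10.
GATEWAY_MAC, PC_MAC, ATTACKER_MAC = "00:10:00:00:00:01", "00:20:00:00:00:20", "de:ad:be:ef:00:03"
SAMPLE_REPLIES = [
    ArpReply(1.0, "ge0/2", 10, "10.0.0.20", PC_MAC),        # the PC answers normally
    ArpReply(2.0, "ge0/3", 10, "10.0.0.20", ATTACKER_MAC),  # type 1: poison the entry for the PC
    ArpReply(3.0, "ge0/3", 10, "10.0.0.1", ATTACKER_MAC),   # type 2: claim to be the gateway
    ArpReply(4.0, "ge0/3", 10, "10.0.0.30", ATTACKER_MAC),  # unknown IP from a no-learning port
]


def run(bind_pc=True, learning_off=("ge0/3",)):
    """Replay the sample replies; returns (actions, monitoring log, resulting table)."""
    guard = ArpGuard(learning_off=learning_off)
    guard.bind_static("10.0.0.1", GATEWAY_MAC, 10, "ge0/1")   # the gateway is always pinned
    if bind_pc:
        guard.bind_static("10.0.0.20", PC_MAC, 10, "ge0/2")
    actions = [guard.process(r) for r in SAMPLE_REPLIES]
    return actions, guard.log, guard.table
```

`run()` corresponds to the recommended configuration; `run(bind_pc=False, learning_off=())` shows the same traffic against a device that relies on dynamic learning alone.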

9.3.3.2 ARP source suppression

Select Basic > Network Protocol > ARP> Basic Defense of ARP > ARP Source
Suppression from navigation tree to enter the ARP source suppression page, as shown in the
following figure.

Figure 9-12 ARP source suppression

Enable ARP source suppression and configure the threshold. When the device forwards an IP packet
whose next hop has no ARP entry, it sends an ARP request and creates an incomplete ARP entry until
the reply arrives. The number of incomplete entries created by packets from the same source IP
address cannot exceed the threshold; this limits the number of unresolved entries a single host, for
example one scanning the network, can cause the device to hold.
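The following Python script is an added example (not DPtech code) of the mechanism just described: a small forwarding model that creates an incomplete entry and an ARP request for each unresolved next hop, and refuses to create more once a source IP already holds the threshold number of unresolved entries. A constructed scanner sweeping a subnet is suppressed after the threshold while a normal host on the same segment is unaffected. The threshold value, the sample hosts and the per-destination bookkeeping are assumptions.

```python
"""ARP source suppression: cap the incomplete ARP entries one source IP can cause.

Added example, not DPtech code. It models the forwarding path the text describes: a
packet whose next hop has no ARP entry triggers an ARP request and an incomplete entry;
once a source IP has 'threshold' unresolved entries, its further packets to unresolved
hosts are dropped. Threshold, sample hosts and the bookkeeping are assumptions.
"""


class Forwarder:
    def __init__(self, threshold=10, suppression=True):
        self.threshold, self.suppression = threshold, suppression
        self.arp = {}          # next-hop IP -> MAC (complete entries)
        self.incomplete = {}   # next-hop IP -> source IP whose packet created the entry

    def pending_for(self, src_ip):
        return sum(1 for s in self.incomplete.values() if s == src_ip)

    def forward(self, src_ip, dst_ip):
        """Forward one packet; returns what happened to it."""
        if dst_ip in self.arp:
            return "forwarded"
        if dst_ip in self.incomplete:
            return "queued"                               # resolution already in progress
        if self.suppression and self.pending_for(src_ip) >= self.threshold:
            return "suppressed"                           # source holds too many unresolved entries
        self.incomplete[dst_ip] = src_ip                  # create incomplete entry, send ARP request
        return "arp-requested"

    def arp_reply(self, ip, mac):
        """A reply completes the entry and releases the source's quota."""
        self.incomplete.pop(ip, None)
        self.arp[ip] = mac

    def request_timeout(self, ip):
        """No reply after the retries: the incomplete entry is removed."""
        self.incomplete.pop(ip, None)


def simulate(threshold=10, suppression=True):
    """Constructed traffic: a scanner sweeps 10.0.1.1-10.0.1.50 (only .1 exists); a normal host talks to .1."""
    fw = Forwarder(threshold=threshold, suppression=suppression)
    scanner, normal = "10.0.0.66", "10.0.0.20"
    results = [fw.forward(scanner, f"10.0.1.{i}") for i in range(1, 51)]
    fw.arp_reply("10.0.1.1", "00:00:5e:00:53:01")        # only the first target answers
    normal_first = fw.forward(normal, "10.0.1.1")         # the completed entry serves everyone
    normal_new = fw.forward(normal, "10.0.1.77")          # the normal host keeps its own quota
    return {"suppressed": results.count("suppressed"), "requested": results.count("arp-requested"),
            "normal": (normal_first, normal_new), "incomplete": len(fw.incomplete)}
```

`simulate()` and `simulate(suppression=False)` show the number of incomplete entries the scanner leaves behind with and without the feature.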

9.3.3.3 ARP monitoring configuration

The ARP monitoring configuration module prevents ARP spoofing by turning off the ARP learning
function of an interface.

Select Basic > Network Protocol > ARP> Basic Defense of ARP > ARP Monitoring
Configuration from navigation tree to enter the ARP monitoring configuration page, as shown in
the following figure.


Figure 9-13 ARP monitoring configuration

Select the interface whose ARP learning function is to be turned off and set its state to on. The
interface then no longer updates the ARP cache table automatically.

9.3.3.4 ARP monitoring log

The ARP log module provides the function of querying and deleting anti-ARP spoofing logs.

Select Basic > Network Protocol > ARP > Advanced Defense > ARP Monitoring Log from
navigation tree to enter the ARP monitoring log page, as shown in the following figure.

Figure 9-14 ARP monitoring log

The ARP monitoring log page provides log query and delete functions.

 Query: select or specify a time range and click Query; the ARP monitoring log entries for that
period are displayed in the list, including IP, real MAC, spoofed MAC and time.
 Delete: click Delete to clear the ARP monitoring log list.

9.3.4 Advanced defense

9.3.4.1 ARP dynamic detection

ARP dynamic detection inspects ARP packets on the inbound interface; only packets that pass the
check are forwarded. It effectively prevents intrusion by unauthorized hosts and fake-gateway attacks.

Select Basic > Network Protocol > ARP> Advanced defense > ARP dynamic detection from
navigation tree to enter the ARP dynamic detection page, as shown in the following figure.


Figure 9-15 ARP dynamic detection

The parameters of the ARP dynamic detection configuration page are as follows:

 Number: the serial number of the ARP dynamic detection configuration.
 VLAN ID: the VLAN in which ARP dynamic detection is enabled.
 Detected interface: the interface on which ARP dynamic detection is performed. It must belong to
the VLAN in which ARP dynamic detection is enabled and is treated as an untrusted port; the other
ports in this VLAN are trusted ports.
 Expand the item: the detection items for ARP dynamic detection, including ARP packet validity
check and ARP restricted forwarding.
 Packet validity check: not applied to the trusted ports in the VLAN; on the detected (untrusted)
ports, ARP packets with illegal MAC addresses or IP addresses are checked and filtered.
 ARP restricted forwarding: ARP packets received on untrusted ports are forwarded according to
the anti-attack rule; packets received on trusted ports are not restricted.
 ARP gateway protection: the gateway IP address to protect. It protects ports that are not
connected to the gateway against ARP spoofing: when such a port receives an ARP packet whose
sender IP address equals the protected address, the packet is treated as illegal and discarded;
otherwise it is forwarded.
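The following Python script is an added example (not DPtech code) of the per-port policy described above: trusted ports and other VLANs are left alone, untrusted ("detected") ports get a packet validity check, and gateway protection drops any ARP packet on an untrusted port that claims a protected gateway address. The manual does not list which fields the validity check examines, so the checks implemented here (sender MAC must equal the Ethernet source, no broadcast/multicast sender MAC, reply target MAC must equal the Ethernet destination, no multicast or broadcast IP) are my assumptions about a reasonable implementation; the frames are constructed and already decoded.

```python
"""ARP dynamic detection: trusted/untrusted ports, packet validity check, gateway protection.

Added example, not DPtech code. The manual says untrusted ports get a validity check and
gateway protection but does not list the fields checked; the checks below are my
assumptions about a reasonable implementation. Frames are already-decoded dicts.
"""
import ipaddress

ARP_REQUEST, ARP_REPLY = 1, 2
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def is_group_mac(mac):
    """Broadcast or multicast: the I/G bit (low bit of the first octet) is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class ArpInspection:
    def __init__(self, vlan, untrusted_ports, protected_gateways=(), validity_check=True):
        self.vlan = vlan
        self.untrusted = set(untrusted_ports)           # the "detected interfaces"; the rest are trusted
        self.gateways = set(protected_gateways)         # gateway IPs no untrusted port may claim
        self.validity_check = validity_check

    def inspect(self, port, vlan, f):
        """Returns 'forward' or 'drop:<reason>' for one decoded ARP frame."""
        if vlan != self.vlan or port not in self.untrusted:
            return "forward"                            # other VLANs and trusted ports are not checked
        if self.validity_check:
            reason = self.validity(f)
            if reason:
                return "drop:" + reason
        if f["sender_ip"] in self.gateways:
            return "drop:gateway-protection"            # an untrusted port claims the gateway's IP
        return "forward"

    @staticmethod
    def validity(f):
        if f["sender_mac"] != f["eth_src"]:
            return "sender-mac-mismatch"
        if f["sender_mac"] == "00:00:00:00:00:00" or is_group_mac(f["sender_mac"]):
            return "invalid-sender-mac"
        if f["op"] == ARP_REPLY and f["target_mac"] != f["eth_dst"]:
            return "target-mac-mismatch"
        for key in ("sender_ip", "target_ip"):
            a = ipaddress.IPv4Address(f[key])
            # 0.0.0.0 as sender is legitimate (RFC 5227 probe); only group/broadcast IPs are rejected
            if a.is_multicast or a == LIMITED_BROADCAST:
                return "invalid-" + key
        return None


def frame(op, eth_src, eth_dst, sender_mac, sender_ip, target_mac, target_ip):
    return {"op": op, "eth_src": eth_src, "eth_dst": eth_dst, "sender_mac": sender_mac,
            "sender_ip": sender_ip, "target_mac": target_mac, "target_ip": target_ip}


# Constructed traffic on VLAN 10: gateway 10.0.0.1 behind trusted port ge0/1, hosts on ge0/2 and ge0/3.
GW_MAC, HOST_MAC, BAD_MAC = "00:10:00:00:00:01", "00:20:00:00:00:02", "de:ad:be:ef:00:03"
SAMPLES = [
    ("ge0/2", frame(ARP_REQUEST, HOST_MAC, "ff:ff:ff:ff:ff:ff", HOST_MAC, "10.0.0.2", "00:00:00:00:00:00", "10.0.0.1")),
    ("ge0/1", frame(ARP_REPLY, GW_MAC, HOST_MAC, GW_MAC, "10.0.0.1", HOST_MAC, "10.0.0.2")),      # real gateway
    ("ge0/3", frame(ARP_REPLY, BAD_MAC, HOST_MAC, BAD_MAC, "10.0.0.1", HOST_MAC, "10.0.0.2")),    # fake gateway
    ("ge0/3", frame(ARP_REPLY, BAD_MAC, HOST_MAC, HOST_MAC, "10.0.0.2", HOST_MAC, "10.0.0.2")),   # forged sender MAC
    ("ge0/3", frame(ARP_REQUEST, BAD_MAC, "ff:ff:ff:ff:ff:ff", BAD_MAC, "10.0.0.3", "00:00:00:00:00:00", "224.0.0.1")),
]


def run(samples=SAMPLES):
    insp = ArpInspection(vlan=10, untrusted_ports={"ge0/2", "ge0/3"}, protected_gateways={"10.0.0.1"})
    return [insp.inspect(port, 10, f) for port, f in samples]
```

`run()` returns the verdict for each sample frame; constructing an `ArpInspection` with `validity_check=False` shows that the forged-sender frame then passes, which is why the check should stay enabled on user-facing ports.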

9.3.4.2 Anti-ARP attack of fixed source MAC

Select Basic > Network Protocol > ARP> Advanced Defense > Anti-ARP attack of fixed
source MAC from navigation tree to enter the anti-ARP attack of fixed source MAC page, as
shown in the following figure.


Figure 9-16 Anti-ARP attack of fixed source MAC

The anti-ARP attack of fixed source MAC page has two parts: base config and safe MAC. The
parameters of base config are as follows:

 Defend: enable the anti-ARP attack of fixed source MAC function.
 Threshold of attack: ARP packets from one source MAC beyond this number are treated as attack
packets. The range is 1~5000; the default is 1200.
 Detection mode: monitor or defend. Monitor only detects the attacking source MAC and generates
a system log; defend additionally drops the packets once a source MAC has been identified as
attacking.
 Safe MAC (aging time): the aging time of an attacking source MAC address. If the source MAC
stops attacking during this time, the entry ages out normally; if it attacks again, the source MAC
continues to be monitored and defended against.
The parameters of safe MAC are as follows:

 No.: the serial number of the protected MAC.
 Safe MAC: the protected MAC address, which is never classified as an attacking source MAC.
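The following Python script is an added example (not DPtech code) that models the function described above: ARP packets are counted per source MAC, a source that exceeds the threshold is logged and, in defend mode, dropped; safe MACs are exempt; an attack source ages out after the aging time unless it attacks again, and an attacker table with the remaining aging time (the content of the page in 9.3.4.3) can be read at any moment. The manual gives the threshold but not the measurement window, so the sliding window length, the sample traffic and the rule that a continued attack restarts the aging timer are assumptions.

```python
"""Anti-ARP attack of fixed source MAC: per-source-MAC threshold, monitor/defend mode,
safe MACs and aging of attack sources.

Added example, not DPtech code. The manual gives the threshold (default 1200) but not
the measurement window; a sliding window of WINDOW seconds is my assumption, as are the
sample traffic and the rule that a continued attack restarts the aging timer.
"""
from collections import deque

WINDOW = 5.0


class FixedSourceMacGuard:
    def __init__(self, threshold=1200, aging=300, mode="defend", safe_macs=(), window=WINDOW):
        self.threshold, self.aging, self.mode, self.window = threshold, aging, mode, window
        self.safe = set(safe_macs)
        self.recent = {}        # smac -> deque of packet timestamps inside the window
        self.attackers = {}     # smac -> {"vlan", "port", "expires"}
        self.syslog = []

    def observe(self, ts, smac, vlan, port):
        """Account one ARP packet; returns 'forward' or 'drop'."""
        if smac in self.safe:
            return "forward"                               # safe MACs are never classified as attackers
        self.expire(ts)
        q = self.recent.setdefault(smac, deque())
        q.append(ts)
        while q and q[0] <= ts - self.window:
            q.popleft()
        if len(q) > self.threshold:
            if smac not in self.attackers:
                self.syslog.append((ts, smac, vlan, port, "arp-flood"))
            # new attack or continued attack: (re)start the aging timer
            self.attackers[smac] = {"vlan": vlan, "port": port, "expires": ts + self.aging}
        if smac in self.attackers and self.mode == "defend":
            return "drop"
        return "forward"                                   # monitor mode only logs

    def expire(self, ts):
        for smac in [m for m, e in self.attackers.items() if e["expires"] <= ts]:
            del self.attackers[smac]                       # aged out: no attack during the aging time

    def attacker_table(self, ts):
        """What the attacker information page shows: remaining aging time per source MAC."""
        self.expire(ts)
        return {m: {"vlan": e["vlan"], "port": e["port"], "aging_left": e["expires"] - ts}
                for m, e in self.attackers.items()}


def simulate(mode="defend", threshold=1200, aging=300, safe_macs=()):
    """Constructed traffic: one host sends threshold+200 ARP packets within 1 s, one host is quiet."""
    g = FixedSourceMacGuard(threshold=threshold, aging=aging, mode=mode, safe_macs=safe_macs)
    flood, quiet = "de:ad:be:ef:00:01", "00:20:00:00:00:02"
    dropped = 0
    for i in range(threshold + 200):
        if g.observe(i / (threshold + 200), flood, 10, "ge0/3") == "drop":
            dropped += 1
    quiet_actions = [g.observe(1.0 + i, quiet, 10, "ge0/2") for i in range(5)]
    return {"dropped": dropped, "quiet": quiet_actions, "guard": g}
```

`simulate()` uses the default threshold in defend mode; `simulate(mode="monitor")` logs the same attacker without dropping anything, and `simulate(safe_macs=("de:ad:be:ef:00:01",))` shows the exemption. The returned guard's `attacker_table(ts)` gives the remaining aging time at time `ts`.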

9.3.4.3 Attacker information of fixed source MAC

Select Basic > Network Protocol > ARP > Advanced Defense > Anti-ARP attack of fixed source MAC
from navigation tree to enter the attacker information of fixed source MAC page, as shown in the
following figure.

Figure 9-17 Attacker information of fixed source MAC

The parameters of attacker information of fixed source MAC page are shown in the following:


 Sequence: the sequence number of the attacker entry.
 SMAC: the source MAC address identified as the attacker.
 VLAN ID: the VLAN ID in which the attacking source MAC was seen.
 Interface: the interface on which the attacking source MAC was seen.
 Aging time: the remaining aging time of the attacking source MAC address.

9.4 ND

9.4.1 ND configuration

Select Basic > Network Protocol > ARP > Advanced Defense > Neighbor Discover from
navigation tree to enter the neighbor discover page, as shown in the following figure.

Figure 9-18 Neighbor discover

The ND configuration page is mainly used to disable the automatic neighbor discovery function on an
interface. Select the interface to disable and click OK.

9.4.2 Anti-ND attack of fixed source MAC/IP

Select Basic > Network Protocol > ARP > Advanced Defense > Neighbor Discover from
navigation tree to enter the anti-ND attack of fixed source MAC/IP page, as shown in the
following figure.


Figure 9-19 Anti-ND attack of fixed source MAC/IP

After enabling attack protection, select the protection mode (fixed source MAC, fixed source and
destination MAC, or fixed source and destination IP), configure the detection threshold and the
attack-source aging time, and select the action: drop the packets or pass them through.

9.5 MAC

9.5.1 MAC table

9.5.1.1 MAC table

The MAC table module provides the function of viewing and deleting MAC table entry.

Select Basic > Network Protocol > MAC > MAC Table from navigation tree to enter the MAC table
page, as shown in the following figure.

Figure 9-20 MAC table

The MAC table management page provides the functions of viewing MAC table entries and deleting
dynamic entries. To view the MAC table, select All, Static, Dynamic, By VLAN ID, By MAC address or
By port number, select a slot number, enter the value to query and click View; the matching MAC table
entries are displayed in the MAC table list. Click Delete All Dynamic Mac Address Tables to delete all
dynamic MAC entries.

9.5.2 Static MAC configuration

Select Basic > Network Protocol > MAC > Static MAC configuration from navigation tree to
enter the static MAC configuration page, as shown in the following figure.

Figure 9-21 Static MAC configuration

The parameters of the static MAC configuration page are as follows:

 Serial number: the serial number of the static MAC table entry.
 MAC address: the MAC address of the static MAC table entry.
 VLAN ID: the VLAN ID to which the static MAC entry belongs.
 Outgoing port: the outgoing port to which the static MAC entry applies.
 Discard: whether to discard packets matching this MAC address, VLAN ID and outbound port (a
blackhole MAC entry).

9.5.3 MAC address configuration

The MAC parameter configuration module provides the function of setting the dynamic MAC
address aging time.

Select Basic > Network Protocol > MAC > MAC Address Configuration from navigation tree to
enter the MAC address configuration page, as shown in the following figure.

Figure 9-22 MAC address configuration


9.6 STP
Spanning tree protocols are Layer 2 management protocols that block redundant links through a
specific algorithm, eliminating loops in the network while keeping the blocked links as backups. The
device supports three spanning tree protocols: STP, RSTP and MSTP.

STP (Spanning Tree Protocol) determines the network topology by exchanging BPDU packets between
devices and blocks the ports of redundant links, establishing a loop-free logical topology. When the
topology changes, a port must wait twice the forward delay time to move from the blocking state to
the forwarding state before the STP network recovers.

RSTP (Rapid Spanning Tree Protocol) is an optimized version of STP. It has all the functions of STP
and adds the alternate port, backup port and edge port roles, which shorten the time needed to restore
connectivity after a topology change. In practice, however, RSTP only provides link redundancy; it
cannot load-balance traffic over the links per VLAN.

MSTP (Multiple Spanning Tree Protocol) is developed on the basis of STP and RSTP. It calculates
loop-free topologies per instance, which reduces communication overhead and improves resource
utilization. Through the bridge priority, the maximum transmission rate and the concept of an MSTP
region (configuration domain), MSTP can constrain the scope of a spanning tree and speed up its
convergence, so that traffic in different VLANs is forwarded along different paths.

9.6.1 Select STP

The spanning tree protocol selection module provides the function of selecting the type of spanning
tree protocol: STP, RSTP or MSTP.

Select Basic > Network Protocol > Spanning Tree > Protocol selection from navigation tree
to enter the protocol selection page, as shown in the following figure.

Figure 9-23 Select STP

The parameters of the spanning tree protocol selection page are as follows:

 Enable STP: enable the spanning tree function.
 STP: select STP.
 RSTP: select RSTP.
 MSTP: select MSTP.

9.6.2 Spanning tree protocol configuration

Select Basic > Network Protocol > Spanning Tree > Spanning Tree Protocol Configuration
from navigation tree to enter the spanning tree protocol configuration page, as shown in the
following figure.

Figure 9-24 Spanning tree protocol configuration

The spanning tree protocol configuration page matches the protocol chosen on the protocol selection
page. Taking MSTP as an example, the page shows the MSTP configuration parameters: MSTP global
configuration, MSTP instance configuration and MSTP port configuration.

The parameters of the MSTP global configuration are as follows:

 MSTP domain (region) configuration:
 Revision level: the MSTP revision level. Together with the region name and the VLAN
mapping table it determines which region the device belongs to.
 Region name: the name of the MSTP region.
 Protocol message form: standard, compatible or auto. The packet lengths of the standard and
compatible formats differ. The standard format follows the 802.1Q standard; the compatible
format is for connecting this vendor's devices to other vendors' devices. Auto means the
device detects the format from the packets sent by the remote peer and then chooses the
standard or compatible format for the packets it sends.
 Max MSTP hops: the maximum number of hops in the MSTP region, in the range 1-7.


 BPDU: after BPDU protection is enabled, if an edge port receives a BPDU packet, the system shuts
the port down to prevent a spanning tree recalculation and avoid network instability, and notifies
the network administrator. Only the network administrator can recover the closed port. Without this
protection, a device plugged into an edge port that sends BPDUs (a rogue or misconfigured switch)
takes part in the topology and, with a better bridge priority, can become the root bridge.
 Maximum transmission rate: the maximum BPDU transmission rate of the port, in the range 1-10.
 Advanced configuration: network diameter, forward delay timer (s), hello timer, max age (s) and
timer factor.
 Spanning tree port: the ports on which MSTP is enabled; they must be Layer 2 interfaces.
The parameters of the MSTP instance configuration are as follows:

 Instance ID: the MSTP instance ID. Instance 0 cannot be modified.
 VLAN mapping: the VLAN IDs mapped to the MSTP instance.
 Bridge priority: the bridge priority of the device within the MSTP instance.
 Each instance port configuration: the ports within the MSTP instance; only ports on which the
spanning tree protocol is enabled can be configured.
The parameters of the MSTP port configuration are as follows:

 Port name: the name of the MSTP-enabled port. Only ports on which the spanning tree protocol
is enabled can be configured.
 P2P link: whether the port is connected to a point-to-point link: Auto, Yes or No. If the two ports
connected by a point-to-point link are a root port and a designated port, they can migrate to the
forwarding state quickly through the proposal/agreement handshake, which shortens the
forwarding delay.
 Edge port: whether the MSTP port is an edge port. An edge port connects directly to a user
terminal, not to another switching device or a shared network segment, so a topology change
cannot create a loop on it.
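The following Python script is an added example (not DPtech code) of the two security-relevant points in the configuration above, BPDU protection on edge ports and root bridge selection: it packs and parses IEEE 802.1D configuration BPDUs, applies the lowest-bridge-ID-wins comparison, and shows a constructed rogue switch with priority 0 being ignored (and its port shut down until an administrator recovers it) when BPDU guard is on, but taking over as root on the same edge port when it is off. It models plain STP, not the device's MSTP implementation; bridges, costs and addresses are assumptions.

```python
"""Configuration BPDU parsing, root bridge selection and BPDU guard on edge ports.

Added example, not DPtech code. Uses the IEEE 802.1D configuration BPDU layout (35 bytes)
and the standard lowest-ID-wins comparison; the bridges, costs and rogue-switch scenario
are constructed. It shows the plain STP case, not the device's MSTP implementation.
"""
import struct


def bridge_id(priority, mac):
    """8-byte bridge ID: 2-byte priority followed by the bridge MAC; lower is better."""
    return struct.pack("!H", priority) + bytes.fromhex(mac.replace(":", ""))


def build_config_bpdu(root, root_cost, sender, port_id, max_age=20, hello=2, fwd_delay=15):
    head = struct.pack("!HBBB", 0, 0, 0, 0)              # protocol id, version, type (config), flags
    tail = struct.pack("!HHHHH", port_id, 0, max_age * 256, hello * 256, fwd_delay * 256)  # 1/256 s units
    return head + root + struct.pack("!I", root_cost) + sender + tail


def parse_config_bpdu(b):
    if len(b) < 35 or struct.unpack("!HBB", b[:4]) != (0, 0, 0):
        return None
    port_id, _msg_age, max_age, hello, fwd_delay = struct.unpack("!HHHHH", b[25:35])
    return {"root": b[5:13], "root_cost": struct.unpack("!I", b[13:17])[0], "sender": b[17:25],
            "port_id": port_id, "max_age": max_age / 256, "hello": hello / 256, "fwd_delay": fwd_delay / 256}


class Bridge:
    def __init__(self, priority, mac, bpdu_guard=True):
        self.id = bridge_id(priority, mac)
        self.best = (self.id, 0, self.id, 0)             # (root, cost to root, sender, port): starts as root
        self.root_port, self.bpdu_guard, self.ports = None, bpdu_guard, {}

    @property
    def root(self):
        return self.best[0]

    def add_port(self, name, cost, edge=False):
        self.ports[name] = {"cost": cost, "edge": edge, "state": "forwarding"}

    def receive(self, port_name, bpdu):
        port = self.ports[port_name]
        if port["state"] == "err-disabled":
            return "discarded"
        if port["edge"] and self.bpdu_guard:
            port["state"] = "err-disabled"               # an edge port must never see a BPDU: shut it
            return "err-disabled"                        # and do not recompute the tree
        b = parse_config_bpdu(bpdu)
        if b is None:
            return "malformed"
        received = (b["root"], b["root_cost"] + port["cost"], b["sender"], b["port_id"])
        if received < self.best:                         # tuple order: root id, then cost, then sender
            self.best, self.root_port = received, port_name
            return "new-root"
        return "inferior"

    def admin_recover(self, port_name):
        """Only an administrator brings an err-disabled port back."""
        self.ports[port_name]["state"] = "forwarding"


def rogue_switch_scenario(bpdu_guard=True):
    """Constructed: a switch with priority 0 (beats every legitimate bridge) appears on an edge port."""
    sw = Bridge(32768, "00:10:00:00:00:01", bpdu_guard=bpdu_guard)
    sw.add_port("ge0/1", cost=20000)                    # uplink towards the real root
    sw.add_port("ge0/5", cost=200000, edge=True)        # user-facing port
    real_root = bridge_id(4096, "00:10:00:00:00:aa")
    rogue = bridge_id(0, "de:ad:be:ef:00:00")
    uplink = sw.receive("ge0/1", build_config_bpdu(real_root, 0, real_root, 0x8001))
    edge = sw.receive("ge0/5", build_config_bpdu(rogue, 0, rogue, 0x8001))
    return {"uplink": uplink, "edge": edge, "root": sw.root, "root_port": sw.root_port,
            "edge_state": sw.ports["ge0/5"]["state"], "bridge": sw}
```

`rogue_switch_scenario()` and `rogue_switch_scenario(bpdu_guard=False)` can be compared directly: the root bridge and root port differ, which is the outcome BPDU protection on edge ports exists to prevent.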

9.6.3 Status

The status page displays information for the protocol chosen on the Protocol Selection page. The
content is similar for each kind of spanning tree; STP and MSTP are shown here as examples:
1. STP status
Select Basic > Network Protocol > Spanning Tree > Status from navigation tree to enter the
status page, as shown in the following figure.


Figure 9-25 STP status

The parameters of the STP global information are as follows:

 Protocol edition: the version of the spanning tree protocol: 0 represents STP, 2 represents RSTP
and 3 represents MSTP.
 Bridge priority: the bridge priority of the STP instance.
 Maximum transmission rate: the maximum BPDU transmission rate of the port, in the range 1-10.
 Max age timer: the value of the Max age timer.
 Fwd delay timer: the value of the Forward delay timer.
 Hello timer: the value of the Hello timer.
The parameters of STP MAC are as follows:
 Bridge MAC: the bridge MAC address.
 Root bridge MAC: the root bridge MAC address.
STP port information:
 Port name: the name of the STP-enabled port.
 Port priority: the STP priority of the port.
 Path cost: the STP path cost of the port.
 Port role: the current port role.
 Port status: the current port status.

2. MSTP status
Select Basic > Network Protocol > Spanning Tree > Status from navigation tree to enter the
status page, as shown in the following figure.


Figure 9-26 MSTP status

The parameters of MSTP global information are shown in the following:

 Protocol edition: display the version of the spanning tree protocol: 0 represents STP, 2
represents RSTP and 3 represents MSTP.
 Current domain (MSTP): display the MSTP domain (region) where the device is located.
 Max age timer: display the value of the Max age timer.
 Fwd delay timer: display the value of the Forward delay timer.
 Hello time: display the value of the Hello timer.
 Max Hops timer (MSTP): display the value of the max hops parameter.
The parameters of MSTP instance are shown in the following:

 Instance ID: display the MSTP instance ID.


 VLAN mapping: display the MSTP instance mapping VLAN ID.
 Bridge priority: display the bridge priority in MSTP instance.
 Bridge MAC: display the bridge MAC address.
 Root bridge MAC: display the root bridge MAC address.
The MSTP port configuration result is displayed in the port information list at the bottom of the
page. Its parameters are the same as those described above and are not repeated here.

9.7 DNS
DNS (Domain Name System) is a distributed database that maps domain names to IP addresses
and provides the conversion service between the two. DNS can be divided into static DNS and
dynamic DNS. When converting a domain name, the device performs static DNS first (that is, it
resolves the domain name using the predefined domain name/IP address mapping table); if static
DNS fails, it performs dynamic DNS (that is, it resolves the domain name through a DNS server).

DNS proxy forwards DNS request and response packets between the DNS server and the clients.
When the DNS server’s address changes, network administrators do not need to modify the
configuration of each DNS client; they only need to modify the configuration of the DNS proxy
device. Therefore, DNS proxy can greatly reduce the workload of network management.
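
The static-then-dynamic lookup order described above, as an added example that is not DPtech code: a resolver consults a local domain-name/IP table first and asks a DNS server only when the static lookup misses. The static table, the stand-in "upstream" answers (documentation addresses from RFC 5737) and all function names are constructed assumptions; when no dynamic resolver is injected, the class falls back to the operating system resolver via socket.getaddrinfo.

```python
"""Static-first name resolution with dynamic fallback (added example).

Order mirrors the manual: the local domain-name/IP table is consulted first and
a DNS server is asked only when the static lookup fails.
"""
import ipaddress
import socket
from typing import Callable, Dict, Optional, Tuple


def os_lookup(name: str) -> Optional[str]:
    """Dynamic DNS through the operating system's resolver (default when nothing is injected)."""
    try:
        return socket.getaddrinfo(name, None)[0][4][0]
    except (socket.gaierror, IndexError):
        return None


class StaticFirstResolver:
    """Consult a static domain->IP table first; ask a DNS server only on a miss."""

    def __init__(self, static_table: Dict[str, str],
                 dynamic: Callable[[str], Optional[str]] = os_lookup) -> None:
        # Names are case-insensitive and may carry a trailing dot; normalise keys and
        # validate every configured address so a bad entry fails at load time.
        self.static = {self._norm(k): str(ipaddress.ip_address(v))
                       for k, v in static_table.items()}
        self.dynamic = dynamic

    @staticmethod
    def _norm(name: str) -> str:
        return name.strip().rstrip(".").lower()

    def resolve(self, name: str) -> Tuple[Optional[str], Optional[str]]:
        """Return (address, source); source is 'static', 'dynamic', or None on failure."""
        key = self._norm(name)
        if key in self.static:              # step 1: predefined mapping table
            return self.static[key], "static"
        addr = self.dynamic(key)            # step 2: DNS server (dynamic DNS)
        if addr is None:
            return None, None
        return addr, "dynamic"


# --- constructed sample data (assumptions, not from the manual) ---------------
STATIC_TABLE = {"Intranet.Corp.": "192.0.2.10", "printer.corp": "192.0.2.20"}
FAKE_UPSTREAM = {"www.example.com": "203.0.113.10", "intranet.corp": "203.0.113.99"}


def fake_dns_server(name: str) -> Optional[str]:
    """Stand-in for DNS server_1; replies only for names it knows."""
    return FAKE_UPSTREAM.get(name)


def demo_resolver() -> StaticFirstResolver:
    return StaticFirstResolver(STATIC_TABLE, dynamic=fake_dns_server)


if __name__ == "__main__":
    r = demo_resolver()
    for q in ("INTRANET.corp", "www.example.com", "nosuch.invalid"):
        print(q, "->", r.resolve(q))
```

Note that intranet.corp is present in both tables with different addresses; the static entry wins, which is exactly why a stale or malicious static entry on the device should be audited alongside the DNS server settings.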

Select Basic > Network Protocol > DNS from navigation tree to enter the DNS page, as shown
in the following figure.

Figure 9-27 DNS

The parameters of DNS configuration are shown in the following:

 Static DNS server IP:


 DNS server_1 IP: set the DNS server 1’s address.
 DNS server_2 IP: set the DNS server 2’s address which can be used if DNS server_1
cannot converse domain name.
 Dynamic DNS server IP: display the dynamically obtained DNS server address.
 Enable DNS proxy: this function must be enabled when the device is DNS proxy server.
Configure the relationship between domain name and IP manually:

 Realm name: the domain name entry in the static DNS table.
 IP address: the IP address that corresponds to the realm name in the static DNS table.


Figure 9-28 Static DNS

9.8 ICMP option


ICMP (Internet Control Message Protocol) is a sub-protocol of the TCP/IP protocol suite, used to
transfer control information between IP hosts and routers. ICMP helps users manage the network.

The network management module provides options for sending host unreachable errors,
destination protocol unreachable errors, destination port unreachable errors, “fragmentation
required, but DF flag set” errors and timestamp replies.

Select Basic > Network Protocol > ICMP > ICMP option from navigation tree to enter the
ICMP option page, as shown in the following figure.

Figure 9-29 ICMP option

The parameters of the ICMP option page are shown in the following:

 Send host unreachable error: set whether to send destination host unreachable ICMP packets.
 Send destination protocol unreachable error: set whether to send destination protocol
unreachable ICMP packets.
 Send destination port unreachable error: set whether to send destination port unreachable
ICMP packets.
 Send fragmentation required, but DF flag set error: set whether to send “fragmentation
required, but DF flag set” ICMP packets.
 Send timestamp reply: set whether to send timestamp reply ICMP packets.


 Enable IP address for the TTL response: after you enable this option, set the fixed IP
address used as the source of TTL replies.
 Send TTL-expired error: set whether to send “TTL expired in transit” ICMP packets.
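
As an added example (not DPtech code), the following shows how the options above map onto concrete ICMPv4 type/code pairs and how an egress policy check can be expressed over them: the message header is parsed, the RFC 1071 checksum is verified, and the (type, code) pair is looked up to decide whether the device may emit it. The option names, the policy dictionary, the sample packets and the fixed TTL-reply source address 192.0.2.1 are assumptions.

```python
"""ICMP egress policy check for the options on the ICMP option page (added example).

Parses an ICMPv4 header, verifies its checksum, maps (type, code) to the option
that governs it and decides whether the device may send it. Option names and the
policy dictionary are assumptions, not DPtech configuration keys.
"""
import struct
from typing import Dict, NamedTuple, Optional, Tuple

# RFC 792 / RFC 1122 type-code pairs behind each option on the page
ICMP_OPTION_OF = {
    (3, 1): "send_host_unreachable",
    (3, 2): "send_protocol_unreachable",
    (3, 3): "send_port_unreachable",
    (3, 4): "send_frag_needed_df_set",
    (11, 0): "send_ttl_expired",
    (14, 0): "send_timestamp_reply",
}


class Decision(NamedTuple):
    action: str                 # "send", "suppress" or "forward" (not governed here)
    option: Optional[str]
    source_ip: Optional[str]    # address the reply is sent from, when sent


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(itype: int, code: int, rest: bytes) -> bytes:
    """Assemble type, code, checksum and the remainder of the message."""
    unchecked = struct.pack("!BBH", itype, code, 0) + rest
    return struct.pack("!BBH", itype, code, icmp_checksum(unchecked)) + rest


def checksum_ok(pkt: bytes) -> bool:
    """A message with a correct checksum sums to zero under the same algorithm."""
    return len(pkt) >= 8 and icmp_checksum(pkt) == 0


def parse_icmp(pkt: bytes) -> Tuple[int, int]:
    if not checksum_ok(pkt):
        raise ValueError("ICMP message too short or checksum mismatch")
    itype, code = struct.unpack("!BB", pkt[:2])
    return itype, code


def decide(pkt: bytes, policy: Dict[str, object], ingress_ip: str) -> Decision:
    """Apply the page's options to an ICMP message the device is about to emit."""
    itype, code = parse_icmp(pkt)
    option = ICMP_OPTION_OF.get((itype, code))
    if option is None:
        return Decision("forward", None, None)
    if not policy.get(option, False):
        return Decision("suppress", option, None)
    src = ingress_ip
    # "Enable IP address for the TTL response": fixed source for TTL-expired replies
    fixed = policy.get("ttl_reply_source_ip")
    if option == "send_ttl_expired" and fixed:
        src = str(fixed)
    return Decision("send", option, src)


# Constructed sample: 4 unused bytes + 28 bytes standing in for the offending IP header
ORIGINAL_HDR = b"\x00" * 4 + b"\x45" + b"\x00" * 27
SAMPLE_POLICY = {
    "send_host_unreachable": True,
    "send_port_unreachable": False,
    "send_ttl_expired": True,
    "ttl_reply_source_ip": "192.0.2.1",      # assumed fixed TTL-reply source
}
```

Suppressing port and protocol unreachable replies reduces what a scanner can learn from the firewall, at the cost of slower failure detection for legitimate clients; the decision function makes that trade-off explicit per message type.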

9.9 IPv6 autoconfig


Stateless automatic configuration is achieved through the IPv6 neighbor discovery protocol. The
stateless automatic configuration module provides the function of setting the parameters of the
RA message sent by the device.

Select Basic > Network Protocol > IPv6 Autoconfig from navigation tree to enter the IPv6
autoconfig page, as shown in the following figure.

Figure 9-30 Stateless autoconfig

The description of each parameter in the stateless automatic configuration page is as follows:

 Serial number: Display the serial number of RA message configuration.


 Effective interface: Set the interface for receiving RA messages.
 Sending interval: Set the maximum/minimum time interval for sending IPv6 address prefix
advertisement.
 Prefix information: set the IPv6 address prefix information of the RA message.
 Other configuration: Set the managed tag, other tag, TTL, link MTU, route life cycle,
neighbor reachable time, neighbor retransmission time and other information of RA
message.
 Status: Set to enable/disable RA message sending.
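
To make the RA parameters above concrete, here is an added example (not DPtech code) that builds and parses an ICMPv6 Router Advertisement with one prefix information option, using the field layout of RFC 4861: the managed and other flags, hop limit, router lifetime, reachable time, retransmission timer and the prefix with its valid and preferred lifetimes. The function names, the sample values, the documentation prefix 2001:db8:1::/64 and the allow-list check are assumptions; the ICMPv6 checksum is left at zero because computing it needs the IPv6 pseudo-header that only the sending stack knows.

```python
"""Build and parse ICMPv6 Router Advertisement (RA) messages (added example).

Covers the fields the stateless autoconfig page exposes: M/O flags, hop limit,
router lifetime, reachable time, retransmission timer and the prefix
information option (RFC 4861). Checksum is left zero: ICMPv6 checksums need the
IPv6 pseudo-header, which the sending stack supplies.
"""
import ipaddress
import struct
from typing import Dict, List, Tuple

ICMPV6_RA = 134
OPT_PREFIX_INFO = 3
RA_HDR = "!BBHBBHII"      # type, code, checksum, hop limit, flags, lifetime, reachable, retrans
PFX_HDR = "!BBBBIII"      # opt type, opt len, prefix len, flags, valid, preferred, reserved

Prefix = Tuple[str, bool, bool, int, int]   # (prefix, on-link, autonomous, valid, preferred)


def build_ra(hop_limit: int, managed: bool, other: bool, router_lifetime: int,
             reachable_ms: int, retrans_ms: int, prefixes: List[Prefix]) -> bytes:
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    msg = struct.pack(RA_HDR, ICMPV6_RA, 0, 0, hop_limit, flags,
                      router_lifetime, reachable_ms, retrans_ms)
    for pfx, on_link, auto, valid, preferred in prefixes:
        net = ipaddress.IPv6Network(pfx)
        pflags = (0x80 if on_link else 0) | (0x40 if auto else 0)
        msg += struct.pack(PFX_HDR, OPT_PREFIX_INFO, 4, net.prefixlen, pflags,
                           valid, preferred, 0) + net.network_address.packed
    return msg


def parse_ra(msg: bytes) -> Dict:
    if len(msg) < 16 or msg[0] != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    _, _, _, hop_limit, flags, lifetime, reachable, retrans = struct.unpack(RA_HDR, msg[:16])
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "reachable_ms": reachable, "retrans_ms": retrans,
          "prefixes": []}
    off = 16
    while off < len(msg):
        if off + 2 > len(msg):
            raise ValueError("truncated option header")
        otype, olen = msg[off], msg[off + 1]
        if olen == 0:
            raise ValueError("option length 0 (RFC 4861 forbids it)")
        size = olen * 8
        if off + size > len(msg):
            raise ValueError("option runs past end of message")
        if otype == OPT_PREFIX_INFO and olen == 4:
            _, _, plen, pflags, valid, preferred, _ = struct.unpack(PFX_HDR, msg[off:off + 16])
            addr = ipaddress.IPv6Address(msg[off + 16:off + 32])
            ra["prefixes"].append({
                "prefix": str(ipaddress.IPv6Network(f"{addr}/{plen}", strict=False)),
                "on_link": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40),
                "valid": valid, "preferred": preferred})
        off += size             # unknown options are skipped, as RFC 4861 requires
    return ra


def unexpected_prefixes(ra: Dict, allowed: List[str]) -> List[str]:
    """Prefixes advertised that are not in the allow-list (rogue-RA check)."""
    return [p["prefix"] for p in ra["prefixes"] if p["prefix"] not in allowed]


# Constructed sample mirroring the page's parameters (documentation prefix, RFC 3849)
SAMPLE_RA = build_ra(hop_limit=64, managed=False, other=True, router_lifetime=1800,
                     reachable_ms=30000, retrans_ms=1000,
                     prefixes=[("2001:db8:1::/64", True, True, 2592000, 604800)])
```

The parser doubles as a monitoring aid: feeding captured RAs through unexpected_prefixes with the prefixes the firewall is configured to announce flags any advertisement from an unexpected router on the segment.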

9.10 Diagnostic tools


The diagnostic tools can be used as an auxiliary means of daily device maintenance. The
common diagnostic tools include Ping, Tracert and remote capture, which can be used for
network detection and route tracing. Diagnostic tools help users discover problems in the
network and locate the point of failure.


9.10.1 Ping

9.10.1.1 Ping introduction

Ping is the most common tool for detecting a network host. If a failure occurs in the network,
the user can use Ping to locate the failure point effectively. Ping helps the user find out whether
the device’s NIC and TCP/IP stack are working, whether the device’s IP address is valid, whether
the route to the destination host exists and the connectivity is normal, whether the specified
domain name is resolved correctly, and the delay and packet loss in the network, the network
device type, and so on.

The parameters of Ping in the firewall are shown in the following:


[DPTECH]ping
-D Specify vrf name
-I Allow ping from an appointed soure address
-M Mtu discovery hint
-Q Specify TOS value for echo requests to be sent, [0-255]
-R Record route. Include the RECORD_ROUTE option in the ECHO_REQUEST
packets and display the route
-b Allow pinging a broadcast address
-c Specify the number of echo requests to be sent, [1-4294967294]
-f Specify packets not to be fragmented
-i Wait seconds between sending each packet, [1-255]
-n Numeric output only. No attempt will be made to lookup host
addresses for symbolic names
-p No more than 8 "pad" hexadecimal characters to fill out the sent
packet. For example, -p f2 will fill the sent packet with f and 2
repeatedly
-q Quiet output. Nothing will be displayed except for the summary lines
-s Specify the number of data bytes to be sent, [20-32000]
-t Specify TTL value for echo requests to be sent, [1-255]
-v Verbose output
-w Specify a timeout, in Millisecond
STRING Destination ip address or domain name

By using the Ping command with the related parameters, the user can make an effective
judgement from the returned information. It is necessary to understand the information returned
by Ping and the related parameters. The following are the common returned messages and the
network problems they may indicate:

 Request timed out
 The destination host is powered off. For example, an intranet server with IP address
192.168.2.250 is powered off and has not been powered up again, so the server cannot
reply to the request. The user suspects that the access control function has been
enabled on the device. If there is no other security device between the server and the
device, and the server itself does not have a firewall function enabled, the user can run
the Ping command directly on the device. If the returned information is Request timed
out, this indicates that a packet filtering policy has been enabled on the device.
 The destination host does not exist, or the destination host is not in the same network as
the local host, and the destination host cannot be found through routing.
 The destination host does exist, but another security device is connected between the
device and the destination host, or the destination host has ICMP packet filtering enabled.
 Destination host unreachable
 The local host and the destination host are not in the same network, and the local host
has no default route, or the IP address does not exist in the network.
 The cable has a problem. Here we need to explain the difference between “destination
host unreachable” and “time out”. The routers along the path must have a route to the
destination host; if the destination host cannot be reached for some other reason,
“time out” is displayed. If the routers have no route to the destination host,
“destination host unreachable” is displayed.
 Bad IP address
The device may not be connected to a DNS server, so this name cannot be resolved to an IP
address, or the IP address does not exist.
 Unknown host
The remote host name cannot be translated into an IP address by the domain name server
(DNS). The fault may be that the domain name server is faulty, the remote host name is
incorrect, or the cable between the network administrator’s host and the remote host has a
problem.
 no answer
The local system has a route to the destination host, but receives no reply to anything it
sends to the destination host. The fault may be one of the following:
 The destination host is not working.
 The network between the local host and the destination host is not configured correctly.
 The NIC of the local host or of the destination host is working abnormally.
 The connection cable has a problem.
 The destination host has a route selection problem.
 no route to host: the NIC is working abnormally.
 unknown host name: the DNS configuration is incorrect.

9.10.1.2 Ping

Select Basic > Network Protocol > Diagnostic Tools from navigation tree to enter the Ping
page, enter the IP address that you want to diagnose, then click the Test button. After a while,
the page displays the returned Ping result, as shown in the following figure.


Figure 9-31 Ping

The parameters of Ping page are shown in the following:

 Parameter: set the parameters of the Ping command.


 IP address: set the IP address for the test.
 Test result: display the test result.
 Test: click Test button to start the Ping test.

9.10.2 Tracert

9.10.2.1 Tracert introduction

Traceroute is an important tool for detecting the route between the local host and a destination
host, and it is also the most convenient one. Although Ping can detect a host, because of the
limits of the IP header it cannot record all the routers a packet passes through, whereas
Traceroute can. Traceroute records the IP address of every router it passes through and can find
out which router between the device and the destination host has a link or routing problem.

The principle of Traceroute is very simple. After receiving the IP address of the destination host,
the device first sends a UDP packet with TTL=1 to the destination host. When the first router
receives it, the packet’s TTL is decremented by 1 automatically. When the packet’s TTL reaches
0, the router that received the packet drops it and generates an ICMP message telling the
device that the route is unreachable. The device then sends a UDP packet with TTL=2 to the
destination host, which triggers the second router to send an ICMP message, and so on, until a
packet reaches the destination host. In this way Traceroute obtains the IP addresses of all the
routers on the path, avoiding the problem that the IP header only records the destination host’s
IP address.
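
The TTL loop described above, as an added example that is not DPtech code: the function sends probes with TTL = first, first+1, ... (the -f, -m and -q parameters below) and stops when the destination answers. Real probes need raw sockets and a network, so `probe` here is a constructed model of a path in which each router returns ICMP Time Exceeded for the TTL that expires at it, one router never answers (shown as “*”, as a timed-out probe would be), and the destination answers the UDP probe with ICMP Port Unreachable; the addresses are RFC 5737 documentation addresses and all names are assumptions.

```python
"""The Traceroute TTL loop run against a simulated path (added example).

`probe` stands in for sending one UDP probe with a given TTL and waiting up to
the -w timeout; the simulated path, the addresses and the helper names are
assumptions, not DPtech code.
"""
from typing import Callable, List, Optional, Tuple

Reply = Tuple[str, Optional[str]]        # (kind, responder address)

# Constructed path: routers in hop order; None = a router that never answers
SAMPLE_ROUTERS: List[Optional[str]] = ["192.0.2.1", "198.51.100.1", None]
SAMPLE_DEST = "203.0.113.9"


def make_simulated_probe(routers: List[Optional[str]], dest: str) -> Callable[[int], Reply]:
    """Model the network: hop n decrements TTL to 0 and returns ICMP Time Exceeded;
    the destination answers the UDP probe with ICMP Port Unreachable."""
    def probe(ttl: int) -> Reply:
        if ttl <= len(routers):
            hop = routers[ttl - 1]
            return ("timeout", None) if hop is None else ("time-exceeded", hop)
        return ("port-unreachable", dest)
    return probe


def traceroute(probe: Callable[[int], Reply], first_ttl: int = 1, max_ttl: int = 30,
               nprobes: int = 3) -> Tuple[List[Tuple[int, List[str]]], bool]:
    """Send probes with TTL = first_ttl, first_ttl+1, ... (the -f/-m/-q parameters)
    until the destination answers or max_ttl is reached.
    Returns ([(ttl, responders)], reached)."""
    hops: List[Tuple[int, List[str]]] = []
    for ttl in range(first_ttl, max_ttl + 1):
        replies = [probe(ttl) for _ in range(nprobes)]
        responders = sorted({addr for _, addr in replies if addr})
        hops.append((ttl, responders or ["*"]))   # "*" = no reply within the timeout
        if any(kind == "port-unreachable" for kind, _ in replies):
            return hops, True                     # destination reached
    return hops, False                            # gave up at max TTL


if __name__ == "__main__":
    path, reached = traceroute(make_simulated_probe(SAMPLE_ROUTERS, SAMPLE_DEST))
    for ttl, addrs in path:
        print(ttl, " ".join(addrs))
    print("destination reached" if reached else "gave up at max TTL")
```

A hop shown as “*” is not necessarily broken: many routers rate-limit or do not generate ICMP Time Exceeded messages, which is why the silent third hop above still forwards probes to the destination.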

The parameters of Traceroute are shown in the following:


<DPTECH>tracert
-f First time to live
-m Maximum time to live
-p UDP port number
-q Number of probe packets
-s Select source ip address
-w Timeout in milliseconds to wait for each reply
STRING Destination ip address or domain name

9.10.2.2 Tracert

Select Basic > Network Protocol > Diagnostic Tools > Tracert from navigation tree to enter
the Tracert page, enter the IP address that you want to diagnose, then click the Test button.
After a while, the page displays the returned Tracert result, as shown in the following figure.

Figure 9-32 Tracert

The parameters of Tracert page are shown in the following:

 Parameter: set the parameter of the Traceroute command.


 IP address: set the IP address for the test.
 Test: click Test button to start the Traceroute test.
 Serial number: display the sequence number of each hop that the packet passes through.
 Destination IP: display the address of each hop on the route from the device to the specified
address.
 Time interval: display the time interval of the Traceroute test.

9.10.2.3 Tracert6

Select Basic > Network Protocol > Diagnostic Tool > Tracert6 from navigation tree to enter
the Tracert6 page, enter the IPv6 address to be diagnosed (the parameter configuration is
optional) and click the Test button. After a while the page returns the Tracert6 result, as shown
in the figure below.


Figure 9-33 Tracert6

The description of each parameter on the Tracert6 page is as follows:

 Optional parameters: Set the command parameters of Traceroute.


 IPV6 address: set the IPV6 address for testing.
 Test: Click the Test button to start Traceroute test.
 Serial number: Display the serial number of the path through.
 Destination IP: Display the path taken by the device to reach the specified address.
 Time interval: Show the time interval of Traceroute test.

9.10.3 Remote capture

The remote capture function captures, replays and analyzes the packets that enter and leave the
device. It helps the user view the network status, network traffic and data transmission.


Select Basic > Network Protocol > Diagnostic Tools > Remote capture from navigation tree
and then enter to the capture page, as shown in the following figure.

Figure 9-34 Remote capture

The capture page has two parts: capture parameters and process capture result. The capture
parameters are shown in the following:

 Specify IP address:
 IP address: set the IP address type of the packets to be captured, including IPv4 and
IPv6.
 Source IP: set the source IP address of the packets to be captured.
 Destination IP: set the destination IP address of the packets to be captured.
 Specify protocol: set the protocol of the data packets to be captured, including ICMP, IGMP,
TCP, IGP, and so on.
 Capture length: set the length of the packets to be captured.
 Cap time: set the capture time, which cannot be more than 5 minutes.
 Cap number: set the number of packets to be captured.
 Cap progress: click the Start Cap button to start capturing packets on the specified
interface. Click the Stop button to stop capturing packets on the specified interface.
The process capture result section includes replaying and downloading the captured packets:

 Replay packet: select the interface and click the Replay Packet button.
 Download: click the Download button to download the captured file to the local host.


10 Authentication Configuration
10.1 Authentication configuration

10.1.1 Global configuration

Select Basic > Authentication Management > Authentication Configuration > Global
Configuration from navigation tree to enter the global configuration page, as shown in the
following figure.

Figure 10-1 Global configuration

The parameters of the global configuration page are described as follows:

 Redirect address: the redirected portal website address.


 Remote Portal server: Portal server address.


 Account login limit: Enable account login limit and the number of authentications that can be
passed by each account.
 User login conflict handling: Set operations after authentication conflicts, including retaining
authenticated users and logging out logged-in users.
 Number of login failures: The number of failed login attempts. The default value is 0, which
means it is not locked after login failure.
 Authentication port number: Portal authentication port number.
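
The account login limit, the login-failure lockout and the login-conflict handling described above interact, so here is an added example (not DPtech code) that models the three settings together: a guard that tracks consecutive failures per account, locks the account once the configured number is reached (0 means never lock, as on the page), caps concurrent logins per account (0 means unlimited) and, on a conflict, either retains the already authenticated user or logs out the oldest logged-in user. The class and method names, the lock duration, the outcome strings and the injected clock are assumptions.

```python
"""Portal account controls from the global configuration page (added example).

Models three of the page's settings: the account login limit (concurrent
logins per account, 0 = unlimited), the number of login failures before an
account is locked (0 = never lock) and the login-conflict handling choice
(keep the authenticated user, or log out the logged-in user). Class and
method names, the lock duration and the outcome strings are assumptions.
"""
from typing import Dict, List


class PortalAuthGuard:
    def __init__(self, login_limit: int = 0, max_failures: int = 0,
                 lock_seconds: int = 300, conflict: str = "keep") -> None:
        if conflict not in ("keep", "kick"):
            raise ValueError("conflict must be 'keep' (retain authenticated user) "
                             "or 'kick' (log out logged-in user)")
        self.login_limit = login_limit
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.conflict = conflict
        self.failures: Dict[str, int] = {}        # consecutive failures per account
        self.locked_until: Dict[str, float] = {}  # lock expiry (epoch seconds) per account
        self.sessions: Dict[str, List[str]] = {}  # client IPs logged in, oldest first

    def is_locked(self, user: str, now: float) -> bool:
        return self.locked_until.get(user, 0) > now

    def login(self, user: str, client_ip: str, password_ok: bool, now: float) -> str:
        """Process one authentication attempt; `now` is injected for testability."""
        if self.is_locked(user, now):
            return "locked"                 # do not even evaluate the password
        if not password_ok:
            count = self.failures.get(user, 0) + 1
            self.failures[user] = count
            if self.max_failures and count >= self.max_failures:
                self.locked_until[user] = now + self.lock_seconds
                self.failures[user] = 0
                return "locked"
            return "bad-password"
        self.failures[user] = 0             # success resets the failure counter
        active = self.sessions.setdefault(user, [])
        if client_ip in active:
            return "ok"                     # re-authentication from an existing session
        if self.login_limit and len(active) >= self.login_limit:
            if self.conflict == "keep":
                return "limit-reached"      # retain the authenticated user(s)
            kicked = active.pop(0)          # log out the oldest logged-in user
            active.append(client_ip)
            return "ok-kicked-" + kicked
        active.append(client_ip)
        return "ok"

    def logout(self, user: str, client_ip: str) -> bool:
        active = self.sessions.get(user, [])
        if client_ip in active:
            active.remove(client_ip)
            return True
        return False
```

Leaving the failure count at its default of 0 means an account is never locked, so password guessing against the portal is limited only by network speed; setting a small non-zero value closes that gap, while the "kick" conflict mode lets a legitimate user recover an account whose session was left open elsewhere.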

10.1.2 Authentication page customization

The custom page provides the function of setting a custom authentication page.

Select Basic > Authentication Management > Authentication Configuration >


Authentication page customization from navigation tree to enter the authentication page
customization page, as shown in the following figure.

Figure 10-2 Authentication page customization

The web authentication login page customization function is used to display information related
to the device user's web authentication login page, including Chinese and English titles and
background images under different terminals.

10.2 Authentication policy


The announcement configuration module provides the function of setting the content of
announcements on the portal page.

Select Basic > Authentication Management > Authentication Configuration >


Authentication Policy from navigation tree to enter the authentication policy page, as shown in
the following figure.


Figure 10-3 Authentication Policy

The authentication policy parameters are described as follows:

 Authentication strategy: enable/disable Web authentication strategy.


 Authentication method: authentication-free, password authentication.
 Authentication method:
 Local authentication: local user name and password authentication.
 TACACS+ authentication: TACACS+ authentication requires configuration of server
address and shared key.
 RADIUS primary authentication/RADIUS backup authentication: RADIUS
primary/backup authentication requires configuration of related parameters.
 LDAP1 authentication/LDAP2 authentication: LDAP authentication requires
configuration of related parameters.

10.3 Authentication user


The online user authentication module provides information about online users who have
passed Portal authentication.

Select Basic > Authentication Management > Authentication Configuration >


Authentication User from navigation tree to enter the authentication user page, as shown in the
following figure.

Figure 10-4 Online user

The online user page displays information about Portal authenticated online users, including
user name, IP address, online time, and description information. The information of online users
can be inquired by IP address, user name and description information.


10.4 Authentication server


Select Basic > Authentication Management > Authentication Configuration >
Authentication Server from navigation tree to enter the authentication server page, as shown in
the following figure.

Figure 10-5 Authentication server

Authentication server configuration:


 TACACS+ authentication: TACACS+ authentication requires configuration of server
address and shared key.
 RADIUS primary authentication/RADIUS backup authentication: RADIUS
primary/backup authentication requires configuration of related parameters.
 LDAP1 authentication/LDAP2 authentication: LDAP authentication requires
configuration of related parameters.


11 ACL management
11.1 Inbound ACL

11.1.1 IPV4 ACL

Select Basic > ACL Management > IPv4 ACL from navigation tree to enter the IPv4 ACL page,
as shown in the following figure.

Figure 11-1 IPv4 ACL

The IPv4 ACL configuration parameters are described as follows:

 Priority: Set the priority of IPv4 ACL rules, which is related to the configuration order in the
ACL list. The smaller the number, the higher the priority.
 Name: Set the name of the IPv4 ACL rule.
 Source IP/mask: Set the source IP address and mask that match the IPv4 ACL rule.
 Destination IP/mask: Set the destination IP address and mask that match the IPv4 ACL rule.
 Protocol type: Set the protocol type that matches the IPv4 ACL rule, click the list item of
"Protocol Type", and select it in the pop-up window.
 Packet priority: Set the packet priority type and its parameters that match IPv4 ACL rules.
 Physical port: Set the physical port that matches the IPv4 ACL rule.
 Action: Set the action to be taken on packets matching IPv4 ACL rules.
 Time zone: Click on the "Time zone" list item, and the time configuration window will appear.
Two time modes can be selected.
 Always effective: After the policy is issued and effective, it will remain effective.


 Weekly: select the “Weekly” radio button and configure the time period (time format
00:00); the policy then takes effect during this time period every day. Check the “Weekly”
check box and check one or more days from Monday to Sunday, and also configure the
time period; the policy then takes effect only on the selected days of the week.
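
The rule ordering and the time-window behaviour described above, as an added example that is not DPtech code: rules are evaluated in ascending priority number, the first match decides, and a rule with a weekly schedule matches only on the selected weekdays within its daily time window. The example goes beyond the IPv4 page in that the same matcher handles IPv6 rules (an IPv4 address simply never falls inside an IPv6 network, and vice versa); the rule names, the packet representation and the sample rule set (RFC 5737 and RFC 3849 documentation addresses) are assumptions.

```python
"""Ordered ACL evaluation with weekly time windows (added example).

Rules are matched in ascending priority number, as the page describes; this
example covers both IPv4 and IPv6 rules with the same code. Field names and the
packet representation are assumptions, not DPtech's data model.
"""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Optional, Set, Tuple

PROTO_NUMBER = {"any": None, "icmp": 1, "tcp": 6, "udp": 17, "icmpv6": 58}


@dataclass
class Schedule:
    """'Always effective' when days is None; otherwise weekday set + daily window."""
    days: Optional[Set[int]] = None          # 0 = Monday ... 6 = Sunday
    start: time = time(0, 0)
    end: time = time(0, 0)                   # end <= start means the window wraps midnight

    def active(self, when: datetime) -> bool:
        if self.days is None:
            return True
        if when.weekday() not in self.days:
            return False
        t = when.time()
        if self.start < self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end


@dataclass
class AclRule:
    priority: int
    name: str
    action: str                              # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    protocol: str = "any"
    port: Optional[str] = None               # physical port; None = any
    schedule: Schedule = field(default_factory=Schedule)

    def matches(self, pkt: Dict, when: datetime) -> bool:
        src_net, dst_net = ipaddress.ip_network(self.src), ipaddress.ip_network(self.dst)
        # an IPv4 address is never "in" an IPv6 network (and vice versa): no exception, just False
        if ipaddress.ip_address(pkt["src"]) not in src_net:
            return False
        if ipaddress.ip_address(pkt["dst"]) not in dst_net:
            return False
        wanted = PROTO_NUMBER[self.protocol]
        if wanted is not None and pkt["proto"] != wanted:
            return False
        if self.port is not None and pkt.get("port") != self.port:
            return False
        return self.schedule.active(when)


def evaluate(rules: List[AclRule], pkt: Dict, when: datetime,
             default: str = "permit") -> Tuple[str, Optional[str]]:
    """First match in priority order wins; `default` applies when nothing matches."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(pkt, when):
            return rule.action, rule.name
    return default, None


def decide_at(rules: List[AclRule], src: str, dst: str, proto: int,
              when_iso: str) -> Tuple[str, Optional[str]]:
    """Convenience wrapper: evaluate one packet at an ISO 8601 timestamp."""
    return evaluate(rules, {"src": src, "dst": dst, "proto": proto},
                    datetime.fromisoformat(when_iso))


# Constructed rule set (assumptions, documentation addresses)
SAMPLE_RULES = [
    AclRule(20, "office-hours-block-db", "deny", src="10.1.0.0/16", dst="192.0.2.0/24",
            protocol="tcp", schedule=Schedule({0, 1, 2, 3, 4}, time(9, 0), time(18, 0))),
    AclRule(10, "monitoring-host", "permit", src="10.1.0.5/32", dst="192.0.2.0/24"),
    AclRule(30, "v6-no-icmp", "deny", src="2001:db8::/32", dst="::/0", protocol="icmpv6"),
]
```

Because a lower number wins, the more specific permit for the monitoring host must carry a smaller priority number than the broad deny, otherwise it is never reached; reviewing an ACL for this kind of shadowing is a routine check after every rule change.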

11.1.2 IPV6 ACL

Select Basic > ACL Management > IPv6 ACL from navigation tree to enter the IPv6 ACL page,
as shown in the following figure.

Figure 11-2 IPv6 ACL

The IPv6 ACL configuration parameters are described as follows:

 Priority: Set the priority of IPv6 ACL rules, which is related to the configuration order in the
ACL list. The smaller the number, the higher the priority.
 Name: Set the name of the IPv6 ACL rule.
 Source IP/mask: Set the source IP address and mask that match the IPv6 ACL rule.
 Destination IP/mask: Set the destination IP address and mask that match the IPv6 ACL rule.
 Protocol type: Set the protocol type that matches the IPv6 ACL rule, click the list item of
"Protocol Type" and select it in the pop-up window.
 VLAN range: Set the VLAN range that matches the IPv6 ACL rule, you can choose any or
choose the VLAN range, and the value range is 1~4094.
 Packet priority: Set the packet priority type and its parameters that match IPv6 ACL rules.
 Physical port: Set the physical port that matches the IPv6 ACL rule.
 Action: Set the action to be taken on packets matching IPv6 ACL rules.
 Time zone: Click the "Time zone" list item, and the time configuration window appears,
and two time modes can be selected.
 Always effective: After the policy is issued and effective, it will remain effective.
 Weekly: select the “Weekly” radio button and configure the time period (time format
00:00); the policy then takes effect during this time period every day. Check the “Weekly”
check box and check Monday to Sunday


11.1.3 Resource allocation

Select Basic > ACL Management > Resource Allocation from navigation tree to enter the
resource allocation page, as shown in the following figure.

Figure 11-3 Resource allocation

The hardware resource allocation page shows the slice resources that can be allocated to ACL rules.


12 QoS Management
12.1 Basic QoS
QoS is quality of service. For network services, QoS covers the quality of the service provided,
including transmission bandwidth, transmission delay and packet loss rate. In the network,
measures such as guaranteeing transmission bandwidth and reducing transmission delay,
packet loss rate and jitter can improve the quality of service.

Network resources are always limited; as long as services compete for them, quality of service
needs to be guaranteed. QoS is relative among network services: while it guarantees the quality
of one service, other services may suffer. For example, with a fixed total network bandwidth, the
more bandwidth one kind of service occupies, the less is left for other services, which are then
affected. Therefore, network managers need to plan and allocate network resources according
to the characteristics of each service so that the resources are used efficiently.

QoS mainly has three kinds of traffic management technology: traffic classification, congestion
management and congestion avoidance. Traffic classification classifies traffic according to
certain rules and is the basis of QoS; congestion management and congestion avoidance control
network traffic and network resources by changing the order in which packets are forwarded and
by actively discarding packets, respectively.

CoS (Class of Service) is a method that groups similar kinds of traffic (such as e-mail, streaming
video, voice or large file transfers) and handles each group in the same way. Each class has its
own priority level. CoS makes it easier to control and upgrade the network when the network
structure is complex and traffic grows. Simply put, CoS is a mechanism that gives different data
different treatment, and it is part of the QoS service quality control standard.

12.1.1 CoS priority mapping

The CoS priority mapping configuration module provides the function of setting the port priority,
mapping configuration and the related parameters.

Select Basic > QoS Management > QoS Basic Configuration > Cos Priority Mapping from
navigation tree to enter the CoS priority mapping page, as shown in the following figure.


Figure 12-1 CoS priority mapping

The parameters of the CoS priority mapping configuration page are shown in the following:

 Port name: select the port on which you need to configure the port priority mapping.
 Priority trust model: select the priority trust mode: use port priority, trust DSCP priority,
trust CoS priority or trust IP priority.
 Internal priority mapping: select the internal priority mapping and set the corresponding
internal priority values. The higher the priority, the earlier the packets are processed.
 Drop priority mapping: set the order in which packets are dropped. Red packets have the
highest drop priority and are dropped first, then yellow packets, and green packets are
dropped last.
After you have finished the above configuration, click the Submit button in the upper right corner
of the page.

12.1.2 Congestion management

The congestion management configuration module allows user to limit port bandwidth and set
the queue scheduling mode function.

Select Basic > QoS Management > QoS Basic Configuration > Congestion management
from navigation tree to enter the congestion management page, as shown in the following figure.

Figure 12-2 Congestion management

The congestion management includes the guarantee bandwidth configuration and queue
scheduling mode configuration.

The bandwidth guarantee is mainly to set the maximum and minimum bandwidth values of the
port. The parameters of the bandwidth guarantee page are shown in the following:

 Port: select the interface for which you need to set the bandwidth guarantee.
 The minimum guarantee bandwidth: set the minimum guaranteed bandwidth of the interface.
The default value is 0 (no limit); the range is 64~10000000, in kbit/s.
 The maximum guaranteed bandwidth: set the maximum guaranteed bandwidth of the
interface. The default value is 0 (no limit); the range is 64~10000000, in kbit/s.
Queue scheduling mode configuration is mainly to set the queue scheduling mode of the port.
The parameters of queue scheduling mode are shown in the following:

 Port: select the interface to set the queue scheduling mode.


 Queue scheduling mode: SP mode, WRR mode or WDRR mode.
 Each weight particle size: 2K, 4K, 8K or 16K. This parameter can be configured only when
the queue scheduling mode is WDRR.
 CoS queue weight: set the CoS queue weight value. In SP mode the CoS queue weight does
not need to be set; in WRR or WDRR mode the default CoS queue weight is 0 (which means
this queue is scheduled in SP mode), in the range of 0 to 127.
After you have finished the above configuration, click the Submit button in the upper right corner.
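
The scheduling modes above, as an added example that is not DPtech code: in SP mode every queue is served strictly by CoS value; in WRR mode a queue whose weight is 0 is served strict-priority ahead of the weighted queues, and the weighted queues then share the link round-robin, each sending up to its weight in packets per round. WDRR (weighting by bytes rather than packets) is not modelled, arrivals during a scheduling pass are not modelled, and the queue contents, the weights and all names are constructed assumptions.

```python
"""Queue scheduling modes from the congestion management page (added example).

Models SP, WRR and the mixed case the page describes: in WRR mode a queue whose
weight is 0 is served strict-priority ahead of the weighted queues. Weighted
queues are served round-robin, `weight` packets per round. Arrivals during a
scheduling pass are not modelled. Names are assumptions, not DPtech code.
"""
from collections import deque
from typing import Deque, Dict, List, Tuple

Packet = str


def schedule(queues: Dict[int, Deque[Packet]], weights: Dict[int, int],
             mode: str = "WRR", budget: int = 64) -> List[Tuple[int, Packet]]:
    """Return the (cos, packet) sequence dequeued, at most `budget` packets."""
    if mode not in ("SP", "WRR"):
        raise ValueError("mode must be SP or WRR")
    out: List[Tuple[int, Packet]] = []
    cos_desc = sorted(queues, reverse=True)          # higher CoS = higher priority
    if mode == "SP":
        strict, weighted = cos_desc, []
    else:
        strict = [c for c in cos_desc if weights.get(c, 0) == 0]   # weight 0 => SP
        weighted = [c for c in cos_desc if weights.get(c, 0) > 0]
    # strict-priority queues are drained first, highest CoS first
    for c in strict:
        while queues[c] and len(out) < budget:
            out.append((c, queues[c].popleft()))
    # weighted round robin: each round, queue c may send up to weights[c] packets
    while len(out) < budget and any(queues[c] for c in weighted):
        for c in weighted:
            for _ in range(weights[c]):
                if not queues[c] or len(out) >= budget:
                    break
                out.append((c, queues[c].popleft()))
    return out


def sample_queues() -> Dict[int, Deque[Packet]]:
    """Constructed backlog: CoS 7 (voice), CoS 5 (video), CoS 3 (bulk)."""
    return {7: deque(["v1", "v2"]), 5: deque(["s1", "s2", "s3"]), 3: deque(["b1", "b2"])}


SAMPLE_WEIGHTS = {7: 0, 5: 2, 3: 1}   # weight 0 => strict priority within WRR mode
```

Pure SP lets a high-CoS flood starve every lower queue indefinitely, which is why the page's mixed mode (one strict queue for latency-critical traffic, weights for the rest) is the usual choice on a firewall that also carries management traffic.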

12.1.3 Congestion avoidance

Select Basic > QoS Management > QoS Basic Configuration > Congestion avoidance from
navigation tree to enter the congestion avoidance page, as shown in the following figure.

Figure 12-3 Congestion avoidance

There are two types of congestion avoidance configuration: configuring by port and configuring
by CoS queue.

Configuring by port applies congestion avoidance based on the port number. The parameters of
the congestion avoidance page are shown in the following:

 Port number: select the slot number for which you need to configure congestion avoidance.

Copyright © Hangzhou DPtech Technologies Co., Ltd. 12-3



• Message type: select the packet type: green TCP, yellow TCP, red TCP or non-TCP packets.
• Begin-to-drop-packet percentage %: the queue occupancy (as a percentage of the queue length) at which the device starts to drop packets randomly. The default value is 100; the range is 0 to 100.
• Drop-all-package percentage %: the queue occupancy at which all arriving packets are dropped. The default value is 100; the range is 0 to 100, and it must be larger than the begin-to-drop-packet percentage.
• Maximum packet drop rate %: the drop probability reached just below the drop-all threshold. The default value is 100; the range is 1 to 100.
Configuring by CoS queue applies congestion avoidance to a single CoS queue of a port. The parameters are as follows:

• Port number: select the port (slot/port number) on which to configure congestion avoidance.
• Message type: select the packet type: green TCP, yellow TCP, red TCP or non-TCP packets.
• Begin-to-drop-packet percentage %: the queue occupancy at which the device starts to drop packets randomly. The default value is 100; the range is 0 to 100.
• Drop-all-package percentage %: the queue occupancy at which all arriving packets are dropped. The default value is 100; the range is 0 to 100, and it must be larger than the begin-to-drop-packet percentage.
• Maximum packet drop rate %: the drop probability reached just below the drop-all threshold. The default value is 100; the range is 1 to 100.
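The three percentages define a random early detection curve per packet colour. The following added example (written for this page, not DPtech code) shows that curve and the validation the page requires; the per-colour profile values are constructed, and it assumes that the two percentages are queue-occupancy thresholds and that the default pair 100/100 means plain tail drop, the one case in which the thresholds may be equal.

```python
"""Added example (not DPtech code): the random-early-drop curve defined by the
three congestion-avoidance parameters on the page, one profile per packet
colour. Assumption: the two percentages are queue-occupancy thresholds and the
defaults (100/100) mean plain tail drop, which is the one case in which the
two thresholds may be equal."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class DropProfile:
    begin_drop_pct: float     # occupancy at which random drops start (0..100)
    drop_all_pct: float       # occupancy at which every packet is dropped (0..100)
    max_drop_rate_pct: float  # drop probability reached just below drop_all (1..100)

    def __post_init__(self):
        if not (0 <= self.begin_drop_pct <= 100 and 0 <= self.drop_all_pct <= 100):
            raise ValueError("thresholds must be within 0..100")
        if not 1 <= self.max_drop_rate_pct <= 100:
            raise ValueError("maximum packet drop rate must be within 1..100")
        if self.drop_all_pct < self.begin_drop_pct or (
                self.drop_all_pct == self.begin_drop_pct != 100):
            raise ValueError("drop-all percentage must be larger than begin-to-drop percentage")

    def drop_probability(self, occupancy_pct):
        """Probability of dropping an arriving packet at the given queue occupancy."""
        if occupancy_pct >= self.drop_all_pct:
            return 1.0
        if occupancy_pct < self.begin_drop_pct:
            return 0.0
        # Linear ramp from 0 at begin_drop to max_drop_rate just below drop_all.
        span = self.drop_all_pct - self.begin_drop_pct
        return (occupancy_pct - self.begin_drop_pct) / span * (self.max_drop_rate_pct / 100.0)

    def curve(self, step=10):
        """(occupancy, drop probability) samples, handy for comparing colours."""
        return [(o, self.drop_probability(o)) for o in range(0, 101, step)]


# Constructed per-colour profiles: drop red TCP first and hardest, protect green
# TCP, and never early-drop non-TCP (it does not back off, so early drops only
# waste bandwidth; tail drop at 100 % is the only sensible setting for it).
PROFILES = {
    "green TCP":  DropProfile(begin_drop_pct=60, drop_all_pct=100, max_drop_rate_pct=10),
    "yellow TCP": DropProfile(begin_drop_pct=40, drop_all_pct=90,  max_drop_rate_pct=30),
    "red TCP":    DropProfile(begin_drop_pct=20, drop_all_pct=80,  max_drop_rate_pct=50),
    "non-TCP":    DropProfile(begin_drop_pct=100, drop_all_pct=100, max_drop_rate_pct=100),
}


def admit(colour, occupancy_pct, rng=random):
    """True if the packet is enqueued, False if congestion avoidance drops it."""
    return rng.random() >= PROFILES[colour].drop_probability(occupancy_pct)
```

The ordering of the colours is the point: at 50 % occupancy red TCP packets are already dropped with probability 0.25 while green TCP is untouched, so a flow that a QoS policy has remarked red is throttled before it can push the conforming traffic out of the queue.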

12.2 QoS policy

12.2.1 QoS flow template

Select Basic > QoS Management > QoS Policy > QoS flow template from navigation tree to
enter the QoS flow template page, as shown in the following figure.

Figure 12-4 QoS flow template

Configure the flow template name, source/destination MAC address, source/destination IP address, protocol type and priority. You can add multiple QoS flow template entries.

Protocol types include any, TCP, UDP and custom. After selecting the protocol type you can configure the port number.

Priority includes any, DSCP, IP precedence and CoS. After selecting the priority type you can configure its value.

12.2.2 QoS policy configuration

Select Basic > QoS Management > QoS Policy > QoS policy configuration from navigation
tree to enter the QoS policy configuration page, as shown in the following figure.

Figure 12-5 QoS policy configuration

The QoS policy configuration module sets the parameters of a QoS policy: policy name, policy type, policy object, action, time and application object.

• Policy name: the name of the QoS policy.
• Policy type: the type of the QoS policy: flow, user object (IPv4), user object (IPv6) or user object group (IPv4).
• Policy object: the object to which the QoS policy applies; the selectable objects depend on the policy type.
• Action: the QoS action taken on packets that match the policy: bandwidth, remark or local priority.
• Time: the time range during which the QoS policy takes effect.
• Application object: the interface to which the QoS policy is applied.

12.2.3 QoS policy show

Select Basic > QoS Management > QoS Policy > QoS policy show from navigation tree to
enter the QoS policy show page, as shown in the following figure.

Figure 12-6 QoS policy show

The QoS policy show page displays the statistics of each QoS policy: policy name, number of matched flows, and number of green, yellow and red packets passed. Click the clear icon of a policy to clear that policy's statistics; click the Clear All Policy Statistics icon to clear the statistics of all policies.

12.3 Port rate limit


Port rate limit is a port-based traffic limiting technology that controls the ingress and egress packet rate of a port.

Select Basic > QoS Management > Port Rate Configuration from navigation tree to enter the
port rate configuration page, as shown in the following figure.

Figure 12-7 Port rate configuration

The parameters of the port rate configuration page are as follows:

• No.: the serial number of the port rate configuration entry.
• Port name: the name of the port whose rate is limited.
• Egress port packet rate: the egress packet rate limit. Limiting egress bursts protects the downstream link from abnormal traffic and flooding attacks.
• Ingress port packet rate: the ingress packet rate limit. Limiting ingress bursts protects the device itself from abnormal traffic and flooding attacks.




13 High Availability
For online services, continuous business traffic is vital. The security gateway is an important part of the network and almost all business traffic flows through it, so if it is a single point of failure, a device fault interrupts the business. The basic problem of high availability is how to keep the network running through such faults.

The most common way to remove a single point of failure is redundant equipment: deploy two or more security gateways that back each other up. Under normal conditions business traffic passes through the master device; when the master fails, the standby device takes over its work, so the business continues. DPtech devices provide VRRP and dual-system hotbackup solutions, combined with an overload protection mechanism, to achieve high availability of the security gateway.

13.1 Management defend


Select Basic > QoS Management > Management Defend from navigation tree to enter the
management defend page, as shown in the following figure.

Figure 13-1 Management defend

13.2 Overload protect


The overload protection module provides the function of preventing device overload by limiting
the number of sessions processed by the device per second.

Select Basic > QoS Management > Overload Protection from navigation tree to enter the
overload protection page, as shown in the following figure.




Figure 13-2 Overload protection

13.3 Hotbackup
Hotbackup is a redundancy technology that solves the service interruption caused by a single point of failure through data synchronization and traffic switchover. After the function is enabled, the two firewalls deployed at the same access point synchronize data; if one device fails, the traffic that it was processing is switched to the other device. Hotbackup avoids service interruption and improves network stability and reliability.

Hotbackup supports two modes: master/standby mode and load-sharing mode. A device's role is decided by whether service traffic flows through it: the device carrying the traffic is the master and the other is the standby. Traffic is switched with the help of VRRP or a dynamic routing protocol; the usual deployment combines VRRP with hotbackup.

In master/standby mode one device is the master and the other is the standby. The master processes all services and sends its session information to the standby; the standby processes no service and only backs up the session information. When the master fails, the standby takes over and processes the services, so new sessions can be established and existing sessions are not interrupted.




Figure 13-3 Master and slave mode

In load-sharing mode both devices are masters and both handle network traffic. They back each other up and synchronize each other's sessions. When one device fails, the other takes over all services, so new sessions can be established and running sessions are not interrupted.




Figure 13-4 Load balancing mode

13.3.1 Hotbackup configuration

The device provides two hotbackup schemes:

• Ordinary hotbackup: the two devices synchronize and back up only part of each other's configuration; sessions are not synchronized.
• Silence hotbackup: the master and standby synchronize both configuration and sessions. The master is in working state and handles service traffic normally; the standby is in silence state and does not handle any packets on its service interfaces. When the heartbeat times out, the standby automatically switches to working state, sends gratuitous ARP packets so that neighbours relearn the MAC address behind the service addresses, and takes over the master's role and service traffic.
The hotbackup module provides the function of setting the type and parameters of hotbackup.

Select Basic > High availability > Hotbackup > Hotbackup Configuration from navigation
tree to enter the hotbackup configuration page, as shown in following figure.




Figure 13-5 Hotbackup configuration

The parameters of the hotbackup configuration page are as follows:

• Hotbackup configuration: enable the hotbackup function.
• Synchronous configuration:
  - Synchronous interface: the interface over which hotbackup synchronization traffic is sent.
  - Remote IP: the IP address of the remote device.
  - Disable synchronous module of ordinary: modules excluded from ordinary hotbackup synchronization: VPN module, route module, VLAN module and session module.
  - Disable synchronous module of silence: modules excluded from silence hotbackup synchronization: VPN module, route module, VLAN module and session module.
  - Disable all synchronization modules: disable synchronization of all modules.
• Hotbackup type: when you select the silence hotbackup option, the following parameters can be configured:
  - Initial PRI: the initial priority of the device in silence hotbackup, in the range 0 to 255.
  - Heartbeat interface: the interface over which heartbeat packets are exchanged.
  - Heartbeat interval: the interval between heartbeat packets, in the range 1 to 240 seconds.
  - Neighbor timeout: the time without a heartbeat after which the peer is considered failed, in the range 1 to 240 seconds. The neighbor timeout must be larger than the heartbeat interval; otherwise a single delayed heartbeat triggers a switchover.
  - Gratuitous ARP algorithm: multiple step or keep step. The default is multiple step.
  - Start interval: the initial interval of gratuitous ARP sending.
  - Sending times: the number of gratuitous ARP packets sent.
  - Silence interfaces: the interfaces placed in silence state, configured in the list.
  - Monitor interfaces: the interfaces whose link state is monitored, configured in the list.




Figure 13-6 Hotbackup configuration

13.3.2 State and maintenance of hotbackup

The state and maintenance of hotbackup page synchronizes the configuration of the local device to the remote device and reboots the remote device.

Select Basic > High availability > Hotbackup > State and Maintenance of Hotbackup from the navigation tree to enter the State and Maintenance of Hotbackup page, as shown in the following figure.

Figure 13-7 State and Maintenance of Hotbackup

This page shows the hotbackup status. Click the Synchronous button to synchronize the local configuration to the remote device. Click the Reboot button to reboot the remote device.

13.4 Session synchronous


Select Basic > High availability > Hotbackup > Session Synchronous from navigation tree to
enter the session synchronous page, as shown in following figure




Figure 13-8 Session synchronous

The session synchronization page has three parts: session synchronization, advanced configuration and session synchronization filter conditions.

Select the Enable checkbox to enable session synchronization and select the session synchronization port. Session information, including the aging state, is then synchronized in real time.

The advanced configuration parameters are as follows:

• Batch backup: after this function is enabled, the active device backs up its session information to the standby device in batches. It is typically used when the software of a hotbackup pair is being upgraded.
• Fast backup: after this function is enabled, session information is synchronized in real time but the aging state is not. It is typically used in asymmetric routing environments, where the return traffic of a session may arrive at the other device.
The parameters of the session synchronization filter conditions are as follows:

• ID: the ID number of the filter condition.
• Source address/wildcard mask: the session source address and wildcard mask.
• Destination address/wildcard mask: the session destination address and wildcard mask.
• Service: the session service: all, predefined or custom.
After the configuration is complete, click the Confirm button at the top right of the page.
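A wildcard mask is the inverse of a netmask (0 bits must match, 1 bits are don't-care), and entering a netmask in its place silently matches the wrong sessions. The following added example, written for this page and not DPtech code, evaluates constructed filter conditions against constructed sessions; it assumes that a session is synchronized when it matches any filter, that every session is synchronized when no filter is configured, that a session is identified by source IP, destination IP, protocol and destination port, and that the predefined service names shown are a subset of the device's.

```python
"""Added example (not DPtech code): matching sessions against the session
synchronization filter conditions on the page. Sample filters and sessions are
constructed. Assumptions: a session is synchronized when it matches any filter,
every session is synchronized when no filter is configured, and a session is
described by (source IP, destination IP, protocol, destination port)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SyncFilter:
    fid: int
    src: str
    src_wildcard: str   # wildcard mask: 0 bits must match, 1 bits are don't-care
    dst: str
    dst_wildcard: str
    service: str        # "all", a predefined name, or "custom:<proto>/<port>"


# Assumed subset of the device's predefined services.
PREDEFINED = {"http": ("tcp", 80), "https": ("tcp", 443), "dns": ("udp", 53)}


def wildcard_match(addr, base, wildcard):
    """ACL-style wildcard comparison (the inverse of a netmask): only the bits
    that are 0 in the wildcard have to be equal."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == b & care


def service_match(proto, dport, service):
    if service == "all":
        return True
    if service.startswith("custom:"):
        p, port = service[len("custom:"):].split("/")
        return proto == p and dport == int(port)
    return PREDEFINED.get(service) == (proto, dport)


def matching_filter(session, filters):
    """Return the ID of the first filter the session matches, or None."""
    src, dst, proto, dport = session
    for f in filters:
        if (wildcard_match(src, f.src, f.src_wildcard)
                and wildcard_match(dst, f.dst, f.dst_wildcard)
                and service_match(proto, dport, f.service)):
            return f.fid
    return None


def session_is_synced(session, filters):
    return not filters or matching_filter(session, filters) is not None


# Constructed filters: sync HTTPS sessions from 10.1.0.0/16 to anywhere, and
# everything from 192.168.10.0/24 into 10.0.0.0/8.
FILTERS = [
    SyncFilter(1, "10.1.0.0", "0.0.255.255", "0.0.0.0", "255.255.255.255", "https"),
    SyncFilter(2, "192.168.10.0", "0.0.0.255", "10.0.0.0", "0.255.255.255", "all"),
]
```

The last two assertions in the accompanying check show the trap: with the netmask 255.255.255.0 typed into the wildcard field, 192.168.10.20 no longer matches 192.168.10.0 while the unrelated 10.9.9.0 does, because only the host octet is compared.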

13.5 VRRP

13.5.1 VRRP introduction

VRRP (Virtual Router Redundancy Protocol) is a fault-tolerant protocol. Usually all hosts in the same network set the same default route, whose next hop is the network gateway. Hosts send packets destined for other network segments to the gateway through this default route, and the gateway forwards them, so the hosts can communicate with external networks. If the gateway fails, every host in the segment that uses it as its default route loses connectivity to the external network.
1. VRRP realization method
VRRP was proposed to solve the single-point gateway failure. VRRP groups several routers in a LAN into a backup group, which consists of one Master router and several Backup routers and behaves as one virtual router. A VRRP backup group has the following characteristics:

• The virtual router has its own IP address, the virtual IP address. LAN hosts only need to know the virtual IP address and set it as the next hop of their default route.
• Hosts in the network communicate with external networks through this virtual router.
• According to the priorities of the routers in the backup group, a Master router is elected that acts as the network gateway. The other routers are Backup routers; when the Master fails, one of them takes over the Master role, so the hosts keep communicating with external networks without interruption.

Figure 13-9 VRRP backup group

The virtual router has its own IP address, 10.100.10.1. The routers in the backup group have their own IP addresses (for example the Master is 10.100.10.11 and the Backup is 10.100.10.12). The LAN hosts only know the virtual router IP address 10.100.10.1, not the addresses of the Master and Backup routers, and set 10.100.10.1 as the next hop of their default route. Hosts therefore reach other networks through the virtual router. If the Master router in the backup group fails, the Backup routers elect a new Master according to the election policy, which continues to provide routing for the hosts in the network, so they communicate with the external network without interruption.
2. VRRP working principle
Each VRRP backup group has a unique identifier, the VRID, in the range 1 to 255. To the outside the virtual router has a unique virtual MAC address of the form 00-00-5E-00-01-[VRID]. The Master router answers ARP requests for the virtual IP address with this MAC address, so whichever router is currently Master, hosts always see the same IP and MAC address, and a master/backup switchover has minimal effect on them.

VRRP has only one kind of control packet, the VRRP advertisement. It is encapsulated in an IP multicast packet sent to 224.0.0.18. Advertisements stay within the local area network, so a VRID can be reused in a different network. To reduce bandwidth consumption only the Master router sends advertisements periodically. If a Backup router receives no advertisement for three consecutive advertisement intervals, or receives an advertisement with priority 0, it automatically starts a new Master election.

Within a VRRP backup group the Master router is elected according to router priority. The VRRP priority range is 0 to 255. If a router's own interface IP address is the same as the virtual IP address, that router is the IP address owner of the VRRP group and automatically has the highest priority, 255. Priority 0 is used when the Master gives up its role. The configurable range is 1 to 254; choose priorities according to link speed and cost, router performance and reliability, and other management policies. The router with the highest priority wins the election, so the IP address owner, when present, always becomes Master. Routers with the same priority are ordered by IP address, the higher address winning. A preemption policy is also provided: when it is configured, a higher-priority Backup router replaces a lower-priority Master and becomes the new Master.

To secure the VRRP protocol two authentication methods are provided: plaintext authentication and MD5 authentication. Plaintext authentication requires a router joining the VRRP group to present the same VRID and plaintext password; it is suitable for avoiding configuration mistakes in the LAN, but cannot stop an attacker from reading the password by sniffing the network. MD5 authentication provides higher security: advertisements carry a keyed digest, so they cannot be forged or modified without the key.
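The election rules and the plaintext-password exposure above are concrete enough to exercise in code. The following is an added example written for this page, not DPtech code: it builds and parses a VRRPv2 advertisement using the RFC 3768 packet layout (with the RFC 2338 authentication field, where type 1 is simple text), derives the virtual MAC, computes the master-down timer and runs the election. The VRID, addresses, priorities and password are constructed; the page's MD5 authentication is a vendor feature and is not implemented here.

```python
"""Added example (not DPtech code): building, verifying and parsing a VRRPv2
advertisement, plus the master election and the timer that drives it. Packet
layout follows RFC 3768 (fields as in RFC 2338, where auth type 1 is simple
text); all addresses, passwords and priorities below are constructed."""
import ipaddress
import struct

VRRP_MCAST = "224.0.0.18"   # advertisements are link-local multicast, IP protocol 112
AUTH_NONE, AUTH_SIMPLE_TEXT = 0, 1


def virtual_mac(vrid):
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return f"00:00:5e:00:01:{vrid:02x}"


def inet_checksum(data):
    """Standard ones'-complement Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advert(vrid, priority, vips, adver_int=1, auth_type=AUTH_NONE, password=b""):
    """VRRPv2 advertisement: version 2, type 1, checksum over the whole message."""
    hdr = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(vips), auth_type, adver_int, 0)
    body = b"".join(ipaddress.IPv4Address(v).packed for v in vips)
    body += password[:8].ljust(8, b"\x00")       # 8 bytes of authentication data, in clear
    pkt = hdr + body
    return pkt[:6] + struct.pack("!H", inet_checksum(pkt)) + pkt[8:]


def parse_advert(pkt):
    """Validate the checksum and return the fields a Backup router acts on."""
    if inet_checksum(pkt) != 0:
        raise ValueError("VRRP checksum mismatch")
    vt, vrid, priority, count, auth_type, adver_int, _ = struct.unpack("!BBBBBBH", pkt[:8])
    if vt >> 4 != 2 or vt & 0x0F != 1:
        raise ValueError("not a VRRPv2 advertisement")
    vips = [str(ipaddress.IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    auth_data = pkt[8 + 4 * count:16 + 4 * count]
    return {"vrid": vrid, "priority": priority, "vips": vips, "adver_int": adver_int,
            "auth_type": auth_type, "auth_data": auth_data}


def master_down_interval(adver_int, local_priority):
    """Seconds a Backup waits without advertisements before starting an election:
    3 * Advertisement_Interval + Skew_Time, where Skew_Time = (256 - Priority) / 256."""
    return 3 * adver_int + (256 - local_priority) / 256


def elect_master(routers, vip):
    """routers: [(interface IP, configured priority)]. The IP address owner always
    has priority 255; priority 0 means the router is giving up the Master role;
    equal priorities are broken by the higher IP address."""
    def effective(r):
        ip, prio = r
        return 255 if ip == vip else prio
    candidates = [r for r in routers if effective(r) > 0]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (effective(r), int(ipaddress.IPv4Address(r[0]))))[0]
```

Two things to take from running it: the skew time makes a higher-priority Backup notice a dead Master slightly sooner than a lower-priority one, which is what keeps two Backups from both claiming the role; and parse_advert hands back the plaintext password verbatim, which is exactly what any host on the segment sees, so plaintext authentication only guards against misconfiguration, as the text above says.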




13.5.2 IPv4 VRRP

Select Basic > High Availability > VRRP > IPv4 VRRP from navigation tree to enter the IPv4
VRRP page, as shown in following figure.

Figure 13-10 IPv4 VRRP

The IPv4 VRRP page adds an interface to an IPv4 VRRP backup group, assigns the virtual IP address and configures the VRRP version and related parameters. The parameters of IPv4 VRRP are as follows:

• ID: the serial number of the configuration item.
• Interface: the interface on which the VRRP backup group runs.
• VRID: the backup group ID.
• Virtual address: the virtual IP address of the VRRP backup group.
• Detailed parameters: the VRRP version and related parameters.
• Protocol status: the status of the VRRP protocol.
• Configure status: whether the VRRP backup group is enabled or disabled.

13.5.3 IPv6 VRRP

Select Basic > High Availability > VRRP > IPv6 VRRP from navigation tree to enter the IPv6
VRRP page, as shown in following figure.

Figure 13-11 IPv6 VRRP

The IPv6 VRRP page adds an interface to an IPv6 VRRP backup group, assigns the virtual IPv6 address and configures the VRRP version and related parameters. The parameters of IPv6 VRRP are as follows:

• ID: the serial number of the configuration item.
• Interface: the interface on which the VRRP backup group runs.
• VRID: the backup group ID.
• Virtual address: the virtual IPv6 address of the VRRP backup group.
• Detailed parameters: the VRRP version and related parameters.
• Protocol status: the status of the VRRP protocol.
• Configure status: whether the VRRP backup group is enabled or disabled.

13.6 VRRP synchronization


Select Basic > High Availability > VRRP Synchronization from navigation tree to enter the
VRRP synchronization page, as shown in following figure.

Figure 13-12 VRRP synchronization

In scenarios where several VRRP backup groups run on several links, synchronizing the VRRP state lets the links switch over together, keeping the uplink and downlink states consistent and improving network stability. Associate two or more VRRP backup groups and set one of them as the master VRRP group; the slave groups must always be in the same state as the master group and no longer negotiate master/backup through advertisements and priorities.

13.7 Interface synchronization group


An interface synchronization group speeds up the response to link changes. If the link state of any member interface is down, the group state is down; the group state is up only when all member interfaces are up.

Select Basic > High Availability > Interface Synchronization Group from navigation tree to
enter the interface synchronization page, as shown in following figure.




Figure 13-13 Interface synchronization group

Configure the synchronization group name, select the ports, and click the OK button.

13.8 BFD
BFD (Bidirectional Forwarding Detection) provides fast forwarding-path failure detection for upper-layer routing protocols. A BFD session is established between two adjacent systems, which periodically send BFD control packets over the link between them; if the packets stop arriving, BFD reports the path as down. This lets routes converge quickly and keeps services continuous.

13.8.1 BFD

The BFD public configuration module sets the session initialization mode, the multi-hop parameters and the interface parameters.

Select Basic > High Availability > BFD > BFD Public Configuration from navigation tree to
enter the BFD public configuration page, as shown in following figure.

Figure 13-14 BFD public configuration

The parameters of the BFD public configuration page are as follows:

• Session init mode: active or passive; selected before a BFD session is established. At least one of the two systems establishing a BFD session must be in active mode, otherwise neither ever sends the first control packet.
  - Active mode: before a BFD session is established, BFD actively sends control packets regardless of whether any control packet has been received from the peer.
  - Passive mode: before a BFD session is established, BFD sends no control packets until a control packet is received from the peer.
• Multi-hop configuration: BFD detects any of the paths between two systems. These paths have multiple hops and may overlap.
  - Min TX interval: the minimum interval at which this system sends BFD control packets, in the range 100 to 999 ms.
  - Min RX interval: the minimum interval at which this system can accept BFD control packets from its peer, in the range 100 to 999 ms.
  - Detect Mult: the detection time multiplier, in the range 3 to 50. The peer declares the session down after Detect Mult times the agreed transmit interval without receiving a packet.
  - Auth type: the authentication mode for BFD control packets.
  - Key ID: the key ID for the selected authentication mode, in the range 0 to 255.
  - Key: the key for the selected authentication mode.
• Interface configuration: select an interface and set its minimum sending interval, minimum receiving interval, detection multiplier, authentication type, key ID and key. The meanings are the same as in the multi-hop configuration above.
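How the init mode and the two timers interact is best seen by running the session bring-up. The following added example, written for this page and not DPtech code, builds and parses RFC 5880 control packets, walks two sessions through the Down/Init/Up exchange in active and passive mode, and computes the detection time each side actually uses. Discriminators and timer values are constructed, and the range checks are the ones the page gives for this device (100 to 999 ms, Detect Mult 3 to 50), which are narrower than the protocol allows.

```python
"""Added example (not DPtech code): a BFD control packet (RFC 5880 section 4.1)
builder/parser, the session bring-up in active and passive mode, and the
detection-time formula. Discriminators and timers are constructed; the
device's ranges from the page (100..999 ms, Detect Mult 3..50) are enforced."""
import struct

ADMIN_DOWN, DOWN, INIT, UP = 0, 1, 2, 3
_FMT = "!BBBBIIIII"   # vers/diag, state/flags, detect mult, length, my/your disc, 3 timers (us)


def build_control(state, detect_mult, my_disc, your_disc, des_min_tx_us, req_min_rx_us):
    return struct.pack(_FMT, (1 << 5), (state & 0x3) << 6, detect_mult, 24,
                       my_disc, your_disc, des_min_tx_us, req_min_rx_us, 0)


def parse_control(pkt):
    vers_diag, sta_flags, mult, length, my_disc, your_disc, tx, rx, _ = struct.unpack(_FMT, pkt[:24])
    if vers_diag >> 5 != 1 or length != len(pkt) or mult == 0 or my_disc == 0:
        raise ValueError("malformed BFD control packet")
    return {"state": sta_flags >> 6, "detect_mult": mult, "my_disc": my_disc,
            "your_disc": your_disc, "des_min_tx_ms": tx // 1000, "req_min_rx_ms": rx // 1000}


class BfdSession:
    def __init__(self, my_disc, des_min_tx_ms, req_min_rx_ms, detect_mult, active=True):
        if not (100 <= des_min_tx_ms <= 999 and 100 <= req_min_rx_ms <= 999):
            raise ValueError("intervals must be 100..999 ms")
        if not 3 <= detect_mult <= 50:
            raise ValueError("detect mult must be 3..50")
        self.my_disc, self.active = my_disc, active
        self.des_min_tx_ms, self.req_min_rx_ms, self.detect_mult = des_min_tx_ms, req_min_rx_ms, detect_mult
        self.state, self.your_disc, self.remote = DOWN, 0, None

    def outgoing(self):
        """Packet to send now; a passive system stays silent until it hears its peer."""
        if not self.active and self.remote is None:
            return None
        return build_control(self.state, self.detect_mult, self.my_disc, self.your_disc,
                             self.des_min_tx_ms * 1000, self.req_min_rx_ms * 1000)

    def receive(self, pkt):
        p = parse_control(pkt)
        if p["your_disc"] not in (0, self.my_disc):
            raise ValueError("packet belongs to another session")
        self.remote, self.your_disc = p, p["my_disc"]
        # Receive-side transitions of RFC 5880 section 6.8.6.
        if self.state == DOWN and p["state"] == DOWN:
            self.state = INIT
        elif self.state == DOWN and p["state"] == INIT:
            self.state = UP
        elif self.state == INIT and p["state"] in (INIT, UP):
            self.state = UP
        elif self.state == UP and p["state"] in (DOWN, ADMIN_DOWN):
            self.state = DOWN

    def detection_time_ms(self):
        """Remote Detect Mult x the peer's effective transmit interval
        (the greater of our Required Min RX and its Desired Min TX)."""
        if self.remote is None:
            return None
        return self.remote["detect_mult"] * max(self.req_min_rx_ms, self.remote["des_min_tx_ms"])


def bring_up(a, b, max_rounds=5):
    """Exchange one packet each way per round; return the round in which both
    sessions reached Up, or None if the session can never be established."""
    for rnd in range(1, max_rounds + 1):
        pa, pb = a.outgoing(), b.outgoing()
        if pa:
            b.receive(pa)
        if pb:
            a.receive(pb)
        if a.state == UP and b.state == UP:
            return rnd
    return None
```

Two active peers come up in two rounds, an active/passive pair needs three, and two passive peers never come up, which is the "at least one active" rule above. Note also that the detection time is asymmetric: each side uses the peer's multiplier and the peer's effective transmit interval, so setting a short Min RX interval locally does nothing if the peer's Min TX interval is long.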

13.8.2 BFD manual configuration

The BFD manual configuration module establishes BFD sessions through manual configuration by the user.

Select Basic > High availability > BFD > BFD Manual Configuration from navigation tree to
enter to the BFD manual page, as shown in following figure:

Figure 13-15 BFD manual configuration

The BFD manual page includes multi-hop manual configuration and single-hop manual configuration.

• The parameters of multi-hop manual configuration are as follows:
  - Source IP: the IP address of the local interface that connects to the BFD neighbor.
  - Destination IP: the IP address of the BFD neighbor.
  - Local discriminator: a unique, nonzero value generated by the transmitting system; it demultiplexes multiple BFD sessions between the same pair of systems.
  - Remote discriminator: the discriminator received from the peer, that is, the peer's local discriminator.
• The parameters of single-hop manual configuration are as follows:
  - Interface: the name of the interface that connects to the BFD neighbor.
  - Source IP: the IP address of the local interface that connects to the BFD neighbor.
  - Destination IP: the IP address of the BFD neighbor.
  - Local discriminator: a unique, nonzero value generated by the transmitting system; it demultiplexes multiple BFD sessions between the same pair of systems.
  - Remote discriminator: the discriminator received from the peer, that is, the peer's local discriminator.

13.8.3 BFD session information

The display BFD session information module shows the source IP, destination IP, interface, hop type, session state and other details of each BFD session.

Select Basic > High Availability > BFD > Display BFD Session Information from the navigation tree to enter the display BFD session information page, as shown in the following figure:

Figure 13-16 Display BFD session information

The parameters of the display BFD session information page are as follows:

• Source IP: the source IP address of the BFD session packets.
• Destination IP: the destination IP address of the BFD session packets.
• Interface: the name of the interface that connects to the neighbor.
• Hop: the type of the BFD session: multi-hop or single-hop.
• Status: the state of the BFD session.
• Detail information: the detailed BFD parameters, including the minimum sending interval, the minimum receiving interval, the detection multiplier, the authentication type, the discriminator values, etc.




13.9 ULDP

13.9.1 ULDP configuration

The ULDP configuration module sets the ULDP parameters: enable status, DOWN working mode, timers, port authentication, ULDP port configuration, etc.

Select Basic > High Availability > BFD > ULDP Configuration from navigation tree to enter
the ULDP configuration page, as shown in following figure:

Figure 13-17 ULDP configuration

The parameters of the ULDP configuration page are as follows:

• Start ULDP: enable the ULDP function.
• DOWN working mode: automatic mode or manual mode.
• Advertisement timer: the value of the advertisement timer.
• Delay Down timer: the value of the delay-down timer.
• Port authentication: the authentication mode (simple, md5 or none) and the authentication password.
• ULDP port: the ports on which ULDP is enabled.

13.9.2 ULDP show

The ULDP show module displays the ULDP state: port name, neighbor table entries, neighbor status, port status, reset, etc.

Select Basic > High Availability > BFD > ULDP show from navigation tree to enter the ULDP
show page, as shown in following figure:




Figure 13-18 ULDP show

The parameters of the ULDP show page are as follows:

• Auto refresh: automatically refresh the ULDP information at the selected interval.
• Manual refresh: click the Manual refresh button to refresh the information immediately.
• Port name: the name of the ULDP port.
• Neighbor table entry: the ULDP neighbors of the port.
• Neighbor status: the ULDP neighbor status of the port.
• Port status: the status of the port.
• Reset: reset information.




14 Log Management
14.1 System log
The system log records system hardware information, system software information and abnormal events, and it also monitors system events. Users can locate errors through it, or find the traces left by an attack after one has occurred. The system log page provides the following functions:

• Latest log: display the latest 25 system logs.
• System log query: query the system logs by severity level and time.
• System log file management: save and delete log files.
• System log configuration: configure the remote log host to which logs are sent, and the log retention time.

14.1.1 Latest log

Select Basic > Log Management > System log > Latest log from navigation tree to enter the
latest log page, as shown in following figure.

Figure 14-1 Latest log

The parameters of the latest log page are as follows:

• No.: the serial number of the log entry.
• Time stamp: the time at which the log was generated.
• Module: the module that generated the log.
• Severity level: the severity level of the log: emergency, alert, critical, error, warning, notice, informational or debug.
• Log content: the description of the log event.
Some functions of the page:

• Auto-refresh: select the Auto-refresh checkbox and choose the refresh interval; the page then refreshes automatically every N seconds.
• Manual refresh: click the Manual button to refresh the latest log page immediately.
• Export: click the Export button at the bottom of the page to export the log information to your local computer.

14.1.2 System log query

Select Basic > Log Management > System log > System log query from the navigation tree to
enter the system log query page, as shown in the following figure.

Figure 14-2 System log query

The system log query page provides the query terms severity level, keyword and time range:

 Severity level: the severity level to query: emergency, alert, critical, error, warning, notice,
informational, debug or unknown.
 Keyword: enter a keyword of the log content to query. The keyword is case sensitive and
supports fuzzy matching.
 Time range: select the time range to query: current hour, the last hour, the last two hours,
yesterday, today or customize. If you select customize, click the icon beside the field and set
the start time and end time.
After you configure the query terms, click the Query button; the matching logs are displayed in
the log list. Click the Export by Query Terms button to export the queried logs to your local
computer.

14.1.3 System log file management

Select Basic > Log Management > System log > System Log File Management from the
navigation tree to enter the system log file management page, as shown in the following figure.

Figure 14-3 System log file management

System log files are named by time. You can save or delete the system log files.

 Click the Save icon to save the system log file to your local computer.
 Click the Delete icon; the log file entry to be deleted turns red. Then click the Submit button
in the upper right corner of the webpage.

14.1.4 System log configuration

The system log configuration includes the remote log host configuration and the log hold time
configuration.

Select Basic > Log Management > System Log > System Log Configuration from the
navigation tree to enter the system log configuration page, as shown in the following figure.

Figure 14-4 System log configuration

The configuration steps are as follows:

(1) Click the "IP type" configuration item and select the IP type, IPv4 or IPv6.

(2) Click the "Remote log host address" configuration item and enter the IP address of the
remote log host. A loopback, class D (multicast) or class E (reserved) address is not accepted.

(3) Click the "Service Port" configuration item and enter the port number on which the remote
log host receives logs.

(4) Click the "Log Level" configuration item; a level selection window pops up with the levels
emergency, alert, critical, error, warning, notice, informational and debug. The device sends
the logs that match the selected level to the remote host.

(5) Click the "Local host address" configuration item and enter the IP address of the device
interface that sends the logs.

(6) Select the time stamp format for the logs that are sent.

(7) Select the number of days to keep the logs: one week, two weeks, three weeks, 30 days or
custom. If you choose custom, enter the number of days manually, in the range of 7 to 180
days.

(8) Click the OK button in the upper right corner of the page to make the configuration effective.

14.2 Operation log


The operation log is mainly used for tracing the operations of system users, including querying,
adding, editing and deleting data, and logging in to the system. It helps users find out what was
done when data has been lost or modified. The operation log page provides the following
functions:

 Latest log: display the latest 25 operation logs.
 Operation log query: query the operation logs by administrator, IP address and time.
 Operation log file management: save and delete log files.
 Operation log configuration: configure the remote log host address to which logs are sent,
and configure the hold time of logs.

14.2.1 Latest log

Select Basic > Log Management > Operation log > Latest log from the navigation tree to enter
the latest log page, as shown in the following figure.

Figure 14-5 Latest log

The parameters in the latest log list are described as follows:

 Serial number: the serial number of the log.
 Timestamp: the time when the log was generated.
 Client type: the type of client used to operate the device.
 Administrator: the administrator who operated the device.
 Address: the IP address of the client.
 Operation result: whether the operation succeeded.
 Log content: the description of the operation performed on the device.
Functions on the page:

 Auto refresh: select the "Auto refresh" checkbox and select the refresh interval; the system
refreshes the log information at that interval.
 Manual refresh: click the Manual refresh button to refresh the log information immediately.
 Export: click the Export button at the bottom right corner of the page to save the current log
information to your local computer.

14.2.2 Operation log query

Select Basic > Log Management > Operation log > Operation log query from the navigation
tree to enter the operation log query page, as shown in the following figure.

Figure 14-6 Operation log query

The operation log query page provides the query terms administrator, IP address, keyword and
time range.

 Administrator: select the administrator whose operations to query; the list includes All,
admin, the console and the other options shown in the drop-down box.
 IP address: the IP address from which the administrator operated the device.
 Keyword: enter a keyword of the log content to query. The keyword is case sensitive and
supports fuzzy matching.
 Time range: select the time range to query: current hour, the last hour, the last two hours,
yesterday, today or customize. If you select customize, click the icon beside the field and set
the start time and end time.
After you configure the query terms, click the Query button; the matching logs are displayed in
the log list. Click the Export by query terms button to export the queried logs to your local
computer.

14.2.3 Operation Log File Management

Select Basic > Log Management > Operation log > Operation log file management from the
navigation tree to enter the operation log file management page, as shown in the following figure.

Figure 14-7 Operation log file management

Operation log files are named by time. You can save or delete the operation log files.

 Click the Save icon to save the operation log file to your local computer.
 Click the Delete icon; the log file entry to be deleted turns red. Then click the Submit button
in the upper right corner of the webpage.

14.2.4 Operation log configuration

The operation log configuration includes the remote log host configuration and the log hold time
configuration.

Select Basic > Log Management > Operation Log > Operation Log Configuration from the
navigation tree to enter the operation log configuration page, as shown in the following figure.

Figure 14-8 Operation log configuration

The configuration steps are as follows:

(1) Click the "IP type" configuration item and select the IP type, IPv4 or IPv6.

(2) Click the "Remote log host address" configuration item and enter the IP address of the
remote log host. A loopback, class D (multicast) or class E (reserved) address is not accepted.

(3) Click the "Service Port" configuration item and enter the port number on which the remote
log host receives logs.

(4) Click the "Local host address" configuration item and enter the IP address of the device
interface that sends the logs.

(5) Select the time stamp format for the logs that are sent.

(6) Select the number of days to keep the logs: one week, two weeks, three weeks, 30 days or
custom. If you choose custom, enter the number of days manually, in the range of 7 to 180
days.

(7) Click the OK button in the upper right corner of the page to make the configuration effective.

14.3 Diagnosis log


The diagnosis log records exceptions that occur while the device is working normally and that do
not affect its operation. It is mainly intended for software developers to find out what went wrong
on the device; users do not normally need to pay attention to diagnosis logs.

14.4 Service log configuration


The service log configuration provides the common settings for service logs, including the hold
time, the syslog log host configuration and the email sending configuration.

Select Basic > Log Management > Service log configuration from the navigation tree to enter
the service log configuration page, as shown in the following figure.

Figure 14-9 Service log configuration

The service log configuration page includes three items: hold time, IPS log aggregation and
sending mode.

Hold time: select the number of days to hold logs: one week, two weeks, three weeks, 30 days
or customize. If you select customize, enter the hold time in days. The default is 30 days, and the
range is 7 to 180 days.

The IPS log aggregation function can only be used after an IPS service board is inserted into the
device. After you enable this function, the device aggregates the received IPS logs according to
the IPS log aggregation time and aggregation terms, which saves system resources. The IPS
aggregation terms are source IP aggregation, destination IP aggregation, source port
aggregation, destination port aggregation and protocol aggregation.
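
The aggregation described above can be reproduced offline to see what a given choice of terms does to log volume. The following is an added example, not DPtech code: the record layout and the sample IPS records are constructed, and it assumes that the attack ID is always part of the aggregation key (the manual does not say so), so only repeats of the same signature are merged.

```python
"""Time-windowed aggregation of IPS log records on selectable terms.
Added example; the record fields and sample data below are constructed."""

# Aggregation terms the manual lists for IPS log aggregation.
VALID_TERMS = {"src_ip", "dst_ip", "src_port", "dst_port", "proto"}


def aggregate_ips_logs(records, window, terms):
    """Collapse records that share attack ID plus the selected terms when they
    fall within `window` seconds of the first record of their group.
    Assumption: attack_id is always part of the key. Returns one summary per
    group, in first-seen order, with count and first/last timestamps."""
    if not set(terms) <= VALID_TERMS:
        raise ValueError(f"unknown aggregation term in {terms}")
    summaries = []
    open_groups = {}                      # key -> summary still within window
    for rec in sorted(records, key=lambda r: r["ts"]):
        key = (rec["attack_id"],) + tuple(rec[t] for t in terms)
        cur = open_groups.get(key)
        if cur is None or rec["ts"] - cur["first"] >= window:
            # No open group, or the window has expired: start a new summary.
            cur = {"attack_id": rec["attack_id"], "count": 0,
                   "first": rec["ts"], "last": rec["ts"]}
            cur.update((t, rec[t]) for t in terms)
            open_groups[key] = cur
            summaries.append(cur)
        cur["count"] += 1
        cur["last"] = rec["ts"]
    return summaries


def saving_ratio(records, summaries):
    """Fraction of log records that aggregation removed."""
    return 1 - len(summaries) / len(records)


# Constructed sample: one signature repeatedly hit from one source (a scan
# using a fresh source port per probe), one late repeat, one unrelated event.
SAMPLE_RECORDS = [
    dict(ts=0,   attack_id=1001, src_ip="198.51.100.7", dst_ip="192.0.2.10", src_port=40000, dst_port=80,  proto="tcp"),
    dict(ts=5,   attack_id=1001, src_ip="198.51.100.7", dst_ip="192.0.2.10", src_port=40001, dst_port=80,  proto="tcp"),
    dict(ts=9,   attack_id=1001, src_ip="198.51.100.7", dst_ip="192.0.2.10", src_port=40002, dst_port=80,  proto="tcp"),
    dict(ts=12,  attack_id=1001, src_ip="198.51.100.7", dst_ip="192.0.2.10", src_port=40003, dst_port=80,  proto="tcp"),
    dict(ts=100, attack_id=1001, src_ip="198.51.100.7", dst_ip="192.0.2.10", src_port=40004, dst_port=80,  proto="tcp"),
    dict(ts=3,   attack_id=2002, src_ip="203.0.113.9",  dst_ip="192.0.2.10", src_port=51000, dst_port=443, proto="tcp"),
]

if __name__ == "__main__":
    terms = ("src_ip", "dst_ip", "dst_port", "proto")   # source port not aggregated
    for s in aggregate_ips_logs(SAMPLE_RECORDS, window=60, terms=terms):
        print(s)
```

With the source port left out of the terms, the four probes of the same signature within the 60-second window collapse into one summary and the probe at 100 seconds opens a new group; with all five terms selected nothing is merged, because each probe uses a different source port. Which terms to select therefore depends on whether the attacks you expect vary the fields you aggregate on.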

The parameters of the sending mode are as follows:

 Output to the syslog log host in real time: select the checkbox, then configure the following:
 Syslog log local IP address: click the configuration item and configure the source IP
address that is used for sending logs.
 Syslog log host IP address: click the configuration item and configure the destination IP
address that receives the logs.
 Service port: click the configuration item and configure the port on which the log host
receives logs, in the range of 1 to 65535.
 Send mail: select the checkbox, then configure the mail server IP address, destination email
address, username and password. Click the Mail Test button to test whether the mail server
works.
 Synchronize device information (IP information) with UMC: select the checkbox, and UMC will
synchronize the device's IP information. This item is used when the inner-network device and
the outer-network device are connected through dial-up.
 Attack source IP address sending format: select the format in which the attack source IP
address is sent, hexadecimal or character string.
 UMC synchronization port: configure the port used for synchronization with the log host, in
the range of 1 to 65535.
After you finish the above configurations, click the Submit button in the upper right corner of
the webpage.
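
The remote log host settings of 14.1.4, 14.2.4 and this section can be checked before they are entered, and the receiving host has to decode the severity of every line it gets. The following is an added example in Python, not DPtech code: the sample syslog lines are constructed, the message header is assumed to be the standard RFC 3164 <PRI> form, and the "Log Level" setting is treated as a severity threshold (the manual only says logs "matching" the level are sent).

```python
"""Checks for a remote syslog host setting and a minimal collector-side
parser. Added example; sample lines are constructed, not device output."""
import ipaddress
import re

# Syslog severities in numeric order (0 = most severe); the same level names
# the device offers in its "Log Level" selection.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]

CLASS_E = ipaddress.ip_network("240.0.0.0/4")


def validate_log_host(addr, port):
    """Apply the manual's constraints to a remote log host: IPv4 or IPv6,
    not loopback, not class D (multicast), not class E (reserved), and a
    service port in 1..65535. Returns "ipv4" or "ipv6"."""
    ip = ipaddress.ip_address(addr)          # raises ValueError on junk input
    if ip.is_loopback:
        raise ValueError(f"{addr}: loopback address is not allowed")
    if ip.is_multicast:                      # 224.0.0.0/4 and ff00::/8
        raise ValueError(f"{addr}: class D (multicast) address is not allowed")
    if ip.version == 4 and ip in CLASS_E:
        raise ValueError(f"{addr}: class E (reserved) address is not allowed")
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"port {port}: must be in 1..65535")
    return f"ipv{ip.version}"


# RFC 3164-style priority header: "<PRI>" followed by the rest of the line.
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_pri(line):
    """Split a syslog line into (facility number, severity name, message)."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:                            # 24 facilities * 8 severities - 1
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return facility, SEVERITIES[severity], m.group(2)


def select_by_level(lines, level):
    """Emulate the "Log Level" setting on the collector side. Assumption: the
    setting is a threshold, i.e. the chosen level and everything more severe
    is kept, as in standard syslog."""
    threshold = SEVERITIES.index(level)
    kept = []
    for line in lines:
        _, sev, msg = parse_pri(line)
        if SEVERITIES.index(sev) <= threshold:
            kept.append((sev, msg))
    return kept


# Constructed sample lines (facility 1 = user; PRI = facility*8 + severity).
SAMPLE_LINES = [
    "<14>Mar  6 10:00:01 fw1000 system: administrator admin logged in from 192.0.2.10",
    "<11>Mar  6 10:00:05 fw1000 system: interface ge0/1 link down",
    "<9>Mar  6 10:00:07 fw1000 system: power supply 2 failure",
    "<15>Mar  6 10:00:09 fw1000 system: session table sync trace",
]

if __name__ == "__main__":
    print(validate_log_host("192.0.2.50", 514))
    for sev, msg in select_by_level(SAMPLE_LINES, "error"):
        print(sev, msg)
```

Run against the sample, a threshold of "error" keeps the error and the alert lines and drops the informational and debug ones; the host checks reject 127.0.0.1, 224.0.0.5, 240.0.0.1, ::1 and ff02::1 before they reach the device.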


14.5 Service log query


The service log query module provides query functions for a variety of logs: IPS log, anti-virus
log, RMON log, ARP monitoring log, IDS collaboration log, session limit log, IPv4 packet filtering
log, basic attack protection log, blacklist log and DDoS protection log. Most of these logs support
query, export and delete, and the operation method is basically the same for each.

14.5.1 IPS log

Select Basic > Log Management > Service Log Query > IPS Log from the navigation tree to
enter the IPS log page, as shown in the following figure:

Figure 14-10 IPS log

The IPS log page provides query, export and delete functions:

 The query conditions include the attack ID, attack level, action type, interface, source IP,
destination IP, source port, destination port and specified time. Click the Query button after
configuring the conditions; the query result is displayed in the list below.
 Click the Export button to export the queried log to your local computer.
 Click the Delete button to delete the log information.

14.5.2 Anti-virus Log

Select Basic > Log Management > Service Log Query > Anti-virus Log from the navigation
tree to enter the anti-virus log page, as shown in the following figure:

Figure 14-11 Anti-virus Log

The anti-virus log page provides query, export and delete functions:

 The query conditions include virus ID, virus classification, action type, interface, source IP
address, destination IP address, source port, destination port and specified time. Click the
Query button after configuring the conditions; the query result is displayed in the list below.
 Click the Export button to export the queried log to your local computer.
 Click the Delete button to delete the log information.

14.5.3 RMON log

Select Basic > Log Management > Service Log Query > RMON Log from the navigation tree to
enter the RMON log page, as shown in the following figure:

Figure 14-12 RMON log

The RMON log page displays the RMON log information, including event ID, time and log
content. Click the Delete button to delete the RMON log information.

14.5.4 ARP monitoring log

Select Basic > Log Management > Service Log Query > ARP Monitoring Log from the
navigation tree to enter the ARP monitoring log page, as shown in the following figure:

Figure 14-13 ARP monitoring log

The ARP monitoring log page provides a query function for logs of different time periods. In the
drop-down box to the right of "Time", select the period to query: all, the last day, the last two
days, the last week or a specified time. If you select a specified time, configure the start time and
end time. After selecting the period, click the Query button; the query result is displayed in the
list below. Click Delete to delete the log information.


14.5.5 IDS collaboration log

In a deployment where the FW device and an IDS device are used together, when the IDS
device detects an attack it can send the attack's source and destination IP addresses to the FW
device. The FW device blocks traffic based on that source/destination IP and records the action
in the IDS collaboration log.

Select Basic > Log Management > Service Log Query > IDS Collaboration Log from the
navigation tree to enter the IDS collaboration log page, as shown in the following figure:

Figure 14-14 IDS collaboration log

14.5.6 Session limit log

Select Basic > Log Management > Service Log Query > Session Limit Log from the navigation
tree to enter the session limit log page, as shown in the following figure:

Figure 14-15 Session limit log

The session limit log page provides query, delete and export functions:

 The query conditions include the log type, policy name, keyword and time range. After the
conditions are configured, click the Query button; the query result is displayed in the list
below.
 Click Delete All to delete the log information.
 Click the Export button to export the queried log to your local computer.

14.5.7 IPv4 packet filtering log

Select Basic > Log Management > Service Log Query > IPv4 Packet Filtering Log from the
navigation tree to enter the IPv4 packet filtering log page, as shown in the following figure:

Figure 14-16 IPv4 packet filtering log

The IPv4 packet filtering log page provides query, delete and export functions:

 The query conditions include the source IP address, destination IP address and packet
filtering policy name. After the conditions are configured, click the Query button; the query
result is displayed in the list below.
 Click the Delete button to delete the log information.
 Click the Export All button to export the queried log to your local computer.

14.5.8 Basic attack log

Select Basic > Log Management > Service Log Query > Basic Attack Log from the navigation
tree to enter the basic attack log page, as shown in the following figure:

Figure 14-17 Basic attack log

The basic attack protection log page provides query, delete and export functions:

 The query conditions include the action type, interface, source IP address, destination IP
address and specified time. Click the Query button after configuring the conditions; the query
result is displayed in the list below.
 Click the Delete button to delete the log information.
 Click the Export button to export the queried log to your local computer.

14.5.9 Blacklist log

Select Basic > Log Management > Service Log Query > Blacklist Log from the navigation tree
to enter the blacklist log page, as shown in the following figure:

Figure 14-18 Blacklist log

The blacklist log page provides query, delete and export functions:

 The query conditions include reason, IP address/mask and time range. Click the Query
button after configuring the conditions; the query result is displayed in the list below.
 Click the Delete button to delete the log information.
 Click the Export By Search Condition button to export the queried log to your local computer.

14.5.10 DDoS protection log

Select Basic > Log Management > Service Log Query > DDoS Protection Log > IPv4 Basic
Protection Log from the navigation tree to enter the IPv4 basic protection log page, as shown in
the following figure:

Figure 14-19 IPv4 basic protection log

The IPv4 basic protection log page supports manual refresh of the log information. The log list
shows the details of each entry: type, characteristics, source IP address, destination IP address,
rate and time.


15 Security Policy
Security policy mainly consists of the IPv4 packet filtering module and the IPv6 packet filtering
module. According to the packet filtering policy, the device checks the packets of each data
stream by source address, destination address, source port, destination port and protocol type,
or by a combination of these. Users can customize packet filtering policies to provide basic
security protection for the traffic.

15.1 IPv4 Packet filtering

15.1.1 IPv4 Packet filtering policy

Select Service > Security Policy > IPv4 Packet filtering > IPv4 Packet filtering policy to
enter the IPv4 packet filtering policy page, as shown in the following figure.

Figure 15-1 IPv4 Packet filtering policy

15.1.1.2 Icons

In addition to the packet filtering policy list, the IPv4 packet filtering policy page provides seven
function icons: Import, Export, Refresh, Show/Hide Column, Clear Count, Group Management
and Clear, as follows.
1. Import
The import function adds packet filtering policies to the device from an Excel spreadsheet. It is
useful when an existing packet filtering configuration file is available or when a large number of
packet filtering policies must be configured. The configuration method is as follows:

(1) Click Import, click the file selection control and select the path of the file to import, as
shown in the following figure:

Figure 15-2

(2) Click Append Import to complete the import of the packet filtering configuration file, as
shown in the following figure. The imported file must not contain a policy with the same name
as an existing policy.

Figure 15-3

2. Export
The export function saves the existing packet filtering policies as an Excel spreadsheet file. The
configuration method is as follows:

(1) Click Export, then select the file name and the path to export to.

(2) Click Download; the current packet filtering policy configuration file is saved in the
destination path.

Refresh

The refresh button reloads the latest information on the current page. After refreshing, the latest
packet filtering policy information and the latest hit counts on the current page are shown.

Show / hide column

The show/hide column function changes which columns of the packet filtering policy list are
shown or hidden.

Clear count

The clear count function resets the hit count of all packet filtering policies to zero.
3. Group management
You can add packet filtering policies to different groups so that they are easier to manage. The
configuration method is as follows:

(1) Click the group management icon to view the packet filtering groups. The default packet
filtering group is displayed.

(2) Move the mouse pointer over "Default" to view the description of this group, as shown in the
following figure.

Figure 15-4 Default group

(3) Click the add icon to add a group, as shown in the following figure.

Figure 15-5 Add a group

(4) Enter a name and a description for the new group, then click the save icon to save the
configuration. To delete the group, click the delete icon.

(5) Move the mouse pointer over the new group to perform the add, disable, delete and modify
operations for this group, as shown in the following figure.

Figure 15-6 New group

 Add: click the add icon to add a group.
 Disable: click the disable icon to disable this group; the icon changes to the disabled state.
To enable the group again, click the icon once more.
 Delete: click the delete icon. The shading of this group turns red and the icon changes to the
pending-delete state. The group is deleted when you click the OK button in the upper right
corner. If you do not want to delete the group, click the icon again.
 Modify: click the name or description of the group to modify it.

15.1.1.3 Packet filtering policy list

The parameters of the packet filtering policy list are as follows:

 ID: the ID number of the packet filtering policy.
 Group: the group to which the packet filtering policy belongs.
 Name: the name of the packet filtering policy.
 Src Zone: the source zone to which the IPv4 packet filtering policy applies. The default
security zones are Untrust, Trust and DMZ. You can create a source zone through the guide
bar or "Object Management".
 Dst Zone: the destination zone to which the IPv4 packet filtering policy applies. The default
security zones are Untrust, Trust and DMZ. You can create a destination zone through the
guide bar or "Object Management".
 Src Addr: the source address to which the IPv4 packet filtering policy applies. In the pop-up
window of Src Addr you can select "Any" or configure a network address object, network
address group, domain or IP address wildcard. These objects can be configured through the
guide bar, the pop-up window of Src Addr and "Object Management".
 Dst Addr: the destination address to which the IPv4 packet filtering policy applies. In the
pop-up window of Dst Addr you can select "Any" or configure a network address object,
network address group, domain or IP address wildcard. These objects can be configured
through the guide bar, the pop-up window of Dst Addr and "Object Management".
 Src MAC: the source MAC address to which the IPv4 packet filtering policy applies. In the
pop-up window of Src MAC you can select "Any" or configure a MAC object. MAC objects and
MAC groups can be configured through the pop-up window of Src MAC and "Object
Management".
 Dst MAC: the destination MAC address to which the IPv4 packet filtering policy applies. In
the pop-up window of Dst MAC you can select "Any" or configure a MAC object. MAC objects
and MAC groups can be configured through the pop-up window of Dst MAC and "Object
Management".
 Service: the service object or service object group to which the IPv4 packet filtering policy
applies. You can configure them through the guide bar, the pop-up window of Service and
"Object Management".
 Effect time: the time during which the packet filtering policy is in effect: all the time, a relative
time (weekly cycle) or an absolute time (in effect from the start time).
 Action: the action taken on packets that match the packet filtering policy.
 Drop: packets matching the packet filtering policy are dropped.
 Pass: packets matching the packet filtering policy are passed directly.
 Advanced security service: enables the long-session or fragment-drop function for packets
that match the packet filtering policy. The long-session function is used for long-connection
applications whose sessions must not be aged out within the specified time; if the
long-connection parameter is not configured, such applications may fail. The aging time of
long sessions is set under System Administration > Session Configuration > Session
Parameter. The fragment-drop function avoids the security risks of passing fragmented
packets directly.
 Hit log: records the packets that match the packet filtering policy; the log can be saved
locally or sent to a remote server. Remote logs support two formats, syslog and flow log.
 Session log: records the sessions that match the packet filtering policy; the log can be
saved locally or sent to a remote server. Remote logs support two formats, syslog and
flow log. Detailed configuration is done on the session management page.
 Matched: the number of times the packet filtering policy has been matched.
 State: enable or disable the packet filtering policy.
 Create time: the time the packet filtering policy was created.
 Modify time: the time the packet filtering policy was last modified.
 Operation: four icons are available: insert, copy, delete and sort.
 Insert: click the icon to insert a copy of the policy above the existing policy.
 Copy: click the icon to insert a copy of the policy below the existing policy.
 Delete: click the icon; the policy that is in effect turns red and enters a pending state. Click
the button at the top right of the page to delete the policy.
 Sort: click the icon and drag to adjust the order of the policies. You can use the policy name
as the keyword to quickly select the desired policy through the query function in the upper
right corner of the page, or click the drop-down box of the advanced query function to select
the policy based on one or more other criteria.

 Packet filtering policies are matched from top to bottom, so the more specific policy must be
placed above the broader one. If the order is wrong, packets match the "large range" policy
first and the "small range" policy below it never takes effect. In that case, adjust the matching
order with the sort icon.
 For long-session policies, specify the source address, destination address and service as
precisely as possible.
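
The ordering rule above can be checked mechanically before a policy list is imported. The following is an added example, not DPtech code: the policy fields are a simplified subset of the list above (no zones, MAC addresses or effect time) and the sample policies are constructed. It reports every policy that an earlier, broader policy fully covers, flags the case where the two actions differ, and produces an order in which narrower conflicting policies come first.

```python
"""Shadowed-policy check and reordering for a top-down packet filter list.
Added example; Policy is a simplified model and the sample list is constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    src: str            # CIDR, or "any"
    dst: str            # CIDR, or "any"
    proto: str          # "tcp", "udp", "icmp" or "any"
    dports: tuple       # (low, high) destination port range, or None for any
    action: str         # "permit" or "drop"


def _net(cidr):
    return None if cidr == "any" else ipaddress.ip_network(cidr, strict=False)


def _net_covers(outer, inner):
    if outer is None:
        return True                       # "any" covers everything
    if inner is None or inner.version != outer.version:
        return False
    return inner.subnet_of(outer)


def _ports_cover(outer, inner):
    if outer is None:
        return True
    if inner is None:
        return False
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def covers(outer, inner):
    """True when every packet matching `inner` also matches `outer`."""
    return (_net_covers(_net(outer.src), _net(inner.src))
            and _net_covers(_net(outer.dst), _net(inner.dst))
            and (outer.proto == "any" or outer.proto == inner.proto)
            and _ports_cover(outer.dports, inner.dports))


def find_shadowed(policies):
    """Walk the list top-down and report each policy that an earlier policy
    fully covers, as (shadowed name, shadowing name, actions differ?)."""
    findings = []
    for i, p in enumerate(policies):
        for earlier in policies[:i]:
            if covers(earlier, p):
                findings.append((p.name, earlier.name, earlier.action != p.action))
                break
    return findings


def reorder(policies):
    """Return an order in which every strictly narrower policy with a
    conflicting action precedes the broader policy that would shadow it.
    Stable topological sort: unconstrained policies keep their original order."""
    n = len(policies)
    before = {i: set() for i in range(n)}        # i must be placed before j
    for i in range(n):
        for j in range(n):
            if (i != j and covers(policies[j], policies[i])
                    and not covers(policies[i], policies[j])
                    and policies[i].action != policies[j].action):
                before[i].add(j)
    indeg = {j: 0 for j in range(n)}
    for i in range(n):
        for j in before[i]:
            indeg[j] += 1
    ready = [i for i in range(n) if indeg[i] == 0]
    order = []
    while ready:
        i = min(ready)                           # lowest original index first
        ready.remove(i)
        order.append(i)
        for j in before[i]:
            indeg[j] -= 1
            if indeg[j] == 0:
                ready.append(j)
    return [policies[i] for i in order]


# Constructed sample list: the second policy can never match, because the
# first one already permits everything from 10.0.0.0/8.
SAMPLE_POLICIES = [
    Policy("allow-lan-out", "10.0.0.0/8", "any", "any", None, "permit"),
    Policy("block-host-ssh", "10.1.2.3/32", "192.0.2.0/24", "tcp", (22, 22), "drop"),
    Policy("allow-dmz-web", "any", "192.0.2.0/24", "tcp", (80, 443), "permit"),
    Policy("deny-dmz-rdp", "any", "192.0.2.0/24", "tcp", (3389, 3389), "drop"),
]

if __name__ == "__main__":
    print(find_shadowed(SAMPLE_POLICIES))
    print([p.name for p in reorder(SAMPLE_POLICIES)])
```

On the sample, the check reports block-host-ssh as shadowed by allow-lan-out with conflicting actions, and the reorder moves it above allow-lan-out while leaving the two DMZ policies where they were. A shadowed policy with the same action as its shadower is only redundant; one with a different action is the misconfiguration the text warns about.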

15.1.2 IPv4 packet filtering log

Through the IPv4 packet filtering log module, the user can choose whether to send packet
filtering logs, and select the log type, the sending method and the log server.

Select Service > Security Policy > IPv4 Packet filtering > IPv4 Packet filtering log to enter
the IPv4 packet filtering log page, as shown in the following figure.

Figure 15-7 IPv4 packet filtering log

The parameters of the IPv4 packet filtering log page are as follows:

 Enable packet filter log: select this option to enable the packet filtering log.
 Log save type: select where the log is saved, remote server or local.
 Log type: select the packet filtering log type, syslog or stream log.
 Syslog: suitable for a syslog server.
 Stream log (encrypted packets): suitable for a UMC server.
 Method for log sending: the method used to send packet filtering logs, share mode or send
all.
 Share mode: the default; packet filtering logs are sent to the log servers in turn, in the
polling order of the log server list.
 Send all: every packet filtering log is sent to each configured log server.
 Log client IP: the source IP address used for sending packet filtering logs. It must be an
interface address (physical or logical) of the local device, and the route to the log server
must be reachable.
 Log client port: the source port used for sending packet filtering logs. It must be greater than
1024 and must not conflict with a port in use on the local device.
 Log server list: the IP addresses of the log servers.
 Log server port: the port on which the log servers receive packet filtering logs.
 Log options: select "Default discarding policy of packet filter" to drop packets that do not
match any packet filtering policy.
After you finish the above configurations, click the OK button in the upper right corner of the
webpage.

15.1.3 IPv4 Packet filtering log search

The IPv4 packet filtering log search function allows the user to search packet filtering logs by
different search conditions.

Select Service > Security Policy > IPv4 Packet filtering > IPv4 Packet filtering log search to
enter the IPv4 packet filtering log search page, as shown in the following figure.

Figure 15-8 IPv4 Packet filtering log search

The configuration methods of IPv4 packet filtering log search are shown in the following:

(1) Set the searching conditions of IPv4 packet filtering log, including: source IP address,
destination IP address or packet filter name.

(2) Click Query button to see the results.

The parameters of IPv4 packet filtering log are shown in following:


 No: displays the sequence number of the IPv4 packet filtering logs.
 Packet filter name: display the name of packet filtering policy.
 Match time: display the time that data packets match with the packet filtering policy.
 In Ifindex: display the inbound interface that data packets match with IPv4 packet filtering
policy.
 Out Ifindex: display the outbound interface that data packets match with IPv4 packet filtering
policy.
 Source IP: display the source IP address that data packets match with IPv4 packet filtering
policy.
 Source port: display the source port number that data packets match with IPv4 packet
filtering policy.
 Destination IP address: display the destination IP address that data packets match with IPv4
packet filtering policy.
 Destination port number: display the port number that data packets match with IPv4 packet
filtering policy.
 Protocol: display the protocol that data packets match with IPv4 packet filtering policy.
 Action: display the action to be taken when data packets match with IPv4 packet filtering.

15.2 IPv6 packet filtering

15.2.1 IPv6 packet filtering policy

The IPv6 packet filtering policy module provides the user with the IPv6 packet filtering parameter
setting function.

Select Service > Security Policy > IPv6 packet filtering > IPv6 packet filtering policy to
enter the IPv6 packet filtering policy page, as shown in following diagram.

Figure 15-9 IPv6 packet filtering policy

On the IPv6 packet filtering policy page, there are three parts that the user can configure: guide
bar, function icons and packet filtering policy list.

For the guide bar and icons, please refer to IPv6 packet filtering policy. The parameters of the
IPv6 packet filtering policy are shown in the following:


 No.: the sequence number of IPv6 packet filtering policy.


 Name: the name of IPv6 packet filtering policy.
 Source Domain: the source zone that the IPv6 packet filtering policy is applied. Default
security zone is one of the three zones: Untrust, Trust and DMZ. You can create a source
zone by configuring the guide bar or the “Object Management”.
 Destination Domain: the destination zone that the IPv6 packet filtering policy is applied to.
The default security zone is one of the three zones: Untrust, Trust and DMZ. You can create a
destination zone by configuring the guide bar or the “Object Management”.
 Source IP: the source address that the IPv6 packet filtering policy is applied. You can select
source address from the pop-up window of Src addr by clicking “Any” option or configuring
network address object, network address group, domain and IP address wildcard. You can
configure network address object, network address group, domain and IP address wildcard
through the guide bar, the pop-up window of Src addr, and the “Object Management”.
 Destination IP: the destination address that the IPv6 packet filtering policy is applied. You
can select destination address from the pop-up window of Dst addr by clicking “Any” option
or configuring network address object, network address group, domain and IP address
wildcard. You can configure network address object, network address group, domain and IP
address wildcard through the guide bar, the pop-up window of Dst addr, and the “Object
Management”.
 Source MAC: the source MAC that the IPv6 packet filtering policy is applied. You can select
source MAC from the pop-up window of source MAC by clicking “Any” option or configuring
network address object. You can configure MAC object and MAC group through the pop-up
window of Src MAC and the “Object Management”.
 Destination MAC: the destination MAC that the IPv6 packet filtering policy is applied. You
can select destination MAC from the pop-up window of destination MAC by clicking “Any”
option or configuring network address object. You can configure MAC object and MAC
group through the pop-up window of Dst MAC and the “Object Management”.
 Service: the service object or service object group that the IPv6 packet filtering policy is
applied. You can configure them through the guide bar, the pop-up window of Service and
the “Object Management”.
 Extended Header: the IPv6 extension header of the IPv6 packet filtering policy.
 Action: the action to be taken when data packets match with IPv6 packet filtering policy.
 Group: the group to which IPv6 packet filtering policy belongs.
 Valid time: the effective time of the packet filtering policy, including all time, relative time
(weekly cycle) and absolute time (the policy takes effect from the start time).
 Status: enable or disable the packet filtering policy.
 Match times: display the IPv6 packet filtering policy matched times. Click Reset Counters
button to recalculate the matched times.
 Operation: there are four icons you can select: sort, upward copy, downward copy and
delete.

 Click the icon and drag to adjust the order of the strategies.


 Click the icon to add IPv6 packet filtering policy

 Click the icon to insert IPv6 packet filtering policy

 Click the icon to delete the IPv6 packet filtering policy

 Click the icon to clear the statistics of matching counts.


You can save and download IPv6 packet filtering policies through the import and export function.
Click Browse button, then you can select the imported file path. Click Append Import button,
then you can import the IPv6 packet filtering policy configuration. Click Export button, then you
can save the current IPv6 packet filtering policy configuration.

15.2.2 IPv6 packet filtering log

Select Service > Security Policy > IPv6 packet filtering > IPv6 packet filtering log to enter
the IPv6 packet filtering log page, as shown in following diagram.

Figure 15-10 IPv6 packet filtering log

The parameters of IPv6 packet filtering log are shown in following:

 Enable IPv6 Packet Filter Log: enable the IPv6 packet filtering log function.
 Log type: set the log type of the IPv6 packet filtering log, including Syslog and stream log.
The Syslog type can be used for a Syslog server. Stream log (packet encryption) can be
used for a UMC server.
 Source IP address: set the source IP address for sending IPv6 packet filtering logs. The
source IP address is the local device interface address (physical/logical). Make sure that the
route to the log server is reachable.
 Source Port: set the source port number for sending IPv6 packet filtering logs. The source
port number must be greater than 1024 and must not conflict with a local device port number.
 Log server list: set the log server’s address for receiving IPv6 packet filtering logs.
 Log server port: set the log server’s port for receiving IPv6 packet filtering logs.


15.3 IPv4 packet filtering policy redundancy analysis


Select Service > Security Policy > IPv6 Packet Filtering > IPv4 packet filtering policy
redundancy analysis to enter the IPv4 packet filtering policy redundancy analysis page, as
shown in following diagram.

Figure 15-11 IPv4 packet filtering redundancy analysis

Redundancy usually refers to increasing the reliability of the system through multiple backups.

 Start analysis
 There may be redundant rules among a large number of filtering rules, which makes
management of the firewall more difficult and decreases the throughput rate. The policy
redundancy rule analysis technology works on the rules entered by the user: the system
judges whether the entered rules conform to their original intention, and for the remaining
problem an algorithm for detecting redundancy is used to locate the redundant rules.


16 NAT Configuration
16.1 NAT overview
1. NAT technology background
With the development of the Internet and the increase in network applications, IPv4 address
depletion has become a bottleneck that restricts the development of the network. Although IPv6
can fundamentally solve the problem of insufficient IPv4 addresses, many current network
devices and network applications still use IPv4 addresses. To solve the problem, some transition
technologies (such as CIDR, private network addresses, etc.) can be used before IPv6 addresses
are widely used.

Private network addresses can save IPv4 addresses because of this fact: in a LAN, only a few
hosts need to access the external network in a given period, and about 80% of internal traffic is
limited to the LAN. Since internal hosts can exchange their traffic using private network addresses,
and private network addresses can be reused in different local area networks, the use of private
network addresses can effectively alleviate the problem of insufficient IPv4 addresses. When
internal hosts need to access the external network, NAT technology converts their private
addresses to public network addresses. Therefore, NAT technology ensures network
interoperability and saves public network addresses.

 Three network segments are private addresses: 10.0.0.0/8, 172.16.0.0/12 and
192.168.0.0/16.
 Hosts that use private network addresses cannot directly access the Internet, and hosts on
the Internet cannot directly access hosts that use private addresses.

2. Technology advantages
As a transition plan, NAT meets the need for IP addresses through address multiplexing and, to a
certain extent, eases the pressure of IP address space depletion. It has the following
advantages:

 Private network addresses can be used for private communication. If you need to
communicate with external sources or access external resources, you can do so by
converting private addresses to public addresses.


 Through the combination of a public network address and a port, multiple private network
users can share one public network address.
 Through static mapping, different internal servers can be mapped to the same public
network address. External users access the different internal servers through the public
network address and port, while the internal servers' real IP addresses are hidden, which
helps prevent attacks from outside on the internal servers and even on the internal network.
 Convenient network management: for example, a private network server can be migrated by
changing the mapping table, and changes to the internal network are also easy.
 NAT also provides some security for private network hosts, mainly because a private
network host uses a public address for its connection when it accesses the Internet, so an
outside attacker performing a port scan cannot detect the private host.
3. Basic principles of NAT technology
The basic principle of NAT is that a private network host is assigned a legitimate public network
address only when it needs to access the Internet, and uses a private network address
internally. When a private network host accesses the Internet through the NAT gateway, the NAT
gateway replaces the source IP address of the original packet with a valid public network
address and records the translation. After the reply packet is returned from the Internet side, the
NAT gateway looks up the original record, replaces the destination address of the packet with the
original private network address, and sends it back to the requesting host. In this way, for
equipment on either the private network side or the public network side, this process is no
different from ordinary network access. With this model, a large number of internal network hosts
no longer need to be allocated and use public IP addresses; they can all reuse the NAT public
network IP.

16.2 NAT feature description

16.2.1 Source NAT

1. Dynamic address NAT


When a packet from the private network side reaches the NAT gateway, the NAT gateway checks
whether the private network IP address already has a mapping entry to a public IP address. If it
exists, the source IP address is replaced directly according to the mapping entry and the upper
layer protocol is not modified. If it does not exist, an idle IP address in the public IP address pool
is occupied and written to the mapping table, and subsequent packets are translated according
to this mapping entry. When all the external accesses initiated by the private network host are
closed or time out, the NAT gateway reclaims the public IP address, that is, deletes the mapping
entry and releases the occupied public IP address.

On traditional network equipment, the dynamic address NAT design usually means that when
the public IP address pool is used up, new connections cannot be established. DPtech equipment
makes some improvements on this basis: when a private IP address actively accesses the
external network, it is first allocated a public IP address and the source port is kept unchanged.
When the public IP address pool is exhausted, public IP addresses that are already in use are
automatically multiplexed, but the source port is changed, that is, it becomes dynamic port NAT.
This avoids interruption of the internal network hosts' network access caused by insufficient
public network IP address pool resources, while using public IP address resources more
efficiently.
2. Dynamic port NAT
Dynamic port NAT is the most basic NAT mode. The device dynamically translates a private IP
address to one or more public network IP addresses, and uses the transport layer port or other
upper layer protocol information in the translation to achieve IP address reuse. Packets
forwarded from the private network to the public network have their source IP address and port
replaced, and reverse packets have their destination IP address and port replaced.

The most simplified dynamic port NAT configuration uses the IP address of the outgoing interface
connected to the public network as the public IP address for NAT translation. When another
public IP address is used as the NAT address, an address pool needs to be configured; the
device automatically selects the public IP address to use from the address pool, and allocates
the IP address and port through an internal HASH allocation algorithm.

By default, dynamic port NAT keeps the port of the private network IP address unchanged, that
is, the source port after NAT is the same as the source port before NAT. Only when the
corresponding port on the public IP address is already occupied is the device forced to change
the port, that is, to use a random port of the corresponding public IP address.
3. Session level NAT
Session-level NAT mainly concerns the session support capability of a single address in the NAT
address pool. Traditional NAT technology can only use 65535 ports for a single address, while
session-level NAT can provide unlimited NAT. Unlimited NAT distinguishes sessions based on
five-tuple information, so the same port can be used for different sessions, achieving port reuse.

The session-level NAT function is usually deployed in application scenarios where public
network addresses are very scarce.

16.2.2 Destination NAT

For security reasons, most private network hosts do not want to be accessed by public network
users. But in some practical applications, public network users need to access a private network
server. Destination NAT converts the public network IP address to the private IP address by
statically configuring the mapping between public IP address + port number and private IP
address + port number, so as to meet the need for public network users to access a private
network server.

The difference between destination NAT and one-to-one NAT is not only that the mapping is
between the public IP address and the private IP address, but that it also includes the port
number. Another important difference is that the destination NAT mapping is one-way: the
mapping rule is used only when the public network side accesses the public network IP address
towards the private network side. If a private network host accesses public network resources,
the mapping rules of destination NAT are not used, and source NAT rules need to be configured
on the outgoing interface of the device.

16.2.3 Static NAT

1. One-to-one NAT
One-to-one NAT maps an internal IP address uniquely to a public IP address. In this way,
translation of the upper layer protocol is unnecessary, because one public network IP can only
correspond to one internal host. Obviously, this method does not do much to save public network
IPs; it is mainly used to meet some special networking needs, for example, publishing an internal
server to the public network, or enabling communication between two networks whose IP
addresses overlap.

For example, Company A applies for several public IP addresses (211.110.1.129 to
211.110.1.136) from the ISP and wants to assign the public IP address 211.110.1.136 to an
internal Email Server (192.168.1.254). You only need to create a one-to-one NAT rule on the
device and map the public IP address 211.110.1.136 to the Email Server address
192.168.1.254. In this way, a public network user accesses the public IP address 211.110.1.136
corresponding to the Email Server, and the device converts the public IP address 211.110.1.136
to the private IP address 192.168.1.254 of the mail server. Similarly, when the Email Server
actively accesses public network resources, the device converts its private IP address
192.168.1.254 to the public IP address 211.110.1.136.
2. N-to-N NAT
N-to-N NAT is similar to one-to-one NAT, but maps a private IP address segment to a public IP
address segment. For example, the device maps the private IP address segment
192.168.1.128/28 to the public IP address segment 211.110.1.128/28. The masks of the public
IP address segment and the private network IP address segment must be the same, that is, a
one-to-one correspondence. Obviously, this approach does not save public network address
resources; its purpose is to simplify the administrator's configuration.

16.2.4 NAT with different mapping methods

16.2.4.1 Symmetric NAT

After a flow undergoes source NAT translation, a five-tuple mapping entry is established in the
NAT gateway. During the entry's aging period, only reverse traffic from the same address can
reach the NAT gateway and match the five-tuple mapping entry for NAT translation.

For example: a flow TCP IP1:Port1 -> IP2:Port2 is converted to TCP IP111:Port111 -> IP2:Port2
after NAT. The mapping entry established is: TCP IP2:Port2 -> IP111:Port111 is converted to
IP2:Port2 -> IP1:Port1. The reverse traffic must arrive before the mapping entry ages out, and it
is NATed only when it is TCP IP2:Port2 -> IP111:Port111; other traffic cannot be NAT forwarded.

Figure 16-1 Symmetric NAT

16.2.4.2 Cone NAT

After a flow is translated by source NAT, a triplet mapping entry is established in the NAT
gateway. During the entry's aging period, any address is allowed to access the IP address and
port after NAT translation and be translated.

For example: a flow TCP IP1:Port1 -> IP2:Port2 is converted to TCP IP111:Port111 -> IP2:Port2
after NAT. The mapping entry established is: TCP IP1:Port1 is converted to IP111:Port111. Then
traffic from any address accessing the mapped IP address and port IP111:Port111 is converted
to IP1:Port1.


Figure 16-2 Cone NAT

Cone NAT is mainly used in environments with many P2P applications. Because NAT breaks the
end-to-end network model of IP, many UDP-based protocols now take NAT devices into account,
so some applications based on the UDP protocol can traverse NAT devices themselves, such as
QQ. If an application does not support a NAT traversal protocol, then messages initiated from the
public network towards the NAT-translated address and port are discarded by the NAT device.
Deploying cone NAT improves this situation.

The public network IP and port after cone NAT translation are occupied by one private network IP
and port, and a reverse mapping record to the private network IP is compulsorily formed. This
feature is mutually exclusive with the session-level NAT feature; the two cannot take effect at the
same time. Therefore, the session-level NAT function is automatically disabled when cone NAT is
used. In practical applications, if you choose to use cone NAT, you need to consider the
rationality of public network IP resource allocation.
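The following is an added example, not DPtech code, that models the two mapping behaviours of 16.2.4.1 and 16.2.4.2 in a toy source NAT table: symmetric mode keys the reverse entry on the full five-tuple, cone mode on the triplet, and both honour an aging period. Addresses, ports and the aging value are constructed for the demo.

```python
from dataclasses import dataclass

# Aging period of a mapping entry in seconds (constructed value for the demo).
AGING_SECONDS = 60


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class SourceNat:
    """Toy source NAT gateway with the two mapping behaviours of 16.2.4.

    mode "symmetric": the reverse entry is keyed by the five-tuple, so only the
    original peer IP2:Port2 can reach IP1:Port1 through IP111:Port111.
    mode "cone": the reverse entry is keyed by (proto, IP111, Port111), so any
    peer reaches IP1:Port1 while the entry has not aged out.
    """

    def __init__(self, mode, public_ip, first_port=1024):
        if mode not in ("symmetric", "cone"):
            raise ValueError("mode must be 'symmetric' or 'cone'")
        self.mode = mode
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}  # private key -> (public_ip, public_port, expires)
        self.inbound = {}   # reverse key -> (private_ip, private_port, expires)

    def _out_key(self, f):
        if self.mode == "symmetric":
            return (f.proto, f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        return (f.proto, f.src_ip, f.src_port)

    def translate_out(self, f, now):
        """Translate a private->public flow, creating the mapping if needed."""
        key = self._out_key(f)
        entry = self.outbound.get(key)
        if entry is None or entry[2] <= now:
            pub_port = self.next_port
            self.next_port += 1
            entry = (self.public_ip, pub_port, now + AGING_SECONDS)
            self.outbound[key] = entry
            if self.mode == "symmetric":
                rkey = (f.proto, f.dst_ip, f.dst_port, self.public_ip, pub_port)
            else:
                rkey = (f.proto, self.public_ip, pub_port)
            self.inbound[rkey] = (f.src_ip, f.src_port, entry[2])
        return Flow(f.proto, entry[0], entry[1], f.dst_ip, f.dst_port)

    def translate_in(self, f, now):
        """Translate a public->private flow; None means no mapping, so it is dropped."""
        if self.mode == "symmetric":
            rkey = (f.proto, f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        else:
            rkey = (f.proto, f.dst_ip, f.dst_port)
        entry = self.inbound.get(rkey)
        if entry is None or entry[2] <= now:
            return None
        return Flow(f.proto, f.src_ip, f.src_port, entry[0], entry[1])


def demo(mode):
    """Run the 16.2.4 scenario: IP1:Port1 -> IP2:Port2, then three inbound attempts.

    Returns (reply from IP2:Port2, packet from another public host, reply after aging).
    Addresses are constructed documentation-range values.
    """
    nat = SourceNat(mode, "203.0.113.111", first_port=40000)
    out = nat.translate_out(Flow("TCP", "192.168.1.10", 5555, "198.51.100.2", 80), now=0)
    # reverse traffic from the same peer, within the aging period
    reply = nat.translate_in(Flow("TCP", "198.51.100.2", 80, out.src_ip, out.src_port), now=10)
    # traffic from a different public host to the translated IP:port
    other = nat.translate_in(Flow("TCP", "198.51.100.9", 4444, out.src_ip, out.src_port), now=10)
    # the same peer again, but after the entry has aged out
    late = nat.translate_in(Flow("TCP", "198.51.100.2", 80, out.src_ip, out.src_port),
                            now=AGING_SECONDS + 1)
    return reply, other, late


if __name__ == "__main__":
    for mode in ("symmetric", "cone"):
        reply, other, late = demo(mode)
        print(mode, "| same peer:", reply, "| other host:", other, "| after aging:", late)
```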

16.2.5 Port block NAT

16.2.5.1 Port block NAT description

The port range 1024~65535 (0~1023 are well-known ports and are therefore reserved) is divided
into blocks of the same size, giving "Port number/Block size" port blocks per address, so the
number of port block resources is: public network address pool IP number * Port number/Block
size. Each private network IP exclusively occupies one port block resource.

For example: configure the private network IP range on the NAT device as addr1~addr2, the
public IP address pool as addr3~addr4 and the port block size as n; the port block resources are
obtained according to "public network address pool IP number * Port number/Block size". PC1 is
allocated Block1 and PC2 is allocated Block2. The translated IP and port of PC1 accessing PC3
must be in Block1, and the translated IP and port of PC2 accessing PC3 must be in Block2.


Figure 16-3 Port block NAT description

This type of NAT is mainly used when there are high requirements for log traceability but the log
traceability system is weak. Because of the large volume of NAT logs, users cannot tell whether
logs have been lost, so port block NAT can be used to record the allocation of port blocks
instead of per-session logs.

16.2.5.2 Static port block NAT

The private network IP addresses and the public network port block resources form a fixed
mapping, in one-to-one correspondence strictly following the order of the IP addresses and the
sequence of the port block resources, and a private network IP address accessing the Internet is
NATed according to this static mapping relationship.

For example: private network IP addresses IP1, IP2, IP3 correspond one-to-one with the public
network port block resources IP100:Block1, IP100:Block2, IP100:Block3: IP1 is mapped to
IP100:Block1, IP2 is mapped to IP100:Block2, and IP3 is mapped to IP100:Block3. The device
always maintains this mapping relationship. Whenever IP1, IP2 and IP3 access the Internet, NAT
translation is performed based on this static mapping relationship. Therefore, static port block
NAT must satisfy: the number of private network IPs is less than or equal to the number of public
network port block resources.


Figure 16-4 Static Port Block NAT

In actual deployment projects, static port block NAT is used more often than dynamic port block
NAT, mainly because the fixed static mapping relationship makes it easier for ISP users to trace
the source.
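As an added example (not the device's implementation), the code below computes the port block resources of 16.2.5.1 from a public address pool and block size, builds the ordered static mapping of 16.2.5.2, enforces its size constraint, and traces a translated public IP:port back to its private host without any session log. Address ranges and the block size are constructed sample values.

```python
from ipaddress import IPv4Address

FIRST_PORT, LAST_PORT = 1024, 65535  # 0-1023 are well-known ports and stay reserved


def ip_range(start, end):
    """Expand an inclusive 'addr1~addr2' style range into a list of address strings."""
    lo, hi = IPv4Address(start), IPv4Address(end)
    if hi < lo:
        raise ValueError("range end precedes start")
    return [str(lo + i) for i in range(int(hi) - int(lo) + 1)]


def port_blocks(pool_start, pool_end, block_size):
    """Enumerate port block resources as (public_ip, first_port, last_port).

    Each public IP yields floor((65535 - 1024 + 1) / block_size) blocks, so the
    total is pool IP number * port number / block size, as 16.2.5.1 states.
    """
    if block_size <= 0:
        raise ValueError("block size must be positive")
    blocks = []
    for ip in ip_range(pool_start, pool_end):
        first = FIRST_PORT
        while first + block_size - 1 <= LAST_PORT:
            blocks.append((ip, first, first + block_size - 1))
            first += block_size
    return blocks


def static_port_block_map(priv_start, priv_end, pool_start, pool_end, block_size):
    """Build the fixed private-IP -> port-block mapping of 16.2.5.2.

    Private IPs are paired with blocks strictly in order, so the number of
    private IPs must not exceed the number of port block resources.
    """
    privs = ip_range(priv_start, priv_end)
    blocks = port_blocks(pool_start, pool_end, block_size)
    if len(privs) > len(blocks):
        raise ValueError(
            f"{len(privs)} private IPs but only {len(blocks)} port block resources")
    return dict(zip(privs, blocks))


def trace_private_ip(mapping, public_ip, public_port):
    """Trace a translated public IP:port back to the private IP owning its block.

    With a static mapping the block alone identifies the private host, which is
    why 16.2.5 recommends it where per-session logs may be lost.
    """
    for priv, (ip, first, last) in mapping.items():
        if ip == public_ip and first <= public_port <= last:
            return priv
    return None


if __name__ == "__main__":
    # constructed example: three private hosts, one public IP, blocks of 1000 ports
    m = static_port_block_map("192.168.1.1", "192.168.1.3",
                              "203.0.113.100", "203.0.113.100", 1000)
    for priv, block in m.items():
        print(priv, "->", block)
    print("203.0.113.100:3500 belongs to", trace_private_ip(m, "203.0.113.100", 3500))
```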

16.2.6 NAT-associated VRRP

In a VRRP dual-system hot backup network, if the addresses of the NAT address pool are not the
Virtual IP of the VRRP group but other IP addresses in the same network segment, then because
the primary device and the backup device are configured with the same NAT rules, ARP conflicts
for the NAT address pool addresses occur, resulting in abnormal service traffic and even network
interruption. This situation can occur with NAT rules such as source NAT, destination NAT,
one-to-one NAT and many-to-many NAT.

The NAT-associated VRRP function solves the above problem. The dual-system hot standby
status changes with the VRRP active/standby status, and usually only the active device
processes service traffic. Therefore, when NAT is associated with VRRP, only the NAT rule whose
VRRP state is Master responds to ARP requests, and the NAT rule whose VRRP state is Backup
does not respond to ARP, thus avoiding ARP conflicts and ensuring that only the Master device
receives service traffic. As shown in the following figure:


Figure 16-5 NAT-associated VRRP

[Figure: Master (221.110.1.2 / 192.168.1.2) and Backup (221.110.1.3) devices share the Virtual
IP 221.110.1.1 towards the Internet (221.110.1.4) and the Virtual IP 192.168.1.1 towards the
Intranet host 192.168.1.254; both devices carry the same One_To_One NAT rule 221.110.1.10
<-> 192.168.1.254.]

16.2.7 NAT and security policy coordination

16.2.7.1 Internal data forwarding process of the device

The internal data forwarding process of the device is carried out according to the sequence
shown in the figure below. The session entry is first searched, then the destination NAT
conversion, route search, packet filtering rules, DPI rules, and audit rules are performed. Finally,
the source NAT is queried and forwarded from the routing outbound interface.


Figure 16-6 Brief flow chart of data forwarding inside the device

16.2.7.2 Destination NAT with packet filtering strategy

The device performs the destination NAT first and then the packet filtering strategy, so the packet
filtering strategy should allow the private network IP address after the destination NAT
translation.

For example: map the public IP address 211.110.1.1 of the Untrust zone to the private IP
address 192.168.1.1 of the Trust zone, and the packet filtering policy should be configured as:

Table 16-1 Destination NAT with packet filtering strategy

Source Domain | Destination Domain | Source Address | Destination Address | Action
Untrust       | Trust              | Any            | 192.168.1.1         | Pass

The destination address of the packet filtering policy should be the private IP address
192.168.1.1 after the destination NAT translation.


16.2.7.3 Source NAT with packet filtering strategy

The device first implements the packet filtering policy and then the source NAT, so the packet
filtering policy should allow the private network address before source NAT translation.

For example: Map the private IP address 192.168.2.1 of the Trust zone to the public IP address
211.110.1.1 of the Untrust zone, and the packet filtering policy should be configured as:

Table 16-2 Source NAT with packet filtering strategy

Source Domain | Destination Domain | Source Address | Destination Address | Action
Trust         | Untrust            | 192.168.2.1    | Any                 | Pass

The source address of the packet filtering policy should be the private IP address 192.168.2.1
before source NAT translation.
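The following is an added example, not device code, that models the forwarding order of 16.2.7.1 (destination NAT, then packet filtering, then source NAT) and replays the Table 16-1 and Table 16-2 scenarios: rules written against the private addresses pass, while the same rules written against the public addresses never match. The zone layout, client and server addresses are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed zone layout: the private side is Trust, everything else is Untrust.
TRUST_NET = ip_network("192.168.0.0/16")


def zone_of(ip):
    return "Trust" if ip_address(ip) in TRUST_NET else "Untrust"


def policy_matches(policy, src_zone, dst_zone, src, dst):
    """A packet filtering rule matches on both zones plus address (or 'Any')."""
    return (policy["src_zone"] == src_zone
            and policy["dst_zone"] == dst_zone
            and policy["src"] in ("Any", src)
            and policy["dst"] in ("Any", dst))


def forward(pkt, policies, dnat, snat):
    """Model the 16.2.7.1 order: destination NAT, packet filter, then source NAT.

    dnat maps public -> private destination addresses, snat maps private ->
    public source addresses. Returns ("pass", translated packet) or
    ("drop", reason); a packet matching no rule is dropped, as with the
    device's default discarding policy option.
    """
    src, dst = pkt["src"], pkt["dst"]
    # Step 1: destination NAT runs before the packet filter
    dst = dnat.get(dst, dst)
    # Step 2: the filter sees the post-DNAT destination and the pre-SNAT source
    for policy in policies:
        if policy_matches(policy, zone_of(src), zone_of(dst), src, dst):
            if policy["action"] != "Pass":
                return "drop", "policy " + policy["name"]
            break
    else:
        return "drop", "no matching policy"
    # Step 3: source NAT runs last, on the outgoing interface
    src = snat.get(src, src)
    return "pass", {"src": src, "dst": dst}


DNAT = {"211.110.1.1": "192.168.1.1"}  # Table 16-1 mapping
SNAT = {"192.168.2.1": "211.110.1.1"}  # Table 16-2 mapping

# Table 16-1 and 16-2 as the manual advises: private addresses in the rules
CORRECT = [
    {"name": "dnat-in", "src_zone": "Untrust", "dst_zone": "Trust",
     "src": "Any", "dst": "192.168.1.1", "action": "Pass"},
    {"name": "snat-out", "src_zone": "Trust", "dst_zone": "Untrust",
     "src": "192.168.2.1", "dst": "Any", "action": "Pass"},
]
# The same intent written against the public addresses, which the filter never sees
WRONG = [
    {"name": "dnat-in", "src_zone": "Untrust", "dst_zone": "Trust",
     "src": "Any", "dst": "211.110.1.1", "action": "Pass"},
    {"name": "snat-out", "src_zone": "Trust", "dst_zone": "Untrust",
     "src": "211.110.1.1", "dst": "Any", "action": "Pass"},
]

INBOUND = {"src": "203.0.113.5", "dst": "211.110.1.1"}    # constructed public client
OUTBOUND = {"src": "192.168.2.1", "dst": "198.51.100.7"}  # constructed public server


def run(policies):
    """Return the verdicts for the inbound (DNAT) and outbound (SNAT) packets."""
    return forward(INBOUND, policies, DNAT, SNAT), forward(OUTBOUND, policies, DNAT, SNAT)


if __name__ == "__main__":
    print("correct rules:", run(CORRECT))
    print("wrong rules:  ", run(WRONG))
```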

16.3 Source NAT


Source NAT is a one-to-many address translation that translates by "IP address + port number",
so that multiple private network users can share one public IP address to access the external
network. It is the main form of address translation, also known as NAPT. The source NAT module
contains three functional features:

 Source NAT policy configuration
 Address pool rule configuration
 Port block resource pool configuration

16.3.1 Source NAT

Select Service > NAT Configuration > Source NAT > Source NAT from navigation tree to
enter the source NAT page, as shown in following figure.


Figure 16-7 Source NAT

1. Source NAT policy list


Source NAT policy configuration, as shown in Figure 16-7 Source NAT; its parameters are as
follows:

 SN.: the serial number of the source NAT policy.


 Name: the name of the source NAT policy.
 Outbound interface: outbound interface of the intranet data packets of the source NAT
policy.
 Source IP: the source IP address of the intranet data packet of the source NAT policy. You
can select the Any entry or configure it through an IP address or IP address group. IP
addresses and IP address groups can be customized through the pop-up window of the
source NAT policy list or the "object management" page.
 Destination IP: the destination IP address of the intranet data packet of the source NAT
policy. You can select the Any entry or configure it through an IP address or IP address
group. IP addresses and IP address groups can be customized through the pop-up window
of the source NAT policy list or the "object management" page.
 Service: the service type to which the source NAT policy applies. It can be created through
the pop-up window of the source NAT policy list or the "object management" page.
 Public IP address (pool): the public network IP address or IP address pool that the source IP
address is translated to; it can be customized. The public IP address (pool) configuration
information is shown in the following figure.


Figure 16-8 Public IP address (pool)

 Use outbound interface: select the public network address as the outgoing interface
address.
 No NAT: do not perform NAT after the device is selected.
 Select an existing address pool: select an existing address pool rule. After selecting in
the left frame, click the ">" button and the selected address pool rule is displayed on the
right. Deletion works in the reverse direction.
 High-level port: the source port after NAT; when the port hash function is not used it is
the same as the source port before NAT.
 Port hash: the source port number after NAT is changed to a random port number
within the high-level port range. If the application software requires that the source port
number of the message not be changed for external communication, the port hash
function needs to be turned off.
 Status: display the status of this source NAT policy, including enable and disable.
 Operation: includes four functions: move, add, insert and delete.
 Move: click the icon and select whether to move the policy before or after another
policy, in order to adjust the policy order.
 Add: click the icon to add a new policy below the existing policy.
 Insert: click the icon to insert a new policy above the policy.


 Delete: click the icon; the policy turns red, in the to-be-deleted state. Then click the
Submit button in the upper right corner of the webpage.
The list of configured source NAT policies can be saved and downloaded through the import and
export functions. Click Import, then Select File to choose the path of the file to be imported, and
click Import to import the source NAT policies. Click the Export button to save the current source
NAT policy configuration.

16.3.2 Address pool

Select Service > NAT Configuration > Source NAT > Address Pool from navigation tree to
enter the address pool page, as shown in following figure.

Figure 16-9 Address pool

The parameters of address pool configuration are shown in the following:

 No.: the number of the address pool rule.
 Name: the name of the address pool rule.
 Start IP: the start address of the address pool.
 End IP: the end address of the address pool.
 Loop route: check to enable the anti-loopback function. When an unknown public host
reaches an address pool address through the ISP device, there is no SNAT session to
reverse-translate it, so the address pool address cannot be mapped back to an intranet
address. The gateway then looks up the routing table and, following the default route
towards the ISP, sends the packet back out, forming a loop. To prevent this, enable the
anti-loopback function: the device adds a static route for the address pool addresses with
the outgoing interface set to null0, so such packets are discarded.
 Advanced configuration: contains the Gratuitous ARP and Track VRRP settings, described
below.
 Gratuitous ARP: check to enable gratuitous ARP for the address pool addresses.
 Track VRRP: the VRRP backup group associated with this address pool. In a VRRP
hot-standby deployment, the NAT configuration is tied to the VRRP group state: only the
device whose VRRP state is master responds to ARP for the address pool IP, and the
device in any other VRRP state does not. This prevents both devices from answering
ARP for the same address at the same time.
 Whether referenced: indicates whether this address pool rule is referenced by a source
NAT policy.


Configure the address pool before configuring source NAT. After the configuration is
complete, click the Submit button at the top right of the page.
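The loop described under "Loop route" and the effect of the null0 route, as an added illustration in Python that is not the device's own code: a minimal forwarding model with a default route to the ISP, a hypothetical SNAT session table and, when anti-loopback is enabled, one /32 route to null0 per pool address. Interface names, addresses and the session table are constructed for the example.

```python
"""Anti-loopback route for a source NAT address pool (added illustration).

Constructed model: an inbound packet for an address-pool IP that has no SNAT
session cannot be reverse-translated, so the only matching route is the
default route back to the ISP and the packet bounces between the firewall
and the ISP router. With anti-loopback enabled, a /32 route to null0 for
every pool address wins longest-prefix match over 0.0.0.0/0 and the packet
is dropped. Interface names, addresses and the session table are hypothetical.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_iface: str            # "null0" means discard


class Firewall:
    def __init__(self, pool, isp_iface="ge0/1", anti_loopback=False):
        self.pool = [ipaddress.IPv4Address(a) for a in pool]
        self.routes = [Route(ipaddress.IPv4Network("0.0.0.0/0"), isp_iface)]
        # SNAT session table: (public_ip, public_port) -> (private_ip, private_port)
        self.snat_sessions = {}
        if anti_loopback:
            # One host route per pool address pointing to null0
            for a in self.pool:
                self.routes.append(Route(ipaddress.IPv4Network(f"{a}/32"), "null0"))

    def add_session(self, pub_ip, pub_port, priv_ip, priv_port):
        self.snat_sessions[(pub_ip, pub_port)] = (priv_ip, priv_port)

    def lookup(self, dst):
        """Longest-prefix-match route lookup."""
        dst = ipaddress.IPv4Address(dst)
        best = None
        for r in self.routes:
            if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def forward_inbound(self, dst_ip, dst_port):
        """Where one inbound packet goes: 'lan:<ip>:<port>', an interface name, or 'drop'."""
        session = self.snat_sessions.get((dst_ip, dst_port))
        if session:
            return f"lan:{session[0]}:{session[1]}"
        route = self.lookup(dst_ip)
        return "drop" if route.out_iface == "null0" else route.out_iface


def simulate(fw, dst_ip, dst_port, max_hops=10):
    """Send a packet from an unknown public host to dst_ip:dst_port and count
    the firewall<->ISP round trips. The ISP's route for the pool prefix always
    points back at the firewall, so a packet sent out to the ISP comes back."""
    hops = 0
    while hops < max_hops:
        result = fw.forward_inbound(dst_ip, dst_port)
        if result == "drop" or result.startswith("lan:"):
            return result, hops
        hops += 1            # sent out to the ISP, which routes it straight back
    return "loop", hops
```

Without the null0 routes the packet is counted round-tripping until the hop limit; with them it is dropped on the first lookup, while a packet that does match an SNAT session is still delivered to the intranet host because the session table is consulted before the routing table.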

16.4 Port block NAT

16.4.1 Port block NAT

Select Service > NAT Configuration > Port Block NAT > Port Block NAT from navigation tree
to enter the port block NAT page, as shown in the following figure.

Figure 16-10 Port block NAT

The page parameters of port block NAT and source NAT are roughly the same, only the port
block resource pool is different. The port block resource pool configuration window is shown in
the figure below:

Figure 16-11 Port block resource pool

The description of each parameter is as follows:


 Port block resource pool: select the serial number of an existing port block resource pool
from the drop-down box.
 IP address range: displays the IP address range of the selected port block resource pool.
 Port range: displays the port range of the selected port block resource pool.
 Number of ports per block: displays the port block size of the selected port block resource
pool. The system divides the configured port range into blocks of this fixed size, and the
addresses to be translated are assigned to different port blocks in turn. The main purpose
is to make source tracing after NAT translation easy. Note that the number of port blocks
must not be less than the number of addresses to be mapped; otherwise some addresses
cannot be given a port block.

Port block NAT is mainly used where traceability of log sources is required. To view port block
allocation logs, enable the port block allocation log function under System Management >
Session Management > Session Log Configuration.

16.4.2 Port block resource

Select Service > NAT Configuration > Port Block NAT > Port Block Resource from
navigation tree to enter the port block resource page, as shown in the following figure

Figure 16-12 Port block resource

The port block resource configuration parameters are described as follows:

 Serial number: Display the serial number of the port block resource pool.
 Name: Set the name of the port block resource pool.
 Start IP: Set the start address of the port block resource pool.
 End IP: Set the end address of the port block resource pool.
 Anti-loopback routing: check to enable the anti-loopback routing function. When an
unknown public host reaches an address pool address through the ISP device, there is no
SNAT session to reverse-translate it, so the address pool address cannot be mapped back
to an intranet address. The gateway then looks up the routing table and, following the
default route towards the ISP, sends the packet back out, forming a loop. To avoid this,
enable anti-loopback routing: the device adds a static route for the address pool addresses
with the outgoing interface set to null0, so such packets are discarded.
 Advanced configuration: set the port range, the number of ports per block and the number
of reserved port blocks in the port block resource pool allocated by the device.
 Whether referenced: shows whether the port block resource pool is referenced by a source
NAT policy.
Configure the port block resource pool before configuring source NAT. After the configuration
is complete, click the Submit button at the top right of the page.
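Port block allocation and source tracing, as an added example in Python that is not the device's implementation: the public port range is split into fixed-size blocks, reserved blocks are skipped, each private address receives one block, and a single constructed log line per block is enough to trace a public (IP, port) from an abuse report back to the private host. The capacity check implements the rule stated in 16.4.1 that there must be at least as many blocks as addresses to map. The class name, the log line format and all addresses are hypothetical.

```python
"""Port block NAT: block allocation and source tracing (added illustration).

Constructed model of the allocation rule the manual describes: the public
port range is cut into fixed-size blocks, each private source address is
given a whole block, and one log line per block (not per session) is enough
to trace a public (IP, port) back to the private host. Names, addresses and
the log format are hypothetical.
"""
import ipaddress
import random


class PortBlockPool:
    def __init__(self, start_ip, end_ip, port_start, port_end, block_size, reserved_blocks=0):
        s, e = int(ipaddress.IPv4Address(start_ip)), int(ipaddress.IPv4Address(end_ip))
        self.public_ips = [str(ipaddress.IPv4Address(i)) for i in range(s, e + 1)]
        self.block_size = block_size
        self.port_start = port_start
        # Whole blocks per public IP; a partial trailing block is not usable
        self.blocks_per_ip = (port_end - port_start + 1) // block_size
        # Free list of (public_ip, block_index); the first reserved_blocks are never handed out
        self.free = [(ip, b) for ip in self.public_ips
                     for b in range(reserved_blocks, self.blocks_per_ip)]
        self.assigned = {}   # private_ip -> (public_ip, block_index)
        self.log = []        # constructed "port block allocation" log lines

    @property
    def capacity(self):
        return len(self.free) + len(self.assigned)

    def block_range(self, block_index):
        lo = self.port_start + block_index * self.block_size
        return lo, lo + self.block_size - 1

    def allocate(self, private_ip):
        """Give private_ip its block (once) and write the allocation log line."""
        if private_ip in self.assigned:
            return self.assigned[private_ip]
        if not self.free:
            raise RuntimeError("port block pool exhausted")
        pub_ip, b = self.free.pop(0)
        self.assigned[private_ip] = (pub_ip, b)
        lo, hi = self.block_range(b)
        self.log.append(f"PBA src={private_ip} pub={pub_ip} ports={lo}-{hi}")
        return pub_ip, b

    def translate(self, private_ip, rng=random):
        """Public (ip, port) for a new session: any port inside the host's block."""
        pub_ip, b = self.allocate(private_ip)
        lo, hi = self.block_range(b)
        return pub_ip, rng.randint(lo, hi)

    def trace(self, public_ip, public_port):
        """Resolve a public (ip, port) using only the block log, as an analyst would."""
        for line in self.log:
            fields = dict(f.split("=", 1) for f in line.split()[1:])
            lo, hi = map(int, fields["ports"].split("-"))
            if fields["pub"] == public_ip and lo <= public_port <= hi:
                return fields["src"]
        return None


def check_capacity(pool, private_hosts):
    """The manual's constraint: blocks must not be fewer than addresses to map."""
    return pool.capacity >= len(private_hosts)
```

Because every session of a host lands inside that host's block, the per-block log line is sufficient for attribution even when no per-session log was kept, which is the point of port block NAT over plain port-hash source NAT.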

16.5 Destination NAT


Select Service > NAT Configuration > Destination NAT from navigation tree to enter the
destination NAT page, as shown in following figure.

Figure 16-13 Destination NAT

The parameters of destination NAT policy configuration are shown in the following:

 No.: the number of the destination NAT policy.
 Name: the name of the destination NAT policy.
 In interface: the interface on which public network packets matching the destination NAT
policy arrive.
 Public IP: the public network IP address.
 Service: the type of service that matches the destination NAT policy.
 Intranet address: the intranet IP address that public network users actually reach.
 Advanced configuration: displays the configured intranet port.
 IPv4 VRRP: the VRRP backup group associated with this policy. In a VRRP hot-standby
deployment, the NAT policy is tied to the VRRP group state: only the device whose VRRP
state is master responds to ARP for the public IP, and the device in any other VRRP state
does not. This prevents both devices from answering ARP for the same address at the
same time.


 Status: enable or disable this destination NAT policy.
 Operation: includes four functions: move, add, insert and delete.
 Move: click the icon and choose whether to move the policy before or after another
policy, to adjust the policy order.
 Add: click the icon to add a new policy below the existing policy.
 Insert: click the icon to insert a new policy above the policy.
 Delete: click the icon; the policy turns red, marking it for deletion. Click the Submit
button at the top right of the page to delete the policy.

16.6 Static NAT

16.6.1 One to one NAT

One-to-one NAT is an advanced form of destination NAT that maps the private IP address of an
internal server to a public IP address through a static one-to-one configuration. With
one-to-one NAT, all services of the internal server are exposed, so public network users can
access them through the public IP address.

Select Service > NAT Configuration > One-to-one NAT from navigation tree to enter the
one-to-one NAT page, as shown in following figure.

Figure 16-14 One-to-one NAT

The parameters of one-to-one NAT configuration are shown in the following:

 No.: the serial number of the one-to-one NAT policy.
 Name: the name of the one-to-one NAT policy.
 Public network interface: the public network interface to which the one-to-one NAT applies.
 Public network address: the public network IP address.
 Intranet address: the intranet IP address.
 Track VRRP: the VRRP backup group associated with this policy. In a VRRP hot-standby
deployment, the NAT policy is tied to the VRRP group state: only the device whose VRRP
state is master responds to ARP for the public address, and the device in any other VRRP
state does not. This prevents both devices from answering ARP for the same address at
the same time.


 Operation: includes four functions: move, add, insert and delete.
 Move: click the icon and choose whether to move the policy before or after another
policy, to adjust the policy order.
 Add: click the icon to add a new policy below the existing policy.
 Insert: click the icon to insert a new policy above the policy.
 Delete: click the icon; the policy turns red, marking it for deletion. Click the Submit
button at the top right of the page to delete the policy.

16.6.2 N-to-N NAT

N-to-N NAT statically maps a segment of private network IP addresses to a segment of public
network IP addresses, so that private and public addresses translate to each other in both
directions. This greatly reduces the NAT configuration workload compared with one mapping
per host. The N-to-N NAT module provides the following configuration parameters.

Select Service > NAT Configuration > N-to-N NAT to enter the N-to-N NAT page, as shown in
following figure.

Figure 16-15 N-to-N NAT

The description of each parameter is shown in the following:

 No.: the sequence number of the N-to-N NAT policy.
 Net Interface: the public network interface of the N-to-N NAT policy.
 Innet Address: the private network address segment of the N-to-N NAT policy.
 Net Address: the public network address segment of the N-to-N NAT policy.
 Track VRRP: the tracked VRRP group. With VRRP hot standby, only the VRRP master
responds to ARP packets and the VRRP backup does not. Tracking the VRRP group
prevents the master and the backup from responding to ARP at the same time.

16.7 NAT66
NAT66 (IPv6-to-IPv6 Network Address Translation) translates between IPv6 local unicast
addresses and aggregatable global unicast addresses by statically associating specific local
unicast addresses with global unicast addresses.

16.7.1 NAT66 source NAT

Select Service > NAT Configuration > NAT66 > Source NAT from navigation tree to enter the
Source NAT page, as shown in following figure.

Figure 16-16 Source NAT

NAT66 source NAT parameters are described as follows:

 Serial number: the serial number of the source NAT policy.
 Name: the name of the source NAT policy.
 Outgoing interface: the interface through which intranet packets matching the source NAT
policy leave.
 Initiator source IP: the source IP address of the intranet packets matching the source NAT
policy.
 Initiator destination IP: the destination IP address of the intranet packets matching the
source NAT policy.
 Service: the type of service to which the source NAT policy applies.
 Public IP address (pool): the public IP address or address pool to which the intranet source
IP address is translated.
 Status: displays the status of this source NAT policy, enabled or disabled.
 Operation: includes three functions: add, insert and delete.
 Add: click the icon to add a new policy below the existing policy.
 Insert: click the icon to insert a new policy above the policy.
 Delete: click the icon; the policy turns red, marking it for deletion. Click the Submit
button at the top right of the page to delete the policy.


16.7.2 NAT66 destination NAT

Select Service > NAT Configuration > NAT66 > Destination NAT from navigation tree to enter
the destination NAT page, as shown in following figure.

Figure 16-17 Destination NAT

The description of NAT66 destination NAT parameters is as follows:

 Serial number: displays the serial number of the destination NAT policy.
 Name: set the name of the destination NAT policy.
 Inbound interface: set the interface on which packets matching the destination NAT policy
arrive.
 Public IP: set the public IPv6 address (the aggregatable global unicast address) that the
initiator accesses and that the destination NAT policy matches.
 Service: set the service type and parameters to which the destination NAT policy applies.
 Intranet address pool: set the IPv6 local unicast address to which the aggregatable global
unicast address is mapped.
 Advanced configuration: set the intranet port number to which the destination NAT policy
maps.
 Associate VRRP: set whether to associate the policy with a VRRP group.
 Status: enable or disable the destination NAT policy.
 Operation: includes three functions: add, insert and delete.
 Add: click the icon to add a new policy below the existing policy.
 Insert: click the icon to insert a new policy above the policy.
 Delete: click the icon; the policy turns red, marking it for deletion. Click the Submit
button at the top right of the page to delete the policy.

16.7.3 NAT66 one-to-one NAT

Select Service > NAT Configuration > NAT66 > One-To-One NAT from navigation tree to enter
the One-To-One NAT page, as shown in following figure.

Figure 16-18 One-to-one NAT

NAT66 one-to-one NAT policy configuration parameters are described as follows:

 Serial number: the serial number of the one-to-one NAT policy.
 Name: the name of the one-to-one NAT policy.
 Public network interface: the public network interface to which the one-to-one NAT applies.
 Public network address: the public network IPv6 address.
 Intranet address: the intranet IPv6 address.
 Associated VRRP: the VRRP backup group associated with this policy. In a VRRP
hot-standby deployment, the NAT policy is tied to the VRRP group state: only the device
whose VRRP state is master responds to neighbor resolution for the public address, and
the device in any other VRRP state does not. This prevents both devices from answering
for the same address at the same time.
 Operation: includes four functions: move, add, insert and delete.
 Move: click the icon and choose whether to move the policy before or after another
policy, to adjust the policy order.
 Add: click the icon to add a new policy below the existing policy.
 Insert: click the icon to insert a new policy above the policy.
 Delete: click the icon; the policy turns red, marking it for deletion. Click the Submit
button at the top right of the page to delete the policy.

16.7.4 NAT66 address pool

Select Service > NAT Configuration > NAT66 > Address Pool from navigation tree to enter
the address pool page, as shown in following figure.


Figure 16-19 Address pool

The NAT66 address pool parameters are described as follows:

 Serial number: Display the serial number of the IPv6 address pool.
 Name: Set the name of the IPv6 address pool.
 Start IP: Set the start IP address of the IPv6 address pool.
 End IP: Set the end IP address of the IPv6 address pool.
 Virtual system: Set the virtual system to which the IPv6 address pool belongs.
 Referenced: shows whether the IPv6 address pool is referenced by a NAT66 policy.


17 ALG Configuration
ALG (Application Layer Gateway) is a proxy for a particular application layer protocol. It
lets that protocol traverse NAT by translating the addresses and ports carried inside the IP
packet payload.

Normally NAT translates only the IP address and port information in the packet headers and
does not inspect the application layer payload. Some protocols, however, carry IP address
or port information in their messages; NAT cannot translate that content, so the protocol
breaks. FTP, for example, uses a control connection and a data connection, and the
parameters of the data connection are carried dynamically in the payload of the control
connection. The ALG must translate that payload information so that the subsequent data
connection can be set up correctly.
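The FTP case described above, as an added example in Python that is not the device's implementation: a minimal ALG that rewrites the private address in a PORT command (client behind source NAT) or in a 227 passive-mode reply (server behind destination NAT), tracks the payload length change that a real implementation must reflect in TCP sequence numbers, and records a pinhole so the expected data connection can be permitted. The NAT mapping, the peer addresses and the pinhole format are constructed for the example.

```python
"""FTP ALG: rewriting addresses carried in the control-channel payload
(added illustration, not the device's implementation).

Plain NAT rewrites only the IP/TCP headers. FTP's PORT command and the 227
(PASV) reply carry an IP address and port in the payload, so without an ALG
the peer would try to open the data connection to a private address. This
ALG rewrites the payload to the translated address, accounts for the length
change (TCP sequence fix-up) and records a pinhole for the expected data
connection. The NAT mapping and all addresses are hypothetical.
"""
import re

PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")
PASV_RE = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\).*\r\n$")


def _decode(m):
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256+p2)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def _encode(ip, port):
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)]).encode()


class FtpAlg:
    def __init__(self, nat_map):
        # nat_map: private IP -> public IP (SNAT pool address or DNAT public IP)
        self.nat_map = nat_map
        self.pinholes = []        # (peer_ip, public_ip, public_port) allowed data connections
        self.seq_delta = 0        # bytes added so far; a real ALG adjusts TCP seq/ack by this

    def process(self, payload, peer_ip):
        """Return the rewritten payload for one control-channel line."""
        for regex in (PORT_RE, PASV_RE):
            m = regex.match(payload)
            if not m:
                continue
            priv_ip, port = _decode(m)
            if priv_ip not in self.nat_map:
                return payload          # not an address we translate; pass through
            pub_ip = self.nat_map[priv_ip]
            # Port kept unchanged here; a real ALG may allocate a new public port
            new_payload = payload[:m.start(1)] + _encode(pub_ip, port) + payload[m.end(6):]
            self.seq_delta += len(new_payload) - len(payload)
            self.pinholes.append((peer_ip, pub_ip, port))
            return new_payload
        return payload

    def data_connection_allowed(self, src_ip, dst_ip, dst_port):
        """Would the firewall admit this data connection attempt from the peer?"""
        return (src_ip, dst_ip, dst_port) in self.pinholes
```

Note that the check for the data connection is keyed on the peer that sent or received the control-channel message, so the pinhole does not open the translated port to arbitrary sources.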

17.1 ALG configuration

17.1.1 ALG configuration

The device supports 15 common application layer protocols to implement the ALG function. You
can select the application layer protocol to enable the ALG function in the ALG configuration
module.

Select Service > ALG Configuration > ALG Configuration > ALG Configuration from
navigation tree to enter the ALG configuration page, as shown in following figure.


Figure 17-1 ALG configuration

17.1.2 User-defined ALG

Select Service > ALG Configuration > ALG Configuration > User-defined ALG from
navigation tree to enter the user-defined ALG page, as shown in following figure.

Figure 17-2 User-defined ALG

The device supports the user-defined ALG configuration. The parameters of configuration list are
shown in the following:

 No.: displays the serial number of the user-defined ALG.
 Name: set the name of the user-defined ALG.
 Type: set the type of the user-defined application layer protocol, FTP or SIP.
 Source IP: set the sender IP address of the user-defined application layer protocol packets.
 Protocol: set the transport layer protocol of the user-defined application layer protocol, TCP
or UDP.
 Port: set the port number of the user-defined application layer protocol.

17.2 DNS ALG

The DNS ALG module lets the ALG process the DNS packet payload and enables it on a
selected interface.


Select Service >ALG Configuration > DNS ALG from navigation tree to enter the DNS ALG
page, as shown in following figure.

Figure 17-3 DNS ALG

Check Use DNS_ALG, select the interface, and then click the OK button.
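What processing a DNS ALG typically applies to the payload, as an added example in Python that is not the device's implementation and assumes the common DNS doctoring behaviour: when an internal server is published by static NAT and an internal client resolves its name through a public DNS server, the answer carries the public address; the ALG rewrites A-record rdata in the response according to the NAT mapping so the client connects to the private address directly. The response packet, the NAT mapping and the helper names are constructed for the example; only the standard library is used.

```python
"""DNS ALG (DNS doctoring) over a constructed response (added illustration,
not the device's implementation).

Rewrites the rdata of A records in a DNS response when the answered public
address is one the static NAT publishes for an internal host. Handles the
question section and compressed names so the offsets stay correct.
The mapping, the packet and the helper names are constructed.
"""
import socket
import struct


def _skip_name(buf, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def doctor_dns_response(pkt, public_to_private):
    """Rewrite A-record answers whose address is a key of public_to_private.
    Returns (new_packet, number_of_records_rewritten); length is unchanged."""
    out = bytearray(pkt)
    qd, an = struct.unpack_from("!HH", pkt, 4)
    off = 12
    for _ in range(qd):                  # skip question section (name + qtype + qclass)
        off = _skip_name(pkt, off) + 4
    rewritten = 0
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:        # A record, class IN
            public_ip = socket.inet_ntoa(pkt[off:off + 4])
            if public_ip in public_to_private:
                out[off:off + 4] = socket.inet_aton(public_to_private[public_ip])
                rewritten += 1
        off += rdlen
    return bytes(out), rewritten


def build_response(qname, answers, txid=0x1234):
    """Constructed DNS response: one A question and one A record per address,
    answer names given as a compression pointer to the question name."""
    labels = b"".join(bytes([len(label)]) + label.encode() for label in qname.split("."))
    name = labels + b"\x00"
    pkt = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    pkt += name + struct.pack("!HH", 1, 1)
    for ip in answers:
        pkt += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return pkt


def answered_addresses(pkt):
    """Extract the A-record addresses of a response (used to check results)."""
    qd, an = struct.unpack_from("!HH", pkt, 4)
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 1:
            addrs.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return addrs
```

The rewrite only touches records whose address appears in the mapping, leaves the packet length unchanged, and therefore needs no UDP length or sequence adjustment; a DNSSEC-signed answer would fail validation after such a rewrite, which is the usual caveat for DNS doctoring.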


18 VPN
VPN (Virtual Private Network) is a technology that builds a dedicated network over a public
network. It uses encryption, authentication and tunneling to establish a logically closed
private network between communicating nodes. In essence, a tunnel is encapsulated over
the public network using tunneling and encryption, giving users secure access to an
enterprise's internal network across the public network.

18.1 IPsec
IPsec (IP Security) is a security framework defined by the IETF that provides end-to-end
encryption and authentication services over both public and private networks.

IPsec VPN uses the IPsec protocols to implement remote access. It establishes a secure
tunnel across the Internet and encapsulates and encrypts IP packets, which makes it one
of the most widely deployed and mature VPN technologies.

The device supports IPsec VPN in policy mode and route mode. In policy mode, the device
checks traffic on the IPsec-bound interface against the flows of interest: packets matching
the policy are IPsec-encapsulated, and packets that do not match are forwarded without
IPsec. In route mode, IPsec can only be bound to a tunnel interface, and every packet
routed to that tunnel interface is IPsec-encapsulated.

18.1.1 System configuration

Select Service > VPN > IPsec > IPsec VPN > System Configuration from navigation tree to
enter the IPsec VPN page, as shown in following figure.

Figure 18-1 System configuration


The parameters of system configuration page are shown in the following:

 Enable IPsec: check to enable IPsec. Click the Restart button; in the dialog box "OK to
restart IPsec service?", click OK to restart the IPsec service.
The parameters of the advanced configuration are described as follows:
 Enable NAT traversal (client mode must enable NAT traversal): check to enable NAT
traversal. Client mode requires NAT traversal.
 Enable NAT session keepalive: check to enable the NAT session keepalive mechanism
and set the interval at which NAT keepalive messages are sent.
 Enable Layer 2 IPsec: check to enable Layer 2 IPsec. IPsec is normally deployed on a
Layer 3 interface; to run IPsec on a Layer 2 forwarding device, enable this feature.
 Enable UDP checksum: when enabled, the device computes the UDP header checksum
after the VPN service data is encapsulated, preventing VPN traffic anomalies caused by
UDP checksum errors. This feature is enabled by default.
 Enable appointed interface negotiation (IPsec negotiates on the interface that the
configured local IP is connected to): when enabled, negotiation packets are sent only out
of the interface that holds the configured local IP address. For service packets, the
device matches the flow of interest in the routing table using the route whose outgoing
interface is the IPsec-bound interface; if no such route exists, packets are forwarded
according to the other matching routes.
 Enable hot standby: enable dual-device hot standby.
 Enable set mode of MODECFG: with SET mode enabled for the MODECFG phase of IPsec
negotiation, the client generates a VPN IP address itself and asks the server whether the
address is available; if it is not, negotiation fails. With SET mode disabled, the server
assigns the IP address to the client.
 Enable user unique check: enable the check that a user may be logged in only once; the
setting takes effect after a restart.
 Enable connection state log: enable the connection status log, viewable in the system log.
 Enable error diagnosis log: enable the warning log, viewable in the system log.


 Enable negotiation process detailed log: set the enable debug log to be viewed in the
system log.
 Enable XAuth user login and logout log: enable the user status log to be viewed in the
system log.

If there is no special requirement, it is recommended to use the default values in Advanced
Configuration.

18.1.2 Connection configuration

18.1.2.1 Policy mode

Select Service > VPN > IPsec > IPsec VPN > Connection Configuration > Policy Mode from
navigation tree to enter the policy mode page, as shown in following figure.

Figure 18-2 Policy mode

The policy mode page includes three modes, as described below:

 Client access mode:
 Connection name: set the name of the IPsec VPN tunnel.
 Bind interface: set the interface to which the IPsec VPN is bound. It can be a tunnel
interface, a physical interface, or a VLAN interface. VPN data is encapsulated and
decapsulated on this interface once the connection is established. Traffic that needs to
be encrypted is directed to the bound interface by routing (static route, policy routing,
dynamic routing, and so on).
 Local IP: set the IP address of the local device's external interface, as an IPv4 or IPv6
address.
 Local ID: set the local device ID. The options are automatic (the local IP address is used
as the ID), host name (strict match of the ID), IP address (IPv4/IPv6), user domain name
(email address format, matched by domain) and local certificate identification name (the
peer checks the legitimacy of the local certificate's identification name). If the local
device is not behind NAT, "auto" is recommended. If the local device is behind NAT and
acts as an IPsec access point, select "IP address" and enter the external network
address.
 Client ID: set the client device ID. The options are any host ID, host name (strict match
of the ID), IP address (IPv4/IPv6), user domain name (email address format, matched
by domain) and peer certificate identification name (the device checks the legitimacy of
the peer certificate's identification name).
 Protect subnets: set the network segments to which the IPsec VPN applies, that is, the
segments the client is allowed to access. Select them from the configured protect
subnets or create a new protect subnet directly.
 Authentication mode: set the IPsec VPN authentication mode: pre-shared key or digital
certificate, whether XAUTH authentication is enabled, and how private network
addresses are assigned to clients.
 Advanced configuration: set the IPsec VPN negotiation mode, IPsec proposal,
encapsulation mode, whether clients may access the external network, whether
advanced DPD is enabled, and other advanced parameters. The default configuration is
recommended.
 Status: select whether to enable the policy.
 Gateway-to-gateway mode (international commercial cryptography standard):
 Connection name: set the name of the IPsec VPN tunnel.
 Bind interface: set the interface to which the IPsec VPN is bound. It can be a tunnel
interface, a physical interface, or a VLAN interface. VPN data is encapsulated and
decapsulated on this interface once the connection is established. Traffic that needs to
be encrypted is directed to the bound interface by routing (static route, policy routing,
dynamic routing, and so on).
 Local IP: set the IPv4 address, IPv6 address, or local interface (dial-up port) of the local
device.
 Peer IP: set the IPv4 address, IPv6 address, DNS domain name or DPDNS domain name
of the peer device, or Any.
 Local ID: set the local device ID. The options are automatic (the local IP address is used
as the ID), host name (strict match of the ID), IP address (IPv4/IPv6), user domain name
(email address format, matched by domain) and local certificate identification name (the
peer checks the legitimacy of the local certificate's identification name). If the local
device is not behind NAT, "auto" is recommended. If the local device is behind NAT and
acts as an IPsec access point, select "IP address" and enter the external network
address.
 Remote ID: set the peer device ID. The options are host name (strict match of the ID),
IP address (IPv4/IPv6), user domain name (email address format, matched by domain)
and peer certificate identification name (the device checks the legitimacy of the peer
certificate's identification name).
 Protect subnets: set the protected network segments of the IPsec VPN, that is, the
segments the peer is allowed to access. Select them from the configured protect
subnets or create a new protect subnet directly.
 Authentication mode: set the IPsec VPN authentication mode and parameters: either
pre-shared key or digital certificate (the device certificate is extracted automatically).
 Advanced configuration: set the security proposal, negotiation mode, encapsulation
mode, the action on IPsec encryption failure, and DPD: whether DPD is enabled, the
DPD message interval (default 30 seconds) and the DPD timeout (default 120 seconds).
 Status: select whether to enable the policy.
 Gateway-to-gateway mode (Chinese national cryptography standard):
 Connection name: set the name of the IPsec VPN tunnel.
 Bind interface: set the interface to which the IPsec VPN is bound. It can be a tunnel
interface, a physical interface, or a VLAN interface. VPN data is encapsulated and
decapsulated on this interface once the connection is established. Traffic that needs to
be encrypted is directed to the bound interface by routing (static route, policy routing,
dynamic routing, and so on).
 Local IP: set the IPv4 address, IPv6 address, or local interface (dial-up port) of the local
device.
 Remote IP: set the IPv4 address, IPv6 address, DNS domain name or DPDNS domain
name of the peer device, or Any.
 Local ID: set the local device ID. The options are automatic (the local IP address is used
as the ID), host name (strict match of the ID), IP address (IPv4/IPv6), user domain name
(email address format, matched by domain) and local certificate identification name (the
peer checks the legitimacy of the local certificate's identification name). If the local
device is not behind NAT, "auto" is recommended. If the local device is behind NAT and
acts as an IPsec access point, select "IP address" and enter the external network
address.
 Remote ID: set the peer device ID. The options are host name (strict match of the ID),
IP address (IPv4/IPv6), user domain name (email address format, matched by domain)
and peer certificate identification name (the device checks the legitimacy of the peer
certificate's identification name).
 Protect subnets: set the network segments to which the IPsec VPN applies, that is, the
segments the peer is allowed to access. Select them from the configured protect subnets
or create a new protect subnet directly.
 Authentication mode: set the IPsec VPN authentication mode and parameters; in this
mode digital certificate authentication is selected.
 Advanced configuration: set the IPsec VPN negotiation mode, security proposal,
encapsulation mode, whether access to the external network is allowed, the action on
encryption failure, whether fast DPD is enabled, and other advanced parameters.
 Status: select whether to enable the policy.

18.1.2.2 Route mode

Select Service > VPN > IPsec > IPsec VPN > Connection Configuration > Route Mode from
navigation tree to enter the route mode page, as shown in following figure.

Figure 18-3 Route mode


The parameters of the routing page description are as follows:

 Connection name: set the name of the IPsec VPN tunnel.
 IPsec interface: set the interface to which the IPsec VPN is bound. In route mode, only a
tunnel interface can be bound.
 Local IP: set the IPv4 address, IPv6 address, or local interface (dial-up port) of the local
device.
 Remote IP: set the IPv4 address, IPv6 address, DNS domain name or DPDNS domain name
of the peer device, or Any.
 Local ID: set the local device ID. The options are automatic (the system uses the local IP
address as the local device ID), host name (strict match of the ID), IP address (IPv4/IPv6),
user domain name (email address format, matched by domain) and local certificate
identification name (the peer checks the legitimacy of the local certificate's identification
name). If the local device is not behind NAT, "auto" is recommended. If the local device is
behind NAT and acts as an IPsec access point, select "IP address" and enter the external
network address.
 Remote ID: set the peer device ID: IP address (IPv4/IPv6), user domain name (email
address format, matched by domain) or peer certificate identification name (the device
checks the legitimacy of the peer certificate's identification name).
 Authentication mode: set the IPsec VPN authentication mode and parameters: either
pre-shared key or digital certificate (the device certificate is extracted automatically).
 Advanced configuration: set the IPsec VPN negotiation mode, IPsec proposal, IPsec
encapsulation mode, whether to send a DPVPN request, the action on IPsec encryption
failure, whether DPD is enabled, the DPD message interval and the DPD timeout.
 Status: set whether to enable this connection.

18.1.2.3 Protect subnet

Select Service > VPN > IPsec > IPsec VPN > Connection Configuration > Protect Subnet from the navigation tree to enter the protect subnet page, as shown in the following figure.

Figure 18-4 Protect subnet

The parameters of the protect subnet page are described as follows:

• Add: click the Add button to add a protection network segment according to the configured resource group.
• Delete: click the Delete button to delete a protection network segment according to the configured resource group.
• List of protected network segments: includes the client mode IPv4 network segment group, the client mode IPv6 network segment group, the gateway mode IPv4 network segment group, and the gateway mode IPv6 network segment group.
• Import and export: click the Browse button to select the file to import, then click Addition Import or Override Import to import the protection network segment information; click Export to save the current protection network segment information.

Click "Client mode IPv4 network segment group" to open the following page.

Figure 18-5 Client mode IPv4 subnet group

The parameters of the client mode IPv4 subnet group page are described as follows:

• Query protection network segment: query the protection network segment information by source IP address.
• Query result: display the query result of the protection network segment.

The client mode IPv6 network segment group, gateway mode IPv4 network segment group and gateway mode IPv6 network segment group pages have the same parameters as the "Client Mode IPv4 Network Segment Group" page.

When a mobile client accesses the IPsec VPN, the protection network segments must include the "0.0.0.0/0" segment, because of special restrictions in the mobile client's negotiation. This does not affect PC client connections: when both a detailed protection network segment and the 0.0.0.0/0 segment are configured, only the default protection network segment is pushed to the PC client.

18.1.2.4 Security proposal

The IPsec protocol suite supports a variety of encryption and authentication algorithms, and a security proposal is a collection of such algorithms. You can use the "default" security proposal when you do not know the peer's specific security proposal, or when you want to simplify the IPsec configuration.

Select Service > VPN > IPsec > IPsec VPN > Connection Configuration > Security Proposal from the navigation tree to enter the security proposal page, as shown in the following figure.

Figure 18-6 Security proposal

The security proposal page provides configuration under two cryptographic standards: security proposal configuration (international commercial cryptographic standard) and security proposal configuration (Chinese national cryptographic standard).

The parameters of the security proposal configuration (international commercial cryptographic standard) list are described as follows:

• Security proposal ID: set the security proposal ID.
• Protocol type: set the type of security protocol, AH or ESP.
  ◦ The AH (Authentication Header) protocol provides data integrity verification, anti-replay protection and other security features, typically using the MD5 and SHA1 digest algorithms.
  ◦ The ESP (Encapsulating Security Payload) protocol provides data encryption, integrity verification, anti-replay protection and other security features, typically using DES, 3DES, AES or other encryption algorithms for data encryption and MD5 or SHA1 for data integrity verification.

• SA reconsideration time: set the IKE SA and IPsec SA renegotiation interval in seconds.
• PFS DH group: set the PFS DH group, one of DH2 (1024), DH1 (768), DH5 (1536), DH14 (2048), DH15, DH16, DH19 and DH24.
• IKE security proposal: set the IKE proposal parameters: encryption algorithm, authentication algorithm and DH group.
• IPsec security proposal: set the IPsec proposal parameters: encryption algorithm and authentication algorithm.

The parameters of the security proposal configuration (Chinese national cryptographic standard) list are described as follows:

• Security proposal ID: set the security proposal ID.
• Protocol type: set the type of security protocol, AH or ESP (see the AH and ESP descriptions above).
• SA reconsideration time: set the IKE SA / IPsec SA renegotiation interval.
• IKE proposal: set the encryption algorithm, authentication algorithm and public key algorithm of the IKE proposal.
• IPsec proposal: set the encryption algorithm and authentication algorithm of the IPsec proposal.
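
The algorithm choices above decide how strong a tunnel really is. The following Python audit is an added example, not DPtech code: it rates constructed proposals built from the options this page lists (AH/ESP, DES/3DES/AES, MD5/SHA1, DH1 to DH24) against a simple strength policy of its own; the DH group sizes not printed on the page and the policy thresholds are assumptions.

```python
"""Strength audit of an IPsec security proposal (added example, not DPtech code)."""
from dataclasses import dataclass
from typing import List, Optional

# Modulus or curve size in bits for the DH groups the page lists. DH1, DH2, DH5
# and DH14 sizes are printed on the page; DH15, DH16, DH19 and DH24 use the
# standard IANA sizes (an assumption beyond the page text).
DH_GROUP_BITS = {
    "DH1": 768, "DH2": 1024, "DH5": 1536, "DH14": 2048,
    "DH15": 3072, "DH16": 4096, "DH19": 256, "DH24": 2048,
}
ECP_GROUPS = {"DH19"}             # elliptic-curve group; a 256-bit curve is strong
MIN_MODP_BITS = 2048              # this example's floor for MODP groups
MAX_SA_LIFETIME_S = 24 * 3600     # this example's ceiling for the SA lifetime
DEPRECATED_CIPHERS = {"DES", "3DES"}
DEPRECATED_HASHES = {"MD5"}


@dataclass
class Proposal:
    """One row of the security proposal list, as the page describes it."""
    proposal_id: int
    protocol: str                    # "AH" or "ESP"
    sa_lifetime_seconds: int         # "SA reconsideration time" on the page
    pfs_dh_group: Optional[str]      # None when no PFS DH group is set
    ike_encryption: str
    ike_auth: str
    ike_dh_group: str
    ipsec_encryption: Optional[str]  # AH carries no encryption
    ipsec_auth: str


def dh_group_weak(group: str) -> bool:
    """A MODP group below the policy floor is weak; an unknown group counts as weak."""
    if group in ECP_GROUPS:
        return False
    return DH_GROUP_BITS.get(group, 0) < MIN_MODP_BITS


def audit(p: Proposal) -> List[str]:
    """Return findings for a proposal; an empty list means it passes the policy."""
    findings: List[str] = []
    if p.protocol == "AH":
        findings.append("AH provides integrity only; the payload is not encrypted")
    if p.ike_encryption in DEPRECATED_CIPHERS:
        findings.append(f"IKE encryption {p.ike_encryption} is deprecated")
    if p.ike_auth in DEPRECATED_HASHES:
        findings.append(f"IKE authentication {p.ike_auth} is deprecated")
    if dh_group_weak(p.ike_dh_group):
        findings.append(f"IKE DH group {p.ike_dh_group} is below {MIN_MODP_BITS} bits")
    if p.protocol == "ESP" and p.ipsec_encryption in DEPRECATED_CIPHERS:
        findings.append(f"IPsec encryption {p.ipsec_encryption} is deprecated")
    if p.ipsec_auth in DEPRECATED_HASHES:
        findings.append(f"IPsec authentication {p.ipsec_auth} is deprecated")
    if p.pfs_dh_group is None:
        # Without PFS the IPsec SA keys are derived from the IKE SA key material.
        findings.append("no PFS DH group; IPsec keys are derived from the IKE SA")
    elif dh_group_weak(p.pfs_dh_group):
        findings.append(f"PFS DH group {p.pfs_dh_group} is below {MIN_MODP_BITS} bits")
    if p.sa_lifetime_seconds > MAX_SA_LIFETIME_S:
        findings.append("SA lifetime above 24 h; keys stay in use too long")
    return findings


# Constructed sample proposals; the values are not taken from any device.
LEGACY = Proposal(1, "ESP", 7 * 24 * 3600, None, "3DES", "MD5", "DH2", "3DES", "MD5")
HARDENED = Proposal(2, "ESP", 3600, "DH14", "AES", "SHA1", "DH14", "AES", "SHA1")

if __name__ == "__main__":
    for prop in (LEGACY, HARDENED):
        print(f"proposal {prop.proposal_id}: {audit(prop) or ['passes']}")
```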

18.1.2.5 Tunnel interface

Select Service > VPN > IPsec > IPsec VPN > Tunnel Interface from the navigation tree to enter the tunnel interface page, as shown in the following figure.

Figure 18-7 Tunnel interface

The parameters of the tunnel interface page are as follows:

• Interface number (1 ~ 511): set the number of the IPsec tunnel interface, in the range of 1 to 511.
• Interface IP: set the IP address of the IPsec tunnel interface.

• Application mode: set the application mode of the IPsec tunnel interface: gateway mode (route), point-to-multipoint mode, gateway mode (policy) or client mode (policy).
• Description: set the description of the IPsec tunnel interface.
• Operation: add or delete tunnel interface information.

18.1.3 XAuth configuration

XAuth (Extended Authentication with IKE) is a one-way authentication mechanism based on IKE that authenticates the client when a remote user accesses the network through IPsec. After the first phase of IKE negotiation is complete, the IPsec gateway sends an XAuth authentication request to the remote user, who must respond; the user can access the VPN only after passing XAuth authentication.

18.1.3.1 User information configuration

The user information configuration module provides the ability to set the Xauth parameter.

Select Service > VPN > IPsec > XAuth Configuration > User Information Configuration from the navigation tree to enter the user information configuration page, as shown in the following figure.

Figure 18-8 User information configuration

The parameters of the user information configuration page are described as follows:

• Local authentication: enable local authentication.
  ◦ Local authentication configuration: add, delete, query, import and export local authentication client information such as user name and password.
  ◦ LAN domain configuration: set the domain name, address pool start IP, address pool end IP, domain name server and WINS server.
• RADIUS authentication: enable RADIUS authentication.
  ◦ RADIUS authentication configuration: set the RADIUS server address, authentication port number, shared key, authentication packet timeout, number of retransmissions for authentication packets, whether to enable accounting (billing), the accounting update packet interval, and the number of update packet retransmissions after which the session is terminated.
• LDAP authentication: enable LDAP authentication. Set the LDAP server version number, LDAP server IP address, LDAP server port number, Base DN, administrator DN, administrator password, and user name attribute name.

18.1.3.2 Display user online

Select Service > VPN > IPsec > XAuth Configuration > Display User Online from the navigation tree to enter the display user online page, as shown in the following figure.

Figure 18-9 Display user online

The parameters of the display user online page are described as follows:

• User name: set the remote user name to be queried.
• Query: click the Query button to query online users by the set user name.
• Auto refresh: set the automatic refresh interval; the online user information is refreshed automatically.
• Manual refresh: click the Manual Refresh button to refresh the online user information manually.

18.1.4 IPsec management

The centralized management module provides functions for setting UMC parameters and
querying DPDNS domain name registration.

Select Service > VPN > IPsec > Centralized management from the navigation tree to enter the IPsec management page, as shown in the following figure.

Figure 18-10 IPsec management

The parameters of the IPsec management page are described as follows:

• Obtain a domain name from UMC: click the Obtain domain name from UMC button; the domain name obtained from UMC is displayed in the DPDNS domain name registration list.
• UMC configuration parameters:
  ◦ Start DPDNS: enable DPDNS. The device requests the IP address corresponding to the domain name from UMC, and UMC returns the information to IPsec according to the configured binding relationship.
  ◦ Preferred UMC server: set the preferred UMC server address.
  ◦ Standby UMC server: set the standby UMC server address.
• DPDNS domain name registration list:
  ◦ Local domain name: display the local domain name obtained from UMC.
  ◦ Binding interface: display the binding interface obtained from UMC.

18.1.5 Display connection

The display connection module provides the function of querying / displaying the status of the
IPsec tunnel connection.

Select Service > VPN > IPsec > XAuth Configuration > Display Connection from the navigation tree to enter the display connection page, as shown in the following figure.

Figure 18-11 Display connection

The parameters of the display connection page are as follows:

• Connection type: select the type of connection. The user can select all, the client or the gateway.
• Query item: set the query type, including connection name, local IP address and peer IP address.
• Keyword: set the keyword for the query.
• Query: click the Query button to display the corresponding IPsec tunnel connection status information in the connection display list according to the query item and keyword.
• Connection name: display the name of the IPsec tunnel.
• Remote host name: display the name of the peer device.
• Local address: display the IP address of the local device.
• Remote address: display the IP address of the peer device.
• Protected network: display the local protection network segment.
• Connection status: indicate whether the connection is normally established.
• Sending/Receiving Rate (Kbit/s): real-time rate of packets sent and received by the tunnel.
• Duration: the duration of the tunnel establishment.
• Last teardown time/teardown reason: the time of the last break and the reason for the break.
• Detail information: details of the tunnel connection.

18.2 SSL VPN

SSL (Secure Socket Layer) is a secure network communication protocol. It specifies a data security layer between the application protocol and the TCP / IP protocol, providing the TCP / IP connection with server authentication, optional client authentication, data encryption and message integrity verification, which improves the security and integrity of transmitted data.

SSL VPN combines SSL technology with VPN technology. It establishes a secure communication connection at the application layer through the SSL protocol's authentication, data encryption, message integrity verification and other mechanisms. SSL VPN is mainly used for Web-based secure remote access, and provides a security guarantee for users who remotely access the company's internal network.

18.2.1 Basic configuration

18.2.1.1 Global configuration

The global configuration module provides the function of setting SSL VPN global parameters.

Select Service > VPN > SSL VPN > Basic Configuration > Global Configuration from the navigation tree to enter the global configuration page, as shown in the following figure.

Figure 18-12 Global configuration

The parameters of the global configuration page are described as follows:

• Enable SSL VPN server: select to enable the SSL VPN server.
• Advanced configuration: set the SSL VPN parameters, including the user login port, whether to listen on port 80, the allowed access interfaces, interface binding, authentication-free configuration, whether user accounts may be shared, and whether users may change their passwords.
  ◦ User port number: the default is 6443, in the range of 1 to 65534. Configure a port number less than 32767; do not configure a well-known port number other than 443; do not use port numbers 1701, 543, 442, 6444,
  ◦ Whether to listen on port 80: listening on port 80 is disabled by default. Before enabling it, go to "Basic > System Management > Administrator > Web Access Protocol Configuration" and modify the device HTTP port to port 80. After listening is enabled, the HTTP port 80 page automatically jumps to the SSL VPN login page without the user specifying the login port.
  ◦ Allow access interface configuration: the default is All. It can be set to "custom", in which case only the selected interfaces can open the login page. If custom is selected and gige0_15 is not checked while the device IP is configured on that interface, the login page cannot be opened.

  ◦ Enable interface binding: disabled by default. When enabled, the device replies only from the interface on which the request was received, which solves multi-carrier access problems.
  ◦ Free authentication: choose between not enabling authentication-free access, enabling the authentication-free home page, or enabling the authentication-free resource group. By default, the user does not need to enter a user name and password and can open the authentication-free resource page directly. If the authentication-free login page is enabled, opening the SSL VPN login page automatically jumps to the configured Web interface.
  ◦ Allow user account to be used publicly: enabled by default. The same account can then be used from multiple IP addresses. When the number of shared logins is set, logins from further IP addresses are refused once the upper limit is reached. The number is set in the advanced configuration of "SSL VPN > User Management > User Configuration"; only then does the shared-account function take effect.
  ◦ Allow users to change the password: disabled by default, in which case the login page provides no entry for changing the password. When enabled, the resource page provides a change-password entry.
  ◦ Synchronize password when hot backup is enabled: disabled by default, in which case the master device's user passwords are not synchronized to the backup device; if an active / standby switchover occurs, the user cannot log in with the new password. Enable this function when using dual-device hot backup.
  ◦ Only allow access to VPN: disabled by default. When enabled, users who log in to the SSL VPN from Windows, Linux or Mac OS can access only VPN resources; other resources are inaccessible.
  ◦ Enable stat flux: disabled by default. When enabled, the traffic statistics report and the resource access report can be viewed through SSL VPN Report Query. The resource access report additionally requires the log function to be enabled.
  ◦ Allow kernel TCP forwarding: disabled by default. When enabled, the SSL VPN data channel can be carried over TCP port 6444. The client must be configured accordingly. Models that do not support this feature do not display it.
  ◦ SSL VPN domain name: disabled by default. When enabled, Web resource requests are handled correctly when the SSL VPN service is accessed by domain name. The main scenario is a network with two or more SSL VPN servers that are accessed by domain name, where users switch between domain names.
  ◦ Free cookie authentication: disabled by default. It is used together with the authentication-free function and the corresponding jump server. When enabled, the SSL VPN server forwards requests whose cookie matches the configured value directly. For example, if the authentication-free cookie is set to "sslvpncookie = 1", a request whose cookie carries "sslvpncookie = 1" is forwarded directly to the corresponding resource.
  ◦ Client exits when you close the browser: disabled by default, in which case closing the browser that displays the resource page does not exit the client. When enabled, closing the browser also exits the client.

  ◦ Enable UDP checksum: enabled by default. The device automatically calculates the UDP header checksum after the VPN service data is encapsulated, preventing VPN service failures caused by UDP checksum errors.
  ◦ Enable log: disabled by default. When enabled, logs such as authentication logs and resource access logs are recorded. Log information can be queried through "SSL VPN > Log Management".
  ◦ Timeout interval: the client timeout. If no resource access is detected within the timeout period, the session times out automatically. The default is 15 minutes, in the range of 1 to 7200 minutes.
  ◦ User failed login number: the maximum number of failed login attempts with the same account; when it is reached, the user is locked. The default is 3, in the range of 3 to 6.
  ◦ User unlock time: the time after which a locked user is automatically unlocked. The default is 15 minutes and can be changed in the drop-down list.
  ◦ IP failed login number: the maximum number of failed login attempts from the same source IP address; when it is reached, the IP address is locked. The default is 64 and can be changed in the drop-down list.
  ◦ IP unlock time: the time after which a locked IP address is automatically unlocked. The default is 15 minutes and can be changed in the drop-down list.
  ◦ IP lock mode: prohibit login or enable verification code. With prohibit login, the IP address cannot log in until it is unlocked. With the verification code, logins from this IP address pop up the SSL VPN login page (with verification code). The default is prohibit login.
  ◦ Service page title: the title of the SSL VPN login page and resource page. The default is Hangzhou DPtech Co., Ltd and can be modified.
  ◦ Import the company icon: the icon of the SSL VPN login page and resource page. The default is the company icon; other pictures can be imported to change it.

• Configuration items marked with "*" take effect only after the SSL VPN service is restarted; restart it by clearing and re-selecting the "Enable SSL VPN Server" check box.
• The default configuration is recommended unless there are special requirements.
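
The user and IP lockout counters above interact in ways that are easier to see on an event stream. The following Python simulation is an added example, not DPtech code: it applies the page's default thresholds (3 user failures, 64 IP failures, 15-minute unlock times, both IP lock modes) to a constructed login sequence and shows that a locked account refuses even its legitimate owner; whether a successful login resets the user counter is an assumption.

```python
"""Simulation of SSL VPN login lockout counters (added example, not DPtech code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Defaults printed on the global configuration page.
USER_FAIL_LIMIT = 3      # "User failed login number" (range 3 to 6)
USER_UNLOCK_MIN = 15     # "User unlock time", minutes
IP_FAIL_LIMIT = 64       # "IP failed login number"
IP_UNLOCK_MIN = 15       # "IP unlock time", minutes


@dataclass
class Counter:
    failures: int = 0
    locked_until: int = -1   # minute at which the lock expires; -1 means unlocked

    def locked(self, now: int) -> bool:
        return now < self.locked_until

    def record_failure(self, now: int, limit: int, lock_minutes: int) -> bool:
        """Count one failure; return True when this failure triggers the lock."""
        self.failures += 1
        if self.failures >= limit:
            self.failures = 0
            self.locked_until = now + lock_minutes
            return True
        return False


# An event is (minute, user name, source IP, whether the password was correct).
Event = Tuple[int, str, str, bool]


def process(events: List[Event], ip_lock_mode: str = "prohibit") -> List[str]:
    """Return one decision per event: allow, deny, user-locked, ip-locked or captcha."""
    users: Dict[str, Counter] = {}
    ips: Dict[str, Counter] = {}
    decisions: List[str] = []
    for now, user, ip, password_ok in events:
        u = users.setdefault(user, Counter())
        a = ips.setdefault(ip, Counter())
        if u.locked(now):
            decisions.append("user-locked")   # refused even with the right password
            continue
        if a.locked(now):
            # The page's two IP lock modes: prohibit login outright, or show the
            # login page with a verification code.
            decisions.append("ip-locked" if ip_lock_mode == "prohibit" else "captcha")
            continue
        if password_ok:
            u.failures = 0   # assumption: a successful login clears the user counter
            decisions.append("allow")
            continue
        u.record_failure(now, USER_FAIL_LIMIT, USER_UNLOCK_MIN)
        a.record_failure(now, IP_FAIL_LIMIT, IP_UNLOCK_MIN)
        decisions.append("deny")
    return decisions


# Constructed event stream; 198.51.100.0/24 is a documentation address range.
ATTACKER = "198.51.100.7"
OWNER = "198.51.100.20"
EVENTS: List[Event] = [
    (0, "alice", ATTACKER, False),
    (1, "alice", ATTACKER, False),
    (2, "alice", ATTACKER, False),   # third failure locks alice until minute 17
    (3, "alice", OWNER, True),       # the real alice is refused while locked
    (18, "alice", OWNER, True),      # lock expired: allowed
]
# Password spraying: one failure per user name never reaches the user limit, but
# the attacker's IP counter (3 above + 61 here) reaches 64 on "user61".
EVENTS += [(20 + i, f"user{i}", ATTACKER, False) for i in range(1, 63)]

if __name__ == "__main__":
    for event, decision in zip(EVENTS, process(EVENTS)):
        print(event, "->", decision)
```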

18.2.1.2 IP address pool

The IP address pool module provides the function of setting IP address pool parameters. The
address in the IP address pool will be assigned to the remote user for access to the internal
network.

Select Service > VPN > SSL VPN > Basic Configuration > IP Address Pool from the navigation tree to enter the IP address pool page, as shown in the following figure.

Figure 18-13 IP address pool

The parameters of the IP address pool page are described as follows:

• IP pool name: the name of the IP address pool. The default name is the default IP address pool.
• Description: the description of the IP address pool.
• Starting IP: the start IP address of the IP address pool.
• Ending IP: the end IP address of the IP address pool.
• Subnet mask: the subnet mask length of the addresses in the IP address pool.
• Used: display the number of times the addresses in the IP address pool are referenced.

The IP address pool page also provides file import / export: click the Browse button to select the storage path of the IP address pool configuration file, and click the Add Import button to import the configuration file from the selected path. Click the Export button to export the IP address pool configuration file.

18.2.1.3 Domain name server configuration

The Domain Name Server configuration module provides the function of setting domain name
server parameters. When a remote user logs in through a domain name, the DNS / WINS server
needs to resolve the domain name to its corresponding IP address.

Select Service > VPN > SSL VPN > Basic Configuration > Domain name server configuration from the navigation tree to enter the domain name server configuration page, as shown in the following figure.

Figure 18-14 Domain name server configuration

The parameters of the DNS domain name server configuration page are as follows:

• Primary DNS: configure the IP address of the preferred DNS server.
• Spare DNS: configure the IP address of the secondary DNS server.

18.2.1.4 License file management

The license file management module provides the function of importing a license file. The
maximum number of online users allowed by the device is 50. If the requirements cannot be met,
the user can import the license file to increase the maximum number of online users allowed.

Select Service > VPN > SSL VPN > Basic Configuration > License File Management from the navigation tree to enter the license file management page, as shown in the following figure.

Figure 18-15 License file management

The parameters of the license file management page are as follows:

• Imported license file list: display the imported license file information.
• Import License File: click the Browse button to set the storage path of the license file. Click the Import button to import the license file.

18.2.1.5 Portals management

Select Service > VPN > SSL VPN > Basic Configuration > Portals Management from the navigation tree to enter the portals management page, as shown in the following figure.

Figure 18-16 Portals management

The parameters of the portals management (interface customization) page are as follows:

• Interface template: display the template name, associated user group and access URL of the imported interface templates.
• Import the template file: click the Browse button to set the storage path of the interface template; click the Import button to import the interface template.

18.2.1.6 License management

Figure 18-17 License management

18.2.2 Resource management

18.2.2.1 Resource configuration

The resource configuration module provides the function of setting resources on the SSL VPN
gateway that correspond to the internal network server.

Select Service > VPN > SSL VPN > Resource Management > Resource Configuration from the navigation tree to enter the resource configuration page, as shown in the following figure.

Figure 18-18 Resource configuration

The parameters of the resource configuration page are described as follows:

• IP resource configuration: set the IP resource name, description, allowed access network segments and other parameters. In the "Allow access to network segment" configuration item, you can additionally restrict the protocol and port that the IP resource may use, on top of the configured IP segment.
• RDP resource configuration: set the resource name, description and internal server address of the RDP resource.
• Web resource configuration: set the resource name, description and resource address of the Web resource.
• Shortcut configuration: two kinds of shortcuts, Web shortcuts and command line shortcuts.
  ◦ Web shortcuts: set the name, description, resource link and other parameters of the Web shortcut.
  ◦ Command line shortcuts: set the name, description, command line and other parameters of the command line shortcut.
• Announcement SMS configuration: set the name, description and type of the announcement message.
• Resource group configuration: add configured resources to, or remove them from, resource groups, including IP resources, RDP resources, Web resources, Web shortcuts, command line shortcuts and public information lists.

The page also allows configuration import / export: click the Browse button to select the file to import and click the Add Import button to import the IP resource configuration into the device. Click the Export button to export the device's IP resource configuration.

18.2.2.2 Share space

The share space module provides the function of setting up files that users can download before and after login.

Select Service > VPN > SSL VPN > Resource Management > Share Space from the navigation tree to enter the share space page, as shown in the following figure.

Figure 18-19 Share space

The parameters of the share space page are as follows:

• Internal file (user can download after login): display the internal files that can be downloaded after the user logs in.
• External files (available before user login): display the external files that can be downloaded before the user logs in.
• Import file: set the internal / external file type to be imported. Click the Browse button to set the storage path of the internal / external file to be imported. Click the Import button to import the file to the device.

18.2.3 User management

18.2.3.1 User configuration

The user configuration module provides the function of setting user / user group information.

Select Service > VPN > SSL VPN > User Management > User Configuration from the navigation tree to enter the user configuration page, as shown in the following figure.

Figure 18-20 User configuration

The parameters of the user configuration page are as follows:

• User group information configuration: set the user group name, description, jump directly to resource, access resource group, IP address pool, security policy, authentication policy, number of users and other parameters.

• User information configuration: set the user name, user password, user group, advanced settings and other parameters. After the configuration is complete, this user can log in to the SSL VPN and access intranet resources.
• Browse: click the Browse button to select the storage path of the user profile.
• Additional Import: click the Add Import button to import the user information profile from the selected path.
• Export: click the Export button to export the user profile.
• Query: click the Query button to query user information according to the set query conditions.
• Delete the query result: click the Delete Query Result button to delete the queried user information.
• Delete all: click the Delete All button to delete all user information.

18.2.3.2 User status

The user status display module provides the function of displaying online user status information,
locked user information, and locked IP information.

Select Service > VPN > SSL VPN > User Management > Status Display from the navigation tree to enter the user status display page, as shown in the following figure.

Figure 18-21 User status

The status display can be refreshed in two ways:

• Select the auto refresh check box to enable automatic refresh and set the refresh interval.
• Click the Manual Refresh button to refresh the status information manually.

18.2.4 Authentication policy

The authentication policy configuration module provides the ability to set authentication policy
parameters.

Select Service > VPN > SSL VPN > Authentication Policy from the navigation tree to enter the authentication policy page, as shown in the following figure.

Figure 18-22 Authentication policy

The parameters of the authentication policy page are as follows:

• Authentication option configuration: set the policy parameters of the security login, RADIUS, LDAP, TACACS+, 4A authentication and USB-KEY options.
• Authentication combination: set parameters such as the enable status, name and option combination.

18.2.5 Log management

18.2.5.1 Log query

The log query module provides the function of querying SSL VPN logs.

Select Service > VPN > SSL VPN > Log Management > Log Query from the navigation tree to enter the log query page, as shown in the following figure.

Figure 18-23 Log query

The log query conditions are shown in the following:

• User name: set the user name of the SSL VPN log to be queried.
• IP Address: set the IP address of the SSL VPN log to be queried.
• Audit log: set the audit log type of the SSL VPN log to be queried, including all, authentication information, security information, resource information, and others.
• Time range: set the generation time range of the SSL VPN log to be queried.
• Start time: set / display the earliest generation time of the SSL VPN log to be queried.
• End Time: set / display the latest generation time of the SSL VPN log to be queried.

Click the Query button to query the SSL VPN log based on the user name / IP address / audit log / time range. Click the Export by Query button to export the SSL VPN log file.

The parameters of log query list are shown in the following:

• Serial number: display the serial number of the SSL VPN log.
• Operation time: display the generation time of the SSL VPN log.
• User name: display the user name of the SSL VPN log.
• IP Address: display the IP address of the SSL VPN log.
• Client IP: display the client IP of the SSL VPN log.
• Operation: display the operation contents of the SSL VPN log.

18.2.5.2 Log configuration

The log configuration module provides the function of setting the parameters of remote log host,
timestamp format, and save days for SSL VPN logs.

Select Service > VPN > SSL VPN > Log Management > Log Configuration from navigation
tree to enter the log configuration page, as shown in following figure.

Figure 18-24 Log configuration

The parameters of the log configuration page are shown in the following:

• IP Type: set the IP address type of the remote log host address and the local host address.
• Remote log host address: set the address of the remote log host that receives SSL VPN logs.
• Service port: set the service port number on which the remote log host receives SSL VPN logs.
• Local host address: set the local address used to send SSL VPN logs to the remote log host.
• Operation: click the add icon to add a remote log host configuration; click the delete icon to delete a remote log host configuration.
• Timestamp format: set the timestamp format of the SSL VPN log.
• Save days: choose the number of days to keep the log, including one week, two weeks, three weeks, 30 days, and custom. If you choose custom, you need to enter the number of days manually. The default is 30 days. The value ranges from 7 to 365 days.

18.2.5.3 Log manage

The log management module provides the function of saving / deleting SSL VPN logs.

Select Service > VPN > SSL VPN > Log Management > Log Manage from navigation tree to
enter the log manage page, as shown in following figure.

Figure 18-25 Log manage

18.2.6 Report query

18.2.6.1 User statistics report

The user statistics report module provides the function of displaying / exporting user group statistics.

Select Service > VPN > SSL VPN > Report Query > User statistics report from navigation
tree to enter the user statistics report page, as shown in following figure.

Figure 18-26 User statistics report

The parameters of user statistics report are shown in the following:

• Group name: display the name of the user group.
• User number: display the number of users that the user group contains.
• Export: click the Export by query button to export the user group statistics.

18.2.6.2 Traffic statistics report

The traffic statistics report module provides the function of displaying / querying / exporting user
traffic statistics.

Select Service > VPN > SSL VPN > Report Query > Traffic statistic report from navigation
tree to enter the traffic statistics report page, as shown in following figure.

Figure 18-27 Traffic statistics report

The parameters of traffic statistics report query conditions are as follows:

• User name: set the user name of the user traffic statistics to be queried.
• User IP: set the user IP address of the user traffic statistics to be queried.
• Time range: set the time range of the user traffic statistics to be queried.
• Start Time: set / display the start time of the user traffic statistics to be queried.
• End Time: set / display the end time of the user traffic statistics to be queried.

Click the Query button to query the user traffic statistics based on query conditions such as user name / user IP / time range. Click the Export by Query button to export the user traffic statistics.

The display list of the traffic statistics report is as follows:

• User Name: display the user name.
• User IP: display the user's IP address.
• Sending traffic (kb): display the amount of traffic sent by the user.
• Sending rate (kbps): display the rate at which the user sends traffic.
• Receiving traffic (kb): display the amount of traffic received by the user.
• Receiving rate (kbps): display the rate at which the user receives traffic.

18.2.6.3 Not logged user statistics report

The not logged user statistics report module provides the function of displaying / exporting /
querying offline user information.

Select Service > VPN > SSL VPN > Report Query > Not Logged User Statistics Report from
navigation tree to enter the not logged user statistics report page, as shown in following figure.

Figure 18-28 Not logged user statistics report

The parameters of not logged user statistics report page are shown in the following:

• Time range: set the time range of the not logged users to be queried.
• Start time: set / display the earliest offline time of the not logged users to be queried.
• End time: set / display the latest offline time of the not logged users to be queried.
• Query: click the Query button to query the not logged user information according to the time range. The result is displayed in the not logged user statistics list, whose parameters are described below.
• User name: display the name of the not logged user.
• User group name: display the user group to which the not logged user belongs.
• Export by query: click the Export by query button to export the not logged user information.

18.2.6.4 Online duration ordering report

The online duration ordering report module provides the function of displaying / querying / exporting the user's online duration data.

Select Service > VPN > SSL VPN > Report Query > Online Duration Ordering Report from
navigation tree to enter the online duration ordering report page, as shown in following figure.

Figure 18-29 Online duration ordering report

The query conditions for the online duration ordering report are shown in the following:

• User name: set the user name of the online duration data to be queried.
• User IP: set the user IP of the online duration data to be queried.
• Query mode: set the online duration query mode, including current online duration and total online duration.
• Time range: set the time range of the online duration data to be queried.
• Start time: set / display the start time of the online duration data to be queried.
• End time: set / display the end time of the online duration data to be queried.

Click the Query button to query the user online duration statistics according to query conditions such as user name / user IP / time range. Click the Export by Query button to export the user's online duration statistics.

The parameters of the online duration ordering report list are shown in the following:

• User name: display the user name.
• User IP: display the user's IP address.
• User group name: display the name of the user group to which the user belongs.
• Online time: display the time at which the user came online (shown when the query mode is "Current Online Time").
• Online duration: display the user's online duration (shown when the query mode is "Current Online Time").

18.2.6.5 Resource access report

The resource access report module provides the function of displaying / querying / exporting resource access data.

Select Service > VPN > SSL VPN > Report Query > Resource Access Report from
navigation tree to enter the resource access report page, as shown in following figure.

Figure 18-30 Resource access report

The resource access report query condition is described as follows:

• User name: set the user name of the resource access data to be queried.
• User IP: set the user IP of the resource access data to be queried.
• Resource type: set the resource type of the resource access data to be queried, including all resources, Web resources, and IP resources.
• Resource name: set the resource name of the resource access data to be queried.
• Time range: set the time range of the resource access data to be queried.
• Start time: set / display the start time of the resource access data to be queried.
• End time: set / display the end time of the resource access data to be queried.

Click the Query button to query the resource access data according to query conditions such as user name / user IP / resource type / resource name / time range. Click the Export by Query button to export the resource access data.

The resource list of resource access reports is as follows:

• No.: display the serial number of the resource access data.
• User name: display the user name of the resource access data.
• User IP: display the user IP address of the resource access data.
• Access time: display the access time of the resource access data.
• Resource type: display the resource type of the resource access data.
• Resource name: display the resource name of the resource access data.
• Resource address: display the resource address of the resource access data.

18.3 L2TP

18.3.1 L2TP

L2TP (Layer 2 Tunneling Protocol) is an industry standard Internet tunneling protocol. It combines the advantages of the PPTP protocol and the L2F protocol to tunnel PPP link layer packets. L2TP is the main technology of VPDN (Virtual Private Dial Network), which allows enterprise branches and traveling staff to dial in to the internal network.

Select Service > VPN > L2TP > L2TP from navigation tree to enter the L2TP page, as shown in
following figure.

Figure 18-31 L2TP

The L2TP page includes the system configuration and the dial-in policy configuration. The system configuration enables or disables the L2TP service and configures the range of the tunnel ID. The dial-in policy configuration items include policy name, tunnel template name, PPP template name, local host name, peer host name, associated domain, and so on.

18.3.2 Authentication

The L2TP user authentication module provides the function of setting domain information, user
group information, and user information.

Select Service > VPN > L2TP > L2TP Authentication from navigation tree to enter the L2TP authentication page, as shown in following figure.

Figure 18-32 L2TP authentication

Enable Online User Uniqueness Limit: after this function is enabled, online users that pass L2TP authentication are unique (the same account cannot be online more than once).

The authentication method includes local authentication and RADIUS authentication, and each mode requires different configuration. Local authentication requires user information such as user name and password. RADIUS authentication requires parameters such as the RADIUS server, source IP address, authentication port number and shared key, plus the optional accounting function and its related parameters.

18.3.3 Domain

Select Service > VPN > L2TP > L2TP Domain from navigation tree to enter the L2TP domain
page, as shown in following figure.

Figure 18-33 L2TP Domain

The parameters of L2TP domain configuration are shown in the following:

• Domain: L2TP domain name.
• Description: the description of the L2TP domain.
• Interface name: L2TP domain interface name.

18.3.4 Interface configuration

Select Service > VPN > L2TP > Interface Configuration from navigation tree to enter the
interface configuration page, as shown in following figure.

Figure 18-34 L2TP interface configuration

The parameters of the L2TP interface configuration are shown in the following:

• Interface name: L2TP interface name, in the range of 1 to 255.
• Interface address: L2TP interface address.
• Address pool start address: the start address of the address pool.
• Address pool end address: the end address of the address pool.
• Subnet mask: subnet mask of the address.
• Slot number: the slot number does not need to be configured; select none.
• DNS / DNS2: DNS server address.

18.3.5 Profile

Select Service > VPN > L2TP > Profile from navigation tree to enter the profile page, as shown
in following figure.

Figure 18-35 Profile

The profile page mainly configures the tunnel template and the PPP template.

The configuration parameters of the tunnel profile are as follows:

• Tunnel template name: name of the tunnel template.
• Tunnel authentication: whether to enable tunnel authentication.
• Tunnel key: tunnel key information.
• Hello message interval: hello message interval.
• Message timeout time: hello message timeout time.

The parameters of the PPP template configuration are shown in the following:

• PPP template name: the name of the PPP template.
• Authentication mode: PPP authentication mode, including PAP and CHAP.
• LCP live time: default is 120 seconds.
• LCP live retransmission times: default is 6 times.
• Advanced configuration: whether to enable forced local authentication or forced LCP renegotiation.

18.3.6 Online

Select Service > VPN > L2TP > Online Display from navigation tree to enter the online display
page, as shown in following figure.

Figure 18-36 L2TP online display

The parameters of the L2TP online display are shown in the following:

• Select type: display L2TP online information by tunnel or by session.
• Auto-refresh: set the interval for automatically refreshing L2TP online information and enable auto refresh.
• Refresh: click the Refresh button to manually refresh L2TP online information.
• Query items: you can query L2TP online information by local tunnel ID, remote IP, remote host name, and creation time.

18.4 PPTP

PPTP (Point-to-Point Tunneling Protocol) is a technology that supports multi-protocol virtual private networks. It uses GRE to encapsulate PPP data so that it can traverse other networks, enabling remote users to access the enterprise's private network through any ISP that supports PPTP.

The PPTP module provides the functions of enabling PPTP, configuring the PNS, and configuring user information.

Select Service > VPN > PPTP from navigation tree to enter the PPTP page, as shown in
following figure.

Figure 18-37 PPTP

The parameters of PPTP page are shown in the following:

• System configuration: click to enable the PPTP function.
• PNS configuration: set the tunnel name, PPP authentication mode, address pool range, and DNS server address.
• User configuration (configures the user information of PNS clients): set the user name and password of the remote user.

18.5 SMS authentication

The SMS authentication module provides the function of setting SMS authentication parameters, so that remote users can receive a verification code by SMS and use it to authenticate.

Select Service > VPN > SMS Authentication from navigation tree to enter the SMS
authentication page, as shown in following figure.

Figure 18-38 SMS authentication

The SMS authentication parameters are shown in the following:

• System configuration: set the content format of the authentication message.
• SMS send configuration: set the type of SMS access device and related parameters.

19 Attack Protection

19.1 Session limit

19.1.1 Session limit

IPv4 session limit: the IPv4 session limit for the source IP address.

Select Service > Attack Protection > Session Limiting > IPV4 Session Limit > Source
Address Limit to enter the source IP page, as shown in following figure.

Figure 19-1 Source address limit

The parameters of source IP session limit list page are shown in Figure 19-1.

• NO.: display the number of the IPv4 session limit rule.
• Rule name: set the name of the IPv4 session limit rule.
• Input security zone: select the source security zone, including Untrust, Trust, and DMZ. You can create it through the guide bar or through the object management page.
• Source address: select the source IP. You can create it through the guide bar or through the object management page.
• Ramp rate of create sessions: set the new session rate, in the range of 0~2147483647. Default is no limit.
• Total sessions: set the total number of sessions, in the range of 0~2147483647. Default is no limit.
• Total sessions per IP: set the sessions per IP, TCP sessions per IP and UDP sessions per IP respectively, in the range of 0~2147483647. Default is no limit.
• Action: select an action for the IPv4 session limit. The actions include packet drop, warning, and drop packet + log.
• Effective time: click the effective time list; a pop-up window is displayed in which you can select the effective time of the IPv4 session limit.
  • Always: the IPv4 session limit rule always takes effect after it is applied.
  • Per week: if you select the "Per week" radio box and configure the time period (in the format 00:00), the IPv4 session limit rule takes effect during this period every week. If you also select one or more days from the list of Monday to Sunday, you must configure the time period, and the rule takes effect during this period on the selected day or days.

19.1.2 Destination address limit

IPv4 session limit: the IPv4 session limit for the destination IP address.

Select Service > Attack Protection > Session Limiting > IPv4 session limit > Destination
Address Limit to enter the destination IP page, as shown in following figure.

Figure 19-2 Destination address limit

The parameters of destination address limit page are shown in Figure 19-3.

• NO.: display the number of the IPv4 session limit rule.
• Rule name: set the name of the IPv4 session limit rule.
• Destination security zone: select the destination security zone, including Untrust, Trust, and DMZ. You can create it through the guide bar or through the object management page.
• Destination address: select the destination IP. You can create it through the guide bar or through the object management page.
• Ramp rate of create sessions: set the new session rate, in the range of 0~2147483647. Default is no limit.
• Total Sessions: set the total number of sessions, in the range of 0~2147483647. Default is no limit.
• Total sessions per IP: set the sessions per IP, TCP sessions per IP and UDP sessions per IP respectively, in the range of 0~2147483647. Default is no limit.
  • IP session number: the total session limit per IP.
  • TCP session number: the TCP session limit per IP.
  • UDP session number: the UDP session limit per IP.
• Action: select an action for the IPv4 session limit. The actions include packet drop, warning, and drop packet + log.
• Effective time: click the effective time list; a pop-up window is displayed in which you can select the effective time of the IPv4 session limit.
  • Always: the IPv4 session limit rule always takes effect after it is applied.
  • Per week: if you select the "Per week" radio box and configure the time period (in the format 00:00), the IPv4 session limit rule takes effect during this period every week. If you also select one or more days from the list of Monday to Sunday, you must configure the time period, and the rule takes effect during this period on the selected day or days.
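The source address limit (19.1.1) and destination address limit (19.1.2) compare each new session against the same counters: new session rate, total sessions, sessions per IP (all / TCP / UDP), the rule's action and its effective time. The Python model below is an added example, not DPtech's code: it assumes the order in which the limits are checked, that 0 stands for "not limit", that every matching rule is evaluated with any drop verdict winning, and it uses constructed addresses and rule names.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set

# Actions offered by the Action field of a session limit rule.
DROP, WARNING, DROP_LOG = "packet drop", "warning", "drop packet+log"
UNLIMITED = 0  # assumption: 0 models the page's "default is not limit"


@dataclass
class SessionLimitRule:
    name: str
    key: str                              # "source" (19.1.1) or "destination" (19.1.2)
    addresses: Set[str]                   # address object the rule is bound to (constructed)
    new_session_rate: int = UNLIMITED     # new sessions per second per matched address
    total_sessions: int = UNLIMITED       # all sessions matched by the rule
    per_ip: int = UNLIMITED               # sessions per IP
    per_ip_tcp: int = UNLIMITED           # TCP sessions per IP
    per_ip_udp: int = UNLIMITED           # UDP sessions per IP
    action: str = DROP
    weekdays: Optional[Set[int]] = None   # None = "Always"; else "Per week" days, 0 = Monday
    start: str = "00:00"                  # time period in the page's 00:00 format
    end: str = "23:59"

    def in_effect(self, now: datetime) -> bool:
        """Effective time: Always, or Per week on the chosen days within the period."""
        if self.weekdays is None:
            return True
        return now.weekday() in self.weekdays and self.start <= now.strftime("%H:%M") <= self.end


class SessionLimiter:
    """Tracks the counters a session limit rule compares against (assumed model)."""

    def __init__(self, rules: List[SessionLimitRule]):
        self.rules = rules
        self.total = defaultdict(int)    # rule name -> current sessions
        self.per_ip = defaultdict(int)   # (rule, ip, "ip"|"tcp"|"udp") -> current sessions
        self.rate = defaultdict(int)     # (rule, ip, unix second) -> new sessions that second
        self.log: List[str] = []         # entries produced by warning / drop packet+log

    def _exceeded(self, rule, ip, proto, second) -> Optional[str]:
        """Name of the first limit the new session would exceed, or None."""
        proto_limit = rule.per_ip_tcp if proto == "tcp" else rule.per_ip_udp
        checks = [
            ("new session rate", rule.new_session_rate, self.rate[(rule.name, ip, second)]),
            ("total sessions", rule.total_sessions, self.total[rule.name]),
            ("sessions per IP", rule.per_ip, self.per_ip[(rule.name, ip, "ip")]),
            (f"{proto.upper()} sessions per IP", proto_limit, self.per_ip[(rule.name, ip, proto)]),
        ]
        for label, limit, current in checks:
            if limit != UNLIMITED and current >= limit:
                return label
        return None

    def _count(self, rule, ip, proto, second, delta):
        self.total[rule.name] += delta
        self.per_ip[(rule.name, ip, "ip")] += delta
        self.per_ip[(rule.name, ip, proto)] += delta
        if delta > 0:
            self.rate[(rule.name, ip, second)] += 1

    def new_session(self, src: str, dst: str, proto: str, now: datetime) -> str:
        """Evaluate a new session against every matching rule; returns "permit" or "drop".
        Assumption: all matching rules are evaluated and any drop verdict wins."""
        second = int(now.timestamp())
        verdict = "permit"
        for rule in self.rules:
            ip = src if rule.key == "source" else dst
            if ip not in rule.addresses or not rule.in_effect(now):
                continue
            label = self._exceeded(rule, ip, proto, second)
            if label is None:
                self._count(rule, ip, proto, second, +1)
                continue
            if rule.action in (WARNING, DROP_LOG):
                self.log.append(f"{rule.name}: {ip} exceeded {label} ({proto})")
            if rule.action == WARNING:
                self._count(rule, ip, proto, second, +1)  # warning only: session still admitted
            else:
                verdict = "drop"
        return verdict

    def close_session(self, src: str, dst: str, proto: str) -> None:
        """Release the counters of a previously admitted session."""
        for rule in self.rules:
            ip = src if rule.key == "source" else dst
            if ip in rule.addresses and self.per_ip[(rule.name, ip, proto)] > 0:
                self._count(rule, ip, proto, 0, -1)
```

With a constructed rule of 2 TCP sessions and 3 new sessions per second per guest address, active Monday to Friday 09:00-18:00 with drop packet+log, the third TCP session and the second UDP session of one source are dropped and logged, while the same traffic on a Saturday is not limited at all.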

19.1.3 Session limit log configuration

Select Service > Attack Protection > Session Limiting > IPv4 session limit > Service limit
log configuration to enter the service limit log configuration page, as shown in following figure.

Figure 19-3 Session limit log configuration

The parameters of session limit log configuration are shown in following:

• Log source IP: set the source IP address of the host that sends logs.
• Log source port: set the source port number of the host that sends logs.
• Log destination IP: set the destination IP address to which logs are sent.
• Log destination port: set the destination port to which logs are sent.
• Log send speed limit: set the upper limit of logs to be sent. Example: 1000 logs every 5 minutes.

19.2 DDoS protection

19.2.1 Basic protection

19.2.1.1 Basic protection

Select Service > Attack Protection > DDOS protection > Basic protection to enter the basic
protection page, as shown in following figure.

Figure 19-4 Basic protection

The basic protection page consists of TCP protection, ICMP protection, UDP protection and fragment packet protection. It allows the user to set the protection threshold for each kind of packet and to select an action for the data packets that exceed the protection threshold. At most two configuration entries can be configured for each kind of protection.

Take [Source IP, SYN] in "TCP protection" as an example:

(1) Click the checkbox of [Source IP, SYN]; you can then configure the TCP speed limit for packets with the same source IP address and the SYN flag, in the range of 0~10000000. Unit: PPS.

(2) Click the speed limit configuration item and select an action for the data packets that exceed the protection threshold. Protection actions include speed limit, observed and blocking.
• Speed limit: limit the transmission rate of data packets that exceed the protection threshold to within the protection threshold.
• Observed: generate an alarm log after the data packets exceed the protection threshold.
• Blocking: discard all data packets after they exceed the protection threshold.

19.2.1.2 Basic protection log

Select Service > Attack Protection > DDOS Protection > Basic Protection > Basic
Protection Log from navigation tree to enter the basic protection log page, as shown in
following figure.

Figure 19-5 Basic protection log

The basic protection log page records the log information of basic DDoS protection, including
type, characteristics, source IP, destination IP, rate and time. Click the <Manual Refresh> button
to refresh the log list.

19.2.2 IPv6 basic protection

19.2.2.1 IPv6 basic protection

Select Service > Attack Protection > DDOS Protection > IPv6 Basic Protection > IPv6
Basic Protection Log from navigation tree to enter the IPv6 basic protection page, as shown in
following figure.

Figure 19-6 IPv6 basic protection

The basic IPv6 protection configuration includes TCP protection, ICMP protection and UDP
protection. For the configuration method and parameter description, please refer to the "Basic
Protection Configuration" chapter.

19.2.2.2 IPv6 basic protection log

Select Service > Attack Protection > DDOS Protection > Basic Protection > IPv6 Basic
Protection Log from navigation tree to enter the IPv6 basic protection log page, as shown in
following figure.

Figure 19-7 IPv6 basic protection log

The IPv6 basic protection log page records the log information of basic DDoS protection,
including type, characteristics, source IP, destination IP, rate, and time. Click the <Manual
Refresh> button to refresh the log list.

19.2.3 SYN Flood protection

19.2.3.1 SYN Flood protection configuration

The SYN Flood protection configuration module provides the function of setting the protection threshold for SYN Flood attacks. A SYN Flood attack exploits a defect of the TCP protocol: it sends a large number of forged TCP connection requests to the destination host, exhausting the destination host's resources.

Select Service > Attack Protection > DDOS protection > SYN Flood Protection to enter the
SYN Flood protection page, as shown in following figure.

Figure 19-8 SYN Flood protection configuration

SYN Flood protection feature configuration parameter description:

• Protection threshold: set the threshold parameters that enable SYN Flood protection and trigger it.
• Global: set the protection threshold for TCP packets from the same "source IP" per second. After configuration, once the number of TCP packets from the same "source IP address" per second exceeds the threshold, the device enables SYN Flood protection for all TCP packets.
• Per source IP: set the protection threshold for TCP packets from the same "source IP address" per second. After configuration, once the number of TCP packets from the same "source IP address" per second exceeds the threshold, the device enables SYN Flood protection only for the TCP packets that exceed the threshold.
• Each destination IP: set the protection threshold for TCP packets to the same "destination IP address" per second. After configuration, once the number of TCP packets to the same "destination IP address" per second exceeds the threshold, the device enables SYN Flood protection only for the TCP packets that exceed the threshold.
• Every source IP + every destination IP: set the protection threshold for TCP packets with the same "source IP address + destination IP address" per second. After configuration, once the number of TCP packets with the same "source IP address + destination IP address" per second exceeds the threshold, the device enables SYN Flood protection only for the TCP packets that exceed the threshold.

Compared with the SYN Flood item in basic attack protection, the SYN Flood protection configuration adds source validity verification. After the SYN Flood protection threshold is reached, the validity of the source is judged first. If the source is judged to be a normal user, its IP address is added to the whitelist and packets from that source IP are allowed to pass; if the packets are judged to be attack packets, they are discarded.
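As an added example (not DPtech's implementation), the model below shows how the four threshold scopes and the source validity step interact: the Global scope switches protection on for every TCP packet in that second, the other scopes only for the packets beyond the threshold, and a protected packet is passed and its source whitelisted only if the validity judgement succeeds. The validity check is a caller-supplied function, and the per-second counting window, the return labels and the sample addresses are assumptions.

```python
from collections import defaultdict
from typing import Callable, Dict

# The four threshold scopes on the SYN Flood protection configuration page.
GLOBAL = "global"
PER_SRC = "per source IP"
PER_DST = "each destination IP"
PER_SRC_DST = "every source IP + every destination IP"


class SynFloodProtector:
    """Assumed model of the page's thresholds and source validity judgement."""

    def __init__(self, thresholds: Dict[str, int], source_is_valid: Callable[[str], bool]):
        self.thresholds = thresholds            # scope -> TCP packets per second; absent = not set
        self.source_is_valid = source_is_valid  # stand-in for the device's validity check
        self.counts = defaultdict(int)          # (scope, key, second) -> TCP packets seen
        self.whitelist = set()                  # source IPs judged to be normal users
        self.protect_all_second = None          # second in which Global protection covers all TCP

    def tcp_packet(self, src: str, dst: str, second: int) -> str:
        """Classify one TCP packet as "pass", "whitelisted" or "drop"."""
        protect = self.protect_all_second == second
        keys = [(GLOBAL, "*"), (PER_SRC, src), (PER_DST, dst), (PER_SRC_DST, (src, dst))]
        for scope, key in keys:
            self.counts[(scope, key, second)] += 1
            limit = self.thresholds.get(scope)
            if limit is not None and self.counts[(scope, key, second)] > limit:
                if scope == GLOBAL:
                    # Global: once exceeded, protection applies to ALL TCP packets.
                    self.protect_all_second = second
                # Other scopes: only the packets over the threshold are protected.
                protect = True
        if not protect:
            return "pass"
        # Source validity is judged first; a normal user is whitelisted and its packets pass.
        if src in self.whitelist or self.source_is_valid(src):
            self.whitelist.add(src)
            return "whitelisted"
        return "drop"
```

With a per-source threshold of 3 and a Global threshold of 10, a source that fails the validity check has its fourth and later packets in a second dropped, a source that passes is whitelisted from its fourth packet on, and once the eleventh TCP packet of the second arrives every further packet from unvalidated sources is dropped until the next second.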

19.2.3.2 IPv4 SYN Flood protection log

Select Service > Attack Protection > DDOS protection > SYN Flood Protection > IPv4 SYN
Flood Protection Log to enter the IPv4 SYN Flood protection log page, as shown in following
figure.

Figure 19-9 IPv4 SYN Flood protection log

The IPv4 SYN Flood protection log page records the log information of IPv4 SYN Flood
protection, including source IP, destination IP, source port, destination port, rate, attack status,
and time. Click the Manual Refresh button to refresh the log list.

19.2.4 IPv6 SYN Flood protection

19.2.4.1 IPV6 SYN Flood protection configuration

Select Service > Attack Protection > DDOS protection > IPv6 SYN Flood Protection to enter
the IPv6 SYN Flood protection page, as shown in following figure.

Figure 19-10 IPv6 SYN Flood protection configuration

19.2.4.2 IPV6 SYN Flood protection log

Select Service > Attack Protection > DDOS Protection > IPv6 SYN Flood Protection Log to
enter the IPv6 SYN Flood protection log page, as shown in following figure.

Figure 19-11 IPv6 SYN Flood protection log

19.2.5 DDoS log configuration

19.2.5.1 DDoS log configuration

Select Service > Attack Protection > DDOS protection > DDoS log configuration > DDoS
log configuration to enter the DDoS UMC log configuration page, as shown in following figure.

Figure 19-12 UMC log configuration

The parameters of DDoS log configuration are shown in following:

• Enable: enable/disable the UMC log function.
• Send log address: configure the device IP address used to send the logs.
  • IPv4 addr: the IPv4 address of the device which sends logs.
  • IPv6 addr: the IPv6 address of the device which sends logs.
• UMC server address: configure the UMC server address that receives the logs.
  • IPv4 address: the IPv4 address of the UMC server.
  • IPv6 address: the IPv6 address of the UMC server.
• Send log port: the port number used by the device to send logs. It must be consistent with the port number of the UMC server. The default is 9502.

19.2.5.2 UMC SYSLOG configuration

Select Service > Attack Protection > DDOS Protection > DDOS Log Configuration >
SYSLOG configuration to enter the SYSLOG configuration page, as shown in following figure.

Figure 19-13 SYSLOG configuration

The parameters of DDoS SYSLOG configuration page are shown in following:

• Open the SYSLOG function: click to enable the SYSLOG function.
• NO.: display the sequence number of the DDoS SYSLOG configuration list.
• Send Log addr: set the IP address used for sending logs.
• SYSLOG Server addr: set the IP address of the remote SYSLOG server.
• Server Port number (1-65535): set the service port number of the remote SYSLOG server, in the range of 1 to 65535.

19.3 User / MAC / IP binding

User / MAC / IP binding refers to binding two or more of the user, the MAC address and the IP address. It can effectively prevent unauthorized users from accessing the network and prevent users from modifying their host IP address, which would cause management inconvenience.

19.3.1 Auto-learning

Select Service > Attack Protection > MAC/IP Binding > Binding Automatic Learning from
navigation tree to enter the binding automatic learning page.

The networking mode includes two-layer networking and three-layer networking, which can be
selected according to the actual networking. The following describes the operation methods of
automatic learning in two networking modes.

19.3.1.1 Automatic learning of Layer 2 networking

(1) Select the Layer 2 networking mode.

(2) Click the OK button at the top right of the page. If it has been confirmed, this operation is not
required.

(3) Click the Start button to start automatic learning. To stop learning, click the Stop button;
this also clears the learning result.

(4) Click the View button, the learning result will be displayed in the list.

(5) Tick the check box of each learning result to keep (or tick the "option" check box to select
all) and click the <Add to MAC/IP binding table> button. The selected MAC/IP relationships are
added to the MAC/IP binding table and can be checked on the MAC/IP binding page.

(6) To export the learning results, click the <Export> button to save them to the local computer.

Select Service > Attack Protection > User/MAC/IP Binding > Auto-learning from navigation
tree to enter the auto-learning page, as shown in following figure.

Figure 19-14 Auto-learning

19.3.1.2 Layer3 network automatic learning

(1) Select the Layer3 networking mode.

(2) Click the OK button at the top right of the page. If it has been confirmed, this operation is not
required.

(3) Configure the Layer 3 gateway: the IP address of the switch (gateway) and its SNMP read
community. Multiple gateway devices can be added at the same time.

(4) Configure SNMP: the timeout and the access interval used when polling the gateway over
SNMP.

(5) Click the <Start automatic learning> button to start automatic learning. To stop learning,
click the <Stop and clear learning result> button; this also clears the learning result.

(6) Click the <View current learning result> button to display the learning result in the list.




(7) Tick the check box of each learning result to keep (or tick the "option" check box to select
all) and click the <Add to MAC/IP binding table> button. The selected MAC/IP relationships are
added to the MAC/IP binding table and can be checked on the MAC/IP binding page.

(8) To export the learning results, click the Export button to save them to the local computer.

Figure 19-15 Layer3 network automatic learning

19.3.2 MAC/IP binding

Select Service > Attack Protection > User/MAC/IP Binding > MAC/IP Binding from
navigation tree to enter the MAC/IP binding page, as shown in following figure.




Figure 19-16 MAC/IP binding

The user can allow only addresses that satisfy a MAC/IP binding relationship to pass through the
configured interface. The configuration is as follows:

(1) Enable the MAC/IP binding function.

(2) Select the interface in the interface configuration.

(3) IP addresses that should not be subject to the binding check can be added to the exception
IP address list.

(4) Manually add MAC/IP binding information: in the MAC/IP list, click the add icon to add an
entry.

(5) Configure the IP address, MAC address, valid time and description.

(6) Click the OK button at the top right of the page.

The MAC/IP binding list contains both manually added and automatically learned entries. Binding
information can be queried by IP address and MAC address. Entries can be deleted one at a time,
or all at once with the Delete All button at the top right of the page.

If "Only address specified below" is selected, only the IP addresses in the MAC/IP list can pass
through the interface, and the interface will not learn new MAC/IP binding information.
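The following Python example is added here to illustrate the binding check this page configures; it is not code from this manual or from the DPtech device. It builds a binding table from learning results (the ARP rows are constructed sample data), applies the exception list and the valid time, and shows the difference the "Only address specified below" setting makes. The manual does not say how the device treats a learned IP that is already bound to a different MAC; the example reports such conflicts instead of overwriting them, which is this example's own choice, as are the class and field names.

```python
import ipaddress
import time

# Constructed sample of what Layer 3 auto-learning collects from a gateway's ARP
# table via SNMP; these addresses are made up for this example.
LEARNED_ARP_ROWS = [
    ("192.0.2.10", "00:11:22:33:44:55"),
    ("192.0.2.11", "00-11-22-33-44-66"),
    ("192.0.2.12", "0011.2233.4477"),
]


def normalize_mac(mac):
    """Canonical lower-case colon form, accepting Cisco and Windows spellings."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class MacIpBindingTable:
    """Model of the MAC/IP binding page (hypothetical class, not device code):
    bindings with an optional valid time, an exception IP list, and the
    'Only address specified below' switch."""

    def __init__(self, only_listed=False):
        self.bindings = {}       # ip -> (mac, expiry timestamp or None)
        self.exceptions = set()  # IPs that are never subject to the check
        self.only_listed = only_listed

    def add(self, ip, mac, valid_seconds=None, now=None):
        """Manual entry: IP, MAC and optional valid time (in seconds)."""
        now = time.time() if now is None else now
        ip = str(ipaddress.ip_address(ip))
        expiry = None if valid_seconds is None else now + valid_seconds
        self.bindings[ip] = (normalize_mac(mac), expiry)

    def add_learned(self, rows, now=None):
        """'Add to MAC/IP binding table' for learning results. A learned IP that
        is already bound to a different MAC is reported, not overwritten."""
        conflicts = []
        for ip, mac in rows:
            mac = normalize_mac(mac)
            current = self.bindings.get(str(ipaddress.ip_address(ip)))
            if current is not None and current[0] != mac:
                conflicts.append((ip, current[0], mac))
                continue
            self.add(ip, mac, now=now)
        return conflicts

    def check(self, ip, mac, now=None):
        """Decide whether a frame with this source IP/MAC may pass the bound
        interface. Returns (allowed, reason)."""
        now = time.time() if now is None else now
        ip = str(ipaddress.ip_address(ip))
        mac = normalize_mac(mac)
        if ip in self.exceptions:
            return True, "exception IP"
        entry = self.bindings.get(ip)
        if entry is not None and entry[1] is not None and now > entry[1]:
            entry = None  # valid time elapsed: binding no longer enforced
        if entry is None:
            if self.only_listed:
                return False, "IP not in binding list"
            return True, "no active binding for IP"
        bound_mac = entry[0]
        if bound_mac == mac:
            return True, "binding matched"
        return False, f"MAC mismatch (bound to {bound_mac})"
```

With `only_listed=False` an unknown IP is released and only a wrong MAC for a bound IP is stopped; with `only_listed=True` every IP absent from the list (including one whose valid time has elapsed) is stopped unless it is on the exception list, which is the behaviour a practitioner usually wants on an access interface.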




19.3.3 Binding intercept log query

Select Service > Attack Protection > User/MAC/IP Binding > Binding Intercept Log Query
from navigation tree to enter the binding intercept log query page, as shown in following figure.

Figure 19-17 Binding intercept log query

The binding intercept log query page provides query, delete and export functions:

 Query time: all, the last day, the last two days, the last week, or a specified time range. Click
the Query button and the query results are displayed in the list below.
 Click the Delete button to delete the log information.
 Click the Export button to export the query results to the local computer.

19.4 Basic attack protection

19.4.1 Basic attack protection

Select Service > Attack Protection > Basic Attack Protection > Basic Attack Protection
from navigation tree to enter the basic attack protection page, as shown in following figure.

Figure 19-18 Basic attack protection

The parameters of basic attack protection page are shown in the following:




 Interval for sending log (sec): the time interval between two log sends, in the range of 1 to
1200 seconds.
 Number interval for sending log: the number of attack events accumulated between two log
sends, in the range of 1 to 100000.
 Attack type: the attack types, including LAND attacks, ping, UDP Fraggle attacks, WinNuke
attacks, ICMP Smurf attacks, and Tear Drop attacks.
 Action: the action taken for each attack type: none, alarm (log only), block, or block + log.
 Attack times: the number of attacks detected for each type.
 Clear count: click the icon to reset the attack counter.
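The following Python example is added here and is not code from this manual or the DPtech device. It classifies decoded packets (constructed sample dictionaries, not captures) into the attack types listed above using the classic definition of each attack, applies the configured action, keeps the per-type counters, and batches the protection logs by the two sending intervals; the rule that a batch goes out as soon as either interval is met is the one section 19.5 states for the same pair of parameters. Reading the manual's "ping" entry as an oversized ICMP echo (ping of death) is an assumption, as are the packet field names, the class name and the action values.

```python
import ipaddress


def overlapping_fragments(frags):
    """Tear Drop: some IP fragment begins inside the data of an earlier fragment.
    frags is a list of (byte offset, length) pairs for one datagram."""
    last_end = -1
    for offset, length in sorted(frags):
        if offset < last_end:
            return True
        last_end = offset + length
    return False


def classify(pkt, broadcast_nets):
    """Return the basic-attack name a decoded packet matches, or None.
    pkt is a dict whose field names are this example's own; the rules are the
    classic definitions of each attack, and the page's 'ping' entry is read
    here as an oversized ICMP echo (ping of death), which is an assumption."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    proto = pkt["proto"]
    to_bcast = any(dst == n.broadcast_address for n in broadcast_nets)
    if proto == "tcp" and src == dst and pkt.get("sport") == pkt.get("dport"):
        return "LAND"
    if proto == "icmp" and pkt.get("total_len", 0) > 65535:
        return "ping"
    if proto == "udp" and to_bcast and pkt.get("dport") in (7, 19):
        return "UDP Fraggle"
    if proto == "icmp" and to_bcast and pkt.get("icmp_type") == 8:
        return "ICMP Smurf"
    if proto == "tcp" and pkt.get("dport") == 139 and "URG" in pkt.get("flags", ()):
        return "WinNuke"
    if overlapping_fragments(pkt.get("fragments", [])):
        return "Tear Drop"
    return None


# Per-type actions as they would be chosen on the page (constructed values).
ACTIONS = {"LAND": "block+log", "ping": "block+log", "UDP Fraggle": "block",
           "ICMP Smurf": "block+log", "WinNuke": "alarm", "Tear Drop": "block+log"}


class BasicAttackProtection:
    """Hypothetical engine: applies the per-type action, keeps the attack
    counters, and batches logs by the two thresholds. A batch is sent as soon
    as EITHER the time interval OR the event count is reached (the reading
    section 19.5 gives for the same two parameters)."""

    def __init__(self, actions, log_interval_sec, log_count_interval, broadcast_nets):
        self.actions = actions
        self.log_interval = log_interval_sec
        self.log_count = log_count_interval
        self.nets = [ipaddress.ip_network(n) for n in broadcast_nets]
        self.attack_times = {name: 0 for name in actions}
        self.pending = []        # events waiting to be sent
        self.last_sent = None
        self.sent_batches = []   # what would have gone to the log server

    def process(self, pkt, now):
        """Return 'pass' or 'drop' for one packet."""
        kind = classify(pkt, self.nets)
        if kind is None:
            return "pass"
        self.attack_times[kind] += 1
        action = self.actions.get(kind, "none")
        if action in ("alarm", "block+log"):
            self.pending.append((now, kind, pkt["src"], pkt["dst"]))
            self._maybe_send(now)
        return "drop" if action in ("block", "block+log") else "pass"

    def _maybe_send(self, now):
        if self.last_sent is None:
            self.last_sent = now
        due_by_time = now - self.last_sent >= self.log_interval
        due_by_count = len(self.pending) >= self.log_count
        if self.pending and (due_by_time or due_by_count):
            self.sent_batches.append(list(self.pending))
            self.pending.clear()
            self.last_sent = now

    def clear_count(self, kind):
        """The page's 'Clear count' icon."""
        self.attack_times[kind] = 0
```

The broadcast networks are passed in because Smurf and Fraggle are only recognisable as attacks when the destination is a directed-broadcast address of a network behind the firewall; a practitioner would feed the firewall's own interface subnets here.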

19.4.2 Basic attack protection log query

The basic attack protection log query module provides querying and deleting of attack protection
logs.

Select Service > Attack Protection > Basic Attack Protection > Basic Attack Log Query
from navigation tree to enter the basic attack protection log query page, as shown in following
figure.

Figure 19-19 Basic attack log query

The basic attack protection log query page has two parts: query conditions and query results.
The query conditions are described as follows:

 Action type: the action type of the logs to query, blocking or alerting.
 Interface: the interface on which the attack in the logs to query was received.
 Source IP: the source IP address of the attack packet in the logs to query.
 Destination IP: the destination IP address of the attack packet in the logs to query.
 Specified time: the generation time of the logs to query.




 Start time: display / set the earliest generation time of the logs to query.
 End time: display / set the latest generation time of the logs to query.
 Export: click the Export button to export the basic attack protection log.
 Query: click the Query button to query the basic attack protection log according to the query
conditions.
 Delete: click the Delete button to delete basic attack protection logs according to the deletion
conditions.
The query results are displayed in the query result list. The parameters are as follows:

 NO.: the serial number of the log entry.
 Time: the generation time of the log entry.
 Attack type: the type of attack that caused the log entry.
 Protocol: the protocol of the attack packet that caused the log entry.
 Source IP: the source IP address of the attack packet.
 Destination IP: the destination IP address of the attack packet.
 Source port: the source port number of the attack packet.
 Destination port: the destination port number of the attack packet.
 Interface: the interface on which the attack was received.
 Action: the action taken against the attack.

19.5 Network behavior management


On this page the user selects, for each attack type, the protection action and whether a log is
sent.

Select Service > Attack Protection > Network Behavior Management from navigation tree to
enter the network behavior management page, as shown in following figure.




Figure 19-20 Network behavior management

The network behavior management page parameters are described as follows:

 Log sending interval: the interval for sending attack protection logs, for example every 300
seconds.
 Send log number interval: the number of events between two log sends, for example every
1000 entries. Note: if both the log sending interval and the number interval are configured, a log
is sent as soon as either condition is met.
 Attack type: the attack type.
 Threshold: the protection threshold for the attack type.
 Action: the protection action, block or log.
 Attack times: the number of hits for this attack type.
 Clear count: clear the attack counter.

19.6 Black list


The blacklist filters packets by their source IP address/mask. It is used to deny access to illegal
users and to stop large volumes of malicious traffic. Because the blacklist mechanism is simple,
increasing the number of blacklist entries does not have a significant impact on device
performance.

19.6.1 IPv4 black list configuration

The IPv4 blacklist configuration module provides the function of adding / removing IPv4 blacklist
entries.




Select Service > Attack Protection > Blacklist Configuration > IPv4 Black List
Configuration from navigation tree to enter the IPv4 blacklist configuration page, as shown in
following figure.

Figure 19-21 IPv4 black list configuration

Click to enable the IPv4 blacklist function. The parameters of IPv4 blacklist configuration are as
follows:

 IP Address / Mask: the source IP address/mask of the packets to be filtered.
 Remaining life time: set the lifetime of the blacklist entry; the page shows the time remaining
until the entry expires.
 Status: enable or disable filtering for the blacklist entry.
 Last configuration record: the effective time and lifetime of the last configured (valid) blacklist
entry.

19.6.2 IPv6 black list configuration

The IPv6 black list configuration module provides the function of adding / removing IPv6 blacklist
entries.

Select Service > Attack Protection > Blacklist Configuration > IPv6 Black List
Configuration from navigation tree to enter the IPv6 blacklist configuration page, as shown in
following figure.

Figure 19-22 IPv6 black list configuration

Click to enable the IPv6 blacklist function. The parameters of IPv6 blacklist configuration are as
follows:

 IP Address / Mask: the source IP address/mask of the packets to be filtered.
 Remaining life time: set the lifetime of the blacklist entry; the page shows the time remaining
until the entry expires.
 Status: enable or disable filtering for the blacklist entry.
 Last configuration record: the effective time and lifetime of the last configured (valid) blacklist
entry.

19.6.3 Black list query

The black list query module provides the function of querying IPv4 and IPv6 blacklist entries.

Select Service > Attack Protection > Blacklist Query > Blacklist Query from navigation tree
to enter the blacklist query page, as shown in following figure.

Figure 19-23 Black list query

The parameters of the black list query page are shown in the following:

 IP address / mask: display the source IP address / mask of the packet to be filtered.
 Effective time: display the time when the blacklist entry takes effect.
 Remaining time: display the remaining time for the blacklist entry to take effect.
 Cause: display the way the blacklist entries are generated.

19.6.4 Black list log query

The blacklist log query module provides the function of querying / deleting blacklist logs.

Select Service > Attack Protection > Blacklist > Blacklist Log Query from navigation tree to
enter the blacklist log query page, as shown in following figure.




Figure 19-24 Black list log query

The black list log query page has two parts: query conditions and query results. The query
conditions are described as follows:

 Cause: set the cause of the blacklist log that needs to be queried, including manual,
automatic, and aging.
 IP Address / Mask: set the source IP address / mask of the filtered packets in the blacklist
log that needs to be queried.
 Time range: set the generation time of the blacklist log that needs to be queried.
 Start time: display / set the earliest generation time of the blacklist log that needs to be
queried.
 End time: display / set the latest generation time of the blacklist log that needs to be queried.
 Export by search condition: click the Export by search condition button to export the matching
blacklist log entries to a file.
 Query: click the Query button to query the blacklist log according to the query conditions.
 Delete: click the Delete by search condition button to delete the matching blacklist log entries.
The parameters of query result are shown in the following:

 No.: display the serial number of the blacklist log.


 Time: display the generation time of the blacklist log.
 IP Address / Mask: display the source IP address / mask of the filtered packets in the
blacklist log.
 Lifetime: display the blacklist log's lifetime.
 Cause: display the cause of the blacklist log.




20 Application Security
20.1 Anti-virus
The device provides anti-virus services through an integrated professional virus signature
database and can detect viruses transmitted over protocols such as HTTP, FTP, SMTP, POP3,
IMAP, SMB and TFTP. The anti-virus module analyzes traffic in real time and automatically
detects, blocks, quarantines or redirects virus-carrying traffic.

20.1.1 Anti-virus signature management

Select Service > Application Security > Anti-Virus > Anti-Virus Signature Management from
navigation tree to enter the anti-virus signature management page, as shown in following figure.

Figure 20-1 Anti-virus signature management

The anti-virus signature management module queries virus information by different conditions:
virus ID, virus name, popularity and virus classification. After configuring the query conditions,
click the Search button and the query result is displayed in the list below. Viruses are divided
into high, medium and low levels, each shown in a different color.

You need to upgrade the AV signature database in System Management > Feature Library
page. Then the anti-virus signature page displays the virus-related information on management
page.




20.1.2 Anti-virus policy

20.1.2.1 Anti-virus policy

The anti-virus policy module configures, per virus level, the action the device takes when it
detects a virus. The actions and their descriptions are as follows:

 None: do not take any action.
 Warning: generate an anti-virus log.
 Block: block virus-carrying packets from passing through the device.
 Mail virus replacement: when the device finds a virus in a mail transfer, it replaces the
virus-carrying content and lets the mail through, so the delivered message no longer carries
the virus.
 Block + source TCP reset: block and actively reset the TCP connection towards the source.
 Block + destination TCP reset: block and actively reset the TCP connection towards the
destination.
 Block + bidirectional TCP reset: block and actively reset the TCP connection in both directions.
 Block + bidirectional TCP reset + warning page: block, reset in both directions, and, when the
virus is carried over HTTP, push the virus warning page to the user over HTTP. The warning
text is configured in the "virus warning push configuration" module.
 Mail virus replacement + block + bidirectional TCP reset: mail virus replacement, block and
bidirectional TCP reset.
 Mail virus replacement + block + bidirectional TCP reset + warning page: mail virus
replacement, block, bidirectional TCP reset and warning page.
Select Service > Application Security > Anti-Virus > Anti-Virus Policy from navigation tree to
enter the anti-virus policy page, as shown in following figure.

Figure 20-2 Anti-virus policy

The anti-virus policy module supports importing and exporting the policy configuration. The list
parameters are as follows:

 Name: the name of the anti-virus policy.




 Inbound interface: the interface on which anti-virus is applied. The default is all interfaces
and it cannot be changed; the actual scope is determined by the packet filtering policy that
references the anti-virus policy.
 High risk: actions to be taken when the device detects a virus of high risk.
 Medium risk: actions to be taken when the device detects a virus of medium risk.
 Low risk: actions to be taken when the device detects a virus of low risk.

Anti-virus policies need to be referenced in IPv4 Packet Filtering > Action> Anti-virus.

20.1.2.2 Virus warning push configuration

Select Service > Application Security > Virus Warning Push Configuration from navigation
tree to enter the virus warning push configuration page, as shown in following figure.

Figure 20-3 Virus warning push configuration

The default push information is shown above. The user can also customize the push information,
up to 128 bytes.

20.1.2.3 Virus seclusion configuration

Select Service > Application Security >Anti-Virus > Virus Seclusion Configuration from
navigation tree to enter the virus seclusion configuration page, as shown in following figure.

Figure 20-4 Virus seclusion configuration

Click Enable to start the virus quarantine mechanism. When the device detects a file carrying a
virus, it quarantines the file for later analysis. Quarantined virus files can be saved locally or
deleted.




20.1.3 Anti-virus log

20.1.3.1 Latest log

Select Service > Application Security > Anti-Virus > Anti-Virus Log > Latest Log from
navigation tree to enter the latest log page, as shown in following figure.

Figure 20-5 Latest log

The device supports automatic and manual refresh. Tick the Auto-refresh check box to turn on
automatic refresh; the interval can be 10, 30 or 60 seconds, and the default is 30 seconds. Click
the Refresh button to refresh manually. After the refresh completes, the anti-virus log entries are
displayed in the log list. Click the Export button to export the log information to the local
computer.

20.1.3.2 Anti-virus log query

Select Service > Application Security > Anti-Virus > Anti-Virus Log > Anti-Virus Log Query
from navigation tree to enter the anti-virus log query page, as shown in following figure.

Figure 20-6 Anti-virus log query

Virus log query module includes query, delete, export features.

 Configure different query conditions and click Query. The query result is displayed in the list
below.
 Click the Delete button to delete the log information.
 Click Export to export the log information locally.

20.2 IPS
The IPS module performs in-depth inspection for threats such as exploitation of system
vulnerabilities, protocol weaknesses, viruses and worms, DDoS attacks, web page tampering,
spyware, malicious attacks and traffic anomalies. Together with a high-reliability bypass design,
it meets the application-layer security protection needs of complex network environments for
high performance, high reliability and easy management.

20.2.1 IPS signature management

Select Service > Application Security > IPS > IPS Signature Management from navigation
tree to enter the IPS signature management page, as shown in following figure.

Figure 20-7 IPS signature management

The IPS signature management function queries attack signature information by different
conditions: ID, name, level, CVE number, attack method classification and attack target
classification. After configuring the query conditions, click the Search button and the query
result is displayed in the list below.

Click a CVE number link to open that CVE entry on the official CVE website, so CVE details can
be looked up directly from the device page; some links need to be opened in a new browser
window.

The one-click level setting function changes, or reverts, the level of the queried signatures in
batch.

You need to upgrade the IPS signature database in the System Management > Feature
Library page before attack signature information is displayed on the IPS signature management
page.




20.2.2 IPS rule

20.2.2.1 IPS rule

The IPS module adjusts attack defense rules to take appropriate actions on attack packets that
match the IT resources, attack types, and protocols. The types of IT resources include operating
systems, office software, applications, databases, web applications, browsers, mail servers, web
crawlers and more. Attack types include exploit classes, malicious code classes, information
gathering classes, protocol anomalies, network monitoring, denial of service, Web classes, and
more.

Select Service > Application Security > IPS Rule > IPS Rule from navigation tree to enter the
IPS rule page, as shown in following figure.

Figure 20-8 IPS rule

Configure a rule name, select the IT resources, attack types and protocols, and specify the
action for each severity level of matching attack signature. Import and export are supported. The
actions and their descriptions are as follows:

 None: do not take any action.


 Warning: generate IPS log.
 Block: block attack packets from passing through the device.
 Block + source TCP Reset: block and actively disconnecting the source TCP connection.
 Block + destination TCP Reset: block and actively disconnect the destination TCP
connection.
 Block + Bidirectional TCP Reset: block and actively disconnect the bidirectional TCP
connection.

20.2.2.2 Customized IPS signature

Select Service > Application Security > IPS Rule > Customized IPS signature from
navigation tree to enter the customized IPS signature page, as shown in following figure.




Figure 20-9 Customized IPS signature

The parameters of custom IPS signature configuration are as follows:

 Name: the name of the custom IPS signature.
 Direction: the direction of the attack packet; the options are client-to-server, server-to-client
and bidirectional.
 Parent protocol: the outer protocol that carries the attack content.
 Payload: the character string or regular expression to match in the attack packet.
 Header: header options to match, including IP options, TCP options, UDP options and ICMP
options.
 Severity level: warning, normal, serious or fatal.
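The following Python example is added here and is not code from this manual or the DPtech device's signature engine. It shows how the custom signature fields above (direction, parent protocol, payload regular expression, header options, severity level) can be applied to decoded packets, and how an IPS rule of the kind described in 20.2.2.1 then maps the severity to an action. The signatures, packet field names and rule are constructed for the example; treating header options as "all listed flags must be present" and letting the most severe matching signature decide the action are this example's own choices.

```python
import re

# Constructed custom signatures in the shape of the page's fields; the values
# are this example's own, not entries from the device's signature database.
CUSTOM_SIGNATURES = [
    {"name": "php-eval-upload", "direction": "client-to-server", "parent_protocol": "http",
     "payload": re.compile(rb"<\?php\s+eval\s*\(", re.I), "header": {}, "severity": "serious"},
    {"name": "suspicious-useragent", "direction": "client-to-server", "parent_protocol": "http",
     "payload": re.compile(rb"User-Agent:\s*sqlmap", re.I), "header": {}, "severity": "normal"},
    {"name": "tcp-urgent-probe", "direction": "bidirectional", "parent_protocol": "tcp",
     "payload": None, "header": {"tcp_flags": {"URG"}}, "severity": "warning"},
]

# An IPS rule as in 20.2.2.1: one action per severity level (constructed).
IPS_RULE = {"warning": "warning", "normal": "block",
            "serious": "block+bidirectional_reset", "fatal": "block+bidirectional_reset"}

SEVERITY_ORDER = ["warning", "normal", "serious", "fatal"]


def header_matches(sig_header, packet):
    """Every header option in the signature must be present in the packet;
    a set of flags means all of those flags are required (example's reading)."""
    for key, wanted in sig_header.items():
        have = packet.get(key)
        if isinstance(wanted, set):
            if not wanted <= set(have or ()):
                return False
        elif have != wanted:
            return False
    return True


def match_signatures(packet, signatures):
    """Return the signatures a decoded packet hits. packet is a dict with
    'direction', 'protocols' (outer-to-inner protocol names), 'tcp_flags' and
    'payload' (bytes); the field names are this example's own."""
    hits = []
    for sig in signatures:
        if sig["direction"] != "bidirectional" and sig["direction"] != packet["direction"]:
            continue
        if sig["parent_protocol"] not in packet["protocols"]:
            continue
        if not header_matches(sig["header"], packet):
            continue
        if sig["payload"] is not None and not sig["payload"].search(packet["payload"]):
            continue
        hits.append(sig)
    return hits


def decide(packet, signatures=CUSTOM_SIGNATURES, rule=IPS_RULE):
    """Apply the IPS rule: the most severe matching signature decides the
    action. Returns (action, signature name) or ('none', None)."""
    hits = match_signatures(packet, signatures)
    if not hits:
        return "none", None
    worst = max(hits, key=lambda s: SEVERITY_ORDER.index(s["severity"]))
    return rule[worst["severity"]], worst["name"]
```

Note that the direction field does real work: the same `<?php eval(` bytes in a server-to-client response do not fire a client-to-server signature, which is what keeps a signature written for upload abuse from flagging a web page that merely displays PHP source.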

20.2.3 IPS policy

20.2.3.1 Global IPS policy

The global IPS policy implements the function of device attack defense by referencing the IPS
rules.

Select Service > Application Security > IPS Rule > Global IPS Policy from navigation tree to
enter the global IPS policy page, as shown in following figure.

Figure 20-10 Global IPS policy

IPS policies need to be referenced in IPv4 Packet Filtering > Action> IPS.




20.2.3.2 IPS blacklist collaboration

Select Service > Application Security > IPS Rule > IPS Blacklist Collaboration from
navigation tree to enter the IPS blacklist collaboration page, as shown in following figure.

Figure 20-11 IPS blacklist collaboration

The device blacklists source addresses whose attack frequency is high and releases them only
after the lifetime has expired. Enable the IPS blacklist collaboration function, configure the attack
frequency and the lifetime, and click Refresh Configuration.
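The following Python example is added to illustrate both the blacklist described in section 19.6 (IPv4/IPv6 prefix entries with an effective time, a lifetime, an enable flag, and a log whose cause is manual, automatic or aging) and the IPS blacklist collaboration described here. It is not code from this manual or the DPtech device; the class names are hypothetical, and "attack frequency" is modelled as a number of IPS hits inside a sliding time window, which the manual does not define. The Refresh Configuration step has no equivalent in the example.

```python
import ipaddress
from collections import deque


class Blacklist:
    """Model of the blacklist pages (hypothetical class, not device code):
    IPv4/IPv6 source prefixes with an effective time, a lifetime (None means
    no expiry), an enable flag and a cause, plus the log those pages query."""

    def __init__(self):
        self.entries = {}  # ip_network -> {"effective", "lifetime", "enabled", "cause"}
        self.log = []      # (time, prefix, lifetime, cause): manual, automatic, aging

    def add(self, prefix, lifetime, cause, now):
        net = ipaddress.ip_network(prefix, strict=False)
        self.entries[net] = {"effective": now, "lifetime": lifetime,
                             "enabled": True, "cause": cause}
        self.log.append((now, str(net), lifetime, cause))

    def remaining(self, prefix, now):
        """'Remaining time' column: seconds left, or None for a permanent entry."""
        e = self.entries[ipaddress.ip_network(prefix, strict=False)]
        if e["lifetime"] is None:
            return None
        return max(0, e["effective"] + e["lifetime"] - now)

    def age(self, now):
        """Drop expired entries; each removal is logged with cause 'aging'."""
        for net in list(self.entries):
            if self.remaining(str(net), now) == 0:
                self.log.append((now, str(net), self.entries[net]["lifetime"], "aging"))
                del self.entries[net]

    def matches(self, src_ip, now):
        """True if a packet from src_ip would be filtered right now."""
        self.age(now)
        ip = ipaddress.ip_address(src_ip)
        return any(e["enabled"] and ip.version == net.version and ip in net
                   for net, e in self.entries.items())


class IpsBlacklistCollaboration:
    """Adds an attacker's source address to the blacklist once its attack
    frequency reaches the threshold. 'Frequency' is modelled here as IPS hits
    within a sliding window; the device's exact definition is not given."""

    def __init__(self, blacklist, attacks_per_window, window_sec, lifetime_sec):
        self.bl = blacklist
        self.threshold = attacks_per_window
        self.window = window_sec
        self.lifetime = lifetime_sec
        self.hits = {}  # src ip -> deque of hit timestamps inside the window

    def on_ips_hit(self, src_ip, now):
        """Call for every IPS alert; returns True when the source gets blacklisted."""
        q = self.hits.setdefault(src_ip, deque())
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            self.bl.add(src_ip, self.lifetime, "automatic", now)
            q.clear()
            return True
        return False
```

A single address added by the collaboration becomes a /32 (or /128) entry with cause "automatic", which is what the Cause filter on the blacklist log query page distinguishes from manual entries and from removals by aging.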

20.2.4 IPS log

20.2.4.1 Latest log

Select Service > Application Security > IPS > IPS Log > Latest Log from navigation tree to
enter the latest log page, as shown in following figure.

Figure 20-12 Latest log

Device supports automatic and manual refresh. Check the "Auto refresh" check box, turn on the
auto refresh function, the interval includes 10,30,60 seconds, the default is 30 seconds. Click
Refresh button to refresh manually. After the refresh is complete, the IPS log information is
displayed in the log list.

Click Export to export the log information locally.

20.2.4.2 IPS log query

Select Service > Application Security > IPS > IPS Log > Latest Log Query from navigation
tree to enter the IPS log query page, as shown in following figure.

Figure 20-13 IPS log query

The IPS log query module includes query, delete, export functions.

 Configure different query conditions and click Search. The search result is displayed in the
list below.
 Click the Delete button to delete the log information.
 Click Export to export the log information locally.

20.3 Access control


Access control takes different actions for different users according to the application layer
protocol or service the traffic belongs to, so that network traffic can be managed per service.
Blocking means that all traffic of the specified application is discarded; after blocking, users
cannot access that application, or can only access the unrestricted applications designated by the
administrator. The most important technology in access control is application identification;
because the characteristics of an application can change, the protocol signature library needs to
be kept up to date. Access control can be configured flexibly as needed, by IP group, network
application group and effective time.

20.3.1 Access control

By analyzing users' network access behavior, such as P2P download, instant messaging, remote
management, online games, Internet TV, proxy services and financial securities applications,
the device helps enterprises control and manage Internet use effectively.

The access control module supports import, export and delete-all functions. The configuration
parameters are as follows:

 Name: the name of the web application access control rule.


 Network application group: the system provides a variety of network applications by default,
you can directly select.
 Action: including passing and blocking. The action taken when matching the selected web
application.




 Send log: when checked, logs are sent to the UMC whose address is set in the business log
configuration module, where they can be viewed.

20.3.2 Application object

20.3.2.1 Browsing

The application browsing page shows the network applications provided by the system at three
levels, application group, application and protocol, from category to subcategory down to the
specific protocol, each level containing the ones below it. Users can drill down level by level to
find the required application and its protocol information.

20.3.2.2 User-defined application

The parameters of user-defined application configuration are shown in the following:

 Name: the name of the custom application.


 Type: fixed IP/port class or deep detection class.
 Parent protocol: the transport layer protocol that carries the application, TCP or UDP.
 Parameters: for the fixed IP/port type, configure the IP address and port number. For the deep
detection type, set the direction, character string, regular expression and other parameters.
 Reference count: the number of times a custom application is referenced.

20.3.3 URL filtering

20.3.3.1 URL classification filtering

The URL classification filtering page filters the URLs visited by users according to the URL
filtering feature library, protecting users from illegal websites.

Select Service > Application Security > Access Control > URL Classification Filtering from
navigation tree to enter the URL classification filtering page, as shown in following figure.




Figure 20-14 URL classification filtering

The URL classification filtering module configures URL filtering policies and supports importing,
exporting and deleting the configuration. Policies are configured in the list; the default action
applies to URLs that match no policy.

The parameters of URL classification filter configuration are shown in the following:

 Name: the name of the URL category filtering policy.


 Classification: custom classification, system classification and others. Custom categories are
configured in the "URL custom category" module; system categories become selectable after
the "URL category filtering signature database" has been updated.
 Action: the action taken when the policy matches, pass or block.
 Send log: when checked, logs are sent to the UMC whose address is set in the business log
configuration module, where they can be viewed.
 Push: when checked, the warning page is pushed to the user when the policy matches. The
warning text is configured in the URL Filter Push Configuration module.
 Valid time: always, or selected periods on selected days of the week.
 Disable: when checked, the filtering policy is disabled. Policies can be disabled individually or
all at once.

20.3.3.2 Custom

Select Service > Application Security >Access Control > Custom from navigation tree to
enter the custom page, as shown in following figure.

Figure 20-15 Custom

The configuration steps of URL custom classification are as follows:




(1) Configure the URL addresses in the URL list on the right of the page. Multiple entries can be
added at the same time.

(2) Click the OK button in the upper right corner of the page to complete the URL custom
classification configuration.

More custom categories can be added, and each custom category can hold multiple URL entries.
To delete a category, select its check box and click Delete. After the configuration is complete,
the custom URL information can be queried on the category overview page.

20.3.3.3 Advanced

Select Service > Application Security > Access Control > Advanced from the navigation tree to enter the advanced page, as shown in the following figure.

Figure 20-16 Advanced

The parameters of the advanced filtering configuration are as follows:

• Name: the name of the advanced URL filtering policy, less than 64 bytes.
• Filter parameters: the filter parameters matched against the URL, including the host name, a regular expression and the HTTPS host name.
• Black and white list: blacklist, whitelist or BYPASS.
  - Blacklist: traffic matching the filter parameters is blocked; unmatched traffic is released.
  - Whitelist: traffic matching the filter parameters is released; unmatched traffic is blocked.
  - BYPASS: traffic matching the filter parameters is released directly and is not processed by any subsequent DPI module.
• Send log: when checked, and the UMC address has been set in the business log configuration module, the log is sent to the UMC, where it can be viewed.
• Push: when checked, the alarm page is pushed to the user when the policy is matched. The alarm content is configured in the URL Filter Push Configuration module.
• Effective time: the policy can be set to be always valid, or only during certain periods on certain days of the week.
• Disable: when checked, the filtering policy is disabled.
• Operation: adding, deleting and inserting configuration items. For details, refer to the "Quick Start" chapter.
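The blacklist, whitelist and BYPASS semantics above, as an added example (not DPtech code) in Python: a small policy-table evaluator that matches on host name, regular expression and HTTPS host name. How the device combines several policies is not stated on the page; the first-decision-wins order used here, and all hosts and URLs, are assumptions.

```python
"""Added example (not DPtech code): evaluation logic for an advanced URL
filtering table.  A policy matches on the HTTP host name, a regular expression
over the URL, or the HTTPS host name (TLS SNI); the list type decides the outcome:
  blacklist: matched -> blocked, unmatched -> released
  whitelist: matched -> released, unmatched -> blocked
  BYPASS:    matched -> released and no further DPI processing
Policy names, hosts and URLs below are constructed sample data."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

Verdict = Tuple[str, bool, Optional[str]]   # (action, continue_dpi, policy name)


@dataclass
class AdvancedUrlPolicy:
    name: str
    list_type: str                                      # "blacklist", "whitelist" or "bypass"
    hosts: Set[str] = field(default_factory=set)        # host name filter parameter
    patterns: List[str] = field(default_factory=list)   # regular expression filter parameter
    https_hosts: Set[str] = field(default_factory=set)  # HTTPS host name filter parameter
    disabled: bool = False

    def __post_init__(self) -> None:
        # The page limits the policy name to less than 64 bytes.
        if len(self.name.encode("utf-8")) >= 64:
            raise ValueError("policy name must be less than 64 bytes")
        if self.list_type not in ("blacklist", "whitelist", "bypass"):
            raise ValueError("unknown list type")
        self._compiled = [re.compile(p) for p in self.patterns]

    def matches(self, host: Optional[str], url: Optional[str], sni: Optional[str]) -> bool:
        if host and host.lower() in self.hosts:
            return True
        if sni and sni.lower() in self.https_hosts:
            return True
        return bool(url) and any(r.search(url) for r in self._compiled)


def evaluate(policies: List[AdvancedUrlPolicy], host: Optional[str] = None,
             url: Optional[str] = None, sni: Optional[str] = None) -> Verdict:
    """Walk the policy table top-down.  Assumption (the manual does not say how
    several policies combine): the first policy that reaches a decision wins, and
    when no policy decides the traffic is released and later DPI modules still run."""
    for p in policies:
        if p.disabled:
            continue
        hit = p.matches(host, url, sni)
        if p.list_type == "blacklist" and hit:
            return ("block", False, p.name)
        if p.list_type == "whitelist":
            return ("release", True, p.name) if hit else ("block", False, p.name)
        if p.list_type == "bypass" and hit:
            return ("release", False, p.name)      # released, skips the remaining DPI
    return ("release", True, None)


# Constructed sample table: a BYPASS entry for an internal update server and a
# blacklist entry with a host name and a regular expression filter parameter.
POLICIES = [
    AdvancedUrlPolicy("bypass-updates", "bypass", https_hosts={"updates.example.internal"}),
    AdvancedUrlPolicy("block-known-bad", "blacklist",
                      hosts={"malware.example.test"},
                      patterns=[r"\.(exe|scr)(\?.*)?$"]),
]

if __name__ == "__main__":
    print(evaluate(POLICIES, sni="updates.example.internal"))
    print(evaluate(POLICIES, host="files.example.test", url="http://files.example.test/setup.exe"))
```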


20.3.3.4 Page push

Select Service > Application Security > Access Control > Page Push from the navigation tree to enter the page push page, as shown in the following figure.

Figure 20-17 Page push

The default push information is shown above; the user can also customize the push information, which is limited to 1024 bytes.

20.4 Online behavior management

20.4.1 Traffic statistic

Select Service > Application Security > Access Control > Page Push from the navigation tree to enter the page push page, as shown in the following figure.

Figure 20-18 Traffic statistic

The device supports traffic statistics by interface and by user:

• After interface traffic statistics is enabled, the device analyzes the traffic of all service interfaces.
• After user traffic statistics is enabled, the device collects traffic statistics based on the user IP addresses configured in User Groups and sends the statistics to the UMC at every interval.


To add a User Group, you need to configure an IP address object or an IP address object group in advance.

20.4.2 Behavior analysis

Select Service > Application Security > Access Control > Behavior Analysis from the navigation tree to enter the behavior analysis basic configuration page, as shown in the following figure.

Figure 20-19 Behavior analysis basic configuration

The parameters of the behavior analysis basic configuration are as follows:

• Name: the name of the audit policy.
• Audit object: the object to be audited.
• Save the details: save the audited content.

20.4.3 Advanced configuration

20.4.3.1 Advanced configuration

Select Service > Application Security > Access Control > Advanced Configuration from the navigation tree to enter the advanced configuration page, as shown in the following figure.

Figure 20-20 Advanced configuration

The parameters of the behavioral audit advanced configuration are as follows:

• Audit signature database upgrade: when audit features are changed or added, the device software version does not need to change; the audit signature database can be upgraded manually instead. When upgrading the audit signature database, its compatibility must be considered: the version number of the upgrade file must be the same as that of the current file, and the size of the upgrade file must be larger than that of the currently used version. For example, if the audit signature library currently used by the device is CAM-1.10.9-CN.dat, where 10 is the version number of the audit signature library and 9 is its size, only CAM-1.10.*-CN.dat can be used for the upgrade, and * must be greater than 9.
• Behavioral audit ordering: check to enable it. When enabled, the audited packets are sent in the order in which they entered the device.
• Application session audit: enables the session audit function. Select the protocols to be audited; the device records the session logs of the selected protocols and sends the log information to the UMC. The log information contains the 5-tuple, the application protocol and other information. The UMC displays the received log information graphically so that the originator of a network application can be queried.
• Web browsing audit configuration: select an audit mode according to the HTTP audit requirements; the number of audit logs recorded for HTTP differs between modes. The default audit level is "Record html page access", and each audit level has a corresponding description of its function; hovering the mouse over the exclamation mark shows the description.
• Smart filter: when enabled, filters out the logs generated by most pages that the user did not access directly.
• Record status code: when enabled, the HTTP audit records the status code of the web server response, and the current network quality can be judged from the status codes in the log records.
• E-mail attachment audit: when enabled, e-mail attachments are audited; it is enabled by default. The attachment size can be configured as a decimal number and cannot exceed 32M.
• Audit log MAC address acquisition: this function obtains the real source MAC address of a packet that has passed through a Layer 3 switch. Configure the IP address of the Layer 3 switch; the device reads the MAC address table of the switch through SNMP to obtain the real MAC address. The timeout period and interval for accessing the SNMP server can be modified; the defaults are 5 minutes and 15 minutes respectively.
• Keyword import and export configuration: select the character set encoding of the import and export files according to the encoding of the keywords. The default character set encoding for import and export files is GBK; UTF-8 can be configured instead.
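The signature database compatibility rule above, as an added example (not DPtech code): a checker that parses the CAM-<a>.<version>.<size>-<locale>.dat file name and accepts only a candidate with the same version number and a strictly larger size, compared numerically. The leading field and the locale suffix are not explained on the page; requiring them to be unchanged is an assumption.

```python
"""Added example (not DPtech code): decide whether an audit signature database
file may replace the installed one.  For CAM-1.10.9-CN.dat the page defines 10
as the version number and 9 as the size; the candidate must keep the version
number and have a larger size.  The leading "1" and the "CN" suffix are not
documented on the page; this checker assumes they must stay unchanged."""
import re
from typing import NamedTuple, Optional, Tuple


class AuditSigDb(NamedTuple):
    leading: int    # "1"  in CAM-1.10.9-CN.dat (meaning not documented)
    version: int    # "10" in CAM-1.10.9-CN.dat
    size: int       # "9"  in CAM-1.10.9-CN.dat
    locale: str     # "CN" in CAM-1.10.9-CN.dat


_NAME_RE = re.compile(r"^CAM-(\d+)\.(\d+)\.(\d+)-([A-Za-z]+)\.dat$")


def parse_signature_filename(filename: str) -> Optional[AuditSigDb]:
    """Return the parsed fields, or None when the name is not of the expected form."""
    m = _NAME_RE.match(filename)
    if m is None:
        return None
    leading, version, size, locale = m.groups()
    return AuditSigDb(int(leading), int(version), int(size), locale)


def can_upgrade(current: str, candidate: str) -> Tuple[bool, str]:
    """Apply the page's rule: same version number, strictly larger size.
    Sizes are compared as integers, so size 10 is newer than size 9 even though
    the string "10" sorts before "9"."""
    cur = parse_signature_filename(current)
    new = parse_signature_filename(candidate)
    if cur is None or new is None:
        return False, "file name is not in CAM-<a>.<version>.<size>-<locale>.dat form"
    if (new.leading, new.locale) != (cur.leading, cur.locale):
        return False, "leading field or locale differs (assumed incompatible)"
    if new.version != cur.version:
        return False, f"version number {new.version} differs from the current {cur.version}"
    if new.size <= cur.size:
        return False, f"size {new.size} is not larger than the current {cur.size}"
    return True, f"upgrade from size {cur.size} to {new.size} within version {cur.version}"


if __name__ == "__main__":
    for cand in ("CAM-1.10.12-CN.dat", "CAM-1.10.10-CN.dat", "CAM-1.11.1-CN.dat", "CAM-1.10.9-CN.dat"):
        print(cand, can_upgrade("CAM-1.10.9-CN.dat", cand))
```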

20.4.3.2 BBS user name custom audit

Select Service > Application Security > Access Control > BBS User Name Custom Audit from the navigation tree to enter the BBS user name custom audit page, as shown in the following figure.


Figure 20-21 BBS user name custom audit

The forum user name custom audit supports the delete all function. The configuration parameters are as follows:

• Serial number: the serial number of the configuration item.
• User name characteristics: the characteristics of the forum user name, including the start feature, the end feature and feature is cheaper.
• Forum description: the forum description information.

20.4.3.3 BBS domain name custom audit

Select Service > Application Security > Access Control > BBS Domain Name Custom Audit from the navigation tree to enter the BBS domain name custom audit page, as shown in the following figure.

Figure 20-22 BBS domain name custom audit

The forum domain name custom audit supports the import, export and delete all functions. The configuration parameters are as follows:

• Serial number: the serial number of the configuration item.
• Forum description: the forum description information.
• Forum domain name list: the forum domain names; multiple domain names can be configured, and domain names belonging to the same forum are configured in the same list.

20.4.4 Keyword filtering

20.4.4.1 Keyword filtering policy config

Select Service > Application Security > Access Control > Keyword Filtering Policy Config from the navigation tree to enter the keyword filtering policy config page, as shown in the following figure.


Figure 20-23 Keyword filtering policy config

The parameters of the keyword filtering policy configuration are as follows:

• Name: the name of the keyword filtering policy.
• Filter objects: mail, forum posting and web browsing.
• Keyword group: must be configured in advance on the "Keyword Group Configuration" page.
• Action: alarm or block; the action taken when the policy matches.
• Disable: when checked, the filtering policy is disabled. Policies can be disabled individually, or all policies can be disabled at the same time.

20.4.4.2 Keyword group config

Select Service > Application Security > Access Control > Keyword Group Config from the navigation tree to enter the keyword group config page, as shown in the following figure.

Figure 20-24 Keyword group config

The parameters of the keyword group configuration are as follows:

• No.: the automatically generated serial number of the keyword group configuration item.
• Name: the name of the keyword group.
• Keywords: the keywords in the keyword group; multiple keywords can be configured at the same time.

20.4.5 Behavior control

20.4.5.1 QQ application control

Select Service > Application Security > Access Control > QQ Application Control from the navigation tree to enter the QQ application control page, as shown in the following figure.


Figure 20-25 QQ application control

Enable the QQ filtering function and configure the whitelist and blacklist filtering accounts respectively. In whitelist mode, the whitelisted accounts are completely unblocked and all other accounts are blocked; in blacklist mode, the blacklisted accounts are blocked and all other accounts are completely unblocked.

20.4.5.2 Mail attachment restriction

Select Service > Application Security > Access Control > Mail Attachment Restriction from the navigation tree to enter the mail attachment restriction page, as shown in the following figure.

Figure 20-26 Mail attachment restriction

The mail attachment restriction feature can prohibit attachments entirely, or limit the size of the attachments that can be sent.

20.5 Bandwidth management

20.5.1 Bandwidth speed limit

Bandwidth speed limit includes user group speed limit and single user speed limit; their configuration is identical. The purpose is to limit the bandwidth of specific user applications, such as HTTP downloads, online games, online TV and P2P downloads.

20.5.1.1 User group rate limit

Select Service > Application Security > Bandwidth Management > User Group Rate Limit from the navigation tree to enter the user group rate limit page, as shown in the following figure.


Figure 20-27 User group rate limit

The user group rate limit configuration parameters are described as follows:

• Name: the name of the user group rate limit policy.
• Speed limit parameters: click the "Please set the speed limit parameters" configuration item, and the user group speed limit parameter configuration window shown in the following figure pops up. Select the network application group, configure the upstream and downstream bandwidth and their units, and click the <OK> button. Multiple entries can be added at the same time to apply different bandwidth limits to different network applications.

Figure 20-28 User group speed limit parameter configuration window

• Effective time: the policy can be set to be always valid, or only during certain periods on certain days of the week.
• Disable: when checked, the policy is disabled. Policies can be disabled individually, or all policies can be disabled at the same time.
• Operation: adding, deleting and inserting configuration items. For details, refer to the "Quick Start" chapter.


User group rate limit needs to be referenced in "IPv4 Packet Filtering Policy>Actions>Advanced
Security Services>User Group Rate Limit".

20.5.1.2 Single user limit

Select Service > Application Security > Bandwidth Management > Single User Limit from the navigation tree to enter the single user limit page, as shown in the following figure.

Figure 20-29 Single user limit

The configuration method of the single user rate limit is exactly the same as that of the user group rate limit and is not repeated here.

Single user rate limit needs to be referenced in "IPv4 packet filtering policy> Actions> Advanced
security services> Per IP rate limit".

20.5.2 QoS basic setting

QoS basic configuration: by configuring a bandwidth guarantee policy, you can ensure that the basic Internet access of different users is not affected while bandwidth is limited.

20.5.2.1 Basic setting

Select Service > Application Security > Access Control > QoS from the navigation tree to enter the QoS basic setting page, as shown in the following figure.

Figure 20-30 Basic setting

The parameters of the bandwidth guarantee basic setting are as follows:

• Name: the name of the basic bandwidth guarantee policy.
• Device interface: the device interface to which the bandwidth guarantee policy applies.
• Upstream bandwidth: the maximum guaranteed uplink bandwidth.
• Downstream bandwidth: the maximum guaranteed downlink bandwidth.
• Bandwidth units: Kbps, Mbps or Gbps.
• Group bandwidth reservation: whether to reserve guaranteed bandwidth for user groups.
• Single user bandwidth reservation: whether to reserve guaranteed bandwidth for a single user.
• Operation: adding, deleting and inserting configuration items. For details, refer to the "Quick Start" chapter.

20.5.2.2 User group bandwidth guarantee

User group bandwidth guarantee provides bandwidth guarantee for different applications of
different user groups based on the basic bandwidth guarantee settings. Before configuring the
user group bandwidth guarantee, you need to configure the device interface bandwidth in the
bandwidth guarantee basic settings.

Select Service > Application Security > Access Control > QoS > User Group Bandwidth Guarantee from the navigation tree to enter the user group bandwidth guarantee page, as shown in the following figure.

Figure 20-31 User group bandwidth guarantee

The user group bandwidth guarantee parameters are described as follows:

• Name: the name of the user group bandwidth guarantee policy.
• Device interface group: select the name of a configured basic bandwidth guarantee policy. Hover the mouse over the option to view the interface bandwidth information.
• User group: to add a user group, the IP address object or IP address object group must be configured in advance.
• Guaranteed rate setting: click the "Please set the guaranteed rate parameter" configuration item, and the user group bandwidth guaranteed rate setting window shown in the following figure pops up. Select the network application group, configure the guaranteed uplink and downlink rates, the maximum rate and the unit, and click the <OK> button.
• Effective time: the policy can be set to be always valid, or only during certain periods on certain days of the week.
• Disable: when checked, the policy is disabled. Policies can be disabled individually, or all policies can be disabled at the same time.
• Operation: adding, deleting and inserting configuration items. For details, refer to the "Quick Start" chapter.

20.5.2.3 Single user bandwidth guarantee

Select Service > Application Security > Access Control > QoS > Single User Bandwidth Guarantee from the navigation tree to enter the single user bandwidth guarantee page, as shown in the following figure.

Figure 20-32 Single user bandwidth guarantee

The configuration method of single-user bandwidth guarantee is exactly the same as that of user
group bandwidth guarantee, and will not be repeated here.

20.6 IDS collaboration log


In a network where the FW device is deployed together with an IDS device, when the IDS device detects an attack it can send the source/destination IP address of the attack to the FW device. The FW device blocks traffic based on that source/destination IP, and the result is displayed in the IDS collaboration log.

Select Service > Application Security > IDS Collaboration Log from the navigation tree to enter the IDS collaboration log page, as shown in the following figure.

Figure 20-33 IDS collaboration log


21 Link Load Balancing


21.1 Introduction
In modern life and work, people have become increasingly dependent on the network. To avoid the risk of network unavailability and failure, and to solve the access problems caused by insufficient bandwidth, network customers generally lease links from two or more operators (for example China Telecom, China Mobile and China Unicom). How to make reasonable use of the links of multiple operators has become an urgent issue: link resources should not be wasted, and the operator links should serve customers better. Traditional routing can solve this problem to a certain extent, but it is not easy to configure and not flexible enough to adapt to changes in the network structure; packets cannot be distributed according to the actual condition of the links, and users cannot take full advantage of them. Load balancing, using static and dynamic algorithms, balances the load across multiple links. Its configuration is very simple and it solves the above problems better.

Link load balancing is a technology that improves network connectivity and link availability by connecting the intranet to external networks over multiple links. It is divided into outbound load balancing and inbound load balancing.

• Outbound load balancing: when several operator links are connected, the device selects the optimal link for outgoing packets according to their destination IP address and the load balancing rules, so that internal network users access the external network through the links of different carriers. If one operator link fails, the network users can still access the external network through the other carrier links. Outbound load balancing provides link backup and improves the reliability of communication.
• Inbound load balancing: when an external network user accesses an intranet server, the device performs domain name resolution based on the DNS request from the external network and the inbound load balancing rules, and sends a DNS response to the external network so that the external user selects the correct link to access the internal network server. Inbound load balancing avoids excessive concentration of inbound traffic on one link and improves the stability of network traffic.

21.1.1 Basic concepts

• Link
  In load balancing, a link usually refers to an Internet access line provided by an operator. In the application delivery device, a link is described by several attributes, mainly its bandwidth, its operator, and its status and quality (packet loss, delay and so on), which together describe the Internet access capability and access quality the link provides.
• Link scheduling policy
  The link scheduling policy lets the user freely control the direction of traffic, maximizing reasonable utilization of the links. The application delivery device supports steering traffic by operator, link overload protection, and steering by source address, inbound interface and application type, so that links of every kind are fully utilized and traffic quality is optimized.
• Link health monitoring
  Link health monitoring means that the application delivery device probes a remote device or server through a specified link. Depending on the detection method (TCP, ICMP, etc.) it determines whether the current link is available; if the current link has failed, traffic is redirected to other normal links.
• Link session keep
  When multiple links are connected to the application delivery device, the source NAT function must be configured for each link. When an intranet user uses an application, the application initiates multiple requests; if these requests are scheduled to different link exits, a different source address is selected for each, which is likely to cause the application to fail. Therefore the link session is kept by the requested source + destination IP, so that the multiple requests of an application remain on the same link and the application does not fail in a multi-link source NAT environment.

21.1.2 Basic scheduling strategy

1. Scheduling based on link bandwidth thresholds

When the actual traffic of a link exceeds the configured bandwidth multiplied by the threshold (a percentage), the application delivery device no longer schedules new requests (except those of already established sessions) to that link, so that its traffic drops steadily and slowly; when the traffic falls back below the threshold, traffic is again allowed to be scheduled to this link.

2. Scheduling based on link quality / status

When health monitoring is configured for a link, the application delivery device uses the health monitoring results: over the configured number of detections it calculates the average link delay and packet loss rate, and when either of the two exceeds its configured threshold the device determines that the link has failed and dispatches traffic to other normal links.

When health monitoring finds that several consecutive probes cannot pass, the link is also considered failed and traffic is rescheduled. When the physical interface is unplugged or the administrator shuts the interface down through the configuration, the device likewise redirects the traffic.

3. Scheduling based on static and dynamic proximity

Static proximity means that the application delivery device has a built-in, up-to-date network segment table for China Telecom, China Unicom, China Mobile, the education network and other operators, which can be updated automatically through a remote connection. Through static network segment matching, user traffic to China Telecom addresses takes the China Telecom link and traffic to China Unicom addresses takes the China Unicom link, so that this optimal static matching gives a good network experience.

Dynamic proximity means that the application delivery device actively probes a destination address from each link, measuring delay, packet loss rate and other parameters, and uses a link quality assessment algorithm to select the best exit link for that destination address among the multiple links; traffic to that destination address is then directed to that link.

4. Domain-based scheduling

The application delivery device can direct all traffic corresponding to a domain name (such as www.dptechnology.com) to a specified link. If the domain name in a reply packet is the same as a domain name specified on the device, the device extracts the IP address corresponding to that domain name from the packet and creates a destination IP address entry for it. When the destination IP address of a subsequent connection matches the IP address entry, the connection is forwarded through the specified link, implementing the domain name steering function.
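The scheduling rules of 21.1.1 and 21.1.2, as an added example (not DPtech code): a model scheduler that applies bandwidth thresholds, health status, static proximity from an operator segment table, weighted selection and link session keep. The links, addresses, operator segments and the lowest assigned/weight selection rule are constructed assumptions, not device internals.

```python
"""Added example (not DPtech code): a small model of the egress link scheduling
rules: links over their bandwidth threshold or failed by health monitoring get
no new sessions, existing sessions stay on their link (link session keep, keyed
by source + destination IP), a destination whose operator is known from the
static network segment table prefers that operator's link (static proximity),
and the remaining choice is weighted.  The weighted rule (lowest assigned/weight
ratio) and every address, link and segment below are constructed assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Link:
    name: str
    isp: str
    bandwidth_mbps: float      # configured link bandwidth (1~100000 Mbps on the page)
    threshold_pct: float       # bandwidth threshold, in percent of the bandwidth
    weight: int = 1            # higher weight -> larger share of scheduled traffic
    healthy: bool = True       # current result of link health monitoring
    current_mbps: float = 0.0  # actual traffic currently measured on the link
    assigned: int = 0          # new sessions scheduled here (for the weighted choice)

    def over_threshold(self) -> bool:
        return self.current_mbps > self.bandwidth_mbps * self.threshold_pct / 100.0


# Constructed static-proximity table: operator -> network segments (documentation ranges)
ISP_SEGMENTS = {
    "telecom": [ipaddress.ip_network("203.0.113.0/24")],
    "unicom": [ipaddress.ip_network("198.51.100.0/24")],
}


def isp_of(ip: str) -> Optional[str]:
    """Look an address up in the segment table; None means the query is empty."""
    addr = ipaddress.ip_address(ip)
    for isp, nets in ISP_SEGMENTS.items():
        if any(addr in net for net in nets):
            return isp
    return None


class LinkScheduler:
    def __init__(self, links: List[Link]) -> None:
        self.links = links
        self.sessions: Dict[Tuple[str, str], str] = {}   # (src, dst) -> link name

    def candidates(self) -> List[Link]:
        """Links that may receive new requests: healthy and under their threshold."""
        return [l for l in self.links if l.healthy and not l.over_threshold()]

    def pick(self, src: str, dst: str) -> Optional[str]:
        """Return the link name for a connection from src to dst, or None."""
        key = (src, dst)
        if key in self.sessions:           # hit session: it keeps its link
            return self.sessions[key]
        pool = self.candidates()
        if not pool:
            return None                    # no usable egress link
        same_isp = [l for l in pool if l.isp == isp_of(dst)]
        if same_isp:                       # static proximity: prefer the owner's link
            pool = same_isp
        chosen = min(pool, key=lambda l: l.assigned / l.weight)   # weighted, ties -> first
        chosen.assigned += 1
        self.sessions[key] = chosen.name
        return chosen.name


if __name__ == "__main__":
    s = LinkScheduler([Link("telecom-1", "telecom", 100, 80, weight=3),
                       Link("unicom-1", "unicom", 100, 80, weight=1)])
    print(s.pick("10.0.0.1", "203.0.113.10"), s.pick("10.0.0.1", "198.51.100.10"))
```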

21.1.3 Link configuration

Select Service > Link LB > Link Configuration > Link Configuration from the navigation tree to enter the link configuration page, as shown in the following figure.

Figure 21-1 Link configuration

The parameters of the link configuration page are as follows:

• Name: display / set the name of the link.
• Interface: display / set the device interface connected to the external network link.
• Type: display / set the type of link, either egress link or observing link. An egress link takes part in link load balancing, in both the outbound and inbound directions; an observing link does not take part in link scheduling and only gathers link traffic statistics and link health check results.
• Gateway: set the gateway address (next hop address) of the link.
• ISP: display / set the operator to which the egress link belongs.
• Basic: set the bandwidth, bandwidth threshold, weight and priority of the egress link.
  - Bandwidth: display/set the bandwidth of the egress link. The value range is 1~100000Mbps.
  - Bandwidth threshold: display/set the bandwidth threshold of the egress link.
  - Weight: display/set the weight of the egress link when it is scheduled within its group. The greater the weight, the greater the proportion of traffic scheduled to it.
  - Priority: display/set the priority of the egress link.
• Health monitoring: select the monitoring to apply to the link from the candidate box (the monitored links can be configured in the link health check).
• Advanced configuration: set whether to enable the default route and the time-specific bandwidth threshold control function.
  - Default route: set whether the egress link uses the default route. When the link "Owner" is "None", this is forced on. After configuration, the default route of the egress link is displayed in the routing table, and the device allows this link to receive traffic from other operators.
  - Specific time bandwidth threshold control: set the bandwidth threshold of the egress link for a specific time period.
• Browse: click the Browse button to set the path of the link load balancing configuration file to be imported.
• Additional Import: click the Add Import button to import the configuration file without overwriting the original configuration.
• Override Import: click the Overwrite Import button to import the configuration file and overwrite the original configuration.
• Export: click the Export button to export the configuration file.

21.1.4 Link information preview

Select Service > Link LB > Link Configuration > Link Information Preview from the navigation tree to enter the link information preview page, as shown in the following figure.


Figure 21-2 Link information preview

The parameters of the link information preview page are as follows:

• Link name (type): display the name and type of the link.
• Link interface: display the device interface connected to the external network link.
• Send traffic: display the traffic in the outbound direction of the link.
• Receive traffic: display the traffic in the inbound direction of the link.
• Delay time (ms): display the delay measured by the link health check.
• Packet loss rate (%): display the packet loss rate measured by the link health check.
• Passed number/total number of monitoring targets: display the number of monitoring targets that passed the link health check and the total number of targets.
• Link status: display the status of the link, either "up" or "down".

21.2 Health monitoring

21.2.1 Health monitoring

The health monitoring module provides the function of setting link health monitoring parameters.

Select Service > Link LB > Link Configuration > Link Information Preview from the navigation tree to enter the health monitoring page, as shown in the following figure.

Figure 21-3 Health monitoring


The parameters of the health monitoring page are as follows:

• No.: the automatically generated serial number of the health monitoring strategy.
• Name: the name of the health monitoring strategy.
• Type: the protocol used for health monitoring; TCP and ICMP are supported. Mandatory; the default is TCP.
• Port: the port used for health monitoring; the default is 80. A port must be configured when the protocol is TCP.
• Monitoring target: the destination IP address(es) of the health monitoring. In the pop-up window, configured IP addresses can be added and removed directly, or new targets can be created from the pop-up window and the "Monitored object" page.
• Timeout: display / set the maximum allowed interval between sending a health monitoring probe and receiving its response. The value ranges from 1 to 3600 seconds; the default is 3 seconds.
• Interval: the interval between successive rounds of detection. Mandatory; the default is 15 seconds, and the range is 1 to 3600 seconds. The monitoring interval must be greater than the timeout.
• Retry times: a quick and efficient way of controlling the state of a target. When the number of consecutive failures of a detection target is greater than the number of retries, the detection target is judged to have failed. Mandatory; the default is 3, and the range is 1~30.
• Results range: for each monitoring target, the statistics are taken over its most recent N test results. Mandatory; the default is 10, and the range is 1 to 30. This set of results is used to calculate the link packet loss rate and delay and whether the target passed; the delay and packet loss rate are the averages of the multiple results within the statistical range.
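How the parameters above turn individual probe results into per-target pass/fail state and per-link delay, packet loss rate and up/down status, as an added example (not DPtech code). Combining per-target figures into link figures by plain averaging, and the delay and loss thresholds passed to link_summary, are assumptions.

```python
"""Added example (not DPtech code): health monitoring parameters (timeout,
interval, retry times, results range) applied to a stream of probe results.
Per target: a sliding window of the most recent N results gives the packet loss
rate and average delay, and more than retry_times consecutive failures marks the
target as failed.  Per link: averages over the targets and an up/down verdict.
The link-level combination and the thresholds are assumptions, not device rules."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional


@dataclass
class HealthMonitor:
    """Strategy parameters with the page's defaults and value ranges."""
    timeout_s: float = 3.0
    interval_s: float = 15.0
    retry_times: int = 3
    results_range: int = 10

    def __post_init__(self) -> None:
        if not (1 <= self.timeout_s <= 3600 and 1 <= self.interval_s <= 3600):
            raise ValueError("timeout and interval must be 1~3600 seconds")
        if not (1 <= self.retry_times <= 30 and 1 <= self.results_range <= 30):
            raise ValueError("retry times and results range must be 1~30")
        if self.interval_s <= self.timeout_s:
            raise ValueError("the monitoring interval must be greater than the timeout")


class TargetState:
    """Sliding window of the most recent N probe results for one monitoring target."""

    def __init__(self, monitor: HealthMonitor) -> None:
        self.monitor = monitor
        self.results: Deque[Optional[float]] = deque(maxlen=monitor.results_range)
        self.consecutive_failures = 0

    def record(self, delay_ms: Optional[float]) -> None:
        """delay_ms is the probe round-trip time; None means no reply at all."""
        if delay_ms is not None and delay_ms > self.monitor.timeout_s * 1000:
            delay_ms = None                      # a reply after the timeout counts as a failure
        self.results.append(delay_ms)
        self.consecutive_failures = 0 if delay_ms is not None else self.consecutive_failures + 1

    def passed(self) -> bool:
        # Failed once the consecutive failures exceed the retry count
        return self.consecutive_failures <= self.monitor.retry_times

    def loss_rate(self) -> float:
        if not self.results:
            return 0.0
        return 100.0 * sum(r is None for r in self.results) / len(self.results)

    def avg_delay(self) -> Optional[float]:
        ok = [r for r in self.results if r is not None]
        return sum(ok) / len(ok) if ok else None


def link_summary(targets: List[TargetState], max_delay_ms: float,
                 max_loss_pct: float) -> Dict[str, object]:
    """Combine target states into link-level figures.  Assumed rule: the link is
    down when every target failed, or when its average delay or loss rate exceeds
    the given threshold (the page mentions thresholds but not their values)."""
    passed = sum(t.passed() for t in targets)
    losses = [t.loss_rate() for t in targets]
    delays = [d for d in (t.avg_delay() for t in targets) if d is not None]
    loss = sum(losses) / len(losses) if losses else 0.0
    delay = sum(delays) / len(delays) if delays else None
    down = passed == 0 or loss > max_loss_pct or (delay is not None and delay > max_delay_ms)
    return {"passed": passed, "total": len(targets), "loss_pct": loss,
            "delay_ms": delay, "status": "down" if down else "up"}


if __name__ == "__main__":
    t = TargetState(HealthMonitor())
    for r in (20.0, 30.0, None, 40.0):      # constructed probe results, None = timeout
        t.record(r)
    print(t.passed(), t.loss_rate(), t.avg_delay())
    print(link_summary([t], max_delay_ms=200.0, max_loss_pct=50.0))
```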

21.2.2 Monitored object

Select Service > Link LB > Monitored Object from the navigation tree to enter the monitored object page, as shown in the following figure.

Figure 21-4 Monitored object

The parameters of the monitored object page are as follows:

• No.: the automatically generated serial number of the detection target.
• IP address: the IP address of the monitoring target.
• Domain name: the domain name of the monitoring target.

The IP address obtained by resolving the domain name is monitored in preference. If no domain name is configured, or the domain name cannot be resolved, the configured IP address is used for monitoring.

21.3 ISP
Select Service > Link LB > ISP from navigation tree to enter the ISP page. Enter an IP address
in the information query on the right side of the page to find out which operator the address
belongs to. If the IP address is not in any operator's network segment table, the query result is
empty.

The system has predefined network segment tables for four operators: China Telecom, China
Unicom, China Mobile and China Education Network. Users can import and export a network
segment table, or add, delete and insert network segment entries in an existing table. Taking
China Telecom as an example, the operator network segment table is shown in the following
figure.

Figure 21-5 ISP

Click the Add button, and the "New ISP" submenu item appears under the "ISP" menu item.
Enter the name of the ISP and click the OK button. The page then displays the network segment
configuration of this operator. You can configure the network segment information manually, or
import and export it.

22 IPv6 Transition Technology
22.1 NAT64

22.1.1 Prefix Configuration

Select Service > IPv6 Transition Technology > NAT64 > Prefix from navigation tree to enter
the prefix configuration page, as shown in the following figure.

Figure 22-1 Prefix configuration

The parameters of the prefix configuration are described as follows:

 Serial number: display the serial number of the IPv6 prefix configuration.
 IPv6 prefix: set the prefix of the IPv6 address.
 IPv6 prefix length: set the mask length corresponding to the IPv6 address prefix.
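The prefix and prefix length together determine where the 32 bits of an IPv4 address are placed inside a synthesised IPv6 address. The Python below is an added example (not DPtech code; it assumes the device follows the RFC 6052 layout, which defines the placement for prefix lengths 32, 40, 48, 56, 64 and 96 and reserves bits 64 to 71 as a zero octet). It embeds an IPv4 address under a prefix and extracts it again; the prefixes and addresses used, including the well-known prefix 64:ff9b::/96 and documentation ranges, are chosen for illustration.

```python
import ipaddress

# Prefix lengths for which RFC 6052 defines where the IPv4 bits sit.
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)
U_OCTET = 8  # bits 64..71 of an IPv4-embedded address are reserved and must be zero


def _network(prefix: str, prefix_len: int) -> ipaddress.IPv6Network:
    if prefix_len not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"unsupported NAT64 prefix length {prefix_len}")
    return ipaddress.IPv6Network(f"{prefix}/{prefix_len}", strict=False)


def embed_ipv4(prefix: str, prefix_len: int, ipv4: str) -> ipaddress.IPv6Address:
    """Synthesise the IPv6 address that represents `ipv4` under the given prefix."""
    net = _network(prefix, prefix_len)
    out = bytearray(net.network_address.packed)  # prefix bits, everything else zero
    pos = prefix_len // 8
    for octet in ipaddress.IPv4Address(ipv4).packed:
        if pos == U_OCTET:
            pos += 1                                # hop over the reserved octet
        out[pos] = octet
        pos += 1
    return ipaddress.IPv6Address(bytes(out))


def extract_ipv4(prefix: str, prefix_len: int, ipv6: str) -> ipaddress.IPv4Address:
    """Recover the embedded IPv4 address; raises if the address lacks the prefix."""
    net = _network(prefix, prefix_len)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{ipv6} does not carry the NAT64 prefix {net}")
    raw = addr.packed
    if prefix_len < 96 and raw[U_OCTET] != 0:
        raise ValueError("reserved octet is non-zero; not a valid embedded address")
    pos = prefix_len // 8
    v4 = bytearray()
    while len(v4) < 4:
        if pos == U_OCTET:
            pos += 1
        v4.append(raw[pos])
        pos += 1
    return ipaddress.IPv4Address(bytes(v4))


if __name__ == "__main__":
    # Documentation prefixes and addresses, chosen for illustration.
    for prefix, plen in (("64:ff9b::", 96), ("2001:db8::", 32), ("2001:db8:1:2::", 64)):
        v6 = embed_ipv4(prefix, plen, "192.0.2.33")
        print(f"{prefix}/{plen}: 192.0.2.33 -> {v6} -> {extract_ipv4(prefix, plen, str(v6))}")
```

A prefix length of 96 gives the simplest mapping (the IPv4 address is the last four octets), which is why it is the usual choice; the shorter lengths exist so that the prefix can be carved from an operator's own allocation. Whatever length is configured here must match what the IPv6 clients' DNS64 resolver synthesises, or the resulting traffic will never reach the NAT64 policy.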

22.1.2 NAT64 address

Select Service > IPv6 Transition Technology > NAT64 > NAT64 Address from navigation tree
to enter the NAT64 address page, as shown in the following figure.

Figure 22-2 NAT64 address

The parameters of the NAT64 address configuration list are described as follows:

 Serial number: Display the serial number of the NAT64 policy.
 Name: Set the name of the NAT64 policy.
 Outgoing interface: Set the outgoing interface of packets to which the NAT64 policy applies.
 Source IPv6 address of the initiator: Set the source IPv6 address of the initiator to which the
NAT64 policy applies.
 Service: Set the service type and parameters to which the NAT64 policy applies.
 Public network IP address (pool): Set the public network IPv4 address and parameters to
which the source IPv6 address of the initiator is mapped when the NAT64 policy applies, as
shown in the following figure.

Figure 22-3 Public IP address (pool)

 Borrow outgoing interface address: After selection, the public network address is the
outgoing interface address.

 Select an existing address pool: select an existing address pool rule. After selecting it in
the left frame, click the Add button; the selected address pool rule is then displayed on
the right. Removal works the other way round.
 Associate VRRP: Set whether to associate VRRP.

22.1.3 NAT-PT configuration

Select Service > IPv6 Transition Technology > NAT64 > NAT-PT translation configuration
from navigation tree to enter the NAT-PT configuration page, as shown in the following figure.

Figure 22-4 NAT-PT configuration

The parameters of the NAT-PT configuration list are described as follows:

 Serial number: Display the serial number of the NAT-PT policy.
 Name: Set the name of the NAT-PT policy.
 Inbound interface: Set the inbound interface of the packets to which the NAT-PT policy
applies.
 Conversion type: either 4to6 or 6to4.
 Initiator destination address: Set the destination IPv6 address of the initiator to which the
NAT-PT policy applies.
 Service: Set the service type and parameters to which the NAT-PT policy applies.
 Source address after conversion: there are two cases.
1) For 4to6 conversion, the source address after conversion can use a self-defined prefix or
an IPv6 address pool.

Figure 22-5 Source address after conversion-1

2) For 6to4 conversion, the source address after conversion must use an IPv4 address pool.

Figure 22-6 Source address after conversion-2

 Translated destination address: the destination address of the packet after NAT-PT policy
translation.
 Advanced configuration: Set whether the NAT-PT policy performs destination port
translation.
 IPv4 VRRP: Set whether the NAT-PT policy is associated with IPv4 VRRP.

22.1.4 Address pool

The address pool module provides the function of setting IPv4 address pool parameters.

Select Service > IPv6 Transition Technology > NAT64 > Address Pool from navigation tree to
enter the address pool page, as shown in the following figure.

Figure 22-7 Address pool

The parameters of the address pool page are described as follows:

 No.: displays the sequence number of the IPv4 address pool.
 Name: set the name of the IPv4 address pool.
 Start IP: set the starting IP address of the IPv4 address pool.
 End IP: set the ending IP address of the IPv4 address pool.
 Anti-loopback routing: enable anti-loopback routing. Unless there is a specific requirement,
it is recommended not to enable this option.
 Address allocation: set the address pool addresses assigned to the service board.
 Gratuitous ARP: set whether to send gratuitous ARP packets.
 Referenced: shows whether the IPv4 address pool is referenced.

22.2 DS-Lite address

22.2.1 DS-Lite address

DS-Lite (Dual-Stack Lite) is a 4in6 tunnel technology. In an IPv6-only access network, it allows
dual-stack or IPv4-only hosts to access IPv4 network resources. DS-Lite is implemented jointly
by the AFTR (DS-Lite Address Family Transition Router Element) and the B4 (Basic Bridging
BroadBand Element).

After learning the AFTR location advertised by static configuration or DHCPv6, the dual-stack
capable B4 establishes a two-way, stateless IPv4-in-IPv6 tunnel to the AFTR and encapsulates
incoming IPv4 packets in an IPv6 header (whose source address is the B4 address and whose
destination address is the AFTR address), then sends them to the AFTR through the IPv4-in-IPv6
tunnel. The AFTR receives each packet, strips off the IPv6 header to reveal the IPv4 packet, and
performs NAT: the user's private network IPv4 address is translated to a public network IPv4
address and the packet is forwarded to the IPv4 network.

When the AFTR receives an IPv4 packet from the IPv4 network, it looks up the NAT mapping
table, performs NAT translation from the public network to the private network, finds the B4
address indexed by the private network information, and encapsulates the IPv4 packet
in an IPv6 header and forwards it to the B4 through the IPv4-in-IPv6 tunnel. After receiving the
packet, the B4 strips off the IPv6 header to expose the IPv4 packet and forwards it.

Select Service > IPv6 Transition Technology > DS-Lite > DS-Lite Address from navigation
tree to enter the page, as shown in the following figure.

Figure 22-8 DS-Lite address-1

Enable DS-Lite to expand the configuration information; you can then configure the AFTR or the
B4. The parameters are described as follows:

 AFTR configuration:
     AFTR IPv6 address: Set the IPv6 address of the AFTR.
 B4 configuration:
     Interface: Set the interface connected to the IPv4-in-IPv6 tunnel.
     B4 AFTR address: Set the AFTR address corresponding to the B4.
     DHCP option: After enabling, the interface and B4 AFTR address do not need to be
    configured.

22.2.2 DS-Lite transfer

Select Service > IPv6 Transition Technology > DS-Lite > DS-Lite Address from navigation
tree to enter the page, as shown in the following figure.

Figure 22-9 DS-Lite address-2

The DS-Lite address page parameters are described as follows:

 Enable DS-Lite: click to enable DS-Lite.

 AFTR configuration: configure the AFTR IPv6 address.

The parameters of the DS-Lite conversion page are described as follows:

 Serial number: Display the serial number of the DS-Lite NAT policy.
 Name: Set the name of the DS-Lite NAT policy.
 Outgoing interface: Set the outgoing interface of packets to which the DS-Lite NAT policy
applies.
 Initiator source IPv6 address: Set the source address of the IPv6 packet that encapsulates
the private network IPv4 packet to which the DS-Lite NAT policy applies.
 Destination IP of the initiator: Set the destination IP address of the private network IPv4
packet to which the DS-Lite NAT policy applies.
 Service: Set the service type and parameters to which the DS-Lite NAT policy applies; it can
be customized through the shortcut navigation bar, the pop-up window inside the DS-Lite
conversion configuration list, or the "Object Management" page.
 Advanced configuration: Set the NAT port mapping method, either symmetric NAT or cone
NAT.
 Public IP address (pool): Set the public IP address to which the source IP address of the
private network IPv4 packet is translated; it can be customized through the shortcut
navigation bar. The public network IP address (pool) configuration is shown in the figure
below.

Figure 22-10 Public IP address (pool)

 Borrow outgoing interface address: After selection, the public network address is the
outgoing interface address.
 No NAT: After selection, the device does not perform NAT processing.
 Select an existing address pool: select an existing address pool rule. After selecting it in
the left frame, click the Add button; the selected address pool rule is then displayed on
the right. Removal works the other way round.
 Advanced port: the source port after NAT. When the port hash function is not enabled, it is
the same as the source port before NAT.
 Associate VRRP: Choose whether to associate VRRP.
 Status: Enable or disable the DS-Lite NAT policy.
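The AFTR behaviour described in 22.2.1 (decapsulate, translate private to public, and on the way back find the B4 address from the NAT mapping table and re-encapsulate) together with the symmetric/cone choice and the "Advanced port" rule above can be followed in the Python below. It is an added example, not DPtech code: packets are plain dataclasses rather than bytes on the wire, a constructed list of public IPv4 addresses stands in for the address pool, and the "next free port" fallback is a stand-in for the device's port hash, whose actual algorithm the manual does not describe. All addresses are documentation ranges chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IPv4Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class IPv6Packet:
    """Outer header of the IPv4-in-IPv6 tunnel plus the encapsulated IPv4 packet."""
    src: str
    dst: str
    inner: IPv4Packet


class AFTR:
    """Minimal AFTR: decapsulation, NAT mapping table and re-encapsulation.

    Added illustration, not DPtech code. `public_pool` is a constructed list of
    public IPv4 addresses standing in for the address pool; `mode` selects the
    symmetric or cone port-mapping behaviour named under Advanced configuration.
    """

    def __init__(self, aftr_addr: str, public_pool: List[str],
                 mode: str = "cone", port_hash: bool = False) -> None:
        if mode not in ("cone", "symmetric"):
            raise ValueError("mode must be 'cone' or 'symmetric'")
        self.addr = aftr_addr
        self.pool = public_pool
        self.mode = mode
        self.port_hash = port_hash
        # private side -> public (ip, port), and the reverse index used inbound.
        self.out_map: Dict[tuple, Tuple[str, int]] = {}
        self.in_map: Dict[Tuple[str, int, str], tuple] = {}

    def _key(self, b4: str, pkt: IPv4Packet) -> tuple:
        base = (b4, pkt.src, pkt.sport, pkt.proto)
        # Symmetric NAT keys on the peer as well, so every destination gets its own mapping.
        return base + ((pkt.dst, pkt.dport),) if self.mode == "symmetric" else base

    def _allocate(self, sport: int, proto: str) -> Tuple[str, int]:
        # "Advanced port": without port hashing the pre-NAT source port is kept when free.
        if not self.port_hash:
            for ip in self.pool:
                if (ip, sport, proto) not in self.in_map:
                    return ip, sport
        # Otherwise take the lowest free high port (a stand-in for the device's port hash).
        for ip in self.pool:
            for port in range(1024, 65536):
                if (ip, port, proto) not in self.in_map:
                    return ip, port
        raise RuntimeError("public address pool exhausted")

    def from_b4(self, pkt: IPv6Packet) -> Optional[IPv4Packet]:
        """Tunnel side: strip the IPv6 header and translate private -> public."""
        if pkt.dst != self.addr:
            return None                       # not addressed to this AFTR: drop
        b4, inner = pkt.src, pkt.inner
        key = self._key(b4, inner)
        if key not in self.out_map:
            pub = self._allocate(inner.sport, inner.proto)
            self.out_map[key] = pub
            self.in_map[(pub[0], pub[1], inner.proto)] = key
        pub_ip, pub_port = self.out_map[key]
        return IPv4Packet(pub_ip, pub_port, inner.dst, inner.dport, inner.proto)

    def from_internet(self, pkt: IPv4Packet) -> Optional[IPv6Packet]:
        """Public side: look up the mapping, translate public -> private, re-encapsulate."""
        key = self.in_map.get((pkt.dst, pkt.dport, pkt.proto))
        if key is None:
            return None                       # unsolicited inbound traffic: drop
        b4, priv_ip, priv_port, proto = key[:4]
        if self.mode == "symmetric" and key[4] != (pkt.src, pkt.sport):
            return None                       # symmetric NAT admits only the mapped peer
        inner = IPv4Packet(pkt.src, pkt.sport, priv_ip, priv_port, proto)
        # The B4 address indexed from the mapping becomes the tunnel destination.
        return IPv6Packet(src=self.addr, dst=b4, inner=inner)


if __name__ == "__main__":
    aftr = AFTR("2001:db8::1", ["198.51.100.10"])       # constructed addresses
    b4 = "2001:db8:b4::1"
    out = aftr.from_b4(IPv6Packet(b4, aftr.addr, IPv4Packet("10.0.0.5", 40000, "203.0.113.7", 80)))
    print("outbound after NAT:", out)
    print("inbound re-encapsulated:", aftr.from_internet(IPv4Packet("203.0.113.7", 80, "198.51.100.10", 40000)))
```

Two points worth noticing: because subscribers behind different B4s commonly use overlapping private addresses, the mapping table is keyed on the B4 address as well as the private address and port, which is why the second subscriber in the test below gets a different public port even though its private tuple is identical; and the cone mode lets any external host reach a mapped port, so symmetric mode is the stricter choice where unsolicited inbound traffic is a concern.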

22.2.3 Address pool

The address pool module provides the function of setting the public network IPv4 address pool.

Select Service > IPv6 Transition Technology > DS-Lite > Address Pool from navigation tree
to enter the address pool page, as shown in the following figure.

Figure 22-11 Address pool

The parameters of address pool page are shown in the following:

 Serial number: Display the serial number of the address pool.
 Name: Set the name of the address pool.
 Start IP: Set the start IP of the address pool.
 End IP: Set the end IP of the address pool.
 Anti-loopback routing: select whether to enable the anti-loopback routing function.
 Address allocation: allocate different address segments to different slot numbers.
 Gratuitous ARP: Choose whether to enable the gratuitous ARP function.
 Referenced: shows whether the address pool is referenced.
