DPtech FW1000 Series Application Firewall User Manual v5.0
Declaration
Copyright © 2008-2021 Hangzhou DPtech Co., Ltd. All rights reserved.
Without the written permission of the company, no unit or individual may excerpt or copy part or all of the content of this manual, or distribute it in any form.
Due to product version upgrades or other reasons, the contents of this manual may change. Hangzhou DPtech Technology Co., Ltd. reserves the right to modify the contents of this manual without notice. This manual is intended only as a guide. Hangzhou DPtech Technology Co., Ltd. makes every effort to provide accurate information in this manual, but does not guarantee that the manual is completely free of errors. The statements, information and suggestions in this manual do not constitute any express or implied warranty.
Conventions
GUI conventions
Convention: Description
Multi-level menus are separated by " > ", for example System Management > Administrator.
Sign conventions
Convention: Description
An alert that calls attention to important information that, if ignored, can result in data corruption, data loss, or damage to hardware or software.
Contents
1 Getting Started
  1.1 Product overview
  1.2 Introduction to Web management system
    1.2.1 Cautions
    1.2.2 Log in to the Web management system
    1.2.3 Page layout introduction
  1.3 Basic configuration and maintenance
    1.3.1 Telnet / SSH remote management device
    1.3.2 Restrictions on specific IP / specific protocol management devices
    1.3.3 Save / upload the configuration file
    1.3.4 Webpage upgrade software version
  1.4 Introduction to common operations
2 Device Monitor
  2.1 System monitoring
    2.1.1 Device information / status
    2.1.2 CPU statistics
    2.1.3 Flow statistics
  2.2 Session monitoring
    2.2.1 Session statistics
    2.2.2 Session list
    2.2.3 Session ranking
3 Basic Configuration
  3.1 OVC
    3.1.1 OVC technology introduction
    3.1.2 OVC configuration
  3.2 VRF
  3.3 Virtual system
    3.3.1 Introduction
    3.3.2 Virtual system configuration
    3.3.3 Virtual system parameter settings
1 Getting Started
1.1 Product overview
Nowadays new services and applications such as Web 2.0, audio/video, P2P and cloud computing emerge constantly. Traditional port-based routers, which can only perform application identification and access control at the port level, cannot meet the security protection needs of these new applications. To solve this problem, DPtech has introduced a new product series based on a multi-core processor architecture. The DPtech FW1000 series integrates application-layer functions with application-layer security, adopts DPtech's proprietary "parallel flow filter engine" technology, and matches all security policies in a single pass. Even as the application-layer functions expand and the signature database grows, product performance is not degraded and network latency is not increased.
The DPtech FW1000 series are leading application routers in the industry. Based on DPtech's independent intellectual property, the products use the high-performance APP-X hardware architecture and the L2 to L7 converged operating system ConPlat. Their high availability, high performance and high reliability allow the DPtech FW1000 series application routers to be deployed in a variety of complex scenarios such as data centers and large campus networks. In addition, the feature-rich and scalable application router solution simplifies the network security architecture and greatly reduces the total cost of ownership of the enterprise network.
1.2 Introduction to Web management system
1.2.1 Cautions
To access the Web management system, pay attention to the following:
Make sure that the client host and the device management interface can communicate normally.
IE 9.0 or above is recommended, with a screen resolution of 1440 × 900 or higher.
The default maximum number of connections for administrators logging in to the Web management system over HTTP or HTTPS is 5.
The default IP address of the device is 192.168.0.1/24.
The initial user can log in with the default account: the user name is admin and the password is admin_default. It is recommended to change the password after logging in for the first time. For details, refer to the section on administrator configuration.
The Web management system does not support the back, forward and refresh operations of the Web browser, because they may cause the page to display incorrectly.
After a user logs in, if the Web interface is not operated for more than 5 minutes, the session times out and the system returns to the login page. You must log in again to continue. The user can modify the timeout period; for details, refer to the "Administrator" section.
1.2.2 Log in to the Web management system
(1) Open the IE browser and connect to the device management address over HTTP or HTTPS to reach the Web user login interface, as shown in the following figure.
(2) Enter the login information:
Enter the correct user name and password. The default user name is admin and the password is admin_default.
Enter the verification code according to the interface prompt; it is not case sensitive.
Select the language, Chinese or English. After the language is selected, the interface is displayed in that language.
(3) Click the Login button to log in to the Web management system.
1.2.3 Page layout introduction
The functions of the DPX8000 system are configured through different function pages. The layout of the Web management page is shown in the following figure.
(1) Navigation bar: displays the function menu of all modules of the device. After a menu item is selected, the corresponding function page is displayed in the configuration area.
(2) Shortcut bar: displays the device name and the tabs for fast switching between basic functions and business functions, and provides Restart, Exit and other shortcut buttons.
(3) Configuration area: the function modules are configured in detail in the configuration area.
1.3 Basic configuration and maintenance
1.3.1 Telnet / SSH remote management device
To manage the device remotely while ensuring network connectivity, use the following configuration procedure.
(1) Select Basic > System Management > Login Management > Management Protocol >
Telnet/SSH Login Management from navigation tree to enter the Telnet/SSH login
management page, as shown in the following figure.
(2) Check Enable Telnet and select Enable User Name Password Authentication. By default, local password authentication is enabled, but the default password is empty, so you need to configure the local password for Telnet.
(3) Check Enable SSH and select Enable User Name Password Authentication. Click the Submit button, as shown in the following figure.
When you log in to the device with a Telnet client and user name and password authentication is enabled, the default user name is admin and the password is admin_default, as shown in the following figure.
When you log in to the device with an SSH client, the default user name is admin and the password is admin_default, as shown in the following figure.
1.3.2 Restrictions on specific IP / specific protocol management devices
Management host A is not restricted in any way. Host B can access the device only through the HTTP protocol. Host D can access the device only through SSH or HTTPS. No other host can access the device.
(2) Click the "IP settings" configuration item and configure the address of interface gige0_2 as 192.168.1.1/24 and the address of interface gige0_3 as 211.136.1.1/24, as shown in the following figure.
(3) When the configuration is finished, click the Confirm button at the top right of the page.
2. Configure Telnet/SSH Login Management to allow users to access the device
(1) Select Basic > System Management > Management Protocol > Telnet/SSH Login Management from the navigation tree to enter the Telnet/SSH login management page. Configure the page as shown in the following figure.
(2) Enable Telnet or SSH and use user name and password authentication.
(3) Add the IP addresses of Host A and Host D to the Telnet/SSH login list.
(4) After finishing the above configuration, click the Submit button, as shown in the following figure.
3. Configure the Web login IP address list to specify which IP addresses may access the device's Web interface
(1) Select Basic > System Management > Management Protocol > HTTP/HTTPS Login Management from the navigation tree to enter the HTTP/HTTPS login management page, as shown in the following figure.
(2) Add the IP addresses of Host A, Host B and Host D to the "Web login configuration", as shown in the following figure.
4. Configure the limited interface service so that only specific protocols can access the device on each interface
(1) Select Basic > System Management > Management Protocol > Limited Interface Service from the navigation tree to enter the interface service limit page, as shown in the following figure.
(2) No interface services are allowed on the management interface. The VLAN interface can only use the HTTP protocol to access the device. The physical ports can use SSH and HTTPS to access the device, as shown in the following figure.
When the hosts then try to access the device in the different ways, the results are as follows:
Host A can access the device through HTTP, HTTPS, Telnet, SSH and Ping.
Host B can access the device through HTTP, but cannot use HTTPS, Telnet, SSH or Ping.
Host C cannot access the device through HTTP, HTTPS, Telnet, SSH or Ping.
Host D can access the device through HTTPS or SSH, but cannot use HTTP, Telnet or Ping.
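The four steps above combine per-protocol login lists with per-interface service limits. The following Python is an added illustration (not DPtech code, and not the device's actual evaluation logic) that models that combination and reproduces the results listed; the interface each host arrives on, the "unrestricted" interface standing in for Host A's path, and the treatment of Ping as governed by the interface limit alone are assumptions.

```python
"""Layered management-access model from section 1.3.2 (added example).

A management request is admitted only when (a) the source host is on the
allow list that gates the protocol (Telnet/SSH login list, Web login list)
and (b) the protocol is a permitted service on the arriving interface.
Ping has no per-host list and is governed by the interface limit alone
(assumption; the page does not say how Ping is restricted).
"""

# Allow lists from steps 2 and 3 of the procedure.
TELNET_SSH_LOGIN_LIST = {"Host A", "Host D"}
WEB_LOGIN_LIST = {"Host A", "Host B", "Host D"}

ALL_SERVICES = {"HTTP", "HTTPS", "Telnet", "SSH", "Ping"}

# Limited Interface Service from step 4: the VLAN interface permits HTTP
# only, physical ports permit SSH and HTTPS.  "unrestricted" is a constructed
# interface with every service permitted, standing in for however Host A
# (stated on the page to be unrestricted) reaches the device.
INTERFACE_SERVICES = {
    "vlan": {"HTTP"},
    "physical": {"SSH", "HTTPS"},
    "unrestricted": set(ALL_SERVICES),
}

# Which interface each host arrives on is not given on the page; constructed.
HOST_INTERFACE = {
    "Host A": "unrestricted",
    "Host B": "vlan",
    "Host C": "vlan",
    "Host D": "physical",
}

# The login list that gates each protocol (None = no per-host list).
PROTOCOL_LIST = {
    "Telnet": TELNET_SSH_LOGIN_LIST,
    "SSH": TELNET_SSH_LOGIN_LIST,
    "HTTP": WEB_LOGIN_LIST,
    "HTTPS": WEB_LOGIN_LIST,
    "Ping": None,
}


def management_access(host: str, interface: str, protocol: str) -> bool:
    """True if `host` may use `protocol` when arriving on `interface`."""
    if protocol not in INTERFACE_SERVICES.get(interface, set()):
        return False  # blocked by the interface service limit
    host_list = PROTOCOL_LIST[protocol]
    return host_list is None or host in host_list


def allowed_protocols(host: str, interface: str) -> set:
    """All protocols `host` can use from `interface`."""
    return {p for p in ALL_SERVICES if management_access(host, interface, p)}


def access_matrix() -> dict:
    """Per-host result for the constructed host/interface mapping."""
    return {h: allowed_protocols(h, i) for h, i in HOST_INTERFACE.items()}


def unreachable_list_entries() -> dict:
    """Audit helper: login-list entries that can never take effect because
    the host's interface does not permit the listed protocol."""
    dead = {}
    for host, iface in HOST_INTERFACE.items():
        for proto, host_list in PROTOCOL_LIST.items():
            if host_list and host in host_list and not management_access(host, iface, proto):
                dead.setdefault(host, set()).add(proto)
    return dead


if __name__ == "__main__":
    for host, protos in sorted(access_matrix().items()):
        print(f"{host}: {sorted(protos) or 'no access'}")
    print("allow-list entries with no effect:", unreachable_list_entries())
```

The audit helper is worth keeping when reviewing such a configuration: a host listed for a protocol that no interface permits is usually a sign that one of the two layers was edited without the other.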
1.3.3 Save / upload the configuration file
You can save the current configuration to a configuration file on the device, export a saved configuration file to the local host, and upload a local configuration file to the device.
1. Save the configuration file
(1) Select Basic > System Management > Configuration File > Configuration File from the navigation tree to enter the configuration file page, as shown in the following figure.
(2) Click the New Config button, enter a file name, and click the save icon to save the configuration file to the device. The other configuration icons appear as shown in the following figure.
(3) Click the export icon to save the configuration file to the local host.
2. Upload the configuration file
(1) Select Basic > System Management > Configuration File > Configuration File from the navigation tree to enter the configuration file page, as shown in the following figure.
(2) Click the Import button, then click File Path to select the local configuration file.
(3) Click the Import button to upload the configuration file to the device.
1.3.4 Webpage upgrade software version
1. Upload version
(1) Select Basic > System Management > Software Version from the navigation tree.
(2) Click the Browse button to select the local software version file to be upgraded.
(3) Click the Upload Version button. The system begins to upload the software version to the device; this process takes some time, please be patient.
2. Set the next boot software version
After selecting a software version, click the Upload and next version button, as shown in the following figure. The device then downloads the software version automatically and restarts after the download.
3. Reboot
You can also restart the device manually by clicking the restart button in the upper right corner of the Web page.
1.4 Introduction to common operations
Confirm: after the parameters are set, makes the configuration take effect.
Cancel: cancels the configuration that has not yet taken effect.
2. Add and delete configurations
A configuration list generally provides two functions: add and delete.
Add: click the add icon to add a new configuration below the existing configuration.
Delete: click the delete icon; the configuration turns red and waits to be deleted. The configuration is deleted when you click the Submit button in the upper right corner of the Web page. If you do not want to delete this configuration, click the Delete icon again. A configuration waiting to be deleted cannot be modified.
If an imported configuration is the same as an existing configuration in the configuration list, it cannot be imported successfully.
Force offline: forces the selected entry offline. Sort: adjusts the order of the policies.
2 Device Monitor
2.1 System monitoring
System monitoring includes three modules: device information/status, CPU statistics and flow statistics.
Device status: displays configuration information such as device name, time, device size, serial number, number of slots, number of power supplies, number of fans and PCB version, together with the status of the power supplies, the fans and each slot.
CPU statistics: shows the usage of each CPU core over the last 30 seconds, 1 minute and 5 minutes, and a graph of the average utilization of the data cores and control cores over the last 24 hours.
Flow statistics: displays the traffic of the last 24 hours graphically.
2.1.1 Device information / status
Select Basic > Device Monitor > System Monitoring > Device Information/Status from the navigation tree to enter the device information/status page, as shown in the following figure. This page allows you to view the device information, device status and slot status.
1. Device information / status
The device information shows the basic information of the device, as shown in the following figure.
2.1.2 CPU statistics
Select Basic > Device Monitor > System Monitoring > CPU Statistics from the navigation tree.
The CPU statistics page shows the CPU usage of the device; the CPU usage of a specific slot can be selected by slot. The figure above shows the CPU usage of slot 1, that is, the control cores and data cores of the board: a table of average usage for the 30 seconds, 1 minute and 5 minutes before the current time, and a curve of the average utilization of all control cores and data cores for each period in the last 24 hours. In the statistics table, columns 0 to 11 show the average utilization of the control cores and are shown in blue; columns 12 to 15 show the average utilization of the data cores and are shown in white. In the graph, the blue curve represents the average utilization of the control cores and the yellow curve the average utilization of the data cores.
2.1.3 Flow statistics
Select Basic > Device Monitor > System Monitoring > Flow Statistics from the navigation tree to enter the flow statistics page, as shown in the following figure.
The flow statistics page shows the average traffic curve of the device for each time period in the last 24 hours. The unit is Kbit/s; the unit scale adapts to the size of the traffic.
2.2 Session monitoring
2.2.1 Session statistics
Select Basic > Device Monitor > Session Monitoring > Session Statistics from the navigation tree to enter the session statistics page. The displayed information includes overall statistics, accurate statistics and session charts.
1. Overall statistics
The overall statistics show the session statistics of the device's business board, as shown in the following figure.
The overall statistics can be refreshed automatically or manually.
2.2.2 Session list
Select Basic > Device Monitor > Session Monitoring > Session List from the navigation tree to enter the session list, as shown in the following figure.
The query conditions include slot number, session type, protocol type, initiator source IP address, initiator source port, initiator destination IP address, initiator destination port and policy name. A condition that is not configured is not used to filter the query.
Click the Query button to display the query results in the session list. Click the Delete button to reset all session queries.
2.2.3 Session ranking
Select Basic > Device Monitor > Session Monitoring > Session Ranking from the navigation tree to enter the session ranking page, as shown in the following figure.
The query conditions include slot number, statistical mode and ranking. If they are not configured, the query results are not ranked.
3 Basic Configuration
3.1 OVC
3.1.1 OVC technology introduction
Public OVC: the default OVC instance that exists in the initial state of the system is called the public OVC, and initially all resources belong to it.
Ordinary OVC: OVC instances other than the public OVC are called ordinary OVCs. After an ordinary OVC is created, any resources in the system that are not assigned to an ordinary OVC still belong to the public OVC.
Through system-level virtualization, a set of hardware and software resources can be assigned to each OVC: ports, CPUs, memory, number of sessions, new and concurrent connection rates, throughput, number of routing entries and number of security policies. The actual specification of each OVC can thus be customized flexibly.
OVC virtualization lets the system perform independent process management, memory management and disk management for each virtual device, with no resource or performance loss from switching and scheduling between virtual devices. Through operating-system-level virtualization, each OVC is fully isolated in the management plane, control plane, data plane and business plane, so that each forms a completely independent logical device. The operating system kernel schedules the OVC virtual devices and allocates hardware resources to each one according to a preset resource template.
As shown in the following figure, OVC implements 1:N virtualization of the physical device. Each OVC can be regarded as a standalone device, and the user can access and manage an OVC through the network interfaces that belong to it. Each OVC has its own HTTP, CLI, SNMP and SYSLOG configuration management protocol processes, stores its configuration file separately, and can be restarted and have its configuration restored independently. Each OVC has its own administrators and log files, and its system log and operation log can be sent independently to a log monitoring server. Each OVC is managed by its own administrator, and OVCs are not visible to each other.
Each OVC starts its own management processes to manage the system resources it owns and its own protocol processes (such as OSPF, IS-IS, BGP and other routing protocols) to maintain its protocols. Because each OVC runs separate protocol processes, the processes do not interfere with each other.
As shown in the following figure, OVC1 enables OSPF and IS-IS, OVC2 enables OSPF, RIP and BGP, and OVC3 enables IS-IS and BGP, each with separate processes. A protocol process failure in one OVC does not affect the normal operation of the corresponding processes in the other OVCs.
The benefit of control plane virtualization is fault isolation between OVCs. As shown in the following figure, a failure of the OSPF process in OVC2 stops the OSPF protocol of that OVC from operating normally, while the OSPF processes in the other OVCs continue to run normally and are not affected at all.
When an OVC is created, the system divides the interface resources, which are then managed by the OVC's own virtual data plane and completely isolated from the other OVCs. When traffic arrives on an OVC interface, only the forwarding entries belonging to that OVC are consulted and the traffic can only be forwarded out of interfaces that belong to that OVC. At the same time, routing protocols can run only on these interface resources, which ensures that each OVC's forwarding entries contain only its own interfaces, so that the routing and forwarding of different OVCs are completely isolated.
On a security device, sessions must be established during packet forwarding to record state information. To keep the forwarding information of each OVC completely isolated, each OVC has a separate session table. When forwarding a packet, the device queries and maintains only the session table of that OVC, so the sessions of different OVCs do not interfere with each other and the address space and forwarding information of each OVC are completely independent.
As shown in the following figure, after the system resources are pooled, each OVC can independently configure the security policies of its services and process its own L4 to L7 services. The security services of the OVCs are completely isolated, fully realizing L4 to L7 virtualization.
3.1.2 OVC configuration
Select Basic > Basic Configuration > OVC from the navigation tree to enter the OVC configuration page, as shown in the following figure.
The OVC configuration function is disabled by default; check "Enable OVC configuration" and click the Submit button. Enabling the OVC configuration function is the prerequisite for creating, modifying and deleting OVC configurations.
Name: the OVC name, in Chinese or English. Once the configuration has been submitted, the OVC name cannot be modified. A valid OVC name cannot be empty, cannot contain the illegal characters (~ ` ! @ # $ % ^ & * \ ' " < >), cannot duplicate an existing OVC name, and cannot exceed 31 bytes (a single Chinese character occupies 3 bytes, a single English character occupies 1 byte).
Virtual system: static display of the virtual system the OVC belongs to; it cannot be configured. A newly created OVC defaults to PublicSystem.
Interface: the OVC's interface resources. Click the list item to open the interface list window. The interface list window of OVC_0 only displays the public interface resources and cannot be configured. For any OVC other than OVC_0, the window shows the interfaces that belong to the OVC and the interfaces that can be assigned to it. Add or remove interface resources for the OVC by checking or unchecking the check box of each interface.
Management services: Web access permission for administrators of this OVC. When checked, administrators of this OVC can access the Web page; otherwise they cannot.
Since the device command line cannot display Chinese characters, it is recommended that the OVC name consist only of characters the command line can recognize, such as digits, letters and underscores. Otherwise the OVC cannot be accessed from the command line.
3.2 VRF
VRF (VPN Routing and Forwarding instance) is a networking technology that allows a router to hold multiple independent routing and forwarding instances at the same time. Each routing instance is independent of the others, so the same or overlapping IP addresses in different instances do not conflict. VRF not only isolates network paths on the same device but also enhances network security without requiring encryption or authentication.
Each VRF can be seen as a virtual router, as if it were a dedicated PE device. The virtual router includes the following elements:
The main functions of VRF configuration are enabling and disabling VRF, creating, modifying and deleting VRFs, and configuring interface resources for a VRF.
Select Basic > Basic Configuration > VRF from navigation tree to enter the VRF configuration
page, as shown in the following figure.
The VRF configuration function is disabled by default; check "Open VRF configuration" and click the Submit button to enable it. Enabling VRF configuration is the prerequisite for creating, modifying and deleting VRF configurations. VRF and OVC cannot be enabled at the same time. When VRF is disabled, all existing VRFs are deleted.
Name: the VRF name, in Chinese or English. A valid VRF name cannot be empty, cannot contain the illegal characters (~ ` ! @ # $ % ^ & * \ ' " < >), cannot duplicate an existing VRF name, and cannot exceed 31 bytes (a single Chinese character occupies 3 bytes, a single English character occupies 1 byte).
Virtual system: static display of the virtual system the VRF belongs to; it cannot be configured by the user. A new VRF displays PublicSystem by default.
Interface: the VRF's interface resources. Click the configuration item to open the interface configuration window. The interface configuration window of VRF_0 only displays the public interface resources and cannot be configured. For any VRF other than VRF_0, the window shows the interfaces that belong to the VRF and the interfaces that can be assigned to it. Add or remove interface resources for the VRF by checking or unchecking the check boxes of the interfaces.
Since the device command line cannot display Chinese characters, it is recommended that the VRF name consist only of characters the command line can recognize, such as digits, letters and underscores. Otherwise the VRF cannot be accessed from the command line.
3.3 Virtual system
3.3.1 Introduction
A virtual system is a logical division of one physical device into multiple virtual devices; each virtual system provides a subset of the functions of the physical device. Each virtual system can be regarded as a completely independent device with its own system resources, administrators and security policies.
Virtual systems are mostly deployed in operator or IDC networks: the operator buys and maintains the physical device, and users rent one or more virtual devices and manage their own share of the resources.
Without virtualization, finer divisions require more independent devices to be deployed, resulting in higher ownership and maintenance costs.
Multiple stand-alone devices occupy more rack space and add complexity to the integrated wiring.
More physical devices means more network elements to manage, which increases the complexity of network management.
Virtual system role:
3.3.2 Virtual system configuration
Select Basic > Basic Configuration > VSM > VSM Configuration from the navigation tree to enter the VSM configuration page, as shown in the following figure.
The virtual system function is disabled by default; check "Open virtual system configuration" and click the Submit button to enable it. Enabling the virtual system function is the prerequisite for creating, modifying and deleting virtual systems.
Virtual systems support import and export. Importing a virtual system configuration is an overwrite import and deletes all virtual systems the user has configured. An exported configuration file can be imported directly, or edited and then imported.
Name: the name of the virtual system, in Chinese or English. A valid virtual system name cannot be empty, cannot contain the illegal characters (~ ` ! @ # $ % ^ & * \ ' " < >), cannot duplicate an existing virtual system name, and cannot exceed 63 bytes (a single Chinese character occupies 3 bytes, a single English character occupies 1 byte).
ID: the ID number of the virtual system.
Type: the type of the virtual system.
Resource: select the interface resources of the virtual system.
Because the device command line cannot display Chinese characters, it is recommended that the virtual system name consist only of characters the command line can recognize, such as digits, letters and underscores. Otherwise the virtual system cannot be accessed from the command line.
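The OVC, VRF and virtual system sections above state the same name rules with different byte limits. The following Python is an added example (not DPtech code) that applies those rules, counting bytes in UTF-8, which matches the page's 3 bytes per Chinese character and 1 per English character; it reads the page's two quote marks in the illegal-character list as ' and ", and adds the page's command-line recommendation as a separate check.

```python
"""Name validation for OVC, VRF and virtual system objects (added example).

Rules from sections 3.1.2, 3.2 and 3.3.2: non-empty, no illegal characters
~ ` ! @ # $ % ^ & * \ ' " < >, not a duplicate of an existing name, and a
byte limit of 31 (OVC, VRF) or 63 (virtual system).  The page's note that
only digits, letters and underscores are usable from the command line is
implemented as a separate, advisory check.
"""
import re

# The page's illegal-character list; the two quote marks are read as ' and ".
ILLEGAL_CHARS = set("~`!@#$%^&*\\'\"<>")
BYTE_LIMITS = {"OVC": 31, "VRF": 31, "virtual system": 63}
CLI_SAFE = re.compile(r"^[A-Za-z0-9_]+$")


def name_problems(name: str, kind: str, existing=()) -> list:
    """Return the rule violations for `name` as an object of `kind`.

    An empty list means the name is acceptable to the Web interface.
    """
    limit = BYTE_LIMITS[kind]
    problems = []
    if name == "":
        problems.append("empty")
    bad = sorted(ILLEGAL_CHARS.intersection(name))
    if bad:
        problems.append("illegal characters: " + "".join(bad))
    # UTF-8 gives 3 bytes per CJK character and 1 per ASCII character,
    # the same counting the page describes.
    nbytes = len(name.encode("utf-8"))
    if nbytes > limit:
        problems.append(f"{nbytes} bytes exceeds {limit}")
    if name in existing:
        problems.append("duplicate")
    return problems


def is_valid_name(name: str, kind: str, existing=()) -> bool:
    return not name_problems(name, kind, existing)


def cli_accessible(name: str) -> bool:
    """True if the name follows the page's recommendation for command-line use."""
    return CLI_SAFE.match(name) is not None


if __name__ == "__main__":
    # Constructed sample names.
    samples = [("ovc_1", "OVC"), ("防火墙" * 4, "OVC"), ("vrf#1", "VRF"), ("", "OVC")]
    for n, k in samples:
        print(repr(n), k, name_problems(n, k) or "OK", "| cli:", cli_accessible(n))
```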
3.3.3 Virtual system parameter settings
Select Basic > Basic Configuration > VSM > Virtual System Parameter Settings from the navigation tree to enter the virtual system parameter settings page, as shown in the following figure.
4 System Management
4.1 Login management
4.1.1 Administrator
Select Basic > System Management > Administrator > Administrator from navigation tree to
enter the administrator configuration page. The functions of the administrator sub-module
include the current Web login administrator, administrator settings, administrator authentication
settings, and login parameter settings.
1. Administrator configuration
In the administrator settings list, you can configure the administrator account name, password,
permissions and other information, as shown in the following figure.
By default, the configuration of the admin account cannot be modified or deleted. Click the add icon to add an administrator account. The configuration items of an administrator account are as follows:
Administrator: the name of the administrator account. The user name must begin with a letter and consist of 3 to 20 characters drawn from letters, digits, "_" and "-".
Description: the description of the administrator account.
Password: the password of the administrator account. The password must be 10 to 128 characters long, must not contain the user name, and must contain characters from at least three of the four categories upper-case letters, lower-case letters, digits and special symbols.
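The administrator name and password rules just stated can be checked before an account is created. The following Python is an added example (not DPtech code) implementing them; it treats any ASCII punctuation character as a "special symbol" and checks the user-name containment case-insensitively, both assumptions slightly stricter than the page's wording. It also shows that the default credential admin / admin_default from section 1.2.1 would not pass the policy, which is why the page recommends changing it.

```python
"""Administrator account policy from section 4.1.1 (added example).

User name: begins with a letter, 3 to 20 characters from letters, digits,
"_" and "-".  Password: 10 to 128 characters, does not contain the user
name, and uses at least three of the four categories upper-case letters,
lower-case letters, digits and special symbols.
"""
import re
import string

USERNAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{2,19}$")
# "Special symbol" is taken as ASCII punctuation (assumption).
SPECIALS = set(string.punctuation)


def valid_username(name: str) -> bool:
    """True if `name` satisfies the administrator-name rule."""
    return USERNAME_RE.match(name) is not None


def password_categories(pw: str) -> set:
    """The subset of the four character categories present in `pw`."""
    cats = set()
    for ch in pw:
        if ch.isupper():
            cats.add("upper")
        elif ch.islower():
            cats.add("lower")
        elif ch.isdigit():
            cats.add("digit")
        elif ch in SPECIALS:
            cats.add("special")
    return cats


def password_problems(username: str, pw: str) -> list:
    """Return the password-rule violations; an empty list means compliant."""
    problems = []
    if not 10 <= len(pw) <= 128:
        problems.append(f"length {len(pw)} not in 10-128")
    # Case-insensitive containment check (assumption, stricter than the page).
    if username and username.lower() in pw.lower():
        problems.append("contains user name")
    cats = password_categories(pw)
    if len(cats) < 3:
        problems.append(f"only {len(cats)} of 4 character categories")
    return problems


def account_acceptable(username: str, pw: str) -> bool:
    return valid_username(username) and not password_problems(username, pw)


if __name__ == "__main__":
    # The page's default credential, and a constructed compliant one.
    for user, pw in [("admin", "admin_default"), ("ops-team_1", "Tr0ub4dor&3x")]:
        print(user, repr(pw), password_problems(user, pw) or "OK")
```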
Local authentication
With local authentication, the authentication service is provided by the device itself. When an administrator logs in to the device, the device passes the received identity authentication request to the corresponding authentication module, which compares it with the user account information stored in the local database. If the user name and password match, a success message is returned; otherwise a failure message is returned.
RADIUS authentication
When RADIUS authentication is selected as the authentication method, a third-party RADIUS
server provides the authentication service. The account and password information used by the
administrator when logging in is stored on the RADIUS server. When the administrator logs in,
the device forwards the received identity authentication request to the third-party RADIUS
server. After receiving the request, the RADIUS server compares the user name and password
with the information stored locally on the RADIUS server. If they match, a success message is
returned; if they do not match, a failure message is returned. RADIUS authentication uses UDP
for transport, with port 1812 for authentication and port 1813 for accounting.
TACACS+ authentication
When the authentication method is TACACS+, the authentication server is a Cisco TACACS+
server. With TACACS+ authentication, the transport protocol is TCP and the port number is 49.
TACACS+ (Terminal Access Controller Access-Control System Plus) is, like RADIUS, an
AAA-based management method that includes authentication (Authentication), authorization
(Authorization), and accounting (Accounting) functions.
LDAP authentication
When the authentication method is LDAP (Lightweight Directory Access Protocol), the device
forwards the identity authentication request to the LDAP server. LDAP acts like a simple
database that stores the username and password data used in the firewall authentication
process. LDAP is widely used today, and the device currently supports a standard third-party
LDAP server as the authentication server.
Timeout time: If you do not perform any operation for a period of time, the system will pop up
a timeout prompt and you need to log in again. The default timeout period is 300 seconds.
Wrong login lock times: the number of incorrect password attempts after which the account is
locked. The options are 3, 4, and 5, and the default is 5.
Automatic unlocking time after locking: the selectable range is 1~65535, the unit is second.
The default automatic unlocking time is 1800 seconds.
Maximum number of logins for a single user: the maximum number of users allowed to log
in to the device via the Web with the same administrator account.
The maximum number of web users to log in: the maximum number of users allowed to log
in to the device through the web. The value of this parameter ranges from 1 to 32. By default,
the maximum number of users allowed to log in via Web is 5.
Password strength: the password strength is divided into three levels: high, medium and
low.
High: the length is between 10 and 128, and the password does not contain the user
name; it must contain three of the four types: uppercase letters, lowercase letters,
numbers, and special symbols.
Medium: the length is between 8 and 128, and the password does not contain the user
name.
Low: by default, the length is between 8 and 128. The minimum length is set by the
"Minimum length of low-strength password" parameter.
Minimum length of low-strength password: the value range is 1~16, and the default value is
8.
Password validity period: the range of password validity period. You can choose permanent
validity or specific days. The range of days is 1~365.
Remote authentication administrator configuration range: one of five configuration ranges:
Super, System Configuration, Business Configuration, Log Configuration and Readonly. It
can only be configured when non-local authentication is selected in the authentication
settings.
Remote authentication administrator level: the level of remote authentication users, one of
five levels 1, 2, 3, 4, and 5. It can be configured only when non-local authentication is
selected in the authentication settings. The user level here refers to the user's authority and
applies only when the currently logged-in user modifies the attributes of other users, such
as their passwords, user groups, and user rights. Level 1 is the highest and can modify all
users of levels 1~5; users of other levels cannot modify users of the same level, but only
users with lower authority than themselves. For example, users with authority level 2 can
only modify users with authority levels 3, 4, and 5.
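The user name format, the password strength levels and the wrong-login lockout described in the administrator configuration and login parameter settings above, implemented as an added example (not DPtech's code; how the device itself evaluates these rules, and the case-insensitive user-name check, are assumptions):

```python
import re

# Added example implementing the administrator login rules described in the manual
# (user name format, password strength levels, wrong-login lockout). This is not
# DPtech's code; how the device itself evaluates these rules is an assumption.

USERNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]{2,19}")  # starts with a letter, 3-20 chars


def valid_username(name):
    """True when the name begins with a letter and has 3-20 letters, digits, '_' or '-'."""
    return USERNAME_RE.fullmatch(name) is not None


def character_categories(password):
    """Count how many of the four categories (upper, lower, digit, special) are present."""
    checks = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return sum(1 for check in checks if any(check(c) for c in password))


def check_password(password, username, strength="high", low_min_length=8):
    """Return the list of violated rules; an empty list means the password is accepted.
    strength is "high", "medium" or "low" (the Password strength setting) and
    low_min_length is the Minimum length of low-strength password setting (1~16)."""
    if strength not in ("high", "medium", "low"):
        raise ValueError("strength must be high, medium or low")
    if not 1 <= low_min_length <= 16:
        raise ValueError("minimum length of low-strength password must be 1~16")
    min_len = {"high": 10, "medium": 8, "low": low_min_length}[strength]
    problems = []
    if not min_len <= len(password) <= 128:
        problems.append(f"length must be between {min_len} and 128")
    # The user-name check is applied case-insensitively here (assumption).
    if strength != "low" and username and username.lower() in password.lower():
        problems.append("password must not contain the user name")
    if strength == "high" and character_categories(password) < 3:
        problems.append("must contain three of: uppercase, lowercase, numbers, special symbols")
    return problems


class LoginLockout:
    """Locks an account after N wrong passwords and unlocks it automatically later.
    lock_after is the Wrong login lock times setting (3, 4 or 5); unlock_after is the
    Automatic unlocking time after locking, in seconds (1~65535, default 1800)."""

    def __init__(self, lock_after=5, unlock_after=1800):
        if lock_after not in (3, 4, 5):
            raise ValueError("wrong login lock times must be 3, 4 or 5")
        if not 1 <= unlock_after <= 65535:
            raise ValueError("automatic unlocking time must be 1~65535 seconds")
        self.lock_after = lock_after
        self.unlock_after = unlock_after
        self._failures = {}   # account -> consecutive wrong-password count
        self._locked_at = {}  # account -> time (seconds) at which the lock started

    def is_locked(self, account, now):
        """True while the account is locked; an expired lock is cleared on the way."""
        started = self._locked_at.get(account)
        if started is None:
            return False
        if now - started >= self.unlock_after:
            del self._locked_at[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account, now):
        """Register a wrong password at time `now`; returns True if the account is now locked."""
        if self.is_locked(account, now):
            return True
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.lock_after:
            self._locked_at[account] = now
            return True
        return False

    def record_success(self, account):
        """A correct login resets the wrong-password counter."""
        self._failures.pop(account, None)
```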
4. Separation of the three powers of the administrator
Click the Enable button to enable the function of separating the three powers of the
administrator.
After enabling this function, only the three default accounts can be used to log in to the device. It
is recommended that users do not enable it.
The system predefines five basic rights: Super, System Configuration, Business Configuration,
Log Configuration, Readonly. Allocating authority rationally, so that managers with different
responsibilities can only access the functional modules within the scope of their authority,
enhances the confidentiality of the system and is an effective means of security management.
Super role: the system's highest administrative authority; an account with this role has
configuration management authority over all functional modules of the system.
System role: has configuration management rights over the system.
Business configuration role: has configuration management rights over the system's
business modules.
Log configuration role: has configuration access to the system's log modules.
Readonly configuration role: has the right to view the relevant modules.
The system supports custom management authority, so that users can customize the access
rights of an administrator account according to actual management requirements and control
access to the system's service modules more effectively.
Select Basic > System Management > Administrator > Web Authority Management from
navigation tree to enter the web authority management page.
The parameters of the Web authority management page are as follows:
Name: the name of the administrative privilege. The function modules that each privilege
can manage are listed in the corresponding "configuration view" list item.
Scope: the function modules with view permission.
Reboot: whether the privilege includes permission to restart the device.
Privilege: whether the privilege includes permission to configure the corresponding module.
The five pre-defined administrative privileges cannot be modified or deleted. Click the icon to
customize administrative rights. Once the configuration is complete, click the Submit button
at the top right of the page.
The current online administrator information is displayed as shown in the following:
When the same login address is opened repeatedly in multiple browsers or multiple tabs and
used to log in to the device Web interface, multiple records appear in the "Current Web Login
Administrator" list because of browser caching. Directly closing the browser does not completely
log out, which is a security risk; the session is only completely ended after the login timeout or a
forced exit, at which point the record is deleted from the list. Therefore, it is recommended that
the administrator log in to the device's Web interface once and not log in repeatedly. Click the
button at the top right of the page to exit the device Web interface.
The Web access protocol configuration module provides the basic configuration of Web access
functions, including HTTP and HTTPS protocol configuration, USB key authentication
configuration.
Select Basic > System Management > Administrator > Web Access Protocol Configuration
from navigation tree to enter the Web access protocol configuration page, as shown in the
following figure.
The parameters of the Web access protocol configuration page are described as follows:
HTTP protocol configuration: After enabling the HTTP protocol, you can access the Web
management system through the HTTP protocol, and the port number is 80 by default.
HTTPS protocol configuration: After the HTTPS protocol is enabled, the Web management
system can be accessed through the HTTPS protocol. The default port number is 443. The
encryption strength includes four levels: high, medium high, medium, and low. After
Telnet / SSH login management is used to set the remote user login mode and the addresses
from which remote users are allowed to log on.
Select Basic > System Management > Administrator > Telnet/SSH login management from
navigation tree to enter the Telnet/SSH login management page, as shown in the following
figure.
After the configuration is completed, you need to click the <Confirm> button at the top right
of the page.
By default, the terminal output function is disabled, and you do not need to use the <Disable
terminal output> button. To view debugging information, the terminal output function is
enabled with the "terminal monitor" command; debugging information is then displayed
continuously, which makes it inconvenient to turn the function off from the command line.
You can turn it off by clicking the <Disable Terminal Output> button on the Web interface.
Interface service restrictions are restrictions on the protocols used by each business interface to
access the Web management system. Protocols include HTTPS, HTTP, Telnet, SSH and Ping
protocols.
Select Basic > System Management >Administrator > Management Protocol from
navigation tree to enter the limited interface service page, as shown in the following figure.
(1) Click the drop-down list of interface names and select an interface;
(3) Click the OK button on the upper right to make the configuration effective.
After the interface service restriction takes effect, the device no longer provides the
corresponding service on that interface, and external hosts cannot access the device through
that method. Each configuration applies to only one interface; you can click the icon to add
multiple configurations.
The software version module provides the function of managing and upgrading the device
software version.
Select Basic > System Management > Version Management > Software Version from
navigation tree to enter the software version page, as shown in the following figure.
In the software version configuration page, you can see the software version information of the
currently running system. The "current status" of the currently running version is displayed as
"next start". The currently running version can only be saved and cannot be deleted.
Click the Upload and next version button. The selected software version will be used when you
reboot the system.
A software version can be uploaded locally or online. If you click the Upload and next version or
Upload restart button, the corresponding operation will be executed after the software upgrade.
Due to storage space limitations, it is recommended that no more than 2 software versions be
stored on the device.
Please back up the configuration before upgrading to avoid data loss.
A hot patch is a patch based on a software version; upgrading a hot patch neither changes the
software version nor restarts the device.
Select Basic > System Management > Version Management > Patch Management from
navigation tree to enter the patch management page, as shown in the following figure.
After the hot patch is imported, the system will automatically upgrade the related function
modules to repair the related defects. When using hot patches, follow the instructions in the hot
patch release notice.
The signature database upgrade module provides automatic and manual upgrade of APP, URL
filtering, AV and IPS signature databases, as well as license file management for each signature
database.
4.2.3.1 APP
Select Basic > System Management > Version Management > Feature library > APP from
navigation tree to enter the APP page, as shown in the following figure.
The APP feature database upgrade page mainly includes the following three functions:
1. Version information
The version information area displays the version information of the APP feature library. The
parameter description is as follows:
Current version: Including the release date, current version number and update time of the
signature database version.
Historical version: including the release date and historical version number of the signature
database version.
Validity period: The validity period of the current signature database version requires the
purchase of a license.
Version rollback: This function is used to roll back the signature database to the historical
version.
Version rollback operation method:
(2) Click the rollback button; a confirmation dialog box will pop up.
(3) Click the OK button; the page displays the upgrade progress bar, as shown in the following
figure.
(4) After the upgrade progress completes, the signature database is returned to the historical
version. You can also click the Cancel Upgrade button to abort the version rollback.
2. Online upgrade settings
(1) Click the "Enable automatic upgrade" checkbox corresponding to the "Automatic upgrade
enable" parameter. "Upgrade mode" changes from non-configurable to configurable.
(2) Select "Automatic download and upgrade" or "Prompt for new version information" in the
"Upgrade method" drop-down box.
Automatic download and upgrade: After configuring the online upgrade, the system will
automatically upgrade the signature database when the upgrade time is reached.
Prompt the new version information: After configuring the online upgrade, when the
upgrade time is reached, the system will prompt that there is a new version of the
signature database, and the user can choose whether to upgrade the signature
database according to needs.
(3) Click the icon corresponding to "Start Time", and configure the start time of the signature
database update in the pop-up calendar box.
(4) Click the Save button, the "Interval Time" changes from non-configurable to configurable.
(5) In the "Interval Time" drop-down box, select the interval time for automatic version upgrade.
The options are 1~30, and the unit is days. For example, if the interval is selected as 3 days,
the signature database will be automatically detected and updated every 3 days from the
start time.
(6) In the "Upgrade Address" text box, you can configure the address of the signature database
to be automatically upgraded. The default is the signature database upgrade address of
DPtech's official website. Keep the default. If you have any questions, please contact
technical service personnel.
(7) After the configuration is complete, click the Save button again.
(8) If you need to upgrade the signature database immediately, you can click the Upgrade Now
button under the condition that the upgrade address is correct, and the upgrade progress
bar shown in Figure 4-11 will pop up for immediate upgrade.
3. Local upgrade
(1) Click the Browse button to select the local APP signature database file.
(2) Click the OK button, and the upgrade progress bar will pop up for the local upgrade, as
shown in Figure 4-12.
4.2.3.2 URL
Select Basic > System Management > Version Management > Feature library > URL from
navigation tree to enter the URL page, as shown in the following figure.
The update method of the URL classification filtering signature database is exactly the same as
the APP signature database. For details, please refer to "APP Signature Database".
4.2.3.3 AV
Select Basic > System Management > Version Management > Feature library > AV from
navigation tree to enter the AV page, as shown in the following figure.
Figure 4-14 AV
The configuration method of the AV feature library is exactly the same as the APP feature library.
For more information, please refer to "APP Feature Library".
4.2.3.4 IPS
Select Basic > System Management > Version Management > Feature library > IPS from
navigation tree to enter the IPS page, as shown in the following figure.
The configuration method of the IPS signature database is exactly the same as the APP
signature database. For details, please refer to "APP Signature Database".
4.2.3.5 License
License file management is used to register license information files and export the registered
license files.
Select Basic > System Management > Version Management > Feature library > License
from navigation tree to enter the License page, as shown in the following figure.
The method of importing and exporting the license file of each feature library is the same. Taking
the APP feature library as an example, the method is as follows:
(1) Click the <Browse> button and select the local license file.
(2) Click the <File Import> button to import the local license file.
(3) For signature databases that have registered licenses, click the corresponding <File
Export> button to save the license file locally.
For how to apply for a license file, please contact technical service personnel.
The configuration file module provides the function of saving the user's current configuration.
With this feature, when multiple devices in the network need the same configuration, users can
export the configuration from one device to a local file and then import it on the other devices,
thus reducing duplicated work. In a hot standby environment, you can synchronize the master
configuration to the backup device with the configuration synchronization function.
Select Basic > System Management > Configuration File > Configuration File from
navigation tree to enter the configuration file page, as shown in the following figure.
When switching the configuration file between different software versions, you can only switch
the configuration file if you are upgrading from the software version corresponding to the
configuration file to the next software version of the device. Otherwise, functional abnormalities
may occur. Please consult technical service personnel about whether the software version is
compatible with the upgrade.
NTP (Network Time Protocol) is a protocol used to synchronize computer time. It allows the
computer to synchronize with a server or reference clock (such as a quartz clock, GPS, etc.) to
provide high-precision time correction, and can use cryptographic authentication to prevent
malicious protocol attacks.
By configuring the clock server to correct the device's time (Client mode), the device can also
provide clock synchronization services (Server mode) for other hosts as a reference clock.
Supports IPv4 and IPv6 clock synchronization.
1. NTP Client mode
When the device is configured as an NTP client, multiple reference clocks can be configured.
Each reference clock can be set to a different priority level. The device uses a statistical
algorithm to filter the time from different servers to select the best source and path to correct the
host time. The NTP service keeps running even if the device cannot contact a clock server for a
long time.
As an NTP client, the device supports the standard NTP protocol and supports both domain
name and IP address. It can be synchronized from different NTP servers in the Internet or
through the clock server in the LAN.
2. NTP Server mode
As an NTP server, the device adopts the international standard NTP protocol, which can provide
clock synchronization service for NTP clients of different types from different vendors in the
network, with good compatibility.
3. NTP authentication
Enabling the NTP function has little effect on the performance of the system. However, when a
large number of NTP clients connect to the NTP server at the same time, the NTP server's
CPU, memory and other resources are consumed, which affects the performance of the NTP
server. Therefore, to prevent malicious attacks such as abnormal connection requests, or to
deliberately control the number of NTP client connections, authentication technology needs to
be used.
The NTP clock synchronization of the device has a professional authentication function. When
authentication is enabled, both parties must hold the matching pre-defined key to communicate
successfully, so that only a valid client can establish an NTP connection with the device.
In addition, the device can also be configured with the network segment of NTP clients that are
allowed to access it. This ensures that only requests from within the specified network range are
accepted, making the NTP connection safer and more reliable.
Select Basic > System Management > Time Management from navigation tree to enter the
time management page, as shown in the following figure.
Select Basic > System Management > Time Management from navigation tree to enter the
NTP time synchronization page, as shown in the following figure.
Local clock acts as reference clock: if checked, the local clock is configured as the reference
clock. The clock level can be configured from 1 to 15 and defaults to 8.
Enable authentication: if checked, configure the key id and key.
NTP server: when the device is a client, you need to configure the following parameters. To
NTP client network segment: configure the network segment that is allowed access.
Mask: configure the mask of the network segment that is allowed access.
Once the configuration is complete, click the Submit button at the top right of the page.
Select Basic > System Management > Time Management from navigation tree to enter the
NTP time synchronization page, as shown in the following figure.
If the device is an NTP server, click "Enable NTP Server (IPv6)". If the device functions as an
NTP client, click "Enable NTP Client (IPv6)", click "please configure" at the same time, and then
configure the IPv6 address of the NTP server.
After you have finished the above configuration, click the Submit button at the top right of the page.
As a certificate authority, the device generates a root certificate, then issues a device
certificate for itself and user certificates for clients.
The device requests a certificate from the CA server.
Select Basic > System Management > Digital Certificate > Certificate Request from
navigation tree to enter the certificate request configuration page, as shown in the following
figure.
The device information configuration function is the basic information that the device needs to
provide when applying for a certificate, including common name, IP address, country, province,
city, organization, department, certificate validity period, certificate type and encryption mode.
The CA server configuration function is the CA server information that needs to be configured
when the device requests the certificate online. The parameters are as follows:
certificate according to the configured root certificate authentication algorithm and root
certificate fingerprint. If the fingerprint verification fails, the certificate application fails. If this
option is not checked, the CA root certificate is not verified and is accepted directly.
Root certificate authentication algorithm: the root certificate authentication algorithm,
with "MD5" and "SHA1" options.
Root certificate fingerprint: the result of hashing the certificate with the configured
authentication algorithm, composed of the characters 0-9 and A-F. When "MD5" is
selected the string length is 32; when "SHA1" is selected the string length is 40.
The CRL server configuration function lets the device obtain CRL information online. The CRL
URL can be obtained automatically from the certificate, or you can manually configure the CRL
URL address from which to obtain it.
Select Basic > System Management > Digital Certificate > Certificate Management from
navigation tree to enter the certificate application and management page, as shown in the
following figure.
1. Key management
Key management functions include automatic generation of keys, import and export of key files,
and display of key information.
Click the Auto-generate keys button. The device automatically generates a key pair according
to the device information configured in the "Certificate Request Information Configuration"
module. Click the Show Key Info button to view the key information.
The key length is the length selected in the "Encryption Mode" column of the certificate
configuration page. Therefore, please configure identity information first and then generate
the key.
After the key pair (public key and private key) is generated, the public key information will be
used for the registration of the certificate and the private key will be saved to the device.
Public and private keys must be paired.
Rebuilding the key will overwrite the original key pair, and the original certificate will be
deleted. Therefore, use this feature with care.
2. Certificate request
The certificate request function is used when the device requests a CA certificate from the CA
server, including offline application and online application:
Offline application certificate: Click the Generate Offline Request Information button to
generate the certificate request information according to the device information configured
in the "Certificate Request Information Configuration" module. Send this information to the
security administrator for a digital certificate application on the CA server.
Online application for a certificate: click the Submit online application information button;
the page shows the generated application information. If the application is successful, the
page prompts "certificate application is successful". When the CA server is set up for
automatic issuance, the two certificates are displayed directly in the Certificate Management
list, where "rootcert.cer" is the obtained CA root certificate and "usercert.cer" is the local
certificate of the application.
If the CA server receives the application and holds it pending, and "Certificate Request
Method" is set to "Manual Online Get", the page prompts "Successfully Submit Request
Information". In this case, the device does not automatically query the CA server. To
check the status of the submitted application, click Get Online Certificate in Certificate
Management. After the CA server receives the query, it returns the status of the
submitted application, which is one of "certificate application success", "certificate
application is suspended" and "certificate application is rejected".
If the CA server receives the application and holds it pending, and "Certificate Request
Method" is set to "SCEP Auto Acquire", the page prompts "Successfully Submit the
Certificate Request Information to enter the Polling". In this case, the device periodically
asks the CA server whether the application has succeeded, based on the configured
"certificate inquiry times" and "certificate query interval". A successfully issued certificate
is saved by the device.
Click the Show Certificate Request button to view the certificate request information.
3. Certificate management
Certificate management functions include offline import of certificates, online access to
certificates, and export of certificate files.
To import a certificate offline: click the Import Certificate Offline button to bring up the pfx
password and path configuration window. Click the Submit button when the configuration is
complete. If the imported certificate conforms to a supported encoding format (currently
PEM and DER) and is signed and valid, it overwrites the original certificate in the device
and its information is displayed in the certificate list. If the import fails, the reason for the
failure is prompted.
Obtain the certificate online: click the Get Certificate Online button. If the certificate is
obtained successfully, the certificate management list displays the newly obtained
certificate information. If it fails, the system prompts the reason for the failure.
Export the certificate file: click the Export Certificate File button to export the certificate file
to the local computer.
The operations of the certificate management list are shown in the following:
View: click the icon to view the certificate details in the new page that opens.
Delete: click the icon, then click the Submit button at the top right of the page to delete
the certificate.
When you import a certificate, pay attention to the order of certificate import. Only after you
import the CA certificate can you import the Local certificate.
When importing a Local certificate, make sure that the existing private key in the device
matches the public key of the Local certificate. When you restore the certificate
configuration, you need to import the key file before importing the corresponding Local
certificate.
Before importing, confirm that the system time of the device is correct. If the time is
wrong, certificate authentication errors will result.
The online certificate acquisition function is for CA servers that support obtaining certificates
online and have the automatic certificate issuance function turned off.
4. CRL management
The CRL management functions include offline import CRL, start / stop CRL queries, and export
CRL files.
Offline import CRL: click the Offline Import CRL button; the path selection window pops
up. Select the local CRL file path and click the Submit button. If the imported CRL file
conforms to a supported encoding format (currently PEM and DER), the import succeeds
and overwrites the original CRL file, and the CRL list shows the imported CRL information.
If the import fails, the reason for the failure is prompted.
Start / stop CRL query: click the Start CRL Query button to synchronize the CRL
information of the CA server to the device. If the query fails, the reason for the failure is
indicated. Click the Stop CRL Query button to stop CRL synchronization; the device
retains the previously updated CRL information.
Export CRL file: click the Export CRL File button to export the CRL file to the local computer.
The operating function of the CRL management list is described as follows:
View: click the icon to view the CRL details in the new page that opens.
Delete: click the icon, then click the Submit button at the top right of the page to delete
the CRL.
Select Basic > System Management > Digital Certificate > Certificate authority from
navigation tree to enter the certificate authority page. The certificate authority features include
Certificate Authority (CA) information, User Certificate Request Information, Certificate Authority
(CA) management, and User Certificate Management. The following are introduced separately
as shown in the following figure.
1. Certificate Authority (CA) information
Click "Certificate Authority (CA)" to expand the configuration parameters, as shown in the
following figure.
Certificate Authority (CA) information is the basic information that the device needs to provide as
a certificate authority, including common name, E-mail, country, province, city, organization /
company, department, certificate type, and encryption method.
2. User request information
Click "User Request Information" to expand the configuration parameters, as shown in the
following figure.
User certificate application information is the basic information that users need to provide to the
device when applying for a certificate, including common name, E-mail, country, province, city,
organization / company, department, RSA key length, certificate (*.pfx) password and the validity
period of the user certificate. The certificate (*.pfx) password is the password for the certificate
file; if the certificate is to be installed, you need to configure this password.
Build / update CA: click the Build / Update CA button to display the prompt message
("Configure the CA information before updating or generating the CA. If the current CA status
is "CA Exist", the current CA will be destroyed and all certificates issued to users become
invalid. Updating the CA also requires updating the device certificate. Are you sure you want
to create / update the CA?"), then click Submit to create / update the CA certificate.
Delete CA: click the Delete CA button to display the prompt message ("If the current CA
status is "CA Exist", the current CA will be destroyed. Deleting the CA invalidates all
certificates issued by the CA to users, and the device certificate must be updated. Are you
sure you want to delete this CA?"), then click Submit to delete the CA certificate.
Update device cert: click the Update Device Cert button to display the prompt message
("Configure the device certificate information before updating or generating the device
certificate. Updating the device certificate deletes the original certificate and private key! The
SSL VPN process must be restarted after the device certificate is updated. Are you sure you
want to update the device certificate?"), then click Submit to update the device certificate.
Build user cert: click the Build User Cert button to display the prompt message ("Configure
the user request information before generating a user certificate. Are you sure you want to
issue this user certificate?"), then click Submit to generate the user certificate. The newly
generated user certificate is displayed in the list of issued user certificates.
Download the USB-KEY plugin: download the USB-KEY control so that the user certificate
can be imported into a USB-KEY and the user authenticated through the USB-KEY certificate.
4. User certificate management
Click "Certificate Management" to expand the list of certificates, as shown in the following figure.
The operational function of the list of issued user certificates is described as follows:
View: click the icon to view the certificate details in the new page that opens.
Save: click the icon to save the certificate to the local computer.
Download: click the icon to download the user certificate to the USB-KEY.
Revoke certificate: click the icon to revoke the certificate. The revoked user certificate is
displayed in the list of revoked user certificates.
Delete: click the icon to delete the user certificate. The certificate issued to the user will
still be available.
The operational functions of the list of revoked user certificates are described as follows:
Click the icon to cancel the revocation of a user certificate. The certificate is displayed again
in the list of issued user certificates.
Click the icon to delete a revoked user certificate. This certificate is permanently disabled.
4.7.1 Forwarding
Select Basic > System Management > Forwarding Configuration > Forwarding from the
navigation tree to enter the forwarding page, as shown in the following figure.
The parameters of the forwarding basic configuration page are as follows:
Select Basic > System Management > Forwarding Configuration > Forwarding Mode from the
navigation tree to enter the forwarding mode page, as shown in the following figure.
After forwarding acceleration is enabled, the device uses a high-speed cache to forward
packets based on data-flow technology.
If the option to accelerate the same packet multiple times is enabled, the device also
accelerates the forwarding of a packet that passes through the device more than once.
After normal forwarding is enabled, the device looks up the matching route in the routing table
according to the destination address of the packet to determine the optimal forwarding path,
encapsulates the packet according to the protocol used on the data link layer, and finally
forwards the packet.
Equal-cost routing (ECMP, Equal Cost Multi-path) means that when several different routes
with the same cost exist to the same destination IP address or destination network segment,
IP packets are sent in turn over these links. Equal-cost routing improves link utilization and
provides network load balancing and route redundancy.
Select Basic > System Management > Forwarding Configuration > Equal-cost Route Load
Balancing from the navigation tree to enter the equal-cost route load balancing page, as shown
in the following figure.
The device supports the flow-by-flow method to achieve load sharing of equal-cost routes. It
Select Basic > System Management > Session Log Configuration from the navigation tree to
enter the session log configuration page, as shown in the following figure.
After checking Enable Session Log, configure the following parameters:
Log type: the type of log, NAT session log or normal log; both can be selected at the same
time.
Log format: flow log format or Syslog format. There are 6 flow log formats and 7 Syslog
formats. The Syslog log type is suitable for a Syslog server; the flow log type (message
encryption) is suitable for the UMC server.
Log sample: click "Details" to open the "Session log format description" page, which gives
detailed instructions for each log format.
Log sending timing: when logs are sent; choose session end, new session, or send all.
Log server sharing mode: load sharing, replication sending, or designated source network
segment sending. Load sharing means that the device distributes logs by polling the
configured log server list in turn; replication sending means that each log is sent intact to
every configured log server; designated source network segment sending means that logs of
packets from a specified source network segment are sent to the specified log server.
Log source IP address: the source IP address used for sending session logs.
Log source port: the source port used for sending session logs.
Log server port: the port number of the log server.
Log server list: the IP addresses of the servers receiving the logs. Click the configuration item
to configure log servers; multiple log servers can be configured at the same time. When the
log server sharing mode is "designated source network segment sending", the session
source network segment must also be configured here.
The configuration parameters of the port block allocation log part are similar to the configuration
parameters of the session log part, and will not be repeated here.
After the configuration is completed, you need to click the <OK> button at the top right of the
page to make the configuration effective.
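The three log server sharing modes above, as an added illustration that is not DPtech code: a small dispatcher that decides which configured log server(s) receive a session log under each mode. The LogServer field names and the longest-prefix-match rule for overlapping source segments are assumptions.

```python
"""Session log server sharing modes: load sharing (polling), replication
sending and designated source network segment sending.

Added illustration, not DPtech code. LogServer fields, mode names and the
longest-prefix-match rule are assumptions.
"""
import ipaddress
import itertools
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class LogServer:
    address: str
    # Source network segment handled by this server; only meaningful in the
    # "source_segment" mode (constructed field name).
    source_segment: Optional[str] = None


class SessionLogDispatcher:
    MODES = ("load_sharing", "replication", "source_segment")

    def __init__(self, mode: str, servers: List[LogServer]):
        if mode not in self.MODES:
            raise ValueError(f"unknown log server sharing mode {mode!r}")
        if not servers:
            raise ValueError("at least one log server must be configured")
        self.mode = mode
        self.servers = list(servers)
        # Round-robin cursor over the configured list (load sharing = polling)
        self._cycle = itertools.cycle(self.servers)
        self._segments = []
        if mode == "source_segment":
            for srv in self.servers:
                if srv.source_segment is None:
                    raise ValueError(
                        f"log server {srv.address} needs a source segment")
                net = ipaddress.ip_network(srv.source_segment, strict=False)
                self._segments.append((net, srv))

    def targets(self, session_source_ip: str) -> List[str]:
        """Addresses that receive the log of a session from session_source_ip."""
        if self.mode == "replication":
            # Every configured server gets an intact copy of the log
            return [srv.address for srv in self.servers]
        if self.mode == "load_sharing":
            # Each log goes to the next server in the list, in turn
            return [next(self._cycle).address]
        ip = ipaddress.ip_address(session_source_ip)
        best = None
        for net, srv in self._segments:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, srv)
        # Assumption: a session whose source segment no server is designated
        # for produces no log export at all.
        return [best[1].address] if best else []


if __name__ == "__main__":
    # Constructed sample configuration
    servers = [LogServer("10.0.0.11", "192.168.1.0/24"),
               LogServer("10.0.0.12", "192.168.2.0/24")]
    d = SessionLogDispatcher("source_segment", servers)
    print(d.targets("192.168.2.77"))  # ['10.0.0.12']
```

The empty result for an unmatched source segment is the case to watch in the "designated source network segment" mode: sessions outside every configured segment leave no log on any server.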
Select Basic > System Management > Session Parameter from the navigation tree to enter the
session parameter page, as shown in the following figure.
TCP session parameter settings: set the aging time of the ESTABLISHED, SYN_SENT,
SYN_RECV, FIN_WAIT, TIME_WAIT, CLOSE, CLOSE_WAIT, and LAST_ACK states of the
TCP session.
UDP session parameter settings: set the aging time of the NEW and ESTABLISHED states of
the UDP session.
GRE session parameter settings: set the aging time of the NEW and ESTABLISHED states
of the GRE session.
PPTP GRE session parameter settings: set the aging time of the NEW and ESTABLISHED
states of the PPTP GRE session.
ESP session parameter setting: Set the aging time of the NEW state of the ESP session.
Other session parameter settings:
DNS: Set the aging time of the NEW state of the DNS session.
ICMP: Set the aging time of the NEW state of the ICMP session.
ICMPv6: Set the aging time of the NEW state of ICMPv6 sessions.
General protocol: Set the aging time of the NEW state of the general protocol session.
User-defined protocol settings: Set the transport layer protocol, port and aging time of the
user-defined protocol.
Select Basic > System Management > Session Detection from the navigation tree to enter the
session detection page, as shown in the following figure.
Select Basic > System Management > Session Forwarding from the navigation tree to enter the
session forwarding page, as shown in the following figure.
The parameters of the warning threshold configuration page are as follows:
4.10 SNMP
As networks grow, more and more applications and devices are used in the network, and
enterprises must face the problem of how to manage these network devices. SNMP (Simple
Network Management Protocol) solves this problem. The device supports standard SNMP and
abundant MIB resources, which allow users to monitor, manage, and control all kinds of
resources on the device through network management tools.
SNMP uses a special form of the client / server model: the agent / management station model.
The network is managed and maintained through the interaction between the management
station and the SNMP agent. Each SNMP agent is responsible for answering the various
queries about MIB information sent by the SNMP management station.
The data required for network management is the device configuration, parameters, status and
other information, and the operations performed on it are read and set. Because of the large
number of network devices, SNMP is needed so that this information can be obtained in a
timely manner and so that devices can report information on their own initiative.
SNMP achieves its monitoring and management purpose through a series of Get, Set and
Trap operations on the managed devices.
Set-Request
The SNMP management station uses Set-Request to remotely configure the network device
(including device name, device attribute, delete device, or make a device attribute valid / invalid).
Trap
The SNMP agent uses Trap to send unsolicited messages to the SNMP management station,
which is typically used to describe the occurrence of an event. By configuring the Trap function,
the device can send configuration change information to the network management tool in real
time without waiting for the network management tool to poll the query. By configuring the SNMP
Trap function, the device can report the error situation to the network management tool at any
time, for example, when the CPU utilization exceeds the set threshold.
The SNMP management process mainly involves two roles: NMS and Agent.
NMS
Also known as the management station or network management system, the NMS is the
system console; it provides the interface through which the administrator obtains the device
configuration, parameters, status and other information. The management station
communicates with the agent, performs the corresponding Set and Get operations, and
receives the alarm packets sent by the agent.
Agent
The network management agent relays SNMP operations between the management station
and the device. It communicates with the management station and responds to its requests,
for example by obtaining the corresponding data from the device or by setting the device
accordingly. According to the status of the device, the agent can also send alarm packets to
the management station using the Traps defined in the MIB.
The MIB (Management Information Base) is the standard for network management data. It
defines the data items that the managed device must maintain, their data types, and the
operations allowed on each item. By accessing these data items, all the statistical information
of the device can be obtained, and statistical analysis of this information provides the basis for
comprehensive network management.
The MIB specifies the variables maintained by the network element (that is, information that can
be queried and set by the management process), and gives the data structure of the collection
of all possible managed objects in a network.
Select Basic > System Management > SNMP Configuration > SNMP Configuration from the
navigation tree to enter the SNMP configuration page. Configurable items include SNMP
version configuration, SNMP trap configuration, device information configuration, and IP address
list configuration.
SNMPv1 and SNMPv2c use the same community string parameters: when both versions are
selected at the same time, modifying the community string of one changes the corresponding
community string of the other.
Device location: the physical location of the device, for example, Beijing.
Contact information: contact information for the device, for example, admin@mail.com.
After all configuration is complete, click the Submit button at the top right of the page to
make the configuration take effect.
4.10.3 SNMPv3
Select Basic > System Management > SNMP Configuration > SNMPv3 from the navigation
tree to enter the SNMPv3 configuration page, as shown in the following figure.
Select Basic > System Management > SNMP Configuration > SNMP Host from the navigation
tree to enter the SNMP host page, as shown in the following figure.
Add the address information of the management stations. Only the addresses specified in the
IP address list can access the MIB of the device. After all configuration is complete, click the
<OK> button at the top right of the page to make the configuration take effect.
RMON (Remote Network Monitoring) is a standard monitoring specification, based on the SNMP
architecture, for exchanging network monitoring data between network monitors (or probes)
and console systems. Users can use this monitoring data to diagnose network faults, plan the
network, and adjust performance.
The RMON configuration module provides three functions: alarm entries, history entries, and
logs. Through the configured interfaces and sampling parameters, it obtains network traffic data
and monitors network operation.
4.10.5.1 Alarm
The alarm function means that the device monitors the value of a specified MIB variable; when
the value reaches the alarm threshold, the managed device automatically records a log and
sends a Trap message to the management device.
Select Basic > System Management > RMON Configuration > Alarm to enter the alarm entry
configuration page, as shown in the following figure.
The configuration list parameters of the sampling information window are described as follows:
4.10.5.2 Statistics
Select Basic > System Management > RMON Configuration > Statistics to enter the statistics
entry page, as shown in the following figure.
Number of conflicting packets: displays the number of conflicting packets in the current
network traffic.
Inter-partition statistics of received packets (length): displays statistics of received packets
per length partition.
The results of the configuration in the alarm table are displayed in the statistics table. The
details of "Inter-partition statistics of received packets (length)" are viewed by clicking "click to
view" under that list item.
4.10.5.3 History
Select Basic > System Management > RMON Configuration > History to enter the history
entry page, as shown in the following figure.
The parameters of the history entry configuration list are described as follows:
4.10.5.4 History_stat
Select Basic > System Management > RMON Configuration > History_stat to enter the
history_stat page, as shown in the following figure.
Interface name: Display the interface name of the history statistics entry.
Sampling ID: Display the serial numbers of the most recent samples, the number of which
depends on the buckets value.
Event packet loss count: display the number of packet loss events sampled in history.
Byte count: Display the byte count of historical sampling.
Number of packets: Display the number of transmitted data packets sampled in history.
Number of broadcast packets: Display the number of broadcast packets sampled in history.
Number of check-error packets: displays the number of packets with check errors sampled in
history.
Number of small packets: displays the number of small packets sampled in history.
Number of large packets: displays the number of large packets sampled in history.
Number of undersized packets with check errors: displays the number of packets sampled in
history that are too small and have check errors.
Number of oversized packets with check errors: displays the number of packets sampled in
history that are too large and have check errors.
Number of conflict packets: Display the number of conflict packets sampled in history.
Bandwidth utilization: display the bandwidth utilization of historical sampling.
The user can view the RMON logs and delete them.
Select Basic > System Management > RMON Configuration > RMON Log to enter the RMON
log page, as shown in the following figure.
5 Object Management
5.1 Security zone
The device implements its default security mechanism through security zones; a security zone
implements access control based on interfaces. By default, the device has three security
zones: Trust (for intranet PCs, intranet devices, and intranet servers), Untrust (the public
network environment), and DMZ (for servers mapped to the public network). The priority of
these three security zones cannot be changed; users can also define custom security zones
with their own priorities. If no security policy is configured, a higher-priority security zone can
access a lower-priority security zone, but a lower-priority security zone cannot access a
higher-priority security zone, and two security zones of the same priority cannot communicate
with each other.
Select Basic > Object Management > Security Zone from the navigation tree to enter the
security zone page, as shown in the following figure.
High-priority to low-priority pass: the default inter-zone action of the device.
All pass: all security zones can access each other, regardless of zone priority.
All drop: no inter-zone access is allowed.
Intra-zone action: choose whether to drop packets within a security zone. If drop is selected,
the interfaces in a security zone cannot access each other; if drop is not selected, the
interfaces in a security zone can access each other.
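The default zone behaviour described above, as an added example that is not DPtech code: a small simulator of the decision taken when no security policy matches, plus an audit of the two settings a reviewer would question. The numeric priorities and the action names are constructed (the manual only states that the three built-in zones have fixed priorities).

```python
"""Default inter-zone and intra-zone behaviour of the security zones.

Added example, not DPtech code. Priorities and action names are
constructed; the manual states only that Trust, DMZ and Untrust have fixed
priorities that cannot be changed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

BUILTIN_ZONES = ("Trust", "DMZ", "Untrust")
# Constructed priorities: a higher value means a higher priority.
DEFAULT_PRIORITY = {"Trust": 85, "DMZ": 50, "Untrust": 5}


@dataclass
class ZoneDefaults:
    # "high_to_low" (device default), "all_pass" or "all_drop"
    inter_zone_action: str = "high_to_low"
    # Intra-zone action: True drops traffic between interfaces of one zone
    intra_zone_drop: bool = False
    priority: Dict[str, int] = field(
        default_factory=lambda: dict(DEFAULT_PRIORITY))

    def add_zone(self, name: str, prio: int) -> None:
        """Custom zones may be added; built-in priorities are fixed."""
        if name in BUILTIN_ZONES:
            raise ValueError(f"priority of built-in zone {name} is fixed")
        self.priority[name] = prio

    def default_allows(self, src_zone: str, dst_zone: str) -> bool:
        """Decision when no security policy matches a src -> dst flow."""
        for zone in (src_zone, dst_zone):
            if zone not in self.priority:
                raise KeyError(f"unknown security zone {zone}")
        if src_zone == dst_zone:
            return not self.intra_zone_drop
        if self.inter_zone_action == "all_pass":
            return True
        if self.inter_zone_action == "all_drop":
            return False
        if self.inter_zone_action != "high_to_low":
            raise ValueError(f"unknown action {self.inter_zone_action!r}")
        # Strictly greater: zones of equal priority cannot communicate
        return self.priority[src_zone] > self.priority[dst_zone]

    def audit(self) -> List[str]:
        """Findings a reviewer would raise about the default behaviour."""
        findings = []
        if self.inter_zone_action == "all_pass":
            findings.append("all_pass lets Untrust reach Trust and DMZ "
                            "without any security policy")
        seen: Dict[int, str] = {}
        for name in sorted(self.priority):
            prio = self.priority[name]
            if prio in seen:
                findings.append(f"{seen[prio]} and {name} share priority "
                                f"{prio}: no default traffic between them")
            else:
                seen[prio] = name
        return findings


if __name__ == "__main__":
    z = ZoneDefaults()
    z.add_zone("Guest", 50)          # constructed custom zone
    print(z.default_allows("Trust", "Untrust"))   # True
    print(z.default_allows("Untrust", "Trust"))   # False
    print(z.audit())
```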
5.2 IP address
The IP address module consists of IP address object configuration and IP address object group
configuration. Both can be referenced by the packet filtering policy and the NAT policy.
5.2.1 IP address
Select Basic > Object Management > IP Address > IP Address from the navigation tree to enter
the IP address page, as shown in the following figure.
In addition to the add, modify, and delete functions, the IP address object also provides a query
function, by name or by IP address. Querying by name supports fuzzy matching and is not case
sensitive: for example, entering the letter a matches all address objects whose name contains
a or A.
The synchronization feature synchronizes the configuration of the IP address object to other
security policies. These security policies include packet filtering policy, NAT, session limit, stream
definition, policy routing, and DNS transparent proxy policy.
The parameters of the IP address object list are as follows:
Reference count: the number of references to the address object from other modules, together
with the module names. Only references from the packet filtering module and from address
object groups are displayed; when other modules reference the address object, their
configuration information is not shown.
An IP address\wildcard can be configured directly in the IP address object. Currently, only IPv4
packet filtering and source NAT support address segments in the IP address\wildcard format.
Select Basic > Object Management > IP Address > IP Address Group from the navigation tree
to enter the IP address object group configuration page, as shown in the following figure.
An IP address group is a collection of IP address objects. Its function and configuration method
are basically the same as those of the IP address object. Note that there are two ways to
configure the address object parameter:
If an IP address object is already configured, select the configured IP address object directly.
If no IP address object is configured, configure a new IP address object in the pop-up
configuration window.
Select Basic > Object Management > IPv6 Address from navigation tree to enter the IPv6
IPv6 address objects have the functions of creating, deleting, modifying, copying, importing,
exporting, and clearing, and they do not support query.
The configuration parameters in the IPv6 address object list are described as follows:
Select Basic > Object Management > MAC Address > MAC Address from the navigation tree to
enter the MAC address configuration page, as shown in the following figure.
When configuring a MAC object, note that the MAC address must be entered in the format
HH:HH:HH:HH:HH:HH.
MAC objects support the add, modify, delete, import, export, clear, and query functions. The
query function supports fuzzy matching and is not case sensitive: for example, entering the
letter a matches all MAC objects whose name contains a or A.
Select Basic > Object Management > MAC Address > MAC Address Group from the navigation
tree to enter the MAC address group configuration page, as shown in the following figure.
A MAC group is a collection of MAC objects; its function and configuration method are basically
the same as those of MAC objects. Note that there are two ways to configure the MAC object
parameter:
If a MAC object is already configured, select the configured MAC object directly.
If no MAC object is configured, create a new MAC object in the pop-up configuration window.
5.5 User
5.5.1 User
Select Basic > Object Management > User > User Import from the navigation tree to enter the
user import configuration page, as shown in the following figure.
Click the Browse button, select a local CSV file, and click the Add Import button to import the
users from the CSV file.
The domain name module queries the IP address corresponding to a domain name. Enter the
domain name to be queried and click the Submit button in the upper right corner of the page;
the IP address corresponding to the domain name is displayed in the list.
The query can only succeed if the DNS server holds a record mapping the domain name to its
IP address.
5.7 Service
The service module includes 3 sub-modules: predefined service, custom service and service
group. The system predefines 28 service objects, the user can customize the service object, or
add predefined and custom service objects to the created service group.
Select Basic > Object Management > Service > Predefined Service from the navigation tree to
enter the predefined service page, as shown in the following figure.
The system defines 28 service objects. In the predefined service page, you can view the protocol
type, message type, message code, source port, and destination port.
Select Basic > Object Management > Service > Custom Service from the navigation tree to
enter the custom service page, as shown in the following figure.
In addition to the add, modify, and delete functions, the custom service also provides a query
function, by name or by IP address. Querying by name supports fuzzy matching and is not case
sensitive: for example, entering the letter a matches all service objects whose name contains a
or A.
The synchronization feature synchronizes the configuration of the custom service to other
security policies, namely the packet filtering policy, NAT, session limit, and stream definition.
Select Basic > Object Management > Service > Service Group from the navigation tree to enter
the service group page, as shown in the following figure.
The service group configuration method is basically the same as that of the predefined service.
The parameters of the service group are as follows:
5.8 Time
Select Basic > Object Management > Time from the navigation tree to enter the time page, as
shown in the following figure.
The time object is used to configure different time ranges, which can be referenced by different
policies. There are three kinds of time range configuration:
Relative time: a periodic effective time, that is, a fixed time on certain days of the week.
Absolute time: a specific effective time, that is, the exact time range you configure.
Combination time: a combination of several specific time periods.
6 Interface Management
6.1 Networking configuration
All the physical interfaces of the device are configured in the networking configuration module,
including the working mode of the interface and the corresponding interface type, interface
description, IP configuration, VLAN configuration, open / close interface, and valid IP / MAC
address information.
Select Basic > Interface Management > Networking Configuration from the navigation tree to
enter the networking configuration page, as shown in the following figure.
The working mode of a device interface can be configured as Layer 2 or Layer 3. Layer 2
forwarding, Layer 3 forwarding, and mixed Layer 2 / Layer 3 forwarding are supported. If the
destination MAC address of a packet received by the device matches the MAC address of a
VLAN interface or of a Layer 3 physical interface, the packet is forwarded at Layer 3 through
that VLAN interface or physical interface. If the destination MAC address matches neither a
VLAN interface nor a physical port, the packet is relayed at Layer 2 through the Layer 2
interface.
The physical interface of the device has two modes, Access and Trunk.
Packets received by an Access port are sent to the corresponding VLAN. Packets sent by an
Access port have the VLAN tag removed at the outgoing port.
Trunk links can be used to transmit data of multiple VLAN tags on the same link.
The Layer 2 interface needs to be configured with VLANs and default VLANs. If not configured,
the system is automatically configured as "vlan: 1 default vlan: 1".
The physical interfaces of the device are divided into management interfaces and service ports.
The management port is used only to manage the device and cannot forward service data,
which avoids the situation where the device can no longer be managed. Service ports are of two
types, LAN and WAN; their roles are basically the same, the LAN port being generally used
inside the LAN and the WAN port at the LAN exit.
A Layer 3 interface requires IP settings; the IP address can be obtained in the following four
ways:
Static IP: manually configure IP addresses and masks; IPv4 and IPv6 addresses are
supported. The add and delete operations are only valid for IPv4 addresses and IPv6
addresses.
PPPoE: obtain an IP address through user name and password authentication.
DHCP: obtain an IPv4 address from a DHCP server in the local area network.
DHCPv6: obtain an IPv6 address from a DHCPv6 server.
After finishing the above configuration, click the Submit button at the top right of the page for
the configuration to take effect.
The service interface is a Layer 3 physical interface with interface type LAN or WAN. The
device provides rate, duplex, MTU, TCP_MSS and other settings, which control the rate of the
service interface. The device also raises an alarm when the interface rate exceeds the threshold
and monitors interface abnormalities in real time.
Select Basic > Interface Management > Ethernet Port > Ethernet Port from the navigation tree
to enter the Ethernet port page, as shown in the following figure.
Enable/disable: enable or disable the interface. A disabled interface does not forward traffic.
Rate setting: the interface supports 100M and 1000M rates, or auto-negotiation, in which case
the system selects the interface rate automatically according to the actual traffic.
Duplex setting: full-duplex, half-duplex, or auto-negotiation; full-duplex or auto-negotiation is
recommended. An interface may receive packets while it is sending packets, and the
half-duplex state may reduce the rate at which packets are processed.
MTU: configure the MTU of the interface to prevent packet loss or large packets from
blocking the link.
TCP_MSS: configure TCP_MSS to prevent packet loss when establishing a TCP
connection.
Zero clearing: click the icon to clear all traffic information for that interface.
Select Basic > Interface Management > Business Interface > Interface Rate beyond
Warning from the navigation tree to enter the Ethernet port traffic statistics page, as shown in
the following figure.
Select the physical interface in the port name to configure the maximum sending rate and the
maximum received packet rate. When the interface rate exceeds the maximum value, the device
will generate the system log with the interface rate exceeding the limit. The administrator can
find the abnormal interface according to the prompt of the log information.
6.3.1 Introduction
The aggregation types of the device are static aggregation (LACP not enabled) and dynamic
aggregation (LACP enabled). The "dynamic aggregation with fast cycle" option in the global
configuration is unchecked by default; when unchecked, LACP packets are sent every 30
seconds, and when checked, every 1 second. Make sure the LACP settings on both devices
are consistent.
Static aggregation is configured manually by the user; the system does not automatically add
or remove ports from the aggregation group. An aggregation group must contain at least one
port, and when a group has only one port, that port can be removed only by deleting the
aggregation group. LACP is enabled on static aggregation ports. When a static aggregation
group is deleted, its member ports form one or more dynamic LACP aggregations and keep
LACP enabled. To shut down static aggregation ports, disable the LACP protocol.
The device supports seven aggregation port demultiplexing algorithms, and different outbound
The HASH-to-Port Aggregation Algorithm in the global configuration is that the outgoing port
algorithm is TCP / UDP packets with source IP, destination IP, or source IP + destination IP, and
the TCP / UDP port number is also included in the HASH value In the calculation. Example:
The outgoing port algorithm is the source IP + destination IP and is not enabled to be mixed
into the port HASH-to-port aggregation algorithm. All TCP packets from 1.1.1.1 to 2.2.2.2
are out of the fixed interface.
The outgoing port algorithm is source IP + destination IP, but it is enabled to mix the port
HASH-to-port aggregation algorithm. All TCP packets from 1.1.1.1 to 2.2.2.2 may be out of
different interfaces if the port numbers are different.
Two factors determine the selected interface: the HASH value and the number of member
ports of the aggregation port. The outbound port algorithm configuration determines how the
HASH value is obtained.
Source MAC: the HASH value is calculated from the source MAC address of the packet.
Destination MAC: the HASH value is calculated from the destination MAC address of the
packet, and the outgoing interface is selected accordingly.
Source MAC and destination MAC: the HASH value is calculated from the source MAC
address and destination MAC address of the packet.
Destination IP: the HASH value is calculated from the destination IP address of the packet,
and the outgoing interface is selected accordingly.
Source IP: the HASH value is calculated from the source IP address of the packet, and the
outgoing interface is selected accordingly.
Source IP + Destination IP: the HASH value is calculated from the source IP address and
destination IP address of the packet, and the outgoing interface is selected accordingly.
Port-based: a composite algorithm that calculates the HASH value in different ways
depending on the packet type. For ordinary IP packets the HASH value is derived from the
source IP and destination IP; for other packet types it is derived from the source MAC and
destination MAC. If the packet carries a VLAN tag, the VLAN is also included in the
calculation of the HASH value.
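The member selection described above (HASH value modulo the number of member ports, with the global HASH-to-Port option adding the TCP / UDP ports only for the three IP-based algorithms) is illustrated by the following added example. It is not DPtech code: the packet model, the interface names, and the use of CRC32 in place of the device's unpublished hash function are all assumptions of the example; the flow it uses, TCP from 1.1.1.1 to 2.2.2.2, is the one from the manual's own example.

```python
import struct
import zlib
from dataclasses import dataclass
from typing import Optional

# Constructed packet model used only by this example (not a DPtech data structure).
@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: Optional[str] = None    # None for non-IP frames
    dst_ip: Optional[str] = None
    proto: Optional[str] = None     # "tcp", "udp" or None
    src_port: int = 0
    dst_port: int = 0
    vlan: Optional[int] = None      # 802.1Q VLAN ID if the frame is tagged

def _ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))

def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def hash_input(pkt: Packet, algorithm: str, mix_ports: bool) -> bytes:
    """Byte string fed to the hash for one packet, per outgoing-port algorithm.
    algorithm: src_mac, dst_mac, src_dst_mac, src_ip, dst_ip, src_dst_ip, port_based."""
    if algorithm == "src_mac":
        return _mac_bytes(pkt.src_mac)
    if algorithm == "dst_mac":
        return _mac_bytes(pkt.dst_mac)
    if algorithm == "src_dst_mac":
        return _mac_bytes(pkt.src_mac) + _mac_bytes(pkt.dst_mac)
    if algorithm in ("src_ip", "dst_ip", "src_dst_ip"):
        if pkt.src_ip is None or pkt.dst_ip is None:
            raise ValueError("IP-based algorithm applied to a non-IP frame")
        key = b""
        if algorithm in ("src_ip", "src_dst_ip"):
            key += _ip_bytes(pkt.src_ip)
        if algorithm in ("dst_ip", "src_dst_ip"):
            key += _ip_bytes(pkt.dst_ip)
        # Global "HASH-to-Port" option: only these three algorithms mix in the
        # TCP / UDP port numbers, and only for TCP / UDP packets.
        if mix_ports and pkt.proto in ("tcp", "udp"):
            key += struct.pack("!HH", pkt.src_port, pkt.dst_port)
        return key
    if algorithm == "port_based":
        # Composite algorithm: IP packets hash on src IP + dst IP, anything else on
        # src MAC + dst MAC, with the VLAN ID added when the frame is tagged.
        if pkt.src_ip is not None and pkt.dst_ip is not None:
            return _ip_bytes(pkt.src_ip) + _ip_bytes(pkt.dst_ip)
        key = _mac_bytes(pkt.src_mac) + _mac_bytes(pkt.dst_mac)
        if pkt.vlan is not None:
            key += struct.pack("!H", pkt.vlan)
        return key
    raise ValueError(f"unknown outgoing-port algorithm {algorithm!r}")

def select_member(pkt: Packet, algorithm: str, mix_ports: bool, members: list) -> str:
    """Outgoing member = HASH value modulo the number of member ports.
    CRC32 stands in for the device's hash function (assumption of this example)."""
    if not members:
        raise ValueError("an aggregation group must contain at least one port")
    h = zlib.crc32(hash_input(pkt, algorithm, mix_ports))
    return members[h % len(members)]

def tcp_flow(src_port: int, dst_port: int = 80) -> Packet:
    # Constructed flow matching the manual's example: TCP from 1.1.1.1 to 2.2.2.2.
    return Packet("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                  "1.1.1.1", "2.2.2.2", "tcp", src_port, dst_port)

def members_used(mix_ports: bool, members=("ge0/1", "ge0/2", "ge0/3", "ge0/4")) -> set:
    """Set of member interfaces hit by 64 TCP flows that differ only in source port."""
    return {select_member(tcp_flow(1024 + i), "src_dst_ip", mix_ports, list(members))
            for i in range(64)}
```

With the option disabled, `hash_input` is identical for every flow between the same two addresses, so `members_used(False)` always contains exactly one interface; with it enabled the hash input changes with the port pair, which is why the manual says such packets "may" leave through different interfaces.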
Select Basic > Interface Management > Port Aggregation > Port Aggregation
Configuration from navigation tree to enter the port aggregation configuration page, as shown
in the following figure.
The port aggregation configuration page consists of two parts: global configuration and port
configuration:
In the general algorithm configuration, you can enable the HASH-to-port aggregation
algorithm: if the outgoing port algorithm is source IP, destination IP, or source IP + destination
IP, the port number of TCP / UDP packets is added to the port aggregation HASH calculation.
In the custom algorithm configuration, you can customize the configuration by packet type.
The packet types include IPv4, IPv6, non-IP and MPLS. The configurable fields include the
incoming physical port, protocol, L4 destination port, L4 source port and VLAN ID; multiple
options can be selected.
The parameters of the port configuration list are as follows:
Select Basic > Interface Management > Port Aggregation > LACP Configuration from
navigation tree to enter the LACP configuration page, as shown in the following figure.
The aggregation group status module provides the aggregation group ID, aggregation group
name, aggregation type, outgoing port algorithm, local device ID, remote device ID, the minimum
port number, and traffic statistics.
Select Basic > Interface Management > Port Aggregation > Aggregation group status from
navigation tree to enter the port aggregation status page, as shown in the following figure.
The parameters of the aggregation group status page are shown in the following:
Local port mirroring refers to copying the packets from a source port of the device to a
destination port of the same device so that these packets can be monitored and analyzed. It is
implemented by means of a local mirroring group, that is, the source port and the destination
port belong to the same local mirroring group.
Select Basic > Interface Management > Port Mirroring > Local Mirror from navigation tree to
enter the local port mirroring configuration page, as shown in the following figure.
Remote source mirror refers to copying the packets on the source port of this device to the
destination port of another device for monitoring and analyzing these packets. The remote
mirroring source group configuration module provides the function of setting the parameters of
the remote mirroring source group, including the mirroring group ID, mirroring group description,
source port, egress port, remote VLAN, and mirrored message direction.
Select Basic > Interface Management > Port Mirroring > Local Port Mirroring > Remote
Source Mirror from navigation tree to enter the remote mirroring source group configuration
page, as shown in the following figure.
The parameter description of the remote mirroring source group configuration is as follows:
Serial number: Display the serial number of the remote mirroring source group.
Mirror group ID: remote mirror source group ID number.
Mirror group description: description information of the remote mirror source group.
Source port: the source port of the mirrored packets of this device.
Outgoing port: the outgoing port of the mirrored packet of this device.
Remote VLAN: VLAN ID of the remote VLAN.
Mirrored message direction: select the direction of the mirrored message of the device,
including outbound, inbound, and bidirectional.
Incoming direction: only mirror the packets received from the source port.
Outgoing direction: only mirror the packets sent from the source port.
Two-way: mirror the messages received and sent from the source port.
The outgoing port of remote mirroring must be configured as a trunk port, and the remote VLAN
should not be the default VLAN of the mirroring link port.
6.5.1 Subinterface
A subinterface is a logical interface virtualized from a physical interface. It overcomes the limit
imposed by the number of physical interfaces of the device and enables routing and
communication between multiple VLANs on one interface.
Select Basic > Interface Management > Subinterface from navigation tree to enter the
subinterface configuration page, as shown in the following figure.
When configuring the sub-interface name, select the physical interface first and then enter the
sub-interface name. The sub-interface types include Layer 3 interface and Layer 2 interface
(access). After the configuration takes effect, the system automatically generates the
corresponding VLAN ID.
The device supports batch addition and batch deletion of sub-interfaces. Click the <Batch Add
Sub-interfaces> or <Batch Delete Sub-interfaces> button, select the physical interface and
enter the sub-interface range.
A loopback interface is a logical, virtual interface on the device. The device has no loopback
interface enabled by default; it must be created manually. You can create one or more
loopback interfaces on the device and configure an IP address and mask on each, as on a
physical interface. The address of a loopback interface is usually specified with a 32-bit mask.
A loopback interface has the property that its state is always up unless the device fails.
Select Basic > Interface Management > Loopback Interface from navigation tree to enter the
loopback interface page, as shown in the following figure.
Enter the interface ID and description information, and click the OK button.
The PPP interface is a virtual interface used for PPPoE dialing. The PPP interface
configuration module only supports static PPP interfaces. The interface ID ranges from 2 to
128. PPP0 and PPP1 exist by default and cannot be deleted.
Select Basic > Interface Management > PPP Interface > PPP Interface Configuration from
navigation tree to enter the PPP interface configuration page, as shown in the following figure.
The parameters of the PPP interface configuration are shown in the following:
A Template interface is a virtual interface that is created dynamically from the configuration
parameters of a virtual interface template for exchanging data with the peer. Template
interfaces are mainly used in the security domain module. The Template interfaces of the
device exist by default and do not need to be created manually.
The Template interface is typically used as a collection of virtual interfaces for L2TP,
representing all L2TP server-side virtual interfaces (instead of adding each L2TP virtual
interface to the security domain, you add the Template interface).
The Template interface configuration module provides the function of displaying the name,
interface ID, and description information for users.
Select Basic > Interface Management > Logic Interface > Template Interface from navigation
tree to enter the Template interface page, as shown in the following figure.
IPsec (Internet Protocol Security) is an open standard framework that ensures secure
communication over Internet Protocol (IP) networks by using encrypted security services. IPsec
works at the third layer of the OSI model, so on its own it is suitable for protecting TCP- or
UDP-based protocols. The IPsec interface configuration module is used to bind the IPsec
interface, which is a virtual interface used only in IPsec networks.
Select Basic > Interface Management > Logic Interface > IPsec Interface Configuration
from navigation tree to enter the IPsec interface configuration page, as shown in the following
figure.
The IPv4 address of the tunnel endpoint can be derived from the destination address of the IPv6
packet. The IPv6 address uses a permanent prefix assigned by IANA, 0x2002, written as the
IPv6 address prefix 2002::/16.
Select Basic > Network Protocol > IPv6 Tunnel from navigation tree to enter the 6to4 tunnel
configuration page, as shown in the following figure.
Interface number: Set the number of the 6to4 tunnel interface, the number range is 1-63.
Interface IPv6 address: Set the IPv6 address of the 6to4 tunnel interface.
Source IP address: Set the source address of the manually configured tunnel, or use the
tunnel source interface address as the source address of the tunnel.
Destination IP address: set the destination IP address of the 6to4 tunnel.
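How the 6to4 tunnel endpoint is derived from a 2002::/16 address, and the consistency check between the outer IPv4 source and the embedded address that RFC 3056 describes for decapsulation, as an added example (not DPtech code). The IPv4 address 192.0.2.33 is a constructed documentation-range value; the check rejects only loopback, multicast and unspecified endpoints, which is this example's own simplification.

```python
import ipaddress

# IANA-assigned 6to4 prefix 2002::/16: the tunnel endpoint's IPv4 address occupies
# bits 16..47 of the IPv6 address, so 2002:AABB:CCDD::/48 belongs to AA.BB.CC.DD.
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")

def six_to_four_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Derive the /48 prefix a 6to4 tunnel endpoint gets from its IPv4 address."""
    v4 = ipaddress.IPv4Address(ipv4)
    # 6to4 needs a unique, routable IPv4 address; reject the obviously unusable ones
    # (simplified check, an assumption of this example).
    if v4.is_loopback or v4.is_multicast or v4.is_unspecified:
        raise ValueError(f"{v4} cannot be a 6to4 tunnel endpoint")
    prefix_int = int(SIX_TO_FOUR.network_address) | (int(v4) << 80)
    return ipaddress.IPv6Network((prefix_int, 48))

def tunnel_endpoint(ipv6: str) -> ipaddress.IPv4Address:
    """Recover the IPv4 tunnel destination embedded in a 2002::/16 IPv6 destination.
    This is the derivation the manual describes for the tunnel's far end."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in SIX_TO_FOUR:
        raise ValueError(f"{v6} is not a 6to4 address")
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)

def decapsulation_check(outer_ipv4_src: str, inner_ipv6_src: str) -> bool:
    """On decapsulation, a 6to4 inner source must embed the outer IPv4 source;
    otherwise the packet's origin has been spoofed. Non-6to4 inner sources are
    not checked here."""
    v6 = ipaddress.IPv6Address(inner_ipv6_src)
    if v6 not in SIX_TO_FOUR:
        return True
    return tunnel_endpoint(inner_ipv6_src) == ipaddress.IPv4Address(outer_ipv4_src)

def demo():
    # Constructed values: a site whose tunnel endpoint is 192.0.2.33.
    prefix = six_to_four_prefix("192.0.2.33")
    host = "2002:c000:221:1::5"            # a host inside that site's /48
    return str(prefix), str(tunnel_endpoint(host)), decapsulation_check("192.0.2.33", host)
```

`tunnel_endpoint` performs the same extraction as Python's `IPv6Address.sixtofour` property; it is spelled out here so the bit positions are visible.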
6.7 GRE
GRE (Generic Routing Encapsulation) is a tunneling protocol. It encapsulates the packets of
one network layer protocol inside another network layer protocol so that the encapsulated
packets can be transmitted over that other network layer protocol.
Select Basic > Network Protocol > GRE Tunnel Port from navigation tree to enter the GRE
tunnel port configuration page, as shown in the following figure.
7 VLAN Management
7.1 VLAN
Select Basic > VLAN Management > VLAN > VLAN Configuration from navigation tree to
enter the VLAN configuration page, as shown in the following figure.
On the VLAN configuration page, the user can add or delete VLANs in batches and view a
single VLAN or all VLANs. The VLAN configuration page provides the following function buttons:
Add VLAN: click the icon to add a new VLAN and configure its VLAN ID and description.
The port information contained in the VLAN is configured in the networking configuration,
where the VLAN that each interface belongs to is set; only the configuration information is
displayed here.
Delete VLAN: click the icon to delete the newly added VLAN.
Add VLANs in batches: Click the <Add VLANs in batches> button, and enter the VLAN IDs
to be added in the pop-up configuration window to add VLANs in batches.
Delete VLANs in batches: Click the <Bulk Delete VLANs> button, and enter the VLAN IDs to
be deleted in the pop-up configuration window to delete VLANs in batches.
View a single VLAN: enter the ID of a single VLAN in the text box corresponding to "Please
enter a single VLAN ID", and click the <View> button to view the information of a single
VLAN.
View all VLANs: Click the <View all VLANs> button to view all VLAN information.
The parameters of VLAN configuration page are shown in the following:
After the VLAN traffic statistics function is enabled in the "VLAN Configuration" module, the
VLAN traffic statistics page displays VLAN traffic statistics.
Select Basic > VLAN Management > VLAN > VLAN Flow Statistics from navigation tree to
enter the VLAN flow statistics page, as shown in the following figure.
The VLAN traffic statistics page provides the following function buttons:
View: Click the <View> button, and the VLAN traffic statistics to be viewed will be displayed
in the list.
View all VLANs: Click the <View all VLANs> button, the traffic statistics of all VLANs will be
displayed in the list.
Clear all: Click the <Clear All> button to clear the traffic statistics of all VLANs.
The description of VLAN traffic statistics list parameters is as follows:
Select Basic > VLAN Management > VLAN > VLAN Frame Manage from navigation tree to
enter the VLAN frame manage page, as shown in the following figure.
The VLAN frame check function is enabled by default. To disable it for an interface, add that
interface to the interface name list. An interface with VLAN frame check disabled does not
check the VLAN tag of the packet, so packets that do not belong to this interface's VLAN can
also be processed by this interface.
The VLAN interface configuration module provides functions to add/delete VLANs, view VLAN
information, and file import/export.
Select Basic > VLAN Management > VLAN Interface Configuration > VLAN Interface
Configuration from navigation tree to enter the interface configuration page, as shown in the
following figure.
On the VLAN interface configuration page, the user can add or delete VLANs in batches. The
device allows you to create or delete a single VLAN or a batch of VLANs.
Adding VLANs in batch: click the Adding VLAN in Batch button to add VLANs; the VLANs you
added are then displayed in the VLAN configuration list.
Deleting VLANs in batch: click the Deleting VLAN in Batch button to delete VLANs; the
VLANs you deleted no longer appear in the VLAN configuration list.
View: click the View button to display the VLAN information in the VLAN configuration list.
Search: click the Search button to display the VLANs you have created in the VLAN
configuration list.
The parameters of VLAN interface configuration page are shown in the following:
The display VLAN interface module displays the VLANs that you have created and their related
parameters.
Select Basic > VLAN Management > VLAN Interface Configuration > Display VLAN
Interface from navigation tree to enter the display VLAN interface page, as shown in the
following figure.
On the display VLAN interface page, the user can query the VLAN interface information of a
single VLAN or of all VLANs. The page provides the following function buttons:
View: enter the VLAN ID you want to query in the "Enter a VLAN ID" box and click the View
button; the VLAN interface information you queried is displayed in the VLAN interface list.
View all VLANs: click the View All VLANs button to display the information of all VLAN
interfaces in the list.
The parameters of the display VLAN interface page are as follows:
Interface name: displays the name and status of the VLAN interface; an icon next to the name
indicates whether the VLAN interface status is "UP" or "Down".
8 Route Management
8.1 Routing table
The routing device selects the route through the routing table, delivers the preferred route to the
FIB (Forwarding Information Base) table, and guides the message forwarding through the FIB
table. At least one routing table and one FIB table are stored in each routing device.
The routing table stores the routes discovered by various routing protocols. According to
different sources, they are usually divided into the following three categories:
Direct route: The route discovered by the link layer protocol, also called interface route.
Static routing: manually configured by the network administrator. Static routing is easy to
configure, has low system requirements, and is suitable for small networks with simple and
stable topologies. The disadvantage is that whenever the network topology changes, it
needs to be manually reconfigured and cannot be automatically adapted.
Dynamic routing: the routing discovered by the dynamic routing protocol.
Each forwarding entry in the FIB table specifies the physical interface through which the
routing device sends a packet destined for a given subnet or host, so that the packet reaches
the next routing device on the path or, when no further routing device is needed, the
destination host on the directly connected network.
Select Basic > Route Management > IPv4 unicast routing > IPv4 Static Route > Basic IPv4
Routing Table from navigation tree to enter the basic IPv4 routing table page, as shown in the
following figure.
The routing table query function includes all routing information, designated destination network
segment, and designated destination IP. Users can query routing information through query
conditions according to actual needs, and the queried routing information is displayed in the
routing table.
Select Basic > Route Management > IPv4 unicast routing > IPv4 Static Route > Detailed
IPv4 Routing Table from navigation tree to enter the detailed IPv4 routing table page, as shown
in the following figure.
The detailed IPv4 routing table page shows the destination network segment, next hop, protocol,
status, cost and other information of the routing table. The user can query the routing table
with different search conditions: all routes, a designated destination network segment, a
designated protocol (static, connect, RIP, OSPF, BGP, Guard, ISIS, IP) or a designated
destination IP.
The IPv6 unicast routing table is a database that stores the paths to specific network addresses,
the route metrics and the surrounding network topology. It finds the best route for IPv6 packets
passing through the device. The IPv6 routing table contains three types of routing information:
direct routes, static routes and dynamic routes.
Select Basic > Route Management > IPv6 unicast Routing > Basic IPv6 Routing Table from
navigation tree to enter the basic IPv6 routing table page, as shown in the following figure.
The search conditions include all routes and a designated destination network segment. The
parameters of the basic IPv6 routing table are as follows:
Select Basic > Route Management > IPv6 Unicast Routing > IPv6 Routing Table > Detailed
IPv6 Routing Table from navigation tree to enter the detailed IPv6 routing table page, as shown
in the following figure.
The search conditions include all routes, a specified destination subnet and a specified
protocol; the specified protocol can be static, connect, RIPng, OSPFv3, BGP or ISIS:
The parameters of the detailed routing table page are as follows:
A static route is configured manually by the administrator; it is not learned dynamically by a
routing protocol. Used together with other routing protocols, static routes can enhance routing
capacity and provide route backup. The advantages of static routes are high reliability and
bandwidth savings.
Unlike a dynamic route, a static route is fixed and does not change automatically when the
network topology changes. After a topology change, the administrator must reconfigure the
static routes manually so that they fit the network again.
The static route module on the device has three sub-modules: static route, health check and
prefix address group. Users can configure static routes manually or in batches, and can query
the static routes already configured on the device. The health check function lets the user
check the working status of static routes by configuring a health check policy. The prefix
address group allows more flexible configuration by combining different prefix addresses.
Select Basic > Route Management > IPv4 Unicast Routing > IPv4 Static Route from
navigation tree to enter the configure static route page, as shown in the following figure.
To query static routes, the search conditions are all routes, a designated destination network
segment, and a designated destination IP. The user can search static routes by any of these
conditions; the static routes found are displayed in the manually configured static route list.
Batch configuration of static routes includes append import, export, and deletion of all static
routes.
The parameters of the manually configured static route are as follows:
8.2.1.2 Monitoring
Select Basic > Route Management > IPv4 Unicast Routing > Monitoring from navigation tree
to enter the monitoring page, as shown in the following figure.
Designated next hop: the next hop of the health check detection packets, either automatic
or manual. In manual mode, you need to configure the outbound interface and the next hop
IP address.
Required reachable IP number: a health check can detect a maximum of three addresses,
and it succeeds only when the required number of them is reachable. When you configure
one detection address, this parameter does not need to be configured. When you configure
two detection addresses, this parameter is in the range of 1 to 2. When you configure three
detection addresses, this parameter is in the range of 1 to 3.
Status: the status of the health check policy.
Static routes, IPv4 policy routing and VRRP share the above health check policy.
In non-silent hot-standby mode, if a designated source IP is configured, make sure that both
devices have that source IP address.
Select Basic > Route Management > IPv4 Unicast Routing > Prefix Address Group from
navigation tree to enter the prefix address group page, as shown in the following figure.
Figure 8-7 Prefix address group
The configuration parameters of the prefix address group are described as follows:
Address group: the group name of the IPv4 prefix address group to be associated.
Description: the description information of the IPv4 static route.
Gateway (next hop): the outbound interface and next hop address of the static route.
Advanced configuration: includes route priority, route type, route weight, health check and BFD
check. The route type in the advanced configuration has the following options:
normal: the default; indicates a reachable route.
reject: packets matching a route with the reject keyword are discarded and the source host
is notified.
blackhole: packets matching a route with the blackhole keyword are discarded and the
source host is not notified.
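The following added example ties together the pieces described in this chapter: a routing table that keeps only the healthy static route with the best priority per prefix (using the "required reachable IP number" rule of the health check), longest-prefix lookup as a FIB would do it, and the three route types normal, reject and blackhole. It is not DPtech code. The route objects, the interface names, the probe results (constructed instead of real ICMP detection), and the assumption that a lower priority value is preferred are all this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class StaticRoute:
    prefix: str                         # destination network segment, e.g. "10.0.0.0/8"
    out_if: Optional[str]               # outbound interface (None for reject/blackhole)
    next_hop: Optional[str]             # next hop address
    priority: int = 60                  # assumption: lower value = preferred
    route_type: str = "normal"          # normal | reject | blackhole
    probe_targets: Tuple[str, ...] = () # health check: up to three detected addresses
    required_reachable: int = 1         # "required reachable IP number"

    def __post_init__(self):
        if self.route_type not in ("normal", "reject", "blackhole"):
            raise ValueError(f"unknown route type {self.route_type!r}")
        if len(self.probe_targets) > 3:
            raise ValueError("a health check detects at most three addresses")
        # With one target the parameter is implicit; with two or three it must be 1..n.
        if len(self.probe_targets) > 1 and not 1 <= self.required_reachable <= len(self.probe_targets):
            raise ValueError("required reachable number must be between 1 and the target count")

def health_ok(route: StaticRoute, probe_results: Dict[str, bool]) -> bool:
    """The health check passes when at least the required number of targets answered."""
    if not route.probe_targets:
        return True                                   # no health check configured
    reachable = sum(1 for t in route.probe_targets if probe_results.get(t, False))
    needed = route.required_reachable if len(route.probe_targets) > 1 else 1
    return reachable >= needed

def build_fib(routes, probe_results):
    """Preferred route per prefix: must be healthy, then lowest priority value wins."""
    fib = {}
    for r in routes:
        if not health_ok(r, probe_results):
            continue
        net = ipaddress.ip_network(r.prefix)
        if net not in fib or r.priority < fib[net].priority:
            fib[net] = r
    return fib

def lookup(fib, dst: str):
    """Longest-prefix match; returns (action, out_if, next_hop)."""
    addr = ipaddress.ip_address(dst)
    candidates = [net for net in fib if addr in net]
    if not candidates:
        return ("no_route", None, None)
    best = fib[max(candidates, key=lambda n: n.prefixlen)]
    if best.route_type == "reject":
        return ("reject", None, None)     # discard and notify the source host
    if best.route_type == "blackhole":
        return ("drop", None, None)       # discard silently
    return ("forward", best.out_if, best.next_hop)

def demo(second_probe_up: bool):
    # Constructed topology: a primary path via ge0/1 monitored by two probes that must
    # both answer, a backup via ge0/2 without health check, and two filtered subnets.
    routes = [
        StaticRoute("10.0.0.0/8", "ge0/1", "192.168.1.1", priority=60,
                    probe_targets=("10.0.0.1", "10.0.0.2"), required_reachable=2),
        StaticRoute("10.0.0.0/8", "ge0/2", "192.168.2.1", priority=100),
        StaticRoute("10.1.0.0/16", None, None, route_type="blackhole"),
        StaticRoute("10.2.0.0/16", None, None, route_type="reject"),
    ]
    probes = {"10.0.0.1": True, "10.0.0.2": second_probe_up}   # constructed probe results
    fib = build_fib(routes, probes)
    return {dst: lookup(fib, dst) for dst in ("10.5.5.5", "10.1.2.3", "10.2.0.9", "172.16.0.1")}
```

When the second probe fails, the primary route no longer satisfies "2 of 2 reachable" and drops out of the FIB, so traffic for 10.0.0.0/8 falls back to the ge0/2 route; the blackhole and reject entries are unaffected because they are more specific and carry no health check.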
The principle of IPv6 static routes is similar to that of IPv4 static routes. An IPv6 static route is
used in IPv6 networks and must be configured manually by the network administrator rather
than learned dynamically from packets. IPv6 static routes are commonly used together with
dynamic routes, which enhances the device's routing capacity and provides backup for dynamic
routes. IPv6 static routes have the advantages of high reliability and bandwidth savings.
Unlike IPv6 dynamic routes, an IPv6 static route is fixed and does not change automatically
when the network topology changes. When the topology changes, the network administrator
needs to update the IPv6 static routes manually, otherwise network operation is affected.
Select Basic > Route Management > IPv4 unicast Routing > IPv6 Static route from
navigation tree to enter the IPv6 Static route page, as shown in the following figure.
The device supports batch configuration of static routes, including import and export:
The parameters of the manually configured static route are as follows:
Destination network segment: the destination network segment of the IPv6 static route.
Subnet mask: set the subnet mask of the destination network segment.
Gateway (next hop): the outbound interface and the next hop address of the IPv6 static route.
Advanced configuration: set the priority and route type of the IPv6 static route.
Policy-based routing is a special type of static route that forwards data packets according to
their destination addresses. It can also be combined with an access list so that packets are
forwarded depending on protocol type, protocol number and packet length. By specifying the
next hop or output port, policy-based routing controls where packets are sent. In addition,
policy-based routing can set the TOS field of IP packets that match the policy in order to control
traffic size.
The policy-based routing configuration module provides three kinds of route forwarding policies.
Policy-based Prerouting (It applies to packets forwarding, and takes precedence over
destination-based routing).
Policy-based Postrouting (It applies to packets forwarding, and first matches at
destination-based routing)
Local Route-Policy (It applies to locally generated packet, and first matches at
destination-based routing).
Select Basic > Route Management > IPv4 Policy Based Routing > Policy Routing Mode
from navigation tree to enter the policy routing mode page, as shown in the following figure.
Configure each matching rule and specify how to forward matched packets in the action
configuration item. The parameter description is as follows:
Select Basic > Route Management > IPv4 Policy Based Routing > Local Policy Routing
from navigation tree to enter the local policy routing page, as shown in the following figure.
8.3.1.3 Monitoring
Select Basic > Route Management > IPv4 Policy Based Routing > Monitoring from
navigation tree to enter the monitoring page, as shown in the following figure.
Select Basic > Route Management > IPv6 Policy Based Routing from navigation tree to enter
the IPv6 policy based routing page, as shown in the following figure.
Source network segment: The network segment where the source IP address of the
message is located.
Destination network segment: The network segment where the destination IP address of the
message is located.
Incoming interface: select the incoming interface of the message.
Protocol: including Any, TCP, UDP and custom protocol numbers.
Next hop information: including outgoing interface, next hop, weight.
8.4 RIP
8.4.1 RIP
RIP (Routing Information Protocol) is a distance vector protocol. It exchanges routing
information in UDP packets on port 520. RIP uses the hop count as the routing metric to
measure the distance to the destination address. To limit the network convergence time, the
maximum number of hops supported by RIP is 15; a hop count greater than or equal to 16 is
defined as infinite (that is, the network is unreachable). RIP is therefore suitable for small-scale
or simply structured networks.
RIP-enabled devices use the route update timer to control the route update time. By default,
they broadcast their routes every 30 seconds. If no route update message is received from a
neighbor within the time specified by the route aging timer (the default value is 180 seconds),
the RIP device marks the routes learned from that neighbor as unreachable. If no routing
update message is received from the neighbor within the time specified by the garbage
collection timer (the default value is 120 seconds), the RIP device deletes these routes from the
routing table.
To improve routing capability and prevent routing loops, RIP uses the split horizon and poison
reverse mechanisms. Split horizon means that routing information learned from an interface is
no longer sent back to neighboring devices through that interface. Poison reverse means that,
after learning a route from an interface, the device sets the metric (hop count) of that route to 16
and sends it back to the neighboring device through the original interface.
Currently, RIP has two versions, RIPv1 and RIPv2. RIPv1 is a classful routing protocol: its
protocol messages cannot carry mask information and it does not support discontiguous subnet
designs. RIPv2 is a classless routing protocol: its protocol messages carry mask information,
and it supports CIDR (Classless Inter-Domain Routing) and route aggregation.
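The timer and loop-prevention behaviour described above (metric 16 as infinity, 180-second aging, 120-second garbage collection, split horizon and poison reverse) as an added example that is not DPtech code; the same model applies to RIPng, which the next section describes with identical hop limit and timers. The table class, neighbor addresses, prefixes and interface names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

INFINITY = 16           # hop count >= 16 means unreachable
AGING_TIMEOUT = 180     # seconds without an update -> route marked unreachable
GARBAGE_TIMEOUT = 120   # seconds after that -> route deleted from the table

@dataclass
class RipRoute:
    prefix: str
    next_hop: str           # neighbor the route was learned from
    learned_on: str         # interface the update arrived on
    metric: int
    last_update: float
    unreachable_since: Optional[float] = None

class RipTable:
    """Constructed model of a RIP routing table: metric handling, timers,
    split horizon and poison reverse (not the device's implementation)."""

    def __init__(self):
        self.routes: Dict[str, RipRoute] = {}

    def receive_update(self, iface: str, neighbor: str, prefix: str, advertised_metric: int, now: float):
        metric = min(advertised_metric + 1, INFINITY)   # one more hop to reach it via the neighbor
        cur = self.routes.get(prefix)
        if metric >= INFINITY:
            # The neighbor reports the route unreachable: if it is our current source,
            # mark it unreachable and start the garbage collection timer.
            if cur is not None and cur.next_hop == neighbor and cur.unreachable_since is None:
                cur.metric = INFINITY
                cur.unreachable_since = now
            return
        # Install a new or better route, or refresh the one from the same neighbor.
        if cur is None or metric < cur.metric or cur.next_hop == neighbor:
            self.routes[prefix] = RipRoute(prefix, neighbor, iface, metric, now)

    def age(self, now: float):
        """Apply the route aging and garbage collection timers."""
        for prefix, r in list(self.routes.items()):
            if r.unreachable_since is None:
                if now - r.last_update >= AGING_TIMEOUT:
                    r.metric = INFINITY
                    r.unreachable_since = now
            elif now - r.unreachable_since >= GARBAGE_TIMEOUT:
                del self.routes[prefix]

    def advertise(self, iface: str, poison_reverse: bool = True) -> Dict[str, int]:
        """Routes announced on iface. Split horizon: routes learned on iface are not
        sent back through it; with poison reverse they are sent back with metric 16."""
        out = {}
        for prefix, r in self.routes.items():
            if r.learned_on == iface:
                if poison_reverse:
                    out[prefix] = INFINITY
                continue
            out[prefix] = r.metric
        return out

def timeline():
    """Constructed scenario: learn routes at t=0, then the neighbor goes silent."""
    t = RipTable()
    t.receive_update("eth0", "192.168.0.2", "10.1.0.0/16", 2, now=0)
    t.receive_update("eth0", "192.168.0.2", "10.9.0.0/16", 15, now=0)  # 15 + 1 = infinity: not installed
    learned = t.routes["10.1.0.0/16"].metric
    t.age(179); alive = t.routes["10.1.0.0/16"].metric
    t.age(180); aged = t.routes["10.1.0.0/16"].metric
    t.age(299); still_present = "10.1.0.0/16" in t.routes
    t.age(300); deleted = "10.1.0.0/16" not in t.routes
    return learned, alive, aged, still_present, deleted, "10.9.0.0/16" in t.routes
```

The `advertise` method shows the difference between plain split horizon (the learned route is simply omitted on eth0) and poison reverse (it is announced on eth0 with metric 16, so the neighbor learns immediately that this path is not usable).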
Select Basic >Route Management >RIP> RIP Protocol to enter the RIP protocol page, as
shown in the following figure.
The system configuration includes starting RIP and advanced configuration, each parameter
description is as follows:
Select Basic >Route Management >RIP> RIP state to enter the RIP Status page, as shown in
the following figure.
8.4.2 RIPng
RIPng (RIP next generation, next generation RIP) is a distance vector protocol developed from
RIPv2 and applied to IPv6 networks. It uses the hop count as the routing metric to measure the
distance to the destination address. To limit the network convergence time, the maximum
number of hops supported by RIPng is 15, and the number of hops greater than or equal to 16 is
defined as infinite (that is, the network is unreachable).
RIPng uses UDP packets to exchange routing information. The default port number is 521. To
improve routing capability and prevent routing loops, RIPng supports split horizon and poison
reverse.
RIPng-enabled devices use the route update timer to control the route update time. By default,
they broadcast their routes every 30 seconds. If no route update message is received from a
neighbor within the time specified by the route aging timer (the default value is 180 seconds),
the RIPng device marks the routes learned from that neighbor as unreachable. If no routing
update message is received from the neighbor within the time specified by the garbage
collection timer (the default value is 120 seconds), the RIPng device deletes these routes from
the routing table.
RIPng has the characteristics of easy implementation, easy configuration, and easy
maintenance, and is mainly suitable for small-scale or simple-structured networks.
Select Basic >Route Management >RIP> RIPng protocol to enter the RIPng protocol page, as
shown in the following figure.
Select Basic >Route Management > RIPng Protocol > RIPNG Status to enter the RIPNG
status page, as shown in the following figure.
8.5 OSPF
OSPF (Open Shortest Path First) is a link-state interior gateway protocol. An OSPF router
dynamically obtains information from other routers and advertises routes to them using link
state advertisements.
An OSPF network is a structured network subdivided into routing areas identified by area ID.
The router gathers link state advertisement (LSA) information from the available routers and
constructs a topology map of the network; ABRs then distribute routing information between
routing areas. When a link changes, the routers on that link recalculate the routes in their own
area, while routers in other areas only modify the related entries in their routing tables. OSPF
thus reduces routing updates and confines the scope of the change.
The OSPF protocol defines that an OSPF router establishes a neighbor relationship and
exchanges routing information only with the DR (Designated Router), which reduces the
bandwidth occupied when routers exchange routing information.
Select Basic > Route Management > OSPF > OSPFv2 Protocol > Configure OSPFv2 from
navigation tree to enter the configure OSPFv2 protocol page, as shown in the following figure.
The OSPF multi-process configuration list allows you to set process ID, VRF name, and
description.
Select Basic > Route Management > IPv4 Unicast Routing > OSPF > OSPF multi-process
from navigation tree to enter the configure OSPF page, as shown in the following figure.
Authentication type: the authentication type of OSPF protocol packets which are transmitted
in the routing area, including non-authentication, Text authentication (plaintext) and MD5
authentication.
Advanced configuration: OSPF region type and the related information. Area type includes
Default, Stub and NSSA.
The parameters of interface configuration are shown in the following:
Interface name: list the name of all routing interfaces on the device. You cannot modify
them.
Hello interval: the time interval between sending Hello packets.
Dead interval: the failure time; if the device does not receive Hello packets from a neighbor
within this time, it considers the neighbor to have failed.
Authentication type: the authentication type that OSPF protocol packets are transmitted on
the interface link, including non-authentication, Text authentication (plaintext) and MD5
authentication.
Authentication information: set the authentication information for an interface that sends or
receives packets. Text authentication requires an authentication password; MD5
authentication requires an authentication key ID and password. Multiple entries of
authentication information can be configured.
Advanced configuration: including interface cost value, DR election priority, weight, working
mode, and interface type.
cost: options include automatic and manual. Default is manual. If you select the manual
option, you should enter cost value in the text box.
DR election priority: the DR election priority of OSPF protocol.
Weight: the weight value of link load balancing.
Working mode: options include active and hibernate. When you select the active option,
the interface will send and receive data packets. If you select hibernate option, the
interface only receives but does not send data packets. After you enable OSPF function,
this configuration can be configured.
Interface type: including broadcast, point-to-point, non-broadcast, point-to-multipoint.
You can select one of them. Default is broadcast.
The "Authentication information" item can be configured in both "interface configuration" and
"area configuration". The authentication type configured on the interface takes precedence; if
no authentication type is configured for the interface, the type configured for its area applies
to that interface. If no authentication information is configured, the password for the interface's
authentication type is empty.
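The difference between the Text and MD5 authentication types described above is visible in how the OSPF header is built and checked. The following Python is an added example written for this page, not DPtech code or a description of the firmware: it builds OSPFv2 packets with the header layout of RFC 2328, appends the MD5 digest for the cryptographic authentication type, and verifies a received packet against a key table, rejecting tampered packets, replayed sequence numbers, unknown key IDs and packets that arrive with the plaintext type. The Hello body, router IDs, key and sequence numbers are constructed sample values.

```python
import hashlib
import hmac
import struct

# OSPFv2 header layout from RFC 2328 A.3.1; constructed example, not DPtech code.
HDR_FMT = "!BBH4s4sHH8s"   # version, type, length, router ID, area ID, checksum, AuType, auth data
HDR_LEN = struct.calcsize(HDR_FMT)  # 24 bytes
AU_NONE, AU_SIMPLE, AU_CRYPTO = 0, 1, 2
HELLO = 1


def build_packet(pkt_type, body, router_id, area_id, autype, auth_field):
    """Header + body. For cryptographic auth the header checksum stays 0 (RFC 2328 D.4.3)."""
    length = HDR_LEN + len(body)
    return struct.pack(HDR_FMT, 2, pkt_type, length, router_id, area_id, 0, autype, auth_field) + body


def simple_auth_field(password):
    """Text authentication: the password itself, zero-padded to 8 bytes, carried in the clear."""
    return password.encode()[:8].ljust(8, b"\x00")


def crypto_auth_field(key_id, seq):
    """MD5 authentication: 0 | Key ID | Auth Data Length (16) | cryptographic sequence number."""
    return struct.pack("!HBBI", 0, key_id, 16, seq)


def md5_digest(packet, key):
    """RFC 2328 D.4.3: MD5 over the OSPF packet followed by the 16-byte zero-padded key."""
    return hashlib.md5(packet + key.encode()[:16].ljust(16, b"\x00")).digest()


def sign(packet, key):
    """Append the digest; it follows the packet and is not counted in the header length."""
    return packet + md5_digest(packet, key)


def plaintext_password(frame):
    """For AuType 1 the password is readable straight from the header; None for other types."""
    _, _, _, _, _, _, autype, auth = struct.unpack(HDR_FMT, frame[:HDR_LEN])
    return auth.rstrip(b"\x00") if autype == AU_SIMPLE else None


def verify(frame, keys, last_seq):
    """Accept only MD5-authenticated frames. keys maps key ID -> secret; last_seq maps
    router ID -> highest sequence number accepted so far (updated on success)."""
    if len(frame) < HDR_LEN:
        return False, "truncated header"
    _, _, length, rid, _, _, autype, auth = struct.unpack(HDR_FMT, frame[:HDR_LEN])
    if autype != AU_CRYPTO:
        return False, "autype %d not accepted" % autype
    _, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
    if auth_len != 16 or len(frame) < length + 16:
        return False, "bad auth data length"
    if key_id not in keys:
        return False, "unknown key id"
    packet, digest = frame[:length], frame[length:length + 16]
    if not hmac.compare_digest(digest, md5_digest(packet, keys[key_id])):
        return False, "digest mismatch"
    if seq < last_seq.get(rid, 0):
        return False, "replayed sequence number"
    last_seq[rid] = seq
    return True, "ok"


def sample_hello():
    """Constructed Hello body: mask, hello interval 10, options, priority 1, dead 40, DR, BDR."""
    return struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]), 10, 0x02, 1, 40, bytes(4), bytes(4))
```

The sequence-number check is what distinguishes MD5 authentication from a bare integrity check: a captured packet re-sent later carries an older number and is refused even though its digest is valid, and the key itself never appears on the wire, whereas plaintext_password() shows the Text type exposes the password to anyone who can read the segment.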
Select Basic > Route Management > OSPF > OSPFv2 Interface Information from navigation
tree to enter the OSPF interface page, as shown in the following figure.
The query function allows you to query OSPF interface information by interface name and area.
The parameters of the interface list are as follows:
Select Basic > Route Management > OSPF > OSPF neighbor from navigation tree to enter
the OSPFv2 neighbor information page, as shown in the following figure.
The query function allows you to query OSPFv2 neighbor information by neighbor ID, neighbor IP
and interface name. The parameters of the OSPFv2 neighbor list are as follows:
OSPFv3 (Open Shortest Path First Version 3) is an interior gateway protocol developed from
OSPFv2 for IPv6 networks. Compared with OSPFv2, OSPFv3 has the following features:
OSPFv3 runs per link and is decoupled from specific IPv6 addresses and prefixes. Even if the
IPv6 addresses of nodes on the same link are not in the same network segment, the protocol
still operates normally.
OSPFv3 identifies neighbors by Router ID only.
OSPFv3 removes the authentication fields from the protocol header and relies on the standard
IPv6 authentication mechanism to secure transmission, which simplifies protocol processing to
some extent.
OSPFv3 defines the LSA flooding scope explicitly by adding a dedicated field to LS_Type;
it therefore does not need to infer the flooding scope from the LSA type when flooding LSAs,
but acts directly on that field.
OSPFv3 supports multiple instances on one link by adding an "Instance ID" field to the
protocol header.
Select Basic > Route Management > OSPF > OSPF v3 Protocol > Configure OSPFv3 from
navigation tree to enter the configure OSPFv3 page, as shown in the following figure.
Select Basic > Route Management > OSPF > OSPF v3 Protocol > OSPFv3 Interface
Information from navigation tree to enter the OSPFv3 interface information page, as shown in
the following figure.
The query function can query OSPFv3 interface information based on the interface name and
area. The parameters of the interface list are described as follows:
Interface name: The name of the interface that enables OSPFv3 protocol.
Location: The area where the interface is located.
Interface status: the status of the interface, including DR, BDR, DROther, and down.
COST: The cost value of the interface.
DR: Display the IP address of DR.
BDR: Display the IP address of BDR.
Number of neighbors: the number of neighbors in the network segment where the interface
is located.
Select Basic > Route Management > OSPF > OSPF v3 Protocol > OSPFv3 Neighbor
Information from navigation tree to enter the OSPFv3 neighbor information page, as shown in
The query function can query OSPFv3 neighbor information based on neighbor ID, neighbor IP,
area and interface name. The parameters of the neighbor list are described as follows:
8.6 ISIS
IS-IS (Intermediate System-to-Intermediate System) is an interior gateway protocol used within
an autonomous system. It establishes and maintains neighbor relationships by exchanging Hello
messages and advertises its link state by sending Link State Protocol Data Units (LSPs) to its
neighbors.
IS-IS uses a two-level hierarchy that divides the routing domain into one or more areas. Level 1
routers manage routes within an area, Level 2 routers manage routes between areas, and Level
1-2 routers handle communication both within and outside the area. All routers at the same
level build the same LSDB (Link State Database) by collecting their own and other routers'
LSPs, and run the SPF (Shortest Path First) algorithm to compute routes, which gives rapid
route convergence.
IS-IS is scalable, robust and easy to deploy, and is an interior gateway protocol commonly used
by telecom operators.
Select Basic > Route Management > ISIS > ISIS configuration from navigation tree to enter
the configure ISIS configuration page, as shown in the following figure.
Select Basic > Route Management > ISIS > Display ISIS status > ISIS neighbor from
navigation tree to enter the ISIS neighbor page, as shown in the following figure.
Select Basic > Route Management > ISIS > Display ISIS status > ISIS LSP from navigation
tree to enter the ISIS LSP information page, as shown in the following figure.
8.7 BGP
BGP (Border Gateway Protocol) is an exterior gateway protocol that exchanges routing and
network reachability information between ASs (Autonomous Systems). An AS is a group of
routers that share the same routing policy and are run by the same technical administration.
BGP is an exterior gateway protocol (Exterior Gateway Protocol, EGP), as distinct from interior
gateway protocols (Interior Gateway Protocol, IGP) such as OSPF and RIP. Its purpose is not to
discover and compute routes but to control route propagation and select the best route.
Highly reliable transmission. BGP uses TCP as its transport protocol (port 179), which improves
the reliability of the protocol.
Strong scalability. BGP supports classless inter-domain routing and route aggregation, which
slow the growth of the BGP table.
Bandwidth saving. Triggered and incremental updates conserve bandwidth: when routes change,
BGP sends only the updated routes, which greatly reduces the bandwidth consumed by route
propagation and suits the large volume of routing information on the Internet.
Loop avoidance. BGP routes carry the AS-PATH attribute, which prevents routing loops by design.
Flexible filtering and selection. BGP carries rich route attributes such as ORIGIN, NEXT-HOP,
MED, LOCAL-PREF and COMMUNITY, which enable flexible filtering and selection of routes.
Select Basic > Routing Management > BGP > BGP Configuration from navigation tree to
enter the configure BGP page, as shown in the following figure.
System configuration includes enabling BGP, configuring the BGP AS-ID and advanced
configuration. The parameters are described as follows:
BGP graceful restart: mainly used in dual-system backup scenarios to keep BGP routes alive
during an active/standby switchover and avoid service interruption. Enable graceful restart and
configure the neighbor re-establishment time and the route hold time; the route hold time must
be greater than the neighbor re-establishment time.
The neighbor configuration parameters are described as follows:
NO-ADVERTISE: routes carrying this attribute are not advertised to any BGP neighbor, EBGP
or IBGP.
NO-EXPORT: routes carrying this attribute are not advertised to any EBGP neighbor outside
the confederation. If no confederation is defined, the AS is treated as a confederation of its
own.
LOCAL-AS: routes carrying this attribute are not advertised to any EBGP neighbor, including
EBGP neighbors within the confederation.
AA:NN format: the community attribute has type code 8 and a length of 32 bits. It can be
displayed as a decimal number or in AA:NN format. According to the RFC, the first 16 bits
hold the AS number and the last 16 bits hold a locally defined value used by that AS. The
ranges 0x00000000-0x0000FFFF and 0xFFFF0000-0xFFFFFFFF are reserved. To configure
and display communities in AA:NN format, issue the ip bgp-community new-format global
configuration command.
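As an added example (not DPtech code or the device's own implementation), the following Python applies the community semantics described above: it converts between the 32-bit value and AA:NN notation, flags the two reserved ranges, encodes and decodes the type code 8 path attribute, and decides whether a route carrying a given set of communities may be advertised to a peer of a given kind. The peer-kind labels 'ibgp', 'ebgp-confed' and 'ebgp' are assumptions introduced for the example; the well-known community values are those of RFC 1997, where the page's LOCAL-AS is called NO_EXPORT_SUBCONFED.

```python
import struct

# Well-known community values from RFC 1997; constructed example, not DPtech code.
NO_EXPORT = 0xFFFFFF01
NO_ADVERTISE = 0xFFFFFF02
NO_EXPORT_SUBCONFED = 0xFFFFFF03          # labelled LOCAL-AS on the configuration page
WELL_KNOWN = {NO_EXPORT: "NO-EXPORT", NO_ADVERTISE: "NO-ADVERTISE", NO_EXPORT_SUBCONFED: "LOCAL-AS"}
COMMUNITY_TYPE_CODE = 8


def parse_community(text):
    """Accept 'AA:NN', a plain 32-bit decimal, or a well-known name; return the 32-bit value."""
    t = text.strip().upper().replace("_", "-")
    for value, name in WELL_KNOWN.items():
        if t == name:
            return value
    if ":" in t:
        aa, nn = (int(part) for part in t.split(":", 1))
        if not (0 <= aa <= 0xFFFF and 0 <= nn <= 0xFFFF):
            raise ValueError("AA and NN must each fit in 16 bits: %r" % text)
        return (aa << 16) | nn
    value = int(t)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("community must fit in 32 bits: %r" % text)
    return value


def format_community(value, new_format=True):
    """new_format=True renders AA:NN (the page's 'new-format'); otherwise the raw decimal."""
    if value in WELL_KNOWN:
        return WELL_KNOWN[value]
    return "%d:%d" % (value >> 16, value & 0xFFFF) if new_format else str(value)


def is_reserved(value):
    """The two reserved ranges named on the page: 0x00000000-0x0000FFFF and 0xFFFF0000-0xFFFFFFFF."""
    return value <= 0x0000FFFF or value >= 0xFFFF0000


def may_advertise(communities, peer_kind):
    """peer_kind is an assumed label: 'ibgp', 'ebgp-confed' (EBGP inside the confederation)
    or 'ebgp' (EBGP outside it). Applies the three well-known community rules."""
    communities = set(communities)
    if NO_ADVERTISE in communities:
        return False
    if peer_kind in ("ebgp", "ebgp-confed") and NO_EXPORT_SUBCONFED in communities:
        return False
    if peer_kind == "ebgp" and NO_EXPORT in communities:
        return False
    return True


def encode_attribute(communities):
    """COMMUNITIES path attribute: optional transitive flags, type code 8, 4 bytes per value."""
    value = b"".join(struct.pack("!I", c) for c in communities)
    if len(value) > 255:
        return struct.pack("!BBH", 0xC0 | 0x10, COMMUNITY_TYPE_CODE, len(value)) + value
    return struct.pack("!BBB", 0xC0, COMMUNITY_TYPE_CODE, len(value)) + value


def decode_attribute(data):
    """Inverse of encode_attribute; rejects other type codes and lengths not divisible by 4."""
    flags, type_code = data[0], data[1]
    if type_code != COMMUNITY_TYPE_CODE:
        raise ValueError("not a COMMUNITIES attribute (type %d)" % type_code)
    if flags & 0x10:
        length, offset = struct.unpack("!H", data[2:4])[0], 4
    else:
        length, offset = data[2], 3
    value = data[offset:offset + length]
    if len(value) != length or length % 4:
        raise ValueError("bad COMMUNITIES length")
    return [struct.unpack("!I", value[i:i + 4])[0] for i in range(0, length, 4)]
```

Checking is_reserved() on operator-entered values before they reach a route policy avoids silently configuring a community that collides with the well-known range, and may_advertise() is the rule an export filter must enforce for the three attributes listed above.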
The configuration parameters of route aggregation are described as follows:
Destination network segment: the network address of the aggregated route.
Mask: the mask of the destination network segment.
Advanced configuration: includes "generate the AS-PATH attribute when aggregating routes" and
"when advertising routes, advertise only the aggregated route, not the specific routes".
Select Basic > Routing Management > BGP > BGP Configuration from navigation tree to
enter the configure BGP page, as shown in the following figure.
Imported routes: routes imported into the VPN instance, including direct, static, RIP, OSPF
and ISIS routes.
Import OSPF instance: the OSPF instance imported into the VPN instance.
Before enabling a VPN instance, create the corresponding OVC or VRF instance under Basic >
Basic Configuration.
Select Basic > Routing Management > BGP > BGP Configuration from navigation tree to
enter the BGP neighbor information page, as shown in the following figure.
The description of each parameter on the BGP neighbor information display page is as follows:
8.8 GUARD
When the Traffic Anomaly Probe device identifies a potential attack, it alerts the Guard device to
begin diverting traffic destined for the targeted devices—and only that traffic—for inspection. All
other traffic continues to flow freely, reducing the impact on overall business operations.
A Guard route is configured on the Guard device. Its main role is to divert traffic destined for
the targeted device to the Guard device. Guard routes can be configured manually by the
administrator or automatically by a script on the device that is triggered by the received alert.
The outbound interface of a Guard route is Null0. A Guard route is not added to the FIB after
it is configured, so it does not take part in packet forwarding; it must be used together with
BGP. Once redistributed into BGP, the Guard route is advertised to the BGP peers, so the Guard
device draws the traffic to itself and scrubs the anomalous traffic back to normal.
Select Basic > Route Management > IPv4 Unicast Routing > IPv4 Guard Route to enter the
IPv4 guard route page, as shown in the following figure.
8.9 MPLS
MPLS (Multi-protocol Label Switching) is a forwarding technology that combines Layer 2
switching with Layer 3 routing. MPLS can run over network layer protocols such as IPv4 and
IPv6 as well as over data link layer technologies such as ATM, Frame Relay, Ethernet and PPP.
With label forwarding, packets are forwarded according to their classification, so MPLS offers
both the flexibility of IP routing and the simplicity of Layer 2 switching.
Together with the traditional routing protocols, LDP builds the routing table and the MPLS
forwarding entries for every FEC that the services require on every LSR (Label Switching
Router).
When the ingress LER (Label Edge Router) of the MPLS domain receives a packet, it determines
the FEC the packet belongs to, pushes the corresponding label to form an MPLS packet, and
forwards it according to the MPLS entry.
Each LSR looks up the label forwarding table by the incoming label of the MPLS packet, swaps
the incoming label for the new label, and forwards the packet to the next-hop LSR on the
related outbound interface.
After receiving the MPLS packet from the LSR, the egress LER of the MPLS domain looks up the
label forwarding table by the packet's incoming label.
Select Basic > Route Management > MPLS > MPLS Configure > Global Configuration >
Enable MPLS from navigation tree to enter the MPLS configure page, as shown in the following
figure.
Click to enable MPLS and then click the Submit button in the upper right corner of the Web
page. MPLS is now enabled globally.
The static configuration module provides a statically configured label forwarding table, which
consists of the FTN (FEC-to-NHLFE Map) and ILM (Incoming Label Map) tables. When the LER
receives an unlabeled packet, it looks up the FTN table by the packet's destination IP address,
pushes the label, and forwards the resulting MPLS packet. When an LSR receives an MPLS packet,
it looks up the ILM table by the incoming label, pops the incoming label, and forwards the
packet.
Select BASIC > Route Management > MPLS > MPLS Configure > Static configuration from
navigation tree to enter the configure output page, as shown in the following figure.
Before you configure the "outgoing label" parameter, configure the range of static labels in
"Label Range" under "Advanced Configuration" on the LDP configuration page.
Select Basic > Route Management > MPLS configure > Static configuration > Configure
Input from navigation tree to enter the configure input page, as shown in the following figure.
Before you configure the "incoming label" parameter, configure the range of static labels in
"Label Range" under "Advanced Configuration" on the LDP configuration page.
LDP (Label Distribution Protocol) is one of the main protocols of MPLS. It defines the messages
and procedures used during label distribution. To establish label switched paths, LSRs use LDP
to map network layer routing information to data link layer switched paths.
The LDP configuration module provides the function of configuring the LDP parameters,
including router ID, label space, label distribution control mode, label distribution mode,
backoff time, label range, imported routes, GR configuration and interface configuration.
Select Basic > Route Management > MPLS configure > LDP protocol > Configure LDP from
navigation tree to enter the LDP configuration page, as shown in the following figure.
Select Basic > Route Management > MPLS configure > LDP protocol > Display LDP
neighbor from navigation tree to enter the display LDP neighbor page, as shown in the following
figure.
Select Basic > Route Management > MPLS configure > LDP protocol > Display LDP
adjacency from navigation tree to enter the display LDP adjacency page, as shown in the
following figure.
Select Basic > Route Management > MPLS configure > LDP protocol > Display LDP
interface from navigation tree to enter the display LDP interface page, as shown in the following
figure.
Select Basic > Route Management > MPLS configure > LDP protocol > Display MPLS
forward from navigation tree to enter the display MPLS forward page, as shown in the following
figure.
By specifying the destination network segment, you can query the MPLS forwarding table,
including outgoing label, prefix, next hop and outgoing interface.
8.9.4 L2VPN
MPLS L2VPN is a Layer 2 VPN technology based on an MPLS network, which uses the existing
public network to extend the user's private network.
The device supports two MPLS L2VPN service models: VPWS and VPLS.
VPWS (Virtual Private Wire Service) is a point-to-point virtual private network technology
that provides high-speed transparent Layer 2 transmission and supports almost all link layer
protocols. CCC, SVC and MARTINI are three implementations of MPLS L2VPN built on the VPWS
model.
VPLS (Virtual Private LAN Service) is an Ethernet-based L2VPN technology that uses a
signaling protocol between PE nodes within a VPLS instance to establish and maintain PWs,
and encapsulates Layer 2 frames for transmission and exchange over the PWs. At the data
link layer, VPLS merges separate LANs into one virtual LAN. VPLS combines the features of
MPLS and L2VPN and supports point-to-multipoint services.
MPLS L2VPN can be implemented in the following three ways:
CCC mode
CCC (Circuit Cross Connect) uses a single label to carry user data. CCC uses an LSP
exclusively and needs no label signaling to exchange Layer 2 VPN information.
SVC mode
SVC (Static Virtual Circuit) is a static form of MPLS L2VPN. The VC (Virtual Circuit) is
configured manually and no signaling protocol is used to exchange L2VPN information.
Martini mode
Martini mode MPLS L2VPN focuses on building a VC between two CEs. It uses a two-layer
label stack between the CEs; the inner label is exchanged using extended LDP as the
signaling protocol.
Select Basic > Route Management > MPLS configure > L2VPN > L2VPN Configuration from
navigation tree to enter the L2VPN configuration page, as shown in the following figure.
8.9.4.2 PW template
In a PW template you specify PW properties such as the PW data encapsulation type and
whether control words are used. PWs with the same attributes can reference the same
template, which simplifies PW attribute configuration.
Select Basic > Route Management > MPLS configure > L2VPN > PW Template from
navigation tree to enter the PW template page, as shown in the following figure.
Select Basic > Route Management > MPLS configure > L2VPN > SVC mode from navigation
tree to enter the SVC mode page, as shown in the following figure.
Select Basic > Route Management > MPLS configure > L2VPN > CCC mode from navigation
tree to enter the CCC mode page, as shown in the following figure.
Select Basic > Route Management > MPLS configure > L2VPN > MARTINI mode from
navigation tree to enter the MARTINI mode page, as shown in the following figure.
Select Basic > Route Management > MPLS configure > L2VPN > VPLS mode from
navigation tree to enter the VPLS mode page, as shown in the following figure.
Select Basic > Route Management > MPLS configure > Display L3VPN forward from
navigation tree to enter the display L3VPN forward page, as shown in the following figure.
By specifying the VRF name or destination network segment, you can query the MPLS L3VPN
forwarding table, including VRF name, network segment, label, next hop and outgoing interface.
Network congestion is one of the major problems that can degrade your network backbone
performance. It may occur either when network resources are inadequate or when load
distribution is unbalanced. Traffic engineering (TE) is intended to avoid the latter situation where
partial congestion may occur as the result of inefficient resource allocation.
TE makes the best use of network resources and avoids uneven load distribution by monitoring
traffic and the load on each network element in real time and dynamically tuning traffic
management attributes, routing parameters and resource constraints. MPLS TE combines MPLS
with traffic engineering: it reserves resources by establishing LSP tunnels to specific
destinations and lets traffic bypass congested nodes to achieve a suitable load distribution.
MPLS TE is a scalable and simple traffic engineering solution favored by service providers.
With MPLS TE, service providers can deploy simplified traffic engineering on an existing MPLS
backbone, making full use of existing network resources to provide diverse services while also
optimizing network resources and managing the network systematically.
8.9.6.1 TE FTN
Select Basic > Route Management > MPLS configure > TE static configuration > TE FTN
from navigation tree to enter the TE FTN page, as shown in the following figure.
8.9.6.2 TE ILM
Select Basic > Route Management > MPLS configure > TE static configuration > TE ILM
from navigation tree to enter the TE ILM page, as shown in the following figure.
MPLS LSPs, MPLS TE (Traffic Engineering) tunnels and other tunnel types carry many kinds of
traffic for MPLS VPN (Virtual Private Network). When there are many tunnels between two PEs
(Provider Edge) and each PE has multiple tunnels, tunnel selection must be considered
carefully. Reasonable tunnel selection not only benefits ISP network management and design but
also reduces the processing cost on the PE.
MPLS TE is a virtual point-to-point connection from the ingress node to the egress node.
Typically, an MPLS TE tunnel consists of one CRLSP. To deploy CRLSP backup or transmit
traffic over multiple paths, you need to establish multiple CRLSPs for one class of traffic. In this
case, an MPLS TE tunnel consists of a set of CRLSPs. An MPLS TE tunnel is identified by an
MPLS TE tunnel interface on the ingress node. When the outgoing interface of a traffic flow is an
MPLS TE tunnel interface, the traffic flow is forwarded through the CRLSP of the MPLS TE
tunnel.
8.9.7.1 TE tunnel
Select Basic > Route Management > MPLS configure > TE Tunnel > TE Tunnel from
navigation tree to enter the TE Tunnel page, as shown in the following figure.
8.9.7.2 TE PATH
Select Basic > Route Management > MPLS configure > TE Tunnel > TE PATH from
navigation tree to enter the TE path page, as shown in the following figure.
Select Basic > Route Management > MPLS configure > TE Tunnel > Interface Config from
navigation tree to enter the interface config page, as shown in the following figure.
Low latency. Once multicast traffic is flowing steadily, a shortest path tree is built between
the source and the receivers, which effectively reduces network latency and makes multicast
delivery efficient.
Low bandwidth. With multicast, the same multicast stream is transmitted only once over a trunk
link; data is replicated and forwarded at the point closest to the receivers. The backbone
bandwidth consumed by multicast therefore does not grow with the number of receivers.
Strong scalability: in a multicast network, the multicast sources do not need to know where the
receivers are; they only send traffic to the multicast group, and any receiver can accept or
reject the group's data by joining or leaving that group. This makes multicast suitable for
networks of any size.
The common configuration module provides the function of enabling or disabling multicast on an
interface and of setting a multicast boundary on an interface.
Select Basic > Route Management > IPv4 Multicast > Basic Configuration from navigation
tree to enter the basic configuration page, as shown in the following figure.
A Layer 2 device running IGMP Snooping analyzes the IGMP messages it receives to build a
mapping between ports and multicast MAC addresses, and forwards multicast data packets
according to that mapping.
Select Basic > Route Management > IPv4 Multicast > IGMP Snooping > IGMP Snooping
from navigation tree to enter the IGMP Snooping page, as shown in the following figure.
Click to enable IGMP Snooping function and click <Submit> button in the upper right corner on
the webpage.
Layer 2 unknown multicast packets are multicast data packets that have no matching entry in
the IGMP Snooping forwarding table. When Layer 2 unknown multicast drop is enabled, the switch
forwards unknown multicast packets only to the router port and does not flood them in the
VLAN; if the switch has no router port, the packets are dropped and not forwarded. When the
function is disabled, the switch floods unknown multicast packets within the VLAN they belong
to.
Select Basic > Route Management > IPv4 Multicast > IGMP Snooping > Layer 2 Unknown
Multicast Drop Configuration from navigation tree to enter the Layer 2 unknown multicast drop
configuration page, as shown in the following figure.
The VLAN configuration parameters in the IGMP Snooping agent are described as follows:
Select Basic > Route Management > IPv4 Multicast > IGMP Snooping > IGMP Snooping
State from navigation tree to enter the IGMP Snooping state configuration page, as shown in the
following figure.
The query condition is either all information or a VLAN ID; that is, you can query the IGMP
Snooping routing state for all VLANs or for a specific VLAN. The parameters of the IGMP Snooping
routing state are as follows:
In traditional multicast on-demand mode, when hosts in different VLANs request the same
multicast program, the Layer 3 device must forward a separate copy of the multicast traffic to
the Layer 2 device in each user VLAN. This consumes a large amount of network bandwidth and
places an extra burden on the Layer 3 device.
Select Basic > Route Management > IPv4 Multicast > Multicast VLAN > Multicast VLAN
from navigation tree to enter the multicast VLAN configuration page, as shown in the following
figure.
Click to enable multicast VLAN and click the Submit button in the upper right corner on the
webpage.
Select Basic > Route Management > IPv4 Multicast > Multicast VLAN > Multicast VLAN
state from navigation tree to enter the multicast VLAN state page, as shown in the following
figure.
The parameters of multicast VLAN state page are shown in the following:
8.10.4 IGMP
8.10.4.1 IGMP
The Internet Group Management Protocol (IGMP) is the TCP/IP protocol responsible for IP
multicast group membership management; IP hosts and adjacent multicast routers use it to
establish and maintain their multicast group memberships.
IGMPv1 (RFC 1112) defines the basic membership query and join mechanisms. The IGMP querier
periodically multicasts IGMP queries (destination address 224.0.0.1) to all hosts and routers
on the local subnet; a host sends a membership report to join a group.
IGMPv2 (RFC 2236) defines the leave mechanism, adding the leave group message and the
group-specific query. When a member leaves a group it sends a leave group message; on receiving
it, the router sends group-specific queries to determine whether all members of the group have
left.
IGMPv3 (RFC 3376) supports the SSM model, adding source filtering for specific multicast
groups: a receiver can specify whether to accept or refuse data from a specific multicast
source.
All IGMP versions support the ASM model. IGMPv3 can also implement the SSM model directly,
whereas IGMPv1 and IGMPv2 need the IGMP SSM mapping function to support SSM. Because networks
mainly use IGMPv2 at present, the following describes how IGMPv2 works.
When a subnet has multiple multicast routers, all of them receive the IGMP membership reports
sent by hosts, so it is enough for only one router to send IGMP queries. A querier election
mechanism is therefore used to determine which router acts as the IGMP querier.
Initially, every router assumes it is the querier and sends IGMP general query messages (often
called "general queries") to all hosts and routers on the local subnet. The destination address
is 224.0.0.1. After receiving a general query, every router compares the source IP address of
the query with its own interface address. The router with the lowest IP address wins the
election and becomes the querier; all other routers become non-queriers. Each non-querier
starts a timer known as the "other querier present timer". If a router receives an IGMP query
from the querier before the timer expires, it resets the timer; otherwise it assumes the querier
has timed out and starts a new querier election. As shown in the figure above, router 1 and
router 2 both consider themselves querier by default and send IGMP general queries to each
other. Router 2, which has the lower IP address, becomes the IGMP querier and router 1 becomes
a non-querier.
A host can join a multicast group either actively or in response to a query.
Active join: when a host joins a multicast group, it sends a membership report to the querier
announcing that it wants to receive packets for that group, without waiting for a general
query from the querier. As shown in the figure above, host A wants to receive multicast group
G1's traffic, so host A sends a membership report to join G1.
Response to query: the querier periodically sends general queries to the hosts and routers on
its local subnet to find out whether receivers exist; a host on the subnet that wants to join a
multicast group replies with a membership report and joins the group. As shown in the figure
above, after receiving the general query sent by the querier, host B sends a membership report
for multicast group G2.
(3) Response suppression mechanism
Because every host and router receives the membership reports sent by any host on the local
network, only one host needs to send a membership report for a given multicast group; the
other hosts on the segment do not need to send one. This is called the response suppression
mechanism, and it reduces traffic on the segment. As shown in the figure above, both host B and
host C want to join multicast group G2; host B has already sent a membership report for G2, so
host C does not need to.
When a host leaves a multicast group, it sends a leave message to the multicast router. After
receiving the leave message, the querier sends a configurable number of group-specific queries
for the group being left. If the querier receives a membership report for the group within the
maximum response time, it keeps the membership for the group; otherwise it assumes the group has
no member hosts on the local subnet and stops maintaining the membership. As shown in the
figure above, after host B sends the leave message, the querier immediately sends a
group-specific query to all hosts on its local network.
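The querier election, join, suppression and leave procedures described above can be exercised with the following Python, an added example that is not DPtech code or the device's implementation. It builds and parses IGMPv2 messages in the 8-byte format of RFC 2236 with Internet checksum validation (so a corrupted query cannot influence the election), keeps one router's querier state with the other querier present timer, records group membership from reports, and on a leave returns the group-specific query a querier sends. The IP addresses, timer values and group addresses are constructed sample values.

```python
import ipaddress
import struct

# IGMPv2 message types (RFC 2236); constructed example, not DPtech code.
IGMP_QUERY, IGMP_V1_REPORT, IGMP_V2_REPORT, IGMP_LEAVE = 0x11, 0x12, 0x16, 0x17


def inet_checksum(data):
    """Standard one's-complement Internet checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmpv2(msg_type, max_resp_tenths, group):
    """Type | Max Resp Time (1/10 s) | Checksum | Group Address."""
    group_bytes = ipaddress.IPv4Address(group).packed
    unchecked = struct.pack("!BBH4s", msg_type, max_resp_tenths, 0, group_bytes)
    return struct.pack("!BBH4s", msg_type, max_resp_tenths, inet_checksum(unchecked), group_bytes)


def parse_igmpv2(data):
    """Return a dict describing the message, or None if it is short, corrupt or of unknown type."""
    if len(data) < 8 or inet_checksum(data[:8]) != 0:
        return None
    msg_type, max_resp, _, group_bytes = struct.unpack("!BBH4s", data[:8])
    group = str(ipaddress.IPv4Address(group_bytes))
    if msg_type == IGMP_QUERY:
        kind = "general-query" if group == "0.0.0.0" else "group-specific-query"
    elif msg_type in (IGMP_V1_REPORT, IGMP_V2_REPORT):
        kind = "report"
    elif msg_type == IGMP_LEAVE:
        kind = "leave"
    else:
        return None
    return {"kind": kind, "group": group, "max_resp_tenths": max_resp}


class IgmpRouter:
    """Querier election and membership state of one multicast router on a subnet."""

    def __init__(self, ip, other_querier_present_interval=255, last_member_query_count=2):
        self.ip = ipaddress.IPv4Address(ip)
        self.querier = True              # every router starts by assuming it is the querier
        self.other_querier_timer = None  # seconds left on the "other querier present" timer
        self.interval = other_querier_present_interval
        self.last_member_query_count = last_member_query_count
        self.groups = set()
        self.last_query = None           # most recent group-specific query this router sent

    def receive(self, src_ip, raw):
        """Process one IGMP message from src_ip; returns a short description of the action."""
        msg = parse_igmpv2(raw)
        if msg is None:
            return "dropped: malformed or bad checksum"
        if msg["kind"] == "general-query":
            if ipaddress.IPv4Address(src_ip) < self.ip:
                # The lower address wins; every query from it restarts the timer.
                self.querier = False
                self.other_querier_timer = self.interval
                return "non-querier"
            return "querier" if self.querier else "non-querier"
        if msg["kind"] == "report":
            self.groups.add(msg["group"])   # one report per group is enough (suppression)
            return "member added: " + msg["group"]
        if msg["kind"] == "leave":
            if not self.querier or msg["group"] not in self.groups:
                return "ignored leave"
            # The querier checks for remaining members with group-specific queries.
            self.last_query = build_igmpv2(IGMP_QUERY, 10, msg["group"])
            return "group-specific-query for " + msg["group"]
        return "ignored"

    def tick(self, seconds):
        """Advance time; a non-querier whose timer runs out starts a new election as querier."""
        if not self.querier and self.other_querier_timer is not None:
            self.other_querier_timer -= seconds
            if self.other_querier_timer <= 0:
                self.querier = True
                self.other_querier_timer = None
        return self.querier

    def group_query_timeout(self, group):
        """No report arrived within the max response time: stop maintaining the group."""
        self.groups.discard(group)
        return sorted(self.groups)
```

The checksum check before the election matters for a defender: without it, any 8 bytes whose first byte is 0x11 and whose source address is low enough would demote the legitimate querier, so validating the message before acting on it is the minimum a multicast router should do.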
Select Basic > Route Management > IPv4 Multicast > IGMP > IGMP from navigation tree to
enter the IGMP configuration page, as shown in the following figure.
General query max response time: the maximum response time advertised in general queries.
Other querier present interval: the timeout of the other querier present timer started by
non-queriers.
Group quantity limit: the maximum number of multicast groups the device supports.
Static group: a statically joined multicast group. Once configured, the interface forwards the
group's multicast data to the devices connected to it even if it has received no membership
report for that group.
Group filter: the multicast group address and source address used to filter multicast group
packets on the interface.
The IGMP SSM mapping feature enables you to configure static IGMP SSM mappings on the
last-hop router to provide SSM support for receiver hosts that are running IGMPv1 or IGMPv2.
As shown in the above figure, host A can only send IGMPv1/IGMPv2 membership messages.
To still provide host A with source-specific (S, G) multicast forwarding, the IGMPv3 querier
must enable the PIM SSM function, configure the SSM service scope, enable IGMP SSM
Mapping, and statically configure the SSM Mapping policy for the specific multicast group.
A host that is running IGMPv1 or IGMPv2 cannot specify multicast source addresses in its
report. In this case, you must configure the IGMP SSM mapping feature to translate the (*, G)
information in the IGMPv1 or IGMPv2 report into (Include Source (S, G)) information.
Select Basic > Route Management > IPv4 Multicast > IGMP > IGMP SSM Mapping from the
navigation tree to enter the IGMP SSM Mapping page, as shown in the following figure.
The IGMP SSM Mapping configuration page includes system configuration, global configuration
and interface configuration. The parameters of the system configuration are shown in the
following:
Multicast group address: set the multicast group address supported by IGMP SSM
Mapping.
Source address: set the source IP address that corresponds to the multicast group address
supported by IGMP SSM Mapping.
Interface name: display the interfaces running IGMPv3. An interface is listed only after you
configure it to run IGMPv3.
State: enable or disable the IGMP SSM Mapping function on the interface.
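As an added example (not code from this manual or the device), the following Python models the translation described above: an IGMPv1/IGMPv2 (*, G) report is rewritten into (S, G) pairs from a static mapping policy, while IGMPv3 reports and ASM groups pass through unchanged. The SSM range 232.0.0.0/8 and the mapping entries are assumptions constructed for the example.

```python
"""IGMP SSM mapping: translating (*, G) reports from IGMPv1/IGMPv2 hosts into
(S, G) state on an IGMPv3 querier.

Added example, not DPtech code. The SSM range and the mapping entries are
constructed for illustration; on the device they come from the PIM SSM
service scope and the IGMP SSM Mapping page.
"""
import ipaddress


class SsmMappingTable:
    def __init__(self, ssm_range="232.0.0.0/8"):
        # SSM service scope; 232.0.0.0/8 is the IANA-assigned range (assumption here)
        self.ssm_range = ipaddress.IPv4Network(ssm_range)
        # static mapping policy: (multicast group prefix, source address)
        self.entries = []

    def add(self, group_prefix, source):
        self.entries.append((ipaddress.IPv4Network(group_prefix),
                             str(ipaddress.IPv4Address(source))))

    def translate(self, version, group, sources=()):
        """Return the sorted list of (S, G) pairs installed for one membership report.

        IGMPv3 reports already carry their sources.  A (*, G) report from an
        IGMPv1/IGMPv2 host is translated only when G lies in the SSM range and a
        static mapping matches; ASM groups keep (*, G) state, shown as source "*".
        """
        g = ipaddress.IPv4Address(group)
        if version == 3:
            return sorted((str(ipaddress.IPv4Address(s)), str(g)) for s in sources)
        if g not in self.ssm_range:
            return [("*", str(g))]            # ASM group: no mapping applied
        # every matching entry contributes one source; an empty result means the
        # report cannot be honoured because no source is known for this SSM group
        return sorted({(src, str(g)) for prefix, src in self.entries if g in prefix})


def build_example_table():
    """Constructed mapping policy: group 232.1.1.0/24 is served by two sources."""
    table = SsmMappingTable()
    table.add("232.1.1.0/24", "10.0.0.1")
    table.add("232.1.1.0/24", "10.0.0.2")
    return table


if __name__ == "__main__":
    table = build_example_table()
    # IGMPv2 host reports (*, 232.1.1.5): translated to two (S, G) channels
    print(table.translate(2, "232.1.1.5"))
    # IGMPv2 host reports an ASM group: left as (*, G)
    print(table.translate(2, "239.1.1.1"))
    # IGMPv3 host names its own source: the mapping is not consulted
    print(table.translate(3, "232.1.1.5", ["10.9.9.9"]))
```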
IGMP proxying is a technology that improves the overall performance of upstream devices by
reducing the number of IGMP packets they receive. IGMP proxying runs in a Layer 3
environment: the IGMP proxy device intercepts the IGMP packets exchanged between the hosts
and the upstream device and builds a multicast membership database from them. The IGMP
proxy device represents the downstream hosts toward the upstream device and the upstream
device toward the downstream hosts, communicating with both by using the multicast protocol.
To the upstream device, the IGMP proxy device looks like a host; to the downstream hosts, it
looks like a querier.
Host interface
The host interface is the interface that connects the IGMP proxy device to the querier. The
interface acts as a host and responds to the querier. When a new multicast group is added or
the last member of a multicast group leaves, the interface sends a membership report or a
leave group message to the querier.
Router interface
The router interface is the interface that connects the IGMP proxy device to the downstream
hosts. The interface acts as a router and sends general group query messages to the
downstream hosts periodically. After the interface receives a leave group message, it
immediately sends a group-specific query message to the downstream hosts.
Proxy query:
The IGMP proxy device sends general query messages to the downstream host A and host B.
After receiving these messages, host A and host B send membership report messages
announcing the multicast group they want to join, and the IGMP proxy device builds its group
membership database from the received reports.
When host A wants to leave a multicast group, it sends a leave group message. After receiving
it, the IGMP proxy device immediately sends a group-specific query message to host A. If the
IGMP proxy device does not receive a membership report from host A within the maximum
response time, it deletes the router interface that connects to host A from the entry in the IGMP
proxy table and stops forwarding multicast data to host A.
Proxy response:
After receiving a general group query or a group-specific query from the querier, the IGMP
proxy device looks up the membership database it maintains and responds to the querier itself,
rather than forwarding the query to the downstream hosts, waiting for their responses and only
then responding to the querier. As shown in the above figure, the querier sends general group /
group-specific query messages to the IGMP proxy device, and the IGMP proxy device responds
to the querier according to its own IGMP proxy entries instead of forwarding the messages to the
downstream host A and host B.
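The proxy query and proxy response behaviour above, as an added Python model that is not the device's code: the router-interface side builds the membership database from reports and leaves (including the group-specific query timer), and the host-interface side answers upstream queries from that database instead of forwarding them. Interface names, the max response time and the explicit clock argument are assumptions made for the example.

```python
"""IGMP proxying: the membership database built on the router interfaces and
the proxy's own answers on the host interface.

Added example, not DPtech code. Time is passed in explicitly (seconds) so the
group-specific query timer can be exercised offline; interface names and the
max response time are constructed for this example.
"""


class IgmpProxy:
    def __init__(self, host_if="host_if", max_response_time=10.0):
        self.host_if = host_if
        self.max_response_time = max_response_time
        self.members = {}   # group -> set of router interfaces with members
        self.pending = {}   # (router interface, group) -> deadline of a group-specific query
        self.sent = []      # messages emitted: (direction, type, interface, group)

    # ---- router interface: the proxy acts as querier toward downstream hosts ----
    def send_general_query(self, iface):
        self.sent.append(("downstream", "general_query", iface, None))

    def receive_report(self, iface, group):
        """Membership report from a downstream host on a router interface."""
        first_member = not self.members.get(group)
        self.members.setdefault(group, set()).add(iface)
        self.pending.pop((iface, group), None)   # a report answers any pending query
        if first_member:
            # a new group appears in the database: the host interface reports it upstream
            self.sent.append(("upstream", "report", self.host_if, group))

    def receive_leave(self, iface, group, now):
        """Leave from a downstream host: query the group on that interface, start the timer."""
        if iface in self.members.get(group, ()):
            self.sent.append(("downstream", "group_specific_query", iface, group))
            self.pending[(iface, group)] = now + self.max_response_time

    def expire(self, now):
        """Drop (interface, group) entries whose group-specific query got no report in time."""
        for (iface, group), deadline in list(self.pending.items()):
            if now < deadline:
                continue
            del self.pending[(iface, group)]
            self.members[group].discard(iface)
            if not self.members[group]:
                # last member of the group is gone: the host interface leaves upstream
                del self.members[group]
                self.sent.append(("upstream", "leave", self.host_if, group))

    # ---- host interface: the proxy acts as a host toward the upstream querier ----
    def answer_upstream_query(self, group=None):
        """Answer a general (group=None) or group-specific query from the database,
        without forwarding the query to the downstream hosts."""
        groups = sorted(g for g in self.members if group is None or g == group)
        for g in groups:
            self.sent.append(("upstream", "report", self.host_if, g))
        return groups

    def forwarding_interfaces(self, group):
        """Router interfaces that still receive data for the group."""
        return sorted(self.members.get(group, ()))


if __name__ == "__main__":
    p = IgmpProxy()
    p.receive_report("ge0/1", "239.1.1.1")     # host A joins on router interface ge0/1
    p.receive_report("ge0/2", "239.1.1.1")     # host B joins on router interface ge0/2
    p.receive_leave("ge0/1", "239.1.1.1", now=0)
    p.expire(now=10)                            # no report from host A: ge0/1 removed
    print(p.forwarding_interfaces("239.1.1.1"))   # ['ge0/2']
    print(p.answer_upstream_query())              # ['239.1.1.1'], answered locally
```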
The IGMP Proxying module provides three functions: enabling IGMP Proxying, setting the host
interface and setting the router interface.
Select Basic > Route Management > IPv4 Multicast > IGMP > IGMP Proxying from the
navigation tree to enter the IGMP proxying page, as shown in the following figure.
The IGMP Proxying configuration provides system configuration, host interface configuration
and router interface configuration.
Select BASIC > Route Management > IPv4 Multicast > IGMP > IGMP State from the navigation
tree to enter the IGMP state page, as shown in the following figure.
The IGMP state module supports an information query function. The parameters of the IGMP
state page are shown in the following:
8.10.5 PIM
PIM (Protocol Independent Multicast) is independent of the IP unicast routing protocol: it uses
whichever unicast routing protocol populates the unicast routing table. PIM has three operation
modes: PIM-DM, PIM-SM and PIM-SSM.
PIM-SM (PIM Sparse Mode) is a sparse-mode protocol-independent multicast routing protocol.
It transmits multicast data by constructing a shared tree and a shortest path tree. It can be
used in a large-scale network in which the group members are relatively dispersed.
PIM-SSM is the solution for source-specific multicast. Because the location of the multicast
source is known to the receivers, PIM-SSM can transmit multicast data by constructing the
shortest path tree between the multicast source and the receiver directly, which removes the
RP discovery, RPT construction and source registration procedures of PIM-SM.
In a PIM-SSM environment, receivers use IGMPv3 to send channel subscription messages
hop-by-hop toward the DR on the multicast source side. All the routers along the way create
(Include S, G) or (Exclude S, G) entries, so that a tree whose root is the multicast source and
whose leaves are the multicast receivers is established.
8.10.5.1 PIM
The PIM module provides the functions of configuring the BSR, static RP, candidate RP, SSM
and PIM interfaces.
Select BASIC > Route Management > IPv4 Multicast > PIM > PIM from the navigation tree to
enter the PIM page, as shown in the following figure.
Candidate RP service scope: set the multicast group scope served by the candidate RP.
The parameters of the SSM configuration are shown in the following:
A PIM-SM domain can be divided into a Global domain and several administrative scopings. An
administrative scoping is a logical domain that provides multicast data for specific multicast
groups. Administrative scoping relieves the management pressure on a single BSR in a domain
and allows finer-grained management.
The Global domain contains all domains, both inside and outside the administrative scopings.
It provides service for the multicast group data outside the administrative scopings. Multicast
data that belongs to the Global domain scope can be transmitted throughout the Global domain.
An administrative scoping only provides service for specific multicast groups. Multicast data
that belongs to an administrative scoping cannot be transmitted outside it. Each administrative
scoping maintains its own BSR, and RP election in different administrative scopings is
separate.
As shown above, all routers in the network belong to the Global domain. Router B and router C
belong to administrative scoping 1; router D and router E belong to administrative scoping 2.
Multicast source 2 sends the multicast data of 239.0.0.1, the specific service provided by
administrative scoping 1, within administrative scoping 1; multicast source 3 sends the
multicast data of 236.1.1.1, the specific service provided by administrative scoping 2, within
administrative scoping 2. In the Global domain, the 236.1.1.1 multicast data sent by multicast
source 1 can traverse administrative scoping 1 and be received by receiver 1.
Select Basic > Route Management > IPv4 Multicast > PIM > Administrative Scoping from the
navigation tree to enter the administrative scoping page, as shown in the following figure.
The global domain configuration allows you to enable the Global domain and set its hash
mask length and priority.
The administrative scoping configuration allows you to set the multicast group scope of the
administrative scoping and its hash mask length and priority.
The PIM state module provides the function of displaying the PIM state of interfaces.
Select BASIC > Route Management > IPv4 Multicast > PIM > PIM State from the navigation
tree to enter the PIM state page, as shown in the following figure.
The E-BSR state page provides the function of displaying the E-BSR state of each
administrative scoping.
Select Basic > Route Management > IPv4 Multicast > PIM > E-BSR State from the navigation
tree to enter the E-BSR state page, as shown in the following figure.
The E-BSR page allows you to query the BSR state list by clicking the <Search> button. The
parameters of the E-BSR state page are shown in the following:
8.10.5.5 RP state
The RP state page allows you to query the multicast group information that an RP corresponds
to.
Select Basic > Route Management > IPv4 Multicast > PIM > RP State from the navigation tree
to enter the RP state page, as shown in the following figure.
(1) Beside "Query group address", enter the multicast group address whose RP you want to
query.
(2) Click the Search button; the RP information that corresponds to the multicast group is
displayed.
8.10.6 MSDP
In a PIM-SM domain, a multicast source only registers with the RP that corresponds to the
multicast group in its own PIM-SM domain, so the RP of one PIM-SM domain cannot learn the
source information of other domains, and multicast data cannot be transmitted between
domains. MSDP is used to solve this problem.
MSDP (Multicast Source Discovery Protocol) is an inter-domain multicast routing protocol. To
connect the RPs of the individual domains, it selects appropriate routers to establish MSDP
peers and exchanges SA (Source-Active) information between the peers to share multicast
source information, so that cross-domain transmission of multicast data can be realized over a
cross-domain multicast distribution tree.
Take the following figure as an example. The working procedure of MSDP is shown in the
following:
1. Constructing the RPT
Receiver 2 wants to join multicast group G and sends an IGMP membership report to router C.
As the DR on the receiver 2 side, router C receives the report from receiver 2 and sends a
(*, G) join message to RP2 in the PIM-SM2 domain to establish the RPT whose root is router D
(RP2) and whose leaf is receiver 2.
2. Source registration
Multicast source 1 sends multicast data to multicast group G. Router A, the DR on the
multicast source side, which is directly connected to multicast source 1, encapsulates the
received multicast data in register packets and sends them to RP1 to register in PIM-SM1.
3. SA information interaction
Router B, as the RP of the PIM-SM1 domain, learns the information of multicast source 1 after
receiving the register packets from router A, and periodically sends SA messages to its MSDP
peer to share the multicast source information. Router D, as router B's peer, learns the
information of multicast source 1 from the SA messages.
4. Constructing the SPT
Router D, as the RP of the PIM-SM2 domain, checks whether there is a receiver of multicast
group G in its domain after it learns the information of multicast source 1. Receiver 2 is found
to want the data of multicast group G, so router D sends (S, G) join packets hop-by-hop toward
multicast source 1 to establish an SPT whose root is multicast source 1 and whose leaf is
router D (RP2).
5. Cross-domain transmission
Multicast data is transmitted to router D (RP2) along the SPT, and then to receiver 2 along the
RPT, which realizes the cross-domain transmission of multicast data.
The MSDP module allows you to configure MSDP parameters, including enabling MSDP, the
SA create policy and the MSDP peer configuration.
Select Basic > Route Management > IPv4 Multicast > MSDP > MSDP from the navigation tree to
enter the MSDP page, as shown in the following figure.
The system configuration allows you to enable the MSDP function. Its advanced configuration
includes Encapsulate Data Message, Configure SA-RP Address, Enable SA-Cache, The Max
Num of SA-Cache and Peer Connect Retry Period.
In the SA create policy, click the <Enable> button to enable this function. For the SA create
policy range, you can configure the source address, source address mask, group address
and group address mask.
In the MSDP peer configuration, you set the peer address, interface, SA policy limit, send
SA request, SA request filter, SA request filter limit, advanced configuration and status. The
advanced configuration allows you to set the neighbor AS domain, mesh-group and static
RPF peer.
The peer state module provides the function of displaying the MSDP peer state.
Select Basic > Route Management > IPv4 Multicast > MSDP > Peer state from the navigation
tree to enter the peer state page, as shown in the following figure.
The cache state module provides the function of displaying the SA cache state, including
source address, group address and RP address.
Select Basic > Route Management > IPv4 Multicast > MSDP > Cache state from the navigation
tree to enter the cache state page, as shown in the following figure.
Multicast VPN is a multicast transmission technology that can be used in an MPLS L3VPN
network. It is mainly realized with the MD (Multicast Domain) scheme. Because the MVRFs that
belong to the same VPN instance exist on different PEs, multicast VPN adds these MVRFs to
the domain identified by the Share-Group and builds multicast tunnels between them. Private
network multicast packets are encapsulated in public network multicast packets, which can be
transmitted over the public network through the multicast tunnel.
The MVRFs that are distributed on different PEs and belong to the same VPN instance are added
to the same MD, and a share-group address is specified for the MD as the public network
multicast group address. As shown in the figure above, the MVRFs belonging to the same VPN
instance on PE1, PE2 and PE3 form the multicast domain.
To establish a multicast tunnel, the MVRFs belonging to the same VPN instance on each
multicast device in the multicast domain are connected to each other, which provides a channel
for private network multicast packets to be transmitted over the public network. In actual
forwarding, the private network packets are encapsulated in public network multicast packets
and transmitted along the MDT (Multicast Distribution Tree) constructed in the public network.
As shown in the figure above, the white arrows represent the multicast tunnels established
between the MVRFs on the PEs in the multicast domain.
The multicast distribution trees created for the MVRFs of the same VPN instance include the
Share-MDT and the Switch-MDT. Private multicast packets are encapsulated in public network
multicast packets along the Share-MDT, using the share-group address as the destination
address of the packets. Because all private multicast packets of the same VPN instance are
transmitted along the Share-MDT, every PE device receives the multicast data forwarded along
the Share-MDT regardless of whether it has a connected receiver. Therefore, when the data a
PE sends into the public network exceeds the threshold, that PE, as the source, sends a
distribution tree switchover notification to the PE devices that belong to the VPN instance in the
multicast domain, and switches the multicast distribution tree from the Share-MDT to the
Switch-MDT. After switching to the Switch-MDT, the private network multicast data is
encapsulated in public network multicast packets that use an idle Switch-Group address as the
destination address, and is delivered along the Switch-MDT to the receivers. Switching between
the Share-MDT and the Switch-MDT helps to reduce the CPU consumption of the P devices (the
backbone routers). As shown in the figure above, the dark blue arrows represent the Share-MDT
established between the PEs. Even if PE2 is not connected to any receiver, it still receives the
multicast data forwarded by PE1 and PE3 along the Share-MDT. When the data that PE1 and
PE3 send into the public network exceeds the threshold, the Share-MDT is switched to the
Switch-MDT represented by the red arrows, and PE2 no longer receives the multicast data from
PE1 and PE3.
Select Basic > Route Management > IPv4 Multicast > Multicast VPN from the navigation tree to
enter the multicast VPN page, as shown in the following figure.
The multicast source proxy is a technology that receives multicast data from different
interfaces and forwards it out of one fixed outbound interface.
Select Basic > Route Management > IPv4 Multicast > Multicast Source Proxying from the
navigation tree to enter the multicast source proxying page, as shown in the following figure.
Click the Enable Multicast Source Proxying button to enable the multicast source proxy. Then
set the outbound interface for the multicast data.
A static multicast route is a route that can be used for the RPF check but cannot directly guide
multicast data forwarding. It only takes effect on the router where it is configured; it is not
advertised by any means and cannot be imported by other routers. After you configure a static
multicast route, the router looks up both the unicast routing table and the static multicast
routing table when it performs the RPF check and selects the optimal route as the RPF route.
The router then forwards multicast data according to the multicast routing table created by the
RPF check.
Select Basic > Route Management > IPv4 Multicast > Multicast Static Routing from the
navigation tree to enter the multicast static routing page, as shown in the following figure.
The parameters of the static multicast routing configuration are shown in the following:
Multicast source address: set the multicast source IP address and mask.
Interface name: set the interface that is connected to the RPF neighbor.
Neighbor address: set the IP address of the RPF neighbor.
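An added Python example (not DPtech code) of the RPF check described above, with a static multicast route consulted beside the unicast routing table. The selection rule between the two tables (the more specific prefix wins, the static multicast route is preferred on a tie) and all addresses and interface names are assumptions constructed for the example.

```python
"""RPF check with a static multicast route beside the unicast routing table.

Added example, not DPtech code. The rule for choosing between the two tables
is an assumption for this example: the more specific prefix wins, and on equal
prefix length the static multicast route is preferred. Addresses and interface
names are constructed.
"""
import ipaddress


class RpfTable:
    def __init__(self):
        self.unicast = []         # (network, outgoing interface, next hop)
        self.static_mroute = []   # (source network, interface, RPF neighbor)

    def add_unicast(self, prefix, iface, next_hop):
        self.unicast.append((ipaddress.IPv4Network(prefix), iface, next_hop))

    def add_static_mroute(self, source_prefix, iface, neighbor):
        self.static_mroute.append((ipaddress.IPv4Network(source_prefix), iface, neighbor))

    @staticmethod
    def _longest_match(table, addr):
        best = None
        for net, iface, hop in table:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface, hop)
        return best

    def rpf_route(self, source):
        """Return ("static" | "unicast", interface, neighbor) used as the RPF route, or None."""
        src = ipaddress.IPv4Address(source)
        uni = self._longest_match(self.unicast, src)
        sta = self._longest_match(self.static_mroute, src)
        if sta and (uni is None or sta[0].prefixlen >= uni[0].prefixlen):
            return ("static", sta[1], sta[2])
        if uni:
            return ("unicast", uni[1], uni[2])
        return None

    def rpf_check(self, source, in_iface):
        """Pass only if the packet arrived on the interface that leads back to its source;
        data with no RPF route, or arriving on any other interface, fails and is dropped."""
        route = self.rpf_route(source)
        return route is not None and route[1] == in_iface


def build_example_table():
    """Constructed tables: unicast reaches 10.1.0.0/16 via ge0/1, but multicast
    from 10.1.2.0/24 must be accepted from the RPF neighbor on ge0/2."""
    t = RpfTable()
    t.add_unicast("10.1.0.0/16", "ge0/1", "10.1.0.254")
    t.add_static_mroute("10.1.2.0/24", "ge0/2", "10.1.2.254")
    return t


if __name__ == "__main__":
    t = build_example_table()
    print(t.rpf_route("10.1.2.7"))           # static route wins: ('static', 'ge0/2', '10.1.2.254')
    print(t.rpf_check("10.1.2.7", "ge0/2"))  # True, accepted
    print(t.rpf_check("10.1.2.7", "ge0/1"))  # False, dropped although unicast points here
```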
The multicast routing table module provides the function of displaying the multicast routing
table, including group address, multicast source address, incoming interface and outgoing
interface information.
Select Basic > Route Management > IPv4 Multicast > Multicast Routing Table from the
navigation tree to enter the multicast routing table page, as shown in the following figure.
The parameters of the multicast routing table are shown in the following. You can click the
<Search> button to refresh it.
The PIM multicast routing table module provides the function of displaying PIM multicast
routing table entries, including (*, G) / (S, G), RP, flags, incoming interface, upstream neighbor
and outgoing interface.
Select Basic > Route Management > IPv4 Multicast > Multicast Routing Table > PIM
Multicast Routing Table from the navigation tree to enter the PIM multicast routing table page,
as shown in the following figure.
The parameters of the PIM multicast routing table are shown in the following. You can click the
Search button to refresh it.
(*, G) / (S, G): display the PIM entry in (*, G) / (S, G) notation.
RP: display the RP that corresponds to the PIM entry.
Flags: display the flag bits of the PIM entry.
Incoming interface: display the incoming interface of the multicast traffic.
Upstream neighbor: display the IP address of the upstream PIM neighbor.
Outgoing interface: display the outgoing interface of the multicast traffic.
The IGMP multicast routing table module provides the function of displaying IGMP routing table
entries, including (*, G) and outgoing interface information.
Select Basic > Route Management > IPv4 Multicast > Multicast Routing Table > IGMP
Multicast Routing Table from the navigation tree to enter the IGMP multicast routing table
page, as shown in the following figure.
The parameters of the IGMP multicast routing table are shown in the following. You can click
the Search button to refresh it.
The IGMP proxying routing table module provides the function of displaying the IGMP proxying
routing table, including (*, G) / (S, G), incoming interface and outgoing interface information.
Select Basic > Route Management > IPv4 Multicast > Multicast Routing Table > IGMP
Proxying Routing Table from the navigation tree to enter the IGMP proxying routing table page,
as shown in the following figure.
The parameters of the IGMP proxying routing table are shown in the following. You can click
the Search button to refresh it.
(*, G) / (S, G): display the IGMP proxying entry in (*, G) / (S, G) notation.
Incoming interface: display the incoming interface of the multicast traffic.
Outgoing interface: display the outgoing interface of the multicast traffic.
The address space is rich. The expanded capacity and optimized structure of multicast
addresses improve routing efficiency and data throughput, and meet the need to transmit
large amounts of information in video applications.
High bandwidth utilization. By means of the scope field of the IPv6 multicast address, IPv6
multicast is divided into intra-domain multicast and inter-domain multicast, which transmits
multicast data efficiently within the domain and avoids congesting low-speed inter-domain
links. The improved bandwidth utilization creates favorable conditions for the spread of
high-bandwidth applications such as large-scale video conferencing.
The multicast data transmission quality is stable. A 20-bit flow label field is reserved in the
IPv6 packet header. It enables network devices to keep the order of video and audio
streams, which helps to improve the quality of multicast data transmission.
Multicast transmission security is high. IPv6 IPSec is an open architecture that can ensure
the security of multicast communication by providing encryption security services.
Before you configure the IPv6 multicast function, you must enable the IPv6 forwarding function
in the basic configuration.
The basic configuration module provides the function of enabling / disabling IPv6 multicast on
an interface and setting the multicast border of the interface.
Select Basic > Route Management > IPv6 Multicast > Basic Configuration from the navigation
tree to enter the basic configuration page, as shown in the following figure.
MLD Snooping is a multicast control mechanism based on IPv6. It maintains a Layer 2
multicast forwarding table and limits the scope of Layer 2 multicast by snooping the MLD
information exchanged between Layer 2 and Layer 3. MLD Snooping saves bandwidth and
enhances the security of multicast.
A device with the MLD Snooping function enabled automatically snoops the MLD information
exchanged between the router and the hosts. The device completes the following two tasks:
Learns router ports and member ports. A router port faces the upstream multicast device;
the MLD Snooping device learns it from MLD general query messages and IPv6 PIM Hello
messages. A member port faces a downstream host; the MLD Snooping device learns it from
MLD membership report messages.
Establishes the mapping between multicast MAC addresses and member ports. When
multicast data is received, the MLD Snooping device determines the forwarding path of the
packet according to this mapping.
Besides dynamic learning, you can configure static router ports. Static member ports are
configured as mappings between a multicast MAC address and a member port.
On switch A, the port facing the router is a router port and the port facing switch B is a
member port; on switch B, the port facing switch A is a router port and the port facing host C
is a member port. With MLD Snooping enabled on switch A and switch B, after they receive
IPv6 multicast data on their router ports they forward the data to the downstream member ports
only. Because the port facing host A is not a member port, the IPv6 multicast data is not
forwarded to host A.
The MLD Snooping module provides the function of enabling MLD Snooping and allows the user
to configure VLAN interface information.
Select Basic > Route Management > IPv6 Multicast > MLD Snooping > MLD Snooping from
the navigation tree to enter the MLD snooping page, as shown in the following figure.
The system configuration allows the user to enable the MLD Snooping function. In the advanced
configuration, the user can configure the router port aging timer and the member port aging
timer. The parameters of the VLAN configuration are shown in the following:
Layer 2 unknown multicast packets are multicast data packets that have no corresponding entry
in the IGMP Snooping forwarding table. When you enable the Layer 2 unknown multicast drop
function, a switch that receives unknown multicast packets forwards them to the router port
only and does not broadcast them in the VLAN; if the switch has no router port, the packets are
dropped and not forwarded any further. When you disable the Layer 2 unknown multicast drop
function, the switch broadcasts unknown multicast packets in the VLAN they belong to.
Select BASIC > Route Management > IPv6 Multicast > MLD Snooping > Layer 2 unknown
multicast drop from the navigation tree to enter the Layer 2 unknown multicast drop page, as
shown in the following figure.
Select BASIC > Route Management > IPv6 Multicast > MLD Snooping > MLD Snooping
state from the navigation tree to enter the MLD Snooping state page, as shown in the following
figure.
The query conditions include all information and VLAN ID, that is, you can query the MLD
Snooping routing state information of all VLANs or of a specific VLAN.
The parameters of the MLD Snooping state page are shown in the following:
8.11.3 MLD
MLD messages are carried in ICMPv6 (Internet Control Message Protocol for IPv6) and use the
link-local address of the router that sends the packet as the source address. Because the hop
limit of all MLD messages is fixed at 1, MLD packets are only forwarded on the local link.
Currently, MLD has two versions: MLDv1 (RFC 2710) and MLDv2 (RFC 3810). The following
describes the working principle of MLDv1 and MLDv2.
1. MLDv1
MLDv1 was developed from IGMPv2, and its operating mechanism is basically the same as
that of IGMPv2. MLDv1 is mainly used for multicast group management in ASM mode.
When there are multiple MLD routers on a network segment, all of them initially assume they
are the querier and send MLD general query messages with the destination address FF02::1 to
all routers and hosts on the segment. Every router that receives a general query compares the
source IPv6 address of the packet with its own address: the router with the smallest IPv6
address becomes the querier, and the other routers become non-queriers. At this point, every
non-querier starts an other querier present timer. If a non-querier receives a general query from
the querier before this timer (the querier collision suppression time) expires, the timer is reset;
otherwise, the querier is re-elected. As shown in Figure 8-91, Router 1 and Router 2 both
initially assume they are the querier and send MLD general queries to each other. The router
with the smaller IPv6 address becomes the querier, and Router 1 becomes the non-querier.
Joining a multicast group is divided into two cases: active join and response join.
Active join: when a host wants to join an IPv6 multicast group, it actively sends an MLD
report with the IPv6 multicast group address as the destination address to the querier,
announcing that it wishes to receive the multicast data of that group, instead of waiting for
an MLD general query from the querier. As shown in Figure 3-108, host A wishes to receive
multicast packets from multicast group G1 and sends an MLD report message to multicast
group G1.
Response join: the querier periodically sends MLD general queries to all hosts and routers
on the local network segment to check whether there are multicast listeners on the network.
If a host on the segment wants to join a multicast group, it sends an MLD report as a
response. As shown in Figure 8-91, host B receives the MLD general query from the querier
and sends an MLD report to multicast group G2.
(3) Response suppression
Because all hosts and routers on the same network segment receive the MLD report messages
sent by a host, as soon as one host sends a membership report announcing that it joins a
multicast group, the other hosts joining the same multicast group do not send a membership
report in response. This mechanism is called the response suppression mechanism, and it
reduces the amount of traffic within the local network segment. As shown in Figure 8-91, both
Host B and Host C want to join multicast group G2. Host C does not send a membership report
because Host B has already sent an MLD report.
When a host wants to leave a multicast group, it sends an MLD leave group message. After
receiving the leave message, the querier sends MLD group-specific queries n times (the
number of queries is determined by the robustness variable, 2 by default) to confirm whether
the multicast group still has members on the network segment. If the querier does not receive
an MLD report for the group from any host on the segment within the maximum response time,
it considers that the multicast group has no members on the segment and no longer forwards
the data of that group. As shown in Figure 8-91, when Host B sends the MLD leave group
packet, the querier immediately sends MLD group-specific queries to all hosts on the network
segment.
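The querier election and other querier present timer described above, as an added Python example that is not the device's code; the link-local addresses and the timer value are assumptions constructed for the example, and time is passed in explicitly so the timer can be exercised offline.

```python
"""MLDv1 querier election on one link: every router starts as querier, the
smallest link-local address wins, and each non-querier keeps an other querier
present timer that triggers re-election when it expires.

Added example, not DPtech code. Addresses and the timer value are constructed;
the MLD message payload itself is not modelled, only the source address seen.
"""
import ipaddress


class MldRouter:
    def __init__(self, link_local, other_querier_present_interval=255.0):
        self.addr = ipaddress.IPv6Address(link_local)
        self.interval = other_querier_present_interval
        self.is_querier = True        # initial default on every router
        self.querier_addr = self.addr
        self.timer_expiry = None      # set only while acting as non-querier

    def receive_general_query(self, src, now):
        """Process a general query (destination FF02::1) seen on the link."""
        src = ipaddress.IPv6Address(src)
        if src < self.querier_addr:
            # a router with a smaller address is present: step down to non-querier
            self.is_querier = False
            self.querier_addr = src
            self.timer_expiry = now + self.interval
        elif src == self.querier_addr and not self.is_querier:
            # query from the current querier: it is still alive, reset the timer
            self.timer_expiry = now + self.interval
        # a query from a larger address is ignored; that router steps down itself
        return self.is_querier

    def tick(self, now):
        """Check the other querier present timer; return whether this router is querier."""
        if not self.is_querier and now >= self.timer_expiry:
            # the querier went silent: re-elect, this router resumes the querier role
            self.is_querier = True
            self.querier_addr = self.addr
            self.timer_expiry = None
        return self.is_querier


def elect(routers, now=0.0):
    """Let every router see every other router's initial general query;
    return the addresses that remain querier (exactly one on a healthy link)."""
    for r in routers:
        for other in routers:
            if other is not r:
                r.receive_general_query(str(other.addr), now)
    return [str(r.addr) for r in routers if r.is_querier]


if __name__ == "__main__":
    r1, r2 = MldRouter("fe80::2"), MldRouter("fe80::1")
    print(elect([r1, r2]))          # ['fe80::1']: the smaller address is querier
    print(r1.tick(300))             # False: timer (255 s) still running
    print(r1.tick(400))             # True: querier silent, Router 1 takes over
```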
2. MLDv2
MLDv2 was developed from IGMPv3. Compared with MLDv1, it adds the source filtering
function, so it can be used not only for multicast group management in ASM mode but also for
multicast group management in SSM mode.
The source filtering function enables a host to explicitly request to receive, or not to receive,
multicast data from specific IPv6 multicast sources when it joins multicast group G.
As shown in the above figure, host A wishes to receive the multicast data from multicast
sources S1 and S2, so it sends an MLD report message marked INCLUDE source (S1, S2) to
its directly connected router C, and router C forwards the (S1, G) and (S2, G) streams to host A.
Host B does not wish to receive the multicast data from multicast source S1, so it sends an
MLD report message marked EXCLUDE source (S1) to its directly connected router D, and
router D forwards the (S2, G) multicast stream to host B but does not forward the (S1, G)
multicast stream to host B.
8.11.3.2 MLD
The MLD module provides the function of configuring MLD interface information.
Select BASIC > Route Management > IPv6 Multicast > MLD > MLD from the navigation tree to
enter the MLD page, as shown in the following figure.
The MLD state module displays the status of the IPv6 multicast groups directly connected to
the device, including the interface name, multicast group address, multicast source address and
multicast group mode.
Select Basic > Route Management > IPv6 Multicast > MLD > MLD state from the navigation
tree to enter the MLD state page, as shown in the following figure.
The MLD state module supports a query function. The parameters of the MLD state page are
shown in the following:
8.11.4 PIM
IPv6 PIM (Protocol Independent Multicast for IPv6) provides routing for IPv6 multicast by relying
on the IPv6 unicast routing table, which may be generated by any IPv6 unicast routing protocol;
it does not maintain a unicast routing protocol of its own.
IPv6 PIM includes IPv6 PIM-DM, IPv6 PIM-SM, and IPv6 PIM-SSM.
IPv6 PIM-SM (PIM Sparse Mode for IPv6) is the sparse mode of IPv6 protocol-independent
multicast. It forwards IPv6 multicast data by building a shared tree (RPT) and shortest path trees
(SPT), and is suitable for large-scale networks in which the members are relatively dispersed.
It has seven working mechanisms: neighbor discovery, DR election, RP discovery, RPT
building, IPv6 multicast source registration, SPT switchover, and assert.
(1) Neighbor discovery
In an IPv6 PIM domain, all multicast routers discover and maintain IPv6 PIM neighbors by
periodically sending IPv6 PIM hello packets.
(2) DR election
(3) RP discovery
The RP is the convergence point of multicast data in an IPv6 PIM-SM domain and is
responsible for forwarding the data of some or all IPv6 multicast groups. It can be statically
configured, or elected dynamically through the bootstrap mechanism. When the bootstrap
mechanism is used, an E-BSR (Bootstrap Router) must first be elected. The main role of the
E-BSR is to collect the advertisements sent by candidate RPs and to send out bootstrap
messages that carry the RP set. The RP set is a database of IPv6 multicast group to RP
mappings: the E-BSR aggregates the candidate RP advertisements it collects (each carrying
the candidate RP address, its priority, and the range of IPv6 multicast groups it serves), and
the PIM routers use that information to select the RP for a specific IPv6 multicast group.
As shown above, Router A acts as E-BSR, collects the advertisements from Router B, Router
C, and Router D, and aggregates them into the RP set. The RP set is advertised in bootstrap
messages to the entire IPv6 PIM-SM domain. Finally, every router in the domain can select the
corresponding RP for a specific IPv6 multicast group according to the information in the RP set.
Initially, IPv6 PIM-SM assumes that no router in the domain needs to forward the data of an
IPv6 multicast group; data is forwarded only after a request is received. When a receiver wants
to join an IPv6 multicast group, it sends an MLD report to its directly connected DR. After
receiving the report, the DR sends a (*, G) join message hop by hop toward the RP. Each router
the join passes through creates a (*, G) entry, which forms the RPT with the RP as the root and
the receiver-side DR as a leaf.
As shown in the above figure, the receiver sends an MLD report to its directly connected
Router C. Router C, as the receiver-side DR, sends a (*, G) join message hop by hop toward
the RP, forming an RPT with the RP as the root and the receiver as the leaf.
To let the RP learn the location of the IPv6 multicast source, the source-side DR encapsulates
the IPv6 multicast data it receives in register messages and unicasts them to the RP through
the register tunnel. The RP decapsulates the register messages, forwards the data along the
RPT to the receivers, and sends (S, G) join messages hop by hop toward the multicast source.
Each router the join passes through creates an (S, G) entry, which forms an SPT with the
multicast source as the root and the RP as the leaf. Once the SPT is established, the multicast
data is sent natively along the SPT to the RP. After receiving multicast data along the SPT, the
RP sends a register-stop message to the source-side DR through the register tunnel, and the
DR stops encapsulating the multicast data. At this point the IPv6 multicast source registration
is complete.
As shown in the figure above, the IPv6 multicast source sends the first IPv6 multicast data to
Router A, the source-side DR. Router A encapsulates the data in register messages and sends
them through the register tunnel to Router E, the RP. Router E decapsulates the register
messages, forwards the data along the RPT to the receiver, and sends (S, G) join messages
hop by hop toward the IPv6 multicast source, forming an SPT with the source as the root and
the RP as the leaf. Once the multicast data arrives along the SPT, the RP sends a register-stop
message through the register tunnel to the source-side DR, which stops encapsulating the
multicast data. At this point the IPv6 multicast source is registered.
After receiving the first IPv6 multicast data, the receiver-side DR immediately initiates the SPT
switchover to relieve the load on the RP and to ensure that the IPv6 multicast data reaches the
receiver along the shortest path. The receiver-side DR sends an (S, G) join message hop by
hop toward the source-side DR, and each router it passes through creates an (S, G) entry,
forming an SPT with the multicast source as the root and the receiver as the leaf. The IPv6
multicast data is then forwarded along both the SPT and the RPT to the router where the two
trees fork. After that router receives the data along the SPT, it discards the copy forwarded
along the RPT and sends an RPT prune message hop by hop toward the RP. After receiving the
RPT prune message, the RP checks whether there are other receivers of that IPv6 multicast
data; if there are none, it sends a prune message hop by hop toward the multicast source,
which completes the switchover from the RPT to the SPT.
As shown in the above figure, Router C, as the receiver-side DR, initiates the SPT switchover
immediately after receiving the first IPv6 multicast data and sends an (S, G) join message
toward the source-side DR, forming an SPT with the multicast source as the root and the
receiver as the leaf. Here Router C is both the fork router of the RPT and SPT and the
receiver-side DR. After it receives the IPv6 multicast data along the SPT, Router C discards
the data received along the RPT and sends an RPT prune message hop by hop toward the RP.
Router E, the RP, receives the RPT prune message, finds that the IPv6 multicast data has no
other receivers, and sends a prune message hop by hop toward the multicast source, finally
completing the switchover from the RPT to the SPT.
When a device receives IPv6 multicast data on a downstream interface, it means that there is
another upstream device on that network segment, and the assert mechanism starts. The
device sends assert messages out of the downstream interface and takes part in the election
of the segment's only upstream forwarder. The assert message carries the IPv6 multicast
source address, the IPv6 multicast group address, and the unicast route preference and metric
from the sending router to the IPv6 multicast source.
As shown in the figure above, after Router A and Router B both receive IPv6 multicast data from
the multicast network, each forwards it onto the local network segment, so Router C receives
two identical copies of the IPv6 multicast data, and Router A and Router B each receive, on
their downstream interface, the copy sent by the other. At this point the assert mechanism
starts: Router A and Router B multicast assert messages out of the downstream interface to
the routers on the local segment, and by comparing the parameters carried in the messages
they elect a single forwarder of the IPv6 multicast data for the local network segment.
8.11.4.2 PIM
The IPv6 PIM module provides the functions of setting candidate E-BSRs, static RPs, candidate
RPs, SSM group ranges, and PIM interfaces.
Select Basic > Route Management > IPv6 Multicast > PIM > PIM from navigation tree to enter
the PIM configuration page, as shown in the following figure.
The PIM state module displays the PIM state of each interface.
Select Basic > Route Management > IPv6 Multicast > PIM > PIM State from navigation tree to
enter the PIM state page, as shown in the following figure.
The query function queries PIM state information according to the query conditions. The
parameters are shown in the following:
8.11.4.4 E-BSR
The E-BSR state module displays information about the elected E-BSR.
Select Basic > Route Management > IPv6 Multicast > PIM > E-BSR State from navigation
tree to enter the E-BSR state page, as shown in the following figure.
You can query or refresh the E-BSR list by clicking the <Query> button. The parameters of the
E-BSR state are shown in the following:
8.11.4.5 RP state
The RP information module provides the function of querying the RP that serves a given
multicast group.
Select Basic > Route Management > IPv6 Multicast > PIM > RP State from navigation tree to
enter the RP state page, as shown in the following figure.
The query function looks up the RP information according to the multicast group address.
(1) Enter the multicast group address to be queried in the query group address field.
(2) Click the <Query> button. The RP information list displays the RP information
corresponding to the specified multicast group address.
The multicast routing table module displays IPv6 multicast routing entries, including the group
address, multicast source address, inbound interface, and outbound interface information.
Select Basic > Route Management > IPv6 Multicast > Multicast Routing Table > Multicast
Routing Table from navigation tree to enter the multicast routing table page, as shown in the
following figure.
The Query button refreshes the multicast routing table. The parameters of the multicast routing
table are shown in the following:
The PIM multicast routing table module displays IPv6 PIM multicast routing entries, including
(*, G) / (S, G), RP, flags, incoming interface, upstream neighbor, and outbound interface
information.
Select BASIC > Route Management > IPv6 Multicast > Multicast Routing Table > Multicast
Routing Table from navigation tree to enter the multicast routing table page, as shown in the
following figure.
The Query button refreshes the PIM multicast routing table. The parameters of the PIM
multicast routing table are shown in the following:
(*, G) / (S, G): displays whether the PIM entry is a (*, G) entry or an (S, G) entry.
9 Network Protocol
9.1 DHCPv4
DHCP (Dynamic Host Configuration Protocol) is a UDP-based protocol used in local area
networks. It is commonly used in large LANs for centralized management and IP address
distribution: it allows hosts in the network to obtain an IP address, gateway address, DNS
server address, and other information, and it improves address utilization.
DHCP uses a client/server model and allocates host addresses dynamically. When the DHCP
server receives a request for IP address information from a network host, it sends the relevant
address to that host, so that host addresses are allocated dynamically.
DHCP Relay (DHCPR), also called a DHCP relay agent, forwards DHCP packets between the
DHCP server and clients. If the DHCP client and server are not in the same subnet, a DHCP
relay agent is needed to carry the DHCP request and response packets between them. Unlike
normal routed forwarding, which is transparent and does not modify IP addresses, a DHCP relay
agent receives a DHCP message and generates a new DHCP message of its own. From the
DHCP client's point of view, the relay agent looks like a DHCP server; from the DHCP server's
point of view, the relay agent looks like a DHCP client.
9.1.1 DHCP
The DHCPv4 server configuration module provides the function of setting the parameters of
the DHCPv4 address pool and importing / exporting configuration information.
Select Basic > Network Protocol > DHCPv4 > DHCPv4 server from navigation tree to enter
the DHCPv4 server page, as shown in the following figure.
After you enable the DHCPv4 server function, it is recommended to save the lease information.
Otherwise the DHCPv4 address information is lost when the device reboots, and the device can
no longer manage the network's hosts through DHCPv4.
DHCPv4 address pool configuration and host configuration provide the function of deleting all
address pools and deleting the addresses of all hosts. The host address configuration supports
a query function by host name, MAC address, and IP address. It also supports conflict
detection before importing and exporting configurations.
The parameters of DHCPv4 address pool configuration are shown in the following:
Interface name: the interface on which the DHCPv4 server provides DHCPv4 service.
Address pool: the DHCPv4 address pool range, configured as a start IP and an end IP. The
start IP and end IP must be in the same network.
Gateway address: the gateway address handed to DHCPv4 clients.
Relay agent address: the relay agent address that the device accepts as the legitimate
DHCPv4 relay for this pool.
CAPWAP V4: the address of the wireless access controller (AC). When the client is an AP, it
uses this option to locate the AC.
Domain name server: the DNS server address, used to tell clients the location of the DNS
server.
WINS server: the WINS server IP address; you can configure two. It is used to tell clients the
location of the WINS server.
Domain name: the DNS domain name DHCPv4 option. It specifies the domain name the
DHCPv4 client should use to complete a host name it cannot resolve on its own.
Advanced options: configure specific Option fields to be carried in DHCPv4 packets.
Lease (minutes): the lease time, in minutes.
The address in a DHCPv4 host address configuration must be an address from the address
pool. When the device receives a client's DHCPv4 packets, it checks whether the host name
option in the packets matches the configured host name. Only when both the host name and
the MAC address match does the device allocate the configured IP address to the client. Note
that both the host name option and the client MAC address are supplied by the client itself, so
a host reservation identifies a device but does not authenticate it.
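The matching rule above (host name option and MAC must both match, and the reserved address must lie inside the pool) is shown here as an added example written for this page, not DPtech code. It parses a DHCPDISCOVER at the byte level, which is where the "client-supplied" nature of both fields becomes obvious. The reservation table, pool range, MACs and the packet are constructed sample data; the wire layout follows RFC 2131/2132.

```python
"""DHCPv4 host reservation: parse a DHCPDISCOVER/REQUEST, pull the client MAC
(chaddr) and the host name option (option 12), and hand out the reserved address
only when both match a configured reservation that lies inside the pool.

Added example (not DPtech code). Reservation names, MACs, IPs and the packet
itself are constructed sample data; the wire layout follows RFC 2131/2132.
"""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_HOST_NAME, OPT_MSG_TYPE, OPT_END = 0, 12, 53, 255
DHCPDISCOVER, DHCPREQUEST = 1, 3


def parse_dhcp(pkt: bytes):
    """Return (chaddr bytes, {option_code: value}) from a raw BOOTP/DHCP payload."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    hlen = pkt[2]
    if hlen == 0 or hlen > 16:
        raise ValueError("bad hardware address length")
    chaddr = pkt[28:28 + hlen]          # client hardware address, hlen bytes of the 16
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(pkt):
            raise ValueError("truncated option header")
        length = pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value              # last occurrence wins (no RFC 3396 reassembly)
        i += 2 + length
    return chaddr, opts


def validate_reservations(reservations, pool_start, pool_end):
    """Enforce the rule that every reserved address lies inside the address pool."""
    lo, hi = IPv4Address(pool_start), IPv4Address(pool_end)
    for r in reservations:
        ip = IPv4Address(r["ip"])
        if not lo <= ip <= hi:
            raise ValueError(f"reserved {ip} for {r['hostname']} is outside {lo}-{hi}")
    return True


def match_reservation(pkt, reservations):
    """Return the reserved IP as a string only if BOTH host name and MAC match."""
    chaddr, opts = parse_dhcp(pkt)
    if opts.get(OPT_MSG_TYPE) not in (bytes([DHCPDISCOVER]), bytes([DHCPREQUEST])):
        return None
    hostname = opts.get(OPT_HOST_NAME, b"").decode("ascii", errors="replace")
    for r in reservations:
        if r["mac"] == chaddr and r["hostname"] == hostname:
            return r["ip"]
    return None  # no reservation: fall back to dynamic allocation from the pool


def build_discover(mac: bytes, hostname: str, xid: int = 0x3903F326) -> bytes:
    """Build a minimal constructed DHCPDISCOVER for testing; not a captured packet."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, len(mac), 0, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    fixed += mac.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128   # chaddr, sname, file
    options = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
    options += bytes([OPT_HOST_NAME, len(hostname)]) + hostname.encode("ascii")
    options += bytes([OPT_END])
    return fixed + MAGIC_COOKIE + options


# Constructed pool and reservation table (sample values, not from the manual).
POOL = ("192.0.2.10", "192.0.2.200")
RESERVATIONS = [
    {"hostname": "lab-pc", "mac": bytes.fromhex("001122334455"), "ip": "192.0.2.50"},
    {"hostname": "printer", "mac": bytes.fromhex("00aabbccddee"), "ip": "192.0.2.60"},
]

if __name__ == "__main__":
    validate_reservations(RESERVATIONS, *POOL)
    pkt = build_discover(bytes.fromhex("001122334455"), "lab-pc")
    print(match_reservation(pkt, RESERVATIONS))
```

Because anyone who knows a reserved host's MAC and host name can build the same packet, a reservation should be paired with the IP/MAC/port bindings used by the ARP defenses later in this chapter if the reserved address is meant to carry any trust.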
The DHCPv4 address table module displays the addresses that the DHCPv4 server has
allocated, including the host name, MAC address, IP address, and lease time.
Select Basic > Network Protocol > DHCPv4 > DHCPv4 server from navigation tree to enter
the DHCPv4 IP address table page, as shown in the following figure.
The parameters of the DHCPv4 address information list are shown in the following:
Select Basic > Network Protocol > DHCPv4 > DHCPv4 Relay Agent Configuration from
navigation tree to enter the DHCPv4 relay agent configuration page, as shown in the following
figure.
Enable the DHCPv4 relay function and set the DHCPv4 relay parameters, including the
interface list and the DHCPv4 server list.
9.2 DHCPv6
The DHCPv6 server configuration module provides the function of configuring the parameters of
the DHCPv6 address pool and of importing / exporting the configuration.
Select Basic > Network Protocol > DHCPv6 > DHCPv6 Server > DHCPv6 Server
Configuration from navigation tree to enter the DHCPv6 server configuration page, as shown in
the following figure.
The parameters of the DHCPv6 server configuration page are shown in the following:
the Browse button to set the file path. Click the Append Import or Cover Import button to
import the DHCPv6 server configuration from the selected file; click the Export button to
export the DHCPv6 server configuration file.
Select Basic > Network Protocol > DHCPv6 > DHCPv6 Server > DHCPv6 IP Address Table
Configuration from navigation tree to enter the DHCPv6 IP address table page, as shown in
the following figure.
The DHCPv6 IP address table module provides the function of querying IPv6 address
information, including No., client, DUID, IA_ID, IPv6 address, preferred lifetime, valid lifetime,
lease period, and type.
The DHCPv6 relay agent configuration module provides the function of setting the parameters of
the DHCPv6 relay agent.
Select Basic > Network Protocol > DHCPv6 > DHCPv6 Relay from navigation tree to enter the
DHCPv6 relay agent configuration page, as shown in the following figure.
Enable the DHCPv6 relay function and set the DHCPv6 relay parameters, including the server
interface list, the client interface list, and the DHCPv6 server list.
9.3 ARP
ARP (Address Resolution Protocol) resolves network layer (IP) addresses to data link layer
(MAC) addresses. It works as follows:
When the source host and the destination host are in the same network segment, the
source host looks up its local ARP cache by the destination IP address. If it does not find
the MAC address corresponding to the destination IP address, it broadcasts an ARP request
to all hosts in the network segment. The destination host receives the ARP request, finds
that the target IP address of the request matches its own address, and sends an ARP reply
containing its IP address and MAC address to the source host. When the source host
receives the ARP reply, it learns the MAC address corresponding to the destination IP
address and stores it in its local ARP cache. Subsequent packets are forwarded directly
according to the cached ARP entry.
When the source host and the destination host are not in the same network segment, the
source host looks up its local ARP cache by the destination IP address and, if it does not
find the MAC address corresponding to the destination IP address, first sends an ARP
request for the gateway's MAC address. After receiving the gateway's ARP reply, the source
host learns the gateway's MAC address, encapsulates the packet, and sends it to the
gateway. The gateway that receives the packet broadcasts an ARP request on the
destination network segment, in which the target IP address is the IP address of the
destination host. The gateway then learns the MAC address of the destination host from its
reply and forwards the packet to the destination host.
The ARP table module provides the function of viewing ARP entries and deleting dynamic ARP
entries according to the specified query conditions.
Select Basic > Network Protocol > ARP > ARP table from navigation tree to enter the ARP
table page, as shown in the following figure.
Searching condition: set the VLAN ID / port number to be queried. Click the Query button and
the ARP table matching your search condition is displayed at the bottom of the page. Click the
Search All button to display all entries of the ARP table at the bottom of the page.
ARP entries: display the ARP entries, including No., IP address, MAC address, VLAN ID,
port, and type. Click the Delete All Dynamic Entries button to delete all dynamic ARP entries
from the ARP table.
The static ARP configuration module provides the function of configuring static ARP entries.
Select Basic > Network Protocol > ARP > ARP Configuration > Static ARP Configuration
from navigation tree to enter the static ARP configuration page, as shown in the following figure.
VLAN ID: set the VLAN ID to which the static ARP entry corresponds.
Port: set the port to which the static ARP entry corresponds.
The ARP parameter configuration provides the function of setting the parameters of the dynamic
ARP table.
Select Basic > Network Protocol > ARP > ARP Configuration > ARP Parameter
Configuration from navigation tree to enter the ARP parameter configuration page, as shown in
the following figure.
The description of each parameter in the ARP parameter configuration page is as follows:
Enable ARP strict learning function: after this is enabled, the device does not create ARP
entries from received ARP request packets, so an unsolicited request cannot plant a new
entry in the table.
Enable the ARP response interface UP function: after this function is enabled, when an
interface changes from the down state to the up state, the device re-requests and relearns
the ARP entries related to that interface. This is mainly used for VLAN interfaces: when a
physical port goes from down to up, the device finds the VLAN interface that this physical
port belongs to and relearns all ARP entries of that VLAN interface.
ARP aging time setting: set the aging time of dynamic ARP entries. When the aging time is
reached, the corresponding dynamic ARP entry is deleted. The default value is 1200
seconds, and the value range is 1 to 86400.
ARP retransmission time setting: set the interval between the first ARP request and its
retransmission when the device sends an ARP request but receives no ARP reply. The
default value is 5, and the value range is 1 to 300.
Configuration of the maximum number of ARP detections: set how many times the device
sends an ARP request without receiving an ARP reply before it gives up. The default value
is 60, and the value range is 1-100.
Limit on the number of messages in each ARP cache: set the maximum number of packets
held per ARP cache entry. The default value is 3, and the value range is 0~1000.
Limit on the total number of ARP cache messages: set the maximum number of packets
held across all ARP cache entries. The default value is 100, and the value range is 0~1000.
Gratuitous ARP packets are a special kind of ARP packet used to detect IP address conflicts
and to notify other devices to update their ARP tables. Both the sender IP address and the
target IP address of a gratuitous ARP packet are the sender's own IP address; the source MAC
address is the sender's MAC address, and the destination MAC address is the broadcast
address.
The gratuitous ARP configuration module provides the function of setting the parameters of
gratuitous ARP.
Select Basic > Network Protocol > ARP > ARP Configuration > Gratuitous ARP
Configuration from navigation tree to enter the gratuitous ARP configuration page, as shown in
the following figure.
The parameters of the gratuitous ARP configuration page are shown in the following:
Enable the gratuitous ARP learning function: enables learning from gratuitous ARP. When
it is enabled, the device adds or updates ARP table entries from received gratuitous ARP
packets; when it is not enabled, the device only updates entries that already exist in the
ARP table according to the received packets and does not create new ARP entries.
Because gratuitous ARP carries no authentication, any host on the segment can send one,
so leave this learning disabled on segments whose hosts are not trusted and use static
bindings instead.
No.: displays the serial number of the periodic gratuitous ARP sending entry.
Interface: set the interface that sends gratuitous ARP packets.
Time interval (second): set the interval at which gratuitous ARP packets are sent.
Send flag: set which addresses gratuitous ARP packets are sent for, including the interface's
primary address and secondary addresses. You can select multiple options.
Data transmission in a LAN is based on MAC addresses, not IP addresses. ARP (Address
Resolution Protocol) is the protocol that converts IP addresses into physical (MAC) addresses.
When host A wants to send a packet to host B, it queries its local ARP cache table; if it finds
the MAC address corresponding to B's IP address, it starts transmitting. If it does not, A
broadcasts an ARP request (carrying host A's IP address and MAC address) asking for the
MAC address corresponding to host B's IP address. All hosts in the LAN, including B, receive
the ARP request, but only host B recognizes its own IP address, so it sends an ARP reply
containing B's MAC address back to host A. After A receives B's reply, it updates its local ARP
cache table and then uses this MAC address to send data. The locally cached ARP table is
therefore the basis of all traffic on the local network, and the cache is dynamic.
ARP does not accept replies only in answer to its own requests: when a computer receives an
ARP reply packet, it updates its local ARP cache and stores the IP and MAC addresses from the
reply. So if a machine B in the LAN sends a forged ARP reply to A in which B pretends to be C,
that is, the IP address is C's and the MAC address is forged, then after A receives B's forged
reply its local ARP cache is updated: from A's perspective, C's IP address has not changed but
its MAC address is no longer the original one. This is a form of ARP spoofing.
There are two types of ARP spoofing: one spoofs the gateway's ARP table; the other spoofs the
intranet PCs by impersonating the gateway.
The principle of the first type is to intercept the gateway's traffic. The attacker feeds the gateway
a series of incorrect MAC addresses for internal hosts, and keeps doing so at a certain rate, so
that the real address information cannot be updated and kept in the gateway device. As a
result, all traffic from the gateway is sent to the wrong MAC addresses and the real PCs never
receive it. The principle of the second type is to forge the gateway: the attacker sets up a fake
gateway so that the deceived PCs send their data to it instead of reaching the Internet through
the real gateway. From the PC's point of view it simply cannot get online; "the network is down".
DPtech devices prevent ARP spoofing by binding IP address to MAC address, VLAN, and
interface. In addition, the ARP learning function of an interface can be turned off, so that the
interface does not update its ARP cache table even when it receives an ARP reply, which
prevents ARP spoofing. If a new
host is added to the network, you can enable the ARP learning function or manually add the
Select Basic > Network Protocol > ARP > Basic Defense of ARP > ARP Dynamic Detection
from navigation tree to enter the ARP dynamic detection page, as shown in the following figure.
The list shows the ARP cache information learned by the device. Dynamically learned entries
can be added to, or deleted from, the static ARP cache.
Select Basic > Network Protocol > ARP > Basic Defense of ARP > ARP Source
Suppression from navigation tree to enter the ARP source suppression page, as shown in the
following figure.
Enable ARP source suppression and configure the threshold. When the device forwards an IP
packet whose next hop has no ARP entry, it sends an ARP request and creates an incomplete
ARP entry until the reply arrives. The number of incomplete ARP entries that packets from the
same source IP may create is capped at the configured threshold, which keeps a single host
from filling the ARP cache by sending packets to many unresolved destinations.
The ARP monitoring configuration module provides the function of preventing ARP spoofing by
turning off the ARP learning function of an interface.
Select Basic > Network Protocol > ARP > Basic Defense of ARP > ARP Monitoring
Configuration from navigation tree to enter the ARP monitoring configuration page, as shown in
the following figure.
Select the interface whose ARP learning function is to be turned off and set its state to on.
That interface then no longer automatically updates the ARP cache table.
The ARP log module provides the function of querying and deleting anti-ARP spoofing logs.
Select Basic > Network Protocol > ARP > Advanced Defense > ARP Monitoring Log from
navigation tree to enter the ARP monitoring log page, as shown in the following figure.
The ARP monitoring log page provides log query and delete functions.
Query: select or specify the time range and click the <Query> button; the ARP monitoring
logs of that time period are displayed in the ARP monitoring log list, including IP, real MAC,
spoofed MAC, and time.
Delete: click the Delete button to delete the content of the ARP monitoring log list.
ARP dynamic detection inspects ARP packets on the inbound interface. Only packets that pass
the ARP packet checks are forwarded. ARP dynamic detection can effectively prevent intrusion
by illegal users and fake gateway attacks.
Select Basic > Network Protocol > ARP > Advanced defense > ARP dynamic detection from
navigation tree to enter the ARP dynamic detection page, as shown in the following figure.
The parameters of the ARP dynamic detection configuration page are shown in the following:
Number: displays the serial number of the ARP dynamic detection configuration.
VLAN ID: set the VLAN in which ARP dynamic detection is enabled.
Detected interface: set the interface on which ARP dynamic detection is performed. The
interface must belong to the VLAN in which ARP dynamic detection is enabled and is treated
as an untrusted port; the other ports in this VLAN are trusted ports.
Expand the item: set the detection items for ARP dynamic detection, including ARP packet
validity check and ARP restricted forwarding.
Packet validity check: no ARP packet validity check is performed on trusted ports in the
VLAN; on the dynamic detection (untrusted) ports, ARP packets carrying illegal MAC
addresses or IP addresses are checked and filtered.
ARP restricted forwarding: ARP packets received on untrusted ports are forwarded
according to the anti-attack rules. The function does not restrict ARP packets received
on trusted ports.
ARP gateway protection: set the IP address of the protected ARP gateway. This protects
ports that are not connected to the gateway device against ARP spoofing. After this function
is enabled, when a port receives an ARP packet the device checks whether the packet's
sender IP address equals the protected gateway address. If it does, the packet is treated
as illegal and discarded; otherwise it is forwarded.
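To make the three checks concrete (packet validity on untrusted ports, gateway protection, and forwarding restricted to the IP/MAC/VLAN/port binding), here is an added example written for this page, not DPtech code. It parses raw Ethernet + ARP frames and applies the checks in that order, producing the same (IP, real MAC, spoofed MAC) triple that the ARP monitoring log records. The port names, VLAN ID, binding table, MAC addresses and the replayed frames are all constructed; dropping a sender that has no binding at all is an assumption of this example, not something the manual states.

```python
"""ARP dynamic detection on an untrusted port: packet validity check, gateway
protection and IP/MAC/VLAN/port binding check.

Added example (not DPtech code). Port names, VLAN IDs, the binding table and
the frames are constructed sample data; frames are plain Ethernet II + ARP
(RFC 826) without an 802.1Q tag. Dropping an unbound sender is an assumption.
"""
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_arp_frame(frame: bytes) -> dict:
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol lengths")
    return {"eth_dst": eth_dst, "eth_src": eth_src, "op": op, "sha": sha,
            "spa": IPv4Address(spa), "tha": tha, "tpa": IPv4Address(tpa)}


def _illegal_mac(mac: bytes) -> bool:
    # all-zero, broadcast or group (multicast) address can never be a real sender
    return mac == b"\0" * 6 or mac == BROADCAST or bool(mac[0] & 1)


def _illegal_ip(ip: IPv4Address) -> bool:
    return ip.is_multicast or ip == IPv4Address("255.255.255.255")


def inspect_arp(frame, port, vlan, trusted_ports, bindings, gateway_ip):
    """Return (verdict, reason, log_entry).
    bindings: {IPv4Address: (mac bytes, vlan, port)}; trusted ports bypass all checks.
    log_entry is (ip, real_mac, spoofed_mac) on a binding violation, else None."""
    arp = parse_arp_frame(frame)
    if port in trusted_ports:
        return "forward", "trusted port", None
    # 1. packet validity check: the ARP body must agree with the Ethernet header
    if arp["sha"] != arp["eth_src"]:
        return "drop", "sender MAC does not match Ethernet source MAC", None
    if _illegal_mac(arp["sha"]) or _illegal_ip(arp["spa"]):
        return "drop", "illegal sender MAC or IP", None
    if arp["op"] == ARP_REPLY and arp["tha"] != arp["eth_dst"]:
        return "drop", "reply target MAC does not match Ethernet destination", None
    # 2. gateway protection: an untrusted port must never claim the gateway's IP
    if arp["spa"] == IPv4Address(gateway_ip):
        return "drop", "gateway protection: sender claims gateway IP", None
    # 3. restricted forwarding: sender must match its IP/MAC/VLAN/port binding
    bound = bindings.get(arp["spa"])
    if bound is None:
        return "drop", "no binding for sender IP", None   # assumption: unbound = drop
    real_mac, bound_vlan, bound_port = bound
    if (real_mac, bound_vlan, bound_port) != (arp["sha"], vlan, port):
        return "drop", "binding mismatch", (str(arp["spa"]), mac_str(real_mac), mac_str(arp["sha"]))
    return "forward", "binding ok", None


def build_arp(eth_src, eth_dst, op, sha, spa, tha, tpa) -> bytes:
    """Constructed Ethernet II + ARP frame for testing."""
    return (struct.pack("!6s6sH", eth_dst, eth_src, ETHERTYPE_ARP) +
            struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sha,
                        IPv4Address(spa).packed, tha, IPv4Address(tpa).packed))


# Constructed topology: gateway on trusted port ge0/1, two hosts on untrusted ports.
GW_MAC = bytes.fromhex("001122aa0001")
HOST_MAC = bytes.fromhex("0011220000a1")
ATTACKER_MAC = bytes.fromhex("00deadbeef01")
TRUSTED = {"ge0/1"}
GATEWAY_IP = "192.0.2.1"
BINDINGS = {
    IPv4Address("192.0.2.1"): (GW_MAC, 10, "ge0/1"),
    IPv4Address("192.0.2.10"): (HOST_MAC, 10, "ge0/2"),
    IPv4Address("192.0.2.11"): (ATTACKER_MAC, 10, "ge0/3"),
}


def run_scenarios():
    """Replay constructed frames and return {name: (verdict, reason, log_entry)}."""
    legit = build_arp(HOST_MAC, BROADCAST, ARP_REQUEST, HOST_MAC, "192.0.2.10", b"\0" * 6, "192.0.2.1")
    fake_gw = build_arp(ATTACKER_MAC, HOST_MAC, ARP_REPLY, ATTACKER_MAC, "192.0.2.1", HOST_MAC, "192.0.2.10")
    steal_ip = build_arp(ATTACKER_MAC, GW_MAC, ARP_REPLY, ATTACKER_MAC, "192.0.2.10", GW_MAC, "192.0.2.1")
    bad_sha = build_arp(ATTACKER_MAC, GW_MAC, ARP_REPLY, HOST_MAC, "192.0.2.10", GW_MAC, "192.0.2.1")
    args = (TRUSTED, BINDINGS, GATEWAY_IP)
    return {
        "legit_request": inspect_arp(legit, "ge0/2", 10, *args),
        "fake_gateway": inspect_arp(fake_gw, "ge0/3", 10, *args),
        "steal_host_ip": inspect_arp(steal_ip, "ge0/3", 10, *args),
        "sha_mismatch": inspect_arp(bad_sha, "ge0/3", 10, *args),
        "from_trusted": inspect_arp(fake_gw, "ge0/1", 10, *args),
    }
```

The "from_trusted" scenario is the caveat worth remembering: the same forged gateway reply that is dropped on ge0/3 is forwarded untouched when it arrives on a trusted port, so the trusted set must contain only the ports that really lead to the gateway or to other enforcing devices.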
Select Basic > Network Protocol > ARP > Advanced Defense > Anti-ARP attack of fixed
source MAC from navigation tree to enter the anti-ARP attack of fixed source MAC page, as
shown in the following figure.
The anti-ARP attack of fixed source MAC page has two parts: the base config and the safe
MAC list.
The parameters of the base config are shown in the following:
Defend: click to enable the anti-ARP attack of fixed source MAC function.
Threshold of attack: a source MAC address that sends more ARP packets than this
threshold is considered an attack source, and the packets above the threshold are attack
packets. The range is 1~5000; the default is 1200.
Detection mode: monitor or defend. Monitor only detects the attack source MAC and
generates a system log; defend additionally drops the packets once a source MAC has been
detected as an attacker.
Safe MAC: the aging time of an attack source MAC address. If during this time the source
MAC shows no further attack behavior, the entry ages out normally; if it attacks again, the
source MAC address continues to be monitored and blocked.
The parameters of the safe MAC list are shown in the following:
Select Basic > Network Protocol > ARP > Advanced Defense > Anti-ARP attack of fixed
source MAC from navigation tree to enter the attacker information of fixed source MAC page,
as shown in the following figure.
The parameters of the attacker information of fixed source MAC page are shown in the
following:
Sequence: displays the sequence number of the attacker entry.
SMAC: displays the attacking source MAC address.
VLAN ID: displays the VLAN ID that corresponds to the attacking source MAC.
Interface: displays the interface that corresponds to the attacking source MAC.
Aging time: shows the remaining aging time of the attack source MAC address.
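The threshold / detection mode / aging-time interaction described above can be modelled with a per-MAC sliding-window counter; the following is an added example written for this page, not DPtech code. The manual does not state the interval over which the threshold is counted, so the one-second window, the small threshold and aging values, and the MAC, VLAN and port names in the replay are all assumptions chosen for the demonstration.

```python
"""Anti-ARP attack of fixed source MAC: count ARP packets per source MAC in a
sliding window, mark a MAC that exceeds the threshold as an attack source for
an aging period, and either log (monitor) or drop (defend) its packets.

Added example (not DPtech code). The one-second counting window and the small
threshold/aging values are assumptions for the demonstration; the manual's
default threshold is 1200. MAC/VLAN/port values are constructed sample data.
"""
from collections import defaultdict, deque


class FixedSourceMacGuard:
    def __init__(self, threshold=1200, window=1.0, aging=300.0, mode="defend"):
        if mode not in ("monitor", "defend"):
            raise ValueError("mode must be 'monitor' or 'defend'")
        self.threshold, self.window, self.aging, self.mode = threshold, window, aging, mode
        self.recent = defaultdict(deque)   # mac -> timestamps inside the window
        self.attackers = {}                # mac -> {"vlan", "port", "expires"}
        self.log = []                      # (time, mac, vlan, port) on first detection

    def _expire(self, now):
        for mac in [m for m, e in self.attackers.items() if e["expires"] <= now]:
            del self.attackers[mac]        # "aged normally": no attack during aging time

    def handle(self, mac, vlan, port, now):
        """Process one ARP packet from `mac`; return 'forward' or 'drop'."""
        self._expire(now)
        q = self.recent[mac]
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) > self.threshold:
            if mac not in self.attackers:
                self.log.append((now, mac, vlan, port))   # monitor and defend both log
            # a fresh burst restarts the aging timer ("continues to be monitored")
            self.attackers[mac] = {"vlan": vlan, "port": port, "expires": now + self.aging}
        if mac in self.attackers and self.mode == "defend":
            return "drop"
        return "forward"

    def remaining_aging(self, mac, now):
        e = self.attackers.get(mac)
        return max(0.0, e["expires"] - now) if e else 0.0


def simulate(mode):
    """Replay a constructed burst from one MAC; return (verdict list, guard)."""
    guard = FixedSourceMacGuard(threshold=5, window=1.0, aging=10.0, mode=mode)
    mac, vlan, port = "00:de:ad:be:ef:01", 10, "ge0/3"
    verdicts = [guard.handle(mac, vlan, port, t / 10) for t in range(8)]   # 8 pkts in 0.7 s
    verdicts.append(guard.handle(mac, vlan, port, 5.0))    # quiet, but still inside aging
    verdicts.append(guard.handle(mac, vlan, port, 16.0))   # aged out (0.7 + 10 < 16)
    verdicts.append(guard.handle("00:11:22:00:00:a1", vlan, "ge0/2", 16.0))  # other host
    return verdicts, guard


if __name__ == "__main__":
    for mode in ("monitor", "defend"):
        verdicts, guard = simulate(mode)
        print(mode, verdicts, guard.log)
```

In defend mode the sixth packet of the burst is the first one dropped, and the single packet sent at t=5.0 is dropped as well even though the MAC is then well under the threshold: that is the aging-time behaviour the manual describes, and it is the reason a misconfigured but legitimate host (for instance a scanner or a monitoring probe) stays blocked until it has been quiet for the whole aging period.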
9.4 ND
9.4.1 ND configuration
Select Basic > Network Protocol > ARP > Advanced Defense > Neighbor Discover from
navigation tree to enter the neighbor discover page, as shown in the following figure.
The ND configuration mainly serves to disable the automatic neighbor discovery function. Select
the interface to be disabled and click the <OK> button.
Select Basic > Network Protocol > ARP > Advanced Defense > Neighbor Discover from
navigation tree to enter the anti-ND attack of fixed source MAC/IP page, as shown in the
following figure.
After enabling attack protection, select the protection mode (fixed source MAC, fixed source and
destination MAC, or fixed source and destination IP), configure the detection threshold and the
attack source aging time, and select the action: drop the packets or pass them directly.
9.5 MAC
The MAC table module provides the function of viewing and deleting MAC table entry.
Select Basic > Network Protocol > MAC > MAC Table from navigation tree to enter the MAC table
page, as shown in the following figure.
MAC table management provides the function of viewing and deleting dynamic MAC table
entries. To view the MAC table, select All, Static, Dynamic, By VLAN ID, By MAC address or
By port number, then select a slot number, fill in the query condition and click the View button;
the matching MAC table entries are displayed in the MAC table list. Click the Delete All Dynamic
Mac Address Tables button to delete all dynamic MAC table entries.
Select Basic > Network Protocol > MAC > Static MAC configuration from navigation tree to
enter the static MAC configuration page, as shown in the following figure.
The description of each parameter in the static MAC configuration page is as follows:
Serial number: Display the serial number of the static MAC table entry.
MAC address: Set the MAC address of the static MAC table entry.
VLAN ID: Set the VLAN ID to which the static MAC entry belongs.
Outgoing port: Set the outgoing port to which static MAC entry is applied.
Discard: Set whether to discard data packets matching the MAC address, VLAN ID and outbound
port.
The MAC parameter configuration module provides the function of setting the dynamic MAC
address aging time.
Select Basic > Network Protocol > MAC > MAC Address Configuration from navigation tree
to enter the MAC address configuration page, as shown in the following figure.
9.6 STP
Spanning tree protocol is a Layer-2 management protocol. By blocking some redundant links
through a specific algorithm it eliminates loops in the network while keeping those links available
as backups. The device supports three kinds of spanning tree protocol: STP, RSTP and MSTP.
STP (Spanning Tree Protocol) determines the network topology by exchanging BPDU packets
between devices and blocks redundant link ports, thereby establishing a loop-free logical network
topology. When the network topology changes, a port needs twice the forward delay time to move
from the blocking state to the forwarding state, so the STP network takes that long to recover.
RSTP (Rapid Spanning Tree Protocol) is an optimized version of STP. It has all the functions of
STP and adds the replace port, backup port and edge port, which shorten the time needed to
restore network connectivity after a topology change. In practice, however, RSTP only achieves
link redundancy backup and cannot load-balance links according to VLAN traffic.
MSTP (Multiple Spanning Tree Protocol) is developed on the basis of STP and RSTP. By using
instances, MSTP calculates loop-free topologies that reduce communication cost and increase
resource utilization. The bridge priority, the maximum sending rate and the concept of the
advanced configuration domain used by MSTP effectively constrain the range of a spanning tree
and speed up its convergence, so that traffic in different VLANs can be forwarded along different
paths.
The spanning tree protocol selection module provides the function of selecting the type of
spanning tree protocol: STP, RSTP or MSTP.
Select Basic > Network Protocol > Spanning Tree > Protocol selection from navigation tree
to enter the protocol selection page, as shown in the following figure.
The parameters of the spanning tree protocol selection page are shown in the following:
Select Basic > Network Protocol > Spanning Tree > Spanning Tree Protocol Configuration
from navigation tree to enter the spanning tree protocol configuration page, as shown in the
following figure.
The spanning tree protocol configuration page is the same as the protocol configuration page.
Taking MSTP as an example, the page shows the configuration parameters of MSTP, including
MSTP global configuration, MSTP instance configuration and MSTP port configuration.
BPDU: after you enable the BPDU protection function, if an edge port receives BPDU packets,
the system shuts that port down in order to prevent spanning tree recalculation and avoid
network flapping. At the same time the network manager is notified; only the network manager
can bring the closed port back up.
Maximum transmission rate: the maximum transmission rate of the port, in the range of
1-10.
Advanced configuration: parameters including network diameter, forward delay timer (s),
Hello timer, max age (s) and timer factor.
Spanning tree port: enables MSTP on the port, which must be a Layer 2 interface.
The parameters of MSTP instance configuration are shown in the following:
Port name: the name of the port on which MSTP is enabled. Only a port that already has
spanning tree protocol enabled can be configured here.
P2P link: set whether the port is connected to a point-to-point link. The options are Auto, Yes
and No. If the two ports connected by a P2P link are root ports or designated ports, they can
migrate quickly to the forwarding state via the proposal and agreement messages, which
shortens the forwarding delay.
Edge port: set whether the MSTP port is an edge port. An edge port connects directly to a user
terminal and not to another device or shared network segment, so a topology change cannot
create a loop on it.
9.6.3 Status
The status page displays the information according to what you have selected in the "Protocol
Selection" module. The content of each kind of spanning tree status is similar. STP and MSTP are
taken as examples, as shown in the following:
1. STP status
Select Basic > Network Protocol > Spanning Tree > Status from navigation tree to enter the
status page, as shown in the following figure.
Protocol edition: display the edition of the spanning tree protocol: 0 represents STP, 2
represents RSTP and 3 represents MSTP.
Bridge priority: display the bridge priority of the STP instance.
Maximum transmission rate: the maximum transmission rate of the port, in the range of
1-10.
Max age timer: display the time parameters of the Max age timer.
Fwd delay timer: display the time parameters of the Delay forward timer.
Hello timer: display the time parameters of the Hello timer.
The parameters of STP MAC are shown in the following:
Bridge MAC: display the bridge MAC address.
Root bridge MAC: display the root bridge MAC address.
STP port information:
Port name: display the STP port name.
Port priority: display the STP port priority.
Path cost: display the STP path cost.
Port role: display the current port role.
Port status: displays the current port status.
2. MSTP status
Select Basic > Network Protocol > Spanning Tree > Status from navigation tree to enter the
status page, as shown in the following figure.
Protocol edition: display the edition of the spanning tree protocol: 0 represents STP, 2
represents RSTP and 3 represents MSTP.
Current domain (MSTP): display the MSTP domain where the device is located.
Max age timer: display the time parameters of the Max age timer.
Fwd delay timer: display the time parameters of the Delay forward timer.
Hello time: display the time parameters of the Hello timer.
Max Hops timer (MSTP): display the time parameter of the max hops timer.
The parameters of MSTP instance are shown in the following:
9.7 DNS
DNS (Domain Name System) is a distributed database that maps domain names to IP addresses
and provides the conversion service between them. DNS can be divided into static and dynamic
DNS. When converting a domain name, the device first tries static DNS (that is, it resolves the
domain name using the predefined domain name/IP address mapping table); if static DNS fails,
it performs dynamic DNS (that is, it resolves the domain name through a DNS server).
DNS proxy provides the function of forwarding DNS request and response packets between the
DNS server and the clients. When the DNS server's address changes, network administrators do
not need to modify the configuration of each DNS client, only the configuration of the DNS proxy
device. DNS proxy therefore greatly reduces the network management workload.
Select Basic > Network Protocol > DNS from navigation tree to enter the DNS page, as shown
in the following figure.
This module provides the functions of sending host unreachable errors, destination protocol
unreachable errors, destination port unreachable errors, "fragmentation required, but DF flag
set" errors, and timestamp replies.
Select Basic > Network Protocol > ICMP > ICMP option from navigation tree to enter the
ICMP option page, as shown in the following figure.
The parameters of the ICMP options page are shown in the following:
Send host unreachable error: set whether to send destination host unreachable ICMP packets.
Send destination protocol unreachable error: set whether to send destination protocol
unreachable ICMP packets.
Send destination port unreachable error: set whether to send destination port unreachable
ICMP packets.
Send fragmentation required, but DF flag set error: set whether to send "fragmentation
required, but DF flag set" ICMP packets.
Send timestamp reply: set whether to send timestamp reply ICMP packets.
Enable IP address for the TTL response: after you enable this option, set the fixed IP
address used when replying to packets whose TTL has expired.
Send TTL-expired error: set whether to send "TTL expired in transit" ICMP packets.
Select Basic > Network Protocol > IPv6 Autoconfig from navigation tree to enter the IPv6
autoconfig page, as shown in the following figure.
The description of each parameter in the stateless automatic configuration page is as follows:
9.10.1 Ping
Ping is the most common tool for checking whether a network host is reachable. When a failure
occurs in the network, the user can use Ping to locate the failure point effectively. Ping helps the
user learn whether the device's NIC and TCP/IP stack are normal, whether the device's IP
address is valid, whether the route to the destination host and the connectivity are normal,
whether the specified domain name is resolved correctly, and the delay, packet loss and network
device type in the network.
By using the Ping command with its parameters, the user can make an effective judgement from
the returned information, so it is necessary to understand that information and the related
parameters. The common returned messages and the network problems they may indicate are
as follows:
Destination host is not powered up. For example, an intranet server's IP address is
192.168.2.250; because the server is powered off and has not been powered up again, it
cannot reply to the request. The user suspects that the access control function is enabled on
the device. If there is no other security device between the server and the device, and the
server itself has no firewall function enabled, the user can run the Ping command directly on
the device. If the returned information is Request timed out, this indicates that a packet
filtering policy is enabled on the device.
Destination host does not exist, or the destination host is not in the same network as the host
itself and cannot be found through the routing table.
Destination host does exist, but another security device is connected between the device and
the destination host, or the destination host has enabled ICMP packet filtering.
Destination host unreachable
The host and the destination host are not in the same network, and the host itself has no
default route, or the IP address does not exist in the network.
The cable has a problem. Here the difference between "destination host unreachable" and
"time out" needs to be explained: the routers the packet passes through must have a route to
the destination host. If the destination host cannot be reached for another reason, "time out" is
displayed; if the routers have no route to the destination host, "destination host unreachable"
is displayed.
Bad IP address
The device may not be connected to the DNS server, so the name cannot be resolved to this IP
address, or the IP address may not exist.
Unknown host
The remote host name cannot be translated into an IP address by the domain name server
(DNS). The fault may be that the domain name server is faulty, the name of the remote host is
incorrect, or the cable between the network administrator's host and the remote host has a
problem.
no answer
The local system has a route to the destination host but receives no reply to the packets it
sends there. The fault may be one of the following:
Destination host does not work.
The network between the local host and the destination host is not working correctly.
The NIC of the local host or of the destination host works abnormally.
The connection cable has problems.
The destination host has a route selection problem.
no route to host: the NIC works abnormally.
unknown host name: the DNS configuration is incorrect.
9.10.1.2 Ping
Select Basic > Network Protocol > Diagnostic Tools from navigation tree to enter the Ping
page, enter the IP address that you want to diagnose and click the Test button. After a while the
page displays the returned Ping result, as shown in the following figure.
9.10.2 Tracert
Traceroute is an important and convenient tool for discovering the route between a host and a
destination host. Although Ping can test a host, the limited size of the IP header means that Ping
cannot record all the routers a packet passes through, whereas Traceroute can. Traceroute
records the IP address of each router the packet goes through and can find out which router
between the device and the destination host has a link or route problem.
The principle of Traceroute is simple. After receiving the IP address of the destination host, the
device first sends a UDP packet with TTL=1 towards the destination host. When the first router
receives it, it decrements the packet's TTL by 1; when the TTL reaches 0, that router drops the
packet and sends an ICMP packet telling the device that the route is unreachable. The device
then sends a UDP packet with TTL=2 to the destination host, which triggers the second router to
send an ICMP packet, and so on until the packet reaches the destination host. In this way
Traceroute obtains the IP addresses of all the routers, avoiding the problem that the IP header
records only the destination host's IP address.
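The TTL-increment exchange described above, simulated in Python as an added example that is not part of the manual. The path, the addresses and the `Node` flags for a silent router and a broken link are constructed, so the output shows how a faulty hop appears in a Tracert result.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Node:
    """A router or the destination host on a constructed path."""
    address: str
    is_destination: bool = False
    replies: bool = True   # False: silently drops an expired probe (shown as "*")
    forwards: bool = True  # False: the link behind this router is broken


def send_probe(path: List[Node], ttl: int) -> Tuple[Optional[str], bool]:
    """Send one UDP probe with the given TTL along `path`.

    Returns (replying_address, reached_destination). A router that decrements
    TTL to 0 drops the probe and answers with ICMP; a probe that arrives at the
    destination is answered by the destination itself (ICMP port unreachable
    for a UDP probe). None means no answer came back.
    """
    for node in path:
        if node.is_destination:
            return (node.address, True) if node.replies else (None, False)
        ttl -= 1  # every router decrements TTL by one
        if ttl == 0:
            return (node.address if node.replies else None), False
        if not node.forwards:
            return None, False  # probe lost on the broken link
    return None, False


def tracert(path: List[Node], max_hops: int = 30) -> List[str]:
    """Raise TTL from 1 upward, recording who answered each probe, until the
    destination answers or max_hops is reached."""
    hops = []
    for ttl in range(1, max_hops + 1):
        address, reached = send_probe(path, ttl)
        hops.append(address if address is not None else "*")
        if reached:
            break
    return hops


# Constructed paths; the addresses are illustrative only.
HEALTHY_PATH = [Node("10.0.0.1"), Node("10.0.1.1"), Node("10.0.2.1"),
                Node("192.168.2.250", is_destination=True)]
SILENT_ROUTER_PATH = [Node("10.0.0.1"), Node("10.0.1.1", replies=False),
                      Node("10.0.2.1"), Node("192.168.2.250", is_destination=True)]
BROKEN_LINK_PATH = [Node("10.0.0.1"), Node("10.0.1.1", forwards=False),
                    Node("10.0.2.1"), Node("192.168.2.250", is_destination=True)]
```

A hop that answers nothing shows up as a single `*` while later hops still answer; a broken link shows as `*` for every TTL beyond the last reachable router.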
9.10.2.2 Tracert
Select Basic > Network Protocol > Diagnostic Tools > Tracert from navigation tree to enter
the Tracert page, enter the IP address that you want to diagnose and click the Test button. After
a while the page displays the returned Tracert result, as shown in the following figure.
9.10.2.3 Tracert6
Select Basic > Network Protocol > Diagnostic Tool > Tracert6 from navigation tree to enter
the Tracert6 operation page, enter the IP address to be diagnosed (the parameter configuration
is optional) and click the Test button. After a while the page displays the result of Tracert6, as
shown in the figure below.
Remote capture provides the function of capturing, replaying and analyzing the packets that
enter and leave the device. It helps the user to view the network status, network flow and data
transmission.
Select Basic > Network Protocol > Diagnostic Tools > Remote capture from navigation tree
and then enter to the capture page, as shown in the following figure.
The capture page has two parts: the capture parameters and the processing of the capture
result. The capture parameters are shown in the following:
Specify IP address:
IP address: set the IP address type of the packets to be captured, IPv4 or IPv6.
Source IP: set the source IP address of the packets to be captured.
Destination IP: set the destination IP address of the packets to be captured.
Specify protocol: set the protocol of the packets to be captured, including ICMP, IGMP, TCP,
IGP, and so on.
Capture length: set the length of the packets to be captured.
Cap time: set the capture time, which cannot exceed 5 minutes.
Cap number: set the number of packets to be captured.
Cap progress: click the Start Cap button to start capturing packets on the specified interface;
click the Stop button to stop capturing packets on the specified interface.
Processing the capture result includes replaying and downloading the captured packets:
Replay packet: select the interface and click the <Replay Packet> button.
Download: click the Download button to download the captured file to the local host.
10 Authentication Configuration
10.1 Authentication configuration
Select Basic > Authentication Management > Authentication Configuration > Global
Configuration from navigation tree to enter the global configuration page, as shown in the
following figure.
Account login limit: enable the account login limit and set the number of authentications that
each account may pass.
User login conflict handling: set the action taken after an authentication conflict, either keeping
the authenticated user or logging out the logged-in user.
Number of login failures: the number of failed login attempts allowed. The default value is 0,
which means the account is not locked after login failures.
Authentication port number: the Portal authentication port number.
The custom page provides the function of setting a custom authentication page.
The web authentication login page customization function sets the information displayed on the
device's web authentication login page, including Chinese and English titles and background
images for different terminals.
The online user page displays information about Portal-authenticated online users, including
user name, IP address, online time and description. Online users can be queried by IP address,
user name and description.
11 ACL management
11.1 Inbound ACL
Select Basic > ACL Management > IPv4 ACL from navigation tree to enter the IPv4 ACL page,
as shown in the following figure.
Priority: Set the priority of IPv4 ACL rules, which is related to the configuration order in the
ACL list. The smaller the number, the higher the priority.
Name: Set the name of the IPv4 ACL rule.
Source IP/mask: Set the source IP address and mask that match the IPv4 ACL rule.
Destination IP/mask: Set the destination IP address and mask that match the IPv4 ACL rule.
Protocol type: Set the protocol type that matches the IPv4 ACL rule, click the list item of
"Protocol Type", and select it in the pop-up window.
Packet priority: Set the packet priority type and its parameters that match IPv4 ACL rules.
Physical port: Set the physical port that matches the IPv4 ACL rule.
Action: Set the action to be taken on packets matching IPv4 ACL rules.
Time zone: click the "Time zone" list item to open the time configuration window. Two time
modes can be selected.
Always effective: once the policy is issued and takes effect, it remains effective.
Weekly: select the "Weekly" option and configure the time period in the format 00:00; the
policy then takes effect during that period every day. To restrict it to certain days, check one
or more days from Monday to Sunday; the time period must still be configured, and the policy
then takes effect only during that period on the selected days of the week.
Select Basic > ACL Management > IPv6 ACL from navigation tree to enter the IPv6 ACL page,
as shown in the following figure.
Priority: Set the priority of IPv6 ACL rules, which is related to the configuration order in the
ACL list. The smaller the number, the higher the priority.
Name: Set the name of the IPv6 ACL rule.
Source IP/mask: Set the source IP address and mask that match the IPv6 ACL rule.
Destination IP/mask: Set the destination IP address and mask that match the IPv6 ACL rule.
Protocol type: Set the protocol type that matches the IPv6 ACL rule, click the list item of
"Protocol Type" and select it in the pop-up window.
VLAN range: Set the VLAN range that matches the IPv6 ACL rule, you can choose any or
choose the VLAN range, and the value range is 1~4094.
Packet priority: Set the packet priority type and its parameters that match IPv6 ACL rules.
Physical port: Set the physical port that matches the IPv6 ACL rule.
Action: Set the action to be taken on packets matching IPv6 ACL rules.
Time zone: click the "Time zone" list item to open the time configuration window. Two time
modes can be selected.
Always effective: once the policy is issued and takes effect, it remains effective.
Weekly: select the "Weekly" option and configure the time period in the format 00:00; the
policy then takes effect during that period every day. To restrict it to certain days, check one
or more days from Monday to Sunday.
Select Basic > ACL Management > Resource Allocation from navigation tree to enter the
resource allocation page, as shown in the following figure.
The hardware resource allocation page configures the slice resources available to ACL rules.
12 QoS Management
12.1 Basic QoS
QoS means quality of service. For network services, QoS covers the quality measures of the
service, including transmission bandwidth, transmission delay and packet loss rate. In the
network, measures such as guaranteeing transmission bandwidth and reducing transmission
delay, packet loss rate and jitter improve the quality of service.
Network resources are always limited; as long as services compete for them, quality of service
is required. QoS is relative among network services: while it guarantees the quality of one
service, other services may suffer. For example, with a fixed total network bandwidth, the more
bandwidth one kind of service occupies, the less remains for the others, which are then affected.
Network managers therefore need to plan and allocate network resources according to the
characteristics of the services so that the resources are used efficiently.
QoS mainly has three kinds of traffic management technology: flow classification, congestion
management and congestion avoidance. Flow classification classifies traffic according to certain
rules and is the basis of QoS; congestion management and congestion avoidance control
network traffic and network resources by changing the order in which packets are forwarded and
by discarding packets proactively, respectively.
CoS (Class of Service) is a method that groups similar kinds of network traffic (such as e-mail,
streaming video, voice or large file transfers) and handles each group in the same way. Each
class has its own priority level. CoS makes it easier to control and upgrade the network when the
network structure is complex and traffic grows. Simply put, CoS is a mechanism that lets data be
treated differently, and it is part of the QoS quality control standard.
The CoS priority mapping configuration module provides the function of setting the port priority,
mapping configuration and the related parameters.
Select Basic > QoS Management > QoS Basic Configuration > Cos Priority Mapping from
navigation tree to enter the CoS priority mapping page, as shown in the following figure.
The parameters of the CoS priority mapping configuration page are shown in the following:
Port name: select the port for which you want to configure priority mapping.
Priority trust model: select the priority trust mode: use port priority, trust DSCP priority, trust
CoS priority or trust IP priority.
Internal priority mapping: select the internal priority mapping and set the corresponding
internal priority. The larger the priority, the earlier the packets are processed.
Drop priority mapping: set the priority according to which packets are dropped. Red packets
have the highest drop priority and are dropped first, yellow packets are dropped next, and
green packets have the lowest drop priority and are dropped last.
After you finish the above configuration, click the Submit button in the upper right corner of the
page.
The congestion management configuration module allows the user to limit port bandwidth and
set the queue scheduling mode.
Select Basic > QoS Management > QoS Basic Configuration > Congestion management
from navigation tree to enter the congestion management page, as shown in the following figure.
Congestion management includes the guaranteed bandwidth configuration and the queue
scheduling mode configuration.
The bandwidth guarantee mainly sets the maximum and minimum bandwidth of the port. The
parameters of the bandwidth guarantee page are shown in the following:
Port: select the interface for which you want to set the bandwidth guarantee.
Minimum guaranteed bandwidth: set the minimum guaranteed bandwidth of the interface. The
default value is 0 (no limit); the range is 64~10000000 and the unit is kbit/s.
Maximum guaranteed bandwidth: set the maximum guaranteed bandwidth of the interface. The
default value is 0 (no limit); the range is 64~10000000 and the unit is kbit/s.
Queue scheduling mode configuration mainly sets the queue scheduling mode of the port. The
parameters of queue scheduling mode are shown in the following:
Select Basic > QoS Management > QoS Basic Configuration > Congestion avoidance from
navigation tree to enter the congestion avoidance page, as shown in the following figure.
Congestion avoidance can be configured in two ways: by port and by CoS queue.
Configuring by port applies congestion avoidance per port number. The parameters of the
congestion avoidance page are shown in the following:
Port number: select the slot number for which you want to configure congestion avoidance.
Message type: select the message type: green TCP, yellow TCP, red TCP or non-TCP packets.
Begin-to-drop-packet percentage %: set the begin-to-drop-packet percentage. The default
value is 100; the range is 0 to 100.
Drop-all-package percentage %: set the drop-all-package percentage. The default value is
100; the range is 0 to 100, and it must be larger than the begin-to-drop-packet percentage.
Maximum packet drop rate %: set the maximum packet drop rate. The default value is 100;
the range is 1 to 100.
Configuring by CoS queue applies congestion avoidance per CoS queue. The parameters of the
congestion avoidance page are shown in the following:
Port number: select the slot number for which you want to configure congestion avoidance.
Message type: select the message type: green TCP, yellow TCP, red TCP or non-TCP packets.
Begin-to-drop-packet percentage %: set the begin-to-drop-packet percentage. The default
value is 100; the range is 0 to 100.
Drop-all-package percentage %: set the drop-all-package percentage. The default value is
100; the range is 0 to 100, and it must be larger than the begin-to-drop-packet percentage.
Maximum packet drop rate %: set the maximum packet drop rate. The default value is 100;
the range is 1 to 100.
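An added Python example (not from the manual) of how the three congestion-avoidance percentages combine into a drop curve per message type. It assumes the percentages refer to queue occupancy, accepts the page's 100/100/100 default as plain tail drop on a full queue, and the per-colour thresholds in `example_port_profile` are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

MESSAGE_TYPES = ("green TCP", "yellow TCP", "red TCP", "non-TCP")


@dataclass(frozen=True)
class DropProfile:
    """One congestion-avoidance row for a port (or CoS queue) and message type.

    Percentages are interpreted as queue occupancy (an assumption; the manual
    only names the parameters). The defaults are the page's defaults.
    """
    begin_to_drop_pct: int = 100
    drop_all_pct: int = 100
    max_drop_rate_pct: int = 100

    def __post_init__(self):
        if not 0 <= self.begin_to_drop_pct <= 100:
            raise ValueError("begin-to-drop percentage must be 0..100")
        if not 0 <= self.drop_all_pct <= 100:
            raise ValueError("drop-all percentage must be 0..100")
        if not 1 <= self.max_drop_rate_pct <= 100:
            raise ValueError("maximum drop rate must be 1..100")
        # The page requires drop-all above begin-to-drop; equality is tolerated
        # here so the 100/100/100 default validates.
        if self.drop_all_pct < self.begin_to_drop_pct:
            raise ValueError("drop-all percentage must not be below begin-to-drop percentage")

    def drop_probability(self, queue_fill_pct: float) -> float:
        """Drop probability (0..100 %) at a given queue fill level.

        Below the begin-to-drop level nothing is dropped; from there the
        probability rises linearly up to the maximum drop rate; at and above
        the drop-all level every packet is dropped.
        """
        if queue_fill_pct < self.begin_to_drop_pct:
            return 0.0
        if queue_fill_pct >= self.drop_all_pct:
            return 100.0
        span = self.drop_all_pct - self.begin_to_drop_pct
        return self.max_drop_rate_pct * (queue_fill_pct - self.begin_to_drop_pct) / span


def is_valid_profile(begin_pct: int, drop_all_pct: int, max_rate_pct: int) -> bool:
    """True if the three values would be accepted by the validation above."""
    try:
        DropProfile(begin_pct, drop_all_pct, max_rate_pct)
        return True
    except ValueError:
        return False


def example_port_profile() -> Dict[str, DropProfile]:
    """Constructed per-port configuration: red packets are dropped first, then
    yellow, then green, matching the drop-priority order described for CoS."""
    return {
        "red TCP": DropProfile(begin_to_drop_pct=20, drop_all_pct=60, max_drop_rate_pct=100),
        "yellow TCP": DropProfile(begin_to_drop_pct=40, drop_all_pct=80, max_drop_rate_pct=50),
        "green TCP": DropProfile(begin_to_drop_pct=60, drop_all_pct=100, max_drop_rate_pct=20),
        "non-TCP": DropProfile(),  # page defaults: dropped only when the queue is full
    }


def drop_table(profile: Dict[str, DropProfile],
               fill_levels: List[float]) -> Dict[str, List[float]]:
    """Drop probability per message type at each fill level, rounded for display."""
    return {mt: [round(profile[mt].drop_probability(f), 1) for f in fill_levels]
            for mt in MESSAGE_TYPES}
```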
Select Basic > QoS Management > QoS Policy > QoS flow template from navigation tree to
enter the QoS flow template page, as shown in the following figure.
Configure the flow template name, source/destination MAC address, source/destination IP
address, protocol type and priority. You can add multiple QoS flow template entries.
Protocol types include any, TCP, UDP and custom. You can select the protocol type and
configure the port number.
Priority includes any, DSCP, IP priority and CoS. You can select the priority type and configure
Select Basic > QoS Management > QoS Policy > QoS policy configuration from navigation
tree to enter the QoS policy configuration page, as shown in the following figure.
The QoS policy configuration module provides the function of setting the parameters of QoS
policy, including policy name, policy type, policy object, action, time, application object.
Select Basic > QoS Management > QoS Policy > QoS policy show from navigation tree to
enter the QoS policy show page, as shown in the following figure.
The QoS policy statistics page shows the statistics of each QoS policy, including policy name,
number of matched flows, and the numbers of green, red and yellow packets passed. Click the
icon to clear the statistics of that policy, or click the Clear All Policy Statistics icon to clear all
statistics.
Select Basic > QoS Management > Port Rate Configuration from navigation tree to enter the
port rate configuration page, as shown in the following figure.
13 High Availability
For online systems and media, continuous business traffic is vital. The security gateway is an
important part of the network, and almost all business traffic flows through it, so a single point of
failure in the security gateway interrupts the network business. The basic problem of high
reliability is how to keep the network open.
The most common way to solve the single point of failure problem is to introduce redundant
equipment: deploy two or more security gateway devices in the network so that they back each
other up. Under normal circumstances, business traffic passes through the host device for
network communication. When the host fails, the standby machine continues to work in its place,
thereby keeping the business running. DPtech equipment provides VRRP and dual-system hot
backup solutions, combined with an overload protection mechanism, to achieve high reliability of
the security gateway.
Select Basic > QoS Management > Overload Protection from navigation tree to enter the
overload protection page, as shown in the following figure.
13.3 Hotbackup
Hotbackup is a redundancy backup technology. It solves the problem of network service
interruption caused by a single point of failure through data synchronization and traffic switching.
After you enable this function, the two firewalls deployed at the access point synchronize data; if
one device fails, the network traffic that would originally have been processed by the failed
device is switched to the other device. Hotbackup therefore avoids service interruption and
improves network stability and reliability.
The hotbackup solution supports two modes: master/slave mode and load-sharing mode. The
device role is decided by which device carries the network traffic: the device that network traffic
passes through is the master device, and the device without traffic is the standby device.
Network traffic can be switched with the aid of VRRP or a dynamic routing protocol. Commonly,
the combination of VRRP and hot standby is used to switch network traffic.
If two devices are in master/slave mode, one device is used as the master device and the other
as the standby device. The master device processes all services and sends session information
to the standby device. The standby device does not process any service and only backs up the
session information. When the master device fails, the standby device takes over the work of the
master device and processes services, so that new sessions can be established and current
sessions are not interrupted.
In load-sharing mode, both devices are master devices that handle network traffic. They are
backup devices of each other and back up each other's sessions. When one device fails, the
other device takes over all services, so that new sessions can be established and current
sessions are not interrupted.
Two types of hotbackup are provided:
Ordinary hotbackup: the two devices only synchronize and back up part of each other's
configuration information; they do not synchronize sessions.
Silence hotbackup: the master and slave devices synchronize their configuration and sessions.
In this scenario, the master device is in the working state and handles service traffic normally;
the backup device is in the silent state and does not handle any packets on its service
interfaces. When the heartbeat packets time out, the backup device automatically switches to
the working state and sends gratuitous ARP packets. The backup device then takes the role of
the master device and processes service traffic.
The hotbackup module provides the function of setting the type and parameters of hotbackup.
Select Basic > High availability > Hotbackup > Hotbackup Configuration from the navigation
tree to enter the hotbackup configuration page, as shown in the following figure.
Initial PRI: set the initial priority of the silence interface, in the range of 0 to 255.
Heartbeat interface: select the heartbeat interface of silence hotbackup.
Heartbeat interval: set the time interval of heartbeat packets, in the range of 1 to 240
seconds.
Neighbor timeout: set the timeout of heartbeat packets, in the range of 1 to 240 seconds.
Normally the neighbor timeout must be larger than the heartbeat interval.
Gratuitous ARP algorithm: multiple step or keep step. The default is multiple step.
Start interval: set the start interval for sending gratuitous ARP.
Sending times: set the number of times gratuitous ARP is sent.
Silence interfaces: configure the silence interfaces in the list.
Monitor interfaces: configure the monitor interfaces in the list.
The state and maintenance page of hotbackup provides the functions of synchronizing the
configuration of the local device to the remote device and rebooting the remote device.
Select Basic > High availability > Hotbackup > State and Maintenance of Hotbackup from the
navigation tree to enter the State and Maintenance of Hotbackup page, as shown in the following
figure.
This page shows the hotbackup status. Click the Synchronous button to synchronize the
configuration to the remote device. Click the Reboot button to reboot the remote device.
The session synchronization configuration page has three main parts: session synchronization,
advanced configuration, and session synchronization filter condition configuration.
Click the "Enable" checkbox for session synchronization to enable the session synchronization
function, and select the session synchronization port. Session information is then synchronized
in real time, including its aging state.
Batch backup: after this function is enabled, the active device backs up session information
to the backup device in batches. This function is generally used when upgrading the version of
a dual-machine deployment.
Fast backup: after this function is enabled, session information is synchronized in real time
but the aging state is not synchronized. This function is generally used in asymmetric routing
environments.
The configuration parameters of the session synchronization filter conditions are described as
follows:
ID: set the filter condition ID number.
Source address/wildcard mask: set the session source address and wildcard mask.
Destination address/wildcard mask: set the session destination address and wildcard mask.
Service: set the session service. Three ways are available: all, predefined, and custom.
After the configuration is complete, click the <Confirm> button at the top right of the
page.
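As an added example (not DPtech's code), the following Python models how a session is tested against the filter conditions above and which sessions would therefore be synchronized. It assumes the usual wildcard-mask convention (a 0 bit must match, a 1 bit is ignored), which the manual does not spell out, and constructs its own predefined services and sample sessions; it also flags the common mistake of entering a subnet mask where a wildcard mask belongs, which makes the filter silently select the wrong sessions.

```python
"""Added example, not DPtech code: matching sessions against the session
synchronization filter conditions (ID, source address/wildcard mask,
destination address/wildcard mask, service).

Assumptions not stated in the manual: the wildcard mask uses the usual
convention (0 bit must match, 1 bit is "don't care"); the predefined
services and the sample sessions below are constructed for this demo."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

# None stands for the manual's "all" choice; otherwise a set of
# (protocol, destination port) pairs, i.e. a predefined or custom service.
Service = Optional[FrozenSet[Tuple[str, int]]]

PREDEFINED: Dict[str, FrozenSet[Tuple[str, int]]] = {   # constructed
    "http": frozenset({("tcp", 80)}),
    "dns": frozenset({("udp", 53), ("tcp", 53)}),
}

@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class FilterCondition:
    cond_id: int
    src: str
    src_wildcard: str
    dst: str
    dst_wildcard: str
    service: Service = None

def _as_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    """Compare only the bits that are 0 in the wildcard mask."""
    care = ~_as_int(wildcard) & 0xFFFFFFFF
    return (_as_int(addr) & care) == (_as_int(pattern) & care)

def wildcard_looks_like_netmask(wildcard: str) -> bool:
    """Flag a wildcard whose 1 bits run contiguously from the top
    (e.g. 255.255.255.0): almost always a subnet mask typed by mistake.
    255.255.255.255 ("any address") is a legitimate wildcard and is
    not flagged."""
    w = _as_int(wildcard)
    if w == 0xFFFFFFFF or not w & 0x80000000:
        return False
    low = ~w & 0xFFFFFFFF
    return low & (low + 1) == 0

def condition_matches(cond: FilterCondition, s: Session) -> bool:
    if not wildcard_match(s.src, cond.src, cond.src_wildcard):
        return False
    if not wildcard_match(s.dst, cond.dst, cond.dst_wildcard):
        return False
    return cond.service is None or (s.proto, s.dport) in cond.service

def select_for_sync(conditions: Iterable[FilterCondition],
                    sessions: Iterable[Session]) -> Dict[Session, int]:
    """Map each session that would be synchronized to the ID of the first
    condition (by ID) that matches it; unmatched sessions are left out."""
    ordered = sorted(conditions, key=lambda c: c.cond_id)
    out: Dict[Session, int] = {}
    for s in sessions:
        for c in ordered:
            if condition_matches(c, s):
                out[s] = c.cond_id
                break
    return out

if __name__ == "__main__":
    # Intended: sync HTTP sessions from 10.1.2.0/24 to any destination.
    good = FilterCondition(1, "10.1.2.0", "0.0.0.255",
                           "0.0.0.0", "255.255.255.255", PREDEFINED["http"])
    # Same intent, but a subnet mask was typed where a wildcard belongs.
    typo = FilterCondition(2, "10.1.2.0", "255.255.255.0",
                           "0.0.0.0", "255.255.255.255", PREDEFINED["http"])
    sessions = [Session("10.1.2.7", "203.0.113.9", "tcp", 80),
                Session("10.1.2.7", "203.0.113.9", "udp", 53),
                Session("192.168.5.0", "203.0.113.9", "tcp", 80)]
    print("correct filter :", select_for_sync([good], sessions))
    print("mistyped filter:", select_for_sync([typo], sessions))
    for c in (good, typo):
        if wildcard_looks_like_netmask(c.src_wildcard):
            print(f"condition {c.cond_id}: source wildcard "
                  f"{c.src_wildcard} looks like a subnet mask")
```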
13.5 VRRP
VRRP (Virtual Router Redundancy Protocol) is a fault-tolerant protocol. Usually, all hosts in the
same network set the same default route, whose next hop is the network gateway. Hosts send
packets to other network segments through this default route to the gateway, and the gateway
forwards them, so communication between the hosts and external networks is realized. When
the gateway fails, all hosts in the segment that use it as their default route can no longer
communicate with the external network.
1. VRRP realization method
VRRP was proposed to solve the problem of single-point gateway failure. VRRP groups several
routers in a LAN into what is known as a backup group. One Master router and several Backup
routers form the backup group, which functions as a single virtual router. A VRRP backup group
has the following characteristics:
The virtual router has an IP address, the virtual IP address. LAN hosts only need to know the
virtual router's IP address and set it as the next-hop address of their default route. Hosts in
this network then communicate with external networks through the virtual router.
According to the priorities of the routers in the backup group, a Master router is elected to
take on the responsibility of network gateway. The other routers act as Backup routers; when
the Master router fails, another router takes over the Master's function, so that hosts on the
inner network can communicate with external networks without interruption.
For example, the virtual router has the IP address 10.100.10.1, and the routers in the backup
group have their own IP addresses (the Master IP address is 10.100.10.11 and the Backup IP
address is 10.100.10.12). The LAN hosts only know the virtual router IP address 10.100.10.1;
they do not know the actual IP addresses of the Master and Backup routers. They set the next
hop of their default route to the virtual router IP address 10.100.10.1, so hosts in the network
use 10.100.10.1 as the next-hop address and communicate with other networks through the
virtual router. If the Master router in the backup group fails, a new Master router is selected
from the Backup routers according to the selection policy and continues to provide routing
services to the hosts in the network, so that they can communicate with the external network
without interruption.
2. VRRP working principle
A VRRP router has a unique identifier, the VRID, in the range of 0-255. The VRRP router
presents a unique virtual MAC address to the outside network, in the format
00-00-5E-00-01-[VRID]. The Master router is responsible for answering ARP requests with this
MAC address. Therefore, no matter how the master and backup roles switch, terminals always
see the same IP and MAC address, which minimizes the effect of a switchover on the
terminals.
There is only one kind of VRRP control packet: the VRRP advertisement. It is encapsulated in
IP multicast packets with the multicast address 224.0.0.18. The advertisement is limited to the
local area network, so a VRID can be reused in a different network. To reduce network
bandwidth consumption, only the master router periodically sends VRRP advertisement packets.
If a backup router does not receive a VRRP advertisement within three consecutive
advertisement intervals, or receives an advertisement with priority 0, a new VRRP election is
started automatically.
In a VRRP router group, the master router is elected according to router priority. In the VRRP
protocol, the priority range is 0-255. If a VRRP router's own interface IP address is the same
as the virtual router's IP address, that router is called the IP address owner of the VRRP
group. The IP address owner automatically has the highest priority, 255. Priority 0 is generally
used when the IP address owner gives up its role as master. The configurable priority range is
1-254; priorities are configured according to link speed and cost, router performance and
reliability, and other management strategies. In the master router election, the router with the
higher priority wins; therefore the IP address owner of the VRRP group always becomes the
master router. Routers with the same priority are ordered by IP address. A preemptive priority
strategy is also provided: if it is configured, a higher-priority backup router replaces a
lower-priority master router and becomes the new master router.
To ensure the security of the VRRP protocol, two authentication measures are provided:
plaintext authentication and MD5 authentication. Plaintext authentication requires the same
VRID and the same plaintext password when a VRRP router joins the VRRP router group; it is
suitable for avoiding configuration errors in the LAN, but cannot prevent the password from
being obtained by monitoring the network. MD5 authentication provides higher security and can
prevent packet replay and modification attacks.
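The election rules above (virtual MAC derived from the VRID, priority 255 for the IP address owner, priority 0 to give up the master role, highest priority wins, preemption, and a master-down time of three advertisement intervals) as an added Python model that is not DPtech's code or the device's implementation. It assumes a 1 second advertisement interval, that ties are won by the higher IP address, and that a failing master advertised just before it failed; the router addresses reuse the manual's example.

```python
"""Added example, not DPtech code: a model of the VRRP election rules
described above (virtual MAC from the VRID, priority 255 for the IP
address owner, priority 0 to give up the master role, highest priority
wins, preemption, and a master-down time of three advertisement
intervals). Assumptions not in the manual: a 1 s advertisement
interval, ties won by the higher IP address, and a failing master is
taken to have advertised just before it failed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

def virtual_mac(vrid: int) -> str:
    """Virtual MAC of a backup group, format 00-00-5E-00-01-[VRID]."""
    if not 0 <= vrid <= 255:
        raise ValueError("VRID must be in 0..255")
    return f"00-00-5E-00-01-{vrid:02X}"

def master_down_interval(adv_interval: float) -> float:
    """Backups start an election after three missed advertisements."""
    return 3 * adv_interval

@dataclass
class VrrpRouter:
    ip: str
    configured_priority: int        # configurable range is 1..254
    is_address_owner: bool = False  # owns the virtual IP -> priority 255
    preempt: bool = True
    releasing: bool = False         # currently advertising priority 0

    def __post_init__(self) -> None:
        if not 1 <= self.configured_priority <= 254:
            raise ValueError("configurable priority is 1..254")

    def priority(self) -> int:
        if self.releasing:
            return 0
        return 255 if self.is_address_owner else self.configured_priority

def elect(candidates: List[VrrpRouter]) -> Optional[VrrpRouter]:
    """Highest priority wins, priority 0 never wins, ties go to the
    higher IP address (assumption)."""
    live = [r for r in candidates if r.priority() > 0]
    if not live:
        return None
    return max(live, key=lambda r: (r.priority(),
                                    int(ipaddress.IPv4Address(r.ip))))

@dataclass
class BackupGroup:
    vrid: int
    virtual_ip: str
    routers: List[VrrpRouter]
    adv_interval: float = 1.0       # seconds (assumed)
    master: Optional[VrrpRouter] = None
    alive: Set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        self.alive = {r.ip for r in self.routers}
        self.master = elect(self.routers)

    def _router(self, ip: str) -> VrrpRouter:
        return next(r for r in self.routers if r.ip == ip)

    def _reelect(self) -> None:
        self.master = elect([r for r in self.routers if r.ip in self.alive])

    def fail(self, ip: str, now: float) -> float:
        """Router `ip` goes silent at `now`; returns when the group has its
        new master (a failed backup changes nothing)."""
        self.alive.discard(ip)
        if self.master is not None and self.master.ip == ip:
            self._reelect()
            return now + master_down_interval(self.adv_interval)
        return now

    def release(self, ip: str, now: float) -> float:
        """The master advertises priority 0, so backups re-elect at once."""
        self._router(ip).releasing = True
        if self.master is not None and self.master.ip == ip:
            self._reelect()
        return now

    def recover(self, ip: str, now: float) -> float:
        """A returning router becomes master only if there is none, or if
        it has preemption enabled and wins against the current master."""
        self.alive.add(ip)
        r = self._router(ip)
        r.releasing = False
        if self.master is None or (r.preempt and elect([self.master, r]) is r):
            self.master = r
        return now

if __name__ == "__main__":
    owner = VrrpRouter("10.100.10.11", 100, is_address_owner=True)
    group = BackupGroup(1, "10.100.10.1", [owner, VrrpRouter("10.100.10.12", 100)])
    print("virtual MAC", virtual_mac(group.vrid), "master", group.master.ip)
    print("new master from", group.fail("10.100.10.11", 5.0), "s:", group.master.ip)
    group.recover("10.100.10.11", 20.0)
    print("owner back and preempts, master is", group.master.ip)
```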
Select Basic > High Availability > VRRP > IPv4 VRRP from the navigation tree to enter the IPv4
VRRP page, as shown in the following figure.
The IPv4 VRRP page provides the functions of adding an interface to IPv4 VRRP, assigning the
virtual IP address, and configuring the VRRP version and related parameters. The parameters
of IPv4 VRRP are shown in the following:
Select Basic > High Availability > VRRP > IPv6 VRRP from the navigation tree to enter the IPv6
VRRP page, as shown in the following figure.
The IPv6 VRRP page provides the functions of adding an interface to IPv6 VRRP, assigning the
virtual IP address, and configuring the VRRP version and related parameters. The parameters
of IPv6 VRRP are shown in the following:
In application scenarios where multiple VRRP groups are enabled on multiple links,
simultaneous switching of the links can be realized by synchronizing the VRRP state, which
keeps the uplink and downlink states consistent and improves network stability. Two or more
VRRP backup groups are associated, one of which is set as the master VRRP; the slave VRRP
must be in the same state as the master VRRP, and master/backup negotiation is no longer
carried out through advertisement messages and priorities.
Select Basic > High Availability > Interface Synchronization Group from the navigation tree to
enter the interface synchronization page, as shown in the following figure.
Configure the synchronization group name, select the port, and click the <OK> button.
13.8 BFD
BFD (Bidirectional Forwarding Detection) is a mechanism that provides fast forwarding-path
failure detection for upper-layer routing protocols by establishing BFD sessions between two
adjacent neighbors. By periodically sending BFD control packets on the link between the two
systems, BFD monitors the connectivity of the link, realizes fast route convergence, and
ensures service continuity.
13.8.1 BFD
The BFD public configuration module allows the user to set the session initialization mode,
the multi-hop parameters and the interface parameters.
Select Basic > High Availability > BFD > BFD Public Configuration from the navigation tree to
enter the BFD public configuration page, as shown in the following figure.
The parameters of the BFD public configuration page are shown in the following:
Session init mode: active mode or passive mode, selected before the BFD session is
established. At least one of the two systems that establish a BFD session must be in active
mode.
Active mode: before a BFD session is established, BFD actively sends BFD control
packets regardless of whether any BFD control packet has been received from its peer.
Passive mode: before a BFD session is established, BFD does not send control
packets until a BFD control packet is received from its peer.
Multi-hop configuration: BFD detects any of the paths between two systems. These paths
have multiple hops and might overlap.
Min TX interval: the minimum interval at which the sender sends BFD control packets, in
the range of 100~999 ms.
Min RX interval: the minimum interval at which this system can receive BFD control packets
from its peer, in the range of 100~999 ms.
Detect Mult: the detection time multiplier, in the range of 3 to 50.
Auth type: set the authentication mode for BFD control packets.
key-id: set the key ID for the specified authentication mode, in the range of 0 to 255.
Key: set the key for the specified authentication mode.
Interface configuration: select an interface and set the minimum sending interval, minimum
receiving interval, timeout detection multiplier, authentication type, key ID and key. Refer to
the "multi-hop parameter configuration" section above for details of each parameter.
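As an added example (not DPtech's code), this Python shows how two peers' BFD public parameters combine into the timers a session actually runs with, and how a failure is detected from a gap in received control packets. The negotiation rule it applies (each side transmits at the larger of its own Min TX interval and the peer's Min RX interval, and declares the peer down after the peer's Detect Mult times the peer's transmit interval without a packet) and the requirement that authentication type, key ID and key agree are standard BFD behaviour not stated on this page; the parameter values and packet arrival times are constructed.

```python
"""Added example, not DPtech code: combining two peers' BFD parameters
(init mode, Min TX, Min RX, Detect Mult, auth type, key-id, key) into
the timers a session runs with, and detecting a failure from the gap
between received control packets.

Assumptions not stated in the manual: standard BFD negotiation (each
side sends at max(own Min TX, peer Min RX); a side declares the peer
down after peer Detect Mult x peer transmit interval of silence), that
authentication settings must agree, and the constructed sample values."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class BfdParams:
    name: str
    init_mode: str        # "active" or "passive"
    min_tx_ms: int        # Min TX interval, 100..999 ms
    min_rx_ms: int        # Min RX interval, 100..999 ms
    detect_mult: int      # Detect Mult, 3..50
    auth_type: str = "none"
    key_id: int = 0       # 0..255
    key: str = ""

    def validate(self) -> None:
        """Enforce the ranges given on the BFD public configuration page."""
        if self.init_mode not in ("active", "passive"):
            raise ValueError(f"{self.name}: init mode must be active or passive")
        for label, v in (("Min TX", self.min_tx_ms), ("Min RX", self.min_rx_ms)):
            if not 100 <= v <= 999:
                raise ValueError(f"{self.name}: {label} interval must be 100..999 ms")
        if not 3 <= self.detect_mult <= 50:
            raise ValueError(f"{self.name}: Detect Mult must be 3..50")
        if not 0 <= self.key_id <= 255:
            raise ValueError(f"{self.name}: key-id must be 0..255")

@dataclass(frozen=True)
class Negotiated:
    local_tx_ms: int        # how often the local side sends
    remote_tx_ms: int       # how often the peer sends
    local_detect_ms: int    # silence after which local declares the peer down
    remote_detect_ms: int   # silence after which the peer declares us down

def can_establish(a: BfdParams, b: BfdParams) -> bool:
    """A session needs at least one active side and matching authentication."""
    if a.init_mode == "passive" and b.init_mode == "passive":
        return False
    return (a.auth_type, a.key_id, a.key) == (b.auth_type, b.key_id, b.key)

def negotiate(local: BfdParams, remote: BfdParams) -> Negotiated:
    local.validate()
    remote.validate()
    local_tx = max(local.min_tx_ms, remote.min_rx_ms)
    remote_tx = max(remote.min_tx_ms, local.min_rx_ms)
    return Negotiated(local_tx_ms=local_tx, remote_tx_ms=remote_tx,
                      local_detect_ms=remote.detect_mult * remote_tx,
                      remote_detect_ms=local.detect_mult * local_tx)

def down_at(detect_ms: int, arrivals_ms: List[int]) -> Optional[int]:
    """Given the times control packets arrived from the peer, return the
    time the session is declared Down (first gap longer than detect_ms),
    or None if the peer never went silent that long."""
    for prev, nxt in zip(arrivals_ms, arrivals_ms[1:]):
        if nxt - prev > detect_ms:
            return prev + detect_ms
    return None

if __name__ == "__main__":
    fw_a = BfdParams("FW-A", "active", 100, 100, 3)     # constructed
    fw_b = BfdParams("FW-B", "passive", 300, 200, 5)    # constructed
    print("establishes:", can_establish(fw_a, fw_b))
    neg = negotiate(fw_a, fw_b)
    print(neg)
    # constructed arrivals from FW-B: steady every 300 ms, then silence
    print("FW-A declares Down at",
          down_at(neg.local_detect_ms, [0, 300, 600, 900, 2500]), "ms")
```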
The BFD manual session configuration module allows the user to establish BFD sessions
through manual configuration.
Select Basic > High availability > BFD > BFD Manual Configuration from the navigation tree to
enter the BFD manual configuration page, as shown in the following figure:
The BFD manual page includes multi-hop manual configuration and single-hop manual
configuration.
The display BFD session information module displays the source IP, destination IP, interface,
hop type, session state and other detailed information of each BFD session.
Select Basic > High Availability > BFD > Display BFD Session Information from the navigation
tree to enter the display BFD session information page, as shown in the following figure:
The parameters of the display BFD session information page are shown in the following:
Source IP: the source IP address of the BFD session packets.
Destination IP: the destination IP address of the BFD session packets.
Interface: the name of the interface that connects to the neighbor.
Hop: the type of BFD session, multi-hop or single-hop.
Status: the state of the BFD session.
Detail information: the detailed parameters of the BFD session, including the minimum
sending interval, the minimum receiving interval, the timeout detection multiplier, the
authentication type, the discriminator value, etc.
13.9 ULDP
The ULDP configuration module provides functions to set the ULDP parameters, including the
enable status, DOWN working mode, timer, port authentication, ULDP port configuration, etc.
Select Basic > High Availability > BFD > ULDP Configuration from the navigation tree to enter
the ULDP configuration page, as shown in the following figure:
The ULDP display module provides the function of displaying ULDP information, including port
name, neighbor table entry, neighbor status, port status, reset, etc.
Select Basic > High Availability > BFD > ULDP show from the navigation tree to enter the ULDP
show page, as shown in the following figure:
Auto refresh: set the page to refresh the latest ULDP information automatically, and the
refresh interval.
Manual refresh: click the <Manual refresh> button to refresh the latest ULDP information.
Port name: display the port name of ULDP.
Neighbor table entry: display the ULDP neighbors of the port.
Neighbor status: display the ULDP neighbor status of the port.
Port status: display the status of the port.
Reset: display reset information.
14 Log Management
14.1 System log
The system log records system hardware information, system software information and
abnormal information. It can also monitor system events. Users can check errors that have
occurred through it, or find the traces left by an attack after the device has been attacked. The
system log page provides the following functions:
Select Basic > Log Management > System log > Latest log from the navigation tree to enter the
latest log page, as shown in the following figure.
Severity level: the severity level of the log, including emergency, alert, critical, error,
warning, notice, informational, debug.
Log content: the description of the log content.
Some functions on the interface are introduced below:
Auto-refresh: click the Auto-refresh checkbox, then select the auto-refresh interval. Every
XXX seconds, the system automatically refreshes the latest log page.
Manual refresh: click the Manual button to refresh the latest log page immediately.
Export: click the Export button in the lower corner of the latest log page to export the log
information to your local computer.
Select Basic > Log Management > System log > System log query from the navigation tree to
enter the system log query page, as shown in the following figure.
The system log query page includes the query terms severity level, keyword and time range:
Severity level: the severity level to query, including emergency, alert, critical, error,
warning, notice, informational, debug, unknown.
Keyword: enter a keyword of the log content to query. The keyword is case sensitive and
supports fuzzy matching.
Time range: select the time range to query, including current hour, the last hour, the last
two hours, yesterday, today and customize. If you select the customize option, click the icon
and set the start time and end time to query.
After you configure the query terms, click the Query button; the logs that match are displayed
in the log list. Click the Export by Query Terms button to export the queried logs to your local
computer.
Select Basic > Log Management > System log > System Log File Management from the
navigation tree to enter the system log file management page, as shown in the following figure.
The system log file name is displayed in the form of a time. You can save or delete the system
log files.
Click the Save icon to save the system log file to your local computer.
Click the Delete icon; the log file entry to be deleted turns red. Then click the Submit
button in the upper right corner of the webpage.
The system log configuration includes the remote log host configuration and the log hold time
configuration.
Select Basic > Log Management > System Log > System Log File Operation from the
navigation tree to enter the system log file operation page, as shown in the following figure.
(1) Select Basic > Log Management > System log > System Log Configuration to enter the
system log configuration page, as shown in the following figure.
(2) Click the "IP type" configuration item and select the IP type, IPv4 or IPv6.
(3) Click the "remote log host address" configuration item and enter the IP address of the
remote host, which cannot be a loopback, class D, or class E address.
(4) Click the "Service Port" configuration item and enter the port number on which the remote
log host receives logs.
(5) Click the "Log Level" configuration item; a level selection window pops up with the levels
emergency, alert, critical, error, warning, notice, informational and debug. The device sends
logs matching the selected level to the remote host.
(6) Click the "local host address" configuration item and enter the IP address of the device
that sends the logs.
(8) Select the number of days to keep the log: one week, two weeks, three weeks, 30 days or
custom. If you choose custom, enter the number of days manually, in the range of 7 to 180
days.
(9) Click the OK button in the upper right corner of the page to make the configuration effective.
Select Basic > Log Management > Operation log > Latest log from the navigation tree to enter
the latest log page, as shown in the following figure.
Auto refresh: check the "Auto refresh" check box and select the auto refresh interval; the
system then refreshes the log information automatically at that interval.
Manual refresh: click the <Manual refresh> button to refresh the log information
immediately.
Export: click the <Export> button at the bottom right corner of the page to save the current
log information to the local computer.
Select Basic > Log Management > Operation log > Operation log query from the navigation tree
to enter the operation log query page, as shown in the following figure.
The operation log query page includes the query terms administrator, IP address, keyword and
time range.
Administrator: select the administrator who performed the operation, including All, admin, do
not exit, control console.
IP address: set the IP address of the administrator.
Keyword: enter a keyword of the log content to query. The keyword is case sensitive and
supports fuzzy matching.
Time range: select the time range to query, including current hour, the last hour, the last
two hours, yesterday, today and customize. If you select the customize option, click the icon
and set the start time and end time to query.
After you configure the query terms, click the Query button; the logs that match are displayed
in the log list. Click the Export by query terms button to export the queried logs to your local
computer.
Select Basic > Log Management > Operation log > Operation log file management from the
navigation tree to enter the operation log file management page, as shown in the following figure.
The operation log file name is displayed in the form of a time. You can save or delete the
operation log files.
Click the Save icon to save the operation log file to your local computer.
Click the Delete icon; the log file entry to be deleted turns red. Then click the Submit
button in the upper right corner of the webpage.
The operation log configuration includes the remote log host configuration and the log hold time
configuration.
Select Basic > Log Management > Operation Log > Operation Log Configuration from the
navigation tree to enter the operation log configuration page, as shown in the following figure.
(1) Select Basic > Log Management > Operation Log > Operation Log Configuration to
enter the operation log configuration page, as shown in the following figure.
(2) Click the "IP type" configuration item and select the IP type, IPv4 or IPv6.
(3) Click the "remote log host address" configuration item and enter the IP address of the
remote host, which cannot be a loopback, class D, or class E address.
(4) Click the "Service Port" configuration item and enter the port number on which the remote
log host receives logs.
(5) Click the "local host address" configuration item and enter the IP address of the device
that sends the logs.
(7) Select the number of days to keep the log: one week, two weeks, three weeks, 30 days or
custom. If you choose custom, enter the number of days manually, in the range of 7 to 180
days.
(8) Click the OK button in the upper right corner of the page to make the configuration effective.
exceptions do not influence the device's normal operation. The diagnosis log is mainly used by
software developers to find out what problems happened on the device. Users do not need to
pay attention to diagnosis logs.
Select Basic > Log Management > Service log configuration from the navigation tree to enter
the service log configuration page, as shown in the following figure.
The service log configuration page includes three items: hold time, IPS log aggregation and
sending mode.
Hold time: select the number of days to hold the logs: one week, two weeks, three weeks, 30
days or customize. If you select the customize option, configure the number of days for the
custom hold time, in the range of 7 to 180 days. The default is 30 days.
The IPS log aggregation function can only be used after the IPS service board is inserted into
the device. After you enable this function, the device aggregates the received IPS logs
according to the IPS log aggregation time and conditions, which saves system resources. The
IPS aggregation conditions include source IP aggregation, destination IP aggregation, source
port aggregation, destination port aggregation and protocol aggregation.
Output to the syslog log host in real time: if you select this checkbox, configure the
following:
Syslog Log Local IP Address: click the configuration item and configure the source IP
address used for sending logs.
Syslog Log Host IP Address: click the configuration item and configure the destination IP
address used for receiving logs.
Service port: click the configuration item and configure the service port used for receiving
logs, in the range of 1 to 65535.
Send mail: if you select this checkbox, configure the mail server IP address, the destination
email address, the username and the password. Click the <Mail Test> button to test whether
the mail server works.
Synchronize device information (IP information) with UMC: if you select this checkbox, UMC
synchronizes the device's IP information. This configuration item is used when the inner
network device and the outer network device are connected by dial-up.
Attack source IP address sending format: select the format in which the attack source IP
address is sent, either hexadecimal format or character string address.
UMC synchronization port: configure the log host synchronization port, in the range of 1 to
65535.
After you finish the above configurations, click the Submit button in the upper right corner of
the webpage.
Select Basic > Log Management > Service Log Query > IPS Log from the navigation tree to
enter the IPS log page, as shown in the following figure:
The query conditions include attack ID, attack level, action type, interface, source IP,
destination IP, source port, destination port and specified time. Click the Query button after
configuring the conditions; the query result is displayed in the list below.
Click the Export button to export the queried logs to the local computer.
Click the Delete button to delete the log information.
Select Basic > Log Management > Service Log Query > Anti-virus Log from the navigation tree
to enter the anti-virus log page, as shown in the following figure:
The query conditions include virus ID, virus classification, action type, interface, source IP
address, destination IP address, source port, destination port and specified time. Click the
Query button after configuring the conditions; the query result is displayed in the list below.
Click the Export button to export the queried logs to the local computer.
Click the Delete button to delete the log information.
Select Basic > Log Management > Service Log Query > RMON Log from the navigation tree to
enter the RMON log page, as shown in the following figure:
The RMON log page displays the RMON log information, including event ID, time, log content,
etc. Click the <Delete> button to delete the RMON log information.
Select Basic > Log Management > Service Log Query > ARP Monitoring Log from the
navigation tree to enter the ARP monitoring log page, as shown in the following figure:
The ARP monitoring log page provides a query function. Users can query log information for
different time periods: in the "time" drop-down box on the right, select the period to query,
including all, the last day, the last two days, the last week and specified time. If you select
specified time, configure the start time and end time. After selecting the time, click the Query
button; the query result is displayed in the list below. Click Delete to delete the log
information.
In a networking scenario where the FW device and an IDS device are used together, when the
IDS device detects an attack it can send the attack source IP address and destination IP
address to the FW device. The FW device blocks traffic based on the source/destination IP and
records it in the IDS linkage log.
Select Basic > Log Management > Service Log Query > IDS Collaboration Log from the
navigation tree to enter the IDS collaboration log page, as shown in the following figure:
Select Basic > Log Management > Service Log Query > Session Limit Log from the navigation
tree to enter the session limit log page, as shown in the following figure:
The Session Limit Log page provides query, delete and export functions:
The query conditions include log type, policy name, keyword and time range. After the
conditions are configured, click the Query button; the query result is displayed in the list
below.
Click Delete All to delete the log information.
Click the Export button to export the queried logs to the local computer.
Select Basic > Log Management > Service Log Query > Session Limit Log from the navigation
tree to enter the packet filtering log page, as shown in the following figure:
The IPv4 packet filtering log page provides query, delete and export functions:
The query conditions include source IP address, destination IP address and packet filtering
policy name. After the conditions are configured, click the Query button; the query result is
displayed in the list below.
Click the Delete button to delete the log information.
Click the Export All button to export the queried logs to the local computer.
Select Basic > Log Management > Service Log Query > Basic Attack Log from the navigation
tree to enter the basic attack log page, as shown in the following figure:
The basic attack protection log page provides query, delete and export functions:
The query conditions include action type, interface, source IP address, destination IP
address and specified time. Click the Query button after configuring the conditions; the
query result is displayed in the list below.
Click the Delete button to delete the log information.
Click the Export button to export the queried logs to the local computer.
Select Basic > Log Management > Service Log Query > Blacklist Log from the navigation tree
to enter the blacklist log page, as shown in the following figure:
The query conditions include reason, IP address/mask and time range. Click the Query
button after configuring the conditions; the query result is displayed in the list below.
Click the Delete button to delete the log information.
Click the Export By Search Condition button to export the queried logs to the local computer.
Select Basic > Log Management > Service Log Query > DDoS Protection Log > IPv4 Basic
Protection Log from the navigation tree to enter the IPv4 Basic Protection Log page, as shown
in the following figure:
The IPv4 basic protection log page provides manual refresh of the log information. The detailed
log information is displayed in the log list, including type, characteristics, source IP address,
destination IP address, rate and time.
15 Security Policy
Security policy mainly includes IPv4 packet filtering module and IPv6 packet filtering module.
According to packet filtering policy, the device will check the data packets in each data stream
based on their source address, destination address, source port, destination port, and protocol
type or based on the combination factors. User can customize different kinds of packet filtering
policies, so that can realize the basic security protection for data packets.
Select Service > Security Policy > IPv4 Packet filtering > IPv4 Packet filtering policy to
enter the IPv4 Packet filtering policy page, as shown in following figure.
15.1.1.2 Icons
The IPv4 packet filtering policy page includes seven function icons, "Import, Export, Refresh,
Show / Hide Column, Clear Count, Group Management, and Clear" in addition to the packet
filtering policy, as follows.
1. Import
The import function adds configured packet filtering policies to the device from an Excel
spreadsheet. It is suited to importing an existing packet filtering configuration file or to
configuring a large number of packet filtering policies at once. The configuration method is as
follows:
(1) Click Import, then click to select the file and choose the path of the file you want to
import, as shown in the following figure:
Figure 15-2
(2) Click Append Import to complete the import of the packet filtering configuration file, as
shown in the following figure. (The imported configuration file must not contain a policy
with the same name as an existing policy.)
Figure 15-3
2. Export
The export function saves the existing packet filtering policies as an Excel spreadsheet file.
The configuration method is as follows:
(1) Click Export and select the file name and location to export to.
(2) Click Download; the current packet filtering policy configuration file is then found in the
destination path.
Refresh
The refresh button refreshes the current page, so that the latest packet filtering policy
information and the latest hit count information of the current page are obtained.
Show / Hide Column
Shows or hides columns of the packet filtering policy list to change which information is
displayed.
Clear count
The clear count function clears the hit count of all packet filtering policies.
3. Group management
You can add packet filtering policies to different groups so that they are easier to manage.
The configuration method is as follows:
(1) Click the icon to view the packet filtering groups. You can see the default packet
filtering group.
(2) Move the mouse pointer to "Default" to view the description of this group, as shown in
the following diagram.
(4) Enter a name and a description for the newly added group, then click the icon to save
your configuration. To delete this group, click the delete icon.
(5) Move the mouse pointer to the newly added group to perform operations such as add,
disable, delete and modify on this group, as shown in the following diagram.
The parameters of the packet filtering policy list are as follows:
address wildcard through the guide bar, the pop-up window of Dst addr, and the “Object
Management”.
Src MAC: the source MAC address to which the IPv4 packet filtering policy applies. Select
the source MAC in the pop-up window of Src MAC, either by choosing the "Any" option or by
configuring an address object. MAC objects and MAC groups can be configured through the
pop-up window of Src MAC and through "Object Management".
Dst MAC: the destination MAC address to which the IPv4 packet filtering policy applies.
Select the destination MAC in the pop-up window of Dst MAC, either by choosing the "Any"
option or by configuring an address object. MAC objects and MAC groups can be configured
through the pop-up window of Dst MAC and through "Object Management".
Service: the service object or service object group to which the IPv4 packet filtering policy
applies. Services can be configured through the guide bar, the pop-up window of Service
and "Object Management".
Effect time: the time during which the packet filtering policy is in effect, including all time,
relative time (weekly cycle) and absolute time (the policy takes effect from the start time).
Action: the action taken on packets that match the packet filtering policy.
Packet loss: packets matching the packet filtering policy are discarded.
Pass directly: packets matching the packet filtering policy are forwarded.
Advanced Security Service: enables the long session connection function or the fragment
discarding function for packets that match the packet filtering policy. The long session
connection function is generally used for long-connection applications whose sessions
must not be aged out within the specified time limit; if the long connection parameter is
not configured, access exceptions may occur for this type of application. Set the aging
time of long sessions under System Administration > Session Configuration > Session
Parameter. Enable the fragment discarding function to avoid the potential security risks
caused by forwarding fragmented packets directly.
Hit log: records the packets matching the packet filtering policy; the log can be saved
locally or sent to a remote server. Remote logging supports two log formats, syslog and
flow log.
Session log: records the session information matching the packet filtering policy; the log
can be saved locally or sent to a remote server. Remote logging supports two log formats,
syslog and flow log. Detailed configuration is done on the session management page.
Matched: the number of times the packet filtering policy has been matched.
State: enable or disable the packet filtering policy.
Create time: displays the creation time of the packet filtering policy.
Modify time: displays the modification time of the packet filtering policy.
Operation: four icons are available: insert (copy upward), copy (copy downward), delete
and sort.
Insert: click the icon to copy the policy above the existing policy.
Copy: click the icon to copy the policy below the existing policy.
Delete: click the icon; the policy that has taken effect turns red and is in a pending state.
Click the button at the top right of the page to delete the policy.
Sort: click the icon and drag to adjust the order of the policies. You can use the policy name
as the keyword to quickly select the desired policy through the query function in the upper
right corner of the page. You can also click the drop-down box of the advanced query
function to select the desired policy based on one or more other criteria.
Packet filtering policies are matched from top to bottom, so the more specific policy must be
placed before the more general one. A wrong order causes packets to match the "large
range" policy first, so that the "small range" policy never takes effect. In this case, adjust the
matching order by clicking the sort icon.
For long sessions, the source address, destination address and service parameters must
be defined as precisely as possible.
Through the IPv4 packet filtering log module, the user can select whether to send packet
filtering logs, and can select the log type, the method for sending logs and the log server.
Select Service > Security Policy > IPv4 Packet filtering > IPv4 Packet filtering log to enter
the IPv4 Packet filtering log page, as shown in the following figure.
The parameters of the IPv4 packet filtering log are described as follows:
Enable packet filter log: select Enable packet filter log to enable this function.
Log save type: select the log save type, including remote server and local server.
Log type: select the packet filtering log type, including syslog and stream log.
The IPv4 packet filtering log search function allows the user to search packet filtering logs
according to different search conditions.
Select Service > Security Policy > IPv4 Packet filtering > IPv4 Packet filtering log search to
enter the IPv4 Packet filtering log search page, as shown in the following diagram.
The configuration method of the IPv4 packet filtering log search is as follows:
(1) Set the search conditions of the IPv4 packet filtering log, including source IP address,
destination IP address or packet filter name.
The fields of the search result are described as follows:
No: displays the sequence number of the IPv4 packet filtering log.
Packet filter name: displays the name of the packet filtering policy.
Match time: displays the time at which the packet matched the packet filtering policy.
In Ifindex: displays the inbound interface of the packet that matched the IPv4 packet
filtering policy.
Out Ifindex: displays the outbound interface of the packet that matched the IPv4 packet
filtering policy.
Source IP: displays the source IP address of the packet that matched the IPv4 packet
filtering policy.
Source port: displays the source port number of the packet that matched the IPv4 packet
filtering policy.
Destination IP address: displays the destination IP address of the packet that matched the
IPv4 packet filtering policy.
Destination port number: displays the destination port number of the packet that matched
the IPv4 packet filtering policy.
Protocol: displays the protocol of the packet that matched the IPv4 packet filtering policy.
Action: displays the action taken when the packet matched the IPv4 packet filtering policy.
The IPv6 packet filtering policy module provides the IPv6 packet filtering parameter settings.
Select Service > Security Policy > IPv6 packet filtering > IPv6 packet filtering policy to
enter the IPv6 packet filtering policy page, as shown in the following diagram.
The IPv6 packet filtering policy page has three parts that the user can configure: the guide
bar, the function icons and the packet filtering policy list.
For the guide bar and the icons, refer to the IPv4 packet filtering policy. The parameters of
the IPv6 packet filtering policy are as follows:
Click the icon and drag to adjust the order of the policies.
Select Service > Security Policy > IPv6 packet filtering > IPv6 packet filtering log to enter
the IPv6 packet filtering log page, as shown in the following diagram.
Enable IPv6 Packet Filter Log: enables the IPv6 packet filtering log function.
Log type: set the log type of the IPv6 packet filtering log, including Syslog and stream log.
The Syslog type is used with a Syslog server. Stream log (encrypted packets) is used with a
UMC server.
Source IP address: set the source IP address for sending IPv6 packet filtering logs. The
source IP address is an interface address (physical or logical) of the local device. Make sure
that the route to the log server is reachable.
Source port: set the source port number for sending IPv6 packet filtering logs. The source
port number must be greater than 1024 and must not conflict with a port used by the local
device.
Log server list: set the address of the log server that receives IPv6 packet filtering logs.
Log server port: set the port of the log server that receives IPv6 packet filtering logs.
Redundancy usually refers to increasing the reliability of a system through multiple backups.
Start analysis
In a large set of filtering rules, however, redundant rules make the firewall harder to manage
and reduce throughput. Policy redundancy rule analysis works on the rules entered by the
user: the system judges whether the entered rules conform to their original intention, and for
the remaining rules a redundancy detection algorithm locates the redundant ones.
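The following added example (not from the DPtech manual) simulates the top-to-bottom matching described in the Security Policy section and the redundancy analysis above: it flags a "small range" policy placed below a "large range" policy that already covers it, distinguishing a shadowed policy (different action, the ordering error the manual warns about) from a redundant one (same action), and shows how moving the policy up fixes the match. Policy names, addresses and the pass/drop labels are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """One row of a packet filtering policy list (constructed fields)."""
    name: str
    src: IPv4Network            # source address; 0.0.0.0/0 stands for "Any"
    dst: IPv4Network            # destination address; 0.0.0.0/0 stands for "Any"
    proto: Optional[str]        # "tcp", "udp" or None for any protocol
    dports: Tuple[int, int]     # destination port range, inclusive
    action: str                 # "pass" or "drop"


def make_policy(name, src, dst, proto, dport_lo, dport_hi, action) -> Policy:
    return Policy(name, IPv4Network(src), IPv4Network(dst), proto, (dport_lo, dport_hi), action)


def covers(outer: Policy, inner: Policy) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`,
    i.e. `outer` is the "large range" and `inner` the "small range" policy."""
    return (inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and (outer.proto is None or outer.proto == inner.proto)
            and outer.dports[0] <= inner.dports[0]
            and inner.dports[1] <= outer.dports[1])


def analyse_order(policies: List[Policy]) -> List[Tuple[str, str, str]]:
    """Walk the list top to bottom. A policy fully covered by an earlier one can
    never be hit: with the same action it is redundant, otherwise it is shadowed
    (the large-range policy wins and the small-range policy silently fails).
    Returns (never-hit policy, covering policy, kind) triples."""
    findings = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.name, earlier.name, kind))
                break
    return findings


def first_match(policies: List[Policy], src: str, dst: str,
                proto: str, dport: int) -> Optional[str]:
    """Top-to-bottom first match, as the device evaluates the list."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for p in policies:
        if (s in p.src and d in p.dst
                and (p.proto is None or p.proto == proto)
                and p.dports[0] <= dport <= p.dports[1]):
            return p.name
    return None


def move_before(policies: List[Policy], name: str, before: str) -> List[Policy]:
    """Reorder as the sort icon does: place policy `name` directly above `before`."""
    rest = [p for p in policies if p.name != name]
    moving = next(p for p in policies if p.name == name)
    idx = next(i for i, p in enumerate(rest) if p.name == before)
    return rest[:idx] + [moving] + rest[idx:]


# Constructed policy list: the guest-subnet block sits below the LAN-wide allow,
# and a narrower DNS allow duplicates the LAN-wide DNS allow above it.
POLICIES = [
    make_policy("allow-lan-web", "10.0.0.0/8", "0.0.0.0/0", "tcp", 80, 80, "pass"),
    make_policy("block-guest-web", "10.9.0.0/16", "0.0.0.0/0", "tcp", 80, 80, "drop"),
    make_policy("allow-dns", "10.0.0.0/8", "0.0.0.0/0", "udp", 53, 53, "pass"),
    make_policy("allow-dns-dup", "10.1.0.0/16", "0.0.0.0/0", "udp", 53, 53, "pass"),
]

if __name__ == "__main__":
    for never_hit, covering, kind in analyse_order(POLICIES):
        print(f"{never_hit} is {kind} by {covering}")
    print(first_match(POLICIES, "10.9.1.5", "198.51.100.7", "tcp", 80))
    fixed = move_before(POLICIES, "block-guest-web", "allow-lan-web")
    print(first_match(fixed, "10.9.1.5", "198.51.100.7", "tcp", 80))
```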
16 NAT Configuration
16.1 NAT overview
1. NAT technology background
With the development of the Internet and the increase in network applications, IPv4 address
depletion has become a bottleneck that restricts the development of the network. Although
IPv6 can fundamentally solve the problem of insufficient IPv4 addresses, many current
network devices and applications still use IPv4 addresses. To solve the problem, transition
technologies (such as CIDR and private network addresses) can be used before IPv6 is widely
deployed.
Private network addresses save IPv4 addresses because of this fact: in a LAN, only a few
hosts need to access the external network at any given time, and about 80% of internal traffic
stays within the LAN. Internal hosts can exchange traffic using private network addresses,
and private network addresses can be reused in different local area networks, so their use
effectively alleviates the shortage of IPv4 addresses. When internal hosts need to access the
external network, NAT converts their private addresses to public network addresses. NAT
therefore ensures network interoperability while saving public network addresses.
2. Technology advantages
As a transition plan, NAT meets the demand for IP addresses through address multiplexing
and, to a certain extent, eases the pressure of IP address space depletion. It has the
following advantages:
Private network addresses can be used for internal communication. When hosts need to
communicate with external parties or access external resources, their private addresses
are converted to public addresses.
Through the combination of a public network address and a port, multiple private network
users can share one public network address.
Through static mapping, different internal servers can be mapped to the same public
network address. External users access different internal servers through the public
network address and port, while the real IP addresses of the internal servers stay hidden,
which helps prevent attacks on the internal servers and the internal network.
Network management is more convenient: for example, a private network server can be
migrated by changing the mapping table, and internal network changes are also easy.
NAT also plays a security role for private network hosts: because a private host connects
to the Internet using a public address, an external attacker performing a port scan does not
detect the private host.
3. Basic principles of NAT technology
The basic principle of NAT is that a private network host is assigned a legitimate public
network address only when it needs to access the Internet, and uses a private network
address internally. When a private host accesses the Internet through the NAT gateway, the
gateway replaces the source IP address of the original packet with a valid public network
address and records the translation. When the reply returns from the Internet side, the NAT
gateway looks up the original record, replaces the destination address of the packet with the
original private network address, and sends it back to the requesting host. For devices on
either the private or the public side, this process is no different from ordinary network access.
With this model, a large number of internal hosts no longer need to be allocated public IP
addresses; they can all reuse the public IP addresses of the NAT device.
Traditional network devices design dynamic address NAT so that when the public IP address
pool is used up, new connections can no longer be established. DPtech devices improve on
this: when a private IP address actively accesses the external network, a public IP address is
allocated first and the source port is kept unchanged. When the public IP address pool is
exhausted, public IP addresses that are already in use are automatically multiplexed, but the
source port is changed, that is, the translation becomes dynamic port NAT. This avoids
network access interruptions for internal hosts caused by insufficient public IP address pool
resources, while using public IP address resources more efficiently.
2. Dynamic port NAT
Dynamic NAT is the most basic NAT mode: the device dynamically translates private IP
addresses to one or more public network IP addresses, and also translates the transport layer
port or other upper layer protocol information so that IP addresses can be reused. For
packets forwarded from the private network to the public network, the source IP address and
port are replaced; for the reverse packets, the destination IP address and port are replaced.
The simplest dynamic port NAT configuration uses the IP address of the outgoing interface
connected to the public network as the public IP address for NAT translation. When other
public IP addresses are used as NAT addresses, an address pool must be configured. The
device automatically selects the public IP address to use from the address pool, and assigns
IP addresses and ports through an internal hash allocation algorithm.
By default, dynamic port NAT preserves the source port of the private network host, that is,
the source port after NAT is the same as the source port before NAT. Only if the
corresponding port of the public IP address is already occupied is the device forced to change
the port, using a random port of the corresponding public IP address instead.
3. Session level NAT
Session-level NAT concerns the number of sessions that a single address in the NAT address
pool can support. Traditional NAT can use at most 65535 ports on a single address, while
session-level NAT provides unlimited NAT. Unlimited NAT distinguishes sessions based on
five-tuple information, so the same port can be used for different sessions, achieving port
reuse.
Session-level NAT is usually deployed in scenarios where public network addresses are in
short supply.
For security reasons, most private network hosts do not want to be accessed by public
network users. In some practical applications, however, public network users need to access
a server on the private network. Destination NAT converts a public network IP address to a
private IP address by statically configuring the mapping between the public IP address + port
number and the private IP address + port number, so that public network users can access
the private network server.
Destination NAT differs from one-to-one NAT in that it maps not only the public IP address to
the private IP address but also the port number. Another important difference is that the
destination NAT mapping is one-way: the mapping rule is used only when traffic from the
public network side accesses the public IP address towards the private network side. If a
private network host accesses public network resources, the destination NAT mapping rule is
not used, and source NAT rules need to be configured on the outgoing interface of the device.
1. One-to-one NAT
One-to-one NAT maps an internal IP address uniquely to a public IP address. In this case,
translation of upper layer protocol information is unnecessary, because one public IP address
corresponds to exactly one internal host. Obviously, this mode does little to save public IP
addresses; it mainly serves special networking needs, for example publishing a server on the
public network or enabling communication between two networks with overlapping IP
addresses.
After a flow undergoes source NAT translation, a five-tuple mapping entry is established in
the NAT gateway. During the aging period of the entry, only reverse traffic from the same
address can match the five-tuple mapping entry on the NAT gateway for NAT translation.
For example: a flow TCP IP1:Port1 -> IP2:Port2 is converted to TCP IP111:Port111 ->
IP2:Port2 after NAT. The mapping entry established is: TCP IP2:Port2 -> IP111:Port111 is
converted to IP2:Port2 -> IP1:Port1. The reverse traffic must arrive before the mapping entry
ages out, and only TCP IP2:Port2 -> IP111:Port111 is NAT-translated; other traffic cannot be
forwarded through NAT.
After a flow is translated by source NAT, a triplet mapping entry is established in the NAT
gateway. During the aging period of the entry, any address is allowed to access the IP
address and port after NAT translation and be translated.
For example: a flow TCP IP1:Port1 -> IP2:Port2 is converted to TCP IP111:Port111 ->
IP2:Port2 after NAT. The mapping entry established is: TCP IP1:Port1 is converted to
IP111:Port111. Then any address accessing the mapped IP address and port IP111:Port111 is
translated to IP1:Port1.
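As an added example (not from the manual), the following simulation reproduces the two reverse-mapping modes just described: five-tuple entries, where only the same peer may answer and the same public port can be reused for different sessions (the port reuse of session-level NAT described above), and triplet entries, where any address reaching the mapped public port is translated. The names IP1, IP2 and IP111 follow the manual's notation; IP3, IP4, IP5, the port numbers and the lowest-free-port allocation are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, port); "IP1" etc. follow the manual's notation


@dataclass
class NatGateway:
    """Source NAT gateway with one public address.
    mode="session": one five-tuple entry per session (session-level NAT).
    mode="cone":    one triplet entry per private endpoint (cone NAT)."""
    public_ip: str
    mode: str = "session"
    fwd: Dict[tuple, Endpoint] = field(default_factory=dict)   # private side -> public endpoint
    rev: Dict[tuple, Endpoint] = field(default_factory=dict)   # public side -> private endpoint

    def _rev_key(self, proto: str, peer: Endpoint, pub: Endpoint) -> tuple:
        # Session-level: the public peer is part of the key, so the same public
        # port can serve different sessions. Cone: the public endpoint alone is the key.
        return (proto, peer, pub) if self.mode == "session" else (proto, pub)

    def _alloc_port(self, proto: str, peer: Endpoint) -> int:
        # Constructed allocation rule: lowest port above the well-known range
        # whose reverse key is still free.
        for port in range(1024, 65536):
            if self._rev_key(proto, peer, (self.public_ip, port)) not in self.rev:
                return port
        raise RuntimeError("public address exhausted")

    def outbound(self, proto: str, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Private host src sends to public peer dst; returns the translated source."""
        fkey = (proto, src, dst) if self.mode == "session" else (proto, src)
        pub = self.fwd.get(fkey)
        if pub is None:
            pub = (self.public_ip, self._alloc_port(proto, dst))
            self.fwd[fkey] = pub
            self.rev[self._rev_key(proto, dst, pub)] = src
        return pub

    def inbound(self, proto: str, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Packet from the public side towards a mapped public endpoint dst.
        Returns the private endpoint it is delivered to, or None when the
        device has no matching entry and discards it."""
        return self.rev.get(self._rev_key(proto, src, dst))


def demo(mode: str) -> dict:
    """Replays the manual's scenario: IP1:Port1 -> IP2:Port2 is translated to
    IP111:Port111, then IP2 answers and an unrelated host IP3 tries the mapped
    public port. A second private host IP5 shows how many public ports each
    mode consumes."""
    gw = NatGateway("IP111", mode)
    pub1 = gw.outbound("tcp", ("IP1", 40000), ("IP2", 80))
    pub5 = gw.outbound("tcp", ("IP5", 40000), ("IP4", 80))
    return {
        "IP1 mapped to": pub1,
        "IP5 mapped to": pub5,
        "reply from IP2": gw.inbound("tcp", ("IP2", 80), pub1),
        "unsolicited from IP3": gw.inbound("tcp", ("IP3", 5000), pub1),
    }


if __name__ == "__main__":
    for mode in ("session", "cone"):
        print(mode, demo(mode))
```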
Cone NAT is mainly used in environments with many P2P applications. Because NAT breaks
the end-to-end model of IP, many UDP-based protocols now take NAT devices into account,
so some UDP-based applications can traverse NAT devices by themselves, such as QQ. If an
application does not support a NAT traversal protocol, packets initiated from the public
network towards the NAT-translated address and port are discarded by the NAT device.
Deploying cone NAT improves this situation.
After cone NAT translation, the public network IP and port are occupied by one private
network IP and port, and a reverse mapping record to that private network IP is formed
compulsorily. This feature is mutually exclusive with session-level NAT; the two cannot take
effect at the same time, so session-level NAT is automatically disabled when cone NAT is
used. In practice, if you choose cone NAT, you need to consider whether the allocation of
public network IP resources is reasonable.
The port range 1024~65535 (ports 0~1023 are well-known ports and are reserved) is divided
into blocks of equal size, giving "Port Number / Block Size" port blocks per address. The
number of port block resources is therefore: number of IP addresses in the public network
address pool * Port Number / Block Size. Each private network IP address exclusively
occupies one port block resource.
For example: configure the private network IP range on the NAT device as addr1~addr2, the
public IP address pool as addr3~addr4 and the port block size as n; the port block resources
are obtained according to "number of public network address pool IPs * Port Number / Block
Size". PC1 is allocated Block1 and PC2 is allocated Block2. The translated IP and port of PC1
accessing PC3 must be within Block1, and the translated IP and port of PC2 accessing PC3
must be within Block2.
This type of NAT is mainly used when there are high requirements for log traceability but the
log traceability system is not strong. Because the volume of NAT logs is large, users cannot
tell whether logs have been lost, so port block NAT can be used to log by port block allocation
instead of by session.
In static port block NAT, the private network IP addresses and the public network port block
resources form a fixed mapping, in strict one-to-one correspondence between the order of the
IP addresses and the sequence of the port block resources, and private network IP addresses
accessing the Internet are translated according to this static mapping.
For example: private network IP addresses IP1, IP2, IP3 correspond one-to-one to the public
network port block resources IP100:Block1, IP100:Block2, IP100:Block3; IP1 is mapped to
IP100:Block1, IP2 to IP100:Block2 and IP3 to IP100:Block3. The device always maintains this
mapping: whenever IP1, IP2 or IP3 accesses the Internet, NAT translation follows this static
mapping. Therefore, static port block NAT must satisfy: the number of private network IP
addresses is less than or equal to the number of public network port block resources.
In actual deployments, static port block NAT is used more often than dynamic port block NAT,
mainly because its fixed static mapping makes it easier for ISP users to trace the source.
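The following added example (not from the manual) carries out the port block arithmetic and the static mapping described above: it builds the port block resources from a constructed public pool and block size, assigns them to private addresses in order, enforces the sizing condition (private IPs <= port blocks) and traces a logged public IP:port back to its private address. The address ranges, the block size and the choice of port within a block are constructed.

```python
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

PortBlock = Tuple[str, int, int]   # (public IP, first port, last port), inclusive


def ip_range(start: str, end: str) -> List[str]:
    """Expand an inclusive IPv4 range such as addr1~addr2 into a list."""
    a, b = int(IPv4Address(start)), int(IPv4Address(end))
    if b < a:
        raise ValueError("end address precedes start address")
    return [str(IPv4Address(i)) for i in range(a, b + 1)]


def port_blocks(pool_start: str, pool_end: str, block_size: int,
                port_start: int = 1024, port_end: int = 65535) -> List[PortBlock]:
    """Manual's formula: blocks = (pool IP count) * (port count // block size).
    Ports 0~1023 are excluded by default because they are well-known ports;
    a remainder that does not fill a whole block is left unallocated."""
    per_ip = (port_end - port_start + 1) // block_size
    blocks: List[PortBlock] = []
    for ip in ip_range(pool_start, pool_end):          # IP order first ...
        for k in range(per_ip):                        # ... then block order within the IP
            first = port_start + k * block_size
            blocks.append((ip, first, first + block_size - 1))
    return blocks


def fits(priv_start: str, priv_end: str, blocks: List[PortBlock]) -> bool:
    """Sizing rule from the manual: private IP count <= number of port blocks."""
    return len(ip_range(priv_start, priv_end)) <= len(blocks)


def static_mapping(priv_start: str, priv_end: str,
                   blocks: List[PortBlock]) -> Dict[str, PortBlock]:
    """Static port block NAT: the i-th private IP always gets the i-th block."""
    hosts = ip_range(priv_start, priv_end)
    if len(hosts) > len(blocks):
        raise ValueError(f"{len(hosts)} private IPs but only {len(blocks)} port blocks")
    return dict(zip(hosts, blocks))


def translate(mapping: Dict[str, PortBlock], priv_ip: str, priv_port: int) -> Tuple[str, int]:
    """Translated source of an outbound packet: a port inside the host's own block.
    The offset rule (private port modulo block size) is a constructed choice; the
    device's real port selection within the block is not described in the manual."""
    pub_ip, first, last = mapping[priv_ip]
    return pub_ip, first + priv_port % (last - first + 1)


def trace_back(mapping: Dict[str, PortBlock], pub_ip: str, pub_port: int) -> str:
    """Traceability: a public (IP, port) seen in a log identifies exactly one
    private IP, without a per-session log."""
    for priv_ip, (ip, first, last) in mapping.items():
        if ip == pub_ip and first <= pub_port <= last:
            return priv_ip
    raise LookupError(f"{pub_ip}:{pub_port} is not in any allocated port block")


# Constructed deployment: two public addresses, 1024-port blocks, 126 private hosts.
BLOCKS = port_blocks("203.0.113.10", "203.0.113.11", 1024)
MAPPING = static_mapping("10.0.0.1", "10.0.0.126", BLOCKS)

if __name__ == "__main__":
    print(len(BLOCKS), "port blocks;", "10.0.0.1 ->", MAPPING["10.0.0.1"])
    print(translate(MAPPING, "10.0.0.1", 51000), trace_back(MAPPING, "203.0.113.10", 1848))
```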
In a VRRP dual-system hot backup network, if the addresses of the NAT address pool are not
the virtual IP of the VRRP group but other IP addresses in the same network segment, the
primary and backup devices, which are configured with the same NAT rules, cause ARP
conflicts for the NAT address pool addresses, resulting in abnormal service traffic and even
network interruption. This can occur with NAT rules such as source NAT, destination NAT,
one-to-one NAT and many-to-many NAT.
The NAT-associated VRRP function solves this problem. The dual-system hot standby state
changes with the VRRP active/standby state, and usually only the active device processes
service traffic. Therefore, when NAT is associated with VRRP, only the NAT rule whose VRRP
state is Master responds to ARP requests, while the NAT rule whose VRRP state is Backup
does not respond to ARP, thus avoiding ARP conflicts and ensuring that only the Master
device receives service traffic, as shown in the following figure:
(Figure: NAT associated with VRRP. Internet side 221.110.1.4; public-side Master 221.110.1.2
and Backup 221.110.1.3 sharing Virtual IP 221.110.1.1; intranet-side Virtual IP 192.168.1.1,
Master 192.168.1.2 and Backup 221.110.1.3; Intranet 192.168.1.254.)
The internal data forwarding process of the device follows the sequence shown in the figure
below: the session entry is looked up first, then destination NAT translation, route lookup,
packet filtering rules, DPI rules and audit rules are performed, and finally source NAT is
applied and the packet is forwarded from the routing outbound interface.
Figure 16-6 Brief flow chart of data forwarding inside the device
Because the device performs destination NAT before the packet filtering policy, the packet
filtering policy must permit the private network IP address after destination NAT translation.
For example: map the public IP address 211.110.1.1 of the Untrust zone to the private IP
address 192.168.1.1 of the Trust zone. The packet filtering policy should be configured with
the following fields:
Source Domain | Source Address | Destination Domain | Destination Address | Action
The destination address of the packet filtering policy should be the private IP address
192.168.1.1 after destination NAT translation.
Because the device applies the packet filtering policy before source NAT, the packet filtering
policy must permit the private network address before source NAT translation.
For example: map the private IP address 192.168.2.1 of the Trust zone to the public IP
address 211.110.1.1 of the Untrust zone. The packet filtering policy should be configured with
the following fields:
Source Domain | Source Address | Destination Domain | Destination Address | Action
The source address of the packet filtering policy should be the private IP address 192.168.2.1
before source NAT translation.
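The following added example (not from the manual) walks a packet through the order given in Figure 16-6 (destination NAT, then packet filtering, then source NAT) for the two configurations above, showing that a policy written with the public address 211.110.1.1 never matches, while one written with 192.168.1.1 (after destination NAT) or 192.168.2.1 (before source NAT) does. The zone lookup, the Internet host 203.0.113.5 and the policy record format are constructed, and the implicit drop when no policy matches is an assumption, not a statement of the manual.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class FilterPolicy:
    """Constructed stand-in for one row of the packet filtering policy list."""
    name: str
    src_zone: str      # source domain; "any" matches all
    src_ip: str        # source address; "any" matches all
    dst_zone: str      # destination domain
    dst_ip: str        # destination address
    action: str        # "pass" or "drop"


def zone_of(ip: str) -> str:
    """Constructed route/zone table: 192.168.0.0/16 is the Trust zone, all else Untrust."""
    return "Trust" if ip.startswith("192.168.") else "Untrust"


def matches(pol: FilterPolicy, pkt: Packet) -> bool:
    fields = ((pol.src_zone, zone_of(pkt.src_ip)), (pol.src_ip, pkt.src_ip),
              (pol.dst_zone, zone_of(pkt.dst_ip)), (pol.dst_ip, pkt.dst_ip))
    return all(want == "any" or want == have for want, have in fields)


def forward(pkt: Packet, dnat: Dict[str, str], policies: List[FilterPolicy],
            snat: Dict[str, str]) -> Tuple[str, Optional[Packet]]:
    """Order from the manual's flow chart: destination NAT, route lookup (zone_of),
    packet filtering, then source NAT. The initial session lookup is skipped: every
    packet here is the first of a new session. Returns (verdict, packet as sent out).
    Assumption not stated in the manual: no matching policy means the packet is dropped."""
    # 1. Destination NAT rewrites the public address to the private one first ...
    if pkt.dst_ip in dnat:
        pkt = replace(pkt, dst_ip=dnat[pkt.dst_ip])
    # 2. ... so the packet filter sees the post-DNAT destination and the pre-SNAT source.
    hit = next((p for p in policies if matches(p, pkt)), None)
    if hit is None:
        return "dropped: no policy matched", None
    if hit.action == "drop":
        return "dropped by " + hit.name, None
    # 3. Source NAT is applied only after the policy decision.
    if pkt.src_ip in snat:
        pkt = replace(pkt, src_ip=snat[pkt.src_ip])
    return "forwarded by " + hit.name, pkt


# The manual's two examples: public 211.110.1.1 is published for 192.168.1.1 (destination
# NAT) and 192.168.2.1 goes out as 211.110.1.1 (source NAT). 203.0.113.5 is a constructed
# Internet host.
DNAT = {"211.110.1.1": "192.168.1.1"}
SNAT = {"192.168.2.1": "211.110.1.1"}


def publish_server(dst_in_policy: str) -> str:
    """Inbound access to the published server with a policy whose destination
    address is dst_in_policy; returns the verdict."""
    policy = [FilterPolicy("to-server", "Untrust", "any", "Trust", dst_in_policy, "pass")]
    verdict, _ = forward(Packet("203.0.113.5", "211.110.1.1"), DNAT, policy, SNAT)
    return verdict


def host_outbound(src_in_policy: str) -> Tuple[str, Optional[str]]:
    """192.168.2.1 accessing the Internet with a policy whose source address is
    src_in_policy; returns the verdict and the source address the peer sees."""
    policy = [FilterPolicy("lan-out", "Trust", src_in_policy, "Untrust", "any", "pass")]
    verdict, out = forward(Packet("192.168.2.1", "203.0.113.5"), DNAT, policy, SNAT)
    return verdict, (out.src_ip if out else None)


if __name__ == "__main__":
    print(publish_server("211.110.1.1"), "|", publish_server("192.168.1.1"))
    print(host_outbound("211.110.1.1"), "|", host_outbound("192.168.2.1"))
```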
Select Service > NAT Configuration > Source NAT > Source NAT from the navigation tree to
enter the source NAT page, as shown in the following figure.
Use outbound interface: use the address of the outgoing interface as the public network
address.
No NAT: when selected, the device does not perform NAT on the matching traffic.
Select an existing address pool: select an existing address pool rule. After selecting it in
the left frame, click the ">" button and the selected address pool rule is displayed on the
right. Deletion works in the reverse direction.
High-level port: the source port after NAT. Without the port hash function, it is the same
as the source port before NAT.
Port hash: the source port number after NAT is changed to a random port number within
the high-level port range. If the application software or the peer requires that the source
port number of the packets not change, the port hash function must be turned off.
Status: displays the status of this source NAT policy, enabled or disabled.
Operation: includes four functions: move, add, insert and delete.
Move: click the icon to move the policy before or after another policy to adjust the policy
order.
Add: click the icon to add a new policy below the existing policy.
Insert: click the icon to insert a new policy above the existing policy.
Delete: click the icon; the policy turns red and is in the to-be-deleted state. Click the
Submit button in the upper right corner of the web page to delete the policy.
The list of configured source NAT policies can be saved and downloaded with the import and
export functions. Click Import, then Select File to select the path of the file to be imported,
and click Import to import the source NAT policies. Click the Export button to save the current
source NAT policy configuration.
Select Service > NAT Configuration > Source NAT > Address Pool from the navigation tree to
enter the address pool page, as shown in the following figure.
Before configuring source NAT, you need to configure the address pool. After the
configuration, click the Submit button at the top right of the page.
Select Service > NAT Configuration > Port Block NAT > Port Block NAT from the navigation
tree to enter the port block NAT page, as shown in the following figure.
The page parameters of port block NAT are roughly the same as those of source NAT; only
the port block resource pool is different. The port block resource pool configuration window is
shown in the figure below:
Port block resource pool: select the serial number of an existing port block resource pool
in the drop-down box.
IP address range: displays the IP address range of the selected port block resource pool.
Port range: displays the port range of the selected port block resource pool.
Number of ports per block: displays the port block size of the selected port block resource
pool. The system divides the configured port range into several blocks of fixed size, and
the addresses in the address pool are mapped to ports in different port blocks in turn. The
main purpose is to facilitate tracing the source address after NAT translation. Note that the
number of port blocks must not be less than the number of addresses in the address pool,
otherwise some addresses cannot be mapped to ports.
Port block NAT is mainly used in scenarios with high requirements for log traceability. To view
port block allocation logs, enable the port block allocation log function under System
Management > Session Management > Session Log Configuration.
Select Service > NAT Configuration > Port Block NAT > Port Block Resource from the
navigation tree to enter the port block resource page, as shown in the following figure.
Serial number: displays the serial number of the port block resource pool.
Name: set the name of the port block resource pool.
Start IP: set the start address of the port block resource pool.
End IP: set the end address of the port block resource pool.
Anti-loopback routing: check to enable the anti-loopback routing function. When an
unknown public IP address accesses an address pool address through the ISP device,
there is no SNAT translation record, so the address pool address cannot be
reverse-translated to an intranet address. The gateway device then looks up the routing
table and, following the default route pointing to the ISP, sends the packet back out again,
forming a loop. To avoid this, enable the anti-loopback routing function: the device adds a
static route whose destination is the address pool addresses and whose outbound interface
is null0, so that such packets are discarded.
Advanced configuration: set the port range, the number of ports per block and the number
of reserved port blocks in the port block resource pool allocated by the device.
Whether referenced: shows whether the address pool rule is referenced by a source NAT
policy.
Before configuring source NAT, you need to configure the port block resource pool. After the
configuration is complete, click the <Submit> button at the top right of the page.
The parameters of destination NAT policy configuration are shown in the following:
One-to-one NAT is an advanced form of destination NAT which maps the private IP address of
an internal server to a public IP address through a static one-to-one NAT configuration. With
one-to-one NAT, all services of the internal private network server are open, allowing public
network users to access them through the public network IP address.
Select Service > NAT Configuration > One-to-one NAT from the navigation tree to enter the
one-to-one NAT page, as shown in the following figure.
Operation: includes the four functions move (sort), add, insert and delete.
Move: click the icon to move the policy before or after another policy to adjust the policy
order.
Add: click the icon to add a new policy below the existing policy.
Insert: click the icon to insert a new policy above the existing policy.
Delete: click the icon; the policy turns red and is in the to-be-deleted state. Click the
Submit button at the top right of the page to delete the policy.
N-to-N NAT statically maps a range of private network IP addresses to a range of public
network IP addresses, so that the private and public IP addresses translate to each other.
This configuration greatly reduces the workload of NAT configuration. The N-to-N NAT module
provides the following configuration parameters.
Select Service > NAT Configuration > N-to-N NAT to enter the N-to-N NAT page, as shown in
the following figure.
16.7 NAT66
NAT66 (IPv6-to-IPv6 Network Address Translation) translates between IPv6 local unicast
addresses and aggregatable global unicast addresses by statically associating specific local
unicast addresses with global unicast addresses.
Select Service > NAT Configuration > NAT66 > Source NAT from navigation tree to enter the
Source NAT page, as shown in following figure.
Select Service > NAT Configuration > NAT66 > Destination NAT from navigation tree to enter
the destination NAT page, as shown in following figure.
Serial number: Display the serial number of the destination NAT policy.
Name: Set the name of the destination NAT policy.
Inbound interface: Set the interface on which packets matched by the destination NAT policy
arrive.
Public IP: Set the public IPv6 address (the aggregatable global unicast address) that initiators
connect to and that the destination NAT policy matches.
Service: Set the service type and parameters matched by the destination NAT policy.
Intranet address pool: Set the IPv6 local unicast address to which the aggregatable global
unicast address is mapped.
Advanced configuration: Set the internal network port number to which the destination NAT
policy translates.
Associate VRRP: Set whether to associate the policy with VRRP.
Status: Enable or disable the destination NAT policy.
Operation: includes three functions: add, insert and delete.
Add: Click the icon to add a new policy below the existing policy.
Insert: Click the icon to insert a new policy above the current policy.
Delete: Click the icon; the policy turns red, marking it for deletion. Click the Submit button
at the top right of the page to delete the policy.
Select Service > NAT Configuration > NAT66 > One-To-One NAT from navigation tree to enter
Select Service > NAT Configuration > NAT66 > Address Pool from navigation tree to enter
the address pool page, as shown in following figure.
Serial number: Display the serial number of the IPv6 address pool.
Name: Set the name of the IPv6 address pool.
Start IP: Set the start IP address of the IPv6 address pool.
End IP: Set the end IP address of the IPv6 address pool.
Virtual system: Set the virtual system to which the IPv6 address pool belongs.
Referenced: Show whether the IPv6 address pool is referenced by a NAT policy.
17 ALG Configuration
ALG (Application Layer Gateway) is a proxy for a particular application layer protocol. It
enables NAT traversal for that protocol by translating the addresses carried in the IP packet
payload.
Normally, NAT translates only the IP address and port information in the packet header and does
not inspect the fields of the application layer payload. Some protocols, however, carry IP
address or port information inside their messages; because NAT does not translate that content,
the protocol breaks. FTP, for example, uses a control connection and a data connection, and the
endpoints of the data connection are negotiated dynamically through fields in the payload of the
control connection. The ALG must translate that payload information so that the subsequent data
connection is set up correctly.
The device supports the ALG function for 15 common application layer protocols. You can select
the application layer protocols for which the ALG function is enabled in the ALG configuration
module.
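As an added example (not DPtech code), the following minimal FTP ALG shows the payload rewrite described above: it parses the active-mode PORT command, replaces the private address and port with the NAT public address and a freshly allocated public port, records the pinhole the firewall must open for the server's inbound data connection, and returns the payload length change that the NAT must apply to later TCP sequence and acknowledgement numbers on the control connection. The addresses, port range and sample command are constructed; refusing PORT commands that name a third party (the FTP bounce check) is a defence added in the example, not a feature the manual describes.

```python
import re

# Added example, not DPtech code: a minimal FTP ALG for active-mode transfers.
# The client sends "PORT h1,h2,h3,h4,p1,p2" on the control connection, naming
# the private address/port on which it will accept the data connection. Header
# NAT leaves that payload untouched, so the server would connect to an
# unroutable private address. The ALG rewrites the payload and opens a pinhole.

PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port_cmd(line):
    """Return (ip, port) from a PORT command line, or None if it is not one."""
    m = PORT_RE.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        return None  # each octet and each port byte must fit in one byte
    ip = ".".join(str(v) for v in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def format_port_cmd(ip, port):
    """Build the PORT command for a public ip/port pair."""
    parts = ip.split(".") + [str(port // 256), str(port % 256)]
    return ("PORT " + ",".join(parts) + "\r\n").encode()


class FtpAlg:
    def __init__(self, public_ip, first_port=40000, last_port=40999):
        self.public_ip = public_ip       # constructed NAT public address
        self.next_port = first_port
        self.last_port = last_port
        self.pinholes = {}               # (public ip, public port) -> (private ip, private port)

    def _alloc_port(self):
        if self.next_port > self.last_port:
            raise RuntimeError("public port range exhausted")
        port = self.next_port
        self.next_port += 1
        return port

    def translate_control(self, client_private_ip, line):
        """Rewrite one outbound control-channel line.

        Returns (new_line, seq_delta). seq_delta is the payload length change the
        NAT must add to TCP sequence/ack numbers of later segments on this flow.
        """
        parsed = parse_port_cmd(line)
        if parsed is None:
            return line, 0  # not a PORT command: pass through unchanged
        priv_ip, priv_port = parsed
        # FTP bounce check (added here): only open pinholes toward the client
        # that actually issued the command, never toward a third party.
        if priv_ip != client_private_ip:
            raise ValueError("PORT names %s but client is %s" % (priv_ip, client_private_ip))
        pub_port = self._alloc_port()
        self.pinholes[(self.public_ip, pub_port)] = (priv_ip, priv_port)
        new_line = format_port_cmd(self.public_ip, pub_port)
        return new_line, len(new_line) - len(line)

    def translate_inbound_data(self, dst_ip, dst_port):
        """Map the server's inbound data SYN back to the private endpoint, or None."""
        return self.pinholes.get((dst_ip, dst_port))


if __name__ == "__main__":
    alg = FtpAlg("203.0.113.7")
    rewritten, delta = alg.translate_control("10.0.0.5", b"PORT 10,0,0,5,4,1\r\n")
    print(rewritten, delta)                               # rewritten payload and length change
    print(alg.translate_inbound_data("203.0.113.7", 40000))  # ('10.0.0.5', 1025)
```

The sequence-number delta is the part that is easy to forget when writing an ALG: the rewritten payload is longer than the original, so every later segment on the control connection must have its TCP sequence number (outbound) and acknowledgement number (inbound) adjusted, otherwise the endpoints see a corrupted stream.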
Select Service > ALG Configuration > ALG Configuration > ALG Configuration from
navigation tree to enter the ALG configuration page, as shown in following figure.
Select Service > ALG Configuration > ALG Configuration > User-defined ALG from
navigation tree to enter the user-defined ALG page, as shown in following figure.
The device supports the user-defined ALG configuration. The parameters of configuration list are
shown in the following:
Select Service >ALG Configuration > DNS ALG from navigation tree to enter the DNS ALG
page, as shown in following figure.
Select Use DNS_ALG, select the interface, and then click the OK button.
18 VPN
VPN (Virtual Private Network) is a technology that builds a dedicated network over a public
network. It uses encryption, authentication and tunneling to establish a relatively closed,
logical private network between the communicating nodes. In essence, it encapsulates a data
communication tunnel over the public network using tunnel encryption technology, giving users
secure access to an enterprise's internal network across the public network.
18.1 IPsec
IPsec (IP Security) is a security framework defined by the IETF that provides end-to-end
encryption and authentication services for both public and private networks.
IPsec VPN is a VPN technology that uses the IPsec protocol suite to implement remote access. It
establishes a secure tunnel over the Internet by encapsulating and encrypting IP packets, and is
one of the most widely deployed VPN technologies.
The device (router service board) supports IPsec VPN in policy mode and route mode. In policy
mode, the device checks the traffic of interest on the IPsec-bound interface, performs IPsec
encapsulation on packets matching the policy, and forwards packets that do not match the policy
as ordinary traffic. In route mode, only a tunnel interface can carry the tunnel: all packets
routed to the bound tunnel interface are IPsec encapsulated.
Select Service > VPN > IPsec > IPsec VPN > System Configuration from navigation tree to
enter the IPsec VPN page, as shown in following figure.
Enable IPsec: select to enable IPsec. Clicking the Restart button opens the dialog "OK to
restart IPsec service?"; click OK to restart the IPsec service.
The parameters of the advanced configuration are described as follows:
Enable NAT traversal (client mode must enable NAT traversal): select to enable NAT
traversal, which is needed whenever a peer is behind NAT. Client mode must enable NAT
traversal.
Enable NAT session keepalive mechanism: select to enable NAT session keepalives and set
the interval at which NAT keepalive messages are sent, so that the NAT mapping used by the
tunnel does not expire while the tunnel is idle.
Enable Layer 2 IPsec: select to enable Layer 2 IPsec. IPsec is normally deployed on a
Layer 3 interface; to run IPsec on a Layer 2 forwarding device, you need to enable this
feature.
Enable UDP checksum: when enabled, the device automatically calculates the UDP header
checksum after the VPN traffic is encapsulated, preventing VPN traffic anomalies caused by
UDP checksum errors. This feature is enabled by default.
Enable appointed interfaces negotiation (IPsec negotiates on the interface to which the
connection's configured local IP belongs): when enabled, negotiation packets are sent only
out of the interface that owns the configured local IP address. For service packets, the
device looks up the traffic of interest in the routing table and uses the IPsec-bound interface
as the outgoing interface; if no such route exists, the packets are forwarded according to
other matching routes.
Enable hot standby: enable dual hot standby.
Enable set mode of MODECFG: enable MODECFG SET mode for the MODECFG negotiation
phase of IPsec. In SET mode the client generates a VPN IP address itself and asks the
server whether the address is available; if it is not, the negotiation fails. When SET mode
is disabled, the server assigns the IP address to the client.
Enable user unique check: when enabled, each XAuth user may be online only once; the
IPsec service must be restarted for the change to take effect.
Enable connection state log: enable status logging; the logs can be viewed in the system log.
Enable error diagnosis log: enable warning logging; the logs can be viewed in the system log.
Enable negotiation process detailed log: enable debug logging of the negotiation process;
the logs can be viewed in the system log.
Enable XAuth user login and logout log: enable user status logging; the logs can be viewed in
the system log.
Select Service > VPN > IPsec > Connection Configuration > System Configuration from
navigation tree to enter the policy mode page, as shown in following figure.
Local ID: set the local device ID. The options are any, host name (strict match), IP address
(IPv4/IPv6), user domain name (email address format, domain match) and local certificate
identification name (the peer checks the legitimacy of the local certificate's identification
name). If the local device is not behind NAT, "auto" is recommended. If the local device is
behind NAT and acts as an IPsec access point, select "IP address" and enter the external
network address.
Client ID: set the client device ID. The options are any, host name (strict match), IP address
(IPv4/IPv6), user domain name (email address format, domain match) and peer certificate
identification name (the local device checks the legitimacy of the peer certificate's
identification name).
Protect subnets: set the network segments to which the IPsec VPN applies, that is, the
segments the client is allowed to access. Select them from the configured "protection network
segments" or "create a new protection network segment" directly.
Authentication mode: set the IPsec VPN authentication mode: pre-shared key or digital
certificate, whether XAuth authentication is enabled, and how private network addresses are
assigned to clients.
Advanced configuration: set the IPsec VPN negotiation mode, IPsec proposal, encapsulation
mode, whether to allow access to the external network, whether to enable advanced DPD and
other advanced parameters. The default configuration is recommended.
Status: select whether to enable the policy.
Gateway - Gateway Mode (international commercial cryptographic standard):
Connection name: set the name of the IPsec VPN tunnel.
Bind interface: set the interface to which the IPsec VPN is bound. It can be a tunnel
interface, a physical interface or a VLAN interface. VPN data is encapsulated and
decapsulated on this interface once the connection is established. Traffic that needs to be
encrypted is directed to the bound interface by routing (static routes, policy routing, dynamic
routing and so on).
Local IP: set the IPv4 address, IPv6 address or local interface (dial-up port) of the local
device.
Peer IP: set the IPv4 address, IPv6 address, DNS domain name or DPDNS domain name of
the peer device, or Any. With Any, the peer's identity rests entirely on the Remote ID and the
authentication credentials.
Local ID: set the local device ID. The options are any, host name (strict match), IP address
(IPv4/IPv6), user domain name (email address format, domain match) and local certificate
identification name (the peer checks the legitimacy of the local certificate's identification
name). If the local device is not behind NAT, "auto" is recommended. If the local device is
behind NAT and acts as an IPsec access point, select "IP address" and enter the external
network address.
Remote ID: set the peer device ID. The options are any, host name (strict match), IP address
(IPv4/IPv6), user domain name (email address format, domain match) and peer certificate
identification name (the local device checks the legitimacy of the peer certificate's
identification name).
Protect subnets: set the protection network segments of the IPsec VPN, that is, the segments
the peer is allowed to access. Select them from the configured "protection network segments"
or "create a new network segment" directly.
Authentication mode: set the IPsec VPN authentication mode and parameters: pre-shared key
or digital certificate (the device certificate is extracted automatically).
Advanced configuration: set the security proposal, negotiation mode, encapsulation mode,
action on IPsec encryption failure, and the DPD configuration: enable DPD, DPD message
interval (default 30 seconds) and DPD timeout (default 120 seconds).
Status: select whether to enable the policy.
Gateway - Gateway mode (Chinese national cryptographic standard):
Connection Name: set the name of the IPsec VPN tunnel.
Bind interface: set the interface to which the IPsec VPN is bound. It can be a tunnel
interface, a physical interface or a VLAN interface. VPN data is encapsulated and
decapsulated on this interface once the connection is established. Traffic that needs to be
encrypted is directed to the bound interface by routing (static routes, policy routing, dynamic
routing and so on).
Local IP: set the IPv4 address, IPv6 address or local interface (dial-up port) of the local
device.
Remote IP: set the IPv4 address, IPv6 address, DNS domain name or DPDNS domain name
of the peer device, or Any.
Local ID: set the local device ID. The options are any, host name (strict match), IP address
(IPv4/IPv6), user domain name (email address format, domain match) and local certificate
identification name (the peer checks the legitimacy of the local certificate's identification
name). If the local device is not behind NAT, "auto" is recommended. If the local device is
behind NAT and acts as an IPsec access point, select "IP address" and enter the external
network address.
Remote ID: set the peer device ID. The options are any, host name (strict match), IP address
(IPv4/IPv6), user domain name (email address format, domain match) and peer certificate
identification name (the local device checks the legitimacy of the peer certificate's
identification name).
Protect subnets: set the network segments to which the IPsec VPN applies, that is, the
segments the peer is allowed to access. Select them from the configured "protection network
segments" or "create a new protection network segment" directly.
Authentication mode: set the IPsec VPN authentication mode and parameters; under this
standard, select the digital certificate mode.
Advanced configuration: set the IPsec VPN negotiation mode, security proposal,
encapsulation mode, whether to allow access to the external network, the action on
encryption failure, whether to enable fast DPD and other advanced parameters.
Status: select whether to enable the policy.
Select Service > VPN > IPsec > IPsec VPN > Connection Configuration > Route Mode from
navigation tree to enter the route mode page, as shown in following figure.
Select Service > VPN > IPsec > IPsec VPN > Connection Configuration > Protect Subnet
from navigation tree to enter the protect subnet page, as shown in following figure.
The parameters of the protect subnet page are shown in the following:
Add: click the Add button to add a protection network segment to the selected resource
group.
Delete: click the Delete button to delete a protection network segment from the selected
resource group.
List of protected network segments: includes the client mode IPv4 network segment group,
the client mode IPv6 network segment group, the gateway mode IPv4 network segment group
and the gateway mode IPv6 network segment group.
Import and export operation: click the Browse button to select the file to import, then click
Addition Import (append) or Override Import (replace) to import the protection network
segment information; click Export to save the current protection network segment information.
Click "Client mode IPv4 network segment group" and the following page appears.
The parameters of the client mode IPv4 network segment group are shown in the following:
Query protection network segment: query the protection network segment information by
source IP address.
Query result: display the query result of the protection network segment.
The page parameters of the client mode IPv6 network segment group, the gateway mode IPv4
network segment group and the gateway mode IPv6 network segment group are the same as those
of the client mode IPv4 network segment group.
When mobile clients access the IPsec VPN, the protection network segments must include
"0.0.0.0/0" because of restrictions in the mobile client's negotiation. This does not affect PC
clients: when both the detailed protection network segments and 0.0.0.0/0 are configured, only
the default protection network segment is pushed to the PC client.
The IPsec protocol suite supports a variety of encryption and authentication algorithms; a
security proposal is a set of these algorithms. You can use the "default" security proposal when
you do not know the peer's proposal or want to simplify the IPsec configuration. Before relying on
it, check which algorithms the default proposal actually negotiates with your peer.
Select Service > VPN > IPsec > IPsec VPN > Connection Configuration > Security Proposal
from navigation tree to enter the security proposal page, as shown in following figure.
The security proposal page includes configuration methods under two cryptographic standards:
security proposal configuration (international commercial cryptographic standard) and security
proposal configuration (Chinese national cryptographic standard).
SA renegotiation time: set the IKE SA and IPsec SA renegotiation (rekey) interval in seconds.
PFS DH group: set the PFS DH group: DH1 (768-bit), DH2 (1024-bit), DH5 (1536-bit),
DH14 (2048-bit), DH15, DH16, DH19 or DH24. DH1 and DH2 are too weak for current use;
choose DH14 or a stronger group unless the peer cannot support one.
IKE security proposal: set the IKE proposal parameters: encryption algorithm, authentication
algorithm and DH group.
IPsec security proposal: set the IPsec proposal parameters: encryption algorithm and
authentication algorithm.
The parameters of the security proposal configuration (Chinese national cryptographic standard)
list are described as follows:
Select Service > VPN > IPsec > IPsec VPN > Tunnel Interface from navigation tree to enter
the tunnel interface page, as shown in following figure.
Interface number (1 ~ 511): set the number of the IPsec tunnel interface, in the range of 1 to
511.
Interface IP: set the IP of the IPsec tunnel interface.
Application mode: set the application mode of the IPsec tunnel interface, including gateway
mode (route), point-to-multipoint mode, gateway mode (policy) and client mode (policy).
Description: set the description of the IPsec tunnel interface.
Operation: add or delete tunnel interface information.
The user information configuration module provides the ability to set the Xauth parameter.
Select Service > VPN > IPsec > XAuth Configuration > User Information Configuration from
navigation tree to enter the user information configuration page, as shown in following figure.
The parameters of the user information configuration page are shown in the following:
RADIUS authentication configuration: set the RADIUS server address, authentication port
number, shared key, authentication packet timeout, number of authentication packet
retransmissions, whether to enable accounting, the accounting update interval, and the
number of accounting update retransmissions after which the session is terminated.
LDAP authentication: set up LDAP authentication. Set the LDAP server version number, the
LDAP server IP address, the LDAP server port number, the Base DN, the administrator DN,
the administrator password, and the user name attribute name.
Select Service > VPN > IPsec > XAuth Configuration > Display User Online from navigation
tree to enter the display user online page, as shown in following figure.
The parameters of display user online page are shown in the following:
The centralized management module provides functions for setting UMC parameters and
querying DPDNS domain name registration.
Select Service > VPN > IPsec > Centralized management from navigation tree to enter the
IPsec management page, as shown in the following figure.
Obtain a domain name from UMC: Click the <Obtain domain name from UMC> button, and
the domain name obtained from UMC will be displayed in the DPDNS domain name
registration list.
The UMC configuration parameters are described as follows:
Start DPDNS: enable DPDNS. The device requests the IP address corresponding to the
domain name from UMC, and UMC returns the information to IPsec according to the configured
binding relationship.
Preferred UMC server: Set the preferred UMC server address.
Standby UMC server: Set the address of the standby UMC server.
The parameters of the DPDNS domain name registration list are explained as follows:
Local domain name: Display the local domain name obtained from UMC.
Binding interface: Display the binding interface obtained from UMC.
The display connection module provides the function of querying / displaying the status of the
IPsec tunnel connection.
Select Service > VPN > IPsec > XAuth Configuration > Display Connection from navigation
tree to enter the display connection page, as shown in following figure.
The parameters of the display connection page are shown in the following:
Connection type: select the type of connection. The user can select all, the client or the
gateway.
Query item: set the query type, including connection name, local IP address and peer IP
address.
Keyword: set the keyword for the query.
Query: click the Query button to display the corresponding IPsec tunnel connection status
information in the connection display list according to the query items and keywords.
Connection name: display the name of the IPsec tunnel.
Remote host name: display the name of the peer device.
Local address: display the IP address of the local device.
Remote address: display the IP address of the peer device.
Protected network: display the local protection network segment.
Connection status: indicate whether the connection is normally established.
Sending/Receiving Rate(Kbit/s): real-time rate of packets sent and received by the tunnel.
Duration: the duration of the tunnel establishment.
Last teardown time/teardown reason: the time of the last break and the reason for the break.
Detail information: details of the tunnel connection.
SSL VPN combines SSL technology with VPN technology. It establishes a secure communication
connection at the application layer through the SSL protocol's authentication, data encryption,
message integrity verification and other mechanisms. SSL VPN is mainly used for Web-based
secure remote access and protects users' remote access to the company's internal network.
The global configuration module provides the function of setting SSL VPN global parameters.
Select Service > VPN > SSL VPN > Basic Configuration > Global Configuration from
navigation tree to enter the global configuration page, as shown in following figure.
Enable SSL VPN server: select to start the SSL VPN server.
Advanced configuration: set the SSL VPN parameters, including the user login port, whether
to listen on port 80, the allowed access interfaces, interface binding, authentication-free
configuration, whether user accounts may be shared, and whether users may change their
passwords.
User port number: the default is 6443, in the range 1 to 65534. Configure a port number
below 32767; do not use a well-known port number other than 443; do not use port
numbers 1701, 543, 442, 6444,
Whether to listen on port 80: disabled by default. Before enabling it, go to "Basic >
System Management > Administrator > Web Access Protocol Configuration" and move the
device's HTTP management port so that port 80 is free. Once listening is enabled, HTTP
requests to port 80 are redirected automatically to the SSL VPN login page, so users do
not have to specify the user login port.
Allow access interface configuration: the default is All. It can be set to "custom", in which
case the login page can be opened only on the selected interfaces. For example, if
gige0_15 is not selected under custom while the device IP address is configured on that
interface, the login page cannot be opened there.
Enable interface binding: disabled by default. When enabled, replies are sent only from the
interface on which the request was received, which solves access problems in multi-carrier
deployments.
Free authentication: choose not to enable authentication-free access, to enable the
authentication-free home page, or to enable the authentication-free resource group. With the
authentication-free resource group, users open the authentication-free resource page directly
without entering a user name and password. With the authentication-free home page, opening
the SSL VPN login page jumps automatically to the configured Web page.
Allow user account to be used publicly: enabled by default, so the same account can log in
from multiple IP addresses at the same time. The number of concurrent IP addresses allowed
per account is set in the advanced configuration of "SSL VPN > User Management > User
Configuration"; once that many IP addresses are logged in, further logins with the account
are refused. The per-account limit takes effect only while this function is enabled. Shared
accounts make logs hard to attribute to a person, so disable sharing or keep the limit low
where accountability matters.
Allow users to change the password: disabled by default, in which case the login page offers
no password change entry. When enabled, the resource page provides a password change
entry.
Synchronize password when hot backup is enabled: disabled by default, in which case
passwords changed on the active device are not synchronized to the standby device; if an
active/standby switchover then occurs, the user cannot log in with the new password. Enable
this function when dual hot backup is used.
Only allow access to VPN: disabled by default. When enabled, users who log in to the SSL
VPN from Windows, Linux or Mac OS can access only VPN resources; other resources are not
reachable.
Enable stat flux: disabled by default. When enabled, you can view the traffic statistics report
and the resource access report through the SSL VPN report query. The resource access
report also requires the log function to be enabled.
Allow kernel TCP forwarding: disabled by default. When enabled, the SSL VPN data channel
can be carried over TCP port 6444; the client must be configured accordingly. Models that do
not support this feature do not display it.
SSL VPN domain name: disabled by default. When enabled, Web resource requests are
handled correctly when the SSL VPN service is accessed by domain name. The main scenario
is a network with two or more SSL VPN servers that are accessed by domain name and involve
switching between domains.
Free cookie authentication: disabled by default. This function is used together with the
authentication-free function and a corresponding jump server. When enabled, the SSL VPN
server forwards requests that carry the configured cookie directly to the corresponding
resource. For example, if the authentication-free cookie is set to "sslvpncookie=1", any
request the SSL VPN receives carrying the cookie "sslvpncookie=1" is forwarded directly to
the resource. Because a cookie value is supplied by the client, this is not an authentication
control on its own: the jump server that sets the cookie must itself decide who may reach
the resource.
Client exits when you close the browser: disabled by default, in which case closing the
browser that displays the resource page does not exit the client. When enabled, the client
exits when the browser is closed.
Enable UDP checksum: enabled by default. The device automatically calculates the UDP
header checksum after the VPN traffic is encapsulated, preventing VPN service anomalies
caused by UDP checksum errors.
Enable log: disabled by default. When enabled, authentication logs, resource access logs
and so on are recorded. The log information can be queried through "SSL VPN > Log
Management".
Timeout interval: the client idle timeout. If no resource access is detected within this period,
the session times out automatically. The default is 15 minutes, in the range 1 to 7200
minutes.
User failed login number: the maximum number of failed login attempts for the same
account; when it is reached the user is locked. The default is 3, in the range 3 to 6.
User unlock time: the time after which a locked user is unlocked automatically. The default is
15 minutes and can be changed in the drop-down list.
IP failed login number: the maximum number of failed login attempts from the same source
IP address; when it is reached the IP address is locked. The default is 64 and can be
changed in the drop-down list.
IP unlock time: the time after which a locked IP address is unlocked automatically. The
default is 15 minutes and can be changed in the drop-down list.
IP lock mode: either prohibit login or enable verification code. With prohibit login, a locked
IP address cannot log in until it is unlocked. With verification code, logins from the locked IP
address are shown the SSL VPN login page with a verification code. The default is prohibit
login.
Service page title: the title of the SSL VPN login page and resource page; the default is
Hangzhou DPtech Co., Ltd and can be modified.
Import the company icon: the icon of the SSL VPN login page and resource page; the default
is the company icon, and other pictures can be imported to replace it.
Configuration items marked with "*" take effect only after the SSL VPN service is restarted.
Restart it manually by clearing and re-selecting the "Enable SSL VPN Server" check box.
The default configuration is recommended when there is no special requirement.
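As an added example (not DPtech code), the following shows how the user and IP lockout parameters above interact: separate failure counters per account and per source address, each with its own threshold and unlock time, and an IP lock mode that either denies login or demands a verification code. The thresholds, the injectable clock and the check/record API are constructed for illustration and are not the device's implementation.

```python
import time

# Added example, not DPtech code: account and source-IP lockout with separate
# thresholds, unlock times and an IP lock mode ("deny" or "captcha").


class LoginGuard:
    def __init__(self, user_max=3, user_unlock_s=900, ip_max=64, ip_unlock_s=900,
                 ip_mode="deny", clock=time.monotonic):
        if ip_mode not in ("deny", "captcha"):
            raise ValueError("ip_mode must be 'deny' or 'captcha'")
        self.limits = {"user": (user_max, user_unlock_s), "ip": (ip_max, ip_unlock_s)}
        self.ip_mode = ip_mode
        self.clock = clock            # injectable so tests can move time forward
        self.state = {"user": {}, "ip": {}}  # key -> [failures, locked_until or None]

    def _locked(self, kind, key):
        """True while a lock is active; an expired lock is removed together with its counter."""
        rec = self.state[kind].get(key)
        if rec is None or rec[1] is None:
            return False
        if self.clock() < rec[1]:
            return True
        del self.state[kind][key]     # unlock time has passed: forget the failures
        return False

    def check(self, user, ip):
        """Decide before authenticating: 'allow', 'deny' or 'captcha'."""
        if self._locked("user", user):
            return "deny"             # a locked account is refused regardless of source
        if self._locked("ip", ip):
            return self.ip_mode       # locked source: refuse or demand a verification code
        return "allow"

    def record(self, user, ip, success):
        """Update counters after an authentication attempt."""
        if success:
            self.state["user"].pop(user, None)  # a good login clears the account counter
            return
        for kind, key in (("user", user), ("ip", ip)):
            self._locked(kind, key)   # purge an expired lock before counting
            limit, unlock_s = self.limits[kind]
            rec = self.state[kind].setdefault(key, [0, None])
            rec[0] += 1
            if rec[0] >= limit and rec[1] is None:
                rec[1] = self.clock() + unlock_s


if __name__ == "__main__":
    # Constructed walk-through: three bad passwords lock the account, not the address.
    guard = LoginGuard(user_max=3, ip_max=64, ip_mode="captcha")
    for _ in range(3):
        guard.record("alice", "192.0.2.1", success=False)
    print(guard.check("alice", "192.0.2.1"))  # deny
    print(guard.check("bob", "192.0.2.1"))    # allow: 3 failures from the address, limit is 64
```

Note the trade-off the defaults imply: with the user threshold at 3, anyone who knows a user name can lock that user out for the unlock time by sending three bad passwords. The IP lock in verification code mode slows password guessing without that side effect, but only against attackers who do not rotate source addresses, so both controls are needed and the user unlock time should stay short.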
The IP address pool module provides the function of setting IP address pool parameters. The
address in the IP address pool will be assigned to the remote user for access to the internal
network.
Select Service > VPN > SSL VPN > Basic Configuration > IP Address Pool from navigation
tree to enter the IP Address Pool page, as shown in following figure.
The parameters of the IP address pool page are shown in the following:
IP pool name: the name of the IP address pool. The default pool is named "default IP address
pool".
Description: the description of the IP address pool.
Starting IP: the first IP address of the IP address pool.
Ending IP: the last IP address of the IP address pool.
Subnet mask: the subnet mask length of the addresses in the IP address pool.
Used: display the number of times addresses in the IP address pool have been referenced.
The IP address pool page also provides the file import / export function: Click the Browse button
to select the storage path of the IP address pool configuration file, and click the Add Import
button to import the IP address pool configuration file under the selected storage path. Click the
Export button to export the IP address pool configuration file.
The domain name server configuration module provides the function of setting domain name
server parameters. When a remote user accesses resources by domain name, the DNS/WINS
server resolves the domain name to its corresponding IP address.
Select Service > VPN > SSL VPN > Basic Configuration > Domain name server
configuration from navigation tree to enter the domain name server configuration page, as
shown in following figure.
The parameters of DNS domain name server configuration are shown in the following:
The license file management module provides the function of importing a license file. By default
the device allows a maximum of 50 online users. If this does not meet requirements, import a
license file to raise the maximum number of online users allowed.
Select Service > VPN > SSL VPN > Basic Configuration > License File Management from
navigation tree to enter the license file management page, as shown in following figure.
The parameters of license file management page are shown in the following:
The list of imported license files is displayed: Displays the imported license file information.
Import License File: click the Browse button to set the storage path of the license file. Click
the Import button to import the license file.
Select Service > VPN > SSL VPN > Basic Configuration > Portals Management from
navigation tree to enter the portals management page, as shown in following figure.
Interface template: display information about the template name, associated user group,
and access URL of the imported interface template.
Import the template file: click the Browse button to set the storage path of the interface
template; click the Import button to import the interface template.
The resource configuration module provides the function of setting the resources on the SSL VPN gateway that correspond to internal network servers.
Select Service > VPN > SSL VPN > Resource Management > Resource Configuration from the navigation tree to enter the resource configuration page, as shown in the following figure.
IP resource configuration: set the name, description, allowed network segments and other parameters of the IP resource. In the "Allow access to network segment" configuration item, you can also limit the protocols and ports that the IP resource may use, in addition to configuring the IP segment resource.
RDP resource configuration: set the resource name, description, and internal server address of the RDP resource.
Web resource configuration: set the resource name, description, and resource address of the Web resource.
Shortcut configuration: includes two kinds of shortcuts, Web shortcuts and command line shortcuts.
Web shortcuts: set the name, description, resource link and other parameters of the Web shortcut.
Command line shortcuts: set the name, description, command line and other parameters of the command line shortcut.
Announcement SMS configuration: set the name, description and type of the announcement message.
Resource group configuration: add configured resources to resource groups or remove them, including IP resources, RDP resources, Web resources, Web shortcuts, command line shortcuts, and public information lists.
The page also allows the user to import / export the configuration: click the Browse button to select the path of the file to be imported, and click the Add Import button to import the IP resource configuration to the device. Click the Export button to export the device's IP resource configuration.
The shared space module provides the function of setting up files that users can download before and after login.
Select Service > VPN > SSL VPN > Resource Management > Share Space from the navigation tree to enter the share space page, as shown in the following figure.
Internal files (downloadable after user login): displays the internal files that can be downloaded after the user logs in.
External files (available before user login): displays the external files that can be downloaded before the user logs in.
Import file: set the type (internal / external) of the file to be imported. Click <Browse> to set the storage path of the internal / external file to be imported, and click <Import> to import the file to the device.
The user configuration module provides the function of setting user / user group information.
Select Service > VPN > SSL VPN > User Management > User Configuration from the navigation tree to enter the user configuration page, as shown in the following figure.
User group information configuration: set the user group name, description, direct jump to resource, accessible resource group, IP address pool, security policy, authentication policy, number of included users and other parameters.
User information configuration: set the user name, user password, user group, advanced settings and other parameters. After the configuration is complete, this user can be used to log in to the SSL VPN and access intranet resources.
Browse: click the Browse button to select the storage path of the user profile.
Add Import: click the Add Import button to import the user information profile from the selected path.
Export: click the Export button to export the user profile.
Query: click the Query button to query user information according to the configured query conditions.
Delete query result: click the Delete Query Result button to delete the user information found by the query.
Delete all: click the Delete All button to delete all user information.
The user status display module provides the function of displaying online user status information, locked user information, and locked IP information.
Select Service > VPN > SSL VPN > User Management > Status Display from the navigation tree to enter the user status display page, as shown in the following figure.
Click to enable the auto refresh function; the automatic refresh interval can also be set.
Click the Manual Refresh button to refresh the status information manually.
The authentication policy configuration module provides the function of setting authentication policy parameters.
Select Service > VPN > SSL VPN > Authentication Policy from the navigation tree to enter the authentication policy page, as shown in the following figure.
The parameters of the authentication policy configuration page are described as follows:
Authentication option configuration: set the policy parameters of the security login, RADIUS, LDAP, TACACS+, 4A authentication and USB-KEY options.
Authentication combination: set parameters such as the enable status, name and option combination.
The log query module provides the function of querying SSL VPN logs.
Select Service > VPN > SSL VPN > Log Management > Log Query from the navigation tree to enter the log query page, as shown in the following figure.
User name: set the user name of the SSL VPN logs to be queried.
IP address: set the IP address of the SSL VPN logs to be queried.
Audit log: set the audit log type of the SSL VPN logs to be queried, including all, authentication information, security information, resource information, and others.
Time range: set the generation time range of the SSL VPN logs to be queried.
Start time: set / display the earliest generation time of the SSL VPN logs to be queried.
End time: set / display the latest generation time of the SSL VPN logs to be queried.
Click the Query button to query SSL VPN logs by user name / IP address / audit log / time range. Click the Export by Query button to export the SSL VPN log file.
Serial number: displays the serial number of the SSL VPN log.
Operation time: displays the generation time of the SSL VPN log.
User name: displays the user name of the SSL VPN log.
IP address: displays the IP address of the SSL VPN log.
Client IP: displays the client IP of the SSL VPN log.
Operation: displays the operation content of the SSL VPN log.
The log configuration module provides the function of setting the remote log host, the timestamp format, and the number of days to keep SSL VPN logs.
Select Service > VPN > SSL VPN > Log Management > Log Configuration from the navigation tree to enter the log configuration page, as shown in the following figure.
The parameters of the log configuration page are described as follows:
IP type: set the IP address type of the remote log host address and the local host address.
Remote log host address: set the address of the remote log host that receives SSL VPN logs.
Service port: set the service port number on which the remote log host receives SSL VPN logs.
Local host address: set the local address used to send SSL VPN logs to the remote log host.
Operation: click the icon to add a remote log host configuration; click the icon to delete a remote log host configuration.
Timestamp format: set the timestamp format of the SSL VPN log.
Save days: choose the number of days to keep the logs, including one week, two weeks, three weeks, 30 days, and custom. If you choose custom, you need to enter the number of days manually. The default is 30 days, and the value ranges from 7 to 365 days.
The log management module provides the function of saving / deleting SSL VPN logs.
Select Service > VPN > SSL VPN > Log Management > Log Manage from the navigation tree to enter the log manage page, as shown in the following figure.
The user statistics report module provides the function of saving / deleting SSL VPN logs.
Select Service > VPN > SSL VPN > Report Query > User statistics report from the navigation tree to enter the user statistics report page, as shown in the following figure.
The traffic statistics report module provides the function of displaying / querying / exporting user traffic statistics.
Select Service > VPN > SSL VPN > Report Query > Traffic statistic report from the navigation tree to enter the traffic statistics report page, as shown in the following figure.
User name: set the user name of the user traffic statistics to be queried.
User IP: set the user IP address of the user traffic statistics to be queried.
Time range: set the time range of the user traffic statistics to be queried.
Start time: set / display the start time of the user traffic statistics to be queried.
End time: set / display the end time of the user traffic statistics to be queried.
Click the Query button to query user traffic statistics according to query conditions such as user name / user IP / time range. Click the Export by Query button to export the user traffic statistics.
The not logged user statistics report module provides the function of displaying / exporting / querying offline user information.
Select Service > VPN > SSL VPN > Report Query > Not Logged User Statistics Report from the navigation tree to enter the not logged user statistics report page, as shown in the following figure.
The parameters of the not logged user statistics report page are described as follows:
Time range: the time range of the not logged users to be queried.
Start time: set / display the earliest offline time of the not logged users to be queried.
End time: set / display the latest offline time of the not logged users to be queried.
Query: click the Query button to query not logged user information according to the time range. The query results are displayed in the not logged user statistics list, whose parameters are described below.
User name: displays the name of the not logged user.
User group name: displays the user group to which the not logged user belongs.
Export by query: click the Export by Query button to export the not logged user information.
The online duration ordering report module provides the function of displaying / querying / exporting users' online duration data.
Select Service > VPN > SSL VPN > Report Query > Online Duration Ordering Report from the navigation tree to enter the online duration ordering report page, as shown in the following figure.
The query conditions of the online duration ordering report are described as follows:
User name: set the user name of the online duration data to be queried.
User IP: set the user IP of the online duration data to be queried.
Query mode: set how the user's online duration is calculated, including the current online duration and the total online duration.
Time range: set the time range of the online duration data to be queried.
Start time: set / display the start time of the online duration data to be queried.
End time: set / display the end time of the online duration data to be queried.
Click the Query button to query the user online duration statistics according to query conditions such as user name / user IP / time range. Click the Export by Query button to export the user online duration statistics.
The parameters of the online duration ordering report are described as follows:
The resource access report module provides the function of displaying / exporting / querying resource access data.
Select Service > VPN > SSL VPN > Report Query > Resource Access Report from the navigation tree to enter the resource access report page, as shown in the following figure.
User name: set the user name of the resource access data to be queried.
User IP: set the user IP of the resource access data to be queried.
Resource type: set the resource type of the resource access data to be queried, including all resources, Web resources, and IP resources.
Resource name: set the resource name of the resource access data to be queried.
Time range: set the time range of the resource access data to be queried.
Start time: set / display the start time of the resource access data to be queried.
End time: set / display the end time of the resource access data to be queried.
Click the Query button to query resource access data according to query conditions such as user name / user IP / resource type / resource name / time range. Click the Export by Query button to export the resource access data.
18.3 L2TP
18.3.1 L2TP
Select Service > VPN > L2TP > L2TP from the navigation tree to enter the L2TP page, as shown in the following figure.
The L2TP page includes the system configuration and the dial-in policy configuration. The system configuration enables or disables the L2TP service and configures the range of tunnel IDs. The dial-in policy configuration items include the policy name, tunnel template name, PPP template name, local host name, peer host name, associated domain, and so on.
18.3.2 Authentication
The L2TP user authentication module provides the function of setting domain information, user group information, and user information.
Select Service > VPN > L2TP > L2TP Authentication from the navigation tree to enter the L2TP authentication page.
Enable online user uniqueness limit function: when set to On, online users are unique after L2TP authentication.
The authentication methods include local authentication and RADIUS authentication, and their configuration differs. Local authentication requires configuring the user name, password and other user information. RADIUS authentication requires configuring parameters such as the RADIUS server, source IP address, authentication port number and shared key, and optionally the accounting function and its related parameters.
18.3.3 Domain
Select Service > VPN > L2TP > L2TP Domain from the navigation tree to enter the L2TP domain page, as shown in the following figure.
Select Service > VPN > L2TP > Interface Configuration from the navigation tree to enter the interface configuration page, as shown in the following figure.
The parameters of the L2TP interface configuration page are described as follows:
18.3.5 Profile
Select Service > VPN > L2TP > Profile from the navigation tree to enter the profile page, as shown in the following figure.
The profile page mainly configures the tunnel template and the PPP template.
18.3.6 Online
Select Service > VPN > L2TP > Online Display from the navigation tree to enter the online display page, as shown in the following figure.
The parameters of the L2TP online display page are described as follows:
Select type: display L2TP online information by tunnel or by session.
Auto-refresh: enable auto refresh and set the interval for automatically refreshing L2TP online information.
Refresh: click the Refresh button to refresh L2TP online information manually.
Query items: L2TP online information can be queried by local tunnel ID, remote IP, remote host name, and creation time.
18.4 PPTP
PPTP (Point-to-Point Tunneling Protocol) is a technology that supports multi-protocol virtual private networks. It uses GRE to encapsulate PPP data so that it can traverse other networks, enabling remote users to access the enterprise's private network through any ISP that supports PPTP.
The PPTP module provides the function of starting PPTP, setting up the PNS, and configuring customer information.
Select Service > VPN > PPTP from the navigation tree to enter the PPTP page, as shown in the following figure.
Select Service > VPN > SMS Authentication from the navigation tree to enter the SMS authentication page, as shown in the following figure.
19 Attack Protection
19.1 Session limit
IPv4 session limit: the IPv4 session limit for source IP addresses.
Select Service > Attack Protection > Session Limiting > IPV4 Session Limit > Source Address Limit to enter the source IP page, as shown in the following figure.
The parameters of the source IP session limit list page are shown in Figure 19-1.
Effective time: click the effective time list; a pop-up window is displayed in which you can select the effective time of the IPv4 session limit.
Always: the IPv4 session limit rule always takes effect once applied.
Per week: if you click the "Per week" radio box and configure the time period (in the format 00:00), the IPv4 session limit rule takes effect at this time every week. If you click the "Per week" checkbox and select one or several days from the list Monday to Sunday, you must configure the time period; the IPv4 session limit rule then takes effect at this time on the selected day or days.
IPv4 session limit: the IPv4 session limit for destination IP addresses.
Select Service > Attack Protection > Session Limiting > IPv4 session limit > Destination Address Limit to enter the destination IP page, as shown in the following figure.
The parameters of the destination address limit page are shown in Figure 19-3.
Action: select the action of the IPv4 session limit. The actions include packet drop, warning, and drop packet + log.
Effective time: click the effective time list; a pop-up window is displayed in which you can select the effective time of the IPv4 session limit.
Always: the IPv4 session limit rule always takes effect once applied.
Per week: if you click the "Per week" radio box and configure the time period (in the format 00:00), the IPv4 session limit rule takes effect at this time every week. If you click the "Per week" checkbox and select one or several days from the list Monday to Sunday, you must configure the time period; the IPv4 session limit rule then takes effect at this time on the selected day or days.
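The following added example (not part of the DPtech manual) models a source address session limit rule with the "Always" and "Per week" effective times and the three actions described above; the rule values, dates and the `SourceSessionLimiter` class are constructed for illustration, and the handling of a time period that crosses midnight is an assumption the manual does not state.

```python
"""Added example (not from the DPtech manual): a model of an IPv4 session
limit rule for source addresses, with an effective time of "Always" or
"Per week" as described above. All rule and session values are constructed."""
from collections import Counter
from datetime import datetime, time

WEEKDAYS = ("Monday", "Tuesday", "Wednesday", "Thursday",
            "Friday", "Saturday", "Sunday")


def parse_hhmm(text: str) -> time:
    """Parse a time period boundary written in the manual's 00:00 format."""
    hours, minutes = text.split(":")
    return time(int(hours), int(minutes))


def rule_in_effect(effective_time: dict, when: datetime) -> bool:
    """Return True if a rule with this effective time applies at `when`.

    effective_time is {"mode": "always"} or
    {"mode": "per_week", "days": {"Monday", ...}, "start": "HH:MM", "end": "HH:MM"}.
    A period whose end is before its start (e.g. 22:00 to 06:00) is treated as
    crossing midnight and belongs to the day it starts on; the manual does not
    spell this out, so it is an assumption of this example.
    """
    if effective_time["mode"] == "always":
        return True
    start = parse_hhmm(effective_time["start"])
    end = parse_hhmm(effective_time["end"])
    days = effective_time["days"]
    today = WEEKDAYS[when.weekday()]
    now = when.time()
    if start <= end:
        return today in days and start <= now < end
    yesterday = WEEKDAYS[(when.weekday() - 1) % 7]
    return (today in days and now >= start) or (yesterday in days and now < end)


class SourceSessionLimiter:
    """Counts sessions per source IP and applies the configured action
    ("drop", "warning" or "drop+log") once the limit would be exceeded."""

    def __init__(self, limit: int, action: str, effective_time: dict):
        self.limit = limit
        self.action = action
        self.effective_time = effective_time
        self.sessions = Counter()   # source IP -> current session count
        self.log = []               # constructed log lines

    def new_session(self, src_ip: str, when: datetime) -> str:
        """Decide "allow" or "drop" for a new session from src_ip at `when`."""
        if not rule_in_effect(self.effective_time, when) or self.sessions[src_ip] < self.limit:
            self.sessions[src_ip] += 1
            return "allow"
        # limit reached while the rule is in effect: apply the action
        if self.action == "warning":
            self.log.append(f"{when.isoformat()} warning src={src_ip} limit={self.limit}")
            self.sessions[src_ip] += 1
            return "allow"
        if self.action == "drop+log":
            self.log.append(f"{when.isoformat()} drop src={src_ip} limit={self.limit}")
        return "drop"

    def close_session(self, src_ip: str) -> None:
        """Release one session of src_ip when it ends."""
        if self.sessions[src_ip] > 0:
            self.sessions[src_ip] -= 1


def demo():
    """Constructed scenario: 2 sessions per source, drop+log, weekdays 09:00-18:00."""
    rule = {"mode": "per_week",
            "days": {"Monday", "Tuesday", "Wednesday", "Thursday", "Friday"},
            "start": "09:00", "end": "18:00"}
    limiter = SourceSessionLimiter(limit=2, action="drop+log", effective_time=rule)
    monday = datetime(2024, 1, 8, 10, 0)     # rule in effect
    saturday = datetime(2024, 1, 6, 10, 0)   # rule not in effect
    decisions = [limiter.new_session("192.0.2.10", monday) for _ in range(3)]
    decisions.append(limiter.new_session("192.0.2.10", saturday))
    return decisions, len(limiter.log)


if __name__ == "__main__":
    print(demo())  # (['allow', 'allow', 'drop', 'allow'], 1)
```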
Select Service > Attack Protection > Session Limiting > IPv4 session limit > Service limit log configuration to enter the service limit log configuration page, as shown in the following figure.
Log source IP: set the source address of the host that sends the logs.
Log source port: set the source port number of the host that sends the logs.
Log destination IP: set the destination IP address to which the logs are sent.
Log destination port: set the destination port to which the logs are sent.
Log send speed limit: set the upper limit of the number of logs to be sent, for example 1000 every 5 minutes.
Select Service > Attack Protection > DDOS protection > Basic protection to enter the basic protection page, as shown in the following figure.
The basic protection page consists of TCP protection, ICMP protection, UDP protection and fragment packet protection. The page allows the user to set a protection threshold for each kind of packet and to select an action for the packets that exceed the protection threshold. At most two configuration entries can be configured for each kind of protection.
(1) Tick the checkbox of [Source IP, SYN] to configure the TCP speed limit for SYN packets from the same source IP address, in the range 0~10000000. Unit: PPS.
(2) Click the speed limit configuration item and select an action for the packets that exceed the protection threshold. Protection actions include speed limit, observed and blocking.
Speed limit: limit the transmission rate of packets that exceed the protection threshold to within the protection threshold.
Observed: generate an alarm log after packets exceed the protection threshold.
Blocking: discard all packets after they exceed the protection threshold.
Select Service > Attack Protection > DDOS Protection > Basic Protection > Basic Protection Log from the navigation tree to enter the basic protection log page, as shown in the following figure.
The basic protection log page records the log information of basic DDoS protection, including type, characteristics, source IP, destination IP, rate and time. Click the <Manual Refresh> button to refresh the log list.
Select Service > Attack Protection > DDOS Protection > IPv6 Basic Protection > IPv6 Basic Protection Log from the navigation tree to enter the IPv6 basic protection page, as shown in the following figure.
The IPv6 basic protection configuration includes TCP protection, ICMP protection and UDP protection. For the configuration method and parameter description, refer to the "Basic Protection Configuration" chapter.
Select Service > Attack Protection > DDOS Protection > Basic Protection > IPv6 Basic Protection Log from the navigation tree to enter the IPv6 basic protection log page, as shown in the following figure.
The IPv6 basic protection log page records the log information of basic DDoS protection, including type, characteristics, source IP, destination IP, rate, and time. Click the <Manual Refresh> button to refresh the log list.
The SYN Flood protection configuration module provides the function of setting the protection threshold for SYN Flood attacks. A SYN Flood attack exploits a weakness of the TCP protocol by sending a large number of forged TCP connection requests to the destination host, exhausting the destination host's resources.
Select Service > Attack Protection > DDOS protection > SYN Flood Protection to enter the SYN Flood protection page, as shown in the following figure.
Protection threshold: set the threshold parameters for enabling SYN Flood protection and triggering protection.
Global: set the protection threshold for TCP packets from the same "source IP address" per second. After configuration, once the number of TCP packets from the same "source IP address" per second exceeds the threshold, the device enables SYN Flood protection for all TCP packets.
Per source IP: set the protection threshold for TCP packets from the same "source IP address" per second. After configuration, once the number of TCP packets from the same "source IP address" per second exceeds the threshold, the device enables SYN Flood protection only for the TCP packets that exceed the threshold.
Per destination IP: set the protection threshold for TCP packets to the same "destination IP address" per second. After configuration, once the number of TCP packets to the same "destination IP address" per second exceeds the threshold, the device enables SYN Flood protection only for the TCP packets that exceed the threshold.
Per source IP + destination IP: set the protection threshold for TCP packets with the same "source IP address + destination IP address" per second. After configuration, once the number of TCP packets with the same "source IP address + destination IP address" per second exceeds the threshold, the device enables SYN Flood protection only for the TCP packets that exceed the threshold.
Compared with the SYN Flood protection in basic attack protection, the SYN Flood protection configuration adds a source validity check. After the SYN Flood protection threshold is reached, the validity of the source is judged first. If the source is judged to be a normal user, its source IP is added to the whitelist and its packets are allowed to pass; if the packets are judged to be attack packets, they are discarded.
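The following added example (not DPtech code) models the difference between the four threshold scopes above and the source validity whitelist; the packets, the threshold and the `source_is_valid` callback are constructed, and the callback only stands in for the device's own validity judgement, whose method the manual does not describe.

```python
"""Added example (not DPtech code): a model of the four SYN Flood protection
threshold scopes and the source validity whitelist described above. Packets,
thresholds and the validity check are constructed for illustration."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class TcpPacket:
    second: int   # arrival time truncated to the second
    src: str
    dst: str


SCOPES = ("global", "per_source", "per_destination", "per_source_destination")


def count_key(scope: str, pkt: TcpPacket):
    """Key under which packets are counted for a scope. Per the manual the
    global scope also counts per source IP; it differs in its effect, not its key."""
    if scope in ("global", "per_source"):
        return pkt.src
    if scope == "per_destination":
        return pkt.dst
    return (pkt.src, pkt.dst)


def protect(packets: Iterable[TcpPacket], scope: str, threshold: int,
            source_is_valid: Callable[[str], bool]) -> Dict[str, list]:
    """Apply SYN Flood protection with one threshold scope.

    Packets are grouped per second and counted under count_key(). In the
    global scope, any counter exceeding the threshold turns protection on for
    every TCP packet of that second; in the other scopes only the packets
    beyond the threshold are subject to protection. A subject packet passes
    if its source is whitelisted or judged valid (which whitelists it) and is
    discarded otherwise. source_is_valid stands in for the device's own
    validity judgement, whose method the manual does not describe.
    """
    if scope not in SCOPES:
        raise ValueError(f"unknown scope {scope!r}")
    result: Dict[str, list] = {"passed": [], "discarded": [], "whitelist": []}
    whitelist = set()

    def judge(p: TcpPacket) -> None:
        if p.src in whitelist:
            result["passed"].append(p)
        elif source_is_valid(p.src):
            whitelist.add(p.src)
            result["whitelist"].append(p.src)
            result["passed"].append(p)
        else:
            result["discarded"].append(p)

    by_second: Dict[int, List[TcpPacket]] = defaultdict(list)
    for p in packets:
        by_second[p.second].append(p)

    for _, pkts in sorted(by_second.items()):
        counts: Counter = Counter()
        running: List[Tuple[TcpPacket, int]] = []
        for p in pkts:
            key = count_key(scope, p)
            counts[key] += 1
            running.append((p, counts[key]))
        if scope == "global":
            enabled = any(n > threshold for n in counts.values())
            for p, _ in running:
                if enabled:
                    judge(p)
                else:
                    result["passed"].append(p)
        else:
            for p, n in running:
                if n > threshold:
                    judge(p)
                else:
                    result["passed"].append(p)
    return result


def demo(scope: str) -> Tuple[int, int, List[str]]:
    """Constructed second of traffic: three SYNs from a forged source and one
    from a legitimate host, all to the same server, threshold 2."""
    packets = [
        TcpPacket(1, "10.0.0.5", "192.0.2.10"),
        TcpPacket(1, "10.0.0.5", "192.0.2.10"),
        TcpPacket(1, "10.0.0.7", "192.0.2.10"),
        TcpPacket(1, "10.0.0.5", "192.0.2.10"),
    ]
    r = protect(packets, scope, threshold=2,
                source_is_valid=lambda src: src == "10.0.0.7")
    return len(r["passed"]), len(r["discarded"]), r["whitelist"]


if __name__ == "__main__":
    for scope in SCOPES:
        print(scope, demo(scope))
```

Running the scopes side by side shows the global scope judging every packet of the second (the legitimate host is whitelisted, the forged source's three packets are discarded), while the other scopes only act on the packets beyond the threshold.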
Select Service > Attack Protection > DDOS protection > SYN Flood Protection > IPv4 SYN Flood Protection Log to enter the IPv4 SYN Flood protection log page, as shown in the following figure.
The IPv4 SYN Flood protection log page records the log information of IPv4 SYN Flood protection, including source IP, destination IP, source port, destination port, rate, attack status, and time. Click the Manual Refresh button to refresh the log list.
Select Service > Attack Protection > DDOS protection > IPv6 SYN Flood Protection to enter the IPv6 SYN Flood protection page, as shown in the following figure.
Select Service > Attack Protection > DDOS Protection > IPv6 SYN Flood Protection Log to enter the IPv6 SYN Flood protection log page, as shown in the following figure.
Select Service > Attack Protection > DDOS protection > DDoS log configuration > DDoS log configuration to enter the DDoS UMC log configuration page, as shown in the following figure.
Select Service > Attack Protection > DDOS Protection > DDOS Log Configuration > SYSLOG configuration to enter the SYSLOG configuration page, as shown in the following figure.
19.3.1 Auto-learning
Select Service > Attack Protection > MAC/IP Binding > Binding Automatic Learning from the navigation tree to enter the binding automatic learning page.
The networking mode includes Layer 2 networking and Layer 3 networking, which can be selected according to the actual network. The following describes how automatic learning operates in the two networking modes.
(2) Click the OK button at the top right of the page. If it has already been confirmed, this operation is not required.
(3) Click the Start button and the device starts automatic learning. To stop learning, click the Stop button, which stops learning and clears the learning result.
(4) Click the View button; the learning result is displayed in the list.
(5) Tick the check box corresponding to the learning result (you can also tick the "option" check box to select all) and click the <Add to MAC/IP binding table> button; the selected MAC/IP relationship learning results are added to the MAC/IP binding table and can be checked on the MAC/IP binding page.
(6) To export the learning results, click the <Export> button to export the learning results to the local computer.
Select Service > Attack Protection > User/MAC/IP Binding > Auto-learning from the navigation tree to enter the auto-learning page, as shown in the following figure.
(2) Click the OK button at the top right of the page. If it has already been confirmed, this operation is not required.
(3) Configure the Layer 3 gateway. The configuration includes the switch IP address and the SNMP read community. Multiple gateway devices can be added at the same time.
(4) Perform the SNMP configuration. The configuration includes the timeout period and access interval for accessing the SNMP server.
(5) Click the <Start automatic learning> button and the device starts automatic learning. To stop learning, click the <Stop and clear learning result> button, which stops learning and clears the learning result.
(6) Click the <View current learning result> button; the learning result is displayed in the list.
(7) Tick the check box corresponding to the learning result (you can also tick the "option" check box to select all) and click the <Add to MAC/IP binding table> button; the selected MAC/IP relationship learning results are added to the MAC/IP binding table and can be checked on the MAC/IP binding page.
(8) To export the learning results, click the Export button to export the learning results to the local computer.
Select Service > Attack Protection > User/MAC/IP Binding > MAC/IP Binding from the navigation tree to enter the MAC/IP binding page, as shown in the following figure.
The user can allow addresses that satisfy the MAC / IP binding relationship to pass through the configured interface. The configuration is as follows:
(3) IP addresses that are not subject to the MAC / IP binding relationship can be added to the exception IP address list.
(4) Manually add MAC / IP binding information: in the MAC / IP list, click the icon to add a configuration entry.
(5) Configure the IP address and MAC address, and set the valid time and description information.
The MAC / IP binding list includes manually added and automatically learned information. MAC / IP binding information can be queried by IP address and MAC address. List entries can be deleted one by one, or you can click the Delete All button at the top right of the page to delete all.
If "Only address specified below" is selected, only the IP addresses in the MAC / IP list can pass through the interface, and the interface will not learn new MAC / IP binding information.
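The following added example (not DPtech code) models the interface check that the MAC / IP binding list, the exception IP address list and the "Only address specified below" option above define; the binding entries, addresses, the `MacIpBindingInterface` class and the intercept log line format are constructed, and treating an entry past its valid time as absent from the list is an assumption the manual does not state.

```python
"""Added example (not DPtech code): a model of the MAC/IP binding check on an
interface with the exception IP list and the "Only address specified below"
option described above. Table entries and frames are constructed."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set


def normalise_mac(mac: str) -> str:
    """Canonical aa:bb:cc:dd:ee:ff form so that 00-1A-2B-.. and 001a.2b3c.. compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Binding:
    ip: str
    mac: str
    valid_until: Optional[datetime] = None   # None: no expiry
    description: str = ""

    def __post_init__(self) -> None:
        self.mac = normalise_mac(self.mac)


@dataclass
class MacIpBindingInterface:
    bindings: Dict[str, Binding] = field(default_factory=dict)   # IP -> entry
    exception_ips: Set[str] = field(default_factory=set)         # exempt from the check
    only_listed: bool = False          # "Only address specified below"
    intercept_log: List[str] = field(default_factory=list)

    def add(self, binding: Binding) -> None:
        self.bindings[binding.ip] = binding

    def check(self, ip: str, mac: str, now: datetime) -> str:
        """Return "pass", "learn" or "intercept" for a frame carrying (ip, mac).

        An entry past its valid time is treated as absent from the list; the
        manual does not say this, so it is an assumption of this example."""
        if ip in self.exception_ips:
            return "pass"
        entry = self.bindings.get(ip)
        if entry is not None and entry.valid_until is not None and now > entry.valid_until:
            entry = None
        if entry is None:
            if self.only_listed:
                return self._intercept(ip, mac, now, "ip not in MAC/IP list")
            # the interface may learn a binding for an address not yet listed
            self.add(Binding(ip, mac, description="auto-learned"))
            return "learn"
        if entry.mac != normalise_mac(mac):
            return self._intercept(ip, mac, now, f"mac mismatch, bound to {entry.mac}")
        return "pass"

    def _intercept(self, ip: str, mac: str, now: datetime, reason: str) -> str:
        # constructed line format for the binding intercept log
        self.intercept_log.append(
            f"{now.isoformat()} intercept ip={ip} mac={normalise_mac(mac)} reason={reason}")
        return "intercept"


def demo():
    """Constructed table and frames covering each decision path."""
    now = datetime(2024, 1, 8, 10, 0)
    iface = MacIpBindingInterface(exception_ips={"192.168.1.254"})
    iface.add(Binding("192.168.1.10", "00-1A-2B-3C-4D-5E", description="workstation"))
    iface.add(Binding("192.168.1.20", "001a.2b3c.4d60", valid_until=datetime(2024, 1, 1)))
    results = [
        iface.check("192.168.1.10", "00:1a:2b:3c:4d:5e", now),   # pass: matches the binding
        iface.check("192.168.1.10", "00:1a:2b:3c:4d:ff", now),   # intercept: MAC differs
        iface.check("192.168.1.254", "ff:ff:00:00:00:01", now),  # pass: exception list
        iface.check("192.168.1.30", "00:1a:2b:3c:4d:61", now),   # learn: not listed, learning on
        iface.check("192.168.1.20", "00:1a:2b:3c:4d:60", now),   # learn: entry expired
    ]
    iface.only_listed = True
    results.append(iface.check("192.168.1.40", "00:1a:2b:3c:4d:62", now))  # intercept: not listed
    return results, len(iface.intercept_log)


if __name__ == "__main__":
    print(demo())
```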
Select Service > Attack Protection > User/MAC/IP Binding > Binding Intercept Log Query from the navigation tree to enter the binding intercept log query page, as shown in the following figure.
The binding intercept log query page provides query, delete and export functions:
Query time: includes all, the last day, the last two days, the last week, and a specified time. Click the Query button and the query results are displayed in the list below.
Click the Delete button to delete the log information.
Click the Export button to export the query results to the local computer.
Select Service > Attack Protection > Basic Attack Protection > Basic Attack Protection from the navigation tree to enter the basic attack protection page, as shown in the following figure.
The parameters of the basic attack protection page are described as follows:
Interval for sending log (sec): set the time interval for sending protection logs, in the range of 1 to 1200 seconds.
Number interval for sending log: set the log count interval for sending protection logs, in the range of 1 to 100000.
Attack type: displays the attack types, including LAND attack, ping, UDP Fraggle attack, WinNuke attack, ICMP Smurf attack, and Tear Drop attack.
Action: set the action taken for the attack, including none, alarm log, block, and block + log.
Attack times: displays the number of attacks.
Clear count: click the icon to clear the attack count statistics.
The basic attack protection log query module provides the function of querying / deleting attack protection logs.
Select Service > Attack Protection > Basic Attack Protection > Basic Attack Log Query from the navigation tree to enter the basic attack protection log query page, as shown in the following figure.
The basic attack protection log query page has two parts: query conditions and query results. The query conditions are described as follows:
Action type: set the action type of the basic attack protection logs to be queried, including blocking and alerting.
Interface: set the attacked interface of the basic attack protection logs to be queried.
Source IP: set the source IP address of the attack packets for the basic attack protection logs to be queried.
Destination IP: set the destination IP address of the attack packets for the basic attack protection logs to be queried.
Specified time: set the generation time of the basic attack protection logs to be queried.
Start time: display / set the earliest generation time of the basic attack protection logs to be queried.
End time: display / set the latest generation time of the basic attack protection logs to be queried.
Export: click the Export button to export the basic attack protection logs.
Query: click the Query button to query the basic attack protection logs according to the query conditions.
Delete: click the Delete button to delete the basic attack protection logs according to the deletion conditions.
The query results are displayed in the query result list. The parameters are described as follows:
NO.: displays the serial number of the basic attack protection log.
Time: displays the generation time of the basic attack protection log.
Attack type: displays the type of attack that generated the basic attack protection log.
Protocol: displays the protocol of the attack packet that generated the basic attack protection log.
Source IP: displays the source IP of the attack packet that generated the basic attack protection log.
Destination IP: displays the destination IP of the attack packet that generated the basic attack protection log.
Source port: displays the source port number of the attack packet that generated the basic attack protection log.
Destination port: displays the destination port number of the attack packet that generated the basic attack protection log.
Interface: displays the attacked interface.
Action: displays the action taken for the attack.
Select Service > Attack Protection > Network Behavior Management from the navigation tree to enter the network behavior management page, as shown in the following figure.
Log sending interval: set the time interval for sending attack protection logs, for example, send logs every 300 seconds.
Send log number interval: set the log count interval, for example, send logs every 1000 entries. Note: if both the log sending interval and the log number interval are selected, the logs are sent as soon as either condition is met.
Attack type: display the attack type.
Threshold: set the protection threshold for the attack type.
Action: select the attack protection action, either block or log.
Attack times: display the number of hits for this attack type.
Clear count: clear the attack count.
The IPv4 blacklist configuration module provides the function of adding/removing IPv4 blacklist entries.
Select Service > Attack Protection > Blacklist Configuration > IPv4 Black List Configuration from the navigation tree to enter the IPv4 blacklist configuration page, as shown in the following figure.
Click to enable the IPv4 blacklist function. The parameters of the IPv4 blacklist configuration are as follows:
IP Address / Mask: set the IP address/mask of the packets to be filtered.
Remaining life time: set the lifetime of the blacklist entry and display the remaining time for which the entry takes effect.
Status: enable/disable filtering for the blacklist entry.
Last configuration record: display the effective time and lifetime of the last configured (valid) blacklist entry.
The IPv6 blacklist configuration module provides the function of adding/removing IPv6 blacklist entries.
Select Service > Attack Protection > Blacklist Configuration > IPv6 Black List Configuration from the navigation tree to enter the IPv6 blacklist configuration page, as shown in the following figure.
Click to enable the IPv6 blacklist function. The parameters of the IPv6 blacklist configuration are as follows:
IP Address / Mask: set the IP address/mask of the packets to be filtered.
Remaining life time: set the lifetime of the blacklist entry and display the remaining time for which the entry takes effect.
Status: enable/disable filtering for the blacklist entry.
Last configuration record: display the effective time and lifetime of the last configured (valid) blacklist entry.
The blacklist query module provides the function of querying IPv4 and IPv6 blacklist entries.
Select Service > Attack Protection > Blacklist Query > Blacklist Query from the navigation tree to enter the blacklist query page, as shown in the following figure.
The parameters of the blacklist query page are as follows:
IP address / mask: display the source IP address/mask of the packets to be filtered.
Effective time: display the time at which the blacklist entry took effect.
Remaining time: display the remaining time for which the blacklist entry is in effect.
Cause: display how the blacklist entry was generated.
The blacklist log query module provides the function of querying/deleting blacklist logs.
Select Service > Attack Protection > Blacklist > Blacklist Log Query from the navigation tree to enter the blacklist log query page, as shown in the following figure.
The blacklist log query page has two parts: query conditions and query results. The query conditions are described as follows:
Cause: set the cause of the blacklist log to be queried, including manual, automatic and aging.
IP Address / Mask: set the source IP address/mask of the filtered packets in the blacklist log to be queried.
Time range: set the generation time of the blacklist log to be queried.
Start time: display/set the earliest generation time of the blacklist log to be queried.
End time: display/set the latest generation time of the blacklist log to be queried.
Export by search conditions: click the Export by search conditions button to export the blacklist log file.
Query: click the Query button to query the blacklist log according to the query conditions.
Delete: click the Delete by search condition button to delete the blacklist log.
The parameters of the query result are as follows:
20 Application Security
20.1 Anti-virus
The device provides anti-virus services by integrating a professional virus signature database, and can detect viruses transmitted over protocols such as HTTP, FTP, SMTP, POP3, IMAP, SMB and TFTP. The anti-virus module uses real-time analysis to automatically detect, block, isolate or redirect virus-carrying traffic.
Select Service > Application Security > Anti-Virus > Anti-Virus Signature Management from the navigation tree to enter the anti-virus signature management page, as shown in the following figure.
The anti-virus signature management module queries virus-related information according to different conditions; the query conditions include virus ID, virus name, popularity and virus classification. After configuring the query conditions, click the Search button and the query result is displayed in the list below. Viruses are divided into high, medium and low levels, each shown in a different color.
You need to upgrade the AV signature database on the System Management > Feature Library page before the anti-virus signature management page displays virus-related information.
The anti-virus policy module configures a policy for each virus risk level so that the device takes the appropriate action when it detects a virus. The actions and their descriptions are as follows:
The anti-virus policy module supports importing and exporting the policy configuration. The parameters are as follows:
Inbound interface: the interface on which anti-virus is applied. The default is all interfaces and it cannot be configured; the actual scope is determined by the packet filtering policy that references the anti-virus policy.
High risk: action to be taken when the device detects a high-risk virus.
Medium risk: action to be taken when the device detects a medium-risk virus.
Low risk: action to be taken when the device detects a low-risk virus.
Anti-virus policies need to be referenced in IPv4 Packet Filtering > Action > Anti-virus.
Select Service > Application Security > Virus Warning Push Configuration from the navigation tree to enter the virus warning push configuration page, as shown in the following figure.
The default push information is shown above; the user can also customize the push information, up to 128 bytes.
Select Service > Application Security > Anti-Virus > Virus Seclusion Configuration from the navigation tree to enter the virus isolation configuration page, as shown in the following figure.
Click Enable to start the virus isolation mechanism. When the device detects software carrying a virus, it isolates the virus file for user analysis. Isolated virus files can be saved locally or deleted.
Select Service > Application Security > Anti-Virus > Anti-Virus Policy from the navigation tree to enter the virus seclusion configuration page, as shown in the following figure.
The device supports automatic and manual refresh. Check the Auto-refresh check box to turn on automatic refresh; the interval can be 10, 30 or 60 seconds, and the default is 30 seconds. Click the Refresh button to refresh manually. After the refresh completes, the anti-virus log information is displayed in the log list. Click the Export button to export the log information locally.
Select Service > Application Security > Anti-Virus > Anti-Virus Policy from the navigation tree to enter the anti-virus log query page, as shown in the following figure.
Configure the query conditions and click Query. The query result is displayed in the list below.
Click the Delete button to delete the log information.
Click Export to export the log information locally.
20.2 IPS
The IPS module performs in-depth inspection for threats such as system vulnerabilities, protocol weaknesses, viruses and worms, DDoS attacks, web page tampering, spyware, malicious attacks and traffic anomalies. Together with a highly reliable bypass design, it meets the high-performance, high-reliability and easy-management needs of application layer security protection in a variety of complex network environments.
Select Service > Application Security > IPS > IPS Signature Management from the navigation tree to enter the IPS signature management page, as shown in the following figure.
The IPS signature management function queries information about attack signatures according to different conditions. The query conditions include ID, name, level, CVE number, attack method classification and attack target classification. After configuring the query conditions, click the Search button and the query result is displayed in the list below.
Click a CVE number link to open the information page on the official CVE website, so the user can look up CVE information directly from the device page; some links need to be opened in a new browser window.
The one-click level setting function modifies or reverts the level of the queried signatures in batch.
You need to upgrade the IPS signature database on the System Management > Feature Library page before attack signature information is displayed on the IPS signature management page.
The IPS module applies attack defense rules to take the appropriate action on attack packets that match the configured IT resources, attack types and protocols. IT resource types include operating systems, office software, applications, databases, web applications, browsers, mail servers, web crawlers and more. Attack types include exploits, malicious code, information gathering, protocol anomalies, network monitoring, denial of service, web attacks and more.
Select Service > Application Security > IPS Rule > IPS Rule from the navigation tree to enter the IPS rule page, as shown in the following figure.
Configure the rule name, then select the IT resources, attack types and protocols to specify the action for attack signatures of different severity. Import and export are both supported. The actions and their descriptions are as follows:
Select Service > Application Security > IPS Rule > Customized IPS signature from the navigation tree to enter the customized IPS signature page, as shown in the following figure.
The parameters of the custom IPS signature configuration are as follows:
The global IPS policy implements attack defense on the device by referencing IPS rules.
Select Service > Application Security > IPS Rule > Global IPS Policy from the navigation tree to enter the global IPS policy page, as shown in the following figure.
IPS policies need to be referenced in IPv4 Packet Filtering > Action > IPS.
Select Service > Application Security > IPS Rule > IPS Blacklist Collaboration from the navigation tree to enter the IPS blacklist collaboration page, as shown in the following figure.
The device blacklists addresses with a high attack frequency and releases them only after the lifetime has expired. Enable the IPS blacklist linkage function, configure the attack frequency and lifetime, and click Refresh Configuration.
Select Service > Application Security > IPS > IPS Log > Latest Log from the navigation tree to enter the latest log page, as shown in the following figure.
The device supports automatic and manual refresh. Check the "Auto refresh" check box to turn on automatic refresh; the interval can be 10, 30 or 60 seconds, and the default is 30 seconds. Click the Refresh button to refresh manually. After the refresh completes, the IPS log information is displayed in the log list.
Select Service > Application Security > IPS > IPS Log > Latest Log Query from navigation
The IPS log query module includes query, delete and export functions.
Configure the query conditions and click Search. The search result is displayed in the list below.
Click the Delete button to delete the log information.
Click Export to export the log information locally.
By comprehensively analyzing user network access behavior such as P2P downloads, instant messaging, remote management, online games, Internet TV, proxy services and financial securities applications, the access control module helps enterprises control and manage Internet users effectively.
The access control module supports import, export and delete-all functions. The configuration parameters are as follows:
Send log: when selected, the log is sent to the UMC for viewing; set the UMC address in the business log configuration module.
20.3.2.1 Browsing
The web application browsing page shows detailed information about the network applications provided by the system at three levels: application group details, application details and protocol details, going from category to subclass to specific protocol, with each level contained in the one before it. Users can drill down level by level to find the required application and its protocol information.
The URL classification filtering page filters the URLs visited by users according to the URL address categories in the URL filtering feature library, protecting users from illegal websites.
Select Service > Application Security > IPS > IPS Log > URL Classification Filtering from the navigation tree to enter the URL classification filtering page, as shown in the following figure.
The URL classification filtering module is used to configure URL filtering policies and supports importing, exporting and deleting the configuration. The policies that match URLs are configured in the list, and the default action configures the action taken for URLs that match no policy.
The parameters of the URL classification filter configuration are as follows:
20.3.3.2 Custom
Select Service > Application Security > Access Control > Custom from the navigation tree to enter the custom page, as shown in the following figure.
The parameters of the URL custom classification configuration are as follows:
(1) Configure the URL address information in the URL list on the right of the page. Multiple entries can be added at the same time.
(2) Click the OK button in the upper right corner of the page to complete the URL custom classification configuration.
More custom categories can be added, and the number of URL addresses in each custom category can be increased. Select the check box of a newly created category and click Delete to delete it. After the configuration is completed, the custom URL information can be queried on the category overview page.
20.3.3.3 Advanced
Select Service > Application Security > Access Control > Advanced from the navigation tree to enter the advanced page, as shown in the following figure.
Name: the name of the advanced URL filtering policy, less than 64 bytes.
Filter parameters: configure the filter parameters used to match the URL, including host name, regular expression and HTTPS host name.
Black and white list: one of black list, white list and BYPASS.
With a black list, URLs that match the filter parameters are blocked and unmatched URLs are released.
With a white list, URLs that match the filter parameters are released and unmatched URLs are blocked.
With BYPASS, URLs that match the filter parameters are released directly and are not processed by any subsequent DPI function.
Send log: when selected, the log is sent to the UMC for viewing; set the UMC address in the business log configuration module.
Push: when selected, the alarm page is pushed to the user when the policy matches. The alarm information is configured in the URL Filter Push Configuration module.
Effective time: can be configured as always valid, or as valid for certain periods on certain days of the week.
Disable: when checked, the filtering policy is disabled.
Operation: includes the functions of adding, deleting and inserting configuration items. For specific instructions, refer to the relevant content in the "Quick Start" chapter.
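As an added illustration of the black list, white list and BYPASS semantics described above (example code written for this manual, not DPtech's implementation; the policy class, its field names, the in-order evaluation and the constructed sample policies and URLs are assumptions), the following evaluator applies a list of advanced URL filtering policies and reports the verdict and whether later DPI processing continues:

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class AdvancedUrlPolicy:
    """One advanced URL filtering policy (hypothetical model of the page's parameters)."""
    name: str                                        # policy name, < 64 bytes on the device
    mode: str                                        # "blacklist", "whitelist" or "bypass"
    hostnames: List[str] = field(default_factory=list)        # host name filter parameters
    regexes: List[str] = field(default_factory=list)          # regular expression filter parameters
    https_hostnames: List[str] = field(default_factory=list)  # HTTPS host name filter parameters
    disabled: bool = False                           # the "Disable" check box

    def matches(self, url: str) -> bool:
        scheme, _, rest = url.partition("://")
        host = rest.split("/", 1)[0].split(":", 1)[0].lower()
        if scheme.lower() == "https":
            # only the server name is visible for HTTPS, so only the HTTPS host name list applies
            return host in {h.lower() for h in self.https_hostnames}
        if host in {h.lower() for h in self.hostnames}:
            return True
        return any(re.search(pattern, url) for pattern in self.regexes)


def evaluate(policies: List[AdvancedUrlPolicy], url: str) -> Tuple[str, bool, Optional[str]]:
    """Return (verdict, dpi_continues, deciding_policy) for one URL.

    verdict is "block" or "release". dpi_continues is False only for a BYPASS
    hit, because the page states that later DPI processing is skipped then.
    Policies are tried in list order (assumption); a black list or BYPASS policy
    that does not match passes the URL on to the next policy, whereas a white list
    policy always decides, because it blocks unmatched URLs.
    """
    for pol in policies:
        if pol.disabled:
            continue
        hit = pol.matches(url)
        if pol.mode == "blacklist":
            if hit:
                return "block", True, pol.name
        elif pol.mode == "whitelist":
            return ("release" if hit else "block"), True, pol.name
        elif pol.mode == "bypass":
            if hit:
                return "release", False, pol.name
        else:
            raise ValueError(f"policy {pol.name!r}: unknown mode {pol.mode!r}")
    # no policy decided: released and DPI continues (assumed default for this example)
    return "release", True, None


# Constructed sample policy list (not from the manual).
SAMPLE_POLICIES = [
    AdvancedUrlPolicy("bypass-payment", "bypass", https_hostnames=["pay.example.test"]),
    AdvancedUrlPolicy("block-known-bad", "blacklist",
                      hostnames=["bad.example.test"], regexes=[r"\.exe$"]),
    AdvancedUrlPolicy("intranet-only", "whitelist",
                      hostnames=["intranet.example.test"], disabled=True),
]
```

Enabling the disabled white list policy blocks every URL it does not match, which is the behaviour to keep in mind when a white list is combined with other policies.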
Select Service > Application Security > Access Control > Page Push from the navigation tree to enter the page push page, as shown in the following figure.
The default push information is shown above; the user can also customize the push information, up to 1024 bytes.
Select Service > Application Security > Access Control > Page Push from the navigation tree to enter the page push page, as shown in the following figure.
After interface traffic statistics is enabled, the device analyzes the traffic of all service interfaces.
After user traffic statistics is enabled, the device collects traffic statistics based on the user IP addresses configured in User Groups and sends the statistics to the UMC at every interval.
To add a user group, you need to configure an IP address object or IP address object group in advance.
Select Service > Application Security > Access Control > Behavior Analysis from the navigation tree to enter the behavior analysis basic configuration page, as shown in the following figure.
The parameters of the behavior analysis basic configuration are as follows:
Select Service > Application Security > Access Control > Advanced Configuration from the navigation tree to enter the advanced configuration page, as shown in the following figure.
The parameters of the behavioral audit advanced configuration are as follows:
Audit signature database upgrade: when audit features change or are added, the device software version does not need to change; the audit signature database can be upgraded manually instead. When upgrading the audit signature database, check the compatibility of the signature database: the version number of the upgrade must be the same as the current one, and the size of the upgrade version must be larger than that of the version currently in use. For example, if the audit signature library currently used by the device is CAM-1.10.9-CN.dat, where 10 is the version number of the audit signature library and 9 is the size of the version, only CAM-1.10.*-CN.dat can be used as an upgrade, and * must be greater than 9.
Behavioral audit orders: click to enable behavioral audit. When enabled, ensure that the audited packets are sent in the order in which they entered the device.
Application session audit: enable the session audit function and select the protocols to be audited. The device records the session logs of the selected protocols and sends the log information to the UMC. The log information contains the five-tuple, the application protocol and other information. The UMC displays the received log information as a graph so that the originator of a network application can be queried.
Web browsing audit configuration: select an audit mode according to the HTTP audit requirements; the number of HTTP audit logs recorded differs between modes. The default audit level of the device is "Record html page access", and each audit level has a corresponding functional description. Placing the mouse over the exclamation point shows the description automatically.
Smart filter: when enabled, filters out the logs generated by most pages that are not accessed by the user.
Record status code: when enabled, HTTP audit records the status code of the Web server response, and the current network quality can be judged from the recorded status codes.
E-mail attachment audit: when enabled, e-mail attachments are audited; it is enabled by default. The attachment size can be configured as a decimal number and cannot exceed 32M.
Audit log MAC obtaining configuration: this function obtains the source MAC address of a packet after it has passed through a Layer 3 switch. Configure the IP address of the Layer 3 switch; the device reads the MAC address table of the switch through SNMP to obtain the real MAC address. The timeout and interval for accessing the SNMP server can be modified; the default values are 5 minutes and 15 minutes respectively.
Keyword import and export configuration: select the character set encoding of the keyword import and export files. The default character set encoding is GBK, and UTF-8 can be configured.
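To make the audit signature database compatibility rule above checkable, here is an added Python example (not DPtech code) that parses the CAM-1.10.9-CN.dat style of file name shown on the page and accepts an upgrade only when the version number is unchanged and the size is larger; treating a different library prefix, leading number or language suffix as incompatible is this example's own assumption, as is the name of every function.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class AuditSigFile(NamedTuple):
    """Fields of an audit signature file name such as CAM-1.10.9-CN.dat."""
    library: str   # "CAM"
    major: int     # 1 (the page does not name this field; kept as part of the prefix)
    version: int   # 10, the version number of the audit signature library
    size: int      # 9, the "size" of the version
    lang: str      # "CN"


_NAME_RE = re.compile(r"^([A-Za-z]+)-(\d+)\.(\d+)\.(\d+)-([A-Za-z]+)\.dat$")


def parse_audit_sig_name(name: str) -> AuditSigFile:
    """Parse a signature file name; raise ValueError if it does not follow the pattern."""
    m = _NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"unrecognised audit signature file name: {name!r}")
    library, major, version, size, lang = m.groups()
    return AuditSigFile(library, int(major), int(version), int(size), lang)


def can_upgrade(current: str, candidate: str) -> Tuple[bool, str]:
    """Apply the page's rule: same version number, strictly larger size (compared numerically)."""
    cur = parse_audit_sig_name(current)
    new = parse_audit_sig_name(candidate)
    if (cur.library, cur.major, cur.lang) != (new.library, new.major, new.lang):
        # assumption of this example: a different prefix or language is not compatible
        return False, "library prefix, leading number or language differs"
    if new.version != cur.version:
        return False, f"version number {new.version} differs from current {cur.version}"
    if new.size <= cur.size:
        return False, f"size {new.size} is not greater than current size {cur.size}"
    return True, f"compatible upgrade from size {cur.size} to {new.size}"


def newest_compatible(current: str, candidates: List[str]) -> Optional[str]:
    """Pick the compatible candidate with the largest size; skip names that do not parse."""
    best: Optional[str] = None
    best_size = -1
    for name in candidates:
        try:
            ok, _ = can_upgrade(current, name)
        except ValueError:
            continue   # e.g. a README or an unrelated file in the same directory
        if ok:
            size = parse_audit_sig_name(name).size
            if size > best_size:
                best, best_size = name, size
    return best
```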
Select Service > Application Security > Access Control > BBS User Name Custom Audit from the navigation tree to enter the BBS user name custom audit page, as shown in the following figure.
The forum user name custom audit supports the delete-all function. The configuration parameters are as follows:
Select Service > Application Security > Access Control > BBS Domain Name Custom Audit from the navigation tree to enter the BBS domain name custom audit page, as shown in the following figure.
The forum domain name custom audit supports the import, export and delete-all functions. The configuration parameters are as follows:
Select Service > Application Security > Access Control > Keyword Filtering Policy Config from the navigation tree to enter the keyword filtering policy config page, as shown in the following figure.
The parameters of the keyword filtering policy configuration are as follows:
Select Service > Application Security > Access Control > Keyword Group Config from the navigation tree to enter the keyword group config page, as shown in the following figure.
No.: the serial number of the keyword group configuration item, generated automatically.
Name: the name of the keyword group.
Keywords: the keywords in the keyword group; multiple keywords can be configured at the same time.
Select Service > Application Security > Access Control > QQ Application Control from the navigation tree to enter the QQ application control page, as shown in the following figure.
Enable the QQ filtering function and configure the white list filtering accounts and black list filtering accounts respectively. In white list mode, the white list accounts are completely unblocked and all other accounts are blocked; in black list mode, all the black list accounts are blocked and all other accounts are completely unblocked.
Select Service > Application Security > Access Control > Mail Attachment Restriction from the navigation tree to enter the mail attachment restriction page, as shown in the following figure.
The mail attachment restriction feature can prohibit attachments, and can also limit the size of the attachments sent.
Bandwidth rate limiting includes user group rate limiting and single user rate limiting, and the configuration method is exactly the same for both. The purpose is to limit the bandwidth of specific user applications, such as HTTP downloads, online games, online TV and P2P downloads.
Select Service > Application Security > Bandwidth Management > User Group Rate Limit from the navigation tree to enter the user group rate limit page, as shown in the following figure.
The user group rate limit configuration parameters are described as follows:
Effective time: can be configured as always valid, or as valid for certain periods on certain days of the week.
Disable: when checked, the policy is disabled. Individual policies can be disabled, or all policies can be disabled at the same time.
Operation: includes the functions of adding, deleting and inserting configuration items. For specific instructions, refer to the relevant content in the "Quick Start" chapter.
The user group rate limit needs to be referenced in "IPv4 Packet Filtering Policy > Actions > Advanced Security Services > User Group Rate Limit".
Select Service > Application Security > Bandwidth Management > Single User Limit from the navigation tree to enter the single user limit page, as shown in the following figure.
The configuration method of the single user rate limit is exactly the same as that of the user group rate limit and is not repeated here.
The single user rate limit needs to be referenced in "IPv4 Packet Filtering Policy > Actions > Advanced Security Services > Per IP Rate Limit".
The QoS basic configuration lets you configure a bandwidth guarantee policy so that the basic Internet access of different users is not affected while bandwidth is limited.
Select Service > Application Security > Access Control > QoS from the navigation tree to enter the QoS page, as shown in the following figure.
The parameters of the bandwidth guarantee basic setting are as follows:
User group bandwidth guarantee provides bandwidth guarantees for different applications of different user groups, based on the basic bandwidth guarantee settings. Before configuring a user group bandwidth guarantee, you need to configure the device interface bandwidth in the bandwidth guarantee basic settings.
Select Service > Application Security > Access Control > QoS > User Group Bandwidth Guarantee from the navigation tree to enter the user group bandwidth guarantee page, as shown in the following figure.
Name: the name of the user group bandwidth guarantee policy.
Device interface group: select the name of a configured basic bandwidth guarantee policy. Move the mouse over the option to view the interface bandwidth information.
User group: to add a user group, you need to configure the IP address object or IP address object group in advance.
Guaranteed rate setting: click the "Please set the guaranteed rate parameter" configuration item, and the user group bandwidth guaranteed rate setting window pops up as shown in the following figure. Select the network application group, configure the guaranteed uplink and downlink rates, the maximum rate and the unit, and click the <OK> button.
Effective time: can be configured as always valid, or as valid for certain periods on certain days of the week.
Disable: when checked, the policy is disabled. Individual policies can be disabled, or all policies can be disabled at the same time.
Operation: includes the functions of adding, deleting and inserting configuration items. For specific instructions, refer to the relevant content in the "Quick Start" chapter.
Select Service > Application Security > Access Control > QoS > Single User Bandwidth Guarantee from the navigation tree to enter the single user bandwidth guarantee page, as shown in the following figure.
The configuration method of the single user bandwidth guarantee is exactly the same as that of the user group bandwidth guarantee and is not repeated here.
Select Service > Application Security > IDS Collaboration Log from the navigation tree to enter the IDS collaboration log page, as shown in the following figure.
Link load balancing is a technology that enhances network connectivity and link availability by using multiple links between the intranet and external networks. It can be divided into outbound load balancing and inbound load balancing.
Outbound load balancing: when the links of multiple operators are connected, the device selects the optimal link for outgoing packets according to the destination IP address and the load balancing rules, so that internal network users access the external network over the links of different carriers. If one carrier link fails, network users can still access the external network through the other carrier links. Outbound load balancing thus provides link backup and enhances communication reliability.
Inbound load balancing: when an external network user accesses an intranet server, the device performs domain name resolution based on the DNS request from the external network and the inbound load balancing rules, and sends a DNS response to the external network so that the external user selects the correct link to access the internal server. Inbound load balancing avoids excessive concentration of incoming traffic on one link and enhances the stability of network traffic.
Link
In load balancing, a link usually refers to an Internet access line provided by an operator. In the application delivery device, a link is described mainly by its bandwidth, operator, link status and quality (packet loss, delay, etc.), attributes that characterize the Internet access capability and quality the link provides.
Link scheduling policy
The link scheduling policy lets the user control traffic flow freely and makes the best use of the links. The application delivery device supports controlling the direction of traffic by carrier, link overload protection, specified source address, specified inbound interface and specified application type, so that all types of links are fully utilized and flow quality is optimized.
Link health monitoring
With link health monitoring, the application delivery device probes a remote device or server through a specified link. According to the detection method (TCP, ICMP, etc.) it determines whether the current link is available; if the current link fails, traffic is moved to other working links.
Link session keep
When an application delivery device is connected to multiple links, the source NAT function needs to be configured for each link. When an intranet user uses an application, the application initiates multiple requests; if these requests are scheduled to different link exits, different source addresses are selected, which is likely to cause the application to fail. Therefore, link session keep binds a session by its source + destination IP so that the multiple requests of an application stay on the same link, and the application does not fail in a multi-link source NAT environment.
When health monitoring finds that several consecutive probes fail, the link is also considered failed and the traffic is rescheduled. When the physical interface is unplugged or the administrator shuts the interface down through the configuration, the device also reroutes the traffic.
3. Scheduling based on static and dynamic proximity
Static proximity means the application delivery device has a built-in, up-to-date network segment table for operators such as China Telecom, China Unicom, China Mobile and the education network, which can be updated automatically over a remote connection. Through static network segment matching, user traffic to a China Telecom address takes the China Telecom link and traffic to a China Unicom address takes the China Unicom link, giving a good network experience.
Dynamic proximity means the application delivery device actively probes a destination address from each link to measure delay, packet loss rate and other parameters, and uses a link quality assessment algorithm to select the best exit link for that destination address among the multiple links; traffic to that destination address is then directed to that link.
4. Domain-based scheduling
The application delivery device can direct all traffic for a domain name (such as www.dptechnology.com) to a specified link. If the domain name in a DNS reply packet is the same as the domain name specified on the device, the device extracts the IP address corresponding to the domain name from the packet and creates a destination IP address entry. When the destination IP address of a subsequent connection matches that IP address entry, the connection is forwarded through the specified link, implementing the domain name steering function.
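The outbound scheduling concepts above (weight-based link selection, static proximity by operator network segment, link health monitoring with rescheduling after consecutive probe failures or an administrative shutdown, and session keep by source + destination IP) combined in one added Python model; this is illustrative code written for this section, not DPtech's implementation, and the link names, operator names, network segments, hashing method and the failure threshold are constructed assumptions.

```python
import ipaddress
import zlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FAIL_THRESHOLD = 3   # consecutive failed health probes before a link counts as failed (assumed)


@dataclass
class Link:
    name: str
    isp: str
    weight: int                 # as on the link configuration page: larger weight, larger share
    consecutive_failures: int = 0
    admin_up: bool = True       # False when the administrator shuts the interface down

    @property
    def available(self) -> bool:
        return self.admin_up and self.consecutive_failures < FAIL_THRESHOLD


# Constructed static proximity table (operator -> network segments) using documentation
# prefixes; the real device ships a full operator segment table instead.
STATIC_PROXIMITY = {
    "ISP-A": [ipaddress.ip_network("203.0.113.0/24")],
    "ISP-B": [ipaddress.ip_network("198.51.100.0/24")],
}


def isp_for(dst_ip: str) -> Optional[str]:
    """Static proximity lookup: which operator's segment table contains the destination."""
    addr = ipaddress.ip_address(dst_ip)
    for isp, nets in STATIC_PROXIMITY.items():
        if any(addr in net for net in nets):
            return isp
    return None


class OutboundScheduler:
    def __init__(self, links: List[Link]) -> None:
        self.links: Dict[str, Link] = {link.name: link for link in links}
        # session keep table: (source IP, destination IP) -> link name
        self.sessions: Dict[Tuple[str, str], str] = {}

    def record_probe(self, link_name: str, ok: bool) -> None:
        """Feed one health monitoring result (e.g. a TCP or ICMP probe) for a link."""
        link = self.links[link_name]
        link.consecutive_failures = 0 if ok else link.consecutive_failures + 1
        if not link.available:
            self._reschedule(link_name)

    def set_admin_state(self, link_name: str, up: bool) -> None:
        """The administrator shuts down or re-enables the interface."""
        self.links[link_name].admin_up = up
        if not up:
            self._reschedule(link_name)

    def _reschedule(self, failed: str) -> None:
        # drop the session keep entries of a failed link so its traffic is rescheduled
        self.sessions = {k: v for k, v in self.sessions.items() if v != failed}

    @staticmethod
    def _weighted_pick(candidates: List[Link], key: Tuple[str, str]) -> Link:
        # deterministic weighted choice: hash the session key onto the total weight
        total = sum(link.weight for link in candidates)
        point = zlib.crc32(f"{key[0]}->{key[1]}".encode()) % total
        for link in candidates:
            if point < link.weight:
                return link
            point -= link.weight
        return candidates[-1]

    def select(self, src_ip: str, dst_ip: str) -> Optional[str]:
        """Return the egress link for a flow, or None when no link is available."""
        key = (src_ip, dst_ip)
        kept = self.sessions.get(key)
        if kept is not None and self.links[kept].available:
            return kept                       # session keep: same src + dst stays on one link
        up = [link for link in self.links.values() if link.available]
        if not up:
            return None
        preferred = [link for link in up if link.isp == isp_for(dst_ip)]
        chosen = self._weighted_pick(preferred or up, key)   # proximity first, then weight
        self.sessions[key] = chosen.name
        return chosen.name
```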
Select Service > Link LB > Link Configuration > Link Configuration from navigation tree to
enter the link configuration page, as shown in following figure.
ISP: display / set the operator to which the export link belongs. The export link is the role of
link load balancing, including the direction of the link and the direction of the link; the
observation link does not carry out the link scheduling, only the statistical link traffic
information and link health check.
Basic: set the bandwidth, bandwidth threshold, weight and priority of the export link.
Bandwidth: display/set the bandwidth of the export link. The value range is
1~100000 Mbps.
Bandwidth threshold: display/set the bandwidth threshold of the export link.
Weight: display/set the weight with which the export link is scheduled within its group.
The greater the weight, the greater the proportion of traffic scheduled to the link.
Priority: display/set the priority of the export link.
Health monitoring: select the links to be monitored in the selection box (the monitored
objects themselves are configured under link health check).
Advanced configuration: set whether to enable the default route, and whether to enable
bandwidth threshold control for a specific time period.
Default route: set whether the export link is used as a default route. When the link
"Owner" is "None", this option is forced on. Once configured, the default route via the
egress link is displayed in the routing table, and the device allows traffic belonging to
other operators to be scheduled onto this link as well.
Specific time bandwidth threshold control: set the bandwidth threshold of the export
link for a specific time period.
Browse: click the Browse button to select the link load balancing configuration file to be
imported.
Additional Import: click the Additional Import button to import the configuration file
without overwriting the existing configuration.
Override Import: click the Override Import button to import the configuration file and
overwrite the existing configuration.
Export: click the Export button to export the configuration file.
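Putting the per-link parameters above together, the following Python is an added example (not DPtech code) of how an exit link is chosen for a new connection. The manual does not publish its scheduler, so the order of the checks, the threshold unit (percent of bandwidth), the priority direction (larger value preferred) and the use of smooth weighted round-robin are assumptions, as are the link names and values.

```python
"""Exit-link selection from health state, bandwidth threshold, priority and
weight. Added example, not DPtech code; the selection rules are assumed:
1. drop links that failed health monitoring or are over their threshold,
2. keep only the highest-priority links that remain,
3. share new connections among them by smooth weighted round-robin."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ExitLink:
    name: str
    isp: str
    bandwidth_mbps: int           # 1~100000 Mbps, as on the configuration page
    threshold_pct: int            # bandwidth threshold as % of bandwidth (assumed unit)
    weight: int                   # larger weight = larger share of traffic
    priority: int                 # larger value = preferred (assumed direction)
    healthy: bool = True          # result of link health monitoring
    load_mbps: float = 0.0        # current measured load (constructed)
    _current: int = field(default=0, repr=False)   # smooth-WRR state

    def over_threshold(self) -> bool:
        return self.load_mbps * 100 > self.bandwidth_mbps * self.threshold_pct


class LinkScheduler:
    def __init__(self, links: List[ExitLink]):
        for link in links:
            if not 1 <= link.bandwidth_mbps <= 100000:
                raise ValueError(f"{link.name}: bandwidth outside 1~100000 Mbps")
            if link.weight < 1:
                raise ValueError(f"{link.name}: weight must be positive")
        self.links = links

    def candidates(self) -> List[ExitLink]:
        """Healthy, under-threshold links of the highest priority present."""
        usable = [l for l in self.links if l.healthy and not l.over_threshold()]
        if not usable:
            return []
        top = max(l.priority for l in usable)
        return [l for l in usable if l.priority == top]

    def pick(self) -> Optional[ExitLink]:
        """Smooth weighted round-robin over the candidate set."""
        cands = self.candidates()
        if not cands:
            return None
        total = sum(l.weight for l in cands)
        for l in cands:
            l._current += l.weight
        best = max(cands, key=lambda l: l._current)
        best._current -= total
        return best


def schedule(sched: LinkScheduler, n: int) -> List[str]:
    """Names of the links chosen for n successive new connections."""
    out: List[str] = []
    for _ in range(n):
        link = sched.pick()
        out.append(link.name if link else "none")
    return out


def sample_links() -> List[ExitLink]:
    """Constructed sample; names and values are not from the manual."""
    return [
        ExitLink("telecom-1", "China Telecom", 1000, 80, weight=3, priority=10),
        ExitLink("unicom-1", "China Unicom", 500, 80, weight=1, priority=10),
        ExitLink("backup-4g", "China Mobile", 100, 90, weight=1, priority=1),
    ]
```

With the sample links, eight new connections are split 6:2 between the two priority-10 links and the low-priority backup carries nothing until the telecom link exceeds its threshold and the Unicom link fails its health check.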
Select Service > Link LB > Link Configuration > Link Information Preview from the navigation
tree to enter the link information preview page, as shown in the following figure. The page
lists the parameters of each configured link.
The health monitoring module provides the function of setting link health monitoring parameters.
Select Service > Link LB > Monitored Object from the navigation tree to enter the monitored
object page, as shown in the following figure.
The IP address resolved from the domain name is monitored preferentially. If no domain name
is configured or the domain name cannot be resolved, the configured IP address is monitored.
21.3 ISP
Select Service > Link LB > ISP from the navigation tree to enter the ISP page. Enter an IP
address in the information query on the right side of the page to query the operator to which
the address belongs. If the IP address is not in any operator's network segment table, the
query result is empty.
The system has pre-defined network segment tables for four operators: China Telecom, China
Unicom, China Mobile and China Education Network. Users can import and export a network
segment table, or add, delete and insert network segment entries in an existing table. Taking
China Telecom as an example, the operator network segment table is shown in the following
figure.
Click the Add button, and the "New ISP" submenu item appears under the "ISP" menu item.
Enter the name of the ISP and click the OK button. The page then displays the network
segment configuration of this operator. You can configure the network segment entries
manually, or import and export them.
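The ISP query on this page, and the static network segment matching described at the start of this chapter, both come down to a longest-prefix-match lookup over the operator network segment table. The following Python is an added example (not DPtech code) of such a table: it supports additional and override import of a simple "CIDR ISP" line format (a constructed format, not the device's file format), returns None for an address in no segment, and reports segments assigned to different operators that overlap, which is the check worth running after an import since the more specific entry silently wins. The network segments are constructed from documentation ranges.

```python
"""Operator network segment table with longest-prefix-match lookup.
Added example, not DPtech code. Table contents and line format are
constructed for the example."""
import ipaddress
from typing import List, Optional, Tuple

SAMPLE_TABLE = """
# constructed sample, not the device's built-in table
198.51.100.0/24   China Telecom
203.0.113.0/24    China Unicom
203.0.113.128/25  China Mobile
"""


class IspTable:
    def __init__(self) -> None:
        # kept sorted by prefix length, longest first, so the first hit wins
        self._entries: List[Tuple[ipaddress.IPv4Network, str]] = []

    def add(self, cidr: str, isp: str) -> None:
        net = ipaddress.IPv4Network(cidr, strict=True)   # rejects host bits set
        self._entries.append((net, isp))
        self._entries.sort(key=lambda e: e[0].prefixlen, reverse=True)

    def import_lines(self, text: str, overwrite: bool = False) -> int:
        """Load 'CIDR ISP' lines. overwrite=True behaves like Override Import,
        overwrite=False like Additional Import. Returns entries loaded."""
        if overwrite:
            self._entries.clear()
        count = 0
        for line in text.splitlines():
            line = line.split("#", 1)[0].strip()
            if not line:
                continue
            cidr, isp = line.split(None, 1)
            self.add(cidr, isp.strip())
            count += 1
        return count

    def lookup(self, ip: str) -> Optional[str]:
        """Operator for ip, or None when it is in no segment (empty query)."""
        addr = ipaddress.IPv4Address(ip)
        for net, isp in self._entries:
            if addr in net:
                return isp
        return None

    def overlaps(self) -> List[Tuple[str, str]]:
        """Pairs of segments assigned to different ISPs where one contains
        the other; the longer prefix wins on lookup, so review these."""
        found: List[Tuple[str, str]] = []
        for i, (a, isp_a) in enumerate(self._entries):
            for b, isp_b in self._entries[i + 1:]:
                if isp_a != isp_b and (a.subnet_of(b) or b.subnet_of(a)):
                    found.append((str(a), str(b)))
        return found
```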
22 IPv6 Transition Technology
22.1 NAT64
Select Service > IPv6 Transition Technology > NAT64 > Prefix from the navigation tree to
enter the prefix configuration page, as shown in the following figure.
Serial number: displays the sequence number of the IPv6 prefix entry.
IPv6 prefix: set the NAT64 IPv6 prefix.
IPv6 prefix length: set the mask length of the IPv6 prefix.
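The prefix and prefix length configured here determine how an IPv4 destination is represented as an IPv6 address. The following Python is an added example (not DPtech code) of the IPv4-embedded IPv6 address format of RFC 6052, which is what NAT64 prefixes use: it synthesises the IPv6 address for an IPv4 address under a given prefix and recovers the IPv4 address again, rejecting prefix lengths other than 32, 40, 48, 56, 64 and 96 and addresses whose bits 64 to 71 (the reserved "u" octet) are not zero. The prefixes and addresses used in the test are RFC 6052's own worked values; whether the DPtech device accepts every one of these lengths is not stated on this page.

```python
"""IPv4-embedded IPv6 addresses for a NAT64 prefix (RFC 6052 section 2.2).
Added example, not DPtech code."""
import ipaddress

VALID_LENGTHS = (32, 40, 48, 56, 64, 96)


def _prefix_bits(prefix: str, plen: int) -> int:
    if plen not in VALID_LENGTHS:
        raise ValueError(f"prefix length {plen} not allowed by RFC 6052")
    return int(ipaddress.IPv6Address(prefix)) >> (128 - plen) << (128 - plen)


def embed(prefix: str, plen: int, ipv4: str) -> str:
    """IPv6 address for ipv4 under prefix/plen. Bit numbering is from the
    left: the prefix occupies bits 0..plen-1, the u octet bits 64..71."""
    pfx = _prefix_bits(prefix, plen)
    v4 = int(ipaddress.IPv4Address(ipv4))
    if plen == 96:
        bits = pfx | v4                          # IPv4 in bits 96..127
    elif plen == 64:
        bits = pfx | (v4 << 24)                  # IPv4 in bits 72..103, after u
    else:
        high = 64 - plen                         # IPv4 bits placed before u
        hi = v4 >> (32 - high)
        lo = v4 & ((1 << (32 - high)) - 1)
        bits = pfx | (hi << 64) | (lo << (24 + high))   # hi ends at bit 63, lo starts at 72
    return str(ipaddress.IPv6Address(bits))


def extract(prefix: str, plen: int, ipv6: str) -> str:
    """Recover the IPv4 address from an IPv4-embedded IPv6 address."""
    pfx = _prefix_bits(prefix, plen)
    bits = int(ipaddress.IPv6Address(ipv6))
    if bits >> (128 - plen) << (128 - plen) != pfx:
        raise ValueError("address is not under the NAT64 prefix")
    if (bits >> 56) & 0xFF:                      # bits 64..71 must be zero
        raise ValueError("u octet (bits 64-71) must be zero")
    if plen == 96:
        v4 = bits & 0xFFFFFFFF
    elif plen == 64:
        v4 = (bits >> 24) & 0xFFFFFFFF
    else:
        high = 64 - plen
        hi = (bits >> 64) & ((1 << high) - 1)
        lo = (bits >> (24 + high)) & ((1 << (32 - high)) - 1)
        v4 = (hi << (32 - high)) | lo
    return str(ipaddress.IPv4Address(v4))
```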
Select Service > IPv6 Transition Technology > NAT64 > NAT64 Address from the navigation
tree to enter the NAT64 address page, as shown in the following figure.
The parameters of the NAT64 address configuration list are described as follows:
Borrow outgoing interface address: when selected, the address of the outgoing interface is
used as the public network address.
Select an existing address pool: select an existing address pool rule in the left box and
click the <Add> button; the selected address pool rule is displayed on the right. Deletion
works the other way round.
Associate VRRP: set whether to associate with VRRP.
Select Service > IPv6 Transition Technology > NAT64 > NAT-PT translation configuration
from the navigation tree to enter the NAT-PT configuration page, as shown in the following figure.
2) For 6to4 translation, the translated source address must be taken from an IPv4
address pool.
Translated destination address: the destination address of the packet after NAT-PT policy
translation.
Advanced configuration: set whether the NAT-PT policy performs destination port
translation.
IPv4 VRRP: set whether the NAT-PT policy is associated with IPv4 VRRP.
The address pool module provides the function of setting IPv4 address pool parameters.
Select Service > IPv6 Transition Technology > NAT64 > Address Pool from navigation tree to
enter the address pool page, as shown in the following figure.
DS-Lite (Dual-Stack Lite) is a 4in6 tunnelling technology. In an IPv6-only access network it
lets dual-stack or IPv4-only hosts reach IPv4 network resources. DS-Lite is implemented jointly
by the AFTR (DS-Lite Address Family Transition Router element) and the B4 (Basic Bridging
BroadBand element).
After learning the AFTR address through static configuration or DHCPv6, the dual-stack
capable B4 sets up a bidirectional, stateless IPv4-in-IPv6 tunnel to the AFTR. It encapsulates
incoming IPv4 packets in an IPv6 header (whose source address is the B4 address and whose
destination address is the AFTR address) and sends them to the AFTR through the tunnel. The
AFTR strips the IPv6 header to reveal the IPv4 packet, performs NAT to translate the user's
private IPv4 address into a public IPv4 address, and forwards the packet to the IPv4 network.
When the AFTR receives an IPv4 packet from the IPv4 network, it looks up the NAT mapping
table, translates the public address back to the private address, finds the B4 address indexed
by the private-network information, encapsulates the IPv4 packet in an IPv6 header and
forwards it to the B4 through the IPv4-in-IPv6 tunnel. On receipt, the B4 strips the IPv6 header
to reveal the IPv4 packet and forwards it.
Select Service > IPv6 Transition Technology > DS-Lite > DS-Lite Address from the navigation
tree to enter the page, as shown in the following figure.
Open DS-Lite to expand the configuration information; you can configure the AFTR or the B4.
The parameters are described as follows:
AFTR configuration:
AFTR IPv6 address: set the IPv6 address of the AFTR.
B4 configuration:
Interface: set the interface that carries the IPv4-in-IPv6 tunnel.
B4 AFTR address: set the AFTR address that this B4 tunnels to.
DHCP option: when enabled, the interface and B4 AFTR address need not be configured,
because the AFTR address is learned through DHCPv6.
The DS-Lite NAT policy parameters (Service > IPv6 Transition Technology > DS-Lite menu)
are described as follows:
Borrow outgoing interface address: when selected, the address of the outgoing interface is
used as the public network address.
No NAT: when selected, the device performs no NAT processing.
Select an existing address pool: select an existing address pool rule in the left box and
click the <Add> button; the selected address pool rule is displayed on the right. Deletion
works the other way round.
Advanced port: the source port after NAT. When the port hash function is not enabled, it is
the same as the source port before NAT.
Associate VRRP: choose whether to associate with VRRP.
Status: enable or disable the DS-Lite NAT policy.
The address pool module provides the function of setting the public network IPv4 address pool.
Select Service > IPv6 Transition Technology > DS-Lite > Address Pool from navigation tree
to enter the address pool page, as shown in the following figure.