Chapter 3 - Lab Environment Settings
HCSA-NGFW 2022
Contents
1 Working Mode
2 Basic Command
3 Data Forwarding
4 Lab

Working Mode

Routing Mode
(Figure: E0/4 in zone untrust connects to the Internet; E0/1 in zone trust serves 192.168.10.0/24; E0/2 in zone dmz serves 192.168.20.0/24.)

Transparent Mode
(Figure: E0/4 in zone L2-untrust connects to the Internet; E0/1 in zone L2-trust connects to a host at 192.168.10.10/24; the LAN interface is 192.168.10.254/24.)

Tap Mode
(Figure: E0/4 in zone TAP receives mirrored traffic; the LAN interface is 192.168.10.254/24 and the host is 192.168.10.10/24.)

Mix Mode
(Figure: E0/4 in zone untrust connects to the Internet; two 192.168.10.0/24 segments, each with gateway 192.168.10.254.)

Basic Command

CLI Configuration Mode
• Execution mode
The execution mode is the CLI mode you are in right after entering the username and password. In this mode, you can only configure the device within your privilege level.
Prompts of the execution, global configuration and interface configuration modes:
hostname#
hostname(config)#
hostname(config-if-eth0/0)#

Commonly Used Show Commands

Check System Status - CLI
• In CLI, show is used to check system status:
- Device SN
- StoneOS version
- Running time/status
- Hardware platform
- Licenses
- ……
SG-6000# show version
Hillstone Networks StoneOS software, Version 5.5
Copyright (c) 2009-2020 by Hillstone Networks
Product name: SG-6000-E1600 S/N: 2508132161001434
Assembly number: B102
Boot file is SG6000-M-3-5.5R7P4.bin from flash
Built by buildmaster8 2020/02/11 13:42:52
Uptime is 0 day 22 hours 36 minutes 27 seconds
System language is "en"
VRouter feature: disabled

Check Interface Status - CLI
• In CLI, show is used to check status information:
- e.g. show interface to check interface status

Interface Configuration (CLI)
SG-6000# configure
Enter global configuration mode
SG-6000(config)# interface ethernet0/1
Enter interface configuration mode
SG-6000(config-if-eth0/1)# zone trust
Configure layer 3 zone
SG-6000(config-if-eth0/1)# ip address 192.168.10.10/24
SG-6000(config-if-eth0/1)# manage https
Configure interface management method
SG-6000(config-if-eth0/1)# exit
Alternatively, bind the interface to a layer 2 zone:
SG-6000(config-if-eth0/1)# zone l2-trust
Configure layer 2 zone

Route Configuration (CLI)
SG-6000# configure
Enter global configuration mode
SG-6000(config)# ip vrouter trust-vr
Enter vrouter configuration mode
SG-6000(config-vrouter)# ip route 10.18.0.0/16 10.1.1.1
SG-6000(config-vrouter)# exit

Policy Configuration (CLI)
SG-6000# configure
Enter global configuration mode
SG-6000(config)# policy-global
Enter policy configuration mode
SG-6000(config-policy)# rule from any to any service any permit

NAT Configuration (CLI)
SG-6000# configure
Enter global configuration mode
Enter NAT configuration mode (option 1)
SG-6000(config)# nat
SG-6000(config-nat)# snatrule from any to any service eif e0/0 trans-to eif-ip mode dynamicport log
SG-6000(config-nat)# dnatrule from any to 200.0.0.10/32 service http trans-to 192.168.10.10/32 port 80
Enter vrouter configuration mode (option 2)
SG-6000(config)# ip vrouter trust-vr
SG-6000(config-vrouter)# snatrule from any to any service eif e0/0 trans-to eif-ip mode dynamicport log

Data Forwarding

Data Forwarding Example (1 of 4)
(Figure: Trust zone on E0/1, 192.168.10.254/24, with a host at 192.168.10.10/24; Untrust zone on E0/4, 200.1.1.0/24, next hop .254, towards the Internet; destination server 200.5.5.5.)

Requirements (2 of 4)
• In order to achieve Internet access:
- Interface: How to configure it?
- Route: Which type of route needs to be set?
- NAT: Which type of NAT needs to be used, and why?
- Policy: What policy needs to be set to allow the traffic to pass through the FW?

Configuration (3 of 4)
Interface:
interface ethernet0/1
zone trust
ip address 192.168.10.10/24
interface ethernet0/4
zone untrust
ip address 200.1.1.1/24
SNAT:
snatrule from any to any service any eif e0/4 trans-to eif-ip mode dynamicport
Policy:
policy-global
rule from any to any from-zone trust to-zone untrust service any permit

Data Forwarding Analysis (4 of 4)
(Flowchart; recoverable content:)
- A new packet is identified by SRC-IP, DST-IP, Protocol, SRC-Port and DST-Port.
- Session lookup on the Address Pair and Protocol/Port Pair: no match.
- Interface to zone mapping: E1 -> trust, E4 -> untrust.
- Policy check: within a zone or among zones? Yes.

Data Forwarding Analysis (4 of 4 Cont.)
- 4. SNAT? SA any, DA any: Yes, translate to the egress interface IP.
- Session Table: create a session.
  Address Pair: 192.168.10.10 -> 200.5.5.5; Protocol: 6; Port Pair: 55908 -> 80.
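The forwarding steps above, modelled as an added Python example (this is illustration code, not StoneOS code): session lookup, ingress interface to zone, route lookup to egress interface and zone, the zone-based policy check, SNAT to the egress interface IP, and session creation. The interface, route, policy and SNAT entries reproduce the lab configuration on these slides. The outbound packet, the server's reply and an unsolicited inbound packet are constructed; default deny when no policy rule matches, and matching the reply through a reverse session key, are assumptions of this model.

```python
"""Simplified model of the data forwarding steps on the slides (added example)."""
import ipaddress
from dataclasses import dataclass, field

TCP = 6

# Lab configuration from the slides: interface -> (zone, interface address)
INTERFACES = {
    "ethernet0/1": ("trust", ipaddress.ip_interface("192.168.10.254/24")),
    "ethernet0/4": ("untrust", ipaddress.ip_interface("200.1.1.1/24")),
}
# Connected routes plus the static default route, as listed by `show ip route`
ROUTES = [
    (ipaddress.ip_network("192.168.10.0/24"), "ethernet0/1"),
    (ipaddress.ip_network("200.1.1.0/24"), "ethernet0/4"),
    (ipaddress.ip_network("0.0.0.0/0"), "ethernet0/4"),
]
# rule from any to any from-zone trust to-zone untrust service any permit
POLICY = [{"from_zone": "trust", "to_zone": "untrust", "action": "permit"}]
# snatrule from any to any service any eif e0/4 trans-to eif-ip mode dynamicport
SNAT_EGRESS = {"ethernet0/4"}


@dataclass(frozen=True)
class Packet:
    iif: str  # interface the packet arrives on
    src: str
    dst: str
    proto: int
    sport: int
    dport: int

    def key(self):
        # Address pair + protocol/port pair: the session table lookup key
        return (self.src, self.dst, self.proto, self.sport, self.dport)


def lookup_route(dst):
    """Longest-prefix match over ROUTES; returns the egress interface or None."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, eif) for net, eif in ROUTES if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def policy_action(src_zone, dst_zone):
    """First matching zone-pair rule wins; no match means deny (model assumption)."""
    for rule in POLICY:
        if rule["from_zone"] == src_zone and rule["to_zone"] == dst_zone:
            return rule["action"]
    return "deny"


@dataclass
class Firewall:
    sessions: dict = field(default_factory=dict)

    def forward(self, pkt):
        # Step 1: session lookup on the 5-tuple (replies match via the reverse key)
        if pkt.key() in self.sessions:
            return "session-hit", self.sessions[pkt.key()]
        # Step 2: ingress interface -> zone
        src_zone = INTERFACES[pkt.iif][0]
        # Step 3: route lookup -> egress interface -> zone
        eif = lookup_route(pkt.dst)
        if eif is None:
            return "drop", None
        dst_zone = INTERFACES[eif][0]
        # Policy check among zones
        if policy_action(src_zone, dst_zone) != "permit":
            return "deny", None
        # Step 4: SNAT to the egress interface IP when the SNAT rule applies
        new_src = str(INTERFACES[eif][1].ip) if eif in SNAT_EGRESS else pkt.src
        entry = {"orig": pkt.key(), "translated_src": new_src,
                 "ingress": pkt.iif, "egress": eif, "zones": (src_zone, dst_zone)}
        # Create the session in both directions so the server's reply is matched
        self.sessions[pkt.key()] = entry
        self.sessions[(pkt.dst, new_src, pkt.proto, pkt.dport, pkt.sport)] = entry
        return "permit", entry


def demo():
    """Constructed packets: the slide's flow, its repeat, the reply, and an unsolicited inbound."""
    fw = Firewall()
    out = Packet("ethernet0/1", "192.168.10.10", "200.5.5.5", TCP, 55908, 80)
    reply = Packet("ethernet0/4", "200.5.5.5", "200.1.1.1", TCP, 80, 55908)
    unsolicited = Packet("ethernet0/4", "200.5.5.5", "192.168.10.10", TCP, 4444, 80)
    verdicts = [fw.forward(p)[0] for p in (out, out, reply, unsolicited)]
    return verdicts, fw


if __name__ == "__main__":
    print(demo()[0])  # ['permit', 'session-hit', 'session-hit', 'deny']
```

The unsolicited packet from untrust is denied because the only rule permits trust to untrust; the reply is accepted only because the session created for the outbound packet records the translated address 200.1.1.1, which is why SNAT state and the session table belong together.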

Lab

Setting Up Lab Environment
• Configuration Steps of Routing mode:
a. Configure L3 interface
b. Add default route
c. Add SNAT rule
d. Add policy

Topology of Routing Mode
(Figure: E0/1 in zone trust, 192.168.10.254/24; PC at 192.168.10.10/24.)

L3 Interface Settings (WebUI)
Network > Interface, select the interface and click the "Edit" button.

Default Route Settings (WebUI)
Network > Routing > Destination Route, click "New".

SNAT Settings (WebUI)
Policy > NAT > SNAT, click "New".

Policy Setting (WebUI)
Policy > Security Policy > Policy, click "New" to create a permit policy from trust to untrust.

Routing Mode Configurations (CLI)
1. Enter the interface configuration mode, bind the interface to a zone, assign an IP address
SG-6000(config)# interface eth0/4
SG-6000(config-if-eth0/4)# zone untrust
SG-6000(config-if-eth0/4)# ip address 200.1.1.1/24
SG-6000(config-if-eth0/4)# interface eth0/1
SG-6000(config-if-eth0/1)# zone trust
SG-6000(config-if-eth0/1)# ip address 192.168.10.254/24
SG-6000(config-if-eth0/1)# manage http

Routing Mode Configurations (CLI)
3. Add Policy
SG-6000(config)# policy-global
SG-6000(config-policy)# rule from any to any from-zone trust to-zone untrust permit

Check Settings
SG-6000# show interface
H:physical state;A:admin state;L:link state;P:protocol state;U:up;D:down;K:ha keep up;C:lacp down
=========================================================================================
Interface name IP address/mask Zone name H A L P MAC address Description
-----------------------------------------------------------------------------------------
vswitchif1 0.0.0.0/0 NULL D U D D 001c.5426.5c14 ------
ethernet0/0 10.86.100.198/24 trust U U U U 5000.0004.0000 ------
ethernet0/1 192.168.10.10/24 trust U U U U 5000.0004.0001 ------
ethernet0/2 0.0.0.0/0 NULL U U U D 5000.0004.0002 ------
ethernet0/3 0.0.0.0/0 NULL U U U D 5000.0004.0003 ------
ethernet0/4 200.1.1.1/24 untrust U U U U 5000.0004.0004 ------
=========================================================================================
SG-6000# show ip route
Codes: K - kernel route, C - connected, S - static, Z - ISP, R - RIP, O - OSPF,
B - BGP, D - DHCP, P - PPPoE, W - wireless, H - HOST, G - SCVPN, V - VPN, M - IMPORT,
I - ISIS, Y - SYNC, L - llb outbound, > - selected first nexthop, * - FIB route, b - BFD enable
Routing Table for Virtual Router <trust-vr>
==============================================================================
S>* 0.0.0.0/0 [1/0/1] via 200.1.1.254, ethernet0/4
C>* 10.86.100.0/24 is directly connected, ethernet0/0
H>* 10.86.100.198/32 [0/0/1] is local address, ethernet0/0
C>* 192.168.10.0/24 is directly connected, ethernet0/1
H>* 192.168.10.10/32 [0/0/1] is local address, ethernet0/1
C>* 200.1.1.0/24 is directly connected, ethernet0/4
H>* 200.1.1.1/32 [0/0/1] is local address, ethernet0/4
==============================================================================
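Checking the lab by eye against the show interface table is fine for two interfaces; for a lab rebuilt many times it is quicker to parse the output and compare it with the intended state. The following added Python example (not StoneOS or Hillstone code) parses a constructed copy of the show interface table above and reports every interface whose zone, address or H/A/L/P state differs from what the routing-mode steps expect. The expected-state table, the column regex and the finding texts are this example's own assumptions.

```python
"""Parse a `show interface` table and compare it with the intended lab state (added example)."""
import re

# Constructed sample, reproducing the table printed on the Check Settings slide
SHOW_INTERFACE = """\
Interface name IP address/mask Zone name H A L P MAC address Description
-----------------------------------------------------------------------------------------
vswitchif1 0.0.0.0/0 NULL D U D D 001c.5426.5c14 ------
ethernet0/0 10.86.100.198/24 trust U U U U 5000.0004.0000 ------
ethernet0/1 192.168.10.10/24 trust U U U U 5000.0004.0001 ------
ethernet0/2 0.0.0.0/0 NULL U U U D 5000.0004.0002 ------
ethernet0/3 0.0.0.0/0 NULL U U U D 5000.0004.0003 ------
ethernet0/4 200.1.1.1/24 untrust U U U U 5000.0004.0004 ------
"""

# One data row: name, address/mask, zone, four single-letter states (legend: U D K C), MAC, description
ROW = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+([UDKC])\s+([UDKC])\s+([UDKC])\s+([UDKC])\s+([0-9a-f.]+)\s+(\S+)$"
)


def parse_show_interface(text):
    """Return {interface name: {ip, zone, H, A, L, P, mac}}; header and rule lines are skipped."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        name, addr, zone, h, a, l, p, mac, _desc = m.groups()
        rows[name] = {"ip": addr, "zone": zone, "H": h, "A": a, "L": l, "P": p, "mac": mac}
    return rows


# Intended state of the two lab interfaces (assumed here from the Check Settings output)
EXPECTED = {
    "ethernet0/1": {"zone": "trust", "ip": "192.168.10.10/24"},
    "ethernet0/4": {"zone": "untrust", "ip": "200.1.1.1/24"},
}


def check_lab(rows, expected=EXPECTED):
    """Return a list of findings; an empty list means the device matches the intended state."""
    findings = []
    for name, want in expected.items():
        got = rows.get(name)
        if got is None:
            findings.append(f"{name}: missing from show interface")
            continue
        for field_name, value in want.items():
            if got[field_name] != value:
                findings.append(f"{name}: {field_name} is {got[field_name]}, expected {value}")
        states = "".join(got[s] for s in "HALP")
        if states != "UUUU":
            findings.append(f"{name}: not fully up (H/A/L/P = {states})")
    return findings


if __name__ == "__main__":
    table = parse_show_interface(SHOW_INTERFACE)
    print(check_lab(table))  # [] when the device matches EXPECTED
```

Feeding the same parser a table where E0/4 is still in zone NULL, or where the link state column shows D, yields one finding per deviation, which is the check to run before moving on to the SNAT and policy steps.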

Check Settings - Cont.
SG-6000# show snat
-------------------------------------------------------------------------------
vr name:trust-vr
snat rules total number is :1
==================================================================================
id ingress if from to service egress if/vr
translate to mode start end size
-------------------------------------------------------------------------------
1 Any Any Any ethernet0/4
egress if's IP Dyn-Pt
==================================================================================

Topology of Transparent Mode
(Figure: vswitchif1 192.168.10.1/24; E0/1 in zone L2-trust with PC1 at 192.168.10.10/24; E0/2 in zone L2-untrust with PC2 at 192.168.10.20/24.)

Configure L2 Interface (WebUI)
Network > Interface

Configure Policy (WebUI)
Policy > Security Policy

Transparent Mode (CLI)
1. Enter interface configuration mode and bind the interface to a security zone
SG-6000(config)# interface e0/1
SG-6000(config-if-eth0/1)# zone l2-trust
SG-6000(config-if-eth0/1)# exit
SG-6000(config)# interface e0/2
SG-6000(config-if-eth0/2)# zone l2-untrust
SG-6000(config-if-eth0/2)# exit

Transparent Mode (CLI)
2. Configure Policy
SG-6000(config)# policy-global
SG-6000(config-policy)# rule
SG-6000(config-policy-rule)# src-zone l2-trust
SG-6000(config-policy-rule)# dst-zone l2-untrust
SG-6000(config-policy-rule)# src-addr any
SG-6000(config-policy-rule)# dst-addr any
SG-6000(config-policy-rule)# service any
SG-6000(config-policy-rule)# action permit
SG-6000(config-policy-rule)# exit

Questions
1. What is the difference between routing mode and transparent mode?
2. What settings need to be done in routing mode?
3. What settings need to be done in transparent mode?
4. Can security zones access each other by default?

Lab-1 Topology (Routing mode)
Requirement: an intranet PC can access the Internet in routing mode.
(Figure: E0/4 in zone untrust, 200.1.1.1/24, gateway 200.1.1.254, towards the Internet; E0/1 in zone trust, 192.168.10.254/24; PC at 192.168.10.10/24.)

Lab-2 Topology (Transparent mode)
Requirement:
1. PC1 can access PC2;
2. manage the FW via IP 192.168.10.1.
(Figure: vswitchif1 192.168.10.1/24; E0/1 in zone L2-trust with PC1 at 192.168.10.10/24; E0/2 in zone L2-untrust with PC2 at 192.168.10.20/24.)