
ZXR10 8900 Series 10G Routing Switch

Contents

1. Example
   To delete year1, execute the following command:
      ZXR10_FW define schedule delete name year1

   Configuring Service Resource

   Service Resource Configuration Overview
   With the service resource setting, the user can define access control rules according to different services. The system defines some common services; the user can customize services and port IDs according to its demands, or combine services into service groups.

   Showing System-Defined Services
   The system has preset some common services for use when the user sets access control rules. The user can only view these preset services, not modify or delete them.
   1. Showing all services
      ZXR10_FW define service show <custom|default>
      This shows all custom/default services.
   Confidential and Proprietary Information of ZTE CORPORATION (page 50)
   Parameter: Description
   <custom|default>: This specifies the type of service to be viewed, where the keyword custom indicates a service customized by the user and default indicates a default service of the FW system that the user does not need to customize.

   Configuring Customized Services
   1. Adding one service
      ZXR10_FW define service add name <string1> protocol <number1> port <number2> port2 <number3> comment <string2>
      This adds one service.
   Parameter: Description
   add: This adds one ser
2. This renames groupaddr1 to groupaddr2:
      ZXR10_FW define group_address rename oldname groupaddr1 newname groupaddr2

   Deleting one address group
      ZXR10_FW define group_address delete id <number1> name <string>
      This deletes one address group.
   Parameter: Description
   delete: This deletes one address group.
   id: This specifies the ID of the address group to be deleted.
   <number1>: This is one number indicating the ID of the address group.
   ZXR10 8900 Series User Manual FW Volume (page 39)
   name: This specifies the name of the address group to be deleted.
   <string>: This is one string indicating the name of the address group.
   Command Illustration
   An address group can be deleted by address group name, by address group ID, or by both. However, if the address group ID and address group name are inconsistent, the address group name applies. When no parameter is given, all address groups not quoted by a policy are deleted.
   Example
   To delete groupaddr1, execute the following command:
      ZXR10_FW define group_address delete name groupaddr1

   5. Deleting one member in an address group
      ZXR10_FW define group_address delmember groupname <string1> member <string2>
      This deletes one member in an address group.
   Parameter: Description
   delmember: This deletes one member in an address group.
   groupname: This specifies the name of the address
3. <string1>: This is one string indicating the name of the host (the host name has already been defined).
   newname: This specifies the new name for one host.
   This is one string indicating the new name of the host.
   Example
   To modify the name of one host from host1 to host2, execute the following command:
      ZXR10_FW define host rename oldname host1 newname host2

   4. Deleting one host
      ZXR10_FW define host delete id <number1> name <string>
      This deletes one host.
   Parameter: Description
   id: This specifies the ID of the host to be deleted.
   Command Illustration
   A host can be deleted by host name, by host ID, or by both. However, if the host ID and host name are inconsistent, the host name applies. When no parameter is given, the host not quoted by a policy is deleted.
   Example
   To delete the host whose name is host1, execute the following command:
      ZXR10_FW define host delete name host1

   5. Deleting all hosts not quoted by a policy
      ZXR10_FW define host clean
      This deletes all hosts not quoted by a policy.

   6. Viewing all hosts
      ZXR10_FW define host show
      This views all hosts.

   Setting Address Range Resource
   1. Adding an address range configuration
      ZXR10_FW define range add name <string1> ip1 <string2> ip2
      This adds an address range configuration
4. FIGURE 9 DOCUMENT GROUP SERVER
   [Figure: browser screenshot of the document group server page, reading "This is WebServer2 192.168.83.235"; an Internet icon is also shown.]
   Notes
   During the configuration process, make sure that no NAT policy or block policy conflicts with this rule.
   If one server is deleted from the balancing group while communicating, the connections on this server are not disconnected, and the configuration takes effect only after re-connection.
   If the connected server is disconnected while communicating, the client is not connected to another active server unless it re-connects.
   When the host sends ping packets, if the service being accessed is disabled but the host still works, the host is still assigned connections. Since the service is unavailable, the host stays in the state of failing to be connected.

   Chapter 10 Log and Alarm Configuration
   Table of Contents
   Log and Alarm Overview 123
   Configuring Logs and Alarms 124
   Log and Alarm Overview
   To debug, monitor and manage the ZXR10 8900 Series Switch FW service card (FW module) conveniently, ZXR10 8900 Se
5. Here, joining one port (gei_1/2) in link-up state to vlan10 is done to bring the protocol state of vlan 10 up. Only in this case can this L3 interface IP be bound to the FW.

   Configuring Flow Recovery
   This topic describes how to configure FW flow recovery.
      ZXR10(config)#fw
      This enters FW configuration mode; used in configure terminal mode.
      ZXR10(config-fw)#fw template <template id>
      This accesses the fw template node; used in fw configuration mode.
      ZXR10(config-fw-template-1)#flow recovery enable
      This enables the flow recovery function (fw template 1 is taken as the example for configuring flow recovery).
      ZXR10(config-fw-template-1)#flow recovery disable
      This disables the flow recovery function; used in fw template configuration mode.

   Binding Slot Number
   This topic describes how to bind an FW template to a slot number.
   Example
      ZXR10(config)#fw
      This enters FW configuration mode; used in configure terminal mode.
      ZXR10(config-fw)#fw template <template id>
      This accesses the fw template node; used in fw configuration mode.
      ZXR10(config-fw-template-1)#bind <slot number>
      This binds the slot number; used in fw template configuration mode.
      ZXR10(config-fw)#show fw template <template id>
      This shows whether the fw template is successfully configured; used
6.    ZXR10_FW pf rule set default action accept log yes
   2. To add host doc_server, execute the following command:
      ZXR10_FW define host add name doc_server ipaddr 192.168.83.234
   3. To add area_vlan3 (setting gei_2/3 to be in vlan 3; it is the interface connecting to the router), execute the following command:
      ZXR10_FW define area add name area_vlan3 access off attribute gei_2/3
   4. To configure a packet filtering rule forbidding the host whose MAC address is 00:50:04:C3:B0:31 from accessing the document server, execute the following command:
      ZXR10_FW pf rule add smac 00:50:04:C3:B0:31 area area_vlan2 dip doc_server dport 8000 action reject
   Notes
   Make sure that the area attribute and the access control rule are specified so as to forbid this host from accessing the document server.
   Hexadecimal letters in a MAC address shall be upper case. For example, if MAC address 00:50:04:C3:B0:31 is wrongly input as 00:50:04:c3:b0:31, the system prompts an error message.
   If both a source MAC address and a source IP address are input when defining a packet filtering policy, the rule takes effect only when both the MAC address and the IP address of the host match.
   To forbid access to some ports of the destination host, set a range on the destination port if the port IDs are continuous; otherwise a corresponding packet block policy needs to be set for each port.
7. week
   end: This sets the end time in each day. The end time must be later than the start time.
   <string4>: This is one string indicating the end time in the format HH:MM (hour:minute).
   Command Illustration
   When specifying that multiple periods are contained in the week, there is no separator between periods; for example, 12 indicates Monday and Tuesday.
   Note: the 24-hour time format is used for the start time and end time in each day period. For example, 10pm is expressed as 22:00.
   Example
   To add week1 with the period 10am to 18pm each Wednesday, execute the following command:
      ZXR10_FW define schedule add name week1 cyctype weekcyc week 3 start 10:00 end 18:00

   2. Modifying one week cycle
      ZXR10_FW define schedule modify name <string1> type <weekcyc> week <string2> start <string3> end <string4>
      This modifies one week cycle. A week cycle indicates that this object contains multiple discontinuous regular periods, such as 9am to 5pm each Tuesday.
   Parameter: Description
   modify: This modifies one cycle.
   name: This specifies the name of the cycle to be modified.
   <string1>: This is one string indicating the name of the cycle.
   type: This specifies the type of cycle to be modified, weekcyc or yearcyc. The former indicates a week cycle and the latter a year cycle.
   <weekcyc>: This indicates a week c
8. Example
   To add area_gei_1/1 bound with attribute gei_1/1 and permit access to this area, execute the following command:
      ZXR10_FW define area add name area_gei_1/1 access on attribute gei_1/1 comment

   2. Modifying one area
      ZXR10_FW define area modify name <string1> access <on|off> attribute <string2> comment <string3>
      This modifies one area.
   Parameter: Description
   modify: This modifies one area.
   name: This specifies the name of the area to be modified.
   <string1>: This is a string indicating the name of the area.
   access: This specifies the new privilege for accessing one area.
   on: This permits accessing this area.
   off: This denies accessing this area.
   attribute: This specifies the new attribute or attribute group bound to this area.
   <string2>: This is one string, which can be one or more pre-defined attributes or attribute groups. For multiple ones, single quotes are used with a space between each two, such as 'aa bb'. To view and define attributes or attribute groups, perform the operations in the attribute and attribute group section of the network module.
   comment: This sets a new comment.
   Tips: If the value none is input after the parameter comment, it indicates deleting the comment.
   <string3>: This is one string indicating the content of the comment.
   Example
   To modify the privilege for accessing area_
9. Example
   To set the max concurrent administrator number to 16, execute the following command:
      ZXR10_FW system authset maxonlineadm set maxnum 16

   8. Showing the max concurrent administrator number
      ZXR10_FW system authset maxonlineadm show
      This shows the max concurrent administrator number.

   This sets all authentication parameters to default values.

      ZXR10_FW system authset usermaxlogin set maxnum <number>
      This sets the max login number for the same user.
   Parameter: Description
   set maxnum: This sets the max login number for the same user.
   <number>: This is the max number, in the range 1-2000.
   Example
   To set the max login number for the same user to 4, execute the following command:
      ZXR10_FW system authset usermaxlogin set maxnum 4

   11. Showing the max concurrent login user number set on the system
      ZXR10_FW system authset usermaxlogin show
      This shows the max concurrent login user number set on the system.

   Managing System Services
   System services are the management and monitoring services run by the FW device, including the monitoring service, SSH service, Telnet service, HTTP service and NTP service. The monitoring service is used to remotely monitor the running status of this device. The SSH service is used to remotely manage the device through the SSH protocol. The Telnet service
10. This manual describes device MPLS configuration, MPLS L3VPN configuration and MPLS L2VPN configuration.
   This manual describes device IPv6 address configuration, IPv6 neighbor discovery protocol configuration, IPv6 tunnel configuration, IPv6 static routing configuration, RIPng configuration, OSPFv3 configuration, IS-ISv6 configuration and BGP configuration.
   This manual describes device signature symbol configuration, signature entry configuration, policy configuration, subservice configuration, service configuration and DPI template configuration.
   This chapter describes system management configuration, resource management configuration, FW function management, packet filtering and access control rule configuration, NAT configuration, protocol filtering configuration, intrusion prevention configuration, high availability configuration, and log and alarm configuration.
   This manual describes the volume and section corresponding to each command in the ZXR10 8900 series 10G routing switch.
   This manual describes IPv6 related commands in the ZXR10 8900 series 10G routing switch.
   This manual describes RIP, OSPF and IS-IS related commands in the ZXR10 8900 series 10G routing switch.
   ZXR10 8900 Series V2.8.02.C 10G Routing Switch Command Manual (IP Routing Volume II)
   ZXR10 8900 Series V2.8.02.C 10G Routing Switch Command Manual (MPLS Volume)
   ZXR10 8900 Series V2.8.02.C 10G Routing Switch Command Manual (QoS V
11. Deleting one application protocol port binding policy
      ZXR10_FW dpi policy delete id <number>
      This deletes one application protocol port binding policy.
   Parameter: Description
   <number>: This is one number, which is the ID of the policy.
   Command Illustration
   The command policy show can be used to view the ID of a policy.

   4. Clearing all application protocol port binding policies
      ZXR10_FW dpi policy clean
      This clears all application protocol port binding policies.

   5. Showing all application protocol port binding policies
      ZXR10_FW dpi policy show
      This shows all application protocol port binding policies.

   6. Restoring the default application protocol port
      ZXR10_FW dpi policy reset
      This restores the default application protocol port.

   Applying Port Binding Configuration Example
   To bind HTTP packets sent to subnet 192.168.0.0/255.255.0.0 with destination port 8080, execute the following command:
      ZXR10_FW dpi policy add name http net 192.168.0.0 mask 255.255.0.0 protocol tcp port 8080
   To delete the application protocol port binding policy whose ID is 8547, execute the following command:
      ZXR10_FW dpi policy delete id 8547
   To modify the port ID of FTP packets in the port binding policy whose ID is 8182 to 2121, execute the following command:
      ZXR10_FW dpi policy modify id 8182 name ftp
12. Access Control Rule Configuration Example

   Access Control Rule Configuration Example One
   As shown in the network structure diagram of an enterprise, the FW card works in hybrid mode. Interface gei_2/1 belongs to the intranet area_gei_2/1; it is a switch trunk port belonging to both VLAN 0001 and VLAN 0002. The IP address of vlan 0001 is 10.10.10.1 and it is connected to intranet 10.10.10.0/24, where the document team of the R&D department is located. The IP address of vlan 0002 is 10.10.11.1 and it is connected to intranet 10.10.11.0/24, where the project team of the R&D department is located. The IP address of interface Vlan4 is 192.168.100.140 and it belongs to the extranet area_vlan4. The intranet is connected to the extranet through the router connected to FW interface Vlan4. Interface vlan3 belongs to area_vlan3 and is a routed interface with interface IP 172.16.1.1. The data management department is located in area_vlan3 and multiple servers are in this area; the IP address of the web server is 172.16.1.3.
   The user has the following requirements:
   PCs of the intranet document team can access the internet.
   Leaders of the project team can access the internet, and common members of the project team cannot access the internet.
   The extranet and PCs in area_vlan3 cannot access the intranet of the R&D department.
   All PCs in the intranet can access the web server in area_vlan3.
   FIGURE 2 ACCESS CONTROL RULE CONFIGURATION EXAMPLE ONE
   [Figure: network diagram showing Internet, WEB Server 172.16.1.3, Area_Vlan3, Interface vl
13. Like the policy source, the policy destination can contain one or multiple hosts, subnet scopes, and multiple areas or VLANs. The policy service defines the network protocol used by the packet and the specific port ID. Access control defines the FW operation on a packet that meets the policy: permit (let the packet pass through) or deny (drop the packet).
   A packet matches one access policy when the source address of the packet is within the scope defined by the policy source, the destination address of the packet is within the scope defined by the policy destination, the port ID corresponding to the packet is contained in the policy service, and the packet receiving time meets the requirement of the policy access time (if an access time is defined). Only when one packet meets all conditions required by the policy does the policy match the packet.
   It shall be noted that one content filtering policy and one application identity policy shall be defined for each access rule to filter and inspect data at the application layer.
   The FW searches for the access policy matching a packet in the following steps: the ZXR10 8900 Series Switch FW module goes through the access control rule table in the order of the access policies and matches the policies against the packet one by one. Once an access policy is found to match the packet, the FW stops checking and processes the packet (permit or deny) according to the rules defined in the first matched access poli
14. This deletes one server.
   id: This specifies the ID of the server to be deleted.
   <number>: This is one number indicating the ID of the server.
   name: This specifies the name of the server to be deleted.
   <string>: This is one string indicating the name of the server.
   Command Illustration
   A server can be deleted by server name, by server ID, or by both. However, if the server ID and server name are inconsistent, the server name applies. When no parameter is given, the server not quoted by a policy is deleted.

   5. Deleting all servers not quoted by a policy
      ZXR10_FW define server clean
      This deletes all servers not quoted by a policy.

   6. Showing all servers
      ZXR10_FW define server show
      This shows all servers.

   Configuring Load Balancing Group
   This topic describes the configuration commands and examples of a load balancing group. The user can add, modify and delete load balancing groups in the management of FW load balancing groups.
   1. Adding one load balancing group
      ZXR10_FW define virtual_server add name <string1> server <string2> balance <rr|wrr|lc|wlc|sh|dh> backup <number>
      This adds one load balancing group.
   Parameter: Description
   add: This adds one load balancing group.
   name: This sets the name for the load balancing group.
   <string1>: This is one s
15. routing switch.
   This manual describes NAT, Time Range, stack and DEBUG related commands in the ZXR10 8900 series 10G routing switch.
   This manual describes network management related commands in the ZXR10 8900 series 10G routing switch.
   This manual describes MAC, VLAN, SuperVLAN, STP, link aggregation, VBAS, MAC PING and UDLD related commands in the ZXR10 8900 series 10G routing switch.
   This manual describes VOIP and IPTV related commands in the ZXR10 8900 series 10G routing switch.
   This manual describes multicast protocol related commands in the ZXR10 8900 series 10G routing switch.
   ZXR10 8900 Series V2.8.02.C 10G Routing Switch Command Manual (DPI Volume): This manual describes DPI related commands in the ZXR10 8900 series 10G routing switch.
   ZXR10 8900 Series V2.8.02.C 10G Routing Switch Command Manual (FW Volume): This manual describes FW related commands in the ZXR10 8900 series 10G routing switch.
   Commands supported by the ZXR10 8900 series V2.8.02.C 10G routing switch are based on the uniform platform ZXROS V4.8.22.
   ZXR10 8900 Series V2.8.02.C 10G Routing Switch User Manual (FW Volume) contains the following chapters:
   Chapter: Summary
   Chapter 1 FW Overview: This chapter describes the FW functional principle and management mode.
   Chapter 2 System Managemen: This chapter describes basic concept
16. 1. Setting the max authentication failure related parameter
      ZXR10_FW system authset authfail set maxnum <number>
      This sets the max authentication failure related parameter. This can prevent brute-forcing of the password.
   Parameter: Description
   set maxnum: Setting system name
   <number>: This is the max number, in the range 1-10.
   Example
   To set the max authentication failure number to 5, execute the following command:
      ZXR10_FW system authset authfail set maxnum 5

   2. Showing the max authentication failure number
      ZXR10_FW system authset authfail show
      This shows the max authentication failure number.
   Example
   To show the max authentication failure number, execute the following command:
      ZXR10_FW system authset authfail show

   3. Setting the authentication faillock time related parameter
      ZXR10_FW system authset faillock set time <number>
      This sets the authentication faillock time related parameter.
   Parameter: Description
   set time: This sets the authentication faillock time.
   <number>: This is the faillock time in seconds, in the range 60-3600.
   Example
   To set the authentication faillock time, execute the following command:
      ZXR10_FW system authset faillock set time 60

   4. Showing the authentication faillock time
   Chapter 2 Sy
17. 168.100.143 orig service HTTP trans dst 172.16.1.3
   Defining access control rules
   To permit intranet users to access the web server, execute the following command:
      ZXR10_FW firewall policy add action accept srcarea area_gei_2/1 dst 172.16.1.3 service HTTP
   To permit leaders of the project team to access the extranet and deny common members of the project team access to the extranet, execute the following command:
      ZXR10_FW firewall policy add action deny srcvlan vlan 0002 src rd_group dstarea area_vlan4 service HTTP
   Notes
   The actual IP address of the web server must be selected as the destination address, since the FW translates the destination address of the packet first. When an intranet user accesses the web server of the SSN area through http://192.168.100.143, the destination address of the packet is translated to 172.16.1.3 because it matches the NAT destination address translation rule. The next step is the access rule lookup. Only when the destination address is set to the actual IP address of the web server can intranet users access the web server of the SSN area.
   When defining a destination address translation rule, do not select a destination area or destination VLAN.

   Access Control Rule Configuration Example Two
   An enterprise network is divided into three areas: area_vlan1, area_vlan2 and area_vlan3. The three areas are bound with interface vla
18. This page is intentionally blank.

   Chapter 7 Protocol Filtering Configuration
   Table of Contents
   Protocol Filtering Overview 101
   Configuring Application Port Binding 101
   Configuring SIP 104

   Protocol Filtering Overview
   The FW card can provide finer-grained control over the application layer through content filtering. At present the FW card permits the user to bind an application layer protocol to a port.

   Configuring Application Port Binding

   Application Port Binding Overview
   Application port binding on the FW card is used to bind an application layer protocol to a port. When the FW card performs deep content detection on an application layer protocol, it checks these packets and performs the corresponding processing. The system defines part of the bindings between application layer protocols and standard ports by default. If some application layer protocols use non-standard ports, or sub-connections (such as those of FTP) are involved, the user must bind these ports to the application layer protocols, or the FW card will fail to detect and process these packets. For example, there is one FTP server in the intranet SSN area, and non-standard port 2200 is used to provide the FTP service for intranet users. If the application port binding is unavailable, the FW will not process the packets of this connection. Customize ap
19. FW Function Management 57
   ZXR10 FW Function Management Overview 57
   Configuring ZXR10 FW 58
   Accessing and Exiting FW Configuration Mode 58
   Creating and Deleting FW Template Mode 58
   Binding Management IP 59
   Configuring Flow Recovery 60
   Binding Slot Number 60
   Configuring NAT IP 61
   Configuring Session 62
   Binding FW Template for Specific VLAN 62
   Viewing Management Configuration 63
   Configuring VLAN 64
   Packet Filtering and Access Control Rule Configuration 67
   Configuring Packet Filtering Policy 67
   Packet Filtering Overview 67
   Configuring Packet Filtering Policy 67
   Packet Filtering Policy Configuration Example 73
   Packet Filtering Policy Configuration Example One 73
   Packet Filtering Policy Configuration Example Two 75
   Access Control Rule Overview 76
   Configuring Access Control Rule 76
   Access Control Rule Configuration Example 82
   Access Control Rule Configuration Example One 82
   Access Control Rule Configuration Example Two 84
   Configuring IDS Interaction 86
   IDS Interaction Overview 86
   Configuring IDS Interaction 86
   NAT Configuration 89
20. If there is only one port, it is fine to input only the start port ID, or to set the same value for the start and end port IDs. In this example it is set to 8000-8000.
   Inputting a MAC address is not recommended. If a destination MAC address needs to be input, it must be the MAC address of the FW corresponding to the physical interface of this area and cannot be any other value.

   Packet Filtering Policy Configuration Example Two
   Disable port 8000 of 192.168.83.234 for 10.10.10.0/24. That is to say, users of all network segments except 10.10.10.0/24 can access port 800 of 192.168.83.234.
   Configuration Points
   Defining the server host address resource and the subnet address resource.
   Configuring the default packet block policy.
   Configuring the packet block policy.
   1. Configuring the default packet block policy (permit any packets to pass through the FW):
      ZXR10_FW pf rule set default action accept log yes
   2. Adding host address resource doc_server:
      ZXR10_FW define host add name doc_server ipaddr 192.168.83.234
   3. Adding subnet address resource market (the marketing department):
      ZXR10_FW define subnet add name market ipaddr 10.10.10.0 mask 255.255.255.0
   4. Adding a packet block policy forbidding market from accessing port 8000 of the document server:
      ZXR10_FW pf rule add sip market dip doc_server dport 8000 action reject

   Configuring Access Control Rules
21. Network
   VPN: Virtual Private Network
22. a name string.

   4. Showing the name, privilege, comments and other information of managers in the database
      ZXR10_FW system admininfo showdb
      This shows the name, privilege, comments and other information of managers in the database.

   5. Showing the names, login addresses and online time of online managers
      ZXR10_FW system admininfo showonline
      This shows the names, login addresses and online time of online managers.

   System Manager Configuration Example
   1. Adding the device configuration security management manager test:
      admininfo add
      input manager's name: test
      new password:
      re-enter password:
      choose manager's privilege (audit/config): config
      input the comment (y/n): y
      input the comment: config_test_user
      It prompts that the manager is added successfully: Add this manager successfully.
   2. Modifying the information of manager test (set it to security audit manager and modify the password, comments and other information):
      admininfo modify
      input manager's name: test
      modify the name (only super admin can change name) (y/n): y
      input new name: audittest
      new password: 22222222
      re-enter password: 22222222
      modify the privilege (y/n): y
      choose manager's privilege (audit/config): audit
      modify the comment (y/n): y
      input the comment: audit_user
   3. Deleting the manager named test:
      admininfo delete db manager name test
23. If the subnet ID and subnet name are inconsistent, the subnet name applies. When no parameter is given, the subnet not quoted by a policy is deleted.
   Example
   To delete subnet1, execute the following command:
      ZXR10_FW define subnet delete name subnet1

   Deleting all subnets not quoted by a policy
      ZXR10_FW define subnet clean
      This deletes all subnets not quoted by a policy.

   Showing all subnets
      ZXR10_FW define subnet show
      This shows all subnets.

   Setting Address Group
   Different address resources can be combined into one address group to define a policy destination or policy source. With address groups, resource management is more flexible.
   1. Adding one address group
      ZXR10_FW define group_address add name <string1> member <string2>
      This adds one address group.
   Parameter: Description
   add: This adds one address group.
   name: This sets the name for the address group.
   <string1>: This is one string indicating the name of the address group.
   member: This sets a member in the address group.
   <string2>: This is one string indicating an address object, which can be a defined host object, subnet object or address range object.
   Command Illustration
   Before defining one address group, define the address objects. For details, please refer to the related sections.
   Example
   To add groupaddr1 and set the defined h
24. detection and service detection. Host detection verifies whether the server is online through periodic monitoring, which is realized by executing the ping command. Service detection selects the corresponding port according to the services provided by the server and establishes a TCP connection, such as HTTP port 80, FTP port 21, or a customized special port. Generally, service detection reflects the actual working status of the server.

   2. Modifying one server
      ZXR10_FW define server modify name <string1> host <string2> weight <number1> probe <none|host|service> port <number2>
      This modifies one server.
   Parameter: Description
   modify: This modifies one server.

   3. Renaming one server
      ZXR10_FW define server rename oldname <string1> newname <string2>
      This renames one server.
   Parameter: Description
   rename: This renames one server.
   oldname: This specifies the name of the server to be renamed.
   <string1>: This is one string indicating the name of the server (the server name has already been defined).
   newname: This specifies the new name for one server.
   <string2>: This is one string indicating the new name of the server.

   4. Deleting one server
      ZXR10_FW define server delete id <number> name <string>
      This deletes one server.
   Parameter: Description
25. group whose member is to be deleted.
   <string1>: This is one string indicating the name of the address group.
   member: This specifies the member to be deleted from the address group.
   <string2>: This is one string indicating the address name, which can be a host object, subnet object or address range object.
   Example
   To delete member subnet1 from groupaddr1, execute the following command:
      ZXR10_FW define group_address delmember groupname groupaddr1 member subnet1

   6. Deleting all address groups not quoted by a policy
      ZXR10_FW define group_address clean
      This deletes all address groups not quoted by a policy.

   7. Deleting all members of one address group
      ZXR10_FW define group_address cleanmember groupname <string>
      This deletes all members of one address group.
   Parameter: Description
   cleanmember: This deletes all members of one address group.
   groupname: This specifies the name of the address group all of whose members are to be deleted.
   <string>: This is one string indicating the name of the address group.
   Example
   To delete all members of groupaddr1, execute the following command:
      ZXR10_FW define group_address cleanmember groupname groupaddr1

   8. Showing all address groups
      ZXR10_FW define group_address show
      This shows all address groups.
   Confi
in service group.
groupname: This specifies the name of the service group whose service member is to be deleted.
<string1>: This is one string indicating the name of the service group.
member: This specifies the service member to be deleted in the service group. This is a string indicating the name of the service.

Chapter 4 ZXR10 FW Function Management

Table of Contents
ZXR10 FW Function Management Overview ........ 57
Configuring ZXR10 FW ........ 58

ZXR10 FW Function Management Overview

Management of most functions of the ZXR10 8900 Series Switch FW service card is based on VLAN and is implemented on the main board with command lines. The following FW related configurations are available on the main board:
- Entering and exiting from FW configuration mode
- Creating and deleting fw template
- Binding management IP
- Configuring flow recovery
- Binding slot number
- Configuring nat ip
- Configuring session
- Binding FW template for specific vlan
- Viewing management configuration
- Configuring vlan

Configuring ZXR10 FW

Accessing and Exiting FW Configuration Mode

This topic describes how to access and exit FW configuration mode.

1. Entering FW configuration mode (used in configure terminal mode)

ZXR10(config)#fw

This enters FW configuration
indicates denying packets passing through.

2. Modifying intrusion detection rule

ZXR10_FW ips dos rule modify ruleid <string> stattype <synflood|udpflood|icmpflood|portscan|ipsweep> threshold <number> log <yes|no> action <pass|block>

This modifies an intrusion detection rule.

Parameter Description
modify: This modifies an intrusion detection rule.
ruleid: This sets the ID of the rule to be modified. "dos rule show" can be used to view the id of each rule.
<string>: This is an ID string.
stattype: This sets the statistics type of the rule to be modified.
<synflood|udpflood|icmpflood|portscan|ipsweep>: This is the statistics type. The user can choose according to demands.
threshold: This sets the threshold of the statistics type.
<number>: This is one number which is the threshold.

3. Moving intrusion detection rule

ZXR10_FW ips dos rule move id <number1> before <number2>

This moves an intrusion detection rule.

Parameter Description
<number1>: This is one number indicating the ID of the rule to be modified.
<number2>: This is one number indicating the ID of the rule to be referred to.

4. Deleting intrusion detection rule

ZXR10_FW ips dos rule delete id <string>

This deletes an intrusion detection rule.

Parameter Description
This is one string indicati
is used by the user to remotely manage the device through the Telnet protocol. HTTP service is used by the user to remotely manage the device through the HTTP protocol. NTP service is used to synchronize system time through the NTP protocol. In the factory configuration only the HTTP service is in running status; if this system service is disabled, the user will fail to manage the system through the WebUI.

The FW system provides control (enable and disable) over these functions. The detailed commands are as follows:

1. Enabling monitoring service
ZXR10_FW system monitord start
This enables the monitoring service.

2. Disabling monitoring service
ZXR10_FW system monitord stop
This disables the monitoring service.

3. Enabling SSH service
ZXR10_FW system sshd start
This enables the SSH service.

4. Disabling SSH service
ZXR10_FW system sshd stop
This disables the SSH service.

5. Enabling Telnet service
ZXR10_FW system telnetd start
This enables the Telnet service.

6. Disabling Telnet service
ZXR10_FW system telnetd stop
This disables the Telnet service.

7. Enabling HTTP service
ZXR10_FW system httpd start
This enables the HTTP service.

8. Disabling HTTP service
ZXR10_FW system httpd stop
This disables the HTTP service.

Note: When enabling the corresponding system service, the system will enable the corresponding service program in the background to provi
predefined area resource.
log: This specifies whether to record it into log.
l3protocol <all(0)|tcp(6)|udp(17)|icmp(1)|igmp(2)|number>: all: all protocols; tcp: TCP protocol; udp: UDP protocol; icmp: ICMP protocol; igmp: IGMP protocol; number: the user inputs the specified protocol number.
sip: This must be one predefined address.
dip: This must be one predefined address.

Example
To permit the device whose source MAC address is 00:50:04:C3:B0:31 to access the device whose destination ip is doc_server and destination port id is 8000, execute the following command, where doc_server is a predefined address:
ZXR10_FW pf rule add action accept smac 00:50:04:C3:B0:31 dip doc_server dport 8000

Adding one ARP/RARP/IPX packet filtering rule

ZXR10_FW pf rule add action <accept|reject> l2protocol <arp(0806)|rarp(8035)|ipx(8137)> log <yes|no> area <string1> smac <string2> dmac <string3>

This adds one ARP/RARP/IPX packet filtering rule.

Parameter Description
add: This adds one packet filtering rule.
action: This is the action to a packet meeting the rule, permit or deny. accept: permit; reject: deny.
l2protocol: This is the L2 protocol type used by the packet. arp(0806): ARP protocol number; rarp(8035): RARP
of the slot where the FW card locates.
<ipaddress>: It is an IP address in the form of A.B.C.D.

The administrator inputs the FW management URL, such as https://<ipaddress>, in the browser of the management host, and the login interface pops up.

END OF STEPS

Example
The following steps show how to log in to the FW through a browser (https).

1. Binding fw template 1 with slot number
ZXR10(config)#fw
ZXR10(config-fw)#fw template 1
ZXR10(config-fw-template1)#bind slot 2

Configuring IP address for L3 vlan interface
ZXR10(config)#vlan 2
ZXR10(config-vlan2)#exit
ZXR10(config)#int vlan 2
ZXR10(config-if-vlan2)#ip addr 10.2.2.1 255.255.255.0

Accessing FW configuration mode and configuring the IP address of the VLAN interface as the management IP of the managed FW card
ZXR10(config-if-vlan2)#exit
ZXR10(config)#fw
ZXR10(config-fw)#bind mng ip 2 10.2.2.1

Logging in to the FW card through https
https://10.2.2.1

Chapter 2 System Management Configuration

Table of Contents
System Management Overview ........ 9
Querying System Basic Information ........ 10
Querying System Running Information ........ 10
Configuring System Management ........ 11
Configuration Maintenance ........ 21
Configuring System Manager ........ 23

System Management Overview

In system co
or L4 protocol number. This is one number indicating the protocol number.
port: This modifies the start port from which the service is enabled. In case only one port is available, it only needs to set the start port and doesn't need to set the end port.
<string1>: This is one string indicating the contents of the comment.

Command Illustration
Services are classified into default services provided by the system and user customized services. As for default services, the user cannot perform add, delete, modify and some other operations.

Example
To modify the port id of service http8080 from 8000 to 8080 and modify the protocol number to 4, execute the following command:
ZXR10_FW define service modify name http8080 port 8000 port2 8008 protocol 4

3. Renaming customized service

ZXR10_FW define service rename oldname <string1> newname <string2>

This renames one customized service.

Parameter Description
rename: This renames one service.
oldname: This specifies the name of the service to be renamed.
<string1>: This is one string indicating the name of the service; the service name has been defined.
newname: This specifies the new name for one service.
<string2>: This is one string indicating the new name of the service.

Command Illustration
Services are classified into default service
pf rule add action reject l3protocol 6 log no

5. Modifying one IP packet filtering rule

ZXR10_FW pf rule modify id <number1> action <accept|reject> l2protocol <ip(0800)> area <string1> log <yes|no> smac <string2> dmac <string3> l3protocol <all(0)|tcp(6)|udp(17)|icmp(1)|igmp(2)|number> sip <string4> dip <string5> sport <number2> dport <number3> sport_end <number4> dport_end <number5>

This modifies one IP packet filtering rule.

Parameter Description
modify: This modifies one packet filtering rule.
id: This is the rule id.
<number1>: This is one number.
action: This is the action to a packet meeting the rule, permit or deny. accept: permit; reject: deny.
<string1>: This is one string which must be one predefined area resource.
log: This specifies whether to record it into log.
smac: This sets the source mac address.
<string2>: This is one standard mac address string.
dmac: This sets the destination mac address.
<string3>: This is one standard mac address string.
l3protocol <all(0)|tcp(6)|udp(17)|icmp(1)|igmp(2)|number>: This is the L3 protocol type used by the pack
(remaining parameters of this table: <string4>, <string5>, sport <number2>, sport_end <number3>, dport <number4>, dport_end <number5>)
range.
<string3> except <string4> session <number1>

Parameter Description
add: This adds an address range.
name: This sets the name for the address range.
<string1>: This is one string indicating the name of the address range.
ip1: This sets the start IP address for the address range.
<string2>: This is one string indicating an IP address in the format 0.0.0.0.
ip2: This sets the end IP address for the address range.
<string3>: This is one string indicating an IP address in the format 0.0.0.0.
except: This sets the except IP address in the address range.
<string4>: This is one string indicating an IP address in the format 0.0.0.0.
session: This sets the number of sessions.
<number1>: This is one number indicating the number of sessions.

Command Illustration
The value of ip1 mustn't be larger than that of ip2, or an error will be reported. The value of parameter except shall be within the range between Ipaddress1 and Ipaddress2. The default range configuration for the ZXR10 8900 Series Switch FW service card is any (0.0.0.0 to 255.255.255.255). At the same moment, the number of connections of individual addresses within the address range cannot exceed the number of max sessions.

Example
To add address range1 and set the range to 192.16.1.10 to 192.16.2.81, execute the following command:
ZXR10_FW define range
range name, address range id or both. However, in case the address range id and address range name are inconsistent, the address range name shall apply. When no parameter is given, the address range not quoted by policy is deleted.

Example
To delete address range1, execute the following command:
ZXR10_FW define range delete name range1

5. Deleting all address ranges not quoted by policy

ZXR10_FW define range clean

This deletes all address ranges not quoted by policy.

6. Showing all address ranges

ZXR10_FW define range show

This shows all address ranges.

Setting Subnet Resource

1. Adding one subnet

ZXR10_FW define subnet add name <string1> ipaddr <ipaddress> mask <netmask> except <string2> session <number1>

This adds one subnet.

Parameter Description
add: This adds one subnet.
<ipaddress>: This is one string indicating the ip address of the subnet, such as 192.168.8.0.
mask: This sets the subnet mask.
<netmask>: This is one string indicating the subnet mask, such as 255.255.255.0.
except: This sets the except address in the subnet.
<string2>: This is one string indicating the excepted IP address in the format 0.0.0.0.
session: This sets the number of sessions.
<number1>: This is one number indicating the number of sessions.

Command Illustration
At the s
system.

Querying System Running Information

Running information indicates the current CPU, memory and other occupation information of system resources, and the connection information established through the FW.

1. Viewing current running status of device

ZXR10_FW system information

It views the current running status of the device, including memory information, CPU utilization and other information.

2. Showing network connection information

ZXR10_FW system netstat

It shows network connection, routing table and network interface information, and thus the user can learn which network connections are being used currently.

Configuring System Management

Setting System Parameters

The user can set the administrator login parameter and the connection timeout parameter, and view session statistics, in the authset command module. The system parameter specifies the max login failures for the same administrator, the concurrent administrators, and the managing login site. Once the login failure number of an administrator exceeds the threshold, the system will lock the login to prevent illegal users logging into the ZXR10 8900 Series Switch FW service card through brute force of password.

To access the authset command module, execute the following command:
authset

To exit from this command module, execute the following command:
exit
when translating the source address. An attribute resource with no interface binding cannot be used as the address after translation of an address translation policy.

2. Modifying NAT policy

ZXR10_FW nat policy modify id <number1> srcarea <srcarea_name> dstarea <dstarea_name> srcvlan <srcvlan_no> dstvlan <dstvlan_no> orig_src <src_addr1> orig_dst <dst_addr1> orig_sport <sport_id> orig_service <ser_id> trans_src <src_addr2> trans_dst <dst_addr2> trans_service <ser_obj> pat <yes|no> enable <yes|no>

This modifies a NAT policy.

Parameter Description
modify: This modifies the NAT policy.
id: This sets the ID of the policy to be modified.
<number>: This is one number which is the ID of the policy to be modified.

3. Deleting one NAT policy

ZXR10_FW nat policy delete id <number1>

This deletes one NAT policy.

Parameter Description
<number1>: This is one number which is the ID of the NAT policy to be deleted.

4. Showing NAT policy

ZXR10_FW nat policy show

This shows the NAT policy.

5. Clearing NAT policy

ZXR10_FW nat policy clean

This clears the NAT policy.

6. Moving NAT policy

ZXR10_FW nat policy move <number1> <before <number2>|after <number3>>

This moves the NAT policy. The NAT policy conforms to sequ
8.83.235

Configuring addresses on the two web servers for accessing the external network:
ZXR10_FW define host add name WebServer ipaddr 192.168.83.219

3. Configuring load balancing server

Configuring load balancing server S1:
ZXR10_FW define server add name S1 host WebServer1 weight 10 probe host

Configuring load balancing server S2:
ZXR10_FW define server add name S2 host WebServer2 weight 20 probe host

Configuring load balancing group:
ZXR10_FW define virtual server add name VS1 server S1 S2 balance rr

Configuring NAT rule:
ZXR10_FW nat policy add orig_src any orig_dst WebServer orig_service HTTP trans_dst VS1 enable yes

Verifying whether the HTTP connection request can be scheduled by way of polling: open the IE browser and input http://192.168.83.219; it turns to the WebServer1 (IP 192.168.83.234) page, as shown in Figure 8.

[Figure 8, captioned "Backing up and restoring user information": Internet Explorer screenshot showing the page "This is WebServer1 192.168.83.234"]

Due to the setting of the polling mechanism, when refreshing the page it turns to the WebServer2 (IP 192.168.83.235) page, as shown in Figure 9.
AN, area, or one or more address resources and user group resources.

Configuring Access Control Rule

This topic describes the configuration commands and configuration examples of the access control rule.

The user can control L3 to L7 access flexibly and powerfully by setting access control rules. The FW card can identify and match a packet from various aspects such as area, VLAN, address, user, connection and time. What's more, the FW card can perform deep data detection and filtering for various application layer protocols.

Similar to the packet filtering policy, a packet matches access control rules sequentially. However, there is no default rule for access control rules. That is to say, if no Deny All rule is attached to the end of the ACL, the system will process this packet according to the default attribute (permit or deny) of the area where the destination interface locates.

To access this command module, execute the following command:
firewall

To exit from this command module, execute the following command:
end

1. Adding one access control rule

ZXR10_FW firewall policy add action <accept|deny> srcarea <string1> dstarea <string2> srcvlan <string3> dstvlan <string4> src <string5> dst <string6> service <string7> schedule <string8> spor
Access Control Rule Overview

As for the access control rule, the FW card permits or denies the packets matching the access control rule to pass through. After receiving one packet, the FW will match it with all rules in the ACL sequentially. Once a matched rule is found, the FW processes this packet according to the operation (permit or drop) specified by this policy and does not check the default area attribute. In case no matched access rule is available, the FW card will process this packet according to the default attribute (permit or deny) of the area where the destination interface locates.

Before querying the access control rule, the FW card will query whether the packet matches a destination address translation rule. If the packet matches a destination address translation rule, the FW card will translate the destination IP address of the received packet to the preset IP address (the actual IP address in usual cases). Therefore, when setting an access control rule, the system uses the actual source and destination addresses (the destination address after translation) to set the access rule; meanwhile, the system supports setting the access rule according to the destination address before translation. In this case, the packet will match the access control rule according to the destination address before translation.

By defining an access control rule, that is, defining the match rule of a packet, the FW card can identify and match a packet from various aspects such as area, VLAN, address, user, connection and time. The source and destination of an access control rule can be a preset VL
<string6>: This is one string indicating a preset address name. Multiple address names can be input; a space is used between each two address names, and all address names are quoted with single quotes, such as 'aa Il'.
service: This sets the service resource.
<string7>: This is one string. It must be one or more names of system default services or customized services. As for multiple service names, a space is used between each two service names, and all service names are quoted with single quotes, such as 'IP ICMP'. The case of the names must be identical with that defined by the system, such as IP. To view service resources, execute the command ZXR10_FW define service show default.
schedule: This selects the time resource, which must be defined in the previous define module.
<string8>: This is the object name.
sport: This specifies the service resource on the source port.
<string9>: This is one string which must be a system predefined service resource name.
orig_dst: This specifies the destination address before NAT.
<string10>: This is one string which must be a system predefined address name.
permanent: This is an optional switch of long connection. It is disabled by default, which means the connection is a common connection. In usual cases, the FW disconnects a connection if communication on it is idle for a period, for improving security and releasing communication resources. However, the connection for some applications requires long time holding even if t
system root certificate: This restores the root certificate.

Tip
- In WEBUI authentication, the FW system must import a PEM format certificate and the client must import a PKCS#12 format certificate. The client can obtain this certificate from the CA. For details, please contact the enterprise certificate administrator.
- When enabling WEBUI authentication, to log into the WEBUI management interface the administrator must provide the corresponding certificate for passing authentication.
- Before authentication, the administrator needs to import the personal certificate into the Internet browser. For details, please contact the enterprise certificate administrator.

2. Showing WEBUI setting

ZXR10_FW system webui show

This shows the WEBUI setting.

3. Setting WEBUI timeout time

ZXR10_FW system webui idle timeout <number>

This sets the WEBUI timeout time.

Parameter Description
idle timeout: This sets the WEBUI timeout time.
<number>: This is an interval in the range of 30 to 3600, or 0, in seconds. The default value is 180. The number 0 indicates the WEBUI will never time out.

Example
To set the WEBUI timeout time to 60 seconds, execute the following command:
ZXR10_FW system webui idle timeout 60

Configuration Maintenance

Maintenance includes the operations of viewing, uploading and downloading configuration fil
Illustration
- The port connecting with an access link can only belong to one VLAN. It shall be untagged.
- The port connecting with a trunk link can belong to multiple vlans.
- The port connecting with a hybrid link can belong to multiple vlans.

7. Setting native VLAN on Ethernet interface (under L2 interface configuration mode)

ZXR10(config-gei_1/2)#switchport trunk|hybrid native vlan <vlan-id>|<vlan-name>

This sets the native vlan on the Ethernet interface.

Command Illustration
Trunk ports and hybrid ports belong to multiple vlans and need a native vlan to be set. If a native vlan is set on a port, when a frame with no vlan tag is received on the port, it will be forwarded to the ports belonging to this native vlan. The native vlan of trunk ports and hybrid ports is vlan 1 by default.

8. Creating VLAN L3 interface

ZXR10(config)#interface vlan <vlan-id>|<vlan-if>

This creates a VLAN L3 interface.

Command Illustration
To create a VLAN L3 interface, it is necessary to create this VLAN first.

9. Enabling/Disabling VLAN L3 interface (used under if-vlan node)

ZXR10(config-if-vlan10)#shutdown
ZXR10(config-if-vlan10)#no shutdown

This enables/disables the VLAN L3 interface.

Command Illustration
To enable/disable a VLAN L3 interface is just to enable/disable the VLAN L3 forwarding function, and it doesn't influ
N name. One or more VLAN names can be input here. As for multiple VLAN names, a space is used between each two VLAN names, and all VLAN names are quoted with single quotes, such as '1 2'. b. When adding a destination address translation policy, this parameter mustn't be set.
orig_src: This sets the source object of the original packet.
<src_addr1>: This is one string, and the source object name of the original packet is input here. Tips: a. This parameter must be one predefined address object name. b. Multiple address objects can be input at the same time in the format of 'test1 test2'. As for multiple address objects, a space is used between each two, and all address object names are quoted with single quotes.
orig_dst: This sets the destination object of the original packet.
<dst_addr1>: This is one string, and the source object name of the original packet is input here. Tips: a. This parameter must be one predefined address object name. b. Multiple address objects can be input at the same time in the format of 'test1 test2'. As for multiple address objects, a space is used between each two, and all address object names are quoted with single quotes.
orig_sport: This sets the source port of the original packet.
<sport_id>: This is one string, and the source port name of the original packet is input here. Tips: a. This parameter must be one p
Viewing ........ 123
........ 124
Configuring Logs and Alarms ........ 124
Configuring Log ........ 124
Viewing Log ........ 126
Configuring Alarm ........ 127
Glossary

About This Manual

This manual is the ZXR10 8900 Series (V2.8.02.C) 10G Routing Switch User Manual (FW Volume) and applies to the ZXR10 8902/8905/8908/8912 10G routing switch V2.8.02.C.

The ZXR10 8900 series 10G routing switch has the following related manuals:
- ZXR10 8900 Series (V2.8.02.C) 10G Routing Switch Hardware Installation Manual
- ZXR10 8900 Series (V2.8.02.C) 10G Routing Switch Hardware Manual
- ZXR10 8900 Series (V2.8.02.C) 10G Routing Switch User Manual (Basic Configuration Volume)
- ZXR10 8900 Series (V2.8.02.C) 10G Routing Switch User Manual (Ethernet Switching Volume)

The Hardware Installation Manual describes installation preparation, 19-inch cabinet installation, main device installation, power cable connection, cable connection and hardware inspection.

The Hardware Manual describes device functions, technical characteristics and parameters, working principle, hardware structure, MCS, LIC, power module and fan plug-in box.

The Basic Configuration Volume describes using and operation of the device, system management, CLI privilege ranking configuration, port configuration, network protocol configuration, DHCP configuration, VRRP configuration, ACL configuration, QoS configuration, DOT1X configuration, cluster management configuratio
ZXR10 8900 Series 10G Routing Switch User Manual (FW Volume)

ZTE CORPORATION
ZTE Plaza, Keji Road South, Hi-Tech Industrial Park, Nanshan District, Shenzhen, P.R. China 518057
Tel: (86) 755 26771900, 800-9830-9830
Fax: (86) 755 26772236
URL: http://support.zte.com.cn
E-mail: doc@zte.com.cn
Version: 2.8.02.C

LEGAL INFORMATION

Copyright 2006 ZTE CORPORATION.

The contents of this document are protected by copyright laws and international treaties. Any reproduction or distribution of this document or any portion of this document, in any form by any means, without the prior written consent of ZTE CORPORATION is prohibited. Additionally, the contents of this document are protected by contractual confidentiality obligations.

All company, brand and product names are trade or service marks, or registered trade or service marks, of ZTE CORPORATION or of their respective owners.

This document is provided "as is", and all express, implied, or statutory warranties, representations or conditions are disclaimed, including without limitation any implied warranty of merchantability, fitness for a particular purpose, title or non-infringement. ZTE CORPORATION and its licensors shall not be liable for damages resulting from the use of or reliance on the information contained herein.

ZTE CORPORATION or its licensors may have current or pending intellectual property rights or applications covering the subject matter of this doc
a, please refer to the section Configuring Area Resource.
<string2>: It is a string. It must be a preset host, subnet or scope address object.

Command Illustration
Parameters addressid and addressname can be used at the same time. However, it must be confirmed that the objects corresponding to addressid and addressname are unique, or services will fail to be added.

Example
To open the webui service for area_intervlan0, where area_intervlan0 is the preset area object, execute the following command:
ZXR10_FW pf service add name webui area area_intervlan0 addressname any

2. Modifying one open service rule

ZXR10_FW pf service modify id <number> name <gui|snmp|ssh|monitor|ping|telnet|ids|auth|ntp|update|dhcp|rip|l2tp|pptp|webui|ipsecvpn> area <string1> addressid <number1> addressname <string2>

This modifies one open service rule.

Parameter Description
modify: This modifies one open service rule.
id: This specifies the ID for the rule.
<number>: This is a number and must be the id of a rule that has been added.

Command Illustration
The service rule can be modified, except for the id.

Example
To modify the service whose id is 8361 and open the gui service, execute the following command:
ZXR10_FW pf service modify id 8361 name gui area area_intervlan0 addres
acket will be processed according to the default rule. According to the factory configuration, all packets can pass the FW by default.

To access this command module, execute the following command:
pf

To exit from this command module, execute the following command:
exit

After logging into the FW and accessing this command module, the CLI administrator can execute the corresponding component management commands. The following parts introduce all component management commands under this command module. The format of the command in the examples is that used after accessing this command module.

1. Adding one open service rule

ZXR10_FW pf service add name <gui|snmp|ssh|monitor|ping|telnet|ids|auth|ntp|update|dhcp|rip|l2tp|pptp|webui|ipsecvpn|sdmi> area <string1> <addressid <number1>|addressname <string2>>

This adds one open service rule.

Parameter Description
add: This adds one open service rule.
(the descriptions of the individual service names in this table are not recoverable, apart from the last two)
ipsecvpn: It is the service opened when establishing an IPSEC tunnel.
sdmi: It is the security management service. It allows managing the FW device through the military security management platform.
area: It selects the area from which the service request is sent. The area must be selected from existing ones. For configuration and illustration of are
add name range1 ip1 192.16.1.10 ip2 192.16.2.81

2. Modifying address configuration range

ZXR10_FW define range modify name <string1> ip1 <string2> ip2 <string3> except <string4> session <number1>

The user can add, modify and delete address ranges in the address range management of the FW.

Parameter Description
modify: This modifies the address range.
name: This sets the name of the address range to be modified.
<string1>: This is one string indicating the name of the address range.
ip1: This sets the start IP address for the address range.
<string2>: This is one string indicating an IP address in the format 0.0.0.0.
ip2: This sets the end IP address for the address range.
<string3>: This is one string indicating an IP address in the format 0.0.0.0.
except: This sets the except IP address in the address range.
<string4>: This is one string indicating an IP address in the format 0.0.0.0.
session: This sets the number of sessions.
<number1>: This is one number indicating the number of sessions.

Command Illustration
At the same moment, the total number of connections of all hosts within the address range cannot exceed the number of max sessions.

Example
To modify the address range to 192.16.1.11 to 192.16.2.82, with address 192.16.2.1 excepted, after adding range1, execute the following command:
ZXR10_FW def
ail.
<string2>: This is one string indicating the ip address of the mail address, such as abc@topsec.com.cn.
subject: This sets the subject of the alarm mail.
<string3>: This is one string indicating the subject of the mail.

5. Modifying one mail alarm related parameter

ZXR10_FW log alarmnotice modify <mail> name <string1> srvaddr <ipaddress> srvport <number> mailaddr <string2> subject <string3>

This modifies one mail alarm related parameter.

Parameter Description
modify: This modifies one mail alarm.
<mail>: This indicates the alarming mode is mail alarm.

6. Modifying authentication attribute of mail alarming mode

ZXR10_FW log alarmnotice modify <mail> name <string1> auth <on|off> username <string2> password <string3>

This modifies the authentication attribute of the mail alarming mode, if authentication is needed for the server.

Parameter Description
modify: This modifies the mail alarm.
<mail>: This indicates the alarming mode is mail alarm.
name: This specifies the name of the alarm to be modified.
<string1>: This is a string indicating the name of the alarm.
auth: This specifies if the mail server of the mail alarm needs authentication. Off indicates authentication is not needed, and when selecting this option it doesn't need to set the following parameters; o
50. ame moment, the number of connections of individual addresses within the subnet cannot exceed the number of max sessions.

Example: To add subnet1 with subnet address 192.168.10.0 and mask 255.255.255.0, execute the following command:
ZXR10_FW define subnet add name subnet1 ipaddr 192.168.10.0 mask 255.255.255.0

2. Modifying one subnet

ZXR10_FW define subnet modify name <string1> ipaddr <ipaddress> mask <netmask> except <string2> session <number1>
This modifies one subnet.

Parameter Description
<ipaddress>: This is one string indicating ip address of subnet, such as 192.168.8.0.
mask: This sets new subnet mask.
<netmask>: This is one string indicating subnet mask, such as 255.255.255.0.
except: This sets new except address in subnet.
<string2>: This is one string indicating excepted IP address in format of 0.0.0.0.
session: This sets new number of sessions.
<number1>: This is one number indicating the number of sessions.

Command Illustration: At the same moment, the total number of connections of all hosts within the subnet cannot exceed the number of max sessions.

Example: To modify IP address of subnet1 to 192.168.20.0, execute the following command:
ZXR10_FW define subnet modify name subnet1 ipaddr 192.168.20.0

3. Ren
51. aming one subnet

ZXR10_FW define subnet rename oldname <string1> newname <string2>
This renames one subnet.

Parameter Description
rename: This renames one subnet.
oldname: This specifies the name of subnet to be renamed.
<string1>: This is one string indicating the name of subnet; the subnet name has been defined.
newname: This specifies new name for the subnet.
<string2>: This is one string indicating new name of the subnet.

Command Illustration: At the same moment, the total number of connections of all hosts within the subnet cannot exceed the number of max sessions.

Example: To rename subnet1 to subnet2, execute the following command:
ZXR10_FW define subnet rename oldname subnet1 newname subnet2

4. Deleting one subnet

ZXR10_FW define subnet delete id <number1> name <string>
This deletes one subnet.

Parameter Description
delete: This deletes one subnet.
id: This specifies ID of the subnet to be deleted.
<number1>: This is one number indicating ID of subnet.
name: This specifies the name of subnet to be deleted.
<string>: This is one string indicating name of the subnet.

Command Illustration: To delete one subnet, it is available to delete the subnet according to subnet name, subnet id or both. However, in
52. an4 192.168.100.140
[Figure residue: interface vlan3 172.16.1.1; Vlan0001; Document Team 10.10.11.3; Project Team Leading Host 10.10.11.2]

To set IP addresses for interface vlan 0004 and interface vlan 0003, execute the following commands:
ZXR10(config)#vlan 3
ZXR10(config-vlan3)#exit
ZXR10(config)#interface vlan 3
ZXR10(config-if-vlan3)#ip addr 172.16.1.1 255.255.255.0
ZXR10(config-if-vlan3)#exit
ZXR10(config)#vlan 4
ZXR10(config-vlan4)#exit
ZXR10(config)#interface vlan 4
ZXR10(config-if-vlan4)#ip addr 192.168.100.140 255.255.255.0

To set IP addresses for interface vlan 0001 and interface vlan 0002, and join interface gei_2/1 to the two vlans in trunk mode, execute the following commands:
ZXR10(config)#vlan 1
ZXR10(config-vlan1)#exit
ZXR10(config)#interface vlan 1
ZXR10(config-if-vlan1)#ip addr 10.10.10.1 255.255.255.0
ZXR10(config-if-vlan1)#exit
ZXR10(config)#vlan 2
ZXR10(config-vlan2)#exit
ZXR10(config)#interface vlan 2
ZXR10(config-if-vlan2)#ip addr 10.10.11.1 255.255.255.0
ZXR10(config-if-vlan2)#exit
ZXR10(config)#int gei_2/1
ZXR10(config-gei_2/1)#switchport mode trunk
ZXR10(config-gei_2/1)#switchport trunk vlan 1 2
ZXR10(config-gei_2/1)#switchport trunk native vlan 1
53. Parameter Description
<srcarea_nam>: This is one string, and source area resource name is input here. Tips: This parameter value must be a predefined area name. One or more area names can be input here. As for multiple area names, space is used between each two area names and all area names are quoted with single quotes, such as 'area1 area2'.
dstarea: This sets destination area.
<dstarea_nam>: This is one string, and destination area resource name is input here. Tips: a. This parameter value must be a predefined area name. One or more area names can be input here. As for multiple area names, space is used between each two area names and all area names are quoted with single quotes, such as 'area1 area2'. b. When adding destination address translation policy, this parameter mustn't be set.
srcvlan: This sets source VLAN.
<srcvlan_no>: This is one string, and source VLAN name is input here. Tips: This parameter value must be a predefined VLAN name. One or more VLAN names can be input here. As for multiple VLAN names, space is used between each two VLAN names and all VLAN names are quoted with single quotes, such as '1 2'.
dstvlan: This sets destination VLAN.
<dstvlan_no>: This is one string, and destination VLAN name is input here. Tips: a. This parameter value must be a predefined VLA
54. ates the start time in format of HH:MM:SS (hour:minute:second).

Example: To add week1 with period 10am to 18pm each Wednesday, execute the following command:
ZXR10_FW define schedule add name week1 cyctype weekcyc week 3 start 10:00 end 18:00

2. Modifying one year cycle

ZXR10_FW define schedule modify name <string1> type <yearcyc> sdate <string2> stime <string3> edate <string4> etime <string5>
This modifies one year cycle, which indicates it only contains one period, such as from 0am on January 1, 2007 to 23pm on December 12, 2007.

Parameter Description
modify: This modifies one cycle.
name: This specifies the name of cycle to be modified.
<string1>: This is one string indicating name of cycle.
type: This specifies type of cycle, weekcyc or yearcyc. The former indicates week cycle and the latter indicates year cycle.
<yearcyc>: This indicates year cycle, such as from 0am on January 1, 2007 to 23pm on December 12, 2007.
sdate: This sets new start date.
<string2>: This indicates start date in format of YYYY-MM-DD (Year-Month-Day).
stime: This sets new start time.
<string3>: This indicates the start time in format of HH:MM:SS (hour:minute:second).
edate: This sets new end date.
<string4>: This indicates end date in format of YYYY-MM-DD (Year-M
55. by default, ranging from 1 to 65535.
ipsweep: This sets the max ICMP packets sent from the same one IP to multiple hosts within the specified interval. When packet number reaches this threshold, it believes that addresses are scanned for one time.
<number2>: This is one number ranging from 1 to 65535.
synflood: This sets the max connection requests initiated to protected object per second.
<number3>: This is one number, 500 by default, ranging from 1 to 65535.
udpflood: This sets the max UDP packets sent to protected object per second. When the packet number reaches this threshold, UDP flooding attack protection function is enabled.
<number4>: This is one number, 1000 by default, ranging from 1 to 65535.
portscan: This sets the max IP packets containing TCP SYN segment sent from the same one source IP to multiple ports of destination IP within the specified interval. When packet number reaches this threshold, it believes that ports are scanned for one time.
<number5>: This is one number ranging from 1 to 65535.
When attack event occurs, it sets whether to record it into log.
<yes|no>: yes: Record the event into log. no: Don't record the event into log.
action: It sets whether to permit packets to pass through.
<pass|block>: pass: It indicates permitting packets to pass through. block: It
56. ce vlan2

Configuration Points
Defining area resource
Specifying actual address of WEB server
Specifying WEB server access address
Specifying actual port of WEB server
Defining NAT policy

To set E1 and E0 areas, execute the following commands:
ZXR10_FW define area add name E1 access on attribute interface vlan2
ZXR10_FW define area add name E0 access off attribute interface vlan1

To specify actual address of WEB server, execute the following command:
ZXR10_FW define host add name WEB_server ipaddr 172.16.1.2

To specify WEB server access address, execute the following command:
ZXR10_FW define host add name MAP_IP ipaddr 202.99.27.199

To define service port, execute the following command:
ZXR10_FW define service add name Web_port protocol 6 port 8080
Tips: 6 here is the TCP protocol number.

To define NAT rule, execute the following command:
ZXR10_FW nat policy add srcarea E1 orig_dst MAP_IP orig_service http trans_dst WEB_server trans_service Web_port

Notes: When public user accesses web server, the default port used is port 80, while the port on which web server provides services is port 8080. Therefore destination address NAT is necessary. When defining destination address NAT, note not to define destination AREA and destination VLAN.
57. collect policies related to this packet that is entering Receiving and Processing flow.

2. Receiving and Processing
ZXR10 8900 Series Switch FW module invokes related functional modules and conducts initial processing on received packets. The following functional modules are invoked:
- IDS Module: used to perform intrusion detection on packets. If the received packet matches an IDS rule, it is regarded illegal and dropped.
- IP/MAC binding module: If IP address and MAC address data contained in the header of a received packet break rules in the IP/MAC binding table, the packet will be dropped.

3. Rule Matching
At this step, FW matches the packet passing through the receiving and processing step with a series of rules. The following modules are invoked:
- PF module: PF module not only conducts L2/L3 protocol filtering on the packet but also checks if the packet belongs to a service that can pass through.
- Address translation module: Address translation policy gives the processing method of a received packet. ZXR10 8900 Series Switch FW module supports four address translation policies:
  Forwarding directly: FW doesn't process the packet and the packet is forwarded directly. This is the default address translation policy of ZXR10 8900 Series Switch FW.
  Translating source address: FW transla
58. communication process, if one server is deleted from the load balancing group, connections on this server will not be disconnected, and only after re-establishment of connection can the configuration of the load balancing group take effect. If a connected server gets disconnected during communication, the client will not be connected to another server in the load balancing group unless re-establishing connection.
When load balancing mode is set to weight balance algorithm, the total number of connections is assigned according to weight value. Here weight value is not priority.
dh and sh algorithms proceed HASH query according to IP address. Only when source IP and destination IP are dispersed can connections be allocated to different servers evenly.
Load balancing server can be defined before defining load balancing group. For details, please refer to section Configuring High Availability.

2. Modifying one load balancing group

ZXR10_FW define virtual_server modify name <string1> server <string2> balance <rr|wrr|lc|wlc|sh|dh> backup <number>
This modifies one load balancing group.

Parameter Description
modify: This modifies one load balancing group.

3. Renaming load balancing group

ZXR10_FW define virtual_server rename oldname <string1> newname <strin
59. corresponding alarm message according to rule.

Configuring Logs and Alarms

Configuring Log
This topic describes how to configure log.
To access this command module, execute the following command:
log
To exit from this command module, execute the following command:
end

1. Setting log server

ZXR10_FW log log set ipaddr <ipaddress> port <string> logtype <syslog|welf> trans <enable|disable>
This sets log server.

Parameter Description
<string>: This is one string indicating port id in format of tcp 80 or udp 80.
logtype: This sets log transmission format, syslog or welf.
<syslog|welf>: This is log transmission format, syslog by default.
trans: This sets whether to transmit log.
<enable|disable>: enable indicates transmitting log and disable indicates not transmitting log.

Command Illustration: Generated log data needs to be managed by a log server. The log server can be any reachable network node, such as a PC. This command can set IP address, port id, transmission format and other information of the log server. By default, the IP address of the log server is 192.168.1.253, protocol and port id is udp 514, log transmission format is syslog, and log is not transmitted.

2. Setting log level

ZXR10_FW log log level_set <number>
This sets the levels at which logs are transmit
60. cy. If no access policy is found to match this packet, FW will process this packet according to the default access control properties on the packet sending interface. If the packet is forbidden to be forwarded, it will be dropped; if the packet is permitted to be forwarded, check if this policy defines DPI policy or application identity policy. If application identity policy is defined in the policy, check to see if any protocol of the application identity policy is used in the application layer of the packet. If the corresponding protocol is used, process this packet according to operations defined by this application identity policy.

Working Modes
ZXR10 8900 Series Switch FW protects VLAN interfaces and supports two working modes: routing mode and hybrid mode.

Route Mode
In this mode, ZXR10 8900 Series Switch FW protects L3 packets on the protected vlan interface. All L3 packets passing through the protected vlan are forwarded only after being processed by FW module. This mode is applicable to the case when each area is in a separate network segment. Similar to a router, an IP address shall be configured for each vlan interface in routing mode or hybrid mode according to area planning.

Hybrid Mode
In this mode, ZXR10 8900 Series Switch FW protects L2 and L3 packets on the protected vlan interface. Both internal L2 packets of the protected vlan and L3 packets across vlans are forwarded only after being processed by FW module.
61. d by policy is deleted.

5. Deleting all load balancing groups not quoted by policy
ZXR10_FW define virtual_server clean
This deletes all load balancing groups not quoted by policy.

6. Showing all load balancing groups
ZXR10_FW define virtual_server show
This shows all load balancing groups.

High Availability Configuration Example
The access traffic of the web service provided by an enterprise is large, so this enterprise decides to use two WEB servers to provide web services: WebServer1 (IP 192.168.83.234) and WebServer2 (IP 192.168.83.235). Both WEB servers use the rr algorithm to provide service outwards through the vlan1 interface (IP 192.168.83.240) of FW. FW is connected with the extranet through a vlan interface with IP 10.1.1.1. HTTP connection requests coming from the extranet are scheduled by way of polling.

FIGURE 7 HIGH AVAILABILITY CONFIGURATION EXAMPLE
[Figure residue: eth0 192.168.83.240/24; eth1 10.1.1.1/24; WEB Server 192.168.83.234/24; WEB Server 192.168.83.235/24; Client 10.1.1.2/24]

Configuration Points
Adding routes on two web servers
Configuring IP and GW on client host
Configuring FW interface attributes, IP addresses of areas that eth0 and eth1 belong to
Configur
62. dded access control rule
<accept|deny> srcarea <string1> dstarea <string2> srcvlan <string3> dstvlan <string4> src <string5> dst <string6> service <string7> schedule <string8> sport <string9> orig_dst <string10> dpi <string11> ar <string12> av <on|off> permanent <on|off> log <on|off> enable <yes|no>

Parameter Description
This is the ID of the defined access control rule.
<string1>: This is one string. It must be one or more preset area name(s). As for multiple area names, space is used between each two area names and all area names are quoted with single quotes, such as 'area_gei_5/1'.
<string2>: This is one string. It must be one or more preset area name(s). As for multiple area names, space is used between each two area names and all area names are quoted with single quotes, such as 'area_gei_5/1'.
srcvlan: This sets source VLAN.
<string3>: This is one string indicating preset vlan number.
dstvlan: This sets destination VLAN.
<string4>: This is one string indicating preset vlan number.
<string5>: This is one string indicating preset address name. Multiple address names can be input; space is used between each two address names, and all address names are quoted with sing
63. de this service. However, to use this service to manage or monitor the device, it is necessary to add the corresponding service control rule in Open Service. For details, please refer to section 2.4.3. Only HTTP service is enabled by default in factory configuration.

Setting Open Services
To improve device security, the system provides granular access control over management communication between user and device and among devices. User can strengthen access control by setting open service control rules. System can manage the following service types:

Service: Description
GUI: It allows user to configure and manage the device through ZXR10 8900 Series Switch FW service card manager.
WEBUI: It allows user to configure and manage the device through WEBUI.
MONITOR: It allows user to monitor running status of the device according to preset conditions.
PING: It allows user to ping physical interface addresses of the device, vlan virtual interface addresses and sub-interface addresses.
IDS: It allows interaction with IDS device.
Telnet: It allows user to configure and manage the device through TELNET.

User can implement simple L2/L3 access control by setting packet filtering policy. When receiving one packet, the device will match it with packet filtering policy sequentially. In case no policy is matched, the p
64. describes how to bind and delete management IP on FW.

1. ZXR10(config)#interface vlan <vlanid>
   This enters L3 interface configuration mode.
2. ZXR10(config-if-vlan10)#bind fw template 127
   This binds fw for L3 interface (take L3 interface in vlan10 for example here).
3. ZXR10(config-if-vlan10)#ip address <ipaddress> <ipmask>
   This configures IP address for L3 interface (take L3 interface in vlan10 for example here).
4. ZXR10(config)#fw
   This enters FW configuration mode.
5. ZXR10(config-fw)#bind mng ip <ipaddress>
   This binds management IP with FW.
   ZXR10(config-fw)#show mng ip
   This shows management IP of FW.
   ZXR10(config-fw)#no bind mng ip
   This deletes management IP of FW.

Example: To bind one management IP with FW, execute the following commands (assume that FW is in slot 8 currently):
ZXR10(config)#fw
ZXR10(config-fw)#fw template 7
ZXR10(config-fw-template-7)#bind slot 8
ZXR10(config)#interface vlan 10
ZXR10(config-if-vlan10)#bind fw template 7
ZXR10(config-if-vlan10)#ip addr 1.2.3.4 255.255.255.0
ZXR10(config-if-vlan10)#exit
ZXR10(config)#inter gei_1/2
ZXR10(config-gei_1/2)#switchport mode access
ZXR10(config-gei_1/2)#switchport access vlan 10
ZXR10(config-gei_1/2)#exit
ZXR10(config)#fw
ZXR10(config-fw)#bind mng ip 8 1.2.3.4
65. destination address NAT, intranet addresses can be hidden. Internet users need to access the WEB server through FW. To hide the actual address 172.16.1.2 of the server in the intranet, public network address 202.99.27.201 is used as the user access address. The network topology diagram is shown in Figure 5.

FIGURE 5 IP ADDRESS BASED DESTINATION ADDRESS TRANSLATION CONFIGURATION EXAMPLE
[Figure residue: Public Network IP Address of WEB Server 202.99.27.201; WEB Server 172.16.1.2; vlan1; vlan2 202.99.27.199; Intranet Area area_vlan1; Extranet Area area_vlan2]

Configuration Points
Defining area resource area_vlan2
Defining address resource corresponding to actual address of WEB server
Defining public network virtual IP address resource of WEB server
Defining NAT policy

1. To set area_vlan2 and define its default attribute to permit access, execute the following command:
ZXR10_FW define area add name area_vlan2 access on attribute interface vlan2
To set area_vlan1 and define its default attribute to deny access, execute the following command:
ZXR10_FW define area add name area_vlan1 access off attribute interface vlan1
2. To specify the actual address of the WEB server, execute the following command:
ZXR10_FW define host add name WEB_server ipaddr 172.16.1.2
3. To specify the public network address of the WEB serv
66. e One 82
Figure 3 Access Control Rule Configuration Example Two 84
Figure 4 Address Based Source Address Translation Configuration Example 96
Figure 5 IP Address Based Destination Address Translation Configuration Example 97
Figure 6 Port Based Destination Address Translation Configuration Example 98
Figure 7 High Availability Configuration Example 119
Figure 8 Backing up and Restoring User Information 121
Figure 9 Document Group Server 122

Tables

Glossary
DPI: Deep Packet Inspection
FTP: File Transfer Protocol
IP: Internet Protocol
IPv4: Internet Protocol version 4
MAC: Media Access Control
NAT: Network Address Translation
NTP: Network Time Protocol
PPTP: PPP Tunnel Protocol
RSTP: Rapid Spanning Tree Protocol
TELNET: Telecommunication Network Protocol
TFTP: Trivial File Transfer Protocol
VLAN: Virtual Local Area
67. e Management Modes 5

Function Overview
ZXR10 8900 Series Switch firewall (FW) service card has the following basic functions:
- Supporting routing and hybrid working modes
- Supporting object-based network access control, including access control of network layer, application layer and other layers
- Supporting NAT of multiple types of network addresses
- Supporting a built-in IDS module, which prevents Land, Smurf, TearDrop, Ping of Death, SynFlood, Targa3, IpSweep and a few other attacks, and has the function of anti-DOS/DDOS
- Supporting hot standby between FW cards
- Supporting FTP, TFTP, MMS, H.323, SIP, RSTP, SQLNET and PPTP protocols

ZXR10 8900 Series Switch FW has the following features:
- Adopting a multi-interface design, providing sound network application scalability
- Providing high efficiency application layer access control. Proxy technology is used for traditional access control on the application layer; the system needs to switch among core layer, application layer and processes frequently, which consumes a lot of system resources and influences performance.
- Showing flexible management. The network administrator can access FW through various interfaces for central management.
- Using a brand new management port protocol. With this protocol, multiple management services can be enabled on the unique service interface of FW.
- Providing high performanc
68. e content filtering. The core layer of the system provides restore and security inspection to transmitted packets and implements a high performance content security protocol.

Data Flow Processing Flow

Working Principle
Generally, FW is used to control access from external untrusted networks, such as the Internet, to internal trusted networks, and mutual accesses among different areas within the internal network. The OS platform used by ZXR10 8900 Series Switch FW is the latest modular OS. By uploading a series of functional modules such as FW module and packet filtering module, FW module can control data flow traversing the security device by setting access rules, packet filtering rules, interface properties and other mechanisms.
ZXR10 8900 Series Switch FW takes the following basic steps to process packets:

1. Fast Forwarding
As for a newly received legal packet, FW firstly searches the session table to see if this packet belongs to one existing session. If so, FW processes this packet according to the corresponding session in the session table. When the packet matches the access rule and address translation policy of this session, FW processes this packet fast. If the session is unavailable, it indicates this packet belongs to one new session; FW will retrieve the routing table, address translation policy table and access rule table to
69. e of system, restoring factory configuration, restarting device and other functions.

Configuration Maintenance Overview
System configuration indicates configurations and files of all functional modules in the entire FW, including FW configuration (including network basic configuration), VPN configuration and AV configuration. There are two types of system configuration:
The first one is saving configuration, which is the configuration file manually saved on the device by user for the last time. When system reboots, this configuration file will be loaded automatically.
The second one is running configuration, which shows configuration when device is in running state. This configuration can be dynamically adjusted according to operations of users. But when system reboots, this configuration will get invalid.
Running configuration is different from saving configuration. For example, after one user adds some rules, these rules join running configuration and get valid immediately, but will not join saving configuration until user saves them, and these rules will get invalid after system reboots.
System provides maintenance to configuration of FW device. User can perform some maintenance operations on device, such as viewing saving configuration and running configuration, uploading and downloading system configuration file (that is, import and export all system configurations for one time) and others. System also enables admi
70. ee

Defining host and subnet address resources (gei_2/8 is the interface for the switch connecting with the extranet, and it belongs to vlan4):
ZXR10_FW define host add name 172.16.1.3 ipaddr 172.16.1.3
ZXR10_FW define host add name 192.168.100.143 ipaddr 192.168.10
ZXR10_FW define host add name doc_server ipaddr 10.10.10.3
ZXR10_FW define subnet add name rd_group ipaddr 10.10.11.0 mask 255.255.255.0 except 10.10.11.2 10.10.11.3
ZXR10_FW define area add name area_vlan4 access on attribute ge

Setting default privilege for accessing area resource (conduct the following configurations on the main board to join interface gei_2/3 to vlan3 in access mode):
ZXR10(config-gei_2/3)#switchport mode access
ZXR10(config-gei_2/3)#switchport access vlan 3
ZXR10_FW define area add name gei_2/1 access off attribute gei_2/1 (deny accessing intranet)
ZXR10_FW define area add name area_vlan3 access off attribute gei_2/3 (deny accessing intranet)

Defining NAT rule
Execute the following command to define a source address translation rule so that intranet users can access the extranet:
ZXR10_FW nat policy add dstarea area_vlan4 trans_src 192.168.100.140
Execute the following command to define a destination address translation rule so that both the intranet document team and extranet users can access the web server of area_vlan3 (192.168.100.143 is a bogus extranet address used to access the web server):
ZXR10_FW nat policy add orig_dst 192
71. ence member ports of this vlan. When all Ethernet interfaces under a VLAN interface are down, the vlan interface is down by default; when one or more Ethernet interfaces under one VLAN interface are up, the vlan interface is up. A VLAN interface in up state can be disabled by force.

Chapter 5 Packet Filtering and Access Control Rule Configuration

Table of Contents
Configuring Packet Filtering Policy 67
Configuring Access Control Rules 76
Configuring IDS Interaction 86

Configuring Packet Filtering Policy

Packet Filtering Overview
By reading this chapter, user can learn how to control data flow by setting packet block policy and access control rule. This chapter has the following content:
- Packet block policy: This part describes how to control L2/L3 access by setting packet block policy.
- Access control rule: This part describes how to control L3 to L7 access by setting access control rule.

Configuring Packet Filtering Policy
This topic describes basic configuration commands and configuration examples of packet filtering policy. Commands introduced in this topic are used to set packet filtering rules, control access of received IP packets, filter illegal packets or those denied by rules, and provide protection in the case that GW system doesn't join GW module.
To access this command module, execute the follow
72. ential matching principle. By moving a NAT policy, the matching priority of the policy can be changed.

Parameter Description
<number1>: This is one number, which is the ID of the NAT policy to be moved.
<number2>: This is one number, which is the ID of policy. Tips: Values of parameters before and after cannot be set at the same time.
<number3>: This is one number, which is the ID of policy. Tips: Values of parameters before and after cannot be set at the same time.

NAT Configuration Example

Address Based Source Address Translation Configuration Example
Source address translation policy of the FW card supports address resource based source address translation. Address resources that can be translated include single host, host address range and subnet. Source address can be translated in the following modes: fixedly mapping the source address to a legal IP address, and dynamically mapping the source address to a network segment or to an address within an address range.
gei_3/1 in interface vlan1 on the FW card is connected to the intranet; the intranet address is 192.168.100.0/24 and the ip address of interface vlan1 is 192.168.100.1. gei_3/2 in interface vlan2 is connected to the extranet, and the ip address of interface vlan2 is 202.10.10.1. The available range of public network IP addresses for the enterprise is 202.10.10.1 to 202.10.10.10. Networ
73. er, execute the following command:
ZXR10_FW define host add name MAP_IP ipaddr 202.99.27.201
4. To set the NAT rule, execute the following command:
ZXR10_FW nat policy add srcarea area_vlan2 orig_dst MAP_IP orig_service http trans_dst WEB_server

Notes: When defining destination address translation policy, don't specify destination area and destination vlan. If the web server uses a customized port id rather than standard port 80 to provide web service, the actual applied server port shall be filled in "destination port is translated to" when defining the address translation policy. For the detailed configuration method, please refer to the Port Based Destination NAT configuration example.

Port Based Destination Address Translation Configuration Example
Basic requirement: With destination address NAT, intranet addresses can be hidden. However, sometimes the server's open application port is different from the port used for user access (the default port in usual cases). In this case, NAT is necessary.
Public Internet users access the web server through public address 202.99.27.199 port 80. The actual address of the web server is 172.16.1.2, and the port providing HTTP service is 8080. The network topology diagram is as shown in Figure 6.

FIGURE 6 PORT BASED DESTINATION ADDRESS TRANSLATION CONFIGURATION EXAMPLE
[Figure residue: Public Network IP Address of Web Server 202.99.27.201; WEB Server 172.16.1.2; Intranet Area interface vlan; Extranet Area interfa
Chapter 9 Load Balancing Configuration

Table of Contents
Load Balancing Overview 113
Configuring Load Balancing 113
High Availability Configuration Example 119

Load Balancing Overview

High availability covers some advanced characteristics of the ZXR10 8900 Series Switch FW, including server load balancing. This chapter mainly describes how to define load balancing servers and load balancing groups, and how to meet user access demands through load balancing. The ZXR10 8900 Series Switch FW can implement load balancing of user servers according to user demands and a flexible load balancing algorithm, so as to guarantee the effectiveness of user-critical services. The ZXR10 8900 Series Switch FW supports session-based load balancing. There are three steps to realize the ZXR10 8900 Series Switch FW server load balancing function:
1. Defining server
2. Defining load balancing group
3. Defining NAT rule

Configuring Load Balancing

Configuring Load Balancing Server

This topic describes the configuration commands and examples of load balancing. User can add, modify and delete servers in FW server management. Server here is mainly
et. all: all protocols. tcp: TCP protocol (TCP protocol number). udp: UDP protocol (UDP protocol number). icmp: ICMP protocol (ICMP protocol number). igmp: IGMP protocol (IGMP protocol number). number: the user inputs a specified protocol number.
This specifies the source address, which must be one predefined address. This is one string.
This specifies the destination address, which must be one predefined address. This is one string.
This is one number. This is one number.
Command Illustration: For the execution of policies, the first-match principle is adopted, so the policy sequence determines the policy logic. After adding one policy, the policy execution sequence can be changed by moving the position of the packet filtering rule.
Example: To modify the rule whose ID is 8054 and permit the device whose source MAC address is 00:50:04:C3:B0:31 to access the device whose destination IP is doc_server and destination port ID is 8080, execute the following command:
ZXR10_FW pf rule modify id 8054 action reject smac 00:50:04:C3:B0:31 dip doc_server dport 8080
6. Clearing all packet filtering rules
ZXR10_FW pf rule clean
This clears all packet filtering rules.
7. Deleting one packet filtering rule
ZXR10_FW pf rule delete id <number>
This deletes one packet filtering rule.
Parameter Description
8. Viewing packet filterin
eth0 to off, execute the following command:
ZXR10_FW define area modify name area_gei_1/1 access off
3. Deleting one area
ZXR10_FW define area delete name <string>
This deletes one area.
Parameter Description
Example: To delete area_gei_1/1, execute the following command:
ZXR10_FW define area delete name area_gei_1/1
4. Renaming one area
ZXR10_FW define area rename oldname <string1> newname <string2>
This renames one area.
Parameter Description
rename: This renames one area.
oldname: This specifies the name of the area to be renamed. <string1>: This is a string indicating the name of the area.
newname: This specifies the new area name. <string2>: This is a string indicating the new name of the area.
Example: To rename area_gei_1/1 to firstarea, execute the following command:
ZXR10_FW define area rename oldname area_gei_1/1 newname firstarea
5. Showing all areas in the FW system
ZXR10_FW define area show
This shows all areas in the FW system.
6. Cleaning all unreferenced areas in the FW system
ZXR10_FW define area clean
This cleans all areas in the FW system that are not referenced by any policy.

Configuring Time Resource

Time Resource Configuration Overview

User can set time resources for use in access control rules, which provides control with finer granularity. For example, the user hopes to set di
fferent access control rules for working time and non-working time. With time resources this problem can be solved easily. According to how often they apply, time resources can be classified into multi-time time resources and one-time time resources, where multi-time indicates a cycle time, such as a specific day in a week or a period in one day, and one-time indicates one certain period.

Configuring Week Cycle
1. Adding one week cycle
ZXR10_FW define schedule add name <string1> cyctype <weekcyc> week <string2> start <string3> end <string4>
This adds one week cycle. A week cycle indicates that this object contains multiple discontinuous regular periods, such as 9am to 5pm each Tuesday.
Parameter Description
add: This adds one week cycle.
name: This sets the name of the cycle. <string1>: This is one string indicating the name of the cycle.
cyctype: This sets the type of cycle, weekcyc or yearcyc. The former indicates a week cycle and the latter indicates a year cycle.
<weekcyc>: This indicates a week cycle, such as 8am to 8pm each Monday.
week: This sets which days are included in one week. <string2>: This is one string indicating the days in the week in the format 1234567, where the digits indicate Monday to Sunday.
start: This sets the start time in one day. <string3>: This is one string indicating the start time in the format HH:MM (hour:minute)
fines the area access privilege by being bound with the property resource.
Time resource: It includes time resources for multi cycles and a single cycle.
Service resource: It includes system-defined service resources, customized service resources and service groups.

Note: The following special characters cannot be present in a resource name: (character list not recoverable from the extraction). It is available to rename resources on the FW service card.

Configuring Address Resource

Address Resource Configuration Overview

The configuration of address resources is the most basic one in resource management. Different address resources need to be selected when defining access control rules and address translation rules. User can set address resources of various types, such as host resource, address range resource and subnet resource, and can define an address group to add all these address resources into one address group. For the setting of the various address resources and address groups, please refer to the following sections. User can manage and configure the above resources in the DEFINE module of the ZXR10 8900 Series Switch FW card. To access this command module, execute t
fw
ZXR10 config fw fw template 1
ZXR10 config fw template 1 bind slot 7
ZXR10 config interface vlan 10
ZXR10 config if vlan10 bind fw template 1

Viewing Management Configuration

This topic shows how to view the binding among the management IP, the fw template and the vlan.
ZXR10 config show mng ip
This shows the FW management IP; used in any mode of the main board.
ZXR10 config show fw template <template id>
This shows the fw template information; used in any mode of the main board.
ZXR10 config show fw vlan binding
This shows the binding between the vlan and the fw template; used in any mode of the main board.

Configuring VLAN

This topic describes how to configure a VLAN.
1. Creating a specific VLAN and entering VLAN configuration mode under the configure terminal node
ZXR10 config vlan <vlan id>
When this vlan does not exist, a vlan whose ID is <vlan id> is generated and this enters the corresponding vlan configuration mode. When this vlan exists, this enters the corresponding vlan configuration mode.
2. Deleting a specific VLAN under the configure terminal node
This deletes the vlan whose ID is <vlan id>.
Parameter Description
The vlan ID range is from id1 to idN, and the max value of a vlan ID is 4094.
4. Deleting VLANs in batch under the configure terminal node
ZXR10 config no vlan
fw template 1 exit
ZXR10 config fw exit
2. Configuring an IP address for the L3 vlan interface:
ZXR10 config vlan 2
ZXR10 config vlan2 exit
ZXR10 config int vlan 2
ZXR10 config if vlan2 ip addr 10.2.2.1 255.255.255.0
3. Accessing the FW configuration node and configuring the IP address of the VLAN interface as the management IP of the managed FW card:
ZXR10 config if vlan2 exit
ZXR10 config fw
ZXR10 config fw bind mng ip 2 10.2.2.1
4. Accessing the FW card through terminal telnet:
telnet 10.2.2.1

Logging into FW through Browser

It is available to log into the FW module through a browser and conduct some basic settings on the FW.
1. Selecting the interface of the vlan where the administrator is located and configuring an IP address for the interface:
ZXR10 config if vlan1 ip address <ipaddress> <maskaddress>
It configures the IP address and subnet mask for L3 vlan 1.
Parameter Description
<ipaddress>: It is an IP address in the form A.B.C.D.
<maskaddress>: It is a subnet mask such as 255.255.255.0.
2. Accessing the FW configuration node and configuring the IP address of the VLAN interface as the management IP of the managed FW card:
ZXR10 config fw bind mng ip <slot number> <ipaddress>
The IP address of the vlan 1 interface is the management IP of the FW card in slot 2.
Parameter Description
<slot number>: It is the number
g content.
Host intrusion prevention: This topic describes how the FW card provides the host intrusion prevention function to all hosts.
Anti-DoS: This topic describes how the FW card detects and defends against common attacks.

Configuring Intrusion Detection Rule

This topic describes the commands for configuring intrusion detection rules. To access this command module, execute the following command:
ZXR10_FW ips
To exit from this command module, execute the following command:
ZXR10_FW end
1. Adding a protected object (host, subnet, range or address group)
ZXR10_FW ips dos rule add protect_name <string> icmpflood <number1> ipsweep <number2> synflood <number3> udpflood <number4> portscan <number5> log <yes|no> action <pass|block>
This adds the host or subnet to be protected from intrusion.
Parameter Description
add: This adds one host or subnet to be protected.
protect_name: This sets the address resource to be protected, which can be a host, subnet or address range. This address resource shall be added in the define command module in advance. <string>: This is one string indicating the name of the address resource.
icmpflood: This sets the max reply requests initiated to the protected object per second. <number1>: This is one number indicating the max connection requests 500
g rule
ZXR10_FW pf rule show
This shows the packet filtering rules.

Packet Filtering Policy Configuration Example

Packet Filtering Policy Configuration Example One

The most basic function of an FW is to control communication between the intranet and the extranet. A MAC address can be used to directly identify one network device. The FW card supports filtering packets based on MAC address: only packets whose MAC address meets the packet filtering rule can pass through the FW and access the destination area. With MAC address filtering technology, only authorized MAC addresses can access network resources. In Figure 1, only the host in Area_Vlan2 whose MAC address is 00:50:04:C3:B0:31 is forbidden to access document server port 8000 at 192.168.83.234/24 in Area_Vlan1.

Figure 1: Packet Filtering Configuration Example (figure labels: Internet; 202.10.10.2/24; Document Server, interface vlan3, 192.168.83.234/24; 202.10.10.10/24; interface vlan1 192.168.83.240/24; FW Card Rack; interface vlan; Area_Vlan1; 10.10.10.1/24; Host MAC 00:50:04:C3:B0:31; Area_Vlan2)

Configuration Points
Specifying the server host address
Configuring the default packet block policy
Configuring the packet block policy
1. To configure the default packet block policy (permit any packets to pass through the FW), execute the following command:
g2>
Parameter Description
rename: This renames a load balancing group.
oldname: This specifies the name of the load balancing group to be renamed. <string1>: This is one string indicating the name of the load balancing group; the name of the load balancing group has been defined.
newname: This specifies the new name for the load balancing group. <string2>: This is one string indicating the new name of the load balancing group.
4. Deleting one load balancing group
ZXR10_FW define virtual_server delete id <number> name <string>
This deletes one load balancing group.
Parameter Description
delete: This deletes one load balancing group.
id: This specifies the ID of the load balancing group to be deleted. <number>: This is one number indicating the ID of the load balancing group.
name: This specifies the name of the load balancing group to be deleted. <string>: This is one string indicating the name of the load balancing group.
Command Illustration: To delete a load balancing group, it is available to delete the load balancing group according to the load balancing group name, the load balancing group ID, or both. However, in case the load balancing group ID and the load balancing group name are inconsistent, the load balancing group name shall apply. When no parameter is given, the load balancing groups not quote
guring Area Resource

Area Resource Configuration Overview

In FW area management, user can add, modify and delete an area and set the default access privilege for the area as well. Access control rules use areas for access control. In case no access control rule matches, the ZXR10 8900 Series Switch FW service card will process the packet according to the privilege of the area where the destination interface is located.

Configuring Area Resource
1. Adding one area
ZXR10_FW define area add name <string1> access <on|off> attribute <string2> comment <string3>
This adds one area.
Parameter Description
attribute: This specifies the new attribute or attribute group bound to this area. <string2>: This is one string which can be one or more predefined attributes or attribute groups. For multiple ones, single quotes are used and a space is placed between each two, such as 'aa bb'. To view and define attributes or attribute groups, perform the operations in attribute and attribute group of the network module.
comment: This sets the comment. <string3>: This is one string indicating the content of the comment.
Command Illustration: An area is a section of network space with similar security attributes. For the ZXR10 8900 Series Switch FW service card, access control rules use areas to control access
he connection is in idle state. For example, an ATM must hold its connection with the server at the processing center, so this connection must be set as a long connection. on|off: on indicates a long connection and off indicates a common connection.
log: This is optional. It sets whether to record the event in the log or prompt an alarm message when a packet matches the rule. It does not record the event into the log by default. on|off|alarm: on records the event into the log, off does not record the event into the log, alarm generates an alarm.
enable: This is optional, indicating whether to enable this rule. The rule is enabled by default. yes|no: enable / not enable.
before: This is optional. When adding one new access control rule, it is available to select before which rule to place this new rule. The new rule is placed at the end by default. <number>: This is one number indicating the ID of an added access control rule.
Example: To add one access control rule, execute the following command, where area_eth0, any, http_policy and msn are defined objects:
ZXR10_FW firewall policy add action accept srcarea area_eth0 src any service IP dpi http_policy ar msn av on log on enable yes
2. Modifying one added access control rule
ZXR10_FW firewall policy modify id <number1> action a
he following command:
define
To exit this command module, execute the following command:
end

Setting Host Resource
1. Adding host
ZXR10_FW define host add name <string1> ipaddr <string2> macaddr <macaddress> session <number1> halfsession <number2>
This adds one host.
Parameter Description
add: This adds one host.
name: This sets the name of the host. <string1>: This is one string indicating the name of the host.
ipaddr: This sets the IP address of the host. <string2>: This is one string indicating an IP address in the format 192.168.1.6. It can be one or more IP addresses. For multiple IP addresses, a space is placed between each two IP addresses and all addresses are quoted with single quotes.
macaddr: This sets the MAC address for the host. <macaddress>: This is one string indicating a MAC address in the format 00:00:00:00:00:00.
session: This sets the number of sessions. <number1>: This is one number indicating the number of sessions on the host.
halfsession: This sets the number of half sessions. <number2>: This is one number indicating the number of half sessions on the host.
Command Illustration: Multiple IP addresses (no more than 120) can be added to a single host resource to control a multi-IP user.
Example: To add host1 and set its IP addresses to 192.168.1.8 and 192.168.1.9, its MAC address to 1a:21:7b:13:11:5c, the number of sessions on the host to 1 and the number of half sessions to 1, execute the foll
idsserver delete id <number>
This deletes one IDS interaction rule.
4. Clearing all IDS interaction servers
ZXR10_FW pf idsserver clean
This clears all IDS interaction servers.
5. Showing all IDS interaction rules
ZXR10_FW pf idsserver show
This shows all IDS interaction rules.

Chapter 6 NAT Configuration

Table of Contents
NAT Overview 89
Address Translation Advantages
Address Translation Rule
Configuring NAT 90
NAT Configuration Example 96

NAT Overview

The rapid development of the Internet speeds up the shortage of IP addresses. To alleviate this problem, RFC 1631 and related RFCs define Network Address Translation (NAT), which is widely used. NAT maps an IP address from one address domain to another address domain. One typical application is to map the private IP addresses defined in RFC 1918 to public IP addresses available on the Internet. RFC 1918 gives the following definitions of private IP addresses. The Internet Assigned Numbers Authority (IANA) reserves three IP address blocks for private networks:
10.0.0.0 to 10.255.255.255 (Class A address segment)
172.16.0.0 to 172.31.255.255 (Class B address segment)
192.168.0.0 to 192.168.255.255 (Class C address segment)
When
in any mode of the main board. To bind slot 8 with fw template 10 (the FW is inserted in slot 8), execute the following commands:
ZXR10 config fw
ZXR10 config fw fw template 10
ZXR10 config fw template 10 bind slot 8

Configuring NAT IP

This topic describes how to specify the IP POOL for the NAT function.
ZXR10 config fw
This enters FW configuration mode; used in configure terminal mode.
ZXR10 config fw fw template <template id>
This accesses the fw template node; used in fw configuration mode.
ZXR10 config fw template 1 nat dip <ipaddr> <ipmask>
This specifies one destination NAT address; used in fw template configuration mode.
ZXR10 config fw template 1 nat sip <ipaddr> <ipmask>
This specifies one source NAT address; used in fw template configuration mode.
Note: The masks used in steps 3 and 4 are inverse masks.
Example: To specify the source NAT address of fw template 7 as 10.1.1.1 255.255.0.0, execute the following commands:
ZXR10 config fw
ZXR10 config fw fw template 7
ZXR10 config fw template 7 bind slot 8
ZXR10 config fw template 7 nat sip 10.1.1.1 0.0.255.255

Configuring Session

This topic describes how to log in to the FW with the session command.
ZXR10 config fw
This enters FW configuration mode; used
ine range modify name range1 ip1 192.16.1.11 ip2 192.16.2.82 except 192.16.2.1
3. Renaming address range
ZXR10_FW define range rename oldname <string1> newname <string2>
This renames an address range.
Parameter Description
rename: This renames an address range.
oldname: This specifies the name of the address range to be renamed. <string1>: This is one string indicating the name of the address range; the name of the address range has been defined.
newname: This specifies the new name for the address range. <string2>: This is one string indicating the new name of the address range.
Example: To rename address range1 to range2, execute the following command:
ZXR10_FW define range rename oldname range1 newname range2
4. Deleting one address range
ZXR10_FW define range delete id <number1> name <string>
This deletes one address range.
Parameter Description
delete: This deletes an address range.
id: This specifies the ID of the address range to be deleted. <number1>: This is one number indicating the ID of the address range.
name: This specifies the name of the address range to be deleted. <string>: This is one string indicating the name of the address range.
Command Illustration: To delete an address range, it is available to delete the address range according to the address
<string12>: This specifies the object name, which must be defined in the content filtering module; only one name can be selected.
av: This sets whether to enable the anti-virus module. enable|disable: disable by default.
This is the switch of the long connection.
log: It sets whether to record the event in the log or prompt an alarm message when a packet matches the rule. It does not record the event into the log by default. on|off|alarm: on records the event into the log, off does not record the event into the log, alarm generates an alarm.
enable: This specifies whether to enable this rule.
Example: To modify one access control rule, execute the following command, where area_eth0, any, http_policy and msn are defined objects:
ZXR10_FW firewall policy modify id 8048 action accept srcarea area_eth0 src any service IP dpi http_policy ar msn av on log on enable yes
3. Deleting one access control rule
ZXR10_FW firewall policy delete id <number1>
This deletes one access control rule.
Parameter Description
<number1>: This is one string which must be the ID of a predefined rule.
Example: To delete the access control rule whose ID is 8503, execute the following command:
ZXR10_FW firewall policy delete id 8503
ing command:
pf
To exit from this command module, execute the following command:
exit
1. Setting the default packet filtering rule
ZXR10_FW pf rule set default action <accept|reject> log <yes|no>
This sets the default packet filtering rule.
Parameter Description
action: accept|reject: permit / deny.
log: This specifies whether to record it in the log.
Example: To set the default packet filtering rule to permit and not record it into the log, execute the following command:
ZXR10_FW pf rule set default action accept log no
2. Adding one IP packet filtering rule
ZXR10_FW pf rule add action <accept|reject> l2protocol <ip|0800> area <string1> log <yes|no> smac <string2> dmac <string3> l3protocol <all|0|tcp|6|udp|17|icmp|1|igmp|2|number> sip <string4> dip <string5> sport <number1> dport <number2> sport_end <number3> dport_end <number4>
This adds one IP packet filtering rule.
Parameter Description
add: This adds one packet filtering rule.
action: This is the action for packets meeting the rule, permit or deny. accept|reject: permit / deny.
l2protocol: This is the L2 protocol type used by the packet. ip|0800: IP protocol / IP protocol number.
area: This specifies the area resource.
ing host
Configuring the load balancing server
Configuring the load balancing group
Configuring the NAT rule
Verifying whether HTTP connection requests can be scheduled by polling
1. Configuring the FW interface attributes, the areas, and the IP addresses that vlan1 and vlan2 belong to: set gei_3/1 to be in vlan1, connected with the two web servers; set gei_3/2 to be in vlan2, connected with the client.
Configuration on the main board:
ZXR10 config vlan 2
ZXR10 config vlan2 exit
ZXR10 config interface vlan 2
ZXR10 config if vlan2 ip address 10.1.1.1 255.255.255.0
ZXR10 config vlan 1
ZXR10 config vlan1 exit
ZXR10 config interface vlan 1
ZXR10 config if vlan1 ip address 192.168.83.240 255.255.255.0
ZXR10 config if vlan1 exit
ZXR10 config interface gei_3/1
ZXR10 config gei_3/1 switchport access vlan 1
ZXR10 config gei_3/1 exit
ZXR10 config interface gei_3/2
ZXR10 config gei_3/2 switchport access vlan 2
ZXR10 config gei_3/1 exit
Configuration on the FW:
ZXR10_FW define area add name area_vlan1 attribute gei_3/1 access on
ZXR10_FW define area add name area_vlan2 attribute gei_3/2 access on
2. Configuring hosts
Configuring host WebServer1:
ZXR10_FW define host add name doc_server ipaddr 192.168.83.234
Configuring host WebServer2:
ZXR10_FW define host add name WebServer2 ipaddr 192.16
ipx|8137: IPX protocol / IPX protocol number.
log: This specifies whether to record it into the log. yes|no.
area: This specifies the area resource. <string1>: This is one string which must be one predefined area resource.
Example: To add an ARP accept rule to area_eth1 and record it into the log, execute the following command:
ZXR10_FW pf rule add action accept l2protocol arp smac 00:50:04:C3:B0:31
4. Adding one L3 protocol packet filtering rule
ZXR10_FW pf rule add action <accept|reject> l3protocol <number> log <yes|no> area <string1> smac <string2> dmac <string3>
This adds one L3 protocol packet filtering rule.
Parameter Description
add: This adds one packet filtering rule.
action: This is the action for packets meeting the rule, permit or deny. accept|reject: permit / deny.
log: This specifies whether to record it into the log.
area: This specifies the area resource. <string1>: This is one string which must be one predefined area resource.
smac: This sets the source MAC address. <string2>: This is one standard MAC address string.
dmac: This sets the destination MAC address. <string3>: This is one standard MAC address string.
Command Illustration: To reject TCP packets passing through and not record it into the log, execute the following command:
ZXR10_FW
irewall policy add action accept srcarea area_vlan1 dstarea area_vlan2 dst 192.168.100.140 service Web_port enable yes
Notes: To permit only some services to be accessed and deny the others, set the default access privilege of the destination area to deny. The system matches the default access privilege of the area automatically after matching the access control rules.

Configuring IDS Interaction

IDS Interaction Overview

It is hard for one security system to integrate all security technologies. Including IDS, anti-virus, content auditing and other functions in the FW is convenient for management and maintenance, but it can also degrade FW performance, so it is inappropriate for an FW which acts as the gateway to integrate all security technologies. Firstly, an IDS needs to update its attack pattern database periodically, but it is obviously inappropriate to upgrade critical devices such as the FW that often. Secondly, if the FW contains too many additional functions, its running speed will be slower, which creates a bottleneck for communication between the intranet and the extranet. Taking the convenience and maintainability of user operation and security system construction into account, the FW is designed as the core platform of the security system and provides a sound assistant system for IDS, anti-virus and other security products to interact with the products of other main IDS and anti-virus
k topology diagram is shown in Figure 4.

Figure 4: Address Based Source Address Translation Configuration Example (figure labels: Intranet 192.168.100.0/24; interface vlan2 202.10.10.1; interface vlan1 192.168.100.1; Internet)

1. To define the area resources, execute the following commands:
ZXR10_FW define area add name area_vlan2 access on attribute gei_3/2
ZXR10_FW define area add name area_vlan1 access off attribute gei_3/1
2. To define the intranet address resource, execute the following command:
ZXR10_FW define subnet add name subnet1 ipaddr 192.168.100.0 mask 255.255.255.0
3. To define the NAT address pool resource, execute the following command:
ZXR10_FW define range add name nat_pool ip1 202.10.10.1 ip2 202.10.10.10
4. To define the NAT rule, dynamically selecting one translated IP address from the address pool, execute the following command:
ZXR10_FW nat policy add srcarea area_vlan1 orig_src subnet1 dstarea area_vlan2 trans_src nat_pool enable yes
Notes: The system also translates the source port by default when translating the source address.

IP Address Based Destination Address Translation Configuration Example

Due to frequent Internet attacks on government and enterprise networks, it is necessary to protect the critical intranet devices which provide access services to the extranet. With
le quotes, such as 'aa'.
dst: This is the destination address. <string6>: This is one string indicating a preset address name. Multiple address names can be input; a space is placed between each two address names and all address names are quoted with single quotes, such as 'aa'.
service: This sets the service resource. <string7>: This is one string. It must be one or more names of system default services or customized services. For multiple service names, a space is placed between each two service names and all service names are quoted with single quotes, such as 'IP ICMP'. The case of the names must be identical with that defined by the system, such as IP. To view the service resources, execute the command ZXR10_FW define service show default.
schedule: This selects the time resource, which must be defined in the define module beforehand. <string8>: This is the object name.
This specifies the service resource on the source port. <string9>: This is one string which must be a system predefined service resource name.
orig_dst: This specifies the destination address before NAT. <string10>: This is one string which must be a system predefined address name.
dpi: This sets the DPI object. <string11>: This specifies the object name, which must be defined in the DPI module beforehand; only one name can be selected.
ar: This sets the application identification policy.
list <vlanid range>
This deletes in batch all VLANs whose IDs belong to the range <vlanid range>.
5. Setting the VLAN link type on an Ethernet interface under L2 interface configuration mode
ZXR10 config gei_1/2 switchport mode access|trunk|hybrid
This sets the VLAN link type on the Ethernet interface.
Command Illustration: There are three VLAN link types for an Ethernet interface: Access mode, Trunk mode and Hybrid mode. Access mode is used by default.
The port connecting with an access link can only belong to one VLAN. It shall be untagged and is usually used to connect a PC.
The port connecting with a trunk link can belong to multiple VLANs. It must be tagged, can receive and send packets of multiple VLANs, and is usually used to connect two switches.
The port connecting with a hybrid link can belong to multiple VLANs. User can customize whether to attach a tag to the packets on the port. It can receive and send packets of multiple VLANs and can be used to connect two switches or to connect a PC.
6. Adding an Ethernet interface into a designated VLAN under L2 interface configuration mode
ZXR10 config gei_1/2 switchport access|trunk|hybrid vlan <vlan id>|<vlan range>
This adds one Ethernet interface into the designated VLAN.
Command
98. lo vie 90
NAT Configuration Example 96
Address Based Source Address Translation Configuration Example 96
IP Address Based Destination Address Translation Configuration Example 97
Port Based Destination Address Translation Configuration Example 98
Protocol Filtering Configuration 101
Protocol Filtering Overview 101
Configuring Application Port Binding 101
Application Port Binding Overview 101
Configuring Application Port Binding 102
Applying Port Binding Configuration Example 104
Configuring SIP Service 104
Intrusion Prevention Configuration 107
Intrusion Prevention Overview 107
Configuring Intrusion Detection Rule 107
Load Balancing Configuration 113
Load Balancing Overview 113
Configuring Load Balancing 113
Configuring Load Balancing Server 113
Configuring Load Balancing Group 116
High Availability Configuration Example 119
Log and Alarm Configuration 123
Log and Alarm Overview 123
Log Configuration 123
99. ly adding alarming mode and setting alarm triggered security event.
To add alarm mail1 sent to user@zte.com.cn, and set IP address of SMTP mail server to 192.168.1.2, port id to 25 and subject of alarm mail to Mail Alarm, execute the following command:
ZXR10_FW log alarmnotice add mail name mail1 srvaddr 192.168.1.2 srvport 25 mailaddr user@zte.com.cn subject Mail alarm
To change the destination mail address to user2@zte.com.cn, execute the following command:
ZXR10_FW log alarmnotice modify mail name mail1 srvaddr 192.168.1.2 srvport 25 mailaddr user2@zte.com.cn subject Mail alarm
To change mail1 to need authentication, and set authentication username/password to user/user, execute the following command:
ZXR10_FW log alarmnotice modify mail name mail1 auth on username user password user
To delete mail1, execute the following command:
ZXR10_FW log alarmnotice delete name mail1
To show the alarm named mail1, execute the following command:
ZXR10_FW log alarmnotice show name mail1
To show all alarms, execute the following command:
ZXR10_FW log alarmnotice show
Figures
Figure 1 Packet Filtering Configuration Example 74
Figure 2 Access Control Rule Configuration Exampl
100. manufacturers.
Configuring IDS Interaction
This topic describes how to configure IDS interaction.
1. Adding one IDS interaction rule:
ZXR10_FW pf idsserver add ip <ipaddress> key <string>: This adds one IDS interaction rule.
Parameter Description
add: This adds one IDS interaction rule.
ip: This sets IP address for the interacted IDS. <ipaddress>: This is an IP address string in format of A.B.C.D.
key: This sets shared key with IDS device. <string>: This is one string.
Command Illustration
- Shared key of FW and interacted IDS device is set manually. If the key of the interacted IDS device is generated automatically by system, user needs to give the configuration on the WEBUI interface. For details, please refer to Logging into FW through Browser.
- To realize interaction between FW and IDS device, IDS service needs to be enabled in the corresponding area. For details, please refer to section Setting Open Services.
2. Modifying one IDS interaction rule:
ZXR10_FW pf idsserver modify id <number> <ip <ipaddress> key <string>>: This modifies one IDS interaction rule.
Parameter Description
modify: This modifies one IDS interaction rule.
id: This specifies ID of the rule to be modified.
interaction device.
3. Deleting one IDS interaction rule:
ZXR10_FW pf
101. mmand module, user can configure basic information of ZXR10 8900 Series Switch FW service card, such as version display, clock management, NTP setting, system configuration management, system upgrade, authentication, user management, administrator information, FW reboot command and so on.
To access this command module, execute the following command: system
To exit from this command module, execute the following command: exit
After logging into FW and accessing this command module, the CLI administrator can execute the corresponding component management commands. The following parts introduce all component management commands under this command module. The format of command in the examples is that used after accessing this command module.
Querying System Basic Information
User can query model, software platform version, system current configuration and other information of the current device in the system command module.
1. Displaying system version information:
ZXR10_FW system version: It displays system version information.
2. Displaying running statuses of system services:
ZXR10_FW system service status: It displays running statuses of system services, such as server state and whether the various services are enabled.
3. Displaying system name:
ZXR10_FW system config show_running: It displays current configuration of
102. mode.
2. Exiting FW configuration mode (used in FW configuration mode):
ZXR10(config-fw)#exit: This exits FW configuration mode.
Creating and Deleting FW Template Mode
This topic describes how to create and delete fw template on main board.
1. Creating fw template (used in fw configuration mode):
ZXR10(config-fw)#fw template <template id>: This creates fw template.
Parameter Description
<template id>: This is the id of fw template, in range of 1 to 127.
2. Showing configuration state of fw template (used in any mode of main board):
ZXR10(config-fw)#show fw template <template id>: This shows whether the configuration is successful.
3. Deleting fw template configuration node (used in fw configuration mode):
ZXR10(config-fw)#no fw template <template id>: This deletes the specific fw template.
Note: FW template id ranges from 1 to 127.
Example
1. To add one template whose id is 100, or to enter the configuration mode of an existing fw template whose id is 100, execute the following command:
ZXR10(config-fw)#fw template 100
2. To delete one template whose id is 100, or to enter the configuration mode of an existing fw template whose id is 100, execute the following command:
ZXR10(config-fw)#no fw template 100
Binding Management IP
This topic
103. n, network management configuration, IPTV configuration, VBAS configuration, CPU guard, URPF configuration and UDLD configuration.
This manual describes device VLAN configuration, STP configuration, MAC address table operation, link aggregation configuration, IGMP Snooping configuration, link protection configuration, Ethernet OAM configuration and EPON OLT configuration.
ZXR10 8900 Series V2.8.02.C 10G Routing Switch User Manual (IPv4 Routing Volume)
ZXR10 8900 Series V2.8.02.C 10G Routing Switch User Manual (MPLS Volume)
ZXR10 8900 Series V2.8.02.C 10G Routing Switch User Manual (IPv6 Volume)
ZXR10 8900 Series V2.8.02.C 10G Routing Switch User Manual (DPI Volume)
ZXR10 8900 Series V2.8.02.C 10G Routing Switch User Manual (FW Volume)
ZXR10 8900 Series V2.8.02.C 10G Routing Switch Command Manual (Command Index Volume)
ZXR10 8900 Series V2.8.02.C 10G Routing Switch Command Manual (IPv6 Volume)
ZXR10 8900 Series V2.8.02.C 10G Routing Switch Command Manual (IP Routing Volume I)
This manual describes static routing configuration, RIP configuration, OSPF configuration, IS-IS configuration, BGP configuration, load balancing configuration, multicast routing configuration, IP LDP FRR configuration and BFD configuration.
104. n indicates authentication is needed.
username: This is the username for authentication on mail server. <string2>: This is a string indicating username.
password: This is the password for authentication on mail server. This is a string indicating user password.
7. Deleting one alarm:
ZXR10_FW log alarmnotice delete name <string> id <number>: This deletes one alarm.
Parameter Description
<string>: This is a string indicating the name of alarm. <number>: This is one number indicating ID.
Command Illustration: Only when the alarm event of this alarm rule is null can the alarm be deleted; otherwise an error is prompted.
8. Clearing all alarm rules:
ZXR10_FW log alarmnotice clean: This clears all alarm rules. Only when the alarm events contained in alarm rules are null can alarm rules be deleted.
9. Showing alarms:
ZXR10_FW log alarmnotice show name <string> id <number>: This shows alarms.
Parameter Description
<string>: This is a string indicating the name of alarm. <number>: This is one number indicating ID.
10. Testing one alarm:
ZXR10_FW log alarmnotice test: This tests one alarm.
Command Illustration: For convenience of user, FW provides an alarm testing function. User can verify effectiveness of alarm rules through testing after successful
105. n1, interface vlan2 and interface vlan3 respectively. Area_vlan1 is connected with extranet and permits user access. Area_vlan2 and area_vlan3 forbid user access. Server locates in area_vlan2 and its IP address is 192.168.100.140. Intranet locates in area_vlan3 and its network address is 192.168.101.0. Enterprise network structure is shown in Figure 3.
User has the following requirements:
- Intranet user can access TELNET, SSH, FTP and Web_port services on server, where Web_port service is customized and its port id is 8080; intranet user cannot access other servers and services on Interface vlan 2.
- Extranet user can access TCP service on the Interface vlan 2 server, and the port id is 8080.
FIGURE 3 ACCESS CONTROL RULE CONFIGURATION EXAMPLE TWO
[Figure: Server 192.168.100.140; Interface vlan1, Interface vlan2, Interface vlan3; Intranet 192.168.101.0]
Configuration Points
- Defining area and address resources
- Defining service resource
- Defining service group resource
Defining area resource
To join gei_2/1, gei_2/2 and gei_2/3 to vlan1, vlan2 and vlan3 respectively in access mode, execute the following commands:
ZXR10_FW define area add name area_vlan1 access on attribute gei_2/1
ZXR10_FW define area add name area_vlan2 access on attribute gei_2/2
ZXR10_FW define a
106. nce 21
Configuration Maintenance Overview 21
Configuring Maintenance 22
Restoring System 2
Rebooting System 23
Configuring System Manager 23
System Manager Overview 23
Configuring System Manager 23
System Manager Configuration Example 26
Resource Management Configuration 27
Resource Management Overview 27
Configuring Address Resource 28
Address Resource Configuration Overview 28
Setting Host Resource 28
Setting Address Range Resource 31
Setting Subnet Resource 35
Setting Address Group 38
Configuring Area Resource 41
Area Resource Configuration Overview 41
Configuring Area Resource 41
Configuring Time Resource 44
Time Resource Configuration Overview 44
Configuring Week Cycle 45
Configuring Year Cycle 47
Configuring Service Resource 50
Service Resource Configuration Overview 50
Showing System Defined Services 50
Configuring Customized Services 51
Configuring Server Group 54
ZXR10
107. net 0.0.0.0 mask 0.0.0.0 protocol tcp port 2121
Configuring SIP Service
Session Initiation Protocol (SIP) is a signaling control protocol of the application layer. This topic describes how to configure SIP service.
Commands in this module are used for application protocol filtering related configurations.
To access this command module, execute the following command:
ZXR10_FW dpi
To exit from this command module, execute the following command:
ZXR10_FW end
1. Enabling SIP service:
ZXR10_FW dpi sip start: This enables SIP service.
2. Disabling SIP service:
ZXR10_FW dpi sip stop: This disables SIP service.
Chapter 8 Intrusion Prevention Configuration
Table of Contents
Intrusion Prevention Overview 107
Configuring Intrusion Detection Rule 107
Intrusion Prevention Overview
FW card has a built-in IDS module used to detect and defend against common attacks and scanning. Meanwhile, FW card can realize interaction with intrusion detection systems of other manufacturers and provides comprehensive and efficient security protection to the user intranet. This chapter has the followin
108. ng id of one rule.
5. Clearing all intrusion detection rules:
ZXR10_FW ips dos rule clean: This clears all intrusion detection rules.
6. Viewing all intrusion detection rules:
ZXR10_FW ips dos rule show: This views all intrusion detection rules.
7. Clearing all configurations of intrusion detection: This clears all configurations of intrusion detection.
ZXR10_FW ips dos config show: This shows all configurations of intrusion detection.
9. Adding prevention type:
abntype <land|smurf|pingofdeath|winnuke|tcp_sscan|ip_option|teardrop|targa3|ipspoof> stattype <synflood|udpflood|icmpflood|portscan|ipsweep>
Parameter Description
add: This adds prevention type.
abntype: This sets the type of abnormal packet attack. <land|smurf|pingofdeath|winnuke|tcp_sscan|ip_option|teardrop|targa3|ipspoof>: These are the various types of abnormal packet attack.
10. Deleting prevention type:
ZXR10_FW ips dos type delete abntype <land|smurf|pingofdeath|winnuke|tcp_sscan|ip_option|teardrop|targa3|ipspoof> stattype <synflood|udpflood|icmpflood|portscan|ipsweep>: This deletes prevention type.
Parameter Description
delete: This deletes prevention type.
ZXR10 8900 Series Us
109. ng one cycle:
ZXR10_FW define schedule delete id <number1> name <string>: This deletes one cycle.
Parameter Description
id: This specifies ID of the cycle to be deleted.
Example: To delete week1, execute the following command:
ZXR10_FW define schedule delete name week1
Configuring Year Cycle
1. Adding one year cycle:
ZXR10_FW define schedule add name <string1> cyctype <yearcyc> sdate <string2> stime <string3> edate <string4> etime <string5>: This adds one year cycle, which indicates that it only contains one period, such as from 0am on January 1, 2007 to 23pm on December 12, 2007.
Parameter Description
add: This adds one year cycle.
cyctype: This sets type of cycle, weekcyc or yearcyc. The former indicates week cycle and the latter indicates year cycle. <yearcyc>: This indicates year cycle, such as from 0am on January 1, 2007 to 23pm on December 12, 2007.
sdate: This sets start date. <string2>: This indicates start date in format of YYYY-MM-DD (Year-Month-Day).
stime: This sets start time. <string3>: This indicates the start time in format of HH:MM:SS (hour:minute:second).
edate: This sets end date. <string4>: This indicates end date in format of YYYY-MM-DD (Year-Month-Day).
etime: This sets end time. <string5>: This indic
110. nistrator to restore configuration to factory settings for user reconfiguration.
Configuring Maintenance
1. Validating the configurations newly added to system:
ZXR10_FW system config implement: This validates the configurations newly added to system.
Command Illustration: With this command, the newly added configurations become valid on the device immediately, but they are not saved. To apply these configurations the next time FW is enabled, it is necessary to save the configurations.
2. Loading default configuration:
ZXR10_FW system config show: This shows configurations previously saved on system.
5. Showing current system configuration:
ZXR10_FW system config show_running: This shows current system configuration.
Chapter 2 System Management Configuration
Restoring System
ZXR10_FW system service default: This restores the default (factory) system service configuration. All services are enabled by default.
Rebooting System
Configuring System Manager
System Manager Overview
ZXR10 8900 Series Switch FW service card supports management and operation by multiple users. Different users have different operation privileges. Root system manager has global privilege over configuration information and can view configuration inf
111. o transmit level 5 and below logs to the log server, execute the following command:
ZXR10_FW log log level_set 5
2. To set the log server on each FW where log analysis is needed, execute the following command:
ZXR10_FW log log set ipaddr 10.200.2.111 port udp 514 logtype syslog trans enable
To set log level, execute the following command:
ZXR10_FW log log level_set 6
To set log type to System Running, execute the following command:
ZXR10_FW log log type set add system
To show System Running log, execute the following command:
ZXR10_FW log log show keyword system from 1 to 10
Viewing Log
This topic describes how to view log.
1. Viewing the total number of logs:
ZXR10_FW log log count: This views the total number of logs.
2. Viewing configuration information of log server:
ZXR10_FW log log set_show: This views configuration information of log server.
3. Viewing log information:
ZXR10_FW log log show from <number1> to <number2> keyword <string>: This views log information.
Parameter Description
show: This views log information.
from: This sets from which log to view. <number1>: This is one number indicating the number of the log.
to: This sets to which log to view. <number2>: This is one number indicating the number of the log.
keywo
112. ocol, pptp protocol.
net: This specifies subnet address. <string1>: This is one standard IP address string.
mask: This specifies subnet mask. <string2>: This is one standard address mask string.
protocol: This specifies the name of the protocol used. <udp|tcp>: This selects the protocol to be used, UDP or TCP.
port: This customizes the service port of this protocol. <number>: This is the service port id.
2. Modifying one application protocol port binding policy:
ZXR10_FW dpi policy modify id <number1> name <ftp|smtp|tftp|http|pop3|sun_rpc|ms_rpc|sqlnet|rtsp|h225|h225ras|mms|sip|imap|telnet> net <string1> mask <string2> protocol <udp|tcp> port <number2>: This modifies one application protocol port binding policy.
Parameter Description
modify: This modifies one application protocol port binding policy.
id: This is the ID of the policy to be modified.
name: This is one string specifying the name of the protocol whose port is to be redefined. <ftp|smtp|tftp|http|pop3|sun_rpc|ms_rpc|sqlnet|rtsp|h225|h225ras|mms|sip|imap|telnet>: ftp protocol, smtp protocol, tftp protocol, http protocol, pop3 protocol, sun_rpc protocol, ms_rpc protocol, sqlnet protocol, rtsp protocol, h225 protocol, h225ras protocol, mms protocol, sip protocol, imap protocol, telnet protocol.
Command Illustration: Command policy show can be used to view the ID of a policy.
3
113. olume
ZXR10 8900 Series V2.8.02.C 10G Routing Switch Command Manual (Security Volume)
ZXR10 8900 Series V2.8.02.C 10G Routing Switch Command Manual (Basic Configuration Volume I)
ZXR10 8900 Series V2.8.02.C 10G Routing Switch Command Manual (Basic Configuration Volume II)
ZXR10 8900 Series V2.8.02.C 10G Routing Switch Command Manual (Basic Configuration Volume III)
ZXR10 8900 Series V2.8.02.C 10G Routing Switch Command Manual (Network Management Volume)
ZXR10 8900 Series V2.8.02.C 10G Routing Switch Command Manual (Ethernet Switching Volume)
ZXR10 8900 Series V2.8.02.C 10G Routing Switch Command Manual (Voice and Video Volume)
ZXR10 8900 Series V2.8.02.C 10G Routing Switch Command Manual (Multicast Volume)
About This Manual
This manual describes BGP route map and routing policy related commands in ZXR10 8900 series 10G routing switch.
This manual describes MPLS related commands in ZXR10 8900 series 10G routing switch.
This manual describes QoS related commands in ZXR10 8900 series 10G routing switch.
This manual describes security configuration related commands in ZXR10 8900 series 10G routing switch.
This manual describes system management, file management, user interface, log, statistics, FTP/TFTP server and IPvr related commands in ZXR10 8900 series 10G routing switch.
This manual describes interface configuration, DHCP and VRRP related commands in ZXR10 8900 series 10G
114. ommand prompt is after accessing the command line interface. When the manager is of security audit type, the command prompt is after accessing the command line interface.
2. Modifying system manager information (comment, name, password, privilege and the type of system that the manager belongs to):
ZXR10_FW system admininfo modify: This modifies system manager information (name, password, comment, privilege and the type of system that the manager belongs to). Prompts: input manager's name: <string1>; new password: <string2>; re_enter password: <string2>; choose manager's privilege (audit/config): <audit|config>; input the comment (y/n): <y|n>; input the comment: <string3>.
Parameter Description
<string2>: This is a password string.
new_password: This sets password.
privilege: This sets privilege. audit|config: Manager has the following types: security audit, security management.
It is the comment.
Command Illustration: Only the super manager can modify the name of a manager.
3. Deleting information of a manager in database:
ZXR10_FW system admininfo delete_db_manager name <string>: This deletes information of a manager in database.
Parameter Description
delete_db_manager: This deletes information of a manager in database.
name: This is the name of the device manager. This is
115. one user with a private IP address needs to access the public network, or one user in the public network needs to access one server with a private IP address, the administrator needs to set the corresponding address translation rule. With network address translation, enterprises can use quite a few Internet public IP addresses to access the Internet, which relieves the lack of IPv4 addresses and meanwhile provides certain security.
NAT has the following advantages:
- Guarantee that intranet users of enterprises using private IP addresses can access the Internet normally.
- Protect the intranet, hide intranet topology and actual IP addresses, and reduce direct attacks.
- Protect internal servers that provide service externally and provide the function of load balancing.
FW card can configure NAT rules flexibly according to user network planning and function demands. When user defines address translation rules on FW card, firstly he needs to define the source and destination of this rule, that is, the source address range and destination address range of packets applicable to the address translation rule, then define the corresponding services, and lastly the translation control mode. FW card provides the following translation control modes:
SNAT: Users with private addresses can access the public network.
DNAT: Users in the public network can access an intranet server with pri
116. onth-Day).
etime: This sets new end time. <string5>: This indicates the start time in format of HH:MM:SS (hour:minute:second).
Example: To modify the period of year1 to 0am on January 5, 2007 to 23pm on February 20, 2007, execute the following command:
ZXR10_FW define schedule modify name year1 type yearcyc sdate 2007-01-05 stime 00:00:00 edate 2007-02-20 etime 23:00:00
3. Renaming one cycle:
ZXR10_FW define schedule rename oldname <string1> newname <string2>: This renames one cycle.
Parameter Description
rename: This renames one cycle.
oldname: This specifies the name of the cycle to be renamed. <string1>: This is one string indicating the name of the cycle; the cycle name must already have been defined.
newname: This specifies the new name for the cycle. <string2>: This is one string indicating the new name of the cycle.
Example: To rename year1 to year2, execute the following command:
ZXR10_FW define schedule rename oldname year1 newname year2
4. Deleting one cycle:
ZXR10_FW define schedule delete id <number1> name <string>: This deletes one cycle.
Parameter Description
delete: This deletes one cycle.
id: This specifies ID of the cycle to be deleted. <number1>: This is one number indicating ID of the cycle.
name: This specifies the name of the cycle to be deleted. <string>: This is one string indicating the name of the cycle.
117. ormation of all public interface factors corresponding to this privilege. Here superman is the unique super manager in the system and has all management privileges in ZXR10 8900 Series Switch FW service card.
Configuring System Manager
On ZXR10 8900 Series Switch FW service card, only the super manager can configure manager accounts and add another manager.
1. Adding device manager information (name, password and privilege information):
ZXR10_FW system admininfo add: This adds device manager information (name, password and privilege information). Prompts: input manager's name: <string1>; new password: <string2>; re_enter password: <string2>; choose manager's privilege (audit/config/vs): <audit|config|vs>; input the comment (y/n): <y|n>; input the comment: <string3>.
Parameter Description
add: This adds device manager information.
audit|config|vs: Manager has the following types: security audit, security management, virtual system. A manager of security audit type can view system security and configuration information but cannot modify configuration. A manager of security management type has the additional right of modifying configuration.
It is the comment. It specifies whether to give a comment. It is the content of the comment.
Command Illustration: When the manager is of security management type, the c
118. ost1 as the group member, execute the following command:
ZXR10_FW define group_address add name groupaddr1 member host1
2. Adding a member to a defined address group:
ZXR10_FW define group_address addmember groupname <string1> member <string2>: This adds a member to a defined address group.
Parameter Description
addmember: This adds a member to an address group.
groupname: This specifies the name of the address group to which the member will be added. <string1>: This is one string indicating the name of the address group.
member: This specifies the members to be added. <string2>: This is one string indicating an address object, which can be a host object, subnet object or address range object.
Example:
ZXR10_FW define group_address addmember groupname groupaddr1 member subnet1
3. Renaming an address group:
ZXR10_FW define group_address rename oldname <string1> newname <string2>: This renames one address group.
Parameter Description
rename: This renames an address group.
oldname: This specifies the name of the address group to be renamed. <string1>: This is one string indicating the name of the address group; the name must already have been defined.
newname: This specifies the new name for the address group. <string2>: This is one string indicating the new name of the address group.
Example
119. other information. Packets of this session received after this new record will be processed according to the record in the session table.
5. Processing before Routing: When the policy changes during the communication process, FW re-invokes the packet filtering module and access control module to match the packet against the policy.
6. Route Querying: ZXR10 8900 Series Switch FW module selects the packet forwarding interface according to the routing table or the MAC address table learned on each interface. If the packet address is translated, FW searches the NAT table to find the actual address for routing.
Access control rules are a set of policies customized by the user. These rules define which packets meeting certain conditions can pass FW and which packets meeting other conditions are denied by FW. Data contained in each access policy include the source address and destination address of the packet, the service (protocol type and port id), and the operation (forwarding or dropping) performed on packets meeting the conditions.
In an access policy, the policy source defines the source of the packet, which can be one or multiple objects such as host, subnet, scope and so on. When the source address of the packet belongs to the scope of the policy source, it is considered to meet the constraint conditions of the policy source.
Policy destination defines the scope of destination address
120. owing command:
ZXR10_FW define host add name host1 ipaddr 192.168.1.8 192.168.1.9 macaddr 1a:21:7b:13:11:5c session 1 halfsession 1
2. Modifying one host:
ZXR10_FW define host modify name <string1> ipaddr <string2> macaddr <macaddress> session <number1> halfsession <number2>: This modifies one host.
Parameter Description
modify: This modifies one host.
name: This specifies the name of the host to be modified. <string1>: This is one string indicating the name of the host.
session: This specifies the new number of max sessions. <number1>: This is one number indicating the number of max sessions.
halfsession: This modifies the number of half sessions. <number2>: This is one number indicating the number of half sessions on the host.
Example: To modify host1 and set its IP addresses to 192.168.1.8 and 192.168.1.9, its MAC address to 1a:21:7b:13:11:5c, the number of sessions on the host to 1 and half sessions to 1, execute the following command:
ZXR10_FW define host modify name host1 ipaddr 192.168.1.8 192.168.1.9 macaddr 1a:21:7b:13:11:5c session 1 halfsession 1
3. Renaming one host:
ZXR10_FW define host rename oldname <string1> newname <string2>: This renames one host.
Parameter Description
rename: This renames one host.
oldname: This specifies the name of the host to be renamed.
121. ows all custom/default services.
Parameter Description
custom|default: This specifies the type of service to be viewed, where keyword custom indicates the service is customized by the user and default indicates the service is a default one in the FW system, which the user does not need to customize.
Configuring Server Group
User can combine a few services into one group, which can be used when setting access control.
1. Adding one service group:
ZXR10_FW define group_service add name <string1> member <string2>: This adds one service group.
Parameter Description
add: This adds one service group.
name: This sets the name for the service group. <string1>: This is one string indicating the name of the service group.
member: This sets the members (services) in the service group. The services can be customized by the user or default ones in the system. <string2>: This is a string indicating the name of the service.
Command Illustration: Before defining a service group, define services. For details, please refer to section Showing System Defined Services.
Note: Both system default services and user customized services can be included in one service group.
2. Adding a service to an existing service group:
ZXR10_FW define group_service add name <string1> member l
...application protocol port binding policy. The system has the following default standard ports:

Table: default standard ports. Columns: Application Protocol Name, Default Port Number, Protocol Type Used, Protocol ID. Rows include SMTP, IMAP and POP3.

Configuring Application Port Binding

This topic describes the configuration commands of application protocol filtering. Commands in this module are used for application protocol filtering related configurations.

To access this command module, execute the following command:
ZXR10_FW dpi

To exit from this command module, execute the following command:
ZXR10_FW end

1. Customizing one application protocol port binding policy

ZXR10_FW dpi policy add name <ftp|tftp|sun_rpc|ms_rpc|sqlnet|rtsp|h225|h225ras|mms|sip|pptp> net <string1> mask <string2> protocol <udp|tcp> port <number>
    This customizes one application protocol port binding policy.

Parameter     Description
add           This adds one application protocol port binding policy.
name          This is one string specifying the name of the protocol whose port is to be redefined.
<ftp|tftp|sun_rpc|ms_rpc|sqlnet|rtsp|h225|h225ras|mms|sip|pptp>
              ftp protocol, tftp protocol, sun_rpc protocol, ms_rpc protocol, sqlnet protocol, rtsp protocol, h225 protocol, h225ras protocol, mms protocol, sip protocol, pptp protocol
keyword       This is optional. It sets the keyword in the log to view.
<string>      This is one string indicating the keyword.

Example
To view the total number of logs, execute the following command:
ZXR10_FW log log count
Total log 351

To view the information of logs no. 10 to no. 100 containing the string log, execute the following command:
ZXR10_FW log log show from 10 to 100 keyword log

Configuring Alarms

This topic describes how to manage the alarming mode. Alarms can be triggered according to predefined policies and security alarm events, and alarm messages can be sent to the administrator by mail alarm. The user can set the related parameters here.

1. Setting event alarming modes according to event types

ZXR10_FW log alarmevent set <manage|system|security|policy|communication|hardware|recover|noticetest|all> noticeid <number> noticename <string> notice <empty>
    This sets event alarming modes according to event types.

Parameter     Description
set           This sets the event alarming mode.
<manage|system|security|policy|communication|hardware|recover|noticetest|all>
              manage indicates management alarm, system indicates system alarm, security indicates security alarm, policy indicates policy alarm, communication indicates communication alarm, hardware indicates hardware alarm, recover indicates recover alarm, noticetest indicates test alarm and all indicates alarms of all events.
...area add name area_vlan3 access on attribute gei_2/3

3. Defining host and subnet address resources

To define the host address resource 192.168.100.140 and the subnet address resource inner_web (intranet resource), execute the following commands:

ZXR10_FW define host add name 192.168.100.140 ipaddr 192.168.100.140
ZXR10_FW define subnet add name inner_web ipaddr 192.168.101.0 mask 255.255.255.0

4. Defining a customized service

To define a customized service with service name Web_port and port id 8080, execute the following command:

ZXR10_FW define service add name Web_port protocol tcp port 8080

5. Setting the service group resource

To name the service group inner_web_srv (intranet access service) and include the services Web_port, FTP, TELNET and SSH in this group, execute the following command:

ZXR10_FW define group_service add name inner_web_srv member 'Web_port FTP TELNET SSH'

6. Setting the access control rule

Permit the subnet object inner_web (intranet, 192.168.101.0/24) in area_vlan3 to access the Web_port, FTP, TELNET and SSH services, bound to the customized service group inner_web_srv, on the server in area_vlan2 with server IP address 192.168.100.140:

ZXR10_FW firewall policy add action accept srcarea area_vlan3 dstarea area_vlan2 src inner_web dst 192.168.100.140 service inner_web_srv enable yes

7. Setting the service access control rule

Only permit extranet users (area_vlan1) to access the services on port 8080 of server 192.168.100.140:

ZXR10_FW f
               a. This parameter must be one predefined port name.
               b. Multiple port objects can be input at the same time, in the format 'server1 server2'. As for multiple port objects, a space is used between each two and all port names are quoted with single quotes.
orig_service   This sets the service resource of the original packet.
<ser_id>       This is one string; the service resource name of the original packet is input here.
               Tips:
               a. This parameter must be one predefined service resource.
               b. Multiple service resources can be input at the same time, in the format 'server1 server2'. As for multiple service resources, a space is used between each two and all names are quoted with single quotes.
trans_src      This sets the source object after translation.
<src_addr2>    This is one string; the source object name after translation is input here.
               Tips:
               a. This parameter must be one predefined address object name or attribute name.
               b. Only one object can be input here.
               c. This parameter is necessary when adding a source address translation policy.
trans_dst      This sets the destination object after translation.
<dst_addr2>    This is one string; the destination object name after translation is input here.
               Tips:
               a. This parameter must be one predefined address object name or
               attribute name.
               b. Only one object can be input here.
               c. This parameter is necessary when adding a destination address translation policy.
trans_service  This sets the service resource after translation.
<ser_obj>      This is the number; the service resource name after translation is input here.
               Tips: This parameter must be one name predefined in the define module.
pat            This sets the source port translation switch. yes means conducting port address translation on the source port and no means not conducting port address translation on the source port.
               Tips: yes is the default value.
enable         This sets the address translation policy switch. yes means enabling this address translation policy and no means forbidding this address translation policy temporarily.
               Tips: yes is the default value.
before         This places this address translation policy before one policy.
<number>       This is one number, which shall be the ID of the next address translation policy after this address translation policy is input.
               Tips:
               a. This parameter must be the id of an added address translation policy.
               b. To view the id of a system default service resource, execute the command define service show default.

Command Illustration
When defining a destination address translation policy, don't specify the destination area and destination vlan. The system also translates the source port address by default.
The ZXR10 8900 Series Switch FW service card (FW module) provides log management and alarm functions for the user. The log and alarm function has three parts:
    Log configuration
    Log viewing
    Alarms

Log Configuration
The ZXR10 8900 Series Switch FW service card (FW module) provides all-round logging and alarm service functions, which is convenient for the user to trace the working status of the FW module. The FW module can record logs in WELF format, transmit the logs to a preset log server over the Syslog protocol, and use third-party software to perform statistics and analysis on the logs.

Viewing Log
The FW module can buffer part of the log data according to the performance of the hardware device. This is convenient for the user to view the system log and trace the working status of the FW module in a timely manner.

Alarms
The FW module has a comprehensive alarm prompt function and supports mail alarming, voice alarming, console alarming and other alarming modes. Firstly, the administrator needs to add alarm rules and set alarm objects and parameters. Then set the security events triggering the alarm rules, including device faults and administrator-predefined security events. When a security event occurs, FW will trigger
noticeid      This sets the id of the alarming mode.
<number>      This is one number indicating the ID of the alarming mode.
noticename    This sets the name of the alarming mode.
<string>      This is one string indicating the name of the alarming mode.
notice <empty>
              This specifies that no alarm event rule is contained in the alarming mode and removes all alarm events. This indicates not generating alarms.

2. Showing an alarm event

ZXR10_FW log alarmevent show <manage|system|security|policy|communication|hardware|recover|noticetest|all>
    This shows an alarm event.

ZXR10_FW log alarmnotice add <mail> name <string1> srvaddr <ipaddress> srvport <number> mailaddr <string2> subject <string3>
    This adds one mail alarm.

Parameter     Description
add           This adds one mail alarm.
<mail>        This indicates the alarming mode is mail alarm.
name          This sets the alarm name.
<string1>     This is a string indicating the name of the alarm.
srvaddr       This sets the IP address of the SMTP server that is to send the mail.
<ipaddress>   This is one string indicating an IP address in the format A.B.C.D.
srvport       This sets the port of the SMTP server.
<number>      This is one number indicating the port id.
mailaddr      This sets the mail account that receives alarm m
Logging into FW through Telnet

Context
It is available to log into the FW module through Telnet and conduct some basic settings on FW.

Steps
1. Selecting the interface of the vlan where the administrator is located and configuring the IP address for the interface:

ZXR10(config-if-vlan1)# ip address <ipaddress> <maskaddress>
    It configures the IP address and subnet mask for L3 vlan 1.

Parameter       Description
<ipaddress>     It is the IP address, in the form A.B.C.D.
<maskaddress>   It is the subnet mask, such as 255.255.255.0.

2. Accessing the FW configuration node and configuring the IP address of the VLAN interface as the management IP of the managed FW card:

ZXR10(config-fw)# bind mng ip <slot number> <ipaddress>
    It configures the IP address of the VLAN interface as the management IP of the managed FW card.

Parameter       Description
<slot number>   It is the number of the slot where the FW card is located.
<ipaddress>     It corresponds to the above IP address of the L3 vlan interface, in the form A.B.C.D.

3. Running telnet <ipaddress> (the IP address configured in step 2) on the administrator PC to access the configuration interface of the FW card.

END OF STEPS

Example

Context
The following steps show how to log into FW through Telnet.

Steps
1. Binding fw template 1 with the slot number:

ZXR10(config)# fw
ZXR10(config-fw)# fw template 1
ZXR10(config-fw-template-1)# bind slot 2
ZXR10(config
Services are classified into default services provided by the system and user customized services. As for default services, the user cannot perform add, delete, modify and some other operations.

Example
To rename the service http8080 to http8000, execute the following command:
ZXR10_FW define service rename oldname http8080 newname http8000

4. Deleting one customized service

ZXR10_FW define service delete id <number1> name <string>
    This deletes one customized service.

Parameter     Description
delete        This deletes one service.
id            This specifies the ID of the service to be deleted.
<number1>     This is one number indicating the ID of the service.
name          This specifies the name of the service to be deleted.
<string>      This is one string indicating the name of the service.

Command Illustration
To delete one service, it can be deleted according to the service name, the id or both. In case the two are inconsistent, the service name shall apply. When no parameter is given, the services not quoted by any policy are deleted.

Example
To delete the service http8000, execute the following command:
ZXR10_FW define service delete name http8000

5. Deleting all customized services not quoted by policy

ZXR10_FW define service clean
    This deletes all customized services not quoted by policy.

6. Showing all services

ZXR10_FW define service show
...sname any

Showing one open service rule

ZXR10_FW pf service show name <gui|snmp|ssh|monitor|ping|telnet|ids|auth|ntp|update|dhcp|rip|l2tp|pptp|webui|ipsecvpn>
    This shows one open service rule.

Parameter     Description
show          This shows one open service rule.
name          This selects the name of the service to be viewed.

Command Illustration
When a type is selected, the setting of the specified service type is shown; when no type is selected, all rules are shown.

Example
To show the gui open service rule, execute the following command:
ZXR10_FW pf service show name gui

Deleting one open service rule

ZXR10_FW pf service delete id <number>
    This deletes one open service rule.

Parameter     Description
delete        This deletes one open service rule.
id            This selects the id of the service opened by FW.

Command Illustration
To view the id needed for deleting one service, execute the command service show.

Setting WEBUI Authentication

WEBUI authentication means the administrator can access the ZXR10 8900 Series Switch FW service card only after passing both certificate authentication and username/password authentication.

1. Restoring the WEBUI system root certificate

ZXR10_FW system webui cert <restore>
    This restores the WEBUI system root certificate.

Parameter     Description
ZXR10_FW system authset faillock show
    This shows the authentication faillock time.

ZXR10_FW system authset managermaxlogin set maxnum <number>
    This sets the max concurrent management site related parameter, that is, the max number of sites (IPs) from which the same administrator name can log into the same device. The default value is 5, in the range 1-32. For example, one device is configured with multiple IP addresses, and this command limits the number of IP addresses with which one user can log in.

Parameter     Description
set maxnum    This sets the max concurrent management site related parameter.
<number>      This is the max number, in the range 1-32.

Example
To set the max concurrent management sites to 16, execute the following command:
ZXR10_FW system authset managermaxlogin set maxnum 16

Showing the max concurrent management site related parameter

ZXR10_FW system authset managermaxlogin show
    This shows the max concurrent management site related parameter.

Setting the max concurrent administrator number

ZXR10_FW system authset maxonline set maxnum <number>
    It sets the max concurrent administrator number.

Parameter     Description
set maxnum    This sets the max concurrent administrator number.
<number>      This is the max number, in the range 1-256.
...t <string9> orig_dst <string10> dpi <string11> ar <string12> av <on|off> permanent <on|off> log <on|off|alarm> enable <yes|no> before <number1>

Parameter      Description
add            This adds one FW access control rule.
action         This sets the access privilege, that is, whether to permit or deny packets matching this rule to pass through FW.
accept|deny    accept permits, deny denies.
srcarea        This sets the source area.
<string1>      This is one string. It must be one or more preset area names. As for multiple area names, a space is used between each two area names and all names are quoted with single quotes, such as 'area_gei_5/1'.
dstarea        This sets the destination area.
<string2>      This is one string. It must be one or more preset area names. As for multiple area names, a space is used between each two area names and all names are quoted with single quotes, such as 'area_gei_5/1'.
srcvlan        This sets the source VLAN.
<string3>      This is one string indicating a preset vlan number.
dstvlan        This sets the destination VLAN.
<string4>      This is one string indicating a preset vlan number.
src            This sets the source address.
<string5>      This is one string indicating a preset address name. Multiple address names can be input; a space is used between each two address names and all address names are quoted with single quotes, such as 'aa ll'.
dst            This is the destination address.
Chapter 2 System Management Configuration
    This chapter describes the basic concept, configuration and configuration example of FW system management.
Chapter 3 Resource Management Configuration
    This chapter describes the basic concept, configuration and configuration example of FW resource management.
Chapter 4 ZXR10 FW Function Management
    This chapter describes the basic concept, configuration and configuration example of FW function management.
Chapter 5 Packet Filtering and Access Control Rule Configuration
    This chapter describes the basic concepts, configurations and configuration examples of FW packet filtering and access control rules.
Chapter 6 NAT Configuration
    This chapter describes the basic concept, configuration and configuration example of FW NAT.
Chapter 7 Protocol Filtering Configuration
    This chapter describes the basic concept, configuration and configuration example of FW protocol filtering.
Chapter 8 Intrusion Prevention Configuration
    This chapter describes the basic concept, configuration and configuration example of FW intrusion prevention.
Chapter 9 High Availability Configuration
    This chapter describes the basic concept, configuration and configuration example of FW high availability.
Chapter 10 Log and Alarm Configuration
    This chapter describes the basic concept, configuration and configuration example of log and alarm.
Glossary
    This part lists the glossaries used in this manual.

Chapter 1 Firewall Overview

Table of Contents
    This adds a service to an existing service group.

Parameter     Description
add           This adds a service to a service group.
groupname     This sets the name of the service group to which the service will be added.
<string1>     This is a string indicating the name of the service group.
member        This sets the services to be added. The services can be customized by the user or default ones in the system.
<string2>     This is a string indicating the name of the service.

Command Illustration
Before defining a service group, define the services. For details, refer to section Configuring Customized Services.

3. Renaming a service group

ZXR10_FW define group_service rename oldname <string1> newname <string2>
    This renames a service group.

Parameter     Description
rename        This renames a service group.
oldname       This specifies the name of the service group to be renamed.
<string1>     This is one string indicating the name of the service group; the service group name has already been defined.
newname       This specifies the new name for the service group.
<string2>     This is one string indicating the new name of the service group.

4. Deleting a service member in a service group

ZXR10_FW define group_service delmember groupname <string1> member <string2>
    This deletes a service member in a service group.

Parameter     Description
delmember     This deletes a service member
...transmitted to the log server.

Parameter     Description
<number>      This is one number indicating the log level, ranging from 0 to 8:
              0 indicates serious errors that cause unavailability of the system;
              1 indicates alarm messages;
              2 indicates errors that cause unavailability of partial system functions;
              3 indicates common error messages;
              4 indicates all attacks and unauthorized accesses except for communication log;
              5 indicates operation records of the administrator;
              6 indicates common event records;
              7 indicates debugging information of the developer;
              8 indicates diagnosis log.

3. Adding a log type transmitted to the log server

ZXR10_FW log log type_set add <string>
    This adds a log type transmitted to the log server.

Parameter     Description
<string>      This is one string indicating the log type, including mgmt, system, pf, conn, ac, secure, dpi, vpn, avse, sslvpn_conn, sslvpn_admin, sslvpn_system, all or none.

4. Deleting a log type transmitted to the log server

ZXR10_FW log log type_set delete <string>
    This deletes a log type transmitted to the log server.

Example
1. To set the log server to 192.168.1.25, the protocol and port to TCP 524, the log transmission type to syslog and permit log transmission, execute the following command:
ZXR10_FW log log set ipaddr 192.168.1.25 port tcp 524 logtype syslog trans enable
    ...translates the source IP address or port id of the received packet to the preset IP address or port id, and then forwards the packet whose source address is modified.
    Translating the destination address: FW translates the destination IP address or port id of the received packet (the FW interface address in usual cases) to the preset IP address or port id (the actual IP address or port id), and then forwards the packet whose destination address is modified.
    Bi-directional NAT: FW translates the source address and the destination address or port id of the packet at the same time.

3. Access control module
Access control rules define whether FW permits the packets matching the rules to pass through. When receiving one packet, FW matches it with the rules in the access rule table one by one according to the policy sequence number, and processes the packet according to the operation (permit or deny) specified by the corresponding policy. If no access policy is matched, the packet will be forwarded to the destination interface, and the ZXR10 8900 Series Switch FW will process this packet according to the default property (permit or deny) of the area where the destination interface is located.

4. Session Establishment
As for a packet with no matching session, the ZXR10 8900 Series Switch FW will create one new record in the session table according to the packet processing information in steps 1-3, including packet destination address, source address, route, address translation policy, access rule and
Chapter 3 Resource Management Configuration

Table of Contents
Resource Management Overview ............... 27
Configuring Address Resource ............... 28
Configuring Area Resource .................. 41
Configuring Time Resource .................. 44
Configuring Service Resource ............... 50

Resource Management Overview

Most functions of the ZXR10 8900 Series Switch FW service card are based on resources, such as access control policy, address translation policy, server load balancing policy, authentication management and so on. It is necessary to define resources of various types before the manager configures the ZXR10 8900 Series Switch FW service card. Using the concept of resource simplifies the management of the ZXR10 8900 Series Switch FW service card: when one resource changes, the manager only needs to modify the properties of the resource and does not need to modify all policies and rules related to this resource.

As for the ZXR10 8900 Series Switch FW service card, the user can customize the following resource types:
    Address resource: It includes host resource, address range resource, subnet resource and address group.
    Property resource: It includes property resource and property group. A property resource can get valid only when bound with other resources, such as interface resource, sub-interface resource, area resource and so on.
    Area resource: It de
Management Modes
The network administrator can manage the ZXR10 8900 Series Switch FW module in many ways, including:
    Through CONSOLE: perform local management through the CONSOLE port.
    Through TELNET: perform remote management by logging into FW through Telnet.
    Through WEBUI: perform remote management by logging into FW through a browser.

Logging into FW through Console Port

Context
It is available to log into the FW module through the CONSOLE port and conduct some basic settings on FW.

Steps
1. Using one serial console cable included in the factory accessories to connect the serial port of the PC (assume that com1 is available) and the console port of FW.
2. Setting the properties of the serial port according to the following parameters: Bits per Second 9600 (baud rate).
3. Logging into the switch main board, accessing the FW template configuration node under the config node and inputting the following command to access the FW card:

ZXR10(config-fw-template-1)# session
    It accesses the FW card from the main board.

4. Logging into the ZXR10 8900 Series Switch FW module by inputting the system default username. The user can perform configuration management through the command line after accessing the FW module.

Tip
Both username and password are case sensitive.

END OF STEPS
<string1>     This is one string indicating the name of the load balancing group.
server        This sets the servers contained in the load balancing group.
<string2>     This is one string indicating the name of a server. As for multiple server names, a space is used between each two server names and all server names are quoted with single quotes, such as 'server1 server2'.
balance       This sets the load balancing mode. Six modes are available: rr, wrr, lc, wlc, sh and dh.
<rr|wrr|lc|wlc|sh|dh>
              rr indicates selecting the server in the load balancing group sequentially; wrr indicates selecting the load balancing server in sequence of weight; lc indicates selecting the server according to response time (the faster the response, the higher the priority); wlc indicates selecting the server according to response time and weight (the shorter the response time and the larger the weight, the higher the priority); sh indicates selecting the server with a HASH query according to the source address; dh indicates selecting the server with a HASH query according to the destination address.
              This specifies the ID of the backup load balancing group. When all servers in one group stop providing services, data in the servers of the load balancing group will be backed up to the specified load balancing group.
<number>      This is one number indicating the ID of the load balancing group.

Command Illustration
During
...document. Except as expressly provided in any written license between ZTE CORPORATION and its licensee, the user of this document shall not acquire any license to the subject matter herein.

ZTE CORPORATION reserves the right to upgrade or make technical changes to this product without further notice.

Users may visit the ZTE technical support website http://ensupport.zte.com.cn to inquire about related information.

The ultimate right to interpret this product resides in ZTE CORPORATION.

Revision History
Revision No.    Revision Date    Revision Reason

Serial Number: sjzl20093843

Contents
About This Manual ..............................
Firewall Overview ............................. 1
Working Principle ............................. 2
Working Modes ................................. 4
Management Mode ............................... 5
Logging into FW through Console Port .......... 5
Logging into FW through Telnet ................ 6
Logging into FW through Browser ............... 7
System Management Configuration ............... 9
System Management Overview .................... 9
Querying System Basic Information ............ 10
Querying System Running Information .......... 10
Configuring System Management ................ 11
Setting System Parameters .................... 11
Managing System Services ..................... 15
Setting Open ... ............................. 16
Setting WEBUI Authentication ................. 20
Configuration Maintena
    used under the configure terminal node.

ZXR10(config-fw)# fw template <template id>
    This accesses the fw template node; used in fw configuration mode.

ZXR10(config-fw-template-1)# session
    This executes session; used in fw template configuration mode.

Example
To configure session, execute the following commands:
ZXR10(config)# fw
ZXR10(config-fw)# fw template 7
ZXR10(config-fw-template-7)# bind slot 8
ZXR10(config-fw-template-7)# session

Binding FW Template for Specific VLAN

This topic describes how to bind an FW template for a specific VLAN.

ZXR10(config)# fw
    This enters FW configuration mode; used in configure terminal mode.

ZXR10(config-fw)# fw template <template id>
    This accesses the fw template node; used in fw configuration mode.

ZXR10(config)# interface vlan <vlan id>
    This enters L3 interface configuration mode; used under the configure terminal node.

ZXR10(config-if-vlan10)# bind fw template <template id>
    This binds the fw template; used under the if-vlan node.

ZXR10(config)# show fw vlan binding
    This shows whether the if-vlan succeeds in binding with FW; it can be used in any mode of the main board.

Example
To bind fw template 1 with vlan10 and bind slot 7 with fw template 1, execute the following commands:
Commands in this module are used for the FW load balancing function.

To access this command module, execute the following command:
ZXR10_FW define

To exit from this command module, execute the following command:
ZXR10_FW end

1. Adding one server

ZXR10_FW define server add name <string1> host <string2> weight <number1> probe <none|host|service> port <number2>
    This adds one server.

Parameter     Description
name          This sets the name of the server.
<string1>     This is one string indicating the name of the server.
host          This sets the host used for the server.
<string2>     This is a string indicating the name of the host.
weight        This sets the weight of the server.
<number1>     This is one number indicating the weight of the server, ranging from 1 to 100.
probe         This sets whether to perform detection on the server. There are three options: none, host and service.
<none|host|service>
              none indicates no detection, host indicates host detection and service indicates service detection. The user needs to set the detection port when selecting service detection.
port          This sets the detection port. The detection port needs to be set only when service detection is selected.
<number2>     This is one number indicating the port id.

Command Illustration
With detection, the working status of the server can be found, thus avoiding sending traffic to this server when the server is down or its services are abnormal, which would make the services requested by the user fail to be responded to. Two detection modes are available: host
...private address.

NONAT: It can be used to define special cases of SNAT, DNAT and bi-directional NAT rules. In this case, it shall be placed at the front of the NAT rule list.

All address translation rules defined by the FW card are stored in the rule table in a certain sequence. When one packet passes through the FW card, the FW card retrieves the address translation rule table according to the sequence of the address translation rules and matches them with the packet one by one. Once the packet is found to match one address translation rule, the FW card stops retrieving and processes the packet according to the defined rule.

Configuring NAT

This topic describes the configuration commands and configuration examples of NAT. Commands in this module are used for address translation policy related configurations.

To access this command module, execute the following command:
ZXR10_FW nat

To exit from this command module, execute the following command:
ZXR10_FW end

1. Adding a NAT policy

ZXR10_FW nat policy add srcarea <srcarea_name> dstarea <dstarea_name> srcvlan <srcvlan_no> dstvlan <dstvlan_no> orig_src <src_addr1> orig_dst <dst_addr1> orig_sport <sport_id> orig_service <ser_id> trans_src <src_addr2> trans_dst <dst_addr2> trans_service <ser_obj> pat <yes|no> enable <yes|no> before <number2>
    This adds a NAT policy.

Parameter     Description
name          This sets the name of the service.
<string1>     This is one string indicating the name of the customized service.
protocol      This sets the L3 or L4 protocol number.
<number1>     This is one number indicating the protocol number.
port          This sets the start port from which the service is enabled. In case only one port is used, it is only necessary to set the start port; the end port need not be set.
<string2>     This is one string indicating the contents of the comment.

Command Illustration
Services are classified into default services provided by the system and user customized services. As for default services, the user cannot perform add, delete, modify and some other operations.

Example
To add the service http8080, set the protocol number to 6 and the port id to 8080, and set httpservice as the content of the comment, execute the following command:
ZXR10_FW define service add name http8080 protocol 6 port 8080 comment httpservice

2. Modifying one customized service

ZXR10_FW define service modify name <string1> protocol <number1> port <number2> port2 <number3> comment <string2>
    This modifies one customized service.

Parameter     Description
modify        This modifies one service.
name          This specifies the name of the service to be modified.
<string1>     This is one string indicating the name of the customized service.
protocol      This sets the L3
...cycle, such as 8am to 8pm each Monday.
week          This modifies which days of the week are included.
<string2>     This is one string indicating the days of the week, in the format 1234567, indicating Monday to Sunday.
start         This modifies the start time in one day.
<string3>     This is one string indicating the start time, in the format HH:MM (hour:minute).
end           This modifies the end time in each day. The end time must be later than the start time.
<string4>     This is one string indicating the end time, in the format HH:MM (hour:minute).

Example
To modify the period of week1 to 9am to 16pm each Monday, execute the following command:
ZXR10_FW define schedule modify name week1 type weekcyc week 1 start 09:00 end 14:00

3. Renaming one cycle

ZXR10_FW define schedule rename oldname <string1> newname <string2>
    This renames one cycle.

Parameter     Description
rename        This renames one cycle.
oldname       This specifies the name of the cycle to be renamed.
<string1>     This is one string indicating the name of the cycle; the cycle name has already been defined.
newname       This specifies the new name for the cycle.
<string2>     This is one string indicating the new name of the cycle.

Example
To rename week1 to week2, execute the following command:
ZXR10_FW define schedule rename oldname week1 newname week2

4. Deleti
