HCSCA102 HCNA-Security-CBSN Chapter 2 Basic Firewall Technologies V2.5

The document discusses different types of firewalls including hardware firewalls, software firewalls, standalone firewalls, network firewalls, packet filtering firewalls, proxy firewalls, and stateful inspection firewalls. It describes how each type of firewall works, including their advantages and disadvantages. The document also discusses firewall hardware platforms, firewall operating modes, functions of security zones, and common predefined security zones on firewalls.


• Firewall technology is a specific embodiment of security technology.

The word firewall literally refers to a wall built between two houses to stop a fire from spreading. The firewall described in this document is the hardware firewall: an integration of various security technologies built on a dedicated hardware structure, a high-speed CPU, and an embedded operating system. It supports a variety of high-speed (LAN) interfaces and is used to protect the security of a private network (host). Such a device is called a hardware firewall. Hardware firewalls are independent of operating systems (such as HP-UNIX, SUN OS, AIX, and NT) and hosts (IBM6000 and ordinary PCs).

• The firewall addresses network security issues and works as a highly efficient "filter". In addition, it can provide access control, authentication, data encryption, VPN technology, address translation, and other security functions, so users can configure their own security policies according to their network environment to prevent unauthorized access and ensure network security.

• A modern firewall system should not be just an "entry protective screen" but the access control point of many networks, forcing all incoming and outgoing data flows to go through the firewall first. The firewall, serving as a gateway, protects not only the internal network in an Internet environment but also the internal network security of many hosts.

• Early firewalls were only software deployed on a single device, and the control mode could only be packet-based. With the development of technologies and the Internet environment, firewalls have evolved into more types. For example, firewalls are classified into hardware firewalls and software firewalls by form, standalone firewalls and network firewalls by protected target, and packet filtering firewalls, proxy firewalls, and stateful inspection firewalls by access control method.

• The mainstream firewall classification method is based on access control methods.

Network firewalls can protect an entire network in a distributed mode. The features of network firewalls are as follows:

1. Centralized security policies

2. Complex and diversified security functions

3. Professional maintenance by administrators

4. Low security risks

5. Complicated policy configuration

This document mainly describes firewall classification by access control method.


• Packet filtering means checking every data packet at the network layer and forwarding or dropping it according to the configured security policy. The basic principle of a packet filtering firewall is to filter packets through configured Access Control Lists (ACLs), mainly based on the source or destination IP address, source or destination port, IP identifier, and forwarding direction of the packet. Packet filtering firewalls have a simple design, so they are cheap and easy to deploy.

• However, packet filtering firewalls have the following defects:

1. As ACLs become longer and more complex, filtering performance declines.

2. Static ACL rules can hardly meet dynamic security requirements.

3. Packet filtering neither checks session status nor analyzes data, which gives attackers an opening. For example, packets from an attacker can pass the firewall if their source IP addresses are set to legitimate IP addresses.

Note: Multichannel protocols such as FTP negotiate a dynamic data channel port over the FTP control channel, and later data exchange is mainly carried out in the data channel.
• A proxy firewall works at the application layer and takes over the services that would otherwise flow directly between the extranet and the intranet. The proxy firewall checks user requests. After a user passes the security check, the proxy firewall establishes a connection with the real server on behalf of the user, forwards the user request to the server, and sends the server's response back to the external user.

• Proxy firewalls have strong security control capabilities. They can completely control the network information exchange and the session process. However, they have the following defects:

1. Processing speed is limited by software, which makes them prone to Denial of Service (DoS) attacks.

2. An application-layer proxy must be developed for each protocol, so the development cycle is long and upgrades are difficult.
• Stateful inspection is an extension of packet filtering technology. Connection-status-based packet filtering no longer treats each data packet as an independent unit but takes into account the relationship between previous and follow-up packets. As we know, every reliable connection (TCP connection) is established through the "three-way handshake" process, namely "client synchronization request", "server response", and "client response", which means the data packets are not independent but closely related to each other. Stateful inspection technology is developed on this basis.

• Basic principles:

1. Stateful inspection firewalls use session tables to track active TCP sessions and UDP pseudo-sessions ("false sessions"); the access control list (ACL) decides which sessions may be established, and data packets are forwarded only when they match a session entry. UDP pseudo-sessions are virtual connections created for stateful inspection (UDP is connectionless) and are established for a UDP data flow when its packets are processed.

2. Stateful inspection firewalls intercept data packets, acquire the status information required by the security policy from the application layer, and save the information to the session table. The firewall then determines whether to allow follow-up packets based on the session table.
• Firewall hardware platforms can be classified into the universal CPU architecture, Application Specific Integrated Circuit (ASIC) architecture, Network Processor (NP) architecture, and multi-core processor architecture. Here we introduce them one by one.

• Universal CPU Architecture

• The universal CPU architecture is based on the X86 platform and uses the host CPU to process services. The card chip and the CPU use the PCI bus for data transmission. The traditional 32-bit PCI bus frequency is 33 Hz, so the data transfer rate between the card chip and the CPU can theoretically reach 1056 Mbit/s, which in theory meets the need of a Gigabit firewall. But the X86 platform uses a shared bus, so if two cards transmit data simultaneously, the average rate of each card can only be 528 Mbit/s, and so on: the more cards there are, the lower the per-card rate. As long as there is more than one card, the rate is lower than 1000 Mbit/s. In addition, on the X86 platform the thread scheduling mechanism is implemented using interrupts, so when there are large numbers of small packets on the network, the same traffic causes more interrupts; the firewall throughput then drops to only about 20% while CPU usage is very high. This X86-based architecture cannot meet the needs of Gigabit firewalls and is only suitable as the hardware platform for 100M firewalls.
• In transparent mode, the firewall is responsible for packet forwarding but not for routing. The two networks connected to the firewall must be on the same subnet. The upstream and downstream interfaces of the firewall both work at Layer 2 and have no IP addresses.

• Firewalls in this networking mode avoid the trouble of topology modification. You can deploy the firewall just like a bridge without modifying any existing configuration. IP packets still go through the relevant filtering checks, and internal network users are still protected by the firewall.

• In routing mode, the firewall can support more security features, such as NAT and UTM. However, when routing mode is adopted, the network administrator may need to modify the network topology; for example, intranet users need to modify their gateway, or routing configurations on routers must change. Therefore, the designer needs to weigh network transformation, service interruption, and other factors comprehensively.

• In routing mode, the firewall is deployed between the intranet and the Internet. The upstream and downstream interfaces on the firewall work at Layer 3 and have IP addresses on different subnets. The firewall is responsible for routing intranet-Internet communication, like a router.
• Functions of security zones

• Security policies are implemented on the basis of security zones.

• Data exchanged within a security zone is considered secure and does not require any security policy.

• Data exchange between zones triggers security checks, and the related security policies are applied.

• On a firewall, all network devices on the network connected to the same interface reside in the same security zone, and one security zone can include the networks connected to multiple interfaces.

• A firewall supports multiple security zones. It provides four predefined security zones, namely the Untrust zone, DMZ, Trust zone, and Local zone, and also supports user-defined security zones.

• The four default security zones are described as follows:

  • Untrust zone: a security zone with a low security level (level 5)

  • DMZ: a security zone with a medium security level (level 50)

  • Trust zone: a security zone with a high security level (level 85)

  • Local zone: a security zone with the highest security level (level 100)

• The four predefined security zones do not need to be created and cannot be deleted, and their security levels cannot be reset. A security level ranges from 1 (the lowest) to 100 (the highest).

• Note that adding an interface to a security zone in fact means adding the network connected to the interface to the security zone; the interface itself still belongs to the Local security zone, which the system reserves to represent the device itself.

• The USGs support a maximum of 32 security zones.


• Firewall zones are classified on the basis of interfaces. That is, all network devices connected to the same interface belong to the same security zone, while one security zone can include multiple networks connected to multiple interfaces. The interfaces can be physical or logical. Therefore, users on different subnets reached through the same physical interface can be placed in different security zones by using subinterfaces, Vlanif interfaces, or other logical interfaces.

• Question: If different interfaces belong to one security zone, is the interzone packet-filtering policy still effective?
• Data flows between two security zones (referred to as an interzone) have two directions:

  • Inbound: data transfer from a zone with a lower security level to a zone with a higher security level

  • Outbound: data transfer from a zone with a higher security level to a zone with a lower security level

• High and low security levels are relative to each other.

• Data transmission between security zones of different security levels triggers USG security policy checks. Different security policies can be specified in advance for the two directions of the same interzone, so data flowing in each direction triggers a different security policy check.
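An added worked example (not from the Huawei course material) modelling the zone and direction rules described above: the predefined zone levels, interface-to-zone assignment, intrazone traffic passing without a policy, and inbound/outbound lookup of a per-direction interzone policy. Everything except GigabitEthernet 0/0/0 in Trust and the four predefined levels is an assumption, including the default deny for a direction with no configured rule.

```python
from typing import Dict, Optional, Tuple

# Predefined security zones and their security levels, as listed on the page.
PREDEFINED_ZONES: Dict[str, int] = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}
MAX_ZONES = 32          # page: the USG supports at most 32 security zones


class ZoneTable:
    """Security zones plus the interface-to-zone assignment."""
    def __init__(self) -> None:
        self.levels: Dict[str, int] = dict(PREDEFINED_ZONES)
        self.iface_zone: Dict[str, str] = {}

    def add_zone(self, name: str, level: int) -> None:
        # Predefined zones cannot be recreated or re-levelled; user levels are 1..100.
        if name in PREDEFINED_ZONES:
            raise ValueError(f"{name} is predefined; its level cannot be reset")
        if not 1 <= level <= 100:
            raise ValueError("security level must be between 1 (lowest) and 100 (highest)")
        if len(self.levels) >= MAX_ZONES:
            raise ValueError("zone limit reached")
        self.levels[name] = level

    def add_interface(self, iface: str, zone: str) -> None:
        # Adding an interface to a zone really adds the network behind it; the
        # interface itself always stays in the local zone (the device).
        if zone == "local":
            raise ValueError("interfaces are not assigned to the local zone")
        self.iface_zone[iface] = zone


def direction(levels: Dict[str, int], src_zone: str, dst_zone: str) -> str:
    """Inbound = lower level to higher level; outbound = higher to lower."""
    if src_zone == dst_zone:
        return "intrazone"
    return "inbound" if levels[src_zone] < levels[dst_zone] else "outbound"


class InterzonePolicy:
    """Per-interzone, per-direction actions. Assumption: a direction with no
    configured rule is denied."""
    def __init__(self, zones: ZoneTable) -> None:
        self.zones = zones
        self.rules: Dict[Tuple[str, str, str], str] = {}   # (low, high, dir) -> action

    def set_rule(self, zone_a: str, zone_b: str, dir_: str, action: str) -> None:
        lo, hi = sorted((zone_a, zone_b), key=lambda z: self.zones.levels[z])
        self.rules[(lo, hi, dir_)] = action

    def check(self, in_iface: str, out_iface: Optional[str] = None) -> Tuple[str, str]:
        """out_iface=None means the packet is addressed to the device itself (local zone)."""
        src = self.zones.iface_zone[in_iface]
        dst = "local" if out_iface is None else self.zones.iface_zone[out_iface]
        dir_ = direction(self.zones.levels, src, dst)
        if dir_ == "intrazone":
            return dir_, "permit"        # page: traffic inside one zone is not policed
        lo, hi = sorted((src, dst), key=lambda z: self.zones.levels[z])
        return dir_, self.rules.get((lo, hi, dir_), "deny")


def demo() -> Dict[str, Tuple[str, str]]:
    """Constructed deployment; returns {flow: (direction, action)}."""
    zones = ZoneTable()
    zones.add_interface("GE0/0/0", "trust")     # page: GE0/0/0 assigned to Trust
    zones.add_interface("GE0/0/1", "untrust")   # constructed assignments below
    zones.add_interface("GE0/0/2", "dmz")
    zones.add_interface("GE0/0/3", "trust")     # second interface in the same zone
    policy = InterzonePolicy(zones)
    policy.set_rule("trust", "untrust", "outbound", "permit")   # intranet to Internet
    policy.set_rule("untrust", "dmz", "inbound", "permit")      # Internet to published servers
    policy.set_rule("trust", "local", "inbound", "permit")      # management access to the device
    return {
        "trust->untrust": policy.check("GE0/0/0", "GE0/0/1"),
        "untrust->trust": policy.check("GE0/0/1", "GE0/0/0"),
        "untrust->dmz": policy.check("GE0/0/1", "GE0/0/2"),
        "trust->trust": policy.check("GE0/0/0", "GE0/0/3"),
        "trust->device": policy.check("GE0/0/0"),
        "untrust->device": policy.check("GE0/0/1"),
    }
```

The "trust->trust" flow answers the slide's question: two interfaces in one zone exchange traffic without any interzone policy being consulted.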
• The firewalls provide the following functions:
  • Routing
    • IPv4 routes and IPv6 routes
    • Static routes
    • Dynamic routes, including RIP, OSPF, BGP, and ISIS routes
    • Routing policies and routing iteration
  • Unified management
    • SNMP
    • Web-based management
    • NTP
  • Ethernet
    • Layer-2 and Layer-3 Ethernet interfaces and switchover between them
    • Eth-Trunk and VLAN
  • Security
    • UTM
  • Access technologies
• Access Control: The firewall enforces a set of policies and mechanisms. It inspects packet headers to allow legitimate data to reach specific resources and to block malicious or casual access.

• The access control process is as follows:

1. The firewall obtains packet header information from the packets to be forwarded. The information includes the upper-layer protocol, source IP address, destination IP address, source port, and destination port.

2. The firewall compares the header information with the configured access control policies.

3. The firewall allows or blocks the packet based on the action specified in the matched access control policy.
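As an added example, not part of the original course material, the following Python model contrasts the stateless packet filter described earlier (each packet judged against the ACL in isolation, on the header fields listed in the access control steps above) with stateful inspection (the ACL is consulted only when a session is created; later packets, including return traffic and replies in a UDP pseudo-session, are matched against the session table). The ACL, addresses and traffic are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flags: "S" (SYN), "SA" (SYN/ACK), "A" (ACK)


@dataclass(frozen=True)
class AclRule:
    action: str                   # "permit" or "deny"
    proto: Optional[str] = None   # None = wildcard
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        wanted = (("proto", self.proto), ("src", self.src),
                  ("dst", self.dst), ("dport", self.dport))
        return all(v is None or v == getattr(p, f) for f, v in wanted)


def acl_action(acl: List[AclRule], p: Packet) -> str:
    """First matching rule wins; an unmatched packet is implicitly denied."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


class PacketFilter:
    """Stateless filter: every packet is judged on its own header only."""
    def __init__(self, acl: List[AclRule]) -> None:
        self.acl = acl

    def forward(self, p: Packet) -> bool:
        return acl_action(self.acl, p) == "permit"


Key = Tuple[str, str, int, str, int]


class StatefulFirewall:
    """The ACL is consulted only when a session is opened (TCP SYN or first UDP
    packet); later packets in either direction must match a session entry."""
    def __init__(self, acl: List[AclRule]) -> None:
        self.acl = acl
        self.sessions: Dict[Key, str] = {}   # initiator's 5-tuple -> state

    @staticmethod
    def _key(p: Packet) -> Key:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> Key:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def forward(self, p: Packet) -> bool:
        key, rkey = self._key(p), self._reverse_key(p)
        if key in self.sessions:                 # initiator -> responder
            if p.proto == "tcp" and p.flags == "A" and self.sessions[key] == "SYN_RECV":
                self.sessions[key] = "ESTABLISHED"   # third handshake step seen
            return True
        if rkey in self.sessions:                # responder -> initiator (return traffic)
            if p.proto == "tcp" and p.flags == "SA" and self.sessions[rkey] == "SYN_SENT":
                self.sessions[rkey] = "SYN_RECV"     # second handshake step seen
            return True
        # No session yet: only a session-opening packet that the ACL permits creates one.
        if p.proto == "tcp" and p.flags != "S":
            return False                         # mid-stream packet without a handshake
        if acl_action(self.acl, p) != "permit":
            return False
        self.sessions[key] = "SYN_SENT" if p.proto == "tcp" else "UDP_PSEUDO"
        return True


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Constructed traffic; returns {label: (packet filter verdict, stateful verdict)}."""
    acl = [AclRule("permit", proto="tcp", dst="10.0.0.5", dport=80),    # web server
           AclRule("permit", proto="udp", dst="10.0.0.53", dport=53)]   # DNS server
    pf, sf = PacketFilter(acl), StatefulFirewall(acl)
    traffic = [
        ("spoofed ACK", Packet("tcp", "203.0.113.9", 4444, "10.0.0.5", 80, "A")),
        ("SYN",         Packet("tcp", "192.0.2.10", 50000, "10.0.0.5", 80, "S")),
        ("SYN/ACK",     Packet("tcp", "10.0.0.5", 80, "192.0.2.10", 50000, "SA")),
        ("ACK",         Packet("tcp", "192.0.2.10", 50000, "10.0.0.5", 80, "A")),
        ("DNS query",   Packet("udp", "192.0.2.10", 40000, "10.0.0.53", 53)),
        ("DNS reply",   Packet("udp", "10.0.0.53", 53, "192.0.2.10", 40000)),
    ]
    return {label: (pf.forward(p), sf.forward(p)) for label, p in traffic}
```

The packet filter passes the session-less ACK because its header matches the ACL, yet needs extra static rules before it will pass the SYN/ACK and DNS reply; the stateful firewall drops the former and forwards the latter from its session table.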
• The USG uses Service Awareness (SA) technology to perform in-depth inspection of packets, identify application-layer protocols, and control specific types of traffic. The USG analyzes packets, compares them with the signatures in the knowledge base, identifies online gaming, stock trading, P2P, IM, and VoIP traffic, and takes actions to control the traffic according to the application type and the associated policies.

  • Supports knowledge base query. The knowledge base covers a wide variety of protocol signatures.

  • Supports online and local update of the knowledge base.

  • Supports time-based control policies, for example to block applications such as MSN during working hours but allow them during off hours.

  • Supports control over online gaming, stock trading, P2P, IM, and VoIP traffic.

  • Supports user-defined rules to permit or block traffic (such as online gaming, stock trading, or P2P traffic) as needed.
• Identification based on application-layer gateways

  • Some services separate the control flow from the service flow, and the service flow itself carries no identifying characteristics. Identification based on an application layer gateway is designed for this kind of service. First, the application layer gateway identifies the control flow and selects the matching application-layer parser according to the control flow protocol to analyze the control flow, and from that analysis identifies the service flow. For example, SIP and H323 negotiate their data channels through signaling interaction; the data is generally voice encapsulated in RTP.

• Identification based on behavior patterns

  • Behavior pattern identification is usually used for services that cannot be identified by the protocol itself. Judged by content alone, the service flow of spam and that of ordinary email look the same, so only further analysis can identify spam. Specifically, a behavior identification model can be built from the email sending rate, the number of email addresses, and their change frequency to sort out spam.
• The Security Access Control Gateway (SACG) controls terminal network access permissions. Users in different security situations have different permissions. The control server (SC) authenticates the terminal and informs the SACG of the result, and the SACG then decides the access permission according to UCL policies, preventing external users and insecure intranet hosts from accessing intranet resources.

• Based on the SACG, the intranet is divided into three logical domains:

  • Access domain: It consists of a group of clients on which the TSM Agent is installed, forming a local network connected through Layer-2 or Layer-3 switches.

  • Pre-authentication domain: It is a logical domain whose ACL configuration is carried out on the SACG to ensure that, before authentication, users can access only the networks or hosts specified by the ACLs. The pre-authentication domain of the terminal security management system includes the management server (SM), the SC, the AD domain management server, the antivirus server, and the patch server.

  • Post-authentication domain: It is a logical domain corresponding to the pre-authentication domain. Its configuration is also completed on the SACG. When a user gains service authorization, the user can access the service resources in the post-authentication domain, such as the OA server, ERP server, and financial server.
• Typically, each intranet host has a default route whose next hop is the interface IP address of the egress router, so all packets exchanged between internal and external users go through that router. If the router fails, communication between the external network and all hosts using the router as the default next hop is interrupted, so communication reliability cannot be guaranteed.

• The Virtual Router Redundancy Protocol (VRRP) was developed to resolve this problem. VRRP organizes a group of routers on a LAN into a virtual router, which is called a VRRP group. Only one device in the group is active; all the others are in backup state and are prepared to take over services according to their priorities. If the active router in the VRRP group fails, a standby router in the group is selected according to priority to act as the new active router, which continues providing network routing services. Therefore, VRRP enables intranet hosts to communicate with external networks without interruption.

• To centrally manage multiple VRRP groups, Huawei proposes the VRRP Group Management Protocol (VGMP), which is responsible for unified management of all VRRP groups. The VGMP mechanism implements status consistency management, preemption management, and channel management of multiple VRRP groups to ensure that all interfaces on the same firewall are in the active state, or all in the standby state, at the same time.
• The IP link function uses ICMP or ARP probes to detect whether a service link is reachable. It sends ICMP or ARP requests to a specific IP address at regular intervals and waits for responses from that address to determine network connectivity. If no response packet is received within the specified time, the link is regarded as unreachable and the related operation is carried out. If three consecutive response packets are received within the specified time on a failed link, the link is regarded as recovered and the link recovery operations are carried out.
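An added example, not the USG's own implementation, of the detection logic just described: a missed probe marks the link unreachable and triggers the failure operation, and only three consecutive responses mark it recovered. The probe callable, the callbacks and the constructed reply sequence are assumptions.

```python
from typing import Callable, List, Tuple


class IpLinkMonitor:
    """Tracks reachability of one destination from periodic ICMP/ARP probes.
    A missed response marks the link unreachable; three consecutive responses
    on a failed link mark it recovered (hysteresis against flapping)."""
    RECOVERY_RESPONSES = 3

    def __init__(self, probe: Callable[[], bool],
                 on_down: Callable[[], None], on_up: Callable[[], None]) -> None:
        self.probe = probe            # returns True if a reply arrived within the timeout
        self.on_down, self.on_up = on_down, on_up
        self.reachable = True
        self.consecutive_ok = 0

    def poll(self) -> bool:
        """One probe interval; returns the link state after this probe."""
        replied = self.probe()
        if self.reachable:
            if not replied:
                self.reachable = False
                self.consecutive_ok = 0
                self.on_down()        # e.g. withdraw the route / switch to the backup link
        else:
            self.consecutive_ok = self.consecutive_ok + 1 if replied else 0
            if self.consecutive_ok >= self.RECOVERY_RESPONSES:
                self.reachable = True
                self.on_up()          # link recovery operation
        return self.reachable


def run_sequence(replies: List[bool]) -> Tuple[List[bool], List[str]]:
    """Replay a constructed sequence of probe outcomes (True = reply received);
    returns the link state after each poll and the actions that were triggered."""
    it = iter(replies)
    events: List[str] = []
    monitor = IpLinkMonitor(lambda: next(it),
                            lambda: events.append("down"),
                            lambda: events.append("up"))
    return [monitor.poll() for _ in replies], events
```

A real probe would wrap an ICMP echo or ARP request with a timeout; a single reply after an outage is deliberately not enough to restore the link.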
• The result of IP link automatic inspection (destination host reachable or unreachable) can be referenced by other functions. The main applications include:
• QoS enables firewalls to provide functions such as traffic classification, traffic policing, traffic shaping, congestion management, and congestion avoidance. It is the basis for differentiated services, and these functions aim to:

  • Traffic classification identifies traffic based on certain rules so that differentiated services can be implemented.

  • Traffic policing monitors the volume of specific traffic entering the network. If the traffic volume exceeds a certain threshold, the firewall takes actions to protect customer benefits and network resources.

  • Traffic shaping limits the traffic of specific data flows leaving a network so that the data flow is forwarded at a smooth rate. This is an active measure for scheduling traffic forwarding.

  • Congestion management is a mechanism for defining resource scheduling policies in case of traffic congestion, determining the order in which packets are processed. The major scheduling policies include FIFO, CQ, PQ, WFQ, and RTP.

Note: For Layer-3 interfaces on the USG5500, interface rate limiting must be configured for the queues to take effect. Classifier-based WRR is not subject to this limit.

  • Congestion avoidance enables the firewall to monitor network resource (queue and memory buffer) usage and discard packets in case of congestion. It is a traffic control mechanism that adjusts network traffic to resolve overload issues.
• Elog is dedicated log software for Huawei firewalls. It supports universal syslogs and binary logs.

• Syslogs

  • Common syslogs and traffic monitoring logs (excluding Service Awareness traffic monitoring logs) are output in text format as syslogs. These logs require the information center for log management and output redirection. They are then displayed on terminal screens or sent to log hosts for storage and analysis.

• Binary logs

  • Session logs (NAT/ASPF logs) and SA traffic monitoring logs are output in binary format. They are sent directly to binary log hosts for storage and analysis and do not require processing by the information center.
• Traffic attack

  • Traffic attacks refer to attacks in which the attacker uses large quantities of data to occupy excessive resources, causing servers to stop responding to service requests.

• Scanning and sniffing attack

  • Scanning and sniffing attacks mainly include IP sweep and port scanning attacks. In an IP sweep attack, the attacker sends IP packets such as TCP, UDP, and ICMP packets whose destination addresses change constantly, to find target hosts and networks.

• Malformed-packet attack

  • In malformed-packet attacks, the attacker sends malformed IP packets to the target system. The target system may encounter errors or crash when handling such packets. Malformed-packet attacks mainly include Ping of Death attacks and Teardrop attacks.

• Special-packet attack

  • In special-packet attacks, the attacker uses specific packets to probe networks or detect data. The packets used are normal packets that are seldom seen on networks.
• After analyzing packet statistics, the firewall can protect the intranet. For example, the firewall can:

  • Check whether the number of TCP or UDP connections from the Internet to the intranet exceeds the specified threshold, to determine whether to limit the connections in this direction or limit new connections to a specific intranet IP address.

  • Check whether the total number of connections exceeds the specified threshold. If so, the firewall can shorten the connection aging time to ensure that new connections can still be established and to prevent the system from denial of service.

• The firewall can create blacklist entries as follows:

1. It detects attacks with specific behavior characteristics from a specific IP address.

2. It automatically adds this IP address to the blacklist.

3. It discards packets from this IP address to ensure network security.

• You can reference advanced ACLs in the blacklist to ensure that special users are exempted from it. In this case, the security policy decides whether to allow packets based on the advanced ACLs: if an ACL rule denies the traffic, the firewall discards it, and if an ACL rule permits the traffic, the firewall forwards it, even if the IP address is blacklisted.
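An added example, not the USG's own code, that ties the connection-count check to automatic blacklisting and the advanced-ACL exemption described above: a source exceeding a new-connection threshold within a sliding window is blacklisted and its packets discarded, and when an exemption ACL is referenced, the ACL's permit/deny decision overrides the blacklist. The threshold, window, addresses and ACL are constructed; blacklist entries here never age out.

```python
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Optional, Set

# Advanced ACL modelled as a callable over (src, dst, dport) -> "permit" | "deny".
Acl = Callable[[str, str, int], str]


class AutoBlacklist:
    """Counts new connections per source over a sliding window; a source that
    exceeds the threshold is blacklisted and its packets discarded, unless an
    advanced ACL referenced by the blacklist decides otherwise."""
    def __init__(self, max_new_conns: int, window_s: float,
                 exempt_acl: Optional[Acl] = None) -> None:
        self.max_new_conns = max_new_conns
        self.window_s = window_s
        self.exempt_acl = exempt_acl
        self.history: Dict[str, Deque[float]] = defaultdict(deque)   # src -> timestamps
        self.blacklist: Set[str] = set()

    def new_connection(self, src: str, dst: str, dport: int, now: float) -> str:
        """Verdict for a new connection attempt: "permit" or "discard"."""
        if src in self.blacklist:
            if self.exempt_acl is not None:
                # The referenced ACL, not the blacklist, decides for this traffic.
                return "permit" if self.exempt_acl(src, dst, dport) == "permit" else "discard"
            return "discard"
        stamps = self.history[src]
        stamps.append(now)
        while stamps and now - stamps[0] > self.window_s:   # drop events outside the window
            stamps.popleft()
        if len(stamps) > self.max_new_conns:
            self.blacklist.add(src)       # behaviour characteristic detected: connection burst
            stamps.clear()
            return "discard"
        return "permit"


def demo() -> Dict[str, List[str]]:
    """Constructed bursts: an unknown source and a monitoring host that the
    exemption ACL allows to reach the web server on port 443 only."""
    def acl(src: str, dst: str, dport: int) -> str:
        return "permit" if src == "198.51.100.20" and dport == 443 else "deny"

    fw = AutoBlacklist(max_new_conns=5, window_s=1.0, exempt_acl=acl)
    out: Dict[str, List[str]] = defaultdict(list)
    for i in range(8):   # 8 new connections within 0.7 s from each source
        out["attacker"].append(fw.new_connection("203.0.113.7", "10.0.0.5", 80, 0.1 * i))
    for i in range(8):
        out["monitor"].append(fw.new_connection("198.51.100.20", "10.0.0.5", 443, 0.1 * i))
    out["monitor_other_port"].append(fw.new_connection("198.51.100.20", "10.0.0.5", 22, 2.0))
    out["attacker_later"].append(fw.new_connection("203.0.113.7", "10.0.0.5", 80, 60.0))
    return dict(out)
```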
• Load balancing enables the firewall to distribute user traffic to multiple servers using the following technologies:

• Virtual service technology

  • Every real server has a unique private IP address (real IP address), but all of them share the same public IP address (virtual IP address). All user access to these servers is sent to the virtual IP address, and the firewall distributes the traffic destined for the virtual server IP address to each real server using the configured load balancing algorithm.

• Server health check

  • The firewall probes the real servers regularly. If a real server is available, it returns a response packet. If not, the firewall stops using this real server and forwards traffic to other real servers based on the configured policies.

• Traffic-based forwarding

  • The firewall sends data streams to each real server for processing based on the specified algorithm.
• SA inspects the content of application-layer data. The firewall matches the application-layer data in parsed packets against the rules in the SA signature database to determine the application type of packets or flows at the layers above IP and UDP/TCP.

• If a match is found, control actions are performed on the identified network traffic, such as allowing or blocking the traffic, limiting the number of connections, and limiting the traffic rate.
• Throughput refers to the packet processing capability of a firewall. RFC2647 defines firewall throughput as the number of bits that a firewall receives, processes, and forwards to the correct destination interface per second. When testing firewall throughput, ignore error traffic and retransmitted traffic; that is, count only the traffic that is forwarded to the destination interface. Traffic at different load levels and in different directions also needs to be tested to obtain the final average value. For load levels, the industry generally uses big packets of 1 KB to 1.5 KB to measure firewall packet processing capability. However, most network traffic consists of 200-byte packets, so the test should also consider small-packet throughput. Firewalls must have rules configured, so the forwarding performance a firewall sustains with the ACL applied also needs to be tested.

• New connections per second refers to the number of complete new TCP connections established on a firewall per second.

• Connections are established dynamically according to the current situation of both communicating parties. Each session must establish a connection on the firewall before data exchange. If connection establishment on the firewall is slow, the client experiences a long delay at each communication. Therefore, the larger this indicator is, the higher the forwarding rate. Moreover, in case of attacks, the defense capability is stronger when this indicator is large, and so is the backup capability.

• The greater this indicator is, the stronger the attack defense capability. When the number of concurrent connections reaches the upper limit, new connection request packets are dropped when they reach the firewall.
• Device login management

  • Logging in through the console port: Log in to the device through the console port connected to the PC.

  • Logging in through Web: Access the firewall from the PC through a Web browser to control and manage the firewall.

  • Logging in through Telnet: Connect the PC to the network and log in to the firewall through Telnet.

  • Logging in through SSH: SSH provides secure information exchange and strong authentication, protecting the system from attacks such as IP spoofing.

• File management

  • A configuration file contains the configuration items loaded when the firewall starts. You can save, modify, or clear the configuration file, or select the configuration file to be loaded at startup. The system files include the software version and the database file.

  • You can upload system software to the firewall using TFTP or FTP.

  • A license acts as an agreement by which the device provider authorizes the use and duration of product features. A license can dynamically control the availability of certain product features.
• Logging in through the console port: Log in to the USG through the console port connected to the PC, power on the USG, and configure it for the first time. If you cannot access the USG remotely, you can log in to it locally through the console port. If the USG cannot start normally, you can diagnose the system or enter the BootROM system through the console port to upgrade it.

• Logging in through Telnet: Connect the PC to the network and log in to the USG through Telnet to perform local or remote configuration. The USG then authenticates users according to the specified login parameters. Logging in through Telnet facilitates remote management and maintenance of the USG.

• Logging in through SSH: SSH provides secure information exchange and strong authentication, protecting the system from attacks such as IP spoofing. Logging in through SSH ensures the security of data exchange to the greatest extent.

• Logging in through Web: You can access the USG from the PC through a Web browser to control and manage the USG. This applies to the scenario where you log in to the USG from a PC through the Web.
• To configure the USG from a PC, you need to run a terminal emulation program, such as Windows 3.1 Terminal or Windows 98/Windows 2000/Windows XP HyperTerminal, on the PC to set up a new connection. As shown in the figure, enter a name for the connection and click OK.

• In the dialog box for setting serial port attributes, set the baud rate to 9600, data bits to 8, parity to none, stop bits to 1, and flow control to none. Then click OK to return to the HyperTerminal window.

• Power on the USG and check whether the indicators on the front panel are normal.

• By default, HTTP and HTTPS are enabled on the USG. HTTPS is recommended to improve security. Users can log in with the default user name and password (admin/Admin@123). For security reasons, change the password after login.
• Enabling HTTP

  • Run the system-view command to enter the system view.

  • Run the web-manager enable [ port port-number ] command to enable HTTP.

You can then enter an address in the http://ip-address:port format in the Web browser to access the device. The default port number is 80.

• Enabling HTTPS (default certificate)

  • Run the system-view command to enter the system view.

  • Run the web-manager security enable port port-number command to enable HTTPS.

You can then enter an address in the https://ip-address:port format in the Web browser to access the device.

• The local-user level command sets the priority of a local user.

  • Level 3: management level

• Enable Web management and the HTTP/HTTPS services as required and set the port number. After the HTTP/HTTPS services are enabled (using the device as a Web server), you can configure terminals to access the device through HTTP/HTTPS for remote configuration and management. HTTPS is more secure than HTTP; therefore, you are advised to use the HTTPS service on a network that requires enhanced security.

• Creating an administrator account:

1. Choose System > Admin > Administrators.

2. Click Add.

3. Set the administrator parameters.

• Configuring device services:

1. Choose System > Admin > Settings.

2. Select Enable for HTTPS/HTTP Service.

3. Enter a port number in HTTP Port, HTTPS Port, or both.

4. Click Apply.

• Configure the login interface.

1. Choose Network > Interface and choose the interface you want to configure.

2. Set the parameters: security zone, IP address, and allow HTTPS management.

• Assign interface GigabitEthernet 0/0/0 to the Trust zone with the default IP address 192.168.0.1/24.

• The USG provides two methods for verifying the validity of Telnet users: password authentication and AAA authentication.

• Password authentication:

  • When the authentication mode is password authentication, remote users need to enter only their passwords to log in to the USG.

  • Run the user-interface [ interface-type ] first-number [ last-number ] command to enter the VTY user interface view.

  • Run the authentication-mode password command to set the authentication mode to password authentication.

  • Run the set authentication password cipher password command to set the password for password authentication.

• AAA authentication:

  • Run the user-interface [ interface-type ] first-number [ last-number ] command to enter the VTY user interface view.

  • Run the authentication-mode aaa command to set the authentication mode to AAA authentication.
 Enable the telnet service.

1. Choose System > Admin > Settings

2. Click to select the telnet service check box


 Creating a telnet administrator account:

1. Choose System > Admin > Administrators

2. Click Add

3. Set the administrator parameters, add telnet service.


 Configure the login interface.

1. Choose Network > Interface, choose the right interface you want to configure.

2. Set the parameters: security zone, IP address, and allow Telnet management.

 SSH provides enhanced information security and powerful authentication for user login to
the device. Configure USG interface SSH device management function as required.

 Generate a local RSA key pair on the USG.

 To log in to the device successfully, you must configure and generate a local RSA key pair
on the USG. Before you perform other SSH configurations, you must run the rsa local-key-pair create
command to create a local RSA key pair. You need to run this command
only once. After the device is restarted, you do not need to run it again.

 Create an SSH user on the USG.

 When the USG functions as an SSH server, you can configure SSH user
authentication mode as password or RSA authentication. Here we use password
authentication as an example.
 saved-configuration:

 Configuration file for the next startup. The USG stores the configuration file in its
Flash or CF card, and it is still available after a restart.

 current-configuration:

 Running configuration file of the USG. Command and web operations are performed
on the running configuration file. It is saved in the memory of the USG and is
unavailable after restart.

 Save the configuration file.

 Save the configurations for the next startup to use.

 Method 1 (CLI): In the user view, run the save command.

 Method 2 (Web): In the upper right of the homepage, click save.

 Reboot the device.

 Restart the USG and log the restart.

 Method 1 (CLI): In the user view, run the reboot command.

 Method 2 (Web): Log in to the USG web UI and choose System > Maintenance >
Restart.
 TFTP

 The USG serving as the TFTP client obtains system software from the TFTP server. In
this case, the TFTP server and the USG are not required to be on the same network
segment, but they must be able to reach each other.

 FTP

 If FTP is used, the FTP server and the USG are likewise not required to be on the same
network segment, but they must also be able to reach each other.

 The USG serves as an FTP client.

 Run the FTP server program on the terminal that acts as the FTP server and save the
system software to be downloaded in the corresponding FTP directory. In the user view
of the USG, use commands to download the system software to the corresponding
directory of the USG.

 The USG serves as an FTP server.

 Start the FTP server on the USG. Log in to the USG using an FTP client and
upload system software to the corresponding directory of the USG.
 One-touch system software upgrade

 If the storage space in the USG is insufficient, the USG automatically deletes the
running system software.

 The system software must use .bin as the file name extension, and the file name can
contain any Chinese characters.

 Choose System > System Upgrade.

 Click One-Touch Version Upgrade. The wizard for one-touch version upgrade is
displayed.

 Optional: Click Export to export USG alarm information, log information, and
configuration information to a terminal. You are advised to save the configuration
information to the terminal.

 Click Browse and select the system software to be uploaded.

 Select Restart the system now or Do not restart the system according to
whether the current network allows the device to restart immediately after system
upgrade.

 The USG must restart for the target system software to take effect.
 A license file must use .dat as the file name extension, and the file name cannot contain
any Chinese characters.

 Choose System > License Management.

 Select Local Manual Activation from License Activation Mode.

 Click Browse. Select the license file to be uploaded.

 Click Activate to activate the uploaded license file.


 VRP system commands are hierarchically classified. They are classified into four levels,
including the visit level, monitoring level, configuration level, and management level.

 The system also classifies login users into four levels, which correspond to the
command levels. After users of different levels log in to the system, they can use only
the commands at or below their own level. To switch from a lower-level user to a
higher-level user, use the super password [ level user-level ] { simple | cipher }
password command.
 The system divides the command line interface into multiple command views. Every
command is registered under one or more command views and can be run only in the
views it is registered under.

 After the connection with the firewall is established, the user view is displayed. You can
view the operating status and statistics in this view. From there you can access the
system view, where the configuration commands you enter lead to the corresponding
protocol and interface views.
 The VRP platform provides online help for the command line. Type a question mark
wherever you need help.

1. For example, you can type a question mark in the system view. Then the system
displays command parameters that can be configured in the system view.

2. Or type a space after a parameter and then type a question mark. The list of
available parameters is displayed.

3. Type a character string and then a question mark. The system lists all commands
beginning with this character string.
 Type the first few characters of a command keyword and then press Tab. The
complete keyword is displayed.

 When the pause menu is displayed, press Ctrl+C to stop display and command execution.

 When the pause menu is displayed, press Space to continue to display the information of
the next screen.

 When the pause menu is displayed, press Enter to continue to display the information of
the next line.
 Configure the network to enable network communication.

 Configure the object to manage the common factors referenced in all policies.

 Configure policies to secure the network and manage the traffic.


 The USG supports the following two interface cards:

 Layer-2 interface card: All interfaces are Layer-2 Ethernet interfaces and cannot
be switched to Layer-3 interfaces.

 Layer-3 interface card: All interfaces are Layer-3 Ethernet interfaces by default.
You can run the portswitch command to switch them to Layer-2 Ethernet interfaces.
 Create a security zone.

 Step 1 Run the system-view command to enter the system view.

 Step 2 Run the firewall zone [ name ] zone-name command to create a
security zone and enter the security zone view.

Run the firewall zone command based on the following scenarios:

If the security zone exists: Do not configure the keyword name. The security zone
view is displayed directly.

If the security zone does not exist: Configure the keyword name. Then the security
zone view is displayed.

The system predefines four security zones: Local, Trust, DMZ, and Untrust. In
routing mode, these four security zones do not need to be created and cannot be
deleted. The firewall supports up to 16 security zones.

 Step 3 Run the set priority security-priority command to configure the security
level of the security zone.
 The action command configures the action in the security policy rule.

 Permit: Indicates that the traffic that matches the rule is permitted.

 Deny: Indicates that the traffic that matches the rule is denied.

 By default, NGFW blocks all the inter-zone packets.
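As an added example (not Huawei's code), the following Python model ties together the security-zone notes and the security-policy action notes above: zone priorities, the 16-zone limit, inbound/outbound direction between zones, and top-down rule evaluation ending in the default inter-zone deny. The predefined zone priorities (Local 100, Trust 85, DMZ 50, Untrust 5), the interface-to-zone map and the sample rules are assumptions constructed for illustration, not values from this page.

```python
from ipaddress import ip_address, ip_network

# Predefined zones and priorities; the numeric values are an assumption here
# (the page only names the zones). Each priority must be unique.
ZONES = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}
MAX_ZONES = 16

# Constructed interface-to-zone assignment (not from the page).
IFZONE = {
    "GigabitEthernet0/0/0": "trust",
    "GigabitEthernet0/0/1": "untrust",
    "GigabitEthernet0/0/2": "dmz",
}

# Constructed rules, evaluated top-down; the first match decides.
RULES = [
    {"name": "trust_to_internet", "src_zone": "trust", "dst_zone": "untrust",
     "src": "192.168.0.0/24", "dst": "0.0.0.0/0", "action": "permit"},
    {"name": "internet_to_dmz_web", "src_zone": "untrust", "dst_zone": "dmz",
     "src": "0.0.0.0/0", "dst": "10.1.1.10/32", "action": "permit"},
]

def add_zone(zones, name, priority):
    """Model 'firewall zone name X' + 'set priority N': an existing zone is
    re-entered unchanged; a new one needs a free slot and a unique priority."""
    if name in zones:
        return zones
    if len(zones) >= MAX_ZONES:
        raise ValueError("at most 16 security zones are supported")
    if not 1 <= priority <= 100 or priority in zones.values():
        raise ValueError("priority must be unique and within 1..100")
    zones[name] = priority
    return zones

def direction(zones, src_zone, dst_zone):
    """Inbound = lower-priority zone to higher-priority zone; outbound = reverse."""
    return "inbound" if zones[src_zone] < zones[dst_zone] else "outbound"

def evaluate(rules, ifzone, in_if, out_if, src_ip, dst_ip):
    """Return (action, rule_name) for an inter-zone packet; with no matching
    rule it is dropped, mirroring the NGFW default of blocking inter-zone traffic."""
    src_zone, dst_zone = ifzone[in_if], ifzone[out_if]
    for rule in rules:
        if (rule["src_zone"] == src_zone and rule["dst_zone"] == dst_zone
                and ip_address(src_ip) in ip_network(rule["src"])
                and ip_address(dst_ip) in ip_network(rule["dst"])):
            return (rule["action"], rule["name"])
    return ("deny", "default")
```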


 An interconnection network can be established by configuring static routes. If a
network failure occurs, the static route will not be changed automatically. Therefore,
it must be changed by the administrator.

 The default route is used if no routing entry is matched. In the routing table, the
default route is configured as the route to network 0.0.0.0 (mask:0.0.0.0). If the
destination address of the packet does not match any entry of the routing table, this
packet will use the default route. If the default route does not exist and the
destination address of the packet is not in the routing table, this packet will be
discarded. Meanwhile, an ICMP packet is returned to the source indicating that this
destination address or network is unreachable.
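As an added example (not Huawei's code), this Python lookup shows the routing behaviour just described: longest-prefix match over a static routing table, the 0.0.0.0/0 default route as the fallback, and the unreachable result that makes the device discard the packet and return an ICMP destination-unreachable message. The routes and next hops are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# Constructed static routing table: (destination network, next hop).
# The entry with mask 0.0.0.0 (prefix length 0) is the default route.
STATIC_ROUTES = [
    ("192.168.0.0/24", "direct"),
    ("10.1.0.0/16", "10.0.0.2"),
    ("10.1.1.0/24", "10.0.0.3"),
    ("0.0.0.0/0", "203.0.113.1"),
]

def lookup(routes, dst):
    """Return (matched_network, next_hop) for destination dst.
    The most specific (longest prefix) matching entry wins; 0.0.0.0/0 matches
    every address but has length 0, so it is chosen only when nothing more
    specific exists. With no match at all the packet would be discarded and
    an ICMP destination-unreachable message returned to the source."""
    addr = ip_address(dst)
    best = None
    for net_str, next_hop in routes:
        net = ip_network(net_str)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        return (None, "unreachable")
    return (str(best[0]), best[1])

def delete_route(routes, network):
    """Static routes never change on their own: removing one after a
    failure is an administrator action, modelled here as a new table."""
    return [r for r in routes if r[0] != network]
```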
 Choose Network > Interface > Interface.

 Set an IP address and switch the interface mode.

 The USG supports the two types of interface cards:

 Layer-2 interface card: All interfaces are Layer-2 interfaces and cannot be switched to
Layer-3 interfaces.

 Layer-3 interface card: All interfaces are Layer-3 interfaces by default and can be switched
to Layer-2 interfaces using the portswitch command.
 Step 1 Choose Network > Zone.

 Step 2 Select a default zone or create a zone.

 Step 3 If you create a zone, set the zone name and security level.

 Step 4 Assign an interface to a zone.
 Configuring a security policy using the Web UI.

1. Choose Policy > Security Policy > Security Policy.

2. Click Add.

3. Configure the name and description of the security policy.

4. Define the match conditions of the security policy.

5. Configure the action of the security policy.

6. Configure the profiles.

7. Click OK to complete the application of the security policy.


 Choose Network > Router > Static Route to create a static route.
