
RG-WALL 1600 Series Next-Generation Firewall Cookbook

2017-05-17
11.x Project Configuration Guide Template

Firewall Maintenance

1.1     Device Management

1.1.1     Web-based Management

Networking Requirements

Via a Web visual interface, you can configure the firewall, for example, configure the management function of the wan1 interface.

Network Topology

Configuration Tips

The default IP address of the NGFW is 192.168.1.200, and you can perform Web management via HTTPS (the default user name is admin, and the default password is firewall). The management interface of each model is as follows:

RG-WALL 1600-X9300:   mgmt1 interface

RG-WALL 1600-X8500:    mgmt1 interface

RG-WALL 1600-X6600:    mgmt1 interface

RG-WALL 1600-M5100:   mgmt interface

RG-WALL 1600-S3600:    internal interface, corresponding to the switching interfaces 1 to 14

RG-WALL 1600-S3100:   internal interface, corresponding to the switching interfaces 1 to 7

 

*         All switching interfaces of the S3100 and S3600 are Layer-3 internal interfaces; only internal interfaces are suitable for Layer-3 configurations, for example, IP address configurations.

 

Set the IP address of the PC to 192.168.1.1/24, connect it to the internal interface or MGMT interface, open the IE browser, enter https://192.168.1.200, and log in to the NGFW management page with the user name admin and password firewall. If you forget the password, you can restore the initial password as instructed in the section “Firewall Maintenance” > “Password Recovery”.

After you log in to the device, enable the management function of the wan1 interface.

By default, the other interfaces have no IP address, and no management access (for example, HTTPS) is enabled on them.

If the firewall interface address is modified but you forget the new password, you can enter the CLI to view the current configurations.

 

*         It is recommended that you use Firefox or IE10 (or later). If you use a third-party browser (for example, 360 or Travel), use its high-speed mode.

 

Configuration Steps

1.      When the NGFW is configured with default values, set the IP address of the PC to 192.168.1.1, and set the IP address of the gateway to 192.168.1.200;

 

In the address bar of the IE browser, enter https://192.168.1.200, and the firewall login page pops up.

Enter the user name admin and default password firewall, and then the homepage of the firewall pops up.

2.      Set the IP address of the wan1 interface to 192.168.33.51/24, and enable the management function of the internal interface.

Choose the System > Network > Interface menu.

Double-click the wan1 interface to edit the following parameters:

Set the IP address of the interface to 192.168.0.200/24.

Administrative Access: Select HTTPS, PING, and SSH. Their meanings are as follows:

HTTPS: Allow users to use https://192.168.0.200 to manage the device;

Ping: Users are allowed to ping this interface address. If it is deselected, the interface address cannot be pinged even if it is reachable;

HTTP: Allow users to use http://192.168.0.200 to manage the device;

SSH: Allow users to use ssh 192.168.0.200 to manage the device;

SNMP: Allow users to perform SNMP management via the interface;

TELNET: Allow users to use telnet 192.168.0.200 to manage the device.

 

Verification

Enter https://192.168.0.200 in the browser, and then verify the configurations.

 

1.1.2     Console Management

Networking Requirements

To perform configuration management, you can use HyperTerminal or CRT to enter the CLI via a Console cable. By default, the firewall allows Console management.

Network Topology

Configuration Tips

1.      Prepare a Console cable and a PC.

2.      Connect the Console cable.

Connect the RJ45 connector end of the Console cable to the Console port of the network device, and connect the other end of the Console cable to the Com port of the PC.

3.      Configure the HyperTerminal

a)      A PC running Windows XP has built-in HyperTerminal; on Windows 7, you need to install HyperTerminal separately.

b)      By default, Windows Server 2003 does not include HyperTerminal. You need to install it in Control Panel > Add/Remove Programs, or download it directly from Attachment 1.

c)      If you fail to enter the CLI after configuration, check whether the Console cable is connected to the Console port, whether the data bits of HyperTerminal are configured correctly, and whether you clicked Restore Defaults. If you still cannot enter the CLI after performing the above checks, try another PC, Console cable, or HyperTerminal.

 

Operation Steps

1.      Prepare a Console cable and a PC

2.      Connect the Console cable

Insert the RJ45 connector end of the Console cable to the Console port of the network device (the Console port is usually beside the Ethernet port of the network device, and is marked with Console), and then insert the DB9 port of the Console cable to the Com port of the PC.

3.      Configure the HyperTerminal

 

Verification

Press the Enter key, and the system displays RG-WALL login, prompting you to enter the username admin and password firewall (if the password is changed or you forget the password, you can do as instructed in the section “Password Recovery”).

 

 

 

1.1.3     SSH/Telnet

Networking Requirements

If you want to enter the CLI of a device to configure it or gather related information, but no Console cable is available or you are far away from the device, you can manage the device remotely via Telnet or SSH.

Network Topology

Configuration Tips

To use Telnet or SSH, first ensure connectivity between the management host and the interface address of the device. You can tick the Ping function of the interface; if the management host can ping the interface address, the connectivity between them is normal.

1.      Enable the Telnet and SSH functions on the interface.

2.      Telnet the management device.

3.      SSH the management device.

 

Configuration Steps

1.      Enable the Telnet and SSH functions on the interface

Choose the System > Network > Interface menu, and edit the internal interface by double-clicking it, as shown in the following figures:

Tick SSH and TELNET (by default, the Telnet and ping functions of the interface are disabled), and click OK.

1.2     Administrator Settings

I. Requirements

According to the factory settings, the default account is admin (with all privileges), and the default password is firewall. The requirements are as follows:

Change the admin password to ruijie@123, and set the trusted host IP address of the admin account to 172.18.10.108/32. This means that only this host (172.18.10.108) can use the admin account to manage the device.

Create a monitor account with read-only privilege. Set the password to 123456a!. Do not restrict the management host IP address (login is allowed from all hosts), and set the permission to read-only.

Define the password policy which specifies password complexity.

Set the timeout interval of the Web page. If an administrator does not perform any operation within 90 minutes for example, the administrator will automatically log out.

II. Configuration Tips

Change the admin password and set management IP addresses.

Set Admin Profile to readonly.

Create a monitor account.

Define the password policy and change administrator settings.

III. Configuration Steps

Change the admin password and set management IP addresses.

Choose System > Admin > Administrators.

Click the edit button for the admin account (or double-click the entry), and then click Change Password.

In the Edit Password dialog box that is displayed, change the password to ruijie@123, and then click OK.

Tick Restrict this Admin Login from Trusted Hosts Only, enter the management IP address 172.18.10.108/32 in Trusted Host #1, and then click OK.

Up to three trusted hosts can be added on this page. To add up to 10 trusted hosts, run the following commands:

RG-WALL # config system admin

RG-WALL (admin) # edit admin

RG-WALL (admin) # set trusthost1 172.18.10.108 255.255.255.255

RG-WALL (admin) # set trusthost2 172.19.10.108 255.255.255.255

RG-WALL (admin) # set trusthost3 172.119.10.108 255.255.255.255

RG-WALL (admin) # end

Set Admin Profile to readonly.

Choose System > Admin > Admin Profile, and then click Create New.

 

Profile Name: Set it to readonly.

Tick Read Only for all items.

Create a monitor account.

Choose System > Admin > Administrators, and then click Create New.

Create a monitor account, set the password to 123456a!, set Admin Profile to readonly, and set no limit to IP addresses for the management hosts, as shown in the following figure.

 

Define the password policy and change administrator settings.

If a password must contain at least 6 characters comprising letters, digits, and special characters (such as !@#$%&'), set the password policy as follows.

Choose System > Admin > Settings, as shown in the following figure.

Enable: Tick Enable.

Minimum Length: It indicates the minimum length of a password.

Must Contain: Specifies the required number of letters, digits, and special characters.

Apply Password Policy to: Select the admin password.

Admin Password Expires after: Configure the expiry date of a password. The system prompts the administrator to change the password after the expiry date.

Idle Timeout: If an administrator does not perform any operation within the specified time, the administrator will automatically log out.

Note: The total length of uppercase letters, lowercase letters, digits, and special characters should be less than or equal to the maximum length; otherwise, the policy setting is invalid.

 

IV. Verification

Log in with the monitor account and try to change a setting. The error prompt Permission denied is displayed.

 

1.3     Upgrading Software

1.3.1     TFTP Upgrade

Networking Requirements

The firewall system can be upgraded via the Web interface or via TFTP from the CLI. This section describes the TFTP upgrade.

*         Before the upgrade, be sure to back up the firewall configurations. For details, refer to the section “Firewall Maintenance” > “Configuration Backup and Recovery”.

 

Network Topology

Configuration Tips

1.      Prepare tools and connect the Console cable;

2.      Connect the network cable, and ensure that network communication is normal;

3.      Set up the TFTP server;

4.      Begin the upgrade.

 

Configuration Steps

1.      Prepare tools

Prepare the Console cable, network cable, upgrade file, TFTP tool, and a USB-to-serial adapter (if the PC has no Com port), and install its driver;

2.      Connect the network cable, and ensure that network communication is normal;

3.      Set up the TFTP server;

4.      Begin the upgrade.

You can download the Cisco TFTP server from the attachment.

Run the Cisco TFTP software, and save the upgrade firmware into the TFTP root folder (the folder in the red frame below; the installer specifies this folder), for example, c:\tftp.

 

 

Restart the device, and perform the following steps:

5.      Enter M (press Shift + m), and enter the BIOS menu:

...

[G]:  Get firmware image from TFTP server.

[F]:  Format boot device.

[B]:  Boot with backup firmware and set as default.

[I]:  Configuration and information.

[Q]:  Quit menu and continue to boot with default firmware.

[H]:  Display this list of options.

 

6.      Select F to format the Flash card (optional);

Enter Selection [G]:

 

Enter G,F,B,I,Q,or H:  F                                   // Select F to set format to the Flash card. Optional

 

All data will be erased,continue:[Y/N]?Y

 

7.      Select G to download the image file:

Enter G,F,B,I,Q,or H:  G                                   // Select G to download the image file from the server.

Please connect TFTP server to Ethernet port "MGMT1".       // Connect the PC to the MGMT1 port of the firewall.

 

Enter TFTP server address [192.168.1.1]:                 // Enter the address of the TFTP server.

Enter local address [192.168.1.200]:                       // Assign a temporary IP address to MGMT1.

Enter firmware image file name [image.out]: Ruijie_XXX_ .bin    // Enter the name of the image file.

MAC:14144B7EE172

###########################################

 

8.      The TFTP server prompts successful download:

Total 45387871 bytes data downloaded.

Verifying the integrity of the firmware image.

 

Total 262144kB unzipped.

Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?d        // Save as the default boot firmware.

Programming the boot device now.

................................................................................................................................................................................................................................................................

Reading boot image 1401958 bytes.

Initializing firewall...

System is starting...

Resizing shared data partition...done

Formatting shared data partition ... done!

 

1.3.2     Web-based Upgrade

Networking Requirements

The current system software version is outdated, so it needs to be upgraded via a Web interface.

*         Before the upgrade, be sure to back up the device configurations. For details, refer to the section “Firewall Maintenance” > “Configuration Backup and Recovery”.

 

Configuration Points

1.      RG-WALL: It is a next-generation firewall. Each model of the device has a separate version file; before the upgrade, confirm the current device model.

2.      The postfix of the upgrade package must be “.bin”, and its prefix is not restricted;

3.      Before the upgrade, prepare a Console cable, so as to take measures in case of upgrade failure;

4.      During the upgrade process, do not switch to other interfaces, nor power off or restart the device; the upgrade process usually takes less than five minutes;

5.      After the new version is imported, the device is automatically restarted, and then the upgrade takes effect.

 

*         The upgrade interrupts the network. During the upgrade process, follow the upgrade procedure strictly; incorrect operations can cause the system image to be lost.

 

Upgrade Procedure

1.      Log in to the Web interface of the NGFW

Choose the System > Dashboard Status > Firmware Version menu, and click the Update button;

                  

2.      Select the related OS files

Click OK, and then the system is automatically restarted.

Verification 

The system will be restarted via the newly loaded OS.

Precautions

The P3 version makes many changes over the previous versions; use the following upgrade procedure:

1.      Before the upgrade, be sure to disable the auto-ipsec management property of the wan1 and wan2 interfaces via the CLI (if the management property is not disabled, the P3 version reports errors when switching to transparent mode).

1)      View the management property of interfaces

RG-WALL # show system interface
config system interface
    edit "wan1"
        set vdom "root"
        set ip 192.168.57.74 255.255.255.0
        set allowaccess ping https ssh telnet auto-ipsec
        set type physical
        set snmp-index 1
    next
    edit "wan2"
        set vdom "root"
        set ip 192.168.101.200 255.255.255.0
        set allowaccess ping auto-ipsec
        set type physical
        set snmp-index 2

2)      Disable the auto ipsec property of the wan1 and wan2 interfaces

RG-WALL # config system interface

RG-WALL (interface) # edit wan1

RG-WALL (wan1) # set allowaccess ping https ssh

RG-WALL (wan1) # next

RG-WALL (interface) # edit wan2

RG-WALL (wan2) # set allowaccess ping

RG-WALL (wan2) # end

2.      Upgrade the P0, P1 or P2 version to the P3 version via a Web interface (the upgrade process takes about five minutes);

3.      To attain complete upgrade, you need to upgrade the P3 version again on a Web interface;

1)      During the upgrade to the P3 version, a formatting action is added, so as to ensure complete upgrade;

2)      The formatting operation will not clear the original configurations;

3)      The subsequent versions are not affected by this; only the P3 version requires two upgrades;

4)      The upgrade process takes about 5 minutes.

4.      Upgrade path: P0, P1 or P2 -> P3 -> P3 (the upgrade to P3 is performed twice).

5.      Whether auto-ipsec is enabled by default depends on the device model:

1)      S3100: By default, auto-ipsec is enabled on wan1 and wan2;

2)      S3600: By default, auto-ipsec is enabled on wan1 and wan2;

3)      M5100: By default, auto-ipsec is enabled on wan1;

4)      M6600 and X9300: auto-ipsec is not enabled on the interfaces.
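The pre-upgrade check above (no auto-ipsec on the wan interfaces) and the trusted-host requirement of section 1.2 can both be verified from a pasted `show system interface` / `show system admin` dump. The following audit script is an added example, not code from the cookbook or from Ruijie: it parses the `config / edit / set / next / end` format shown on this page, reports interfaces with auto-ipsec or cleartext (telnet, http) management access and admins without a trusthost entry, and emits the same `set allowaccess` commands as step 2 above; the configuration text inside it is constructed.

```python
"""Audit an RG-WALL configuration dump for the management-access weaknesses this cookbook
warns about (added example, not cookbook or Ruijie code). Checks drawn from the page:
  * section 1.2: every administrator should be restricted to trusted hosts (trusthostN);
  * sections 1.1.1/1.1.3: interfaces should not expose cleartext telnet or http management;
  * section 1.3.2 precautions: wan interfaces must have auto-ipsec removed before the P3 upgrade."""
import shlex
from typing import Dict, List

# Management protocols that send credentials in cleartext.
CLEARTEXT_ACCESS = {"telnet", "http"}

# Constructed sample in the format `show system interface` / `show system admin` print.
SAMPLE_DUMP = """\
RG-WALL # show system interface
config system interface
    edit "wan1"
        set ip 192.168.57.74 255.255.255.0
        set allowaccess ping https ssh telnet auto-ipsec
    next
    edit "wan2"
        set ip 192.168.101.200 255.255.255.0
        set allowaccess ping auto-ipsec
    next
end
RG-WALL # show system admin
config system admin
    edit "admin"
        set trusthost1 172.18.10.108 255.255.255.255
    next
    edit "monitor"
    next
end
"""


def parse_config(text: str) -> Dict[str, Dict[str, Dict[str, List[str]]]]:
    """Parse config/edit/set/next/end blocks into {table: {entry: {attribute: [values]}}}.
    CLI prompt lines are skipped; nested sub-tables inside an entry are ignored."""
    tables: Dict[str, Dict[str, Dict[str, List[str]]]] = {}
    table = entry = None
    depth = 0  # number of enclosing `config` blocks; only depth 1 is recorded
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("RG-WALL"):
            continue
        cmd, *args = shlex.split(line)  # shlex removes the quotes around "wan1"
        if cmd == "config":
            depth += 1
            if depth == 1:
                table = " ".join(args)
                tables.setdefault(table, {})
        elif cmd == "edit" and depth == 1 and table is not None:
            entry = args[0]
            tables[table].setdefault(entry, {})
        elif cmd == "set" and depth == 1 and entry is not None:
            tables[table][entry][args[0]] = args[1:]
        elif cmd == "next" and depth == 1:
            entry = None
        elif cmd == "end":
            depth -= 1
            if depth == 0:
                table = entry = None
    return tables


def audit_admins(cfg) -> List[str]:
    """Flag administrator accounts that may log in from any address (section 1.2)."""
    findings = []
    for name, attrs in cfg.get("system admin", {}).items():
        if not any(key.startswith("trusthost") for key in attrs):
            findings.append(f"admin {name}: no trusted host configured, login allowed from any address")
    return findings


def audit_interfaces(cfg) -> List[str]:
    """Flag cleartext management access and leftover auto-ipsec on each interface."""
    findings = []
    for name, attrs in cfg.get("system interface", {}).items():
        access = set(attrs.get("allowaccess", []))
        cleartext = sorted(access & CLEARTEXT_ACCESS)
        if cleartext:
            findings.append(f"interface {name}: cleartext management enabled: {', '.join(cleartext)}")
        if "auto-ipsec" in access:
            findings.append(f"interface {name}: auto-ipsec still enabled; disable it before the P3 upgrade")
    return findings


def remediation_commands(cfg) -> List[str]:
    """Emit the `set allowaccess` CLI of step 2 above; `unset allowaccess` when nothing remains."""
    body = []
    for name, attrs in cfg.get("system interface", {}).items():
        access = attrs.get("allowaccess", [])
        keep = [a for a in access if a != "auto-ipsec" and a not in CLEARTEXT_ACCESS]
        if keep == access:
            continue  # nothing to change on this interface
        body.append(f'    edit "{name}"')
        body.append(f"        set allowaccess {' '.join(keep)}" if keep else "        unset allowaccess")
        body.append("    next")
    return ["config system interface", *body, "end"] if body else []
```

Paste the output of `show system interface` and `show system admin` in place of SAMPLE_DUMP; any `//` comment text on a line is read as part of the values, so remove such comments first.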

 

1.4     License Service Registration

I. Description

1.      There is only one kind of license service, namely RG-WALL1600-XXXXX (model)-LIS-1Y, which is sent in an envelope with the term of 1 year. This is a compound license service, containing virus signature upgrade service, IPS signature upgrade service, URL signature upgrade service, application signature upgrade service, and spam signature upgrade service.

2.      License service registration is the online registration of a service license for the UTM-related functions (such as anti-virus, IPS, application detection, email filtering, Web filtering, and data leakage prevention) purchased by customers, which enables customers to upgrade the rule repositories and use the online detection function during the license term. You cannot perform license service registration yourself. Instead, you need to provide the relevant information to our engineer for registration. Then, when your device is connected to the Internet, you will find that the license has been activated and the UTM functions can be used.

II. License Service Registration Process

Step 1: Send registration information.

When you purchase the service, you will receive an envelope enclosing an authorization code. If you need registration, send the software SN (16 digits), model, authorization code, project name, and customer name of the device to be registered to rgngfw3@ruijie.com.cn according to the instructions in the envelope.

1.      Collect the related information according to the sample in the following table.

Software SN (16 digits)       Model      Authorization Code (12 digits)    Project Name    Customer Name
Sample: DB99KKK124667235      Sample*    Sample*                           Sample          Sample*

Explanation:

Software SN: A 16-digit code starting with RGFW, shown on the Web page.

Model: It can be obtained from the dashboard or Web page.

Please send the table information in Step 1 and your contact information to the technical support email address: rgngfw3@ruijie.com.cn titled "License Activation for WALL 1600 (model)".

We will finish license activation based on the table information provided by you within 1 working day. If your application is filed on weekends or holidays, we will finish license activation before 12:00 on the subsequent working day.

When you receive an email about successful activation, it indicates that your license has been activated and you can use the upgrade service.

Notes:

1.      The authorization code is only applicable to a certain model in RG-WALL 1600 series.

2.      Please do activate your license within 10 months after receipt of the license envelope. Otherwise, Ruijie Cloud Server will automatically activate it for you.

3.      The authorization code can be activated only once. If you fail to activate it, please contact Ruijie engineers for license migration.

Step 2: Operate on the device.

Ensure that the firewall is connected to the Internet and configured with the correct DNS address. The server domain name is automatically updated to fwupdate.ruijie.com.cn and port 8890 by default.

Run the following commands to change the default setting to automatically find the server (using servers distributed globally):

RG-WALL # show system central-management

config system central-management

    set Ruijiemanager-fds-override enable

    set fmg "fwupdate.ruijie.com.cn"

end

 

RG-WALL # config system central-management
RG-WALL (central-management) # unset fmg
RG-WALL (central-management) # set Ruijiemanager-fds-override disable
RG-WALL (central-management) # end
RG-WALL # show system central-management   //Shows that the default update address is disabled; the device now automatically finds the nearest server.

1.      Perform initial manual update.

After receipt of the registration success email from Ruijie official reply, log in to the firewall to perform initial manual update.

Confirm license information.

Choose System > Status to view License Information which indicates Licensed. Confirm the expiry date of each service.

IV. How to Obtain the Information

1.      Software SN

Log in to the device. Choose System > Dashboard > Status > System Information to view the software SN (software registration number).

2.      Model

View the model on the dashboard or Web page. On the Web page, choose System > Dashboard > Status > System Information to view the model.

3.      Authorization Code

Obtain the authorization code from the envelope.

1.5     Configuration Backup and Recovery

Networking Requirements

Save the current configurations of the firewall, and export them for backup, so as to restore the configurations in case of need.

Configuration Tips

1.      Save the configurations

2.      Export the configurations

3.      Restore the configurations

 

*         1.    The imported configuration files must be in conf format; otherwise, they cannot be identified.
          2.    After you import the configurations, you must restart the system so that the imported configurations take effect.
          3.    You must remember the password for the backup configurations; otherwise, they cannot be imported or restored.

 

Configuration Steps

1.      Save the configurations

Web: Configurations made via the Web interface take effect immediately and are saved automatically. Every time you modify configurations and click OK, the new configurations are saved automatically.

CLI: On the CLI, the new configurations take effect and are saved automatically when you enter next or end.

 

2.      Export the configurations

Choose the System > Dashboard > Status menu, and the System Information page pops up. Then, click Backup after System Configuration.

The updated P2 version allows you to choose whether to encrypt configuration files (in the P1 version, configuration files must be encrypted by default). You can select or deselect Encrypt configuration file (if selected, you need to set a password) according to actual needs, and click Backup.

The configuration files will be backed up to the local disk.

 

3.      Restore the configurations

Choose the System > Dashboard > Status menu, and the System Information page pops up. Then, click Restore after System Configuration, so as to use the locally stored configuration files to restore the firewall configurations.

After the import is successful, the system prompts that you need to restart the system.

Verification

After the system is restarted, the previous configurations are restored.

1.6     Configuring SNMP

Networking Requirements

If the intranet is equipped with a network management server that monitors and manages the network devices, you need to enable the SNMP function on the NGFW, so that the network management server can monitor the NGFW via the SNMP function.

Configuration Tips

1.      Enable the SNMP management function on the network interface;

2.      Enable the SNMP local agent.

3.      Configure the SNMP Community.

 

Configuration Steps

1.      Enable the SNMP management function on the network interface

Choose the System > Network > Interface menu, edit the interface used for SNMP management, and select SNMP in the Administrative Access option.

2.      Enable the SNMP local agent

Choose the System > Config > SNMPv1/v2 menu, select SNMP Agent, enter the related description information, and click Apply.

 

3.      Configure the SNMP Community 

On the interface of Step 2, click the Create New button below SNMP Communities. Then, the New SNMP Community configuration page pops up.

Community Name: Set it to readonly (this is the community string).

Host: Enter the address of the SNMP server (mandatory, for example, 192.168.1.168). Only this host is then allowed to perform SNMP management with this community string, and the address is also used as the destination for Trap messages.

Interface: If you select an interface, the system only allows SNMP management by using the character string via the selected interface. any refers to any interface.

Queries: It refers to the interface used for SNMP queries.

Trap: It refers to the interface that the SNMP uses to send a Trap.

SNMP Event: The events that trigger an SNMP Trap. By default, all events are selected; it is recommended that you keep the default setting.

 

Verification 

As shown in the following figure, connect a MIB browser to the firewall via SNMP and view the device information. You can view the device name and the uptime of the firewall:

 

1.7     Password Recovery

Networking Requirements

1.      If you forget the password of the device, you need to recover the password by using a Console cable.

2.      After recovering the password, you need to restart the device (power it off and on). This causes a network interruption, so perform the restart at a convenient time.

3.      After you recover the password, the current configurations will not be changed.

 

Configuration Tips

1.      Connect to the firewall serial port via the HyperTerminal or CRT;

2.      Power off the device to restart it, and enter the built-in account ruijie to log in.

3.      Set a new password for the administrator.

 

Configuration Steps

1.      Connect the Console cable, and set the HyperTerminal

a)      Prepare a Console cable and a PC with a Com port;

b)      Connect the Console cable;

Insert the RJ45 connector end of the Console cable to the Console port of the network device (the Console port is usually beside the Ethernet port of the network device, and is marked with Console), and then insert the DB9 port of the Console cable to the Com port of the PC.

c)      Configure the HyperTerminal.

2.      Power off to restart the device

Within 15 seconds after the system restarts, enter the user name ruijie and the password (the password is the software registration number, usually a 16-character string starting with RJFW). The serial number of the product is printed on the bottom or one side of the device, as shown below.

RG-WALL login: ruijie

Password: RGFW314614039839

RG-WALL #

The account is valid only within 15 seconds after system restart, and must be used via the Console interface.

 

3.      Change the account and password for the administrator

RG-WALL # config system admin

RG-WALL (admin) # edit admin

RG-WALL (admin) # set pass 123455@!@#          

RG-WALL (admin) # end

 

Verification 

Use the new admin account and password to log in to the firewall via HTTPS or SSH.

 

1.8     Restoring Factory Settings

Networking Requirements

If you want to delete all current configurations of the device, you can restore the factory default. If you are sure that you want to restore the factory default, you are advised to back up the current configurations first. For details about the backup operation, refer to the section “Firewall Maintenance” > “Configuration Backup and Recovery”.

*         The license information of the device is saved in the cloud. After restoring the factory default, you can obtain the license information again by connecting the device to the Internet.

 

Configuration Tips

1.      After you restore the factory default, all current configurations will be removed and the system will be automatically restarted.

2.      After you restore the factory default, the IP address of the internal or MGMT interface is restored to 192.168.1.200.

 

Configuration Steps

Mode 1: CLI

Enter the CLI, run the execute factoryreset command, and press the Enter key. The system asks whether you want to continue; enter y to continue.

RG-WALL # execute factoryreset

This operation will reset the system to factory default!

Do you want to continue? (y/n) y

 

Mode 2: Press the Reset button on the device (available only on the S3100 and S3600, not on other models).

Within 30 seconds after the firewall system is normally started, press and hold the Reset button. The system will be automatically restarted, and you can restore the factory default.

Verification

After you restore the factory default, the IP address of the management interface is restored to 192.168.1.200. Via this address, you can log in to https://192.168.1.200. The user name and password are restored to the default admin and firewall.

Precautions

After you restore the factory default, the disk logs are not removed; only the current configurations are removed.

1.9     Common Commands

I. Command Structure

Command     Built-in help                          Description
config      Configure object.                      Configures policies and objects.
get         Get dynamic and system information.    Shows settings of specific objects.
show        Show configuration.                    Shows the configuration file.
diagnose    Diagnose facility.                     Indicates diagnosis commands.
execute     Execute static commands.               Indicates common commands, such as ping.
exit        Exit the CLI.                          Exits the CLI.

II. Common Commands

1.      Configure an interface address.

RG-WALL # config system interface

RG-WALL (interface) # edit lan

RG-WALL (lan) # set ip 192.168.100.99/24

RG-WALL (lan) # end

2.      Configure a static route.

RG-WALL # config router static

RG-WALL (static) # edit 1

RG-WALL (1) # set device wan1

RG-WALL (1) # set dst 10.0.0.0 255.0.0.0

RG-WALL (1) # set gateway 192.168.57.1

RG-WALL (1) # end

3.      Configure a default route.

RG-WALL (1) # set gateway 192.168.57.1

RG-WALL (1) # set device wan1

RG-WALL (1) # end

4.      Configure a firewall address.

RG-WALL # config firewall address

RG-WALL (address) # edit clientnet

new entry 'clientnet' added

RG-WALL (clientnet) # set subnet 192.168.1.0 255.255.255.0

RG-WALL (clientnet) # end

5.      Configure an IP pool.

RG-WALL # config firewall ippool

RG-WALL (ippool) # edit nat-pool

new entry 'nat-pool' added

RG-WALL (nat-pool) # set startip 100.100.100.1

RG-WALL (nat-pool) # set endip 100.100.100.100

RG-WALL (nat-pool) # end

6.      Configure a virtual IP address.

RG-WALL # config firewall vip

RG-WALL (vip) # edit webserver

new entry 'webserver' added

RG-WALL (webserver) # set extip 202.0.0.167

RG-WALL (webserver) # set extintf wan1

RG-WALL (webserver) # set mappedip 192.168.0.168

RG-WALL (webserver) # end

7.      Configure the Internet access policy.

RG-WALL # config firewall policy
RG-WALL (policy) # edit 1
RG-WALL (1) # set srcintf internal   //Indicates the source interface.
RG-WALL (1) # set dstintf wan1   //Indicates the destination interface.
RG-WALL (1) # set srcaddr all   //Indicates the source address.
RG-WALL (1) # set dstaddr all   //Indicates the destination address.
RG-WALL (1) # set action accept   //Indicates the action.
RG-WALL (1) # set schedule always   //Indicates the schedule.
RG-WALL (1) # set service ALL   //Indicates the service.
RG-WALL (1) # set logtraffic disable   //Enables or disables traffic logging.
RG-WALL (1) # set nat enable   //Enables NAT.
RG-WALL (1) # end

8.      Configure the mapping policy.

RG-WALL # config firewall policy
RG-WALL (policy) # edit 2
RG-WALL (2) # set srcintf wan1   //Indicates the source interface.
RG-WALL (2) # set dstintf internal   //Indicates the destination interface.
RG-WALL (2) # set srcaddr all   //Indicates the source address.
RG-WALL (2) # set dstaddr ngfw1   //Indicates the destination address used for virtual IP address mapping, which is added beforehand.
RG-WALL (2) # set action accept   //Indicates the action.
RG-WALL (2) # set schedule always   //Indicates the schedule.
RG-WALL (2) # set service ALL   //Indicates the service.
RG-WALL (2) # set logtraffic disable   //Enables or disables traffic logging.
RG-WALL (2) # end

9.      Change the internal switching interface to the routing interface.

Ensure that routing, DHCP, and firewall policies of the internal interface are deleted.

RG-WALL # config system global

RG-WALL (global) # set internal-switch-mode interface

RG-WALL (global) #end

Restart the device for the change to take effect.

--------------------------------------

10.    View the host name and management port.

RG-WALL # show system global

11.    View the system status and available resources.

RG-WALL # get system performance status

12.    View the application traffic statistics.

RG-WALL # get system performance firewall statistics

13.    View the ARP table.

RG-WALL # get system arp

14.    View ARP details.

RG-WALL # diagnose ip arp list

15.    Clear the ARP cache.

RG-WALL # execute clear system arp table

16.    View the current session table.

RG-WALL # diagnose sys session stat

RG-WALL # diagnose sys session full-stat

17.    View the session list.

RG-WALL # diagnose sys session list

18.    View the physical interface status.

RG-WALL # get system interface physical

19.    View settings of the default route.

RG-WALL # show router static

20.    View the static route in the routing table.

RG-WALL # get router info routing-table static

21.    View OSPF configuration.

RG-WALL # show router ospf

22.    View the global routing table.

RG-WALL # get router info routing-table all

-----------------------------------------------

23.    View HA status.

RG-WALL # get system ha status

24.    Check synchronization of active and standby routers.

RG-WALL # diagnose sys ha showcsum

---------------------------------------------------

25.    Diagnosis commands:

RG-WALL # diagnose debug enable   //Enables debugging.

RG-WALL # diagnose debug application ike -1   //Debugs IPsec Phase 1 packets to check whether the IPsec VPN tunnel is established.

RG-WALL # diagnose debug reset   //Resets debugging.

---------------------------------------------------

Execute Commands:

RG-WALL # execute ping 8.8.8.8   //Indicates the common ping command.

RG-WALL # execute ping-options source 192.168.1.200   //Specifies 192.168.1.200 as the source address of ping packets.

RG-WALL # execute ping 8.8.8.8   //Pings the destination address using the source address 192.168.1.200 specified above.

RG-WALL # execute traceroute 8.8.8.8

RG-WALL # execute telnet 2.2.2.2   //Connects to a host via Telnet.

RG-WALL # execute ssh 2.2.2.2   //Connects to a host via SSH.

RG-WALL # execute factoryreset   //Restores factory settings.

RG-WALL # execute reboot   //Reboots the device.

RG-WALL # execute shutdown   //Shuts down the device.


 
