
Ruijie RG-WALL 1600 Series Next-Generation Firewall Implementation Cookbook (V1.3)

2020-02-15


Copyright Statement

Ruijie Networks©2016

Ruijie Networks reserves all copyrights of this document. Any reproduction, excerption, backup, modification, transmission, translation or commercial use of this document or any portion of this document, in any form or by any means, without the prior written consent of Ruijie Networks is prohibited.

 

The Ruijie marks (the combined Chinese/English horizontal mark, the Ruijie Networks logo in Chinese and the Ruijie logo in English) are registered trademarks of Ruijie Networks. Counterfeiting is strictly prohibited.

 

Exemption Statement

This document is provided "as is". The contents of this document are subject to change without notice. Please obtain the latest information through the Ruijie Networks website. Ruijie Networks endeavors to ensure content accuracy and will not shoulder any responsibility for losses and damages caused by content omissions, inaccuracies or errors.

 

Obtaining Technical Assistance

- Ruijie Networks website: http://www.ruijienetworks.com/

- Ruijie Networks service portal: http://caseportal.ruijienetworks.com


Table of Contents

1      Table of Contents

2      Firewall Maintenance

2.1           Device Management

2.1.1        Web-based Management

2.1.2        Console Management

2.1.3        SSH/Telnet

2.2           Administrator Settings

2.3           Upgrading Software

2.3.1        TFTP Upgrade

2.3.2        Web-based Upgrade

2.4           License Service Registration

2.5           Configuration Backup and Recovery

2.6           Configuring SNMP

2.7           Password Recovery

2.8           Restoring Factory Settings

2.9           Common Commands

3      Configuring Routing Mode

3.1           Internet Access via a Single Line

3.1.1        Configuring Internet Access via a Single ADSL Line

3.1.2        Configuring Internet Access via a Static Link

3.1.3        Configuring Internet Access via a DHCP Line

3.2           Internet Access via Multiple Links

3.2.1        Configuring Internet Access via Dual Lines of the Same Carrier

3.2.2        Configuring Internet Access via Dual Lines of Different Carriers

3.3           Configuring DHCP

3.3.1        Configuring the DHCP Server

3.3.2        DHCP Static Binding

3.3.3        DHCP Relay Configuration

3.4           Port Mapping

3.4.1        Address Mapping (One-to-One IP Address Mapping)

3.4.2        Port Mapping (One-to-Many Port Mapping)

3.4.3        Port Mapping for Multiple Lines

3.5           Configuring Routes

3.5.1        Static Routing

3.5.2        Policy-Based Routing

3.5.3        RIP

3.5.4        OSPF

3.6           Application Level Gateway (ALG)

3.6.1        VoIP

3.6.2        VoIP Destination Address Mapping

3.7           Configuring VPN

3.7.1        IPSec VPN (Point-to-Point)

3.7.2        IPSec VPN (Dial-up)

3.7.3        SSL VPN

3.7.4        L2TP/PPTP

3.8           WAN Optimization

3.8.1        Standalone Mode

3.9           Load Balancing

3.9.1        HTTP Traffic-based Server Load Balancing

3.9.2        HTTPS Traffic-based Server Load Balancing

4      Configuring Transparent Mode

4.1           Enabling Transparent Mode

4.2           VLAN and Transparent Mode

4.3           Out-of-Band Management in Transparent Mode

4.4           Bypass Deployment

4.5           Notes on Transparent Mode

5      Configuring VDOM

5.1           Enabling VDOM

5.2           Configuring Vlink

5.3           Configuring VDOM in Hybrid Mode

6      Configuring HA

6.1           Networking Requirements

6.2           Master Election

6.3           Basic Configuration

6.4           Configuring Synchronization of Standalone Device Configuration and Sessions

6.5           Configuring the Ping Server

6.6           Configuring the Out-of-Band Management Interface

6.7           Related Commands

7      Universal Typical Functions

7.1           UTM Security Applications

7.1.1        Intrusion Prevention

7.1.2        Anti-Virus

7.1.3        Web Filter

7.1.4        Mail Filter

7.1.5        Network Application Control

7.1.6        Data Leakage Prevention (DLP)

7.1.7        User Authentication

7.2           Configuring Logs

7.2.1        Log Storage Modes

7.2.2        Storing Logs on the Hard Disk

7.2.3        Storing Logs in Memory

7.2.4        Sending Syslog

7.2.5        Configuring UTM Logging

7.2.6        Email Configuration

7.2.7        Traffic Rate Limit

7.3           Converting Interface Attributes

7.4           Configuring LACP

8      Configuring IPv6

8.1           Enabling IPv6 on the Web Page

8.2           Configuring Internet Access

8.2.1        Configuring NAT64 and DNS64

8.2.2        Configuring VIP46 Mapping

8.2.3        Configuring VIP64 Mapping

8.2.4        Configuring OSPFv3

8.2.5        Common Commands

9      Troubleshooting

9.1           Debug Flow Command


2      Firewall Maintenance

2.1     Device Management

2.1.1    Web-based Management

Networking Requirements

Via the Web interface you can configure the firewall. In this example, the management function is enabled on the wan1 interface.

Network Topology

Configuration Tips

The default IP address of the NGFW is 192.168.1.200, and you can perform Web management over HTTPS (the default user name is admin and the default password is firewall). The management interfaces of the models are as follows:

RG-WALL1600-X9300:   mgmt1 interface

RG-WALL1600-X8500:   mgmt1 interface

RG-WALL1600-X6600:   mgmt1 interface

RG-WALL1600-M5100:   mgmt interface

RG-WALL1600-S3600:   internal interface, corresponding to switching interfaces 1 to 14

RG-WALL1600-S3100:   internal interface, corresponding to switching interfaces 1 to 7

 

*      All switching interfaces of the S3100 and S3600 belong to the Layer-3 internal interface; only the internal interface accepts Layer-3 configuration such as an IP address.

 

Set the IP address of the PC to 192.168.1.1/24, connect it to the internal or MGMT interface, open the browser, enter https://192.168.1.200 to reach the NGFW login page, and log in with the user name admin and password firewall. If you forget the password, restore the initial password as instructed in "Firewall Maintenance" > "Password Recovery".

After you log in to the device, enable the management function on the wan1 interface.

By default, the other interfaces have no IP addresses and no management services (for example, HTTPS) enabled.

If the interface address has been changed and you no longer know the new address, enter the CLI over the console and view the current configuration.

Change the default password during this first login: the default credentials are printed in this document and are the first thing tried against any exposed management interface.

 

*      Firefox or IE 10 (or later) is recommended. If you use a third-party browser (for example, 360 Browser or Maxthon (Travel)), use its high-speed (standards) mode.

 

Configuration Steps

1.       With the NGFW at its default settings, set the IP address of the PC to 192.168.1.1/24 and its gateway to 192.168.1.200;

 

In the address bar of the browser, enter https://192.168.1.200; the firewall login page appears.

Enter the user name admin and the default password firewall; the firewall home page appears.

2.       Set the IP address of the wan1 interface to 192.168.0.200/24 and enable management access on it.

Choose System > Network > Interface.

Double-click the wan1 interface and edit the following parameters:

Set the IP address of the interface to 192.168.0.200/24.

Administrative Access: Select HTTPS, PING and SSH. The options mean the following:

HTTPS: Users may manage the device at https://192.168.0.200;

PING: Users may ping the interface address. If it is deselected, the address does not answer pings even though it is reachable;

HTTP: Users may manage the device at http://192.168.0.200. The session, including the login password, is sent in cleartext; leave it disabled;

SSH: Users may manage the device with ssh 192.168.0.200;

SNMP: SNMP queries to this interface are accepted (see "Configuring SNMP");

TELNET: Users may manage the device with telnet 192.168.0.200. Telnet is also cleartext; use SSH instead and leave Telnet disabled, especially on an Internet-facing interface such as wan1.

 

Verification

Enter https://192.168.0.200 in the browser and confirm that the login page appears.

 

2.1.2    Console Management

Networking Requirements

To perform configuration management, you can use HyperTerminal or SecureCRT to enter the CLI over a console cable. By default, the firewall allows console management.

Network Topology

Configuration Tips

1.      Prepare a console cable and a PC.

2.      Connect the console cable.

Connect the RJ45 end of the console cable to the Console port of the firewall, and the DB9 end to the COM port of the PC.

3.      Configure HyperTerminal.

a)      Windows XP ships with HyperTerminal; on Windows 7 you need to install it separately.

b)     Windows Server 2003 does not ship with HyperTerminal by default. Install it from Control Panel > Add/Remove Programs, or download it from Attachment 1.

c)      If you cannot enter the CLI after configuration, check whether the console cable is connected to the Console port, whether the HyperTerminal serial settings (data bits and so on) are correct, and whether you clicked Restore Defaults. If you still cannot enter the CLI, try another PC, console cable or terminal program.

 

Operation Steps

1.      Prepare a console cable and a PC.

2.      Connect the console cable.

Insert the RJ45 end of the console cable into the Console port of the network device (the Console port is usually next to the Ethernet ports and is labelled Console), and insert the DB9 end into the COM port of the PC.

3.      Configure HyperTerminal.

 

Verification

Press Enter. The system displays the RG-WALL login prompt; enter the user name admin and password firewall (if the password has been changed and you no longer know it, proceed as instructed in "Password Recovery").

 

 

 

2.1.3    SSH/Telnet

Networking Requirements

If you need the CLI of a device to configure it or gather information, and no console cable is at hand or you are far from the device, you can manage it remotely via Telnet or SSH.

Network Topology

Configuration Tips

Before using Telnet or SSH, make sure the management host has IP connectivity to the interface address of the device. You can tick the PING option on the interface; if the management host can ping the interface address, connectivity is fine.

1.       Enable the Telnet and SSH services on the interface.

2.       Telnet to the management address.

3.       SSH to the management address.

 

Configuration Steps

1.      Enable the Telnet and SSH services on the interface

Choose System > Network > Interface and double-click the internal interface to edit it, as shown in the following figures:

Tick SSH and TELNET (by default, Telnet and ping are disabled on the interface), and click OK.

Telnet carries the login password and every command in cleartext. Enable it only on an isolated management network, if at all; on any interface reachable from untrusted networks, tick SSH only.

2.2      Administrator Settings

I. Requirements

According to the factory settings, the default account is admin (with all privileges) and the default password is firewall. The requirements are as follows:

Change the admin password to ruijie@123, and set the trusted host of the admin account to 172.18.10.108/32, so that only this host (172.18.10.108) can log in with the admin account.

Create a monitor account with read-only privileges and the password 123456a!. Do not restrict the hosts it may log in from, and set its permission to read-only.

Define a password policy that enforces password complexity.

Set the idle timeout of the Web session, so that an administrator who performs no operation within, for example, 90 minutes is logged out automatically.

II. Configuration Tips

Change the admin password and set the management IP addresses.

Set Admin Profile to readonly.

Create a monitor account.

Define the password policy and change the administrator settings.

III. Configuration Steps

Change the admin password and set the management IP addresses.

Choose System > Admin > Administrators.

Double-click the admin account (or click its edit button) and click Change Password.

In the Edit Password dialog box, change the password to ruijie@123 and click OK.

Tick Restrict this Admin Login from Trusted Hosts Only, enter the management address 172.18.10.108/32 in Trusted Host #1, and click OK.

Three trusted hosts can be entered on this page; up to 10 can be set from the CLI:

RG-WALL # config system admin

RG-WALL (admin) # edit admin

RG-WALL (admin) # set trusthost1 172.18.10.108 255.255.255.255

RG-WALL (admin) # set trusthost2 172.19.10.108 255.255.255.255

RG-WALL (admin) # set trusthost3 172.119.10.108 255.255.255.255

RG-WALL (admin) # end

The restriction is per account: an account with no trusted host can log in from anywhere, so review every administrator account, not only admin.

Set Admin Profile to readonly.

Choose System > Admin > Admin Profile, and click Create New.

 

Profile Name: Set it to readonly.

Tick Read Only for all items.

Create a monitor account.

Choose System > Admin > Administrators, and click Create New.

Create the monitor account, set the password to 123456a!, set Admin Profile to readonly, and leave the trusted host restriction disabled, as shown in the following figure.

 

Define the password policy and change the administrator settings.

If a password must contain at least 6 characters including letters, digits and special characters (such as !@#$%&'), set the password policy as follows.

Choose System > Admin > Settings, as shown in the following figure.

Enable: Tick Enable.

Minimum Length: The minimum length of a password.

Must Contain: The minimum numbers of letters, digits and special characters a password must include.

Apply Password Policy to: Select Admin Password so that the policy applies to administrator accounts.

Admin Password Expires after: The number of days after which a password expires. The system prompts the administrator to change the password once it has expired.

Idle Timeout: If an administrator performs no operation within the specified time, the administrator is logged out automatically.

Note: The required numbers of uppercase letters, lowercase letters, digits and special characters must add up to no more than the configured minimum length; otherwise the policy setting is rejected.
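As a check of the policy described above, the following script is an example added to this cookbook; it is not Ruijie code and does not run on the device. It models the policy fields the page names and tests candidate passwords against them, including the note's consistency rule. Two readings are assumptions: the rule is applied against the minimum length (the only length setting on the page), and any non-alphanumeric character counts as special. It shows that the cookbook's example passwords pass while the factory default firewall does not:

```python
"""Check candidate passwords against a policy of the kind set under
System > Admin > Settings.  Example code added to this cookbook, not a
Ruijie implementation.  Fields follow the page (minimum length, required
letters/digits/special characters); the consistency rule from the note is
taken to mean the required counts may not exceed the minimum length, and any
non-alphanumeric character counts as special (the page lists !@#$%&' as
examples).  Both readings are assumptions."""

from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class PasswordPolicy:
    minimum_length: int = 6   # the page's example requires at least 6 characters
    min_letters: int = 1
    min_digits: int = 1
    min_special: int = 1

    def is_consistent(self) -> bool:
        """False when the required counts cannot fit into the minimum length;
        the device rejects such a policy instead of applying it."""
        total = self.min_letters + self.min_digits + self.min_special
        return total <= self.minimum_length

    def violations(self, password: str) -> List[str]:
        """Every rule the password breaks; an empty list means it is accepted."""
        if not self.is_consistent():
            raise ValueError("policy rejected: required counts exceed minimum length")
        counts: Dict[str, int] = {
            "letter": sum(c.isalpha() for c in password),
            "digit": sum(c.isdigit() for c in password),
            "special character": sum(not c.isalnum() for c in password),
        }
        required = {"letter": self.min_letters, "digit": self.min_digits,
                    "special character": self.min_special}
        problems: List[str] = []
        if len(password) < self.minimum_length:
            problems.append(f"shorter than {self.minimum_length} characters")
        for kind, need in required.items():
            if counts[kind] < need:
                problems.append(f"fewer than {need} {kind}(s)")
        return problems


def accepted(policy: PasswordPolicy, password: str) -> bool:
    """True when the password satisfies every rule of the policy."""
    return not policy.violations(password)


if __name__ == "__main__":
    policy = PasswordPolicy()
    # The cookbook's own examples pass; the factory default 'firewall' does not.
    for candidate in ("ruijie@123", "123456a!", "firewall", "ab1!"):
        print(f"{candidate!r}: {policy.violations(candidate) or 'accepted'}")
```

Use violations() rather than a yes/no answer when vetting a password list for a deployment: it tells you which rule failed, which is what you need when the device silently rejects a policy whose required counts exceed its minimum length.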

 

IV. Verification

Log in as monitor and try to change a setting; the error Permission denied is displayed.

 

2.3     Upgrading Software

2.3.1    TFTP Upgrade

Networking Requirements

The firewall system can be upgraded from the Web interface or, from the console, via TFTP in the boot menu. This section upgrades via TFTP.

*      Before the upgrade, be sure to back up the firewall configuration. For details, refer to "Firewall Maintenance" > "Configuration Backup and Recovery".

 

Network Topology

Configuration Tips

1.       Prepare tools and connect the console cable;

2.       Connect the network cable and make sure the network connection works;

3.       Set up the TFTP server;

4.       Begin the upgrade.

 

Configuration Steps

1.       Prepare tools

Prepare the console cable, network cable, upgrade file, TFTP tool and, if the PC has no COM port, a USB-to-serial adapter with its driver installed;

2.       Connect the network cable and make sure the network connection works;

3.       Set up the TFTP server;

4.       Begin the upgrade.

You can download the Cisco TFTP server from the attachment.

Run the Cisco TFTP software and save the upgrade firmware in the folder highlighted in red below (the folder is specified during installation), for example, c:\tftp. TFTP has no authentication or encryption, so run the server only for the duration of the upgrade on a directly connected PC, and confirm that the firmware file came from Ruijie before serving it.

 

 

Restart the device and perform the following steps:

5.       Press M (Shift + m) when prompted to enter the BIOS menu:

...

[G]:  Get firmware image from TFTP server.

[F]:  Format boot device.

[B]:  Boot with backup firmware and set as default.

[I]:  Configuration and information.

[Q]:  Quit menu and continue to boot with default firmware.

[H]:  Display this list of options.

 

6.       Select F to format the flash card (optional; this erases everything stored on the device, so only do it with a verified configuration backup in hand);

Enter Selection [G]:

 

Enter G,F,B,I,Q,or H:  F                                   // Select F to format the flash card. Optional.

 

All data will be erased,continue:[Y/N]?Y

 

7.       Select G to download the image file:

Enter G,F,B,I,Q,or H:  G                                   // Select G to download the image file from the TFTP server.

Please connect TFTP server to Ethernet port "MGMT1".       // Connect the PC to the MGMT1 port of the firewall.

 

Enter TFTP server address [192.168.1.1]:                 // Enter the address of the TFTP server.

Enter local address [192.168.1.200]:                       // Assign a temporary IP address to MGMT1.

Enter firmware image file name [image.out]: Ruijie_XXX_ .bin    // Enter the name of the image file.

MAC:14144B7EE172

###########################################

 

8.       The TFTP server reports a successful download:

Total 45387871 bytes data downloaded.

Verifying the integrity of the firmware image.

 

Total 262144kB unzipped.

Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?d        // Save as the default boot image. R boots the new image once without writing it, which lets you test it before committing.

Programming the boot device now.

................................................................................................................................................................................................................................................................

Reading boot image 1401958 bytes.

Initializing firewall...

System is starting...

Resizing shared data partition...done

Formatting shared data partition ... done!

 

2.3.2    Web-based Upgrade

Networking Requirements

The current system software version is outdated and needs to be upgraded via the Web interface.

*      Before the upgrade, be sure to back up the device configuration. For details, refer to "Firewall Maintenance" > "Configuration Backup and Recovery".

 

Configuration Points

1.       Each RG-WALL model has its own firmware file; before the upgrade, confirm the model of the device.

2.       The upgrade package must have the extension ".bin"; its file name is otherwise not restricted;

3.       Before the upgrade, have a console cable ready so that you can recover if the upgrade fails;

4.       During the upgrade, do not switch to other pages, and do not power off or restart the device; the upgrade usually takes less than five minutes;

5.       After the new version is imported, the device restarts automatically and the upgrade takes effect.

 

*      The upgrade interrupts network traffic. Follow the upgrade procedure strictly; a mistake during the upgrade can leave the device without a bootable system.

 

Upgrade Procedure

1.      Log in to the Web interface of the NGFW

Choose System > Dashboard > Status > Firmware Version and click the Update button;

2.      Select the firmware file

Click OK; the system restarts automatically.

Verification

The system restarts on the newly loaded firmware; check the firmware version on the dashboard.

Precautions

The P3 version makes many changes over previous versions, so use the following upgrade procedure:

1.       Before the upgrade, be sure to remove the auto-ipsec management property from the wan1 and wan2 interfaces via the CLI (if it is not removed, the P3 version reports errors when switching to transparent mode).

1)      View the management properties of the interfaces

RG-WALL # show system interface

config system interface

    edit "wan1"

        set vdom "root"

        set ip 192.168.57.74 255.255.255.0

        set allowaccess ping https ssh telnet auto-ipsec

        set type physical

        set snmp-index 1

    next

    edit "wan2"

        set vdom "root"

        set ip 192.168.101.200 255.255.255.0

        set allowaccess ping auto-ipsec

        set type physical

        set snmp-index 2

    next

end

2)      Remove the auto-ipsec property from the wan1 and wan2 interfaces

RG-WALL # config system interface

RG-WALL (interface) # edit wan1

RG-WALL (wan1) # set allowaccess ping https ssh

RG-WALL (wan1) # next

RG-WALL (interface) # edit wan2

RG-WALL (wan2) # set allowaccess ping

RG-WALL (wan2) # end

Note that set allowaccess replaces the whole list rather than removing one entry, so restate every service you want to keep. In the example above, wan1 also loses telnet, which is the right outcome for an Internet-facing interface; if you need to keep a service, include it in the command.

2.       Upgrade the P0, P1 or P2 version to P3 via the Web interface (the upgrade takes about five minutes);

3.       For a complete upgrade, upgrade to the P3 version a second time via the Web interface;

1)      The P3 upgrade adds a formatting step to guarantee a complete upgrade;

2)      The formatting operation does not clear the existing configuration;

3)      Later versions are not affected; only the P3 version requires two upgrades;

4)      Each upgrade pass takes about 5 minutes.

4.       Upgrade path: P0, P1 or P2 -> P3 -> P3 (second pass).

5.       Whether auto-ipsec is enabled by default depends on the model:

1)       S3100: auto-ipsec is enabled on wan1 and wan2 by default;

2)       S3600: auto-ipsec is enabled on wan1 and wan2 by default;

3)       M5100: auto-ipsec is enabled on wan1 by default;

4)      M6600 and X9300: auto-ipsec is not enabled on any interface.

 

2.4     License Service Registration

I. Description

1.       There is only one kind of license service, RG-WALL1600-XXXXX (model)-LIS-1Y, which is delivered in an envelope and has a term of 1 year. It is a compound license covering the virus signature, IPS signature, URL signature, application signature and spam signature upgrade services.

2.       License service registration is the online registration of a service license for the UTM functions purchased by the customer (anti-virus, IPS, application detection, email filtering, Web filtering and data leakage prevention). It lets the customer update the rule repositories and use online detection during the license term. You cannot register the license yourself: provide the relevant information to a Ruijie engineer, who registers it. Once the device is connected to the Internet, the license shows as activated and the UTM functions can be used.

II. License Service Registration Process

Step 1: Send registration information.

When you purchase the service, you receive an envelope containing an authorization code. To register, send the software SN (16 digits), model, authorization code, project name and customer name of the device to be registered to rgngfw3@ruijie.com.cn, following the instructions in the envelope.

1.       Collect the information in the following table (sample values shown).

 

Software SN (16 digits) | Model   | Authorization Code (12 digits) | Project Name | Customer Name
DB99KKK124667235        | Sample* | Sample*                        | Sample       | Sample*

Explanation:

Software SN: A 16-character code, shown on the Web page, that starts with RGFW.

Model: Obtain it from the dashboard or the Web page.

Send the table information from Step 1 together with your contact information to the technical support address rgngfw3@ruijie.com.cn, with the subject "License Activation for WALL 1600 (model)".

We finish license activation based on the table information you provide within 1 working day. If your application is filed on a weekend or holiday, we finish license activation before 12:00 on the next working day.

When you receive an email confirming successful activation, your license has been activated and you can use the upgrade service.

Notes:

1.       The authorization code applies only to one model in the RG-WALL 1600 series.

2.       Activate your license within 10 months of receiving the license envelope. Otherwise, the Ruijie Cloud Server activates it automatically.

3.       The authorization code can be activated only once. If activation fails, contact Ruijie engineers for license migration.

Step 2: Operate on the device.

Make sure the firewall is connected to the Internet and configured with a correct DNS address. By default the update server is fwupdate.ruijie.com.cn on port 8890.

Run the following commands to change the default setting so that the device finds the update server automatically (using the globally distributed servers):

RG-WALL # show system central-management

config system central-management

    set Ruijiemanager-fds-override enable

    set fmg "fwupdate.ruijie.com.cn"

end

 

RG-WALL # config system central-management

RG-WALL (central-management) # unset fmg

RG-WALL (central-management) # set Ruijiemanager-fds-override disable

RG-WALL (central-management) # end

RG-WALL # show system central-management        // The fixed update address is now removed and the device automatically finds the nearest server.

1.       Perform the initial manual update.

After receiving the registration success email from Ruijie, log in to the firewall and perform an initial manual update.

2.       Confirm the license information.

Choose System > Status and check that License Information shows Licensed. Confirm the expiry date of each service.

III. Information Acquisition Method

1.       Software SN

Log in to the device and choose System > Dashboard > Status > System Information to view the software SN (software registration number).

2.       Model

View the model on the device dashboard or on the Web page: choose System > Dashboard > Status > System Information.

3.       Authorization Code

Take the authorization code from the envelope.

2.5     Configuration Backup and Recovery

Networking Requirements

Save the current configuration of the firewall and export it for backup, so that it can be restored when needed.

Configuration Tips

1.       Save the configuration

2.       Export the configuration

3.       Restore the configuration

 

*      1.    Imported configuration files must be in conf format; otherwise they are not recognised.
2.    After you import a configuration, you must restart the system for it to take effect.
3.    You must remember the password used to encrypt a backup; without it the file cannot be imported or restored.

 

Configuration Steps

1.       Save the configuration

Web: Changes made in the Web interface take effect immediately and are saved automatically. Every time you modify a configuration and click OK, the new configuration is saved.

CLI: After you enter next and end on the CLI, the new configuration takes effect and is saved automatically.

 

2.       Export the configuration

Choose System > Dashboard > Status; the System Information page appears. Click Backup next to System Configuration.

From the P2 version onwards you can choose whether to encrypt the configuration file (in the P1 version, configuration files are always encrypted). Select or deselect Encrypt configuration file (if selected, you need to set a password) as required, and click Backup.

The configuration file is saved to the local disk.

An unencrypted backup contains the administrator accounts, trusted-host settings, SNMP community strings and VPN secrets of the firewall; treat it as sensitive, keep it encrypted at rest, and store the backup password separately from the file.

 

3.       Restore the configuration

Choose System > Dashboard > Status; the System Information page appears. Click Restore next to System Configuration to restore the firewall configuration from a locally stored configuration file.

After the import succeeds, the system prompts you to restart.

Verification

After the system restarts, the previous configuration is restored.

2.6     Configuring SNMP

Networking Requirements

If the intranet has a network management server that monitors and manages the network devices, enable SNMP on the NGFW so that the network management server can monitor it.

Configuration Tips

1.       Enable SNMP management on the network interface;

2.       Enable the SNMP local agent;

3.       Configure the SNMP community.

 

Configuration Steps

1.       Enable SNMP management on the network interface

Choose System > Network > Interface, edit the interface used for SNMP management and, under Administrative Access, select SNMP.

2.       Enable the SNMP local agent

Choose System > Config > SNMPv1/v2, tick SNMP Agent, enter the description information, and click Apply.

 

3.       Configure the SNMP community

On the page of Step 2, click Create New below SNMP Communities; the New SNMP Community page appears.

Community Name: Set it to readonly (the community string). In SNMPv1/v2c the community string is the only credential and travels in cleartext, so do not use public or private, and do not reuse a string that grants write access elsewhere.

Hosts: Enter the address of the SNMP server (mandatory, for example 192.168.1.168). Only this host may then use the community string for SNMP management, and it is also the destination for Trap messages.

Interface: If you select an interface, SNMP management with this community string is accepted only on that interface. any means any interface.

Queries: The port used for SNMP queries.

Traps: The port used to send SNMP Traps.

SNMP Event: The events that trigger an SNMP Trap. By default all events are selected; keeping the default is recommended.

 

Verification

As shown in the following figure, connect a MIB browser to the firewall via SNMP and view the device information. You should be able to see the device name and uptime of the firewall:
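The settings configured in this chapter (administrative access per interface in Web-based Management and SSH/Telnet, trusted hosts in Administrator Settings, the auto-ipsec precaution in Web-based Upgrade, and the community hosts above) can all be checked offline against an unencrypted backup from Configuration Backup and Recovery. The following script is an example added to this cookbook, not Ruijie tooling: it parses the config/edit/set/next/end grammar visible in the show system interface output and flags the risky cases. allowaccess and trusthostN appear on the page; the accprofile key, the system snmp community block with its hosts sub-block, and the 0.0.0.0 0.0.0.0 "any host" value are assumed from the same CLI family, and the sample configuration is constructed for the example:

```python
"""Audit an RG-WALL/FortiOS-style configuration export (for example an
unencrypted backup) for the management settings this chapter configures.
Example code added to the cookbook, not Ruijie tooling.  It parses the
config/edit/set/next/end grammar shown in the 'show system interface' output.
'allowaccess' and 'trusthostN' come from the page; 'accprofile', the
'system snmp community' block with its 'hosts' sub-block, and the
'0.0.0.0 0.0.0.0' any-host value are assumed.  SAMPLE_CONFIG is constructed."""

import shlex
from dataclasses import dataclass, field
from typing import Dict, List

CLEARTEXT = {"http", "telnet"}          # credentials cross the wire unencrypted
AUTO_IPSEC = "auto-ipsec"               # remove from wan1/wan2 before the P3 upgrade
UNRESTRICTED = ["0.0.0.0", "0.0.0.0"]   # assumed trusthost value meaning 'any source'
DEFAULT_COMMUNITIES = {"public", "private"}


@dataclass
class Node:
    """A 'config' block or an 'edit' item: its 'set' values, nested blocks, items."""
    settings: Dict[str, List[str]] = field(default_factory=dict)
    blocks: Dict[str, "Node"] = field(default_factory=dict)
    entries: Dict[str, "Node"] = field(default_factory=dict)


def parse(text: str) -> Node:
    """Build a Node tree from config/edit/set/next/end lines."""
    root = Node()
    frames = [(root, None)]  # (open config block, open 'edit' item in it or None)
    for raw in text.splitlines():
        words = shlex.split(raw)  # handles quoted names such as edit "wan1"
        if not words:
            continue
        kw, args = words[0], words[1:]
        block, item = frames[-1]
        holder = item if item is not None else block
        if kw == "config":
            child = Node()
            holder.blocks[" ".join(args)] = child
            frames.append((child, None))
        elif kw == "edit":
            item = Node()
            block.entries[args[0]] = item
            frames[-1] = (block, item)
        elif kw == "set":
            holder.settings[args[0]] = args[1:]
        elif kw == "next":
            frames[-1] = (block, None)
        elif kw == "end":
            frames.pop()
        # 'unset' and anything unrecognised is ignored
    return root


def audit(cfg: Node) -> List[str]:
    """One finding per risky management setting."""
    findings: List[str] = []
    # Per-interface administrative access, plus the P3 auto-ipsec precaution.
    for name, iface in cfg.blocks.get("system interface", Node()).entries.items():
        access = set(iface.settings.get("allowaccess", []))
        for svc in sorted(access & CLEARTEXT):
            findings.append(f"interface {name}: cleartext management service '{svc}' enabled")
        if AUTO_IPSEC in access:
            findings.append(f"interface {name}: '{AUTO_IPSEC}' still in allowaccess")
    # Administrator Settings: every account should be pinned to trusted hosts.
    for name, adm in cfg.blocks.get("system admin", Node()).entries.items():
        hosts = [v for k, v in adm.settings.items() if k.startswith("trusthost")]
        if not hosts or any(v[:2] == UNRESTRICTED for v in hosts):
            findings.append(f"admin {name}: login permitted from any host (no trusted hosts)")
    # Configuring SNMP: communities must be host-restricted and not guessable.
    for cid, comm in cfg.blocks.get("system snmp community", Node()).entries.items():
        cname = " ".join(comm.settings.get("name", ["<unnamed>"]))
        if not comm.blocks.get("hosts", Node()).entries:
            findings.append(f"snmp community {cid} ('{cname}'): no host restriction")
        if cname.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"snmp community {cid}: default community string '{cname}'")
    return findings


SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set allowaccess ping https ssh telnet auto-ipsec
    next
end
config system admin
    edit "admin"
        set trusthost1 172.18.10.108 255.255.255.255
        set accprofile "super_admin"
    next
    edit "monitor"
        set accprofile "readonly"
    next
end
config system snmp community
    edit 1
        set name "readonly"
        config hosts
            edit 1
                set ip 192.168.1.168 255.255.255.255
            next
        end
    next
    edit 2
        set name "public"
    next
end
"""

if __name__ == "__main__":
    for finding in audit(parse(SAMPLE_CONFIG)):
        print(finding)
```

Feed the contents of a backup file to parse() and print what audit() returns. A configuration that follows this chapter produces no findings; the constructed sample produces five, one for each mistake it contains (Telnet and auto-ipsec on wan1, the unrestricted monitor account, and the public community without a host restriction, reported twice).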

 

1.7     Password Recovery

Networking Requirements

1.       If you forget the password of the device, you need to recover thepassword by using a Console cable.

2.       After recovering the password, you need to restart the device on thebottom menu of the device. This will cause network interrupt. Therefore,perform the restart operation at a convenient time.

3.       After you recover the password, the current configurations will notbe changed.

 

Configuration Tips

1.       Connect to the firewall serial port via the HyperTerminal or CRT;

2.       Power off the device to restart it, and enter the built-in account ruijieto log in.

3.       Set a new password for the administrator.

 

Configuration Steps

1.       Connect the Console cable and set up HyperTerminal.

a)       Prepare a Console cable and a PC with a COM port.

b)       Connect the Console cable.

Insert the RJ45 end of the Console cable into the Console port of the network device (the Console port is usually next to the Ethernet ports and is marked Console), and then insert the DB9 end of the Console cable into the COM port of the PC.

c)       Configure HyperTerminal.

2.       Power off and restart the device.

Within 15 seconds after the system restarts, enter the user name ruijie and the password (the password is the software registration number, usually a string of 16 characters starting with RJFW). The serial number of the product is printed on the bottom or on one side of the device, as shown below.

RG-WALL login: ruijie

Password: RGFW314614039839

RG-WALL #

The account is valid only within 15 seconds after the system restarts, and can be used only via the Console interface.

 

3.       Change the administrator account password.

RG-WALL # config system admin

RG-WALL (admin) # edit admin

RG-WALL (admin) # set pass 123455@!@#

RG-WALL (admin) # end

 

Verification 

Use the new admin account and password to log in to the firewall via HTTPS or SSH.

 

1.8     Restoring Factory Settings

Networking Requirements

If you want to delete all current configurations of the device, you can restore the factory default. If you are sure that you want to restore the factory default, it is recommended that you back up the current configuration first. For details about the backup operation, refer to the section "Firewall Maintenance" > "Configuration Backup and Recovery".

*      The license information of the device is saved in the cloud. After restoring the factory default, the device obtains the license information again once it is connected to the Internet.

 

Configuration Tips

1.       After you restore the factory default, all current configurations are removed and the system restarts automatically.

2.       After you restore the factory default, the IP address of the internal or MGMT interface is restored to 192.168.1.200.

 

Configuration Steps

Mode 1: CLI

Enter the CLI, run the execute factoryreset command, and press Enter. The system then asks whether you want to continue. Enter y to continue.

RG-WALL # execute factoryreset

This operation will reset the system to factory default!

Do you want to continue? (y/n) y

 

Mode 2: Press the Reset button on the device (available only on the S3100 and S3600, not on other models).

Within 30 seconds after the firewall system has started normally, press and hold the Reset button. The system restarts automatically and the factory default is restored.

Verification

After you restore the factory default, the IP address of the management interface is restored to 192.168.1.200. You can log in at https://192.168.1.200 via this address. The user name and password are restored to the defaults admin and firewall.

Precautions

After you restore the factory default, the disk logs are not removed; only the current configuration is removed.

1.9     Common Commands

I. Command Structure

config      Configure object.                      Configures policies and objects.

get         Get dynamic and system information.    Shows the settings of specific objects.

show        Show configuration.                    Shows the configuration file.

diagnose    Diagnose facility.                     Diagnosis commands.

execute     Execute static commands.               Common commands, such as ping.

exit        Exit the CLI.                          Exits the CLI.

II. Common Commands

1.       Configure an interface address.

RG-WALL # config system interface

RG-WALL (interface) # edit lan

RG-WALL (lan) # set ip 192.168.100.99/24

RG-WALL (lan) # end

2.       Configure a static route.

RG-WALL # config router static

RG-WALL (static) # edit 1

RG-WALL (1) # set device wan1

RG-WALL (1) # set dst 10.0.0.0 255.0.0.0

RG-WALL (1) # set gateway 192.168.57.1

RG-WALL (1) # end

3.       Configure a default route.

The destination is left at its default value 0.0.0.0/0.0.0.0, which makes this the default route.

RG-WALL # config router static

RG-WALL (static) # edit 1

RG-WALL (1) # set gateway 192.168.57.1

RG-WALL (1) # set device wan1

RG-WALL (1) # end

4.       Configure a firewall address.

RG-WALL # config firewall address

RG-WALL (address) # edit clientnet

new entry 'clientnet' added

RG-WALL (clientnet) # set subnet 192.168.1.0 255.255.255.0

RG-WALL (clientnet) # end

5.       Configure an IP pool.

RG-WALL # config firewall ippool

RG-WALL (ippool) # edit nat-pool

new entry 'nat-pool' added

RG-WALL (nat-pool) # set startip 100.100.100.1

RG-WALL (nat-pool) # set endip 100.100.100.100

RG-WALL (nat-pool) # end

6.       Configure a virtual IP address.

RG-WALL # config firewall vip

RG-WALL (vip) # edit webserver

new entry 'webserver' added

RG-WALL (webserver) # set extip 202.0.0.167

RG-WALL (webserver) # set extintf wan1

RG-WALL (webserver) # set mappedip 192.168.0.168

RG-WALL (webserver) # end

7.       Configure the Internet access policy.

RG-WALL # config firewall policy

RG-WALL (policy) # edit 1

RG-WALL (1) # set srcintf internal         //Source interface.

RG-WALL (1) # set dstintf wan1             //Destination interface.

RG-WALL (1) # set srcaddr all              //Source address.

RG-WALL (1) # set dstaddr all              //Destination address.

RG-WALL (1) # set action accept            //Action.

RG-WALL (1) # set schedule always          //Schedule.

RG-WALL (1) # set service ALL              //Service.

RG-WALL (1) # set logtraffic disable       //Enables or disables traffic logging.

RG-WALL (1) # set nat enable               //Enables NAT.

RG-WALL (1) # end

8.       Configure the mapping policy.

RG-WALL # config firewall policy

RG-WALL (policy) # edit 2

RG-WALL (2) # set srcintf wan1             //Source interface.

RG-WALL (2) # set dstintf internal         //Destination interface.

RG-WALL (2) # set srcaddr all              //Source address.

RG-WALL (2) # set dstaddr ngfw1            //Destination address: the virtual IP object used for the mapping, created beforehand.

RG-WALL (2) # set action accept            //Action.

RG-WALL (2) # set schedule always          //Schedule.

RG-WALL (2) # set service ALL              //Service.

RG-WALL (2) # set logtraffic disable       //Enables or disables traffic logging.

RG-WALL (2) # end

9.       Change the internal switch interface to a routed interface.

Ensure that the routes, DHCP settings, and firewall policies referencing the internal interface are deleted first.

RG-WALL # config system global

RG-WALL (global) # set internal-switch-mode interface

RG-WALL (global) # end

Restart the device for the change to take effect.

--------------------------------------

10.     View the host name and management port.

RG-WALL # show system global

11.     View the system status and available resources.

RG-WALL # get system performance status

12.     View the application traffic statistics.

RG-WALL # get system performance firewall statistics

13.     View the ARP table.

RG-WALL # get system arp

14.     View ARP details.

RG-WALL # diagnose ip arp list

15.     Clear the ARP cache.

RG-WALL # execute clear system arp table

16.     View the current session table statistics.

RG-WALL # diagnose sys session stat

RG-WALL # diagnose sys session full-stat

17.     View the session list.

RG-WALL # diagnose sys session list

18.     View the physical interface status.

RG-WALL # get system interface physical

19.     View settings of the default route.

RG-WALL # show router static

20.     View the static routes in the routing table.

RG-WALL # get router info routing-table static

21.     View the OSPF configuration.

RG-WALL # show router ospf

22.     View the global routing table.

RG-WALL # get router info routing-table all

-----------------------------------------------

23.     View the HA status.

RG-WALL # get system ha status

24.     Check configuration synchronization between the active and standby units.

RG-WALL # diagnose sys ha showcsum

---------------------------------------------------

25.     Diagnosis commands:

RG-WALL # diagnose debug enable                      //Enables debug output.

RG-WALL # diagnose debug application ike -1          //Debugs IKE (IPsec Phase 1) packets to check whether the IPsec VPN is established.

RG-WALL # diagnose debug reset                       //Resets debugging.

   ---------------------------------------------------

Execute commands:

 

RG-WALL # execute ping 8.8.8.8                       //Ordinary ping command.

 

RG-WALL # execute ping-options source 192.168.1.200  //Specifies 192.168.1.200 as the source address of ping packets.

RG-WALL # execute ping 8.8.8.8                       //Pings the destination address using the source address 192.168.1.200 specified above.

 

RG-WALL # execute traceroute 8.8.8.8

RG-WALL # execute telnet 2.2.2.2                     //Accesses a host via Telnet.

RG-WALL # execute ssh 2.2.2.2                        //Accesses a host via SSH.

RG-WALL # execute factoryreset                       //Restores factory settings.

RG-WALL # execute reboot                             //Reboots the device.

RG-WALL # execute shutdown                           //Shuts down the device.
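As an added illustration of how the objects from items 4 to 8 of this list fit together (the address object, the IP pool, the virtual IP, the Internet access policy and the mapping policy), here is a small Python model of policy matching and NAT. It is example code written for this page, not firmware or vendor code. It assumes top-down, first-match policy evaluation with an implicit drop when nothing matches, uses the placeholder address 202.0.0.167 for wan1 (the list gives no interface address), and picks an overload-pool address by a simple modulo rule; the firewall's real selection is not described on the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed objects mirroring items 4 to 8 of the command list above.
ADDRESSES = {"clientnet": ipaddress.ip_network("192.168.1.0/24")}       # config firewall address
IPPOOLS = {"nat-pool": ("100.100.100.1", "100.100.100.100")}          # config firewall ippool
VIPS = {"webserver": {"extip": "202.0.0.167", "extintf": "wan1",      # config firewall vip
                      "mappedip": "192.168.0.168"}}
# Assumed interface addresses: the list gives no wan1 address, so 202.0.0.167 is a placeholder.
INTERFACE_IPS = {"internal": "192.168.1.200", "wan1": "202.0.0.167"}


@dataclass(frozen=True)
class Policy:
    """The fields set in the 'config firewall policy' entries above."""
    srcintf: str
    dstintf: str
    srcaddr: str
    dstaddr: str
    action: str = "accept"
    service: str = "ALL"
    nat: bool = False
    ippool: Optional[str] = None   # None: NAT to the egress interface address ('set nat enable' alone)


# Assumed behaviour: policies are evaluated top-down, the first match wins, no match means drop.
POLICIES = [
    Policy("internal", "wan1", "all", "all", nat=True),      # item 7: Internet access policy
    Policy("wan1", "internal", "all", "webserver"),           # item 8: mapping policy, dstaddr is the VIP
]


def _addr_matches(name, ip, ingress):
    """Resolve a srcaddr/dstaddr object name against a packet address."""
    if name == "all":
        return True
    if name in ADDRESSES:
        return ip in ADDRESSES[name]
    if name in VIPS:   # a VIP matches its external address arriving on its external interface
        vip = VIPS[name]
        return ip == ipaddress.ip_address(vip["extip"]) and ingress == vip["extintf"]
    raise KeyError(f"unknown address object {name!r}")


def pool_address(pool_name, src_ip):
    """Overload pool: map a source address to one external pool address (assumed: modulo rule)."""
    start, end = (int(ipaddress.ip_address(x)) for x in IPPOOLS[pool_name])
    return str(ipaddress.ip_address(start + int(ipaddress.ip_address(src_ip)) % (end - start + 1)))


def evaluate(srcintf, dstintf, src, dst):
    """Match one packet (egress interface already chosen by routing) against POLICIES.
    Returns the matched policy number, the action, and src/dst after NAT."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, pol in enumerate(POLICIES, start=1):
        if pol.srcintf != srcintf or pol.dstintf != dstintf:
            continue
        if not _addr_matches(pol.srcaddr, src_ip, srcintf) or not _addr_matches(pol.dstaddr, dst_ip, srcintf):
            continue
        new_src, new_dst = str(src_ip), str(dst_ip)
        if pol.action == "accept":
            if pol.dstaddr in VIPS:                 # destination NAT to the mapped internal server
                new_dst = VIPS[pol.dstaddr]["mappedip"]
            if pol.nat:                             # source NAT on the way out
                new_src = pool_address(pol.ippool, str(src_ip)) if pol.ippool else INTERFACE_IPS[dstintf]
        return {"policy": number, "action": pol.action, "src": new_src, "dst": new_dst}
    return {"policy": None, "action": "deny", "src": src, "dst": dst}


if __name__ == "__main__":
    print(evaluate("internal", "wan1", "192.168.1.10", "8.8.8.8"))       # outbound, SNAT to wan1
    print(evaluate("wan1", "internal", "198.51.100.7", "202.0.0.167"))   # inbound to the VIP, DNAT
    print(evaluate("wan1", "internal", "198.51.100.7", "202.0.0.1"))     # no policy: dropped
```

The third call shows why the mapping policy must name the VIP object as its destination: a packet for any other external address on wan1 matches nothing and is dropped, which is the behaviour a practitioner wants from an inbound rule.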

 



 

Configuring Routing Mode

1.1     Internet Access via a Single Line

1.1.1    Configuring Internet Access via a Single ADSL Line

Networking Requirements

The extranet interface uses ADSL dial-up, and the intranet belongs to the 192.168.1.0/24 segment. Intranet users can access the Internet.

Network Topology

Configuration Tips

1.       Configure interfaces.

wan1 interface: Used for ADSL access. The Retrieve default gateway from server option is mandatory. After ADSL dial-up succeeds, the device generates a default route without manual configuration.

Internal interface: Configure an IP address in the form 192.168.1.200/24. If necessary, enable the management function on the interface.

2.       Configure address object lan with address 192.168.1.0/24.

3.       Configure the policy for traffic from the internal interface to the wan1 interface and enable NAT.

Configuration Steps

1.       Configure interface address.

Choose System>Network>Interface. Tick wan1 and click Edit to display the Edit Interface page.

Addressing mode: Select PPPoE.

Username: Enter the user name.

Password: Enter the password.

Initial Disc Timeout: The waiting time before a new PPPoE discovery is started.

Initial PADT Timeout: If the idle time exceeds the configured value, PPPoE is disconnected. The PADT function requires support from the ISP.

Retrieve default gateway from server (mandatory): After dial-up succeeds, the firewall obtains a default route.

Override internal DNS: If the company does not have its own DNS server, this option is mandatory.

Edit the internal interface. The default IP address of the internal interface is 192.168.1.200/24; change it according to the actual situation.

You can enable the management function on the interface if necessary. It is recommended to enable the HTTPS, SSH, and PING services.

After dial-up succeeds, choose Router>Monitor>Routing Monitor to check the default route obtained by the PPPoE client.

2.       Configure address resources.

Choose Firewall>Address>Address, and then click Create New, as shown in the following figure:

Set Name to lan. Choose Subnet from Type. Set Subnet/IP Range to 192.168.1.0/24. Click OK. See the following figure:

3.       Configure the policy.

For some low-end models, the system provides a NAT policy from the internal interface to the wan1 interface by default.

Choose Firewall>Policy>Policy, and then click Create New, as shown in the following figure:

On the Edit Policy page, add one policy as shown in the following figure:

Source Interface/Zone: Choose internal.

Source address: Choose lan.

Destination Interface/Zone: Choose wan1.

Destination address: Choose all, which indicates all addresses.

Service: Choose ALL.

NAT: Tick Enable NAT. The system automatically translates the IP addresses of the intranet lan to the IP address of the wan1 interface for Internet access.

Click OK. The system automatically saves the configuration and the policy takes effect.

*      Log Allowed Traffic consumes extra system resources once enabled. Therefore, tick this item only when necessary.

 

Verification

Set the IP address of the PC to 192.168.1.1/24, the gateway address to 192.168.1.200, and the DNS addresses to 202.106.196.115 and 8.8.8.8. (In general, you can set the DNS to the local DNS.)

Then the PC can access the Internet.

1.1.2    Configuring Internet Access via a Static Link

Networking Requirements

The extranet interface is connected to a private line and configured with a static address assigned by the carrier. The intranet belongs to the 192.168.1.0/24 segment. Intranet users can access the Internet.

Network Topology

Assume that the IP addresses assigned by the carrier are as follows:

Network segment: 202.1.1.8/29; Assigned IP address: 202.1.1.10; Gateway address: 202.1.1.9; DNS address: 202.106.196.115

Configuration Tips

1.       Configure interfaces.

wan1 interface: Configure the IP address assigned by the carrier.

Internal interface: Configure an IP address in the form 192.168.1.200/24. If necessary, enable the management function on the interface.

2.       Configure a static route.

3.       Configure address object lan with address 192.168.1.0/24.

4.       Configure the policy for traffic from the internal interface to the wan1 interface and enable NAT.

Configuration Steps

1.       Configure interface address.

Choose System>Network>Interface. Tick wan1 and click Edit to display the Edit Interface page, as shown in the following figure:

In the 202.1.1.8/29 network segment, 202.1.1.8 is the network address and 202.1.1.15 is the broadcast address; neither can be used. 202.1.1.9 is the carrier's gateway address. The usable host range is 202.1.1.9 to 202.1.1.14, of which 202.1.1.9 is already taken by the gateway.

Set the IP address of the wan1 interface to 202.1.1.10.

Edit the internal interface. The default IP address of the internal interface is 192.168.1.200/24; change it according to the actual situation.

You can enable the management function on the interface if necessary. It is recommended to enable the HTTPS, SSH, and PING services.

2.       Configure a static route.

Choose Router>Static>Static Route, and then click Create New, as shown in the following figure:

Create a route, as shown in the following figure:

Destination IP/Mask: Keep the default value 0.0.0.0/0.0.0.0.

Device: Choose wan1, the interface this route goes out through. It must be set correctly; otherwise, the route does not work.

Gateway: The IP address of the next hop, that is, the IP address of the peer device connected to the wan1 interface.

Distance: The default value is 10.

Priority: The default value is 0.

3.       Configure address resources.

Choose Firewall>Address>Address, and then click Create New, as shown in the following figure:

Set Name to lan. Choose Subnet from Type. Set Subnet/IP Range to 192.168.1.0/24. Click OK. See the following figure:

4.       Configure the policy.

For some low-end models, the system provides a NAT policy from the internal interface to the wan1 interface by default.

Choose Firewall>Policy>Policy, and then click Create New, as shown in the following figure:

On the Edit Policy page, add one policy as shown in the following figure:

Source Interface/Zone: Choose internal.

Source address: Choose lan.

Destination Interface/Zone: Choose wan1.

Destination address: Choose all, which indicates all addresses.

Service: Choose ALL.

NAT: Tick Enable NAT. The system automatically translates the IP addresses of the intranet lan to 202.1.1.10, the IP address of the wan1 interface, for Internet access.

Click OK. The system automatically saves the configuration and the policy takes effect.

*      Log Allowed Traffic consumes extra system resources once enabled. Therefore, tick this item only when necessary.

 

Verification

Set the IP address of the PC to 192.168.1.1/24, the gateway address to 192.168.1.200, and the DNS address to 8.8.8.8. (In general, you can set the DNS to the local DNS.)

Then the PC can access the Internet.
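The address arithmetic in step 1 of this section (network, broadcast and usable range of 202.1.1.8/29, and why 202.1.1.10 is a valid choice for wan1) and the PC settings in the verification step can be checked mechanically before anything is typed into the device. The following Python is an added example written for this page, not the firewall's or Ruijie's code; every address in it is the constructed value from this section, and the same functions work for any carrier segment.

```python
import ipaddress

# Constructed from the static-link scenario above: the carrier assigns 202.1.1.8/29,
# 202.1.1.9 is its gateway and 202.1.1.10 is the address for the firewall's wan1 interface.
CARRIER_SEGMENT = "202.1.1.8/29"
CARRIER_GATEWAY = "202.1.1.9"
WAN1_ADDRESS = "202.1.1.10"

# Intranet side, as in the Verification step: internal interface and a test PC.
INTERNAL_ADDRESS = "192.168.1.200/24"
PC_ADDRESS = "192.168.1.1/24"
PC_GATEWAY = "192.168.1.200"


def describe_segment(cidr):
    """Compute what the text works out by hand: network, broadcast and usable host range."""
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_usable": str(hosts[0]),
        "last_usable": str(hosts[-1]),
        "usable_count": len(hosts),
    }


def check_wan_address(cidr, gateway, address):
    """Validate the address planned for wan1 against the carrier segment and gateway.
    Returns a list of problems; an empty list means the plan is consistent."""
    net = ipaddress.ip_network(cidr, strict=True)
    gw = ipaddress.ip_address(gateway)
    addr = ipaddress.ip_address(address)
    problems = []
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    if addr not in net:
        problems.append(f"address {addr} is outside {net}")
    elif addr in (net.network_address, net.broadcast_address):
        problems.append(f"address {addr} is the network or broadcast address of {net}")
    if addr == gw:
        problems.append(f"address {addr} collides with the carrier gateway")
    return problems


def check_lan_host(pc_cidr, pc_gateway, internal_cidr):
    """Validate the test PC: same subnet as the internal interface, gateway = internal interface address."""
    pc = ipaddress.ip_interface(pc_cidr)
    fw = ipaddress.ip_interface(internal_cidr)
    gw = ipaddress.ip_address(pc_gateway)
    problems = []
    if pc.network != fw.network:
        problems.append(f"PC subnet {pc.network} differs from the internal subnet {fw.network}")
    if gw != fw.ip:
        problems.append(f"PC gateway {gw} is not the internal interface address {fw.ip}")
    if pc.ip == fw.ip:
        problems.append(f"PC address {pc.ip} duplicates the internal interface address")
    return problems


if __name__ == "__main__":
    print(describe_segment(CARRIER_SEGMENT))
    print("wan1 plan:", check_wan_address(CARRIER_SEGMENT, CARRIER_GATEWAY, WAN1_ADDRESS) or "OK")
    print("lan host:", check_lan_host(PC_ADDRESS, PC_GATEWAY, INTERNAL_ADDRESS) or "OK")
```

Run as a script it prints the /29 breakdown (six usable hosts, 202.1.1.9 to 202.1.1.14) and "OK" for both checks; feeding it 202.1.1.15 or the gateway address as the wan1 address reports the exact mistake instead of a silently unreachable link.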

1.1.3    Configuring Internet Access via a DHCP Line

Networking Requirements

The extranet interface uses DHCP, and the intranet belongs to the 192.168.1.0/24 segment. Intranet users can access the Internet.

Network Topology

Configuration Tips

1.       Configure interfaces.

wan1 interface: The Retrieve default gateway from server option is mandatory. After obtaining a DHCP address, the device generates a default route without manual configuration.

Internal interface: Configure an IP address in the form 192.168.1.200/24. If necessary, enable the management function on the interface.

2.       Configure address object lan with address 192.168.1.0/24.

3.       Configure the policy for traffic from the internal interface to the wan1 interface and enable NAT.

Configuration Steps

1)       Configure interfaces.

Choose System>Network>Interface. Tick wan1 and click Edit to display the Edit Interface page.

Addressing mode: Choose DHCP.

Retrieve default gateway from server (mandatory): After a DHCP address is obtained, the firewall obtains a default route.

Override internal DNS: If the company does not have its own DNS server, this option is mandatory. After DHCP successfully obtains an IP address, it is displayed as shown in the following figure:

Edit the internal interface. The default IP address of the internal interface is 192.168.1.200/24; change it according to the actual situation.

You can enable the management function on the interface if necessary. It is recommended to enable the HTTPS, SSH, and PING services.

After the IP address is obtained, choose Router>Monitor>Routing Monitor to check the default route, as shown in the following figure:

2)       Configure address resources.

Choose Firewall>Address>Address, and then click Create New, as shown in the following figure:

Set Name to lan. Choose Subnet from Type. Set Subnet/IP Range to 192.168.1.0/24. Click OK. See the following figure:

3)       Configure the policy.

For some low-end models, the system provides a NAT policy from the internal interface to the wan1 interface by default.

Choose Firewall>Policy>Policy, and then click Create New, as shown in the following figure:

On the Edit Policy page, add one policy as shown in the following figure:

Source Interface/Zone: Choose internal.

Source address: Choose lan.

Destination Interface/Zone: Choose wan1.

Destination address: Choose all, which indicates all addresses.

Service: Choose ALL.

NAT: Tick Enable NAT. The system automatically translates the IP addresses of the intranet lan to the IP address of the wan1 interface for Internet access.

Click OK. The system automatically saves the configuration and the policy takes effect.

*      Selecting Log Allowed Traffic causes extra system resource consumption. Therefore, tick this item only when necessary.

 

Verification

Set the IP address of the PC to 192.168.1.1/24, the gateway address to 192.168.1.200, and the DNS addresses to 202.106.196.115 and 8.8.8.8. (In general, you can set the DNS to the local DNS.)

Then the PC can access the Internet.

1.2     Internet Access via Multiple Links

1.2.1    Configuring Internet Access via Dual Lines of the Same Carrier

Networking Requirements

Two lines provided by China Telecom with the same bandwidth are used on the current device. They back each other up and work in load-balancing mode.

Telecom line 1: wan1 interface, IP address 202.1.1.2/30; gateway address 202.1.1.1

Telecom line 2: wan2 interface, IP address 202.1.1.6/30; gateway address 202.1.1.5

Internal interface: intranet

In this example, the Internet interface address is used for NAT. If an address pool is to be used for NAT, see section 1.2.2 "Configuring Internet Access via Dual Lines of Different Carriers" for the policy configuration.

Network Topology

Configuration Tips

1.       Configure interface address.

2.       Configure a route.

3.       Configure zones (untrust and trust zones).

4.       Configure the policy.

5.       Configure ECMP load-balancing mode.

Configuration Steps

1)       Configure interface address.

Choose System>Network>Interface. Tick wan1 and click Edit to display the Edit Interface page, as shown in the following figure:

Configure the IP address and subnet mask as 202.1.1.2/30.

Choose System>Network>Interface. Tick wan2 and click Edit to display the Edit Interface page, as shown in the following figure:

The IP address of the wan2 interface is 202.1.1.6/30, and the gateway address is 202.1.1.5.

The configuration is as follows:

2)       Configure a route.

Choose Router>Static>Static Route, and then click Create New, as shown in the following figure:

Create two routes, as shown in the following figure:

Destination IP/Mask: Keep the default value 0.0.0.0/0.0.0.0.

Device: Choose wan1, the interface this route goes out through. It must be set correctly; otherwise, the route does not work.

Gateway: The IP address of the next hop, that is, the IP address of the peer device connected to the wan1 interface.

Distance: The default value is 10. Only the route with the shorter distance is put into the routing table.

Priority: The default value is 0. The route with the smaller priority value is used preferentially.

Destination IP/Mask: Keep the default value 0.0.0.0/0.0.0.0.

Device: Choose wan2, the interface this route goes out through. It must be set correctly; otherwise, the route does not work.

Gateway: The IP address of the next hop, that is, the IP address of the peer device connected to the wan2 interface.

Distance: The default value is 10. Only the route with the shorter distance is put into the routing table.

Priority: The default value is 0. The route with the smaller priority value is used preferentially.

*      (1) To let both egress lines carry traffic, make sure the two routes have the same distance. Otherwise, the route with the longer distance is not put into the routing table.
(2) Their priorities must also be the same. With the same distance but different priorities, both routes are put into the routing table, but the firewall always prefers the route with the lower priority value, so traffic over the two links is not balanced.

 

3)       Configure zones.

*      Using zones facilitates and simplifies configuration. If Internet access is based on physical interfaces, multiple firewall policies are required.

 

Choose System>Network>Zone, and then click Create New, as shown in the following figure:

Create the untrust and trust zones, as shown in the following figure. A zone can be regarded as an interface group, and the zone name is user defined.

After configuration, the interfaces are displayed as shown in the following figure:

4)       Configure the policy.

For some low-end models, the system provides a policy from the internal interface to the wan1 interface by default. If there is none, follow the steps below to add one.

Choose Firewall>Policy>Policy, and then click Create New.

Create a policy, as shown in the following figure:

Source Interface/Zone: Choose trust.

Source address: Choose lan, which indicates the internal network address.

Destination Interface/Zone: Choose untrust.

Destination address: Choose all, which indicates all addresses.

Service: Choose any.

Log Allowed Traffic: This item is ticked by default. It is recommended to untick it.

NAT: Tick Enable NAT. The system automatically translates the IP addresses of the intranet lan to the IP address of the wan1 or wan2 interface for Internet access.

Click OK. The system automatically saves the configuration and the policy takes effect.

*      Log Allowed Traffic consumes extra system resources once enabled. Therefore, tick this item only when necessary.

 

5)       Configure ECMP load-balancing mode.

The firewall supports the following three load-balancing modes:

Source IP based: Choose different routes based on the source IP address.

Weighted Load Balance: Choose routes based on weight values. In this example, tick this item.

For example, assume that the wan1 interface weight is 50, the wan2 interface weight is 50, and the weight of the other interfaces is 0. In this case, traffic is balanced over the two links at a 1:1 ratio.

Assume that the wan1 interface weight is 50 and the wan2 interface weight is 100. In this case, traffic is balanced at a 1:2 ratio.

Spillover: When the traffic over a link exceeds a threshold, the other link is used.

*      It is recommended to choose Source IP based. For example, online banking and online games verify the source IP address. If the traffic of one session arrives from different IP addresses, online banking interaction may fail and games may be disconnected.
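The distance and priority rules from the note under step 2, and the difference between the Source IP based and Weighted Load Balance modes described in this step, can be modelled in a few lines. The following Python is an added example written for this page, not the firewall's code. It assumes SHA-256 as a stand-in for the firewall's undocumented source-IP hash and a plain modulo split for weighted balancing; with those assumptions it reproduces the 1:1 and 1:2 ratios above and shows why a single host keeps one link under Source IP based but is spread across both links under Weighted Load Balance, which is the reason the note recommends the former.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    """One Router>Static>Static Route entry; defaults follow the cookbook (distance 10, priority 0)."""
    device: str          # egress interface, e.g. "wan1"
    gateway: str         # next-hop address
    distance: int = 10
    priority: int = 0
    weight: int = 0      # ECMP weight for Weighted Load Balance; 0 means the link is never chosen


# Constructed: the two Telecom default routes of this section, equal distance and priority, 50/50 weights.
ROUTES = [
    StaticRoute("wan1", "202.1.1.1", weight=50),
    StaticRoute("wan2", "202.1.1.5", weight=50),
]


def active_routes(routes):
    """Apply the two rules from the note: only routes with the shortest distance are installed
    in the routing table, and of those only the ones with the lowest priority value are used.
    Whatever remains is the set that ECMP balances across."""
    if not routes:
        return []
    best_distance = min(r.distance for r in routes)
    installed = [r for r in routes if r.distance == best_distance]
    best_priority = min(r.priority for r in installed)
    return [r for r in installed if r.priority == best_priority]


def pick_source_ip_based(routes, src_ip):
    """Source IP based: hash the source address so one host always leaves via the same link.
    SHA-256 is an assumed stand-in; the firewall's real hash is not documented on the page."""
    ecmp = active_routes(routes)
    digest = hashlib.sha256(src_ip.encode("ascii")).digest()
    return ecmp[int.from_bytes(digest[:4], "big") % len(ecmp)].device


def pick_weighted(routes, flow_id):
    """Weighted Load Balance: spread flows over the links in proportion to their weights."""
    ecmp = [r for r in active_routes(routes) if r.weight > 0]
    total = sum(r.weight for r in ecmp)
    if total == 0:
        raise ValueError("no active route has a positive weight")
    point = flow_id % total
    for r in ecmp:
        if point < r.weight:
            return r.device
        point -= r.weight
    raise AssertionError("unreachable: point is always below the total weight")


def weighted_share(routes, flows):
    """Count how many of `flows` consecutive flow ids each link receives."""
    counts = {}
    for flow_id in range(flows):
        device = pick_weighted(routes, flow_id)
        counts[device] = counts.get(device, 0) + 1
    return counts


def links_seen_by_host(routes, src_ip, flows, mode):
    """Links that `flows` flows from one host use; a set of size 1 means the host is 'sticky'."""
    if mode == "source-ip":
        return {pick_source_ip_based(routes, src_ip) for _ in range(flows)}
    return {pick_weighted(routes, flow_id) for flow_id in range(flows)}


if __name__ == "__main__":
    print("active:", [r.device for r in active_routes(ROUTES)])
    print("1:1 weights, 300 flows:", weighted_share(ROUTES, 300))
    print("host under source-ip:", links_seen_by_host(ROUTES, "192.168.1.1", 100, "source-ip"))
    print("host under weighted:", links_seen_by_host(ROUTES, "192.168.1.1", 100, "weighted"))
```

Changing one route's distance to 20, or its priority to 5, drops it from the active set, which is exactly the failure the note warns about: the second line is configured but never used.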

 

Verification

Check the real-time rates of two interfaces.

1.2.2    Configuring Internet Access via Dual Lines of Different Carriers

Networking Requirements

There is one link from the firewall to the Telecom interface and one to the Unicom interface. Data destined for IP addresses on the Telecom side leaves through the wan1 interface, while data destined for IP addresses on the Unicom side leaves through the wan2 interface.

Telecom: wan1 interface, IP address 202.1.1.2/30; gateway address 202.1.1.1; NAT address pool: 100.0.0.1-10

Unicom: wan2 interface, IP address 202.1.1.6/30; gateway address 202.1.1.5; NAT address pool: 200.0.0.1-10

Internal interface: internal network

Network Topology

Configuration Tips

1.       Configure IP addresses of interfaces.

2.       Configure a route.

3.       Configure the address pool.

4.       Configure the policy.

*     Current routing table sizes: the routing table entries for China Telecom number more than 1,800, those for China Netcom more than 400, and those for China Mobile around 30.
Because the routing tables of the S3100 and S3600 have a limited capacity (100 entries), the S3100 and S3600 are not suitable for the multi-line scenario.
The routing tables of the M5100 and M6600 hold up to 500 entries. When a network involves multiple lines, such as China Telecom and China Netcom lines, it is recommended to configure a default route for the Telecom lines and static routes for the Netcom lines.
The X9300 firewalls have sufficient routing table space.

 

Configuration Steps

1)       Configure interface address.

Choose System>Network>Interface. Tick wan1 and click Edit to display the Edit Interface page, as shown in the following figure:

Configure the IP address and subnet mask as 202.1.1.2/30.

Choose System>Network>Interface. Tick wan2 and click Edit to display the Edit Interface page, as shown in the following figure:

The IP address of the wan2 interface is 202.1.1.6/30, and the gateway address is 202.1.1.5.

The configuration is as follows:

2)       Configure a route.

Route for China Telecom: Configure a default route via the wan1 interface.

Route for China Unicom: Use the attached routing-table import tool to configure detailed routes. (Recommended)

You can also configure a default route for China Unicom and detailed routes for China Telecom.

Choose Router>Static>Static Route, and then click Create New, as shown in the following figure:

Create a default route for China Telecom, as shown in the following figure:

Destination IP/Mask: Keep the default value 0.0.0.0/0.0.0.0.

Device: Choose wan1, the interface this route goes out through. It must be set correctly; otherwise, the route does not work.

Gateway: The IP address of the next hop, that is, the IP address of the peer device connected to the wan1 interface.

Distance: The default value is 10. Only the route with the shorter distance is put into the routing table.

Priority: The default value is 0. The route with the smaller priority value is used preferentially.

3)       Configure the address pool.

Choose Firewall>Virtual IP>IP Pool, and then click Create New, as shown in the following figure:

Create two address pools, as shown in the following figure:

Name: Enter telecom100.0.0.1-10.

Type: Choose Overload. IP addresses are dynamically assigned from the pool.

External IP Range/Subnet: Enter 100.0.0.1-100.0.0.10.

ARP Reply: Tick this item to enable ARP response for the pool addresses, which is equivalent to sending gratuitous ARP packets.

Name: Enter unicom200.0.0.1-10.

Type: Choose Overload. IP addresses are dynamically assigned from the pool.

External IP Range/Subnet: Enter 200.0.0.1-200.0.0.10.

ARP Reply: Tick this item to enable ARP response for the pool addresses, which is equivalent to sending gratuitous ARP packets.

4)       Configure the policy.

Configure two policies: one for traffic from the internal interface to the wan1 interface, and the other for traffic from the internal interface to the wan2 interface.

Choose Firewall>Policy>Policy, and then click Create New, as shown in the following figure:

Create the policy for traffic from the internal interface to the wan1 interface, as shown in the following figure:

Source Interface/Zone: Choose internal.

Source address: Choose lan, which indicates the internal network address.

Destination Interface/Zone: Choose wan1.

Destination address: Choose all, which indicates all addresses.

Service: Choose any.

Log Allowed Traffic: This item is ticked by default. It is recommended to untick it, because the large volume of traffic generates many logs, and recording normal traffic is of little use.

NAT: Tick Enable NAT. Select Dynamic IP Pool and choose the corresponding address pool telecom100.0.0.1-10.

Create the policy for traffic from the internal interface to the wan2 interface, as shown in the following figure:

Source Interface/Zone: Choose internal.

Source address: Choose lan, which indicates the internal network address.

Destination Interface/Zone: Choose wan2.

Destination address: Choose all, which indicates all addresses.

Service: Choose any.

Log Allowed Traffic: This item is ticked by default. It is recommended to untick it.

NAT: Tick Enable NAT. Select Dynamic IP Pool and choose the corresponding address pool unicom200.0.0.1-10.

Verification

Access the Internet for testing. Run the tracert command to check the path.

1.3     Configuring DHCP

1.3.1    Configuring the DHCP Server

Networking Requirements

Enable the DHCP server function of the NGFW. The intranet PC automatically obtains an IP address for Internet access. The intranet segment is 192.168.1.0/24 and the gateway address is 192.168.1.200.

Network Topology

Configuration Tips

1.       Basic configuration for Internet access

2.       Configure the DHCP server.

Configuration Steps

1.       Basic configuration for Internet access

For the detailed configuration process, see the section "Configuring Internet Access via a Static Link" under "Internet Access via a Single Line" in "Configuring Routing Mode".

2.       Configure the DHCP service.

a)       Enable the DHCP service.

Choose System>DHCP Server>Service, and then click Create New, as shown in the following figure:

Interface Name: Choose the interface on which the DHCP server serves clients.

Mode: Choose Server or Relay.

Enable: This item is ticked by default.

Type: Choose Regular or IPsec. If you choose IPsec, the system assigns IP addresses to IPsec users.

IP Range: The IP address range assigned to users.

Network Mask: The subnet mask. Set it to 255.255.255.0.

Default Gateway: Generally, the IP address of the interface on which the DHCP server is enabled.

DNS Service: You can choose Specify or Use System DNS Setting.

b)       Advanced options. You can set the lease time and excluded ranges, as shown in the following figure:

Lease Time: Set to 1 day by default, which can be adjusted according to the actual situation. If you choose Unlimited, assigned IP addresses are never released. Therefore, Unlimited is not recommended.

Options: Used to configure DHCP server options.

Exclude Ranges: Enter the IP address segment to be reserved (not handed out), such as 192.168.1.120-192.168.1.130.

Verification

Set the PC to automatically obtain an IPaddress.

Notes

1.       Question: In the DHCP configuration, does the system DNS refer to the DNS settings of the firewall itself?

The DHCP configuration provides three DNS options:

RG-WALL # config system dhcp server

RG-WALL (server) # edit 1

RG-WALL (1) # set auto-configuration enable

RG-WALL (1) # set conflicted-ip-timeout 1800

RG-WALL (1) # set default-gateway 192.168.1.99

RG-WALL (1) # set dns-service default        //Default parameter

 

default   Use system DNS settings.      //The DNS servers configured on the firewall.

local     Use this RGT as DNS server.   //The IP address of the firewall interface.

specify   Specify DNS servers.          //Manually specified DNS servers.

2.       When you run the set dns-service default command, the PC obtains the DNS servers configured on the firewall itself.

Set the DNS servers of the firewall itself:

RG-WALL # config system dns      //DNS servers configured on the firewall.

RG-WALL (dns) # set primary 8.8.8.8

RG-WALL (dns) # end

3.       When you run the set dns-service local command, the PC obtains the IP address of the firewall interface on which DHCP is enabled as its DNS server.

 

1.3.2    DHCP Static Binding

Networking Requirements

Enable the DHCP server function of the NGFW so that intranet PCs automatically obtain IP addresses for Internet access. The intranet segment is 192.168.1.0/24 and the gateway address is 192.168.1.200. Reserve IP address 192.168.1.100 for the host with MAC address 04:7d:7b:9b:71:ad.

Network Topology

Configuration Tips

1.       Basic configuration for Internet access

2.       Configure the DHCP server.

Configuration Steps

1)       Basic configuration for Internet access

2)       Configure the DHCP service.

See section “Configuring the DHCP Server”.

3)       Configure the reserved IP address.

*      Before operation, it is recommended to upgrade the firewall to the latest software version.

Method 1 (CLI):

RG-WALL # config system dhcp server

       RG-WALL (server) # edit 1                                                               // Basic configuration

       RG-WALL (1) # set dns-service default

       RG-WALL (1) # set default-gateway 192.168.1.200

       RG-WALL (1) # set netmask 255.255.255.0

       RG-WALL (1) # set interface internal

       RG-WALL (1) # config ip-range

       RG-WALL (ip-range) # edit 1

       RG-WALL (1) # set start-ip 192.168.1.99

       RG-WALL (1) # set end-ip 192.168.1.199

       RG-WALL (1) # next

       RG-WALL (ip-range) # end                        // End of the basic configuration (address pool)

       RG-WALL (1) # config reserved-address                      // Configure the reserved IP address.

       RG-WALL (reserved-address) # edit 1                    // Entry ID (1, 2, 3, ...), used only for identification. You can define multiple entries.

       RG-WALL (1) # set ip 192.168.1.100                   // The IP address to assign to the specified MAC address.

       RG-WALL (1) # set mac 04:7d:7b:9b:71:ad          // The MAC address of the host.

       RG-WALL (1) # next

       RG-WALL (reserved-address) # end

       RG-WALL (1) # next

       RG-WALL (server) # end

Method 2 (Web UI):

 

Verification

Set the PC to automatically obtain an IP address. The host with MAC address 04:7d:7b:9b:71:ad obtains IP address 192.168.1.100; other hosts obtain addresses from the dynamic range.

1.       Check the DHCP address pool assignment on the firewall, as shown in the following figure:
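The following Python model is an added example (not RG-WALL code) of how the DHCP settings of sections 1.3.1 and 1.3.2 interact: the static binding for 04:7d:7b:9b:71:ad takes precedence over the dynamic range even though 192.168.1.100 lies inside it, addresses in the exclude range 192.168.1.120-192.168.1.130 are skipped, and an Unlimited lease never returns an address to the pool, which is why the section advises against it. The pool values are those of this section; the client MAC addresses and the simplified first-free allocation order are assumptions for the example.

```python
"""Model of the DHCP server settings in this section: IP range, exclude range,
MAC reservation (static binding) and lease time.  Added example, not RG-WALL code."""
import ipaddress
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def _ip_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


@dataclass
class DhcpPool:
    start_ip: str
    end_ip: str
    lease_seconds: Optional[int] = 86400          # None models "Unlimited"
    exclude_ranges: List[Tuple[str, str]] = field(default_factory=list)
    reservations: Dict[str, str] = field(default_factory=dict)   # mac -> ip
    # ip -> (mac, expiry timestamp, or None for a lease that never expires)
    leases: Dict[str, Tuple[str, Optional[float]]] = field(default_factory=dict)

    def __post_init__(self):
        self.reservations = {m.lower(): ip for m, ip in self.reservations.items()}

    def _dynamic_candidates(self):
        """Addresses the server may hand out dynamically, in ascending order."""
        excluded = set()
        for a, b in self.exclude_ranges:
            excluded.update(range(_ip_int(a), _ip_int(b) + 1))
        reserved = {_ip_int(ip) for ip in self.reservations.values()}
        for n in range(_ip_int(self.start_ip), _ip_int(self.end_ip) + 1):
            if n not in excluded and n not in reserved:
                yield str(ipaddress.IPv4Address(n))

    def _expire(self, now: float) -> None:
        """Release leases whose time is up; Unlimited leases (expiry None) are never released."""
        for ip, (_mac, expiry) in list(self.leases.items()):
            if expiry is not None and expiry <= now:
                del self.leases[ip]

    def offer(self, mac: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        self._expire(now)
        mac = mac.lower()
        expiry = None if self.lease_seconds is None else now + self.lease_seconds
        # 1. static binding: the reserved address, even though it lies inside the range
        if mac in self.reservations:
            ip = self.reservations[mac]
            self.leases[ip] = (mac, expiry)
            return ip
        # 2. a client that already holds a lease renews it and keeps its address
        for ip, (holder, _) in self.leases.items():
            if holder == mac:
                self.leases[ip] = (mac, expiry)
                return ip
        # 3. otherwise the first free address outside the excluded ranges
        for ip in self._dynamic_candidates():
            if ip not in self.leases:
                self.leases[ip] = (mac, expiry)
                return ip
        return None   # pool exhausted


def cookbook_pool() -> DhcpPool:
    """Pool of section 1.3.2 plus the exclude range used as the example in section 1.3.1."""
    return DhcpPool(
        "192.168.1.99", "192.168.1.199", lease_seconds=86400,
        exclude_ranges=[("192.168.1.120", "192.168.1.130")],
        reservations={"04:7d:7b:9b:71:ad": "192.168.1.100"},
    )


if __name__ == "__main__":
    pool = cookbook_pool()
    print("reserved host ->", pool.offer("04:7d:7b:9b:71:ad", now=0))
    for i in range(22):   # assumed client MACs; client 20 jumps over the excluded range
        print(f"client {i:2d} ->", pool.offer(f"00:11:22:33:44:{i:02x}", now=0))
```

Running the block prints the reserved host at 192.168.1.100, the first dynamic client at 192.168.1.99, the second at 192.168.1.101 (the reserved address is skipped), and the twenty-first dynamic client at 192.168.1.131 because 192.168.1.120-192.168.1.130 is excluded.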

 

1.3.3    DHCP Relay Configuration

I. Networking Requirements

Enable DHCP relay on the RG-WALL 1600 Series Next-Generation Firewall (NGFW) so that intranet PCs obtain IP addresses from a DHCP server located on another network segment; the firewall forwards the DHCP requests to that server.

II. Network Topology

III. Configuration Tips

1.       Basic configuration for Internet access

2.       Enable DHCP relay and enter the address of the DHCP server.

IV. Configuration Steps

1.       Basic configuration for Internet access

For the detailed configuration process, see section 1.1.2 "Configuring Internet Access via a Static Link" under section 1.1 "Internet Access via a Single Line" in Chapter 1 "Typical Functions of Routing Mode".

2.       Enable DHCP relay and enter the address of the DHCP server.

Choose System > DHCP Server > Service, and then click Create New.

Interface Name: Choose the interface on which the DHCP requests of the clients arrive (the intranet interface).

Mode: Choose Relay.

Type: Choose Regular or IPsec. If you choose IPsec, the system assigns IP addresses to IPsec users.

DHCP Server IP: Enter the IP address of the DHCP server to which the requests are forwarded. The firewall needs a route to this server, and the server needs a route back to the relay interface address.

 

V. Verification

Set the PC to automatically obtain an IP address.

1.4     Port Mapping

1.4.1    Address Mapping (One-to-One IP Address Mapping)

Networking Requirements

As shown in the following figure, you have completed the basic configuration of the firewall. Now, you need to map one web server on the intranet (IP address: 192.168.1.2) to a public IP address on the extranet port (IP address: 202.1.1.11) so that extranet users can access the web server.

At the same time, intranet users should be able to access the web server by using its public IP address.

Network Topology

Configuration Tips

1.       Basic configuration for Internet access

2.       Configure the virtual IP address (DNAT).

3.       Configure the security policy.

Configuration Steps

1.       Basic configuration for Internet access

For the detailed configuration process, see section "Configuring Internet Access via a Static Link" under "Internet Access via a Single Line" in "Configuring Routing Mode".

The IP addresses of the interfaces are displayed as shown in the following figure:

The route configuration is shown in the following figure:

2.       Configure the virtual IP address (DNAT).

Choose Firewall > Virtual IP > Virtual IP, and then click Create New, as shown in the following figure:

Configure the virtual IP address. Set the name to webserver. The virtual IP address is used for destination address translation on the wan1 interface.

*      Values of External IP Address/Range are mapped one-to-one to the values of Mapped IP Address/Range. Enter both the start and end IP addresses of the external IP address range. For the mapped range you only need to enter the start IP address; the system fills in the end IP address automatically.

 

Take the IP address range from 202.1.1.3 to 202.1.1.10 as an example. The start IP address of the internal mapping is 192.168.1.2, so the end IP address must be 192.168.1.9 (filled in by the system automatically). The addresses in the two ranges are mapped to each other in order.

For example, 202.1.1.3 is mapped to 192.168.1.2, 202.1.1.4 is mapped to 192.168.1.3, and so on.

3.       Configure the security policy.

Choose Firewall>Policy>Policy,and then click Create New, as shown in the following figure:

Source Interface/Zone: Choose wan1. // If intranet users also need to reach the server by its virtual IP address, choose any.

Source address: Choose all.

Destination Interface/Zone: Choose internal.

Destination address: Choose webserver. // This is the defined virtual IP object; the policy matches the translated destination.

Service: Choose HTTP. // Only HTTP is allowed from the Internet to the server. Do not choose ALL for an inbound policy; permit only the services the server actually provides.

*      If intranet users need to access the server by its virtual IP address, choose one of the following two methods:
1. Set Source Interface/Zone of the original policy to any.
2. Add one internal-to-internal policy with the Source Interface/Zone value of internal, as follows:

 

Source Interface/Zone: Choose internal.

Source address: Choose all.

Destination Interface/Zone: Choose internal.

Destination address: Choose webserver. // The defined virtual IP object.

Service: Choose HTTP. // Only HTTP is allowed to the server.

4.       Allow intranet users to access the public IP address of the VIP.

Intranet users access the internal web server by using the public IP address mapped to it. You just need to add one policy that allows intranet users to access the extranet. Add the policy as shown in the following figure:

Verification

Access http://202.1.1.11 from the extranet. To test whether the mapping works, you can temporarily add the PING service to the policy; remove it again after the test so that only HTTP remains open.

1.4.2    Port Mapping (One-to-Many Port Mapping)

Networking Requirements

As shown in the following figure, you have completed the basic configuration of the firewall.

Map port 80 of one intranet web server (IP address: 192.168.1.2) to port 8080 of the extranet address (IP address: 202.1.1.11). (The intranet port is different from the mapped extranet port.)

Map port 25 of one intranet SMTP server (IP address: 192.168.1.3) to port 25 of the same extranet address (IP address: 202.1.1.11).

Purpose of this case: understand the packet processing order of the NGFW, which is critical for every mapping: DNAT > route lookup > security policy > source NAT.

Network Topology

Configuration Tips

1.       Basic configuration for Internet access

2.       Configure the virtual IP address (DNAT).

3.       Configure the security policy.

Configuration Steps

1.       Basic configuration for Internet access

For the detailed configuration process, see section "Configuring Internet Access via a Static Link" under "Internet Access via a Single Line" in "Configuring Routing Mode".

The IP addresses of the interfaces are displayed as shown in the following figure:

The route configuration is shown in the following figure:

2.       Configure the virtual IP address (DNAT).

Choose Firewall > Virtual IP > Virtual IP, and then click Create New to create a new virtual IP address, as shown in the following figure:

Create virtual IP 1. Set Name to webserver:80 to map the HTTP server (external port 8080 to mapped port 80), as shown in the following figure:

Create virtual IP 2. Set Name to smtpserver:25 to map the SMTP server (external port 25 to mapped port 25), as shown in the following figure:

*      Values of External IP Address/Range are mapped one-to-one to the values of Mapped IP Address/Range. Enter both the start and end IP addresses of the external IP address range. For the mapped range you only need to enter the start IP address; the system fills in the end IP address automatically.

 

Take the IP address range from 202.1.1.3 to 202.1.1.10 as an example. The start IP address of the internal mapping is 192.168.1.2, so the end IP address must be 192.168.1.9 (filled in by the system automatically). The addresses in the two ranges are mapped to each other in order.

For example, 202.1.1.3 is mapped to 192.168.1.2, 202.1.1.4 is mapped to 192.168.1.3, and so on.

3.       Configure the security policy.

Choose Firewall > Policy > Policy, and then click Create New, as shown in the following figure:

On the New Policy page, add one policy as shown in the following figure:

Click Multiple next to Destination Address to choose the two defined virtual IP addresses, as shown in the following figure:

Click Multiple next to Service to add the HTTP and SMTP services, as shown in the following figure:

Source Interface/Zone: Choose wan1. // If intranet users also need to reach the servers by the virtual IP address, choose any.

Source address: Choose all.

Destination Interface/Zone: Choose internal.

Destination address: Choose webserver:80 and smtpserver:25.

Service: Choose HTTP and SMTP.

*      If intranet users need to access the servers by the virtual IP address, choose one of the following two methods:
1. Set Source Interface/Zone of the original policy to any.
2. Add one internal-to-internal policy with the Source Interface/Zone value of internal, as follows:

 

Source Interface/Zone: Choose internal.

Source address: Choose all.

Destination Interface/Zone: Choose internal.

Destination address: Choose webserver:80 and smtpserver:25.

Service: Choose HTTP and SMTP.

Key note: The NGFW applies the DNAT (virtual IP) first and matches the firewall policy afterwards. In this case, traffic that arrives at extranet port 8080 has already been translated to port 80 by the DNAT (virtual IP) when the policy is evaluated. Therefore the policy must permit the HTTP service (port 80), not port 8080; a policy written for port 8080 would never match.

 

The policy configuration is as follows:

Verification

Access http://202.1.1.11:8080 from the extranet. To test whether the mapping works, you can temporarily add the PING service to the policy; remove it again after the test.

Send a test email through the SMTP server from the extranet.
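The following Python model is an added example (not RG-WALL code) of the processing order stated above, DNAT > route > security policy > source NAT, for the virtual IPs of sections 1.4.1 and 1.4.2. It shows why the policy must permit HTTP (port 80) rather than port 8080, how a one-to-one address range maps in order (202.1.1.4 to 192.168.1.3), and why a policy whose source interface is wan1 does not serve intranet users who address the server by its public IP. The wan1 address 202.1.1.2, the gateway 192.168.1.200, the route list, the VIP name webrange and the simplified first-match policy lookup are assumptions for the example.

```python
"""Packet-path model for virtual IPs: DNAT -> route -> security policy -> source NAT.
Added example, not RG-WALL code; addresses and object names below are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Service objects as (protocol, destination port); None means "any".
SERVICES = {"HTTP": ("tcp", 80), "SMTP": ("tcp", 25), "PING": ("icmp", None), "ALL": (None, None)}


@dataclass
class VirtualIP:
    name: str
    ext_start: str
    ext_end: str
    mapped_start: str
    ext_port: Optional[int] = None      # None: all ports, addresses mapped 1:1
    mapped_port: Optional[int] = None

    def translate(self, dst_ip: str, dport: Optional[int]) -> Optional[Tuple[str, Optional[int]]]:
        lo = int(ipaddress.IPv4Address(self.ext_start))
        hi = int(ipaddress.IPv4Address(self.ext_end))
        d = int(ipaddress.IPv4Address(dst_ip))
        if not lo <= d <= hi or (self.ext_port is not None and dport != self.ext_port):
            return None
        # The n-th external address maps to the n-th mapped address (202.1.1.4 -> 192.168.1.3).
        mapped = ipaddress.IPv4Address(int(ipaddress.IPv4Address(self.mapped_start)) + (d - lo))
        return str(mapped), (dport if self.mapped_port is None else self.mapped_port)


@dataclass
class Policy:
    src_if: str            # "any" matches every incoming interface
    dst_if: str
    dst_addrs: List[str]   # virtual IP names, or "all"
    services: List[str]
    action: str = "accept"
    nat: bool = False      # source NAT to the outgoing interface address


@dataclass
class Firewall:
    vips: List[VirtualIP]
    routes: List[Tuple[str, str]]   # (prefix, interface), most specific first
    if_addrs: Dict[str, str]         # interface -> its own address, used for source NAT
    policies: List[Policy]

    def process(self, in_if: str, src: str, dst: str, proto: str, dport: Optional[int]) -> Dict:
        # 1. DNAT: the virtual IP is applied first, so every later stage sees the mapped address/port.
        vip_name = None
        for vip in self.vips:
            hit = vip.translate(dst, dport)
            if hit:
                vip_name, (dst, dport) = vip.name, hit
                break
        # 2. Route lookup on the translated destination decides the outgoing interface.
        addr = ipaddress.IPv4Address(dst)
        out_if = next((i for p, i in self.routes if addr in ipaddress.IPv4Network(p)), None)
        if out_if is None:
            return {"action": "drop", "reason": "no route", "dst": dst, "dport": dport, "vip": vip_name}
        # 3. First matching policy, matched on the post-DNAT destination and service.
        for p in self.policies:
            if p.src_if not in ("any", in_if) or p.dst_if != out_if:
                continue
            if "all" not in p.dst_addrs and vip_name not in p.dst_addrs:
                continue
            if not any(SERVICES[s][0] in (None, proto) and SERVICES[s][1] in (None, dport)
                       for s in p.services):
                continue
            # 4. Source NAT happens last and only if the matching policy enables it.
            if p.action == "accept" and p.nat:
                src = self.if_addrs[out_if]
            return {"action": p.action, "out_if": out_if, "src": src, "dst": dst,
                    "dport": dport, "vip": vip_name}
        return {"action": "deny", "reason": "implicit deny", "dst": dst, "dport": dport, "vip": vip_name}


def cookbook_firewall(intranet_access: bool = False) -> Firewall:
    """VIPs of sections 1.4.1 and 1.4.2; the wan1 address 202.1.1.2 and the route list are assumed."""
    return Firewall(
        vips=[
            VirtualIP("webserver:80", "202.1.1.11", "202.1.1.11", "192.168.1.2", ext_port=8080, mapped_port=80),
            VirtualIP("smtpserver:25", "202.1.1.11", "202.1.1.11", "192.168.1.3", ext_port=25, mapped_port=25),
            VirtualIP("webrange", "202.1.1.3", "202.1.1.10", "192.168.1.2"),   # 1:1 range of section 1.4.1
        ],
        routes=[("192.168.1.0/24", "internal"), ("0.0.0.0/0", "wan1")],
        if_addrs={"wan1": "202.1.1.2", "internal": "192.168.1.200"},
        policies=[
            # Method 1 of the note above: source interface "any" also serves intranet users.
            Policy("any" if intranet_access else "wan1", "internal",
                   ["webserver:80", "smtpserver:25", "webrange"], ["HTTP", "SMTP"]),
            Policy("internal", "wan1", ["all"], ["ALL"], nat=True),   # ordinary Internet access
        ],
    )


if __name__ == "__main__":
    fw = cookbook_firewall()
    print("8080 on the VIP ->", fw.process("wan1", "8.8.8.8", "202.1.1.11", "tcp", 8080))
    print("80 on the VIP   ->", fw.process("wan1", "8.8.8.8", "202.1.1.11", "tcp", 80))
    print("intranet -> VIP ->", fw.process("internal", "192.168.1.50", "202.1.1.11", "tcp", 8080))
```

The first call is accepted with destination 192.168.1.2 port 80 because the HTTP service is matched after translation; the second is denied because no virtual IP translates port 80 and no policy matches the untranslated destination; the third is denied until the policy's source interface is changed to any (cookbook_firewall(intranet_access=True)).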

1.4.3    Port Mapping for Multiple Lines

Networking Requirements

Map one intranet web server to the public IP addresses of both the China Telecom and the China Unicom egress interfaces, so that it can be reached from both carriers.

Web server address: 192.168.1.2/24; gateway address: 192.168.1.200

China Telecom egress interface address: 202.1.1.2/29; gateway address: 202.1.1.1; public IP address of the server: 202.1.1.3

China Unicom egress interface address: 100.1.1.2/29; gateway address: 100.1.1.1; public IP address of the server: 100.1.1.3

The PCs in the intranet segment 192.168.1.0/24 need to access the Internet.

Purpose of this case: The NGFW returns traffic on the interface it arrived on ("source in, source out"). The firewall tracks sessions: a connection that arrives on the Telecom interface is preferably returned via the Telecom interface, and a connection that arrives on the Unicom interface is preferably returned via the Unicom interface. The precondition is that the routing table of the firewall contains a route through which the return traffic can be forwarded. Therefore you only need to configure one default route to the Telecom gateway and one to the Unicom gateway.

Network Topology

Configuration Tips

1.       Configure the IP addresses of interfaces.

2.       Configure a route.

3.       Configure the virtual IP address (DNAT).

4.       Configure address resources.

5.       Configure the policy.

Configuration Steps

1.       Configure interface address.

For the detailed configuration process, see section "Configuring Internet Access via a Static Link" under "Internet Access via a Single Line" in "Configuring Routing Mode".

The following figure shows the IP addresses of the interfaces:

2.       Configure the routes.

The firewall tracks sessions. A connection that arrives on the Telecom interface is preferably returned via the Telecom interface, and one that arrives on the Unicom interface via the Unicom interface. The precondition is that the routing table of the firewall contains a route through which the return traffic can be forwarded. Therefore you only need to configure one default route to the Telecom gateway and one to the Unicom gateway.

The default route to the Telecom gateway:

The default route to the Unicom gateway:

Check the current routes, as shown in the following figure:

3.       Configure the virtual IP addresses.

Set Name to web1, which is used for the IP address mapping on the Telecom interface, as shown in the following figure:

Set Name to web2, which is used for the IP address mapping on the Unicom interface, as shown in the following figure:

*      Values of External IP Address/Range are mapped one-to-one to the values of Mapped IP Address/Range. Enter both the start and end IP addresses of the external IP address range. For the mapped range you only need to enter the start IP address; the system fills in the end IP address automatically.

 

Take the IP address range from 202.1.1.3 to 202.1.1.10 as an example. The start IP address of the internal mapping is 192.168.1.2, so the end IP address must be 192.168.1.9 (filled in by the system automatically). The addresses in the two ranges are mapped to each other in order.

For example, 202.1.1.3 is mapped to 192.168.1.2, 202.1.1.4 is mapped to 192.168.1.3, and so on.

4.       Configure address resources.

Choose Firew­all > Address > Address, and then click Create New, as shown in the following figure:

Set Name to lan. Choose Subnet from Type. Set Subnet/IP Range to 192.168.1.0/24. Click OK. See the following figure:

5.       Configure the policy.

You need to configure the following fourpolicies:

a)       Configure the virtual IP policy from the wan1 interface to the internal interface, as shown in the following figure:

b)       Configure the virtual IP policy from the wan2 interface to the internal interface, as shown in the following figure:

c)       Configure the policy from the internal interface to the wan1 interface, with source address lan, to allow the PCs with internal IP addresses to access the Internet through the wan1 interface, as shown in the following figure:

d)       Configure the policy from the internal interface to the wan2 interface, with source address lan, to allow the PCs with internal IP addresses to access the Internet through the wan2 interface, as shown in the following figure:

Verification

From the extranet, access port 80 at 202.1.1.3 (via the Telecom line) and at 100.1.1.3 (via the Unicom line) respectively.

1.5     Configuring Route

1.5.1    Static Routing

Static Routing

A static route is a routing entry that the system administrator adds manually on the firewall according to the network structure. For the firewall, static routing is the most basic and also the most common route configuration.

Network Topology

The IP address of the wan1 interface of the firewall is 202.1.1.10, while the IP address of the G1/0 interface of the peer ISP router is 202.1.1.9.

Configuration Method

Choose Router > Static > Static Route, and then click Create New, as shown in the following figure:

Destination IP/Mask: Keep the default value 0.0.0.0/0.0.0.0 for a default route, or enter the destination network and mask for a route to a specific network.

Device: Choose wan1, the interface through which this route forwards traffic. It must be set correctly; otherwise the route cannot work.

Gateway: The IP address of the next hop, that is, the IP address of the peer device connected to the wan1 interface.

Distance: The default value is 10. For routes to the same destination, the route with the lower distance is installed in the routing table. If the distances are equal, both routes are installed.

Priority: The default value is 0. Between two installed routes with the same distance, the firewall prefers the route with the lower priority value.

Configuration Command

1.       Configure the default route

RG-WALL # config router static

 RG-WALL (static) # edit 1

 RG-WALL (1) # set gateway 202.1.1.9      // This entry does not set dst (the destination network), so the default value 0.0.0.0/0.0.0.0 applies and the entry is the default route.

 RG-WALL (1) # set device wan1

 RG-WALL (1) # next

 RG-WALL (static) # end

2.       Configure a static route to a specific network.

  RG-WALL # config router static

  RG-WALL (static) # edit 2

  RG-WALL (2) # set dst 1.24.0.0 255.248.0.0

  RG-WALL (2) # set gateway 202.1.1.5

  RG-WALL (2) # set device wan2

  RG-WALL (2) # next

  RG-WALL (static) # end

Verification

Check the routing table on the graphical page. Choose Router > Monitor > Routing Monitor, or run the get router info routing-table static command, to check whether the route has taken effect.

Run ping 202.1.1.9 to check the link to the next hop.

1.5.2    Policy-Based Routing

Policy-Based Routing

Both static and dynamic routing are destination-based routing: the route is selected according to the destination address only.

Policy-based routing selects a route according to the source address, protocol type, traffic label, or destination address.

Policy-based routing has a higher priority than static routing and is evaluated first: a packet that matches a policy route is forwarded according to that policy route, regardless of the static routing table.

Application example

Scenario: As described in section "Configuring Internet Access via Dual Lines of Different Carriers" under section "Internet Access via Multiple Links" in "Configuring Routing Mode", force the PCs in 192.168.1.0/29 to access the Internet through the wan2 interface.

Choose Router > Static > Policy Route, and then click Create New, as shown in the following figure:

As defined by this policy-based route, all packets that enter the internal interface with source address 192.168.1.0 255.255.255.248 and destination address 0.0.0.0 0.0.0.0 are forcibly forwarded through the wan2 interface. The gateway address of the next hop is 100.1.1.1.

On the New Routing Policy page, the options are as follows:

Protocol: The protocol number. The value 0 matches any protocol. You can specify 6 for TCP, 17 for UDP, or 132 for SCTP.

Incoming interface: The interface through which the traffic enters.

Source address/mask: The source address of the packets.

Destination address/mask: The destination address of the packets.

Destination Ports: By default, all ports, from port 1 to port 65535.

Force traffic to:

Outgoing interface: The interface through which the traffic is forwarded.

Gateway Address: The next-hop gateway address.
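The following Python model is an added example (not RG-WALL code) of the route selection described in sections 1.5.1 and 1.5.2: a policy route is checked first and overrides the routing table; otherwise the longest matching prefix wins, only the lowest distance per prefix is installed, and among installed routes of equal distance the lower priority value is preferred (equal priority gives equal-cost multipath). The gateways 202.1.1.1 (wan1) and 100.1.1.1 (wan2) are taken from the dual-line scenario of section 1.4.3, the route 1.24.0.0 255.248.0.0 via 202.1.1.5 from section 1.5.1; the remaining values are assumptions.

```python
"""Route selection model for sections 1.5.1 and 1.5.2: policy route first, then
longest prefix, then distance, then priority.  Added example, not RG-WALL code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class StaticRoute:
    dst: str             # "0.0.0.0/0" is the default route
    gateway: str
    device: str
    distance: int = 10   # lower is better; only the lowest per prefix is installed
    priority: int = 0    # lower is preferred among installed routes of equal distance


@dataclass
class PolicyRoute:
    incoming: str
    src: str                               # e.g. "192.168.1.0/29"
    out_device: str
    gateway: str
    dst: str = "0.0.0.0/0"
    protocol: int = 0                      # 0 = any, 6 = TCP, 17 = UDP, 132 = SCTP
    dport_range: Tuple[int, int] = (1, 65535)


def installed_routes(routes: List[StaticRoute]) -> Dict[str, List[StaticRoute]]:
    """What the routing table holds: per prefix, only the route(s) with the lowest distance."""
    table: Dict[str, List[StaticRoute]] = {}
    for r in routes:
        current = table.get(r.dst)
        if current is None or r.distance < current[0].distance:
            table[r.dst] = [r]
        elif r.distance == current[0].distance:
            current.append(r)
    return table


def select_route(routes, policy_routes, in_if, src_ip, dst_ip, protocol=6, dport=80):
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    # Policy routes are evaluated first and override the static table.
    for pr in policy_routes:
        if pr.incoming != in_if or src not in ipaddress.IPv4Network(pr.src) \
                or dst not in ipaddress.IPv4Network(pr.dst):
            continue
        if pr.protocol not in (0, protocol) or not pr.dport_range[0] <= dport <= pr.dport_range[1]:
            continue
        return ("policy", [(pr.out_device, pr.gateway)])
    # Longest prefix match over the installed routes.
    matches = [(ipaddress.IPv4Network(p).prefixlen, entries)
               for p, entries in installed_routes(routes).items()
               if dst in ipaddress.IPv4Network(p)]
    if not matches:
        return None
    _, entries = max(matches, key=lambda m: m[0])
    # Equal distance: the lowest priority value wins; equal priority: ECMP over all of them.
    best = min(e.priority for e in entries)
    return ("static", [(e.device, e.gateway) for e in entries if e.priority == best])


def cookbook_routes() -> List[StaticRoute]:
    """Two default routes (wan2 with a worse priority), an ignored higher-distance duplicate,
    and the specific route of section 1.5.1.  Distances and priorities are assumed."""
    return [
        StaticRoute("0.0.0.0/0", "202.1.1.1", "wan1"),
        StaticRoute("0.0.0.0/0", "100.1.1.1", "wan2", priority=5),
        StaticRoute("0.0.0.0/0", "100.1.1.1", "wan2", distance=20),   # not installed
        StaticRoute("1.24.0.0/13", "202.1.1.5", "wan2"),              # 1.24.0.0 255.248.0.0
    ]


def cookbook_policy_routes() -> List[PolicyRoute]:
    """The policy route of section 1.5.2: 192.168.1.0/29 from internal is forced out of wan2."""
    return [PolicyRoute("internal", "192.168.1.0/29", "wan2", "100.1.1.1")]


if __name__ == "__main__":
    routes, prs = cookbook_routes(), cookbook_policy_routes()
    print("192.168.1.5  -> 8.8.8.8 :", select_route(routes, prs, "internal", "192.168.1.5", "8.8.8.8"))
    print("192.168.1.50 -> 8.8.8.8 :", select_route(routes, prs, "internal", "192.168.1.50", "8.8.8.8"))
    print("192.168.1.50 -> 1.24.5.5:", select_route(routes, prs, "internal", "192.168.1.50", "1.24.5.5"))
```

The host in 192.168.1.0/29 leaves through wan2 because of the policy route; any other intranet host takes the wan1 default route, since both default routes have distance 10 but wan1 has the lower priority value; a destination inside 1.24.0.0/13 uses the more specific static route regardless of priority.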

1.5.3    RIP

Application Scenario

If there are several routing devices but no path is longer than 15 hops (RIP treats a hop count of 16 as unreachable), it is recommended to configure RIP on the NGFW so that the NGFW dynamically learns the routes to the other networks and the routes are aged and updated automatically.

When a path would exceed 15 hops or the network is larger, it is recommended to configure OSPF, because OSPF converges faster when routes are learned and updated and is better suited to larger networks.

If there are only a few routing devices, it is recommended to configure static routes. Static routes are easy to maintain and place no special requirements on the routers: all routers support static routes, whereas some low-end routers do not support RIP.

Networking Requirements

As shown in the figure, the L3 switch in the intranet and the egress NGFW mutually advertise routes through the dynamic routing protocol RIP to enable intranet users to access the Internet.

On the NGFW, manually configure the default route and redistribute it into RIP. The L3 switch and the NGFW learn each other's routes through RIP, so that intranet users can access the Internet.

Network Topology

Configuration Tips

1.       Configure interface address.

2.       Configure the firewall.

3.       Configure the router.

Configuration Steps

1.       Configure interface address.

For the detailed configuration process, see section "Configuring Internet Access via a Static Link" under section "Internet Access via a Single Line" in "Configuring Routing Mode". The configuration is displayed as shown in the following figure:

2.       Configure a default route.

For the detailed configuration process, see section "Configuring Internet Access via a Static Link" under section "Internet Access via a Single Line" in "Configuring Routing Mode". The configuration is displayed as shown in the following figure:

3.       Configure RIP.

Choose Router > Dynamic > RIP.

a)       Configure the basic information, as shown in the following figure:

RIP Version: Choose 2.

Enable Default-information-originate: Tick this item to advertise the default route to the neighbor (the L3 switch).

Redistribute: Determines whether routes of other protocols (for example connected or static routes) are redistributed into RIP.

b)       Add the RIP network.

Click Create New. Set IP/Netmask to 192.168.1.0/255.255.255.0, and then click Add, as shown in the following figure:

After the network segment is added, the configuration is displayed as shown in the following figure:

4.       Configure the L3 switch (router).

interface FastEthernet 0/1

     ip address 192.168.1.111 255.255.255.0

interface FastEthernet 0/2

     ip address 192.168.200.100 255.255.255.0

     Configure RIP as follows:

     router rip

     version 2

     network 192.168.1.0

     network 192.168.200.0      // The segment on FastEthernet 0/2, so that the NGFW learns 192.168.200.0/24.

     no auto-summary

Verification

Check the current routes.

Choose Router>Monitor>RoutingMonitor, as shown in the following figure:

Run the following commandto display the current routes:

RG-WALL # get router info routing-table all

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP

       O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default

S*      0.0.0.0/0 [10/0] via 192.168.2.1, wan1, [0/50]

C       192.168.1.0/24 is directly connected, internal

C       192.168.2.0/24 is directly connected, wan1

R       192.168.200.0/24 [120/2] via 192.168.1.99, internal, 00:00:01

The R entry is the segment behind the L3 switch, learned through RIP (administrative distance 120, metric 2). If it is missing, check that the RIP version and the network statements match on both sides.

1.5.4    OSPF

Application Scenario

When a path would exceed 15 hops or the network is larger, it is recommended to configure OSPF, because OSPF converges faster when routes are learned and updated and is better suited to larger networks.

If there are several routing devices but no path is longer than 15 hops (RIP treats a hop count of 16 as unreachable), you can configure RIP on the NGFW instead so that the NGFW dynamically learns the routes to the other networks and the routes are aged and updated automatically.

If there are only a few routing devices, it is recommended to configure static routes. Static routes are easy to maintain and place no special requirements on the routers: all routers support static routes, whereas some low-end routers do not support RIP.

 

Networking Requirements

As shown in the figure, the L3 switch in the intranet and the egress NGFW mutually advertise routes through the dynamic routing protocol OSPF to enable intranet users to access the Internet.

On the NGFW, manually configure the default route and redistribute it into OSPF. The L3 switch and the NGFW learn each other's routes through OSPF, so that intranet users can access the Internet.

Network Topology

Configuration Tips

1.       Configure the IP addresses of interfaces.

2.       Configure a default route.

3.       Configure OSPF.

-  Configure the router ID.

-  Advertise the default route (Default Information).

-  Redistribute connected routes.

-  Create the OSPF area.

-  Add the OSPF network.

-  Add the interface (optional).

4.       Configure the peer router.

Configuration Steps

1.       Configure the IP addresses of interfaces.

For the detailed configuration process, see section "Configuring Internet Access via a Static Link" under section "Internet Access via a Single Line" in "Configuring Routing Mode". The configuration is displayed as shown in the following figure:

2.       Configure a default route.

For the detailed configuration process, see section "Configuring Internet Access via a Static Link" under section "Internet Access via a Single Line" in "Configuring Routing Mode". The configuration is displayed as shown in the following figure:

3.       Configure OSPF.

Choose Router > Dynamic > OSPF, as shown in the following figure:

a)       Configure the basic information, as shown in the following figure:

Set Router ID to 1.1.1.1.

Default Information: Choose Regular. The three options are described as follows:

None: The default route is not advertised.

 

Regular: If a default route is configured on the firewall, it is advertised; if not, it is not advertised.

Always: A default route is advertised whether or not one is configured on the firewall.

Redistribute: Tick Connected (Connected Metric), which advertises the routing information of the directly connected segment 192.168.1.0/24 to the OSPF neighbors.

After the above settings are completed, click Apply to validate the configuration.

b)       Create OSPF areas.

Click Create New, as shown in the following figure:

Create the backbone area 0.0.0.0 (area 0), as shown in the following figure:

The configuration is as follows:

c)       Add the OSPF network.

Click Create New, as shown in the following figure:

Add the segment 1.1.1.0/24 to OSPF area 0.0.0.0, as shown in the following figure:

d)       Add interfaces. (Optional)

Click Create New, as shown in the following figure:

You can edit the parameters of the OSPF interfaces in this menu.

Name: Used for identification.

Interface: The interface to be edited.

IP: The IP address of the interface.

Authentication: Determines whether OSPF packets on the interface are authenticated. The system supports MD5 (keyed MD5 digest), Text (plain-text password), and None. A plain-text password is sent in the clear in every OSPF packet and only prevents accidental adjacencies; use MD5 with a key ID and key that match the neighbor, so that a rogue router on the segment cannot form an adjacency and inject routes.

MD5 keys: Enter the key ID and the key.

Timers:

Hello Interval: By default, hello packets are sent every 10 seconds; the value can be changed as required. The Hello Interval must be the same on both OSPF neighbors, otherwise the adjacency is not formed.

Dead Interval: By default, the value is 40 seconds; it can be changed as required. The Dead Interval must also be the same on both OSPF neighbors.

4.       Configure the switch.

Configure the interface addresses.

interface FastEthernet 0/0

ip address 1.1.1.2 255.255.255.0

interface FastEthernet 0/1

ip address 192.168.2.1 255.255.255.0

     Configure OSPF as follows:

     router ospf 10

     network 1.1.1.0 0.0.0.255 area 0

     network 192.168.2.0 0.0.0.255 area 0         // Alternatively, this segment can be advertised by redistributing connected routes.

Verification

RG-WALL # get router info routing-table all

path=router, objname=info, tablename=(null), size=0

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP

       O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default

S*      0.0.0.0/0 [10/0] via 192.168.118.1, wan1, [0/50]

C       1.1.1.0/24 is directly connected, wan2

C       192.168.1.0/24 is directly connected, internal

O       192.168.2.0/24 [110/11] via 1.1.1.2, wan2, 00:01:49

C       192.168.118.0/24 is directly connected, wan1

Check the routes of the peer (the OSPF neighbor). The default route and the 192.168.1.0/24 segment appear as OSPF external type 2 (E2) routes, because they were redistributed into OSPF on the NGFW:

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP

       O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default

 

O*E2    0.0.0.0/0 [110/10] via 1.1.1.1, wan1, 00:09:34

C       1.1.1.0/24 is directly connected, wan1

O E2    192.168.1.0/24 [110/10] via 1.1.1.1, wan1, 00:09:34

C       192.168.2.0/24 is directly connected, internal

O E2    192.168.118.0/24 [110/10] via 1.1.1.1, wan1, 00:09:34
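The following Python parser is an added example (not RG-WALL code) for automating the verification step of the RIP and OSPF cases: it reads the text of get router info routing-table all, skips the legend, and turns each route line into a record (protocol code, OSPF subtype, candidate-default flag, distance, metric, gateway, device) so that the expected routes can be asserted in a script instead of by eye. The sample outputs are constructed from the outputs printed above; the record layout, the regular expression and the helper names are assumptions for the example.

```python
"""Parser for the `get router info routing-table all` output shown in this section,
used to assert that the expected RIP/OSPF routes are present.  Added example, not RG-WALL code."""
import re
from typing import Dict, List, Optional, Tuple

# One route line: code column (S*, C, R, O, O*E2, "O E2"), prefix, then either
# "[distance/metric] via <gateway>, <device>" or "is directly connected, <device>".
ROUTE_RE = re.compile(
    r"^\s*(?P<code>[A-Z*0-9]+(?:\s(?:E1|E2|N1|N2|IA|L1|L2))?)\s+"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:\[(?P<distance>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<gateway>[\d.]+),\s+(?P<device>\w+)"
    r"|is directly connected,\s+(?P<cdevice>\w+))"
)

# Constructed from the outputs printed in the RIP and OSPF verification steps above.
RIP_OUTPUT = """\
RG-WALL # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 192.168.2.1, wan1, [0/50]
C       192.168.1.0/24 is directly connected, internal
C       192.168.2.0/24 is directly connected, wan1
R       192.168.200.0/24 [120/2] via 192.168.1.99, internal, 00:00:01
"""

OSPF_PEER_OUTPUT = """\
O*E2    0.0.0.0/0 [110/10] via 1.1.1.1, wan1, 00:09:34
C       1.1.1.0/24 is directly connected, wan1
O E2    192.168.1.0/24 [110/10] via 1.1.1.1, wan1, 00:09:34
C       192.168.2.0/24 is directly connected, internal
O E2    192.168.118.0/24 [110/10] via 1.1.1.1, wan1, 00:09:34
"""


def parse_routing_table(text: str) -> List[Dict]:
    entries = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue                       # prompt, legend and blank lines
        code_parts = m.group("code").replace("*", " ").split()
        entries.append({
            "protocol": code_parts[0],                                    # S, C, R, O, ...
            "subtype": code_parts[1] if len(code_parts) > 1 else None,   # E2, IA, ...
            "candidate_default": "*" in m.group("code"),
            "prefix": m.group("prefix"),
            "distance": int(m.group("distance") or 0),                   # 0 for connected
            "metric": int(m.group("metric") or 0),
            "gateway": m.group("gateway"),                                # None for connected
            "device": m.group("device") or m.group("cdevice"),
        })
    return entries


def find_route(entries: List[Dict], prefix: str, protocol: Optional[str] = None) -> Optional[Dict]:
    for e in entries:
        if e["prefix"] == prefix and (protocol is None or e["protocol"] == protocol):
            return e
    return None


def missing_routes(entries: List[Dict], expected: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (prefix, protocol, device) triples that are not present in the table."""
    return [(p, proto, dev) for p, proto, dev in expected
            if not any(e["prefix"] == p and e["protocol"] == proto and e["device"] == dev
                       for e in entries)]


if __name__ == "__main__":
    expected = [("192.168.200.0/24", "R", "internal"), ("0.0.0.0/0", "S", "wan1")]
    print("missing on the NGFW:", missing_routes(parse_routing_table(RIP_OUTPUT), expected))
    print("peer default route :", find_route(parse_routing_table(OSPF_PEER_OUTPUT), "0.0.0.0/0"))
```

In practice the text is captured from the CLI over SSH and fed to parse_routing_table; an empty list from missing_routes means every route the case expects has been learned.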


1.6     Application Level Gateway (ALG)

1.6.1    VoIP

I. Networking Requirements

A company uses a voice system based on the Session Initiation Protocol (SIP). The employees use SIP phones in the company. The SIP server is connected to a node outside the firewall.

Because SIP signalling carries IP addresses and negotiates the dynamic media (RTP) ports inside its messages, the firewall should enable the SIP ALG; otherwise the firewall policy can cause call setup failures, one-way audio, or other problems.

II. Network Topology

III. Configuration Tips

1.       Basic configuration for Internet access

2.       Configure a VoIP policy.

3.       Move policies. (Optional)

4.       Configure SIP ports. (Optional)

IV. Configuration Steps

1.       Basic configuration for Internet access

See section 1.1 "Internet Access via a Single Line" in Chapter 1 "Typical Functions of Routing Mode".

2.       Configure a VoIP policy.

1)       Define the address object.

Choose Firewall > Address > Address.

2)       Define a VoIP policy.

Choose Firewall > Policy > Policy.

Enable the UTM function, tick Enable VoIP, and choose the default VoIP profile.

3.       Move policies. (Optional)

Move the VoIP policy to an appropriate position in the policy list so that it is matched before any broader policy that would otherwise handle the SIP traffic.

4.       Configure SIP ports. (Optional)

In most SIP deployments, TCP or UDP port 5060 is used for SIP sessions and port 5061 is used for SIP over TLS (SSL) sessions. If the SIP network uses other ports, run the following commands so that the SIP ALG intercepts SIP on those TCP, UDP, or SSL ports instead. For example, to use TCP port 5064, UDP port 5065, and SSL port 5066:

           RG-WALL # config system settings

           RG-WALL (settings) # set sip-tcp-port 5064

           RG-WALL (settings) # set sip-udp-port 5065

           RG-WALL (settings) # set sip-ssl-port 5066

           RG-WALL (settings) # end

The SIP ALG can also intercept SIP sessions on two different TCP ports and two different UDP ports. For example, if ports 5060 and 5064 receive SIP TCP traffic while ports 5061 and 5065 receive SIP UDP traffic, run the following commands so that all of these ports are inspected:

           RG-WALL # config system settings

           RG-WALL (settings) # set sip-tcp-port 5060 5064

           RG-WALL (settings) # set sip-udp-port 5061 5065

           RG-WALL (settings) # end

V. Verification

Use a SIP phone for testing.

VI. Notes

Q: Why enable the VoIP UTM function?

A: The Session Helper of the system supports some VoIP ALG functions, but they are basic and only suit simple scenarios. As VoIP deployments have become more complex, VoIP profiles are used instead.

The VoIP ALG feature is found under the UTM function, which provides a well-developed ALG and security protection for VoIP.

 

1.6.2    VoIP Destination Address Mapping

I. Networking Requirements

A company uses a SIP-based voice system. The employees use SIP phones in the company. The SIP server (intranet address 192.168.1.2) is located in the server zone of the firewall and is reached from outside at the public address 100.1.1.2, that is, the public address 100.1.1.2 must be mapped to the intranet address 192.168.1.2.

Because SIP signalling carries IP addresses and negotiates the dynamic media (RTP) ports inside its messages, the firewall should enable the SIP ALG, which also rewrites the embedded addresses that the virtual IP translates; otherwise the firewall policy can cause call setup failures, one-way audio, or other problems.

II. Network Topology

III. Configuration Tips

1.       Basic configuration for Internet access

2.       Configure a VoIP policy.

3.       Move policies. (Optional)

4.       Configure SIP ports. (Optional)

IV. Configuration Steps

1.       Basic configuration for Internet access

See section 1.1 "Internet Access via a Single Line" in Chapter 1 "Typical Functions of Routing Mode".

2.       Configure a VoIP policy.

1)     Define a virtual IP address.

Choose Firewall> Virtual IP > Virtual IP.

2)     Define a VoIP policy.

Choose Firewall> Policy > Policy.

Enable the UTM function, tick Enable VoIP, and choose default.

3)     Configure SIP ports. (Optional)

In most SIP deployments, TCP or UDP port 5060 is used for SIP sessions and port 5061 for SIP over SSL sessions. If the SIP network uses other ports, run the following commands so that SIP ALG intercepts those TCP, UDP, or SSL ports instead. For example, to use TCP port 5064, UDP port 5065, and SSL port 5066:

         RG-WALL # config system settings
         RG-WALL (settings) # set sip-tcp-port 5064
         RG-WALL (settings) # set sip-udp-port 5065
         RG-WALL (settings) # set sip-ssl-port 5066
         RG-WALL (settings) # end

SIP ALG can also be set to intercept SIP sessions on two different TCP ports and two different UDP ports. For example, if ports 5060 and 5064 receive SIP TCP traffic and ports 5061 and 5065 receive SIP UDP traffic, run the following commands so that all four ports receive SIP traffic:

          RG-WALL # config system settings
          RG-WALL (settings) # set sip-tcp-port 5060 5064
          RG-WALL (settings) # set sip-udp-port 5061 5065
          RG-WALL (settings) # end

V. Verification

Use a SIP phone for testing.

1.7     Configuring VPN

1.7.1    IPSec VPN (Point-to-Point)

1.7.1.1    Interface Mode

Networking Requirements

As shown in the figure, two LANs are connected via VPN so that the two network segments (192.168.0.0/24 and 192.168.1.0/24) can communicate with each other.

Network Topology

Configuration Tips

1. Configure NGFW1

1.      Perform basic configurations of Internet access

2.       Configure IKE Phase 1

3.      Configure IKE Phase 2

4.      Configure the routes

5.      Configure the policies

       

2. Configure NGFW2

1.       Perform basic configurations of Internet access

2.       Configure IKE Phase 1

3.       Configure IKE Phase 2

4.       Configure the routes

5.       Configure the policies

 

*      To delete Phases 1 and 2 of IPsec VPN, you need to delete the route or firewall security policy that references them first.

 

Configuration Steps

1. Configure NGFW1

1.      Perform basic configurations of Internet access

For details about the configuration procedure, refer to the section “Configuring Routing Mode” > “Configuring Internet Access via a Single Line” > “Configuring Internet Access via a Static Link”.

2.       Configure IKE Phase 1

Choose the VPN > IPsec > Auto Key (IKE) menu, and click Create Phase 1.

Configure the related parameters of Phase 1, as shown below.

Name: Set it to VPN. In interface mode, this is also the name of the VPN interface.

Remote Gateway: Set it to Static IP Address.

IP Address: The IP address of the extranet interface of the peer firewall, 200.1.1.2.

Local Interface: The interface via which the firewall builds the VPN connection with the peer device, usually an extranet interface.

Authentication Method: Set it to Pre-shared Key.

Pre-shared Key: It must be the same at both ends.

Enable IPsec Interface Mode: Ticked.

Other parameters keep their default values. For details about the parameters, refer to section “Parameters of Phase 1”.

3.       Configure IKE Phase 2

Choose the VPN > IPsec > Auto Key (IKE) menu, and click Create Phase 2.

Configure the basic parameters of Phase 2.

Name: The name of Phase 2; here it is set to vpn2.

Phase 1: The Phase 1 entry this Phase 2 is associated with; here it is set to vpn1.

Click Advanced, and the advanced parameter options pop up.

Tick Autokey Keep Alive, and keep the other parameters at their default values.

4.      Configure the VPN route

Choose the Route > Static > Static Route menu, and click Create New.

Add the VPN static route to the network segment protected by the peer as follows:

Destination IP/Mask: The subnet protected by the peer firewall; here it is set to 192.168.1.0.

Device: The interface generated by the VPN; here it is set to vpn1.

5.      Configure the policies

Choose the Firewall > Policy > Policy menu, and click Create New.

Create two policies as shown below. Through these policies the system controls access between the two subnets and applies NAT and UTM protection.

Policy 1: Allow the local 192.168.0.0 network segment to access the peer 192.168.1.0 network segment.

Policy 2: Allow the peer 192.168.1.0 network segment to access the local 192.168.0.0 network segment.

2. Configure NGFW2

1.      Perform basic configurations of Internet access

For details about the configuration procedure, refer to the section “Configuring Routing Mode” > “Configuring Internet Access via a Single Line” > “Configuring Internet Access via a Static Link”.

2.       Configure IKE Phase 1

Choose the VPN > IPsec > Auto Key (IKE) menu, and click Create Phase 1.

Configure the related parameters of Phase 1.

Name: Set it to VPN. In interface mode, this is also the name of the VPN interface.

Remote Gateway: Set it to Static IP Address.

IP Address: The IP address of the extranet interface of the peer firewall, 100.1.1.2.

Local Interface: The interface via which the firewall builds the VPN connection with the peer device; here it is set to wan1.

Authentication Method: Set it to Pre-shared Key.

Pre-shared Key: It must be the same at both ends.

Enable IPsec Interface Mode: Ticked.

Other parameters keep their default values. For details about the parameters, refer to section “Parameters of Phase 1”.

3.       Configure IKE Phase 2

Choose the VPN > IPsec > Auto Key (IKE) menu, and click Create Phase 2.

Configure the basic parameters of Phase 2.

Name: The name of Phase 2; here it is set to vpn2.

Phase 1: The Phase 1 entry this Phase 2 is associated with; here it is set to vpn.

Click Advanced, and the advanced parameter options pop up.

Tick Autokey Keep Alive, and keep the other parameters at their default values.

4.      Configure the VPN routes

Choose the Route > Static > Static Route menu, and click Create New.

Add the VPN route to the network segment protected by the peer as shown below:

Destination IP/Mask: The subnet protected by the peer firewall; here it is set to 192.168.1.0/24.

Device: The interface generated by the VPN; here it is set to vpn.

5.      Configure the policies

Choose the Firewall > Policy > Policy menu, and click Create New.

Create two policies as shown below. Through these policies the system controls access between the two subnets and applies NAT and UTM protection.

Policy 1: Allow the local 192.168.1.0 network segment to access the peer 192.168.0.0 network segment.

Policy 2: Allow the peer 192.168.0.0 network segment to access the local 192.168.1.0 network segment.

 

1.7.1.2    Troubleshooting

Common Negotiation Failures:

1.       Inconsistency of pre-shared key;

2.       Inconsistency of encryption algorithm and authentication algorithm parameters;

3.       Mismatch of quick selector at two ends in Phase 2;

4.       Errors of policy configurations or sequence.

 

Troubleshooting Commands:

RG-WALL # diagnose debug enable
RG-WALL # diagnose debug application ike -1

If multiple gateways are available, filter by gateway so that only the IKE negotiation of interest is shown:

diagnose vpn ike log-filter dst-addr4 <IP address of peer gateway>
diagnose vpn ike log-filter src-addr4 <IP address of local gateway>
diagnose vpn ike log-filter dst-port <peer port of IKE negotiation, for example, 500>
diagnose vpn ike log-filter src-port <local port of IKE negotiation, for example, 500>

 

Analysis of Common Faults:

1.      Inconsistency of encryption and authentication algorithms: In Phase 1, the authentication or encryption algorithms differ. Check that the authentication and encryption algorithms configured for the IPsec setup on the two ends are consistent.

Results of packet capture:

Troubleshooting position: Check whether the encryption and authentication algorithms in the red frame below match at the two ends.

2.      Inconsistency of DH algorithm: The DH groups at the two ends are not consistent.

Results of packet capture:

Troubleshooting position: Check whether the DH Group in the red frame below is consistent at the two ends.

(Common DH groups seen in packet captures: DH group 1 (768-bit), DH group 2 (1024-bit), and DH group 5 (1536-bit))

3.      Inconsistency of pre-shared key

Results of packet capture:

ike 0:mobile:5140: responder: main mode get 3rd message...
ike 0:mobile:5140: dec A5BF9FFD3412F8CD24C7C54635FA869705100201000000000000005CF50FA936BEFB6D99E76CD6FAA679D77858160C306FE83B03F7DB8CFB680BB864AB42391BA3C5A5ADCDFB2D6CF1CEEC0A6AC0BAC12DFEABEC25E534580E6EFF32
ike 0:mobile:5140: probable pre-shared secret mismatch

Troubleshooting position: Check the position in the red frame below.

Normal packet capture results of pre-shared key:

ike 0:mobile:5122: responder: main mode get 3rd message...
ike 0:mobile:5122: dec 0AB1AD6CF994A06023E867B8EBB63F4505100201000000000000005C0800000C01000000C0A8FE020B000018608B589D57388681EC1286989FB775C88FEB66D20000001C00000001011060020AB1AD6CF994A06023E867B8EBB63F45
ike 0:mobile:5122: received notify type 24578
ike 0:mobile:5122: PSK authentication succeeded
ike 0:mobile:5122: authentication OK

 

4.      Normal negotiation prompts of Phase 1

ike 0:0ab1ad6cf994a060/0000000000000000:5122: negotiation result
ike 0:0ab1ad6cf994a060/0000000000000000:5122: proposal id = 1:
ike 0:0ab1ad6cf994a060/0000000000000000:5122:   protocol id = ISAKMP:
ike 0:0ab1ad6cf994a060/0000000000000000:5122:      trans_id = KEY_IKE.
ike 0:0ab1ad6cf994a060/0000000000000000:5122:      encapsulation = IKE/none
ike 0:0ab1ad6cf994a060/0000000000000000:5122:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:0ab1ad6cf994a060/0000000000000000:5122:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:0ab1ad6cf994a060/0000000000000000:5122:         type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:0ab1ad6cf994a060/0000000000000000:5122:         type=OAKLEY_GROUP, val=1536.
ike 0:0ab1ad6cf994a060/0000000000000000:5122: ISAKMP SA lifetime=28800
ike 0:0ab1ad6cf994a060/0000000000000000:5122: SA proposal chosen, matched gateway mobile

5.      Mismatch of quick mode selector in Phase 2

Results of packet capture:

Troubleshooting position: Check whether the network segment settings in the red frame below match at the two ends.
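Reading the "diagnose debug application ike -1" output by eye gets tedious when several negotiations interleave. The following added example (not part of the cookbook or of the RG-WALL software) groups the debug lines by negotiation id, extracts the PSK outcome and the chosen Phase 1 proposal, and compares them against the settings expected on the local end; the sample log and the `expected` dictionary are constructed, and the DH group mapping is the one given in the DH troubleshooting item above.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the "diagnose debug application ike -1"
# output above: one exchange that fails PSK authentication and one that succeeds.
SAMPLE_IKE_LOG = """\
ike 0:mobile:5140: responder: main mode get 3rd message...
ike 0:mobile:5140: probable pre-shared secret mismatch
ike 0:mobile:5122: responder: main mode get 3rd message...
ike 0:mobile:5122: received notify type 24578
ike 0:mobile:5122: PSK authentication succeeded
ike 0:mobile:5122: authentication OK
ike 0:0ab1ad6cf994a060/0000000000000000:5122: negotiation result
ike 0:0ab1ad6cf994a060/0000000000000000:5122: proposal id = 1:
ike 0:0ab1ad6cf994a060/0000000000000000:5122:   protocol id = ISAKMP:
ike 0:0ab1ad6cf994a060/0000000000000000:5122:      trans_id = KEY_IKE.
ike 0:0ab1ad6cf994a060/0000000000000000:5122:        type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:0ab1ad6cf994a060/0000000000000000:5122:        type=OAKLEY_HASH_ALG, val=SHA.
ike 0:0ab1ad6cf994a060/0000000000000000:5122:        type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:0ab1ad6cf994a060/0000000000000000:5122:        type=OAKLEY_GROUP, val=1536.
ike 0:0ab1ad6cf994a060/0000000000000000:5122: ISAKMP SA lifetime=28800
ike 0:0ab1ad6cf994a060/0000000000000000:5122: SA proposal chosen, matched gateway mobile
"""

# Line shape: "ike 0:<gateway name or ISAKMP cookies>:<negotiation id>: <message>"
LINE_RE = re.compile(r"^ike\s*0:(?P<ctx>[^:]+):(?P<nid>\d+):\s*(?P<msg>.*?)\s*$")
ATTR_RE = re.compile(r"type=(?P<key>[A-Z_]+),\s*val=(?P<val>[A-Za-z0-9_]+)")
LIFETIME_RE = re.compile(r"ISAKMP SA lifetime=(?P<sec>\d+)")

# DH group sizes as printed in the debug output, mapped to group numbers
# (the mapping given in the DH troubleshooting item above).
DH_GROUP_BY_BITS = {"768": 1, "1024": 2, "1536": 5}


def parse_ike_debug(text):
    """Group debug lines by negotiation id and keep what Phase 1 troubleshooting
    needs: the PSK outcome, the chosen proposal attributes and the SA lifetime."""
    sessions = defaultdict(lambda: {"status": "unknown", "proposal": {}, "lifetime": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated debug noise is tolerated
        s, msg = sessions[m.group("nid")], m.group("msg")
        if "probable pre-shared secret mismatch" in msg:
            s["status"] = "psk_mismatch"
        elif "PSK authentication succeeded" in msg or msg.startswith("authentication OK"):
            s["status"] = "authenticated"
        a = ATTR_RE.search(msg)
        if a:
            s["proposal"][a.group("key")] = a.group("val")
        lt = LIFETIME_RE.search(msg)
        if lt:
            s["lifetime"] = int(lt.group("sec"))
    return dict(sessions)


def check_phase1(session, expected):
    """Compare one negotiation against the Phase 1 settings expected on our side.
    expected = {"encrypt": "AES_CBC", "hash": "SHA", "dh_group": 5, "lifetime": 28800}
    Returns a list of findings; an empty list means nothing to fix."""
    findings = []
    p = session["proposal"]
    if session["status"] == "psk_mismatch":
        findings.append("pre-shared key differs between the two ends")
    if "OAKLEY_ENCRYPT_ALG" in p and p["OAKLEY_ENCRYPT_ALG"] != expected["encrypt"]:
        findings.append(f"encryption {p['OAKLEY_ENCRYPT_ALG']} != expected {expected['encrypt']}")
    if "OAKLEY_HASH_ALG" in p and p["OAKLEY_HASH_ALG"] != expected["hash"]:
        findings.append(f"hash {p['OAKLEY_HASH_ALG']} != expected {expected['hash']}")
    if "OAKLEY_GROUP" in p:
        bits = p["OAKLEY_GROUP"]
        group = DH_GROUP_BY_BITS.get(bits)
        if group != expected["dh_group"]:
            findings.append(f"DH group {group} ({bits}-bit) != expected group {expected['dh_group']}")
    if session["lifetime"] is not None and session["lifetime"] != expected["lifetime"]:
        findings.append(f"SA lifetime {session['lifetime']} != expected {expected['lifetime']}")
    return findings


if __name__ == "__main__":
    expected = {"encrypt": "AES_CBC", "hash": "SHA", "dh_group": 5, "lifetime": 28800}
    for nid, sess in parse_ike_debug(SAMPLE_IKE_LOG).items():
        print(nid, sess["status"], check_phase1(sess, expected) or "OK")
```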

Other common commands

1)      If multiple gateways are available, filter by gateway so that only the IKE negotiation of interest is shown:

diagnose vpn ike log-filter dst-addr4 <IP address of peer gateway>
diagnose vpn ike log-filter src-addr4 <IP address of local gateway>
diagnose vpn ike log-filter dst-port <peer port of IKE negotiation, for example, 500>
diagnose vpn ike log-filter src-port <local port of IKE negotiation, for example, 500>

2)       View the VPN tunnels: diagnose vpn tunnel list

RG-WALL # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=mobile_0 ver=1 serial=4 192.168.118.25:4500->192.168.118.151:10954 lgwy=static tun=intf mode=dial_inst bound_if=5
parent=mobile index=0
proxyid_num=1 child_num=0 refcnt=7 ilast=3 olast=3
stat: rxp=10 txp=0 rxb=1280 txb=0
dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=22
natt: mode=silent draft=32 interval=10 remote_port=10954
proxyid=mobile proto=0 sa=1 ref=2 auto_negotiate=0 serial=1
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:10.0.0.10-10.0.0.10:0
  SA: ref=4 options=00000006 type=00 soft=0 mtu=1280 expire=1671 replaywin=1024 seqno=1
  life: type=01 bytes=0/0 timeout=1790/1800
  dec: spi=b2ad0f87 esp=aes key=16 046a1e666f7ae7b2aaf6197a13ea5818
       ah=sha1 key=20 6f607decd4416c203911070d960cd5f26e2061bf
  enc: spi=dfe610a1 esp=aes key=16 453e333a15416cfdb6ab95d324fa3ffe
       ah=sha1 key=20 2a2d1cee5da51a1503ddb18599a265d5dce51e5a
  dec:pkts/bytes=10/608, enc:pkts/bytes=0/0
  npu_flag=02 npu_rgwy=192.168.118.151 npu_lgwy=192.168.118.25 npu_selid=2
------------------------------------------------------
name=mobile ver=1 serial=1 192.168.118.25:0->0.0.0.0:0 lgwy=static tun=intf mode=dialup bound_if=5
proxyid_num=0 child_num=1 refcnt=5 ilast=29 olast=29
stat: rxp=0 txp=0 rxb=0 txb=0

1.7.2    IPSec VPN (Dial-up)

 

1.7.2.1    HUB-SPOKE Mode

Networking Requirements

As shown in the figure, the headquarters of a company has an internal OA server, and the company's three branch offices need to log in to the headquarters' intranet by VPN dial-up before accessing the OA server. To simplify configuration, the headquarters wants to build only one VPN tunnel that carries the communication between all branch offices and the headquarters.

 

Network Topology

Configuration Tips

1. Configure NGFW-1

1.       Perform basic configurations of Internet access;

2.       Configure IKE Phase 1;

3.       Configure IKE Phase 2;

4.       Configure the IPsec policy;

5.       Configure the route.

2. Configure NGFW-2

1.       Perform basic configurations of Internet access;

2.       Configure IKE Phase 1;

3.       Configure IKE Phase 2;

4.       Configure the route;

5.       Configure the IPsec policy.

3. Configure other spoke node devices.

 

*      To delete Phases 1 and 2 of IPsec VPN, you need to delete the route or firewall security policy that references them first.

 

Configuration Steps

 

1.       Configure NGFW-1

1)     Perform basic configurations of Internet access

For details about the configuration procedure, refer to the section “Configuring Routing Mode” > “Internet Access via a Single Line” > “Configuring Internet Access via a Static Link”.

2)       Configure IKE Phase 1

Choose the VPN > IPsec > Auto Key (IKE) menu, and click Create Phase 1.

Configure the related parameters of Phase 1.

Name: Set it to dialvpn. In interface mode, this is also the name of the VPN interface.

Remote Gateway: Dialup user; the branch offices dial in to this gateway.

Local Interface: The interface via which the firewall builds the VPN connection with the peer device, usually an extranet interface. Here it is set to wan1.

Authentication Method: Set it to Pre-shared Key.

Pre-shared Key: It must be the same at both ends.

Enable IPsec Interface Mode: Ticked.

Other parameters keep their default values. For details about the parameters, refer to section “Parameters of Phase 1”.

3)       Configure IKE Phase 2

Choose the VPN > IPsec > Auto Key (IKE) menu, and click Create Phase 2.

Configure the basic parameters of Phase 2.

Name: The name of Phase 2; here it is set to dialvpn2.

Phase 1: The Phase 1 entry this Phase 2 is associated with; here it is set to dialvpn.

Click Advanced, and the advanced parameter options pop up.

Tick Autokey Keep Alive, and keep the other parameters at their default values.

Quick Mode Selector: Both the source address and the destination address keep their default values 0.0.0.0 0.0.0.0.

4)       Configure the IPsec policy

Choose the Firewall > Policy > Policy menu, and click Create New.

Add an IPsec policy as shown below, allowing the external users in 192.168.0.0/16 to access the network segment 192.168.0.0/24.

Source Interface/Zone: Select the new dialup VPN interface dialvpn.

5)       Configure the route

On the hub-end firewall you do not need to configure a route to each branch office; the system generates these routes automatically.

2.       Configure NGFW-2

1)     Perform basic configurations of Internet access

For details about the configuration procedure, refer to the section “Configuring Routing Mode” > “Internet Access via a Single Line” > “Configuring Internet Access via a Static Link”.

2)       Configure IKE Phase 1

Choose the VPN > IPsec > Auto Key (IKE) menu, and click Create Phase 1.

Configure the related parameters of Phase 1.

Name: Set it to VPN. In interface mode, this is also the name of the VPN interface.

Remote Gateway: Set it to Static IP Address.

IP Address: The IP address of the extranet interface of the peer firewall, 100.1.1.2.

Local Interface: The interface via which the firewall builds the VPN connection with the peer device; here it is set to wan1.

Authentication Method: Set it to Pre-shared Key.

Pre-shared Key: It must be the same at both ends.

Enable IPsec Interface Mode: Ticked.

Other parameters keep their default values. For details about the parameters, refer to section “Parameters of Phase 1”.

3)       Configure IKE Phase 2

Choose the VPN > IPsec > Auto Key (IKE) menu, and click Create Phase 2.

Configure the basic parameters of Phase 2.

Name: The name of Phase 2; here it is set to vpn2.

Phase 1: The Phase 1 entry this Phase 2 is associated with; here it is set to vpn.

Click Advanced, and the advanced parameter options pop up.

Tick Autokey Keep Alive, and keep the other parameters at their default values.

Source Address: The locally protected subnet.

Destination Address: The network segment accessed via the VPN.


4)       Configure the route

Choose the Route > Static > Static Route menu, and click Create New.

Add the VPN route to the network segment protected by the peer as follows:

Destination IP/Mask: The subnet protected by the peer firewall; here it is set to 192.168.1.0/16.

Device: The interface generated by the VPN; here it is set to vpn.

*      The destination IP address mask of the static route can be 16 or 24 bits. In this scenario, with a 16-bit mask the branch offices can communicate with each other; with a 24-bit mask the branch offices can reach only network segment 0 of the headquarters.

5)       Configure the IPsec policy

Choose the Firewall > Policy > Policy menu, and click Create New.

Create a security policy as follows:

Source Address: 192.168.1.0/24, the local segment allowed to access other network segments.

Destination Address: Either 192.168.0.0/16 or 192.168.0.0/24. With 192.168.0.0/24, the user is allowed to access only the network segment protected by NGFW1, not the network segments of other branch offices, for example, 192.168.2.0/24.

3.       Configure other spoke node devices.

Following the configuration of NGFW2, adjust the related parameters to the local private network segment.

When editing Phase 2 of IPsec, modify the Source Address of the quick mode selector. For example, the related configurations of NGFW3 are as follows:

 

1.7.3    L2TP/PPTP

Overview

The PPTP VPN allows a PC client or mobileclient to dial up.

Networking Requirements

As shown in the figure, a company has an internal OA server, and to access it, employees outside the company first need to log in to the intranet via PPTP VPN.

The configurations of L2TP VPN are the sameas those of PPTP VPN.

Network Topology

 

Configuration Tips

1.      Perform basic configurations of Internet access;

2.      Configure the users;

3.      Perform PPTP/L2TP configurations for the NGFW;

4.      Define the policy;

5.      Configure the PC client;

6.      If PPTP dialup succeeds, no DNS server is issued to the client; if L2TP dialup succeeds, the DNS server of the firewall system is issued.

 

Configuration Steps

Step 1. Perform basic configurations ofInternet access

For details about the configuration procedure, refer to the section “Configuring Routing Mode” > “Internet Access via a Single Line” or “Internet Access via Multiple Links”.

Step 2. Configure the users

1)       Define the users

Choose the User > User > User menu, and click Create New.

Add the user name user1 with the password 11111111.

2)       Define the user group

Choose the User > User Group > User Group menu, and click Create New.

Add the user group vpn, and add the user user1 to the user group.

 

Step 3. Perform PPTP/L2TP VPNconfigurations for the NGFW (on the CLI)

RG-WALL # config vpn pptp                  // For L2TP, use "config vpn l2tp"; the PPTP and L2TP configurations are the same, so PPTP is taken as the example.
RG-WALL (pptp) # set status enable         // Enable the VPN function
RG-WALL (pptp) # set eip 192.168.1.220     // End of the IP address range allocated to clients
RG-WALL (pptp) # set sip 192.168.1.210     // Start of the IP address range allocated to clients
RG-WALL (pptp) # set usrgrp vpn            // Invoke the VPN user group
RG-WALL (pptp) # end

*      The address range allocated to VPN users can be a segment of intranet addresses or an independent network segment.

 

Step 4. Define the policy

1)       Configure an address object

 

2)       Create the policy

Choose the Firewall > Policy> Policy menu, and click Create New.

The policy is configured as shown below:

Source interface/zone: wan1, the extranet interface.

Source address: Select the previously created pptppool.

Destination Interface/Zone: Select internal.

Destination Address: Enter 192.168.1.10/32.

Service: Select ALL.

Other parameters: Select the defaultsettings.

 

Verification

Note: If the VPN is not established successfully, run the diagnosis commands below:

dia debug enable
dia deb app ppp -1

For example, if the entered user name or password is incorrect, the system displays the following prompt:

Should you have any query, collect the related information and then call the technical support hotline (400-111-000) for help.

 

1.8     WAN Optimization

1.8.1    Standalone Mode

I. Networking Requirements

Configure basic functions for Internet access and enable Web cache.

II. Network Topology

Assume that the ISP assigns the following addresses:

Network segment: 202.1.1.8/29; IP address: 202.1.1.10; gateway address: 202.1.1.9; DNS: 202.106.196.115.

III. Configuration Tips

1.       Basic Configuration for Internet Access (Omitted. See section 1.1 "Internet Access via a Single Line" in Chapter 1 "Typical Functions of Routing Mode".)

a.       Configure an interface.

b.       Configure a static routing table.

c.       Set the address object to InternalIP and the address to 192.168.1.0/24.

d.       Configure the policy from LAN to wan1, and enable NAT.

2.       Enable Web cache.

3.       Configure Web cache parameters.

IV. Configuration Steps

1.       Basic Configuration for Internet Access (Omitted. See section 1.1 "Internet Access via a Single Line" in Chapter 1 "Typical Functions of Routing Mode".)

a)       Configure an interface.

b)       Configure a static routing table.

c)       Set the address object to InternalIP and the address to 192.168.1.0/24.

d)       Configure the policy from LAN to wan1, and enable NAT.

For some low-end models, the system configures a NAT policy from internal to wan1 by default.

In the New Policy window, create a policy as follows:

Source Interface/Zone: Choose lan.

Source address: Choose InternalIP.

Destination Interface/Zone: Choose wan1.

Destination address: Choose all, which indicates all addresses.

Service: Choose ALL.

NAT: Tick Enable NAT. The system automatically translates intranet (lan) source addresses to the wan1 interface address 202.1.1.10 for Internet access.

Click Enable Web cache.

Click OK. The system automatically saves the configuration and the policy takes effect.

2.       Configure Web cache parameters.

Choose WAN Opt. & Cache > Cache > Settings. The default settings are generally used.

Always Revalidate:

Max Cache Object Size: The maximum size of a cached object, 512 MB by default. Larger files are sent directly to clients without being cached.

Negative Response Duration: Whether error responses returned by the server are cached, and for how long. The default value is 0.

Fresh Factor: Sets how often the firewall checks whether a cached object needs updating. At 100%, the cache is checked once before expiration (TTL timeout); at 20%, it is checked five times.

Max TTL: The maximum time a cached object stays alive when expiration is not checked.

Min TTL: The minimum time a cached object stays alive before expiration is checked.

Default TTL: The default time a cached object stays alive.

Ignore: Indicates that caches are ignored.

V. Verification

RGFW # diagnose wacs stats
Disk 0 /var/storage/FLASH1-68B85ACE134E6A3A/wa_cs
        Current number of open connections: 2
        Number of terminated connections: 21
        Number of requests -- Adds: 6547 (0 repetitive keys), Lookups: 12780, Conflict incidents: 0
        Percentage of missed lookups: 96.39
        Communication is blocked for 0 client(s)
        wa_cs disk space: 4278 MB
        Disk usage: 93861 KB (2%)           // Space occupied by caches

1.9     Load Balancing

1.9.1    HTTP Traffic-based Server Load Balancing

I. Networking Requirements

As shown in the following figure, the company has two Web servers. Load balancing is configured on the firewall and distributes the Web service load to the servers 192.168.1.1 and 192.168.1.2.

II. Network Topology

III. Configuration Tips

1.       Basic configuration for Internet access

2.       Configure the load balancing server.

a)       Configure health check.

b)       Configure the load balancing server.

c)       Configure a real server.

d)       Configure a safety policy.

IV. Configuration Steps

1.       Basic configuration for Internet access

For the detailed configuration process, see section 1.1.2 "Configuring Internet Access via a Static Link" under section 1.1 "Internet Access via a Single Line" in Chapter 1 "Typical Functions of Routing Mode".

The IP addresses of the interfaces are as follows:

The routing configuration is as follows:

2.       Configure the load balancing server.

(1)    Configure health check.

Choose Firewall > Load Balance > Health Check Monitor. Set the health check methods used to check the health of the real servers. The following takes TCP as an example.

Name: Enter tcp80. This item is user-defined.

Type: TCP, HTTP, and PING are supported. Tick TCP to check service port 80, HTTP to check whether the HTTP service process is normal and Web pages can be accessed, or PING to check whether the host is online.

Interval: Enter 10, which means a check every 10 seconds.

Timeout: Enter 2. If no response is received from the server within 2 seconds, the server is considered abnormal.

Retry: If the server still gives no response after three consecutive retries, it is considered out of service and no load is assigned to it.

(2)    Configure the load balancing server.

Choose Firewall > Load Balance > Virtual Server, and then click Create New to create a virtual server, as shown in the following figure.

Name: Enter httpserver. This item is user-defined.

Type: HTTP, TCP, UDP, and IP are supported. HTTP is chosen in this example. For a DNS server, choose UDP.

Interface: Choose wan1. This is the interface on which the virtual server is reached from outside.

Virtual Server IP: The IP address on which the server provides external services.

Load Balance Method: Static, Round-Robin, Weighted, First Alive, Least RTT, Least-conn, and HTTP Host are supported. For the differences between these methods, see the Firewall Configuration Guide.

Persistence: Choose http cookie.

HTTP Multiplexing: Optional. Multiple connections requested by a client can be merged into one connection to reduce the server load.

SSL: Indicates load balancing for the HTTPS service.

Certificate: The certificate used by the HTTP proxy.

Health Check: Select tcp80.

(3)    Configure a real server.

Choose Firewall > Load Balance > Real Server, and then click Create New to create two real servers, as shown in the following figure.

Virtual Server: Choose httpserver, the virtual server for which the real server is configured.

IP Address: The IP address of the real server.

Port: The HTTP service port of the real server, which may differ from the port of the virtual server.

Weight: Disabled in this example. If the load balance method is Weighted, specify the ratio, such as 10:10.

Max Connections: The value 0 means no restriction.

Mode: Choose Active. Three options are available: active, inactive, and standby.

(4)    Configure a safety policy.

Choose Firewall > Policy > Policy, and then click Create New.

In the New Policy window, create a policy as follows:

Click Multiple next to Destination address, and choose the two virtual IP addresses that have been defined.

Source Interface/Zone: Choose wan1.

Source address: Choose all.

Destination Interface/Zone: Choose internal.

Destination address: Choose httpserver.

Service: Choose HTTP.

Note: Virtual IP addresses defined with versions earlier than P4 cannot be referenced on the Web page but can be referenced from the command line. Choose the interface defined for the virtual server as the source interface, and run the following commands:

V. Verification

Access http://192.168.118.122 from an external address.

Common Diagnosis Commands:

1.       Check the status of a real server.

    RG-WALL # diagnose firewall vip realserver list
alloc=4
------------------------------
vf=0 name=httpserver/1 type=3 192.168.118.122:(80-80), protocol=6
total=2 alive=2 power=2 ptr=197676
ip=192.168.1.1-192.168.1.1:80 adm_status=0 holddown_interval=300 max_connections
=0 weight=1 option=01
alive=1 total=1 enable=00000001 alive=00000001 power=1
src_sz=0
id=0 status=up ks=12 us=0 events=1 bytes=2078892 rtt=0
ip=192.168.1.2-192.168.1.2:80 adm_status=0 holddown_interval=300 max_connections
=0 weight=1 option=01
alive=1 total=1 enable=00000001 alive=00000001 power=1
src_sz=0
id=0 status=up ks=9 us=0 events=1 bytes=50450 rtt=0
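When the real-server list is polled regularly (for example from a monitoring job), the interesting change is a member dropping out of the pool. The following added example (not part of the cookbook or of the RG-WALL software) parses output in the format shown above, re-joining the wrapped `max_connections` line, and reports any virtual server with fewer live members than configured or any member whose status is not up; the sample output is constructed, with the second real server marked down so there is something to report.

```python
import re

# Constructed sample in the format of the "diagnose firewall vip realserver list"
# output above; the second real server is marked down here so the check has
# something to report.
SAMPLE_REALSERVER_LIST = """\
alloc=4
------------------------------
vf=0 name=httpserver/1 type=3 192.168.118.122:(80-80), protocol=6
total=2 alive=1 power=1 ptr=197676
ip=192.168.1.1-192.168.1.1:80 adm_status=0 holddown_interval=300 max_connections
=0 weight=1 option=01
alive=1 total=1 enable=00000001 alive=00000001 power=1
src_sz=0
id=0 status=up ks=12 us=0 events=1 bytes=2078892 rtt=0
ip=192.168.1.2-192.168.1.2:80 adm_status=0 holddown_interval=300 max_connections
=0 weight=1 option=01
alive=0 total=1 enable=00000001 alive=00000000 power=0
src_sz=0
id=0 status=down ks=0 us=0 events=3 bytes=0 rtt=0
"""

VIP_RE = re.compile(
    r"^vf=\d+ name=(?P<name>\S+) type=\d+ (?P<addr>[\d.]+):\((?P<ports>[\d-]+)\),\s*protocol=(?P<proto>\d+)")
VIP_TOTALS_RE = re.compile(r"^total=(?P<total>\d+) alive=(?P<alive>\d+)")
RS_RE = re.compile(r"^ip=(?P<ip>[\d.]+)-[\d.]+:(?P<port>\d+) .*\bweight=(?P<weight>\d+)")
RS_STATUS_RE = re.compile(r"^id=\d+ status=(?P<status>\w+) ks=(?P<ks>\d+) .*\bbytes=(?P<bytes>\d+)")


def parse_realserver_list(text):
    """Return one dict per virtual server with its configured/alive counts and
    the per-real-server health fields (ip, port, weight, status, ks, bytes)."""
    # The CLI wraps long lines; a continuation starting with "=" belongs to the
    # previous line (here "max_connections" / "=0"), so re-join before parsing.
    lines = []
    for raw in text.splitlines():
        if raw.startswith("=") and lines:
            lines[-1] += raw
        else:
            lines.append(raw.strip())

    vips, vip, rs = [], None, None
    for line in lines:
        m = VIP_RE.match(line)
        if m:
            vip = {"name": m.group("name"), "vip": m.group("addr"), "ports": m.group("ports"),
                   "protocol": int(m.group("proto")), "total": None, "alive": None, "servers": []}
            vips.append(vip)
            rs = None
            continue
        if vip is None:
            continue  # header such as "alloc=4" or a separator line
        m = VIP_TOTALS_RE.match(line)
        if m and rs is None:
            vip["total"], vip["alive"] = int(m.group("total")), int(m.group("alive"))
            continue
        m = RS_RE.match(line)
        if m:
            rs = {"ip": m.group("ip"), "port": int(m.group("port")), "weight": int(m.group("weight")),
                  "status": None, "ks": None, "bytes": None}
            vip["servers"].append(rs)
            continue
        m = RS_STATUS_RE.match(line)
        if m and rs is not None:
            rs["status"], rs["ks"], rs["bytes"] = m.group("status"), int(m.group("ks")), int(m.group("bytes"))
    return vips


def find_degraded(vips):
    """Findings a monitoring job would raise: a virtual server with fewer live
    members than configured, or a member whose health check is not 'up'."""
    findings = []
    for v in vips:
        if v["alive"] is not None and v["alive"] < v["total"]:
            findings.append(f"{v['name']}: {v['alive']}/{v['total']} real servers alive")
        for s in v["servers"]:
            if s["status"] != "up":
                findings.append(f"{v['name']}: {s['ip']}:{s['port']} status={s['status']}")
    return findings


if __name__ == "__main__":
    for finding in find_degraded(parse_realserver_list(SAMPLE_REALSERVER_LIST)):
        print(finding)
```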

2.       Check the status of the real servers configured for a virtual server.

RG-WALL # diagnose firewall vip virtual-server real-server
vd root/0  vs httpserver/1  addr 192.168.1.1:80 status 2/1 (process 193)
conn: max 0  active 5  attempts 1440  success 165  drop 0  fail 3
http: available 4  total 5

vd root/0  vs httpserver/1  addr 192.168.1.2:80 status 2/1 (process 193)
conn: max 0  active 1  attempts 37  success 11  drop 0  fail 2
http: available 0  total 1

3.       Collect statistics on the sessions of a virtual server.

RG-WALL # diagnose firewall vip virtual-server stats
summary
c2p_connections: now 21  max 31  total 140
embryonics: now 0  max 6  total 140
close_during_connect: 0
........


1.9.2    HTTPS Traffic-based Server Load Balancing

I. Networking Requirements

As shown in the following figure, the company has two Web servers with the domain name www.test.com, which can be accessed via HTTPS. Load balancing is configured on the firewall and distributes the Web service load to the servers 192.168.1.1 and 192.168.1.2.

II. Network Topology

III. Configuration Tips

1.       Basic configuration for Internet access

2.       Configure the load balancing server.

(1)    Configure health check.

(2)    Configure the load balancing server.

(3)    Configure a real server.

(4)    Configure a safety policy.

IV. Configuration Steps

1.       Basic configuration for Internet access

For the detailed configuration process, see section 1.1.2 "Configuring Internet Access via a Static Link" under section 1.1 "Internet Access via a Single Line" in Chapter 1 "Typical Functions of Routing Mode".

IP addresses of interfaces are as follows:

The routing configuration is as follows:

2.       Configure the load balancing server.

(1)    Configure the load balancing server.

Choose Firewall > Load Balance > Virtual Server, and then click Create New to create a virtual server, as shown in the following figure.

Name: Enter https. This item is user-defined and can be modified as required.

Type: HTTP, TCP, UDP, and IP are supported. HTTP is chosen in this example. For a DNS server, choose UDP.

Interface: Choose port15. It indicates the port where the firewall is connected to the Internet.

Virtual Server IP: Enter 192.168.118.126. It indicates the IP address on which the server provides external services.

Load Balance Method: Static, Round-Robin, Weighted, First Alive, Least RTT, Least-conn, and HTTP Host are supported.

Persistence: Choose http cookie.

HTTP Multiplexing: This item is optional. Multiple client requests can be merged onto one connection to reduce the server load.

SSL Offloading: client--RuijieGate indicates that the client and the firewall are connected via SSL, while the firewall and the server are connected in plaintext to reduce the server load.

client--RuijieGate--server indicates that the client and the firewall are connected via SSL, and the firewall and the server are also connected via SSL.

Certificate: Choose the certificate applied for the server. In this example, the website's valid certificate is named web.

Health check: This item is optional. If there is only one real server, it is set by default. (The configuration is similar to that for HTTP.)

(2)    Configure a real server.

Choose Firewall > Load Balance > Real Server, and then click Create New to create two real servers, as shown in the following figure.

Virtual Server: Choose https. It indicates the virtual server for which the real server is configured.

IP Address: The IP address of the real server.

Port: The HTTP service port of the real server, which may differ from the server port of the virtual server.

Weight: Disabled in this example. If the load balance method is set to Weighted, specify the weights, such as 10:10.

Max Connections: The value 0 indicates no restriction.

Mode: Choose Active. Three options are available: active, inactive, and standby.

(3)    Configure the second real server in the same way.

(4)    Configure a safety policy.

Choose Firewall > Policy > Policy, and then click Create New. In the New Policy window, create a policy.

Click Multiple behind Destination address, and choose the two virtual IP addresses that have been defined.

Source Interface/Zone: Choose wan1.

Source address: Choose all.

Destination Interface/Zone: Choose internal.

Destination address: Click Multiple to choose https and https 1.

Service: Choose HTTPS.

In the policy, enable the HTTP archiving function of DLP, and tick Enable SSL/SSH Inspection.
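The virtual server page lists the load balance methods and the real server page lists the active/inactive/standby modes without saying how they interact. The following Python toy scheduler is an added example, not Ruijie's implementation: it uses the generic textbook meaning of each method (round-robin, weighted, static source-IP hash, first alive, least RTT, least-conn) and assumes that standby servers are used only when no active server passes its health check and that http cookie persistence pins a known cookie to its backend while that backend stays usable. The HTTP Host method, which dispatches on the request's Host header, is left out. The third backend is constructed; the page configures only 192.168.1.1 and 192.168.1.2.

```python
"""Toy model of the load-balance methods and real-server modes of a virtual server."""
from dataclasses import dataclass


@dataclass
class Real:
    """One Real Server entry, reduced to the fields the methods depend on."""
    addr: str
    weight: int = 1          # 'Weight', used by the weighted method
    mode: str = "active"     # 'Mode': active / inactive / standby
    alive: bool = True       # current health-check verdict
    active_conns: int = 0    # used by least-conn
    rtt_ms: float = 0.0      # used by least RTT


def eligible(reals):
    """Healthy active servers; healthy standby servers only if no active one is left
    (assumed standby semantics)."""
    active = [r for r in reals if r.mode == "active" and r.alive]
    return active or [r for r in reals if r.mode == "standby" and r.alive]


class Scheduler:
    def __init__(self, method, reals):
        self.method = method
        self.reals = reals
        self.n = 0          # request counter driving the round-robin walk
        self.sticky = {}    # http cookie persistence: cookie value -> backend

    def pick(self, client_ip, cookie=None):
        """Backend address for one request, or None when nothing is alive."""
        pool = eligible(self.reals)
        if not pool:
            return None
        # persistence: a known cookie stays on its backend while that backend is usable
        if cookie in self.sticky and any(r.addr == self.sticky[cookie] for r in pool):
            return self.sticky[cookie]
        chosen = self._choose(pool, client_ip)
        if cookie is not None:
            self.sticky[cookie] = chosen
        return chosen

    def _choose(self, pool, client_ip):
        m = self.method
        if m == "first-alive":
            return pool[0].addr
        if m == "static":
            # source-IP hash: one client always lands on the same backend
            return pool[sum(int(o) for o in client_ip.split(".")) % len(pool)].addr
        if m == "least-conn":
            return min(pool, key=lambda r: r.active_conns).addr
        if m == "least-rtt":
            return min(pool, key=lambda r: r.rtt_ms).addr
        # round-robin / weighted: walk a ring in which each backend appears once
        # (round-robin) or 'weight' times (weighted, e.g. the page's 10:10)
        ring = [r.addr for r in pool for _ in range(r.weight if m == "weighted" else 1)]
        self.n += 1
        return ring[(self.n - 1) % len(ring)]


if __name__ == "__main__":
    reals = [Real("192.168.1.1:80", weight=2), Real("192.168.1.2:80"),
             Real("192.168.1.3:80", mode="standby")]   # third backend is constructed
    s = Scheduler("weighted", reals)
    print([s.pick("10.0.0.1") for _ in range(6)])      # 2:1 split between .1 and .2
    reals[0].alive = reals[1].alive = False            # both active backends fail the check
    print(s.pick("10.0.0.1"))                          # standby backend takes over
```

The model makes one operational point visible: with persistence enabled, a backend that passes the health check keeps receiving its pinned sessions even when least-conn would have preferred another one, so uneven load after a failover is expected behaviour rather than a misconfiguration.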

V. Verification

Access http://www.test.com from an external address to view logs.

 


 

Configuring Transparent Mode

1.1     Enabling Transparent Mode

Networking Requirements

Without changing the current network topology, deploy the NGFW firewall in transparent mode between the router and the server. The firewall works in transparent mode to protect the server 192.168.1.10.

Network Topology

Configuration Tips

•  Set the firewall to work in transparent mode.

•  Add the server address.

•  Configure the policy.

Configuration Steps

For the M5100, take the following steps to convert the LAN port into a routing port before switching to transparent mode. This operation is not required for other models. First delete the policy, route, and DHCP configuration related to the LAN port.

    RG-WALL # config system virtual-switch
    RG-WALL (virtual-switch) # delete lan
    RG-WALL (virtual-switch) # end

*      Before operation, it is recommended to upgrade the firewall to the latest software version.

1.     Set the firewall to work in transparent mode.

Choose System > Dashboard > Status. The information on the home page is as follows:

Click Change in the Operation Mode field. Change the value of Operation Mode to Transparent. Set the management IP address and gateway for the device. See the following figure:

In transparent mode, interface addresses cannot be configured; the device has only one management IP address. To manage the device through an interface, run the following commands to enable management access on that interface (the mgmt or mgmt1 interface by default). The following takes port1 as an example:

    RG-WALL # config system interface
    RG-WALL (interface) # edit port1
    RG-WALL (port1) # set allowaccess ping https ssh telnet
    RG-WALL (port1) # end
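The allowaccess line above opens telnet next to https and ssh. Telnet carries the administrator login unencrypted, and in transparent mode the management IP is the only address the device answers on, so a configuration review usually wants such interfaces flagged. The following Python check is an added example, not part of the cookbook or of Ruijie's tooling: it parses a `config system interface` block, lists interfaces whose allowaccess contains a cleartext management protocol, and produces the hardened allowaccess value. The edit/next/end layout of the sample block is constructed from the commands above and assumed; port1 mirrors the page's setting.

```python
"""Flag interfaces that allow cleartext management protocols in 'config system interface'."""
import re

# Constructed sample modelled on the commands above; not a device capture.
SAMPLE_CONFIG = """\
config system interface
    edit port1
        set allowaccess ping https ssh telnet
    next
    edit mgmt
        set allowaccess ping https ssh
    next
    edit port2
    next
end
"""

# Management protocols that carry credentials and sessions unencrypted.
CLEARTEXT = {"telnet", "http"}


def parse_allowaccess(text):
    """Return {interface: [protocols]} from a 'config system interface' block.
    Interfaces without a 'set allowaccess' line get an empty list."""
    result, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit\s+"?([^"\s]+)"?$', line)
        if m:
            cur = m.group(1)
            result[cur] = []
        elif cur and line.startswith("set allowaccess"):
            result[cur] = line.split()[2:]
        elif line in ("next", "end"):
            cur = None
    return result


def cleartext_management(text):
    """Interfaces whose allowaccess list includes a cleartext protocol, with the offenders."""
    return {iface: [p for p in protos if p in CLEARTEXT]
            for iface, protos in parse_allowaccess(text).items()
            if set(protos) & CLEARTEXT}


def hardened_allowaccess(protos):
    """The same list with cleartext protocols dropped, ready for 'set allowaccess'."""
    return " ".join(p for p in protos if p not in CLEARTEXT)


if __name__ == "__main__":
    cfg = parse_allowaccess(SAMPLE_CONFIG)
    for iface, bad in cleartext_management(SAMPLE_CONFIG).items():
        print(f"{iface}: allows {', '.join(bad)}; "
              f"suggest 'set allowaccess {hardened_allowaccess(cfg[iface])}'")
```

Run it against the output of `show system interface` (or the saved configuration backup from section 2.5) after every management change; an empty result means no interface accepts telnet or http management.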

The following figure shows interfaces:

2.      Add the server address.

Choose Firewall > Address > Address, and then click Create New to add the server address, as shown in the following figure: