Ruijie RG-WALL 1600 Series Next-Generation Firewall Implementation Cookbook (V1.3)
Copyright Statement
Ruijie Networks©2016
Ruijie Networks reserves all copyrights of this document. Any reproduction, excerption, backup, modification, transmission, translation or commercial use of this document or any portion of this document, in any form or by any means, without the prior written consent of Ruijie Networks is prohibited.
[Ruijie logos] are registered trademarks of Ruijie Networks. Counterfeiting is strictly prohibited.
Exemption Statement
This document is provided “as is”. The contents of this document are subject to change without any notice. Please obtain the latest information through the Ruijie Networks website. Ruijie Networks endeavors to ensure content accuracy and will not shoulder any responsibility for losses and damages caused due to content omissions, inaccuracies or errors.
Obtaining Technical Assistance
Ruijie Networks website: http://www.ruijienetworks.com/
Ruijie Networks service portal: http://caseportal.ruijienetworks.com
2.4 License Service Registration
2.5 Configuration Backup and Recovery
2.8 Restoring Factory Settings
3.1 Internet Access via a Single Line
3.1.1 Configuring Internet Access via a Single ADSL Line
3.1.2 Configuring Internet Access via a Static Link
3.1.3 Configuring Internet Access via a DHCP Line
3.2 Internet Access via Multiple Links
3.2.1 Configuring Internet Access via Dual Lines of the Same Carrier
3.2.2 Configuring Internet Access via Dual Lines of Different Carriers
3.3.1 Configuring the DHCP Server
3.3.3 DHCP Relay Configuration
3.4.1 Address Mapping (One-to-One IP Address Mapping)
3.4.2 Port Mapping (One-to-Many Port Mapping)
3.4.3 Port Mapping for Multiple Lines
3.6 Application Level Gateway (ALG)
3.6.2 VoIP Destination Address Mapping
3.7.1 IPSec VPN (Point-to-Point)
3.9.1 HTTP Traffic-based Server Load Balancing
3.9.2 HTTPS Traffic-based Server Load Balancing
4 Configuring Transparent Mode
4.3 Out-of-Band Management in Transparent Mode
5.3 Configuring VDOM in Hybrid Mode
6.4 Configuring Synchronization of Standalone Device Configuration and Sessions
6.5 Configuring the Ping Server
6.6 Configuring the Out-of-Band Management Interface
7.1.5 Network Application Control
7.1.6 Data Leakage Prevention (DLP)
7.2.2 Storing Logs in the Hard Disk
7.2.3 Storing Logs in the Memory
7.3 Converting Interface Attribute
8.1 Enabling IPv6 on the Web Page
8.2 Configuring Internet Access
8.2.2 Configuring VIP46 Mapping
Networking Requirements
Via the Web visual interface, you can configure the firewall, for example, enable the management function of the wan1 interface.
Network Topology
Configuration Tips
The default IP address of the NGFW is 192.168.1.200, and you can perform Web management via HTTPS (the default user name is admin, and the default password is firewall). The management interfaces of the models are as follows:
RG-WALL1600-X9300: mgmt1 interface
RG-WALL1600-X8500: mgmt1 interface
RG-WALL1600-X6600: mgmt1 interface
RG-WALL1600-M5100: mgmt interface
RG-WALL1600-S3600: internal interface, corresponding to the switching interfaces 1 to 14
RG-WALL1600-S3100: internal interface, corresponding to the switching interfaces 1 to 7
All switching interfaces of the S3100 and S3600 are Layer-3 internal interfaces; only internal interfaces are suitable for Layer-3 configurations, for example, IP address configurations.
Set the IP address of the PC to 192.168.1.1/24, connect to the internal interface or MGMT interface, open the IE browser, enter https://192.168.1.200 to log in to the NGFW management page, and enter the user name admin and password firewall to open the NGFW page. If you forget the password, you can restore the initial password as instructed in the section “Firewall Maintenance” > “Password Recovery”.
After you log in to the device, enable the management function of the wan1 interface.
By default, other interfaces have no IP addresses, and other management functions (for example, HTTPS) are not enabled on other interfaces.
If the firewall interface address is modified but you forget the new password, you can enter the CLI to view the current configurations.
It is recommended that you use Firefox or IE10 (or above). If you use a third-party browser (for example, 360 and Travel), use the top speed mode.
Configuration Steps
1. When the NGFW is configured with default values, set the IP address of the PC to 192.168.1.1, and set the IP address of the gateway to 192.168.1.200;
In the address bar of the IE browser, enter https://192.168.1.200, and the firewall login page is displayed.
Enter the user name admin and the default password firewall, and the homepage of the firewall is displayed.
2. Set the IP address of the wan1 interface to 192.168.33.51/24, and enable the management function of the internal interface.
Choose the System > Network > Interface menu.
Double-click the wan1 interface to edit the following parameters:
Set the IP address of the interface to 192.168.0.200/24.
Administrative Access: Select HTTPS, PING, and SSH. The options mean the following:
HTTPS: Allow users to use https://192.168.0.200 to manage the device;
Ping: Allow users to ping this interface address. If it is deselected, the interface address cannot be pinged even if the interface address is reachable;
HTTP: Allow users to use http://192.168.0.200 to manage the device;
SSH: Allow users to use ssh 192.168.0.200 to manage the device;
SNMP: Allow users to perform SNMP management via the interface;
TELNET: Allow users to use telnet 192.168.0.200 to manage the device.
Verification
Enter https://192.168.0.200 in the browser, and then verify the configurations.
Networking Requirements
To perform configuration management, you can use HyperTerminal or CRT to enter the CLI via a Console cable. By default, the firewall allows Console management.
Network Topology
Configuration Tips
1. Prepare a Console cable and a PC.
2. Connect the Console cable.
Connect the RJ45 connector end of the Console cable to the Console port, and connect the other end of the Console cable to the Com port of the PC.
3. Configure the HyperTerminal
a) A PC running Windows XP has a built-in HyperTerminal; on a PC running Windows 7, you need to install HyperTerminal separately.
b) By default, Windows Server 2003 is not equipped with HyperTerminal. You need to install it in Control Panel > Add/Remove Programs, or directly download it from Attachment 1.
c) If you fail to enter the CLI after the configurations, check whether the Console cable is connected to the Console port, whether the data bits of HyperTerminal are configured correctly, and whether you have clicked Restore Defaults. If you still fail to enter the CLI after performing the above operations, try replacing the PC, Console cable and HyperTerminal.
Operation Steps
1. Prepare a Console cable and a PC
2. Connect the Console cable
Insert the RJ45 connector end of the Console cable into the Console port of the network device (the Console port is usually beside the Ethernet port of the network device, and is marked with Console), and then insert the DB9 end of the Console cable into the Com port of the PC.
3. Configure the HyperTerminal
Verification
Press the Enter key, and the system displays RG-WALL login, prompting you to enter the user name admin and password firewall (if the password has been changed or you forget the password, follow the instructions in the section “Password Recovery”).
Networking Requirements
If you want to enter the CLI of a device to configure it or gather related information, you can manage the device remotely via Telnet or SSH when no Console cable is available or you are far away from the device.
Network Topology
Configuration Tips
To use Telnet or SSH, first ensure connectivity between the management host and the interface address of the device. You can tick the Ping function of the interface. If the management interface can be pinged, the connectivity between them is normal.
1. Enable the Telnet and SSH functions on the interface.
2. Telnet the management device.
3. SSH the management device.
Configuration Steps
1. Enable the Telnet and SSH functions on the interface
Choose the System > Network > Interface menu, and edit the internal interface by double-clicking it, as shown in the following figures:
Tick SSH and TELNET (by default, the Telnet and ping functions of the interface are disabled), and click OK.
I. Requirements
According to the factory settings, the default account is admin (with all privileges), and the default password is firewall. The requirements are as follows:
Change the admin password to ruijie@123, and set the host IP address of the admin account to 172.18.10.108/32. This means that only this host (172.18.10.108) can use the admin account to manage the device.
Create a monitor account with "read-only" privilege. Set the password to 123456a!. Set no limit on the IP address of the management host (login is allowed from all hosts), and set the permission to read-only.
Define the password policy, which specifies the password complexity.
Set the timeout interval of the Web page. If an administrator does not perform any operation within 90 minutes, for example, the administrator is automatically logged out.
II. Configuration Tips
Change the admin password and set management IP addresses.
Set Admin Profile to readonly.
Create a monitor account.
Define the password policy and change administrator settings.
III. Configuration Steps
Change the admin password and set management IP addresses.
Choose System > Admin > Administrators.
Click or double-click the editing button of the administrator named admin, and then click Change Password.
In the Edit Password dialog box that is displayed, change the password to ruijie@123, and then click OK.
Tick Restrict this Admin Login from Trusted Hosts Only, enter the management IP address 172.18.10.108/32 in Trusted Host #1, and then click OK.
Three trusted hosts can be added on this page. Up to 10 trusted hosts can be added by running the corresponding commands.
RG-WALL # config system admin
RG-WALL(admin) # edit admin
RG-WALL(admin) # set trusthost1 172.18.10.108 255.255.255.255
RG-WALL(admin) # set trusthost2 172.19.10.108 255.255.255.255
RG-WALL(admin) # set trusthost3 172.119.10.108 255.255.255.255
RG-WALL(admin) # end
Set Admin Profile to readonly.
Choose System > Admin > Admin Profile, and then click Create New.
Profile Name: Set it to readonly.
Tick Read Only for all items.
Create a monitor account.
Choose System > Admin > Administrators,and then click Create New.
Create a monitor account, set the password to 123456a!, set Admin Profile to readonly, and set no limit on the IP addresses of the management hosts, as shown in the following figure.
Define the password policy and change administrator settings.
If a password must contain at least 6 characters comprising letters, digits, and special characters (such as !@#$%&'), set the password policy as follows.
Choose System > Admin > Settings, as shown in the following figure.
Enable: Tick Enable.
Minimum Length: The minimum length of a password.
Must Contain: Limits on the number of letters, digits, and special characters a password must contain.
Apply Password Policy to: Apply the policy to the admin password.
Admin Password Expires after: Configure the validity period of a password. The system prompts the administrator to change the password after it expires.
Idle Timeout: If an administrator does not perform any operation within the specified time, the administrator is automatically logged out.
Note: The total number of uppercase letters, lowercase letters, digits, and special characters required should be less than or equal to the maximum length; otherwise, the policy setting is invalid.
IV. Verification
Log in with the monitor account and try to change the settings. The error prompt Permission denied is displayed.
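As an added example (not from the cookbook), the following Python models the password policy settings described above (Minimum Length, Must Contain, and the note that the required character counts must fit within the length) and checks candidate passwords against them. The PasswordPolicy class and its field names are assumptions for illustration; PAGE_POLICY encodes the requirement stated above.

```python
"""Checker modelled on the admin password policy settings described above
(Minimum Length, Must Contain, and the note on the settings page). Added example,
not Ruijie's code; PasswordPolicy and its field names are assumed for illustration."""
from dataclasses import dataclass
import string

SPECIAL_CHARS = set(string.punctuation)  # includes the page's examples !@#$%&'


@dataclass(frozen=True)
class PasswordPolicy:
    minimum_length: int = 6
    min_upper: int = 0
    min_lower: int = 0
    min_digit: int = 0
    min_special: int = 0

    def is_valid(self):
        """The note on the settings page: the characters the policy demands must fit
        within the length it enforces, otherwise the policy setting is invalid."""
        required = self.min_upper + self.min_lower + self.min_digit + self.min_special
        return self.minimum_length > 0 and required <= self.minimum_length


# The page's requirement: at least 6 characters with letters, digits and special characters.
PAGE_POLICY = PasswordPolicy(minimum_length=6, min_lower=1, min_digit=1, min_special=1)


def character_counts(password):
    """Count characters per class the way 'Must Contain' groups them."""
    return {
        "uppercase": sum(c.isupper() for c in password),
        "lowercase": sum(c.islower() for c in password),
        "digit": sum(c.isdigit() for c in password),
        "special": sum(c in SPECIAL_CHARS for c in password),
    }


def check_password(password, policy=PAGE_POLICY):
    """Return the list of violations; an empty list means the password is compliant."""
    if not policy.is_valid():
        raise ValueError("policy invalid: required characters exceed the minimum length")
    violations = []
    if len(password) < policy.minimum_length:
        violations.append(f"length {len(password)} is below the minimum of {policy.minimum_length}")
    counts = character_counts(password)
    required = {"uppercase": policy.min_upper, "lowercase": policy.min_lower,
                "digit": policy.min_digit, "special": policy.min_special}
    for cls, need in required.items():
        if counts[cls] < need:
            violations.append(f"needs at least {need} {cls} character(s), has {counts[cls]}")
    return violations


if __name__ == "__main__":
    # The passwords set in the steps above, plus the factory default they replace.
    for candidate in ("ruijie@123", "123456a!", "firewall"):
        problems = check_password(candidate)
        print(f"{candidate!r}: {'compliant' if not problems else '; '.join(problems)}")
```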
Networking Requirements
The firewall system can be upgraded via the Web interface or via TFTP on the CLI. Here, the firewall system is upgraded via TFTP.
Before the upgrade, be sure to back up the firewall configurations. For details, refer to the section “Firewall Maintenance” > “Configuration Backup and Recovery”.
Network Topology
Configuration Tips
1. Prepare tools and connect the Console cable;
2. Connect the network cable, and ensure that network communication is normal;
3. Set up the TFTP server;
4. Begin the upgrade.
Configuration Steps
1. Prepare tools
Prepare the Console cable, network cable, upgrade file, TFTP tool, and USB-to-serial converter cable (if the PC has no Com port), and install the driver;
2. Connect the network cable, and ensure that network communication is normal;
3. Set up the TFTP server;
4. Begin the upgrade.
You can download the Cisco TFTP server from the attachment.
Run the Cisco TFTP software, and save the upgrade firmware into the folder shown in the red frame below (when you install the software, the system specifies a folder), for example, c:\tftp.
Restart the device, and perform the following steps:
5. Enter M (press Shift + m) to enter the BIOS menu:
...
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[I]: Configuration and information.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
6. Select F to format the Flash card;
Enter Selection [G]:
Enter G,F,B,I,Q,or H: F // Select F to format the Flash card. Optional
All data will be erased, continue:[Y/N]?Y
7. Select G to download the image file:
Enter G,F,B,I,Q,or H: G // Select G to download the image file from the server.
Please connect TFTP server to Ethernet port "MGMT1". // Connect the PC to the MGMT1 port of the firewall.
Enter TFTP server address [192.168.1.1]: // Enter the address of the TFTP server.
Enter local address [192.168.1.200]: // Assign a temporary IP address to MGMT1.
Enter firmware image file name [image.out]: Ruijie_XXX_ .bin // Enter the name of the image file.
MAC:14144B7EE172
###########################################
8. The TFTP server prompts successful download:
Total 45387871 bytes data downloaded.
Verifying the integrity of the firmware image.
Total 262144kB unzipped.
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?d // Use as the default boot file.
Programming the boot device now.
................................................................................................................................................................................................................................................................
Reading boot image 1401958 bytes.
Initializing firewall...
System is starting...
Resizing shared data partition...done
Formatting shared data partition ... done!
Networking Requirements
The current system software version is outdated, so it needs to be upgraded via the Web interface.
Before the upgrade, be sure to back up the device configurations. For details, refer to the section “Firewall Maintenance” > “Configuration Backup and Recovery”.
Configuration Points
1. RG-WALL is a next-generation firewall. Each device model has a separate version file; before the upgrade, confirm the current device model.
2. The suffix of the upgrade package must be “.bin”; its prefix is not restricted;
3. Before the upgrade, prepare a Console cable so that you can take measures in case of upgrade failure;
4. During the upgrade, do not switch to other pages, and do not power off or restart the device; the upgrade usually takes less than five minutes;
5. After the new version is imported, the device is automatically restarted, and the upgrade takes effect.
The upgrade causes a network interruption. During the upgrade, follow the upgrade procedure strictly; incorrect operations can cause the system to be lost.
Upgrade Procedure
1. Log in to the Web interface of the NGFW
Choose the System > Dashboard > Status > Firmware Version menu, and click the Update button;
2. Select the related OS files
Click OK, and then the system isautomatically restarted.
Verification
The system restarts with the newly loaded OS.
Precautions
The P3 version makes many changes over the previous versions; use the following upgrade mode:
1. Before the upgrade, be sure to disable the auto-ipsec management property of the wan1 and wan2 interfaces via the CLI (if the management property is not disabled, the system reports errors when switching to transparent mode in the P3 version).
1) View the management property of interfaces
RG-WALL # show system interface
config system interface
edit "wan1"
set vdom "root"
set ip 192.168.57.74 255.255.255.0
set allowaccess ping https ssh telnet auto-ipsec
set type physical
set snmp-index 1
next
edit "wan2"
set vdom "root"
set ip 192.168.101.200 255.255.255.0
set allowaccess ping auto-ipsec
set type physical
set snmp-index 2
2) Disable the auto-ipsec property of the wan1 and wan2 interfaces
RG-WALL # config system interface
RG-WALL(interface) # edit wan1
RG-WALL(wan1) # set allowaccess ping https ssh
RG-WALL(wan1) # next
RG-WALL(interface) # edit wan2
RG-WALL(wan2) # set allowaccess ping
RG-WALL(wan2) # end
2. Upgrade the P0, P1 or P2 version to the P3 version via the Web interface (the upgrade takes about five minutes);
3. To complete the upgrade, you need to upgrade to the P3 version again via the Web interface;
1) During the upgrade to the P3 version, a formatting action is added to ensure a complete upgrade;
2) The formatting operation does not clear the original configurations;
3) Subsequent versions are not affected by this; only the P3 version requires two upgrades;
4) The upgrade process takes about 5 minutes.
4. Upgrade flowchart: P0, P1 or P2 to P3, and then P3 to P3 again.
5. Whether auto-ipsec is enabled or disabled by default depends on the device model:
1) S3100: By default, auto-ipsec is enabled on wan1 and wan2;
2) S3600: By default, auto-ipsec is enabled on wan1 and wan2;
3) M5100: By default, auto-ipsec is enabled on wan1;
4) M6600 and X9300: auto-ipsec is not enabled on the interfaces.
I. Description
1. There is only one kind of license service, namely RG-WALL1600-XXXXX (model)-LIS-1Y, which is delivered in an envelope and has a term of 1 year. It is a compound license service containing the virus signature upgrade service, IPS signature upgrade service, URL signature upgrade service, application signature upgrade service, and spam signature upgrade service.
2. License service registration is the online registration of a service license for UTM-related functions (such as anti-virus, IPS, application detection, email filtering, Web filtering, and data leakage prevention) purchased by customers. It enables customers to upgrade the rules repository and use the online detection function during the license term. You cannot handle license service registration yourself. Instead, you need to provide the relevant information to our engineer for registration. Then, when your devices are connected to the Internet, you will find that the license has been activated and the UTM functions can be used.
II. License Service Registration Process
Step 1: Send registration information.
When you purchase the service, you receive an envelope enclosed with an authorization code. If you need registration, send the software SN (16 digits), model, authorization code, project name, and customer name of the device to be registered to rgngfw3@ruijie.com.cn according to the instructions in the envelope.
1. Collect related information according to samples in the following table.
| | Software SN (16 digits) | Model | Authorization Code (12 digits) | Project Name | Customer Name |
|---|---|---|---|---|---|
| Sample | DB99KKK124667235 | Sample* | Sample* | Sample | Sample* |
Explanation:
Software SN: A string of 16 characters starting with RGFW, shown on the Web page.
Model: It can be obtained from the dashboard or Web page.
Send the table information in Step 1 and your contact information to the technical support email address rgngfw3@ruijie.com.cn, with the subject "License Activation for WALL 1600 (model)".
We will finish license activation based on the table information you provide within 1 working day. If your application is filed on weekends or holidays, we will finish license activation before 12:00 on the subsequent working day.
When you receive an email about successfulactivation, it indicates that your license has been activated and you can use theupgrade service.
Notes:
1. The authorization code is only applicable to a certain model in RG-WALL1600 series.
2. Be sure to activate your license within 10 months of receiving the license envelope. Otherwise, Ruijie Cloud Server will automatically activate it for you.
3. The authorization code can be activated only once. If you fail to activateit, please contact Ruijie engineers for license migration.
Step 2: Operate on the device.
Ensure that the firewall is connected to the Internet and configured with the correct DNS address. By default, the update server domain name is fwupdate.ruijie.com.cn and the port is 8890.
Run the following commands to change the default setting so that the device automatically finds a server (using servers distributed globally):
RG-WALL # show system central-management
config system central-management
set Ruijiemanager-fds-override enable
set fmg "fwupdate.ruijie.com.cn"
end
RG-WALL # config system central-management
RG-WALL (central-management) # unset fmg
RG-WALL (central-management) # set Ruijiemanager-fds-override disable
RG-WALL # show system central-management // Indicates that the default update address is disabled and the device will automatically find the nearest server.
1. Perform the initial manual update.
After receiving the registration success email from Ruijie, log in to the firewall and perform the initial manual update.
2. Confirm the license information.
Choose System > Status to view License Information, which indicates Licensed. Confirm the expiry date of each service.
IV. Information Acquisition Method
1. Software SN
Log in to the device. Choose System > Dashboard > Status > System Information to view the software SN (software reg number).
2. Model
View the model on the dashboard or Web page. On the Web page, choose System > Dashboard > Status > System Information to view the model.
3. Authorization Code
Obtain the authorization code from the envelope.
Networking Requirements
Save the current configurations of the firewall, and export them for backup, so that the configurations can be restored when needed.
Configuration Tips
1. Save the configurations
2. Export the configurations
3. Restore the configurations
1. The imported configuration files must be in conf format; otherwise, they cannot be identified.
2. After you import the configurations, you must restart the system so that the imported configurations take effect.
3. You must remember the password for the backup configurations; otherwise, they cannot be imported or restored.
Configuration Steps
1. Save the configurations
Web: Via the Web interface, the configurations take effect immediately and are saved automatically. Every time you modify configurations and click OK, the new configurations are automatically saved.
CLI: Enter next and end on the CLI; the new configurations take effect and are automatically saved.
2. Export the configurations
Choose the System > Dashboard > Status menu, and the System Information page is displayed. Then, click Backup after System Configuration.
The updated P2 version allows you to choose whether to encrypt configuration files (in the P1 version, configuration files are encrypted by default). You can select or deselect Encrypt configuration file (if selected, you need to set a password) according to actual needs, and click Backup.
The configuration files will be backed up tothe local disk.
3. Restore the configurations
Choose the System > Dashboard > Status menu, and the System Information page is displayed. Then, click Restore after System Configuration to use the locally stored configuration files to restore the firewall configurations.
After the import is successful, the system prompts you to restart the system.
Verification
After the system is restarted, the previous configurations are restored.
Networking Requirements
If the intranet is equipped with a network management server that monitors and manages the network devices, you need to enable the SNMP function on the NGFW, so that the network management server can monitor the NGFW via SNMP.
Configuration Tips
1. Enable the SNMP management function on the network interface;
2. Enable the SNMP local agent.
3. Configure the SNMP Community.
Configuration Steps
1. Enable the SNMP management function on the network interface
Choose the System > Network > Interface menu, edit the interface used for SNMP management, and select SNMP in the Manage the Access option.
2. Enable the SNMP local agent
Choose the System > Config > SNMPv1/v2 menu, select SNMP Agent, enter the related description information, and click Apply.
3. Configure the SNMP Community
On the page of Step 2, click the Create New button below SNMP Communities. Then, the New SNMP Community configuration page is displayed.
Community Name: Set it to readonly (this is the community string).
Host management: Enter the address of the SNMP server (the address is mandatory, for example, 192.168.1.168). Only this host is then allowed to perform SNMP management with the community string, and the address is also used as the destination for Trap information.
Interface: If you select an interface, the system only allows SNMP management with the community string via the selected interface. any refers to any interface.
Queries: The interface used for SNMP queries.
Trap: The interface that SNMP uses to send a Trap.
SNMP Event: An event that triggers an SNMP Trap. By default, all events are selected. It is recommended that you do not modify the default setting.
Verification
As shown in the following figure, connect the MIB browser to the firewall via SNMP, and view the related information of the device. You can view the device name and run time of the firewall:
Networking Requirements
1. If you forget the password of the device, you need to recover the password by using a Console cable.
2. Recovering the password requires restarting the device, which causes a network interruption. Therefore, perform the restart at a convenient time.
3. After you recover the password, the current configurations are not changed.
Configuration Tips
1. Connect to the firewall serial port via HyperTerminal or CRT;
2. Power off and restart the device, and log in with the built-in account ruijie.
3. Set a new password for the administrator.
Configuration Steps
1. Connect the Console cable, and set the HyperTerminal
a) Prepare a Console cable and a PC with a Com port;
b) Connect the Console cable;
Insert the RJ45 connector end of the Console cable into the Console port of the network device (the Console port is usually beside the Ethernet port of the network device, and is marked with Console), and then insert the DB9 end of the Console cable into the Com port of the PC.
c) Configure the HyperTerminal.
2. Power off to restart the device
Within 15 seconds after the system restarts, enter the user name ruijie and the password (the password is the software registration number, which is usually a string of 16 characters starting with RGFW). The serial number of the product is available on the bottom or one side of the device, as shown below.
RG-WALL login: ruijie
Password: RGFW314614039839
RG-WALL #
The account is valid only within 15 seconds after system restart, and can only be used via the Console interface.
3. Change the account and password for the administrator
RG-WALL # config system admin
RG-WALL(admin) # edit admin
RG-WALL(admin) # set pass 123455@!@#
RG-WALL(admin) # end
Verification
Use the new admin account and password to log in to the firewall via HTTPS or SSH.
Networking Requirements
If you want to delete all current configurations of the device, you can restore the factory default. If you are sure that you want to restore the factory default, it is recommended that you back up the current configurations first. For details about the backup operation, refer to the section “Firewall Maintenance” > “Configuration Backup and Recovery”.
The license information of the device is saved on the cloud. After restoring the factory default, you can obtain the license information again by connecting the device to the Internet.
Configuration Tips
1. After you restore the factory default, all current configurations are removed and the system is automatically restarted.
2. After you restore the factory default, the IP address of the internal or MGMT interface is restored to 192.168.1.200.
Configuration Steps
Mode 1: CLI
Enter the CLI, run the execute factoryreset command, and press Enter. The system then prompts whether you want to continue. Enter y to continue the operation.
RG-WALL # execute factoryreset
This operation will reset the system to factory default!
Do you want to continue? (y/n) y
Mode 2: Press the Reset button on the device (available only on the S3100 and S3600, not on other models).
Within 30 seconds after the firewall system starts normally, press and hold the Reset button. The system restarts automatically and the factory default is restored.
Verification
After you restore the factory default, the IP address of the management interface is restored to 192.168.1.200. Via this address, you can log in to https://192.168.1.200. The user name and password are restored to the defaults admin and firewall.
Precautions
After you restore the factory default, the disk log is not removed; only the current configurations are removed.
I. Command Structure
config Configure object. Configures policies and objects.
get Get dynamic and system information. Shows settings of specific objects.
show Show configuration. Shows the configuration file.
diagnose Diagnose facility. Indicates diagnosis commands.
execute Execute static commands. Indicates common commands, such as ping.
exit Exit the CLI. Exits the CLI.
II. Common Commands
1. Configure an interface address.
RG-WALL # config system interface
RG-WALL (interface) # edit lan
RG-WALL (lan) # set ip 192.168.100.99/24
RG-WALL (lan) # end
2. Configure a static route.
RG-WALL (static) # edit 1
RG-WALL (1) # set device wan1
RG-WALL (1) # set dst 10.0.0.0 255.0.0.0
RG-WALL (1) # set gateway 192.168.57.1
RG-WALL (1) # end
3. Configure a default route.
RG-WALL (1) # set gateway 192.168.57.1
RG-WALL (1) # set device wan1
RG-WALL (1) # end
4. Configure a firewall address.
RG-WALL # config firewall address
RG-WALL (address) # edit clientnet
new entry 'clientnet' added
RG-WALL (clientnet) # set subnet 192.168.1.0 255.255.255.0
RG-WALL (clientnet) # end
5. Configure an IP pool.
RG-WALL (ippool) # edit nat-pool
new entry 'nat-pool' added
RG-WALL (nat-pool) # set startip 100.100.100.1
RG-WALL (nat-pool) # set endip 100.100.100.100
RG-WALL (nat-pool) # end
6. Configure a virtual IP address.
RG-WALL # config firewall vip
RG-WALL (vip) # edit webserver
new entry 'webserver' added
RG-WALL (webserver) # set extip 202.0.0.167
RG-WALL (webserver) # set extintf wan1
RG-WALL (webserver) # set mappedip 192.168.0.168
RG-WALL (webserver) # end
7. Configure the Internet access policy.
RG-WALL # config firewall policy
RG-WALL (policy) # edit 1
RG-WALL (1) # set srcintf internal // Indicates the source interface.
RG-WALL (1) # set dstintf wan1 // Indicates the destination interface.
RG-WALL (1) # set srcaddr all // Indicates the source address.
RG-WALL (1) # set dstaddr all // Indicates the destination address.
RG-WALL (1) # set action accept // Indicates the action.
RG-WALL (1) # set schedule always // Indicates the schedule.
RG-WALL (1) # set service ALL // Indicates the service.
RG-WALL (1) # set logtraffic disable // Enables or disables logs.
RG-WALL (1) # set nat enable // Enables NAT.
end
8. Configure the mapping policy.
RG-WALL # config firewall policy
RG-WALL (policy) # edit 2
RG-WALL (2) # set srcintf wan1 //Indicates the source interface.
RG-WALL (2) # set dstintf internal //Indicates the destination interface.
RG-WALL (2) # set srcaddr all //Indicates the source address.
RG-WALL (2) # set dstaddr ngfw1 //Indicates the destination address used for virtual IP address mapping, which is added beforehand.
RG-WALL (2) # set action accept //Indicates the action.
RG-WALL (2) # set schedule always //Indicates the schedule.
RG-WALL (2) # set service ALL //Indicates the service.
RG-WALL (2) # set logtraffic disable //Enables or disables logs.
RG-WALL (2) # end
9. Change the internal switching interface to the routing interface.
Ensure that the routing, DHCP, and firewall policies of the internal interface are deleted first.
RG-WALL # config system global
RG-WALL (global) # set internal-switch-mode interface
RG-WALL (global) # end
Restart the device.
--------------------------------------
10. View the host name and management port.
RG-WALL# show system global
11. View the system status and available resources.
RG-WALL# get system performance status
12. View the application traffic statistics.
RG-WALL# get system performance firewall statistics
13. View the ARP table.
RG-WALL # get system arp
14. View ARP details.
RG-WALL # diagnose ip arp list
15. Clear the ARP cache.
RG-WALL # execute clear system arp table
16. View the current session table.
RG-WALL # diagnose sys session stat
RG-WALL # diagnose sys session full-stat
17. View the session list.
RG-WALL # diagnose sys session list
18. View the physical interface status.
RG-WALL# get system interface physical
19. View settings of the default route.
RG-WALL# show router static
20. View the static route in the routing table.
RG-WALL# get router info routing-table static
21. View OSPF configuration.
RG-WALL# show router ospf
22. View the global routing table.
RG-WALL # get router info routing-table all
-----------------------------------------------
23. View HA status.
RG-WALL # get system ha status
24. Check synchronization of active and standby routers.
RG-WALL# diagnose sys ha showcsum
---------------------------------------------------
25. Diagnosis commands:
RG-WALL # diagnose debug enable //Enables debugging.
RG-WALL # diagnose debug application ike -1 //Debugs IPSec Phase 1 packets to check whether an IPSec VPN is created.
RG-WALL # diagnose debug reset //Resets debugging.
---------------------------------------------------
Execute Commands:
RG-WALL # execute ping 8.8.8.8 //Indicates the common ping command.
RG-WALL # execute ping-options source 192.168.1.200 //Specifies 192.168.1.200 as the source address of ping packets.
RG-WALL # execute ping 8.8.8.8 //Enter the destination address of ping packets to execute the ping command via the specified source address 192.168.1.200.
RG-WALL # execute traceroute 8.8.8.8
RG-WALL # execute telnet 2.2.2.2 //Gets access via Telnet.
RG-WALL # execute ssh 2.2.2.2 //Gets access via SSH.
RG-WALL # execute factoryreset //Restores factory settings.
RG-WALL # execute reboot //Reboots the device.
RG-WALL # execute shutdown //Shuts down the device.
Networking Requirements
The extranet interface uses ADSL for dial-up and the intranet belongs to the 192.168.1.0/24 segment. Intranet users can access the Internet.
Network Topology
Configuration Tips
1. Configure interfaces.
wan1 interface: It is used to access ADSL. The Retrieve default gateway from server option is mandatory. After ADSL dial-up succeeds, the device generates a default route without manual configuration.
Internal interface: Configure an IP address formatted as 192.168.1.200/24. If necessary, enable the management function on the interface.
2. Configure address object lan with address 192.168.1.0/24.
3. Configure the policy for the data transmitted from the internal interface to wan1 interface and enable NAT.
Configuration Steps
1. Configure interface address.
Choose System>Network>Interface. Tick wan1 and click Edit to display the Edit Interface page.
Addressing mode: Select PPPoE.
Username: Enter the user name.
Password: Enter the password.
Initial Disc Timeout: The waiting time before beginning a new PPPoE discovery.
Initial PADT Timeout: If the idle time exceeds the defined time, PPPoE will be disabled. The PADT function requires support from the ISP.
Retrieve default gateway from server (mandatory): After dial-up succeeds, the firewall will obtain one default route.
Override internal DNS: If the company does not have its own DNS server, this option is mandatory.
Edit the internal interface. The default IP address of the internal interface is 192.168.1.200/24, which shall be changed according to the actual situation.
You can enable the management function on the interface if necessary. It is recommended to enable HTTPS, SSH, and PING services.
After dial-up succeeds, choose Router>Monitor>Routing Monitor to check the default route obtained by the PPPoE client.
2. Configure address resources.
Choose Firewall>Address>Address, and then click Create New, as shown in the following figure:
Set Name to lan. Choose Subnet from Type. Set Subnet/IP Range to 192.168.1.0/24. Click OK. See the following figure:
3. Configure the policy.
For some low-end models, the system provides a NAT policy from the internal interface to wan1 interface by default.
Choose Firewall>Policy>Policy, and then click Create New, as shown in the following figure:
On the Edit Policy page, add one policy as shown in the following figure:
Source Interface/Zone: Choose internal.
Source address: Choose lan.
Destination Interface/Zone: Choose wan1.
Destination address: Choose all, which indicates all the addresses.
Service: Choose ALL.
NAT: Tick Enable NAT. The system automatically converts the IP address of the intranet lan to the IP address of wan1 interface for Internet access.
Click OK. The system automatically saves the configuration and the policy takes effect.
Log Allowed Traffic, once enabled, consumes extra system resources. Therefore, tick this item only when necessary.
Verification
Set the IP address of the PC to 192.168.1.1/24, the gateway address to 192.168.1.200, and the DNS address to 202.106.196.115, 8.8.8.8. (In general, you can set the DNS to the local DNS.)
Then the PC can access the Internet.
Networking Requirements
The extranet interface is connected to a private line and configured with a static address assigned by the carrier. The intranet belongs to the 192.168.1.0/24 segment. Intranet users can access the Internet.
Network Topology
Assume that the IP addresses assigned by the carrier are as follows:
Network segment: 202.1.1.8/29
Assigned IP address: 202.1.1.10
Gateway address: 202.1.1.9
DNS address: 202.106.196.115
Configuration Tips
1. Configure interfaces.
wan1 interface: Configure the IP address assigned by the carrier.
Internal interface: Configure an IP address formatted as 192.168.1.200/24. If necessary, enable the management function on the interface.
2. Configure a static routing table.
3. Configure address object lan with address 192.168.1.0/24.
4. Configure the policy for the data transmitted from the internal interface to wan1 interface and enable NAT.
Configuration Steps
1. Configure interface address.
Choose System>Network>Interface. Tick wan1 and click Edit to display the Edit Interface page, as shown in the following figure:
In the 202.1.1.8/29 network segment, 202.1.1.8 is the network address and 202.1.1.15 is the broadcast address, which cannot be used. 202.1.1.9 is the carrier's gateway address. The available IP address range is from 202.1.1.9 to 202.1.1.14.
Set the IP address of wan1 interface to 202.1.1.10.
Edit the internal interface. The default IP address of the internal interface is 192.168.1.200/24, which shall be changed according to the actual situation.
You can enable the management function on the interface if necessary. It is recommended to enable HTTPS, SSH, and PING services.
2. Configure a static routing table.
Choose Router>Static>Static Route, and then click Create New, as shown in the following figure:
Create a static route entry, as shown in the following figure:
Destination IP/Mask: Keep the default value 0.0.0.0/0.0.0.0.
Device: Choose wan1, which is related to this route. It must be set correctly. Otherwise, the route cannot work.
Gateway: The IP address of the next hop, that is, the IP address of the peer device corresponding to wan1 interface.
Distance: The default value is 10.
Priority: The default value is 0.
3. Configure address resources.
Choose Firewall>Address>Address, and then click Create New, as shown in the following figure:
Set Name to lan. Choose Subnet from Type. Set Subnet/IP Range to 192.168.1.0/24. Click OK. See the following figure:
4. Configure the policy.
For some low-end models, the system provides a NAT policy from the internal interface to wan1 interface by default.
Choose Firewall>Policy>Policy, and then click Create New, as shown in the following figure:
On the Edit Policy page, add one policy as shown in the following figure:
Source Interface/Zone: Choose internal.
Source address: Choose lan.
Destination Interface/Zone: Choose wan1.
Destination address: Choose all, which indicates all the addresses.
Service: Choose ALL.
NAT: Tick Enable NAT. The system automatically converts the IP address of the intranet lan to 202.1.1.10, the IP address of wan1 interface, for Internet access.
Click OK. The system automatically saves the configuration and the policy takes effect.
Log Allowed Traffic, once enabled, consumes extra system resources. Therefore, tick this item only when necessary.
Verification
Set the IP address of the PC to 192.168.1.1/24, the gateway address to 192.168.1.200, and the DNS address to 8.8.8.8. (In general, you can set the DNS to the local DNS.)
Then the PC can access the Internet.
Networking Requirements
The extranet interface uses DHCP and the intranet belongs to the 192.168.1.0/24 segment. Intranet users can access the Internet.
Network Topology
Configuration Tips
1. Configure interfaces.
wan1 interface: The Retrieve default gateway from server option is mandatory. After obtaining a DHCP address, the device generates a default route without manual configuration.
Internal interface: Configure an IP address formatted as 192.168.1.200/24. If necessary, enable the management function on the interface.
2. Configure address object lan with address 192.168.1.0/24.
3. Configure the policy for the data transmitted from the internal interface to wan1 interface and enable NAT.
Configuration Steps
1) Configure interfaces.
Choose System>Network>Interface. Tick wan1 and click Edit to display the Edit Interface page.
Addressing mode: Choose DHCP.
Retrieve default gateway from server (mandatory): After an address is obtained, the firewall will obtain one default route.
Override internal DNS: If the company does not have its own DNS server, this option is mandatory. The DHCP client successfully obtains an IP address, as shown in the following figure:
Edit the internal interface. The default IP address of the internal interface is 192.168.1.200/24, which shall be changed according to the actual situation.
You can enable the management function on the interface if necessary. It is recommended to enable HTTPS, SSH, and PING services.
After the IP address is obtained, choose Router>Monitor>Routing Monitor to check the default route, as shown in the following figure:
2) Configure address resources.
Choose Firewall>Address>Address, and then click Create New, as shown in the following figure:
Set Name to lan. Choose Subnet from Type. Set Subnet/IP Range to 192.168.1.0/24. Click OK. See the following figure:
3) Configure the policy.
For some low-end models, the system provides a NAT policy from the internal interface to wan1 interface by default.
Choose Firewall>Policy>Policy, and then click Create New, as shown in the following figure:
On the Edit Policy page, add one policy as shown in the following figure:
Source Interface/Zone: Choose internal.
Source address: Choose lan.
Destination Interface/Zone: Choose wan1.
Destination address: Choose all, which indicates all the addresses.
Service: Choose ALL.
NAT: Tick Enable NAT. The system automatically converts the IP address of the intranet lan to the IP address of wan1 interface for Internet access.
Click OK. The system automatically saves the configuration and the policy takes effect.
If you select Log Allowed Traffic, the system consumes extra resources. Therefore, tick this item only when necessary.
Verification
Set the IP address of the PC to 192.168.1.1/24, the gateway address to 192.168.1.200, and the DNS address to 202.106.196.115, 8.8.8.8. (In general, you can set the DNS to the local DNS.)
Then the PC can access the Internet.
Networking Requirements
Two lines provided by China Telecom are used on the current device with the same bandwidth. They back up each other and work in load-balancing mode.
Telecom line 1: wan1 interface, IP address 202.1.1.2/30; gateway address 202.1.1.1
Telecom line 2: wan2 interface, IP address 202.1.1.6/30; gateway address 202.1.1.5
Internal interface: intranet
In this example, the Internet interface address is used for NAT. If there is a need to use an address pool for NAT, see section 1.2.2 "Configuring Internet Access via Dual Lines of Different Carriers" for the policy configuration.
Network Topology
Configuration Tips
1. Configure interface address.
2. Configure a route.
3. Configure zones (untrust and trust zones).
4. Configure the policy.
5. Configure ECMP load-balancing mode.
Configuration Steps
1) Configure interface address.
Choose System>Network>Interface. Tick wan1 and click Edit to display the Edit Interface page, as shown in the following figure:
Configure the IP address and subnet mask as 202.1.1.2/30.
Choose System>Network>Interface. Tick wan2 and click Edit to display the Edit Interface page, as shown in the following figure:
The IP address of wan2 interface is 202.1.1.6/30, and the gateway address is 202.1.1.5.
The configuration is as follows:
2) Configure a route.
Choose Router>Static>Static Route, and then click Create New, as shown in the following figure:
Create two static route entries, as shown in the following figure:
Destination IP/Mask: Keep the default value 0.0.0.0/0.0.0.0.
Device: Choose wan1, which is related to this route. It must be set correctly. Otherwise, the route cannot work.
Gateway: The IP address of the next hop, that is, the IP address of the peer device corresponding to wan1 interface.
Distance: The default value is 10. The route with a shorter distance will be put into the routing table.
Priority: The default value is 0. The route with a smaller priority value is used preferentially.
Destination IP/Mask: Keep the default value 0.0.0.0/0.0.0.0.
Device: Choose wan2, which is related to this route. It must be set correctly. Otherwise, the route cannot work.
Gateway: The IP address of the next hop, that is, the IP address of the peer device corresponding to wan2 interface.
Distance: The default value is 10. The route with a shorter distance will be put into the routing table.
Priority: The default value is 0. The route with a smaller priority value is used preferentially.
(1) To enable both egress lines to work, ensure that the two routes have the same distance. Otherwise, the route with the longer distance will not be put into the routing table.
(2) Their priorities must also be the same. With the same distance and different priorities, both routes are put into the routing table, but the firewall will prefer the route with the lower priority value. Therefore, traffic over the two links cannot be balanced.
3) Configure zones.
The usage of zones facilitates and simplifies configuration. If Internet access is based on physical interfaces, multiple firewall policies are required.
Choose System>Network>Zone, and then click Create New, as shown in the following figure:
Create untrust and trust zones, as shown in the following figure. A zone can be regarded as an interface group and the zone name is user defined.
After configuration, the interfaces are displayed as shown in the following figure:
4) Configure the policy.
For some low-end models, the system provides a policy from the internal interface to wan1 interface by default. Follow the steps below to add one if there is none.
Choose Firewall>Policy>Policy, and then click Create New.
Create a policy, as shown in the following figure:
Source Interface/Zone: Choose trust.
Source address: Choose lan, which indicates the internal network address.
Destination Interface/Zone: Choose untrust.
Destination address: Choose all, which indicates all the addresses.
Service: Choose any.
Log Allowed Traffic: This item is ticked by default. It is recommended to untick it.
NAT: Tick Enable NAT. The system automatically converts the IP address of the intranet lan into the IP address of wan1 interface or wan2 interface for Internet access.
Click OK. The system automatically saves the configuration and the policy takes effect.
Log Allowed Traffic, once enabled, consumes extra system resources. Therefore, tick this item only when necessary.
5) Configure ECMP load-balancing mode.
The firewall supports the following three load balancing modes:
Source IP based: Choose different routes based on different source IP addresses.
Weighted Load Balance: Choose routes based on weight values. In this example, tick this item.
For example, assume that the wan1 interface weight is 50, the wan2 interface weight is 50, and the weight of other interfaces is 0. In this case, traffic is balanced over the two links in a 1:1 manner.
Assume that the wan1 interface weight is 50 and the wan2 interface weight is 100. In this case, traffic is balanced in a 1:2 manner.
Spillover: When the traffic over a link exceeds a threshold value, another link is used.
It is recommended to choose Source IP based. For example, online banking and online games require source IP address verification. If one user's traffic leaves with different source IP addresses, online banking interaction may fail and games may go offline.
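As an added illustration of steps 2 and 5 above (not Ruijie's code), the following Python model applies the route-selection and load-balancing rules described for the two default routes: distance decides which routes enter the routing table, priority decides which installed routes may share traffic, and the Source IP based and Weighted Load Balance modes then pick a link. Interface names, gateways and weights are those of this section; the hash and the weighted round robin are assumptions of the model, not the device's own algorithm.

```python
"""Route installation and ECMP selection for two default routes.

Added example (not Ruijie's code). Models the rules stated in this section:
only routes with the shortest distance are installed, among those the lowest
priority value is preferred, and equal-cost routes share traffic by
Source IP based or Weighted Load Balance selection."""
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    device: str          # egress interface, e.g. "wan1"
    gateway: str         # next-hop address
    distance: int = 10   # default value in the Web UI
    priority: int = 0    # default value in the Web UI
    weight: int = 0      # used only by Weighted Load Balance; 0 = never chosen


def installed_routes(candidates):
    """Only the routes with the shortest distance are put into the routing table."""
    best = min(r.distance for r in candidates)
    return [r for r in candidates if r.distance == best]


def ecmp_set(table):
    """Among installed routes the smallest priority value wins; only routes
    sharing that value can balance traffic (ECMP)."""
    best = min(r.priority for r in table)
    return [r for r in table if r.priority == best]


def pick_source_ip_based(routes, src_ip):
    """Source IP based: a hash of the source address selects the link, so one
    host always leaves through the same interface (hash function assumed)."""
    ordered = sorted(routes, key=lambda r: r.device)
    digest = hashlib.sha256(src_ip.encode()).digest()
    return ordered[int.from_bytes(digest[:4], "big") % len(ordered)]


def weighted_distribution(routes, n_flows):
    """Weighted Load Balance as a deterministic weighted round robin (assumed
    algorithm): flows are spread in proportion to the weights, so 50/50 gives
    1:1 and 50/100 gives 1:2. Returns {device: number of flows}."""
    total = sum(r.weight for r in routes)
    if total <= 0:
        raise ValueError("at least one route needs a positive weight")
    current = {r.device: 0 for r in routes}
    counts = Counter()
    for _ in range(n_flows):
        for r in routes:
            current[r.device] += r.weight
        chosen = max(routes, key=lambda r: current[r.device])
        current[chosen.device] -= total
        counts[chosen.device] += 1
    return dict(counts)


def demo():
    """The configuration of this section: two default routes, distance 10, priority 0."""
    wan1 = StaticRoute("wan1", "202.1.1.1", weight=50)
    wan2 = StaticRoute("wan2", "202.1.1.5", weight=50)
    table = ecmp_set(installed_routes([wan1, wan2]))
    return {
        "ecmp_links": [r.device for r in table],
        "weighted_1_1": weighted_distribution(table, 300),
        "same_host_same_link": pick_source_ip_based(table, "192.168.1.50").device
        == pick_source_ip_based(table, "192.168.1.50").device,
    }


if __name__ == "__main__":
    print(demo())
```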
Verification
Check the real-time rates of two interfaces.
Networking Requirements
There is one link from the firewall to the Telecom interface and one to the Unicom interface. The data transmitted to the IP addresses of Telecom will pass through wan1 interface, while the data transmitted to the IP addresses of Unicom will pass through wan2 interface.
Telecom: wan1 interface, IP address 202.1.1.2/30; gateway address 202.1.1.1; NAT address pool: 100.0.0.1-10
Unicom: wan2 interface, IP address 202.1.1.6/30; gateway address 202.1.1.5; NAT address pool: 200.0.0.1-10
Internal interface: internal network
Network Topology
Configuration Tips
1. Configure IP addresses of interfaces.
2. Configure a route.
3. Configure the address pool.
4. Configure the policy.
Current routing table entries: The routing table entries for China Telecom reach more than 1,800, while those for China Netcom are more than 400 and those for China Mobile are around 30.
Because the routing tables of the S3100 and S3600 have a limited capacity (100 entries), the S3100 and S3600 are not applied to the multi-line scenario.
Routing tables of the M5100 and M6600 contain up to 500 entries. When a network involves multiple lines, such as lines of China Telecom and lines of China Netcom, it is recommended to configure a default route for Telecom lines and static routes for Netcom lines.
The X9300 firewalls have sufficient routing table space.
Configuration Steps
1) Configure interface address.
Choose System>Network>Interface. Tick wan1 and click Edit to display the Edit Interface page, as shown in the following figure:
Configure the IP address and subnet mask as 202.1.1.2/30.
Choose System>Network>Interface. Tick wan2 and click Edit to display the Edit Interface page, as shown in the following figure:
The IP address of wan2 interface is 202.1.1.6/30, while the gateway address is 202.1.1.5.
The configuration is as follows:
2) Configure a route.
Route for China Telecom: Configure a default route on wan1 interface.
Route for China Unicom: Refer to the tool (attached) for importing routing tables to configure detailed routes. (Recommended)
You can also configure a default route for China Unicom and detailed routes for China Telecom.
Choose Router>Static>Static Route, and then click Create New, as shown in the following figure:
Create a default route for China Telecom, as shown in the following figure:
Destination IP/Mask: Keep the default value 0.0.0.0/0.0.0.0.
Device: Choose wan1, which is connected by this route. It must be set correctly. Otherwise, the route cannot work.
Gateway: The IP address of the next hop, that is, the IP address of the peer device corresponding to wan1 interface.
Distance: The default value is 10. The route with a shorter distance will be put into the routing table.
Priority: The default value is 0. The route with a smaller priority value is used preferentially.
3) Configure the address pool.
Choose Firewall>Virtual IP>IP Pool, and then click Create New, as shown in the following figure:
Create two address pools, as shown in the following figure:
Name: Enter telecom100.0.0.1-10.
Type: Choose Overload. The IP address is dynamically assigned from the address pool.
External IP Range/Subnet: Enter 100.0.0.1-100.0.0.10.
ARP Reply: Tick this item to enable ARP response, which is equivalent to sending gratuitous ARP packets.
Name: Enter unicom200.0.0.1-10.
Type: Choose Overload. The IP address is dynamically assigned from the address pool.
External IP Range/Subnet: Enter 200.0.0.1-200.0.0.10.
ARP Reply: Tick this item to enable ARP response, which is equivalent to sending gratuitous ARP packets.
4) Configure the policy.
Configure two policies. One is for the route from the internal interface to wan1 interface, and the other is for the route from the internal interface to wan2 interface.
Choose Firewall>Policy>Policy, and then click Create New, as shown in the following figure:
Create a policy for the route from the internal interface to wan1 interface, as shown in the following figure:
Source Interface/Zone: Choose internal.
Source address: Choose lan, which indicates the internal network address.
Destination Interface/Zone: Choose wan1.
Destination address: Choose all, which indicates all the addresses.
Service: Choose any.
Log Allowed Traffic: This item is ticked by default. It is recommended to untick it, because the large volume of data packets generates many logs and recording normal traffic is meaningless.
NAT: Tick Enable NAT. Select Dynamic IP Pool and choose the corresponding address pool telecom100.0.0.1-10.
Create a policy for the route from the internal interface to wan2 interface, as shown in the following figure:
Source Interface/Zone: Choose internal.
Source address: Choose lan, which indicates the internal network address.
Destination Interface/Zone: Choose wan2.
Destination address: Choose all, which indicates all the addresses.
Service: Choose any.
Log Allowed Traffic: This item is ticked by default. It is recommended to untick it.
NAT: Tick Enable NAT. Select Dynamic IP Pool and choose the corresponding address pool unicom200.0.0.1-10.
Verification
Access the Internet for testing. Run the tracert command to check the path.
Networking Requirements
Enable the DHCP server function of the NGFW. The intranet PC can automatically obtain an IP address for Internet access. The intranet segment is 192.168.1.0/24 and the gateway address is 192.168.1.200.
Network Topology
Configuration Tips
1. Basic configuration for Internet access
2. Configure the DHCP server.
Configuration Steps
1. Basic configuration for Internet access
For the detailed configuration process, see section "Configuring Internet Access via a Static Link" under section "Internet Access via a Single Line" in "Configuring Routing Mode".
2. Configure the DHCP service.
a) Enable the DHCP service.
Choose System>DHCP Server>Service, and then click Create New, as shown in the following figure:
Interface Name: Choose the interface that the DHCP server is connected to.
Mode: Choose Server or Relay.
Enable: This item is ticked by default.
Type: Choose Regular or IPsec. If you choose IPsec, the system assigns IP addresses for IPsec users.
IP Range: It indicates the IP address range assigned to users.
Network Mask: It indicates the subnet mask. Set it to 255.255.255.0.
Default Gateway: Generally, it indicates the IP address of the interface that the DHCP server is connected to.
DNS Service: You can choose Specify or Use System DNS Setting.
b) Advanced options. You can set the lease time and excluded range, as shown in the following figure:
Lease Time: It is set to 1 day, which can be adjusted according to the actual situation. If you choose Unlimited, the assigned IP addresses are never released. Therefore, Unlimited is not recommended.
Options: It is used to configure the DHCP server options.
Exclude Ranges: Enter the IP address segment to be reserved, such as 192.168.1.120-192.168.1.130.
Verification
Set the PC to automatically obtain an IP address.
Notes
1. Question: In the DHCP configuration, does the system DNS refer to the DNS settings of the firewall itself?
The DHCP configuration provides three DNS options:
RG-WALL # config system dhcp server
RG-WALL (server) # edit 1
RG-WALL (1) # set auto-configuration enable
RG-WALL (1) # set conflicted-ip-timeout 1800
RG-WALL (1) # set default-gateway 192.168.1.99
RG-WALL (1) # set dns-service default //Default parameter.
default Use system DNS settings. //DNS server configured on the firewall.
local Use this RGT as DNS server. //IP address of the firewall interface.
specify Specify DNS servers. //Specify DNS servers.
2. When you run the set dns-service default command, the PC obtains the DNS server configured on the firewall itself.
Set the DNS server of the firewall itself:
RG-WALL # config system dns //DNS server configured on the firewall.
RG-WALL (dns) # set primary 8.8.8.8
RG-WALL (dns) # end
3. When you run the set dns-service local command, the PC obtains the IP address of the DHCP-enabled interface of the firewall as its DNS server.
Networking Requirements
Enable the DHCP server function of the NGFW. The intranet PC can automatically obtain an IP address for Internet access. The intranet segment is 192.168.1.0/24 and the gateway address is 192.168.1.200. Reserve IP address 192.168.1.100 for the host with MAC address 04:7d:7b:9b:71:ad.
Network Topology
Configuration Tips
1. Basic configuration for Internet access
2. Configure the DHCP server.
Configuration Steps
1) Basic configuration for Internet access
2) Configure the DHCP service.
See section “Configuring the DHCP Server”.
3) Configure the reserved IP address.
Before operation, it is recommended to upgrade the firewall to the latest version.
Way 1 (CLI):
RG-WALL # config system dhcp server
RG-WALL (server) # edit 1 //Basic configuration
RG-WALL (1) # set dns-service default
RG-WALL (1) # set default-gateway 192.168.1.200
RG-WALL (1) # set netmask 255.255.255.0
RG-WALL (1) # set interface internal
RG-WALL (1) # config ip-range
RG-WALL (ip-range) # edit 1
RG-WALL (1) # set start-ip 192.168.1.99
RG-WALL (1) # set end-ip 192.168.1.199
RG-WALL (1) # next
RG-WALL (ip-range) # end //Basic configuration of the IP range.
RG-WALL (1) # config reserved-address //Configure the reserved IP address.
RG-WALL (reserved-address) # edit 1 //Entry 1, 2, or 3, which is used as identification. You can define multiple entries.
RG-WALL (1) # set ip 192.168.1.100 //Assign the IP address to the specified MAC address.
RG-WALL (1) # set mac 04:7d:7b:9b:71:ad //Specify the MAC address.
RG-WALL (1) # next
RG-WALL (reserved-address) # end
RG-WALL (1) # next
RG-WALL (server) # end
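As an added example (not Ruijie's code), this Python model reproduces the allocation rules the DHCP sections above describe for the scope configured in Way 1: the 192.168.1.99-192.168.1.199 range, the exclude range 192.168.1.120-192.168.1.130 from the previous section, and the address reserved for MAC 04:7d:7b:9b:71:ad. Client MAC addresses other than the reserved one are constructed for the demonstration.

```python
"""DHCP scope model: IP range, exclude ranges and MAC reservations.

Added example (not Ruijie's code). Reproduces the allocation rules described
for the RG-WALL DHCP server: a reserved address is always handed to its MAC
and never to anyone else, excluded addresses are skipped, and a client keeps
its lease on renewal."""
import ipaddress


class DhcpScope:
    def __init__(self, start_ip, end_ip, gateway, reserved=None, excluded=None):
        self.start = ipaddress.IPv4Address(start_ip)
        self.end = ipaddress.IPv4Address(end_ip)
        self.gateway = ipaddress.IPv4Address(gateway)
        # reserved-address entries: MAC -> fixed IP (MACs compared case-insensitively)
        self.reserved = {mac.lower(): ipaddress.IPv4Address(ip)
                         for mac, ip in (reserved or {}).items()}
        # exclude ranges: inclusive (first, last) pairs
        self.excluded = [(ipaddress.IPv4Address(a), ipaddress.IPv4Address(b))
                         for a, b in (excluded or [])]
        self.leases = {}  # MAC -> IPv4Address currently leased

    def _assignable(self, ip):
        """True if ip may be given to a client without a reservation."""
        if not self.start <= ip <= self.end or ip == self.gateway:
            return False
        if any(first <= ip <= last for first, last in self.excluded):
            return False
        return ip not in self.reserved.values()

    def pool_size(self):
        """Number of addresses available to clients without a reservation."""
        return sum(1 for n in range(int(self.start), int(self.end) + 1)
                   if self._assignable(ipaddress.IPv4Address(n)))

    def offer(self, mac):
        """Return the address offered to the client with this MAC."""
        mac = mac.lower()
        if mac in self.leases:                 # renewal keeps the same address
            return str(self.leases[mac])
        if mac in self.reserved:               # reserved-address entry wins
            ip = self.reserved[mac]
        else:                                  # lowest free assignable address
            in_use = set(self.leases.values())
            ip = next((ipaddress.IPv4Address(n)
                       for n in range(int(self.start), int(self.end) + 1)
                       if self._assignable(ipaddress.IPv4Address(n))
                       and ipaddress.IPv4Address(n) not in in_use), None)
            if ip is None:
                raise RuntimeError("DHCP pool exhausted")
        self.leases[mac] = ip
        return str(ip)


def build_scope():
    """The scope from Way 1 above plus the exclude range of the previous section."""
    return DhcpScope("192.168.1.99", "192.168.1.199", "192.168.1.200",
                     reserved={"04:7d:7b:9b:71:ad": "192.168.1.100"},
                     excluded=[("192.168.1.120", "192.168.1.130")])


if __name__ == "__main__":
    scope = build_scope()
    # Client MACs below are constructed for the demonstration.
    print(scope.offer("aa:bb:cc:dd:ee:01"), scope.offer("aa:bb:cc:dd:ee:02"))
    print(scope.offer("04:7D:7B:9B:71:AD"), scope.pool_size())
```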
Way 2 (Web UI):
Verification
Set the PC to automatically obtain an IP address. The host with MAC address 04:7d:7b:9b:71:ad will obtain IP address 192.168.1.100.
1. Check the DHCP address pool assignment on the firewall, as shown in the following figure:
I. Networking Requirements
Enable DHCP relay on the RG-WALL 1600 Series Next-Generation Firewall (NGFW) to allow the intranet PC to obtain an address from the DHCP server.
II. Network Topology
III. Configuration Tips
1. Basic configuration for Internet access
2. Enable DHCP relay and enter the address of the DHCP server.
IV. Configuration Steps
1. Basic configuration for Internet access
For the detailed configuration process, see section 1.1.2 "Configuring Internet Access via a Static Link" under section 1.1 "Internet Access via a Single Line" in Chapter 1 "Typical Functions of Routing Mode".
2. Enable DHCP relay and enter the address of the DHCP server.
Choose System > DHCP Server > Service, and then click Create New.
Interface Name: Choose the interface that the DHCP server is connected to.
Mode: Choose Server or Relay.
Type: Choose Regular or IPsec. If you choose IPsec, the system assigns IP addresses for IPsec users.
DHCP Server IP: Enter the IP address of the DHCP server.
V. Verification
Set the PC to automatically obtain an IP address.
Networking Requirements
As shown in the following figure, you have completed the basic configuration of the firewall. Now, you need to map one web server address (IP address: 192.168.1.2) on the intranet to the extranet port address (IP address: 202.1.1.11) so that extranet users can access the web server.
Meanwhile, intranet users can access the web server by using the public network IP address.
Network Topology
Configuration Tips
1. Basic configuration for Internet access
2. Configure the virtual IP address (DNAT).
3. Configure the security policy.
Configuration Steps
1. Basic configuration for Internet access
For the detailed configuration process, see section "Configuring Internet Access via a Static Link" under "Internet Access via a Single Line" in "Configuring Routing Mode".
IP addresses of the interfaces are displayed as shown in the following figure:
The route configuration is as shown in the following figure:
2. Configure the virtual IP address (DNAT).
Choose Firewall>Virtual IP>Virtual IP, and then click Create New, as shown in the following figure:
Configure the virtual IP address. Set the name to webserver. The virtual IP address is used for the destination address translation of wan1 interface.
Values of External IP Address/Range are mapped to the values of Mapped IP Address/Range correspondingly. Enter both the start and end IP addresses of the external IP address range. You just need to enter the start mapped IP address and the system automatically enters the end IP address.
Take the IP address range from 202.1.1.3 to 202.1.1.10 as an example. The start IP address for internal mapping is 192.168.1.2 and the end IP address must be 192.168.1.9 (which is filled in by the system automatically). The IP addresses within the two ranges are mapped correspondingly.
For example, the IP address 202.1.1.3 is mapped to 192.168.1.2, while the IP address 202.1.1.4 is mapped to 192.168.1.3.
3. Configure the security policy.
Choose Firewall>Policy>Policy, and then click Create New, as shown in the following figure:
Source Interface/Zone: Choose wan1. //If intranet users need to access the web server by using the virtual IP address, choose any.
Source address: Choose all.
Destination Interface/Zone: Choose internal.
Destination address: Choose webserver. //It indicates the defined object mapped by the virtual IP address.
Service: Choose HTTP. //The system only allows access via HTTP.
If intranet users need to access the web server by using the virtual IP address, choose one of the following two methods:
1. Set Source Interface/Zone of the original policy to any.
2. Add one internal-to-internal policy with the Source Interface/Zone value of internal.
Source Interface/Zone: Choose internal.
Source address: Choose all.
Destination Interface/Zone: Choose internal.
Destination address: Choose webserver. //It indicates the defined object mapped by the virtual IP address.
Service: Choose HTTP. //The system only allows access via HTTP.
4. Intranet users are allowed to access the VIP public network IP address.
Intranet users are allowed to access the internal web server by using the IP address mapped to the public network. You just need to add one policy that allows intranet users to access the extranet. Add the policy, as shown in the following figure:
Verification
Access http://202.1.1.11 from the extranet. To test whether the mapping is valid, temporarily add the ping service.
Networking Requirements
As shown in the following figure, you have completed the basic configuration of the firewall.
Map port 80 of one intranet web server (IP address: 192.168.1.2) to extranet port 8080 (IP address: 202.1.1.11). (The intranet port differs from the mapped extranet port.)
Map port 25 of one intranet SMTP server (IP address: 192.168.1.3) to extranet port 25 (IP address: 202.1.1.11).
Meaning of this case: Master the processing order of the critical functions of the new NGFW: DNAT > Route > Security Policy > Source NAT.
Network Topology
Configuration Tips
1. Basic configuration for Internet access
2. Configure the virtual IP address (DNAT).
3. Configure the security policy.
Configuration Steps
1. Basic configuration for Internet access
For the detailed configuration process, see section “Configuring Internet Access via a Static Link” under “Internet Access via a Single Line” in “Configuring Routing Mode”.
The IP addresses of the interfaces are displayed as shown in the following figure:
The route configuration is shown in the following figure:
2. Configure the virtual IP address (DNAT).
Choose Firewall>Virtual IP>Virtual IP, and then click Create New to create a new virtual IP address, as shown in the following figure:
Create virtual IP 1. Set Name to webserver:80 to map the HTTP server, as shown in the following figure:
Create virtual IP 2. Set Name to smtpserver:25 to map the SMTP server, as shown in the following figure:
Values of External IP Address/Range are mapped one to one to the values of Mapped IP Address/Range. Enter both the start and end IP addresses of the external IP address range. You only need to enter the start mapped IP address; the system automatically enters the end IP address.
Take the IP address range from 202.1.1.3 to 202.1.1.10 as an example. The start IP address for internal mapping is 192.168.1.2, so the end IP address must be 192.168.1.9 (filled in by the system automatically). The IP addresses within the two ranges are mapped correspondingly.
For example, the IP address 202.1.1.3 is mapped to 192.168.1.2, while the IP address 202.1.1.4 is mapped to 192.168.1.3.
3. Configure the security policy.
Choose Firewall>Policy>Policy, and then click Create New, as shown in the following figure:
On the New Policy page, add one policy as shown in the following figure:
Click Multiple next to Destination Address to choose the two defined virtual IP addresses, as shown in the following figure:
Click Multiple next to Service to add the HTTP and SMTP services, as shown in the following figure:
Source Interface/Zone: Choose wan1. //If intranet users also need to reach the servers through the virtual IP address, choose any.
Source address: Choose all.
Destination Interface/Zone: Choose internal.
Destination address: Choose webserver:80 and smtpserver:25.
Service: Choose HTTP and SMTP.
If intranet users need to reach the servers through the virtual IP address, choose one of the following two methods:
1. Set Source Interface/Zone of the original policy to any.
2. Add one internal-to-internal policy with Source Interface/Zone set to internal:
Source Interface/Zone: Choose internal.
Source address: Choose all.
Destination Interface/Zone: Choose internal.
Destination address: Choose webserver:80 and smtpserver:25.
Service: Choose HTTP and SMTP.
Key note: On the new NGFW, traffic is matched against the DNAT (virtual IP address) first and only then against the firewall policy. In this case, extranet port 8080 of the web server has already been translated to port 80 by the DNAT (virtual IP address) when the policy is evaluated. Therefore, the firewall policy must permit the HTTP service (port 80), not port 8080.
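The one-to-one range mapping explained above and the DNAT > Route > Security Policy order of the key note, as an added Python model (not code from Ruijie or the RG-WALL firmware): the two virtual IPs of this case are applied first, then the route decision, then the policy check, so the policy has to name the service seen after translation (HTTP, port 80) rather than the external port 8080. The service table, the wrong policy and the 192.168.1.0/24 route are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _dotted(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


@dataclass(frozen=True)
class VirtualIP:
    """One entry under Firewall>Virtual IP: an address range or a port mapping."""
    name: str
    ext_start: str
    ext_end: str                      # equal to ext_start for a single address
    mapped_start: str
    ext_port: Optional[int] = None    # None: pure address mapping, ports untouched
    mapped_port: Optional[int] = None

    def mapped_end(self) -> str:
        """The field the device fills in automatically: same span as the external range."""
        return _dotted(_ip(self.mapped_start) + _ip(self.ext_end) - _ip(self.ext_start))

    def translate(self, dst_ip: str, dst_port: Optional[int]):
        """Return the (ip, port) the packet is rewritten to, or None if this VIP does not match."""
        ip = _ip(dst_ip)
        if not _ip(self.ext_start) <= ip <= _ip(self.ext_end):
            return None
        if self.ext_port is not None and dst_port != self.ext_port:
            return None
        new_ip = _dotted(_ip(self.mapped_start) + ip - _ip(self.ext_start))
        return new_ip, (dst_port if self.mapped_port is None else self.mapped_port)


@dataclass(frozen=True)
class Policy:
    src_zone: str              # "any" matches every source interface/zone
    dst_zone: str
    dst_objects: frozenset     # VIP names, or {"all"}
    services: frozenset        # keys of SERVICES


# Service objects (constructed); HTTP and SMTP are the ones this case uses
SERVICES = {"HTTP": ("tcp", 80), "SMTP": ("tcp", 25), "TCP-8080": ("tcp", 8080), "PING": ("icmp", None)}
INTERNAL_NET = ipaddress.IPv4Network("192.168.1.0/24")   # constructed: what the route step resolves to "internal"


def process(src_zone, proto, dst_ip, dst_port, vips, policies):
    """The order the key note describes: DNAT, then route, then security policy."""
    matched_vip = None
    for vip in vips:                                       # 1. DNAT rewrites the destination
        hit = vip.translate(dst_ip, dst_port)
        if hit:
            matched_vip, (dst_ip, dst_port) = vip, hit
            break
    dst_zone = "internal" if ipaddress.IPv4Address(dst_ip) in INTERNAL_NET else "wan1"   # 2. route
    for p in policies:                                     # 3. policy sees the translated packet
        if p.src_zone not in ("any", src_zone) or p.dst_zone != dst_zone:
            continue
        if "all" not in p.dst_objects and (matched_vip is None or matched_vip.name not in p.dst_objects):
            continue
        if not any(SERVICES[s] in ((proto, dst_port), (proto, None)) for s in p.services):
            continue
        return "accept", dst_ip, dst_port
    return "deny", dst_ip, dst_port


# The two virtual IPs of this case
VIPS = [
    VirtualIP("webserver:80", "202.1.1.11", "202.1.1.11", "192.168.1.2", ext_port=8080, mapped_port=80),
    VirtualIP("smtpserver:25", "202.1.1.11", "202.1.1.11", "192.168.1.3", ext_port=25, mapped_port=25),
]
# Correct policy: the services are the ports seen after DNAT
POLICY_OK = Policy("wan1", "internal", frozenset(v.name for v in VIPS), frozenset({"HTTP", "SMTP"}))
# Common mistake (constructed): permitting the external port 8080 instead of HTTP
POLICY_WRONG = Policy("wan1", "internal", frozenset({"webserver:80"}), frozenset({"TCP-8080"}))

if __name__ == "__main__":
    print(process("wan1", "tcp", "202.1.1.11", 8080, VIPS, [POLICY_OK]))     # ('accept', '192.168.1.2', 80)
    print(process("wan1", "tcp", "202.1.1.11", 8080, VIPS, [POLICY_WRONG]))  # ('deny', '192.168.1.2', 80)
```

The same model shows why the intranet-side access needs either Source Interface/Zone set to any or a second internal-to-internal policy: a packet arriving from the internal zone is denied by POLICY_OK, whose source zone is wan1, even though the DNAT itself matches.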
The policy configuration is as follows:
Verification
Access http://202.1.1.11 from the extranet. To test whether the mapping is valid, temporarily add the PING service to the policy.
Perform an email test.
Networking Requirements
Map one intranet web server to the public network IP addresses of both the China Telecom and the China Unicom egress ports for Internet access.
Web server address: 192.168.1.2/24; gateway address: 192.168.1.200
China Telecom egress port address: 202.1.1.2/29; gateway address: 202.1.1.1; public network IP address of the server: 202.1.1.3
China Unicom egress port address: 100.1.1.2/29; gateway address: 100.1.1.1; public network IP address of the server: 100.1.1.3
The PCs in the intranet segment 192.168.1.0/24 need to access the Internet.
Meaning of this case: The new NGFW supports the Source In Source Out function for data traffic. The firewall tracks sessions: traffic that arrives on the Telecom port is returned via the Telecom port preferentially, and traffic that arrives on the Unicom port is returned via the Unicom port preferentially. The precondition is that the routing table of the firewall contains entries that can route the return traffic. Therefore, you only need to configure default routes to the Telecom port and the Unicom port respectively.
Network Topology
Configuration Tips
1. Configure the IP addresses of interfaces.
2. Configure a route.
3. Configure the virtual IP address (DNAT).
4. Configure address resources.
5. Configure the policy.
Configuration Steps
1. Configure interface address.
For the detailed configuration process, see section “Configuring Internet Access via a Static Link” under “Internet Access via a Single Line” in “Configuring Routing Mode”.
The following figure shows the IP addresses of the interfaces:
2. Configure a route.
The firewall tracks sessions: traffic that arrives on the Telecom port is returned via the Telecom port preferentially, and traffic that arrives on the Unicom port is returned via the Unicom port preferentially. The precondition is that the routing table of the firewall contains entries that can route the return traffic. Therefore, you only need to configure default routes to the Telecom port and the Unicom port respectively.
The default route to the Telecom port:
The default route to the Unicom port:
Check the current routes, as shown in the following figure:
3. Configure the virtual IP address.
Set Name to web1, which is used for the IP address mapping of the Telecom interface, as shown in the following figure:
Set Name to web2, which is used for the IP address mapping of the Unicom interface, as shown in the following figure:
Values of External IP Address/Range are mapped one to one to the values of Mapped IP Address/Range. Enter both the start and end IP addresses of the external IP address range. You only need to enter the start mapped IP address; the system automatically enters the end IP address.
Take the IP address range from 202.1.1.3 to 202.1.1.10 as an example. The start IP address for internal mapping is 192.168.1.2, so the end IP address must be 192.168.1.9 (filled in by the system automatically). The IP addresses within the two ranges are mapped correspondingly.
For example, the IP address 202.1.1.3 is mapped to 192.168.1.2, the IP address 202.1.1.4 is mapped to 192.168.1.3, and so on.
4. Configure address resources.
Choose Firewall>Address>Address, and then click Create New, as shown in the following figure:
Set Name to lan. Choose Subnet from Type. Set Subnet/IP Range to 192.168.1.0/24. Click OK. See the following figure:
5. Configure the policy.
You need to configure the following four policies:
a) Configure the virtual IP address policy from the wan1 interface to the internal interface, as shown in the following figure:
b) Configure the virtual IP address policy from the wan2 interface to the internal interface, as shown in the following figure:
c) Configure the policy from the internal interface to the wan1 interface to allow PCs with internal IP addresses to access the Internet through the wan1 interface, as shown in the following figure:
d) Configure the policy from the internal interface to the wan2 interface to allow PCs with internal IP addresses to access the Internet through the wan2 interface, as shown in the following figure:
Verification
Access port 80 at the IP addresses 202.1.1.3 and 100.1.1.3 through the two interfaces respectively.
Static Routing
A static route is a routing entry manually added on the firewall by the system administrator according to the network structure. For the firewall, static routing is the most basic and also the most common route configuration.
Network Topology
The IP address of the wan1 interface of the firewall is 202.1.1.10, while the IP address of the G1/0 interface of the peer ISP router is 202.1.1.9.
Configuration Method
Choose Router>Static>Static Route, and then click Create New, as shown in the following figure:
Destination IP/Mask: Keep the default value 0.0.0.0/0.0.0.0.
Device: Choose wan1, the interface this route is bound to. It must be set correctly; otherwise, the route cannot work.
Gateway: The IP address of the next hop, that is, the IP address of the peer device connected to the wan1 interface.
Distance: The default value is 10. For the same routing entry, the one with the shorter distance is put into the routing table. If the distances are the same, both are put into the routing table.
Priority: The default value is 0. For two routes with the same distance, the firewall prefers the route with the lower priority value.
Configuration Command
1. Configure the default route.
RG-WALL # config router static
RG-WALL (static) # edit 1
RG-WALL (1) # set gateway 202.1.1.9 //This entry does not set dst (the destination network), so the default value 0.0.0.0/0.0.0.0 applies.
RG-WALL (1) # set device wan1
RG-WALL (1) # next
2. Configure the static route.
RG-WALL # config router static
RG-WALL (static) # edit 2
RG-WALL (2) # set dst 1.24.0.0 255.248.0.0
RG-WALL (2) # set gateway 202.1.1.5
RG-WALL (2) # set device wan2
RG-WALL (2) # next
Verification
Check the routing table on the graphical page: choose Router>Monitor>Routing Monitor, or run the get router info routing-table static command, to check whether the route has taken effect.
Run ping 202.1.1.9 to check the link.
Policy-Based Routing
Both static and dynamic routing are destination-based routing, which selects a route according to the destination address.
Policy-based routing selects a route according to the source address, protocol type, flow control label, or destination address.
Policy-based routing has a higher priority than static routing: the policy-based route is applied first.
Application example
Scenario: As described in section “Configuring Internet Access via Dual Lines of Different Carriers” under “Internet Access via Multiple Links” in “Configuring Routing Mode”, force the PCs in 192.168.1.0/29 to access the Internet through the wan2 interface.
Choose Router>Static>Policy Route, and then click Create New, as shown in the following figure:
As defined by this policy-based route, all data packets entering the internal interface with source address 192.168.1.0 255.255.255.248 and destination address 0.0.0.0 0.0.0.0 are forcibly forwarded through the wan2 interface. The gateway address of the next hop is 100.1.1.1.
On the New Routing Policy page, the options are as follows:
Protocol: The protocol type. The value 0 indicates any protocol. You can specify 6 for TCP, 17 for UDP, or 132 for SCTP.
Incoming interface: The interface through which traffic enters.
Source address/mask: The source address of the data packet.
Destination address/mask: The destination address of the data packet.
Destination Ports: By default, all ports, from port 1 to port 65536.
Force traffic to:
Outgoing interface: The interface through which data is forwarded.
Gateway Address: The gateway address of the next hop.
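Route selection as described in this section and the two preceding ones, as an added Python model (not code from Ruijie or the RG-WALL firmware): a policy route is consulted before the routing table; among static routes for the same prefix only the lowest distance is installed and the lowest priority value wins a tie; and, for the Source In Source Out behaviour of the dual-carrier case above, a reply follows the interface its session arrived on, provided the routing table has a route for the return destination at all. The wan3 route, the priority of 5 on the Unicom default route and the session from 203.0.113.9:40000 are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class StaticRoute:
    dst: str                 # Destination IP/Mask in prefix form; "0.0.0.0/0" is the default route
    device: str
    gateway: str
    distance: int = 10       # device default
    priority: int = 0        # device default; lower value preferred at equal distance


@dataclass(frozen=True)
class PolicyRoute:
    incoming: str
    src: str                 # source address/mask
    out_device: str
    gateway: str
    dst: str = "0.0.0.0/0"
    protocol: int = 0        # 0 any, 6 TCP, 17 UDP, 132 SCTP
    ports: Tuple[int, int] = (1, 65535)


def _in(ip: str, prefix: str) -> bool:
    return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(prefix)


def routing_table(routes):
    """Entries the device installs: per prefix, only routes with the lowest distance survive."""
    groups = {}
    for r in routes:
        groups.setdefault(r.dst, []).append(r)
    installed = []
    for group in groups.values():
        best = min(r.distance for r in group)
        installed += [r for r in group if r.distance == best]
    return installed


def static_lookup(dst_ip, routes):
    """Longest prefix match over the installed table; ties resolved by the lowest priority value."""
    cands = [r for r in routing_table(routes) if _in(dst_ip, r.dst)]
    if not cands:
        return None
    longest = max(ipaddress.IPv4Network(r.dst).prefixlen for r in cands)
    return min((r for r in cands if ipaddress.IPv4Network(r.dst).prefixlen == longest),
               key=lambda r: r.priority)


def policy_lookup(in_if, proto, src_ip, dst_ip, dport, policy_routes):
    """First policy route whose incoming interface, protocol, addresses and port range all match."""
    for pr in policy_routes:
        if pr.incoming != in_if or pr.protocol not in (0, proto):
            continue
        if not (_in(src_ip, pr.src) and _in(dst_ip, pr.dst)):
            continue
        if dport is not None and not pr.ports[0] <= dport <= pr.ports[1]:
            continue
        return pr
    return None


def forward(in_if, proto, src_ip, dst_ip, dport, policy_routes, routes):
    """Policy route first (higher priority than the routing table), then the static lookup."""
    pr = policy_lookup(in_if, proto, src_ip, dst_ip, dport, policy_routes)
    if pr:
        return pr.out_device, pr.gateway
    r = static_lookup(dst_ip, routes)
    return (r.device, r.gateway) if r else None


class SessionTable:
    """Source In Source Out: remember the ingress interface and send the reply back through it."""
    def __init__(self):
        self._sessions = {}

    def record(self, in_if, src, sport, dst, dport):
        self._sessions[(src, sport, dst, dport)] = in_if

    def reply_egress(self, src, sport, dst, dport, routes):
        if static_lookup(dst, routes) is None:
            return None            # precondition fails: no route can carry the return traffic
        # the reply carries the addresses swapped relative to the recorded session
        return self._sessions.get((dst, dport, src, sport)) or static_lookup(dst, routes).device


ROUTES = [
    StaticRoute("0.0.0.0/0", "wan1", "202.1.1.1"),                  # default route to the Telecom port
    StaticRoute("0.0.0.0/0", "wan2", "100.1.1.1", priority=5),      # default route to the Unicom port; same distance, also installed
    StaticRoute("0.0.0.0/0", "wan3", "203.0.113.1", distance=20),   # constructed: loses on distance, not installed
    StaticRoute("1.24.0.0/13", "wan2", "202.1.1.5"),                # the static route of step 2 above
    StaticRoute("192.168.1.0/24", "internal", "0.0.0.0"),
]
# The policy route of this section: 192.168.1.0/29 entering on internal is forced out through wan2
POLICY_ROUTES = [PolicyRoute("internal", "192.168.1.0/29", "wan2", "100.1.1.1")]
```

Because the policy route matches destination 0.0.0.0 0.0.0.0, in this model it also diverts traffic from 192.168.1.0/29 towards other local segments out through wan2; narrowing the destination, or placing a more specific policy route for the internal segments ahead of it, avoids that.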
Application Scenario
If there are many routing devices but no more than 16, it is recommended to configure RIP on the NGFW so that the NGFW can dynamically learn routes to other networks and the routes age out and update automatically.
When the number of routing devices exceeds 16, it is recommended to configure OSPF, because OSPF learns and updates routes faster and is more suitable for a network with more than 16 routing devices.
If there are few routing devices, it is recommended to configure static routes, because static routes are easy to maintain and do not impose high requirements on the routers. All routers support static routes; in general, low-end routers do not support RIP.
Networking Requirements
As shown in the figure, the L3 switch in the intranet and the egress NGFW advertise routes to each other through the dynamic routing protocol RIP to enable intranet users to access the Internet.
On the NGFW, manually configure the default route and redistribute it into RIP. The L3 switch and the NGFW learn routes from each other through RIP to enable intranet users to access the Internet.
Network Topology
Configuration Tips
1. Configure interface addresses.
2. Configure the firewall.
3. Configure the router.
Configuration Steps
1. Configure interface addresses.
For the detailed configuration process, see section “Configuring Internet Access via a Static Link” under “Internet Access via a Single Line” in “Configuring Routing Mode”. The configuration is displayed as shown in the following figure:
2. Configure a default route.
For the detailed configuration process, see section “Configuring Internet Access via a Static Link” under “Internet Access via a Single Line” in “Configuring Routing Mode”. The configuration is displayed as shown in the following figure:
3. Configure RIP.
Choose Router > Dynamic > RIP.
a) Configure basic information, as shown in the following figure:
RIP Version: Choose 2.
Enable Default-information-originate: Tick this item to advertise the default route to the neighbor (router).
Redistribute: Determines whether routes from other protocols are redistributed into RIP.
b) Add the RIP network.
Click Create New. Set IP/Netmask to 192.168.1.0/255.255.255.0, and then click Add, as shown in the following figure:
After the network segment is added, the configuration is displayed as shown in the following figure:
4. Configure the router.
interface FastEthernet 0/1
 ip address 192.168.1.111 255.255.255.0
interface FastEthernet 0/2
 ip address 192.168.200.100 255.255.255.0
Configure RIP as follows:
router rip
 version 2
 network 192.168.1.0
 network 192.168.10.0
 no auto-summary
Verification
Check the current routes.
Choose Router>Monitor>Routing Monitor, as shown in the following figure:
Run the following command to display the current routes:
RG-WALL # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default
S*      0.0.0.0/0 [10/0] via 192.168.2.1, wan1, [0/50]
C       192.168.1.0/24 is directly connected, internal
C       192.168.2.0/24 is directly connected, wan1
R       192.168.200.0/24 [120/2] via 192.168.1.99, internal, 00:00:01
Application Scenario
When the number of routing devices exceeds 16, it is recommended to configure OSPF, because OSPF learns and updates routes faster and is more suitable for a network with more than 16 routing devices.
If there are many routing devices but no more than 16, it is recommended to configure RIP on the NGFW so that the NGFW can dynamically learn routes to other networks and the routes age out and update automatically.
If there are few routing devices, it is recommended to configure static routes, because static routes are easy to maintain and do not impose high requirements on the routers. All routers support static routes; in general, low-end routers do not support RIP.
Networking Requirements
As shown in the figure, the L3 switch in the intranet and the egress NGFW advertise routes to each other through the dynamic routing protocol OSPF to enable intranet users to access the Internet.
On the NGFW, manually configure the default route and redistribute it into OSPF. The L3 switch and the NGFW learn routes from each other through OSPF to enable intranet users to access the Internet.
Network Topology
Configuration Tips
1. Configure the IP addresses of interfaces.
2. Configure a default route.
3. Configure OSPF.
- Configure the router ID.
- Distribute the default route.
- Redistribute the default route.
- Create OSPF areas.
- Add the OSPF network.
- Add the interface.
4. Configure the peer router.
Configuration Steps
1. Configure the IP addresses of interfaces.
For the detailed configuration process, see section “Configuring Internet Access via a Static Link” under “Internet Access via a Single Line” in “Configuring Routing Mode”. The configuration is displayed as shown in the following figure:
2. Configure a default route.
For the detailed configuration process, see section “Configuring Internet Access via a Static Link” under “Internet Access via a Single Line” in “Configuring Routing Mode”. The configuration is displayed as shown in the following figure:
3. Configure OSPF.
Choose Router>Dynamic>OSPF, as shown in the following figure:
a) Configure basic information, as shown in the following figure:
Set Router ID to 1.1.1.1.
Default Information: Choose Regular. The three options are described as follows:
None: The default route is not distributed.
Regular: If a default route is configured, the system distributes it; if not, it does not.
Always: The system distributes a default route regardless of whether one is configured.
Ospf_redistribute: Choose Connected Metric, which means the routing information of the directly connected segment 192.168.1.0/24 is sent to the OSPF neighbor.
After the above settings are completed, click Apply to make the configuration take effect.
b) Create OSPF areas.
Click Create New, as shown in the following figure:
Create area 0.0.0.0 (area 0, the backbone area), as shown in the following figure:
The configuration is as follows:
c) Add the OSPF network.
Click Create New, as shown in the following figure:
Add segment 1.1.1.0/24 to OSPF area 0.0.0.0, as shown in the following figure:
d) Add interfaces. (Optional)
Click Create New, as shown in the following figure:
You can edit the OSPF parameters of interfaces from this menu.
Name: Used for identification.
Interface: The interface to be edited.
IP: The IP address of the interface.
Authentication: Determines whether OSPF authentication is performed on the interface. The system supports MD5 (MD5 digest), txt (plain text), and none (no authentication).
MD5 keys: Enter the key ID and the key.
Timers:
Hello Interval: By default, hello packets are sent every 10 seconds; the value can be changed as required. For OSPF neighbors to negotiate, the Hello Interval value must be the same on both sides.
Dead Interval: The default value is 40 seconds; it can be changed as required. For OSPF neighbors to negotiate, the Dead Interval value must be the same on both sides.
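What the MD5 option above buys over txt and none, as an added Python example (not code from Ruijie or the RG-WALL firmware): the cryptographic authentication of RFC 2328 Appendix D, where the sender appends MD5(packet || key) to the packet and the receiver, holding the same key under the same key ID, recomputes the digest and also rejects packets whose cryptographic sequence number went backwards. The Hello body, router IDs, key and key ID are constructed; the example assumes keys shorter than 16 bytes are zero-padded, which is how the RFC's 16-byte key is commonly filled.

```python
import hashlib
import hmac
import struct

AU_TYPE_CRYPTO = 2      # AuType for cryptographic authentication (RFC 2328, Appendix D)
DIGEST_LEN = 16         # MD5 digest length, carried in the "Auth Data Len" octet


def _ip4(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def ospf_hello(router_id: str, area_id: str, key_id: int, seq: int, body: bytes) -> bytes:
    """Build an OSPFv2 Hello (type 1) prepared for MD5 authentication: checksum 0 and the
    64-bit authentication field set to [0, key id, digest length, cryptographic sequence]."""
    length = 24 + len(body)                       # the OSPF length excludes the trailing digest
    header = struct.pack("!BBH4s4sHH", 2, 1, length, _ip4(router_id), _ip4(area_id), 0, AU_TYPE_CRYPTO)
    auth_field = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    return header + auth_field + body


def sign(packet: bytes, key: bytes) -> bytes:
    """Append MD5(packet || key), the key zero-padded to 16 bytes (RFC 2328, D.4.3).
    The key itself never goes on the wire, unlike plain-text (txt) authentication."""
    if len(key) > DIGEST_LEN:
        raise ValueError("OSPF MD5 key is at most 16 bytes")
    return packet + hashlib.md5(packet + key.ljust(DIGEST_LEN, b"\x00")).digest()


class OspfMd5Verifier:
    """Receiver side: look up the key by key ID, recompute the digest and reject replays."""
    def __init__(self, keys):
        self.keys = dict(keys)          # key id -> secret
        self.last_seq = {}              # neighbor -> highest accepted sequence number

    def verify(self, wire: bytes, neighbor: str) -> bool:
        if len(wire) < 24 + DIGEST_LEN:
            return False
        length = struct.unpack("!H", wire[2:4])[0]
        au_type = struct.unpack("!H", wire[14:16])[0]
        if au_type != AU_TYPE_CRYPTO or len(wire) != length + DIGEST_LEN:
            return False
        _, key_id, digest_len, seq = struct.unpack("!HBBI", wire[16:24])
        key = self.keys.get(key_id)
        if key is None or digest_len != DIGEST_LEN:
            return False
        packet, digest = wire[:length], wire[length:]
        expected = hashlib.md5(packet + key.ljust(DIGEST_LEN, b"\x00")).digest()
        if not hmac.compare_digest(expected, digest):
            return False
        if seq < self.last_seq.get(neighbor, 0):    # older sequence number: a replayed packet
            return False
        self.last_seq[neighbor] = seq
        return True


# Constructed Hello body: mask 255.255.255.0, hello 10 s, options, priority 1, dead 40 s, no DR/BDR
HELLO_BODY = struct.pack("!4sHBBI4s4s", _ip4("255.255.255.0"), 10, 0x02, 1, 40, b"\x00" * 4, b"\x00" * 4)


def demo():
    key = b"s3cret-ospf"                                     # constructed key, at most 16 bytes
    wire = sign(ospf_hello("1.1.1.1", "0.0.0.0", 1, 100, HELLO_BODY), key)
    good = OspfMd5Verifier({1: key})
    tampered = wire[:30] + bytes([wire[30] ^ 0x01]) + wire[31:]   # flip one bit inside the body
    return {
        "valid": good.verify(wire, "1.1.1.2"),
        "wrong_key": OspfMd5Verifier({1: b"other"}).verify(wire, "1.1.1.2"),
        "tampered": good.verify(tampered, "1.1.1.2"),
        "replayed_older": good.verify(sign(ospf_hello("1.1.1.1", "0.0.0.0", 1, 99, HELLO_BODY), key), "1.1.1.2"),
    }
```

The key ID is what lets both sides roll keys: the NGFW and the switch can hold the old and the new key under two IDs while the change is made, which is why the interface form asks for a key ID and a key rather than a single password.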
4. Configure the switch.
Configure the interface addresses:
interface FastEthernet 0/0
 ip address 1.1.1.2 255.255.255.0
interface FastEthernet 0/1
 ip address 192.168.2.1 255.255.255.0
Configure OSPF as follows:
router ospf 10
 network 1.1.1.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 0 //This segment can also be advertised by redistributing connected routes.
Verification
RG-WALL # get router info routing-table all
path=router, objname=info, tablename=(null), size=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default
S*      0.0.0.0/0 [10/0] via 192.168.118.1, wan1, [0/50]
C       1.1.1.0/24 is directly connected, wan2
C       192.168.1.0/24 is directly connected, internal
O       192.168.2.0/24 [110/11] via 1.1.1.2, wan2, 00:01:49
C       192.168.118.0/24 is directly connected, wan1
Check the routes of the router:
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default
O*E2    0.0.0.0/0 [110/10] via 1.1.1.1, wan1, 00:09:34
C       1.1.1.0/24 is directly connected, wan1
O E2    192.168.1.0/24 [110/10] via 1.1.1.1, wan1, 00:09:34
C       192.168.2.0/24 is directly connected, internal
O E2    192.168.118.0/24 [110/10] via 1.1.1.1, wan1, 00:09:34
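A parser for the get router info routing-table all output used for verification here and in the RIP case above, as an added Python example (not code from Ruijie or the RG-WALL firmware). The two sample outputs are the ones quoted in these sections, with the extraction spacing cleaned up. Besides confirming that an expected route was learned with the expected protocol and metric, it lists dynamically learned prefixes that are not in an expected set, which is the check an operator wants when a RIP or OSPF neighbor starts advertising routes it should not.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One route line: code, prefix, then either "[ad/metric] via gw, iface" or "is directly connected, iface".
# The code may be "S*", "R", "O*E2" or "O E2" (OSPF subtype separated by a space).
ROUTE_RE = re.compile(
    r"^(?P<code>\S+(?: [A-Z]\d)?)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<via>\S+),\s+(?P<iface>\w+)"
    r"|is directly connected,\s+(?P<ciface>\w+))"
)


@dataclass
class RouteEntry:
    proto: str                  # S, C, R, O, B, K, i
    subtype: str                # e.g. "E2", "IA", or "" when none
    candidate_default: bool     # the "*" marker
    prefix: str
    ad: Optional[int]           # administrative distance, None for connected routes
    metric: Optional[int]
    via: Optional[str]
    iface: str


def parse_routing_table(text: str) -> List[RouteEntry]:
    """Keep only route lines; the prompt, the 'Codes:' legend and debug lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        code = m.group("code")
        entries.append(RouteEntry(
            proto=code[0],
            subtype=code.replace("*", "")[1:].strip(),
            candidate_default="*" in code,
            prefix=m.group("prefix"),
            ad=int(m.group("ad")) if m.group("ad") else None,
            metric=int(m.group("metric")) if m.group("metric") else None,
            via=m.group("via"),
            iface=m.group("iface") or m.group("ciface"),
        ))
    return entries


def find(entries: List[RouteEntry], prefix: str) -> Optional[RouteEntry]:
    return next((e for e in entries if e.prefix == prefix), None)


def unexpected_dynamic(entries: List[RouteEntry], expected_prefixes) -> List[str]:
    """Prefixes learned by RIP, OSPF or BGP that nobody planned for: a rogue or misconfigured
    neighbor shows up here first, so this list is worth alerting on."""
    return sorted(e.prefix for e in entries if e.proto in ("R", "O", "B") and e.prefix not in expected_prefixes)


# Device output quoted in the RIP verification above
RIP_OUTPUT = """\
RG-WALL # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       * - candidate default
S*      0.0.0.0/0 [10/0] via 192.168.2.1, wan1, [0/50]
C       192.168.1.0/24 is directly connected, internal
C       192.168.2.0/24 is directly connected, wan1
R       192.168.200.0/24 [120/2] via 192.168.1.99, internal, 00:00:01
"""

# Routes of the peer router quoted in the OSPF verification above
OSPF_ROUTER_OUTPUT = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       * - candidate default
O*E2    0.0.0.0/0 [110/10] via 1.1.1.1, wan1, 00:09:34
C       1.1.1.0/24 is directly connected, wan1
O E2    192.168.1.0/24 [110/10] via 1.1.1.1, wan1, 00:09:34
C       192.168.2.0/24 is directly connected, internal
O E2    192.168.118.0/24 [110/10] via 1.1.1.1, wan1, 00:09:34
"""

if __name__ == "__main__":
    for e in parse_routing_table(RIP_OUTPUT):
        print(e)
    print(unexpected_dynamic(parse_routing_table(OSPF_ROUTER_OUTPUT), {"0.0.0.0/0", "192.168.1.0/24"}))
```

In the OSPF output, the NGFW's wan1 segment 192.168.118.0/24 reaches the switch as an external (E2) route because the NGFW redistributes connected routes; if that segment is not meant to be reachable from the LAN, the expected set is where to catch it.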
I. Networking Requirements
A company uses a voice system based on the Session Initiation Protocol (SIP). The employees use SIP phones in the company. The SIP server is connected to a node outside the firewall.
Because of the particularities of SIP, the firewall should enable SIP ALG to prevent call failures, unidirectional traffic, or other problems caused by the firewall policy.
II. Network Topology
III. Configuration Tips
1. Basic configuration for Internet access
2. Configure a VoIP policy.
3. Move policies. (Optional)
4. Configure SIP ports. (Optional)
IV. Configuration Steps
1. Basic configuration for Internet access
See section 1.1 "Internet Access via a Single Line" in Chapter 1 "Typical Functions of Routing Mode".
2. Configure a VoIP policy.
1) Define the address object.
Choose Firewall > Address > Address.
2) Define a VoIP policy.
Choose Firewall > Policy > Policy.
Enable the UTM function, tick Enable VoIP, and choose default.
3. Move policies. (Optional)
Move the policies to the appropriate positions to ensure that they are executed.
4. Configure SIP ports. (Optional)
In most SIP deployments, TCP or UDP port 5060 is used for SIP sessions and port 5061 is used for SIP over SSL sessions. If the SIP network uses other ports for SIP sessions, run the following commands so that SIP ALG intercepts those TCP, UDP, or SSL ports instead. For example, to use TCP port 5064, UDP port 5065, and SSL port 5066:
RG-WALL # config system settings
RG-WALL (settings) # set sip-tcp-port 5064
RG-WALL (settings) # set sip-udp-port 5065
RG-WALL (settings) # set sip-ssl-port 5066
RG-WALL (settings) # end
SIP ALG can also be set to intercept SIP sessions on two different TCP ports and two different UDP ports. For example, if ports 5060 and 5064 receive SIP TCP traffic and ports 5061 and 5065 receive SIP UDP traffic, run the following commands so that all these ports receive SIP traffic:
RG-WALL # config system settings
RG-WALL (settings) # set sip-tcp-port 5060 5064
RG-WALL (settings) # set sip-udp-port 5061 5065
RG-WALL (settings) # end
V. Verification
Use a SIP phone for testing.
VI. Notes
Q: Why enable the VoIP UTM function?
A: The session helper of the system supports some VoIP ALG functions, but they are basic and apply only to simple scenarios. As VoIP scenarios have become more complex, VoIP profiles are used instead.
The VoIP ALG feature is found under the UTM function, which provides a fully developed ALG and security protection for VoIP.
I. Networking Requirements
A company uses a SIP-based voice system. The employees use SIP phones in the company. The SIP server 100.1.1.2 is connected to a node in the firewall's server area. The SIP server needs to be mapped to the intranet address 192.168.1.2.
Because of the particularities of SIP, the firewall should enable SIP ALG to prevent call failures, unidirectional traffic, or other problems caused by the firewall policy.
II. Network Topology
III. Configuration Tips
1. Basic configuration for Internet access
2. Configure a VoIP policy.
3. Move policies. (Optional)
4. Configure SIP ports. (Optional)
IV. Configuration Steps
1. Basic configuration for Internet access
See section 1.1 "Internet Access via a Single Line" in Chapter 1 "Typical Functions of Routing Mode".
2. Configure a VoIP policy.
1) Define a virtual IP address.
Choose Firewall > Virtual IP > Virtual IP.
2) Define a VoIP policy.
Choose Firewall > Policy > Policy.
Enable the UTM function, tick Enable VoIP, and choose default.
3) Configure SIP ports. (Optional)
In most SIP deployments, TCP or UDP port 5060 is used for SIP sessions and port 5061 is used for SIP over SSL sessions. If the SIP network uses other ports for SIP sessions, run the following commands so that SIP ALG intercepts those TCP, UDP, or SSL ports instead. For example, to use TCP port 5064, UDP port 5065, and SSL port 5066:
RG-WALL # config system settings
RG-WALL (settings) # set sip-tcp-port 5064
RG-WALL (settings) # set sip-udp-port 5065
RG-WALL (settings) # set sip-ssl-port 5066
RG-WALL (settings) # end
SIP ALG can also be set to intercept SIP sessions on two different TCP ports and two different UDP ports. For example, if ports 5060 and 5064 receive SIP TCP traffic and ports 5061 and 5065 receive SIP UDP traffic, run the following commands so that all these ports receive SIP traffic:
RG-WALL # config system settings
RG-WALL (settings) # set sip-tcp-port 5060 5064
RG-WALL (settings) # set sip-udp-port 5061 5065
RG-WALL (settings) # end
V. Verification
Use a SIP phone for testing.
Networking Requirements
As shown in the figure, two LANs are connected via VPN so that the two network segments (192.168.0.0/24 and 192.168.1.0/24) can communicate with each other.
Network Topology
Configuration Tips
1. Configure NGFW1
1. Perform basic configurations of Internet access
2. Configure IKE Phase 1
3. Configure IKE Phase 2
4. Configure the routes
5. Configure the policies
2. Configure NGFW2
1. Perform basic configurations of Internet access
2. Configure IKE Phase 1
3. Configure IKE Phase 2
4. Configure the routes
5. Configure the policies
To delete Phase 1 and Phase 2 of an IPsec VPN, you need to delete the route or firewall security policy that references them first.
Configuration Steps
1. Configure NGFW1
1. Perform basic configurations of Internet access
For details about the configuration procedure, refer to the section “Configuring Routing Mode” > “Configuring Internet Access via a Single Line” > “Configuring Internet Access via a Static Link”.
2. Configure IKE Phase 1
Choose the VPN > IPsec > Auto Key (IKE) menu, and click Create Phase 1.
Configure the related parameters of Phase 1, as shown below.
Name: Set it to VPN. In interface mode, it is used as the name of the VPN interface.
Remote Gateway: Set it to Static IP Address.
IP Address: The IP address of the extranet interface of the peer firewall, 200.1.1.2.
Local Interface: The interface via which the firewall builds the VPN connection with the peer device. It is usually an extranet interface.
Authentication Method: Set it to Pre-shared Key.
Pre-shared Key: It must be the same at both ends.
Enable IPsec Interface Mode: Ticked.
Other parameters keep their default values. For details about the parameters, refer to section “Parameters of Phase 1”.
3. Configure IKE Phase 2
Choose the VPN > IPsec > Auto Key (IKE) menu, and click Create Phase 2.
Configure the basic parameters of Phase 2.
Name: The name of Phase 2; here it is set to vpn2.
Phase 1: The Phase 1 associated with this Phase 2; here it is set to vpn1.
Click Advanced to open the advanced parameter options.
Tick Autokey Keep Alive, and keep the other parameters at their default values.
4. Configure the VPN route.
Choose the Router > Static > Static Route menu, and click Create New.
Add the VPN static route to the network segment protected by the peer as follows:
Destination IP/Mask: The subnet protected by the peer firewall; here it is set to 192.168.1.0.
Device: The interface generated by the VPN; here it is set to vpn1.
5. Configure the policies
Choose the Firewall > Policy > Policy menu, and click Create New.
Create the two policies shown below. Through these policies, the system controls access between the two subnets and applies NAT and UTM protection.
Policy 1: Allow the local 192.168.0.0 network segment to access the peer 192.168.1.0 network segment.
Policy 2: Allow the peer 192.168.1.0 network segment to access the local 192.168.0.0 network segment.
2. Configure NGFW2
1. Perform basic configurations of Internet access
For details about the configuration procedure, refer to the section “Configuring Routing Mode” > “Configuring Internet Access via a Single Line” > “Configuring Internet Access via a Static Link”.
2. Configure IKE Phase 1
Choose the VPN > IPsec > Auto Key (IKE) menu, and click Create Phase 1.
Configure the related parameters of Phase 1.
Name: Set it to VPN. In interface mode, it is used as the name of the VPN interface.
Remote Gateway: Set it to Static IP Address.
IP Address: The IP address of the extranet interface of the peer firewall, 100.1.1.2.
Local Interface: The interface via which the firewall builds the VPN connection with the peer device; here it is set to wan1.
Authentication Method: Set it to Pre-shared Key.
Pre-shared Key: It must be the same at both ends.
Enable IPsec Interface Mode: Ticked.
Other parameters keep their default values. For details about the parameters, refer to section “Parameters of Phase 1”.
3. Configure IKE Phase 2
Choose the VPN > IPsec > Auto Key (IKE) menu, and click Create Phase 2.
Configure the basic parameters of Phase 2.
Name: The name of Phase 2; here it is set to vpn2.
Phase 1: The Phase 1 associated with this Phase 2; here it is set to vpn.
Click Advanced to open the advanced parameter options.
Tick Autokey Keep Alive, and keep the other parameters at their default values.
4.