| Model Function | S3100 | S3600 | M5100 | M6600 | X9300 |
|---|---|---|---|---|---|
| Reset Button | Y | Y | N | N | N |
| Console Port | N | N | Y | Y | Y |
| Bypass Port | N | N | N | N | N |
| MGMT Port (RJ45) | N | N | Y | Y | Y |
| Hard Disk | N | Y | Y | N | Y |
| Redundant Power Supplies | N | N | FRPS-100 | FRPS-100 | Y |
Q: How to log in to the firewall using the default IP address?
A: The firewall can be managed through the HTTPS web interface (192.168.1.200/24). With the default settings, the following ports can be used for management:
· RG-WALL1600-X9300 : MGMT1
· RG-WALL1600-X8500 : MGMT1
· RG-WALL1600-X6600 : MGMT1
· RG-WALL1600-M5100 : MGMT
· RG-WALL1600-S3600 : internal (1-14)
· RG-WALL1600-S3100 : internal (1-7)
Step 1: Set a static IP address on your PC in the same subnet as the firewall (e.g. 192.168.1.1/24).
Step 2: Connect your PC to the firewall's MGMT or internal port.
Step 3: Open https://192.168.1.200 in your browser and enter the default username and password (admin/firewall).
Q: How to recover the device's password without losing the running configuration?
A:
Step 1: Note the software serial number printed on the side or back plane of the device.
Step 2: Within 15 s after the device is powered off and restarted, log in to the firewall via the console cable with the username admin and the password shown in the capture above (RGFWXXXXXXXXXXXX).
Step 3: Change the admin password in the CLI:
· RG-WALL # config system admin
· RG-WALL (admin) # edit admin
· RG-WALL (admin) # set password pass123455@!@#
· RG-WALL (admin) # end
Temporary License
The NGFW 1600 Firewall provides a one-month temporary license for each firewall device, once. Below are the procedures to activate a temporary license.
· Collect the device's software registration number and send the temporary-license claim by mail.
· Once we approve your request, the signature database will be renewed as soon as the Internet is reachable.
Official License
· Collect the related information according to the samples in the following table and mail it to rgngfw3@ruijie.com.cn

| | Software SN (16 digits) | Model | Authorization Code (12 digits) | Project Name | Customer Name |
|---|---|---|---|---|---|
| Sample | DB99KKK124667235 | Sample* | Sample* | Sample | Sample* |

· Ensure that the firewall is connected to the Internet and configured with a correct DNS address.
Troubleshooting
· Ensure that the destination ports of the signature database servers listed below are permitted (the source port is random by default).
Anti-Virus, IPS: UDP 9443, TCP 8890/443
Web Filter, Spam: UDP 53, 8888, 8889
· If the VDOM feature is enabled, ensure that the "management-vdom" can access the Internet for signature database updates.
· Collect the following diagnostic information for the Ruijie Support Team:
RG-WALL # printcliovrd enabl4e    (restart the CLI session after this command)
RG-WALL # execute ping google.com
RG-WALL # diagnose debug enable
RG-WALL # diagnose debug application update -1
RG-WALL # exec update-now
In the NGFW firewall, DHCP options must be set in hex. The IP address has to be converted to a hex number, and a leading zero at the front of the hex string must not be dropped.
e.g. 1.1.1.1 -> '01010101'; '1010101' cannot be entered.
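As an added illustration (not part of the original page), the helper below encodes IPv4 addresses into the zero-padded hex form the DHCP option field expects and rejects a value whose leading zero was dropped. Concatenating several addresses into one option value follows the standard DHCP address-list encoding and is an assumption about the firewall's field, not something the page states.

```python
import ipaddress


def ip_to_dhcp_hex(ip: str) -> str:
    """Encode one dotted-quad IPv4 address as 8 hex characters.
    Each octet is zero-padded to two digits, so 1.1.1.1 -> '01010101'
    rather than the invalid '1010101'."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on bad input
    return "".join(f"{octet:02x}" for octet in addr.packed)


def ips_to_dhcp_hex(ips) -> str:
    """Concatenate several addresses into one option value.
    Assumption: address-list options use the standard DHCP layout of
    4 raw bytes per address, back to back."""
    return "".join(ip_to_dhcp_hex(ip) for ip in ips)


def dhcp_hex_to_ips(hexstr: str) -> list:
    """Decode an option value back to addresses, rejecting strings whose
    length is not a multiple of 8 (the symptom of a dropped leading zero)."""
    if len(hexstr) % 8 != 0:
        raise ValueError(
            f"option value has {len(hexstr)} hex digits, not a multiple of 8: "
            "a leading zero was probably dropped")
    return [str(ipaddress.IPv4Address(bytes.fromhex(hexstr[i:i + 8])))
            for i in range(0, len(hexstr), 8)]


if __name__ == "__main__":
    print(ip_to_dhcp_hex("1.1.1.1"))                  # 01010101
    print(ips_to_dhcp_hex(["1.1.1.1", "10.0.0.1"]))   # 010101010a000001
    print(dhcp_hex_to_ips("010101010a000001"))
```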
The Ruijie NGFW Firewall does not have an official IPsec/SSL VPN client for Windows or mobile phones. Users can use the built-in IPsec client on Apple devices and PPTP or L2TP VPN on Windows and Android platforms.
Q: How to set a keepalive page for authenticated users?
A: Because the authentication function has no logout page, users cannot log out of the account when they want to. Instead, a keepalive page can be configured to hold the authenticated session.
· RG-WALL # config user setting
· RG-WALL # set auto-keepalive enable
Q: How to block online proxies on the firewall?
A:
Step 1: Select the "flow based" web filter and block the Proxy Avoidance category under the Ruijie categories.
Step 2: Enable scanning of encrypted connections.
Step 3: Apply the web filter and SSL/SSH inspection to the policy.
After that, all HTTPS websites will be presented with the firewall's certificate.
Q: The web filter feature cannot be used and the firewall reports that the Ruijie Guard server failed to respond.
A: This problem is related to the signature license and to the Internet connection between the firewall and the Ruijie Guard cloud server.
Troubleshooting
1. Verify the firewall's signature license status: if the web filter signature has expired, the Ruijie Guard service will not be available. For details about license activation, refer to the License Activation chapter.
2. Ensure that the destination port for web filter updates is not blocked by the ISP or an uplink device, or change the port used for server communication with the following setting:
RG-WALL # printcliovrd enabl4e    (restart the CLI session after this command)
RG-WALL # config system Ruijieguard
RG-WALL (Ruijieguard) # set port {53 | 8888}
    53      Port 53 for server communication.
    8888    Port 8888 for server communication (default setting).
3. If the steps above do not solve the problem, collect the following debug information for Ruijie Support:
RG-WALL # printcliovrd enabl4e    (restart the CLI session after this command)
RG-WALL # diagnose debug enable
RG-WALL # diagnose debug rating
Q: Some viruses are not detected even though the anti-virus feature is enabled.
A: All Ruijie NGFW firewall units have the normal antivirus signature database, but some models have additional databases you can select. Which one you choose depends on your network and security needs.

| Database | Description |
|---|---|
| Normal | Includes viruses currently spreading, as determined by the Ruijie Guard Global Security Research Team. These viruses are the greatest threat. The Normal database is the default selection and is available on every NGFW unit. |
| Extended | Includes the normal database plus recent viruses that are no longer active. These viruses may have been spreading within the last year but have since nearly or completely disappeared. |
| Extreme | Includes the extended database plus a large collection of 'zoo' viruses. These viruses have not spread in a long time and are largely dormant today. Some zoo viruses may rely on operating systems and hardware that are no longer widely used. |

config antivirus setting
set default-db [normal|extended|extreme]
end
Q: NGFW UTM features stop working when memory usage reaches 80%.
A: Conserve mode is activated when the remaining free memory is nearly exhausted (memory usage up to 80%). While conserve mode is active, the UTM does not accept new sessions and bypasses all sessions by default.
Conserve Mode Setting:
config system global
set av-failopen {idledrop | off | one-shot | pass}
end
– idledrop – Drop idle connections.
– off – Off.
– one-shot – Try to create a new session.
– pass – Bypass new sessions (default).
Q: The IPsec VPN tunnel cannot be brought up.
A:
· Ensure that the pre-shared keys match exactly.
· Ensure that both ends use the same Phase 1 (P1) and Phase 2 (P2) proposal settings.
· Ensure that you have allowed inbound and outbound traffic for all necessary network services, especially if services such as DNS or DHCP are having problems.
· Check that a static route has been configured properly to allow routing of VPN traffic.
· Ensure that your unit is in NAT/Route mode rather than Transparent mode.
· Check your NAT settings: enable NAT traversal in the Phase 1 configuration while disabling NAT in the security policy. You might need to pin the PAT/NAT session table, or use some kind of NAT-T keepalive, to avoid the expiration of your PAT/NAT translation.
· Ensure that both ends of the VPN tunnel are using Main mode, unless multiple dial-up tunnels are being used.
· If you have multiple dial-up IPsec VPNs, ensure that the Peer ID is configured properly and that clients have specified the correct Local ID.
· If you are using Perfect Forward Secrecy (PFS), ensure that it is used on both peers. You can use the diagnose vpn tunnel list command to troubleshoot this.
· Ensure that the Quick Mode selectors are correctly configured. If part of the setup currently uses firewall addresses or address groups, try changing it to either specify the IP addresses or use an expanded address range.
· If XAUTH is enabled, ensure that the settings are the same for both ends, and that the firewall unit is set to Enable as Server.
· Check the IPsec VPN Maximum Transmission Unit (MTU) size. With a 1500-byte MTU, the overhead of the ESP header, the additional IP header, etc. pushes packets over the limit. You can use the diagnose vpn tunnel list command to troubleshoot this.
· If your unit is behind a NAT device, such as a router, configure port forwarding for UDP ports 500 and 4500.
· Remove any Phase 1 or Phase 2 configurations that are not in use. If a duplicate instance of the VPN tunnel appears on the IPsec Monitor, reboot your unit to try to clear the entry.
If you are still unable to bring up the VPN tunnel, run the following diagnostic commands in the CLI and send the output to Ruijie Support.
Troubleshooting
RG-WALL # diagnose debug enable
RG-WALL # diagnose debug application ike -1
The following steps can be used to understand why a PPTP/L2TP VPN user is experiencing disconnections from the NGFW firewall, and to enable the appropriate debug depending on the type of PPTP/L2TP VPN user. Collect the information below and send it to Ruijie Support.
1. A PPTP/L2TP VPN user connects to the NGFW firewall with local authentication:
RG-WALL # diag deb enable
RG-WALL # diag deb reset
RG-WALL # diag deb console timestamp en
RG-WALL # diag deb app ppp -1
2. If the PPTP VPN user authenticates with LDAP, also enable the following debug:
diag test auth ldap <LDAP server name in GUI> <username to test> <user password>
e.g. diag test auth ldap LDAP_Server user password
3. If the PPTP VPN user authenticates with RADIUS, also collect the following debug:
diag test authserver radius <server_name> <chap | pap | mschap | mschap2> <username> <password>
4. Collect a sniffer trace on the port of the PPTP/L2TP connection:
diag sniffer packet <port of pptp/l2tp connection> '<local_ip_addr of pc>' 6
When the CPU or memory is running at high utilization, take the actions below and collect the necessary information for Ruijie Support.
CPU:
1. Check whether abnormal data, such as a virus, is being dropped while passing through:
diagnose sniffer packet any none 4 100
2. Check the top 5 processes:
diagnose sys top 5 99    (press Q to quit)
Memory:
1. Check the top 5 processes:
diagnose sys top 5 99    (press Q to quit)
2. Check the cache if the logging function is enabled:
diagnose hardware sysinfo memory
'Debug Flow' is usually used to debug the behaviour of traffic in an NGFW device and to check how the traffic is flowing. Proper filtering narrows the output down to only the desired traffic and thus eases the debugging process.
Troubleshooting
RG-WALL # diagnose debug disable
RG-WALL # diagnose debug flow trace stop
RG-WALL # diagnose debug flow filter clear
RG-WALL # diagnose debug reset
RG-WALL # diagnose debug flow filter addr x.x.x.x
RG-WALL # diagnose debug flow show console enable
RG-WALL # diagnose debug flow show function-name enable
RG-WALL # diagnose debug console timestamp enable
RG-WALL # diagnose debug flow trace start 999
RG-WALL # diagnose debug enable
Common Problems:
msg="iprope_in_check() check failed, drop"    ---- policy mismatch
msg="Denied by forward policy check"    ---- policy deny
msg="reverse path check fail, drop"    ---- RPF check failed
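As an added example (not from the page or the vendor), the parser below picks the three drop messages listed above out of saved debug-flow output and ties each one to the packet that triggered it. The key=value line layout and the sample lines are constructed assumptions; only the three msg strings come from the page.

```python
import re

# The three drop messages from the FAQ, mapped to the cause it gives.
DROP_REASONS = {
    "iprope_in_check() check failed, drop": "policy mismatch",
    "Denied by forward policy check": "policy deny",
    "reverse path check fail, drop": "RPF check failed",
}

# Assumed layout: space-separated key=value fields, msg quoted in double quotes.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
PKT_RE = re.compile(r"proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)")


def parse_flow_line(line: str) -> dict:
    """Split one debug-flow line into its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def drop_reason(msg: str):
    """Return the FAQ's cause for a known drop message, else None."""
    for prefix, reason in DROP_REASONS.items():
        if msg.startswith(prefix):
            return reason
    return None


def summarize_drops(lines) -> dict:
    """Correlate, per trace_id, the packet header seen first with the drop
    reason seen later: {trace_id: {"flow": "src:port->dst:port/proto", "reason": ...}}."""
    flows, drops = {}, {}
    for line in lines:
        rec = parse_flow_line(line)
        tid, msg = rec.get("trace_id"), rec.get("msg", "")
        if tid is None:
            continue
        m = PKT_RE.search(msg)
        if m:                      # "received a packet(...)" line opens a trace
            proto, src, sport, dst, dport = m.groups()
            flows[tid] = f"{src}:{sport}->{dst}:{dport}/{proto}"
        reason = drop_reason(msg)
        if reason and tid not in drops:
            drops[tid] = {"flow": flows.get(tid), "reason": reason}
    return drops


# Constructed sample output (not a real capture); filter addr was 10.1.1.2.
SAMPLE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 10.1.1.2:51234->93.184.216.34:443) from internal."
id=20085 trace_id=1 func=fw_forward_handler line=727 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=2 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=17, 10.1.1.2:5353->10.1.1.255:5353) from wan1."
id=20085 trace_id=2 func=ip_route_input_slow line=1591 msg="reverse path check fail, drop"
id=20085 trace_id=3 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 10.1.1.2:40000->10.2.2.2:22) from internal."
id=20085 trace_id=3 func=iprope_in_check line=400 msg="iprope_in_check() check failed, drop"
id=20085 trace_id=4 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 10.1.1.2:1->8.8.8.8:2048) from internal."
id=20085 trace_id=4 func=fw_forward_handler line=749 msg="Allowed by Policy-1: SNAT"
""".splitlines()

if __name__ == "__main__":
    for tid, info in summarize_drops(SAMPLE).items():
        print(f"trace {tid}: {info['flow']} -> {info['reason']}")
```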
To use packet capture through the GUI, your firewall model must have internal storage and disk logging must be enabled. If your device does not support disk logging, run the packet capture from the CLI.
GUI Capture
CLI Capture
diagnose sniffer packet <interface> <'filter'> <verbose> <count>
Q: Why can't I see any logs on model M6600?
A: Logging is not enabled by default on this model. Because the M6600 firewall has no storage disk, logs are saved in memory and degrade performance if enabled. Here are the steps to enable logging to memory (not recommended):
1) Tick the logging traffic option in the firewall policy settings.
2) Execute the following commands on the firewall:
RG-WALL # config log memory setting
RG-WALL (setting) # set status enable
RG-WALL (setting) # end
RG-WALL #
1. Configure an interface address.
RG-WALL # config system interface
RG-WALL (interface) # edit lan
RG-WALL (lan) # set ip 192.168.100.99/24
RG-WALL (lan) # end
2. Configure a static route.
RG-WALL # config router static
RG-WALL (static) # edit 1
RG-WALL (1) # set device wan1
RG-WALL (1) # set dst 10.0.0.0 255.0.0.0
RG-WALL (1) # set gateway 192.168.57.1
RG-WALL (1) # end
3. Configure a default route (a new static route entry whose destination is left at 0.0.0.0/0).
RG-WALL # config router static
RG-WALL (static) # edit 2
RG-WALL (2) # set gateway 192.168.57.1
RG-WALL (2) # set device wan1
RG-WALL (2) # end
4. Configure a firewall address.
RG-WALL # config firewall address
RG-WALL (address) # edit clientnet
new entry 'clientnet' added
RG-WALL (clientnet) # set subnet 192.168.1.0 255.255.255.0
RG-WALL (clientnet) # end
5. Configure an IP pool.
RG-WALL # config firewall ippool
RG-WALL (ippool) # edit nat-pool
new entry 'nat-pool' added
RG-WALL (nat-pool) # set startip 100.100.100.1
RG-WALL (nat-pool) # set endip 100.100.100.100
RG-WALL (nat-pool) # end
6. Configure a virtual IP address.
RG-WALL # config firewall vip
RG-WALL (vip) # edit webserver
new entry 'webserver' added
RG-WALL (webserver) # set extip 202.0.0.167
RG-WALL (webserver) # set extintf wan1
RG-WALL (webserver) # set mappedip 192.168.0.168
RG-WALL (webserver) # end
7. Configure the Internet access policy.
RG-WALL # config firewall policy
RG-WALL (policy) # edit 1
RG-WALL (1) # set srcintf internal        // Source interface.
RG-WALL (1) # set dstintf wan1            // Destination interface.
RG-WALL (1) # set srcaddr all             // Source address.
RG-WALL (1) # set dstaddr all             // Destination address.
RG-WALL (1) # set action accept           // Action.
RG-WALL (1) # set schedule always         // Schedule.
RG-WALL (1) # set service ALL             // Service.
RG-WALL (1) # set logtraffic disable      // Enables or disables traffic logs.
RG-WALL (1) # set nat enable              // Enables NAT.
RG-WALL (1) # end
8. Configure the mapping policy.
RG-WALL # config firewall policy
RG-WALL (policy) # edit 2
RG-WALL (2) # set srcintf wan1            // Source interface.
RG-WALL (2) # set dstintf internal        // Destination interface.
RG-WALL (2) # set srcaddr all             // Source address.
RG-WALL (2) # set dstaddr ngfw1           // Destination address: the virtual IP address mapping added beforehand.
RG-WALL (2) # set action accept           // Action.
RG-WALL (2) # set schedule always         // Schedule.
RG-WALL (2) # set service ALL             // Service.
RG-WALL (2) # set logtraffic disable      // Enables or disables traffic logs.
RG-WALL (2) # end
9. Change the internal switching interface to a routing interface.
Ensure that the routing, DHCP, and firewall policies of the internal interface are deleted first.
RG-WALL # config system global
RG-WALL (global) # set internal-switch-mode interface
RG-WALL (global) # end
10. View the host name and management port.
RG-WALL # show system global
11. View the system status and available resources.
RG-WALL # get system performance status
12. View the application traffic statistics.
RG-WALL # get system performance firewall statistics
13. View the ARP table.
RG-WALL # get system arp
14. View ARP details.
RG-WALL # diagnose ip arp list
15. Clear the ARP cache.
RG-WALL # execute clear system arp table
16. View the current session table.
RG-WALL # diagnose sys session stat
or
RG-WALL # diagnose sys session full-stat
17. View the session list.
RG-WALL # diagnose sys session list
18. View the physical interface status.
RG-WALL # get system interface physical
19. View the settings of the default route.
RG-WALL # show router static
20. View the static routes in the routing table.
RG-WALL # get router info routing-table static
21. View the OSPF configuration.
RG-WALL # show router ospf
22. View the global routing table.
RG-WALL # get router info routing-table all
23. View the HA status.
RG-WALL # get system ha status
24. Check synchronization of the active and standby units.
RG-WALL # diagnose sys ha showcsum