HP A-F1000-E User manual

HP High-End Firewalls
Getting Started Guide
Part number: 5998-2626
Software version: A-F1000-E/Firewall module: R3166P13
A-F5000-A5: R3206P14
Document version: 6PW100-20110909

Legal and notice information
© Copyright 2011 Hewlett-Packard Development Company, L.P.
No part of this documentation may be reproduced or transmitted in any form or by any means without
prior written consent of Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS
MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained
herein or for incidental or consequential damages in connection with the furnishing, performance, or use
of this material.
The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an
additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Contents

Overview ... 1
  Product overview ... 1
    Firewall A-F1000-E ... 1
    Firewall A-F5000 ... 2
    HP firewall modules ... 2
  Application scenarios ... 4
    A-F1000-E application ... 4
    A-F5000 application ... 5
    Firewall module application ... 6
Login methods ... 7
  Login methods ... 7
  User interface overview ... 8
    Users and user interfaces ... 9
    Numbering user interfaces ... 9
CLI login ... 10
  Overview ... 10
  Logging in through the console port ... 10
    Introduction ... 10
    Configuration requirements ... 10
    Login procedure ... 11
    Console login authentication modes ... 14
    Configuring none authentication for console login ... 14
    Configuring password authentication for console login ... 15
    Configuring scheme authentication for console login ... 16
    Configuring common settings for console login (optional) ... 19
  Logging in through Telnet ... 21
    Introduction ... 21
    Telnet login authentication modes ... 21
    Configuring none authentication for Telnet login ... 22
    Configuring password authentication for Telnet login ... 23
    Configuring scheme authentication for Telnet login ... 24
    Configuring common settings for VTY user interfaces (optional) ... 27
    Configuring the device to log in to a Telnet server as a Telnet client ... 29
  Logging in through SSH ... 29
    Introduction ... 29
    Configuring the SSH server ... 30
    Configuring the SSH client to log in to the SSH server ... 32
  Logging in through the AUX port ... 33
    Introduction ... 33
    AUX login authentication modes ... 34
    Configuring none authentication for AUX login ... 35
    Configuring password authentication for AUX login ... 35
    Configuring scheme authentication for AUX login ... 36
    Configuring common settings for AUX login (optional) ... 39
    Configuration requirements ... 41
    Login procedure ... 41
  Logging in through modems ... 44
    Introduction ... 44
    Configuration requirements ... 44
    Login procedure ... 44
    Modem login authentication modes ... 48
    Configuring none authentication for modem login ... 48
    Configuring password authentication for modem login ... 50
    Configuring scheme authentication for modem login ... 51
    Configuring common settings for modem login (optional) ... 53
  Displaying and maintaining CLI login ... 56
Web login ... 57
  Web login overview ... 57
  Configuration guidelines ... 57
  Logging in to the firewall by using the default web login information ... 57
  Modifying the default web login information ... 58
    Configuring the web login function ... 58
  Configuring HTTP login ... 59
  Configuring HTTPS login ... 60
  Displaying and maintaining web login ... 62
  Web login example ... 62
    HTTP login example ... 62
    HTTPS login example ... 63
  Troubleshooting web login problems ... 65
    Problem 1: Unable to access the device through web ... 65
NMS login ... 69
  NMS login overview ... 69
  Configuring NMS login ... 70
  NMS login example ... 71
Logging in to the firewall module from the network device ... 73
  Logging in to the firewall module from the network device ... 73
    Configuring the AUX user interface of the firewall module ... 73
    Logging in to the firewall module ... 73
  Monitoring and managing the firewall module on the network device ... 74
    Resetting the system of the firewall module ... 74
    Configuring the ACSEI protocol ... 74
  Example for monitoring and managing the firewall module from the network device ... 76
Basic configuration ... 79
  Launching the basic configuration wizard ... 79
  Configuring the system name and user password ... 80
  Configuring service management ... 81
  Configuring the IP address for an interface ... 83
  Configuring NAT ... 84
  Completing the configuration wizard ... 85
Device management ... 87
  Device management overview ... 87
  Configuring the device name ... 87
    Configuring the device name in the web interface ... 87
    Configuring the device name in the CLI ... 87
  Configuring the system time ... 88
    Configuring the system time in the web interface ... 88
    Configuring the system time in the CLI ... 92
  Setting the idle timeout timer ... 95
    Setting the idle timeout timer in the web interface ... 95
    Setting the idle timeout timer in the CLI ... 96
  Enabling the display of copyright information ... 96
  Configuring banners ... 96
    Introduction to banners ... 96
    Configuring banners ... 97
  Configuring the maximum number of concurrent users ... 98
  Configuring the exception handling method ... 98
  Rebooting the firewall ... 99
    Rebooting the firewall in the CLI ... 99
  Configuring a scheduled task ... 100
    What is a scheduled task ... 100
    Configuration approaches ... 100
    Scheduled task configuration example ... 103
  Configuring temperature alarm thresholds for a card ... 104
  Clearing unused 16-bit interface indexes ... 104
  Identifying and diagnosing pluggable transceivers ... 105
    Introduction to pluggable transceivers ... 105
    Identifying a pluggable transceiver ... 106
    Diagnosing a pluggable transceiver ... 106
  Displaying and maintaining device management ... 106
User management ... 108
  Configuring local users ... 108
    Local user overview ... 108
    User levels ... 108
    Configuring a local user ... 108
    Local user configuration example ... 109
  Configuring user login control ... 110
    User login control overview ... 110
    Configuring login control over Telnet users ... 110
    Configuring source IP-based login control over NMS users ... 113
    Configuring source IP-based login control over web users ... 114
  Displaying online users ... 116
    Overview ... 116
    Displaying online users ... 116
CLI configuration ... 117
  What is CLI? ... 117
  Entering the CLI ... 117
  Command conventions ... 117
  Undo form of a command ... 118
  CLI views ... 118
    CLI view description ... 118
    Entering system view ... 119
    Exiting the current view ... 120
    Returning to user view ... 120
  Using the CLI online help ... 120
  Typing commands ... 121
    Editing command lines ... 121
    Typing incomplete keywords ... 122
    Configuring command aliases ... 122
    Configuring CLI hotkeys ... 123
    Redisplaying input but not submitted commands ... 124
  Checking command-line errors ... 125
  Using command history ... 125
    Accessing history commands ... 125
    Configuring the history buffer size ... 126
  Controlling the CLI display ... 126
    Multi-screen display ... 126
    Filtering output information ... 127
  Configuring user privilege and command levels ... 130
    Introduction ... 130
    Configuring a user privilege level ... 130
    Switching user privilege level ... 133
    Modifying the level of a command ... 134
  Saving the current configuration ... 134
  Displaying and maintaining CLI ... 134
Support and other resources ... 135
  Contacting HP ... 135
    Subscription service ... 135
  Related information ... 135
    Documents ... 135
    Websites ... 135
  Conventions ... 136
Index ... 138

Overview
This documentation is applicable to the following HP high-end firewall products and software versions:
• Firewall chassis—A-F1000-E (R3166P13), and A-F5000 (R3206P14)
• Firewall modules—(R3166P13)
You can configure most of the firewall functions in the web interface and some functions in the command
line interface (CLI). Each function configuration guide specifies clearly whether the function is configured
in the web interface or the CLI.
This chapter includes these sections:
• Product overview
• Application scenarios
Product overview
Firewall A-F1000-E
The HP A-F1000-E firewall (hereinafter referred to as the A-F1000-E) is designed for large- and
medium-sized networks. It supports the following functions:
• Traditional firewall functions
• Virtual firewall, security zone, attack protection, URL filtering
• Application Specific Packet Filter (ASPF), which monitors connection processes and user
operations and provides dynamic packet filtering together with ACLs
• Multiple types of VPN services, such as IPsec VPN
• RIP/OSPF/BGP routing
• Power supply redundancy backup (AC+AC or DC+DC)
• Stateful failover (Active/Active and Active/Standby mode)
• Inside-chassis temperature detection
• Its own web-based management system
• Support for management by iMC
The A-F1000-E uses a multi-core processor and provides the following interfaces:
• Four combo interfaces, for fiber/copper port switching
• Two high-speed interface module (HIM) expansion slots, which support the following interface
modules: 4GBE, 8GBE, HIM-1EXP, and 4GBP

Figure 1 Appearance of the A-F1000-E
Firewall A-F5000
The HP A-F5000 firewall (hereinafter referred to as the A-F5000) provides security protection for large
enterprises, carriers, and data centers. It uses multi-core, multi-threaded processors and ASICs in a
distributed architecture that separates system management from service processing, giving it the
highest distributed security processing capability.
The A-F5000 supports the following functions and features:
• Protection against external attacks, internal network protection, traffic monitoring, email filtering,
web filtering, application layer filtering
• ASPF
• Multiple types of VPN services, such as L2TP VPN, GRE VPN, IPsec VPN, and dynamic VPN
• RIP/OSPF/BGP routing, routing policy, and policy-based routing
• Power supply 1+1 redundancy backup (AC+AC or DC+DC)
• Hot-swappable service interface cards
• High availability functions, such as stateful failover and VRRP
Figure 2 Appearance of the A-F5000
HP firewall modules
The HP firewall modules are developed based on the Open Application Architecture (OAA) for
carrier-level customers.

A firewall module can be installed in the HP A5800/A7500/A9500/A12500 Switch Series or an
A6608/A8800 router. A switch or router can be installed with multiple firewall modules to expand the
firewall processing capability for future use. The main network device (switch or router) and the firewall
modules together provide highly integrated network and security functions for large networks.
The firewall modules support the following functions and features:
•Traditional firewall functions
•Virtual firewall, security zone, attack protection, URL filtering
•Application Specific Packet Filter (ASPF), which can monitor connection processes and user
operations and provide dynamic packet filtering together with ACLs.
•Multiple types of VPN services, such as IPsec VPN
•RIP/OSPF/BGP routing
A firewall module provides two GE ports and two GE combo interfaces. It is connected to the main
network device through an internal 10GE port. The rear card of the HP main network device forwards at
line speed, ensuring fast data forwarding to and from the firewall module. The firewall modules are
equipped with dedicated multi-core processors and high-speed caches, so they can process security
services without impacting the performance of the main network devices.
Figure 3 Firewall module for A5800 series switches
Figure 4 Firewall module for A7500/A9500/A12500 series switches
Figure 5 Firewall module for A6600/A8800 routers
Application scenarios
The A-F1000-E and A-F5000 have similar software functions.
The firewall modules also have similar software functions to the A-F1000-E. You can regard a firewall
module as an A-F1000-E firewall that is connected to the main network device through their 10 GE ports.
The difference lies in that the A-F1000-E firewall uses physical ports to forward data, and the firewall
module uses logical interfaces (subinterfaces and VLAN interfaces) of the 10 GE port to forward data.
The configuration on a firewall module is similar to that on an A-F1000-E firewall.
•Configurations for zone-based security functions, such as attack protection and object-oriented
ACLs, are the same on the two firewalls. The difference is that the A-F1000-E adds physical ports to
security zones, and the firewall module adds logical interfaces (subinterfaces and VLAN interfaces)
of the 10 GE port to security zones.
•Configurations for interface-based security functions are the same on the two firewalls. The
difference is that the A-F1000-E supports these functions on physical ports and the firewall module
supports them on the logical interfaces of the 10 GE port.
For more information about the configuration differences, see the Layer 2 and Layer 3 forwarding
configurations in Network Management Configuration Guide.
A-F1000-E application
Deployed at the egress of an enterprise network, A-F1000-E firewalls can protect against external attacks,
provide secure access from the external network to internal network resources (such as servers in the
DMZ zone) through NAT and VPN functions, and control access to the internal network by using security
zones. You can deploy two firewalls in the network for redundancy backup to avoid a single point of failure.
Figure 6 Network diagram for the A-F1000-E application
A-F5000 application
Large data centers are usually connected to the 10G core network through 10G Ethernet. The A-F5000
firewall has 10G processing capability and abundant port features, and can be deployed at the egress
of a network to protect the internal network. You can deploy two firewalls to implement stateful failover.
•Active-active stateful failover load-balances user traffic across the two firewalls.
•Active-standby stateful failover improves the availability of the firewalls. They back up each other to
avoid a single point of failure.
Figure 7 Network diagram for the A-F5000 application
Firewall module application
Firewall modules work with the main network devices (such as A5800/A7500/A9500/A12500
switches and A6600/A8800 routers). Deployed at the egress of a network, the firewall modules can
protect against external attacks and implement security access control of the internal network by using
security zones. As the network grows, you can expand firewall capacity simply by installing more firewall
modules in a switch or router. Deploying two switches/routers with firewall modules in the network
improves service availability.
Figure 8 Network diagram for the firewall module application
Login methods
HP Series High-End Firewalls support the following login methods:
•Local login through the console port
•Remote login through an Ethernet port or through Telnet/SSH
•Remote login through the AUX port
•Login through the web interface
•NMS login
In addition to these login methods, HP firewall modules also support login from the network device (a
switch or router) that accommodates the firewall module.
Table 1 Login methods

Login method: CLI login through the console port
Default state: By default, you can log in to a device through the console port, the authentication mode is
None (no username or password required), and the user privilege level is 3.

Login method: CLI login through Telnet
Default state: By default, you cannot log in to a device through Telnet. To do so, log in to the device
through the console port, and complete the following configuration:
•Enable the Telnet function.
•Configure the IP address of the management Ethernet interface of the device, and make sure that your
device and the Telnet client can reach each other (by default, the IP address of the management
Ethernet interface is 192.168.0.1/24).
•Configure the authentication mode of VTY login users (scheme by default).
•Configure the user privilege level of VTY login users (0 by default).

Login method: CLI login through SSH
Default state: By default, you cannot log in to a device through SSH. To do so, log in to the device
through the console port, and complete the following configuration:
•Enable the SSH function and configure SSH attributes.
•Configure the IP address of the management Ethernet interface of the device, and make sure that your
device and the SSH client can reach each other (by default, the IP address of the management
Ethernet interface is 192.168.0.1/24).
•Configure the authentication mode of VTY login users as scheme (scheme by default).
•Configure the user privilege level of VTY login users (0 by default).

Login method: CLI login through the AUX port
Default state: By default, you cannot log in to a device through the AUX port. To do so, log in to the
device through the console port, and complete the following configuration:
•Configure the password for the default password authentication mode, or change the authentication
mode and configure parameters for the new authentication mode.
The default user privilege level of AUX login users is 0.

Login method: CLI login through modems
Default state: By default, you can log in to a device through modems. The default user privilege level of
modem login users is 3.

Login method: Web login
Default state: By default, you can log in to a device through the web interface. If the web function is
disabled, you need to log in to the device through the console port, and complete the following
configuration:
•Configure the IP address of the management Ethernet interface of the device, and make sure the
device and the web terminal can reach each other (by default, the IP address of the management
Ethernet interface is 192.168.0.1/24).
•Configure a username and password for web login (by default, the username and password are
both admin).
•Configure the user privilege level for web login (by default, the user privilege level is 3).
•Configure the web service type for web login (not configured by default).

Login method: NMS login
Default state: By default, you cannot log in to a device through a network management station (NMS).
To do so, log in to the device through the console port, and complete the following configuration:
•Configure the IP address of the management Ethernet interface, and make sure the device and the
NMS can reach each other (by default, the IP address of the management Ethernet interface is
192.168.0.1/24).
•Configure SNMP basic parameters.
User interface overview
User interfaces, or lines, allow you to manage and monitor the sessions between a terminal and the device
when you log in to the device through the console port, the AUX port, Telnet, or SSH.
Asynchronous serial interfaces include the following types:
•Synchronous/asynchronous serial interface operating in asynchronous mode, whose interface
index begins with Serial.
•Dedicated asynchronous serial interface, whose interface index begins with Async.
One user interface corresponds to one user interface view where you can configure a set of parameters,
such as whether to authenticate users at login, whether to redirect the requests to another device, and the
user privilege level after login. When the user logs in through a user interface, the parameters set for the
user interface apply.
At present, the system supports the following CLI configuration methods:
•Local configuration via the console port
•Local/Remote configuration via the AUX port (Auxiliary port)
•Local/Remote configuration through Telnet or SSH
The methods correspond to the following user interfaces.
•Console user interface: Used to manage and monitor users that log in via the console port. The type
of the console port is EIA/TIA-232 DCE.
•AUX user interface: Used to manage and monitor users that log in via the AUX port. The type of the
AUX port is EIA/TIA-232 DTE. The port is usually used for modem dialup access.
•VTY (virtual type terminal) user interface: Used to manage and monitor users that log in via VTY. A
VTY port is a logical terminal line used for Telnet or SSH access.
Users and user interfaces
Only one user can use a user interface at a time. The configuration made in a user interface view applies
to any login user. For example, if user A uses the console port to log in, the configuration in the console
port user interface view applies to user A; if user A logs in through VTY 1, the configuration in VTY 1 user
interface view applies to user A.
A device has one console port, one AUX port, and multiple Ethernet interfaces. These user interfaces are
not associated with specific users. When a user initiates a connection request, the system automatically
assigns the idle user interface with the smallest number to the user, based on the login method. During the
login, the configuration in that user interface view takes effect. The user interface assigned therefore varies
with the login method and the time of login.
Numbering user interfaces
User interfaces can be numbered by using absolute numbering or relative numbering.
Absolute numbering
Absolute numbering identifies a user interface or a group of different types of user interfaces. The
specified user interfaces are numbered from number 0 with a step of 1 and in the sequence of console,
TTY (not supported, but the numbers are reserved), AUX, and VTY user interfaces. You can use the
display user-interface command without any parameters to view supported user interfaces and their
absolute numbers.
Relative numbering
Relative numbering allows you to specify a user interface or a group of user interfaces of a specific type.
The number format is “user interface type + number”. The following rules of relative numbering apply:
•Console ports are numbered from 0 in the ascending order, with a step of 1.
•AUX ports are numbered from 0 in the ascending order, with a step of 1.
•TTYs are numbered from 1 in the ascending order, with a step of 1.
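The numbering rules above, worked through in code as an added example that is not part of the HP guide. The per-type interface counts are assumptions for illustration; on a real device, display user-interface lists the supported interfaces and their absolute numbers. The rule that VTY relative numbers start at 0 is also an assumption, since this page does not state the VTY rule.

```python
"""Absolute and relative numbering of user interfaces, as described in the
guide: absolute numbers start at 0 and run through console, TTY (reserved),
AUX and VTY interfaces in that order; relative numbers restart per type.

Added example, not from the HP guide. The per-type interface counts are
assumptions for illustration; on a real device, `display user-interface`
lists the supported interfaces and their absolute numbers.
"""

# Order in which absolute numbers are assigned (from the guide).
ORDER = ("console", "tty", "aux", "vty")

# First relative number per type: console and AUX start at 0, TTY at 1 (from
# the guide). VTY starting at 0 is an assumption (the guide's VTY rule is not
# on this page).
FIRST_RELATIVE = {"console": 0, "tty": 1, "aux": 0, "vty": 0}


def build_table(counts):
    """Return {(type, relative_number): absolute_number} for a device with
    the given number of interfaces of each type (missing types count as 0)."""
    table = {}
    absolute = 0
    for kind in ORDER:
        for i in range(counts.get(kind, 0)):
            table[(kind, FIRST_RELATIVE[kind] + i)] = absolute
            absolute += 1
    return table


def relative_to_absolute(counts, kind, number):
    """Absolute number of e.g. ("vty", 3); raises ValueError if absent."""
    try:
        return build_table(counts)[(kind, number)]
    except KeyError:
        raise ValueError(f"no user interface {kind} {number}") from None


def absolute_to_relative(counts, absolute):
    """Inverse lookup: which typed interface an absolute number names."""
    for key, value in build_table(counts).items():
        if value == absolute:
            return key
    raise ValueError(f"no user interface with absolute number {absolute}")


# Constructed sample: one console port, no TTY numbers reserved, one AUX
# port, five VTY lines (vty 0 through vty 4).
SAMPLE_COUNTS = {"console": 1, "tty": 0, "aux": 1, "vty": 5}

# Same device but with two TTY numbers reserved: every AUX and VTY absolute
# number shifts up by two, which is why scripts should not hard-code them.
RESERVED_TTY_COUNTS = {"console": 1, "tty": 2, "aux": 1, "vty": 5}

if __name__ == "__main__":
    for (kind, number), abs_no in sorted(build_table(SAMPLE_COUNTS).items(),
                                         key=lambda item: item[1]):
        print(f"{kind:<8}{number:<3} -> absolute {abs_no}")
```

The second count set shows the practical point of the reserved TTY numbers: the absolute number of the first VTY line depends on how many lower-ordered interfaces the platform reserves, so an audit script that wants "the VTY lines" should resolve them by type and relative number rather than by a fixed absolute index.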
CLI login
Overview
The CLI enables you to interact with a device by typing text commands. At the CLI, you can instruct your
device to perform a given task by typing a text command and then pressing Enter to submit it to your
device. Compared with the graphical user interface (GUI) where you can use a mouse to perform
configuration, the CLI allows you to input more information in one command line.
You can log in to the device at the CLI through the console port, Telnet, SSH, or modem.
•By default, you can log in to a device through the console port without any authentication, which
introduces security problems.
•By default, you cannot log in to a device through Telnet, SSH, or modem, so you cannot remotely
manage and maintain the device.
Therefore, you need to configure the device to increase its security and manageability.
Logging in through the console port
Introduction
Logging in through the console port is the most common login method, and is also the first step to
configure other login methods.
By default, you can log in to a device through its console port only. After logging in to the device through
the console port, you can configure other login methods.
Configuration requirements
The following table shows the configuration requirements for console port login.

Object    Requirements
Device    No configuration requirement.
Terminal  Run the hyper terminal program, and configure the hyper terminal attributes.

The port properties of the hyper terminal must be the same as the default settings of the console port
shown in the following table.

Setting          Default
Bits per second  9,600 bps
Flow control     None
Parity           None
Stop bits        1
Data bits        8
Login procedure
1. As shown in Figure 9, use the console cable shipped with the device to connect the PC and the
device. Plug the DB-9 connector of the console cable into the serial port of the PC, and plug the
RJ-45 connector into the console port of your device.
Figure 9 Connect the device and PC through a console cable
WARNING!
Identify interfaces correctly to avoid connection errors.
NOTE:
The serial port of a PC does not support hot-swap. Do not plug or unplug the console cable to or from the
PC when your device is powered on. To connect the PC to the device, first plug the DB-9 connector of the
console cable into the PC, and then plug the RJ-45 connector of the console cable into your device. To
disconnect the PC from the device, first unplug the RJ-45 connector and then the DB-9 connector.
2. Launch a terminal emulation program (such as HyperTerminal in Windows XP). The following
takes the HyperTerminal of Windows XP as an example. Select a serial port to be connected to the
device, and set terminal parameters as follows: set Bits per second to 9600, Data bits to 8, Parity
to None, Stop bits to 1, and Flow control to None, as shown in Figure 10 through Figure 12.
NOTE:
On Windows 7, Windows Vista, or some other operating systems, obtain a third-party terminal program
first, and follow the user guide or online help of that program to log in to the device.
Figure 10 Connection description
Figure 11 Specify the serial port used to establish the connection
Figure 12 Set the properties of the serial port
3. Turn on the device. You are prompted to press Enter if the device successfully completes the
power-on self test (POST). A prompt such as <HP> appears after you press Enter, as shown in
Figure 13.
Figure 13 Configuration page
4. Execute commands to configure the device or check the running status of the device. To get help,
type ?.
Console login authentication modes
The following authentication modes are available for console port login: none, password, and scheme.
•none—Requires no username and password at the next login through the console port. This mode
is insecure.
•password—Requires password authentication at the next login through the console port. Keep your
password.
•scheme—Requires username and password authentication at the next login through the console
port. Authentication falls into local authentication and remote authentication. To use local
authentication, configure a local user and related parameters. To use remote authentication,
configure the username and password on the remote authentication server. Keep your username
and password.
The following table lists console port login configurations for different authentication modes:
Authentication mode: None
Configuration: Configure not to authenticate users.
Remarks: For more information, see “Configuring none authentication for console login.”

Authentication mode: Password
Configuration:
•Configure to authenticate users by using the local password.
•Set the local password.
Remarks: For more information, see “Configuring password authentication for console login.”

Authentication mode: Scheme
Configuration:
•Configure the authentication scheme.
•Select an authentication scheme:
  Local authentication:
  •Configure the AAA scheme used by the domain as local.
  •Configure the authentication username and password.
  Remote AAA authentication:
  •Configure a RADIUS/HWTACACS scheme.
  •Configure the AAA scheme used by the domain.
  •Configure the username and password on the AAA server.
Remarks: For more information, see “Configuring scheme authentication for console login.”
NOTE:
A newly configured authentication mode does not take effect unless you exit and enter the CLI again.
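The CLI login overview notes that the factory defaults (console login with no authentication at level 3, Telnet/SSH disabled, web login as admin/admin, management address 192.168.0.1/24) need to be changed, and the console authentication modes above describe what "none" versus "scheme" means. The following added example (not HP's code) audits a Comware-style configuration text for exactly those defaults. Both configuration texts are constructed and simplified: keywords such as telnet server enable, user-interface con 0, authentication-mode, local-user and password simple follow Comware V5 syntax, while the interface name GigabitEthernet0/0 and the hashed-password placeholder are assumptions.

```python
"""Audit a Comware-style configuration against the login defaults this guide
lists: console authentication-mode none at level 3, Telnet off by default,
VTY users authenticated by scheme, web login admin/admin, and a management
address of 192.168.0.1/24. Added example, not from HP; both configuration
texts are constructed (interface name and placeholder password are
assumptions).
"""

# Constructed sample: factory login defaults left in place, Telnet switched on.
WEAK_CONFIG = """\
#
 telnet server enable
#
interface GigabitEthernet0/0
 ip address 192.168.0.1 255.255.255.0
local-user admin
 password simple admin
 service-type web
user-interface con 0
 authentication-mode none
user-interface vty 0 4
 authentication-mode password
 user privilege level 3
"""

# Constructed hardened counterpart: SSH only, scheme authentication on every
# line, changed credentials and management address.
HARDENED_CONFIG = """\
#
 ssh server enable
#
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
local-user admin
 password cipher <hashed-password-placeholder>
 service-type ssh
 service-type web
user-interface con 0
 authentication-mode scheme
user-interface vty 0 4
 authentication-mode scheme
 protocol inbound ssh
 user privilege level 0
"""

# Authentication mode each line type uses when the view sets none (from the
# guide's Table 1 and the console login section).
DEFAULT_MODE = {"con": "none", "aux": "password", "vty": "scheme"}
DEFAULT_MGMT_IP = "ip address 192.168.0.1 255.255.255.0"


def parse_config(text):
    """Split into global commands and {view header: [sub-commands]}."""
    global_cmds, views, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "#":          # '#' closes the current view
            current = None
        elif line.startswith(" "):           # indented line belongs to a view
            (views[current] if current else global_cmds).append(line.strip())
        else:                                # unindented line opens a view
            current = line
            views.setdefault(current, [])
    return global_cmds, views


def audit_config(text):
    """Return (code, detail) findings in discovery order; empty if clean."""
    global_cmds, views = parse_config(text)
    findings = []
    if "telnet server enable" in global_cmds:
        findings.append(("TELNET_ENABLED", "Telnet is on: remote CLI sessions are cleartext; use SSH"))
    for view, lines in views.items():
        words = view.split()
        if words[0] == "interface" and DEFAULT_MGMT_IP in lines:
            findings.append(("DEFAULT_MGMT_IP", f"{view}: factory address 192.168.0.1/24 still set"))
        elif words[0] == "local-user":
            pw = next((l.split() for l in lines if l.startswith("password")), [])
            if words[1] == "admin" and pw[1:] == ["simple", "admin"]:
                findings.append(("DEFAULT_WEB_CREDENTIALS", "local-user admin still uses password 'admin'"))
        elif words[0] == "user-interface":
            kind = "con" if words[1].startswith("con") else words[1]
            mode = next((l.split()[-1] for l in lines if l.startswith("authentication-mode")),
                        DEFAULT_MODE.get(kind))
            level = next((int(l.split()[-1]) for l in lines if l.startswith("user privilege level")), None)
            if kind == "con" and mode == "none":
                findings.append(("CONSOLE_NO_AUTH", f"{view}: no authentication (factory default, level 3)"))
            if kind == "vty" and mode != "scheme":
                findings.append(("VTY_NOT_SCHEME", f"{view}: authentication-mode {mode}, not per-user scheme"))
                if level is not None and level >= 3:
                    findings.append(("VTY_HIGH_LEVEL_SHARED_SECRET",
                                     f"{view}: level {level} reachable with one shared password"))
    return findings


def finding_codes(text):
    return [code for code, _ in audit_config(text)]


if __name__ == "__main__":
    for code, detail in audit_config(WEAK_CONFIG):
        print(f"{code:<30} {detail}")
    print("hardened findings:", finding_codes(HARDENED_CONFIG))
```

The parser treats a user-interface view with no authentication-mode line as using the guide's documented default for that line type, which is why an empty console view is still reported as unauthenticated while an empty VTY view is not. Cipher-stored passwords are deliberately not inspected: the check only catches the literal factory credential, not weak passwords in general.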
Configuring none authentication for console login
Configuration prerequisites
You have logged in to the device.
By default, you can log in to the device through the console port without authentication and have user
privilege level 3 after login. For information about logging in to the device with the default configuration,
see “Configuration requirements.”