Security Gateway Product Manuals
HUAWEI Secoway USG9000 Series Unified Security Gateway Manual
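[Figure: Headquarters security protection for the vertical networks of government bodies and large enterprises. Labels: headquarters, provincial offices, municipal offices, private network, USG9000, USG5000, USG2000; 10-gigabit, gigabit and 100-megabit links.]
[Figure: Massive VPN access for wireless mobile users. Labels: AP, DSLAM, IKEv2, USG9000.]
[Product images: USG9310, USG9320]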
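Product Features
The most advanced "NP + multi-core + distributed" architecture: breaking through traditional performance bottlenecks
The USG9000 is the first to adopt an architecture in which the control modules, interface modules and service processing modules are independent of one another. The interface modules are built on dual NP processors, which guarantees line-rate forwarding of interface traffic; the service processing modules are built on a multi-core, multi-threaded architecture, which ensures high-speed parallel processing of services such as NAT, ASPF, Anti-DDoS and VPN. The USG9000 series comprises two products, the USG9310 and the USG9320, with 8 and 16 expansion slots respectively. Multiple service modules can be installed, and a distributed parallel processing mechanism multiplies the performance of the whole system, so that users can start with a low initial investment and expand smoothly later.
The USG9000 also supports the IKEv2 protocol, which strengthens user authentication, packet authentication, NAT traversal and related functions and removes the risk of man-in-the-middle and denial-of-service attacks. It further adds support for wireless authentication protocols such as EAP-SIM and EAP-AKA, and so protects wireless networks more efficiently.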
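Typical Networking
[Figure: Typical networking. Labels: Internet, USG9000, large enterprise data center, basic service zone, value-added service zone, management and maintenance zone, other zones.]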
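The best VPN performance: meeting the encrypted-transmission requirements of massive service volumes
As Internet applications multiply, more and more services need to be carried securely over public networks, and services such as "secure mobile access", "SMS push" and "mail push", which need a VPN access gateway that handles connections on the order of hundreds of thousands, have emerged. The USG9000 delivers up to 64 Gbps of encryption/decryption performance per chassis and supports 320,000 concurrent VPN tunnels, making it the highest-performance VPN access gateway currently available.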
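HUAWEI Secoway USG3000 Series Unified Security Gateway Manual
Secoway USG3000 Series Unified Security Gateway
Product Overview
The USG3000 series security gateway is Huawei Symantec's new-generation gateway-type security protection device. Built on a multi-core hardware platform, it gives users a product-grade security protection solution that combines a high forwarding rate, high encryption performance and high port density.
It integrates DDoS attack defense and can defend against many types of DDoS attack.
It uses a hardware encryption chip to provide high-speed VPN encryption performance.
It supports several address translation functions, giving users the greatest possible flexibility in networking. It integrates multiple routing features, can take part in dynamic routing, and provides QoS control, giving users a rich choice of functions. Combined with intelligent blacklist and whitelist filtering, varied statistical analysis and convenient web management, it suits a wide range of service applications and is an ideal security protection device for the networks of carriers, government, finance, education, energy, the military and similar organizations.
Product Features
High performance and high reliability
The USG3000 series security gateway uses multi-core technology to process data flows in parallel, which greatly increases processing performance and provides high-speed data forwarding at the user's network egress. An embedded encryption chip performs encryption and decryption in hardware and provides up to 600 Mbps of encryption/decryption performance, a leading figure among comparable products in the industry.
The USG3000 series is a network security product that combines Huawei Symantec's professional high-reliability hardware platform with the VRP software platform. It is equipped with hardware reliability features such as dual power supplies, a temperature-controlled chassis and fans with automatic speed regulation, and it also supports software reliability features such as dual-system hot standby, load balancing and 1+1 backup of routing information, giving users all-round, high-performance and highly reliable security protection.
A full-featured VPN gateway
The USG3000 series security gateway supports several VPN networking methods, including L2TP, GRE, IPSec and MPLS, which can be used individually or in combination. The USG3000 series uses a hardware encryption chip developed independently by Huawei Symantec for encryption operations. Encryption and data encapsulation are carried out in hardware, so encryption performance is independent of software algorithms and service traffic. Supported encryption algorithms include DES, 3DES, AES and SCB2.
In addition, drawing on Huawei Symantec's strong research and development capability, the USG3000 can also provide MPLS VPN technology, which partitions and interconnects multi-channel VPNs within the user's internal bearer network. In whole-network VPN solutions it is ahead of comparable products in the industry and can give users an all-round VPN solution.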
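Trend Micro Web Security Gateway (IWSA) Installation Guide
Trend Micro (China) Incorporated reserves the right to make changes to this document and to the products described herein without notice.
Before installing and using this software, please read the readme file, the release notes (if any) and the latest version of the applicable user documentation, which are available from the following Trend Micro Web site: /download/zh-cn/
Trend Micro, the Trend Micro t-ball logo, InterScan, TrendLabs, Trend Micro Control Manager and Trend Micro Damage Cleanup Services are trademarks or registered trademarks of Trend Micro (China) Incorporated / Trend Micro Incorporated.
All other product or company names may be trademarks or registered trademarks of their respective owners.
Copyright © 2015 Trend Micro (China) Incorporated / Trend Micro Incorporated.
All rights reserved.
Document number: IBCM66844/150109
Release date: July 2014
Protected by U.S. Patent No. 5,951,698
The Trend Micro Web Security Gateway (IWSA) Installation Guide introduces the main features of the software and gives installation instructions for your production environment.
Please read this guide carefully before installing and using the software.
Detailed information about how to use specific features of the software is available in the online help file and in the online Knowledge Base on the Trend Micro Web site.
Trend Micro is always working to improve its documentation.
We always welcome your feedback.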
Contents

Preface
  Audience
  How to use this guide
  IWSA documentation
  Document conventions
  About Trend Micro

Chapter 1: Pre-installation Planning
  Server requirements
  Operating system
  Hardware requirements
  Component installation
  Web browser
  Other requirements
  Information needed to install IWSA
  Fresh installation
  Migration
  Type of proxy server configuration
  Control Manager server information
  Database type and location
  SNMP notifications
  Web console password
  Command-line access
  Proxy server for Internet updates
  Activation code
  Planning network traffic protection
  Transparent bridge mode
  Forward proxy mode
  Reverse proxy mode
  ICAP mode
  Simple transparency mode
  WCCP mode

Chapter 2: Deployment Primer
  Identifying the server location
  Two firewalls with a DMZ
  Firewall without a DMZ
  Planning network traffic flows
  Planning the HTTP flow
  HTTPS decryption
  Planning the FTP flow
  FTP proxy server in standalone mode
  FTP proxy server in dependent mode
  Deploying in forward proxy mode
  Overview of forward proxy mode
  Reconfiguring client settings
  Using a Layer 4 switch
  Using a WCCP-enabled switch or router
  Planning the HTTP flow using forward proxy mode
  HTTP proxy server in standalone mode
  HTTP proxy server in simple transparency mode
  HTTP proxy server in dependent mode (proxy ahead)
  HTTP proxy server in dependent mode (proxy behind)
  HTTP double proxy server in dependent mode
  Deploying in WCCP mode
  HTTP proxy server in WCCP mode (single and multiple IWSA servers)
  Deploying in ICAP mode
  Overview of ICAP mode
  Planning the HTTP flow using ICAP mode
  HTTP proxy server in ICAP mode (single and multiple IWSA servers)
  IWSA ICAP mode with multiple servers
  Deploying in reverse proxy mode
  Overview of reverse proxy mode
  Planning the HTTP flow using reverse proxy mode
  HTTP reverse proxy server in dependent mode
  Deploying in transparent bridge mode
  Overview of transparent bridge mode
  Planning the HTTP flow using transparent bridge mode
  High-availability deployment mode
  HA deployment mode installation guidelines

Chapter 3: Installing Trend Micro Web Security Gateway (IWSA)
  Obtaining IWSA
  Using the Trend Micro Enterprise Solutions DVD
  Downloading the installation file
  Installing IWSA
  Logging on to IWSA for the first time
  Post-installation notes

Chapter 4: Migrating to Trend Micro Web Security Gateway (IWSA)
  About migration
  Important notes
  Information that is not migrated
  Overview of the migration process
  Migrating from IWSA 5.6 to IWSA 6.5
  Migrating from one IWSA 6.5 to another IWSA 6.5
  After migration

Appendix A: Deployment Integration
  IWSA in a distributed environment
  Connection requirements and properties
  Throughput and availability requirements
  Integration with LDAP
  Support for multiple domains to accommodate multiple LDAP servers
  LDAP authentication in transparent mode
  Integration with Cisco routers using WCCP
  Protecting an HTTP or FTP server using a reverse proxy server
  Integration with ICAP devices
  Setting up an ICAP 1.0-compliant cache server
  Setting up ICAP for NetCache appliances
  Setting up ICAP for Blue Coat Port 80 security appliances
  Setting up ICAP for Cisco CE ICAP servers
  Configuring virus-scanning server clusters
  Deleting a cluster configuration or entry
  Enabling the "X-Virus-ID" and "X-Infection-Found" headers

Appendix B: Tuning and Troubleshooting
  IWSA performance tuning
  URL filtering
  LDAP performance tuning
  LDAP internal cache
  Disabling verbose logging when LDAP is enabled
  LDAP authentication in transparent mode
  Troubleshooting
  Troubleshooting tips
  Before contacting technical support
  Installation problems
  General feature problems

Appendix C: Best Practices for IWSA Installation and Deployment
  IWSA installation overview
  Sizing the environment correctly
  Best practice recommendations
  Selecting the deployment method and redundancy
  Best practice recommendations

Appendix D: Maintenance and Technical Support
  Product maintenance
  Maintenance agreement
  Renewing the maintenance agreement
  Contacting technical support
  TrendLabs
  Knowledge Base
  Known issues
  Sending suspicious code to Trend Micro
  Security Information Center

Appendix E: Creating a New Virtual Machine for IWSA Under VMware ESX
  Introduction
  Creating a new virtual machine
  Starting the IWSA virtual machine and completing the installation

Appendix F: Creating a New Virtual Machine for IWSA Under Microsoft Hyper-V
  Introduction
  IWSA support for Hyper-V
  Hyper-V virtualization modes
  Installing IWSA 6.5 on Microsoft Hyper-V
  Importing the IWSA image
  Assigning resources to IWSA
  Starting the IWSA virtual machine and completing the installation
  Accessing the IWSA Web console

Index

Preface
Welcome to the Trend Micro™ Web Security Gateway (IWSA) 6.5 Installation Guide.
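Hillstone Networks Operations and Maintenance Security Gateway V5.5ST00001B111 Release Notes
Version 5.5ST00001B111
All rights reserved. Copyright © 2021, Hillstone Networks
TW-RN-OSG-V5.5ST00001B111-CN-V1.0-Y21M01
Hillstone Networks Operations and Maintenance Security Gateway V5.5ST00001B111
Release Overview
Release date: January 11, 2021
The main additions in this release are: RDP operations now support NLA network-level authentication; synchronization of AD domain authentication users; a new "winRM service" method for changing the passwords of Windows-type asset accounts; and support in the Chrome browser graphical application for operating http/https assets. The release also optimizes and fixes a number of functional issues.
When upgrading to V5.5ST00001B111, be sure to read "Upgrade Notes" before you upgrade.
Product Models and Upgrade Package Files
New Features
Resolved Issues
Upgrade Notes
1. After upgrading to V5.5ST00001B111, the device pages cannot be accessed with the IE8 browser.
Users are advised not to use IE8 for the upgrade.
If IE8 must be used to access the device pages in a particular environment, upgrade to V5.5ST00001B111 first and then roll back with the "openssl configuration rollback package (upgrade_iam_090_openssl_back.tar.gz)".
2. After upgrading to V5.5ST00001B111, if you need to import a new license file, first import the "license cleanup package (upgrade_iam_license_clean.tar.gz)" to clear the original license file.
3. In a cluster or hot-standby environment, dissolve the cluster or hot-standby configuration before upgrading.
Make sure the upgrade is performed in a standalone environment.
4. After upgrading to V5.5ST00001B111, first clear the browser page cache and restart the device.
5. Because the hillstoneotp.cab plug-in was modified in V5.5ST00001B111, previously deployed devices can no longer invoke it. After upgrading to this version, replace the hillstoneotp.cab plug-in first.
6. Availability of the RESTful API: supported for a fee, depending on project requirements.
7. The operating system and RDS license of the built-in application publishing center are not activated and must be activated manually at deployment.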
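Hillstone Networks Operations and Maintenance Security Gateway V5.5ST00001B112 Release Notes
Version 5.5ST00001B112
All rights reserved. Copyright © 2021, Hillstone Networks
TW-RN-OSG-V5.5ST00001B112-CN-V1.0-Y21M12
Hillstone Networks Operations and Maintenance Security Gateway V5.5ST00001B112
Release Overview
Release date: December 30, 2021
This version upgrade mainly adds new features such as H5-based operations, three-level joint approval, and single sign-on for the Kingbase (人大金仓) and Dameng (达梦) database tools, and it optimizes and fixes a number of vulnerabilities and issues.
When upgrading to V5.5ST00001B1112, be sure to read "Upgrade Notes" before you upgrade.
Product Models and Upgrade Package Files
New Features
Resolved Issues
Upgrade Notes
1. In a cluster or hot-standby environment, dissolve the cluster or hot-standby configuration before upgrading, and make sure the upgrade is performed in a standalone environment.
2. After upgrading to V5.5ST00001B112, first clear the browser page cache and restart the device.
Browser Compatibility
The following browser is recommended:
♦ IE11
Getting Help
The Hillstone Networks Operations and Maintenance Security Gateway comes with the following manuals, available online:
♦ Hillstone Networks Operations and Maintenance Security Gateway Deployment Manual_V5.5ST00001B112
♦ Hillstone Networks Operations and Maintenance Security Gateway User Manual, Administrator Volume_V5.5ST00001B112
♦ Hillstone Networks Operations and Maintenance Security Gateway User Manual, User Volume_V5.5ST00001B112
Service hotline: 400-828-6655
Official website: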
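Gateway User Manual

1. Introduction
1.1 Product overview
This gateway is a device that connects the Internet and a local area network and handles data transmission and control between them.
It provides a secure, stable and efficient connection and suits a wide range of scenarios and applications.
1.2 Main features
- Supports multiple communication methods, including Ethernet, Wi-Fi and Bluetooth;
- Provides reliable data transmission and real-time control;
- Provides secure access protection and data encryption;
- Can be configured and monitored through a remote management system;
- Compatible with common operating systems and software platforms.

2. Hardware installation
2.1 Check the package contents
- Make sure the box contains the gateway device, the power adapter, the network cable and the other required items;
- If anything is missing or damaged, contact the supplier.
2.2 Connect to the network
- Connect the gateway device with a network cable to a LAN port of the router or switch;
- Make sure the plug of the gateway's power adapter matches the power socket, then plug the adapter into the gateway's power port and connect the adapter to the mains.
2.3 Configure the gateway
- Open a browser on a computer or mobile device and enter the default gateway IP address to access the gateway;
- Follow the prompts to configure the gateway, including network parameters, security settings and so on;
- After confirming that the configuration is correct, save it and restart the gateway device.

3. Software configuration
3.1 Install the management software
- Download the latest version of the gateway management software from the official website;
- Install it according to the requirements of your operating system.
3.2 Log in to the management interface
- Open the installed gateway management software;
- Enter the gateway's IP address, user name and password to log in.
3.3 Basic settings
- Find the basic settings option in the management interface;
- Configure the gateway's network parameters, such as the IP address, subnet mask and gateway address;
- Configure other basic settings as needed, such as time synchronization and DNS settings.
3.4 Security settings
- Find the security settings option in the management interface;
- Configure the access control list to restrict which devices can access the gateway;
- Enable data encryption to keep data transmission secure.

4. Remote management
4.1 Remote access
- Find the remote access option in the management interface;
- Enable remote access and make the corresponding settings;
- Configure port mapping as needed to manage intranet devices remotely.
4.2 Remote monitoring
- Find the remote monitoring option in the management interface;
- Configure the parameters of the remote monitoring system, including the IP address and port number;
- Make sure external devices can access and monitor the gateway.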
Hillstone Networks Operations and Maintenance Security Gateway Version Description
SG-6000-OSG
6000
Supports applications of other protocol types: AS400, PGADMIN, PCANYWHERE, RADMIN, DameWare, CiscoASDM, VMware vSphere Client. (Models: SG-6000-OSG5000/SG-6000-OSG5200/SG-6000-OSG6000)
Supports applications of other protocol types: REALVNC. (Models: all models)
露。
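Supports control of commands in character-based operations: command blacklists and whitelists provide effective command management, command sets can trigger an alert or be blocked automatically, and regular-expression matching is supported. (Models: all models)
By default, a user who has logged in can operate only within that user's own directory and cannot jump freely to other directories; the restriction can also be lifted with a switch. (Models: all models)
The system provides a work-order workflow. When an operator needs to access a target device, the operator must first submit to the administrator
Storage alerts: an e-mail alert is sent when log storage exceeds the configured threshold, and a scheduled deletion plan is supported that keeps only the logs from the configured time period. System configuration can be backed up and restored over FTP and SFTP, and audit logs can be backed up over FTP, over SFTP and locally; backup plans can be customized for both system configuration and audit logs. Exported logs can be viewed and searched with an offline player, including commands, recordings, title-bar content and so on. When a report task is defined, a time period can be configured, and results can be presented as charts (bar, pie and so on), statistics and detailed data.
Supports both C/S and B/S operation modes. (Models: all models)
Supports the properties of character-based tools such as putty and SecureCRT: terminal properties, character encoding, freely adjustable window size and so on; (Models: all models)
The native properties of the graphical mstsc tool: customizable enabling/disabling of disk mapping, the clipboard and so on; supports window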
Sophos Web Gateway Enterprise-Grade Secure Gateway Product Description

Sophos Web Gateway
Enterprise-grade secure web gateway—Sophos Central simplicity

The web is the number one source of threats, with 80% of them coming from legitimate, trusted sites. Sophos Web Gateway provides security, visibility, and control for all your desktop PCs, Macs, Chromebooks, and mobile devices, regardless of how or where they access the web. And you get the simple, elegant management experience that is Sophos Central.

Highlights
- Cloud management, reporting and enforcement
- Protects users from the latest web threats
- Secures your desktops, laptops and mobile devices
- 100+ reports covering all aspects of web activity
- Be up and running in minutes
- Integrates seamlessly with the rest of Sophos Central
- Fast Lane technology speeds up downloads to enhance browsing experience

Advanced web protection from today's threats
Our advanced web protection engine intelligently scans web content and blocks the latest zero-day web threats using a variety of advanced techniques—and not just for HTTP and HTTPS traffic, but other types of network traffic as well. And you don't need to worry about slowing users down. Our global network of data centers ensures your web traffic is analyzed quickly and transparently without any noticeable latency.

Big-data, cloud-powered reporting
With Sophos Web Gateway you get big-data reporting without the need for onsite servers or management overhead. Take advantage of unrivaled insight into network analytics, applications and threats in order to keep your sensitive data safe, control costs and comply with regulations.

Effortless to deploy, simple to manage
Sophos Central sets the standard for how IT security should be managed—simply and effectively. Sophos Central brings endpoint, mobile, server, email, and web security together in a single, truly integrated management console—a first in the industry. You'll be up and running in a matter of minutes with Sophos Web Gateway. And you'll be able to effortlessly expand your cloud-managed security any time you want.

Simple but powerful policy control
Sophos Central was built from the ground up, making powerful policy settings easy and intuitive. You get all the tools you need to easily customize policies to meet compliance obligations, manage productivity, optimize bandwidth, control applications, protect data and keep your users and organization safe online.

Reliable enforcement on the go
Don't entrust enforcement to just anyone. At Sophos, mobile device management and endpoints are part of our DNA. Whether your users have a PC, Mac, iPad, iPhone, or Chromebook, you can be confident policy is being enforced 24/7. Enforcement is all thanks to an integrated agent with sophisticated tamper protection safeguards that even keep rogue users compliant.

Try it now for free
Register for a free 30-day evaluation at /web.

Sophos Web Gateway Features

Security and Protection
- Intelligent scanning engine scans all web code and scripts without impacting performance
- Automated threat updates, multiple times per day
- Real-time site reputation data
- Live Protection provides real-time cloud lookups for the latest threats
- Automatically detects anonymizing proxies in real-time
- Identification and reporting on 500+ app usage
- Scans HTTP, HTTPS, IMAP, SMTP, UDP, and DNS network traffic

Policy and Control
- Policies by users or groups
- Over 90 site categories
- IP and domain-based gateway exclusions
- Configurable SSL scanning
- Configurable end-user privacy settings
- Granular application control
- DLP detects keywords, data types (e.g., PII) or regular expressions
- DLP templates aid compliance with PCI, Profanity (CIPA), HIPAA, etc.

Deployment and Directory Service Integration
- Support for Windows (7 and above), OS X (10.8 and above), iOS (4 and above), and Chromebook
- Automated Active Directory synchronization
- Manual user setup with automatic registration
- Data residency in the USA or Europe

User Experience
- Fully customizable user notification pages
- User feedback option on blocked pages with simple workflow for administrator review

Performance
- Over 10 worldwide locations
- Fast Lane technology intelligently routes traffic to the optimal Sophos gateway to enhance download speeds
- 100% uptime network

Reporting
- Over 100 different network and threat reports
- Detailed user reporting by category, apps, threats, bandwidth and more
- Detailed network activity logs with source and destination IP, URL, protocol, port, ISP, and more
- Export report data to PDF or CSV

Management
- Web-based management console via Sophos
- Offers integrated management of endpoint, mobile, server, and web security
- Manage alerts and issues

Sophos Web Gateway provides simple but powerful web protection and policy control.

United Kingdom and Worldwide Sales: Tel: +44 (0)8447 671131
North American Sales: Toll Free: 1-866-866-2802
Australia and New Zealand Sales: Tel: +61 2 9409 9100
Asia Sales: Tel: +65 62244168

© Copyright 2016. Sophos Ltd. All rights reserved.
Registered in England and Wales No. 2096520, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, UK
Sophos is the registered trademark of Sophos Ltd. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.
16-10-31 DSNA (DD-2481)
Optrics is a Sophos Reseller. Toll Free (CDA): 1.877.463.7638 Toll Free (USA): 1.877.386.3763
伦敦网络 SSG500 Series Secure Services Gateway Product Introduction

SSG500 LINE OF SECURE SERVICES GA

Connectivity and Routing: The SSG500 line provides four onboard 10/100/1000 interfaces complemented by six I/O expansion slots that can house a mix of LAN or WAN interfaces, making the SSG500 line an extremely flexible platform. The broad array of I/O options coupled with WAN protocol and encapsulation support makes SSG500 line gateways easily deployable as traditional branch office routers or as consolidated security and routing devices to reduce CapEx and OpEx.

Access Control Enforcement: The SSG500 line gateways can act as enforcement points in a Juniper Networks Unified Access Control deployment with the simple addition of the IC Series UAC appliance. The IC Series appliance functions as a central policy management engine by interacting with the SSG500 line to augment or replace the firewall-based access control with a solution that grants/denies access based on more granular criteria, including endpoint state and user identity in order to accommodate the dramatic shifts in attack landscape and user characteristics.

World-Class Support: From simple lab testing to major network implementations, Juniper Networks Professional Services will collaborate with your team to identify goals, define the deployment process, create or validate the network design and manage the deployment to its successful conclusion.

Features and Benefits
built hardware, powerful processing and a security-against internal and external attacks now and into the
* Bridge groups supported only on uPIMs in ScreenOS 6.0 and greater releases

Product Options
Single or redundant AC or DC power supplies
All models in the SSG500 line are available with either AC or DC power supplies. The SSG520 and SSG520M offer a single power supply. The SSG550 and SSG550M are available with optional redundant power supplies.

[Product images: SSG550/SSG550M, SSG520/SSG520M]

Specifications
[Table columns: SSG520, SSG520M, SSG550, SSG550M]
(1) Performance, capacity and features listed are based upon systems running ScreenOS 6.2 and are the measured maximums under ideal testing conditions unless otherwise noted. Actual results may vary based on ScreenOS release and by deployment. For a complete list of supported ScreenOS versions for SSG Series gateways, please visit the Juniper Customer Support Center (www./customers/support/) and click on ScreenOS Software Downloads.
(2) IMIX stands for Internet mix and is more demanding than a single packet size as it represents a traffic mix that is more typical of a customer's network. The IMIX traffic used is made up of 58.33% 64 byte packets + 33.33% 570 byte packets + 8.33% 1518 byte packets of UDP traffic.
(3) UTM Security features (IPS/Deep Inspection, antivirus, antispam and Web filtering) are delivered by annual subscriptions purchased separately from Juniper Networks. Annual subscriptions provide signature updates and associated support. The high memory option is required for UTM security features.
(4) Redirect Web filtering sends traffic from the firewall to a secondary server. The redirect feature is free. However, it does require the purchase of a separate Web filtering license from either Websense or SurfControl.
(5) NAT, PAT, policy-based NAT, virtual IP, mapped IP, virtual systems, virtual routers, VLANs, OSPF, BGP, RIPv2, Active/Active HA and IP address assignment are not available in Layer 2 transparent mode.

IPS (Deep Inspection firewall) Signature Packs
Signature packs provide the ability to tailor the attack protection to the specific deployment and/or attack type. The following signature packs are available for the SSG500 line:
Base Branch offices, small/medium businesses Client/server and worm protection Range of signatures and protocol

Juniper Networks Services and Support
Juniper Networks is the leader in performance-enabling services and support, which are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to bring revenue-generating capabilities online faster so you can realize bigger productivity gains and faster rollouts of new business models and ventures. At the same time, Juniper Networks ensures operational excellence by optimizing your network to maintain required levels of performance, reliability, and availability. For more details, please visit /us/en/products-services/.

Ordering Information
MODEL NUMBER    DESCRIPTION
SSG550M
SSG-550M-SH    SSG550M with 1 GB memory, 0 PIM Cards,

Ordering Information (continued)
Communications Cables
SSG-PS-AC    Spare power supply for SSG550, AC power
SSG-PS-DC    Spare power supply for SSG550, DC power
CBL-JX-PWR-AU    Power cable, Australia
CBL-JX-PWR-CH    Power cable, China
CBL-JX-PWR-EU    Power cable, Europe
CBL-JX-PWR-IT    Power cable, Italy
CBL-JX-PWR-JP    Power cable, Japan
CBL-JX-PWR-UK    Power cable, UK
CBL-JX-PWR-US    Power cable, USA
SSG-500-MEM-1GB    1 gigabyte memory upgrade for the SSG500 line
SSG-500-FLTR    Replacement air filter for SSG550 line
JX-CBL-EIA530-DCE    EIA530 cable (DCE)
JX-CBL-EIA530-DTE    EIA530 cable (DTE)
JX-CBL-RS232-DCE    RS232 cable (DTE)
JX-CBL-RS449-DCE    RS449 cable (DCE)
JX-CBL-RS449-DTE    RS449 cable (DTE)
JX-CBL-V35-DCE    V.35 cable (DCE)
JX-CBL-V35-DTE    V.35 cable (DTE)
JX-CBL-X21-DCE    X.21 cable (DCE)
JX-CBL-X21-DT    X.21 cable (DTE)
JX-Blank-FP-S    Blank I/O plate

Enhanced Pluggable Interface Modules (Enhanced PIMs) are used in ePIM slots only (SSG520/SSG520M, SSG550/SSG550M, Juniper Networks J4350 and J6350 Services Routers only). Universal Pluggable Interface Modules (Universal PIMs) are used in either ePIM slots or regular PIM slots on the Juniper Networks SSG Series Secure Services Gateways and J Series Services Routers and are only supported in ScreenOS 6.0 or greater releases.

About Juniper Networks
Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and applications over a single network. This fuels high-performance businesses. Additional information can be found at .

1000143-006-EN April 2010
Copyright 2010 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Corporate and Sales Headquarters: Juniper Networks, Inc., 1194 North Mathilda Avenue, Sunnyvale, CA 94089 USA. Phone: 888.JUNIPER (888.586.4737) or 408.745.2000. Fax: 408.745.2100
APAC Headquarters: Juniper Networks (Hong Kong), 26/F, Cityplaza One, 1111 King's Road, Taikoo Shing, Hong Kong. Phone: 852.2332.3636. Fax: 852.2574.7803
EMEA Headquarters: Juniper Networks Ireland, Airside Business Park, Swords, County Dublin, Ireland. Phone: 35.31.8903.600. EMEA Sales: 00800.4586.4737. Fax: 35.31.8903.601
To purchase Juniper Networks solutions, please contact your Juniper Networks representative at 1-866-298-6428 or authorized reseller.
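天玥 Operations and Maintenance Security Gateway V6.0 User Manual
2018
Intended audience: internal operations and maintenance staff
User Manual
天玥 Operations and Maintenance Security Gateway V6.0
Applies to: 天玥 Operations and Maintenance Security Gateway V6.0 series
Fine-grained control, compliance auditing
北京启明星辰信息安全技术有限公司

Contents
1 Overview
2 User login
  2.1 Web mode
    2.1.1 Web access method
    2.1.2 Downloading related materials
  2.2 Operations client
  2.3 Login authentication
3 Environment preparation
  3.1 Environment check
  3.2 Installing the JAVA control
  3.3 Browser settings
  3.4 Configuring local tools
  3.5 Changing the password
4 Operations guide
  4.1 RDP/VNC access
  4.2 Telnet/SSH/Rlogin access
  4.3 FTP access
  4.4 Database access
  4.5 Batch login to hosts
  4.6 Work-order operations
    4.6.1 Applying for a work order
    4.6.2 Operating under a work order
  4.7 Recently accessed resources
  4.8 Advanced search
  4.9 Menu mode
    4.9.1 Command-line mode
    4.9.2 Graphical mode
5 FAQ
  5.1 Login reports that the application is blocked
  5.2 Prompt that Java is out of date and needs updating
  5.3 Invoking the application publishing tool fails
  5.4 dbvis prompts about the JAVA environment variable

1 Overview
The 启明星辰 天玥 Operations and Maintenance Security Gateway V6.0 is one of 启明星辰's comprehensive internal-control products.
This manual describes in detail how to carry out operations and maintenance work with the 天玥 Operations and Maintenance Security Gateway V6.0. Users can refer to it when performing operations through the gateway.

2 User login
Operations users can use the 天玥 Operations and Maintenance Security Gateway V6.0 in any of the following ways:
(1) Web mode (depends on a JAVA environment);
(2) Operations client mode (does not depend on a JAVA environment);
(3) Direct connection with client tools (does not depend on a browser or a JAVA environment; currently supports SSH, TELNET, RDP and VNC operations; see section 4.9 of this manual for usage).

2.1 Web mode
2.1.1 Web access method
Access the 天玥 Operations and Maintenance Security Gateway V6.0 system with a browser, as shown in Figure 2.1.1. (Default URL: https://<IP of the 天玥 OSM system>. If the web service port is not the default 443, the login URL must include the web service's current port number, for example: https://172.16.67.201:10443.)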
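网博 NB1000-WSG-d Internet Security Gateway User Manual

Contents
Chapter 1. NB1000-WSG-M product introduction
  1.1 Front panel and indicator status
  1.2 Rear panel and port functions
  1.3 Package contents
Chapter 2. Product installation
  2.1 Hardware installation
  2.2 Network application topology
Chapter 3. Computer network configuration
  3.1 Computer IP and subnet mask configuration
Chapter 4. User login and wireless Internet access
Chapter 5. Program group description
  5.1 Network security system configuration overview
  5.2 Management system function items
Chapter 6. User management
  6.1 User management function modules
  6.2 User management operation examples
    6.2.1 Creating a user group
    6.2.2 Creating a user
    6.2.3 Authentication methods
      6.2.3.1 IP authentication
      6.2.3.2 MAC authentication
      6.2.3.3 Account authentication
        6.2.3.3.1 Automatic account generation
        6.2.3.3.2 Modifying an account manually
      6.2.3.4 Combined IP and MAC authentication
      6.2.3.5 Combined IP and account authentication
      6.2.3.6 Combined IP, MAC and account authentication
    6.2.4 Online users
    6.2.5 Access information
    6.2.6 Real-time connections
Chapter 7. Floor management
Chapter 8. Wireless network settings
  8.1 Wireless routing network settings module
    8.1.1 Network configuration overview
    8.1.2 WAN port configuration
    8.1.3 WLAN configuration
    8.1.4 Wireless AP configuration
    8.1.5 DHCP configuration
    8.1.6 Save and apply
Chapter 9. Monitoring settings
  9.1 Monitoring settings module
    9.1.1 Monitored network segments
    9.1.2 Venue configuration
    9.1.3 ID document types
Chapter 10. System settings
  10.1 System settings module
    10.1.1 Administrator settings
      10.1.1.1 Super administrator
      10.1.1.2 Adding an ordinary administrator
    10.1.2 Defining ID document types for account opening
    10.1.3 Restoring factory settings
    10.1.4 Restarting the device
Chapter 11. Frequently asked questions
Chapter 12. Other notes

Chapter 1. NB1000-WSG-D product introduction
1.1 Front panel and indicator status
[Figure 1-1]
◆ Power: steady green indicates that the device power is connected.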
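Hillstone Multi-Core Security Gateway Command Manual
StoneOS 5.0R3
About this manual
This manual is the command manual for the Hillstone (山石网科) multi-core security gateway.
It describes in detail all the commands used in StoneOS, including each command's syntax, usage, parameters, default values and usage examples.
Document conventions
In this manual, StoneOS command syntax descriptions use the following conventions:
· Braces ({ }): indicate that the content is a required element.
· Square brackets ([ ]): indicate that the content is an optional element.
· Vertical bar (|): separates mutually exclusive options.
· Bold: bold text marks command keywords, the fixed part of the command line, which the user must type exactly as shown.
· Italic: italic text marks parameters for which the user must supply a value.
Command example conventions:
· The parts of a command example that the user must type are shown in bold.
· Variables for which the user must supply a value are shown in italic.
· Command examples include output from different platforms, so there may be slight differences.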
Contents (chapter level): How to Use the StoneOS CLI; StoneOS System Management Commands; System Architecture Commands; Security Gateway Application Mode Commands; Security Gateway Network Deployment Mode Commands; Zone Commands; Interface Commands; Address Commands; Service Commands; Policy Commands; Security Control Commands; Authentication and Authorization Commands; 802.1X Authentication Protocol Commands; Network Address Translation (NAT) Commands; Application Layer Identification and Control Commands; IPSec Protocol Commands; Secure Connect VPN Commands; Dial-up VPN Commands; PnPVPN Commands; GRE Commands; L2TP Commands; Attack Defense Commands; Switching Commands; Routing Commands; Network Parameter Commands; Virtual System Commands; QoS Management Commands; PKI Configuration Commands; High Availability Commands; Virus Filtering Commands; IPS Commands; Network Behavior Control Commands; Statistics Commands; Logging Commands; GTP Protection Commands; IPv6 Commands; Show Commands.
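网御星云 Security Gateway PowerV Command-Line Operation Manual
网御星云 Security Gateway PowerV Command-Line Operation Manual, VERSION 1.0
Statement
♦ The contents of this manual are subject to change without notice.
♦ To the maximum extent permitted by laws and regulations, 北京网御星云信息技术有限公司, apart from the warranty against defects that it bears for this manual and the product, makes no other warranty of any kind, express or implied, including (but not limited to) warranties of the suitability and security of the products recommended in this manual, of their merchantability, and of their fitness for a particular purpose.
♦ To the maximum extent permitted by laws and regulations, 北京网御星云信息技术有限公司 accepts no liability for any damage arising from your use of, or inability to use, this product (including, but not limited to, direct or indirect personal injury, loss of business profits, business interruption, loss of business information, or any other loss).
♦ This manual contains information protected by copyright. No part of this manual may be photocopied, reproduced or translated without the written permission of 北京网御星云信息技术有限公司.
♦ This manual applies to the 网御星云 PowerV series firewalls and VPNs, which are referred to in this manual as the security gateway.
A small part of the document's content varies slightly with the specific product model; the product actually purchased prevails.
♦ 网御星云 accepts no responsibility for any inaccuracy in this material, and reserves the right to change, modify, convert or otherwise revise this material without further notice.
北京网御星云信息技术有限公司, Floor 8, Zhongdian Information Building, 6 Zhongguancun South Street, Haidian District, Beijing, China
Contents: Chapter 1 Preface; Chapter 2 Command-Line Overview; Chapter 3 Quick Start; Chapter 4 System Management; Chapter 5 Network Management; Chapter 6 Routing; Chapter 7 Firewall; Chapter 8 Application Protection; Chapter 9 User Authentication; Chapter 10 Session Management; Chapter 11 VPN; Chapter 12 SSLVPN; Chapter 13 IPv6; Chapter 14 Vulnerability Scanning; Chapter 15 Status Monitoring; Chapter 16 Logs and Alerts; Chapter 17 Other
Chapter 1 Preface
1.1 Introduction
The Command-Line Operation Manual is one of the management manuals for the 网御 security gateway Power V.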
Advanced Secure Gateway Security Gateway Appliance Instruction Manual
Power on the Appliance and Verify LEDs
To verify the appliance is operational:
Confirm the appliance’s power cords are securely connected to a power source.
If the appliance does not automatically power on, press the rear soft power switch.
The state of the appliance’s soft power switch (on or off) is retained when power is removed. This may necessitate pressing the power switch when reapplying power to the
As the appliance boots, verify the following:
The LCD panel displays Symantec and the Power LED turns amber.
Near the end of the boot cycle, the Power LED alternates between amber and green, indicating an unconfigured state.
After the boot cycle has completed, the LCD panel displays the appliance’s model, serial number, and IP address.
Following the initial configuration (see Step 4), the Power LED turns green.
Locking tab
the rail. Do not yet fully tighten the screws.
Copyright © 2019 Symantec Corp. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Blue Coat, and the Blue Coat logo are trademarks or registered trademarks of Symantec Corp. or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this
THE DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. SYMANTEC CORPORATION PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND
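Hillstone SG-6000 Series Security Gateway StoneOS Release Notes
Release Notes
This document is the release notes for StoneOS, the system firmware of the SG-6000 series security gateways. It describes version information, software features, and known issues in the release.
StoneOS 5.0R3P6
This section is the release notes for StoneOS 5.0R3P6.
Product and version information
Product name: Hillstone SG-6000 series security gateway
Product models and system files:
Release date: June 6, 2014
Documentation
The Hillstone SG-6000 series security gateways come with the following manuals:
✹ Hillstone (山石网科) Multi-Core Security Gateway User Manual
✹ Hillstone (山石网科) Multi-Core Security Gateway Command Manual
✹ Hillstone SG-6000 Multi-Core Security Gateway Installation Manual
✹ Hillstone (山石网科) Multi-Core Security Gateway Expansion Module Manual
✹ Hillstone (山石网科) Multi-Core Security Gateway Log Message Reference Manual
✹ Hillstone (山石网科) SNMP Private MIB Reference Manual
Upgrade notes
When upgrading from an earlier version to StoneOS 5.0R3P6, pay attention to the following:
✹ System file upgrade notes
✹ Address book configuration upgrade notes
✹ Policy rule configuration upgrade notes
✹ Statistics set configuration upgrade notes
✹ Interface mirroring configuration upgrade notes
✹ Attack defense configuration upgrade notes
System file upgrade notes
Because earlier versions limited the size of the system file, an upgrade to 5.0R3P6 from any version up to and including 4.0R6P15.1 succeeds only when it is performed through sysloader.
The system versions that can be upgraded directly to 5.0R3P6 are the 5.0R versions after 5.0R2P2, 4.5R3P8, and 4.5R4P1. For lower versions, it is recommended to upgrade to one of these versions first and then to 5.0R3P6.
Address book configuration upgrade notes
StoneOS 5.0R3P6 adds an ID attribute to address entries.
When the system is upgraded from an earlier version to 5.0R3P6, the system converts the existing address book configuration smoothly, without affecting use.
When the system is downgraded from 5.0R3P6, the existing address book configuration is lost.
Policy rule configuration upgrade notes
StoneOS 5.0R3P6 changes the default mode of policy rules to global configuration mode.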
Huawei Eudemon200E-X Series Unified Security Gateway User Manual
Product Overview
As a new-generation unified security gateway, the Huawei Eudemon200E-X Series product family transforms the workspace experience of today's small businesses and enterprises by delivering high-performance routing and switching, strong security enhancement, wireless access and voice business on a single integrated platform.
HUAWEI Eudemon200E-X series products use Huawei's unified software platform, named VRP, and combine traditional network access with integrated network security services. In addition to strong routing and switching features, the Unified Security Gateway Eudemon200E-X has a variety of professional security features, including stateful firewall, VPN, Network Address Translation (NAT), authentication, access control, anti-virus, anti-spam, URL filtering, IPS, application security and other security features, that protect the network against DDoS attacks, worms, Trojan horses, viruses, spam, illegal intrusion and illegal networks. These security features, together with a high degree of integration of wide area network (WAN), local area network (LAN), wireless WAN (WWAN) and wireless LAN (WLAN) interfaces, make sustainable, flexible end-to-end security services a reality.
Product Description
Product Features
Leading infrastructure platforms
■ Eudemon200E-X series products use advanced multi-threaded multi-core hardware architectures and parallel processing technology to optimize the safety of business processes, which makes them sufficient to handle the network traffic of all kinds of large-scale applications. The mature VRP software platform gives Eudemon200E-X Series products a robust operating system, the security operating system users trust most.
Extensive routing, switching, wireless (Wi-Fi, 3G) and security
■ Eudemon200E-X series products bring routing, switching, wireless (Wi-Fi, 3G), voice and security functions together in one device. Integrating the deployment of traditional routers, traditional switches, traditional firewalls and UTM solutions helps companies improve efficiency, reduce maintenance complexity, and reduce TCO.
Comprehensive dedicated technologies for network protection
■ Integrated UTM functions:
• IPS: intrusion detection uses Symantec's advanced IPS detection engines to provide efficient and accurate network packet scanning. With advanced software and hardware platforms and a rich signature library, Eudemon200E-X series products can quickly and accurately identify attacks.
• AV: efficiently and precisely detects and removes hidden viruses in network traffic by virtue of Symantec's cutting-edge virus detection engine.
• AS: effectively blocks spam and purifies enterprises' mail systems, thus preventing spam from interfering with normal services.
• URL filtering and P2P/IM control: precisely identifies access to illegitimate Web sites and over 60 P2P/IM applications, and provides alerting, traffic limiting, and blocking actions to guarantee bandwidth for normal services.
Diversified VPNs
■ The Eudemon200E-X delivers powerful VPN functions and supports the following common VPNs for differentiated VPN applications:
• L2TP
• IPSec VPN
• Dynamic VPN (DVPN)
• SSL VPN
• GRE
• MPLS VPN
Flexible scalability
■ Eudemon200E-X series products support three types of expansion slot (MIC, FIC and DFIC), which support FE, GE, E1/CE1, SA, ADSL2+, G.SHDSL, WIFI, 3G, GPON and other ways of accessing the Internet, giving users a wealth of access options.
Product Specifications
Copyright © Huawei Technologies Co., Ltd. 2011. All rights reserved.
General Disclaimer
The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
HUAWEI TECHNOLOGIES CO., LTD.
Huawei Industrial Base
Bantian Longgang
Shenzhen 518129, P.R. China
Tel: +86-755-28780808
Version No.: M3-110019999-20110629-C-1.0
Huawei E8000E Series 10-Gigabit IPS Security Gateway User Manual
Nowadays, network bandwidths increase rapidly, and security threats and attacks also flood networks. Therefore, enterprises and carriers must ensure service security and continuity while extending their network structure. The E8000E adopts a distributed hardware and software design. Its LPUs and SPUs are mutually independent and support on-demand configuration. Therefore, the E8000E provides flexible processing capability, diversified I/O interfaces, and abundant security services. This perfectly satisfies the requirements of users (including data centers, carriers, ISPs, and governments) for high integrity, quick response, high-speed processing, and long-term guarantee.
Product Description
Combining a dedicated multi-core processor with a distributed hardware platform and adopting an innovative NP+multi-core+distributed architecture, the E8000E breaks through the performance bottleneck of the CPU. It delivers industry-leading service processing capability and service expansion capability. In addition, full-redundancy technology is applied to all components. The E8000E provides diversified technical guarantees, including dual-NP interface modules, dual-CPU service processing modules, dual-MPU control modules, dual power supplies, and load balancing. All these ensure core router-level reliability, which further guarantees service continuity in high-speed networking.
The E8000E utilizes dynamic distributed concurrent processing technology. Service traffic is forwarded to multiple dedicated SPUs at the line rate in a distributed manner. Additionally, the SPUs support on-demand configuration, which thoroughly solves the conflict between service processing performance and data forwarding capability in ever-increasing high-speed networking. This distributed technology uses line-rate intelligent traffic splitting for data forwarding. All data flows are equally distributed to service processing modules to prevent performance bottlenecks. In so doing, the service processing performance increases at the line rate in accordance with service modules, fundamentally supporting the long-term development of networks.
The E8000E supports multiple LPUs, and users can configure LPUs flexibly as required. Furthermore, LPUs and SPUs adopt the same slot type. Thus, different combinations of LPUs and SPUs can be implemented for various interface and performance requirements, providing users with customized security protection solutions.
The E8000E has a maximum interface capacity of 320 Gbps and provides 30 10GE interfaces and 360 GE interfaces. The E8000E also supports various POS interfaces and cross-board interface binding, which meets the requirements for large interface capacity and high interface density. Moreover, this also meets the networking requirements in complicated situations, such as the Metropolitan Area Networks (MANs) of carriers, large enterprises, and data centers.
The E8000E series includes two models, namely, the E8080E and E8160E. The E8160E provides industry-leading security protection capability and scalability. It supports 16 extension slots. The maximum firewall throughput reaches 160 Gbps; the IPS performance is 64 Gbps; the number of new connections per second is 4M, and 64M concurrent connections are supported; the VPN performance is 96 Gbps. The E8080E adopts the same software and hardware architecture as the E8160E. The E8080E, however, supports only 8 extension slots, and its integrated performance is just half that of the E8160E.
[Figure: E8080E and E8160E]
The SPU, heart of the E8000E, processes all services. To realize flexible configuration, the board combination design is adopted. Each SPU contains two parts, that is, the mother board and extension board, which can be deployed either independently or separately. The mother board provides 10G firewall performance and the mother board+extension board provides 20G firewall performance.
The SPU adopts multi-core+multi-processor hardware and implements service features through software modules. A heartbeat detection mechanism runs between the SPU and LPU. Moreover, the SPU supports mutual backup. When an SPU is faulty, all its traffic is immediately distributed to other SPUs, preventing service interruption.
The LPU, limb of the E8000E, is responsible for external connection and data transmission. The LPU integrates a high-speed network processor to ensure flexibility. Certain firewall functions can be implemented on the LPU, which significantly reduces the pressure on the SPU. The network processor provides a special processing design for each type of packet, for example, a dedicated co-processor for hardware-based table searching and a professional bit operation design, giving it a unique advantage in small packet processing. Thus, the E8000E can realize almost-line-rate performance when processing mixed traffic on the network.
Through the interworking between the LPU and SPU, the E8000E delivers high performance for service processing, as well as sound scalability.
Product Features
Advanced NP + multi-system + distributed architecture — breaking traditional performance bottlenecks
The E8000E adopts an architecture of independent control modules, interface modules, and service processing modules. Based on the dual NP, the interface module ensures line-speed forwarding of interface traffic. Based on the multi-core and multi-thread architecture, the service processing module ensures high-speed concurrent processing of multiple services, such as Network Address Translation (NAT), Application Specific Packet Filter (ASPF), Anti-DDoS, and VPN. The E8000E adopts a distributed concurrent processing mechanism, which greatly enhances product performance. Thus, users can expand capacity with low pre-phase investment.
High firewall performance — guaranteeing users' key services
The three main indexes of the E8000E (throughput, number of connections established per second, and maximum number of concurrent connections) are in leading positions. The throughput of one service processing module of the E8000E is 20 G; the number of connections established per second is 500,000; and the maximum number of concurrent connections is 8,000,000. Furthermore, the E8000E has a maximum of eight service processing modules and its entire throughput reaches 160 G; the number of connections established per second is 4,000,000; the maximum number of concurrent connections is 64,000,000; and the number of virtual firewalls is 1024. The high performance and expandability of the E8000E can meet high-end users' requirements for high performance.
Stable and reliable security gateway — ensuring consistency of users' services
Network security is a key point for enterprise operations. The E8000E supports redundant components, such as interfaces, fans, and power supplies, as well as hot swap, dual processing engines, master/backup and master/master networking, and high reliability. Different service boards of the E8000E support load balancing and mutual hot backup, so the failure of a single board does not affect the entire system. Meanwhile, together with BYPASS devices, services are not interrupted even if faults or power failures occur on devices. The mean time between failures of the E8000E is as long as 500,000 hours, and the failover time is less than 0.1 second. These ensure consistent and stable service operations.
Optimal VPN performance — adapting to requirements for encrypted transmission of mass services
With the increase of network applications, more and more services need to be transmitted safely on the public network. Subsequently, services that require mass VPN access gateways of 100-Gigabit emerge, such as mobile security access, Short Message Service (SMS) push, and email push. The E8000E provides a maximum of 96 Gbps encryption and decryption performance and supports 320,000 concurrent VPN tunnels, making it the highest-performance VPN access gateway for the moment. The E8000E also supports the IKEv2 protocol and enhances the functions of user authentication, packet authentication, and NAT traversal. Thus, the E8000E eliminates the hidden hazards of man-in-the-middle attacks and DDoS attacks, and supports wireless authentication protocols, such as EAP-SIM and EAP-AKA, which effectively ensures wireless network security.
Practical IPS feature — defending against external threats and promoting network security
The core technologies of the IPS are embodied in the detection engine performance, signature identification efficiency, and integrated processing performance. Adopting an advanced IPS detection engine and a mature signature database, the Huawei E8000E defends against various threats, including system vulnerabilities, unauthorized automatic downloading, spoofing software, spyware/adware, abnormal protocols, and P2P anomalies. A single vulnerability-based signature covers thousands of attacks. Supplemented with a globally deployed honeypot system, the E8000E can capture the latest attack, worm, and Trojan horse features, thus providing zero-day attack defense capability.
Moreover, the practicability of the IPS is significantly improved. The E8000E adopts internal off-line and "one board one feature" technologies; certain necessary service traffic is split to the dedicated SPU. In so doing, the service processing capability is improved; furthermore, the traffic processing does not affect the basic services of the firewall, ensuring service continuity.
Product Specification
Copyright © Huawei Technologies Co., Ltd. 2011. All rights reserved.
General Disclaimer
The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
HUAWEI TECHNOLOGIES CO., LTD.
Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, P.R. China
Tel: +86-755-28780808
Version No.: M3-110019999-20110805-C-1.0
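Tengming (腾铭) Firewall Security Gateway TM-200 Manual
Tengming Firewall Security Gateway TM-200 User Manual
● Professional VPN
● Enterprise-grade firewall
● Content filtering
● Intelligent routing
● Bandwidth aggregation
● Load balancing
● Dynamic addressing
● Traffic monitoring
● Access control
● Plug and play
Revision 1.0, August 1, 2007
育成佳讯科技(深圳)有限公司
6C, Jinyin Pavilion, Jinbao City, Nanyuan Middle Road, Futian District, Shenzhen
TEL: 0755-******** 0755-******** FAX: 83791280
How to Use This User Manual
This user manual is designed to help you understand how to use the firewall to connect to the network. As you read it, look out for the following items:
The check mark indicates points that deserve particular attention when you use the firewall.
The exclamation mark indicates a caution or warning, pointing out something that could damage your equipment or the firewall.
The question mark reminds you of something you should consider doing when using the firewall.
In addition to these symbols, definitions of technical terms are presented as follows:
Term: definition.
Also, each figure (diagram, screenshot, or other image) is accompanied by a figure number and caption, for example:
Figure 0-1: Sample figure caption
Figure numbers and captions can also be found in the list of figures.
Contents
Chapter 1 Introduction
Chapter 2 Networking Basics
Chapter 3 Getting to Know the Device
Chapter 4 Connecting the Device
Chapter 5 Configuring the Device
1 Summary
2 How to Access the Configuration Interface
3 System Menu
3.1 System Information
3.2 Network Settings Status
3.3 Firewall Settings Status
3. VPN Settings Status
4 Interface Configuration Menu
4.1 Mode Selection
4.2 WAN Port Configuration
4.3 LAN Configuration
5 Network Configuration Menu
5.1 LAN DHCP
5.2 DNS & DDNS Configuration
5.3 Static Route Settings
5.4 VLAN Settings
5.5 LAN IP Binding
6 Firewall Menu
6.1 Setting Options
6.2 Schedules
6.3 IP Management
6.4 Services
6.5 Port Mapping
6.6 IP Address Mapping
6.7 Packet Control Policies
6.8 Session List
7 VPN Configuration
7.1 VPN Configuration List
7.2 VPN Status
7.3 PPTP
8 Service Management Menu
9.1 Time Settings
9.2 Command-Line Tools
9.3 System Upgrade
9.4 Configuration Backup and Restore
9.5 Restore Defaults
10 Traffic Management
10.1 IP Traffic Control
11 Configuration Wizard
13 Change Account
13.1 Change Password
13.2 Confirm Login Password
14 Log Out
Appendix A Troubleshooting
Appendix B Installing the Client Software
1 IPSec VPN Client Configuration Software
List of Figures
Figure 1 Front panel of the chassis
Figure 2 Rear panel of the chassis: 4 LAN ports + 2 WAN ports
List of Tables
Table 1 Network ports
Table 2 Indicator LED status
Chapter 1 Introduction
Welcome
The virtual private network (VPN) feature of the TM200 lets you build encrypted tunnels over public networks, providing a secure, reliable, and manageable private network that allows up to 200 remote offices or mobile users to access the office's internal network remotely.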
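Hillstone SA-2010 High-Performance Pure-Hardware Security Gateway Manual
Innovative network security architecture
The Hillstone SA-2010 uses advanced multi-core processor technology, a dedicated security chip (ASIC) developed in-house, and an internal high-speed switching bus. Together these give the Hillstone SA-2010 a qualitative leap in application-layer security processing performance and provide a professional high-performance hardware platform for enterprise application security.
Powerful processing capability
The Hillstone SA-2010 uses a 64-bit network-dedicated multi-core parallel processor with computing power exceeding 3.2 GOPS. It avoids the weak session-creation and traffic-control capabilities of traditional ASIC and NP security systems, and guarantees strong processing capability for VPN and application-layer content security functions.
Strong attack resistance
The multi-core processor architecture and the new-generation StoneOS secure operating system used by the Hillstone SA-2010 provide high-performance application security processing and stronger resistance to application-layer attacks.
The Hillstone SA-2010 can process more than 30,000 TCP session requests per second, 5 to 10 times that of comparable products, giving it very strong protection against DDoS attacks.
Robust dedicated real-time operating system
StoneOS, the 64-bit real-time parallel operating system developed in-house by Hillstone, has strong parallel processing capability and a modular structure that makes it easy to integrate and extend with more security functions.
Comprehensive optimization and security hardening for the new generation of multi-core processors greatly improve the system's processing efficiency, stability, and security.
The modular, parallel multitasking processing mechanism gives Hillstone's new-generation network security system great scalability, including support for processors with more cores and integration of more security functions.
Fine-grained traffic control
Relying on the high-performance multi-core processor and the dedicated ASIC chip, the Hillstone SA-2010 can implement fine-grained traffic control based on users and applications.
While maintaining system performance, the Hillstone SA-2010 can control traffic at a granularity of 1 kbps for up to 2,500 users.
Application-based traffic control can identify various P2P and IM (instant messaging) protocols and, used together with the schedule feature, helps you control bandwidth allocation flexibly.
VPN
Hillstone SA supports IPSec and SSL VPN, which can be combined flexibly across multiple topologies to solve your remote interconnection and remote access problems.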
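Security Gateway Product Manual
Introduction
Welcome, and thank you for purchasing this Unicom (联通) network information security product to build your real-time network protection system.
The ZXSEC US unified threat management system (security gateway) strengthens network security, prevents misuse and abuse of network resources, and helps you use communication resources more effectively without degrading network performance.
The ZXSEC US unified security gateway is a security appliance that is dedicated to network security and easy to manage.
It is fully featured, including:
● Application-layer services, such as virus protection, intrusion protection, spam filtering, web content filtering, and IM/P2P filtering services.
● Network-layer services, such as firewall, intrusion protection, IPSec and SSL VPN, and traffic control.
● Management services, such as user authentication, sending logs and reports to USLA, device management settings, secure web and CLI management access, and SNMP.
The ZXSEC US unified security gateway uses the ZXSEC US Dynamic Threat Prevention System (DTPS™), which offers many technical advantages in chip design, network communication, security defense, and content analysis.
Its unique ASIC-based network security architecture analyzes network content and state in real time and promptly activates the key protection applications deployed at the network border, so that your network is protected as effectively as possible at all times.
ZXSEC US Device Overview
All ZXSEC US unified security gateways provide network-based antivirus, web content filtering, firewall, VPN, and intrusion protection for users ranging from SOHO to enterprise level.
ZXSEC US550
The performance, availability, and reliability of the ZXSEC US550 meet enterprise-level requirements.
The ZXSEC US550 also supports high-availability clustering, including failover between the primary and secondary HA devices without dropping sessions, which makes it an ideal choice for mission-critical systems.
ZXSEC US350
The ZXSEC US350 is easy to deploy and manage, and provides high added value and reliable performance for SOHO and branch-office applications.
The ZXSEC US installation guide walks users through simple steps to get the device running within minutes.
ZXSEC US180
The ZXSEC US180 is designed for SOHO and small and medium-sized enterprises.
The ZXSEC US180 supports advanced features such as 802.1Q, virtual domains, and the RIP and OSPF routing protocols.
ZXSEC US120
The ZXSEC US120 is designed for remote offices and retail store management. It has an analog modem interface that can serve as a backup Internet connection or as a standalone Internet connection.
ZXSEC US70
The ZXSEC US70 is designed for teleworkers and small remote offices with 10 or fewer employees.
The ZXSEC US70 has an external modem port that can serve as a backup Internet connection or as a standalone Internet connection.
ZXSEC US Product Family
The ZXSEC US product family covers a complete set of network security solutions, including mail, logging, reporting, network management, security management, and the ZXSEC US unified security gateway, in both software and hardware products.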
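Main Functions of ZXSEC US Products
Web-based manager
ZXSEC US devices provide a user-friendly, web-based graphical management interface.
Using HTTP or a secure HTTPS connection from a computer running an Internet browser, you can configure and manage the ZXSEC US device.
The web-based manager supports multiple languages.
You can configure the ZXSEC US device to accept HTTP and HTTPS management access from any ZXSEC US device interface.
The web-based manager can be used to configure most ZXSEC US device settings and to monitor the status of the device.
Configuration changes made through the web-based manager take effect without resetting the firewall or interrupting service.
After completing the required configuration, you can download and save it.
You can restore a saved configuration at any time.
Virtual domains
Configuring virtual domains enables the device to act as multiple virtual devices that provide firewall and routing services to multiple networks.
System status
On this page you can view the current status of the ZXSEC US device, including the device serial number, uptime, system resource usage, US Service™ license information, alert messages, and session information.
Network configuration
System network settings determine how the ZXSEC US device is configured into the network to operate as a firewall.
Basic network settings include setting up the ZXSEC US device and DNS.
Advanced configuration includes adding VLAN subinterfaces and zones to the ZXSEC US device network configuration.
Wireless configuration
Configures the wireless LAN interface of ZXSEC US wireless devices.
This covers the ZXSEC US wireless LAN interface, channel assignment, system wireless settings, wireless MAC filtering, and wireless monitoring.
Configure DHCP to provide users with a convenient automatic network configuration service.
This covers the ZXSEC US DHCP server and relay agent, configuring DHCP services, and viewing address lease information.
System configuration
Covers several non-network functions of the ZXSEC US device, including HA (high availability), SNMP, replacement messages, timeout settings, and the language display properties of the web-based manager.
HA, SNMP, and replacement messages are part of the global configuration of the ZXSEC US device.
Changing the operation mode applies to each VDOM.
System administrator settings
Administrators can access the ZXSEC US device and configure its operation.
After the initial installation of the device, the default configuration has only one administrator account, with the user name admin.
By connecting to the web-based manager or the CLI, you can also control the access permissions of each administrator account and the IP addresses from which administrators connect to the ZXSEC US device.
Each administrator has a certain access permission level.
Access profiles divide access to the ZXSEC US device into different access control categories, which determine read or write permission on the ZXSEC US device.
Regular administrator accounts access configuration options according to their access profile.
If virtual domains are enabled, a regular administrator account assigned to one VDOM cannot access global configuration options or the configuration of any other VDOM.
The admin account has no access profile, so its permissions are unrestricted.
You cannot delete the admin administrator account, but you can rename it, set trusted hosts for it, and change its password.
By default, the admin account has no password set.
System maintenance
Covers backing up and restoring the system configuration and obtaining automatic updates from the US Service Distribution Network.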
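Static routes
Configuring routing on the ZXSEC US device means supplying the information the device needs to forward packets to a particular destination.
Static routes are set to forward packets to destinations other than the factory-default gateway.
You can configure the default gateway from the factory-configured default static route.
You must either edit the factory-default route to point the ZXSEC US device to a different default gateway, or delete the factory-configured route and specify a default static route to the default gateway.
You can also define routing policy options.
A routing policy contains rules that examine the attributes of incoming traffic.
With routing policies, you can configure the ZXSEC US device to route packets according to the source and/or destination IP address in the packet header and other rules, such as which interface receives the packet and which port is set to transmit it.
Dynamic routing
Dynamic routing protocols enable the ZXSEC US device to share information automatically with neighboring routers and to obtain the routes and network status information advertised by neighboring routers.
ZXSEC US devices support the following dynamic routing protocols: Routing Information Protocol (RIP), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP).
Routing monitor
View the routing monitor list, which displays the routing table entries on the ZXSEC US device.
This covers displaying routing information and searching the ZXSEC US routing table.
Firewall policies
Firewall policies control all traffic passing through the ZXSEC US device.
Add firewall policies to control connections and traffic between ZXSEC US interfaces, zones, and VLAN subinterfaces.
Firewall addresses
You can add, edit, and delete firewall addresses as needed.
Firewall addresses are added to the source and destination address fields of firewall policies.
Addresses added to a firewall policy are matched against the source and destination addresses of packets received by the ZXSEC US device.
Firewall services
Service settings identify the types of communication sessions that the firewall accepts or denies.
You can add any of the predefined services to a policy.
You can also create custom (user-defined) services or add services to service groups.
Firewall schedules
Schedules control the times at which policies are activated and deactivated.
You can set one-time schedules or recurring schedules.
Use a one-time schedule to create a policy that is effective during a specified time period.
A recurring schedule repeats weekly.
You can use a recurring schedule to make a policy effective only at specified recurring times of day or on certain days of the week.
Firewall virtual IP addresses
Configure ZXSEC US virtual IP addresses and IP address pools, and configure their use in firewall policies.
Protection profiles
Use protection profiles to apply different protection settings to traffic controlled by firewall policies.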
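VPN IPSEC
ZXSEC US devices implement the IP Encapsulating Security Payload (ESP) protocol in tunnel mode.
Encrypted packets can be routed to any IP network just like ordinary packets.
Internet Key Exchange (IKE) is performed automatically based on pre-shared keys or X.509 digital certificates.
You can also set keys manually in this feature.
Interface mode is supported only in NAT/Route mode.
In NAT/Route mode, a local endpoint can be created for the VPN tunnel.
Configuring PPTP
ZXSEC US devices support the Point-to-Point Tunneling Protocol for carrying PPP traffic between two peers.
Windows or Linux PPTP users can establish a PPTP tunnel with a ZXSEC US device configured as a PPTP server.
You can also configure the ZXSEC US device to forward PPTP packets to a PPTP server on the network behind the ZXSEC US device.
PPTP configuration applies only to NAT/Route mode.
VPN SSL
Configure the SSL features under the VPN menu through the web-based manager.
Only ZXSEC US devices running in NAT/Route mode support SSL VPN.
VPN certificates
Use the web-based manager to work with and manage X.509 security certificates.
This covers generating certificate requests, installing signed certificates, importing CA root certificates and certificate revocation lists, and backing up and restoring installed certificates and private keys.
Users
Set up user accounts, user groups, and external authentication servers.
By defining authenticated users (or user groups), you can control access to network resources.
Antivirus protection
When creating a firewall protection profile, go to the antivirus menu to access the antivirus configuration options.
While antivirus settings are configured system-wide, specific settings can be applied in each protection profile.
IPS (intrusion protection)
The ZXSEC US intrusion prevention system (IPS) combines signature-based and anomaly-based intrusion protection, shortening the latency period of threats and improving the reliability of the device.
IPS options can be configured when you create a firewall protection profile.
Web filtering
Configure the web filtering options. Web filtering must be enabled in an active protection profile to take effect.
Antispam
Configure the spam filtering features in the protection profile.
This covers spam filtering, banned words, black/white lists, advanced spam filtering options, and the use of Perl regular expressions.
IM/P2P
IM/P2P provides user management tools for instant messaging and status information about the use of IM and P2P on the network.
IM and P2P must be enabled in an active protection profile to take effect.
Logs and reports
Covers the logging features, viewing log files, and viewing reports through the web manager.
ZXSEC US devices provide extensive logging and can record logs for network traffic, the system, and network protection profiles.
Detailed log information and reports let you analyze historical and current network activity, which helps identify network security issues and reduce misuse and abuse of the network.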