H3C+SecPath+U200-C统一威胁管理产品+客户使用手册-5PW101

合集下载

HCSECPATHR版本说明书

非经本公司书面许可，任何单位和个人不得擅自摘抄、复制本文档内容的部分或全部，并不得以任何形式传播。

本文档中的信息可能变动，恕不另行通知。

目录SECPATH9000M-SECBLADENGFW-CMW710-R9115P11版本 (1)1.1 NAT配置命令修改 (1)1.1.1 address (1)SECPATH9000M-SECBLADENGFW-CMW710-R9115P10版本 (1)1 新增特性—设备在域间策略丢包时，发送ICMP差错报文 (1)1.1.1 aspf icmp-error reply (1)2 新增特性—在NAT转换失败时，发送ICMP差错报文 (2)2.1 nat icmp-error reply (2)3 变更特性—会话备份 (2)3.1 变更会话备份默认属性 (2)3.2 新增会话备份配置命令 (3)3.2.1 session synchronization { dns | http } * (3)4 变更特性—NAT ALG 默认配置变更 (4)4.1 NAT ALG 默认配置命令 (4)4.1.1 nat alg (4)SECPATH9000M-SECBLADENGFW-CMW710-R9115P05版本 (1)1 修改命令 (1)1.1.1 nat server (1)SECPATH9000M-SECBLADENGFW-CMW710-R9115P04版本 (1)SECPATH9000M-SECBLADENGFW-CMW710-R9115P02版本 (1)SECPATH9000M-SECBLADENGFW-CMW710-R9115版本 (1)1 新增特性—配置流量转发模式 (1)1.1 流量转发模式配置 (1)1.2 流量转发模式配置命令 (1)1.2.1 forwarding policy (1)SECPATH9000M-SECBLADENGFW-CMW710-E9114P05版本 (3)SECPATH9000M-SECBLADENGFW-CMW710-E9114P04版本 (4)1 新增特性—静态NAT生成OpneFlow流表功能 (4)1.1 静态NAT生成OpneFlow流表功能配置 (4)1.2 静态NAT生成OpneFlow流表功能配置命令 (4)SECPATH9000M-SECBLADENGFW-CMW710-E9114P03版本 (6)SECPATH9000M-SECBLADENGFW-CMW710-E9114P01版本 (7)1 新增特性—配置Track与接口物理状态联动 (7)1.1 Track与接口物理状态联动配置 (7)1.2 Track与接口物理状态联动配置命令 (7)1.2.1 track interface physical (7)2 变更特性—开启会话统计功能 (8)2.1 特性变更说明 (8)2.2 命令变更说明 (8)2.2.1 修改—开启会话统计功能命令 (8)3 变更特性—指定冗余组节点的倒回延时 (9)3.1 特性变更说明 (9)3.2 命令变更说明 (9)3.2.1 修改—指定冗余组节点的倒回延时命令 (9)SECPATH9000M-SECBLADENGFW-CMW710-D9112版本 (10)1 新增特性－配置Context (10)1.1 Context配置 (10)1.1.1 为Context分配VLAN配置 (10)1.1.2 为Context限制吞吐量 (11)1.1.3 为Context限制对象策略规则数 (11)1.1.4 为Context限制会话并发数 (12)1.1.5 为Context限制会话新建速率 (12)1.2 Contex配置命令 (12)2 新增特性－清除安全引擎的加载软件包 (13)2.1 清除安全引擎的加载软件包配置命令 (13)2.1.1 reset boot-loader blade (13)3 新增特性－普通二层转发 (14)3.1 普通二层转发配置 (14)3.1.1 普通二层转发的工作机制 (14)3.1.2 配置普通二层转发 (14)3.1.3 普通二层转发显示和维护 (14)3.2 普通二层转发配置命令 (14)3.2.2 reset mac-forwarding statistics (16)4 新增特性－定位设备 (16)4.1 定位设备配置 (16)4.2 定位设备配置命令 (17)4.2.1 locator blink (17)5 新增特性－配置用户角色切换的缺省目的用户角色 (18)5.1 用户角色切换的缺省目的用户角色配置命令 (18)5.2 super default role (18)6 新增特性—DHCP地址池报警功能 (19)6.1 DHCP地址池报警功能配置 (19)6.2 DHCP地址池报警功能配置命令 (19)6.2.1 ip-in-use threshold (19)7 新增特性－ACL加速配置 (20)7.1 ACL加速配置 (20)7.2 ACL加速命令 (21)7.2.1 accelerate (21)7.2.2 display acl accelerate (22)8 新增特性—配置攻击检测与防范 (23)8.1 攻击检测与防范配置 (23)8.1.1 攻击检测及防范简介 (23)8.1.2 攻击检测及防范配置任务简介 (23)8.1.3 配置攻击防范 (24)8.1.4 配置TCP客户端验证 (32)8.1.5 配置DNS客户端验证 (32)8.1.6 配置HTTP客户端验证 (32)8.1.7 配置黑名单 (33)8.2 攻击检测与防范配置命令 (33)9 新增特性—配置对象策略加速 (37)9.1 对象策略加速配置 (37)9.2 对象策略加速配置命令 (37)9.2.1 accelerate (37)10 新增特性—显示对象策略加速功能相关信息 (38)10.1 显示对象策略加速功能相关信息配置 (38)10.2 显示对象策略加速功能相关信息配置命令 (38)10.2.1 portal nas-port-id format (38)11 新增特性—配置会话业务热备功能 (39)11.1 会话业务热备份功能配置 (39)11.2 会话业务热备功能配置命令 (39)11.3 session synchronization enable (39)12.1 备份组配置 (40)12.1.1 配置备份组 (40)12.1.2 备份组显示和维护 (41)12.2 备份组配置命令 (41)12.2.1 bind (41)12.2.2 display failover group (42)12.2.3 failover group (43)13 变更特性－创建安全域实例 (44)13.1 特性变更说明 (44)13.2 命令变更说明 (44)13.2.1 修改- interzone source (44)14 变更特性－显示已创建的所有域间实例的信息 (44)14.1 特性变更说明 (44)14.2 命令变更说明 (45)14.2.1 修改display interzone (45)15 变更特性—在BETH-Trunk接口下加入指定的成员口 (45)15.1 特性变更说明 (45)15.2 命令变更说明 (45)15.2.1 修改- member priority (45)16 变更特性—配置安全域间实例上应用ACL进行报文过滤 (46)16.1 特性变更说明 (46)16.2 命令变更说明 (46)16.2.1 修改- packet-filter (46)17 变更特性—清除ACL在报文过滤中应用的统计信息 (46)17.1 特性变更说明 (46)17.2 命令变更说明 (47)17.2.1 修改- reset packet-filter statistics (47)18 变更特性—配置SSH用户的服务类型 (47)18.1 特性变更说明 (47)18.2 命令变更说明 (47)18.2.1 修改- ssh user service-type (47)19 变更特性—计算用户给定明文密码通过加密算法处理后得到的密文密码所对应摘要 (48)19.1 特性变更说明 (48)19.2 命令变更说明 (48)19.2.1 修改- snmp-agent calculate-password (48)20.1 特性变更说明 (49)20.2 命令变更说明 (49)20.2.1 修改- nqa template (49)21 变更特性—配置本地用户或用户组的授权属性 (50)21.1 特性变更说明 (50)21.2 命令变更说明 (50)21.2.1 修改- authorization-attribute (50)SECPATH9000M-SECBLADENGFW-CMW710-E9110P04版本 (52)1 新增特性—保存上一跳信息 (52)1.1 保存上一跳信息配置 (52)1.2 保存上一跳信息配置命令 (52)1.2.1 iplast-hop hold (52)SECPATH9000M-SECBLADENGFW-CMW710-D9110P03版本 (54)1 变更特性—支持在聚合口和全局下应用QoS策略 (54)1.1 特性变更说明 (54)1.2 命令变更说明 (54)1.2.1 修改-qos apply policy (54)1.2.2 修改-qos apply policy global (55)SECPATH9000M-SECBLADENGFW-CMW710-D9110P02版本 (56)SECPATH9000M-SECBLADENGFW-CMW710-D9110P01版本 (57)SECPATH9000M-SECBLADENGFW-CMW710-R9115P11版本本版本特性变更情况如下：NAT配置命令修改1.1 NAT配置命令修改1.1.1 addressaddress命令用来添加一个地址组成员。

H3CUTM统一威胁管理产品介绍

安全产品介绍第一章 H3C UTM介绍 (1)1.1 H3C SecPath U200-A (11)1.2 H3C SecPath U200-M (12)1.3 H3C SecPath U200-S (13)1.4 H3C SecPath U200-CA (14)1.5 H3C SecPath U200-CM (15)1.5 H3C SecPath U200-CS (15)第一章 H3C UTM介绍H3C SecPath U200是H3C公司面向中小型企业/分支机构设计的新一代UTM（United Threat Management，统一威胁管理)设备，采用高性能的多核、多线程安全平台，保障全部安全功能开启时不降低性能，产品具有极高的性价比。

在提供传统防火墙、VPN功能基础上，同时提供病毒防护、URL过滤、漏洞攻击防护、垃圾邮件防护、P2P/IM应用层流量控制和用户行为审计等安全功能。

H3C公司的SecPath U200不仅能够全面有效的保证用户网络的安全，还支持SNMP和TR-069网管方式，最大化减少设备运营成本和维护复杂性。

市场领先的安全防护功能l 完善的防火墙功能：提供安全区域划分、静态/动态黑名单功能、MAC和IP绑定、访问控制列表（ACL）和攻击防范等基本功能，还提供基于状态的检测过滤、虚拟防火墙、VLAN透传等功能。

能够防御ARP欺骗、TCP报文标志位不合法、Large ICMP报文、CC、SYN flood、地址扫描和端口扫描等多种恶意攻击。

l 丰富的VPN特性：支持L2TP VPN、GRE VPN、IPSec VPN等远程安全接入方式，同时设备集成硬件加密引擎实现高性能的VPN处理。

l 实时的病毒防护：采用Kaspersky公司的流引擎查毒技术，从而迅速、准确查杀网络流量中的病毒等恶意代码。

l 实时的垃圾邮件防护：可以拦截垃圾邮件，净化邮件系统，解决垃圾邮件对正常工作的干扰问题。

H3C SecPath UTM统一威胁管理产品日常维护指导书

H3C UTM产品日常维护指导书V1.0杭州华三通信技术有限公司修订记录目录第1章日常维护建议 (2)1.1 UTM产品日常维护建议 (2)第2章维护操作指导 (4)2.1 H3C UTM设备日常维护操作指导 (4)2.2 H3C UTM设备季度维护操作指导 (4)2.3 H3C UTM设备年度维护操作指导 (5)第3章维护记录表格 (6)3.1 H3C UTM设备日常维护值班日志 (6)3.2 H3C UTM设备季度维护记录表 (7)3.3 H3C UTM设备年度维护记录表 (8)3.4 H3C UTM设备突发问题处理记录表 (9)3.5 硬件更换记录表 (10)3.6 系统参数修改记录表 (11)第4章常见故障处理 (12)4.1 Ping不通或丢包 (12)4.1.1 故障描述 (12)4.1.2 故障处理步骤 (12)4.2 有NAT转换情况下，Ping丢包或不通 (13)4.2.1 故障描述 (13)4.2.2 故障处理步骤 (13)4.2.3 故障诊断命令 ................................................................................. 错误!未定义书签。

4.3 动态NAT转换故障(以动态NAT Outbound为例) (14)4.3.1 故障描述 (14)4.3.2 故障处理步骤 (15)4.4 设备作为出口网关设备割接之后，NAT业务不通，但是设备接口IP地址可以Ping通 (16)4.4.1 故障描述 (16)4.4.2 故障处理步骤 (16)4.4.3 故障诊断命令 ................................................................................. 错误!未定义书签。

4.5 CPU占用率高 (17)4.5.1 故障描述 (17)4.5.2 故障处理步骤 (18)4.6 内存占用率高 (19)4.6.1 故障描述 (19)4.6.2 故障处理步骤 (19)4.6.3 故障诊断命令 ................................................................................. 错误!未定义书签。

H3C SecPath F100-C-SI防火墙 Web配置指导-5PW100-安全配置

目录1访问控制 ············································································································································ 1-11.1 概述 ··················································································································································· 1-11.2 配置访问控制····································································································································· 1-11.3 访问控制典型配置举例 ······················································································································ 1-3 2网站过滤 ············································································································································ 2-12.1 概述 ··················································································································································· 2-12.2 网站过滤典型配置举例 ······················································································································ 2-23 MAC地址过滤 ···································································································································· 3-13.1 概述 ··················································································································································· 3-13.2 配置MAC地址过滤····························································································································· 3-13.2.1 配置MAC地址过滤类型··········································································································· 3-13.2.2 配置要过滤的MAC地址··········································································································· 3-23.3 MAC地址过滤典型配置举例 ·············································································································· 3-3 4攻击防范 ············································································································································ 4-14.1 概述 ··················································································································································· 4-14.1.1 黑名单功能······························································································································ 4-14.1.2 入侵检测功能 ·························································································································· 4-14.2 配置黑名单 ········································································································································ 4-34.2.1 配置概述 ································································································································· 4-34.2.2 启用黑名单过滤功能 ··············································································································· 4-44.2.3 手动新建黑名单表项 ··············································································································· 4-44.2.4 查看黑名单······························································································································ 4-54.3 配置入侵检测····································································································································· 4-54.4 攻击防范典型配置举例 ······················································································································ 4-64.4.1 攻击防范典型配置举例 ··········································································································· 4-6 5应用控制 ············································································································································ 5-15.1 概述 ··················································································································································· 5-15.2 配置应用控制····································································································································· 5-15.2.1 配置概述 ································································································································· 5-15.2.2 加载应用程序 ·························································································································· 5-15.2.3 配置自定义应用程序 ··············································································································· 5-25.2.4 使能应用控制 ·························································································································· 5-35.3 应用控制典型配置举例 ······················································································································ 5-41 访问控制1.1 概述访问控制是指通过设置时间段、局域网内计算机的IP地址、端口范围和数据包协议类型，禁止符合指定条件的数据包通过，来限制局域网内的计算机对Internet的访问。

H3C SecPath U200-CS_U200-CM_U200-CA统一威胁管理产品安装指导-5PW103-第2章接口卡和接口模块

1. 模块简介 NSQ1GT2UA0 是 H3C 公司开发的、类型为 MIM 的高速三层千兆以太网接口模块。该模块提供 2 个 RJ45 电口，并且所有接口都具备三层路由功能。每个接口都由一个独立的指示灯表示当前的运
2-2
行状态。NSQ1GT2UA0 通过 PCIE 的高速总线和处理器连接，能够为用户提供高性能的三层以太网接口的全部功能。 2. 前面板图
图2-1 2GE 前面板图
(1)
(2)
(3)
(4)
(5)
(7)
(1) 松不脱螺丝 (3) GE 口 0 的链路状态指示灯(LINK) (5) GE 口 1 的链路状态指示灯(LINK) (7) GE 口 0 数据收发状态指示灯(ACT)
3. 指示灯说明表2-1 2GE 模块指示灯说明
状态
LINK
常灭常亮
WLAN 模块天线的连接方法，请参见《第 4 章 UTM 设备的安装》中的“4.10.6 连接 NSQ1WLAN0 模块接口天线”。
2.5 槽位排列顺序及接口编号规则
2.5.1 槽位排列顺序
UTM 设备支持多种接口，包括 Console 口、GE 口等，每种接口在配置时按编号排列。
2.5.2 接口编号规则
属性
描述
连接器类型
SFP/LC
接口数量
4个
接口标准
802.3，802.3u 和 802.3ab
接口标准
Ethernet_II Ethernet_SNAP
接口速率
1000Mbps
发送光功率
类型最小最大
短距多模 -9.5dBm 0dBm
中距单模 -9dBm -3dBm
长距（1310nm）长距（1550nm）超长距离

H3C SecPath U200-C

声明
Copyright © 2009-2010 杭州华三通信技术有限公司及其许可者版权
所有，保留一切权利。
未经本公司书面许可，任何单位和个人不得擅自摘抄、复制本书内容的部分或全部，并不得以任何形式传播。
H3C、
、Aolynk、
、H3Care、
、TOP G、
、
IRF、NetPilot、Neocean、NeoVTL、SecPro、SecPoint、SecEngine、 SecPath、Comware、Secware、Storware、NQA、VVG、V2G、VnG、
IMPORTANT! See Compliance and Safety information for the product before connecting to the supply. 您可以通过以下步骤获取本产品的安全与兼容性信息：
To obtain Compliance and Safety information, follow these steps: (1) 请访问网址：/Technical_Documents；
z 第 2 章安全注意事项。介绍 H3C SecPath U200-C 安装和使用中需要注意的事项。
z 第 3 章产品介绍。介绍 H3C SecPath U200-C 的主要功能、应用环境及其外观。
z 第 4 章基本连接配置。介绍 H3C SecPath U200-C 的基本连接配置步骤。
本书约定
1.命令行格式约定
格式
意义
粗体
命令行关键字（命令中保持不变、必须照输的部分）采用加粗字体表示。
斜体
命令行参数（命令中必须由实际值部分在命令配置时是可选的。
格式 { x | y | ... } [ x | y | ... ]

H3C SecPath T200-M入侵防御系统产品彩页-5PW101-20091211

H3C SecPath T200-M 入侵防御系统1 产品概述H3C SecPath T200-M IPS（Intrusion Prevention System）集成入侵防御与检测、病毒过滤、带宽管理和URL过滤等功能，是业界综合防护技术最领先的入侵防御/检测系统。

通过深入到7层的分析与检测，实时阻断网络流量中隐藏的病毒、蠕虫、木马、间谍软件、网页篡改等攻击和恶意行为，实现对网络应用、网络基础设施和网络性能的全面保护。

SecPath T200-M IPS适用于小型网络的数据中心和中小型网络边界。

图1SecPath T200-M2 产品特点强大的入侵抵御能力SecPath IPS是业界唯一集成漏洞库、专业病毒库、应用协议库的IPS产品，特征库数量已达10000+。

配合H3C FIRST（Full Inspection with Rigorous State Test）专有引擎技术，能精确识别并实时防范各种网络攻击和滥用行为。

SecPath IPS通过了国际权威组织CVE(Common Vulnerabilities & Exposures，通用漏洞披露)的兼容性认证，在系统漏洞研究和攻击防御方面达到了业界顶尖水平。

专业的病毒查杀SecPath T200-M IPS集成卡巴斯基防病毒引擎，内置卡巴斯基专业病毒库。

采用第二代启发式代码分析技术、独特的实时监控脚本病毒拦截技术等多种最尖端的反病毒技术，能实时查杀大量文件型、网络型和混合型等各类病毒；并采用新一代虚拟脱壳和行为判断技术，准确查杀各种变种病毒、未知病毒。

零时差的应用保护H3C专业安全团队密切跟踪全球知名安全组织和厂商发布的安全公告，经过分析、验证所有这些威胁，生成保护操作系统、应用系统以及数据库漏洞的特征库；H3C通过了微软的MAPP (Microsoft Active Protections Program)认证，可以提前获得微软的漏洞信息。

H3C UTM统一威胁管理SecPath U系列产品介绍

系统管理 > 安全域管理
默认情况下，高优先级的安全域可以访问低优先级的安全域；低优先级的安全域不允许访问高优先级的安全域点击<编辑安全域>按钮

13
配置接口所属安全域
二层口需指定所属的vlan

14
配置ACL
策略管理 > ACL

10
配置防火墙接口
修改接口参数，如MTU、TCP MSS、工作模式、IP配置

11
配置接口所属安全域：
Internet
UnTrust
G0/1 UTM200S G0/2 G0/3
DMZ Trust

12
配置接口所属安全域：
输入名称

30
应用IPS段策略
对象管理 > 段策略管理，点击< 新建段策略 > 点击“激活”

31
创建防病毒策略、规则
对象管理 > 防病毒管理 > 策略管理 > 创建策略
输入名称

32
应用防病毒段策略
对象管理 > 段策略管理，点击< 新建段策略 > 点击“激活”
15

16
配置NAT
策略管理 > 地址转换策略 > 地址转换
策略管理 > 地址转换策略 > 内部服务器

17
配置访问控制策略-面向对象ACL
策略管理 > 访问控制策略 > 面向对象ACL

18
Vlan配置
系统管理 > 虚拟局域网 > VLAN >新建

37
协议内容审计
修改Notify动作

H3C SecPath U200-CS_U200-CM_U200-CA统一威胁管理产品安装指导-5PW103-第6章 UTM设备的软件维护

目录6 UTM设备的软件维护..........................................................................................................................6-16.1 简介...................................................................................................................................................6-16.1.1 UTM设备管理的文件..............................................................................................................6-16.1.2 BootWare程序文件.................................................................................................................6-16.1.3 应用程序文件..........................................................................................................................6-16.1.4 配置文件.................................................................................................................................6-26.1.5 UTM设备的软件维护的几种方法............................................................................................6-26.2 BootWare菜单...................................................................................................................................6-36.2.1 BootWare主菜单.....................................................................................................................6-36.2.2 串口子菜单..............................................................................................................................6-66.2.3 以太网子菜单..........................................................................................................................6-66.2.4 文件控制子菜单......................................................................................................................6-76.2.5 BootWare操作子菜单.............................................................................................................6-76.2.6 存储设备操作子菜单...............................................................................................................6-86.3 通过串口升级BootWare和应用程序..................................................................................................6-86.3.1 XModem协议简介...................................................................................................................6-86.3.2 串口参数的修改......................................................................................................................6-96.3.3 升级应用程序........................................................................................................................6-106.3.4 升级BootWare......................................................................................................................6-126.4 通过TFTP升级应用程序..................................................................................................................6-146.4.1 在BootWare菜单中通过TFTP升级应用程序.........................................................................6-156.4.2 在命令行模式通过TFTP升级和备份应用程序.......................................................................6-176.5 通过FTP升级应用程序....................................................................................................................6-196.5.1 通过BootWare菜单升级应用程序.........................................................................................6-196.5.2 在命令模式下通过FTP升级应用程序....................................................................................6-206.6 应用程序以及配置文件的维护.........................................................................................................6-246.6.1 显示所有文件........................................................................................................................6-256.6.2 设置应用程序文件类型.........................................................................................................6-256.6.3 删除文件...............................................................................................................................6-266.6.4 设置下次启动配置文件.........................................................................................................6-276.7 口令的丢失处理和修改....................................................................................................................6-286.7.1 BootWare口令丢失处理和修改.............................................................................................6-286.7.2 用户口令丢失的处理.............................................................................................................6-286.7.3 Super Password口令丢失的处理..........................................................................................6-296.8 BootWare的备份和恢复..................................................................................................................6-306.8.1 备份完整BootWare...............................................................................................................6-306.8.2 恢复完整BootWare...............................................................................................................6-31 6.9 Web方式/i-Ware方式升级管理配置.................................................................................................6-326.9.1 概述......................................................................................................................................6-326.9.2 Web方式升级软件.................................................................................................................6-336.9.3 i-Ware方式升级特征库和维护配置文件................................................................................6-356 UTM设备的软件维护6.1 简介6.1.1 UTM设备管理的文件UTM设备有三类文件需要管理，分别是：z BootWare程序文件z应用程序文件z配置文件6.1.2 BootWare程序文件BootWare程序文件是UTM设备启动时用来引导应用程序的文件。

电信H3C SecPath U200-C

目录1 前言...................................................................................................................................................1-11.1 概述...................................................................................................................................................1-11.2 使用说明............................................................................................................................................1-11.3 缩略语...............................................................................................................................................1-12 安全注意事项.....................................................................................................................................2-12.1 基本要求............................................................................................................................................2-12.2 环境要求............................................................................................................................................2-12.3 使用须知............................................................................................................................................2-12.4 清洁须知............................................................................................................................................2-23 产品介绍............................................................................................................................................3-13.1 产品简介............................................................................................................................................3-13.2 应用环境............................................................................................................................................3-13.3 产品特性............................................................................................................................................3-13.4 产品外观............................................................................................................................................3-23.4.1 前面板.....................................................................................................................................3-23.4.2 后面板.....................................................................................................................................3-33.5 产品规格............................................................................................................................................3-44 开通前预配置.....................................................................................................................................4-14.1 环境准备............................................................................................................................................4-14.2 开箱检查............................................................................................................................................4-14.2.1 配件检查.................................................................................................................................4-14.2.2 设备ID检查..............................................................................................................................4-14.3 硬件连接............................................................................................................................................4-24.3.1 设备连线.................................................................................................................................4-24.3.2 开启电源.................................................................................................................................4-24.4 参数准备............................................................................................................................................4-34.4.1 设备登录参数..........................................................................................................................4-34.4.2 配置信息准备..........................................................................................................................4-34.5 登录操作............................................................................................................................................4-44.5.1 PC操作台设置.........................................................................................................................4-44.5.2 登录配置界面..........................................................................................................................4-44.6 开通前预配置.....................................................................................................................................4-44.6.1 配置向导.................................................................................................................................4-44.6.2 选择接入方式..........................................................................................................................4-64.6.4 配置允许进行远程Web登录的主机IP地址..............................................................................4-94.6.5 配置TR069管理平台............................................................................................................4-114.6.6 配置SNMP Trap上报主机地址和SNMP管理地址.................................................................4-124.6.7 配置远程Syslog主机地址......................................................................................................4-134.6.8 配置远程Userlog主机地址....................................................................................................4-144.7 配置状态检查...................................................................................................................................4-164.8 保存配置..........................................................................................................................................4-164.8.1 配置保存...............................................................................................................................4-164.8.2 装箱......................................................................................................................................4-185 产品安装............................................................................................................................................5-15.1 现场连接............................................................................................................................................5-15.2 设备加电............................................................................................................................................5-25.3 客户信息交付和告知..........................................................................................................................5-25.4 连接状态检测.....................................................................................................................................5-26 基本功能配置.....................................................................................................................................6-16.1 修改宽带上网参数.............................................................................................................................6-16.2 配置页面访问密码修改......................................................................................................................6-26.3 无线组网............................................................................................................................................6-36.3.1 使用出厂预配置的无线网络....................................................................................................6-36.3.2 添加新的无线网络...................................................................................................................6-36.4 访问控制............................................................................................................................................6-66.5 入侵检测............................................................................................................................................6-96.6 Web过滤..........................................................................................................................................6-126.6.1 功能简介...............................................................................................................................6-126.6.2 配置举例...............................................................................................................................6-166.7 IPS（入侵防御系统）.....................................................................................................................6-216.8 防病毒.............................................................................................................................................6-216.9 应用程序控制...................................................................................................................................6-226.10 日志配置........................................................................................................................................6-236.11 会话管理........................................................................................................................................6-246.11.1 查看会话列表......................................................................................................................6-246.11.2 配置会话基本设置...............................................................................................................6-256.11.3 配置会话高级设置...............................................................................................................6-266.11.4 配置会话统计使能状态.......................................................................................................6-277 高级功能配置.....................................................................................................................................7-17.1 双线上行（双WAN连接）.................................................................................................................7-17.1.1 综述........................................................................................................................................7-17.2 NAT（包含DMZ及虚拟服务器）.......................................................................................................7-57.2.1 综述........................................................................................................................................7-57.2.2 配置举例（以GE0/1上配置NAT为例）：..............................................................................7-5 7.3 DNS...................................................................................................................................................7-97.3.1 综述........................................................................................................................................7-97.3.2 配置......................................................................................................................................7-10 7.4 DHCP Server..................................................................................................................................7-117.4.1 综述......................................................................................................................................7-117.4.2 配置......................................................................................................................................7-12 7.5 内网网段划分及控制........................................................................................................................7-157.5.1 综述......................................................................................................................................7-157.5.2 配置......................................................................................................................................7-15 7.6 静态路由..........................................................................................................................................7-187.6.1 综述......................................................................................................................................7-187.6.2 配置......................................................................................................................................7-18 7.7 ARP管理..........................................................................................................................................7-197.7.1 ARP表...................................................................................................................................7-197.7.2 免费ARP...............................................................................................................................7-207.7.3 动态表项管理........................................................................................................................7-21 7.8 ARP防攻击......................................................................................................................................7-227.8.1 综述......................................................................................................................................7-227.8.2 配置......................................................................................................................................7-22 7.9 负载均衡..........................................................................................................................................7-247.9.1 综述......................................................................................................................................7-247.9.2 配置......................................................................................................................................7-24 7.10 虚拟专网（IPSec VPN）..............................................................................................................7-287.10.1 综述....................................................................................................................................7-287.10.2 配置....................................................................................................................................7-29 7.11 L2TP..............................................................................................................................................7-397.11.1 综述....................................................................................................................................7-397.11.2 配置....................................................................................................................................7-39 7.12 GRE..............................................................................................................................................7-427.12.1 综述....................................................................................................................................7-427.12.2 配置....................................................................................................................................7-42 7.13 流量监管........................................................................................................................................7-477.13.1 综述....................................................................................................................................7-477.13.2 配置举例.............................................................................................................................7-477.14 服务质量保证（QoS）..................................................................................................................7-497.14.1 综述....................................................................................................................................7-497.14.2 网段带宽限速配置...............................................................................................................7-507.14.3 高级带宽限速配置...............................................................................................................7-507.14.4 高级带宽保证配置...............................................................................................................7-527.15 无线加密/鉴权等配置.....................................................................................................................7-547.15.1 综述....................................................................................................................................7-547.15.2 配置....................................................................................................................................7-568 设备恢复和升级.................................................................................................................................8-18.1 恢复到开通前预配置..........................................................................................................................8-18.2 恢复到出厂预配置.............................................................................................................................8-18.3 设备升级............................................................................................................................................8-28.4 特征库升级........................................................................................................................................8-38.5 特征库License...................................................................................................................................8-49 设备运行状态查看..............................................................................................................................9-19.1 设备状态查看.....................................................................................................................................9-19.1.1 设备信息.................................................................................................................................9-19.1.2 接口状态.................................................................................................................................9-19.1.3 路由信息.................................................................................................................................9-29.1.4 VPN状态.................................................................................................................................9-29.1.5 无线状态.................................................................................................................................9-39.2 设备日志查看.....................................................................................................................................9-39.2.1 综述........................................................................................................................................9-39.2.2 设备访问日志..........................................................................................................................9-39.2.3 设备安全日志..........................................................................................................................9-410 故障诊断和处理方法......................................................................................................................10-110.1 常见故障列表.................................................................................................................................10-110.2 远程诊断........................................................................................................................................10-110.3 现场故障处理.................................................................................................................................10-210.4 诊断工具使用介绍.........................................................................................................................10-210.4.1 Ping工具.............................................................................................................................10-210.4.2 路由追踪工具（TraceRoute）............................................................................................10-3附录A 设备出厂预配置清单. (1)附录B Windows XP无线客户端配置 (1)附录C Windows XP配置动态获取IP地址 (1)附录D IPSec VPN客户端配置 (1)附录E 配置界面简介 (1)1 前言1.1 概述本手册面向H3C SecPath U200-C统一威胁管理产品的安装维护和技术支持工程师，用于指导其安装维护操作。

H3C SecPath+U200典型配置指导

SecPath U200典型配置指导1 介绍H3C SecPath U200-S是H3C公司面向中小型企业/分支机构设计推出的新一代UTM （United Threat Management，统一威胁管理)设备，采用高性能的多核、多线程安全平台，保障在全部安全功能开启时性能不降低；在防火墙、VPN功能基础上，集成了IPS、防病毒、URL过滤、协议内容审计、带宽管理以及反垃圾邮件等安全功能，产品具有极高的性价比。

H3C公司的SecPath U200-S能够全面有效的保证用户网络的安全，同时还可以使用户避免部署多台安全设备所带来的运营成本和维护复杂性问题。

2 组网需求2.1 组网图2.2 三层模式2.2.1 接口与安全域配置G0/1 三层接口，Trust域，192.168.1.1/24Eth0/0 Trust域，10.254.254.1/24G0/2 三层接口，Untrust域，202.0.0.1/242.2.2 ACL配置用于内网访问Internet时作NAT用于iware访问内网、Internet时作NAT用于深度安全策略2.2.3 NAT配置nat server配置nat outbound配置2.3 二层模式2.3.1 接口与安全域配置G0/1 二层access口，PVID 10，Trust域G0/2 二层access口，PVID为10，UntrustEth0/0 三层接口，Trust域，10.254.254.1/24vlan-interface 10 Trust域，192.168.1.1/242.3.2 ACL配置用于iware访问内网时作NAT用于深度安全策略2.3.3 NAT配置NAT Server配置NAT outbound配置3 U200典型配置举例3.1 IPS/AV特征库升级3.1.1 特征库自动升级（1）功能简述验证U200自动升级IPS/AV特征库（2）测试步骤防火墙Web管理界面，策略管理> 深度安全策略。

H3C SecPath U200-S UTM开局指导书v1.10

H3C SecPath U200-S开局指导书Deployment Instructions for H3C SecPath U200-S Beta Test杭州华三通信技术有限公司Hangzhou H3C Technologies Co., Ltd.(仅供内部使用)(For internal use)拟制：Drafted by: Date 日期审核：Reviewed by: Date 日期审核：Reviewed by: Date 日期批准：Approved by: Date 日期修订记录Revision Records目录1 产品概述 (2)1.1 产品特点 (2)1.1.1 市场领先的安全防护功能 (2)1.1.2 电信级设备高可靠性 (3)1.1.3 智能图形化的管理 (3)1.2 U200-S的外观 (3)1.2.1 前面板图 (3)1.2.2 后面板图 (4)1.2.3 系统结构介绍 (4)1.3 U200-S的管理 (4)1.3.1 WEB方式管理 (5)1.3.2 命令行方式管理 (6)2 UTM基础配置 (6)2.1 UTM的几个基本概念 (6)2.1.1 虚拟设备 (6)2.1.2 安全区域 (7)2.1.3 会话 (8)2.2 UTM的基本工作流程 (9)2.3 UTM的基本配置 (10)3 透明模式基本转发配置（二层转发） (12)3.1 组网需求 (12)3.2 典型配置 (13)3.2.1 命令行下的配置 (13)3.2.2 WEB配置 (13)3.3 注意事项 (14)4 Inline转发基本配置（二层转发） (15)4.1 组网需求 (15)4.2 典型配置 (15)4.2.1 WEB配置 (15)4.3 工作流程 (16)5 路由模式基本转发配置（三层转发） (16)5.1 组网需求 (16)5.2 典型配置 (17)5.2.1 命令行下的配置 (17)5.2.2 WEB配置 (17)6 混合模式转发基本配置 (21)6.1 组网需求 (21)6.2 典型配置 (22)6.2.1 命令行下的配置 (22)6.2.2 WEB配置 (23)6.3 注意事项 (23)7 二层VLAN透传并对 UTM通过业务vlan进行管理 (24)7.1 组网需求 (24)7.2 典型配置 (24)7.2.1 命令行下的配置 (24)7.2.2 WEB配置 (26)8 预配置 (26)8.1 三层模式 (26)8.1.1 接口配置 (26)8.1.2 安全域配置 (27)8.1.3 ACL配置 (28)8.2 二层模式 (33)8.2.1 接口配置 (33)8.2.2 安全域配置 (36)8.2.3 ACL配置 (37)9 IPS/AV特征库升级 (40)9.1 特征库自动升级 (40)9.2 特征库手动升级 (41)9.3 注意事项 (41)10 IPS配置 (42)10.1 组网需求 (42)10.2 典型配置 (42)10.3 注意事项 (48)11 防病毒配置 (49)11.1 组网需求 (49)11.2 典型配置 (49)11.3 注意事项 (55)12 URL过滤 (55)12.1 组网需求 (55)12.2 典型配置 (55)13 协议内容审计 (63)13.1 组网需求 (63)13.2 典型配置 (64)14 带宽管理配置（应用带宽控制） (71)14.1 组网需求 (71)14.2 典型配置 (71)15 带宽管理配置（策略带宽控制） (80)15.1 组网需求 (80)15.2 典型配置 (80)16 U200-S的基本维护 (87)16.1 版本维护 (87)16.1.1 设置设备启动时加载的版本 (87)16.1.2 下载版本到Flash卡 (87)16.1.3 重启设备 (88)16.2 配置维护 (88)16.2.1 配置文件组成 (88)16.2.2 配置保存 (88)16.2.3 配置导入 (89)16.2.4 i-ware配置的导出/导入 (90)开局指导书Customer sites Deployment Instructions关键词：Key words:摘要：Abstract:缩略语清单：List of abbreviations: 对本文所用缩略语进行说明，要求提供每个缩略语的英文全名和中文解释。

华三安全网关U200C开局指导书(20110309)

泉州移动安全网关H3C U200-C 开局指导书（V1.0）H3C Technologies Co., Ltd.杭州华三通信技术有限公司http:// All rights reserved版权所有侵权必究I目录一、概述 (1)二、设备开通 (1)1、连接设备 (2)2、配置IP、网关、DNS等信息、DHCP (2)3、禁PING (3)4、开启ARP防护 (3)5、端口映射 (4)6、无线组网 (4)7、保存配置 (5)三、网管配置 (5)四、流控配置 (6)五、开通信息收集 (6)1 概述该文档介绍了安全网关U200-C的基本配置，用户可以通过简单的几个步骤就可配置完成，将该设备应用于实际环境，并发挥其防火墙和深度检测的功能。

2 设备开通2.1连接设备建立有线连接请按照以下步骤连接本产品。

(1) 用一条网线连接本产品的WAN 接口GE0/0 和入户信息点（以太网端口）。

(2) 用一条网线连接本产品的LAN 接口（GE0/2～GE0/4）和计算机的以太网接口面板示意图U200-C注意：如果设备没有CF 卡，则无法启用防病毒及防攻击等U200-C无线发射缺省开启DHCP功能，网段为：192.168.1.0/24。

登录Web配置界面登录配置界面的步骤如下：（请确定设备的LAN接口与计算机网线连接正常）(1)PC接入G0/2-G0/4任意一个接口，等待自动获取到192.168.1.X段的IP地址：(2)浏览器的地址栏输入“http://192.168.1.1”，按回车键。

浏览器将弹出登录窗口，如下图所示：在登录窗口中输入用户名和密码（缺省用户名为“admin”，缺省密码为“admin”），以及验证码，然后点击【登录】按钮。

密码验证通过后即可进入本产品的配置界面，如下图所示。

2.2配置IP、网关、DNS等信息、DHCP使用快速配置向导，将帮助你完成设备的基本配置，包括设置LAN 口的DHCP 功能和WAN 口的配置。

H3CSecPathU200至中神通UTMWALL的功能迁移手册

H3C SecPath U200至中神通UTMWALL的功能迁移手册更多产品迁移说明：SecPath U系列统一威胁管理产品是H3C公司自主研发的、面向企业级用户开发的新一代专业UTM设备。

SecPath U 系列统一威胁管理产品除了具有传统的防火墙功能外，还支持虚拟设备、安全区域、入侵检测和防御、网关防病毒、防垃圾邮件、P2P 流量控制、URL 过滤等功能，且支持特征库动态更新，能够有效地保证网络安全；采用ASPF 技术，可以对连接过程和非法操作进行监测，并协同ACL 完成动态包过滤；支持多种VPN 业务，提供丰富的路由能力。

武汉中神通信息技术有限公司历经15年的开发和用户使用形成了中神通UTMWALL®系列产品，有硬件整机、OS软件、虚拟化云网关等三种产品形式，OS 由50多个不断增长的功能APP、32种内置日志和5种特征库组成，每个APP都有配套的在线帮助、任务向导、视频演示和状态统计，可以担当安全网关、防火墙、UTM、NGFW等角色，胜任局域网接入、服务器接入、远程VPN接入、流控审计、行为管理、安全防护等重任，具备稳定、易用、全面、节能、自主性高、扩展性好、性价比优的特点，是云计算时代的网络安全产品。

以下是两者之间的功能对比迁移表：SecPath U200业务特性特性说明中神通UTMWALL v1.8功能项页码Web 概述对防火墙功能的Web 网管进行了整体的介绍B快速安装指南2.4 菜单界面954设备概览设备概览模块可以帮助用户了解设备的状态和概要信息，如系统资源状态、设备接口信息等。

1.1系统概要/仪表盘1.5 网卡状态1725防火墙策略配置向导提供了对虚拟设备的防火墙策略的快速配置功能，可以帮助用户完成域间策略相关参数的配置。

2.2 初始设置2.3 任务向导4952IPSec VPN 配置向导IPSec VPN 策略配置向导提供了对IPSec VPN 的快速配置功能，可以帮助用户完成IPSec VPN 相关参数的配置。

H3C SecPath U200-CS_U200-CM_U200-CA统一威胁管理产品安装指导-5PW103-第4章 UTM设备的安装

目录4 UTM设备的安装.................................................................................................................................4-14.1 安装前的准备工作.............................................................................................................................4-14.2 UTM设备的安装流程.........................................................................................................................4-14.3 安装UTM设备到指定位置..................................................................................................................4-24.3.1 将UTM设备安装到工作台上....................................................................................................4-24.3.2 将UTM设备安装到机柜上.......................................................................................................4-24.4 安装通用模块.....................................................................................................................................4-44.5 连接保护地线.....................................................................................................................................4-44.5.1 连接保护地线的重要性...........................................................................................................4-44.5.2 连接保护地线的方法...............................................................................................................4-44.6 安装网口避雷器（可选）..................................................................................................................4-64.6.1 需要工具.................................................................................................................................4-64.6.2 安装步骤.................................................................................................................................4-64.6.3 安装注意事项..........................................................................................................................4-74.7 安装交流电源避雷器（防雷接线排）（可选）..................................................................................4-74.8 选择和安装信号避雷器（可选）........................................................................................................4-84.9 连接电源线........................................................................................................................................4-94.9.1 电源接口及保护地...................................................................................................................4-94.9.2 连接交流电源线....................................................................................................................4-104.10 连接接口电缆.................................................................................................................................4-104.10.1 连接Console口电缆............................................................................................................4-104.10.2 连接以太网电缆..................................................................................................................4-114.10.3 连接2GE模块接口电缆.......................................................................................................4-124.10.4 连接NSQ1GT2UA0模块接口电缆......................................................................................4-124.10.5 连接NSQ1GP4U0模块接口电缆........................................................................................4-124.10.6 连接NSQ1WLAN0模块接口天线........................................................................................4-134.11 安装后的检查.................................................................................................................................4-134 UTM设备的安装4.1 安装前的准备工作z请确认已经仔细阅读第3章的内容。

1、下载文档前请自行甄别文档内容的完整性，平台不提供额外的编辑、内容补充、找答案等附加服务。
2、"仅部分预览"的文档,不可在线预览部分如存在完整性等问题,可反馈申请退款(可完整预览的文档不适用该条件!)。
3、如文档侵犯您的权益，请联系客服反馈,我们会尽快为您处理(人工客服工作时间：9:00-18:30)。

可以快速地浏览各种互联网上的信息，可进行网上交谈、收发电子邮件、获得所需要的信息等。 z 组建多个内部局域网功能，实现各局域网间安全隔离。通过 VLAN 功能用户能方便地在网络中快捷地组建宽带网络，而无需改变任何硬件和通信线路。 z 无线内部组网功能，为您提供灵活方便的接入方式，您可以使用支持无线网卡的电脑通过无线网络接入局域网，省去了连接电脑与网络的网线，在您布线受限的条件下更能显出其优越性。您还可针对不同部门设置不同的无线网络名称，设置不同的访问权限和安全机制，例如为来访人员设置专用的无线网络名称。为避免各无线网络之间的相互干扰，提供自动信道选择和手工配置两种方式，默认采用自动信道选择方式。 z 完善的防火墙功能，基于 URL 的内容过滤、基于 IP 地址、IP 地址段或基于用户的访问控制，保证内网安全。例如，您可以设置 URL 地址，过滤指定网站；设置 URL 关键字，过滤相关网站。您还可以禁止部分电脑在工作日的 9：00－17：00 访问某些游戏娱乐网站。 z 强大的入侵检测功能，本产品的入侵检测功能能够检测拒绝服务（DoS）、扫描窥探、畸形报文等多种类型的攻击，并对攻击采取合理的防范措施。包括黑名单过滤、报文攻击特征识别、流量异常检测、入侵检测统计等。它分析经过本设备的报文的·············································································· 5-12 5.8 IPSec VPN ················································································· 5-14 5.9 入侵检测 ····················································································· 5-26 5.10 Web过滤··················································································· 5-30
目录
1 前言········································································································· 1-1 2 安全注意事项 ·························································································· 2-1 3 产品介绍·································································································· 3-1
3.3.1 前面板 ················································································ 3-3 3.3.2 后面板 ················································································ 3-5 4 基本连接配置 ·························································································· 4-1 4.1 建立有线连接················································································ 4-1 4.2 开启电源 ······················································································· 4-2 4.3 建立无线连接················································································ 4-2 5 业务功能介绍 ·························································································· 5-1 5.1 配置前的准备················································································ 5-1 5.1.1 登录Web配置界面······························································ 5-1 5.1.2 登录命令行配置界面 ·························································· 5-3 5.2 用户密码修改················································································ 5-4 5.3 配置接口IP地址 ············································································ 5-5 5.4 配置接口安全域 ············································································ 5-5 5.5 宽带上网 ······················································································· 5-6 5.6 无线组网 ······················································································· 5-7 5.6.1 使用出厂预配置的无线网络 ··············································· 5-7 5.6.2 添加新的无线网络······························································ 5-7
如果长时间使用设备，外壳会有一定程度的发热。请不必担心，这属于正常现象，设备依旧能正常工作。
2-1
3 产品介绍
3.1 主要功能
本产品已经为您做了全面的预配置工作，您不再需要进行任何配置，正确连接后即可使用。本产品还为您提供了灵活的功能选项，您可以根据自己的需求进行功能选择，您可以使用的功能包括： z 高速宽带上网功能，支持现行各种接入认证方式。通过此功能您
ii
1 前言
SecPath U200-C 统一威胁管理产品是 H3C 公司专门为品牌客户定制的一款功能强大、性能卓越的终端产品，向您提供了一个灵活、安全和完备的企业网络解决方案。它的配置简单、操作方便、使用灵活、安全可靠。为了您更有效的了解和使用本产品，我们向您提供本产品的用户使用手册，请您仔细阅读。本手册包含： z 安全注意事项 z 产品介绍 z 基本连接配置 z 业务功能介绍 z 快速故障定位 z 附录A Windows XP配置动态获取IP地址 z 附录B IPSec VPN客户端配置
燥，以免引起触电或其它危险；请不要使用已破损或老化的电源线。 z 请勿在无人监管的情况下让儿童使用设备；请勿让儿童玩耍设备及小配件，避免因吞咽等行为产生危险。 z 如有不正常现象出现，如：冒烟、声音异常、有异味等，请立刻停止使用，并断开电源，拔出电源插头。 z 安放设备时请在四周和顶部留出 10cm 以上的散热空间，并远离热源或裸露的火源，例如电暖器、蜡烛等。 z 请勿在设备以及电源线或电源插头上放置任何物体。请不要拿物体覆盖机箱的通风口。 z 清洁前，请先停止使用设备并切断电源。清洁时，请使用柔软的干布擦拭设备外壳。 z 请勿自行拆卸设备，设备发生故障时请联系指定的维修点。
3.1 主要功能 ······················································································· 3-1 3.2 规格 ······························································································ 3-2 3.3 外观 ······························································································ 3-3
1-1
2 安全注意事项
在设备的安装和使用中，请注意下列安全事项： z 遇到雷雨天气时请停止使用设备，并断开电源，拔出电源线和电
话线，以免设备遭雷击损坏 z 请将设备放置于平稳工作台上，并安放在通风、无强光直射的环
境中。 z 在存储、运输和使用设备的过程中，必须严格保持干燥。若有液
体意外流入机箱，请立即断开电源，并与指定的维修点联系。 z 请使用设备配套的电源适配器等配件。请保持电源插头清洁、干
5.10.1 网站地址过滤 ································································· 5-31 5.10.2 URL参数过滤 ································································· 5-33 5.10.3 Java阻断 ········································································ 5-34 5.10.4 ActiveX阻断 ··································································· 5-35 5.11 防病毒······················································································· 5-36 5.12 高级网络功能············································································ 5-37 5.13 恢复到出厂配置 ········································································ 5-37 6 快速故障定位 ·························································································· 6-1 附录A Windows XP配置动态获取IP地址······················································· 1 附录B IPSec VPN客户端配置 ······································································· 1