Sangfor SD-WAN Product User Manual
Fortinet Secure SD-WAN Product Brief
SOLUTION BRIEF

Simplifying SD-WAN Operations with Single-Pane Management

Executive Summary

Software-defined wide area networking (SD-WAN) is rapidly replacing traditional WAN for remote office and branch deployments. While SD-WAN offers performance benefits that support new digital innovations, many SD-WAN solutions lack consolidated networking and security features. In response, many network leaders have had to add a complex assortment of tools and solutions to manage and protect their SD-WAN deployments. Instead, they need a simplified approach to contain costs, improve efficiency, and reduce risks. Fortinet Secure SD-WAN addresses each of these requirements, combining next-generation firewalls (NGFWs) with integrated solutions for management and analytics to centralize and simplify SD-WAN operations.

Supporting Innovation While Securing Growing Businesses

Distributed enterprises are adopting digital innovations—such as Software-as-a-Service (SaaS) applications and real-time applications such as voice and video—to increase productivity, improve communications, and foster rapid business growth. However, traditional WAN architectures at many branch and remote office locations struggle to support the traffic demands of these new technologies. This has led to increasing adoption of SD-WAN architectures that utilize more affordable direct internet connections. The SD-WAN market is expected to grow to over $30 billion in 2030, from $3.5 billion in 2022, with a CAGR of 31.2% from 2022 to 2030.[1]

But while SD-WAN improves networking bandwidth, it can also increase the organization's risk exposure. According to Gartner survey analysis, "Customers continue to strive for better WAN performance and visibility, but security now tops their priorities when it comes to the challenges with their WAN."[2]

In many organizations, the need for SD-WAN security has led network engineering and operations leaders to incorporate many different tools and point products to address individual functions, threat exposures, or compliance requirements. But this approach leads to infrastructure complexity, which increases manageability burdens while creating new defensive gaps at the network edge.

Fortinet Simplifies and Secures SD-WAN Deployments

Consolidating networking and security tools requires a secure SD-WAN solution that eliminates the complexity of disaggregated branch infrastructures. This not only reduces the organization's attack surface while enabling digital innovation initiatives, but it also simplifies operations for networking teams.

Fortinet enables the convergence of networking and security to simplify network operations, ensuring a secure and optimized user experience across all network edges with the hybrid mesh firewall (HMF). Hybrid mesh firewall is a new concept bringing all firewall deployments together in an integrated mesh to manage, monitor, and secure all firewall deployments. It unifies network management and security policies for all firewall deployments, whether on-premises for branch, campus, and data center deployments or virtual firewalls for cloud and cloud-native environments. It also uses artificial intelligence and machine learning to provide advanced threat protection. FortiManager is the foundation of HMF, offering unified, centralized management of all FortiGate deployments.

Fortinet Secure SD-WAN can leverage a single-pane-of-glass console with an SD-WAN orchestrator offered as part of FortiManager and provide enhanced analytics and improved reporting with FortiAnalyzer. This allows organizations to significantly simplify centralized deployment, enable automation to save time, and offer business-centric policies.

[Figure 1: SD-WAN use case featuring network operations center solutions. The figure shows FortiManager with SD-WAN Orchestrator and FortiAnalyzer in the network operations center, integrated with third-party tools and managing FortiGate devices at multiple branches.]

Zero-touch deployment

Organizations implementing Fortinet Secure SD-WAN can leverage FortiManager to accelerate deployment, reducing the time from days to minutes. FortiManager zero-touch deployment capabilities enable FortiGate devices to be plugged in at a branch location and then automatically configured by FortiManager at the main office via a broadband connection, thereby avoiding the time and cost of truck rolls. Fortinet's approach can also leverage an existing SD-WAN configuration as a template to accelerate the deployment of new branches and remote sites at scale.

Centralized management for distributed organizations

Centralized management through FortiManager of all distributed networks across the organization helps network leaders drastically reduce the opportunities for configuration errors that lead to cyber-risk exposures and network outages. The Secure SD-WAN orchestrator is part of FortiManager. This allows customers to significantly simplify centralized deployment, enable automation to save time, and offer business-centric policies. Fortinet management tools can support much larger deployments than competing solutions—up to 100,000 FortiGate devices. Features such as SD-WAN and NGFW templating, enterprise-grade configuration management, and role-based access controls help network engineering and operations leaders quickly mitigate human errors.

SD-WAN reporting and analytics

Enhanced analytics for WAN link availability, performance service-level agreements (SLAs) and application traffic in runtime, and historical stats allow the infrastructure team to troubleshoot and quickly resolve network issues. FortiManager, integrated with FortiAnalyzer, offers advanced telemetry for application visibility and network performance to achieve faster resolution and reduce the number of IT support tickets. On-demand SD-WAN reports provide further insight into the threat landscape, trust level, and asset access, which are mandated for compliance.

Compliance reporting

Organizations need reports and tools for customization to help prove compliance to their auditors. However, compliance management has traditionally been a costly, labor-intensive process for networking teams—often requiring multiple full-time staff and months of work to aggregate and normalize data from multiple point security products.

Fortinet accelerates compliance reporting by simplifying security infrastructure and eliminating the need for many manual processes. FortiManager and FortiAnalyzer include customizable regulatory templates as well as canned reports for standards such as Payment Card Industry Data Security Standard (PCI DSS), Security Activity Report (SAR), Center for Internet Security (CIS), and National Institute of Standards and Technology (NIST). They also provide audit logging and role-based access control (RBAC) to ensure that employees can only access the information they need to perform their jobs.

As an extension of FortiManager and FortiAnalyzer capabilities, the FortiGuard Security Rating Service runs audit checks to help security and networking teams identify critical vulnerabilities and configuration weaknesses in their Security Fabric setup and implement best-practice recommendations. As part of the service, network leaders can compare their organization's security posture score against those of other industry peers.[5]

Integration and automation

To be effective, security must integrate seamlessly across every part of the distributed organization—every branch and remote office location. Network engineering and operations leaders need full visibility across the entire attack surface from a single location. They then need automated responses to reduce the time window from detection to remediation and alleviate the burdens of manual tasks from their staff.

FortiManager and FortiAnalyzer help decrease threat remediation time from months to minutes by coordinating policy-based automated response actions across the Fortinet Security Fabric, an integrated security architecture that unlocks security workflows and threat intelligence automation. A detected incident alert sent with contextual awareness data from one branch location allows a network administrator to quickly determine a course of action to protect the entire enterprise against a potential coordinated attack. Certain events can also trigger automatic changes to device configurations to instantly close the loop on attack mitigation.

FortiAnalyzer and FortiManager also automate many required SD-WAN tasks to help network leaders reduce the burden on their staff resources. Both products integrate with third-party tools, such as security information and event management (SIEM), IT service management (ITSM), and DevOps (for example, Ansible, Terraform), to preserve existing workflows and previous investments in other security and networking tools.

Delivering Value, Simplicity, and Security

FortiManager and FortiAnalyzer deliver enterprise-class security and branch networking capabilities with industry-leading benefits:

Increases ROI: Fortinet's integrated approach to secure SD-WAN improves return on investment (ROI) by consolidating the number of networking and security tools required via capital expenditure (CapEx) while also reducing operating expenses (OpEx) through simplified management and workflow automation. The move to public broadband means expensive multiprotocol label switching (MPLS) connections can be replaced with more cost-effective options. Here, Fortinet Secure SD-WAN delivers 300% ROI over three years, eight months payback, a 65% reduction in the number of network disruptions, and a 50% increase in the productivity of security and network teams.[6]

Improves efficiency: Simultaneously, Fortinet institutes a simplified infrastructure for SD-WAN that reduces operational complexity both at the branch and across the entire distributed organization. Fortinet Secure SD-WAN can be administered through a single, intuitive management console. With FortiManager, FortiGate devices are true plug-and-play. Centralized policies and device information can be configured with FortiManager, and the FortiGate devices are automatically updated to the latest policy configuration. The flexibility of single-pane-of-glass management includes scalable remote security and network control via the cloud for all branches and locations.

Contains risks: Fortinet's tracking and reporting features help organizations ensure compliance with privacy laws, security standards, and industry regulations while reducing risks associated with fines and legal costs in the event of a breach. FortiAnalyzer tracks real-time threat activity, facilitates risk assessment, detects potential issues, and helps mitigate problems. Its close integration with Fortinet Secure SD-WAN allows it to monitor firewall policies and help automate compliance audits across distributed business infrastructures.

The average total cost of a data breach was $4.35 million in 2022, a 2.6% increase from the previous year.[7]

Fortinet Realizes Secure SD-WAN

There are many use cases for secure SD-WAN, and Fortinet's unique approach enables them in the most effective way for all types of SD-WAN projects. Simplifying SD-WAN operations is core to successful implementation and expansion in support of digital innovation initiatives. Fortinet Secure SD-WAN with FortiManager and FortiAnalyzer offers best-of-breed SD-WAN management and analytics capabilities that help network leaders reduce operational costs and risks at the network edge.

References

1. "SD-WAN Market," Prescient & Strategic Intelligence, Dec. 2022.
2. "Fortinet Named a 2023 Gartner® Peer Insights™ Customers' Choice for SD-WAN for the Fourth Year in a Row," Fortinet, March 23, 2023.
3. "2022 Gartner® Magic Quadrant™ for SD-WAN," Gartner, September 2022.
4. Meiran Galis, "Security Compliance: Hurdle or Critical Growth Strategy," Forbes, June 13, 2023.
5. "FortiGuard Security Rating Service," Fortinet, accessed July 20, 2023.
6. "The Total Economic Impact™ Of Fortinet Secure SD-WAN," Forrester, Dec. 2022.
7. "Cost of a Data Breach Report 2022," Ponemon Institute and IBM, July 2022.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Copyright © 2023 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and FortiGuard, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
Huawei Firewall SD-WAN Configuration Management Manual
Firewall/SD-WAN Configuration Management Manual
Manual version: V5.0
Product version: V5.0
Document status: Released

Introduction

This manual describes in detail the features of the firewall/SD-WAN product and how to configure them, and is intended to guide users in configuring and using the product.

The manual is divided into six parts:

Part 1, Management Methods, covers Chapter 1 and introduces the firewall's web management interface.

Part 2, System Information, covers Chapters 2 to 14 and explains how to use the firewall's system status, historical statistics, traffic monitoring and related functions.

Part 3, Network Configuration, covers Chapters 16 to 41 and explains how to configure the firewall's network-related functions, including VLANs, link aggregation, IP addresses, static routes, policy routing, dynamic routing, static ARP, NAT, protocol management and network debugging.

Part 4, Security Features, covers Chapters 42 to 68 and explains how to configure security-related policies, including security policies, ARP and DoS protection policies, traffic control policies, application policies and session control policies.

Part 5, Templates and Objects, covers Chapters 69 to 79. To make configuration more flexible and convenient, the firewall introduces the concepts of objects and templates. Once an object has been created, it can be used in multiple service functions. This part covers address objects, time objects, service objects, ISP address objects and health check templates.

Part 6, System Management, covers Chapters 80 to 90 and explains how to configure the firewall's system features, including basic device configuration, time configuration, configuration file management, operating system upgrade management, administrators, licensing, high availability, VRRP, log management and SNMP.
Firewall/SD-WAN Configuration Management Manual
Introduction
Chapter 1 Web Management
  1.1 Web Management Overview
  1.2 Toolbar: 1.2.1 Save Configuration; 1.2.2 Change Password; 1.2.3 Log Out
  1.3 Web Management: 1.3.1 Menus; 1.3.2 Lists; 1.3.3 Icons
  1.4 Device Default Configuration: 1.4.1 Default Configuration of the Management Interface; 1.4.2 Default Administrator User
Chapter 2 Home Page
  2.1 Home Page: 2.1.1 Top 10 Users by Traffic; 2.1.2 Top 10 Applications by Traffic; 2.1.3 Threat Statistics; 2.1.4 Top 10 URLs by Visits; 2.1.5 Device Traffic; 2.1.6 Connection Count; 2.1.7 High-Severity Logs; 2.1.8 Physical Interface Information; 2.1.9 System Information; 2.1.10 Overview of Common Configurations
Chapter 3 vCenter
  3.1 vCenter Overview
  3.2 Traffic
  3.3 Threats
Chapter 4 System Monitoring
  4.1 System Monitoring Overview
  4.2 System Monitoring
Chapter 5 Interface Monitoring
  5.1 Interface Monitoring Overview
  5.2 Interface Summary
  5.3 Interface Details
Chapter 6 Threat Monitoring
  6.1 Threat Monitoring Overview
  6.2 Threat Summary
  6.3 Threat Details
Chapter 7 User Monitoring
  7.1 User Monitoring Overview
  7.2 User Summary
  7.3 User Details
  7.4 Specified User
Chapter 8 Application Monitoring
  8.1 Application Monitoring Overview
  8.2 Application Monitoring Summary
  8.3 Application Statistics Details
Chapter 9 Traffic Monitoring
  9.1 Traffic Monitoring Overview
  9.2 Traffic Monitoring Details
Chapter 10 URL Monitoring
  10.1 URL Monitoring Overview
  10.2 URL Monitoring Summary
  10.3 URL Statistics Details
Chapter 11 SDWAN Monitoring
  11.1 SDWAN Monitoring Overview
  11.2 Link Quality
  11.3 SDWAN Statistics
  11.4 WOC Acceleration Statistics
Chapter 12 Session Monitoring
  12.1 Session Monitoring Overview
  12.2 Session Statistics
  12.3 Standard Sessions
  12.4 Configuration Examples
Chapter 13 Traffic Statistics
  13.1 Traffic Statistics Query by IP/Port
  13.2 Configuration Example
  13.3 Policy-Based Traffic Statistics
  13.4 Configuration Example
Chapter 14 Host Monitoring
  14.1 Host Monitoring Overview
  14.2 Threat Hosts
  14.3 Risky Hosts
  14.4 Monitored Subnets
Chapter 15 Asset Protection
  15.1 Asset Protection Overview
  15.2 Configuring Asset Protection: 15.2.1 Protection Configuration
  15.3 Configuring the Asset Blacklist: 15.3.1 Configure the Asset Blacklist; 15.3.2 Release and Delete Asset Blacklist Entries; 15.3.3 Manually Delete Asset Blacklist Entries; 15.3.4 Reset Asset Blacklist Hit Counts; 15.3.5 Query the Asset Blacklist Configuration; 15.3.6 Set the Asset Blacklist Blocking Direction
  15.4 Configuring IP-MAC Binding: 15.4.1 Configure IP-MAC Binding
  15.5 Configuring Switch Linkage: 15.5.1 Basic Configuration Elements; 15.5.2 Enable Switch Linkage; 15.5.3 Delete an SNMP Server
  15.6 Configuring the Predefined Fingerprint Database: 15.6.1 Predefined Fingerprint Database Version; 15.6.2 Predefined Fingerprint Database Total; 15.6.3 Predefined Fingerprint Database Upgrade
  15.7 Configuring Custom Fingerprints: 15.7.1 Basic Configuration Elements; 15.7.2 Edit a Custom Fingerprint; 15.7.3 Delete a Custom Fingerprint; 15.7.4 Import Custom Fingerprints; 15.7.5 Export Custom Fingerprints
  15.8 Configuring the Asset List: 15.8.1 Asset List Configuration
  15.9 Behavior Learning: 15.9.1 Connection and Asset Statistics; 15.9.2 Connection Relationship Details; 15.9.3 Current Connection Count Details; 15.9.4 Isolated Asset Details
  15.10 Configuration Examples: 15.10.1 Example 1: Enable Asset Protection for a Subnet; 15.10.2 Example: Create an Asset Blacklist Entry; 15.10.3 Example: Switch Linkage
Chapter 16 Interfaces
  16.1 Interface Overview
  16.2 Physical Interface Configuration
  16.3 VLAN Configuration: 16.3.1 Add a VLAN; 16.3.2 Modify a VLAN; 16.3.3 Delete a VLAN
  16.4 VXLAN Configuration: 16.4.1 Add a VXLAN; 16.4.2 Modify a VXLAN; 16.4.3 Delete a VXLAN
  16.5 Transparent Bridge Configuration: 16.5.1 Add a Transparent Bridge; 16.5.2 Modify a Bridge Interface; 16.5.3 Delete a Bridge Interface
  16.6 Link Aggregation Configuration: 16.6.1 Add a Link Aggregation; 16.6.2 Modify a Link Aggregation; 16.6.3 Delete a Link Aggregation
  16.7 GRE Configuration: 16.7.1 Add a GRE Interface; 16.7.2 Modify a GRE Interface; 16.7.3 Delete a GRE Interface
  16.8 LOOPBACK Interface Configuration: 16.8.1 Add a LOOPBACK Interface; 16.8.2 Modify a LOOPBACK Interface; 16.8.3 Delete a LOOPBACK Interface
  16.9 Bypass Deployment
  16.10 Interface Linkage: 16.10.1 Interface Linkage Overview; 16.10.2 Configure an Interface Linkage Group; 16.10.3 Edit an Interface Linkage Group; 16.10.4 Delete an Interface Linkage Group
  16.11 Configuration Examples: 16.11.1 Example 1: Add a VLAN; 16.11.2 Example 2: Add a VXLAN Tunnel Configuration; 16.11.3 Example 3: Add a Link Aggregation; 16.11.4 Example 4: Configure Bridge Mode; 16.11.5 Example 5: Add a GRE Interface
  16.12 Common Troubleshooting: 16.12.1 Symptom: Link Aggregation Interface Is Ineffective; 16.12.2 Symptom: Tagged Interface under a VLAN Is Ineffective; 16.12.3 Symptom: Some Traffic Fails in a Bridged Environment; 16.12.4 Symptom: Traffic Fails in a GRE Tunnel Environment
Chapter 17 Security Zones
  17.1 Security Zone Overview
  17.2 Configuring Security Zones: 17.2.1 Configure a Security Zone; 17.2.2 Edit a Security Zone; 17.2.3 Delete a Security Zone
  17.3 Configuration Examples: 17.3.1 Example 1: Add a Security Zone and Reference It in a Firewall Policy
  17.4 Common Troubleshooting: 17.4.1 Symptom: An Interface Cannot Be Selected for a Security Zone
Chapter 18 Static ARP
  18.1 Static ARP Overview
  18.2 Static ARP Configuration: 18.2.1 Add a Static ARP Entry; 18.2.2 Modify a Static ARP Entry; 18.2.3 Delete a Static ARP Entry
  18.3 Common Troubleshooting: 18.3.1 Symptom: Network Unreachable after Adding a Static ARP Entry
Chapter 19 DHCP Server
  19.1 DHCP Service Overview: 19.1.1 DHCP Server Overview; 19.1.2 DHCP Relay Overview
  19.2 Configuration Description: 19.2.1 Specify the DHCP Service on an Interface; 19.2.2 Configure the DHCP Server Address Pool; 19.2.3 Configure DHCP Server Address Exclusions; 19.2.4 Configure DHCP Server Address Bindings
  19.3 Configuration Examples: 19.3.1 Example 1: Configure a DHCP Server on Interface ge0/2; 19.3.2 Example 2: Configure DHCP Relay on Interface ge0/1
  19.4 Monitoring and Maintenance: 19.4.1 View DHCP Server Address Assignments
  19.5 Common Troubleshooting: 19.5.1 Symptom: DHCP Clients on an Interface with DHCP Server Enabled Cannot Obtain an Address; 19.5.2 Symptom: DHCP Clients on an Interface with DHCP Relay Enabled Cannot Obtain an Address
Chapter 20 Static Routes
  20.1 Static Route Overview
  20.2 Configuring Static Routes: 20.2.1 Configure IPv4 Static Routes; 20.2.2 View the IPv4 Routing Table; 20.2.3 Configure IPv6 Static Routes; 20.2.4 View the IPv6 Routing Table; 20.2.5 IPv6 Prefix Advertisement
  20.3 Configuration Examples: 20.3.1 Example 1: Configure Route Monitoring for Multiple Routes
  20.4 Common Troubleshooting: 20.4.1 Route Status Shows as Invalid
Chapter 21 Static Route BFD
  21.1 BFD Overview
  21.2 Configuration Description: 21.2.1 Configure Static Route BFD
  21.3 Configuration Examples: 21.3.1 Configure BFD Linkage with Static Routes
  21.4 Troubleshooting: 21.4.1 BFD Neighbor Establishment Fails
Chapter 22 RIP Routing
  22.1 RIP Protocol Overview
  22.2 Configuring RIP: 22.2.1 Default Configuration; 22.2.2 Configure the RIP Version; 22.2.3 Configure RIP Advanced Options; 22.2.4 Configure Networks Advertised by RIP; 22.2.5 Configure RIP Interfaces
  22.3 Configuration Examples: 22.3.1 Example: Interconnect Two Firewall Devices
  22.4 Viewing RIP Configuration: 22.4.1 View RIP Configuration Information
  22.5 Common Troubleshooting: 22.5.1 Symptom 1: Two Devices Cannot Communicate Normally
Chapter 23 OSPF Routing
  23.1 OSPF Protocol Overview
  23.2 Configuring OSPF: 23.2.1 Default Configuration; 23.2.2 Configure OSPF; 23.2.3 Configure OSPF Networks; 23.2.4 Edit Area Attributes; 23.2.5 Configure OSPF Interfaces
  23.3 Configuration Examples: 23.3.1 Example: Interconnect Two Firewall Devices
  23.4 OSPF Monitoring and Maintenance: 23.4.1 View Neighbor Router Status Information
  23.5 Common Troubleshooting: 23.5.1 Symptom: Two Devices Cannot Establish an Adjacency
Chapter 24 BGP Routing
  24.1 BGP Protocol Overview
  24.2 Configuring BGP: 24.2.1 Default Configuration; 24.2.2 Configure the BGP Router-ID; 24.2.3 Configure BGP Operation; 24.2.4 Configure BGP Peers; 24.2.5 Configure Advertised Networks
  24.3 Configuration Examples: 24.3.1 Example 1: Interconnect Two FW Devices
  24.4 BGP Monitoring and Maintenance: View BGP Routing Information
  24.5 Common Troubleshooting: 24.5.1 Symptom 1: Two Devices Cannot Establish an Adjacency
Chapter 25 Policy Routing
  25.1 Policy Routing Overview
  25.2 Configuring Policy Routing: 25.2.1 Create a Policy Route; 25.2.2 Edit a Policy Route; 25.2.3 Delete a Policy Route; 25.2.4 Reorder Policy Routes; 25.2.5 Enable/Disable a Policy Route; 25.2.6 View the Policy Route List
  25.3 Configuration Examples: 25.3.1 Policy Routing Example 1; 25.3.2 Policy Routing Example 2; 25.3.3 Policy Routing Example 3
  25.4 Common Troubleshooting: 25.4.1 Policy Route Does Not Take Effect; 25.4.2 Some Policy Route Next Hops Have No Hit Count
Chapter 26 Session Persistence
  26.1 Session Persistence Overview
  26.2 Configuring Session Persistence: 26.2.1 Configure Session Persistence; 26.2.2 Session Persistence Configuration Notes
  26.3 Common Troubleshooting: 26.3.1 Policy Route Session Persistence Does Not Take Effect; 26.3.2 Session Persistence Does Not Take Effect
Chapter 27 Configuring NAT
  27.1 NAT Overview
  27.2 Configuring NAT: 27.2.1 Configure an Address Pool (NAT Pool); 27.2.2 Edit an Address Pool; 27.2.4 Configure Source Address Translation; 27.2.5 Configure Destination Address Translation; 27.2.6 Configure Bidirectional Address Translation; 27.2.7 Configure Static Address Translation; 27.2.8 Enable a NAT Rule; 27.2.9 Edit a NAT Rule; 27.2.10 Delete a NAT Rule; 27.2.11 Move a NAT Rule
  27.3 NAT Monitoring and Maintenance: 27.3.1 View Address Pools; 27.3.2 View Source and Destination NAT Rules; 27.3.3 View Static NAT Rules; 27.3.4 View NAT Rule Concurrent Connections and Hit Counts
  27.4 Configuration Examples: 27.4.1 Configure Source Address Translation; 27.4.2 Configure Destination Address Translation; 27.4.3 Configure Bidirectional Address Translation; 27.4.4 Configure Static Address Translation
  27.5 Common Troubleshooting: 27.5.1 Intermittent Connectivity
Chapter 28 NAT Address Pool Check
  28.1 Configure the Address Pool Check Function
  28.2 Modify the Address Pool Check Configuration
  28.3 Enable the Address Pool Check Function
  28.4 Disable the Address Pool Check Function
  28.5 View the Address Pool Check Status
Chapter 29 Cross-Protocol Translation
  29.1 Cross-Protocol Translation Overview
  29.2 Configuring Cross-Protocol Translation Rules: 29.2.1 Configure the IVI Translation Mode; 29.2.2 Configure the Embedded-Address Translation Mode; 29.2.3 Configure the Address Pool Translation Mode; 29.2.4 Edit a Cross-Protocol Translation Rule; 29.2.5 Delete a Cross-Protocol Translation Rule; 29.2.6 Move a Cross-Protocol Translation Rule
  29.3 Configuration Examples: 29.3.1 Configure NAT46 Translation; 29.3.2 Configure NAT64 Translation
  29.4 Common Troubleshooting: 29.4.1 Users Keep Seeing Address Conflicts on the Network; 29.4.2 Request Packets Sent by Users Cannot Reach the Device
Chapter 30 Port Management
  30.1 Port Management Overview
  30.2 Port Configuration: 30.2.1 Set a Port Number; 30.2.2 Delete a Port Number; 30.2.3 View Port Numbers
  30.3 Configuration Examples
Chapter 31 IPSec VPN
  31.1 Overview
  31.2 IPSec VPN Configuration Procedure: 31.2.1 Configure the IKE Negotiation Policy; 31.2.2 Configure the IPSEC Negotiation Policy; 31.2.3 Configure the IPsec Policy
  31.3 IPSec VPN Configuration Parameters: 31.3.1 IKE Negotiation Parameters; 31.3.2 IPSEC Negotiation Parameters; 31.3.3 IPsec Policy
  31.4 Configuration Examples: 31.4.1 Example 1: Configure a Basic IPSEC Network; 31.4.2 Example 2: Configure IPSEC HUB_SPOKE
  31.5 IPSEC VPN Monitoring and Maintenance: 31.5.1 Check Whether the SA Is Established; 31.5.2 Delete Established SAs
  31.6 Common Troubleshooting: 31.6.1 Symptom: Tunnel Cannot Be Established
Chapter 32 SSL Remote Access
  32.1 Technical Introduction
  32.2 Configuring SSL VPN: 32.2.1 Configure Basic SSL VPN Functions; 32.2.2 Configure SSL VPN Users and User Groups; 32.2.3 Configure SSL VPN Web Access; 32.2.4 Configure SSL VPN Resources and Resource Groups; 32.2.5 Configure SSL VPN Interface Options
  32.3 SSL VPN Login: 32.3.1 WEB Mode; 32.3.2 Tunnel Mode
  32.4 SSL VPN Monitoring and Maintenance: 32.4.1 SSL VPN Monitor
  32.5 Usage Notes for WINDOWS 7
  32.6 FAQ on SSL VPN Plug-in, Client and Operating System Compatibility: 32.6.1 Common Issues; 32.6.2 Windows 2003 and Windows XP SP3; 32.6.3 Windows Vista, Windows 7 and Windows 2008
Chapter 33 L2TP
  33.1 L2TP Overview
  33.2 Configuring L2TP: 33.2.1 Configure Authentication Users; 33.2.2 Configure User Groups; 33.2.3 Configure Interface Access Control; 33.2.4 Configure L2TP
  33.3 Configuration Examples: 33.3.1 Example 1: Enable L2TP on Interface ge0/0
  33.4 L2TP Monitoring and Maintenance: 33.4.1 View L2TP Session Information
  33.5 Troubleshooting: 33.5.1 L2TP Client Dial-up Cannot Establish a Connection; 33.5.2 L2TP Connection Drops Abnormally after Establishment
Chapter 34 DNS Proxy
  34.1 DNS Proxy Overview
  34.2 Configuring DNS Proxy: 34.2.1 Configure Servers; 34.2.2 Configure Proxy Policies; 34.2.3 Configure Global Settings
  34.3 Configuration Examples: 34.3.1 DNS Proxy Example 1; 34.3.2 DNS Proxy Example 2
Chapter 35 DNS Service
  35.1 DNS Service Overview
  35.2 Configuring the DNS Service: 35.2.1 Basic Configuration; 35.2.2 Configure DNS Records; 35.2.3 Configuration Examples
Chapter 36 System Parameters
  36.1 System Parameters Overview
  36.2 Protocol Management
  36.3 TCP State Management
  36.4 Parameter Management
Chapter 37 WEB Debugging
  37.1 WEB Debugging Overview
  37.2 Configuring WEB Debugging: 37.2.1 Basic Elements of WEB Debugging; 37.2.2 Configure WEB Debugging for TCP (UDP); 37.2.3 Configure WEB Debugging for ICMP; 37.2.4 Configure WEB Debugging for OTHER Protocols
  37.3 Configuration Examples: 37.3.1 Example 1: Use the IPv4 Web Debugging Function
Chapter 38 Route Tracing
  38.1 Route Tracing Overview
  38.2 Configuring Route Tracing: 38.2.1 Basic Elements of Route Tracing; 38.2.2 Configure TCP (or UDP) Route Tracing; 38.2.3 Configure ICMP Route Tracing; 38.2.4 Configure IP Route Tracing
  38.3 Configuration Examples: 38.3.1 Example 1: Configure IPv4 Route Tracing; 38.3.2 Example 2: Configure IPv6 Route Tracing
Chapter 39 Diagnostics
  39.1 Diagnostics Overview
  39.2 Configuration: 39.2.1 Configure traceroute Diagnostics; 39.2.2 Configure ping Diagnostics; 39.2.3 Configure TCP Diagnostics; 39.2.4 Configure ping6 Diagnostics
  39.3 Configuration Examples: 39.3.1 Example 1: Run traceroute Diagnostics on the Network
Chapter 40 PMTU
  40.1 PMTU Overview
  40.2 PMTU Configuration
  40.3 Configuration Examples
Chapter 41 Custom Packet Capture
  41.1 Custom Packet Capture Overview
  41.2 Custom Packet Capture Configuration
  41.3 Configuration Examples
Chapter 42 SDWAN Policies
  42.1 SDWAN Policy Overview
  42.2 Configuring SDWAN Policies: 42.2.1 Create an SDWAN Policy; 42.2.2 Edit an SDWAN Policy; 42.2.3 Delete an SDWAN Policy; 42.2.4 Reorder SDWAN Policies; 42.2.5 Enable/Disable an SDWAN Policy; 42.2.6 View the SDWAN Policy List
  42.3 Configuring Link Quality Check
  42.4 Configuration Examples: 42.4.1 SDWAN Policy Example; 42.4.2 Link Quality Check Example
  42.5 Common Troubleshooting: 42.5.1 SDWAN Policy Does Not Take Effect; 42.5.2 Some SDWAN Policy Next Hops Have No Hit Count
Chapter 43 WOC Acceleration Templates
  43.1 WOC Acceleration Template Overview
  43.2 Configuring WOC Acceleration Templates: 43.2.1 Create a WOC Acceleration Template; 43.2.2 Edit a WOC Acceleration Template; 43.2.3 Delete a WOC Acceleration Template; 43.2.4 Reference a WOC Acceleration Template in a Protection Policy
  43.3 WOC Acceleration Monitoring
  43.4 Configuration Examples
Chapter 44 Firewall Policies
  44.1 Firewall Policy Overview
  44.2 Configuring Policy Groups: 44.2.1 Configure a Policy Group; 44.2.2 Enable a Policy Group; 44.2.3 Delete a Policy Group; 44.2.4 Move a Policy Group; 44.2.5 Insert a Policy Group; 44.2.6 Rename a Policy Group; 44.2.7 Migrate Policies within a Policy Group
  44.3 Configuring Firewall Policies: 44.3.1 Basic Policy Elements; 44.3.2 Configure a DENY Policy; 44.3.3 Configure a PERMIT Policy; 44.3.4 Enable a Firewall Policy; 44.3.5 Edit a Firewall Policy; 44.3.6 Delete a Firewall Policy; 44.3.7 Move a Firewall Policy; 44.3.8 Insert a Firewall Policy; 44.3.9 Policy Configuration Module; 44.3.10 Policy Precompilation Module
  44.4 Firewall Policy Monitoring and Maintenance: 44.4.1 View Firewall Policies by Protocol Type; 44.4.2 View Firewall Policies by Category (Policy Group); 44.4.3 View Firewall Policies by Category (Interface Pair); 44.4.4 Export Firewall Policies to a CSV File; 44.4.5 Query Firewall Policies by Filter Condition; 44.4.6 Firewall Policy Redundancy Detection; 44.4.7 View Firewall Policy Traffic Statistics; 44.4.8 View Firewall Policy Session Monitoring Information; 44.4.9 View the Current Firewall Policy Connection Count
  44.5 Configuration Examples: 44.5.1 Example 1: Create an IPV4 Firewall Policy; 44.5.2 Example 2: Layer 2 Forwarding Control; 44.5.3 Example 3: Firewall Policy Control for Web-Authenticated Users
  44.6 Common Troubleshooting: 44.6.1 Symptom 1: Traffic Matching a Policy Does Not Receive the Corresponding Action; 44.6.2 Symptom 2: An Application-Based Firewall Policy Does Not Match; 44.6.3 Symptom 3: Some Interfaces Cannot Be Selected in a Firewall Policy
Chapter 45 Local Security Policies
  45.1 Local Security Policy Overview
  45.2 Configuring Local Security Policies: 45.2.1 Create a Local Security Policy; 45.2.2 Edit a Local Security Policy; 45.2.3 Delete a Local Security Policy; 45.2.4 Move a Local Security Policy; 45.2.5 Insert a Local Security Policy; 45.2.6 Enable a Local Security Policy; 45.2.7 View the Local Security Policy List; 45.2.8 Policy Configuration Module
  45.3 Configuration Examples: 45.3.1 Example: Block Untrusted Users from Accessing the Device
Chapter 46 Protection Policies
  46.1 Security Protection Policy Overview
  46.2 Configuring Security Protection Policies: 46.2.1 Basic Policy Elements; 46.2.2 Enable a Security Protection Policy; 46.2.3 Edit a Security Protection Policy; 46.2.4 Delete a Security Protection Policy; 46.2.5 Reorder Security Protection Policies; 46.2.6 Insert an Attack Protection Policy; 46.2.7 Reset Security Protection Policy Hit Counts; 46.2.8 Query Attack Protection Policies
  46.3 Configuration Examples: 46.3.1 Example 1: Create a Security Protection Policy; 46.3.2 Example 2: Create an Anti-Scan Security Protection Policy
  46.4 Common Troubleshooting: 46.4.1 Symptom: Some Traffic That Should Match a Policy Does Not Match It
Chapter 47 Attack Protection
  47.1 Attack Protection Overview
  47.2 Configuring Attack Protection: 47.2.2 Edit Attack Protection; 47.2.3 Delete Attack Protection; 47.2.4 Reference Attack Protection in a Security Protection Policy
  47.3 Configuration Examples: 47.3.1 Example 1: Create an Anti-Flood Security Protection Policy; 47.3.2 Example 2: Create an Anti-Scan Security Protection Policy
  47.4 Attack Protection Monitoring and Maintenance: 47.4.1 View Attack Protection Logs
  47.5 Common Troubleshooting: 47.5.1 Symptom: Anti-Flood Function Does Not Work Properly
Chapter 48 Antivirus Protection
  48.1 Antivirus Protection Overview
  48.2 Configuring Antivirus Protection: 48.2.1 Create an Antivirus Template; 48.2.2 Edit an Antivirus Template; 48.2.3 Delete an Antivirus Template; 48.2.4 Reference an Antivirus Template in a Protection Policy
  48.3 Configuring File Types: 48.3.1 File Scan Configuration; 48.3.2 Add a File Type; 48.3.3 Delete a File Type; 48.3.4 Enable and Disable File Types
  48.4 Configuration Examples
  48.5 Antivirus Monitoring: 48.5.1 View Antivirus Logs
Chapter 49 Intrusion Prevention
  49.1 Intrusion Prevention Overview
  49.2 Configuring Event Sets: 49.2.1 Create an Event Set; 49.2.2 Edit an Event Set; 49.2.3 Delete an Event Set; 49.2.4 Copy an Event Set; 49.2.5 Reference an Event Set in a Protection Policy
  49.3 Configuring Events in an Event Set: 49.3.1 View Events; 49.3.2 Online Description; 49.3.3 Add an Event; 49.3.4 Delete an Event; 49.3.5 Edit an Event; 49.3.6 Search Events
  49.4 Configuring Custom Events: 49.4.2 Edit a Custom Event; 49.4.3 Delete a Custom Event; 49.4.4 Reference a Custom Event; 49.4.5 Custom Event Online Description
  49.5 Global Configuration
  49.6 Custom Event Configuration Backup and Restore
  49.7 IPS Packet Capture: 49.7.1 IPS Packet Capture Overview; 49.7.2 IPS Packet Capture Configuration; 49.7.3 IPS Packet Capture Configuration Example
  49.8 Configuration Examples
  49.9 Intrusion Prevention Monitoring: 49.9.1 View Intrusion Prevention Logs
Chapter 50 Web Protection
  50.1 Web Protection Overview
  50.2 Configuring Web Protection: 50.2.1 Basic Policy Elements; 50.2.2 Edit Web Protection; 50.2.3 Delete a Web Protection Policy
Chapter 51 Threat Intelligence
  51.1 Threat Intelligence Overview
  51.2 Configuring Threat Intelligence: 51.2.1 Configure Threat Intelligence; 51.2.2 Edit Threat Intelligence; 51.2.3 Delete Threat Intelligence; 51.2.4 Configure the Protection Level; 51.2.5 Configure Cloud Lookup; 51.2.6 Intelligence Database Upgrade
  51.3 Configuration Examples
  51.4 Threat Intelligence Monitoring: 51.4.1 View IP Address Threat Monitoring; 51.4.2 View Domain Name Threat Monitoring
Chapter 52 DoS Protection
  52.1 Anti-Attack Overview
  52.2 Configuring Anti-Attack
  52.3 Configuration Examples: 52.3.1 Example 1: Configure Anti-DOS Attack Protection
  52.4 Anti-Attack Monitoring and Maintenance: 52.4.1 View Anti-Attack Logs
  52.5 Common Troubleshooting: 52.5.1 Symptom: SYN Flood Defense Is Ineffective; 52.5.2 Symptom: No Alarm and No Dropped Packets after Configuring Anti-Scan
Chapter 53 ARP Attack Protection
  53.1 ARP Attack Protection Overview
  53.2 Configuring ARP Attack Protection: 53.2.1 Default Configuration; 53.2.2 Basic ARP Attack Protection Configuration; 53.2.3 Active Protection List Configuration; 53.2.4 IP-MAC Binding Configuration; 53.2.5 ARP Table
  53.3 Configuration Examples: 53.3.1 Example: Configure Anti-ARP-Spoofing and Anti-ARP-Flood
  53.4 Common Troubleshooting: 53.4.1 Symptom: PC Cannot Access the Internet
Chapter 54 IP Blacklist Protection
  54.1 IP Blacklist Overview
  54.2 Configuring the IP Blacklist Blocking Direction
  54.3 Configuring IP Blacklist Groups: 54.3.1 Create an IP Blacklist Group; 54.3.2 Delete an IP Blacklist Group; 54.3.3 Modify an IP Blacklist Group; 54.3.4 Modify an IP Blacklist Group Name; 54.3.5 Enable/Disable an IP Blacklist Group; 54.3.6 Query IP Blacklist Groups
  54.4 Configuring IP Blacklists: 54.4.1 Create an IP Blacklist Entry; 54.4.2 Create an IP Blacklist Entry by Editing; 54.4.3 Modify an IP Blacklist Entry; 54.4.4 Delete an IP Blacklist Entry; 54.4.5 Delete Expired IP Blacklist Entries; 54.4.6 Automatically Delete IP Blacklist Entries on Timeout; 54.4.7 Reset IP Blacklist Hit Counts; 54.4.8 Query IP Blacklist Entries; 54.4.9 Display IP Blacklist Entries Filtered by Group; 54.4.10 Global IP Blacklist Switch
  54.5 IP Blacklist Configuration Import and Export: 54.5.1 Import IP Blacklist; 54.5.2 Export IP Blacklist
  54.6 Configuration Examples: 54.6.1 Example 1: Create an IP Blacklist Entry; 54.6.2 Example 2: Create a Real-Time Blocking IP Blacklist Entry; 54.6.3 Example 3: Create an Intrusion Prevention Blocking IP Blacklist Entry; 54.6.4 Example 4: Create a WEB Application Protection Blocking IP Blacklist Entry; 54.6.5 Example 5: Create a Password Protection IP Blacklist Entry
Chapter 55 Domain Name Blacklist Protection
  55.1 Domain Name Blacklist Overview
  55.2 Configuring Domain Name Blacklists: 55.2.1 Configure a Domain Name Blacklist Entry; 55.2.2 Create a Domain Name Blacklist Entry by Editing; 55.2.3 Modify a Domain Name Blacklist Entry; 55.2.4 Delete a Blacklist Entry; 55.2.5 Reset Domain Name Blacklist Hit Counts; 55.2.6 Refresh the Domain Name Blacklist
  55.3 Query Domain Name Blacklist Configuration
  55.4 Domain Name Blacklist Configuration Import and Export: 55.4.1 Import Domain Name Blacklist; 55.4.2 Export Domain Name Blacklist
  55.5 Configuration Examples: 55.5.1 Example 1: Block Employees from Accessing Gambling Sites; 55.5.2 Example 2: Block Employees from Accessing Gaming Sites during Working Hours
  55.6 Domain Name Blacklist Protection Monitoring and Maintenance: 55.6.1 View Domain Name Blacklist Protection Logs
Chapter 56 Whitelist Protection
  56.1 Whitelist Overview
  56.2 Configuring the Whitelist Matching Direction
  56.3 Configuring Whitelists: 56.3.1 Configure a Whitelist Entry; 56.3.2 Create a Whitelist Entry by Editing; 56.3.3 Modify a Whitelist Entry; 56.3.4 Delete a Whitelist Entry; 56.3.5 Reset Whitelist Hit Counts; 56.3.6 Global Whitelist Switch; 56.3.7 Query Whitelist Entries
  56.4 Whitelist Configuration Import and Export: 56.4.1 Import Whitelist; 56.4.2 Export Whitelist
  56.5 Configuration Examples: 56.5.1 Example 1: Create a Whitelist Entry
Chapter 57 Password Protection
  57.1 Password Protection Overview
  57.2 Configuring Password Protection: 57.2.1 Create a Password Protection Template; 57.2.2 Edit a Password Protection Template; 57.2.3 Delete Password Protection; 57.2.1 Reference Password Protection in a Security Protection Policy
  57.3 Configuration Examples: 57.3.1 Example 1: Create a Weak Password Check Security Protection Policy; 57.3.2 Example 2: Create an Anti-Password-Brute-Force Security Protection Policy
  57.4 Password Protection Monitoring and Maintenance: 57.4.1 View Password Protection Logs
Chapter 58 Web Application Protection
  58.1 Overview
  58.2 Configuring Policies: 58.2.1 Basic Policy Elements; 58.2.2 Create a Policy; 58.2.3 Edit a Policy; 58.2.4 Delete a Policy; 58.2.5 Move a Policy; 58.2.6 Insert a Policy
  58.3 Configuring Event Sets: 58.3.1 Create an Event Set; 58.3.2 Edit an Event Set; 58.3.3 Delete an Event Set; 58.3.4 Copy an Event Set
  58.4 Configuring Events in an Event Set: 58.4.1 View Events; 58.4.2 Add an Event; 58.4.3 Edit an Event; 58.4.4 Delete an Event
  58.5 Configuring Custom Events: 58.5.1 Add a Custom Event; 58.5.2 Edit a Custom Event; 58.5.3 Delete a Custom Event; 58.5.4 Reference a Custom Event
  58.6 Configuring Compliance Check Templates: 58.6.1 Add a Compliance Check Template; 58.6.2 Edit a Compliance Check Template; 58.6.3 Delete a Compliance Check Template
  58.7 Configuring Parameters
  58.8 Configuration Examples: 58.8.1 Block the POST Method
  58.9 Common Troubleshooting: 58.9.1 Custom Event Does Not Match
Chapter 59 Application Control Policies
  59.1 Application Control Policy Overview
  59.2 Configuring Application Control Policies: 59.2.1 Basic Policy Elements; 59.2.2 Keyword Configuration; 59.2.3 Enable an Application Control Policy; 59.2.4 Edit an Application Control Policy; 59.2.5 Delete an Application Control Policy; 59.2.6 Reorder Application Control Policies; 59.2.7 Query Application Control Policies
  59.3 Configuration Examples: 59.3.1 Example 1: Block Logins by QQ Accounts Containing "12456"; 59.3.2 Example 2: Reject Receipt of All E-mail
  59.4 Common Troubleshooting: 59.4.1 Common Fault: Policy Not Hit
Chapter 60 Web Control Policies
  60.1 Web Control Policy Overview
  60.2 Configuring Web Control Policies: 60.2.1 Basic Policy Elements; 60.2.2 Keyword Configuration; 60.2.3 Enable a Web Control Policy; 60.2.4 Edit a Web Control Policy; 60.2.5 Delete a Web Control Policy; 60.2.6 Reorder Web Control Policies; 60.2.7 Block Notification Page
  60.3 Configuration Examples: 60.3.1 Example 1: Block All News Web Pages and Display a Notice That News Access Is Prohibited
  60.4 Common Troubleshooting: 60.4.1 Common Fault: Policy Not Hit
Chapter 61 Traffic Control Policies
  61.1 Traffic Control Overview
  61.2 Configuring Line Policies: 61.2.1 Configure a Line Policy; 61.2.2 Edit a Line Policy; 61.2.3 Delete a Line Policy
  61.3 Configuring Pipe Policies: 61.3.1 Configure a Pipe Policy; 61.3.2 Edit a Pipe Policy; 61.3.3 Delete a Pipe Policy; 61.3.4 Move a Pipe Policy
  61.4 Traffic Monitoring
  61.5 Configuration Examples
Chapter 62 Session Control Policies
  62.1 Session Control Policy Overview
  62.2 Configuring Session Control Policies: 62.2.1 Basic Policy Elements; 62.2.2 Enable a Session Control Policy; 62.2.3 Edit a Session Control Policy; 62.2.4 Delete a Session Control Policy; 62.2.5 Reorder Session Control Policies; 62.2.6 Query Session Control Policies
  62.3 Session Control Policy Monitoring and Maintenance: 62.3.1 View Session Control Policies
  62.4 Configuration Examples: 62.4.1 Example 1: Create an IPv4 Session Control Policy to Limit the Total Connection Rate
  62.5 Common Troubleshooting: 62.5.1 Symptom: Some Traffic Matching a Policy Is Not Limited Accordingly
Chapter 63 Web Authentication Policies
  63.1 Web Authentication Policy Overview
  63.2 Configuring Web Authentication Policies: 63.2.1 Configure Users; 63.2.2 Configure User Groups; 63.2.3 Configure a Web Authentication Policy; 63.2.4 Edit a Web Authentication Policy; 63.2.5 Delete a Web Authentication Policy; 63.2.6 Move a Web Authentication Policy; 63.2.7 Clear Web Authentication Policy Hit Counts; 63.2.8 Modify the Web Authentication Configuration; 63.2.9 Clear All Online Users
  63.3 Configuration Examples: 63.3.1 Example: Require LDAP Authentication for Employee Internet Access
  63.4 Common Troubleshooting: 63.4.1 Symptom: Authentication Fails for Authenticating Users
Chapter 64 Address Objects
  64.1 Address Object Overview
  64.2 Configure Address Nodes
  64.3 Batch Delete Address Nodes
  64.4 Configure Address Groups
  64.5 Batch Delete Address Groups
  64.6 Configure Domain Name Addresses
  64.7 Batch Delete Domain Name Addresses
  64.8 Clear Resolved Members of Domain Name Addresses
  64.9 Configuration Examples: 64.9.1 Example 1: Add an IPv4 Address Node; 64.9.2 Example 2: Add an IPv4 Address Node by Editing; 64.9.3 Example 3: Add an IPv6 Address Node; 64.9.4 Example 4: Add an Address Object Group; 64.9.5 Example 5: Add a Domain Name Address and Reference It in a Firewall Policy
  64.10 Address Object Monitoring and Maintenance: 64.10.1 View Address Nodes; 64.10.2 View Address Groups; 64.10.3 View Domain Name Addresses; 64.10.4 Address Object Backup and Restore
  64.11 Common Troubleshooting: 64.11.1 Symptom: Submission Fails; 64.11.2 Symptom: Domain Name Address Has No Members
Chapter 65 ISP Address Database
  65.1 ISP Address Database Overview
  65.1 Configuring the ISP Address Database: 65.1.1 Configure the ISP Address Database; 65.1.2 Import the ISP Address Database; 65.1.3 Export the ISP Address Database; 65.1.4 Delete the ISP Address Database
  65.2 Common Troubleshooting: 65.2.1 ISP Addresses Load Incompletely
Chapter 66 Service Objects
  66.1 Overview
  66.2 Configuring Service Objects: 66.2.1 Predefined Services; 66.2.2 Configure Custom Services; 66.2.3 Batch Delete Custom Services; 66.2.4 Configure Service Groups; 66.2.5 Batch Delete Service Groups
  66.3 Configuration Examples: 66.3.1 Example 1: Add a Custom Service; 66.3.2 Example 2: Add a Service Group
  66.4 Service Object Monitoring and Maintenance: 66.4.1 View Predefined Services; 66.4.2 View Custom Services; 66.4.3 View Service Groups
  66.5 Common Troubleshooting: 66.5.1 Symptom: Submission Fails
Chapter 67 Application Objects
  67.1 Overview
  67.2 Configuring Application Objects: 67.2.1 Configure Custom Applications; 67.2.2 Configure Application Groups
  67.3 Configuration Examples: 67.3.1 Example 1: Add a Custom Application; 67.3.2 Example 2: Add an Application Group
  67.4 Monitoring and Maintenance: 67.4.1 View Predefined Applications; 67.4.2 View Custom Applications; 67.4.3 View Application Groups
Chapter 68 User Objects
  68.1 User Object Overview
  68.2 Configuring User Objects: 68.2.1 Configure Local Authentication User Objects; 68.2.2 Configure RADIUS User Objects; 68.2.3 Configure LDAP User Objects; 68.2.4 Configure Static User Objects
  68.3 Configure User Group Objects
  68.4 View User Objects
  68.5 View User Group Objects
Chapter 69 Authentication Server Objects
  69.1 Authentication Server Object Overview
  69.2 Configuring Authentication Server Objects: 69.2.1 Configure a RADIUS Server Object; 69.2.2 Configure an LDAP Server
  69.3 Configuring AD Domain Synchronization Policies: 69.3.1 Create a Synchronization Policy; 69.3.2 Configuration Example
Chapter 70 URL Categories
  70.1 Overview
  70.2 Configuring URL Categories: 70.2.1 Configure Custom URL Categories; 70.2.2 Configure URL Groups
  70.3 Custom URL Category Configuration Backup and Restore
  70.4 Configuration Examples: 70.4.1 Example 1: Add a Custom URL Category; 70.4.2 Example 2: Add a URL Group
  70.5 Monitoring and Maintenance: 70.5.1 View Predefined URL Categories; 70.5.2 View Custom URL Categories; 70.5.3 View URL Groups; 70.5.4 URL Category Lookup
Chapter 71 Domain Name Objects
  71.1 Overview
  71.2 Configuring Domain Name Objects: 71.2.1 Configure Custom Domain Names; 71.2.2 Configure Domain Name Groups
  71.3 Configuration Examples: 71.3.1 Example 1: Add a Custom Domain Name; 71.3.2 Example 2: Add a Domain Name Group
  71.4 Monitoring and Maintenance: 71.4.1 View Custom Domain Names; 71.4.2 View Domain Name Groups
Chapter 72 Time Objects
  72.1 Overview
  72.2 Configuring Time Objects: 72.2.1 Configure Absolute Time; 72.2.2 Configure Periodic Time
  72.3 Configuration Examples: 72.3.1 Example 1: Add an Absolute Time; 72.3.2 Example 2: Add a Periodic Time
  72.4 Absolute and Periodic Time Monitoring and Maintenance: 72.4.1 View Absolute Times
  72.5 Common Troubleshooting: 72.5.1 Symptom: Submission Fails
Chapter 73 Health Check
  73.1 Health Check Overview
  73.2 Configuring Health Checks
  73.3 Configuration Examples
Chapter 74 CA Certificates
  74.1 Certificate Overview
  74.2 Configuring Certificate Management: 74.2.1 Configure General Certificates; 74.2.2 Configure GM (Chinese National Cryptographic) Certificates; 74.2.3 Configure CA Certificates; 74.2.4 Configure CRL Certificates; 74.2.5 Configure Root CA Management; 74.2.6 Configure User Certificate Management
  74.3 Configuration Examples
  74.4 Common Faults: 74.4.1 Certificate Chain Import Fails
Chapter 75 Log Management
  75.1 Log Overview
  75.2 Configuration Description: 75.2.1 Default Configuration; 75.2.2 Configure SYSLOG Servers
  75.3 Configuring Log Filtering
  75.4 Notes on Log Configuration for Certain Modules
  75.5 Monitoring and Maintenance: 75.5.1 View Logs; 75.5.2 Set Log Query Conditions
  75.6 Configuration Examples: 75.6.1 Example: Configure SYSLOG Logging for the Health Check Module
  75.7 Common Troubleshooting: 75.7.1 Symptom 1: SYSLOG Logging Is Ineffective; 75.7.2 Symptom 2: E-mail Logging Is Ineffective
Chapter 76 Log Merging
  76.1 Log Merging Overview
  76.2 Configuring Log Merging
  76.3 Configuration Examples: 76.3.1 Example: Configure Firewall Policy Log Merging
Chapter 77 Flow Logs
  77.1 Flow Log Overview
  77.2 Flow Log Configuration: 77.2.1 Global Switch; 77.2.2 Flow Log Filter Switch
  77.3 Flow Log Display: 77.3.1 Local Log Display
Chapter 78 System Configuration
  78.1 System Configuration Overview
  78.2 Configuration Description: 78.2.1 Configure the Device; 78.2.2 System Monitoring; 78.2.3 Time Configuration; 78.2.4 DNS Configuration; 78.2.5 Backup and Restore; 78.2.6 Alarm E-mail Configuration; 78.2.7 Issue Feedback; 78.2.8 Device Reboot; 78.2.9 Centralized Management; 78.2.10 Device Running Records; 78.2.11 Configure Automatic Backup
  78.3 Configuration Examples: 78.3.1 Example 1: Configure and Export Device Running Records; 78.3.2 Example 2: Schedule Automatic Configuration Backup on the 10th of Each Month
Chapter 79 Administrators
  79.1 Administrator Overview
  79.2 Configuring Administrators: 79.2.1 Configure an Administrator
  79.3 Configure RADIUS Servers
  79.4 Configuring LDAP Servers: 79.4.1 Configure an LDAP Server
  79.5 Authentication User Monitoring and Maintenance: 79.5.1 View Administrator Information; 79.5.2 View RADIUS Server Information; 79.5.3 View LDAP Server Information; 79.5.4 View Online Administrator Information
  79.6 Common Troubleshooting: 79.6.1 Symptom: RADIUS Authentication Fails for a System User
Chapter 80 Version Management
  80.1 Version Management: 80.1.1 Version Management; 80.1.2 Signature Database Upgrade; 1.1.3 System Snapshot
Chapter 81 License Management
  81.1 License Management Overview
  81.2 License Import
  81.3 License Trial
Chapter 82 High Availability
  82.1 HA Overview
  82.2 Basic HA Configuration
  82.3 Configuration Synchronization
  82.4 Differential Configuration Export
  82.5 Configuration Data Synchronization
  82.6 Configuring HA Monitoring: 82.6.1 Configure Interface Monitoring; 82.6.2 Configure Link Aggregation Monitoring; 82.6.3 Configure Gateway Monitoring; 82.6.4 Configure Failover Conditions
  82.7 HA State Control
  82.8 Configuration Examples: 82.8.1 Example 1: Basic Active/Standby Mode Configuration; 82.8.2 Example 2: Basic Active/Active Mode Configuration
Chapter 83 VRRP
  83.1 VRRP Overview
  83.2 Configuring VRRP: 83.2.1 Configure VRRP; 83.2.2 Edit a VRRP Backup Group; 83.2.3 Delete a VRRP Backup Group; 83.2.4 View VRRP Backup Groups
  83.3 Configuration Examples
Fortinet Secure SD-WAN Architecture Components Guide
Fortinet Secure SD-WAN Architecture Components

[Figure: architecture component diagram; only the labels survive extraction]
FortiGate Next Generation Firewall capabilities: Application Awareness, FortiGuard Labs, FortiSandbox, Security Rating Service; Security Processor; IPS, Content Filter, Anti-Botnet, App Control, Reputation, Antivirus, SSL Inspection; VLAN, Router, NGFW, SD-WAN
Transports: MPLS, Switched Ethernet, Broadband, FortiExtender
Provisioning, management and identity: FortiDeploy, FortiManager, FortiAnalyzer, FortiSIEM, FortiAuthenticator, FortiSSO
CIO priorities: Enable Digital Transformation; Application Resilience & Recovery; Integrated Security Infrastructure; Edge Device Consolidation; CapEx & OpEx Reduction
CISO priorities: Attack Surface Visibility; Reduced Complexity; Increased Response Time; Compliance Posture Visibility; D&R Automation; Security Framework Alignment

Secure SD-WAN feature list (repeated on every diagram): WAN Path Controller; Application Awareness; Zero Touch Deployment; Device Consolidation; Improved WAN Link Performance; Dynamic Application Distribution; Next Generation Firewall (NGFW); Multi-Transport Support; Centralized Management; Single-Pane-of-Glass Monitoring; Identity-Based Policy; Service Level Agreements (WAN Metrics); Traffic Shaping & Policing

[Figures: five deployment diagrams, each showing a branch office NGFW with its SD-WAN members (broadband, IPsec tunnel, MPLS, LAN) connecting over the Internet and MPLS to the data center, private cloud and multi-cloud (internal servers, VMs, external services), with SIEM & analytics, a provisioning server, threat intelligence, and monitoring & management; link speeds shown range from 3 Mbps to 1 Gbps]
- Digital Transformation for Enterprise Branch
- Reduce WAN OpEx with Direct Internet Access
- Redundant Broadband Enterprise Branch: two Internet service providers (ISP1, ISP2), direct Internet access
- Simplify with Secure SD-Branch: FortiGate Secure SD-WAN with FortiSwitch and FortiAP
- Redundant Connectivity Enterprise Branch: broadband (ISP1) with LTE (ISP2), direct Internet access
(Full version) H3C SD-WAN Solution Technical Proposal v0607
H3C SD-WAN Solution Technical Proposal
(ADWAN Controller)
May 6, 2020
New H3C Technologies Co., Ltd.
June 2017
New H3C Group confidential; not to be distributed without permission
WAN Solutions  Wang Ming
Document classification: internal
Contents
Chapter 1 Overview
Chapter 2 H3C ADWAN System Architecture
3.1.1 Controller deployment mode design
3.1.2 Controller configuration
3.2 Current-phase SDN solution for the bank's core backbone network
3.2.1 Overall solution approach
3.2.2 Application-defined policy
3.2.3 Solution deployment steps
3.3 Evolution plan for the bank's core backbone network
Chapter 4 Solution Advantages and Features
4.1 Suitable for large-scale WANs
4.2 Efficient traffic forwarding mechanism (Segment Routing)
4.2.1 Segment Routing control plane
4.2.2 Segment Routing control plane
4.2.3 Segment Routing technical advantages
4.3 Southbound control mechanism
4.4 Application traffic visibility
4.5 Fine-grained application definition
4.6 System management
Chapter 5 Operational Benefits
5.1 O&M efficiency optimization
5.2 O&M service value-add
Chapter 6 Product Introduction
6.1 Controller product introduction
SD-WAN Enables a Multi-cloud Freeway: White Paper
WHITE PAPER

SD-WAN Enables a Multi-cloud Freeway

Executive Summary

The COVID-19 pandemic only accelerated the already rapid pace of digital innovation at organizations in every industry.[1] This velocity of change is enabled by cloud-based services and solutions, which facilitate quick rollouts, scalable infrastructure, and minimal capital expenditure. The result is that the vast majority of enterprises—and an increasing number of small and midsize businesses—now operate hybrid clouds and even across multiple clouds.

A multi-cloud architecture enables organizations to deploy a reliable and technically appropriate infrastructure for each service, but it brings complications as well. It expands the attack surface and makes security management more challenging. It also complicates the task of connecting users to all the services they need to access, and of integrating applications and workflows that need to interact with each other.

In the words of one observer, “Clouds were born to be complex because applications were able to break away from the confines of the racked physical servers, storage, and networking devices. Once unleashed, new ways to manage, ensure, and secure applications would be required.”[2] And yet the complexity of multi-cloud architectures makes finding these new ways difficult.

Complexity Brings Inefficiency

“Multi-cloud computing lowers the risk of cloud provider lock-in, and can provide service resiliency and migration opportunities, in addition to the core cloud benefits of agility, scalability, and elasticity.”[3]

For example, each of the three largest public clouds in North America—Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP)—has its own networking constructs, management consoles, and security and networking tools. They are essentially incompatible with each other, and this complicates the task of administering a multi-cloud architecture.

For network architects, connecting each public cloud with headquarters, branch offices, and the corporate data center is challenging. Configuring the correct routes and setting up and maintaining virtual private networks (VPNs) can be a waste of time if one works within each provider’s console. This is because it’s a largely manual process—and even automation across the various clouds is different. These factors increase operational complexity and security risks.

SD-WAN Addresses Complexity

Software-defined wide-area networking (SD-WAN) technology was originally developed to provide highly available WAN connections to branch locations, delivering superior performance and cost effectiveness compared with traditional WAN. But it can also play a key role in cloud connectivity. SD-WAN gateways can steer applications over policy-defined links and automatically set up Internet Protocol security (IPsec) tunnels to and across cloud service providers—all from a centralized console.

The big three cloud providers have taken steps to make it easier to support SD-WAN gateways. AWS has introduced Transit Gateway Connect, designed to connect AWS VPCs in each region to a transit VPC with an SD-WAN gateway that aggregates connections from on-premises locations. GCP has launched its Network Connectivity Center with more robust options for connecting Google Cloud VPC virtual private clouds with branches and data center networks. And Microsoft has built features into its virtual WAN to integrate with SD-WAN gateways and extend connectivity to Azure virtual networks from branch offices and remote sites.

This means that SD-WAN technology can be used as a cloud overlay network to connect branch offices to cloud services, virtual networks within a single public cloud, and even multiple clouds with one another.
Its ability to prioritize traffic by application enables the most critical traffic to receive priority, and its ability to steer traffic over multiple routes for the best performance makes it ideal as a multi-cloud overlay. Access and security policies are centralized, and administrators have full visibility into application traffic, performance, and security.

Copyright © 2021 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied.
Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. August 28, 2021 12:57 PM  1238653-0-0-EN

Public Cloud as Transitway

While most public cloud use cases focus on applications and workloads, cloud providers have built out high-speed network backbones, and customers can take advantage of this infrastructure to simplify cloud connectivity, boost performance, ensure security, and improve agility. SD-WAN technology makes the cloud provider network backbone more efficient for organizations to deliver the best application experience.

For instance, if a company had a business requirement for a high-performance, low-latency connection between two branches in different parts of the country, the network team could leverage a cloud provider’s backbone as the transport. In this use case, secure SD-WAN in each branch and in the public cloud can be used to set up IPsec tunnels that will traverse the cloud provider’s backbone.

SD-WAN as Information Freeway

The idea of deploying SD-WAN in branch locations to enable public cloud access is well understood. As organizations embrace a fuller multi-cloud strategy—deliberately or by default—they can extend their SD-WAN investment to support hybrid cloud and multi-cloud deployments, enabling highly secure and efficient network traffic across an enterprise.

These flexible and rapid “freeways” route traffic efficiently and securely between users and different clouds, between different services in a single cloud, and between multiple public and private clouds. Ideally this would all be centrally managed and monitored. Unlike physical freeways, constructing and maintaining them does not cause major disruption. Once the IPsec tunnels are set up, secure SD-WAN technology automatically prioritizes traffic and ensures that each packet is sent over the most efficient route.

SD-WAN as Part of a Security Fabric

All of these connections of course must be monitored and secured. SD-WAN can integrate into a security fabric, which delivers security capabilities across a variety of domains, including wired and wireless networks, endpoints, web applications, the cloud, and more. A security fabric can analyze logs and events from all these security products to correlate alarms and alerts and provide greater context into incidents. A fabric can also orchestrate a response to threats across domains.

Networking for the Future

SD-WAN technology provides an extensive menu of options to network architects for connecting an organization’s people with all its digital resources. In a multi-cloud world, it can provide the necessary links across the infrastructure to enable secure network traffic with high performance for users.

“Multi-cloud is not the same as hybrid cloud, in which public and private clouds are integrated. Multi-cloud simply means that organizations have the flexibility to select the best cloud provider for each of their various infrastructure and application needs.”[4]

References
1. “How COVID-19 has pushed companies over the technology tipping point—and transformed business forever,” McKinsey, October 5, 2020.
2. Emil Sayegh, “Is Further Abstraction The Answer To Cloud Complexities?” Forbes, May 3, 2021.
3. Rani Osnat, “Mitigating the Risks of Multi-Cloud Environments,” Network Computing, July 27, 2021.
4. “What to Look for in a Secure SD-WAN Solution for Multi-Cloud Environments,” Fortinet, July 10, 2020.
Sangfor Internet Access Management System User Manual
AC 12.0.18 User Manual
Contents
Preface
Manual contents
Conventions
GUI format conventions
Symbols
Technical support
Acknowledgements
Chapter 1 Installation Guide
1.1. Environmental requirements
1.2. Power supply
1.3. Product appearance
1.4. Configuration and management
1.5. Single-device cabling
1.6. Dual-device backup cabling
Chapter 2 Using the Console
2.1. Logging in to the WebUI configuration interface
2.1.1. AC web login method
2.1.2. Unified authentication center login method
2.2. Configuration and use
Chapter 3 Function Description
3.1. Value-added service navigation
3.1.1. Activate device
3.1.2. Enter the technical community
3.1.3. “信服君” assistant bot
3.2. Behavior awareness system
3.2.1. Office network internet usage posture
3.2.2. Bandwidth analysis
3.2.3. Data leak tracing analysis
3.2.4. Resignation tendency analysis
3.2.5. Work efficiency analysis
3.2.6. Not-shut-down detection analysis
3.3. Real-time status
3.3.1. Real-time status
3.4. Object definitions
3.4.1. Application signature identification library
3.4.2. Application intelligent identification library
3.4.3. Custom applications
3.4.4. URL category library
3.4.5. URL library list
3.4.6. Admission rule library
3.4.7. Network services
3.4.8. IP address library
3.4.9. Schedule groups
3.4.10. Keyword groups
3.4.11. File type groups
3.4.12. Location object groups
3.5. User authentication and management
3.5.1. Principles
3.5.2. User authentication
3.5.3. User management
3.5.4. Advanced authentication options
3.6. Policy management
3.6.1. Internet access policies
3.6.2. Advanced policy options
3.7. Traffic management
3.7.1. Overview
3.7.3. Channel configuration
3.7.4. Line bandwidth configuration
3.7.5. Virtual line configuration
3.7.6. Traffic visualization
3.8. Endpoint access management
3.8.1. Shared access management
3.8.2. Mobile device management
3.8.3. Proxy tool management
3.9. Internet security
3.9.1. Security status
3.9.2. Security configuration
3.10. VPN configuration
3.10.1. DLAN running status
3.10.2. Multi-line settings
3.10.3. SDWAN intelligent path selection
3.10.4. Basic settings
3.10.5. User management
3.10.6. Connection management
3.10.7. Virtual IP pool
3.10.8. Local subnet list
3.10.9. Inter-tunnel routing settings
3.10.10. Third-party interconnection
3.10.11. General settings
3.10.12. Certificate management
3.10.13. Advanced settings
3.11. System management
3.11.1. Firewall
3.11.2. Network configuration
3.11.3. System configuration
3.12. Cybersecurity Law
Chapter 4 Case Collection
4.1. Single sign-on configuration examples
4.1.1 AD domain single sign-on configuration example
4.1.2 Proxy single sign-on configuration example
4.1.3 POP3 single sign-on configuration example
4.1.4 Web single sign-on configuration example
4.1.5 Single sign-on combined with third-party devices configuration example
4.1.6 Authentication combined with Sangfor devices
4.1.7 Authentication combined with database systems
4.2. Configuration example for users not requiring authentication
4.3. Password-authenticated user configuration examples
4.3.1 SMS authentication
4.3.2 WeChat and QR code authentication
4.3.3 Password authentication
4.4. Other authentication configuration examples
4.5. Third-party CAS authentication configuration example
4.6. Policy configuration examples
4.6.1 Block P2P and P2P streaming media for a user group
4.6.2 Set an IM monitoring policy for a user group
4.6.3 Enable auditing for a user group
4.7. Endpoint management configuration examples
4.7.1 Anti-sharing function configuration example
4.7.2 Mobile device management configuration example
4.7.3 Proxy tool management configuration example
4.8. SNMP TRAP configuration example
4.9. Comprehensive example
4.9.1 Customer network environment and requirements
4.9.2 Configuration approach
Appendix: Using the SANGFOR device upgrade system
Product upgrade steps
Preface
Manual contents
Part 1: SANGFOR AC product overview.
FortiGate 30E-3G Secure SD-WAN Data Sheet
Firewall: 950 Mbps | IPS: 300 Mbps | NGFW: 200 Mbps | Threat Protection: 150 Mbps | Interfaces: Multiple GE RJ45 (refer to the specification table for details)

...fanless desktop form factor for enterprise branch offices and mid-sized businesses. Protect against cyber threats with industry-leading secure SD-WAN in a simple, affordable and easy to deploy solution.

Security
§ Identifies thousands of applications inside network traffic for deep inspection and granular policy enforcement
§ Protects against malware, exploits, and malicious websites in both encrypted and non-encrypted traffic
§ Prevents and detects known and unknown attacks using continuous threat intelligence from AI-powered FortiGuard Labs security services

Performance
§ Delivers the industry’s best threat protection performance and ultra-low latency using purpose-built security processor (SPU) technology
§ Provides industry-leading performance and protection for SSL encrypted traffic

Certification
§ Independently tested and validated best security effectiveness and performance
§ Received unparalleled third-party certifications from NSS Labs, ICSA, Virus Bulletin and AV Comparatives

Networking
§ Best of Breed SD-WAN capabilities to enable application steering using WAN path control for high quality of experience
§ Delivers extensive routing, switching, wireless controller, high-performance, and scalable IPsec VPN capabilities

Management
§ Includes a Management Console that’s effective, simple to use, and provides comprehensive network automation & visibility
§ Provides Zero Touch Integration with Security Fabric’s Single Pane of Glass Management
§ Predefined compliance checklist analyzes the deployment and highlights best practices to improve overall security posture

Security Fabric
§ Enables Fortinet and Fabric-ready partners’ products to provide broader visibility, integrated end-to-end detection, threat intelligence sharing and automated remediation
§ Automatically builds Network Topology visualizations which discover IoT devices and provide complete visibility into Fortinet and Fabric-ready partner products

DATA SHEET | FortiGate® 30E-3G4G

Deployment

Unified Threat Management (UTM)
§ Integrated wired and wireless networking to simplify IT
§ Purpose-built hardware for industry best performance with easy administration through cloud management
§ Provides consolidated security and networking for small businesses and consistently provides top-rated threat protection
§ Proactively blocks newly discovered sophisticated attacks in real-time with advanced threat protection

Secure SD-WAN
§ Secure direct Internet access for Cloud Applications for improved latency and reduced WAN cost spending
§ High-performance and cost-effective threat protection capabilities
§ WAN Path Controller and Link Health Monitoring for better application performance and quality of experience
§ Security Processor-powered industry’s best IPsec VPN and SSL Inspection performance
§ Simplified Management and Zero Touch deployment

[Figures: FortiGate 30E-3G4G deployment in Small Office (UTM); FortiGate 30E-3G4G deployment in Enterprise Branch (Secure SD-WAN) with Secure Access Switch]

Hardware

Interfaces
1. USB Port
2. Console Port
3. 1x GE RJ45 WAN Port
4. 4x GE RJ45 Switch Ports
5. Internal 3G4G Modem

Install in Minutes with FortiExplorer
The FortiExplorer wizard enables easy setup and configuration coupled with easy-to-follow instructions. FortiExplorer runs on popular iOS devices. Using FortiExplorer is as simple as starting the application and connecting to the appropriate USB port on the FortiGate. By using FortiExplorer, you can be up and running and protected in minutes.

3G/4G WAN Extensions
The FortiGate 30E-3G4G includes a built-in 3G/4G modem that allows additional WAN connectivity or a redundant link for maximum reliability.

Compact and Reliable Form Factor
Designed for small environments, you can simply place the FortiGate 30E-3G4G on a desktop. It is small and lightweight yet highly reliable, with superior MTBF (Mean Time Between Failure), minimizing the chance of a network disruption.

FortiOS
Control all security and networking capabilities across the entire FortiGate platform with one intuitive operating system. Reduce complexity, costs, and response time with a truly consolidated next-generation security platform.
§ A truly consolidated platform with a single OS and pane-of-glass for all security and networking services across all FortiGate platforms.
§ Industry-leading protection: NSS Labs Recommended, VB100, AV Comparatives, and ICSA validated security and performance. Ability to leverage latest technologies such as deception-based security.
§ Control thousands of applications, block the latest exploits, and filter web traffic based on millions of real-time URL ratings in addition to true TLS 1.3 support.
§ Prevent, detect, and mitigate advanced attacks automatically in minutes with integrated AI-driven breach prevention and advanced threat protection.
§ Fulfil your networking needs with extensive routing, switching, and SD-WAN capabilities along with intent-based segmentation.
§ Utilize SPU hardware acceleration to boost security capability performance.

...dynamically expand and adapt as more and more workloads and data are added. Security seamlessly follows and protects data, users, and applications as they move between IoT, devices, and cloud environments throughout the network. All this is tied together under single-pane-of-glass management, thereby delivering leading security capabilities across your entire environment while also significantly reducing complexity.

FortiGates are the foundation of the Security Fabric, expanding security via visibility and control by tightly integrating with other Fortinet security products and Fabric-Ready Partner solutions.

Services

FortiGuard™ Security Services
FortiGuard Labs offers real-time intelligence on the threat landscape, delivering comprehensive security updates across

FortiCare™ Support Services
Our FortiCare customer support team provides global technical support for all Fortinet products. With support staff in the Americas,

Specifications
Note: All performance values are “up to” and vary depending on system configuration.
1. IPsec VPN performance test uses AES256-SHA256.
2. IPS (Enterprise Mix), Application Control, NGFW and Threat Protection are measured with Logging enabled.
3. SSL Inspection performance test uses TLS v1.2 with AES128-SHA256.
4. NGFW performance is measured with Firewall, IPS and Application Control enabled.
5. Threat Protection performance is measured with Firewall, IPS, Application Control and Malware Protection enabled.

Firewall Latency (64 byte UDP packets): 130 μs
Firewall Throughput (Packets Per Second): 180 Kpps
Concurrent Sessions (TCP): 900,000
New Sessions/Second (TCP): 15,000
Firewall Policies: 5,000
IPsec VPN Throughput (512 byte) [1]: 75 Mbps
Gateway-to-Gateway IPsec VPN Tunnels: 200
Client-to-Gateway IPsec VPN Tunnels: 250
SSL-VPN Throughput: 35 Mbps
Concurrent SSL-VPN Users (Recommended Maximum, Tunnel Mode): 100
SSL Inspection Throughput (IPS, HTTP) [3]: 160 Mbps
Application Control Throughput (HTTP 64K) [2]: 400 Mbps
CAPWAP Throughput (HTTP 64K): 850 Mbps
Virtual Domains (Default / Maximum): 5 / 5
Maximum Number of FortiSwitches Supported: 8
Maximum Number of FortiAPs (Total / Tunnel Mode): 2 / 1
Maximum Number of FortiTokens: 500
Maximum Number of Registered FortiClients: 200
High Availability Configurations: Active/Active, Active/Passive, Clustering

Modem (FG-30E-3G4G-GBL)
Regional Compatibility: All Regions
Modem Model: Sierra Wireless EM7565
LTE: B1, B2, B3, B4, B5, B7, B8, B9, B12, B13, B18, B19, B20, B26, B28, B29, B30, B32, B41, B42, B43, B46, B48, B66
UMTS/HSPA+: B1, B2, B3, B4, B5, B6, B8, B9, B19
WCDMA: –
CDMA 1xRTT/EV-DO Rev A: –
GSM/GPRS/EDGE: –
Module Certifications: CE, FCC, GCF, IC, JRF/JPA, NCC, PTCRB
Diversity: Yes
MIMO: Yes
GNSS Bias: Yes

Copyright © 2019 Fortinet, Inc. All rights reserved. FST-PROD-DS-GT30E2  FGFWF-30E-3G4G-DAT-R13-201904

Order Information

Bundles

FortiGuard Bundle
FortiGuard Labs delivers a number of security intelligence services to augment the FortiGate firewall platform. You can easily optimize the protection capabilities of your FortiGate with one of these FortiGuard Bundles.

Service | 360 Protection | Enterprise Protection | UTM | Threat Protection
FortiCare | ASE [1] | 24x7 | 24x7 | 24x7
FortiGuard App Control Service | • | • | • | •
FortiGuard IPS Service | • | • | • | •
FortiGuard Advanced Malware Protection (AMP) — Antivirus, Mobile Malware, Botnet, CDR, Virus Outbreak Protection and FortiSandbox Cloud Service | • | • | • | •
FortiGuard Web Filtering Service | • | • | • |
FortiGuard Antispam Service | • | • | • |
FortiGuard Security Rating Service | • | • | |
FortiGuard Industrial Service | • | • | |
FortiCASB SaaS-only Service | • | • | |
FortiConverter Service | • | | |
SD-WAN Cloud Assisted Monitoring [2] | • | | |
SD-WAN Overlay Controller VPN Service [2] | • | | |
FortiAnalyzer Cloud [2] | • | | |
FortiManager Cloud [2] | • | | |
1. 24x7 plus Advanced Services Ticket Handling
2. Available when running FortiOS 6.2

Product | SKU | Description
FortiGate 30E-3G4G-GBL | FG-30E-3G4G-GBL | 5x GE RJ45 ports (including 1x WAN port, 4x Switch ports) with Embedded 3G/4G/LTE wireless WAN module (Global LTE – EM7565), 2 external SMA WWAN antennas included.
深信服SD-WAN产品使用说明书
Sangfor SD-WAN Product User Manual: Contents

Preface: Manual contents; Conventions used in this book; Technical support; Acknowledgements

Chapter 1 SD-WAN installation
1.1 Environmental requirements
1.2 Power
1.3 Product forms: 1.3.1 SD-WAN-MIG integrated gateway; 1.3.2 SD-WAN-WOC; 1.3.3 SD-WAN virtual network element; 1.3.4 X-Central management and control platform; 1.3.5 Hardware performance parameters
1.4 Configuration and management
1.5 Device cabling
1.6 Powering on the device

Chapter 2 SD-WAN network topologies
2.1 Hub-and-spoke
2.2 Full mesh
2.3 Partial mesh

Chapter 3 SD-WAN deployment
3.1 Gateway mode deployment
3.2 Bridge mode deployment
3.3 Bridge VPN mode deployment
3.4 Bridge multi-line mode deployment
3.5 Dual-bridge mode deployment
3.6 Single-arm mode deployment
3.7 Dual single-arm mode deployment

Chapter 4 SD-WAN easy deployment and application-based path selection
4.1 Branch easy deployment by email
4.2 AutoVPN
4.3 SD-WAN application path selection: 4.3.1 Designated line; 4.3.2 Best-quality path selection; 4.3.3 Load by remaining bandwidth; 4.3.4 Bandwidth aggregation; 4.3.5 Line quality probing principle and elimination mechanism

Chapter 5 SD-WAN terminal devices
5.1 SSH login
5.2 Logging in to the WebUI configuration interface
5.3 Status: 5.3.1 WAN optimization status; 5.3.2 Traffic monitoring; 5.3.3 DHCP status; 5.3.4 Device running status; 5.3.5 EoIP status
5.4 Routing settings: 5.4.1 System settings; 5.4.2 Deployment settings; 5.4.3 Routing settings; 5.4.4 User management; 5.4.5 Network objects; 5.4.6 DHCPv4 settings; 5.4.7 DHCPv6 settings; 5.4.8 Syslog & SNMP; 5.4.9 SC settings
5.5 SD-WAN VPN: 5.5.1 SD-WAN path selection; 5.5.2 Server; 5.5.3 Client; 5.5.4 Multi-line; 5.5.5 Third-party authentication; 5.5.6 Advanced settings
5.6 SD-WAN VPN: 5.6.1 Phase 1; 5.6.2 Phase 2; 5.6.3 Security options; 5.6.4 EoIP settings
5.7 Traffic management: 5.7.1 Object settings; 5.7.2 Policy settings; 5.7.3 Flow control settings; 5.7.4 Policy troubleshooting; 5.7.5 Advanced settings
5.8 Application identification: 5.8.1 Identification is the basis of management; 5.8.2 Application library description
5.9 NAT settings: 5.9.1 Proxied Internet access subnets; 5.9.2 Port mapping
5.10 Security protection capabilities: 5.10.1 End-to-end transport encryption; 5.10.2 Filter rules; 5.10.3 Anti-DoS; 5.10.4 ARP spoofing protection; 5.10.5 Products involved; 5.10.6 One-time cleanup of bots, trojans and worms to secure endpoints; 5.10.7 Known threats; 5.10.8 Unknown threats
5.11 High-availability redundancy: 5.11.1 Dual-device deployment modes; 5.11.2 Dual-device maintenance
5.13 Maintenance: 5.13.1 Logs; 5.13.2 Serial number; 5.13.3 Automatic upgrade; 5.13.4 Backup/restore; 5.13.5 Shutdown; 5.13.6 Web console; 5.13.7 Remote technical support

Chapter 6 Overall solution design
6.1 Headquarters side
6.2 Data center interconnection
6.3 Branch side
6.4 Medium and large branches
6.5 Cross-border branches
6.6 Intelligent application path selection

Chapter 7 WAN optimization (SD-WAN access network element)
7.1 Minute-level onboarding
7.2 AUTO VPN
7.3 WAN data transmission optimization
7.4 WAN transmission security hardening
7.5 Multi-layer WAN security protection
7.6 Application and traffic visualization: building a manageable WAN
7.7 Application identification: Object settings; Policy settings; Flow control settings; 7.7.1 HTP high-speed transport protocol for high-latency, high-loss links; 7.7.2 Improved TCP for fast TCP transfer
7.8 Redundant data reduction to raise bandwidth throughput: 7.8.1 Byte-stream-signature-based data optimization; 7.8.2 Efficient stream compression algorithm; 7.8.3 Global IP traffic compression to reduce TCP and UDP usage
7.9 Application acceleration: faster access to core business systems and higher productivity: 7.9.1 Transport protocol optimization; 7.9.2 Application protocol optimization; 7.9.3 CIFS protocol optimization; 7.9.4 HTTP and FTP protocol optimization; 7.9.5 Exchange MAPI protocol optimization; 7.9.6 RDP and Citrix ICA protocol optimization; 7.9.7 Oracle TNS protocol optimization; 7.9.8 Acceleration results for common application systems
7.10 WAN traffic management: traffic shaping and application-based bandwidth guarantee: 7.10.1 Application- and content-based traffic management; 7.10.2 Bandwidth channels for intelligent bandwidth guarantee; 7.10.3 Virtual line technology to guarantee video-conference bandwidth and improve the access experience
7.11 Video conference optimization for seamless collaboration: 7.11.1 Intelligent bandwidth guarantee; 7.11.2 Packet loss compensation (UDP proxy + FEC forward error correction); 7.11.3 Business data compression
7.12 Other SD-WAN WAN optimization highlights: 7.12.1 WAN optimization for mobile clients; 7.12.2 Multi-line multiplexing; 7.12.3 HTTP and FTP file prefetching; 7.12.4 Data center intelligent reports to support decision making; 7.12.5 Policy routing
7.13 Problems SD-WAN WAN optimization solves for you
7.14 Service configuration: 7.14.1 Application settings; 7.14.2 Flow cache settings; 7.14.3 Video optimization settings; 7.14.4 Server; 7.14.5 Client; 7.14.6 Digital certificates; 7.14.7 Advanced settings; 7.14.8 LDAP server; 7.14.9 Advanced settings

Chapter 8 Grey-box and white-box delivery
8.1 Product introduction
8.2 Centralized, visible and controllable operations management

Chapter 9 Virtualized SD-WAN
9.1 Performance and deployment requirements: 9.1.1 Scenario description; 9.1.2 Performance requirements; 9.1.3 Measured performance parameters; 9.1.4 Scenario topology
9.2 Preparation
9.3 Deployment: 9.3.1 Cloud deployment; 9.3.2 WOC basic configuration; 9.3.3 VPN configuration; 9.3.4 Configuring the traffic steering policy; 9.3.5 Verifying the VPN service
9.4 Service configuration: 9.4.1 Acceleration configuration; 9.4.2 Traffic management; 9.4.3 SD-WAN intelligent path selection
9.5 FAQ

Chapter 10 SD-WAN management and control platform
10.1 Platform performance parameters
10.2 Home page map
10.3 Intelligent monitoring: 10.3.1 Intelligent alarms; 10.3.2 Device configuration management
10.4 RESTful API: 10.4.1 Protocol specification; 10.4.2 User management interface format; 10.4.3 Device management interface format; 10.4.4 Virtual network element management and network orchestration interface format; 10.4.5 Device function invocation interface format; 10.4.6 Platform management interface format; 10.4.7 Data analytics output interface format

Chapter 11 Using the data center
11.1 Home page
11.2 Traffic analysis: 11.2.1 Traffic ranking; 11.2.2 Bandwidth distribution
11.3 Bandwidth optimization
11.4 Reports
11.5 Logs: 11.5.1 Management logs; 11.5.2 Firewall logs
11.6 System settings: 11.6.1 Database cleanup; 11.6.3 Subnets

Chapter 12 Case collection
12.1 Dual single-arm mode deployment
12.2 Single-bridge deployment in a VLAN environment
12.3 Bridge VPN deployment
12.4 Bridge multi-line deployment
12.5 WCCP scenarios and configuration
12.6 MAC tracking scenarios and configuration
12.7 Accelerating local subnets and static routes
12.8 Gateway VPN mode EoIP deployment
12.9 Adding acceleration users
12.10 Sangfor VPN configuration: 12.10.1 NAT inside the tunnel; 12.10.2 Mobile PDLAN users connecting to a WOC device; 12.10.3 VPN intranet permission settings; 12.10.4 VPN multi-line configuration; 12.10.5 Mobile users authenticating via LDAP; 12.10.6 VPN multi-subnet configuration; 12.10.7 Branch-to-branch access via inter-tunnel routing; 12.10.8 User Internet access via destination routing
12.11 Interconnecting with a Cisco PIX standard IPSec VPN
12.12 WOC acceleration interconnection: 12.12.1 Creating a user for a branch WOC device and associating a policy; 12.12.2 Accelerating HTTP or HTTPS access to Oracle EBS; 12.12.3 Accelerating access to a Citrix server; 12.12.4 Accelerating access to an RDP server; 12.12.5 Establishing an acceleration connection with headquarters; 12.12.6 Accelerating Outlook Anywhere access to an Exchange server; 12.12.7 Using transparent transmission mode; 12.12.8 Using reverse acceleration to build a bidirectional acceleration connection; 12.12.9 Prefetching from an FTP server; 12.12.10 Accelerating a specified subnet through exclusion rules
12.13 UDP optimization configuration
12.14 Delegation configuration
12.15 Policy routing configuration
12.16 Comprehensive case: 12.16.1 Customer environment and requirements; 12.16.2 Configuration approach; 12.16.3 Headquarters WOC configuration steps; 12.16.4 Branch WOC configuration steps

Appendix A: Using the SANGFOR device upgrade system
Appendix B: Restoring the default configuration via the USB port: Function 1: viewing the port configuration with a USB drive; Function 2: recovering the console password with a USB drive; Notes

Preface
Manual contents
Part 1: SANGFOR SD-WAN product introduction and installation.
VMware SD-WAN 4.0 Administration Guide
VMware SD-WAN Administration Guide, VMware SD-WAN 4.0. You can download the latest technical documentation from the VMware website: https:///cn/.
VMware, Inc., 3401 Hillview Ave., Palo Alto, CA 94304. VMware Information Technology (China) Co., Ltd.: Beijing office, Room 801, 8F, East Tower, Genesis Beijing, 8 Xinyuan South Road, Chaoyang District, Beijing, /cn; Shanghai office, Rooms 804-809, Shui On Plaza, 333 Huaihai Middle Road, Shanghai, /cn; Guangzhou office, Room 3502, Tower 1, Taikoo Hui, 385 Tianhe Road, Guangzhou, /cn. Copyright © 2020 VMware, Inc. All rights reserved.
Copyright and trademark information

VMware SD-WAN Administration Guide: Contents

1 About the VMware SD-WAN Administration Guide
2 What's New
3 Overview: Solution components; SD-WAN Edge performance and scale data; Features; Tunnel overhead and MTU; Network topologies; Branch site topologies; Roles and privilege levels; List of user roles; Key concepts; Supported browsers; Supported modems
4 User Agreement
5 Logging in to the VMware SD-WAN Orchestrator as an enterprise user with SSO
6 Monitoring the enterprise: Monitoring navigation panel; Network overview; Monitoring Edges; Overview tab; QoE tab; Transport tab; Applications tab; Sources tab; Destinations tab; Business Priority tab; System tab; VMware SD-WAN Orchestrator data retention; Monitoring network services; Monitoring routing; PIM neighbors view; Monitoring alerts; Monitoring events; Automatic rollback to the last known good configuration; Monitoring reports
7 Monitoring the enterprise with the new Orchestrator UI: Monitoring the network overview; Monitoring Edges; Monitoring the Edge overview; Monitoring Edge links; Monitoring path visibility; Monitoring Edge applications; Monitoring Edge sources; Monitoring Edge destinations; Monitoring Edge business priorities; Monitoring Edge system information; Monitoring gateways connected to an Edge; Monitoring network services; Monitoring Non SD-WAN Destinations via Gateway; Monitoring cloud security service sites; Monitoring Edge clusters; Monitoring Edge VNFs; Monitoring routing details; Monitoring multicast groups; Monitoring PIM neighbors; Monitoring BGP Edge neighbor state; Monitoring BFD; Monitoring BGP Gateway neighbor state; Monitoring alerts; Monitoring events; Enterprise reports; Creating a new enterprise report; Creating a customized report; Selecting a time range; Selecting data; Selecting Edges; Submitting a report; Monitoring enterprise reports
8 Configuring segments
9 Configuring network services: About Edge clustering; How Edge clustering works; Configuring Edge clustering; Troubleshooting Edge clustering; Creating a Non VMware SD-WAN Site; VPN workflow; Configuring Non SD-WAN Destinations via Gateway; Configuring Check Point; Configuring a Cisco ASA type Non VMware SD-WAN Site; Configuring a Cisco ISR type Non VMware SD-WAN Site; Configuring a Generic IKEv2 Router type Non VMware SD-WAN Site via Gateway; Configuring a Microsoft Azure Non VMware SD-WAN Site; Configuring a Palo Alto type Non VMware SD-WAN Site; Configuring a SonicWALL type Non VMware SD-WAN Site; Configuring Zscaler; Configuring a Generic IKEv1 Router type Non VMware SD-WAN Site via Gateway; Configuring a Generic Firewall (policy-based VPN) type Non VMware SD-WAN Site; Configuring Amazon Web Services; Configuring Non SD-WAN Destinations via Edge; Configuring a Generic IKEv1 Router type Non-VMware SD-WAN Site via Edge; Configuring a "Generic IKEv2 Router" type Non-VMware SD-WAN Site via Edge; Configuring a tunnel between a branch and a Non SD-WAN Destination via Edge; Configuring cloud VPN and tunnel parameters at the Edge level; Cloud security services; Configuring a cloud security provider; Configuring cloud security services for profiles; Configuring cloud security services for Edges; Configuring business policies for cloud security services; Monitoring cloud security services; Monitoring cloud security service events; Configuring DNS services; Configuring Netflow settings; IPFIX templates; Non-NAT template; NAT template; Flow link statistics template; Tunnel statistics template; Application option template; Interface option template; VMware segment ID to segment mapping template; Link option template; Netflow source address and segments; IPFIX information element definitions; Private network names; Configuring a private network; Deleting a private network name; Configuring authentication services
10 Configuring profiles
11 Configuring a profile device: Configuring the device; Assigning segments in a profile; Configuring authentication settings; Configuring DNS settings; Configuring Netflow settings for profiles; Configuring Syslog settings for profiles; Syslog message format for firewall logs; Configuring cloud VPN for profiles; Cloud VPN overview; Configuring a tunnel between a branch and a Non SD-WAN Destination via Gateway; Configuring a tunnel between a branch and SD-WAN Hubs VPN; Configuring a tunnel between branch and branch VPN; Configuring a tunnel between a branch and a Non SD-WAN Destination via Edge; Configuring multicast settings; Configuring multicast settings at the interface level; Configuring VLANs for profiles; Configuring the management IP address; Configuring device settings; Configuring interface settings; Configuring Wi-Fi radio settings; Configuring Layer 2 settings for profiles; Configuring SNMP settings for profiles; Configuring NTP settings for profiles; Configuring visibility mode; Assigning partner gateways; Assigning controllers
12 Configuring business policies: Configuring business policies for profiles; Configuring business policies for Edges; Creating business policy rules; Configuring network services for business policy rules; Configuring link steering modes; Configuring policy-based NAT; Overlay QoS CoS mapping; Tunnel shaper for service providers with partner gateways
13 Configuring the firewall: Configuring the firewall for profiles; Configuring the firewall for Edges; Configuring firewall rules; Configuring stateful firewall settings; Configuring network and flood protection settings; Configuring Edge access; Troubleshooting the firewall
14 Provisioning Edges: Provisioning a new Edge; Activating Edges; Activating Edges using zero touch provisioning (technical preview); Activating Edges using email; Sending an activation email; Activating an Edge device; Managing Edges; Assigning software images; Resetting an Edge to factory settings
15 Configuring Edge information
16 Configuring the Edge device: Configuring DSL settings; Configuring Netflow settings for Edges; LAN-side NAT rules at the Edge level; Configuring Syslog settings for Edges; Configuring static route settings; Configuring ICMP probes/responders; Configuring VRRP settings; Monitoring VRRP events; Configuring cloud VPN and tunnel parameters at the Edge level; Configuring VLANs for Edges; High availability (HA); Configuring device settings; Configuring a DHCP server on routed interfaces; Enabling RADIUS on a routed interface; Configuring Edge LAN overrides; Configuring Edge WAN overrides; Configuring Edge WAN overlay settings; SD-WAN service reachability via MPLS; Configuring MPLS CoS; Configuring hot standby links; Monitoring hot standby links; Configuring Wi-Fi radio overrides; Security VNFs; Configuring VNF management services; Configuring a security VNF without HA; Configuring a security VNF with HA; Defining the mapping between segments and service VLANs; Configuring VNF insertion for VLANs; Monitoring Edge VNFs; Monitoring VNF events; Configuring VNF alerts; Configuring Layer 2 settings for Edges; Configuring SNMP settings for Edges; Configuring NTP settings for Edges; Configuring Edge activation
17 Edge software image management: Overview of Edge software image management; Enabling Edge software image management; Edge image assignment and access; Upgrading the SD-WAN Edge
18 Object groups: Configuring address groups; Configuring port groups; Configuring business policies with object groups; Configuring firewall rules with object groups
19 Site configuration: Data center configuration; Configuring branches and Hubs
20 Configuring OSPF or BGP for dynamic routing: Enabling OSPF; Route filters; Configuring BGP; OSPF/BGP redistribution; BFD settings; Configuring BFD; Configuring BFD for BGP; Configuring BFD for OSPF; Monitoring BFD sessions; Monitoring BFD events; Troubleshooting BFD; Overlay flow control; Configuring global routing preferences; Configuring subnets
21 Configuring alerts
22 Testing and troubleshooting: Remote diagnostics; Running remote diagnostic tests; Remote actions; Diagnostic bundles; Requesting a packet capture bundle; Requesting a diagnostic bundle; Downloading a diagnostic bundle; Deleting a diagnostic bundle
23 Enterprise administration: System settings; Configuring enterprise information; Configuring enterprise authentication; Single sign-on overview; Configuring single sign-on for enterprise users; Configuring an IDP for single sign-on; Managing admin users; Creating a new admin user; Configuring admin users; Role customization; Creating a new customization package; Uploading a customization package; Edge licensing; Edge licensing examples
24 Configuring SD-WAN Edge high availability: SD-WAN Edge HA overview; Prerequisites; High availability options; Standard HA; Enhanced HA; Split-brain condition; Split-brain detection and prevention; Failure scenarios; Support for BGP over HA links; Selection criteria for determining active and standby state; VLAN-tagged traffic over the HA link; Configuring HA; Enabling high availability; Waiting for the SD-WAN Edge to assume the active role; Connecting the standby SD-WAN Edge to the active Edge; Connecting the LAN and WAN interfaces on the standby SD-WAN Edge; HA event details; Deploying HA on VMware ESXi
25 VMware Virtual Edge deployment: Deployment prerequisites for the VMware Virtual Edge; Special considerations for VMware Virtual Edge deployment; Creating cloud-init; Installing the VMware Virtual Edge; Enabling SR-IOV on KVM; Installing the Virtual Edge on KVM; Enabling SR-IOV on VMware; Installing the Virtual Edge on VMware ESXi
26 Azure Virtual WAN SD-WAN Gateway automation: Azure Virtual WAN SD-WAN Gateway automation overview; Azure configuration prerequisites; Registering the SD-WAN Orchestrator application; Assigning the Contributor role to the SD-WAN Orchestrator application; Registering resource providers; Creating a client secret; Configuring Azure Virtual WAN to enable branch-to-Azure VPN connectivity; Creating a resource group; Creating a Virtual WAN; Creating a Virtual Hub; Creating a virtual network; Creating a virtual connection between the VNet and the Hub; Configuring the SD-WAN Orchestrator to enable branch-to-Azure VPN connectivity; Configuring the IaaS subscription network service; Configuring a Microsoft Azure type Non VMware SD-WAN Site; Associating the Non VMware SD-WAN Site with a profile; Editing a VPN site; Synchronizing the VPN configuration; Deleting a Non VMware SD-WAN Site
27 Appendix: Enterprise-level Orchestrator alerts and events; VMware SD-WAN Edge events supported by syslog

1 About the VMware SD-WAN Administration Guide
The VMware SD-WAN™ (formerly VMware SD-WAN™ by VeloCloud®) Administration Guide provides information about the VMware SD-WAN Orchestrator and core VMware configuration settings, including how to configure and manage networks, network services, Edges, profiles, and customers using the SD-WAN Orchestrator.
Sangfor SD-WAN Product Introduction

Matching SD-WAN solutions to multiple business scenarios

Key business values (table columns): guaranteeing the core business experience; improving business continuity; reducing line cost; easy deployment and easy O&M; security hardening

Solution and applicable scenario:
Multi-WAN path selection and optimization: sites with multiple lines, or plans to expand to multiple lines (MPLS + leased line + VPN + 4G)
Cloud-network convergence: business moving to the cloud, with single-line or dual-line VPN into the cloud
Cross-border cloud networking: cross-border connectivity over a single leased line or VPN
Chain-branch networking: a single MPLS line or VPN, possibly expanding to multiple lines
Figure labels (solution architecture): WOC (WAN optimization); host security (asset identification, vulnerability scanning, intrusion prevention, malicious-code protection); business security (identity authentication and access control, web vulnerability identification, application-layer attack prevention); data security (audit compliance, privileged-access control, DLP, access visibility); aBOS branch all-in-one appliance; platform visualization, so security is understandable and threats can be handled quickly; external threat intelligence; network-wide security awareness platform; WAN security threats; behaviour analytics, machine learning, UEBA, expert assistance; data center; disaster-recovery data center; public cloud; SaaS; leased-line WAN; Internet WAN; remote branches.
Business pain points:
1. Branch routers must connect separately to multiple public clouds and physical data centers. Traditional routers cannot establish multiple VPN tunnels to clouds and data centers at the same time, and failures cannot be switched over quickly, which affects business stability; VPN management and device O&M are extremely complex.
2. Rapid branch expansion requires branches to be easy to deploy, yet traditional branch deployment cycles are long.
Presenter: Wang Yanxiang, Prefecture-level Cities Group 1 BU
Agenda: 1 Enterprise networking challenges under business transformation; 2 WAN best-practice thinking under business transformation; 3 The Sangfor SD-WAN solution; 4 Sangfor SD-WAN core advantages and application scenarios
Sangfor Full Product Series Handbook
Many organizations currently face challenges like these.
IPSec VPN
Because of the particular nature of certain industries, a highly secure way to interconnect networks in different locations is needed. IPSec VPN emerged to meet this need, and delivers several kinds of value: rapid networking of geographically separated offices, data encryption within large private networks, VPN extension of industry private networks, and stable backup for single-link private networks.
By deploying the AD product, the Supreme People's Court's portal website achieved traffic distribution between internal and external network users and intelligent server load balancing, which not only improved access speed and stability for a very large user base but also maximized server utilization and increased the return on IT investment.
Sangfor Technologies
Marketing hotline (toll-free): 800 830 9565. 4F, Building 2, Financial Base, 8 Kefa Road, Science and Technology Park, Nanshan District, Shenzhen
Postal code: 518052
Tel: 0755-26581949. Fax: 0755-26581959
Email: market@
Technical support hotline (toll-free): 800 830 6430. Room 501, Building 12, Shenzhen Software Park, Keji Zhong 2nd Road. Postal code: 518052. Fax: 0755-86336514. Email: support@
Internet Access Optimization (SG)
The conflict between the vast resources of the Internet and an organization's limited network bandwidth is long-standing. The rapid growth of the Internet in recent years in particular has made internal users' demand for fast Internet access ever stronger, and the concept of an Internet access optimization gateway emerged in response.
Traffic Management (BM)
As IT construction deepens and information systems become widespread, the data and content carried by organizational networks have become complex and diverse. At the same time, the conflict between the network quality that business growth demands and the bandwidth bottleneck caused by ever richer network applications is becoming increasingly severe.
Business Intelligence Analytics
The AD product can collect statistics on users' access times, geographic distribution, and application-access preferences, uncovering more user-characteristic information for business operations to support commercial decisions.
Figure labels (architecture): (physical or virtualized); vOrchestrator; MANAGEMENT; API; ANALYTICS; ORCHESTRATION; CONTROL; INTERNET; MPLS; 4G; Cloud, Data Center, Campus, Branch, Home Office.
Management plane: intelligent application identification; unified management of security and O&M policies; unified device management; network-wide unified monitoring; AUTO VPN; NFV service orchestration, etc.
5 Sangfor SD-WAN market results
Internet-based, cloud-based, and cross-border business has become an inevitable trend of business transformation
Business types and traffic are growing explosively
Digital transformation, the Internet, and the rise of high-bandwidth video and voice applications create an urgent need to expand to high-capacity bandwidth and improve business continuity
Approach 3: cross-border networking, building a high-speed network on global cloud nodes to reduce leased-line cost and improve the access experience
Unified endpoint access, centralized network management
End-to-end Internet access, not tied to any carrier or region
Plug-and-play devices with no manual configuration; unified network management with centrally pushed configuration
Overseas branches
MPLS + SD-WAN hybrid networking
MPLS backbone: carries core business (low latency, low traffic volume)
Overseas public cloud services
WAN visual management: easy deployment and easy O&M
Home page dashboard display
VPN visual topology display
Sangfor SD-WAN core advantages and functions
Efficient intelligent path selection
Best WAN optimization results
Raises bandwidth utilization to 100%; failover within seconds
300% faster access; 40% lower line cost
Industry-leading security capabilities
Sangfor Internet Access Management: Deployment Modes and Feature Configuration Guide
Sangfor Internet Access Management: Deployment Modes and Feature Configuration Guide (Standardization Institute edition). The factory default IP addresses are:
Interface: IP address
ETH0 (LAN): 10.251.251.251/24
ETH1 (DMZ): 10.252.252.252/24
ETH2 (WAN1): 200.200.20.61/24
The AC supports secure HTTPS login and uses the standard HTTPS port.
If you log in for the first time through the LAN port, the login URL is https://10.251.251.251, and the default username and password are both admin. Change this default password at first login.
When the device is working normally the POWER LED is on steadily, the WAN and LAN port LINK LEDs are on steadily, and the ACT LEDs flicker continuously when there is traffic.
The red ALARM LED is on only while the system loads during startup (about one minute) and is off during normal operation.
If the red LED stays on during installation, power-cycle the device; if it remains on after the restart, contact us.
"Deployment mode" sets the device's working mode: route mode, bridge mode, or bypass mode.
Choosing a suitable deployment mode is the basis for putting the device into the network smoothly and having it work properly.
Route mode: the device acts as a router. This changes the network the most, but enables all of the device's functions. Bridge mode: the device can be seen as a network cable with filtering; it is generally used when the existing topology cannot conveniently be changed, inserting the device smoothly and enabling most of its functions. Bypass mode: the device connects to a mirror port on the internal switch or to a hub, receives a mirrored copy of internal users' Internet traffic, and monitors and controls that traffic from the mirrored copy. This requires no change to the user's network and avoids the risk of the device interrupting the network, but control is weaker in this mode and some functions are unavailable.
In the navigation menu select "Network Configuration" → "Deployment Mode"; the Deployment Mode editing page opens on the right. Click Start Configuration; the options "Route mode", "Bridge mode", and "Bypass mode" appear. Select the gateway mode you want to configure.
Route mode: the device is used as a routing device, generally placed at the internal network's gateway egress to proxy LAN Internet access, or placed behind the router and then proxying LAN Internet access.
Cisco SD-WAN Products Technical Support Reference Guide
Support Guide
Your New Service Request Process: Technical Support Reference Guide for Cisco SD-WAN Products
March 2019

Contents
Introduction
Registration for a User ID
Opening a Support Case by Phone
  Support Numbers
Defining the Severity of a Support Case
Opening a Support Case by Email
Opening a Support Case by Web
  Check Entitlement
  Describe Problem
  Review & Submit
  Save as Draft
Managing Your Support Case

Introduction
This document describes the procedure for obtaining Technical Support through your newly adopted case management system through the Cisco® Technical Assistance Center (TAC). This document covers the user ID registration process, how to contact technical support, and how to manage your support case online.
We want you to know that this is only a change in the process through which you receive technical support. We at Cisco are committed to delivering the same high level of quality service that you are accustomed to receiving.
The Cisco TAC will allow you to:
● Open support cases by phone, web, or email 24 hours a day, 365 days a year
● Download software updates (maintenance and minor releases) for your covered software
● Access Cisco's online support, including a database of product and service information, support case tracking, and a robust set of tools that help facilitate knowledge transfer to your staff and help answer questions more quickly

Registration for a User ID
To contact Cisco Technical Support for questions or issues with your Cisco SD-WAN products, you first need to register for a user ID. If you already have a user ID, go to step 5, as you do not need to re-register.
1. Navigate to and click "Create an account."
2. Fill out the information on the Registration form.
3. Upon clicking "Submit" you will receive an email sent from Cisco. From the link provided in this email, you will be directed to the Registration confirmation page. This step is to verify, confirm, and activate your registration.
Note: This step in the registration process for a user ID is critical. You will need to select "Associate your user ID" to update your Cisco Account Profile.
4. You will be directed to the Cisco Account Profile. Click the "Add Access" button, then select the "TAC and RMA case creation, Software Download, support tools, and entitled content on " radio button on the pop-up screen, and then click "Go" to manage your Service Contract online.
5. Enter your Service contract number(s) as provided in the Welcome to Cisco Services letter, or contact your Cisco authorized partner or distributor for your contract number(s). Partners can access their new contract numbers in Cisco Commerce Workspace-Renewals (CCW-R). If you have multiple service contract numbers, separate them by commas. If you don't know your service contract number, you can enter the serial number of any product covered by your service contract.
If you have any problems with this web registration process, you may send an email to Cisco at web-**************. If you are located in North America, you may call 1-800-553-2447 for assistance to reach Cisco's TAC support organization. For the rest of the world, it is recommended you consult the worldwide toll-free number list at /en/US/support/tsd_cisco_worldwide_contacts.html, and one of the support agents will assist you in completing the registration process.

Service Access Management Tool
The Service Access Management Tool is an application that enables Partners or Customer Administrators to determine which of their service contract numbers are present in user profiles. It is ideal for organizations that want to manage and associate multiple profiles.
By using the Service Access Management Tool, Cisco partners and customers can manage access to the services provided by their contracts (e.g., TAC support, hardware replacement). This management can be done either using Bill to ID or contract number. To manage access by Bill to ID, the Bill to ID must be in an individual's profile and selected (enabled) for support access. This will ensure that all the contracts under the Bill to ID can be utilized for service. To manage access by contract number, a contract number must be in an individual's profile in order for that individual to be able to obtain service. Access the Service Access Management Tool, training, and related content for more information.

Opening a Support Case by Phone
Support Numbers
1-800-553-2447 U.S.
For worldwide support numbers, refer to Cisco worldwide contacts: /en/US/partner/support/tsd_cisco_worldwide_contacts.html
When you want to report a case, make sure you have the following information available:
● User ID that has been associated to the service contract
● Service contract number
● Business effect (case severity)
Cisco entitles customers by contract number and ID. You must know your user name and have the contract number of the product when you are calling for support.
Once the agent has all the appropriate information he/she will open a case, provide you with a case tracking number and route your case to a support engineer. They will contact you to provide technical assistance.

Defining the Severity of a Support Case
Severity 1 and 2 Support Cases must be opened by phone.
Severity 3 and 4 Support Cases should be opened online or by email, but may be opened by phone.
● Severity 1 (S1) shall mean reported Error(s) in Covered Software that cause all or substantially all of a system to be functionally inoperative, severely affecting delivery to Customers and requiring immediate corrective action, regardless of time of day or day of the week.
  ◦ Product and/or covered software are inoperable for 100% of Customers
  ◦ Loss of service > 0.5% of Customers
● Severity 2 (S2) shall mean reported Error(s) in covered products causing the loss of one or more major functions of the system, causing perceptible degradation or interruption of services delivery to Customers or seriously affecting Customer's ability to operate, administer, or maintain their system and requiring immediate attention. Urgency is less than in a Severity 1 situation because of a lesser immediate or impending effect on system performance, Customer's operation and revenue.
  ◦ Management system failure
  ◦ No backup is available
● Severity 3 (S3) shall mean reported Error(s) in covered products disabling specific noncritical functions of the system that do not significantly affect delivery of services to Customers. The lost or degraded functionality impairs Customer's ability to operate, administer, or maintain the system, but does not significantly affect services delivery to Customers.
  ◦ System functionality or performance is reduced
  ◦ System is working on backup
  ◦ Loss of service < 0.5% of Subscribers
● Severity 4 (S4) shall mean reported Error(s) in covered products which are an irritant only and have no significant effect on the functionality or operation of the system, and requests for informational support assistance, including product information requests and configuration assistance.
  ◦ Conditions that do not significantly impair the function of the system
  ◦ Documentation
  ◦ System enhancement/functionality request

Opening a Support Case by Email
Open new support cases by email using the Cisco support email address: *************. If you are opening a new support case, include the product type as the subject line of your email; for example, "Cisco SD-WAN." This will help the agent processing the incoming email to determine the correct support case queue to route your support request.
Include the following information in your email:
● Company name
● Contact name
● Contact phone number
● User ID
● Contact email address
● Contract number
● Product type (e.g. Cisco SD-WAN, Cisco vEdge, Cisco vBond Orchestrator, etc.)
● Business effect (support case severity, as defined above)
● Brief problem description
● Equipment location (e.g., address)
● Alternate contact name
● Alternate contact phone number
Providing this information will help expedite the processing of the support case through the Cisco TAC agent.
Once the agent has processed the email, he/she will open a support case and you will receive a support case number by email. A support engineer will contact you shortly regarding your support case.

Opening a Support Case by Web
The online support case management tool, called Support Case Manager (SCM), allows users to open a support case, assign a severity (level 3 or 4), receive information through the web or email, maintain and track support cases online, and upload files.
SCM allows you to create Cisco TAC support cases for issues covered under the terms of your Cisco support contract(s). At this time, SCM can assist you only with products currently covered by a Cisco service contract. If you would like assistance with a product that is not covered by a contract or is covered under warranty, contact the Cisco TAC by phone.
Before you use SCM, you must be logged in with your user ID and password, and your ID must contain all of your appropriate Cisco support contracts in order for you to access the services covered by those contracts. You can use the Cisco Profile Manager to associate all of your Cisco service contracts to your profile.
Note: If you have a Service Access Management Administrator, you can ask them to make sure that all of your service contracts are associated with your user ID. If you are unsure of your contract number(s), your Cisco Partner, Reseller, or Service Account Manager can provide you with a complete list of your service contracts.
The main steps for opening a support case using SCM include:
1. Check Entitlement: verify the product is covered by a service contract
2. Describe the Problem: enter details about the product
3. Submit Your Support Case: confirm information and edit accordingly
You can access the online support case tool using this link: /case
You will be required to log in with your ID and Password. Please make sure that you have your service contract number available with your ID.
To open a new support case, click on Open New Case and then follow the instructions below.

Check Entitlement
Identify the type of support case. Complete these steps in order to open a support case:
1. Choose one of the Request Type options:
  • Diagnose and Fix
  • Request RMA
  • Ask a Question
2. For hardware products, enter the Product Serial Number and click on "Search." For software products, enter the Service Contract number or product description to search for the product requiring support. If you have a Smart Account you can enter your Product Subscription Number.
Note: At any time during the process, you can click the Save draft and exit link in order to save a draft of your support case. See the Save as Draft section in this document for the steps required to delete or continue submitting a saved support case.

Describe Problem
Identify the severity of the problem, loss of service (if applicable), case details and whether you would like the engineer to contact you. In addition, you can review and change your contact information.
1. Choose the severity from the Severity options. The Severity is automatically populated based on the type of support case:
  • Diagnose and Fix = Severity 3 – Network Impaired
  • Request RMA = Severity 3 – Network Impaired
  • Answer my Question = Severity 4 – Normal Response Time
If you need to open a severity 1 or 2 network-down emergency support case, please call the Technical Assistance Center (TAC) nearest you.
2. Check the box if users are experiencing a loss of service for more than 15 seconds.
3. Enter a Case Title and Description. Keep these guidelines in mind when describing your problem:
  • Include a meaningful case title that states the problem accurately. A meaningful title permits assignment of the case to the appropriate technical resources.
  • Describe the problem and symptoms (only one per support case).
  • Include a history of the problem and any troubleshooting steps you completed.
  • Describe your network topology.
  • Include any recent changes to your network or data center environment.
  • Include output from the show tech command (if applicable) and all other relevant output.
  • Include software versions and types of equipment.
4. Click on "Select a Technology" and select the Technology from the pop-up menu. For Cisco SD-WAN products choose one of the following technology and sub-technology categories:
  ◦ Software Defined Wide Area Networking (SDWAN): PnP Portal – Serial number missing
  ◦ Software Defined Wide Area Networking (SDWAN): SDWAN Cloud Infra
  ◦ Software Defined Wide Area Networking (SDWAN): SDWAN Security (ZBF, IPS, IDS, AMP, URL Filtering)
  ◦ Software Defined Wide Area Networking (SDWAN): Serial file SDWAN License
  ◦ Software Defined Wide Area Networking (SDWAN): cEdge (ASR/ISR)
  ◦ Software Defined Wide Area Networking (SDWAN): vAnalytics
  ◦ Software Defined Wide Area Networking (SDWAN): vBond - ZTP, Control Connections
  ◦ Software Defined Wide Area Networking (SDWAN): vEdge (100, 1000, 2000, 5000)
  ◦ Software Defined Wide Area Networking (SDWAN): vManage - Templates, Deep Packet Inspection (DPI)
  ◦ Software Defined Wide Area Networking (SDWAN): vSmart - Overlay Management Protocol (OMP), Policy
5. Select the Problem Area.
6. Review your contact information in the Contact Preference section. Your contact information is automatically provided based on the username you used to log in to the tool.
7. Click Review to review your case before you submit.

Review & Submit
Review your information and submit your support case.
1. Review the summary of your support case. If you need to update a section, click the Edit link.
2. Click Submit in order to submit your support case. Your support case number will appear at the top of the page.

Save as Draft
During your process to open a support case, you can click the Save Draft and Exit link located at the bottom of the page in order to complete the process at a later time. When you click the Save Draft and Exit link, all information you entered is saved, and you are redirected to your open support cases page. Each saved draft has an expiration date, after which it will be automatically deleted.
To continue submitting a saved draft, click the title of the support case.
To delete a saved draft, click the checkbox located next to the support case, and click the Delete button.

Managing Your Support Case
After you have created your support case, you can view the status, update the notes, upload files, turn automatic updates on or off, and request case closure.
Navigate to /c/en/us/support/index.html and then select "View Open Cases" from the "My Support" menu. Or you may go directly to: /case
On your Support Case Manager home page, you can filter your support cases. Here are the available options:
  • Open Cases
  • Draft Cases
  • Closed Cases
  • Advanced Filter
If you click the Show Advanced Filter link, additional fields appear. Select an option from the Filter menu, and enter additional information in the remaining fields in order to further filter your support cases. Here are the Advanced Filter menu options:
  • Status
    ◦ New
    ◦ Customer Pending
    ◦ Cisco Pending
    ◦ Bug/Defect Required
    ◦ Closure Pending
    ◦ Customer Requested Closure
    ◦ Customer Updated
    ◦ Release Pending
    ◦ Restoration of Service
    ◦ Service Order Pending
  • Severity
    ◦ Severity 1
    ◦ Severity 2
    ◦ Severity 3
    ◦ Severity 4
  • Linked Bugs
  • RMAs
  • Contract Number
  • PICA ID
  • Serial Number
  • Node Name
  • From Date
Printed in USA 03/19
Silver Peak Unity EdgeConnect SD-WAN Datasheet (Unity Orchestrator)
Key Features
> Single Screen Administration: Enables rapid and consistent implementation of network-wide business intent policies, eliminating many of the repetitive and mundane manual steps required to configure and connect remote offices and branch locations
> Centralized Orchestration and Policy Automation: Empowers network administrators to centrally define and orchestrate granular security policies and create secure end-to-end zones across any combination of users, application groups and virtual overlays, pushing configurations to sites in accordance with business intent. In addition, it offers seamless drag-and-drop service chaining to next-generation security services

Unity Orchestrator offers customers the unique ability to centrally assign business intent policies to secure and control all Silver Peak Unity EdgeConnect software-defined wide area network (SD-WAN) traffic. An intuitive user interface provides unprecedented levels of visibility into both data center and cloud-based applications.

> Live View: Monitors real-time throughput, loss, latency and jitter across business intent overlays and the underlying transport services to proactively identify potential performance impacts
> Granular Real-Time Monitoring and Historical Reporting: Provides specific details into application, location, and network statistics, including continuous performance monitoring of loss, latency, and packet ordering for all network paths; identifies all web and native application traffic by name and location, and alarms and alerts allow for faster resolution of network issues
> Bandwidth Cost Savings Reports: Documents the cost savings for moving to broadband connectivity

SD-WAN Deployments Done Faster
Unity Orchestrator™ enables secure zero-touch provisioning of Unity EdgeConnect™ appliances in the branch. Orchestrator automates the assignment of business intent policies to ensure faster and easier connectivity across multiple branches, eliminating the configuration drift that can come from manually updating rules and access control lists (ACLs) on a site-by-site basis. With Orchestrator, customers can:
> Avoid WAN reconfigurations by delivering applications to users in customized virtual overlays
> Align application delivery to business goals through business intent policies
> Simplify branch deployments with EdgeConnect Profiles that describe the virtual and physical configuration of the location

Real-Time Health Monitoring and Historical Reporting
Orchestrator provides specific details into SD-WAN health and performance:
> Appliance dashboard displays a centralized summary of appliances connected on the network, top talkers, applications, topology map and more
> Health map provides a high-level view of EdgeConnect appliance status and network health based on configured thresholds for packet loss, latency and jitter
> Monitoring and reporting tools generate and schedule multiple customized reports to track a variety of performance metrics; reports may be scheduled on a regular basis and automatically sent to specific individuals or departments

Figure 1: A matrix view from Orchestrator provides an easy-to-read, intuitive visualization of configured zones and defined whitelist exceptions.
Figure 2: Unity Orchestrator enables centralized definition and automated distribution of network-wide business intent policies to multiple branch offices.

Gain Control over the Cloud
Gain an accurate picture of how Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS) are being used within the organization.
> Name-based identification and reporting of all cloud and data center-hosted applications
> Tracking of SaaS provider network traffic
> Cloud Intelligence provides internet mapping of optimal egress to SaaS services

Flexible Deployment
> On-premise: Deploy Orchestrator as a virtual machine in an existing environment
> Private cloud: Deploy Orchestrator as a virtual instance within Amazon Web Services (AWS)
> Cloud-hosted Orchestrator: A Silver Peak cloud-hosted Orchestrator provides a highly reliable, zero-CAPEX alternative deployment model. With an optional license, organizations can subscribe to Orchestrator as a software service that supports all Orchestrator features without the complexity of managing on-premise virtual compute and storage resources. A unique Orchestrator instance for each enterprise customer ensures secure SD-WAN management, monitoring and reporting.

Orchestrator Licensing
> Unity Orchestrator, hosted on premise or in a private cloud, is included with the purchase of Unity EdgeConnect (see the Unity EdgeConnect data sheet)
> Optional cloud-hosted Orchestrator requires a separate subscription

Figure 3: Unity Orchestrator monitoring report on application consumption.
Figure 4: Unity Orchestrator Dashboard summarizes overall SD-WAN health, appliance status, topology and top applications.

Delivering Real Business Value
EdgeConnect is the most agile unified SD-WAN platform; it also powers industry-leading performance improvements over any form of connectivity. Silver Peak customers benefit from significant:
> Performance: End-user satisfaction and productivity are significantly improved due to consistent and enhanced performance and availability for both legacy and cloud applications.
> Visibility and Control: Customers benefit from unprecedented levels of visibility into both legacy and cloud applications.
> Security: Centralized segmentation of users, applications and WAN services into secure zones and automated application traffic steering across the LAN and WAN in compliance with predefined security policies, regulatory mandates and business intent.
> Extensibility: Fully compatible with existing WAN infrastructure hardware and transport services, customers can rapidly and non-disruptively augment or replace their MPLS networks with any form of broadband connectivity. Furthermore, customers can replace conventional routers with EdgeConnect SD-WAN, which consolidates network functions like SD-WAN, WAN optimization, routing and security into a single software instance, all managed centrally from the Orchestrator. Easy integration with orchestration systems is provided via RESTful APIs.
> Savings: With EdgeConnect, customers can dramatically lower connectivity, equipment and network administration costs; these savings are achieved through:
  > Reduction in bandwidth costs by actively using broadband connectivity
  > OPEX: Reducing the time and expertise needed to connect branch offices
  > CAPEX: Reducing appliance sprawl and moving to a "thin branch" architecture

SP-DS-ENT-UNITY-ORCHESTRATOR-091918
VMware SD-WAN Operator Guide (manual)
VMware SD-WAN Operator Guide, 2020, VMware SD-WAN 4.1. You can download the latest technical documentation from the VMware website: https:///cn/.
VMware, Inc., 3401 Hillview Ave., Palo Alto, CA 94304. VMware Information Technology (China) Co., Ltd. Beijing office: Room 801, 8th floor, Qihao Beijing East Tower, 8 Xinyuan South Road, Chaoyang District, Beijing, /cn. Shanghai office: Rooms 804-809, Shui On Plaza, 333 Huaihai Middle Road, Shanghai, /cn. Guangzhou office: Room 3502, Tower 1, Taikoo Hui, 385 Tianhe Road, Guangzhou, /cn. Copyright © 2020 VMware, Inc. All rights reserved.
Copyright and trademark information

VMware SD-WAN Operator Guide: Contents

1 About the VMware Operator Guide
2 VMware SD-WAN Orchestrator Overview
3 Supported Browsers
4 What's New
5 Installing SD-WAN Orchestrator
  Prerequisites
  Instance Requirements
  Upstream Firewall Configuration
  External Services
  Installation Procedure
  Preparing cloud-init
  Installing on VMware
  Installing on KVM
  Installing on AWS
  Initial Configuration Tasks
  Installing an SSL Certificate
  Configuring System Properties
  Upgrading SD-WAN Orchestrator
  Expanding Disk Size (VMware)
6 Logging in to SD-WAN Orchestrator as an Operator User Using SSO
7 Monitoring Customers
8 Managing Customers
  Creating a New Customer
  Cloning a Customer
  Enabling VMware Edge Network Intelligence on VMware SD-WAN Orchestrator
  Enabling Analytics for a New Customer
  Enabling Analytics for an Existing Customer
  Configuring a Customer
  Configuring Customer Capabilities
  Configuring Security Policy
  Configuring Distributed Cost Calculation
  Configuring Path Calculation with Multiple DSCP Labels per Flow
  Configuring NFV and VNFs for Edges
  Managing Edge Software Images
  Associating Gateway Pools
9 Managing Partners
  Creating a New Partner
  Configuring Partner Information
10 Software Images
11 System Properties
  List of System Properties
12 Managing Operators
  Monitoring Operator Events
  Managing Operator Profiles
  Creating a New Operator Profile
  Copying an Operator Profile
  Modifying an Operator Profile
  Managing Operator Users
  Creating a New Operator User
  Configuring Operator Users
13 Managing Gateway Pools and Gateways
  Gateway Pools
  The "Managed Pool" Column
  Creating a Gateway Pool
  Creating a Partner-Specific Gateway Pool
  Deleting a Gateway Pool
  Partner Gateway Handoff
  Partner Gateways
  Partner Gateways
  The "Gateways" Page
  Enabling Partner Gateway Mode
  Configuring Gateway BGP
  Running Diagnostics for a Gateway
  Monitoring Gateways
  Monitoring Gateways Using the New Orchestrator UI
14 Application Maps
  Uploading an Application Library
  Cloning an Application Library
  Modifying an Application Library
  Refreshing an Application Map
  Pushing an Application Map
15 Role Customization
  Creating a New Customization Package
  Uploading a Customization Package
16 Edge Licensing
  Managing Partner Edge Licenses
  Managing Customer Edge Licenses
  Generating an Edge License Report
17 Orchestrator Authentication
  Configuring RADIUS Authentication
  Configuring Operator Single Sign-On
  Single Sign-On Overview
  Configuring Single Sign-On for Operator Users
  Configuring an IDP for Single Sign-On
18 Upgrading a DR-Enabled SD-WAN Orchestrator Deployment
  SD-WAN Orchestrator Upgrade Overview
  Upgrading the Orchestrator
  Step 1: Preparing for the Orchestrator Upgrade
  Step 2: Sending Upgrade Notifications
  Step 3: Performing the Orchestrator Upgrade
  Step 4: Completing the Orchestrator Upgrade
  SD-WAN Orchestrator Disaster Recovery
  Setting Up DR in VMware
  Upgrading a DR Setup
19 Configuring SD-WAN Orchestrator Disaster Recovery
  SD-WAN Orchestrator Disaster Recovery Overview
  Setting Up SD-WAN Orchestrator Replication
  Setting Up the Standby Orchestrator
  Setting Up the Active Orchestrator
  Testing Failover
  Upgrading the Standby Orchestrator
  Returning to Standalone Mode
  Troubleshooting SD-WAN Orchestrator DR
20 Managing User Agreements
  Creating a User Agreement
21 Upgrading VMware SD-WAN Orchestrator from Version 3.3.2 or 3.4 to 4.0
22 Troubleshooting SD-WAN Orchestrator
  Orchestrator Diagnostics
  SD-WAN Orchestrator Diagnostics Overview
  The "Diagnostic Bundles" Tab
  The "Database Statistics" Tab
  System Metrics Monitoring
  Rate-Limiting API Requests

1 About the VMware Operator Guide
The VMware SD-WAN™ Operator Guide provides information about VMware SD-WAN Orchestrator, including how to configure and manage the customers and partners that use the Orchestrator.
VMware SD-WAN Administration Guide (manual)
VMware SD-WAN Administration Guide, VMware SD-WAN 3.4. You can find the latest technical documentation on the VMware website at: https:///tw/. VMware, Inc., 3401 Hillview Ave., Palo Alto, CA 94304. Copyright © 2020 VMware, Inc. All rights reserved.
Copyright and trademark information.

VMware SD-WAN Administration Guide: Contents

1 About the VMware SD-WAN Administration Guide
2 What's New
3 Overview
  Solution Components
  SD-WAN Edge Performance and Scale Data
  Features
  Tunnel Overhead and MTU
  Network Topologies
  Branch Site Topologies
  Roles and Privilege Levels
  User Role Matrix
  Key Concepts
  Supported Browsers
  Supported Modems
4 User Agreements
5 Enterprise Users Logging in to VMware SD-WAN Orchestrator Using SSO
6 Monitoring Enterprises
  Monitoring Navigation Panel
  Network Overview
  Monitoring Edges
  Overview Tab
  QoE Tab
  Transport Tab
  Applications Tab
  Sources Tab
  Destinations Tab
  Business Priority Tab
  System Tab
  Flow Statistics Aggregation and Retention
  Monitoring Network Services
  Monitoring Routing
  PIM Neighbors View
  Monitoring Alerts
  Monitoring Events
  Automatic Rollback to the Last Known Good Configuration
  VMware SD-WAN Edge Events Supported by Syslog
  Monitoring Reports
7 Configuring Segments
8 Configuring Network Services
  About Edge Clustering
  How Edge Clustering Works
  Configuring Edge Clustering
  Troubleshooting Edge Clustering
  Configuring a Non VMware SD-WAN Site
  VPN Workflow
  Configuring Check Point
  Configuring Check Point CloudGuard Connect
  Configuring Check Point as a Non VMware SD-WAN Site on the SD-WAN Orchestrator
  Configuring Zscaler
  Creating and Configuring a Non VMware SD-WAN Site
  Associating the NVS with a Configuration Profile
  Configuring Zscaler
  Configuring Business Priority Rules
  Configuring Amazon Web Services
  Obtaining Amazon Web Services Configuration Details
  Creating and Configuring a Non VMware SD-WAN Site
  Configuring Cloud Security Services
  Cloud Security Services Overview
  Configuring Cloud Security Services
  Adding and Configuring a Cloud Security Provider
  Configuring Cloud Security Services for a Profile
  Configuring Cloud Security Services for an Edge
  Monitoring Cloud Security Services
  Edge Screen
  Network Services Screen
  Configuring DNS Services
  Configuring Netflow Settings
  Private Network Names
  Configuring Private Networks
  Deleting a Private Network Name
  Configuring Authentication Services
9 Configuring Profiles
  Creating a Profile
  Modifying a Profile
  Profile Overview Screen
  Network-to-Segment Migration
  Prerequisites for Upgrading Edges from 2.X to 3.X
  Best Practices for Upgrading Edges Deployed as Hub and Spoke
  Best Practices for Upgrading Edges Deployed in HA
  Migrating Networks to Segments
  Configuring Local Credentials
  Adding Credentials
10 Configuring Profile Devices
  Configuring Devices
  Assigning Segments in a Profile
  Configuring Authentication Settings
  Configuring DNS Settings
  Configuring Netflow Settings at the Profile Level
  Configuring Syslog Settings at the Profile Level
  Syslog Message Format for Firewall Logging
  Configuring Cloud VPN
  Cloud VPN Overview
  Configuring Branch to Non VMware SD-WAN Site VPN
  Configuring Tunnels Between Branches and SD-WAN Hubs VPN
  Configuring Branch to Branch VPN
  Configuring Multicast Settings
  Configuring Multicast Settings at the Interface Level
  Configuring VLANs for a Profile
  Configuring the Management IP Address
  Configuring Device Settings
  Configuring Interface Settings
  Configuring Wi-Fi Radio Settings
  Configuring SNMP Settings for a Profile
  Configuring Visibility Mode
  Assigning Partner Gateways
  Assigning Controllers
11 Configuring Profile Business Policy
  Creating Business Policy Rules
  Configuring Match Source
  Configuring Match Destination
  Configuring Match Application
  Configuring Action Priority
  Configuring Action Network Service
  Configuring Link Steering Modes
  Configuring Policy-Based NAT
  Configuring Action Service Class
  Overlay QoS CoS Mapping
  Tunnel Shaper for Service Providers with Partner Gateways
12 Configuring the Firewall
  Configuring the Firewall for a Profile
  Configuring the Firewall for an Edge
  Configuring Firewall Rules
  Configuring Edge Access
  Troubleshooting the Firewall
13 Provisioning an Edge
  Provisioning a New Edge
  Activating an Edge
  Activating an Edge Using Zero Touch Provisioning (Tech Preview)
  Activating an Edge Using Email
  Sending an Activation Email
  Activating the Edge Device
  SD-WAN Edges
  Resetting an Edge to Factory Settings
14 Edge Overview Tab
15 Configuring Edge Devices
  Configuring DSL Settings
  Configuring Netflow Settings at the Edge Level
  Configuring Syslog Settings at the Edge Level
  Configuring Static Route Settings
  Configuring ICMP Probes/Responders
  Configuring VRRP Settings
  Monitoring VRRP Events
  Edge Cloud VPN
  Configuring VLANs for an Edge
  Configuring Device Settings
  Configuring a DHCP Server on a Routed Interface
  High Availability (HA)
  Enabling RADIUS on a Routed Interface
  Configuring Edge LAN Overrides
  Configuring Edge WAN Overrides
  Configuring Edge WAN Overlay Settings
  Configuring MPLS CoS
  SD-WAN Service Reachability via MPLS
  Configuring SNMP Settings for an Edge
  Configuring Wi-Fi Radio Overrides
  Security VNFs
  Configuring VNF Management Services
  Configuring Security VNFs
  Defining Mapped Segments Using Service VLANs
  Configuring VLANs with VNF Insertion
  Monitoring VNFs for an Edge
  VNF Events
  Configuring VNF Alerts
  Configuring Edge Business Policy
  Configuring Edge Activation
  LAN-Side NAT Rules at the Edge Level
16 Object Groups
  Configuring Address Groups
  Configuring Port Groups
  Configuring Business Policy with Object Groups
  Configuring Firewall Rules with Object Groups
17 Site Configurations
  Data Center Configurations
  Configuring Branches and Hubs
18 Configuring Dynamic Routing with OSPF or BGP
  Enabling OSPF
  Route Filters
  Enabling BGP
  OSPF/BGP Redistribution
  Overlay Flow Control
  Configuring Global Routing Preferences
  Configuring Subnets
19 Configuring Alerts
20 Testing and Troubleshooting
  Remote Diagnostics
  Remote Diagnostics Tests
  Remote Actions
  Diagnostic Bundles
  Requesting a Packet Capture
  Requesting a Diagnostic Bundle
  Downloading a Bundle
  Deleting a Bundle
21 Enterprise Administration
  System Settings
  Configuring Enterprise Information
  Configuring Enterprise Authentication
  Single Sign-On Overview
  Configuring Single Sign-On for Enterprise Users
  Configuring an IDP for Single Sign-On
  Managing Admin Users
  Creating a New Admin User
  Configuring Admin Users
  Edge Licensing
22 Configuring SD-WAN Edge High Availability
  Overview of SD-WAN Edge HA
  Prerequisites
  High Availability Options
  Standard HA
  HA Option 2: Enhanced HA
  Split-Brain Condition
  Split-Brain Detection and Prevention
  Failure Scenarios
  Support for BGP over the HA Link
  Selection Criteria for Determining Active and Standby Status
  VLAN-Tagged Traffic over the HA Link
  Configuring HA
  Enabling High Availability (HA)
  Waiting for the SD-WAN Edge to Become Active
  Connecting the Standby SD-WAN Edge to the Active Edge
  Connecting LAN and WAN Interfaces on the Standby SD-WAN Edge
  HA Event Details
  Deploying HA on VMware ESXi
23 VMware Virtual Edge Deployment
  Deployment Prerequisites for VMware Virtual Edge
  Special Considerations for VMware Virtual Edge Deployment
  Creating Cloud-Init
  Installing VMware Virtual Edge
  Enabling SR-IOV on KVM
  Installing a Virtual Edge on KVM
  Enabling SR-IOV on VMware
  Installing a Virtual Edge on VMware ESXi
24 Azure Virtual WAN SD-WAN Gateway Automation
  Azure Virtual WAN SD-WAN Gateway Automation Overview
  Required Azure Configuration
  Registering the SD-WAN Orchestrator Application
  Assigning the SD-WAN Orchestrator Application to the Contributor Role
  Registering Resource Providers
  Creating a Client Secret
  Configuring Azure Virtual WAN for Branch-to-Azure VPN Connectivity
  Creating a Resource Group
  Creating a Virtual WAN
  Creating a Virtual Hub
  Creating a Virtual Network
  Creating a Virtual Connection Between the VNet and the Hub
  Configuring SD-WAN Orchestrator for Branch-to-Azure VPN Connectivity
  Configuring the IaaS Subscription Network Service
  Configuring a Microsoft Azure Non VMware SD-WAN Site
  Associating the Non VMware SD-WAN Site with a Profile
  Editing a VPN Site
  Syncing the VPN Configuration
  Deleting a Non VMware SD-WAN Site

1 About the VMware SD-WAN Administration Guide
The VMware SD-WAN™ (formerly VMware SD-WAN™ by VeloCloud®) Administration Guide provides information about VMware SD-WAN Orchestrator and core VMware configuration settings, including how to configure and manage networks, network services, Edges, profiles, and the customers that use the SD-WAN Orchestrator.
Sangfor Internet Access Management (AC): Deployment Modes and Feature Configuration Guide
Sangfor Internet Access Management (AC): Deployment Modes and Feature Configuration Guide (Standardization Institute). The device's factory default IP addresses are listed in the table below. The AC supports secure HTTPS login, using the standard HTTPS port.
If the initial login is made through the LAN port, the login URL is: , and the default username and password are both admin.
When the device is operating normally, the POWER LED is on steadily, the LINK LEDs of the WAN and LAN ports are on steadily, and the ACT LEDs flash continuously while data traffic is flowing.
The red ALARM LED stays on only while the system loads at device startup (about one minute) and is off during normal operation.
If this red LED stays on during installation, power-cycle the device; if it remains on after the restart, contact us.
"Deployment Mode" sets the device's operating mode, which can be route mode, bridge mode, or bypass (mirror) mode.
Choosing a suitable deployment mode is the basis for placing the device into the network successfully and having it operate normally.
Route mode: the device is used as a routing device. This requires the largest change to the network, but it enables all of the device's features. Bridge mode: the device can be thought of as a network cable with filtering. It is generally used when changing the existing network topology is inconvenient; the device slips into the network without disruption and can provide most of its features. Bypass mode: the device connects to a mirror port on the internal switch or to a hub, receives a mirrored copy of internal users' internet traffic, and monitors and controls that traffic from the mirrored data. This requires no change at all to the user's network and avoids the risk of the device interrupting the network, but the device's control capability in this mode is weaker and some features cannot be provided.
In the [Navigation Menu], choose "Network Configuration" → "Deployment Mode"; the [Deployment Mode] edit page opens on the right. Click Start Configuration; the options "Route Mode", "Bridge Mode" and "Bypass Mode" appear. Select the gateway mode you want to configure.
Route mode: the device is used as a routing device. It is usually placed at the internal network's gateway egress to proxy the LAN's internet access, or placed behind a router and then proxies the LAN's internet access.
Configuration procedure. Step 1: configure the device first. Log in to the device through its default IP, for example through the LAN port. The LAN port's default IP is 10.251.251.251/24; configure an IP address in this subnet on a PC, then log in to the device. The default username/password is admin/admin.
Sangfor SD-WAN Product User Manual: Contents

Preface
  Manual contents
  Conventions used in this book
  Technical support
  Acknowledgements
Chapter 1 Installing SDWAN
  1.1. Environmental requirements
  1.2. Power supply
  1.3. Product forms
    1.3.1. SD-WAN-MIG integrated gateway
    1.3.2. SD-WAN-WOC
    1.3.3. SDWAN virtual network element
    1.3.4. X-Central management and control platform
    1.3.5. Hardware performance specifications
  1.4. Configuration and management
  1.5. Device cabling
  1.6. Powering on the device
Chapter 2 SDWAN network topologies
  2.1. Hub-spoke topology
  2.2. Full mesh topology
  2.3. Partial mesh topology
Chapter 3 Deploying SDWAN
  3.1. Gateway mode deployment
  3.2. Bridge mode deployment
  3.3. Bridge VPN mode deployment
  3.4. Bridge multi-link mode deployment
  3.5. Dual-bridge mode deployment
  3.6. One-arm mode deployment
  3.7. Dual one-arm mode deployment
Chapter 4 SD-WAN easy deployment and application-based path selection
  4.1. Branch easy deployment by email
  4.2. AutoVPN
  4.3. SD-WAN application path selection
    4.3.1. Designated link
    4.3.2. Highest-quality path selection
    4.3.3. Load balancing by remaining bandwidth
    4.3.4. Bandwidth aggregation
    4.3.5. Link quality probing principle and elimination mechanism
Chapter 5 SDWAN terminal devices
  5.1. SSH login
  5.2. Logging in to the WebUI configuration interface
  5.3. Status
    5.3.1. WAN optimization status
    5.3.2. Traffic monitoring
    5.3.3. DHCP status
    5.3.4. Device running status
    5.3.5. EoIP status
  5.4. Routing settings
    5.4.1. System settings
    5.4.2. Deployment settings
    5.4.3. Routing settings
    5.4.4. User management
    5.4.5. Network objects
    5.4.6. DHCPv4 settings
    5.4.7. DHCPv6 settings
    5.4.8. Syslog & SNMP
    5.4.9. SC settings
  5.5. SD-WAN VPN
    5.5.1. SDWAN path selection
    5.5.2. Server side
    5.5.3. Client side
    5.5.4. Multi-link
    5.5.5. Third-party authentication
    5.5.6. Advanced settings
  5.6. SD-WAN VPN
    5.6.1. Phase 1
    5.6.2. Phase 2
    5.6.3. Security options
    5.6.4. EoIP settings
  5.7. Traffic management
    5.7.1. Object settings
    5.7.2. Policy settings
    5.7.3. Flow control settings
    5.7.4. Policy troubleshooting
    5.7.5. Advanced settings
  5.8. Application identification
    5.8.1. Identification is the basis of management
    5.8.2. Application library description
  5.9. NAT settings
    5.9.1. Proxied internet access subnets
    5.9.2. Port mapping
  5.10. Security protection capabilities
    5.10.1. End-to-end transport encryption
    5.10.2. Filter rules
    5.10.3. Anti-DoS protection
    5.10.4. ARP spoofing protection
    5.10.5. Products involved
    5.10.6. One-time cleanup of bots, trojans and worms to secure endpoints
    5.10.7. Known threats
    5.10.8. Unknown threats
  5.11. High-availability redundancy
    5.11.1. Dual-device deployment
    5.11.2. Dual-device maintenance
  5.13. Maintenance
    5.13.1. Logs
    5.13.2. Serial number
    5.13.3. Automatic upgrade
    5.13.4. Backup/restore
    5.13.5. Shutdown
    5.13.6. Web console
    5.13.7. Remote technical support
Chapter 6 Overall solution design
  6.1. Headquarters side
  6.2. Data center interconnection
  6.3. Branch side
  6.4. Large and medium-sized branches
  6.5. International branches
  6.6. Intelligent application path selection
Chapter 7 WAN optimization (SD-WAN access network element)
  7.1. Online within minutes
  7.2. AUTO VPN
  7.3. WAN data transmission optimization
  7.4. WAN transmission security hardening
  7.5. Multi-layer WAN security protection
  7.6. Application and traffic visibility: building a manageable WAN
  7.7. Application identification
    Object settings
    Policy settings
    Flow control settings
    7.7.1. HTP high-speed transport protocol for high latency and high packet loss
    7.7.2. Improved TCP for fast TCP transmission
  7.8. Redundant data reduction for higher bandwidth throughput
    7.8.1. Data optimization based on byte-stream signatures
    7.8.2. Efficient data stream compression algorithm
    7.8.3. Global IP traffic compression to reduce TCP and UDP traffic usage
  7.9. Application acceleration: faster access to core business systems and higher productivity
    7.9.1. Transport protocol optimization
    7.9.2. Application protocol optimization
    7.9.3. CIFS protocol optimization
    7.9.4. HTTP and FTP protocol optimization
    7.9.5. Exchange MAPI protocol optimization
    7.9.6. RDP and Citrix ICA protocol optimization
    7.9.7. Oracle TNS protocol optimization
    7.9.8. Acceleration results for common application systems
  7.10. WAN traffic management: traffic shaping and application-based bandwidth guarantees
    7.10.1. Application- and content-based traffic management
    7.10.2. Bandwidth channels for intelligent bandwidth guarantees
    7.10.3. Virtual link technology to guarantee video conferencing bandwidth and improve the access experience
  7.11. Video conferencing optimization for seamless collaboration
    7.11.1. Intelligent bandwidth guarantee
    7.11.2. Packet loss compensation (UDP proxy + FEC forward error correction)
    7.11.3. Business data compression
  7.12. Other highlights of SD-WAN WAN optimization
    7.12.1. WAN optimization for mobile clients
    7.12.2. Multi-link multiplexing
    7.12.3. HTTP and FTP file prefetching
    7.12.4. Intelligent data center reports for smarter decisions
    7.12.5. Policy-based routing
  7.13. Problems that SD-WAN WAN optimization solves for you
  7.14. Service configuration
    7.14.1. Application settings
    7.14.2. Stream cache settings
    7.14.3. Video optimization settings
    7.14.4. Server side
    7.14.5. Client side
    7.14.6. Digital certificates
    7.14.7. Advanced settings
    7.14.8. LDAP server
    7.14.9. Advanced settings
Chapter 8 Grey-box and white-box delivery
  8.1. Product introduction
  8.2. Centralized, visible and controllable operations management
Chapter 9 Virtualized SD-WAN
  9.1. Performance and deployment requirements
    9.1.1. Scenario description
    9.1.2. Performance requirements
    9.1.3. Measured performance parameters
    9.1.4. Scenario topology
  9.2. Preparation
  9.3. Deployment procedure
    9.3.1. Cloud deployment
    9.3.2. WOC basic configuration
    9.3.3. VPN configuration
    9.3.4. Configuring traffic redirection policies
    9.3.5. Verifying the VPN service
  9.4. Service configuration
    9.4.1. Acceleration configuration
    9.4.2. Traffic management
    9.4.3. SDWAN intelligent path selection
  9.5. FAQ
Chapter 10 Using the SDWAN management and control platform
  10.1. Platform performance parameters
  10.2. Home page map
  10.3. Intelligent monitoring
    10.3.1. Intelligent alarms
    10.3.2. Device configuration management
  10.4. Restful API
    10.4.1. Protocol specification
    10.4.2. User management interface format
    10.4.3. Device management interface format
    10.4.4. Virtual network element management and network orchestration interface format
    10.4.5. Device function invocation interface format
    10.4.6. Platform management interface format
    10.4.7. Data analytics output interface format
Chapter 11 Using the data center
  11.1. Home page
  11.2. Traffic analysis
    11.2.1. Traffic ranking
    11.2.2. Bandwidth distribution
  11.3. Bandwidth optimization
  11.4. Reports
  11.5. Logs
    11.5.1. Management logs
    11.5.2. Firewall logs
  11.6. System settings
    11.6.1. Database cleanup
    11.6.3. Subnets
Chapter 12 Case studies
  12.1. Dual one-arm mode deployment configuration case
  12.2. Single-bridge deployment configuration case in a VLAN environment
  12.3. Bridge VPN deployment configuration case
  12.4. Bridge multi-link deployment configuration case
  12.5. WCCP use cases and configuration
  12.6. MAC tracking use cases and configuration
  12.7. Configuring accelerated local subnets and static routes
  12.8. EoIP deployment case in gateway VPN mode
  12.9. Adding acceleration users
  12.10. Sangfor VPN configuration cases
    12.10.1. NAT inside the tunnel
    12.10.2. Mobile PDLAN users connecting to the WOC device
    12.10.3. Setting VPN intranet permissions
    12.10.4. VPN multi-link configuration
    12.10.5. Mobile users connecting with LDAP authentication
    12.10.6. VPN multi-subnet configuration
    12.10.7. Branch-to-branch access through inter-tunnel routing
    12.10.8. Internet access for users through destination routing
  12.11. Interconnecting with a Cisco PIX standard IPsec VPN
  12.12. WOC accelerated interconnection cases
    12.12.1. Creating a user for a branch WOC device and associating policies
    12.12.2. Accelerating Oracle EBS accessed over HTTP or HTTPS
    12.12.3. Accelerating access to Citrix servers
    12.12.4. Accelerating access to RDP servers
    12.12.5. Establishing an accelerated connection to headquarters
    12.12.6. Accelerating Outlook Anywhere access to Exchange servers
    12.12.7. Using transparent transport mode
    12.12.8. Using reverse acceleration to build a bidirectional accelerated connection
    12.12.9. Prefetching from an FTP server
    12.12.10. Accelerating specified subnets through exclusion rules
  12.13. UDP optimization configuration
  12.14. Delegation configuration
  12.15. Policy-based routing configuration
  12.16. Comprehensive case
    12.16.1. Customer environment and requirements
    12.16.2. Configuration approach
    12.16.3. Headquarters WOC device configuration steps
    12.16.4. Branch WOC device configuration steps
Appendix A: Using the SANGFOR device upgrade system
Appendix B: Restoring the default configuration through the USB port
  Function 1: Viewing the network port configuration with a USB drive
  Function 2: Restoring the console password with a USB drive
  Notes

Preface. Manual contents. Part 1: SANGFOR SDWAN product introduction and installation.