安全网关产品说明书模板

ANYSEC安全网关YKey管理员手册版权所有：深圳市中科网威科技有限公司1.ANYSEC安全网关服务器端配置1.1．生成证书1.1.1．准备工作必须具备以下条件1．确保ANYSEC系统设备运行正常；2．确保ANYSEC系统设备版本支持ANYSEC移动客户端V6.0版本；3．确保管理员电脑上已经成功安装了ANYSEC客户端程序。

1.1.2．开始生成证书证书生成顺序必须为“CA证书”——“本机证书”——“远端证书”；在生成证书前，将设备时间设置提前一天，因为CA证书次日才会生效；所有证书信息请使用英文（国际CA标准，中文支持较差）。

如下图所示：1．登陆ANYSEC设备WEB配置界面，选择“系统管理”-“证书”-“CA证书”-“创建根证书”，见以下图示：●新建一个CA根证书，根据提示填写相关信息（相关信息请填写英文），如图：●建好CA证书后，点击“设备证书”——“新建”，新建一个本机证书，如图：新建一个本地证书，根据提示填写相关信息（相关信息请填写英文）如下图：注：CA证书、本机证书均为ANYSEC安全网关作为CA中心所必须的基础证书。

2．建立用户证书，点击“证书库”——“新建客户端证书”，按实际情况填写信息（相关信息请填写英文，个人信息请填写新建用户时的认证用户名），如图所示：●建好远端证书后，会列表显示出已有证书，以及证书的使用状态，还可以对证书进行导出、吊销、删除等管理，如图所示：●点击“导出”，将证书下载到管理员的电脑中进行保存、管理、导入UKey的工作。

如图所示：私钥保护口令验证：是指建立私钥时输入私钥保护密码；证书保护口令：是指将证书导入UKey时的密码，也是在使用证书验证时的密码，此口令不是UKey PIN码。

●点击右上角“配置保存”完成证书生成工作。

如图：1.1.3．移动客户端UKEY认证配置1.点击“VPN管理”——“移动客户端”——“配置”，如下图：起始IP地址、结束IP地址：是指移动客户端获取的虚拟内网地址，该地址不能与内网网段冲突；支持PKI认证：采用证书或UKey认证的需要点开此选项，勾选，用户名密码方式将失效；服务器证书：是指本机证书，选择之前建立的本机证书；接受所有合法PKI用户：如果勾选此项，则表示本设备远端证书中所有有效证书都可以通过客户端远程接入，如果不勾选此项，则表示只接受认证用户组中的证书用户；认证用户组：是指远程接入的合法用户组，此项是引用“用户管理”——“用户组”中的用户数据，默认用户组为MClientAuth（移动客户端用户组），在该组中引用的用户，其“用户名”必须与生成远端证书时填写的“个人信息”一栏内容一致；服务状态：勾选此项，打开移动客户端服务。

安全网关产品说明书介绍欢迎并感谢您选购联通网络信息安全产品，用以构筑您的实时网络防护系统。

ZXSECUS 统一威胁管理系统（安全网关）增强了网络的安全性，避免了网络资源的误用和滥用，帮助您更有效的使用通讯资源的同时不会降低网络性能。

ZXSECUS统一安全网关是致力于网络安全，易于管理的安全设备。

其功能齐备，包括：●应用层服务，例如病毒防护、入侵防护、垃圾邮件过滤、网页内容过滤以及IM/P2P过滤服务。

●网络层服务，例如防火墙、入侵防护、IPSec与SSLVPN，以及流量控制。

●管理服务，例如用户认证、发送日志与报告到USLA、设备管理设置、安全的web与CLI管理访问，以及SNMP。

ZXSECUS统一安全网关采用ZXSECUS动态威胁防护系统（DTPSTM）具有芯片设计、网络通信、安全防御及内容分析等方面诸多技术优势。

独特的基于ASIC上的网络安全构架能实时进行网络内容和状态分析，并及时启动部署在网络边界的防护关键应用程序，随时对您的网络进行最有效的安全保护。

ZXSECUS设备介绍所有的ZXSECUS统一安全网关可以对从soho到企业级别的用户提供基于网络的反病毒，网页内容过滤，防火墙，VPN以及入侵防护等防护功能。

ZXSECUS550ZXSECUS550设备的性能，可用性以及可靠性迎合了企业级别的需求。

ZXSECUS550同样也支持高可用性群集以及包括在HA设备主从设备切换时不会丢弃会话，该设备是关键任务系统的理想选择。

ZXSECUS350ZXSECUS350设备易于部署与管理，为soho以及子机构之间的应用提供了高附加值与可靠的性能。

ZXSECUS安装指南通过简单的步骤指导用户在几分钟之内运行设备。

ZXSECUS180ZXSECUS180为soho以及中小型企业设计。

ZXSECUS180支持的高级的性能例如802.1Q，虚拟域以及RIP与OSPF路由协议。

ZXSECUS120ZXSECUS120设计应用于远程办公以及零售店管理.具备模拟modem接口，能够作为与互联网连接的备份或单独与互联网连接。

•Safety Category 4, Performance Level e, according to EN 13849-1•Safety Category 4 according to EN 954-1•Category 0 Emergency Stop (EN 60204-1)•Input type: 2 NO•2 x 6 A NO safety outputs (NSO02D)•3 x 6 A NO safety outputs and 1 x 6 A NC auxiliary output (NSO13D)•Automatic / manual or monitored manual reset •Single / double channel operations•LED indication for outputs status and power supply ON •Connection by fixed or detachable terminals•For mounting on DIN-rail in accordance with DIN/EN 50022•22.5 mm Euronorm housingProduct De s crip t ionSafety gate and safety magnetic sensor modules according to EN 60204-1, EN 292-1/-2, EN 418 and EN1088.This family of safety module in Safety Category 4,Performance Level e,includes fixed screw and detachable screw as well as automatic/manual or monitored manual restart versions.Safety ModulesSafety Gate and Safety Magnetic Sensor Types NSO02D, NSO13DTime SpecificationScrew, fixed Type SelectionAuxiliary outputsSafety outputs2 NO 2 NO2 NO 2 NO 1 NC3 NO 1 NC 3 NO 1 NC 3 NO 1 NC3 NOOutput SpecificationInput SpecificationsNSO02D, NSO13DSupply SpecificationGeneral SpecificationsMode of OperationThe safety modules NSO02D and NSO13D monitor both mechanical switches and safety magnetic sensors (2 NO contact outputs), according to 98/37/CE Machinery Directive.If the unit is correctly supplied and the input terminals are closed (i.e. safety gate closed),the module is enabled to close the safety outputs and the external contactors can be energized.When the input terminals are open (i.e. safety gate open) the module is not enabled to close the safety outputs and the external contactors can not be energized.Automatic STARTProvided that the terminals X1and X2 (NSO02...A) or S33and S34 (NSO13...A) are connected, the safety outputs close and the auxiliary output opens (NSO13...A) as soon as both S1 and S2 switches are closed.The relevant CH1 and CH2LED turn on.Releasing even one input contact (S1 and/or S2) forces immediately the safety outputs to open and the auxiliary output (NSO13...A) to close.A new operating cycle is possible only after releasing both input contacts and then operating them again.Manual STARTProvided that both S1 and S2switches are closed, the safety outputs close and the auxiliary output opens (NSO13...A) as soon as the NO START pushbutton is pushed [connecting X1 and X2(NSO02...A) or S33 and S34(NSO13...A)]A new operating cycle is possible only after releasing both input contacts, closing them again and pushing the START button.Monitored manual START The monitored manual START versions (NSO...C) work as described in the previous paragraph (M anual START)except for a minimum delay of 500 ms from the closed status of the input contacts to the pushing of the START button. If the input terminals get closed with the START switch already closed, the safety outputs don’t close and the auxiliary doesn’t open (NSO13...C): it is necessary to release the START button and the input contacts before starting a new cycle, then operate the input contacts and finally, after at least 500 ms,operate the START button.So if the NO START button gets welded, the outputs don’t close anymore.NSO02D, NSO13D Operational DiagramWiring DiagramsNSO02D, NSO13DWiring Diagrams (cont.)Dimensions。

Version 5.5ST00001B1111版权所有，保留所有权利Copyright © 2021, Hillstone NetworksTW-RN-OSG-V5.5ST00001B111-CN-V1.0-Y21M01山石网科运维安全网关V5.5ST00001B111发布概述发布日期：2021年1月11日本次发布重点新增RDP运维支持NLA网络基本身份验证、新增AD域认证用户同步、针对Windows类资产账号改密中新增“winRM服务方式”改密方式；新增图形应用Chrome浏览器支持http/https资产运维等新功能，同时优化和修复了一些功能问题。

在升级V5.5ST00001B111版本时，请务必查看“升级注意事项”进行升级。

产品型号和升级包文件新增功能已解决问题升级注意事项1、在升级到V5.5ST00001B111版本后，无法通过IE8浏览器访问设备页面。

建议用户不要使用IE8浏览器进行升级。

如在某些环境中，需要使用IE8访问设备页面，可以在升级V5.5ST00001B111版本之后，再使用“openssl配置回退包（upgrade_iam_090_openssl_back.tar.gz）”进行回退。

2、在升级到V5.5ST00001B111版本后，如果用户需要导入新的授权文件，请先导入“授权清理包（upgrade_iam_license_clean.tar.gz）”清除原授权文件。

3、集群/热备环境升级前需要解除集群/热备环境。

确保单机环境升级。

4、在升级到V5.5ST00001B111版本后，请先清除浏览器页面缓存，重启设备5、由于修改了V5.5ST00001B111版本中hillstoneotp.cab插件，会造成之前已经部署的设备无法调用，在升级到该版本后，请先替换hillstoneotp.cab插件。

6、RESTful API接口功能开放：根据项目需求，收费支持。

7、内置应用发布中心的操作系统及RDS授权未激活，部署时需要手动激活。

Version 5.5ST00001B112
1
版权所有，保留所有权利Copyright © 2021, Hillstone Networks
TW-RN-OSG-V5.5ST00001B112-CN-V1.0-Y21M12
山石网科运维安全网关V5.5ST00001B112
发布概述
发布日期：2021年12月30日
本次版本升级，主要新增了H5方式运维、三级会同审批、支持人大金仓、达梦数据库工具单点登录等新功能，优化修复了一些漏洞和问题。

在升级V5.5ST00001B1112版本时，请务必查看“升级注意事项”进行升级。

产品型号和升级包文件
新增功能
已解决问题
升级注意事项
1、集群/热备环境升级前需要解除集群/热备环境，确保单机环境升级。

2、在升级到V5.5ST00001B112版本后，请先清除浏览器页面缓存，重启设备。

浏览器兼容性
以下浏览器推荐用户使用：
♦IE11
获得帮助
山石网科运维安全网关配有以下手册，请访问获取：♦《山石网科运维安全网关部署手册_V5.5ST00001B112》
♦《山石网科运维安全网关用户手册-管理员分册_V5.5ST00001B112》
♦《山石网科运维安全网关用户手册-用户分册_V5.5ST00001B112》
服务热线：400-828-6655
官方网址：。

华盾VPN 安全网关用户手册(5.2.0版)北京东方华盾信息技术有限公司二00五年九月华盾VPN 网关用户手册 1北京东方华盾信息技术有限公司 010-********/56/57/58/59/60目 录第一章 概 述.............................................................................................6 1.1 华盾VPN 产品系列...........................................................................6 1.2 关于本手册........................................................................................6 第二章 硬件安装.. (7)2.1 安全说明............................................................................................7 2.2 安装指南............................................................................................7 第三章 配置准备.......................................................................................11 3.1 控制面板安装...................................................................................11 3.2 登录VPN 网关 (11)3.2.1 本地登录...................................................................................12 3.2.2 远程登录...................................................................................12 3.3 控制面板界面...................................................................................13 第四章 网络设置.......................................................................................16 4.1 网络功能简介...................................................................................16 4.1.1 网络接口...................................................................................16 4.1.2 上网的负载均衡.......................................................................16 4.1.3 透明网络...................................................................................17 4.1.4 静态路由...................................................................................18 4.1.5 动态路由...................................................................................18 4.2 网络接口配置...................................................................................19 4.3 透明网络配置...................................................................................22 4.4 静态路由配置...................................................................................24 4.5 动态路由配置.. (26)北京东方华盾信息技术有限公司 010-********/56/57/58/59/60第五章 PKI 设置.......................................................................................27 5.1 本机VPN 证书管理.........................................................................27 5.2 客户端证书属性...............................................................................28 5.3 CA 证书管理.....................................................................................30 5.4 客户端根证书设置...........................................................................31 5.5 客户端本地证书管理.......................................................................32 5.6 远程证书认证设置...........................................................................32 第六章 VPN 设置......................................................................................34 6.1 VPN 功能简介..................................................................................34 6.1.1 术语...........................................................................................34 6.1.2 分布式管理...............................................................................35 6.1.3 集中式管理...............................................................................35 6.1.4 VPN 的负载均衡.......................................................................35 6.2 SMC 设置..........................................................................................36 6.3 加密算法..........................................................................................38 6.4 静态隧道..........................................................................................38 6.5 本地保护子网列表...........................................................................41 6.6 下载设备列表...................................................................................42 6.7 下载子网列表...................................................................................43 6.8 下载隧道列表...................................................................................44 6.9 协商隧道列表...................................................................................44 第七章 客户端接入...................................................................................47 7.1 客户端管理简介...............................................................................47 7.1.1 概念及术语...............................................................................47 7.1.2 认证流程...................................................................................49 7.1.3 认证模式.. (50)北京东方华盾信息技术有限公司 010-********/56/57/58/59/607.2 基本设置..........................................................................................52 7.3 地址池设置......................................................................................54 7.4 远程认证设置...................................................................................56 7.5 权限对象管理...................................................................................57 7.6 本地用户管理...................................................................................58 7.7 在线列表..........................................................................................60 7.8 客户端L ICENCE ................................................................................60 第八章 防火墙设置...................................................................................62 8.1 包过滤规则......................................................................................62 8.1.1 添加...........................................................................................62 8.1.2 删除...........................................................................................64 8.1.3 更改...........................................................................................65 8.1.4 清空...........................................................................................65 8.1.5 上移/下移..................................................................................65 8.2 NAT 规则..........................................................................................65 8.2.1 NAT 地址池...............................................................................65 8.2.2 源NAT 规则.............................................................................66 8.2.3 反向NAT 规则.........................................................................68 8.3 IP-MAC 地址绑定............................................................................69 8.4 本机安全策略...................................................................................71 8.5 非法登录主机...................................................................................73 8.6 抗攻击和扫描...................................................................................73 第九章 应用代理.......................................................................................76 9.1 基本设置..........................................................................................76 9.2 时间规则设置...................................................................................77 9.3 网站过滤规则设置 (78)北京东方华盾信息技术有限公司 010-********/56/57/58/59/609.4 用户管理..........................................................................................79 第十章 服务器设置...................................................................................82 10.1 DHCP 服务器..................................................................................82 10.2 拨号服务器.....................................................................................84 10.3 L2TP 服务器...................................................................................86 10.4 PPTP 服务器...................................................................................89 10.5 拨号用户........................................................................................90 10.6 SNMP 代理.....................................................................................92 10.7 附录................................................................................................96 10.7.1 Windows 上L2TP over IPSec VPN 客户端的配置................96 10.7.2 Windows 上L2TP VPN 客户端的配置................................111 第十一章 带宽管理.................................................................................113 11.1 基本设置.......................................................................................114 11.2 带宽组...........................................................................................114 11.3 添加带宽规则...............................................................................117 第十二章 双机热备份.............................................................................121 第十三章 系统日志.................................................................................126 第十四章 系统工具.................................................................................127 14.1 口令设置......................................................................................127 14.2 启动脚本......................................................................................127 14.3 本机已注册...................................................................................128 14.4 固件升级......................................................................................128 14.5 连接超时属性...............................................................................128 14.6 恢复配置......................................................................................129 14.7 备份配置.. (129)北京东方华盾信息技术有限公司 010-********/56/57/58/59/6014.8 清空配置......................................................................................129 14.9 系统时钟......................................................................................129 14.10 802.1X 认证.................................................................................130 14.11 DNS 设置....................................................................................130 14.12 DDNS 设置.................................................................................131 14.13 版本信息 (134)北京东方华盾信息技术有限公司 010-********/56/57/58/59/60第一章 概 述Internet 技术正日益改变着人们的工作和生活方式，基于Internet 构建信息网络传输平台已成为政府、金融、企业等部门组建专用网络的首选方案之一，“华盾VPN （虚拟专用网）系列产品”正是您基于Internet 架设自己的专用网络的最佳选择。

创新的网络安全架构Hillstone SA-2010采用了先进的多核处理器技术，自主开发的专用安全芯片(ASIC)和内部高速交换总线，使得Hillstone SA-2010在应用层安全处理的性能上有了质的飞跃，为企业应用安全提供专业的高性能硬件平台。

强大的处理能力Hillstone SA-2010采用64位网络专用多核并行处理器，运算能力超过3.2GOPS ，能够避免传统ASIC 和NP 安全系统会话创建能力和流量控制能力弱的弊病，为VPN 和应用层内容安全功能提供强大的处理能力保障。

强大的抗攻击能力Hillstone SA-2010采用的多核处理器架构和新一代的StoneOS 安全操作系统，能够提供高性能的应用安全处理能力和更强的应用层抗攻击能力。

Hillstone SA-2010每秒能够处理超过3万的TCP 会话请求，超过同类产品5-10倍，具有超强的DDoS 攻击防护能力。

强健的专用实时操作系统Hillstone 自主开发的64位实时并行操作系统StoneOS ，强大的并行处理能力和模块化的结构设计，易于集成和扩展更多的安全功能。

通过对新一代多核处理器的全面优化和安全加固，极大地提高了系统处理效率、稳定性和安全性。

模块化和并行多任务的处理机制，为Hillstone 新一代的网络安全系统提供了极大的可扩展能力，包括支持更多核处理器和集成更多的安全功能。

精密的流量控制依靠高性能的多核处理器及ASIC 专用芯片，Hillstone SA-2010可实现精密的基于用户和应用的流量控制。

在保障系统运行性能的情况下，Hillstone SA-2010可实现精密度为1kbps ，多达2500用户的流量控制。

基于应用的流量控制可识别各种P2P 及IM(即时通讯)协议，配合时间表功能的使用，帮助您灵活掌控带宽分配。

VPNHillstone SA 支持IPSec 和SSL VPN ，在多种拓扑下可以灵活结合，解决您远程互联和远程接入的问题。

SSG500 LINE OF SECURE SERVICES GAConnectivity and Routing: The SSG500 line provides four onboard 10/100/1000 interfaces complemented by six I/O expansion slots that can house a mix of LAN or WAN interfaces, making the SSG500 line an extremely flexible platform. The broad array of I/O options coupled with WAN protocol and encapsulation support makes SSG500 line gateways easily deployable as traditional branch office routers or as consolidated security and routing devices to reduce CapEx and OpEx.Access Control Enforcement: The SSG500 line gateways can act as enforcement points in a Juniper Networks Unified Access Control deployment with the simple addition of the IC Series UAC appliance. The IC Series appliance functions as a central policy managementengine by interacting with the SSG500 line to augment or replace the firewall-based access control with a solution that grants/denies access based on more granular criteria, including endpoint state and user identity in order to accommodate the dramatic shifts in attack landscape and user characteristics.World-Class Support: From simple lab testing to major network implementations, Juniper Networks Professional Services will collaborate with your team to identify goals, define the deployment process, create or validate the network design and manage the deployment to its successful conclusion.Features and Benefitsbuilt hardware, powerful processing and a security-against internal and external attacks now and into the * Bridge groups supported only on uPIMs in ScreenOS 6.0 and greater releasesProduct OptionsSingle or redundant AC or DC power suppliesAll models in the SSG500 line are available with either AC or DC power supplies. The SSG520 and SSG520M offer a single power supply. The SSG550 and SSG550M are available with optional redundant power supplies.SSG550/SSG550M SSG520/SSG520MSSG520SSG520MSSG550SSG550MSpecifications*Bridge groups supported only on uPIMs in ScreenOS 6.0 and greater releases(1) P erformance, capacity and features listed are based upon systems running ScreenOS 6.2 and are the measured maximums under ideal testing conditions unless otherwise noted. Actual resultsmay vary based on ScreenOS release and by deployment. For a complete list of supported ScreenOS versions for SSG Series gateways, please visit the Juniper Customer Support Center (www./customers/support/) and click on ScreenOS Software Downloads.(2) I MIX stands for Internet mix and is more demanding than a single packet size as it represents a traffic mix that is more typical of a customer’s network. The IMIX traffic used is made up of 58.33%64 byte packets + 33.33% 570 byte packets + 8.33% 1518 byte packets of UDP traffic.(3) U TM Security features (IPS/Deep Inspection, antivirus, antispam and Web filtering) are delivered by annual subscriptions purchased separately from Juniper Networks. Annual subscriptionsprovide signature updates and associated support. The high memory option is required for UTM security features.(4) R edirect Web filtering sends traffic from the firewall to a secondary server. The redirect feature is free. However, it does require the purchase of a separate Web filtering license from eitherWebsense or SurfControl.(5) N AT, PAT, policy-based NAT, virtual IP, mapped IP, virtual systems, virtual routers, VLANs, OSPF, BGP, RIPv2, Active/Active HA and IP address assignment are not available in Layer 2transparent mode.IPS (Deep Inspection firewall) Signature PacksSignature packs provide the ability to tailor the attack protection to the specific deployment and/or attack type. The following signature packs are available for the SSG500 line:Base Branch offices, small/medium businesses Client/server and worm protection Range of signatures and protocolJuniper Networks Services and SupportJuniper Networks is the leader in performance-enabling services and support, which are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to bring revenue-generating capabilities online faster so you can realize bigger productivity gains and faster rollouts of new business models and ventures. At the same time, Juniper Networks ensures operational excellence by optimizing your network to maintain required levels of performance, reliability, and availability. For more details, please visit /us/en/products-services/.Ordering InformationSSG550MSSG-550M-SH SSG550M with 1 GB memory, 0 PIM Cards,MODEL NUMBERDESCRIPTIONOrdering Information (continued)Communications CablesSSG-PS-AC Spare power supply for SSG550, AC powerSSG-PS-DC Spare power supply for SSG550, DC powerCBL-JX-PWR-AU Power cable, AustraliaCBL-JX-PWR-CH Power cable, ChinaCBL-JX-PWR-EU Power cable, EuropeCBL-JX-PWR-IT Power cable, ItalyCBL-JX-PWR-JP Power cable, JapanCBL-JX-PWR-UK Power cable, UKCBL-JX-PWR-US Power cable, USASSG-500-MEM-1GB 1 gigabyte memory upgrade for the SSG500 lineSSG-500-FLTR Replacement air filter for SSG550 lineJX-CBL-EIA530-DCE EIA530 cable (DCE)JX-CBL-EIA530-DTE EIA530 cable (DTE)JX-CBL-RS232-DCE RS232 cable (DTE)JX-CBL-RS449-DCE RS449 cable (DCE)JX-CBL-RS449-DTE RS449 cable (DTE)JX-CBL-V35-DCE V.35 cable (DCE)JX-CBL-V35-DTE V.35 cable (DTE)JX-CBL-X21-DCE X.21 cable (DCE)JX-CBL-X21-DT X.21 cable (DTE)JX-Blank-FP-S Blank I/O plateEnhanced Pluggable Interface Modules (Enhanced PIMs) are used in ePIM slots only (SSG520/ SSG520M, SSG550/SSG550M, Juniper Networks J4350 and J6350 Services Routers only). Universal Pluggable Interface Modules (Universal PIMs) are used in either ePIM slots or regular PIM slots on the Juniper Networks SSG Series Secure Services Gateways and J Series Services Routers and are only supported in ScreenOS 6.0 or greater releases.About Juniper NetworksJuniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and applications over a single network. This fuels high-performance businesses. Additional information can be found at .Notes11121000143-006-EN April 2010Copyright 2010 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.EMEA Headquarters Juniper Networks Ireland Airside Business Park Swords, County Dublin, Ireland Phone: 35.31.8903.600 EMEA Sales: 00800.4586.4737 Fax: 35.31.8903.601APAC Headquarters Juniper Networks (Hong Kong) 26/F, Cityplaza One 1111 King’s Road Taikoo Shing, Hong Kong Phone: 852.2332.3636 Fax: 852.2574.7803Corporate and Sales HeadquartersJuniper Networks, Inc.1194 North Mathilda AvenueSunnyvale, CA 94089 USAPhone: 888.JUNIPER (888.586.4737)or 408.745.2000Fax: 408.745.2100 To purchase Juniper Networks solutions, please contact your Juniper Networks representative at 1-866-298-6428 or authorized reseller.Printed on recycled paper。

2018适用范围：内部运维人员使用手册天玥运维安全网关V6.0适用范围：天玥运维安全网关V6.0系列精细控制合规审计北京启明星辰信息安全技术有限公司目录1 概述 (1)2 用户登录 (1)2.1 WEB方式 (1)2.1.1 WEB访问方式 (1)2.1.2 相关资料下载 (2)2.2 运维客户端 (2)2.3 登录认证 (3)3 环境准备 (5)3.1 环境检测 (5)3.2 安装JAVA控件 (7)3.3 浏览器设置 (9)3.4 配置本地工具 (11)3.5 修改密码 (13)4 运维说明 (14)4.1 RDP/VNC访问 (14)4.2 Telnet/SSH/Rlogin访问 (15)4.3 FTP访问 (16)4.4 数据库访问 (17)4.5 批量登录主机 (18)4.6 工单操作 (19)4.6.1 工单申请 (19)4.6.2 工单运维 (22)4.7 最近访问资源 (23)4.8 高级搜索 (23)4.9 菜单模式 (24)4.9.1 命令行方式 (24)4.9.2 图形方式 (28)5 FAQ (30)5.1 登录提示应用程序被阻止 (30)5.2 提示Java过时需要更新 (31)5.3 调用应用发布工具失败 (32)5.4 使用dbvis提示JAVA环境变量 (32)1概述启明星辰天玥运维安全网关V6.0，是启明星辰综合内控系列产品之一。

本手册详细介绍了天玥运维安全网关V6.0进行运维操作过程的使用方法，用户可参考本手册，通过天玥运维安全网关V6.0进行各种运维操作。

2用户登录运维用户可选择通过以下方式使用天玥运维安全网关V6.0进行运维操作：（1）WEB方式（依赖JAVA环境）；（2）运维客户端方式（不依赖JAVA环境）；（3）客户端工具直连模式（不依赖浏览器和JAVA环境，目前支持运维SSH、TELNET、RDP、VNC，使用方法参见本手册4.9章节）。

2.1WEB方式2.1.1WEB访问方式通过浏览器访问天玥运维安全网关V6.0系统，如图2.1.1所示：（默认URL：https://天玥OSM系统的IP，如果web服务端口不是默认的443，登录URL地址需要加上web服务当前的端口号，例如：https://172.16.67.201:10443）。

思科安全邮件网关使用入门本章包含以下部分：•AsyncOS14.0.1中的新增功能，第1页•Web界面比较（新Web界面与旧Web界面），第4页•哪里可以获得详细信息,on page6•思科安全邮件网关概述,on page9AsyncOS14.0.1中的新增功能表1:AsyncOS14.0.1中的新增功能功能说明您现在可以在邮件网关的Web界面中配置以下高级URL过URL过滤高级配置设置滤参数：•URL查找超时值•邮件正文中的最大URL数•邮件附件中的最大URL数•重写邮件中的URL文本和HREF•邮件日志和邮件跟踪中的URL详细信息有关详细信息，请参阅防御恶意或不需要的URL。

说明功能您可以根据以下任一场景向思科云服务门户重新注册邮件网关：•如果在自动向思科云服务门户注册邮件网关时无法查看或管理添加到思科云服务门户的设备。

•如果在向思科云服务门户自动注册邮件网关时，智能帐户和思科云服务帐户未关联。

您可以使用以下任何一种方式向思科云服务门户重新注册邮件网关：•Web 界面中的网络(Network)>云服务设置(Cloud Service Settings)页面。

•CLI 中的cloudserviceconfig >reregister 子命令。

有关详细信息，请参阅与思科SecureX 威胁响应集成或与此版本相关的CLI 参考指南的“命令：参考示例”一章中的“配置思科云服务门户设置和使用情况”部分。

使用思科云服务门户重新注册邮件网关以下是在邮件网关中配置系统日志推送日志检索方法所需的新参数：•远程系统日志服务器的端口号。

•发送到远程系统日志服务器的日志消息的最大大小（以字节为单位）。

•[仅限TCP 协议]：邮件网关和远程系统日志服务器之间的TLS 连接。

您可以使用以下任何一种方式来为系统日志推送日志检索方法配置新参数：•Web 界面中的系统管理(System Administration)>日志订用(Log Subscriptions)页面•CLI 中的logconfig 命令。

网御星云安全网关PowerV 命令行操作手册VERSION 1.0明声♦本手册所含内容若有任何改动，恕不另行通知。

♦在法律法规的最大允许范围内，北京网御星云信息技术有限公司除就本手册和产品应负的瑕疵担保责任外，无论明示或默示，不作其它任何担保，包括（但不限于）本手册中推荐使用产品的适用性和安全性、产品的适销性和适合某特定用途的担保。

♦在法律法规的最大允许范围内，北京网御星云信息技术有限公司对于您的使用或不能使用本产品而发生的任何损坏（包括，但不限于直接或间接的个人损害、商业利润的损失、业务中断、商业信息的遗失或任何其它损失），不负任何赔偿责任。

♦本手册含受版权保护的信息，未经北京网御星云信息技术有限公司书面允许不得对本手册的任何部分进行影印、复制或翻译。

♦本手册使用于网御星云PowerV系列防火墙和VPN，在手册中称为安全网关。

文档少部分内容视产品具体型号略有不同，请以购买的实际产品为准。

♦网御星云不承担由于本资料中的任何不准确性引起的任何责任，网御星云保留不作另行通知的情况下对本资料进行变更、修改、转换或以其他方式修订的权利！北京网御星云信息技术有限公司号电8层中北京海淀中村南大街国区关6中信息大厦目 录目 录 (III)第1 章 前 言 (1)第2 章 命令行概述 (4)第3 章 快速入门 (25)第4 章 系统管理 (26)第5 章 网络管理 (76)第6 章 路由 (119)第7 章 防火墙 (135)第8 章 应用防护 (205)第9 章 用户认证 (287)第10 章 会话管理 (305)第11 章 VPN (308)第12 章 SSLVPN (327)第13 章 IPv6 (448)第14 章 漏洞扫描 (474)第15 章 状态监控 (477)第16 章 日志与报警 (480)第17 章 其他 (490)第1章 前 言1.1 导言员册该册绍过终《命令行操作手》是御册网安全网关Power V管理手中的一本。

Power on the Appliance and Verify LEDsTo verify the appliance is operational:Confirm the appliance’s power cords are securely connected to a power source.If the appliance does not automatically power on, press the rear soft power switch.The state of the appliance’s soft power switch (on or off) is retained when power is removed. This may necessitate pressing the power switch when reapplying power to theAs the appliance boots, verify the following:The LCD panel displays Symantec and the Power LED turns amber.Near the end of the boot cycle, the Power LED alternates between amber and green, indicating an unconfigured state.After the boot cycle has completed, the LCD panel displays the appliance’s model, serial number, and IP address.Following the initial configuration (see Step 4), the Power LED turns green.Locking tabthe rail. Do not yet fully tighten the screws.Copyright © 2019 Symantec Corp. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Blue Coat, and the Blue Coat logo are trademarks or registered trademarks of Symantec Corp. or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this THE DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. SYMANTEC CORPORATION PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND。

版本说明本文件为SG-6000系列安全网关系统固件StoneOS的版本说明，描述版本信息、软件功能以及版本中的已知问题等。

StoneOS 5.0R3P6本节为StoneOS 5.0R3P6版本说明。

产品和版本信息产品名称：Hillstone SG-6000系列安全网关产品型号和系统文件：发布日期：2014年06月06日文档说明Hillstone SG-6000系列安全网关配有以下手册：✹《Hillstone山石网科多核安全网关使用手册》✹《Hillstone山石网科多核安全网关命令手册》✹《Hillstone SG-6000多核安全网关安装手册》✹《Hillstone山石网科多核安全网关扩展模块手册》✹《Hillstone山石网科多核安全网关日志信息参考手册》✹《Hillstone山石网科SNMP私有MIB信息参考手册》版本升级说明从低版本升级到StoneOS 5.0R3P6时，有以下几个问题需要注意：✹系统文件升级说明✹地址簿功能相关配置升级说明✹策略规则相关配置升级说明✹统计集功能相关配置升级说明✹接口镜像功能相关配置升级说明✹攻击防护功能相关配置升级说明系统文件升级说明因较早版本曾对系统文件的大小进行了限制，所以当从4.0R6P15.1（包括4.0R6P15.1）之前的版本升级到5.0R3P6时，用户需要通过sysloader才能升级成功。

可以直接升级5.0R3P6的系统版本包括5.0R2P2之后的5.0R版本、4.5R3P8以及4.5R4P1，更低版本建议先升级到上述版本，然后再升级到5.0R3P6。

地址簿功能相关配置升级说明StoneOS 5.0R3P6为地址条目增加了ID属性。

当把系统从低版本升级到5.0R3P6时，系统会对已有地址簿配置做平滑处理，不影响用户使用。

当把系统从5.0R3P6降级时，已有地址簿配置会丢失。

策略规则相关配置升级说明StoneOS 5.0R3P6将策略规则的默认模式转变为全局配置模式。

Product OverviewAs a new-generation unified security gateway, Huawei Eudemon200E-X Series product family transforms today’s Small Business and Enterprise’s workspace experience by delivering them high performance routing and switching, strong security enhancement, wireless access and voice business in an integrated single platform.HUAWEI Eudemon200E-X series products using Huawei's unified software platform which named VRP, providing a combination of traditional network access and network security integration business standards. In addition to a strong routing and switching features, Unified Security Gateway Eudemon200E-X with a variety of professional security features including stateful firewall, VPN, Network Address Translation (NAT), authentication, access control, anti-virus, anti-spam , URL filtering, IPS, application security and other security features can protect the network against DDoS attacks, worms, Trojan horses, viruses, spam, illegal invasion and illegal networks. These safety features and wide area network WAN, local area network LAN, wireless WAN and wireless LAN WLAN WWAN interface provides a high degree of integration makes the sustainability of flexible end to end security services become a reality.Product DescriptionProduct FeaturesLeading infrastructure platformsEudemon200E-X series products using advanced multi-threaded ■multi-core hardware architectures and parallel processing technology to optimize the safety of business processes, making the Eudemon200E-X series products sufficient to meet all kinds of large-scale application of network traffic. Mature VRP software platform Eudemon200E-X Series products provide a robust operating system, a user's most trusted security operating system.Extensive routing, switching, wireless (Wi-Fi,3G) and securityEudemon200E-X series of products set routing, switching, ■wireless (Wi-Fi, 3G), voice, security functions into one, integrating the traditional routers, traditional switches, the deployment of traditional firewall and UTM solutions can help companies improve efficiency, reduce maintenance complexity, and reduce TCO.Comprehensive dedicated technologies for network protectionIntegrated UTM functions:■IPS:• IPS Intrusion detection using Symantec's advanced IPS detection engines to provide efficient and accurate networkpacket scanning capability, with advanced software andhardware platforms and rich signature library, Eudemon200E-X series products can quickly and accurately identify attacks.AV:• efficiently and precisely detects and removes hiddenviruses in network traffic by virtue of Symantec cutting-edgevirus detection engine.AS:• effectively blocks spam and purifies enterprises' mail systems, thus preventing spam from interfering with normalservices.URL filtering and P2P/IM control:• precisely identifies access to illegitimate Web sites and over 60 P2P/IM applications,and provides alerting, traffic limiting, and blocking actions toguarantee bandwidth for normal services.Diversified VPNsThe Eudemon200E-X delivers powerful VPN function, and ■supports the following common VPNs for differentiated VPN applications:L2TP•IPSec VPN•Dynamic VPN (DVPN)•SSL VPN•GRE•MPLS VPN•Flexible scalabilityEudemon200E-X series products support MIC, FIC, DFIC three ■types of expansion slot that can support the FE, GE, E1/CE1, SA, ADSL2 +, G. SHDSL, WIFI, 3G,GPON and other access ways into the Internet to provide users with a wealth of access.Product SpecificationsCopyright © Huawei Technologies Co., Ltd. 2011. All rights reserved.General DisclaimerThe information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factorsthat could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such informationis provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.HUAWEI TECHNOLOGIES CO., LTD.Huawei Industrial BaseBantian LonggangShenzhen 518129, P.R. ChinaTel: +86-755-28780808 Version No.: M3-110019999-20110629-C-1.0。

Nowadays, network bandwidths increase rapidly, and security threats and attacks also flood on networks. Therefore, enterprise and carriers must ensure the service security and continuity while extending network structure. The E8000E adopts distributed hardware and software design. Its LPUs and SPUs are mutually independent and support on-demand configuration. Therefore, the E8000E provides flexible processing capability, diversified I/O interfaces, and abundant security services. This perfectly satisfies the requirements of users (including data centers, carriers, ISPs, and governments) for high integrity, quick response, high-speed processing, and long-term guarantee.Product DescriptionCombining the dedicated multi-core processor and distributed hardware platform and adopting innovative NP+multi-core+distributed architecture, the E8000E breaks through the performance bottleneck of the CPU. It delivers industry-leading service processing capability and service expansion capability. In addition, the full-redundancy technology is applied on all components. The E8000E provides diversified technical guarantees, including dual-NP interface module, dual-CPU service processing module, dual-MPU control module, dual power supplies, and load balancing. All these ensure the core router-level reliability, which further guarantees the service continuity in high-speed networking.The E8000E utilizes the dynamic distributed concurrent processing technology. Service traffic is forwarded to multiple dedicated SPUs at the line rate in distributed manner. Additionally, the SPUs support on-demand configuration, which thoroughly solves the conflict between the service processing performance and data forwarding capability in ever-increasing high-speed networking. This distributed technology uses line-rate intelligent traffic splitting for data forwarding. All data flows are equally distributed to service processing modules to prevent performance bottleneck. In so doing, the service processing performance increases at the line rate in accordance with service modules, fundamentally supporting the long-term development of networks.The E8000E supports multiple LPUs, and users can realize flexible LPU configuration as required. Furthermore, LPUs and SPUs adopt the same slot type. Thus, different combinations of LPUs and SPUs can be implemented for various interface and performance requirements, providing users with customized security protection solutions.The E8000E has a maximum interface capacity of 320 Gbps and provides 30 10GE interfaces and 360 GE interfaces. The E8000E also supports various POS interfaces and cross-board interface binding, which meets the requirements for large interface capacity and high interface intensity. Moreover, this also meets the networking requirements in complicated situations, such as the Metropolitan Area Networks (MANs) of carriers, large enterprises, and data centers.The E8000E series includes two models, namely, the E8080E and E8160E. The E8160E provides industry-leading securityE8080EE8160EHUAWEI TECHNOLOGIES CO., LTD.Product FeaturesAdvanced NP + multi-system + distributed architecture — breaking traditional performance bottlenecksE8000E adopts the architecture of independent control modules, ■interface modules, and service processing modules. Based on the dual NP, the interface module ensures the line-speed forwarding of interface traffic. Based on the multi-core and multi-thread architecture, the service processing module ensures the high-speed concurrent processing of multiple services, such as the Network Address Translation (NAT), Application Specific Packet Filter (ASPF), Anti-DDoS, and VPN. E8000E adopts the distributed concurrent processing mechanism, which greatly enhances the product performance. Thus, users can expand capacities with low pre-phase investment.High firewall performance — guaranteeing users’ key servicesThe three main indexes of the E8000E, throughput, number of ■connections established per second, and maximum number of concurrent connections, are in leading roles. The throughput of one service processing module of E8000E is 20 G; the number of connections established per second is 500,000; and the maximum number of concurrent connections is 8,000,000. Furthermore, E8000E has a maximum of eight service processing modules and its entire throughput reaches 160 G; the number of connectionsestablished per second is 4,000,000; the maximum number of concurrent connections is 64,000,000; and the number of virtual firewalls is 1024. The high performance and expandability of E8000E can meet high-end users’ requirements for high performance.Stable and reliable security gateway — ensuring consistency of users’ servicesNetwork security is a key point for enterprise operations. E8000E ■supports the redundant components, such as interface, fan, and power, networking of hot swap, dual processing engine, master/ backup, master/master, and high reliability. Different service boards of E8000E support the load balancing and mutual hot backup, so the abnormity of a single board will not influence the entire system. Meanwhile, together with BYPASS devices, services will not be interrupted even if faults or power failures occur on devices. The mean time between failures of E8000E is as long as 500,000 hours, and the failover time is less than 0.1 second. These ensure the consistent and stable service operations.Optimal VPN performance — adapting to requirements for encrypted transmission of mass servicesWith the increase of network applications, more and more ■services need to be transmitted on the public network safely. Subsequently, services that require mass VPN access gatewayprotection capability and scalability. It supports 16 extension slots. The maximum firewall throughput reaches 160 Gbps; the IPS performance is 64 Gbps; the number of new connections per second is 4M, and 64M concurrent connections are supported; the VPN performance is 96 Gbps. The E8080E adopts the same software and hardware architecture as the E8160E. The E8080E, however, supports only 8 extension slots, and its integrated performance is just half that of the E8160E.The SPU, heart of the E8000E, processes all services.To realize flexible configuration, the board combination design is adopted. Each SPU contains two parts, that is, the mother board and extension board, which can be deployed either independently or separately. The mother board provides 10G firewall performance and the mother board+extension board provides 20G firewall performance.The SPU adopts the multi-core+multi-processor hardware and implements service features through software modules. The heartbeat detection mechanism is realized between the SPU and LPU. Moreover, the SPU supports mutual backup.When an SPU is faulty, all its traffic is immediately distributed to other SPUs, preventing service interruption.The LPU, limb of the E8000E, is responsible for external connection and data transmission.The LPU integrates the high-speed network processor to ensure flexibility.Certain firewall functions can be implemented on the LPU, which significantly reduces the pressure of the SPU.The network processor provides special processing design for each type of packets, for example, dedicated co-processor for hardware-based table searching and professional bit operation design, enabling unique advantage for small packet processing. Thus, the E8000E can realize almost-line-rate performance when processing mixed traffic on the network.Through the interworking between the LPU and SPU, the E8000E delivers high performance for services processing, as well as sound scalability.of 100-Gigabit emerge, such as mobile security access, Short Message Service (SMS) push, and email push. E8000E provides a maximum of 96 Gbps encryption and decryption performance and supports 320,000 concurrent VPN tunnels, which is the VPN access gateway of the highest performance for the moment. E8000E also supports the IKEv2 protocol and enhances the functions of user authentication, packet authentication, and NAT traversal. Thus, E8000E eliminates the hidden hazards of the middleman attack and the DDoS attack, and supports wireless authentication protocols, such as EAP-SIM and EAP-AKA, which effectively ensures the wireless network security.Practical IPS feature — defending againstexternal threats and promoting network securityThe core technologies of the IPS are embodied in the detection■engine performance, signature identification efficiency, and integrated processing performance.Adopting the advanced IPS detection engine and mature signature database, Huawei E8000E defends against various threats, including system vulnerabilities, unauthorized automatic downloading, spoofing software, spyware/adware, abnormal protocols, and P2P anomalies.A single vulnerability-based signature covers thousands of attacks. Supplemented with globally deployed honeypot system, the E8000E can capture the latest attack, worm, and Trojan horse features, thus providing zero-day attack defense capability.Moreover, the practicability of the IPS is significantly promoted. The E8000E adopts internal off-line and "one board one feature" technologies; certain necessary service traffic is split to the dedicated SPU. In so doing, the service processing capability is improved; further more, the traffic processing does not affect the basic services of the firewall, ensuring service continuity.Product SpecificationCopyright © Huawei Technologies Co., Ltd. 2011. All rights reserved.General DisclaimerThe information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factorsthat could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such informationis provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.HUAWEI TECHNOLOGIES CO., LTD.Huawei Industrial BaseBantian LonggangShenzhen 518129, P.R. ChinaTel: +86-755-28780808 Version No.: M3-110019999-20110805-C-1.0。

元安物联物联网安全网关产品规格书产品概述COTX-SG系列物联网安全网关是根据物联网用户在实际应用场景的组网需求和安全防护痛点为出发点，凭借多年的网络安全经验，以及前沿的物联网研究成果，自主研发的新一代物联网安全网关产品。

COTX-SG系列物联网安全网关针对物联网分布式部署的业务特点，网络碎片化问题，提供全加密互联的物联网虚拟专网服务，进而实现对物联网接入设备的安全访问控制、通讯链路加密、疑似业务阻断等功能，有效降低来自感知层的业务风险，减少网络层的攻击行为；同时，产品设计充分考虑物联网分布式部署的特点，内部采用强安全设计，可以确保设备难以被攻破，同时其启动、升级、系统进程等都采用可信环境机制，确保设备的本身安全。

COTX-SG系列物联网安全网关采用云端统一认证和集中管理方式，可以为物联网用户提供可视化的安全管理界面，通过云端管理，用户可以灵活定位虚拟网络拓扑，实现设备快速接入和业务使能，全面构建物联网网络端到端的安全体系。

使用物联网安全网关和安全管理平台形成的物联网虚拟专网安全解决方案，具有快速部署、即刻生效、可管可控、安全可视等特点，可广泛应用于石油电力、智能制造、智慧城市、轨道交通等在内的多种工业物联网应用场景。

产品特性统一认证，集中管理COTX-SG 系列采用分布式部署、集中管理、分权分域、高度可视化的灵活管理模式，通过安全管理平台进行一体化管理，可以实现设备即插即用，无需配置即可接入云端，形成物联网虚拟专网，消除传统VPN 接入方案的配置复杂性，极大减少物联网项目实施的人力成本和时间成本。

虚拟专网，安全互联COTX-SG系列产品帮助物联网客户快速构建安全，高效的业务信息私有网络，通过物联网虚拟专网技术，为物联网感知层设备提供网络分析、调度、优化和加密等功能，满足用户针对物联网的分权分域的管理要求和各种差异化的组网方案，确保物联网感知层设备的安全互联。

灵动引擎，节点感知基于物联网节点感知技术，通过丰富的物联网设备指纹基线库，实现物联网设备准入后的行为控制，可以有效评估物联网设备的安全状态、防止仿冒终端、异常终端等设备接入专网后对物联网业务的冲击，保障工业物联网端到端双向业务的安全。