H3c-technologies H3C SecPath F1000-E User Manual

Browse online or download the user manual for Security H3c-technologies H3C SecPath F1000-E. H3C Technologies H3C SecPath F1000-E User Manual Manuel d'utilisatio

Content summary

Page 1 - Configuration Guide

H3C SecPath Series High-End Firewalls System Management and Maintenance Configuration Guide Hangzhou H3C Technologies Co., Ltd. ht

Page 2

v SNMPv3 configuration example

Page 3 - Preface

89 Session logs are output in the format of user logs. To view session logs, you also need to configure user logging. Session logging configuration t

Page 4 - Port numbering in examples

90 Table 15 Configuration items Item Description Source Zone Specify the source zone and destination zone. You can configure an optional security zo

Page 5 - Documentation feedback

91 Displaying system logs Select Log Report > Report > System Log from the navigation tree to enter the page as shown in Figure 36. Figure 36 O

Page 6 - Contents

92 Severity level Description Value Note: A smaller value represents a higher severity level. Displaying connection limit logs Select Log Report &

Page 7

93 Displaying attack prevention logs Select Log Report > Report > Attack Prevention Log from the navigation tree to enter the page as shown in

Page 8

94 Figure 39 Blacklist log configuration page Table 21 Field description Item Description Time/Date Time when a blacklist member is generated. Mod

Page 9

95 Field Description Policy ID ID of the interzone policy that a flow matches. Action Action taken against a flow, permitted or denied. Protocol Type

Page 10

96 Figure 42 User logging 3.0 log report Table 23 User logging 1.0 field description Item Description Time/Date Time and date when a user log was

Page 11

97 Item Description Flow Information Flow information: • If the protocol type is TCP or UDP, the displayed flow information is source IP address:sou

Page 12 - Device information

98 Configuring NTP This chapter provides an overview of the Network Time Protocol (NTP) and guides you through the configuration procedure. NOTE:

Page 13 - Device interface information

vi Configuration task list

Page 14 - Recent system logs

99 How NTP works Figure 43 shows the basic workflow of NTP. Device A and Device B are connected over a network. They have their own independent syste

Page 15

100 This is only a rough description for the NTP work mechanism. For more information, see RFC 1305. NTP message format NTP uses two types of message

Page 16

101 • Stratum—An 8-bit integer indicating the stratum level of the local clock, with the value ranging from 1 to 16. The clock precision decreases f

Page 17 - Tracert

102 (server mode). Upon receiving the replies from the servers, the client performs clock filtering and selection, and synchronizes its local clock t

Page 18 - Prerequisites

103 mode and continues listening to broadcast messages, and synchronizes its local clock based on the received broadcast messages. Multicast mode Fig

Page 19

104 Figure 49 Network diagram NTP configuration task list Task Remarks Configuring the NTP operation modes Required. Configuring the local clock

Page 20 - System debugging

105 receipt of a message, rather than creating an association (static or dynamic). In symmetric mode, static associations are created at the symmetri

Page 21 - Debugging a feature

106 Configuration procedure To specify a symmetric-passive peer on the active peer: Step Command Remarks 1. Enter system view. system-view N/A 2.

Page 22 - Ping example

107 Configuring the NTP multicast mode The multicast server periodically sends NTP multicast messages to multicast clients, which send replies after

Page 23

108 clock errors of the devices in the network. To configure the local clock as a reference source: Step Command Remarks 1. Enter system view. syst

Page 24 - Ping and tracert example

1 Device information Displaying device information After logging in to the Web interface, you will enter the Device Info page. Figure 1 Device overvie

Page 25

109 Step Command Remarks 2. Enter interface view. interface interface-type interface-number N/A 3. Disable the interface from receiving NTP message

Page 26 - Configuration example

110 Configuration procedure To configure the NTP service access-control right to the local device: Step Command Remarks 1. Enter system view. syste

Page 27 - Configuring TCP attributes

111 Step Command Remarks 1. Enter system view. system-view N/A 2. Enable NTP authentication. ntp-service authentication enable By default, NTP aut

Page 28

112 Displaying and maintaining NTP Task Command Remarks Display information about NTP service status. display ntp-service status [ | { begin | exclu

Page 29 - Configuring TCP timers

113 Clock offset: 0.0000 ms Root delay: 0.00 ms Root dispersion: 0.00 ms Peer dispersion: 0.00 ms Reference time: 00:00:00.000 UTC Jan 1 1900 (0

Page 30

114 Figure 51 Network diagram Configuration procedure 1. Set the IP address for each interface as shown in Figure 51. (Details not shown.) 2. Con

Page 31

115 As shown above, SecPath B has been synchronized to SecPath C, and the clock stratum level of SecPath B is 2, while that of SecPath C is 1. # View

Page 32

116 # Configure SecPath A to operate in broadcast client mode and receive broadcast messages on GigabitEthernet 0/1. <SecPathA> system-view [Se

Page 33 - Managing the file system

117 Figure 53 Network diagram Configuration procedure 1. Set the IP address for each interface as shown in Figure 53. (Details not shown.) 2. Con

Page 34 - Deleting a file

118 As shown above, SecPath D has been synchronized to SecPath C and the clock stratum level of SecPath D is 3, while that of SecPath C is 2. # View

Page 35 - Managing directories

2 Field Description Contact Information Display the contact information for device maintenance. SerialNum Display the serial number of the device. S

Page 36 - Managing storage media

119 ************************************************************************** [1234] 3.0.1.31 127.127.1.0 2 255 64 26 -16.0 40.0

Page 37 - Partitioning a CF card

120 # Enable NTP authentication. [DeviceA] ntp-service authentication enable # Set an authentication key. [DeviceA] ntp-service authentication-keyi

Page 38

121 Figure 55 Network diagram Configuration procedure 1. Set the IP address for each interface as shown in Figure 55. (Details not shown.) 2. Con

Page 39 - Performing batch operations

122 Actual frequency: 64.0000 Hz Clock precision: 2^7 Clock offset: 0.0000 ms Root delay: 31.00 ms Root dispersion: 8.31 ms Peer dispersion

Page 40

123 Configuring RMON This chapter provides an overview of the Remote Monitoring (RMON) and guides you through the configuration procedure. NOTE: T

Page 41 - Upgrading software

124 future retrieval. The interface traffic statistics include network collisions, CRC alignment errors, undersize/oversize packets, broadcasts, mult

Page 42 - Upgrading the BootWare

125 Figure 56 Rising and falling alarm events Private alarm group The private alarm group calculates the values of alarm variables and compares the

Page 43

126 Configuring the RMON Ethernet statistics function Step Command 1. Enter system view. system-view 2. Enter Ethernet interface view. interface i

Page 44 - Installing hotfixes

127 • After the maximum number of entries is reached, no new entry can be created. For the table entry limits, see Table 25. To configure the RMON a

Page 45 - Patch states

128 Task Command Remarks Display the RMON history control entry and history sampling information. display rmon history [ interface-type interface-nu

Page 46 - ACTIVE state

3 Recent system logs Table 4 Field description Field Description Time Display the time when the system logs are generated. Level Display the level of

Page 47 - Installation prerequisites

129 etherStatsCRCAlignErrors : 0 , etherStatsCollisions : 0 etherStatsDropEvents (insufficient resources): 0 Packets received accord

Page 48

130 collisions : 0 , utilization : 0 Sampled values of record 3 : dropevents : 0 , octets

Page 49 - Confirming running patches

131 Alarm group configuration example Network requirements Configure the RMON alarm group on the RMON agent in Figure 59 to send alarms in traps when

Page 50 - Stopping running patches

132 Latest value : 0 # Display statistics for GigabitEthernet 0/1. <SecPath> display rmon statistics GigabitEthernet 0/1 EtherStatsE

Page 51

133 Configuring SNMP This chapter provides an overview of the Simple Network Management Protocol (SNMP) and guides you through the configuration proc

Page 52 - Hotfix configuration example

134 Figure 61 MIB tree A MIB view represents a set of MIB objects (or MIB object hierarchies) with certain access privilege and is identified by a

Page 53

135 Configuring SNMP basic parameters SNMPv3 differs from SNMPv1 and SNMPv2c in many ways. Their configuration procedures are described in separate s

Page 54 - Managing configuration files

136 Step Command Remarks 8. Add a user to the SNMPv3 group. snmp-agent usm-user v3 user-name group-name [ [ cipher ] authentication-mode { md5 | sha

Page 55

137 Step Command Remarks 6. Configure SNMP access right. • (Approach 1) Create an SNMP community: snmp-agent community { read | write } community-n

Page 56 - Restoring configuration

138 Configuring SNMP logging Disable SNMP logging in normal cases to prevent a large amount of SNMP logs from decreasing device performance. The SNMP

Page 57 - Resetting the configuration

4 Using ping, tracert, and system debugging Use the ping, tracert, and system debugging utilities to test network connectivity and identify network p

Page 58

139 To generate linkUp or linkDown traps when the link state of an interface changes, enable the linkUp or linkDown trap function both globally by us

Page 59

140 Step Command Remarks 2. Configure target host. snmp-agent target-host trap address udp-domain { ip-address | ipv6 ipv6-address } [ udp-port port

Page 60

141 Task Command Remarks Display basic information about the trap queue. display snmp-agent trap queue [ | { begin | exclude | include } regular-expr

Page 61

142 [SecPath] snmp-agent sys-info location telephone-closet,3rd-floor # Enable SNMP traps, set the NMS at IP address 1.1.1.2/24 as an SNMP trap desti

Page 62

143 [SecPath] undo snmp-agent mib-view ViewDefault [SecPath] snmp-agent mib-view included test interfaces [SecPath] snmp-agent group v3 managev3group

Page 63

144 Figure 65 Network diagram Configuration procedure For more information about the NMS and SecPath, see "SNMPv1/SNMPv2c configuration exampl

Page 64

145 Field Description errorstatus Error status, with noError meaning no error. value Value set by the SET operation. This field is null for a GET op

Page 65

146 Configuring MIB style MIBs fall into public MIBs and private MIBs. A private MIB is attached to a sub-node under the enterprises MIB node (1.3.6.

Page 66

147 Configuring RSH The RSH configuration is available only at the CLI. RSH overview Remote shell (RSH) allows you to execute the commands provided b

Page 67 - System information levels

148 Figure 67 Network diagram Configuring the remote host Windows NT, 2000, XP, and 2003 are shipped with no RSH daemon. The RSH daemon must be sep

Page 68

5 Figure 2 Page for executing the ping operation 2. Enter the IP address or the host name of the destination device in the field. 3. Click Start.

Page 69

149 3. Check for the Remote Shell Daemon entry. If it does not exist, install the daemon first. 4. Look at the Status column to check whether the R

Page 70 - System information formats

150 Configuring SSH Feature and hardware compatibility Feature F1000-A-EI/E-SI/S-AI F1000-E F5000-A5 Firewall module FIPS No No No Yes Overview Se

Page 71 - PRI (priority)

151 Stages Description Interaction After the server grants the request, the client and the server start to communicate with each other. Version nego

Page 72

152 • Password authentication—The SSH server uses AAA for authentication of the client. During password authentication, the SSH client encrypts its

Page 73

153 2. The server decrypts and executes the command, and then encrypts and sends the result to the client. 3. The client decrypts and displays the

Page 74

154 Task Remarks Configuring a client's host public key Required for publickey authentication users and optional for password authentication use

Page 75

155 Step Command Remarks 2. Enable the SSH server function. ssh server enable Disabled by default Configuring the user interfaces for SSH clients

Page 76

156 NOTE: • H3C recommends you to configure a client's host public key by importing it from a public key file. • You can configure up to 20

Page 77

157 • If publickey authentication, whether with password authentication or not, is used, the command level accessible to the user is set by the user

Page 78

158 Setting the SSH management parameters SSH management includes: • Enabling the SSH server to be compatible with SSH1 client • Setting the RSA s

Page 79

6 Executing the ping operation at the CLI Task Command Remarks Test the network connectivity to an IP address. • For IPv4 networks: ping [ ip ] [ -

Page 80

159 Specifying a source IP address/interface for the SSH client This configuration task allows you to specify a source IP address or interface for th

Page 81

160 Step Command Remarks 3. Configure the server host public key. See "Configuring a client's host public key" The method for configu

Page 82

161 Task Command Remarks Establish a connection between the SSH client and the IPv6 server, and specify algorithms involved during the connection. •

Page 83

162 SSH server configuration examples Password authentication enabled SSH server configuration example Network requirements As shown in Figure 72, a

Page 84

163 # Configure an IP address for interface GigabitEthernet 0/1, which the SSH client will use as the destination for SSH connection. [SecPath] inter

Page 85 - 1.1.0.1/16 1.2.0.1/16

164 Figure 73 Specifying the host name (or IP address) In the window shown in Figure 73, click Open to connect to the server. If the connection is

Page 86

165 Configuration procedure NOTE: During SSH server configuration, the client's host public key is required. Use the client software to gener

Page 87

166 Figure 76 Generating process After the key pair is generated, click Save public key and specify the file name as key.pub to save the public key

Page 88

167 Likewise, to save the private key, click Save private key. A warning window pops up to prompt you whether to save the private key without any pro

Page 89 - [SecPath] quit

168 Figure 78 Specifying the host name (or IP address) Select Connection > SSH > Auth from the navigation tree. The following window appears.

Page 90 - Managing logs

7 2. The first hop (Device B, the first Layer 3 device that receives the packet) responds by sending a TTL-expired ICMP error message to the source,

Page 91

169 Figure 79 Specifying the private key file In the window shown in Figure 79, click Open to connect to the server. If the connection is normal, y

Page 92 - Configuring user logging

170 # Generate the RSA key pairs. <Router> system-view [Router] public-key local create rsa The range of public key size is (512 ~ 2048). NOTES

Page 93

171 # Configure an IP address for interface GigabitEthernet 0/1. <SecPath> system-view [SecPath] interface GigabitEthernet 0/1 [SecPath-Gigabit

Page 94

172 [SecPath-pkey-key-code]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465E 8716261214A5A3B493E866991113B2D [SecPath-pkey-key-code]485348 [SecPath-p

Page 95

173 It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys... ++++++++++++++++++++++++++++

Page 96

174 # Set the user command privilege level to 3. [Router-ui-vty0-4] user privilege level 3 [Router-ui-vty0-4] quit # Import the peer public key from

Page 97 - Exporting user logs

175 Configuring SFTP Overview The Secure File Transfer Protocol (SFTP) is a new feature in SSH2. SFTP uses the SSH connection to provide secure data

Page 98 - <SecPath> system-view

176 Configuring the SFTP connection idle timeout period Once the idle period of an SFTP connection exceeds the specified threshold, the system automa

Page 99 - Configuring session logging

177 Task Command Remarks Establish a connection to the IPv4 SFTP server and enter SFTP client view. • In non-FIPS mode: sftp server [ port-number ]

Page 100

178 Step Command Remarks 3. Return to the upper-level directory. cdup Optional. 4. Display the current working directory of the remote SFTP server

Page 101 - Log report

8 Figure 5 Page for executing the tracert operation 2. Enter the IP address or host name of the destination device in the Trace Route field. 3. C

Page 102 - Displaying system logs

179 Displaying help information This configuration task will display a list of all commands or the help information of an SFTP client command, such a

Page 103

180 # Configure an IP address for interface GigabitEthernet 0/1. <SecPath> system-view [SecPath] interface GigabitEthernet 0/1 [SecPath-Gigabit

Page 104 - Displaying blacklist logs

181 # Enable the SFTP server. [Router] sftp server enable # Configure an IP address for interface GigabitEthernet 0/1, which the client will use as t

Page 105

182 sftp-client> dir -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubk

Page 106 - Displaying user logs

183 Bye Connection closed. <SecPath> SFTP server configuration example Network requirements As shown in Figure 83, an SSH connection is require

Page 107

184 # Configure an IP address for interface GigabitEthernet 0/1, which the client will use as the destination for SSH connection. [SecPath] interface

Page 108

185 Figure 84 SFTP client interface

Page 109 - Configuring NTP

186 Managing virtual firewalls NOTE: The virtual firewall configuration is available only in the web interface. Overview The virtual device feat

Page 110 - How NTP works

187 Configuring a virtual device Configuration task list Task Description Creating a virtual device Required. You can add a member to a virtual devi

Page 111 - NTP message format

188 Item F1000-S-AI F1000-A-EI/E-SI F1000-E/F5000-A5 Firewall module Maximum number of virtual devices supported 64 128 256 256 Select Device Mana

Page 112 - NTP operation modes

Copyright © 2011-2013, Hangzhou H3C Technologies Co., Ltd. and its licensors All rights reserved No part of this manual may be reproduced or transmi

Page 113 - Broadcast mode

9 • Enable sending of ICMP destination unreachable packets on the destination device. If the destination device is an H3C device, execute the ip unr

Page 114 - NTP for VPNs

189 maximum number of sessions for a virtual device must not exceed the session limit of the virtual device displayed on the Profile tab. Figure 88 P

Page 115 - NTP configuration task list

190 Adding VLANs to a virtual device Select Device Management > Virtual Device > VLAN, and the VLANs that belong to all the current virtual dev

Page 116 - Configuration procedure

191 Figure 93 Network diagram Configuration considerations • Create two virtual devices VD_A and VD_B. • Add VLAN 100 through VLAN 205 and VLAN 3

Page 117

192 Figure 95 Creating VD_B Adding interfaces to the virtual devices 1. Select Device Management > Virtual Device > Interface from the navig

Page 118

193 Figure 97 Adding VLAN members to VD_A 2. Add VLAN members to VD_B: a. Select Device Management > Virtual Device > VLAN from the navigat

Page 119

194 Configuring host traffic statistics Feature and hardware compatibility Feature F1000-A-EI/E-SI/S-AI F1000-E F5000-A5 Firewall module Host traffi

Page 120 - Configuration prerequisites

195 Specifying service type Select Network > Statistics > L2 Statistics from the navigation tree and then click the Service Configuration tab

Page 121

196 Figure 101 Basic configuration page Table 32 Configuration items Item Description Enable host traffic statistics Enable or disable the host tr

Page 122

197 Configuration procedure # Specify the IP address of the log host. • Select Log Report > Syslog from the navigation tree of the SecPath and p

Page 123 - NTP configuration examples

198 Figure 104 Configuring the customized service resource • Enter tcp-des80 for Name. • Select the TCP option. • Specify the Source Port rang

Page 124 - Network requirements

10 Figure 7 Relationship between the protocol and screen output switch Debugging a feature Output from debugging commands is memory intensive. To g

Page 125

199 Figure 105 Configuring the service group resource • Enter test for Name. • Select tcp-des80 and tcp-des8080 from the Available Group Members

Page 126

200 Figure 107 Enabling the host statistics function • Select the Enable host traffic statistics box. • Click Apply. Configuration guidelines •

Page 127

201 Configuring FTP This chapter describes how to configure FTP. NOTE: FTP configuration is available only at the CLI. Feature and hardware compa

Page 128

202 Table 33 Configuration when the device serves as the FTP client Device Configuration Remarks SecPath (FTP client) Use the ftp command to establis

Page 129 - Root delay: 40.00 ms

203 Establishing an FTP connection Before you can access the FTP server, you must establish a connection from the FTP client to the FTP server. You c

Page 130

204 Task Command Remarks Log in to the remote FTP server directly in user view. ftp ipv6 [ server-address [ service-port ] [ vpn-instance vpn-instanc

Page 131

205 Task Command Remarks Display detailed information about a directory or file on the remote FTP server. dir [ remotefile [ localfile ] ] The ls co

Page 132

206 Task Command Remarks Enable information display in a detailed manner. verbose Enabled by default. Enable FTP related debugging when the firewall

Page 133 - Root delay: 31.00 ms

207 230 Logged in successfully # Set the file transfer mode to binary to transmit boot file. [ftp] binary 200 Type set to I. # Download the boot file

Page 134 - Configuring RMON

208 Step Command Remarks 3. Use an ACL to control FTP clients’ access to the firewall. ftp server acl acl-number Optional. By default, no ACL is use

Page 135 - Alarm group

11 NOTE: Configure the debugging, terminal debugging and terminal monitor commands before you can display detailed debugging information on the term

Page 136 - Private alarm group

209 Step Command Remarks 5. Configure user properties. authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute

Page 137

210 # Check the available space of the Flash. Ensure adequate space for the boot file to be uploaded. <Sysname> dir Directory of flash0:/ 0

Page 138

211 Displaying and maintaining FTP Task Command Remarks Display the source IP address configuration of the FTP client. display ftp client configurat

Page 139

212 Configuring TFTP This chapter describes how to configure TFTP. NOTE: TFTP configuration is available only at the CLI. Feature and hardware co

Page 140

213 Table 35 Configuration when the device serves as the TFTP client Device Configuration SecPath (TFTP client) • Configure the IP address and routi

Page 141

214 Step Command Remarks 3. Specify the source IP address of sent TFTP packets. tftp client source { interface interface-type interface-number | ip

Page 142

215 Figure 112 Network diagram Configuration procedure 1. Configure the PC (TFTP server): a. On the PC, enable the TFTP server. (Details not show

Page 143

216 Using automatic configuration Automatic configuration enables a device without any configuration file to automatically obtain and execute a confi

Page 144 - Configuring SNMP

217 How automatic configuration works Automatic configuration works in the following manner: 1. During startup, the device sets the first up interfa

Page 145 - SNMP protocol versions

218 Using DHCP to obtain an IP address and other configuration information Address acquisition process As mentioned before, a device sets the first u

Page 146

12 1.1.2.1 1.1.2.2 1.1.1.2 1.1.1.1 Reply from 1.1.2.2: bytes=56 Sequence=2 ttl=254 time=1 ms Record Rou

Page 147

219 • If devices use different configuration files, you need to configure static address pools to ensure that each device can get a fixed IP address

Page 148 - Offset Chassis ID

220 Obtaining the configuration file Figure 115 Obtaining the configuration file A device obtains its configuration file by using the following wor

Page 149 - Configuring SNMP traps

221 • If the IP address and the domain name of the TFTP server are not contained in the DHCP response or they are illegitimate, the device broadcast

Page 150

222 Index A C D E F H I L M N O P R S T U V A Alarm group configuration example,131 C Configuration guidelines,200 Configuration prerequisites,194

Page 151

223 Managing the configuration file at the CLI,47 N NTP configuration examples,112 NTP configuration task list,104 O Outputting system information t

Page 152 - SNMP configuration examples

13 Ping and tracert example Network requirements As shown in Figure 9, SecPath failed to Telnet Device B. Verify whether SecPath and Device B can rea

Page 153 - SNMPv3 configuration example

14 3. Use the debugging ip icmp command on SecPath and Device B to verify that they can send and receive the specific ICMP packets, or use the displ

Page 154

15 Configuring IP performance optimization Enabling forwarding of directed broadcasts destined for the directly connected network Directed broadcast

Page 155

16 Figure 10 Network diagram Configuration procedure 1. Configure SecPath: # Configure IP addresses for GigabitEthernet 0/1 and GigabitEthernet 0/

Page 156

17 Step Command Remarks 2. Enter interface view. interface interface-type interface-number N/A 3. Configure the TCP MSS of the interface. tcp mss v

Page 157 - Configuring MIB style

18 Step Command Remarks 1. Enter system view. system-view N/A 2. Enable TCP path MTU discovery. tcp path-mtu-discovery [ aging minutes | no-aging

Page 158 - Configuring RSH

Preface The H3C SecPath Series High-End Firewalls documentation set includes 10 configuration guides, which describe the software features for the H3C

Page 159 - Configuring the remote host

19 Configuring ICMP to send error packets Sending error packets is a major function of ICMP. In case of network abnormalities, error packets are usua

Page 160 - Configuring the SecPath

20 { When forwarding a packet, if the MTU of the sending interface is smaller than the packet, but the packet has been set as "Don't Fragm

Page 161 - Configuring SSH

21 Step Command Remarks 2. Set the packet forwarding mode. ip forwarding { per-flow | per-packet } By default, the packet forwarding mode is per-pac

Page 162 - Authentication

22 Managing the file system This chapter describes how to manage the file system of your firewall, including the storage media, directories, and file

Page 163 - Interaction

23 Displaying file contents Task Command Remarks Display the contents of a file. more file-url [ | { begin | exclude | include } regular-expression

Page 164 - SSH support for VPNs

24 Restoring a file from the recycle bin Task Command Remarks Restore a file from the recycle bin. undelete file-url Available in user view Empty

Page 165

25 Displaying the current working directory Task Command Remarks Display the current working directory. pwd Available in user view Changing the c

Page 166

26 • If a storage medium is partitioned, the name of a partition is composed of the physical device name and the partition number. The sequence numb

Page 167 - Configuring an SSH user

27 Before partitioning a CF card, back up the files in the CF card. The partition operation clears all data in the CF card. After partitioning a CF

Page 168

28 Checking files After files are written to the NAND flash memory, use the following commands together to check the content of these files. To check

Page 169

Convention Description [ x | y | ... ] * Asterisk marked square brackets enclose optional syntax choices separated by vertical bars, from which you se

Page 170

29 File system management examples # Display the files and the subdirectories in the current directory. <Sysname> dir Directory of flash0:/

Page 171

30 Upgrading software You can use the CLI, BootWare menus, or Web interface to upgrade software. This chapter describes how to upgrade software from

Page 172

31 Upgrading method Software types Remarks Installing hotfixes System software image Hotfixes repair software defects without requiring a reboot or

Page 173

32 Upgrading system software from the web interface IMPORTANT: Upgrading software takes some time. To prevent upgrade failure, do not perform any o

Page 174

33 Upgrading system software from the CLI Step Command Remarks 1. Use FTP or TFTP to transfer the system software image to the root directory of th

Page 175

34 Patch states A patch is in IDLE, DEACTIVE, ACTIVE, or RUNNING state, depending on the patch manipulation command. Patch manipulation commands incl

Page 176

35 Figure 14 Patches that are not loaded to the memory patch area DEACTIVE state Patches in DEACTIVE state have been loaded to the memory patch are

Page 177

36 Figure 16 Patches that are activated RUNNING state After you confirm ACTIVE patches, their states change to RUNNING and persist after a reboot.

Page 178

37 • Make sure the patch file matches the device model and software version. • Save the patch file to the root directory of the device's stora

Page 179

38 If the patch file is saved in the root directory, you do not need to specify the patch location. If not, you must specify the patch file location.

Page 180

Obtaining documentation You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com. Click the links on t

Page 181

39 Step Command 1. Enter system view. system-view 2. Confirm the running of patches. patch run [ patch-number ] Uninstalling a patch step by step

Page 182

40 Software upgrade configuration examples Scheduled upgrade configuration example Network requirements As shown in Figure 18: • The current system

Page 183

41 startup saved-configuration new-config.cfg boot-loader file soft-version2.bin main reboot 2. Configure the SecPath firewall: # Log in to the FTP

Page 184

42 Figure 19 Network diagram Configuration procedure This example assumes that the SecPath firewall and the TFTP server can ping each other. 1. Co

Page 185

43 Managing configuration files You can use the CLI, BootWare menus, or Web interface to manage configuration files. This chapter explains how to man

Page 186 - Configuring SFTP

44 • Only non-default configuration settings are saved. • The commands are listed in sections by views, usually in this order: system view, interfa

Page 187

45 To save the running configuration in fast mode, click the Save button at the upper right of the auxiliary area. To save the running configuration

Page 188

46 To restore configuration: 1. Select Device Management > Maintenance from the navigation tree. 2. Click Restore. Figure 22 Restoring configura

Page 189 - Working with SFTP files

47 Importing a configuration file This operation allows you to import a .cfg file from your host to the device and execute the configuration in the f

Page 190 - Displaying help information

48 • Private key: A configuration file encrypted by this kind of key can be decrypted and recognized only by the local device. • Public key: A conf

Page 191

i Contents Device information

Page 192

49 Configuring configuration rollback Configuration rollback allows you to revert to a previous configuration state based on a specified configuratio

Page 193

50 The number of saved configuration files has an upper limit. After the maximum number of files is saved, the system deletes the oldest files when t

Page 194

51 Manually saving the running configuration Automatic saving of the running configuration occupies system resources, and frequent saving can greatly

Page 195

52 • Use the save command. If you save the running configuration to the specified configuration file in the interactive mode, the system automatical

Page 196

53 • Startup configuration files are corrupted, which is often caused by loading an incorrect configuration file. With startup configuration files d

Page 197 - Managing virtual firewalls

54 Task Command Remarks Display the running configuration of the device. display current-configuration [ configuration [ configuration ] | interface

Page 198 - Configuring a virtual device

55 Configuring the information center This chapter describes how to configure the information center. NOTE: The information center configuration i

Page 199

56 Figure 25 Information center diagram By default, the information center is enabled. It affects system performance to some degree when processing

Page 200

57 Table 6 Severity description Severity Severity value Description Corresponding keyword in commands Emergency 0 The system is unavailable. emerge

Page 201

58 Information channel number Default channel name Default output destination Description 8 channel8 Not specified Receives log, trap, and debugging

Page 202 - GE0/2GE0/1

ii Displaying the current working directory

Page 203

59 Output destination Modules allowed LOG TRAP DEBUG Enabled/disabled Severity Enabled/disabled Severity Enabled/disabled Severity Log buffer All def

Page 204

60 The closing set of angle brackets (< >), the space, the forward slash (/), and the colon (:) are all required in the above format. What foll

Page 205 - Configuration task list

61 Time stamp parameter Description Example iso Time stamp format stipulated in ISO 8601 Only the system information sent to a log host supports this

Page 206 - Specifying service type

62 For system information destined to the log host: • If the character string ends with (l), the information is log information • If the character

Page 207

63 Outputting system information to the console Step Command Remarks 1. Enter system view. system-view N/A 2. Enable the information center. info

Page 208

64 Step Command Remarks 1. Enter system view. system-view N/A 2. Enable the information center. info-center enable Optional. Enabled by default. 3

Page 209

65 Step Command Remarks 3. Name the channel with a specified channel number. info-center channel channel-number name channel-name Optional. See Tabl

Page 210

66 Step Command Remarks 4. Configure an output channel for the trap buffer and specify the buffer size. info-center trapbuffer [ channel { channel-n

Page 211

67 Outputting system information to the SNMP module The SNMP module only receives trap information, and discards log and debug information. To monito

Page 212 - Configuring FTP

68 Step Command Remarks 2. Enable the information center. info-center enable Optional. Enabled by default. 3. Name the channel with a specified cha

Page 213

iii System information levels

Page 214

69 Step Command Remarks 6. Configure the maximum size of the log file. info-center logfile size-quota size Optional. By default, the maximum size of

Page 215

70 Saving security logs into the security log file With this feature enabled, when the system outputs the system information to a specified destinati

Page 216

71 Task Command Remarks Display the summary of the security log file. display security-logfile summary [ | { begin | exclude | include } regular-expr

Page 217

72 Task Command Remarks Perform these operations to the security log file. • Display the contents of the specified file: more file-url • Display in

Page 218

73 Enabling synchronous information output The output of system logs interrupts ongoing configuration operations, and you have to find the previously

Page 219

74 Displaying and maintaining information center Task Command Remarks Display information about information channels. display channel [ channel-numb

Page 220

75 1. Configure the SecPath # Enable the information center. <SecPath> system-view [SecPath] info-center enable # Specify the host 1.2.0.1/16

Page 221

76 Now, the system can record log information into the log file. Outputting log information to a Linux log host Network requirements Configure the Se

Page 222 - Remarks

77 NOTE: Be aware of the following issues while editing the file /etc/syslog.conf: • Comments must be on a separate line and must begin with a pou

Page 223 - Configuring TFTP

78 [SecPath] quit # Enable the display of log information on a terminal. (Optional, this function is enabled by default.) <SecPath> terminal mo

Page 224 - Configuring the TFTP client

iv Configuration guidelines

Page 225

79 Managing logs This chapter describes how to manage various types of logs. Configuring syslog Syslog can be configured only in the Web interface.

Page 226 - <Sysname> reboot

80 Figure 29 Syslog Table 11 Configuration items Item Description Log Buffer Size Set the number of syslogs that can be stored in the log buffer.

Page 227

81 Item Description Log Host IP Address Log Host 1 Set the IPv4/IPv6 addresses, port number and the VPN instance (this option is available only when

Page 228

82 Table 13 Packet format in user logging version 3.0 Field Description Prot Protocol carried over IP. Operator Indicates the reason why a flow has

Page 229 - Address acquisition process

83 Figure 30 User logging Table 14 Configuration items Item Description Version Set the version of user logging: 1.0 or 3.0. IMPORTANT: Configure

Page 230 - File types

84 Item Description Log Host Configuration Log Host 1 Set the IPv4/IPv6 addresses, port number, and the VPN instance of the log hosts. You can speci

Page 231 - TFTP request sending mode

85 Task Remarks Exporting user logs Exporting user logs to a log server Use either method. Exporting user logs to the information center Configurin

Page 232

86 Step Command Remarks 1. Enter system view. system-view N/A 2. Configure the system to record user logs in local time. userlog flow export timest

Page 233

87 Step Command Remarks 1. Enter system view. system-view N/A 2. Export user logs to the information center. userlog flow syslog User logs are exp

Page 234

88 # Export User's user logs to the log server with IP address 1.2.3.6:2000. [SecPath] userlog flow export host 1.2.3.6 2000 # Configure the sou
