H3C SecPath Series High-End Firewalls System Management and Maintenance Configuration Guide Hangzhou H3C Technologies Co., Ltd. ht
v SNMPv3 configuration example
89 Session logs are output in the format of user logs. To view session logs, you also need to configure user logging. Session logging configuration t
90 Table 15 Configuration items Item Description Source Zone Specify the source zone and destination zone. You can configure an optional security zo
91 Displaying system logs Select Log Report > Report > System Log from the navigation tree to enter the page as shown in Figure 36. Figure 36 O
92 Severity level Description Value Note: A smaller value represents a higher severity level. Displaying connection limit logs Select Log Report &
93 Displaying attack prevention logs Select Log Report > Report > Attack Prevention Log from the navigation tree to enter the page as shown in
94 Figure 39 Blacklist log configuration page Table 21 Field description Item Description Time/Date Time when a blacklist member is generated. Mod
95 Field Description Policy ID ID of the interzone policy that a flow match. Action Action taken against a flow, permitted or denied. Protocol Type
96 Figure 42 User logging 3.0 log report Table 23 User logging 1.0 field description Item Description Time/Date Time and date when a user log was
97 Item Description Flow Information Flow information: • If the protocol type is TCP or UDP, the displayed flow information is source IP address:sou
98 Configuring NTP This chapter provides an overview of the Network Time Protocol (NTP) and guides you through the configuration procedure. NOTE:
vi Configuration task list
99 How NTP works Figure 43 shows the basic workflow of NTP. Device A and Device B are connected over a network. They have their own independent syste
100 This is only a rough description for the NTP work mechanism. For more information, see RFC 1305. NTP message format NTP uses two types of message
101 • Stratum—An 8-bit integer indicating the stratum level of the local clock, with the value ranging from 1 to 16. The clock precision decreases f
102 (server mode). Upon receiving the replies from the servers, the client performs clock filtering and selection, and synchronizes its local clock t
103 mode and continues listening to broadcast messages, and synchronizes its local clock based on the received broadcast messages. Multicast mode Fig
104 Figure 49 Network diagram NTP configuration task list Task Remarks Configuring the NTP operation modes Required. Configuring the local clock
105 receipt of a message, rather than creating an association (static or dynamic). In symmetric mode, static associations are created at the symmetri
106 Configuration procedure To specify a symmetric-passive peer on the active peer: Step Command Remarks 1. Enter system view. system-view N/A 2.
107 Configuring the NTP multicast mode The multicast server periodically sends NTP multicast messages to multicast clients, which send replies after
108 clock errors of the devices in the network. To configure the local clock as a reference source: Step Command Remarks 1. Enter system view. syst
1 Device information Displaying device information After logging in to the Web interface, you will enter the Device Info page. Figure 1 Device overvie
109 Step Command Remarks 2. Enter interface view. interface interface-type interface-number N/A 3. Disable the interface from receiving NTP message
110 Configuration procedure To configure the NTP service access-control right to the local device: Step Command Remarks 1. Enter system view. syste
111 Step Command Remarks 1. Enter system view. system-view N/A 2. Enable NTP authentication. ntp-service authentication enable By default, NTP aut
112 Displaying and maintaining NTP Task Command Remarks Display information about NTP service status. display ntp-service status [ | { begin | exclu
113 Clock offset: 0.0000 ms Root delay: 0.00 ms Root dispersion: 0.00 ms Peer dispersion: 0.00 ms Reference time: 00:00:00.000 UTC Jan 1 1900 (0
114 Figure 51 Network diagram Configuration procedure 1. Set the IP address for each interface as shown in Figure 51. (Details not shown.) 2. Con
115 As shown above, SecPath B has been synchronized to SecPath C, and the clock stratum level of SecPath B is 2, while that of SecPath C is 1. # View
116 # Configure SecPath A to operate in broadcast client mode and receive broadcast messages on GigabitEthernet 0/1. <SecPathA> system-view [Se
117 Figure 53 Network diagram Configuration procedure 1. Set the IP address for each interface as shown in Figure 53. (Details not shown.) 2. Con
118 As shown above, SecPath D has been synchronized to SecPath C and the clock stratum level of SecPath D is 3, while that of SecPath C is 2. # View
2 Field Description Contact Information Display the contact information for device maintenance. SerialNum Display the serial number of the device. S
119 ************************************************************************** [1234] 3.0.1.31 127.127.1.0 2 255 64 26 -16.0 40.0
120 # Enable NTP authentication. [DeviceA] ntp-service authentication enable # Set an authentication key. [DeviceA] ntp-service authentication-keyi
121 Figure 55 Network diagram Configuration procedure 1. Set the IP address for each interface as shown in Figure 55. (Details not shown.) 2. Con
122 Actual frequency: 64.0000 Hz Clock precision: 2^7 Clock offset: 0.0000 ms Root delay: 31.00 ms Root dispersion: 8.31 ms Peer dispersion
123 Configuring RMON This chapter provides an overview of the Remote Monitoring (RMON) and guides you through the configuration procedure. NOTE: T
124 future retrieval. The interface traffic statistics include network collisions, CRC alignment errors, undersize/oversize packets, broadcasts, mult
125 Figure 56 Rising and falling alarm events Private alarm group The private alarm group calculates the values of alarm variables and compares the
126 Configuring the RMON Ethernet statistics function Step Command 1. Enter system view. system-view 2. Enter Ethernet interface view. interface i
127 • After the maximum number of entries is reached, no new entry can be created. For the table entry limits, see Table 25. To configure the RMON a
128 Task Command Remarks Display the RMON history control entry and history sampling information. display rmon history [ interface-type interface-nu
3 Recent system logs Table 4 Field description Field Description Time Display the time when the system logs are generated. Level Display the level of
129 etherStatsCRCAlignErrors : 0 , etherStatsCollisions : 0 etherStatsDropEvents (insufficient resources): 0 Packets received accord
130 collisions : 0 , utilization : 0 Sampled values of record 3 : dropevents : 0 , octets
131 Alarm group configuration example Network requirements Configure the RMON alarm group on the RMON agent in Figure 59 to send alarms in traps when
132 Latest value : 0 # Display statistics for GigabitEthernet 0/1. <SecPath> display rmon statistics GigabitEthernet 0/1 EtherStatsE
133 Configuring SNMP This chapter provides an overview of the Simple Network Management Protocol (SNMP) and guides you through the configuration proc
134 Figure 61 MIB tree A MIB view represents a set of MIB objects (or MIB object hierarchies) with certain access privilege and is identified by a
135 Configuring SNMP basic parameters SNMPv3 differs from SNMPv1 and SNMPv2c in many ways. Their configuration procedures are described in separate s
136 Step Command Remarks 8. Add a user to the SNMPv3 group. snmp-agent usm-user v3 user-name group-name [ [ cipher ] authentication-mode { md5 | sha
137 Step Command Remarks 6. Configure SNMP access right. • (Approach 1) Create an SNMP community: snmp-agent community { read | write } community-n
138 Configuring SNMP logging Disable SNMP logging in normal cases to prevent a large amount of SNMP logs from decreasing device performance. The SNMP
4 Using ping, tracert, and system debugging Use the ping, tracert, and system debugging utilities to test network connectivity and identify network p
139 To generate linkUp or linkDown traps when the link state of an interface changes, enable the linkUp or linkDown trap function both globally by us
140 Step Command Remarks 2. Configure target host. snmp-agent target-host trap address udp-domain { ip-address | ipv6 ipv6-address } [ udp-port port
141 Task Command Remarks Display basic information about the trap queue. display snmp-agent trap queue [ | { begin | exclude | include } regular-expr
142 [SecPath] snmp-agent sys-info location telephone-closet,3rd-floor # Enable SNMP traps, set the NMS at IP address 1.1.1.2/24 as an SNMP trap desti
143 [SecPath] undo snmp-agent mib-view ViewDefault [SecPath] snmp-agent mib-view included test interfaces [SecPath] snmp-agent group v3 managev3group
144 Figure 65 Network diagram Configuration procedure For more information about the NMS and SecPath, see "SNMPv1/SNMPv2c configuration exampl
145 Field Description errorstatus Error status, with noError meaning no error. value Value set by the SET operation. This field is null for a GET op
146 Configuring MIB style MIBs fall into public MIBs and private MIBs. A private MIB is attached to a sub-node under the enterprises MIB node (1.3.6.
147 Configuring RSH The RSH configuration is available only at the CLI. RSH overview Remote shell (RSH) allows you to execute the commands provided b
148 Figure 67 Network diagram Configuring the remote host Windows NT, 2000, XP, and 2003 are shipped with no RSH daemon. The RSH daemon must be sep
5 Figure 2 Page for executing the ping operation 2. Enter the IP address or the host name of the destination device in the field. 3. Click Start.
149 3. Check for the Remote Shell Daemon entry. If it does not exist, install the daemon first. 4. Look at the Status column to check whether the R
150 Configuring SSH Feature and hardware compatibility Feature F1000-A-EI/E-SI/S-AI F1000-E F5000-A5 Firewall module FIPS No No No Yes Overview Se
151 Stages Description Interaction After the server grants the request, the client and the server start to communicate with each other. Version nego
152 • Password authentication—The SSH server uses AAA for authentication of the client. During password authentication, the SSH client encrypts its
153 2. The server decrypts and executes the command, and then encrypts and sends the result to the client. 3. The client decrypts and displays the
154 Task Remarks Configuring a client's host public key Required for publickey authentication users and optional for password authentication use
155 Step Command Remarks 2. Enable the SSH server function. ssh server enable Disabled by default Configuring the user interfaces for SSH clients
156 NOTE: • H3C recommends you to configure a client's host public key by importing it from a public key file. • You can configure up to 20
157 • If publickey authentication, whether with password authentication or not, is used, the command level accessible to the user is set by the user
158 Setting the SSH management parameters SSH management includes: • Enabling the SSH server to be compatible with SSH1 client • Setting the RSA s
6 Executing the ping operation at the CLI Task Command Remarks Test the network connectivity to an IP address. • For IPv4 networks: ping [ ip ] [ -
159 Specifying a source IP address/interface for the SSH client This configuration task allows you to specify a source IP address or interface for th
160 Step Command Remarks 3. Configure the server host public key. See "Configuring a client's host public key" The method for configu
161 Task Command Remarks Establish a connection between the SSH client and the IPv6 server, and specify algorithms involved during the connection. •
162 SSH server configuration examples Password authentication enabled SSH server configuration example Network requirements As shown in Figure 72, a
163 # Configure an IP address for interface GigabitEthernet 0/1, which the SSH client will use as the destination for SSH connection. [SecPath] inter
164 Figure 73 Specifying the host name (or IP address) In the window shown in Figure 73, click Open to connect to the server. If the connection is
165 Configuration procedure NOTE: During SSH server configuration, the client's host public key is required. Use the client software to gener
166 Figure 76 Generating process After the key pair is generated, click Save public key and specify the file name as key.pub to save the public key
167 Likewise, to save the private key, click Save private key. A warning window pops up to prompt you whether to save the private key without any pro
168 Figure 78 Specifying the host name (or IP address) Select Connection > SSH > Auth from the navigation tree. The following window appears.
7 2. The first hop (Device B, the first Layer 3 device that receives the packet) responds by sending a TTL-expired ICMP error message to the source,
169 Figure 79 Specifying the private key file In the window shown in Figure 79, click Open to connect to the server. If the connection is normal, y
170 # Generate the RSA key pairs. <Router> system-view [Router] public-key local create rsa The range of public key size is (512 ~ 2048). NOTES
171 # Configure an IP address for interface GigabitEthernet 0/1. <SecPath> system-view [SecPath] interface GigabitEthernet 0/1 [SecPath-Gigabit
172 [SecPath-pkey-key-code]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465E 8716261214A5A3B493E866991113B2D [SecPath-pkey-key-code]485348 [SecPath-p
173 It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys... ++++++++++++++++++++++++++++
174 # Set the user command privilege level to 3. [Router-ui-vty0-4] user privilege level 3 [Router-ui-vty0-4] quit # Import the peer public key from
175 Configuring SFTP Overview The Secure File Transfer Protocol (SFTP) is a new feature in SSH2. SFTP uses the SSH connection to provide secure data
176 Configuring the SFTP connection idle timeout period Once the idle period of an SFTP connection exceeds the specified threshold, the system automa
177 Task Command Remarks Establish a connection to the IPv4 SFTP server and enter SFTP client view. • In non-FIPS mode: sftp server [ port-number ]
178 Step Command Remarks 3. Return to the upper-level directory. cdup Optional. 4. Display the current working directory of the remote SFTP server
8 Figure 5 Page for executing the tracert operation 2. Enter the IP address or host name of the destination device in the Trace Route field. 3. C
179 Displaying help information This configuration task will display a list of all commands or the help information of an SFTP client command, such a
180 # Configure an IP address for interface GigabitEthernet 0/1. <SecPath> system-view [SecPath] interface GigabitEthernet 0/1 [SecPath-Gigabit
181 # Enable the SFTP server. [Router] sftp server enable # Configure an IP address for interface GigabitEthernet 0/1, which the client will use as t
182 sftp-client> dir -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubk
183 Bye Connection closed. <SecPath> SFTP server configuration example Network requirements As shown in Figure 83, an SSH connection is require
184 # Configure an IP address for interface GigabitEthernet 0/1, which the client will use as the destination for SSH connection. [SecPath] interface
185 Figure 84 SFTP client interface
186 Managing virtual firewalls NOTE: The virtual firewall configuration is available only in the web interface. Overview The virtual device feat
187 Configuring a virtual device Configuration task list Task Description Creating a virtual device Required. You can add a member to a virtual devi
188 Item F1000-S-AI F1000-A-EI/E-SI F1000-E/F5000-A5 Firewall module Maximum number of virtual devices supported 64 128 256 256 Select Device Mana
Copyright © 2011-2013, Hangzhou H3C Technologies Co., Ltd. and its licensors All rights reserved No part of this manual may be reproduced or transmi
9 • Enable sending of ICMP destination unreachable packets on the destination device. If the destination device is an H3C device, execute the ip unr
189 maximum number of sessions for a virtual device must not exceed the session limit of the virtual device displayed on the Profile tab. Figure 88 P
190 Adding VLANs to a virtual device Select Device Management > Virtual Device > VLAN, and the VLANs that belong to all the current virtual dev
191 Figure 93 Network diagram Configuration considerations • Create two virtual devices VD_A and VD_B. • Add VLAN 100 through VLAN 205 and VLAN 3
192 Figure 95 Creating VD_B Adding interfaces to the virtual devices 1. Select Device Management > Virtual Device > Interface from the navig
193 Figure 97 Adding VLAN members to VD_A 2. Add VLAN members to VD_B: a. Select Device Management > Virtual Device > VLAN from the navigat
194 Configuring host traffic statistics Feature and hardware compatibility Feature F1000-A-EI/E-SI/S-AI F1000-E F5000-A5 Firewall module Host traffi
195 Specifying service type Select Network > Statistics > L2 Statistics from the navigation tree and then click the Service Configuration tab
196 Figure 101 Basic configuration page Table 32 Configuration items Item Description Enable host traffic statistics Enable or disable the host tr
197 Configuration procedure # Specify the IP address of the log host. • Select Log Report > Syslog from the navigation tree of the SecPath and p
198 Figure 104 Configuring the customized service resource • Enter tcp-des80 for Name. • Select the TCP option. • Specify the Source Port rang
10 Figure 7 Relationship between the protocol and screen output switch Debugging a feature Output from debugging commands is memory intensive. To g
199 Figure 105 Configuring the service group resource • Enter test for Name. • Select tcp-des80 and tcp-des8080 from the Available Group Members
200 Figure 107 Enabling the host statistics function • Select the Enable host traffic statistics box. • Click Apply. Configuration guidelines •
201 Configuring FTP This chapter describes how to configure FTP. NOTE: FTP configuration is available only at the CLI. Feature and hardware compa
202 Table 33 Configuration when the device serves as the FTP client Device Configuration Remarks SecPath (FTP client) Use the ftp command to establis
203 Establishing an FTP connection Before you can access the FTP server, you must establish a connection from the FTP client to the FTP server. You c
204 Task Command Remarks Log in to the remote FTP server directly in user view. ftp ipv6 [ server-address [ service-port ] [ vpn-instance vpn-instanc
205 Task Command Remarks Display detailed information about a directory or file on the remote FTP server. dir [ remotefile [ localfile ] ] The ls co
206 Task Command Remarks Enable information display in a detailed manner. verbose Enabled by default. Enable FTP related debugging when the firewall
207 230 Logged in successfully # Set the file transfer mode to binary to transmit boot file. [ftp] binary 200 Type set to I. # Download the boot file
208 Step Command Remarks 3. Use an ACL to control FTP clients’ access to the firewall. ftp server acl acl-number Optional. By default, no ACL is use
11 NOTE: Configure the debugging, terminal debugging and terminal monitor commands before you can display detailed debugging information on the term
209 Step Command Remarks 5. Configure user properties. authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute
210 # Check the available space of the Flash. Ensure adequate space for the boot file to be uploaded. <Sysname> dir Directory of flash0:/ 0
211 Displaying and maintaining FTP Task Command Remarks Display the source IP address configuration of the FTP client. display ftp client configurat
212 Configuring TFTP This chapter describes how to configure TFTP. NOTE: TFTP configuration is available only at the CLI. Feature and hardware co
213 Table 35 Configuration when the device serves as the TFTP client Device Configuration SecPath (TFTP client) • Configure the IP address and routi
214 Step Command Remarks 3. Specify the source IP address of sent TFTP packets. tftp client source { interface interface-type interface-number | ip
215 Figure 112 Network diagram Configuration procedure 1. Configure the PC (TFTP server): a. On the PC, enable the TFTP server. (Details not show
216 Using automatic configuration Automatic configuration enables a device without any configuration file to automatically obtain and execute a confi
217 How automatic configuration works Automatic configuration works in the following manner: 1. During startup, the device sets the first up interfa
218 Using DHCP to obtain an IP address and other configuration information Address acquisition process As mentioned before, a device sets the first u
12 1.1.2.1 1.1.2.2 1.1.1.2 1.1.1.1 Reply from 1.1.2.2: bytes=56 Sequence=2 ttl=254 time=1 ms Record Rou
219 • If devices use different configuration files, you need to configure static address pools to ensure that each device can get a fixed IP address
220 Obtaining the configuration file Figure 115 Obtaining the configuration file A device obtains its configuration file by using the following wor
221 • If the IP address and the domain name of the TFTP server are not contained in the DHCP response or they are illegitimate, the device broadcast
222 Index A C D E F H I L M N O P R S T U V A Alarm group configuration example,131 C Configuration guidelines,200 Configuration prerequisites,194
223 Managing the configuration file at the CLI,47 N NTP configuration examples,112 NTP configuration task list,104 O Outputting system information t
13 Ping and tracert example Network requirements As shown in Figure 9, SecPath failed to Telnet Device B. Verify whether SecPath and Device B can rea
14 3. Use the debugging ip icmp command on SecPath and Device B to verify that they can send and receive the specific ICMP packets, or use the displ
15 Configuring IP performance optimization Enabling forwarding of directed broadcasts destined for the directly connected network Directed broadcast
16 Figure 10 Network diagram Configuration procedure 1. Configure SecPath: # Configure IP addresses for GigabitEthernet 0/1 and GigabitEthernet 0/
17 Step Command Remarks 2. Enter interface view. interface interface-type interface-number N/A 3. Configure the TCP MSS of the interface. tcp mss v
18 Step Command Remarks 1. Enter system view. system-view N/A 2. Enable TCP path MTU discovery. tcp path-mtu-discovery [ aging minutes | no-aging
Preface The H3C SecPath Series High-End Firewalls documentation set includes 10 configuration guides, which describe the software features for the H3C
19 Configuring ICMP to send error packets Sending error packets is a major function of ICMP. In case of network abnormalities, error packets are usua
20 { When forwarding a packet, if the MTU of the sending interface is smaller than the packet, but the packet has been set as "Don't Fragm
21 Step Command Remarks 2. Set the packet forwarding mode. ip forwarding { per-flow | per-packet } By default, the packet forwarding mode is per-pac
22 Managing the file system This chapter describes how to manage the file system of your firewall, including the storage media, directories, and file
23 Displaying file contents Task Command Remarks Display the contents of a file. more file-url [ | { begin | exclude | include } regular-expression
24 Restoring a file from the recycle bin Task Command Remarks Restore a file from the recycle bin. undelete file-url Available in user view Empty
25 Displaying the current working directory Task Command Remarks Display the current working directory. pwd Available in user view Changing the c
26 • If a storage medium is partitioned, the name of a partition is composed of the physical device name and the partition number. The sequence numb
27 Before partitioning a CF card, back up the files in the CF card. The partition operation clears all data in the CF card. After partitioning a CF
28 Checking files After files are written to the NAND flash memory, use the following commands together to check the content of these files. To check
Convention Description [ x | y | ... ] * Asterisk marked square brackets enclose optional syntax choices separated by vertical bars, from which you se
29 File system management examples # Display the files and the subdirectories in the current directory. <Sysname> dir Directory of flash0:/
30 Upgrading software You can use the CLI, BootWare menus, or Web interface to upgrade software. This chapter describes how to upgrade software from
31 Upgrading method Software types Remarks Installing hotfixes System software image Hotfixes repair software defects without requiring a reboot or
32 Upgrading system software from the web interface IMPORTANT: Upgrading software takes some time. To prevent upgrade failure, do not perform any o
33 Upgrading system software from the CLI Step Command Remarks 1. Use FTP or TFTP to transfer the system software image to the root directory of th
34 Patch states A patch is in IDLE, DEACTIVE, ACTIVE, or RUNNING state, depending on the patch manipulation command. Patch manipulation commands incl
35 Figure 14 Patches that are not loaded to the memory patch area DEACTIVE state Patches in DEACTIVE state have been loaded to the memory patch are
36 Figure 16 Patches that are activated RUNNING state After you confirm ACTIVE patches, their states change to RUNNING and persist after a reboot.
37 • Make sure the patch file matches the device model and software version. • Save the patch file to the root directory of the device's stora
38 If the patch file is saved in the root directory, you do not need to specify the patch location. If not, you must specify the patch file location.
Obtaining documentation You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com. Click the links on t
39 Step Command 1. Enter system view. system-view 2. Confirm the running of patches. patch run [ patch-number ] Uninstalling a patch step by step
40 Software upgrade configuration examples Scheduled upgrade configuration example Network requirements As shown in Figure 18: • The current system
41 startup saved-configuration new-config.cfg boot-loader file soft-version2.bin main reboot 2. Configure the SecPath firewall: # Log in to the FTP
42 Figure 19 Network diagram Configuration procedure This example assumes that the SecPath firewall and the TFTP server can ping each other. 1. Co
43 Managing configuration files You can use the CLI, BootWare menus, or Web interface to manage configuration files. This chapter explains how to man
44 • Only non-default configuration settings are saved. • The commands are listed in sections by views, usually in this order: system view, interfa
45 To save the running configuration in fast mode, click the Save button at the upper right of the auxiliary area. To save the running configuration
46 To restore configuration: 1. Select Device Management > Maintenance from the navigation tree. 2. Click Restore. Figure 22 Restoring configura
47 Importing a configuration file This operation allows you to import a .cfg file from your host to the device and execute the configuration in the f
48 • Private key: A configuration file encrypted by this kind of key can be decrypted and recognized only by the local device. • Public key: A conf
i Contents Device information
49 Configuring configuration rollback Configuration rollback allows you to revert to a previous configuration state based on a specified configuratio
50 The number of saved configuration files has an upper limit. After the maximum number of files is saved, the system deletes the oldest files when t
51 Manually saving the running configuration Automatic saving of the running configuration occupies system resources, and frequent saving can greatly
52 • Use the save command. If you save the running configuration to the specified configuration file in the interactive mode, the system automatical
53 • Startup configuration files are corrupted, which is often caused by loading an incorrect configuration file. With startup configuration files d
54 Task Command Remarks Display the running configuration of the device. display current-configuration [ configuration [ configuration ] | interface
55 Configuring the information center This chapter describes how to configure the information center. NOTE: The information center configuration i
56 Figure 25 Information center diagram By default, the information center is enabled. It affects system performance to some degree when processing
57 Table 6 Severity description Severity Severity value Description Corresponding keyword in commands Emergency 0 The system is unavailable. emerge
58 Information channel number Default channel name Default output destination Description 8 channel8 Not specified Receives log, trap, and debugging
ii Displaying the current working directory
59 Output destination Modules allowed LOG TRAP DEBUG Enabled/disabled Severity Enabled/disabled Severity Enabled/disabled Severity Log buffer All def
60 The closing set of angle brackets (< >), the space, the forward slash (/), and the colon (:) are all required in the above format. What foll
61 Time stamp parameter Description Example iso Time stamp format stipulated in ISO 8601 Only the system information sent to a log host supports this
62 For system information destined to the log host: • If the character string ends with (l), the information is log information • If the character
63 Outputting system information to the console Step Command Remarks 1. Enter system view. system-view N/A 2. Enable the information center. info
64 Step Command Remarks 1. Enter system view. system-view N/A 2. Enable the information center. info-center enable Optional. Enabled by default. 3
65 Step Command Remarks 3. Name the channel with a specified channel number. info-center channel channel-number name channel-name Optional. See Tabl
66 Step Command Remarks 4. Configure an output channel for the trap buffer and specify the buffer size. info-center trapbuffer [ channel { channel-n
67 Outputting system information to the SNMP module The SNMP module only receives trap information, and discards log and debug information. To monito
68 Step Command Remarks 2. Enable the information center. info-center enable Optional. Enabled by default. 3. Name the channel with a specified cha
iii System information levels
69 Step Command Remarks 6. Configure the maximum size of the log file. info-center logfile size-quota size Optional. By default, the maximum size of
70 Saving security logs into the security log file With this feature enabled, when the system outputs the system information to a specified destinati
71 Task Command Remarks Display the summary of the security log file. display security-logfile summary [ | { begin | exclude | include } regular-expr
72 Task Command Remarks Perform these operations to the security log file. • Display the contents of the specified file: more file-url • Display in
73 Enabling synchronous information output The output of system logs interrupts ongoing configuration operations, and you have to find the previously
74 Displaying and maintaining information center Task Command Remarks Display information about information channels. display channel [ channel-numb
75 1. Configure the SecPath # Enable the information center. <SecPath> system-view [SecPath] info-center enable # Specify the host 1.2.0.1/16
76 Now, the system can record log information into the log file. Outputting log information to a Linux log host Network requirements Configure the Se
77 NOTE: Be aware of the following issues while editing the file /etc/syslog.conf: • Comments must be on a separate line and must begin with a pou
78 [SecPath] quit # Enable the display of log information on a terminal. (Optional, this function is enabled by default.) <SecPath> terminal mo
iv Configuration guidelines
79 Managing logs This chapter describes how to manage various types of logs. Configuring syslog Syslog can be configured only in the Web interface.
80 Figure 29 Syslog Table 11 Configuration items Item Description Log Buffer Size Set the number of syslogs that can be stored in the log buffer.
81 Item Description Log Host IP Address Log Host 1 Set the IPv4/IPv6 addresses, port number and the VPN instance (this option is available only when
82 Table 13 Packet format in user logging version 3.0 Field Description Prot Protocol carried over IP. Operator Indicates the reason why a flow has
83 Figure 30 User logging Table 14 Configuration items Item Description Version Set the version of user logging: 1.0 or 3.0. IMPORTANT: Configure
84 Item Description Log Host Configuration Log Host 1 Set the IPv4/IPv6 addresses, port number, and the VPN instance of the log hosts. You can speci
85 Task Remarks Exporting user logs Exporting user logs to a log server Use either method. Exporting user logs to the information center Configurin
86 Step Command Remarks 1. Enter system view. system-view N/A 2. Configure the system to record user logs in localtime. userlog flow export timest
87 Step Command Remarks 1. Enter system view. system-view N/A 2. Export user logs to the information center. userlog flow syslog User logs are exp
88 # Export User's user logs to the log server with IP address 1.2.3.6:2000. [SecPath] userlog flow export host 1.2.3.6 2000 # Configure the sou