H3C SecPath Virtual Multiservice Security Gateway Installation and Getting Started Guide Hangzhou H3C Technologies Co., Ltd. http
5 Item Description HTTP policies Policy matching based on the HTTP header, HTTP cookie, HTTP URL, HTTP content, HTTP method, HTTP class nesting schedu
6 Preparing for the installation The installation requirements, preparation, and procedure for the VFW1000 and the VLB1000 are similar. This document
7 NOTE: The virtual machine platform software versions vary with the VFW1000 versions. For more information about the software versions compatible w
8 Installing the VFW1000 on the VMware platform Installation guidelines Install the VFW1000 on the VMware platform by using a virtual drive program to
9 NOTE: • To get the username and password for logging in to the VMware virtual machine server, contact the administrator of the server. • When th
10 Figure 3 Creating a new virtual machine 4. Enter a name for the new virtual machine in the Name field, and click Next.
11 Figure 4 Naming the new virtual machine 5. Select a destination storage device for the virtual machine files, and click Next.
12 Figure 5 Selecting a destination storage device for the virtual machine files 6. Select a virtual machine version, and click Next.
13 Figure 6 Selecting a virtual machine version 7. Select a guest operating system, and click Next.
14 Figure 7 Specifying the guest operating system for the virtual machine 8. Select the number of virtual CPUs for the virtual machine according to
Copyright © 2014, Hangzhou H3C Technologies Co., Ltd. and its licensors All rights reserved No part of this manual may be reproduced or transmitted
15 Figure 8 Selecting the number of virtual CPUs for the virtual machine 9. Configure the memory size for the virtual machine, which must be equal
16 Figure 9 Configuring the memory size for the virtual machine 10. Assign the specified number of NICs to the virtual machine, which must be equal
17 Figure 10 Specifying the number of NICs assigned to a virtual machine 11. Select a SCSI controller type, and click Next.
18 Figure 11 Specifying the SCSI controller type 12. Select the type of the disk to use, and click Next.
19 Figure 12 Selecting the type of the disk to use 13. Specify the virtual disk size and the disk provisioning policy. The disk size must be equal
20 Figure 13 Specifying the virtual disk size and disk provisioning policy 14. Configure other advanced options, and click Next.
21 Figure 14 Configuring other advanced options 15. On the page shown in Figure 15, click Finish to complete creating the virtual machine. When the
22 Figure 15 Completing creating the virtual machine Editing the boot options of the virtual machine to configure it to boot from CD-ROM 1. Select
23 Figure 16 Selecting Force BIOS Setup 2. Select the newly created virtual machine from the navigation tree, and click to start the virtual mach
24 Figure 17 Configuring the virtual machine to preferentially boot from the CD-ROM drive Connecting the CD drive of the virtual machine to the ISO
Preface The H3C SecPath Virtual Multiservice Security Gateway Installation and Getting Started Guide describes the software installation and license r
25 Figure 19 Installation interface 2. Enter 1, and then enter yes. After the installation is finished, disconnect the CD drive as shown in Figure
26 Figure 22 Disconnecting the CD drive 2 Installing the VFW1000 through OVF (on the VMware platform) This installation method is available only on
27 Figure 23 Selecting the OVF template path 3. Verify the OVF template details, and click Next.
28 Figure 24 OVF template details 4. Enter a name for the new virtual machine in the Name field, and click Next.
29 Figure 25 Naming the new virtual machine 5. Configure the storage format for the virtual disk (use the default settings in this section), and cl
30 Figure 26 Configuring the storage format for the virtual disk 6. Configure the network mapping (use the default settings in this section), and c
31 Figure 27 Configuring the network mapping 7. On the page shown in Figure 28, click Finish to complete creating the VFW1000.
32 Figure 28 Completing creating the virtual machine The page in Figure 29 appears. When the virtual machine is successfully created, it is added to
33 Mapping VFW1000 network interfaces to virtual machine network interfaces Mapping VFW1000 network interfaces to virtual NICs When the VFW1000 starts
34 Last 300 seconds output: 0 packets/sec 0 bytes/sec 0% Input (total): 18002 packets, 2414911 bytes 63 unicasts, 10012 broadcasts, 7927
Port numbering in examples The port numbers in this document are for illustration only and might be unavailable on your device. Obtaining documentatio
35 IMPORTANT: Before you configure a VFW1000 network interface, verify the mappings between virtual NICs and the VFW1000 slots to make sure the confi
36 Last clearing of counters: Never Last 300 seconds input: 2 packets/sec 268 bytes/sec 0% Last 300 seconds output: 0 packets/sec 0 bytes/sec 0%
37 0 aborts, 0 deferred, 0 collisions, 0 late collisions 0 lost carrier, 0 no carrier The output shows that two virtual NICs are map
38 Media type: twisted pair, loopback: not set, promiscuous mode: not 1000Mb/s, Full-duplex, link type: autonegotiation, flow-control: disabled Output
39 0 ignored, 0 parity errors Output (total): 0 packets, 0 bytes 0 unicasts, 0 broadcasts, 0 multicasts, 0 pauses Output (normal):
40 Figure 32 Mapping multiple VFW1000 interfaces to one physical port • As shown in Figure 33, the VFW1000 interface GigabitEthernet 3/0 is mapped
41 Installing the VFW1000 on the KVM platform Installation guidelines You can install the VFW1000 on the KVM platform by using a virtual drive program
42 Figure 34 Virtual machine manager management interface NOTE: The virtual machine manager is a GUI-based optional management software for the Li
43 Figure 35 Creating a new virtual machine 4. Select an ISO image, and click Forward.
44 Figure 36 Selecting an ISO image 5. Select the memory size for the virtual machine, which must be equal to or greater than the value specified i
i Contents Virtual Multiservice Security Gateway
45 Figure 37 Selecting the memory size and the number of virtual CPUs 6. Specify the virtual disk size, which must be equal to or greater than the
46 Figure 38 Specifying the virtual disk size 7. Configure other advanced options, select Customize configuration before install, and click Finish.
47 Figure 39 Configuring other advanced options After you select Customize configuration before install, the page as shown in Figure 40 appears when
48 Figure 40 Customizing the configuration 8. Select Disk 1 from the navigation tree on the left, and specify the Disk bus as IDE.
49 Figure 41 Specifying the disk bus 9. Select NIC from the navigation tree on the left, and configure the virtual NIC.
50 Figure 42 Configuring the virtual network interface Only one virtual NIC is configured on the virtual machine. To make sure the VFW1000 runs corr
51 Figure 43 Adding hardware 12. Click to finish creating the virtual machine. The new virtual machine begins booting up and the VFW1000 installa
52 Figure 44 Installation interface 2. Enter 1 to install the VFW1000, enter yes to confirm the installation, and then enter yes to reboot the syst
53 Figure 45 Completing the VFW1000 installation Mapping VFW1000 network interfaces to virtual machine network interfaces For information about the
54 Figure 46 Mapping each VFW1000 interface to an individual physical port • As shown in Figure 47, multiple VFW1000 interfaces are mapped to one p
1 Virtual Multiservice Security Gateway Overview H3C SecPath virtual multiservice security gateway (VMSG), developed based on H3C Comware V7, includes
55 • As shown in Figure 48, the VFW1000 interface GigabitEthernet 3/0 is mapped to the trunk port of the vSwitch and bound to one physical port on th
56 Upgrading and recovering the VFW1000 Upgrading the VFW1000 Upgrading the VFW1000 at the CLI 1. At the CLI of the VFW1000, use FTP or TFTP to downl
57 Recovering the VFW1000 through an ISO image 1. The first several steps are the same as installing the VFW1000 through ISO. For more information, s
58 Registering the software IMPORTANT: Verify that a correct license activation file is installed and restart the VFW1000 for the following purposes:
59 Registering licenses Registering the first time 1. Go to the H3C website at www.h3c.com, and select Technical Support & Documents > Product
60 Figure 54 Typing the information for registering the first time Table 5 Configuration items Item Description Remarks License key Type the licen
61 Item Description Remarks Address Type your address. Optional. Project name Type the name of the project that sold the device. For internal user
62 Figure 57 Selecting a product category 3. In the Device Information area, type the information as described in Figure 58. Click Submit. Figure 5
63 Figure 59 Typing the license and contact information Table 7 Field description Item Description Remarks License key Type the license key on the
64 5. When the registration success message appears, click the .lic link to save the activation file. Unzip the file and follow the procedures descri
2 Item Description Firewall By default, no communication between devices in different security zones is available. Preventing attacks of Land, Smurf,
65 Appendix A Installing the KVM platform KVM overview The kernel-based virtual machine (KVM) is developed in the x86-based Linux system. The KVM prov
66 Figure 61 Welcome page 2. Press Enter or wait for 59 seconds for the disk test page to appear, as shown in Figure 62. Figure 62 Disk test page
67 Figure 63 CentOS 6.3 installation page 5. Select installation language and click Next, as shown in Figure 64. Figure 64 Language configuration p
68 Figure 65 Keyboard configuration page 7. Select the storage device type and click Next, as shown in Figure 66. Figure 66 Storage device configur
69 Figure 67 Storage device warning page 9. Specify a name for the host and click Configure Network, as shown in Figure 68. Figure 68 Host name con
70 11. Configure IPv4 address and IPv6 address obtaining methods and click Apply, as shown in Figure 70. Figure 70 Network interface configuration pa
71 Figure 71 Time zone configuration page 15. Configure the Linux root account password. If the Weak Password dialog box appears, click Cancel to c
72 Figure 73 Installation type configuration page 17. Click Write changes to disk on the prompted page and click Next, as shown in Figure 74. Figur
73 Figure 75 Software selection page 19. Click Virtualization, select Virtualization, Virtualization Client, Virtualization Platform, and Virtualiz
74 20. Verify that the installation is complete based on the installation progress page, as shown in Figure 77. Figure 77 Installation progress page
3 Item Description Network protocols IP Forwarding/Fast forwarding TCP, UDP, and IP Option Ping and Tracert DHCP server, DHCP relay, and DHCP client
75 Figure 79 Welcome page 23. Select Yes, I agree to the License Agreement and click Forward, as shown in Figure 80. Figure 80 License information
76 Figure 81 Creating a user 25. Configure the date and time and click Forward, as shown in Figure 82. Figure 82 Date and time page 26. Use the
77 Figure 83 Kdump page 27. Use the root account to log in to the system after the system is rebooted. 28. Select Applications > System Tools
78 Figure 85 Virtual machine manager
79 Appendix B Configuring the Intel 82599 VF NIC Intel 82599 VF NIC overview The Intel 82599 NIC supports SR-IOV, which allows hardware-based NIC virt
80 Figure 87 Enabling CPU VT-d 3. Select Advanced Options > SR-IOV to enable SR-IOV, as shown in Figure 88. Figure 88 Enabling SR-IOV Configur
81 2. Start VMware ESXI 5.1 and enable ESXI Shell. For more information about ESXI Shell configuration, see related VMware documents. 3. Log in to t
82 Figure 91 VF NIC configuration succeeded 8. Log in to the server through the VMware vSphere Client, choose the VFW1000, select Edit virtual mach
83 Figure 93 Adding the VF NIC for the virtual machine 10. Click OK to save the configuration, as shown in Figure 94.
84 Figure 94 Saving the configuration 11. Start the VFW1000 and use the display version command to verify the VF NIC configuration. The command ou
4 Item Description IPv6 security IPv6 packet filtering IPv6 ASPF IPv6 interzone policies IPv6 attack prevention Table 2 Features supported by
85 Configuring Intel 82599 VF NICs on the KVM platform This section uses HP 360Gen8 and VMware Fedora 17 as an example. You can use the same method to
86 The VF NIC driver of a later version, for example, driver 3.15.1, enables you to configure different numbers of VF NICs for ports. Assign the value
87 Figure 101 /etc/rc.d/rc.local file 7. Restart the server. 8. Verify the VF NIC configuration. lspci | grep 82599 Figure 102 VF NIC configuratio
88 Figure 103 Adding hardware Figure 104 Adding the VF NIC 10. Start the VFW1000 and use the display version command to verify the VF NIC configu
89 Figure 105 display version command output
90 Index C F I K L M O R S U V C Configuring the BIOS server,79 Configuring the virtual platform,80 F Features,1 I Installation guidelines,8 Installa