
Configuring Firewall for Huawei MA5600 Series

Configuring the system firewall controls the packets that reach the management port of
the device, so that unauthorized operators cannot access the system through the inband
or outband management channel.
Context
The firewall includes the following items:
- Blacklist: The blacklist function screens the packets sent from a specific IP address.
  A major feature of the blacklist function is that entries can be added or deleted
  dynamically. When the firewall detects an attack attempt from a specific IP address,
  based on the characteristics of the packets, it actively adds an entry to the blacklist
  and then filters the packets from this IP address.
- ACL packet filtering firewall: Configure an ACL to filter data packets. To set a port
  to allow only one type of packet to go through, use the ACL to implement the packet
  filtering function.
For example, to allow only the packets from source IP address 1.1.1.1 to go through a
port in the inbound direction, do as follows:
1. Configure an ACL rule1, which allows the packets with source IP address 1.1.1.1 to
   pass.
2. Configure an ACL rule2, which denies all packets.
3. Run the firewall packet-filter command, and bind rule2 first and then rule1 to the
   inbound direction.
Check the binding order against the activation mode (see the note below): binding rule2
first and then rule1 is only correct where the later-configured sub-rule has the higher
priority, which is the behaviour of the hardware packet-filter mode. In the software
firewall packet-filter mode the earlier-configured sub-rule wins, so rule1 must be bound
first; otherwise rule2 shadows it and every packet, including those from 1.1.1.1, is
dropped.
NOTE
On the MA5631/MA5632, an ACL can be activated in two modes. The execution priorities of
the sub-rules in one ACL differ between the two modes:
- Run the firewall packet-filter command to activate an ACL. This mode is mainly
  applied to the NMS. The execution priority of the sub-rules in one ACL is implemented
  by software: the earlier a sub-rule is configured, the higher its priority.
- Run the packet-filter command to activate an ACL. The execution priority of the
  sub-rules in one ACL is implemented by hardware: the later a sub-rule is configured,
  the higher its priority.
CAUTION
To ensure device security, the firewall must be configured. It controls the packets that
go through the management port of the device.
Procedure
- Configure a firewall blacklist.
  Two modes are supported: configuring a firewall blacklist by using ACLs, or by adding
  the source IP addresses of untrusted packets. Choose either mode, or both.
  When both modes are configured, the firewall blacklist takes priority over the ACLs:
  the system checks the firewall blacklist first and only then matches the ACLs.
  NOTE
  The firewall blacklist function only takes effect on the service packets that are sent
  from the user side.
  - Configure the firewall blacklist function by using advanced ACLs.
    1. Run the acl command to create an ACL. Only advanced ACLs can be used when the
       blacklist function is enabled; therefore the ACL ID must be in the range
       3000-3999.
    2. Run the rule(adv acl) command to create an advanced ACL rule.
    3. Run the quit command to return to the global config mode.
    4. Run the firewall blacklist enable acl-number acl-number command to enable the
       firewall blacklist function.
  - Configure the firewall blacklist function by adding the source IP addresses of
    untrusted packets.
    1. Run the firewall blacklist item command to add the source IP addresses of
       untrusted packets to the blacklist.
    2. Run the firewall blacklist enable command to enable the firewall blacklist
       function.
- Configure the firewall (filtering packets based on the ACL).
  1. Run the acl command to create an ACL. Only basic ACLs and advanced ACLs can be
     used when packet filtering by the firewall is configured; therefore the ACL ID must
     be in the range 2000-3999.
  2. Run different commands to create different types of ACL rules.
     - Basic ACL: Run the rule(basic acl) command.
     - Advanced ACL: Run the rule(adv acl) command.
  3. Run the quit command to return to the global config mode.
  4. Run the firewall enable command to enable the firewall function. By default, the
     firewall function is disabled. Packet filtering on a port takes effect only when the
     firewall function is enabled.
  5. Run the firewall packet-filter command to apply the firewall packet filtering rules
     to an interface.
----End
Example
To add IP address 192.168.10.18 to the firewall blacklist with an aging time of 100 min,
do as follows:
huawei(config)#firewall blacklist item 192.168.10.18 timeout 100
huawei(config)#firewall blacklist enable
To add the IP addresses in network segment 10.10.10.0 to the firewall blacklist by
binding ACL 3000 to these IP addresses, do as follows:
huawei(config)#acl 3000
huawei(config-acl-adv-3000)#rule deny ip source 10.10.10.0 0.0.0.255 destination 10.10.10.20 0
huawei(config-acl-adv-3000)#quit
huawei(config)#firewall blacklist enable acl-number 3000
To deny the users in network segment 172.16.25.0 access to the maintenance Ethernet
port with IP address 172.16.25.28 on the device, do as follows:
huawei(config)#acl 3001
huawei(config-acl-adv-3001)#rule 5 deny icmp source 172.16.25.0 0.0.0.255 destination 172.16.25.28 0
huawei(config-acl-adv-3001)#quit
huawei(config)#firewall enable
huawei(config)#interface meth 0
huawei(config-if-meth0)#firewall packet-filter 3001 inbound
ACL applied successfully
Note that rule 5 denies only ICMP from that segment; any other protocol from
172.16.25.0 still reaches the maintenance port unless further deny rules are added.
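The decision path this page describes (blacklist consulted before any ACL, and the opposite sub-rule priorities of the firewall packet-filter and packet-filter activation modes) as an added, runnable Python model. This is example code written for this page, not Huawei's implementation and not taken from the documentation. Beyond what the page states it assumes that a packet matching no sub-rule is permitted and that blacklist aging is counted in whole minutes; the probe addresses 10.0.0.1, 9.9.9.9 and 172.16.25.7 are constructed for the demo. It replays the page's own 1.1.1.1 example to show that binding rule2 before rule1 only yields the intended result in the hardware mode, and the ACL 3001 example to show that an ICMP-only deny leaves TCP from the same segment reaching the maintenance port.

```python
# Added example, not Huawei code: a small model of the MA5600 firewall decision
# path so the ordering rules can be tried offline. Assumptions not stated on the
# page: unmatched packets are permitted; blacklist aging counts whole minutes.
import ipaddress
from dataclasses import dataclass


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei ACL wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Rule:
    """One ACL sub-rule, e.g. 'rule deny icmp source 172.16.25.0 0.0.0.255 destination 172.16.25.28 0'."""
    action: str                       # "permit" or "deny"
    proto: str = "ip"                 # "ip" matches any IP protocol
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"   # default wildcard: any source
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"   # default wildcard: any destination

    def matches(self, proto: str, src: str, dst: str) -> bool:
        return (self.proto in ("ip", proto)
                and wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc))


def evaluate_acl(rules, proto, src, dst, mode="firewall-packet-filter"):
    """Apply sub-rules in the order the device would (see the NOTE on the page).

    firewall-packet-filter: software, earlier-configured sub-rule has priority.
    packet-filter:          hardware, later-configured sub-rule has priority.
    `rules` is given in configuration (binding) order.
    """
    if mode == "firewall-packet-filter":
        ordered = rules
    elif mode == "packet-filter":
        ordered = list(reversed(rules))
    else:
        raise ValueError(f"unknown activation mode {mode!r}")
    for rule in ordered:
        if rule.matches(proto, src, dst):
            return rule.action
    return "permit"  # assumption: a packet matching no sub-rule is not filtered


class Blacklist:
    """'firewall blacklist item <ip> [timeout <min>]' entries with aging."""

    def __init__(self):
        self._expiry = {}  # source IP -> expiry minute, or None for a static entry

    def add(self, ip, timeout_min=None, now_min=0):
        self._expiry[ip] = None if timeout_min is None else now_min + timeout_min

    def contains(self, ip, now_min=0):
        if ip not in self._expiry:
            return False
        expiry = self._expiry[ip]
        if expiry is not None and now_min >= expiry:
            del self._expiry[ip]  # aged out, as a dynamically added entry would
            return False
        return True


def filter_packet(blacklist, rules, mode, proto, src, dst, now_min=0):
    """The blacklist is checked before any ACL, as the procedure states."""
    if blacklist.contains(src, now_min):
        return "deny"
    return evaluate_acl(rules, proto, src, dst, mode)


# Context-section example: rule2 (deny all) bound first, then rule1 (permit 1.1.1.1).
PERMIT_ONE = [Rule("deny"), Rule("permit", src="1.1.1.1", src_wc="0.0.0.0")]

# ACL 3001 from the Example section: deny ICMP from 172.16.25.0/24 to meth 0.
ACL_3001 = [Rule("deny", "icmp", "172.16.25.0", "0.0.0.255", "172.16.25.28", "0.0.0.0")]


def demo():
    bl = Blacklist()
    bl.add("192.168.10.18", timeout_min=100, now_min=0)
    sw, hw = "firewall-packet-filter", "packet-filter"
    return {
        # same binding order, opposite outcome depending on the activation command
        "hw_1.1.1.1": evaluate_acl(PERMIT_ONE, "tcp", "1.1.1.1", "10.0.0.1", hw),
        "sw_1.1.1.1": evaluate_acl(PERMIT_ONE, "tcp", "1.1.1.1", "10.0.0.1", sw),
        "hw_other": evaluate_acl(PERMIT_ONE, "tcp", "9.9.9.9", "10.0.0.1", hw),
        # ACL 3001 stops only ICMP; a TCP probe from the same segment still gets through
        "icmp_to_meth": filter_packet(bl, ACL_3001, sw, "icmp", "172.16.25.7", "172.16.25.28"),
        "tcp_to_meth": filter_packet(bl, ACL_3001, sw, "tcp", "172.16.25.7", "172.16.25.28"),
        # the blacklist wins over the ACL while the entry is alive, then ages out
        "blacklisted_at_50": filter_packet(bl, ACL_3001, sw, "tcp", "192.168.10.18", "172.16.25.28", now_min=50),
        "blacklisted_at_100": filter_packet(bl, ACL_3001, sw, "tcp", "192.168.10.18", "172.16.25.28", now_min=100),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>20}: {verdict}")
```

Running it prints one verdict per probe; the first two entries differ only in the activation mode, which is the ordering trap the note above warns about.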
More Huawei products and reviews you can visit: http://www.huanetwork.com/blog
