eSight V300R009C00 Operation Guide 10

Precautions

This section describes precautions on using the security policy management function so that eSight can be used properly.

License Support

  • A maximum of 5,000 firewalls or virtual systems are supported in security policy management.
  • Each firewall or virtual system that is accessed increases the license count by one. Each firewall or virtual system that is deleted decreases the license count by one.

Component Dependency

Security policy management depends on the Secure Center security policy management component.

Protocol Support

SNMP and NETCONF are required.

Device Support

  • USG-, Eudemon-, and NIP-series Huawei firewalls are supported.
  • NIP-series firewalls support only security policies, bandwidth policies, and attack defense. They do not support NAT policies, authentication policies, or ASPF configuration. Objects associated with security policies do not support users or security groups. The associated security configuration file does not support URL filtering, email filtering, content filtering, file filtering, or application behavior control. Objects associated with bandwidth policies do not support users or security groups.
  • The virtual system of the hardware firewall is supported.
  • The virtual system of the active-standby firewall in hot standby mode does not support active/standby management.

Version Support

  • The security policy component of eSight V300R007C00 or a higher version can manage only firewalls of V500R001C30SPC300 and higher versions.
  • If the eSight version is upgraded from V300R007C00 to V300R007C00 or a higher version, the security policy component cannot manage firewalls whose versions are lower than V500R001C30SPC300, so the firewall version needs to be upgraded.

Application Scenario

  • The management domain is enabled and devices are added to security policy management.
  • Policies are configured and deployed.
  • Objects are configured.
  • Data is synchronized.

Feature Limitation and Dependency

  • Device management

    A device can be added to device management only when the management domain is enabled and the device is added to the management domain.

  • Policy management
    • Specification restrictions: The maximum number of policies (such as security policies, bandwidth policies, NAT policies, and authentication policies) is 120,000 for the Oracle database and 50,000 for the SQL Server database.
    • The unit cell replication of policy management does not support the following attributes: Seq, Name, Action, Hits, Traffic Profile, NAT Type, Nat Mode, Source Address Translation, Destination Address Translation, and Portal Authentication Template.
    • The editing operation of policy management does not support the following attributes: Seq, Action, Hits, Traffic Profile, NAT Type, Nat Mode, Source Address Translation, Destination Address Translation, and Portal Authentication Template.
    • The firewall of the V500R001C30 version supports only security policies and NAT policies.
  • Policy deployment
    • When you create a deployment task, select a firewall device. In the hot standby (active-standby) scenario, you can select only the active device. The standby device is not displayed.
    • Deployed policies are delivered directly to firewall devices. Verify that the policies are correct before deploying them to avoid affecting services on the network.
  • Data synchronization
    • In a single synchronization task (immediate or scheduled), the maximum number of devices that can be selected (including devices in a device group) is 100. The more objects and policies a device has, the longer its synchronization takes.
    • In object management, user objects support only the default domain and do not support user-defined domains. If a user policy in a non-default domain is referenced during firewall policy data synchronization, user information in the policy cannot be synchronized to eSight.
  • Object management
    • The firewall of the V500R001C30 version supports only the security domain, address set, area, service, and time period.
    • Specification restrictions: The maximum number of objects (all objects and security configuration files) is 80,000 for the Oracle database and 30,000 for the SQL Server database.
Updated: 2019-09-07

Document ID: EDOC1100011877
