eSight V300R009C00 Operation Guide 10

Typical Configuration Example

This section describes typical configuration examples in typical application scenarios, helping users complete various operations based on the actual scenarios.

Example for Configuring a Firewall to Enable Devices to Be Added and Managed on eSight

To protect the security of an operations and maintenance center (OMC) on an enterprise campus network, a firewall is deployed at the OMC edge. After the firewall is deployed, security policies must be configured on it so that devices can still be added to and managed on eSight.

Networking Requirements

Jack is the network administrator of an enterprise campus network. As shown in the following figure, a firewall is deployed between the OMC and the core devices. Jack wants to use eSight to manage the devices on the campus network.

Figure 12-53 Topology of the campus network

NOTE:

In this example, the OMC is in the demilitarized zone (DMZ). You can also create a trust zone based on actual networking and add eSight to the trust zone.

Requirement Analysis

  • To add devices to eSight normally, permit port 161 on the firewall.
  • To enable devices to correctly send alarms to eSight, permit ports 162 and 10162 on the firewall.
  • To back up devices' configuration files to the eSight server through FTP, permit ports 21 and 31921 on the firewall.
NOTE:

The five ports are used as examples to illustrate how to permit ports on the firewall. For details on other service ports to be permitted, see the eSight Communication Matrix.

Data Plan

Service Name | Source Device | Source Port | Destination Device | Destination Port | Protocol | Description
-------------|---------------|-------------|--------------------|------------------|----------|------------
snmp | eSight | A random port number greater than 1024 | NE A/NE B | 161 | UDP | Enable devices to be added to eSight.
snmptrap | NE A/NE B | A random port number greater than 1024 | eSight | 162, 10162 | UDP | Enable devices to correctly send alarms to eSight.
ftp | NE A/NE B | A random port number greater than 1024 | eSight | 21, 31921 | TCP | Enable devices' configuration files to be transferred to the eSight server.

Configuration Roadmap

  1. Configure a source IP address set. This example configures a source IP address set for the core devices NE A and NE B. If you want to add all devices on the entire campus network to eSight, specify multiple IP addresses or address segments when configuring the address set.
    NOTE:

    Because the destination address in a security policy is unique, you do not need to configure a destination IP address set in this example. Instead, enter the destination address directly when you configure a security policy.

  2. Configure two security policies, one for each direction, to ensure that devices can be added to eSight, that devices can correctly send alarms to eSight, and that devices' configuration files can be transferred to the eSight server.

    The firewall USG6600 V100R001C30 is used as an example. Log in to the firewall through the web UI and perform the following operations.

Procedure

  1. Set basic interface parameters.

    1. Choose Network > Interface.
    2. In Interface List, click GigabitEthernet 1/0/1 and modify the interface parameters.

      Zone: dmz
      Mode: Route
      IP Address Type: IPv4
      Connection Type: Static IP
      IP Address: 10.2.0.1/255.255.255.0

    3. Repeat the preceding operations to configure parameters of GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3.

      The following table lists parameters of GigabitEthernet 1/0/2. Retain the default values for other parameters.

      Zone: trust
      Mode: Route
      IP Address Type: IPv4
      Connection Type: Static IP
      IP Address: 10.1.1.1/255.255.255.0

      The following table lists parameters of GigabitEthernet 1/0/3. Retain the default values for other parameters.

      Zone: trust
      Mode: Route
      IP Address Type: IPv4
      Connection Type: Static IP
      IP Address: 10.2.1.1/255.255.255.0

  2. Configure an address set named esight_trust.

    1. Choose Object > Address > Address.
    2. Click Add to configure an address set, and then click OK.

  3. Configure security policies and reference the address set configured in the previous step in the security policies.

    NOTE:

    The FTP, SNMP, and TRAP services use well-known ports; therefore, you do not need to define a service set. If non-standard ports are used, define a service set first, and then reference the service set in the security policies.

    1. Choose Policy > Security Policy > Security Policy.
    2. Click Add > Add Security Policy to create security policies that control traffic in the DMZ-to-Trust and Trust-to-DMZ directions.

      Create a security policy for traffic in the DMZ-to-Trust direction to ensure that devices can be added to eSight.

      Create a security policy for traffic in the Trust-to-DMZ direction to ensure that devices can send alarms to eSight and that devices' configuration files can be transferred to the eSight server.

      10.2.0.10 is the eSight server IP address. (If southbound and northbound services are separated for eSight, the eSight IP address here refers to the southbound IP address.)
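The two-direction policy from the data plan and step 3, expressed as a small first-match rule model so the data plan can be replayed against it before anyone touches the firewall. This is an added example and not code from the Huawei guide; the zone names, the eSight address 10.2.0.10, the address-set name esight_trust and the five ports are the ones in the example, while the Flow/Rule classes, the NE A/NE B addresses (assumed to lie on the two trust-side interface subnets) and the subnets placed in the address set are constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# 10.2.0.10 is the eSight server address from the guide. The NE addresses are
# constructed: they are assumed to sit on the trust-side subnets of GE1/0/2 and GE1/0/3.
ESIGHT_IP = "10.2.0.10"
NE_A_IP = "10.1.1.2"
NE_B_IP = "10.2.1.2"

# Address set "esight_trust": the subnets where the managed NEs live (assumed).
ESIGHT_TRUST = ("10.1.1.0/24", "10.2.1.0/24")


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    dst_port: int   # the source port is not matched, hence "random port > 1024" in the plan


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_nets: tuple       # CIDR strings, playing the role of an address set
    dst_nets: tuple
    services: frozenset   # set of (proto, dst_port) pairs
    action: str           # "permit" or "deny"

    def matches(self, f: Flow) -> bool:
        src, dst = ip_address(f.src_ip), ip_address(f.dst_ip)
        return (
            f.src_zone == self.src_zone
            and f.dst_zone == self.dst_zone
            and any(src in ip_network(n) for n in self.src_nets)
            and any(dst in ip_network(n) for n in self.dst_nets)
            and (f.proto, f.dst_port) in self.services
        )


POLICIES = [
    # DMZ-to-Trust: eSight polls the devices over SNMP (UDP 161) so they can be added.
    Rule("dmz_to_trust_snmp", "dmz", "trust", (ESIGHT_IP + "/32",), ESIGHT_TRUST,
         frozenset({("udp", 161)}), "permit"),
    # Trust-to-DMZ: devices send traps (UDP 162/10162) and upload configuration
    # files to the eSight FTP server (TCP 21/31921).
    Rule("trust_to_dmz_esight", "trust", "dmz", ESIGHT_TRUST, (ESIGHT_IP + "/32",),
         frozenset({("udp", 162), ("udp", 10162), ("tcp", 21), ("tcp", 31921)}),
         "permit"),
]


def evaluate(rules, flow, default="deny"):
    """First-match evaluation; anything no rule permits falls to the default deny."""
    for r in rules:
        if r.matches(flow):
            return r.action, r.name
    return default, "default"


def check_data_plan(rules=POLICIES):
    """Replay the data-plan flows, plus two that must NOT pass, through the policy."""
    flows = {
        "snmp_add_ne_a": Flow("dmz", "trust", ESIGHT_IP, NE_A_IP, "udp", 161),
        "trap_from_ne_b": Flow("trust", "dmz", NE_B_IP, ESIGHT_IP, "udp", 162),
        "trap_10162": Flow("trust", "dmz", NE_A_IP, ESIGHT_IP, "udp", 10162),
        "ftp_ctrl_ne_a": Flow("trust", "dmz", NE_A_IP, ESIGHT_IP, "tcp", 21),
        "ftp_31921_ne_b": Flow("trust", "dmz", NE_B_IP, ESIGHT_IP, "tcp", 31921),
        # Not in the data plan: must end at the default action.
        "ssh_to_esight": Flow("trust", "dmz", NE_A_IP, ESIGHT_IP, "tcp", 22),
        "trap_from_stranger": Flow("trust", "dmz", "192.168.5.5", ESIGHT_IP, "udp", 162),
    }
    return {name: evaluate(rules, f) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (action, rule) in check_data_plan().items():
        print(f"{name:20s} -> {action:6s} ({rule})")
```

Only the destination port is matched, which is why the data plan lists the source port as a random port above 1024. Replies inside an established session (the SNMP response from port 161 back to eSight, the FTP data connection) are handled by the firewall's session table rather than by a reverse rule, so the two rules above are all that the data plan needs; any service not listed, such as SSH to the eSight server, stays denied.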

Verification

  • Devices can be normally added to eSight.
  • eSight can receive alarms from devices.
  • Devices' configuration files can be backed up on eSight.

Troubleshooting

How Do I Locate the Fault When Failing to Add NEs?

Example for Using eSight to Deploy Security Policies in Centralized Mode

This section describes how to deploy security policies in a centralized manner through eSight.

Prerequisites

  • Routes between the new devices and eSight are reachable.
  • Data plans for the objects and policies to be deployed on the new devices have been prepared.
  • SNMP parameters and NetConf parameters have been set on the new devices.

Networking Requirements

The networks of company M support rights- and domain-based management by department. A system administrator, or a user with system administrator rights, can create administrative domains. After the management rights of a domain are granted to a domain administrator, that administrator can manage the domain on eSight. Domain-based management provides data isolation.

Three firewalls of the R&D department are deployed in the research administrative domain. Because of network capacity expansion, two more firewalls need to be added for the R&D department to ensure network security. If security policies are configured manually on each firewall, errors may occur and efficiency is reduced. The network administrator Sam wants to use eSight to deploy security policies in centralized mode to improve configuration efficiency and correctness.

Figure 12-54 Network diagram

Requirement Analysis

Two firewalls are added to the research administrative domain, and security policies on the two firewalls are consistent. Some policies of source firewalls are reused for the two new firewalls, and some objects and policies are added.

Data Plan

Table 12-82 Original device

Name | IP Address | Device Type
-----|------------|------------
USG6530 | 10.137.240.138 | USG6530
Eude42 | 10.137.240.42 | Eudemon1000E-N6
Eude125 | 10.137.240.125 | Eudemon1000E-N2

Table 12-83 New device

Name | IP Address | Device Type | Device Group
-----|------------|-------------|-------------
FW-240.143 | 10.137.240.143 | ET1D2FW00S02 | secgrou1
FW-240.144 | 10.137.240.144 | ET1D2FW00S02 | secgrou1

Configuration Roadmap

The configuration roadmap is as follows:

  1. Add two firewalls to eSight and set the NetConf parameters.
  2. Add two firewalls to the research administrative domain under system management. Then, the two firewalls are in the research domain management scope.
  3. In the research administrative domain of Secure Center, add the two firewalls on the device management page so that they can be configured and managed. The two firewalls form the device group secgrou1.
  4. Synchronize all firewall data.
  5. Reuse some security policies of source firewalls to the new firewalls.
  6. Add objects and policies and bind the device group secgrou1.
  7. Adjust the policy priority. A smaller sequence number of a policy indicates a higher priority.
  8. Deploy policies.

Procedure

  1. Add two firewalls to eSight and set the NetConf parameters.

    1. Choose Resource > Common > Add Resource > Add Resource from the main menu.
    2. Set basic information and SNMP parameters and click OK.

    3. Choose Resource > Network > Equipment > Network Device from the main menu.
    4. Search for the firewall whose IP address is 10.137.240.143 and click the firewall name.
    5. Choose Protocol Parameters > Netconf Parameters and set NetConf parameters.

    6. Click Test. After the test is successful, click Apply.
    7. Repeat the preceding steps to add the firewall whose IP address is 10.137.240.144.

  2. Add two firewalls to the research administrative domain under system management.

    1. Choose System > System Settings > Administrative Domains from the main menu.

    2. Click in the Operation column of the research domain in the administrative domain list.
    3. In the dialog box that is displayed, select the two firewalls whose IP addresses are 10.137.240.143 and 10.137.240.144 respectively, and click OK.

    4. In the firewall list that is displayed, click OK.

  3. Add the two new firewalls to the research administrative domain for security policy management, create service group secgrou1, and add the two firewalls to the group.

    1. Choose Resource > Network > Security Business > Secure Center from the main menu.
    2. Choose Current Domain > research and click Device Management.

    3. Click Add. In the Add dialog box that is displayed, select the two firewalls whose IP addresses are 10.137.240.143 and 10.137.240.144 respectively, and click OK.

    4. Switch to the Group tab page and click Add.
    5. Set GroupName to secgrou1, click Add, and click Add Device Group.
    6. Add the two firewalls whose IP addresses are 10.137.240.143 and 10.137.240.144 respectively to the device group and click OK.

  4. Synchronize all firewall data.

    1. On the Device tab page, select all firewalls, and choose Sync > Sync to synchronize all firewall data.

    2. Click Out of Sync in the Deploy Status column and check whether the policy and object modification needs to be accepted.

  5. Reuse some security policies of source firewalls to the new firewalls. That is, modify security policies and add the device group secgrou1 to Deploy on.

    The security policy aa13 on USG6530 is used as an example.

    1. Choose Policy Management > Security Policy, click at the upper right corner, and search for the security policy whose name is aa13.
    2. Click in the Operation column.
    3. Click Deploy on, select secgrou1, and click OK.

  6. Add objects and policies and bind the device group secgrou1.

    1. In the navigation tree on the left, click the corresponding node under Objects Management and create an object. The created object will be referenced by policies.
    2. In the navigation tree on the left, click the corresponding node under Policy Management and create a policy.

  7. Adjust the policy priority. Move policies to change the policy priority.

    For example, the new security policy Secyp1 is moved to be above aa13.

    1. Choose Policy Management > Security Policy, right-click Secyp1, and choose Cut from the shortcut menu.

    2. Right-click aa13 and choose Paste Above.

  8. Deploy policies.

    1. Choose Policy Management > Security Policy from the navigation tree on the left and click .

    2. Click Next and choose Add > Add Device Group.
    3. In the dialog box that is displayed, select secgrou1 and click OK.

    4. Click Next and verify the network environment and deployment data correctness. After the verification, the page shown in the following figure is displayed.

    5. Click Deploy. The Warning dialog box is displayed.

    6. Select I have learned about the risks of the operation and click OK to start policy deployment.

      If the policy deployment is successful, the status is Succeeded.
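Steps 5 to 8 above (reusing aa13 on the new group, adding Secyp1, pasting it above aa13, and deploying to secgrou1) as a small model of the ordered policy list and its Deploy on bindings. This is an added example, not code from eSight or the Huawei guide: the policy names aa13 and Secyp1, the device names and the group secgrou1 are from the example, while the PolicyList class, its methods, and the extra policy aa14 on Eude42 are constructed to show that a move in the list changes sequence numbers for every firewall the policy is bound to, and nothing else.

```python
from dataclasses import dataclass, field

# Device group from the guide's data plan: secgrou1 holds the two new firewalls.
DEVICE_GROUPS = {"secgrou1": {"FW-240.143", "FW-240.144"}}


@dataclass
class Policy:
    name: str
    deploy_on: set = field(default_factory=set)  # device names and/or device-group names

    def applies_to(self, device, groups=DEVICE_GROUPS):
        """True if the device is listed directly or through a bound device group."""
        if device in self.deploy_on:
            return True
        return any(device in groups.get(g, ()) for g in self.deploy_on)


class PolicyList:
    """Ordered security-policy list: index 0 is sequence 1, the highest priority."""

    def __init__(self, policies=()):
        self._items = list(policies)

    def add(self, policy):
        """A newly created policy is appended, i.e. gets the lowest priority."""
        self._items.append(policy)

    def names(self):
        return [p.name for p in self._items]

    def sequence(self):
        """Sequence numbers as shown in the list (smaller = higher priority)."""
        return {p.name: i + 1 for i, p in enumerate(self._items)}

    def find(self, name):
        for p in self._items:
            if p.name == name:
                return p
        raise KeyError(name)

    def paste_above(self, name, target):
        """Equivalent of Cut on `name` followed by Paste Above on `target`."""
        moving = self.find(name)
        self._items.remove(moving)
        self._items.insert(self._items.index(self.find(target)), moving)

    def render_for(self, device, groups=DEVICE_GROUPS):
        """The ordered subset of policies that deployment would push to one firewall."""
        return [p.name for p in self._items if p.applies_to(device, groups)]


def run_roadmap():
    # Existing policy from the guide (aa13 on USG6530) plus a constructed one (aa14).
    plist = PolicyList([
        Policy("aa13", {"USG6530"}),
        Policy("aa14", {"Eude42"}),   # constructed: must not reach the new group
    ])
    # Step 5: reuse aa13 by adding the device group to its Deploy on list.
    plist.find("aa13").deploy_on.add("secgrou1")
    # Step 6: new policy bound to the device group; it lands at the end of the list.
    plist.add(Policy("Secyp1", {"secgrou1"}))
    # Step 7: move Secyp1 above aa13 so it is evaluated first on the new firewalls.
    plist.paste_above("Secyp1", "aa13")
    return plist


if __name__ == "__main__":
    pl = run_roadmap()
    print("sequence:", pl.sequence())
    for dev in ("FW-240.143", "FW-240.144", "USG6530", "Eude42"):
        print(f"{dev:12s} -> {pl.render_for(dev)}")
```

After step 8 the same ordered subset is what the verification section expects to see in each firewall's Security Policy list: Secyp1 above aa13 on the two new firewalls, aa13 alone on USG6530, and no change on Eude42.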

Verification

Log in to a firewall and check whether the security policies deployed on eSight exist on the firewall.

  1. On the firewall home page, click Policy.
  2. Choose Security Policy > Security Policy from the navigation tree on the left.

Security policies deployed on eSight are displayed in the firewall security policy list and the sequence is correct, indicating that policy deployment is successful.

Updated: 2019-09-07

Document ID: EDOC1100011877
