
HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
About This Document

Related Version

The following table lists the product versions related to this document.

Product Name        Version
USG6000             V500R005C00 and later versions
USG9500             V500R005C00 and later versions
USG6000E            V600R006C00 and later versions
Eudemon200E-N       V500R005C00 and later versions
Eudemon1000E-N      V500R005C00 and later versions
Eudemon8000E-X      V500R005C00 and later versions
Eudemon200E-G       V600R006C00 and later versions
Eudemon1000E-G      V600R006C00 and later versions

Unless otherwise specified, the USG and Eudemon series listed in this table are referred to as the FW hereinafter.

Intended Audience

This document describes the application scenarios and configuration methods in typical projects of the FW. This document does not cover all scenarios. You can adapt the examples to your conditions.

This document is intended for administrators who configure and manage FWs. The administrators must have good Ethernet knowledge and network management experience.

Content Conventions

The purchased products, services and features are stipulated by the contract made between Huawei Technologies Co., Ltd. and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

The screenshots in this document are for reference only. The settings are subject to the actual GUI.

Encryption Algorithm Declaration

Currently, the device uses the following encryption algorithms: DES, 3DES, AES, RSA, SHA1, SHA2, and MD5. The appropriate algorithm depends on the scenario. Use the recommended algorithm; otherwise, security defense requirements may not be met.

  • DES, 3DES, RSA (RSA-1024 or shorter), MD5 (in digital signature and password encryption scenarios), and SHA1 (in digital signature scenarios) have low security strength and may introduce security risks. Where the protocol allows, use more secure algorithms such as AES, RSA (RSA-2048 or longer), SHA2, or HMAC-SHA2.
  • For symmetric encryption, use AES with a key of 128 bits or more.
  • For asymmetric encryption, use RSA with a key of 2048 bits or more.
  • For hashing, use SHA2 with a digest length of 256 bits or more.
  • For HMAC, use HMAC-SHA2.
  • SHA2 is an irreversible (one-way) algorithm. An irreversible algorithm must be used to store the administrator password.

Personal Data Declaration

Some personal data may be obtained or used during operation or fault location of your purchased products, services, and features. Huawei Technologies Co., Ltd. alone is unable to collect or save the content of users' communications. It is suggested that you activate the user data-related functions based on the applicable laws and regulations in terms of purpose and scope of usage. You are obligated to take adequate measures to ensure that the content of users' communications is fully protected when the content is being used and saved.

Feature Usage Declaration

The IPSec VPN and SSL VPN functions are not provided in versions shipped to Russia in accordance with Russian laws.

  • Features such as antivirus, IPS, file blocking, data filtering, application behavior control, mail filtering, URL session logs, and URL filtering may involve the collection of users' communication contents, such as the browsed websites and transmitted files. You are advised to clear unnecessary sensitive information in a timely manner.
  • Antivirus and IPS support attack evidence collection to analyze data packets for viruses or intrusions. However, the attack evidence collection process may involve the collection of users' communication content. The device provides dedicated audit administrators to obtain collected attack evidence. Other administrators do not have such permissions. Please keep the audit administrator account safe and clear the attack evidence collection history in time.
  • The audit function is used to record online behaviors, including the collection or storage of browsed web pages, BBS or microblog posts, HTTP/FTP file transfers, email receiving and sending, and QQ login and logout. The device provides dedicated audit administrators to configure audit policies and view audit logs. Other administrators do not have such permissions. Please keep the audit administrator account safe.
  • Port mirroring and NetStream are vital to fault diagnosis and traffic statistics and analysis, but may involve the collection of users' communication content. The product provides permission control over such functions. You are advised to clear traffic records after fault diagnosis and traffic analysis.
  • The quintuple packet capture function can capture the whole packet content, which may cause the disclosure of users' personal data. When using this function, you must comply with related national laws and regulations and take sufficient measures to protect users' personal data. For example, technical support personnel cannot perform packet capture without the prior consent of customers; in addition, they must delete captured packets immediately after fault location is complete. Huawei will not bear any legal obligations or liabilities for security events (such as personal data leaks) that are not caused by Huawei's misconduct.
  • The data feedback function (user experience plan) may involve transferring or processing users' communication contents or personal data. Huawei Technologies Co., Ltd. alone is unable to transfer or process the content of users' communications and personal data. It is suggested that you activate the user data-related functions based on the applicable laws and regulations in terms of purpose and scope of usage.
  • The device can transfer files through FTP, TFTP, SFTPv1, SFTPv2, and FTPS. Using FTP, TFTP, or SFTPv1 has potential security risks. SFTPv2 or FTPS is recommended.
  • Telnet and STelnetv1&v2 can be used to log in to the device. Using Telnet or STelnetv1 has potential security risks. STelnetv2 is recommended.
  • SNMPv1&v2c&v3 can be used to manage network elements. Using SNMPv1&v2c has potential security risks. SNMPv3 is recommended.

MAC Address and IP Address Usage Declaration

For the purposes of introducing features and giving configuration examples, the MAC addresses and public IP addresses of real devices are used in this document. Unless otherwise specified, these addresses are used as examples only.

Symbol Conventions

The symbols that may be found in this document are defined as follows.

Symbol      Description
(image)     Indicates a hazard with a high level of risk which, if not avoided, will result in death or serious injury.
(image)     Indicates a hazard with a medium level of risk which, if not avoided, could result in death or serious injury.
(image)     Indicates a hazard with a low level of risk which, if not avoided, could result in minor or moderate injury.
NOTICE      Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address practices not related to personal injury.
NOTE        Supplements the important information in the main text. NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.

Command Conventions

The command conventions that may be found in this document are defined as follows.

Convention          Description
Boldface            The keywords of a command line are in boldface.
Italic              Command arguments are in italics.
[ ]                 Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }     Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]     Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... } *   Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ] *   Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>              The parameter before the & sign can be repeated 1 to n times.
#                   A line starting with the # sign is a comment.

GUI Conventions

The GUI conventions that may be found in this document are defined as follows.

Convention    Description
Boldface      Buttons, menus, parameters, tabs, windows, and dialog titles are in boldface. For example, click OK.
>             Multi-level menus are in boldface and separated by the ">" sign. For example, choose File > Create > Folder.

Update History

Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.

Updates in Issue 02 (2019-08-30)

Second commercial release.

Updates in Issue 01 (2019-01-10)

Initial commercial release.

Updated: 2019-08-30

Document ID: EDOC1100062972