HiSecEngine USG6000F Typical Configuration Examples

CLI: Example for Outputting Customized Syslog Session Logs to a Third-Party Log Host

Networking Requirements

As shown in Figure 20-9, DeviceA is deployed on the network border. The network environment is as follows:

  • The intranet is the Trust zone, while the Internet is the Untrust zone. Users on the intranet access the Internet using the NAT function provided by DeviceA.
  • A third-party log server is deployed in the DMZ.

DeviceA is required to send session information generated when intranet users access the Internet to the third-party log server in the customized syslog format. The administrator can view and analyze session information on the third-party log server.

Figure 20-9 Networking for sending syslog session logs to log servers

In this example, interfaces 1, 2, and 3 represent GE0/0/1, GE0/0/2, and GE0/0/3, respectively.


Configuration Roadmap

This example provides only the DeviceA configuration. For the third-party log server configuration, see the third-party log server product document.

Set the system time correctly during the initial configuration. Changing the system time while the device is running makes the timestamps of historical logs inconsistent with those written afterwards. Configure the log server with the same time zone as DeviceA so that the timestamps it records match the device's.

  1. Set the IP addresses for interfaces and add the interfaces to security zones.
  2. Configure a security policy and enable the session logging function in it.
  3. Configure a NAT policy.
  4. Configure routes.
  5. Configure the log host.
  6. Configure the source IP address and source port for sending logs.
  7. Set the session log output format to syslog.
  8. Customize the syslog content using a template.
  9. Configure the third-party log server.

Procedure

  1. Set the IP addresses for interfaces and add the interfaces to security zones.

    # Configure an IP address for GE0/0/1.

    <HUAWEI> system-view
    [HUAWEI] sysname DeviceA
    [DeviceA] interface ge 0/0/1
    [DeviceA-GE0/0/1] undo portswitch
    [DeviceA-GE0/0/1] ip address 192.168.0.1 24
    [DeviceA-GE0/0/1] quit

    # Configure an IP address for GE0/0/2.

    [DeviceA] interface ge 0/0/2
    [DeviceA-GE0/0/2] undo portswitch
    [DeviceA-GE0/0/2] ip address 172.16.0.1 24
    [DeviceA-GE0/0/2] quit

    # Configure an IP address for GE0/0/3.

    [DeviceA] interface ge 0/0/3
    [DeviceA-GE0/0/3] undo portswitch
    [DeviceA-GE0/0/3] ip address 1.1.1.1 24
    [DeviceA-GE0/0/3] quit

    # Add GE0/0/1 to the Trust zone.

    [DeviceA] firewall zone trust
    [DeviceA-zone-trust] add interface ge 0/0/1
    [DeviceA-zone-trust] quit

    # Add GE0/0/2 to the DMZ.

    [DeviceA] firewall zone dmz
    [DeviceA-zone-dmz] add interface ge 0/0/2
    [DeviceA-zone-dmz] quit

    # Add GE0/0/3 to the Untrust zone.

    [DeviceA] firewall zone untrust
    [DeviceA-zone-untrust] add interface ge 0/0/3
    [DeviceA-zone-untrust] quit

  2. Configure a Trust-Untrust interzone security policy and enable the session logging function. This function takes effect only when the policy action is set to permit.

    [DeviceA] security-policy
    [DeviceA-policy-security] rule name trust_untrust
    [DeviceA-policy-security-rule-trust_untrust] source-zone trust
    [DeviceA-policy-security-rule-trust_untrust] destination-zone untrust
    [DeviceA-policy-security-rule-trust_untrust] source-address 192.168.0.0 24
    [DeviceA-policy-security-rule-trust_untrust] action permit
    [DeviceA-policy-security-rule-trust_untrust] session logging
    [DeviceA-policy-security-rule-trust_untrust] quit

    Session log packets are sent by DeviceA itself and are not subject to security policies, so no additional security policy is needed for the log traffic to the log server. The preceding Trust-Untrust policy is sufficient.

  3. Configure a NAT policy.

    # Configure NAT address pool add1 and set the mode to PAT. In this example, the public address range is 1.1.1.10 to 1.1.1.15.

    [DeviceA] nat address-group add1
    [DeviceA-address-group-add1] mode pat
    [DeviceA-address-group-add1] section 0 1.1.1.10 1.1.1.15
    [DeviceA-address-group-add1] route enable
    [DeviceA-address-group-add1] quit

    # Configure a NAT policy.

    [DeviceA] nat-policy
    [DeviceA-policy-nat] rule name policy1
    [DeviceA-policy-nat-rule-policy1] source-zone trust
    [DeviceA-policy-nat-rule-policy1] destination-zone untrust
    [DeviceA-policy-nat-rule-policy1] source-address 192.168.0.0 24
    [DeviceA-policy-nat-rule-policy1] action source-nat address-group add1
    [DeviceA-policy-nat-rule-policy1] quit
    [DeviceA-policy-nat] quit

  4. Configure a default route. In this example, the next hop of DeviceA to the Internet is 1.1.1.2.

    [DeviceA] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2

  5. Configure the log host. The log server is 172.16.0.2 in the DMZ, listening on the standard syslog port 514. Session logs are sent in plain text without authentication, so keep the log server on a trusted segment (the DMZ here) and do not expose it to the Untrust zone.

    [DeviceA] firewall log host 1 172.16.0.2 514

  6. Configure the source IP address and source port for sending logs.

    [DeviceA] firewall log source 172.16.0.1 6666

  7. Set the session log output format to syslog.

    [DeviceA] firewall log session log-type syslog

  8. Customize the output syslog content.

    You can customize the syslog output format in either expression mode or list mode. The two modes are mutually exclusive: a syslog template uses one or the other. The configurations are as follows:
    • Customizing syslog session logs in expression mode
      1. Configure a template for syslog session logs and access the template view.
        [DeviceA] session-log template test type syslog
      2. Configure a content expression for session logs.
        [DeviceA-syslog-template-test] expression message "$logtype ipver=$ipversion pro:$protocol source=$srcip:$srcport destination=$dstip:$dstport"
        [DeviceA-syslog-template-test] quit
        • If IPv4 and IPv6 session logs share the same expression, run the preceding command once.
        • If IPv4 and IPv6 session logs use different expressions, run the preceding command twice. Set the IPv6 session log expression to expression message ipv6 "$logtype ipver=$ipversion pro:$protocol source=$srcip:$srcport destination=$dstip:$dstport".
      3. Set the content format of syslog session logs to the template format.
        [DeviceA] firewall log syslog content format template test
    • Customizing syslog session logs in list mode
      1. Configure a template for syslog session logs and access the template view.
        [DeviceA] session-log template test type syslog
      2. Configure field delimiters in syslog session logs.
        [DeviceA-syslog-template-test] separate semicolon

        The default field delimiters are commas (,).

      3. Configure the fields contained in syslog session logs and their sequences.
        [DeviceA-syslog-template-test] expression ip-version source-ip destination-ip source-port source-nat-ip source-nat-port protocol
      4. Create prefixes for the fields in syslog session logs.
        [DeviceA-syslog-template-test] ip-version prefix-characters ipversion=
        [DeviceA-syslog-template-test] protocol prefix-characters Protocol=
        [DeviceA-syslog-template-test] source-ip prefix-characters Source_IP
        [DeviceA-syslog-template-test] quit
      5. Set the content format of syslog session logs to the template format.
        [DeviceA] firewall log syslog content format template test

  9. Configure the third-party log server to receive syslog on port 514 from 172.16.0.1 and to parse the template format configured in step 8. For details, see the log server's product documentation.
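The log server has to parse exactly what the template emits, and the two modes produce quite different lines. The following Python is an added example for the receiver side; it is not Huawei code and not part of this page. It compiles the expression-mode template and the list-mode field order, delimiter, and prefixes configured above into parsers and runs them over hand-constructed sample message bodies. It assumes that the collector has already stripped the syslog header (PRI, timestamp, hostname) the device prepends, which the page does not show, that `$logtype` renders as a single token, and that the sample lines are shaped the way the template definitions imply; none of them were captured from a device.

```python
"""Parsers for the two customised syslog session-log formats of template
'test' on DeviceA (expression mode and list mode), as seen by the log server.

Added example, not Huawei code. Assumptions: the collector has already
stripped the syslog header (PRI, timestamp, hostname) the device prepends,
which this page does not show; $logtype renders as one token; the sample
message bodies below are constructed by hand from the template definitions.
"""
import ipaddress
import re
from typing import Callable, Dict, List, Optional

# ---- expression mode --------------------------------------------------------
# Configured on DeviceA:
#   expression message "$logtype ipver=$ipversion pro:$protocol
#                       source=$srcip:$srcport destination=$dstip:$dstport"
EXPRESSION = ("$logtype ipver=$ipversion pro:$protocol "
              "source=$srcip:$srcport destination=$dstip:$dstport")

# Per-variable patterns. Addresses are greedy over hex/dot/colon and ports are
# digits only, so "source=$srcip:$srcport" still splits at the last colon for
# IPv6 addresses, which contain colons themselves.
_VAR_PATTERNS = {
    "srcip": r"[0-9A-Fa-f.:]+", "dstip": r"[0-9A-Fa-f.:]+",
    "srcport": r"\d{1,5}", "dstport": r"\d{1,5}",
    "ipversion": r"\d", "protocol": r"[A-Za-z0-9]+", "logtype": r"\S+",
}


def compile_expression(expression: str) -> "re.Pattern[str]":
    """Turn a $variable template into an anchored regex with named groups."""
    parts, pos = [], 0
    for m in re.finditer(r"\$([A-Za-z_][A-Za-z0-9_]*)", expression):
        parts.append(re.escape(expression[pos:m.start()]))   # literal text
        name = m.group(1)
        parts.append(f"(?P<{name}>{_VAR_PATTERNS.get(name, '.+?')})")
        pos = m.end()
    parts.append(re.escape(expression[pos:]))
    return re.compile("^" + "".join(parts) + "$")


EXPRESSION_RE = compile_expression(EXPRESSION)


def parse_expression(body: str) -> Optional[Dict[str, str]]:
    m = EXPRESSION_RE.match(body)
    return m.groupdict() if m else None   # None: not produced by this template


# ---- list mode --------------------------------------------------------------
# Configured on DeviceA:
#   separate semicolon
#   expression ip-version source-ip destination-ip source-port source-nat-ip
#              source-nat-port protocol
#   ip-version prefix-characters ipversion=
#   protocol prefix-characters Protocol=
#   source-ip prefix-characters Source_IP      (note: no "=" after the prefix)
LIST_FIELDS = ["ip-version", "source-ip", "destination-ip", "source-port",
               "source-nat-ip", "source-nat-port", "protocol"]
LIST_SEPARATOR = ";"
LIST_PREFIXES = {"ip-version": "ipversion=", "protocol": "Protocol=",
                 "source-ip": "Source_IP"}


def make_list_parser(fields: List[str], separator: str,
                     prefixes: Dict[str, str]) -> Callable[[str], Optional[Dict[str, str]]]:
    """Build a parser for a list-mode template: fixed field order, one
    separator, and an optional literal prefix per field stripped exactly."""
    def parse(body: str) -> Optional[Dict[str, str]]:
        raw = body.split(separator)
        if len(raw) != len(fields):
            return None            # field count mismatch: wrong separator/template
        rec: Dict[str, str] = {}
        for name, value in zip(fields, raw):
            prefix = prefixes.get(name, "")
            if not value.startswith(prefix):
                return None        # prefix mismatch: not produced by this template
            rec[name] = value[len(prefix):]
        return rec
    return parse


parse_list = make_list_parser(LIST_FIELDS, LIST_SEPARATOR, LIST_PREFIXES)

# NAT address group add1 from the configuration: 1.1.1.10-1.1.1.15 (PAT).
NAT_POOL = (ipaddress.ip_address("1.1.1.10"), ipaddress.ip_address("1.1.1.15"))


def nat_ip_in_pool(rec: Dict[str, str]) -> bool:
    """Sanity check: the translated source of a logged session must come from add1."""
    ip = ipaddress.ip_address(rec["source-nat-ip"])
    return ip.version == 4 and NAT_POOL[0] <= ip <= NAT_POOL[1]


# Constructed sample bodies (not captured from a device).
EXPRESSION_SAMPLES = [
    "session ipver=4 pro:TCP source=192.168.0.10:51514 destination=203.0.113.5:443",
    "session ipver=6 pro:TCP source=2001:db8::10:51515 destination=2001:db8:1::5:443",
    "session ipver=4 pro:TCP source=192.168.0.10 destination=203.0.113.5:443",  # port missing
]
LIST_SAMPLES = [
    "ipversion=4;Source_IP192.168.0.10;203.0.113.5;51514;1.1.1.12;2048;Protocol=TCP",
    "ipversion=4;Source_IP192.168.0.11;203.0.113.9;40001;1.1.1.10;1025;Protocol=UDP",
    "ipversion=4,Source_IP192.168.0.12,203.0.113.9,40002,1.1.1.11,1026,Protocol=UDP",  # default comma delimiter, not ours
]


def parse_expression_samples() -> List[Optional[Dict[str, str]]]:
    return [parse_expression(b) for b in EXPRESSION_SAMPLES]


def parse_list_samples() -> List[Optional[Dict[str, str]]]:
    return [parse_list(b) for b in LIST_SAMPLES]


if __name__ == "__main__":
    for rec in parse_expression_samples() + parse_list_samples():
        print(rec)
```

Two things the example makes visible. In list mode the prefix `Source_IP` is configured without a trailing `=`, so the address is glued straight onto it; the parser strips the exact prefix, and if you want a delimiter it has to be part of the prefix string you configure. In expression mode, `$srcip:$srcport` is only unambiguous because the port is all digits: the parser must split at the last colon, or IPv6 session logs will be misparsed.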

Verifying the Configuration

After intranet users access the Internet, session logs in the customized format appear on the third-party log server. Check that they arrive from source address 172.16.0.1 (source port 6666) and that the field order, delimiter, and prefixes in the received lines match the template.

Configuration Scripts

The following script shows the list-mode customization of syslog session logs.

#
sysname DeviceA
#
firewall log source 172.16.0.1 6666
firewall log host 1 172.16.0.2 514
firewall log session log-type syslog
firewall log syslog content format template test
#
nat address-group add1 0
 mode pat
 route enable
 section 0 1.1.1.10 1.1.1.15
#
interface GE0/0/1
 ip address 192.168.0.1 255.255.255.0
#
interface GE0/0/2
 ip address 172.16.0.1 255.255.255.0
#
interface GE0/0/3
 ip address 1.1.1.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GE0/0/1
#
firewall zone untrust
 set priority 5
 add interface GE0/0/3
#
firewall zone dmz
 set priority 50
 add interface GE0/0/2
#
security-policy
 rule name trust_untrust
  source-zone trust
  destination-zone untrust
  source-address 192.168.0.0 mask 255.255.255.0
  session logging
  action permit
#
nat-policy
 rule name policy1
  source-zone trust
  destination-zone untrust
  source-address 192.168.0.0 24
  action source-nat address-group add1
#
 ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
#
session-log template test type syslog
 separate semicolon
 expression ip-version source-ip destination-ip source-port source-nat-ip source-nat-port protocol
 ip-version prefix-characters ipversion=
 protocol prefix-characters Protocol=
 source-ip prefix-characters Source_IP
#
return
Update Date: 2024-07-17
Document ID: EDOC1100387632