HiSecEngine USG6000F Typical Configuration Examples
Web: Example for Configuring a Device to Connect to eSight Using SNMPv3
Networking Requirements
As shown in Figure 20-1, DeviceA is deployed at the network border of an enterprise as the security gateway and eSight is deployed to centrally manage network devices. eSight needs to monitor and manage DeviceA and receive alarms from DeviceA.
Data Planning
| Item | | Data | Description |
|---|---|---|---|
| DeviceA | Interface | Interface number: GE0/0/1; IP address: 1.1.1.1/24; Security zone: Untrust | Interface connecting to the Internet. |
| | | Interface number: GE0/0/2; IP address: 10.2.0.1/24; Security zone: DMZ | Interface communicating with the eSight server. |
| | | Interface number: GE0/0/3; IP address: 10.3.0.1/24; Security zone: Trust | Interface connecting to the enterprise intranet. |
| | SNMP parameters | User name: V3user; SNMP version: V3; Authentication protocol: HMAC-SHA2-256; Authentication password: YsHsjx_202206; Encryption protocol: AES256; Encryption password: YsHsjx_202206 | The SNMP parameters of DeviceA and eSight must be the same. |
| eSight | IP address | 10.2.0.10/24 | Deployed in the DMZ in centralized mode. |
| | SNMP parameters | User name: V3user; Parameter type: v3; Authentication protocol: HMAC-SHA2-256; Authentication password: YsHsjx_202206; Privacy protocol: AES256; Encryption password: YsHsjx_202206 | The SNMP parameters of eSight and DeviceA must be the same. |
Configuration Roadmap
- Enable communication between DeviceA and eSight. Specifically, configure IP addresses for the interfaces on DeviceA, add the interfaces to security zones, and configure the interface access management function to permit SNMP packets.
  If the interface access management function is not used, you need to configure the corresponding security policies instead. Before disabling the interface access management function, configure security policies for the remote management protocol so that DeviceA remains remotely manageable.
- Enable eSight to manage DeviceA and receive alarms from DeviceA. Specifically, set the SNMP parameters and enable the trap function on DeviceA, then set the same SNMP parameters on eSight and add DeviceA to eSight. For DeviceA to send alarms to eSight, the corresponding security policies must also be configured.
This example focuses on the interconnection between DeviceA and eSight. Configure routes so that the devices can reach each other. For other configurations on eSight, see the related manuals.
Ensure that the system time and time zone of DeviceA are the same as those of eSight.
Procedure
- Set IP addresses for the interfaces, and assign the interfaces to security zones.
- Configure security policies.
- Set the SNMP parameters and enable DeviceA to send alarms to eSight.
- Configure eSight.
Verifying the Configuration
- Log in to DeviceA from the web UI. Choose , and deselect Enable of GE0/0/4.
- On eSight, choose , where you can view the alarm information.
Configuration Scripts
#
interface GE0/0/1
 ip address 1.1.1.1 255.255.255.0
#
interface GE0/0/2
 ip address 10.2.0.1 255.255.255.0
 service-manage enable
 service-manage snmp permit
#
interface GE0/0/3
 ip address 10.3.0.1 255.255.255.0
#
firewall zone untrust
 set priority 5
 add interface GE0/0/1
#
firewall zone dmz
 set priority 50
 add interface GE0/0/2
#
firewall zone trust
 set priority 85
 add interface GE0/0/3
#
security-policy
 rule name trust_untrust_outbound
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 mask 255.255.255.0
  action permit
 rule name local_dmz_outbound
  source-zone local
  destination-zone dmz
  source-address 10.2.0.1 mask 255.255.255.0
  action permit
#
 snmp-agent
 snmp-agent local-engineid 000007DB7FFFFFFF000077D0
 snmp-agent sys-info version v3
 snmp-agent target-host trap address udp-domain 10.2.0.10 params securityname %$%$Lch*5Z>Q0:BIj9Nv<&^W(>5,%$%$ v3 privacy private-netmanager
 snmp-agent usm-user v3 V3user authentication-mode sha2-256 cipher %+%#]lck/kEvSA'=g^ WsIwEI~rf&=qHpDEhhB\3Dmt1(%+%#
 snmp-agent usm-user v3 V3user privacy-mode aes256 cipher %+%#Ow4n$dQvbD:^-A
 snmp-agent trap enable
#
 snmp-agent protocol source-interface GE0/0/2
 snmp-agent trap source GE0/0/2
#
return
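The following Python is an added worked example, not part of this configuration page or of Huawei's software. It derives the localized SNMPv3 USM keys that both DeviceA and eSight compute from the shared V3user password and DeviceA's engine ID (RFC 3414 Appendix A, with the hash generalized to SHA-2 as RFC 7860 does), which is why the SNMP parameters must be identical on both sides and why the keys are bound to this engine ID. The function names and the constants taken from the page are assumptions of this example.

```python
"""Localized SNMPv3 USM key derivation for the V3user account on DeviceA.
Added example; RFC 3414 Appendix A.2 algorithm with a selectable hash."""
import hashlib

# Values taken from this page's configuration script and data plan.
ENGINE_ID_HEX = "000007DB7FFFFFFF000077D0"  # snmp-agent local-engineid
AUTH_PASSWORD = "YsHsjx_202206"             # authentication password
PRIV_PASSWORD = "YsHsjx_202206"             # encryption password (same value in the data plan)
HASH_NAME = "sha256"                        # HMAC-SHA2-256 authentication protocol


def password_to_ku(password: str, hash_name: str = HASH_NAME) -> bytes:
    """Step 1: hash the password repeated out to exactly 1 MiB (1048576 bytes)."""
    pw = password.encode("utf-8")
    stream_len = 1048576
    repeats = stream_len // len(pw) + 1
    h = hashlib.new(hash_name)
    h.update((pw * repeats)[:stream_len])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = HASH_NAME) -> bytes:
    """Step 2: Kul = H(Ku || engineID || Ku); the same password yields a
    different key on every engine, so the manager must know the agent's engine ID."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_keys(auth_pw: str, priv_pw: str, engine_id_hex: str,
             hash_name: str = HASH_NAME) -> dict:
    """Return the localized authentication and privacy keys for one agent.
    With SHA-256 the localized key is 32 bytes, which is exactly the AES-256
    key size, so no key-extension step is needed for the AES256 privacy protocol."""
    engine_id = bytes.fromhex(engine_id_hex)
    auth_key = localize_key(password_to_ku(auth_pw, hash_name), engine_id, hash_name)
    priv_key = localize_key(password_to_ku(priv_pw, hash_name), engine_id, hash_name)
    return {"auth_key": auth_key, "priv_key": priv_key}


if __name__ == "__main__":
    keys = usm_keys(AUTH_PASSWORD, PRIV_PASSWORD, ENGINE_ID_HEX)
    for name, key in keys.items():
        print(f"{name}: {key.hex()} ({len(key)} bytes)")
```

Because the data plan uses the same string for the authentication and encryption passwords, the two localized keys come out identical; choosing distinct passwords gives independent keys.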