H3C Security Products
Safety & Configuration Cautions and Guidelines
New H3C Technologies Co., Ltd. http://www.h3c.com
Copyright © 2020, New H3C Technologies Co., Ltd. and its licensors
All rights reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Trademarks
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
Notice
The information in this document is subject to change without notice. All contents in this document, including statements, information, and recommendations, are believed to be accurate, but they are presented without warranty of any kind, express or implied. H3C shall not be liable for technical or editorial errors or omissions contained herein.
Environmental protection
This product has been designed to comply with the environmental protection requirements. The storage, use, and disposal of this product must meet the applicable national laws and regulations.
Preface
This document describes important information that, if not understood or followed, can result in undesirable situations, including bodily injury, hardware damage, service interruption, or service anomalies. It contains hardware safety guidelines and CLI-based and Web-based configuration cautions and guidelines. Before you work on or configure your device, read the information in this document carefully.
This preface includes the following topics about the documentation:
• Audience
• Prerequisites
• Conventions
• Documentation feedback
Audience
This documentation is intended for:
• Network planners.
• Field technical support and servicing engineers.
• Network administrators.
Prerequisites
This document is not restricted to specific software or hardware versions. If a conflict occurs between this document and a product-specific document, the product-specific document overrides.
This document provides only generic technical information, some of which might not apply to your devices.
Conventions
The following information describes the conventions used in the documentation.
Command conventions
Convention Description
Boldface Bold text represents commands and keywords that you enter literally as shown.
Italic Italic text represents arguments that you replace with actual values.
[ ] Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... } Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ] Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } * Asterisk marked braces enclose a set of required syntax choices separated by vertical bars, from which you select a minimum of one.
[ x | y | ... ] * Asterisk marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.
&<1-n> The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
# A line that starts with a pound (#) sign is comments.
GUI conventions
Convention Description
Boldface Window names, button names, field names, and menu items are in Boldface. For example, the New User window opens; click OK.
> Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Symbols
Convention Description
WARNING! An alert that calls attention to important information that if not understood or followed can result in personal injury.
CAUTION: An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.
IMPORTANT: An alert that calls attention to essential information.
NOTE: An alert that contains additional or supplementary information.
TIP: An alert that provides helpful information.
Network topology icons
Convention Description
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Represents an access controller, a unified wired-WLAN module, or the access controller engine on a unified wired-WLAN switch.
Represents an access point.
Represents a wireless terminator unit.
Represents a wireless terminator.
Represents a mesh access point.
Represents omnidirectional signals.
Represents directional signals.
Represents a security product, such as a firewall, UTM, multiservice security gateway, or load balancing device.
Represents a security module, such as a firewall, load balancing, NetStream, SSL VPN, IPS, or ACG module.
Examples provided in this document
Examples in this document might use devices that differ from your device in hardware model, configuration, or software version. It is normal that the port numbers, sample output, screenshots, and other information in the examples differ from what you have on your device.
Documentation feedback
You can e-mail your comments about product documentation to [email protected]. We appreciate your comments.
Hardware safety guidelines
Introduction
This guide contains general safety guidelines about avoiding potentially hazardous situations that can cause bodily injury, device or module damage, device or module exceptions, or service anomalies. Only trained and qualified personnel are allowed to perform the operations described in this guide.
Before working on your device, review the safety guidelines in this document carefully.
Safety guidelines
Table 1-1 Safety guidelines

Category: Maintenance
• Wear an ESD wrist strap correctly during the installation. (Consequence of misoperation: Static electricity can damage the electronic components on the module or damage the device, causing service interruption.)
• Ground the device correctly. (Consequence of misoperation: Device damage or service interruption caused by lightning strikes.)
• Network cables are used for communication between the device and the maintenance terminal. Network cable connection or disconnection can be performed only by qualified maintenance personnel for scheduled service adjustment, and they must be aware of the impact on the network. (Consequence of misoperation: Login failure from a maintenance endpoint to the device.)
• Operate the power switches on the PDUs in the cabinet only when upgrading or expanding the device, replacing components in the device, or when a severe system failure occurs. (Consequence of misoperation: Device shutdown or service interruption.)
• Keep a filler panel in an unused slot. (Consequence of misoperation: Insufficient heat dissipation caused by dust build-up.)
• Clean the air filters of modular devices within the recommended time period. (Consequence of misoperation: Device overtemperature or shutdown caused by insufficient heat dissipation.)
• Pressing the RESET button resets the device forcibly. This operation can be performed only by qualified maintenance personnel when a severe system failure occurs. (Consequence of misoperation: Service interruption.)

Category: Handling modules
• When holding a module, do not touch the electronic components or PCB directly. (Consequence of misoperation: Module damage or malfunction caused by static electricity.)
• Put a module into an antistatic bag when it is not inside the chassis. (Consequence of misoperation: Module damage or malfunction caused by static electricity.)
• Make sure a module supports hot swapping before hot swapping the module. (Consequence of misoperation: Incorrect operation of the module or the device.)
• Do not hot swap the only MPU in a modular device. (Consequence of misoperation: MPU damage or service interruption.)
• Do not replace a switching fabric module when a modular device is operating correctly. (Consequence of misoperation: Device shutdown, service interruption, or data loss.)
• Before hot swapping a hard disk, execute the umount command from the CLI to unmount all file systems on the hard disk before removing it. (Consequence of misoperation: Storage medium damage.)

Category: Handling fan trays
• Do not install fan trays of different models on the same device. (Consequence of misoperation: Device damage because of insufficient heat dissipation.)
• Replace fan trays in a timely manner. (Consequence of misoperation: Device damage because of insufficient heat dissipation.)
• If multiple fan trays fail, do not remove them at the same time. Replace the fan trays one after another. (Consequence of misoperation: Device damage because of insufficient heat dissipation.)

Category: Handling power modules
• Do not install power modules of different types on the same device. (Consequence of misoperation: Power module damage.)
• Make sure the power input method, rated output voltage, and other parameters of the power supply system meet the requirements of the installed power modules. (Consequence of misoperation: Device shutdown because of an unstable power supply system.)
• Do not hot swap a power module when the remaining power modules in a modular device cannot provide enough power for normal device operation. (Consequence of misoperation: Service interruption because of insufficient power supply.)
• Do not install or remove a power module when the device is powered on. (Consequence of misoperation: Device damage or bodily injury.)

Category: Handling optical fibers
• Make sure the received optical power of the device is within the upper limit of the received optical power of the transceiver module. (Consequence of misoperation: Transceiver module damage or service interruption.)
• Connect the optical fiber to the Tx and Rx ports on the installed transceiver module correctly. (Consequence of misoperation: Service failure.)
• Make sure the connectors of the optical fiber meet the requirements of the installed transceiver module. (Consequence of misoperation: Service failure.)
• Do not stare into any open apertures of operating transceiver modules or optical fiber connectors. (Consequence of misoperation: Disconnected optical fibers or transceiver modules might emit invisible laser light. Staring into any fiber port or viewing it directly with non-attenuating optical instruments while the device has power might hurt your eyes.)
Contents
CLI-based configuration cautions and guidelines
Introduction
Configuration cautions and guidelines
CLI-based configuration cautions and guidelines
Introduction
This guide contains important information that if not understood or followed can result in undesirable situations, including:
• Unexpected shutdown or reboot of devices or cards.
• Service anomalies or interruption.
• Loss of data, configuration, or important files.
• User login failure or unexpected logoff.
Only trained and qualified personnel are allowed to do the configuration tasks described in this guide.
Before you configure your device, read the information in this document carefully.
Configuration cautions and guidelines
Feature: Login management
Command: authentication-mode
Description: Sets the authentication mode for a user line.
Usage guidelines: When the authentication mode is none, a user can log in without authentication. To improve device security, use the password or scheme authentication mode. An authentication mode change does not take effect on the current session. It takes effect on subsequent login sessions.

Feature: Login management
Command: auto-execute command
Description: Specifies the command to be automatically executed for a login user.
Usage guidelines: After you configure this command for a user line, you might be unable to access the CLI through that user line. Use it with caution.

Feature: RBAC interface policy
Command: deny
Description: Enters interface policy view of a user role.
Usage guidelines: This command denies the user role access to any interfaces if the permit interface command is not configured. To restrict the interface access of a user role to a set of interfaces, configure the permit interface command.

Feature: RBAC security-zone policy
Command: deny
Description: Enters security zone policy view of a user role.
Usage guidelines: This command denies the user role access to any security zones if no security zones are specified by using the permit security-zone command. To restrict the security zone access of a user role to a set of security zones, configure the permit security-zone command.

Feature: RBAC vlan policy
Command: deny
Description: Enters VLAN policy view of a user role.
Usage guidelines: This command denies the user role access to any VLANs if no VLANs are specified by using the permit vlan command. To restrict the VLAN access of a user role to a set of VLANs, configure the permit vlan command.

Feature: RBAC vpn-instance policy
Command: deny
Description: Enters VPN instance policy view of a user role.
Usage guidelines: This command denies the user role access to any VPN instances if no VPN instances are specified by using the permit vpn-instance command. To restrict the VPN instance access of a user role to a set of VPN instances, configure the permit vpn-instance command.

Feature: FTP and TFTP
Command: delete
Description: Permanently deletes a file from the FTP server.
Usage guidelines: Make sure the file to delete is not in use before executing this command.

Feature: FTP and TFTP
Command: rmdir
Description: Permanently deletes a directory from the FTP server.
Usage guidelines: Make sure the directory to delete is not in use before executing this command.

Feature: File system management
Command: delete [ /unreserved ] file
Description: Deletes a file.
Usage guidelines: The delete /unreserved file command deletes a file permanently. The file cannot be restored. The delete file command (without /unreserved) moves a file to the recycle bin unless it is executed on the default MDC to delete a file from a non-default MDC.
Feature: File system management
Command: format
Description: Formats a file system.
Usage guidelines: Formatting a file system permanently deletes all files in the file system. If a startup configuration file exists in the file system, back up the file if necessary.

Feature: File system management
Command: reset recycle-bin
Description: Deletes files from the recycle bin.
Usage guidelines: A file moved to the recycle bin can be restored, but a permanently deleted file cannot. Make sure the files in the recycle bin will not be used any more before you execute this command.

Feature: File system management
Command: rmdir
Description: Deletes a directory.
Usage guidelines: To delete a directory, you must first delete all files and subdirectories in the directory permanently or move them to the recycle bin. If you move them to the recycle bin, executing the rmdir command permanently deletes them. Make sure the files and subdirectories in the directory will not be used any more before you execute this command.

Feature: Configuration file management
Command: configuration replace file
Description: Rolls the running configuration back by using a local replacement configuration file.
Usage guidelines: Configuration rollback allows you to replace the running configuration with the configuration in a replacement configuration file without rebooting the device. A configuration rollback might cause service disruption.

Feature: Configuration file management
Command: configuration replace server file
Description: Enables remote configuration rollback.
Usage guidelines: This command enables the device to download the replacement configuration file from the remote rollback server and roll back the running configuration immediately or schedule a rollback for a future date and time. A configuration rollback might cause service disruption.

Feature: Configuration file management
Command: reset saved-configuration
Description: Deletes a next-startup configuration file.
Usage guidelines: This command permanently deletes the specified next-startup configuration file from the device.

Feature: Configuration file management
Command: save
Description: Saves the running configuration to a configuration file.
Usage guidelines: If the file specified for this command already exists, the system prompts you to confirm whether to overwrite the file.

Feature: ISSU
Command: issu commit
Description: Completes an ISSU upgrade to a compatible version.
Usage guidelines: This command ends the ISSU process. When this command is completed, the ISSU status changes to Init and the ISSU process cannot be rolled back.

Feature: ISSU
Command: reset install rollback oldest
Description: Clears ISSU rollback points.
Usage guidelines: This command clears the specified rollback point and all rollback points older than the specified rollback point.

Feature: Device management
Command: reboot
Description: Reboots the device.
Usage guidelines: A reboot might interrupt network services. Use the force keyword only when the device fails or a reboot command without the force keyword cannot perform a reboot correctly. A reboot command with the force keyword might result in file system corruption, because it does not perform data protection.

Feature: Device management
Command: restore factory-default
Description: Restores the factory-default configuration for the device.
Usage guidelines: Use this command with caution. This command is disruptive. It clears the running configuration and data and deletes all files except .bin files and license files. The operation cannot be reverted. Use this command only when you cannot troubleshoot the device by using other methods, or when you want to use the device in a different scenario.

Feature: IRF
Command: undo chassis convert mode
Description: Restores the standalone mode of a member device in an IRF fabric.
Usage guidelines: Read the virtual technologies or IRF configuration guide for restrictions and guidelines before restoring the standalone mode of a member device. This operation removes the member device from the IRF fabric. An IP or bridge MAC conflict might occur after a member device is removed from an IRF fabric and operates as a standalone device on the network. You must change the IP address or bridge MAC settings to remove the conflict.
Feature: IRF
Command: irf mac-address persistent
Description: Configures IRF bridge MAC persistence.
Usage guidelines: An IRF bridge MAC address change causes transient traffic disruption. Use this command with caution.

Feature: IRF
Command: irf member renumber
Description: Changes the member ID of an IRF member device.
Usage guidelines: An IRF member ID change can invalidate member ID-related settings, including interface and file path settings, and cause data loss. Make sure you fully understand its impact on your live network.

Feature: IRF (star topology)
Command: undo chassis convert mode
Description: Restores the standalone mode.
Usage guidelines: Read the virtual technologies or IRF configuration guide for restrictions and guidelines before restoring the standalone mode of a member device. This operation removes the member device from the IRF fabric. An IP or bridge MAC conflict might occur after a member device is removed from an IRF fabric and operates as a standalone device on the network. You must change the IP address or bridge MAC settings to remove the conflict.

Feature: IRF (star topology)
Command: irf mac-address persistent
Description: Configures IRF bridge MAC persistence.
Usage guidelines: An IRF bridge MAC address change causes transient traffic disruption. Use this command with caution.

Feature: IRF (star topology)
Command: irf member renumber
Description: Changes the member ID of an IRF member device.
Usage guidelines: An IRF member ID change can invalidate member ID-related settings, including interface and file path settings, and cause data loss. Make sure you fully understand its impact on your live network.

Feature: IRF (star topology)
Command: undo irf member stack enable
Description: Disables multimember stacking capability for an IRF member device.
Usage guidelines: If multimember stacking capability is disabled for a device, the device cannot join an IRF fabric that contains other devices.

Feature: Context
Command: undo context start
Description: Stops a context.
Usage guidelines: Stop a context with caution. Stopping a context stops all services on the context and logs out all users on the context. To avoid configuration data loss, save the running configuration of a context before you stop the context.

Feature: Context
Command: location blade-controller
Description: Adds a security engine to a security engine group.
Usage guidelines: For the device to correctly process services, make sure the default security engine group has a minimum of one security engine.

Feature: Common interface settings
Command: default
Description: Restores the default settings for an interface.
Usage guidelines: The default command might interrupt ongoing network services. Make sure you are fully aware of the impacts of this command when you use it in a live network.

Feature: Common interface settings
Command: shutdown
Description: Shuts down an interface.
Usage guidelines: Use this command with caution. This command disables the interface from forwarding or receiving traffic.

Feature: Ethernet interface
Command: port link-mode
Description: Changes the link mode of an Ethernet interface.
Usage guidelines: Changing the link mode of an Ethernet interface also restores all commands (except shutdown and combo enable) on the Ethernet interface to their defaults in the new link mode.

Feature: Ethernet interface, FC and FCoE
Command: port-type fc, port-type ethernet
Description: Switches the interface type between Layer 2 Ethernet and FC.
Usage guidelines: This command removes the original interface, and then creates the target interface with the same number as the original interface. All commands on the original interface are restored to their defaults on the new interface.

Feature: 3G and 4G modem management
Command: modem reboot
Description: Reboots a 3G/4G modem.
Usage guidelines: Executing this command disconnects the 3G or 4G modem connection that has been established on the user line.

Feature: ARP
Command: reset arp
Description: Clears ARP entries from the ARP table.
Usage guidelines: This command might increase the latency of external traffic sent to users on LANs attached to the device.

Feature: NAT
Command: reset nat dynamic-load-balance
Description: Redistributes the dynamic NAT load on security engines.
Usage guidelines: Use this command with caution, because executing it causes a temporary traffic interruption.

Feature: NAT
Command: reset nat static-load-balance
Description: Redistributes the static NAT load on security engines.
Usage guidelines: Use this command with caution. This command causes a temporary traffic interruption.
Feature: ADVPN
Command: reset vam server address-map
Description: Clears IPv4 private-public address mapping information for VAM clients registered with the VAM server.
Usage guidelines: Executing this command also clears IPv4 private network information for the private IPv4 addresses. Then, the system sends an error notification to VAM clients that have registered the private IPv4 addresses and logs off the clients.

Feature: ADVPN
Command: reset vam server ipv6 address-map
Description: Clears IPv6 private-public address mapping information for VAM clients registered with the VAM server.
Usage guidelines: Executing this command also clears IPv6 private network information for the private IPv6 addresses. Then, the system sends an error notification to VAM clients that have registered the private IPv6 addresses and logs off the clients.

Feature: ADVPN
Command: reset vam client fsm
Description: Resets FSMs for VAM clients.
Usage guidelines: After the FSM is reset for a VAM client, the client immediately tries to come online.

Feature: ADVPN
Command: reset vam client ipv6 fsm
Description: Resets FSMs for IPv6 VAM clients.
Usage guidelines: After the FSM is reset for an IPv6 VAM client, the client immediately tries to come online.

Feature: Static routing
Command: delete static-routes all
Description: Deletes all static routes.
Usage guidelines: Use this command with caution. This command might cause forwarding failure.

Feature: IPv6 static routing
Command: delete ipv6 static-routes all
Description: Deletes all IPv6 static routes.
Usage guidelines: Use this command with caution. This command might cause packet forwarding failure.

Feature: IS-IS
Command: network-entity
Description: Configures the Network Entity Title (NET) for an IS-IS process.
Usage guidelines: To avoid data loss, execute the network-entity command after the cost-style and is-level commands if you want to execute these three commands for the same IS-IS process.

Feature: BGP
Command: label-allocation-mode
Description: Specifies a label allocation mode.
Usage guidelines: Use this command with caution. A change to the label allocation mode causes BGP to re-advertise all routes, which causes service interruption.

Feature: BGP
Command: peer ignore
Description: Disables BGP session establishment with a peer or peer group.
Usage guidelines: If a session has been established to a peer, executing this command for the peer tears down the session and clears all related routing information. If sessions have been established to a peer group, executing this command for the peer group disables the sessions to all peers in the group and clears all related routing information.

Feature: BGP
Command: reset bgp
Description: Resets BGP sessions for the specified address family.
Usage guidelines: This operation breaks down BGP sessions for a short period of time.

Feature: BGP
Command: reset bgp all
Description: Resets all BGP sessions for all address families.
Usage guidelines: This operation breaks down BGP sessions for a short period of time.

Feature: IGMP
Command: igmp version
Description: Specifies an IGMP version on an interface.
Usage guidelines: For IGMP to operate correctly, specify the same IGMP version for all devices on the same subnet.

Feature: IGMP
Command: reset igmp group
Description: Clears dynamic IGMP multicast group entries.
Usage guidelines: This command might interrupt multicast information transmission.

Feature: MLD
Command: mld version
Description: Specifies an MLD version on an interface.
Usage guidelines: For MLD to operate correctly, specify the same MLD version for all devices on the same subnet.

Feature: MLD
Command: reset mld group
Description: Clears dynamic MLD multicast group entries.
Usage guidelines: This command might interrupt IPv6 multicast information transmission.

Feature: MPLS L3VPN, MCE
Command: ip binding vpn-instance
Description: Associates an interface with a VPN instance.
Usage guidelines: This command or its undo form clears the IP address and routing protocol configuration on the interface.

Feature: ARP attack protection
Command: arp scan
Description: Triggers ARP scanning in an address range.
Usage guidelines: ARP scanning takes some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on the ARP replies received before the scan is terminated.

Feature: Portal
Command: portal authorization strict-checking
Description: Enables strict checking on portal authorization information.
Usage guidelines: You can enable strict checking on authorized ACLs, authorized user profiles, or both. If you enable both strict ACL checking and user profile checking, the user is logged out if either check fails. An ACL or user profile check fails when the authorized ACL or user profile does not exist on the device or fails to be deployed.
Feature: Portal
Command: portal user-dhcp-only
Description: Allows only users with DHCP-assigned IP addresses to pass portal authentication.
Usage guidelines: With this feature enabled, users with static IP addresses cannot pass portal authentication to come online. In an AC+fit network, this command takes effect only when the AC acts as a DHCP server. To ensure that IPv6 users can pass portal authentication when this feature is enabled, disable the temporary IPv6 address feature on terminal devices.

Feature: SSH
Command: ssh server port
Description: Specifies the SSH service port.
Usage guidelines: If you modify the SSH port number when the SSH server is enabled, the SSH service is restarted and all SSH connections are terminated after the modification. SSH users must reconnect to the SSH server to access the server. If you set the SSH port to a well-known port number, the service that uses the well-known port number might fail to start. Well-known port numbers are in the range of 1 to 1024.

Feature: DDoS protection
Command: anti-ddos detection-mode
Description: Sets the DDoS attack detection mode.
Usage guidelines: The device might fail to identify DDoS attack packets during the detection mode switchover.

Feature: VRRP
Command: vrrp vrid shutdown
Description: Disables an IPv4 VRRP group.
Usage guidelines: This command causes the device to drop packets sent to the IPv4 VRRP group. Use this command only when necessary, for example, for testing or troubleshooting. Bring the group up as soon as possible to restore services.

Feature: VRRP
Command: vrrp ipv6 vrid shutdown
Description: Disables an IPv6 VRRP group.
Usage guidelines: With this command configured, packets sent to the IPv6 VRRP group might be discarded.

Feature: BFD
Command: bfd init-fail-timer
Description: Sets the delay timer for BFD to notify upper-layer protocols of session establishment failures.
Usage guidelines: For session establishment failures caused by configuration mismatches at the two ends, this command can cause the upper-layer protocol to act incorrectly. Therefore, use this command with caution. BFD status mismatch and BFD authentication configuration mismatch are examples of configuration mismatches.

Feature: Process placement
Command: placement reoptimize
Description: Applies the configured process placement policies to optimize process placement.
Usage guidelines: After you execute this command, the system bases its placement decisions on the new process placement policies, hardware resources, and the locations and states of active processes. If the new location for an active process differs from its current location, a process switchover is triggered. To prevent undesirable situations such as neighbor flapping in routing protocols, make sure backup features such as NSR and GR have been configured for the processes and are in a stable state.

Feature: Process monitoring and maintenance
Command: monitor kernel deadloop action
Description: Specifies the action to be taken in response to a kernel thread deadloop.
Usage guidelines: In most situations, use the default settings. Use this command only under the guidance of H3C Support. Inappropriate configuration can cause system breakdown. As a best practice, leave the default unchanged.

Feature: DPI
Command: inspect bypass
Description: Disables the DPI engine.
Usage guidelines: After you disable the DPI engine, packets are not processed by DPI. This command can cause temporary service disruptions. As a best practice, execute this command after all DPI service policy and rule configurations are complete.

Feature: DPI
Command: inspect activate
Description: Activates the policy and rule configurations for DPI service modules.
Usage guidelines: This command can cause temporary service disruption. As a best practice, execute this command after all DPI service policy and rule configurations are complete.
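The cautions in the table above are easiest to honor when a change script is reviewed before it is pasted into a live device. The following added example (not H3C code or tooling) is a small pre-change reviewer: it scans a CLI script for the disruptive commands listed in this guide (reboot, restore factory-default, format, delete /unreserved, reset saved-configuration, reset bgp, shutdown, and so on), checks the SSH port rule (the service restarts on any change, and ports 1 to 1024 are treated as well-known, as the table states), and verifies the IS-IS ordering rule that network-entity must follow cost-style and is-level in the same process. The sample script, the regular expressions, and the simple view tracking (an isis process line enters the view, quit leaves it) are constructed for this example.

```python
"""Pre-change review of an H3C CLI script against the cautions in this guide.

Added example, not H3C's code.  The rule texts are transcribed from the
table above; the sample script and the regexes are constructed here.
"""
import re

# (pattern on the stripped command line, caution from the table above)
DISRUPTIVE_RULES = [
    (r"^reboot\b", "reboot: might interrupt network services; force skips data protection"),
    (r"^restore factory-default\b", "restore factory-default: clears configuration and data; cannot be reverted"),
    (r"^format\b", "format: permanently deletes all files in the file system"),
    (r"^delete /unreserved\b", "delete /unreserved: the file cannot be restored"),
    (r"^reset saved-configuration\b", "reset saved-configuration: permanently deletes the next-startup file"),
    (r"^reset recycle-bin\b", "reset recycle-bin: files in the recycle bin can no longer be restored"),
    (r"^delete (ipv6 )?static-routes all\b", "delete static-routes all: might cause forwarding failure"),
    (r"^reset bgp\b", "reset bgp: breaks down BGP sessions for a short period of time"),
    (r"^peer \S+ ignore\b", "peer ignore: tears down the session and clears related routing information"),
    (r"^reset arp\b", "reset arp: might increase latency for users on attached LANs"),
    (r"^inspect bypass\b", "inspect bypass: packets are no longer processed by DPI"),
    (r"^undo context start\b", "undo context start: stops all services on the context and logs out its users"),
    (r"^irf member \d+ renumber\b", "irf member renumber: can invalidate member ID-related settings and cause data loss"),
    (r"^shutdown\b", "shutdown: the interface stops forwarding and receiving traffic"),
    (r"^authentication-mode none\b", "authentication-mode none: users can log in without authentication"),
]
COMPILED_RULES = [(re.compile(p), msg) for p, msg in DISRUPTIVE_RULES]

SSH_PORT = re.compile(r"^ssh server port (\d+)\b")
# Assumed shape of the IS-IS process view command: isis [ process-id ] [ vpn-instance name ]
ISIS_VIEW = re.compile(r"^isis(\s+\d+)?(\s+vpn-instance\s+\S+)?$")


def review_script(text):
    """Return a list of (line_number, message) findings for a CLI change script."""
    findings = []
    in_isis = False
    net_seen = False  # network-entity already issued in the current IS-IS view
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        # Disruptive commands: plain prefix match, so 'undo shutdown' is not flagged.
        for pattern, msg in COMPILED_RULES:
            if pattern.match(line):
                findings.append((lineno, msg))
        # SSH port change: always a restart; well-known range per this guide is 1-1024.
        m = SSH_PORT.match(line)
        if m:
            port = int(m.group(1))
            findings.append((lineno, "ssh server port: SSH service restarts and all SSH connections are terminated"))
            if 1 <= port <= 1024:
                findings.append((lineno, f"ssh server port {port}: well-known port; the service using it might fail to start"))
        # IS-IS ordering rule: cost-style and is-level must precede network-entity.
        if ISIS_VIEW.match(line):
            in_isis, net_seen = True, False
        elif line == "quit":
            in_isis = False
        elif in_isis:
            if line.startswith("network-entity"):
                net_seen = True
            elif net_seen and (line.startswith("cost-style") or line.startswith("is-level")):
                findings.append((lineno, f"{line.split()[0]} after network-entity: reorder to avoid IS-IS data loss"))
    return findings


# Constructed sample change script (not from any real device).
SAMPLE_SCRIPT = """\
system-view
 ssh server port 2222
 interface GigabitEthernet1/0/3
  shutdown
  quit
 interface GigabitEthernet1/0/4
  undo shutdown
  quit
 isis 1
  network-entity 49.0001.0000.0000.0001.00
  is-level level-2
  cost-style wide
  quit
 delete /unreserved flash:/old.cfg
 reset bgp all
 save main.cfg
"""

if __name__ == "__main__":
    for lineno, msg in review_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: {msg}")
```

Run on the sample script, the reviewer reports the SSH port change, the shutdown on GigabitEthernet1/0/3 (but not the undo shutdown), the two IS-IS commands issued after network-entity, the unrecoverable delete, and the BGP reset; the save command is not reported because the guide only notes its overwrite prompt.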
Contents
Introduction
Objects
APP security
Enabling the bypass feature
Activating configuration
Submitting configuration changes
Network
Interfaces
Shutting down an interface
SSL VPN
Shutting down an SSL VPN AC interface
Security zones
Removing the device management interface from the Management security zone
System
IRF
Changing the member ID of an IRF member device
Binding a physical interface to an IRF port
Contexts
Stopping a context
Upgrade center
Updating the signature library
Upgrading the software
Administrators
Locking a user account permanently after it consecutively fails the maximum number of login attempts
Configuration management
Restoring the factory defaults
Reboot
Introduction
This guide contains important information that if not understood or followed can result in undesirable situations, including:
• Unexpected shutdown or reboot of devices or cards.
• Service anomalies or interruption.
• Loss of data, configuration, or important files.
• User login failure or unexpected logoff.
Only trained and qualified personnel are allowed to do the configuration tasks described in this guide.
Before you configure your device, read the information in this document carefully.
This document applies to firewalls. The webpages might be slightly different depending on the software or hardware version of the firewalls.
Objects
APP security
Enabling the bypass feature
Impact
After the bypass feature is enabled, the system does not perform DPI on received packets. This might cause interruptions to DPI-based services. For example, security policies cannot take effect to control access to applications.
Procedure
1. On the top navigation bar, click Objects.
2. From the navigation pane, select App Security > Advanced Settings.
3. In the Bypass area, select Enable.
Activating configuration
Impact
This operation might cause interruptions to the DPI service and other DPI-based services. For example, security policies cannot take effect to control access to applications.
Procedure
1. On the top navigation bar, click Objects.
2. From the navigation pane, select App Security > Advanced Settings.
Submitting configuration changes
Impact
This operation might cause interruptions to the DPI service and other DPI-based services. For example, security policies cannot take effect to control access to applications.
Procedure
1. On the top navigation bar, click Objects.
2. From the navigation pane, select App Security > IPS > Profiles.
3. Click Submit to submit the configuration changes of the IPS profiles.
4. Use the same procedure to submit the configuration changes of the profiles for other DPI services, such as anti-virus.
Network
Interfaces
Shutting down an interface
Impact
Shutting down an interface disconnects the links attached to the interface and might cause communication disruption.
Procedure
1. From the navigation pane, select Network > Interface Configuration > Interfaces.
SSL VPN
Shutting down an SSL VPN AC interface
Impact
Shutting down an SSL VPN AC interface might cause disruption of the SSL VPN IP access service.
Procedure
1. On the top navigation bar, click Network.
2. From the navigation pane, select SSL VPN > SSL VPN AC Interfaces.
3. Click the Edit icon for an SSL VPN AC interface.
4. Select Shut down in the Link status field.
Security zones
Removing the device management interface from the Management security zone
Impact
The device management interface belongs to the Management security zone by default. You can log in to the Web interface of the device from the management interface. If you remove the management interface from the Management security zone, you cannot manage the device remotely from the Web interface.
Procedure
1. On the top navigation bar, click Network.
2. From the navigation pane, select Security Zones.
3. Click the Edit icon for the Management security zone.
4. Select the device management interface from the member list, and then click the Remove icon to move the interface back to the interface list.
System
IRF
Changing the member ID of an IRF member device
Impact
On an IRF fabric, an IRF member ID change can invalidate member ID-related settings and cause data loss.
The new member ID takes effect at reboot. After the device reboots, the settings on all member ID-related physical resources (including common physical network interfaces) are removed, regardless of whether you have saved the configuration.
Procedure
1. On the top navigation bar, click System.
2. From the left navigation pane, select Virtualization > IRF.
3. Click the Settings icon for an IRF member device.
4. Change the member ID of the IRF member device on the page that opens.
Binding a physical interface to an IRF port
Impact
This operation causes service interruption on the physical interface.
Procedure
1. On the top navigation bar, click System.
2. From the left navigation pane, select Virtualization > IRF.
3. Click the Settings icon for an IRF port.
4. Bind a physical interface to the IRF port on the page that opens.
Contexts
Stopping a context
Impact
Stopping a context interrupts all services running on that context and automatically logs off all users from that context.
Procedure
1. On the top navigation bar, click System.
2. From the left navigation pane, select Virtualization > Contexts > Contexts.
Upgrade center
Updating the signature library
Impact
This operation will temporarily interrupt DPI services and DPI-based services. For example, a security policy for DPI will be unable to provide application-based access control while the signature library is being updated. As a best practice, schedule the update for off-peak hours.
Procedure
1. On the top navigation bar, click System.
2. From the left navigation pane, select Upgrade Center > Signature Upgrade.
3. On the page that opens, select an update operation in the Actions column for a signature library.
Upgrading the software
Impact
This operation will interrupt services during the upgrade.
Procedure
1. On the top navigation bar, click System.
2. From the left navigation pane, select Upgrade Center > Software Upgrade.
4. Select a .ipe file, select Reboot the device immediately, and click OK.
Administrators
Locking a user account permanently after it consecutively fails the maximum number of login attempts
Impact
With password control enabled, this operation prevents a user from using its IP address to access the device after it consecutively fails the maximum number of login attempts.
Procedure
1. On the top navigation bar, click System.
2. From the left navigation pane, select Administrators > Administrators.
3. Click Password control.
4. Select Enable password control.
5. In the User login control area, select Lock permanently for the Account handling for login failure field on the page that opens.
Configuration management
Restoring the factory defaults
Impact
This operation deletes next-startup configuration files from the device and restores the device configuration to the factory defaults. If you restore the factory defaults, all user-configured settings will be deleted from the device.
Procedure
1. On the top navigation bar, click System.
2. From the left navigation pane, select Maintenance > Configuration Management.
Reboot
Rebooting the device
Impact
This operation might cause service interruption.
Procedure
1. From the navigation pane, select System > Maintenance > Reboot.
Contents
Introduction ··· 1
Objects ··· 1
APP security ··· 1
Enabling the bypass feature ··· 1
Activating configuration ··· 1
Submitting configuration changes ··· 2
Network ··· 2
SSL VPN ··· 2
Shutting down an SSL VPN AC interface ··· 2
Security zones ··· 3
Removing the device management interface from the Management security zone ··· 3
System ··· 4
Configuration management ··· 4
Restoring the factory defaults ··· 4
Contexts ··· 5
Stopping a context ··· 5
Moving a security engine from the default security engine group to a non-default group ··· 5
Upgrade center ··· 6
Updating the signature library ··· 6
Upgrading the software ··· 6
IRF ··· 7
Converting the device operating mode ··· 7
Changing the member ID of an IRF member device ··· 8
Binding a physical interface to an IRF port ··· 8
Password control ··· 9
Locking a user account permanently after it consecutively fails the maximum number of login attempts ··· 9
Reboot ··· 9
Rebooting the device ··· 9
Introduction
This guide contains important information that if not understood or followed can result in undesirable situations, including:
• Unexpected shutdown or reboot of devices or cards.
• Service anomalies or interruption.
• Loss of data, configuration, or important files.
• User login failure or unexpected logoff.
Only trained and qualified personnel are allowed to do the configuration tasks described in this guide.
Before you configure your device, read the information in this document carefully.
This document applies only to H3C SecPath M9000 and T9000 firewalls. The webpages might be slightly different depending on the software or hardware version of the firewalls.
Objects
APP security
Enabling the bypass feature
Impact
After the bypass feature is enabled, the system does not perform DPI on received packets. This might cause disruptions of DPI-based services. For example, security policies cannot take effect to control access.
Procedure
1. On the top navigation bar, click Objects.
2. From the navigation pane, select App Security > Advanced Settings.
3. In the Bypass area, select Enable.
Activating configuration
Impact
This operation might cause disruptions of the DPI service and other DPI-based services. For example, security policies cannot take effect to control access.
Procedure
1. On the top navigation bar, click Objects.
2. From the navigation pane, select App Security > Advanced Settings.
Submitting configuration changes
Impact
This operation might cause disruptions of the DPI service and other DPI-based services. For example, security policies cannot take effect to control access.
Procedure
1. On the top navigation bar, click Objects.
2. From the navigation pane, select App Security > IPS > Profiles.
3. Click Submit to submit the configuration changes of the IPS profiles.
4. Use the same procedure to submit the configuration changes of the profiles for other DPI services, such as anti-virus.
Network
SSL VPN
Shutting down an SSL VPN AC interface
Impact
Shutting down an SSL VPN AC interface might cause disruption of the SSL VPN IP access service.
Procedure
1. On the top navigation bar, click Network.
2. From the navigation pane, select SSL VPN > SSL VPN AC Interfaces.
3. Click the Edit icon for an SSL VPN AC interface.
Security zones
Removing the device management interface from the Management security zone
Impact
The device management interface belongs to the Management security zone by default. You can log in to the Web interface of the device from the management interface. If you remove the management interface from the Management security zone, you cannot manage the device remotely from the Web interface.
Procedure
1. On the top navigation bar, click Network.
2. From the navigation pane, select Security Zones.
3. Click the Edit icon for the Management security zone.
4. Select the device management interface from the member list, and then click the Remove icon to move the interface back to the interface list.
System
Configuration management
Restoring the factory defaults
Impact
This operation deletes next-startup configuration files from the device and restores the device configuration to the factory defaults. If you restore the factory defaults, all user-configured settings will be deleted from the device.
Procedure
1. On the top navigation bar, click System.
2. From the left navigation pane, select Maintenance > Configuration Management.
Contexts
Stopping a context
Impact
Stopping a context interrupts all services running on that context and automatically logs off all users from that context.
Procedure
1. On the top navigation bar, click System.
2. From the left navigation pane, select Virtualization > Contexts > Contexts.
3. On the page that opens, select a context and click Stop.
Moving a security engine from the default security engine group to a non-default group
Impact
The default security engine group must have a minimum of one security engine for the device to process services correctly.
To prevent service anomalies, make sure the default security engine group still contains a minimum of one security engine after you move an engine from it to a non-default security engine group.
Procedure
1. On the top navigation bar, click System.
2. From the left navigation pane, select Virtualization > Contexts > Security Engine Group.
3. Select the only security engine in the default security engine group and click Add to security engine group.
Upgrade center
Updating the signature library
Impact
This operation will temporarily interrupt DPI services and DPI-based services. For example, a security policy for DPI will be unable to provide application-based access control while the signature library is being updated. As a best practice, schedule the update for off-peak hours.
Procedure
1. On the top navigation bar, click System.
2. From the left navigation pane, select Upgrade Center > Signature Upgrade.
3. On the page that opens, select an update operation in the Actions column for a signature library.
Upgrading the software
Impact
This operation will interrupt services during the upgrade.
Procedure
1. On the top navigation bar, click System.
2. From the left navigation pane, select Upgrade Center > Software Upgrade.
4. Select a .ipe file, select Reboot the device immediately, and click OK.
IRF
Converting the device operating mode
Impact
When you convert the operating mode of the device between IRF and standalone, the device automatically reboots, causing service interruption. Before you perform this task, make sure you are fully aware of its impact on services.
Procedure
1. On the top navigation bar, click System.
2. From the left navigation pane, select Virtualization > IRF.
3. Click the Settings icon for an IRF member device.
Changing the member ID of an IRF member device
Impact
On an IRF fabric, an IRF member ID change can invalidate member ID-related settings and cause data loss.
The new member ID takes effect at reboot. After the device reboots, the settings on all member ID-related physical resources (including common physical network interfaces) are removed, regardless of whether you have saved the configuration.
Procedure
1. On the top navigation bar, click System.
2. From the left navigation pane, select Virtualization > IRF.
3. Click the Settings icon for an IRF member device.
4. Change the member ID of the IRF member device on the page that opens.
Binding a physical interface to an IRF port
Impact
This operation causes service interruption on the physical interface.
Procedure
1. On the top navigation bar, click System.
2. From the left navigation pane, select Virtualization > IRF.
3. Click the Settings icon for an IRF port.
Password control
Locking a user account permanently after it consecutively fails the maximum number of login attempts
Impact
With password control enabled, this operation prevents a user from using its IP address to access the device after it consecutively fails the maximum number of login attempts.
Procedure
1. On the top navigation bar, click System.
2. From the left navigation pane, select Administrators > Administrators.
3. Click Password control.
4. Select Enable password control.
5. In the User login control area, select Lock permanently for the Account handling for login failure field on the page that opens.
Reboot
Rebooting the device
Impact
This operation might cause service interruption.
Procedure
1. From the navigation pane, select System > Maintenance > Reboot.
Contents
Introduction ··· 1
Policies ··· 1
Submitting configuration changes ··· 1
Objects ··· 1
APP security··· 1
Enabling the bypass feature··· 1
Activating configuration ··· 2
Network ··· 2
Interfaces ··· 2
Shutting down an interface··· 2
Security zones··· 3
Removing the device management interface from the Management security zone ··· 3
System ··· 4
IRF ··· 4
Changing the member ID of an IRF member device··· 4
Binding a physical interface to an IRF port ··· 5
Contexts ··· 6
Stopping a context ··· 6
Upgrade center ··· 7
Updating the signature library ··· 7
Upgrading the software ··· 7
Administrators ··· 8
Locking a user account permanently after it consecutively fails the maximum number of login attempts ··· 8
Configuration management ··· 8
Restoring the factory defaults ··· 8
Reboot··· 9
Introduction
This guide contains important information that if not understood or followed can result in undesirable situations, including:
• Unexpected shutdown or reboot of devices or cards.
• Service anomalies or interruption.
• Loss of data, configuration, or important files.
• User login failure or unexpected logoff.
Only trained and qualified personnel are allowed to do the configuration tasks described in this guide.
Before you configure your device, read the information in this document carefully.
This document applies to IPS products. The webpages might be slightly different depending on the software or hardware version of the IPS products.
Policies
Submitting configuration changes
Impact
This operation might cause interruptions to the DPI service and other DPI-based services. For example, security policies cannot take effect to control access to applications.
Procedure
1. On the top navigation bar, click Policies.
2. From the navigation pane, select IPS > Profiles.
3. Click Submit to submit the configuration changes of the IPS profiles.
4. Use the same procedure to submit the configuration changes of the profiles for other DPI services, such as anti-virus.
Objects
APP security
Enabling the bypass feature
Impact
After the bypass feature is enabled, the system does not perform DPI on received packets. This might cause interruptions to DPI-based services. For example, security policies cannot take effect to control access to applications.
Procedure
1. On the top navigation bar, click Objects.
2. From the navigation pane, select App Security > Advanced Settings.
3. In the Bypass area, select Enable.
Activating configuration
Impact
This operation might cause interruptions to the DPI service and other DPI-based services. For example, security policies cannot take effect to control access to applications.
Procedure
1. On the top navigation bar, click Objects.
2. From the navigation pane, select App Security > Advanced Settings.
3. In the Activate area, click Activate.
Network
Interfaces
Shutting down an interface
Impact
Shutting down an interface disconnects the links attached to the interface and might cause communication disruption.
Procedure
1. From the navigation pane, select Network > Interface Configuration > Interfaces.
Security zones
Removing the device management interface from the Management security zone
Impact
The device management interface belongs to the Management security zone by default. You can log in to the Web interface of the device from the management interface. If you remove the management interface from the Management security zone, you cannot manage the device remotely from the Web interface.
Procedure
1. On the top navigation bar, click Network.
2. From the navigation pane, select Security Zones.
3. Click the Edit icon for the Management security zone.
4. Select the device management interface from the member list, and then click the Remove icon to move the interface back to the interface list.
System
IRF
Changing the member ID of an IRF member device
Impact
On an IRF fabric, an IRF member ID change can invalidate member ID-related settings and cause data loss.
The new member ID takes effect at reboot. After the device reboots, the settings on all member ID-related physical resources (including common physical network interfaces) are removed, regardless of whether you have saved the configuration.
Procedure
1. On the top navigation bar, click System.
2. From the left navigation pane, select Virtualization > IRF.
3. Click the Settings icon for an IRF member device.
4. Change the member ID of the IRF member device on the page that opens.
Binding a physical interface to an IRF port
Impact
This operation causes service interruption on the physical interface.
Procedure
1. On the top navigation bar, click System.
2. From the left navigation pane, select Virtualization > IRF.
3. Click the Settings icon for an IRF port.
Contexts
Stopping a context
Impact
Stopping a context interrupts all services running on that context and automatically logs off all users from that context.
Procedure
1. On the top navigation bar, click System.
2. From the left navigation pane, select Virtualization > Contexts > Contexts.
Upgrade center
Updating the signature library
Impact
This operation will temporarily interrupt DPI services and DPI-based services. For example, a security policy for DPI will be unable to provide application-based access control while the signature library is being updated. As a best practice, schedule the update for off-peak hours.
Procedure
1. On the top navigation bar, click System.
2. From the left navigation pane, select Upgrade Center > Signature Upgrade.
3. On the page that opens, select an update operation in the Actions column for a signature library.
Upgrading the software
Impact
This operation will interrupt services during the upgrade.
Procedure
1. On the top navigation bar, click System.
2. From the left navigation pane, select Upgrade Center > Software Upgrade.
4. Select a .ipe file, select Reboot the device immediately, and click OK.
Administrators
Locking a user account permanently after it consecutively fails the maximum number of login attempts
Impact
With password control enabled, this operation prevents a user from using its IP address to access the device after it consecutively fails the maximum number of login attempts.
Procedure
1. On the top navigation bar, click System.
2. From the left navigation pane, select Administrators > Administrators.
3. Click Password control.
4. Select Enable password control.
5. In the User login control area, select Lock permanently for the Account handling for login failure field on the page that opens.
Configuration management
Restoring the factory defaults
Impact
This operation deletes next-startup configuration files from the device and restores the device configuration to the factory defaults. All user-configured settings will be deleted from the device.
Procedure
1. On the top navigation bar, click System.
2. From the left navigation pane, select Maintenance > Configuration Management.
Reboot
Rebooting the device
Impact
This operation might cause service interruption.
Procedure
1. From the navigation pane, select System > Maintenance > Reboot.
Contents
Introduction ··· 1
Objects ··· 1
APP security··· 1
Enabling the bypass feature··· 1
Activating configuration ··· 1
Submitting configuration changes ··· 2
Network ··· 2
Interfaces ··· 2
Shutting down an interface··· 2
System ··· 3
IRF ··· 3
Changing the member ID of an IRF member device··· 3
Binding a physical interface to an IRF port ··· 3
Contexts ··· 4
Stopping a context ··· 4
Upgrade center ··· 5
Updating the signature library ··· 5
Upgrading the software ··· 5
Administrators ··· 6
Locking a user account permanently after it consecutively fails the maximum number of login attempts ··· 6
Configuration management ··· 6
Restoring the factory defaults ··· 6
Reboot··· 7
Introduction
This guide contains important information that if not understood or followed can result in undesirable situations, including:
• Unexpected shutdown or reboot of devices or cards.
• Service anomalies or interruption.
• Loss of data, configuration, or important files.
• User login failure or unexpected logoff.
Only trained and qualified personnel are allowed to do the configuration tasks described in this guide.
Before you configure your device, read the information in this document carefully.
This document applies to load balancing products. The webpages might be slightly different depending on the software or hardware version of the load balancing products.
Objects
APP security
Enabling the bypass feature
Impact
After the bypass feature is enabled, the system does not perform DPI on received packets. This might cause disruptions of DPI-based services. For example, the Layer 7 load balancing service cannot load share the traffic of applications.
Procedure
1. On the top navigation bar, click Objects.
2. From the navigation pane, select App Security > Advanced Settings.
3. In the Bypass area, select Enable.
Activating configuration
Impact
This operation might cause disruptions of the DPI service and other DPI-based services. For example, the Layer 7 load balancing service cannot load share the traffic of applications.
Procedure
1. On the top navigation bar, click Objects.
2. From the navigation pane, select App Security > Advanced Settings.
Submitting configuration changes
Impact
This operation might cause disruptions of the DPI service and other DPI-based services. For example, the Layer 7 load balancing service cannot load share the traffic of applications.
Procedure
1. On the top navigation bar, click Objects.
2. From the navigation pane, select App Security > IPS > Profiles.
3. Click Submit to submit the configuration changes of the IPS profiles.
4. Use the same procedure to submit the configuration changes of the profiles for other DPI services, such as anti-virus.
Network
Interfaces
Shutting down an interface
Impact
Shutting down an interface disconnects the links attached to the interface and might cause communication disruption.
Procedure
1. From the navigation pane, select Network > Interface Configuration > Interfaces.
System
IRF
Changing the member ID of an IRF member device
Impact
On an IRF fabric, an IRF member ID change can invalidate member ID-related settings and cause data loss.
The new member ID takes effect at reboot. After the device reboots, the settings on all member ID-related physical resources (including common physical network interfaces) are removed, regardless of whether you have saved the configuration.
Procedure
1. On the top navigation bar, click System.
2. From the left navigation pane, select Virtualization > IRF.
3. Click the Settings icon for an IRF member device.
4. Change the member ID of the IRF member device on the page that opens.
Binding a physical interface to an IRF port
Impact
This operation causes service interruption on the physical interface.
Procedure
1. On the top navigation bar, click System.
2. From the left navigation pane, select Virtualization > IRF.
3. Click the Settings icon for an IRF port.
4. Bind a physical interface to the IRF port on the page that opens.
Contexts
Stopping a context
Impact
Stopping a context interrupts all services running on that context and automatically logs off all users from that context.
Procedure
1. On the top navigation bar, click System.
2. From the left navigation pane, select Virtualization > Contexts > Contexts.
Upgrade center
Updating the signature library
Impact
This operation will temporarily interrupt DPI services and DPI-based services. For example, a security policy for DPI will be unable to provide application-based access control while the signature library is being updated. As a best practice, schedule the update for off-peak hours.
Procedure
1. On the top navigation bar, click System.
2. From the left navigation pane, select Upgrade Center > Signature Upgrade.
3. On the page that opens, select an update operation in the Actions column for a signature library.
Upgrading the software
Impact
This operation will interrupt services during the upgrade.
Procedure
1. On the top navigation bar, click System.
2. From the left navigation pane, select Upgrade Center > Software Upgrade.