Fw1000 Series Firewall

The document provides a user guide for the DPtech FW1000 Series Firewall Products. It describes the product overview, system and network management features, firewall configuration, and other functions to help users understand and configure the firewall device.

DPtech FW1000 Series Firewall Products

User Configuration Guide v1.0

Hangzhou DPtech Technologies Co., Ltd. provides full-range technical support.

If you need any help, please contact Hangzhou DPtech Technologies Co., Ltd. and its sales agent, according to where you purchased the products.

Hangzhou DPtech Technologies Co., Ltd.


Address: 6th Floor, Zhongcai Mansion, 68 Tonghelu, Binjiangqu, Hangzhoushi
Postal code: 310051

Declaration

Copyright 2011
Hangzhou DPtech Technologies Co., Ltd.
All rights reserved.

No part of this manual may be extracted or copied by any company or individual without written permission, or transmitted by any means.

Owing to product upgrades or other reasons, the information in this manual is subject to change. Hangzhou DPtech Technologies Co., Ltd. has the right to modify the content of this manual. As this is a user guide, Hangzhou DPtech Technologies Co., Ltd. has made every effort in the preparation of this document to ensure the accuracy of its contents, but the statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Table of Contents
CHAPTER 1 PRODUCT OVERVIEW 1-5

1.1 PRODUCT INTRODUCTION 1-5


1.2 WEB MANAGEMENT 1-5
1.2.1 LOGGING IN TO THE WEB MANAGEMENT INTERFACE 1-5
1.2.2 WEB INTERFACE LAYOUT 1-6

CHAPTER 2 SYSTEM MANAGEMENT 2-8

2.1 INTRODUCTION TO SYSTEM MANAGEMENT 2-8


2.2 DEVICE MANAGEMENT 2-9
2.2.1 DEVICE INFORMATION 2-9
2.2.2 DEVICE STATUS 2-10
2.2.3 DEVICE CONFIGURATION 2-12
2.3 SNMP CONFIGURATION 2-15
2.3.1 SNMP VERSION CONFIGURATION 2-16
2.4 RMON CONFIGURATION 2-19
2.4.1 ALARM 2-19
2.4.2 HISTORY 2-20
2.5 ADMINISTRATOR 2-21
2.5.1 INTRODUCTION TO ADMINISTRATOR 2-21
2.5.2 AUTHORITY MANAGEMENT 2-27
2.5.3 WEB ACCESS PROTOCOL 2-28
2.5.4 LIMITED INTERFACE SERVICE 2-28
2.5.5 REMOTE USER 2-29
2.6 CONFIGURATION FILE 2-30
2.7 HOT PATCHING 2-32
2.8 SIGNATURE DATABASE 2-33
2.8.1 APP SIGNATURE 2-33
2.8.2 URL CLASSIFICATION FILTERING SIGNATURE 2-36
2.8.3 AV SIGNATURE 2-39
2.8.4 IPS SIGNATURE 2-39
2.8.5 LICENSE MANAGEMENT 2-40
2.9 SOFTWARE VERSION 2-41
2.10 NTP 2-42
2.11 VIRTUAL MANAGEMENT SYSTEM 2-44
2.11.1 VIRTUAL MANAGEMENT SYSTEM CONFIGURATION 2-44
2.11.2 VIRTUAL MANAGEMENT SYSTEM PARAMETER SETTINGS 2-44
2.12 OVC 2-45
2.13 VRF 2-45
2.14 DIGITAL CERTIFICATE 2-46
2.14.1 INTRODUCTION TO DIGITAL CERTIFICATE 2-46
2.14.2 CERTIFICATE MANAGEMENT 2-49
2.15 INSTALLATION PACKAGE 2-52
2.16 MANAGEMENT CENTER 2-53

CHAPTER 3 NETWORK MANAGEMENT 3-54

3.1 INTRODUCTION TO NETWORK MANAGEMENT 3-54


3.2 INTERFACE MANAGEMENT 3-55
3.2.1 NETWORKING CONFIGURATION 3-55
3.2.2 VLAN CONFIGURATION 3-56
3.2.3 INTERFACE CONFIGURATION 3-57
3.2.4 PORT AGGREGATION 3-58
3.2.5 PORT MIRRORING 3-59
3.2.6 LOGIC INTERFACE 3-59
3.2.7 GRE 3-61
3.3 3G DIAL-UP 3-61
3.4 NETWORK OBJECT 3-62
3.4.1 SECURITY ZONE 3-62
3.4.2 IP ADDRESS 3-64
3.4.3 IPV6 ADDRESS 3-66
3.4.4 MAC ADDRESS 3-66
3.4.5 MAC ADDRESS MANAGE 3-67
3.4.6 ACCOUNT 3-68
3.4.7 DOMAIN NAME 3-69
3.4.8 SERVICE 3-69
3.5 FORWARDING 3-70
3.5.1 FORWARDING 3-70
3.5.2 FORWARDING MODE 3-71
3.5.3 NEIGHBOR DISCOVER 3-71
3.6 TRANS_TECH 3-72
3.6.1 DS_LITE 3-72
3.7 6TO4 TUNNEL 3-72
3.8 AUTOCONFIG 3-73
3.8.1 STATELESS CONFIGURATION 3-73
3.9 IPV4 UNICAST ROUTING 3-73
3.9.1 IPV4 UNICAST ROUTING 3-73
3.9.2 CONFIGURE STATIC ROUTE 3-73
3.10 ROUTING TABLE 3-75
3.10.1 BASIC ROUTING TABLE 3-75
3.10.2 DETAILED ROUTING TABLE 3-76
3.10.3 EQUAL-COST ROUTE 3-77
3.10.4 BGP 3-78
3.10.5 RIP 3-82
3.10.6 OSPF 3-84
3.10.7 IS-IS 3-88
3.10.8 GUARD ROUTE 3-91
3.11 IPV6 UNICAST ROUTING 3-92
3.11.1 STATIC ROUTE 3-92
3.11.2 RIPNG 3-94
3.11.3 OSPFV3 3-96
3.11.4 GUARD ROUTE 3-101
3.12 IPV4 MULTICAST ROUTING 3-101
3.12.1 BASIC CONFIG 3-101
3.12.2 IGMP SNOOPING 3-102
3.12.3 IGMP/IGMP PROXY 3-104
3.12.4 PIM 3-106
3.12.5 MSDP 3-111
3.12.6 MULTICAST VPN 3-113
3.12.7 MULTICAST SOURCE PROXY 3-113
3.12.8 MULTICAST SOURCE NAT 3-113
3.12.9 MULTICAST DESTINATION NAT 3-113
3.12.10 MULTICAST STATIC ROUTING 3-114
3.12.11 MULTICAST ROUTING TABLE 3-114
3.13 IPV6 MULTICAST ROUTING 3-116
3.13.1 BASIC CONFIG 3-116
3.13.2 MLD 3-116
3.13.3 PIM 3-117
3.13.4 PIM MULTICAST ROUTING TABLE 3-120
3.14 POLICY-BASED ROUTING 3-121
3.14.1 INTRODUCTION TO POLICY-BASED ROUTING 3-121
3.14.2 IPV6 POLICY-BASED ROUTING 3-121
3.14.3 IPV4 POLICY-BASED ROUTING 3-122
3.15 MPLS 3-124
3.15.1 MPLS CONFIGURATION 3-124
3.15.2 STATIC FTN/ILM 3-124
3.15.3 LDP 3-125
3.15.4 L2VPN CONFIGURATION 3-126
3.16 ARP CONFIGURATION 3-128
3.16.1 DISPLAY ARP 3-128
3.16.2 ANTI-ARP-SNOOPING 3-129
3.17 MAC ADDRESS MANAGE 3-130
3.18 DNS CONFIGURATION 3-131
3.18.1 INTRODUCTION TO DNS 3-131
3.18.2 DNS 3-131
3.19 DHCP CONFIGURATION 3-131
3.19.1 INTRODUCTION TO DHCP 3-131
3.19.2 DHCP SERVER 3-132
3.19.3 DHCPV6 SERVER 3-134
3.19.4 DHCP RELAY AGENT 3-134
3.19.5 DHCP IP ADDRESS TABLE 3-135
3.20 BFD 3-135
3.20.1 BFD CONFIGURATION 3-135
3.20.2 BFD SESSION 3-136
3.20.3 BFD MANUAL 3-137
3.21 BASIC WIRELESS 3-137
3.22 DIAGNOSTIC TOOLS 3-138
3.22.1 PING 3-138
3.22.2 TRACEROUTE 3-138
3.22.3 CAPTURE 3-139
3.23 LAN SWITCH 3-139
3.23.1 SPANNING TREE 3-139

CHAPTER 4 FIREWALL 4-143

4.1 INTRODUCTION TO THE FIREWALL 4-143


4.2 PACKET FILTERING POLICY 4-144
4.2.1 PACKET FILTERING POLICY 4-144
4.2.2 PACKET FILTERING POLICY LOG 4-147
4.3 IPV6 PACKET FILTERING POLICY 4-147
4.3.1 IPV6 PACKET FILTERING POLICY 4-147
4.3.2 IPV6 PACKET FILTERING LOG 4-148
4.4 NAT 4-148
4.4.1 INTRODUCTION TO NAT 4-148
4.4.2 SOURCE NAT 4-148
4.4.3 DESTINATION NAT 4-149
4.4.4 ONE TO ONE NAT 4-150
4.4.5 N TO N NAT 4-151
4.5 NAT64 4-152
4.5.1 NAT64 PREFIX 4-153
4.5.2 NAT64 ADDRESS 4-153
4.5.3 ADDRESS POOL 4-153
4.6 NAT66 4-154
4.6.1 SOURCE NAT 4-154
4.6.2 DESTINATION NAT 4-154
4.6.3 ADDRESS POOL 4-154
4.7 DS_LITE_NAT 4-155
4.7.1 DS_LITE_NAT 4-155
4.7.2 ADDRESS POOL 4-155
4.8 ALG CONFIGURATION 4-155
4.8.1 ALG CONFIGURATION 4-156
4.8.2 USER-DEFINED LOG 4-156
4.9 BASIC ATTACK PROTECTION 4-156
4.9.1 BASIC ATTACK PROTECTION 4-156
4.9.2 BASIC ATTACK LOG QUERY 4-158
4.10 NETWORK ACTION MANAGE 4-159
4.11 SESSION LIMIT 4-159
4.12 SERVICE LIMIT 4-160
4.13 BLACKLIST 4-160
4.13.1 IPV4 BLACK LIST CONFIGURATION 4-160
4.13.2 IPV6 BLACK LIST CONFIGURATION 4-161
4.13.3 BLACK LIST QUERY 4-161
4.13.4 BLACKNAME LOG QUERY 4-162
4.14 MAC/IP BINDING 4-162
4.14.1 MAC/IP BINDING 4-162
4.14.2 AUTO LEARNING 4-162
4.14.3 USER MAC BINDING 4-166
4.14.4 USER/IP BINDING 4-165
4.14.5 BINDING LOG QUERY 4-167
4.15 SESSION MANAGEMENT 4-169
4.15.1 SESSION LIST 4-169
4.15.2 SESSION PARAMETER 4-170
4.15.3 SESSION MONITORING 4-171
4.15.4 SESSION LOG CONFIGURATION 4-171
4.16 QOS 4-173
4.16.1 VIP BANDWIDTH GUARANTEE
4.16.2 TRAFFIC CLASSIFICATION 4-174
4.16.3 CONGESTION AVOIDANCE 4-176
4.16.4 CONGESTION MANAGEMENT 4-178
4.16.5 TRAFFIC SHAPING 4-179
4.17 ANTI-ARP-SPOOFING 4-179
4.17.1 ANTI-ARP-SPOOFING 4-179
4.17.2 ARP CONFIGURATION 4-180

CHAPTER 5 LOG MANAGEMENT 5-181

5.1 INTRODUCTION TO THE LOG MANAGEMENT 5-181


5.2 SYSTEM LOG 5-182
5.2.1 LATEST LOG 5-182
5.2.2 SYSTEM LOG QUERY 5-183
5.2.3 SYSTEM LOG FILE OPERATION 5-184
5.2.4 SYSTEM LOG CONFIGURATION 5-185
5.3 OPERATION LOG 5-186
5.3.1 LATEST LOG 5-186
5.3.2 OPERATION LOG QUERY 5-187
5.3.3 LOG FILE OPERATION 5-188
5.3.4 OPERATION LOG CONFIGURATION 5-189
5.4 SERVICE LOG 5-190
5.4.1 SERVICE LOG CONFIGURATION 5-190

CHAPTER 6 LOAD BALANCING 6-192

6.1 LINK LOAD BALANCING 6-192


6.1.1 INTRODUCTION TO LINK LOAD BALANCING 6-192
6.1.2 LINK LOAD BALANCING 6-192
6.1.3 LINK HEALTH CHECK 6-193
6.1.4 ISP 6-194

CHAPTER 7 ACCESS CONTROL 7-195

7.1 RATE LIMITATION 7-195


7.1.1 INTRODUCTION TO THE RATE LIMITATION 7-195
7.1.2 RATE LIMIT 7-196
7.1.3 SINGLE USER LIMIT 7-197
7.1.4 GROUP MANAGEMENT 7-199
7.1.5 NETWORK APPLICATION BROWSING 7-200
7.1.6 TYPICAL CONFIGURATION FOR THE RATE LIMITATION 7-200
7.2 ACCESS CONTROL 7-202
7.2.1 INTRODUCTION TO THE ACCESS CONTROL 7-202
7.2.2 ACCESS CONTROL 7-203
7.2.3 GROUP MANAGEMENT 7-203
7.2.4 TYPICAL CONFIGURATION FOR THE ACCESS CONTROL 7-205
7.3 URL FILTERING 7-207
7.3.1 URL CLASSIFICATION FILTERING 7-207
7.3.2 CUSTOMIZE URL CLASSIFICATION 7-208
7.3.3 ADVANCED URL FILTERING 7-209
7.3.4 URL FILTER PAGE PUSH 7-210
7.3.5 TYPICAL CONFIGURATION FOR THE RATE LIMITATION 7-211
7.4 SQL INJECTION PROTECTION 7-214

CHAPTER 8 VPN 8-214

8.1.1 INTRODUCTION TO IPSEC 8-215


8.1.2 IPSEC SYSCONFIG 8-215
8.1.3 IPSEC POLICY MODE 8-218
8.1.4 IPSEC ROUTE MODE 8-218
8.1.5 NET PROTECT 8-219
8.1.6 SA 8-219
8.1.7 IPSEC INTERFACE 8-219
8.2 L2TP 8-219
8.2.1 INTRODUCTION TO L2TP 8-219
8.2.2 L2TP 8-220
8.2.3 L2TP USER AUTHENTICATION 8-221
8.2.4 L2TP IP POOL 8-221
8.2.5 L2TP ONLINE STATUS 8-222
8.3 PPTP 8-222
8.4 GRE 8-223
8.4.1 INTRODUCTION TO THE GRE 8-223
8.4.2 GRE CONFIGURATION 8-223
8.5 SMAD 8-225
8.5.1 SMAD 8-225
8.5.2 SMAD BLACKLIST 8-225
8.5.3 SMAD LOG 8-225
8.6 SSL VPN 8-226
8.6.1 INTRODUCTION TO THE SSL VPN 8-226
8.6.2 SSL VPN 8-226
8.6.3 RESOURCES 8-228
8.6.4 USER MANAGEMENT 8-229
8.6.5 AUTHENTICATION KEY 8-229
8.6.6 SECURITY POLICY 8-230
8.6.7 LOG MANAGEMENT 8-231
8.6.8 REPORT FORMS 8-232

CHAPTER 9 ONLINE BEHAVIOR MANAGEMENT 9-234

9.1 INTRODUCTION TO ONLINE BEHAVIOR MANAGEMENT 9-234


9.2 TRAFFIC ANALYSIS 9-234
9.2.1 TRAFFIC ANALYSIS 9-234
9.3 BEHAVIOR ANALYSIS 9-235
9.3.1 POLICY CONFIGURATION 9-235
9.3.2 ADVANCED CONFIGURATION 9-236
9.3.3 KEYWORD FILTERING 9-236

CHAPTER 10 PORTAL AUTHENTICATION 10-239

10.1 INTRODUCTION TO THE PORTAL AUTHENTICATION 10-239


10.1.1 AUTHENTICATION CONFIG 10-239
10.1.2 WEB AUTHENTICATION NOTICE 10-243
10.1.3 WEB LISTEN 10-244
10.1.4 PROSCENIUM MANAGEMENT 10-244
10.1.5 TERMINAL MANAGEMENT 10-246
10.1.6 ONLINE USER 10-248
10.1.7 LOCAL ACCOUNT USER 10-249
10.1.8 BLACKNAME LIST 10-250
10.1.9 REMOTE SYNCHRONIZATION 10-250

CHAPTER 11 IDS INTEGRATION 11-252

11.1 INTRODUCTION 11-252


11.2 IDS INTEGRATION 11-252
11.2.1 DISPLAY IDS COOPERATION LOG 11-252

CHAPTER 12 HIGH AVAILABILITY 12-253

12.1 VRRP 12-253


12.1.1 INTRODUCTION TO VRRP GROUP 12-253
12.1.2 MONITOR IP ADDRESS OBJECT 12-255
12.1.3 MONITORING 12-256
12.1.4 BFD OPTION 12-256

12.2 OVERFLOW 12-257
12.2.1 OVERFLOW PROTECT 12-257
12.3 HOT STANDBY 12-257
12.3.1 HOT STANDBY 12-257
12.3.2 HANDWORK SYNCHRONIZATION 12-258
12.3.3 BACKUP REBOOT 12-258
12.3.4 INTERFACE SYNCHRONIZATION GROUP 12-259

List of Figures
Figure 1-1 WEB Management Interface 1-6
Figure 1-2 Deploying of WEB Interface 1-7
Figure 2-1 System menu 2-9
Figure 2-2 Device information 2-10
Figure 2-3 Device status 2-11
Figure 2-4 Device information settings 2-12
Figure 2-5 System name 2-12
Figure 2-6 System time settings 2-13
Figure 2-7 System threshold 2-13
Figure 2-8 Enable remote diagnostics 2-14
Figure 2-9 Set frame gap 2-14
Figure 2-10 System parameter 2-15
Figure 2-11 Clear database 2-15
Figure 2-12 SNMP 2-16
Figure 2-13 Device information 2-17
Figure 2-14 SNMP version configuration 2-18
Figure 2-15 IP address list 2-18
Figure 2-16 Alarm 2-19
Figure 2-17 Alarm_stat 2-19
Figure 2-18 History 2-20
Figure 2-19 History_stat 2-20
Figure 2-20 RMON log 2-21
Figure 2-21 Current administrator 2-21
Figure 2-22 Administrator settings 2-22
Figure 2-23 Administrator authentication settings 2-24
Figure 2-24 Login parameter settings 2-26
Figure 2-25 Authority management 2-27
Figure 2-26 WEB access protocol 2-28
Figure 2-27 Interface service 2-29
Figure 2-28 Remote user 2-29
Figure 2-29 Configuration file 2-31
Figure 2-30 Hot patching 2-33
Figure 2-31 APP signature 2-33
Figure 2-32 Signature version information 2-33
Figure 2-33 Auto-upgrade settings 2-34
Figure 2-34 Manual upgrade 2-35
Figure 2-35 Upgrade progress interface 2-36
Figure 2-36 URL classification filtering signature 2-36
Figure 2-37 Signature version information 2-37
Figure 2-38 Auto-upgrade settings 2-37
Figure 2-39 Manual upgrade 2-38
Figure 2-40 Upgrade progress interface 2-39
Figure 2-41 AV signature 2-39
Figure 2-42 IPS signature 2-40
Figure 2-43 License management 2-40
Figure 2-44 Software version 2-41
Figure 2-45 NTP configuration 2-42
Figure 2-46 NTP client configuration 2-43
Figure 2-47 Virtual management system 2-44
Figure 2-48 Virtual management system parameter settings 2-44
Figure 2-49 OVC configuration 2-45
Figure 2-50 Virtual system 2-45
Figure 2-51 Certification configuration 2-46
Figure 2-52 Device information configuration 2-47
Figure 2-53 CA server configuration 2-48
Figure 2-54 CRL server configuration 2-49
Figure 2-55 Certificate management 2-50
Figure 2-56 Key management 2-50
Figure 2-57 Certificate application 2-51
Figure 2-58 Certificate management 2-51
Figure 2-59 CRL management 2-52
Figure 2-60 Install option 2-52
Figure 2-61 Management center 2-53
Figure 3-1 Manage center 3-55
Figure 3-2 Networking configuration 3-56
Figure 3-3 VLAN Interface configuration 3-56
Figure 3-4 VLAN frame manage 3-57
Figure 3-5 Interface configuration 3-57
Figure 3-6 Interface rate beyond warning 3-58
Figure 3-7 Port aggregation configuration 3-58
Figure 3-8 Aggregation group status 3-58
Figure 3-9 Local mirroring 3-59
Figure 3-10 Remote source mirroring 3-59
Figure 3-11 Remote destination mirroring 3-59
Figure 3-12 Sub interface configuration 3-60
Figure 3-13 Loopback interface configuration 3-60
Figure 3-14 PPP interface configuration 3-60
Figure 3-15 Template interface 3-60
Figure 3-16 IPsec interface 3-61
Figure 3-17 GRE 3-61
Figure 3-18 3G dial-up 3-61
Figure 3-19 Security zone 3-62
Figure 3-20 Network diagram for configuring security zones 3-63
Figure 3-21 IP address object 3-65
Figure 3-22 IP address object group 3-65
Figure 3-23 IPv6 address 3-66
Figure 3-24 MAC address 3-67
Figure 3-25 MAC address group 3-67
Figure 3-26 MAC address manage 3-68
Figure 3-27 Account user 3-68
Figure 3-28 Domain name 3-69
Figure 3-29 Predefined service object 3-70
Figure 3-30 User-defined service object 3-70
Figure 3-31 Service object group 3-70
Figure 3-32 Forwarding 3-71
Figure 3-33 Forwarding mode 3-71
Figure 3-34 Neighbor discover 3-71
Figure 3-35 DS_Lite 3-72
Figure 3-36 6to4 tunnel 3-72
Figure 3-37 Stateless configuration 3-73
Figure 3-38 Configure static route 3-74
Figure 3-39 Health check 3-75
Figure 3-40 Basic routing table 3-76
Figure 3-41 Detailed routing table 3-77
Figure 3-42 Equal-cost route 3-78
Figure 3-43 Configure BGP 3-78
Figure 3-44 Configure BGP-VPN 3-80
Figure 3-45 BGP neighbor information 3-81
Figure 3-46 Configure RIP 3-82
Figure 3-47 Display RIP state 3-83
Figure 3-48 Configure OSPF 3-84
Figure 3-49 OSPF interface information 3-87
Figure 3-50 OSPF neighbor information 3-87
Figure 3-51 Configure IS-IS 3-89
Figure 3-52 IS-IS neighbor 3-90
Figure 3-53 ISIS LSP 3-91
Figure 3-54 Guard route 3-91
Figure 3-55 Static route 3-92
Figure 3-56 Basic routing table 3-93
Figure 3-57 Detailed routing table 3-94
Figure 3-58 RIPng configuration 3-95
Figure 3-59 OSPFv3 configuration 3-97
Figure 3-60 OSPFv3 area configuration 3-97
Figure 3-61 OSPFv3 advanced configuration 3-98
Figure 3-62 OSPFv3 neighbor information 3-99
Figure 3-63 OSPFv3 neighbor information 3-100
Figure 3-64 Guard route 3-101
Figure 3-65 Basic config 3-101
Figure 3-66 IGMP_Snooping 3-102
Figure 3-67 IGMP snooping proxy 3-103
Figure3-68 IGMP snooping routing ................................................................................................................... 3-104
Figure3-69 IGMP proxy ..................................................................................................................................... 3-104
Figure3-70 IGMP SSM mapping........................................................................................................................ 3-104
Figure3-71 IGMP Proxy ..................................................................................................................................... 3-105
Figure3-72 IGMP status ..................................................................................................................................... 3-106
Figure3-73 PIM .................................................................................................................................................. 3-107
Figure3-74 Static RP configuration .................................................................................................................... 3-107
Figure3-75 Candidate RP configuration ............................................................................................................. 3-108
Figure3-76 PIM interface configuration ............................................................................................................. 3-108
Figure3-77 Admin scope zone ............................................................................................................................ 3-109
Figure3-78 PIM status ........................................................................................................................................ 3-110
Figure3-79 BSR status ........................................................................................................................................ 3-111
Figure3-80 RP-Mapping ..................................................................................................................................... 3-111
Figure3-81 MSDP............................................................................................................................................... 3-112
Figure3-82 Peer status ........................................................................................................................................ 3-112
Figure3-83 Cache status ..................................................................................................................................... 3-112
Figure3-84 Multicast VPN ................................................................................................................................. 3-113
Figure3-85 Multicast source proxy ..................................................................................................................... 3-113
Figure3-86 Multicast source NAT ...................................................................................................................... 3-113
Figure3-87 Multicast destination NAT ............................................................................................................... 3-114
Figure3-88 Multicast static routing .................................................................................................................... 3-114
Figure3-89 Multicast routing table ..................................................................................................................... 3-114
Figure3-90 PIM multicast routing table.............................................................................................................. 3-115
Figure3-91 IGMP multicast routing table .......................................................................................................... 3-115
Figure3-92 IGMP proxy routing table ................................................................................................................ 3-115
Figure3-93 Basic config ..................................................................................................................................... 3-116
Figure3-94 MLD snooping ................................................................................................................................. 3-117
Figure3-95 MLD................................................................................................................................................. 3-117
Figure3-96 MLD status....................................................................................................................................... 3-117
Figure3-97 PIM .................................................................................................................................................. 3-118
Figure3-98 Admin scope zone ............................................................................................................................ 3-118
Figure3-99 PIM status ........................................................................................................................................ 3-119
Figure3-100 BSR status ...................................................................................................................................... 3-120
Figure3-101 RP-Mapping ................................................................................................................................... 3-120
Figure3-102 PIM multicast routing table............................................................................................................ 3-120
Figure3-103 Policy-based routing ...................................................................................................................... 3-121
Figure3-104 Monitoring ..................................................................................................................................... 3-122
Figure3-105 Policy-based routing ...................................................................................................................... 3-123
Figure3-106 Monitoring ..................................................................................................................................... 3-124
Figure3-107 Global configuration ...................................................................................................................... 3-124
Figure3-108 Static FTN ...................................................................................................................................... 3-124
Figure3-109 Static ILM ...................................................................................................................................... 3-125
Figure3-110 LDP configuration ......................................................................................................................... 3-125
Figure3-111 Display LDP neighbor ................................................................................................................... 3-125
Figure3-112 Display LDP adjacency.................................................................................................................. 3-126
Figure3-113 Display LDP interface.................................................................................................................... 3-126
Figure3-114 L2VPN configuration..................................................................................................................... 3-126
Figure3-115 SVC mode ...................................................................................................................................... 3-127
Figure3-116 CCC mode...................................................................................................................................... 3-127
Figure3-117 MARTINI mode............................................................................................................................. 3-127
Figure3-118 VPLS mode .................................................................................................................................... 3-127
Figure3-119 Display ARP .................................................................................................................................. 3-128
Figure3-120 Static ARP...................................................................................................................................... 3-128
Figure3-121 Gratuitous ARP .............................................................................................................................. 3-129
Figure3-122 Configure ARP probe period ......................................................................................................... 3-129
Figure3-123 Anti-ARP snooping ........................................................................................................................ 3-130
Figure3-124 ARP configuration ........................................................................................................................ 3-130
Figure3-125 ARP log.......................................................................................................................................... 3-130
Figure3-126 MAC address manage .................................................................................................................... 3-131
Figure3-127 DNS ............................................................................................................................................... 3-131
Figure3-128 DHCP server .................................................................................................................................. 3-132
Figure3-129 DHCPv6 server .............................................................................................................................. 3-134
Figure3-130 DHCP relay agent .......................................................................................................................... 3-134
Figure3-131 DHCP IP address table................................................................................................................... 3-135
Figure3-132 Basic wireless................................................................................................................................. 3-136
Figure3-133 Basic session .................................................................................................................................. 3-137
Figure3-134 Basic session .................................................................................................................................. 3-137
Figure3-135 Basic wireless................................................................................................................................. 3-137
Figure3-136 Ping ................................................................................................................................................ 3-138
Figure3-137 Traceroute ...................................................................................................................................... 3-139
Figure3-138 Capture ........................................................................................................................................... 3-139
Figure3-139 Spanning tree ................................................................................................................................. 3-139
Figure3-140 STP................................................................................................................................................. 3-140
Figure3-141 RSTP .............................................................................................................................................. 3-141
Figure3-142 MSTP ............................................................................................................................................. 3-141
Figure3-143 STP status....................................................................................................................................... 3-142
Figure4-1 Firewall .............................................................................................................................................. 4-144
Figure4-2 Packet filtering policy ........................................................................................................................ 4-144
Figure4-3 Configuring action ............................................................................................................................. 4-146
Figure4-4 Packet filtering policy log .................................................................................................................. 4-147
Figure4-5 IPv6 packet filtering policy ................................................................................................................ 4-148
Figure4-6 IPv6 packet filtering log..................................................................................................................... 4-148
Figure4-7 Source NAT ....................................................................................................................................... 4-149
Figure4-8 Address pool ...................................................................................................................................... 4-149
Figure4-9 Destination NAT ................................................................................................................................ 4-149
Figure4-10 One to one NAT ............................................................................................................................... 4-151
Figure4-11 N to N NAT ..................................................................................................................................... 4-152
Figure4-12 NAT64 prefix ................................................................................................................................... 4-153
Figure4-13 NAT64 address ................................................................................................................................ 4-153
Figure4-14 Address pool .................................................................................................................................... 4-153
Figure4-15 Source NAT ..................................................................................................................................... 4-154
Figure4-16 Destination NAT .............................................................................................................................. 4-154
Figure4-17 Address pool .................................................................................................................................... 4-154
Figure4-18 DS_LITE_NAT................................................................................................................................ 4-155
Figure4-19 Address pool .................................................................................................................................... 4-155
Figure4-20 ALG configuration ........................................................................................................................... 4-156
Figure4-21 User-defined log............................................................................................................................... 4-156
Figure4-22 Basic attack protection ..................................................................................................................... 4-156
Figure4-23 Basic attack log query ...................................................................................................................... 4-158
Figure4-24 Network action manage ................................................................................................................... 4-159
Figure4-25 Sessions Limit .................................................................................................................................. 4-159
Figure4-26 Service Limit .................................................................................................................................... 4-160
Figure4-27 IPv4 blacklist configuration ............................................................................................................. 4-160
Figure4-28 Blacklist query ................................................................................................................................. 4-161
Figure4-29 Black list query ................................................................................................................................ 4-161
Figure4-30 Blacklist log query ........................................................................................................................... 4-162
Figure4-31 MAC/IP Binding .............................................................................................................................. 4-164
Figure4-32 Auto learning ........................................................................................................... Error! Bookmark not defined.
Figure4-33 User MAC binding ........................................................................................................................... 4-166
Figure4-34 User/IP binding ................................................................................................................................ 4-165
Figure4-35 binding log query ............................................................................................................................. 4-168
Figure4-36 Session Management ....................................................................................................................... 4-169
Figure4-37 Session Parameter ............................................................................................................................ 4-171
Figure4-38 Session Monitoring .......................................................................................................................... 4-171
Figure4-39 Session Monitoring .......................................................................................................................... 4-172
Figure4-40 VIP bandwidth guarantee ......................................................................................... Error! Bookmark not defined.
Figure4-41 Traffic classification ........................................................................................................................ 4-174
Figure4-42 Congestion avoidance .............................................................................................. Error! Bookmark not defined.
Figure4-43 Congestion management .................................................................................................................. 4-178
Figure4-44 Traffic shaping ................................................................................................................................. 4-179
Figure4-45 Anti-ARP-Spoofing ......................................................................................................................... 4-179
Figure4-46 ARP configuration ........................................................................................................................... 4-180
Figure5-1 Log management menu ...................................................................................................................... 5-182
Figure5-2 Latest log............................................................................................................................................ 5-182
Figure5-3 System log query................................................................................................................................ 5-183
Figure5-4 System log file operation ................................................................................................................... 5-184
Figure5-5 System log configuration ................................................................................................................... 5-185
Figure5-6 Latest log............................................................................................................................................ 5-186
Figure5-7 Operation log query ........................................................................................................................... 5-187
Figure5-8 Log file operation ............................................................................................................................... 5-188
Figure5-9 Operation log configuration ............................................................................................................... 5-189
Figure5-10 Service log configuration ................................................................................................................. 5-190
Figure6-1 Interface config .................................................................................................................................. 6-193
Figure6-2 Interface config .................................................................................................................................. 6-193
Figure6-3 ISP configuration ............................................................................................................................... 6-195
Figure7-1 Access control menu .......................................................................................................................... 7-196
Figure7-2 Rate limit............................................................................................................................................ 7-196
Figure7-3 User group parameter ......................................................................................................................... 7-197
Figure7-4 Single user limit ................................................................................................................................. 7-198
Figure7-5 Rate limitation .................................................................................................................................... 7-198
Figure7-6 Group management ............................................................................................................................ 7-199
Figure7-7 Network application browsing ........................................................................................................... 7-200
Figure7-8 Access control .................................................................................................................................... 7-203
Figure7-9 Group management ............................................................................................................................ 7-204
Figure7-10 Network application browsing ......................................................................................................... 7-205
Figure7-11 URL classification filtering .............................................................................................................. 7-207
Figure7-12 Customize URL classification ......................................................................................................... 7-208
Figure7-13 Advanced URL filtering................................................................................................................... 7-209
Figure7-14 Advanced URL filtering configuration ............................................................................................ 7-210
Figure7-15 URL filter page push ........................................................................................................................ 7-211
Figure7-16 URL page push ................................................................................................................................ 7-211
Figure7-17 Advanced URL filtering................................................................................................................... 7-212
Figure7-18 SQL injection prevention ................................................................................................................. 7-214
Figure8-1 IPSec sysConfig ................................................................................................................................. 8-215
Figure8-2 IPsec policy mode .............................................................................................................................. 8-218
Figure8-3 IPsec route mode ................................................................................................................................ 8-218
Figure8-4 Net protect.......................................................................................................................................... 8-219
Figure8-5 SA ...................................................................................................................................................... 8-219
Figure8-6 IPsec interface .................................................................................................................................... 8-219
Figure8-7 L2TP configuration ............................................................................................................................ 8-220
Figure8-8 L2TP user authentication ................................................................................................................... 8-221
Figure8-9 L2TP IP pool ...................................................................................................................................... 8-222
Figure8-10 L2TP online status ........................................................................................................................... 8-222
Figure8-11 PPTP ................................................................................................................................................ 8-222
Figure8-12 GRE configuration ........................................................................................................................... 8-224
Figure8-13 SMAD .............................................................................................................................................. 8-225
Figure8-14 SMAD blacklist ............................................................................................................................... 8-225
Figure8-15 SMAD log ........................................................................................................................................ 8-225
Figure8-16 SSL VPN.......................................................................................................................................... 8-226
Figure8-17 IP pool configuration ....................................................................................................................... 8-227
Figure8-18 Domain configuration ...................................................................................................................... 8-227
Figure8-19 License management ........................................................................................................................ 8-227
Figure8-20 Portals management ......................................................................................................................... 8-228
Figure8-21 Resource configuration .................................................................................................................... 8-228
Figure8-22 Share space....................................................................................................................................... 8-228
Figure8-23 User configuration ........................................................................................................................... 8-229
Figure8-24 User status ........................................................................................................................................ 8-229
Figure8-25 Authentication key ........................................................................................................................... 8-229
Figure8-26 Security set ....................................................................................................................................... 8-230
Figure8-27 Security rule ..................................................................................................................................... 8-230
Figure8-28 Security rule group ........................................................................................................................... 8-230
Figure8-29 Policy configuration ......................................................................................................................... 8-231
Figure8-30 Log query ......................................................................................................................................... 8-231
Figure8-31 Log configuration............................................................................................................................. 8-231
Figure8-32 Log manage...................................................................................................................................... 8-231
Figure8-33 User stat form................................................................................................................................... 8-232
Figure8-34 Flux stat form ................................................................................................................................... 8-232
Figure8-35 Statistical offline users ..................................................................................................................... 8-232
Figure8-36 Online time ranking form................................................................................................................. 8-233
Figure8-37 Resource access form ....................................................................................................................... 8-233
Figure9-1 Traffic analysis................................................................................................................................... 9-234
Figure9-2 Traffic analysis................................................................................................................................... 9-234
Figure9-3 Policy configuration ........................................................................................................................... 9-235
Figure9-4 Advanced configuration ..................................................................................................................... 9-236
Figure9-5 Keyword filtering ............................................................................................................................... 9-237
Figure9-6 Keyword filtering ............................................................................................................................... 9-238
Figure10-1 Security center ............................................................................................................................... 10-239
Figure10-2 Basic authentication configuration items ....................................................................................... 10-239
Figure10-3 Webauth configuration................................................................................................................... 10-241
Figure10-4 TAC configuration ......................................................................................................................... 10-242
Figure10-5 Customer configuration ................................................................................................................. 10-243
Figure10-6 Web authentication notice.............................................................................................................. 10-243
Figure10-7 Web listen ...................................................................................................................................... 10-244
Figure10-8 Proscenium management ............................................................................................................... 10-244
Figure10-9 Online management for the hotel user. .......................................................................................... 10-245
Figure10-10 Terminal management ................................................................................................................. 10-246
Figure10-11 USB data leakage monitor ........................................................................................................... 10-247
Figure10-12 Terminal configuration ................................................................................................................ 10-247
Figure10-13 Online user ................................................................................................................................... 10-248
Figure10-14 Local Account Authentication ..................................................................................................... 10-249
Figure10-15 Blackname list .............................................................................................................................. 10-250
Figure10-16 Remote synchronization............................................................................................................... 10-251
Figure11-1 Display IDS cooperation log .......................................................................................................... 11-252
Figure12-1 High availability............................................................................................................................. 12-253
Figure12-2 VRRP configuration....................................................................................................................... 12-254
Figure12-3 Monitoring ..................................................................................................................................... 12-255
Figure12-4 Monitoring ..................................................................................................................................... 12-256
Figure12-5 BFD option..................................................................................................................................... 12-256
Figure12-6 Overflow protect ............................................................................................................................ 12-257
Figure12-7 Hot standby .................................................................................................................................... 12-257
Figure12-8 Handwork synchronization ............................................................................................................ 12-258
Figure12-9 Backup reboot ................................................................................................................................ 12-258
Figure12-10 Interface synchronization group................................................................................................... 12-259

xviii
List of Tables
Table2-1 Device information
Table2-2 Device status
Table2-3 System threshold
Table2-4 SNMPv3 configuration
Table2-5 User management
Table2-6 Current administrator
Table2-7 Administrator settings configuration items
Table2-8 Administrator authentication setting
Table2-9 Login parameter settings
Table2-10 Authority management configuration items
Table2-11 WEB access protocol
Table2-12 Interface service
Table2-13 Remote user
Table2-14 Configuration file configuration items
Table2-15 Version information
Table2-16 The auto-upgrade settings
Table2-17 Manual upgrade configuration items
Table2-18 Version information
Table2-19 The auto-upgrade settings
Table2-20 Manual upgrade configuration items
Table2-21 Software version configuration items
Table2-22 NTP server mode configuration items
Table2-23 NTP client mode
Table2-24 Virtual server setting configuration items
Table2-25 VRF configuration items
Table2-26 Device information configuration items
Table2-27 CA Server configuration items
Table2-28 CRL server configuration
Table2-29 Certification Management
Table2-30 CRL management
Table3-1 Security zone configuration items
Table3-2 IP address object configuration items
Table3-3 IP address object group
Table3-4 IP address object group
Table3-5 Account user
Table3-6 State
Table3-7 Configure static route
Table3-8 Basic routing table
Table3-9 Detailed routing table configuration items
Table3-10 BGP neighbor configuration
Table3-11 BGP advanced configuration
Table3-12 BGP advanced configuration
Table3-13 BGP-VPN configuration items
Table3-14 BGP-VPN configuration items
Table3-15 RIP interface configuration
Table3-16 RIP advanced configuration
Table3-17 OSPF advanced configuration
Table3-18 OSPF area configuration
Table3-19 OSPF interface configuration
Table3-20 OSPF interface information
Table3-21 OSPF neighbor information
Table3-22 IS-IS advanced configuration
Table3-23 IS-IS interface configuration
Table3-24 IS-IS neighbor
Table3-25 ISIS LSP
Table3-26 Basic routing table
Table3-27 Detailed routing table
Table3-28 RIPNG interface configuration
Table3-29 RIPng advanced configuration
Table3-30 OSPFv3 area configuration
Table3-31 OSPFv3 interface configuration
Table3-32 OSPFv3 advanced configuration
Table3-33 OSPFv3 interface information
Table3-34 OSPFv3 neighbor information
Table3-35 Basic config
Table3-36 IGMP snooping
Table3-37 IGMP configuration
Table3-38 IGMP Proxy
Table3-39 IGMP status
Table3-40 Candidate BSR configuration
Table3-41 Static RP configuration
Table3-42 Candidate RP configuration
Table3-43 Interface configuration
Table3-44 Global zone configuration
Table3-45 Global zone configuration
Table3-46 Basic config
Table3-47 Global zone configuration
Table3-48 Global zone configuration
Table3-49 Policy-based routing configuration items
Table3-50 Policy-based routing configuration items
Table3-51 Dynamic DHCP server configuration
Table3-52 Static DHCP server configuration
Table3-53 DHCP relay configuration
Table3-54 DHCP IP address table
Table3-55 BFD configuration
Table3-56 Select STP configuration items
Table3-57 MSTP region configuration items
Table4-1 Packet filtering policy configuration items
Table4-2 Configuring action
Table4-3 Destination NAT configuration
Table4-4 One to one NAT configuration
Table4-5 Address pool configuration
Table4-6 Basic attack protection
Table4-7 Basic attack log query
Table4-8 Blacklist configuration
Table4-9 Blacklist query
Table4-10 Blacklist log query
Table4-11 MAC/IP binding
Table4-12 Switches table
Table4-13 Auto learning
Table4-14 User/Mac binding
Table4-15 User/IP binding
Table4-16 binding log query
Table4-17 VIP bandwidth guarantee
Table4-18 Congestion avoidance
Table4-19 Congestion management
Table4-20 Anti-ARP-Spoofing
Table4-21 ARP configuration
Table5-1 Latest log
Table5-2 System log querying condition
Table5-3 System log file operation
Table5-4 System log configuration
Table5-5 Latest log
Table5-6 Operation log query
Table5-7 Back up or delete operation file
Table5-8 Operation log configuration
Table5-9 Service log configuration
Table7-1 Rate limit configuration items
Table7-2 User group parameter
Table7-3 Single user limit
Table7-4 Single user rate limit
Table7-5 Access control configuration items
Table7-6 URL classification filtering configuration items
Table7-7 Customize URL classification
Table7-8 Advanced URL filtering configuration items
Table7-9 URL filter parameter configuration items
Table7-10 SQL injection protection configuration items
Table8-1 IPSec VPN configuration
Table8-2 IPSec VPN client access mode and gateway-gateway mode
Table8-3 LNS configuration items
Table8-4 LNS configuration items
Table8-5 PNS configuration
Table8-6 Customer information
Table8-7 GRE configuration items
Table8-8 SSL VPN configuration items
Table9-1 Traffic statistic configuration items
Table9-2 Policy configuration
Table9-3 Keyword filtering configuration items
Table9-4 Keyword filtering configuration items
Table10-1 Basic authentication configuration items
Table10-2 Webauth configuration items
Table10-3 TAC configuration items
Table10-4 Customer configuration
Table10-5 Web listen configuration items
Table10-6 Proscenium management
Table10-7 Hotel user online management
Table10-8 Microsoft patch management
Table10-9 USB data leakage monitor
Table10-10 Terminal configuration items
Table10-11 Online user
Table10-12 Local account authentication
Table10-13 Local account authentication configuration items
Table11-1 Display IDS integration log configuration items
Table12-1 VRRP configuration items
Table12-2 Monitor IP address object configuration items
Table12-3 Hot standby details of the hot standby
Table12-4 Interface synchronization group

Chapter 1 Product Overview

1.1 Product Introduction

As information technology changes and networked information systems develop, government and enterprise applications are expanding from traditional small systems to critical large-scale business systems. Information security is a dynamic process: an efficient network operation platform also exposes the network to potential threats from complex IT business systems and users of different backgrounds. A firewall can therefore protect service flows and sensitive information transmitted from the inside network to the Internet, give a timely and accurate view of the security status of the network system, detect events that violate the security policy, and report logs and alarms in real time.

The DPtech FW1000 Series are next-generation products designed for enterprise, telecom and industry users, providing solutions for a variety of network environments. The DPtech FW1000 firewall combines packet filtering with VPN security protection and integrates OSPFv3 and RIP routing with source NAT and destination NAT translation. It separates the intranet from the Internet and other outside networks and restricts network communication between them so that the inner network devices are protected.

The FW1000 firewall not only provides inner network security protection in all kinds of network environments, but also has powerful application-layer features such as flow control, analysis and web page filtering. These features help enterprise administrators understand the network security status in time and discover unsafe factors (such as access violations, resource misuse, packet attacks and leaks of confidential information). Continuous, periodic signature database updates allow enterprises to obtain the newest signature database in the shortest time, which keeps the inner network as secure as possible.

1.2 WEB Management

1.2.1 Logging in to the Web Management Interface

This section introduces how to log in to the web management interface:


• Make sure that the host can communicate with the management port of the FW.
• Open an IE browser and access the IP address of the management port using HTTP.
• Type in the username and password in the interface shown in Figure1-1, and then click Login to access the Web management interface of the FW device.

Figure1-1 WEB Management Interface

! Caution:
It is recommended that you use IE 6.0 or higher. The resolution should be 1024 x 768 or higher.
<Backward>, <Forward> and <Refresh> are not supported on the Web management interface. If you use these buttons, the Web page may not be displayed properly.
By default, the name of the management port is meth0_0, and the IP address is 192.168.0.1.
Both the default username and the default password are admin. You can use the default username for the first login, but it is strongly recommended that you change your password. For how to change your password, see the Section “xxxx”.
After you log in, if you do not perform any operation within 5 minutes, the connection times out and you are returned to the login page.
Up to 5 administrators are allowed to be logged in to the Web management interface at the same time.

1.2.2 Web Interface Layout

Figure1-2 shows the main page of the Web Management Interface of the FW device.


Figure1-2 Deploying of WEB Interface

(1) Navigation bar (2) Shortcut area (3) Configuration area

• Navigation bar: Lists all of the Web management function menus. You can choose the desired function menu, which is shown in the configuration area.
• Shortcut area: Shows the directory of the current page, as well as the status of the device. This area also provides function buttons, including Collapse, Homepage, Restart, Help and Logout.
• Configuration area: Provides an area for configuring and viewing the device.

Chapter 2 System Management

2.1 Introduction to System Management

System management allows users to configure the system management functions, including:

• Device management
• SNMP configuration
• RMON configuration
• Administrator
• Configuration file
• Signature database
• Software version
• NTP configuration
• Virtual system
• VRF
• Digital certificate
• Installation package
• Centralized management

To access the system menu, select Basic > System from the navigation tree, as shown in Figure2-1.

Figure2-1 System menu

2.2 Device Management

2.2.1 Device information

The device information feature shows information about the current system and the device, including system name, system time and system time zone, memory, external memory, serial number, PCB hardware version, software version, default management interface information, CPLD hardware version, Conboot version and power.

To enter the device information page, choose Basic > System management > Device management > Device information from the navigation tree, as shown in Figure2-2.

Figure2-2 Device information

Table2-1 describes the fields of device information.

Table2-1 Device information

| Item | Description |
|---|---|
| System name | Displays the name of the system. |
| System time | Displays the current time of the system. |
| System time zone | Displays the time zone of the system. |
| Memory | Displays the memory capacity of the hardware device. |
| External memory size | Displays the type of the external memory and capacity. |
| Serial number | Displays the serial number of the hardware device. |
| PCB hardware version | Displays the hardware PCB version information. |
| Software version | Displays the version information of the system software. |
| Default management interface information | Displays the name of the default management interface and default IP address. |
| CPLD hardware version | Displays the CPLD hardware version. |
| Conboot version | Displays the Conboot version information of the system. |
| Power | Displays power supply power of the device. |

Note:
When you log in to the FW WEB management interface, the first page you see is the Device Information page.

2.2.2 Device status

The device status module displays the current health status of the system, which helps users understand CPU, memory, disk and CF card utilization, fan and power supply status, and CPU and mainboard temperature.

To enter the device status page, choose Basic > System management > Device management > Device status from the navigation tree, as shown in Figure2-3.

Figure2-3 Device status

Table2-2 describes the details of device status.

Table2-2 Device status

| Item | Description |
|---|---|
| CPU utilization | Displays real-time CPU utilization. When it exceeds the threshold, the indicator light is red. Otherwise, the indicator light is green. |
| Memory utilization | Displays real-time memory utilization. When it exceeds the threshold, the indicator light is red. Otherwise, the indicator light is green. |
| Hardware utilization | Displays real-time hardware utilization. When it exceeds the threshold, the indicator light is red. Otherwise, the indicator light is green. |
| CF Card utilization | Displays real-time CF Card utilization. When it exceeds the threshold, the indicator light is red. Otherwise, the indicator light is green. |
| Fans status | Displays real-time fans status. When one of the fans cannot work normally, the indicator light is red. Otherwise, the indicator light is green. |
| Power status | Displays real-time power status. When the power cannot work normally, the indicator light is red. Otherwise, the indicator light is green. |
| CPU temperature | Displays real-time CPU temperature. When it exceeds the threshold, the indicator light is red. Otherwise, the indicator light is green. |
| Mainboard temperature | Displays real-time mainboard temperature. When it exceeds the threshold, the indicator light is red. Otherwise, the indicator light is green. |

Note:
Hover your mouse pointer over an LED to view the real-time data. On the webpage, you can view the real-time information about CPU, memory utilization, fan and power supply status.

2.2.3 Device configuration

2.2.3.1 Device information settings

Device information settings let you modify the system name and time. Users can also modify the system thresholds according to their requirements and select whether to enable the remote diagnostic function.

To enter the device information settings page, choose Basic > System management > Device management > Device setting > Device information settings from the navigation tree, as shown in Figure2-4.

Figure2-4 Device information settings

The system name feature allows users to customize the system name, which makes the device easier to manage.
To enter the information settings page and configure the system name, choose Basic > System management > Device management > Information settings, as shown in Figure2-5.

Figure2-5 System name

To modify the system name, take the following steps:

• Select the Device Information Setting tab and type in the system name.
• After you click the Ok button, the new settings take effect immediately.

System time allows users to customize the system time so that it is synchronized with the current time.

To enter the system time interface, choose Basic > System management > Device management > Information settings from the navigation tree, as shown in Figure2-6.

Figure2-6 System time settings

To modify the system time, take the following steps:

• Select the Device Information Settings tab, and reconfigure the time zone, date and time.
• After you click the Ok button, the new settings take effect immediately.

System threshold allows users to configure the hardware utilization and temperature thresholds.
To enter the device information settings and configure the system threshold, choose Basic > System management > Device management > Information settings from the navigation tree, as shown in Figure2-7.

Figure2-7 System threshold

Table2-3 describes the configuration items of system threshold.

Table2-3 System threshold

| Item | Description |
|---|---|
| CPU usage threshold | Set the CPU usage threshold. |
| Memory usage threshold | Set the memory usage threshold. |
| Hardware usage threshold | Set the hard disk usage threshold. |
| CPU temperature threshold | Set the lower limit and upper limit of the CPU temperature threshold. |
| Mainboard temperature threshold | Set the lower limit and upper limit of the mainboard temperature threshold. |

To configure the system thresholds of the device, take the following steps:

• Select the Device Information Settings tab.
• Enter the threshold in the corresponding place.
• After you click the Ok button, the new settings take effect immediately.

Enable remote diagnostic allows users to operate the device from a non-local site, which helps resolve network failures effectively.

To enter the device information settings page and enable the remote diagnostics function, choose Basic > System management > Device management > Information settings from the navigation tree, as shown in Figure2-8.

Figure2-8 Enable remote diagnostics

The set frame gap feature allows users to set the frame gap of data frames.

To enter the device information settings page and set the frame gap, choose Basic > System management > Device management > Information settings from the navigation tree, as shown in Figure2-9.

Figure2-9 Set frame gap

! Caution:
Please configure the system thresholds according to the hardware specification and processing capacity. If there is no special requirement, adopt the default settings. When hardware utilization or the CPU or mainboard temperature exceeds its threshold, the hardware LED on the Device Status page turns from green to red. Please contact the network administrator to solve the problem.

2.2.3.2 System parameter

System parameter mainly covers the fast forwarding parameter setting, the blacklist taking effect immediately setting, the packet filtering taking effect immediately setting, and the Ac Memory Spec Set setting.

To enter the system parameter setting page, choose Basic > System management > Device management > System parameter settings, as shown in Figure2-10.

Figure2-10 System parameter

2.2.3.3 Clear database

The clear database function clears the database configuration. After the database is cleared, the device is rebooted.
To enter the clear database page, choose Basic > System management > Device management > System parameter settings, as shown in Figure2-11.

Figure2-11 Clear database

2.3 SNMP configuration

Simple Network Management Protocol (SNMP) is a framework that uses the TCP/IP protocol suite to manage devices on the Internet, providing a suite of basic operations to monitor and maintain the Internet.

2.3.1 SNMP version configuration

2.3.1.1 SNMP

Simple Network Management Protocol (SNMP) is the communication rule used between the management device and the managed devices in the network. It defines a series of messages, methods and syntax that the management device uses to access and manage the managed devices.

To enter the SNMP version configuration page, choose Basic > System management > SNMP configuration from the navigation tree, as shown in Figure2-12.

Figure2-12 SNMP

To configure the SNMP version, take the following steps:

• Select Basic > System management > SNMP configuration from the navigation tree to enter the SNMP version page.
• Click the SNMPv1, SNMPv2c or SNMPv3 checkbox.
• If you select the SNMPv1 or SNMPv2c option, configure the read community string or the read/write community string.
• Click the Ok button in the upper right corner of the webpage.

2.3.1.2 SNMPv3 configuration

Table2-4 describes the configuration items of SNMPv3.

Table2-4 SNMPv3 configuration

| Item | Description |
|---|---|
| Username | Allows you to configure a user name for SNMPv3. |
| Authenticate protocol | Determines that the message is from a valid source. Select an authenticate protocol: none, MD5 or SHA. |
| Authenticate password | Configure the authenticate password. |
| Encryption algorithm | Scrambles the contents of a packet to prevent it from being read by an unauthorized source. Select an encryption algorithm: none or DES. |
| Encryption password | Configure the encryption password. |
| User authority | Configure the user authority. |
| Operation | Click copy or delete to do the operations. |

2.3.1.3 Device information

To enter the device information page and configure the device information, you can choose Basic > System
management > SNMP configuration from navigation tree, as shown in Figure2-13.

Figure2-13 Device information

To configure the device information, take the following steps:

• Select Basic > System management > SNMP configuration from the navigation tree to enter the SNMP version interface.
• Configure the device information, including device location, contact information and trap destination host.
• Click the Ok button in the upper right corner of the webpage.

2.3.1.4 NAT Traverse

To enter the NAT traverse page and configure NAT traverse, you can choose Basic > System management >
SNMP configuration from navigation tree, as shown in Figure2-14.

Figure2-14 SNMP version configuration

To configure NAT traverse, take the following steps:

• Select Basic > System management > SNMP configuration from the navigation tree to enter the SNMP version interface.
• Configure the primary channel configuration and command channel configuration.
• Click the Ok button in the upper right corner of the webpage.

2.3.1.5 IP address list

An administrator who has been added to the IP address list can access the device.
To enter the device information page and configure the IP address list, choose Basic > System management > SNMP configuration from the navigation tree, as shown in Figure2-15.

Figure2-15 IP address list


2.4 RMON configuration

Remote Monitoring (RMON), defined by the Internet Engineering Task Force (IETF), is a kind of Management Information Base (MIB) that reinforces the MIB II standard. RMON is mainly used to monitor the traffic of one network segment or of the whole network, and is a widely used network management standard at present.

2.4.1 Alarm

2.4.1.1 Alarm

The RMON alarm group monitors specified alarm variables, such as statistics on a port. If the sampled value of the
monitored variable is bigger than or equal to the upper threshold, an upper event is triggered; if the sampled value of
the monitored variable is lower than or equal to the lower threshold, a lower event is triggered. The event is then
handled as defined in the event group.
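
The threshold logic described above, as an added example (not code from this guide or from DPtech). It also applies the re-arm rule of the RMON MIB (RFC 2819), which this page does not spell out: after an upper event, no further upper event fires until a lower event has occurred, and vice versa. The class name, thresholds and sample values are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

COUNTER32_MOD = 2 ** 32  # SNMP Counter32 objects wrap at 2^32


@dataclass
class RmonAlarm:
    """One alarm entry: an upper and a lower threshold for a monitored variable."""
    rising: int            # upper threshold
    falling: int           # lower threshold
    delta: bool = False    # True: compare the change between consecutive samples
    _prev_raw: Optional[int] = field(default=None, init=False, repr=False)
    _last_event: Optional[str] = field(default=None, init=False, repr=False)

    def __post_init__(self) -> None:
        if self.falling > self.rising:
            raise ValueError("lower threshold must not exceed upper threshold")

    def sample(self, raw: int) -> Optional[str]:
        """Feed one sampled value; return 'rising', 'falling' or None."""
        if self.delta:
            if self._prev_raw is None:
                # The first sample only establishes the baseline.
                self._prev_raw = raw
                return None
            # Modular subtraction keeps the delta correct across a counter wrap.
            value = (raw - self._prev_raw) % COUNTER32_MOD
            self._prev_raw = raw
        else:
            value = raw

        # Hysteresis: the same event type is not repeated until the opposite
        # threshold has been crossed, so a value hovering near one threshold
        # does not flood the event log.
        if value >= self.rising and self._last_event != "rising":
            self._last_event = "rising"
            return "rising"
        if value <= self.falling and self._last_event != "falling":
            self._last_event = "falling"
            return "falling"
        return None


def evaluate(alarm: RmonAlarm, samples: List[int]) -> List[Tuple[int, str]]:
    """Run a list of samples through an alarm; return (sample index, event)."""
    events = []
    for index, raw in enumerate(samples):
        event = alarm.sample(raw)
        if event is not None:
            events.append((index, event))
    return events


# Constructed absolute samples, e.g. a utilization percentage per interval.
CPU_SAMPLES = [35, 82, 91, 79, 85, 18, 12, 80]

# Constructed raw readings of an error counter that wraps between the second
# and third sample; the alarm compares per-interval deltas.
ERROR_COUNTER_SAMPLES = [4294967290, 4294967292, 150, 152]

if __name__ == "__main__":
    print(evaluate(RmonAlarm(rising=80, falling=20), CPU_SAMPLES))
    print(evaluate(RmonAlarm(rising=100, falling=5, delta=True),
                   ERROR_COUNTER_SAMPLES))
```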

To enter the RMON alarm page, you can choose Basic > System management > RMON from navigation tree, as
shown in Figure2-16.

Figure2-16 Alarm

2.4.1.2 Alarm_stat

To enter the alarm_stat device information page and configure IP address list, you can choose Basic > System
management > Alarm_stat from navigation tree, as shown in Figure2-17.

Figure2-17 Alarm_stat


2.4.2 History

2.4.2.1 History

The history group periodically collects statistics on data at interfaces and saves the statistics in the history record table for convenient querying. The statistics include bandwidth utilization, number of error packets, and total number of packets.
Once you successfully create a history entry on the specified interface, the history group starts to periodically collect statistics on packets at the specified interface. Each statistical value is a cumulative sum of packets sent/received on the interface during a sampling period.

To enter the RMON alarm page, you can choose Basic > System management > RMON from navigation tree, as
shown in Figure2-18.

Figure2-18 History

2.4.2.2 History_stat

To enter the alarm_stat device information page and configure IP address list, you can choose Basic > System
management > History_stat from navigation tree, as shown in Figure2-19.

Figure2-19 History_stat

2.4.2.3 RMON log

To enter the RMON log page, you can choose Basic > System management > RMON log, as shown in Figure2-20.


Figure2-20 RMON log

2.5 Administrator

2.5.1 Introduction to administrator

The administrator feature allows users to add, modify and delete an administrator.

Administrators log in to the web management interface with different privileges, authentication methods, and web access protocols and ports.
Table2-5 describes the configuration items of administrator.

Table2-5 User management

| Item | Description |
|---|---|
| Current administrator | Lists all administrators who have logged in to the web management interface, and allows you to kick out other administrators. |
| Administrator settings | Allows you to add, delete and modify an administrator’s password and authority, and to modify administrators other than the administrator itself. |
| Administrator authentication settings | Allows you to configure the login authentication parameters, including local authentication, Radius authentication and Tacacs Plus authentication. |
| Logon parameter | Allows you to configure the logon parameters, including the timeout settings, login lock settings and unlock time. |

2.5.1.1 Current administrator

Current administrator allows you to view the administrators who have logged in to the web management interface.
To enter the current administrator interface, choose Basic > System management > Administrator > Administrator from the navigation tree, as shown in Figure2-21.

Figure2-21 Current administrator

Table2-6 describes the details of current administrator.

Table2-6 Current administrator

| Item | Description |
|---|---|
| Administrator | Displays the name of the administrator who has logged in to the web management interface. |
| Logon time | Displays the specific time at which the administrator logged on to the device. |
| Last access time | Displays the last time when the administrator logged in to the web management interface. |
| Logon IP address | Displays the IP address of the administrator who has logged in to the web management interface. |
| Operation | Click the kick out icon to kick out an administrator. |

2.5.1.2 Administrator settings

Administrator settings allow users to add, modify and delete an administrator.

To enter the administrator settings interface, choose Basic > Administrator > Administrator from the navigation tree, as shown in Figure2-22.

Figure2-22 Administrator settings

Table2-7 describes the configuration items of the administrator settings.

Table2-7 Administrator settings configuration items

| Item | Description |
|---|---|
| Administrator | Add the administrator name in the system. Consists of alphanumeric characters, case sensitive, and must begin with letter and digit. The length must be 3 to 20 characters. |
| Password | The password that the administrator uses to log in to the device. Consists of alphanumeric characters, case sensitive, and allows the special characters ()-+=\|[]:;/_,. |
| Confirm password | The password and confirm password must be the same. If not, the system prompts you that the two passwords are inconsistent when you submit them. |
| Description | Configure the description of the administrator. Consists of alphanumeric characters, case sensitive, and allows spaces and special characters. The length of the description is from 0 to 40 characters. |
| Level | Set the administrator permission level. Different administrators log in to the web with different authorities. |
| Status | Allows you to select a status for the administrator: lock or normal. Lock: the administrator has been locked and cannot log in to the web management interface. Normal: the administrator is not locked and can log in to the web management interface. |
| Operation | Click the delete icon to delete the administrator. |

To add an administrator, take the following steps:

• To enter the administrator page, choose Basic > Administrator > Administrator from the navigation tree.
• Click the Add icon.
• In each column, type in the password, confirm password and description.
• Select the privilege for the administrator.
• Click the Ok button in the upper right corner of the webpage.

To modify an administrator, take the following steps:

• Make sure which administrator will be modified.
• If you want to modify the password of the administrator, hover your mouse pointer over the password, then click to modify the password.
• Password and confirm password must be the same.
• Click the Ok button in the upper right of the webpage.
• If you want to modify other properties of the administrator, such as description, configure range, and status, repeat the above steps.

To delete an administrator, take the following steps:

• Make sure which administrator will be deleted.
• Click the Delete button.
• Click the Ok button in the upper right corner of the webpage.

! Caution:
The default password cannot be used when you add an administrator; please configure the password according to the rule.
You cannot lock an administrator when you add it. The default status is normal. If you need to lock the administrator, lock it after you create it.
When you delete an administrator, the system will prompt you. Please use this operation carefully.

2.5.1.3 Administrator authentication setting

The administrator authentication setting page allows users to configure the authentication method used when an administrator logs in to the webpage, including local authentication and Radius authentication.
To enter the administrator authentication setting page, choose Basic > System management > Administrator from the navigation tree, as shown in Figure2-23.

Figure2-23 Administrator authentication settings

Table2-8 describes the configuration items of administrator authentication setting.

Table2-8 Administrator authentication setting

| Item | Description |
|---|---|
| Local authentication | Authenticates the administrator’s name and password through the device. |
| Radius authentication | Authenticates the administrator’s name and password through the Radius server. Configure the following parameters: server IP address; authentication port number; shared key; authentication packet timeout time; authentication packet retransmission times; user group to which the Radius authentication user belongs. |
| Tacacs Plus authentication | Authenticates the administrator’s name and password through the Tacacs Plus server. Configure the following parameters: server IP address; share key. |
| LDAP authentication | Authenticates the administrator’s name and password through Tacacs Plus server. Configure the following parameters: LDAP server version; LDAP server address; LDAP server port; username attribute name; Base DN; Administrator DN; Administrator Password. |

2.5.1.4 Login parameter settings

You can set several security parameters for logging in to the web, including timeout settings, login lock settings, unlock time and login password strength settings.

To enter the login parameter settings page, you can choose Basic > System management > Administrator from
navigation tree, as shown in Figure2-24.


Figure2-24 Login parameter settings

Table2-9 describes the details of login parameter settings.

Table2-9 Login parameter settings

| Item | Description |
|---|---|
| Idle timeout | Set the idle timeout for the current administrator. If an administrator does not perform any operation within that time, the system forcibly logs the administrator out. |
| Login lock settings | If you type in a wrong password for the administrator on consecutive attempts, the administrator will be locked. |
| Unlock time | Set how long the administrator stays locked. Lock: the specific time that you have designated for the administrator to be locked; when that time has elapsed, the administrator is unlocked automatically. Permanent: once locked, the administrator cannot unlock itself; only an administrator with system configuration permission can modify the locked administrator’s status in the “Administrator setting” column. |
| Password strength settings | Allows you to select the password strength, including high, medium and low. |
| The group to which a remote authentication user belongs | Allows you to select the configuration to which a remote authentication user belongs: Super; System configuration; Business configuration; Log configuration; Manage center configuration. |
| Remote authentication user rights | Configure the remote authentication user right. The range is from 1 to 5; 1 is the highest level. |

! Caution:
If a user has been locked, then whether or not you enter the correct password, the system prompts you that the user has been locked, please try it again later!
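
The login parameters from Table2-9 and the caution above, modelled as an added example (not code from this guide or from DPtech). The guide does not state how many consecutive failures trigger a lock, so `max_failures` is an assumed parameter, and the class names, the account name and the passwords are constructed; time is passed in explicitly so the behaviour can be checked deterministically.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LoginPolicy:
    max_failures: int               # assumption: the guide gives no number
    unlock_after: Optional[float]   # seconds locked; None models "Permanent"
    idle_timeout: float = 300.0     # 5 minutes, the default in section 1.2.1


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so the stored verifier is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AdminAccount:
    def __init__(self, name: str, password: str, policy: LoginPolicy) -> None:
        self.name = name
        self.policy = policy
        self._salt = os.urandom(16)
        self._verifier = _derive(password, self._salt)
        self.failures = 0                          # consecutive failures
        self.locked_at: Optional[float] = None
        self.last_activity: Optional[float] = None

    def _is_locked(self, now: float) -> bool:
        if self.locked_at is None:
            return False
        limit = self.policy.unlock_after
        if limit is not None and now - self.locked_at >= limit:
            # Timed lock has expired: unlock automatically.
            self.locked_at = None
            self.failures = 0
            return False
        return True

    def login(self, password: str, now: float) -> str:
        """Return 'ok', 'bad-password' or 'locked'."""
        # The lock is checked before the password, so a locked account is
        # refused even when the password is correct (see the caution above).
        if self._is_locked(now):
            return "locked"
        candidate = _derive(password, self._salt)
        if hmac.compare_digest(candidate, self._verifier):
            self.failures = 0          # only *consecutive* failures count
            self.last_activity = now
            return "ok"
        self.failures += 1
        if self.failures >= self.policy.max_failures:
            self.locked_at = now
        return "bad-password"

    def touch(self, now: float) -> bool:
        """Record an operation; False means the session had already idled out."""
        if (self.last_activity is None
                or now - self.last_activity >= self.policy.idle_timeout):
            self.last_activity = None
            return False
        self.last_activity = now
        return True

    def admin_unlock(self) -> None:
        """What an administrator with system configuration permission does."""
        self.locked_at = None
        self.failures = 0


if __name__ == "__main__":
    acct = AdminAccount("ops01", "Corr3ct(pw)",
                        LoginPolicy(max_failures=3, unlock_after=600))
    for t, pw in enumerate(["x", "y", "z", "Corr3ct(pw)"]):
        print(t, acct.login(pw, float(t)))
```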

2.5.2 Authority management

Users can log in to the web management page with different privileges, and can also log in to the web management page according to their requirements.
To enter the authority management page, choose Basic > System management > Administrator > authority from the navigation tree, as shown in Figure2-25.

Figure2-25 Authority management

Table2-10 describes the configuration items of authority management.

Table2-10 Authority management configuration items

| Item | Description |
|---|---|
| Super | The administrator has permission to log in to the Web and can configure all modules. |
| System configuration | The administrator has permission to log in to the Web and can configure the system management module and network management module, with no permission beyond system configuration. |
| Business configuration | The administrator has permission to log in to the Web and can configure the firewall module, load balancing module, access control module, VPN module, behavior analysis module, user authentication module and comprehensive module, with no permission beyond business management. |
| Log management configure range | The administrator has permission to log in to the Web and can view the service log, system log, operation log and comprehensive log, with no permission beyond log management. |
| User customize configure range | The administrator has permission to log in to the Web, and the user is allowed to customize the configuration range. |

2.5.3 WEB access protocol

On the web access protocol interface, you can configure web access protocol and port.
To enter the WEB access protocol interface, you can choose Basic > System management > Administrator >
WEB access protocol from navigation tree, as shown in Figure2-26.

Figure2-26 WEB access protocol

Table2-11 describes the configuration items of WEB access protocol.

Table2-11 WEB access protocol

| Item | Description |
|---|---|
| HTTP settings | Click the Enable HTTP checkbox and configure the port number. |
| HTTPS settings | Click the Enable HTTPS checkbox and configure the port number. If a digital certificate is configured, you can enable the administrator certificate authentication function to enhance security. |
| Connection number | Configure the connection number. The range is from 5 to 200; the default is 100. |
| IP address list | Configure the IP address range for the administrator. |

2.5.4 Limited interface service

The limited interface service module limits the login access protocols for all service interfaces, including https, http, telnet, SSH and ping.

To enter the limited interface service page, choose Basic > System management > Administrator > Interface service limit from the navigation tree, as shown in Figure2-27.

Figure2-27 Interface service

Table2-12 describes the configuration items of interface service.

Table2-12 Interface service

| Item | Description |
|---|---|
| Interface name | Allows you to select an interface to be limited. |
| Limit services | Allows you to select which kinds of access protocol are limited, including Https, Http, telnet, SSH and Ping. |
| Operation | Click the copy button or delete button to do the operations. |

2.5.5 Remote user

This page sets the remote user login method and the maximum number of remote user logins.
To enter the remote user page, choose Basic > System management > Administrator > Interface service limit from the navigation tree, as shown in Figure2-28.

Figure2-28 Remote user

Table2-13 describes the configuration items of remote user.

Table2-13 Remote user

| Item | Description |
|---|---|
| Client IP | Displays the IP address that the client used to log in to the web. |
| Client port | Displays the login user port number. |
| Login type | Displays the client login type, including telnet and SSH. |
| Client login time | Displays the client login time. |
| Last operation time | Displays the last time that the user performed an operation. |
| Operation | Click the kick out button to forcibly log the administrator out. |

! Caution:
Users can enable the Telnet and SSH methods at the same time, but only one login method can be used to log in to the device.
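
One way to review the management-plane options from sections 2.3.1 (SNMP), 2.5.3 (WEB access protocol) and 2.5.5 (remote user) together, as an added example rather than DPtech code. The dictionary layout and finding codes are hypothetical, because the guide does not document the configuration file format, and both sample configurations are constructed; the option values (none, MD5, SHA, DES) are the ones the guide lists.

```python
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str, str]   # (severity, code, explanation)


def _open_to_all(entries: Optional[List[str]]) -> bool:
    """True when an IP address list is empty or contains a catch-all network."""
    if not entries:
        return True
    return any(ip_network(e, strict=False).prefixlen == 0 for e in entries)


def audit(cfg: Dict) -> List[Finding]:
    findings: List[Finding] = []

    def add(severity: str, code: str, why: str) -> None:
        findings.append((severity, code, why))

    snmp = cfg.get("snmp", {})
    versions = set(snmp.get("versions", []))
    if versions & {"v1", "v2c"}:
        add("high", "SNMP-COMMUNITY",
            "SNMPv1/v2c community strings cross the network in clear text")
    for user in snmp.get("v3_users", []):
        auth, priv = user.get("auth", "none"), user.get("priv", "none")
        if auth == "none":
            add("high", "SNMP3-NOAUTH", f"{user['name']}: no message authentication")
        elif auth == "MD5":
            add("medium", "SNMP3-MD5", f"{user['name']}: prefer SHA over MD5")
        if priv == "none":
            add("high", "SNMP3-NOPRIV", f"{user['name']}: payload is not encrypted")
        elif priv == "DES":
            # DES is the only cipher the guide lists, so this cannot be removed
            # on the device itself; compensate with a tight IP address list.
            add("low", "SNMP3-DES", f"{user['name']}: DES has a 56-bit key")
    if versions and _open_to_all(snmp.get("ip_list")):
        add("medium", "SNMP-ANY-SOURCE", "SNMP IP address list does not restrict sources")

    web = cfg.get("web", {})
    if web.get("http"):
        add("high", "WEB-HTTP", "administrator credentials are sent over plain HTTP")
    if web.get("https") and not web.get("cert_auth"):
        add("low", "WEB-NO-CERT-AUTH", "administrator certificate authentication is off")
    if _open_to_all(web.get("ip_list")):
        add("medium", "WEB-ANY-SOURCE", "web IP address list does not restrict sources")

    if not cfg.get("default_admin_password_changed", False):
        add("critical", "DEFAULT-CRED", "admin/admin default login is still valid")
    if cfg.get("remote_login", {}).get("telnet"):
        add("high", "TELNET", "telnet logins are sent in clear text; use SSH")
    return findings


def codes(cfg: Dict) -> List[str]:
    """Finding codes only, sorted, for comparison or reporting."""
    return sorted(code for _, code, _ in audit(cfg))


# Constructed sample: weak choices for every option the guide offers.
WEAK = {
    "snmp": {"versions": ["v1", "v2c", "v3"],
             "v3_users": [{"name": "nms", "auth": "MD5", "priv": "none"}],
             "ip_list": []},
    "web": {"http": True, "https": False, "cert_auth": False,
            "ip_list": ["0.0.0.0/0"]},
    "default_admin_password_changed": False,
    "remote_login": {"telnet": True, "ssh": True},
}

# Constructed sample: the strongest choices the guide lists.
HARDENED = {
    "snmp": {"versions": ["v3"],
             "v3_users": [{"name": "nms", "auth": "SHA", "priv": "DES"}],
             "ip_list": ["192.168.0.10/32"]},
    "web": {"http": False, "https": True, "cert_auth": True,
            "ip_list": ["192.168.0.0/24"]},
    "default_admin_password_changed": True,
    "remote_login": {"telnet": False, "ssh": True},
}

if __name__ == "__main__":
    for severity, code, why in audit(WEAK):
        print(f"{severity:8} {code:18} {why}")
```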

2.6 Configuration file

The configuration file feature saves the current system configuration to your local system. If there are many devices in the network with the same configuration, you can configure one of the devices, export its configuration file to your local system, and then import the configuration file on the other devices.

To enter the configuration file page, choose Basic > System management > Administrator > Configuration file from the navigation tree, as shown in Figure2-29.

Figure2-29 Configuration file

Table2-14 describes the configuration items of configuration file.

Table2-14 Configuration file configuration items

| Item | Description |
|---|---|
| Configuration file | Displays the name of the configuration file. The first line displays the factory default configuration file. |
| Last save | Displays the last time when the configuration file was saved. |
| Software version | Displays the software version of the configuration file which you saved the last time. |
| Operation | Allows you to save, export, switch, or delete a configuration file by clicking the save icon, the export icon, the switch icon and the delete icon. You only can switch the factory default configuration file. |

To create a new configuration file, take the following steps:

• Click the New config button in the upper left corner of the webpage.
• Configure the file name in the new line of the configuration file list, and click the Save icon.

To import a configuration file and apply it, take the following steps:

• Click the Browse button beside the file path, select a configuration file to be downloaded, and click the Download button.
• The downloaded configuration file is displayed in the configuration file list. Click the switch icon to switch the configuration file.
• A pop-up window prompts you: ‘switch the configuration, after that, the device will restart, will you continue?’ Click the Ok button.

To upload your configuration file to a server, take the following steps:

• Select the TFTP or FTP protocol to be used to upload your configuration file to the server.
• Configure the server address to upload your configuration file to, such as 10.58.241.234/test.
• On the server, run the software 3CDaemon and create a new file folder, such as test.
• Click the Upload button beside the file name.

To download a configuration file, take the following steps:

• Select the TFTP or FTP protocol to be used to download a configuration file from the server.
• Configure the server address to download the configuration file from, such as 10.58.241.234/test.
• On the server, run the software 3CDaemon and select a software version to be downloaded.
• Click Download beside the file path.

To save the configuration file on your device at regular times, take the following steps:

• Enable the Time save device configuration option.
• Select unit settings.
• Select time settings.

Note:

Please refer to the above steps if you want to save, export or delete a configuration file.

2.7 Hot patching

Hot patching is a kind of fast and low cost method to repair the software defect. Compare with updating software
version, the main advantage of hot patching is the running services of the device will not be disconnected, that is,
you don’t need to reboot your device that the current software of the device can be repaired.

To enter the patch page, you can choose Basic > System management > Administrator > Patch from navigation
tree, as shown in Figure2-29.

Figure2-30 Hot patching

2.8 Signature database

2.8.1 APP signature

2.8.1.1 Introduction to the APP signature

The APP signature module displays APP signature version information and allows the user to upgrade the APP
signature database automatically or manually.
To enter the APP signature page, you can choose Basic > System management > Signature > APP Signature
from the navigation tree, as shown in Figure2-31.

Figure2-31 APP signature

2.8.1.2 Version Information

Version information displays the version information of the APP signature database.

To enter the version information page, you can choose Basic > System management > Signature > APP
signature from the navigation tree, as shown in Figure2-32.

Figure2-32 Signature version information

Table2-15 describes the details of the version information.

Table2-15 Version information

| Item | Description |
| --- | --- |
| Current version | Displays the release date, signature version and update time of the current APP signature. |
| History version | Displays the release date and signature version of the version that you updated last time. |
| Valid period | Displays when you can update the signature database. |
| Downgrade | Click the Downgrade button to downgrade the APP signature database to the previous version. |

To downgrade a signature database version, you can take the following steps:

- Click the Downgrade button in the upper right corner. The system prompts you that the signature database will
be downgraded to a history version and asks whether to continue.
- Click the Confirm button.
- After you downgrade the signature database version, the current signature version becomes the history version.

2.8.1.3 Auto-upgrade Settings

Auto-upgrade settings help the user get the newest signature database from the official website at specified
intervals, so that the signature database is updated in real time.
To enter the auto-upgrade settings interface, you can choose Basic > System management > Signature > APP
signature from the navigation tree, as shown in Figure2-33.

Figure2-33 Auto-upgrade settings

Table2-16 describes the details of auto-upgrade settings.

Table2-16 The auto-upgrade settings

| Item | Description |
| --- | --- |
| Enable Auto-upgrade | Configure whether to enable or disable the auto-upgrade function. Select the Enable auto-upgrade check box; the configuration can then be used. |
| Start time | Sets the auto-upgrade start time. |
| Time interval | Sets the auto-upgrade time interval. |
| Upgrade address | Sets the IP address for signature database auto-upgrading. |

To auto-upgrade a signature database version:

- Click Enable auto-upgrade.
- Click the start time table and then select the auto-upgrade start time.
- Select the time interval.
- After you finish the above steps, click the Save button.

2.8.1.4 Manual upgrade

Manual upgrade allows you to upgrade the signature database when you need to. You can also export a specific
signature database file from your local system and manually upgrade the signature database.
To enter the manual upgrade interface, you can choose Basic > System management > Signature > APP
Signature from the navigation tree, as shown in Figure2-34.

Figure2-34 Manual upgrade

Table2-17 describes the configuration items of the manual upgrade settings.

Table2-17 Manual upgrade configuration items

| Item | Description |
| --- | --- |
| File path | Select the file path of the signature database upgrade packet and select which upgrade packet should be downloaded. |

To manually upgrade a signature database version:

- Click the Browse button.
- Select which upgrade packet is to be downloaded.
- After you finish the above steps, click the Confirm button in the upper right corner.

Note:
During the signature database upgrade process, the page switches to the upgrade progress interface.

Figure2-35 Upgrade progress interface

2.8.2 URL classification filtering signature

2.8.2.1 Introduction to URL classification filtering signature

The URL classification filtering signature module displays URL classification filtering signature version
information and allows the user to upgrade the URL classification filtering signature database automatically or
manually.
To enter the URL classification filtering signature page, you can choose Basic > System management >
Signature > URL classification filtering from the navigation tree, as shown in Figure2-36.

Figure2-36 URL classification filtering signature

2.8.2.2 Version Information

Version information displays the version information of the URL classification filtering signature database.
To enter the version information page, you can choose Basic > System management > Signature > URL
classification filtering signature from the navigation tree, as shown in Figure2-37.

Figure2-37 Signature version information

Table2-18 describes the details of the version information.

Table2-18 Version information

| Item | Description |
| --- | --- |
| Current version | Displays the release date, signature version and update time of the current URL classification filtering signature. |
| History version | Displays the release date and signature version of the version that you updated last time. |
| Valid period | Displays when you can update the signature database. |
| Downgrade | Click the Downgrade button to downgrade the URL classification filtering signature database to the previous version. |

To downgrade a signature database version, you can take the following steps:

- Click the Downgrade button in the upper right corner. The system prompts you that the signature database will
be downgraded to a history version and asks whether to continue.
- Click the Confirm button.
- After you downgrade the signature database version, the current signature version becomes the history version.

2.8.2.3 Auto-upgrade settings

Auto-upgrade settings help the user get the newest signature database from the official website at specified
intervals, so that the signature database is updated in real time.
To enter the auto-upgrade settings page, you can choose Basic > System management > Signature > URL
classification filtering signature from the navigation tree, as shown in Figure2-38.

Figure2-38 Auto-upgrade settings

Table2-19 describes the details of auto-upgrade settings.

Table2-19 The auto-upgrade settings

| Item | Description |
| --- | --- |
| Enable Auto-upgrade | Configure whether to enable or disable the auto-upgrade function. Select the Enable auto-upgrade check box; the configuration can then be used. |
| Start time | Sets the auto-upgrade start time. |
| Time interval | Sets the auto-upgrade time interval. |
| Upgrade address | Sets the IP address for signature database auto-upgrading. |

To auto-upgrade a signature database version:

- Click Enable auto-upgrade.
- Click the start time table and then select the auto-upgrade start time.
- Select the time interval for the auto-upgrade settings.
- After you finish the above steps, click the Save button.

2.8.2.4 Manual upgrade

Manual upgrade allows you to upgrade the signature database when you need to. You can also export a specific
signature database file from your local system and manually upgrade the signature database.
To enter the manual upgrade interface, you can choose Basic > System management > Signature > URL
classification filtering signature from the navigation tree, as shown in Figure2-39.

Figure2-39 Manual upgrade

Table2-20 describes the configuration items of the manual upgrade settings.

Table2-20 Manual upgrade configuration items

| Item | Description |
| --- | --- |
| File path | Select the file path of the signature database upgrade packet and select which upgrade packet should be downloaded. |

To manually upgrade a signature database version:

- Click the Browse button.
- Select which upgrade packet is to be downloaded.
- After you finish the above steps, click the Confirm button in the upper right corner.

Note:
During the signature database upgrade process, the page switches to the upgrade progress interface.

Figure2-40 Upgrade progress interface

2.8.3 AV signature

To enter the AV signature page, you can choose Basic > System Management > Signature database > License
management from the navigation tree, as shown in Figure2-43.

Figure2-41 AV signature

2.8.4 IPS signature

To enter the IPS signature page, you can choose Basic > System Management > Signature database > IPS signature
from the navigation tree, as shown in Figure2-42.

Figure2-42 IPS signature

2.8.5 License management

The license management module is the license registration page, which allows you to import and export the
license file.
To enter the license management page, you can choose Basic > System Management > Signature database >
License management from the navigation tree, as shown in Figure2-43.

Figure2-43 License management

To export the license file to your local system:

- Click the Export File button; the system then displays a pop-up window.
- Select a file path for the license file and then click the Save button.

To import a license file from your local system:

- Click the Browse button and then select a file path for the license file.
- Select a license file to download.
- After you finish the above steps, click the Import File button.

2.9 Software version

The software version module lets you manage and upgrade the device software version.
To enter the software version interface, you can choose Basic > System Management > Software Version from
the navigation tree, as shown in Figure2-44.

Figure2-44 Software version


Table2-21 describes the configuration items of the software version.

Table2-21 Software version configuration items

| Item | Description |
| --- | --- |
| Image name | Displays the name of the software version. |
| Image version | Displays the version number of the software version. |
| Current status | Displays the status of the software version, including in use and others. |
| Operation | Click the save or delete icon to perform the operation. An in-use software version can’t be deleted. |
| The software for the next boot | Select a software version for the next boot, which will be run when you reboot your device. |
| Download IP address | Download the software version from UMC. Configure the IP address and port number for downloading the file, and then click the Reboot after finishing upgrade button. |

To download a software version file and apply it, you can take the following steps:

- Click the Browse button and select a software version to download, then click the Download button.
- The downloaded software version is displayed on the software version page. Move your mouse pointer to the
software version for the next boot; the mouse pointer becomes a pencil icon.
- Click the drop-down list and select a software version.
- After you finish the above steps, click the Ok button.
- Reboot your device. The configuration takes effect.

2.10 NTP

NTP is intended for the clock synchronization of all devices in the network, keeping time consistent for all devices,
so that the devices can provide multiple applications based on time synchronization.

To enter the NTP page, you can choose Basic > System Management > NTP from navigation tree, as shown in
Figure2-45.

Figure2-45 NTP configuration

Table2-22 describes the configuration items of NTP server mode.

Table2-22 NTP server mode configuration items

| Item | Description |
| --- | --- |
| NTP server address | Configures the NTP server IP address or domain name. |
| Master-slave server | Select whether the NTP server is a master NTP server. |
| NTP client subnet | Configures an IP segment for the NTP client. |
| Mask | Configures the subnet mask for the NTP client. |
| Authentication | Select whether to enable NTP client authentication. |
| Operation | To copy or delete an NTP configuration, click the copy icon or the delete icon. |

NTP server mode configuration steps:

- Select server mode as the NTP work mode.
- Configure the NTP server address and domain name, and select whether the server is a master server.
- Configure the NTP client segment and mask.
- Click the Ok button in the upper right corner of the webpage.

The NTP client configuration is shown in Figure2-46.

Figure2-46 NTP client configuration

Table2-23 describes the configuration items of the NTP client mode.

Table2-23 NTP client mode

| Item | Description |
| --- | --- |
| NTP server address | Configures the NTP server address and selects whether to enable authentication. |

NTP client mode configuration steps:

- Select client mode as the NTP work mode.
- Select the NTP server address or domain name.
- Select whether to enable the authentication mode.
- Click the Ok button in the upper right corner of the webpage.

2.11 Virtual management system

2.11.1 Virtual management system configuration

A virtual management system is a new system generated from the existing operating system. It has the same
functions as the original system, and you can switch back to the original system flexibly.

To enter the virtual management system page, you can choose Basic > System Management > Virtual System
from navigation tree, as shown in Figure2-47.

Figure2-47 Virtual management system

2.11.2 Virtual management system parameter settings

To enter the virtual management system parameter settings page, you can choose Basic > System Management >
Virtual management system parameter settings from navigation tree, as shown in Figure2-48.

Figure2-48 Virtual management system parameter settings

Table2-24 describes the configuration items of the virtual server setting.

Table2-24 Virtual server setting configuration items

| Item | Description |
| --- | --- |
| Name | Configure the name of the virtual system. |
| Session limit | Configure the session limit of the virtual system. |

2.12 OVC

To enter the OVC configuration page, you can choose Basic > System Management > OVC from navigation tree,
as shown in Figure2-48.

Figure2-49 OVC configuration

2.13 VRF

VPN Routing and Forwarding (VRF) is a technology used in computer networks that allows multiple instances of a
routing table to co-exist within the same router at the same time. Because the routing instances are independent, the
same or overlapping IP addresses can be used without conflicting with each other.

To enter the virtual system page, you can choose Basic > System management > VRF from navigation tree, as
shown in Figure2-50.

Figure2-50 Virtual system

Table2-25 describes the configuration items of the VRF.

Table2-25 VRF configuration items

| Item | Description |
| --- | --- |
| Enable VRF configuration | Select whether to enable VRF configuration. |
| Name | Configure the name of the virtual device. |
| Interface | Select one interface or several interfaces for each virtual interface. |
| Manage server | Select whether to enable the managing service function. |
| Operation | Click the copy icon to copy an entry of the VRF configuration. Click the delete icon to delete an entry of the VRF configuration. |
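
The isolation described at the start of this section, as an added Python example that is not DPtech code: each VRF owns its own routing table, and a lookup only ever consults the table of the VRF that the ingress interface is bound to. The VRF names, interface names, prefixes and next hops are constructed for illustration.

```python
import ipaddress


class VrfRouter:
    """One device holding several independent routing tables (VRFs)."""

    def __init__(self):
        self.tables = {}      # VRF name -> list of (network, next hop)
        self.if_to_vrf = {}   # interface name -> VRF name

    def add_vrf(self, name, interfaces):
        if name in self.tables:
            raise ValueError(f"VRF {name} already exists")
        for ifname in interfaces:
            # An interface bound to two VRFs would join their routing tables.
            if ifname in self.if_to_vrf:
                raise ValueError(
                    f"{ifname} is already bound to {self.if_to_vrf[ifname]}")
        self.tables[name] = []
        for ifname in interfaces:
            self.if_to_vrf[ifname] = name

    def add_route(self, vrf, prefix, next_hop):
        self.tables[vrf].append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, in_interface, dst):
        """Longest-prefix match inside the VRF of the ingress interface only."""
        vrf = self.if_to_vrf.get(in_interface)
        if vrf is None:
            return None   # interface is not bound to any VRF
        addr = ipaddress.ip_address(dst)
        matches = [(net, hop) for net, hop in self.tables[vrf] if addr in net]
        if not matches:
            return None   # no route here: never fall back to another VRF
        net, hop = max(matches, key=lambda m: m[0].prefixlen)
        return vrf, str(net), hop


def build_demo():
    # Constructed sample: two routing instances that both use 10.1.0.0/16.
    r = VrfRouter()
    r.add_vrf("vrf_a", ["eth0/1"])
    r.add_vrf("vrf_b", ["eth0/2"])
    r.add_route("vrf_a", "10.1.0.0/16", "192.0.2.1")
    r.add_route("vrf_a", "10.1.5.0/24", "192.0.2.5")
    r.add_route("vrf_b", "10.1.0.0/16", "198.51.100.1")
    r.add_route("vrf_b", "172.16.0.0/12", "198.51.100.9")
    return r


if __name__ == "__main__":
    router = build_demo()
    for ifname, dst in [("eth0/1", "10.1.5.7"), ("eth0/2", "10.1.5.7"),
                        ("eth0/1", "172.16.3.3"), ("eth0/9", "10.1.5.7")]:
        print(ifname, dst, "->", router.lookup(ifname, dst))
```

The same destination address resolves to a different next hop in each VRF, and a destination that is routable only in vrf_b is unreachable from an interface bound to vrf_a.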

2.14 Digital certificate

2.14.1 Introduction to digital certificate

A digital certificate is an electronic "credit card" that establishes your credentials when doing business or other
transactions on the Web. It is issued by a certification authority (CA). It contains your name, a serial number,
expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures),
and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real.

To enter the digital certificate configuration page, you can choose Basic > System management > Digital
certification > Certification configuration from navigation tree, as shown in Figure2-51.

Figure2-51 Certification configuration

Device information configuration lets you configure the basic information of the digital certificate.

To enter the device information configuration page, you can choose Basic > System management > Digital
certification > Certification configuration from navigation tree, as shown in Figure2-52.

Figure2-52 Device information configuration

Table2-26 describes the configuration items of the device information configuration.

Table2-26 Device information configuration items

| Item | Description |
| --- | --- |
| Common name | Specify a common name. The range is from 1 to 31 characters. |
| IP address | Type in the IP address of the device. |
| Country | Select a country for the device. |
| State | Configure the state for the device. |
| City | Configure the city for the device. |
| Company | Configure the company name for the device. |
| Department | Configure the department for the device. |
| RSA key length | Sets the RSA key length. |

To configure the device information, you can take the following steps:

- Configure all items of the device information configuration.
- Select the RSA key length.
- After you finish the above steps, click the Ok button in the upper right corner of the webpage.

CA server configuration is used to configure the information of the CA server.

To enter the CA server interface, you can choose Basic > System management > Digital certification >
Certification configuration from the navigation tree, as shown in Figure2-53.

Figure2-53 CA server configuration

Table2-27 describes the configuration items of CA server.

Table2-27 CA Server configuration items

| Item | Description |
| --- | --- |
| CA ID | Configure the CA ID. |
| Certificate application URL | Configure the certificate application URL. |
| How to apply for a certificate | Select how to apply for a certificate. |
| Root certificate authentication algorithm | Select the root certificate authentication algorithm. |
| Root certificate fingerprint | Set the root certificate fingerprint. |

To configure the CA server, you can take the following steps:

- Configure the CA ID.
- Configure the certificate application URL.
- Select a method of applying for a certificate.
- Configure the certificate query number and the certificate query time interval.
- After you finish the above steps, click the Ok button in the upper right corner of the webpage.
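
Before a root certificate fingerprint is entered, it can be computed independently from the CA certificate file and compared with the value the CA published. The following Python sketch is an added example, not DPtech code: MD5, SHA-1 and SHA-256 are assumed as candidate algorithms because the guide does not list the ones the device offers, and the embedded certificate bytes are a constructed placeholder, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

# Assumption: candidate algorithms; the guide does not name the device's options.
ALGORITHMS = {"md5", "sha1", "sha256"}

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate in a PEM file."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no PEM certificate block found")
    # validate=True rejects stray characters instead of silently skipping them.
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def fingerprint(der, algorithm):
    """Hex digest computed over the whole DER-encoded certificate."""
    algorithm = algorithm.lower().replace("-", "")
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return hashlib.new(algorithm, der).hexdigest()


def normalise(fp_text):
    """Accept 'AB:CD:..', 'ab cd ..' or 'abcd..' and return lowercase hex."""
    cleaned = re.sub(r"[\s:]", "", fp_text).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("fingerprint contains non-hex characters")
    return cleaned


def fingerprint_matches(pem_text, published_fp, algorithm):
    """True only if the certificate hashes to the published fingerprint."""
    actual = fingerprint(pem_to_der(pem_text), algorithm)
    expected = normalise(published_fp)
    # Full-length comparison: a truncated or prefix-only value does not match.
    return hmac.compare_digest(actual, expected)


def make_sample_pem(der):
    """Wrap bytes in PEM armour (used here only to build the sample)."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# Constructed placeholder bytes standing in for a CA certificate.
SAMPLE_DER = bytes(range(200))
SAMPLE_PEM = make_sample_pem(SAMPLE_DER)

if __name__ == "__main__":
    fp = fingerprint(SAMPLE_DER, "sha256")
    shown = ":".join(fp[i:i + 2] for i in range(0, len(fp), 2)).upper()
    print("SHA-256 fingerprint:", shown)
    print("match:", fingerprint_matches(SAMPLE_PEM, shown, "SHA-256"))
```

The published fingerprint should reach the administrator over a channel other than the one that delivered the certificate file.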

CRL server configuration is used to configure CRL server information.

To enter the CRL server configuration interface, you can choose Basic > System management > Digital
certification from the navigation tree, as shown in Figure2-54.

Figure2-54 CRL server configuration

Table2-28 describes the details of CRL server configuration

Table2-28 CRL server configuration

| Item | Description |
| --- | --- |
| How to get URL | Select how to get the URL. |
| Obtain CRL URL | Set the URL for manually configuring the CRL. |

To configure the CRL server, you can take the following steps:

- Select a method of getting the URL.
- If you select the manual configuration option, configure the Obtain CRL URL item.
- After you finish the above steps, click the Confirm button.

2.14.2 Certificate management

Certificate management is used to obtain the key of a certificate, apply for a certificate, and manage
certificates and CRLs.
To enter the certification management interface, you can choose Basic > System management > Digital
certification > Certification management from the navigation tree, as shown in Figure2-55.

Figure2-55 Certificate management

Key management is used to generate a new key for the certificate and allows you to view or hide key information.
To enter the key management page, you can choose Basic > System management > Digital certificate >
Certificate management from the navigation tree, as shown in Figure2-56.

Figure2-56 Key management

Note:
By factory default, the device does not have a certificate key.
Click the Hide key information button to view or hide the RSA public key information.

Certificate application can be used to generate certificate application information and allows you to submit a
certificate application online or offline.
To enter the certification management interface and view the certificate application, you can choose Basic >
System management > Digital certification > Certificate management from the navigation tree, as shown in
Figure2-57.

Figure2-57 Certificate application

The certificate management module provides two methods of obtaining a certificate: importing the certificate
offline and obtaining the certificate online.
To view certificate management, you can choose Basic > System management > Digital certification >
Certification application from the navigation tree, as shown in Figure2-58.

Figure2-58 Certificate management

Table2-29 describes the details of certification management.

Table2-29 Certification Management

| Item | Description |
| --- | --- |
| Certificate file name | Displays the name of the certificate file. |
| Certificate issuer | Displays the certificate issuer. |
| Certificate subject/Identification name(DN) | Displays the certificate subject or identification name (DN). |
| Certificate expiration date | Displays the expiration date of the certificate. |
| Certificate type | Displays the type of the certificate. |
| Certificate operation | The certificate can be managed as follows: click the browse icon to view the detailed information of the certificate; click the delete icon to delete a certificate file. |

CRL management provides the following functions: importing a CRL offline, starting or stopping CRL query, and
exporting CRL files. It also allows you to manage CRLs, for example to view the detailed information of a CRL or
to delete a CRL.

To enter the certificate management interface and view the CRL management, you can choose Basic > System
management > Digital certification > Certificate application from navigation tree, as shown in Figure2-59.

Figure2-59 CRL management

Table2-30 describes the details of the CRL management.

Table2-30 CRL management

| Item | Description |
| --- | --- |
| CRL file name | Displays the name of the CRL file. |
| CRL issuer | Displays the CRL issuer. |
| Current CRL update date | Displays the update date and time of the current CRL. |
| Next CRL update date | Displays the next update date and time of the CRL. |
| CRL operation | A CRL can be managed as follows: click the browse icon to view the detailed information of the CRL; click the delete icon to delete a CRL. |

2.15 Installation Package

To enter the installation package interface, you can choose Basic > System management > Installation Package
from navigation tree, as shown in Figure2-60.

Figure2-60 Install option

To download an installation package:

- Click the Browse button and select an installation package to be downloaded.
- Click the Download button.

2.16 Management center

Centralized management is a method of using one interface to manage several firewalls in the network. Just as a
single remote control can manage all the electrical appliances in your home, centralized management can greatly
simplify the administrator’s work.

To enter the centralized management page, you can choose Basic > System management > Management center
from navigation tree, as shown in Figure2-61.

Figure2-61 Management center

Chapter 3 Network Management

3.1 Introduction to network management

Network management provides the following functions related to device network management:

- Interface management
- 3G Dial-up
- Network object
- Forwarding
- IPv6_Tunnel
- IPv6 autoconfig
- IPv4 unicast routing
- IPv4 multicast routing
- IPv6 multicast routing
- Policy-based routing
- ICMP
- MPLS
- ARP
- DNS
- DHCP
- BFD
- Wireless
- Diagnostic tool
- Lan switch

To access network management menu, you can choose Basic > Network, as shown in Figure3-1.

Figure3-1 Manage center

3.2 Interface management

Interface management provides functions for configuring the network mode, such as networking configuration,
VLAN configuration, interface configuration, port aggregation, and logic interface configuration.

3.2.1 Networking configuration

Users can configure the working mode of the FW device’s interfaces according to their network mode requirements
and select the interface type. If you select Layer 2 interface, you should configure a VLAN ID for the Layer 2
interface. If you select Layer 3 interface, you should configure an IP address for the Layer 3 interface.

To enter the networking configuration page, you can choose Basic > Network > Interface management >
Networking configuration from the navigation tree, as shown in Figure3-2.

Figure3-2 Networking configuration

3.2.2 VLAN Configuration

VLAN configuration lets users configure a VLAN ID and apply the VLAN ID to an interface in Layer 2 network
mode.

3.2.2.1 VLAN Interface Configuration

To enter the VLAN interface configuration page, you can choose Basic > Network > Interface management >
VLAN interface configuration from the navigation tree, as shown in Figure3-3.

Figure3-3 VLAN Interface configuration

3.2.2.2 VLAN frame manage

To enter the VLAN frame manage page, you can choose Basic > Network > VLAN configuration > VLAN frame
manage from the navigation tree, as shown in Figure3-4.

Figure3-4 VLAN frame manage

3.2.3 Interface configuration

3.2.3.1 Interface configuration

Service interface configuration allows the user to view and modify the interface status of the device.
To enter the interface configuration page, you can choose Basic > Network > Interface management > Interface
configuration, as shown in Figure3-5.

Figure3-5 Interface configuration

3.2.3.2 Interface rate beyond warning

To enter the interface rate beyond warning page, you can choose Basic > Network > Interface management >
Interface rate beyond warning, as shown in Figure3-6.

Figure3-6 Interface rate beyond warning

3.2.4 Port aggregation

3.2.4.1 Port aggregation configuration

Port aggregation binds multiple links together to form one logical channel, which increases link bandwidth. In
addition, the bound links dynamically back each other up, which enhances link reliability.

To enter the port aggregation configuration page, you can choose Basic > Network > Interface management >
Port aggregation, as shown in Figure3-7.

Figure3-7 Port aggregation configuration

3.2.4.2 Aggregation group status

To enter the aggregation group status page, you can choose Basic > Network > Interface management > Port
aggregation status, as shown in Figure3-8.

Figure3-8 Aggregation group status

3.2.5 Port mirroring

3.2.5.1 Local mirroring

To enter the local mirroring page, you can choose Basic > Network > Interface management > Local mirroring,
as shown in Figure3-9.

Figure3-9 Local mirroring

3.2.5.2 Remote source mirroring

To enter the remote source mirroring page, you can choose Basic > Network > Interface management > Remote
source mirroring from the navigation tree, as shown in Figure3-10.

Figure3-10 Remote source mirroring

3.2.5.3 Remote destination mirroring

To enter the remote destination mirroring page, you can choose Basic > Network > Interface management >
Remote destination mirroring from the navigation tree, as shown in Figure3-11.

Figure3-11 Remote destination mirroring

3.2.6 Logic interface

The logic interface function divides one physical interface into several logical interfaces, so that data
switching between sub interfaces can be realized. Logic interface configuration includes sub interface, Loopback
interface, and PPP interface configuration.

3.2.6.1 Sub interface configuration

To enter the sub interface configuration page, you can choose Basic > Network > Interface management > Logic
interface > Sub interface, as shown in Figure3-12.

Figure3-12 Sub interface configuration

3.2.6.2 Loopback interface configuration

To enter the loopback interface configuration page, you can choose Basic > Network > Interface management >
Logic interface > Loopback interface, as shown in Figure3-13.

Figure3-13 Loopback interface configuration

3.2.6.3 PPP interface configuration

To enter the PPP interface configuration page, you can choose Basic > Network > Interface management > Logic
interface > PPP interface from the navigation tree, as shown in Figure3-14.

Figure3-14 PPP interface configuration

3.2.6.4 Template interface

To enter the template interface page, you can choose Basic > Network > Interface management > Logic
interface > Template interface from the navigation tree, as shown in Figure3-15.

Figure3-15 Template interface

3.2.6.5 IPsec interface

To enter the IPsec interface page, you can choose Basic > Network > Interface management > Logic interface >
IPsec interface from the navigation tree, as shown in Figure3-16.

Figure3-16 IPsec interface

3.2.7 GRE

To enter the GRE page, you can choose Basic > Network > Interface management > GRE from the navigation tree,
as shown in Figure3-17.

Figure3-17 GRE

3.3 3G Dial-up

3G dial-up allows you to dial up to the Internet over 3G. You can select a network operator for 3G dial-up,
select whether to enable the reconnect after disconnection function as required, and add a default route.
To enter the 3G Dial-up page, you can choose Basic > Network > 3G dial-up from the navigation tree, as shown in
Figure3-18.

Figure3-18 3G dial-up

3.4 Network object

3.4.1 Security zone

3.4.1.1 Introduction to security zone

Traditional firewall policies, as used on early dual-homed firewalls, are configured based on the inbound and
outbound interfaces of packets. As firewalls have developed, they connect not only the internal and external
networks, but the internal network, the external network, and the Demilitarized Zone (DMZ). They also provide
high-density ports: a high-end firewall can provide dozens of physical interfaces to connect multiple logical
subnets. In this networking environment, the traditional interface-based policy configuration mode requires a
security policy to be configured for each interface, which creates a heavy workload for administrators and thus
increases the probability of introducing security problems through improper configuration.

The industry-leading firewalls solve the above problems by implementing security policies based on security zones.
A security zone is an abstract concept. It can include physical interfaces and logical interfaces, and also Trunk
interface + VLAN. Interfaces added to the same security zone have consistent security needs. Therefore, an
administrator can classify interfaces (assign them to different zones) based on their security needs, thus
implementing hierarchical policy management. For example, on the firewall in the following figure, the
administrator can add the interface that connects the R&D area to Zone_RND, and the interface connecting the
servers to Zone_DMZ. In this way, the administrator only needs to deploy security policies in the two zones. If the
network changes in the future, the administrator only needs to adjust the interfaces in a certain zone, without
modifying the security policies. The security zone management feature not only simplifies policy maintenance but
also separates network services from security services.

3.4.1.2 Security zone

To enter the security zone page, you can choose Basic> Network > Network object > Security zone from
navigation tree, as shown in Figure3-19.

Figure3-19 Security zone

Table3-1 describes the configuration items of the security zone.


Table3-1 Security zone configuration items

Item Description

Serial number Allows you to view the serial number of the security zone.

Zone name Allows you to specify a name for the security zone.

Interface Allows you to select an interface for the security zone.

Priority Allows you to specify the priority for the security zone.

Description Allows you to specify the description for the security zone.

Operation
Click copy icon or delete icon to do the operations.

3.4.1.3 Typical configuration for security zone

1. Network requirement

Figure3-20 Network diagram for configuring security zones

A company uses Device as the network border firewall to connect the internal network and the Internet and
to provide WWW and FTP services to the external network. You need to perform some basic configurations for the
zones of the firewall to prepare for the configuration of the security policies. The internal network is a trusted
network and can access the server and the external network. You can deploy the internal network in the Trust zone
with a higher priority and connect the interface eth0/0 on Device to the external network. The external network is
an untrusted network, and you need to use strict security rules to control access from the external network to the
internal network and the server. You can deploy the external network in the Untrust zone with a lower priority and
connect the interface gige 0_0 on Device to the external network.
If you deploy the WWW server and the FTP server on the external network, their security cannot be ensured; if you
deploy them on the internal network, unauthorized external users may use security holes to attack the internal
network. Therefore, you can deploy the servers in the DMZ zone with a priority between Trust and Untrust, and
connect the Ethernet interface eth0/1 on Device to the servers. In this way, the server in the DMZ zone can access
the external network in the Untrust zone with a lower priority, but when it accesses the internal network in the
Trust zone with a higher priority, its access is controlled by the security rules.

2. Configuration procedure:
By default, the system has created the Trust, DMZ and Untrust zones and defined the priority of these zones.
(1) Deploy the Trust zone.
Select Basic > Network > Network object > Security zone from the navigation tree to enter the security zone
interface, select the interface eth0_0 for the Trust zone, and then click the Ok button.
(2) Deploy the DMZ zone.
Select Basic > Network > Network object > Security zone from the navigation tree to enter the security zone
interface, select the interface eth0_1 for the DMZ zone, and then click the Ok button.
(3) Deploy the Untrust zone.
Select Basic > Network > Network object > Security zone from the navigation tree to enter the security zone
interface, select the interface eth0_7 for the Untrust zone, and then click the Ok button.
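The zone model described above can be checked offline before policies are written. The following Python sketch is an added example, not DPtech code: the priority numbers, the rule format, the first-match and fail-closed defaults, and the interface eth0_2 are assumptions made for illustration; only the ordering Trust > DMZ > Untrust and the interface assignments come from the procedure above.

```python
"""Zone-based policy lookup modelled on the Trust / DMZ / Untrust example.

Constructed for illustration: priority values, rule format and default
behaviour are assumptions, not settings read from a DPtech device.
"""
from dataclasses import dataclass

# Zone -> priority (higher = more trusted). The numbers are constructed;
# the guide only states that Trust > DMZ > Untrust.
ZONE_PRIORITY = {"Trust": 85, "DMZ": 50, "Untrust": 5}

# Interface -> zone, as assigned in the configuration procedure.
INTERFACE_ZONE = {"eth0_0": "Trust", "eth0_1": "DMZ", "eth0_7": "Untrust"}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    protocol: str
    dst_port: int
    action: str  # "permit" or "deny"


# Explicit rules written against zones, not interfaces: the published
# WWW service and the FTP control port in the DMZ.
RULES = [
    Rule("Untrust", "DMZ", "tcp", 80, "permit"),
    Rule("Untrust", "DMZ", "tcp", 21, "permit"),
]


def decide(in_if, out_if, protocol, dst_port,
           interface_zone=INTERFACE_ZONE, rules=RULES):
    """Return (action, reason) for a flow entering in_if and leaving out_if."""
    try:
        src, dst = interface_zone[in_if], interface_zone[out_if]
    except KeyError as exc:
        # An interface outside every zone has no policy context: fail closed.
        return "deny", f"interface {exc.args[0]} is not in any zone"
    for rule in rules:  # first matching rule wins (assumption)
        if (rule.src_zone, rule.dst_zone, rule.protocol, rule.dst_port) == (
                src, dst, protocol, dst_port):
            return rule.action, f"rule {src}->{dst} {protocol}/{dst_port}"
    # No explicit rule: a higher-priority zone may reach a lower-priority
    # one; anything else needs a rule. Intra-zone traffic is not described
    # in the guide, so this model fails closed for it as well.
    if ZONE_PRIORITY[src] > ZONE_PRIORITY[dst]:
        return "permit", f"default: {src} outranks {dst}"
    return "deny", f"default: {src} does not outrank {dst}, no rule matched"


if __name__ == "__main__":
    # A second server interface joins the DMZ: only zone membership changes,
    # the zone-based rules stay untouched. eth0_2 is a hypothetical interface.
    grown = dict(INTERFACE_ZONE, eth0_2="DMZ")
    flows = [
        ("eth0_0", "eth0_7", "tcp", 443),  # Trust -> Untrust
        ("eth0_7", "eth0_1", "tcp", 80),   # Untrust -> DMZ, published WWW
        ("eth0_7", "eth0_1", "tcp", 22),   # Untrust -> DMZ, not published
        ("eth0_1", "eth0_0", "tcp", 445),  # DMZ -> Trust
        ("eth0_7", "eth0_2", "tcp", 80),   # Untrust -> new DMZ interface
    ]
    for flow in flows:
        print(flow, decide(*flow, interface_zone=grown))
```

Running it prints one decision per flow; the last flow is permitted by the existing Untrust to DMZ rule even though no rule mentions eth0_2.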

3.4.2 IP address

3.4.2.1 Introduction to IP address

The IP address function provides address objects and address object groups. With these functions you can divide
the internal network addresses into several groups and apply these addresses to the expanded application, so that
internal network users can be managed effectively.

3.4.2.2 IP address object

To enter the IP address object page, you can choose Basic> Network > Network object > IP address > IP address
object from navigation tree, as shown in Figure3-21.


Figure3-21 IP address object

Table3-2 describes the configuration items of the IP address object.

Table3-2 IP address object configuration items

Item Description

Serial number Displays the serial number of the IP address object.

Name Allows you to specify a name for the IP address object.

Content Displays the IP range of the IP address object and the exception IP addresses.

Description Allows you to specify the description of the IP address object.

Policy reference Whether the IP address object is referenced.

Operation
Click copy icon or delete icon to do the operations.

3.4.2.3 IP address object group

To enter the IP address object group page, you can choose Basic> Network > Network object > IP address > IP
address object group from navigation tree, as shown in Figure3-22.

Figure3-22 IP address object group

Table3-3 describes the details of the IP address object group.


Table3-3 IP address object group

Item Description

No. Displays the sequence number of the IP address object.

Name Displays the name of the IP address object.

Content Displays the net address object.

Description Displays the description of the IP address object group.

Policy reference Displays which policies reference the IP address object group.

Operation
Click copy icon or delete icon to do the operations.

3.4.3 IPv6 address

3.4.3.1 Introduction to IPv6 Address

To enter the IPv6 address page, you can choose Basic> Network > Network object > IPv6 address from
navigation tree, as shown in Figure3-23.

Figure3-23 IPv6 address

3.4.4 MAC address

3.4.4.1 Introduction to MAC address

To enter the MAC address page, you can choose Basic> Network > Network object > MAC address from
navigation tree, as shown in Figure3-24.


Figure3-24 MAC address

3.4.4.2 MAC Address Group

To enter the MAC address group page, you can choose Basic> Network > Network object > MAC address group
from navigation tree, as shown in Figure3-25.

Figure3-25 MAC address group

Table3-4 describes the details of the IP address object group.

Table3-4 IP address object group

Item Description

Mac address Displays the user group created in the MAC address.

Mac address group Create the MAC address group, and add the MAC address to the MAC address
group.

3.4.5 MAC address manage

To enter the MAC address manage page, you can choose Basic> Network > Network object > MAC address
manage from navigation tree, as shown in Figure3-26.


Figure3-26 MAC address manage

3.4.6 Account

A user who is added to the account list can access the Internet.

3.4.6.1 Account user

To enter the account user page, you can choose Basic> Network > Network object > Account > Account user
from navigation tree, as shown in Figure3-27.

Figure3-27 Account user

Table3-5 describes the configuration items of the account user.

Table3-5 Account user

Item Description

From UMC Configure the UMC IP address and port number.

From domain name Configure the LDAP server.

SN Displays the sequence of account user.

Account list Allows you to configure the account user manually.

Description Allows you to configure the description of the account user.

Operation
Click copy or delete icon to do operations.

3.4.7 Domain name

The domain name function translates between domain names and IP addresses, which allows you to view the IP
address after a domain name is configured.

To enter the domain name page, you can choose Basic> Network > Network object > Domain name from
navigation tree, as shown in Figure3-28.

Figure3-28 Domain name

3.4.8 Service

The service function defines the type and characteristics of the protocol carried by IP (such as TCP or UDP source
port/destination port, or ICMP message type/message code), which can be referenced in a policy as a packet
matching condition.

3.4.8.1 Predefined service object

To enter the predefined service object page, you can choose Basic> Network > Network object > Service>
Predefine service object from navigation tree, as shown in Figure3-29.


Figure3-29 Predefined service object

3.4.8.2 User-defined service object

To enter the user-defined service object, you can choose Basic> Network > Network object > Service >
User-defined service object from navigation tree, as shown in Figure3-30.

Figure3-30 User-defined service object

3.4.8.3 Service object group

To enter the service object group page, you can choose Basic> Network > Network object > Service > Service
object group from navigation tree, as shown in Figure3-31.

Figure3-31 Service object group

3.5 Forwarding

3.5.1 Forwarding

To enter the forwarding page, you can choose Basic> Network > Network object > Forwarding > Forwarding
from navigation tree, as shown in Figure3-32.


Figure3-32 Forwarding

3.5.2 Forwarding mode

To enter the forwarding mode page, you can choose Basic> Network > Network object > Forwarding >
Forwarding mode from navigation tree, as shown in Figure3-33.

Figure3-33 Forwarding mode

3.5.3 Neighbor discover

To enter the neighbor discover page, you can choose Basic> Network > Network object > Forwarding >
Neighbor discover from navigation tree, as shown in Figure3-34.

Figure3-34 Neighbor discover


3.6 Trans_Tech

3.6.1 DS_LITE

To enter the DS_Lite page, you can choose Basic> Network > Trans_Tech > DS_Lite from navigation tree, as
shown in Figure3-35.

Figure3-35 DS_Lite

3.7 6to4 tunnel

To enter the 6to4 tunnel page, you can choose Basic > Network > 6to4 tunnel from the navigation tree, as shown in
Figure3-36.

Figure3-36 6to4 tunnel

Table3-6 State

Item Description

Tunnel ID Configure the tunnel ID number.

Tunnel IP Configure the IP address for the tunnel interface.

Tunnel source interface IP Select whether to use the tunnel source address or the tunnel source interface to
configure

Tunnel Dest IP Configure the tunnel destination IP address.

Operation
Click icon or delete to do the operations.


3.8 Autoconfig

3.8.1 Stateless configuration

To enter the stateless configuration page, you can choose Basic> Network > Stateless configuration, as shown in
Figure3-37.

Figure3-37 Stateless configuration

3.9 IPv4 unicast routing

3.9.1 IPv4 unicast routing

IPv4 unicast routing allows you to configure IPv4 static routes manually. After you configure an IPv4 static route,
data packets are transmitted to the destination according to your requirements.

3.9.2 Configure static route

3.9.2.1 Introduction to static route

A static route is a special route that an administrator configures manually. After a static route is configured,
data packets going to the specified destination are forwarded along the path designated by the administrator.

In a simple network, static routes alone are enough for network communication. If you set and use static routes
properly, they can improve network performance and guarantee bandwidth for important applications.
When you configure a static route, you should understand the following:
1. Destination IP address and mask
When you configure a static route, the destination IP address and mask must be in dotted decimal notation.

2. Outbound interface and next hop
When you configure a static route, you can specify the outbound interface and the next hop. Whether you specify
the outbound interface or the next hop depends on the actual situation. A route cannot take effect if the next hop
is a local interface IP address.

In practice, every route entry has an explicit next hop address. When a data packet is sent, its destination address
is looked up in the routing table to find the matching route. Only when the next hop is specified can the link
layer find the corresponding link-layer address and forward the data packet.

3. Priority
You can specify different priorities for different static routes, so that you can use route management policies
flexibly. For example, when you configure multiple routes to the same destination, routes with the same priority
provide load sharing, and routes with different priorities provide route backup.

To enter the configure static route page, you can choose Basic> Network > IPv4 unicast routing > Configure
static route from navigation tree, as shown in Figure3-38.

Figure3-38 Configure static route

Table3-7 describes the configuration items of the configure static route.

Table3-7 Configure static route

Item Description

Batch configure static route Allows you to import static routes in batch.

Batch delete Allows you to delete static routes in batch.

Destination subnet Allows you to configure the destination segment.

Subnet mask Allows you to configure the subnet mask.

Describe Allows you to configure the description for the static route.

Gateway(next hop) Allows you to configure the gateway (next hop).

Advanced configuration Allows you to configure the advanced configuration.

Operation
Click copy icon or delete icon to do the operations.


3.9.2.2 Monitoring

To enter the health check page, you can choose Basic> Network > IPv4 unicast routing > Health check from
navigation tree, as shown in Figure3-39.

Figure3-39 Health check

To configure static routes, you should take the following steps:

1. Import static routes in batch:
Select Basic > Network > Network object > Static Routing from the navigation tree to enter the configure static
route page.
Click the Browse button, select a CSV format file, and then click the Ok button.
Export static routes in batch:
Click the Export CSV File button, select a file path, and then click the Ok button.
2. Configure a static route manually:
Configure the destination address: 0.0.0.0, subnet mask: 0.0.0.0, Gateway (next hop): 10.66.0.1, interface: auto,
next hop: 10.66.0.1, and leave the advanced configuration at its default.
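Before a CSV file is imported in batch, the rules from section 3.9.2.1 (dotted decimal destination and mask, a next hop that is not a local interface address, and the meaning of equal versus different priorities) can be checked offline. The following Python sketch is an added example, not DPtech code: the CSV column names, the local interface address and every sample row except the default route are constructed, because the guide does not show the device's CSV layout.

```python
"""Pre-import check for a batch of static routes.

Constructed for illustration: column names, local interface addresses
and sample rows are assumptions, not the device's real CSV format.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample; the first data row is the default route from step 2.
SAMPLE_CSV = """destination,mask,gateway,priority
0.0.0.0,0.0.0.0,10.66.0.1,1
192.168.10.0,255.255.255.0,10.66.0.2,1
192.168.10.0,255.255.255.0,10.66.0.3,1
172.16.0.0,255.255.0.0,10.66.0.2,1
172.16.0.0,255.255.0.0,10.66.0.3,5
10.1.1.5,255.255.255.0,10.66.0.2,1
10.2.0.0,255.0.255.0,10.66.0.2,1
10.3.0.0,255.255.0.0,10.66.0.254,1
"""

# Constructed: addresses configured on the firewall's own interfaces.
LOCAL_INTERFACE_IPS = {"10.66.0.254"}


def mask_to_prefix(mask):
    """Convert a dotted decimal netmask to a prefix length.

    Rejects non-contiguous masks and wildcard (inverted) masks such as
    0.0.0.255, which ipaddress alone would silently read as /24.
    """
    inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    if inverted & (inverted + 1):
        raise ValueError(f"mask {mask} is not contiguous")
    return 32 - inverted.bit_length()


def check_routes(csv_text, local_ips):
    """Return (accepted, errors, groups).

    accepted: list of (network, gateway, priority)
    errors:   list of (csv_line_number, message)
    groups:   {network: "single" | "load sharing" | "backup" | "load sharing + backup"}
    """
    accepted, errors = [], []
    local = {ipaddress.IPv4Address(ip) for ip in local_ips}
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        try:
            prefix = mask_to_prefix(row["mask"])
            # strict=True rejects a destination with host bits set.
            net = ipaddress.IPv4Network((row["destination"], prefix), strict=True)
            gateway = ipaddress.IPv4Address(row["gateway"])
            priority = int(row["priority"])
        except (ValueError, KeyError, TypeError) as exc:
            errors.append((line_no, f"rejected: {exc}"))
            continue
        if gateway in local:
            errors.append((line_no,
                           f"rejected: next hop {gateway} is a local interface address"))
            continue
        accepted.append((net, gateway, priority))

    # Classify routes that share a destination, following section 3.9.2.1.
    priorities = defaultdict(list)
    for net, _gateway, priority in accepted:
        priorities[str(net)].append(priority)
    groups = {}
    for net, values in priorities.items():
        if len(values) == 1:
            groups[net] = "single"
        elif len(set(values)) == 1:
            groups[net] = "load sharing"
        elif len(set(values)) == len(values):
            groups[net] = "backup"
        else:
            groups[net] = "load sharing + backup"
    return accepted, errors, groups


if __name__ == "__main__":
    ok, bad, grouped = check_routes(SAMPLE_CSV, LOCAL_INTERFACE_IPS)
    for line_no, message in bad:
        print(f"line {line_no}: {message}")
    for net, kind in grouped.items():
        print(f"{net}: {kind}")
```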

3.10 Routing table

3.10.1 Basic routing table

The basic routing table page provides the basic routing table query function. You can select the all routes,
designated destination network segment, or designated destination IP radio button to look up the routing table.

To enter the basic routing table page, you can choose Basic > Network > IPv4 unicast routing > Basic routing
table from the navigation tree, as shown in Figure3-40.


Figure3-40 Basic routing table

Table3-8 describes the configuration items of the basic routing table.

Table3-8 Basic routing table

Item Description

Destination network segment Allows you to view the destination network segment

Subnet mask Allows you to view the destination subnet mask.

Gateway (Next hop) Allows you to view the network gateway (Next hop) address.

Outbound interface Allows you to view the static route outbound interface.

3.10.2 Detailed routing table

The detailed routing table page provides the detailed routing table query function. You can select the all
routes, designated destination network segment, designated protocol, or designated destination IP radio button to
look up the routing table.

To enter the detailed routing table page, you can choose Basic> Network > IPv4 unicast routing > Detailed
routing table, as shown in Figure3-41.


Figure3-41 Detailed routing table

Table3-9 describes the configuration items of the detailed routing table.

Table3-9 Detailed routing table configuration items

Item Description

Destination subnet Allows you to view the destination IP address.

Subnet mask Allows you to view the subnet mask of the destination IP address.

Gateway (Next hop) Allows you to view the gateway (next hop) IP address.

Outbound interface Allows you to view the interface on which IP packets are forwarded.

Status Allows you to view the active state of the route.

Protocol Allows you to view how the route was generated, including
Static, Connect, RIP, OSPF, BGP, and Guard protocol.

Priority Allows you to view the static route priority.

Cost Allows you to view the route cost.

Type Allows you to view the route type.

3.10.3 Equal-cost route

Equal-cost routes (ECMP) are multiple route paths with the same Cost value that lead to the same destination IP
address or destination segment. If the device supports equal-cost routes, Layer 3 traffic forwarded to the
destination IP or destination segment can be shared across the different paths, so that network load balancing
is achieved. If some paths fail, they are replaced by the others, which provides route redundancy backup.


To enter the equal-cost route page, you can choose Basic> Network > IPv4 unicast routing > Equal-cost route
load balancing from navigation tree, as shown in Figure3-42.

Figure3-42 Equal-cost route

3.10.4 BGP

3.10.4.1 Introduction to BGP

Border Gateway Protocol (BGP) is a dynamic routing protocol used between autonomous systems (AS). An autonomous
system is a set of routers that share the same routing policy and run under the same technical administration.
There are three early BGP versions, BGP-1 (RFC1105), BGP-2 (RFC1163) and BGP-3 (RFC1267). The current
version in use is BGP-4 (RFC 4271), which is the de facto Internet exterior gateway protocol used between ISPs.

3.10.4.2 Configure BGP

To enter the configure BGP page, you can choose Basic> Network > IPv4 unicast routing > BGP from navigation
tree, as shown in Figure3-43.

Figure3-43 Configure BGP

Table3-10 describes the configuration items of the BGP neighbor configuration.

Table3-10 BGP neighbor configuration

Item Description

Neighbor IP Configure the IP address of BGP neighbor.

Neighbor AS Displays neighbor AS

The max hop of EBGP Displays the max hop of EBGP

Authentication information Allows you to select a method of BGP authentication, include none and MD5.

Advanced configuration Allows you to configure the advanced configuration

Routing capacity Allows you to select a routing capacity.

Operation
Click the copy, delete or insert icon to do the operations.

To configure the BGP neighbor configuration, you should take the following steps:
• Click the checkbox of enable BGP, and enter the local AS number.
• Configure the neighbor configuration.
• Click Ok button in the upper right corner on the webpage.

Table3-11 describes the details of BGP advanced configuration.

Table3-11 BGP advanced configuration

Item Description

Router ID Configure the router ID. Default is auto.

Redistribute route Displays the BGP protocol introduced route.

Router priority Configure the router priority.

BGP graceful restart Enable BGP graceful restart.

To configure BGP advanced configuration, you should take the following steps:
• Click advanced configuration.
• Configure the router ID.
• Select which kind of route will be introduced.
• Click Ok button in the upper right corner.

Table3-12 describes the details of BGP advanced configuration.


Table3-12 BGP advanced configuration

Item Description

Destination network segment Configure destination network segment for route aggregation.

Subnet mask Configure the mask for the route aggregation.

Advanced configuration Select the options:
• Compute AS-PATH attributes when route aggregating.
• Advertise aggregation route, not detailed route, when route advertising.

Operation
Click icon, delete icon, insert icon to do the operations.

To configure route aggregation, you should take the following steps:
• Configure each item of route aggregation.
• Click Ok button in the upper right corner on the webpage.

3.10.4.3 Configure BGP-VPN

To enter the configure BGP-VPN neighbor information page, you can choose Basic> Network > IPv4 unicast
routing > Configure BGP-VPN from navigation tree, as shown in Figure3-44.

Figure3-44 Configure BGP-VPN

Table3-13 describes the configuration items of the configure BGP-VPN.

Table3-13 BGP-VPN configuration items

Item Description

VRF Allows you to select a VRF.

Enable Allows you to enable or disable the BGP-VPN function.

RD Allows you to configure the RD.

RT Allows you to configure the RT.

Redistribute a Route Allows you to redistribute the routes

BGP-VPN configuration steps:

Firewall device A:
• Select Basic > System > Virtual system from the navigation tree to enter the virtual system interface, and click
the enable virtual system configuration.
• Select Basic > System > VRF from the navigation tree to enter the VRF interface, create a new VRF, such as
VRF_A, and select a virtual system and an interface for the VRF.
• Select Basic > Network > IPv4 unicast routing > BGP from the navigation tree to enter the VRF interface, create
a new VRF, such as VRF_A, and select a virtual system and an interface for the VRF.
• Enable the MPLS and LDP function, and configure the BGP-VPN function. Example: select VRF_A, configure
the RD 1:100, RT import: 1:200, RT export: 1:300, and select which kind of route is redistributed to the BGP
route.

Firewall device B:
• Select Basic > System > Virtual system from the navigation tree to enter the virtual system interface, and click
the enable virtual system configuration.
• Select Basic > System > VRF from the navigation tree to enter the VRF interface, create a new VRF, such as
VRF_A, and select a virtual system and an interface for the VRF.
• Select Basic > Network > IPv4 unicast routing > BGP from the navigation tree to enter the VRF interface, create
a new VRF, such as VRF_A, and select a virtual system and an interface for the VRF.
• Enable the MPLS and LDP function, and configure the BGP-VPN function. Example: select VRF_A, configure
the RD 1:100, RT import: 1:300, RT export: 1:200, and select which kind of route is redistributed to the BGP
route.

3.10.4.4 BGP neighbor information

To enter the configure BGP neighbor information page, you can choose Basic> Network > IPv4 unicast routing >
BGP Neighbor Information from navigation tree, as shown in Figure3-45.

Figure3-45 BGP neighbor information

Table3-14 describes the configuration items of the configure BGP-VPN.

Table3-14 BGP-VPN configuration items

Item Description

Neighbor IP Displays the IP address of the neighbor.

Neighbor AS Displays the AS number of the neighbor.

Neighbor ID Displays the ID number of the neighbor.

Neighbor status Displays the status of the neighbor.

Local outbound interface ID Displays the ID of local outbound interface.

Established time Displays the time when BGP neighbor is established.

Timeout time Displays the timeout time of the BGP neighbor.

3.10.5 RIP

3.10.5.1 Introduction to RIP

The Routing Information Protocol (RIP) is a distance-vector routing protocol, which employs the hop count as a
routing metric. RIP prevents routing loops by implementing a limit on the number of hops allowed in a path from the
source to a destination. The maximum number of hops allowed for RIP is 15. This hop limit, however, also limits
the size of networks that RIP can support. A hop count of 16 is considered an infinite distance and used to deprecate
inaccessible, inoperable, or otherwise undesirable routes in the selection process.

3.10.5.2 Configure RIP

To enter the RIP page, you can choose Basic> Network > IPv4 unicast routing > RIP from navigation tree, as
shown in Figure3-46.

Figure3-46 Configure RIP

Table3-15 describes the configuration items of the RIP interface configuration.


Table3-15 RIP interface configuration

Item Description

Interface name Displays the name of the interface.

Enabling status Allows you to enable or disable an interface that runs the RIP protocol.

Authentication information Allows you to configure RIP authentication information.

Advanced configuration Allows you to configure the advanced configuration.

Table3-16 describes the configuration items of RIP advanced configuration.

Table3-16 RIP advanced configuration

Item Description

Route priority Allows you to configure the route priority.

Router update timer Allows you to configure the time intervals for router update timer.

Router aging timer Allows you to configure the router aging timer.

Garbage collection timer Allows you to configure garbage collection timer.

Indirect neighbor Allows you to add or delete non-direct neighbor.

Redistribute route Allows you to set the RIP protocol introduced route.

3.10.5.3 Display RIP state

To enter the RIP page, you can choose Basic> Network > IPv4 unicast routing > RIP from navigation, as shown
in Figure3-47.

Figure3-47 Display RIP state


3.10.6 OSPF
Open Shortest Path First (OSPF) is a link state interior gateway protocol developed by the OSPF working group of
the Internet Engineering Task Force (IETF).
OSPF has the following features:
• Wide scope: Supports networks of various sizes and up to several hundred routers in an OSPF routing domain.
• Fast convergence: Transmits updates instantly after network topology changes for routing information
synchronization in the AS.
• Loop-free: Computes routes with the shortest path first (SPF) algorithm according to collected link states, so no
route loops are generated.
• Area partition: Allows an AS to be split into different areas for ease of management, and routing information
transmitted between areas is summarized to reduce network bandwidth consumption.
• Equal-cost multi-route: Supports multiple equal-cost routes to a destination.
• Routing hierarchy: Supports a four-level routing hierarchy that prioritizes routes into intra-area, inter-area,
external Type-1, and external Type-2 routes.
• Authentication: Supports interface-based packet authentication to ensure the security of packet exchange.
• Multicast: Supports multicasting protocol packets on some types of links.

3.10.6.1 OSPF

To enter the OSPF page, you can choose Basic> Network > IPv4 unicast routing > OSPF from navigation tree, as
shown in Figure3-48.

Figure3-48 Configure OSPF


Table3-17 describes the details of the OSPF advanced configuration

Table3-17 OSPF advanced configuration

Item Description

Route priority Configure the route priority of the device.

Route device ID Configure the ID number of the router device.

NBMA neighbor Add or delete NBMA neighbor of the device.

Redistribute route Select which route will be imported by OSPF.

GR capacity settings Configure GR capability.

GR timeout time Configure GR timeout time (Default is 60 seconds)

To configure OSPF advanced configuration, you should take the following steps:
• Click advanced configuration.
• Configure the route priority.
• Set the route device ID number (“auto” is the maximum IP address of the device interfaces).
• Add the NBMA neighbor.
• Select which kind of route will be redistributed.
• Select the GR capability settings.
• Enter the GR timeout time (Default is 60 seconds).
• Click Ok button in the upper right corner on the webpage.

Table3-18 describes the details of OSPF area configuration

Table3-18 OSPF area configuration

Item Description

Area ID Configure the ID number of the area.

Enable interface Enable the interface.

Advanced configuration Configure the advanced priorities in the area configuration.

Operation
Click copy icon or delete icon to do the operations.

To configure OSPF area configuration, you should:
• Configure the area ID number.
• Select an interface for the area configuration.
• Configure the advanced configuration for the area.
• Click Ok button in the upper right corner on the webpage.

Table3-19 describes the details of the OSPF interface configuration.

Table3-19 OSPF interface configuration

Item Description

Interface name Displays all interface names of the device.

Hello interval Allows you to configure the Hello packet time interval (Default is 10 seconds).

Dead interval Allows you to configure the Dead time interval during which the interface doesn’t receive a
Hello packet (Default is 40 seconds).

Authentication information Allows you to select authentication mode.

Advanced configuration Allows you to configure the OSPF advanced configurations.

To configure OSPF interface configuration, you should:
• Configure time interval for the interface to send Hello packet.
• Configure time interval for the interface to send Dead packet.
• Configure OSPF authentication information for the interface (including None, Test authentication and Md5
authentication).
• In the advanced configuration, select the Cost value, DR election priority, working mode and interface
type for the interface.
• Click Ok button in the upper right corner on the webpage.

Note:
After you enable OSPF, the OSPF function and OSPF advanced configuration can be used.

3.10.6.2 OSPF interface information

To enter the OSPF interface information, you can choose Basic> Network > IPv4 unicast routing > OSPF
interface information from navigation tree, as shown in Figure3-49.


Figure3-49 OSPF interface information

Table3-20 describes the details of the OSPF interface information.

Table3-20 OSPF interface information

Item Description

Querying item Allows you to select an item to be queried

Keyword Interface information that contains keyword.

Interface name Displays the OSPF interface.

Area Displays the interface to which area belongs.

Interface status Displays the interface status.

COST Displays the interface COST value.

DR Displays the DR of the interface in the area.

BDR Displays the BDR of interface in the area.

Neighbor number Displays the neighbor numbers of the interface.

To configure the OSPF interface information, you should:
• Select an item to be queried.
• Type in the keyword that you want to query on the OSPF interface information page.
• Click Query button.

3.10.6.3 OSPF neighbor information

To enter the OSPF interface information page, you can choose Basic> Network > IPv4 unicast routing > OSPF
interface information from navigation tree, as shown in Figure3-50.

Figure3-50 OSPF neighbor information


Table3-21 describes the details of the OSPF neighbor information.

Table3-21 OSPF neighbor information

Item Description

Querying item Allows you to select an item to be queried.

Keyword Interface information that contains keyword.

Neighbor ID Displays the ID number of the neighbor.

Neighbor IP Displays the IP address of the neighbor.

Priority Displays the priority of the routing protocol.

Neighbor state Displays the connection state of the neighbor.

To which area belongs Displays the area to which the interface belongs.

Interface name Displays the name of the interface.

DR Displays the DR of the interface in the area.

BDR Displays the BDR of the interface in the area.

Dead Time Displays the dead time of the neighbor relationship.

Established time Displays the time that the device established the relationship with neighbors.

To query the OSPF neighbor information, you should:

- Select an item to be queried
- Enter the keyword to be queried on the OSPF neighbor information page
- Click Query button

3.10.7 IS-IS

3.10.7.1 Configure IS-IS

To enter the configure IS-IS page, you can choose Basic> Network > IPv4 unicast routing > IS-IS from
navigation tree, as shown in Figure3-51.

Figure3-51 Configure IS-IS

Table3-22 describes the details of IS-IS advanced configuration.

Table3-22 IS-IS advanced configuration

Item Description

Level Displays the area.

NET Configure the NET address.

Redirect route Allows you to configure the redistributed route.

Table3-23 describes the details of IS-IS interface configuration.

Table3-23 IS-IS interface configuration

Item Description

Interface name Displays interface name

Enabling status Allows you to configure the enabling status.

NET type Allows you to configure the NET type, including broadcast and P2P.

Priority Specify an elect route protocol

Hello interval Specify Hello time interval

Hello_multiplier Specify hello_multiplier time.

To configure the IS-IS advanced configuration, you should take the following steps:

- Select to enable the IS-IS function.
- Click advanced configuration.
- Configure IS-IS level, including Level1, Level2, and Level1 and Level2
- Configure the NET
- Enable an interface
- Click Ok button in the upper right corner.

3.10.7.2 IS-IS neighbor information

To enter the IS-IS neighbor information page, you can choose Basic > Network > IPv4 unicast routing >
IS-IS from navigation tree, as shown in Figure3-52.

Figure3-52 IS-IS neighbor

Table3-24 describes the details of IS-IS neighbor

Table3-24 IS-IS neighbor

Item Description

Sys ID Displays system ID number.

Type Displays the type of area.

Outbound interface Displays the outbound interface.

IPv4 address Displays IPv4 address.

IPv6 address Displays IPv6 address.

State Displays the status.

Hold Time Displays the hold time.

Circuit ID Displays circuit ID.

3.10.7.3 IS-IS LSP

To enter the IS-IS LSP page, you can choose Basic> Network > IPv4 unicast routing > IS-IS LSP from
navigation tree, as shown in Figure3-53.

Figure3-53 ISIS LSP

Table3-25 describes the details of ISIS LSP information

Table3-25 ISIS LSP

Item Description

LSP ID Displays the LSP ID.

Level Displays the IS-IS Level.

Sequence Number Displays the sequence number.

Remaining Lifetime Displays the remaining lifetime.

Operation Click to view the detailed information.

3.10.8 Guard route

The Guard route is used together with BGP. BGP imports the guard route into the BGP route table and advertises
it to the BGP peer, so that the traffic the BGP peer would forward to other devices is diverted to the Guard device,
which then filters and cleans the traffic.

To enter the guard route page, you can choose Basic> Network > IPv4 unicast routing > Guard from navigation
tree, as shown in Figure3-54.

Figure3-54 Guard route

3.11 IPv6 unicast routing

IPv6 unicast routing allows users to configure IPv6 static routes manually. After you have configured an IPv6 static
route, data packets are transmitted to the desired destination.

3.11.1 Static route

To enter the static route page, you can choose Basic> Network > IPv6 unicast routing > Static route from
navigation tree, as shown in Figure3-55.

Figure3-55 Static route

To configure static routes in batch, you should take the following steps:

- Click Browse button to select a configuration file from local disk.
- Click Ok button and then static route configuration file is imported immediately.
- Click Export button to export all static routes.

To manually configure the IPv6 static route, you should:

- Set the IPv6 destination subnet IP address and subnet mask.
- Select outbound interface and configure the next hop address for the network gateway (next hop)
- Select route priority, type and weight in the advanced configuration.
- After you click Ok button, the manually created static routes take effect immediately.

3.11.1.1 Basic routing table

Basic routing table provides users with the function of querying detailed routing information. Users can select the all
routes or the specify the destination subnet radio button to query the basic routing table.

To enter the basic routing table page, you can choose Basic> Network > IPv6 unicast routing > Basic routing
table from navigation tree, as shown in Figure3-56.

Figure3-56 Basic routing table

Table3-26 describes the details of basic routing table.

Table3-26 Basic routing table

Item Description

Destination subnet Allows you to view the destination subnet IP address.

Subnet mask Allows you to view the destination subnet IP address and subnet mask.

Gateway (Next hop) Allows you to view the gateway (Next hop) address.

Outbound interface Allows you to view the outbound interface of the route.

3.11.1.2 Detailed routing table

Detailed routing table provides users with the function of querying detailed routing information. Users can select the
all routes, the specify the destination subnet, or the specify a protocol to query radio button to query the detailed
routing table.

To enter the detailed routing table page, you can choose Basic> Network > IPv6 unicast routing > Detailed
routing table from navigation tree, as shown in Figure3-57.

Figure3-57 Detailed routing table

Table3-27 describes the details of the detailed routing table.

Table3-27 Detailed routing table

Item Description

Destination subnet Allows you to view the destination IP address.

Subnet mask Allows you to view the subnet mask of the destination IP address.

Gateway (Next hop) Allows you to view the gateway (next hop) IP address.

Outbound interface Allows you to view the interface on which IP packets are forwarded.

Status Allows you to view the active state of the route.

Protocol Allows you to view how the route was generated, including Static, Connect, RIP, OSPF, BGP and Guard protocol.

Priority Allows you to view the static route priority.

Cost Allows you to view the route cost.

Type Allows you to view the route type.

3.11.2 RIPng

RIPng, also called the next generation RIP protocol, is derived from the RIP-2 protocol used in IPv4 networks. Most
RIP concepts also apply to RIPng. RIPng uses the hop count to measure the distance to the destination
(also called the metric or cost). In RIPng, the hop count from a router to a directly connected network is 0, the hop
count from a router to a network reached through one directly connected router is 1, and so on. When the hop count is
larger than or equal to 16, the destination network or host is unreachable.

3.11.2.1 RIPng

To enter the RIPng page, you can choose Basic> Network > IPv6 unicast routing > RIPng from navigation tree,
as shown in Figure3-58.

Figure3-58 RIPng configuration

Table3-28 describes the details of RIPng interface configuration.

Table3-28 RIPNG interface configuration

Item Description

Interface name Displays all interfaces of the device.

Enabling status Specify whether to enable RIP protocol for the interface.

Advanced configuration Specify the interface RIP working mode and horizontal split.

To configure RIPng configuration, you should:

- Select whether to enable RIPng
- Select working mode as active mode (default is Active mode)
- Select whether to enable horizontal split
- Click Ok button in the upper right corner.

Table3-29 describes the details of RIPng configuration.

Table3-29 RIPng advanced configuration

Item Description

Route update timer Specify the update route time interval.

Route aging timer Specify the route aging time.

Garbage recycle timer Specify the time interval for deleting routes out of the routing table.

Non direct neighbor Specify a neighbor that is not directly connected to the device.

Redistribute a route Specify the RIPng redistributed route.

To configure the RIPng advanced configuration:

- Click advanced configuration
- Set update timer (By default, it is 30)
- Set route aging timer (By default, it is 180)
- Set garbage recycle timer (By default, it is 120).
- Select a route which you want to redistribute.
- Click Ok button in the upper right.

Note:
RIPng and its advanced configuration can be used after you enable the RIPng function.
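
The hop-count rule from the RIPng introduction and the default timers listed above (30 s update, 180 s aging, 120 s garbage recycle), modelled as an added Python example; it is not DPtech code. It assumes standard RIPng behaviour, in which an aged-out route is kept at metric 16 until the garbage timer deletes it; the class and function names, the neighbor address and the 2001:db8 prefixes are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional

INFINITY = 16        # hop count >= 16: destination unreachable
UPDATE_TIMER = 30    # route update timer default, seconds
AGING_TIMER = 180    # route aging timer default, seconds
GARBAGE_TIMER = 120  # garbage recycle timer default, seconds


@dataclass
class Route:
    next_hop: Optional[str]             # None for a directly connected network
    metric: int
    last_heard: float = 0.0             # time of the last update for this route
    expired_at: Optional[float] = None  # set when the aging timer fires


class RipngTable:
    def __init__(self) -> None:
        self.routes: Dict[str, Route] = {}

    def add_connected(self, prefix: str) -> None:
        # Directly connected network: hop count 0, never aged out.
        self.routes[prefix] = Route(next_hop=None, metric=0)

    def receive(self, prefix: str, advertised: int, neighbor: str, now: float) -> None:
        # One more hop than the neighbor reported, capped at "unreachable".
        metric = min(advertised + 1, INFINITY)
        cur = self.routes.get(prefix)
        if cur is None:
            if metric < INFINITY:
                self.routes[prefix] = Route(neighbor, metric, now)
            return
        if cur.next_hop is None:
            return  # a connected route is never replaced by a learned one
        if cur.next_hop == neighbor:
            # The current next hop is authoritative, even when the news is worse.
            if metric >= INFINITY:
                if cur.expired_at is None:
                    cur.metric, cur.expired_at = INFINITY, now
            else:
                cur.metric, cur.last_heard, cur.expired_at = metric, now, None
        elif metric < cur.metric:
            self.routes[prefix] = Route(neighbor, metric, now)

    def tick(self, now: float) -> None:
        for prefix in list(self.routes):
            route = self.routes[prefix]
            if route.next_hop is None:
                continue
            if route.expired_at is None and now - route.last_heard >= AGING_TIMER:
                # Aging timer: keep the entry but mark it unreachable.
                route.metric, route.expired_at = INFINITY, now
            if route.expired_at is not None and now - route.expired_at >= GARBAGE_TIMER:
                # Garbage recycle timer: remove the entry from the table.
                del self.routes[prefix]

    def reachable(self, prefix: str) -> bool:
        route = self.routes.get(prefix)
        return route is not None and route.metric < INFINITY


def run_timeline(silent_after: int = 90) -> Dict[int, str]:
    """Neighbor fe80::2 (constructed) sends updates every 30 s, then goes silent."""
    table = RipngTable()
    table.add_connected("2001:db8:1::/64")
    remote = "2001:db8:2::/64"
    states: Dict[int, str] = {}
    for now in range(0, 421, UPDATE_TIMER):
        if now <= silent_after:
            table.receive(remote, 0, "fe80::2", now)
        table.tick(now)
        route = table.routes.get(remote)
        if route is None:
            states[now] = "deleted"
        else:
            states[now] = "reachable" if route.metric < INFINITY else "unreachable"
    return states


if __name__ == "__main__":
    for when, state in run_timeline().items():
        print(f"t={when:3d}s  2001:db8:2::/64 is {state}")
```

With the defaults, a route whose neighbor goes silent stays usable for 180 seconds and remains in the table as unreachable for a further 120 seconds before it is removed.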

3.11.3 OSPFv3

3.11.3.1 Configuring OSPFv3

To enter the OSPFv3 page, you can click Basic > Network > OSPFv3 from navigation tree, as shown in
Figure3-59.

Figure3-59 OSPFv3 configuration

OSPFv3 area configuration is shown in Figure3-60.

Figure3-60 OSPFv3 area configuration

Table3-30 describes the details of OSPFv3 area configuration.

Table3-30 OSPFv3 area configuration

Item Description

Create an area Create an OSPFv3 area.

Area ID Specify area ID number.

Enable the interface Specify an interface for the area.

Operation Click the delete icon to delete an area.

To configure the OSPFv3 area configuration:

- Click create an area
- Type in area ID
- Add the interface into the newly created area.
- Click Ok button in the upper right.

Table3-31 and Table3-32 describe the details of OSPFv3 interface configuration.

Table3-31 OSPFv3 interface configuration

Item Description

Interface name Displays all interfaces of the device.

Hello time interval Specify the hello packet time interval for an interface.

Dead time interval Displays the dead time interval of an unreceived interface.

Instance ID Specify the Instance ID

Advanced configuration Specify interface OSPFv3 protocol and all its advanced configuration.

To configure OSPFv3 configuration:

- Set hello packet time interval for an interface.
- Set the dead time interval of hello packet.
- Specify the instance ID
- Configure the item in advanced configuration, including cost, DR, working mode and MTU.
- Click Ok button in the upper right.

Note:
To configure OSPFv3, you must add the interface into the OSPFv3 protocol.

OSPFv3 advanced configuration is shown in Figure3-61.

Figure3-61 OSPFv3 advanced configuration

Table3-32 describes the details of OSPFv3 advanced configuration.

Table3-32 OSPFv3 advanced configuration

Item Description

Router device ID Specify the router device ID

Redistribute a route Specify the redistributed route of OSPF

To configure OSPFv3 advanced configuration:

- Click advanced configuration
- Set route ID (auto is the maximum IP address of all interfaces)
- Select a route which you want to redistribute.
- Click Ok button in the upper right corner.

3.11.3.2 OSPFv3 neighbor information

To access the OSPFv3 interface information, you can click Basic > Network > Unicast IPv6 routing > OSPFv3 >
OSPFv3 neighbor information as shown in Figure3-62.

Figure3-62 OSPFv3 neighbor information

Table3-33 describes the details of the OSPFv3 interface information

Table3-33 OSPFv3 interface information

Item Description

Query item Select an item which you want to query.

Keywords Displays the interface information which contains keywords

Interface name Displays OSPFv3 interface

Area Displays the area to which interface belongs

State Displays the interface status

COST Displays cost of an interface.

DR Displays DR of an area

BDR Displays BDR of an area

Neighbor count Displays the number of neighbors of the interface.

3.11.3.3 OSPFv3 neighbor information

To access the OSPFv3 interface information, you can click Basic > Network > IPv6 unicast routing >
OSPFv3 neighbor information, as shown in Figure3-63.

Figure3-63 OSPFv3 neighbor information

Table3-34 describes the details of OSPFv3 neighbor information.

Table3-34 OSPFv3 neighbor information

Item Description

Query item Select an item which you want to query.

Keyword Displays neighbor information which contains keyword.

Neighbor ID Displays neighbor ID.

Neighbor IP Displays neighbor IP address.

Priority Displays route priority.

Neighbor status Displays neighbor connect status.

Area Displays the area to which interface belongs.

Interface name Displays interface name

DR Displays DR of an area.

BDR Displays BDR of an area.

Dead Time Displays the dead time of neighbor relationship.

Established time Displays how long the neighbor relationship has been established.

3.11.4 Guard route

To enter the guard route page, you can choose Basic> Network > IPv4 unicast routing > Guard, as shown in
Figure3-54.

Figure3-64 Guard route

3.12 IPv4 multicast routing

The multicast technique effectively addresses the issue of point-to-multipoint data transmission. By allowing
high-efficiency point-to-multipoint data transmission over an IP network, multicast greatly saves network
bandwidth and reduces network load.

3.12.1 Basic config

To enter basic config page, you can choose Basic> Network > IPv6 multicast routing > Basic config from
navigation tree, as shown in Figure3-65.

Figure3-65 Basic config

Table3-35 describes the configuration items of basic config.

Table3-35 Basic config

Item Description

Interface name Allows you to view all interfaces of the device.

Enabling status Allows you to disable or enable the interface.

Multicast border Allows you to configure multicast address and subnet mask.

To configure basic-config, you should take the following steps:

- Select an interface to enable the status.
- Configure IP multicast address and subnet mask.
- Click Ok button in the upper right corner.

3.12.2 IGMP snooping

3.12.2.1 IGMP snooping

Internet Group Management Protocol Snooping (IGMP Snooping) is a multicast constraining mechanism that runs
on Layer 2 devices to manage and control multicast groups.

To enter IGMP_snooping page, you can choose Basic> Network > IPv6 multicast routing > IGMP_Snooping
interface from navigation tree, as shown in Figure3-66.

Figure3-66 IGMP_Snooping

Table3-11 describes the configuration items of the IGMP snooping.

Table3-36 IGMP snooping

Item Description

VLAN Displays the VLAN number.

Dynamic learning Allows you to select whether to enable the dynamic learning function.

Quick leave Allows you to select whether to enable the quick leave function.
With quick leave processing function enabled, when the device receives an IGMP
leave message on a port, the device directly removes that port from the forwarding
table entry for the specific group. If only one host is attached to the port, enable fast
leave processing to improve bandwidth management.

Static configuration: MAC address/Member port Displays static configuration: MAC group address/Member port

Static configuration: Router port Displays static configuration: Router port

3.12.2.2 IGMP snooping proxy

To enter the IGMP page, you can choose Basic> Network > IPv4 multicast routing > IGMP snooping proxy, as
shown in Figure3-67.

Figure3-67 IGMP snooping proxy

Table3-37 describes the configuration items of IGMP configuration.

Table3-37 IGMP configuration

Item Description

Interface name Displays the name of the IGMP interface.

Version Allows you to select an IGMP version.

Timer query interval Allows you to set the timer query interval.

Max response time Allows you to set the max response time.

Other querier Allows you to set other querier present interval.

Group num Allows you to set the IGMP multicast group number.

Static group Allows you to configure the static group.

Group filter Allows you to set the group filter.

3.12.2.3 IGMP snooping routing

To enter the IGMP snooping routing page, you can choose Basic> Network > IPv4 multicast routing > IGMP
proxy from navigation tree, as shown in Figure3-44.

Figure3-68 IGMP snooping routing

3.12.3 IGMP/IGMP proxy

3.12.3.1 IGMP

To enter the IGMP page, you can choose Basic> Network > IPv4 multicast routing > IGMP/IGMP Proxy >
IGMP from navigation tree, as shown in Figure3-69.

Figure3-69 IGMP proxy

3.12.3.2 IGMP SSM mapping

To enter the IGMP SSM mapping page, you can choose Basic> Network > IPv4 multicast routing >
IGMP/IGMP Proxy > IGMP SSM Mapping from navigation tree, as shown in Figure3-70.

Figure3-70 IGMP SSM mapping

3.12.3.3 IGMP proxy

To enter the IGMP proxy page, you can choose Basic> Network > IPv4 multicast routing > IGMP/IGMP
Proxy > IGMP proxy from navigation tree, as shown in Figure3-71.

Figure3-71 IGMP Proxy

Table3-38 describes the configuration items of IGMP proxy.

Table3-38 IGMP Proxy

Item Description

Host interface configuration Select whether to enable IGMP proxy on the host interface.

Route interface configuration Select whether to enable IGMP proxy on each interface.

To configure IGMP proxy configuration, you should take the following steps.

- Select whether to enable IGMP proxy.
- Set the host interface enable status
- Set the router interface enable status
- Click Ok button in the upper right corner on the webpage.

Note:
After you enable the IGMP Proxy function, IGMP Proxy can be used.

3.12.3.4 IGMP status

To enter the IGMP status interface, you can choose Basic> Network > IPv4 multicast routing > IGMP status
from navigation tree, as shown in Figure3-72.

Figure3-72 IGMP status

Table3-39 describes the configuration items of the IGMP status.

Table3-39 IGMP status

Item Description

Number Displays the sequence number of the IGMP.

Interface name Displays the name of the IGMP interface.

Group address Displays the IGMP group address.

Source address Displays the source address.

Group record types Displays the group record types.

3.12.4 PIM

3.12.4.1 PIM

Protocol Independent Multicast (PIM) provides IP multicast forwarding by leveraging static routes or unicast
routing tables generated by any unicast routing protocol, such as Routing Information Protocol (RIP), Open Shortest
Path First (OSPF), Intermediate System To Intermediate System (IS-IS), or Border Gateway Protocol (BGP).
Independent of the unicast routing protocols running on the device, multicast routing can be implemented as long as
the corresponding multicast routing entries are created through unicast routes.

To enter the PIM page, you can choose Basic> Network > IPv4 multicast routing > PIM > PIM from navigation
tree, as shown in Figure3-73.

Figure3-73 PIM

Table3-40 describes the details of candidate BSR configuration.

Table3-40 Candidate BSR configuration

Item Description

Candidate BSR enable status Select the enabling status of BSR, including enable and disable.

Candidate BSR interface Configure the candidate BSR interface.

Candidate BSR hash mask length Configure the candidate BSR hash mask length.

Candidate BSR priority Configure the candidate BSR priority.

To configure static RP configuration, you can choose Basic> Network > IPv4 multicast routing > PIM > Static
RP configuration from navigation tree, as shown in Figure3-74

Figure3-74 Static RP configuration

Table3-41 describes the details of static RP configuration.

Table3-41 Static RP configuration

Item Description

Static RP enabling status Select the enabling status of static RP configuration, including enable and disable.

Static RP address Configure the static RP address.

Static RP boundary Configure the static RP boundary.

To configure candidate RP configuration, you can choose Basic> Network > IPv4 multicast routing > PIM >
Candidate RP configuration from navigation tree, as shown in Figure3-75.

Figure3-75 Candidate RP configuration

Table3-42 describes the details of candidate RP configuration.

Table3-42 Candidate RP configuration

Item Description

Interface name Displays the interfaces of the device.

Candidate RP enabling status Allows you to enable or disable candidate RP.

Candidate RP advertisement interval Set the candidate RP advertisement interval.

Candidate RP priority Set the candidate RP priority.

Candidate RP boundary Allows you to view candidate RP boundary

To configure the PIM interface configuration, you can choose Basic> Network > IPv4 multicast routing > PIM
from navigation tree, as shown in Figure3-76.

Figure3-76 PIM interface configuration

Table3-43 describes the details of interface configuration

Table3-43 Interface configuration

Item Description

Interface name Displays all interfaces of the device.

Enabling status Select the enabling status of interface configuration, including enable and disable.

Enable mode Select whether to enable the PIM-SM or PIM-DM mode.

Hello interval Select the Hello interval, in seconds.

DR priority Configure the DR priority.

BSR border Select the enabling status of BSR border, including enable and disable.

3.12.4.2 Admin scope zone

To enter the admin scope zone page, you can choose Basic> Network > IPv4 multicast routing > PIM > Admin
scope zone, as shown in Figure3-77.

Figure3-77 Admin scope zone

Table3-44 describes the configuration item of Global zone configuration.


Table3-44 Global zone configuration

Item Description

Global zone configuration Enable/disable Global zone.

Hash mask length Set the hash mask length.

Priority Set the priority

To configure Global zone configuration, you can take the following steps:

- Select to enable Global zone configuration and configure the other settings.
- Click Ok button in the upper right corner on the webpage.

Table3-45 describes the configuration items of the global zone configuration.

Table3-45 Global zone configuration

Item Description

SCOPE Configure SCOPE.

Hash mask length Set the hash mask length.

Priority Set the priority.

Operation Click insert or delete icon to do the operations.

To configure global zone configuration, you should take the following steps:

- Configure scope and set the hash mask length.
- Click Ok button in the upper right corner on the webpage.

Note:
After you enable the global zone configuration, global zone configuration can be used.

3.12.4.3 PIM status

To enter the PIM status page, you can choose Basic> Network > IPv4 multicast routing > PIM > PIM status, as
shown in Figure3-78.

Figure3-78 PIM status

3.12.4.4 BSR status

To enter the BSR status page, you can choose Basic> Network > IPv4 multicast routing > PIM > BSR status, as
shown in Figure3-79.

Figure3-79 BSR status

3.12.4.5 RP-Mapping

To enter the RP-Mapping page, you can choose Basic> Network > IPv4 multicast routing > PIM > RP-Mapping
from navigation tree, as shown in Figure3-80.

Figure3-80 RP-Mapping

3.12.5 MSDP

Multicast Source Discovery Protocol (MSDP) establishes MSDP peer relationships among RPs of different
PIM-SM domains, so that source active (SA) messages can be forwarded among domains and the multicast source
information can be shared.

3.12.5.1 MSDP

To enter MSDP page, you can choose Basic> Network > IPv4 multicast routing > MSDP from navigation tree, as
shown in Figure3-81.

Figure3-81 MSDP

3.12.5.2 Peer status

To enter peer status page, you can choose Basic> Network > IPv4 multicast routing > MSDP > Peer status from
navigation tree, as shown in Figure3-82.

Figure3-82 Peer status

3.12.5.3 Cache status

To enter cache status page, you can choose Basic> Network > IPv4 multicast routing > MSDP > Cache status
from navigation tree, as shown in Figure3-83.

Figure3-83 Cache status

3.12.6 Multicast VPN


To enter the Multicast VPN page, you can choose Basic> Network > IPv4 multicast routing > Multicast VPN
from navigation tree, as shown in Figure3-84.

Figure3-84 Multicast VPN

3.12.7 Multicast source proxy


To enter the multicast source proxy page, you can choose Basic> Network > IPv4 multicast routing > Multicast
source proxy, as shown in Figure3-85.

Figure3-85 Multicast source proxy

3.12.8 Multicast source NAT


To enter the multicast source NAT page, you can choose Basic> Network > IPv4 multicast routing > Multicast
source NAT from navigation tree, as shown in Figure3-86.

Figure3-86 Multicast source NAT

3.12.9 Multicast destination NAT


To enter the multicast destination NAT page, you can choose Basic> Network > IPv4 multicast routing >
Multicast destination NAT from navigation tree, as shown in Figure3-87.

Figure3-87 Multicast destination NAT

3.12.10 Multicast static routing


To enter the multicast static routing page, you can choose Basic> Network > IPv4 multicast routing > Multicast
static routing from navigation tree, as shown in Figure3-88.

Figure3-88 Multicast static routing

3.12.11 Multicast routing table

3.12.11.1 Multicast routing table

To enter the multicast routing table page, you can choose Basic> Network > IPv4 multicast routing > Multicast
routing table from navigation tree, as shown in Figure3-89.

Figure3-89 Multicast routing table

3.12.11.2 PIM multicast routing table

To enter the PIM multicast routing table page, you can choose Basic> Network > IPv4 multicast routing > PIM
multicast routing table from navigation tree, as shown in Figure3-90.

Figure3-90 PIM multicast routing table

3.12.11.3 IGMP multicast routing table

To enter the IGMP multicast routing table page, you can choose Basic> Network > IPv4 multicast routing >
IGMP multicast routing table, as shown in Figure3-91.

Figure3-91 IGMP multicast routing table

3.12.11.4 IGMP proxy routing table

To enter the IGMP proxy routing table page, you can choose Basic> Network > IPv4 multicast routing > IGMP
proxy routing table from navigation tree, as shown in Figure3-92.

Figure3-92 IGMP proxy routing table

3.13 IPv6 multicast routing

3.13.1 Basic Config

To enter the basic config page, you can choose Basic> Network > IPv6 multicast routing > Basic config, as
shown in Figure3-93.

Figure3-93 Basic config

Table3-46 describes the details of basic config.

Table3-46 Basic config

Item Description

Interface name Display all interfaces of the device.

Enabling status Select a status of basic config, including enable and disable.

To configure the basic config, you should take the following steps:

- Select the interface to be enabled and then select the Enable status for the interface.
- Configure the multicast address and subnet mask for the interface.
- Click Ok button in the upper right corner on the webpage.

3.13.2 MLD

Multicast Listener Discovery (MLD) is a component of the Internet Protocol Version 6 (IPv6) suite. MLD is used by
IPv6 routers to discover multicast listeners on a directly attached link, much as IGMP is used in IPv4.

3.13.2.1 MLD snooping

To enter the MLD snooping page, you can choose Basic> Network > IPv6 multicast routing > MLD snooping
from navigation tree, as shown in Figure3-94.

Figure3-94 MLD snooping

3.13.2.2 MLD

To enter the MLD page, you can choose Basic> Network > IPv6 multicast routing > MLD from navigation tree,
as shown in Figure3-95.

Figure3-95 MLD

3.13.2.3 MLD status

To enter the MLD status page, you can choose Basic> Network > IPv6 multicast routing > MLD status, as shown
in Figure3-96.

Figure3-96 MLD status

3.13.3 PIM

Protocol Independent Multicast (PIM) provides IP multicast forwarding by leveraging static routes or unicast
routing tables generated by any unicast routing protocol, such as RIP, OSPF, IS-IS, BGP.

3.13.3.1 PIM

To enter the PIM page, you can choose Basic> Network > IPv6 multicast routing > PIM from navigation tree, as
shown in Figure3-97.

Figure3-97 PIM

3.13.3.2 Admin scope zone

To enter the admin scope zone page, you can choose Basic> Network > IPv6 multicast routing > PIM > Admin
scope zone from navigation tree, as shown in Figure3-98.

Figure3-98 Admin scope zone

Table3-47 describes the configuration item of Global zone configuration.


Table3-47 Global zone configuration

Item Description

Global zone configuration Enable/disable Global zone.

Hash mask length Set the hash mask length.

Priority Set the priority

To configure Global zone configuration, you can take the following steps:

- Select to enable Global zone configuration and configure the other settings.
- Click Ok button in the upper right corner on the webpage.

Table3-48 describes the configuration items of the global zone configuration.


Table3-48 Global zone configuration

Item Description

SCOPE Configure SCOPE.

Hash mask length Set the hash mask length.

Priority Set the priority.

Operation Click insert or delete icon to do the operations.

To configure global zone configuration, you should take the following steps:

- Configure scope and set the hash mask length.
- Click Ok button in the upper right corner on the webpage.

Note:
After you enable the global zone configuration, global zone configuration can be used.

3.13.3.3 PIM status

To enter the PIM status page, you can choose Basic> Network > IPv6 multicast routing > PIM > PIM status
from navigation tree, as shown in Figure3-99.

Figure3-99 PIM status

3.13.3.4 BSR status

To enter the BSR status page, you can choose Basic> Network > IPv6 multicast routing > PIM > BSR status, as
shown in Figure3-100.

Figure3-100 BSR status

3.13.3.5 RP-Mapping

To enter the RP-Mapping page, you can choose Basic> Network > IPv6 multicast routing > PIM > RP-Mapping,
as shown in Figure3-101.

Figure3-101 RP-Mapping

3.13.4 PIM multicast routing table


To enter the PIM multicast routing table page, you can choose Basic> Network > IPv6 multicast routing > PIM >
RP-Mapping from navigation tree, as shown in Figure3-102.

Figure3-102 PIM multicast routing table

3.14 Policy-based routing

3.14.1 Introduction to policy-based routing

Policy-based routing (PBR) is a routing mechanism based on user-defined policies. It is used to modify the nexthop address and to mark packets in order to provide different network services.

When the device forwards a packet, it first looks up the policy routes that take effect before routing. If the packet does not match, the device looks up the static route table. If the packet still does not match, the device looks up the policy routes that take effect after routing.

The policy-based routing (PBR) of DPtech is a technology that recognizes different network packets and forwards them according to policies created in advance. PBR can classify network packets according to different key fields and decide which policy-based route should be used, so it can effectively control network streams and behaviors. PBR works at the IP layer, before IP forwarding. If a packet matches a PBR policy, the device executes the corresponding action. The actions include redirecting to the nexthop and re-marking (such as ToS, IP priority, DSCP). The device then looks up the FIB table, according to the destination IP address of the packet as replaced by the nexthop, to do IP forwarding.
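The lookup order described above can be modelled directly. The following Python model is an added example, not DPtech code: evaluation in ascending ID order with first match winning, the longest-prefix static lookup, the interface name and all addresses are assumptions or constructed sample values. It also lists static routes that a before-route policy always overrides, which is worth auditing when traffic is expected to follow a particular inspected path.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str
    proto: str
    tos: int = 0


@dataclass(frozen=True)
class PbrRule:
    # Field names follow the configuration items in the PBR table of this guide.
    rule_id: int
    nexthop: str
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    in_if: Optional[str] = None      # None means "any"
    proto: Optional[str] = None
    tos: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
                and self.in_if in (None, p.in_if)
                and self.proto in (None, p.proto)
                and self.tos in (None, p.tos))

    def unconditional(self) -> bool:
        """True when the destination subnet is the only restriction."""
        return (ipaddress.ip_network(self.src_net).prefixlen == 0
                and self.in_if is None and self.proto is None and self.tos is None)


def first_match(rules, p):
    # Assumption: policies are evaluated in ascending ID order, first match wins.
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(p):
            return rule
    return None


def static_lookup(routes, dst):
    """Longest-prefix match over a {prefix: nexthop} static route table."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, nexthop in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nexthop)
    return best[1] if best else None


def resolve(p, before, static_routes, after):
    """Return (stage, rule ID or None, nexthop) in the order the guide gives."""
    rule = first_match(before, p)
    if rule:
        return ("pbr-before-route", rule.rule_id, rule.nexthop)
    nexthop = static_lookup(static_routes, p.dst)
    if nexthop:
        return ("static-route", None, nexthop)
    rule = first_match(after, p)
    if rule:
        return ("pbr-after-route", rule.rule_id, rule.nexthop)
    return ("no-route", None, None)


def shadowed_static_routes(before, static_routes):
    """Static prefixes that an unconditional before-route policy always overrides."""
    hits = []
    for prefix in static_routes:
        net = ipaddress.ip_network(prefix)
        for rule in sorted(before, key=lambda r: r.rule_id):
            cover = ipaddress.ip_network(rule.dst_net)
            if (rule.unconditional() and cover.version == net.version
                    and net.subnet_of(cover)):
                hits.append((prefix, rule.rule_id))
                break
    return hits


# Constructed sample configuration (documentation and private address ranges).
BEFORE = [PbrRule(10, "10.0.0.2", src_net="192.168.10.0/24", proto="tcp"),
          PbrRule(20, "10.0.0.6", dst_net="203.0.113.0/24")]
STATIC = {"203.0.113.0/24": "10.0.1.1", "198.51.100.0/24": "10.0.1.2"}
AFTER = [PbrRule(10, "10.0.2.1")]   # catch-all applied only after routing fails

if __name__ == "__main__":
    for pkt in (Packet("192.168.10.5", "198.51.100.7", "gige0_1", "tcp"),
                Packet("192.168.20.5", "198.51.100.7", "gige0_1", "udp"),
                Packet("192.168.20.5", "192.0.2.9", "gige0_1", "udp")):
        print(pkt.src, "->", pkt.dst, resolve(pkt, BEFORE, STATIC, AFTER))
    print("shadowed static routes:", shadowed_static_routes(BEFORE, STATIC))
```

In the sample data the static route for 203.0.113.0/24 is never consulted, because before-route policy 20 matches every packet to that subnet first.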

3.14.2 IPv6 policy-based routing

3.14.2.1 Policy-based routing

To enter the policy-based routing page, you can choose Basic> Network >Policy-based routing from navigation
tree, as shown in Figure3-103.

Figure3-103 Policy-based routing


Table3-49 describes the configuration items of policy-based routing.

Table3-49 Policy-based routing configuration items

Item Description

ID Displays the sequence number of the PBR policy.

Source subnet Allows you to configure the source IP address of the PBR policy.

Destination subnet Allows you to configure the destination IP address of the PBR policy.

ToS Allows you to configure the type of service (ToS).

Inbound interface Allows you to select the interface on which the PBR policy is enabled.

Protocol Allows you to select which protocol should be used by the PBR policy.

Nexthop Allows you to configure nexthop information.

Operation Click the copy, delete or insert icon to perform the operation.

3.14.2.2 Monitoring

To enter the monitoring page, you can choose Basic > Network > Monitoring from navigation tree.

Figure3-104 Monitoring

3.14.3 IPv4 policy-based routing

3.14.3.1 Policy-based routing

To enter the policy-based routing interface, you can choose Basic> Network >Policy-based
routing >Policy-based routing from navigation tree, as shown in Figure3-105.


Figure3-105 Policy-based routing

Table3-50 describes the configuration items of policy-based routing.

Table3-50 Policy-based routing configuration items

Item Description

ID Displays the sequence number of the PBR policy.

Source subnet Allows you to configure the source IP address of the PBR policy.

Destination subnet Allows you to configure the destination IP address of the PBR policy.

ToS Allows you to configure the type of service (ToS).

Inbound interface Allows you to select the interface on which the PBR policy is enabled.

Protocol Allows you to select which protocol should be used by the PBR policy.

Nexthop Allows you to configure nexthop information.

Operation Click the copy, delete or insert icon to perform the operation.

3.14.3.2 Monitoring

To enter the monitoring page, you can choose Basic> Network >Policy-based routing > Monitoring from
navigation tree, as shown in Figure3-106.


Figure3-106 Monitoring

3.15 MPLS

Multiprotocol Label Switching (MPLS) is a mechanism in high-performance telecommunications networks which
directs and carries data from one network node to the next with the help of labels.

3.15.1 MPLS configuration

3.15.1.1 Global configuration

To enter the MPLS configuration page, you can choose Basic> Network >MPLS > Global configuration from
navigation tree, as shown in Figure3-107.

Figure3-107 Global configuration

3.15.2 Static FTN/ILM

3.15.2.1 Configure FTN

To enter the static FTN page, you can choose Basic> Network > MPLS > Configure FTN from navigation tree, as
shown in Figure3-108.

Figure3-108 Static FTN

3.15.2.2 Configure ILM


To enter the configure ILM page, you can choose Basic> Network > MPLS > Configure ILM from navigation
tree, as shown in Figure3-109.

Figure3-109 Static ILM

3.15.3 LDP

3.15.3.1 LDP configuration

To enter the LDP configuration page, you can choose Basic> Network > MPLS > LDP > LDP configuration
from navigation tree, as shown in Figure3-110.

Figure3-110 LDP configuration

3.15.3.2 Display LDP neighbor

To enter the display LDP neighbor page, you can choose Basic> Network > MPLS > LDP > Display LDP
neighbor from navigation tree, as shown in Figure3-111.

Figure3-111 Display LDP neighbor

3.15.3.3 Display LDP adjacency

To enter the display LDP adjacency page, you can choose Basic> Network > Display LDP adjacency from
navigation tree, as shown in Figure3-112.


Figure3-112 Display LDP adjacency

3.15.3.4 Display LDP interface

To enter the display LDP interface page, you can choose Basic > Network > Policy-based routing from navigation tree.

Figure3-113 Display LDP interface

3.15.4 L2VPN configuration


MPLS L2VPN transfers Layer 2 user data transparently on the MPLS network. For users, the MPLS network is a
Layer 2 switched network and can be used to establish Layer 2 connections between nodes.

3.15.4.1 L2VPN configuration

To enter the L2VPN configuration, you can choose Basic> Network >MPLS > L2VPN configuration > L2VPN
configuration from navigation tree, as shown in Figure3-114.

Figure3-114 L2VPN configuration

3.15.4.2 SVC mode

Static Virtual Circuit (SVC) also implements MPLS L2VPN by static configuration. It transfers L2VPN
information without using any signaling protocol. The SVC method resembles the Martini method closely and is in
fact a static implementation of the Martini method.

To enter the SVC mode configuration, you can choose Basic> Network >MPLS > L2VPN configuration > SVC
mode from navigation tree, as shown in Figure3-115.


Figure3-115 SVC mode

3.15.4.3 CCC mode

To enter the CCC mode configuration, you can choose Basic> Network >MPLS > L2VPN configuration > CCC
mode from navigation tree, as shown in Figure3-116.

Figure3-116 CCC mode

3.15.4.4 MARTINI mode

To enter the MARTINI mode configuration, you can choose Basic> Network >MPLS > L2VPN configuration >
MARTINI mode from navigation tree, as shown in Figure3-117.

Figure3-117 MARTINI mode

3.15.4.5 VPLS mode

VPLS provides Layer 2 VPN services. However, it supports multipoint services, rather than the point-to-point
services that traditional VPN supports. With VPLS, service providers can create on the PEs a series of virtual
switches for customers, allowing customers to build their LANs across the Metropolitan Area Network (MAN) or
Wide Area Network (WAN).

To enter the VPLS mode configuration, you can choose Basic> Network >MPLS > L2VPN configuration >
VPLS mode, as shown in Figure3-118.

Figure3-118 VPLS mode


3.16 ARP Configuration

Address Resolution Protocol (ARP) is the protocol that resolves an IP address to an Ethernet MAC address. In a local area network, when a host or other network device sends data to another host or device, it must know the network layer address (IP address) of the peer. The IP address alone is not enough, because IP data packets are encapsulated by the link-layer protocol, so the sender must also know the receiver's physical address and needs the mapping between IP address and physical address. ARP is used to meet this requirement.

3.16.1 Display ARP

3.16.1.1 Display ARP

To enter the display ARP page, you can choose Basic> Network >ARP > Display ARP, as shown in Figure3-119.

Figure3-119 Display ARP

3.16.1.2 Static ARP

To enter the static ARP display interface, you can choose Basic> Network > ARP > Static ARP, as shown in
Figure3-120.

Figure3-120 Static ARP


3.16.1.3 Gratuitous ARP

A gratuitous ARP reply is a reply to which no request has been made. Gratuitous ARP could mean both gratuitous
ARP request and gratuitous ARP reply. Gratuitous in this case means a request/reply that is not normally needed
according to the ARP specification but could be used in some cases. A gratuitous ARP request is an Address
Resolution Protocol request packet where the source and destination IP are both set to the IP of the machine issuing
the packet and the destination MAC is the broadcast address ff:ff:ff:ff:ff:ff. Ordinarily, no reply packet will occur.
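The definition above (source and destination IP both set to the IP of the issuing machine) gives a simple test for recognising gratuitous ARP on the wire. The following Python example is added here and is not part of the DPtech product: it parses raw Ethernet/ARP frames, picks out gratuitous ARP, and tracks IP-to-MAC bindings so that a gratuitous ARP claiming a known IP with a different MAC is reported. All frames, MAC addresses and IP addresses are constructed sample values, and keeping the old binding on a conflict is an assumption of this example.

```python
import struct
from typing import NamedTuple, Optional

BROADCAST = b"\xff" * 6
ETHERTYPE_ARP = 0x0806


class Arp(NamedTuple):
    eth_dst: bytes
    eth_src: bytes
    op: int          # 1 = request, 2 = reply
    sha: bytes       # sender hardware (MAC) address
    spa: bytes       # sender protocol (IP) address
    tha: bytes       # target hardware address
    tpa: bytes       # target protocol address


def parse_arp(frame: bytes) -> Optional[Arp]:
    """Parse an untagged Ethernet frame carrying IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (1, 2):
        return None
    return Arp(eth_dst, eth_src, op, sha, spa, tha, tpa)


def is_gratuitous(a: Arp) -> bool:
    # Request or reply in which the sender announces its own IP address.
    return a.spa == a.tpa


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


class BindingMonitor:
    """Track IP-to-MAC bindings announced by gratuitous ARP."""

    def __init__(self):
        self.table = {}

    def observe(self, frame: bytes):
        a = parse_arp(frame)
        if a is None or not is_gratuitous(a):
            return None
        ip, mac = fmt_ip(a.spa), fmt_mac(a.sha)
        if a.eth_src != a.sha:
            # Ethernet source and ARP sender MAC disagree: do not learn from it.
            return ("sender-mismatch", ip, mac)
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
            return ("learned", ip, mac)
        if known == mac:
            return ("unchanged", ip, mac)
        # Same IP announced with a different MAC: report, keep the old binding.
        return ("conflict", ip, mac)


def build_arp(op, sha, ip, eth_dst=BROADCAST, tpa=None, eth_src=None) -> bytes:
    """Build a constructed sample frame; gratuitous unless tpa is given."""
    spa = bytes(int(x) for x in ip.split("."))
    tpa_b = spa if tpa is None else bytes(int(x) for x in tpa.split("."))
    tha = b"\x00" * 6 if op == 1 else eth_dst
    return (struct.pack("!6s6sH", eth_dst, eth_src or sha, ETHERTYPE_ARP)
            + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sha, spa, tha, tpa_b))


if __name__ == "__main__":
    mac_a = bytes.fromhex("020000000a01")   # constructed, locally administered
    mac_b = bytes.fromhex("020000000b02")
    mon = BindingMonitor()
    for frame in (build_arp(1, mac_a, "192.0.2.10"),
                  build_arp(1, mac_a, "192.0.2.10", tpa="192.0.2.1"),
                  build_arp(2, mac_b, "192.0.2.10")):
        print(mon.observe(frame))
```

A legitimate address takeover, such as a failover between redundant gateways, produces the same conflict event, so conflicts should be compared against the static ARP entries and known redundancy pairs before being treated as spoofing.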

To enter the gratuitous page, you can choose Basic> Network > ARP > Gratuitous ARP from navigation tree, as
shown in Figure3-121.

Figure3-121 Gratuitous ARP

3.16.1.4 Configure ARP probe period

To enter the configure ARP probe period page, you can choose Basic> Network > ARP > Configure ARP probe
period from navigation tree, as shown in Figure3-122.

Figure3-122 Configure ARP probe period

3.16.2 Anti-ARP-snooping

3.16.2.1 Anti-ARP-snooping

To enter the anti-ARP-snooping page, you can choose Basic > Network > ARP > Anti-ARP snooping from navigation tree.


Figure3-123 Anti-ARP snooping

3.16.2.2 ARP configuration

To enter the ARP configuration page, you can choose Basic> Network > ARP> ARP configuration from
navigation tree, as shown in Figure3-124.

Figure3-124 ARP configuration

3.16.2.3 ARP log

To enter the ARP log page, you can choose Basic> Network > ARP> ARP log, as shown in Figure3-125 .

Figure3-125 ARP log

3.17 MAC address manage

To enter the MAC address manage page, you can choose Basic> Network > MAC address manage, as shown in
Figure3-126.


Figure3-126 MAC address manage

3.18 DNS Configuration

3.18.1 Introduction to DNS

The Domain Name System (DNS) is used to provide translation between domain names and IP addresses for users.

3.18.2 DNS

To enter the DNS page, you can choose Basic> Network > DNS from navigation tree, as shown in Figure3-127.

Figure3-127 DNS

To configure DNS, you can take the following steps:

• Enter the DNS server address and select the DNS proxy check box.
• Click the Ok button in the upper right corner of the webpage.

3.19 DHCP Configuration

3.19.1 Introduction to DHCP

DHCP allows administrators to monitor and distribute IP addresses from a central node. When a computer is moved to another place in a network, it automatically receives a new IP address, which facilitates user configuration and centralized management. In a local network, the DHCP server is used to distribute IP addresses to every workstation, and the DHCP relay distributes IP addresses when the local network is divided into several subnets. After the DHCP client is enabled on an interface, the interface can dynamically obtain an IP address and other configuration parameters from the DHCP server.

3.19.2 DHCP server

To enter the DHCP server page, you can choose Basic> Network > DHCP > DHCP server from navigation tree,
as shown in Figure3-128.

Figure3-128 DHCP server

Table3-51 describes the details of dynamic DHCP server configuration.

Table3-51 Dynamic DHCP server configuration

Item Description

Start IP address Specify start IP address from the IP address pool.

End IP address Specify end IP address from the IP address pool.

Subnet mask Specify the subnet mask for the IP address pool.

Gateway address Specify the distributing gateway address for every host in the network.

Agent address Specify agent address for every host in the network.

DNS server Specify DNS server for every host in the network.

WINS server Specify the distributing WINS server for every host in the network.

Region name Specify the region name.

Lease(minute) Specify valid time for the allocated IP address.


Operation Click the copy or delete icon to perform the operation.

Table3-52 describes the details of static DHCP server configuration.

Table3-52 Static DHCP server configuration

Item Description

Hostname Specify a hostname which is required to obtain static IP address.

MAC address Specify the MAC address which is required to obtain the static IP address.

IP address Specify the IP address to allocate to the above host.

Operation Click the copy icon or delete icon to perform the operation.

To configure the dynamic DHCP address pool, you can take the following steps:

• Click the copy icon.
• Enter the start and end IP addresses to be distributed by the DHCP server.
• Enter the subnet mask of the distributed addresses and enter the DHCP server gateway address.
• Enter the DHCP domain name server address and then enter the WINS server address to be distributed to the hosts.
• Enter the specific region name and then select the valid time.
• Click the Ok button in the upper right corner of the webpage.

To create the static DHCP address pool, you can take the following steps:

• Click the copy icon.
• Enter the hostname of the static DHCP configuration.
• Enter the MAC address of the host that will be assigned an IP address statically.
• Enter the IP address to be assigned statically to that host.
• Click the Ok button in the upper right corner of the webpage.


3.19.3 DHCPv6 server

To enter the DHCPv6 server page, you can choose Basic > Network > DHCP > DHCPv6 server from navigation
tree, as shown in Figure3-129.

Figure3-129 DHCPv6 server

3.19.4 DHCP relay agent

To enter the DHCP relay agent page, you can choose Basic> Network > DHCP > DHCP relay agent, as shown in
Figure3-130.

Figure3-130 DHCP relay agent

Table3-53 describes the details of DHCP relay configuration.

Table3-53 DHCP relay configuration

Item Description

Interfaces list Specify an interface which automatically obtains an IP address.

DHCP servers list Specify the IP address of the DHCP server which provides the DHCP service.

Operations Click the delete icon to delete the address pool.


To configure the DHCP relay:

• Select the DHCP relay agent check box.
• Click the interface list and then select an interface on which to enable the DHCP relay.
• Click the DHCP server list and then add a DHCP server IP address.
• Click the Ok button in the upper right corner of the webpage.

3.19.5 DHCP IP address table

DHCP IP address table allows you to view the related information of the host allocated by DHCP server.
To enter the DHCP IP address table interface, you can choose Basic> Network > DHCP > DHCP IP address
table from navigation tree, as shown in Figure3-131.

Figure3-131 DHCP IP address table

Table3-54 describes the details of DHCP IP address table.

Table3-54 DHCP IP address table

Item Description

Serial number Displays the serial number of the host.

Host name Displays the hostname of the host.

MAC address Displays the MAC address of the host.

IP address Displays the IP address of the host.

Lease period Displays the lease period of the host.

3.20 BFD

3.20.1 BFD configuration

BFD is a detection protocol designed to provide fast forwarding path failure detection times for all media types,
encapsulations, topologies, and routing protocols.


To enter the BFD interface, you can choose Basic> Network > BFD, as shown in Figure3-132.

Figure3-132 Basic wireless

Table3-55 describes the configuration items of the BFD configuration.

Table3-55 BFD configuration

Item Description

Interface Configure the BFD interface.

Enable status Allows you to enable or disable the interface.

Mode BFD provides the following detection modes:
• Initiative mode: In initiative mode, two systems periodically send BFD control packets to each other. If one system receives no packets consecutively, the system considers the BFD session Down.
• Passive mode: If multiple BFD sessions exist in a system, the cost of periodically sending BFD control packets affects system operation. To solve this problem, use the demand mode. In demand mode, after BFD sessions are set up, the system does not periodically send BFD control packets. The system detects connectivity using other mechanisms, such as the Hello mechanism of a routing protocol and hardware detection, to reduce the cost of BFD sessions.

Advanced configuration Configure the advanced configuration.

3.20.2 BFD session

To enter the BFD page, you can choose Basic> Network > BFD session from navigation tree, as shown in
Figure3-133.


Figure3-133 Basic session

3.20.3 BFD manual

To enter the BFD manual page, you can choose Basic> Network > BFD manual from navigation tree, as shown in
Figure3-134.

Figure3-134 Basic session

3.21 Basic wireless

To enter the basic wireless address table interface, you can choose Basic> Network > Wireless from navigation
tree, as shown in Figure3-135.

Figure3-135 Basic wireless

To configure basic wireless:

• Click the Enable option.
• Configure the SSID, for example: dptech.
• Select the wireless mode (the default wireless mode is 802.1n).
• Select channel1.
• Select whether to enable SSID broadcast.
• Select the security policy.
• Click the Ok button in the upper right corner of the webpage.

3.22 Diagnostic tools

3.22.1 Ping

Ping is used to test the reachability of a host on an Internet Protocol (IP) network and to measure the round-trip time
for messages sent from the originating host to a destination computer.
To enter the PING page, you can choose Basic> Network > Diagnose tool > Ping from navigation tree, as shown in
Figure3-136.

Figure3-136 Ping

To use the Ping diagnose tool:

• Enter the PING destination IP address.
• Click the Test button on the bottom right.
• The PING test result will be shown on the interface.

3.22.2 Traceroute

Traceroute is a computer network diagnostic tool for displaying the route (path) and measuring transit delays of
packets across an Internet Protocol (IP) network.
To enter the Traceroute tool page, you can choose Basic> Network > Diagnose tool > Traceroute from navigation
tree, as shown in Figure3-137.


Figure3-137 Traceroute

3.22.3 Capture

To enter the Capture page, you can choose Basic> Network > Diagnose tool > Capture from navigation tree, as
shown in Figure3-138.

Figure3-138 Capture

3.23 LAN Switch

3.23.1 Spanning tree

3.23.1.1 Select STP

To enter the select STP page, you can choose Basic> Network > LAN Switch > Spanning tree > Select STP, as
shown in Figure3-139.

Figure3-139 Spanning tree


Table3-56 describes the configuration items of the select STP.

Table3-56 Select STP configuration items

Item Description

Enable STP Select whether to enable the STP function. After the STP function is enabled, you can enable one of the following functions: STP, RSTP and MSTP.

STP mode All ports of the device send out STP BPDUs.

RSTP mode All ports of the device send out RSTP BPDUs. If the device detects that it is connected with
a legacy STP device, the port connecting with the legacy STP device will automatically
migrate to STP-compatible mode.

MSTP mode All ports of the device send out MSTP BPDUs. If the device detects that it is connected
with a legacy STP device, the port connecting with the legacy STP device will
automatically migrate to STP-compatible mode.

3.23.1.2 STP

To enter the STP interface, you can choose Basic> Network > LAN Switch > Spanning tree > STP from
navigation tree, as shown in Figure3-140.

Figure3-140 STP

3.23.1.3 RSTP

To enter the RSTP page, you can choose Basic > Network > LAN Switch > Spanning tree > RSTP from navigation tree,
as shown in Figure3-141.


Figure3-141 RSTP

3.23.1.4 MSTP

Spanning Tree Protocol (STP) is a layer 2 management protocol that selectively blocks redundant links in a network to eliminate layer 2 loops. It can also provide link backup.

To enter the MSTP interface, you can choose Basic > Network > LAN Switch > Spanning tree > MSTP from navigation
tree, as shown in Figure3-142.

Figure3-142 MSTP

Table3-57 describes the configuration items of the MSTP region.

Table3-57 MSTP region configuration items

Item Description

Revision level Allows you to configure the revision level of MSTP region.

Region name Allows you to configure the region name.


Protocol message form Allows you to select protocol message form.

Start BPDU protection Select whether to enable the global BPDU protection function. The BPDU protection function protects the device against malicious attacks that use fabricated configuration information, so that network oscillation is avoided.

3.23.1.5 STP status

To enter the STP status, you can choose Basic > Network > LAN Switch > Spanning tree > MSTP, as shown in
Figure3-143.

Figure3-143 STP status


Chapter 4 Firewall

4.1 Introduction to the Firewall

The firewall module controls incoming and outgoing data packets and blocks intrusion from outside networks. The firewall provides the following functions:

• Packet filtering policy
• IPv6 packet filtering
• NAT
• NAT_PT
• Basic attack protection
• Session limit
• Service limit
• IPV4 Basic DDOS
• Blacklist
• MAC/IP Binding
• Session Management
• QoS
• Anti-ARP-spoofing

To enter the firewall menu, you can choose Basic> Network > Firewall > Packet filtering policy from navigation
tree, as shown in Figure4-1.


Figure4-1 Firewall

4.2 Packet Filtering Policy

4.2.1 Packet Filtering Policy

Packet filtering inspects the source domain, destination domain, originator source IP, originator destination IP, originator source MAC, originator destination MAC, service, IP fragment, flow re-mark and action for every data packet.
To enter the packet filtering policy interface, you can choose Basic> Network > Firewall > Packet filtering policy
from navigation tree, as shown in Figure4-2.

Figure4-2 Packet filtering policy

Table4-1 describes the configuration items of packet filtering policy.


Table4-1 Packet filtering policy configuration items

Item Description

Serial number Displays the serial number of the packet filtering policy.

Name Configure a name for the packet filtering policy.

Source domain Specify the source domain.

Destination domain Specify the destination domain.

Originator source IP Specify the originator source IP.

Originator destination IP Specify the originator destination IP.

Originator source MAC Specify the range of packet source MAC.

Originator destination MAC Specify the range of packet destination MAC.

Service Select a service for the packet filtering policy.

IP fragment Select whether to permit fragment packets to pass through the device.

Valid time Select a time range for the rule. By default, the time range is Always, which means the packet filtering policy is always in effect.

Status Select a status for the packet filtering policy.
• Enable: the packet filtering policy is enabled.
• Disable: the packet filtering policy is disabled.

Action Specify whether to permit packets to pass the device and further limit the packet filtering policy.

Operation Click the copy icon, delete icon or insert icon to perform the operation.


Figure4-3 Configuring action

Table4-2 describes the details of how to configure action.

Table4-2 Configuring action

Item Description

Pass Allow the packet to pass through the device.

Discard Do not allow the packet to pass through the device.

Rate limitation Select rate limitation rule which will apply to the packet filtering policy.

Per IP rate limitation Select per IP limitation rule which will apply to the packet filtering policy.

Access control Select access control rule which will apply to the packet filtering policy.

URL filtering Select URL filtering rule which will apply to the packet filtering policy.

Advanced filtering Select advanced filtering rule which will apply to the packet filtering policy.

Behavior audit Select behavior audit rule which will apply to the packet filtering policy.

Flow analysis Select whether to enable the flow analysis.

To create a packet filtering policy:

• Click the copy icon.
• Select the source domain and destination domain in the new line.
• Select the initiate source IP and initiate destination IP for the packet filtering policy.
• Select the related service and valid time for the packet filtering policy.
• Select the action, which can be pass, discard or rate limitation.
• Click the Ok button in the upper right corner of the webpage.

! Caution:
If a packet matches no packet filtering policy, the device applies the default packet filtering policy. By default, an interface with a higher security level can access an interface with a lower security level, but an interface with a lower security level cannot access an interface with a higher security level.

4.2.2 Packet filtering policy log

The packet filtering policy log query function queries specific logs in the database. As a prerequisite, you must select the check box in front of the packet filtering policy.

To enter the packet filtering policy interface, you can choose Basic> Network > Firewall > Packet filtering policy
from navigation tree, as shown in Figure4-4.

Figure4-4 Packet filtering policy log

4.3 IPv6 packet filtering policy

4.3.1 IPv6 packet filtering policy

To enter the IPv6 packet filtering policy page, you can choose Basic> Network > Firewall > Packet filtering
policy > IPv6 packet filtering policy from navigation tree, as shown in Figure4-5.


Figure4-5 IPv6 packet filtering policy

4.3.2 IPv6 packet filtering log

To enter the IPv6 packet filtering log page, you can choose Basic> Network > Firewall > Packet filtering policy >
IPv6 packet filtering log from navigation tree, as shown in Figure4-6.

Figure4-6 IPv6 packet filtering log

4.4 NAT

4.4.1 Introduction to NAT

Network Address Translation (NAT) provides a way of translating the IP address in an IP packet header to another IP address. Originally, NAT was used to allow users with private IP addresses to access public networks. By using NAT, a smaller number of public IP addresses can meet the public network access requirements of a larger number of private hosts, so NAT can effectively alleviate the depletion of IP addresses.

4.4.2 Source NAT

4.4.2.1 Source NAT

To enter the source NAT page, you can choose Basic> Network > Firewall > Source NAT > Source NAT from
navigation tree, as shown in the Figure4-7.


Figure4-7 Source NAT

4.4.2.2 Address pool

To enter the address pool page, you can choose Basic> Network > Firewall > Source NAT > Address pool from
navigation tree, as shown in the Figure4-8.

Figure4-8 Address pool

4.4.3 Destination NAT

To enter the destination NAT page, you can choose Basic> Network > Firewall > Destination NAT from
navigation tree, as shown in Figure4-9.

Figure4-9 Destination NAT

Table4-3 describes the details of destination NAT configuration.

Table4-3 Destination NAT configuration

Item Description

No. Shows the sequence number of destination NAT.

Name Configure a name for the destination NAT.

Inbound interface Allows you to select an inbound interface for the destination NAT.

Public IP address Configure public IP address.


Service Allows you to select a kind of service.

Intranet address Configure Intranet address.

Advanced configuration Configure advanced configuration.

VRRP Allows you to select whether the policy is associated with VRRP.

State Allows you to select a state.

Operation Click the add icon or delete icon to perform the operation.

To configure destination NAT, you can take the following steps:

• Click the copy button of the destination NAT policy.
• Select the outbound interface.
• Configure the service type of the destination NAT policy.
• Configure the public address of the destination NAT server.
• Configure the inner IP address of the destination NAT server.
• After you have finished the above steps, click the Ok button in the upper right corner of the webpage.

Note:
If you configure the server inner port in the advanced configuration, the connection goes to that destination port after the destination NAT translation.

4.4.4 One to one NAT

With one to one NAT, when an internal network user accesses an external network, NAT replaces the original internal IP address with an external or public IP address. This address is the outbound interface address (a public IP address) of the NAT gateway, which means that all internal hosts use the same external IP address when accessing external networks. Only one host is allowed to access external networks at a given time; hence, it is referred to as “one to one NAT”.

To enter the one to one NAT page, you can choose Basic> Network > Firewall > One to one NAT from navigation
tree, as shown in Figure4-10.


Figure4-10 One to one NAT

Table4-4 describes the configuration items of one to one NAT configuration.

Table4-4 One to one NAT configuration

Item Description

Serial number Displays the serial number of one to one NAT policy.

Public interface Displays the outbound interface of one to one NAT policy.

One to one NAT Displays the inner address of one to one NAT policy.

Public address Displays the public address of one to one NAT policy.

Operation Click the copy or delete icon to perform the operation.

To configure one to one NAT, you can take the following steps:

• Click the icon of the one to one NAT policy.
• Select the public interface.
• Configure the inner address of the one to one NAT policy.
• Configure the public address of the one to one NAT policy.
• After you have finished the above steps, click the Ok button in the upper right corner of the webpage.

4.4.5 N to N NAT

When the first internal host accesses external networks, NAT chooses a public IP address for it, records the mapping between the two addresses and transfers data packets. When the second internal host accesses external networks, NAT chooses another public IP address for the second host, and further hosts are handled in the same way. This kind of NAT is called “N-to-N NAT”.

To enter the N to N NAT page, you can choose Basic> Network > Firewall > N to N NAT from navigation tree, as
shown in Figure4-11.


Figure4-11 N to N NAT

Table4-5 describes the details of address pool.

Table4-5 Address pool configuration

Item Description

No. Shows the sequence number of N to N NAT.

Net interface Allows you to select the Net interface.

Innet address Allows you to select the innet address.

Net address Configure Net address.

VRRP Allows you to select whether the policy is associated with VRRP.

Operation Click the copy or delete icon to perform the operation.

To configure the address pool, you can take the following steps:

• Click the button of the address pool.
• Configure the ID number.
• Configure the start IP.
• Configure the end IP.
• After you have finished the above steps, click the Ok button in the upper right corner of the webpage.

4.5 NAT64

Network Address Translation IPv6 to IPv4 (NAT64 for short) is a mechanism that allows IPv6 hosts to communicate
with IPv4 servers. The NAT64 server is the endpoint for at least one IPv4 address and an IPv6 network segment of
32-bits (for instance 64:ff9b::/96, which is the NAT64 prefix). The IPv6 client embeds the IPv4 address it wishes to
communicate with using these bits, and sends its packets to the resulting address. The NAT64 server then creates a
NAT-mapping between the IPv6 and the IPv4 address, allowing them to communicate.
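
The embedding described above, written out as an added example (it is not taken from the DPtech guide or device). It uses the 64:ff9b::/96 prefix named in the text; the function names, the sample addresses and the "global IPv4 destinations only" review policy are assumptions made for illustration.

```python
import ipaddress
from typing import List, Optional, Tuple

# 64:ff9b::/96 is the NAT64 prefix the guide gives as its example.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize(ipv4: str,
               prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 prefixes")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract(ipv6: str,
            prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> Optional[ipaddress.IPv4Address]:
    """Recover the embedded IPv4 address, or None if the address is outside the prefix."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def translation_allowed(ipv6: str,
                        prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> bool:
    """Assumed review policy: only translate toward global IPv4 destinations.

    RFC 6052 says the well-known prefix must not represent non-global IPv4
    addresses, so an embedded RFC 1918 or loopback address is refused here.
    """
    v4 = extract(ipv6, prefix)
    return v4 is not None and v4.is_global


def review(destinations: List[str]) -> List[Tuple[str, Optional[str], bool]]:
    """Return (ipv6, embedded_ipv4, allowed) for each destination seen on the IPv6 side."""
    rows = []
    for dst in destinations:
        v4 = extract(dst)
        rows.append((dst, str(v4) if v4 else None, translation_allowed(dst)))
    return rows


# Constructed sample destinations (not from any real capture).
SAMPLE_DESTINATIONS = [
    str(synthesize("8.8.8.8")),   # public resolver address, allowed
    "64:ff9b::a00:5",             # embeds 10.0.0.5, refused by the policy
    "2001:db8::1",                # not inside the NAT64 prefix at all
]

if __name__ == "__main__":
    for row in review(SAMPLE_DESTINATIONS):
        print(row)
```
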

4.5.1 NAT64 prefix

To enter the NAT64 prefix page, you can choose Basic> Network > Firewall > NAT64 prefix from navigation tree,
as shown in Figure4-12.

Figure4-12 NAT64 prefix

4.5.2 NAT64 address

To enter the NAT64 transfer page, you can choose Basic> Network > Firewall > NAT64 address from navigation
tree, as shown in Figure4-13.

Figure4-13 NAT64 address

4.5.3 Address pool

To enter the address pool page, you can choose Basic> Network > Firewall > Address pool from navigation tree,
as shown in Figure4-14.

Figure4-14 Address pool

4.6 NAT66

4.6.1 Source NAT

To enter the NAT66 source NAT page, you can choose Basic> Network > Firewall > NAT> Source NAT from
navigation tree, as shown in Figure4-15.

Figure4-15 Source NAT

4.6.2 Destination NAT

To enter the NAT66 destination NAT page, you can choose Basic> Network > Firewall > NAT > Destination
NAT from navigation tree, as shown in Figure4-16.

Figure4-16 Destination NAT

4.6.3 Address pool

To enter the NAT66 address pool page, you can choose Basic> Network > Firewall > NAT > Address pool from
navigation tree, as shown in Figure4-17.

Figure4-17 Address pool

4.7 DS_LITE_NAT

Because of IPv4 address exhaustion, DS_Lite was designed to let an Internet service provider omit the deployment
of any IPv4 address to the customer's customer-premises equipment (CPE). Instead, only global IPv6 addresses are
provided.

4.7.1 DS_LITE_NAT

To enter the DS_LITE_NAT page, you can choose Basic> Network > Firewall > DS_LITE_NAT from
navigation tree, as shown in Figure4-18.

Figure4-18 DS_LITE_NAT

4.7.2 Address pool

To enter the address pool page, you can choose Basic> Network > Firewall > Address pool from navigation tree,
as shown in Figure4-19.

Figure4-19 Address pool

4.8 ALG configuration

Application level gateway (ALG) mainly processes application layer packets. Usually, NAT translates only the
IP address and port number carried in the packet header; it does not translate the fields in the application layer
payload. NAT therefore cannot effectively translate the IP address and port number carried in the payload of some
special protocols, which may cause problems.
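
To make the payload problem concrete, the following added example (not code from the DPtech device) shows what an ALG has to do for one such protocol. FTP active mode is chosen here as an assumption, since the guide does not name a protocol; the class name, addresses and port range are likewise hypothetical.

```python
import re
from typing import Dict, Optional, Tuple

# FTP active mode carries the client's IP and port inside the payload:
#   PORT h1,h2,h3,h4,p1,p2   where port = p1 * 256 + p2
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port(line: bytes) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from a PORT command, or None if the line is not one."""
    m = PORT_RE.match(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def build_port(ip: str, port: int) -> bytes:
    """Build a PORT command for the given address and port."""
    return ("PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port >> 8, port & 0xFF)).encode()


class FtpAlg:
    """Minimal model of an FTP ALG sitting on a source NAT device."""

    def __init__(self, public_ip: str, first_port: int = 20000):
        self.public_ip = public_ip
        self.next_port = first_port
        # Expected data connections: (public ip, public port) -> (inner ip, inner port)
        self.expected: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def rewrite(self, src_ip: str, payload: bytes) -> Optional[bytes]:
        """Return the payload to forward, or None when the command must be dropped."""
        parsed = parse_port(payload)
        if parsed is None:
            return payload  # not a PORT command: header-only NAT is enough
        inner_ip, inner_port = parsed
        # Only open a mapping toward the host that sent the command, and never
        # toward a privileged port, so the ALG cannot be used to reach other hosts.
        if inner_ip != src_ip or inner_port < 1024:
            return None
        public_port = self.next_port
        self.next_port += 1
        self.expected[(self.public_ip, public_port)] = (inner_ip, inner_port)
        # The rewritten payload may differ in length, so a real device must also
        # adjust TCP sequence numbers and checksums; that is outside this sketch.
        return build_port(self.public_ip, public_port)


if __name__ == "__main__":
    alg = FtpAlg("203.0.113.5")  # constructed documentation address
    # Without the ALG the server would be told to connect to 192.168.1.10,
    # which it cannot reach; with it, the public mapping is advertised instead.
    print(alg.rewrite("192.168.1.10", b"PORT 192,168,1,10,19,137\r\n"))
    print(alg.rewrite("192.168.1.10", b"PORT 10,0,0,99,19,137\r\n"))
```
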

4.8.1 ALG configuration

To enter the ALG configuration page, you can choose Basic> Network > Firewall > ALG configuration from
navigation tree, as shown in Figure4-20.

Figure4-20 ALG configuration

4.8.2 User-defined log

To enter the user-defined log interface, you can choose Basic> Network > Firewall > User-defined log from
navigation tree, as shown in Figure4-21.

Figure4-21 User-defined log

4.9 Basic attack protection

4.9.1 Basic attack protection

Sometimes, normal packets are transmitted in the network together with attack packets, which interfere with hosts
receiving the normal packets. Basic attack protection blocks attack packets and sends logs to a remote host or
displays logs on the local device.

To enter the basic attack protection page, you can choose Basic> Firewall > Basic attack protection from
navigation tree, as shown in Figure4-22.

Figure4-22 Basic attack protection

Table4-6 describes the details of basic attack protection.

Table4-6 Basic attack protection

Item Description

Attack type Select an attack type of basic attack protection.

Threshold Set the threshold of the basic attack protection.

Block Select the check box of the basic attack protection entry to enable the relevant
protocol attack protection.

Send log Select the check box to view a log when an attack packet is transmitted
through the device interface.

Number of attacks Statistics of the attack count.

Clear counter Clear the attack count statistics.

Time interval (per second) Select the time interval, in seconds, for sending logs.

Terms interval Select the number of log entries after which a new log is reported.

To configure basic attack protection:

• Select the check box of the attack type.
• Select the send log check box, and then click the Ok button in the upper right corner of the webpage.

4.9.2 Basic Attack Log Query

Basic attack log query allows you to query specific logs from the database.

To enter the basic attack log query interface, you can choose Basic> Firewall > Basic attack protection > Basic
attack log query from navigation tree, as shown in Figure4-23.

Figure4-23 Basic attack log query

Table4-7 describes the details of basic attack log query.

Table4-7 Basic attack log query

Item Description

Serial number Displays serial number of the attack.

Time Displays when the attack log is created.

Attack type Displays the type of the attack.

Protocol Displays the protocol of the attack.

Source IP Displays the source IP of the attack.

Destination IP Displays the attack packet destination IP address.

Source port Displays the interface of the attack.

Action Displays the action for the attack.

To query the basic attack log:

• Enter the parameters you want to query.
• Click the Search button to view the related search results.
• Click the Export button to export the log file to a remote system.
• Click the Delete button to delete the logs that you queried.

4.10 Network action manage

To enter the network action manage, you can choose Basic> Firewall > Basic attack protection > Network action
manage from navigation tree, as shown in Figure4-24.

Figure4-24 Network action manage

4.11 Session limit

Session entries occupy a certain amount of internal memory. If there are too many session entries on the device,
they occupy a large amount of internal memory and affect the performance of other services.

You can configure a session limit to limit the number of newly created sessions on the device. When the session
number reaches the device’s maximum session number, new sessions cannot be created; new sessions can be created
only when the session number is smaller than the maximum session number that the device allows.

To enter the session limit page, you can choose Basic> Firewall > Sessions Limit from navigation tree, as shown in
Figure4-25.

Figure4-25 Sessions Limit

4.12 Service limit

To enter the service limit page, you can choose Basic> Firewall > Service Limit from navigation tree, as shown in
Figure4-26.

Figure4-26 Service Limit

4.13 Blacklist

4.13.1 IPv4 black list configuration

Blacklist is an attack prevention mechanism that filters packets based on source IP address. The blacklist feature is
easy to configure and quickly filters packets sourced from particular IP addresses.

To enter the IPv4 blacklist configuration page, you can choose Basic> Firewall > Blacklist from navigation tree, as
shown in Figure4-27.

Figure4-27 IPv4 blacklist configuration

Table4-8 describes the details of blacklist configuration.

Table4-8 Blacklist configuration

Item Description

Option Click the Enable IPv4 black list check box to enable this function.

IP address/mask Specifies an IP address to be blacklisted.

Remaining life time Displays the last configuration record that you can view the valid time and life
cycle.

Status Allows you to select the status for the IPv4 blacklist configuration.

Last configuration record


Click copy icon and delete icon to do the operation.

To configure the black list, take the following steps:

• Enter the source IP address to be blacklisted.
• Enter the remaining time of the blacklist entry.
• Click the Confirm the selected configuration button in the upper right corner of the webpage.
• If you want to delete a configuration, click the Delete the selected configuration button.

4.13.2 IPv6 black list configuration

To enter the IPv6 black list configuration page, you can choose Basic> Firewall > Blacklist query from navigation
tree, as shown in Figure4-28.

Figure4-28 Blacklist query

4.13.3 Black list query

To enter the black list query page, you can choose Basic> Firewall > Black list query from navigation tree, as
shown in Figure4-29.

Figure4-29 Black list query

Table4-9 describes the details of blacklist query.

Table4-9 Blacklist query

Item Description

IP address/mask Displays the blacklisted IP address.

Valid time Displays the valid time

Remaining time Displays the remaining time and the time when you create the black list.

Cause Displays the reason why a blacklisted IP address was added.

4.13.4 Blacklist log query

To enter the blacklist log query page, you can choose Basic> Firewall > Blacklist Log Query from navigation tree,
as shown in Figure4-30.

Figure4-30 Blacklist log query

Table4-10 describes the details of blacklist log query.

Table4-10 Blacklist log query

Item Description

Serial number Displays the serial number of a blacklist log query.

Time Displays the time when the attack begins.

IP address Displays the blacklisted IP address.

Lifecycle Displays the lifecycle in blacklist log query.

Add reasons Displays how the IP address was added, including Manual and Dynamic.

To query the blacklist log, take the following steps:

• Configure each item to be queried.
• Click the Search button to view the search results.
• Click the Export to CSV button to export the log file.
• Click the Delete button to delete the logs you have searched.

4.14 MAC/IP Binding

4.14.1 Auto Learning

Auto learning means that the firewall receives the ARP packets sent by each host, so that the firewall can obtain
the IP address and MAC address of each host.

To enter the auto learning page, you can choose Basic> Firewall > MAC/IP binding >Auto learning from
navigation tree, as shown in Figure4-31.

Figure4-31 Auto-learning

Table4-11 describes the details of auto learning.

Table4-11 Auto learning

Item Description

Option Allows you to select one item or several items to add into the MAC/IP binding list.

IP address Displays the auto learned IP address

MAC address Displays the auto learned MAC address.

Binding status Displays MAC/IP binding status, including not bind and already bind.

For auto-learning in Layer 2 network mode, take the following steps:

• Select the Layer 2 mode network radio button, and then click the Auto-learn button.
• Click the Check current learned result button to view the MAC/IP learning result.
• Click the Add to MAC/IP binding learning button to add the MAC/IP address to the MAC/IP binding list.

For auto-learning in Layer 3 network mode, take the following steps:

• Select the Layer 3 mode network radio button, configure the switch IP address and SNMP community string, and
then click the Auto-learn button.
• Click the Check current learned result button to view the MAC/IP learning result.
• Click the Add to MAC/IP binding learning button to add the MAC/IP address to the MAC/IP binding list.

4.14.2 MAC/IP Binding

The user configures the IP address-to-MAC address binding relationship on the firewall. The firewall then checks
the IP address and MAC address in a packet, compares them with the addresses registered on the firewall, and
forwards the packet only if both match. MAC/IP binding can prevent IP address forgery attacks.
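
The check described above can be modelled as follows. This is an added example, not the firewall's own logic: the class and function names are hypothetical, the sample address pairs are constructed, and the handling of address pairs that appear in no binding (forwarded unless the "only appointed address pass" option is enabled) is an assumption.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

_MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_mac(mac: str) -> str:
    """Lower-case a MAC address and accept '-' or ':' as separator."""
    canonical = mac.strip().lower().replace("-", ":")
    if not _MAC_RE.match(canonical):
        raise ValueError("not a MAC address: %r" % mac)
    return canonical


class BindingTable:
    """MAC/IP binding list with the 'only appointed address pass' switch."""

    def __init__(self, only_appointed_pass: bool):
        self.only_appointed_pass = only_appointed_pass
        self._mac_by_ip: Dict[str, str] = {}
        self._ip_by_mac: Dict[str, str] = {}

    def bind(self, ip: str, mac: str) -> None:
        ip = str(ipaddress.ip_address(ip))
        mac = normalize_mac(mac)
        self._mac_by_ip[ip] = mac
        self._ip_by_mac[mac] = ip

    def check(self, ip: str, mac: str) -> Tuple[str, str]:
        """Return (action, reason) for a packet's source IP and source MAC."""
        ip = str(ipaddress.ip_address(ip))
        mac = normalize_mac(mac)
        bound_mac = self._mac_by_ip.get(ip)
        if bound_mac is not None:
            if bound_mac == mac:
                return "forward", "IP and MAC match the binding"
            # A registered IP used from another MAC is the forgery case.
            return "drop", "IP %s is bound to %s, seen from %s" % (ip, bound_mac, mac)
        bound_ip = self._ip_by_mac.get(mac)
        if bound_ip is not None:
            return "drop", "MAC %s is bound to %s, seen using %s" % (mac, bound_ip, ip)
        if self.only_appointed_pass:
            return "drop", "address pair is not in the binding list"
        return "forward", "no binding applies to this address pair"


def audit(table: BindingTable, observed: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (ip, mac, reason) for every observed pair that would be dropped."""
    dropped = []
    for ip, mac in observed:
        action, reason = table.check(ip, mac)
        if action == "drop":
            dropped.append((ip, mac, reason))
    return dropped


# Constructed sample of (source IP, source MAC) pairs seen on one interface.
OBSERVED = [
    ("192.168.1.10", "00:11:22:33:44:55"),   # matches the binding
    ("192.168.1.10", "DE-AD-BE-EF-00-01"),   # bound IP, wrong MAC
    ("192.168.1.50", "00:11:22:33:44:55"),   # bound MAC, different IP
    ("192.168.1.77", "aa:bb:cc:dd:ee:ff"),   # not in the list at all
]

if __name__ == "__main__":
    table = BindingTable(only_appointed_pass=True)
    table.bind("192.168.1.10", "00:11:22:33:44:55")
    for entry in audit(table, OBSERVED):
        print(entry)
```
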

To enter the MAC/IP binding page, you can choose Basic> Firewall > MAC/IP address from navigation tree, as
shown in Figure4-32.

Figure4-32 MAC/IP Binding

Table4-12 describes the details of MAC/IP binding

Table4-12 MAC/IP binding

Item Description

Enable MAC/IP binding Enable MAC/IP binding function.

Enabled interface Select an interface to be enabled MAC/IP binding.

MAC/IP binding (only appointed address pass) Select the MAC/IP binding (only appointed address pass) checkbox so
that only appointed addresses can pass through the device.

IP address Configure the IP address of the MAC/IP binding list.

MAC address Configure the MAC address of the MAC/IP binding list.

Operation Click the copy icon or delete icon to perform the operation.

To create a MAC/IP binding rule, take the following steps:

• Enter the binding IP address and MAC address.
• Click the Ok button in the upper right corner of the webpage.
• Export a MAC/IP binding form, then click the Search button, select a CSV form file from the local system, and
click the import CSV file button.

Table4-13 describes the details of switches table.


Table4-13 Switches table

Item Description

Switches IP address Specify the switches IP address.

SNMP read community Specify the community string of the switches.

Operation Click the copy icon or delete icon to perform the operation.

4.14.3 User/IP binding

User/IP binding should be used with the web authentication function. With the username and IP address binding
function configured, an interface checks whether the username and IP address in a packet are identical to the
binding. If so, it forwards the packet; otherwise, it discards the packet.

To enter the User/ IP binding page, you can choose Basic> Firewall > MAC/IP binding > User/IP binding from
navigation tree, as shown in Figure4-33.

Figure4-33 User/IP binding

Table4-14 describes the details User/IP binding.

Table4-14 User /IP binding

Item Description

Binding mode Manual configuration: add username and IP address through manual configuration.
Automatic learning: learn username and IP address from the switch.

No. Displays the sequence number of the user/IP binding list.

Username Enter manually: configure IP address manually
Existent authenticated user: select a user from the existent authentication user list.

IP address Configure the IP address of the user/IP binding list.

Operation Click the copy icon or delete icon to perform the operation.

To add a username and IP address through manual configuration, take the following steps:

• Click manual configuration.
• Enter the user name and IP address.
• Click the Ok button in the upper right corner of the webpage.
• If you want to import usernames and IP addresses in batch, click the Browse button, select the user/IP binding
file from your local system, and click the import button.
• If you want to export usernames and IP addresses to a CSV file, click the export button, select a file path
to store your user/IP binding file, and then click the Save button.

4.14.4 User/MAC binding

User/MAC binding should be used with the web authentication function. With the username and IP address binding
function configured, an interface checks whether the username and IP address in a packet are identical to the
binding. If so, it forwards the packet; otherwise, it discards the packet.

To enter the User/ MAC binding page, you can choose Basic> Firewall > User/MAC binding from navigation tree,
as shown in Figure4-34.

Figure4-34 User/MAC binding

Table4-15 describes the details of User/MAC binding.

Table4-15 User/Mac binding

Item Description

Binding mode Manual configuration: add username and IP address through manual configuration.
Automatic learning: learn username and IP address from the switch.

No. Displays the sequence number of the user/IP binding list.

Username Configure the username of the user/IP binding list.

IP address Configure the IP address of the user/IP binding list.

Operation Click the copy icon or delete icon to perform the operation.

To add a user name and MAC address by manual configuration, take the following steps:

• Click manual configuration.
• Enter the user name and IP address.
• Click the Ok button in the upper right corner of the webpage.
• If you want to import usernames and IP addresses in batch, click the Browse button, select the user/IP binding
file from your local system, and click the import button.
• If you want to export usernames and IP addresses to a CSV file, click the export button, select a file path
to store your user/IP binding file, and then click the Save button.

To add a user name and MAC address automatically, take the following step:

• Select the Automatic learning, can also be manually configured radio button to enable this function.

4.14.5 Binding log query

Binding log query displays the IP address and MAC address


To enter the binding log query interface, you can choose Basic> Firewall > MAC/IP binding > MAC/IP binding
log query, as shown in Figure4-35.

Figure4-35 binding log query

Table4-16 describes the details of binding log query.

Table4-16 binding log query

Item Description

Serial number Displays the serial number of the queried logs.

Time Displays the time that the device detects the unmatched IP address and MAC
address.

IP address Displays the IP address of the unmatched

MAC address Displays the MAC address that does not match the MAC/IP binding list.

Detailed information Displays the detailed information about MAC/IP binding log.

To query the MAC/IP binding log, take the following steps:

• Select the time scope that you want to query.
• Click the Query button to view the results.
• Click the Export to CSV button; you can select whether to save or delete the MAC/IP binding log. If you click the
save button, choose a file path to save to.
• Click the Delete button to delete all searched MAC addresses and IP addresses.

4.15 Session management

Session management is mainly used for inspecting transport layer data packets. In essence, it traces the
connection status of general TCP and UDP traffic through layer protocol detection, and maintains and
manages connection status uniformly.

4.15.1 Session list

To enter the session list page, you can choose Basic> Firewall > Session Management > Session List from
navigation tree, as shown in Figure4-36.

Figure4-36 Session management

Table4-17 describes the details of binding log query.

Table4-17 Binding log query

Item Description

No. Displays the sequence number of the session list.

Protocol type Transport layer protocol type, including TCP, UDP, ICMP, ICMPv6, GRE, AH,
ESP, and Unknown protocol.

Session status Displays session status, including new, close-wait, established, time-wait, etc.

Create time Displays when the session is created.

TTL Displays the session time to live.

Initiator Source Address: Port->Destination Address: Port Displays the source port and destination port of the session initiator.

Initiator Packets/Bytes Displays the total packet numbers sent by the session initiator.

Responder Source Address: Port->Destination Address: Port Displays the source port and destination port of the session responder.

Responder Packets/Bytes Displays the total packet numbers received by session initiator.

Operation Click the delete icon to delete this session record entry.

4.15.2 Session zone

To enter the session zone page, you can choose Basic> Firewall > Session Management > Session zone from
navigation tree, as shown in Figure4-37.

Figure4-37 Session zone

4.15.3 Session forwarding

After you enable this function, response packets are forwarded through the original interface. The original
interface is the interface through which the request packets came into the device.

To enter the session forwarding page, you can choose Basic> Firewall > Session Management > Session
forwarding from navigation tree, as shown in Figure4-38.

Figure4-38 Session forwarding

4.15.4 Session parameter

To enter the session parameter page, you can choose Basic> Firewall > Session Management > Session
parameter from navigation tree, as shown in Figure4-39.

Figure4-39 Session parameter

4.15.5 Session monitoring

Session monitoring allows you to select one kind of session or multiple kinds of sessions to display. Session
monitoring is displayed as a trend chart.

To enter the session monitoring page, you can choose Basic> Firewall > Session Management > Session
Monitoring from navigation tree, as shown in Figure4-40.

Figure4-40 Session monitoring

4.15.6 Session log configuration

To enter the session log configuration page, you can choose Basic> Firewall > Session Management > Session
Log Configuration from navigation tree, as shown in Figure4-41.

Figure4-41 Session log configuration

Table4-18 describes the details of session log configuration

Table4-18 Session log configuration

Item Description

Log type Allows you to select the log type, including NAT log and session log.

Log format Allows you to select the log format, including stream format and syslog format.
• Stream format log: binary format log received by the UMC server.
• Syslog format log: plain text log received by the log server.

Content format type Allows you to select the content format type of stream format and syslog format logs.
• Normal: sends logs in normal format.
• Third party: sends logs in third party log format.

Log option If you select the stream format option, you can configure the inbound interface of
packet option and select the PROCID option.
• Inbound interface of packet: if you enable this option, the interface
information field is added to the data packet.
• PROCID: if you enable this option, the PROCID field is added to the data
packet.
If you select the syslog format option, you can select the syslog1, syslog2, syslog3, or
syslog4 format log.
• Guangdong Unicom format: syslog data packets are transmitted in Guangdong
Unicom format.
• Yunnan Telecom format: syslog data packets are transmitted in Yunnan Telecom
format.
• China Telecom format: syslog data packets are transmitted in China Telecom
format.
• ZTE format: syslog data packets are transmitted in ZTE format.

Method for sending log Allows you to select the log sending method, including share mode and send all.
• Share mode: the device sends logs to the log servers according to the load sharing
method. You can configure at most 16 servers to receive logs, and you can
configure a load sharing weight for the 16 servers.
• Send all: the device sends all logs to the log server.

Log Src IP The source IP address of the log sending device.

Log Src Port The source port of the log sending device.

Log server list Allows you to configure the IP address and weight for each log server.

Log server port Allows you to configure the log server port. The port number is 9505.

4.16 QoS

QoS is a network mechanism used to resolve the problems of network delay and network
congestion. If the network is limited to specific applications without time constraints, such as web applications
or e-mail, QoS is not required. However, it is very important for multilayer applications. When network overload
or network congestion happens, QoS keeps the network working efficiently and ensures that important
services are not delayed or discarded.

4.16.1 Basic setting

To enter the basic setting page, you can choose Basic> Firewall > QOS> Basic setting from navigation tree, as
shown in Figure4-42.

Figure4-42 Basic setting

Table4-19 describes the details of basic setting.

Table4-19 Basic setting

Item Description

Name Allows you to configure a name for the basic settings.

Device interface Allows you to select an interface for bandwidth reservation.

Uplink bandwidth Allows you to configure the uplink bandwidth.

Downlink bandwidth Allows you to configure the downlink bandwidth.

Unit Transmission rate unit, including K, M, G.
• K represents Kilo-Bytes per second
• M represents Million-Bytes per second
• G represents Gigabit-Bytes per second

User group bandwidth reservation Bandwidth reservation for user group.

Single user bandwidth reservation Bandwidth reservation for single user.

Operation Click the copy icon or delete icon to perform the operation.

4.16.2 User group bandwidth reservation

User group bandwidth reservation allocates service streams according to their importance and delay
sensitivity, and thus makes the most of the available bandwidth. If network congestion happens, low priority
services are discarded.

Bandwidth reservation: in order to provide users with satisfactory QoS, you must reserve the bandwidth resource to
ensure that the resource will not be used.

To enter the VIP bandwidth guarantee interface, you can choose Basic> Firewall > QOS> Traffic classification,
as shown in Figure4-43.

Figure4-43 Traffic classification

To configure user group bandwidth reservation:

• Enter a name for this user group bandwidth reservation entry.
• Select the interface group.
• Select the user group.
• Configure the guarantee rate.
• Click the Ok button in the upper right corner of the webpage.

Configuration for guarantee rate:

• Select one application group or several network application groups.
• Configure the uplink guarantee rate.
• Configure the maximum uplink rate.
• Configure the downlink guarantee rate.
• Configure the maximum downlink rate.
• Select the transmission rate unit.
• Click the Ok button in the upper right corner.

4.16.3 Single user bandwidth reservation

To enter the single user bandwidth reservation page, you can choose Basic> Firewall > QOS> Single user
bandwidth reservation, as shown in Figure4-44.

Figure4-44 Single user bandwidth reservation

To configure single user bandwidth reservation:

• Enter a name for this single user bandwidth reservation entry.
• Select the interface group.
• Select the user group.
• Configure the guarantee rate.
• Click the Ok button in the upper right corner of the webpage.

Configuration for guarantee rate:

• Select one application group or several network application groups.
• Configure the uplink guarantee rate.
• Configure the maximum uplink rate.
• Configure the downlink guarantee rate.
• Configure the maximum downlink rate.
• Select the transmission rate unit.
• Click the Ok button in the upper right corner.

4.17 Advanced QoS

Advanced QoS consists of the traffic marking, congestion management, congestion avoidance, and traffic shaping
functions. It executes the Weighted Round Robin (WRR) and Deficit Round Robin (DRR) scheduling methods for IP
packets and implements Weighted Random Early Detection (WRED), traffic policy and traffic shaping for IP packets.

4.17.1 Traffic classification

Traffic classification is used for applying QoS actions to data packets.

Priority mapping table: the device provides multiple priority mapping tables, each of which represents a different
priority mapping relationship. Under normal conditions, the device looks up the default priority mapping table for
data packets. If the default priority mapping table does not satisfy users, they can modify the mapping table
according to their requirements.

To enter the traffic classification page, you can choose Basic> Firewall > QOS> Traffic classification, as shown
in Figure4-45.

Figure4-45 Traffic classification

Table4-20 describes the details of traffic classification.

Table4-20 Traffic classification

Item Description

COS CoS is a 3-bit field in a packet header. It specifies a priority value between 0 and 7, more
commonly known as CS0 through CS7, which is used by quality of service (QoS).

EXP EXP is a 3-bit field in the MPLS packet header. It specifies a priority value between 0 and 7. By
default, the EXP priority and the IPv4 priority can match each other.

DSCP DiffServ uses a 6-bit differentiated services code point (DSCP) in the 8-bit differentiated services
field (DS field) in the IP header for packet classification purposes. The DS field and ECN field
replace the outdated IPv4 TOS field. It specifies a priority value between 0 and 63. When QoS is
executed, the router inspects the data packet priority.

IPsec VPN Click IPsec VPN checkbox to enable IPsec VPN QoS function.

SSL VPN Click SSL VPN checkbox to enable SSL VPN QoS function.

Customize session parameter Classifies data packets by IP packet quintuple. The IP packet quintuple includes protocol, source IP
address, destination IP address, source port, and destination port.

4.17.2 Congestion avoidance

When network congestion increases, congestion avoidance actively drops packets and adjusts network traffic to
eliminate the network overload problem.

To enter the congestion avoidance page, you can choose Basic> Firewall > QoS> Congestion avoidance, as
shown in Figure4-46.

Figure4-46 Congestion avoidance

Table4-21 describes the details of traffic classification.

Table4-21 Traffic classification

Item Description

Name Enter a name for congestion avoidance policy.

Packet drop policy Select a kind of packet drop algorithm.
In order to avoid the TCP global synchronization phenomenon, Random Early Detection (RED) or
Weighted Random Early Detection (WRED) can be used.
• Weighted Random Early Detection (WRED): a queuing method that ensures that
high-precedence traffic has lower loss rates than other traffic during times of congestion.
• Random Early Detection (RED): also known as random early discard or random early drop,
a queuing discipline for a network scheduler suited for congestion avoidance.

Enabling connection

Maximum packet drop rate

Operation

4.17.3 Congestion management

We generally adopt queuing technology for congestion management. If a queue algorithm is used for traffic
classification, a priority algorithm is then used to send out the traffic. Each queue algorithm is used to
resolve specific network traffic problems, and influences bandwidth resource allocation, time delay, and jitter.
Congestion management processing includes queue creation, packet classification, sending different
packets to different queues, and queue scheduling.

To enter the congestion management page, you can choose Basic> Firewall > QoS> Congestion management, as
shown in Figure4-47.

Figure4-47 Congestion management

Table4-22 describes the details of congestion management.

Table4-22 Congestion management

Item Description

Name Displays the congestion management policy name.

Outbound interface Displays the congestion management outbound interface.

Congestion avoidance Readjust congestion avoidance.

Total bandwidth settings Configure the total bandwidth settings.

Franchise’s PRI Configure the congestion management franchise priority.

Low PRI protected Select whether to enable low priority protected.

Priority setting Configure the congestion management priority settings.

Operation
Click the copy icon, and then you can copy a rule of congestion management.

Click the delete icon, and then you can delete a rule of congestion management.


4.17.4 Traffic shaping

Traffic shaping is a measure that actively adjusts the traffic output rate.


To enter the traffic shaping page, you can choose Basic > Firewall > QoS > Traffic shaping, as shown in
Figure4-48.

Figure4-48 Traffic shaping

4.18 Anti-ARP-Spoofing

4.18.1 Anti-ARP-Spoofing

To enter the Anti-ARP-Spoofing interface, you can choose Basic > Firewall > Anti-ARP-Spoofing, as shown in
Figure4-49.

Figure4-49 Anti-ARP-Spoofing

Table4-23 describes the details of Anti-ARP-Spoofing.


Table4-23 Anti-ARP-Spoofing

Item Description

Option Select an anti-arp-spoofing entry and then click the option.

IP address Displays the IP address scanned by anti-arp-spoofing.

MAC address Displays the MAC address scanned by anti-arp-spoofing.

VLAN ID Displays the VLAN ID scanned by anti-arp-spoofing.

Interface Displays the interface scanned by anti-arp-spoofing.

Type Displays the obtaining method of anti-arp-spoofing.

4.18.2 ARP Configuration

The Address Resolution Protocol (ARP) is used to resolve an IP address into a physical address (Ethernet MAC
address, for example). In an Ethernet LAN, when a device sends data to another device, it uses ARP to translate the
IP address of that device to the corresponding MAC address.

To enter the ARP configuration page, you can choose Basic > Firewall > ARP configuration, as shown in
Figure4-50.

Figure4-50 ARP configuration

Table4-24 describes the details of ARP configuration.

Table4-24 ARP configuration

Item Description

Interface name Displays the names of all interfaces of the device.


Enable state Enable/disable ARP configuration interface.

Chapter 5 Log Management

5.1 Introduction to the Log Management

Log management provides log management function for users, including:

 System log
 Operation log
 Business log

To access the log management interface, you can click Basic > Log management, as shown in Figure5-1.


Figure5-1 Log management menu

5.2 System Log

5.2.1 Latest Log

Recent log provides the latest system log for users.


To enter the latest log interface, click Basic > Log management > System log > Recent log. This page shows at
most 25 log entries, as shown in Figure5-2.

Figure5-2 Latest log

To export the system log to the local system, click the Export button. In the pop-up window, choose whether to
view the system log as a CSV file or save it to the local system.

Table5-1 describes the details of latest log. You can click the grey items of each column to sort and display the
records based on the item you selected.

Table5-1 Latest log

Item Description

Serial number Shows the sequence of the latest system log

Time stamp Shows system log created time

Module Shows the module to which the system log belongs

Severity level Shows the severity of the latest system log, which includes:
 Fatal error: the system cannot be used
 Emergency: users must take emergency measures
 Critical: the system is in a dangerous state
 Common error: gives you a hint
 Warning: shows warning information
 Status information: shows important information under normal conditions
 Information: shows system information
 Unknown: shows unknown information

Log content Shows the specific system log.

Note:
Auto-refresh can be set to 10, 30 or 60 seconds: click the auto-refresh button and set the specific time. The page
can also be refreshed manually by clicking the refresh button.
Shading color is used to warn the user and represents the severity of the system log:
 Red stands for fatal error, emergency and critical
 Orange stands for common error and warning
 White stands for status, information and unknown information

5.2.2 System Log Query

System log query provides users with system log querying function.
To access the system log query interface, you can click Basic > Log management > System log > System log
query. System log query allows you to query the logs according to different condition, as shown in Figure5-3.

Figure5-3 System log query

Click the Export button and, in the pop-up window, select whether to open or save the system log file.
Click the Query button to view the logs.
Use the Jump to or Per page drop-down list to view the logs as desired.

Note:
You can select a customized time scope and click the Query button to view all system logs that match the query.

Table5-2 describes the details of system log querying condition.

Table5-2 System log querying condition

Item Description

Severity Search system logs by severity

Time scope Search system logs by time scope

Start time Search system logs by their start time

End time Search system logs by their end time

5.2.3 System Log File Operation

System log file operation lets users save or delete the system log file for today or for a desired day.
To enter the system log file operation interface, you can click Basic > Log management > System log > Log file
operation, as shown in Figure5-4.

Figure5-4 System log file operation

Note:
Click the Save icon to save the system log file on your local system.
Click the delete icon to delete the system log file.

Table5-3 describes the details of system log file operation. System log file can be saved or deleted as you desired.


Table5-3 System log file operation

Item Description

Serial number Shows the sequence of system log

Log file name Shows the time when the system log was created; today is the current time.

Operation Shows back up icon and delete icon.

5.2.4 System Log Configuration

System log configuration provides users with system log save and export configuration.
To enter system log configuration, you can click Basic > Log management > System log configuration, as shown
in Figure5-5.

Figure5-5 System log configuration

Table5-4 describes the details of system log configuration. You can save log file on your device or export the log file
to your local system.

Table5-4 System log configuration

Item Description

Export to remote log server Set the remote server parameters, including:
 Remote syslog server IP address
 Service port
 Time stamp

Days for saving The system will delete expired system logs according to your selection, which includes one week,
two weeks, three weeks, 30 days or customize. You can set a specific number of days for saving the system log.


5.3 Operation Log

5.3.1 Latest Log

The latest log interface shows the latest operation logs.


To enter the latest log interface, you can click Basic > Log management > Operation log > Latest log, which
shows the latest 25 operation logs, as shown in Figure5-6.

Figure5-6 Latest log

Click the Export button at the bottom. In the system prompt window, choose whether to view the log in CSV
format or export the CSV log file to the local system.

Table5-5 describes the details of the latest log and you can sort the log table by clicking their headline.

Table5-5 Latest log

Item Description

Serial number Shows the sequence in which the operation logs were generated

Time stamp Shows when the operation log was generated.


Client type Shows the client type of the operation log, including:
 Web: the administrator manages the device through the web.
 Console: the administrator manages the device through the console port.
 Telnet: the administrator manages the device through the telnet server.
 SSH: the administrator manages the device through the SSH service.

Administrator Shows the administrator who did the operation

Address Shows the IP address of the operation log

Operation result Shows the result of the operation log, including success and fail:
 success means your operation succeeded
 fail means your operation failed

Log content Shows the content of operation log

Note:
If you click the auto-refresh button, the system refreshes the page every 10, 30 or 60 seconds according to your
selection. Click the refresh button to refresh the operation log interface manually.
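The fields in Table5-5 are enough to triage an exported operation log for bursts of failed operations from one address and for administration over Telnet, which is unencrypted. The following is an added example, not part of the product; the CSV header names, timestamp format, threshold, window and sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. Column names follow Table5-5; the header and
# timestamp format of a real export from the device are assumptions.
SAMPLE_CSV = """\
Serial number,Time stamp,Client type,Administrator,Address,Operation result,Log content
1,2011-06-01 09:00:01,Web,admin,192.0.2.10,success,Login
2,2011-06-01 09:05:10,Telnet,admin,198.51.100.7,fail,Login
3,2011-06-01 09:05:40,Telnet,admin,198.51.100.7,fail,Login
4,2011-06-01 09:06:15,Telnet,root,198.51.100.7,fail,Login
5,2011-06-01 09:30:00,SSH,audit,192.0.2.11,fail,Login
6,2011-06-01 11:45:00,SSH,audit,192.0.2.11,fail,Login
7,2011-06-01 11:50:00,Web,admin,192.0.2.10,success,Login
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp format


def load_rows(text):
    """Parse the CSV text and attach a datetime under the key 'when'."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec = {key.strip(): (value or "").strip() for key, value in rec.items()}
        rec["when"] = datetime.strptime(rec["Time stamp"], TIME_FORMAT)
        rows.append(rec)
    return rows


def failure_bursts(rows, threshold=3, window=timedelta(minutes=5)):
    """Addresses with at least `threshold` failed operations inside `window`."""
    by_addr = defaultdict(list)
    for rec in rows:
        if rec["Operation result"].lower() == "fail":
            by_addr[rec["Address"]].append(rec["when"])
    flagged = []
    for addr, times in by_addr.items():
        times.sort()
        # Slide over consecutive groups of `threshold` failures.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(addr)
                break
    return sorted(flagged)


def telnet_sessions(rows):
    """(administrator, address) pairs seen with client type Telnet."""
    return sorted({(rec["Administrator"], rec["Address"])
                   for rec in rows if rec["Client type"].lower() == "telnet"})


if __name__ == "__main__":
    sample = load_rows(SAMPLE_CSV)
    print("failure bursts :", failure_bursts(sample))
    print("telnet sessions:", telnet_sessions(sample))
```
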

5.3.2 Operation Log Query

Operation log query provides operation log searching function.


To enter operation log query interface, you can click Basic > Log management > Operation log > Log query, as
shown in Figure5-7. Operation log query allows you to query logs according to different searching functions.

Figure5-7 Operation log query


Click the export button. In the pop-up window, choose whether to open the file to view the log content or save
the operation log to the local system.
Click the search button to view all operation logs.
Use the page and pieces drop-down lists to view the operation logs according to your selection.

Note:
If you select customize as the time scope and click the search button, the system will show you the whole content
of the operation log.

Table5-6 describes the details of operation log query which provides you operation log query function.

Table5-6 Operation log query

Item Description

Administrator Shows the administrator who performed the operation

IP address Shows the IP address of the operation log

Time scope Select operation logs by time scope

Start time Display or set the start time of the operation log

End time Display or set the end time of the operation log

5.3.3 Log File Operation

Log file operation provides the operation log back up and delete functions. You can back up or delete the operation
log for today or for a desired day.
To enter the interface, you can click Basic > Log management > Operation log > Log file operation, as shown in
Figure5-8.

Figure5-8 Log file operation

Click the back up button of the operation log file to export the log file to the local system.

Click the delete button of the operation log file to delete the log file.

Operation log file operation lets you back up or delete the operation log file for today or for a desired day.

Table5-7 Back up or delete operation file

Item Description

Serial number Shows the sequence of operation log

Log file name Shows when the operation log file was generated; today is the current time

Operation Shows the back up and delete button

5.3.4 Operation Log Configuration

Operation log configuration lets users configure the operation log. You can save or export the operation log
according to your configuration.
To enter the operation log configuration interface, you can click Basic > Log management > Operation log > Log file
operation, as shown in Figure5-9.

Figure5-9 Operation log configuration

Table5-8 describes the details of operation log configuration. You can save or export the operation log to the local
system.

Table5-8 Operation log configuration

Item Description

Export to remote server Set the export to remote server configuration, including:
 Remote syslog server IP address
 Service port
 Time stamp format

Days for saving The system will delete expired operation logs according to your selection, which includes one week,
two weeks, three weeks, 30 days or customize. You can set a specific number of days for saving the system
log.


5.4 Service Log

5.4.1 Service Log Configuration

Service log configuration provides service log related configuration.


To enter service log interface, you can click Basic > Log management > Service log, as shown in Figure5-10.

Figure5-10 Service log configuration

Table5-9 describes the details of operation log configuration. You can save or export the operation log to the local
system.

Table5-9 Service log configuration

Item Description

Days for saving The system will delete expired service logs according to your selection, which includes one week, two
weeks, three weeks, 30 days or customize. You can set a specific number of days for saving the system log.

Output to a remote syslog server Configuring the output to a remote syslog server function, including
 Remote syslog server IP address
 Service port

Mail server IP address Set the IP address of mail server

Source mail address Set the source mail address

Destination mail address Set the destination mail address

User name Set the user name for mail server

Password Set the password for mail server


The number of emails sent out every minute Configure the e-mail sending frequency

Domain name Set domain name of email user.


Chapter 6 Load Balancing

6.1 Link Load Balancing

6.1.1 Introduction to Link Load Balancing

In the information age, people rely more and more on the network. To avoid the network availability risk of an
ISP exit fault and to solve the network access problem caused by limited bandwidth resources, an enterprise will
lease two or more ISP links (such as China Telecom and China Netcom). How can the multiple ISP links be used
reasonably, so that network resources are not wasted and the enterprise is better served? Traditional routing
strategy can solve the problem to some extent, but its configuration is inconvenient and inflexible: it cannot adapt
dynamically to changes in network structure and cannot distribute packets according to bandwidth, so the
high-throughput link cannot be used to full advantage. Through a dynamic algorithm that is simple and
self-adaptive, link load balancing technology is capable of balancing the network flow across multiple links.

6.1.2 Link Load Balancing

6.1.2.1 Interface config

To enter the interface config interface, you can choose Service > Load balancing > Link config, as shown in
Figure6-1.

6-192
DPtech FW1000 Series Firewall Products User Configuration Guide

Figure6-1 Interface config

6.1.2.2 Interface config

Click Add configuration button, you can view the basic configuration of the ISP, as shown in Figure6-2.

Figure6-2 Interface config

6.1.3 Link health check

To enter the interface config interface, you can choose Service > Load balancing > Link config, as shown in
Figure6-3.


6.1.4 ISP

To enter the ISP interface, you can click Service > Load balancing > ISP, as shown in Figure6-3.


Figure6-3 ISP configuration

Chapter 7 Access Control

7.1 Rate Limitation

7.1.1 Introduction to the Rate Limitation

Network traffic can be divided into several service types according to network protocol, such as HTTP
service, FTP service and E-mail service. Applying a different rate limitation to each service type is called
bandwidth rate limitation.

To access the access control menu, you can choose Service > Access control, as shown in Figure7-1.

Figure7-1 Access control menu

7.1.2 Rate Limit

7.1.2.1 Rate limit

To enter the rate limit interface, you can choose Service > Access control > Rate limit > Rate limit, as shown in
Figure7-2.

Figure7-2 Rate limit

Table7-1 describes the configuration items of the rate limit.

Table7-1 Rate limit configuration items

Item Description

Name Configure a name for the user group limitation.

Limit parameter Configure the user group limitation parameter.

Time Select a time scope. User group limitation takes effect as your selection.

Disable Click the option that user group limitation will be disabled.

Operation Click the copy, delete or insert icon to perform the operation.

To create the user group limit, you can take the following steps:
 Configure a name for the user group limit.
 And then select a status for the rule of rate limitation.
 Select a service and then configure upstream and downstream parameter for the service.
 Click Ok button in the upper right corner on the webpage.


7.1.2.2 User group parameter

You can configure the user group parameter, including net user group, uplink and downlink rate speed, unit(bps).

Figure7-3 User group parameter

Table7-2 describes the configuration items of user group parameter

Table7-2 User group parameter

Item Description

NetUserGroup Configure a name for the user group parameter.

Up Configure the rate speed for the uplink.

Unit(bps) Select a unit for the uplink rate limit.

Down Configure the rate speed for the downlink.

Units(bps) Select a unit for the downlink rate limit.

Operation Click copy or delete to do the operations.

7.1.3 Single user limit

To enter the single user limit interface, you can choose Service > Access control > Rate limitation > Single user
limit, as shown in Figure7-4.


Figure7-4 Single user limit

Table7-3 describes the configuration items of single user limit.

Table7-3 Single user limit

Item Description

Name Configure a name for the single user limit.

Limit parameter Select a status for the rule of rate limitation.

Time Select a service and then configure upstream and downstream parameter for the
service.

Disable Click the option that user group limitation will be disabled.

Operation Click the copy, delete or insert icon to perform the operation.

To create the rule of the rate limitation, you can take the following steps:
 Configure a name for the rule of rate limitation.
 And then select a status for the rule of rate limitation.
 Select a service and then configure upstream and downstream parameter for the service.
 Click Ok button in the upper right corner on the webpage.

Figure7-5 Rate limitation


Table7-4 describes the configuration items of the single user rate limit parameter.

Table7-4 Single user rate limit

Item Description

NetUserGroup Configure a name for the user group parameter.

Up Configure the rate speed for the uplink.

Unit(bps) Select a unit for the uplink rate limit.

Down Configure the rate speed for the downlink.

Units(bps) Select a unit for the downlink rate limit.

Operation Click copy or delete to do the operations.

! Caution:
Rate limitation limits users' communication between the inside network and the outside network; it cannot limit
communication within the same network.
Rate limitation controls the total network bandwidth of all users that correspond to the rule.
Rate limitation per IP address controls the bandwidth of each single user that corresponds to the rule.

7.1.4 Group Management

To enter group management interface, you can choose Service > Access control > Rate limitation > Group
management, as shown in Figure7-6.

Figure7-6 Group management


7.1.5 Network Application Browsing

To enter network application browsing interface, you can choose Service > Access control > Rate limitation >
Browsing, as shown in Figure7-7.

Figure7-7 Network application browsing

7.1.6 Typical configuration for the Rate Limitation

7.1.6.1 Network requirement

On the firewall device, configure rate limitation. The working mode of the network configuration is layer 3
interface. The marketing department IP segment is 192.168.3.2-192.168.3.10, excluding the IP
address 192.168.3.6; the research department IP segment is 192.168.4.0/24, excluding the IP address 192.168.4.8.
Then do the following operations:

Per IP address rate limitation for the marketing department for file transfer: upstream 10kbps
Rate limitation for the research and development department for HTTP download: downstream 1Mbps


7.1.6.2 Configuration requirement

7.1.6.3 Configuration procedures

 Choose Basic > Network management > Network user group > IP user group
 WAN interface: eth0/3, access method: PPPoE, type the name and password provided by ISP.
 LAN interface: eth0/0, IP address: 192.168.3.0, subnet mask: 24; eth0/5, IP address: 192.168.4, subnet
mask: 24, and then click the Ok button.

 Choose Basic > Network management > Network user group > IP address to enter the IP address page.

 Click the add button in the upper right corner.

 Type the name: marketing department.


 IP address range: 192.168.3.2-192.168.3.10, exclude IP: 192.168.3.6. Click the Ok button in the upper right
corner.


 Click the add button and type the name: research and development department.

 IP address range: 192.168.4.0-192.168.4.255, mask: 24 exclude IP: 192.168.4.8. Click the Ok button in the
upper right corner.

 Choose Service > Access control > Rate limitation > to enter the rate limitation interface.
 Create a rule of the rate limitation: such as bandwidth1
 Type a name for the rate limitation rule: bandwidth1
 Select the Enable status
 Configure rate limitation parameter, select a type of service: file transfer and configure rate limitation as:
1Mbps
 Click the Ok button in the upper right corner on the webpage.
 Click rate limitation per IP address select tab
 Create a rule of the rate limitation per IP address: bandwidth2
 Configure a name for the rate limitation: bandwidth2
 Select the Enable status
 Configure rate limitation parameter, select a type of service: HTTP download and configure the rate limitation
as: 1Mbps
 Click Ok button in the upper right corner on the webpage.

 Choose Basic > Network management > Network object > Security zone to enter the security zone
interface.
 Select trust security zone, interface: eth0/0 and eth0/5
 Select untrust security zone, interface: eth0/3
 Click Ok button in the upper right corner on the webpage.
 Reference the above mentioned IP address, security zone and rate limitation rule to packet filtering policy.

7.2 Access Control

7.2.1 Introduction to the Access Control

The device identifies the service of a received packet from the application protocol to which the packet belongs,
and blocks all packets of that service.


7.2.2 Access Control

To access the access control interface, you can choose Service > Access control > Access control, as shown in
Figure7-8.

Figure7-8 Access control

Table7-5 describes the configuration items of access control.

Table7-5 Access control configuration items

Item Description

Name Configure a name for the access control rule.

Network application group Select a name for the network application group.

Action set Select black list or white list for the rule of access control.

Send log Select whether to enable the send log function.

Operation
Click copy or delete icon to do the operations.

To create the rule of the access control, you can take the following steps:

 Configure a name for the rule.


 Select network application group, and select an action for the rule, select whether to enable send log function.
 Click Ok button in the upper right corner on the webpage.

! Caution:
Access control restricts communication between the inside network and the outside network; it cannot restrict
communication within the same network.

7.2.3 Group Management

To enter group management interface, you can choose Service > Access control > Rate limitation > Group
management, as shown in Figure7-9.


Figure7-9 Group management

To configure the network application group management, you can take the following steps:
In the left box (the system pre-defined box), double-click the user-defined application, and then configure a
name for it.

Click the edit icon to select a kind of protocol and configure the port number.

Click the add button to add an entry of the user-defined application.

Click the delete button to delete an entry of the user-defined application.

In the right box (the user-defined application group box), double-click the node of the application group and
configure a name for it.

Click the add button to add an entry of the user-defined application group.

Click the delete button to delete an entry of the user-defined application group.
Click a node of the system pre-defined tree and drag it from the left box (the system pre-defined box) to the
user-defined tree in the right box; this adds an application to a network application group.
Click a node of the user-defined tree to configure the rate limitation priority of the node.

To enter network application browsing interface, you can choose Service > Access control > Rate limitation >
Browsing, as shown in Figure7-10.


Figure7-10 Network application browsing

7.2.4 Typical configuration for the Access Control

7.2.4.1 Network requirement

On the firewall device, configure access control for the marketing department. The IP segment is
192.168.3.2-192.168.3.10, excluding the IP address 192.168.3.6. Then do the following operations:
For the marketing department, block Tencent QQ and PPLive.


7.2.4.2 Configuration requirement

7.2.4.3 Configuration procedures

 Choose Basic > Network management > Network user group > IP user group
 WAN interface: eth0/3, access method: PPPoE, type the name and password provided by ISP.
 LAN interface: eth0/0, IP address: 192.168.3.0, subnet mask: 24; eth0/5, IP address: 192.168.4, subnet
mask: 24, and then click the Ok button.

 Choose Basic > Network management > Network user group > IP address to enter the IP address page.

 Click the add button in the upper right corner.

 Type the name: marketing department.


 IP address range: 192.168.3.2-192.168.3.10, exclude IP: 192.168.3.6. Click the Ok button in the upper right
corner.


 Choose Service > Access control > Group management to enter the group management interface.
 Create an application group, yyz, from the user-defined tree drag Tencent QQ and PPLive to the yyz.
 Select Access control selection tab
 Create an access control rule: bandwidth3
 Configure a name for the access control rule: bandwidth3
 Network application group: yyz
 Select blacklist and click the send log option
 Click Ok button in the upper right corner on the webpage.
 Reference the above mentioned IP address, security zone and rate limitation rule to packet filtering policy.

7.3 URL Filtering

URL (Uniform Resource Locator) filtering is a kind of webpage filtering function that supports filtering HTTP
request packets according to IP address, host name and regular expression. URL filtering relies on the URL
filtering database, which allows users to configure URL filtering rules flexibly.

7.3.1 URL Classification Filtering

To enter the URL classification filtering interface, you can choose Service > Access control > URL filtering >
Classification, as shown in Figure7-11.

Figure7-11 URL classification filtering

Table7-6 describes the configuration items of the URL classification filtering.

Table7-6 URL classification filtering configuration items

Item Description

Name Configure a name for the URL filtering rule.

Filtering classification Upgrade the signature database to obtain the system classification or customize
your classification.


Configure URL filtering parameter; you can select the customized URL
classification.

Black/white list Select an action for the rule of URL filtering.

Send log Select whether to enable send log function:


Blacklist
White list

Page push Select whether to enable the page push function.

Operation
Click the copy icon to copy an entry of the URL filtering rule.

Click the delete icon to delete an entry of the access control rule.

7.3.2 Customize URL Classification

To access the customize URL classification interface, you can choose Service > Access control > URL filtering >
Customize, as shown in Figure7-12.

Figure7-12 Customize URL classification

Table7-7 describes the configuration items of the customize URL filtering

Table7-7 Customize URL classification

Item Description

Classification name Configure a name for the URL classification name.

URL list Configure the URL list

Operation
Click the copy icon to copy an entry of the customized URL filtering rule.

Click the delete icon to delete an entry of the customized URL filtering rule.


7.3.3 Advanced URL Filtering

To enter the advanced URL filtering interface, you can click Service > Access control > URL filtering >
Advanced URL filtering, as shown in Figure7-13.

Figure7-13 Advanced URL filtering

Table7-8 describes the configuration items of the advanced URL filtering.

Table7-8 Advanced URL filtering configuration items

Item Description

Name Configure a name for the advanced URL filtering rule.

Filter parameter Configure the advanced URL filtering parameter, including:


IP address: filtering according to the IP address.
Host name: filtering according to the host name.
Regular expression: filtering according to the content restricted by regular
expression.

Black/white list Select an action for the advanced URL filtering rule.
Blacklist log
White list log

Send log Select whether to enable the send log function.

Operation
Click the copy icon to copy an entry of the advanced URL filtering rule.

Click the delete icon to delete an entry of the advanced URL filtering rule.

To create an advanced URL filtering rule, you can take the following steps:

 Configure the URL filtering policy and configure name for the rule
 Configure filtering parameter for the rule.
 Select blacklist and then enable the send log function and the page push function.
 Click Ok button in the upper right corner on the webpage.


Figure7-14 Advanced URL filtering configuration

Table7-9 describes the configuration items of the filter parameter.

Table7-9 URL filter parameter configuration items

Item Description

Filter type Select a type of the filter parameter.

Filter parameter In the filter parameter column, you should configure the filter parameter:
IP address: filtering according to the IP address.
Host name: filtering according to the host name.
Regular expression: filtering according to the content restricted by regular
expression.

Operation Click the copy icon that you can copy an entry of the filter parameter.

Click the delete icon that you can delete an entry of the filter parameter.

7.3.4 URL Filter Page Push

To enter the URL filter page push interface, you can choose Service > Access control > URL filter page push, as
shown in Figure7-15.


Figure7-15 URL filter page push

The URL filter page push function provides a custom template that allows users to customize the page push information, as
shown in Figure7-16.

Figure7-16 URL page push

7.3.5 Typical configuration for the Rate Limitation

7.3.5.1 Network requirement

On the firewall device, you can configure rate limitation. The working mode of the network configuration is layer 3
interface. The marketing department IP segment is 192.168.3.2-192.168.3.10, excluding the IP address 192.168.3.6;
the research department IP segment is 192.168.4.0/24, excluding the IP address 192.168.4.8. You can then do the
following operations and view the logs by using 3CDaemon:

• Allow the marketing department to access IP address 202.202.100.101, hostname news.sina.com.cn.
• Prohibit the research and development department from accessing websites that contain sports in the URL, regular expression: sports.*


7.3.5.2 Configuration requirement

The following is the network diagram for the URL configuration, as shown in Figure7-17.

Figure7-17 Advanced URL filtering

7.3.5.3 Configuration procedures

• Choose Basic > Network management > Network user group > IP user group.
• WAN interface: eth0/3, access method: PPPoE; type the name and password provided by the ISP.
• LAN interface: eth0/0, IP address: 192.168.3.0, subnet mask: 24; eth0/5, IP address: 192.168.4, subnet mask: 24; and then click the Ok button.
• Choose Basic > Network management > Network user group > IP address to enter the IP address page.
• Click the add button in the upper right corner.
• Type the name: marketing department.
• IP address range: 192.168.3.2-192.168.3.10, exclude IP: 192.168.3.6. Click the Ok button in the upper right corner.
• Click the add button and type the name: research and development department.
• IP address range: 192.168.4.0-192.168.4.255, mask: 24, exclude IP: 192.168.4.8. Click the Ok button in the upper right corner.
• Choose Service > Access control > Advanced > to enter the advanced URL interface.
• Create a rule for the advanced URL configuration, such as URL1.
• Type a name for the advanced URL configuration, such as URL1.
• Configure the filter parameter: select IP address and configure 202.202.100.101, configure the host name news.sina.com.cn, and then click the Confirm button.
• Select white list and click the send log option.
• Click the Ok button in the upper right corner of the webpage.
• Create a rule for the advanced URL configuration: URL2.
• Configure a name for the advanced URL configuration: URL2.
• Configure the filter parameter: select regular expression, configure the fixed character string sports and the expression sports.*, and then click the Confirm button.
• Select blacklist for the URL rule and click the send log option.
• Click the Ok button in the upper right corner of the webpage. The advanced URL configuration is then finished.
• Choose Basic > Network management > Network object > Security zone to enter the security zone interface.
• Select the trust security zone, interface: eth0/0, eth0/5.
• Select the untrust security zone, interface: eth0/3.
• Click the Ok button in the upper right corner of the webpage.
• Reference the above-mentioned IP address, security zone and advanced URL rules in the packet filtering policy.

! Caution:
All rules configured in the access control module must be referenced in the packet filtering policy.
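
An added example, not part of the DPtech guide: an offline model of rules URL1 and URL2 and the two user groups, for checking which requests this configuration would permit or block before it is referenced in the packet filtering policy. The matching semantics (unanchored regular expression search, one rule bound to one group) and all function names are assumptions, not the device's documented behaviour.

```python
import ipaddress
import re
from urllib.parse import urlsplit


def ip_group(first, last, exclude=()):
    """User-group predicate: inclusive IP range minus the excluded addresses."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    skipped = {ipaddress.ip_address(e) for e in exclude}

    def contains(ip):
        addr = ipaddress.ip_address(ip)
        return lo <= addr <= hi and addr not in skipped
    return contains


# User groups exactly as given in the network requirement.
GROUPS = {
    "marketing": ip_group("192.168.3.2", "192.168.3.10", exclude=["192.168.3.6"]),
    "research": ip_group("192.168.4.0", "192.168.4.255", exclude=["192.168.4.8"]),
}

# URL1 and URL2 from the procedure. Binding each rule to one group stands in
# for the packet filtering policy that references them (assumption).
RULES = [
    {"name": "URL1", "group": "marketing", "list": "white",
     "params": [("ip", "202.202.100.101"), ("host", "news.sina.com.cn")]},
    {"name": "URL2", "group": "research", "list": "black",
     "params": [("regex", r"sports.*")]},
]


def param_matches(kind, value, url, dst_ip=None):
    """Match one filter parameter. Assumption: the regular expression is an
    unanchored search over host + path + query; the guide does not say."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if kind == "ip":
        return value in (host, dst_ip)
    if kind == "host":
        return host == value.lower()
    if kind == "regex":
        query = "?" + parts.query if parts.query else ""
        return re.search(value, parts.netloc + parts.path + query) is not None
    raise ValueError("unknown filter type: " + kind)


def evaluate(src_ip, url, dst_ip=None):
    """Return (verdict, rule name). 'no-match' means no advanced URL rule
    applied and the rest of the packet filtering policy decides."""
    for rule in RULES:
        if not GROUPS[rule["group"]](src_ip):
            continue
        if any(param_matches(k, v, url, dst_ip) for k, v in rule["params"]):
            return ("permit" if rule["list"] == "white" else "block"), rule["name"]
    return "no-match", None


# Constructed test traffic: (source IP, requested URL).
CASES = [
    ("192.168.3.5", "http://news.sina.com.cn/"),
    ("192.168.3.5", "http://202.202.100.101/index.html"),
    ("192.168.3.6", "http://news.sina.com.cn/"),            # excluded IP
    ("192.168.4.20", "http://sports.example.com/scores"),
    ("192.168.4.20", "http://example.com/transports/map"),  # contains "sports"
    ("192.168.4.8", "http://sports.example.com/scores"),    # excluded IP
]


def expected_outcomes():
    """Evaluate every constructed case and return (src, url, verdict, rule)."""
    return [(src, url) + evaluate(src, url) for src, url in CASES]


if __name__ == "__main__":
    for row in expected_outcomes():
        print(row)
```

Under these assumptions the expression sports.* also blocks a URL that merely contains transports, and the trailing .* adds nothing to an unanchored search. The excluded addresses 192.168.3.6 and 192.168.4.8 match neither rule, so their traffic is decided by whatever else the packet filtering policy contains.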


7.4 SQL Injection Protection

SQL injection is a technique often used to attack databases through a website. A SQL injection attack reaches the
website through the normal WWW port and looks like ordinary webpage access, so the firewall device cannot raise an
alarm for it, and if an administrator does not review the IIS log, a SQL injection may go undetected for a long time.
SQL injection protection is therefore especially important.

To enter the SQL injection protection interface, you can choose Service > Access control > SQL injection
protection, as shown in Figure7-18.

Figure7-18 SQL injection prevention

Table7-10 describes the configuration items of the SQL injection protection.

Table7-10 SQL injection protection configuration items

Item Description

Name Configure a name for the SQL injection protection rule.

Exceptional interface Configure the exceptional interface.

Exceptional parameter Configure the exceptional parameter.

Action Select an action for the rule, including warning and block.

Operation
Click the copy icon to copy an entry of the SQL injection protection rule.

Click the delete icon to delete an entry of the SQL injection protection rule.
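
This section notes that injection attempts go unnoticed unless someone reviews the IIS log. The following added example (not DPtech code and not the firewall's detection logic) scans IIS W3C log lines for common injection indicators in query parameters and skips a list of excepted parameters, in the spirit of the rule's exceptional parameter. The log lines, indicator patterns and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Constructed IIS W3C extended log sample (not taken from the guide).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2011-05-03 09:12:01 192.168.3.5 GET /news/view.asp id=42 200
2011-05-03 09:12:07 192.168.4.20 GET /news/view.asp id=42'+OR+'1'='1 500
2011-05-03 09:12:09 192.168.4.20 GET /news/view.asp id=42+UNION+SELECT+name,pass+FROM+users-- 200
2011-05-03 09:13:30 192.168.3.7 GET /report/run.asp filter=select+region+from+list 200
2011-05-03 09:14:02 192.168.3.9 GET /search.asp q=o'reilly+books 200
"""

# Illustrative indicators applied to each decoded parameter value.
INDICATORS = [
    ("quote-boolean", re.compile(r"'\s*(?:or|and)\b", re.I)),
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("select-from", re.compile(r"\bselect\b.+\bfrom\b", re.I)),
    ("stacked-statement", re.compile(r";\s*(?:drop|exec|insert|update|delete)\b", re.I)),
    ("comment-terminator", re.compile(r"(?:--|/\*)\s*$")),
]


def scan_iis_log(log_text, excepted_params=()):
    """Return one finding per suspicious query parameter.

    excepted_params lists parameter names that legitimately carry SQL-like
    text and are therefore not inspected.
    """
    excepted = {p.lower() for p in excepted_params}
    fields, findings = [], []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            # The header names the columns of the data lines that follow.
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        record = dict(zip(fields, line.split()))
        query = record.get("cs-uri-query", "-")
        if query == "-":  # IIS logs "-" for an empty query string
            continue
        # parse_qsl decodes "+" and %xx escapes before the patterns run.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() in excepted:
                continue
            hits = [label for label, rx in INDICATORS if rx.search(value)]
            if hits:
                findings.append({
                    "line": lineno,
                    "client": record.get("c-ip"),
                    "uri": record.get("cs-uri-stem"),
                    "param": name,
                    "indicators": hits,
                })
    return findings


if __name__ == "__main__":
    for finding in scan_iis_log(SAMPLE_LOG, excepted_params={"filter"}):
        print(finding)
```

The apostrophe in the last sample line is not flagged, and the filter parameter is only flagged when it is left out of the exception list.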

Chapter 8 VPN

A virtual private network (VPN) is a private network that interconnects remote (and often geographically separate)
networks through primarily public communication infrastructures such as the Internet. VPNs provide security
through tunneling protocols and security procedures such as encryption. For example, a VPN could be used to
securely connect the branch offices of an organization to a head office network through the public Internet.

• IPSec
• L2TP
• PPTP
• GRE
• SMAD

8.1.1 Introduction to IPSec

Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by
authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for
establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic
keys to be used during the session.

8.1.2 IPsec sysConfig

To enter the IPsec sysConfig interface, you can choose Service > VPN > IPSec > IPSec sysConfig, as shown in
Figure8-1.

Figure8-1 IPSec sysConfig

Table8-1 describes the configuration items of the IPSec VPN configuration.

Table8-1 IPSec VPN configuration

Item Description

Enable IPSec Select whether to enable the IPSec function.


Advanced configuration Select whether to enable the NAT traverse function.
Select whether to enable the NAT session keepalive mechanism, and configure the interval for sending NAT session keepalive packets (default is 20 sec).
Select whether to use IPsec acceleration.
Select whether to enable the layer 2 IPSec.
Select whether to enable UDP checksum.
Select a mode for the route add mode (this configuration takes effect after IPsec is restarted).

Table8-2 describes the configuration items of the IPSec VPN client access mode and gateway-gateway mode.

Table8-2 IPSec VPN client access mode and gateway-gateway mode

Item Description

Connection Name Bind Interface Displays the name of the IPSec rule.
Advanced Configuration

Status Displays the status of the IPSec rule.

Local IP Address Displays the local IP address for the IPSec rule.

Remote IP address Displays the remote IP address for the IPSec rule.

Local Device ID
• Auto: (The system auto-selects the local IP address as the local device ID)
• Host Name: (Required when NAT traverse is configured)
• IP Address: (Manually input any IP address on the local device as the local ID)
• Local Certificate ID Alias: (Required when it is required to strictly check the validity of the remote certification ID alias)

Remote device ID
• Auto: (The system auto-selects the local IP address as the local device ID)
• Host Name: (Required when NAT traverse is configured)
• IP Address: (Manually input any IP address on the local device as the local ID)
• Local Certificate ID Alias: (Required when it is required to strictly check the validity of the remote certification ID alias)

Client ID Configure the client ID number.

Subnets Available to the clients List the encryption protection subnets to the clients.

Authentication Mode Four authentication methods are provided, including:
• Pre-shared key
• Digital Certificate: usercert.cer (Select the local certificate for certificate authentication)
• Xauth Authentication
• Assign private IP address for clients


Advanced configuration
Click the pencil icon to enter the advanced configuration interface, including:
• Negotiation mode
• IPSec Encryption Failed Action
• IPSec Security Protocol
• IKE Security Proposal
• IPSec Security Proposal

Operation
Click the copy icon to copy an entry of the IPSec rule.

Click the delete icon to delete an entry of the IPSec rule.

To configure IPSec VPN client access mode, you can take the following steps:

• Configure a correct name for the IPSec rule.
• Select the Enable status for the rule.
• Configure the local IP address, for example 10.66.0.11.
• Configure the local device ID by selecting one of the four options as required, for example auto.
• Configure the client ID by selecting one of the four options as required, for example auto.
• Add the encryption protection subnets to the clients.
• Configure the authentication method by selecting one of the four options as required, for example pre-shared key 1234.
• Configure the advanced configuration.
• After you finish the above steps, click the Ok button in the upper right corner.

To configure the IPSec VPN gateway-gateway mode, you can take the following steps:

• Configure a correct name for the IPSec rule.
• Select the Enable status for the rule.
• Configure the local IP address, for example 10.66.0.11.
• Configure the remote IP address, for example 10.66.0.12.
• Configure the local device ID by selecting one of the four options as required, for example auto.
• Configure the remote device ID by selecting one of the four options as required, for example auto.
• Configure an IP segment for the source IP address of the packets, for example 1.1.1.0/24, and an IP segment for the destination IP address of the packets, for example 2.2.2.0/24.
• Configure the authentication method by selecting one of the two options as required, for example pre-shared key 1234.
• After you finish the above steps, click the Ok button in the upper right corner of the webpage.

8.1.3 IPsec policy mode

To enter the IPsec policy mode interface, you can choose Service > VPN > IPSec > IPSec policy mode, as shown
in Figure8-2.

Figure8-2 IPsec policy mode

8.1.4 IPsec route mode

To enter the IPsec policy mode interface, you can choose Service > VPN > IPsec > IPsec policy mode, as shown in
Figure8-3.

Figure8-3 IPsec route mode


8.1.5 Net protect

To enter the Net protect interface, you can choose Service > VPN > IPsec > Net protect, as shown in Figure8-4.

Figure8-4 Net protect

8.1.6 SA

To enter the SA interface, you can choose Service > VPN > IPsec > SA, as shown in Figure8-5.

Figure8-5 SA

8.1.7 IPsec interface

To enter the IPsec interface, you can choose Service > VPN > IPsec > IPsec interface, as shown in Figure8-6.

Figure8-6 IPsec interface

8.2 L2TP

8.2.1 Introduction to L2TP

L2TP is a standard Internet tunnel protocol similar to the PPTP protocol, and both of them can encrypt the network
stream. The differences are that PPTP requires an IP network, whereas L2TP requires only a packet-oriented
peer-to-peer connection; PPTP uses a single tunnel, whereas L2TP uses multiple tunnels; and L2TP provides packet
header compression and tunnel verification, which PPTP does not support.


8.2.2 L2TP

To enter the L2TP configuration interface, you can click Service > VPN > L2TP, as shown in Figure8-7.

Figure8-7 L2TP configuration

Table8-3 describes the configuration items of LNS.

Table8-3 LNS configuration items

Item Description

Tunnel name Displays the tunnel name of the LNS rule.

Tunnel interface IP Configure the IP address of the tunnel interface.

PPP authentication mode Select an option from the PPP authentication mode drop-down list, such as CHAP, PAP,
MSCHAP, and MSCHAPV2.

Client IP address range Configure the client IP address range; local tunnel IP addresses are allocated from this
address pool.

Advanced configuration
Click the modify icon to configure the advanced configuration of the LNS rule.

Operation
Click the delete icon to delete an entry of the LNS rule.

Table8-4 describes the configuration items of the LAC.

Table8-4 LNS configuration items

Item Description

Enable L2TP Displays whether to enable the L2TP function.

Tunnel Name Displays the tunnel name.


Remote LNS Displays the remote LNS.

IP Trigger Mode Displays the IP trigger mode.

Advanced Configuration Displays the advanced configuration.

To batch import configuration, you can take the following steps:

• To batch import the configuration, click the Browse button, select the path of the configuration file in the pop-up window, and then click Import.
• To export the configuration, click Export, click the Save as button, select a file path for the configuration file, and then click the Save button.

8.2.3 L2TP user authentication

To enter the L2TP configuration interface, you can click Service > VPN > L2TP, as shown in Figure8-8.

Figure8-8 L2TP user authentication

8.2.4 L2TP IP pool

To enter the L2TP IP pool interface, you can click Service > VPN > L2TP IP pool, as shown in Figure8-8.


Figure8-9 L2TP IP pool

8.2.5 L2TP online status

To enter the L2TP online status interface, you can click Service > VPN > L2TP online status, as shown in
Figure8-10.

Figure8-10 L2TP online status

8.3 PPTP

Point to Point Tunneling Protocol (PPTP) is a technology that supports multi-protocol VPNs and works at layer 2.
To enter the L2TP configuration interface, you can click Service > VPN > PPTP, as shown in Figure8-11.

Figure8-11 PPTP

Table8-5 describes the configuration items of the PNS configuration.



Table8-5 PNS configuration

Item Description

Tunnel name Displays the name of the tunnel.

Local tunnel IP Configure local tunnel IP address.

PPP authentication mode Select PPP authentication method

Client IP address range Configure the start IP address of the IP address pool and configure a size of the IP address
pool.

DNS server Configure the DNS server address.

Operation
Click the delete icon to delete the PNS configuration.

Table8-6 describes the configuration items of the customer configuration.

Table8-6 Customer information

Item Description

User name Configure a user name for the customer information.

Password Configure the corresponding password for the username.

Confirm password Configure the confirmation password.

Operation
Click the copy icon to copy an entry of the user information configuration.

Click the delete icon to delete an entry of the user information configuration.

8.4 GRE

8.4.1 Introduction to the GRE

Generic Routing Encapsulation (GRE) is a protocol designed for encapsulating and carrying the packets of one
network layer protocol (for example, IP or IPX) over another network layer protocol (for example, IP). GRE is a
tunneling technology and serves as a Layer 3 tunneling protocol. A GRE tunnel is a virtual point-to-point
connection for transferring encapsulated packets.

8.4.2 GRE configuration

To enter the GRE configuration interface, you can click Service > VPN > GRE, as shown in Figure8-12.

Figure8-12 GRE configuration

Table8-7 describes the configuration items of GRE.

Table8-7 GRE configuration items

Item Description

Tunnel interface NO Configure the GRE tunnel interface number (the number is from 1 to 64).

Tunnel interface IP address Configure the GRE tunnel interface IP address.

Tunnel source interface/IP address Displays GRE tunnel source interface IP address, select tunnel interface or the
corresponding IP address.

Tunnel destination IP address IP address of the remote device GRE configuration

Advanced configuration Configure the advanced configuration, including MTU discovery and checksum
checkout and tunnel key.

Operation Allows you to copy or delete the GRE rule.

Operation
Click the copy icon to copy an entry of the GRE rule.

Click the delete icon to delete an entry of the GRE rule.

To configure the GRE VPN rule, you can take the following steps:

• Configure a name corresponding to the GRE rule.
• Configure the tunnel IP address, for example 6.6.6.1/24.
• Configure the tunnel source interface/IP address, for example 10.66.0.12 or eth0_7.
• Configure the tunnel destination IP address, such as 6.6.6.2/24.
• Configure the advanced configuration, including the MTU discovery, checksum checkout and tunnel key.
• After you finish the above steps, click the Ok button in the upper right corner of the webpage.


8.5 SMAD

8.5.1 SMAD

To enter the SMAD interface, you can click Service > VPN > SMAD, as shown in Figure8-13.

Figure8-13 SMAD

8.5.2 SMAD blacklist

To enter the SMAD blacklist interface, you can click Service > VPN > SMAD blacklist, as shown in Figure8-14.

Figure8-14 SMAD blacklist

8.5.3 SMAD log

To enter the SMAD log interface, you can click Service > VPN > SMAD log, as shown in Figure8-15.

Figure8-15 SMAD log


8.6 SSL VPN

8.6.1 Introduction to the SSL VPN

SSL VPN is the simplest and safest technology for giving remote users access to sensitive company data.
Compared with the complicated IPsec VPN, SSL VPN uses a simple method to realize remote connection. Every
computer with a browser can use SSL VPN, because SSL VPN is embedded into the browser, so you do not need to
set up client software on every host as with traditional IPsec VPN.

8.6.2 SSL VPN

8.6.2.1 Basic configuration

To enter the basic configuration interface, you can choose Service > VPN > SSL VPN, as shown in Figure8-16.

Figure8-16 SSL VPN

Table8-8 describes the configuration items of the SSL VPN.

Table8-8 SSL VPN configuration items

Item Description

Enable SSL VPN server Select a digital certificate for the server

Select the CA digital certificate

Select whether to enable the client certificate authentication.

Advanced configuration User login port number configuration

Allow user to access the interface configuration

Maximum user number

Free authentication configuration.

Select whether to allow access VPN only.


8.6.2.2 IP pool configuration

To enter the IP pool configuration interface, you can choose Service > VPN > SSL VPN > IP pool configuration,
as shown in Figure8-17.

Figure8-17 IP pool configuration

8.6.2.3 Domain configuration

To enter the domain configuration interface, you can choose Service > VPN > SSL VPN > Domain configuration,
as shown in Figure8-18.

Figure8-18 Domain configuration

8.6.2.4 License management

To enter the license management interface, you can choose Service > VPN > SSL VPN > License management, as
shown in Figure8-19.

Figure8-19 License management

8.6.2.5 Portals management

To enter the portals management interface, you can choose Service > VPN > SSL VPN > Portals management, as
shown in Figure8-20.


Figure8-20 Portals management

8.6.3 Resources

8.6.3.1 Resource configuration

To enter the resources interface and configure the IP resource configuration, you can choose Service > VPN > SSL
VPN > Resource, as shown in Figure8-21.

Figure8-21 Resource configuration

8.6.3.2 Share space

To enter the share space interface, you can choose Service > VPN > SSL VPN > Share space, as shown in
Figure8-22.

Figure8-22 Share space


8.6.4 User management

8.6.4.1 User management

To enter the share space interface, you can choose Service > VPN > SSL VPN > Share space, as shown in
Figure8-23.

Figure8-23 User configuration

8.6.4.2 User status

To enter the user status interface, you can choose Service > VPN > SSL VPN > User status, as shown in
Figure8-24.

Figure8-24 User status

8.6.5 Authentication key

To enter the authentication key interface, you can choose Service > VPN > SSL VPN > Authentication key, as
shown in Figure8-25.

Figure8-25 Authentication key


8.6.6 Security policy

8.6.6.1 Security set

To enter the security set interface, you can choose Service > VPN > SSL VPN > Security set, as shown in
Figure8-26.

Figure8-26 Security set

8.6.6.2 Security rule

To enter the security rule interface, you can choose Service > VPN > SSL VPN > Security rule, as shown in
Figure8-27.

Figure8-27 Security rule

8.6.6.3 Security rule group

To enter the security rule group interface, you can choose Service > VPN > SSL VPN > Security rule group, as
shown in Figure8-28.

Figure8-28 Security rule group

8.6.6.4 Policy configuration

To enter the policy configuration interface, you can choose Service > VPN > SSL VPN > Policy configuration, as
shown in Figure8-29.


Figure8-29 Policy configuration

8.6.7 Log management

8.6.7.1 Log query

To enter the log query interface, you can choose Service > VPN > SSL VPN > Log query, as shown in Figure8-30.

Figure8-30 Log query

8.6.7.2 Log configuration

To enter the log configuration interface, you can choose Service > VPN > SSL VPN > Log configuration, as
shown in Figure8-31.

Figure8-31 Log configuration

8.6.7.3 Log manage

To enter the log manage interface, you can choose Service > VPN > SSL VPN > Log manage, as shown in
Figure8-32.

Figure8-32 Log manage


8.6.8 Report forms

8.6.8.1 User stat form

To enter the user stat form interface, you can choose Service > VPN > SSL VPN > User stat form, as shown in
Figure8-33.

Figure8-33 User stat form

8.6.8.2 Flux stat form

To enter the flux stat form interface, you can choose Service > VPN > SSL VPN > Flux stat form, as shown in
Figure8-34.

Figure8-34 Flux stat form

8.6.8.3 Statistical offline users

To enter the statistical offline users interface, you can choose Service > VPN > SSL VPN > Statistical offline
users, as shown in Figure8-35.

Figure8-35 Statistical offline users

8.6.8.4 Online time ranking form

To enter the online time ranking form interface, you can choose Service > VPN > SSL VPN > Online time
ranking form, as shown in Figure8-36.


Figure8-36 Online time ranking form

8.6.8.5 Resource access form

To enter the resource access form interface, you can choose Service > VPN > SSL VPN > Resource access form,
as shown in Figure8-37.

Figure8-37 Resource access form


Chapter 9 Online Behavior Management

9.1 Introduction to Online Behavior Management

Online behavior management module provides the following features:

 Traffic analysis
 Behavior analysis
 Keyword filtering

To view the online behavior management menu, you can choose Service > Behavior > Traffic analysis, as shown
in Figure9-1.

Figure9-1 Traffic analysis

9.2 Traffic analysis

9.2.1 Traffic analysis

To enter the traffic analysis interface, you can choose Service > Behavior > Traffic analysis, as shown in
Figure9-2.

Figure9-2 Traffic analysis


Table9-1 describes the configuration items of traffic statistic.

Table9-1 Traffic statistic configuration items

Item Description

Interface traffic statistics Select whether to enable the interface traffic statistics.

Traffic statistics per IP address Select whether to enable the traffic statistics per IP address function, and configure the
sending interval and network user group.

Exception web config Configure the exception website.

9.3 Behavior Analysis

9.3.1 Policy configuration

To enter the policy configuration interface, you can choose Service > Behavior > Behavior analysis > Policy
configuration, as shown in Figure9-3.

Figure9-3 Policy configuration

Table9-2 describes the details of policy configuration

Table9-2 Policy configuration

Item Description

Policy name Displays the name of behavior analysis policy

User/User group Select a user or a user group for the behavior analysis policy.

Configure audit object Allows you to select behavior analysis objects.

Save details Allows you to select the objects whose details are saved.

Operation
Click the copy icon to copy a behavior analysis rule.

Click the delete icon to delete a behavior analysis rule.

To create a behavior analysis policy:

• Enter a name for the behavior analysis policy.
• Select a user or a user group for the behavior analysis policy.
• In the save detail column, select one or several items of the behavior analysis policy.
• After you finish the above steps, click the Ok button in the upper right corner.

9.3.2 Advanced configuration

To enter the policy configuration interface, you can choose Service > Behavior > Behavior analysis > Advanced
configuration, as shown in Figure9-4.

Figure9-4 Advanced configuration

9.3.3 Keyword Filtering

9.3.3.1 Keyword Filtering

To enter the keyword filtering interface, you can choose Service > Behavior > Keyword filtering, as shown in
Figure9-5.


Figure9-5 Keyword filtering

Table9-3 describes the configuration items of keyword filtering function

Table9-3 Keyword filtering configuration items

Item Description

Name Enter a name for the keyword filtering rule.

Action Select an action for the keyword filtering rule, including warning or block.

Operation
Click the copy icon to copy an entry of the keyword filtering rule.

Click the delete icon to delete an entry of the keyword filtering rule.

To create a keyword filtering rule, you can take the following steps:

• Enable the keyword filtering function.
• Enter a name for the keyword filtering rule.
• Select an action for the rule.
• Click the Ok button in the upper right corner of the webpage.

9.3.3.2 Latest Log

To enter the keyword filtering interface, you can choose Service > Behavior > Keyword filtering, as shown in
Figure9-5.


Figure9-6 Keyword filtering

Table9-3 describes the configuration items of keyword filtering function

Table9-4 Keyword filtering configuration items

Item Description

Name Enter a name for the keyword filtering rule.

Action Select an action for the keyword filtering rule, including warning or block.

Operation
Click the copy icon to copy an entry of the keyword filtering rule.

Click the delete icon to delete an entry of the keyword filtering rule.

To create a keyword filtering rule, you can take the following steps:

• Enable the keyword filtering function.
• Enter a name for the keyword filtering rule.
• Select an action for the rule.
• Click the Ok button in the upper right corner of the webpage.


Chapter 10 Portal Authentication

10.1 Introduction to the Portal Authentication

Portal authentication provides several authentication mechanisms, which allow users to authenticate with their user
name and password before they access the Internet.

• Authentication Config
• Web Auth Notice
• Behavior Listen
• Proscenium Management
• Terminal Management
• Online User
• Local User

To view the user authentication menu, you can choose Service > User authentication, as shown in Figure10-1.

Figure10-1 Security center

10.1.1 Authentication Config

10.1.1.1 Basic authentication

To enter the user authentication interface, you can choose Service > User authentication > Basic authentication,
as shown in Figure10-2.

Figure10-2 Basic authentication configuration items


Table10-1 illustrates configuration items of the basic authentication.

Table10-1 Basic authentication configuration items

Item Description

Web auth Allows you to enable or disable web auth function.

Terminal auth Allows you to enable or disable terminal auth function.

Avoid auth IP Allows you to set the free authentication IP address.

User group Allows you to select a user group.

Auth mode Allows you to select and configure authentication mode.

Unique authentication Allows you to select whether to enable unique authentication function.

User aging time Allows you to set the user aging time.

Quick offline Allows you to select whether to enable quick offline function.

10.1.1.2 Webauth Configuration

To enter the webauth configuration interface, you can choose Service > User authentication > Webauth
configuration, as shown in Figure10-3.

Figure10-3 Webauth configuration

Table10-2 describes the configuration items of webauth configuration.

Table10-2 Webauth configuration items

Item Description

NAT traverse configuration Allows you to configure the NAT traverse configuration, including authenticated protocol
configuration, authentication policy configuration.

Login state Allows you to select whether to show the login state window.

Notice Allows you to select no notice, web auth notice and URL address option for web authentication.

Enable proxy authentication Allows you to use proxy server to authenticate web users and allows you to configure the proxy
server IP address.

HTTP/HTTPS Allows you to enable authenticate HTTP/HTTPS configuration.

Using USB key Allows you to enable the USB key authentication function (importing the certificate and the
corresponding CA, and a reboot, are required for it to take effect).

Temporary user login Allows you to enable temporary user login function.

Tem background photo Allows you to select the background image.

Login interface image Allows you to select the login interface image.

Get MAC Allows you to enable the get MAC function and then you can get MAC from SNMP.


10.1.1.3 TAC configuration

To enter the TAC configuration interface, you can choose Service > User authentication > Webauth
configuration > TAC configuration, as shown in Figure10-4.

Figure10-4 TAC configuration

Table10-3 describes the configuration items of TAC.

Table10-3 TAC configuration items

Item Description

Management server IP address Configure an IP address for the management server.

Client download URL Type client download URL for the TAC configuration

MAC match Select whether to enable the MAC match function.

Aged by traffic Select whether to enable the aged by traffic function.

User group Select a user group for the TAC configuration.

10.1.1.4 Customer Configuration

To enter customer configuration interface, you can choose Service > User authentication > Webauth
configuration > Customer configuration, as shown in Figure10-5.


Figure10-5 Customer configuration

Table10-4 describes the configuration items of the customer configuration.

Table10-4 Customer configuration

Item Description

Login page Select the page that the login page will jump to:
• Default
• Upload the return page
• URL address (http://www.baidu.com)

Customize web authentication interface Allows you to customize the web authentication interface.

10.1.2 Web Authentication Notice

To enter the web authentication notice interface, you can choose Service > User authentication > Web
authentication notice, as shown in Figure10-6.

Figure10-6 Web authentication notice

Table10-5 describes the configuration items of web listen.

Table10-5 Web listen configuration items

Item Description

Serial number Displays the sequence number of the web auth notice.

Title Configure the title of the notice.

Content Configure the notice content.

Operation Click the copy icon to copy an entry of the notice. Click the delete icon to delete an entry of the notice.

10.1.3 Web Listen

If the web authentication function isn’t enabled, you can enable the web listen function for user authentication.
To enter the web listen interface, you can choose Service > User authentication > Web listen, as shown in
Figure10-7.

Figure10-7 Web listen

10.1.4 Proscenium Management

To enter the proscenium management interface, you can choose Service > User authentication > Portal
authentication, as shown in Figure10-8.

Figure10-8 Proscenium management

Table10-6 describes the configuration items of the proscenium management.

Table10-6 Proscenium management

Item Description

Proscenium administrator Configure the user name for proscenium administrator.

Password Configure the password for the proscenium administrator.

Access address of proscenium Configure the device bridge interface IP address or WAN interface address.

Email address (addressee) Configure the e-mail address of the mail receiver (addressee).

Operation You can copy or delete the proscenium administrator configuration by clicking the copy icon or delete icon. Click the e-mail icon to send an e-mail to the specific proscenium administrator.

To configure proscenium management, you can take the following steps:

• In the operation column, click the copy icon.
• Configure the proscenium administrator.
• Configure the proscenium administrator’s password.
• Configure the access address of the proscenium, which is the WAN interface address or bridge address of the device.
• After you finish the above steps, click the Ok button in the upper right corner of the webpage.

After you have configured proscenium management, click the email button so that the proscenium administrator receives an email that contains the user name, password and URL. After you log in to the online management interface, you can create user information, as shown in Figure10-9.

Figure10-9 Online management for the hotel user.

Table10-7 describes the configuration items of the hotel user online management.

Table10-7 Hotel user online management

Item Description

User name Displays the user name of the online user.

Password Configure the password of the online user.

Room number of the user Room number of the user.

Real name of the user Real name of the user.

Identification card Configure the identification card number of the user.

Operation Allows you to modify, add or delete an administrator.

To configure the hotel user online management, you can take the following steps:

• In the operation column, click the copy icon.
• Configure the user name for the hotel user.
• Configure the password for the hotel user.
• Configure the room number for the hotel user.
• Configure the real name for the hotel user.
• Configure the identification number of the hotel user.
• After you finish the above steps, click the Ok button in the upper right corner of the webpage.

10.1.5 Terminal Management

10.1.5.1 Microsoft Patch Management

To enter the Microsoft update interface, you can choose Service > User authentication > Portal authentication >
Terminal > Microsoft update, as shown in Figure10-10.

Figure10-10 Terminal management

Table10-8 describes the details of the Microsoft patch management.

Table10-8 Microsoft patch management

Item Description

Remind management Click the Enable option to enable the remind management function. Click the Disable option to disable the remind management function.

Remind check level Select the remind check level.

Remind install Configure the remind install, including not install, forcible install and remind install.

10.1.5.2 USB Data Leakage Monitor

To enter the USB leakage monitor interface, you can choose Service > User authentication > Portal
authentication > Terminal > USB data leakage monitor, as shown in Figure10-11.

Figure10-11 USB data leakage monitor

Table10-9 describes the configuration items of the USB data leakage monitor.

Table10-9 USB data leakage monitor

Item Description

USB data leakage monitor Click the Enable option to enable the USB data leakage monitor function. Click the Disable option to disable the USB data leakage monitor function.

USB log audit Allows you to query or export the USB data monitor audit log.

10.1.5.3 Terminal Configuration

To enter the terminal configuration interface, you can choose Service > User authentication > Portal
authentication > Terminal > Terminal configuration, as shown in Figure10-12.

Figure10-12 Terminal configuration

Table10-10 describes the configuration items of the terminal configuration.

Table10-10 Terminal configuration items

Item Description

Terminal name Configure a name for the terminal.

MAC address Configure the terminal MAC address.

IP address Configure the terminal IP address.

Physical position of terminal Configure the physical position of the terminal.

Operation Click the copy icon to copy an entry of the terminal configuration. Click the delete icon to delete an entry of the terminal configuration.

10.1.6 Online User

After the user is authenticated, the user’s authentication information will be displayed on the online user interface.
To enter the online user interface, you can choose Service > User authentication > Portal authentication >
Online user, as shown in Figure10-13.

Figure10-13 Online user

Table10-11 describes the details of the online user.

Table10-11 Online user

Item Description

Username Displays the user name of the authentication user.

IP Displays the IP address of the authentication host.

Enter net time Displays the time when the authentication user is online.

Operation Click the icon to forcibly log out an administrator on the online user page.

10.1.7 Local account user

10.1.7.1 Local account authentication user

The local account authentication user function is mainly used to authenticate and manage local users.
To enter the local authentication user interface, you can choose Service > User authentication > Portal > Local
authentication user, as shown in Figure10-14.

Figure10-14 Local Account Authentication

Table10-12 describes the configuration items of the local account authentication.

Table10-12 Local account authentication

Item Description

Username Configure a user name for the local authentication user.

Password Configure a password for the local authentication user.

Repeat password Configure the confirm password for the local authentication user.

User account group Select user account group for the local authentication user.

Real name group Select real name group for the local authentication user.

Status Select the Normal status or Locked status for the local authentication user.

Description Configure the local authentication user description.

Operation Click the copy icon to copy an entry of the local authentication user. Click the delete icon to delete an entry of the local authentication user.

To configure a local authentication user:

• Configure a name for the local authentication user.
• Configure the password for the local authentication user.
• Configure the repeat password for the local authentication user.
• Select the user account group and select the real name user group.
• Configure the description for the local account user.
• Select Normal status or Locked status for the authentication user.
• Click the Ok button in the upper right corner of the webpage.

To import or export local authentication users in batch, you can:

• Click the Browse button and select a file from your local system.
• Click the Import button.

To query local authentication users in batch, you can:

• Enter the username or description you want to query.
• Click the Search button.

10.1.8 Blackname list

To enter the blackname interface, you can choose Service > User authentication > Portal > Local authentication
user, as shown in Figure10-15.

Figure10-15 Blackname list

10.1.9 Remote Synchronization

Remote synchronization allows you to synchronize the local user authentication information with a remote host that runs the Unified Management Center software.
To enter the remote synchronization interface, you can choose Service > User authentication > Portal > Remote
synchronization, as shown in Figure10-16.

Figure10-16 Remote synchronization

Table10-13 describes the configuration items of the local account authentication.

Table10-13 Local account authentication configuration items

Item Description

Username Display the user name of the

User account group Displays the user account group of the

Description Displays the description of the local user authentication

Select Allow you to select the local user authentication

To synchronize with the remote server, you can:

• Configure the IP address and port number of the UMC server, for example IP address 10.58.241.234 and port number 9502.
• Select a remote user that needs to be synchronized, and click the Ok button.
• If you want to search for a user, enter the username in the search bar and click the Search button.

Chapter 11 IDS Integration

11.1 Introduction

The firewall device provides an IDS cooperation function in order to cooperate with an IDS device. The IDS device inspects network traffic for attacks and, when it detects one, sends SNMP Trap information to the firewall device with blocking information, including the source IP address and destination IP address of the packets. When the IDS cooperation function is enabled, the firewall receives the SNMP Trap information and generates a blocked entry for the follow-up traffic.

11.2 IDS Integration

11.2.1 Display IDS cooperation log

To enter the display IDS cooperation log interface, you can choose Service > IDS integration > Display IDS
cooperation log, as shown in Figure11-1.

Figure11-1 Display IDS cooperation log

Table11-1 describes the configuration items of the display IDS integration log.

Table11-1 Display IDS integration log configuration items

Item Description

Serial number Displays the serial number of the IDS integration log.

Source IP Displays the source IP address of the attack event.

Destination IP Displays the destination IP address of the attack event.

Whether or not bidirectional Displays the direction of the attack event.

Valid time (Second) Displays the valid time of the IDS integration.

Time stamp Displays the time stamp of the attack event.

Operation
Click copy icon to copy an entry of the IDS integration log.

Click delete icon to delete an entry of the IDS integration log.
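
How a blocked entry built from the trap fields in Table11-1 applies to follow-up traffic, as an added Python example rather than the device's own logic. The SNMP decoding step is omitted; the class names, the expiry rule (time stamp plus valid time) and the sample addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class BlockEntry:
    """One row of the IDS cooperation log (fields follow Table11-1)."""
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    bidirectional: bool
    valid_seconds: int
    timestamp: float  # time the trap was accepted

    def expired(self, now: float) -> bool:
        # Assumption: an entry stops blocking once its valid time has elapsed.
        return now >= self.timestamp + self.valid_seconds

    def matches(self, src, dst) -> bool:
        if (src, dst) == (self.src, self.dst):
            return True
        # A bidirectional entry also covers the reverse direction.
        return self.bidirectional and (src, dst) == (self.dst, self.src)


class BlockTable:
    """Hypothetical model of the blocked entries generated from IDS traps."""

    def __init__(self):
        self.entries = {}

    def on_trap(self, src, dst, bidirectional, valid_seconds, now):
        """Turn already-decoded trap fields into an entry; reject bad input."""
        s = ipaddress.IPv4Address(src)  # raises ValueError on a malformed address
        d = ipaddress.IPv4Address(dst)
        if int(valid_seconds) <= 0:
            raise ValueError("valid time must be positive")
        entry = BlockEntry(s, d, bool(bidirectional), int(valid_seconds), now)
        self.entries[(s, d)] = entry  # a repeated trap refreshes the entry
        return entry

    def verdict(self, src, dst, now) -> str:
        """Return 'drop' or 'pass' for a follow-up packet seen at time now."""
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        # Purge expired entries so stale blocks do not linger.
        self.entries = {k: e for k, e in self.entries.items() if not e.expired(now)}
        return "drop" if any(e.matches(s, d) for e in self.entries.values()) else "pass"


if __name__ == "__main__":
    table = BlockTable()
    # Constructed sample values (documentation address ranges).
    table.on_trap("192.0.2.10", "198.51.100.20", False, 60, now=1000.0)
    print(table.verdict("192.0.2.10", "198.51.100.20", now=1010.0))
    print(table.verdict("198.51.100.20", "192.0.2.10", now=1010.0))
    print(table.verdict("192.0.2.10", "198.51.100.20", now=1060.0))
```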

Chapter 12 High Availability

12.1 VRRP

The high availability module provides the following features:

• VRRP
• Hot standby
• Interface synchronization group

To enter the VRRP interface, you can choose Service > High availability > VRRP, as shown in Figure12-1.

Figure12-1 High availability

12.1.1 Introduction to VRRP Group

During data communication, software and hardware errors may cause network disconnection and data transmission failure. To avoid such interruptions, DPtech FW provides Virtual Router Redundancy Protocol (VRRP) technology, which switches to a backup when a communication line or device fails, so that data communication continues smoothly and network robustness and availability are enhanced.
VRRP improves the availability of the connection between the local network and outside networks, and is suited to local area networks that support multicast and broadcast (such as Ethernet). Multiple devices form a backup group that provides an exit gateway for the local network, and they are all transparent inside the local network. If an FW device in the backup group fails, it is replaced by another device in the group, so that local hosts keep working without any modification, which greatly enhances network communication availability.

To enter the high availability interface, you can choose Service > High availability > VRRP, as shown in
Figure12-2.

12-253
DPtech FW1000 Series Firewall Products User Configuration Guide

Figure12-2 VRRP configuration

Table12-1 describes the configuration items of VRRP.

Table12-1 VRRP configuration items

Item Description

VRID Virtual router identification. A virtual router consists of a group of routers with the same VRID.

Virtual IP Virtual router IP address. A virtual router has one or several IP addresses.

Interface Configure the VRRP backup group interface, for example eth0_7.

Authentication mode Allows you to select an authentication method: None, simple text or MD5.
• None authentication: No authentication is performed for any VRRP packet, so there is no security guarantee.
• Simple text authentication: You can adopt the simple text authentication mode in a network facing possible security problems. A router sending a VRRP packet fills an authentication key into the packet, and the router receiving the packet compares its local authentication key with that of the received packet. If the two authentication keys are the same, the received VRRP packet is considered valid; otherwise, the received packet is considered invalid.
• MD5 authentication: You can adopt MD5 authentication in a network facing severe security problems. The router encrypts a VRRP packet to be sent using the authentication key and MD5 algorithm and saves the encrypted packet in the authentication header. The router receiving the packet uses the authentication key to decrypt the packet and checks the validity of the packet.

Advanced configuration 1. Configure elect parameter:
• Priority: VRRP determines the role (master or backup) of each router in a virtual router by priority.
• Hello interval: Configure the Hello packet time interval.
• Non-preemptive mode: a backup working in non-preemptive mode remains a backup as long as the master does not fail. The backup will not become the master even if it is configured with a higher priority.
• Preemptive mode: a backup working in preemptive mode compares the priority in the packet with its own when it receives a VRRP advertisement. If its priority is higher than that of the master, it preempts as the master; otherwise, it remains a backup.
2. Configure tracking interface:
3. Configure monitor IP:

Status Displays the relationship of master and server.

Operation Click the Add button or the delete button to add or delete an entry of the VRRP configuration.

To configure VRRP, you can take the following steps:

• Configure the backup group ID number; the range is from 0 to 255, for example 1.
• Configure the virtual IP address for the backup group, for example 2.2.2.1.
• Select the backup group interface, for example eth0_7.
• Select an authentication method: none, text or MD5.
• In the advanced configuration column, configure the master elect priority, the announcement packet sending interval, the master preempt mode and the master preempt delay, for example master elect priority: 20, announcement packet interval: 1s, master preempt mode: preempt, master preempt delay: 0s.
• After you finish the above steps, click the Confirm button in the upper right corner of the webpage.

Note:
The backup group ID number must be the same within the same backup group.

Click the delete icon to delete an entry of the VRRP configuration.

Click the copy icon to copy an entry of the VRRP configuration.
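
The authentication modes and the preemption rule in Table12-1 can be checked against captured advertisements. The Python below is an added example, not DPtech code: it assumes the device emits standard VRRPv2 advertisements in the RFC 2338 layout (Auth Type 0 is none, 1 is simple text), the function names and the key "vrrpkey" are hypothetical, and the sample packet is constructed from the guide's example values (VRID 1, virtual IP 2.2.2.1, priority 20, 1s interval).

```python
import struct


def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum used by VRRPv2."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advert(vrid, priority, vips, auth_type, key=b"", adver_int=1):
    """Build a constructed sample advertisement (test input, not a capture)."""
    addrs = b"".join(bytes(int(o) for o in ip.split(".")) for ip in vips)
    auth = key[:8].ljust(8, b"\x00") if auth_type == 1 else bytes(8)
    head = struct.pack("!BBBBBB", 0x21, vrid, priority, len(vips), auth_type, adver_int)
    csum = inet_checksum(head + b"\x00\x00" + addrs + auth)
    return head + struct.pack("!H", csum) + addrs + auth


def parse_advert(pkt: bytes) -> dict:
    """Validate a VRRPv2 advertisement and report what its auth mode exposes."""
    if len(pkt) < 16:
        raise ValueError("truncated advertisement")
    ver_type, vrid, prio, count, auth_type, adver_int = struct.unpack("!BBBBBB", pkt[:6])
    if ver_type != 0x21:  # version 2, type 1 (advertisement)
        raise ValueError("not a VRRPv2 advertisement")
    end = 8 + 4 * count
    if len(pkt) != end + 8:
        raise ValueError("length does not match address count")
    if inet_checksum(pkt) != 0:  # sum over the whole message must fold to zero
        raise ValueError("bad checksum")
    vips = [".".join(str(b) for b in pkt[i:i + 4]) for i in range(8, end, 4)]
    key = None
    if auth_type == 0:
        finding = "none: advertisements are accepted without any key check"
    elif auth_type == 1:
        # The 8-byte authentication data field holds the key itself.
        key = pkt[end:end + 8].rstrip(b"\x00").decode("ascii", "replace")
        finding = "simple text: key travels in cleartext in every advertisement"
    else:
        finding = f"auth type {auth_type}: no cleartext key field to audit"
    return {"vrid": vrid, "priority": prio, "virtual_ips": vips,
            "adver_int": adver_int, "auth_type": auth_type,
            "exposed_key": key, "finding": finding}


def backup_action(own_priority: int, master_priority: int, preempt: bool) -> str:
    """Decision of a backup on receiving the master's advertisement."""
    if preempt and own_priority > master_priority:
        return "preempt"
    return "stay backup"  # non-preemptive, or own priority not higher


if __name__ == "__main__":
    sample = build_advert(1, 20, ["2.2.2.1"], auth_type=1, key=b"vrrpkey")
    info = parse_advert(sample)
    print(info["finding"], "| key seen on the wire:", info["exposed_key"])
    print(backup_action(100, info["priority"], preempt=True))
    print(backup_action(100, info["priority"], preempt=False))
```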

12.1.2 Monitor IP address Object

To enter the monitor IP address object interface, you can choose Service > High availability > VRRP, as shown in
Figure12-3.

Figure12-3 Monitoring

Table12-2 describes the configuration items of the monitor IP address object.

Table12-2 Monitor IP address object configuration items

Item Description

Name Displays the monitor IP address object name.

Monitor IP Displays the monitor IP address.

Monitor interval(second) Displays the monitor interval.

Current status Displays the current status of the monitor IP address.

Operation Add or delete an entry of the monitor IP address object.

12.1.3 Monitoring

To enter the monitoring interface, you can choose Service > High availability > Monitoring, as shown in
Figure12-4.

Figure12-4 Monitoring

12.1.4 BFD Option

To protect key applications, a network is usually designed with redundant backup links. Devices need to quickly
detect communication failures and restore communication through backup links as soon as possible. On some links,
such as POS links, devices detect link failures by sending hardware detection signals. However, some other links,
such as Ethernet links, provide no hardware detection mechanism. In that case, devices can use the hello mechanism
of a protocol for failure detection, which has a failure detection rate of more than one second. Such a rate is too slow
for some applications. Some routing protocols, such as OSPF and IS-IS, provide a fast hello mechanism for failure
detection, but this mechanism has a failure detection rate of at least one second and is protocol-dependent.

To enter the BFD option interface, you can choose Service > High availability > VRRP > BFD option, as shown in Figure12-5.

Figure12-5 BFD option

12.2 Overflow

12.2.1 Overflow protect

To enter the overflow protect interface, you can choose Service > High availability > Overflow protect, as shown in Figure12-7.

Figure12-6 Overflow protect

12.3 Hot standby

12.3.1 Hot standby

The hot standby function is the basic software on which a high availability system is built. Any fault that results in system failure and service disconnection triggers a software process that identifies and isolates the failure and brings the disconnected services back online. During this process, the user experiences only a certain time delay, and services recover in the shortest time.

To enter the hot standby configuration interface, you can choose Service > High availability > Hot standby, as shown in Figure12-7.

Figure12-7 Hot standby

Table12-3 describes the details of the hot standby.

Table12-3 Details of the hot standby

Item Description

Hot standby configuration Hot standby configuration. There are four options for you to choose from, including disable hot standby, common hot standby, advanced hot standby, dissymmetrical hot standby and silence hot standby.

Configuration synchronous port Allows you to select a synchronous port.

Configuration of the synchronous IP Allows you to configure the synchronous IP address.

IP Type in the backup device interface IP address.

Port Type in the backup device port number.

Heartbeat interface Select the backup device interface.

Hot standby mode There are two kinds of hot standby mode:
• Double host
• Host standby

Double host status Back up

12.3.2 Handwork synchronization

To enter the handwork synchronization interface, you can choose Service > High availability > Handwork synchronization, as shown in Figure12-8.

Figure12-8 Handwork synchronization

12.3.3 Backup reboot

To enter the backup reboot interface, you can choose Service > High availability > Backup reboot, as shown in Figure12-9.

Figure12-9 Backup reboot

12.3.4 Interface synchronization group

To enter the interface synchronization group interface, you can choose Service > High availability > Interface synchronization group, as shown in Figure12-10.

Figure12-10 Interface synchronization group

Table12-4 describes the configuration items of the interface synchronization group.

Table12-4 Interface synchronization group

Item Description

Synchronization group name Configure a name for the synchronization group.

Port list Select a port for the synchronization group.

Synchronization group status Displays the synchronization group status.

Operation
Click copy icon to copy an entry of the interface synchronization group.

Click delete icon to delete an entry of the interface synchronization group.
