Application of the Huawei Firewall USG5300

The USG5300 series is a new-generation multi-function firewall launched by Huawei Symantec. The USG5300 series delivers extensive advanced security functions such as the firewall, VPN, IPS, anti-virus, and URL filtering, and provides all-around security protection to safeguard the efficient running of the network system.

The USG5300 supports Virtual Private Networks (VPNs) to ensure secure access between the enterprise and its remote branches, personnel on business trip, or service partners. The IPS function can deeply sense and detect the data flows passing through the USG5300; once attacks are detected, the USG5300 can block the attacks in time, thus effectively defending against application-layer attacks. The AV function implement scanning the files transmitted through HTTP, SMTP, and POP3, and processing the files infected with viruses according the AV policy. The URL filtering function is used to manage online behaviors, audit and monitor terminal applications, and limit the applications that may increase internal security risks or affect normal services. The update function can supports the updates of the IPS signature database and virus database through both online and manual update, and this ensures that the USG5300 always has the latest IPS signature database and virus database, making the intrusion prevention and AV functions more effective.

The Application for Huawei Firewall USG5300

1 Application of Dual-System Hot Backup

The USG5300 provides the dual-system hot backup, so that the user data will not be disrupted due to the switchover between the active and standby Unified Security Gateways.

Figure 1 Dual-system hot backup of the USG5300

Two USG5300 devices in the headquarters (HQ) form a hot backup group. One of the USG5300 is used as the active device for security protection. The other is used as the standby device. The backup group provides the security guard such as ACL, ASPF, traffic monitoring and NAT.

Two USG5300 devices are interconnected with each other.

The LAN switch devices in the Intranet and the routers in the Extranet are connected with each USG5300 device to form the mesh connection.

2 IPSec VPNs

As the VPN gateway, the USG5300 supports tunneling technologies such as L2TP and GRE. It uses the tunneling technologies with the IPSec and firewall technologies to guarantee the QoS and security of network transmission. Figure 1 shows the details.

The access VPN provides SOHO and mobile office users with security channels to access the resources of the headquarters through public switched telephone network (PSTN)/integrated services digital network (ISDN).

The intranet VPN provides channels to access the headquarters for the regional offices and branch offices. The IPSec/IKE technology is used to ensure that data is securely transmitted over the Internet. This protects the data on the Internet from eavesdropping and tampering.

The extranet VPN provides channels to access the internal network of an enterprise for the partners and customers. Also, it protects the security of the internal network.

Figure 2 IPSec VPN implemented by the USG5300

3 IDC Security Protection

Two USG5300 are deployed at the egress of the IDC and the basic routing, firewall, IPS, AV, and URL filtering functions are enabled.

The IPS function can deeply sense and detect the data flows passing through the USG5300; once attacks are detected, the USG5300 can block the attacks in time, thus effectively defending against application-layer attacks.

The AV function implement scanning the files transmitted through HTTP, SMTP, and POP3, and processing the files infected with viruses according the AV policy.

The URL filtering function manages online behaviors, audits and monitors terminal applications, and limits the applications that may increase internal security risks or affect normal services.

The security service center on the Internet provides the USG5300 with the online update of the IPS signature database and virus database, and this ensures that the USG5300 always has the latest IPS signature database and virus database, making the intrusion prevention and AV functions more effective.

Huawei Firewall USG5300: Configuring System Parameters

This describes the configurations of system parameters, including the language mode, system name, system time, login prompt, and command level.

1 Changing the Language Mode

The USG5300 can provide the help information either in English or in Chinese. The language mode can be changed from English to Chinese or from Chinese to English.

Run the following command to change the language mode from Chinese to English:

language-mode English

Run the following command to change the language mode from English to Chinese:

language-mode Chinese

2 Defining the System Name

The system name of the USG5300 is displayed in the command prompt. Then, you can modify the name as required.

Run the following command to enter the system view:

system-view

Run the following command to define the system name:

sysname sysname

3 Configuring the System Time

An accurate system clock is needed to ensure interworking with other devices. The USG5300 supports the configuration of the time zone and the daylight saving time.

Run the following command to configure the Universal Time Coordinated (UTC) standard time:

clock datetime HH:MM:SS YYYY/MM/DD

Run the following command to configure the local time zone:

clock timezone zone-name { add | minus } offset

Run the following command to configure the daylight time:

clock summer-time zone-name { one-off | repeating } start-time start-date end-time end-date offset

4 Configuring the Prompt Information

Prompt information is the information that the system prompts when a user logs in to the USG5300, passes login authentication, and starts interactive configuration.

Run the following command to enter the system view:

system-view

Run the following command to configure the title prompt information during login authentication:

header login { file file-name | information information-text }

Run the following command to configure the title text when the interactive configuration is started:

header shell { file file-name | information information-text }

5 Configuring Command Levels

All commands are classified into the following four levels: Visit, Monitoring, Configuration and Management. The four levels are numbered from 0 to 3. The administrator can specify the level and the view where the command is located as required.

Run the following command to enter the system view:

system-view

Run the following command to configure the level of a command in a view:

command-privilege level level view view command

Each command is configured with a default view and a level. Generally, you do not need to reconfigure them.

6 Locking the Configuration Interface

To prohibit unauthorized users from operating the terminal when you leave the operation terminal temporarily, you can lock the configuration interface. When locking the configuration interface, you need to specify the password and confirm it. To unlock the interface, you must enter the correct password to operate the user interface.

Run the following command to lock the user interface:

lock

7 Displaying Status Information about the System

You can run the display commands in any view to collect system status information.

Run the following command to display the system version:

display version

Run the following command to display the system clock:

display clock

Run the following command to display terminal users:

display users [ all ]

Run the following command to display the starting and ending configuration information:

display saved-configuration

Run the following command to display the configuration information on the current view:

display this

Run the following command to display the configuration information on the current configuration information:

display current-configuration [ interface interface-type [ interface-number ] | configuration [ configuration-type ] ] [ | { begin | exclude | include } regular-expression ]

Run the following command to display debugging status:

display debugging [ interface { interface-type interface-number } ] [ module-name ]

Run the following command to display technical support information:

display diagnostic-information

Run the following command to view the Equipment Serial Number(ESN):

display firewall esn

The popular Huawei firewall USG5300, more information please click:

USG5310

USG5320

How to configure single arm routing for Huawei USG2130 firewall

Have you wondered with this: Partition VLAN on switch, and setting the single arm routing on the Huawei USG2130, while VLAN30 can access VLAN10, VLAN20; but VLAN10 and VLAN20 are unable to access the VLAN30. 

Cause analysis: because the USG2130 only has a three layer interface WAN port, supports the sub interface portand WAN port (E0/0/0), based on the current demand, we would be the port as the network interface. Through the creation of VLAN, one VLAN interface as the Internet interface. If theVLAN in the same region, to realize the VLAN access control is more complex. If the VLAN interface is divided into different areas, through the realization of inter domain packet filtermethod, which is simple and reliable.

How to configure single arm routing for Huawei USG2130 firewall

Process:

1 Enter sub interface, configure the IP address, and package the 802.1.

[USG2130]int e0/0/0.1

[USG2130-Ethernet0/0/0.1]description VLAN10

[USG2130-Ethernet0/0/0.1]ip address 192.168.1.1 24

[USG2130-Ethernet0/0/0.1]vlan-type dot1q 10

[USG2130][USG2130]int e0/0/0.2

[USG2130-Ethernet0/0/0.2]description VLAN20

[USG2130-Ethernet0/0/0.2]ip add 192.168.2.1 24

[USG2130-Ethernet0/0/0.2]vlan-type dot1q 20

[USG2130]int e0/0/0.3

[USG2130-Ethernet0/0/0.3]description VLAN30

[USG2130-Ethernet0/0/0.3]ip add 192.168.3.1 24

[USG2130-Ethernet0/0/0.3]vlan-type dot1q 30

2 Creating a VLAN Internet connection, and configuring the IP.

[USG2130]vlan 3                                  

[USG2130-vlan3]description WAN

[USG2130]int e1/0/0

[USG2130-Ethernet1/0/0]port access VLAN 3

[USG2130]int VLAN 3

[USG2130-Vlanif3]description TO-INTERNET

[USG2130-Vlanif3]ip add 100.100.100.1 30

3 Custom three regions, and devide the VLAN interface in the regions, make the Vlan 3 into the untrust region.

[USG2130]firewall zone name lan1 joined the regional

[USG2130-zone-lan1]set priority 60

[USG2130-zone-lan1]add interface e0/0/0.1

[USG2130]firewall zone name lan2

[USG2130-zone-lan2]set priority 65

[USG2130-zone-lan2]add interface e0/0/0.2

[USG2130]firewall zone name lan3

[USG2130-zone-lan3]set priority 70

[USG2130-zone-lan3]add interface e0/0/0.3

[USG2130]firewall zone untrust

[USG2130-zone-untrust]add interface vlan3

4 Creating for VLAN access control between the ACL, and applied to VLAN region.

[USG2130]acl 3001

[USG2130-acl-adv-3001]rule permit IP source 192.168.3.0 0.0.0.255

[USG2130]acl 3002

[USG2130-acl-adv-3002]rule deny IP source 192.168.1.0 0.0.0.255 destination 192.168.3.00.0.0.255

[USG2130-acl-adv-3002]rule deny IP source 192.168.2.0 0.0.0.255 destination 192.168.3.00.0.0.255

[USG2130-acl-adv-3002]rule permit IP

[USG2130]firewall interzone lan1 lan3

[USG2130-interzone-lan3-lan1]packet-filter 3001 outbound

[USG2130-interzone-lan3-lan1]packet-filter 3001 inbound

[USG2130]firewall interzone lan2 lan3

[USG2130-interzone-lan3-lan2]packet-filter 3001 outbound

[USG2130-interzone-lan3-lan2]packet-filter 3002 inbound

5 (Optional), change the interface region of Ethernet0/0/0

[USG2130-Vlanif3]fire zone untrust

[USG2130-zone-untrust]undo add interface e0/0/0

[USG2130-zone-untrust]firewall Zone Trust

[USG2130-zone-trust]add interface e0/0/0

6 Completed the NAT configuration

[USG2130-zone-trust]acl 2000

[USG2130-acl-basic-2000]rule permit source 192.168.0.0 0.0.0.3

[USG2130]firewall interzone trust untrust

[USG2130-interzone-trust-untrust]nat outbound 2000 interface VLAN 3

Summary: due to a network device is limited, in order to meet the special need to break the normal procedure setting and planning, and use of custom domain USG2130 the type of firewall between the packet filtering and VLAN function.

Huawei firewall included USG2220, USG2250, USG5310 more than 30% off on Huanetwork.com, competitive price.

USG5310 VS USG5320

Let's know them from their similarity:

1 They are all Huawei firewall, 4 Combo GE, 1 console port, 2 USB, 2 Extended Slots.

2 Comprehensive P2P and IM control

3 Unified Threat Management (anti-virus, anti-spam, IPS and URL filtering)

4 Powerful Intrusion Prevention System (IPS) and Anti-DDOS

5 Comprehensive VPN support (IPSec/SSL)

And the USG5300 series is a new-generation multi-function firewall launched by Huawei Symantec. The USG5300 series delivers extensive advanced security functions such as the firewall, VPN, IPS, anti-virus, and URL filtering, and provides all-around security protection to safeguard the efficient running of the network system.

What's the difference between them?

USG5310:

Maximum Firewall throughput: 1.5Gbps

Maximum VPN throughput: 1Gbps

Maximum number of virtual firewalls: 100

IPS Goodput (UDP): 600Mbps

Connections per second: 50000

USG5320:

Maximum Firewall throughput: 2Gbps

Maximum VPN throughput: 2Gbps

Maximum number of virtual firewalls: 10

IPS Goodput (UDP): 800Mbps

Connections per second: 60000

And let's compare them with the price:

According to Huanetwork.com, a world leading Huawei networking products distributor

USG5310 price : USD 4400

USG5320 price : USD 5900

Huawei USG5320 USD 5900 Competitive price on Huanetwork.com

The USG5300 series is a new-generation multi-function firewall launched by Huawei Symantec. The USG5300 series delivers extensive advanced security functions such as the firewall, VPN, IPS, anti-virus, and URL filtering, and provides all-around security protection to safeguard the efficient running of the network system.

Huawei USG5320 protects the user increasing trafffic, business system to protect the full range of users, it has DDoS attack prevention, load balancing and network redundancy, improve user service ability, strong maintenance management function, is the new experience of green environmental protection.

USG5320 price:

Huawei symantec USG5320 competitive price on Huanetwork.com, USD 5900. If you want to know more about the USG5320 specification and datasheet, please visit: http://www.huanetwork.com/huawei-usg5320-price_p2601.html

USG5320 overview:

Huawei firewall: USG5320, 4 Combo GE, 1 console port, 2 USB, 2 Extended Slots.

• Maximum Firewall throughput: 2Gbps

• Maximum VPN throughput: 2Gbps

• Maximum number of virtual firewalls: 100

• Comprehensive P2P and IM control

• Unified Threat Management (anti-virus, anti-spam, IPS and URL filtering)

• Powerful Intrusion Prevention System (IPS) and Anti-DDOS

• Comprehensive VPN support (IPSec/SSL)

• Dimensions: 436×560×44.2 mm

• Weight: 10kgs