Huawei Firewall Product Technology (43-page document)


Huawei E1000E-G12 G16 Series AI Firewall (Box-Type) Product Manual


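Huawei E1000E-G12/G16 Series AI Firewall (Box-Type)

1 Overview

As enterprise services continue to be digitalized and moved to cloud services, the network occupies an important position in enterprise operations. For various purposes, network attackers penetrate and attack networks through identity spoofing, websites planted with malicious code, malware and other means, disrupting normal use of the enterprise network.

Deploying firewalls at the network border is currently the main way to protect enterprise network security. However, firewalls can usually analyze and block threats only on the basis of signatures; this approach has no effective way of handling unknown threats and also degrades device performance.

This single-point, passive, in-event style of defense can no longer deal effectively with unknown-threat attacks, and it is even less able to identify threats hidden in encrypted traffic without compromising user privacy.

The Huawei E1000E-G12/G16 series AI firewall, in addition to providing NGFW capabilities, works in conjunction with other security devices to proactively defend against network threats, strengthen border detection, and effectively defend against advanced threats, while also resolving the performance degradation problem.

The NP engine provides fast forwarding, significantly improving firewall performance.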

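2 Product Highlights

• Speed: a self-developed service acceleration engine delivers extreme performance, raising complex-service processing efficiency to 2 times the industry level.
• Intelligence: based on intelligent technology, deeply integrates advanced threat detection, reducing Capex by 80%.
• Intelligence: uses intelligent technology to detect encrypted traffic without decryption.
• Convergence: a built-in "decoy" system reduces the spread of ransomware/APT.
• Convergence: trusted and controllable secure access for video terminals, with network-wide threat visibility.
• Convergence: cloud management simplifies device onboarding and O&M.

3 Software Features

Feature: Description

Integrated protection: Combines traditional firewall, VPN, intrusion prevention, antivirus, data leak prevention, bandwidth management, Anti-DDoS, URL filtering, anti-spam and other functions in one device, with a global configuration view and integrated policy management.

Application identification and control: Identifies 6000+ applications, with access control accurate down to application functions. Application identification is combined with intrusion detection, antivirus and content filtering to improve detection performance and accuracy.

Cloud management mode: The device initiates authentication and registration with the cloud management platform on its own, providing plug-and-play and simplifying network creation and deployment. Remote service configuration management and device monitoring and fault management enable cloud-based management of massive numbers of devices.

Cloud application security awareness: Provides fine-grained and differentiated control over enterprise cloud applications, meeting the enterprise's need to control how users use cloud applications.

Intrusion prevention and Web protection: Obtains the latest threat information at the earliest moment, and accurately detects and defends against attacks targeting vulnerabilities.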


Huawei Firewall Configuration and Usage Manual (self-written) [1]


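Huawei Firewall Configuration and Usage Manual (self-written)

[USGxxxx] interface GigabitEthernet 0/0/1
[USGxxxx-GigabitEthernet0/0/1] ip address 192.168.1.1 24
[USGxxxx-GigabitEthernet0/0/1] quit
[USGxxxx] save
The current configuration will be written to the device.
Are you sure to continue? [Y/N]:Y
Info: Please input the filename(*.cfg,*.zip)[vrpcfg.zip]:
(To leave the existing filename unchanged, press the enter key):
It will take several minutes to save configuration file, please wt......
Configuration file had been saved successfully
Note: The configuration file will take effect after being activated

Network > Interface > Physical Interface > Edit > Basic Information >

Huawei Firewall Configuration and Usage Manual

I. Overview

II. Features

Firewall function: Allows or denies packets entering and leaving the network according to user-defined security policies, providing network isolation and access control.

Intrusion prevention function: Uses a built-in or external intrusion prevention system (IPS) to analyze network traffic in depth, identifying and blocking known or unknown attack behavior such as port scanning, denial of service, Trojan horses and vulnerability exploitation.

Antivirus function: Uses a built-in or external antivirus engine to scan files and [...] in network traffic, detecting and removing malicious code such as viruses, worms and Trojan horses.

Content filtering function: Uses a built-in or external content filtering engine to filter application-layer content in network traffic such as web pages, [...] and instant messaging, blocking the transmission of undesirable or non-compliant information such as pornography, violence and gambling.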

Huawei Eudemon1000E-G Series AI Firewall (Box-Type) Product Datasheet


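Huawei Eudemon1000E-G Series AI Firewall (Box-Type)

As carrier services continue to be digitalized and moved to cloud services, the network occupies an important position in carrier operations. For various purposes, network attackers penetrate and attack networks through identity spoofing, websites planted with malicious code, malware and other means, disrupting normal use of the carrier network.

Deploying firewalls at the network border is currently the main way to protect carrier network security. However, firewalls can usually analyze and block threats only on the basis of signatures; this approach has no effective way of handling unknown threats and also degrades device performance.

This single-point, passive, in-event style of defense can no longer deal effectively with unknown-threat attacks, and it is even less able to identify threats hidden in encrypted traffic without compromising user privacy.

The Huawei Eudemon1000E-G series AI firewall, in addition to providing NGFW capabilities, works in conjunction with other security devices to proactively defend against network threats, strengthen border detection, and effectively defend against advanced threats, while also resolving the performance degradation problem.

The NP provides fast forwarding, significantly improving firewall performance.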

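Product images: Huawei Eudemon1000E-G15/Eudemon 1000E-G25 AI firewall; Huawei Eudemon1000E-G35/Eudemon 1000E-G55 AI firewall

Outstanding performance

The Eudemon1000E-G series AI firewall has three built-in coprocessing engines for forwarding, encryption and pattern matching, effectively improving small-packet forwarding performance, IPS and AV service performance, and IPSec service performance by 2 times.

A built-in AI chip provides 8 TOPS of 16-bit floating-point computing power, effectively supporting the acceleration of advanced threat defense models.

Intelligent defense

The Eudemon1000E-G series AI firewall has three built-in threat defense engines: NGE, CDE and AIE.

NGE, the NGFW detection engine, provides content security functions such as IPS, antivirus and URL filtering, effectively protecting intranet servers and users from threats.

CDE (Content-based Detection Engine) provides in-depth data analysis, exposes the details of threats, quickly detects malicious files, and effectively raises the threat detection rate.

Product highlights: C&C, encrypted-traffic and brute-force cracking detection …

AIE, the APT threat detection engine, detects brute-force cracking, abnormal C&C traffic, DGA malicious domain names and encrypted threat traffic. It effectively addresses problems such as rapidly changing threats, frequent variants, the slow response of detection based on traditional signature database upgrades, and the difficulty of detecting encrypted attacks. It builds "inclusive" AI, helping customers achieve a more comprehensive network risk assessment, respond effectively to network threats along the attack chain, and truly make attack defense "intelligent".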

Huawei USG6370 6380 6390 Next-Generation Firewall Product Datasheet


Huawei USG6370/6380/6390 next-generation firewalls provide high-performance security protection for medium-sized businesses and branch offices with 800 to 1500 users. The firewalls provide VPN, intrusion prevention, and antivirus functions, and can ensure high performance even when multiple security functions are enabled. With comprehensive application control and advanced threat prevention, the firewalls provide cost-effective and all-around security protection for users.

Highlights

Comprehensive and integrated protection
• Multiple security functions, including firewall, VPN, intrusion prevention, and online behavior management, for complete versatility.
• Accurately identify more than 6000 applications to deliver fine-grained access control and improve the quality of key services.
• Detection and prevention of unknown threats, such as zero-day attacks, using sandboxing and the reputation system*.

Simple security management
• Predefined common-scenario defense templates to facilitate security policy deployment.
• Automatically generate policy-tuning suggestions based on risks in network traffic and applications in accordance with the least privilege principle.
• Intelligent detection of redundant and invalid policies.

Third-party proven security capability
• Obtained Firewall, IPS, IPsec, and SSL VPN certifications from the ICSA Labs.
• Obtained the highest-level CC certificate (EAL4+), ranking among the highest security levels in the world.

HUAWEI USG6370/6380/6390 Next-Generation Firewalls: Comprehensive Protection for Medium-Sized Businesses

Intelligent link selection for Internet access
• Select the optimal egress based on services, applications, bandwidth, ISPs, and link priorities to fully utilize link resources, improve Internet access experience, and reduce bandwidth settlement fees.
• Detect link and tunnel quality in real time and intelligently adjust traffic distribution based on detection results to improve service quality and stability.
• Create a predefined ISP address library, from which the optimal Internet access link is selected to ensure a quality Internet access experience.

Deployment

Intranet Control and Security Isolation for medium-sized businesses
• Firewalls are deployed on the Internet egress and between enterprise departments to protect medium-sized businesses. The firewalls use firewall policy control, data filtering, and audit functions to monitor social network applications, prevent data leaks, and protect the enterprise network.
• Intrusion prevention is enabled on the firewall deployed on the Internet egress for real-time application-layer threat prevention.
• The firewall provides refined bandwidth management based on applications and website categories to prioritize bandwidth for mission-critical services.
• The firewall manages online user behavior based on URL categories and applications to block access to infected websites and websites irrelevant to work.

Hardware

USG6370/6380/6390 Interfaces
1. 2 x USB Ports
2. Console Port
3. 1 x GE (RJ45) Management Port
4. 8 x GE (RJ45) Ports
5. 4 x GE (SFP) Ports

Table 1. Wide Service Interface Cards (WSICs) for USG6300 Series

Software Features
1: If no hard disk is inserted, you can view and export system and service logs. By inserting a hard disk, you can also view, export, customize, and subscribe to reports.
Functions marked with * are supported only in USG V500R001 and later versions.

Specifications*

System Performance and Capacity
1. Performance is tested under ideal conditions based on RFC 2544 and RFC 3511. The actual result may vary with deployment environments.
2. Antivirus, IPS, and SA performances are measured using 100 KB of HTTP files.
3. Throughput is measured with the Enterprise Traffic Model.
4. SSL inspection throughput is measured with IPS-enabled and HTTPS traffic using TLS v1.2 with AES256-SHA.
5. SSL VPN throughput is measured using TLS v1.2 with AES128-SHA.
6. USG6000 V100R001 supports only the RESTCONF interface and cannot interwork with sandbox or third-party tools.
* SA indicates Service Awareness.
* This content is applicable only to regions outside mainland China. Huawei reserves the right to interpret this content.

Hardware Specifications
* WSIC is not hot-swappable.

Certifications
Regulatory, Safety, and EMC Compliance
Ordering Guide

About This Publication
This publication is for reference only and does not constitute any commitments or guarantees. All trademarks, pictures, logos, and brands mentioned in this document are the property of Huawei Technologies Co., Ltd. or a third party.
For more information, visit /en/products/enterprise-networking/security.
Copyright©2018 Huawei Technologies Co., Ltd. All rights reserved.

Huawei Firewall Lab Document


Part 1: Basic Initialization of Huawei Firewalls

LAB1: Subinterface initialization

I. Lab topology

II. Basic configuration

SW:
[SW]vlan 2
[SW-vlan2]description Untrust
[SW-vlan2]vlan 3
[SW-vlan3]description Trust
[SW-vlan3]vlan 4
[SW-vlan4]description DMZ
[SW]int g0/0/8
[SW-GigabitEthernet0/0/8]port link-type access
[SW-GigabitEthernet0/0/8]port default vlan 3
[SW-GigabitEthernet0/0/8]int g0/0/3
[SW-GigabitEthernet0/0/3]port link-type access
[SW-GigabitEthernet0/0/3]port default vlan 3
[SW]int g0/0/9
[SW-GigabitEthernet0/0/9]port link-type trunk
[SW-GigabitEthernet0/0/9]port trunk allow-pass vlan 1 2 4
[SW]int g0/0/1
[SW-GigabitEthernet0/0/1]port link-type access
[SW-GigabitEthernet0/0/1]port default vlan 2
[SW-GigabitEthernet0/0/1]int g0/0/2
[SW-GigabitEthernet0/0/2]port link-type access
[SW-GigabitEthernet0/0/2]port default vlan 4

III. Firewall configuration

system-view
Enter system view, return user view with Ctrl+Z.
[SRG]
[SRG]sysname HWFW
[HWFW]int g0/0/0
[HWFW-GigabitEthernet0/0/0]alias Trust === configure the interface description
[HWFW-GigabitEthernet0/0/0]ip add 192.168.1.10 24
[HWFW]int g0/0/1.2
[HWFW-GigabitEthernet0/0/1.2]vlan-type dot1q 2 ==== VLAN encapsulation
[HWFW-GigabitEthernet0/0/1.2]alias Untrust
[HWFW-GigabitEthernet0/0/1.2]ip add 202.100.1.10 24
[HWFW-GigabitEthernet0/0/1.2]interface GigabitEthernet0/0/1.4
[HWFW-GigabitEthernet0/0/1.4]alias DMZ
[HWFW-GigabitEthernet0/0/1.4]vlan-type dot1q 4
[HWFW-GigabitEthernet0/0/1.4]ip add 172.16.1.10 24

Test:
[HWFW]ping -c 2 192.168.1.1
19:26:33 2014/05/26
PING 192.168.1.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=255 time=80 ms
Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=255 time=580 ms
[HWFW]ping -c 2 202.100.1.1
19:26:55 2014/05/26
PING 202.100.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
[HWFW]ping -c 2 172.16.1.1
19:27:14 2014/05/26
PING 172.16.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out

Why can the directly connected peers not be reached? Because by default traffic between different zones is not permitted. This can be checked with the following command:

[HWFW]display current-configuration
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0

For testing, the firewall's other two interfaces can be placed in the same zone:

[HWFW] firewall zone trust
[HWFW-zone-trust]add interface g0/0/1.2
[HWFW-zone-trust]add interface GigabitEthernet0/0/1.4
[HWFW]ping -c 2 202.100.1.1
19:32:39 2014/05/26
PING 202.100.1.1: 56 data bytes, press CTRL_C to break
Reply from 202.100.1.1: bytes=56 Sequence=1 ttl=255 time=70 ms
Reply from 202.100.1.1: bytes=56 Sequence=2 ttl=255 time=700 ms
--- 202.100.1.1 ping statistics ---
2 packet(s) transmitted
2 packet(s) received
0.00% packet loss
round-trip min/avg/max = 70/385/700 ms
[HWFW]ping -c 2 172.16.1.1
19:32:45 2014/05/26
PING 172.16.1.1: 56 data bytes, press CTRL_C to break
Reply from 172.16.1.1: bytes=56 Sequence=1 ttl=255 time=70 ms
Reply from 172.16.1.1: bytes=56 Sequence=2 ttl=255 time=560 ms
--- 172.16.1.1 ping statistics ---
2 packet(s) transmitted
2 packet(s) received
0.00% packet loss
round-trip min/avg/max = 70/315/560 ms

save === save the configuration
19:37:09 2014/05/26
The current configuration will be written to the device.
Are you sure to continue?[Y/N]y
2014-05-26 19:37:11 HWFW CFM/4/SAVE(l): When deciding whether to save configuration to the device, the user chose Y.
Do you want to synchronically save the configuration to the startup saved-configuration file on peer device?[Y/N]:y
Now saving the current configuration to the device..
Info:The current configuration was saved to the device successfully.

reset saved-configuration ?
reset saved-configuration ==== clear the configuration
19:37:26 2014/05/26
The action will delete the saved configuration in the device.
The configuration will be erased to reconfigure.
Are you sure?[Y/N]y
Now clearing the configuration in the device.
2014-05-26 19:37:28 HWFW CFM/4/RST_CFG(l): When deciding whether to reset the saved configuration, the user chose Y.
Error:The config file does not exist!

LAB2: Three-interface initialization

I. Basic configuration

[SW]vlan batch 2 to 4
port link-type access
port default vlan 2
interface GigabitEthernet0/0/8
port link-type access
port default vlan 2
interface GigabitEthernet0/0/3
port link-type access
port default vlan 3
interface GigabitEthernet0/0/10
port link-type access
port default vlan 3
interface GigabitEthernet0/0/2
port link-type access
port default vlan 4
interface GigabitEthernet0/0/9
port link-type access
port default vlan 4

II. Firewall configuration

[HWFW]undo interface g0/0/1.2 === delete the subinterface
[HWFW]undo interface g0/0/1.4
ip address 202.100.1.10 255.255.255.0
interface GigabitEthernet0/0/1
ip address 172.16.1.10 255.255.255.0
interface GigabitEthernet0/0/2
ip address 192.168.1.10 255.255.255.0

Test:
[HWFW]ping -c 1 202.100.1.1
20:01:23 2014/05/26
PING 202.100.1.1: 56 data bytes, press CTRL_C to break
Reply from 202.100.1.1: bytes=56 Sequence=1 ttl=255 time=950 ms
[HWFW]ping -c 1 172.16.1.1
20:01:59 2014/05/26
PING 172.16.1.1: 56 data bytes, press CTRL_C to break
Reply from 172.16.1.1: bytes=56 Sequence=1 ttl=255 time=180 ms
[HWFW]ping -c 1 192.168.1.1
20:02:27 2014/05/26
PING 192.168.1.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=255 time=780 ms

Security zone overview: A security zone (Security Zone), or simply a zone (Zone), is a security concept; most security policies are enforced on the basis of security zones.

Huawei Eudemon1000E-X Series Firewall Product Datasheet


HUAWEI TECHNOLOGIES CO., LTD.

Burgeoning services such as high-speed Internet access, video, and media stream lead to the rocketing of network traffic and ever-increasing service requirements of large organizations, intranets, and data centers in the 10-Gigabit epoch. New applications emerge and occupy the fixed ports of traditional services, making traditional port-dependent firewalls inadequate to cope with such applications. For the sake of illegal profits, hacker attacks and malware are spreading at will. Under this background, false positives and false negatives are frequently seen in traditional traffic-based attacks. IT administrators find it difficult to deal with so many problems; therefore, large organizations, intranets, and data centers have to be confronted with such predicaments:
• How to select a cost-effective product to deal with ever-increasing service requirements at present and in the future?
• How to block abuse and provide sufficient bandwidths for mission-critical applications in the case of so many new applications?
• How to deal with flooding worms, effectively protecting intranets and securing office environments?

With in-depth understanding of service and customer requirements, Huawei launches its Eudemon1000E-X series. This series employs the new 10-Gigabit multi-core hardware platform and constructs a more high-speed network with no delay for processing mass services. By integrating advanced Symantec intrusion prevention and anti-virus technologies, it delivers content security protection and builds a secure network; with Huawei industry-leading deep packet inspection (DPI) technology, it manages thousands of application programs subtly and provides an effective network. All in all, the Eudemon1000E-X series brings "continuous, cost-effective, and secure" network experience for large organizations, intranets, and data centers.

Eudemon1000E-X3, Eudemon1000E-X5, Eudemon1000E-X6

Highlights

10-Gigabit Multi-Core Hardware Platform
■ Prominent performance, realizing mass service processing
• Provides 15G firewall throughput, 200,000 new connections per second, 4,000,000 concurrent connections, and 15,000 concurrent VPN tunnels.
• Supports high-capacity NAT.
■ High-density 10G interfaces, suiting different application scenarios
• Delivers 64 Gigabit+14 x 10-Gigabit high-density interfaces.
■ Super-long mean time between failures (MTBF), safeguarding service continuity
• Supplies redundant key components and mature link conversion.
• Provides built-in bypass cards for both optical and electrical links.
• Relies on a stable software platform for over 10 years' commercial use, and more than 100,000 devices concurrently online in the world.

Refined Management over Thousands of Application Programs, Building an Efficient Network
■ Wide application identification, providing visibility into the applications running on your network
• Possesses 150 application identification experts, and over 850 identifiable categories.
■ Massive Web site categories, constructing a green Internet access environment
• Equips with 65 million Web sites and over 130 content categories, blocking Trojan horse-embedded and phishing Web sites, isolating pornographic and gambling Web sites, and preventing employees against maloperations.
■ Refined application management, creating an efficient working network
• Offers multi-dimensional control measures specific to time, application, user, bandwidth, and connection number, effectively providing bandwidths for mission-critical applications, improving bandwidth usage and working efficiency, and making P2P/IM//Web sites at your mercy.

Professional Content Security Defense, Providing a Secure Network
■ Industry-leading anti-virus engine with 99% high identification accuracy
• Bases on Symantec accumulative anti-virus technologies, adopts the anti-virus engine with file-level content scanning, combines the globally leading emulation environment and virtual execution technology, provides a 99% identification ratio, and gains good reputation from the international assessment organization.
■ Dedicated vulnerability patching, making transformation illuminated
• Maintains and updates the huge signature database by the traditional attack code-based defense mode due to the transformation of attack types, which imposes overload on the IPS engine and leads to low detection performance and high false negative and false positive ratios. The Eudemon1000E-X is backed by advanced Symantec vulnerability defense technology and delivers virtual patches for vulnerabilities (not attack code), disabling various attacks from transforming.
■ Real-time update by a professional team, realizing zero-day attack defense
• Supplies the honeynet system deployed globally together with a professional team of over 300 experts to keep tracking the latest, hottest, and most dangerous system and software vulnerabilities, and to defend against zero-day attacks quickly.

One-Key Configuration, Freeing You from Complicated Policy Optimization
■ GUI, a farewell to CLI
• Delivers the Web page-based configuration and management, visualized and simple.
■ Professional configuration wizard, simplifying policy configuration
• Provides a professional configuration wizard for each independent service.
■ One-key enabling of IPS and anti-virus, reducing maintenance workload
• Builds the IPS/anti-virus rule base, with a 99% detection ratio, which can be directly enabled without commissioning. Therefore, administrators are freed from time-consuming, strenuous, and complicated policy optimization, and quick deployment comes true, that is, plug and play.

Application Scenarios

Network Isolation and VPN Interconnection
■ Customer challenges
• Because user networks reside in different network areas, problems such as unclear borders, improper access control management, and disordered mutual access may occur. When branches and mobile employees communicate with the headquarters, data may be intercepted or tampered.
■ Solution strengths
• Delivers 15G processing performance, avoiding the bottleneck of border deployment.
• Divides security zones on demand, clearly planning network borders.
• Provides the flexible packet filtering policies, accurately controlling mutual access.
• Comes with 15,000 concurrent VPN tunnels, 7G VPN encryption and decryption capabilities, ensuring mass secure interconnection and securing data communication.

External Threat Prevention
■ Customer challenges
• Coming along with the abundant Internet resources are threats such as DDoS attacks, malicious intrusions, and viruses.
■ Solution strengths
• Supplies 200,000 new connections per second and 4,000,000 concurrent connections, easily coping with millions of DDoS attack packets per second.
• Empowered by advanced IPS and anti-virus technologies of Symantec as well as vulnerability-based and abundant signature database, ensuring near-zero false positives and negatives, and a detection ratio of higher than 99%; provides powerful security defense against diversified security threats.

Online Behavior Management
■ Customer challenges
• Non-work-related Internet surfing, P2P download, online games, and stock transaction waste bandwidths for business, reduce productivity, and increase the risks of potential malicious code and hacker attacks.
■ Solution strengths
• Provides over 850 identifiable application categories, providing visibility into the applications running on your network.
• Equips with 65 million Web sites, blocking Trojan horse-embedded and phishing Web sites, isolating pornographic and gambling Web sites, and preventing employees against maloperations.
• Offers multi-dimensional control measures specific to the time, application, user, and bandwidth, effectively providing bandwidths for mission-critical applications, improving working efficiency, and making P2P/IM//Web sites at your mercy.

Product Specifications

Copyright © Huawei Technologies Co., Ltd. 2011. All rights reserved.

General Disclaimer
The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.

HUAWEI TECHNOLOGIES CO., LTD.
Huawei Industrial Base
Bantian Longgang
Shenzhen 518129, P.R. China
Tel: +86-755-28780808
Version No.: M3-110019999-20110805-C-1.0

Huawei USG2100 Firewall Configuration Document - Configuring Authentication and Authorization


Document version 01 (2009-12-25)
Huawei Proprietary and Confidential
Secoway USG2100 Configuration Guide, Security Defense Volume

List of figures
Figure 4-1 AAA and RADIUS example networking diagram
Figure 4-2 Example networking diagram for authenticating Telnet users

4 Configuring Authentication and Authorization

About this chapter
The content of this chapter is shown in the following table.
Title: Content
4.1 Introduction: Introduces the authentication and authorization functions, the RADIUS protocol, and the HWTACACS protocol.
4.2 Configuring authentication and authorization
4.3 Maintenance
4.4 Configuration examples

List of tables
Table 4-1 HWTACACS protocol and RADIUS protocol