Configuration of the black-hole route on the USG2000 and USG5000

When the addresses in the NAT address pool and the interface address used to connect to the external network are in different network segments, you need to configure a black-hole route.

Other related questions:
Functions of the black-hole route on the USG2000 and USG5000
The black-hole route provides the following functions: prevent the route loop between the NGFW and the uplink routing device; enable the uplink routing device to learn routes destined for addresses in the address pool.
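The decision rule above (pool and uplink interface in different segments) and the loop-prevention function of the black-hole route, worked as an added Python helper that is not part of the original page: it checks whether a NAT pool range lies in the uplink interface's segment and, if not, emits one static route to NULL 0 per summarised pool prefix. The interface address, pool range and the `ip route-static <net> <mask> NULL 0` command form are assumptions, not taken from the page.

```python
from ipaddress import IPv4Address, IPv4Interface, summarize_address_range

# Constructed sample values (assumptions, not from the original page):
# the NGFW uplink interface address and the public NAT address pool.
UPLINK_INTERFACE = "203.0.113.2/30"
NAT_POOL_START = "198.51.100.16"
NAT_POOL_END = "198.51.100.31"


def blackhole_needed(interface: str, pool_start: str, pool_end: str) -> bool:
    """The page's rule: a black-hole route is required when the NAT pool and
    the interface address are not in the same network segment. A pool range
    is contiguous, so it lies in the segment iff both of its ends do."""
    seg = IPv4Interface(interface).network
    return not (IPv4Address(pool_start) in seg and IPv4Address(pool_end) in seg)


def blackhole_routes(interface: str, pool_start: str, pool_end: str) -> list[str]:
    """Generate one static route to NULL 0 per summarised pool prefix.

    Without these routes the NGFW has no route for the pool addresses, so a
    packet to an unused pool address (or one matching no NAT session) follows
    the default route back to the uplink router, which routes the pool to the
    NGFW again: the loop the page describes. A NULL 0 route drops such packets
    locally and gives the NGFW a prefix the uplink router can learn.
    The command form 'ip route-static <net> <mask> NULL 0' is an assumption
    about the USG CLI, not taken from the page.
    """
    if not blackhole_needed(interface, pool_start, pool_end):
        return []
    seg = IPv4Interface(interface).network
    routes = []
    for prefix in summarize_address_range(IPv4Address(pool_start),
                                          IPv4Address(pool_end)):
        # A pool prefix inside the connected segment is already covered by the
        # directly connected route; a more specific NULL 0 route would
        # black-hole reachable addresses, so only prefixes outside it get one.
        if prefix.subnet_of(seg):
            continue
        routes.append(
            f"ip route-static {prefix.network_address} {prefix.netmask} NULL 0")
    return routes


if __name__ == "__main__":
    for line in blackhole_routes(UPLINK_INTERFACE, NAT_POOL_START, NAT_POOL_END):
        print(line)
```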

Route types in the routing table on the USG2000 and USG5000 series
Route types in the routing table on the USG2000 and USG5000 series include: protocol and destination address/mask.

Functions of the routing table on the USG2000 and USG5000 series
When the network is disconnected, you can check whether a route to the specified destination exists in the routing table.

Configuring IPS for the USG2000 and USG5000
Configure IPS on the USG2000 or USG5000. The procedure is as follows:

1. Configure global IPS parameters.
system-view //Access the system view.
ips enable //Enable the IPS function.
ips mode { protective | warning } //Configure the IPS operating mode.

2. Configure the IPS signature: upgrade the predefined signature or configure a custom signature. The procedure for configuring a custom signature is as follows:
ips signature signature-id //Create a custom IPS signature and access the IPS signature view.
a. name name //Configure the name of the custom IPS signature.
b. protocol protocol-name [ [ severity { informational | notification | warning | error | critical } ] | [ direction { to-server | to-client | any } ] | [ source-ip { any | ip-address mask } ] | [ source-port { any | port-number | high | low } ] | [ destination-ip { any | ip-address mask } ] | [ destination-port { any | port-num | high | low } ] | [ offset { { packet | stream } offset-value | any } ] | [ max-stream-len { stream-len | any } ] ] * //Configure the protocol, severity, and direction of the custom IPS signature.
c. regex regex //Configure the description of behavioral characteristics of attacks.

3. Configure the IPS policy.
ips policy policy-name //Access the IPS policy view.
signature-set signature-set-name //Create a signature set and access the signature set view.
direction enable //Enable the function of filtering signatures in the signature set based on signature directions.
direction { { to-server | to-client | any } * | all } //Add signatures of the specified direction to the signature set.
severity enable //Enable the function of filtering signatures in the signature set based on signature severities.
severity { above | below } { informational | notification | warning | error | critical } //Add signatures of the specified severity to the signature set.
reliability enable //Enable the function of filtering signatures in the signature set based on signature reliability.
reliability { above | below } { low | medium | high } //Add signatures of the specified reliability to the signature set.
protocol enable //Enable the function of filtering signatures in the signature set based on protocols.
protocol { protocol-name &<1-10> | all } //Add signatures of the specified protocol to the signature set.
category enable //Enable the function of filtering signatures in the signature set based on categories.
category mode { or | and } //Configure the matching mode for categories in the signature set.
category { category-name &<1-10> | all } //Add signatures of the specified category to the signature set.
signature-set [ enable ] action { alert | block } //Configure the enabling status and response mode of the signature set.
signature-set move signature-set-name1 { before | after } signature-set-name2 //Modify the priority of the signature set.
ips policy policy-name //Create an IPS policy named policy-name.
override-signature signature-id enable action { block | alert } //Enable signature overriding and configure the response mode.

4. Apply the IPS policy.
policy zone zone-name //Access the intra-zone firewall policy view.
policy interzone zone-name1 vpn-instance vpn-instance-name zone-name2 { inbound | outbound } //Access the inter-zone firewall policy view.
policy policy-id //Create a firewall policy and access the policy ID view.
action permit //Configure the action of the firewall policy to permit.
policy ips ips-policy //Apply the IPS policy.

Differences between static and dynamic routes on the USG2000 and USG5000 series
Static routes are easy to configure, have low requirements on the system, and apply to simple, stable, and small networks. The disadvantage of static routes is that they cannot automatically adapt to network topology changes, so they require subsequent maintenance. Dynamic routing protocols have their own routing algorithms, so dynamic routes can automatically adapt to network topology changes and apply to networks on which Layer 3 devices are deployed. The configuration of dynamic routes is more complex, and dynamic routes have higher requirements on the system than static routes and consume network and system resources.
