Configuring IPS for the USG2000 and USG5000


Configure IPS on the USG2000 or USG5000.
The procedure is as follows:
1. Configure global IPS parameters.
system-view //Access the system view.
ips enable //Enable the IPS function.
ips mode { protective | warning } //Configure the IPS operating mode.
2. Configure the IPS signature: upgrade the predefined signatures, or configure a custom signature. The procedure for configuring a custom signature is as follows:
ips signature signature-id //Create a custom IPS signature and access the IPS signature view.
a. name name //Configure the name of the custom IPS signature.
b. protocol protocol-name [ [ severity { informational | notification | warning | error | critical } ] | [ direction { to-server | to-client | any } ] | [ source-ip { any | ip-address mask } ] | [ source-port { any | port-number | high | low } ] | [ destination-ip { any | ip-address mask } ] | [ destination-port { any | port-num | high | low } ] | [ offset { { packet | stream } offset-value | any } ] | [ max-stream-len { stream-len | any } ] ] * //Configure the protocol, severity, direction, addresses, ports, and offset of the custom IPS signature.
c. regex regex //Configure the regular expression that describes the behavioral characteristics of the attack.
3. Configure the IPS policy.
ips policy policy-name //Create an IPS policy named policy-name and access the IPS policy view.
signature-set signature-set-name //Create a signature set and access the signature set view.
direction enable //Enable the function of filtering signatures in the signature set based on signature directions.
direction { { to-server | to-client | any } * | all } //Add signatures of the specified direction to the signature set.
severity enable //Enable the function of filtering signatures in the signature set based on signature severities.
severity { above | below } { informational | notification | warning | error | critical } //Add signatures of the specified severity to the signature set.
reliability enable //Enable the function of filtering signatures in the signature set based on signature reliability.
reliability { above | below } { low | medium | high } //Add signatures of the specified reliability to the signature set.
protocol enable //Enable the function of filtering signatures in the signature set based on protocols.
protocol { protocol-name &<1-10> | all } //Add signatures of the specified protocol to the signature set.
category enable //Enable the function of filtering signatures in the signature set based on categories.
category mode { or | and } //Configure the matching mode for categories in the signature set.
category { category-name &<1-10> | all } //Add signatures of the specified category to the signature set.
signature-set [ enable ] action { alert | block } //Configure the enabling status and response mode of the signature set.
signature-set move signature-set-name1 { before | after } signature-set-name2 //Modify the priority of the signature set.
ips policy policy-name //Access the IPS policy view again to override the response for individual signatures.
override-signature signature-id enable action { block | alert } //Enable signature overriding and configure the response mode for the specified signature.
4. Apply the IPS policy.
policy zone zone-name //Access the intra-zone firewall policy view.
policy interzone zone-name1 vpn-instance vpn-instance-name zone-name2 { inbound | outbound } //Access the inter-zone firewall policy view.
policy policy-id //Create a firewall policy and access the policy ID view.
action permit //Configure the action of the firewall policy to permit.
policy ips ips-policy //Apply the IPS policy.
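To make the filter and priority semantics of step 3 concrete, here is a small Python model written for this page (it is not Huawei code). It assumes that above/below bounds are inclusive, that the first enabled signature set in priority order decides the action, and that an override-signature entry wins over every set; Signature and SignatureSet are illustrative names.

```python
"""Model of IPS signature-set filtering and policy resolution (added illustration,
not Huawei code). Assumed: 'above'/'below' bounds are inclusive; the first enabled
set that selects a signature wins (priority order from signature-set move);
override-signature entries take precedence over every set."""
from collections import namedtuple
from dataclasses import dataclass

SEVERITY = ["informational", "notification", "warning", "error", "critical"]
RELIABILITY = ["low", "medium", "high"]
Signature = namedtuple("Signature", "sig_id protocol direction severity reliability categories")

def in_range(scale, cond, value):
    """cond is None (filter not enabled) or ('above' | 'below', bound)."""
    if cond is None:
        return True
    op, bound = cond
    v, b = scale.index(value), scale.index(bound)
    return v >= b if op == "above" else v <= b

@dataclass
class SignatureSet:
    action: str                   # alert | block
    enabled: bool = True          # signature-set [ enable ]
    directions: frozenset = None  # None = that filter is not enabled
    severity: tuple = None        # e.g. ("above", "warning")
    reliability: tuple = None
    protocols: frozenset = None
    categories: frozenset = None
    category_mode: str = "or"     # category mode { or | and }

    def selects(self, s):
        if self.directions is not None and s.direction not in self.directions:
            return False
        if self.protocols is not None and s.protocol not in self.protocols:
            return False
        if self.categories is not None:
            hit = s.categories & self.categories
            if not hit or (self.category_mode == "and" and hit != self.categories):
                return False
        return (in_range(SEVERITY, self.severity, s.severity)
                and in_range(RELIABILITY, self.reliability, s.reliability))

def action_for(sets, overrides, s):
    """IPS response for signature s: override first, then highest-priority set."""
    if s.sig_id in overrides:
        return overrides[s.sig_id]
    for ss in sets:
        if ss.enabled and ss.selects(s):
            return ss.action
    return None  # no set covers it: no IPS response
```

A signature that no enabled set selects gets no IPS response at all, which is the case to check when a policy seems to ignore an attack the signature library does know about.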

Other related questions:
What is the purpose of configuring IP-Link on the USG2000 and USG5000 series equipment?
IP-Link is mainly used to detect automatically whether a link is working. It can detect the state of links that are not directly connected to the firewall, to ensure service continuity.

Configuring bandwidth limitation for the USG2000 or USG5000
Configure bandwidth limitation for the USG. Bandwidth limitation can be achieved through traffic policing, traffic shaping, and interface rate limiting. Configure traffic policing, traffic shaping, and interface rate limiting to implement traffic control.
1. Configuration procedure:
Configure traffic shaping (QoS GTS).
Configure traffic policing (QoS CAR).
Configure the interface bandwidth (QoS LR).
2. Configuration example:
USG_A and USG_B are interconnected through their GE interface 0/0/1 and GE interface 0/0/2. The server and PC1 can access the Internet through either USG_A or USG_B. The server and PC1 are on the same network segment as GE interface 0/0/3 of USG_A.
Apply the following traffic control policies for packets received by GE interface 0/0/2 of USG_B from the server and PC1:
Limit the rate of packets sent from the server to 54,000 kbit/s.
Limit the rate of packets sent from PC1 to 8000 kbit/s, and the rate of burst traffic to 15,000 kbit/s.
Apply the following traffic control policies for packets received and sent by GE interface 0/0/2 and GE interface 0/0/1 of USG_B:
Limit the rate of packets received by GE interface 0/0/2 of USG_B to 500,000 kbit/s.
Limit the rate to 1000 kbit/s for packets forwarded by GE interface 0/0/1 of USG_B to the Internet.
Network topology:
(Internal server and PC1)---(4)USG_A(1)---(2)USG_B(3)---Internet
Server: 1.1.1.1/8
PC1: 1.1.1.2/8
(1) 172.16.1.2
(2) 172.16.1.1
(3) 172.17.1.1/24
(4) 1.1.1.10/8
3. Configuration roadmap:
Configure traffic policing, traffic shaping, and interface rate limiting as follows:
1. Configure traffic shaping on the outbound interface GE interface 0/0/1 of USG_A to ensure compliance with the traffic rate on GE interface 0/0/2 of USG_B.
2. Configure traffic policing on GE interface 0/0/2 of USG_B to limit the packets sent from the server and PC1.
3. Configure interface rate limiting for GE interface 0/0/1 of USG_B to limit the packets destined for the Internet.
4. Procedure:
a. For the USG series, add interfaces to security zones and configure inter-zone packet filtering to ensure normal network communication. The configuration procedure is not described here. For the USG BSR and HSR series, you do not need to add interfaces to security zones or configure packet filtering.
b. Configure IP addresses for interfaces. Configure routes to ensure normal network communication. The configuration procedure is not described here.
c. Configure traffic shaping on GE interface 0/0/1 of USG_A. Traffic shaping is performed for sent packets that exceed the rate of 500,000 kbit/s, to reduce the packet loss rate on GE interface 0/0/2 of USG_B.
system-view
[USG_A] interface GigabitEthernet 0/0/1
[USG_A-GigabitEthernet0/0/1] qos gts any cir 500000 //Traffic shaping
[USG_A-GigabitEthernet0/0/1] quit
d. Configure traffic policing on GE interface 0/0/2 of USG_B.
system-view
[USG_B] acl number 2001
[USG_B-acl-basic-2001] rule permit source 1.1.1.1 0.0.0.0
[USG_B-acl-basic-2001] quit
[USG_B] acl number 2002
[USG_B-acl-basic-2002] rule permit source 1.1.1.2 0.0.0.0
[USG_B-acl-basic-2002] quit
[USG_B] interface GigabitEthernet 0/0/2 //Traffic policing
[USG_B-GigabitEthernet0/0/2] qos car inbound acl 2001 cir 54000 cbs 54000 green pass red discard
[USG_B-GigabitEthernet0/0/2] qos car inbound acl 2002 cir 8000 cbs 15000 green pass red discard
[USG_B-GigabitEthernet0/0/2] quit
e. Configure interface rate limiting on GE interface 0/0/1 of USG_B to ensure that the rate at which GE interface 0/0/1 sends packets does not exceed 1000 kbit/s.
[USG_B] interface GigabitEthernet 0/0/1 //Interface rate limiting
[USG_B-GigabitEthernet0/0/1] qos lr cir 1000 cbs 500
[USG_B-GigabitEthernet0/0/1] quit
5. Verification:
On the USG, run display qos gts interface [ interface-type interface-number ] to view the traffic shaping configuration.
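A token-bucket model of the two qos car rules in step d, added here as an illustration (it is neither Huawei code nor the exact VRP policer). It assumes a single bucket of cbs bytes refilled at cir kbit/s, with green = pass and red = discard as configured, and runs over constructed sample traffic to show why PC1's cbs of 15,000 bytes only absorbs the first part of a burst.

```python
"""Token-bucket model of the qos car policing configured on GE0/0/2 of USG_B
(added illustration, not Huawei code or the exact VRP algorithm). Assumed: one
bucket refilled at cir kbit/s up to a depth of cbs bytes; a packet that fits is
'green' and passes, otherwise it is 'red' and discarded."""

class CarPolicer:
    def __init__(self, cir_kbps, cbs_bytes):
        self.rate = cir_kbps * 125       # kbit/s -> bytes per second
        self.cbs = cbs_bytes
        self.tokens = float(cbs_bytes)   # bucket starts full
        self.last_t = 0.0

    def police(self, t, size):
        """Colour a packet of `size` bytes arriving at time t (seconds)."""
        self.tokens = min(self.cbs, self.tokens + (t - self.last_t) * self.rate)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            return "green"
        return "red"

# The two ACL-bound policers from the page: basic ACL 2001 matches the server
# (1.1.1.1), ACL 2002 matches PC1 (1.1.1.2); values are (cir kbit/s, cbs bytes).
CAR_RULES = {"1.1.1.1": (54000, 54000), "1.1.1.2": (8000, 15000)}

def police_inbound(packets):
    """packets: (time_s, src_ip, size_bytes) tuples. Returns src_ip ->
    (green, red) counts; sources matching neither ACL are not policed."""
    policers = {ip: CarPolicer(*cfg) for ip, cfg in CAR_RULES.items()}
    counts = {}
    for t, src, size in sorted(packets):
        if src not in policers:
            continue
        g, r = counts.get(src, (0, 0))
        if policers[src].police(t, size) == "green":
            counts[src] = (g + 1, r)
        else:
            counts[src] = (g, r + 1)
    return counts

# Constructed sample traffic: PC1 bursts 20 x 1500-byte packets at t=0 (30 000
# bytes, twice its cbs), then one more packet a second later; the server sends
# 36 x 1500 bytes (exactly its cbs); 10.0.0.9 matches no ACL.
SAMPLE = ([(0.0, "1.1.1.2", 1500)] * 20 + [(1.0, "1.1.1.2", 1500)]
          + [(0.0, "1.1.1.1", 1500)] * 36 + [(0.0, "10.0.0.9", 1500)])

if __name__ == "__main__":
    print(police_inbound(SAMPLE))   # {'1.1.1.1': (36, 0), '1.1.1.2': (11, 10)}
```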

Configuration of the Client-Initialized VPN on the USG2000 and USG5000
The method used to configure the Client-Initialized VPN on the USG2000 and USG5000 is as follows: The LAC client can directly initiate a tunnel establishment request to the LNS, bypassing the LAC. The LNS allocates an address to the LAC client. The HQ network can connect to the Internet through the LNS. An employee on a business trip can directly initiate a tunnel establishment request to the LNS by means of L2TP dialup. The L2TP client software must be installed on the PC of the employee.
Configure the Client-Initialized VPN using the CLI:
1. Configure the LNS.
a. Create and configure the virtual interface template.
[LNS] interface virtual-template 1
[LNS-Virtual-Template1] ip address 192.168.0.1 255.255.255.0
[LNS-Virtual-Template1] ppp authentication-mode chap
[LNS-Virtual-Template1] quit
b. Enable L2TP.
[LNS] l2tp enable
c. Create and configure the L2TP group.
[LNS] l2tp-group 1
d. Configure the local tunnel name on the LNS end and the received peer tunnel name.
[LNS-l2tp1] tunnel name LNS
[LNS-l2tp1] allow l2tp virtual-template 1
[LNS-l2tp1] tunnel authentication
[LNS-l2tp1] tunnel password cipher Password123
[LNS-l2tp1] quit
Note: If you use the L2TP client software provided by the Windows system to dial up, you must disable the L2TP tunnel authentication function.
e. Define an address pool and allocate an IP address to the dial-up user.
[LNS] aaa
[LNS-aaa] ip pool 1 192.168.0.2 192.168.0.100
f. Set the user name and password (consistent with those configured on the PC of the employee on a business trip).
[LNS-aaa] local-user vpdnuser password cipher Hello123
[LNS-aaa] quit
Note: Because the addresses in the IP address pool are not in the same network segment as the intranet addresses, you need to configure a route to network segment 192.168.0.0 on the HQ device, with the next hop address set to 192.168.1.1.
g. Allocate an address in the IP address pool to the peer interface.
[LNS] interface virtual-template 1
[LNS-Virtual-Template1] remote address pool 1
[LNS-Virtual-Template1] quit

Configuring interface rate limiting for the USG2000 or USG5000
Configure interface rate limiting for the SRG, USG2000, and USG5000.
Configuration method: Run qos lr to configure rate limiting for interfaces.
Configuration example: Limit the rate to 1000 kbit/s for packets forwarded by GE interface 0/0/1 of the USG to the Internet.
Procedure:
1. For the USG series, add interfaces to security zones and configure inter-zone packet filtering to ensure normal network communication. The configuration procedure is not described here. For the USG BSR and HSR series, you do not need to add interfaces to security zones or configure packet filtering.
2. Configure IP addresses for interfaces of the USG. Configure routes to ensure normal network communication. The configuration procedure is not described here.
3. Configure LR on GE interface 0/0/1 of the USG to limit the traffic forwarded by this interface to the Internet.
system-view
[USG] interface GigabitEthernet 0/0/1 //Access the interface.
[USG-GigabitEthernet0/0/1] qos lr cir 1000 cbs 3000 //Limit the interface rate to 1 Mbit/s.
Verification: In any view of the USG, run display qos lr interface [ interface-type interface-number ] to view the interface rate limiting configuration.
[USG] display qos lr interface GigabitEthernet 0/0/1

Configuration of the black-hole route on the USG2000 and USG5000
When the addresses in the NAT address pool and the interface address used to connect to the external network are in different network segments, you need to configure a black-hole route for the address pool segment. Otherwise, packets destined for pool addresses that match no NAT session are forwarded according to the default route and can loop between the USG and the upstream router.
