USG firewall configuration saving


If the configuration is not saved, or the save fails, the changes made in the session are lost when the device restarts. That includes security policy, VPN, and routing changes, so save after every change you intend to keep.
You can save the configuration on USG firewalls as follows:
1. CLI
save //Save the current configuration.//
11:36:31 2015/03/04
The current configuration will be written to the device.
Are you sure you want to continue?[Y/N]y //Enter y to confirm.//
Now saving the current configuration to the device............................................
Info: The current configuration was saved to the device successfully.

2. Web UI
Click the Save button in the upper right corner of the web UI. In the displayed window, select Overwrite the profile used for next boot and click OK.

Other related questions:
Saving a file to a specified path on the firewall
Save the configuration file to a specified directory as follows:

Method 1:
1. cd flash:/ //Access the Flash directory.//
2. mkdir test //Create the test directory (folder).//
Info: Create directory flash:/test......Done.
3. cd test //Access the test directory.//
4. save configuration.zip //Save the configuration to configuration.zip.//
Are you sure to save the configuration to flash:/test/configuration.zip?[Y/N]:y
Now saving the current configuration to the device.
2015-04-22 17:52:46 Firewall %%01CFM/4/SAVE_FILE(l): When deciding whether to save configuration to the file flash:/test/configuration.zip, the user chose Y...
Info: Save the current config to flash:/test/configuration.zip successfully
5. dir //Display the configuration file saved under the test directory.//
17:52:49 2015/04/22
Directory of flash:/test/
0 -rw- 1009 Apr 22 2015 17:52:47 configuration.zip //Saved configuration file.//
31248 KB total (31104 KB free)

Method 2:
1. save flash:/test/conf.zip //Save the configuration file conf.zip to flash:/test.//
Are you sure to save the configuration to flash:/test/conf.zip?[Y/N]:y
Now saving the current configuration to the device.
2015-04-22 17:58:25 Firewall %%01CFM/4/SAVE_FILE(l): When deciding whether to save configuration to the file flash:/test/conf.zip, the user chose Y...
Info: Save the current config to flash:/test/conf.zip successfully
2. dir //Display the files under the Flash directory.//
17:58:29 2015/04/22
Directory of flash:/
0 -rw- 61 Apr 22 2015 17:58:26 private-data.txt
1 drw- - Apr 22 2015 17:45:08 ceshi
2 -rw- 2243 Apr 22 2015 17:49:56 vrpcfg.cfg
3 drw- - Apr 22 2015 17:52:16 test //Directory for saving the configuration file.//
31248 KB total (31088 KB free)
3. cd test //Access the test directory.//
4. dir //Display the files under the test directory.//
17:58:35 2015/04/22
Directory of flash:/test/
0 -rw- 1009 Apr 22 2015 17:52:47 configuration.zip
1 -rw- 991 Apr 22 2015 17:58:26 conf.zip //Saved configuration file.//
31248 KB total (31088 KB free)

Note: Saving to a named path creates a copy of the running configuration in that file; it is useful for backups and snapshots, but confirm which file the device actually loads at the next startup (display startup) before relying on it. Saved configuration files contain credentials such as IPsec pre-shared keys and user passwords, so restrict access to the flash and to any copies you export from the device.

RIP configuration of USG firewalls
Configure RIP on the USG2000 or USG5000 as follows:
1. Run the system-view command to enter the system view.
2. Run the rip [ process-id ] command to enable a RIP process and enter the RIP view. If RIP commands are configured in the interface view before the RIP process is enabled, they take effect only after the process is enabled.
3. Run the network network-address command to enable RIP on the specified network segment. RIP runs only on the interfaces in the specified network segment; on other interfaces RIP neither receives nor sends routes, and the routes of those interfaces are not advertised. Therefore, after enabling RIP you must specify the network segments. The network-address is the natural (classful) network address. By default, RIP is disabled on all interfaces after the process is enabled.
Note: RIP does not support assigning different addresses of the same physical interface to different RIP processes.
4. By default, an interface receives both RIP-1 and RIP-2 packets but sends only RIP-1 packets. When the interface version is RIP-2, you can also specify whether packets are sent by broadcast or multicast. If no RIP version is configured on the interface, the global version applies. Configure the global RIP version with the version { 1 | 2 } command.
Configure the RIP version on an interface as follows:
a. Run the system-view command to enter the system view.
b. Run the interface interface-type interface-number command to enter the interface view.
c. Run the rip version { 1 | 2 [ broadcast | multicast ] } command to specify the RIP version of the interface.
Note: RIP-1 packets carry no authentication field, so an interface that sends RIP-1 cannot authenticate its updates. Where routing updates must be authenticated, configure the interface to send RIP-2.

Configuration of the security association on the USG firewalls
Create an IPsec SA in IKE negotiation mode.
1. Network A and network B communicate through an IPsec tunnel established between USG_A and USG_B, which encrypts the data in transit. The internal network segment of network A is 10.1.1.0/24 and the public IP address of USG_A is 202.38.163.1/24. The internal network segment of network B is 10.1.2.0/24 and the public IP address of USG_B is 202.38.169.1/24.
Network A---USG_A----INTERNET----USG_B---Network B
2. The configuration procedure is as follows:
[USG_A] acl 3000 //Configure the ACL that matches the traffic to be protected by the tunnel.//
[USG_A-acl-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[USG_A-acl-adv-3000] quit
[USG_A] ip route-static 10.1.2.0 255.255.255.0 202.38.163.2 //Configure the route.//
[USG_A] ipsec proposal tran1 //Configure the IPsec security proposal.//
[USG_A-ipsec-proposal-tran1] encapsulation-mode tunnel
[USG_A-ipsec-proposal-tran1] transform esp
[USG_A-ipsec-proposal-tran1] esp authentication-algorithm sha1
[USG_A-ipsec-proposal-tran1] esp encryption-algorithm aes
[USG_A-ipsec-proposal-tran1] quit
[USG_A] ike proposal 10 //Configure the IKE security proposal.//
[USG_A-ike-proposal-10] authentication-method pre-share
[USG_A-ike-proposal-10] authentication-algorithm sha1
[USG_A-ike-proposal-10] integrity-algorithm hmac-sha1-96
[USG_A-ike-proposal-10] quit
[USG_A] ike peer b //Configure the IKE peer.//
[USG_A-ike-peer-b] ike-proposal 10
[USG_A-ike-peer-b] remote-address 202.38.169.1
[USG_A-ike-peer-b] pre-shared-key abcde
[USG_A-ike-peer-b] quit
[USG_A] ipsec policy map1 10 isakmp //Configure the IPsec security policy.//
[USG_A-ipsec-policy-isakmp-map1-10] security acl 3000
[USG_A-ipsec-policy-isakmp-map1-10] proposal tran1
[USG_A-ipsec-policy-isakmp-map1-10] ike-peer b
[USG_A-ipsec-policy-isakmp-map1-10] quit
[USG_A] interface GigabitEthernet 0/0/2
[USG_A-GigabitEthernet0/0/2] ipsec policy map1 //Apply the security policy to the interface.//

[USG_B] acl 3000 //Configure the ACL that matches the traffic to be protected by the tunnel.//
[USG_B-acl-adv-3000] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[USG_B-acl-adv-3000] quit
[USG_B] ip route-static 10.1.1.0 255.255.255.0 202.38.169.2 //Configure the route.//
[USG_B] ipsec proposal tran1 //Configure the IPsec security proposal.//
[USG_B-ipsec-proposal-tran1] encapsulation-mode tunnel
[USG_B-ipsec-proposal-tran1] transform esp
[USG_B-ipsec-proposal-tran1] esp authentication-algorithm sha1
[USG_B-ipsec-proposal-tran1] esp encryption-algorithm aes
[USG_B-ipsec-proposal-tran1] quit
[USG_B] ike proposal 10 //Configure the IKE security proposal.//
[USG_B-ike-proposal-10] authentication-method pre-share
[USG_B-ike-proposal-10] authentication-algorithm sha1
[USG_B-ike-proposal-10] integrity-algorithm hmac-sha1-96
[USG_B-ike-proposal-10] quit
[USG_B] ike peer a //Configure the IKE peer.//
[USG_B-ike-peer-a] ike-proposal 10
[USG_B-ike-peer-a] remote-address 202.38.163.1
[USG_B-ike-peer-a] pre-shared-key abcde
[USG_B-ike-peer-a] quit
[USG_B] ipsec policy map1 10 isakmp //Configure the IPsec security policy.//
[USG_B-ipsec-policy-isakmp-map1-10] security acl 3000
[USG_B-ipsec-policy-isakmp-map1-10] proposal tran1
[USG_B-ipsec-policy-isakmp-map1-10] ike-peer a
[USG_B-ipsec-policy-isakmp-map1-10] quit
[USG_B] interface GigabitEthernet 0/0/2
[USG_B-GigabitEthernet0/0/2] ipsec policy map1 //Apply the security policy to the interface.//

Notes:
The pre-shared key abcde is only a placeholder for the example. Use a long, random key, unique to each peer, and keep it out of exported configuration files that others can read.
The example leaves the IKE proposal's encryption algorithm and DH group at their platform defaults. Check what is negotiated with display ike proposal and set both explicitly if the defaults do not meet your policy.
The example uses SHA-1 HMACs; where the software version supports SHA-2 algorithms, prefer them for both the IKE and the ESP proposal.
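The review of the proposals above can be automated. The following script is an added example, not code from the page or from Huawei: it parses the "[view] command" transcript format used in this section and flags algorithm choices and pre-shared keys that a reviewer would question. The classification of algorithms, the minimum key length, and the sample transcript (the USG_A side of the configuration above) are this script's own assumptions, not checks the firewall performs.

```python
"""Lint a Huawei USG IPsec/IKE CLI transcript for weak cryptographic choices.

Added example; it is not code from the page or from Huawei. It parses the
"[view] command" transcript format used above and reports what a reviewer
would flag. The algorithm classification and the minimum PSK length are
this script's assumptions, not checks the firewall performs.
"""
import re
from dataclasses import dataclass

# Constructed sample: the USG_A side of the transcript above.
SAMPLE_CONFIG = """
[USG_A] ipsec proposal tran1
[USG_A-ipsec-proposal-tran1] encapsulation-mode tunnel
[USG_A-ipsec-proposal-tran1] transform esp
[USG_A-ipsec-proposal-tran1] esp authentication-algorithm sha1
[USG_A-ipsec-proposal-tran1] esp encryption-algorithm aes
[USG_A-ipsec-proposal-tran1] quit
[USG_A] ike proposal 10
[USG_A-ike-proposal-10] authentication-method pre-share
[USG_A-ike-proposal-10] authentication-algorithm sha1
[USG_A-ike-proposal-10] integrity-algorithm hmac-sha1-96
[USG_A-ike-proposal-10] quit
[USG_A] ike peer b
[USG_A-ike-peer-b] ike-proposal 10
[USG_A-ike-peer-b] remote-address 202.38.169.1
[USG_A-ike-peer-b] pre-shared-key abcde
[USG_A-ike-peer-b] quit
"""

LINE_RE = re.compile(r"^\[(?P<view>[^\]]+)\]\s+(?P<cmd>.+?)\s*$")

# Assumed baseline: MD5/DES/3DES must not be deployed; HMAC-SHA1 still holds
# as a MAC but should be phased out in favour of SHA-2.
BROKEN = {"des", "3des", "md5"}
LEGACY = {"sha1", "hmac-sha1-96"}
MIN_PSK_LEN = 16


@dataclass
class Finding:
    severity: str   # "error" or "warn"
    view: str       # configuration view the command was entered in
    message: str


def parse_views(text):
    """Group tokenised commands by the configuration view (prompt) they were typed in."""
    views = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            views.setdefault(m["view"], []).append(m["cmd"].split())
    return views


def lint(text):
    findings = []
    for view, cmds in parse_views(text).items():
        keywords = {c[0] for c in cmds}
        for c in cmds:
            if c[0] == "esp" and len(c) >= 3:                    # IPsec: esp <x>-algorithm <alg>
                key, alg = "esp " + c[1], c[2].lower()
            elif c[0].endswith("-algorithm") and len(c) >= 2:    # IKE: <x>-algorithm <alg>
                key, alg = c[0], c[1].lower()
            elif c[0] == "pre-shared-key" and len(c) >= 2:
                if len(c[1]) < MIN_PSK_LEN:
                    findings.append(Finding("error", view,
                        f"pre-shared key is {len(c[1])} characters; use at least "
                        f"{MIN_PSK_LEN} random characters, unique per peer"))
                continue
            else:
                continue
            if alg in BROKEN:
                findings.append(Finding("error", view, f"{key} {alg} is broken; replace it"))
            elif alg in LEGACY:
                findings.append(Finding("warn", view, f"{key} {alg} is legacy; prefer SHA-2"))
        if "ike-proposal" in view:
            # Anything not set explicitly is negotiated from the platform default.
            if "encryption-algorithm" not in keywords:
                findings.append(Finding("warn", view,
                    "no encryption-algorithm set; platform default applies (check display ike proposal)"))
            if "dh" not in keywords:
                findings.append(Finding("warn", view,
                    "no dh group set; platform default applies (check display ike proposal)"))
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print(f"{f.severity:<5} [{f.view}] {f.message}")
```

Run against the sample, the script reports one error (the five-character pre-shared key) and five warnings (the three SHA-1 choices plus the unset IKE encryption algorithm and DH group). Feed it the output of a display current-configuration session only after converting it to the prompt form, or extend LINE_RE to match the indented view blocks of the running configuration.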

DHCP snooping configuration on USG firewalls
You can configure DHCP snooping on USG firewalls as follows:
DHCP snooping is a DHCP security feature. It protects against DHCP DoS attacks, DHCP server spoofing, ARP man-in-the-middle attacks, and IP/MAC spoofing attacks on networks that use DHCP. Its most commonly used function is protection against DHCP server spoofing: clients can obtain IP addresses only from the DHCP server behind the trusted interface, not from any other DHCP server such as a privately connected home router. Note that the firewall does not block the private router itself; it only drops the DHCP server messages that arrive on untrusted interfaces.
The key configuration is as follows:
1. Enable DHCP snooping globally and on the interfaces.
[USG] dhcp snooping enable
[USG] interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1] dhcp snooping enable
[USG-GigabitEthernet0/0/1] quit
[USG] interface GigabitEthernet 0/0/2
[USG-GigabitEthernet0/0/2] dhcp snooping enable
[USG-GigabitEthernet0/0/2] quit
2. Configure the trusted interface to prevent DHCP server spoofing. Set the interface connected to the DHCP server to trusted; the interfaces connected to DHCP clients stay untrusted (after DHCP snooping is enabled on an interface, it is untrusted by default).
[USG] interface GigabitEthernet 0/0/2
[USG-GigabitEthernet0/0/2] dhcp snooping trusted
[USG-GigabitEthernet0/0/2] quit
Note: DHCP snooping on the firewall takes effect only when the firewall itself is the DHCP server or the DHCP server is upstream of the firewall. If a downstream switch connected to the USG firewall is the DHCP server, DHCP packets never traverse the firewall and this configuration has no effect; DHCP snooping must then be configured on the switch instead. For the specific configuration, see DHCP Snooping Configuration on USG Firewalls.
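The following model shows what the trusted/untrusted rule above actually decides, packet by packet. It is an added example, not code from the page or from the firewall: it implements the rule that DHCP server messages (OFFER, ACK, NAK) are accepted only on trusted interfaces, records the bindings learned from ACKs, and uses them for the IP/MAC spoofing check the section mentions. The interface names follow the configuration above; the packets and addresses are constructed.

```python
"""Model of the DHCP snooping decisions described above.

Added example, not code from the page or the firewall. It implements the
trusted/untrusted rule (DHCP server messages are accepted only on trusted
interfaces) and the binding table learned from ACKs, which the IP/MAC
spoofing check consults. Interface names and packets are constructed.
"""
from dataclasses import dataclass

# DHCP message types from option 53 (RFC 2132).
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MESSAGES = {OFFER, ACK, NAK}


@dataclass(frozen=True)
class DhcpPacket:
    ingress: str              # interface the packet arrived on
    msg_type: int
    client_mac: str           # chaddr: the client the message concerns
    yiaddr: str = "0.0.0.0"   # address offered/assigned (server messages only)


class DhcpSnooping:
    def __init__(self, enabled_ifaces, trusted_ifaces):
        self.enabled = set(enabled_ifaces)
        self.trusted = set(trusted_ifaces)
        self.pending = {}      # client MAC -> interface the client is on
        self.bindings = {}     # client MAC -> (assigned IP, client interface)
        self.dropped = []

    def process(self, pkt):
        """Return True if the packet is forwarded, False if snooping drops it."""
        if pkt.ingress not in self.enabled:
            return True                       # interface not inspected
        if pkt.msg_type in SERVER_MESSAGES:
            if pkt.ingress not in self.trusted:
                self.dropped.append(pkt)      # rogue server (e.g. a private router) on a client port
                return False
            if pkt.msg_type == ACK and pkt.client_mac in self.pending:
                self.bindings[pkt.client_mac] = (pkt.yiaddr, self.pending[pkt.client_mac])
            elif pkt.msg_type == NAK:
                self.bindings.pop(pkt.client_mac, None)
        elif pkt.msg_type in (DISCOVER, REQUEST):
            self.pending[pkt.client_mac] = pkt.ingress   # remember where the client lives
        return True

    def ip_mac_ok(self, client_mac, src_ip, ingress):
        """IP/MAC spoofing guard: the source must match its learned binding and port."""
        return self.bindings.get(client_mac) == (src_ip, ingress)


def demo():
    """Replay a constructed exchange through the interface layout from the page."""
    snoop = DhcpSnooping(enabled_ifaces={"GE0/0/1", "GE0/0/2"}, trusted_ifaces={"GE0/0/2"})
    mac = "00:11:22:33:44:55"
    packets = [
        DhcpPacket("GE0/0/1", DISCOVER, mac),
        DhcpPacket("GE0/0/1", OFFER, mac, "192.168.1.100"),   # rogue server on the client side
        DhcpPacket("GE0/0/2", OFFER, mac, "10.0.0.50"),       # legitimate server behind trusted port
        DhcpPacket("GE0/0/1", REQUEST, mac),
        DhcpPacket("GE0/0/2", ACK, mac, "10.0.0.50"),
    ]
    forwarded = [snoop.process(p) for p in packets]
    return snoop, forwarded


if __name__ == "__main__":
    s, fwd = demo()
    print("forwarded:", fwd)
    print("bindings:", s.bindings)
```

In the replayed exchange the rogue OFFER arriving on GE0/0/1 is the only packet dropped; the client ends up bound to 10.0.0.50 on GE0/0/1, so a later packet claiming 192.168.1.100 from that MAC, or 10.0.0.50 from another port, fails the binding check. The model also shows why the note above matters: a packet that never enters an inspected interface is never seen, so snooping on the firewall cannot protect clients served by a downstream switch.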

MPLS VPN configuration of USG firewalls
The scenario and configuration for establishing an LSP using LDP on the USG2000, USG5000, and USG6000 are as follows:
Local LDP sessions can be established only between directly connected LSRs. An LDP LSP is a dynamically created LSP. When the LSP setup process does not need to be strictly controlled and the MPLS network does not require traffic engineering, you can create LSPs with LDP.
1. Enable MPLS and MPLS LDP globally on each LSR. Change the LDP LSP triggering policy to all on each LSR so that all static routes and IGP routes in the routing table can trigger LDP LSP establishment.
a. Configure LSRA.
[LSRA] mpls lsr-id 1.1.1.9
[LSRA] mpls
[LSRA-mpls] lsp-trigger all
[LSRA-mpls] quit
[LSRA] mpls ldp
b. Configure LSRB.
[LSRB] mpls lsr-id 2.2.2.9
[LSRB] mpls
[LSRB-mpls] lsp-trigger all
[LSRB-mpls] quit
[LSRB] mpls ldp
c. Configure LSRC.
[LSRC] mpls lsr-id 3.3.3.9
[LSRC] mpls
[LSRC-mpls] lsp-trigger all
[LSRC-mpls] quit
[LSRC] mpls ldp
2. Enable MPLS and MPLS LDP on each LSR interface.
a. Configure LSRA.
[LSRA] interface GigabitEthernet 0/0/3
[LSRA-GigabitEthernet0/0/3] mpls
[LSRA-GigabitEthernet0/0/3] mpls ldp
b. Configure LSRB.
[LSRB] interface GigabitEthernet 0/0/2
[LSRB-GigabitEthernet0/0/2] mpls
[LSRB-GigabitEthernet0/0/2] mpls ldp
[LSRB-GigabitEthernet0/0/2] quit
[LSRB] interface GigabitEthernet 0/0/3
[LSRB-GigabitEthernet0/0/3] mpls
[LSRB-GigabitEthernet0/0/3] mpls ldp
c. Configure LSRC.
[LSRC] interface GigabitEthernet 0/0/3
[LSRC-GigabitEthernet0/0/3] mpls
[LSRC-GigabitEthernet0/0/3] mpls ldp

The scenario and configuration for establishing a static LSP on the USG2000, USG5000, and USG6000 are as follows:
You can configure static LSPs for small, stable networks with a simple topology.
1. Configure MPLS globally on each node.
a. Configure LSRA.
[LSRA] mpls lsr-id 1.1.1.9
[LSRA] mpls
b. Configure LSRB.
[LSRB] mpls lsr-id 2.2.2.9
[LSRB] mpls
c. Configure LSRC.
[LSRC] mpls lsr-id 3.3.3.9
[LSRC] mpls
d. Configure LSRD.
[LSRD] mpls lsr-id 4.4.4.9
[LSRD] mpls
2. Configure MPLS on each interface.
a. Configure LSRA.
[LSRA] interface GigabitEthernet 0/0/2
[LSRA-GigabitEthernet0/0/2] mpls
[LSRA-GigabitEthernet0/0/2] quit
[LSRA] interface GigabitEthernet 0/0/3
[LSRA-GigabitEthernet0/0/3] mpls
b. Configure LSRB.
[LSRB] interface GigabitEthernet 0/0/2
[LSRB-GigabitEthernet0/0/2] mpls
[LSRB-GigabitEthernet0/0/2] quit
[LSRB] interface GigabitEthernet 0/0/3
[LSRB-GigabitEthernet0/0/3] mpls
c. Configure LSRC.
[LSRC] interface GigabitEthernet 0/0/2
[LSRC-GigabitEthernet0/0/2] mpls
[LSRC-GigabitEthernet0/0/2] quit
[LSRC] interface GigabitEthernet 0/0/3
[LSRC-GigabitEthernet0/0/3] mpls
d. Configure LSRD.
[LSRD] interface GigabitEthernet 0/0/2
[LSRD-GigabitEthernet0/0/2] mpls
[LSRD-GigabitEthernet0/0/2] quit
[LSRD] interface GigabitEthernet 0/0/3
[LSRD-GigabitEthernet0/0/3] mpls
3. Create the static LSP from LSRA to LSRD.
a. Configure the ingress LSRA.
[LSRA] static-lsp ingress RAtoRD destination 4.4.4.9 32 nexthop 10.1.1.2 out-label 20
b. Configure the transit LSRB.
[LSRB] static-lsp transit RAtoRD incoming-interface GigabitEthernet 0/0/2 in-label 20 nexthop 10.2.1.2 out-label 40
c. Configure the egress LSRD.
[LSRD] static-lsp egress RAtoRD incoming-interface GigabitEthernet 0/0/2 in-label 40
An LSP is unidirectional, so you also need to configure the static LSP from LSRD to LSRA.
4. Create the static LSP from LSRD to LSRA in the same way. The out-label of each LSR must equal the in-label configured on the next LSR; a mismatch is not reported by the devices and the traffic is simply dropped.
a. Configure the ingress LSRD.
[LSRD] static-lsp ingress RDtoRA destination 1.1.1.9 32 nexthop 10.4.1.1 out-label 30
b. Configure the transit LSRC.
[LSRC] static-lsp transit RDtoRA incoming-interface GigabitEthernet 0/0/3 in-label 30 nexthop 10.3.1.1 out-label 60
c. Configure the egress LSRA.
[LSRA] static-lsp egress RDtoRA incoming-interface GigabitEthernet 0/0/3 in-label 60
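Because static LSPs are assembled by hand on several devices, the label chain is worth checking before the configuration is applied. The script below is an added example, not code from the page or from Huawei: it parses "[device] static-lsp ..." lines in the transcript form used above, verifies that each hop's out-label equals the next hop's in-label, that labels are outside the reserved range, and that no LSR claims the same in-label for two LSPs. The sample transcript is the page's two LSPs; the constructed error cases are this script's own.

```python
"""Consistency check for the static LSPs configured above.

Added example, not code from the page or from Huawei. A static LSP only
works if each LSR's out-label equals the next LSR's in-label and the
labels are valid; the devices do not check this across the path, so a
mistyped label silently blackholes traffic. The sample is the page's two
LSPs in the "[device] static-lsp ..." transcript form.
"""
import re

SAMPLE = """
[LSRA] static-lsp ingress RAtoRD destination 4.4.4.9 32 nexthop 10.1.1.2 out-label 20
[LSRB] static-lsp transit RAtoRD incoming-interface GigabitEthernet 0/0/2 in-label 20 nexthop 10.2.1.2 out-label 40
[LSRD] static-lsp egress RAtoRD incoming-interface GigabitEthernet 0/0/2 in-label 40
[LSRD] static-lsp ingress RDtoRA destination 1.1.1.9 32 nexthop 10.4.1.1 out-label 30
[LSRC] static-lsp transit RDtoRA incoming-interface GigabitEthernet 0/0/3 in-label 30 nexthop 10.3.1.1 out-label 60
[LSRA] static-lsp egress RDtoRA incoming-interface GigabitEthernet 0/0/3 in-label 60
"""

HOP_RE = re.compile(
    r"^\[(?P<dev>[^\]]+)\]\s+static-lsp\s+(?P<role>ingress|transit|egress)\s+(?P<name>\S+)\s+(?P<rest>.*)$")
LABEL_RE = {k: re.compile(rf"\b{k}-label\s+(\d+)") for k in ("in", "out")}
MIN_LABEL, MAX_LABEL = 16, 1048575   # 0-15 are reserved label values (RFC 3032)


def parse_hops(text):
    """Return {lsp name: [hop, ...]} in the order the hops appear in the transcript."""
    lsps = {}
    for line in text.splitlines():
        m = HOP_RE.match(line.strip())
        if not m:
            continue
        hop = {"dev": m["dev"], "role": m["role"]}
        for k, rx in LABEL_RE.items():
            found = rx.search(m["rest"])
            hop[k] = int(found.group(1)) if found else None
        lsps.setdefault(m["name"], []).append(hop)
    return lsps


def validate(text):
    """Return a list of problems; an empty list means every LSP chains correctly."""
    errors = []
    used = {}   # (device, in-label) -> LSP name, to catch one label claimed twice on an LSR
    for name, hops in parse_hops(text).items():
        roles = [h["role"] for h in hops]
        if (roles[0] != "ingress" or roles[-1] != "egress"
                or roles.count("ingress") != 1 or roles.count("egress") != 1):
            errors.append(f"{name}: expected ingress first and egress last, got {roles}")
        for h in hops:
            for k in ("in", "out"):
                v = h[k]
                if v is not None and not MIN_LABEL <= v <= MAX_LABEL:
                    errors.append(f"{name}: {h['dev']} {k}-label {v} outside {MIN_LABEL}..{MAX_LABEL}")
            if h["in"] is not None:
                key = (h["dev"], h["in"])
                if used.get(key, name) != name:
                    errors.append(f"{name}: in-label {h['in']} on {h['dev']} already used by {used[key]}")
                used[key] = name
        for prev, nxt in zip(hops, hops[1:]):
            if prev["out"] != nxt["in"]:
                errors.append(f"{name}: {prev['dev']} out-label {prev['out']} "
                              f"!= {nxt['dev']} in-label {nxt['in']}")
    return errors


if __name__ == "__main__":
    problems = validate(SAMPLE)
    print("\n".join(problems) if problems else "all static LSPs chain correctly")
```

The hops must appear in path order (ingress, transit hops, egress), as they do in the procedure above; the check relies on that order rather than on next-hop addresses, since the transcript does not carry the interface addressing needed to resolve them.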
