Stateful inspection configuration on the web UI


Do as follows to configure stateful inspection on the web UI:
1. Choose System > Setup > Stateful Inspection.
2. Select TCP stateful inspection or ICMP stateful inspection to enable the corresponding function.
Note that the TCP stateful inspection and ICMP stateful inspection functions are independent of each other. Enabling or disabling one function does not affect stateful inspection on the other type of data flows.

Other related questions:
Stateful inspection configuration on the CLI
Do as follows to configure stateful inspection on the CLI:
1. Run the system-view command to enter the system view.
2. Enable or disable the stateful inspection function as required.
- Enable the stateful inspection function.
Run the firewall session link-state [ icmp | tcp | sctp ] check command to enable IPv4 stateful inspection.
Run the firewall ipv6 session link-state [ icmpv6 | tcp | sctp ] check command to enable IPv6 stateful inspection.
- Disable the stateful inspection function.
Run the undo firewall session link-state [ icmp | tcp ] check command to disable IPv4 stateful inspection.
Run the undo firewall ipv6 session link-state [ icmpv6 | tcp ] check command to disable IPv6 stateful inspection.
Note that after the stateful inspection function is enabled, a session can be created only when the first packet of the flow passes through the firewall. After the stateful inspection function is disabled, a session can be created by any packet, even if the first packet of the flow did not pass through the firewall.

Function of stateful inspection configured on firewalls
The function of stateful inspection configured on firewalls is as follows: Using stateful inspection, a firewall checks the validity of the link status of packets and discards the packets with invalid link status. Stateful inspection takes effect on both common packets and inner packets (decapsulated VPN packets). When the firewall is the only egress of a network, all packets are forwarded through the firewall. In this case, both incoming and outgoing packets pass through the firewall. You can enable stateful inspection on the firewall to secure services.
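The session-creation rule described above (with the link-state check on, only the first packet of a flow may create a session; with it off, any packet may), as an added model in Python that is not Huawei code; the packet fields and the TCP-only handshake logic are assumptions for illustration:

```python
# Added example (not Huawei code): a minimal model of what the
# "firewall session link-state tcp check" setting changes. With the check
# enabled, a TCP session is created only by the first packet of a handshake
# (SYN without ACK); a mid-stream packet with no session is dropped. With the
# check disabled, any packet may create a session.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags, e.g. frozenset({"SYN"})


@dataclass
class StatefulFirewall:
    link_state_check: bool = True
    sessions: set = field(default_factory=set)

    @staticmethod
    def _key(p):
        # Sessions are bidirectional: order the two endpoints so that reply
        # packets find the session created by the initiator.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def process(self, p):
        """Return "forward" or "drop" for one packet, creating sessions as the
        link-state check setting allows."""
        key = self._key(p)
        if key in self.sessions:
            return "forward"  # packet belongs to a known session
        first_packet = "SYN" in p.flags and "ACK" not in p.flags
        if self.link_state_check and not first_packet:
            return "drop"  # invalid link status: no session and not a first packet
        self.sessions.add(key)
        return "forward"
```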

Configuring URL categories on the web UI of the USG2000 and USG5000
There are two URL categories: predefined category and user-defined category. Predefined categories are provided and maintained by the security service center, and are available only after a license is purchased and activated. User-defined categories are configured and maintained by users, and no license is required. The procedure for configuring a user-defined category is as follows:
1. Configure a URL mode group.
(1) Choose UTM > Object > URL Address Group.
(2) Click Create.
(3) Set relevant parameters, including Name and Description.
(4) Click Apply.
(5) In URL Address List, click Create.
(6) Set relevant parameters, including Matching mode and Content.
(7) Click Apply.
(8) Click Save and Submit in the upper right corner.
2. Configure a user-defined URL category.
(1) Choose UTM > Web Filtering > URL Category.
(2) Click Create.
(3) Set relevant parameters, including Name, Description, and URL object group. You must select a URL object group that has been created and submitted successfully. The URL object group matches only the non-parameter part of a URL. For example, for the URL http://www.abcd.com/news/education.aspx?name=tom&age=20, only the part "www.abcd.com/news/education.aspx" is matched.
(4) Click Apply.
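The matching rule in step 2 (3), as an added Python example that is not Huawei code: it reduces a URL to the part a URL object group is compared against and tests it against a constructed group; the matching mode names "exact" and "prefix" are assumptions for illustration, not the device's own mode names.

```python
# Added example (not Huawei code): reproduces the rule that a URL object
# group matches only the non-parameter part of a URL (host and path, without
# scheme, port, query string or fragment). The modes "exact" and "prefix"
# are assumed for illustration.
from urllib.parse import urlsplit


def matched_part(url):
    """Return the part of a URL that a URL object group is compared to."""
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to locate the host
    parts = urlsplit(url)
    host = parts.hostname or ""  # lowercased; credentials and port are dropped
    return host + parts.path


def url_in_group(url, entries):
    """entries: list of (mode, content) pairs from a URL address group."""
    target = matched_part(url).lower()
    for mode, content in entries:
        content = content.lower()
        if mode == "exact" and target == content:
            return True
        if mode == "prefix" and target.startswith(content):
            return True
    return False


# Constructed URL address group for a user-defined "education" category.
EDUCATION_GROUP = [
    ("exact", "www.abcd.com/news/education.aspx"),
    ("prefix", "www.abcd.com/edu/"),
]
```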

Method for configuring HTTPS login to the web UI of the USG6000
You can configure the HTTPS login to the web UI as follows:
Note: If you only enable the web function by running web-manager enable but do not enable the HTTPS service by running web-manager security enable, you cannot log in to the device.
1. Networking requirement
Configure a local authentication administrator webadmin for the NGFW and require that the administrator use HTTPS to log in to the web UI.

2. Configuration roadmap
a. Configure the web service for the device and enable the HTTPS service on the interface to allow the administrator to use HTTPS to log in to the web UI.
b. Create an administrator.
3. Operation procedure
a. Enable the web service.
Enter the system view.
<NGFW> system-view
Enable HTTPS.
[NGFW] web-manager security enable port 8443
Configure the timeout period for the web service.
[NGFW] web-manager timeout 5
By default, the web service timeout period is 10 minutes.
(Optional) Configure automatic web UI lockout upon 5 consecutive administrator login failures.
Note:
By default, the web UI will be added to the blacklist for 10 minutes (cannot be modified) after 3 consecutive authentication failures.
[NGFW] firewall blacklist authentication-count login-failed 5
Configure the IP address on GigabitEthernet 1/0/3 and enable the HTTPS service.
[NGFW] interface GigabitEthernet 1/0/3
[NGFW-GigabitEthernet1/0/3] ip address 10.3.0.1 255.255.255.0
[NGFW-GigabitEthernet1/0/3] service-manage enable
[NGFW-GigabitEthernet1/0/3] service-manage https permit
[NGFW-GigabitEthernet1/0/3] quit
Add the interface to the security zone.
[NGFW] firewall zone trust
[NGFW-zone-trust] add interface GigabitEthernet1/0/3
[NGFW-zone-trust] quit
b. Create an administrator.
Enter the AAA view, then create an administrator and bind a role to it.
[NGFW] aaa
[NGFW-aaa] manager-user webadmin
[NGFW-aaa-manager-user-webadmin] password
Enter Password:
Confirm Password:
[NGFW-aaa-manager-user-webadmin] service-type web
[NGFW-aaa-manager-user-webadmin] access-limit 10
[NGFW-aaa-manager-user-webadmin] level 3
[NGFW-aaa-manager-user-webadmin] quit
Log in to the NGFW on the administrator PC.
Open the browser on the PC and access https://10.3.0.1:8443, the IP address and HTTPS port of the device to be logged in to.
On the login page, enter the administrator's user name and password (webadmin and Myadmin@123), and click Enter to enter the web UI.
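A check for the two preconditions the procedure sets up (the HTTPS web service is enabled, not only the plain web function, and the management interface permits HTTPS under service-manage), as an added Python audit over an exported configuration text; this is not Huawei code, and the sample configuration is constructed to show both findings.

```python
# Added example (not Huawei code): audits an exported NGFW configuration text
# for the HTTPS login preconditions from the procedure above: "web-manager
# security enable" must be present (the Note says "web-manager enable" alone
# does not allow login) and the management interface must carry both
# "service-manage enable" and "service-manage https permit".
# SAMPLE_CONFIG is constructed for this example and deliberately incomplete.

SAMPLE_CONFIG = """\
 web-manager enable
 web-manager timeout 5
 firewall blacklist authentication-count login-failed 5
#
interface GigabitEthernet1/0/3
 ip address 10.3.0.1 255.255.255.0
 service-manage enable
 service-manage http permit
#
interface GigabitEthernet1/0/1
 ip address 192.0.2.1 255.255.255.0
#
"""


def interface_lines(config, name):
    """Return the stripped lines inside the stanza for one interface."""
    stanza, inside = [], False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            inside = line == f"interface {name}"
        elif line == "#":
            inside = False  # "#" ends a configuration stanza
        elif inside:
            stanza.append(line)
    return stanza


def audit_https_login(config, mgmt_interface):
    """Return a list of findings; an empty list means the preconditions hold."""
    findings = []
    lines = {l.strip() for l in config.splitlines()}
    if not any(l.startswith("web-manager security enable") for l in lines):
        findings.append("web-manager security enable missing: HTTPS login to the web UI is not possible")
    iface = interface_lines(config, mgmt_interface)
    if "service-manage enable" not in iface:
        findings.append(f"{mgmt_interface}: service-manage enable missing")
    if "service-manage https permit" not in iface:
        findings.append(f"{mgmt_interface}: service-manage https permit missing")
    return findings
```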

Does an FW support NAT if I disable stateful inspection on the FW
Yes. The FW supports NAT after stateful inspection is disabled on the FW.
