[Dr.WoW] [No.12] Configuration Precautions and Troubleshooting Guide Highlighted

Latest reply: May 19, 2018 01:31:58

1 Security Policy

In actual networks, inappropriate security policies often result in service interruptions. The display firewall statistic system discard command can be used to view statistics on packets discarded by the firewall. By analyzing the command output, we can determine whether the packets are discarded because of security policies. For example:

[FW] display firewall statistic system discard

 Packets discarded statistic

                            Total packets discarded:            10

                         ACL deny packets discarded:            5

                     Default deny packets discarded:           5

In the command output, the value of "ACL deny packets discarded" indicates the number of packets discarded due to security policies; the value of "Default deny packets discarded" indicates the number of packets discarded due to default packet filtering. If statistics on discarded packets contain the preceding information, security policies are inaccurate and must be troubleshot.

First, check the matching conditions in security policies. If the matching conditions are incorrect, packets cannot match the security policies, and therefore firewalls cannot take the predefined actions on the packets. After a security policy is configured on a firewall, if the firewall does not process packets in the expected way, we must check the security policy configuration.

[FW] display policy interzone trust untrust outbound

policy interzone trust untrust outbound

 firewall default packet-filter is deny

 policy 1 (0 times matched)

  action permit

  policy service service-set http (predefined)

  policy source 192.168.0.1 0

  policy destination 172.16.0.1 0

In the preceding command output, 0 packets matched policy 1. If the corresponding interface has been added to the correct security zone, we should check whether the conditions in the policy are correct.

Second, if multiple security policies are configured in an interzone, pay attention to their matching sequence. In the following example, two security policies are configured in the Trust-Untrust interzone.

[FW] policy interzone trust untrust outbound

[FW-policy-interzone-trust-untrust-outbound] policy 1

[FW-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.0 0.0.0.255

[FW-policy-interzone-trust-untrust-outbound-1] policy destination 172.16.0.0 0.0.0.255

[FW-policy-interzone-trust-untrust-outbound-1] action permit

[FW-policy-interzone-trust-untrust-outbound-1] quit

[FW-policy-interzone-trust-untrust-outbound] policy 2

[FW-policy-interzone-trust-untrust-outbound-2] policy source 192.168.0.100 0

[FW-policy-interzone-trust-untrust-outbound-2] action deny

[FW-policy-interzone-trust-untrust-outbound-2] quit

As the source address scope in policy 1 covers that in policy 2, packets from 192.168.0.100 always match policy 1 and pass through the firewall. The action deny defined in policy 2 for packets from 192.168.0.100 will never be taken.

To resolve this problem, we can run the following command to move policy 2 prior to policy 1.

[FW-policy-interzone-trust-untrust-outbound] policy move 2 before 1

Then, packets from 192.168.0.100 first match policy 2 and are denied by the firewall.

#

policy interzone trust untrust outbound

 policy 2

  action deny

  policy source 192.168.0.100 0

 

 policy 1

  action permit

  policy source 192.168.0.0 0.0.0.255

  policy destination 172.16.0.0 0.0.0.255

#
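To make the ordering rule concrete, here is an added Python model of an ordered interzone policy list with Huawei-style wildcard masks (example code written for this post, not code from the post or from the firewall). It evaluates a packet against the policies in configured order, falls back to default packet filtering, and reports earlier policies that pre-empt a later policy with a different action; the policy numbers, addresses and masks are those of the example above, and the host wildcard that the CLI writes as 0 is given as 0.0.0.0.

```python
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")   # wildcard with every bit "don't care"

def _ip(s):
    return int(ipaddress.IPv4Address(s))  # the CLI's host wildcard "0" is 0.0.0.0 here

def wildcard_match(addr, net, wildcard):
    """Bits set in the wildcard are ignored; the remaining bits must equal net."""
    return (_ip(addr) & ~_ip(wildcard)) == (_ip(net) & ~_ip(wildcard))

def overlaps(a, b):
    """True if two (net, wildcard) ranges share at least one address."""
    (n1, w1), (n2, w2) = map(_ip, a), map(_ip, b)
    return ((n1 ^ n2) & ~w1 & ~w2) == 0

@dataclass
class Policy:
    pid: int
    action: str                  # "permit" or "deny"
    source: tuple = ANY
    destination: tuple = ANY
    service: str = "any"         # e.g. "http", "telnet"

    def matches(self, src, dst, service):
        return (wildcard_match(src, *self.source)
                and wildcard_match(dst, *self.destination)
                and self.service in ("any", service))

def evaluate(policies, src, dst, service, default="deny"):
    """First match wins, as in the interzone list; otherwise default packet filtering applies."""
    for p in policies:
        if p.matches(src, dst, service):
            return p.pid, p.action
    return None, default

def order_warnings(policies):
    """(later, earlier) pairs where an earlier policy with a different action overlaps a
    later one: packets in the overlap are decided before the later policy is consulted."""
    out = []
    for j, later in enumerate(policies):
        for earlier in policies[:j]:
            if (earlier.action != later.action
                    and overlaps(earlier.source, later.source)
                    and overlaps(earlier.destination, later.destination)
                    and ("any" in (earlier.service, later.service)
                         or earlier.service == later.service)):
                out.append((later.pid, earlier.pid))
    return out
```

With the two policies in their configured order, order_warnings reports (2, 1) and a packet from 192.168.0.100 to 172.16.0.1 is permitted by policy 1; with the list reordered as policy move 2 before 1 does, the same packet is denied by policy 2.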

It is difficult to specify accurate matching conditions for security policies. Broad matching conditions bring security risks, while strict matching conditions may cause some packets to match no policy, affecting services. Here is a general configuration roadmap: first, set the action in default packet filtering to permit and commission the services so that they run normally; then, view the session table and use the information it records as the matching conditions of the security policies; finally, restore the default packet filtering configuration and commission the services again to verify that the security policies take effect.

When the action in default packet filtering is permit, the firewall allows all packets to pass, exposing the firewall to risks. Therefore, using this setting only for service commissioning is recommended. After service commissioning, you must restore the default packet filtering configuration. That is, set the action to deny.

Let's look at two examples. Figure 1-1 shows the networking for the first example. A PC and a Web server directly connect to a firewall. The PC resides in the Trust zone, while the Web server resides in the Untrust zone. The PC needs to access the Web server.

Figure 1-1 Networking for a PC to access a Web server


At the beginning, we do not know the exact matching condition. So, set the action to permit for default packet filtering in the Trust-Untrust interzone and enter y when the following message is displayed.

[FW] firewall packet-filter default permit interzone trust untrust direction outbound

Warning: Setting the default packet filtering to permit poses security risks. You are advised to configure the security policy based on the actual data flows. Are you sure you want to continue?[Y/N] y

At this time, the firewall allows all packets to pass from the Trust zone to the Untrust zone. Use the PC to access the Web server. After the access succeeds, view the session table on the firewall.

[FW] display firewall session table verbose

 Current Total Sessions : 1

  http  VPN:public --> public

  Zone: trust--> untrust  TTL: 00:00:10  Left: 00:00:07

  Interface: GigabitEthernet0/0/1  NextHop: 172.16.0.1  MAC: 54-89-98-c0-15-c5

  <--packets:4 bytes:465   -->packets:7 bytes:455

  192.168.0.1:2052-->172.16.0.1:80

A session has been generated for the connection from the PC to the Web server. Then, configure the following security policy:

[FW] policy interzone trust untrust outbound

[FW-policy-interzone-trust-untrust-outbound] policy 1

[FW-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.1 0

[FW-policy-interzone-trust-untrust-outbound-1] policy destination 172.16.0.1 0

[FW-policy-interzone-trust-untrust-outbound-1] policy service service-set http

[FW-policy-interzone-trust-untrust-outbound-1] action permit

[FW-policy-interzone-trust-untrust-outbound-1] quit

At last, set the action back to deny for default packet filtering. The security policy configuration is complete.

[FW] firewall packet-filter default deny interzone trust untrust direction outbound

Figure 1-2 shows the networking for the second example. A PC residing in the Trust zone directly connects to a firewall. It is required that an administrator log in to the firewall through Telnet from the PC.

Figure 1-2 Networking for an administrator to log in to a firewall through Telnet from a PC


First, configure default packet filtering in the Trust-Local interzone and set the action to permit. When the following message is displayed, enter y.

[FW] firewall packet-filter default permit interzone trust local direction inbound

Warning: Setting the default packet filtering to permit poses security risks. You are advised to configure the security policy based on the actual data flows. Are you sure you want to continue?[Y/N] y

Use Telnet to log in to the firewall from the PC. After the login succeeds, view the session table on the firewall.

[FW] display firewall session table verbose

 Current Total Sessions : 1

  telnet  VPN:public --> public

  Zone: trust--> local  TTL: 00:10:00  Left: 00:09:55

  Interface: InLoopBack0  NextHop: 127.0.0.1  MAC: 00-00-00-00-00-00

  <--packets:6 bytes:325   -->packets:8 bytes:415

  192.168.0.1:2053-->192.168.0.2:23

Then, configure the following security policy based on the preceding session:

[FW] policy interzone local trust inbound

[FW-policy-interzone-local-trust-inbound] policy 1

[FW-policy-interzone-local-trust-inbound-1] policy source 192.168.0.1 0

[FW-policy-interzone-local-trust-inbound-1] policy destination 192.168.0.2 0

[FW-policy-interzone-local-trust-inbound-1] policy service service-set telnet

[FW-policy-interzone-local-trust-inbound-1] action permit

At last, set the action back to deny for default packet filtering. The security policy configuration is complete.

[FW] firewall packet-filter default deny interzone trust local direction inbound

I hope that these two examples help you understand the configuration roadmap, so that you can configure accurate matching conditions in actual networks.
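As an added example of the roadmap above (example code written for this post, not code from the post or from the firewall), the following Python script parses session table output and generates host-exact interzone policies from it. It assumes the zone priorities shown by display zone in the ASPF section of this post (local 100, trust 85, dmz 50, untrust 5) to name each interzone with the higher-priority zone first and to choose outbound or inbound, and the sample session text is constructed from the two sessions shown above.

```python
import re

# Zone priorities from 'display zone' in this post: an interzone is named higher-priority zone
# first; traffic leaving that zone is outbound, traffic entering it is inbound.
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}

# Constructed sample: the two sessions shown in the post, trimmed to the lines parsed here.
SESSION_TEXT = """\
  http  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:00:10  Left: 00:00:07
  192.168.0.1:2052-->172.16.0.1:80
  telnet  VPN:public --> public
  Zone: trust--> local  TTL: 00:10:00  Left: 00:09:55
  192.168.0.1:2053-->192.168.0.2:23
"""

SERVICE_RE = re.compile(r"^\s*(\w+)\s+VPN:")
ZONE_RE = re.compile(r"Zone:\s*(\w+)\s*-->\s*(\w+)")
FLOW_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):\d+-->(\d+\.\d+\.\d+\.\d+):\d+")

def parse_sessions(text):
    """One dict per session: service, src_zone, dst_zone, src, dst."""
    sessions, cur = [], None
    for line in text.splitlines():
        if m := SERVICE_RE.match(line):      # first line of a session block
            cur = {"service": m.group(1)}
            sessions.append(cur)
        elif cur and (m := ZONE_RE.search(line)):
            cur["src_zone"], cur["dst_zone"] = m.groups()
        elif cur and (m := FLOW_RE.search(line)):
            cur["src"], cur["dst"] = m.groups()
    return sessions

def policies_from_sessions(sessions):
    """Group flows per interzone and direction; emit one host-exact permit policy each."""
    groups = {}
    for s in sessions:
        hi, lo = sorted((s["src_zone"], s["dst_zone"]), key=ZONE_PRIORITY.get, reverse=True)
        direction = "outbound" if s["src_zone"] == hi else "inbound"
        bucket = groups.setdefault((hi, lo, direction), [])
        flow = (s["src"], s["dst"], s["service"])
        if flow not in bucket:       # many sessions of one flow still need one policy
            bucket.append(flow)
    lines = []
    for (hi, lo, direction), flows in groups.items():
        lines.append(f"policy interzone {hi} {lo} {direction}")
        for pid, (src, dst, svc) in enumerate(flows, 1):
            lines += [f" policy {pid}", f"  policy source {src} 0", f"  policy destination {dst} 0",
                      f"  policy service service-set {svc}", "  action permit"]
    return "\n".join(lines)
```

Every generated policy is host-exact, so widen the conditions deliberately before committing them; the script only removes the guesswork from the first draft.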

2 ASPF

ASPF determines whether firewalls can properly forward the packets of special protocols. When FTP is used on a network, check whether ASPF is enabled. The USG2000/5000 series firewalls are used as an example. Table 1-1 lists the protocols for which ASPF can be enabled. For the support conditions of other firewall models, see the product documentation of a specific firewall model.

Table 1-1 Protocols for which ASPF can be enabled on the USG2000/5000

Location   Protocol

Interzone  DNS, FTP, H.323, ICQ, ILS, MGCP, MMS, MSN, NETBIOS, PPTP, QQ, RTSP, SIP, and SQLNET

Zone       DNS, FTP, H.323, ILS, MGCP, MMS, MSN, NETBIOS, PPTP, QQ, RTSP, SIP, and SQLNET


Run the display interzone command to check whether ASPF has been enabled in an interzone. For example:

[FW] display interzone

interzone trust untrust

 detect ftp

#

The command output shows that ASPF has been enabled for FTP in the Trust-Untrust interzone. Run the display zone command to check whether ASPF has been enabled in a zone. For example:

[FW] display zone

local

 priority is 100

#

trust

 priority is 85

 detect qq

 interface of the zone is (1):

    GigabitEthernet0/0/1

#

untrust

 priority is 5

 interface of the zone is (0):

#

dmz

 priority is 50

 interface of the zone is (0):

#

The command output shows that ASPF has been enabled for QQ in the Trust zone.

If ASPF for a user-defined protocol does not take effect, run the display firewall server-map command to check whether the corresponding server-map entry has been generated. For example:

[FW] display firewall server-map

 server-map item(s)

 ------------------------------------------------------------------------------

Type: STUN,  ANY -> 192.168.0.1:55199,  Zone:---

 Protocol: udp(Appro: stun-derived),  Left-Time:00:04:52,  Pool: ---,

 Vpn: public -> public

The command output shows that the server-map entry has been generated. If the server-map entry does not exist, check whether ACL rules are correctly configured and whether packets can match the ACL rules. If the ACL is incorrect, reconfigure it.


Questions from Dr. WoW:

1. An administrator configures the following security policies in sequence in the Trust-Untrust interzone. What is wrong in the configuration?

• Policy 1: Deny packets destined for 172.16.0.0/24.

• Policy 2: All packets destined for 172.16.0.100.

2. Which dimensions of matching conditions are available for unified security policies on NGFWs?

3. In the networking where an FTP client accesses an FTP server, does ASPF need to be enabled if the FTP client works in passive (PASV) mode?

4. Assuming that OSPF runs on a firewall and the OSPF network type is Broadcast, fill in the blanks in the following configuration script to configure accurate security policies in the Untrust-Local interzone (the OSPF-enabled interface on the firewall is in the Untrust zone).

#

policy interzone local untrust _____________

 policy 1

  action permit

  policy service service-set _____________

#

policy interzone local untrust _____________

 policy 1

  action permit

  policy service service-set _____________

#


user_2790689
Created May 13, 2015 10:10:53 Helpful(0)

Thank you.

ing.estradaes
Created Mar 24, 2017 20:24:09 Helpful(0)

1. An administrator configures the following security policies in sequence in the Trust-Untrust interzone. What is wrong in the configuration?
• Policy 1: Deny packets destined for 172.16.0.0/24.
• Policy 2: All packets destined for 172.16.0.100.

Answer: Policy 1 includes all IP addresses from the segment, so if you want to exclude one IP address it wouldn't be possible. Within policy 2 no action is mentioned.

ing.estradaes
Created Mar 24, 2017 20:49:13 Helpful(0)

Posted by ing.estradaes at 2017-03-24 20:24 1. An administrator configures the following security policies in sequence in the Trust-Untr ...
2. Which dimensions of matching conditions are available for unified security policies on NGFWs?

• Application
• Content
• Time
• User
• Attack
• Location

ing.estradaes
Created Mar 24, 2017 21:25:01 Helpful(0)

Posted by ing.estradaes at 2017-03-24 20:49 2.         Which dimensions of matching conditions are available for unified security pol ...
3. In the networking where an FTP client accesses an FTP server, does ASPF need to be enabled if the FTP client works in passive (PASV) mode?

I guess yes, we need to enable it in both active and PASV modes.

Ammar_Tinawi
Created Oct 9, 2017 12:56:27 Helpful(0)

I am looking for input on whether or not it's a good idea to connect a Huawei USG 9560 firewall directly to the internet connection, or whether I should place it behind a router. Are there any concerns when connecting the USG firewall directly to the internet?

Aminakhan2
Created Oct 17, 2017 15:12:26 Helpful(0)

good one. site

w1
Created May 19, 2018 01:31:58 Helpful(0)

Nice :)