
FAQ-LogCenter IPv6 Session Query

Latest reply: Nov 19, 2016 13:42:35
IPv6 Session Query


You can learn how the firewalls create sessions for IPv6 packets by checking IPv4 session logs on the LogCenter.

The LogCenter supports the following modes of querying IPv6 session logs:

  • IPv6 DS-Lite: You can query session logs generated by the IPv6 DS-Lite function.
  • IPv6 NAT-PT: You can query session logs generated by the IPv6 NAT-PT function.
  • IPv6 NAT64: You can query session logs generated by the IPv6 NAT64 function.

This section describes adaptation of the firewalls in different product forms to different log query modes.

USG6000 V100R001C10/V100R001C20/V100R001C30

Table 4-14 describes adaptation of firewalls of USG6000 V100R001C10/V100R001C20/V100R001C30.

Table 1-1 Adaptation of firewalls of USG6000 V100R001C10/V100R001C20/V100R001C30 to IPv6 session logs

| Query Mode | Log Type | Log Format | Output Mode | Key Configuration Points | Description |
|---|---|---|---|---|---|
| IPv6 DS-Lite | - | - | - | - | The firewalls of these versions do not generate this type of log. Therefore, you cannot view the corresponding logs on the LogCenter. |
| IPv6 NAT-PT | - | - | - | - | The firewalls of these versions do not generate this type of log. Therefore, you cannot view the corresponding logs on the LogCenter. |
| IPv6 NAT64 | - | - | - | - | The firewalls of these versions do not generate this type of log. Therefore, you cannot view the corresponding logs on the LogCenter. |


 
USG9500 V300R001C01

The IPv6 session logs of the firewalls of USG9500 V300R001C01 include session aging logs, session creation logs, and scheduled session logs. Table 4-15 describes the adaptation of the firewalls.


 


If the firewall outputs session aging logs, session creation logs, and scheduled session logs at the same time, the volume of logs received by the LogCenter increases sharply and consumes a large amount of LogCenter storage space. Therefore, be careful in the actual deployment.




Unless otherwise specified, the operator who performs the configurations is the system administrator of the firewalls.

Table 1-2 Adaptation of firewalls of USG9500 V300R001C01 to IPv6 session logs

| Query Mode | Log Type | Log Format | Output Mode | Key Configuration Points | Description |
|---|---|---|---|---|---|
| IPv6 DS-Lite | Session aging logs | Binary | The logs are directly sent to the LogCenter. | 1. In the system view, run the firewall log host command to configure the log host and set the port number to 9002. 2. In the system view, run the firewall log source command to configure the source address and source port used for sending the session logs. 3. In the system view, configure IPv4 auditing policies. 4. If the firewall serves as the CGN, configure the DS-Lite function. | Because the session logs generated by the DS-Lite function are IPv4 session logs, you need to configure the corresponding IPv4 audit policies. For details about configuration instances, see 7.2.2 Checking IPv6 Session Logs on the LogCenter. |
| IPv6 DS-Lite | Session creation logs | Binary | The logs are directly sent to the LogCenter. | 1. In the system view, run the firewall log host command to configure the log host and set the port number to 9002. 2. In the system view, run the firewall log source command to configure the source address and source port used for sending the session logs. 3. In the system view, configure IPv4 auditing policies. 4. If the firewall serves as the CGN, configure the DS-Lite function. 5. In the system view, run the firewall log session new-session enable command to enable the function of generating session creation logs. | Because the session logs generated by the DS-Lite function are IPv4 session logs, you need to configure the corresponding IPv4 audit policies. For details about configuration instances, see 7.2.2 Checking IPv6 Session Logs on the LogCenter. |
| IPv6 DS-Lite | Scheduled session logs | Binary | The logs are directly sent to the LogCenter. | 1. In the system view, run the firewall log host command to configure the log host and set the port number to 9002. 2. In the system view, run the firewall log source command to configure the source address and source port used for sending the session logs. 3. In the system view, configure IPv4 auditing policies. 4. If the firewall serves as the CGN, configure the DS-Lite function. 5. In the system view, run the firewall log session periodic enable command to enable the function of generating session creation logs. Run the firewall log session periodic time-interval command to configure the interval for sending logs. | Because the session logs generated by the DS-Lite function are IPv4 session logs, you need to configure the corresponding IPv4 audit policies. In addition, the session logs generated by the DS-Lite function can also be periodically output. For details about configuration instances, see 7.2.2 Checking IPv6 Session Logs on the LogCenter. |
| IPv6 NAT-PT | - | - | - | - | The firewalls of these versions do not generate this type of log. Therefore, you cannot view the corresponding logs on the LogCenter. |
| IPv6 NAT64 | Session aging logs | Binary | The logs are directly sent to the LogCenter. | 1. In the system view, run the firewall log host command to configure the log host and set the port number to 9002. 2. In the system view, run the firewall log source command to configure the source address and source port used for sending the session logs. 3. In the system view, configure IPv6 auditing policies. 4. Configure the NAT64 function. | Because the session logs generated by the NAT64 function are IPv6 session logs, you need to configure the corresponding IPv6 audit policies. |
| IPv6 NAT64 | Session creation logs | Binary | The logs are directly sent to the LogCenter. | 1. In the system view, run the firewall log host command to configure the log host and set the port number to 9002. 2. In the system view, run the firewall log source command to configure the source address and source port used for sending the session logs. 3. In the system view, configure IPv6 auditing policies. 4. Configure the NAT64 function. 5. In the system view, run the firewall log session new-session enable command to enable the function of generating session creation logs. | Because the session logs generated by the NAT64 function are IPv6 session logs, you need to configure the corresponding IPv6 audit policies. |


 
In addition, IPv6 DS-Lite and IPv6 NAT64 session logs can also be output to the LogCenter in netflow format. You can view log information in Log Analysis > Session Analysis > Netflow Session Query > Netflow DS-Lite or Log Analysis > Session Analysis > Netflow Session Query > Netflow NAT64 on the LogCenter.
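The key configuration points listed for USG9500 V300R001C01 can be checked against a saved firewall configuration before relying on the LogCenter for session visibility. The following Python check is an added example, not code from the original page or from the vendor; the sample configuration is constructed, and the argument layout after each command keyword (host ID, addresses, ports, interval value) is an assumption. Audit policies and the DS-Lite/NAT64 function are not checked because the page does not name their commands.

```python
# Constructed sample of a saved firewall configuration. Only the command
# keywords come from the page; the argument layout is an assumption.
SAMPLE_CONFIG = """\
sysname FW-CGN
firewall log source 192.0.2.1 6000
firewall log host 1 192.0.2.100 9002
firewall log session new-session enable
firewall log session periodic enable
firewall log session periodic time-interval 10
"""

LOGCENTER_PORT = "9002"  # port the page requires for the log host


def audit_session_logging(config_text):
    """Return (findings, enabled_log_types) for the page's key configuration points."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []

    hosts = [ln for ln in lines if ln.startswith("firewall log host ")]
    if not hosts:
        findings.append("missing: firewall log host (no log host configured)")
    elif not any(LOGCENTER_PORT in ln.split()[3:] for ln in hosts):
        findings.append("firewall log host present but port is not 9002")

    if not any(ln.startswith("firewall log source ") for ln in lines):
        findings.append("missing: firewall log source (source address and port)")

    # Assumption: aging logs are produced without an extra enable command,
    # because the page lists none for them.
    enabled = ["aging"]
    if "firewall log session new-session enable" in lines:
        enabled.append("creation")
    periodic = "firewall log session periodic enable" in lines
    has_interval = any(
        ln.startswith("firewall log session periodic time-interval") for ln in lines
    )
    if periodic:
        enabled.append("scheduled")
        if not has_interval:
            findings.append("note: periodic logs enabled, interval not set explicitly")
    elif has_interval:
        findings.append("time-interval set but periodic logs are not enabled")

    # The page warns that enabling all three types sharply increases log volume.
    if len(enabled) == 3:
        findings.append("all three session log types enabled: expect sharp LogCenter storage growth")
    return findings, enabled
```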
