This post collects the most frequently asked questions about Huawei firewall products, including the USG and Eudemon series, grouped by topic.
| Category | Question | Answer |
| --- | --- | --- |
| License Management | How Do I Obtain COMM Licenses for a Firewall? | COMM licenses need to be obtained in the following scenarios: new site projects and capacity expansion projects. |
| | How Do I Obtain a Temporary License for a Firewall? | To obtain a temporary license, contact Huawei technical support personnel. |
| | How Do I Install a License for a Firewall? | A license can be installed through the following methods: local manual activation and automatic online activation. |
| | What Should I Do When an Incorrect ESN Is Bound with a Firewall License? | You need to change the status of the license to which an incorrect ESN is bound from active to inactive. |
| | How Do I Process the License When the Firewall Software Is Upgraded? | When the software version of a firewall is upgraded, you need to upgrade the license file so that the product version in the license file is the same as the software version of the device. |
| | When Should I Start to Calculate the Activation Time of License Control Items? | The validity periods of the license control items start from the activation time on ESDP. After the license file is generated, download and load it on the device to prevent resource waste. |
| | Do I Need to Upgrade the License When Upgrading the Signature Database? | You do not need to upgrade the license when upgrading the signature database. However, before updating a signature database, ensure that the license for the update service has been purchased and activated. |
| | Does the License Need to Be Migrated When the Firewall Is Replaced? | License migration between devices is required in the following scenarios: license replacement of a spare part, ESN change with a revocation code, and ESN change without a revocation code. |
| | How Do I Change the License Version After the Firewall Software Version Is Upgraded? | After the firewall software version is upgraded, you are not required to upgrade the license file. However, the license control items may change between different versions. Therefore, you are advised to upgrade the license file and reload it to prevent service exceptions. |
| | How Do I Check Whether a Function of a Firewall Needs a License? | |
| | How Do I Restore an Invalidated License After License Migration Between Firewalls Fails? | If a license file fails to be rolled back, fails to be migrated between devices, or fails to be combined with other license files, you need to restore a license file that is available on the device. In this case, perform the documented operations to generate a new license file. |
| | How Do I Configure Automatic Online Activation and License Trial Using the Firewall CLI? | The automatic online activation and license trial functions of the firewall cannot be configured on the CLI. If necessary, perform the operations on the web UI. |
| | Does a License Need to Be Applied for and Loaded for the Hot Standby Function of the Firewall? | The hot standby function of the firewall is not controlled by a license. However, if the two firewalls in a hot standby group need to use other license-controlled functions, such as intrusion prevention and antivirus, you need to apply for and load the corresponding license on each of the two firewalls separately. The two firewalls cannot share a license. The license control item type, resource quantity, and upgrade service expiration time of the two devices must be the same. |
| NAT | How Do I Configure Multiple Mappings for an Internal Server to Provide External Services? | In the scenario where an intranet server advertises multiple public IP addresses for Internet users, if the interfaces with these IP addresses reside in different security zones, you can configure NAT Server to advertise a different public IP address for each security zone. If the interfaces with these IP addresses reside in the same security zone, you can configure NAT Server with no-reverse specified. |
| | What Is the Function of a Blackhole Route? | If addresses in a NAT address pool are on a different network segment from the IP address of the FW WAN interface, configure a blackhole route to prevent loops between the FW and the Internet. |
| | What Are the Differences Between NAT Server and Destination NAT? | NAT Server is a static destination NAT technology. Both NAT Server and policy-based static destination NAT can be used when there are fixed mappings between private and public IP addresses. Policy-based destination NAT can match multiple address ranges in a NAT policy and supports the address exclusion configuration (that is, excluding some addresses from an address range), allowing for flexible configurations. NAT Server is easier to configure, with mappings specified one by one. |
| | In What Sequence Are NAT Policies Matched on the Firewall? | If multiple NAT policies are created, the policies are matched top down. If the traffic matches a NAT policy, the remaining policies are ignored. |
| | In Hot Standby Networking, When Does the NAT Address Pool Need to Be Bound to the VRRP Group? | In active/standby mode, you do not need to manually bind the NAT address pool to the VRRP group. In load balancing hot standby, if addresses in a NAT address pool are not on the same subnet as the address of a VRRP group, you do not need to manually bind the NAT address pool to the VRRP group. If addresses in a NAT address pool are on the same subnet as the address of a VRRP group, you need to manually bind the NAT address pool to the VRRP group. |
| | How Do I Advertise the Routes to the Global IP Addresses of the NAT Address Pool and NAT Server? | If the global IP addresses reside on the same network segment as the interface IP address, you only need to advertise the route to the interface IP address. If the global IP addresses reside on different network segments from the interface IP address, configure blackhole routes for the IP addresses in the NAT address pool or for the global IP address of NAT Server, and then import the static routes into OSPF. |
| | What Should I Do If NAT Mappings Are Unavailable in the Scenario Where Two Egresses Are Deployed on the Firewall? | If NAT mappings are unavailable in the scenario where two egresses are deployed, the possible causes are as follows. Cause 1: The PBR, default route, static route, and blackhole route are not correctly configured. Cause 2: Packets are discarded during forwarding. |
| | In Which Scenarios Must Blackhole Routes Be Configured When NAT Is Configured? | You can configure a blackhole route when configuring NAT on the firewall to prevent packets destined for an address in the NAT address pool or the NAT Server global IP address from being forwarded out of the outgoing interface and then being forwarded by the downstream device back to the firewall. |
| SecoClient | Where Can I Obtain the Product Documentation of SecoClient? | The product documentation of SecoClient includes the administrator guide and the end user access guide. Only the latest version of the SecoClient administrator guide is provided at http://support.huawei.com. For details about the differences between versions, see the Change History section in the document. |
| | Where Can I Download the SecoClient Installation Package? | The SecoClient installation package is released at http://support.huawei.com/enterprise in the same download directory as the firewall software package. Client software installation packages for 32-bit and 64-bit Windows operating systems and the 64-bit MAC operating system are available in the download directory. |
| | Do Huawei USG V500R00x Firewalls Provide VPN Clients? | SecoClient is the VPN remote access client provided by Huawei. It provides secure and convenient VPN access for mobile office users to remotely access resources in enterprise networks. |
| | What Is the Latest Version of SecoClient? | Currently, the latest version of SecoClient is 7.0.2, which is compatible with V500R005C20 of the Huawei USG firewall series. |
| | Which Operating Systems Are Supported by SecoClient? Is There Any Requirement on the Hardware Resources of the System? | SecoClient supports 32-bit and 64-bit Windows operating systems, 32-bit and 64-bit Linux operating systems, and 64-bit MAC operating systems. There is no special requirement on hardware resources such as memory, hard disk, and CPU. |
| | Which VPN Access Technologies Does SecoClient Support? | SecoClient integrates three mainstream VPN access technologies, namely SSL VPN, L2TP VPN, and L2TP over IPSec VPN, to meet users' VPN access requirements in different scenarios. |
| | Which Authentication Methods Does SecoClient Support? | SecoClient provides multiple authentication methods, such as user name and password authentication, certificate-anonymous authentication, certificate-challenge authentication, and two-factor authentication, covering most VPN access scenarios. |
| | Does SecoClient Installation and Running Require Administrator Rights on the Firewall? | To install SecoClient, you must have administrator rights. To run SecoClient, you do not need administrator rights; common users are allowed to run SecoClient. |
| SSL VPN | How Do I Configure Network Extension with Certificate Authentication? | SSL VPN supports certificate-anonymous authentication and certificate-challenge authentication. To configure the network extension function in certificate authentication mode, the administrator needs to upload the CA certificate to the firewall, select a certificate authentication mode when creating a virtual gateway, configure the User Filtering Field and Group Filtering Field, and deliver the client certificate to terminal users. Terminal users can then upload the certificate to the client for identity authentication. |
| | What Authentication Methods Does SSL VPN Provide? | SSL VPN provides the following authentication modes: user name/password authentication, server authentication, and certificate authentication. |
| | How Do I Use the Three Routing Modes in SSL VPN Network Extension? | In split routing mode, network extension forwards only the data destined for the intranet. In full routing mode, all data accessing any resource is delivered to the virtual network card, which forwards it to the virtual gateway. In manual routing mode, the client identifies the data destined for the intranet and forwards it through the virtual network card. |
| | How Do I Configure SSL VPN Authorization for Different Users? | The FW performs access authorization and control based on roles. Users of the same role have the same permissions. Roles determine users' permission control measures, such as accessible resources, host check policies, and allowed login time ranges. You can add users with the same permissions to a role and associate the role with accessible service resources and host check policies. |
| | How Do I Enable Different Users Using the Same Account to Log In to SSL VPN Simultaneously? | After the virtual gateway is created, you can modify it. On the Gateway Configuration page, select "Allow one account to log in at multiple places at the same time"; one account can then be used at different places at the same time to log in to the same virtual gateway. |
| | How Do I Analyze the Security Policies of Each SSL VPN Service? | When a mobile office user accesses the intranet server, FW traffic is classified into encrypted packets for creating SSL VPN tunnels and subsequent service packets. Security policies need to be analyzed based on the traffic of each service. |
| | What Browsers Does the SSL VPN ActiveX Control Support on the Firewall? | When you log in to the SSL VPN gateway using a browser for the first time, you need to install the ActiveX control. SSL VPN features are not available in all browsers. |
| | How Do I Handle the Alarm "Failed to establish the VPN connection. The VPN server may not be unreachable." on the Firewall? | This post describes how to troubleshoot the alarm "Failed to establish the VPN connection. The VPN server may not be unreachable." on the firewall. |
| Log | | You can configure IPv4 session logs on the firewall and check them on the eLog. |
| | Why Is Neither a Traffic Log Nor a Threat Log Displayed on the Firewall Web UI? | After a user logs in to the web page of the FW, only the system log, service log, and alarm information web pages are displayed. Traffic logs and threat logs cannot be queried there. |
| | What Logs Can I See on the Web UI? | When a hard disk or SD card is available, you can view and export logs on the web UI. For devices of certain models, you can view only certain logs on a log node on the web UI even if no hard disk or SD card is available. |
| | What Are the Storage Paths of Logs and How Do I View Logs? | When packets pass through the FW and the corresponding log generation and recording conditions are met, the log module of the FW assembles the log according to the configured log format. The FW then sends the logs to the log server or other storage paths. End users can view the logs in the paths where they are stored. |
| | | There is no export button on the Log web page because the administrator is not allowed to export reports or no hard disk is mounted on the device. |
| | How Do I View Threat Logs on the Firewall? | Threat logs can be viewed on the web page. They help you learn what threats have occurred or are occurring and adjust the security policies for better attack defense. |
| | How Do I Manually Delete Logs on the Firewall? | When the storage space used by logs from a module reaches or exceeds the Alarm Threshold, you can manually clear logs to release disk space. |
| | | The firewall provides multiple log storage paths. The paths for storing logs of different types are different. |
| | How Many Logs Can Be Queried at Once on the Web Page of the Firewall? | A maximum of 100 logs can be displayed on each web page. If the number of logs that meet the query conditions exceeds 10000, the firewall stops the query and displays 10000 in the lower right corner of the page. That is, a maximum of 10000 logs can be queried at once. |
| System Forwarding | | The following types of server map entries are available: SA, ASPF, SA ASPF, STUN, STUN Reverse, NAT Server, NAT Server Reverse, No-Pat, No-Pat Reverse, SLB, SLB Reverse, and Unknown. |
| | What Does It Mean When the policyname Field in the Session Table Details Is Displayed as ---? | The policyname field in the session table details indicates the name of the security policy matched by packets. If this field is displayed as ---, the packets corresponding to the session are in policy pending state or do not require a security policy check. |
| | How Can I View the Default Aging Time of a Session? | You can run the `display firewall session aging-time` command to view the session aging time of each protocol, including the default aging time (Default-Time) and the configured aging time (Timeout). |
| | How Can I Export the Session Table? | The FW can export session information to a log server. For details about how to configure session log output, see Configuring Session Log Output. |
| | How Can I Configure the Aging Time of DNS Sessions? | DNS session aging is classified into normal aging and fast aging. The normal aging time of DNS sessions can be configured using the `firewall session aging-time service-set dns aging-time` command. The fast aging function of DNS sessions can be enabled using the `firewall dns fast-aging enable` command. |
| | | For some special services, for example, when a user downloads a large file using FTP, the interval between two consecutive packets of a session may be longer than the FTP session aging time. In this case, the user needs to reconnect to the FTP server, affecting user experience. You can configure a security policy-based persistent connection to set an extended aging time for such service traffic. For details about how to configure a persistent connection, see Configuring a Persistent Connection. |
| | How Do I Disable Session Status Detection on the Firewall? | You can disable session status detection in either of the following ways: disable status detection on the web UI, or disable status detection on the CLI. |
| | What Is the Meaning of the Firewall Session Table Content? | Run the `display firewall session table verbose` command to view firewall session table information. |
| | How Can I View Hardware Fast Forwarding Information on the Firewall? | A series of commands is provided to view hardware fast forwarding information. |
| | How Shall I Analyze Captured Packets on the Firewall? | Packet capture is a basic method for locating faults. What the packet analysis focuses on varies with the purpose of the capture. |
| System Management | What Should I Do If I Forgot the Administrator Password? | If the administrator account/password (including the console port password) is forgotten, another administrator account of level 3 or above can be used to log in to the device through another login method to recover the password. When the console port password is also forgotten and there is no other high-level administrator account on the device, you need to enter the BootLoader to recover the password. |
| | How Do I Locate and Analyze an NTP Fault on the Firewall? | When an NTP running fault occurs, you can debug NTP using maintenance commands. By checking the debugging messages, you can locate and analyze the fault. |
| Hardware | How Do I Locate the Fault When the Power Supply of the Firewall Is Faulty? | When a power module is faulty, you are advised to use the described methods to locate and analyze the fault. |
| | How Do I Locate an Optical Module Fault? | When the described faults occur on an optical module, you can locate and rectify them quickly. |
| | | If a hard disk is faulty (for example, a hard disk failure log is generated on the firewall), you can replace the hard disk. |
| IPSec | How Do I Check the IPSec SA Negotiation Failure Reason on the Firewall? | IPSec SA negotiation failure is one of the core issues in IPSec faults. This post describes how to troubleshoot IPSec SA negotiation failures. |
| | How Can I Rectify the Service Interruption After an IPSec Tunnel Is Established on the Firewall? | Another typical IPSec fault symptom is that services become abnormal after an IPSec tunnel is established on the firewall. |
| | What Can I Do If the Service Quality Is Poor After an IPSec Tunnel Is Established Successfully on the Firewall? | During the data transmission stage, service abnormalities such as poor quality are another possible fault symptom. |
| | What Ports Must Be Open to Use IPSec on the Firewall? | IPSec was developed to address some of the security flaws of IP. It works at the IP layer to provide transparent security services for IP network communication. To use IPSec on a firewall, enable the corresponding ports to send and receive the following packets: 1. UDP packets with destination ports 500 and 4500; 2. IP packets with protocols AH and ESP. |
| Content Security | | A signature database supports automatic online update, manual online update, and local update. |
| | What Should I Do If File Blocking Is Configured But Does Not Take Effect on the Firewall? | If file blocking does not take effect, perform the following operations: 1. Check whether the networking is correct. 2. Check whether the device runs properly. 3. Check whether the configuration is correct. |
| | How Do I Determine Whether Audit Logs Are Not Displayed Due to Configurations on the Firewall? | You can run the `display audit statistics` command in the diagnose view to check audit log statistics. Pay attention to the values of Total Log Send Count and Total Log Drop Count. |
| | | If an antivirus policy is configured on the device but no antivirus logs are generated after virus traffic passes through the firewall, perform the following operations: 1. Check whether the networking is correct. 2. Check whether the device runs properly. 3. Check whether the configuration is correct. 4. Check whether the log system works properly. |
| | | If connection failures occasionally occur when users send email messages after the default IPS policy is configured, perform the following operations: 1. Check whether the connection failures are caused by the IPS function; when the IPS function takes effect, intrusion logs are generated. 2. If it is confirmed that the failures are caused by the IPS function, configure the IPS signatures to be permitted as exception signatures and set their actions to alert or permit as a temporary workaround. |