What are the basic configuration commands of Huawei usg firewall?

Step one. Log in to the firewall with its default configuration and change the firewall name.

Like a router, a firewall has a console interface. Connect the console interface to the computer's COM port with a console cable; you can then reach the firewall with the HyperTerminal software that comes with the Windows operating system.

The firewall's default configuration includes a user name and password. The user name is admin and the password is Admin@123, so enter both when logging in; they are case-sensitive.

The firewall name is changed the same way as a router name.

Note also that firewalls, like routers, run the VRP platform operating system, so the command levels and command help are the same as on routers.

<SRG>system-view
13:47:28 2014/07/04
Enter system view, return user view with Ctrl+Z.
[SRG]sysname FW
13:47:32 2014/07/04

Step two. Modify the time and time zone information of the firewall.

By default, the firewall does not define a time zone, so the system time may not match the actual time. Define the time and time zone to suit the actual situation. In this experiment we set the time zone to East Eight (UTC+08:00), standard time.

<FW>clock timezone 1 add 08:00:00
13:50:57 2014/07/04
<FW>dis clock
21:51:15 2014/07/03
2014-07-03 21:51:15
Thursday
Time Zone : 1 add 08:00:00
<FW>clock datetime 13:53:44 2014/07/04
21:53:29 2014/07/03
<FW>dis clock
13:54:04 2014/07/04
2014-07-04 13:54:04
Friday
Time Zone : 1 add 08:00:00

Step three. Modify firewall login banner information

By default, the following banner is displayed after a successful login.

Please Press ENTER.
Login authentication
Username:admin
Password:*******
NOTICE:This is a private communication system.
       Unauthorized access or uses may lead to prosecution.

The firewall uses this message to warn against unauthorized access.

In practice, the administrator can change the login banner as needed. There are two kinds: the message shown before login and the message shown after a successful login.

[FW]header login information ^
14:01:21 2014/07/04
Info: The banner text supports 220 characters max, including the start and the end character. If you want to enter more than this, use banner file instead.
Input banner text, and quit with the character '^':
Welcome to USG5500^
[FW]header shell information ^
14:02:54 2014/07/04
Info: The banner text supports 220 characters max, including the start and the end character. If you want to enter more than this, use banner file instead.
Input banner text, and quit with the character '^':
Welcome to USG5500
You are logging in to the system, please do not delete the system configuration files^

After the configuration is complete, log out of the system, then log in again to check that the banners take effect.

Please Press ENTER.
Welcome to USG5500
Login authentication
Username:admin
Password:*******
Welcome to USG5500
You are logging in to the system, please do not delete the system configuration files
NOTICE:This is a private communication system.
       Unauthorized access or uses may lead to prosecution.

Note that the default notice is always displayed; it does not disappear and is not replaced by the custom banners.

Step four. Modify the user name and password for logging into the firewall.

By default the firewall uses the user name admin and the password Admin@123; both can be changed as needed. In this experiment we create a new user with level 3, the user name user1 and the password Huawei@123. Note that by default, console login only allows administrators to log in, so the console interface's authentication mode must be set to aaa for the newly created user to take effect. The configuration must also specify the scope in which the user name may be used; in this lab, terminal is selected, meaning the credentials are used for login authentication through the console port.

[FW]aaa
14:15:43 2014/07/04
[FW-aaa]local-user user1 pass
[FW-aaa]local-user user1 password cipher Huawei@123
14:16:08 2014/07/04
[FW-aaa]local-user user1 service-type terminal
14:16:28 2014/07/04
[FW-aaa]local-user user1 level 3
14:16:38 2014/07/04
[FW-aaa]q
14:16:43 2014/07/04
[FW]user-interface console 0
14:16:57 2014/07/04
[FW-ui-console0]authentication-mode aaa

Exit the system and test whether the new user name and password take effect.

Please Press ENTER.
Welcome to USG5500
Login authentication
Username:user1
Password:********
Welcome to USG5500
You are logging in to the system, please do not delete the system configuration files
NOTICE:This is a private communication system.
       Unauthorized access or uses may lead to prosecution.
<FW>

Step five. Learn how to view, save and delete configurations.

Use commands on the firewall to view the running and saved configurations: display current-configuration shows the running configuration, and display saved-configuration shows the saved configuration.

<FW>display current-configuration
14:27:01 2014/07/04
#
stp region-configuration
 region-name f0a7e2157008
 active region-configuration
#
interface GigabitEthernet0/0/0
 alias GE0/MGMT
 ip address 192.168.0.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 192.168.0.1
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
 alias NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
#
firewall zone untrust
 set priority 5
#
firewall zone dmz
 set priority 50
#
aaa
 local-user admin password cipher % $% $ s $] c% xv6 (/| baq $ [t; x " G >; 5%$%$
 local-user admin service-type web terminal telnet
 local-user admin level 15
 local-user user1 password cipher %$%$tY4Z:`xG0/G! 1^C)2[48"%yp%$%$
 local-user user1 service-type terminal
 local-user user1 level 3
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 #
#
nqa-jitter tag-version 1
#
header shell information "Welcome to USG5500
You are logging in to the system, please do not delete the system configuration files"
header login information "Welcome to USG5500"
banner enable
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 authentication-mode none
 protocol inbound all
#
slb
#
right-manager server-group
#
sysname FW
#
l2tp domain suffix-separator @
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
#
ip df-unreachables enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dns resolve
#
firewall statistic system enable
#
pki ocsp response cache refresh interval 0
pki ocsp response cache number 0
#
undo dns proxy
#
license-server domain lic.huawei.com
#
web-manager enable
#
return

Save the configuration and view the saved configuration information.

<FW>save
14:29:29 2014/07/04
The current configuration will be written to the device.
Are you sure to continue?[Y/N]y
2014-07-04 14:29:31 FW %%01CFM/4/SAVE(l): When deciding whether to save the configuration, the user chose Y.
Do you want to synchronically save the configuration to the startup saved-configuration file on peer device?[Y/N]:y
Now saving the current configuration to the device...
Info: The current configuration was saved to the device successfully.

<FW>display saved-configuration
14:27:48 2014/07/04
# CLI_VERSION=V300R001
# Last configuration was changed at 2014/07/04 13:56:09 from console0
#*****BEGIN****public****#
#
interface GigabitEthernet0/0/0
 alias GE0/MGMT
 ip address 192.168.0.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 192.168.0.1
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
 alias NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
#
firewall zone untrust
 set priority 5
#
firewall zone dmz
 set priority 50
#
aaa
 local-user admin password cipher % $% $ s $] c% xv6 (/| baq $ [t; x " G >; 5%$%$
 local-user admin service-type web terminal telnet
 local-user admin level 15
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 #
#
nqa-jitter tag-version 1
#
banner enable
#
user-interface con 0
 authentication-mode none
user-interface vty 0 4
 authentication-mode none
 protocol inbound all
#
slb
#
right-manager server-group
#
sysname FW
#
l2tp domain suffix-separator @
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
#
ip df-unreachables enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dns resolve
#
firewall statistic system enable
#
pki ocsp response cache refresh interval 0
pki ocsp response cache number 0
#
undo dns proxy
#
license-server domain lic.huawei.com
#
web-manager enable
#
return
#-END-#

Use the delete flash:/vrpcfg.zip command to delete the saved configuration.
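
The configuration output in step five contains management-plane settings worth checking before a device leaves the lab: user interfaces with authentication-mode none, VTY lines with protocol inbound all, a telnet service type for admin, and interzone filters whose default action is permit. The Python audit below is an added example, not part of the original article or any Huawei tool; the sample configuration is constructed from the output above, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the lab's display output (trimmed to the relevant views).
SAMPLE_CONFIG = """\
aaa
 local-user admin service-type web terminal telnet
 local-user user1 service-type terminal
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 authentication-mode none
 protocol inbound all
#
firewall packet-filter default permit interzone local trust direction inbound
"""

def parse_sections(text):
    """Group indented sub-commands under the unindented line that opens their view."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "return":
            continue  # separators and the trailing 'return' carry no settings
        if raw[0].isspace() and sections:
            sections[-1][1].append(line)
        else:
            sections.append((line, []))
    return sections

def audit(text):
    """Return (location, issue) pairs for weak management-plane settings."""
    findings = []
    for header, body in parse_sections(text):
        if header.startswith("user-interface"):
            if "authentication-mode none" in body:
                findings.append((header, "login without authentication"))
            if header.startswith("user-interface vty") and "protocol inbound all" in body:
                findings.append((header, "Telnet accepted alongside SSH"))
        elif header == "aaa":
            for cmd in body:
                m = re.match(r"local-user (\S+) service-type (.+)", cmd)
                if m and "telnet" in m.group(2).split():
                    findings.append(("local-user " + m.group(1), "Telnet login allowed"))
        elif header.startswith("firewall packet-filter default permit interzone "):
            findings.append((header, "interzone default action is permit"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```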

Step six. Configure the interface address.

Configure G0/0/1: 10.0.2.1/24; G0/0/0: 10.0.1.1/24; G0/0/2: 10.0.3.1/24.

[FW]interface g0/0/2
16:12:58 2014/07/04
[FW-GigabitEthernet0/0/2]ip address 10.0.3.1 24
16:13:21 2014/07/04
[FW-GigabitEthernet0/0/2]interface g0/0/0
16:13:32 2014/07/04
[FW-GigabitEthernet0/0/0]undo ip add
16:14:02 2014/07/04
[FW-GigabitEthernet0/0/0]ip address 10.0.1.1 24
16:14:14 2014/07/04
[FW-GigabitEthernet0/0/0]interface g0/0/1
16:14:36 2014/07/04
[FW-GigabitEthernet0/0/1]ip address 10.0.2.1 24
16:14:50 2014/07/04
[FW-GigabitEthernet0/0/1]q
16:14:52 2014/07/04
[FW]

On switch S1, configure interface G0/0/21 to belong to VLAN 1, interface G0/0/22 to belong to VLAN 2, and interface G0/0/23 to belong to VLAN 3. Configure the IP address of the vlanif2 interface.

[Huawei]sysname S1
[S1]vlan batch 2 3
[S1]interface g0/0/21
[S1-GigabitEthernet0/0/21]port link-type access
[S1-GigabitEthernet0/0/21]port default vlan 1
[S1-GigabitEthernet0/0/21]interface g0/0/22
[S1-GigabitEthernet0/0/22]port link-type access
[S1-GigabitEthernet0/0/22]port default vlan 2
[S1-GigabitEthernet0/0/22]interface g0/0/23
[S1-GigabitEthernet0/0/23]port link-type access
[S1-GigabitEthernet0/0/23]port default vlan 3
[S1-GigabitEthernet0/0/23]interface vlanif 1
[S1-Vlanif1]ip address 10.0.1.2 24
[S1-Vlanif1]interface vlanif 2
[S1-Vlanif2]ip address 10.0.2.2 24
[S1-Vlanif2]interface vlanif 3
[S1-Vlanif3]ip address 10.0.3.2 24

Add G0/0/0, G0/0/1 and G0/0/2 to the trust zone, then test the connectivity of the three ports (make sure they are not in the untrust zone before adding them to the trust zone).

[FW]firewall zone trust
16:39:40 2014/07/04
[FW-zone-trust]add interface g0/0/2
16:40:05 2014/07/04
[FW-zone-trust]add interface g0/0/3
16:41:59 2014/07/04
[FW-zone-trust]add interface g0/0/1
[FW-zone-trust]q

[S1]ping -c 1 10.0.1.1
PING 10.0.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=255 time=50 ms
--- 10.0.1.1 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 50/50/50 ms

[S1]ping -c 1 10.0.2.1
PING 10.0.2.1: 56 data bytes, press CTRL_C to break
Reply from 10.0.2.1: bytes=56 Sequence=1 ttl=255 time=50 ms
--- 10.0.2.1 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 50/50/50 ms

[S1]ping -c 1 10.0.3.1
PING 10.0.3.1: 56 data bytes, press CTRL_C to break
Reply from 10.0.3.1: bytes=56 Sequence=1 ttl=255 time=60 ms
--- 10.0.3.1 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 60/60/60 ms