Web: Example for Configuring the FW to Interwork with the HiSec Insight (Mirroring Traffic Through the Switch)

This example describes the typical networking and method for configuring the interworking with the HiSec Insight.

Networking Requirements

The FW can interwork with the HiSec Insight to identify and block malicious sessions. As shown in Figure 1, the FW acts as the RESTCONF server, and the HiSec Insight as the RESTCONF client. The FW and HiSec Insight are reachable, and the FW uses the RESTCONF NBI to communicate with the HiSec Insight.

Service traffic is mirrored by the downstream switch to the HiSec Insight.

Figure 1 Interworking between the FW and HiSec Insight

Configuration Roadmap

Configure an API administrator for authentication for communication between the HiSec Insight and the FW.
Configure northbound RESTCONF interface.
Enable interworking with the HiSec Insight.
Configure the port mirroring function on the switch to mirror service traffic to the HiSec Insight.

Procedure

Set interface IP addresses and assign the interfaces to security zones.
1. Choose Network > Interface.
2. Click of GE0/0/1 and set the parameters as follows.
  
  IP Address
  
  1.1.1.1
  
  Subnet Mask
  
  255.255.255.0
  
  Security Zone
  
  untrust
3. Click OK.
4. Configure GE0/0/2 based on the preceding step.
  
  IP Address
  
  10.1.1.1
  
  Subnet Mask
  
  255.255.255.0
  
  Security Zone
  
  trust
5. Configure GE0/0/3 based on the preceding step.
  
  IP Address
  
  10.1.2.1
  
  Subnet Mask
  
  255.255.255.0
  
  Security Zone
  
  dmz
Configure security policies to ensure that users in the enterprise network, HiSec Insight, and FW can communicate.
1. Configure a security policy to allow the HiSec Insight flow probe to transfer files from the FW's Local zone to the DMZ where the HiSec Insight resides.
2. Choose Policy > Security Policy > Security Policy.
3. Click Add.
4. Configure the following parameters for the security policy.
  
  Name
  
  policy_to_cis
  
  Source Zone
  
  local
  
  Destination Zone
  
  dmz
  
  Action
  
  Permit
5. Click OK.
6. Configure a security policy to allow users in the enterprise network to access the Internet.
  
  Name
  
  policy_to_Internet
  
  Source Zone
  
  trust
  
  Destination Zone
  
  untrust
  
  Action
  
  Permit
Create an API administrator and use local authentication. The user name and password can be customized. After this administrator account is created, remember the user name and password. When the HiSec Insight system communicates with the FW, this administrator account shall be used for authentication.
Choose System > Administrator > Administrator and click Add.
Configure the HiSec Insight interworking function.
1. Choose System > Setup > HiSec Insight Interworking.
2. Enable the HiSec Insight interworking function.
3. Enable RESTCONF.
  You can use the default configuration or modify the configuration according to the actual networking requirements.
4. Enable Blacklist Status to enable the blacklist function.
5. Set other parameters for HiSec Insight interworking.
  You can use the default configuration or modify the configuration according to the actual networking requirements.
6. Click Apply.
Configure the port mirroring function on the switch.
This example uses Huawei S9700 to describe how to configure the port mirroring function. For the configurations of other functions, refer to the product documents of the S9700.
1. Configure GigabitEthernet 0/0/2 as the observing interface.
```
<Switch> system-view
[Switch] observe-port 1 interface GigabitEthernet 0/0/2
```
2. Configure GigabitEthernet 0/0/1 as the mirroring port to mirror incoming traffic.
```
[Switch] interface GigabitEthernet 0/0/1
[Switch-GigabitEthernet0/0/1] port-mirroring to observe-port 1 inbound
[Switch-GigabitEthernet0/0/1] quit
```

IP Address	1.1.1.1
Subnet Mask	255.255.255.0
Security Zone	untrust

IP Address	10.1.1.1
Subnet Mask	255.255.255.0
Security Zone	trust

IP Address	10.1.2.1
Subnet Mask	255.255.255.0
Security Zone	dmz

Name	policy_to_cis
Source Zone	local
Destination Zone	dmz
Action	Permit

Name	policy_to_Internet
Source Zone	trust
Destination Zone	untrust
Action	Permit

Verification

Choose Policy > Security Protection > Blacklist. In the blacklist list, set the cause to HiSec Insight-detection and click Search to check entries added to the FW blacklist through interworking with the HiSec Insight.

Configuration Scripts

#
aaa
  manager-user restconf-admin                                                    
  password cipher @%@%r"4+){k0COFQte$ymxOMEk80.\ACNlhJgDNfvyN*CqfSk83E@%@%      
  service-type api  
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
 #
interface GigabitEthernet0/0/3
 undo shutdown
 ip address 10.1.2.1 255.255.255.0
#
 firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/3
#
api
 api https enable
#
security-policy
 default action permit
 rule name policy_to_cis
  source-zone local
  destination-zone dmz
  action permit
 rule name policy_to_Internet
  source-zone trust
  destination-zone untrust
  action permit
 group name https
#
apt-cis
 linkage enable
#
return