You can check IPv6 session logs on the eLog to see how packets create sessions on the FW.
As shown in Figure 1, the FW, acting as the CGN device, establishes a DS-Lite tunnel to the CPE so that two IPv4 networks can reach each other across the IPv6 network.
You need to check the DS-Lite session logs on the eLog in a timely manner to see how packets create sessions on the FW.
To meet the requirements, you need to consider the following key configuration points:
In this case, data planning for the FW and eLog is shown in Table 1.
| Data Planning on the FW: Interface and IP Address | Data Planning on the FW: Security Policy | Data Planning on the eLog: IP Address | Data Planning on the eLog: Collection Mode | Description |
|---|---|---|---|---|
| Interface connecting to the eLog: GigabitEthernet 0/0/1; security zone: DMZ; IP address: 172.16.81.1/16. Interface connecting to the IPv6 network: GigabitEthernet 0/0/2; security zone: Trust; IP address: 2000::2/64. Interface connecting to the IPv4 network: GigabitEthernet 0/0/3; security zone: Untrust; IP address: 192.168.1.1/24 | Security policy for log traffic. DS-Lite policy for service traffic | 172.16.110.168 | Collection mode: Session. Port: 9002 | The eLog uses the session collection mode, and port 9002 receives the log information. |
Before configuring the FW and eLog, pay attention to the following important check items and complete the configuration based on the actual situation:
The time zone and time of the FW shall be the same as those of the eLog.
If the time zone or time of the FW differs from that of the eLog collector, log query results will be affected. You are advised to use NTP, with both the FW and the eLog configured as clients of the same clock source. If NTP is not deployed on the network, manually adjust the time on the FW so that it is consistent with the eLog.
Specify the method of managing the log source (that is, the FW) on the eLog.
Currently, the eLog supports two FW management methods: manual adding and automatic discovery. Manual adding is recommended because it is simple and requires no extra configuration on the FW. When there are many FWs, you can use automatic discovery instead; this requires SNMP parameters to be configured on the FW.
Check whether the time zone and time of the FW are the same as those of the eLog collector. In the case of inconsistency, run the following commands to adjust the time zone or time of the FW.
# Adjust the time zone of the FW to match the eLog collector. Assume that the eLog collector is in the Beijing time zone, which is 8 hours ahead of Coordinated Universal Time (UTC), so use the add 08:00:00 parameter. If the eLog collector is in a time zone that is behind UTC, use the minus parameter instead.
<FW> clock timezone BJ add 08:00:00
# Adjust the time of the FW to match the eLog collector. Assume that the current time of the eLog collector is 00:00:00 on December 1, 2018.
<FW> clock datetime 0:0:0 2018/12/01
After the preceding configuration, run the display clock command and confirm that the date, time and time zone shown match the eLog collector. The sample output below is generic: on a FW configured as above, the Time Zone field should show the BJ zone with its +08:00 offset rather than the default UTC.
<FW> display clock
2018-12-01 00:00:06
Tuesday
Time Zone(Default Zone Name) : UTC
Daylight saving time :
Name : utc
Repeat mode : repeat
Start year : 2011
End year : 2018
Start time : 01-01 12:11:00
End time : 12-04 01:00:00
Saving time : 01:00:00
If the eLog manages FW through automatic discovery, SNMP parameters must be configured on the FW. However, if the eLog manages FW through manual adding, skip this step.
# Configure SNMP parameters on the FW so that the eLog can discover it automatically. SNMPv3 is more secure than SNMPv1 or SNMPv2c, so you are advised to use SNMPv3, with SHA2-256 as the authentication protocol and AES128 as the encryption protocol. Enable only v3 (snmp-agent sys-info version v3) so that no community-based v1/v2c access remains on the FW.
<FW> system-view
[FW] snmp-agent sys-info version v3
[FW] snmp-agent group v3 group privacy
[FW] snmp-agent usm-user v3 admin group group
[FW] snmp-agent usm-user v3 admin authentication-mode sha2-256
Please configure the authentication password (8-64)
Enter Password:
Confirm Password:
[FW] snmp-agent usm-user v3 admin privacy-mode aes128
Please configure the privacy password (8-64)
Enter Password:
Confirm Password:
Complete the basic configuration such as the configuration of the IP address and security zone of the interface.
# Configure the IP address of the interface and assign the interface to the security zone. Here the interface connecting the firewall to the eLog is taken as an example. If the firewall and eLog belong to different networks, configure a route on the firewall to the eLog.
[FW] interface GigabitEthernet 0/0/1
[FW-GigabitEthernet 0/0/1] ip address 172.16.81.1 16
[FW-GigabitEthernet 0/0/1] quit
[FW] firewall zone dmz
[FW-zone-dmz] add interface GigabitEthernet 0/0/1
[FW-zone-dmz] quit
If the eLog manages firewalls through automatic discovery, run the service-manage snmp permit command on the interface after the ip address 172.16.81.1 16 command so that SNMP access is allowed on this interface only; if the eLog manages firewalls through manual adding, do not run the command, so that the interface does not accept SNMP at all.
Enable IPv6 globally.
[FW] ipv6
Configure the IPv6 address for the interface.
[FW] interface GigabitEthernet 0/0/2
[FW-GigabitEthernet 0/0/2] ipv6 enable
[FW-GigabitEthernet 0/0/2] ipv6 address 2000::2 64
[FW-GigabitEthernet 0/0/2] quit
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 0/0/2
[FW-zone-trust] quit
Configure the security policy.
# Configure the security policies for the service traffic. These two rules permit the DS-Lite tunnel traffic between the FW itself (Local zone, tunnel source 2000::2) and the CPE on the IPv6 network (Trust zone, 2000::/64). Table 1 also plans a security policy for the log traffic from the FW (Local zone) to the eLog in the DMZ; its commands are not shown here, so configure it as required on your version.
[FW] security-policy
[FW-policy-security] rule name policy2
[FW-policy-security-rule-policy2] source-zone local
[FW-policy-security-rule-policy2] destination-zone trust
[FW-policy-security-rule-policy2] destination-address 2000:: 64
[FW-policy-security-rule-policy2] action permit
[FW-policy-security-rule-policy2] quit
[FW-policy-security] rule name policy3
[FW-policy-security-rule-policy3] source-zone trust
[FW-policy-security-rule-policy3] destination-zone local
[FW-policy-security-rule-policy3] source-address 2000:: 64
[FW-policy-security-rule-policy3] action permit
[FW-policy-security-rule-policy3] quit
[FW-policy-security] quit
Configure the DS-Lite tunnel interface.
# Configure the tunnel interface.
[FW] interface Tunnel 1
[FW-Tunnel1] tunnel-protocol ipv4-ipv6 ds-lite
[FW-Tunnel1] source 2000::2
[FW-Tunnel1] ip address 10.10.10.2 24
[FW-Tunnel1] quit
# Add the tunnel interface to the security zone.
[FW] firewall zone trust
[FW-zone-trust] add interface Tunnel 1
[FW-zone-trust] quit
Configure the DS-Lite policy.
# Configure the NAT address pool and use the PAT mode (also the default mode).
[FW] nat address-group 1
[FW-address-group-1] mode pat
[FW-address-group-1] section 0 192.168.1.100 192.168.1.120
[FW-address-group-1] quit
# Configure the DS-Lite NAT policy.
[FW] nat-policy
[FW-policy-nat] rule name policy_nat_1
[FW-policy-nat-rule-policy_nat_1] nat-type ds-lite
[FW-policy-nat-rule-policy_nat_1] source-zone trust
[FW-policy-nat-rule-policy_nat_1] destination-zone untrust
[FW-policy-nat-rule-policy_nat_1] source-address 2000:: 64
[FW-policy-nat-rule-policy_nat_1] action source-nat address-group 1
[FW-policy-nat-rule-policy_nat_1] quit
[FW-policy-nat] quit
# Set the log host to IP address 172.16.110.168 and port 9002 (the port on which the eLog session collector listens), and set the log source to the address of the interface facing the eLog, 172.16.81.1, with source port 6666.
[FW] firewall log host 1 172.16.110.168 9002
[FW] firewall log source 172.16.81.1 6666
Session logs are sent to the log host as UDP datagrams without authentication or encryption, so keep the path between GigabitEthernet 0/0/1 and the eLog inside the DMZ management network and do not route it across the Untrust network.
Enable the session log function.
# Enable session logging in the security policy rules for the service traffic.
[FW] security-policy
[FW-policy-security] rule name policy2
[FW-policy-security-rule-policy2] session logging
[FW-policy-security-rule-policy2] quit
[FW-policy-security] rule name policy3
[FW-policy-security-rule-policy3] session logging
[FW-policy-security-rule-policy3] quit
[FW-policy-security] quit
Configure the session log type according to actual requirements.
If the FW simultaneously outputs session aging logs and session creation logs, the number of logs received by the eLog increases sharply, which consumes the storage space of the eLog. Therefore, perform configuration with caution in practical deployment.
By default, the eLog does not parse session creation logs. If it is required that session creation logs be parsed and displayed on the eLog, open LogCenter/collector/etc/conf/logCollector.xml on the collector, search for IsReceiveSessionBeginLog, and change the value to true.
# If it is required that logs be output as well when sessions are created, run the following commands.
[FW] firewall log session new-session enable
Configure the CPE. Refer to the CPE documentation for the configuration on the CPE. The key items of configuration are briefly introduced below.
# Enable IPv6 globally, configure the interface address, add the interface to the security zone, configure the security policy, and implement basic interworking.
# Configure the DS-Lite tunnel interface, set the encapsulation mode to "IPv4 over IPv6", specify the source address as the IPv6 address of the interface through which the CPE connects to the IPv6 network, specify the destination address as the IPv6 address of the interface through which the CGN connects to the IPv6 network (2000::2), assign the tunnel interface an IPv4 address on the same subnet as the CGN tunnel interface (10.10.10.0/24) but different from the CGN's own address 10.10.10.2, and add the tunnel interface to the security zone.
# Configure the route to the IPv4 network-side of the CGN device. The next hop is the tunnel interface.
Assume that the eLog has been successfully installed; the collector works normally; and the disk space has been planned. Operations for managing log sources and viewing log reports on the eLog are as follows.
For details about how to install and use the eLog, see the product documentation for the corresponding eLog version.
After the configurations are complete, when a user on the IPv4 network-side of the CPE accesses the IPv4 network-side of the firewall CGN device, corresponding DS-Lite sessions are generated on the FW CGN device. After the sessions age, the FW CGN device sends the session logs to the eLog. Then you can check the DS-Lite session logs on the eLog.
Click the IPv6 DS-Lite tab, set a reasonable query time range, and click Search.
The query results are as shown in the following figure. The log information given here is only an example. Log information in different network environments should conform to the actual conditions.

By checking the log information above, the administrator can see in a timely manner how packets create DS-Lite sessions, learn the pre-NAT information of the packets (such as the IP address), and perform NAT source tracing when necessary. Note that in DS-Lite the inner IPv4 address is private and may be reused by many CPEs, so a subscriber is identified by the CPE's tunnel IPv6 address together with the pre-NAT address and port, not by the inner IPv4 address alone.
In addition, the administrator can click the export buttons to export the query results to the corresponding file formats.
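To show what NAT source tracing on these logs involves, the following Python example (added here; it is not code from the page, from Huawei or from the eLog) loads a constructed CSV export of aged DS-Lite session logs and maps a public address, port and protocol observed at a given time back to the CPE's tunnel IPv6 address and pre-NAT inner address. The column names and the export layout are assumptions; the two records that share inner address 10.0.0.5:51234 behind different CPEs are constructed to show why the tunnel IPv6 address, not the inner IPv4 address, identifies the subscriber.

```python
"""Trace a post-NAT address and port seen on the IPv4 side back to the DS-Lite subscriber.

Example code added for this page (not from Huawei or the eLog). The record layout is a
constructed CSV export; the field names are assumptions, not the eLog's own format.
"""
import csv
import io
import ipaddress
from datetime import datetime

# Constructed sample export of aged DS-Lite session logs. Two different CPEs
# (B4 elements 2000::a1 and 2000::b2) both use inner address 10.0.0.5:51234 at the
# same time, so only the tunnel IPv6 address disambiguates them.
SAMPLE_EXPORT = """\
start,end,proto,b4_ipv6,src_before_nat,sport_before_nat,src_after_nat,sport_after_nat,dst,dport
2018-12-01 00:01:10,2018-12-01 00:03:40,tcp,2000::a1,10.0.0.5,51234,192.168.1.100,1025,192.168.1.50,80
2018-12-01 00:01:15,2018-12-01 00:02:00,tcp,2000:0:0::b2,10.0.0.5,51234,192.168.1.100,1026,192.168.1.50,80
2018-12-01 00:04:00,2018-12-01 00:05:30,udp,2000::b2,10.0.0.9,40000,192.168.1.101,1025,192.168.1.53,53
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def load_records(text):
    """Parse the export into dicts with normalized addresses, ints and datetimes."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "start": datetime.strptime(row["start"], TIME_FMT),
            "end": datetime.strptime(row["end"], TIME_FMT),
            "proto": row["proto"].lower(),
            # Normalize so that 2000:0:0::b2 and 2000::b2 compare equal.
            "b4": ipaddress.IPv6Address(row["b4_ipv6"]),
            "src_before": ipaddress.IPv4Address(row["src_before_nat"]),
            "sport_before": int(row["sport_before_nat"]),
            "src_after": ipaddress.IPv4Address(row["src_after_nat"]),
            "sport_after": int(row["sport_after_nat"]),
            "dst": ipaddress.IPv4Address(row["dst"]),
            "dport": int(row["dport"]),
        })
    return records


def trace(records, public_ip, public_port, proto, seen_at):
    """Return (b4_ipv6, inner_src, inner_port) tuples whose NAT binding matches the
    public address/port/protocol observed at time seen_at (same time zone as the FW).

    Zero hits: the session has not aged yet (no log sent) or the clocks differ.
    More than one hit: the same PAT binding appears reused inside the window, which
    points at an FW/eLog clock mismatch rather than at two real subscribers."""
    ip = ipaddress.IPv4Address(public_ip)
    at = datetime.strptime(seen_at, TIME_FMT)
    hits = []
    for r in records:
        if (r["src_after"] == ip and r["sport_after"] == public_port
                and r["proto"] == proto.lower() and r["start"] <= at <= r["end"]):
            hits.append((str(r["b4"]), str(r["src_before"]), r["sport_before"]))
    return hits


def subscribers_for_inner_address(records, inner_ip):
    """List every B4 (CPE) that used a given inner IPv4 address: the inner address
    alone is not an identifier in DS-Lite."""
    ip = ipaddress.IPv4Address(inner_ip)
    return sorted({str(r["b4"]) for r in records if r["src_before"] == ip})


if __name__ == "__main__":
    recs = load_records(SAMPLE_EXPORT)
    print(trace(recs, "192.168.1.100", 1026, "tcp", "2018-12-01 00:01:30"))
    print(subscribers_for_inner_address(recs, "10.0.0.5"))
```

Because the FW sends a session log only after the session ages, a lookup for a still-open session returns nothing; query again after the aging time, and make sure the timestamp you search with is in the FW's time zone, which is why the time-synchronization check earlier in this page matters for tracing.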
This example provides only the configuration script regarding the interworking between the firewall and eLog.
#
 sysname FW
#
 ipv6
#
 firewall log host 1 172.16.110.168 9002
 firewall log source 172.16.81.1 6666
 firewall log session new-session enable
#
interface GigabitEthernet 0/0/1
 ip address 172.16.81.1 255.255.0.0
#
interface GigabitEthernet 0/0/2
 ipv6 enable
 ipv6 address 2000::2/64
#
interface GigabitEthernet 0/0/3
 ip address 192.168.1.1 255.255.255.0
#
nat address-group 1
 mode pat
 section 0 192.168.1.100 192.168.1.120
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/2
 add interface Tunnel1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/3
#
security-policy
 rule name policy2
  session logging
  source-zone local
  destination-zone trust
  destination-address 2000:: 64
  action permit
 rule name policy3
  session logging
  source-zone trust
  destination-zone local
  source-address 2000:: 64
  action permit
#
nat-policy
 rule name policy_nat_1
  nat-type ds-lite
  source-zone trust
  destination-zone untrust
  source-address 2000:: 64
  action source-nat address-group 1
#
interface Tunnel 1
 tunnel-protocol ipv4-ipv6 ds-lite
 source 2000::2
 ip address 10.10.10.2 24
#
snmp-agent
snmp-agent sys-info version v3
snmp-agent group v3 group privacy
snmp-agent usm-user v3 admin group group
snmp-agent usm-user v3 admin authentication-mode sha2-256 cipher %^%#ZgL-L2HsZ<5P]s+:6d)LcBG5)~mdl=te
snmp-agent usm-user v3 admin privacy-mode aes128 cipher %^%#i!rs46cpF"_)d#.cJ,'1>wE_>wE
#
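As an added check (example code written for this page, not Huawei's or the eLog's), the following Python script audits a saved configuration such as the script above for the items this page depends on: a log host and log source, session logging on every permit rule, and SNMP restricted to v3 with SHA2-256 authentication and AES privacy whenever SNMP is configured for auto-discovery, with service-manage snmp permit present only in that case. The embedded sample is a constructed, indented rendering of the script above with the cipher strings redacted; the indentation rules and line patterns are assumptions about how the FW prints its configuration.

```python
"""Audit a Huawei-VRP-style firewall configuration for the eLog session-log prerequisites.

Example code added for this page (not from Huawei or the eLog). The indentation and
line patterns below are assumptions about how the FW displays its configuration.
"""
import re

# Constructed sample: the script from the page, indented one space per nesting level.
SAMPLE_CONFIG = """\
#
 sysname FW
#
 ipv6
#
 firewall log host 1 172.16.110.168 9002
 firewall log source 172.16.81.1 6666
 firewall log session new-session enable
#
interface GigabitEthernet 0/0/1
 ip address 172.16.81.1 255.255.0.0
 service-manage snmp permit
#
security-policy
 rule name policy2
  session logging
  source-zone local
  destination-zone trust
  destination-address 2000:: 64
  action permit
 rule name policy3
  session logging
  source-zone trust
  destination-zone local
  source-address 2000:: 64
  action permit
#
snmp-agent
snmp-agent sys-info version v3
snmp-agent group v3 group privacy
snmp-agent usm-user v3 admin group group
snmp-agent usm-user v3 admin authentication-mode sha2-256 cipher REDACTED
snmp-agent usm-user v3 admin privacy-mode aes128 cipher REDACTED
#
"""

# Constructed weak variant: SNMPv2c community enabled and policy3 permits without logging.
WEAK_CONFIG = (SAMPLE_CONFIG
               .replace("snmp-agent sys-info version v3",
                        "snmp-agent sys-info version v2c v3\nsnmp-agent community read public")
               .replace("rule name policy3\n  session logging\n", "rule name policy3\n"))


def parse_blocks(text):
    """Split the config at '#' separators into blocks of (indent, command) tuples."""
    blocks, cur = [], []
    for raw in text.splitlines():
        if raw.strip() == "#":
            if cur:
                blocks.append(cur)
            cur = []
        elif raw.strip():
            cur.append((len(raw) - len(raw.lstrip()), raw.strip()))
    if cur:
        blocks.append(cur)
    return blocks


def security_rules(blocks):
    """Map each security-policy rule name to its sub-commands."""
    rules, name = {}, None
    for block in blocks:
        if block[0][1] != "security-policy":
            continue
        for _, cmd in block[1:]:
            m = re.fullmatch(r"rule name (\S+)", cmd)
            if m:
                name = m.group(1)
                rules[name] = []
            elif name is not None:
                rules[name].append(cmd)
    return rules


def audit(text):
    """Return a list of findings; an empty list means every checked item is in place."""
    blocks = parse_blocks(text)
    cmds = [cmd for block in blocks for _, cmd in block]
    findings = []

    if not any(c.startswith("firewall log host ") for c in cmds):
        findings.append("no 'firewall log host': session logs have no collector to go to")
    if not any(c.startswith("firewall log source ") for c in cmds):
        findings.append("no 'firewall log source': log packets will leave from an unplanned address")

    for name, subs in security_rules(blocks).items():
        if "action permit" in subs and "session logging" not in subs:
            findings.append(f"security-policy rule {name} permits traffic without 'session logging'")

    snmp = [c for c in cmds if c.startswith("snmp-agent")]
    if snmp:  # SNMP is only needed for eLog auto-discovery; when present it must be v3-only
        for c in snmp:
            if c.startswith("snmp-agent sys-info version"):
                weak = {v for v in c.split()[3:] if v in ("v1", "v2c")}
                if weak:
                    findings.append(f"SNMP {', '.join(sorted(weak))} enabled: use v3 only for eLog discovery")
            if c.startswith("snmp-agent community "):
                findings.append("SNMP community string configured: plaintext credential on the wire")
            m = re.search(r"usm-user v3 (\S+) authentication-mode (\S+)", c)
            if m and not m.group(2).startswith("sha2-"):
                findings.append(f"SNMPv3 user {m.group(1)} uses weak authentication {m.group(2)}")
            m = re.search(r"usm-user v3 (\S+) privacy-mode (\S+)", c)
            if m and not m.group(2).startswith("aes"):
                findings.append(f"SNMPv3 user {m.group(1)} uses weak privacy {m.group(2)}")
        if "service-manage snmp permit" not in cmds:
            findings.append("SNMP configured but no interface has 'service-manage snmp permit'")
    elif "service-manage snmp permit" in cmds:
        findings.append("'service-manage snmp permit' present although SNMP is not configured")
    return findings


if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print(finding)
```

Run it against the output of display current-configuration saved to a file; a clean run returns no findings, and a rule that permits traffic without session logging is the usual reason DS-Lite sessions are missing from the eLog query.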