
CLI: Example for Sending Port Pre-Allocation Logs to the eLog Log Host

The administrator checks NAT-Port Range logs on the eLog to know about the pre-allocation and incremental allocation of ports on the FW.

Networking Requirements

As shown in Figure 1, the firewall, as the CGN device, establishes a DS-Lite tunnel to the CPE, enabling mutual access between two IPv4 networks across the IPv6 network. To properly allocate port resources, configure the port pre-allocation and incremental allocation functions when configuring DS-Lite on the firewall CGN device.

You need to check NAT-Port Range logs on the eLog to understand the pre-allocation and incremental allocation of ports and, when necessary, perform address source tracing.

The administrator wants to check port pre-allocation logs on the eLog to understand the pre-allocation and incremental allocation of ports and, when necessary, perform address source tracing.

Figure 1 Networking diagram of checking NAT-Port Range logs on the eLog

Configuration Roadmap

To meet the requirements, you need to consider the following key configuration points:

  • Configure, on the firewall, the DS-Lite function that carries the port pre-allocation and incremental allocation function, set the interfacing parameters, and output the logs to the eLog.
  • After the eLog is installed, discover the log source (that is, the firewall) on the eLog and associate the collector with the log source.

Data Planning

In this example, data planning for the FW and eLog is shown in Table 1.

Table 1 Data planning

Data Planning on the FW

  Interface and IP Address:

    • Interface connecting to the eLog: GigabitEthernet 0/0/1
    • Associated security zone: DMZ
    • IP address: 172.16.81.1/16

  Security Policy:

    Security policy for log traffic:

      • Source security zone: Local
      • Destination security zone: DMZ
      • Destination IP address: 172.16.110.168/32
      • Action: Permit

    DS-Lite policy for service traffic:

      • Source security zone: Trust
      • Destination security zone: Untrust
      • Source IP address: 2000::/64
      • Action: dslite
      • NAT address pool: 1

Data Planning on the eLog

  • IP address: 172.16.110.168
  • Collection mode: Syslog
  • Port: 514

Description

  The syslog collection mode is used for the eLog, and port 514 is used to receive log information.

Procedure

  1. Important check items before configuration

    Before configuring the FW and eLog, pay attention to the following important check items and complete the configuration based on the actual situation:

    • The time zone and time of the FW shall be the same as those of the eLog.

      If the time zone or time of the FW differs from that of the eLog collector, log query results will be affected. You are advised to use NTP, with both the FW and the eLog configured as NTP clients that synchronize time from the same clock source. If NTP is not deployed on the network, you can manually adjust the time on the FW to keep the FW and eLog consistent.

    • Specify the method of managing the log source (that is, the FW) on the eLog.

      Currently, the eLog supports two FW management methods: manual adding and automatic discovery. You are advised to manually add the FW because this method is simple and requires no extra configuration on the FW. When there are a large number of FWs, you can use automatic discovery instead; this method requires SNMP parameters to be set on the FW.

  2. Configure the FW.

    1. Check whether the time zone and time of the FW are the same as those of the eLog collector. In the case of inconsistency, run the following commands to adjust the time zone or time of the FW.

      # Adjust the time zone of the FW to keep it consistent with that of the eLog collector. Assume that the eLog collector is in the Beijing time zone, which is 8 hours ahead of Coordinated Universal Time (UTC), so use the add 08:00:00 parameter. If the eLog collector is in a time zone that is behind UTC, use the minus parameter.

      <FW> clock timezone BJ add 08:00:00

      # Adjust the time of the FW to keep consistency with that of the eLog collector. Assume that the current time of the eLog collector is 00:00:00 on December 1, 2018.

      <FW> clock datetime 0:0:0 2018/12/01

      After the preceding configuration, run the display clock command to view configuration results.

      <FW> display clock
      2018-12-01 00:00:06
      Tuesday
      Time Zone(Default Zone Name) : UTC
      Daylight saving time :
               Name        : utc
               Repeat mode : repeat
               Start year  : 2011
               End year    : 2018
               Start time  : 01-01 12:11:00
               End time    : 12-04 01:00:00
               Saving time : 01:00:00
    2. If the eLog manages the FW through automatic discovery, SNMP parameters must be configured on the FW. If the eLog manages the FW through manual adding, skip this step.

      # Configure SNMP parameters on the FW so that it can be automatically discovered by the eLog. Because SNMPv3 is more secure than SNMPv1 or SNMPv2c, you are advised to use SNMPv3, with SHA2-256 as the authentication protocol and AES128 as the encryption protocol.

      <FW> system-view 
      [FW] snmp-agent sys-info version v3 
      [FW] snmp-agent group v3 group privacy 
      [FW] snmp-agent usm-user v3 admin group group
      [FW] snmp-agent usm-user v3 admin authentication-mode sha2-256
      Please configure the authentication password (8-64) 
      Enter Password:                                                                  
      Confirm Password:
      [FW] snmp-agent usm-user v3 admin privacy-mode aes128 
      Please configure the authentication password (8-64) 
      Enter Password:                                                                  
      Confirm Password:
    3. Complete the basic configuration such as the configuration of the IP address and security zone of the interface.

      # Configure the IP address of the interface and assign the interface to the security zone. Here the interface connecting the firewall to the eLog is taken as an example. If the firewall and eLog belong to different networks, configure a route on the firewall to the eLog.

      [FW] interface GigabitEthernet 0/0/1 
      [FW-GigabitEthernet 0/0/1] ip address 172.16.81.1 16 
      [FW-GigabitEthernet 0/0/1] quit 
      [FW] firewall zone dmz 
      [FW-zone-dmz] add interface GigabitEthernet 0/0/1 
      [FW-zone-dmz] quit

      If the eLog manages firewalls through automatic discovery, you need to run the service-manage SNMP permit command to enable the access permission on SNMP after running the ip address 172.16.81.1 16 command; if the eLog manages firewalls through manual adding, you do not need to run the command.

    4. Enable IPv6 globally.

      [FW] ipv6
    5. Configure the IPv6 address for the interface.

      [FW] interface GigabitEthernet 0/0/2
      [FW-GigabitEthernet 0/0/2] ipv6 enable
      [FW-GigabitEthernet 0/0/2] ipv6 address 2000::2 64
      [FW-GigabitEthernet 0/0/2] quit
      [FW] firewall zone trust
      [FW-zone-trust] add interface GigabitEthernet 0/0/2
      [FW-zone-trust] quit
    6. Configure the security policy.

      # Configure the security policy for log traffic.

      [FW] security-policy
      [FW-policy-security] rule name policy1
      [FW-policy-security-rule-policy1] source-zone local
      [FW-policy-security-rule-policy1] destination-zone dmz
      [FW-policy-security-rule-policy1] destination-address 172.16.110.168 32
      [FW-policy-security-rule-policy1] action permit
      [FW-policy-security-rule-policy1] quit
      [FW-policy-security] quit

      # Configure the security policy for service traffic.

      [FW] security-policy
      [FW-policy-security] rule name policy2
      [FW-policy-security-rule-policy2] source-zone local
      [FW-policy-security-rule-policy2] destination-zone trust
      [FW-policy-security-rule-policy2] destination-address 2000:: 64
      [FW-policy-security-rule-policy2] action permit
      [FW-policy-security-rule-policy2] quit
      [FW-policy-security] rule name policy3
      [FW-policy-security-rule-policy3] source-zone trust
      [FW-policy-security-rule-policy3] destination-zone local
      [FW-policy-security-rule-policy3] source-address 2000:: 64
      [FW-policy-security-rule-policy3] action permit
      [FW-policy-security-rule-policy3] quit
      [FW-policy-security] quit
    7. Configure the DS-Lite tunnel interface.

      # Configure the tunnel interface.

      [FW] interface Tunnel 1
      [FW-Tunnel1] tunnel-protocol ipv4-ipv6 ds-lite
      [FW-Tunnel1] source 2000::2
      [FW-Tunnel1] ip address 10.10.10.2 24
      [FW-Tunnel1] quit

      # Add the tunnel interface to the security zone.

      [FW] firewall zone trust
      [FW-zone-trust] add interface Tunnel 1
      [FW-zone-trust] quit
    8. Configure the DS-Lite policy.

      # Configure the NAT address pool, where the size of the pre-allocated port block is 256, and the number of times of incremental allocation is 1.

      [FW] nat address-group 1
      [FW-address-group-1] section 0 192.168.1.100 192.168.1.120
      [FW-address-group-1] port-block-size 256 extended-times 1
      [FW-address-group-1] quit

      # Configure the DS-Lite NAT policy.

      [FW] nat-policy
      [FW-policy-nat] rule name policy_nat_1
      [FW-policy-nat-rule-policy_nat_1] nat-type ds-lite
      [FW-policy-nat-rule-policy_nat_1] source-zone trust
      [FW-policy-nat-rule-policy_nat_1] destination-zone untrust
      [FW-policy-nat-rule-policy_nat_1] source-address 2000:: 64
      [FW-policy-nat-rule-policy_nat_1] action source-nat address-group 1
      [FW-policy-nat-rule-policy_nat_1] quit
      [FW-policy-nat] quit
    9. Enable the NAT-Port Range log sending function.

      # Enable the function of sending logs at the time of port-block allocation and recycle.

      [FW] nat port-block assigning syslog enable
      [FW] nat port-block freeing syslog enable

      # Enable the port-block keepalive log sending function and set the time interval of sending to 1200s.

      [FW] nat port-block keepalive syslog enable
      [FW] nat port-block keepalive syslog timer 1200
    10. Configure the log host.

      # Set the IP address and port of the log host respectively to 172.16.110.168 and 514 (the eLog collects logs using the syslog method).

      [FW] nat port-block syslog host 172.16.110.168 514 source FW_2 172.16.81.1 6666
    11. Configure the timestamp for the log header.

      # By default, the firewall CGN uses the UTC time for sending NAT-Port Range logs. If the time used by both the firewall CGN and eLog is set to the Beijing time zone, the mapping generation time of NAT-Port Range logs observed on the eLog is 8 hours earlier than the log receiving time. If it is required that the generation time of NAT-Port Range logs be consistent with the local time, run the following commands so that the firewall CGN uses the local time when sending NAT-Port Range logs.

      [FW] firewall log syslog header default timestamp local
    12. Configure the CPE. Refer to the CPE documentation for the configuration on the CPE. The key items of configuration are briefly introduced below.

      # Enable IPv6 globally, configure the interface address, add the interface to the security zone, configure the security policy, and implement basic interworking.

      # Configure the DS-Lite tunnel interface (tunnel interface), configure the encapsulation mode to "IPv4 over IPv6", specify the source address to be the IPv6 address of the interface through which the CPE connects to the IPv6 network, specify the destination address to be the IPv6 address of the interface through which the CGN connects to the IPv6 network, set the IPv4 address of the tunnel interface to 10.10.10.2, and add the tunnel interface to the security zone.

      # Configure the route to the IPv4 network-side of the CGN device. The next hop is the tunnel interface.

  3. Configure the eLog.

    Assume that the eLog has been successfully installed; the collector works normally; and the disk space has been planned. Operations for managing log sources and viewing log reports on the eLog are as follows.

    For details about how to install and use the eLog, see the product documentation of the corresponding version in Technical Support > Product Support > Documentation > Security > eLog.

    1. Log in to the eLog using an administrator account.
    2. Choose System > System Management > Log Source List.
    3. Select the log source management method, manual adding or automatic discovery. Manual adding is recommended.

      • Manage log sources by manually adding them:

        1. Click and set the following parameters.

        2. Click OK. A message is displayed, indicating the configuration success.
        3. Click OK.

      • Manage log sources by automatically discovering them:

        1. Click and set the following parameters. The authentication and authorization protocol and password as well as the data encryption protocol and password must be consistent with the configuration on the FW.

          If there are many log sources on the network and these log sources are configured with the same SNMP parameters, you can create an SNMP parameter template on the eLog in advance, set the automatic discovery mode, and reference the SNMP parameter template to reduce the configuration workload.

        2. Click Start Discovery.
        3. After discovery is complete, the discovery result shows information about discovered log sources. In the Discovery Result dialog box, click Close.

    4. Choose System > System Management > Service Management.
    5. Click next to the collector. Then click in the Operation column of the collector.

      The collector configuration window is displayed.

    6. Click .
    7. Select the log source to be associated.
    8. Click Next and configure the log collection mode.

      Configure the corresponding log collection mode on the eLog, select SYSLOG, and set the port number to 514. If the FW supports the UTM feature, select Enable the UTM feature.

    9. Click Finish.

Viewing Log Information

After the configurations are complete, if a user on the IPv4 network of the CPE accesses the IPv4 network of the CGN device, the firewall CGN device sends the log to the eLog when assigning port blocks to the CPE and when recycling port blocks. Port-block keepalive logs are sent to the eLog as well. You can check the NAT-Port Range logs on the eLog.

  1. Choose Session Analysis > NAT-Port Range Query.
  2. Set a reasonable query time range and click Search.

  3. The query results are as shown in the following figure. The log information given here is only an example. Log information in different network environments should conform to the actual conditions.

    By checking the log information above, you can know about the pre-allocation and incremental allocation of ports in time and, when necessary, perform address source tracing.
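As an added illustration (not Huawei's code, and the log records are a constructed shape rather than the firewall's real NAT-Port Range syslog format), the following Python model uses this page's address pool, port-block-size 256 and extended-times 1 to show when assigning, freeing and keepalive records are produced and how a logged public address and port is traced back to the private user; the lowest pool port (1024) and the user address 2000::10 are assumptions.

```python
from datetime import datetime, timedelta

# From this page's example: pool 192.168.1.100-.120, port-block-size 256, extended-times 1.
POOL = [f"192.168.1.{n}" for n in range(100, 121)]
PORT_BLOCK_SIZE = 256
EXTENDED_TIMES = 1
FIRST_PORT = 1024           # assumption: lowest port the pool hands out
T0 = datetime(2018, 12, 1)  # collector time used in the procedure above


# Toy model of pre-allocation/incremental allocation; log records are a constructed shape.
class PortBlockCgn:
    def __init__(self):
        self.free = {ip: list(range(FIRST_PORT, 65536 - PORT_BLOCK_SIZE + 1, PORT_BLOCK_SIZE)) for ip in POOL}
        self.blocks = {}  # private user -> [[pub_ip, start, end, used_ports], ...]
        self.logs = []    # appended in time order, as the eLog would receive them

    def _log(self, kind, when, user, b):
        self.logs.append(dict(type=kind, time=when, user=user, pub=b[0], start=b[1], end=b[2]))

    def _allocate(self, user, when):
        owned = self.blocks.setdefault(user, [])
        pub = owned[0][0] if owned else next((ip for ip in POOL if self.free[ip]), None)
        # quota: the pre-allocated block plus at most EXTENDED_TIMES incremental blocks
        if len(owned) > EXTENDED_TIMES or not (pub and self.free[pub]):
            return None
        start = self.free[pub].pop(0)
        block = [pub, start, start + PORT_BLOCK_SIZE - 1, 0]
        owned.append(block)
        self._log("assigning", when, user, block)  # one log per block, not per session
        return block

    def open_session(self, user, when):  # -> (public IP, port) or None when quota is used up
        for b in self.blocks.get(user, []):
            if b[3] < PORT_BLOCK_SIZE:
                b[3] += 1
                return b[0], b[1] + b[3] - 1
        b = self._allocate(user, when)  # first call pre-allocates, later calls extend
        if b is None:
            return None
        b[3] = 1
        return b[0], b[1]

    def release(self, user, when):  # user goes offline: recycle its blocks and log it
        for b in self.blocks.pop(user, []):
            self.free[b[0]].append(b[1])
            self._log("freeing", when, user, b)

    def keepalive(self, when):  # periodic keepalive log per held block (timer 1200 s)
        for user, owned in self.blocks.items():
            for b in owned:
                self._log("keepalive", when, user, b)

    def trace(self, pub, port, when):  # source tracing: who held pub:port at `when`?
        holder = None
        for rec in self.logs:
            if rec["type"] == "keepalive" or rec["pub"] != pub or rec["time"] > when or not rec["start"] <= port <= rec["end"]:
                continue
            holder = rec["user"] if rec["type"] == "assigning" else None
        return holder
```

Because one record covers a whole block, a user with 512 concurrent sessions produces two assigning records instead of 512 session logs, which is why the tracing query only needs the block range and the assigning/freeing times.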

Configuration Scripts

This example only provides the configuration script regarding the interworking between the FW and eLog.

#
 sysname FW
#
 ipv6
#
 firewall log syslog header default timestamp local
#
 nat port-block assigning syslog enable
 nat port-block freeing syslog enable
 nat port-block keepalive syslog enable
 nat port-block keepalive syslog timer 1200
 nat port-block syslog host 172.16.110.168 514 source FW_2 172.16.81.1 6666
#
interface GigabitEthernet 0/0/1
 ip address 172.16.81.1 255.255.0.0
#
interface GigabitEthernet 0/0/2
 ipv6 enable
 ipv6 address 2000::2/64
#
interface GigabitEthernet 0/0/3
 ip address 192.168.1.1 255.255.255.0
#
nat address-group 1
 section 0 192.168.1.100 192.168.1.120
 port-block-size 256 extended-times 1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/2
 add interface Tunnel1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/1
#
security-policy
 rule name policy1
  source-zone local
  destination-zone dmz
  destination-address 172.16.110.168 mask 255.255.255.255
  action permit
 rule name policy2
  source-zone local
  destination-zone trust
  destination-address 2000:: 64
  action permit
 rule name policy3
  source-zone trust
  destination-zone local
  source-address 2000:: 64
  action permit
#
nat-policy
 rule name policy_nat_1
  nat-type ds-lite
  source-zone trust
  destination-zone untrust
  source-address 2000:: 64
  action source-nat address-group 1
#
interface Tunnel 1
 tunnel-protocol ipv4-ipv6 ds-lite
 source 2000::2
 ip address 10.10.10.2 24
#
 snmp-agent
 snmp-agent sys-info version v3
 snmp-agent group v3 group privacy
 snmp-agent usm-user v3 admin group group
 snmp-agent usm-user v3 admin authentication-mode sha2-256 cipher %^%#ZgL-L2HsZ<5P]s+:6d)LcBG5)~mdl=te
 snmp-agent usm-user v3 admin privacy-mode aes128 cipher %^%#i!rs46cpF"_)d#.cJ,'1>wE_>wE
#
Copyright © Huawei Technologies Co., Ltd.