Web: Example for Configuring the FW to Interwork with the HiSec Insight (Encrypted Traffic)

This example describes the typical networking and method for configuring the interworking with the HiSec Insight.

Networking Requirements

The FW can interwork with the HiSec Insight to identify and block malicious sessions. As shown in Figure 1, the FW acts as the RESTCONF server, and the HiSec Insight as the RESTCONF client. The FW and HiSec Insight are reachable, and the FW uses the RESTCONF NBI to communicate with the HiSec Insight.

In this example, the service traffic is encrypted traffic.

Figure 1 Interworking between the FW and HiSec Insight

Configuration Roadmap

Configure an API administrator for authentication for communication between the HiSec Insight and the FW.
Create a detection profile and a detection policy to decrypt encrypted traffic. In this example, HTTPS-encrypted packets are decrypted.

HiSec Insight V100R003C30 and later versions support encrypted traffic analysis. Encrypted service traffic (such as HTTPS, POP3S, IMAPS, and SMTPS traffic encrypted based on SSL) can be directly mirrored to the HiSec Insight through the FW or switch. For versions earlier than HiSec Insight V100R003C30, you need to configure SSL encrypted traffic detection on the FW to decrypt the traffic and then mirror the traffic to the HiSec Insight through the FW.
Configure the HiSec Insight interworking function.

Procedure

Set interface IP addresses and assign the interfaces to security zones.
1. Choose Network > Interface.
2. Click of GE0/0/1 and set the parameters as follows.
  
  IP Address
  
  1.1.1.1
  
  Subnet Mask
  
  255.255.255.0
  
  Security Zone
  
  untrust
3. Click OK.
4. Configure GE0/0/2 based on the preceding step.
  
  IP Address
  
  10.1.1.1
  
  Subnet Mask
  
  255.255.255.0
  
  Security Zone
  
  trust
5. Configure GE0/0/3 based on the preceding step.
  
  IP Address
  
  10.1.2.1
  
  Subnet Mask
  
  255.255.255.0
  
  Security Zone
  
  dmz
Configure security policies to ensure that users in the enterprise network, HiSec Insight, and FW can communicate.
1. Configure a security policy to allow the HiSec Insight flow probe to transfer files from the FW's Local zone to the DMZ where the HiSec Insight resides.
2. Choose Policy > Security Policy > Security Policy.
3. Click Add.
4. Configure the following parameters for the security policy.
  
  Name
  
  policy_to_cis
  
  Source Zone
  
  local
  
  Destination Zone
  
  dmz
  
  Action
  
  Permit
5. Configure a security policy to allow users in the enterprise network to access the Internet.
  
  Name
  
  policy_to_Internet
  
  Source Zone
  
  trust
  
  Destination Zone
  
  untrust
  
  Action
  
  Permit
Create an API administrator and use local authentication. The user name and password can be customized. After this administrator account is created, remember the user name and password. When the HiSec Insight system communicates with the FW, this administrator account shall be used for authentication.
Choose System > Administrator > Administrator and click Add.
Create a detection profile.
1. Choose Policy > Encrypted Traffic Detection > Detection Profile.
2. Click Add to create the following detection profile.
Configure a detection policy, so that encrypted traffic can be mirrored to the HiSec Insight after matching the detection policy on the FW.
1. Choose Policy > Encrypted Traffic Detection > Detection Policy.
2. Click Add to create an SSL-encrypted traffic detection policy.
Configure the HiSec Insight interworking function.
1. Choose System > Setup > HiSec Insight Interworking.
2. Enable the HiSec Insight interworking function.
3. Enable RESTCONF.
  You can use the default configuration or modify the configuration according to the actual networking requirements.
4. Enable Blacklist Status to enable the blacklist function.
5. Set other parameters for HiSec Insight interworking.
  You can use the default configuration or modify the configuration according to the actual networking requirements.
6. Click Apply.

IP Address	1.1.1.1
Subnet Mask	255.255.255.0
Security Zone	untrust

IP Address	10.1.1.1
Subnet Mask	255.255.255.0
Security Zone	trust

IP Address	10.1.2.1
Subnet Mask	255.255.255.0
Security Zone	dmz

Name	policy_to_cis
Source Zone	local
Destination Zone	dmz
Action	Permit

Name	policy_to_Internet
Source Zone	trust
Destination Zone	untrust
Action	Permit

Verification

Choose Policy > Security Protection > Blacklist. In the blacklist list, set the cause to HiSec Insight-detection and click Search to check entries added to the FW blacklist through interworking with the HiSec Insight.

Configuration Scripts

#
aaa
  manager-user restconf-admin                                                    
  password cipher @%@%r"4+){k0COFQte$ymxOMEk80.\ACNlhJgDNfvyN*CqfSk83E@%@%      
  service-type api  
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
 #
interface GigabitEthernet0/0/3
 undo shutdown
 ip address 10.1.2.1 255.255.255.0
#
 firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/3
#
api
 api https enable
#
security-policy
 default action permit
 rule name policy_to_cis
  source-zone local
  destination-zone dmz
  action permit
 rule name policy_to_Internet
  source-zone trust
  destination-zone untrust
  action permit
 group name https
#
profile type decryption name profile_cis
  detect type inbound
  mirror-interface GigabitEthernet0/0/3
  #
decryption-policy
 rule name cis
  source-zone untrust
  destination-zone trust
  destination-address 10.1.1.0 mask 255.255.255.0
  service https
  action decrypt profile profile_cis
#
apt-cis
 linkage enable
#
return