
CLI: Example for Configuring the FW to Interwork with the HiSec Insight (Mirroring Traffic Through the FW)

Networking Requirements

The FW can interwork with the HiSec Insight to identify and block malicious sessions. As shown in Figure 1, the FW acts as the RESTCONF server and the HiSec Insight as the RESTCONF client. The FW and the HiSec Insight can reach each other, and the FW communicates with the HiSec Insight through the RESTCONF NBI.

In this example, the service traffic is encrypted traffic.

Figure 1 Interworking between the FW and HiSec Insight

Configuration Roadmap

  1. Configure an API administrator, whose account is used to authenticate communication between the HiSec Insight and the FW.
  2. Create a detection profile and a detection policy to decrypt encrypted traffic. In this example, HTTPS-encrypted packets are decrypted.

    HiSec Insight V100R003C30 and later versions support encrypted traffic analysis. Encrypted service traffic (such as HTTPS, POP3S, IMAPS, and SMTPS traffic encrypted based on SSL) can be directly mirrored to the HiSec Insight through the FW or switch. For versions earlier than HiSec Insight V100R003C30, you need to configure SSL encrypted traffic detection on the FW to decrypt the traffic and then mirror the traffic to the HiSec Insight through the FW.

  3. Configure the HiSec Insight interworking function.

Procedure

  1. Set interface IP addresses and assign the interfaces to security zones.
    1. Set the IP address of GigabitEthernet0/0/1 and add it to the Untrust zone.

      [sysname] interface GigabitEthernet0/0/1
      [sysname-GigabitEthernet0/0/1] ip address 1.1.1.1 24
      [sysname-GigabitEthernet0/0/1] quit
      [sysname] firewall zone untrust
      [sysname-zone-untrust] add interface GigabitEthernet0/0/1
      [sysname-zone-untrust] quit

    2. Set the IP address of GigabitEthernet0/0/2 and add it to the Trust zone.

      [sysname] interface GigabitEthernet0/0/2
      [sysname-GigabitEthernet0/0/2] ip address 10.1.1.1 24
      [sysname-GigabitEthernet0/0/2] quit
      [sysname] firewall zone trust
      [sysname-zone-trust] add interface GigabitEthernet0/0/2
      [sysname-zone-trust] quit

    3. Set the IP address of GigabitEthernet0/0/3 and add it to the DMZ.

      [sysname] interface GigabitEthernet0/0/3
      [sysname-GigabitEthernet0/0/3] ip address 10.1.2.1 24
      [sysname-GigabitEthernet0/0/3] quit
      [sysname] firewall zone dmz
      [sysname-zone-dmz] add interface GigabitEthernet0/0/3
      [sysname-zone-dmz] quit

  2. Configure security policies to ensure that users in the enterprise network, HiSec Insight, and FW can communicate.
    1. Configure a security policy to allow the HiSec Insight flow probe to transfer files from the FW's Local zone to the DMZ where the HiSec Insight resides.

      [sysname] security-policy
      [sysname-policy-security] rule name policy_to_cis
      [sysname-policy-security-rule-policy_to_cis] source-zone local
      [sysname-policy-security-rule-policy_to_cis] destination-zone dmz
      [sysname-policy-security-rule-policy_to_cis] action permit
      [sysname-policy-security-rule-policy_to_cis] quit

    2. Configure a security policy to allow users in the enterprise network to access the Internet.

      [sysname-policy-security] rule name policy_to_Internet
      [sysname-policy-security-rule-policy_to_Internet] source-zone trust
      [sysname-policy-security-rule-policy_to_Internet] destination-zone untrust
      [sysname-policy-security-rule-policy_to_Internet] action permit
      [sysname-policy-security-rule-policy_to_Internet] quit

  3. Create an API administrator and use local authentication. The user name and password can be customized. After this administrator account is created, remember the user name and password. When the HiSec Insight communicates with the FW, the administrator account is used for authentication.

    [sysname] aaa
    [sysname-aaa] manager-user restconf-admin
    [sysname-aaa-manager-user-restconf-admin] service-type api
    [sysname-aaa-manager-user-restconf-admin] password cipher Hello@123
    [sysname-aaa-manager-user-restconf-admin] quit
    [sysname-aaa] quit

  4. Create a detection profile.

    [sysname] profile type decryption name profile_cis
    [sysname-profile-decryption-profile_cis] detect type inbound
    [sysname-profile-decryption-profile_cis] mirror-interface GigabitEthernet 0/0/3
    [sysname-profile-decryption-profile_cis] quit

  5. Configure an SSL-encrypted traffic detection policy.

    [sysname] decryption-policy
    [sysname-policy-decryption] rule name cis
    [sysname-policy-decryption-rule-cis] source-zone untrust
    [sysname-policy-decryption-rule-cis] destination-zone trust
    [sysname-policy-decryption-rule-cis] destination-address 10.1.1.0 24
    [sysname-policy-decryption-rule-cis] service https
    [sysname-policy-decryption-rule-cis] action decrypt profile profile_cis
    [sysname-policy-decryption-rule-cis] quit
    [sysname-policy-decryption] quit

  6. Configure a RESTCONF NBI.

    [sysname] api
    [sysname-api] api https port 8447 enable
    [sysname-api] undo security server-certificate
    [sysname-api] quit

  7. Enable the blacklist function.

    [sysname] firewall blacklist enable

  8. Configure the HiSec Insight interworking function.

    [sysname] apt-cis
    [sysname-apt-cis] linkage enable
    [sysname-apt-cis] blacklist aging-time 30
    [sysname-apt-cis] log interval 1
    [sysname-apt-cis] quit

Verification

  1. Run the display firewall blacklist item type apt-cis command to check the blacklists generated when the HiSec Insight delivers blocking instructions.

    <sysname> display firewall blacklist item type apt-cis
    IP/port/protocol/user                   Reason     Insert Time            Age Time   HitTimes
    -----------------------------------------------------------------------------------------------
    1.1.1.1 /any (src) /any/                Apt-cis    2017/02/16 16:59:55    Permanent  2

  2. Run the display apt-cis statistics log command to check threat log statistics sent to the HiSec Insight.

    <sysname> system-view
    [sysname] diagnose
    [sysname-diagnose] display apt-cis statistics log destination 10.1.1.1
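The blacklist output above is fixed-column text, which is awkward to review by eye once the HiSec Insight has delivered more than a handful of blocking instructions. The following Python script is an added example (it is not part of the Huawei documentation and uses no FW API): it parses output in the layout shown in step 1 into structured entries and summarises how many are permanent and how many have already matched traffic. The column layout is taken from the page; the sample rows after the first one are constructed.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of 'display firewall blacklist item type apt-cis'
# shown in the Verification section. The first row is the page's own; the two rows
# after it are made up to exercise the dst direction and numeric age times.
SAMPLE_OUTPUT = """\
IP/port/protocol/user                              Reason                         Insert Time            Age Time  HitTimes
  ----------------------------------------------------------------------------------------------------------------------------
 1.1.1.1 /any (src) /any/                           Apt-cis                       2017/02/16 16:59:55    Permanent 2
 10.1.1.20 /443 (dst) /tcp/                         Apt-cis                       2017/02/16 17:03:10    30        5
 198.51.100.7 /any (src) /any/                      Apt-cis                       2017/02/16 17:05:42    30        0
"""

# One blacklist row: IP /port (direction) /protocol/user  Reason  Insert Time  Age Time  HitTimes
ROW = re.compile(
    r"^\s*(?P<ip>\S+)\s*/(?P<port>\S+)\s*\((?P<direction>src|dst)\)\s*/(?P<protocol>[^/\s]*)/(?P<user>\S*)"
    r"\s+(?P<reason>\S+)\s+(?P<inserted>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})"
    r"\s+(?P<age>\S+)\s+(?P<hits>\d+)\s*$"
)


def parse_blacklist(output: str) -> List[Dict[str, object]]:
    """Turn the command output into one dict per entry; header, separator and blank lines are skipped."""
    entries: List[Dict[str, object]] = []
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        entry: Dict[str, object] = dict(m.groupdict())
        entry["hits"] = int(m.group("hits"))
        entry["permanent"] = m.group("age").lower() == "permanent"
        entries.append(entry)
    return entries


def summarize(entries: List[Dict[str, object]]) -> Dict[str, object]:
    """Counts a defender wants at a glance: total entries, permanent ones, and ones that already matched traffic."""
    by_reason: Dict[str, int] = {}
    for e in entries:
        by_reason[str(e["reason"])] = by_reason.get(str(e["reason"]), 0) + 1
    return {
        "total": len(entries),
        "permanent": sum(1 for e in entries if e["permanent"]),
        "with_hits": sum(1 for e in entries if e["hits"] > 0),
        "by_reason": by_reason,
    }


if __name__ == "__main__":
    parsed = parse_blacklist(SAMPLE_OUTPUT)
    for e in parsed:
        print(f"{e['ip']:<14} {e['direction']} {e['port']}/{e['protocol']} {e['reason']} age={e['age']} hits={e['hits']}")
    print(summarize(parsed))
```

Feed the script the captured output of the display command (for example, saved from a terminal session); entries with zero HitTimes are the ones the HiSec Insight blocked pre-emptively, while permanent entries will not age out on their own and are worth reviewing periodically.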

Configuration Scripts

#
aaa
 manager-user restconf-admin
  password cipher @%@%r"4+){k0COFQte$ymxOMEk80.\ACNlhJgDNfvyN*CqfSk83E@%@%
  service-type api
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 undo shutdown
 ip address 10.1.2.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/3
#
api
 api https enable
#
security-policy
 default action permit
 rule name policy_to_cis
  source-zone local
  destination-zone dmz
  action permit
 rule name policy_to_Internet
  source-zone trust
  destination-zone untrust
  action permit
 group name https
#
profile type decryption name profile_cis
 detect type inbound
 mirror-interface GigabitEthernet0/0/3
#
decryption-policy
 rule name cis
  source-zone untrust
  destination-zone trust
  destination-address 10.1.1.0 mask 255.255.255.0
  service https
  action decrypt profile profile_cis
#
apt-cis
 linkage enable
#
return
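The interworking depends on several blocks of the script agreeing with each other: the decryption policy must name a profile that exists, the profile's mirror interface must sit in a zone that the Local-to-zone security policy permits, and both the RESTCONF NBI and the apt-cis linkage must be enabled. The following Python script is an added example (not Huawei's code and not a feature of the FW) that reads a configuration script in the '#'-delimited format shown above and reports any of those inconsistencies. The embedded sample is a constructed, trimmed copy of this page's script; the password line and the blocks the audit does not inspect are omitted.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the blocks of this page's configuration script that the
# audit inspects, re-indented. aaa, interface and unrelated zone blocks are omitted.
SAMPLE_CONFIG = """\
#
firewall zone dmz
 add interface GigabitEthernet0/0/3
#
api
 api https enable
#
security-policy
 default action permit
 rule name policy_to_cis
  source-zone local
  destination-zone dmz
  action permit
#
profile type decryption name profile_cis
 mirror-interface GigabitEthernet0/0/3
#
decryption-policy
 rule name cis
  source-zone untrust
  destination-zone trust
  action decrypt profile profile_cis
#
apt-cis
 linkage enable
#
return
"""


def parse_blocks(text: str) -> List[Tuple[str, List[str]]]:
    """Split a '#'-delimited config into (header, body) blocks; every line is stripped."""
    blocks: List[Tuple[str, List[str]]] = []
    current: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append((current[0], current[1:]))
            current = []
        elif line:
            current.append(line)
    if current:
        blocks.append((current[0], current[1:]))
    return blocks


def split_rules(body: List[str]) -> Dict[str, List[str]]:
    """Group the lines of a policy block by the 'rule name X' statement they follow."""
    rules: Dict[str, List[str]] = {}
    name = None
    for line in body:
        if line.startswith("rule name "):
            name = line.split(None, 2)[2]
            rules[name] = []
        elif name is not None:
            rules[name].append(line)
    return rules


def audit_config(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the linkage wiring is consistent."""
    blocks = parse_blocks(text)
    by_header = dict(blocks)
    findings: List[str] = []
    profiles: Dict[str, str] = {}   # profile name -> mirror interface (spaces removed)
    zone_of: Dict[str, str] = {}    # interface -> zone
    for header, body in blocks:
        if header.startswith("profile type decryption name "):
            mirror = [l for l in body if l.startswith("mirror-interface ")]
            profiles[header.split()[-1]] = "".join(mirror[0].split()[1:]) if mirror else ""
        elif header.startswith("firewall zone "):
            for l in body:
                if l.startswith("add interface "):
                    zone_of["".join(l.split()[2:])] = header.split()[-1]
    # Every 'action decrypt profile X' must name a defined profile.
    for line in by_header.get("decryption-policy", []):
        m = re.match(r"action decrypt profile (\S+)$", line)
        if m and m.group(1) not in profiles:
            findings.append(f"decryption-policy: undefined profile {m.group(1)}")
    # The mirror interface must be in a zone that a Local -> zone permit rule covers.
    rules = split_rules(by_header.get("security-policy", []))
    for name, mirror in profiles.items():
        zone = zone_of.get(mirror)
        if not mirror or zone is None:
            findings.append(f"profile {name}: mirror interface '{mirror}' is not in any zone")
            continue
        if not any({"source-zone local", f"destination-zone {zone}", "action permit"} <= set(r)
                   for r in rules.values()):
            findings.append(f"security-policy: no rule permits local -> {zone} for mirrored traffic")
    # The RESTCONF NBI and the HiSec Insight linkage must both be enabled.
    if not any(l.startswith("api https") and l.endswith(" enable") for l in by_header.get("api", [])):
        findings.append("api: RESTCONF over HTTPS is not enabled")
    if "linkage enable" not in by_header.get("apt-cis", []):
        findings.append("apt-cis: 'linkage enable' is missing")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_config(SAMPLE_CONFIG) or ["no findings"]))
```

Run it against the output of display current-configuration saved to a file; because the checks cross-reference blocks rather than look for single lines, a renamed profile or a mirror interface moved to another zone is reported even though every individual statement still looks valid.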
Copyright © Huawei Technologies Co., Ltd.