Network Management

Administrators can use the eSight system to monitor and manage the FW, receive alarms from the FW.

Networking Requirements

As shown in Figure 1, an enterprise deploys a FW at the network border as the security gateway and the eSight system to centrally manage the network devices. The eSight must be enabled to monitor and manage the FW, receive alarms when intranet users access the Internet from the FW.

Figure 1 eSight management of the FW

Data Planning

Item		Data	Description
FW	Interface	Interface: GigabitEthernet 0/0/1 IP Address: 1.1.1.1/24 Security zone: Untrust	Interface connecting to the Internet. In this example, the next-hop address of the interface to the Internet is 1.1.1.2.
		Interface: GigabitEthernet 0/0/2 IP Address: 10.2.0.1/24 Security zone: DMZ	Interface communicating with the eSight server.
		Interface: GigabitEthernet 0/0/3 IP Address: 10.3.0.1/24 Security zone: Trust	Interface connecting to the enterprise intranet.
	SNMP parameters	Security user group name: v3group Security user name: V3user SNMP version: v3 Authentication protocol: HMAC_SHA Authentication Password: Admin@123 Privacy protocol: AES128 Encryption Password: Admin@1234	Ensure that the SNMP parameters on the FW and the eSight are the same.
eSight	IP Address	10.2.0.10/24	The physical server is deployed in the DMZ.
eSight	SNMP parameters	Security name: V3user SNMP version: v3 Authentication protocol: HMAC_SHA Password: Admin@123 Privacy protocol: AES128 Password: Admin@1234	Ensure that the SNMP parameters on the FW and the eSight are the same.

Configuration Roadmap

To enable the FW to communicate with the eSight, set an IP address for FW interface GigabitEthernet 0/0/2, assign the interface to the DMZ, and configure the interface access management function to allow the SNMP protocol to pass.

If the interface access management function is not used, you need to configure related security policies. Before disabling interface access management, configure security policies for remote management protocols to prevent the failure to remotely manage the FW.
To enable the eSight to manage the FW and receive alarms from the FW, set SNMP parameters and enable the trap function on the FW, set the same SNMP parameters on the eSight and add the FW to the eSight system.

This example describes only how to connect the FW and the eSight. Configure corresponding routes to ensure that devices are routable. For other settings on the eSight, refer to the corresponding documents.

Procedure

Configure the FW.

Set IP addresses for interfaces, and assign the interfaces to security zones.

# Set an IP address for interface GE0/0/1.

<sysname> system-view
[sysname] interface GigabitEthernet 0/0/1
[sysname-GigabitEthernet0/0/1] ip address 1.1.1.1 24
[sysname-GigabitEthernet0/0/1] quit

# Set an IP address for interface GE0/0/2 and configure interface access management.

[sysname] interface GigabitEthernet 0/0/2
[sysname-GigabitEthernet0/0/2] ip address 10.2.0.1 24
[sysname-GigabitEthernet0/0/2] service-manage snmp permit
[sysname-GigabitEthernet0/0/2] quit

# Set an IP address for interface GE0/0/3.

[sysname] interface GigabitEthernet 0/0/3
[sysname-GigabitEthernet0/0/3] ip address 10.3.0.1 24
[sysname-GigabitEthernet0/0/3] quit

# Add interface GE0/0/1 to the Untrust zone.

[sysname] firewall zone untrust
[sysname-zone-untrust] add interface GigabitEthernet 0/0/1
[sysname-zone-untrust] quit

# Add interface GE0/0/2 to the DMZ zone.

[sysname] firewall zone dmz
[sysname-zone-dmz] add interface GigabitEthernet 0/0/2
[sysname-zone-dmz] quit

# Add interface GE0/0/3 to the Trust zone.

[sysname] firewall zone trust
[sysname-zone-trust] add interface GigabitEthernet 0/0/3
[sysname-zone-trust] quit

Configure security policies.

# Configure a security policy for the Trust-Untrust interzone.

[sysname-policy-security] rule name trust_untrust_outbound
[sysname-policy-security-trust_untrust_outbound] source-zone trust 
[sysname-policy-security-trust_untrust_outbound] destination-zone untrust
[sysname-policy-security-trust_untrust_outbound] source-address 10.3.0.0 mask 255.255.255.0
[sysname-policy-security-trust_untrust_outbound] action permit
[sysname-policy-security-trust_untrust_outbound] quit

# Configure a security policy for the Local-Dmz interzone.

[sysname] security-policy
[sysname-policy-security] rule name local_dmz
[sysname-policy-security-rule-local_dmz] source-zone local
[sysname-policy-security-rule-local_dmz] destination-zone dmz
[sysname-policy-security-rule-local_dmz] source-address 10.2.0.1 24
[sysname-policy-security-rule-local_dmz] service snmptrap
[sysname-policy-security-rule-local_dmz] action permit
[sysname-policy-security-rule-local_dmz] quit
[sysname-policy-security] quit

Configure routes.

# Configure a default route and set the next hop to the next hop of the route destined to the Internet.

[sysname] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2

# Configure blackhole routes to prevent routing loops.

[sysname] ip route-static 1.1.1.10 32 NULL 0
[sysname] ip route-static 1.1.1.11 32 NULL 0
[sysname] ip route-static 1.1.1.12 32 NULL 0

Set SNMP parameters on the FW and enable the FW to send alarms to the eSight.

[sysname] snmp-agent sys-info version v3
[sysname] snmp-agent mib-view include mib2view iso
[sysname] snmp-agent group v3 v3group privacy
[sysname] snmp-agent usm-user v3 V3user authentication-mode sha
Please configure the authentication password (8-64)                             
Enter Password:                                                                 
Confirm Password: 
[sysname] snmp-agent usm-user v3 V3user privacy-mode aes128
Please configure the privacy password (8-64)                                    
Enter Password:                                                                 
Confirm Password: 
[sysname] snmp-agent usm-user v3 V3user group v3group
[sysname] snmp-agent group v3 v3group privacy write-view mib2view notify-view mib2view
[sysname] snmp-agent target-host trap address udp-domain 10.2.0.10 params securityname V3user v3 privacy private-netmanager
[sysname] snmp-agent trap enable
Warning: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y

In this example, the snmp-agent mib-view include mib2view iso command is used. You can view all alarms in the ISO object and configure an OID or object name as required.

Configure the eSight.

Create an SNMP protocol template.

Choose Resource > Resource Management > Protocol Template.

Click the SNMP Protocol Template tab and then Create to create an SNMP protocol template. Set the parameters as follows:

Name	snmpv3_template
SNMP version	V3
NE port	161
Timeout interval(s)	3
Resending times	3
Security name	V3user
Authentication protocol	HMAC_SHA
Password	Admin@123
Privacy protocol	AES_128
Password	Admin@1234

The security name, authentication protocol password, and privacy protocol password on the eSight must be the same as the security name, authentication password, and encryption password on the FW.

Add the FW to the eSight.
1. Choose Resource > Add Resource > Single.
2. Select SNMP Protocol in Discovery Protocol.
3. In IP Address, enter IP address 10.2.0.1 that the FW uses to connect to the eSight.
4. In Select Protocol Template, select the protocol template snmpv3_template created in 1 to add the network element.
5. Click OK.

Configuration Verification

Check whether the eSight can receive alarms.
1. Change the status of the interface at one end of a physical link from Up to Down.
```
[sysname] interface GigabitEthernet 0/0/4
[sysname-GigabitEthernet0/0/4] shutdown
```
2. Choose Monitor > Fault Manage > Current Alarms on the eSight. You can view the alarm information.

Configuration Script

#                                                                               
sysname sysname               
                                                    
#                                                                               
interface GigabitEthernet0/0/1                                                  
 undo shutdown                                                               
 ip address 1.1.1.1 255.255.255.0                                             
#                                                                               
interface GigabitEthernet0/0/2                                                  
 undo shutdown                                                               
 ip address 10.2.0.1 255.255.255.0                                             
 service-manage snmp permit
#                                                                               
interface GigabitEthernet0/0/3                                                 
 undo shutdown                                                               
 ip address 10.3.0.1 255.255.255.0                                             
#                                                                               
firewall zone untrust                                                             
 set priority 5
 add interface GigabitEthernet0/0/1                                             
#                                                                               
firewall zone dmz                                                           
 set priority 50
 add interface GigabitEthernet0/0/2                                             
#                                                                               
firewall zone trust                                                               
 set priority 85
 add interface GigabitEthernet0/0/3                                            
#
security-policy
 rule name trust_untrust_outbound1
  source-zone trust
  destination-zone Untrust
  source-address 10.14.10.1 32
  destination-address 10.3.0.0 mask 255.255.255.0
  action permit
#                                                                               
security-policy 
 rule name local_dmz                                                            
  source-zone local                                                             
  destination-zone dmz                                                          
  source-address 10.2.0.1 24
  service snmptrap                                                    
  action permit                                                                 
#                                                                                           
 ip route-static 0.0.0.0 0.0.0.0 1.1.1.2                                                              
 ip route-static 1.1.1.10 255.255.255.255 NULL0                                                        
 ip route-static 1.1.1.11 255.255.255.255 NULL0
 ip route-static 1.1.1.12 255.255.255.255 NULL0
#                                                                               
 snmp-agent                                                                     
 snmp-agent local-engineid 000007DB7FFFFFFF000077D0                             
 snmp-agent sys-info version v3                                                 
 snmp-agent mib-view include mib2view iso
 snmp-agent group v3 v3group privacy                                            
 snmp-agent group v3 v3group privacy write-view mib2view notify-view mib2view
 snmp-agent target-host trap  address udp-domain 10.2.0.10 params securityname %
 $%$Lch*5Z>Q0:BIj9Nv<&^W(>5,%$%$ v3  privacy  private-netmanager                 
 snmp-agent usm-user v3 V3user authentication-mode sha cipher %^%#]lck/kEvSA'=g^
 WsIwEI~rf&=qHpDEhhB\3Dmt1(%^%#
 snmp-agent usm-user v3 V3user privacy-mode aes128 cipher %^%#Ow4n$dQvbD:^-Asnmp
 -agent usm-user v3 V3user privacy-mode aes128 cipher %^%#Ow4n$dQvbD:^-A
 snmp-agent usm-user v3 V3user group v3group
 snmp-agent trap enable                                                         
#                                                                                 
return