
CLI: Example for Configuring the Flow Probe

This example describes the typical application and configuration method of the flow probe function.

Networking Requirements

On an enterprise campus network, the network administrator needs to use the flow probe function on the FW to collect network-layer and transport-layer information about traffic passing through the FW. The FW then sends the collected information to the HiSec Insight for analysis and evaluation, so that threats and APT attacks on the network can be identified.

Figure 1 Flow probe application networking

Procedure

  1. Set interface IP addresses and assign the interfaces to security zones.
    1. Set the IP address of GigabitEthernet0/0/1 and add it to the Untrust zone.

      [sysname] interface GigabitEthernet0/0/1
      [sysname-GigabitEthernet0/0/1] ip address 1.1.1.1 24
      [sysname-GigabitEthernet0/0/1] quit
      [sysname] firewall zone untrust
      [sysname-zone-untrust] add interface GigabitEthernet0/0/1
      [sysname-zone-untrust] quit

    2. Set the IP address of GigabitEthernet0/0/2 and add it to the DMZ.

      [sysname] interface GigabitEthernet0/0/2
      [sysname-GigabitEthernet0/0/2] ip address 10.1.2.1 24
      [sysname-GigabitEthernet0/0/2] quit
      [sysname] firewall zone dmz
      [sysname-zone-dmz] add interface GigabitEthernet0/0/2
      [sysname-zone-dmz] quit

    3. Set the IP address of interface GigabitEthernet0/0/3 and add it to the Trust zone.

      [sysname] interface GigabitEthernet0/0/3
      [sysname-GigabitEthernet0/0/3] ip address 10.1.1.1 24
      [sysname-GigabitEthernet0/0/3] quit
      [sysname] firewall zone trust
      [sysname-zone-trust] add interface GigabitEthernet0/0/3
      [sysname-zone-trust] quit

  2. Configure security policies.
    1. Configure a security policy between the Local and DMZ security zones to allow the FW to send the information collected by the flow probe to the HiSec Insight.

      [sysname] security-policy
      [sysname-policy-security] rule name policy_to_cis
      [sysname-policy-security-rule-policy_to_cis] source-zone local
      [sysname-policy-security-rule-policy_to_cis] destination-zone dmz
      [sysname-policy-security-rule-policy_to_cis] source-address 10.1.2.1 24
      [sysname-policy-security-rule-policy_to_cis] destination-address 10.1.2.2 24
      [sysname-policy-security-rule-policy_to_cis] service udp
      [sysname-policy-security-rule-policy_to_cis] action permit
      [sysname-policy-security-rule-policy_to_cis] quit

    2. Configure a security policy between the Trust and Untrust security zones to allow intranet users to access the Internet.

      [sysname-policy-security] rule name policy_to_Internet
      [sysname-policy-security-rule-policy_to_Internet] source-zone trust
      [sysname-policy-security-rule-policy_to_Internet] destination-zone untrust
      [sysname-policy-security-rule-policy_to_Internet] source-address 10.1.1.0 24
      [sysname-policy-security-rule-policy_to_Internet] action permit
      [sysname-policy-security-rule-policy_to_Internet] quit

  3. Configure the flow probe.

    1. Set parameters for interconnection between the FW and HiSec Insight server.

      [sysname] flow-probe metadata-collect transfer-method udp
      [sysname] flow-probe metadata-collect server ip 10.1.2.2 port 8514
      [sysname] flow-probe metadata-collect source ip 10.1.2.1

    2. Configure flow probe policies.

      [sysname] flow-probe-policy
      [sysname-policy-probe] rule name policy_probe
      [sysname-policy-probe-rule-policy_probe] source-zone trust
      [sysname-policy-probe-rule-policy_probe] destination-zone untrust
      [sysname-policy-probe-rule-policy_probe] source-address 10.1.1.0 24
      [sysname-policy-probe-rule-policy_probe] action probe network-layer

    If you want the flow probe to also collect information about SSL-encrypted traffic, use the ECA (Encrypted Communication Analytics) function. That is, set the action of the flow probe policy to network-layer application-layer or application-layer network-layer. For traffic matching the flow probe policy, the ECA function collects SSL protocol negotiation information, packet statistics, and DNS and HTTP protocol information of the traffic, and sends it to the HiSec Insight in metadata format. The HiSec Insight analyzes and assesses this information to identify malicious encrypted traffic.

  4. Configure the HiSec Insight.

    Configure the third-party data source function on the HiSec Insight. For details, see the HiSec Insight product documentation. If the FW needs to send collected data to the HiSec Insight in SSL mode, you must configure the relevant certificate under the server certificate function node of the HiSec Insight.

Verification

  1. Run the display flow-probe metadata-collect statistics command to check the statistics about flow probe data collection. If statistics are displayed, the flow probe has collected the corresponding traffic information. If no statistics are displayed, the flow probe has not collected any information; in this case, check whether the flow probe policy is correctly configured.
  2. For traffic matching the flow probe policy, choose Smart Search > Metadata Search on the HiSec Insight web UI and search for the source IP address of the traffic. If a result is found, the HiSec Insight has received data sent by the FW flow probe. If no result is found, the HiSec Insight has not received data from the FW flow probe; in this case, check whether the interconnection configurations between the flow probe and the HiSec Insight are correct.

Configuration Scripts

#
interface GigabitEthernet 0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/2
 undo shutdown
 ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet 0/0/3
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/2
#
security-policy
 rule name policy_to_cis
  source-zone local
  destination-zone dmz
  source-address 10.1.2.0 mask 255.255.255.0
  destination-address 10.1.2.0 mask 255.255.255.0
  service udp
  action permit
 rule name policy_to_Internet
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 mask 255.255.255.0
  action permit
#
flow-probe metadata-collect server ip 10.1.2.2
flow-probe metadata-collect source ip 10.1.2.1
#
flow-probe-policy
 rule name policy_probe
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 mask 255.255.255.0
  action probe network-layer
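As an added check that is not part of this documentation or the FW software, the script below parses a configuration excerpt in the format of the script above and verifies that a Local-to-DMZ permit rule actually covers the probe's export from the source IP to the HiSec Insight server. It assumes the UDP transfer method configured above, that an empty address list in a rule matches any address, and that an omitted service line matches any service.

```python
import ipaddress
# Constructed excerpt modelled on the configuration script above; not real FW output.
CONFIG = """\
security-policy
 rule name policy_to_cis
  source-zone local
  destination-zone dmz
  source-address 10.1.2.0 mask 255.255.255.0
  destination-address 10.1.2.0 mask 255.255.255.0
  service udp
  action permit
flow-probe metadata-collect server ip 10.1.2.2 port 8514
flow-probe metadata-collect source ip 10.1.2.1
"""

def parse_config(text):
    """Pull out the probe export endpoints and every security-policy rule."""
    probe, rules, cur = {}, {}, None
    for line in text.splitlines():
        w = line.split()
        if w[:4] == ["flow-probe", "metadata-collect", "server", "ip"]:
            probe["server"] = w[4]
        elif w[:4] == ["flow-probe", "metadata-collect", "source", "ip"]:
            probe["source"] = w[4]
        elif w[:2] == ["rule", "name"]:
            cur = rules[w[2]] = {"zone": {}, "src": [], "dst": [], "service": None, "action": None}
        elif cur and w and w[0] in ("source-zone", "destination-zone"):
            cur["zone"][w[0]] = w[1]
        elif cur and w and w[0] in ("source-address", "destination-address"):
            # "<addr> mask <netmask>" becomes an ip_network; strict=False tolerates host bits
            cur["src" if w[0] == "source-address" else "dst"].append(
                ipaddress.ip_network(f"{w[1]}/{w[3]}", strict=False))
        elif cur and w and w[0] in ("service", "action"):
            cur[w[0]] = w[1]
    return probe, rules

def export_rule(probe, rules):
    """Name of the first permit rule carrying the Local->DMZ UDP export, else None."""
    src, dst = ipaddress.ip_address(probe["source"]), ipaddress.ip_address(probe["server"])
    for name, r in rules.items():
        if (r["action"] != "permit" or r["zone"].get("source-zone") != "local"
                or r["zone"].get("destination-zone") != "dmz"):
            continue
        # Assumption: empty address list matches any address; omitted service matches any.
        if (r["src"] and not any(src in n for n in r["src"])) or \
           (r["dst"] and not any(dst in n for n in r["dst"])):
            continue
        if r["service"] in (None, "udp"):
            return name
    return None
```

Run it against a copy of your own display current-configuration output after changing the server IP or policy; a result of None means the probe's metadata would be dropped by the Local-to-DMZ policy.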
Copyright © Huawei Technologies Co., Ltd.