3Com H3C SECPATH F5000-A5 ADVANCED VPN FIREWALL 12-PORT GIGABIT ETHERNET MODULE Installation Manual

Summary of H3C SECPATH F5000-A5 ADVANCED VPN FIREWALL 12-PORT GIGABIT ETHERNET MODULE

  • Page 1

    H3C SecPath F5000-A5 Firewall Installation Manual. Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Manual version: 5PW101-20090424.

  • Page 2

    Copyright © 2008-2009, Hangzhou H3C Technologies Co., Ltd. and its licensors. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. Trademarks: H3C, Aolynk, H3Care, TOP G, i...

  • Page 3

    About This Manual. Organization: H3C SecPath F5000-A5 Firewall Installation Manual is organized as follows (chapter: contents). 1 Firewall Overview: briefly introduces the product specifications, as well as the features and applications of the H3C SecPath F5000-A5. 2 Arranging Slots and Numbering Interfac...

  • Page 5

    Obtaining documentation: You can access the most up-to-date H3C product documentation on the World Wide Web at this URL: http://www.h3c.com. The following are the columns from which you can obtain different categories of product documentation: [Products & Solutions]: provides information about produc...

  • Page 6: Table of Contents

    Table of contents: 1 Firewall Overview, page 1-1; Introduction ...

  • Page 7: Firewall Overview

    1-1 1 Firewall Overview. Introduction: The H3C SecPath F5000-A5 firewall (hereinafter referred to as the F5000-A5) is a high-end core firewall product developed by Hangzhou H3C Technologies Co., Ltd. (hereinafter referred to as H3C) to deliver extremely high-performance security solutions for large-si...

  • Page 8

    1-2 Physical description. Front view. Figure 1-1 Front view of the F5000-A5: (1) left mounting bracket (2) main processing unit (MPU) (3) right mounting bracket (4) chassis handle (5) weight-bearing warning label (50 kg/110.2 lb.) (6) fa...

  • Page 9

    1-3 Rear view. Figure 1-2 Rear view of the F5000-A5: (1) warning label (2) handle on the rear chassis panel (3) upper slide rail for the air filter (optional) (4) air filter (optional) (5) lower slide rail for the air filter (optional) (6) chassis handle (7) weight-...

  • Page 10

    1-4 System specifications. MPU–NSQ1MPUA0 front view. Figure 1-3 Front view of the MPU: (1) link status LED of the management Ethernet port (LINK) (2) data reception/transmission LED of the management Ethernet port (ACT) (3) link status LED of the HA port (LINK) (4) data reception/transmission LED of th...

  • Page 11

    1-5 Item: specification. AUX port: 1 (9600 bps to 115200 bps, 9600 bps by default). Management Ethernet port: 1 (10Base-T/100Base-TX/1000Base-T). HA port: 1 (10Base-T/100Base-TX/1000Base-T). CF card: 256 MB by default for the built-in CF card; 256 MB, 512 MB, or 1 GB for an optional external CF card. USB i...

  • Page 12

    1-6 Table 1-2 Description of the device status LEDs (LED status: description). Off: no power input or the MPU is faulty. Slow blinking (1 Hz): the MPU is operating normally. Fast blinking (8 Hz): the application software is being loaded (in this state, never power off the device or hot-swap the MPU; otherw...

  • Page 13

    1-7 4) CF card LED. Table 1-5 Description of the CF card LED, CF (green). Off: no CF card is present or the CF card is not recognizable. On: a CF card is in position and has been detected. Blinking: the system is accessing the CF card. Do not remove the CF card in this state. Do not...

  • Page 14

    1-8 technical specifications table 1-6 technical specifications of nsq1gt8c40 item description memory type and size ddr2 sdram 1 memory slot 512 mb (default), 1 gb (maximum) 8 10 mbps, half/full duplex 100 mbps, half/full duplex electrical interfaces 1000 mbps, full duplex 4 (electrical/optical) 10 ...

  • Page 15

    1-9 LED status: description, for GE0 through GE11 (yellow/green). Off: no link is present on the corresponding interface. Solid green: a 1000 Mbps link is present on the interface. Blinking green: data is being transmitted or received at 1000 Mbps. Solid yellow: a 10/100 Mbps link is present on the interface. ...

  • Page 16

    1-10 LPU LEDs. Table 1-9 Description of the LEDs on NSQ1XP20 (LED status: description). Off: no power input or the LPU is faulty. Slow blinking (1 Hz): the LPU is operating normally. Fast blinking (8 Hz): the application software is being loaded (in this state, never power off the device or hot-swap the LPU...

  • Page 17

    1-11 Fan tray. Table 1-12 Technical specifications of the fan tray. Rated voltage: 12 VDC. Total fan power consumption: 50 W. Dimensions (H × W × D): 227 × 31 × 413.3 mm (8.94 × 1.22 × 16.27 in.). Table 1-13 Description of the fan tray LEDs (LED status: description). RUN (green), on: the fan tra...

  • Page 18

    1-12 Memory module. The memory module is used for storing data exchanged between the system and the CPU. The default memory size of the MPU is 2 GB, which is the maximum memory size supported by the MPU. The MPU provides two memory slots for memory modules of the same size. You can use DDR2 SDRAM-1GB...

  • Page 19

    1-13 The CF card is hot-swappable. When the CF LED is blinking, do not unplug the CF card. Otherwise, the file system on the CF card may be damaged. Console port. 1) Introduction: The F5000-A5 provides an RS232 asynchronous serial console port, which can be connected to a computer for system debugging...

  • Page 20

    1-14 RJ-45 pin, signal direction, DB-9, signal: 4 ← 1 DCD; 5 — 5 GND; 6 ← 3 TXD; 7 ← 4 DTR; 8 ← 7 RTS. For the connection of the console cable, refer to the section on connecting a console cable in Chapter 4 “Installing the Firewall.” AUX port. 1) Introduction: The AUX port is an RS232 asynchronous ...

  • Page 21

    1-15 Figure 1-9 AUX cable. Table 1-18 AUX cable connector pinouts (RJ-45, signal direction, DB-25, DB-9, signal): 1 → 4 7 RTS; 2 → 20 4 DTR; 3 → 2 3 TXD; 4 ← 8 1 DCD; 5 — 7 5 GND; 6 ← 3 2 RXD; 7 ← 6 6 DSR; 8 ← 5 8 CTS. For how to connect the AUX cable, refer to the section on connecting the AUX cable to ...

  • Page 22

    1-16 Table 1-19 Technical specifications of the management Ethernet port/HA port. Connector type: RJ-45. Port quantity: 1 management Ethernet port, 1 HA port. Interface type: automatic MDI/MDIX. Frame formats: Ethernet_II, Ethernet_SNAP. Interface speed and duplex mode: 10 Mbps, half/full duple...

  • Page 23

    1-17 Never replace the clock module battery when the device is powered on. The system time gets lost once the clock module battery is removed. You need to set the system time again through the command line interface. Use the clock datetime time date command in user view to set the system date ...

  • Page 24

    1-18 Technical specifications for Ethernet interfaces. Technical specifications for electrical Ethernet interfaces: Table 1-21 Technical specifications for electrical Ethernet interfaces. Connector type: RJ-45. Interface type: automatic MDI/MDIX. Frame formats: Ethernet_II, Ethernet_SNAP 1...

  • Page 25

    1-19 Item: description. Fiber type: 62.5/125 μm multimode fiber; 9/125 μm single-mode fiber; 9/125 μm single-mode fiber; 9/125 μm single-mode fiber; 9/125 μm single-mode fiber. Maximum transmission distance: 0.55 km (0.34 miles); 10 km (6.21 miles); 40 km (24.86 miles); 40 km (24.86 miles); 70 km (43.50 mil...

  • Page 26

    1-20 Before using an optical fiber to connect a network device, verify that the optical fiber connector matches the optical module. Before connecting an optical fiber, make sure the received optical power at the local end does not exceed the upper threshold of the receiving optical power of the ...

  • Page 27

    1-21 Table 1-24 Crossover cable connector pinouts (RJ-45 signal direction, category-5 twisted pair, signal direction, RJ-45): 1 TX+ white (orange) → 3; 2 TX– orange → 6; 3 RX+ white (green) ← 1; 4 — blue — 4; 5 — white (blue) — 5; 6 RX– green ← 2; 7 — white (brown) — 7; 8 — brown — 8. You can refer to the table...

  • Page 28

    1-22 LPU–NSQ1XP20. Introduction to 10 GE interfaces: NSQ1XP20 provides two XFP interfaces (10GBase–R), which operate in the LAN PHY mode rather than the WAN PHY mode. An XFP interface operating in the LAN PHY mode supports a maximum data-rate of 10.3125 Gbps. The LED for an XFP interface is on the rig...

  • Page 29

    1-23 Figure 1-13 An XFP transceiver. No XFP transceivers are shipped with the F5000-A5. Use only the XFP transceivers provided by H3C. The device cannot recognize other XFP transceivers. For how to connect XFP transceivers, refer to the section on connecting Ethernet cables in chapte...

  • Page 30

    1-24 Table 1-26 AC power module specifications. Rated voltage range: 100 VAC to 240 VAC; 50/60 Hz. Maximum input current: 10 A. Maximum power consumption: 650 W. Dimensions (H × W × D): 40.2 × 140 × 353.5 mm (1.58 × 5.51 × 13.92 in.). Table 1-27 Description of the AC power LED (status: descri...

  • Page 31

    1-25 Table 1-29 Description of the DC power LED (status: description). Off: no power input is present. Solid green: the power module is working normally. Solid red: the power module is faulty. Figure 1-15 DC power module: (1) captive screw (2) power input terminals (3) power switch (4) power LED (5) power m...

  • Page 32

    1-26 The following power lightning arrester can be installed on the F5000-A5. The specifications for the power lightning arrester are as follows: maximum discharge current: 6500 A, protection voltage: 220 VAC to 500 VAC. For the installation of a power lightning arrester, refer to Chapter 4 “Install...

  • Page 33: Table of Contents

    Table of contents: 2 Arranging Slots and Numbering Interfaces, page 2-1; Slot arrangement ...

  • Page 34

    2-1 2 Arranging Slots and Numbering Interfaces. Slot arrangement: The F5000-A5 supports many types of interfaces, such as console, AUX, GigabitEthernet, and Ten-GigabitEthernet interfaces. This chapter describes how these interfaces are numbered. Figure 2-1 Slot arrangement on the F5000-A5. The number...

  • Page 35

    2-2 The HA port is permanently Inner-Ethernet0/1. Examples: numbers of interfaces on NSQ1GT8C40. 1) If the LPU is installed in slot 1, GigabitEthernet interfaces on the LPU are numbered as follows: GigabitEthernet 1/0, GigabitEthernet 1/1, GigabitEthernet 1/2, GigabitEthernet 1/3, GigabitEther...

  • Page 36: Table of Contents

    Table of contents: 3 Preparing for Installation, page 3-1; Environment requirements ...

  • Page 37: Preparing For Installation

    3-1 3 Preparing for Installation. Environment requirements: The device is designed for indoor application. To ensure the normal operation and prolong the service life, the installation site must meet the requirements mentioned hereunder. Temperature and humidity requirements: The temperature and humidi...

  • Page 38

    3-2 Table 3-3 Concentration limit of some harmful gases in the equipment room (gas: max, mg/m³). SO₂: 0.2; H₂S: 0.006; NH₃: 0.05; Cl₂: 0.01. Ventilation requirements: The fans of the F5000-A5 draw air in through the inlet vents on the left and out through the exhaust vents on the right. Figure 3-1 Ventil...

  • Page 39

    3-3 Make sure that the device and the floor are well grounded. Take dust-proof measures for the equipment room. Maintain the humidity and temperature at a proper level. Always wear an ESD-preventive wrist strap or antistatic clothing when touching a circuit board or optical module. Place the removed...

  • Page 40

    3-4 Figure 3-2 Wear an ESD-preventive wrist strap: (1) ESD-preventive wrist strap (2) snap fastener (3) ESD socket (4) connector. Electromagnetic interference prevention: All possible interference sources, external or internal, affect the device in the way of capacitance coupling, inductance coupling, ...

  • Page 41

    3-5 Install a lightning arrester at the input end of the power supply to enhance the lightning protection capability of the power supply. Install a special lightning arrester at the input end of outdoor signal lines to which interface modules of the device are connected to enhance the lightning prot...

  • Page 42

    3-6 Make sure the device is correctly grounded. Do not open or close the chassis cover when the device is powered on. Connect the interface cables for the firewall correctly. Use laser with caution. Do not directly stare into apertures or fiber connectors that emit laser radiation. Equip an uninterr...

  • Page 43

    3-7 Checklist before installation. Table 3-4 Checklist before installation (item: requirements). Ventilation: There is a minimum clearance of 10 cm (3.9 in.) around the inlet vents and exhaust vents for heat dissipation of the router chassis. A ventilation system is available at the installation site. Tem...

  • Page 44

    3-8 Item: requirements. Installation tools: installation accessories supplied with the firewall; user supplied tools. Reference: documents shipped with the firewall; electronic documents.

  • Page 45: Table of Contents

    Table of contents: 4 Installing the Firewall, page 4-1; Preparations ...

  • Page 46: Installing The Firewall

    4-1 4 Installing the Firewall. Preparations: Before installing the firewall, make sure that you have read through Chapter 3 “Preparing the Installation.” Make sure all the requirements mentioned in Chapter 3 “Preparing the Installation” are satisfied. Installation flowchart: Figure 4-1 Installation...

  • Page 47

    4-2 Dimensions of the firewall: The F5000-A5 is designed to fit standard 19-inch racks. The following table describes the dimensions of the firewall. Table 4-1 Dimensions of the device (item: description). Dimensions without foot pads and mounting brackets (H × W × D): 308 × 436 × 476 mm (12.13 × 17.17 × ...

  • Page 48

    4-3 Figure 4-3 Structure of mounting brackets: (1) left mounting bracket (2) right mounting bracket. 3) Install mounting brackets to the firewall: Before installing the firewall in the rack, fix the mounting brackets respectively to the left and right sides of the front panel of the firewall. F...

  • Page 49

    4-4 Step 4: Put the firewall on the support tray and slide the firewall along the slide rails to an appropriate place. Step 5: Fix the firewall in the rack horizontally and firmly by fastening the mounting brackets onto the rack posts with pan-head screws. The size of pan-head screws should satisfy the ...

  • Page 50

    4-5 PGND cable connection. Importance of the PGND cable: A correct connection of the protection ground (PGND) cable on the device chassis is an essential safeguard against lightning strokes and electromagnetic interference (EMI). When installing or using the firewall, make sure the PGND cable is corre...

  • Page 51

    4-6 Step 3: Fasten the grounding screw, which is attached with the OT terminal, into the grounding screw hole with a screwdriver. Step 4: Connect the other end of the PGND cable to the ground. Generally, the cabinets installed in equipment rooms are equipped with a ground bar. If a grounding bar is av...

  • Page 52

    4-7 Port protective unit–single port, maximum discharge current (8/20 μs waveform): 5 kA, output voltage (10/700 μs waveform): core-core. Tools: Phillips or flat-blade screwdriver; multimeter; diagonal pliers. Installation procedures: Follow these steps to install a port lightning arrester: Step 1: u...

  • Page 53

    4-8 Precautions: Pay attention that the performance of the port lightning arrester may be affected in the following cases: The IN and OUT ends of the port lightning arrester are incorrectly connected. The IN end should be connected to the external cable while the OUT end should be connected to the ...

  • Page 54

    4-9 2) After the AC power cord connector of the device is plugged into a multi-purpose socket of the power lightning arrester (lightning protection busbar), if the green LED is on while the red LED is off, the lightning protection is functioning normally. Pay attention when the red LED is on. You sh...

  • Page 55

    4-10 Connecting the power cables. Power supply interface and PGND terminal: You can use AC power modules for AC power input or DC power modules for DC power input for the F5000-A5. Table 4-2 shows the specifications for the power supply interface and PGND terminal. Table 4-2 Power supply interface and...

  • Page 56

    4-11 Connection procedure: Follow these steps to connect the AC power cord: Step 1: Make sure that the PGND terminal is securely connected to the ground. Step 2: Move the power switch of the power module to the OFF position. Step 3: Move the bail latch holder to the left. Step 4: Connect one end of the suppl...

  • Page 57

    4-12 Figure 4-12 DC power module: (1) captive screw (2) DC input terminals (3) power switch (4) power LED (5) power module handle. DC power cables. Figure 4-13 DC power cables: (1) naked crimping terminal, OT, 6 mm², M4, tin plating, naked ring terminal, 12 to 10 AWG ...

  • Page 58

    4-13 Step 1: Move the power switch to the OFF position. Step 2: Remove the DC input terminals with a Phillips screwdriver. Step 3: Attach the end marked with “–” of the supplied blue DC power cable to the negative terminal (–) on the power module and fasten the screw. Step 4: Attach the end marked with “+” o...

  • Page 59

    4-14 Figure 4-14 Connect the console cable: (1) console port (2) RJ-45 connector (3) serial interface on the configuration terminal (4) DB-9 (female) connector (5) console cable. Connecting the AUX port to a modem: The AUX port is usually used for remote configuration or dial backup. You need to connec...

  • Page 60

    4-15 Figure 4-15 Connect the AUX cable: (1) AUX port (AUX) (2) RJ-45 connector (3) AUX cable (4) modem (5) DB-25 (male) or DB-9 (female) connector. Connecting the management Ethernet port and HA port cables: The management Ethernet port and HA port are 10Base-T/100Base-TX/1000Base-T...

  • Page 61

    4-16 Figure 4-16 Connect the management Ethernet port: (1) management Ethernet port (MANAGEMENT) (2) RJ-45 connector of the Ethernet cable (3) console port (CONSOLE) (4) RJ-45 connector of the console cable (5) Ethernet interface on the terminal (6) RJ-45 connector of the Ethernet cable (7) serial in...

  • Page 62

    4-17 Figure 4-17 Remove the dust cover. Step 2: Align an SFP transceiver with the optical SFP transceiver receptacle, with the side having a release lever facing outward. Then insert it into the receptacle. Figure 4-18 Insert an optical transceiver. Step 3: Identify the RX and TX ports on the SFP transcei...

  • Page 63

    4-18 Figure 4-19 Connect fiber cables. Step 4: After power-on, check the SFP LED. For the status of the SFP LED, refer to the table describing the behaviors of the LEDs on NSQ1GT8C40 in Chapter 1 “Firewall Overview.” Upon the connection of an XFP transceiver, you need to check the XFP LED. For details,...

  • Page 64

    4-19 The firewall is correctly connected to other devices, such as the configuration terminal. It is very important to verify the installation because instability and poor grounding of the firewall and an unmatched power supply will affect the operation of the firewall.

  • Page 65: Table of Contents

    Table of contents: 5 Starting and Configuring the Firewall, page 5-1; Setting up a configuration environment ...

  • Page 66

    5-1 5 Starting and Configuring the Firewall. You can only use the console port to make initial configuration of the firewall. Setting up a configuration environment. Connecting the firewall to a configuration terminal: For the connection of the firewall to the configuration terminal, refer to “Connecti...

  • Page 67

    5-2 Figure 5-2 Select a port for local configuration connection. Step 3: Set serial port parameters. Figure 5-3 Set serial port parameters. Set the properties of the serial port in the COM1 Properties dialog box, as shown in Table 5-1.

  • Page 68

    5-3 Table 5-1 Set serial port parameters (item: value). Bits per second: 9600 bps (default). Data bits: 8. Parity: none. Stop bits: 1. Flow control: none. In case SecureCRT is used to configure the F5000-A5 firewall, flow control of the serial port must be set to XON/XOFF; otherwise, the terminal screen displays...

  • Page 69

    5-4 Figure 5-5 Set HyperTerminal properties. Firewall power-on. Checklist for firewall power-on: Before powering on the firewall, check that: The power cord and ground cable are correctly connected. The voltage of the power source conforms to voltage requirements of the firewall. The console cabl...

  • Page 70

    5-5 Powering on the firewall: Turn on the power source. Turn on the power switch on the power module of the firewall. Checklist/operations after power-on: After powering on the firewall, check that: 1) The LEDs on the MPU are normal. For the status of the LEDs, refer to “Table 1-2 Description of t...

  • Page 71

    5-6 Press Ctrl+B at this prompt to enter the extended boot menu; otherwise, the system starts to read and decompress the application program. To enter the extended boot menu, press Ctrl+B within four seconds as the system displays “Press Ctrl+B to enter extended boot menu”. Otherwise, the system...

  • Page 72

    5-7 Step 7: Perform reliability configuration for the firewall if necessary. For the configuration details of the protocols or functions of the firewall, refer to H3C SecPath Series Security Products User Manual. Command line interface. Features of the command line interface: The command line interface ...

  • Page 73: Table of Contents

    Table of contents: 6 Maintaining Software, page 6-1; Overview ...

  • Page 74: Maintaining Software

    6-1 6 Maintaining Software. Overview. Files: Three types of files need to be managed on the firewall: BootWare program file; application file; configuration file. BootWare program file: The BootWare program file is used for booting the application program when the firewall starts and is stored in the...

  • Page 75

    6-2 Note that: An application file with the attribute of M, B, or S can be used for system startup, but one with an attribute of N/A (that is, an application file without a specific attribute assigned to it) cannot. You can modify the names of application files at the CLI after the application p...

  • Page 76

    6-3 Uses the default configuration file (if any) to initialize the configuration. The default configuration file is startup.cfg. Note that you can use the startup saved-configuration cfgfile command to define the configuration file to be used at the next system boot. Uses the default settings i...

  • Page 77

    6-4 The BootWare program is upgraded together with the Comware application program. You do not need to upgrade the BootWare program separately. After you upgrade the Comware application program to the latest version and restart the device, the system checks whether the current BootWare version is ...

  • Page 78

    6-5 BootWare menu. Main menu: When the firewall is powered on, it first runs the basic segment and then the extended segment of BootWare. The following information is displayed on the configuration terminal: system start booting... Booting normal extend bootware.... ***********************************...

  • Page 79

    6-6 To enter the extended BootWare menu, press Ctrl+B within four seconds after the system displays “Press Ctrl+B to enter extended boot menu”. Otherwise, the system reads and decompresses the main application file. If you want to enter the extended BootWare menu after the system starts main app...

  • Page 80

    6-7 Table 6-1 BootWare main menu (menu item: description). Boot system: load and boot system applications from a CF card. Enter serial submenu: enter the serial port submenu. For detailed description of this submenu, refer to “Serial submenu” on page 6-7. Enter Ethernet submenu: enter the Ethernet submenu....

  • Page 82

    6-9 Menu item: description. Update backup application file: upgrade the backup application file. Update secure application file: upgrade the secure application file. Modify Ethernet parameter: modify Ethernet interface parameters. Exit to main menu: return to the main menu. File control submenu: Select 4 on th...

  • Page 83

    6-10 Table 6-5 BootWare operation submenu (menu item: description). Backup full BootWare: back up the entire BootWare. Restore full BootWare: restore the entire BootWare. Update BootWare by serial: upgrade BootWare through a serial port. Update BootWare by Ethernet: upgrade BootWare through an Ethernet inte...

  • Page 84

    6-11 If the check fails, the receiving program sends a negative acknowledgement character and the sending program retransmits the packet. Modifying serial port parameters: In actual applications, you may need to make the serial port baud rate higher to reduce upgrading time or make it lower to guar...

  • Page 85

    6-12 Figure 6-3 Modify the baud rate on the terminal. Step 5: Select Call > Call to establish a new connection. Figure 6-4 Establish a new connection. Step 6: Press Enter on the console terminal. The system displays the current baud rate and returns to the previous menu. The system displays: the current b...

  • Page 86

    6-13 Upgrading an application: The application upgrading on a serial port is implemented on the serial submenu. Step 1: Select 2 on the main menu to enter the serial submenu. For details about this submenu, refer to “Serial submenu” on page 6-7. The following example shows how to upgrade the main appli...

  • Page 87

    6-14 download successfully! 14092032 bytes downloaded! The system then prompts you to enter the target file name. Input the file name: Step 5: Input the file name. 1) If the file name is different from that of any existing file in the storage medium, the application file is saved using the specified f...

  • Page 89

    6-16 After the application file is downloaded, the following information appears on terminal interface, indicating a successful upgrade. Download successfully! 14092032 bytes downloaded! Updating basic bootware? [y/n] Step 8: Upgrade the BootWare. 1) If you enter n, the system displays: not update th...

  • Page 90

    6-17 The firewall can serve as the TFTP client. The file server serves as the TFTP server. You can upload/download the application file on the firewall to/from the file server. There are two approaches to upgrading BootWare and application files using TFTP: on the BootWare menu; at the CLI. Upgra...

  • Page 91

    6-18 The TFTP server is not provided with the device. You need to purchase and install it. You can upgrade applications and the BootWare through the console port or the management Ethernet port. 2) Configure Ethernet port parameters on the BootWare menu. Enter the main menu and select 3 to enter...

  • Page 92

    6-19 Item: description. Target file name: name of the target file after the file is downloaded to the firewall. The extension of the target file needs to be the same as that of the download file. Note that: The first “main.bin” is the previous file name automatically remembered in the system. The s...

  • Page 93

    6-20 Upgrading and backing up an application using TFTP at the CLI. 1) Set up a TFTP upgrading environment: The firewall serves as the TFTP client and the PC serves as the TFTP server. For the procedures of setting up an upgrading environment, refer to “Upgrading an application using TFTP on the bo...

  • Page 95

    6-22 Table 6-9 Command output description for upgrading and backing up an application file (field: description). tftp 192.168.80.200 get main.bin main.bin: download the file to be upgraded from the server. The file main.bin exists. Overwrite it? [y/n]: whether to overwrite the existing file with the same...

  • Page 96

    6-23 Figure 6-10 Set up an FTP upgrading environment. The firewall serves as the FTP client and the PC serves as the FTP server. Connect the management Ethernet port on the firewall to the PC using a crossover Ethernet cable. Ensure the connectivity between the firewall and the PC. In this exampl...

  • Page 97

    6-24 Upgrading and backing up an application using FTP at the CLI. Firewall serving as the FTP client and PC serving as the FTP server: 1) Set up the upgrading environment. Refer to “Upgrading and backing up an application using TFTP at the CLI” on page 6-20. 2) Use the dir command on the terminal to ...

  • Page 98

    6-25 When you download an application file, if a file with the same name exists on the firewall, the system asks you whether to overwrite the existing file on your device. You need to enter y for confirmation. For details about the get command, refer to H3C SecPath Series Security Products User ...

  • Page 99

    6-26 Field: description. [ftp]quit: quit FTP client view. 221 service closing control connection: close the service control connection. Firewall serving as the FTP client and PC serving as the FTP server: 1) Set up an FTP upgrading environment. Figure 6-11 Set up an FTP upgrading environment: router FTP s...

  • Page 100

    6-27 2) Enable FTP server on the firewall. # Enable FTP server. [H3C] ftp server enable # Add FTP username and password. [H3C] local-user guest New local user added. [H3C-luser-guest] service-type ftp [H3C-luser-guest] password simple 123456 [H3C-luser-guest] authorization-attribute level 3 Table ...

  • Page 101

    6-28 Table 6-13 Output description (field: description). C:\Documents and Settings\Administrator>ftp: enable the FTP client program on the PC. ftp> open 192.168.80.10: in FTP client view, log into the IPv4 FTP server. User (192.168.80.10:(none)): input the username configured on the FTP server. 331 passwor...

  • Page 102

    6-29 When you download an application file, if the file name already exists on the server, the system overwrites the existing file without any prompt. For details about the get command, refer to H3C SecPath Series Security Products User Manual. You can back up a configuration file in the way y...

  • Page 103

    6-30 Displaying all files at the CLI: dir directory of cfa0:/ 0 drw- - nov 28 2000 04:09:30 logfile 1 -rw- 24802996 nov 04 2007 17:03:26 f5000-a5.bin 2 -rw- 1355 nov 04 2007 17:22:12 startup.cfg 3 -rw- 24802996 nov 13 2037 13:21:20 main.bin 505480 kb total (456576 kb free) file system type of cfa0: f...

  • Page 106

    6-33 For details about the delete and undelete commands, refer to H3C SecPath Series Security Products User Manual. Dealing with password loss: When the BootWare password, user password or super password is lost, resort to the following methods: BootWare password loss: Contact your local sales agent ...

  • Page 107

    • The BootWare password you entered is displayed in the form of asterisks.
    • The BootWare password can contain up to 32 characters. If you enter more than 32 characters to set the BootWare password, the system will automatically use the first 32 characters.
    Dealing with user password loss
    If yo...

  • Page 108

    • Execute the save command after modifying the user password to save the new password.
    • You are recommended to save the modification to the configuration file used by default.
    Dealing with super password loss
    The super password enables you to switch between four super levels. In the case of su...

  • Page 109

    Backing up the entire BootWare
    To back up the entire BootWare, you need to back up the basic segment and then the extended segment of the BootWare.
    Step1 Select 1 on the BootWare operation submenu. The system displays: Will you backup the basic BootWare? [Y/N]
    Step2 Enter Y. The system displays:...

  • Page 110: Table of Contents

    Table of contents: 7 Maintaining hardware (7-1), Preparing tools...

  • Page 111: Maintaining Hardware

    7 Maintaining hardware
    Preparing tools
    • Phillips screwdrivers: P1-100mm, P2-150mm, P3-250mm
    • Flat-blade screwdrivers: P4-75mm
    • ESD-preventive wrist straps, ESD-preventive gloves
    • Antistatic bags, antistatic pads
    Except an ESD-preventive wrist strap, none of the above installation tools are s...

  • Page 112

    Figure 7-1 F5000-A5 structure: (1) Left mounting bracket (2) MPU (3) Right mounting bracket (4) Chassis handle (5) Weight-bearing warning label (50 kg/110.2 lb.) (6) Fan tray (7) AC power module (PWR1) (8) Blank panel for PoE power...

  • Page 113

    7-3 installing and removing an mpu structure of an mpu figure 7-2 interior structure of the mpu (1) guide pin (2) left release latch (3) cpu heatsink (4) memory module and slot (5) built-in cf card (6) right release latch (7) bus connector (8) power connector (9) reset button (10) external cf card l...

  • Page 114

    Figure 7-3 Insert the MPU into the slot
    Step4 Fasten the captive screws by turning them clockwise with a Phillips screwdriver.
    Figure 7-4 Fasten the captive screws
    Step5 Turn on the power switch of the firewall if the firewall is powered off.
    Step6 After the MPU is powered on, the RUN LED (green)...

  • Page 115

    Figure 7-5 Loosen the captive screws
    Step3 Pull the two ejector levers at both ends of the MPU outward to release the MPU, and then gently pull the MPU out along the slide rails.
    Figure 7-6 Pull out the MPU
    • To protect the removed MPU, place it in an antistatic bag.
    • If you do not install a ne...

  • Page 116

    7-6 figure 7-7 nsq1gt8c40 (1) cpu heatsink (2) positioning hole (3) left release latch (4) memory module and slot (5) bus connector (6) right release latch (7) bus connector (8) power connector (9) run led (run) (10) led for sfp interface 11 (sfp11) (11) led for sfp interface 10 (sfp10) (12) sfp int...

  • Page 117

    7-7 installing an lpu nsq1gt8c40 and nsq1xp20 are installed in the same way. Nsq1gt8c40 is taken as an example here. Follow these steps to install the lpu: step1 face the front panel of the firewall. Step2 locate the slot where you will install the lpu (slot 1 through slot 4), and remove the blank p...

  • Page 118

    • If there is a great resistance when you push an LPU into a slot, first remove the blank panels above and below the slot, then install the LPU, and finally install the removed blank panels to prevent dust from entering the chassis.
    • Do not insert or remove an LPU when the RUN LED on the LPU is...

  • Page 119

    Figure 7-12 Pull out the LPU
    • To protect the removed LPU, place it in an antistatic bag.
    • If you do not install a new LPU in the slot, install a blank panel to prevent dust from entering the chassis. For how to install a blank panel, refer to “Installing and removing a blank panel” on page 7-9...

  • Page 120

    7-10 figure 7-13 blank panel for an mpu/lpu slot (1) front view (2) side view (3) oblique rear view (4) emi gasket the mpu and lpu slots use the same type of blank panels. Figure 7-14 blank panel for a power module slot (1) front view (2) side view (3) oblique rear view (4) emi gasket removing a bla...

  • Page 121

    Step1 Face the front panel of the firewall.
    Step2 Locate the blank panel to be removed, and loosen the two captive screws by turning them counterclockwise with a Phillips screwdriver. Then, remove the blank panel.
    Figure 7-15 Remove a blank panel from an LPU slot
    • Place the removed blank panels and...

  • Page 122

    7-12 position the blank panel so that the side with emi gaskets faces upward; otherwise you cannot fasten the captive screws. Installing and removing a power module the device supports both ac and dc power modules. This section describes how to install and remove an ac power module. Power module str...

  • Page 123

    Installing a power module
    The following describes how to install an AC power module. You can install a DC power module in a similar way.
    Step1 Face the front panel of the firewall.
    Step2 Locate the slot where the power module is to be installed, insert the power module into the slot, and gently ...

  • Page 124

    Step1 Face the front panel of the firewall.
    Step2 Locate the power module to be removed, and loosen the captive screws on the power module by turning them counterclockwise with a Phillips screwdriver.
    Figure 7-21 Loosen the captive screws
    Step3 Gently pull the power module out along the slide ra...

  • Page 125

    7-15 installing and removing a fan tray fan tray structure figure 7-23 fan tray structure (1) run led (run) (2) alarm led (alm) (3) handle (4) fan (5) caution sign (6) captive screw installing a fan tray follow these steps to install a fan tray: step1 face the front panel of the firewall. Step2 make...

  • Page 126

    Step4 Fasten the captive screws by turning them clockwise with a Phillips screwdriver.
    Figure 7-25 Fasten the captive screws
    Step5 Turn on the power switch of the firewall if the firewall is powered off. The fan LED RUN (green) lights up, indicating the fans run normally.
    • The device supports a...

  • Page 127

    Figure 7-26 Loosen the captive screws
    Step3 Gently pull the fan tray out along the slide rails.
    Figure 7-27 Take out the fan tray
    • Do not keep the firewall working without a fan tray for a long time because poor ventilation may result in damage to the firewall.
    • To protect the removed fan tra...

  • Page 128

    7-18 inserting and removing a cf card cf card and slot figure 7-28 cf card and slot (1) eject button (2) cf card slot (3) cf led installing a cf card follow these steps to install a cf card: step1 check whether the cf card led is blinking. If yes, the system is accessing the cf card. Proceed with th...

  • Page 129

    Figure 7-30 Eject the CF card
    Step3 Press the eject button again to eject the CF card part-way out of the slot, and then pull the card out of the slot.
    Figure 7-31 Press the eject button to eject the CF card
    • Do not insert or remove the CF card when the firewall is booting or the LED is blinki...

  • Page 130

    You may need to replace a memory module or expand memory in the following situations:
    • More memory is needed to upgrade the application program.
    • The firewall needs to maintain a large routing table or support memory-demanding operations.
    • The memory module is damaged.
    • Use the memory modul...

  • Page 131

    7-21 memory module structure figure 7-33 memory module structure (1) connector edge (2) polarization notch (3) latch notch memory module slot figure 7-34 memory module slot (1) left release latch (2) memory module slot (3) right release latch removing a memory module follow these steps to remove a m...

  • Page 132

    Figure 7-35 Remove a memory module
    • Do not touch the surface-mounted components of the memory module directly with your hands. Hold the memory module only by its non-conductive edge. Because a memory module is vulnerable to ESD, improper operation may cause damage to it.
    • Do not use too much ...

  • Page 133

    7-23 do not touch the surface-mounted components of the memory module directly with your hands. Hold the memory module only by its non-conductive edge. Because a memory module is vulnerable to esd, improper operation may damage it. Installing and removing an air filter an air filter is an optional a...

  • Page 134

    Figure 7-37 Install the air filter (slide rails)
    Step6 Gently push the air filter along the slide rails until it is seated in position.
    Figure 7-38 Insert the air filter
    Step7 Fasten the captive screws by turning them clockwise with a Phillips screwdriver.

  • Page 135

    Figure 7-39 Fasten the captive screws
    Removing an air filter
    To remove an air filter, reverse the installation procedure.
    Step1 Face the left side of the chassis, where the air filter is to be removed.
    Step2 Loosen the captive screws one by one by turning them counterclockwise with a Phillips sc...

  • Page 136

    Figure 7-41 Pull out the air filter
    • Keep the removed air filter and fastening screws in a safe place for future use.
    • You can clean the air filter with water, but wait until it is completely dry before installing it again.

  • Page 137: Table of Contents

    Table of contents: 8 Troubleshooting (8-1), Troubleshooting MPU...

  • Page 138: Troubleshooting

    8 Troubleshooting
    The barcode stuck on the firewall chassis contains information about production and servicing. Before you return a faulty firewall for servicing, please provide the barcode information of the firewall to your local sales agent.
    Troubleshooting MPU
    Symptom 1
    Symptom
    The RUN LED ...

  • Page 139

    Symptom 3
    Symptom
    The ALM LED is solid on or blinking, which indicates that the firewall is faulty. For example, the ALM LED is on when the CPU is overheated. The system gives the following message:
    %jun 25 14:38:45:444 2007 h3c drvmsg/3/tempcritical: cpu temperature critical in slot 3, index is...

  • Page 140

    Troubleshooting the power system
    Symptom 1
    Symptom
    The firewall cannot be powered on. The power LED on the front panel is off.
    Solution
    Check that:
    • The power switch of the firewall is turned on.
    • The power cord is properly and firmly connected.
    • The power source of the firewall is turned on....

  • Page 141

    Symptom 2
    Symptom
    When the firewall is running, the ALM LED turns red and the following information appears:
    %jul 5 14:59:03:878 2007 h3c drvmsg/3/fanplugin:fan 1 plug in.
    %jul 5 14:59:03:879 2007 h3c drvmsg/3/fanerr:fan 1 error.
    #jul 5 14:59:03:998 2007 h3c dev/1/fan state changes to failure: t...

  • Page 142

    Solution
    • If the “data bits” field is set to 5 or 6 in the emulation program, illegible characters appear on the screen. Set this field to the default value 8.
    • Check that the current baud setting is 9600 bps. An incorrect baud setting can cause illegible characters.
    • Make sure that the work ...

  • Page 143

    Password loss
    If you have lost the BootWare password, user password, or super password, refer to the section on dealing with password loss in Chapter 6 “Maintaining Software.”
    Troubleshooting the cooling system
    Symptom
    When the temperature inside the firewall exceeds 75°C (167°F), the...

  • Page 144

    If the temperature inside the firewall exceeds 90°C (194°F) while the fans are working normally and the environment is well ventilated, contact your local sales agent. For more information about the display environment command, refer to H3C SecPath Series Security Products User Manual. Troubleshoot...

  • Page 145

    Solution
    • For symptom 1: Delete some files in the CF card or use a new CF card so that enough space is available for the application program.
    • For symptom 2: Type the correct file name.
    • For symptom 3: Configure the network port correctly. Make sure the network port is up and you can successf...

  • Page 146

    Troubleshooting application file missing errors
    Symptom
    When none of the main, backup, and secure application files exists, the system gives the following message in the startup stage:
    BootWare validating...
    Application program does not exist.
    Please input BootWare password:
    If you select 1 on t...

  • Page 147: Table of Contents

    Table of contents: Appendix A Regulatory compliance information (A-1), Regulatory compliance standards (A-1), Euro...

  • Page 148

    A-1 appendix a regulatory compliance information regulatory compliance standards table a-1 regulatory compliance standards discipline standards emc fcc part 15 (cfr 47) class a ices-003 class a vcci-3 class a vcci-4 class a cispr 22 class a en 55022 class a as/nzs cispr22 class a cispr 24 en 55024 e...

  • Page 149

    R&TTE directive
    This product complies with the European Directive 1999/5/EC.
    R&TTE declaration statements:
    Česky [Czech] H3C Corporation tímto prohlašuje, že tento router je ve shodě se základními požadavky a dalšími příslušnými ustanoveními směrnice 1999/5/ES.
    Dansk [Danish] Undertegnede H3...

  • Page 150

    Português [Portuguese] H3C Corporation declara que este router está conforme com os requisitos essenciais e outras disposições da Directiva 1999/5/CE.
    Slovensko [Slovenian] H3C Corporation izjavlja, da je ta router v skladu z bistvenimi zahtevami in ostalimi relevantnimi določili direktive 199...

  • Page 151

    A-4 this equipment has been tested and found to comply with the limits for a class a digital device, pursuant to part 15 of the fcc rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipmen...

  • Page 152: Informationen

    B-1 appendix b safety information sicherheits informationen 安全信息 overview Überblick 概述 this section introduces part of the safety precautions that should be followed during the installation and maintenance of the equipment. And for the safety statements and warnings, there followed the translations ...

  • Page 153

    B-2 lesen sie bitte alle arbeitsanweisungen und sicherheitvorschriften sorgfältig durch, bevor sie mit dem arbeiten beginnen. Nur durch beachtung dieser hinweise lässt sich das unfallrisiko minimieren. Die in anderen handbüchern aufgeführten symbole anmerkung , achtung , warnung und gefahr beinhalte...

  • Page 154

    B-3 table b-1 safety symbol and description sicherheitssymbole und beschreibung 安全标识和描述 safety symbol symbole 安全标识 description erläuterung 描述 generic alarm symbol: to suggest a general safety concern alarm: hinweis auf ein generelles sicherheitsproblem 一般注意标识:用于一般安全提示 esd protection symbol: to sugge...

  • Page 155

    • The unit/system must be connected to the protection ground before operation permanently. And the cross-section of protective earthing conductor shall be at least 2.5 mm².
    • Das System muss vor der ständigen Inbetriebnahme geerdet werden. Der Querschnitt der Erdverbindung sollte mindestens 2....

  • Page 156

    • 当有液体进入机架或机架有损坏时,请立即切断电源。
    • When operation is performed in a damp environment, make sure that water is kept off the equipment.
    • Muss in einer feuchten Umgebung gearbeitet werden, ist sicherzustellen, dass kein Wasser in die Ausrüstung dringen kann.
    • 在潮湿环境下进行安装时,请避免液体进入设备。
    Non-standard and imp...

  • Page 157

    B-6 das entfernen und anbringen von zuleitungen ist strengstens verboten. Kurzschlüsse zwischen innerem und äußerem leiter können lichtbögen oder funkenflug verursachen, was zu feuer oder einer augenverletzung führen kann. 禁止安装和移动带电的线缆。因为导电体和带电的线缆,即使短暂接触,也会引起电火花或电弧,从而 导致失火或是伤害眼睛。 z before the power ...

  • Page 158

    B-7 thunderstorm gewitter 防雷击 high voltage and ac operations or operations on a steel tower and a mast on a thunderstorm day are prohibited. In order to prevent the equipment from being damaged by lightning, proper grounding is required. Arbeiten mit hochspannung und wechselstrom oder arbeiten auf s...