H3c-technologies H3C SecPath F5000-A5 Firewall User Manual

H3C SecPath F5000-A5 FirewallInstallation Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document version: 6PW10

iv Power module ······································································································································

90 Item Description Maximum transmission distance 0.55 km (0.34 miles) 10 km (6.21 miles) 40 km (24.86 miles) 40 km (24.86 miles) 70 km (43.50 miles)

91 Appendix B LEDs Table 24 lists the LEDs available for you to monitor module status. Table 24 LEDs at a glance LEDs Description MPU LEDs Device sta

92 Table 25 LED description LED Status Description (green) Off No link is present on the management Ethernet port. On A link is present on the man

93 Interface module LEDs NSQ1GT8C40 Figure 67 NSQ1GT8C40 LEDs Table 26 LED description LED Status Description (yellow/green) Off No link is prese

94 Table 27 LED description LED Status Description (green) Off No fiber link is present on the port. Steady green A fiber link is present on the

95 Power module LEDs Figure 70 AC power module LED Figure 71 DC power module LED Table 29 LED description LED Status Description Power LED Stead

96 Fan tray LEDs Figure 72 Fan tray LEDs Table 30 LED description LED Status Description (green) Off No system power input is present or the fan

97 Appendix C Arranging slots and numbering interfaces Arranging slots The F5000-A5 supports console, AUX, GigabitEthernet, and Ten-GigabitEthernet i

98 • interface-type represents the type of the interface such as GigabitEthernet. • X represents the number of the slot where the interface module

99 Appendix D Cables This chapter describes cables used for connecting network ports. Table 31 Cable description Cable Port type Application Ethernet

1 Preparing for installation Safety recommendations To avoid possible bodily injury and equipment damage, read all safety recommendations carefully b

100 strict application requirements and are expensive although they provide better EMI prevention performance than UTPs, so in most LANs, UTPs are co

101 Figure 75 Straight-through cable Figure 76 Crossover cable Select an Ethernet twisted pair cable according to the RJ-45 Ethernet port type on

102 Table 33 RJ-45 MDI interface pinouts Pin 10Base-T/100Base-TX 1000Base-T Signal Function Signal Function 1 Tx+ Send data BIDA+ Bi-directional

103 3. Untwist the pairs so that they can lie flat, and arrange the colored wires based on the wiring specifications. 4. Cut the top of the wires

104 Precautions • Make sure the fiber connector and fiber type match the transceiver module type. • The optical interfaces on some cards have shiel

105 Appendix E Cabling recommendations When an F5000-A5 is mounted in a 19-inch standard rack, the interface cables are routed through the cable mana

106 Figure 78 Correct and incorrect cable binding • Route different types of cables (for example, power cables and signal cables) separately. If t

107 Figure 80 Binding cables where they must be bent • Route, bind, and attach excess cables for easy, safe maintenance activities and correct ope

108 Table 36 Tie-binding parameters Cable bundle diameter (mm) Space between bundles (mm) 10 80 to 150 10 to 30 150 to 200 30 200 to 300 • Do not

109 Figure 83 Fiber cabling example

2 • Do not work alone when the firewall has power. Laser safety The firewall is a Class 1 laser product. WARNING! • Do not stare into any fiber p

110 Index A C D E F G I L M N O P R S T V A Accessories,7 Application file missing errors,79 Arranging slots,97 C Cable management requirements,105

111 Managing interfaces and transceiver modules,67 MPU failures,71 MPU LEDs,91 N Numbering interfaces,97 O Optical fiber,103 P Password loss,76 Perfo

3 Temperature and humidity Maintain appropriate temperature and humidity in the equipment room. • Lasting high relative humidity can cause poor insu

4 Cooling The F5000-A5 firewalls adopt left to right airflow for heat dissipation. Plan the installation site for adequate ventilation. • Leave at l

5 • Place the removed MPU, CF card, or service card on an antistatic workbench, with the face upward, or put it into an antistatic bag. • Touch onl

6 EMI The EMI might be coupled from the source to the firewall through the following coupling mechanisms: • Capacitive coupling • Inductive couplin

7 Power supply Make sure the power source of the installation site is steady and can satisfy the input requirements of the power modules and paramete

8 Checklist before installation Table 4 Checklist before installation Item Requirements Result Installation site Weight support The floor can support

9 Item Requirements Result Electricity safety • Equip an uninterrupted power supply (UPS). • In case of emergency during operation, switch off the

Copyright © 2008-2014, Hangzhou H3C Technologies Co., Ltd. and its licensors All rights reserved No part of this manual may be reproduced or transmi

10 Installing the firewall IMPORTANT: Keep the packages of the firewall and the components for future use. Figure 3 F5000-A5 firewall installation

11 • You have read "Preparing for installation" carefully and the installation site meets all the requirements. • A 19-inch rack is ready

12 Figure 5 Installing cage nuts Attaching the mounting brackets to the chassis Mounting bracket Figure 6 Mounting bracket (1) Left mounting brack

13 Figure 7 Attaching the cable management bracket (1) Cable management bracket (2) Left mounting bracket Attaching the mounting brackets to the c

14 Figure 8 Attaching the front mounting brackets to the chassis Mounting the firewall to the rack 1. Put the firewall on the rack shelf, and slid

15 Figure 9 Mounting the firewall to the rack (1) Rack shelf NOTE: If you have purchased an air filter, install the air filter before mounting th

16 The power input end of the firewall has a noise filter, whose central ground is directly connected to the chassis to form the chassis ground (comm

17 Figure 11 Connecting the grounding cable to the grounding hole of firewall NOTE: • The resistance reading should be smaller than 5 ohms betwe

18 Figure 12 Inserting the MPU into slot 4. Fasten the captive screws with a Phillips screwdriver. Figure 13 Fastening the captive screws 5. Th

19 NOTE: • The MPU is not hot swappable. • For the LED description, see "LED description." Installing a CF card IMPORTANT: Before you

Preface The H3C SecPath F5000-A5 Firewall Installation Guide includes eight chapters, which describe the product overview, preparing for installation,

20 2. Remove the filler panel. For how to remove a filler panel, see "Removing a filler panel." 3. Use even pressure to gently push the i

21 Figure 16 Fastening the captive screws on the interface module 5. After the firewall is powered on, the RUN LED (green) flashes once and then f

22 Figure 17 Pushing the fan tray into the slot 3. Use a Phillips screwdriver to fasten the captive screws on the fan tray. Figure 18 Fastening th

23 NOTE: • The fans can automatically adjust the speed. • For the LED description of the fan tray, see "Fan tray LEDs." Installing a p

24 Connecting interface cables Connecting the management Ethernet port The firewall has one management Ethernet port, which is a 10Base-T/100Base-TX/

25 • Stateful failover can be implemented between only two devices. Use a network cable to directly connect the failover interfaces. No intermediary

26 To connect a fiber port to a peer device through optical fibers: 1. Remove the dust plug from the fiber port. 2. Remove the dust cover from the

27 3. Connect one end of the AC power cord to the AC receptacle on the firewall, and the other end to the AC power source. Figure 23 Connecting an

28 Figure 24 DC power cord (1) Naked crimping terminal, OT, 6mm^2, M4, tin plating, naked ring terminal, 12 to 10 AWG (2) Heat shrink tube (3) Labe

29 Figure 25 Connecting the DC power cord Verifying the installation To ensure normal operation of the firewall, verify the following items before

Convention Description &<1-n> The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times

30 Installing FRUs You can install an air filter, a lightning protector for a network port, and a power strip with lightning protection on an F5000-A

31 Figure 27 Pushing the air filter along the slide rails 6. Fasten the captive screws on the rear edge of the air filter with a Phillips screwdri

32 The following two types of lightning protectors for network ports are available for the F5000-A5. Type Port description Maximum discharge curren

33 Figure 29 Installing a lightning protector (1) Grounding wire (2) Outdoor network cable (3) Lightning protector for a network port (4) Cable con

34 Connecting the AC power supply to a power strip with lightning protection CAUTION: Make sure the PE terminal of the power socket has been securel

35 Logging in and performing basic configurations The first time you access the firewall, you can log in to the CLI through the console port or log i

36 Figure 31 Connecting the terminal to the firewall (1) Console port (2) RJ-45 connector (3) Console cable IMPORTANT: • Identify the mark on th

37 Figure 32 Creating a HyperTerminal connection 3. Select the serial port used to connect to the firewall and click OK. Figure 33 Selecting the s

38 Figure 34 Configuring serial port properties Table 5 Serial port properties Property Value Bits per second 9600 bps (the default) Data bits 8

39 Figure 35 HyperTerminal window 6. Select File > Properties and then click the Settings tab. Figure 36 Selecting the emulation type 7. Sel

About the H3C SecPath F5000-A5 documentation set The H3C SecPath F5000-A5 documentation set includes: Category Documents Purposes Product descriptio

40 Powering on the firewall Before powering on the firewall, confirm the following: • You know where the emergency power-off switch for the equipmen

41 Memory Size : 4096MB Memory Speed : 533MHz

42 Logging in to the Web interface The firewall supports Web login by default, and is provided with the following default Web login information: • U

43 Step Command 3. Enable the none authentication mode. authentication-mode none 4. Specify the user privilege level 3. user privilege level 3 To

44 Step Command Remarks 7. Add the interface to a security zone. zone name zone-name [ id zone-id ] Five security zones are predefined in the system

45 Configuring the system name and user password 1. Click Next on the first basic configuration page to enter the username and password configuratio

46 Figure 40 Basic configuration wizard—3/6 (service management) 2. Configure services as described in Table 7. Table 7 Configuration items Item D

47 Item Description HTTPS Specify whether to enable the HTTPS service on the firewall. To enable the HTTPS service on the firewall, select the Enabl

48 Table 8 Configuration items Item Description IP Configuration Select an IP address acquisition approach for the interface: • None—Assigns no IP a

49 Item Description Dynamic NAT Specify whether to enable dynamic NAT on the interface. If dynamic NAT is enabled, the IP address of the interface wi

Documentation feedback You can e-mail your comments about product documentation to [email protected]. We appreciate your comments.

50 Figure 43 Basic configuration wizard—6/6 2. To modify your configuration, click Back to go back to the previous page. 3. To save the current

51 Replacement procedures Precautions • Always wear an ESD wrist strap or ESD gloves when servicing the firewall. • When removing FRUs (such as MPU

52 NOTE: The MPU and interface module slots use the same type of filler panels. Figure 45 Filler panel for a power module slot (1) Front view (2

53 Figure 46 Removing a filler panel from an interface module slot NOTE: • Keep the removed filler panels and screws for future use. • H3C rec

54 Figure 47 Installing a filler panel in an interface module slot Replacing an MPU IMPORTANT: MPUs are not hot-swappable. Before you remove MPUs,

55 Figure 48 Loosening the captive screws 3. Pull the two ejector levers at both ends of the MPU outward to release the MPU, and then gently pull

56 4. Install a new MPU. For the installation procedures, see "Installing an MPU." If no new MPU is to be installed, install a filler pane

57 Figure 51 Pulling out the interface module 4. Install a new interface module. For the installation procedures, see "Installing an interfa

58 Figure 52 Removing a CF card 4. Install a new CF card. For the installation procedures, see "Installing a CF card." Replacing a trans

59 1. Pressing the tab of the LC connector, pull out the LC connector from the transceiver module. Put on the dust cap for the LC connector. 2. Pi

i Contents Preparing for installation ················································································································

60 Figure 54 Pulling out the power module 4. Install a new power module. For the installation procedures, see "Installing a power module.&quo

61 Figure 55 Loosening the captive screws 3. Gently pull the fan tray out along the slide rails. Put the removed fan tray in an antistatic bag.

62 Hardware management and maintenance This chapter describes how to display hardware information, manage interfaces and transceiver modules, trouble

63 Displaying running status data For diagnosis or troubleshooting, you can use the display diagnostic-information command in any view to bulk collec

64 The SubCard1 on Board0: Status : Normal

65 Unit CPU usage: 3% in last 5 seconds

66 Table 12 Command output Field Description CF ID Slot number of the CF card Status CF card status, which can be: • Absent—No CF card is in the s

67 Managing interfaces and transceiver modules Managing combo interfaces Combo interfaces are logical interfaces. A combo interface comprises one SFP

68 Verifying and diagnosing transceiver modules Commonly used transceiver modules Transceiver type Application scenarios Whether can be an optical t

69 To configure the exception handling method: Step Command Remarks Enter system view. system-view N/A Configure the exception handling method fo

ii Connecting an AC power cord ·······················································································································

70 Task Command Remarks Enable the scheduled reboot function and specify a reboot waiting time. schedule reboot delay { hh:mm | mm } Optional. The sc

71 Troubleshooting IMPORTANT: The barcode stuck on the firewall chassis contains information about production and servicing. Before youreturn a faul

72 Symptom 3 Symptom The ALM LED is steady on or flashing, which indicates that the firewall is faulty. For example, the ALM LED is on when the syste

73 Slot3: The Board is present, state is unknown Solution Contact your local sales agent. Power supply system failures Symptom 1 Symptom The f

74 Fan failures Symptom 1 Symptom After the firewall is booted, the following information appears on the configuration terminal: %Jul 5 14:47:20:618

75 No display on the configuration terminal Symptom After the firewall is powered on, the configuration terminal does not display anything. Solution

76 1. Make sure the AUX port is operating in flow mode. 2. Power off the firewall, connect the RJ-45 connector of the console cable to the AUX por

77 %May 14 22:25:18:713 2007 H3C DEV/4/BOARD TEMP NORMAL:

78 Failed to write data into storage device, maybe no enough space on device • Symptom 2: The file to be downloaded is not found. File will be trans

79 Application file missing errors Symptom When none of the main, backup, and secure application files exists, the system displays the following info

iii Verifying and diagnosing transceiver modules ·································································································· 68

80 Appendix A Chassis views and technical specifications Chassis views CAUTION: When moving the chassis, do not use the rear chassis cover handle (c

81 Figure 58 Rear view (1) Warning label (2) Rear chassis cover handle (3) (Optional) Upper slide rail for the air filter (4) (Optional) Air filter

82 Interface modules The F5000-A5 firewall must have at least one interface module in addition to one MPU. The slots for interface modules are slot 1

83 NSQ1GT8P40 The NSQ1GT8P40 interface module provides eight 1000BASE-X fiber Ethernet ports and four combo interfaces. These ports can be set to ope

84 DC power module Figure 64 F5000-A5 DC power module (1) DC-input terminal block (2) Power LED (3) Power module handle (4) Power switch (5) Capti

85 Technical specifications Dimensions and weight Table 15 Dimensions and weight Item Description Dimensions (H × W × D) 308 (7RU) × 436 × 476 mm (1

86 Item Description Dimensions (H × W × D) 40 × 140 × 350 mm (1.57 × 5.51 × 13.78 in) DC power module Table 18 DC power module specifications Item

87 Item Specification Management Ethernet port 1 (10Base-T/100Base-TX/1000Base-T) HA port 1 (10Base-T/100Base-TX/1000Base-T) CF card • 256 MB by

88 Item Description Optical transmit power Type Short-haul multimode optical interface module (850 nm) Medium-haul single-mode optical interface modu

89 Item Description Fiber type 62.5/125 m multimode fiber 9/125 m single-mode fiber 9/125 m single-mode fiber 9/125 m single-mode fiber Maximum t