H3c-technologies H3C SecCenter UTM Manager User Manual

Browse online or download the user manual for the H3c-technologies H3C SecCenter UTM Manager security product. H3C Technologies H3C SecCenter UTM Manager User Manual


Table of contents

Page 1 - H3C SecCenter UTM Manager

H3C SecCenter UTM Manager Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document version: 5

Page 2

2 Installation and uninstallation Installing H3C SecCenter Installing H3C SecCenter installs all H3C SecCenter components at the same time. H3C SecC

Page 3 - Preface

92 Table 78 Email application analysis query options Option Description Device Group Select a device group to collect statistics on the traffic of

Page 4 - Documentation feedback

93 Figure 85 Web application auditing page Table 79 Web application auditing query options Option Description User IP Type the IP address of a

Page 5 - Contents

94 Figure 86 FTP application auditing page Table 80 FTP application auditing query options Option Description User IP Type the IP address of a u

Page 6

95 Figure 87 Email application auditing page Table 81 Email application auditing query options Option Description Device Group Select a device gr

Page 7

96 Figure 88 Instant message application auditing page Table 82 Instant message application auditing query options Option Description Device Group

Page 8

97 Figure 89 Telnet application auditing page Table 83 Telnet application query options Option Description Device Group Select a device group to

Page 9 - Overview

98 Figure 90 SQL application auditing page Table 84 SQL application auditing query options Option Description Device Group Select a device group

Page 10 - Installing H3C SecCenter

99 Figure 91 NAT log auditing Table 85 NAT log auditing query options Option Description Src IP Type a source IP address. Dest IP Type a destin

Page 11

100 Figure 92 Quick auditing Table 86 Quick auditing query options Option Description User IP Type the IP address of a user. User Name Type the

Page 12 - Registering the UTM Manager

101 User behavior alarm The user behavior alarm function includes alarm configuration and alarm information. After the alarm function is configured,

Page 13 - Uninstalling the UTM Manager

3 Figure 2 Specify the SecCenter server port 3. At the end of the installation, select Yes, restart my system and click Done to restart your syste

Page 14 - CAUTION:

102 Table 88 Alarm configuration items Item Description Alarm Mode Optional Select the alarm modes. • If you select Alarm by Email, you must specify

Page 15 - Integration with iMC

103 Figure 95 Alarm information Database auditing and analysis Database auditing analysis provides real-time reports about various database operati

Page 16

104 Figure 96 Database access snapshot Table 89 Fields of the alarm list Field Description Time Time when the alarm was generated Alarm Type Typ

Page 17 - Removing SCMTOOL

105 Figure 98 Database operation statistics by user Figure 99 Database operation statistics by operation Viewing database access trend analysis F

Page 18 - System management

106 Figure 100 Database access trend analysis Table 90 Database access trend analysis query options Option Description Device Select the device o

Page 19 - Adding a device group

107 Figure 101 Database access trend analysis by database

Page 20

108 Figure 102 Database access trend analysis by user

Page 21 - Adding a template

109 Figure 103 Database access trend analysis by operation Viewing database access details From the navigation tree of the behavior auditing compone

Page 22 - Item Description

110 • Click the icon to export reports to an Excel file. Figure 104 Database access details Table 91 Database access details query options Opt

Page 23 - Managing devices

111 Field Description User IP IP address of the user DB Server Database server that the user accessed DB Name Type of the database that the user a

Page 24 - Device list

4 Registering the UTM Manager Open the login page by entering http://localhost/ or http://localhost:port number/ (if you modified the server port num

Page 25 - Adding a device

112 Figure 106 SQL statement filtering conditions management page Table 93 SQL statement filtering conditions management functions Function Descrip

Page 26 - Figure 15 Add a device

113 Figure 107 Add a SQL statement filtering condition Table 95 Configuration items for adding a SQL statement filtering condition Item Description

Page 27

114 Function Description Managing database access alarming policies Allows you to manage database access alarming policies. Deleting database access

Page 28 - Managing device software

115 4. Click the alarm time points, or drag the cursor to select a time period. 5. Click Apply. Figure 109 Configuring database access alarming

Page 29

116 Field Description Enabled or Not Indicates whether the policy has been enabled. Operation Click the icon to edit the alarming policy. Figure 1

Page 30

117 Table 100 Configuration items for adding a database access alarming policy Item Description Policy Name Required Type a name for the policy. The

Page 31

118 Item Description SQL Type Optional Select the SQL type, which can be dynamic or static. Operation Keywords Optional Select the Exclude check box

Page 32

119 Figure 112 URL filtering event snapshot Table 101 URL filtering event snapshot query options Option Description Top Select the number of top u

Page 33

120 Operation guide From the navigation tree of the behavior auditing component, select Aggregate Analysis under URL Analysis to enter the URL filter

Page 34

121 information of a user by specifying the IP address of the user. Table 103 describes the user action analysis query options. Figure 114 User actio

Page 35

5 Figure 6 Register your license After the acknowledgement page appears, you can use the UTM Manager to configure devices and perform other operati

Page 36 - Running Config

122 Figure 115 URL filtering auditing Table 104 URL filtering auditing query options Option Description User IP Specify the IP address of a user W

Page 37

123 Figure 116 Manual backup page Table 105 Manual backup configuration items Item Description Start Time End Time Required Specify a time range.

Page 38

124 Item Description FTP Server IP Required when save to FTP server is selected as the log saving mode. Type the IP address of an FTP server. Userna

Page 39 - Importing device software

125 Table 106 Auto backup schedule configuration items Item Description Log Type Required Select log types. At present, nine types are available. Sav

Page 40

126 From the navigation tree of the behavior auditing component, select Import Logs under Audit Logs Backup to enter the log importing page, as shown

Page 41 - Managing events

127 Item Description Password Required when From FTP server is selected as the import mode. Type the password for FTP access. Optional when From FTP

Page 42 - Device interface event list

128 IPS management The UTM Manager allows for centralized management of IPS features of the UTM devices in the network and centralized event informat

Page 43 - Operator management

129 Function Description Deleting devices Allows you to delete UTM devices. Follow these steps: 1. Select the check box before the UTM devices you w

Page 44 - Operator list

130 Adding UTM devices This function is used to add UTM devices to the IPS device management component. You can add only the UTM devices that are und

Page 45 - Adding an operator

131 Managing signature files This function allows you to add, delete, and modify signature files. A device can detect various attacks and viruses onl

Page 46 - Managing operation logs

6 CAUTION: During the uninstallation process, no system data backup operation is performed and all data will also be removed. If you need the system

Page 47 - Changing your password

132 In the Operation column of the signature files list, you can click the icon of a file to enter the page for modifying the storage path of the f

Page 48 - System configuration

133 Figure 124 Modify the storage path of a signature file Return to Signature file management functions. Rule list This function provides the deta

Page 49 - Configuring management ports

134 Option Description Severity Query by severity. Events are of four severities: critical, major, minor, warning. Table 116 Fields of the rule list

Page 50

135 Figure 127 Device statistics 2. In the Analysis column of the attack protection list or virus protection list, you can click the icon of a d

Page 51 - Configuring the mail server

136 Figure 128 Snapshot Table 117 Event snapshot query options Option Description Device Select a device, a device group, or All devices from the D

Page 52 - Configuring SMS alarming

137 Table 118 Fields of the event snapshot lists Field Description Attack/Virus Destination IP, Source IP, Destination/Source Ports, Protocol Attack

Page 53 - Managing filters

138 Figure 129 Attack protection event snapshot

Page 54 - Adding a filter

139 Figure 130 Virus protection event snapshot Displaying attack/virus/DDoS snapshot list The attack/virus/DDoS event snapshot list presents you th

Page 55 - Managing LDAP servers

140 Figure 131 Attack snapshot list Figure 132 Virus snapshot list Table 119 Query options of the attack/virus snapshot list Option Description F

Page 56 - Adding an LDAP server

141 Field Description Src Port Source port Dest Port Destination port Figure 133 DDoS current event list Table 121 Fields of the DDoS current ev

Page 57

7 Integration with iMC H3C SecCenter can be integrated into H3C Intelligent Management Center (iMC). After being integrated into iMC, SecCenter becom

Page 58 - Configuring segments

142 Figure 134 Device monitoring On the page, you can perform the following operations: • Click the icon in the Snapshot column of a device to en

Page 59 - Monitoring the disk space

143 Figure 135 Attack event analysis From the navigation tree of the IPS management component, select Virus Event Analysis under Event Analysis. Th

Page 60

144 Figure 136 Virus event analysis From the navigation tree of the IPS management component, select DDoS Event Analysis under Event Analysis. The

Page 61 - Managing subsystems

145 Figure 137 DDoS attack event analysis Table 122 Event analysis query options Option Description Filter Select a filter to display specific att

Page 62 - Adding a subsystem

146 Figure 138 Top attack/virus events analysis On the page, you can perform the following operations: • Click the link to export all the analysi

Page 63

147 Figure 139 Attack event details Table 123 Attack event details query options Option Description Filter Select a filter to display specific att

Page 64 - Bandwidth management

148 Table 124 Fields of the attack event details Field Description Time Time when the attack event occurred Src IP/MAC Source IP address Dest IP/MA

Page 65 - Figure 53 Traffic snapshot

149 CAUTION: Logs are aggregated at 3 o’clock in the morning every day. When you query event information of the current month, the system displays o

Page 66 - Segment traffic comparison

150 Option Description Event Select a virus event. Protocol Select the protocol. The default is --, which means any protocol. Src IP Specify the s

Page 67 - Traffic anomaly alarm

151 Displaying DDoS event details This function helps you quickly find the desired DDoS event information from history data of months. The event info

Page 68

8 Figure 8 Install a new component 3. Click Browse, locate the components directory in the SCMTOOL installation path, and click OK. The SCMTOOL in

Page 69 - Service traffic trend

152 Table 128 Fields of the DDoS event details Field Description Start Time Time when the DDoS event started End Time Time when the DDoS event ende

Page 70

153 Figure 144 Alarming configuration Table 129 Alarming configuration items Item Description Alarm Mode Optional The following alarm modes are ava

Page 71

154 Item Description Virus Specify the system to raise alarms when detecting virus events. You can also specify a filter for virus events, so that th

Page 72

155 Field Description Filter Rule Name of the filter used for filtering events. The system only raises alarms for events that match the filtering con

Page 73 - Service traffic distribution

156 detailed information of all tasks. Table 132 describes the query options on the report export task management page. Table 133 describes fields of

Page 74

157 4. Click Add. Figure 148 Add a report export task Table 134 Configuration items of a report export task Item Description Task Name Required Sp

Page 75

158 Configuring attack protection policies Attack protection policies enable devices to filter attacks such as backdoor program, spyware, DoS attacks

Page 76 - Generic service analysis

159 Attack protection policies list From the navigation tree of the IPS management component, select Attack Protection Policies under Policy Manageme

Page 77

160 Item Description Copy Rules From Required Select a policy from the dropdown list. The system will create a policy by copying rules from the selec

Page 78

161 Table 139 Fields of the attack protection rule list Field Description ID ID of the rule Name Name of the protection rule Type Type of the rule

Page 79

9 Figure 9 Set SecCenter parameters 6. After the deployment completes, select the Monitor tab and click Start iMC. All iMC processes start. Note t

Page 80

162 Figure 153 Rule modification page Return to Attack protection policies management page. Configuring anti-virus policies Anti-virus policies ena

Page 81

163 Function Description Authorizing operators Authorizes specific operators to manage the anti-virus policies. Follow these steps: 1. Select the ch

Page 82

164 Figure 155 Create an anti-virus policy Table 142 Anti-virus policy configuration items Item Description Policy Name Required Type a name for th

Page 83

165 Table 143 Query options on the rule management page of an anti-virus policy Option Description Name Type a name to display the rule with this na

Page 84

166 the policy is to be applied, the policy type, the policy name, and the policy application direction, and enable the policy on the device. Configu

Page 85 - Detailed session statistics

167 Table 147 Fields of the policy application list Field Description Segment Segment where the policy application is configured. When you place your

Page 86 - Managing IP groups

168 Table 148 Policy application configuration items Item Description Please select segment Required Select segments to which the policy applies. At

Page 87 - IP group list

169 Figure 160 Attack signature list Table 149 Query options on the attack signature list page Option Description ID Type an event ID to query the

Page 88 - Adding an IP group

170 Figure 161 Detailed information of the event Displaying virus category list The virus category list displays the virus types supported by the s

Page 89

171 Table 151 Query option Option Description Virus Type Select a virus type to query the corresponding viruses. Details Click the icon to view th

Page 90

10 System management The system management component of the UTM Manager comprises four modules: “Device management”, “Operator management”, “System c

Page 91

172 Figure 164 Custom event list Table 152 Custom event management functions Function Description Custom event list Allows you to perform operatio

Page 92

173 Field Description Event Notification Alarm method when an event is recorded and an alarm is triggered, which can be email alarm, sound alarm, or

Page 93

174 Figure 165 Add a custom event Table 154 Configuration items for adding a custom event Item Description Event Name Required Type a name for the

Page 94

175 Item Description Description Required Type the description for the custom event. The string can comprise up to 40 characters. Level Required Sele

Page 95

176 Figure 166 Add an event rule Table 155 Event rule configuration items Item Description Threshold Optional If filters of a rule are all matched

Page 96

177 Item Description Event Optional Select attack events as the match criteria. Invert selection is supported. Attack event query by event ID, descri

Page 97 - Behavior auditing

178 Figure 168 Change event notification method Return to Custom event management functions. Changing the event status Follow these steps: 1. On t

Page 98 - Figure 83 Website analysis

179 Figure 170 Matched event history On the event history page, click the icon of an archived item to enter the event list page, which displays d

Page 99 - Email application analysis

180 Figure 172 Import and export policies Table 156 Policy import and export management functions Functions Description Policy list Allows you to

Page 100 - User behavior auditing

181 Table 158 Policy importing configuration items Item Description Device Required Select a device from which the policy is imported. Policy Type Re

Page 101 - FTP application auditing

11 Configuration guide From the navigation tree of the system management component, select Device Group List under Device Management. The device grou

Page 102 - Email application auditing

182 Firewall management The Firewall Manager enables centralized management of firewall devices in the network, centralized event collection and anal

Page 103

183 Table 159 Firewall management functions Function Description Firewall device list Allows you to view information about the current firewall devi

Page 104 - Telnet application auditing

184 Figure 175 Add firewall devices Select the check boxes before the devices that you want to add to the firewall management component, and then c

Page 105 - SQL application auditing

185 pre-defined segments, and modify, copy, delete, export, or deploy the custom configuration segments. You can also import configuration files from

Page 106 - NAT logs auditing

186 Configuration segment list The configuration segment list is on the configuration segment management page, as shown in Figure 177. Table 164 Fie

Page 107 - Quick auditing

187 Figure 178 Add a configuration segment Table 165 Configuration segment configuration items Item Description File Type Required Select the confi

Page 108 - User details

188 Select a device, select the file type, specify a filename and a description, and click Import to import the running configuration file of the dev

Page 109 - User behavior alarm

189 Figure 180 Select the devices you want to deploy the configuration segment to 2. Configure parameters—Type the SNMP version and community stri

Page 110

190 Figure 182 Configure deployment task attributes 4. Confirm your configuration. You can click the icon in the device list to view the config

Page 111

191 Managing deployment tasks Configuration guide From the navigation tree of the firewall management component, select Deployment Tasks under Policy

Page 112

Copyright © 2009-2011, Hangzhou H3C Technologies Co., Ltd. and its licensors All rights reserved No part of this manual may be reproduced or transmi

Page 113

12 Figure 11 Add a device group Table 3 Device group configuration items Item Description Device Group Name Required Type the name for the device

Page 114 - Option Description

192 Field Description Task Name Name of the task Task Type Type of the task Creation Time Creation date and time of the task Creator Administrato

Page 115

193 Figure 185 Snapshot of events Table 168 Event snapshot query options Option Description Device Select a device, a device group, or All devices

Page 116

194 Recent events list The firewall management component presents firewall attack events not only through graphs but also in a table list. The recent

Page 117

195 Device monitoring In addition to the attack event information of the entire network, the firewall management component also allows you to view th

Page 118

196 Figure 188 Attack event overview Table 172 Query options on the attack event overview page Option Description Device Select a device, a device

Page 119 - Configuration guide

197 Figure 189 Top 10 attack events contrast graph CAUTION: Logs are aggregated at 3 o’clock every day. When you query event information of the cu

Page 120

198 Figure 190 Attack event details Table 173 Event details query options Option Description Device Select a device, a device group, or All devices

Page 121

199 Table 174 Fields of the attack event details list Field Description Time Time when the attack event occurred Src IP Attack source IP address De

Page 122 - Database access alarm list

200 Report export task list From the navigation tree of the firewall management component, select Event Export Tasks under Event Analysis to enter th

Page 123

201 Figure 193 Add a report export task Table 178 Configuration items of a report export task Item Description Task Name Required Specify the name

Page 124 - Field Description

13 Template list From the navigation tree of the system management component, select Access Template List under Device Management. The access templat

Page 125 - Item Description

202 abnormal traffic, reason for giving the alarm, severity, and ratio of each protocol used by the abnormal traffic. Abnormal traffic log auditing

Page 126 - URL analysis

203 Figure 195 Operation log auditing Auditing blacklist logs From the navigation tree of the firewall management component, select Blacklist Logs

Page 127 - Aggregate analysis

204 Auditing NAT logs From the navigation tree of the firewall management component, select NAT Logs under Event Auditing to enter the NAT log auditi

Page 128 - User action analysis

205 Auditing MPLS logs From the navigation tree of the firewall management component, select MPLS Logs under Event Auditing to enter the MPLS log aud

Page 129 - Category auditing

206 Figure 200 Other log auditing Security policy management This function allows you to configure security policies for the firewall devices, so t

Page 130 - Audit logs backup

207 Function Description Adding a security zone Allows you to add a security zone. Importing security zones from a device Allows you to import secur

Page 131

208 Table 181 Security zone configuration item Item Description Security Zone Type a name for the security zone. A security zone name cannot contain

Page 132 - Scheduling auto backup

209 Time range list The time range list is on the time range management page, as shown in Figure 204. Figure 205 describes the fields of the list.

Page 133 - Importing backed up logs

210 Item Description Time Range Required Specify the time periods during which a security policy that references the time range take effect. A time p

Page 134

211 Predefined services The predefined services are displayed by default when you select Services under Security Policy Management. See Figure 206.

Page 135

14 Figure 13 Add a template Table 6 Template configuration items Item Description Template Name Required Type a name for the template. The templat

Page 136 - IPS management

212 Figure 208 Add a user-defined service Table 188 User-defined service configuration items Item Description Name Required Type a name for the use

Page 137 - UTM device list

213 Service groups From the navigation tree of the firewall management component, select Services under Security Policy Management. Click the Service

Page 138 - Upgrading signature files

214 Figure 210 Add a service group Table 190 Service group configuration items Item Description Name Required Type a name for the service group. Th

Page 139 - Managing signature files

215 Managing IP addresses Configuration guide From the navigation tree of the firewall management component, select IP Addresses under Security Polic

Page 140 - Modifying a signature file

216 Figure 212 Add a host address Table 193 Host address configuration items Item Description Name Required Type a name for the host address. The n

Page 141 - Rule list

217 Figure 213 Address range management page Table 194 Fields of the address range list Field Description Name Name of the address range Address R

Page 142 - Displaying device statistics

218 Table 195 Address range configuration items Item Description Name Required Type a name for the address range. The name can contain only digits (0

Page 143 - Realtime monitoring

219 Field Description Referenced Whether the subnet address is referenced or not Operation Click the icon to modify the subnet address. To add a s

Page 144

220 Item Description Excluded Addresses Required Specify the IP addresses to be excluded from the subnet. • Input an IP address and click Add next t

Page 145

221 Figure 218 Add an IP address group Table 199 IP address group configuration items Item Description Name Required Type a name for the IP address

Page 146

15 Item Description SNMP Version Required Select an SNMP version from the dropdown list. The options include SNMPv1, SNMPv2C, and SNMPv3. Community

Page 147

222 Managing interzone rules Configuration guide From the navigation tree of the firewall management component, select Interzone Rules under Security

Page 148

223 Option Description Policy Query interzone rules by policy. Status Query interzone rules by status (enabled, disabled, or both) Referenced Query i

Page 149 - Monitoring devices

224 Figure 220 Add an interzone rule Table 203 Interzone rule configuration items Item Description Src Zone Required Select a source zone for the i

Page 150 - Event analysis

225 Item Description Dest IP Required Add destination IP addresses for the interzone rule. • Available IP addresses are listed in the left box. The

Page 151

226 Managing interzone policies Configuration guide From the navigation tree of the firewall management component, select Interzone Policies under Se

Page 152

227 Adding an interzone policy From the navigation tree of the firewall management component, select Interzone policies under Security Policy Managem

Page 153

228 Table 207 Fields of the policy’s rule list Field Description ID ID of the interzone rule When you create an interzone rule, the system automatica

Page 154 - Attack event details

229 Figure 225, select after, select rule 1 from the drop-down list, and click Apply to move rule 0. Figure 226 shows the result. Figure 225 Move ru

Page 155

230 Table 208 Interzone policy application management functions Function Description Interzone policy application list Allows you to view all interzo

Page 156

231 Figure 228 Apply policies to the device CAUTION: The left box lists the available policies. The right box lists the policies to be applied to

Page 157

16 Table 7 Device management functions Function Description Device list Allows you to view details about devices, import service definitions, and con

Page 158

232 Option Description Action Query interzone rules by filtering action. Src IP Query interzone rules by source IP. Dest IP Query interzone rules by

Page 159

233 Configuration example 1 Network requirements H3C SecCenter UTM Manager works with UTM devices. The UTM Manager collects logs sent by UTM devices

Page 160

234 Figure 230 Add a device to the system management component 2. Normally, the IPS management component can discover and add UTM devices automati

Page 161

235 Configuration example 2 Network requirements The UTM device connects the internal network 4.1.1.0/24 through GigabitEthernet 0/4 and connects the

Page 162

236 Figure 234 Configure dynamic NAT in Firewall > NAT Policy > Dynamic NAT. b. Configure rules for ACL 3000 to permit packets sourced from

Page 163 - Managing report export tasks

237 Then all traffic flows between zones Trust and Untrust will be redirected to segment 3, the default segment. On the In-depth detection page, yo

Page 164 - Adding a report export task

238 To connect to the SecCenter, you must enable all SNMP versions, create a read-only community named public and a read and write community named of

Page 165 - Policy management

239 NOTE: The port number set here must match the management port number set in the SecCenter, which can be seen on the page System Management &g

Page 166

240 NOTE: Flow logs refer to session logs only. To get flow logs, you must configure session logging as shown below. 3. Configure a session logg

Page 167

241 NOTE: As an example, the threshold is set quite low. Set a proper threshold according to the requirements of your network. Configuring th

Page 168

17 Field Description Operation • Click the icon of a device to open the web console of the device. • Click the icon of a device to telnet to t

Page 169

242 2. Click the Application Security Policy link to enter the in-depth detection page. NOTE: Before configuring IPS, AV, and other policies, ma

Page 170

243 To create a new IPS policy, complete the following steps: 1. Create a new IPS policy a. Select IPS > IPS Policies to enter the IPS policy

Page 171 - Adding an anti-virus policy

244 3. Apply the IPS policy to a segment a. Select IPS > Segment Policies from the navigation tree, and click Add to enter the page for apply

Page 172

245 Configuring an AV policy There is also a default AV policy on segment 3. Or you can add the default AV policy to other segments. Configurin

Page 173

246 Configuring flow log parameters Enable flow logging so that the session information is logged and analyzed in the SecCenter. Follow these steps

Page 174 - Policy application list

247 NOTE: Only the U200-A supports flow logging. Configuring a protocol auditing policy 1. Select Protocol Audit > Segment Policy Management f

Page 175 - Adding a policy application

248 • Intrusion policy logs • User logs Displaying firewall management statistics on the SecCenter Because the firewall has been configured t

Page 176 - Displaying attack signatures

249 • Recent events • Inter-zone access logs • Blacklist logs

Page 177

250 • Operation Logs Checking the effect of the IPS/AV policy and the SecCenter Analysis As an example, run X-scan on an internal PC to scan an

Page 178

251 Select Log Management > Virus Logs > Recent Logs to view the detailed information of the viruses detected. 2. Check the logs on the S

Page 179 - Configuring custom events

18 Figure 15 Add a device Table 10 Device configuration items Item Description Host Name/IP Required Type the name or IP address of the device to

Page 180 - Custom event list

252 Because flow logging is enabled, you can select Bandwidth > Traffic Snapshot on the SecCenter to view the statistics of the traffic passing

Page 181 - Adding a custom event

253 Select the Behavior Auditing tab, and then select Websites under User Behavior Analysis from the navigation tree. The website analysis function

Page 182

254 IndexA Adding the UTM devices to the UTM Manager 233 Attack events monitoring 192 Audit logs backup 122 C Configuration procedures 235 Configuri

Page 183

19 Item Description Select access template Specify access parameters Required. Select either of them. • If you select Select access template, selec

Page 184

20 Return to Device management functions. Device information From the navigation tree of the system management component, select Device List under De

Page 185

21 Figure 17 Device software management page Table 11 Device software management functions Function Description Deploying software to devices Allo

Page 186 - Changing the event status

Preface The H3C SecCenter UTM Manager Configuration Guide describes Installation and uninstallation, Integration with iMC, System management, Bandwid

Page 187 - Modifying a custom event

22 Figure 18 Deploy software to devices Table 13 Software deployment configuration items Item Description Task Name Required Type the name of the

Page 188 - Policy list

23 Item Description Error Handling Required when the deployment mode is Serial. Specify the error handling scheme to be used when a deployment error

Page 189

24 Table 14 Fields of the software backup result list Field Description Device Label Device name and IP address Software Name Name of the software b

Page 190 - Firewall management

25 Function Description Restoring a configuration file Allows you to restore the startup and/or backup configuration file of a device to another vers

Page 191 - Adding firewall devices

26 Return to Device configuration management functions. Restoring a configuration file From the navigation tree of the system management component, s

Page 192 - Viewing device statistics

27 Table 17 Tabs on the device configuration information management page and functions provided Tab Description Label A label represents a configura

Page 193

28 Field Description Restore Allows you to set the configuration file(s) identified by the label as the startup configuration file and/or running con

Page 194 - Configuration segment list

29 Figure 25 Running configuration file list Table 19 Fields of the running configuration list Field Description Version Uniquely identifies the ru

Page 195

30 Figure 26 Draft list Table 20 Fields of the draft list Field Description Name Name of the draft. Description Remarks on the draft. Creation Ti

Page 196

31 Table 21 Device software database functions Function Description Importing device software Allows you to import device software from a file or fr

Page 197

Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a ro

Page 198

32 Managing deployment tasks This function allows you to view all deployment task information. Configuration guide From the navigation tree of the sy

Page 199 - Managing deployment tasks

33 Managing events Configuration guide The event management function records the operations on managed devices and logs the events, allowing you to t

Page 200 - Attack events monitoring

34 Table 28 Fields of the event list Field Description Severity Severity level of the event Source Label and IP address of the device that is the so

Page 201

35 Configuring device interface alarming This function allows you to specify when and for what events to generate alarms, how to raise alarms, and wh

Page 202 - Recent events list

36 There are three user levels: common operator, system administrator, and super administrator. A higher level operator has all the rights of operato

Page 203

37 Table 33 Fields of the operator list Field Description Login Name Name of the operator Role Operation level of the operator Last Login Time Last

Page 204

38 Table 34 Operator configuration items Item Description Login Name Type a name for the operator, a string of up to 40 characters. Login Password S

Page 205 - Viewing event details

39 Table 35 Operation log query options Option Description Operator Specify the operator whose logs you are interested in. Gateway IP Type the IP ad

Page 206

40 Item Description New Password Required Type the new password. This password must be an alphanumeric string of 6 to 20 characters. Confirm Passwor

Page 207

41 Figure 37 Service parameter configuration page Configuring system parameters Follow these steps: 1. From the navigation tree of the system mana

Page 208 - Report export task list

i Contents Overview

Page 209 - Event auditing

42 2. Configure the ports. Table 38 describes the configuration items. 3. Click Apply. Figure 39 Management port configuration page Table 38 Mana

Page 210 - Auditing operation logs

43 Item Description NetStream V5 Logs Port Required Type the port for receiving NetStream V5 logs. NetStream V5 logs are used by H3C Intelligent Tra

Page 211 - Auditing blacklist logs

44 Table 39 Mail server configuration items Item Description Mail Server IP Required Type the IP or domain name of the mail server. The domain name

Page 212 - Auditing NAT logs

45 Table 40 SMS alarming configuration items Item Description Enable SMS Alarm Required Specify whether to enable SMS alarming. COM Port Required Se

Page 213 - Auditing other logs

46 Filter list From the navigation tree of the system management component, select Filter Management under System Config. The filter management page

Page 214 - Security policy management

47 Table 43 Filter configuration items Item Description Filter Name Required Type a name for the filter. The filter name can comprise up to 40 chara

Page 215 - Adding a security zone

48 Configuration guide From the navigation tree of the system management component, select LDAP Server Management under System Config. The LDAP serve

Page 216 - Managing time ranges

49 Figure 45 Add an LDAP server Table 46 LDAP server configuration items Item Description Server Name Required Type a name for the LDAP server. Se

Page 217 - Adding a time range

50 2. Select Alarm by Email and enter the email address. 3. Click the alarm time points, or drag the cursor to select a time period. 4. Click Appl

Page 218 - Managing services

51 • Click the icon of a segment to modify the segment. • Click the icon of a segment to delete the segment. Adding a segment Follow these steps

Page 219 - User-defined services

ii Top users' traffic statistics

Page 220

52 Figure 49 Disk space alarm configuration page Table 47 Alarm configuration items of the disk space for logs Item Description Warning Disk Space

Page 221 - Service groups

53 Figure 50 Free disk space monitoring page Managing subsystems Subsystem management implements unified management and monitoring of multiple SecC

Page 222

54 Figure 51 Subsystem management page Table 48 Fields of the subsystem list Field Description Server IP IP address of the subsystem server Port

Page 223 - Managing IP addresses

55 Item Description Server Port Required Specify the server port providing web access service. The default port is 80. User Name Required Specify the

Page 224 - Address ranges

56 Bandwidth management The bandwidth management component of the UTM Manager receives stream logs from managed devices and analyzes and reports netw

Page 225

57 Figure 53 Traffic snapshot Table 51 Traffic snapshot query options Option Description Device Group Select a device group to collect statistics

Page 226 - Subnet addresses

58 Option Description Top Users Select a number to display detailed information about the specified number of top users. Direction Select a traffic

Page 227

59 Figure 54 Traffic comparison by segments Table 54 Traffic comparison query options Option Description Device Group Select a device group to col

Page 228 - IP address groups

60 To configure the alarming settings, follow these steps: 1. Select the Alarm configuration tab. See Figure 56. 2. Select alarm modes and specif

Page 229

61 Service traffic analysis by device group Service traffic trend For better traffic analysis, the bandwidth management component allows you to group

Page 230 - Managing interzone rules

iii Attack event details

Page 231 - Adding an interzone rule

62 Figure 57 Level-1 service traffic statistics report page Level-2 service traffic statistics Similarly, the level-2 service traffic statistics re

Page 232

63 • The upper area displays traffic trend graphs for the upstream, downstream, and streams of both directions of a service type. • The middle are

Page 233

64 Table 56 Query options on the service traffic statistics report pages Option Description Device Group Select a device group to collect statistics

Page 234 - Managing interzone policies

65 Table 57 Service traffic trend query options Option Description Device Group Select a device group to collect statistics on its service traffic.

Page 235 - Rule management

66 Figure 60 Level-1 service traffic distribution report page Level-2 service traffic distribution Similarly, the level-2 service traffic distribu

Page 236 - Sorting interzone rules

67 Figure 61 Level-2 service traffic distribution report page Table 58 Service traffic distribution query options Option Description Device Group

Page 237

68 Generic service analysis From the navigation tree of the bandwidth management component, select Generic Service Analysis under Analysis by Device

Page 238 - Applying interzone policies

69 Service traffic analysis by user Top users' traffic statistics From the navigation tree of the bandwidth management component, select Top Use

Page 239 - Applied rules list

70 Figure 63 Top users' traffic report page Table 60 Top users' traffic statistics query options Option Description Device Group Selec

Page 240 - Field Description

71 Realtime traffic monitoring of a single user To monitor the traffic of single user in real time, select Realtime Traffic Monitoring under Analysis

Page 241 - Configuration example 1

iv Configuring the advanced detection policies and specifying sending logs to the SecCenter 241 Verification

Page 242

72 Figure 65 Add users to the monitored users list Table 63 Configuration items for adding users to the monitored users list Item Description Devic

Page 243 - Configuration example 2

73 Figure 66 Level-1 service traffic statistics of a single user Level-2 service traffic statistics of a single user Similarly, the report page o

Page 244

74 • The middle area lists the service traffic summary, and you can click a service name link to enter the service statistics report page of the ser

Page 245

75 Traffic statistics of a specific service for a single user The traffic statistic report page of a specific service for a single user is also divid

Page 246 - Configuring the SecCenter

76 • Click the icon to export reports. Table 65 describes the service distribution query options on the service traffic distribution report page f

Page 247

77 Figure 70 Level-2 service traffic distribution of a single user Table 65 Service traffic distribution query options on the distribution report p

Page 248

78 Table 66 Detailed session statistics query options Option Description Source IP Specify a source IP address. Destination IP Specify a destinati

Page 249

79 Table 68 IP group management functions Function Description IP group list Allows you to view details of all IP groups. Adding an IP group Allow

Page 250 - Configuring an IPS policy

80 Adding an IP group From the navigation tree of the bandwidth management component, select IP Groups under Analysis by IP Group to enter the IP gro

Page 251

81 Table 71 Fields of the IP address management list Field Description Start IP Start IP address of the IP group End IP End IP address of the IP gr

Page 252

1 Overview Introduction to H3C SecCenter UTM Manager H3C SecCenter Unified Threat Management (UTM) Manager is a powerful system for comprehensive ana

Page 253 - Configuring an AV policy

82 Figure 76 Realtime traffic snapshots of an IP group Table 73 Realtime traffic snapshots query options Option Description IP Group Select an I

Page 254

83 • The upper area displays service traffic trend graphs for the upstream, downstream, and streams of both directions. • The middle area lists th

Page 255 - Verification

84 Level-2 service traffic statistics of an IP group Similarly, the level-2 service traffic statistics report of an IP group is also divided into thr

Page 256

85 Traffic statistics of a specific service for an IP group The traffic statistics report of a specific service for an IP group is also divided into

Page 257

86 • Click a service type link to enter the level-2 service traffic distribution report of the IP group, as shown in Figure 81. • Click the icon

Page 258

87 Figure 81 Level-2 service traffic distribution of an IP group Table 75 Traffic distribution query options Option Description IP Group Specify

Page 259

88 Figure 82 Traffic statistics of top users in an IP group Table 76 Top users' traffic statistics query options Option Description Direction

Page 260

89 Behavior auditing The behavior auditing component analyzes audit logs received from managed devices, allowing you to audit terminal user behaviors

Page 261

90 Figure 83 Website analysis Table 77 Website analysis query options Option Description Device Group Select a device group to collect statistics

Page 262

91 Option Description Duration Select the statistics duration. You can select Day, Week, or Month, or select Customize to specify a statistics durati
