Universal Security Gateway (USG) is the product branding for Huawei's next-generation, AI-enabled application security firewall. It comes in several forms: modular and virtual appliance. By introducing AI-based threat response, software-defined network-security defense, and intelligent security policy optimization, Huawei's USG product series helps mitigate network security risks as customers go digital.
Buying the real physical products just to build a proof-of-concept network security solution before the purchase, rollout and implementation of a firewall would cost a bomb. Hence, a simulated environment running the real Huawei USG platform serves the purpose.
The relevant questions that arise next are:
1) Where shall I obtain the virtualized USG image to perform the simulation?
2) How do I install the acquired image on the eNSP simulated environment?
3) How do I access the USG security firewall from my Windows 10 machine to configure the product?
Part 1: Where shall I obtain the USG image?
The USG image I plan to install is a Huawei proprietary software image that runs only on the eNSP software. Using a well-known search engine is the best approach to locate it.
Step 1.1: Open the Chrome or Edge web browser and search for the keyword “ensp” to locate the required image.
Step 1.2: The discovered link will lead me to a public Facebook link as shown below.
Step 1.3: From the MegaNZ cloud shared folder, select the required image to download as shown below:
USG6000V.zip
Part 2: How do I install the USG image on eNSP?
Before installing the USG image, the prerequisite is that the eNSP software is completely installed and running fine. If the eNSP software has not been installed, kindly refer to my first blog post, “How To install Huawei eNSP on Windows 10”, to get it up and running.
Step 2.1: Extract the downloaded zipped USG image.
Step 2.2: Install the USG image file on eNSP. Locate the extracted image file named vfw_usg.vdi in the folder where it is stored. Open the eNSP application to load the file.
Open a new topology on the eNSP platform.
Step 2.3: Add a USG6000V device to the new topology workspace, then add a cloud image to the same workspace. The cloud image serves as a translator between the physical machine and the virtual USG firewall.
Note: Cloud1 requires a loopback adapter. Install the Microsoft network loopback adapter if your Windows 10 machine does not have one.
Step 2.4: Configure a local loopback adapter on the Windows 10 machine. The loopback adapter is the network interface used to communicate with the virtual USG firewall on eNSP once configuration is complete. By default, a Windows 10 machine does not come with a pre-installed loopback adapter. Installing a loopback adapter with a local private IP address in the firewall's management subnet allows us to manage the USG through its graphical user interface.
Step 2.4.1: Install a loopback network adapter on Windows 10. Go to Device Manager and add a new loopback network adapter as shown below:
Next, choose to add a new hardware component, in this case a network adapter:
Verify in the Device Manager applet that the loopback adapter was installed completely.
Step 2.4.2: Configure the loopback adapter address manually. Follow the steps as displayed below:
Configure an IP address for the loopback adapter in the same subnet as the USG firewall management address, for instance 192.168.0.0/24. The default firewall IP address is 192.168.0.1/24. We can change the default IP address to avoid address conflicts in your LAN; otherwise we can proceed with the default address plan. In this example, I change the IP address plan for illustration purposes.
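The same loopback addressing can be scripted from an elevated PowerShell prompt. This is an added example, not part of the original guide: it assumes the adapter uses the stock "Microsoft KM-TEST Loopback Adapter" driver and takes the 192.168.1.100/24 host address that the guide settles on in step 2.5.4, and it stops if another interface already sits in that subnet.

```powershell
# Added example: static addressing for the eNSP loopback adapter (run elevated).
# Assumptions: stock "Microsoft KM-TEST Loopback Adapter" driver;
# host address 192.168.1.100/24 as in the address plan of step 2.5.4.
$HostIp       = '192.168.1.100'
$PrefixLength = 24

$adapter = @(Get-NetAdapter | Where-Object InterfaceDescription -like '*KM-TEST Loopback*')
if ($adapter.Count -eq 0) { throw 'No loopback adapter found; install it first (step 2.4.1).' }
if ($adapter.Count -gt 1) { throw 'More than one loopback adapter found; select one by name.' }
$ifIndex = $adapter[0].ifIndex

# Stop if another interface already owns the lab subnet: traffic for the
# firewall could then leave through the real LAN instead of the loopback.
$conflict = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -like '192.168.1.*' -and $_.InterfaceIndex -ne $ifIndex }
if ($conflict) { throw "192.168.1.0/24 is already in use on: $($conflict.InterfaceAlias)" }

# Replace whatever IPv4 address the adapter has with the static lab address.
# No default gateway is set, so the adapter only ever reaches the lab subnet.
Get-NetIPAddress -InterfaceIndex $ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false -ErrorAction SilentlyContinue
Set-NetIPInterface -InterfaceIndex $ifIndex -AddressFamily IPv4 -Dhcp Disabled
New-NetIPAddress -InterfaceIndex $ifIndex -IPAddress $HostIp -PrefixLength $PrefixLength | Out-Null

# Show the result for verification.
Get-NetIPAddress -InterfaceIndex $ifIndex -AddressFamily IPv4 |
    Select-Object InterfaceAlias, IPAddress, PrefixLength
```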
Step 2.5: Open the eNSP application and load a new topology. Select ‘Cloud1’ and ‘USG6000V’ for the subsequent configuration.
Step 2.5.1: Install the USG firewall image by loading it onto the virtual device. When the USG6000V is started for the first time (with no image installed), it prompts for the image file to import.
Step 2.5.2: Power up USG6000V and verify the device is working properly by accessing its console as shown below.
Note: The default username and password for the USG6000V are admin and Admin@123 respectively. We need to change the default password upon logging in.
Default information relating to the USG6000V firewall is as follows:
| Parameter | Default value |
| --- | --- |
| Default System Name | USG6000V1 |
| Default IP Address | 192.168.0.1 |
| Default Subnet Mask | 255.255.255.0 |
| Built-in Username | admin |
| Default Password | Admin@123 |
Step 2.5.3: Check the USG6000V default IP address from the console.
Use the command ‘display ip interface brief’.
Step 2.5.4 (Optional): Change the default management IP address of the USG firewall to the same segment as my loopback address plan, 192.168.1.0/24. I plan to use 192.168.1.1/24 as the management IP address of the USG firewall and 192.168.1.100/24 as my loopback address.
Change the management IP address of the USG firewall as follows:
Step 2.5.5: Configure Cloud1 (representing your Windows 10 host machine) to communicate with the virtual USG6000V firewall. Follow the steps below closely so that the Windows 10 host can communicate with the firewall for the subsequent firewall security management tasks.
The local PC loopback address was already assigned earlier, in step 2.4.2.
Right click on Cloud1 to start setting the required configuration parameters as shown below:
i. Right-click on the Cloud1 icon and select ‘Properties’.
ii. Select ‘GE’ as the Port Type and add two entries for the BindingInfo: a) the loopback adapter (Ethernet3 in my case) and b) UDP.
iii. For the port map setting, choose ‘GE’ for Port Type, set the Remote Port Number to 2 and check the Two-way Channel box; then add the entry to the port mapping table as shown below:
Step 2.5.6: Configure the firewall management interface for administration and not for data forwarding. Clear the current default management interface configuration, then reconfigure the interface for system administration only.
A) Clear the current default management interface configuration.
Double-click FW1 to open the USG firewall device after it has booted up completely. [Wait for the green dot sign as shown in the diagram above.]
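Enter the system view and then the view of the management interface gi0/0/0, and issue the following command to clear the default management interface configuration.
system-view
interface GigabitEthernet 0/0/0
undo ip binding vpn-instance default
B) Still in the interface view, configure the changed IP address for the management interface gi0/0/0 and enable the service administration function.
ip address 192.168.1.1 24
service-manage enable
service-manage https permit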
Step 2.5.7: Test access to the web UI administration from your own PC browser as shown below:
Enter the URL https://192.168.1.1:8443 in the browser to access the web UI administration of the USG firewall as shown below.
Log in to the web portal with the user account admin and the password you changed earlier.
Once the login is successful, you can start to configure your firewall functions.
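To confirm from the Windows 10 host which management services the firewall actually answers on, the check below probes the web UI port from the URL above alongside the cleartext HTTP and Telnet ports. This is an added example, not part of the original guide; the expectation that ports 80 and 23 stay closed is an assumption based on step 2.5.6 permitting only HTTPS.

```powershell
# Added example: verify management exposure of the lab firewall from the host.
# Assumptions: management address 192.168.1.1 (step 2.5.6), web UI on TCP 8443
# (from the URL above); HTTP/Telnet are expected closed because only
# "service-manage https permit" was configured.
$FirewallIp = '192.168.1.1'
$checks = @(
    @{ Port = 8443; Service = 'HTTPS web UI'; ExpectOpen = $true  },
    @{ Port = 80;   Service = 'HTTP';         ExpectOpen = $false },
    @{ Port = 23;   Service = 'Telnet';       ExpectOpen = $false }
)

$results = foreach ($c in $checks) {
    # Closed ports take a while to time out; warnings are suppressed on purpose.
    $r = Test-NetConnection -ComputerName $FirewallIp -Port $c.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Service    = $c.Service
        Port       = $c.Port
        Reachable  = $r.TcpTestSucceeded
        ViaAdapter = $r.InterfaceAlias      # should be the loopback adapter
        Verdict    = if ($r.TcpTestSucceeded -eq $c.ExpectOpen) { 'as expected' }
                     else { 'review service-manage settings' }
    }
}

$results | Format-Table -AutoSize
```

If ViaAdapter is not the loopback adapter, the host is routing the lab subnet through another interface and the Cloud1 binding from step 2.5.5 is not the path in use.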
Finally, this concludes the whole installation process; by following the guide, it is expected to work fine with your eNSP simulator. If you like this technical guide, kindly like and share the blog so that more people benefit. Your constructive feedback is much appreciated and motivates me to produce future blogs.