Accenture MDR Quick Start Guide for Huawei Versatile Routing Platform

This quick start guide helps Accenture MDR customers configure Huawei Versatile Routing Platform to send logs to the Log Collection Platform (LCP).

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx), which can be found in the Accenture MDR Portal.

Port Requirements

Table 1-1: Port requirements for LCP communication.

| Source | Destination | Port | Description |
|---|---|---|---|
| Huawei Router | LCP | 514 (UDP) or 601 (TCP) | Default port |

 

Configuring a Huawei Router:

For NE Device:

  1. Run system-view

-The system view is displayed.

2. (Optional) Run info-center enable

-Information management is enabled to send information to a terminal or remote server.

3. (Optional) Run info-center channel channel-number name channel-name

-The information channel specified by channel-number is named channel-name.

4. (Optional) Run info-center syslog packet-priority priority-level

-The output priority of Syslog packets is configured.

5. Run info-center loghost source interface-type interface-number

-The source interface through which the device sends information to the Syslog server is configured.

6. Run info-center loghost source-port source-port

-The source port through which the device sends information to the log host is configured.

7. Send information to a specified Syslog server.

 

  • On an IPv4 network, run info-center loghost lcp-ipv4-address [ { public-net | vpn-instance vpn-instance-name } | channel { channel-number | channel-name } | source-ip source-ip-address | facility local-number | port port-number | level log-level | { local-time | utc } | transport { udp | tcp [ ssl-policy policy-name [ security | verify-dns-name dns-name ] ] } ] *

-The device is configured to send information to a specified Syslog server.

  • On an IPv6 network, run info-center loghost ipv6 lcp-ipv6-address [ { public-net | vpn-instance vpn-instance-name } | facility local-number | source-ip source-ipv6-address | channel { channel-number | channel-name } | port port-number | level log-level | { local-time | utc } | transport { udp | tcp [ ssl-policy policy-name [ security | verify-dns-name dns-name ] ] } ] *

-The device is configured to send information to a specified Syslog server.

  • For a log host with a domain name specified, run info-center loghost domain domain-name [ { local-time | utc } | channel { channel-number | channel-name } | { public-net | vpn-instance vpn-instance-name } | source-ip source-ip-address | facility local-number | level log-level | port port-number | transport { udp | tcp [ ssl-policy policy-name [ security ] ] } ] *

-The device is configured to send information to a specified Syslog server.

If the security parameter is set, the system sends only security logs to the log host.

By default, a device sends logs to a Syslog server over UDP. To improve transmission security, you can configure TCP-based SSL encrypted transmission by specifying transport tcp ssl-policy policy-name.

8. Run info-center source { module-name | default } channel { channel-number | channel-name } [ log { state { off | on } | level severity } * | trap { state { off | on } | level severity } * | debug { state { off | on } | level severity } * ] *

-The rules for outputting information to the information channel are configured.

9. (Optional) Run info-center syslog packet-priority priority-level

-The output priority of Syslog packets is configured.

10. Run commit

-The configuration is committed.

Note: Before configuring TCP-based SSL encrypted transmission, configure an SSL policy and load a digital certificate.

 

For AR Device:

  1. Run system-view

-The system view is displayed.

2. Run the following command as required.

  • Run info-center loghost lcp-ip-address [ channel { channel-number | channel-name } | facility local-number | language language-name | transport { udp | tcp ssl-policy policy-name } | { vpn-instance vpn-instance-name | public-net } | local-time ] *

-The device is configured to output logs to the IPv4 log host.

  • Run info-center loghost ipv6 lcp-ipv6-address [ channel { channel-number | channel-name } | facility local-number | language language-name | transport { udp | tcp ssl-policy policy-name } | local-time ] *

-The device is configured to output logs to the IPv6 log host.

3. Run info-center source { module-name | default } channel { channel-number | channel-name } log { state { off | on } | level severity } *

-A rule for outputting logs to a channel is set. By default, channel 2 is enabled to output logs and the lowest log severity is informational.

4. (Optional) Run info-center loghost source interface-type interface-number

-The source interface used by the device to send messages to a log host is specified.

By default, the source interface for a device to send messages to a log host is the actual interface that sends the messages. After the source interface is specified, the log host can use it to determine which device sent the messages.

 

For Cloud Engine 67xx Switch:

  1. Log in to the CLI of the switch by using Admin credentials.

  2. Run system-view
    The system view is displayed.

  3. Run info-center enable
    Information management is enabled to send information to a terminal or remote server. By default, the information center is enabled.

  4. Run the following commands to enable log forwarding to LCP.

    1. Forwarding logs through UDP
      info-center loghost <lcp-ip-address> channel 2 public-net port 514 security-log operation-log transport udp

    2. Forwarding logs through TCP over SSL
      info-center loghost <lcp-ip-address> channel 2 public-net port 6514 security-log operation-log transport tcp ssl-policy <policy-name>

      Parameter reference for the above commands:

      1. channel - Specifies the channel used to send information to a log host, given as a channel number or a channel name. By default, channel 2 is enabled for the log host. The customer can use any channel number configured for the log host, in the range 0 to 9.

      2. public-net - Indicates that the log host is connected in the public network.

      3. transport - Indicates the information transport mode.

        1. udp - Indicates the UDP transport mode. This is the default transport mode.

        2. tcp - Indicates the TCP transport mode.

        3. ssl-policy - Specifies a Secure Sockets Layer (SSL) policy in the TCP transport mode. This parameter is recommended to improve log transmission security.

      4. port - Specifies the port number of a log host.

        1. udp - 514

        2. tcp over SSL - 6514

  5. Run the following command to set rules for outputting information through the information channel.

    info-center source <module-name or default> channel 2 log level informational

    Parameter reference for the above command:

    1. channel - Specifies the number of a channel. By default, channel 2 is enabled to output logs. Any channel number in the range 0 to 9 can be configured.

    2. module-name - Specifies the module name. The value depends on the registered module, such as AAA, NTP, SECE, etc.

    3. level - Specifies the lowest severity of output logs. By default, the lowest log severity is informational.

 

For Cloud Engine 68XX Switch:

  1. Log in to the CLI of the switch by using Admin credentials.

  2. Run system-view
    The system view is displayed.

  3. Run info-center enable
    Information management is enabled to send information to a terminal or remote server. By default, the information center is enabled.

  4. Run the following commands to enable log forwarding to LCP.

     

    1. Forwarding logs through UDP
      info-center loghost <lcp-ip-address> channel 2 public-net port 514 transport udp

       

    2. Forwarding logs through TCP over SSL
      info-center loghost <lcp-ip-address> channel 2 public-net port 6514 transport tcp ssl-policy <policy-name>

      Parameter reference for the above commands:

      1. channel - Specifies the channel used to send information to a log host, given as a channel number or a channel name. By default, channel 2 is enabled for the log host. The customer can use any channel number configured for the log host, in the range 0 to 9.

      2. public-net - Indicates that the log host is connected in the public network.

      3. transport - Indicates the information transport mode.

        1. udp - Indicates the UDP transport mode. This is the default transport mode.

        2. tcp - Indicates the TCP transport mode.

        3. ssl-policy - Specifies a Secure Sockets Layer (SSL) policy in the TCP transport mode. This parameter is recommended to improve log transmission security.

      4. port - Specifies the port number of a log host.

        1. udp - 514

        2. tcp over SSL - 6514

  5. Run the following command to set rules for outputting information through the information channel.

    info-center source <module-name or default> channel 2 log level informational

     

    Parameter reference for the above command:

    1. channel - Specifies the number of a channel. By default, channel 2 is enabled to output logs. Any channel number in the range 0 to 9 can be configured.

    2. module-name - Specifies the module name. The value depends on the registered module, such as AAA, NTP, SECE, etc.

    3. level - Specifies the lowest severity of output logs. By default, the lowest log severity is informational.

     

  6. Commit the configuration.

    commit
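
The loghost settings described above can be checked against a saved copy of the device configuration. The following Python script is an added example, not part of the Accenture or Huawei material: it parses the info-center loghost lines and reports entries that differ from this guide (no entry for the LCP, no ssl-policy, or a port other than 514 for UDP, 601 for TCP, or 6514 for TCP over SSL). The function names, the 192.0.2.10 address, the LoopBack0 interface and the lcp-policy name are assumptions made for the example.

```python
import re

# Listener ports as listed in this guide (Table 1-1 and the CloudEngine steps).
EXPECTED_PORT = {"udp": 514, "tcp": 601, "tcp-ssl": 6514}

def parse_loghosts(config_text):
    """Return one dict per 'info-center loghost <target> ...' line."""
    hosts = []
    for line in config_text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["info-center", "loghost"] or len(tokens) < 3:
            continue
        if tokens[2] in ("source", "source-port"):
            continue  # source interface / source port, not a log host
        rest = tokens[3:] if tokens[2] in ("ipv6", "domain") else tokens[2:]
        if not rest:
            continue
        target, opts = rest[0], rest[1:]

        def value(key):
            return opts[opts.index(key) + 1] if key in opts[:-1] else None

        transport = value("transport") or "udp"  # UDP is the default per the guide
        if transport == "tcp" and value("ssl-policy"):
            transport = "tcp-ssl"
        port = value("port")
        hosts.append({"target": target, "transport": transport,
                      "port": int(port) if port and port.isdigit() else None})
    return hosts

def audit(config_text, lcp_target):
    """List deviations from the guide for the loghost entries pointing at the LCP."""
    findings = []
    if re.search(r"^\s*undo info-center enable\b", config_text, re.M):
        findings.append("information center is disabled")
    hosts = [h for h in parse_loghosts(config_text) if h["target"] == lcp_target]
    if not hosts:
        findings.append(f"no loghost entry for {lcp_target}")
    for h in hosts:
        if h["transport"] != "tcp-ssl":
            findings.append(f"{h['transport']} without ssl-policy: logs leave the device unencrypted")
        want = EXPECTED_PORT.get(h["transport"])
        if want and h["port"] is not None and h["port"] != want:
            findings.append(f"port {h['port']} configured, guide lists {want} for {h['transport']}")
    return findings

# Constructed samples in the command syntax shown above (address and policy name are placeholders).
WEAK = "info-center loghost source LoopBack0\ninfo-center loghost 192.0.2.10 channel 2 public-net port 6514 transport udp\n"
TLS = "info-center loghost 192.0.2.10 channel 2 public-net port 6514 transport tcp ssl-policy lcp-policy\n"

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("TLS", TLS)):
        print(name, audit(cfg, "192.0.2.10") or "matches the guide")
```

An entry with no explicit port is not flagged, because the device default then applies; confirm that default against the LCP listener separately.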

LCP Configuration Parameters

Table 1-2: The Huawei Versatile Routing Platform event collector (Syslog -3953) properties to be configured by Accenture are given in the table.

Property: Protocol
Default Value: UDP
Description: The default protocol for syslog. The collector can also accept logs in TCP.
Note: While TCP offers guaranteed delivery of log packets, it places a larger overhead on the LCP. To weigh the reliability of TCP against the speed and simplicity of UDP, contact the Accenture Security Onboarding team.

Property: IP Address
Default Value: Huawei Router IP address
Description: Logging device IP address mentioned in the Pre-Installation Questionnaire (PIQ).
Note: If the device sends logs using multiple interfaces, contact the Accenture Security Onboarding team.

Property: Signatures
Default Value:

AAA/,ACLE/,AM/,ARP/,ARPLINK/,ASSOC/,ATM/,ADA/,BFD/,BGP/,CM/,CPUP/,CSPF/,CWMP/,DEFD/,DEV/,DHCP/,DLSW/,DLP/,DSVPN/,DOT1X/,EFM/,ENGINE/,ENVMON/,ERRORDOWN/,FR/,FTPS/,FW/0/,FW/1/,FW/2/,FW/3/,FW/4/,FW/5/,FW/6/,FW/7/,FW-Log/,FW-LOG/,GPM/,GTL/,GRE/,GRESM/,GVRP/,HA/6/,HA/5/,HSB/,HTTP/4/,HTTP/6/,HWCM/,IFNET/,IFPDT/,IFM/,IGMP/,INFO/,IPS/4/,ADP-IPSEC/,IKE/,IPSec/,IPSEC/,NHRP/,ISIS/,KEYCHAIN/,L2TP/,L2V,L3ADP/,L3VPN/,LACP/,LDP/,LEDCTRL/,LINE/3/,LINE/4/,LINE/5/,LINE/6/,LLDP/,LOAD/5/,LSPM/,MEM/,MON/4/,MFIB/,MLD/,MRM/,MSDP/,NAT/5/,NATPT/,NETSTREAM/,NETCONF/,NQA/,NTP/4/,NTP/6/,OPSA/,OSPF/,OSPFV3/,PIM/,PKI/5/,PKI/4/,POE/,PPP/,PPPoE/,PPIURPF/,QOEQOS/,QoS/,QOS/,SA/3/,SA/6/,RDS/,REASM/,RIP/,RIPNG/,RM/3/,RM/6/,RM/4/,RMON/,RSVP/,SECAPP/,SECE/,SEP/6/,SEP/4/,SEP/3/,SEP/5/,SHELL/,SINDEX/,SNMP/5/,SNPG/,SSH/4/,SSH/5/,SSH/6/,SSLA/,SVPN_UM/,SOCKET/,SPR/,TFTP/,TDM/,TIME/5/,TNLM/,TRUNK/,UDPH/,UPDATE/3/,UPDATE/4/,UPDATE/6/,URL/1/,URL/3/,URL/4/,URL/6/,UTASK/,VRRP/,VOICE/,VOSCPU/,WEB/4/,WLAN/4/,WLAN/3/,WLAN/Notice/,WLAN_STA_DISCONNECT_REASON,WLAN_STA_INFO_AP_ASSOCIATE1,WLAN_STA_INFO_AP_ASSOCIATE2,WLAN_STA_INFO_AP_ASSOCIATE3,WLAN_STA_INFO_AP_ASSOCIATE4,WLAN_STA_INFO_AP_ASSOCIATE5,WLAN_STA_INFO_AP_ASSOCIATE6,WLAN_STA_STATE_CHANGE,WWAN/,3G/6/,CFG/4/,CLI/4/,CLI/5/,CONFIGURATION/,DEBUG/4/,DEBUG/5/,DEBUG/6/,DEBUG/7/,FTP/5/,FTP/6/,HTTPC/,RSA/6/,SSH/3/,SSHC/,SSHS/,SSL/,TELNET/,TELNETS,TPM/,TTY/,VFS/,VTY/,CLKM/,CLKSYNC/,CUSP/,DCNM/,DEVMEOP/,DRIVER/,FEI/,FM/4/,FM/5/,FM/7/,INFO/1/,INFO/4/,INFO/5/,INFO/6/,LCM/,LCS/,LINK-DETECT/,MPE/,NETCONFC/,NTP/,OPS/,PM/4/,PTP/,SAID_CFC/,SNMP/3/,SNMP/4/,SNMP/6/,SPM/,SYSCLOCK/,SYSTEM/1/,SYSTEM/2/,SYSTEM/4/,SYSTEM/5/,CPUDEFEND/,DEFEND/,DHCPR/,DHCPS/,DHCPSNP/,FEI_SEC/,HWTACACS/,PKI/2/,PKI/6/,PKI/7/,LDM/,MK/,SOC/4/,SOC/5/,SOC/6/,TRUSTTEM/,BASE-TRAP/,DEVM/,FE1/,FEI_7021/,FEI_COMM/,FEI_DUNE/,FEI_VFP/,LSPICDRIVER/,DISASTER_RECOVERY/,EOAM-1AG/,EOAM-Y1731/,FEI_TPOAM/,RBS/,TPOAM/,FEI_Y1731/,MPLS-OAM/,VRRP6/,PIC/,PORT/1/,PORT/2/,TRANSMISSION-ALARM/,ERPS/,ERROR-DOWN/,ETRUNK/,L2IF/,LPT/,MFL
P/,MSTP/,NVO3/,RRPP/,VXLAN/,APS/,CES/,FEI_LSPIC/,FR/4/,HDLC/,IMA/,MP/1/,MP/2/,DNS/4/,FIB/,IPV6/,ND/2/,ND/4/,TCP/4/,VSTM/,OSPFV2COMM/,RM/2/,BIER/,FEI_MC/,L2-MULTICAST/,PIM-STD/,SUBSYS_ID_PIMPRO/,FEI_MPLS/,MPLS-TE/,MPLS_LSPM/,MPLS_RSVP/,PCEP/,TUNNEL-TE/,SEGR/,SRPOLICY/,EVPN/,FEI_APS/,FEI_L2/,L2VPN/,LDT/,FEI_QOS/,EMDI/,FEI_NQA/,IFIT/,IPFPM/,PATH-DETECT/,TELEMETRY/,TWAMP/,BRASAAA/,BRASAM/,BRASDHCP/,BRASEAP/,BRASL2TP/,BRASRDS/,BRASRUI/,BRASUM/,BRASWEB/,DHCPACC/,NAT/1/,NAT/2/,NAT/4/,NAT/6/,VCLUSTER/,BRASVSM/,ACL6/3/,ACL6/4/,6OVER4/,ADDR/4/COLLISION_CNT_EXCEED,ALML/,ADPIPV4/,ASSISTANT/4,ASSISTANT/6,ASMNG/,ADA_BFD/,AUTODIAG/,BULKSTAT/,CFGMGR/,CFM/,CLOUD-MNG-CFG/,CLOUD-MNG-PM/,CMAINT/,CMD/5,CMD/4,CMREG/,COMT/,DBGCENTER/,DLDP/,DSA/,ECML/,EOAM1AG/,EOAM_ADP/,ERPS (G.8032)/,EZOP/,FECD/,FIBSPT/,FILTER/6,FSP/,GRSA/,HA/5,HA/6,HACA/,HOUP/,HSC/,HTTP/3,HTTP/4,HTTP/5,HTTP/6,HTTP2C/3,HTTP2C/4,IFADP/,IPV4-IPV6/,IPV6FIBAGENT/,IPV6PP/,IPV6TCP/,L2IFPPI/,L2V/,L3AD/,LINE/3,LINE/4,LINE/5,LOAD/,MAD/,MBR/,MCAST/,MCMD/,MD/,mDNS/,MPLS/,ND_RAGUARD/,NSADP/,OMNG/,PAF/,PATCH/6,PDF/4,PGM/,PM/3,Portal/6,QOSE/,RSA/3,RSA/4,RSA/6,RUMNG/,RUUP/,SA/3,SA/6,SACL/,SAID/6,SEA/,SEP/,SMLK/,SRM/,SSH/2,SSH/7,SSPADP/,SVXLAN/,SW_SNPG/,TAC/4,TAC/6,TAD/4,TAD/6,TPLMNG/,TRAFSTAT/,TUNNEL/6,TUNN_PS/,UNI-TOPOMNG/,UPDATE/3,UPDATE/4,UPDATE/6,USA/5,USBLOAD/,UVM/,VBST/,VCMP/,VOSMEM/,VPNBASE/,VTRUNK/,WEB/4,WEB/6,WEBMNG/,WEBS/,WEB_WRITEFILE_LOG/,Y1731ADP/,WLAN/2,WLAN/5,WLAN/6,WLAN/7,AIFABRIC/,CFG/2,DCB/,DOPHI/,DPLM/,EAI/,EAP/,EVA/6,EWM/,FIPS/,FWM-ETH/,FWM-FRAME/,GMDB/,HIPS/3,HIPS/6,HPE/3/,HPP/,MACSEC/,MDCLI/,M-LAG/,MQC/,OAS/,OPENFLOW/,PKGM/,PSSP_KMS/,SMLKTRAP/,SUM/,SYSTEM/6/,TELNETS/,VCMU/,ZTP/,ADPVXLAN/,BASETRAP/,CLKMIB/,EMDI_MB/,ENERGYTRAP/,ENTITYTRAP/,ENTITYEXTTRAP/,ENTMIB/,EOAM_Y1731/,HGMP/,IPCA/,LSPV,L2BPTNL/,L3MB/,LBDT/,LOOPDETECT/,MGMD/,SYSMIB/,SYSRES/,CMD/2,DS/4,IP/4,MONITOR/4,PKI/3,TUNNEL/4,TUNNEL/2,FM/2,ND/5,ND/3,ND/6,PATCH/2,PATCH/3,PATCH/4,PATCH/5,RM/5,SNMP/2

Description: Accenture Security recommended signatures processed by the Huawei Router event collector.

Property: Port Number
Default Value: 514
Description: The default port for UDP. For TCP, the default port is 601.
Note: The LCP can be configured to listen on a non-standard port. Advise the Accenture Security Onboarding team if this is a requirement.

 

Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.