Hillstone E-5000 Series en


E5168 / E5260 / E5268 / E5568 / E5660 / E5760 / E5960

Hillstone E-5000 Series


Next-Generation Firewall

The Hillstone E-5000 Series Next Generation Firewall (NGFW) is designed for the specific function
of security and provides comprehensive and granular visibility and control of applications. It can
identify and prevent potential threats associated with high-risk applications while providing policy-
based control over applications, users, and user-groups. Policies can be defined that guarantee
bandwidth to mission-critical applications while restricting or blocking unauthorized or malicious
applications. The Hillstone E-5000 Series NGFW incorporates comprehensive network security and
advanced firewall features, provides superior price performance, excellent energy efficiency, and
comprehensive threat prevention capability.

Product Highlights

Granular Application Identification and Control
The Hillstone E-5000 Series NGFW is optimized for content analysis of Layer 7 applications, providing fine-grained control of web applications regardless of port, protocol, or evasive action. It can identify and prevent potential threats associated with high-risk applications while providing policy-based control over applications, users, and user-groups. Security policies can be defined that guarantee bandwidth to mission-critical applications while restricting or blocking unauthorized or malicious applications.

Comprehensive Threat Detection and Prevention
The Hillstone E-5000 Series NGFW provides real-time protection for applications from network attacks including viruses, spyware, worms, botnets, ARP spoofing, DoS/DDoS, Trojans, buffer overflows, and SQL injections. It incorporates a unified threat detection engine that shares packet details with multiple security engines (AD, IPS, URL filtering, Antivirus, Sandbox etc.), which significantly enhances the protection efficiency and reduces network latency.

www.HillstoneNet.com © 2020 Hillstone Networks All Rights Reserved. | 1


Hillstone E-5000 Series Next-Generation Firewall

Features

Network Services
• Dynamic routing (OSPF, BGP, RIPv2)
• Static and policy routing
• Route controlled by application
• Built-in DHCP, NTP, DNS Server and DNS proxy
• Tap mode – connects to SPAN port
• Interface modes: sniffer, port aggregated, loopback, VLANS (802.1Q and Trunking)
• L2/L3 switching & routing
• Multicast (PIM-SSM)
• Virtual wire (Layer 1) transparent inline deployment

Firewall
• Operating modes: NAT/route, transparent (bridge), and mixed mode
• Policy objects: predefined, custom, aggregate policy, object grouping
• Security policy based on application, role and geo-location
• Application Level Gateways and session support: MSRCP, PPTP, RAS, RSH, SIP, FTP, TFTP, HTTP, dcerpc, dns-tcp, dns-udp, H.245 0, H.245 1, H.323
• NAT and ALG support: NAT46, NAT64, NAT444, SNAT, DNAT, PAT, Full Cone NAT, STUN
• NAT configuration: per policy and central NAT table
• VoIP: SIP/H.323/SCCP NAT traversal, RTP pin holing
• Global policy management view
• Security policy redundancy inspection, policy group, policy configuration rollback
• Policy assistant for easy detailed policy deployment
• Policy analyzing and invalid policy cleanup
• Comprehensive DNS policy
• Schedules: one-time and recurring

Intrusion Prevention
• Protocol anomaly detection, rate-based detection, custom signatures, manual, automatic push or pull signature updates, integrated threat encyclopedia
• IPS Actions: default, monitor, block, reset (attackers IP or victim IP, incoming interface) with expiry time
• Packet logging option
• Filter Based Selection: severity, target, OS, application or protocol
• IP exemption from specific IPS signatures
• IDS sniffer mode
• IPv4 and IPv6 rate based DoS protection with threshold settings against TCP Syn flood, TCP/UDP/SCTP port scan, ICMP sweep, TCP/UDP/SCIP/ICMP session flooding (source/destination)
• Active bypass with bypass interfaces
• Predefined prevention configuration

Antivirus
• Manual, automatic push or pull signature updates
• Manually add or delete MD5 signature to the AV database
• MD5 signature support uploading to cloud sandbox, and manually add or delete on local database
• Flow-based antivirus: protocols include HTTP, SMTP, POP3, IMAP, FTP/SFTP, SMB
• Compressed file virus scanning

Attack Defense
• Abnormal protocol attack defense
• Anti-DoS/DDoS, including SYN flood, UDP flood, DNS reply flood, DNS query flood defense, TCP fragment, ICMP fragment, etc.
• ARP attack defense
• Allow list for destination IP address

URL Filtering
• Flow-based web filtering inspection
• Manually defined web filtering based on URL, web content and MIME header
• Dynamic web filtering with cloud-based real-time categorization database: over 140 million URLs with 64 categories (8 of which are security related)
• Additional web filtering features:
- Filter Java Applet, ActiveX or cookie
- Block HTTP Post
- Log search keywords
- Exempt scanning encrypted connections on certain categories for privacy
• Web filtering profile override: allows administrator to temporarily assign different profiles to user/group/IP
• Web filter local categories and category rating override
• Support multi-language
• URL allow / block list configuration

Cloud-Sandbox
• Upload malicious files to cloud sandbox for analysis
• Support protocols including HTTP/HTTPS, POP3, IMAP, SMTP, FTP and SMB
• Support file types including PE, ZIP, RAR, Office, PDF, APK, JAR, SWF and Script
• File transfer direction and file size control
• Provide complete behavior analysis report for malicious files
• Global threat intelligence sharing, real-time threat blocking
• Support detection only mode without uploading files

Botnet C&C Prevention
• Discover intranet botnet host by monitoring C&C connections and block further advanced threats such as botnet and ransomware
• Regularly update the botnet server addresses
• Prevention for C&C IP and domain
• Support TCP, HTTP, and DNS traffic detection
• Allow and block list based on IP address or domain name
• Support DNS sinkhole and DNS tunneling detection

IP Reputation
• Identify and filter traffic from risky IPs such as botnet hosts, spammers, Tor nodes, breached hosts, and brute force attacks
• Logging, dropping packets, or blocking for different types of risky IP traffic
• Periodical IP reputation signature database upgrade

SSL Decryption
• Application identification for SSL encrypted traffic
• IPS enablement for SSL encrypted traffic
• AV enablement for SSL encrypted traffic
• URL filter for SSL encrypted traffic
• SSL encrypted traffic whitelist
• SSL proxy offload mode
• Support application identification, DLP, IPS sandbox, AV for SSL proxy decrypted traffic of SMTPS/POP3S/IMAPS

Endpoint Identification and Control
• Support to identify endpoint IP, endpoint quantity, on-line time, off-line time, and on-line duration
• Support 10 operating systems including Windows, iOS, Android, etc.
• Support query based on IP, endpoint quantity, control policy and status etc.
• Support the identification of accessed endpoints quantity across layer 3, logging and interference on overrun IP
• Redirect page display after custom interference operation
• Supports blocking operations on overrun IP
• User identification and traffic control for remote desktop services of Windows Server

Data Security
• File transfer control based on file type, size and name
• File protocol identification, including HTTP, FTP, SMTP, POP3 and SMB
• File signature and suffix identification for over 100 file types
• Content filtering for HTTP-GET, HTTP-POST, FTP and SMTP protocols
• IM identification and network behavior audit
• Filter files transmitted by HTTPS using SSL Proxy and SMB

Application Control
• Over 4,000 applications that can be filtered by name, category, subcategory, technology and risk
• Each application contains a description, risk factors, dependencies, typical ports used, and URLs for additional reference
• Actions: block, reset session, monitor, traffic shaping
• Identify and control cloud applications in the cloud
• Provide multi-dimensional monitoring and statistics for cloud applications, including risk category and characteristics

Quality of Service (QoS)
• Max/guaranteed bandwidth tunnels or IP/user basis
• Tunnel allocation based on security domain, interface, address, user/user group, server/server group, application/app group, TOS, VLAN
• Bandwidth allocated by time, priority, or equal bandwidth sharing
• Type of Service (TOS) and Differentiated Services (DiffServ) support
• Prioritized allocation of remaining bandwidth
• Maximum concurrent connections per IP
• Bandwidth allocation based on URL category
• Bandwidth limit by delaying access for user or IP
• Automatic expiration cleanup and manual cleanup of user used traffic


Features (Continued)

Server Load Balancing
• Weighted hashing, weighted least-connection, and weighted round-robin
• Session protection, session persistence and session status monitoring
• Server health check, session monitoring and session protection

Link Load Balancing
• Bi-directional link load balancing
• Outbound link load balancing: policy based routing including ECMP, time, weighted, and embedded ISP routing; Active and passive real-time link quality detection and best path selection
• Inbound link load balancing supports SmartDNS and dynamic detection
• Automatic link switching based on bandwidth, latency, jitter, connectivity, application etc.
• Link health inspection with ARP, PING, and DNS

VPN
• IPSec VPN
- IPSEC Phase 1 mode: aggressive and main ID protection mode
- Peer acceptance options: any ID, specific ID, ID in dialup user group
- Supports IKEv1 and IKEv2 (RFC 4306)
- Authentication method: certificate and pre-shared key
- IKE mode configuration support (as server or client)
- DHCP over IPSEC
- Configurable IKE encryption key expiry, NAT traversal keep alive frequency
- Phase 1/Phase 2 Proposal encryption: DES, 3DES, AES128, AES192, AES256
- Phase 1/Phase 2 Proposal authentication: MD5, SHA1, SHA256, SHA384, SHA512
- IKEv1 support DH group 1,2,5,19,20,21,24
- IKEv2 support DH group 1,2,5,14,15,16,19,20,21,24
- XAuth as server mode and for dialup users
- Dead peer detection
- Replay detection
- Autokey keep-alive for Phase 2 SA
• IPSEC VPN realm support: allows multiple custom SSL VPN logins associated with user groups (URL paths, design)
• IPSEC VPN configuration options: route-based or policy based
• IPSEC VPN deployment modes: gateway-to-gateway, full mesh, hub-and-spoke, redundant tunnel, VPN termination in transparent mode
• One time login prevents concurrent logins with the same username
• SSL portal concurrent users limiting
• SSL VPN port forwarding module encrypts client data and sends the data to the application server
• Supports clients that run iOS, Android, and Windows XP/Vista including 64-bit Windows OS
• Host integrity checking and OS checking prior to SSL tunnel connections
• MAC host check per portal
• Cache cleaning option prior to ending SSL VPN session
• L2TP client and server mode, L2TP over IPSEC, and GRE over IPSEC
• View and manage IPSEC and SSL VPN connections
• PnPVPN
• VTEP for VxLAN static unicast tunnel

IPv6
• Management over IPv6, IPv6 logging and HA
• IPv6 tunneling: DNS64/NAT64, IPv6 ISATAP, IPv6 GRE, IPv6 over IPv4 GRE
• IPv6 routing including static routing, policy routing, ISIS, RIPng, OSPFv3 and BGP4+
• IPS, Application identification, URL filtering, Antivirus, Access control, ND attack defense, iQoS
• Track address detection
• IPv6 jumbo frame support
• IPv6 Radius support
• IPv6 support on the following ALGs: TFTP, FTP, RSH, HTTP, SIP
• IPv6 support on distributed iQoS

VSYS
• System resource allocation to each VSYS
• CPU virtualization
• Non-root VSYS support firewall, IPSec VPN, SSL VPN, IPS, URL filtering, app monitoring, IP reputation, QoS
• VSYS monitoring and statistic

High Availability
• Redundant heartbeat interfaces
• Active/Active and Active/Passive mode
• Standalone session synchronization
• HA reserved management interface
• Failover:
- Port, local & remote link monitoring
- Stateful failover
- Sub-second failover
- Failure notification
• Deployment options:
- HA with link aggregation
- Full mesh HA
- Geographically dispersed HA

Twin-mode HA
• High availability mode among multiple devices
• Multiple HA deployment modes
• Configuration and session synchronization among multiple devices
• Dual HA data link ports

User and Device Identity
• Local user database
• Remote user authentication: TACACS+, LDAP, Radius, Active Directory
• Single-sign-on: Windows AD
• 2-factor authentication: 3rd party support, integrated token server with physical and SMS
• User and device-based policies
• User group synchronization based on AD and LDAP
• Support for 802.1X, SSO Proxy
• WebAuth: page customization, force crack prevention, IPv6 support
• Interface based authentication
• Agentless ADSSO (AD Polling)
• Use authentication synchronization based on SSO-monitor
• Support IP-based and MAC-based user authentication

Administration
• Management access: HTTP/HTTPS, SSH, telnet, console
• Central Management: Hillstone Security Manager (HSM), web service APIs
• System Integration: SNMP, syslog, alliance partnerships
• Rapid deployment: USB auto-install, local and remote script execution
• Dynamic real-time dashboard status and drill-in monitoring widgets
• Language support: English

Logs & Reporting
• Logging facilities: local log storage with storage models for up to 6 months, multiple syslog servers and multiple Hillstone Security Audit (HSA) platforms
• Encrypted logging and log integrity with HSA scheduled batch log uploading
• Reliable logging using TCP option (RFC 3195)
• Detailed traffic logs: forwarded, violated sessions, local traffic, invalid packets, URL etc.
• Comprehensive event logs: system and administrative activity audits, routing & networking, VPN, user authentications, WiFi related events
• IP and service port name resolution option
• Brief traffic log format option
• Three predefined reports: Security, Flow and Network reports
• User defined reporting
• Reports can be exported in PDF, Word and HTML via Email and FTP

Statistics and Monitoring
• Application, URL, threat events statistic and monitoring
• Real-time traffic statistic and analytics
• System information such as concurrent session, CPU, Memory and temperature
• iQOS traffic statistic and monitoring, link status monitoring
• Support traffic information collection and forwarding via Netflow (v9.0)

CloudView
• Cloud-based security monitoring
• 24/7 access from web or mobile application
• Device status, traffic and threat monitoring
• Cloud-based log retention and reporting

IoT Security
• Identify IoT devices such as IP Cameras and Network Video Recorders
• Support query of monitoring results based on filtering conditions, including device type, IP address, status, etc.
• Support customized whitelists


Specifications
| Specification | SG-6000-E5168 | SG-6000-E5260 | SG-6000-E5268 | SG-6000-E5568 | SG-6000-E5660 | SG-6000-E5760 | SG-6000-E5960 |
|---|---|---|---|---|---|---|---|
| FW Throughput (1) | 10 Gbps | 16 Gbps | 16 Gbps | 20 Gbps | 25 Gbps | 32 Gbps | 40 Gbps |
| IPSec Throughput (2) | 6 Gbps | 8 Gbps | 8 Gbps | 12 Gbps | 15 Gbps | 18 Gbps | 25 Gbps |
| AV Throughput (3) | 3 Gbps | 3.5 Gbps | 3.5 Gbps | 5 Gbps | 7 Gbps | 8 Gbps | 10 Gbps |
| IPS Throughput (4) | 4 Gbps | 5 Gbps | 5 Gbps | 7 Gbps | 12 Gbps | 15 Gbps | 18 Gbps |
| IMIX Throughput (5) | 4 Gbps | 6 Gbps | 6 Gbps | 8 Gbps | 12 Gbps | 16 Gbps | 16 Gbps |
| NGFW Throughput (6) | 3 Gbps | 3.5 Gbps | 3.5 Gbps | 5 Gbps | 7 Gbps | 8 Gbps | 9.5 Gbps |
| Threat Protection Throughput (7) | 2 Gbps | 2.2 Gbps | 2.2 Gbps | 3 Gbps | 4.5 Gbps | 5 Gbps | 6 Gbps |
| New Sessions/s (8) | 170,000 | 200,000 | 200,000 | 300,000 | 400,000 | 500,000 | 600,000 |
| Maximum Concurrent Sessions | 6 Million | 6 Million | 6 Million | 10 Million | 10 Million | 12 Million | 15 Million |
| IPSec Tunnel Number | 10,000 | 20,000 | 20,000 | 20,000 | 20,000 | 20,000 | 20,000 |
| SSL VPN Users (Default/Max) | 8 / 8,000 | 8 / 10,000 | 8 / 10,000 | 8 / 10,000 | 8 / 10,000 | 8 / 10,000 | 8 / 10,000 |
| Virtual Systems (Default/Max) | 1 / 100 | 1 / 250 | 1 / 250 | 1 / 250 | 1 / 250 | 1 / 250 | 1 / 250 |
| Storage Options | 256G / 512G SSD (E5168 / E5168A) | N/A | 256G / 512G SSD (E5268 / E5268A) | 256G / 512G SSD (E5568 / E5568A) | N/A | N/A | N/A |
| Management Ports | 1 x Console Port, 1 x AUX Port, 1 x USB Port, 1 x HA, 1 x MGT | 1 x Console Port, 1 x AUX Port, 1 x USB Port, 1 x HA, 1 x MGT | 1 x Console Port, 1 x AUX Port, 1 x USB Port, 1 x HA, 1 x MGT | 1 x Console Port, 1 x AUX Port, 1 x USB Port, 1 x HA, 1 x MGT | 1 x Console Port, 1 x AUX Port, 1 x USB Port, 1 x HA, 1 x MGT | 1 x Console Port, 1 x AUX Port, 1 x USB Port, 1 x HA, 1 x MGT | 1 x Console Port, 1 x AUX Port, 1 x USB Port, 1 x HA, 1 x MGT |
| Fixed I/O Ports | 4 x GE (one pair bypass), 4 x SFP, 2 x SFP+ | 4 x GE (one pair bypass), 4 x SFP, 2 x SFP+ | 4 x GE (one pair bypass), 4 x SFP, 2 x SFP+ | 4 x GE (one pair bypass), 4 x SFP, 2 x SFP+ | 4 x GE, 4 x SFP | 4 x GE, 4 x SFP | 4 x GE, 4 x SFP |
| Available Slots for Expansion Modules | 4 x Generic Slot | 4 x Generic Slot | 4 x Generic Slot | 4 x Generic Slot | 4 x Generic Slot | 4 x Generic Slot | 4 x Generic Slot |
| Expansion Module Option | IOC-4GE-B-M, IOC-8GE-M, IOC-8SFP-M, IOC-4SFP+, IOC-8SFP+, IOC-2SFP+-Lite | IOC-4GE-B-M, IOC-8GE-M, IOC-8SFP-M, IOC-4SFP+, IOC-8SFP+, IOC-2SFP+-Lite | IOC-4GE-B-M, IOC-8GE-M, IOC-8SFP-M, IOC-4SFP+, IOC-8SFP+, IOC-2SFP+-Lite | IOC-8GE-M, IOC-8SFP-M, IOC-4GE-B-M, IOC-8SFP+, IOC-4SFP+, IOC-2SFP+-Lite | IOC-8GE-M, IOC-8SFP-M, IOC-4GE-B-M, IOC-8SFP+, IOC-4SFP+, IOC-2SFP+-Lite | IOC-8GE-M, IOC-8SFP-M, IOC-4GE-B-M, IOC-8SFP+, IOC-4SFP+, IOC-2SFP+-Lite | IOC-8GE-M, IOC-8SFP-M, IOC-4GE-B-M, IOC-8SFP+, IOC-4SFP+, IOC-2SFP+-Lite |
| Twin-mode HA | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Power Specification | 450W, Dual AC or Dual DC Redundant | 450W, Dual AC or Dual DC Redundant | 450W, Dual AC or Dual DC Redundant | 450W, Dual AC or Dual DC Redundant | 450W, Dual AC or Dual DC Redundant | 450W, Dual AC or Dual DC Redundant | 450W, Dual AC or Dual DC Redundant |
| Power Supply | AC 100-240 V 50/60 Hz; DC -40 ~ -60 V | AC 100-240 V 50/60 Hz; DC -40 ~ -60 V | AC 100-240 V 50/60 Hz; DC -40 ~ -60 V | AC 100-240 V 50/60 Hz; DC -40 ~ -60 V | AC 100-240 V 50/60 Hz; DC -40 ~ -60 V | AC 100-240 V 50/60 Hz; DC -40 ~ -60 V | AC 100-240 V 50/60 Hz; DC -40 ~ -60 V |
| Dimension (W×D×H, mm) | 2U 17.3 × 20.9 × 3.5 in (440 × 530 × 88 mm) | 2U 17.3 × 20.9 × 3.5 in (440 × 530 × 88 mm) | 2U 17.3 × 20.9 × 3.5 in (440 × 530 × 88 mm) | 2U 17.3 × 20.5 × 3.5 in (440 × 520 × 88 mm) | 2U 17.3 × 20.5 × 3.5 in (440 × 520 × 88 mm) | 2U 17.3 × 20.5 × 3.5 in (440 × 520 × 88 mm) | 2U 17.3 × 20.5 × 3.5 in (440 × 520 × 88 mm) |
| Weight | 26.0 lb (11.8 kg) | 26.0 lb (11.8 kg) | 26.0 lb (11.8 kg) | 27.1 lb (12.3 kg) | 27.1 lb (12.3 kg) | 27.1 lb (12.3 kg) | 27.1 lb (12.3 kg) |
| Temperature | 32-104°F (0-40°C) | 32-104°F (0-40°C) | 32-104°F (0-40°C) | 32-104°F (0-40°C) | 32-104°F (0-40°C) | 32-104°F (0-40°C) | 32-104°F (0-40°C) |
| Relative Humidity | 10-95% (no dew) | 10-95% (no dew) | 10-95% (no dew) | 10-95% (no dew) | 10-95% (no dew) | 10-95% (no dew) | 10-95% (no dew) |

Compliance and Certificate: CE, CB, FCC, UL/cUL, ROHS, IEC/EN61000-4-5 Power Surge Protection, ISO 9001:2015, ISO 14001:2015, CVE Compatibility, IPv6 Ready, ICSA Firewalls


Module Options
| Module | IOC-8GE-M | IOC-8SFP-M | IOC-4GE-B-M | IOC-2SFP+-Lite | IOC-8SFP+ | IOC-4SFP+ |
|---|---|---|---|---|---|---|
| Names | 8GE Expansion Module | 8SFP Expansion Module | 4GE Bypass Expansion Module | 2SFP+ Expansion Module | 8SFP+ Expansion Module | 4SFP+ Expansion Module |
| I/O Ports | 8 x GE | 8 x SFP, SFP module not included | 4 x GE Bypass (2 pair bypass ports) | 2 x SFP+, SFP+ module not included | 8 x SFP+, SFP+ module not included | 4 x SFP+, SFP+ module not included |
| Dimension | ½U (Occupies 1 generic slot) | ½U (Occupies 1 generic slot) | ½U (Occupies 1 generic slot) | ½U (Occupies 1 generic slot) | 1U (Occupies 2 generic slots) | 1U (Occupies 2 generic slots) |
| Weight | 1.8 lb (0.8 kg) | 2.0 lb (0.9 kg) | 1.8 lb (0.8 kg) | 0.7 lb (0.3 kg) | 1.5 lb (0.7 kg) | 1.5 lb (0.7 kg) |

NOTES:
(1) FW throughput data is obtained under single-stack UDP traffic with 1518-byte packet size;
(2) IPSec throughput data is obtained under Preshare Key AES256+SHA-1 configuration and 1400-byte packet size;
(3) AV throughput data is obtained under HTTP traffic with file attachment;
(4) IPS throughput data is obtained under bi-direction HTTP traffic detection with all IPS rules being turned on;
(5) IMIX throughput data is obtained under UDP traffic mix (64 byte : 512 byte : 1518 byte =5:7:1);
(6) NGFW throughput data is obtained under 64 Kbytes HTTP traffic with application control and IPS enabled;
(7) Threat protection throughput data is obtained under 64 Kbytes HTTP traffic with application control, IPS, AV and URL filtering enabled;
(8) New sessions/s is obtained under TCP traffic.
Unless specified otherwise, all performance, capacity and functionality are based on StoneOS5.5R8. Results may vary based on StoneOS® version and deployment.

www.HillstoneNet.com
© 2020 Hillstone Networks All Rights Reserved.
Version: EX-08.01-NGFW-5.5R8-1120-EN-01
