StoneOS WebUI User Guide A-12

Hillstone Networks

StoneOS WebUI Guide - A series


Version 5.5R9

TechDocs | docs.hillstonenet.com
Copyright 2021 Hillstone Networks. All rights reserved.
Information in this document is subject to change without notice. The software described in
this document is furnished under a license agreement or nondisclosure agreement. The software
may be used or copied only in accordance with the terms of those agreements. No part of this
publication may be reproduced, stored in a retrieval system, or transmitted in any form or any
means electronic or mechanical, including photocopying and recording for any purpose other
than the purchaser's personal use without the written permission of Hillstone Networks.
Commercial use of the document is forbidden.

Contact Information:
US Headquarters:
Hillstone Networks
5201 Great America Pkwy, #420
Santa Clara, CA 95054
Phone: 1-408-508-6750
https://www.hillstonenet.com/about-us/contact/

About this Guide:


This guide gives you comprehensive configuration instructions of Hillstone Networks StoneOS.
For more information, refer to the documentation site: https://docs.hillstonenet.com.cn
To provide feedback on the documentation, please write to us at: [email protected]
TWNO: TW-WUG-UNI-A-5.5R9-EN-V1.0-9/16/2022
Contents

Contents 1

Welcome 1

Conventions 3

Explorer Compatibility 11

Chapter 1 Getting Started Guide 12

Initial Visit to Web Interface 13

Preparing the StoneOS System 15

Installing Licenses 15

Creating a System Administrator 15

Adding Trust Hosts 19

Upgrading StoneOS Firmware 22

Updating Signature Database 22

Connecting to Internet Under Routing Mode 24

Restoring Factory Settings 32

Restoring using a pin 32

Restoring via WebUI 32

Chapter 2 Deploying Your Device 34

How a Firewall Works 35

StoneOS System Architecture 35

General Rules of Security Policy 37

TOC - 1
Packet Processing Rule 39

Forwarding Rule in Layer 2 39

Forwarding Rule in Layer 3 41

Deploying Transparent Mode 44

Deploying Routing Mode 54

Deploying Mix Mode 63

Deploying Tap Mode 64

Chapter 3 Dashboard 68

Customization 68

Threats 68

Threatscape 69

User 69

Application 70

Total Traffic 70

Physical Interface 70

System and Signature Database 71

System Information 71

Signature DB Information 72

License 72

Specified Period 73

Chapter 4 iCenter 74

Threat 74

Hot Threat Intelligence 79

Viewing Hot Threat Intelligence 82

Chapter 5 Network 84

Security Zone 85

Configuring a Security Zone 85

Interface 89

Configuring an Interface 92

Creating a PPPoE Interface 92

Creating a Tunnel Interface 108

Creating a Virtual Forward Interface 120

Creating a Loopback Interface 128

Creating an Aggregate Interface 132

Creating a Redundant Interface 145

Creating an Ethernet Sub-interface/an Aggregate Sub-interface/a Redundant Sub-interface 148

Creating a VSwitch Interface 154

Editing an Interface 156

Viewing the Interface Status 169

Interface Group 170

Creating an Interface Group 170

LLDP 171

LLDP Work Mode 171

Configuring LLDP 172

Enabling LLDP 172

Modifying LLDP Configuration 174

Viewing MIB Topology 176

Management Interface 178

Configuring a Management Interface 178

VLAN 186

Configuring a VLAN 186

DNS 187

Configuring a DNS Server 187

Configuring a DNS Proxy 188

Configuring a DNS Proxy Rule 188

Enabling/Disabling a DNS Proxy Rule 194

Adjusting DNS Proxy Rule Position 194

DNS Proxy Global Configuration 195

DNS Proxy Hit Analysis 196

Configuring an Analysis 197

Configuring a DNS Cache 198

NBT Cache 200

DHCP 202

Configuring a DHCP Server 202

Configuring a DHCP Relay Proxy 213

Configuring a DHCPv6 Server 213

Configuring a DHCPv6 Relay Proxy 215

DDNS 217

Configuring a DDNS 217

PPPoE 221

Configuring PPPoE 221

Virtual Wire 225

Configuring a Virtual-Wire 226

Configuring the Virtual Wire Mode 226

Virtual Router 228

Creating a Virtual Router 229

Global Configuration 229

Virtual Switch 231

Creating a VSwitch 231

Port Mirroring 234

WLAN 235

Creating a WLAN 235

Advanced Settings 238

3G/4G 241

Configuring 3G/4G Settings 241

Managing Data Card 244

Automatically Verifying the PIN Code 244

Enabling/Disabling the PIN Code Protection 245

Modifying the PIN Code 245

Manually Verifying the PIN Code 246

Unlocking the PIN Code 246

Outbound Link Load Balancing 248

Configuring LLB Profile 248

Configuring LLB Rule 250

Inbound Link Load Balancing 252

Creating a Smart DNS Rule Table 252

Application Layer Gateway (ALG) 255

Enabling ALG 255

Global Network Parameters 258

Configuring Global Network Parameters 258

Configuring Protection Mode 261

Chapter 6 Advanced Routing 263

Destination Route 265

Creating a Destination Route 265

Destination-Interface Route 268

Creating a Destination-Interface Route 268

Source Route 272

Creating a Source Route 272

Source-Interface Route 275

Creating a Source-Interface Route 275

ISP Profile 279

Creating an ISP Profile 279

Deleting a User-defined ISP Profile 281

Upgrading a Pre-defined ISP Profile 281

Uploading a User-defined ISP Profile 282

Saving an ISP Profile 282

ISP Route 283

Creating an ISP Route 283

Policy-based Route 286

Creating a Policy-based Route 286

Creating a Policy-based Route Rule 287

Adjusting Priority of a PBR Rule 294

Applying a Policy-based Route 295

DNS Redirect 296

Configuring the Global Match Order 297

RIP 298

Creating RIP 298

OSPF 303

Creating OSPF 303

Viewing the Neighbor Information 308

Configuring OSPFv3 310

Creating OSPFv3 310

Viewing Neighbor Information 318

Configuring BGP 320

Basic 320

Neighbor List 325

Delete BGP 326

Chapter 7 Authentication 327

Authentication Process 327

Web Authentication 329

Enabling the WebAuth 329

Configuring Basic Parameters for WebAuth 330

Customizing WebAuth Page 338

NTLM Authentication 340

Step 1: Configure NTLM for System 340

Step 2: Configure settings for User Browser 341

Single Sign-On 342

Enabling SSO Radius for SSO 345

Using AD Scripting for SSO 347

Step 1: Configuring the Script for AD Server 347

Step 2: Configuring AD Scripting for StoneOS 350

Radius Snooping 351

Using AD Polling for SSO 353

Using SSO Monitor for SSO 358

Using AD Agent Software for SSO 361

Step 1: Installing and Running AD Security Agent on a PC or Server 362

Step 2: Configuring AD server for StoneOS 366

Using TS Agent for SSO 367

Step 1: Installing and running Hillstone Terminal Service Agent in Windows server 368

Step 2: Configuring TS Agent parameters in StoneOS 380

802.1x 384

Configuring 802.1x 384

Creating 802.1x Profile 385

802.1x Global Configuration 388

Viewing Online Users 389

PKI 391

Creating a PKI Key 392

Creating a Trust Domain 394

Importing/Exporting Trust Domain 397

Importing Trust Certification 398

Online Users 399

Chapter 8 VPN 400

IPSec VPN 401

Basic Concepts 401

Security Association (SA) 401

Encapsulation Modes 401

Establishing SA 402

Using IPSec VPN 403

Configuring an IPSec VPN 404

Configuring an IPSec VPN 404

Configuring a VPN Peer 412

Editing a VPN Peer 418

Deleting a VPN Peer 418

Copying a VPN Peer 418

Configuring a Phase 1 Proposal 419

Configuring a Phase 2 Proposal 423

Editing an IPSec VPN 427

Deleting an IPSec VPN 427

Enabling or Disabling an IPSec VPN 427

Copying an IPSec VPN 428

Viewing IPSec VPN Entry 428

Configuring a Manual Key VPN 429

Viewing Manual Key VPN Entry 433

Viewing IPSec VPN Monitoring Information 435

Configuring PnPVPN 438

PnPVPN Workflow 438

PnPVPN Link Redundancy 439

Configuring a PnPVPN Client 439

Configuring IPSec-XAUTH Address Pool 442

SSL VPN 445

Configuring an SSL VPN 445

Configuring Resource List 464

Configuring an SSL VPN Address Pool 466

Configuring SSL VPN Download Page 470

Host Binding 472

Configuring Host Binding 472

Configuring Host Binding and Unbinding 473

Configuring a Super User 473

Configuring a Shared Host 474

Importing/Exporting Host Binding List 475

Host Compliance Check 477

Role Based Access Control and Host Compliance Check Procedure 478

Configuring a Host Compliance Check Profile 479

SSL VPN Client for Windows 485

Downloading and Installing Secure Connect 485

Starting Secure Connect 486

Starting the Software Based on TLS/SSL Protocol 486

Using Username/Password Authentication 487

Using Username/Password + USB Key Certificate Authentication 490

Using Username/Password + File Certificate Authentication 493

Using USB Key Certificate Only 496

Using File Certificate Only 498

Starting the Software Based on GMSSL Protocol 500

Using Username/Password Authentication 500

Using Username/Password + Digital Certificate Authentication 501

Using Digital Certificate Only Authentication 503

Viewing Secure Connect GUI 506

General 506

Interface 507

Route 508

Viewing Secure Connect Menu 508

Configuring Secure Connect 509

Configuring General Options 509

Configuring a Login Entry 510

SSL VPN Client for Android 512

Downloading and Installing the Client 512

Starting and Logging into the Client 513

GUI 514

Connection Status 514

Configuration Management 515

Adding a Login Entry 515

Editing a Login Entry 516

Deleting a Login Entry 516

Modifying the Login Password 516

Disconnecting the Connection or Logging into the Client 517

Connection Log 517

System Configuration 517

About Us 518

SSL VPN Client for iOS 519

Deploying VPN Configurations 519

Connecting to VPN 520

Introduction to GUI 521

Connection Status 521

Configuration Management 521

Adding a Login Entry 522

Deleting a Login Entry 523

Disconnecting the Connection or Logging into the Client 523

Enabling/ Disabling the Auto Reconnection 523

Connection Log 523

About US 524

SSL VPN Client for macOS 524

Downloading and Installing Client 524

Starting Client and Establishing Connection 525

GUI 526

Toolbar 527

Connection List 528

Connection Information 528

Status Bar 528

Menu 528

SSL VPN Client for Linux 530

Downloading and Installing Client 530

Starting Client and Establishing Connection 532

Upgrading and Uninstalling Client 536

GUI 537

Toolbar 538

Connection List 539

Connection Information 539

Status Bar 539

Menu 540

L2TP VPN 541

Configuring a LNS 541

Configuring an L2TP VPN 541

Configuring an L2TP VPN Address Pool 546

Viewing L2TP VPN Online Users 550

Configuring Device as L2TP Client 551

Configuring a L2TP Client 551

VXLAN 555

Creating VXLAN Static Tunnel 555

GRE VPN 557

Configuring GRE VPN 557

Chapter 9 Object 560

Address 562

Creating an Address Book 562

Viewing Details 565

Searching Address Entries 565

Host Book 567

Creating a Host Book 567

Editing a Host Book 568

Deleting a Host Book 569

Service Book 570

Predefined Service/Service Group 570

User-defined Service 570

User-defined Service Group 570

Configuring a Service Book 571

Configuring a User-defined Service 571

Configuring a User-defined Service Group 577

Viewing Details 578

Searching Service Entries 578

Searching Service Groups 579

Application Book 581

Editing a Predefined Application 581

Creating a User-defined Application 581

Creating a User-defined Application Group 583

Creating an Application Filter Group 584

Creating a Signature Rule 584

Viewing Details 590

SSL Proxy 591

Work Mode 591

Working as the Gateway of Web Clients 593

Configuring SSL Proxy Parameters 594

Specifying the PKI Trust Domain of Device Certificate 594

Obtaining the CN Value 594

Importing Device Certificate to Client Browser 595

Configuring an SSL Proxy Profile 596

Working as the Gateway of Web Servers 604

Configuring an SSL Proxy Profile 604

Binding an SSL Proxy Profile to a Policy Rule 607

Configuring Domain White List 607

Creating a User-defined Domain White List 607

Editing a User-defined Domain White List 608

Deleting a User-defined Domain White List 609

Exporting the Domain White List 609

Configuring the IP Whitelist 609

Configuring Dynamic IP Whitelist 610

Configuring the Validity Time of the Dynamic IP Whitelist 610

Configuring the Dynamic IPs on the Whitelist to be Permanently Valid 611

Configuring Static IP Whitelist 611

Deleting IP Whitelist 612

SLB Server Pool 613

Configuring SLB Server Pool and Track Rule 613

Viewing Details of SLB Pool Entries 617

Schedule 618

Periodic Schedule 618

Absolute Schedule 618

Creating a Schedule 618

AAA Server 621

Configuring a Local AAA Server 621

Configuring Radius Server 629

Configuring Active Directory Server 633

Configuring LDAP Server 642

Configuring TACACS+ Server 647

Connectivity Test 648

Radius Dynamic Authorization 650

User 652

Configuring a Local User 652

Creating a Local User 653

Creating a User Group 657

Export User List 657

Import User List 658

Configuring a LDAP User 660

Synchronizing Users 660

Configuring an Active Directory User 661

Synchronizing Users 661

Configuring a IP-User Binding 661

Adding User Binding 661

Import Binding 663

Export Binding 663

Role 664

Configuring a Role 664

Creating a Role 664

Mapping to a Role Mapping Rule 665

Creating a Role Mapping Rule 666

Creating a Role Combination 667

Track Object 670

Creating a Track Object 670

Track Object List 675

URL Filtering 677

Configuring URL Filtering 677

Cloning a URL filtering Rule 685

Viewing URL Hit Statistics 686

Viewing Web Surfing Records 686

Configuring URL Filtering Objects 686

Predefined URL DB 687

Configuring Predefined URL Database Update Parameters 688

Upgrading Predefined URL Database Online 688

Upgrading Predefined URL Database from Local 688

User-defined URL DB 688

Configuring User-defined URL DB 689

Importing User-defined URL 690

Clearing User-defined URL 690

URL Lookup 691

Inquiring URL Information 691

Configuring URL Lookup Servers 692

Keyword Category 693

Configuring a Keyword Category 694

Warning Page 695

Enabling/ Disabling the Block Warning 695

Enabling/ Disabling the Audit Warning 697

First Access of Uncategorized URL 698

Configuring the URL Blacklist/Whitelist 699

Configuring the URL Blacklist 700

Configuring the URL Whitelist 702

Data Security 704

Configuring Objects 706

Predefined URL DB 707

Configuring Predefined URL Database Update Parameters 707

Upgrading Predefined URL Database Online 708

Upgrading Predefined URL Database from Local 709

User-defined URL DB 709

Configuring User-defined URL DB 709

Importing User-defined URL 710

Clearing User-defined URL 711

URL Lookup 711

Inquiring URL Information 711

Configuring URL Lookup Servers 712

Keyword Category 713

Configuring a Keyword Category 714

Warning Page 715

Enabling/ Disabling the Block Warning 716

Enabling/ Disabling the Audit Warning 717

Bypass Domain 718

Exempt User 719

File Filter 721

Creating File Filter Rule 721

Viewing File Filter Logs 723

Content Filter 724

File Content Filter 725

Configuring File Content Filter 725

Viewing Monitored Results of Keyword Blocking in File Content 729

Viewing Logs of Keyword Blocking in File Content 729

Web Content 730

Configuring Web Content 730

Viewing Monitored Results of Keyword Blocking in Web Content 735

Viewing Logs of Keyword Blocking in Web Content 735

Web Posting 736

Configuring Web Posting 736

Viewing Monitored Results of Keyword Blocking in Web Posts 741

Viewing Logs of Keyword Blocking in Web Posts 741

Email Filter 742

Configuring Email Filter 742

Viewing Monitored Results of Email Keyword Blocking 746

Viewing Logs of Emails Keyword Blocking 746

APP Behavior Control 747

Configuring APP Behavior Control 747

Viewing Logs of APP Behavior Control 753

Network Behavior Record 754

Configuring Network Behavior Recording 754

Viewing Logs of Network Behavior Recording 758

NetFlow 759

Configuring NetFlow 760

Configuring a NetFlow Rule 760

NetFlow Global Configurations 763

End Point Protection 764

Configuring End Point Protection 765

Preparing 765

Configuring End Point Protection Function 765

Configuring End Point Protection Rule 766

Configuring End Point Security Control Center Parameters 771

ACL 773

ACL Profile 773

IoT Policy 777

Configuring IoT Policy 778

Preparations for IoT Policy Configuration 778

Configuring IoT Policy 778

Configuring IoT Profile 778

Configuring Admittance List 781

Creating Admittance List Profile 781

Importing Admittance List 784

Adding to Admittance List 785

Chapter 10 Policy 787

Security Policy 788

Configuring a Security Policy Rule 789

Managing Security Policy Rules 807

Enabling/Disabling a Policy Rule 807

Cloning a Policy Rule 807

Adjusting Security Policy Rule Position 808

Configuring Default Action 808

Schedule Validity Check 810

Showing Disabled Policies 810

Importing Policy Rule 811

Exporting Policy Rule 812

Searching Policy Rule 815

Configuring Policy Audit Function 817

Enabling the Configuration Audit Function 818

Adding the Audit Comment 818

Viewing audit history 819

Configuring an Aggregate Policy 820

Creating an Aggregate Policy 820

Adding an Aggregate Policy Member 822

Removing an Aggregate Policy Member 825

Deleting an Aggregate Policy 826

Adjusting Position of an Aggregate Policy 826

Enabling/Disabling an Aggregate Policy 828

Configuring a Policy Group 829

Creating a Policy Group 829

Deleting a Policy Group 831

Enabling/Disabling a Policy Group 831

Adding/Deleting a Policy Rule Member 831

Editing a Policy Group 832

Showing Disabled Policy Group 832

Mini Policy 833

Configuring a Mini Policy 833

Creating a Mini Policy 834

Deleting a Mini Policy 836

Editing a Mini Policy 837

Enabling/Disabling a Mini Policy 837

Viewing and Searching Security Policy Rules/ Policy Groups/ Mini Policy 837

Viewing the Policy/ Policy Group/ Mini Policy 837

Searching Security Policy Rules/ Policy Groups/ Mini Policy 839

Policy Optimization 841

Policy Hit Analysis 841

Rule Redundancy Check 843

Configuring the Policy Assistant 844

Enabling the Policy Assistant 844

Displaying Traffic 845

Replacing Policy 847

Application Scenario Example 847

Configuring Replacement Conditions 847

Aggregating Policy 849

Generating Address book 850

Generating Service Book 851

Generating Policy 853

User Online Notification 855

Configuring User Online Notification 856

Configuring the Parameters of User Online Notification 856

Viewing Online Users 857

iQoS 858

Implement Mechanism 858

Pipes and Traffic Control Levels 859

Pipes 859

Traffic Control Levels 862

Enabling iQoS 864

Pipes 866

Basic Operations 866

Configuring a Pipe 867

Searching QoS Policy 880

Viewing Statistics of Pipe Monitor 880

NAT 881

Basic Translation Process of NAT 881

Implementing NAT 882

Configuring SNAT 883

Enabling/Disabling a SNAT rule 891

Viewing and Searching SNAT Rules 891

Adjusting Priority 892

Copying/Pasting a SNAT rule 893

Importing SNAT rule 894

Exporting SNAT rule 895

Exporting NAT444 Static Mapping Entries 896

Hit Count 897

Clearing NAT Hit Count 897

Hit Count Check 897

Configuring DNAT 899

Configuring an IP Mapping Rule 899

Configuring a Port Mapping Rule 901

Configuring an Advanced NAT Rule 904

Enabling/Disabling a DNAT Rule 910

Viewing and Searching DNAT Rules 911

Copying/Pasting a DNAT Rule 912

Adjusting Priority 912

Importing DNAT rule 913

Exporting DNAT rule 914

Hit Count 916

Clearing NAT Hit Count 916

Hit Count Check 916

SLB Server 918

Viewing SLB Server Status 918

Viewing SLB Server Pool Status 918

Session Limit 920

Configuring a Session Limit Rule 920

Clearing Statistic Information 924

Traffic Quota 925

Configuring the Traffic Quota Rule 926

Configuring the User/ User Group Traffic Quota Rule 926

Adjusting Traffic Quota Rule Priority 927

Configuring the Traffic Quota Profile 928

Configuring the Traffic Quota Zone 929

Share Access 930

Configuring Share Access Rules 930

ARP Defense 934

Configuring ARP Defense 936

Configuring Binding Settings 936

Adding a Static IP-MAC-Port Binding 936

Obtaining a Dynamic IP-MAC-Port Bindings 937

Bind the IP-MAC-Port Binding Item 939

Importing/Exporting Binding Information 940

Configuring Authenticated ARP 940

Configuring ARP Inspection 941

Configuring DHCP Snooping 943

Viewing DHCP Snooping List 946

Configuring Host Defense 947

Chapter 11 Threat Prevention 949

Threat Protection Signature Database 950

Anti-Virus 952

Configuring Anti-Virus 953

Preparing 953

Configuring Anti-Virus Function 953

Configuring an Anti-Virus Rule 955

Cloning an Anti-Virus Rule 958

Configuring Anti-Virus Global Parameters 958

Enabling / Disabling the Anti-Virus function 958

Configuring the Decompression Control Function 959

Intrusion Prevention System 962

Signatures 962

Configuring IPS 964

Preparation 964

Configuring IPS Function 964

Configuring an IPS Rule 967

Cloning an IPS Rule 999

IPS Global Configuration 1000

Signature List 1002

Searching Signatures 1002

Managing Signatures 1003

Configuring IPS White list 1007

Sandbox 1009

Configuring Sandbox 1010

Preparation 1010

Configuring Sandbox 1011

Configuring a Sandbox Rule 1012

Threat List 1017

Trust List 1017

Sandbox Global Configurations 1018

Attack-Defense 1021

ICMP Flood and UDP Flood 1021

ARP Spoofing 1021

SYN Flood 1021

WinNuke Attack 1022

IP Address Spoofing 1022

IP Address Sweep and Port Scan 1022

Ping of Death Attack 1022

Teardrop Attack 1023

Smurf Attack 1023

Fraggle Attack 1023

Land Attack 1023

IP Fragment Attack 1023

IP Option Attack 1024

Huge ICMP Packet Attack 1024

TCP Flag Attack 1024

DNS Query Flood Attack 1024

DNS Reply Flood Attack 1024

TCP Split Handshake Attack 1024

Configuring Attack Defense 1026

Perimeter Traffic Filtering 1042

Configuring IP Blacklist 1043

Static IP Blacklist 1043

Redundancy Check 1044

Blacklist Library Rule 1045

Blacklist Library Details 1046

Dynamic IP Blacklist 1048

Hit Statistics 1050

Service Blacklist 1050

MAC Blacklist 1052

IP Reputation Filtering 1053

White List 1055

Global Search 1056

Configuration 1056

Antispam 1057

Configuring Antispam 1058

Preparing 1058

Configuring Antispam Function 1058

Configuring an Antispam Rule 1059

Configuring an Anti-Spam User-defined Blacklist 1062

Antispam Global Configuration 1065

Botnet Prevention 1066

DGA Detection 1066

DNS Tunnel Detection 1066

Configuring Botnet Prevention 1068

Preparing 1068

Configuring Botnet Prevention Function 1068

Configuring a Botnet Prevention Rule 1069

Address Library 1072

Configuring the Exclude List 1072

Configuring the Block List 1073

Botnet Prevention Global Configuration 1076

Chapter 12 Monitor 1077

Monitor 1078

User Monitor 1079

Summary 1079

User Details 1080

Address Book Details 1081

Monitor Address Book 1081

Statistical Period 1082

Application Monitor 1084

Summary 1084

Application Details 1085

Group Details 1086

Select Application Group 1087

Statistical Period 1089

Cloud Application Monitor 1090

Summary 1090

Cloud Application Details 1091

Statistical Period 1092

Share Access Monitor 1093

End Point Monitor 1094

iQoS Monitor 1095

Device Monitor 1096

Summary 1096

Statistical Period 1099

Detailed Information 1099

Online IP 1101

URL Hit 1102

Summary 1102

User/IP 1102

URL 1104

URL Category 1104

Statistical Period 1105

Link Status Monitor 1107

Link User Experience 1107

Statistical Period 1108

Link Detection 1108

Link Configuration 1109

Detection Destination 1111

IoT Monitor 1113

Summary 1113

Details 1113

User Quota Monitor 1115

Application Block 1117

Summary 1117

Application 1117

User/IP 1118

Statistical Period 1119

Keyword Block 1120

Summary 1120

File Content 1121

Web Content 1121

Email Content 1122

Web Posting 1122

User/IP 1122

Statistical Period 1123

Authentication User 1124

User-defined Monitor 1125

Creating a User-defined Stat-set 1141

Viewing User-defined Monitor Statistics 1142

Reporting 1144

Report File 1145

Report Template 1147

Creating a User-defined Template 1147

Editing a User-defined Template 1151

Deleting a User-defined Template 1152

Cloning a Report Template 1152

Report Task 1153

Creating a Report Task 1153

Editing the Report Task 1161

Deleting the Report Task 1162

Enabling/Disabling the Report Task 1162

Logging 1163

Log Severity 1164

Destination of Exported Logs 1165

Log Format 1165

Event Log 1166

Network Log 1167

Configuration Log 1168

Share Access Logs 1168

Threat Log 1169

Session Log 1170

PBR Log 1170

NAT Log 1172

URL Log 1173

EPP Log 1174

IoT Log 1175

File Filter Log 1176

Content Filter Log 1177

Network Behavior Record Log 1178

CloudSandBox Log 1178

Log Configuration 1179

Creating a Log Server 1179

Configuring Sending Source Port Number 1181

Configuring Log Encoding 1182

Adding Email Address to Receive Logs 1183

Specifying a Unix Server 1183

Specifying a Mobile Phone 1184

Managing Logs 1185

Configuring Logs 1185

Option Descriptions of Various Log Types 1185

Chapter 13 Diagnostic Tool 1200

Packet Path Detection 1201

Configuring Packet Path Detection 1201

Emulation Detection 1201

Online Detection 1204

Imported Detection 1207

Detected Sources 1210

Packet Capture Tool 1211

Configuring Packet Capture Tools 1211

Create a Packet Capture Rule 1213

Packet Capture Global Configuration 1215

Test Tools 1217

DNS Query 1217

Ping 1217

Traceroute 1217

Chapter 14 High Availability 1219

Basic Concepts 1220

HA Cluster 1220

HA Group 1221

HA Node 1221

Virtual Forward Interface and MAC 1221

HA Selection 1221

HA Synchronization 1221

Configuring HA 1223

HA Interface Traffic Monitor 1231

Viewing the HA Status of the Device 1233

Chapter 15 System Management 1234

System Information 1235

Viewing System Information 1235

Device Management 1238

Administrators 1238

VSYS Administrator 1240

Creating an Administrator Account 1242

Changing the Password for Admin Users 1246

Configuring Login Options for the Default Administrator 1247

Enabling Telnet/HTTP Login Type for the Default Administrator 1247

Admin Roles 1248

Trusted Host 1250

Creating a Trusted Host 1251

Management Interface 1254

System Time 1257

Configuring the System Time Manually 1257

Configuring NTP 1258

NTP Key 1259

Creating a NTP Key 1259

Option 1260

Rebooting the System 1264

System Debug 1265

Failure Feedback 1265

System Debug Information 1265

Application Layer Security Bypass 1265

Configuration Audit 1266

Storage Management 1266

Password Reset Management 1268

Configuration File Management 1271

Managing Configuration File 1271

Viewing the Current Configuration 1273

Importing/Exporting the Configuration of All VSYS 1273

Warning Page Management 1275

Page Management 1275

Uploading the Picture 1275

Editing the Picture 1276

Deleting the Picture 1276

Page Management 1276

Extended Services 1280

Connecting to HSM 1281

HSM Deployment Scenarios 1281

Connecting to HSM 1282

Connecting to Hillstone Cloud Service Platform 1283

Connecting to Hillstone Cloud Service Platform 1284

SNMP 1288

SNMP Agent 1288

SNMP Host 1290

Trap Host 1292

V3 User Group 1293

V3 User 1296

SNMP Server 1299

Creating an SNMP Server 1299

NETCONF 1300

Configuring the NETCONF Agent 1302

Configuring NETCONF Candidate 1302

Configuring NETCONF Timeout 1303

Upgrading System 1304

Upgrading Firmware 1304

Updating Signature Database 1306

Updating Trusted Root Certificate Database 1308

License 1311

Applying for a License 1319

Installing a License 1320

Mail Server 1321

Creating a Mail Server 1321

SMS Parameters 1324

SMS Modem 1324

Configuring SMS Parameters 1324

Testing SMS 1325

SMS Gateway 1325

Configuring SMS Gateway 1325

Testing SMS 1330

VSYS (Virtual System) 1332

VSYS Objects 1332

Root VSYS and Non-root VSYS 1333

Creating Non-root VSYS 1334

Configuring VSYS Quota 1335

Entering the VSYS 1344

The Maximum Concurrent Sessions 1346

Welcome
Thanks for choosing Hillstone products!
This part introduces how to get the user guides for Hillstone products.
Getting Started Guide:

l Getting Started Guide (Download PDF)

Cookbook (recipes):

l StoneOS 5.5 Cookbook (Download PDF)

OS Operation Guides:

l StoneOS Command Line Interface User Guide (Download PDF)

l StoneOS WebUI User Guide (Download PDF)

l StoneOS Log Messages Reference Guide (Download PDF)

l StoneOS SNMP Private MIB Reference Guide (Download PDF)

l StoneOS Addendum Book for P Releases (Download PDF)

Hardware Installation Guides:

l Hardware Reference Guide of all series platforms (Download PDF)

l Expansion Modules Reference Guide of all modules (Download PDF)

Other Support Links:

l Website: https://www.hillstonenet.com

l Download Documentation: https://docs.hillstonenet.com

l Technical Support: 1-800-889-9860

Welcome 1
Conventions
Knowing how to operate the common WebUI controls lets you complete the configuration of most
functions.
Note: All the configurations should be in UTF-8 code if not particularly indicated.
The common controls and the effects of operating them are as follows:

l Switching between function categories: Select the tab (at the top of the page).

l Switching between functions: Click the specific function node in the level-2 navigation pane.
l Open the function list: Click in the level-2 navigation pane;
Close the function list: Click in the level-2 navigation pane.

l Viewing the specified columns: Click the icon, click "Column" in the drop-down list, and select the
columns to show. The system supports a list-status memory function: when you log in to the device,
the list is displayed with the status you configured last time.

l To lock a column: Click the icon, then click "Lock" in the drop-down list. The locked column is
always shown at the right of the list.

l To unlock the list: Click icon, click "Unlock".

l To restore the initial state of the list: double-click the list header and click "OK" in the dialog
box.

l To restore the initial state of all the lists: Click the button next to the user name in the top
right corner of the page and click "OK" in the dialog box.

l To view the specified items by setting up filters: click the button, select a filter condition
from the Filter drop-down list, and then set the condition as needed. To delete a filter
condition, hover your mouse over that condition and then click the icon. To delete all filter
conditions, click the icon on the right side of the row.

l To create an item, click New.

l To edit an item, select the check box and click Edit.

l To delete items, select the check boxes and click Delete.

l To copy an item, select the check box and click Copy.

l To paste an item, select the check box and click Paste.

l To display the hidden controls, click the icon.

l To update the data displayed on the current page, click refresh.

l To search by one condition, click Filter. In the pop-up line, click +Filter to add a new
filter condition. Then select a filter condition from the drop-down menu and enter a value,
and press Enter to start searching.

l To search by multiple conditions, click to add another filter condition. Then select a filter
condition from the drop-down menu and enter a value, and press Enter to start searching.

l To close the dialog, click 'X' at the top right corner of dialog.

l To save the current configuration, click OK.

l To cancel the current operation, click Cancel.

10 Conventions
l Click Apply, the modification will be took effect.

l Click next page buttons to jump to previous page , next page , dashboard or last page. Enter
the page number, jump to the corresponding page.

Explorer Compatibility
The following browsers have passed compatibility tests:

l IE11

l Chrome

Conventions 11
Chapter 1 Getting Started Guide
This guide helps you go through the initial configuration and the basic set-up of your Hillstone
device. The intended reader is your company's network administrator.
This guide is used when you have finished mounting your device. After following the steps in this
guide, your private network will be able to access the Internet. To set up security functions, you
will need to read the User Guide (WebUI User Guide or CLI User Guide).
You may configure your firewall in the following sequence:

1. "Initial Visit to Web Interface" on Page 13

2. "Preparing the StoneOS System" on Page 15, including:

   • "Installing Licenses" on Page 15

   • "Creating a System Administrator" on Page 15

   • "Adding Trust Hosts" on Page 19

   • "Upgrading StoneOS Firmware" on Page 22

   • "Updating Signature Database" on Page 22

3. "Connecting to Internet Under Routing Mode" on Page 24

4. "Restoring Factory Settings" on Page 32



Initial Visit to Web Interface
Interface eth0/0 is configured with the IP address 192.168.1.1/24 by default and is open to the SSH, PING, SNMP and HTTP connection types (except for some custom versions). For the initial visit, use this interface.
To visit the web interface for the first time, take the following steps:

1. Go to your computer's Ethernet properties and set the IPv4 protocol as below.

2. Connect an RJ-45 Ethernet cable from your computer to the eth0/0 of the device.

3. In your browser's address bar, type "https://192.168.1.1" and press Enter.

4. In the login interface, type the default username and password: hillstone/hillstone.

5. At the first sign-in, you need to read and accept the EULA (end-user license agreement); click EULA to view the details of the EULA.

6. Click Login, follow the prompts to change the default password, and then log in again with the new password.



Preparing the StoneOS System

Installing Licenses
Licenses control features and performance.
Before installing any license, you must purchase a license code.
To install a license, take the following steps:

1. Go to System > License.

2. Click Import to open the Import License page. Choose one of the three ways to import a license:

   • Upload License File: Select the radio button, click Browse, and select the license file (a .txt file).

   • Manual Input: Select the radio button, and paste the license code into the text box.

3. Click OK.

4. To make the license take effect, reboot the system. Go to System > Device Management > Options, and click Reboot.

Creating a System Administrator

A system administrator has the authority to read, write and execute all features in the system.
To create a system administrator, take the following steps:

1. Go to System > Device Management > Administrator.

2. Click New.
   Configure the following options.

   Option Description

   Name: Type a name for the system administrator account.

   Role: From the Role drop-down list, select a role for the administrator account. Different roles have different privileges.
     • Administrator: Permission for reading, executing and writing. This role has the authority over all features.
     • Operator: This role has the authority over all features except modifying the Administrator's configurations, and has no permission to check the log information.
     • Auditor: You can only operate on the log information, including viewing, exporting and clearing it.
     • Administrator-read-only: Permission for reading and executing. You can view the current or historical configuration information.

   Authentication Type: Select the authentication type, including:
     • Local Authentication: When an administrator accesses StoneOS, the administrator is authenticated based on the administrator information (including the account and password) configured in StoneOS.
     • Server Authentication: When an administrator accesses StoneOS, the administrator is authenticated based on the administrator information (including the account and password) configured on the authentication server.

   Authentication Server: If Authentication Type is set to Server Authentication, you need to select an authentication server from the drop-down list or click the button to create an authentication server. For details, see AAA Server. The following servers are supported:
     • Radius Server
     • Active Directory Server
     • LDAP Server
     • TACACS+ Server

   Retry Local: After this function is enabled, local password verification will be performed if the server is unreachable. If the server returns a password error, this function is invalid. By default, the function is disabled.

   Password: Type a login password for the admin into the Password box. The password should meet the requirements of the Password Strategy.

   Confirm Password: Re-type the password into the Confirm Password box.

   Login Type: Select the access method(s) for the admin, including Console, Telnet, SSH, HTTP, HTTPS and NETCONF. If you need all access methods, select Select All.

   Description: Enter descriptions for the administrator account.

3. Click OK.

Notes: The system has a default administrator "hillstone". You can modify the settings of hillstone.

Adding Trust Hosts

The trust host is the administrator's host. Only computers included in the trusted hosts can manage the system.
To add a trust host, take the following steps:

1. Select System > Device Management > Trusted Host.

2. Click New.

3. In the Trusted Host Configuration dialog box, configure the following options.

   Option Description

   When the system is the IPv4 version, configure the following options:

   Match Address Type: Select the address type to match the trusted host.
     • When "IPv4" is selected, you need to specify the IP range, and only the hosts in the IP range can be the trusted hosts.
     • When "IPv4&MAC" is selected, you need to specify the IP range or MAC address/range, and only the hosts in the specified IP range and MAC range can be the trusted hosts.

   IP Type: Specify the IP range of the trusted hosts:
     • IP/Netmask: Type the IP address and netmask of the trusted hosts.
     • IP Range: Type the start IP and end IP of the trusted hosts.

   MAC Type: Specify the MAC address or MAC range of the trusted hosts:
     • MAC Address: Type the MAC address of the trusted hosts.
     • MAC Range: Type the start MAC address and end MAC address of the trusted hosts.

   Login Type: Select the access methods for the trusted host, including "Telnet", "SSH", "HTTP", "HTTPS" and "NETCONF".

   When the system is the IPv6 version, configure the following options:

   Type: Select the address type to match the trusted host: "IPv4" or "IPv6".

   Host Type: Configure the IPv6 trusted host or the IPv4 trusted host.
     • If the user chooses the "IPv4" type, specify the IP address or the IP range of the IPv4 trusted host:
       • IP/Netmask: Type the IP address and netmask of the trusted hosts.
       • IP Range: Type the start IP and end IP of the trusted hosts.
     • If the user chooses the "IPv6" type, specify the IPv6 address or the IPv6 range of the IPv6 trusted host:
       • IPv6/Prefix: Type the IPv6 address and prefix of the trusted hosts.
       • IPv6 Range: Type the start IPv6 address and end IPv6 address of the trusted hosts.

   MAC Type: Click the Enable button to use the MAC address or the MAC range to match the trusted host. By default, this button is disabled.

   MAC Address: Specify the MAC address or the MAC range of the trusted host.
     • MAC address: Type the MAC address of the trusted hosts.
     • MAC range: Type the start MAC address and end MAC address of the trusted hosts.

   Login Type: Select the access methods for the trusted host, including "Telnet", "SSH", "HTTP", "HTTPS" and "NETCONF".

4. Click OK.
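The trusted-host matching described in the table above, as an added Python example that is not part of this guide or of StoneOS: it models one entry as an IP/Netmask (or IPv6/Prefix), an IP range, an optional MAC address/range and a set of login types, evaluates a management client against a list of entries, and shows why an IPv4&MAC entry cannot admit a client whose MAC is unknown. The class and function names, the sample entries, and the assumption that an empty entry list imposes no restriction are this example's own.

```python
"""Model of StoneOS trusted-host matching (an added example, not Hillstone code).

A trusted-host entry limits which management clients may reach the device. As the
guide describes, an entry matches on an IP/Netmask (or IPv6/Prefix), an IP range,
optionally a MAC address or MAC range, and a set of login types. The class and
function names below are assumptions for this illustration; how StoneOS itself
stores or evaluates entries is not documented here.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff into an integer."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(digits, 16)


@dataclass
class TrustedHost:
    """One trusted-host entry. Every criterion that is set must match (logical AND)."""
    network: Optional[IPNetwork] = None                        # IP/Netmask or IPv6/Prefix
    ip_range: Optional[Tuple[IPAddress, IPAddress]] = None     # IP Range, inclusive
    mac_range: Optional[Tuple[int, int]] = None                # MAC Address/Range, inclusive
    login_types: Set[str] = field(default_factory=lambda: {"SSH", "HTTPS"})

    def matches(self, ip: str, mac: Optional[str], login_type: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if login_type.upper() not in self.login_types:
            return False
        # ipaddress already treats a v4 address as outside any v6 network and vice versa.
        if self.network is not None and addr not in self.network:
            return False
        if self.ip_range is not None:
            low, high = self.ip_range
            # Addresses of different IP versions are not comparable: treat that as a miss.
            if addr.version != low.version or not (low <= addr <= high):
                return False
        if self.mac_range is not None:
            # An IPv4&MAC entry cannot match a client whose MAC is unknown (e.g. routed traffic).
            if mac is None or not (self.mac_range[0] <= mac_to_int(mac) <= self.mac_range[1]):
                return False
        return True


def ip_netmask(ip: str, netmask: str) -> IPNetwork:
    """Build the 'IP/Netmask' form; strict=False accepts a host address with its mask."""
    return ipaddress.ip_network(f"{ip}/{netmask}", strict=False)


def ip_range(start: str, end: str) -> Tuple[IPAddress, IPAddress]:
    return ipaddress.ip_address(start), ipaddress.ip_address(end)


def mac_range(start: str, end: str) -> Tuple[int, int]:
    return mac_to_int(start), mac_to_int(end)


def management_allowed(entries: List[TrustedHost], ip: str, mac: Optional[str],
                       login_type: str) -> bool:
    """Admit a management connection only if at least one trusted-host entry matches.

    Assumption for this model: with no entries configured there is no host restriction.
    """
    if not entries:
        return True
    return any(entry.matches(ip, mac, login_type) for entry in entries)


def demo_entries() -> List[TrustedHost]:
    """Constructed sample entries (private and documentation addresses, not real hosts)."""
    return [
        # IPv4 type: the whole admin subnet, HTTPS and SSH only.
        TrustedHost(network=ip_netmask("192.168.1.0", "255.255.255.0"),
                    login_types={"HTTPS", "SSH"}),
        # IPv4&MAC type: a small jump-host range pinned to a MAC range, SSH only.
        TrustedHost(ip_range=ip_range("10.0.0.10", "10.0.0.20"),
                    mac_range=mac_range("00:11:22:33:44:00", "00:11:22:33:44:ff"),
                    login_types={"SSH"}),
        # IPv6 type: IPv6/Prefix, HTTPS only.
        TrustedHost(network=ipaddress.ip_network("2001:db8::/64"), login_types={"HTTPS"}),
    ]


if __name__ == "__main__":
    entries = demo_entries()
    for client in [("192.168.1.50", None, "HTTPS"), ("192.168.1.50", None, "Telnet"),
                   ("10.0.0.15", "00:11:22:33:44:aa", "SSH"),
                   ("10.0.0.15", "00:11:22:33:45:aa", "SSH"),
                   ("2001:db8::1", None, "HTTPS"), ("2001:db8:1::1", None, "HTTPS")]:
        print(client, "->", "allowed" if management_allowed(entries, *client) else "rejected")
```

The login-type check is deliberately evaluated first: a host that is trusted for SSH is still rejected for Telnet, which mirrors the per-entry Login Type selection in the dialog.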

Upgrading StoneOS Firmware

Notes: Back up your configuration files before upgrading your system.

To upgrade your system firmware, take the following steps:

1. Go to System > Upgrade Management.

2. Select Browse and choose the new image from your local computer.

3. Click Reboot to make new firmware take effect, then click Apply.

4. System will automatically reboot when it finishes installing the new firmware.

Updating Signature Database


Features that require constant signature updates are license controlled. You must purchase the license in order to be able to update the signature libraries. By default, the system will automatically update the databases daily.
To update a database, take the following steps:

1. Go to System > Upgrade Management, and click the <Signature Database Update> tab.

2. Find your intended database, and choose one of the following two ways to upgrade.

   • Remote Update: Click Update, and the system will automatically update the database.

   • Local Update: Select Browse to open the file explorer, and select your local signature file to import it into the system.



Connecting to Internet Under Routing Mode
In routing mode, the device works as a gateway and router between two networks. This section shows how to connect and configure a new Hillstone device in routing mode to securely connect the private network to the Internet.

To give your private network access to the Internet through a Hillstone device, take the following steps:
Step 1: Connecting to the device

1. Connect one port (e.g. eth0/1) of the Hillstone device to your ISP network. In this way, "eth0/1" is in the untrust zone.

2. Connect your internal network to another Ethernet interface (e.g. eth0/0) of the device. This means "eth0/0" is connected to the trust zone.

3. Power on the Hillstone device and your PCs.

4. If one of the internal interfaces has already been configured with an IP address, use a browser to visit that address from one of your internal PCs.
   If it is a new device, use the methods in "Initial Visit to Web Interface" on Page 13 to visit.

5. Enter "hillstone" for both the username and the password.

Step 2: Configuring interfaces

1. Go to Network > Interface.

2. Double-click ethernet0/1.
   In the Ethernet Interface dialog box, enter the following values:

   Option Value
   Binding Zone: L3-zone
   Zone: untrust
   Type: Static IP
   IP Address: 202.10.1.2 (public IP address provided by your ISP)
   Netmask: 255.255.255.0
   Management: Select the protocols that you want to use to access the device.

3. Click OK.

Step 3: Creating a NAT rule to translate internal IP to public IP

1. Go to Policy > NAT > SNAT.

2. Click New.
   In the SNAT Configuration dialog box, enter the following values:

   Option Value
   Source Address: Address Entry, Any
   Destination Address: Address Entry, Any
   Egress: Egress interface, ethernet0/1
   Translated: Egress IP
   Sticky: Enable

3. Click OK.

Step 4: Creating a security policy to allow internal users to access the Internet

1. Go to Policy > Security Policy > Policy.

2. Click New, and select Policy from the drop-down list.
   In the Policy Configuration dialog box, enter the following values:

   Source Information
   Zone: trust
   Address: Any

   Destination Information
   Zone: untrust
   Address: Any

   Other Information
   Service/Service Group: Any
   APP/APP Group: -----
   Action: Permit

3. Click OK.

Step 5: Configuring a default route

1. Go to Network > Routing > Destination Route.

2. Click New.
   In the Destination Route Configuration dialog box, enter the following values:

   Option Value
   Destination: 0.0.0.0 (means all networks)
   Subnet Mask: 0.0.0.0 (means all subnets)
   Gateway: 202.10.1.1 (gateway provided by your ISP)

3. Click OK.



Restoring Factory Settings

Notes: Resetting your device will erase all configurations, including the settings that have been saved. Please be cautious!

To restore the factory default settings, use one of the following ways:

• "Restoring using a pin" on Page 32

• "Restoring via WebUI" on Page 32

Restoring using a pin

To restore factory default settings using a pin, take the following steps:

Model: SG-6000-A3800, SG-6000-A3700, SG-6000-A3600, SG-6000-A3000, SG-6000-A2600, SG-6000-A2000, SG-6000-A1100, SG-6000-A1000

Steps:

1. When the device is working, use a pin to press the CLR button in the pinhole and the device will restart.

2. After the device restarts, the CON port outputs the information that the CLR button was pressed and the STA and ALM LEDs turn solid red. After the LEDs turn off, the device will restart again.

Restoring via WebUI

To restore factory default settings via WebUI, take the following steps:

1. Go to System > Configuration File Management > Configuration File List.

2. Click Backup Restore.

3. In the prompt, click Restore.

4. Click OK to confirm.

5. The device will automatically reboot and be back to factory settings.



Chapter 2 Deploying Your Device
This chapter introduces how a firewall works and its most commonly used scenarios. Understanding the system structure, basic elements and flow chart will help you better organize your network and make the most of the firewall product.

• "How a Firewall Works" on Page 35

A firewall has more than one deployment scenario. Each scenario applies to one environment requirement. The usual deployment modes are:

• "Deploying Transparent Mode" on Page 44

  Transparent mode is used when the IT administrator does not wish to change his/her existing network settings. In transparent mode, the firewall is invisible to the network. Because no IP address configuration is needed, the firewall only provides security features.

• "Deploying Routing Mode" on Page 54

  Routing mode applies when the firewall offers both routing and NAT functions. In routing mode, the firewall typically connects two networks, an internal network and the Internet, and the firewall interfaces are configured with IP addresses.

• "Deploying Mix Mode" on Page 63

  If a firewall has Layer-2 interfaces and Layer-3 interfaces, it is in mix mode.

• "Deploying Tap Mode" on Page 64

  When an IT administrator only wants the monitoring, IPS or statistics functions of a firewall rather than a gateway device, tap mode is the right choice. In tap mode, the firewall is not directly connected within the network.



How a Firewall Works
A firewall is a network security device. It protects a network by controlling the traffic that comes in and out of that network. The basic mechanism of a firewall is to allow or deny a data packet by identifying whether it matches the policy rules. Besides security functions, a firewall can also work as a bridging device to connect a trust zone (internal network) and an untrust zone (external network).

StoneOS System Architecture


The elements that constitute the StoneOS system architecture are:

• Zone: Zones divide the network into multiple segments, for example, trust (usually refers to the trusted segments such as the intranet) and untrust (usually refers to the untrusted segments where security threats exist).

• Interface: An interface is the inlet and outlet for traffic going through security zones. An interface must be bound to a security zone so that traffic can flow into and from the security zone. Furthermore, for a Layer 3 security zone, an IP address should be configured for the interface and the corresponding policy rules should also be configured to allow traffic transmission between different security zones. Multiple interfaces can be bound to one security zone, but one interface cannot be bound to multiple security zones.

• VSwitch: VSwitch is short for Virtual Switch. A VSwitch functions as a switch in Layer 2. After binding a Layer 2 zone to a VSwitch, all the interfaces in the zone are also bound to the VSwitch. There is a default VSwitch named VSwitch1. By default, all Layer 2 zones will be bound to VSwitch1. You can create new VSwitches and bind Layer 2 zones to them. Each VSwitch is a Layer 2 forwarding zone with its own MAC address table, which supports the Layer 2 traffic transmission for the device. Furthermore, the VSwitchIF helps the traffic flow between Layer 2 and Layer 3.

• VRouter: VRouter is Virtual Router, also abbreviated as VR. A VRouter functions as a router with its own routing table. There is a default VR named trust-vr. By default, all the Layer 3 zones will be bound to trust-vr automatically. The system supports the multi-VR function, and the maximum VR number varies between platforms. Multiple VRs make the device work as multiple virtual routers, and each virtual router uses and maintains its own routing table. The multi-VR function allows a device to achieve address isolation in different route zones and address overlapping in different VRs, as well as avoiding route leakage to some extent and enhancing the route security of the network.

• Policy: Policy is used to control the traffic flow in security zones/segments. By default, Hillstone devices will deny all traffic in security zones/segments, while the policy identifies which flows in security zones or segments will be permitted and which will be denied, based specifically on policy rules.

For the relationships among interface, security zone, VSwitch and VRouter, see the following diagram:

As shown above, the binding relationships among them are:

• Interfaces are bound to security zones. Interfaces bound to Layer 2 security zones and Layer 3 security zones are known as Layer 2 interfaces and Layer 3 interfaces respectively. One interface can only be bound to one security zone; an interface and its sub-interface can belong to different security zones.

• Security zones are bound to a VSwitch or VRouter. Layer 2 security zones are bound to a VSwitch (by default the predefined Layer 2 security zone is bound to the default VSwitch1), and Layer 3 security zones are bound to a VRouter (by default the predefined Layer 3 security zone is bound to the default trust-vr), thus realizing the binding between the interfaces and the VSwitch or VR. One security zone can only be bound to one VSwitch or VR.

General Rules of Security Policy


By default, all interfaces, even in the same zone, cannot communicate. Traffic between different zones is not allowed to be transferred either. To change this rule, you need to set up new policy rules to allow traffic forwarding.

Notes: To allow bidirectional traffic, you need to set up two policies: one from source to destination, the other from destination to source. If access is initiated in only one direction and the other side only needs to respond to that visit, you need to create only a one-way policy (from source to destination).

This part explains what policy is needed to allow interfaces in different zones, VSwitches, or VRouters to communicate. The rules are:

• Interfaces in the same zone

  To allow interfaces in the same zone to communicate, you need to create a policy whose source and destination are both the zone the interfaces belong to.
  For example, to allow eth0/0 and eth0/1 to communicate, you need to create an "allowing" policy with source L3-zone and destination L3-zone.

• Zones of two interfaces are under the same VSwitch

  To allow communication between interfaces in different zones under the same VSwitch, you need to create two policies: one policy allows traffic from one zone to the other; the other policy allows traffic in the opposite direction.
  For example, to allow eth0/2 and eth0/3 to communicate, you should create a policy whose source is L2-zone1 and destination is L2-zone2, then create another policy to allow traffic from L2-zone2 to L2-zone1.

• Zones of two interfaces are under different VSwitches

  Each VSwitch has its VSwitch interface (VSwitchIF), which is bound to a Layer-3 zone. To allow interfaces in different zones under different VSwitches to communicate, you need to create an "allowing" policy where the source is the zone of one VSwitchIF and the destination is the zone of the other VSwitchIF. After that, create another policy in the opposite direction.

• Zones of two L3 interfaces are under the same VRouter

  To allow two L3 interfaces to communicate, you need to create a policy allowing one zone to the other zone.
  For example, to allow communication between eth0/0 and eth0/5, you should create a policy from L3-zone1 to L3-zone2, and then create an opposite-direction policy.

• Zones of two L3 interfaces are under different VRouters

  To allow two L3 interfaces in two different zones of different VRouters to communicate, you need to create a policy with the source being one VRouter and the destination being the other VRouter. Then create a policy in the opposite direction.

• An L2 interface and an L3 interface under the same VRouter

  To allow communication between an L2 interface and an L3 interface under the same VRouter, you need to create a policy whose source is the zone that binds the VSwitchIF of the L2 interface and whose destination is the zone of the L3 interface. After that, create a policy in the opposite direction.
  For example, to allow eth0/0 and eth0/2 to communicate, create a policy from L3-zone1 to L2-zone1, and its opposite-direction policy.



Packet Processing Rule

Forwarding Rule in Layer 2

Forwarding within Layer 2 means it is in one VSwitch. The StoneOS system creates a MAC address table for a VSwitch by source address learning. Each VSwitch has its own MAC address table. The packets are forwarded according to the types of the packets, including IP packets, ARP packets, and non-IP-non-ARP packets.
The forwarding rules for IP packets are:

1. Receive a packet.

2. Learn the source address and update the MAC address table.

3. If the destination MAC address is a unicast address, the system will look up the egress interface according to the destination MAC address. In this case, two situations may occur:

   • If the destination MAC address is the MAC address of the VSwitchIF with an IP configured, the system will forward the packet according to the related routes; if the destination MAC address is the MAC address of the VSwitchIF with no IP configured, the system will drop the packet.

   • Figure out the egress interface according to the destination MAC address. If the egress interface is the source interface of the packet, the system will drop the packet. Otherwise, the system will forward the packet from the egress interface.

   If no egress interface (unknown unicast) is found in the MAC address table, jump to Step 6 directly.

4. Figure out the source zone and destination zone according to the ingress and egress interfaces.

5. Look up the policy rules and forward or drop the packet according to the matched policy rules.

6. If no egress interface (unknown unicast) is found in the MAC address table, the system will send the packet to all the other L2 interfaces. The sending procedure is: take each L2 interface as the egress interface and each L2 zone as the destination zone to look up the policy rules, and then forward or drop the packet according to the matched policy rule. In a word, forwarding of unknown unicast is policy-controlled broadcasting. The processing of broadcast packets and multicast packets is similar to that of unknown unicast packets; the only difference is that broadcast packets and multicast packets will be copied and handled in Layer 3 at the same time.

For ARP packets, the broadcast packet and unknown unicast packet are forwarded to all the other interfaces in the VSwitch, and at the same time, the system sends a copy of the broadcast packet and unknown unicast packet to the ARP module to handle.

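The Layer 2 forwarding steps above, together with the zone-pair rules from "General Rules of Security Policy", as an added Python example that is not part of this guide or of StoneOS: a VSwitch model that learns source MACs, looks up the egress interface, derives the source and destination zones, applies an ordered policy table with default deny, and floods unknown unicast and broadcast frames under policy control. The class and function names, the policy tuple layout, the placeholder VSwitchIF MAC and the constructed topology (eth0/2 and eth0/3 in L2-zone1 and L2-zone2 as in the "same VSwitch" rule, plus eth0/4 in L2-zone1) are this example's own; the Layer 3 copy of broadcast/multicast frames and ARP handling are not modelled.

```python
"""Model of Layer 2 forwarding inside one StoneOS VSwitch (an added example, not
Hillstone code). It follows the rule sequence in "Forwarding Rule in Layer 2" and the
zone-pair policy rules in "General Rules of Security Policy": learn the source MAC,
look up the egress interface, derive the source/destination zones, consult the policy
table (default deny), and treat unknown unicast and broadcast as policy-controlled
flooding. Class names, the policy tuple layout and the VSwitchIF MAC are assumptions
for this illustration; the Layer 3 copy of broadcast/multicast frames and ARP handling
are not modelled.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_unicast(mac: str) -> bool:
    """Unicast MACs have the I/G bit (lowest bit of the first octet) clear."""
    return (int(mac.split(":")[0], 16) & 1) == 0


@dataclass
class VSwitch:
    name: str
    zone_of_interface: Dict[str, str]       # L2 interface -> L2 zone bound to this VSwitch
    policies: List[Tuple[str, str, str]]    # (src_zone, dst_zone, action), ordered; first match wins
    vswitchif_mac: Optional[str] = None     # MAC of this VSwitch's VSwitchIF
    vswitchif_has_ip: bool = False          # only an addressed VSwitchIF hands frames to Layer 3
    mac_table: Dict[str, str] = field(default_factory=dict)   # learned MAC -> interface

    def policy_action(self, src_zone: str, dst_zone: str) -> str:
        """Step 5: first matching rule wins; with no matching rule StoneOS denies."""
        for src, dst, action in self.policies:
            if src == src_zone and dst == dst_zone:
                return action
        return "deny"

    def forward(self, ingress: str, src_mac: str, dst_mac: str) -> Dict[str, str]:
        """Return {egress: decision} for one frame; "route" means handed to Layer 3."""
        src_mac, dst_mac = src_mac.lower(), dst_mac.lower()
        # Step 2: source address learning keeps the MAC table current.
        self.mac_table[src_mac] = ingress
        src_zone = self.zone_of_interface[ingress]

        if is_unicast(dst_mac):
            # Step 3: frames for the VSwitchIF are routed only if it has an IP address.
            if self.vswitchif_mac and dst_mac == self.vswitchif_mac.lower():
                return {"vswitchif": "route" if self.vswitchif_has_ip else "drop"}
            egress = self.mac_table.get(dst_mac)
            if egress is not None:
                if egress == ingress:
                    return {egress: "drop"}      # would go back out the source interface
                # Steps 4-5: zones from the ingress/egress interfaces, then the policy decides.
                return {egress: self.policy_action(src_zone, self.zone_of_interface[egress])}
            # Unknown unicast: fall through to step 6.

        # Step 6: policy-controlled flooding to every other L2 interface of the VSwitch.
        decisions = {}
        for iface, dst_zone in self.zone_of_interface.items():
            if iface != ingress:
                decisions[iface] = self.policy_action(src_zone, dst_zone)
        return decisions


def demo_vswitch() -> VSwitch:
    """Constructed topology: eth0/2 in L2-zone1 and eth0/3 in L2-zone2 (the guide's
    'same VSwitch' example), plus eth0/4 in L2-zone1 to show the same-zone rule."""
    return VSwitch(
        name="VSwitch1",
        zone_of_interface={"eth0/2": "L2-zone1", "eth0/3": "L2-zone2", "eth0/4": "L2-zone1"},
        policies=[("L2-zone1", "L2-zone2", "permit"), ("L2-zone2", "L2-zone1", "permit")],
        vswitchif_mac="02:00:00:00:00:01",   # locally administered placeholder, not a real device MAC
    )


if __name__ == "__main__":
    vs = demo_vswitch()
    host_a, host_b, host_c = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    print(vs.forward("eth0/2", host_a, host_b))   # B unknown: flood, permitted only into L2-zone2
    print(vs.forward("eth0/3", host_b, host_a))   # A learned on eth0/2: reverse policy permits
    print(vs.forward("eth0/4", host_c, host_a))   # same zone, no zone1->zone1 policy: deny
    vs.policies.append(("L2-zone1", "L2-zone1", "permit"))
    print(vs.forward("eth0/4", host_c, host_a))   # now permitted
    print(vs.forward("eth0/2", host_a, BROADCAST))
```

Two points the walkthrough makes show up directly in the results: the reply from eth0/3 to eth0/2 is only permitted because the second (L2-zone2 to L2-zone1) policy exists, and traffic between eth0/2 and eth0/4 stays denied until a policy whose source and destination are both L2-zone1 is added.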


Forwarding Rule in Layer 3

0. Identify the logical ingress interface of the packet to determine the source zone of the packet. The logical ingress interface may be a common interface or a sub-interface.

1. The system performs a sanity check on the packet. If the attack defense function is enabled on the source zone, the system will perform the AD check simultaneously.

2. Session lookup. If the packet belongs to an existing session, the system will perform Step 11 directly.

3. DNAT operation. If a DNAT rule is matched, the system will mark the packet. The DNAT translated address is needed in the step of route lookup.
   *Note: If the system has a static 1-to-1 BNAT rule, the BNAT rule is checked before other NAT rules. If a packet matches BNAT, it will be processed in accordance with this rule's configuration and will skip the regular DNAT rule checking.

4. Route lookup. The route lookup order from high to low is: PBR > SIBR > SBR > DBR > ISP route.
   By now, the system knows the logical egress and destination zone of the packet.

5. SNAT operation. If an SNAT rule is matched, the system will mark the packet.
   *Note: If the system has a static 1-to-1 BNAT rule, the BNAT rule is checked before other NAT rules. If a packet matches BNAT, it will be processed in accordance with this rule's configuration and will skip the regular SNAT rule checking.

6. VR next hop check. If the next hop is a VR, the system will check whether it is beyond the maximum VR number (the current version allows a packet to traverse up to three VRs). If it is beyond the maximum number, the system will drop the packet; if it is within the maximum number, return to Step 4. If the next hop is not a VR, go on with the policy lookup.

7. Policy lookup. The system looks up the policy rules according to the packet's source/destination zones, source/destination IP and port, and protocol. If no policy rule is matched, the system will drop the packet; if a policy rule is matched, the system will deal with the packet as the rule specifies. The action can be one of the following:

   • Permit: Forward the packet.

   • Deny: Drop the packet.

   • Tunnel: Forward the packet to the specified tunnel.

   • Fromtunnel: Check whether the packet originates from the specified tunnel. The system will forward the packet from the specified tunnel and drop other packets.

   • WebAuth: Perform WebAuth on the specified user.

8. First-time application identification. The system tries to identify the type of the application according to the port number and service specified in the policy rule.

9. Establish the session.

10. If necessary, the system will perform the second-time application identification. It is a precise identification based on the packet contents and traffic action.

11. Application behavior control. After knowing the type of the application, the system will deal with the packet according to the configured profiles and ALG.

12. Perform operations according to the records in the session, for example, the NAT mark.

13. Forward the packet to the egress interface.

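The Layer 3 packet path above, run against the configuration from "Connecting to Internet Under Routing Mode" (eth0/1 in untrust with the ISP address, eth0/0 in trust, an SNAT rule to the egress IP, a trust-to-untrust permit policy and a default route to the ISP gateway), as an added Python example that is not part of this guide or of StoneOS. It performs the session lookup, DNAT mark, route lookup, SNAT mark, policy lookup and session creation steps in the order listed, and shows why a reply from the Internet is forwarded by the session while an unsolicited untrust-to-trust packet is dropped by the policy. The class names, the session-key layout, the reverse-direction NAT undo and the internal addressing are this example's own; the sanity/AD check, BNAT, PBR/SIBR/SBR/ISP routes, multi-VR traversal and application identification are left out.

```python
"""Model of the StoneOS Layer 3 packet path (an added example, not Hillstone code),
configured like the routing-mode walkthrough in this guide: eth0/1 in untrust with the
ISP-provided address, eth0/0 in trust, an SNAT rule translating to the egress IP, a
trust-to-untrust permit policy and a default route to the ISP gateway. Class names,
the session-key layout and the reverse-direction NAT undo are assumptions for this
illustration; sanity/AD checks, BNAT, PBR/SIBR/SBR/ISP routes, multi-VR traversal and
application identification are left out.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    ingress: str      # logical ingress interface
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass
class Route:
    prefix: str                    # destination network, e.g. "0.0.0.0/0"
    egress: str                    # logical egress interface
    gateway: Optional[str] = None  # None for a directly connected network


@dataclass
class Firewall:
    zone_of_interface: Dict[str, str]
    interface_ip: Dict[str, str]
    routes: List[Route]
    snat_rules: List[Tuple[str, str, str]]   # (src_net, dst_net, egress): source -> egress interface IP
    policies: List[Tuple[str, str, str]]     # (src_zone, dst_zone, action); first match wins
    dnat_rules: Dict[str, str] = field(default_factory=dict)   # public dst -> internal dst
    sessions: Dict[tuple, dict] = field(default_factory=dict)

    def route_lookup(self, dst: str) -> Optional[Route]:
        """Destination-based route lookup: longest prefix match."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Tuple[int, Route]] = None
        for r in self.routes:
            net = ipaddress.ip_network(r.prefix)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, r)
        return best[1] if best else None

    def policy_action(self, src_zone: str, dst_zone: str) -> str:
        for src, dst, action in self.policies:
            if src == src_zone and dst == dst_zone:
                return action
        return "deny"      # step 7: no matching rule means the packet is dropped

    def process(self, p: Packet) -> dict:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        # Step 2: session lookup. A hit skips NAT, route and policy evaluation; step 12
        # then applies the NAT marks recorded in the session.
        if key in self.sessions:
            return dict(self.sessions[key], session_hit=True)
        src, dst = p.src, p.dst
        # Step 3: DNAT mark; the translated destination is what route lookup uses.
        dst = self.dnat_rules.get(dst, dst)
        # Step 4: route lookup yields the logical egress and therefore the destination zone.
        route = self.route_lookup(dst)
        if route is None:
            return {"action": "drop", "reason": "no route"}
        src_zone = self.zone_of_interface[p.ingress]
        dst_zone = self.zone_of_interface[route.egress]
        # Step 5: SNAT mark (this guide's rule: any source, any destination, egress IP).
        for src_net, dst_net, egress in self.snat_rules:
            if (egress == route.egress
                    and ipaddress.ip_address(src) in ipaddress.ip_network(src_net)
                    and ipaddress.ip_address(dst) in ipaddress.ip_network(dst_net)):
                src = self.interface_ip[egress]
                break
        # Step 7: policy lookup on the zone pair.
        action = self.policy_action(src_zone, dst_zone)
        if action != "permit":
            return {"action": "drop", "reason": f"policy {src_zone}->{dst_zone}: {action}"}
        # Step 9: establish the session in both directions with the NAT marks recorded, so
        # replies match the session instead of needing an untrust-to-trust policy.
        forward = {"action": "permit", "egress": route.egress,
                   "next_hop": route.gateway or dst, "src": src, "dst": dst}
        self.sessions[key] = forward
        back = self.route_lookup(p.src)
        back_egress, back_hop = (back.egress, back.gateway or p.src) if back else (p.ingress, p.src)
        self.sessions[(p.proto, dst, p.dport, src, p.sport)] = {
            "action": "permit", "egress": back_egress, "next_hop": back_hop,
            "src": p.dst, "dst": p.src}   # undo DNAT on the source, SNAT on the destination
        return forward


def demo_firewall() -> Firewall:
    """The routing-mode example from this guide; the internal subnet is constructed."""
    return Firewall(
        zone_of_interface={"eth0/0": "trust", "eth0/1": "untrust"},
        interface_ip={"eth0/0": "192.168.1.1", "eth0/1": "202.10.1.2"},
        routes=[Route("192.168.1.0/24", "eth0/0"), Route("202.10.1.0/24", "eth0/1"),
                Route("0.0.0.0/0", "eth0/1", gateway="202.10.1.1")],
        snat_rules=[("0.0.0.0/0", "0.0.0.0/0", "eth0/1")],
        policies=[("trust", "untrust", "permit")],
    )


if __name__ == "__main__":
    fw = demo_firewall()
    print(fw.process(Packet("eth0/0", "192.168.1.10", "203.0.113.5", "tcp", 40000, 443)))
    print(fw.process(Packet("eth0/1", "203.0.113.5", "202.10.1.2", "tcp", 443, 40000)))   # reply
    print(fw.process(Packet("eth0/1", "203.0.113.5", "192.168.1.10", "tcp", 5555, 22)))   # unsolicited
```

The first packet leaves eth0/1 towards the ISP gateway with its source rewritten to the egress IP; its reply is matched by the reverse session entry and has the destination translated back to the internal host, while a packet from the Internet that belongs to no session falls through to the policy lookup and is dropped because no untrust-to-trust rule exists.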


Deploying Transparent Mode
Transparent mode is also known as bridge mode or transparent bridging mode. Transparent mode is used when the IT administrator does not wish to change the existing network layout. Normally, the existing network has already set up routers and switches. The firewall will be used as a security device.
Transparent mode has the following advantages:

• No need to change IP addresses

• No need to set up NAT rules

Under normal circumstances, the firewall in transparent mode is deployed between the router and the switch of the protected network, or it is installed between the Internet and a company's router. The internal network uses its old router to access the Internet, and the firewall only provides security control features.
This section introduces a configuration example of a firewall deployed between a router and a switch. In this example, the administrator uses eth0/0 to manage the firewall. The firewall's eth0/1 is connected to the router (which connects to the Internet) and eth0/2 is connected to a switch (which connects to the internal network).



Step 1: Initial login to the firewall

1. In the administrator's Ethernet properties, set the IPv4 protocol as below.

2. Connect an RJ-45 Ethernet cable from the computer to the eth0/0 of the device.

3. In the browser's address bar, type "https://192.168.1.1" and press Enter.

4. In the login interface, type the default username and password: hillstone/hillstone.

5. Click Login, follow the prompts to change the default password, and then log in again with the new password.

Step 2: Configure interface and zone

• Configure eth0/1 as an Internet-connected interface.

  1. Select Network > Interface.

  2. Double-click ethernet0/1, and configure in the prompt.

  3. Click OK.

• Configure eth0/2 as a private-network-connected interface.

  1. Select Network > Interface.

  2. Double-click ethernet0/2, and configure in the prompt.

  3. Click OK.

Step 3: Configuring policies

• Create a policy to allow visiting the Internet.

  1. Select Policy > Security Policy > Policy.

  2. Click New, and select Policy from the drop-down list.

  3. Click OK.

• Create a policy to allow the Internet to visit the private network.

  1. Select Policy > Security Policy.

  2. Click New.

  3. Click OK.

• The two policies above ensure communication between the private network and the Internet. If you want to set up more details, e.g. to limit P2P downloads, you can add more policies and overlap the new policies with the old ones. The match sequence of policies is determined by their position in the policy list, not their ID numbers.

(Optional) Step 4: Configuring a VSwitch interface for managing the firewall

If you want any PC in the private network to visit and configure the firewall, you can configure a VSwitch interface as a management interface.

1. Select Network > Interface.

2. Double-click vswitchif1.

   Notes: When configuring IP Configuration, set an IP address in the same subnet as the private network.

3. Click OK.

4. With any PC in the private network, enter the IP address of vswitchif1, and you will visit the firewall web user interface.



Deploying Routing Mode
Routing mode deployment often uses the NAT function, so it is also called NAT mode. In rout-
ing mode each interface has its own IP address, which means the interfaces are in Layer 3 zones.
A firewall in routing mode works as both a router and a security device.
Routing mode is mostly used when the firewall is installed between an internal network and the
Internet.
The example, which is based on the topology shown below, describes how to connect and configure
a new Hillstone device in routing mode. The device connects a private network to the Internet.

Step 1: Connecting to the device

1. Connect one port (e.g. eth0/1) of the Hillstone device to your ISP network. In this way,
"eth0/1" is in the untrust zone.

2. Connect your internal network to another Ethernet interface (e.g. eth0/0) of the device.
This means "eth0/0" is connected to the trust zone.

3. Power on the Hillstone device and your PCs.

4. If one of the internal interfaces has already been configured with an IP address, use a
browser on one of your internal PCs to visit that address. If the device is new, use the
methods in "Initial Visit to Web Interface" on Page 13.

5. Enter "hillstone" for both the username and the password. These are the factory-default
credentials; change the password, or create a dedicated administrator account, before the
device is connected to the ISP network.

Step 2: Configuring interfaces

1. Go to Network > Interface.

2. Double-click ethernet0/1. In the Ethernet Interface dialog box, enter the following values.

Option         Value

Binding        L3-zone

Zone           untrust

Type           Static IP

IP Address     202.10.1.1 (public IP address provided by your ISP)

Netmask        255.255.255.0

Management     Select the protocols you want to use to access the device through this
               interface. On the ISP-facing interface, leave these unselected unless
               remote administration is really required, and then prefer HTTPS and SSH
               over HTTP and Telnet.

3. Click OK.

4. Configure ethernet0/0, the interface facing the internal network, in the same way, binding it
to the trust zone and giving it a static IP address from your private subnet.

Step 3: Creating a NAT rule to translate internal IP to public IP

1. Go to Policy > NAT > SNAT.

2. Click New. In the SNAT Configuration dialog box, enter the following values.

Option                Value

Source Address        Address Entry, Any

Destination Address   Address Entry, Any

Egress                Egress interface, ethernet0/1

Translated            Egress IP

Sticky                Enable

3. Click OK.

Step 4: Creating a security policy to allow internal users to access the Internet

1. Go to Policy > Security Policy > Policy.

2. Click New, and select Policy from the drop-down list. In the Policy Configuration dialog
box, enter the following values.

Source Information

Zone                    trust

Address                 Any

Destination Information

Zone                    untrust

Address                 Any

Other Information

Service/Service Group   Any

APP/APP Group           -----

Action                  Permit

3. Click OK.

Step 5: Configuring a default route

1. Go to Network > Routing > Destination Route.

2. Click New. In the Destination Route Configuration dialog box, enter the following values.

Option         Value

Destination    0.0.0.0 (matches all networks)

Subnet Mask    0.0.0.0 (matches all subnets)

Gateway        The next-hop address provided by your ISP. It must be an address on the
               ethernet0/1 subnet other than the interface's own address 202.10.1.1;
               202.10.1.254 is assumed here as an illustration.

3. Click OK.



Deploying Mix Mode
If the firewall has both Layer 2 interfaces (transparent mode) and Layer 3 interfaces (routing
mode), the firewall is in mix mode.

To configure mix mode, combine the deployment steps of routing mode with those of transparent
mode. Refer to the two modes described above.


Deploying Tap Mode
In most cases the security device is deployed inline in the network. In some scenarios, however,
an IT administrator only wants the auditing and statistical functions such as IPS, antivirus and
Internet behavior control. For these features it is enough to connect the device to a mirror port
of a core switch: the traffic is mirrored to the security device for auditing and monitoring, and the
device never forwards it.

Tap (bypass) mode is created by binding a physical interface to a tap zone. The interface then
becomes a bypass interface.

Use an Ethernet cable to connect port e0 of the switch to interface e1 of the Hillstone device. e1 is
the bypass interface and e2 is the bypass control interface; e0 is the mirror port of the switch. The
switch mirrors its traffic to e1, and the Hillstone device monitors, scans and logs the traffic
received on e1. After IPS, AV or network behavior control has been configured on the Hillstone
device, when the device detects a network intrusion, a virus or an illegal network behavior, it
sends a TCP RST packet out of e2 toward the switch to reset the offending connection. Because
the device only sees a copy of the traffic, this reset is the only enforcement available in tap mode:
packets that have already been mirrored are not blocked, and UDP or other connectionless traffic
cannot be reset.

Notes: Before configuring tap mode on the device, set up port mirroring on your primary switch
so that traffic is mirrored from e0 to e1; the device can then scan, monitor and count the mirrored
traffic.

Here is an example of monitoring with IPS in tap mode.

Step 1: Creating tap mode by binding an interface

1. Select Network > Zone, and click New.

Option              Value

Zone                Enter a name, e.g. "tap-zone".

Type                TAP

Binding Interface   Select the bypass interface. Only a physical interface, an aggregate
                    interface or a redundant interface can be used; a sub-interface is not
                    allowed.

2. Click OK.

Step 2: Creating an IPS rule

1. Select Object > Intrusion Prevention System.

2. Click New.

3. Enter the rule name.

4. Configure the signature settings.

5. Configure the protocol settings.

6. Click OK to complete the IPS rule configuration.

Step 3: Adding the IPS rule to the tap zone

1. Select Network > Zone, and double-click the tap zone created in Step 1.

2. In the Threat Prevention tab, enable IPS and select the IPS rule created in Step 2.

3. Click OK.

(Optional) Blocking traffic at the switch

A bypass control interface is used to send control packets (only TCP RST packets are supported in
the current version). After IPS, AV or network behavior control has been configured on the
Hillstone device, when the device detects a network intrusion, a virus or an illegal network
behavior, it sends a TCP RST packet out of e2 toward the switch to reset the connection.
By default, the bypass interface itself is the control interface, but you can change the control
interface.
To change the bypass control interface, you can only use the command line interface:

tap control-interface interface-name

l interface-name - Specifies which interface is used as the bypass control interface.
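To make the reset mechanism concrete, here is an added example that is not code from the StoneOS guide or from Hillstone. It builds, in pure Python with no packet sending, the kind of IPv4/TCP segment with only the RST flag set that a bypass control interface emits, spoofing one endpoint's address toward the other, and it verifies both checksums the way a receiver would. Addresses, ports and the sequence number are constructed sample values; the sequence number must equal the value the target expects next (the ACK number seen in the mirrored segment from the peer), otherwise a modern TCP stack ignores the reset.

```python
"""Added example (not from the StoneOS guide): build and verify an IPv4 TCP RST
segment of the kind a tap-mode bypass control interface sends. Nothing is
transmitted; the bytes are only constructed and decoded."""
import struct
from ipaddress import IPv4Address


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_rst(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int) -> bytes:
    """Return a 40-byte IPv4 header + TCP header with only RST set (RFC 793).
    src_ip/sport are the endpoint being impersonated; seq is the sequence
    number the receiver expects next, taken from the mirrored traffic."""
    src, dst = IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed
    # TCP: sport, dport, seq, ack=0, data offset 5 words, flags=RST, window 0,
    # checksum placeholder 0, urgent pointer 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x04, 0, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # IPv4: version/IHL 0x45, TOS 0, total length, ID 0, DF flag, TTL 64,
    # protocol 6 (TCP), checksum placeholder 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def decode(packet: bytes) -> dict:
    """Decode the fields a reviewer checks on a captured reset: ports, seq,
    flags, and whether the IP and TCP checksums verify."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr, tcp = packet[:ihl], packet[ihl:]
    src, dst = IPv4Address(ip_hdr[12:16]), IPv4Address(ip_hdr[16:20])
    pseudo = struct.pack("!4s4sBBH", src.packed, dst.packed, 0, ip_hdr[9], len(tcp))
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    flags = tcp[13]
    return {
        "src": str(src), "dst": str(dst), "sport": sport, "dport": dport, "seq": seq,
        "flags": flags, "rst_only": flags == 0x04,
        "ip_cksum_ok": checksum(ip_hdr) == 0,
        "tcp_cksum_ok": checksum(pseudo + tcp) == 0,
    }


if __name__ == "__main__":
    # Constructed sample: reset sent as if from server 198.51.100.7:443 to the
    # internal client 192.168.1.10:51514 whose session the IPS flagged.
    pkt = build_tcp_rst("198.51.100.7", "192.168.1.10", 443, 51514, 0x1A2B3C4D)
    print(pkt.hex())
    print(decode(pkt))
```

In a tap deployment the device has to send such a segment in both directions (one impersonating each endpoint) to be sure the session is torn down, and the mirror delay means the original data may already have been delivered; treat the reset as damage limitation, not prevention.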


Chapter 3 Dashboard
This feature may vary slightly on different platforms. If there is a conflict between this guide and
the actual page, the latter shall prevail.
The dashboard shows the system and threat information. The layout of the dashboard is shown
below:

Customization
You can customize which functions the dashboard displays, or move a function area to another
location, as needed.

l To customize the dashboard display function:

1. Click Customize at the top-right corner.

2. Select the check box of each function to display from the expanded list.

l To modify the function area location:

1. Hover your mouse over the title bar of the function area.

2. When the move cursor appears, press and hold the mouse button and drag the function
area to the location where it should be displayed.

Threats
Displays the top 10 threats within the specified period.

l Click the display type selector to choose how threats are listed: by Destination IP, Source IP
or Threat Name.

Threatscape
Displays a statistical chart of threat information within the specified period.

l Click a column to jump to the iCenter page, where the list shows the threats of the
corresponding threat level.

User
Displays the top 10 users by traffic within the specified period.

l Specify the type of display, by Traffic or by Concurrent Sessions, from the drop-down menu.

l Click the table or bar chart icon to switch between the table and the bar chart.

l Hover your mouse over a bar to view the user's upstream traffic, downstream traffic, total
traffic or concurrent sessions.

Application
Displays the top 10 applications by traffic within the specified period.

l Specify the type of display (e.g. by Traffic) from the drop-down menu.

l Click the table or bar chart icon to switch between the table and the bar chart.

l Hover your mouse over a bar to view the application's total traffic.

Total Traffic
Shows the total traffic within the specified period.

Physical Interface
Displays statistics for each interface, including the interface name, IP address, upstream speed,
downstream speed and total speed.

System and Signature Database

System Information
System information includes:

l Serial number: The serial number of the device.

l Host name: The host name of the device.

l Platform: The platform type of the device.

l System Time: The current system time.

l System Uptime: How long the system has been running.

l HA State: The HA state of the device:

  l Standalone: Non-HA mode; HA is disabled.

  l Init: Initial state.

  l Hello: Negotiation state; the device is negotiating the master/backup relationship.

  l Master: The current device is the master.

  l Backup: The current device is the backup.

  l Failed: The device has failed.

l Firmware: The version number and time of the firmware running on the device.

l Boot File: The boot file name.

Signature DB Information
Signature database information includes:

l Anti Virus Signature: The version number and time of the anti virus signature database.

l IPS Signature: The version number and time of the IPS signature database.

l Botnet Prevention Signature Database: The version number and time of the botnet prevention
signature database.

l URL Category Database: The version number and time of the URL category database.

l Application Signature: The version number and time of the application signature database.

l Sandbox Whitelist Database: The version number and time of the sandbox whitelist database.

l IP Reputation Database: The version number and time of the IP reputation database.

License
Displays the detailed information of installed licenses.

l Customer: The name of the customer who applied for the license.

l Type: The type of license.

l Valid Time: The validity period of the license.

l Others: Additional notes for the license.

Specified Period
The system supports predefined time cycles and a custom time cycle. Click the time selector in the
top-right corner of each tab to set the time cycle.

l Realtime: Displays the statistics of the last 5 minutes.

l Last Hour: Displays the statistics of the latest 1 hour.

l Last Day: Displays the statistics of the latest 1 day.

l Last Month: Displays the statistics of the latest 1 month.

In the top-right corner, you can also set the refresh interval of the displayed data.

Chapter 4 iCenter
This feature may not be available on all platforms. Please check the actual page in the system to
see whether your device delivers this feature.
iCenter shows, from multiple dimensions, the threats to the whole network in depth.

Threat
The Threat tab collects and displays all threat information of the whole network within the
"Specified Period" on Page 73. Click iCenter to open it.

Click a threat name link in the list to view the detailed information, source/destination,
knowledge base and history of the threat.

l Threat Analysis: The content of the Threat Analysis tab depends on the detection engine that
reported the threat.

l Anti Virus/IPS: Displays the detailed threat information. For an introduction to the Anti
Virus/IPS functions, see "Intrusion Prevention System" on Page 962.

l Attack Defense/Perimeter Traffic Filtering: Displays the detailed threat information. For an
introduction to these functions, see "Attack-Defense" on Page 1021 and "Perimeter Traffic
Filtering" on Page 1042.

l Sandbox Threat Detection: Displays the detailed threat information of the suspicious file. For
the Sandbox function, see "Sandbox" on Page 1009.

l Anti-Spam: Displays the spam filter information, such as the sender and subject of the spam.
For the Anti-Spam function, see "Antispam" on Page 1057.

l Botnet Prevention: Displays the detailed threat information. For the Botnet Prevention
function, see "Botnet Prevention" on Page 1066.

l Knowledge Base: Displays the description, solution, etc. of the selected threat detected by IPS.

l Threat History: Displays the history of the selected threat across the whole network.

Hot Threat Intelligence

The Hot Threat Intelligence page displays intelligence on hot threats on the Internet, including
IPS vulnerabilities, viruses and threats detected by the cloud sandbox. You can view the details of
the hot threats or carry out protection operations to prevent them.
Click iCenter > Hot Threat Intelligence to enter the Hot Threat Intelligence page. By default, the
threat intelligence list shows the information of the latest year, including the release time, name,
type, protection status and operation.

l Select a time period from the Release Time drop-down list to filter the threat information of
the specified time period. Click the add-condition button to add further filter conditions as
needed.

l Click the button after "Hot Threat Intelligence Push" to toggle the push function. When it is
enabled, the Hillstone Cloud server pushes the latest hot threat intelligence to the system, and
the system notifies you in a pop-up window whenever it receives new threat intelligence from
the Hillstone Cloud server. When it is disabled, the Hillstone cloud platform no longer pushes
the latest hot threat intelligence; the previously received threat intelligence can only be viewed,
and the related protective operations are not allowed.

l Select one threat intelligence item in the list, and the corresponding threat details and
protection logs are displayed below the list.

l Threat Details: Shows the detailed threat information, including the release time, the name,
signature ID, severity, details, solutions, affected systems and other information (the items
may vary slightly for different types of threat).

Option                  Description

Release Time            Displays the release time of the threat intelligence.

Threat Intelligence     Displays the threat intelligence name.
Name

Signature ID            Displays the ID of the corresponding signature in the IPS signature
                        database.

Severity                Displays the severity of the threat intelligence.

Details                 Displays the details of the threat intelligence.

Solution                Displays the solutions to the threat.

Affected Systems        Displays the names of the operating systems that the threat affects.

CVE ID                  Displays the CVE ID and link of the threat. Click the link, and a new
                        page opens where you can view the CVE details.

Reference Information   Displays links to reference information about the threat. Click a link,
                        and a new page opens where you can view the reference details.

l Protection Log: If the system has been attacked by the threat described in the threat
intelligence within the latest month, the protection logs are displayed. Otherwise the protection
log is empty.

l Click the threat intelligence name in the list, or the corresponding operation ("Protect Now"
or "View Details") in the "Operation" column, and the <Hot Threat Intelligence> dialog box
pops up, where you can view the information about the hot threat intelligence.

Notes: Because the operation steps in the <Solution> tab are correlated, follow the steps of the
solution in turn. For example, if the signature database has not been upgraded, the signature ID
is not shown and subsequent protections may be unavailable; after the signature database is
upgraded, the subsequent steps may change or some of them may be omitted.

Viewing Hot Threat Intelligence

The system obtains and downloads the latest threat intelligence from the Hillstone cloud server at
the set time every day, or when you log in to the system, and updates the hot threat intelligence
list with it.
When the "Hot Threat Intelligence Push" function is enabled and the system receives new
intelligence, a New Threat Intelligence notice is displayed in the upper-right corner of the page.
Hover the mouse over the notification and click "details" to jump to the Hot Threat Intelligence
page. On the iCenter > Hot Threat Intelligence page, the new threat intelligence is displayed in a
pop-up window for you to view.
Chapter 5 Network
This chapter describes factors and configurations related to network connection, including:

l Security Zone: A security zone divides the network into different sections, such as the trust
zone and the untrust zone. The device can control the traffic flowing from and to security zones
once the configured policy rules have been applied.

l Interface: An interface allows inbound and outbound traffic to flow to a security zone. An
interface must be bound to a security zone so that traffic can flow into and out of the zone.

l Virtual-Wire: A virtual wire allows direct Layer 2 communication between sub-networks.

l Virtual Switch: Running at Layer 2, a VSwitch acts as a switch. Once a Layer 2 security zone is
bound to a VSwitch, all the interfaces bound to that zone are also bound to the VSwitch.

l Application Layer Gateway: ALG assures data transmission for applications that use multiple
channels, and assures the proper operation of VoIP applications in the strictest NAT mode.

l Global Network Parameters: These parameters mainly include the IP packet processing
options, such as IP fragmentation, TCP MSS value, etc.
Security Zone
A security zone is a logical entity. One or more interfaces can be bound to one zone. A zone to
which a policy is applied is known as a security zone, while a zone created for a specific function
is known as a functional zone. Zones have the following features:

l An interface must be bound to a zone. A Layer 2 zone is bound to a VSwitch, while a Layer 3
zone is bound to a VRouter. Therefore, the VSwitch to which a Layer 2 zone is bound decides
which VSwitch the interfaces in that zone belong to, and the VRouter to which a Layer 3 zone is
bound decides which VRouter the interfaces in that zone belong to.

l Interfaces in Layer 2 and Layer 3 zones work in Layer 2 mode and Layer 3 mode respectively.

l The system supports intra-zone policies, such as a trust-to-trust policy rule.

There are 8 pre-defined security zones in StoneOS: trust, untrust, dmz, L2-trust, L2-untrust,
L2-dmz, vpnhub (the VPN functional zone) and ha (the HA functional zone). You can also create
custom security zones. Pre-defined and user-defined security zones do not differ in function, so
you can choose freely between them.

Configuring a Security Zone

To create a security zone, take the following steps:

1. Select Network > Zone.

2. Click New.

3. In the Zone Configuration dialog box, type the name of the zone into the Zone box.

4. Type a description of the zone in the Description text box.

5. Specify a type for the security zone. For a Layer 2 zone, select a VSwitch from the VSwitch
drop-down list below; for a Layer 3 zone, select a VRouter from the Virtual Router drop-down
list. If TAP is selected, the zone created is a tap zone, which is used in Bypass mode.

6. Bind interfaces to the zone by selecting them from the Binding Interface drop-down list.

7. If needed, click the Enable button to enable APP identification for the zone.

8. If needed, click the Enable button to set the zone as a WAN zone, which assures the accuracy
of the statistical analysis sets that are based on IP data.

9. If needed, click the Enable button to enable NetBIOS host query for the zone.

10. If needed, select the Threat Protection tab and configure the parameters of the Threat
Protection function. For detailed instructions, see "Chapter 11 Threat Prevention" on Page 949.

11. If needed, select the Data Security tab and configure the parameters of the Data Security
function. For detailed instructions, see "Data Security" on Page 704.

12. If needed, select the End Point Prevention tab and configure the parameters of the End
Point Prevention function. For detailed instructions, see "End Point Protection" on Page 764.

13. If needed, select the IoT Monitor tab and configure the parameters of the IoT Monitor
function. For detailed instructions, see "IoT Policy" on Page 777.

14. Click OK.

Notes:
l Pre-defined zones cannot be deleted.

l When changing the VSwitch to which a zone belongs, make sure there is no interface bound
to the zone.

l An interface bound to a tap zone only monitors traffic and does not forward it. However,
when the device enters the Bypass state (for example on system restart, abnormal operation or
power-off), a Bypass interface pair is physically connected and traffic is forwarded between the
two interfaces. If you want to avoid this, do not bind a pair of Bypass interfaces to a tap zone.

Interface
Interfaces allow inbound and outbound traffic to flow to security zones. An interface must be
bound to a security zone so that traffic can flow into and from the security zone. Furthermore, for
the Layer 3 security zone, an IP address should be configured for the interface, and the cor-
responding policy rules should also be configured to allow traffic transmission between different
security zones. Multiple interfaces can be bound to one security zone, but one interface cannot be
bound to multiple security zones.
The security devices support various types of interfaces, which are divided into physical and
logical interfaces by their nature.

l Physical Interface: Each Ethernet port on the device is a physical interface. The name of a
physical interface, consisting of media type, slot number and location parameter, is
pre-defined, e.g. ethernet2/1 or ethernet0/2.

l Logical Interface: Includes sub-interfaces, VSwitch interfaces, loopback interfaces, tunnel
interfaces, aggregate interfaces, redundant interfaces, PPPoE interfaces and Virtual Forward
interfaces.

Interfaces are also divided into Layer 2 and Layer 3 interfaces according to their security zones.

l Layer 2 Interface: Any interface in a Layer 2 zone.

l Layer 3 Interface: Any interface in a Layer 3 zone. Only Layer 3 interfaces can operate in
NAT/routing mode.

Different types of interfaces provide different functions, as described in the table below.

Type                 Description

Sub-interface        The name of a sub-interface is an extension of the name of its parent
                     interface, e.g. ethernet0/2.1. The system supports the following types
                     of sub-interface: Ethernet sub-interface, aggregate sub-interface and
                     redundant sub-interface. An interface and its sub-interfaces can be
                     bound to one single security zone, or to different zones.

VSwitch interface    A Layer 3 interface that represents the collection of all the interfaces
                     of a VSwitch. The VSwitch interface is effectively the upstream interface
                     of the switch and implements packet forwarding between Layer 2 and
                     Layer 3.

Loopback interface   A logical interface. As long as the security device on which the loopback
                     interface is configured is up, the interface is up as well, so the
                     loopback interface is stable regardless of physical link state.

Tunnel interface     A Layer 3 interface only; the tunnel interface acts as the ingress for VPN
                     communication. Traffic enters the VPN tunnel through this interface.

Aggregate interface  A collection of 1 to 16 physical interfaces. These interfaces share the
                     traffic load to the IP address of the aggregate interface evenly, in
                     order to increase the bandwidth available to a single IP address. If one
                     physical interface within the aggregate fails, the others still process
                     the traffic normally; the only effect is a decrease in available
                     bandwidth.

Redundant interface  The redundant interface provides backup between two physical interfaces.
                     One physical interface, acting as the primary interface, processes the
                     traffic, and the other, acting as the alternative interface, takes over
                     if the primary interface fails.

PPPoE interface      A logical interface based on an Ethernet interface that allows connection
                     to PPPoE servers over the PPPoE protocol.

Virtual Forward      In an HA environment, the Virtual Forward interface is the HA group's
interface            interface designed for traffic transmission.
Configuring an Interface
The configuration options for different types of interfaces may vary. For more information, see
the following instructions.
Both IPv4 and IPv6 address can be configured for the interface.

Creating a PPPoE Interface

To create a PPPoE interface, take the following steps:

1. Select Network > Interface.

2. Click New > PPPoE Interface.

In this page, configure the following.

Option              Description

Interface Name      Specifies a name for the PPPoE interface.

Description         Enter a description for the PPPoE interface.

Binding Zone        If Layer 3 zone is selected, you should also select a security zone from
                    the Zone drop-down list, and the interface is bound to a Layer 3 zone. If
                    No Binding is selected, the interface is not bound to any zone.

Zone                Select a security zone from the Zone drop-down list.

HA sync             Click this button to enable the HA Sync function, which disables the
                    Local property and uses the virtual MAC; the primary device then
                    synchronizes its information with the backup device. If the button is
                    not clicked, HA Sync is disabled, the Local property is enabled, the
                    original MAC is used, and the primary device does not synchronize its
                    information with the backup device.

IP Configuration

User                Specifies the PPPoE user name.

Password            Specifies the PPPoE user's password.

Confirm Password    Enter the password again to confirm.

Idle interval       If the PPPoE interface has been idle (no traffic) for the specified idle
                    interval, the system disconnects the Internet connection; when the
                    interface next requires Internet access, the system reconnects
                    automatically. The value range is 0 to 10000 minutes. The default value
                    is 0.

Re-connect interval Specifies a re-connect interval, i.e. the system tries to re-connect
                    automatically after being disconnected for this interval. The value
                    range is 0 to 10000 seconds. The default value is 10, which means the
                    function is disabled.

Set gateway         With this check box selected, the system sets the gateway information
information from    provided by the PPPoE server as the default gateway route.
PPPoE server as
the default
gateway route

Advanced            In the Advanced page, configure advanced options for PPPoE, including:

                    l Access Concentrator - Specifies a name for the concentrator.

                    l Authentication - The device has to pass PPPoE authentication when
                    connecting to a PPPoE server. The supported authentication methods are
                    CHAP, PAP and Any (the default, either CHAP or PAP). PAP sends the
                    password in clear text; select CHAP where the server supports it.

                    l Netmask - Specifies a netmask for the IP address obtained via PPPoE.

                    l Static IP - You can specify a static IP address and negotiate to use
                    this address, to avoid IP changes. To specify a static IP address, type
                    it into the box.

                    l Distance - Specifies a route distance. The value range is 1 to 255. The
                    default value is 1.

                    l Weight - Specifies a route weight. The value range is 1 to 255. The
                    default value is 1.

                    l Service - Specifies the allowed service. The specified service must be
                    the same as that provided by the PPPoE server. If no service is
                    specified, the system automatically accepts any service returned by the
                    server.

DDNS                In the DDNS Configuration page, configure DDNS options for the interface.
                    For detailed instructions, see "DDNS" on Page 217.
                    Tip: This function is available only when you edit the interface.

Management          Select one or more management method check boxes to configure the
                    interface management methods, including Telnet, SSH, Ping, HTTP, HTTPS,
                    SNMP, NETCONF and TRACEROUTE. On an ISP-facing PPPoE interface, enable
                    only what is required and prefer SSH and HTTPS over Telnet and HTTP.

WebAuth

Auth Service        Click the Enable, Close or Global Default radio button as needed.

                    l Enable: Enables the WebAuth function on the specified interface.

                    l Close: Disables the WebAuth function on the specified interface.

                    l Global Default: The interface uses the global default WebAuth
                    configuration. For the global default configuration of the WebAuth
                    function, see "Web Authentication" on Page 329.

Proactive WebAuth   Click the Enable button to enable the proactive WebAuth function and
                    specify the AAA server. After enabling it, users can open the Web
                    authentication address to initiate an authentication request, and then
                    enter the correct user name and password in the authentication login
                    page. The Web authentication address consists of the IP address of the
                    interface and the HTTP/HTTPS port number of the authentication server.
                    For example, if the IP address of the interface is 192.168.3.1 and the
                    authentication server's HTTP/HTTPS port numbers are configured as
                    8182/44434, the Web address is http://192.168.3.1:8182 when the
                    authentication server is configured for HTTP mode, and
                    https://192.168.3.1:44434 when it is configured for HTTPS mode.

Expand Interface Properties, and configure properties for the interface.

Option          Description

Parameters

ARP Learning    Click the Enable button to enable ARP learning.

ARP Timeout     Specifies an ARP timeout for the interface. The value range is 5 to 65535
                seconds. The default value is 1200.

Keep-alive IP   Specifies an IP address that receives the interface's keep-alive packets.

MAC clone       The system clones a MAC address onto the Ethernet sub-interface. If you
                click "Restore Default MAC", the Ethernet sub-interface restores its default
                MAC address.

Mirror          Enables port mirroring on an Ethernet interface; select the traffic type to
                be mirrored.

Bandwidth

Up Bandwidth    Specifies the maximum upstream bandwidth of the interface.

Down Bandwidth  Specifies the maximum downstream bandwidth of the interface.

Expand Advanced Configuration, configure advanced options for the interface.

Option Description

NetFlow Configuration: Select a configured NetFlow profile from the drop-down list.

Reverse Route: Enable or disable the reverse route as needed:
- Enable: Forces the use of a reverse route. If no reverse route is available, the reverse packets are dropped. This option is enabled by default.
- Close: The reverse route is not used. Reverse traffic is returned along its original path without any reverse-route lookup, that is, reverse packets are sent out of the interface on which the original packets arrived.
- Auto: The reverse route is preferred. If one is available it is used to send the reverse packets; otherwise the ingress interface of the original packets is used as the egress interface for the reverse packets.

Shutdown: The system supports interface shutdown. You can force a specific interface down, or control when it is shut down by a schedule or by the link status of a tracked object. Configure the options as below:
1. Select the Shut down check box to enable interface shutdown.
2. To control the shutdown by schedule or by tracked object, select the corresponding check box, then select a schedule or tracked object from the drop-down list, or click the add button to create a new schedule or track object.

Monitor and Backup: Configure the options as below:
1. Select the appropriate check box, then select a schedule or tracked object from the drop-down list, or click the add button to create a new schedule or track object.
2. Select an action:
- Shut down the interface: During the time specified in the schedule, or when the tracked object fails, the interface is shut down and the routes through it become invalid.
- Migrate traffic to backup interface: During the time specified in the schedule, or when the tracked object fails, traffic flowing through the interface is migrated to the backup interface. Select the backup interface from the Backup interface drop-down list and enter the migrating time (0 to 60 minutes) in the Migrating time box. The migrating time is the period during which traffic is moved smoothly from the primary interface to the backup interface before the switchover completes. By default it is 0, that is, all traffic is migrated to the backup interface immediately.
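
The three reverse-route modes decide where a session's reply packets leave the device. The following Python script, an added example that is not StoneOS code, models that decision with a constructed routing table and sessions that entered the device on ethernet0/0: with Enable, a source that has no reverse route gets its replies dropped; with Close, the table is never consulted and replies always go back out of the ingress interface; with Auto, the table wins whenever it has an entry. The interface names, the table contents and the session sources are assumptions made for the example.

```python
"""Reverse-route egress selection: Enable / Close / Auto as described for
the Reverse Route option.  Added example, not StoneOS code.  The routing
table, interface names and session sources below are constructed."""
import ipaddress
from typing import List, Optional, Tuple

# (prefix, egress interface); deliberately no default route, so that a
# source outside these prefixes has no reverse route at all.
ROUTES: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("10.1.0.0/16"), "ethernet0/1"),
    (ipaddress.ip_network("192.168.0.0/16"), "ethernet0/2"),
]


def reverse_route(dst: str, routes=ROUTES) -> Optional[str]:
    """Longest-prefix match of the reply destination (the original source).
    Returns the egress interface, or None when no route exists."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, egress in routes:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, egress)
    return best[1] if best else None


def reverse_egress(mode: str, ingress: str, orig_src: str, routes=ROUTES) -> Optional[str]:
    """Interface used to send the session's reply packets, or None if the
    replies are dropped.  `ingress` is the interface the first packet of
    the session arrived on; `orig_src` is that packet's source address."""
    via_route = reverse_route(orig_src, routes)
    if mode == "enable":          # force the reverse route; no route -> drop
        return via_route
    if mode == "close":           # never look up; reply out of the ingress
        return ingress
    if mode == "auto":            # prefer the route, fall back to ingress
        return via_route if via_route is not None else ingress
    raise ValueError(f"unknown reverse-route mode: {mode}")


if __name__ == "__main__":
    # Two sessions that both arrived on ethernet0/0: one from an address the
    # table knows (asymmetric path), one from an address it does not.
    for src in ("10.1.2.3", "203.0.113.5"):
        for mode in ("enable", "close", "auto"):
            print(f"{src:>12} {mode:<6} -> {reverse_egress(mode, 'ethernet0/0', src)}")
```

The Close case is the one to watch: replies leave by the ingress interface even when the table says the source lives elsewhere, so a session sourced from an unexpected side of the device is answered on that side. Enable, conversely, silently drops replies to sources that have no route, which is what you will see when a newly connected segment has no route back.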

Select Network > Routing > RIP, click Interface Configuration to open the <Interface>
page and configure RIP for the selected interface.

Option Description

Authentication mode: Specifies the RIP packet authentication mode for the interface: plain text (the default) or MD5. With plain-text authentication the authentication string is transmitted unencrypted together with the RIP packet, so it provides no real security and must not be relied on in scenarios that require high security.

Authentication string: Specifies the RIP authentication string for the interface.

Transmit version: Specifies the RIP version of the updates transmitted by the interface. By default both RIPv1 and RIPv2 updates are transmitted.

Receive version: Specifies the RIP version of the updates accepted by the interface. By default both RIPv1 and RIPv2 updates are accepted.

Split horizon: Select the Enable check box to enable split horizon. With split horizon enabled, routes learned from an interface are not advertised back out of the same interface, which helps avoid routing loops.

Passive mode: An interface that receives routing updates but does not send them is a passive interface. Click the button to make the interface passive.
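
To make the difference between the two authentication modes concrete, the following Python script, an added example rather than StoneOS code, builds the same RIPv2 response twice: once with the plain-text authentication entry of RFC 2453 section 4.1, in which the authentication string is simply copied into the packet, and once with the keyed-MD5 authentication of RFC 2082, in which only a digest computed over the packet and the key is sent. The route entry, key, key ID and sequence number are constructed for the example.

```python
"""RIPv2 authentication on the wire: plain text (RFC 2453 4.1) beside
keyed MD5 (RFC 2082).  Added example, not StoneOS code; the route, key and
sequence number are constructed."""
import hashlib
import hmac
import struct

RIP_RESPONSE = 2
RIP_V2 = 2
AUTH_PLAIN = 2      # authentication type: simple password
AUTH_MD5 = 3        # authentication type: keyed MD5


def ipv4(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def route_entry(prefix: str, mask: str, next_hop: str, metric: int) -> bytes:
    """One 20-byte RIPv2 route entry: AFI 2, route tag 0."""
    return struct.pack("!HH", 2, 0) + ipv4(prefix) + ipv4(mask) + ipv4(next_hop) + struct.pack("!I", metric)


def rip_plaintext(routes, password: bytes) -> bytes:
    """Plain-text mode: the password itself travels in the first entry."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    auth = struct.pack("!HH", 0xFFFF, AUTH_PLAIN) + password.ljust(16, b"\0")
    return header + auth + b"".join(routes)


def rip_md5(routes, key: bytes, key_id: int = 1, seq: int = 1) -> bytes:
    """MD5 mode: an authentication header, the routes, then a trailer whose
    digest is MD5(packet || key padded to 16 bytes).  The key never leaves
    the router."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    body = b"".join(routes)
    pkt_len = 4 + 20 + len(body)                # offset of the trailer
    auth = struct.pack("!HHHBBI8s", 0xFFFF, AUTH_MD5, pkt_len, key_id, 16, seq, b"\0" * 8)
    trailer_head = struct.pack("!HH", 0xFFFF, 0x0001)
    signed = header + auth + body + trailer_head
    digest = hashlib.md5(signed + key.ljust(16, b"\0")).digest()
    return signed + digest


def verify_md5(packet: bytes, key: bytes) -> bool:
    """Recompute the trailer digest; any change to the routes breaks it."""
    if len(packet) < 44 or packet[4:8] != struct.pack("!HH", 0xFFFF, AUTH_MD5):
        return False
    signed, digest = packet[:-16], packet[-16:]
    expected = hashlib.md5(signed + key.ljust(16, b"\0")).digest()
    return hmac.compare_digest(expected, digest)


# Constructed sample: one route, one shared key.
SAMPLE_ROUTES = [route_entry("10.1.0.0", "255.255.0.0", "0.0.0.0", 1)]
SAMPLE_KEY = b"secret"


def tamper_metric(packet: bytes) -> bytes:
    """Flip bits in the metric of the first route (entry at offset 24, metric in its last 4 bytes)."""
    out = bytearray(packet)
    out[24 + 19] ^= 0x0F
    return bytes(out)


if __name__ == "__main__":
    plain = rip_plaintext(SAMPLE_ROUTES, SAMPLE_KEY)
    signed = rip_md5(SAMPLE_ROUTES, SAMPLE_KEY)
    print("key visible in plain-text packet:", SAMPLE_KEY in plain)
    print("key visible in MD5 packet:       ", SAMPLE_KEY in signed)
    print("MD5 packet verifies:", verify_md5(signed, SAMPLE_KEY))
    print("tampered verifies:  ", verify_md5(tamper_metric(signed), SAMPLE_KEY))
```

MD5 mode proves that the update came from a holder of the shared key and was not altered in transit; it does not hide the routes. Plain-text mode gives neither property: anyone on the segment can read the string from a single packet and reuse it, which is why the page warns against it where security matters.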

Select Network > Routing > OSPF, click Interface Configuration to open the <Interface>
page and configure OSPF for the selected interface.

Option Description

Interface Timer: There are four interface timers: the interval for sending Hello packets, the dead interval for adjacent routers, the LSA retransmit interval, and the transmit delay for link-state update packets.
- Hello Transmission Interval: Specifies the interval at which the interface sends Hello packets. The value range is 1 to 65535 seconds. The default value is 10.
- Dead Time: Specifies the dead interval for adjacent routers on the interface. The value range is 1 to 65535 seconds. The default value is 40 (four times the Hello interval). If a router has not received a Hello packet from its neighbor within this period, it declares the neighbor dead.
- LSA Transmit Interval: Specifies the LSA retransmit interval for the interface. The value range is 3 to 65535 seconds. The default value is 5.
- LSU Transmit Delay Time: Specifies the transmit delay for link-state update packets on the interface. The value range is 1 to 65535 seconds. The default value is 1.

Priority: Specifies the router priority. The value range is 0 to 255. The default value is 1. A router with priority 0 is never elected as the designated router (the designated router receives the link information of all other routers on the network and floods that information back to them). If two routers on a network are both eligible, the one with the higher priority is elected; if the priorities are equal, the one with the higher Router ID is elected.

Network Type: Specifies the network type of the interface: broadcast, point-to-point, or point-to-multipoint. By default the network type is broadcast.

Link Cost: Click the Enable button to enable a manually configured link cost. The value range is 1 to 65535. By default HA synchronization is enabled and the link cost is synchronized to the backup device; clear the check box to stop synchronizing it.

Select Network > Routing > OSPFv3, click Interface Configuration to open the <Interface> page and configure OSPFv3 for the selected interface.

Option Description

Area ID: Specifies the area to which the interface belongs. The area ID is a 32-bit value, written either as a number or in IP address notation.

Instance ID: Specifies the OSPFv3 instance to which the interface belongs. The value range is 0 to 255. The default value is 0.

Interface Timer: There are four interface timers: the interval for sending Hello packets, the dead interval for adjacent routers, the LSA retransmit interval, and the transmit delay for link-state update packets.
- Hello Transmission Interval: Specifies the interval at which the interface sends Hello packets. The value range is 1 to 65535 seconds. The default value is 10.
- Dead Time: Specifies the dead interval for adjacent routers on the interface. The value range is 1 to 65535 seconds. The default value is 40 (four times the Hello interval). If a router has not received a Hello packet from its neighbor within this period, it declares the neighbor dead.
- LSA Transmit Interval: Specifies the LSA retransmit interval for the interface. The value range is 3 to 65535 seconds. The default value is 5.
- LSU Transmit Delay Time: Specifies the transmit delay for link-state update packets on the interface. The value range is 1 to 65535 seconds. The default value is 1.

Priority: Specifies the router priority. The value range is 0 to 255. The default value is 1. A router with priority 0 is never elected as the designated router (the designated router receives the link information of all other routers on the network and floods that information back to them). If two routers on a network are both eligible, the one with the higher priority is elected; if the priorities are equal, the one with the higher Router ID is elected.

Link Cost: Specifies the link cost. The value range is 1 to 65535.

Passive: An interface can be configured to receive routing updates but not send them; such an interface is a passive interface. Click Enable to make the interface passive.

MTU-Ignore: OSPFv3 uses DBD (Database Description) packets to check whether the interface MTUs of two neighbors match. If the MTUs of adjacent OSPFv3 router interfaces differ, the routers cannot form an adjacency. Normally you fix this by changing the interface MTU, but the MTU cannot be modified on some interfaces; in that case, click the Enable button to make OSPFv3 ignore the MTU check.
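
The Priority rows of both the OSPF and the OSPFv3 tables state the same election rule: priority 0 is ineligible, the higher priority wins, and a tie goes to the higher Router ID. The following Python script, an added example that is not StoneOS code, applies that rule to a constructed set of routers on one segment and also derives the Dead Time default from the Hello interval. It deliberately models only the simple rule as the page states it; the stickiness of an existing designated router that RFC 2328 section 9.4 adds is left out, and the router IDs and priorities are assumptions.

```python
"""Designated-router election by the rule stated in the Priority rows of
the OSPF and OSPFv3 interface tables: priority 0 is ineligible, the higher
priority wins, ties go to the higher Router ID.  Added example, not
StoneOS code.  The incumbent-DR stickiness of RFC 2328 section 9.4 is not
modelled; the router lists are constructed."""
import ipaddress
from typing import Iterable, Optional, Tuple

Router = Tuple[str, int]   # (Router ID in dotted-quad form, priority 0..255)


def router_id_value(rid: str) -> int:
    """Router IDs compare as 32-bit unsigned integers, not as strings:
    "10.0.0.2" is higher than "9.9.9.9"."""
    return int(ipaddress.IPv4Address(rid))


def eligible(routers: Iterable[Router]):
    for rid, prio in routers:
        if not 0 <= prio <= 255:
            raise ValueError(f"priority {prio} for {rid} is outside 0..255")
        if prio > 0:                       # priority 0 never becomes DR or BDR
            yield rid, prio


def elect_dr_bdr(routers: Iterable[Router]) -> Tuple[Optional[str], Optional[str]]:
    """Return (DR, BDR): the two best eligible routers by (priority, Router ID)."""
    ranked = sorted(eligible(routers), key=lambda r: (r[1], router_id_value(r[0])), reverse=True)
    dr = ranked[0][0] if ranked else None
    bdr = ranked[1][0] if len(ranked) > 1 else None
    return dr, bdr


def elect_dr(routers: Iterable[Router]) -> Optional[str]:
    return elect_dr_bdr(routers)[0]


def default_dead_interval(hello: int) -> int:
    """The Dead Time default is four Hello intervals (10 s -> 40 s)."""
    if not 1 <= hello <= 65535:
        raise ValueError("hello interval must be 1..65535 seconds")
    return 4 * hello


SAMPLE_SEGMENT = [("1.1.1.1", 1), ("9.9.9.9", 1), ("10.0.0.2", 1), ("172.16.0.1", 0), ("2.2.2.2", 100)]

if __name__ == "__main__":
    print("DR, BDR:", elect_dr_bdr(SAMPLE_SEGMENT))
    print("all priority 0:", elect_dr_bdr([("10.0.0.1", 0), ("10.0.0.2", 0)]))
    print("dead interval for hello=10:", default_dead_interval(10))
```

Two practical consequences follow from the rule: the Router ID comparison is numeric, so a router whose ID sorts highest as text ("9.9.9.9") loses to "10.0.0.2"; and any device on the segment that advertises priority 255 with a high Router ID becomes the designated router and receives every other router's link information, which is why priority 0 on interfaces facing segments you do not control, together with OSPF authentication, is the usual countermeasure.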

107 Chapter 5
Network
3. Click OK.

Creating a Tunnel Interface

To create a tunnel interface:

1. Select Network > Interface.

2. Select New > Tunnel Interface.

In this page, configure the following.

Option Description

Interface Name: Specifies a name for the tunnel interface.

Description: Enter a description for the tunnel interface.

Binding Zone: If No Binding is selected, the interface is not bound to any zone.

Zone: Select a security zone from the Zone drop-down list.

HA sync: Click this button to enable HA Sync. With HA Sync enabled, the Local property is disabled, the interface uses the virtual MAC, and the primary device synchronizes the interface's information to the backup device. With HA Sync disabled, the Local property is enabled, the interface uses its original MAC, and the primary device does not synchronize the interface's information to the backup device.

NetFlow configuration: Select a configured NetFlow profile from the drop-down list.

IP Configuration

Static IP: Configure the following:
- IP address: Specifies an IP address for the interface.
- Netmask: Specifies a netmask for the interface.
- Set as Local IP: In an HA environment, if this option is selected, the interface IP is not synchronized to the HA peer.
- Advanced:
  - Management IP: Specifies a management IP for the interface. Type the IP address into the box.
  - Secondary IP: Specifies secondary IPs for the interface. You can specify up to 10 secondary IP addresses.
  Notes: A secondary IP address and the interface's current IP address must be in different network segments.
- DHCP: In the DHCP Configuration page, configure DHCP options for the interface. For detailed instructions, see "DHCP" on Page 202.
- DDNS: In the DDNS Configuration page, configure DDNS options for the interface. For detailed instructions, see "DDNS" on Page 217. Tip: This function is available only when you edit the interface.

Auto-obtain: Set gateway information from DHCP server as the default gateway route: with this check box selected, the system installs the gateway supplied by the DHCP server as the default route.
- Advanced:
  - Distance: Specifies the route distance. The value range is 1 to 255. The default value is 1.
  - Weight: Specifies the route weight. The value range is 1 to 255. The default value is 1.
  - Management Priority: Specifies a priority for the DNS server learned on this interface. Besides static DNS servers, the system can learn DNS servers dynamically via DHCP or PPPoE, so each DNS server is given a priority and the system chooses a server by priority during DNS resolution. The priority is a number from 1 to 255; the larger the number, the higher the priority. Static DNS servers have priority 20.
  - Classless Static Routes: Enables classless static routes via DHCP options. When enabled, the DHCP client includes Option 121 (the classless static route option) in its request, the server returns the classless static route information, and the client adds those routes to its routing table.
- DDNS: In the DDNS Configuration page, configure DDNS options for the interface. For detailed instructions, see "DDNS" on Page 217. Tip: This function is available only when you edit the interface.

Management: Select one or more management method check boxes to choose how the interface may be managed: Telnet, SSH, Ping, HTTP, HTTPS, SNMP, NETCONF and TRACEROUTE. Telnet and HTTP carry credentials in the clear; prefer SSH and HTTPS, and avoid enabling management methods on interfaces that face untrusted networks.

Tunnel Binding: Binds the interface to an IPSec VPN tunnel or an SSL VPN tunnel. One tunnel interface can be bound to multiple IPSec VPN tunnels but to only one SSL VPN tunnel.
- IPSec VPN: Select the IPSec VPN radio button and specify the name of the IPSec VPN tunnel to bind to the interface. Then select a next-hop address for the tunnel, which can be either the IP address or the egress IP address of the peer tunnel interface. This parameter, 0.0.0.0 by default, takes effect only when multiple IPSec VPN tunnels are bound to the tunnel interface.
- SSL VPN: Select the SSL VPN radio button and specify the name of the SSL VPN tunnel to bind to the interface.

TAP Configuration:
- Control Interface: A bypass control interface is used to send control packets (TCP RST packets are supported in the current version). After IPS, AV or network behavior control is configured on the Hillstone device, when the device detects an intrusion, a virus or prohibited network behavior, it sends a TCP RST packet from the control interface (for example, e2) to the switch to reset the connection. By default the bypass control interface is the bypass interface itself. For tunnel interfaces, if the interface itself is used as the control interface, control packets sent by the tunnel interface may not be processed correctly, so it is recommended to configure another interface as the control interface for a bypass tunnel interface. Make sure the control interface can deliver packets to the switch.
- LAN Address: Specifies the LAN address range. Packets whose source IP is in the specified range are counted.

Firewall Linkage Configuration: Specify the linkage firewall's information (IP address, SSH port, login name and password) to combine the current device with a Hillstone firewall. If the device detects attack traffic, it sends the IP of the attack source to the linkage firewall as a blacklist entry, and the linkage firewall blocks traffic from that source IP.

Up Bandwidth: Specifies the maximum upstream bandwidth of the interface.

Down Bandwidth: Specifies the maximum downstream bandwidth of the interface.

3. Expand Interface Properties, configure properties for the interface.

Option Description

Parameters

MTU: Specifies the MTU for the interface. The default value is 1500 bytes. The minimum is 1280 bytes; the maximum (1500, 1800 or 2000 bytes) depends on the platform.

ARP Learning: Click the Enable button to enable ARP learning on the interface.

ARP Timeout: Specifies the ARP timeout for the interface. The value range is 5 to 65535 seconds. The default value is 1200.

Keep-alive IP: Specifies an IP address that receives the interface's keep-alive packets.

MAC clone: The system clones a MAC address onto the Ethernet sub-interface. Click Restore Default MAC to restore the sub-interface's default MAC address.

Mirror: Enables port mirroring on the Ethernet interface; select the traffic type to be mirrored.

Bandwidth

Up Bandwidth: Specifies the maximum upstream bandwidth of the interface.

Down Bandwidth: Specifies the maximum downstream bandwidth of the interface.

4. Expand IPv6 Configuration, configure the following.

Option Description

Enable: Enables IPv6 on the interface.

IPv6 Address: Specifies the IPv6 address prefix.

Prefix Length: Specifies the prefix length.

Autoconfig: Select the check box to enable stateless address auto-configuration. In auto-config mode, the interface first receives the address prefix from RA packets and then combines it with its interface identifier to generate a global address.
- Set Default Route: If the interface learns a default router, this option generates a default route to that router.

Enable DNS Proxy: Select this check box to enable DNS proxy for the interface.

DHCP: The system supports DHCPv6 client, DHCPv6 server and DHCPv6 relay proxy.
- Select the DHCP check box to enable the DHCPv6 client on the interface. The system then acts as a DHCPv6 client and obtains IPv6 addresses from the DHCPv6 server. Selecting the Rapid-commit option speeds up address acquisition; Rapid-commit must be enabled on both the DHCPv6 client and the server.
- Select DHCPv6 Server from the DHCP drop-down list and configure the options as described in Configuring DHCPv6 Server; the system then acts as a DHCPv6 server and assigns IPv6 addresses to DHCPv6 clients.
- Select DHCPv6 Relay Proxy from the DHCP drop-down list and configure the options as described in Configuring DHCPv6 Relay Proxy; the system then acts as a DHCPv6 relay proxy, receiving requests from DHCPv6 clients and forwarding them to the DHCPv6 server.

IPv6 Advanced

Enable DNS Proxy: Select this check box to enable DNS proxy for the interface.

Static: Click the Add button to add static IPv6 addresses (at most 5). Click the Delete button to delete an IPv6 address.

Dynamic: Shows the dynamically obtained IPv6 addresses.

Link-local: Specifies the link-local address. A link-local address is used for communication between adjacent nodes on a single link, for example between hosts when there is no router on the link. By default the system generates a link-local address for the interface automatically once IPv6 is enabled on it (in interface configuration mode, the command ipv6 enable). You can also specify a link-local address as needed; the specified address replaces the automatically generated one.

MTU: Specifies the IPv6 MTU for the interface. The default MTU value is 1500 bytes. The range is 1280 bytes to 1800/2000 bytes (different devices support different maximum MTU values).

DAD Attempts: Specifies the number of NS packets sent. The value range is 0 to 20. The value 0 disables DAD on the interface. If the system receives no NA response after sending NS packets the specified number of times, it treats the IPv6 address as unique and usable. DAD (Duplicate Address Detection) verifies the uniqueness of IPv6 addresses and is implemented by sending NS (Neighbor Solicitation) requests. If another host on the link finds, on receiving the NS packet, that the requested address is its own, it sends an NA (Neighbor Advertisement) packet announcing that the address is already in use, and the requester then marks the address as duplicate, that is, as an invalid IPv6 address.

ND Interval: Specifies the interval between NS packets.

ND Reachable Time: Specifies the reachable time. After sending an NS packet, if the interface receives an acknowledgment from the neighbor within this time, it considers the neighbor reachable.

Hop Limit: Specifies the hop limit, that is, the maximum number of hops for IPv6 packets and RA packets sent by the interface.

ND RA Suppress: Select the check box to disable RA suppression on LAN interfaces. By default, an FDDI interface configured with an IPv6 unicast route sends RA packets automatically, and interfaces of other types do not send RA packets.

Manage IP/MASK: Specifies the management IP address and mask.

5. "Configuring an Interface" on Page 92

6. "Select Network > Routing > RIP, click Interface Configuration to open the <Interface>
page and configure RIP for the selected interface." on Page 102

7. "OSPF" on Page 303

8. "Configuring OSPFv3" on Page 310

9. Click OK.
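
The IPv6 table above describes three things the interface does on its own: it generates a link-local address once IPv6 is enabled, in auto-config mode it combines an RA prefix with its interface identifier to form a global address, and it runs DAD a configurable number of times before trusting an address. The following Python script, an added example that is not StoneOS code, walks through all three on constructed input. The interface identifier is built as the modified EUI-64 of RFC 4291 appendix A; the MAC address, the Router Advertisement option block (a Prefix Information option per RFC 4861 section 4.6.2) and the prefixes are assumptions, and the DAD helper only models the outcome rule, not the packet exchange.

```python
"""IPv6 address formation on an interface: the automatically generated
link-local address, the SLAAC global address built from an RA prefix plus
the interface identifier, and the DAD outcome rule.  Added example, not
StoneOS code; the MAC address, RA options and prefixes are constructed.
The interface identifier is the modified EUI-64 of RFC 4291 appendix A
(random or privacy identifiers are not modelled)."""
import ipaddress
from typing import List, Tuple

ND_OPT_PREFIX_INFO = 3          # RFC 4861 4.6.2
PIO_FLAG_AUTONOMOUS = 0x40      # the "A" bit: prefix may be used for SLAAC


def modified_eui64(mac: str) -> bytes:
    """48-bit MAC -> 64-bit interface identifier: insert ff:fe in the middle
    and flip the universal/local bit of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def link_local(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 plus the interface identifier."""
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\0" * 6 + modified_eui64(mac))


def ra_prefixes(options: bytes) -> List[Tuple[ipaddress.IPv6Network, bool]]:
    """Walk the option block of a Router Advertisement and return
    (prefix, autonomous_flag) for every Prefix Information option."""
    found, i = [], 0
    while i + 2 <= len(options):
        typ, length = options[i], options[i + 1]
        if length == 0:
            raise ValueError("zero-length ND option")
        chunk = options[i:i + length * 8]
        if len(chunk) < length * 8:
            raise ValueError("truncated ND option")
        if typ == ND_OPT_PREFIX_INFO and length == 4:
            plen, flags = chunk[2], chunk[3]
            prefix = ipaddress.IPv6Address(chunk[16:32])
            found.append((ipaddress.IPv6Network((prefix, plen), strict=False),
                          bool(flags & PIO_FLAG_AUTONOMOUS)))
        i += length * 8
    return found


def slaac_addresses(options: bytes, mac: str) -> List[ipaddress.IPv6Address]:
    """Global addresses the interface would form: /64 prefixes carrying the
    A flag, combined with the interface identifier."""
    iid = modified_eui64(mac)
    return [ipaddress.IPv6Address(net.network_address.packed[:8] + iid)
            for net, autonomous in ra_prefixes(options)
            if autonomous and net.prefixlen == 64]


def dad_result(attempts: int, na_received: bool) -> str:
    """DAD Attempts 0 disables the check; otherwise an NA for the tentative
    address marks it duplicate, silence after `attempts` NS packets accepts it."""
    if not 0 <= attempts <= 20:
        raise ValueError("DAD attempts must be 0..20")
    if attempts == 0:
        return "assigned-untested"
    return "duplicate" if na_received else "assigned"


def pio(prefix: str, flags: int, valid: int = 2592000, preferred: int = 604800) -> bytes:
    """Build one 32-byte Prefix Information option (constructed test input)."""
    net = ipaddress.IPv6Network(prefix)
    return (bytes([ND_OPT_PREFIX_INFO, 4, net.prefixlen, flags])
            + valid.to_bytes(4, "big") + preferred.to_bytes(4, "big") + b"\0" * 4
            + net.network_address.packed)


# Constructed RA option block: one SLAAC prefix, one on-link-only prefix, an MTU option.
SAMPLE_MAC = "00:1a:2b:3c:4d:5e"
SAMPLE_RA_OPTIONS = (pio("2001:db8:1::/64", 0xC0)        # L + A
                     + pio("2001:db8:2::/64", 0x80)      # L only: never used for SLAAC
                     + bytes([5, 1, 0, 0]) + (1500).to_bytes(4, "big"))  # MTU option

if __name__ == "__main__":
    print("link-local:", link_local(SAMPLE_MAC))
    print("global    :", [str(a) for a in slaac_addresses(SAMPLE_RA_OPTIONS, SAMPLE_MAC)])
    print("DAD, 3 attempts, NA seen:", dad_result(3, True))
```

Because the identifier is derived from the MAC, the same host is recognisable across every prefix it is given; an RA from an unexpected router on the LAN is also enough to give the interface a new global address and, with Set Default Route, a new default route, which is the reason the page's ND RA Suppress setting and any RA filtering on the switch matter.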

Creating a Virtual Forward Interface

This feature may not be available on all platforms; check the actual page on your device to see whether it is supported.
To create a virtual forward interface, take the following steps:

1. Select Network > Interface.

2. Select New > Virtual Forward Interface.

In this page, configure the following.

Option Description

Interface Name: Specifies a name for the virtual forward interface.

Description: Enter a description for the virtual forward interface.

Binding Zone: If No Binding is selected, the interface is not bound to any zone.

Zone: Select a security zone from the Zone drop-down list.

IP Configuration

Static IP: Configure the following:
- IP address: Specifies an IP address for the interface.
- Netmask: Specifies a netmask for the interface.
- Set as Local IP: In an HA environment, if this option is selected, the interface IP is not synchronized to the HA peer.
- Advanced:
  - Management IP: Specifies a management IP for the interface. Type the IP address into the box.
  - Secondary IP: Specifies secondary IPs for the interface. You can specify up to 10 secondary IP addresses.
  Notes: A secondary IP address and the interface's current IP address must be in different network segments.
- DHCP: In the DHCP Configuration page, configure DHCP options for the interface. For detailed instructions, see "DHCP" on Page 202.
- DDNS: In the DDNS Configuration page, configure DDNS options for the interface. For detailed instructions, see "DDNS" on Page 217. Tip: This function is available only when you edit the interface.

Auto-obtain: Set gateway information from DHCP server as the default gateway route: with this check box selected, the system installs the gateway supplied by the DHCP server as the default route.
- Advanced:
  - Distance: Specifies the route distance. The value range is 1 to 255. The default value is 1.
  - Weight: Specifies the route weight. The value range is 1 to 255. The default value is 1.
  - Management Priority: Specifies a priority for the DNS server learned on this interface. Besides static DNS servers, the system can learn DNS servers dynamically via DHCP or PPPoE, so each DNS server is given a priority and the system chooses a server by priority during DNS resolution. The priority is a number from 1 to 255; the larger the number, the higher the priority. Static DNS servers have priority 20.
  - Classless Static Routes: Enables classless static routes via DHCP options. When enabled, the DHCP client includes Option 121 (the classless static route option) in its request, the server returns the classless static route information, and the client adds those routes to its routing table.
- DDNS: In the DDNS Configuration page, configure DDNS options for the interface. For detailed instructions, see "DDNS" on Page 217. Tip: This function is available only when you edit the interface.

Management: Select one or more management method check boxes to choose how the interface may be managed: Telnet, SSH, Ping, HTTP, HTTPS, SNMP, NETCONF and TRACEROUTE.

WebAuth

Auth Service: Click the Enable, Close or Global Default radio button as needed.
- Enable: Enables WebAuth on the interface.
- Close: Disables WebAuth on the interface.
- Global Default: The interface uses the global default WebAuth configuration. For the global default configuration, see "Web Authentication" on Page 329.

Proactive WebAuth: Click the Enable button to enable proactive WebAuth and specify the AAA server. Once enabled, users can open the web authentication address to initiate an authentication request and then enter their user name and password on the login page. The web authentication address consists of the interface IP address and the HTTP or HTTPS port of the authentication server. For example, if the interface IP address is 192.168.3.1 and the authentication server's HTTP and HTTPS ports are 8182 and 44434 respectively, the address is http://192.168.3.1:8182 when the server is configured for HTTP authentication and https://192.168.3.1:44434 when it is configured for HTTPS.

3. "Expand IPv6 Configuration, configure the following." on Page 116

4. "Expand Interface Properties, configure properties for the interface." on Page 115

5. "Configuring an Interface" on Page 92

6. "Select Network > Routing > RIP, click Interface Configuration to open the <Interface>
page and configure RIP for the selected interface." on Page 102

7. "OSPF" on Page 303

8. "Configuring OSPFv3" on Page 310

9. Click OK.
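
The Classless Static Routes option described in the Auto-obtain rows of the tunnel, virtual forward and aggregate interface tables leaves the decoding to the DHCP client. The following Python script, an added example that is not StoneOS code, decodes a constructed Option 121 payload into the routes the client would install, encodes routes back into the RFC 3442 format, and flags two things a cautious client should not install blindly: a default route delivered through this option (which, per RFC 3442, makes the client ignore the Router option) and a next hop that is not on the client's own subnet. The option bytes, the gateway and the client subnet are assumptions made for the example.

```python
"""DHCP Option 121 (classless static routes, RFC 3442): what a client adds to
its routing table when the option is enabled, decoded from the raw option
bytes, plus a sanity check on what arrived.  Added example, not StoneOS code;
the option bytes and the client's subnet are constructed."""
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def parse_option_121(data: bytes) -> List[Route]:
    """Each route is: 1 byte prefix width, ceil(width/8) significant
    destination octets, 4 router octets.  Rejects malformed encodings."""
    routes, i = [], 0
    while i < len(data):
        width = data[i]
        i += 1
        if width > 32:
            raise ValueError(f"prefix width {width} > 32")
        n = (width + 7) // 8
        if i + n + 4 > len(data):
            raise ValueError("truncated classless static route")
        dest = data[i:i + n] + b"\0" * (4 - n)
        router = data[i + n:i + n + 4]
        i += n + 4
        # strict=True: host bits set inside the significant octets are an error
        routes.append((ipaddress.IPv4Network((dest, width)), ipaddress.IPv4Address(router)))
    return routes


def encode_option_121(routes: List[Route]) -> bytes:
    """Inverse of parse_option_121, for building test input or a server reply."""
    out = bytearray()
    for net, router in routes:
        n = (net.prefixlen + 7) // 8
        out += bytes([net.prefixlen]) + net.network_address.packed[:n] + router.packed
    return bytes(out)


def suspicious_routes(routes: List[Route], client_subnet: ipaddress.IPv4Network) -> List[str]:
    """Flag what a hardened client should not install blindly: a default route
    pushed via Option 121 (RFC 3442 makes the client ignore the Router option
    when this option is present) and next hops not on the client's own subnet."""
    findings = []
    for net, router in routes:
        if net.prefixlen == 0:
            findings.append(f"default route via {router} pushed through Option 121")
        if router not in client_subnet:
            findings.append(f"next hop {router} for {net} is not on {client_subnet}")
    return findings


# Constructed option: three ordinary routes and a default route via the LAN
# gateway, plus one route whose next hop is off-link.
GW = ipaddress.IPv4Address("192.168.1.1")
SAMPLE_ROUTES: List[Route] = [
    (ipaddress.IPv4Network("10.0.0.0/8"), GW),
    (ipaddress.IPv4Network("172.16.0.0/12"), GW),
    (ipaddress.IPv4Network("192.168.1.0/24"), GW),
    (ipaddress.IPv4Network("0.0.0.0/0"), GW),
    (ipaddress.IPv4Network("198.51.100.0/24"), ipaddress.IPv4Address("203.0.113.9")),
]
SAMPLE_OPTION_121 = encode_option_121(SAMPLE_ROUTES)
CLIENT_SUBNET = ipaddress.IPv4Network("192.168.1.0/24")

if __name__ == "__main__":
    parsed = parse_option_121(SAMPLE_OPTION_121)
    for net, router in parsed:
        print(f"{str(net):<18} via {router}")
    for finding in suspicious_routes(parsed, CLIENT_SUBNET):
        print("WARN:", finding)
```

The parser is strict on purpose: a width above 32, a destination whose significant octets carry host bits, or a payload cut short all raise instead of silently installing a partial table, since whatever this option carries goes straight into the interface's routing table and steers traffic for the matching prefixes.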

Creating a Loopback Interface

To create a loopback interface, take the following steps:

1. Select Network > Interface.

2. Click New > Loopback Interface.

In this page, configure the following.

Option Description

Interface Name: Specifies a name for the loopback interface.

Description: Enter a description for the loopback interface.

Binding Zone: If No Binding is selected, the interface is not bound to any zone.

Zone: Select a security zone from the Zone drop-down list.

HA sync: Click this button to enable HA Sync. With HA Sync enabled, the Local property is disabled, the interface uses the virtual MAC, and the primary device synchronizes the interface's information to the backup device. With HA Sync disabled, the Local property is enabled, the interface uses its original MAC, and the primary device does not synchronize the interface's information to the backup device.

IP Configuration

Static IP: Configure the following:
- IP address: Specifies an IP address for the interface.
- Netmask: Specifies a netmask for the interface.
- Set as Local IP: In an HA environment, if this option is selected, the interface IP is not synchronized to the HA peer.
- Advanced:
  Notes: A secondary IP address and the interface's current IP address must be in different network segments.
- DHCP: In the DHCP Configuration page, configure DHCP options for the interface. For detailed instructions, see "DHCP" on Page 202.
- DDNS: In the DDNS Configuration page, configure DDNS options for the interface. For detailed instructions, see "DDNS" on Page 217. Tip: This function is available only when you edit the interface.

Auto-obtain: Set gateway information from DHCP server as the default gateway route: with this check box selected, the system installs the gateway supplied by the DHCP server as the default route.
- Advanced:
- DDNS: In the DDNS Configuration page, configure DDNS options for the interface. For detailed instructions, see "DDNS" on Page 217. Tip: This function is available only when you edit the interface.

Management: Select one or more management method check boxes to choose how the interface may be managed: Telnet, SSH, Ping, HTTP, HTTPS, SNMP, NETCONF and TRACEROUTE.

3. "Expand IPv6 Configuration, configure the following." on Page 116

4. "Expand Interface Properties, configure properties for the interface." on Page 115

5. "Configuring an Interface" on Page 92

6. "Select Network > Routing > RIP, click Interface Configuration to open the <Interface>
page and configure RIP for the selected interface." on Page 102

7. "OSPF" on Page 303

8. "Configuring OSPFv3" on Page 310

9. Click OK.

Creating an Aggregate Interface

To create an aggregate interface, take the following steps:

1. Select Network > Interface.

2. Click New > Aggregate Interface.

3. In this page, configure the following.

Option Description

Interface Specifies a name for the aggregate interface.


Name

Description Enter descriptions for the aggregate interface.

Binding Specifies the zone type.


Zone If Layer 2 zone is selected, you should also select a secur-
ity zone from the Zone drop-down list, and the interface
will bind to a Layer 2 zone.
If TAP is selected, the interface will bind to a tap zone.
You can specify the IPv4 or IPv6 LAN addresses from
the LAN Address drop-down menu. With this con-
figured, the device can identify the intranet traffic, and
display them in the Monitor.
And you can also specify the firewall information (fire-
wall's Pv4 or IPv6 address, SSH port, login name, and
password) in Firewall Linkage Configuration to make the
current device link with a Hillstone firewall. When the
current device is working in the TAP mode and this inter-
face is the one that receives the mirror traffic, if one or
more of the following configurations are made, the device
will send the matched traffic information to the linkage
firewall which will block the traffic:

l The source zone and destination zone in the secur-


ity policy is the TAP zone with this interface

Chapter 5 136
Network
Option Description

Belong to Description

Aggregate The interface you specified belongs to an


Interface aggregate interface. Choose an aggregate
interface which the aggregate interface
belongs to from the Interface Group drop-
down list.

Redundant This interface belongs to a redundant inter-


Interface face. Select that redundant interface from
the Interface Group drop-down list.

None This interface does not belong to any


object.

Zone Select a security zone from the Zone drop-down list.

Aggregate l Forced: Aggregates multiple physical interfaces to


mode form an aggregate interface. These physical inter-
faces will share the traffic passing through the
aggregate interface equally.

l Enables LACP on the interface to negotiate aggreg-


ate interfaces dynamically. LACP options are:

l System priority: Specifies the LACP system


priority. The value range is 1 to 32768, the
default value is 32768. This parameter is
used to assure the interfaces of two ends are
consistent. System will select interfaces

137 Chapter 5
Network
Option Description

based on the end with higher LACP system


priority. The smaller the value is, the higher
the priority will be. If the LACP system pri-
orities of the two ends are equal, system will
compare MACs of the two ends. The smaller
the MAC is, the higher the priority will be.

l Max bundle: Specifies the maximum active


interfaces. The value range is 1 to 16, the
default value is 16. When the active inter-
faces reach the maximum number, the status
of other legal interfaces will change to
Standby.

l Min bundle: Specifies the minimum active


interfaces. The value range is 1 to 8, the
default value is 1. When the active interfaces
reach the minimum number, the status of all
the legal interfaces in the aggregation group
will change to Standby automatically and will
not forward any traffic.

HA sync Click this button to enable HA sync function. The


primary device will synchronize its information with the
backup device.

IP Configuration

Static IP  IP address: Specifies an IP address for the interface.

Netmask: Specifies a netmask for the interface.

Set as Local IP: In an HA environment, if this option is specified, the interface IP will not synchronize to the HA peer.

Advanced:

Notes: The secondary IP address of the configured interface and the current IP address of the interface must be in different network segments.

DHCP: In the DHCP Configuration page, configure DHCP options for the interface. For detailed instructions, see "DHCP" on Page 202.

DDNS: In the DDNS Configuration page, configure DDNS options for the interface. For detailed instructions, see "DDNS" on Page 217.
Tip: This function is available only when you edit the interface.

Auto-obtain  Set gateway information from DHCP server as the default gateway route: With this check box selected, the system will set the gateway information provided by the DHCP server as the default gateway route.

Advanced:

l Distance: Specifies a route distance. The value range is 1 to 255. The default value is 1.

l Weight: Specifies a route weight. The value range is 1 to 255. The default value is 1.

l Management Priority: Specifies a priority for the DNS server. Besides static DNS servers, the system can also learn DNS servers dynamically via DHCP or PPPoE. Therefore, you need to configure priorities for the DNS servers, so that the system can choose a DNS server according to its priority during DNS resolution. The priority is represented by a number from 1 to 255. The larger the number is, the higher the priority is. The priority of static DNS servers is 20.

l Classless Static Routes: Enables the classless static routing function via DHCP options. When it is enabled, the DHCP client will send a request message with Option 121 (i.e., the classless static route option) to the server, and the server will return the classless static route information. Finally, the client will add the classless static routes to the routing table.

DDNS: In the DDNS Configuration page, configure DDNS options for the interface. For detailed instructions, see "DDNS" on Page 217.
Tip: This function is available only when you edit the interface.

PPPoE  Obtain an IP address through PPPoE. Configure the following options:

l User - Specifies a username for PPPoE.

l Password - Specifies the PPPoE user's password.

l Confirm password - Enter the password again to confirm.

l Idle interval - If the PPPoE interface has been idle (no traffic) for a certain period, i.e., the specified idle interval, the system will disconnect the Internet connection; if the interface requires Internet access, the system will connect to the Internet automatically. The value range is 0 to 10000 minutes. The default value is 30.

l Re-connect interval - Specifies a re-connect interval (i.e., the system will try to re-connect automatically after being disconnected for the interval). The value range is 0 to 10000 seconds. The default value is 0, which means the function is disabled.

l Set gateway information from PPPoE server as the default gateway route - With this check box selected, the system will set the gateway information provided by the PPPoE server as the default gateway route.

Management  Select one or more management method check boxes to configure the interface management methods, including Telnet, SSH, Ping, HTTP, HTTPS, SNMP, NETCONF and TRACEROUTE.

WebAuth

Auth Service  Click the Enable, Close or Global Default radio button as needed.

l Enable: Enables the WebAuth function of the specified interface.

l Close: Disables the WebAuth function of the specified interface.

l Global Default: Specifies that the interface uses the global default configuration of WebAuth. For the global default configuration of the WebAuth function, see "Web Authentication" on Page 329.

Proactive WebAuth  Click the Enable button to enable the proactive WebAuth function and specify the AAA server. After enabling it, you can access the Web authentication address to initiate an authentication request, and then enter the correct user name and password on the authentication login page. The Web authentication address consists of the IP address of the interface and the HTTP/HTTPS port number of the authentication server. For example, if the IP address of the interface is 192.168.3.1 and the HTTP/HTTPS port numbers of the authentication server are configured as 8182/44434 respectively, then when the authentication server is configured for HTTP authentication mode, the Web authentication address is http://192.168.3.1:8182; when the authentication server is configured for HTTPS mode, the Web authentication address is https://192.168.3.1:44434.

4. "Expand IPv6 Configuration, configure the following." on Page 116

5. "Expand Interface Properties, configure properties for the interface." on Page 115

6. "Configuring an Interface" on Page 92

7. "Select Network > Routing > RIP, click Interface Configuration to open the <Interface>
page and configure RIP for the selected interface." on Page 102

8. "OSPF" on Page 303

9. "Configuring OSPFv3" on Page 310

10. Expand Load Balance, configure a load balance mode for the interface. "Flow-based" means enabling automatic load balance based on the flow. This is the default mode. "Tuple" means enabling load balance based on the source/destination IP, source/destination MAC, source/destination interface or protocol type of the packet, or a combination of the selected items.

11. Click OK.
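The Classless Static Routes and Distance/Weight options in the table above describe what the DHCP client does with Option 121 but not what the option looks like on the wire. The following added example, which is not part of this guide or of StoneOS, decodes the Option 121 value format defined in RFC 3442 (a prefix length, only the significant destination octets, then a router address) and builds route entries tagged with Distance and Weight values in the ranges the guide gives. The option bytes, the `Route` type and the function names are constructed for this illustration.

```python
"""Decode DHCP Option 121 (classless static routes, RFC 3442) and turn the
result into route entries carrying the Distance and Weight values described
for the Auto-obtain interface options.

Added example, not StoneOS code; the encoding rules follow RFC 3442 and the
sample option bytes below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    distance: int   # 1..255, default 1 (guide: Advanced > Distance)
    weight: int     # 1..255, default 1 (guide: Advanced > Weight)


def parse_option121(payload: bytes):
    """Return (network, router) pairs from the raw value of Option 121.

    Each entry is: 1 byte prefix length, ceil(prefix/8) destination octets,
    then a 4-byte router address. A /0 entry therefore carries no
    destination octets at all."""
    routes = []
    i = 0
    while i < len(payload):
        prefix_len = payload[i]
        if prefix_len > 32:
            raise ValueError(f"invalid prefix length {prefix_len}")
        n_octets = (prefix_len + 7) // 8
        i += 1
        if i + n_octets + 4 > len(payload):
            raise ValueError("truncated Option 121 route entry")
        dest_bytes = payload[i:i + n_octets] + b"\x00" * (4 - n_octets)
        i += n_octets
        router = ipaddress.IPv4Address(payload[i:i + 4])
        i += 4
        # strict=False masks any host bits the server left set; the network
        # is derived from the prefix length, as the client would do.
        network = ipaddress.IPv4Network(
            (int.from_bytes(dest_bytes, "big"), prefix_len), strict=False)
        routes.append((network, router))
    return routes


def install_routes(payload: bytes, distance: int = 1, weight: int = 1):
    """Build Route entries from Option 121, validating the Advanced ranges."""
    for name, value in (("distance", distance), ("weight", weight)):
        if not 1 <= value <= 255:
            raise ValueError(f"{name} must be 1..255, got {value}")
    table = [Route(net, gw, distance, weight)
             for net, gw in parse_option121(payload)]
    # Longest prefix first, the order a forwarding lookup prefers.
    table.sort(key=lambda r: r.destination.prefixlen, reverse=True)
    return table


def default_routes(table):
    """Entries that would act as a default gateway route (prefix length 0)."""
    return [r for r in table if r.destination.prefixlen == 0]


# Constructed sample: the value a DHCP server might place in Option 121.
#   10.0.0.0/8      via 192.168.3.1
#   172.16.20.0/24  via 192.168.3.254
#   0.0.0.0/0       via 192.168.3.1
SAMPLE_OPTION121 = bytes([
    8, 10, 192, 168, 3, 1,
    24, 172, 16, 20, 192, 168, 3, 254,
    0, 192, 168, 3, 1,
])

if __name__ == "__main__":
    table = install_routes(SAMPLE_OPTION121)
    for r in table:
        print(f"{str(r.destination):18} via {r.gateway}"
              f"  distance={r.distance} weight={r.weight}")
    print("default routes learned via Option 121:", len(default_routes(table)))
```

Running the block lists the three constructed routes longest-prefix first. The `default_routes` helper is there because Option 121 can itself carry a 0.0.0.0/0 entry, which is a separate matter from the "Set gateway information from DHCP server as the default gateway route" check box in the same table; listing it makes visible which default route an interface would end up with.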

Creating a Redundant Interface

To create a redundant interface, take the following steps:

1. Select Network > Interface.

2. Click New > Redundant Interface.

3. "In this page, configure the following." on Page 136

4. "Expand IPv6 Configuration, configure the following." on Page 116

5. "Expand Interface Properties, configure properties for the interface." on Page 115

6. "Configuring an Interface" on Page 92

7. "Select Network > Routing > RIP, click Interface Configuration to open the <Interface>
page and configure RIP for the selected interface." on Page 102

8. "OSPF" on Page 303

9. "Configuring OSPFv3" on Page 310

10. Click OK.

Creating an Ethernet Sub-interface/an Aggregate Sub-interface/a Redundant Sub-interface

To create an Ethernet sub-interface/an aggregate sub-interface/a redundant sub-interface, take the following steps:

1. Select Network > Interface.

2. Click New > Ethernet Sub-interface/Aggregate Sub-interface/Redundant Sub-interface.

3. In this page, configure the following.

Option Description

Interface Name  Specifies a name for the virtual forward interface.

Description  Enter descriptions for the virtual forward interface.

Binding Zone  If No Binding is selected, the interface will not bind to any zone.

Zone  Select a security zone from the Zone drop-down list.

IP Configuration

Static IP  IP address: Specifies an IP address for the interface.

Netmask: Specifies a netmask for the interface.

Set as Local IP: In an HA environment, if this option is specified, the interface IP will not synchronize to the HA peer.

Advanced:

Notes: The secondary IP address of the configured interface and the current IP address of the interface must be in different network segments.

DHCP: In the DHCP Configuration page, configure DHCP options for the interface. For detailed instructions, see "DHCP" on Page 202.

DDNS: In the DDNS Configuration page, configure DDNS options for the interface. For detailed instructions, see "DDNS" on Page 217.
Tip: This function is available only when you edit the interface.

Auto-obtain  Set gateway information from DHCP server as the default gateway route: With this check box selected, the system will set the gateway information provided by the DHCP server as the default gateway route.

Advanced:

l Distance: Specifies a route distance. The value range is 1 to 255. The default value is 1.

l Weight: Specifies a route weight. The value range is 1 to 255. The default value is 1.

l Management Priority: Specifies a priority for the DNS server. Besides static DNS servers, the system can also learn DNS servers dynamically via DHCP or PPPoE. Therefore, you need to configure priorities for the DNS servers, so that the system can choose a DNS server according to its priority during DNS resolution. The priority is represented by a number from 1 to 255. The larger the number is, the higher the priority is. The priority of static DNS servers is 20.

l Classless Static Routes: Enables the classless static routing function via DHCP options. When it is enabled, the DHCP client will send a request message with Option 121 (i.e., the classless static route option) to the server, and the server will return the classless static route information. Finally, the client will add the classless static routes to the routing table.

DDNS: In the DDNS Configuration page, configure DDNS options for the interface. For detailed instructions, see "DDNS" on Page 217.
Tip: This function is available only when you edit the interface.

PPPoE  Obtain an IP address through PPPoE. Configure the following options (effective only when creating an aggregate sub-interface):

l User - Specifies a username for PPPoE.

l Password - Specifies the PPPoE user's password.

l Confirm password - Enter the password again to confirm.

l Idle interval - If the PPPoE interface has been idle (no traffic) for a certain period, i.e., the specified idle interval, the system will disconnect the Internet connection; if the interface requires Internet access, the system will connect to the Internet automatically. The value range is 0 to 10000 minutes. The default value is 30.

l Re-connect interval - Specifies a re-connect interval (i.e., the system will try to re-connect automatically after being disconnected for the interval). The value range is 0 to 10000 seconds. The default value is 0, which means the function is disabled.

l Set gateway information from PPPoE server as the default gateway route - With this check box selected, the system will set the gateway information provided by the PPPoE server as the default gateway route.

Management  Select one or more management method check boxes to configure the interface management methods, including Telnet, SSH, Ping, HTTP, HTTPS, SNMP, NETCONF and TRACEROUTE.

WebAuth

Auth Service  Click the Enable, Close or Global Default radio button as needed.

l Enable: Enables the WebAuth function of the specified interface.

l Close: Disables the WebAuth function of the specified interface.

l Global Default: Specifies that the interface uses the global default configuration of WebAuth. For the global default configuration of the WebAuth function, see "Web Authentication" on Page 329.

Proactive WebAuth  Click the Enable button to enable the proactive WebAuth function and specify the AAA server. After enabling it, you can access the Web authentication address to initiate an authentication request, and then enter the correct user name and password on the authentication login page. The Web authentication address consists of the IP address of the interface and the HTTP/HTTPS port number of the authentication server. For example, if the IP address of the interface is 192.168.3.1 and the HTTP/HTTPS port numbers of the authentication server are configured as 8182/44434 respectively, then when the authentication server is configured for HTTP authentication mode, the Web authentication address is http://192.168.3.1:8182; when the authentication server is configured for HTTPS mode, the Web authentication address is https://192.168.3.1:44434.

4. "Expand IPv6 Configuration, configure the following." on Page 116

5. "Expand Interface Properties, configure properties for the interface." on Page 115

6. "Configuring an Interface" on Page 92

7. "Select Network > Routing > RIP, click Interface Configuration to open the <Interface>
page and configure RIP for the selected interface." on Page 102

8. "OSPF" on Page 303

9. "Configuring OSPFv3" on Page 310

10. Click OK.

Creating a VSwitch Interface/VLAN Interface

To create a VSwitch interface/a VLAN interface, take the following steps:

1. Select Network > Interface.

2. Click New > VSwitch Interface/VLAN Interface.

3. "In this page, configure the following." on Page 121

4. "Expand IPv6 Configuration, configure the following." on Page 116

5. "Expand Interface Properties, configure properties for the interface." on Page 115

6. "Configuring an Interface" on Page 92

7. "Select Network > Routing > RIP, click Interface Configuration to open the <Interface>
page and configure RIP for the selected interface." on Page 102

8. "OSPF" on Page 303

9. "Configuring OSPFv3" on Page 310

10. Click OK.

Editing an Interface

To edit an interface, take the following steps:

1. Select Network > Interface.

2. Select the interface you want to edit from the interface list and click Edit.

3. In this page, configure the following.

Option Description

Interface Name  Specifies a name for the interface.

Description  Enter descriptions for the interface.

Binding Zone  Specifies the zone type. If Layer 2 zone is selected, you should also select a security zone from the Zone drop-down list, and the interface will bind to a Layer 2 zone. If TAP is selected, the interface will bind to a tap zone. You can also specify the firewall information (the firewall's IPv4 or IPv6 address, SSH port, login name, and password) in Firewall Linkage Configuration to make the current device link with a Hillstone firewall. When the current device is working in the TAP mode and this interface is the one that receives the mirrored traffic, if one or more of the following configurations are made, the device will send the matched traffic information to the linkage firewall, which will block the traffic:

l The source zone and destination zone in the security policy are the TAP zone with this interface bound, and the action of the IPS rule referenced by the security policy is Block IP or Block service;

l The source zone of the share access rule is the TAP zone with this interface bound, and the action of the share access rule is Block;

l The source zone and destination zone in the security policy are the TAP zone with this interface bound, and the action of the end point profile referenced by the security policy is Block;

l The zone of the perimeter traffic filtering is the TAP zone with this interface bound, and the action

Belong to  Description

Aggregate Interface  The interface you specified belongs to an aggregate interface.

l Interface Group: Choose the aggregate interface which this interface belongs to from the Interface Group drop-down list.

l Port LACP priority: The port LACP priority determines the sequence in which the members in the aggregate group enter the Selected status. The smaller the number is, the higher the priority will be. The links in the aggregate group that will be aggregated are determined by the interface LACP priority and the LACP system priority.

l Port timeout mode: The LACP timeout refers to the time interval for which the members wait to receive LACPDU packets. The system supports Fast (1 second) and Slow (30 seconds, the default value). If the local member does not receive an LACPDU packet from its peer within three timeout values, the peer will be concluded as down, the status of the local member will change from Active to Selected, and traffic forwarding will stop.

Redundant Interface  This interface belongs to a redundant interface. Select that redundant interface from the Interface Group drop-down list.

None  This interface does not belong to any object.

Aggregate mode  l Forced: Aggregates multiple physical interfaces to form an aggregate interface. These physical interfaces will share the traffic passing through the aggregate interface equally.

l LACP: Enables LACP on the interface to negotiate aggregate interfaces dynamically. LACP options are:

l System priority: Specifies the LACP system priority. The value range is 1 to 32768, the default value is 32768. This parameter is used to assure that the interfaces of the two ends are consistent. The system will select interfaces based on the end with the higher LACP system priority. The smaller the value is, the higher the priority will be. If the LACP system priorities of the two ends are equal, the system will compare the MACs of the two ends. The smaller the MAC is, the higher the priority will be.

l Max bundle: Specifies the maximum number of active interfaces. The value range is 1 to 16, the default value is 16. When the active interfaces reach the maximum number, the status of the other legal interfaces will change to Standby.

l Min bundle: Specifies the minimum number of active interfaces. The value range is 1 to 8, the default value is 1. When the active interfaces cannot reach the minimum number, the status of all the legal interfaces in the aggregation group will change to Standby automatically and they will not forward any traffic.

Zone  Select a security zone from the Zone drop-down list.

IP Configuration

Static IP  IP address: Specifies an IP address for the interface.

Netmask: Specifies a netmask for the interface.

Set as Local IP: In an HA environment, if this option is specified, the interface IP will not synchronize to the HA peer.

Advanced:

Notes: The secondary IP address of the configured interface and the current IP address of the interface must be in different network segments.

DHCP: In the DHCP Configuration page, configure DHCP options for the interface. For detailed instructions, see "DHCP" on Page 202.

DDNS: In the DDNS Configuration page, configure DDNS options for the interface. For detailed instructions, see "DDNS" on Page 217.
Tip: This function is available only when you edit the interface.

Auto-obtain  Set gateway information from DHCP server as the default gateway route: With this check box selected, the system will set the gateway information provided by the DHCP server as the default gateway route.

Advanced:

l Distance: Specifies a route distance. The value range is 1 to 255. The default value is 1.

l Weight: Specifies a route weight. The value range is 1 to 255. The default value is 1.

l Management Priority: Specifies a priority for the DNS server. Besides static DNS servers, the system can also learn DNS servers dynamically via DHCP or PPPoE. Therefore, you need to configure priorities for the DNS servers, so that the system can choose a DNS server according to its priority during DNS resolution. The priority is represented by a number from 1 to 255. The larger the number is, the higher the priority is. The priority of static DNS servers is 20.

l Classless Static Routes: Enables the classless static routing function via DHCP options. When it is enabled, the DHCP client will send a request message with Option 121 (i.e., the classless static route option) to the server, and the server will return the classless static route information. Finally, the client will add the classless static routes to the routing table.

DDNS: In the DDNS Configuration page, configure DDNS options for the interface. For detailed instructions, see "DDNS" on Page 217.
Tip: This function is available only when you edit the interface.

PPPoE  User: Specifies a user name for PPPoE.

Password: Specifies the PPPoE user's password.

Confirm Password: Enter the password again to confirm.

Idle Interval: If the PPPoE interface has been idle (no traffic) for a certain period, i.e., the specified idle interval, the system will disconnect the Internet connection; if the interface requires Internet access, the system will connect to the Internet automatically. The value range is 0 to 10000 minutes. The default value is 30.

Re-connect Interval: Specifies a re-connect interval (i.e., the system will try to re-connect automatically after being disconnected for the interval). The value range is 0 to 10000 seconds. The default value is 0, which means the function is disabled.

Set gateway information from PPPoE server as the default gateway route: With this check box selected, the system will set the gateway information provided by the PPPoE server as the default gateway route.

Advanced  Access concentrator: Specifies a name for the concentrator.

Authentication: The device will have to pass PPPoE authentication when trying to connect to a PPPoE server. The supported authentication methods include CHAP, PAP and Any (the default, either CHAP or PAP). Click an authentication method.

Netmask: Specifies a netmask for the IP address obtained via PPPoE.

Static IP: You can specify a static IP address and negotiate to use this address to avoid IP changes. To specify a static IP address, type it into the box.

Service: Specifies the allowed service. The specified service must be the same as that provided by the PPPoE server. If no service is specified, Hillstone will accept any service returned from the server automatically.

Distance: Specifies a route distance. The value range is 1 to 255. The default value is 1.

Weight: Specifies a route weight. The value range is 1 to 255. The default value is 1.

DDNS: In the DDNS Configuration page, configure DDNS options for the interface. For detailed instructions, see "DDNS" on Page 217.
Tip: This function is available only when you edit the interface.

Management  Select one or more management method check boxes to configure the interface management methods, including Telnet, SSH, Ping, HTTP, HTTPS, SNMP, NETCONF and TRACEROUTE.

WebAuth

Auth Service  Click the Enable, Close or Global Default radio button as needed.

l Enable: Enables the WebAuth function of the specified interface.

l Close: Disables the WebAuth function of the specified interface.

l Global Default: Specifies that the interface uses the global default configuration of WebAuth. For the global default configuration of the WebAuth function, see "Web Authentication" on Page 329.

Proactive WebAuth  Click the Enable button to enable the proactive WebAuth function and specify the AAA server. After enabling it, you can access the Web authentication address to initiate an authentication request, and then enter the correct user name and password on the authentication login page. The Web authentication address consists of the IP address of the interface and the HTTP/HTTPS port number of the authentication server. For example, if the IP address of the interface is 192.168.3.1 and the HTTP/HTTPS port numbers of the authentication server are configured as 8182/44434 respectively, then when the authentication server is configured for HTTP authentication mode, the Web authentication address is http://192.168.3.1:8182; when the authentication server is configured for HTTPS mode, the Web authentication address is https://192.168.3.1:44434.

4. "Expand IPv6 Configuration, configure the following." on Page 116

5. Expand Interface Properties, configure properties for the interface.

Property Description

Duplex  Specifies a duplex working mode for the interface. Options include auto, full duplex and half duplex. Auto is the default working mode, in which the system will select the most appropriate duplex working mode automatically. 1000M half duplex is not supported.

Rate  Specifies a working rate for the interface. Options include Auto, 10M, 100M and 1000M. Auto is the default working mode, in which the system will detect and select the most appropriate working mode automatically. 1000M half duplex is not supported.

Combo type  This option is applicable to the Combo port of copper port + fiber port. If both the copper port and the fiber port are plugged with a cable, the fiber port will be prioritized by default; if the copper port is used at first and a cable is then plugged into the fiber port, the fiber port will be used for data transmission after reboot. You can specify how to use the copper port or fiber port. For detailed options, see the following instructions:

l Auto: The above default scenario.

l Copper forced: The copper port is enforced.

l Copper preferred: The copper port is prioritized.

l Fiber forced: The fiber port is enforced.

l Fiber preferred: The fiber port is prioritized. With this option configured, the device will migrate the traffic on the copper port to the fiber port automatically without reboot.

MTU  The default MTU value is 1500 bytes. The range is 1280 bytes to 1800/2000 bytes (different devices support different maximum MTU values).

ARP Learning  Select the Enable checkbox to enable ARP learning.

ARP Timeout  Specifies an ARP timeout for the interface. The value range is 5 to 65535 seconds. The default value is 1200.

Keep-alive IP  Specifies an IP address that receives the interface's keep-alive packets.

MAC clone  The system clones a MAC address to the Ethernet sub-interface. If the user clicks "Restore Default MAC", the Ethernet sub-interface will restore the default MAC address.

Bandwidth

Up Bandwidth  Specifies the maximum value of the up bandwidth of the interface.

Down Bandwidth  Specifies the maximum value of the down bandwidth of the interface.

6. "Configuring an Interface" on Page 92

7. "Select Network > Routing > RIP, click Interface Configuration to open the <Interface>
page and configure RIP for the selected interface." on Page 102

8. "OSPF" on Page 303

9. "Configuring OSPFv3" on Page 310

10. Click OK.
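The aggregate interface settings in the table above (System priority with its MAC tie-break, Port LACP priority, Max bundle, Min bundle and the Fast/Slow Port timeout mode) together define a selection procedure, and their interaction is easiest to see when it is spelled out. The following added example is written for this edit and is not StoneOS code; it models those rules with the numbers quoted in the guide so a planned configuration can be checked before it is applied. The link names, MAC addresses and helper names are assumptions made for the illustration.

```python
"""Model of the LACP selection rules described for aggregate interfaces:
which end's system priority drives selection, how Port LACP priority orders
member links, how Max/Min bundle change link status, and when the
Fast/Slow timeout declares a peer down.

Added example, not StoneOS code; ranges and defaults are the ones quoted in
the guide, link names and MACs are constructed."""
from dataclasses import dataclass

TIMEOUT_SECONDS = {"fast": 1, "slow": 30}   # Port timeout mode values
LACPDU_MISS_LIMIT = 3                       # peer is down after three timeouts


@dataclass
class LacpSystem:
    system_priority: int    # 1..32768, default 32768; smaller wins
    mac: str                # tie-break: the smaller MAC wins


def choose_selecting_end(local: LacpSystem, peer: LacpSystem) -> str:
    """Return 'local' or 'peer': whose port priorities decide link selection."""
    for s in (local, peer):
        if not 1 <= s.system_priority <= 32768:
            raise ValueError("system priority must be 1..32768")
    if local.system_priority != peer.system_priority:
        return "local" if local.system_priority < peer.system_priority else "peer"
    # Equal priorities: compare the MAC addresses numerically.
    local_mac = int(local.mac.replace(":", ""), 16)
    peer_mac = int(peer.mac.replace(":", ""), 16)
    return "local" if local_mac <= peer_mac else "peer"


@dataclass
class MemberLink:
    name: str
    port_priority: int      # Port LACP priority; smaller = higher priority
    link_up: bool = True


def select_links(members, max_bundle: int = 16, min_bundle: int = 1):
    """Assign Active/Standby/Down status using Max bundle and Min bundle.

    Returns a dict of link name -> status."""
    if not 1 <= max_bundle <= 16 or not 1 <= min_bundle <= 8:
        raise ValueError("max bundle must be 1..16, min bundle 1..8")
    # Legal (link-up) members ordered by Port LACP priority, then name.
    eligible = sorted((m for m in members if m.link_up),
                      key=lambda m: (m.port_priority, m.name))
    active = eligible[:max_bundle]          # the rest become Standby
    status = {m.name: "Down" for m in members}
    if len(active) < min_bundle:
        # Too few usable links: every legal link goes Standby and forwards nothing.
        for m in eligible:
            status[m.name] = "Standby"
        return status
    for m in eligible:
        status[m.name] = "Active" if m in active else "Standby"
    return status


def peer_down_after(mode: str, seconds_since_last_lacpdu: float) -> bool:
    """True once no LACPDU has arrived for three timeout periods."""
    return seconds_since_last_lacpdu >= LACPDU_MISS_LIMIT * TIMEOUT_SECONDS[mode]


if __name__ == "__main__":
    us = LacpSystem(32768, "00:11:22:33:44:55")          # default priority
    them = LacpSystem(100, "00:11:22:33:44:56")           # deliberately higher priority
    print("selecting end:", choose_selecting_end(us, them))
    links = [MemberLink("ethernet0/1", 32768), MemberLink("ethernet0/2", 100),
             MemberLink("ethernet0/3", 32768, link_up=False), MemberLink("ethernet0/4", 200)]
    print(select_links(links, max_bundle=2))
    print("slow mode, 90 s silent -> peer down:", peer_down_after("slow", 90))
```

Two things the model makes obvious: with Max bundle set below the number of healthy links, the Port LACP priority alone decides which links stay Standby, so both ends must agree on those priorities; and a Min bundle larger than the number of links that can ever be Active leaves the whole group in Standby, which is why the two limits should be chosen together.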

Notes:
l Before deleting an aggregate/redundant interface, you must cancel other interfaces' bindings to it, the aggregate/redundant sub-interface's configuration, its IP address configuration and its binding to the security zone.

l An Ethernet interface can only be edited but cannot be deleted.

l When a VSwitch interface is deleted, the corresponding VSwitch will be deleted as well.

l The HA interface cannot bind the track object.

Viewing the Interface Status

Select Network > Interface. You can view the status information of the interface in the Interface Status column of the interface list. The status indicators are as follows:

l Physical Status: Displays the physical state of the interface. The icon indicates connected, the icon indicates HA keep up, the icon indicates disconnected or LACP disconnected.

l Management Status: Displays the management state of the interface. The icon indicates connected, the icon indicates disconnected or LACP disconnected.

l Link Status: Displays the link state of the interface. The icon indicates connected, the icon indicates HA keep up, the icon indicates disconnected or LACP disconnected.

l IPv4 Protocol Status (only "Protocol Status" is displayed in the IPv4 version): Displays the IPv4 protocol state of the interface. The icon indicates connected, the icon indicates HA keep up, the icon indicates disconnected or LACP disconnected.

l IPv6 Protocol Status (only displayed in the IPv6 version): Displays the IPv6 protocol state of the interface. The icon indicates connected, the icon indicates HA keep up, the icon indicates disconnected or LACP disconnected.

The interface list is displayed as follows:

Interface Group
The interface group function binds the status of several interfaces to form a logical group. If any interface in the group is faulty, the status of the other interfaces will be Down. After all the interfaces return to normal, the status of the interface group will be Up. The interface group function can bind the status of interfaces on different expansion modules.

Creating an Interface Group

To create an interface group, take the following steps:

1. Select Network > Interface Group.

2. Click New.

3. In the Interface Group Configuration page, type the name for the interface group. Names of interface groups cannot be the same.

4. In the Member drop-down list, select the interface you want to add to the interface group. The maximum number of interfaces is 8.
Note: Members of an interface group cannot conflict with other interface groups.

5. Click OK.
You can click the Edit or Delete button to edit the members of an interface group or delete the interface group.

LLDP
Network devices are increasingly diverse, and their configurations are correspondingly complicated. Therefore, mutual discovery and the exchange of system and configuration information between devices of different manufacturers are necessary to facilitate management. LLDP (Link Layer Discovery Protocol) is a neighbor discovery protocol defined in IEEE 802.1ab, which provides a discovery method at the link layer of the network. By means of LLDP, the system can quickly master the topology information of the Layer 2 network and its changes when the scale of the network expands rapidly.
By means of LLDP, the LLDP information of the device, including the device information, system name, system description, port description, network management address and so on, can be sent in the form of standard TLV (Type Length Value) multicast messages from the physical port to the directly-connected neighbor. If the neighbor enables LLDP too, then neighbor relations will be established between both sides. When the neighbor receives these messages, they are stored in the form of MIB in the SNMP MIB database, so that the network management system can use them to search and analyze the Layer 2 topology of the current network and the problems in it.

LLDP Work Mode

The 4 work modes of LLDP are listed below:

l Transmit and Receive: the port transmits and receives LLDP messages.

l Receive only: the port only receives LLDP messages.

l Transmit only: the port only transmits LLDP messages.

l Not work: the port neither transmits nor receives LLDP messages.

Related links:

l Configuring LLDP

l Viewing MIB Topology

Configuring LLDP
Configuring LLDP enables neighbor devices to collect network topology changes.

l Enabling LLDP

l Modifying LLDP Configuration

Enabling LLDP

LLDP is enabled only when the "Global LLDP" and the "LLDP of Port" are enabled at the same time, so that the corresponding port can transmit and receive LLDP messages.

l By default, the global LLDP and the LLDP of port are both disabled.

l When the global LLDP is enabled, the LLDP of port of all the ports of the system will be enabled.

l When the global LLDP is disabled, the LLDP of port of all the ports of the system will be disabled.

l When the global LLDP is enabled, the user does not have to modify the LLDP configuration, for LLDP can be enabled with the default configuration. If there is a need to optimize the LLDP configuration, please see Modifying LLDP Configuration.

Notes: Only the physical ports of the device support enabling LLDP. Logical ports do not support this function.

To enable the global LLDP, take the following steps:

1. Select Network > LLDP > LLDP Configuration.

2. Click Global Enable button.

3. Click OK to enable LLDP by default configuration.

LLDP default configuration is as follows:

Option Default

Initialization Delay  2 seconds

Transmission Delay  1 second

Transmission Interval  30 seconds

TTL Multiplier  4 seconds

port  LLDP is enabled in all the physical ports with the work mode being Transmit and Receive.

Modifying LLDP Configuration

According to the loading condition of the network, the user can modify the related LLDP configuration to reduce the consumption of system resources and optimize the LLDP performance.
To modify the LLDP configuration, take the following steps:

l Select Network > LLDP > LLDP Configuration.

In the LLDP Configuration page, configure as follows:

Option Description

Initialization Delay  When the LLDP work mode of the port changes, the system will perform initialization on the port. Configuring the initialization delay of the port can avoid continuous initialization of the port due to frequent changes of the LLDP work mode.
Type the delay time of initialization of the port in the Initialization Delay text box. The measurement is second-based, and the range is from 1 to 10.

Transmission Delay  Transmission delay refers to the minimal delay time before the LLDP messages are sent to the neighbor device when the state of the local device frequently changes.
Type the minimal delay time before the LLDP message is sent in the Transmission Delay text box. The measurement is second-based, and the range is from 1 to 900.

Transmission Interval  Transmission interval refers to the time period of transmitting the LLDP message to the neighbor device when the state of the local device remains stable.
Type the transmission period before the LLDP message is sent in the Transmission Interval text box. The measurement is second-based, and the range is from 1 to 3600.

TTL Multiplier  TTL (Time to Live) refers to the living time of the local device information in the neighbor device.
The TTL multiplier is used to adjust the living time of the local device information in the neighbor device. The computational formula is: TTL = Transmission Interval × TTL Multiplier.
Type the TTL multiplier value in the TTL Multiplier text box. The range is from 1 to 100.

port  Click the Enable button under LLDP Enable to enable the LLDP function of the port.
Select the LLDP work mode from the Work Mode drop-down menu to modify the LLDP work mode of the port.
Note: For the introduction of the LLDP work mode, please see LLDP Work Mode.

l Click OK.

Viewing MIB Topology


The user can view the LLDP local information and the neighbor information (the LLDP inform-
ation sent from the neighbor device to the local device) of the port in the MIB Topology page.
To view the MIB topology, take the following steps.

1. Select Network > LLDP > MIB Topology.

2. Click the Local Information button to open the Local Information page and view the LLDP
local information, including chassis ID, system name, system description, system-supported

Chapter 5 176
Network
capabilities, management address and so on.

3. View the MIB topology and neighbor information of all the ports which enable LLDP in the
list in the MIB Topology page.

Management Interface
This feature may not be available on all platforms. Please check your system's actual page to see whether your device provides this feature.
To facilitate management of the device and meet the requirement of separating management traffic from data traffic, the system has an independent management interface (MGT interface). By default, the management interface belongs to the mgt zone and the mgt-vr virtual router. The mgt zone belongs to the mgt-vr virtual router, whose routing and ARP tables are independent of the other virtual routers.

Configuring a Management Interface

To configure an MGT interface, take the following steps:

1. Select Network > Management Interface.

2. To edit an MGT interface, select the interface and click Edit; the MGT Interface page pops up.
In this page, configure the following.

Option Description

Interface Name: Shows the name of the interface.

Zone: Specifies the zone of the management interface in the Zone drop-down list. You can only select a Layer 3 zone. By default, the interface is bound to the mgt zone.

HA sync: Click this button to enable the HA Sync function, which disables the Local property and uses the virtual MAC, so that the primary device synchronizes its information to the backup device. Leaving this button unclicked disables HA Sync, which enables the Local property and uses the original MAC, so that the primary device does not synchronize its information to the backup device.

NetFlow configuration: Select a configured NetFlow profile from the drop-down list below.

IP Configuration

Static IP: IP address: Specifies an IP address for the interface.
Netmask: Specifies a netmask for the interface.
Set as Local IP: In an HA environment, if this option is selected, the interface IP is not synchronized to the HA peer.
Advanced:
• Management IP: Specifies a management IP for the interface. Type the IP address into the box.
• Secondary IP: Specifies secondary IPs for the interface. You can specify up to 10 secondary IP addresses.
DHCP Server: Click the button to configure DHCP options for the interface in the DHCP Configuration page. For detailed instructions, see "DHCP" on Page 202.

Auto-obtain: Specifies that the IP address is obtained through DHCP.

Management: Specifies the management methods by selecting the Telnet/SSH/Ping/HTTP/HTTPS/SNMP check boxes of the desired management methods.

Transmission Mode: Specifies the duplex mode and rate of the management interface. If you select the Auto duplex mode, you can only select the Auto rate.

Shut Down: Select the check box to shut down the management interface.

3. Expand IPv6 Configuration and configure the following.

Option Description

Enable: Enables IPv6 on the interface.

IPv6 Address: Specifies the IPv6 address prefix.

Prefix Length: Specifies the prefix length.

Autoconfig: Select the check box to enable the auto-config function. In address auto-config mode, the interface first receives the address prefix in RA packets and then combines it with the interface identifier to generate a global address.
• Set Default Route - If the interface is configured with a default router, this option generates a default route to that router.

DHCP: The system supports DHCPv6 client and DHCPv6 server.
• Select the DHCP check box to enable the DHCPv6 client on the interface. After enabling it, the system acts as a DHCPv6 client and obtains IPv6 addresses from the DHCP server. Selecting the Rapid-commit option speeds up obtaining IPv6 addresses from the server; Rapid-commit must be enabled on both the DHCP client and the server.
• Click the DHCPv6 Server button and configure the options as described in Configuring DHCPv6 Server; the system then acts as a DHCPv6 server and assigns IPv6 addresses to DHCP clients.

IPv6 Advanced

Static: Click the Add button to add IPv6 addresses, at most 5 addresses. Click the Delete button to delete an IPv6 address.

Dynamic: Shows dynamically obtained IPv6 addresses.

Link-local: Specifies the link-local address. A link-local address is used for communication between adjacent nodes on a single link, for example between hosts when there are no routers on the link. By default the system automatically generates a link-local address for the interface if IPv6 is enabled on the interface (in interface configuration mode, use the command ipv6 enable). You can also specify a link-local address for the interface as needed; the specified link-local address replaces the automatically generated one.

MTU: Specifies an IPv6 MTU for the interface. The default MTU is 1500 bytes. The range is 1280 bytes to 1800/2000 bytes (different devices support different maximum MTU values).

DAD Attempts: Specifies the number of NS packet attempts. The value range is 0 to 20. The value 0 indicates that DAD is not enabled on the interface. If the system does not receive any NA response after sending NS packets for the configured number of attempts, it concludes that the IPv6 address is unique and available.
DAD (Duplicate Address Detection) verifies the uniqueness of IPv6 addresses. It is implemented by sending NS (Neighbor Solicitation) requests. If any other host on the link receives the NS packet and finds that the address of the NS requester duplicates its own, it sends an NA (Neighbor Advertisement) packet advertising that the address is already in use; the NS requester then marks the address as duplicate, indicating that it is an invalid IPv6 address.

ND Interval: Specifies the interval for sending NS packets.

ND Reachable Time: Specifies the reachable time. After sending an NS packet, if the interface receives an acknowledgment from a neighbor within the specified time, it considers the neighbor reachable. This time is known as the reachable time.

Hop Limit: Specifies the hop limit. The hop limit is the maximum number of hops for IPv6 or RA packets sent by the interface.

ND RA Suppress: Select the check box to disable RA suppression on LAN interfaces. By default, an FDDI interface configured with IPv6 unicast routing sends RA packets automatically, and interfaces of other types do not send RA packets.

Manage IP/MASK: Specifies the management IP/MASK.

4. Click OK.

5. To create the virtual forward interface of MGT0 (that is, the MGT interface of HA group 1), click New to open the Virtual Forward Interface page for configuration.
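The Autoconfig and Link-local rows above describe an interface combining a prefix with its interface identifier to form an address. The following Python example is added here to make that derivation concrete; it is not StoneOS code and not part of the original guide. It builds the modified EUI-64 interface identifier from a MAC address (the classic SLAAC method; stacks that use random identifiers skip this step), forms the automatically generated link-local address under fe80::/64, and combines an RA-advertised /64 prefix with the same identifier to obtain the global address. The MAC address and prefix are constructed sample values, and the function names are the example's own. The last function shows why this matters to a defender: an EUI-64-derived address embeds the hardware MAC, so it is recoverable from logs, which is one reason to specify a link-local address manually as the Link-local row allows.

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (64-bit int) for a MAC address.

    Split the 48-bit MAC in the middle, insert 0xFFFE, and flip the
    universal/local bit (bit 1 of the first octet).
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must have 6 octets")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # invert the U/L bit
    return int.from_bytes(eui, "big")


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """Automatically generated link-local address: fe80::/64 + EUI-64 identifier."""
    return ipaddress.IPv6Address((0xfe80 << 112) | eui64_interface_id(mac))


def global_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address auto-config: RA-advertised /64 prefix + the interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC combines the identifier with a 64-bit prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def mac_from_eui64_address(addr: str):
    """Recover the MAC embedded in an EUI-64 address, or None when the
    identifier lacks the ff:fe marker (for example a random identifier)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])


if __name__ == "__main__":
    sample_mac = "00:1c:42:2b:60:5a"      # constructed sample value
    sample_prefix = "2001:db8:1::/64"      # constructed sample RA prefix
    ll = link_local_address(sample_mac)
    print("link-local :", ll)
    print("global     :", global_address(sample_prefix, sample_mac))
    print("MAC in addr:", mac_from_eui64_address(str(ll)))
```

Running the block prints the link-local address fe80::21c:42ff:fe2b:605a and the global address 2001:db8:1:0:21c:42ff:fe2b:605a for the sample MAC; the third line recovers the MAC from the address, which a native address with a random identifier (such as 2001:db8::1) does not allow.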

VLAN
This feature may not be available on all platforms. Please check your system's actual page to see whether your device provides this feature.
VLAN, the abbreviation for Virtual Local Area Network, is defined in IEEE 802.1Q. A VLAN has the following features:

• A physical LAN can be divided into multiple VLANs, and a VLAN may include devices from multiple physical networks.

• A VLAN is effectively a broadcast domain. Layer 2 packets between VLANs are isolated. Communication between VLANs can only be implemented by a Layer 3 routing technique (through routers, Layer 3 switches, or other Layer 3 network devices).

VLANs are distinguished by VLAN numbers. The value range is 1 to 4094. The system reserves 32 VLAN numbers (224 to 255) for BGroup, but the unused numbers within that range are also available to VLANs.

Configuring a VLAN
To create a VLAN, take the following steps:

1. Select Network > VLAN.

2. Click New.
In the VLAN Configuration page, type a number in the VLAN ID text box. The value range is 1 to 4094.

3. Click OK.

DNS
DNS, the abbreviation for Domain Name System, is a naming system for computers and network services organized as a domain hierarchy. DNS is designed for TCP/IP networks to query Internet domain names (e.g., www.xxxx.com) and translate them into IP addresses (e.g., 10.1.1.1) in order to locate the related computers and services.
The security device's DNS provides the following functions:

• Server: Configures DNS servers and default domain names for the security device.

• Proxy: As a DNS proxy, the device can filter DNS requests according to the DNS proxy rules set by the user, and the system forwards the qualifying DNS requests to the designated DNS server.

• Analysis: Sets the retry times and timeout of the device's DNS service.

• Cache: Caching DNS mappings speeds up queries. You can create, edit and delete DNS mappings.

• NBT Cache: Displays NBT cache information.

Configuring a DNS Server

You can configure a DNS server that the system uses for DNS resolution. To create a DNS server, take the following steps:

1. Select Network > DNS > DNS Server.

2. Click New in the DNS Server section.

3. Select the IP address type, IPv4 or IPv6.

4. Select a VRouter from the VR drop-down list. The default VRouter is trust-vr.

5. Type the IP address of the DNS server into the Server IP box.

6. Click OK.

Configuring a DNS Proxy

The DNS proxy function takes effect through DNS proxy rules. Generally a proxy rule consists of two parts: a filtering condition and an action. You set the filtering condition by specifying the traffic's ingress interface, source address, destination address, and domain name. The actions of a DNS proxy rule are proxy, bypass and block. When the action of a proxy rule is proxy, you must also configure the DNS proxy servers, so that DNS requests meeting the filtering condition are resolved by those servers.
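To show how a rule's filtering condition, its action and its server list fit together, the following Python model is added here; it is not StoneOS code and does not claim to reproduce the product's internals. A query is checked against the rules in list order and the first match decides the action (the assumption that the order set with Priority is the evaluation order); for the proxy action a server is chosen the way the DNS Server option below describes it: a server with the preferred property wins outright, otherwise the servers that have an egress interface are rotated round-robin, and only if there are none are the regular servers rotated. Queries that match no rule are treated as bypassed, which is an assumption of this model. The domain condition is modelled as matching the name and its subdomains, also an assumption. Rule names, interface names and addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

ANY = "any"


@dataclass
class ProxyServer:
    """One entry of a rule's DNS Server list (constructed model)."""
    ip: str
    vrouter: str = "trust-vr"
    egress_interface: Optional[str] = None   # the "interface" property
    preferred: bool = False                  # the "preferred" property


@dataclass
class ProxyRule:
    """A DNS proxy rule: filtering condition plus action."""
    name: str
    action: str                                    # "proxy", "bypass" or "block"
    ingress: List[str] = field(default_factory=lambda: [ANY])
    src: List[str] = field(default_factory=lambda: [ANY])   # CIDR strings or ANY
    dst: List[str] = field(default_factory=lambda: [ANY])
    domains: List[str] = field(default_factory=lambda: [ANY])
    servers: List[ProxyServer] = field(default_factory=list)
    rr_index: int = 0                              # round-robin cursor


def _addr_match(entries, ip):
    if ANY in entries:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)


def _domain_match(entries, qname):
    # Assumed semantics: an entry matches the name itself and any subdomain.
    if ANY in entries:
        return True
    q = qname.rstrip(".").lower()
    return any(q == e or q.endswith("." + e)
               for e in (x.rstrip(".").lower() for x in entries))


def rule_matches(rule, ingress, src_ip, dst_ip, qname):
    return ((ANY in rule.ingress or ingress in rule.ingress)
            and _addr_match(rule.src, src_ip)
            and _addr_match(rule.dst, dst_ip)
            and _domain_match(rule.domains, qname))


def select_server(rule):
    """Preferred server first; else egress-interface servers round-robin;
    else regular servers round-robin (as the DNS Server option describes)."""
    if not rule.servers:
        return None
    preferred = [s for s in rule.servers if s.preferred]
    if preferred:
        return preferred[0]
    candidates = [s for s in rule.servers if s.egress_interface] or rule.servers
    server = candidates[rule.rr_index % len(candidates)]
    rule.rr_index += 1
    return server


def evaluate(rules, ingress, src_ip, dst_ip, qname):
    """First matching rule wins. Returns (rule name, action, server IP).
    Assumption: a query matching no rule is forwarded unchanged (bypass)."""
    for rule in rules:
        if rule_matches(rule, ingress, src_ip, dst_ip, qname):
            server = select_server(rule) if rule.action == "proxy" else None
            return rule.name, rule.action, (server.ip if server else None)
    return None, "bypass", None


def build_sample_rules():
    """Constructed sample rule set (hypothetical names and addresses)."""
    return [
        ProxyRule("block-bad", "block", domains=["bad.example"]),
        ProxyRule("lan-proxy", "proxy", ingress=["ethernet0/1"], src=["10.1.0.0/16"],
                  servers=[ProxyServer("10.1.1.53", egress_interface="ethernet0/0"),
                           ProxyServer("10.1.1.54", egress_interface="ethernet0/0"),
                           ProxyServer("192.0.2.53")]),
        ProxyRule("catch-all", "bypass"),
    ]


if __name__ == "__main__":
    rules = build_sample_rules()
    for q in ("www.bad.example", "www.example.com", "www.example.com"):
        print(q, evaluate(rules, "ethernet0/1", "10.1.2.3", "198.51.100.1", q))
```

With the sample rules, a query for www.bad.example from the LAN is blocked by the first rule before the proxy rule is considered, and successive www.example.com queries alternate between 10.1.1.53 and 10.1.1.54: the regular server 192.0.2.53 is never used while egress-interface servers exist, which is the behaviour to keep in mind when reading the DNS Server option.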

Configuring a DNS Proxy Rule

To create a DNS proxy rule, take the following steps:

1. Select Network > DNS > DNS Proxy.

2. Click New in the DNS Proxy section.

3. In the <DNS Proxy Rule Configuration> page, configure the following settings.

Option Description

Description: Adds a description.

Type: Specifies the type of the DNS proxy rule, IPv4 or IPv6.

Ingress Interface: Specifies the ingress interface of the DNS request used to filter DNS request messages. Multiple interfaces may be specified.

Source Address: Specifies the source address of the DNS request used to filter DNS request messages. Multiple source address filtering conditions may be specified. Select the address entry type and then type the address. Click Add to add the selected entry to the pane.
   1. Select an address type from the Address drop-down list.
   2. Select or type the source addresses based on the selected type.
   3. Click Add to add the addresses to the left pane.
   4. After adding the desired addresses, click Close to complete the source address configuration.
You can also perform other operations:
• When selecting the Address Book type, you can click the button to create a new address entry.
• When selecting the IPv4 type, the default address configuration is any. To restore this default, select the any check box.
• When selecting the IPv6 type, the default address configuration is IPv6-any. To restore this default, select the IPv6-any check box.

Destination Address: Specifies the destination address of the DNS request used to filter DNS request messages. Multiple destination address filtering conditions may be specified. Select the address entry type and then type the address. Click Add to add the selected entry to the pane.
   1. Select an address type from the Address drop-down list.
   2. Select or type the destination addresses based on the selected type.
   3. Click Add to add the addresses to the left pane.
   4. After adding the desired addresses, click Close to complete the destination address configuration.
You can also perform other operations:
• When selecting the Address Book type, you can click the button to create a new address entry.
• When selecting the IPv4 type, the default address configuration is any. To restore this default, select the any check box.
• When selecting the IPv6 type, the default address configuration is IPv6-any. To restore this default, select the IPv6-any check box.

Domain: Specifies the domain name of the DNS request used to filter DNS request messages. Multiple domain name filtering conditions may be specified. Select the domain entry type and then type the domain. Click Add to add the selected entry to the pane.
   1. Select an entry type from the Domain drop-down list.
   2. Select or type the domain name.
   3. Click Add to add the domain to the left pane.
   4. After adding the desired domains, click Close to complete the domain configuration.
You can also perform other operations:
• When selecting the Host Book type, you can click Add to create a new host book entry.
• The default domain configuration is any. To restore this default, select the any check box.

Action: Specifies the action of the DNS proxy rule. For DNS requests that meet the filtering conditions, the system can proxy, bypass or block the traffic.

DNS Proxy Failed: Specifies the action taken when the DNS proxy fails. The system can block the DNS request, or bypass it and forward it to the DNS server originally requested by the message.

Log: Click the Enable button to enable the DNS proxy log function. With this function enabled, the system generates log information when DNS request traffic matches this DNS proxy rule. You can view the DNS proxy log on the "Network Log" on Page 1167 page.

DNS Server: Specifies the DNS proxy servers. When the action of the proxy rule is proxy, you need to configure the DNS proxy servers. You can specify up to six DNS servers, and you can configure the interface and preferred properties of each server as needed. When multiple DNS servers are configured, the server with the preferred property is selected for domain name resolution. If no preferred server is specified, the system checks whether any DNS servers have a specified egress interface; if so, those servers are selected in round-robin order. If there are neither of these two kinds of server, that is, only regular DNS servers, the system selects among the regular servers in round-robin order.
At the bottom of the DNS server list, click the "+" button to add a table entry. Enter the IP address (IPv4 or IPv6 address) of the server and the other parameters, such as the virtual router.

DNS64: When the system receives a DNS query from an IPv6 client host, it uses DNS64 to resolve the AAAA record (IPv6 address) requested by the query. If the resolution succeeds, the IPv6 address is returned directly to the client. If the resolution fails, the system uses DNS64 to resolve the A record (IPv4 address) for the query and returns the A record (IPv4 address), synthesized into an AAAA record (IPv6 address), to the client.
Click the Enable button to enable the DNS64 function. By default, the DNS64 function is disabled.

DNS64 Server: The DNS64 server is used to resolve the A record (IPv4 address) for the DNS query. Each IPv6 DNS proxy rule can specify up to 6 DNS64 servers.
DNS64 Prefix: Specifies the DNS64 prefix and prefix length. The DNS64 prefix is used to synthesize the A record (IPv4 address) into an AAAA record (IPv6 address). The synthesized IPv6 address has the form "DNS64 prefix + IPv4 address". By default, the DNS64 prefix is "64:ff9b::/96".
At the bottom of the DNS64 server list, click the "+" button to add a table entry. Enter the IP address (IPv4 address) of the server and the other parameters, such as the virtual router.

4. Click OK.

Enabling/Disabling a DNS Proxy Rule

A DNS proxy rule is enabled by default. To disable or enable a rule, take the following steps:

1. Select Network > DNS > DNS Proxy.

2. Select the rule that you want to enable or disable.

3. Click Enable or Disable to enable or disable the rule.

Adjusting DNS Proxy Rule Position

To adjust the rule position, take the following steps:

1. Select Network > DNS > DNS Proxy.

2. Select the check box of the DNS proxy rule whose position will be adjusted.

3. Click Priority.

4. In the pop-up menu, type the rule ID or name, and click Top, Bottom, Before ID, After ID, Before Name or After Name. The rule is then moved to the top, to the bottom, or before or after the specified ID or name.

DNS Proxy Global Configuration

To set the DNS proxy global configuration, take the following steps:

1. Select Network > DNS > DNS Proxy.

2. Click DNS Proxy Global Configuration in the DNS Proxy section.

3. In the <DNS Proxy Global Configuration> page, configure the following settings.

Option Description

TTL: Enables and specifies the TTL of the DNS proxy's response packets. If the DNS proxy requests are not answered within the TTL, the DNS client clears all DNS records. The value range is 30 to 600 seconds. The default value is 60.

Server Track: Enables DNS proxy server tracking and configures the tracking interval. The system periodically probes the DNS proxy server at the configured interval. When the server cannot be tracked, its IP address is removed from the DNS resolution list until the link is restored. By default, tracking of DNS proxy servers is enabled.

UDP Checksum: Select the check box to enable or disable calculation of the UDP checksum of DNS proxy packets. The system calculates the UDP checksum of DNS proxy packets when DNS proxy is enabled on interfaces. If you need to improve the performance of the device, you can disable this function.

4. Click OK.

DNS Proxy Hit Analysis

DNS Proxy Hit Analysis checks the hit counts of DNS proxy rules: whenever DNS request traffic matches a DNS proxy rule, that rule's hit count increases by 1, and the ratio of each rule's hit count to all DNS requests of the system is computed, which directly shows how effectively the DNS proxy rules are used in the user's network.
To view DNS proxy statistics, take the following steps:

1. Select Network > DNS > DNS Proxy.

2. Click DNS Proxy Hit Analysis above the DNS proxy rule list.
View the DNS proxy statistics in the <DNS Proxy Hit Analysis> page:

Option Description

Time: Select a statistics period from the drop-down list:
• Last 60 Minutes: Displays the statistics for the latest 1 hour.
• Last 24 Hours: Displays the statistics for the latest 1 day.
• Last 7 Days: Displays the statistics for the latest 1 week.
• Last 30 Days: Displays the statistics for the latest 1 month.
• All: Displays all the statistics.

Clear: Click Clear to clear the statistics of all DNS proxy rules.

ID: Shows the DNS proxy rule ID.

Hit count: Shows the hit count of the DNS proxy rule within the specified statistics period.

Hit percentage: Shows the ratio of the hit count of the DNS proxy rule to all DNS requests of the system within the specified statistics period.

3. Click Close.

Configuring an Analysis
Analysis configuration covers the retry times and timeout of DNS requests.

• Retry: If there is no response from the DNS server after the timeout, the system sends the request again; if there is still no response from the DNS server after the specified retry times (i.e., the number of times the DNS request is repeated), the system sends the request to the next DNS server.

• Timeout: After sending a DNS request, the system waits for the DNS server's response and sends the request again if no response arrives within the specified time. The waiting period is known as the timeout.

To configure the retry times and timeout for DNS requests, take the following steps:

1. Select Network > DNS > Analysis.

2. Select the retry times radio button.

3. Select the timeout value radio button.

4. Click Apply.
Configuring a DNS Cache

When using DNS, the system may store DNS mappings in its cache to speed up queries. There are three ways to obtain DNS mappings:

• Dynamic: Obtained from DNS responses.

• Static: DNS mappings added to the cache manually.

• Register: DNS hosts specified by modules of the security device, such as NTP, AAA, etc.

For convenient management, the DNS static cache supports groups: multiple domain hosts that share the same IP address and virtual router form one DNS static cache group.
To add a static DNS mapping to the cache, take the following steps:

1. Select Network > DNS > Cache.

2. Click New and configure the following.

Option Description

Hostname: Specifies the hostnames of the DNS cache group. You can click the add button to add, or the delete button to delete, the specified hostname. The maximum number of domain hosts is 128, and the maximum length of each hostname is 255 characters.

IP: Specifies the host IPv4 addresses of the DNS cache group. You can click the add button to add, or the delete button to delete, the specified IP. The maximum number of host IP addresses is 8, and the IP configured earlier is matched first.

Virtual Router: Select a VRouter.

3. Click OK.

Notes:

• Only DNS static cache groups support the new, edit and delete operations; dynamic and register cache entries do not.

• The DNS dynamic cache can be deleted by command or by the lifetime reset. For detailed information, refer to the StoneOS CLI User Guide, available for download as a PDF on the website.

• Users can clear the register cache only by deleting the defined hosts in the corresponding function module.

• The DNS static cache takes precedence over the dynamic and register caches, which means a static entry overrides an existing dynamic or register entry for the same name.

NBT Cache
The system supports NetBIOS name resolution. With this function enabled, the system automatically obtains all NetBIOS host names registered by the hosts within the managed network and stores them in the cache, providing an IP address to NetBIOS host name query service for other modules.
Enabling a NetBIOS name resolver is the prerequisite for displaying host names in NAT logs. For more information on how to display host names in NAT logs, see "Log Configuration" on Page 1179.
To enable NetBIOS for a zone, select the NBT cache check box when creating or editing the zone. For more details, see "Security Zone" on Page 85. The security zone with NetBIOS enabled should not be the zone connected to the WAN. After NetBIOS is enabled, the query process may take a while, and the query results are added to the NetBIOS cache table. The system repeats the query periodically and updates the results.

Notes: Only hosts that have NetBIOS enabled can have their host names queried. For more information on how to enable NetBIOS, see the documentation of your PC's operating system.

To clear the NBT cache, take the following steps:

1. Select Network > DNS > NBT Cache.

2. Select a VRouter from the VR drop-down list to display the NBT cache of that VRouter.

3. Select an NBT cache entry from the list and click Delete.
201 Chapter 5
Network
DHCP
DHCP, the abbreviation for Dynamic Host Configuration Protocol, is designed to allocate appro-
priate IP addresses and related network parameters for subnetworks automatically, thus reducing
requirement on network administration. Besides, DHCP can avoid address conflict to assure the
re-allocation of idle resources.
DHCP supports to allocate IPv4 and IPv6 addresses.
System supports DHCP client, DHCP server and DHCP relay proxy.

l DHCP client: The interface can be configured as a DHCP client and obtain IP addresses from
the DHCP server. For more information on configuring a DHCP client, see "Configuring an
Interface" on Page 92.

l DHCP server: The interface can be configured as a DHCP server and allocate IP addresses
chosen from the configured address pool for the connected hosts.

l DHCP relay proxy: The interface can be configured as a DHCP relay proxy to obtain DHCP
information from the DHCP server and forward the information to connected hosts.

The security devices are designed with all the above three DHCP functions, but an individual
interface can be only configured with one of the above functions.

Configuring a DHCP Server


To create a DHCP server, take the following steps:

Chapter 5 202
Network
1. Select Network > DHCP.

2. Select New > DHCP Server.

3. In the DHCP Configuration page, configure as following:

Option Description

Interface Configures a interface which enables the DHCP server.

Gateway Configures a gateway IP for the client.

203 Chapter 5
Network
Option Description

Netmask Configures a netmask for the client.

DNS1 Configures a primary DNS server for the client. Type the
server's IP address into the box.

DNS2 Configures an alternative DNS server for the client. Type


the server's IP address into the box.

Address pool Configures an IP range in the address pool. The IPs


within this range will be allocated. Take the following
steps:

1. Type the start IP and end IP into the Start IP and


End IP box respectively.

2. Click New to add an IP range which will be dis-


played in the list below.

3. Repeat the above steps to add more IP ranges.


To delete an IP range, select the IP range you
want to delete from the list and click Delete.

4. Configure Reserved Address ( IP addresses in the Reserved Address, within the IP range of
the address pool, are reserved for the DHCP server and will not be allocated).
To configure a reserved address, expand Reserved Address, type the start and end IP for an
IP range into the Start IP and End IP box respectively, and then click New. To delete an IP
range, select the IP range you want to delete from the list and then click Delete.

5. Configure IP-MAC Binding. If the IP is bound to a MAC address manually, the IP will only
be allocated to the specified MAC address.
To configure an IP-MAC Binding, expand IP-MAC Binding and type the IP and MAC

Chapter 5 204
Network
address into the IP address and MAC box respectively, type the description in the Descrip-
tion text box if necessary, and then click New. Repeat the above steps to add multiple
entries. To delete an IP-MAC Binding, select an entry from the list and click Delete.

6. Expand Option, configure the options supported by DHCP server.

Option Description

43 Option 43 is used to exchange specific vendor specific


information (VSI) between DHCP client and DHCP
server. The DHCP server uses option 43 to assign Access
Controller (AC) addresses to wireless Access Point (AP),
and the wireless AP use DHCP to discover the AC to
which it is to connect.

1. Click New.

2. Select 43 from the Option drop-down list.

3. Select the type of the VSI, ASCII or HEX.


When selecting ASCII, the VSI matching string
must be enclosed in quotes if it contains spaces.

4. Enter the VSI in the Sign text box.

Notes:  If the VCI matching string has


been configured, first of all, you need to
verify the VCI carried by the option 60
field in client’s DHCP packets. When
the VCI matches the configured one, the
IP address, option 43 and corresponding
information will be offered. If not,
DHCP server will drop client’s DHCP
packets and will not reply to the client.

205 Chapter 5
Network
Option Description

49 After you configure the option 49 settings, the DHCP cli-


ent can obtain the list of the IP addresses of systems that
are running the X window System Display Manager.
To configure the option 49 settings:

1. Click New.

2. Select 49 from the Option drop-down list.

3. Enter the IP address of the system that is running


the X window System Display Manager into the
IP address box.

4. Repeat the above steps to add multiple entries.


To delete an entry, select it from the list and
click Delete.

60 After configuring the VCI carried by option 60 for DHCP


server, the DHCP packets sent by the DHCP server will
carry this option and the corresponding VCI.

1. Click New.

2. Select 60 from the Option drop-down list.

3. Select the type of the VCI, ASCII or HEX.


When selecting ASCII, the VCI matching string
must be enclosed in quotes if it contains spaces.

4. Enter the VCI in the Sign text box.

Chapter 5 206
Network
Option Description

5. Repeat the above steps to add multiple entries.


To delete an entry, select it from the list and
click Delete.

66: Option 66 configures the TFTP server name option. With option 66 configured, the DHCP client obtains the domain name or the IP address of the TFTP server, from which it can download the startup file specified in option 67.

1. Click New.

2. Select 66 from the Option drop-down list.

3. Select the type of the TFTP server name, ASCII or HEX. When selecting ASCII, the TFTP server name is 1 to 255 characters long, and each label between two periods (.) is at most 63 characters.

4. Enter the domain name or the IP address of the TFTP server in the Sign text box.

5. Repeat the above steps to add multiple entries. To delete an entry, select it from the list and click Delete.

67: Option 67 configures the startup (boot) file name option for the TFTP server. With option 67 configured, the DHCP client obtains the name of the startup file.

1. Click New.

2. Select 67 from the Option drop-down list.

3. Select the type of the startup file name, ASCII or HEX. When selecting ASCII, the startup file name is 1 to 255 characters long.

4. Enter the startup file name in the Sign text box.

5. Repeat the above steps to add multiple entries. To delete an entry, select it from the list and click Delete.

138: The DHCP server uses option 138 to carry a list of 32-bit (binary) IPv4 addresses identifying one or more CAPWAP access controllers (ACs) available to the WTP (access point). The WTP then discovers and connects to an AC from the provided list.

1. Click New.

2. Select 138 from the Option drop-down list.

3. Enter the AC IP address in the IP address text box.

4. Repeat the above steps to add multiple entries. To delete an entry, select it from the list and click Delete. You can add up to four AC IP addresses.

If option 138 is not configured on the DHCP server, or the DHCP client does not request option 138, the DHCP server does not offer the option 138 settings.

150: Option 150 configures the TFTP server address option. With option 150 configured, the DHCP client obtains the IP address of the TFTP server.

1. Click New.

2. Select 150 from the Option drop-down list.

3. Enter the TFTP server IP address in the IP address text box.

4. Repeat the above steps to add multiple entries. To delete an entry, select it from the list and click Delete.

242: Option 242 is a vendor-specific (private) DHCP option used by IP phones. With option 242 configured, phone-specific parameters can be passed from the DHCP server to the DHCP client, such as the call server address (MCIPADD), the call server port (MCPORT), the TLS server address (TLSSRVR), and the HTTP server address (HTTPSRVR) and port (HTTPPORT).

1. Click New.

2. Select 242 from the Option drop-down list.

3. Select the type of the IP phone parameter string, ASCII or HEX. When selecting ASCII, the parameter string is 1 to 255 characters long.

4. Enter the IP phone parameters in the Sign text box.

5. Repeat the above steps to add multiple entries. To delete an entry, select it from the list and click Delete.

7. Expand Advanced Configuration to configure the DHCP server's advanced options.

Option Description

Domain: The domain name that the DHCP server assigns to the client.

Lease: Specifies the lease time. The value range is 300 to 1048575 seconds. The default value is 3600. The lease is the period during which a client is allowed to use an IP address, starting from the time the address is assigned. After the lease expires, the client has to request an IP address from the DHCP server again.

Auto Configure: Enables automatic configuration. Select, from the drop-down list, an interface on the same device that has the DHCP client enabled. "----" indicates that auto configure is not enabled.
Auto configure only takes effect when another interface on the device has the DHCP client enabled. When auto configure is enabled and the DHCP server (the Hillstone device) has no DNS, WINS or domain name configured, the DNS, WINS and domain name information that the DHCP client interface obtained from its upstream DHCP server is passed on to the hosts served by the DHCP server (the Hillstone device). Manually configured DNS, WINS and domain name settings still take priority.

WINS1: Configures a primary WINS server for the client. Type the server's IP address into the box.

WINS2: Configures an alternative WINS server for the client. Type the server's IP address into the box.

Server

SMTP server: Configures an SMTP server for the client. Type the server's IP address into the box.

POP3 server: Configures a POP3 server for the client. Type the server's IP address into the box.

News server: Configures a news server for the client. Type the server's IP address into the box.

Relay agent: When device1, which has the DHCP server enabled, is connected to device2, which has DHCP relay enabled, and a PC obtains device1's DHCP information through device2, the DHCP information can only be delivered to the PC if the relay agent's IP address and netmask are configured on device1.
Relay agent: Type the relay agent's IP address and netmask, i.e., the IP address and netmask of the interface on device2 that has the relay agent enabled.

VCI-match-string: The DHCP server can verify the VCI carried by option 60 in the client's DHCP packets. When the VCI in the client's DHCP packet matches the VCI matching string configured on the DHCP server, the DHCP server offers the IP address and the other corresponding information. If not, the DHCP server drops the client's DHCP packets and does not reply to the client. If no VCI matching string is configured for the DHCP server, it ignores the VCI carried by option 60.
Note that the VCI is chosen by the client and sent in cleartext in an unauthenticated broadcast, so any host on the segment can present a matching value. Treat VCI matching as a way to steer provisioning data (such as option 43) to the intended device class, not as access control; untrusted segments still need policy rules.

1. Select the type of the VCI matching string, ASCII or HEX. When selecting ASCII, the VCI matching string must be enclosed in quotes if it contains spaces.

2. Enter the VCI matching string in the text box.

8. Click OK.
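The following Python script is an added example and is not part of the StoneOS guide or Hillstone's code. It encodes and parses the DHCP option TLVs from the option table above (66/67 as strings, 49/138/150 as lists of binary IPv4 addresses) and applies the VCI-match-string rule described under Advanced Configuration: the client's option 60 is compared byte for byte with a configured ASCII or HEX string, the request is dropped on a mismatch, and option 43 is returned only on a match. The packet contents, the VCI "example-ap", the server names and addresses and the option 43 sub-option bytes are all constructed for the example.

```python
"""Added example: DHCP option TLV handling and the option 60 VCI check.
Not from the StoneOS guide; standard library only; all packet bytes below
are constructed for this example."""
import ipaddress
import struct

# Option codes used in the table above.
OPT_VENDOR_SPECIFIC = 43    # offered only when the client's VCI matches
OPT_XWINDOW_DM = 49         # X Window System Display Manager addresses
OPT_VCI = 60                # vendor class identifier, chosen by the client
OPT_TFTP_SERVER_NAME = 66
OPT_BOOTFILE_NAME = 67
OPT_CAPWAP_AC = 138         # IPv4 addresses of CAPWAP access controllers
OPT_TFTP_SERVER_ADDR = 150
OPT_PAD, OPT_END = 0, 255


def encode_ipv4_list(addrs):
    """Options 49, 138 and 150 carry N x 4-byte binary IPv4 addresses."""
    return b"".join(ipaddress.IPv4Address(a).packed for a in addrs)


def decode_ipv4_list(value):
    if len(value) % 4:
        raise ValueError("IPv4 list length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, len(value), 4)]


def encode_options(options):
    """Serialize {code: bytes} as code/length/value TLVs ending with option 255."""
    out = bytearray()
    for code, value in options.items():
        if len(value) > 255:
            raise ValueError(f"option {code} exceeds 255 bytes")
        out += struct.pack("BB", code, len(value)) + value
    out.append(OPT_END)
    return bytes(out)


def parse_options(blob):
    """Parse TLVs into {code: bytes}; skip Pad, stop at End, reject truncation."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = value
        i += 2 + length
    return opts


def vci_matches(client_opts, match_string, kind="ascii"):
    """The VCI-match-string rule: exact comparison of the client's option 60
    with the configured string, given in ASCII or as HEX digits."""
    expected = match_string.encode() if kind == "ascii" else bytes.fromhex(match_string)
    return client_opts.get(OPT_VCI) == expected


def server_reply(client_opts, vci_match=None, vci_kind="ascii"):
    """Options the server offers, or None when it drops the request.
    With no VCI-match-string configured, option 60 is ignored entirely."""
    if vci_match is not None and not vci_matches(client_opts, vci_match, vci_kind):
        return None
    reply = {
        OPT_TFTP_SERVER_NAME: b"tftp.example.net",                     # constructed
        OPT_BOOTFILE_NAME: b"boot.cfg",                                 # constructed
        OPT_TFTP_SERVER_ADDR: encode_ipv4_list(["192.0.2.10"]),
        OPT_CAPWAP_AC: encode_ipv4_list(["192.0.2.20", "192.0.2.21"]),  # up to four ACs
    }
    if vci_match is not None:
        # Option 43 content is vendor-defined; these sub-option bytes are made up.
        reply[OPT_VENDOR_SPECIFIC] = b"\x01\x04\xc0\x00\x02\x1e"
    return reply


# Constructed DISCOVER options from a client announcing VCI "example-ap".
# Any host can send this value: the match steers provisioning, it is not auth.
CLIENT_DISCOVER = encode_options({OPT_VCI: b"example-ap"})

if __name__ == "__main__":
    opts = parse_options(CLIENT_DISCOVER)
    offered = server_reply(opts, vci_match="example-ap")
    print("offered options:", sorted(offered))
    print("CAPWAP ACs:", decode_ipv4_list(offered[OPT_CAPWAP_AC]))
    print("dropped on mismatch:", server_reply(opts, vci_match="other-vci") is None)
```

The parser rejects a truncated value rather than reading past the end of the buffer, which is the check a real DHCP server must make on client-supplied option lengths; the HEX form of the match string is simply the same bytes written as hex digits, so "example-ap" in ASCII and 6578616d706c652d6170 in HEX match the same client.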

Configuring a DHCP Relay Proxy
The device can act as a DHCP relay proxy to receive requests from a DHCP client and send
requests to the DHCP server, and then obtain DHCP information from the server and return it to
the client.
To create a DHCP relay proxy, take the following steps:

1. Select Network > DHCP.

2. Click New > DHCP Relay Proxy.

3. In the DHCP Relay Proxy page, select an interface to which the DHCP Relay Proxy will be
applied from the Interface drop-down list.

4. Type the IP addresses of DHCP servers into the Server 1/Server 2/Server 3 boxes.

5. Click OK.

Notes: To ensure that clients can successfully obtain IP addresses, the administrator
needs to configure DHCP relay permit policies in the direction from the DHCP
server to clients.

Configuring a DHCPv6 Server

To create a DHCPv6 server that allocates IPv6 addresses, take the following steps:

1. Select Network > DHCP.

2. Select New > DHCPv6 Server.

3. In the DHCPv6 Configuration page, configure as following:

Option Description

Interface: Specifies the interface on which the DHCPv6 server allocates IPv6 addresses.

rapid-commit: Click this button to let clients obtain an IPv6 address faster (a two-message Solicit/Reply exchange instead of four). Rapid-commit must be enabled on both the DHCPv6 client and the server.

Preference: Specifies the priority of the DHCPv6 server. The value range is 0 to 255. The bigger the value, the higher the priority.

DNS1: Configures a primary DNS server for the client. Type the server's IP address into the box.

DNS2: Configures an alternative DNS server for the client. Type the server's IP address into the box.

Domain: Configures the domain name for the DHCPv6 client.

Address Pool: The system can act as a DHCPv6 server to allocate IPv6 addresses to the DHCPv6 clients in the subnets.

IP: Specifies the IPv6 address prefix and prefix length.

Valid Lifetime: Specifies the valid lifetime of the address.

Preferred Lifetime: Specifies the preferred lifetime of the IPv6 address. The preferred lifetime must not be larger than the valid lifetime.

4. Click OK.

Configuring a DHCPv6 Relay Proxy


The device can act as a DHCPv6 relay proxy to receive requests from a DHCPv6 client and send
requests to the DHCPv6 server, and then obtain DHCP information from the server and return it
to the client.
To create a DHCPv6 relay proxy, take the following steps:

1. Select Network > DHCP.

2. Click New > DHCPv6 Relay Proxy.

3. In the DHCP Relay Proxy page, select an interface to which the DHCPv6 Relay Proxy will
be applied from the Interface drop-down list.

4. Type the IPv6 addresses of DHCPv6 servers into the Server 1/Server 2/Server 3 boxes.

5. If a DHCPv6 server is specified by a link-local address, you also need to select the egress interface name from the Egress Interface 1/Egress Interface 2/Egress Interface 3 drop-down list, because a link-local address is only meaningful on a particular link.

6. Click OK.

DDNS
DDNS (Dynamic DNS) is designed to resolve a fixed domain name to a dynamic IP address. Generally, the ISP allocates you a dynamic IP address each time you connect to the Internet, i.e., the allocated IP address varies between Internet connections. DDNS binds the domain name to your dynamic IP address, and the binding is updated automatically each time you connect to the Internet.
To enable DDNS, you have to register with a DDNS provider to obtain a dynamic domain name. Hillstone devices support the following 5 DDNS providers; visit one of the following websites to complete the registration:

• dyndns.org: http://dyndns.com/dns

• 3322.org: http://www.pubyun.com

• no-ip.com: http://www.noip.com

• Huagai.net: http://www.ddns.com.cn

• ZoneEdit.com: http://www.zoneedit.com

Configuring a DDNS
To create a DDNS, take the following steps:

1. Select Network > DDNS.

2. Click New.

3. In the DDNS Configuration page, configure as follows:

Option Description

DDNS Name: Specifies the name of the DDNS entry.

Interface: Specifies the interface to which DDNS is applied.


Hostname: Specifies the domain name obtained from the DDNS provider.

Provider

Provider: Specifies a DDNS provider. Choose one from the drop-down list.

Server Name: Specifies a server name for the configured DDNS.

Server Port: Specifies a server port number for the configured DDNS. The value range is 1 to 65535.

User

User Name: Specifies the user name registered with the DDNS provider.

Password: Specifies the corresponding password.

Confirm Password: Enter the password again to confirm.

Update Interval

Minimum Update Interval: When the IP address of the interface with DDNS enabled changes, the system sends an update request to the DDNS server. If the server does not respond, the system retries according to the configured minimum update interval, doubling the wait after each failure. For example, if the minimum update interval is set to 5 minutes, the second request is sent 5 minutes after the first failure; if it fails again, the third request follows 10 (5x2) minutes later; if it fails again, the fourth request follows 20 (10x2) minutes later, and so forth. The interval stops growing at 120 minutes, i.e., the system then sends requests at a fixed interval of 120 minutes. The default value is 5.

Maximum Update Interval: If the IP address has not changed, the system still sends an update request to the DDNS server at the maximum update interval. Type the maximum update interval into the box. The value range is 24 to 8760 hours. The default value is 24.

4. Click OK.

Notes: The Server name and Server port in the configuration options must be the
corresponding name and port of the DDNS server. Do not configure these options
if the exact information is unknown. The server will return the name and port
information automatically after connection to the DDNS server has been estab-
lished successfully.

PPPoE
PPPoE (Point-to-Point Protocol over Ethernet) combines PPP with Ethernet to implement access control, authentication, and accounting for clients during IP address allocation. The PPPoE protocol consists of two stages: the discovery stage and the PPP session stage.

• Discovery stage: The client discovers the access concentrator, learns its Ethernet MAC address, and establishes a PPPoE session ID.

• PPP session stage: The client and the access concentrator negotiate over PPP. The negotiation procedure is the same as a standard PPP negotiation.

Interfaces can be configured as PPPoE clients to establish PPPoE connections.

Configuring PPPoE
To create a PPPoE instance, take the following steps:

1. Select Network > PPPoE.

2. Click New.

3. In the PPPoE Configuration page, configure as follows.

Option Description

PPPoE Name: Specifies a name for the PPPoE instance.

Interface: Select an interface from the drop-down list.


User Name: Specifies a username.

Password: Specifies the corresponding password.

Confirm Password: Enter the password again to confirm.

Idle Interval: Controls automatic connection. If the PPPoE interface has been idle (no traffic) for the specified idle interval, the system disconnects the Internet connection; when the interface needs Internet access again, the system reconnects automatically. The value range is 0 to 10000 minutes. The default value is 0.

Reconnect Interval: If the PPPoE connection is down for any reason for the specified reconnect interval, the system tries to reconnect automatically. The value range is 0 to 10000 seconds. The default value is 10, which means the function is disabled.

Access Concentrator: Specifies the name of the access concentrator.

Authentication: The device has to pass PPPoE authentication when connecting to a PPPoE server. The supported authentication methods are CHAP, PAP and Any (the default; the device accepts whichever of CHAP and PAP the server requests). To configure a PPPoE authentication method, click the method you want. The configured method must be the same as that configured on the PPPoE server.
Note that PAP sends the password in cleartext over the link, whereas CHAP only sends an MD5 response to a server challenge. With Any selected, the device accepts a PAP request from whatever access concentrator answers the discovery stage; if the PPPoE server supports CHAP, select CHAP explicitly so the password is never transmitted.

Netmask: Specifies a netmask for the IP address obtained via PPPoE.

Distance: Specifies a route distance. The value range is 1 to 255. The default value is 1.

Weight: Specifies a route weight. The value range is 1 to 255. The default value is 1.

Service: Specifies the allowed service. The specified service must be the same as that provided by the PPPoE server. If no service is specified, the system accepts any service returned from the server automatically.

Static IP: You can specify a static IP address and negotiate to use this address to avoid IP changes. To specify a static IP address, type it into the Static IP box.

4. Click OK.
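The following Python script is an added example and is not part of the StoneOS guide or Hillstone's code. It models the PPP authentication exchange of the PPPoE session stage to show what the Authentication setting above means on the wire: a CHAP client answers a random challenge with MD5(Identifier || secret || Challenge) per RFC 1994 and never transmits the secret, a PAP client sends the password itself per RFC 1334, and a client configured as "Any" accepts whichever method the access concentrator requests. The user name, secret, challenge bytes and identifier are constructed for the example.

```python
"""Added example: the PPP authentication exchange during the PPPoE session
stage, to show what 'CHAP', 'PAP' and 'Any' mean on the wire.  Not from the
StoneOS guide; standard library only; user names, secrets and challenge
bytes are constructed for this example."""
import hashlib
import hmac
import os

# CHAP code field values (RFC 1994).
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def chap_response(ident, secret, challenge):
    """Client side: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def negotiate_method(client_setting, ac_request):
    """LCP outcome: the client's Authentication setting against the method the
    access concentrator requests.  'any' accepts either; a fixed setting is
    refused (None) when the server asks for something else."""
    if client_setting == "any":
        return ac_request
    return ac_request if ac_request == client_setting else None


class AccessConcentrator:
    """PPPoE server side.  Holds the secrets; with CHAP it never sends them."""

    def __init__(self, users):
        self.users = users              # {username: secret bytes}
        self.pending = {}               # identifier -> outstanding challenge

    def chap_challenge(self, ident):
        challenge = os.urandom(16)      # fresh per attempt, so responses cannot be replayed
        self.pending[ident] = challenge
        return challenge

    def chap_verify(self, ident, username, response):
        challenge = self.pending.pop(ident, None)
        secret = self.users.get(username)
        if challenge is None or secret is None:
            return CHAP_FAILURE
        expected = chap_response(ident, secret, challenge)
        return CHAP_SUCCESS if hmac.compare_digest(expected, response) else CHAP_FAILURE

    def pap_verify(self, username, password):
        return hmac.compare_digest(self.users.get(username, b""), password)


def authenticate(ac, username, secret, method, ident=0x2A):
    """Run one method; return (succeeded, bytes the client put on the wire)."""
    name = username.encode()
    if method == "chap":
        challenge = ac.chap_challenge(ident)
        resp = chap_response(ident, secret, challenge)
        wire = bytes([CHAP_RESPONSE, ident, len(resp)]) + resp + name
        return ac.chap_verify(ident, username, resp) == CHAP_SUCCESS, wire
    if method == "pap":
        # RFC 1334 Authenticate-Request: peer-id and password as cleartext strings.
        wire = bytes([len(name)]) + name + bytes([len(secret)]) + secret
        return ac.pap_verify(username, secret), wire
    raise ValueError(f"unknown method {method!r}")


# Constructed credentials shared by the client and the access concentrator.
USERS = {"isp-user": b"correct horse battery"}


def secret_visible_on_wire(username, secret, method):
    """Does a passive observer of the exchange learn the password?"""
    ac = AccessConcentrator(USERS)
    ok, wire = authenticate(ac, username, secret, method)
    return ok, secret in wire


if __name__ == "__main__":
    for method in ("chap", "pap"):
        ok, leaked = secret_visible_on_wire("isp-user", USERS["isp-user"], method)
        print(f"{method}: authenticated={ok} password_on_wire={leaked}")
    print("client 'any' vs rogue AC asking for PAP:", negotiate_method("any", "pap"))
    print("client 'chap' vs rogue AC asking for PAP:", negotiate_method("chap", "pap"))
```

Both methods authenticate the legitimate user, but only PAP exposes the secret to anyone who can see the Ethernet segment during discovery; the negotiate_method() check is the reason to pin CHAP rather than leave the default Any when the server supports it.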

Virtual Wire
The system supports VSwitch-based Virtual Wire. With this function enabled and a Virtual Wire interface pair configured, the two Virtual Wire interfaces form a virtual wire that connects the two subnetworks attached to the pair. The two connected subnetworks communicate directly on Layer 2, without forwarding through any other network segment. Policy rules and other controls still apply to traffic that crosses the Virtual Wire.
Virtual Wire operates in two modes, Strict and Non-Strict, as detailed below:

• Strict Virtual Wire mode: In this mode, Hillstone devices do not perform MAC address learning. Packets can only be transmitted between the interfaces of a Virtual Wire pair, and the VSwitch cannot operate in Hybrid mode. A PC connected to a Virtual Wire interface can neither manage the device nor access the Internet over that interface.

• Non-Strict Virtual Wire mode: In this mode, Hillstone devices perform MAC address learning. Packets can be transmitted between Virtual Wire interfaces, and the VSwitch also supports data forwarding in Hybrid mode. That is, this mode only restricts Layer 2 packet transmission between Virtual Wire interfaces, and does not affect Layer 3 forwarding.

The table below lists packet transmission conditions in Strict Virtual Wire and Non-Strict Virtual
Wire mode. You can choose an appropriate Virtual Wire mode according to the actual require-
ment.

Packet                                                                   | Strict | Non-strict
Egress and ingress are the interfaces of one Virtual Wire pair           | Allow  | Allow
Ingress is not a Virtual Wire interface                                  | Deny   | Deny
Egress and ingress belong to different Virtual Wire pairs                | Deny   | Deny
Ingress of a to-self packet is a Virtual Wire interface                  | Deny   | Allow
Ingress is a Virtual Wire interface, and egress is a Layer 3 interface   | Deny   | Allow

Configuring a Virtual-Wire
To create a Virtual-Wire, take the following steps:

1. Select Network > Virtual-Wire.

2. Click New.

3. In the Virtual-Wire Configuration page, select a virtual switch from the VSwitch drop-down
list.

4. In the Interface 1 drop-down list, specify an interface for the virtual wire interface pair. The
two interfaces in a single virtual wire interface pair must be different, and one interface can-
not belong to two different virtual wire interface pairs simultaneously.

5. In the Interface 2 drop-down list, specify an interface for the virtual wire interface pair. The
two interfaces in a single virtual wire interface pair must be different, and one interface can-
not belong to two different virtual wire interface pairs simultaneously.

6. Click OK.

Configuring the Virtual Wire Mode


To configure a virtual wire mode, take the following steps:

1. Select Network > Virtual-Wire.

2. Click Virtual-Wire Mode.

3. In the Virtual-Wire Mode Configuration page, select a virtual switch from the VSwitch
drop-down list.

4. Specify a virtual wire mode from one of the following options:

• Strict - Packets can only be transmitted between virtual wire interfaces, and the VSwitch cannot operate in Hybrid mode. A PC connected to the virtual wire can neither manage the device nor access the Internet over this interface.

• Non-strict - Packets can be transmitted between virtual wire interfaces, and the VSwitch also supports data forwarding in Hybrid mode. That is, this mode only restricts Layer 2 packet transmission between virtual wire interfaces, and does not affect Layer 3 forwarding.

• Disabled - Disables the virtual wire.

5. Click OK.

Virtual Router
A Virtual Router (VRouter) is known as a VR in the system. A VR acts as a router, and different VRs have their own independent routing tables. A VR named "trust-vr" is built into the system, and by default all Layer 3 security zones are bound to trust-vr automatically. Hillstone devices support multiple VRs; the maximum number of VRs varies with the hardware platform. Multiple VRs divide a device into multiple virtual routers, each of which maintains its own independent routing table, so one device acts as multiple routers. Multiple VRs provide address isolation between different routing domains and allow address overlap between different VRs, and help avoid route leaking, enhancing routing security. The binding relationships between interfaces, security zones, VSwitches and VRouters are as follows:

• Interfaces are bound to security zones. Interfaces bound to Layer 2 security zones and Layer 3 security zones are known as Layer 2 interfaces and Layer 3 interfaces respectively. An interface can be bound to only one security zone; a primary interface and its sub-interfaces can belong to different security zones.

• Security zones are bound to a VSwitch or a VRouter. Layer 2 security zones are bound to a VSwitch (by default the pre-defined Layer 2 security zone is bound to the default VSwitch1), and Layer 3 security zones are bound to a VRouter (by default the pre-defined Layer 3 security zone is bound to the default trust-vr), which in turn binds the interfaces to the VSwitch or VR. A security zone can be bound to only one VSwitch or VR.

Creating a Virtual Router


To create a Virtual Router, take the following steps:

1. Select Network > Virtual Router > Virtual Router.

2. Click New.

3. Type the name into the Virtual Router name box.

4. Click OK.

Global Configuration
Virtual Router's global configuration is the configuration for multiple Virtual Routers. To con-
figure Multi-Virtual Router, take the following steps:

1. Select Network > Virtual Router > Global Configuration.

2. Click the Enable button for Multi-Virtual Router.

3. Click Apply.

Notes:

• After Multi-Virtual Router is enabled or disabled, the system must reboot for the change to take effect. After rebooting, the system's maximum concurrent sessions may decrease if the function is enabled, or return to normal if the function is disabled. For more information about the maximum concurrent sessions, see "The Maximum Concurrent Sessions" on Page 1346.

• If Multi-Virtual Router is enabled, traffic can traverse up to 3 Virtual Routers; any traffic that has to traverse more than 3 Virtual Routers is dropped.

Virtual Switch
Depending on the actual requirement, the system can forward packets between some interfaces at Layer 2 (transparent mode) and between other interfaces at Layer 3 (routing mode). To allow a flexible hybrid of Layer 2 and Layer 3 forwarding, the system introduces the concept of the Virtual Switch (VSwitch). By default the system uses a VSwitch named VSwitch1. Each time you create a VSwitch, the system automatically creates a corresponding VSwitch interface (VSwitchIF) for it. You bind an interface to a VSwitch by binding the interface to a security zone and then binding the security zone to the VSwitch.
A VSwitch acts as a Layer 2 forwarding domain, and each VSwitch has its own independent MAC address table, so packets between interfaces in one VSwitch are forwarded according to Layer 2 forwarding rules. Policy rules can be configured within a VSwitch. The VSwitchIF acts as the switch's uplink interface, allowing packets to be forwarded between Layer 2 and Layer 3.

Creating a VSwitch
To create a VSwitch, take the following steps:

1. Select Network > VSwitch.

2. Click New.

Options are described as follows.

Option Description

VSwitch Name: Specifies a name for the VSwitch.

Virtual-Wire Mode: Specifies a Virtual-Wire mode for the VSwitch (for details on Virtual Wire, see "Virtual Wire" on Page 225):

• Strict - Packets can only be transmitted between Virtual Wire interfaces, and the VSwitch cannot operate in Hybrid mode. A PC connected to a Virtual Wire interface can neither manage the device nor access the Internet over this interface.

• Non-strict - Packets can be transmitted between Virtual Wire interfaces, and the VSwitch also supports data forwarding in Hybrid mode. That is, this mode only restricts Layer 2 packet transmission between Virtual Wire interfaces, and does not affect Layer 3 forwarding.

• Disabled - Disables Virtual Wire.

IGMP Snooping: Enables IGMP snooping on the VSwitch.

Forward Tagged Packets: Enables VLAN transparency so that the device transmits VLAN-tagged packets transparently, i.e., packets tagged with a VLAN ID keep their original ID after passing through the device.

Forward Double Tagged Packets: Enables VLAN transparency for double-tagged (QinQ) packets, i.e., packets carrying two VLAN tags keep their original tags after passing through the device.

Drop Unknown Multicast Packets: Drops packets sent to unknown multicast groups to save bandwidth.

3. Click OK.

Port Mirroring
Some low-end platforms do not support port mirroring.

Products that do not support port mirroring:

Series: SG-6000 A Series
Model: A1000

The device supports port mirroring on Ethernet interfaces. This function mirrors the traffic of one interface to another interface (the analytic interface) for analysis and monitoring.
To configure port mirroring, take the following steps:

1. Enable port mirroring on an Ethernet interface, and select the traffic type to be mirrored.

2. Configure a destination interface.

To configure the destination interface of port mirroring:

1. Select Network > Port Mirroring.

2. Select an interface from the Destination Interface drop-down list, and click OK. All the source and destination interfaces are listed in the table below.

WLAN
This feature may not be available on all platforms. Check your system's actual page to see whether your device delivers this feature.
A WLAN (Wireless Local Area Network) is a local area network that uses a wireless channel as its medium. WLANs are an important supplement to and extension of the wired LAN. By configuring the WLAN function, you can establish a wireless local area network and allow users to access the LAN wirelessly.

Creating a WLAN
To create a WLAN, take the following steps:

1. Select Network > WLAN.

2. Click New.

In the WLAN Configuration page, configure the following information.

Option Description

SSID: Specifies the name of the WLAN.

WLAN Interface: Specifies the WLAN interface bound to this newly created WLAN.

SSID Broadcast: Click the Enable button to enable SSID broadcast. After SSID broadcast is enabled, any user can find the network when scanning.

Security Mode: Configures the security mode:

• No encryption - Does not perform encryption.

• MAC-PSK - Integrates MAC authentication with WPA-WPA2-PSK authentication.

• WEP - Specifies the security mode as Wired Equivalent Privacy. WEP is cryptographically broken and its keys can be recovered from captured traffic in minutes; use it only for legacy devices that support nothing else.

• WPA, WPA2 - Specifies the security mode as WPA or WPA2 with 802.1X authentication. WPA and WPA2 are far stronger than WEP, and WPA2 is more secure than WPA.

• WPA-WPA2 - Compatible with both WPA and WPA2.

• WPA-PSK, WPA2-PSK - Specifies the security mode as WPA or WPA2 with pre-shared key authentication.

• WPA-WPA2-PSK - Compatible with both WPA-PSK and WPA2-PSK.

Link-layer Authentication Mode: When using the WEP security mode, specifies the authentication mode for the WLAN.

• open-system - The default authentication mode. This is the simplest mode: no authentication is performed.

• shared-key - Authenticates with the shared WEP key.


Data Encryption: When using a security mode other than WEP, specifies the data encryption mode: TKIP, CCMP, or TKIP-CCMP. CCMP (AES) is the WPA2 cipher; TKIP is the RC4-based WPA stop-gap for older hardware, so prefer CCMP wherever the clients support it.

Key: When using the WEP security mode, specifies the form and value of the key. The key can be a character string or a hexadecimal number. A character string is 5 or 13 characters long; a hexadecimal key is 10 or 26 hexadecimal digits (40-bit or 104-bit keys).

Pre-shared Key: When using the MAC-PSK, WPA-PSK, WPA2-PSK or WPA-WPA2-PSK security modes, specifies the form and value of the pre-shared key. The key can be a character string (passphrase) or a hexadecimal number. A character string is 8 to 63 characters long; a hexadecimal key is exactly 64 hexadecimal digits.

Maximum Users: Specifies the maximum number of users allowed to access this WLAN. The value ranges from 1 to 128. The default value is 64.

User Isolation: Select Enable to enable user isolation. After user isolation is enabled, users within one WLAN cannot access each other, which improves security between users.


AAA Server: When the security mode is WPA, WPA2, WPA-WPA2 or MAC-PSK, you must select a configured AAA server as the authentication server for user identification.

3. Click OK.
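The following Python script is an added example and is not part of the StoneOS guide or Hillstone's code. It shows what the Key and Pre-shared Key fields above actually hold: for WPA-PSK/WPA2-PSK the 64-hex-digit form is the 256-bit PMK itself, and an 8-63 character passphrase is expanded into that PMK with PBKDF2-HMAC-SHA1 over the SSID (4096 iterations), as IEEE 802.11 specifies; for WEP the 5/13-character and 10/26-hex-digit forms are the raw 40-bit and 104-bit keys. The passphrase "password" with SSID "IEEE" is the test vector published in the IEEE 802.11 standard (Annex H of the 2007 edition); the WEP key values and the SSID "office" are constructed for the example, and the form parameter mirrors the form selector in the WebUI.

```python
"""Added example: what the WLAN Key and Pre-shared Key fields contain.
Not from the StoneOS guide; standard library only.  'password'/'IEEE' is the
IEEE 802.11 published PSK test vector; the WEP keys are constructed."""
import hashlib
import re

HEX = re.compile(r"^[0-9a-fA-F]+$")


def wpa_psk_from_passphrase(passphrase, ssid):
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    This is the 64-hex-digit value the Pre-shared Key field accepts directly."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()


def wpa_pmk(value, ssid, form):
    """Accept either form of the Pre-shared Key field and return the 32-byte PMK.
    form is 'string' (passphrase) or 'hex' (64 hex digits), as in the WebUI."""
    if form == "hex":
        if len(value) != 64 or not HEX.match(value):
            raise ValueError("WPA hex key must be exactly 64 hex digits")
        return bytes.fromhex(value)
    if form == "string":
        return bytes.fromhex(wpa_psk_from_passphrase(value, ssid))
    raise ValueError("form must be 'string' or 'hex'")


def wep_key(value, form):
    """WEP Key field: 5/13 characters or 10/26 hex digits -> (key bits, key bytes).
    WEP-40 and WEP-104 are both broken; this only explains the length rules."""
    if form == "hex":
        if len(value) not in (10, 26) or not HEX.match(value):
            raise ValueError("WEP hex key must be 10 or 26 hex digits")
        key = bytes.fromhex(value)
    elif form == "string":
        if len(value) not in (5, 13):
            raise ValueError("WEP string key must be 5 or 13 characters")
        key = value.encode("latin-1")
    else:
        raise ValueError("form must be 'string' or 'hex'")
    return len(key) * 8, key


def same_passphrase_differs_per_ssid(passphrase, ssid_a, ssid_b):
    """The SSID is the PBKDF2 salt, so a precomputed table built for one SSID
    (typically a vendor default) is useless against a network with another name."""
    return wpa_pmk(passphrase, ssid_a, "string") != wpa_pmk(passphrase, ssid_b, "string")


if __name__ == "__main__":
    print("PMK('password', 'IEEE') =", wpa_psk_from_passphrase("password", "IEEE"))
    print("WEP 'abcde' ->", wep_key("abcde", "string"))
    print("WEP 26 hex digits ->", wep_key("0123456789abcdef0123456789", "hex")[0], "bits")
    print("SSID acts as salt:", same_passphrase_differs_per_ssid("password", "IEEE", "office"))
```

Because the PMK depends on the SSID, renaming a network away from a vendor default already defeats precomputed passphrase tables; the passphrase length and the 4096-iteration PBKDF2 are what the offline-guessing cost actually depends on, so the 8-character minimum is a floor, not a recommendation.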

Advanced Settings
To configure the advanced settings for WLAN, take the following steps:

1. Select Network > WLAN.

2. Click Advanced.

3. In the Advanced page, configure the following information.

Option Description

Countries & Regions: Different countries or regions have different regulations and limits on RF use. The country/region code determines the available frequency range, channels, and legal transmit power level. The default value is United States.

Working Mode: Configures the working mode.

• 802.11a - the interface works in 802.11a mode.

• 802.11b - the interface works in 802.11b mode.

• 802.11g - the interface works in 802.11g mode.

• 802.11an - the interface works in 802.11n mode in the 5 GHz band.

• 802.11bgn - the interface works in 802.11n mode in the 2.4 GHz band.

Channel: The available channels vary with the country/region code and RF type. The default value is auto, which lets the system select the channel automatically. After the country/region code or the working mode is changed, the system selects the channel automatically.


Maximum Transmit Power: The maximum transmit power varies with the country/region code and RF type. By default, there are four levels: 12.5%, 25%, 50% and 100% of the maximum transmit power.

4. Click OK.

3G/4G
This feature may not be available on all platforms. Check your system's actual page to see whether your device delivers this feature.
Third- and fourth-generation mobile telecommunications technology (3G/4G) supports high-speed data transmission. By configuring the 3G/4G function, users can access the Internet over the mobile network.
The 3G/4G function requires support from your ISP. Before configuring the 3G/4G function, purchase a SIM card from the ISP, enable the data connection service, install the SIM card correctly, and obtain the following 3G/4G parameters: access point (APN), username, password, and dial-up string.

Configuring 3G/4G Settings


To configure 3G/4G settings, take the following steps:

1. Select Network > 3G/4G.

2. In the 3G/4G tab, you can view the 3G/4G connection status in the Status section. Click
Connect to connect to the 3G network.

3. Select Enable to enable the 3G/4G function. By default, the 3G function is enabled.

4. Enter the name of the access point in the Access point text box. You can enter up to 31
characters.

5. Specify the 3G/4G user information. In the User Name text box, enter the username of the
3G/4G user. You can enter up to 31 characters. In the Password text box, enter the cor-
responding password.

6. Configure the dial-up string. Ask your ISP to provide the dial-up string and enter the dial-up
string in the Dial number text box.

7. Specify the authentication mode. When 3G/4G dial-up establishes the connection, it needs
to pass the PPP protocol verification. The device supports the following verification meth-
ods: CHAP, PAP, and Any. Select the desired method by selecting the Authentication radio
button.

8. Configure the IP address information for the 3G/4G interface. Select Auto-obtain to make
the 3G/4G interface obtain the IP address automatically. Select Static IP to enter the static
IP address and the netmask.

9. Specify the online mode in Redialing options. 3G/4G dial-up has two online modes as fol-
lows:

l Redial interval: When the 3G/4G connection disconnects due to certain reasons and
the disconnection time exceeds the specified time interval, system will redial auto-
matically. Specify the time interval in the Redial interval text box. The value ranges
from 0 to 10000 seconds. The default value is 0, which represents that the system
does not use the redial automatically mode.

l Idle time before hanging up: When the idle time of the 3G/4G (cellular) interface
reaches the specified value, system will disconnect the 3G/4G connection. Specify
the length of time in the Idle time before hanging up text box. The value ranges from

243 Chapter 5
Network
0 to 10000 seconds. The default value is 0, which represents that the system does not
use the hang up after a specified idle time mode

Notes: The above two modes cannot be used simultaneously.


Without configuring the schedule, system will use the "Redial inter-
val" mode by default.

10. Specify the security zone of the 3G/4G interface.

11. Click OK.

Notes: After installing the SIM card, system can automatically configure the settings
in the 3G/4G tab based on the information of the 3G/4G module. The settings
include the name of the access point, 3G/4G user information, and dial-up string.
You can modify the settings according to your requirements.

Managing Data Card


PIN (Personal Identification Number) code is used to identify the user of the SIM card and avoid
the illegal use of the SIM card.

Automatically Verifying the PIN Code

After enabling the PIN code protection, you can save the PIN code in system. After system
reboots, it can automatically verify the PIN code.
To automatically verify the PIN code, take the following steps:

1. Select Network > 3G/4G.

2. Click Data Card tab.

Chapter 5 244
Network
3. Enter the PIN code in the PIN Code text box. The value ranges from 4 to 8 numbers.

4. Click Apply to make the system save the PIN code.

Notes: After three consecutive failed attempts at PIN code, the SIM card will be
locked.

Enabling/Disabling the PIN Code Protection

To enable/disable the PIN code protection, take the following steps:

1. Select Network > 3G/4G.

2. Click Data Card tab.

3. Click Enable PIN code protection in the PIN code management section to enable the PIN
code protection function. To disable the function, click Disable PIN code protection.

4. Enter the PIN code in the PIN code text box. The PIN code consists of 4-8 decimal num-
bers.

5. Click Apply.

Modifying the PIN Code

To modify the PIN code, take the following steps:

1. Select Network > 3G/4G.

2. Click Data Card tab.

3. Click Change PIN code in the PIN code management section.

4. Specify the current PIN code in the Current PIN code text box. The PIN code consists of
4-8 decimal numbers.

245 Chapter 5
Network
5. Specify a new PIN code in the New PIN code text box. The PIN code consists of 4-8
decimal numbers.

6. Confirm the new PIN code in the Confirm PIN code text box.

7. Click Apply.

Manually Verifying the PIN Code

To manually verify the PIN code, take the following steps:

1. Select Network > 3G/4G.

2. Click Data Card tab.

3. Click Verify PIN Code in the PIN code management section.

4. Enter the PIN code in the PIN code text box. The PIN code consists of 4-8 decimal num-
bers.

5. Click Apply.

Unlocking the PIN Code

If the SIM card is locked, you need to obtain the PUK code from the ISP to unlock the SIM card
and set the new PIN code. To use the PUK code to unlock the PIN code, take the following
steps:

1. Select Network > 3G/4G.

2. Click Data Card tab.

3. Click Unlock PIN Code in the PIN code management section.

4. Enter the PUK code in the PUK code text box.

Chapter 5 246
Network
5. Specify a new PIN code in the New PIN code text box. The PIN code consists of 4-8
decimal numbers.

6. Confirm the new PIN code in the Confirm PIN code text box.

7. Click Apply.

247 Chapter 5
Network
Outbound Link Load Balancing
For Outbound LLB, the system can intelligently oute and dynamically adjust the traffic load of
each link by monitoring the delay, jitter, packet loss rate and bandwidth utilization of each link in
real-time.You can configure a flexible LLB profile to bind to the route (the current system only
supports DBR and PBR), forming LLB rules to implement outbound dynamic link load balancing,
and thus make efficient use of network bandwidth.

Configuring LLB Profile

The LLB profile contains the parameters of the load balancing algorithm, such as bandwidth util-
ization threshold, probe switch, probe mode, and equalization direction.

1. Select Network > Outbound > Profile.

2. Click New.

Chapter 5 248
Network
3. In the LLB Profile Configuration page, configure as follows:

Option Description

Profile Name Specifies the Profile name whose length range is 1-96
characters.

Bandwidth Specifies the bandwidth utilization threshold of the inter-


Utilization face. When the rate does not exceed the threshold by the
interface bandwidth, the system will only analysis delay,
jitter and packet loss rate to dynamically adjust the rout-
ing link; when the rate exceeds the threshold by the inter-
face bandwidth, system will analysis of each link
bandwidth utilization rate of the parameters at the same
time to adjust the routing method. Value ranges from 0 to
100 (0% to 100%) and defaults to 60.

Balance There are two equalization modes: High Performance and


Mode High Compatibility.

l High Performance - In this mode, system adjusts


link to keep the link balance as fast as possible

l High Compatibility - When the link load changes,


system does not switch the link frequently, but
ensures that the service is as far as possible on the
previous link. This mode is suitable for services
that are sensitive to link switching, such as banking
services, only when the previous link is over-
loaded.

Description Configure Additional details for the LLB profile.

249 Chapter 5
Network
4. Click OK.

Configuring LLB Rule

The LLB Profile and the route is bound by the formation of LLB rules that currently support bind-
ing destination routing (DBR) and policy-based routing (PBR).

1. Select Network > Outbound > Rule.

2. Click New.

Chapter 5 250
Network
3. In the LLB Policy Configuration page, configure the following:

Option Description

Rule Name Specifies the Rule name, length of 1-96 characters

LLB Profile Specifies the bandwidth utilization threshold. It is in the


range of 0-100 (0% -100%) and defaults to 60.

Bind Route Specify the route to be bound in the rule: Destination


Route or Policy Based Route.

l Destination Route - When this option is selected,


specify the virtual router and destination address of
the destination route.

l Policy Based Routing - Select this option to specify


the name and id of the policy route.

4. Click OK.

251 Chapter 5
Network
Inbound Link Load Balancing
After enabling the LLB for inbound traffic, the system will resolve domains of different IPs based
on the sources of the DNS requests and return IPs for different ISPs to the corresponding users
who initiate the requests, which reduces access across ISPs. Such a resolution method is known
as SmartDNS.
You can enable inbound LLB by the following steps:

1. Enable SmartDNS. This is the prerequisite for the implementation of inbound LLB.

2. Configure a SmartDNS rule table. The smart domain-to-IP resolution is implemented based
on the rule table.

Creating a Smart DNS Rule Table

To create a SmartDNS rule table, take the following steps:

1. Select Network > Inbound.

2. Click New > Domain Table.

3. In the Domain Configuration page, type a domain table name into Domain Table text box.

4. Type a domain name into Domain text box. Separate multiple domain names with comma.
Each rule table supports up to 64 domain names (case insensitive).

5. Click OK.

6. In the Inbound LLB page, click the domain table name you already created and then click
New.

Chapter 5 252
Network
In the New SmartDNS Rule page, configure the following:

Option Description

ISP Static Select a predefined or user-defined ISP from the drop-


Address down list. If the source address matches any address entry
of the ISP, system will return the specified IP.

Return IP Specifies the return IP for different request sources. You


can configure up to 64 IPs for a domain name.

Weight Specifies the weight of the return IP. The value range
is 1 to 100. The default value is 1. In the SmartDNS
rule table, one domain name might correspond to mul-
tiple IPs. System will sort the IPs based on the weight
and then return to the users.

Inbound Specifies the inbound interface for the return IP address.


Interface System will judge whether the return IP address is valid
according to the track result or the protocol status of the
inbound interface. Only the valid IP address will be
returned to the request source.
Select the proximity address to which the request source
address will be matched from the drop-down list.

Track Object Select a track object of interface type from the drop-

253 Chapter 5
Network
Option Description

down list. When the track object fails, the return IP


address is invalid. When there’s track object configured
on the inbound interface, if the track status is successful,
the return IP address is valid. Otherwise the IP address is
invalid. When there’s no track object configured on
inbound interface, if the protocol state of the interface is
UP, the return IP address is valid. Otherwise the IP
address is invalid. If you don’t specify the inbound
interface for the return IP address, the return IP address
is always valid.

7. Click OK.

Notes: The ISP route being referenced by the SmartDNS rule table cannot be
deleted. 

Chapter 5 254
Network
Application Layer Gateway (ALG)
Some applications use multi-channels for data transmission, such as the commonly used FTP. In
such a condition the control channel and data channel are separated. Devices under strict security
policy control may set strict limits on each data channel, like only allowing FTP data from the
internal network to the external network to transfer on the well-known port TCP 21. Once in the
FTP active mode, if a FTP server in the public network tries to initiate a connection to a random
port of the host in the internal network, devices will reject the connection and the FTP server
will not work properly in such a condition. This requires devices to be intelligent enough to prop-
erly handle the randomness of legitimate applications under strict security policies. In FTP
instances, by analyzing the transmission information of the FTP control channel, devices will be
aware that the server and the client reached an agreement, and open up a temporary com-
munication channel when the server takes the initiative to connect to a port of the client, thus
assuring the proper operation of FTP.
The system adopts the strictest NAT mode. Some VoIP applications may work improperly after
NAT due to the change of IP address and port number. The ALG mechanism can ensure the nor-
mal communication of VoIP applications after the NAT. Therefore, the ALG supports the fol-
lowing functions:

l Ensures normal communication of multi-channel applications under strict security policy


rules.

l Ensures the proper operation of VoIP applications such as SIP and H.323 in NAT mode, and
performs monitoring and filtering according to policies.

Enabling ALG
The system allows you to enable or disable ALG for different applications. Devices support ALG
for the following applications: FTP, HTTP, MSRPC, PPTP, Q.931, RAS, RSH, RTSP, SIP,
SQLNetV2, SUNRPC, TFTP, DNS, Auto and XDMCP. You can not only enable ALG for applic-
ations, but also specify H323's session timeout.
To enable the ALG for applications, take the following steps:

255 Chapter 5
Network
1. Select Network> Application Layer Gateway.

2. In the Application Layer Gateway dialog, select the applications that require ALG.

3. To modify H323's session timeout, type the value into the H323 session timeout box. The
value range is 60 to 1800 seconds. The default value is 60.

4. Click OK to save your changes.

Chapter 5 256
Network
Notes: Only when the FTP ALG is enabled can the FTPS ALG be selected.

257 Chapter 5
Network
Global Network Parameters
Global network parameter configuration includes IP fragment, TCP packet processing methods
and other options.

Configuring Global Network Parameters


To configure global network parameters, take the following steps:

1. Select Network > Global Network Parameters > Global Network Parameters.

2. Configure the following parameters.

Chapter 5 258
Network
Option Description

IP Fragment

Maximum Specifies a maximum fragment number for every IP


Fragment packet. The value range is 1 to 1024. The default value is
Number 48. Any IP packet that contains more fragments than this
number will be dropped.

Timeout Specifies a timeout period of fragment reassembling. The


value range is 1 to 30. The default value is 2. If the Hill-
stone device has not received all the fragments after the
timeout, the packet will be dropped.

Long Dur- Enables or disables long duration session. If this function


ation Session is enabled, specify long duration session's percentage in
the Percentage text box below. The default value is 10,
i.e., 10% of long duration session in the total sessions.

TCP

TCP MSS Specifies a MSS value for all the TCP SYN/ACK pack-
ets. Click the Enable button, and type the value into the
Maximum MSS text box below.

Maximum Type the max MSS value into the Maximum MSS text box
MSS below. The value range is 64 to 65535. The default value
is 1448.

TCP MSS Specifies a MSS value for IPSec VPN's TCP SYN pack-
VPN ets. Click the Enable button, and type the value into the
Maximum MSS text box below.

259 Chapter 5
Network
Option Description

Maximum Type the max MSS value for IPSEC VPN into the Max-
MSS imum MSS text box below. The value range is 64 to
65535. The default value is 1380.

TCP Configures if the TCP sequence number will be checked.


Sequence When this function is enabled, if the TCP sequence num-
Number ber exceeds TCP window, that TCP packet will be
Check dropped.

TCP Three- Configures if the timeout of TCP three-way handshaking


way Hand- will be checked. Click the Enable button to enable this
shaking function, and specify a timeout value in the Timeout text
box below. The value range is 1 to 1800 seconds. The
default value is 20. If the three-way handshaking has not
been completed after timeout, the connection will be
dropped.

TCP SYN Click the Enable button to enable this function and spe-
Packet cify the action for TCP non-SYN packet. When the
Check received packet is a TCP SYN packet, the TCP con-
nection will be established. When the received packet is a
TCP non-SYN packet, the packet will be processed
according to the specified action.

l drop: When the received packet is a TCP non-SYN


packet, the system will drop the packet.

l reset:When the received packet is a TCP non-

Chapter 5 260
Network
Option Description

SYN packet, the system will drop the packet and


send RST packet to the peer device.

Others

Non-IP and Specifies how to process packets that are neither IP nor
Non-ARP ARP.
Packet

3. Click OK.

Configuring Protection Mode


To configure the protection mode, take the following steps:

1. Select Network > Global Network Parameters > Protection Mode.

2. Configure the traffic working mode.

l Log only - System only generates protocol anomaly alarms and attacking behavior
logs, but will not block attackers or reset connections.

l Protect - System not only records attack behavior detected by Intrusion Prevention
System, Anti-Virus or AD, Policy, Black list, but also reset the connection or block
the access.

261 Chapter 5
Network
Notes: Log & reset mode is recommended. In this mode, the security performance
of the device can take effect normally. If log only mode is selected, system can only
record logs, and functions which can block traffic in system will be invalid, includ-
ing policy, IPS, AV, QoS, etc.

Chapter 5 262
Network
Chapter 6 Advanced Routing
Routing is the process of forwarding packets from one network to the destination address in
another network. Router, a packet forwarding device between two networks, is designed to trans-
mit packets based on the various routes stored in routing tables. Each route is known as a routing
entry.
Hillstone devices are designed with Layer 3 routing. This function allows you to configure routing
options and forward various packets via VRouter. System implements with a default VRouter
trust-vr, and also supports multiple VRouters (multi-VR).
Hillstone devices support destination routing, ISP routing, Source-Based Routing (SBR), Source-
Interface-Based Routing (SIBR), Destination-Interface-Based Routing (DIBR), Policy-Based
Routing (PBR), dynamic routing (including RIP, OSPF and BGP) and Equal Cost MultiPath Rout-
ing (ECMP).

l Destination Routing: A manually-configured route which determines the next routing hop
according to the destination IP address.

l DIBR: A manually-configured route which determines the next routing hop according to the
destination IP address and ingress interface.

l SBR: Source IP based route which selects routers and forwards data according to the source
IP address.

l SIBR: Source IP and ingress interface based route.

l ISP Profile: Add a subnet to an ISP.

l ISP Routing: A kind of route which determines the next hop based on different ISPs.

l PBR: A route which forwards data based on the source IP, destination IP address and service
type.

Chapter 6 263

Advanced Routing
l Dynamic Routing: Selects routers and forwards data according to the dynamic routing table
generated by dynamic routing protocols ("RIP" on Page 298, "OSPF" on Page 303 or BGP).

l ECMP: Load balancing traffic destined to the same IP address or segment in multiple routes
with equal management distance.

When forwarding the inbound packets, the device will select a route in the following sequence:
PBR > SIBR > SBR > DIBR > Destination routing/ISP routing/Proximity routing/Dynamic
routing.
Routing supports IPv4 and IPv6 address. If IPv6 is enabled, you can configure IPv6 address
entry for the routing rule.
Related Topics:

l "Destination Route" on Page 265

l "Destination-Interface Route" on Page 268

l "Source Route" on Page 272

l "Source-Interface Route" on Page 275

l "ISP Profile" on Page 279

l "ISP Route" on Page 283

l "Policy-based Route" on Page 286

l "RIP" on Page 298

264 Chapter 6

Advanced Routing
Destination Route
The destination route is a manually-configured route entry that determines the next routing hop
based on the destination IP address. Usually a network with comparatively a small number of out-
bound connections or stable Intranet connections will use a destination route. You can add a
default route entry at your own choice as needed.

Creating a Destination Route


To create a destination route, take the follwing steps:

1. Select Network > Routing > Destination Route.

2. Select the IPv4 or IPv6 tab page, and create an IPv4 destination route or IPv6 destination
route on the corresponding page. This step is only applicable for IPv6 version.

3. Click New.

In the Destination Route Configuration page, enter values.

Chapter 6 265

Advanced Routing
Option Description

Virtual From the Virtual Router drop-down list, select the Vir-
Router tual Routerouter for the new route. The default value is
"trust-vr".

Destination Type the IP address for the route into the text box.

Netmask Type the corresponding subnet mask into the text box.

Next-hop To specify the type of next hop, click Gateway, Virtual


Router, Interface.

l Gateway: Type the IP address into the Gateway

266 Chapter 6

Advanced Routing
Option Description

text box.

l Virtual Router: Select a name from the drop-down


list.

l Interface: Select a name from the Interface drop-


down list. Type the IP address into the Gateway
text box. For a tunnel interface, you need to type
the gateway address for the tunnel's peer in the
optional box below.

Schedule Specifies a schedule when the rule will take effect. Select
a desired schedule from the Schedule drop-down list.
After selecting the desired schedules, click the blank area
in this dialog to complete the schedule configuration.
To create a new schedule, click New Schedule.

Track Object Select a created track object from the drop-down manual.
When the track fails, the route will be invalid.

Precedence Type the route precedence into the text box. The smaller
the parameter is, the higher the precedence is. If multiple
routes are available, the route with higher precedence will
be prioritized. The value range is 1 to 255. The default
value is 1. When the value is set to 255, the route will be
invalid.

Weight Type the weight for the route into the text box. This para-
meter is used to determine the weight of traffic for-

Chapter 6 267

Advanced Routing
Option Description

warding in load balance. The value range is 1 to 255. The


default value is 1.

Tag Specifies the tag value of the destination route. When


OSPF redistributes routes, if the configured routing tag
values here are matched to the rules in the routing map-
ping table, the route will be redistributed to filter its
information. The value range is 1 to 4294967295.

Description Type the description information into the Description


text box if necessary.

4. Click OK.

Destination-Interface Route
Destination interface route is designed to select a route and forward data based on the Destination
IP address and ingress interface of a packet.

Creating a Destination-Interface Route


To create a Destination-Interface route, take the following steps:

1. Select Network > Routing > Destination Interface Route.

2. Select the IPv4 or IPv6 tab page, and create an IPv4 Destination-Interface route or IPv6
Destination-Interface route on the corresponding page. This step is only applicable for IPv6
version.

3. Click New.

In the Destination Interface Route Configuration page, enter values.

268 Chapter 6

Advanced Routing
Option Description

Virtual From the Virtual Router drop-down list, select the Vir-
Router tual Routerouter for the new route. The default value is
"trust-vr".

Ingress Inter- Select an interface for the route from the drop-down list.
face

Destination Type the Destination IP for the route into the textbox.
IP

Netmask Type the corresponding subnet mask into the textbox.

Chapter 6 269

Advanced Routing
Option Description

Next-hop To specify the type of next hop, click Gateway, Virtual


Router, Interface.

l Gateway: Type the IP address into the Gateway


text box.

l Virtual Router: Select a name from the Virtual


Router drop-down list.

l Interface: Select a name from the Interface drop-


down list. Type the IP address into the Gateway
text box. For a tunnel interface, you need to type
the gateway address for the tunnel's peer in the
optional box below.

Schedule Specifies a schedule when the rule will take effect. Select
a desired schedule from the Schedule drop-down list.
After selecting the desired schedules, click the blank area
in this dialog to complete the schedule configuration.
To create a new schedule, click New Schedule.

Track Object Select a created track object from the drop-down manual.
When the track fails, the route will be invalid.

Precedence Type the route precedence into the textbox. The smaller
the parameter is, the higher the precedence is. If multiple
routes are available, the route with higher precedence will
be prioritized. The value range is 1 to 255. The default
value is 1. When the value is set to 255, the route will be

270 Chapter 6

Advanced Routing
Option Description

invalid.

Weight Type the weight for the DIBR into the textbox. This para-
meter is used to determine the weight of traffic for-
warding in load balance. The value range is 1 to 255. The
default value is 1.

Description Type the description information into the Description


text box if necessary.

4. Click OK.

Chapter 6 271

Advanced Routing
Source Route
Source route is designed to select a router and forward data based on the source IP address of a
packet.

Creating a Source Route


To create a source route, take the following steps:

1. Select Network > Routing > Source Route.

2. Select the IPv4 or IPv6 tab page, and create an IPv4 source route or IPv6 source route on
the corresponding page. This step is only applicable for IPv6 version.

3. Click New.

In the Source Route Configuration page, enter values.

272 Chapter 6

Advanced Routing
Option Description
Virtual From the Virtual Router drop-down list, select the Vir-
Router tual Routerouter for the new route. The default value is
"trust-vr".
Source IP Type the source IP for the route into the box.
Netmask Type the corresponding subnet mask into the box.
Next-hop To specify the type of next hop, click Gateway, Virtual
Router, Interface.

l Gateway: Type the IP address into the Gateway


text box.

l Virtual Router: Select a name from the drop-


down list.

l Interface: Select a name from the Interface drop-


down list. Type the IP address into the Gateway
text box. For a tunnel interface, you need to type
the gateway address for the tunnel's peer in the
optional box below.

Schedule Specifies a schedule when the rule will take effect.


Select a desired schedule from the Schedule drop-down
list. After selecting the desired schedules, click the
blank area in this dialog to complete the schedule con-
figuration.
To create a new schedule, click New Schedule.
Track Select a created track object from the drop-down
Object manual. When the track fails, the route will be invalid.
Precedence Type the route precedence into the box. The smaller

Chapter 6 273

Advanced Routing
Option Description
the parameter is, the higher the precedence is. If mul-
tiple routes are available, the route with higher pre-
cedence will be prioritized. The value range is 1 to 255.
The default value is 1. When the value is set to 255, the
route will be invalid.
Weight Type the weight for the route into the box. This para-
meter is used to determine the weight of traffic for-
warding in load balance. The value range is 1 to 255.
The default value is 1.
Description Type the description information into the Description
text box if necessary.

4. Click OK.

274 Chapter 6

Advanced Routing
Source-Interface Route
Source interface route is designed to select a router and forward data based on the source IP
address and ingress interface of a packet.

Creating a Source-Interface Route


To create a Source-Interface route, take the following steps:

1. Select Network > Routing > Source Interface Route.

2. Select the IPv4 or IPv6 tab page, and create an IPv4 Source-Interface route or IPv6 Source-
Interface route on the corresponding page. This step is only applicable for IPv6 version.

3. Click New.

In the Source Interface Route Configuration page, enter values.

Chapter 6 275

Advanced Routing
Option Description

Virtual From the Virtual Router drop-down list, select the Vir-
Router tual Routerouter for the new route. The default value is
"trust-vr".

Ingress Inter- Select an interface for the route from the drop-down list.
face

Source IP Type the source IP for the route into the textbox.

Netmask Type the corresponding subnet mask into the textbox.

Next-hop To specify the type of next hop, click Gateway, Virtual

276 Chapter 6

Advanced Routing
Option Description

Router, Interface.

l Gateway: Type the IP address into the Gateway


text box.

l Virtual Router: Select a name from the Virtual


Router drop-down list.

l Interface: Select a name from the Interface drop-


down list. Type the IP address into the Gateway
text box. For a tunnel interface, you need to type
the gateway address for the tunnel's peer in the
optional box below.

Schedule Specifies a schedule when the rule will take effect. Select
a desired schedule from the Schedule drop-down list.
After selecting the desired schedules, click the blank area
in this dialog to complete the schedule configuration.
To create a new schedule, click New Schedule.

Track Object Select a created track object from the drop-down manual.
When the track fails, the route will be invalid.

Precedence Type the route precedence into the textbox. The smaller
the parameter is, the higher the precedence is. If multiple
routes are available, the route with higher precedence will
be prioritized. The value range is 1 to 255. The default
value is 1. When the value is set to 255, the route will be
invalid.

Chapter 6 277

Advanced Routing
Option Description

Weight Type the weight for the ISP route into the textbox. This
parameter is used to determine the weight of traffic for-
warding in load balance. The value range is 1 to 255. The
default value is 1.

Description Type the description information into the Description


text box if necessary.

4. Click OK.

278 Chapter 6

Advanced Routing
ISP Profile
To configure an ISP route, you need to first add a subnet to an ISP, and then configure the ISP
route. The destination of the route is determined by the name of the ISP. You can customize ISP
information, or upload profiles that contain different ISP information.

Creating an ISP Profile


To create an ISP Profile, take the following steps:

1. Select Network > Routing > ISP Profile.

2. Select the IPv4 or IPv6 tab, this option can only be configured in the IPv6 version

3. Click New.

In the ISP Configuration page, enter values.

Option Description

ISP Profile Type the name for the new ISP profile into the textbox.

Subnet List

Member Specifies the member type of the ISP profile, including


subnet member entry and ISP profile member entry.

Chapter 6 279

Advanced Routing
Option Description

When creating an IPv4 ISP profile:

l Add subnet member: Select IP/Netmask from the


drop-down list, and then type the IPv4 address and
nermask for the subnet into the textbox.

l Add an IPv4 ISP menber: Add an IPv4 ISP profile


entry, that is to add other configured IPv4 ISP pro-
file (predefined IPv4 ISP profile or user-defined
IPv4 ISP profile), select ISP Profile from the drop-
down list, and then select the ISP profile name.
When creating an IPv6 ISP profile:

l Add subnet member: Select IPv6/Prefix from the


drop-down list, and then type the IPv6 address and
prefix for the subnet into the textbox.

l Add an IPv6 ISP menber: Add an IPv6 ISP profile


entry, that is to add other configured IPv6 ISP pro-
file (predefined IPv6 ISP profile or user-defined
IPv6 ISP profile), select ISP Profile from the drop-
down list, and then select the ISP profile name.

New Add the member to the ISP profile. The member will be
displayed in the list below. If needed, repeat the steps to
add multiple subnets for the ISP profile.

Delete Delete the selected ISP profiles.

4. Click OK.

280 Chapter 6

Advanced Routing
Deleting a User-defined ISP Profile
To delete a user-defined ISP Profile, take the following steps:

1. Select Network > Routing > ISP Profile.

2. Select the IPv4 or IPv6 tab, this option can only be configured in the IPv6 version

3. Selete the user-defined ISP profile, and click Delete.

Notes:
l The predefined ISP profile cannot be deleted.

l To ensure that the custom ISP profile can be deleted normally, please delete
the nested ISP profile entry before deleting it.

Upgrading a Pre-defined ISP Profile

The pre-defined ISP profile shipped with StoneOS is encrypted. If the predefined profile has been updated, you need to upgrade to the new profile.
To upgrade an ISP Profile, take the following steps:

1. Select Network > Routing > ISP Profile.

2. Select the IPv4 or IPv6 tab. This option can only be configured in the IPv6 version.

3. Click Upgrade.

4. Click Browse to select a pre-defined ISP profile on your PC.

5. Click Upload to upload the selected pre-defined ISP profile to the device.

Uploading a User-defined ISP Profile


To upload a user-defined ISP Profile, take the following steps:

1. Select Network > Routing > ISP Profile.

2. Select the IPv4 or IPv6 tab. This option can only be configured in the IPv6 version.

3. Click Upload.

4. Click Browse to select the user-defined ISP profile on your PC.

5. Click Upload to upload the selected user-defined ISP profile to the device.

Saving an ISP Profile


To save an ISP Profile, take the following steps:

1. Select Network > Routing > ISP Profile.

2. Select the IPv4 or IPv6 tab. This option can only be configured in the IPv6 version.

3. Click Save.

4. In the Save User-defined ISP Configuration page, select an ISP profile from the ISP profile drop-down list.

5. Click Save to save the profile to a specified location on your PC.

ISP Route
Many users subscribe to multiple ISP lines for load balancing. However, ordinary load balancing does not take the direction of the traffic into account. For such a scenario, the device provides the ISP route, which allows traffic for different ISPs to take the routes dedicated to those ISPs, thus accelerating network access.
To configure an ISP route, first add subnets to an ISP profile, and then configure the ISP route. The destination of the route is determined by the ISP profile name. You can define the ISP information yourself, or upload profiles that contain different ISP information.

Creating an ISP Route


To create an ISP route, take the following steps:

1. Select Network > Routing > ISP Route.

2. Select the IPv4 or IPv6 tab. This option can only be configured in the IPv6 version.

3. Click New.

In the ISP Configuration page, enter values.

Option Description

ISP Profile: Select an ISP profile name from the drop-down list.

Virtual Router: From the Virtual Router drop-down list, select the Virtual Router for the new route. The default value is "trust-vr".

Next-hop: To specify the type of next hop, click Gateway, Virtual Router or Interface.

• Gateway: Type the IP address into the Gateway text box.

• Virtual Router: Select a name from the Virtual Router drop-down list.

• Interface: Select a name from the Interface drop-down list. Type the IP address into the Gateway text box. For a tunnel interface, you need to type the gateway address for the tunnel's peer in the optional box below.

Schedule: Specifies a schedule when the rule will take effect. Select a desired schedule from the Schedule drop-down list. After selecting the desired schedules, click the blank area in this dialog to complete the schedule configuration. To create a new schedule, click New Schedule.

Precedence: Type the route precedence into the textbox. The smaller the parameter is, the higher the precedence is. If multiple routes are available, the route with higher precedence will be prioritized. The value range is 1 to 255. The default value is 10. When the value is set to 255, the route will be invalid.

Weight: Type the weight for the ISP route into the textbox. This parameter is used to determine the weight of traffic forwarding in load balancing. The value range is 1 to 255. The default value is 1.

Description: Type the description information into the Description text box if necessary.

4. Click OK.
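The precedence and weight rules in the table above, worked through as an added example (not code from this guide or from StoneOS). It models an ISP profile as a set of subnets with optional nested profiles, keeps only the matching routes with the lowest precedence, treats precedence 255 as invalid, and spreads flows over equal-precedence routes in proportion to their weights. The profile names, subnets, next hops and the flow-to-weight mapping are constructed assumptions; the guide does not describe the device's internal sharing algorithm.

```python
# Added example (not StoneOS code): how an ISP route picks a next hop.
# Profile names, subnets and next-hop addresses below are constructed.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class IspProfile:
    """An ISP profile: a set of subnets plus optionally nested ISP profiles."""
    name: str
    subnets: list = field(default_factory=list)   # ip_network objects
    members: list = field(default_factory=list)   # nested IspProfile objects

    def contains(self, addr) -> bool:
        """True when addr is inside this profile or any nested profile."""
        if any(addr in net for net in self.subnets):
            return True
        return any(m.contains(addr) for m in self.members)


@dataclass
class IspRoute:
    """An ISP route: the profile is the destination; precedence and weight as in the table."""
    profile: IspProfile
    next_hop: str
    precedence: int = 10   # 1..255, lower is preferred, 255 means invalid
    weight: int = 1        # 1..255, share of traffic among equal-precedence routes

    def __post_init__(self):
        if not (1 <= self.precedence <= 255 and 1 <= self.weight <= 255):
            raise ValueError("precedence and weight must be in 1..255")


def candidate_routes(routes, dst):
    """Routes whose profile covers dst, restricted to the best (lowest) precedence.

    Routes with precedence 255 are invalid and never used.
    """
    addr = ipaddress.ip_address(dst)
    usable = [r for r in routes if r.precedence < 255 and r.profile.contains(addr)]
    if not usable:
        return []
    best = min(r.precedence for r in usable)
    return [r for r in usable if r.precedence == best]


def pick_next_hop(routes, dst, flow_id):
    """Weighted selection among candidate routes for one flow.

    The flow index is mapped onto the cumulative weights, so over many flows
    each next hop receives traffic in proportion to its weight (an assumed
    model of weight-based sharing; the guide does not detail the device's
    own algorithm). Returns None when no ISP route matches, i.e. ordinary
    routing would apply.
    """
    cands = candidate_routes(routes, dst)
    if not cands:
        return None
    slot = flow_id % sum(r.weight for r in cands)
    for r in cands:
        if slot < r.weight:
            return r.next_hop
        slot -= r.weight
    raise AssertionError("unreachable: slot is always below the total weight")


def share(routes, dst, n_flows):
    """Count how n_flows flows to dst are spread over next hops."""
    counts = {}
    for i in range(n_flows):
        nh = pick_next_hop(routes, dst, i)
        counts[nh] = counts.get(nh, 0) + 1
    return counts


# Constructed sample data: two ISPs, a third one reachable only through a
# nested "all ISPs" profile, and one route made invalid with precedence 255.
ISP_A = IspProfile("isp-a", [ipaddress.ip_network("203.0.113.0/24")])
ISP_B = IspProfile("isp-b", [ipaddress.ip_network("198.51.100.0/24")])
ISP_C = IspProfile("isp-c", [ipaddress.ip_network("192.0.2.0/24")])
ISP_ALL = IspProfile("isp-all", members=[ISP_A, ISP_B, ISP_C])

ROUTES = [
    IspRoute(ISP_A, "10.0.1.1", precedence=10, weight=3),
    IspRoute(ISP_A, "10.0.1.2", precedence=10, weight=1),
    IspRoute(ISP_B, "10.0.2.1", precedence=10),
    IspRoute(ISP_B, "10.0.2.5", precedence=5),      # preferred: lower precedence
    IspRoute(ISP_B, "10.0.2.9", precedence=255),    # invalid, never chosen
    IspRoute(ISP_ALL, "10.0.9.1", precedence=20),   # catch-all via nested profile
]

if __name__ == "__main__":
    print(share(ROUTES, "203.0.113.7", 8))           # {'10.0.1.1': 6, '10.0.1.2': 2}
    print(pick_next_hop(ROUTES, "198.51.100.5", 0))  # 10.0.2.5
    print(pick_next_hop(ROUTES, "192.0.2.1", 0))     # 10.0.9.1
    print(pick_next_hop(ROUTES, "100.64.0.1", 0))    # None
```

Running it shows the two effects the table describes: with weights 3 and 1 the first ISP's two links carry 6 and 2 of 8 flows, and a route with precedence 5 is chosen over one with precedence 10 for the same ISP while the precedence-255 route is never used.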

Policy-based Route
Policy-based Route (PBR) is designed to select a route and forward packets based on the source IP address, destination IP address and service type of a packet.

Creating a Policy-based Route


To create a Policy-based route, take the following steps:

1. Select Network > Routing > Policy-based Routing.

2. Click New. Select PBR from the drop-down list.

In the Policy-based Route Configuration page, configure the following.

Option Description

PBR Name: Specifies a name for the policy-based route.

Virtual Router: From the Virtual Router drop-down list, select the Virtual Router for the new route. The default value is "trust-vr".

Type: Specifies the object type that the policy-based route binds to. You can select Zone, Virtual Router, Interface or No Binding.

• Zone: Click this option button and select a zone from the Bind To drop-down list.

• Virtual Router: Click this option button to show the virtual router that the policy-based route binds to.

• Interface: Click this option button and select an interface from the Bind To drop-down list.

• No Binding: The policy-based route is not bound to any object.

3. Click OK.

Creating a Policy-based Route Rule


To create a Policy-based Route rule, take the following steps:

1. Select Network > Routing > Policy-based Routing.

2. Click New. Select Rule from the drop-down list.

In this page, configure the following.

Option Description

PBR Name: Specifies a name for the policy-based route.

Description (Optional): Type information about the PBR rule.

Source

Address: Specifies the source addresses of the PBR rule.

1. Select an address type from the Address drop-down list.

2. Select or type the source addresses based on the selected type.

3. Click Add to add the addresses to the left pane.

4. After adding the desired addresses, click Close.

You can also perform other operations:

• When selecting the Address Book type, you can click the button to create a new address entry.

• The default address configuration is any. To restore the configuration to this default one, select the any check box.

User: Specifies a role, user or user group for the PBR rule.

1. From the User drop-down menu, select the AAA server which the users and user groups belong to. To specify a role, select Role from the AAA Server drop-down list.

2. Depending on the type of AAA server, you can perform one or more of the following actions: search for a user/user group/role, expand the user/user group list, or enter the name of the user/user group.

3. After selecting users/user groups/roles, click them to add them to the left pane.

4. After adding the desired objects, click Close to complete the user configuration.

Destination

Address: Specifies the destination addresses of the PBR rule.

1. Select an address type from the Address drop-down list.

2. Select or type the destination addresses based on the selected type.

3. Click Add to add the addresses to the left pane.

4. After adding the desired addresses, click Close.

You can also perform other operations:

• When selecting the Address Book type, you can click the button to create a new address entry.

• The default address configuration is any. To restore the configuration to this default one, select the any check box.

Other

Service: Specifies a service or service group.

1. From the Service drop-down menu, select a type: Service or Service Group.

2. You can search for the desired service/service group, or expand the service/service group list.

3. After selecting the desired services/service groups, click them to add them to the left pane.

4. After adding the desired objects, click Close.

You can also perform other operations:

• To add a new service or service group, select User-defined from the Predefined drop-down list, and click the button.

• The default service configuration is any. To restore the configuration to this default one, select the any check box.

Application: Specifies an application, application group or application filter.

1. From the Application drop-down menu, you can search for the desired application/application group/application filter, or expand the list of applications/application groups/application filters.

2. After selecting the desired applications/application groups/application filters, click them to add them to the left pane.

3. After adding the desired objects, click Close to complete the application configuration.

You can also perform other operations:

• To add a new application group, click New AppGroup.

• To add a new application filter, click New AppFilter.

Schedule: Specifies a schedule when the PBR rule will take effect. Select a desired schedule from the Schedule drop-down list. After selecting the desired schedules, click Close to complete the schedule configuration. To create a new schedule, click New Schedule.

Expand Next-hop, configure the following.

Option Description

Set Next-hop: To specify the type of next hop, click IP Address, Virtual Router in current Vsys, or Interface.

• IP Address: Type the IP address into the IP address text box and specify the weight in the Weight text box. When more than one next hop is available, the traffic will be allocated to the different next hops according to the weight value.

• Virtual Router in current Vsys: Select a name from the Next-Hop Virtual Router drop-down list and specify the weight in the Weight text box. When more than one next hop is available, the traffic will be allocated to the different next hops according to the weight value.

• Interface: Select an interface from the Interface drop-down list and specify the weight in the Weight text box. When more than one next hop is available, the traffic will be allocated to the different next hops according to the weight value.

Track Object: Select the track object from the drop-down list or click the button to create a new track object. See "Track Object" on Page 670.

Weight: Specifies the weight for the next hop. The value range is 1 to 255. The default value is 1. If a PBR rule is configured with multiple next hops, the system will distribute the traffic in proportion to the corresponding weights.

Add: Click to add the specified next hop.

Delete: Select next-hop entries from the next-hop table and click this button to delete them.

Adjusting Priority of a PBR Rule
To adjust priority of a Policy-based Route rule, take the following steps:

1. Select Network > Routing > Policy-based Routing.

2. From the Virtual Router drop-down list, select the Virtual Router for the new route.

3. Select the rule whose priority you want to adjust from the list below, and click Priority.

4. In the Priority page, enter values.

Option Description

Top: Click this option button to move the PBR rule to the top.

Bottom: Click this option button to move the PBR rule to the bottom.

Before ID: Click this option button and type the ID into the box to move the PBR rule to the position before that ID.

After ID: Click this option button and type the ID into the box to move the PBR rule to the position after that ID.

Notes: Each PBR rule is labeled with a unique ID. When traffic flows into a Hillstone device, the device queries the PBR rules in turn and processes the traffic according to the first matched rule. However, the PBR rule ID is not related to the matching sequence during the query. You can move a PBR rule's location up or down at your own choice to adjust the matching sequence accordingly.

Applying a Policy-based Route


You can apply a policy-based route by binding it to an interface, virtual router or zone.
To apply a policy-based route, take the following steps:

1. Select Network > Routing > Policy-based Routing.

2. From the Virtual Router drop-down list, select the Virtual Router for the new route.

3. Click Bind to.

In the Policy-based Route Configuration page, enter values.

Option Description

PBR Name: Select a route from the PBR Name drop-down list.

Virtual Router: From the Virtual Router drop-down list, select the Virtual Router for the new route. The default value is "trust-vr".

Type: Specifies the object type that the policy-based route binds to. You can select Zone, Virtual Router, Interface or No Binding.

• Zone: Click this option button and select a zone from the Bind To drop-down list.

• Virtual Router: Click this option button to show the virtual router that the policy-based route binds to.

• Interface: Click this option button and select an interface from the Bind To drop-down list.

• No Binding: The policy-based route is not bound to any object.

4. Click OK.

DNS Redirect
The system supports the DNS redirect function, which redirects DNS requests to a specified DNS server. For more information about specifying IP addresses of the DNS server, see Configuring a DNS Server. Currently, the DNS redirect function is mainly used to redirect video traffic for load balancing. Working together with policy-based routes, the system can redirect Web video traffic to different links, improving the user experience.
To enable the DNS redirect function, take the following steps:

1. Select Network > Routing > Policy-based Routing.

2. Click Enable DNS Redirect.

Configuring the Global Match Order
By default, if a PBR rule is bound to an interface, the VRouter and the security zone the interface belongs to at the same time, the traffic matching sequence will be: Interface > Zone > VRouter. You can configure the global match order of PBR.
To configure the global match order, take the following steps:

1. Select Network > Routing > Policy-based Routing.

2. Click Config Global Match Order.

3. Select the items that need to be adjusted, and click the up and down buttons to move them.

4. To restore the default matching sequence, click Restore Default.

5. Click OK.
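The first-match rule and the Priority operations from "Adjusting Priority of a PBR Rule", together with the global match order described here, as an added example in Python (not StoneOS code). Rule IDs, addresses, interface and zone names and next hops are constructed, and the behaviour when a bound PBR has no matching rule (fall through to the next binding type, then to the ordinary routing table) is an assumption, since the guide only states the order in which the bindings are consulted.

```python
# Added example (not StoneOS code): PBR rule ordering and the global match
# order. Rule contents, zone/interface names and next hops are constructed.
import ipaddress
from dataclasses import dataclass, field


def _addr_match(spec, ip):
    """spec is "any" or a CIDR prefix, as the Address field allows."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


@dataclass
class Rule:
    rule_id: int            # unique ID, unrelated to the matching order
    next_hop: str
    src: str = "any"
    dst: str = "any"
    service: str = "any"

    def matches(self, pkt):
        return (_addr_match(self.src, pkt["src"])
                and _addr_match(self.dst, pkt["dst"])
                and self.service in ("any", pkt["service"]))


@dataclass
class Pbr:
    name: str
    rules: list = field(default_factory=list)   # list position is the matching order

    def lookup(self, pkt):
        """First matching rule in list order wins, whatever its ID."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule
        return None

    # The four operations of the Priority page.
    def _index(self, rule_id):
        return next(i for i, r in enumerate(self.rules) if r.rule_id == rule_id)

    def move_top(self, rule_id):
        self.rules.insert(0, self.rules.pop(self._index(rule_id)))

    def move_bottom(self, rule_id):
        self.rules.append(self.rules.pop(self._index(rule_id)))

    def move_before(self, rule_id, ref_id):
        rule = self.rules.pop(self._index(rule_id))
        self.rules.insert(self._index(ref_id), rule)

    def move_after(self, rule_id, ref_id):
        rule = self.rules.pop(self._index(rule_id))
        self.rules.insert(self._index(ref_id) + 1, rule)

    def order(self):
        return [r.rule_id for r in self.rules]


DEFAULT_MATCH_ORDER = ("interface", "zone", "vrouter")


def route_packet(pkt, bindings, match_order=DEFAULT_MATCH_ORDER):
    """Consult the PBRs bound to the packet's interface, zone and VRouter.

    bindings maps each binding type to {object name: Pbr}. The PBRs are tried
    in match_order. Assumption: when a bound PBR has no matching rule the next
    binding type is consulted, and a packet with no match at all falls through
    to the ordinary routing table (None).
    """
    for kind in match_order:
        pbr = bindings.get(kind, {}).get(pkt[kind])
        if pbr is None:
            continue
        rule = pbr.lookup(pkt)
        if rule is not None:
            return pbr.name, rule.rule_id, rule.next_hop
    return None


def build_example():
    """Constructed scenario: two rules that both match one packet, plus a
    second PBR bound to the zone the interface belongs to."""
    pbr_if = Pbr("pbr-ethernet0/1", [
        Rule(1, "10.0.1.1", dst="203.0.113.0/24"),
        Rule(2, "10.0.2.1", src="192.168.10.0/24"),
    ])
    pbr_zone = Pbr("pbr-trust", [Rule(3, "10.0.3.1", service="HTTP")])
    bindings = {"interface": {"ethernet0/1": pbr_if},
                "zone": {"trust": pbr_zone},
                "vrouter": {}}
    pkt = {"src": "192.168.10.5", "dst": "203.0.113.9", "service": "HTTP",
           "interface": "ethernet0/1", "zone": "trust", "vrouter": "trust-vr"}
    return pbr_if, bindings, pkt


if __name__ == "__main__":
    pbr_if, bindings, pkt = build_example()
    print(route_packet(pkt, bindings))             # ('pbr-ethernet0/1', 1, '10.0.1.1')
    pbr_if.move_top(2)                             # same IDs, new order
    print(route_packet(pkt, bindings))             # ('pbr-ethernet0/1', 2, '10.0.2.1')
    print(route_packet(pkt, bindings, ("zone", "interface", "vrouter")))  # ('pbr-trust', 3, '10.0.3.1')
```

The point to take from the run is that moving rule 2 to the top changes which next hop the same packet gets without touching any rule ID, and that swapping Zone ahead of Interface in the match order makes the zone-bound PBR answer first.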

RIP
RIP, Routing Information Protocol, is an internal gateway routing protocol that is designed to
exchange routing information between routers. Currently, devices support both RIP versions, i.e.,
RIP-1 and RIP-2.
RIP configuration includes basic options, redistribute, Passive IF, neighbor, network and dis-
tance. You will also need to configure RIP parameters for different interfaces, including RIP ver-
sion, split horizon, and authentication mode.

Creating RIP
To create RIP, take the following steps:

1. Select Network > Routing > RIP.

2. From the Virtual Router drop-down list, select the Virtual Router for the new route.

3. Click New.

In the configuration tab, configure the following.

Option Description

Version: Specifies a RIP version. Hillstone devices support RIP-1 and RIP-2. RIP-1 transmits packets by broadcasting, while RIP-2 transmits packets by multicasting. Select a version from the drop-down list. The default version is RIP-2.

Network

Network (IP/netmask): Type the IP address and netmask into the Network (IP/netmask) box.

New: Click New to add the network. All the networks that have been added will be displayed in the list below.

Delete: Repeat the above steps to add more networks. To delete a network, select the entry you want to delete from the list, and click Delete.

Click Advanced Configuration, configure the following.

Option Description

Metric: Specifies a default metric. The value range is 1 to 15. If no value is specified, the value of 1 will be used. RIP measures the distance to the destination network in hops. This distance is known as the metric. The metric from a router to a directly connected network is 1, and it increases by 1 for every additional router between them. The maximum metric is 15, and a network with a metric larger than 15 is not reachable. The default metric takes effect when a route is redistributed.

Distance: Specifies a default distance. The value range is 1 to 255. If no value is specified, the value of 120 will be used.

Default-info originate: Specifies whether the default route will be redistributed to other routers with RIP enabled. By default RIP will not redistribute the default route. Click the Enable button to redistribute the default route.

Update interval: Specifies the interval at which all RIP routes are sent to all the neighbors. The value range is 0 to 16777215 seconds. The default value is 30.

Invalid time: If a route has not been updated for the invalid time, its metric will be set to 16, indicating an unreachable route. The value range is 1 to 16777215 seconds. The default value is 180.

Hold-down time: If the metric becomes larger (e.g., from 2 to 4) after a route has been updated, the route will be assigned a hold-down time. During the hold-down time, the route will not accept any update. The value range is 1 to 16777215 seconds. The default value is 180.

Flush time: The system keeps sending the unreachable routes (metric set to 16) to other routers during the flush time. If the route still has not been updated by the end of the flush time, it will be deleted from the RIP information database. The value range is 1 to 16777215 seconds. The default value is 240.

Redistribute

Protocol: Select a protocol type for the route from the Protocol drop-down list. The type can be Connected, Static, IS-IS, OSPF or BGP.

New: Click New to add the Redistribute route entry. All the entries that have been added will be displayed in the Redistribute Route list below.

Delete: Repeat the above steps to add more Redistribute route entries. To delete a Redistribute route entry, select the entry you want to delete from the list, and click Delete.

Neighbor

Neighbor IP: Type the neighbor IP into the Neighbor IP box.

New: Click New to add the neighbor IP. All the neighbor IPs that have been added will be displayed in the list below.

Delete: Repeat the above steps to add more neighbor IPs. To delete a neighbor IP, select the entry you want to delete from the list, and click Delete.

Distance

Distance: Type the distance into the Distance box. The specified distance takes priority over the default distance.

Network (IP/netmask): Type the IP prefix and netmask into the Network (IP/netmask) box.

New: Click New to add the distance. All the distances that have been added will be displayed in the list below.

Delete: Repeat the above steps to add more distances. To delete a distance, select the entry you want to delete from the list, and click Delete.

Click Interface Configuration, configure the following.

Option Description

Edit: Select the check box of an interface from the Interface page, and click Edit to open the Interface Configuration page.

In the DB tab, view the database of RIP routes. All the route entries that can reach the target network are stored in the database.

4. Click OK.

Notes: Configuration for RIP on Hillstone device's interfaces includes: RIP version,
split horizon and authentication mode. For more information on how to configure
RIP on an interface, see "Configuring an Interface" on Page 92.
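The metric and timer rules from the Advanced Configuration table, simulated for one route as an added example (not StoneOS code). It uses the defaults the table lists (update 30 s, invalid 180 s, hold-down 180 s, flush 240 s, metric 16 meaning unreachable). Prefixes, next hops and the event timeline are constructed, and the assumption that both the invalid and the flush timers count from the last accepted update is stated in the code.

```python
# Added example (not StoneOS code): the life of one RIP route entry under
# the timers from the Advanced Configuration table. Prefixes, next hops
# and timestamps (in seconds) are constructed.
INFINITY = 16          # metric meaning "unreachable"
UPDATE_INTERVAL = 30   # default update interval
INVALID_TIME = 180     # default invalid time
HOLDDOWN_TIME = 180    # default hold-down time
FLUSH_TIME = 240       # default flush time


def hop_metric(advertised):
    """Metric learned from a neighbour: one more hop, never above INFINITY."""
    if advertised < 1:
        raise ValueError("an advertised RIP metric is at least 1")
    return min(advertised + 1, INFINITY)


class RipRoute:
    """One entry of the RIP database with the invalid/hold-down/flush timers.

    Assumption: both the invalid and the flush timers count from the last
    accepted update, so with the defaults a silent route becomes unreachable
    at 180 s and is deleted at 240 s.
    """

    def __init__(self, prefix, next_hop, metric, now):
        self.prefix = prefix
        self.next_hop = next_hop
        self.metric = metric
        self.last_update = now
        self.holddown_until = None
        self.state = "active" if metric < INFINITY else "invalid"

    def update(self, next_hop, metric, now):
        """Apply an update received at time now; returns the resulting state."""
        if self.state == "flushed":
            return self.state
        if self.holddown_until is not None:
            if now < self.holddown_until:
                return "ignored-holddown"   # no updates accepted during hold-down
            self.holddown_until = None
        if metric > self.metric:            # metric got worse: start hold-down
            self.holddown_until = now + HOLDDOWN_TIME
        self.next_hop, self.metric, self.last_update = next_hop, metric, now
        self.state = "active" if metric < INFINITY else "invalid"
        return self.state

    def expire(self, now):
        """Run the invalid and flush timers; returns the resulting state."""
        if self.state == "flushed":
            return self.state
        age = now - self.last_update
        if age >= FLUSH_TIME:
            self.state = "flushed"          # removed from the RIP database
        elif age >= INVALID_TIME and self.metric < INFINITY:
            self.metric = INFINITY          # still advertised, as unreachable
            self.state = "invalid"
        return self.state

    def advertised(self):
        """What the periodic update carries for this route, or None once flushed."""
        if self.state == "flushed":
            return None
        return (self.prefix, self.metric)


def walkthrough():
    """Constructed timeline; returns (time, state, metric or advertisement) in order."""
    seen = []
    r = RipRoute("10.1.0.0/16", "10.0.0.2", hop_metric(1), now=0)
    seen.append((0, r.state, r.metric))
    # Next periodic update reports a worse metric (2 -> 4): hold-down starts.
    t = UPDATE_INTERVAL
    seen.append((t, r.update("10.0.0.2", hop_metric(3), now=t), r.metric))
    # A better path offered during hold-down is ignored.
    t = 2 * UPDATE_INTERVAL
    seen.append((t, r.update("10.0.0.3", hop_metric(1), now=t), r.metric))
    # Nothing accepted for 185 s: invalid timer marks the route unreachable.
    seen.append((215, r.expire(215), r.metric))
    # Hold-down is over, the better path is now accepted.
    seen.append((220, r.update("10.0.0.3", hop_metric(1), now=220), r.metric))
    # Silent again for a full flush time: the entry is deleted.
    seen.append((460, r.expire(460), r.advertised()))
    return seen
```

The walkthrough shows the failure mode hold-down is for: the route is still advertised with metric 16 between the invalid and flush timers, so neighbours learn it is unreachable rather than silently losing it, while a better metric offered during hold-down is deliberately not believed.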

OSPF
OSPF, the abbreviation for Open Shortest Path First, is an internal gateway protocol based on link state developed by the IETF. The current version of OSPF is version 2 (RFC2328). OSPF is applicable to networks of any size. Its quick convergence feature can send update messages immediately after the network topology has changed, and its algorithm assures it will not generate routing loops. OSPF also has the following characteristics:

• Area division: divides the network of an autonomous system into areas to facilitate management, thereby reducing the protocol's CPU and memory utilization, and improving performance.

• Classless routing: allows the use of variable length subnet masks.

• ECMP: improves the utilization of multiple routes.

• Multicasting: reduces the impact on non-OSPF devices.

• Verification: interface-based packet verification ensures the security of the routing calculation.

Note: An autonomous system is a group of routers and networks under the control of one administrative entity. All routers within an autonomous system must run the same routing protocol.

Creating OSPF
To create OSPF, take the following steps:

1. Select Network > Routing > OSPF.

2. From the Virtual Router drop-down list, select the Virtual Router for the new route.

3. Click New.

In this page, configure the following.

Option Description

Process ID: Enter the OSPF process ID. The default value is 1. The value ranges from 1 to 65535. Each OSPF process is independent, and has its own link state database and the related OSPF routing table. Each VRouter supports up to 4 OSPF processes, and multiple OSPF processes maintain a routing table together. When specifying the OSPF process ID, note the following:

• When running multiple OSPF processes in a VRouter, the networks advertised on interfaces in each OSPF process cannot be the same.

• When route entries with the same prefix exist in multiple OSPF processes, the system will compare the administrative distance of each route entry, and the route entry with the lower administrative distance will be added to the VRouter's routing table. If their AD is the same, the route entry that was discovered first will be added to the routing table.

• If the OSPF route entries are redistributed to other routing protocols, the routing information of process 1 will be redistributed by default. If this process does not exist, the routing information of OSPF will not be redistributed.

Router ID: Enter the Router ID used by the OSPF protocol. Each router running the OSPF protocol should be labeled with a Router ID. The Router ID is the unique identifier of an individual router in the whole OSPF domain, represented in the form of an IP address.

HA Synchronization: Click the Enable button to enable HA synchronization. The OSPF configuration of the master and backup will be synchronized.

Network: Configure the network interface that enables OSPF and add the network to the specified area. Click New, and enter the network address, network mask and area ID.

• Network Address: Enter the IP address of the network interface that enables the OSPF protocol.

• Network Mask: Enter the mask of the IP address.

• Area ID: Enter the area ID the network will be added to, in the form of a 32-bit number or an IP address.

Redistribute Configuration

Static: Click the Enable button to introduce static routes into OSPF and redistribute them.

Connected: Click the Enable button to introduce connected routes into OSPF and redistribute them.

RIP: Click the Enable button to introduce RIP routes into OSPF and redistribute them.

OSPF: Click the Enable button to introduce OSPF routes into OSPF and redistribute them.

ISIS: Click the Enable button to introduce ISIS routes into OSPF and redistribute them.

BGP: Click the Enable button to introduce BGP routes into OSPF and redistribute them.

VPN: Click the Enable button to introduce VPN routes into OSPF and redistribute them.

4. Click OK.

Notes: Configuration for OSPF on Hillstone device interfaces includes: hello transmission interval, dead time, LSA transmit interval and LSU transmit delay time. For more information on how to configure OSPF on an interface, see "Configuring an Interface" on Page 92.

Viewing the Neighbor Information


To view the neighbor information, take the following steps:

1. Select Network > Routing > OSPF.

2. Select the process ID check box, and the neighbor information will be displayed in the list below.

• Neighbor Router ID: Shows the router ID of the OSPF neighbor.

• Priority: Shows the router priority. The router priority is used to determine which router will act as the designated router. The designated router receives the link information of all the other routers in the network, and broadcasts the received link information.

• Neighbor State: Shows the OSPF neighbor state. The OSPF neighbor state includes 8 types: Down, Attempt, Init, 2-Way, Exstart, Exchange, Loading and Full. The Full state includes Full/DR and Full/BDR.

• Timeout: Shows the neighbor timeout, which is the difference between the dead time and the hello transmission interval. The unit is seconds. If OSPF does not receive Hello packets from the neighbor within this time, the neighbor relationship cannot be maintained.

• Neighbor IP: Shows the IP address of the neighbor router.

• Local Interface: Shows the interface that sends the Hello packets to the neighbor router.

Configuring OSPFv3
OSPFv3 is the third version of Open Shortest Path First and mainly provides the support of
IPv6. Before configuring OSPFv3, you need to enable IPv6 at Network > Interface > New, and
configure an OSPFv3 interface. For how to configure the OSPFv3 interface, refer to Configuring
an Interface.
The similarities between OSPFv3 and OSPFv2 are as follows:

• Both protocols use 32-bit Router IDs and Area IDs.

• Both protocols use Hello packets, DD (database description) packets, LSR (link state request) packets, LSU (link state update) packets, and LSAck (link state acknowledgment) packets.

• Both protocols use the same mechanisms for finding neighbors and establishing adjacencies.

• Both protocols use the same mechanisms for LSA flooding and aging.

The differences between OSPFv3 and OSPFv2 are as follows:

• OSPFv3 runs on a per-link basis, while OSPFv2 runs on a per-IP-subnet basis.

• OSPFv3 supports multiple instances per link.

• OSPFv3 identifies neighbors by Router ID, while OSPFv2 identifies neighbors by IP address.

You can configure the OSPFv3 protocol for each VRouter respectively.

Creating OSPFv3
To create the OSPFv3 process, take the following steps:

1. Select Network > Routing > OSPFv3.

2. Select a VR from the Virtual Router drop-down list.

3. Click New to open the OSPFv3 Configuration page.

In this page, configure as follows:

Option Description

Process ID: Enter the OSPFv3 process ID. The default value is 1. The value ranges from 1 to 65535. Each OSPFv3 process is independent, and has its own link state database and the related OSPFv3 routing table. Each VRouter supports up to 4 OSPFv3 processes, and multiple OSPFv3 processes maintain a routing table together. When specifying the OSPFv3 process ID, note the following:

• When running multiple OSPFv3 processes in a VRouter, the networks advertised on interfaces in each OSPFv3 process cannot be the same.

• When route entries with the same prefix exist in multiple OSPFv3 processes, the system will compare the administrative distance of each route entry, and the route entry with the lower administrative distance will be added to the VRouter's routing table. If their AD is the same, the route entry that was discovered first will be added to the routing table.

• If the OSPFv3 route entries are redistributed to other routing protocols, the routing information of process 1 will be redistributed by default. If this process does not exist, the routing information of OSPFv3 will not be redistributed.

Router ID: Specifies the router ID of the router running OSPFv3. The router ID is the unique identifier of a router in the OSPFv3 domain. The router ID should be in the format of an IP address.

HA Synchronization: Click the Enable button to enable HA synchronization. The OSPFv3 configuration of the master and backup will be synchronized.

IPv6 Redistribute Configuration

Static: Click the Enable button to introduce static routes into OSPFv3 and redistribute them.

Connected: Click the Enable button to introduce connected routes into OSPFv3 and redistribute them.

RIPng: Click the Enable button to introduce RIPng routes into OSPFv3 and redistribute them.

ISISv6: Click the Enable button to introduce ISISv6 routes into OSPFv3 and redistribute them.

BGP+: Click the Enable button to introduce BGP+ routes into OSPFv3 and redistribute them.

Virtual Link Configuration

Area ID: A virtual link is used to connect discontinuous backbone areas, so that they can maintain logical continuity. Specifies an area ID that requires a virtual link, in the form of a 32-bit number or an IP address.

Virtual Link To Peer ABR Router ID: A virtual link always connects two area border routers. You need to configure the router ID of each of the two area border routers.

4. Click OK to save the configuration. The created OSPFv3 process will be displayed in the list.

5. Expand Interface Configuration, configure the following.

Option Description

Edit Select the check box of an interface from the Inter-


face page, and click Edit to open the Interface
Configuration page.

Interface Area Con- Configure the area and instance where the
figuration OSPFv3 interface belongs to.

l Interface:Specifies the interface running


OSPFv3.

l Area ID: Specifies the area ID that the inter-


face belongs to. The area ID is in form of a
32-bit digital number, or an IP address.

l Instance ID:Specifies the instance ID that


the interface belongs to. To establish the
neighbor relationship, interfaces must

314 Chapter 6

Advanced Routing
Option Description

belong to the same instance. The value


ranges from 0 to 255. The default value is 0.

l Interface Timer: There are four interface


timers: the interval for sending Hello pack-
ets, the dead interval of adjacent routers, the
interval for retransmitting LSA, and the
transmit delay for updating packets.

l Hello Transmission Interval: Spe-


cifies the interval for sending Hello
packets for an interface. The value
range is 1 to 65535 seconds. The
default value is 10. If the OSPFv3
interface chooses the point-to-mul-
tipoint network type, the default
value is 30.

l Dead Time: Specifies the dead inter-


val of adjacent routes for an interface.
The value range is 1 to 65535
seconds. The default value is 40 (4
times of sending the Hello packets).
If the OSPFv3 interface chooses the
point-to-multipoint network type, the
default value is 120.If a router has not

Chapter 6 315

Advanced Routing
Option Description

received the Hello packet from its


peer for a certain period, it will
determine the peering router is dead.
This period is known as the dead
interval between the two adjacent
routers.

l LSA Transmit Interval: Specifies the


LSA retransmit interval for an inter-
face. The value range is 3 to 65535
seconds. The default value is 5.

l LSU Transmit Delay Time: Specifies


the transmit delay for updating packet
for an interface. The value range is 1
to 65535 seconds. The default value
is 1.

l Priority: Specifies the router priority. The


value range is 0 to 255. The default value is
1. The router with priority set to 0 will not
be selected as the designated router (The
designated router will receive the link
information of all the other routers in the
network, and broadcast the received link
information). If two routers within a net-
work can both be selected as the designated

316 Chapter 6

Advanced Routing
Option Description

router, the router with higher priority will


be selected; if the priority level is the same,
the one with higher Router ID will be selec-
ted.

l Network Type: Specifies the network type of the interface: broadcast, point-to-point, or point-to-multipoint. By default, the network type of an interface is broadcast.

l Link Cost: Specifies the OSPFv3 cost of the interface. The value range is 1 to 65535. By default, the HA synchronization function is enabled and the link cost is synchronized to the backup device. Clear the check box to disable synchronization, and the system will stop synchronizing the link cost.

l Passive: Click the button to make the interface a passive interface. A passive interface only receives routing protocol packets and does not send them.

l MTU-Ignore: Click the button to ignore the MTU check. OSPFv3 uses DBD (database description) packets to check whether the interface MTU matches between neighbors. If the MTU values do not match, the neighbors cannot establish an adjacency. You can change the MTU to solve this issue; for interfaces whose MTU cannot be changed, ignore the MTU check instead.
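The options above only form an adjacency when both neighbors agree on them. The following is an added example, not code from the StoneOS guide or from Hillstone: a pre-check that compares two OSPFv3 interface configurations the way the neighbors themselves would (Hello/dead timers and network type from the Hello packet, MTU during the DBD exchange unless MTU-Ignore is set) and applies the DR election rule described under Priority (priority 0 is never eligible, the higher priority wins, ties go to the higher Router ID). The interface records, field names and sample values are constructed for illustration.

```python
"""Added example, not code from the StoneOS guide: adjacency pre-check and
DR/BDR election for the OSPFv3 interface options listed above.  The sample
interfaces at the bottom are constructed data."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# network type -> (default Hello interval, default dead interval), per the table above
NETWORK_DEFAULTS = {
    "broadcast": (10, 40),
    "point-to-point": (10, 40),
    "point-to-multipoint": (30, 120),
}


@dataclass
class Ospf3Interface:
    name: str
    router_id: str                 # dotted-decimal, e.g. "10.0.0.1"
    priority: int = 1              # 0..255; 0 = never DR/BDR
    network_type: str = "broadcast"
    hello: Optional[int] = None    # None = default for the network type
    dead: Optional[int] = None
    mtu: int = 1500
    mtu_ignore: bool = False

    def hello_interval(self) -> int:
        return self.hello if self.hello is not None else NETWORK_DEFAULTS[self.network_type][0]

    def dead_interval(self) -> int:
        return self.dead if self.dead is not None else NETWORK_DEFAULTS[self.network_type][1]


def adjacency_problems(a: Ospf3Interface, b: Ospf3Interface) -> List[str]:
    """Reasons the two interfaces would not become fully adjacent; empty = fine."""
    problems: List[str] = []
    if a.hello_interval() != b.hello_interval():
        problems.append(f"hello mismatch {a.hello_interval()} vs {b.hello_interval()}")
    if a.dead_interval() != b.dead_interval():
        problems.append(f"dead mismatch {a.dead_interval()} vs {b.dead_interval()}")
    if a.network_type != b.network_type:
        problems.append(f"network type mismatch {a.network_type} vs {b.network_type}")
    if a.mtu != b.mtu:
        # The side with the smaller MTU rejects a DBD announcing a larger MTU
        # (RFC 2328 section 10.6), so that side is the one that needs MTU-Ignore.
        small = a if a.mtu < b.mtu else b
        if not small.mtu_ignore:
            problems.append(f"MTU mismatch {a.mtu} vs {b.mtu}: {small.name} will reject the DBD packet")
    for itf in (a, b):
        if not 0 <= itf.priority <= 255:
            problems.append(f"{itf.name}: priority {itf.priority} out of range 0..255")
        if itf.dead_interval() <= itf.hello_interval():
            problems.append(f"{itf.name}: dead interval must exceed hello interval")
    return problems


def elect_dr_bdr(routers: List[Ospf3Interface]) -> Tuple[Optional[str], Optional[str]]:
    """DR and BDR Router IDs for one broadcast segment, electing from a cold
    start (no existing DR is being honoured, which a live network would do)."""
    eligible = [r for r in routers if r.priority > 0]
    ranked = sorted(eligible, key=lambda r: (r.priority, int(IPv4Address(r.router_id))), reverse=True)
    dr = ranked[0].router_id if ranked else None
    bdr = ranked[1].router_id if len(ranked) > 1 else None
    return dr, bdr


if __name__ == "__main__":
    # Constructed sample: one side left on broadcast, the other on point-to-multipoint.
    fw = Ospf3Interface("fw-eth0/1", "10.0.0.1")
    core = Ospf3Interface("core-ge0", "10.0.0.2", network_type="point-to-multipoint")
    print(adjacency_problems(fw, core))
    print(elect_dr_bdr([fw, Ospf3Interface("r2", "10.0.0.9"), Ospf3Interface("r3", "10.0.0.3", priority=0)]))
```

Running it against the sample shows why switching only one side to point-to-multipoint silently breaks the adjacency: the default Hello and dead timers differ per network type, so the neighbor never leaves the Init state.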

Viewing Neighbor Information


To view the neighbor information of the created OSPFv3 process, take the following steps:

1. Select Network > Routing > OSPFv3.

2. Select an OSPFv3 process and the neighbor information will be displayed below.

l Neighbor Router ID: Displays the ID of neighbor router.

l Priority: Displays the router priority. The router priority is used to determine which router acts as the designated router. The designated router receives the link information of all the other routers in the network and sends the received link information to them.

l Link Local Address: Displays the link-local address of the neighbor router interface.

l Neighbor State: Displays the OSPFv3 neighbor state. The OSPFv3 neighbor state
includes 8 types: Down, Attempt, Init, 2-Way, Exstart, Exchange, Loading and Full.
The Full state includes Full/DR and Full/BDR.

l Timeout: Displays the neighbor timeout in seconds, which is the difference between the dead time and the Hello transmission interval. If OSPFv3 does not receive a Hello packet from the neighbor within this time, the neighbor relationship cannot be maintained.

l Local Interface: Displays the interface sending the Hello packets to the neighbor
router.

Configuring BGP
BGP (Border Gateway Protocol) is a routing protocol used to exchange dynamic routing information among autonomous systems. An autonomous system (AS) is a group of routers and networks under the control of a single administrative authority. When BGP runs within an autonomous system, it is called IBGP (Internal Border Gateway Protocol); when BGP runs between autonomous systems, it is called EBGP (External Border Gateway Protocol).

Basic
To configure a basic process, take the following steps:

1. Select Network > Routing > BGP.

2. Select a VR from the Virtual Router drop-down list. The default VR is "trust-vr".

3. In this page, enter the basic information of BGP.

4. Configure the options as follows:


AS: Specifies the Autonomous System number, ranging from 1 to 4294967295.

Router ID: Specifies the router ID of the router running BGP. The router ID is the unique identifier of a router in the BGP domain and is written in the dotted-decimal format of an IPv4 address.

Enable IPv6: Click the Enable button to support IPv6 addresses.

HA sync: Click this button to enable the HA Sync function: the Local property is disabled, the virtual MAC is used, and the primary device synchronizes its BGP information with the backup device. If the button is not clicked, HA Sync is disabled: the Local property is enabled, the original MAC is used, and the primary device does not synchronize its BGP information with the backup device.

IPv4

Network: Adds a specified network from the local routing table to the BGP routing table, or removes a specified network from the list. The added networks are advertised to the neighbor routers configured later.

l Add: Click the button and specify the IPv4 address and netmask. When IPv6 is enabled, you can specify an IPv6 address and prefix instead.

l Delete: To delete the specified network, click the button.

Neighbor: Adds neighbor routers with which the device exchanges routing information, or deletes a specified router from the list. You can add at most 8 neighbor routers.

l Add: To add a neighbor router, click the button and enter the following information.

    l IP: Enter the IP address of the neighbor router.

    l AS: Specify the AS number of the neighbor router, ranging from 1 to 4294967295.

    l Next-hop Self: When routes learned from an EBGP neighbor are advertised to IBGP neighbors, the next hop stays the address of the external peer, which the IBGP neighbors may be unable to reach. Enable Next-hop Self so that the device advertises itself as the next hop.

    l EBGP Multihops: For BGP running between different ASs (EBGP), if the device and its neighbor router are not directly connected, configure the number of EBGP multihops, ranging from 0 to 255.

    l Activate: Activates the BGP connection between the configured neighbor router and the current device. By default, the function is enabled.

    l Shutdown: Shuts down the neighbor router in the list. When it is shut down, all sessions with the neighbor router are cut and all routing information learned from it is cleared. By default, the function is disabled.

l Delete: To delete the specified neighbor router, click the button.

Redistribute: When IPv4 is supported, routes from the following protocols can be introduced into BGP and redistributed.

l Static: Select the check box to introduce static routes into BGP and redistribute them.

l Connected: Select the check box to introduce connected routes into BGP and redistribute them.

l OSPF: Select the check box to introduce OSPF routes into BGP and redistribute them.

l RIP: Select the check box to introduce RIP routes into BGP and redistribute them.

l IS-IS: Select the check box to introduce IS-IS routes into BGP and redistribute them.

When IPv6 is supported, routes from the following protocols can be introduced into BGP and redistributed.

l Static: Select the check box to introduce IPv6 static routes into BGP and redistribute them.

l Connected: Select the check box to introduce IPv6 connected routes into BGP and redistribute them.

l OSPFv3: Select the check box to introduce OSPFv3 routes into BGP and redistribute them.

l RIPng: Select the check box to introduce RIPng routes into BGP and redistribute them.

l ISISv6: Select the check box to introduce ISISv6 routes into BGP and redistribute them.

5. Click OK to save the configurations. The newly created neighbor router will be displayed in the list.

Neighbor List
To view the created neighbor router, take the following steps:

1. Select Network > Routing > BGP.

2. In the Neighbor List page, view the information of neighbor routers.

l Neighbor IP: Displays the IP address of the neighbor router.

l AS: Displays the autonomous system number of the neighbor router.

l Remote Router ID: When the neighbor router is connected with the peer router, the
router ID of the peer router will be displayed.

l BGP Type: Displays the running type of BGP. When BGP runs between different
AS, it displays as EBGP; when BGP runs within an AS, it displays as IBGP.

l State: Displays the state of the BGP session between the device and the neighbor router: Idle, Connect, Active, OpenSent, OpenConfirm or Established.
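The neighbor options and the BGP Type column above follow a few mechanical rules (same AS means IBGP, an EBGP peer that is not on a directly connected subnet needs EBGP multihop, Next-hop Self changes what IBGP peers are told). The following is an added example, not code from the StoneOS guide or from Hillstone: a sanity check over a neighbor list that encodes those rules and the ranges and 8-neighbor limit stated in the table. The local AS, subnets and neighbor entries are constructed sample data, and the EBGP next-hop rule is the common case (next hop rewritten to the local address); third-party next-hop optimisations are ignored.

```python
"""Added example, not code from the StoneOS guide: validation of a BGP
neighbor list and the effect of Next-hop Self.  All sample data is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

AS_MIN, AS_MAX = 1, 4294967295   # 4-byte AS number range, as in the table
MAX_NEIGHBORS = 8                # StoneOS limit stated in the table


@dataclass
class BgpNeighbor:
    ip: str
    remote_as: int
    ebgp_multihop: int = 0       # 0 = the peer must be directly connected
    next_hop_self: bool = False
    activate: bool = True
    shutdown: bool = False


def bgp_type(local_as: int, remote_as: int) -> str:
    """Same AS -> IBGP, different AS -> EBGP (the 'BGP Type' column)."""
    return "IBGP" if local_as == remote_as else "EBGP"


def validate_neighbors(local_as: int, local_subnets: List[str],
                       neighbors: List[BgpNeighbor]) -> List[str]:
    """Return configuration warnings; an empty list means the set looks sane."""
    warnings: List[str] = []
    if len(neighbors) > MAX_NEIGHBORS:
        warnings.append(f"{len(neighbors)} neighbors exceeds the limit of {MAX_NEIGHBORS}")
    nets = [ip_network(n) for n in local_subnets]
    seen = set()
    for nb in neighbors:
        if nb.ip in seen:
            warnings.append(f"{nb.ip}: duplicate neighbor")
        seen.add(nb.ip)
        if not AS_MIN <= nb.remote_as <= AS_MAX:
            warnings.append(f"{nb.ip}: AS {nb.remote_as} outside {AS_MIN}..{AS_MAX}")
        if not 0 <= nb.ebgp_multihop <= 255:
            warnings.append(f"{nb.ip}: EBGP multihop {nb.ebgp_multihop} outside 0..255")
        kind = bgp_type(local_as, nb.remote_as)
        directly_connected = any(ip_address(nb.ip) in net for net in nets)
        if kind == "EBGP" and not directly_connected and nb.ebgp_multihop == 0:
            warnings.append(f"{nb.ip}: EBGP peer is not on a local subnet; set EBGP multihop")
        if kind == "IBGP" and nb.ebgp_multihop:
            warnings.append(f"{nb.ip}: multihop is meaningless for an IBGP peer")
        if not nb.activate and not nb.shutdown:
            warnings.append(f"{nb.ip}: session will come up but no prefixes are exchanged")
    return warnings


def next_hop_to_advertise(learned_next_hop: str, local_address: str,
                          to_peer: BgpNeighbor, local_as: int) -> str:
    """NEXT_HOP carried in the UPDATE sent to `to_peer`.  Towards an EBGP peer it
    is rewritten to the local address; towards an IBGP peer it is left as
    learned unless Next-hop Self is set, which is what makes a route learned
    from an external peer reachable for IBGP peers that have no route to it."""
    if bgp_type(local_as, to_peer.remote_as) == "EBGP" or to_peer.next_hop_self:
        return local_address
    return learned_next_hop


if __name__ == "__main__":
    # Constructed sample: one connected EBGP peer, one remote EBGP peer without
    # multihop, one IBGP peer with a pointless multihop setting.
    peers = [BgpNeighbor("192.0.2.2", 65002),
             BgpNeighbor("198.51.100.9", 65003),
             BgpNeighbor("10.0.0.5", 65001, ebgp_multihop=2)]
    for line in validate_neighbors(65001, ["192.0.2.0/30", "10.0.0.0/24"], peers):
        print(line)
    print(next_hop_to_advertise("192.0.2.2", "10.0.0.1", peers[2], 65001))
```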

Delete BGP
To delete the BGP process, take the following steps:

1. Select Network > Routing > BGP.

2. Click the Delete BGP button, and all BGP configurations will be deleted.

Chapter 7 Authentication
Authentication is one of the key features for a security product. When a security product enables
authentication, the users and hosts can be denied or allowed to access certain networks.
From a user's point of view, authentication is divided into the following categories:

l If you are a user from an internal network who wants to access the Internet, you can use:

l "Web Authentication" on Page 329

l "Single Sign-On" on Page 342

l "PKI" on Page 391

l If you are a user from the Internet who wants to visit an internal network (usually with VPN),
you can use:

l "SSL VPN" on Page 445

l "IPSec VPN" on Page 401 (IPSec VPN (with radius server)+Xauth)

l "L2TP VPN" on Page 541 (L2TP over IPsec VPN)

Authentication Process
A user connects to the firewall from his/her terminal. The firewall retrieves the user data from the AAA server to check the user's identity.

l User (authentication applicant): The applicant initiates an authentication request, and enters
his/her username and password to prove his/her identity.

l Authentication system (i.e. the firewall in this case): The firewall receives the username and password and forwards the request to the AAA server. It acts as an agent between the applicant and the AAA server.

l "AAA Server" on Page 621: This server stores user information such as the username and password. When the AAA server receives a legitimate request, it checks whether the applicant has the right to use the network services and sends back the decision. For more information, refer to "AAA Server" on Page 621. The AAA server has the following types:

l Local server

l Radius server

l LDAP server

l AD server

l TACACS+server

Web Authentication
After Web authentication (WebAuth) is configured, opening a browser to access the Internet redirects the page to the WebAuth login page. Depending on the authentication mode, you need to provide the corresponding authentication information. After successful Web authentication, the system assigns a role to the IP address according to the policy configuration, which provides role-based access control.
Web authentication means you are prompted to prove your identity on the authentication page. It includes the following modes:

l Password Authentication: Using username and password during the Web authentication.

l SMS Authentication: Using SMS during the Web authentication. In the login page, you need
to enter the mobile number and the received SMS verification code. If the SMS verification
code is correct, you can pass the authentication.

l NTLM Authentication: System obtains the login user information of the local PC terminal
automatically, and then verifies the identity of the user. For more configurations, see NTLM
Authentication.

Notes: NTLM authentication mode only supports the Active Directory servers
deployed in Windows Server 2008 or older versions.

Enabling the WebAuth


To enable the Web authentication, take the following steps:

1. Click Network > WebAuth > WebAuth.

2. Select the Enable check box of WebAuth to enable the WebAuth function.

Configuring Basic Parameters for WebAuth
The basic parameters are applicable to all WebAuth policies.
To configure WebAuth basic parameters, take the following steps:

1. Click Network > WebAuth > WebAuth, and click the Enable button.

2. In the Basic Configuration tab, configure the following options:

Basic Configuration

HTTP: Select the HTTP authentication method. Port: Specifies the HTTP port of the authentication server. The range is 1 to 65535, and the default value is 8181.

HTTPS: Select the HTTPS authentication method. HTTPS is encrypted and avoids information leakage. Port: Specifies the HTTPS port of the authentication server. The range is 1 to 65535, and the default value is 44433. Trust Domain: Specifies the HTTPS trust domain. This domain must previously have been created in PKI with a certificate issued by a public CA imported into it.

All Interface: After the WebAuth function is enabled, WebAuth is disabled on all interfaces by default. You can specify the global default WebAuth setting for all interfaces: Disable authentication service by default or Enable authentication service by default. For more information about configuring WebAuth on an interface, see "Configuring an Interface" on Page 92.

Proxy Port: Specifies the port number of the HTTP, HTTPS and SSO proxy server. The same port number applies to all of them: if it is changed in any page, the other modes also use the new port. The range is 1 to 65535.

User Login


Address Type: Specifies IP address or MAC address as the address type of the authenticated user. By default, the address type is IP address.
Note: When MAC is specified as the address type, the device must be deployed in the same Layer 2 network as the client. Otherwise, the system fails to obtain the MAC address of the client or obtains an incorrect one.

Multiple Login: If multiple login is disabled, an account cannot log in if it is already logged in elsewhere. You can click Replace to kick out the logged-in user, or click Refuse New Login to reject the new login of the same user. If multiple login is enabled, more than one client can log in with the same account, but you can still set the maximum number of clients using one account.

Authentication Mode

Password: Specifies password authentication as the authentication mode.

Idle Timeout: If there is no traffic for the specified period after successful authentication, the system disconnects the connection. By default, the system does not disconnect an idle connection after successful authentication. Select the Idle Timeout check box to enable the idle timeout function and type the idle timeout value into the text box. Clear the check box to disable the idle timeout function.

Force Timeout: If forced re-login is enabled, users must log in again after the configured interval ends. Select the Force Timeout check box to enable the forced timeout function and type the forced timeout value into the text box. Clear the check box to disable the forced timeout function.

Heartbeat Timeout: After successful authentication, the system automatically refreshes the login page before the configured timeout value ends in order to maintain the login status. If an idle timeout is configured at the same time, you are logged off when the smaller of the two values is reached. Select the Heartbeat Timeout check box to enable the heartbeat timeout function and type the heartbeat timeout value into the text box. Clear the check box to disable the heartbeat timeout function.

Re-Auth Interval: The system can re-authenticate a user after successful authentication. By default, the re-authentication function is inactive. Select the Re-Auth Interval check box to enable the re-auth function and type the re-auth interval into the text box. Clear the check box to disable the re-auth function.

Redirect URL: The redirect URL function redirects the client to the specified URL after successful authentication. You need to turn off the pop-up blocker of your web browser to ensure this function works properly.

Notes:
l You can pass the username and password in the URL. When the redirect URL is an intranet application page that itself requires authentication, the user does not need to authenticate again and can access the application directly. The corresponding keywords are $USER, $PWD and $HASHPWD; generally, you use one of $PWD and $HASHPWD. The format of the URL is "URL" + "username=$USER&password=$PWD". Note that a password placed in a URL is visible in the browser history and in proxy and web server access logs; prefer $HASHPWD and an HTTPS redirect URL.

l When entering the redirect URL in the CLI, enclose the URL in double quotation marks if it contains a question mark. For example, "http://192.10.5.201/oa/login.do?username=$USER&password=$HASHPWD"

SMS: Specifies SMS authentication as the authentication mode.

Authentication Method: Select the method used to send the authentication SMS: SMS Modem or SMS Gateway.

Lifetime of SMS Verification Code: With SMS authentication, users enter the verification code received on their mobile phone; the code becomes invalid when the timeout is reached. If the code has not been used by then, the user needs to request a new one. Specifies the verification code lifetime; the range is 1 to 10 minutes and the default value is 1 minute.

Sender Name: Specifies the sender name displayed in the message content. The length is 1 to 63 characters. Note: Because of a limitation of the UMS enterprise information platform, when SMS gateway authentication is enabled, the displayed sender name is the name registered on the UMS enterprise information platform.

Idle Timeout: If there is no traffic for the specified period after successful authentication, the system disconnects the connection. By default, the system does not disconnect an idle connection after successful authentication. Select the Idle Timeout check box to enable the idle timeout function and type the idle timeout value into the text box. Clear the check box to disable the idle timeout function.

Force Timeout: If forced re-login is enabled, users must log in again after the configured interval ends. Select the Force Timeout check box to enable the forced timeout function and type the forced timeout value into the text box. Clear the check box to disable the forced timeout function.

NTLM: Specifies NTLM authentication as the authentication mode.

Idle Timeout: If there is no traffic for the specified period after successful authentication, the system disconnects the connection. By default, the system does not disconnect an idle connection after successful authentication. Select the Idle Timeout check box to enable the idle timeout function and type the idle timeout value into the text box. Clear the check box to disable the idle timeout function.

Force Timeout: If forced re-login is enabled, users must log in again after the configured interval ends. Select the Force Timeout check box to enable the forced timeout function and type the forced timeout value into the text box. Clear the check box to disable the forced timeout function.

When NTLM Fails: Defines the next action when a user fails NTLM single sign-on. Select Use Password Mode to continue with password authentication. Select No Action to let the login fail.

Password/SMS: Specifies password authentication or SMS authentication as the authentication mode.

Password: Click the Password tab and configure the parameters for password authentication. For descriptions of the options, see the "Password" section above.

SMS: Click the SMS tab and configure the parameters for SMS authentication. For descriptions of the options, see the "SMS" section above.

SMS: Specifies SMS authentication as the authentication mode.

SMS: Click the SMS tab and configure the parameters for SMS authentication. For descriptions of the options, see the "SMS" section above.

3. Click Apply.

Notes:

l If the WebAuth success page is closed, you can log out not only by timeout but also by visiting the WebAuth status page (which displays online users, online times and a logout button). Visit it at "http(https)://IP-Address:Port-Number", where IP-Address is the IP address of the WebAuth interface and Port-Number is the HTTP/HTTPS port. By default, the HTTP port is 8181 and the HTTPS port is 44433. The WebAuth status page is unavailable if there are no online users on the client or WebAuth is disabled.

l After the basic configuration, you must create two policy rules in "Security Policy" on Page 788 to make WebAuth effective, and then move the two policies to the highest priority. The WebAuth policies need to be configured according to the following policy template:

l After WebAuth is configured, users who match the WebAuth policy must enter the correct username and password before they can access the network. The system takes measures to stop illegitimate users from obtaining usernames and passwords by brute force: if login from the same host fails three times within two minutes, that host is blocked for 2 minutes.
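The brute-force guard in the last note is a per-host sliding window. The following is an added example, not code from the StoneOS guide or from Hillstone, that models it: three failed logins within two minutes block the source host for two minutes, and while blocked even a correct password is refused. The thresholds are the ones the note states; the login attempts in SAMPLE_ATTEMPTS are constructed, and the class name and the 'fail'/'ok'/'blocked' verdicts are this example's own.

```python
"""Added example, not code from the StoneOS guide: per-host lockout after
three failed WebAuth logins within two minutes.  Sample attempts are constructed."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

FAIL_LIMIT = 3          # failures allowed ...
WINDOW_SECONDS = 120    # ... within this window (two minutes)
BLOCK_SECONDS = 120     # block duration once the limit is reached


class LoginGuard:
    def __init__(self) -> None:
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._blocked_until: Dict[str, float] = {}

    def is_blocked(self, host: str, now: float) -> bool:
        until = self._blocked_until.get(host)
        if until is None:
            return False
        if now >= until:                      # block expired, forget it
            del self._blocked_until[host]
            return False
        return True

    def record(self, host: str, success: bool, now: float) -> str:
        """Feed one login attempt; returns 'blocked', 'ok' or 'fail'."""
        if self.is_blocked(host, now):
            return "blocked"                  # refused regardless of the password
        window = self._failures[host]
        if success:
            window.clear()                    # a good login resets the count
            return "ok"
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()                  # drop failures older than the window
        if len(window) >= FAIL_LIMIT:
            self._blocked_until[host] = now + BLOCK_SECONDS
            window.clear()
            return "blocked"
        return "fail"


def replay(attempts: List[Tuple[float, str, bool]]) -> List[str]:
    """Run chronologically ordered (time, host, success) tuples through one guard."""
    guard = LoginGuard()
    return [guard.record(host, ok, t) for t, host, ok in attempts]


# Constructed sample: 10.1.1.5 fails three times within a minute and is then
# locked out even with the right password; 10.1.1.6 spreads its failures over
# more than the window and is never blocked.
SAMPLE_ATTEMPTS: List[Tuple[float, str, bool]] = [
    (0, "10.1.1.5", False), (0, "10.1.1.6", False), (30, "10.1.1.5", False),
    (60, "10.1.1.5", False), (61, "10.1.1.5", True), (181, "10.1.1.5", True),
    (200, "10.1.1.6", False), (201, "10.1.1.6", False),
]

if __name__ == "__main__":
    for attempt, verdict in zip(SAMPLE_ATTEMPTS, replay(SAMPLE_ATTEMPTS)):
        print(attempt, "->", verdict)
```

Because the key is the source host, every client that shares one address (for example behind a NAT device) shares one lock; keep that in mind when sizing the WebAuth policy and when reading lockout complaints from users on a shared segment.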

Customizing WebAuth Page


The WebAuth page is the page to which a user who has not yet authenticated is redirected when opening the browser. By default, you enter the username and password in the WebAuth page. You can also select the SMS authentication mode.

1. Click Network > WebAuth > WebAuth.

2. Click the Login Page Customization tab, click Download Template to download the zip file "webauth" containing the default WebAuth login page, and then unzip the file.

3. Open the source files and modify the content (style, pictures, etc.) according to your requirements. For more detailed information, see the file readme_cn.md or readme_en.md.

4. Compress the modified files and click Upload to upload the zip file to the system.

Notes:

l After upgrading from a previous version to version 5.5R6, the WebAuth login page you already specified becomes invalid and is restored to the default page. Re-download the template after the upgrade and customize the login page again.

l After upgrading the system version, you should re-download the template, modify the source files, and then upload the custom page package again. If the version of the uploaded package does not match the current system version, the custom login page will not work normally.

l The zip file must comply with the following requirements: the file format must be zip; the zip file may contain at most 50 files; the zip file may be at most 1 MB; the zip file must contain "index.html".

l The system can only keep one file for the default template page and the customized page. When you upload a new customized page file, the old file is overwritten. You are advised to back up the old file.

l To trigger WebAuth through HTTPS requests, you first need to import the root certificate (the certificate of the device) into the browser. Triggering WebAuth through HTTPS requests depends on the SSL proxy feature. If the device does not support SSL proxy, triggering WebAuth through HTTPS requests will not work, and you can trigger WebAuth through HTTP requests instead.

NTLM Authentication
This method is still triggered by the browser, which sends the user's logon information to the AD server automatically.
To configure the NTLM authentication, take the following two steps:

Step 1: Configure NTLM for System

1. Click Network > WebAuth > WebAuth to enter the WebAuth page.

2. Select NTLM from the Authentication Mode drop-down list. For the basic configurations,
see Configuring Basic Parameters for WebAuth.

3. Click Apply.

Step 2: Configure settings for User Browser

1. On the PC terminal of a user, open a browser (take IE as an example).

2. On the menu bar of IE browser, select Tools > Internet options.

3. In the pop-up Internet Options dialog box, click the Security tab, and click Custom level....

4. In the pop-up Security Settings - Internet Zone dialog box, enter User
Authentication>Logon and select Automatic logon with current user name and password.

Single Sign-On
After the user authenticates successfully once, the system obtains the user's authentication information, and the user can then access the Internet without authenticating again.
SSO can be realized through several methods. They are independent of each other, and all of them achieve "no-sign-on" authentication (the user does not need to enter a username and password).

Method (software or script to install): Description

l SSO Radius (none): After the SSO Radius function is enabled, the system can receive accounting packets based on the standard RADIUS protocol. According to these packets, the system obtains user authentication information, updates online user information and manages the user's login and logout.

l AD Scripting (Logonscript.exe): This method requires installing the script "Logonscript.exe" on the AD server. The triggered script sends user information to StoneOS. This method is recommended if you have high accuracy requirements for statistical monitoring and do not mind changing the AD server.

l Radius Snooping (none): The Remote Authentication Dial-In User Service (RADIUS) is a protocol used for the communication between a NAS and an AAA server. The RADIUS packet monitoring function analyzes RADIUS packets mirrored to the device, and the device automatically obtains the mappings between the usernames of authenticated users and their IP addresses, which lets the logging module provide auditing for the authenticated users.

l AD Polling (none): After the AD Polling function is enabled, the system regularly queries the AD server to obtain the login user information and probes the terminal PCs to verify whether the users are still online, thus obtaining correct authenticated user information to achieve SSO. This method is recommended if you do not want to change the AD server.

l SSO Monitor (none): After SSO Monitor is enabled, StoneOS builds a connection with the third-party authentication server through the SSO-Monitor protocol and obtains the user's online status and the group the user belongs to. The system also updates the mapping between username and IP address in real time for online users.

l AD Agent (AD Security Agent): This method requires installing the AD Security Agent software on the AD server or on another PC in the domain. The software sends user information to StoneOS. This method is recommended if you do not want to change the AD server.

l TS Agent (Hillstone Terminal Service Agent): This method requires installing and running Hillstone Terminal Service Agent on the Windows server. After the TS Agent is configured, when users log in to the Windows server through remote desktop services, Hillstone Terminal Service Agent allocates port ranges to the users and sends the port ranges and user information to the system. The system then creates mappings between traffic IP addresses, port ranges and users, and achieves "no-sign-on" authentication.

Enabling SSO Radius for SSO


After enabling SSO Radius function, system can receive the accounting packets that based on
Radius standard protocol. System will obtain user authentication information, update online user
information and manage user's login and logout according to the packets.
To configure the SSO Radius function, take the following steps:

1. Click Object > SSO Server > SSO Radius to enter the SSO Radius page. By default, SSO Radius is disabled.

2. Click the Enable button to enable the SSO Radius function.

3. Specify the Port to receive Radius packets for StoneOS (Don’t configure port in non-root
VSYS). The range is 1024 to 65535. The default port number is 1813.

4. Specify the AAA Server that user belongs to. You can select the configured Local, AD or
LDAP server. After selecting the AAA server, system can query the corresponding user
group and role information of the online user on the referenced AAA server, so as to realize
the policy control based on the user group and role.

5. Specify the IP Address, Shared Secret and timeouts of the SSO Radius clients that are allowed to access the system. You can configure up to 8 clients.

l IP Address: Specify the IPv4 address or IPv6 address (the IPv6 address is valid only when the system version is the IPv6 version) of the SSO Radius client. If the address is specified as "any", the system accepts packets sent from any RADIUS client.

l Shared Secret: Specify the shared secret of the SSO Radius client. The length is 1 to 31 characters. The system verifies each packet with the shared secret and parses it only after successful verification; packets that fail verification are dropped. Verification succeeds only when the SSO Radius client is configured with the same shared secret as the system, or when neither of them is configured with a shared secret (without a secret the packets are not authenticated, so configure one).

l Heartbeat Timeout (minute): Configure the idle interval for the authentication information from RADIUS packets on the device. If no update or delete packet for the user arrives during the interval, the device deletes the user's authentication information. The default value is 30; 0 means the information never times out. If both the heartbeat timeout and the idle timeout are configured, the user is logged out at the earlier of the two.

l Idle Timeout: The longest time an authenticated user keeps the authenticated state without traffic. When the configured idle timeout is exceeded, the system deletes the user's authentication information. The unit is minute; the range is 0 to 1440 and the default value is 0. If it is set to 0, the function is disabled, and an idle authenticated user is not kicked out.

l Forced Timeout: When the online time of a user exceeds the configured forced timeout, the system kicks the user out and forces a logout. The range is 0 to 144000 minutes and the default value is 600 minutes. If it is set to 0, the function is disabled.

6. Click Apply button to save all the configurations.
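The receiver described above has two jobs: check each accounting packet against the shared secret and, only then, turn it into a login or logout. The following is an added example, not code from the StoneOS guide or from Hillstone, of both. verify_accounting_request() recomputes the RADIUS Request Authenticator the way RFC 2866 defines it for Accounting-Request packets (MD5 over code, identifier, length, 16 zero bytes, the attributes and the shared secret) and drops the packet on mismatch; SsoRadiusTable.ingest() then maps Acct-Status-Type Start and Interim-Update to "user is online at this IP" and Stop to "user logged out". build_accounting_request() plays the RADIUS client so the example runs offline; the secret, username, addresses and session ID are constructed, and only IPv4 Framed-IP-Address is handled.

```python
"""Added example, not code from the StoneOS guide: authenticator check and
username-to-IP tracking for RADIUS accounting packets.  Sample data is constructed."""
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

ACCOUNTING_REQUEST = 4                       # RADIUS packet code (RFC 2866)
USER_NAME, FRAMED_IP, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 8, 40, 44
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def _encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    # each attribute is Type(1) Length(1, header included) Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_accounting_request(ident: int, secret: bytes,
                             attrs: List[Tuple[int, bytes]]) -> bytes:
    """Client side: an Accounting-Request as a NAS would send it."""
    body = _encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_attrs(body: bytes) -> Dict[int, bytes]:
    out: Dict[int, bytes] = {}
    i = 0
    while i + 2 <= len(body):
        attr_type, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute")
        out[attr_type] = body[i + 2:i + length]
        i += length
    return out


def verify_accounting_request(pkt: bytes, secret: bytes) -> Optional[Dict[int, bytes]]:
    """Return the attributes if the authenticator matches, else None (drop)."""
    if len(pkt) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or length != len(pkt):
        return None
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        return None
    try:
        return parse_attrs(pkt[20:])
    except ValueError:
        return None


class SsoRadiusTable:
    """username -> IPv4 address mapping maintained from verified accounting packets."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.online: Dict[str, str] = {}

    def ingest(self, pkt: bytes) -> str:
        attrs = verify_accounting_request(pkt, self.secret)
        if attrs is None:
            return "dropped"
        status = struct.unpack("!I", attrs.get(ACCT_STATUS_TYPE, b"\0\0\0\0"))[0]
        user = attrs.get(USER_NAME, b"").decode("utf-8", "replace")
        ip = ".".join(str(b) for b in attrs.get(FRAMED_IP, b""))
        if status in (1, 3) and user and ip:      # Start / Interim-Update: user is online
            self.online[user] = ip
        elif status == 2:                         # Stop: user logged out
            self.online.pop(user, None)
        return STATUS_NAMES.get(status, "unknown")


if __name__ == "__main__":
    # Constructed exchange: a Start for alice, then a Stop.
    secret = b"s3cret"
    table = SsoRadiusTable(secret)
    start = build_accounting_request(7, secret, [
        (USER_NAME, b"alice"), (FRAMED_IP, bytes([10, 1, 1, 5])),
        (ACCT_STATUS_TYPE, struct.pack("!I", 1)), (ACCT_SESSION_ID, b"0001")])
    print(table.ingest(start), table.online)
    stop = build_accounting_request(8, secret, [
        (USER_NAME, b"alice"), (ACCT_STATUS_TYPE, struct.pack("!I", 2))])
    print(table.ingest(stop), table.online)
```

With an empty secret on both sides the MD5 covers the packet alone, so the check passes for anyone who can reach the port and a forged Start can attach any username to any IP address; that is why the Shared Secret should always be set, and why the client IP Address should not be left as "any" where the port is reachable from untrusted networks.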

Using AD Scripting for SSO


Before using a script for SSO, make sure you have established your Active Directory server first.
To use a script for SSO, take the following steps:

Step 1: Configuring the Script for AD Server

1. Open the AD Security Agent software (for details on the software, see Using AD Agent Software for SSO). On the <AD Scripting> tab, click Get AD Scripting to obtain the script "Logonscript.exe", and save it in a directory that all domain users can access.

2. On the AD server, open the Start menu and select Management Tools > Active Directory Users and Computers.

3. In the pop-up <Active Directory User and Computer> dialog box, right-click the domain
which will apply SSO to select Properties, and then click <Group Policy> tab.

4. In the Group Policy list, double-click the group policy that will apply SSO. In the pop-up <Group Policy Object Editor> dialog box, select User Configuration > Windows Settings > Scripts (Logon/Logoff).

5. Double-click Logon on the right window, and click Add in the pop-up <logon properties>
dialog box.

6. In the <Add a Script> dialog box, click Browse to select the logon script (logonscript.exe)
for the Script Name; enter the authentication IP address of StoneOS and the text "logon"
for the Script Parameters(the two parameters are separated by space). Then, click OK.

7. Repeat steps 5 and 6 to configure the script for logging out, entering the text "logoff"
instead in step 6.

Notes: The directory in which the script is saved must be accessible to all domain users;
otherwise, the script will not be triggered when a user who lacks access to it logs in or
out.

Step 2: Configuring AD Scripting for StoneOS

After AD Scripting is enabled, a user who successfully logs in to the AD server is logged in
to the Hillstone device at the same time. The system only supports AD Scripting for Active
Directory servers.
To configure the AD Scripting function, take the following steps:

1. Click Object > SSO Server > AD Scripting to enter the AD Scripting page. The AD Scripting
function is disabled by default.

2. Select the Enable button of AD Scripting to enable the function.

3. Specify the AAA server that the user belongs to. You can select a configured Local, AD or
LDAP server. After the AAA server is selected, the system can query the online user's group
and role information on the referenced AAA server, which enables policy control based on user
group and role.

4. Allow or forbid simultaneous logins of users with the same name, as needed.

l Enable: Click to permit users with the same name to log in from multiple terminals
simultaneously.

l Disable: Click to permit only one login per user name; the user already logged in is kicked
out by the new login.

5. Click Apply to save the changes.

After completing the above two steps, the script can send the user information to StoneOS in real
time. When users log in or out, the script will be triggered and send the user behavior to
StoneOS.

Radius Snooping
The Remote Authentication Dial-In User Service (RADIUS) is a protocol used for communication
between a NAS and an AAA server. The RADIUS packet monitoring function analyzes the RADIUS
packets that are mirrored to the device; the device automatically obtains the mappings between
the user names of authenticated users and their IP addresses, which lets the logging module
provide auditing for authenticated users.
To configure Radius Snooping, take the following steps:

1. Click Object > SSO Server > Radius Snooping to enter the Radius Snooping page. The Radius
Snooping function is disabled by default.

2. Select the Enable button of Radius Snooping to enable the function.

3. Specify the AAA server that the user belongs to. You can select a configured Local, AD or
LDAP server. After the AAA server is selected, the system can query the online user's group
and role information on the referenced AAA server, which enables policy control based on user
group and role.

4. Specify the idle time. If the device does not receive mirrored RADIUS packets within the
specified time period, it deletes the mappings between user names and IP addresses. The value
ranges from 1 to 1440. By default, the system does not delete the user authentication
information when there is no traffic.

5. Specify the forced logout time. When a user's online time exceeds the configured forced
timeout, the system kicks the user out and forces a logout. The range is 0 (the function is
disabled) to 1440 minutes, and the default value is 600 minutes.

6. Specify the heartbeat timeout value. After authentication succeeds, the system automatically
reconfirms the login information before the configured timeout expires in order to maintain the
login status. If the idle time is configured at the same time, the user is logged off at
whichever value is smaller. The value range is 3 to 1440 minutes. The default value is 5
minutes.

7. Click Apply to save the changes.
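As an added illustration (example code written for this guide, not Hillstone's implementation), the following Python script parses constructed RADIUS Accounting-Request packets the way a snooping function must, builds the user-name-to-IP mapping from them, and ages entries out with the idle time and forced logout values described in the steps above. The packet code and attribute numbers are the standard ones from RFC 2865/2866; the user names, addresses and timestamps are constructed sample data.

```python
"""Added example (not Hillstone's code): a minimal RADIUS snooper that builds the
username-to-IP mapping StoneOS derives from mirrored RADIUS accounting packets
and ages it out with the idle time and forced logout values described above."""
import struct

# Packet code and attribute numbers from RFC 2865 / RFC 2866.
ACCT_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_FRAMED_IP = 8
ATTR_ACCT_STATUS = 40
ACCT_START, ACCT_STOP, ACCT_INTERIM = 1, 2, 3


def parse_radius(packet: bytes) -> dict:
    """Parse the 20-byte RADIUS header and the attribute TLVs that follow it."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS length field does not match the packet")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return {"code": code, "id": ident, "attrs": attrs}


def build_acct_request(user: str, ip: str, status: int, ident: int = 1) -> bytes:
    """Build a constructed Accounting-Request for the demo (authenticator zeroed)."""
    attrs = bytes([ATTR_USER_NAME, 2 + len(user)]) + user.encode()
    attrs += bytes([ATTR_ACCT_STATUS, 6]) + struct.pack("!I", status)
    if ip:  # Framed-IP-Address carries the address the user was given
        attrs += bytes([ATTR_FRAMED_IP, 6]) + bytes(int(o) for o in ip.split("."))
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    return header + b"\x00" * 16 + attrs


class RadiusSnooper:
    """User-to-IP table with the two timers of the Radius Snooping page (minutes).
    idle_time=0 keeps silent users forever; forced_logout=0 disables the hard limit."""

    def __init__(self, idle_time: int = 0, forced_logout: int = 600):
        self.idle_time = idle_time
        self.forced_logout = forced_logout
        self.sessions = {}  # username -> {"ip", "login", "last_seen"} (seconds)

    def handle(self, packet: bytes, now: int) -> None:
        """Update the table from one mirrored packet observed at time `now`."""
        msg = parse_radius(packet)
        attrs = msg["attrs"]
        if msg["code"] != ACCT_REQUEST or ATTR_USER_NAME not in attrs:
            return  # only accounting traffic carries the binding we snoop
        raw_status = attrs.get(ATTR_ACCT_STATUS, b"")
        if len(raw_status) != 4:
            return  # Acct-Status-Type is a 4-byte integer; ignore anything else
        user = attrs[ATTR_USER_NAME].decode("utf-8", "replace")
        status = struct.unpack("!I", raw_status)[0]
        if status == ACCT_START and ATTR_FRAMED_IP in attrs:
            ip = ".".join(str(b) for b in attrs[ATTR_FRAMED_IP])
            self.sessions[user] = {"ip": ip, "login": now, "last_seen": now}
        elif status == ACCT_INTERIM and user in self.sessions:
            self.sessions[user]["last_seen"] = now  # traffic seen: reset idle timer
        elif status == ACCT_STOP:
            self.sessions.pop(user, None)

    def expire(self, now: int) -> list:
        """Remove sessions past the forced logout or idle time; return the users removed."""
        gone = []
        for user, s in list(self.sessions.items()):
            forced = self.forced_logout and now - s["login"] >= self.forced_logout * 60
            idle = self.idle_time and now - s["last_seen"] >= self.idle_time * 60
            if forced or idle:
                gone.append(user)
                del self.sessions[user]
        return gone

    def user_for_ip(self, ip: str):
        """The audit question the logging module asks: which user owns this IP?"""
        for user, s in self.sessions.items():
            if s["ip"] == ip:
                return user
        return None


if __name__ == "__main__":
    snooper = RadiusSnooper(idle_time=30, forced_logout=600)
    snooper.handle(build_acct_request("alice", "10.1.2.3", ACCT_START), now=0)
    print(snooper.user_for_ip("10.1.2.3"))   # alice
    print(snooper.expire(now=30 * 60))        # ['alice'] (idle time reached)
```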

Using AD Polling for SSO

When a domain user logs in to the AD server, the AD server generates login logs. After the AD
Polling function is enabled, the system regularly queries the AD server to obtain the user login
information and probes the terminal PCs to verify whether the users are still online, thus
obtaining correct authenticated user information to achieve SSO.
Before using AD Polling for SSO, make sure that the Active Directory server is set up first. To
use AD Polling for SSO, take the following steps:

1. Click Object > SSO Client > AD Polling to enter the AD Polling page.

2. Click the button on the upper left corner of the page, and the AD Polling Configuration
dialog box pops up.

In the AD Polling Configuration dialog box, configure the following:

Option Description

Name: Specifies the name of the new AD Polling profile. The range is 1 to 31 characters.

Status: Click the Enable button to enable the AD Polling function. After enabling, the system
regularly queries the AD server to obtain user information and probes the terminal PCs to
verify whether the online users are still online. On the first query, the system obtains the
online user information recorded on the AD server in the previous 8 hours. If it fails to
obtain the previous information, the system obtains the subsequent online user information
directly.

Server Address: Enter the IP address of the authentication AD server in the domain. You can
only select an AD server. After the authentication AD server is specified, the AD server
generates login logs when domain users log in to it. The range is 1 to 31 characters.

Virtual Router: Select the virtual router that the AD server belongs to in the drop-down list.

Account: Enter a domain user name used to log in to the AD server. The format is
domain\username, and the range is 1 to 63 characters. The user must have permission to query
security logs on the AD server, for example the Administrator user, whose privilege is Domain
Admins on the AD server.

Password: Enter the password corresponding to the domain user name. The range is 1 to 31
characters.

AAA Server: Select the referenced AAA server in the drop-down list. You can select a configured
Local, AD or LDAP server; see "AAA Server" on Page 621. The configured authentication AD server
is recommended. After the AAA server is selected, the system can query the online user's group
and role information on the referenced AAA server, which enables policy control based on user
group and role.

AD Polling Interval: Configure the interval for regular AD Polling probing. The system queries
the AD server for online user information at this interval. The range is 1 to 3600 seconds, and
the default value is 2 seconds. A value of 2 to 5 seconds is recommended so that online user
information is obtained in real time.

Client Probing Interval: Configure the interval for regular client probing. At this interval
the system probes through WMI whether the user is still online, and kicks out the user if the
probe fails. The range is 0 to 1440 minutes, and the default value is 0 minutes (the function
is disabled). If timely detection of offline users is not important to you, a larger probing
interval is recommended to save system resources.

Force Timeout: Configure the forced logout time. When the user's online time exceeds the
configured timeout, the system kicks out the user and forces a logout. The range is 0 (the
function is disabled) to 144000 minutes, and the default value is 600 minutes.

3. Click OK button to finish the configuration of AD Polling.

Notes:

l When the system is restarted or the AD Polling configuration (except the account, password
and force timeout) is modified, the system clears the existing user information and obtains
the user information again according to the new configuration.

l To realize the AD Polling function, WMI must be enabled on the PC where the AD server is
located and on the terminal PCs. By default, WMI is enabled. To enable WMI, enter Control
Panel > Administrative Tools > Services and start the WMI Performance Adapter service.

l For WMI to probe the PC where the AD server is located and the terminal PCs, the RPC service
and remote management must be enabled. By default, both are enabled. To enable the RPC
service, enter Control Panel > Administrative Tools > Services and start Remote Procedure Call
and Remote Procedure Call Locator; to enable remote management, run the command prompt (cmd)
as administrator and enter the command netsh firewall set service RemoteAdmin.

l For WMI to probe the PC where the AD server is located and the terminal PCs, the PCs must
allow WMI through Windows Firewall. Select Control Panel > System and Security > Windows
Firewall > Allow an app through Windows Firewall, and in the Allowed apps and features list
check the Domain check box for Windows Management Instrumentation (WMI).

l To use the offline detection function, make sure that the clock of the PC where the AD server
is located and the clocks of the terminal PCs agree. To enable Synchronize with an Internet
time server, select Control Panel > Clock, Language, and Region > Date and Time; in the Date
and Time dialog box that pops up, click the Internet Time tab and check Synchronize with an
Internet time server.

Using SSO Monitor for SSO

When a user logs in through a third-party authentication server, the authentication status is
saved on that server. StoneOS connects to the third-party authentication server through the
SSO-Monitor protocol and obtains the user's online status and the group the user belongs to.
To use SSO Monitor for SSO, take the following steps:

1. Click Object > SSO Client > SSO Monitor to enter the SSO Monitor page.

2. Click the button, and the SSO Monitor Configuration dialog box pops up.

In the SSO Monitor Configuration dialog box, configure the following:

Option Description

Name: Specifies the name of the new SSO Monitor. The range is 1 to 31 characters.

Status: Click the Enable button to enable the SSO Monitor function. After the function is
enabled, the system connects to the third-party authentication server through the SSO-Monitor
protocol and obtains the user's online status and the group the user belongs to. The device
then generates the authenticated user according to this authentication information.

Server Address: Enter the IP address of the authentication server. The range is 1 to 31
characters. You can select a third-party custom authentication server that supports the
SSO-Monitor protocol. After the authentication server is specified, the server saves the user's
authentication information when the user logs in to it.

Virtual Router: Select the virtual router that the authentication server belongs to in the
drop-down list.

Port: Specifies the port number of the third-party authentication server. The system obtains
user information through this port. The default number is 6666. The range is 1024 to 65535.

AAA Server: Select the referenced AAA server in the drop-down list. You can select a configured
Local, AD or LDAP server; see "AAA Server" on Page 621 for the configuration method. After the
AAA server is selected, the system can query the online user's group and role information on
the referenced AAA server, which enables policy control based on user group and role.

Organization Source: Select the method of synchronizing the user organization structure with
the system: Message or AAA Server. When Message is selected, StoneOS uses the user group carried
in the authentication information as the group the user belongs to; this is typically used when
the third-party authentication server stores the user groups. When AAA Server is selected,
StoneOS uses the user organization structure of the AAA server as the group the user belongs
to; this is typically used when the third-party authentication server authenticates against the
AAA server and the user organization structure is stored in the AAA server.

Reconnection Timeout: Configure the reconnection timeout. When StoneOS disconnects from the
third-party authentication server due to a timeout, the system waits for the disconnection
timeout. If the system still fails to reconnect within the configured time, it deletes the
online users. The range is 0 to 1800 seconds. The default value is 300. 0 means the user
authentication information never times out.

3. Click OK button to finish SSO Monitor configuration.

Notes: You can configure different numbers of SSO Monitors on different servers. When the
configured number exceeds the limit, the system pops up an alarm message.

Using AD Agent Software for SSO


Before using AD Security Agent for SSO, make sure you have established your Active Directory
server first. To use AD Security Agent for SSO, take the following steps:

Step 1: Installing and Running AD Security Agent on a PC or Server

AD Security Agent can be installed on an AD server or on a PC in the domain. If you install the
software on an AD server, the communication only includes "AD Security Agent → StoneOS"; if you
install it on a PC in the domain, the communication includes both directions in the following
table. The default protocols and ports used in the communication are as follows:

Communication direction     AD Security Agent → AD Server    AD Security Agent → StoneOS

Protocol                    TCP                              TCP

Port (StoneOS)              ---                              6666

Port (AD Security Agent)    1935, 1984                       6666

Port (AD Server)            445                              ---

To install the AD Security Agent to an AD server or a PC in the domain, take the following steps:

1. Click http://swupdate.hillstonenet.com:1337/sslvpn/download?os=windows-adagent to
download the AD Security Agent software, and copy it to a PC or a server in the domain.

2. Double-click ADAgentSetup.exe to open it and follow the installation wizard to install it.

3. Start AD Security Agent through one of the following two methods:

l Double-click the AD Agent Configuration Tool shortcut on the desktop.

l Click the Start menu, and select All apps > Hillstone AD Agent > AD Agent Configuration
Tool.

4. Click the <General> tab.

On the <General> tab, configure these basic options.

Option Description

Agent Port: Enter the agent port number. AD Security Agent uses this port to communicate with
StoneOS. The range is 1025 to 65535. The default value is 6666. This port must be the same as
the monitoring port configured in StoneOS; otherwise, AD Security Agent and StoneOS cannot
communicate with each other.

AD User Name: Enter the user name used to log in to the AD server. If AD Security Agent is
running on another PC in the domain, this user must have sufficient privilege to query event
logs on the AD server, for example the Administrator user, whose privilege is Domain Admins on
the AD server.

Password: Enter the password that matches the user name. If AD Security Agent is running on the
device where the AD server is located, the user name and password can be empty.

Server Monitor

Enable Security Log Monitor: Select to enable monitoring of event logs on AD Security Agent.
The default query interval is 5 seconds. This function must be enabled if AD Security Agent is
required to query user information.

Monitor Frequency: Specifies the polling interval for querying the event logs on the different
AD servers. The default value is 5 seconds. After finishing the query of an AD server, AD
Security Agent sends the updated user information to the system.

Client probing

Enable WMI probing: Select the check box to enable WMI probing.

l For WMI to probe the terminal PCs, the terminal PCs must have the RPC service and remote
management enabled. To enable the RPC service, enter Control Panel > Administrative Tools >
Services and start Remote Procedure Call and Remote Procedure Call Locator; to enable remote
management, run the command prompt (cmd) as administrator and enter the command netsh firewall
set service RemoteAdmin.

l WMI probing is an auxiliary method for the security log monitor; it probes all IPs in the
Discovered Users list. When the probed domain name does not match the stored name, the stored
name is replaced by the probed name.

Probing Frequency: Specifies the interval of the active probing action. The range is 1 to 99
minutes and the default value is 20 minutes.

5. On the <Discovered Server> tab, click Auto Discover to start automatically scanning for AD
servers in the domain. Alternatively, click Add and enter the IP address of a server to add it
manually.
When querying event logs on multiple AD servers, the query order is from top to bottom in the
list.

6. On the <Filtered User> tab, type the user name to be filtered into the Filtered user text
box. Click Add, and the user is displayed in the Filtered User list. You can configure up to 100
filtered users; the names are not case sensitive.

7. Click the <Discovered User> tab to view the detected correspondence between user names and
user addresses.
Tip: A user added to the Filtered User list is not displayed in the Discovered User list.

8. On the <AD Scripting> tab, click Get AD Scripting to get the script "Logonscript.exe". (For
an introduction to and installation of this script, refer to "Using AD Scripting for SSO" on
Page 347.)

9. Click Commit to submit all settings and start the AD Security Agent service at the same time.

Notes: After you commit, the AD Agent service keeps running in the background. To modify the
settings, edit them in the AD Agent Configuration Tool and click Commit; the new settings take
effect immediately.

Step 2: Configuring AD server for StoneOS

To ensure that the AD Security Agent can communicate with StoneOS, take the following steps
to configure the AD server:

1. Click Object >AAA Server to enter the AAA server page.

2. Choose one of the following two methods to enter the Active Directory server configuration
page:

l Click the button on the upper left corner of the page, and choose Active Directory Server in
the drop-down list.

l Choose the configured AD server and click the button on the upper left corner of the page.

3. For the basic configuration of the AD server, see Configuring Active Directory Server. The
following settings must match the AD Security Agent:

l Server Address: Specify the IP address or domain name of the AD server. It must be the same
as the IP address of the device on which AD Security Agent is installed.

l Security Agent: Check the check box to enable the SSO function, so that the server can send
user online information to StoneOS.

l Agent Port: Specify the monitoring port. StoneOS communicates with the AD Security Agent
through this port. The range is 1025 to 65535. The default value is 6666. This port must be the
same as the port configured on the AD Security Agent; otherwise, the system fails to
communicate with the AD Agent.

l Reconnection Timeout: Specifies the timeout after which the user binding information is
deleted. The range is 0 to 1800 seconds. The default value is 300 seconds. 0 means never time
out.

4. Click OK to finish the related configuration of the AD server.

After completing the above two steps, when a domain user logs in to the AD server, the AD
Security Agent sends the user name, address and online time to StoneOS.

Using TS Agent for SSO


The configurations of TS Agent for SSO include:

l Configuring the TS Agent server: Installing and running Hillstone Terminal Service Agent in
Windows server.

l Configuring the TS Agent client: Configuring TS Agent parameters in StoneOS.

Step 1: Installing and running Hillstone Terminal Service Agent on the Windows server

1. Click http://swupdate.hillstonenet.com:1337/sslvpn/download?os=windows-tsagent to
download the Hillstone Terminal Service Agent installation program, and copy it to the Windows
server.

Notes:
l Windows Server 2008 R2, Windows Server 2016, and Windows Server 2019 are currently
supported. If Windows Server 2008 R2 is used, Windows Server 2008 R2 Service Pack 1 and
KB3033929 must be installed.

l It is recommended to close the anti-virus software before installing Hillstone Terminal
Service Agent on the Windows server.

2. Double-click HSTSAgent.exe to open it and follow the installation wizard to install it.

3. Start Hillstone Terminal Service Agent through one of the two following methods:

l Double-click the Hillstone Terminal Service Agent shortcut on the desktop.

l Click Start menu, and select All app > Hillstone Terminal Service Agent.

4. Click the Agent Config tab.

In the Agent Config tab, configure the following options.

Option Description

Agent Status: Shows the running status of Hillstone Terminal Service Agent.

Listening Address IPv4: Specifies the IPv4 address to listen on. The default value is 0.0.0.0,
which means listening on all IPv4 addresses.

Listening Address IPv6: Specifies the IPv6 address to listen on. The default value is ::, which
means listening on all IPv6 addresses.

Listening Port: Specifies the listening port number. The range is 1025 to 65534. The default
value is 5019. This port must be the same as the TS Agent server port configured in StoneOS;
otherwise, the TS Agent client and the TS Agent server cannot communicate with each other.

Heartbeat Interval: Specifies the interval at which the TS Agent client sends heartbeats to the
TS Agent server. The range is 1 to 30 seconds. The default value is 5 seconds.

Heartbeat Timeout: The TS Agent client disconnects from the TS Agent server if it does not
receive a heartbeat response from the server within the configured time. The range is 10 to
300 seconds. The default value is 60 seconds.

SSL Cert File: The TS Agent client synchronizes information with the TS Agent server over an
SSL connection. You can use the internal default SSL cert file or import an external SSL cert
file.

Import extern cert file: Click this button to import a new SSL cert file through the <Import
extern cert file> dialog box. The imported cert uses the PKCS12 standard and is in .pfx format.
To import the external cert file, you must create a PKI trust domain and import the CA
certificate.

Delete extern cert file: Click this button to delete the external SSL cert file. After
deletion, you need to restart Hillstone Terminal Service Agent for the default SSL cert file to
take effect. To restart Hillstone Terminal Service Agent, click Restart Agent Server in the
System drop-down menu.

5. Click the Access Control Config tab.

In the Access Control Config tab, configure the following options.

Option Description

Enable Access Control List: Select this check box to check whether the IP address of a newly
connecting StoneOS is in the IPv4 address list or IPv6 address list below; if not, the access
is denied. This function is disabled by default.

IPv4 Address: When the access control list feature is enabled, IPv4 addresses that are not in
the list are denied access.

IPv6 Address: When the access control list feature is enabled, IPv6 addresses that are not in
the list are denied access.

Add: Enter an IP address in the text box above Add, and click Add to add the IP address to the
IPv4 address list or IPv6 address list.

Remove: Select an IP address in the IPv4 address list or IPv6 address list, and click Remove to
delete the IP address from the list.

Modify: Select an IP address in the IPv4 address list or IPv6 address list, modify the address
in the text box below, and then click Modify to save the modified address to the list.

6. Click the Port Config tab.

In the Port Config tab, configure the following options.

Option Description

System Reserved Port Range: The range of ports reserved by the system, which is read from the
system registry and cannot be modified.

System Allocable Port Range: The range of ports that the system dynamically allocates to users,
which is read from the system registry and cannot be modified.

User Allocable Port Range: The total port range that can be allocated to users. The range is
1025 to 65534. The default value is 20000 to 39999. Only one port range can be configured at a
time; the minimum range size is the specified user port block size, and the maximum range size
is 40960.

User Reserved Port Range: The user-defined reserved port range. The range is 1025 to 65534. The
default value is NULL. You can configure more than one port range, separated by commas, such as
2000-3000,3500,4000-4200.

User Port Block Size: The number of ports allocated to a user at a time. The range is 20 to
2000. The default value is 200.

User Port Block Max: The maximum number of port blocks allocated to each user. The range is 1
to 256. The default value is 1.

Passthrough when user port exhausted: Select the check box so that, when the ports in the User
Allocable Port Range are exhausted, the system allocates ports to users from the System
Allocable Port Range. This option is checked by default.

7. Click the User Info tab.

In the User Info tab, view information about users.

Option Description

User Info. List: Shows the login user information, including ID, UID, user name, port block
count and login time. When users log in to the TS Agent server using remote desktop services,
Hillstone Terminal Service Agent records the user info. in the list. It can record up to 2000
users.

Filter User Name: Enter the user name in the text field and click Refresh; the matching user
info. is displayed in the user info. list. The user name is case sensitive.

Global Total Port Free: The number of remaining ports available to users.

Port Range: The port range already allocated to logged-in users. After a user logs off, the
system reclaims all port ranges allocated to that user.

Total Port Alloced: The total number of ports allocated to logged-in users.

TCP/UDP/TCP6/UDP6 Port Used: The number of ports already used by users. After the user's
connection to the Internet is disconnected, the system reclaims the ports.

TCP/UDP/TCP6/UDP6 Port Free: The number of ports available to the user when creating a new
connection.

Auto Refresh: Check the check box to refresh the port statistics every 5 seconds.

8. Click the Firewall Info tab.

In the Firewall Info tab, view information about StoneOS.

Option Description

Connected Device List: Displays the StoneOS devices currently connected to the TS Agent server,
including ID, SN, connection status, IP address, port and time.

Auto Refresh: Check the check box to refresh the information of the connected devices every 5
seconds.

9. Configure related functions and view information using the menu bar.

Menu bar options:

System

Restart agent server: Click this option to restart Hillstone Terminal Service Agent. While
Hillstone Terminal Service Agent is restarting, Agent Status on the Agent Config tab shows
"Hillstone Terminal Service Agent is stopped". When the restart is completed, Agent Status on
the Agent Config tab shows "Hillstone Terminal Service Agent is running".

Info

Open log info: Click this option to perform the following operations in the pop-up Log Info
dialog box:

l Check one or more check boxes in the Info Select section; the corresponding logs are
displayed in the log info list.

l Select a log in the log info list; the complete info. of this log is displayed in the text
box at the lower left corner.

l Type a character string in the Filter text box and click Refresh; the log info. containing
the character string is displayed in the log info list.

l Check the ID of one or more logs in the log info. list, and click Delete to delete the
selected logs.

l Click Export to text to export the log info. as a text file.

l Click and drag the scroll slider at the lower left corner left or right to scroll through the
log info. pages quickly. The text field below displays the total number of log entries, the
total number of log pages, and the current page.

Log enable set: Click this option, and check or uncheck each type of log info.; the system
records or does not record that type of log info. accordingly. By default, the system records
Event, Alarm and Config log info.

Open debug info: Click this option; the SMP (Service Process Module) debug info. file and the
KM (Kernel Module) debug info. file are displayed in the pop-up Debug Info dialog box. You can
perform the following operations:

l Double-click the file name to open the file.

l Select the file name and press the Delete key on your keyboard to delete the file.

SPM debug level set: Click this option and check the level of the SMP debug info.; the system
records the info. at or above the selected level. The default level is Event. You can view the
SMP debug info. in the Debug Info dialog box: SMP debug info. at the Critical and Error levels
is displayed in the SPM error section; SMP debug info. at other levels is displayed in the SPM
info section.

KM debug level set: Click this option and check the level of the KM debug info.; the system
records the info. at or above the selected level. The default level is Critical. You can view
the KM debug info. in the Debug Info dialog box: KM debug info. at the Critical and Error levels
is displayed in the KM error section; KM debug info. at other levels is displayed in the KM info
section.

About

About: Displays the version, copyright and other information.

Step 2: Configuring TS Agent parameters in StoneOS

To configure the TS Agent parameters in StoneOS, take the following steps:

1. Select Object > SSO Client > TS Agent.

2. Click New.

In the TS Agent Configuration dialog box, configure the following options.

Option Description

Name: Specifies the name of the new TS Agent. The range is 1 to 31 characters.

Status: Select the Enable button to enable the TS Agent function. After enabling, StoneOS
establishes an SSL connection with the TS Agent server and obtains user and port range
information. The system also updates the mappings of traffic IPs, port ranges and user names
in real time for online users.

Host: Specifies the management address of the TS Agent server. It can be a domain name, or an
IPv4 or IPv6 address.

Virtual Router: Select the virtual router that the TS Agent server belongs to in the drop-down
list.

Port: Specifies the port number of the TS Agent server. The default number is 5019. The range
is 1025 to 65534. This port number must be the same as the listening port number of Hillstone
Terminal Service Agent; otherwise, the TS Agent client and the TS Agent server cannot
communicate with each other.

AAA Server: Select the referenced AAA server in the drop-down list. You can select a configured
Local, AD or LDAP server; see "AAA Server" on Page 621. After the AAA server is selected, the
system can query the online user's group and role information on the referenced AAA server,
which enables policy control based on user group and role.

Disconnection Timeout: When StoneOS disconnects from the TS Agent server, the system waits for
the disconnection timeout. If the system still fails to reconnect within the configured time,
it deletes the online users. The range is 0 to 1800 seconds. The default value is 300. 0 means
the online users are deleted immediately.

Traffic IP: Specifies the traffic IP address, that is, the IP address of the network interface
of the TS Agent server. It can be an IPv4 or IPv6 address. You can specify up to 4 IP
addresses. Enter an IP address in the text field and click Add to add it to the Traffic IP list
below. Check an IP address in the Traffic IP list and click Delete to delete it.

3. Click OK to finish the configuration of TS Agent.

After all the above configurations are finished, when users log in to the TS Agent server using
remote desktop services, the Hillstone Terminal Service Agent will allocate port ranges to the users
and send the port ranges and user information to the system. At the same time, the system will
create the mappings of traffic IPs, port ranges and users.
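The mapping just described, as an added example that is not Hillstone code: each online user is identified by the terminal server's traffic IP plus the source-port range the agent allocated, and the whole mapping is dropped once the agent has been unreachable for the disconnection timeout. The class and method names, the sample addresses and the port ranges are this example's own.

```python
"""Model of the StoneOS TS Agent user mapping (added example, not Hillstone code).
A flow from the terminal server is attributed to a user by (traffic IP, source port);
the mapping is cleared if the agent stays disconnected for the disconnection timeout
(default 300 s; 0 means delete the online users immediately)."""
import bisect
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PortRange:
    start: int
    end: int
    user: str


class TSAgentMapping:
    MAX_TRAFFIC_IPS = 4  # the TS Agent dialog allows up to four traffic IPs

    def __init__(self, disconnect_timeout: int = 300) -> None:
        if not 0 <= disconnect_timeout <= 1800:
            raise ValueError("disconnection timeout must be 0..1800 seconds")
        self.timeout = disconnect_timeout
        # traffic IP -> non-overlapping port ranges sorted by start port
        self.ranges: Dict[str, List[PortRange]] = {}
        self.disconnected_since: Optional[float] = None

    def allocate(self, traffic_ip: str, user: str, start: int, end: int) -> None:
        """Record that the agent gave `user` the ports start..end on traffic_ip."""
        ip = str(ipaddress.ip_address(traffic_ip))
        if not 1 <= start <= end <= 65535:
            raise ValueError("bad port range")
        if ip not in self.ranges and len(self.ranges) >= self.MAX_TRAFFIC_IPS:
            raise ValueError("too many traffic IPs")
        lst = self.ranges.setdefault(ip, [])
        i = bisect.bisect_left([r.start for r in lst], start)
        # ranges must not overlap, otherwise a port would map to two users
        if i > 0 and lst[i - 1].end >= start:
            raise ValueError("overlaps an existing range")
        if i < len(lst) and lst[i].start <= end:
            raise ValueError("overlaps an existing range")
        lst.insert(i, PortRange(start, end, user))

    def lookup(self, traffic_ip: str, src_port: int) -> Optional[str]:
        """Map a flow's (source IP, source port) to the terminal-server user."""
        lst = self.ranges.get(str(ipaddress.ip_address(traffic_ip)), [])
        i = bisect.bisect_right([r.start for r in lst], src_port) - 1
        if i >= 0 and lst[i].start <= src_port <= lst[i].end:
            return lst[i].user
        return None  # unknown flow: user-based policy cannot match it

    def logout(self, user: str) -> int:
        """Remove all ranges of a user; returns how many were removed."""
        removed = 0
        for ip, lst in self.ranges.items():
            keep = [r for r in lst if r.user != user]
            removed += len(lst) - len(keep)
            self.ranges[ip] = keep
        return removed

    def agent_disconnected(self, now: float) -> None:
        if self.disconnected_since is None:
            self.disconnected_since = now

    def agent_reconnected(self) -> None:
        self.disconnected_since = None

    def expire(self, now: float) -> bool:
        """Periodic check: drop every online user once the agent has been
        unreachable for at least the disconnection timeout."""
        if self.disconnected_since is None:
            return False
        if now - self.disconnected_since < self.timeout:
            return False
        self.ranges.clear()
        return True
```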

802.1x
This feature may not be available on all platforms. Check the actual pages of your device to see whether it delivers this feature.
802.1X is a standard defined by IEEE for Port-based Network Access Control. It uses Layer-2 based authentication (protocol: EAPOL, Extensible Authentication Protocol over LAN) to verify the legitimacy of users accessing the network through the LAN. Before authentication, the security device only allows 802.1X messages to pass through the port. After authentication, all normal traffic can pass through.
The AAA servers supported for 802.1x are the Local server and the Radius server. Other types of AAA servers, like AD or LDAP servers, do not support 802.1x.
The authentication process is the same as for other authentication methods; please refer to "Chapter 7 Authentication" on Page 327.

Configuring 802.1x
A complete configuration for 802.1x authentication includes the following points:

l Prerequisite: Before configuration, you should already have the AAA server you want (only
local or Radius server is supported for 802.1x). The AAA server has been added in the fire-
wall system (refer to AAA server), and the interface or VLAN for authentication has been
bound to a security zone (refer to interface or VLAN).

l Configuration key steps:

1. Creating an 802.1x profile.

2. Creating a security policy to allow access.

l In the user's PC, modify the network adapter's properties: If the computer is connected to the
802.1x interface, this computer should enable its authentication function on its LAN port
(right click LAN and select Properties, in the prompt, under the <Authentication> tab, select
MD5-Challenge or Microsoft: Protected EAP (PEAP), and click OK to confirm.)

Notes: Early versions of Windows had 802.1x enabled by default, but Windows 7
and Windows 8 do not have this feature enabled. To enable 802.1x, please search
online for a solution that suits your system.

Creating 802.1x Profile

To create an 802.1x profile, take the following steps:

1. Select Network > 802.1X > 802.1X.

2. Click New and a prompt appears.

Under the Basic tab and Advanced tab, enter values for the following options.

Basic Configuration

802.1x Name    Enter a name for the 802.1x profile.

Interface    Select the interface for 802.1x authentication. It should be a Layer-2 interface or a VLAN interface.

AAA Server    Select the AAA server for 802.1x authentication. It should be a local server or a Radius server.

Access Mode    Select an access mode. If you select Port and one of the clients connected to the 802.1x interface has passed authentication, all clients can access the Internet. If you select MAC, every client must pass authentication before using the Internet.

Advanced Configuration

Port authorized    If you select Auto, the system will allow users who have successfully passed authentication to connect to the network. If you select Force-unauthorized, the system will disable the authorization of the port; as a result, no client can connect to the port, so there is no way to connect to the network.

Re-auth period    Enter a time period as the re-authentication time. After a user has successfully connected to the network, the system will automatically re-authenticate the user's credentials after this period. The range is from 0 to 65535 seconds. If the value is set to 0, this function is disabled.

Quiet period    If authentication fails, it will take a moment before the system can process another authentication request from the same client. The range is 0 to 65535 seconds, and the default value is 60 seconds. If this value is set to 0, the system will not wait, and will immediately process the next request from the same client.

Retries    After sending an authentication request to the client and receiving a response containing the expected data, the authenticator transmits the client's response data to the authentication server and waits for a response. If the authentication server does not answer, the authenticator will resend the authentication request to the client until it receives a response from the authentication server or exceeds the allowed maximum number of retries. The range is 1 to 10 times, and the default is 2 times.

Server timeout    After sending an authentication request to the client and receiving a response containing the expected data, the authenticator transmits the client's response data to the authentication server and waits for a response. If the server does not answer the authenticator within the specified time, the authenticator will resend the authentication request to the client. The range is 1 to 65535 seconds, and the default value is 30 seconds.

Client timeout    When the authenticator sends a request asking the client to submit its username, the client needs to respond within the specified period. If the client does not respond before the timeout, the system will resend the authentication request message. The range is 1 to 65535 seconds, and the default value is 30 seconds.

3. Click OK.

802.1x Global Configuration

Global parameters apply to all 802.1x profiles.


To configure global parameters, take the following steps:

1. Select Network > 802.1X > Global Configuration.

In the Global Configuration dialog box, specify the parameters that will be applicable for all
802.1x profiles.

Option Description

Maximum Users    The maximum number of user clients for an authentication port.

Multiple logins    You may choose to allow or disable one account logging in from different clients.

l Disable: If you select Disable, one account can only log in from one client at a time. Then, if you want to kick off the old login user, select Replace; if you want to refuse the new login user, select Refuse.

l Enable: If you select Enable, different clients can use one account to log in. If you do not want to limit the number of login clients, select Unlimited; if you want to set a maximum number of logins, select Max attempts and enter a value for the maximum number of user clients.

Re-Auth time    Specify the authentication timeout value. If the client does not respond within the timeout period, the client will be required to re-enter its credentials. The range is 180 to 86400 seconds, and the default value is 300 seconds.

2. Click OK.
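How the profile's Access Mode, Port authorized and Quiet period settings combine with the global Multiple logins setting to decide who may pass the interface, as an added example that is not Hillstone code. The class, the return strings, the interface and MAC names are this example's own, and the AAA credential check is stubbed by the `credentials_ok` flag.

```python
"""Decision model for an 802.1x authenticator (added example, not Hillstone code)."""
from typing import Dict, Optional, Tuple

Client = Tuple[str, str]  # (interface, client MAC)


class Dot1xAuthenticator:
    def __init__(self, access_mode: str = "MAC", port_authorized: str = "Auto",
                 quiet_period: int = 60, multiple_logins: str = "Disable",
                 on_conflict: str = "Refuse", max_clients: Optional[int] = None):
        assert access_mode in ("Port", "MAC")
        assert port_authorized in ("Auto", "Force-unauthorized")
        assert multiple_logins in ("Disable", "Enable")
        assert on_conflict in ("Replace", "Refuse")  # used when logins are Disabled
        self.access_mode = access_mode
        self.port_authorized = port_authorized
        self.quiet_period = quiet_period              # seconds; 0 = never wait
        self.multiple_logins = multiple_logins
        self.on_conflict = on_conflict
        self.max_clients = max_clients                # None = Unlimited
        self.sessions: Dict[Client, str] = {}         # authenticated client -> account
        self.quiet_until: Dict[Client, float] = {}    # client -> end of its quiet period

    def authenticate(self, iface: str, mac: str, account: str,
                     credentials_ok: bool, now: float) -> str:
        client = (iface, mac)
        if self.port_authorized == "Force-unauthorized":
            return "unauthorized"          # the port never authorizes anyone
        if now < self.quiet_until.get(client, float("-inf")):
            return "quiet"                 # request ignored until the quiet period ends
        if not credentials_ok:
            self.quiet_until[client] = now + self.quiet_period
            return "failed"
        # Multiple logins policy: is this account already logged in elsewhere?
        others = [c for c, a in self.sessions.items() if a == account and c != client]
        if others:
            if self.multiple_logins == "Disable":
                if self.on_conflict == "Refuse":
                    return "refused"       # old login stays, new one is refused
                for c in others:           # Replace: kick the old login off
                    del self.sessions[c]
            elif self.max_clients is not None and len(others) >= self.max_clients:
                return "refused"           # Max attempts reached for this account
        self.sessions[client] = account
        return "allowed"

    def is_allowed(self, iface: str, mac: str) -> bool:
        """Does this client's normal traffic currently pass the interface?"""
        if self.port_authorized == "Force-unauthorized":
            return False
        if self.access_mode == "Port":
            # one authenticated client opens the whole interface for everyone
            return any(i == iface for i, _ in self.sessions)
        return (iface, mac) in self.sessions
```

Port mode is the setting to think twice about: once one client on the interface has passed, `is_allowed` is true for every MAC behind the same port.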

Viewing Online Users


To view which authenticated users are online:

1. Select Network > 802.1X > Online user.

2. The page will show all online users. You can set up filters to view results that match your
conditions.

PKI
PKI (Public Key Infrastructure) is a system that provides public key encryption and digital signature services. PKI is designed to automate secret key and certificate management, and to assure the confidentiality, integrity and non-repudiation of data transmitted over the Internet. A PKI certificate binds a public key to the identity of its user and is issued by a trusted third party, so that the user can be authenticated over the Internet. A PKI system consists of Public Key Cryptography, CA (Certificate Authority), RA (Registration Authority), Digital Certificate and the related PKI storage library.
PKI terminology:

l Public Key Cryptography: A technology used to generate a key pair that consists of a public
key and a private key. The public key is widely distributed, while the private key is only
known to the recipient. The two keys in the key pair complement each other, and the data
encrypted by one key can only be decrypted by the other key of the key pair.

l CA: A trusted entity that issues digital certificates to individuals, computers or any other entities. The CA accepts requests for certificates and verifies the information provided by the applicants based on its certificate management policy. If the information is valid, the CA signs the certificates with its private key and issues them to the applicants.

l RA: An extension of the CA. The RA forwards requests for a certificate to the CA, and also forwards the digital certificates and CRLs issued by the CA to directory servers in order to provide directory browsing and query services.

l CRL: Each certificate is issued with an expiration date. However, the CA might revoke a certificate before its expiration date due to key leakage, business termination or other reasons. Once a certificate is revoked, the CA issues a CRL to announce that the certificate is invalid, and lists the serial number of the invalid certificate.

PKI is used in the following situations:

l IKE VPN: PKI can be used by IKE VPN tunnel.

l HTTPS/SSH: PKI applies to the situation where a user accesses a Hillstone device over
HTTPS or SSH.

l "Sandbox" on Page 1009: Supports verifying the trusted certificates of PE files.

Creating a PKI Key

1. Select System > PKI > Key.

2. Click New.

In the PKI Key Configuration dialog, configure the following.

Option Description

Label    Specifies the name of the PKI key. The name must be unique.

Key configuration mode    Specifies how the key is obtained: Generate or Import.

Key Pair Type    Specifies the type of key pair: RSA, ECC, DSA or SM2.

Key Modulus    Specifies the modulus of the key pair. The modulus of RSA and DSA is 1024 (the default value), 2048, 512 or 768 bits, and the modulus of SM2 is 256.

EC group    Specifies the EC group of the key pair when you choose ECC. It includes the P-256, P-384 and P-521 elliptic curves. The default EC group is P-256.

Type    Specifies the type of key, either Encryption Key or Key Pair.

l Encryption Key - Protects the signing key pair by digital envelope. If you select this option, you should specify the signing key pair when importing the key.

l Key Pair - If you select this option, you should specify the imported key pair type as RSA, DSA or SM2.

Import Key    Browse your local file system and import the key file.

3. Click OK.

Creating a Trust Domain

1. Select System > PKI > Trust Domain.

2. Click New.

In the Basic Configuration tab, configure values for basic properties.

Option Description

Basic

Trust Domain    Enter the name of the new trust domain.

Enrollment Type    Use one of the two following methods:

l Select Manual Input, click Browse to find the certificate, and click Import to import it into the system.

l Select Self-signed Certificate, and the certificate will be generated by the device itself.

Key Pair    Select a key pair.

Subject

Name    Enter the name of the subject.

Country (Region)    Enter the name of the applicant's country or region. Only a two-letter abbreviation is allowed, like CN.

Location    Optional. The location of the applicant.

State/Province    Optional. State or province name.

Organization    Optional. Organization name.

Organization Unit    Optional. Department name within the applicant's organization.

3. Click Apply Certificate, and a string of encoded text will appear.

4. Copy this string and send it to the CA via email.

5. When you receive the certificate from the CA, click Browse to import the certificate.

6. (Optional) In the CRL tab, configure the following.

Certificate Revocation List

Check    l No Check - The system does not check the CRL. This is the default option.

l Optional - The system accepts the peer's certificate whether or not a CRL is available.

l Force - The system only accepts the peer's certificate when a CRL is available.

URL 1-3    The URL addresses for retrieving the CRL. At most 3 URLs are allowed, and their priority is from 1 to 3.

l Select http:// if you want to get the CRL via HTTP.

l Select ldap:// if you want to get the CRL via LDAP.

l If you use LDAP to retrieve the CRL, you need to enter the login-DN of the LDAP server and the password. If no login-DN or password is added, the transmission will be anonymous.

Auto Update    Update frequency of the CRL.

Manually Update    Get the CRL immediately by clicking Obtain CRL.

7. Click OK.
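The three Check settings applied to a peer certificate, with the CRL fetched from URL 1-3 in priority order, as an added example that is not Hillstone code. Certificates and CRLs are constructed records rather than parsed X.509, and the issuer names, serials and URLs are this example's own.

```python
"""CRL check modes of a trust domain (added example, not Hillstone code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Certificate:
    issuer: str
    serial: int


@dataclass(frozen=True)
class Crl:
    issuer: str
    revoked_serials: frozenset
    next_update: datetime  # past this the CRL is stale until Auto Update refreshes it


def fetch_crl(urls: Sequence[str], fetch: Callable[[str], Crl]) -> Optional[Crl]:
    """Try URL 1, 2, 3 in priority order; the first reachable one wins."""
    for url in urls:
        try:
            return fetch(url)
        except OSError:
            continue  # unreachable: fall through to the next priority
    return None


def check_peer_certificate(cert: Certificate, mode: str, crl: Optional[Crl],
                           now: datetime) -> Tuple[bool, str]:
    """Return (accept, reason) following the trust domain's Check setting."""
    if mode not in ("No Check", "Optional", "Force"):
        raise ValueError(f"unknown CRL check mode {mode!r}")
    if mode == "No Check":
        return True, "CRL not consulted"  # a revoked certificate is still accepted
    usable = crl is not None and crl.issuer == cert.issuer and now <= crl.next_update
    if not usable:
        if mode == "Optional":
            return True, "no usable CRL, accepted because Check is Optional"
        return False, "no usable CRL, rejected because Check is Force"
    if cert.serial in crl.revoked_serials:
        return False, f"serial {cert.serial:#x} is listed on the CRL"
    return True, "certificate is not listed on the CRL"


# Constructed sample: URL 1 is down, URL 2 serves the CRL.
SAMPLE_NOW = datetime(2022, 9, 16, tzinfo=timezone.utc)
SAMPLE_CRL = Crl("CN=Example Root CA", frozenset({0x1234}),
                 SAMPLE_NOW + timedelta(days=7))
SAMPLE_URLS = ("http://crl1.example.invalid/ca.crl", "http://crl2.example.invalid/ca.crl")


def sample_fetch(url: str) -> Crl:
    if url == SAMPLE_URLS[1]:
        return SAMPLE_CRL
    raise OSError("unreachable")
```

Note that with Optional an unreachable CRL server silently turns revocation checking off; Force is the setting that fails closed.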

Importing/Exporting Trust Domain


To simplify configuration, you can export certificates (CA or local) and the private key (in PKCS12 format) to a computer and import them to another device.
To export a PKI trust domain, take the following steps:

1. Select System > PKI > Trust Domain Certificate.

2. Select a domain from the drop-down menu.

3. Select the radio button of the item you want to export, and click Export.
If you choose PKCS, you need to set a password.

4. Click OK, and select a storage path to save the item.

To import the saved trust domain to another device, take the following steps:

1. Log in to the other device, and select System > PKI > Trust Domain Certificate.

2. Select a domain from the drop-down menu.

3. Select the radio button of the item you want to import, and click Import.
If you choose PKCS, you need to enter the password that was set when it was exported.

4. Click Browse and find the file to import.

5. Click OK. The domain file is imported.

Importing Trust Certification


The system will not scan a PE file whose certificate is trusted. To import the trusted certificates of
PE files, take the following steps:

Online Users
To view the online authenticated users, take the following steps:

1. Select Network > WebAuth > Online Users.

2. The page will show all online users. You can set up filters to view results that match your
conditions.

l User Name: Displays the name of online users.

l IP/MAC: Displays the IP or MAC address of online users.

l Interface: Displays the authentication interface of online users.

l Online Time: Displays the online time of online users.

l Authentication Type: Displays the authentication type of online users.

l Operation: Displays the executable operation of online users.

Chapter 8 VPN
System supports the following VPN functions:

l "IPSec VPN" on Page 401: IPSec is a security framework defined by the Internet Engineering
Task Force (IETF) for securing IP communications. It is a Layer 3 virtual private network
(VPN) technology that transmits data in a secure tunnel established between two endpoints.

l "SSL VPN" on Page 445: SSL provides secure connection services for TCP-based application
layer protocols by using data encryption, identity authentication, and integrity authentication
mechanisms.

l "L2TP VPN" on Page 541: L2TP is one protocol for VPDN tunneling. VPDN technology
uses a tunneling protocol to build secure VPNs for enterprises across public networks. Branch
offices and traveling staff can remotely access the headquarters’ Intranet resources through a
virtual tunnel over public networks.

IPSec VPN
IPSec is a widely used protocol suite for establishing a VPN tunnel. IPSec is not a single protocol, but a suite of protocols for securing IP communications. It includes Authentication Header (AH), Encapsulating Security Payload (ESP), Internet Key Exchange (IKE), and a set of authentication methods and encryption algorithms. The IPSec protocol defines how to choose the security protocols and algorithms, as well as the method for exchanging security keys among communicating peers, and it offers upper-layer protocols network security services including access control, data source authentication and data encryption.

Basic Concepts

l Security association

l Encapsulation modes

l Establishing SA

l Using IPSec VPN

Security Association (SA)

IPSec provides encrypted communication between two peers, which are known as IPSec ISAKMP gateways. The Security Association (SA) is the basis and essence of IPSec. An SA defines the parameters agreed between the communicating peers, such as the protocols, operational modes, encryption algorithms (DES, 3DES, AES-128, AES-192 and AES-256), the shared keys that protect the data of a particular flow, and the lifetime of the SA.
An SA protects the data flow in one direction only. Therefore, in a bi-directional communication between two peers, you need at least two security associations to protect the data flow in both directions.

Encapsulation Modes

IPSec supports the following IP packet encapsulation modes:

l Tunnel mode - IPSec protects the entire IP packet, including both the IP header and the
payload. It uses the entire IP packet to calculate an AH or ESP header, and then encap-
sulates the original IP packet and the AH or ESP header with a new IP header. If you use
ESP, an ESP trailer will also be encapsulated. Tunnel mode is typically used for protecting
gateway-to-gateway communications.

l Transport mode - IPSec only protects the IP payload. It only uses the IP payload to cal-
culate the AH or ESP header, and inserts the calculated header between the original IP
header and payload. If you use ESP, an ESP trailer is also encapsulated. The transport mode
is typically used for protecting host-to-host or host-to-gateway communications.

Establishing SA

There are two ways to establish SA: manual and IKE auto negotiation (ISAKMP).

l Manually configuring an SA is complicated, as all the information must be configured by yourself and some advanced features of IPSec are not supported (e.g. timed refreshing), but the advantage is that a manually configured SA can fulfill IPSec features independently without relying on IKE. This method applies to a situation with a small number of devices or an environment of static IP addresses.

l The IKE auto negotiation method is comparatively simple. You only need to configure the information for IKE negotiation and leave the remaining work of creating and maintaining the SA to the IKE auto negotiation function. This method is for medium and large dynamic networks. Establishing an SA by IKE auto negotiation consists of two phases. Phase 1 negotiates and creates a communication channel (ISAKMP SA) and authenticates the channel to provide confidentiality, data integrity and data source authentication services for further IKE communication; Phase 2 creates the IPSec SA using the established ISAKMP SA. Establishing the SA in two phases speeds up key exchange.

Using IPSec VPN

To apply VPN tunnel feature in the device, you can use policy-based VPN or route-based VPN.

l Policy-based VPN - Applies the configured VPN tunnel to a policy so that the data flow
which conforms to the policy settings can pass through the VPN tunnel.

l Route-based VPN - Binds the configured VPN tunnel to a tunnel interface and defines the tunnel interface as the next hop of a static route.

Configuring an IPSec VPN
The IKE auto negotiation method is comparatively simple. You only need to configure the information for IKE negotiation and leave the remaining work of creating and maintaining the SA to the IKE auto negotiation function. This method is for medium and large dynamic networks. Establishing an SA by IKE auto negotiation consists of two phases. Phase 1 negotiates and creates a communication channel (ISAKMP SA) and authenticates the channel to provide confidentiality, data integrity and data source authentication services for further IKE communication; Phase 2 creates the IPSec SA using the established ISAKMP SA. Establishing the SA in two phases speeds up key exchange.
To configure an IPSec VPN, you need to confirm the Phase 1 proposal, the Phase 2 proposal, and the VPN peer. After confirming these three items, you can proceed with the configuration of the IKE VPN settings.

Configuring an IPSec VPN

To configure IPSec VPN, take the following steps:

1. Select Network > VPN > IPSec VPN.

2. In the IPSec VPN tab, click New.

In the Peer Name tab, configure the corresponding options.


Peer
Peer Name Specifies the name of the ISAKMP gateway. To create
an ISAKMP gateway, click . For detailed information,
refer to Configuring a VPN Peer.

In the Tunnel tab, configure the corresponding options.


Tunnel
Name Type a name for the tunnel.
Mode Specifies the mode, including tunnel mode and transport
mode.
P2 Proposal    Specifies the P2 proposal for the tunnel. To create a P2 proposal, click . For detailed information, refer to Configuring a Phase 2 Proposal.
Proxy ID    Users need to specify the IKE phase 2 ID to distribute and limit IPSec VPN traffic. A phase 2 ID consists of a local network segment, a remote network segment, and the service. During the configuration, you need to configure phase 2 IDs on both the local and remote devices. Then, the local and remote devices negotiate to create an IKE IPSec tunnel. You can specify one or more phase 2 IDs to create one or more IKE IPSec tunnels. The system distributes and limits tunnel traffic according to the phase 2 ID of each tunnel.
If you do not need to distribute or limit IPSec VPN traffic, you do not need to configure this parameter. For details about how to enable the IPSec VPN traffic distribution and limitation function, see Check ID.
Specifies the Phase 2 ID for the tunnel, which can be Auto or Manual.

l Auto - The Phase 2 ID is automatically designated.

l Manual - The Phase 2 ID is manually designated. Manual configuration of the P2 ID includes the following options:

l Local IP/Netmask - Specifies the IP/mask of the local network segment in phase 2.

l Remote IP/Netmask - Specifies the IP/mask of the remote network segment (peer device) in phase 2.

l Service - Specifies the service or protocol name of the traffic that can be transmitted by IKE IPSec tunnels in phase 2.

Note: By default, the Phase 2 IDs of the local and peer devices need to be configured to match each other. If the IDs configured on the two devices do not match, the negotiation will fail. In this case, if you enable the Accepting All Proxy ID function on the responder's device, the negotiation succeeds. For details about how to enable the Accepting All Proxy ID function, see Accepting All Proxy ID.

3. If necessary, click the Advanced Configuration tab to configure some advanced options.

In the Advanced Configuration tab, configure the corresponding options.


Advanced
DNS1/2/3/4    Specifies the IP address of the DNS server allocated to the client by the PnPVPN server. You can define one primary DNS server and three backup DNS servers.
WINS1/2    Specifies the IP address of the WINS server allocated to the client by the PnPVPN server. You can define one primary WINS server and one backup WINS server.
Enable Idle Time    Select the Enable check box to enable the idle time function. By default, this function is disabled. The idle time is the longest time the tunnel can exist without traffic passing through it. When the time is over, the SA will be cleared.
DF-Bit    Select the check box to allow the forwarding device to execute IP packet fragmentation. The options are:

l Copy - Copies the IP packet DF option from the sender directly. This is the default value.

l Clear - Allows the device to execute packet fragmentation.

l Set - Disallows the device from executing packet fragmentation.

Anti-Replay    Anti-replay is used to prevent attackers from attacking the device by resending sniffed packets, i.e., the receiver rejects obsolete or repeated packets. By default, this function is disabled.

l Disable - Disables this function.

l 32 - Specifies the anti-replay window as 32.

l 64 - Specifies the anti-replay window as 64.

l 128 - Specifies the anti-replay window as 128.

l 256 - Specifies the anti-replay window as 256.

l 512 - Specifies the anti-replay window as 512.

Commit Bit    Select the Enable check box to make the corresponding party configure the commit bit function, which can avoid packet loss and time difference. However, the commit bit may slow the response speed.
Accept-all-proxy-ID    This function needs to be configured on the responder device of the IKE tunnel negotiation. After it is enabled, the responder device will accept the phase 2 ID configured by the peer (the negotiation initiator) and set its own phase 2 ID according to the peer. In this way, the two ends of the IKE tunnel can successfully negotiate. This function is often used in scenarios where the responder device cannot perceive or is not interested in the initiator's Phase 2 ID.
Note: When multiple Phase 2 IDs are configured on the responder device (that is, multiple IKE tunnels are configured), you need to disable this function. Otherwise, only one tunnel can be negotiated.
Check ID    Select the Enable check box to enable the check ID function (distribute or limit the IPsec VPN traffic). By default, this function is disabled. Before configuring, ensure that the phase 2 ID has been configured and the phase 2 negotiation has succeeded. After this function is enabled, the device filters the inbound and outbound traffic of the IKE tunnel according to the phase 2 ID and then distributes and limits the inbound and outbound traffic. Traffic that does not match any phase 2 ID is discarded. Details are as follows:

l Distribution: Based on the configuration of Phase 2 IDs, the traffic distribution function distributes the traffic at the IKE tunnel ingress interface when the traffic flows into the IKE tunnel. If the source IP address, destination IP address and type of the traffic match the configuration of a certain Phase 2 ID, this traffic flows into the corresponding IKE tunnel for encapsulation and sending. If the traffic does not match any Phase 2 ID, it is dropped.

l Limitation: Based on the configuration of Phase 2 IDs, the traffic limitation function limits the traffic at the IKE tunnel egress interface when the traffic flows out of the IKE tunnel. After the traffic is de-encapsulated, StoneOS checks the source IP address, destination IP address and type of the traffic to see whether the traffic matches a certain Phase 2 ID. If matched, the traffic is processed; if not matched, the traffic is dropped.
Auto Connect    Select the Enable check box to enable the auto connection function. By default, this function is disabled. The device has two methods of establishing an SA: auto mode and traffic-triggered mode. In auto mode, the device checks the SA status every 60 seconds and initiates a negotiation request when the SA is not established; in traffic-triggered mode, the tunnel sends a negotiation request only when there is traffic passing through the tunnel. By default, traffic-triggered mode is enabled. Note: Auto connection works only when the peer IP is static and the local device is the initiator.
Tunnel Route    This item can be modified only after this IKE VPN is created. Click Choose to add one or more tunnel routes in the Tunnel Route Configuration dialog box that appears. You can add up to 128 tunnel routes.
Description    Type the description for the tunnel.
Tunnel State Notify    Select the Enable check box to enable the tunnel state notification function. With this function enabled, for route-based VPN, the system informs the routing module about the disconnected VPN tunnel and updates the tunnel route once any VPN tunnel disconnection is detected; for policy-based VPN, the system informs the policy module about the disconnected VPN tunnel and updates the tunnel policy once any VPN tunnel disconnection is detected.
VPN Track    Select the Enable check box to enable the VPN track function. The device can monitor the connectivity status of the specified VPN tunnel, and also allows backup or load sharing between two or more VPN tunnels. This function is applicable to both route-based and policy-based VPNs. The options are:

l Track Interval - Specifies the interval for sending Ping packets. The unit is seconds.

l Threshold - Specifies the threshold for determining track failure. If the system does not receive the specified number of continuous response packets, it identifies the track as failed, i.e., the target tunnel is disconnected.

l Src Address - Specifies the source IP address that sends the Ping packets.

l Dst Address - Specifies the IP address of the tracked object.

4. Click OK to save the settings.
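How the Phase 2 IDs (Proxy IDs) drive the Check ID distribution and limitation described above, and what Accept-all-proxy-ID changes on the responder, as an added example that is not Hillstone code. The tunnel names, networks and the "proto/port" service notation are this example's own, and it assumes that tunnels without Check ID are simply not candidates for distribution.

```python
"""Phase 2 ID matching for Check ID and Accept-all-proxy-ID (added example, not
Hillstone code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Phase2Id:
    local: ipaddress.IPv4Network    # Local IP/Netmask
    remote: ipaddress.IPv4Network   # Remote IP/Netmask
    service: str                    # "any" or "proto/port", e.g. "tcp/443"


@dataclass
class Tunnel:
    name: str
    phase2_ids: Sequence[Phase2Id]
    check_id: bool = False          # the Check ID option of the tunnel


def p2id(local: str, remote: str, service: str = "any") -> Phase2Id:
    return Phase2Id(ipaddress.ip_network(local), ipaddress.ip_network(remote), service)


def _service_ok(configured: str, actual: str) -> bool:
    return configured == "any" or configured == actual


def distribute(tunnels: Sequence[Tunnel], src: str, dst: str, service: str) -> Optional[str]:
    """Ingress: choose the tunnel whose Phase 2 ID matches src -> dst.
    None means the packet matches no Phase 2 ID and is dropped."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for t in tunnels:
        if not t.check_id:
            continue  # assumption: tunnels without Check ID are steered by policy/route
        for pid in t.phase2_ids:
            if s in pid.local and d in pid.remote and _service_ok(pid.service, service):
                return t.name
    return None


def limit(tunnel: Tunnel, src: str, dst: str, service: str) -> bool:
    """Egress: after de-encapsulation, keep a packet only if it matches one of the
    tunnel's Phase 2 IDs in the inbound direction (remote -> local)."""
    if not tunnel.check_id:
        return True  # Check ID disabled: nothing is filtered here
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in pid.remote and d in pid.local and _service_ok(pid.service, service)
               for pid in tunnel.phase2_ids)


def negotiate_phase2(responder_ids: Sequence[Phase2Id], initiator_id: Phase2Id,
                     accept_all_proxy_id: bool) -> Optional[Phase2Id]:
    """Responder view of Phase 2: the initiator's ID must equal one of ours with the
    local/remote sides swapped, unless Accept-all-proxy-ID makes us adopt it."""
    mirrored = Phase2Id(initiator_id.remote, initiator_id.local, initiator_id.service)
    if mirrored in responder_ids:
        return mirrored
    if accept_all_proxy_id:
        return mirrored  # responder sets its Phase 2 ID according to the initiator
    return None          # mismatch: the negotiation fails
```

With Accept-all-proxy-ID the responder trusts the initiator's view of which networks the tunnel carries, which is why the note above says to disable it when more than one Phase 2 ID is configured.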

Configuring a VPN Peer

To configure a VPN peer, take the following steps:

1. Select Network > VPN > IPSec VPN.

2. In the IPSec VPN tab, click New.

3. In the IPSec VPN Configuration page, select Peer Name drop-down list and click .

In the VPN Peer Configuration dialog box, configure the corresponding options.
Basic Configuration
Name    Specifies the name of the ISAKMP gateway.
Interface    Specifies the interface bound to the ISAKMP gateway.
Interface Type    Select the interface type, either IPv4 or IPv6. Only IPv6 firmware supports configuring an IPv6 type interface.
Protocol Standard    Specifies the protocol standard, either IKEv1 or GUOMI. The default protocol standard is IKEv1. If you select GUOMI, specify the version:

l v1.0: the version is 1.0.

l v1.1: the version is 1.1.

l Default: the initiator can negotiate with the peer when the initiator version is v1.0 or v1.1.
Note: If you specify the version as 1.0 or 1.1, the versions of the two peers that negotiate with each other must be the same, or the negotiation will fail.
Mode    Specifies the mode of IKE negotiation. There are two IKE negotiation modes: Main and Aggressive. Main mode is the default mode. Aggressive mode cannot protect the identity. You have no choice but to use aggressive mode when the IP address of the center device is static and the IP address of the client device is dynamic.
Type    Specifies the type of the peer IP. If the peer IP is static, type the IP address into the Peer IP box; if the peer IP type is user group, select the AAA server you need from the AAA Server drop-down list.
Local ID    Specifies the local ID. The system supports five types of ID: FQDN, U-FQDN, Asn1dn (only for license), KEY-ID and IP. Select the ID type you want, and then type the content for this ID into the Local ID box or the Local IP box.
Peer ID    Specifies the peer ID. The system supports five types of ID: FQDN, U-FQDN, Asn1dn (only for license), KEY-ID and IP. Select the ID type you want, and then type the content for this ID into the Peer ID box or the Peer IP box.
Proposal1/2/3/4    Specifies a P1 proposal for the ISAKMP gateway. Select the suitable P1 proposal from the Proposal1 drop-down list. You can define up to four P1 proposals for an ISAKMP gateway. To create a P1 proposal, click . For detailed information, refer to Configuring a Phase 1 Proposal.
Pre-shared Key    If you choose to use a pre-shared key to authenticate, type the key into the box.
Self-signed Trust Domain    If you choose to use RSA signature or DSA signature, select a trust domain.
Peer Trust Domain    Configure the trust domain of the peer certificate. The peer certificate is used for data encryption and authentication in the negotiation. The initiator should import the peer certificate first. Only GUOMI v1.0 supports this option.
Encryption Trust Domain    Configure the trust domain of the encryption certificate. The encryption certificate is used for data encryption in the negotiation. Only GUOMI v1.1 supports this option.

4. If necessary, click the Advanced Configuration tab to configure some advanced options.

In the Advanced Configuration tab, configure the corresponding options.


Advanced Configuration

Connection Type: Specifies the connection type for the ISAKMP gateway.

l Bidirectional - Specifies that the ISAKMP gateway serves as both the initiator and the responder. This is the default value.

l Initiator - Specifies that the ISAKMP gateway serves as the initiator only.

l Responder - Specifies that the ISAKMP gateway serves as the responder only.

NAT Traversal: This option must be enabled when there is a NAT device in the path of the IPSec or IKE tunnel and that device performs NAT. By default, this function is disabled.

Any Peer ID: Makes the ISAKMP gateway accept any peer ID without checking the peer IDs.

Generate Route: Select the Enable check box to enable the auto routing function. By default, this function is disabled. This function allows the device to automatically add the routing entries from the center device to the branch, avoiding the problems caused by manually configured routing.

DPD: Select the Enable check box to enable the DPD (Dead Peer Detection) function. By default, this function is disabled. After the DPD function is enabled, the system periodically sends DPD requests to the peer at the specified interval to detect whether the peer ISAKMP gateway still exists.

l DPD Interval - The interval for sending DPD requests to the peer. The value range is 1 to 10 seconds. The default value is 10 seconds.

l DPD Retries - The number of times a DPD request is sent to the peer. The device keeps sending discovery requests to the peer until it reaches the specified number of DPD retries. If the device does not receive a response from the peer after the retry times, it determines that the peer ISAKMP gateway is down. The value range is 1 to 10 times. The default value is 3.

Description: Type the description for the ISAKMP gateway.

XAUTH Server: Select Enable to enable the XAUTH server on the device. Then select an address pool from the drop-down list. After enabling the XAUTH server, the device can verify the users that try to access the IPSec VPN network by integrating with the configured AAA server.
You can select a configured IPSec-XAUTH address pool from the drop-down list. It is optional. When a client successfully connects to the XAUTH server, the server takes an IP address from the address pool together with other parameters (like the DNS server address or WINS server address) and assigns them to the client. For more information about the IPSec-XAUTH address pool, see "VPN > IPsec Protocol > Configuring an IPsec VPN > XAUTH".

5. Click OK to save the settings.

Editing a VPN Peer

To edit a VPN peer, take the following steps:

1. Select Network > VPN > IPSec VPN.

2. In the IPSec VPN tab, click New.

3. In the IPSec VPN Configuration page, select the Peer Name drop-down list and click .

Deleting a VPN Peer

To delete a VPN peer, take the following steps:

1. Select Network > VPN > IPSec VPN.

2. In the IPSec VPN tab, click New.

3. In the IPSec VPN Configuration page, select the Peer Name drop-down list and click .

Copying a VPN Peer

You can quickly create a VPN peer by copying an existing one.


To copy a VPN peer, take the following steps:

1. Select Network > VPN > IPSec VPN.

2. In the IPSec VPN tab, click New.

3. In the IPSec VPN Configuration page, select the Peer Name drop-down list. Select the peer that you want to copy and click . In the VPN Peer Configuration page, configure the parameters as required. The name of the peer cannot be the same as an existing one.

4. Click OK.

Configuring a Phase 1 Proposal

The P1 proposal is used to negotiate the IKE SA. To configure a P1 proposal, take the following
steps:

1. In the IPSec VPN Configuration page, select the Peer Name drop-down list and click .

2. In the VPN Peer Configuration page, select the Proposal 1 drop-down list and click .

In the Phase1 Proposal Configuration page, configure the corresponding options.


Proposal Name: Specifies the name of the Phase1 proposal.

Authentication: Specifies the IKE identity authentication method. IKE identity authentication is used to verify the identities of both communication parties. The methods for authenticating identity are pre-shared key, RSA signature, DSA signature and GM-DE. The default value is pre-shared key. For the pre-shared key method, the key is used to generate a secret key, and the keys of both parties must be the same so that they generate the same secret keys.

Hash: Specifies the authentication algorithm for Phase1. Select the algorithm you want to use.

l MD5 – Uses MD5 as the authentication algorithm. Its hash value is 128-bit.

l SHA – Uses SHA as the authentication algorithm. Its hash value is 160-bit. This is the default hash algorithm.

l SHA-256 – Uses SHA-256 as the authentication algorithm. Its hash value is 256-bit.

l SHA-384 – Uses SHA-384 as the authentication algorithm. Its hash value is 384-bit.

l SHA-512 – Uses SHA-512 as the authentication algorithm. Its hash value is 512-bit.

l SM3 – Uses the state cryptographic algorithm SM3 as the authentication algorithm. Its hash value is 256-bit. It is used for digital signature and verification, the generation and verification of message authentication codes, and the generation of random numbers, which can meet the security requirements of multiple cryptographic applications.

Encryption: Specifies the encryption algorithm for Phase1.

l 3DES - Uses 3DES as the encryption algorithm. The key length is 192-bit. This is the default encryption algorithm.

l DES – Uses DES as the encryption algorithm. The key length is 64-bit.

l AES – Uses AES as the encryption algorithm. The key length is 128-bit.

l AES-192 – Uses 192-bit AES as the encryption algorithm. The key length is 192-bit.

l AES-256 – Uses 256-bit AES as the encryption algorithm. The key length is 256-bit.

l SM4 – Uses the state cryptographic algorithm SM4 as the encryption algorithm. The key length is 128-bit.

DH Group: Specifies the DH group for the Phase1 proposal.

l Group1 – Uses Group1 as the DH group. The key length is 768-bit (MODP Group).

l Group2 – Uses Group2 as the DH group. The key length is 1024-bit (MODP Group). Group2 is the default value.

l Group5 – Uses Group5 as the DH group. The key length is 1536-bit (MODP Group).

l Group14 – Uses Group14 as the DH group. The key length is 2048-bit (MODP Group).

l Group15 – Uses Group15 as the DH group. The key length is 3072-bit (MODP Group).

l Group16 – Uses Group16 as the DH group. The key length is 4096-bit (MODP Group).

l Group19 - Uses Group 19 as the DH group. The key length is 256 bits (ECP Group).

l Group20 - Uses Group 20 as the DH group. The key length is 384 bits (ECP Group).

l Group21 - Uses Group 21 as the DH group. The key length is 521 bits (ECP Group).

l Group24 - Uses Group 24 as the DH group. The key length is 2048 bits (MODP Group with 256-bit Prime Order Subgroup).

Lifetime: Specifies the lifetime of the Phase1 SA. The value range is 300 to 86400 seconds. The default value is 86400. Type the lifetime value into the Lifetime box. When the SA lifetime runs out, the device sends a P1 SA delete message to its peer, notifying it that the P1 SA has expired and a new SA negotiation is required.

3. Click OK to save the settings.

Configuring a Phase 2 Proposal

The P2 proposal is used to negotiate the IPSec SA. To configure a P2 proposal, take the following steps:

1. Select Network > VPN > IPSec VPN.

2. In the IPSec VPN tab, click New.

3. In the IPSec VPN Configuration page, select the P2 Proposal drop-down list and click .

In the Phase2 Proposal Configuration dialog box, configure the corresponding options.

Proposal Name: Specifies the name of the Phase2 proposal.

Protocol: Specifies the protocol type for Phase2. The options are ESP and AH. The default value is ESP.

Hash: Specifies the authentication algorithm for Phase2. Select the algorithm you want to use.

l MD5 – Uses MD5 as the authentication algorithm. Its hash value is 128-bit.

l SHA – Uses SHA as the authentication algorithm. Its hash value is 160-bit. This is the default hash algorithm.

l SHA-256 – Uses SHA-256 as the authentication algorithm. Its hash value is 256-bit.

l SHA-384 – Uses SHA-384 as the authentication algorithm. Its hash value is 384-bit.

l SHA-512 – Uses SHA-512 as the authentication algorithm. Its hash value is 512-bit.

l SM3 – Uses the state cryptographic algorithm SM3 as the authentication algorithm. Its hash value is 256-bit. It is used for digital signature and verification, the generation and verification of message authentication codes, and the generation of random numbers, which can meet the security requirements of multiple cryptographic applications.

l Null – No authentication.

Encryption: Specifies the encryption algorithm for Phase2.

l 3DES - Uses 3DES as the encryption algorithm. The key length is 192-bit. This is the default encryption algorithm.

l DES – Uses DES as the encryption algorithm. The key length is 64-bit.

l AES – Uses AES as the encryption algorithm. The key length is 128-bit.

l AES-192 – Uses 192-bit AES as the encryption algorithm. The key length is 192-bit.

l AES-256 – Uses 256-bit AES as the encryption algorithm. The key length is 256-bit.

l SM4 – Uses the state cryptographic algorithm SM4 as the encryption algorithm. The key length is 128-bit.

l Null – No encryption.

Compression: Specifies the compression algorithm for Phase2. By default, no compression algorithm is used.

PFS Group: Specifies the PFS (Perfect Forward Secrecy) group for Phase2. PFS protects the Phase2 keys with a fresh DH exchange in the selected group.

l No PFS - Disables PFS. This is the default value.

l Group1 – Uses Group1 as the DH group. The key length is 768-bit (MODP Group).

l Group2 – Uses Group2 as the DH group. The key length is 1024-bit (MODP Group).

l Group5 – Uses Group5 as the DH group. The key length is 1536-bit (MODP Group).

l Group14 – Uses Group14 as the DH group. The key length is 2048-bit (MODP Group).

l Group15 – Uses Group15 as the DH group. The key length is 3072-bit (MODP Group).

l Group16 – Uses Group16 as the DH group. The key length is 4096-bit (MODP Group).

l Group19 - Uses Group 19 as the DH group. The key length is 256 bits (ECP Group).

l Group20 - Uses Group 20 as the DH group. The key length is 384 bits (ECP Group).

l Group21 - Uses Group 21 as the DH group. The key length is 521 bits (ECP Group).

l Group24 - Uses Group 24 as the DH group. The key length is 2048 bits (MODP Group with 256-bit Prime Order Subgroup).

Lifetime: The lifetime can be measured by two standards: time length and traffic volume. Type the time-based lifetime of the P2 proposal into the box. The value range is 180 to 86400 seconds. The default value is 28800.

Lifesize: Select Enable to enable the traffic-based lifetime of the P2 proposal. By default, this function is disabled. After selecting Enable, specify the traffic volume of the lifetime. The value range is 1800 to 4194303 KB. The default value is 1800. Type the traffic volume value into the box.

4. Click OK to save the settings.

Editing an IPSec VPN

To edit an IPSec VPN, take the following steps:

1. Select Network > VPN > IPSec VPN.

2. Select the IPSec VPN entries to be edited in the IPSec VPN list. Click Edit and modify the
configurations in the IPSec VPN Configuration page.

Deleting an IPSec VPN

To delete an IPSec VPN, take the following steps:

1. Select Network > VPN > IPSec VPN.

2. In the IPSec VPN Configuration tab, select the IPSec VPN you want to delete from the
IPSec VPN list.

3. Click Delete.

Enabling or Disabling an IPSec VPN

To enable or disable an IPSec VPN, take the following steps:

1. Select Network > VPN > IPSec VPN.

2. In the IPSec VPN Configuration tab, select one or more IPSec VPN from the IPSec VPN
list.

3. Click Enable or Disable. The enabled status is displayed as .

Copying an IPSec VPN

You can quickly create an IPSec VPN by copying an existing one.


To copy an IPSec VPN, take the following steps:

1. Select Network > VPN > IPSec VPN.

2. In the IPSec VPN Configuration tab, select the IPSec VPN that you want to copy and click
Copy. In the IPSec VPN Configuration page, configure the parameters as required. The
name of the tunnel cannot be the same as an existing one.

3. Click OK.

Viewing IPSec VPN Entry

To view the IPSec VPN entries that match a specified filter condition, take the following steps:

1. Select Network > VPN > IPSec VPN.

2. In the IPSec VPN Configuration tab, enter the name of the IPSec VPN entry or the peer name in the text boxes at the top of the toolbar to view the IPSec VPN entries under the specified conditions.

Configuring a Manual Key VPN
Manually configuring an SA is complicated, as all the information must be configured by yourself and some advanced features of IPSec are not supported (e.g. timed refreshing), but the advantage is that a manually configured SA can independently fulfill IPSec features without relying on IKE. This method applies to situations with a small number of devices or environments with static IP addresses.
To create a manual key VPN, take the following steps:

1. Select Network > VPN > IPSec VPN.

2. In the Manual Key VPN Configuration section, click New.

In the Manual Key VPN Configuration dialog box, configure the corresponding options.

Basic Configuration

Tunnel Name: Specifies the name of the manual key VPN.

Mode: Specifies the mode, Tunnel or Transport. Tunnel mode is the default mode.

Peer IP: Specifies the IP address of the peer.

Local SPI: Type the local SPI value. The SPI is a 32-bit value transmitted in the AH and ESP header, which uniquely identifies a security association. The SPI is used to look up the corresponding VPN tunnel for decryption.

Remote SPI: Type the remote SPI value. Note: When configuring an SA, you should configure the parameters of both the inbound and the outbound direction. Furthermore, the SA parameters of the two ends of the tunnel must match exactly. The local inbound SPI should be the same as the outbound SPI of the other end; the local outbound SPI should be the same as the inbound SPI of the other end.

Interface: Specifies the egress interface for the manual key VPN. Select the interface you want from the Interface drop-down list.

Interface Type: Select the interface type, IPv4 or IPv6. Only the IPv6 firmware supports configuring an IPv6 type interface.

Encryption

Protocol: Specifies the protocol type. The options are ESP and AH. The default value is ESP.

Encryption: Specifies the encryption algorithm.

l None – No encryption.

l 3DES – Uses 3DES as the encryption algorithm. The key length is 192-bit. This is the default encryption algorithm.

l DES – Uses DES as the encryption algorithm. The key length is 64-bit.

l AES – Uses AES as the encryption algorithm. The key length is 128-bit.

l AES-192 – Uses 192-bit AES as the encryption algorithm. The key length is 192-bit.

l AES-256 – Uses 256-bit AES as the encryption algorithm. The key length is 256-bit.

Inbound Encryption Key: Type the encryption key of the inbound direction. You should configure the keys of both ends of the tunnel. The local inbound encryption key should be the same as the peer's outbound encryption key, and the local outbound encryption key should be the same as the peer's inbound encryption key.

Outbound Encryption Key: Type the encryption key of the outbound direction.

Hash: Specifies the authentication algorithm. Select the algorithm you want to use.

l None – No authentication.

l MD5 – Uses MD5 as the authentication algorithm. Its hash value is 128-bit.

l SHA-1 – Uses SHA-1 as the authentication algorithm. Its hash value is 160-bit. This is the default hash algorithm.

l SHA-256 – Uses SHA-256 as the authentication algorithm. Its hash value is 256-bit.

l SHA-384 – Uses SHA-384 as the authentication algorithm. Its hash value is 384-bit.

l SHA-512 – Uses SHA-512 as the authentication algorithm. Its hash value is 512-bit.

Inbound Hash Key: Type the hash key of the inbound direction. You should configure the keys of both ends of the tunnel. The local inbound hash key should be the same as the peer's outbound hash key, and the local outbound hash key should be the same as the peer's inbound hash key.

Outbound Hash Key: Type the hash key of the outbound direction.

Compression: Select a compression algorithm. By default, no compression algorithm is used.

Description

Description: Type the description for the manual key VPN.

3. Click OK to save the settings.
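The SPI and key matching rules from the table above, worked as an added Python check (not StoneOS code): each end's Local SPI is its inbound SPI and must equal the peer's Remote SPI, inbound keys must equal the peer's outbound keys, and key sizes must fit the chosen algorithms. The hash key sizes it uses (HMAC key equal to the hash output size) are an assumption the guide does not state, and every SPI and key value is constructed.

```python
"""Consistency check for a manually keyed IPsec SA pair (added example).

Rules applied, from the Manual Key VPN table: Local SPI = this end's inbound SPI,
Remote SPI = its outbound SPI; the local inbound SPI/keys must equal the peer's
outbound SPI/keys and vice versa; key sizes must match the selected algorithms.
Hash key sizes are assumed to equal the hash output size (not stated in the guide).
"""
from dataclasses import dataclass, replace

# Encryption key sizes in bytes, from the key lengths listed in the guide.
ENC_KEY_BYTES = {"None": 0, "DES": 8, "3DES": 24, "AES": 16,
                 "AES-192": 24, "AES-256": 32}
# Assumed HMAC key sizes (hash output size); the guide lists only hash sizes.
HASH_KEY_BYTES = {"None": 0, "MD5": 16, "SHA-1": 20, "SHA-256": 32,
                  "SHA-384": 48, "SHA-512": 64}


@dataclass(frozen=True)
class ManualKeyEnd:
    """Manual key settings of one tunnel end, mirroring the WebUI fields."""
    name: str
    protocol: str        # "ESP" or "AH"
    encryption: str      # key of ENC_KEY_BYTES
    hash_alg: str        # key of HASH_KEY_BYTES
    local_spi: int       # inbound SPI of this end
    remote_spi: int      # outbound SPI of this end
    in_enc_key: bytes
    out_enc_key: bytes
    in_hash_key: bytes
    out_hash_key: bytes


def check_end(end: ManualKeyEnd) -> list:
    """Problems local to one end: SPI size, protocol/algorithm fit, key sizes."""
    problems = []
    for label, spi in (("local", end.local_spi), ("remote", end.remote_spi)):
        if not 0 <= spi <= 0xFFFFFFFF:
            problems.append(f"{end.name}: {label} SPI {spi} is not a 32-bit value")
    if end.protocol == "AH" and end.encryption != "None":
        problems.append(f"{end.name}: AH provides no encryption, set Encryption to None")
    if end.protocol == "ESP" and end.encryption == "None" and end.hash_alg == "None":
        problems.append(f"{end.name}: ESP needs encryption, authentication or both")
    want = ENC_KEY_BYTES[end.encryption]
    for label, key in (("inbound", end.in_enc_key), ("outbound", end.out_enc_key)):
        if len(key) != want:
            problems.append(f"{end.name}: {label} encryption key is {len(key)} bytes, "
                            f"{end.encryption} needs {want}")
    want = HASH_KEY_BYTES[end.hash_alg]
    for label, key in (("inbound", end.in_hash_key), ("outbound", end.out_hash_key)):
        if len(key) != want:
            problems.append(f"{end.name}: {label} hash key is {len(key)} bytes, "
                            f"{end.hash_alg} needs {want}")
    return problems


def check_pair(a: ManualKeyEnd, b: ManualKeyEnd) -> list:
    """Cross-check both ends: local inbound values must equal the peer's outbound."""
    problems = check_end(a) + check_end(b)
    if (a.protocol, a.encryption, a.hash_alg) != (b.protocol, b.encryption, b.hash_alg):
        problems.append("protocol or algorithm settings differ between the two ends")
    for x, y in ((a, b), (b, a)):
        if x.local_spi != y.remote_spi:
            problems.append(f"{x.name} local SPI {x.local_spi:#x} != "
                            f"{y.name} remote SPI {y.remote_spi:#x}")
        if x.in_enc_key != y.out_enc_key:
            problems.append(f"{x.name} inbound encryption key != {y.name} outbound key")
        if x.in_hash_key != y.out_hash_key:
            problems.append(f"{x.name} inbound hash key != {y.name} outbound hash key")
    return problems


def example_pair():
    """Constructed sample pair (made-up keys and SPIs) that mirrors correctly."""
    k_hq_to_br = bytes.fromhex("00112233445566778899aabbccddeeff")  # 16-byte AES key
    k_br_to_hq = bytes.fromhex("ffeeddccbbaa99887766554433221100")
    h_hq_to_br = bytes(range(20))                                   # 20-byte SHA-1 key
    h_br_to_hq = bytes(range(20, 40))
    hq = ManualKeyEnd("hq", "ESP", "AES", "SHA-1", local_spi=0x1001, remote_spi=0x2002,
                      in_enc_key=k_br_to_hq, out_enc_key=k_hq_to_br,
                      in_hash_key=h_br_to_hq, out_hash_key=h_hq_to_br)
    branch = ManualKeyEnd("branch", "ESP", "AES", "SHA-1", local_spi=0x2002,
                          remote_spi=0x1001, in_enc_key=k_hq_to_br, out_enc_key=k_br_to_hq,
                          in_hash_key=h_hq_to_br, out_hash_key=h_br_to_hq)
    return hq, branch


def example_mismatch():
    """Same pair, but the branch's outbound SPI and key were typed wrongly."""
    hq, branch = example_pair()
    bad = replace(branch, remote_spi=0x1002, out_enc_key=branch.out_enc_key[:8])
    return hq, bad


if __name__ == "__main__":
    print("good pair:", check_pair(*example_pair()) or "no problems")
    for p in check_pair(*example_mismatch()):
        print("bad pair:", p)
```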

Viewing Manual Key VPN Entry

To view the manual key VPN entries that match a specified filter condition, take the following steps:

1. Select Network > VPN > IPSec VPN.

2. In the Manual Key VPN Configuration section, enter the name of the manual key VPN
entry in the text box at the top of the toolbar to view the manual key VPN entry under the
specified conditions.

Viewing IPSec VPN Monitoring Information
By using the ISAKMP SA table, IPSec SA table, and Dial-up User table, the IPSec VPN monitoring function shows the SA negotiation results of IPSec VPN Phase1 and Phase2 as well as information about dial-up users.
To view the VPN monitoring information, take the following steps:

1. Select Network > VPN > IPSec VPN.

2. In the IPSec VPN page, click IPSec VPN Monitor. You can view IPSec VPN monitoring information in the ISAKMP SA, IPSec SA and Dial-up User tabs. In the ISAKMP SA page, you can specify the peer name in the "Peer" drop-down menu and filter the monitoring information by the peer name; in the IPSec SA page, you can specify the VPN name in the "VPN Name" drop-down menu and filter the monitoring information by the VPN name.

Options in these tabs are described as follows:

ISAKMP SA

Peer: Displays the peer name.

Cookie: Displays the negotiation cookies which are used to match the SA Phase 1.

Status: Displays the status of the SA Phase1.

Peer: Displays the IP address of the peer.

Port: The port number used by the SA Phase1. 500 indicates that no NAT has been found during the SA Phase 1; 4500 indicates that NAT has been detected.

Algorithm: Displays the algorithms of the SA Phase1, including the authentication method, encryption algorithm and verification algorithm.

Lifetime: Displays the lifetime of the SA Phase1. The unit is second.

IPSec SA

ID: Displays the tunnel ID number which is auto-assigned by the system.

VPN Name: Displays the name of the VPN.

Direction: Displays the direction of the VPN.

Peer: Displays the IP address of the peer.

Port: The port number used by the SA Phase2.

Algorithm: The algorithms used by the tunnel, including protocol type, encryption algorithm, verification algorithm and compression algorithm.

SPI: Displays the local SPI and the peer SPI. The inbound direction uses the local SPI, while the outbound direction uses the peer SPI.

CPI: Displays the compression parameter index (CPI) used by the SA Phase2.

Lifetime (s): Displays the lifetime of the SA Phase2 in seconds, i.e. the SA Phase2 will restart negotiations after X seconds.

Lifetime (KB): Displays the lifetime of the SA Phase2 in KB, i.e. the SA Phase2 will restart negotiations after X kilobytes of data flow.

Status: Displays the status of the SA Phase2.

Traffic: Displays the cumulative value of the inbound and outbound traffic of the tunnel.

Protect Network: Displays the protected network of the tunnel.

Dial-up User

Peer: Displays the statistical information of the peer user. Select the peer you want from the Peer drop-down list.

User ID: Displays the IKE ID of the selected user.

IP: Displays the corresponding IP address.

Encrypted Packets: Displays the number of encrypted packets transferred through the tunnel.

Encrypted Bytes: Displays the number of encrypted bytes transferred through the tunnel.

Decrypted Packets: Displays the number of decrypted packets transferred through the tunnel.

Decrypted Bytes: Displays the number of decrypted bytes transferred through the tunnel.

Configuring PnPVPN
IPSec VPN requires sophisticated operational skills and has a high maintenance cost. To relieve network administrators from this intricate work, system provides an easy-to-use VPN technology - PnPVPN (Plug-and-Play VPN). PnPVPN consists of two parts: PnPVPN Server and PnPVPN Client.

l PnPVPN Server: Normally deployed in the headquarters and maintained by an IT engineer, the PnPVPN Server sends most of the configuration commands to the clients. The device usually works as a PnPVPN Server, and one device can serve as multiple servers.

l PnPVPN Client: Normally deployed in the branch offices and controlled remotely by a headquarters engineer, the PnPVPN Client can obtain configuration commands (e.g. DNS, WINS, DHCP address pool, etc.) from the PnPVPN Server with simple configuration, such as client ID, password, and server IP settings.

The device can serve as both a PnPVPN Server and a PnPVPN Client. When working as a PnPVPN Server, the maximum number of VPN instances and the supported number of clients per device may vary according to the platform series.

PnPVPN Workflow

The workflow for PnPVPN is as follows:

1. The client initiates a connection request and sends its own ID and password to the server.

2. The server verifies the ID and password when it receives the request. If the verification succeeds, the server sends the configuration information, including DHCP address pool, DHCP mask, DHCP gateway, WINS, DNS and tunnel routes, etc., to the client.

3. The client distributes the received information to the corresponding functional modules.

4. The client PC automatically obtains an IP address, IP mask, gateway address and other network parameters and connects itself to the VPN.

PnPVPN Link Redundancy

The PnPVPN server supports dual VPN link dials for a PnPVPN client, and automatically generates the routing to the client. It can also configure the VPN monitor for the client. Two ISAKMP gateways and two tunnel interfaces need to be configured on the server. The two VPN tunnels need to refer to different ISAKMP gateways and be bound to different tunnel interfaces.
The client supports configuring dual VPN dials and redundant routing. When the two VPN tunnels negotiate with the server, the client generates routes with different priorities according to the tunnel routing configuration on the server side. The high priority tunnel acts as the master link and the low priority tunnel as the backup link, so as to realize redundant routing. The master VPN tunnel is in the active state first. When the master tunnel is interrupted, the client uses the backup tunnel to transfer the data. When the master tunnel returns to normal, it takes over the data transfer again.

Configuring a PnPVPN Client

To configure a PnPVPN client, take the following steps:

1. Select Network > VPN > IPSec VPN.

2. At the top right corner of the IKE VPN Configuration section, click Configuration, and select PnPVPN Configuration from the drop-down list.

In the PnPVPN Configuration dialog box, configure the following options.

Server Address1: Type the IP address of the PnPVPN Server into the box. The PnPVPN client supports dual link dials to the server side. This option is required.

Server Address2: Type the IP address of the PnPVPN Server into the box. Server address 1 and server address 2 can be the same or different. It is optional.

ID: Specifies the IKE ID assigned to the client by the server.

Password: Specifies the password assigned to the client by the server.

Confirm Password: Enter the password again to confirm.

Auto Save: Select Enable to automatically save the DHCP and WINS information released by the PnPVPN Server.

Egress Interface 1: Specifies the interface connecting to the Internet. This option is required.

Egress Interface 2: Specifies the interface connecting to the Internet. IF1 and IF2 can be the same or different. It is optional.

Incoming IF: Specifies the interface on the PnPVPN Client that is accessed by the intranet PCs or the application servers.

3. Click OK to save the settings.

Notes:
l Server Address1 and Egress IF1 both need to be configured. If you want to configure a backup link, you need to configure both Server Address2 and Egress IF2.

l If the server addresses or the egress IFs are different, two separate VPN links will be generated.

l The two servers can be configured on one device, or on two different devices. If you configure them on two devices, you need to configure the AAA user on both devices. The DHCP configuration for the AAA user should be the same on both, otherwise the client and server may negotiate successfully but the traffic is blocked.

Configuring IPSec-XAUTH Address Pool
The XAUTH server assigns the IP addresses in the address pool to users. After the client has established a connection to the XAUTH server successfully, the XAUTH server chooses an IP address along with other related parameters (such as DNS server address, WINS server address, etc.) from the address pool, and assigns them to the client.
The XAUTH server provides fixed IP addresses by creating and applying IP binding rules, which consist of static IP binding rules and IP-role binding rules. A static IP binding rule binds the client user to a fixed IP address in the address pool. Once the client has established a connection successfully, system assigns the bound IP to the client. An IP-role binding rule binds a role to a specific IP range in the address pool. Once the client has established a connection successfully, system assigns an IP address within the IP range to the client.
When the XAUTH server is allocating IP addresses in the address pool, system checks the IP binding rules and determines how to assign IP addresses to the client based on the following checking order:

1. Check if the client is configured with any static IP binding rule. If so, assign the bound IP address to the client; otherwise, check the other configuration. Note that if the bound IP address is in use, the user will be unable to log in.

2. Check if the client is configured with any IP-role binding rule. If so, assign an IP address within the bound IP range to the client; otherwise, the user will be unable to log in.

Notes: The IP addresses defined in the static IP binding rules and the IP-role binding rules should not overlap.

To configure the IPSec-XAUTH address pool, take the following steps:

1. Select Network > VPN > IPSec VPN.

2. At the top-right corner, select IPSec-XAUTH Address Pool.

3. In the XAUTH Address Pool Configuration dialog box, click New.

In the Basic Configuration tab, configure the corresponding options.

Address Pool Name: Specifies the name of the address pool.

Start IP: Specifies the start IP of the address pool.

End IP: Specifies the end IP of the address pool.

Reserved Start IP: Specifies the reserved start IP of the address pool.

Reserved End IP: Specifies the reserved end IP of the address pool.

Netmask: Specifies the netmask of the IP address.

DNS1/2: Specifies the DNS server IP addresses for the address pool. It is optional. At most two DNS servers can be configured for one address pool.

WINS1/2: Specifies the WINS server IP addresses for the address pool. It is optional. Up to two WINS servers can be configured for one address pool.

In the IP User Binding tab, configure the corresponding options.

User: Type the user name into the User box.

IP: Type the IP address into the IP box.

Add: Click Add to add the item that binds the specified user to the IP address.

In the IP Role Binding tab, configure the corresponding options.

Role: Select a role from the Role drop-down list.

Start IP: Type the start IP address into the Start IP box.

End IP: Type the end IP address into the End IP box.

Add: Click Add to add the item that binds the specified role to the IP address range.

Up/Down/Top/Bottom: Move the selected IP-role binding rule. For a user that is bound to multiple roles which each have their own IP-role binding rules, system queries the IP-role binding rules in order and assigns an IP address based on the first matched rule.

4. Click OK to save the settings.
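The allocation order described above, simulated as an added Python example that is not Hillstone's code: a static IP binding wins (and the login is refused if that address is already in use), otherwise the IP-role binding rules are queried in list order and the first rule matching one of the user's roles supplies a free address, otherwise the login is refused; it also reports static bindings that fall inside a role range, which the note says to avoid. The guide does not say what happens when a matching role range is exhausted, so refusing the login there is an assumption, and all pool names, addresses, users and roles are constructed.

```python
"""Simulation of the IPSec-XAUTH address pool allocation order (added example).

Order from the guide: static IP binding first (login fails if the bound IP is in
use), then IP-role binding rules in list order (first matching rule wins), else
login fails. Assumption: an exhausted matching role range also refuses the login.
"""
import ipaddress


class XauthAddressPool:
    def __init__(self, name, start_ip, end_ip):
        self.name = name
        self.start = ipaddress.IPv4Address(start_ip)
        self.end = ipaddress.IPv4Address(end_ip)
        self.static = {}        # user -> IPv4Address (IP User Binding tab)
        self.role_rules = []    # ordered (role, start, end) (IP Role Binding tab)
        self.in_use = {}        # IPv4Address -> user currently holding it

    def _in_pool(self, ip):
        return self.start <= ip <= self.end

    def bind_user(self, user, ip):
        """Static IP binding: the user always receives this address."""
        ip = ipaddress.IPv4Address(ip)
        if not self._in_pool(ip):
            raise ValueError(f"{ip} is outside pool {self.name}")
        self.static[user] = ip

    def add_role_rule(self, role, start_ip, end_ip):
        """Append an IP-role binding rule; list order decides the first match."""
        start, end = ipaddress.IPv4Address(start_ip), ipaddress.IPv4Address(end_ip)
        if start > end or not (self._in_pool(start) and self._in_pool(end)):
            raise ValueError(f"range {start}-{end} is not inside pool {self.name}")
        self.role_rules.append((role, start, end))

    def overlaps(self):
        """Static IPs that fall inside a role range (the guide says to avoid this)."""
        return [(user, ip, role) for user, ip in self.static.items()
                for role, start, end in self.role_rules if start <= ip <= end]

    def allocate(self, user, roles):
        """Return the address assigned to the user, or None if the login fails."""
        if user in self.static:                         # step 1: static binding
            ip = self.static[user]
            if ip in self.in_use:                       # bound IP busy: no login
                return None
            self.in_use[ip] = user
            return ip
        for role, start, end in self.role_rules:        # step 2: first matching rule
            if role not in roles:
                continue
            ip = start
            while ip <= end:
                if ip not in self.in_use and ip not in self.static.values():
                    self.in_use[ip] = user
                    return ip
                ip += 1
            return None            # assumption: exhausted range refuses the login
        return None                                     # no rule matched: no login

    def release(self, ip):
        """Free an address when the client disconnects."""
        self.in_use.pop(ipaddress.IPv4Address(ip), None)


def demo():
    """Constructed scenario; returns each allocation result and the overlap report."""
    pool = XauthAddressPool("xauth-pool", "10.10.1.10", "10.10.1.100")
    pool.bind_user("alice", "10.10.1.20")
    pool.add_role_rule("admin", "10.10.1.30", "10.10.1.39")
    pool.add_role_rule("staff", "10.10.1.40", "10.10.1.99")
    results = {
        "alice": pool.allocate("alice", {"staff"}),        # static binding wins
        "bob": pool.allocate("bob", {"staff", "admin"}),   # first rule in order: admin
        "carol": pool.allocate("carol", {"staff"}),
        "alice-again": pool.allocate("alice", {"staff"}),  # bound IP busy: refused
        "dave": pool.allocate("dave", {"guest"}),          # no matching rule: refused
    }
    pool.add_role_rule("admin", "10.10.1.15", "10.10.1.25")  # overlaps alice's static IP
    return results, pool.overlaps()


if __name__ == "__main__":
    res, bad = demo()
    for user, ip in res.items():
        print(f"{user:12} -> {ip if ip else 'login refused'}")
    print("overlapping bindings:", bad)
```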

SSL VPN
The device provides an SSL based remote access solution. Remote users can access intranet resources safely through the provided SSL VPN.
SSL VPN consists of two parts: SSL VPN server and SSL VPN client. The device configured as the SSL VPN server provides the following functions:

l Accept client connections.

l Allocate IP addresses, DNS server addresses, and WINS server addresses to SSL VPN clients.

l Authenticate and authorize clients.

l Perform host checking on clients.

l Decrypt and forward encrypted packets from the client.

By default, the number of concurrent online clients may vary on different platform series. You can expand the supported number by purchasing the corresponding license.
After successfully connecting to the SSL VPN server, the SSL VPN client secures your communication with the server. The following SSL VPN clients are available:

l "SSL VPN Client for Windows" on Page 485

l "SSL VPN Client for Android" on Page 512

l "SSL VPN Client for iOS" on Page 519

l "SSL VPN Client for macOS" on Page 524

l "SSL VPN Client for Linux" on Page 530

Configuring an SSL VPN


To configure an SSL VPN, take the following steps:

1. Select Network > VPN > SSL VPN.

2. In the SSL VPN page, click New.

In the Name/Access User tab, configure the corresponding options.

SSL VPN Name: Type the name of the SSL VPN instance.

Type: Select IPv4 or IPv6 to specify the service type of the SSL VPN instance. This option can only be configured when the version is IPv6.

Assigned Users

AAA Server: Select an AAA server from the AAA Server drop-down list. You can click View AAA Server to view the detailed information of this AAA server.

Domain: Type the domain name into the Domain box. The domain name is used to distinguish the AAA server.

Verify User Domain Name: After enabling this function, system will verify the username and its domain name.

Add: Click Add to add the assigned users. You can repeat this to add more items.

In the Interface tab, configure the corresponding options.

Access Interface
Egress Interface1: Select the interface from the drop-down list as the SSL VPN server interface. This interface is used to listen for requests from the SSL VPN client.
Egress Interface2: Select the interface from the drop-down list. This interface is needed when the optimal path detection function is enabled.
Service Port: Specifies the SSL VPN service port number.
Tunnel Interface
Tunnel Interface: Specifies the tunnel interface bound to the SSL VPN tunnel. The tunnel interface transmits traffic to/from the SSL VPN tunnel.
- Select a tunnel interface from the drop-down list, and then click Edit to edit the selected tunnel interface.
- Click New in the drop-down list to create a new interface.
Information: Shows the zone, IP address, and netmask or prefix length of the selected tunnel interface.
Address Pool
Address Pool: Specifies the SSL VPN address pool.
- Select an address pool from the drop-down list, and then click Edit to edit the selected address pool.
- Click New in the drop-down list to create a new address pool.
When configuring an IPv6 SSL VPN, this option specifies the IPv6 SSL VPN address pool.
Information: Shows the start IP address, end IP address, and mask of the address pool.

In the Tunnel Route tab, configure the following options.


Tunnel Route
Specify the destination network segment that you want to access through the SCVPN tunnel. The specified destination network segment will be distributed to the VPN client, which then uses it to generate the route to the specified destination.
New: Click New to add this route. You can repeat this to add more items.
IP: Type the destination IP address.
Mask: Type the netmask of the destination IP address.
Metric: Type the metric value.
Delete: Click Delete to delete the selected route.
Enable Domain Route
Specify the destination domain name that you want to access through the SCVPN tunnel.
After clicking the Enable button, the system will distribute the specified domain names to the VPN client, and the client will generate routes to the specified destination according to the resolution results from the DNS.
Maximum: The maximum number of routes that can be generated after obtaining the resolved IP addresses of the domain name. The value ranges from 1 to 10000.
New: Click New to add the domain name to the list. You can add up to 64 domain names.
Domain: Specify the URL of the domain name. The URL cannot exceed 63 characters and cannot end with a dot (.). Neither wildcards nor a single top-level domain (e.g. com or .com) are supported.
Delete: Click Delete to delete the selected domain name.
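The tunnel and domain route distribution above, as an added example that is not Hillstone's code: a Python routine that validates domain names by the rules given and then builds the client's route list with the per-name Maximum. DNS answers are constructed inline, and the metric used for domain-generated routes is an assumption.

```python
"""Added example, not Hillstone's code: how an SSL VPN client could turn the
tunnel routes and domain routes it receives into a route list, applying the
limits the guide states (domain name rules, 64 names, "Maximum" routes per name)."""
import ipaddress
from typing import Dict, List, Tuple

MAX_DOMAIN_NAMES = 64
MAX_ROUTES_PER_DOMAIN = 10000


def validate_domain(name: str) -> None:
    """Reject domain names the guide says are unsupported."""
    if not 1 <= len(name) <= 63:
        raise ValueError(f"{name!r}: length must be 1 to 63 characters")
    if name.endswith("."):
        raise ValueError(f"{name!r}: must not end with a dot")
    if "*" in name:
        raise ValueError(f"{name!r}: wildcards are not supported")
    # "com" and ".com" are a single top-level domain; ASSUMPTION: any other
    # leading-dot name is rejected for the same reason.
    if name.startswith(".") or len(name.split(".")) < 2:
        raise ValueError(f"{name!r}: a single top-level domain is not supported")


def build_routes(tunnel_routes: List[Tuple[str, str, int]],
                 domain_names: List[str],
                 resolved: Dict[str, List[str]],
                 maximum: int,
                 domain_metric: int = 1) -> List[Tuple[str, int]]:
    """Return (destination network, metric) pairs in distribution order.

    tunnel_routes: (IP, netmask, metric) triples from the Tunnel Route tab.
    resolved: DNS answers per domain name, constructed here in place of real
    lookups. domain_metric is an ASSUMPTION; the guide gives no metric for
    domain-generated routes."""
    if not 1 <= maximum <= MAX_ROUTES_PER_DOMAIN:
        raise ValueError("Maximum must be 1 to 10000")
    if len(domain_names) > MAX_DOMAIN_NAMES:
        raise ValueError("at most 64 domain names are allowed")
    for name in domain_names:
        validate_domain(name)

    routes: List[Tuple[str, int]] = []
    seen = set()
    # Static destination segments come first, exactly as configured.
    for ip, mask, metric in tunnel_routes:
        net = str(ipaddress.ip_network(f"{ip}/{mask}", strict=False))
        if net not in seen:
            seen.add(net)
            routes.append((net, metric))
    # Domain routes: one host route per resolved address, capped per name.
    for name in domain_names:
        generated = 0
        for addr in resolved.get(name, []):
            if generated >= maximum:
                break
            net = str(ipaddress.ip_network(addr))  # /32 or /128 host route
            if net in seen:
                continue  # ASSUMPTION: routes already present do not use up the cap
            seen.add(net)
            routes.append((net, domain_metric))
            generated += 1
    return routes


if __name__ == "__main__":
    answers = {"intranet.example.com": ["10.1.1.1", "10.1.1.2", "10.1.1.3"]}  # constructed
    for route in build_routes([("192.168.10.0", "255.255.255.0", 1)],
                              ["intranet.example.com"], answers, maximum=2):
        print(route)
```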

In the Binding Resource tab, configure the binding relationship between user groups and
resources.

Binding Resource
New: Click New to add binding entries for resources and user groups to the list below. You can repeat this to add more items.
Resource List: Selects an existing resource name from the drop-down list. The range is 1 to 63 characters.
User Group: Selects an existing user group from the drop-down list.
Note:
- A user group can be bound to multiple resources, and a resource can also be bound to multiple user groups.
- Only 256 binding entries can be configured in an SSL VPN instance.
AAA Server: Select the AAA servers where the user groups reside from the drop-down list. Currently, only the local authentication server and the RADIUS server are available.
Delete: Click Delete to delete the selected item.

3. If necessary, click Advanced Configuration to configure the advanced functions, including
parameters, client, host security, SMS authentication, and optimized path.

In the Parameters tab, configure the corresponding options.


Security Kit
SSL Version: Specifies the SSL protocol version. Any indicates that one of the TLSv1, TLSv1.1 or TLSv1.2 protocols will be used.
If tlsv1.2 or any is specified as the SSL protocol on the SSL VPN server, you need to convert the certificate that you are going to import into the browser, or the certificate in the USB Key, so that it supports the tlsv1.2 protocol before digital certificate authentication via the SSL VPN client. Only then can the SSL VPN server be connected when the Username/Password + Digital Certificate or Digital Certificate Only authentication method is selected.
Prepare a PC running Windows or Linux with OpenSSL 1.0.1 or later installed before processing the certificate. Taking a certificate file named oldcert.pfx as an example, the procedure is as follows:

1. In the OpenSSL command line, enter the following command to convert the certificate from .pfx format to .pem format:
   openssl pkcs12 -in oldcert.pfx -out cert.pem

2. Enter the following command to convert the .pem certificate to a .pfx certificate that supports the tlsv1.2 protocol:
   openssl pkcs12 -export -in cert.pem -out newcert.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"

3. Import the newly generated .pfx certificate into your browser or USB Key.

After the above operation, you have to log into the SSL VPN server with an SSL VPN client whose version is 1.4.6.1239 or later.
Trust Domain: Specifies the trust domain. When the GMSSLv1.0 protocol is used, the specified PKI trust domain needs to include the SM2 signature certificate and its private key for the GMSSL negotiation.
Encryption Trust Domain: When using the GMSSLv1.0 protocol, you must configure this option. The specified encryption PKI trust domain needs to include the SM2 encryption certificate and its private key for the GMSSL negotiation.
Encryption: Specifies the encryption algorithm of the SSL VPN tunnel. The default value is AES. NULL indicates no encryption. When using the GMSSLv1.0 protocol, SM4 is the recommended encryption algorithm.
Hash: Specifies the hash algorithm of the SSL VPN tunnel. The default value is MD5. NULL indicates no hash. When using the GMSSLv1.0 protocol, SM3 is the recommended hash algorithm.
Compression: Specifies the compression algorithm of the SSL VPN tunnel. By default, no compression algorithm is used.
Client Connection
Allow Download Client from Browser: If the check box is selected, you are allowed to download the SSL VPN client via the browser WebUI. By default, the function is enabled. When this function is disabled, you can only download the SSL VPN client from www.hillstonenet.com.cn.
Note: To download the SSL VPN client via the browser WebUI, open "https://IP-Address:Port-Number", where "IP-Address" is the address of the "Access Interface" and "Port-Number" is the service port number configured in "Access Interface".
Idle Time: Specifies the time that a client stays online without any traffic with the server. After the idle time elapses, the server will disconnect the client. The value range is 15 to 1500 minutes. The default value is 30.
Multiple Login: This function permits one client to sign in from more than one place simultaneously. Select the Enable check box to enable the function.
Multiple Login Times: Type the login times into the Multiple Login Times box. The value range is 0 to 99,999,999. The value 0 indicates no login time limitation.
Advanced Parameters
Anti-Replay: The anti-replay function is used to prevent replay attacks. The default value is 32.
DF-Bit: Specifies whether to permit packet fragmentation on the device forwarding the packets. The actions include:
- Set - Forbids packet fragmentation.
- Copy - Copies the DF value from the destination of the packet. It is the default value.
- Clear - Permits packet fragmentation.
Port (UDP): Specifies the UDP port number for the SSL VPN connection.
Port (TCP): Specifies the TCP port number for the SSL VPN connection.

In the Client tab, configure the corresponding options.


Client Configuration
Change Password URL: Specifies the URL that redirects the client to the specified page to modify the password. The length is 1 to 255 characters.
Forgot Password URL: Specifies the URL that redirects the client to the specified page to reset the password. The length is 1 to 255 characters.
Note: This configuration takes effect only after the Change Password function is enabled on the local server.
Redirect URL: This function redirects the client to the specified URL after a successful authentication. Type the redirect URL into the box. The value range is 1 to 255 characters. HTTP (http://) and HTTPS (https://) URLs are supported. Depending on the type of the URL, the corresponding fixed URL format is required. Taking the HTTP type as an example:
- For a UTF-8 encoded page - The format is URL+username=$USER&password=$PWD, e.g., http://www.abc.com/oa/login.do?username=$USER&password=$PWD
- For a GB2312 page - The format is URL+username=$GBUSER&password=$PWD, e.g., http://www.abc.com/oa/login.do?username=$GBUSER&password=$PWD
- Other pages - Type the URL directly, e.g., http://www.abc.com
Title: Specifies the description for the redirect URL. The value range is 1 to 31 bytes. This title will appear as a client menu item.
Delete privacy data after disconnection: Select Enable to delete the corresponding privacy data after the client's disconnection.
Digital Certificate Authentication
Authentication: Select the Enable check box to enable this function. There are two options available:
- Username/Password + Digital Certificate - To pass the authentication, you need to have the correct file certificate, or the USB Key that stores the correct digital certificate, and also type the correct username and password. USB Key certificate users also need to type the USB Key password.
- Digital Certificate only - To pass the authentication, you need to have the correct file certificate, or the USB Key that stores the correct digital certificate. USB Key certificate users also need to type the USB Key password. No username or user password is required.
When Digital Certificate only is selected:
- The system can map corresponding roles for the authenticated users based on the CN or OU field of the USB Key certificate. For more information about role mapping based on CN or OU, see "Role" on Page 664.
- The system does not allow the local user to change the password.
- The system does not support SMS authentication.
- The client will not re-connect automatically if the USB Key is removed.
USB KEY Download URL: When USB Key authentication is enabled, you can download the UKey driver from this URL.

Trust Domain / Subject&Username Checking / CN Matching / OU Matching: To configure the trust domain and the subject & username checking function:

1. From the Trust domain drop-down list, select the PKI trust domain that contains the CA (Certification Authority) certificate. As long as the client's certificate matches any CA certificate of the trust domain, the authentication will succeed.

2. If necessary, select the Subject&Username Checking check box to enable the subject & username check function. After enabling it, when the user is authenticated by the USB Key certificate, the system will check whether the subject CommonName in the client certificate is the same as the name of the login user. You can also enter strings in the CN Match box and the OU box to determine whether the certificate matches them.

3. Click Add. The configured settings will be displayed in the list below. To delete an item, select the item you want to delete from the list, and then click Delete.

In the Two-Step verification tab, configure the corresponding options.


Option Description
Two-Step Verification: Click Two-Step Verification to enable the function. Two-Step Verification means that when an SSL VPN user logs in by providing a "username/password" or a "username/password+Digital Certificate", the Hillstone device will implement the two-step verification by means of SMS Authentication, Token Authentication or Email Authentication after the username and password are entered. The user must enter the random verification code received in order to log into the SSL VPN and access intranet resources.
Type: Specifies the type of Two-Step Verification, including SMS Authentication, Token Authentication and Email Authentication:
- SMS Authentication: Click SMS Modem or SMS Gateway to specify the authentication type, and configure the corresponding options below as needed.
- Token Authentication: Enter a prompt message as needed.
- Email Authentication: Configure the corresponding options below as needed.
SMS Authentication
SMS Authentication: Select SMS Authentication to enable the function, and select SMS Modem or SMS Gateway to specify the SMS authentication type.
SMS Gateway Name: Select the SMS gateway name from the drop-down list. For more information about SMS Gateway, see "SMS Gateway" on Page 1325.
Lifetime of SMS Auth Code: Specifies the lifetime of the SMS authentication code. Type the lifetime value into the Lifetime of SMS Auth Code box. The range is 1 to 10 minutes.
Sender Name: Specifies a message sender name to display in the message content. The range is 1 to 63.
Note: Due to the limitation of the UMS enterprise information platform, when SMS gateway authentication is enabled, the sender name will be displayed as the name of the UMS enterprise information platform.
Verification Code Length: Specifies the length of the SMS verification code. The range is 4 to 8 characters. The default value is 8.
Sign Name: If an ALIYUNSMS service provider name is specified for the "SMS Gateway Name" option, the sign name must be entered in this field and will be displayed in the message content. The range is 1 to 63 characters. This parameter should be the same as the sign name applied in the SMS service of Alibaba Cloud.
Template Code: If an ALIYUNSMS service provider name is specified for the "SMS Gateway Name" option, the code of the SMS template must be entered in this field. The range is 1 to 30 characters. This parameter should be the same as the template code applied in the SMS service of Alibaba Cloud.
Email Authentication
Mail Server: Specifies the existing Email server on which the Email address used to send the verification code is configured. The range is 1 to 31 characters. For more information about the configuration of the Mail Server, see "Mail Server" on Page 1321.
Lifetime of Email Verification Code: Specifies the lifetime of the Email verification code. The range is 1 to 10 minutes. The default value is 10. Each Email verification code has a period of validity. If the user neither types the verification code within the period nor applies for a new code, the SSL VPN server will drop the connection.
Sender Name: Specifies a verification code sender name to display in the Email content. The range is 1 to 63 characters. The default value is "hillstone". In order to prevent the mail from being identified as spam, it is recommended that users configure the sender name.
Verification Code Length: Specifies the length of the Email verification code. The range is 4 to 8 characters. The default value is 8.
Email Verification Content: Specifies the Email verification content. The input must contain "$USERNAME" (this parameter is used to get the username) and "$VRFYCODE" (this parameter is used to get the verification code). The default content is "SCVPN user <$USERNAME> email verification code: $VRFYCODE. Do not reveal to anyone! If you did not request this, please ignore it.".
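Verification code handling as described above, as an added example that is not Hillstone's code: a Python issuer/checker that enforces the code length and lifetime ranges from the table, treats each code as single-use, and checks that the content template carries both placeholders. The clock is injectable only so the expiry path can be exercised offline.

```python
"""Added example, not Hillstone's code: issuing and checking a two-step
verification code with the length (4 to 8) and lifetime (1 to 10 minutes)
limits the guide gives, plus the $USERNAME/$VRFYCODE template check."""
import secrets
import string
import time
from typing import Callable, Dict, Tuple

DEFAULT_EMAIL_CONTENT = ("SCVPN user <$USERNAME> email verification code: $VRFYCODE. "
                         "Do not reveal to anyone! If you did not request this, please ignore it.")


def render_content(template: str, username: str, code: str) -> str:
    """Fill the template; both placeholders are mandatory per the guide."""
    for placeholder in ("$USERNAME", "$VRFYCODE"):
        if placeholder not in template:
            raise ValueError(f"template must contain {placeholder}")
    return template.replace("$USERNAME", username).replace("$VRFYCODE", code)


class VerificationCodes:
    """Server-side state for one SSL VPN instance's second factor."""

    def __init__(self, code_length: int = 8, lifetime_minutes: int = 10,
                 clock: Callable[[], float] = time.time) -> None:
        if not 4 <= code_length <= 8:
            raise ValueError("code length must be 4 to 8")
        if not 1 <= lifetime_minutes <= 10:
            raise ValueError("lifetime must be 1 to 10 minutes")
        self.code_length = code_length
        self.lifetime = lifetime_minutes * 60
        self.clock = clock  # injectable for deterministic tests
        self._pending: Dict[str, Tuple[str, float]] = {}

    def issue(self, username: str) -> str:
        """Generate a fresh random code; re-issuing replaces any earlier code."""
        code = "".join(secrets.choice(string.digits) for _ in range(self.code_length))
        self._pending[username] = (code, self.clock() + self.lifetime)
        return code

    def verify(self, username: str, submitted: str) -> str:
        """Return "ok", "expired", "mismatch" or "none". A code is single-use; an
        expired one is dropped, which is where the server would disconnect the client."""
        entry = self._pending.get(username)
        if entry is None:
            return "none"
        code, expires_at = entry
        if self.clock() > expires_at:
            del self._pending[username]
            return "expired"
        # Constant-time comparison so the check does not leak matching prefixes.
        if not secrets.compare_digest(code.encode(), submitted.encode()):
            return "mismatch"
        del self._pending[username]
        return "ok"


if __name__ == "__main__":
    codes = VerificationCodes(code_length=6, lifetime_minutes=5)
    code = codes.issue("alice")
    print(render_content(DEFAULT_EMAIL_CONTENT, "alice", code))
    print(codes.verify("alice", code))  # ok
```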

In the Host Compliance Check/Binding tab, configure the corresponding options.


Host Compliance Check
Creates a host compliance check rule to perform the host compliance check function. Before creating a host compliance check rule, you must first configure the host compliance check profile in "Configuring a Host Compliance Check Profile" on Page 479.
Role: Specifies the role to which the host compliance check rule will be applied. Select the role from the Role drop-down list. Default indicates the rule will take effect for all roles.
Host Compliance Check: Specifies the compliance check profile. Select the profile from the Host Compliance Check drop-down list.
Exception handling method: Specifies the exception handling method.
- Guest Role: Select the guest role from the Guest Role drop-down list. The user will get the access permission of the guest role when the host checking fails. If —— is selected, the system will disconnect the connection when the host compliance check fails.
- Redirect URL: Click the Redirect URL radio button, and then type the URL into the text box. When the host checking fails, the browser jumps to the specified URL to guide the user to download the software required for host security detection, and the client is disconnected. If this option is not configured, the client will be disconnected.
Guest Role: Select the guest role from the Guest Role drop-down list. The user will get the access permission of the guest role when the host checking fails. If Null is selected, the system will disconnect the connection when the host compliance check fails.
Periodic Check: Specify the host compliance check period. The system will check the status of the host automatically according to the host compliance check profile in each period.
Add: Click Add. The configured settings will be displayed in the table below.
Delete: To delete an item, select the item you want to delete from the list, and then click Delete.
Host Binding
Enable Host Binding: Select the Enable Host Binding check box to enable the function. By default, one user can only log in on one host. You can change the login behaviour by configuring the following options.
- Allow one user to log in through multiple hosts.
- Allow multiple users to log in on one host.
- Automatically add the user-host ID entry into the binding list at the first login.
Note: To use the host binding function, you still have to configure it in the host binding configuration page. For more information about host binding, see "Host Binding" on Page 472.

In the Optimized Path tab, configure the corresponding options.


Option Description
Optimal path detection can automatically detect which ISP service is better, giving remote users a better user experience.
No Check: Do not detect.
Client: The client selects the optimal path automatically by sending UDP probe packets.
The device: When the client connects to the server directly without any NAT device, this is the detection process:
1. The server recognizes the ISP type of the client according to the client's source address.
2. The server sends all of the sorted IP addresses of the egress interfaces to the client.
3. The client selects the optimal path.
When the client connects to the server through a NAT device, this is the detection process:
1. The server recognizes the ISP type of the client according to the client's source address.
2. The server sends all of the sorted NAT IP addresses of the external interfaces to the client.
3. The client selects the optimal path.
NAT Mapping Address and Port: If necessary, in the NAT mapping address and port section, specify the mapped public IPs and ports of the server referenced in the DNAT rules of the NAT device. When the client connects to the server through the DNAT device, the NAT device will translate the destination address of the client to the server's egress interface address. Type the IP address of the NAT device's external interface and the HTTPS port number (you are not recommended to specify the HTTPS port as 443, because 443 is the default HTTPS port of WebUI management). You can configure up to 4 IPs.

4. Click Done to save the settings.

To view the SSL VPN online users, take the following steps:

1. Select Configure > Network > SSL VPN.

2. Select an SSL VPN instance.

3. View the detailed information of the online users in the table. You can also add filter conditions (Online Users, User group, Host Binding ID) to view the detailed information of the SSL VPN online users that meet the filter conditions.

Configuring Resource List


A resource list refers to resources configured in the system that can be easily accessed by users. Each resource contains multiple resource items. A resource item is presented in the form of the resource name followed by the resource item name in your default browser page. After the SSL VPN user is authenticated successfully, the authentication server sends the user group information of the user to the SSL VPN server. Then, according to the binding relationship between the user group and resources in the SSL VPN instance, the server sends the client a resource list of what the user can access. The client then parses it and makes the IE browser in the system pop up a page displaying the received resource list information, so that the user can access the private network resource directly by clicking the resource item name. The resource list page pops up only after the authentication is passed. If a user does not belong to any user group, the browser will not pop up the resource list page unless authentication is passed.
To configure resource list for SSL VPN:

1. Select Network > VPN > SSL VPN.

2. Click Configuration > Resources List at the top-right corner.

3. Click New.

In the Resources Configuration dialog box, configure the corresponding options.

Option Description
Name: Enter a name for the new resource. The range is 1 to 63 characters.
Resource Item
Name: Enter a name for a new resource item. Names of resource items in different resources cannot be the same. The range is 1 to 95 characters.
URL: Enter a URL for a new resource item.
Add: Click Add to add this binding item to the list below.
Note: The maximum number of configurable resource entries varies by platform in three levels: 200 entries, 500 entries, and 1000 entries.
Delete: To delete a rule, select the rule you want to delete from the list and click Delete.
Up/Down/Top/Bottom: You can move the items at your own choice to adjust the presentation sequence accordingly.

4. Click OK. The new resource will be displayed in the resource list.
At most 3 resource items can be displayed in the resource list for each resource; the other items will be displayed as "...". You can click the Edit or Delete button to edit or delete the selected resource.

Notes:
- Fewer than 256 resource lists can be configured.
- The maximum number of resource entries that can be configured on different platforms is different. Please refer to the actual situation.
- SSL VPN client versions that allow you to configure the resource list are as follows: SSL VPN Windows client 1.4.6.1238 or later versions, iOS 2.0.6 or later versions, and Android 4.6 or later versions.

Configuring an SSL VPN Address Pool


The SSL VPN server allocates IPs from the SSL VPN address pools to the clients. After the client connects to the server successfully, the server will fetch an IP address along with other related parameters (e.g., DNS server address and WINS server address) from the SSL VPN address pool and then allocate the IP and parameters to the client.
You can create an IP binding rule to meet a fixed-IP requirement. IP binding rules include the IP-user binding rule and the IP-role binding rule. The IP-user binding rule binds the client to a fixed IP in the configured address pool. When the client connects to the server successfully, the server will allocate the bound IP to the client. The IP-role binding rule binds a role to an IP range in the configured address pool. When the client connects to the server successfully, the server will select an IP from the IP range and allocate it to the client.
After the client successfully connects to the server, the server will check the binding rules in a certain order to determine which IP to allocate. The order is shown below:

- Check whether an IP-user binding rule is configured for the client. If yes, allocate the bound IP to the client; if no, the server will select an IP which is not bound or used from the address pool, then allocate it to the client.

- Check whether an IP-role binding rule is configured for the client. If yes, get an IP from the IP range and allocate it to the client; if no, the server will select an IP which is not bound or used from the address pool, then allocate it to the client.

Notes: IP addresses in the IP-user binding rules and IP addresses in the IP-role binding rules should not overlap.
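The allocation order above, as an added example that is not Hillstone's code: a small Python allocator that models the pool, the reserved range and both binding rule types, and refuses an overlapping configuration at construction time. What happens when a matched role range is already exhausted is not stated in the guide; falling back to the pool is an assumption.

```python
"""Added example, not Hillstone's code: an allocator that applies the address-pool
rules the guide describes (IP-user binding first, then IP-role bindings in order,
then any free, unbound address) and rejects overlapping binding rules."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class RoleBinding:
    """One IP-role binding rule: a role is bound to an IP range in the pool."""
    role: str
    start_ip: str
    end_ip: str

    def addresses(self):
        start = int(ipaddress.ip_address(self.start_ip))
        end = int(ipaddress.ip_address(self.end_ip))
        return [ipaddress.ip_address(i) for i in range(start, end + 1)]


@dataclass
class AddressPool:
    start_ip: str
    end_ip: str
    reserved_start: Optional[str] = None  # reserved range is never handed out
    reserved_end: Optional[str] = None
    user_bindings: Dict[str, str] = field(default_factory=dict)  # user -> fixed IP
    role_bindings: List[RoleBinding] = field(default_factory=list)  # ordered list
    leases: Dict[str, str] = field(default_factory=dict)  # ip -> user holding it

    def __post_init__(self):
        # The guide's note: IP-user bindings and IP-role ranges must not overlap.
        role_ips = {str(ip) for rb in self.role_bindings for ip in rb.addresses()}
        for user, ip in self.user_bindings.items():
            if ip in role_ips:
                raise ValueError(f"IP-user binding for {user} ({ip}) overlaps an IP-role range")
            if not self._in_range(ip, self.start_ip, self.end_ip):
                raise ValueError(f"IP-user binding for {user} ({ip}) is outside the pool")

    @staticmethod
    def _in_range(ip: str, start: Optional[str], end: Optional[str]) -> bool:
        if start is None or end is None:
            return False
        addr = ipaddress.ip_address(ip)
        return ipaddress.ip_address(start) <= addr <= ipaddress.ip_address(end)

    def _free(self, ip: str) -> bool:
        return ip not in self.leases and not self._in_range(ip, self.reserved_start, self.reserved_end)

    def _lease(self, ip: str, user: str) -> str:
        self.leases[ip] = user
        return ip

    def allocate(self, user: str, roles: Set[str]) -> str:
        """Return the IP handed to `user`, following the guide's evaluation order."""
        # 1. IP-user binding rule: the client always gets its fixed IP.
        if user in self.user_bindings:
            ip = self.user_bindings[user]
            if self.leases.get(ip, user) != user:
                raise RuntimeError(f"bound IP {ip} is held by {self.leases[ip]}")
            return self._lease(ip, user)
        # 2. IP-role binding rules, queried in list order; the first rule whose
        #    role the user holds decides the range.
        for rb in self.role_bindings:
            if rb.role in roles:
                for addr in rb.addresses():
                    if self._free(str(addr)):
                        return self._lease(str(addr), user)
                break  # ASSUMPTION: an exhausted matched range falls back to the pool
        # 3. Otherwise any address that is neither bound, reserved nor in use.
        bound = set(self.user_bindings.values())
        bound |= {str(ip) for rb in self.role_bindings for ip in rb.addresses()}
        start = int(ipaddress.ip_address(self.start_ip))
        end = int(ipaddress.ip_address(self.end_ip))
        for i in range(start, end + 1):
            ip = str(ipaddress.ip_address(i))
            if ip not in bound and self._free(ip):
                return self._lease(ip, user)
        raise RuntimeError("address pool exhausted")

    def release(self, ip: str) -> None:
        self.leases.pop(ip, None)


def demo_pool() -> AddressPool:
    """Constructed sample pool used by the walkthrough below."""
    return AddressPool(
        start_ip="10.0.0.1", end_ip="10.0.0.20",
        reserved_start="10.0.0.1", reserved_end="10.0.0.2",
        user_bindings={"alice": "10.0.0.10"},
        role_bindings=[RoleBinding("sales", "10.0.0.11", "10.0.0.12"),
                       RoleBinding("eng", "10.0.0.13", "10.0.0.14")],
    )


if __name__ == "__main__":
    pool = demo_pool()
    print(pool.allocate("alice", {"sales"}))       # 10.0.0.10 (IP-user binding wins)
    print(pool.allocate("bob", {"eng", "sales"}))  # 10.0.0.11 (first matching role rule)
    print(pool.allocate("carol", set()))           # 10.0.0.3 (reserved and bound IPs skipped)
```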

To configure an address pool, take the following steps:

1. Select Network > VPN > SSL VPN.

2. Click Configuration > Address Pool at the top-right corner.

3. Select the IPv4 or IPv6 tab. This option can only be configured in the IPv6 version.

4. Click New.

In the Basic tab, configure the following options.

Option Description
Address Pool Name: Specifies the name of the address pool.
Start IP: Specifies the start IP of the address pool.
End IP: Specifies the end IP of the address pool.
Reserved Start IP: Specifies the reserved start IP of the address pool.
Reserved End IP: Specifies the reserved end IP of the address pool.
Netmask: Specifies the netmask in dotted decimal format.
Prefix Length: Specifies the prefix for this IPv6 address range. The range is 111 to 128.
DNS1/2/3/4: Specifies the DNS server IP address for the address pool. It is optional. At most 4 DNS servers can be configured for one address pool.
WINS1/2: Specifies the WINS server IP addresses for the address pool. It is optional. Up to 2 WINS servers can be configured for one address pool. This option can only be configured when creating an IPv4 address pool.

In the IP User Binding tab, configure the corresponding options.

Option Description
User: Type the user name into the User box.
IP: Type the IP address into the IP box.
Add: Click Add to add this IP user binding rule.
Delete: To delete a rule, select the rule you want to delete from the list and click Delete.

In the IP Role Binding tab, configure the corresponding options.

Option Description
Role: Type the role name into the Role box.
Start IP: Type the start IP address into the Start IP box.
End IP: Type the end IP address into the End IP box.
Add: Click Add to add this IP role binding rule.
Delete: To delete a rule, select the rule you want to delete from the list and click Delete.
Up/Down/Top/Bottom: The system queries IP role binding rules in turn and allocates the IP address according to the first matched rule. You can move a rule up or down at your own choice to adjust the matching sequence accordingly.

5. Click OK to save the settings.

Configuring SSL VPN Download Page


You can customize the title and background of the SSL VPN download page. The default down-
load page is shown as below:

To customize the SSL VPN download page, take the following steps:

1. Select Network > VPN > SSL VPN.

2. At the top-right corner, click Configuration > SSL VPN Download Page Configuration.

3. Click Upload Background Picture > Browse to select the background picture.

4. Click Upload to upload the background picture to system. After uploading successfully, you
will have completed the background picture modification.

5. Enter the title in the Download Page Title box to customize the title of the download page.

6. Click OK to save the settings. Clicking Cancel will only affect the authentication page title
modification.

If you want to restore the default picture, click Restore Default Background, then click OK.

Host Binding
The host binding function verifies the hosts running the SSL VPN clients according to their host IDs and user information. The verification process is:

1. When an SSL VPN user logs in via the SSL VPN client, the client collects the host information: main board serial number, hard disk serial number, CPU ID, and BIOS serial number.

2. Based on the above information, the client performs an MD5 calculation to generate a 32-character string, which is named the host ID.

3. The client sends the host ID and user/password to the SSL VPN server.

4. The SSL VPN server verifies the host according to the entries in the host unbinding list and host binding list, and deals with the verified host according to the host binding configuration.

The host unbinding list and host binding list are described as follows:

- Host unbinding list: The host unbinding list contains the user-host ID entries for first-login users.

- Host binding list: The host binding list contains the user-host ID entries for the users who can pass the verification. The entries in the host unbinding list can be moved to the host binding list manually, or automatically at the first login. When a user logs in, the SSL VPN server will check whether the host binding list contains the user-host ID entry of the login user. If there is a matched entry in the host binding list, the user will pass the verification and the server will go on to check the user/password. If there is no matched entry for the login user, the connection will be disconnected.

Configuring Host Binding

Configuring host binding includes host binding/unbinding configurations, super user con-
figurations, shared host configurations, and user-host binding list importing/exporting.

Configuring Host Binding and Unbinding

To add a binding entry to the host binding list, take the following steps:

1. Select Network > VPN > SSL VPN.

2. At the top right corner, click Host Compliance Binding to visit the Host Compliance Check/Binding page.

3. With the Binding and Unbinding tab active, select the entries in the Host Unbinding List that you want to add. You can also add filter conditions (User, Host ID) to view the detailed information of entries that meet the filter conditions.

4. Click Add to add the selected entries to the Host Binding List.

To delete a binding entry from the host binding list, take the following steps:

1. Select Network > VPN > SSL VPN.

2. At the top right corner, click Host Compliance Binding to visit the Host Compliance Bind-
ing page.

3. With the Binding and Unbinding tab active, select the entries you want to delete from the Host Binding List. You can also add filter conditions (User, Host ID) to view the detailed information of entries that meet the filter conditions.

4. Click Unbinding to remove the selected entries from this list.

Configuring a Super User

A super user is not subject to the host binding check and can log in from any host. To
configure a super user, take the following steps:

1. Select Network > VPN > SSL VPN.

2. At the top right corner, click Host Compliance Binding to visit the Host Compliance Binding
page.

3. With the User Privilege List tab active, click New.

In the New dialog box, configure the corresponding options.

User: Specifies the name of the user.

Super User: Select the Enable check box to make the user a super user.

Preapproved Number: Applies when the system allows one user to log in from multiple hosts and
the option to add the user-host ID entry to the host binding list automatically at the first
login is enabled. By default the system records only the user's first login host in the host
binding list; a login from any other host is recorded in the host unbinding list instead. The
preapproved number raises this limit: it specifies the maximum number of user-host ID entries
that can be recorded automatically for this user.

4. Click OK to save the settings.

Configuring a Shared Host

Clients that log in from a shared host are not subject to the host binding list. Because a
shared host exempts every user who logs in from it, limit shared host IDs to hosts that really
are shared, such as kiosks or lab machines. To configure a shared host, take the following
steps:

1. Select Network > VPN > SSL VPN.

2. At the top right corner, click Host Compliance Binding to visit the Host Compliance Binding
page.

3. With the Host ID Privilege List tab active, click New.

In the New dialog box, configure the corresponding options.

Host ID: Type the host ID into the Host ID box.

Shared Host: Select the Enable check box to make it a shared host. By default, this check box
is selected.

4. Click OK to save the settings.

Importing/Exporting Host Binding List

To import the host binding list, take the following steps:

1. Select Network > VPN > SSL VPN.

2. At the top right corner, click Host Compliance Binding to visit the Host Compliance Binding
page.

3. With the Binding and Unbinding tab active, click Import.

4. Click Browse to find the binding list file and click Upload.

To export the host binding list, take the following steps:

1. Select Network > VPN > SSL VPN.

2. At the top right corner, click Host Compliance Binding to visit the Host Compliance Binding
page.

3. With the Binding and Unbinding tab active, click Export.

4. Select a path to save the host binding list.
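The host binding decision described in this section (a user-host ID entry is looked up before credentials are checked, the first login host can be recorded automatically, super users and shared hosts are exempt, and the preapproved number caps how many hosts are recorded automatically per user) modelled as a small policy class. This is an added example and not StoneOS code: the class, its field names, the (user, host ID) pairs and the sample users and host IDs are this example's own assumptions; the appliance keeps its lists internally and edits them through the WebUI pages above.

```python
"""Model of the SSL VPN host-binding decision described in this section.

Added example, not StoneOS code. The class, field names and the
(user, host_id) pair representation are this example's assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class HostBindingPolicy:
    # Host Binding List: user -> host IDs that user may log in from.
    bindings: dict = field(default_factory=dict)
    # Host Unbinding List: (user, host_id) pairs that were refused.
    unbinding: set = field(default_factory=set)
    # User Privilege List: users with Super User enabled.
    super_users: set = field(default_factory=set)
    # User Privilege List: Preapproved Number per user (default 1).
    preapproved: dict = field(default_factory=dict)
    # Host ID Privilege List: host IDs with Shared Host enabled.
    shared_hosts: set = field(default_factory=set)
    # Whether the first login from a new host is recorded automatically.
    auto_bind: bool = True

    def check(self, user: str, host_id: str) -> bool:
        """Host-binding stage of a login. True means the server goes on
        to verify the username and password; False means the connection
        is dropped before credentials are checked."""
        # Super users and shared hosts are exempt from host binding.
        if user in self.super_users or host_id in self.shared_hosts:
            return True
        bound = self.bindings.setdefault(user, set())
        if host_id in bound:
            return True
        # Unknown host: bind it automatically while the user still has
        # preapproved slots, otherwise park it in the unbinding list.
        if self.auto_bind and len(bound) < self.preapproved.get(user, 1):
            bound.add(host_id)
            return True
        self.unbinding.add((user, host_id))
        return False

    def bind(self, user: str, host_id: str) -> None:
        """Administrator action: move an entry from the unbinding list
        to the binding list (the Add button)."""
        self.unbinding.discard((user, host_id))
        self.bindings.setdefault(user, set()).add(host_id)

    def unbind(self, user: str, host_id: str) -> None:
        """Administrator action: remove an entry from the binding list
        (the Unbinding button)."""
        self.bindings.get(user, set()).discard(host_id)


def demo() -> dict:
    """Constructed scenario: a default user, a user with Preapproved
    Number 2, a super user and a shared host (all names are made up)."""
    policy = HostBindingPolicy(super_users={"admin"},
                               preapproved={"bob": 2},
                               shared_hosts={"KIOSK-01"})
    results = {
        "alice first host": policy.check("alice", "H-A1"),   # auto-bound
        "alice second host": policy.check("alice", "H-A2"),  # refused
        "bob first host": policy.check("bob", "H-B1"),
        "bob second host": policy.check("bob", "H-B2"),      # 2 slots
        "bob third host": policy.check("bob", "H-B3"),       # refused
        "admin anywhere": policy.check("admin", "H-X"),
        "alice on shared host": policy.check("alice", "KIOSK-01"),
    }
    # The administrator reviews the unbinding list and approves alice's laptop.
    policy.bind("alice", "H-A2")
    results["alice second host after approval"] = policy.check("alice", "H-A2")
    results["unbinding list"] = sorted(policy.unbinding)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of checks matters: the exemption for super users and shared hosts is tested first, so those logins never create binding entries, and a refused login is recorded in the unbinding list so an administrator can later approve it with Add, which is what `bind` models.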

Host Compliance Check
The host compliance check function checks the security status of the hosts running SSL VPN
clients. Based on the check result, the SSL VPN server determines a security level for each
host and grants resource access rights according to that level. It is a way to raise the
security of SSL VPN connections. The checked factors include the operating system, the IE
version, and the installation of specific software. The factors the SSL VPN server can check
are listed below:

Operating system:

- Operating system, e.g., Windows 2000, Windows 2003, Windows XP, Windows Vista, Windows 7,
  Windows 8, etc.
- Service pack version, e.g., Service Pack 1
- Windows patch, e.g., KB958215, etc.
- Whether the Windows Security Center and Automatic Updates are enabled.
- Whether AV software must be installed, and whether its real-time monitor and automatic
  signature database update are enabled.
- Whether anti-spyware must be installed, and whether its real-time monitor and online
  signature database update are enabled.
- Whether a personal firewall is installed, and whether its real-time protection is enabled.

IE: Whether the IE version and security level meet the specified requirements.

Other configurations:

- Whether the specified processes are running.
- Whether the specified services are installed.
- Whether the specified services are running.
- Whether the specified registry key values exist.
- Whether the specified files exist in the system.

Role Based Access Control and Host Compliance Check Procedure

Role Based Access Control (RBAC) means that a user's permissions are determined not by the
user name but by the user's role. The resources a user can access after login are determined
by the corresponding role, so the role is the bridge between the user and the permissions.

The SSL VPN host checking function supports RBAC, and the host checking procedure introduces
the concepts of a primary role and a guest role. The primary role determines which host
compliance check profile (containing the host checking items and the security level) is
applied to the user, and what access permissions the user has after passing the host check.
The guest role determines the access permissions for users who fail the host check.

The host compliance check procedure is as follows:

1. The SSL VPN client sends a connection request and passes authentication.

2. The SSL VPN server sends the host checking profile to the client.

3. The client checks the host security status against the items in the host checking profile.

4. The client sends the checking result back to the server.

5. The server either disconnects a client that failed the check or grants it the guest role's
access permissions.

The host compliance check function also supports dynamic access permission control. On one
hand, when the client's security status changes, the server sends a new host checking profile
to the client so that it re-checks; on the other hand, the client can perform security checks
periodically. For example, if the AV software is disabled and the host check detects this, the
role assigned to the client may change, and with it the access permissions.

Note that in steps 3 and 4 the checks run on the client and the result is reported by the
client, so the host compliance check is an endpoint hygiene control that complements, rather
than replaces, user authentication and per-role access policy.

Configuring a Host Compliance Check Profile

To configure a host compliance check profile, take the following steps:

1. Select Network > VPN > SSL VPN.

2. At the top right corner, click Configuration, and select Host Compliance Check from the
drop-down list to visit the Host Compliance Check page.

3. In the Host Compliance Check tab, click New to create a new host checking rule.

In the Basic Configuration tab, configure the corresponding options.

Name: Specifies the name of the host checking profile.

OS Version: Specifies whether to check the OS version on the client host. Click one of the
following options:

- No Check: Do not check the OS version.
- Must Match: The OS version running on the client host must be the same as the version
  specified here. Select the OS version and service pack version from the drop-down lists
  respectively.
- At Least: The OS version running on the client host must not be lower than the version
  specified here. Select the OS version and service pack version from the drop-down lists
  respectively.

Patch1/2/3/4/5: Specifies a patch that must be installed on the client host. Type the patch
name into the box. Up to 5 patches can be specified.

Lowest IE Version: Specifies the lowest IE version in the Internet zone on the client host.
The IE version running on the client host must not be lower than the version specified here.

Lowest IE Security Level: Specifies the lowest IE security level on the client host. The IE
security level on the host must not be lower than the level specified here.
In the Advanced Configuration tab, configure the corresponding options.

Security Center: Checks whether the security center is enabled on the client host.

Auto Update: Checks whether the Windows auto update function is enabled.

Anti-Virus Software: Checks the status and configuration of the anti-virus software:

- Installed: The client host must have the AV software installed.
- Monitor: The client host must have the real-time monitor of the AV software enabled.
- Virus Signature DB Update: The client host must have the signature database online update
  function enabled.

Anti-Spyware Software: Checks the status and configuration of the anti-spyware software:

- Installed: The client host must have the anti-spyware installed.
- Monitor: The client host must have the real-time monitor of the anti-spyware enabled.
- Signature DB Update: The client host must have the signature database online update
  function enabled.

Firewall: Checks the status and configuration of the firewall:

- Installed: The client host must have the personal firewall installed.
- Monitor: The client host must have the real-time monitor function of the personal firewall
  enabled.

Registry Key Value

Key1/2/3/4/5: Checks whether the key value exists. Up to 5 key values can be configured. The
check types are:

- No Check: Do not check the key value.
- Exist: The client host must have the key value. Type the value into the box.
- Do not Exist: The client host must not have the key value. Type the value into the box.

File Path Name

File1/2/3/4/5: Checks whether the file exists. Up to 5 files can be configured. The check
types are:

- No Check: Do not check the file.
- Exist: The client host must have the file. Type the path into the box.
- Do not Exist: The client host must not have the file. Type the path into the box.

Name of Running Process

Process1/2/3/4/5: Checks whether the process is running. Up to 5 processes can be configured.
The check types are:

- No Check: Do not check the process.
- Exist: The process must be running on the client host. Type the process name into the box.
- Do not Exist: The process must not be running on the client host. Type the process name
  into the box.

Name of Installed Service

Service1/2/3/4/5: Checks whether the service is installed. Up to 5 services can be
configured. The check types are:

- No Check: Do not check the service.
- Exist: The client host must have the service installed. Type the service name into the box.
- Do not Exist: The client host must not have the service installed. Type the service name
  into the box.

Name of Running Service

Service1/2/3/4/5: Checks whether the service is running. Up to 5 services can be configured.
The check types are:

- No Check: Do not check the service.
- Exist: The service must be running on the client host. Type the service name into the box.
- Do not Exist: The service must not be running on the client host. Type the service name
  into the box.

4. Click OK to save the settings.
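An evaluator for a profile of the kind configured above, covering both the check procedure (the client evaluates the profile items and reports pass or fail, the server then assigns the primary or guest role or disconnects) and the dynamic re-check described in the earlier procedure section (the same host re-evaluated after its AV monitor is switched off moves to the guest role). This is an added example and not StoneOS code: the Profile and HostReport structures, the check-type strings "no_check", "exist" and "not_exist", the (version, service pack) tuples, the patch, process and service names and the role names are all this example's assumptions, constructed for the demonstration.

```python
"""Evaluator for a host compliance check profile and the primary/guest
role decision.

Added example, not StoneOS code. The Profile and HostReport structures,
the check-type strings, the version tuples and the sample names are this
example's assumptions. On the real product the client runs the checks
against the profile it receives and reports the result; the server then
assigns the primary or guest role.
"""
from dataclasses import dataclass, field


@dataclass
class Profile:
    """A host compliance check profile, mirroring the WebUI options."""
    name: str
    os_check: str = "no_check"          # "no_check" | "must_match" | "at_least"
    os_version: tuple = (0, 0)          # (Windows version, service pack), assumed encoding
    patches: list = field(default_factory=list)   # Patch1..5, all required
    lowest_ie_version: int = 0
    av_installed: bool = False
    av_monitor: bool = False
    # name -> "no_check" | "exist" | "not_exist" for the advanced items
    registry_keys: dict = field(default_factory=dict)
    files: dict = field(default_factory=dict)
    processes: dict = field(default_factory=dict)
    services_installed: dict = field(default_factory=dict)
    services_running: dict = field(default_factory=dict)


@dataclass
class HostReport:
    """What the client found on the host (constructed for this example)."""
    os_version: tuple
    patches: set
    ie_version: int
    av_installed: bool
    av_monitor: bool
    registry_keys: set
    files: set
    processes: set
    services_installed: set
    services_running: set


def _presence_failures(rules: dict, present: set, kind: str) -> list:
    """Apply Exist / Do not Exist rules to the names the host reported."""
    failures = []
    for name, mode in rules.items():
        if mode == "exist" and name not in present:
            failures.append(f"{kind} missing: {name}")
        elif mode == "not_exist" and name in present:
            failures.append(f"{kind} forbidden: {name}")
    return failures


def evaluate(profile: Profile, report: HostReport) -> list:
    """Return the failed items; an empty list means the host passed."""
    failures = []
    if profile.os_check == "must_match" and report.os_version != profile.os_version:
        failures.append("os version must match")
    elif profile.os_check == "at_least" and report.os_version < profile.os_version:
        failures.append("os version too old")
    failures += [f"patch missing: {p}" for p in profile.patches if p not in report.patches]
    if report.ie_version < profile.lowest_ie_version:
        failures.append("ie version too old")
    if profile.av_installed and not report.av_installed:
        failures.append("av not installed")
    if profile.av_monitor and not report.av_monitor:
        failures.append("av real-time monitor disabled")
    failures += _presence_failures(profile.registry_keys, report.registry_keys, "registry key")
    failures += _presence_failures(profile.files, report.files, "file")
    failures += _presence_failures(profile.processes, report.processes, "process")
    failures += _presence_failures(profile.services_installed, report.services_installed, "service")
    failures += _presence_failures(profile.services_running, report.services_running, "running service")
    return failures


def assign_role(profile: Profile, report: HostReport, primary: str, guest=None):
    """Primary role on pass; guest role on failure; None means the server
    disconnects the client because no guest role is configured."""
    return primary if not evaluate(profile, report) else guest


def sample_profile() -> Profile:
    """Constructed profile: Windows 7 SP1 or newer, one patch, IE 8+, AV with
    real-time monitor, an EDR process present, a forbidden process absent,
    and the Security Center service running (all names are made up)."""
    return Profile(name="corp-laptop", os_check="at_least", os_version=(7, 1),
                   patches=["KB958215"], lowest_ie_version=8,
                   av_installed=True, av_monitor=True,
                   processes={"edr_agent.exe": "exist", "torrent.exe": "not_exist"},
                   services_running={"wscsvc": "exist"})


def sample_report(av_monitor: bool = True) -> HostReport:
    """Constructed client report; av_monitor=False models the AV monitor
    being switched off between two periodic checks."""
    return HostReport(os_version=(10, 0), patches={"KB958215"}, ie_version=11,
                      av_installed=True, av_monitor=av_monitor,
                      registry_keys=set(), files=set(),
                      processes={"edr_agent.exe", "explorer.exe"},
                      services_installed={"wscsvc"}, services_running={"wscsvc"})
```

Usage: `assign_role(sample_profile(), sample_report(), "employee", "guest")` yields the primary role, and the same call with `sample_report(av_monitor=False)` yields the guest role, which is the role change the dynamic access control paragraph describes; with no guest role configured the function returns None, the disconnect case of step 5.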

SSL VPN Client for Windows
The SSL VPN client for Windows is named Hillstone Secure Connect. Hillstone Secure Connect
runs on Windows 7, Windows 8.1, Windows 10, and Windows 11. Once a connection has been
established, encrypted data is transmitted between the SSL VPN client and the SSL VPN server.
The functions of the client are:

- Get the interface and route information of the PC on which the client is running.
- Show the connection status, statistics, interface information, and route information.
- Show SSL VPN log messages.
- Upgrade the client software.
- Resolve the resource list information received from the server.

The system supports IPv4 and IPv6 SSL VPN Windows clients.

This section mainly describes how to download, install, start, and uninstall the SSL VPN
client, and its GUI and menu. The SSL VPN server supports the following authentication
methods:

- Username/Password
- Username/Password + Digital Certificate
- Digital Certificate only

Downloading and Installing Secure Connect

When using the SSL VPN client for the first time, you need to download and install the client
software, Hillstone Secure Connect. To download and install it, take the following steps:

1. Visit the following URL with a web browser: https://IP-Address:Port-Number. In the URL,
IP-Address and Port-Number refer to the IP address and HTTPS port number of the egress
interface specified in the SSL VPN instance.

2. In the SSL VPN download page (shown in Figure 1), click Download to download the client
software scvpn.exe, and then double-click it to install.

Because the installer is fetched from the gateway's own HTTPS portal, make sure the browser
trusts the gateway's certificate before downloading; an installer downloaded past a
certificate warning cannot be trusted.

A virtual network adapter is installed on your PC together with Secure Connect. It is used to
transmit encrypted data between the SSL VPN server and the client.

Starting Secure Connect

This section describes how to start Secure Connect directly for each of the three
authentication methods that can be configured on the server.

Starting the Software Based on TLS/SSL Protocol

For Username/Password + Digital Certificate authentication, the digital certificate can be
either the USB Key certificate provided by the vendor or the file certificate provided by the
administrator.

The starting modes based on the TLS/SSL protocol are as follows:

- Username/Password
- Username/Password + USB Key Certificate
- Username/Password + File Certificate
- USB Key Certificate Only
- File Certificate Only

Using Username/Password Authentication

When Username/Password authentication is configured on the server, to start Secure Connect
directly, take the following steps:

1. On your PC, double-click the Hillstone Secure Connect shortcut on your desktop.

2. In the Login dialog box, click Mode. In the Login Mode dialog box, in the TLS/SSL section,
click Username/Password, and then click OK.

3. In the Login dialog box of the Username/Password authentication mode (shown in Figure 7),
configure the options to log in.

Saved Connection: Provides the connection information you have entered before. Select a
connection from the drop-down list.

Server: Enter the IP address of the SSL VPN server.

Port: Enter the HTTPS port number of the SSL VPN server.

Username: Enter the name of the login user.

Password: Enter the password of the login user. If the local authentication server is
configured on the device, the username and password must already exist on the device.

Figure 10-1

4. Click Login. If SMS authentication is enabled, type the authentication code into the box in
the SMS Auth dialog box and click Verify. If you have not received the authentication code
within one minute, you can request it again by clicking Reapply.

5. If token authentication is enabled on the SSL VPN server, the Token Authentication dialog
box appears. Type the authentication code and click Authenticate. If you have not received the
authentication code within one minute, you can request it again.

6. If Email authentication is enabled on the SSL VPN server, the Email Authentication dialog
box appears. Type the authentication code and click Authenticate. If you have not received the
authentication code within one minute, you can request it again.

The following limits apply to the token and Email authentication codes:

- After passing the primary authentication, you have three attempts to enter the
  authentication code. Three incorrect codes in succession disconnect the connection
  automatically.

- You can request the authentication code up to three times, at intervals of one minute.
  Requesting a new code voids the previous one, so you must enter the latest code to pass the
  authentication.

After these steps, the client connects to the server automatically. Once the connection has
been established, the Secure Connect icon is displayed in the notification area and encrypted
communication between the client and server is available.

Using Username/Password + USB Key Certificate Authentication

When Username/Password + Digital Certificate authentication with a USB Key certificate is
configured on the server, to start Secure Connect directly, take the following steps:

1. Insert the USB Key into a USB port of the PC.

2. On your PC, double-click the Hillstone Secure Connect shortcut on your desktop.

3. In the Login dialog box, click Mode. In the Login Mode dialog box, in the TLS/SSL section,
click Username/Password + Digital Certificate and, if necessary, click Select Cert. In the
Select Certificate dialog box, select a USB Key certificate. If the USB Key certificate is not
listed, click Update. The client sends the selected certificate to the server for
authentication. Finally, click OK.

4. In the Login dialog box of the Username/Password + Digital Certificate authentication mode,
configure the options to log in.

5. Click Login. If SMS authentication is enabled, type the authentication code into the box in
the SMS Auth dialog box and click Verify. If you have not received the authentication code
within one minute, you can request it again by clicking Reapply.

6. If token authentication is enabled on the SSL VPN server, the Token Authentication dialog
box appears. Type the authentication code and click Authenticate. If you have not received the
authentication code within one minute, you can request it again.

7. If Email authentication is enabled on the SSL VPN server, the Email Authentication dialog
box appears. Type the authentication code and click Authenticate. If you have not received the
authentication code within one minute, you can request it again.

The following limits apply to the token and Email authentication codes:

- After passing the primary authentication, you have three attempts to enter the
  authentication code. Three incorrect codes in succession disconnect the connection
  automatically.

- You can request the authentication code up to three times, at intervals of one minute.
  Requesting a new code voids the previous one, so you must enter the latest code to pass the
  authentication.

After these steps, the client connects to the server automatically. Once the connection has
been established, the Secure Connect icon is displayed in the notification area and encrypted
communication between the client and server is available.

Using Username/Password + File Certificate Authentication

When Username/Password + Digital Certificate authentication with a file certificate is
configured on the server, to start Secure Connect directly, take the following steps:

1. Import the file certificate provided by the administrator manually.

2. On your PC, double-click the Hillstone Secure Connect shortcut on your desktop.

3. In the Login dialog box, click Mode. In the Login Mode dialog box, in the TLS/SSL section,
click Username/Password + Digital Certificate and, if necessary, click Select Certificate. In
the Select Certificate dialog box, select a file certificate. If the file certificate is not
listed, click Update. The client sends the selected certificate to the server for
authentication. Finally, click OK.

4. In the Login dialog box of the Username/Password + Digital Certificate authentication mode,
configure the options to log in.

5. Click Login. If SMS authentication is enabled, type the authentication code into the box in
the SMS Auth dialog box and click Verify. If you have not received the authentication code
within one minute, you can request it again by clicking Reapply.

6. If token authentication is enabled on the SSL VPN server, the Token Authentication dialog
box appears. Type the authentication code and click Authenticate. If you have not received the
authentication code within one minute, you can request it again.

7. If Email authentication is enabled on the SSL VPN server, the Email Authentication dialog
box appears. Type the authentication code and click Authenticate. If you have not received the
authentication code within one minute, you can request it again.

The following limits apply to the token and Email authentication codes:

- After passing the primary authentication, you have three attempts to enter the
  authentication code. Three incorrect codes in succession disconnect the connection
  automatically.

- You can request the authentication code up to three times, at intervals of one minute.
  Requesting a new code voids the previous one, so you must enter the latest code to pass the
  authentication.

After these steps, the client connects to the server automatically. Once the connection has
been established, the Secure Connect icon is displayed in the notification area and encrypted
communication between the client and server is available.

Using USB Key Certificate Only

When Digital Certificate Only authentication with a USB Key certificate is configured on the
server, to start Secure Connect directly, take the following steps:

1. Insert the USB Key into a USB port of the PC.

2. On your PC, double-click the Hillstone Secure Connect shortcut on your desktop.

3. In the Login dialog box, click Mode. In the Login Mode dialog box, in the TLS/SSL section,
click Digital Certificate Only and, if necessary, click Select Certificate. In the Select
Certificate dialog box, select a USB Key certificate. If the USB Key certificate is not
listed, click Update. The client sends the selected certificate to the server for
authentication. Finally, click OK.

4. In the Login dialog box of the Digital Certificate Only authentication mode, configure the
options to log in.

5. After completing the above configuration, click Login.

After these steps, the client connects to the server automatically. Once the connection has
been established, the Secure Connect icon is displayed in the notification area and encrypted
communication between the client and server is available.

Using File Certificate Only

When Digital Certificate Only authentication with a file certificate is configured on the
server, to start Secure Connect directly, take the following steps:

1. Import the file certificate provided by the administrator manually.

2. On your PC, double-click the Hillstone Secure Connect shortcut on your desktop.

3. In the Login dialog box, click Mode. In the Login Mode dialog box, in the TLS/SSL section,
click Digital Certificate Only and, if necessary, click Select Certificate. In the Select
Certificate dialog box, select a file certificate. If the file certificate is not listed,
click Update. The client sends the selected certificate to the server for authentication.
Finally, click OK.

4. In the Login dialog box of the Digital Certificate Only authentication mode, configure the
options to log in.

5. After completing the above configuration, click Login.

After these steps, the client connects to the server automatically. Once the connection has
been established, the Secure Connect icon is displayed in the notification area and encrypted
communication between the client and server is available.

Starting the Software Based on GMSSL Protocol

GMSSL is the SSL VPN protocol variant based on China's national commercial cryptography (GM)
algorithms; its certificates are SM2 certificates held on a USB Token. The starting modes
based on the GMSSL protocol are as follows:

- Username/Password
- Username/Password + Digital Certificate
- Digital Certificate Only

Using Username/Password Authentication

To start the Secure Connect client software with Username/Password authentication over GMSSL,
take the following steps:

1. On your PC, double-click the Hillstone Secure Connect shortcut on your desktop.

2. In the Login dialog box, click Mode. In the Login Mode dialog box, in the GMSSL section,
click Username/Password, and then click OK.

3. In the Login dialog box of the Username/Password authentication mode, configure the options
to log in.

Saved Connection: Provides the connection information you have entered before. Select a
connection from the drop-down list.

Server: Enter the IP address of the SSL VPN server.

Port: Enter the HTTPS port number of the SSL VPN server.

Username: Enter the name of the login user.

Password: Enter the password of the login user.

After these steps, the client connects to the server automatically. Once the connection has
been established, the Secure Connect icon is displayed in the notification area and encrypted
communication between the client and server is available.

Using Username/Password + Digital Certificate Authentication

When Username/Password + Digital Certificate authentication with a USB Key certificate is
configured on the server, to start the Secure Connect software directly, take the following
steps:

1. Insert the USB Token into a USB port of the PC.

2. On your PC, double-click the Hillstone Secure Connect shortcut on your desktop.

3. In the Login dialog box, click Mode. In the Login Mode dialog box, in the GMSSL section,
click Username/Password + Digital Certificate and, if necessary, click Select GuoMi Cert. In
the Select Certificate dialog box, select a GM certificate. Finally, click OK.

4. In the Select Certificate dialog box, configure the following options.

Device: Select the current USB Token device name from the drop-down list.

Application: An application is a structure that contains a container, a device
authentication key, and a file. Select the application name from the drop-down list.

Container: A container is the unique storage space in the USB Token device that holds the
keys. It stores the encryption key pair, the encryption certificate corresponding to that key
pair, the signature key pair, and the signature certificate corresponding to that key pair.
Select the container name from the drop-down list.

Signature Certificate: Displays the name of the SM2 signature certificate in the specified
container.

Encryption Certificate: Displays the name of the SM2 encryption certificate in the specified
container.

5. In the Login dialog box of the Username/Password + Digital Certificate authentication mode,
configure the options to log in.

Saved Connection: Provides the connection information you have entered before. Select a
connection from the drop-down list.

Server: Enter the IP address of the SSL VPN server.

Port: Enter the HTTPS port number of the SSL VPN server.

Username: Enter the name of the login user.

Password: Enter the password of the login user.

USB Key PIN: Enter the PIN code of the USB Key (1111 by default). One USB Key corresponds to
exactly one PIN. Change the default PIN before the USB Key is issued to a user.

After these steps, the client connects to the server automatically. Once the connection has
been established, the Secure Connect icon is displayed in the notification area and encrypted
communication between the client and server is available.

Using Digital Certificate Only Authentication

When Digital Certificate Only authentication with a GM certificate on a USB Token is
configured on the server, to start the Secure Connect software directly, take the following
steps:

1. Insert the USB Token into a USB port of the PC.

2. On your PC, double-click the Hillstone Secure Connect shortcut on your desktop.

3. In the Login dialog box, click Mode. In the Login Mode dialog box, in the GMSSL section,
click Digital Certificate Only and, if necessary, click Select GuoMi Cert. In the Select
Certificate dialog box, select a GM certificate. Finally, click OK.

4. In the Select Certificate dialog box, configure the following options.

Device: Select the current USB Token device name from the drop-down list.

Application: An application is a structure that contains a container, a device
authentication key, and a file. Select the application name from the drop-down list.

Container: A container is the unique storage space in the USB Token device that holds the
keys. It stores the encryption key pair, the encryption certificate corresponding to that key
pair, the signature key pair, and the signature certificate corresponding to that key pair.
Select the container name from the drop-down list.

Signature Certificate: Displays the name of the SM2 signature certificate in the specified
container.

Encryption Certificate: Displays the name of the SM2 encryption certificate in the specified
container.

5. In the Login dialog box of the Digital Certificate Only authentication mode, configure the
options to log in.

Saved Connection: Provides the connection information you have entered before. Select a
connection from the drop-down list.

Server: Enter the IP address of the SSL VPN server.

Port: Enter the HTTPS port number of the SSL VPN server.

USB Key PIN: Enter the PIN code of the USB Key (1111 by default). One USB Key corresponds to
exactly one PIN. Change the default PIN before the USB Key is issued to a user.

6. After completing the above configuration, click Login.

After these steps, the client connects to the server automatically. Once the connection has
been established, the Secure Connect icon is displayed in the notification area and encrypted
communication between the client and server is available.

Viewing Secure Connect GUI

Double-click the Secure Connect icon in the notification area, and the Network Information
dialog box appears. This dialog box shows information about statistics, interfaces, and
routes.

General

Descriptions of the options on the General tab:

Address Information
  Server: The IP address of the connected SSL VPN server.
  Client: The IP address of the client.

Crypto Suite
  Cipher: The encryption algorithm and authentication algorithm used by SSL VPN.
  Version: The SSL version used by SSL VPN.

Connection Status
  Status: The current connection status between the client and server. The possible statuses
  are: connecting, connected, disconnecting, and disconnected.

IPCompress
  Algorithm: Shows the compression algorithm used by SSL VPN.

Tunnel Packets
  Sent: The number of packets sent through the SSL VPN tunnel.
  Received: The number of packets received through the SSL VPN tunnel.

Tunnel Bytes
  Sent: The number of bytes sent through the SSL VPN tunnel.
  Received: The number of bytes received through the SSL VPN tunnel.

Connected Time
  Duration: Shows the time period during which the client has been online.

Compress Ratio
  Sent: Shows the length ratio of sent data after compression.
  Received: Shows the length ratio of received data after compression.

Interface

Descriptions of the options on the Interface tab:

Option    Description
Adapter Name    The name of the adapter used to send SSL VPN encrypted data.
Adapter Type    The type of the adapter used to send SSL VPN encrypted data.
Adapter Status    The status of the adapter used to send SSL VPN encrypted data.
Physical Address    The MAC address of the interface used to send SSL VPN encrypted data.
IP Address Type    The type of the interface address used to send SSL VPN encrypted data.
Network Address    The IP address (allocated by the SSL VPN server) of the interface used to send SSL VPN encrypted data.
Subnet Mask    The subnet mask of the interface used to send SSL VPN encrypted data.
Default Gateway    The gateway address of the interface used to send SSL VPN encrypted data.
DNS Server Address    The DNS server addresses used by the client.
WINS Address    The WINS server addresses used by the client.

Route

Description of the option on the Route tab:

Option    Description
Local LAN Routes    The routes used by the virtual network adapter.

Viewing Secure Connect Menu

Right-click the Secure Connect icon ( ) in the notification area and the menu appears.

Descriptions of the menu items are as follows:

Option    Description
Network Information    Displays the related information in the Network Information dialog box.
Log    Shows Secure Connect log messages in the Log dialog box. This dialog box shows the main log messages. To view the detailed log messages, click Detail. Click Clear to remove the messages in the dialog box. Click OK to close the Log dialog box.
Debug    Configures Secure Connect's debug function in the Debug dialog box.
About    Shows Secure Connect related information in the About dialog box.
Connect    When Secure Connect is disconnected, click this menu item to connect.
Disconnect    When Secure Connect is connected, click this menu item to disconnect.
Option    Configures Secure Connect options, including login information, auto start, auto login, and so on. For more information, see "Configuring Secure Connect" on Page 509.
Exit    Click Exit to exit the client. If the client is connected to the server, the connection will be disconnected.

Configuring Secure Connect

You can configure Secure Connect in the Secure Connect Options dialog box (click Option from
the client menu). The configurations include:

l Configuring General Options

l Configuring a Login Entry

Configuring General Options

In the Secure Connect Options dialog box, select General from the navigation pane and the general
options will be displayed.
Descriptions of the options:

Option    Description
Auto Start    Select this check box to run the SSL VPN client automatically when the PC is started.
Auto Login    Select this check box to allow the specified user to log in automatically when the PC is started. Select the auto login user from the Default Connection drop-down list.
Auto Reconnect    Select this check box to allow the client to reconnect to the SSL VPN server automatically after an unexpected disconnection.
Communication stability optimization    Select this check box to specify the TCP protocol to transmit data. Note: The TCP port also needs to be configured on the server.
Select Cert    Click the button to select a USB Key certificate in the Select Certificate dialog box. This option is available when USB KEY authentication is enabled.

Configuring a Login Entry

A login entry contains the login information for clients. The configured login entries are dis-
played in the Saved Connection drop-down list in the Login dialog box. You can log in by simply
choosing the preferred connection instead of filling in the options in the Login dialog box.
To add a login entry, take the following steps:

1. In the Secure Connect Options dialog box, select Saved Connection from the navigation
pane and the login options will be displayed.

In the dialog box, configure the corresponding options.

Option    Description
Connection Name    Specifies a name that identifies the connection. If this option is left blank, the system automatically assigns a name based on the connection's server, port, and user.
Server    Specifies the IP address of the SSL VPN server.
Port    Specifies the HTTPS port number of the SSL VPN server.
Username    Specifies the login user.
Login Mode    Specifies the login mode. It can be one of the following options:
    l Password (the username/password authentication method). If Password is selected, select Remember Password to make the system remember the password, and type the password into the Password box.
    l Password + UKey (the USB KEY authentication method). If Password + UKey is selected, select Remember PIN to make the system remember the PIN, and type the PIN into the UKey PIN box.
Proximity Auto Detection    Select the option to enable the optimal path detection function. For more information about optimal path detection, see "Configuring an SSL VPN" on Page 445.

2. Click Apply.

SSL VPN Client for Android
The SSL VPN client for Android is Hillstone Secure Connect. It can run on Android
8.x/Android 9.x/Android 10.x/Android 11/HongmengOS 2.0. The functions of Hillstone
Secure Connect include the following items:

l Obtain the interface information of the Android OS.

l Display the connection status with the device, traffic statistics, interface information, and rout-
ing information.

l Display the log information of the application.

Downloading and Installing the Client

To download and install the client, take the following steps:

1. Visit https://www.hillstonenet.com/more/services/product-downloads/ to download the
installation file of the client.

2. Use your mobile phone to scan the QR code of the client for Android at the right sidebar,
and the URL of the client displays.

3. Open the URL and download the Hillstone-Secure-Connect-Version_Number.apk file.

4. After downloading successfully, find this file in your mobile phone.

5. Click it and the installation starts.

6. Read the permission requirements.

7. Click Install.

After the client is installed successfully, the icon of Hillstone Secure Connect appears on the
desktop as shown below:

Starting and Logging into the Client

To start and log into the client, take the following steps:

1. Click the icon of Hillstone Secure Connect. The login page appears.

2. Provide the following information and then click Login.

l Please Choose: Select a login entry. A login entry stores the login information and
facilitates your next login. For more information on login entries, see the Configuration
Management section below.

l Server: Enter the IP address or the server name of the device that acts as the VPN
server.

l Port: Enter the HTTPS port number of the device.

l Username: Enter the username for logging into the VPN.

l Password: Enter the corresponding password.

3. If SMS authentication is enabled on the SSL VPN server, the SMS authentication page will
appear. On this page, enter the received authentication code and then submit it. If you do
not receive the authentication code, you can request it again after one minute.

4. If token authentication is enabled on the SSL VPN server, the token Authentication dialog
will appear. Type the authentication code and click Submit. If you have not received the
authentication code within one minute, you can re-apply.

5. If Email authentication is enabled on the SSL VPN server, the Email Authentication dialog
will appear. Type the authentication code and click Submit. If you have not received the
authentication code within one minute, you can re-apply.

After the client connects to the SSL VPN server, the key icon ( ) will appear in the noti-
fication area of your Android system.

GUI

After the client connects to the SSL VPN server, you can view the following pages: Connection
Status page, Configuration Management page, Connection Log page, System Configuration page,
and About Us page.

Connection Status

Click Status at the bottom of the page to enter into the Connection Status page and it displays the
statistics and routing information:

l The Connection Time: Time period during which the client is online.

l Received Bytes: Shows the received bytes through the SSL VPN tunnel.

l Sent Bytes: Shows the sent bytes through the SSL VPN tunnel.

l Server: Shows the IP address or the server name of the device that client connects to.

l Port: Shows the HTTPS port number of the device.

l Account: Shows the username that logs into the VPN instance.

l Private Server Address: Shows the interface’s IP address of the device that the client con-
nects to.

l Client Private Address: Shows the IP address of the interface. This interface transmits the
encrypted traffic and this IP address is assigned by the SSL VPN server.

l Address Mask: Shows the netmask of the IP address of the interface. This interface transmits
the encrypted traffic.

l DNS Address: Shows the DNS Address used by the client.

l Routing Information: Shows the routing information for transmitting encrypted data.

l Disconnect Connection: Click this button to disconnect the current connection with the
server.

Configuration Management

Click VPN at the bottom of the page to enter into the Configuration Management page. In this
page, you can perform the following operations:

l Add/Edit/Delete a login entry

l Modify the login password

l Disconnect the connection with SSL VPN server

l Connect to the SSL VPN server

Adding a Login Entry

To facilitate the login process, you can add a login entry that stores the login information. The
added login entry will display in the drop-down list of Please Choose in the login page. You can
select a login entry and the login information will be filled in automatically.
To add a login entry, take the following steps:

1. In the Configuration Management page, click the icon at the top-right corner.

2. In the pop-up window, enter the following information:

a. Connection Name: Enter a name as an identifier for this login entry.

b. Server: Enter the IP address or the server name of the device that acts as the VPN
server.

c. Port: Enter the HTTPS port number of the device.

d. Username: Enter the username for logging into the VPN.

3. Click Confirm to save this login entry.

Editing a Login Entry

To edit a login entry, take the following steps:

1. In the login entry list, click the one that you want to edit and several buttons will appear.

2. Click Edit to make the Edit Configuration dialog box appear.

3. In the dialog box, edit the login entry.

4. Click Confirm to save the modifications.

Deleting a Login Entry

To delete a login entry, take the following steps:

1. In the login entry list, click the one that you want to delete and several buttons will appear.

2. Click Delete.

3. Click Yes in the pop-up dialog box to delete this login entry.

Modifying the Login Password

To modify the login password, take the following steps:

1. In the login entry list, click the one whose password you want to modify, and several but-
tons will appear.

2. Click Modify Password.

3. Enter the current password and new password in the pop-up dialog box.

4. Click Confirm to save the settings.

Disconnecting the Connection or Logging into the Client

To disconnect the connection or log into the client, take the following steps:

1. In the login entry list, click a login entry and several buttons will appear.

2. If the connection status to this server is disconnected, you can click Login to log into the
client; if the connection status is connected, you can click Disconnect Connection to dis-
connect the connection.

3. In the pop-up dialog box, confirm your operation.

Connection Log

Click Log at the bottom of the page to enter the Connection Log page. On this page, you
can view the logs.

System Configuration

Click Config at the bottom of the page to enter into the System Configuration page. In this page,
you can configure the following options:

l Auto Reconnect: After turning on this switch, the client will automatically reconnect to the
server if the connection is disconnected unexpectedly.

l Show Notify: After turning on this switch, the client icon will display in the notification area.

l Allow To Sleep: After turning on this switch, the client can stay connected while the Android
system is in the sleep status. With this switch turned off, the client might disconnect the con-
nection and cannot stay connected for a very long time while the Android system is in the
sleep status.

l Auto Login: After turning on this switch, the client will automatically connect to the server
when it starts. The server is the one that the client connects to the last time.

l Remember The Password: After turning on this switch, the client will remember the password
and automatically fill it in for the login entry.

l Exit: Click Exit to exit this application.

About Us

Click About at the bottom of the page to enter the About Us page. This page displays the version
information, contact information, copyright information, etc.

SSL VPN Client for iOS
The SSL VPN client for iOS is called Hillstone Access Connect and it supports iOS 12.x/iOS
13.x/iOS 14.x/iOS 15.x versions. Hillstone Access Connect mainly has the following functions:

l Simplify the VPN creation process between the Apple device and the Hillstone device

l Display the VPN connection status between the Apple device and the Hillstone device

l Display the log information

To use the SSL VPN client for iOS, download and install the Hillstone Access Connect app from
the App Store.

Deploying VPN Configurations

For the first-time logon, you need to deploy the VPN configurations, as shown below:

1. Click the HSAccess icon located at the desktop of iOS. The login page of HSAccess
appears.

2. In the login page, specify the following information and then click Login.

l Connection: Enter a name for this newly created connection instance.

l Server: Enter the IP address or the server name of the device that acts as the VPN
server.

l Port: Enter the HTTPS port number of the device.

l Username: Enter the username for logging into the VPN.

l Password: Enter the corresponding password.

3. If SMS authentication is enabled on the SSL VPN server, the SMS authentication page will
appear. Enter the received authentication code and then confirm it. If you do not receive
the authentication code, you can request it again after one minute.

4. After logging into the VPN server successfully, the deployment process starts automatically.

5. In the Would Like to Add VPN Configurations page, click Allow.

6. Enter your passcode. The passcode is the one for unlocking your iOS screen. With the cor-
rect passcode entered, iOS starts to install the profile.

Connecting to VPN

After the VPN configuration deployment is finished, take the following steps to connect to VPN:

1. Start HSAccess.

2. In the login page, enter the required information. The values of these parameters should be
the ones that you specified in the section Deploying VPN Configurations above. If any of
the parameters changes, you need to re-deploy the VPN configuration.

3. Click Login. HSAccess starts to connect to the Hillstone device.

4. Start Settings of iOS and navigate to VPN.

5. In the VPN page, select the configuration that has the same name as the one you configured
in the section of Deploying VPN Configuration.

6. Click the VPN switch. iOS starts the VPN connection.

7. In this VPN page, when the Status value is Connected, it indicates the VPN between the
iOS device and the Hillstone device has been established.

Introduction to GUI

After logging into HBC, you can view the following pages: Connection Status, Connect, Log, and
About.

Connection Status

Click Status at the bottom of the page to enter into the Connection Status page and it displays the
statistics and routing information:

l The Connection Time: Time period during which the client is online.

l In Bytes: Shows the received bytes through the SSL VPN tunnel.

l Out Bytes: Shows the sent bytes through the SSL VPN tunnel.

l Server: Shows the IP address or the server name of the device that client connects to.

l Port: Shows the HTTPS port number of the device.

l Username: Shows the user name of the device.

l Server IP: Shows the interface’s IP address of the device that the client connects to.

l Assigned IP: Shows the IP address of the interface. This interface transmits the encrypted
traffic and this IP address is assigned by the SSL VPN server.

l Mask: Shows the netmask of the IP address of the interface. This interface transmits the
encrypted traffic.

l DNS Address: Shows the DNS Address used by the client.

l Route Info: Shows the routing information for transmitting encrypted data.

Configuration Management

Click VPN at the bottom of the page to enter into the Configuration Management page. In this
page, you can perform the following operations:

l Add a login entry

l Delete a login entry

l Disconnect the connection with SSL VPN server

l Enable/Disable the auto reconnection

Adding a Login Entry

To facilitate the login process, you can add a login entry that stores the login information. The
added login entry will be displayed in the Select drop-down list on the login page. You can select a
login entry and the login information will be filled in automatically.
To add a login entry, take the following steps:

1. In the Configuration Management page, click the + icon at the top-right corner.

2. In the pop-up window, enter the following information:

l Name: Enter a name as an identifier for this login entry.

l Server: Enter the IP address or the server name of the device that acts as the VPN
server.

l Port: Enter the HTTPS port number of the device.

l Username: Enter the username for logging into the VPN.

l Allow Sleep: After turning on this switch, the client can keep connected while the
iOS is in the sleep status. With this switch turned off, the client might disconnect the
connection and cannot keep connected for a long time while the iOS is in the sleep
status.

3. Click Confirm to save this login entry.

Deleting a Login Entry

To delete a login entry, take the following steps:

1. In the login entry list, click the one that you want to delete and several buttons display.

2. Click Delete.

3. Click Yes in the pop-up dialog to delete this login entry.

Disconnecting the Connection or Logging into the Client

To disconnect the connection or log into the client, take the following steps:

1. In the login entry list, click a login entry.

2. In the pop-up dialog, click Logout/Login to disconnect the connection or log into the cli-
ent.

Enabling/Disabling the Auto Reconnection

After turning on this switch, the client will automatically reconnect to the server if the con-
nection is disconnected unexpectedly.
To enable/disable the auto reconnection, take the following steps:

1. Enter the Configuration Management page.

2. Turn on or turn off the Auto Reconnect switch.

Connection Log

Click Log at the bottom of the page to enter into the Connection Log page and it displays the con-
nection log messages.

About Us

Click About at the bottom of the page to enter the About Hillstone page and it displays the
information of version, copyright, etc.

SSL VPN Client for macOS

The SSL VPN client for macOS is Hillstone Secure Connect. It can run on macOS 10.13/macOS
10.14/macOS 10.15/macOS 11.0/macOS 12.0 versions. The encrypted data can be transmitted
between the SSL VPN client and SSL VPN server after a connection has been established suc-
cessfully. The functions of the client are:

l Establish the SSL VPN connection with the SSL VPN server.

l Show the connection status, traffic statistics, and route information.

l Show log messages.

Downloading and Installing Client

Visit https://www.hillstonenet.com/more/services/product-downloads/ to download the
installation file of the client.
After downloading the installation file, double-click it. In the pop-up, drag SCVPN to Applic-
ations to perform the installation.

To open the installation file, you must have administrator permission and select Anywhere in
System Preferences > Security & Privacy > General > Allow apps downloaded from.

Starting Client and Establishing Connection

To start the client and establish the connection with the server side, take the following steps:

1. In macOS, select Launchpad > SCVPN. The client starts.

2. Click New. The Create connection profile window appears.

3. Provide the following information and then click OK.

l Name: Specify a name for this VPN connection.

l Description: Specify the description for this VPN connection.

l Server: Enter the IP address or the server name of the device that acts as the VPN
server.

l Port: Enter the HTTPS port number of the device.

l User name: Enter the login name.

l Password: Enter the corresponding password.

l Remember password: Select this check box to remember the password.

l GMSSL: Select this check box to use the GM SSL protocol.

4. Select the connection name in the connection list.

5. In the toolbar, click Connect. If you do not select Remember password in step 3, enter the
password in the pop-up and then click OK.

6. If token authentication is enabled on the SSL VPN server, the token Authentication dialog
will appear. Type the authentication code and click Submit. If you have not received the
authentication code within one minute, you can re-apply.

After the client connects to the SSL VPN server, the status bar displays Connection established.
Meanwhile, the notification area of the Mac displays the client icon. The encrypted data can be
transmitted between the SSL VPN client and SSL VPN server now.

GUI

The GUI of the client includes four areas: toolbar, connection list, connection information, and
status bar.

Toolbar

In the toolbar, you can perform the following actions:

l Connect: Select a connection from the connection list and then click Connect. The client
starts to establish the connection with server side.

l New: Create a new connection. For details, see Starting Client and Establishing Connection.

l Modify: Select a connection from the connection list and then click Modify. For details of
modifying the parameters, see Starting Client and Establishing Connection.

l Delete: Select a connection from the connection list and then click Delete to delete this con-
nection.

l Settings: Set to minimize the client when the connection is established and select whether to
check the update of the client when it starts.

l Cancel: Click this button to cancel the connection. When the client is connecting to the
server side, this button will display.

l Disconnect: Disconnect the current connection. After the connection is established, this but-
ton will display.

l Info: View the channel information and the route information of the current connection.
After the connection is established, this button displays.

Connection List

Displays all created connections.

Connection Information

When selecting a connection in the connection list, the connection information area displays the
corresponding information of this connection.
After establishing the connection, the connection information area displays the connection dur-
ation, server IP address, the IP assigned to the client, the number of packets sent/received
through the SSL VPN tunnel, and the bytes sent/received through the SSL VPN tunnel.

Status Bar

Displays the connection status.

Menu

The SCVPN item in the menu includes the following options:

l About SCVPN: Displays the information of this client.

l Quit SCVPN: Quit the client.

The Logging item in the menu includes the following options:

l View: View the logs.

l Level: Select the log level. When a lower level is selected in the menu, the displayed logs
include the logs of the upper levels. However, when an upper level is selected, the displayed
logs do not include the logs of the lower levels.

SSL VPN Client for Linux
The SSL VPN client for Linux is Hillstone Secure Connect. It can run on the following operating
systems:

l 64-bit desktop version of Ubuntu 14.04 (GNOME desktop);

l 64-bit desktop version of Ubuntu 16.04 (GNOME desktop);

l 64-bit desktop version of Ubuntu Kylin 16.04 (default desktop);

l 64-bit desktop version of CentOS 6.5 (GNOME desktop).

The encrypted data can be transmitted between the SSL VPN client and SSL VPN server after a
connection has been established successfully. The functions of the client are:

l Get interface and route information from the PC on which the client is running.

l Show the connection status, traffic statistics, and route information.

l Show log messages.

The following takes the 64-bit Ubuntu Kylin 16.04 desktop as an example to introduce downloading
and installing the client, starting the client and establishing a connection, upgrading and uninstalling
the client, and the client GUI and menu. The client configuration on the other three Linux systems
follows the 64-bit Ubuntu Kylin 16.04 desktop procedure.

Downloading and Installing Client

To download and install Hillstone Secure Connect, take the following steps:

1. Visit https://www.hillstonenet.com/more/services/product-downloads/ to download the
installation file of the client.

2. After downloading the installation file, right-click the client icon and select Properties to go
to the properties page.

3. In the properties page, click Permissions tab and check Allow executing files as program,
then close it.

4. Double-click the client icon and follow the setup wizard to complete the installation.

Starting Client and Establishing Connection

To start the client and establish the connection with the server side, take the following steps:

1. Double-click the SCVPN icon on the desktop of the Linux system, and the system enters the
super user authentication page. Enter the password of the super user, and click Authentic-
ate to enter the main interface of the client.

2. In the client main interface, click New. The Create connection profile dialog box appears.

3. Provide the following information and then click OK.

l Name: Specify a name for this VPN connection.

l Description: Specify the description for this VPN connection.

l Server: Enter the IP address or the server name of the device that acts as the VPN
server.

l Port: Enter the HTTPS port number of the device.

l User name: Enter the login name. For detailed information, refer to "User" on Page
652.

l Password: Enter the corresponding password.

l Remember password : Select this check box to remember the password.

4. Select the connection name in the connection list. In the toolbar, click Connect. If you do
not select Remember password in step 3, enter the password in the pop-up and then click
OK.

5. After the client connects to the SSL VPN server, the status bar displays Connection estab-
lished. The encrypted data can be transmitted between the SSL VPN client and SSL VPN
server now.

Upgrading and Uninstalling Client

To upgrade or uninstall the SSL VPN client, take the following steps:

1. Double-click the MaintenanceTool icon to enter the Maintain SCVPN page.

2. In the Maintain SCVPN page, select Update components or Remove all components to
upgrade or uninstall the client, then click Next.

3. Follow the setup wizard to complete the upgrade or uninstall of client.

GUI

The GUI of the client includes four areas: toolbar, connection list, connection information, and
status bar.

Toolbar

In the toolbar, you can perform the following actions:

l Connect: Select a connection from the connection list and then click Connect. The client
starts to establish the connection with server side.

l New: Create a new connection. For details, see Starting Client and Establishing Connection.

l Modify: Select a connection from the connection list and then click Modify. For details about
modifying the parameters, see Starting Client and Establishing Connection.

l Delete: Select a connection from the connection list and then click Delete to delete this con-
nection.

l Settings: Set whether to minimize the client when the connection is established.

l Cancel: Click this button to cancel the connection. When the client is connecting to the
server side, this button is displayed. For more information, see Starting Client and Estab-
lishing Connection.

l Disconnect: Disconnect the current connection. After the connection is established, this but-
ton is displayed. For more information, see Starting Client and Establishing Connection.

l Info: View the channel information and the route information of the current connection.
After the connection is established, this button is displayed. For more information, see Start-
ing Client and Establishing Connection.

Connection List

Displays all created SSL VPN connections, and uses different icons to distinguish between the
connected and the unconnected.

Connection Information

When selecting a connection in the connection list, the connection information area displays the
corresponding information of this connection.

l Whether or not the client is connected to the server, the connection information area dis-
plays the server IP address, the port number, the user name, and the authentication type.

l After establishing the connection, the connection information area displays the connection
duration, server IP address, the IP assigned to the client, the number of packets sent/received
through the SSL VPN tunnel, and the bytes sent/received through the SSL VPN tunnel.

Status Bar

Displays the connection status and the connection progress when connecting to the server. For
more information, see Starting Client and Establishing Connection.

Menu

Click the logging menu in the top-left corner of the client interface.

l View: View the logs.

l Level: Select the log level. When selecting a level in the menu, system will display the logs of
upper levels and will not display the logs of lower levels.

l About: Display the version information, copyright information and other relevant inform-
ation.

L2TP VPN
This feature may not be available on all platforms. Check the actual page of your system to see
whether your device supports this feature.
L2TP (Layer Two Tunneling Protocol) is a VPDN technique that allows dial-up users to initiate a
VPN connection from L2TP clients or L2TP access concentrators (LACs) and connect to an L2TP
network server (LNS) via PPP. After the connection has been established successfully, the LNS
assigns IP addresses to legitimate users and permits them to access the private network.
The device acts as an LNS or an L2TP client in the L2TP tunnel network. When the device acts as
an LNS, it accepts connections from L2TP clients or LACs, performs authentication and
authorization, and assigns IP addresses, DNS server addresses, and WINS server addresses to
legitimate users.
L2TP does not encrypt the data transmitted through the tunnel, so on its own it cannot assure the
security of the transmission. You can use L2TP in combination with IPsec, encrypting the data
with IPsec, to secure the data transmitted through the L2TP tunnel.

Configuring an LNS

Configuring an L2TP VPN

To create an L2TP VPN instance, take the following steps:

1. Select Network > VPN > L2TP VPN.

2. In the L2TP VPN page, click New.

In the Name/Access User tab, configure the corresponding options.

L2TP VPN Name: Type the name of the L2TP VPN instance.

Assigned Users
AAA Server: Select an AAA server from the AAA Server drop-down list. You can click View AAA Server to view the detailed information of this AAA server.
Domain: Type the domain name into the Domain box. The domain name is used to distinguish the AAA server.
Verify User Domain Name: After this function is enabled, system verifies both the username and its domain name.
Add: Click Add to add the assigned users. Repeat to add more items.

In the Interface/Address Pool/IPSec Tunnel tab, configure the corresponding options.

Access Interface
Egress Interface: Select the interface from the drop-down list as the L2TP VPN server interface. This interface listens for requests from L2TP clients.

Tunnel Interface
Tunnel Interface: Specifies the tunnel interface bound to the L2TP VPN tunnel. The tunnel interface carries traffic to and from the L2TP VPN tunnel.

l Select a tunnel interface from the drop-down list, and then click Edit to edit the selected tunnel interface.

l Click New in the drop-down list to create a new interface.

Information: Shows the zone, IP address, and netmask of the selected tunnel interface.

Address Pool
Address Pool: Specifies the L2TP VPN address pool.

l Select an address pool from the drop-down list, and then click Edit to edit the selected address pool.

l Click New in the drop-down list to create a new address pool.

For more information about creating/editing address pools, see "Configuring an L2TP VPN Address Pool" on Page 546.
Information: Shows the start IP address, end IP address, and mask of the address pool.

L2TP over IPSec
L2TP over IPSec: Select a referenced IPSec tunnel from the drop-down list. L2TP does not encrypt the data transmitted through the tunnel, so it cannot protect the data by itself. Use L2TP in combination with IPSec so that IPSec encrypts the data transmitted through the L2TP tunnel.

3. If necessary, click Advanced Configuration to configure the advanced functions.

In the Parameters tab, configure the corresponding options.


Security
Tunnel Authentication: Click Enable to enable tunnel authentication, which protects the L2TP control connection. Either the LNS or the LAC can initiate tunnel authentication. The tunnel is established only when both ends authenticate successfully, i.e., the secret strings configured on the two ends are identical. The secret is used only for the challenge/response on the control connection; it does not encrypt tunnel data.
AVP Hidden: Click Enable to hide AVPs. L2TP uses AVPs (attribute value pairs) to carry and negotiate L2TP parameters and attributes. By default AVPs are transmitted in plain text. To protect them, the secret string is used to hide the AVP values during transmission.
Secret: Specifies the secret string used for LNS tunnel authentication.
Peer: Specifies the host name of the LAC. If multiple LACs connect to the LNS, use this parameter to specify a different secret string for each LAC.
Add: Click Add to add the configured secret and peer name pair to the list.

Client Connection
Accept Client IP: Click Enable to accept the IP address specified by the client. By default the client IP is selected from the address pool and allocated by the LNS automatically. If this function is enabled, the client can specify an IP address; however, the address must belong to the specified address pool and be consistent with the username and role bindings. If the specified IP is already in use, system will not allow the user to log in.
Multiple Login: Click Enable to allow one user to log in and be authenticated on different hosts simultaneously.
Hello Interval: Specifies the interval at which Hello packets are sent. The LNS sends Hello packets to the L2TP client or LAC at this interval and tears down the tunnel if no response is returned within the specified period.
LNS Name: Specifies the local name of the LNS.
Tunnel Windows: Specifies the receive window size for data transmitted through the tunnel.
Control Packet Transmit Retry: Specifies how many times a control packet is retransmitted. If no response is received from the peer after the specified number of retries, system considers the tunnel disconnected.

PPP Configuration
LCP Interval / Transmit Retries: Specifies the LCP Echo parameters used to keep the PPP link alive:

l Interval: The interval at which LCP Echo packets are sent.

l Transmit Retry: The number of retries for LCP Echo packets. If the LNS receives no response after the specified retries, it considers the connection disconnected.

PPP Authentication: Specifies the PPP authentication protocol. The options are:

l PAP: Uses PAP for PPP authentication. PAP sends the password in clear text during PPP negotiation, so it should only be used when the tunnel is protected by IPsec.

l CHAP: Uses CHAP for PPP authentication. This is the default option.

l Any: Uses CHAP by default and falls back to PAP if the client does not support CHAP.

4. Click Done to save the settings.
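The Tunnel Authentication and Secret options above map onto the L2TP control-connection handshake defined in RFC 2661: the LAC's SCCRQ carries a Challenge, the LNS answers it in the SCCRP (together with its own Challenge), and the LAC answers that in the SCCCN. The following is an added example, not StoneOS code: it frames and parses L2TP control messages, computes the Challenge Response the way both ends do (MD5 over the message type octet, the shared secret and the challenge), and shows that the tunnel is accepted only when the two configured secrets match. Host names, tunnel IDs and secrets are constructed for the example; AVP hiding is detected but not implemented.

```python
"""L2TP control-message framing and tunnel authentication (RFC 2661)."""
import hashlib
import hmac
import os
import struct

# RFC 2661 attribute types and control message types used here
AVP_MESSAGE_TYPE, AVP_HOST_NAME, AVP_ASSIGNED_TUNNEL_ID = 0, 7, 9
AVP_CHALLENGE, AVP_CHALLENGE_RESPONSE = 11, 13
SCCRQ, SCCRP, SCCCN = 1, 2, 3


def avp(attr_type, value, mandatory=True):
    """Encode one AVP: M/H flags + length, vendor ID 0 (IETF), attribute type, value.
    The H (hidden) bit stays clear; AVP hiding is a separate option on the page."""
    length = 6 + len(value)
    return struct.pack("!HHH", (0x8000 if mandatory else 0) | length, 0, attr_type) + value


def control_message(tunnel_id, ns, nr, avps):
    """Frame a control message: T, L and S bits set, version 2, session ID 0."""
    body = b"".join(avps)
    return struct.pack("!HHHHHH", 0xC802, 12 + len(body), tunnel_id, 0, ns, nr) + body


def parse_control_message(data):
    """Decode header and AVPs; reject anything that is not a well-formed L2TPv2
    control message (wrong T/L/S bits or version, length mismatch, truncated AVP)."""
    flags, length, tid, sid, ns, nr = struct.unpack("!HHHHHH", data[:12])
    if (flags & 0xC80F) != 0xC802 or length != len(data):
        raise ValueError("not a well-formed L2TPv2 control message")
    avps, off = {}, 12
    while off < len(data):
        afl, vendor, attr = struct.unpack("!HHH", data[off:off + 6])
        alen = afl & 0x03FF
        if alen < 6 or off + alen > len(data):
            raise ValueError("truncated AVP")
        if afl & 0x4000:
            raise ValueError("hidden AVP: unhiding is not implemented in this example")
        if vendor == 0:
            avps[attr] = data[off + 6:off + alen]
        off += alen
    if AVP_MESSAGE_TYPE not in avps:
        raise ValueError("Message Type AVP missing")
    return {"tunnel_id": tid, "ns": ns, "nr": nr, "avps": avps}


def challenge_response(msg_type, secret, challenge):
    """RFC 2661 section 5.1.2: MD5(message type octet || shared secret || challenge)."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


def verify_response(parsed, secret, our_challenge):
    """Check the peer's Challenge Response against the challenge we sent.
    A peer that omits the AVP is rejected; the comparison is constant-time."""
    avps = parsed["avps"]
    msg_type = struct.unpack("!H", avps[AVP_MESSAGE_TYPE])[0]
    response = avps.get(AVP_CHALLENGE_RESPONSE)
    if response is None:
        return False
    return hmac.compare_digest(response, challenge_response(msg_type, secret, our_challenge))


def tunnel_handshake(lac_secret, lns_secret, rng=os.urandom):
    """SCCRQ -> SCCRP -> SCCCN with tunnel authentication in both directions.
    Returns (lns_accepts_lac, lac_accepts_lns); both are True only when the
    secrets configured on the two ends are identical."""
    lac_challenge = rng(16)
    sccrq = control_message(0, 0, 0, [
        avp(AVP_MESSAGE_TYPE, struct.pack("!H", SCCRQ)),
        avp(AVP_HOST_NAME, b"branch-lac"),              # constructed peer name
        avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", 17)),
        avp(AVP_CHALLENGE, lac_challenge)])
    rq = parse_control_message(sccrq)

    # LNS: answer the LAC challenge (message type 2) and issue its own challenge
    lns_challenge = rng(16)
    lac_tid = struct.unpack("!H", rq["avps"][AVP_ASSIGNED_TUNNEL_ID])[0]
    sccrp = control_message(lac_tid, 0, 1, [
        avp(AVP_MESSAGE_TYPE, struct.pack("!H", SCCRP)),
        avp(AVP_HOST_NAME, b"hq-lns"),
        avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", 42)),
        avp(AVP_CHALLENGE, lns_challenge),
        avp(AVP_CHALLENGE_RESPONSE,
            challenge_response(SCCRP, lns_secret, rq["avps"][AVP_CHALLENGE]))])
    rp = parse_control_message(sccrp)
    lac_accepts_lns = verify_response(rp, lac_secret, lac_challenge)

    # LAC: complete the connection, answering the LNS challenge (message type 3)
    lns_tid = struct.unpack("!H", rp["avps"][AVP_ASSIGNED_TUNNEL_ID])[0]
    scccn = control_message(lns_tid, 1, 1, [
        avp(AVP_MESSAGE_TYPE, struct.pack("!H", SCCCN)),
        avp(AVP_CHALLENGE_RESPONSE,
            challenge_response(SCCCN, lac_secret, rp["avps"][AVP_CHALLENGE]))])
    lns_accepts_lac = verify_response(parse_control_message(scccn), lns_secret, lns_challenge)
    return lns_accepts_lac, lac_accepts_lns


if __name__ == "__main__":
    print("same secret:", tunnel_handshake(b"s3cret", b"s3cret"))
    print("mismatch:   ", tunnel_handshake(b"s3cret", b"other"))
```

Note that the response is an unkeyed MD5 over a secret the peer never sees in the clear; it proves knowledge of the secret to a peer that already has it but, like CHAP, offers no protection against an attacker who captures the exchange and brute-forces a weak secret offline. That is one more reason to run the control connection inside IPsec.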

Configuring an L2TP VPN Address Pool

LNS assigns the IP addresses in the address pool to users. After the client has established a con-
nection to LNS successfully, LNS will choose an IP address along with other related parameters
(such as DNS server address, WINS server address, etc) from the address pool, and assign them
to the client.
L2TP provides fixed IP addresses by creating and implementing IP binding rules.

l The static IP binding rule binds the client user to a fixed IP address in the address pool. Once
the client has established a connection successfully, system will assign the binding IP to the
client.

l The IP-role binding rule binds the role to a specific IP range in the address pool. Once the cli-
ent has established a connection successfully, system will assign an IP address within the IP
range to the client.

When LNS is allocating IP addresses in the address pool, system will check the IP binding rule
and determine how to assign IP addresses for the client based on the specific checking order
below:

Notes: The IP addresses defined in the static IP binding rule and IP-role binding
rule should not be overlapped.

To create an address pool, take the following steps:

1. Select Network > VPN > L2TP VPN.

2. At the top-right corner, click Address Pool.

3. In the pop-up window, click New.

In the Basic Configuration tab, configure the corresponding options.

Address Pool Name: Specifies the name of the address pool.

Start IP: Specifies the start IP of the address pool.

End IP: Specifies the end IP of the address pool.

Reserved Start IP: Specifies the start IP of the reserved range inside the address pool.

Reserved End IP: Specifies the end IP of the reserved range inside the address pool.

DNS1/2: Specifies the DNS server IP addresses for the address pool. Optional; up to 2 DNS servers can be configured for one address pool.

WINS1/2: Specifies the WINS server IP addresses for the address pool. Optional; up to 2 WINS servers can be configured for one address pool.

In the IP User Binding tab, configure the corresponding options.

User: Type the user name into the User box.

IP: Type the IP address into the IP box.

Add: Click Add to add this IP user binding rule.

Delete: To delete a rule, select the rule you want to delete from the list and click Delete.

In the IP Role Binding tab, configure the corresponding options.

Role: Type the role name into the Role box.

Start IP: Type the start IP address into the Start IP box.

End IP: Type the end IP address into the End IP box.

Add: Click Add to add this IP role binding rule.

Delete: To delete a rule, select the rule you want to delete from the list and click Delete.

Up/Down/Top/Bottom: System checks the IP role binding rules in order and allocates the IP address according to the first matching rule. Move a rule up or down to adjust the matching sequence.

4. Click OK to save the settings.
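The address pool options above (start/end IP, a reserved range, DNS/WINS servers, static IP User Binding rules and ordered IP Role Binding rules) define an allocation policy the LNS applies at login. The following is an added example, not StoneOS code, that models that policy together with the Accept Client IP and Multiple Login behaviour described in the Parameters tab. The lookup order it uses (static user binding, then the first matching role rule in list order, then the rest of the pool) is an assumption for the example, since the guide's own ordering list is not reproduced on this page; addresses, users and roles are constructed.

```python
"""Address allocation for an L2TP address pool with user and role bindings."""
import ipaddress


class AllocationError(Exception):
    """Raised when the LNS must refuse the login instead of assigning an address."""


class L2tpAddressPool:
    def __init__(self, start, end, reserved=None, dns=(), wins=()):
        self.start, self.end = ipaddress.ip_address(start), ipaddress.ip_address(end)
        self.reserved = tuple(ipaddress.ip_address(a) for a in reserved) if reserved else None
        self.dns, self.wins = tuple(dns), tuple(wins)
        self.user_bindings = {}   # IP User Binding: user -> fixed address
        self.role_bindings = []   # IP Role Binding rules, kept in matching order
        self.in_use = {}          # address -> user currently holding it

    def _in_pool(self, ip):
        return self.start <= ip <= self.end

    def _is_reserved(self, ip):
        return self.reserved is not None and self.reserved[0] <= ip <= self.reserved[1]

    def bind_user(self, user, ip):
        ip = ipaddress.ip_address(ip)
        if not self._in_pool(ip):
            raise ValueError(f"{ip} lies outside the pool")
        self.user_bindings[user] = ip

    def bind_role(self, role, first, last, position=None):
        """Append a role rule, or insert it at `position` (the Up/Down/Top/Bottom controls)."""
        first, last = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if not (self._in_pool(first) and self._in_pool(last) and first <= last):
            raise ValueError("role range must lie inside the pool")
        index = len(self.role_bindings) if position is None else position
        self.role_bindings.insert(index, (role, first, last))

    def check_bindings(self):
        """The guide's note: static user addresses must not overlap any role range."""
        clashes = [(user, str(ip)) for user, ip in self.user_bindings.items()
                   for _, first, last in self.role_bindings if first <= ip <= last]
        if clashes:
            raise ValueError(f"user bindings overlap role ranges: {clashes}")

    def _allowed_range(self, user, roles):
        """Assumed lookup order: static user binding, then the first matching role
        rule in list order, then the whole pool."""
        if user in self.user_bindings:
            ip = self.user_bindings[user]
            return ip, ip
        for role, first, last in self.role_bindings:
            if role in roles:
                return first, last
        return self.start, self.end

    def _held(self, ip, user, roles):
        """True if ip is not available to this user: in use, reserved, bound to
        someone else, or inside a role range the user does not match."""
        if ip in self.in_use or self._is_reserved(ip):
            return True
        if ip in self.user_bindings.values() and self.user_bindings.get(user) != ip:
            return True
        return any(first <= ip <= last and role not in roles
                   for role, first, last in self.role_bindings)

    def allocate(self, user, roles=(), client_ip=None, accept_client_ip=False):
        """Return (address, dns, wins) for a newly authenticated user."""
        roles = set(roles)
        if user in self.in_use.values():
            raise AllocationError(f"{user} is already online (Multiple Login is off)")
        first, last = self._allowed_range(user, roles)
        if accept_client_ip and client_ip is not None:
            # Accept Client IP: honour the requested address only if it is inside the
            # range this user may draw from and nobody else holds it; else refuse login.
            ip = ipaddress.ip_address(client_ip)
            if not (first <= ip <= last) or self._held(ip, user, roles):
                raise AllocationError(f"{ip} cannot be assigned to {user}")
        else:
            ip = first
            while ip <= last and self._held(ip, user, roles):
                ip += 1
            if ip > last:
                raise AllocationError(f"no free address for {user}")
        self.in_use[ip] = user
        return str(ip), self.dns, self.wins

    def release(self, user):
        """Return the user's address to the pool when the session ends."""
        self.in_use = {ip: u for ip, u in self.in_use.items() if u != user}


def build_example_pool():
    """Constructed configuration: pool 10.10.0.10-10.10.0.50 with the top of the
    range reserved, one static user binding and one role range."""
    pool = L2tpAddressPool("10.10.0.10", "10.10.0.50",
                           reserved=("10.10.0.40", "10.10.0.50"), dns=("10.10.0.1",))
    pool.bind_user("alice", "10.10.0.12")
    pool.bind_role("finance", "10.10.0.20", "10.10.0.25")
    pool.check_bindings()
    return pool


if __name__ == "__main__":
    pool = build_example_pool()
    for user, roles in [("alice", ()), ("bob", ("finance",)), ("carol", ())]:
        print(user, "->", pool.allocate(user, roles))
```

The `check_bindings` call enforces the note above about non-overlapping static and role ranges before the pool is put into service; running it after every rule change is cheaper than diagnosing a user who lands in the wrong role's range.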

Viewing L2TP VPN Online Users

To view the L2TP VPN online users, take the following steps:

1. Select Network > VPN > L2TP VPN.

2. Select an L2TP VPN instance.

3. View the detailed information of the online users in the table.

Name: Displays the name of the L2TP VPN instance.

Login Time: Displays the login time of the L2TP VPN online user.

Public IP: Displays the public IP of the L2TP VPN online user.

Private IP: Displays the private IP of the L2TP VPN online user.

Operation: Displays the operations available for the L2TP VPN online user.

Configuring Device as L2TP Client

Configuring a L2TP Client

To create an L2TP client, take the following steps:

1. Select Network > VPN > L2TP VPN.

2. At the top-right corner, click L2TP Client.

3. In the L2TP Client page, click New.

Client Name: Type the name of the L2TP client.

Tunnel Interface: Specifies the tunnel interface bound to the L2TP client. The tunnel interface carries traffic to and from the L2TP tunnel.

Egress Interface: Select the interface from the drop-down list as the L2TP client interface. The client establishes the tunnel to the LNS through this interface.

LNS IP: Specifies the IP address of the LNS.

Keepalive: To keep the tunnel to the LNS alive, the L2TP client sends Hello packets periodically to check that the LNS is still reachable. Keepalive is the interval between two Hello packets. A smaller value detects faults faster; a larger value uses less bandwidth.

Control Packet Transmit Retry: Specifies how many times a control packet is retransmitted. If no response is received from the peer after the specified number of retries, system considers the tunnel disconnected.

User Name: Specifies the user name the L2TP client presents to the LNS when requesting the L2TP VPN tunnel.

Password: Specifies the password of the L2TP client.

PPP Configuration

LCP-echo Interval: Specifies the interval at which LCP Echo packets are sent. The value range is 0 to 1000 seconds.

Transmit Retries: Specifies the number of retries for LCP Echo packets. If the L2TP client receives no response after the specified retries, it considers the connection disconnected.

PPP Authentication: Specifies the PPP authentication protocol. The options are:

l PAP: Uses PAP for PPP authentication. PAP sends the password in clear text, so it should only be used when the tunnel is protected by IPsec.

l CHAP: Uses CHAP for PPP authentication. This is the default option.

l Any: Uses CHAP by default and falls back to PAP if CHAP is not supported.

Auto connect: Enables automatic dial-up for the L2TP client. After it is enabled, the L2TP client and the LNS establish the tunnel automatically, so users can access the intranet behind the LNS without performing PPP dial-up manually.

4. Click OK.

VXLAN
Virtual extensible local area network (VXLAN) is a tunnel encapsulation technology that extends
Layer 2 networks over a Layer 3 underlay (NVO3) using MAC-in-UDP encapsulation. VXLAN uses a
24-bit segment ID, the VXLAN network identifier (VNI), to identify tenants. The VNI plays the role of
a VLAN ID but supports about 16 million (2^24 - 1) VXLAN segments instead of 4094 VLANs.
Because VXLAN carries the original Ethernet frame across the IP underlay, a VM keeps its IP address
when it is migrated, so services continue uninterrupted during VM migration.
VXLAN uses VTEP (VXLAN Tunnel Endpoint) devices to encapsulate and decapsulate VXLAN packets,
including ARP request packets and normal VXLAN data packets. The VTEP encapsulates the original
Ethernet frame in a VXLAN header and sends it to the peer VTEP. The peer VTEP decapsulates the
VXLAN packet on receipt and forwards the inner frame according to the original MAC address. A VTEP
can be a physical switch, a physical server, or other VXLAN-enabled hardware or software.

Creating VXLAN Static Tunnel


To create a VXLAN static tunnel, take the following steps:

1. Click Network > VPN > VXLAN.

2. Click New.

Configure the following options.

Name: Specifies the name of the VXLAN static tunnel.

VNI: Specifies the VXLAN network identifier, the global ID of the VXLAN segment. The value range is 1 to 16777215.

Egress Interfaces: Select the egress interface of the VXLAN tunnel from the drop-down list.

Peer IP: Specifies the IP address of the destination VTEP.

3. Click OK.

GRE VPN
Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate a wide variety
of network layer protocols inside virtual point-to-point links over an IP internetwork. GRE itself
provides no confidentiality or integrity protection; StoneOS supports GRE over IPsec so that the
routing information and other traffic passing between networks through the GRE tunnel is protected
by IPsec.

Configuring GRE VPN


To create a GRE VPN, take the following steps:

1. Select Network > VPN > GRE VPN.

2. In the GRE VPN page, click New.

Configure the corresponding options.

Name: Type the name of the GRE VPN.

Source Address Type: Specifies the type of source address for the GRE tunnel.

Source Interface/Source IP Address: Specifies a source interface or source IP address for the GRE tunnel.

Destination IP Address: Specifies the destination address of the GRE tunnel.

Egress Interface: Select the interface from the drop-down list as the GRE VPN interface.

Key: Specifies the GRE key. A received packet is accepted only when the key it carries matches the key configured on the receiver; packets carrying a different key are dropped. The key is a 32-bit tunnel identifier, not an encryption key, and does not protect the payload.

GRE Over IPSec: Select a referenced IPSec tunnel from the drop-down list. GRE does not encrypt the data transmitted through the tunnel, so it cannot protect the data by itself. Use GRE in combination with IPSec so that IPSec encrypts the data transmitted through the GRE tunnel.

Tunnel Interface: Specifies the tunnel interface bound to the GRE VPN tunnel.

l Select a tunnel interface from the drop-down list, and then click Edit to edit the selected tunnel interface.

l Click New in the drop-down list to create a new interface.

Tunnel Interface Gateway: Specifies the next hop (the IP address of the peer tunnel interface) of the GRE tunnel when multiple tunnels are bound to this interface.

3. Click OK.
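The VXLAN section above describes MAC-in-UDP encapsulation with a 24-bit VNI, and the GRE Key option above describes the receiver dropping packets whose key does not match. The following is an added example, not StoneOS code, that builds and parses both tunnel headers (VXLAN per RFC 7348, GRE per RFC 2784 with the RFC 2890 Key and Sequence fields) and applies the receive-side checks a VTEP or GRE endpoint performs: a VXLAN packet without the I flag or with a VNI outside the configurable range is dropped, and a GRE packet whose key is absent or different from the configured key is dropped. The Ethernet frame and IP payload are constructed bytes, not captures; the GRE checksum is skipped over rather than verified.

```python
"""VXLAN and GRE tunnel headers with the receive-side checks."""
import struct

VXLAN_FLAG_I = 0x08             # first flags octet: I bit = valid VNI present
VXLAN_UDP_PORT = 4789           # IANA-assigned VXLAN destination port
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000
ETHERTYPE_IPV4 = 0x0800


def vxlan_encap(vni, frame):
    """VTEP transmit side: prepend the 8-byte VXLAN header to an Ethernet frame.
    Header layout: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 1 <= vni <= 0xFFFFFF:
        raise ValueError("VNI must be in 1..16777215")
    return bytes([VXLAN_FLAG_I, 0, 0, 0]) + (vni << 8).to_bytes(4, "big") + frame


def vxlan_decap(packet):
    """VTEP receive side: return (vni, inner frame) or raise to drop the packet."""
    if len(packet) < 8 + 14:
        raise ValueError("too short to carry a VXLAN header and an Ethernet header")
    if not packet[0] & VXLAN_FLAG_I:
        raise ValueError("I flag clear: no valid VNI, drop")
    vni = int.from_bytes(packet[4:7], "big")
    if not 1 <= vni <= 0xFFFFFF:
        raise ValueError("VNI 0 is outside the configurable range, drop")
    return vni, packet[8:]


def _mac(raw):
    return ":".join(f"{x:02x}" for x in raw)


def inner_frame_addresses(frame):
    """Split the decapsulated frame into (dst MAC, src MAC, EtherType) so the VTEP
    can forward on the original MAC addresses."""
    return _mac(frame[:6]), _mac(frame[6:12]), struct.unpack("!H", frame[12:14])[0]


def gre_encap(payload, proto=ETHERTYPE_IPV4, key=None, seq=None):
    """GRE header (RFC 2784) with the optional Key and Sequence fields (RFC 2890)."""
    flags, extra = 0, b""
    if key is not None:
        flags |= GRE_FLAG_K
        extra += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_FLAG_S
        extra += struct.pack("!I", seq)
    return struct.pack("!HH", flags, proto) + extra + payload


def gre_decap(packet, expected_key=None):
    """Return (proto, key, seq, payload). When a Key is configured, a packet whose
    key is absent or different is dropped (raised), as the Key option describes."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & 0x0007:
        raise ValueError("only GRE version 0 is handled")
    off = 4 + (4 if flags & GRE_FLAG_C else 0)     # checksum + reserved1, not verified here
    key = seq = None
    if flags & GRE_FLAG_K:
        key = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    if flags & GRE_FLAG_S:
        seq = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    if expected_key is not None and key != expected_key:
        raise ValueError("GRE key mismatch, drop")
    return proto, key, seq, packet[off:]


# Constructed sample data (not a capture): an Ethernet frame and a minimal IPv4 payload.
SAMPLE_IP = b"\x45" + bytes(19)
SAMPLE_FRAME = (bytes.fromhex("0a0000000001") + bytes.fromhex("0a0000000002")
                + struct.pack("!H", ETHERTYPE_IPV4) + SAMPLE_IP)

if __name__ == "__main__":
    vni, frame = vxlan_decap(vxlan_encap(5000, SAMPLE_FRAME))
    print("VNI", vni, "inner", inner_frame_addresses(frame))
    print("GRE", gre_decap(gre_encap(SAMPLE_IP, key=0xDEADBEEF, seq=7), expected_key=0xDEADBEEF)[:3])
```

Neither header carries any authentication: the GRE key only separates tunnels and the VNI only selects a segment, so an attacker on the underlay who learns either value can inject frames. That is the reason both sections point to IPsec for anything that crosses an untrusted network.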

Chapter 9 Object
This chapter describes the concept and configuration of objects that will be referenced by other
modules in system, including:

l "Address" on Page 562: Contains address information, and can be used by multiple modules,
such as policy rules, NAT rules, QoS, session limit rules, etc.

l "Host Book" on Page 567: A collection of one domain name or several domain names.

l "Service Book" on Page 570: Contains service information, and can be used by multiple mod-
ules, such as policy rules, NAT rules, QoS, etc.

l "Application Book" on Page 581: Contains application information, and it can be used by mul-
tiple modules, such as policy rules, NAT rules, QoS, etc.

l "SLB Server Pool " on Page 613: Describes SLB server configurations.

l "Schedule" on Page 618: Specifies a time range or period. The functions (such as policy rules,
QoS rules, host blacklist, connections between the PPPoE interface and Internet) that use the
schedule will take effect in the time range or period specified by the schedule.

l "AAA Server" on Page 621: Describes how to configure an AAA server.

l "User" on Page 652: Contains information about the functions and services provided by a Hill-
stone device, and users authenticated and managed by the device.

l "Role" on Page 664: Contains role information that associates users to privileges. In function
configurations, different roles are assigned with different services. Therefore, the mapped
users can gain the corresponding services as well.

l "Track Object" on Page 670: Tracks if the specified object (IP address or host) is reachable or
if the specified interface is connected. This function is designed to track HA and interfaces.

l "URL Filtering" on Page 677: URL filtering controls access to specified websites and records
log messages for the access actions.

l "NetFlow" on Page 759: Collects the user's incoming traffic information according to the
NetFlow profile and sends it to a server running a NetFlow data analysis tool.

l "End Point Protection" on Page 764: Obtain the endpoint data monitored by the endpoint
security control center by interacting with it, and then specify the corresponding processing
action according to the security status of endpoint, so as to control the endpoint network
behavior.

l "IoT Policy" on Page 777: Identify the network video monitoring devices, like IPC (IP Cam-
era) and NVR (Network Video Recorder) via the flowing traffic, then monitor the identified
devices and block illegal behaviors according to the configurations.

Address
IP address is an important element for the configurations of multiple modules, such as policy
rules, NAT rules and session limit rules. Therefore, system uses an address book to facilitate IP
address reference and flexible configuration. You can specify a name for an IP range, and only the
name is referenced during configuration. The address book is the database in system that is used
to store the mappings between IP ranges and the corresponding names. The mapping entry
between an IP address and its name in the address book is known as an address entry.
System provides a global address book to which you add address entries. When specifying an
address entry, you can use a DNS name instead of an IP range. The IP addresses configured on
interfaces are added to the address book automatically as address entries, which makes them
convenient to reference in NAT. An address entry also has the following features:

l All address books contain the default address entries Any and private_network. The IP address
of Any is 0.0.0.0/0, i.e., any IP address; Any can neither be edited nor deleted. The IP addresses
of private_network are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, which cover all private
network addresses; private_network can be edited and deleted.

l One address entry can contain another address entry in the address book.

l If the IP range of an address entry changes, StoneOS updates the other modules that reference
the address entry automatically.

The address book supports IPv4 and IPv6 addresses. If IPv6 is enabled, you can configure IPv6
address entries.

Creating an Address Book


To create an address book, take the following steps:

1. Click Object>Address Book.

2. Click New.

In the Address Book Configuration dialog box, enter the address entry configuration.

Basic

Name: Type the address book name into the Name box.

Type: Select the IP type, IPv4 or IPv6. Only IPv6 firmware supports the IPv6 type.

Member

Member: Click New to add a member.

l When IPv4 is selected, configure IP/Netmask, IP Range, Hostname, Address Book, IP/Wildcard or Country/Region as needed.

l When IPv6 is selected, configure IPv6/Prefix, IPv6 Range, Hostname or Address Book as needed.

Tips:

l For an IP/Wildcard member, a binary 1 in the wildcard mask means the corresponding address bit must match exactly and a 0 means the bit is ignored. The mask cannot be entered in subnet-mask format, and an address book with an IP/Wildcard member cannot be referenced by a QoS policy.

l An address book with a Country/Region member can only be referenced by security policy and policy-based route rules.

l An address book with a Country/Region member does not support the Excluded Member settings.

New: Click New to add the configured member to the list below. Repeat the steps above to add more members.

Delete: Delete the selected member from the list.

Excluded Member

Member: Specify the excluded member. Click New to add a member, and configure IP/Netmask, IP/Prefix, or IP Range as needed.
Note: The address range of an excluded member must lie within the address range of the members; otherwise the configuration cannot be completed.

New: Click New to add the configured excluded member to the list below. Repeat the steps above to add more excluded members.

Delete: Delete the selected excluded member from the list.

3. Click OK.
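The member types and rules above (IP/Netmask, IP Range, IP/Wildcard with 1 = exact match and 0 = ignored, nested Address Book members, Excluded Members that must lie inside the members, and the built-in Any and private_network entries) are easiest to understand as a matcher. The following is an added example, not StoneOS code: it stores entries the way the dialog describes them, validates excluded members against the concrete members, resolves nested address books, and answers whether a given IP falls inside an entry. The entry names and ranges are constructed; the nesting limit is an assumption for the example to stop runaway recursion.

```python
"""Address book semantics: members, wildcard masks, nesting and exclusions."""
import ipaddress


class AddressBookError(ValueError):
    pass


class AddressBook:
    """Entries map name -> (members, excluded). Member kinds:
    ("net", "10.0.0.0/8"), ("range", first, last), ("wildcard", ip, mask),
    ("book", other_entry_name). Excluded members are net or range only."""
    MAX_NESTING = 8   # assumption for this example, not a documented StoneOS limit

    def __init__(self):
        self.entries = {}
        self.add("Any", [("net", "0.0.0.0/0")])
        self.add("private_network", [("net", "10.0.0.0/8"), ("net", "172.16.0.0/12"),
                                     ("net", "192.168.0.0/16")])

    @staticmethod
    def _bounds(member):
        """Integer (first, last) for a net or range member."""
        kind, *value = member
        if kind == "net":
            net = ipaddress.ip_network(value[0], strict=False)
            return int(net.network_address), int(net.broadcast_address)
        return int(ipaddress.ip_address(value[0])), int(ipaddress.ip_address(value[1]))

    def add(self, name, members, excluded=()):
        members, excluded = list(members), list(excluded)
        for kind, *value in members:
            if kind == "book" and value[0] not in self.entries:
                raise AddressBookError(f"{name}: unknown address book {value[0]!r}")
        # An excluded member must be covered by a concrete (net/range) member.
        concrete = [self._bounds(m) for m in members if m[0] in ("net", "range")]
        for ex in excluded:
            if ex[0] not in ("net", "range"):
                raise AddressBookError(f"{name}: excluded members must be IP/netmask or IP range")
            lo, hi = self._bounds(ex)
            if not any(mlo <= lo and hi <= mhi for mlo, mhi in concrete):
                raise AddressBookError(f"{name}: excluded member {ex} is outside the members")
        self.entries[name] = (members, excluded)

    def delete(self, name):
        """Any is fixed, and an entry referenced by another entry cannot be removed."""
        if name == "Any":
            raise AddressBookError("Any can neither be edited nor deleted")
        for other, (members, _) in self.entries.items():
            if any(m[0] == "book" and m[1] == name for m in members):
                raise AddressBookError(f"{name} is referenced by {other}")
        del self.entries[name]

    def matches(self, name, ip, _depth=0):
        """True if ip is covered by some member of `name` and by no excluded member."""
        if _depth > self.MAX_NESTING:
            raise AddressBookError("address book nesting too deep")
        ip = int(ipaddress.ip_address(ip))
        members, excluded = self.entries[name]
        if any(self._member_matches(m, ip, _depth) for m in excluded):
            return False
        return any(self._member_matches(m, ip, _depth) for m in members)

    def _member_matches(self, member, ip, depth):
        kind, *value = member
        if kind == "book":
            return self.matches(value[0], ip, depth + 1)
        if kind == "wildcard":
            # 1 bits in the mask must match the base address; 0 bits are don't-care.
            base, mask = (int(ipaddress.ip_address(v)) for v in value)
            return (ip & mask) == (base & mask)
        lo, hi = self._bounds(member)
        return lo <= ip <= hi


if __name__ == "__main__":
    book = AddressBook()
    book.add("branch_lan", [("net", "10.20.0.0/16")],
             excluded=[("range", "10.20.9.1", "10.20.9.254")])
    book.add("printers", [("wildcard", "10.0.0.200", "255.0.0.255")])   # any 10.x.y.200
    book.add("trusted", [("book", "branch_lan"), ("book", "printers")])
    for probe in ("10.20.1.5", "10.20.9.7", "10.77.3.200"):
        print(probe, "trusted" if book.matches("trusted", probe) else "not trusted")
```

The wildcard semantics follow the tip above (1 = must match) rather than the inverted convention some other vendors use, which is worth checking before copying a mask from another platform.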

Viewing Details
To view the details of an address entry (name, members, description and references), take the
following steps:

1. Click Object>Address Book.

2. In the Address Book dialog box, select "+" before an address entry from the member list,
and view the details under the entry.

Searching Address Entries

Use the Filter to search for the address entries that match the filter conditions. The filter con-
ditions include the address entry name, IP address of the members, the description, and whether
the entry is referenced by other function modules.

1. Click Object > Address Book.

2. At the top-right corner of the page, click Filter. A new row appears at the top.

3. Click +Filter to add a new filter condition. Then select a filter condition from the drop-
down menu and enter a value.

4. Press Enter to search for the address entries that match the filter conditions.

5. Repeat the above two steps to add more filter conditions. The filter conditions are combined
with AND.

6. To delete a filter condition, hover your mouse over that condition and click the delete icon.

To close the filter, click the close icon on the right side of the row.

Save the filter conditions.

1. After adding the filter conditions, click the arrow next to + Filter, and in the drop-down
menu click Save Filters.

2. Specify a name for the saved filter. The maximum length of the name is 32 characters, and
only Chinese and English characters and underscores are supported.

3. Click the Save button on the right side of the text box.

4. To use a saved filter, double-click its name.

5. To delete a saved filter, click the delete icon on the right side of it.

Notes:
l You can add up to 20 filter conditions as needed.

l After the device has been upgraded, saved filters are cleared.

Host Book
You can specify a name for a collection of one or more domain names and reference this host book
in other configurations. The host book is the database in the system that stores the mappings
between sets of domain names and their names.
Each mapping between a set of domain names and its name is called a host entry.

Notes:
l The maximum number of host entries is one fourth of the maximum num-
ber of address entries.

Creating a Host Book


To create a host book, take the following steps:

1. Select Object > Host Book.

2. Click New.

Configure the following options.

Name: Type a name for the host book.

Description: Type a description of the host book entry.

Addition Mode: Specify how domain members are added.

l Manual input: Add domain members to the host book by entering IP addresses or domain names manually.

l File import: Add a batch of domain members to the host book by importing a file.

Domain Group: When "Manual input" is selected, enter the IP addresses or domain names of the domain members. Note: Press Enter to separate multiple domain members.

File Name: When "File import" is selected, click Browse to upload a domain name file from the local host. Note: Only UTF-8 encoded files (*.txt or *.csv) can be imported currently.

3. Click OK.

Editing a Host Book


To edit a host book, take the following steps:

1. Select Object > Host Book, and enter the Host Book page.

2. In the host book list, select a host book entry to edit and click Edit.

3. In the Host Book Configuration dialog, edit the selected host book entry as needed.

Notes: When you edit a host book entry and add domain members by importing a file, the
domains in the file replace all existing domain members of the selected entry.

Deleting a Host Book


To delete a host book, take the following steps:

1. Select Object > Host Book, and enter the Host Book page.

2. In the host book list, select a host book entry to delete and click Delete.

Service Book
Service is an information stream designed with protocol standards. Service has some specific dis-
tinguishing features, like corresponding protocol, port number, etc. For example, the FTP service
uses TCP protocol, and its port number is 21. Service is an essential element for the configuration
of multiple StoneOS modules including policy rules, NAT rules, QoS rules, etc.
System ships with multiple predefined services/service groups. Besides, you can also customize
user-defined services/service groups as needed. All these service/service groups are stored in and
managed by StoneOS service book.

Predefined Service/Service Group


System ships with multiple predefined services, and identifies the corresponding application types
based on the service ports. The supported predefined services may vary from different Hillstone
device models. Predefined service groups contain related predefined services to facilitate user con-
figuration.

User-defined Service
Except for the above predefined services, you can also create your own user-defined services eas-
ily. The parameters that will be specified for the user-defined service entries include:

l Name

l Protocol type

l The source and destination port for TCP or UDP service, and the type and code value for
ICMP service.

User-defined Service Group


You can organize some services together to form a service group, and apply the service group to
StoneOS policies directly to facilitate management. The service group has the following features:

l Each service of the service book can be used by one or more service groups.

l A service group can contain both predefined services and user-defined services.

l A service group can contain another service group. The service group of StoneOS supports up
to 8 layers of nests.

The service group also has the following limitations:

l The name of a service and service group should not be identical.

l A service group being used by any policy cannot be deleted. To delete such a service group,
you must first end its relationship with the other modules.

l If a user-defined service is deleted, it is also removed from all service groups that use it.

Configuring a Service Book


This section describes how to configure a user-defined service and service group.

Configuring a User-defined Service

1. Select Object > Service Book > Service.

2. Click New.

Configure the following options.

Service Configuration

Service: Type the name for the user-defined service into the text box.

Member: Specify a protocol type for the user-defined service. The available options are TCP, UDP, ICMP, ICMPv6 and All. If needed, you can add multiple service items. Click New; the parameters for each protocol type are as follows:

TCP/UDP:
Destination port:

l Min - Specifies the minimum port number of the service entry.

l Max - Specifies the maximum port number of the service entry.

The value range is 0 to 65535.

Source port:

l Min - Specifies the minimum port number of the service entry.

l Max - Specifies the maximum port number of the service entry.

The value range is 0 to 65535.

Notes:
l The minimum port number cannot exceed the maximum port number.

l The "Min" of the destination port is required; the other options are optional.

l If "Max" is not configured, system uses "Min" as the single port.

ICMP:
Type: Specifies an ICMP type for the service entry. The supported values are 0 (Echo Reply), 3 (Destination Unreachable), 4 (Source Quench), 5 (Redirect), 8 (Echo), 11 (Time Exceeded), 12 (Parameter Problem), 13 (Timestamp), 14 (Timestamp Reply), 15 (Information Request), 16 (Information Reply), 17 (Address Mask Request), 18 (Address Mask Reply), 30 (Traceroute), 31 (Datagram Conversion Error), 32 (Mobile Host Redirect), 33 (IPv6 Where-Are-You), 34 (IPv6 I-Am-Here), 35 (Mobile Registration Request), 36 (Mobile Registration Reply).
Code: Specifies the minimum and maximum ICMP code. The value range is 0 to 15; the default is min code 0, max code 15.

Notes:
l The minimum code cannot exceed the maximum code.

l If "Max" is not configured, system uses "Min" as the single code.

ICMPv6:
Type: Specifies an ICMPv6 type for the service entry. The supported values are 1 (Destination Unreachable), 2 (Packet Too Big), 3 (Time Exceeded), 4 (Parameter Problem), 100 (Private experimentation), 101 (Private experimentation), 127 (Reserved for expansion of ICMPv6 error messages), 128 (Echo Request), 129 (Echo Reply), 130 (Multicast Listener Query), 131 (Multicast Listener Report), 132 (Multicast Listener Done), 133 (Router Solicitation), 134 (Router Advertisement), 135 (Neighbor Solicitation), 136 (Neighbor Advertisement), 137 (Redirect Message), 138 (Router Renumbering), 139 (ICMP Node Information Query), 140 (ICMP Node Information Response), 141 (Inverse Neighbor Discovery Solicitation Message), 142 (Inverse Neighbor Discovery Advertisement Message), 143 (Version 2 Multicast Listener Report), 144 (Home Agent Address Discovery Request Message), 145 (Home Agent Address Discovery Reply Message), 146 (Mobile Prefix Solicitation), 147 (Mobile Prefix Advertisement), 148 (Certification Path Solicitation Message), 149 (Certification Path Advertisement Message), 150 (ICMP messages utilized by experimental mobility protocols such as Seamoby), 151 (Multicast Router Advertisement), 152 (Multicast Router Solicitation), 153 (Multicast Router Termination), 154 (FMIPv6 Messages), 200 (Private experimentation), 201 (Private experimentation) and 255 (Reserved for expansion of ICMPv6 informational messages).
Code: Specifies the minimum and maximum ICMPv6 code. The value range is 0 to 255; the default is min code 0, max code 255.

All:
Protocol: Specifies an IP protocol number for the service entry. The value range is 1 to 255.

Description: If needed, type a description for the service into the text box.

3. Click OK.

Configuring a User-defined Service Group

1. Select Object > Service Book > Service Group.

2. Click New.

Configure the following options.

Service Group Configuration

Name: Type the name for the user-defined service group into the text box.

Description: If needed, type a description for the service group into the text box.

Member Type: Add services or service groups to the service group. System supports at most 8 levels of nested service groups. Expand Pre-defined Service or User-defined Service in the left pane, select services or service groups, and then click Add to add them to the right pane. To remove a selected service, select it in the right pane and click Remove.

3. Click OK.
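As an added illustration of the service book objects described above (this is example code, not StoneOS code; the class and function names are assumptions made for this example), the following Python models service entries and service groups, enforces the 8-layer nesting limit at the moment a member is added, resolves a group to the flat list of service entries it covers, and computes the reference list that the Viewing Details section shows for an entry.

```python
"""Service book model: entries, nested groups, and the 8-layer nesting limit.
Added example; class and function names are assumptions, not StoneOS APIs."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

MAX_NESTING = 8  # "System supports at most 8-layer nested service group"


@dataclass(frozen=True)
class Service:
    """One service entry: protocol plus the port / ICMP parameters from the table."""
    name: str
    protocol: str                              # "tcp", "udp", "icmp", "icmpv6" or "all"
    dst_port: Tuple[int, int] = (0, 65535)     # min-port, max-port
    src_port: Tuple[int, int] = (0, 65535)
    icmp_type: Optional[int] = None
    icmp_code: Tuple[int, int] = (0, 255)      # min code, max code (defaults from the table)
    proto_number: Optional[int] = None         # "All Protocol" entries: 1 to 255


@dataclass
class ServiceGroup:
    name: str
    members: List[Union[Service, "ServiceGroup"]] = field(default_factory=list)


def nesting_depth(group: ServiceGroup) -> int:
    """A group holding only services is one layer; each nested group adds a layer."""
    return 1 + max((nesting_depth(m) for m in group.members
                    if isinstance(m, ServiceGroup)), default=0)


def contains(group: ServiceGroup, target) -> bool:
    """True if target is a direct or nested member of group."""
    return any(m == target or (isinstance(m, ServiceGroup) and contains(m, target))
               for m in group.members)


def add_member(group: ServiceGroup, member) -> None:
    """Mirror the Add button: refuse self-reference and more than MAX_NESTING layers."""
    if isinstance(member, ServiceGroup):
        if member is group or contains(member, group):
            raise ValueError(f"{group.name}: adding {member.name} would create a cycle")
        if 1 + nesting_depth(member) > MAX_NESTING:
            raise ValueError(f"{group.name}: nesting would exceed {MAX_NESTING} layers")
    group.members.append(member)


def flatten(group: ServiceGroup) -> List[Service]:
    """Resolve a group (recursively) to the service entries it covers."""
    out: List[Service] = []
    for m in group.members:
        out.extend(flatten(m) if isinstance(m, ServiceGroup) else [m])
    return out


def references(target, groups: List[ServiceGroup]) -> List[str]:
    """Names of the groups that reference target, directly or through nesting
    (the 'reference' column under Viewing Details)."""
    return [g.name for g in groups if contains(g, target)]


if __name__ == "__main__":
    # Constructed sample data, not taken from any real configuration.
    http = Service("http", "tcp", dst_port=(80, 80))
    ping = Service("ping", "icmp", icmp_type=8, icmp_code=(0, 0))
    web = ServiceGroup("web")
    add_member(web, http)
    mgmt = ServiceGroup("mgmt")
    add_member(mgmt, web)
    add_member(mgmt, ping)
    print(nesting_depth(mgmt), [s.name for s in flatten(mgmt)])
```

The depth check runs when a group is added as a member, which is the point at which the WebUI would refuse the ninth layer; a policy lookup would then work on the flattened list rather than walking the tree on every packet.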

Viewing Details

To view the details of a service entry, including the name, protocol, destination port and reference, take the following steps:

1. Click Object>Service Book > Service.

2. In the service dialog box, select an address entry from the member list, and view the details
under the list.

Searching Service Entries

Use the Filter to search for the service entries that match the filter conditions. The filter conditions include service type, name, protocol, destination port and source port.

1. Click Object > Service Book > Service.

2. At the top-left corner of the Service page, click Filter.

3. Click + Filter to add a new filter condition. Then select a filter condition from the drop-
down menu and enter a value.

4. Press Enter to search for the service entry that matches the filter conditions.

5. Repeat the above two steps to add more filter conditions. The relationship between each fil-
ter condition is AND.

6. To delete a filter condition, hover your mouse on that condition and then click the icon.

To close the filter, click the icon on the right side of the row.

Save the filter conditions.

1. After adding the filter conditions, click the + Filter after the next arrow, in the drop-down
menu, click Save Filters.

2. Specify the name of the filter condition to save. The maximum length of the name is 32 characters, and the name supports only Chinese and English characters and underscores.

3. Click the Save button on the right side of the text box.

4. To use the saved filter condition, double click the name of the saved filter condition.

5. To delete the saved filter condition, click on the right side of the filter condition.

Notes:
• You can add up to 20 filter conditions as needed.

• After the device has been upgraded, the saved filter condition will be cleared.

Searching Service Groups

Use the Filter to search for the service groups that match the filter conditions. The filter con-
ditions include service group name.

1. Click Object > Service Book > Service Group.

2. At the top-left corner of the page, click Filter. Then a new row appears at the top.

3. Click Filter to add a new filter condition. Then select a filter condition from the drop-down
menu and enter a value.

4. Press Enter to search for the service group that matches the filter conditions.

5. Repeat the above two steps to add more filter conditions. The relationship between each fil-
ter condition is AND.

6. To delete a filter condition, hover your mouse on that condition and then click the icon.

To close the filter, click the icon on the right side of the row.

Save the filter conditions.

1. After adding the filter conditions, click the Filter after the next arrow, in the drop-down
menu, click Save Filters.

2. Specify the name of the filter condition to save. The maximum length of the name is 32 characters, and the name supports only Chinese and English characters and underscores.

3. Click the Save button on the right side of the text box.

4. To use the saved filter condition, double click the name of the saved filter condition.

5. To delete the saved filter condition, click on the right side of the filter condition.

Notes:
• You can add up to 20 filter conditions as needed.

• After the device has been upgraded, the saved filter condition will be cleared.

Application Book
An application has specific attributes, such as its protocol, port number and application type. Applications are an essential element in the configuration of multiple device modules, including policy rules, NAT rules and application QoS management.
System ships with multiple predefined applications and predefined application groups. You can also create user-defined applications and application groups as needed. All of these applications and application groups are stored in and managed by the StoneOS application book.
If IPv6 is enabled, IPv6 applications will be recognized by StoneOS.

Editing a Predefined Application


You can view and use all the supported predefined applications and edit TCP timeout, but cannot
delete any of them. To edit a predefined application, take the following steps:

1. Select Object > APP Book > Application.

2. Select the application you want to edit from the application list, and click Edit.

3. In the Application Configuration dialog box, edit TCP timeout for the application.

Creating a User-defined Application


You can create your own user-defined applications. By configuring the customized application sig-
nature rules, system can identify and manage the traffic that crosses into the device, thus identi-
fying the type of the traffic.
To create a user-defined application, take the following steps:

1. Select Object > APP Book > Application.

2. Click New.

Configure the following options.

Option Description

Name Specify the name of the user-defined application.

Timeout Configure the application timeout value. If not configured, system will use the default value of the protocol.

Signature Select the signature of the application and then click Add.
To create a new signature, see "Creating a Signature Rule"
on Page 584.

Description Specify the description of the user-defined application.

3. Click OK.

Creating a User-defined Application Group
To create a user-defined application group, take the following steps:

1. Select Object > APP Book > Application Groups

2. Click New.

Configure the following options.

Option Description

Name Specifies a name for the new application group.

Member Add applications or application groups to the application group. System supports at most 8-layer nested application groups. Expand Application or Application Group from the left pane, select applications or application groups, and then click Add to add them to the right pane. To remove a selected application or application group, select it from the right pane, and then click Remove.

Description Specifies the description for the application group.

3. Click OK.

Creating an Application Filter Group
Application Filter Group allows you to create a group to filter applications according to applic-
ation category, sub-category, technology, risk, and attributes.
To create an application filter group, take the following steps:

1. Select Object > APP Book > Application Filters.

2. Click New.

3. Type an application filter group name in the Name text box.

4. Specify the filter conditions. Choose the category, subcategory, technology, risk and characteristic in sequence from the drop-down lists. You can click Clear Filter to clear all the selected filter conditions as needed.

5. Click OK.

Creating a Signature Rule


By configuring the customized application signature rules, system can identify and manage the
traffic that crosses into the device. When the traffic matches all of the conditions defined in the
signature rule, it hits this signature rule. Then system identifies the application type.
If IPv6 is enabled, traffic of IPv6 address will be recognized by StoneOS.
To create a new signature rule, take the following steps:

1. Select Object > APP Book > Static Signature Rule.

2. Click New.

Configure the following options.

Option Description

Type Specify the IP address type, including IPv4 and IPv6 address. If IPv6 is enabled, traffic of IPv6 address will be recognized by StoneOS.

Source

Zone Specify the source security zone of the signature rule.

Address Specify the source address. You can use the Address
Book type or the IP/Netmask type.

Destination

Address Specify the destination address. You can use the Address Book type or the IP/Netmask type.

Protocol

Enable Select the Enable button to configure the protocol of the signature rule.

Type When selecting TCP or UDP:

• Destination Port: Specify the destination port number of the user-defined application signature. If the destination port number is within a range, system will identify the value of min-port as the minimum port number and the value of max-port as the maximum port number. The range of destination port number is 0 to 66535. The port number cannot be 0. For example, the destination port number is in the range of 0 to 20, but it cannot be 0.

• Source Port: Specify the source port number of the user-defined application signature. If the source port number is within a range, system will identify the value of min-port as the minimum port number and the value of max-port as the maximum port number. The range of source port number is 0 to 66535.

When selecting ICMP or ICMPv6:

• When IPv4 is selected, select ICMP:

  • Type: Specify the value of the ICMP type of the application signature. The options are as follows: 0(Echo-Reply), 3(Destination-Unreachable), 4(Source Quench), 5(Redirect), 8(Echo), 11(Time Exceeded), 12(Parameter Problem), 13(Timestamp), 14(Timestamp Reply), 15(Information Request), 16(Information Reply), 17(Address Mask Request), 18(Address Mask Reply), 30(Traceroute), 31(Datagram Conversion Error), 32(Mobile Host Redirect), 33(IPv6 Where-Are-You), 34(IPv6 I-Am-Here), 35(Mobile Registration Request), 36(Mobile Registration Reply).

  • Min Code: Specify the value of the ICMP code of the application signature. The ICMP code is in the range of 0 to 15. The default value is 0.

• When IPv6 is selected, select ICMPv6:

  • Type: Specify the value of the ICMPv6 type of the application signature. The options are as follows: 1(Dest-Unreachable), 2(Packet Too Big), 3(Time Exceeded), 4(Parameter Problem), 100(Private experimentation), 101(Private experimentation), 127(Reserved for expansion of ICMPv6 error message), 128(Echo Request), 129(Echo Reply), 130(Multicast Listener Query), 131(Multicast Listener Report), 132(Multicast Listener Done), 133(Router Solicitation), 134(Router Advertisement), 135(Neighbor Solicitation), 136(Neighbor Advertisement), 137(Redirect Message), 138(Router Renumbering), 139(ICMP Node Information Query), 140(ICMP Node Information Response), 141(Inverse Neighbor Discovery Solicitation Message), 142(Inverse Neighbor Discovery Advertisement Message), 143(Version 2 Multicast Listener Report), 144(Home Agent Address Discovery Request Message), 145(Home Agent Address Discovery Reply Message), 146(Mobile Prefix Solicitation), 147(Mobile Prefix Advertisement), 148(Certification Path Solicitation Message), 149(Certification Path Advertisement Message), 150(ICMP message utilized by experimental mobility protocols such as Seamoby), 151(Multicast Router Advertisement), 152(Multicast Router Solicitation), 153(Multicast Router Termination), 154(FMIPv6 Messages), 200(Private experimentation), 201(Private experimentation) and 255(Reserved for expansion of ICMPv6 informational).

  • Min Code: Specify the value of the ICMPv6 code of the application signature. The ICMPv6 code is in the range of 0 to 255. The default value is 0.

When selecting Others:

• Protocol: Specify the protocol number of the application signature. The protocol number is in the range of 1 to 255.

Action

App-Signature Rule Select Enable to make this signature rule take effect after the configuration. Otherwise, it will not take effect.

Continue Dynamic Identification After enabling this function, if the traffic satisfies the user-defined signature rule and system has identified the application type, system will continue identifying the application. To be more accurate, you can enable this function so that system continues with dynamic identification.

3. Click OK.
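The table above says a flow hits a signature rule only when it matches all of the conditions defined in the rule. The following Python, added here as an example (it is not StoneOS code, and the class and function names are assumptions), models a static signature rule with the options from the table, validates the port and protocol-number ranges, and identifies a flow against an ordered list of rules, returning the matched application name together with the Continue Dynamic Identification flag. It treats Min Code as a lower bound on the ICMP code, which is an assumption.

```python
"""Static signature rule matching: a flow hits a rule only when every
configured condition matches. Added example; names are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Proto = Union[str, int]   # "tcp" / "udp" / "icmp" / "icmpv6", or a protocol number (Others)


@dataclass
class SignatureRule:
    name: str
    enabled: bool = True                        # App-Signature Rule: Enable
    ip_type: str = "ipv4"                       # Type: ipv4 or ipv6
    src_zone: Optional[str] = None              # Source > Zone
    src_net: Optional[str] = None               # Source > Address, IP/Netmask form
    dst_net: Optional[str] = None               # Destination > Address
    proto: Optional[Proto] = None               # Protocol > Type (None: protocol not enabled)
    dst_port: Optional[Tuple[int, int]] = None  # (min-port, max-port)
    src_port: Optional[Tuple[int, int]] = None
    icmp_type: Optional[int] = None
    icmp_min_code: int = 0
    continue_dynamic: bool = False              # Continue Dynamic Identification


@dataclass
class Flow:
    src_zone: str
    src_ip: str
    dst_ip: str
    proto: Proto
    src_port: int = 0
    dst_port: int = 0
    icmp_type: Optional[int] = None
    icmp_code: int = 0


def validate(rule: SignatureRule) -> None:
    """Reject ranges the WebUI would not accept (TCP/UDP ports are 16-bit values)."""
    for rng in (rule.dst_port, rule.src_port):
        if rng is not None and not 0 <= rng[0] <= rng[1] <= 65535:
            raise ValueError(f"{rule.name}: bad port range {rng}")
    if isinstance(rule.proto, int) and not 1 <= rule.proto <= 255:
        raise ValueError(f"{rule.name}: protocol number must be 1 to 255")


def _port_in(port: int, rng: Optional[Tuple[int, int]]) -> bool:
    # Port 0 never matches, as the table notes for a range such as 0 to 20.
    return rng is None or (port != 0 and rng[0] <= port <= rng[1])


def _ip_in(ip: str, net: Optional[str]) -> bool:
    return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def matches(rule: SignatureRule, flow: Flow) -> bool:
    """All configured conditions must hold; an unset condition is a wildcard."""
    want_ver = 4 if rule.ip_type == "ipv4" else 6
    if ipaddress.ip_address(flow.src_ip).version != want_ver:
        return False
    if rule.src_zone is not None and rule.src_zone != flow.src_zone:
        return False
    if not (_ip_in(flow.src_ip, rule.src_net) and _ip_in(flow.dst_ip, rule.dst_net)):
        return False
    if rule.proto is None:
        return True
    if rule.proto != flow.proto:
        return False
    if rule.proto in ("tcp", "udp"):
        return _port_in(flow.dst_port, rule.dst_port) and _port_in(flow.src_port, rule.src_port)
    if rule.proto in ("icmp", "icmpv6"):
        # Assumption: Min Code is a lower bound on the ICMP code carried by the flow.
        return (rule.icmp_type is None or rule.icmp_type == flow.icmp_type) \
            and flow.icmp_code >= rule.icmp_min_code
    return True   # Others: the protocol number was already compared above


def identify(rules: List[SignatureRule], flow: Flow) -> Tuple[Optional[str], bool]:
    """First enabled rule that hits wins. Returns (application name, keep identifying?)."""
    for rule in rules:
        if rule.enabled and matches(rule, flow):
            return rule.name, rule.continue_dynamic
    return None, True    # no static hit: leave it to dynamic identification
```

A disabled rule is skipped entirely, which is what the App-Signature Rule option describes, and a miss returns "keep identifying" so the caller falls back to the built-in dynamic identification.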

Viewing Details
To view the details of an application entry, including the name, category, risk and reference, take
the following steps:

1. Click Object > APP Book > Application.

2. In the application dialog box, select "+" before an address entry from the member list, and
view the details under the entry.

SSL Proxy
This feature may not be available on all platforms. Check the actual page of your system to see whether your device provides this feature.
To ensure the security of sensitive data when it is transmitted over networks, more and more websites adopt SSL encryption to protect their information. The device provides the SSL proxy function to decrypt HTTPS/POP3S/SMTPS/IMAPS traffic. The SSL proxy function works in the following two scenarios:
In the first scenario, the device works as the gateway of Web clients. The SSL proxy function replaces the certificates of encrypted websites with the SSL proxy certificate to get the encrypted information and sends the SSL proxy certificate to the client's Web browser. During the process, the device acts as an SSL client and an SSL server to establish connections to the Web server and the Web browser respectively. The SSL proxy certificate is generated by using the device's local certificate to re-sign the website certificate. The process is described as below:

In the second scenario, the device works as the gateway of Web servers. The device with SSL proxy enabled can work as the SSL server, use the certificate of the Web server to establish the SSL connection with Web clients (Web browsers), and send the decrypted traffic to the internal Web server.

Work Mode
There are two work modes. For the first scenario, the SSL proxy function can work in the "Client Inspection - Proxy" mode; for the second scenario, the SSL proxy function can work in the "Server Inspection - Offload" mode and the "Server Inspection - Proxy" mode.
When the SSL proxy function works in the "Client Inspection - Proxy" mode, it can perform the
SSL proxy on specified websites.

For the websites that do not need SSL proxy, it dynamically adds the IP address and port of the
websites to a bypass list, and the HTTPS/POP3S/SMTPS/IMAPS traffic will be bypassed.
For the websites proxied by the SSL proxy function, the device will check the parameters of the
SSL negotiation. When a parameter matches an item in the checklist, the corresponding
HTTPS/POP3S/SMTPS/IMAPS traffic can be blocked or bypassed according to the action you
specified.

• If the action is Block, the HTTPS/POP3S/SMTPS/IMAPS traffic will be blocked by the device.

• If the action is Bypass, the HTTPS/POP3S/SMTPS/IMAPS traffic will not be decrypted. Meanwhile, the device will dynamically add the IP address and port number of the website to the bypass list, and the HTTPS/POP3S/SMTPS/IMAPS traffic will be bypassed.

The device will decrypt the HTTPS/POP3S/SMTPS/IMAPS traffic that is not blocked or bypassed.
When the SSL proxy function works in the "Server Inspection - Offload" mode, it will proxy the
SSL connections initialized by Web clients, decrypt the HTTPS traffic, and send the HTTPS
traffic as plaintext to the Web server.
When the SSL proxy function works in the "Server Inspection - Proxy" mode, it will proxy the
SSL connections initialized by Web clients, decrypt the HTTPS traffic, and re-encrypt the traffic
and send it to the Web server.
You can integrate SSL proxy function with the following:

• Integrate with the application identification function. Devices can decrypt the HTTPS/POP3S/SMTPS/IMAPS traffic encrypted using SSL by the applications and identify the application. After the application identification, you can configure the policy rule, QoS, session limit, and policy-based route.

• Support unilateral SSL proxy in WebAuth. The SSL client can use an SSL connection during the authentication stage. When authentication is completed, SSL proxy no longer takes effect, and the client and server communicate directly without SSL encryption.

• Integrate with AV, IPS, Antispam, Sandbox, Content Filter, File Filter and URL filter. Devices can perform AV protection, IPS protection, Sandbox protection, Content filter, File filter, File content filter and URL filter on the decrypted HTTPS/POP3S/SMTPS/IMAPS traffic, can perform the File content filter, Web content, Web posting, HTTP/FTP control on the decrypted HTTPS traffic, and can perform the Email filter on the decrypted POP3S/SMTPS/IMAPS traffic.

Working as the Gateway of Web Clients


To implement the SSL proxy, you need to bind an SSL proxy profile to the policy rule. After bind-
ing the SSL proxy profile to a policy rule, system will use the SSL proxy profile to deal with the
traffic that matches the policy rule. To implement the SSL proxy, take the following steps:

1. Configure the corresponding parameters of SSL negotiation, including the following items:
specify the PKI trust domain of the device certificates, obtain the CN value of the subject
field from the website certificate, and import a device certificate to the Web browser.

2. Configure an SSL proxy profile, including the following items: choose the work mode, con-
figure the actions to the HTTPS/POP3S/SMTPS/IMAPS traffic when its SSL negotiation
matches the item in the checklist, enable the audit warning page, and so on.

3. Bind an SSL proxy profile to a proper policy rule. The device will decrypt the
HTTPS/POP3S/SMTPS/IMAPS traffic that matches the policy rule and is not blocked or
bypassed by the device.

Configuring SSL Proxy Parameters

Configuring SSL proxy parameters includes the following items:

• Specify the PKI trust domain of the device certificate

• Obtain the CN value of the website certificate

• Import a device certificate to a Web browser

Specifying the PKI Trust Domain of Device Certificate

By default, the certificate of the default trust domain trust_domain_ssl_proxy_2048 will be used
to generate the SSL proxy certificate with the Web server certificate together, and then system
will issue the generated SSL proxy certificate to the client. You can specify another PKI trust
domain in system as the trust domain of the device certificate. The specified trust domain must
have a CA certificate, local certificate, and the private key of the local certificate. To specify a
trust domain, take the following steps:

1. Click Policy > SSL Proxy.

2. At the top-right corner of the page, click Trust Domain Configuration.

3. Select a trust domain from the Trust domain drop-down list.

• The trust domain trust_domain_ssl_proxy uses RSA with a modulus size of 1024 bits.

• The trust domain trust_domain_ssl_proxy_2048 uses RSA with a modulus size of 2048 bits.

4. Click OK to save the settings.

Obtaining the CN Value

To get the CN value in the Subject field of the website certificate, take the following steps (take
www.gmail.com as the example):

1. Open the IE Web browser, and visit https://www.gmail.com.

2. Click the Security Report button ( ) next to the URL.

3. In the pop-up dialog box, click View certificates.

4. In the Details tab, click Subject. You can view the CN value in the text box.

Importing Device Certificate to Client Browser

In the proxy process, the SSL proxy certificate will be used to replace the website certificate.
However, there is no SSL proxy certificate's root certificate in the client browser, and the client
cannot visit the proxy website properly. To address this problem, you have to import the root cer-
tificate (certificate of the device) to the browser.
First, export the device certificate to the local PC:

1. Export the device certificate to local PC. Select System > PKI.

2. In the Management tab in the PKI Management dialog box, configure the options as below:

• Trust domain: trust_domain_ssl_proxy or trust_domain_ssl_proxy_2048

• Content: CA certificate

• Action: Export

3. Click OK and select the path to save the certificate. The certificate will be saved to the spe-
cified location.

Then, import the device certificate to the client browser. Take Internet Explorer as an example:

1. Open IE.

2. From the toolbar, select Tools > Internet Options.

3. In the Content tab, click Certificates.

4. In the Certificates dialog box, click the Trusted Root Certification Authorities tab.

5. Click Import. Import the certificate following the Certificate Import Wizard.

Configuring an SSL Proxy Profile

On the SSL Proxy Configuration page, you can choose the work mode, configure the actions to
the HTTPS/POP3S/SMTPS/IMAPS traffic when its SSL negotiation matches the item in the
checklist, enable the audit warning page, and so forth. System supports up to 32 SSL proxy pro-
files.
To configure an SSL proxy profile, take the following steps:

1. Select Object > SSL Proxy > SSL Proxy.

2. Click New in the upper right corner to create a new SSL proxy profile.

In the Basic tab, configure the settings.

Option Description

Name Specify the name of the SSL proxy profile.

Description Add the description of the SSL proxy file.

Mode When the device works as the gateway of Web clients, the SSL proxy function can work in the client-inspection proxy mode. When the device works as the gateway of Web servers, the SSL proxy function can work in the server-inspection proxy/offload mode.

• In the client-inspection proxy mode, the device will proxy the SSL connection from the client, and decrypt and inspect its data.

• In the server-inspection proxy mode, the device will proxy the SSL connections initialized by Web clients, decrypt the HTTPS traffic, re-encrypt the data and send the HTTPS traffic to the Web server.

• In the server-inspection offload mode, the device will proxy the SSL connections initialized by Web clients, decrypt the HTTPS traffic, and send the HTTPS traffic as plaintext to the Web server.

App Inspection Select an application to be proxied by the SSL proxy function. Currently, system supports performing SSL proxy on the HTTPS, POP3S, SMTPS and IMAPS traffic passing through the default port. By default, only the HTTPS traffic will be proxied, but you can select multiple applications as needed. To make sure the HTTPS/POP3S/SMTPS/IMAPS traffic passing through user-defined ports will be proxied by the function, you can configure the user-defined ports in Object > APP Book > Static Signature Rule.
Note: Only the predefined applications created in Object > APP Book > Application can be proxied by the SSL proxy function.

Root Certificate Push Click the Enable button to enable the Root Certificate Push. When the HTTPS traffic is decrypted by the SSL proxy function, the Install Root Certificate page will display in your Web browser. On the Install Root Certificate page, you can select Download or Downloaded, Ignored as needed.

• Download: Click the button to download the root certificate to your local PC. For details on importing a root certificate to your Web browser, refer to Importing Device Certificate to Client Browser.

• Downloaded, Ignored: If you click the button, system will no longer push the Install Root Certificate page, and will redirect you to the page you want to visit.
Notes:

• When the Install Root Certificate page appears, if you close the browser without selecting either Download or Downloaded, Ignored, system will still push the page for your next HTTPS request.

• You must install the root certificate. If you do not install the root certificate, system will prompt that the access is not secure, and therefore the access page may not be loaded completely.
Click the Enable button again to disable the Root Certificate Push. With the function disabled, when the client initiates an HTTPS request:

• If the root certificate has been installed in your Web browser, you will be redirected to the page you want to visit.

• If the root certificate has not been installed in your Web browser, you will see a prompt that the page you are visiting is not secure.

In the Decryption Configuration tab, configure the following options. After the system com-
pletes inspection of the SSL negotiation, the HTTPS/POP3S/SMTPS/IMAPS traffic that
is not blocked or bypassed will be decrypted. If the parameters match multiple items in the
checklist and you have configured different actions for different items, the Block action will
take effect, and the corresponding traffic will be blocked.

Encryption mode check

Unsupported version Check the SSL protocol version used by the server.

• When the SSL protocol used by the SSL server is not supported in system, you can select Block to block its HTTPS/POP3S/SMTPS/IMAPS traffic, or select Bypass to bypass its HTTPS/POP3S/SMTPS/IMAPS traffic. The default action is to bypass the HTTPS/POP3S/SMTPS/IMAPS traffic.

• When the SSL protocol used by the SSL server is supported, it will continue to check other items.

Unsupported encryption algorithms Check the encryption algorithm used by the server.

• When the encryption algorithm used by the SSL server is not supported in system, you can select Block to block its HTTPS/POP3S/SMTPS/IMAPS traffic, or select Bypass to bypass its HTTPS/POP3S/SMTPS/IMAPS traffic. The default action is to bypass the HTTPS/POP3S/SMTPS/IMAPS traffic.

• When the encryption algorithm used by the SSL server is supported, it will continue to check other items.

Unknown Error Check for unknown errors.

• When SSL negotiation fails and the cause of failure cannot be confirmed, you can select Block to block its HTTPS/POP3S/SMTPS/IMAPS traffic, or select Bypass to bypass its HTTPS/POP3S/SMTPS/IMAPS traffic. The default action is to bypass the HTTPS/POP3S/SMTPS/IMAPS traffic.

• When system does not need to check for an unknown failure, it will continue to check other items.

Minimum Supported Version Specify the minimum SSL protocol version supported by the system. When the SSL protocol version used by the SSL server meets the requirements, the system can proxy its HTTPS/POP3S/SMTPS/IMAPS traffic.

Maximum Supported Version Specify the maximum SSL protocol version supported by the system. When the SSL protocol version used by the SSL server meets the requirements, the system can proxy its HTTPS/POP3S/SMTPS/IMAPS traffic.

Server certificate check

Expired certificate Check the certificate used by the server. When the certificate has expired, you can select Block to block its HTTPS/POP3S/SMTPS/IMAPS traffic, select Bypass to bypass its HTTPS/POP3S/SMTPS/IMAPS traffic, or select Decrypt to decrypt the HTTPS/POP3S/SMTPS/IMAPS traffic. The default action is to decrypt the HTTPS/POP3S/SMTPS/IMAPS traffic.

Client verification Check whether the SSL server verifies the client certificate.

• When the SSL server verifies the client certificate, you can select Block to block its HTTPS/POP3S/SMTPS/IMAPS traffic, or select Bypass to bypass its HTTPS/POP3S/SMTPS/IMAPS traffic. The default action is to bypass the HTTPS/POP3S/SMTPS/IMAPS traffic.

• When the SSL server does not verify the client certificate, it will continue to check other items.

Verification Failed Verify the server certificate. You can configure an action for the HTTPS/POP3S/SMTPS/IMAPS traffic when the certificate fails verification. The default action is to decrypt the HTTPS/POP3S/SMTPS/IMAPS traffic.

• Decrypt: Decrypt the HTTPS/POP3S/SMTPS/IMAPS traffic when the certificate fails verification, and select whether to use the self-signed certificate.

  • Use the self-signed certificate: Click the Enable button to use the self-signed certificate to complete the SSL negotiation with the Web browser. In this case, your browser will prompt a warning message.

  • Do not use the self-signed certificate: Click the Enable button again to disable the self-signed certificate. Then, the system will use the trusted certificate "SG6000" to complete the SSL negotiation with the Web browser. If the certificate "SG6000" has been installed, your browser will not prompt a warning message.

• Block: Block the HTTPS/POP3S/SMTPS/IMAPS traffic when the certificate fails verification.

• Bypass: Bypass the HTTPS/POP3S/SMTPS/IMAPS traffic when the certificate fails verification.

3. Click OK to save the settings.
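The Decryption Configuration tab above lists the checklist items, their default actions, and the precedence rule that Block takes effect when several matched items carry different actions; the Work Mode section earlier explains that a Bypass also adds the server's IP address and port to a dynamic bypass list. The following Python, added here as an example (not StoneOS code; the profile fields, the version labels, the sample cipher names and the function names are assumptions), carries those rules through for one observed SSL negotiation and returns the final action together with the items that were hit.

```python
"""Decision logic of the Decryption Configuration tab, including the dynamic
bypass list. Added example; field and function names are assumptions."""
from dataclasses import dataclass
from typing import List, Set, Tuple

BLOCK, BYPASS, DECRYPT = "block", "bypass", "decrypt"

# Protocol versions in order, so min/max supported version can be compared (assumed labels).
VERSION_ORDER = ["SSLv3", "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]


@dataclass
class DecryptionProfile:
    # Encryption mode check: the defaults are the ones the table gives.
    unsupported_version: str = BYPASS
    unsupported_cipher: str = BYPASS
    unknown_error: str = BYPASS
    min_version: str = "TLS1.0"     # assumed default
    max_version: str = "TLS1.3"     # assumed default
    supported_ciphers: frozenset = frozenset({"TLS_AES_128_GCM_SHA256",
                                              "ECDHE-RSA-AES128-GCM-SHA256"})  # sample set
    # Server certificate check
    expired_certificate: str = DECRYPT
    client_verification: str = BYPASS
    verification_failed: str = DECRYPT


@dataclass
class Negotiation:
    """What the device observes while proxying one SSL handshake (constructed input)."""
    server_ip: str
    server_port: int
    version: str
    cipher: str
    cert_expired: bool = False
    cert_verified: bool = True
    server_requests_client_cert: bool = False
    unknown_error: bool = False


def version_supported(profile: DecryptionProfile, version: str) -> bool:
    if version not in VERSION_ORDER:
        return False
    idx = VERSION_ORDER.index
    return idx(profile.min_version) <= idx(version) <= idx(profile.max_version)


def matched_items(profile: DecryptionProfile, neg: Negotiation) -> List[Tuple[str, str]]:
    """Every checklist item the negotiation hits, paired with its configured action."""
    hits = []
    if neg.unknown_error:
        hits.append(("unknown_error", profile.unknown_error))
    if not version_supported(profile, neg.version):
        hits.append(("unsupported_version", profile.unsupported_version))
    if neg.cipher not in profile.supported_ciphers:
        hits.append(("unsupported_cipher", profile.unsupported_cipher))
    if neg.cert_expired:
        hits.append(("expired_certificate", profile.expired_certificate))
    if neg.server_requests_client_cert:
        hits.append(("client_verification", profile.client_verification))
    if not neg.cert_verified:
        hits.append(("verification_failed", profile.verification_failed))
    return hits


def decide(profile: DecryptionProfile, neg: Negotiation,
           bypass_list: Set[Tuple[str, int]]) -> Tuple[str, List[Tuple[str, str]]]:
    """Final action for this connection. Block wins over Bypass, Bypass over Decrypt,
    as the tab describes; a Bypass adds (ip, port) to the dynamic bypass list."""
    key = (neg.server_ip, neg.server_port)
    if key in bypass_list:                   # already bypassed: no further checks
        return BYPASS, []
    hits = matched_items(profile, neg)
    actions = {action for _, action in hits}
    if BLOCK in actions:
        return BLOCK, hits
    if BYPASS in actions:
        bypass_list.add(key)
        return BYPASS, hits
    return DECRYPT, hits
```

With the defaults, a server that still negotiates SSLv3 is bypassed and lands on the bypass list, so the next connection to the same address and port skips the checks; with the unsupported version action changed to Block, the same server is blocked even if another matched item says Bypass, and nothing is added to the bypass list.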

Working as the Gateway of Web Servers


To implement an SSL proxy, you need to bind an SSL proxy profile to the policy rule. After bind-
ing the SSL proxy profile to a policy rule, the system will use the SSL proxy profile to deal with
the traffic that matches the policy rule. To implement SSL proxy, take the following steps:

1. Configure an SSL proxy profile. You can choose the work mode, specify the trust domain of
the Web server certificate and the HTTP port number of the Web server.

2. Bind an SSL proxy profile to a proper policy rule. The device will decrypt the HTTPS traffic
that matches the policy rule.

Configuring an SSL Proxy Profile

On the SSL Proxy Configuration page, you can configure options such as the work mode, the
trust domain of the Web server certificate, and the HTTP port number of the Web server.
To configure an SSL proxy profile, take the following steps:

1. Select Policy > SSL Proxy > SSL Proxy.

2. Click New in the upper right corner to create a new SSL proxy profile.

In the Basic tab, configure the following options.

Option Description

Name Specify the name of the SSL proxy profile.

Description Add the description of the SSL proxy Profile.

Mode Select the server-inspection proxy/offload mode. When the device works as the gateway of Web servers, the SSL proxy function can work in this mode.

Service Port Specify the HTTP port number of the Web server when
the device works in the server-inspection proxy/offload
mode.

Server Trust Since the device will work as the SSL server and use the
Domain certificate of the Web server to establish the SSL con-
nection with Web clients (Web browsers), you need to
import the certificate and the key pair into a trust domain
in the device. For more information about importing the
certificate and the key pair, see "PKI" on Page 391.
After you complete the importing, select the trust domain
used by this SSL Profile.

Warning Select Enable to enable the warning page. When the HTTPS traffic is decrypted by the SSL proxy function, the request to an HTTPS website will be redirected to a warning page of SSL proxy. On this page, system notifies users that their access to HTTPS websites is being monitored and asks them to protect their privacy.

3. Click OK to save the settings.

Binding an SSL Proxy Profile to a Policy Rule


After binding the SSL proxy profile to a policy rule, system will process the traffic that is matched
to the rule according to the profile configuration. To bind the SSL proxy profile to a policy rule,
see "Security Policy" on Page 788.

Configuring Domain White List


Websites that do not need or support SSL proxy can be added to the domain white list. The system provides a predefined domain white list holding the sites that do not support SSL proxy, for example sites that require client certificate authentication or sites with fixed website certificates. You can also add sites to the domain white list as needed. The sites on the predefined domain white list cannot be edited or deleted.

Creating a User-defined Domain White List

If you choose not to decrypt a site out of service concerns, privacy concerns, or other voluntary reasons, you can add it to the domain white list. The device will not perform the SSL proxy function for the sites on the white list. To create a user-defined domain white list, take the following steps:

1. Select Object > SSL Proxy > Domain White List.

2. Click New to create a new domain white list entry.

On the Whitelist Configuration page, configure the following options.

Domain: Enter the domain of the domain white list entry. You can enter 1 to 63 characters; the domain is case sensitive. You can use the wildcard "*" in the domain. The wildcard "*" can only be used once and must be placed at the beginning of the domain, such as "*.hillstonenet.com".

Description: Enter the description of the user-defined domain white list entry. You can enter 1 to 63 characters.

Free Proxy: Click the Enable or Disable button to enable or disable this domain white list entry.

3. Click OK.
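The wildcard and case-sensitivity rules above can be checked with a small matcher. The following Python is an added example, not StoneOS code; it assumes, since the page does not say, that a leading "*" must match at least one character, so "*.hillstonenet.com" does not match the bare "hillstonenet.com". The class and function names are the example's own.

```python
"""Domain white list matching for SSL proxy exemption.

Added example, not StoneOS code. It models the entry rules on this page
(1 to 63 characters, case sensitive, a single leading "*" wildcard), the
per-entry Free Proxy switch, and the rule that predefined entries cannot
be deleted. Assumption not stated on the page: a leading "*" matches one
or more characters.
"""
from dataclasses import dataclass
from typing import Iterable, List

MAX_DOMAIN_LEN = 63


def validate_domain_pattern(pattern: str) -> str:
    """Reject patterns that the Whitelist Configuration page would not accept."""
    if not 1 <= len(pattern) <= MAX_DOMAIN_LEN:
        raise ValueError(f"domain must be 1 to {MAX_DOMAIN_LEN} characters")
    stars = pattern.count("*")
    if stars > 1:
        raise ValueError('the wildcard "*" can only be used once')
    if stars == 1 and not pattern.startswith("*"):
        raise ValueError('the wildcard "*" must be at the beginning of the domain')
    return pattern


def domain_matches(pattern: str, host: str) -> bool:
    """Case-sensitive comparison of a requested host name against one entry."""
    validate_domain_pattern(pattern)
    if pattern.startswith("*"):
        suffix = pattern[1:]
        # Assumption: the wildcard must consume at least one character.
        return len(host) > len(suffix) and host.endswith(suffix)
    return host == pattern


@dataclass(frozen=True)
class WhiteListEntry:
    domain: str
    description: str = ""
    free_proxy: bool = True      # the Enable/Disable button on the page
    predefined: bool = False     # predefined entries cannot be edited or deleted


class DomainWhiteList:
    """Predefined plus user-defined entries; only enabled entries bypass the proxy."""

    def __init__(self, entries: Iterable[WhiteListEntry] = ()):
        self._entries: List[WhiteListEntry] = []
        for entry in entries:
            self.add(entry)

    def add(self, entry: WhiteListEntry) -> None:
        validate_domain_pattern(entry.domain)
        self._entries.append(entry)

    def delete(self, domain: str) -> None:
        for entry in self._entries:
            if entry.domain == domain:
                if entry.predefined:
                    raise PermissionError("predefined entries cannot be deleted")
                self._entries.remove(entry)
                return
        raise KeyError(domain)

    def bypass_proxy(self, host: str) -> bool:
        """True when the SSL proxy should leave this host's traffic alone."""
        return any(domain_matches(e.domain, host)
                   for e in self._entries if e.free_proxy)
```

The host name compared here would in practice be the server name the client sends in the TLS handshake (SNI), which is the only name the proxy sees before deciding whether to decrypt.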

Editing a User-defined Domain White List

To edit a user-defined domain white list, take the following steps:

1. Select Object > SSL Proxy > Domain White List.

2. On the domain white list, select the entry to edit and click Edit.

3. On the Whitelist Configuration page, edit the description information and the Free Proxy
status of the selected site.

4. Click OK.

Deleting a User-defined Domain White List

To delete a user-defined domain white list, take the following steps:

1. Select Object > SSL Proxy > Domain White List.

2. On the domain white list, select the entry to delete and click Delete.

3. Click Delete in the pop-up dialog box to delete this site from the domain white list.

Exporting the Domain White List

The system exports the domain white list as a .csv file whose content is the real-time domain white list information in the system. To export the domain white list from the system to your local computer, take the following steps:

1. Select Object > SSL Proxy > Domain White List.

2. Click Export.

Configuring the IP Whitelist


The device will not perform the SSL proxy function for traffic from the IPs listed on the IP whitelist. You can add IPs whose traffic does not need or support SSL proxy to the IP whitelist. The IP whitelist consists of a dynamic IP whitelist and a static IP whitelist.

Configuring Dynamic IP Whitelist

When the device works as the gateway of Web clients, the system automatically adds an IP address to the dynamic IP whitelist when both of the following conditions are met: the traffic from this IP cannot be SSL proxied by the system, and the action for this traffic is bypass. From then on, the system will not perform the SSL proxy function for traffic from the IPs listed on the IP whitelist. For more information on the configuration of the SSL proxy profile, see Configuring an SSL Proxy Profile. Traffic from an IP that was added to the dynamic IP whitelist because it could not be proxied will be proxied again after the validity time expires. You can configure the validity time of the IPs on the dynamic IP whitelist. The system automatically deletes dynamic IPs from the whitelist after their validity time expires; it checks the dynamic IPs on the whitelist every hour and deletes the expired ones.

Configuring the Validity Time of the Dynamic IP Whitelist

To configure the validity time of the dynamic IPs on the whitelist, take the following steps:

1. Select Object > SSL Proxy > IP WhiteList.

2. Click the Validity Configuration.

On the Validity Configuration page, configure the following option.

Validity: Specify the validity time of the dynamic IPs on the whitelist, in days. The range is 1 to 30 days; the default is 15 days.

3. Click OK.

Notes: After you modify the SSL Profile policy or change the validity time of the dynamic IPs on the whitelist, the system deletes all current dynamic IPs on the whitelist.

Configuring the Dynamic IPs on the Whitelist to be Permanently Valid

To prevent specified dynamic IPs on the whitelist from being automatically deleted by the system, you can configure them to be permanently valid. To configure a dynamic IP on the whitelist to be permanently valid, take the following steps:

1. Select Object > SSL Proxy > IP WhiteList.

2. On the IP whitelist, select the IP that needs to be set permanently valid and click Set IP
Persistent.

3. Click OK.

Configuring Static IP Whitelist

The device will not perform the SSL proxy function for traffic from the IPs on the IP whitelist. You can create static IPs on the whitelist as needed; static IPs on the whitelist never expire. To create a static IP on the whitelist, take the following steps:

1. Select Object > SSL Proxy > IP WhiteList.

2. Click New.

On the IP Whitelist Configuration page, configure the following options.

Type: Specify the IP type of the static IP on the whitelist, IPv4 or IPv6.

IP: Specify the IP address of the static IP on the whitelist.

TCP Port: Specify the TCP port of the static IP on the whitelist.

3. Click OK.

Deleting IP Whitelist

To delete the IP on the whitelist, take the following steps:

1. Select Object > SSL Proxy > IP WhiteList.

2. On the IP whitelist page, select the IP that needs to be deleted and click Delete.

3. Click Delete in the pop-up dialog box to delete this IP from the IP whitelists.

Notes: The total number of IPs that can be listed on the whitelist varies by platform. When the number of IP addresses on the whitelist exceeds its upper limit, the system generates event logs to remind you to clear IPs from the whitelist.
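To make the lifetime rules of the dynamic and static IP whitelist concrete, here is an added Python model (not StoneOS code) of an IP whitelist that expires dynamic entries after the configured validity time, keeps persistent and static entries, runs the hourly cleanup, and drops all dynamic entries when the validity time changes, as the Notes above describe. The class and method names are the example's own; time is passed as a number of seconds so the behaviour can be stepped through.

```python
"""IP whitelist with expiring dynamic entries and permanent static entries.

Added example, not StoneOS code. It models the behaviour described on this
page: dynamic entries expire after a validity of 1 to 30 days (default 15),
an hourly sweep removes expired entries, "Set IP Persistent" exempts a
dynamic entry from expiry, static entries never expire, and changing the
validity time drops every current dynamic entry. Time is passed in as
seconds so the behaviour can be stepped through deterministically.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
import ipaddress

DAY = 86400


@dataclass
class IpEntry:
    ip: str
    added: int                    # seconds
    static: bool = False          # created by hand, carries a TCP port
    persistent: bool = False      # dynamic entry marked permanently valid
    tcp_port: Optional[int] = None


class IpWhiteList:
    def __init__(self, validity_days: int = 15):
        self.entries: Dict[str, IpEntry] = {}
        self.validity = self._check_days(validity_days)

    @staticmethod
    def _check_days(days: int) -> int:
        if not 1 <= days <= 30:
            raise ValueError("validity must be 1 to 30 days")
        return days * DAY

    def add_dynamic(self, ip: str, now: int) -> None:
        """Called when traffic from ip could not be proxied and the profile action is bypass."""
        ipaddress.ip_address(ip)      # accepts IPv4 and IPv6, rejects anything else
        self.entries[ip] = IpEntry(ip=ip, added=now)

    def add_static(self, ip: str, tcp_port: int, now: int) -> None:
        ipaddress.ip_address(ip)
        if not 1 <= tcp_port <= 65535:
            raise ValueError("TCP port must be 1 to 65535")
        self.entries[ip] = IpEntry(ip=ip, added=now, static=True, tcp_port=tcp_port)

    def set_persistent(self, ip: str) -> None:
        """The 'Set IP Persistent' action: the entry is no longer subject to expiry."""
        self.entries[ip].persistent = True

    def set_validity(self, days: int) -> List[str]:
        """Change the validity time; as the Notes say, every dynamic entry is dropped."""
        self.validity = self._check_days(days)
        dropped = [ip for ip, e in self.entries.items() if not e.static]
        for ip in dropped:
            del self.entries[ip]
        return dropped

    def expired(self, entry: IpEntry, now: int) -> bool:
        if entry.static or entry.persistent:
            return False
        return now - entry.added >= self.validity

    def sweep(self, now: int) -> List[str]:
        """The hourly cleanup job; returns the IPs it removed."""
        gone = [ip for ip, e in self.entries.items() if self.expired(e, now)]
        for ip in gone:
            del self.entries[ip]
        return gone

    def bypass_proxy(self, ip: str, now: int) -> bool:
        """True while an entry exists and is still within its validity time."""
        entry = self.entries.get(ip)
        return entry is not None and not self.expired(entry, now)
```

Because the sweep only runs hourly, an expired entry may still be present in the table for up to an hour; the lookup therefore checks the expiry itself rather than relying on the sweep.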

SLB Server Pool
The SLB function uses a load balancing algorithm to distribute traffic, which makes fuller use of the intranet servers' resources. You can use the following methods to balance the server load:

• Distribute the traffic to the specified port of each intranet server. This applies to the scenario in which different intranet servers provide the same service via a specified port at the same time.

• Distribute the traffic to different ports of one intranet server. This applies to the scenario in which an intranet server provides the same service by running the same process on different ports.

• Combine the above two methods.

Configuring SLB Server Pool and Track Rule


To configure an SLB server pool and track rule, take the following steps:

1. Select Object > SLB Server Pool.

2. Click New. The SLB Server Pool Configuration dialog box appears.

In the SLB Server Pool Configuration dialog box, configure the following options.

Name: Specifies the name of the SLB server pool.

Type: Specifies the type of the SLB server pool, IPv4 or IPv6.

Algorithm: Select an algorithm for load balancing.

Member:

Member: Specifies a member of the pool. You can type an IP range, or an IP address and netmask.

Port: Specifies the port number of the server.

Maximum Sessions: Specifies the maximum number of sessions allowed for the server. The value ranges from 0 to 1,000,000,000. The default value is 0, which means no limit.

Weight: Specifies the traffic forwarding weight of the member during load balancing. The value ranges from 1 to 255.

Add: Adds the SLB address pool member to the SLB server pool. You can add up to 256 members.

Track:

Track Type: Selects a track type.

Port: Specifies the port number that will be tracked. The value ranges from 0 to 65535.

• When the members in the SLB server pool have the same IP address and different ports, you do not need to specify the port when configuring the track rule. The system tracks each IP address and its port in the SLB server pool.

• When a member whose port is not configured exists in the SLB server pool, you must specify the port when configuring the track rule. The system tracks the specified port of the IP addresses in the SLB server pool.

• When all members in the SLB server pool are configured with IP addresses and ports, and these IP addresses differ from each other, you can choose whether to specify the port when configuring the track rule. If specified, the system tracks the specified port of these IP addresses; if not, it tracks the configured ports of the members' IP addresses.

Interface: Specifies the source interface of the track rule. The system uses the IP address of the specified interface as the source IP address of the Ping/TCP/UDP packets it sends.

Interval: Specifies the interval between Ping/TCP/UDP packets, in seconds. The value ranges from 3 to 255.

Retries: Specifies a retry threshold. If no response packet is received after the specified number of retries, the system determines that this track entry fails, i.e., the track entry is unreachable. The value ranges from 1 to 255.

Weight: Specifies the weight this track entry contributes to the overall failure of the whole track rule if the entry fails. The value ranges from 1 to 255.

Add: Click Add to add the configured track rule to the list.

Threshold: Type the threshold for the track rule into the Threshold box. The value ranges from 1 to 255. If the sum of the weights of the failed entries in the track rule exceeds the threshold, the system concludes that the track rule fails.

Description: Type the description for this track rule.

3. Click OK to save the settings.
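The interaction between member weights, Maximum Sessions and the track rule threshold is easier to see in code. The following Python is an added example, not StoneOS code: the track rule fails when the summed weight of failed entries exceeds the threshold, members that have reached Maximum Sessions are skipped, and new sessions are spread in proportion to weight. The page does not name the algorithms in the Algorithm drop-down, so smooth weighted round-robin is used here as an assumption, and the class names are the example's own.

```python
"""SLB server pool: weighted member selection and track-rule evaluation.

Added example, not StoneOS code. It models the pool options on this page
(member weight 1-255, Maximum Sessions with 0 meaning no limit, up to 256
members) and the track rule (per-entry weight, a threshold of 1-255, and
the rule failing when the summed weight of failed entries exceeds the
threshold). The selection algorithm is an assumption: smooth weighted
round-robin, since the page does not name the algorithms it offers.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class TrackEntry:
    track_type: str              # e.g. "ping", "tcp", "udp"
    weight: int                  # 1-255, contribution to rule failure
    port: Optional[int] = None   # 0-65535, optional depending on pool layout
    interval: int = 3            # seconds between probes, 3-255
    retries: int = 3             # 1-255

    def validate(self) -> None:
        if not 1 <= self.weight <= 255:
            raise ValueError("track entry weight must be 1 to 255")
        if self.port is not None and not 0 <= self.port <= 65535:
            raise ValueError("track port must be 0 to 65535")
        if not 3 <= self.interval <= 255 or not 1 <= self.retries <= 255:
            raise ValueError("interval must be 3 to 255, retries 1 to 255")


@dataclass
class TrackRule:
    entries: List[TrackEntry]
    threshold: int               # 1-255

    def __post_init__(self) -> None:
        if not 1 <= self.threshold <= 255:
            raise ValueError("threshold must be 1 to 255")
        for e in self.entries:
            e.validate()

    def failed(self, entry_failed: List[bool]) -> bool:
        """entry_failed[i] is True when entry i got no reply after its retries."""
        lost = sum(e.weight for e, f in zip(self.entries, entry_failed) if f)
        return lost > self.threshold


@dataclass
class Member:
    ip: str
    port: int
    weight: int = 1              # 1-255
    max_sessions: int = 0        # 0 = no limit, else up to 1,000,000,000
    sessions: int = 0
    _current: int = field(default=0, repr=False)   # smooth-WRR running score

    def available(self) -> bool:
        return self.max_sessions == 0 or self.sessions < self.max_sessions


class ServerPool:
    MAX_MEMBERS = 256

    def __init__(self, members: List[Member], rule: TrackRule):
        if not members or len(members) > self.MAX_MEMBERS:
            raise ValueError("pool needs 1 to 256 members")
        for m in members:
            if not 1 <= m.weight <= 255:
                raise ValueError("member weight must be 1 to 255")
        self.members = members
        self.rule = rule

    def choose(self) -> Optional[Member]:
        """Smooth weighted round-robin over members that still accept sessions."""
        candidates = [m for m in self.members if m.available()]
        if not candidates:
            return None
        total = sum(m.weight for m in candidates)
        for m in candidates:
            m._current += m.weight
        best = max(candidates, key=lambda m: m._current)
        best._current -= total
        best.sessions += 1
        return best


def distribution(pool: ServerPool, picks: int) -> List[str]:
    """Member addresses chosen for `picks` new sessions, for inspection."""
    out = []
    for _ in range(picks):
        m = pool.choose()
        out.append(f"{m.ip}:{m.port}" if m else "none")
    return out
```

With members of weight 3 and 1, four consecutive picks go to the heavier member three times and to the lighter one once; a member whose Maximum Sessions is reached drops out of the rotation until a session is released.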

Viewing Details of SLB Pool Entries


To view the details of the servers in the SLB pool, take the following steps:

1. Click Object > SLB Server Pool.

2. Select "+" before an SLB pool entry.

3. In the Server List tab under the entry, view the information of the servers that are in this
SLB pool.

4. In the Monitoring tab, view the information of the track rules.

5. In the Referenced tab, view the DNAT rules that use the SLB pool.

Schedule
The system supports schedules. This function allows a policy rule to take effect in a specified time range and controls the duration of the connection between a PPPoE interface and the Internet. A schedule consists of a periodic schedule and an absolute schedule. The periodic schedule specifies a time point or time range for each periodic schedule entry, while the absolute schedule decides the time range in which the periodic schedule will take effect.

Periodic Schedule

A periodic schedule is the collection of periods specified by all of the schedule entries within the schedule. You can add up to 16 schedule entries to a periodic schedule. These entries can be divided into 3 types:

• Daily: The specified time of every day, such as Everyday 09:00:30 to 18:00:20.

• Days: The specified time of specified days during a week, such as Monday Tuesday Saturday 09:00:15 to 13:30:45.

• Period: A continuous period during a week, such as from Monday 09:30:30 to Wednesday 15:00:05.

Absolute Schedule

An absolute schedule is a time range in which a periodic schedule will take effect. If no absolute
schedule is specified, the periodic schedule will take effect as soon as it is used by some module.

Creating a Schedule
To create a schedule, take the following steps:

1. Select Object > Schedule.

2. Click New.

Configure the following options in the Schedule Configuration dialog box.

Name: Specifies a name for the new schedule.

Add: Specifies a type for the periodic schedule in the Add Periodic Schedules section.

Type:

• Daily: The specified time of every day. Click this radio button, and then, in the Time section, select a start time and an end time from the Start time and End time drop-down lists respectively.

• Days: The specified time of specified days during a week. Click this radio button, then select a day or days in the Days and Time section, and finally select a start time and an end time from the Start time and End time drop-down lists respectively.

• Duration: A continuous period during a week. Click this radio button, and then in the Duration section select a start day/time and an end day/time from the Start time and End time drop-down lists respectively.

Preview: Preview the details of the configured periodic schedule in the Preview section.

Delete: Select the entry you want to delete from the periodic schedule list below, and click Delete.

Absolute Schedule: The absolute schedule decides the time range in which the periodic schedule will take effect. Without an absolute schedule configured, the periodic schedule takes effect as soon as it is used by some module.

3. Click OK.

Notes: In both absolute schedule and periodic schedule, the interval between the
Start time and the End time should not be less than 1 minute.
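The three periodic entry types and the absolute schedule window can be evaluated as follows. This Python is an added example, not StoneOS code; it uses "HH:MM:SS" time strings and English weekday names, enforces the 16-entry limit and the one-minute minimum gap from the Notes, and assumes that a Period runs forward within a single week. The class and method names are the example's own.

```python
"""Schedule evaluation: periodic entries inside an optional absolute window.

Added example, not StoneOS code. It models the three periodic entry types on
this page (Daily, Days, Period/Duration), the 16-entry limit, the absolute
schedule window and the note that Start and End must be at least one minute
apart. Times are "HH:MM:SS" strings and days are English weekday names.
Assumption: a Period runs forward within one week and does not wrap past Sunday.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Optional, Sequence, Tuple

WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]
MIN_GAP_SECONDS = 60
MAX_ENTRIES = 16


def _secs(t: time) -> int:
    return t.hour * 3600 + t.minute * 60 + t.second


def _week_offset(day: int, t: time) -> int:
    """Seconds since Monday 00:00:00 (Monday = 0, as in datetime.weekday())."""
    return day * 86400 + _secs(t)


@dataclass(frozen=True)
class Daily:
    start: time
    end: time

    @classmethod
    def of(cls, start: str, end: str) -> "Daily":
        return cls(time.fromisoformat(start), time.fromisoformat(end))

    def validate(self) -> None:
        if _secs(self.end) - _secs(self.start) < MIN_GAP_SECONDS:
            raise ValueError("End time must be at least 1 minute after Start time")

    def active(self, at: datetime) -> bool:
        return self.start <= at.time() <= self.end


@dataclass(frozen=True)
class Days(Daily):
    days: FrozenSet[int] = frozenset()

    @classmethod
    def of(cls, days: Sequence[str], start: str, end: str) -> "Days":
        return cls(time.fromisoformat(start), time.fromisoformat(end),
                   frozenset(WEEKDAYS.index(d) for d in days))

    def active(self, at: datetime) -> bool:
        return at.weekday() in self.days and super().active(at)


@dataclass(frozen=True)
class Period:
    start_day: int
    start: time
    end_day: int
    end: time

    @classmethod
    def of(cls, start_day: str, start: str, end_day: str, end: str) -> "Period":
        return cls(WEEKDAYS.index(start_day), time.fromisoformat(start),
                   WEEKDAYS.index(end_day), time.fromisoformat(end))

    def validate(self) -> None:
        if (_week_offset(self.end_day, self.end)
                - _week_offset(self.start_day, self.start) < MIN_GAP_SECONDS):
            raise ValueError("Period end must be at least 1 minute after its start")

    def active(self, at: datetime) -> bool:
        now = _week_offset(at.weekday(), at.time())
        return (_week_offset(self.start_day, self.start) <= now
                <= _week_offset(self.end_day, self.end))


class Schedule:
    def __init__(self, entries: List, absolute: Optional[Tuple[str, str]] = None):
        if len(entries) > MAX_ENTRIES:
            raise ValueError(f"a periodic schedule holds at most {MAX_ENTRIES} entries")
        for e in entries:
            e.validate()
        self.entries = entries
        self.absolute = None
        if absolute:
            start, end = (datetime.fromisoformat(s) for s in absolute)
            if (end - start).total_seconds() < MIN_GAP_SECONDS:
                raise ValueError("absolute End must be at least 1 minute after Start")
            self.absolute = (start, end)

    def active_at(self, iso: str) -> bool:
        """True when a policy using this schedule is in effect at the given time."""
        at = datetime.fromisoformat(iso)
        if self.absolute and not (self.absolute[0] <= at <= self.absolute[1]):
            return False
        # No absolute schedule: the periodic schedule applies as soon as it is referenced.
        return any(e.active(at) for e in self.entries)
```

The dates in the checks below start on Monday 2024-01-08, so the weekday arithmetic can be verified by hand against the three example entries given on this page.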

AAA Server
An AAA server is a server program that handles user requests to access computer resources and, for an enterprise, provides authentication, authorization, and accounting (AAA) services. The AAA server typically interacts with network access and gateway servers and with databases and directories containing user information.
In the StoneOS system, authentication supports the following five types of AAA server:

• Local server: a local server is the firewall itself. The firewall stores user identity information and handles requests. Local server authentication is fast and cheap, but its storage space is limited by the firewall hardware.

• External servers:

  • Radius Server

  • LDAP Server

  • Active-Directory Server

  • TACACS+ Server

According to the type of authentication, you need to choose different AAA servers:

• : Only local and Radius servers support this authentication.

• "Configuring IPSec-XAUTH Address Pool" on Page 442: Local, Radius, LDAP, AD and TACACS+ servers are supported.

• Other authentication methods mentioned in this guide: all four servers can support the other authentication methods.

Configuring a Local AAA Server

1. Select Object > AAA Server, and click New > Local Server.

2. The Local Server Configuration page opens.

Configure the following options.

Name: Type the name for the new server into the text box.

Role mapping rule: Specifies a role mapping rule for the server. With this option selected, the system allocates a role to users who have been authenticated by the server according to the specified role mapping rule.

Password Control: To prevent account security problems, you can configure the password control function.

• Change Password: Select the Change Password check box. With this function enabled, the system allows users to change their own passwords after successful WebAuth or SCVPN authentication.

• Change Password after First Login: Select the Change Password after First Login check box to enable this function. When you log in to the SSL VPN client for the first time, you need to modify the password according to the specified mode. Before enabling this function, you need to enable the Change Password function first. The Change Password after First Login function supports two modes:

  • Compatible Mode: (1) If this function does not apply to the SSL VPN client, users can log in to the SSL VPN client for the first time without changing the password. (2) If this function applies to the SSL VPN client, users need to change the login password immediately after logging in to the SSL VPN client for the first time.

  • Enforce Mode: Users need to change the login password immediately after logging in to the SSL VPN client for the first time.

  Notes:

  • In case the Enforce Mode is configured, the SSL VPN client cannot be used if this function does not apply to the SSL VPN client. You are advised to upgrade the SSL VPN client or switch to the compatible mode.

  • The SSL VPN client versions that allow you to change the password upon the first login are as follows: SSL VPN Windows client 1.4.9.1274 or later, Linux 1.4.0 or later, Android 4.5 or later, and iOS 2.0.6 or later.

  • The Change Password after First Login function does not apply to SSL VPN Windows client (non-administrator) version 1.5.x.

• History Password Check: Select the History Password Check check box to enable the history password check function. With this function, the system compares the new password with the historical passwords when you change the password, ensuring that the new password differs from the passwords set in the specified number of previous changes.

• Validity Check: Select the Validity Check check box to enable the password validity check function and configure the valid period of the password.

• Password Expiry Warning: Select the Password Expiry Warning check box to enable the password expiry warning function and configure how many days before expiry users will be reminded that their password is about to expire.

• Password Complexity: The lower the complexity of the password, the more likely it is to be cracked, for example when it includes the username or is short. For security reasons, you can enable the password complexity configuration and configure the password complexity requirements to ensure that users' passwords have high complexity. Select the Password Complexity check box to enable the password complexity configuration.

  • Minimum Password Length: Specifies the minimum password length. The range is 1 to 16; the default value is 1.

  • Minimum Capital Letter Length: Specifies the minimum number of uppercase letters the password must contain. The range is 0 to 16; the default value is 0.

  • Minimum Lowercase Letter Length: Specifies the minimum number of lowercase letters the password must contain. The range is 0 to 16; the default value is 0.

  • Minimum Number Length: Specifies the minimum number of digits the password must contain. The range is 0 to 16; the default value is 0.

  • Minimum Special Character Length: Specifies the minimum number of special characters (that is, non-numeric characters) the password must contain. The range is 0 to 16; the default value is 0.

• Password cannot contain username: Select the Password cannot contain username check box. Passwords are then not allowed to contain the username.

• Change Password after First Login: By default, the function of changing the password at first login is disabled. After it is enabled, when you log in for web authentication or SSL VPN for the first time, the system prompts "Change the password for the first login" and forces you to change the password according to the configured password complexity.

Backup Authentication Server: To configure a backup authentication server, select a server from the drop-down list. After a backup authentication server is configured for the local server, it takes over the authentication task when the primary server malfunctions or authentication fails on the primary server. The backup authentication server can be any existing local, Active-Directory, RADIUS or LDAP server defined in the system.

Username Format: Specifies the input format of the user name.

Brute-force Cracking Defense: To prevent illegal users from obtaining user names and passwords via brute-force cracking, you can configure the brute-force cracking defense by locking out the user or the IP.

• Select the Lockout User check box to enable the user-based brute-force cracking defense. If the failed attempts reach the specified number (1-32 times) within the specified period (1-180 seconds), the login user is locked out for the specified time (30-1800 seconds). By default, if the failed attempts reach 5 times within 60 seconds, the login user is locked out for 600 seconds.

• Select the Lockout IP check box to enable the IP-based brute-force cracking defense. If the failed attempts reach the specified number (1-2048 times) within the specified period (1-180 seconds), the IP is locked out for the specified time (30-1800 seconds). By default, if the failed attempts reach 64 times within 60 seconds, the IP is locked out for 60 seconds.

3. Click OK.

Configuring Radius Server

1. Select Object > AAA Server, and click New > Radius Server.

2. The Radius Server Configuration page opens.

Configure the following options.

Basic Configuration

Name: Specifies a name for the Radius server.

Server Address: Specifies an IP address (IPv4 or IPv6) or domain name for the Radius server.

Virtual Router: Specifies a VR for the Radius server.

Port: Specifies a port number for the Radius server. The value range is 1024 to 65535. The default value is 1812.

Secret: Specifies a secret for the Radius server. You can specify at most 31 characters.

Optional Configuration

Authorization Policy: When a user is authenticated successfully by the Radius server, the Radius server creates a security policy for the authenticated user that includes the destination network segment, destination port, protocol, and behavior. This policy is called an authorization policy. The system supports two authorization policies: "Authorization Policy During Authentication" and "Dynamic Authorization Policy". You can enable the authorization policy function to obtain the authorization policy from the Radius server and add it to the system's policy list to make it effective. When the authenticated user is disconnected, the authorization policy is deleted automatically.

• By default, the authorization policy is disabled. Select the check box after Authorization Policy to enable the authorization policy. After the authorization policy of the Radius server is enabled, you can add the obtained authorization policy to an aggregation policy that has already been created, arranging it as the last member of the aggregation policy, which makes it easier to manage authorization policies uniformly. If it is not added to an aggregation policy, the authorization policy is added to the end of the system policy list by default.

• Select the aggregate policy name from the drop-down list.

Username Format: Specifies the input format of the user name.

Role mapping rule: Specifies a role mapping rule for the server. With this option selected, the system allocates a role to users who have been authenticated by the server according to the specified role mapping rule.

Backup server 1 / Backup server 2: Specifies an IP address or domain name for backup server 1 or backup server 2.

Virtual Router1 / Virtual Router2: Specifies a VR for the backup server.

Retries: Specifies the number of retries for the authentication packets sent to the AAA server. The value range is 1 to 10. The default value is 3.

Timeout: Specifies a timeout for the server response. The value range is 1 to 30 seconds. The default value is 3.

Backup Authentication Server: Specifies a backup authentication server. After a backup authentication server is configured for the Radius server, it takes over the authentication task when the primary server malfunctions or authentication fails on the primary server. The backup authentication server can be any existing local, Active-Directory, RADIUS or LDAP server defined in the system.

Enable Accounting: Select the Enable check box to enable accounting for the Radius server, and then configure the options in the area that slides out.

  Server Address: Specifies an IP address or domain name for the accounting server.

  Virtual Router: Specifies a VR for the accounting server.

  Port: Specifies a port number for the accounting server. The value range is 1024 to 65535. The default value is 1813.

  Password: Specifies a password for the accounting server.

  Backup server 1 / Backup server 2: Specifies an IP address or domain name for backup server 1 or backup server 2.

  Virtual Router1 / Virtual Router2: Specifies a VR for the backup server.

3. Click OK.

Configuring Active Directory Server

1. Select Object > AAA Server, and click New > Active Directory Server.

2. The Active Directory Server Configuration page opens.

Configure the following options.

Basic Configuration

Name: Specifies a name for the Active Directory server.

Server Address: Specifies an IP address (IPv4 or IPv6) or domain name for the Active Directory server.

Virtual Router: Specifies a VR for the Active Directory server.

Port: Specifies a port number for the Active Directory server. The value range is 1 to 65535. The default value is 389.

Base-dn: Specifies a Base-dn for the AD server. The Base-dn is the starting point at which the search begins when the AD server receives an authentication request. For the example of abc.xyz.com as described above, the format of the Base-dn is "dc=abc,dc=xyz,dc=com".

Login-dn: Specifies authentication characteristics for the Login-dn (typically a user account with query privilege pre-defined on the AD server). When the authentication mode is plain, the Login-dn must be configured. The DN (Distinguished Name) is the user name of an AD server account that has the privilege to read user information. The format of the DN is "cn=xxx,DC=xxx,...". For example, if the server domain is abc.xyz.com and the AD server admin name is administrator, located in the Users directory, then the Login-dn should be "cn=administrator,cn=users,dc=abc,dc=xyz,dc=com".

sAMAccountName: When the authentication mode is MD5, the sAMAccountName must be configured. The sAMAccountName is the user name of an AD server account that has the privilege to read user information. The format of the sAMAccountName is "xxx". For example, if the AD server admin name is administrator, then the sAMAccountName should be "administrator".

Authentication Mode: Specifies an authentication or synchronization method (either plain text or MD5). The default method is MD5. If the sAMAccountName is not configured after you specify the MD5 method, the plain method is used when synchronizing users from the server, and the MD5 method is used when authenticating the user.

Password: Specifies a password for the AD server.

Optional Configuration

Authorization Policy: When a user is authenticated successfully by the Radius server, the Radius server creates a security policy for the authenticated user that includes the destination network segment, destination port, protocol, and behavior. This policy is called an authorization policy. The system supports two authorization policies: "Authorization Policy During Authentication" and "Dynamic Authorization Policy". You can enable the authorization policy function to obtain the authorization policy from the Radius server and add it to the system's policy list to make it effective. When the authenticated user is disconnected, the authorization policy is deleted automatically.

• By default, the authorization policy is disabled. Select the check box after Authorization Policy to enable the authorization policy. After the authorization policy of the Radius server is enabled, you can add the obtained authorization policy to an aggregation policy that has already been created, arranging it as the last member of the aggregation policy, which makes it easier to manage authorization policies uniformly. If it is not added to an aggregation policy, the authorization policy is added to the end of the system policy list by default.

• Select the aggregate policy name from the drop-down list.

Username Format: Specifies the input format of the user name.

Role Mapping Rule: Specifies a role mapping rule for the server. With this option selected, the system allocates a role to users who have been authenticated by the server according to the specified role mapping rule.

Backup server 1 / Backup server 2: Specifies an IP address or domain name for backup server 1 or backup server 2.

Virtual Router1 / Virtual Router2: Specifies a VR for the backup server.

Authentication Base-DN: Specifies an authentication Base-dn for the AD server. All users in the Base-DN (including those directly under the user group) are allowed to pass authentication. The format of the DN is "OU=xxx,DC=xxx,...".

Synchronization Base-DN: Specifies a Synchronization Base-dn for the AD server. All users and user groups in the Base-DN are synchronized to the local server. The format of the DN is "OU=xxx,DC=xxx,...".

Synchronization: Select the check box to enable the synchronization function; clear the check box to disable it, in which case the system stops synchronizing and clears the existing user information. By default, the system synchronizes the user information on the configured Active-Directory server with the local server every 30 minutes.

Automatic Synchronization: Click the radio button to specify automatic synchronization.

  Interval Synchronization: Specifies the time interval for automatic synchronization. The value range is 30 to 1440 minutes. The default value is 30.

  Daily Synchronization: Specifies the time at which the user information is synchronized every day. The format is HH:MM, where HH and MM indicate the hour and minute respectively.

  Once Synchronization: If this parameter is specified, the system synchronizes automatically when the configuration of the Active-Directory server is modified. After this command is executed, the system synchronizes the user information immediately.

Synchronous Operation Mode: Specifies the user synchronization mode, Group Synchronization or OU Synchronization. By default, the user information is synchronized with the local server based on the group.

OU maximum depth: Specifies the maximum depth of OUs to be synchronized. The value range is 1 to 12, and the default value is 12. OU structure that exceeds the maximum depth is not synchronized, but users beyond the maximum depth are synchronized into the deepest OU within the limit to which they belong. If the total number of characters of the OU name at any level (including the "OU=" string and punctuation) is more than 128, OU information that exceeds the length is not synchronized with the local server.

User Filter: Specifies the user-filter conditions. The system can only synchronize and authenticate users that match the filtering condition on the authentication server. The length is 0 to 120 characters. For example, if the condition is configured as "memberOf=CN=Admin,DC=test,DC=com", the system can only synchronize or authenticate users whose DN matches "memberOf=CN=Admin,DC=test,DC=com". The commonly used operators are: = (equals a value), & (and), | (or), ! (not), * (wildcard, matching zero or more characters), ~= (fuzzy query), >= (greater than or equal to a specified value in lexicographical order), and <= (less than or equal to a specified value in lexicographical order).

Security Agent: Select the Enable check box to enable the Security Agent. With this function enabled, the system is able to obtain the mappings between the usernames of the domain users and IP addresses from the AD server, so that the domain users can gain access to network resources. In this way "Single Sign-On" on Page 342 is implemented. Besides, by making use of the obtained mappings, the system can also implement other user-based functions, like security statistics, logging, behavior auditing, etc. To enable the Security Agent on the AD server, you first need to install and run the Security Agent on the server. Afterwards, when a domain user is logging in or logging off, the Security Agent logs the user's username, IP address, current time, and other information, and adds the mapping between the username and the IP address to the system. In this way the system can obtain every online user's IP address.

Agent Port: Specifies the monitoring port. StoneOS communicates with the AD Agent through this port. The range is 1025 to 65535. The default value is 6666. This port must match the port configured on the AD Agent, or the system will fail to communicate with the AD Agent.

Disconnection Timeout: Specifies the disconnection timeout. The value range is 0 to 1800 seconds. The default value is 300. The value 0 means the connection never times out.

Backup Authentication Server: Specifies a backup authentication server. After configuring a backup authentication server for this server, the backup authentication server takes over the authentication task when the primary server malfunctions or authentication fails on the primary server. The backup authentication server can be any existing local, Active-Directory, RADIUS or LDAP server defined in the system.

3. Click OK.
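The OU maximum depth and OU name length rules above decide which OU a synchronized user ends up in. The following is an added example, not StoneOS code or Hillstone's own synchronization logic: it parses a user's distinguished name, walks the OU hierarchy from the top of the tree down, and returns the deepest OU the user is synchronized into for a given depth limit and the 128-character limit per "OU=" level. What happens to OUs beneath an over-length level is not stated on the page, so this code assumes the user lands in the last level that passed both checks; the DNs used are constructed sample data.

```python
"""Place synchronized directory users into OUs under a maximum OU depth.

Added illustration of the "OU maximum depth" option; not StoneOS code. The
treatment of OUs below an over-length level is an assumption (the user is
placed in the last level that passed both checks).
"""
from dataclasses import dataclass, field
from typing import List

OU_LEVEL_MAX_CHARS = 128        # limit on "OU=" + name + punctuation per level
MAX_DEPTH_RANGE = range(1, 13)  # value range 1 to 12, default 12


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDN strings, honouring backslash escapes (RFC 4514)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep the escape sequence verbatim
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


@dataclass
class Placement:
    synced_path: List[str] = field(default_factory=list)  # top-down OUs kept
    skipped: List[str] = field(default_factory=list)      # OUs not synchronized
    reason: str = ""


def place_user(user_dn: str, max_depth: int = 12) -> Placement:
    """Walk the user's OUs from the tree top down, applying both limits."""
    if max_depth not in MAX_DEPTH_RANGE:
        raise ValueError("OU maximum depth must be 1 to 12")
    rdns = split_dn(user_dn)
    # A DN is written leaf-first; reverse the OU components to walk top-down.
    ous = [r for r in rdns if r[:3].upper() == "OU="][::-1]
    result = Placement()
    for level, ou in enumerate(ous, start=1):
        if level > max_depth:
            result.skipped.extend(ous[level - 1:])
            result.reason = "exceeds maximum depth"
            break
        if len(ou) > OU_LEVEL_MAX_CHARS:
            # Assumption: this level and everything below it is not synchronized.
            result.skipped.extend(ous[level - 1:])
            result.reason = "OU name longer than 128 characters"
            break
        result.synced_path.append(ou)
    return result


def deepest_ou(user_dn: str, max_depth: int = 12) -> str:
    """The OU the user is synchronized into ('' if the user sits in no OU)."""
    path = place_user(user_dn, max_depth).synced_path
    return path[-1] if path else ""


if __name__ == "__main__":
    # Constructed sample: three OU levels under the domain root.
    sample = "CN=alice,OU=dev,OU=eng,OU=corp,DC=example,DC=com"
    print(place_user(sample, max_depth=2))
```

With the default depth of 12 the sample user is placed in OU=dev; with a maximum depth of 2 the OU=dev level is reported as skipped and the user lands in OU=eng, which is the behaviour the option describes.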

Configuring LDAP Server

1. Select Object > AAA Server, and click New > LDAP Server.

2. The LDAP Server Configuration page opens.

Configure the following.

Basic Configuration

Server Name: Specifies a name for the LDAP server.

Server Address: Specifies an IP address (IPv4 or IPv6) or domain name for the LDAP server.

Virtual Router: Specifies a VR for the LDAP server.

Port: Specifies a port number for the LDAP server. The value range is 1 to 65535. The default value is 389.

Base-dn: Specifies the Base-dn. The Base-dn is the starting point at which the search begins when the LDAP server receives an authentication request.

Login-dn: Specifies the authentication credentials for the Login-dn (typically a user account with query privileges predefined on the LDAP server).

Authid: Specifies the Authid, which is a string of 1 to 63 characters and is case sensitive.

Authentication Mode: Specifies an authentication or synchronization method (either plain text or MD5). The default method is MD5. If the Authid is not configured after you specify the MD5 method, the plain method is used when synchronizing users from the server, and the MD5 method is used when authenticating users.

Password: Specifies a password for the LDAP server. This should correspond to the password for the Admin DN.

Optional Configuration

Username Format: Specifies the input format of the user name.

Role Mapping Rule: Specifies a role mapping rule for the server. With this option selected, the system allocates a role to users who have been authenticated by the server according to the specified role mapping rule.

Backup server 1/Backup server 2: Specifies an IP address or domain name for backup server 1 or backup server 2.

Virtual Router1/Virtual Router2: Specifies a VR for the backup server.

Synchronization: Check the checkbox to enable the synchronization function; clear the checkbox to disable it, after which the system stops synchronizing and clears the existing user information. By default, the system synchronizes the user information on the configured LDAP server with the local server every 30 minutes.

Automatic Synchronization: Click the radio button to specify automatic synchronization.

Interval Synchronization: Specifies the time interval for automatic synchronization. The value range is 30 to 1440 minutes. The default value is 30.

Daily Synchronization: Specifies the time when the user information is synchronized every day. The format is HH:MM, where HH and MM indicate the hour and minute respectively.

Once Synchronization: If this parameter is specified, the system synchronizes automatically when the configuration of the LDAP server is modified. After executing this command, the system synchronizes the user information immediately.

Synchronous Operation Mode: Specifies the user synchronization mode, either Group Synchronization or OU Synchronization. By default, the user information is synchronized with the local server based on the group.

OU maximum depth: Specifies the maximum depth of OUs to be synchronized. The value range is 1 to 12, and the default value is 12. OU structure that exceeds the maximum depth is not synchronized, but users below the maximum depth are synchronized into the deepest synchronized OU they belong to. If the total number of characters of the OU name at any level (including the "OU=" string and punctuation) is more than 128, OU information that exceeds the length is not synchronized with the local server.

User Filter: Specifies the user filters. The system can only synchronize and authenticate users that match the filters on the authentication server. The length is 0 to 120 characters. For example, if the condition is configured as "(|(objectclass=inetOrgperson)(objectclass=person))", the system can only synchronize or authenticate users that are defined as inetOrgperson or person. The commonly used operators are as follows: = (equals a value), & (and), | (or), ! (not), * (wildcard, matching zero or more characters), ~= (fuzzy query), >= (greater than or equal to a specified value in lexicographical order), <= (less than or equal to a specified value in lexicographical order).

Naming Attribute: Specifies a naming attribute for the LDAP server. The default naming attribute is uid.

Group Naming Attribute: Specifies a naming attribute of groups for the LDAP server. The default naming attribute is uid.

Member Attribute: Specifies a member attribute for the LDAP server. The default member attribute is uniqueMember.

Group Class: Specifies a group class for the LDAP server. The default class is groupofuniquenames.

Backup Authentication Server: Specifies a backup authentication server. After configuring a backup authentication server for the LDAP server, the backup authentication server takes over the authentication task when the primary server malfunctions or authentication fails on the primary server. The backup authentication server can be any existing local, Active-Directory, RADIUS or LDAP server defined in the system.

3. Click OK.
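The User Filter option for the AD and LDAP servers takes a filter string built from the operators listed above, with a 0 to 120 character limit. The following is an added example, not StoneOS code and not the device's own parser: it checks a candidate filter (balanced parentheses, the listed operators, the length limit) before it is entered, and shows how a value taken from user input is escaped according to RFC 4515 so that characters such as "(" or "*" cannot change the meaning of a filter built around it. The build_uid_filter helper and the sample filters are constructed for the example.

```python
"""Check an LDAP user filter before saving it, and escape values safely.

Added example for the User Filter option; not StoneOS code. It accepts the
operators the page lists (=, &, |, !, *, ~=, >=, <=), enforces the 0 to 120
character limit, verifies that every "(" is closed, and escapes values per
RFC 4515.
"""
import re
from typing import List

FILTER_MAX_LEN = 120

# One comparison: attribute name, operator, value (the value may contain "*").
_ITEM = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(~=|>=|<=|=)(.*)$", re.S)

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


class FilterError(ValueError):
    """Raised by the parser on a malformed filter."""


def escape_filter_value(value: str) -> str:
    """Escape a raw value so that it is matched literally inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _parse(s: str, i: int) -> int:
    """Parse one parenthesized filter starting at s[i]; return index after ')'."""
    if i >= len(s) or s[i] != "(":
        raise FilterError(f"expected '(' at position {i}")
    i += 1
    if i >= len(s):
        raise FilterError("unterminated filter")
    if s[i] in "&|":                       # and / or: one or more sub-filters
        i += 1
        count = 0
        while i < len(s) and s[i] == "(":
            i = _parse(s, i)
            count += 1
        if count == 0:
            raise FilterError("'&' and '|' need at least one sub-filter")
    elif s[i] == "!":                      # not: exactly one sub-filter
        i = _parse(s, i + 1)
    else:                                  # attribute comparison
        close = s.find(")", i)             # a ')' inside a value must be escaped
        if close == -1:
            raise FilterError("missing ')'")
        if not _ITEM.match(s[i:close]):
            raise FilterError(f"bad comparison '{s[i:close]}'")
        i = close
    if i >= len(s) or s[i] != ")":
        raise FilterError(f"expected ')' at position {i}")
    return i + 1


def validate_filter(text: str) -> List[str]:
    """Return the problems found; an empty list means the filter is acceptable."""
    problems: List[str] = []
    if len(text) > FILTER_MAX_LEN:
        problems.append(f"length {len(text)} exceeds {FILTER_MAX_LEN}")
    if text == "":
        return problems                    # length 0 is allowed by the page
    # The page's memberOf example has no outer parentheses; wrap such a bare
    # comparison so the grammar above sees a single form.
    body = text if text.startswith("(") else f"({text})"
    try:
        end = _parse(body, 0)
        if end != len(body):
            raise FilterError(f"unexpected text after position {end}")
    except FilterError as exc:
        problems.append(str(exc))
    return problems


def build_uid_filter(raw_uid: str) -> str:
    """Hypothetical helper: filter for one user by uid, with the value escaped."""
    return f"(&(objectclass=person)(uid={escape_filter_value(raw_uid)}))"


if __name__ == "__main__":
    for f in ("memberOf=CN=Admin,DC=test,DC=com",
              "(|(objectclass=inetOrgperson)(objectclass=person))",
              "(|(objectclass=person)"):
        print(f, "->", validate_filter(f) or "ok")
    print(build_uid_filter("*)(uid=*"))
```

The last line shows why escaping matters: pasted unescaped, the value "*)(uid=*" turns the one-user filter into "(&(objectclass=person)(uid=*)(uid=*))", which is syntactically valid and matches every person; escaped, it becomes a literal string that matches nothing.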

Configuring TACACS+ Server

1. Select Object > AAA Server.

2. Click New > TACACS+ Server, and the TACACS+ Server Configuration page opens.

Configure the following.

Basic Configuration

Server Name: Enter a name for the TACACS+ server.

Server Address: Specify the IP address or host name of the TACACS+ server.

Virtual Router: Specify the VRouter of the TACACS+ server.

Port: Enter the port number for the TACACS+ server. The default value is 49. The value range is 1 to 65535.

Secret: Enter the shared secret used to connect to the TACACS+ server.

Optional

Username Format: Specifies the input format of the user name.

Role mapping rule: Select a role mapping rule for the server. With this option selected, the system allocates a role to users who have been authenticated by the server according to the specified role mapping rule.

Backup Server 1 (2): Enter the domain name or IP address of the backup TACACS+ server.

Virtual Router 1 (2): Select the VRouter for the backup server.

Connectivity Test
When AAA server parameters are configured, you can test whether they are correct by testing server connectivity.
To test server connectivity, take the following steps:

1. Select Object > AAA Server, and click New.

2. Select your AAA server type, which can be Radius, AD, LDAP or TACACS+. The local server does not need the connectivity test.

3. After filling out the fields, click Test Connectivity.

4. For a Radius or TACACS+ server, enter a username and password in the <Test Connectivity> dialog box that pops up. If the server is AD or LDAP, the login-dn and secret are used to test connectivity.

5. Click Test Connectivity. If the "Test connectivity success" message appears, the AAA server settings are correct.

If there is an error message, these are the causes:

l Connect AAA server timeout: Wrong server address, port or virtual router.

l AAA server configuration error: Secret is wrong.

l Wrong name or password: Username or password for testing is wrong.

Radius Dynamic Authorization
The Radius dynamic authorization function includes:

l When a user is authenticated successfully, the Radius server can send a Radius CoA (Change of Authorization) request message carrying the authorization of the authenticated user to the device. The device automatically generates the security policy rule for the user. When the user goes offline, the device deletes this user's security policy rule automatically.

l When an SCVPN user is authenticated successfully, the Radius server can send a Radius DM (Disconnect Messages) request message carrying the accounting user information (including the user name, user IP address, user accounting ID, etc.) to the device, and the device can disconnect the specified SCVPN authenticated user and end the accounting.

To configure the Radius dynamic authorization function, take the following steps:

1. Select Object > Radius Dynamic Authorization.

2. Click the Enable button after Radius Dynamic Authorization to enable the Radius dynamic
authorization function.

3. Type the port number of the Radius dynamic authorization server into the Port textbox. The
value range is 1024 to 65535. The default value is 3799.

4. In the Authorization Server section, click New, and then specify the IP address, destination
IP and shared key of the Radius dynamic authorization server.

5. To delete the Radius dynamic authorization server, select the checkbox in the list, and then
click Delete.

6. Click Apply.

Notes: If you need to use the Radius dynamic authorization function, first enable
and configure the Radius accounting server. For the configuration, refer to Enable
Accounting.

User
A user is someone who uses the functions and services provided by the Hillstone device, or who is authenticated or managed by the device. Authenticated users consist of local users and external users. Local users are created by administrators; they belong to different local authentication servers and are stored in the system's configuration files. External users are stored in external servers, such as an AD server or LDAP server. The system supports user groups to facilitate user management. Users belonging to one local authentication server can be allocated to different user groups, and a single user can belong to several user groups simultaneously; similarly, user groups belonging to one local authentication server can be allocated to different user groups, and a single user group can belong to several user groups simultaneously. The following diagram uses the default AAA server, Local, as an example and shows the relationship between users and user groups:

As shown above, User1, User2 and User3 belong to UserGroup1, while User3 also belongs to
UserGroup2, and UserGroup2 also contains User4, User5 and UserGroup1.

Configuring a Local User


This section describes how to configure a local user and user group.
Click Object > User > Local User. The following information and operations are provided:

l Click the "Local server" drop-down box in the upper left corner of the page to switch the local user's server.

l Red, orange and yellow are used in the list to mark users that have expired, users that expire within a week, and users that expire within a month, respectively.

l Check the information of the local user in the list, including user, user group, expiration, mobile and description.

Creating a Local User

To create a local user, take the following steps:

1. Select Object > User > Local User.

2. Click New > User.

Configure the following.
Option Description

Name: Specifies a name for the user.

Encryption Method: Specifies the method used to encrypt the user's password, that is, whether the password encryption algorithm is reversible or irreversible.

l Reversible: The system uses the reversible encryption algorithm AES to encrypt the user password. In some authentication scenarios, the system can decrypt the password for authentication.

l Irreversible: The system uses the irreversible SHA algorithm to encrypt user passwords. The passwords cannot be decrypted. In this case, the user cannot authenticate through CHAP (Challenge Handshake Authentication Protocol, which is used in L2TP VPN and 802.1X).

Password: Specifies a password for the user.

Confirm password: Type the password again to confirm.

Mobile+country code: Specifies the user's mobile number. When users log into the SCVPN client, the system sends the verification code to this mobile number.

Email: Specifies the user's Email address. The value range is 1 to 127 characters. If the Email authentication function is enabled, users receive the verification code via this Email. For more information about Email authentication, see Configuring an SSL VPN.

Description: If needed, type a description of the user.

Group: Adds the user to a selected user group. Select the user group you want and click Add.

Expiration: Select the Enable check box to enable expiration for the user, and then specify a date and time. After expiration, the user cannot be authenticated and therefore cannot be used in the system. By default, expiration is not enabled.

Expand VPN Options, configure network parameters for the PnPVPN client.

Option Description

IKE ID: Specifies an IKE ID type for dial-up VPN users. If FQDN or ASN1 is selected, type the ID's content in the text box below.

DHCP Start IP: Specifies a start IP for the DHCP address pool.

DHCP End IP: Specifies an end IP for the DHCP address pool.

DHCP Netmask: Specifies a netmask for the DHCP address pool.

DHCP Gateway: Specifies a gateway for the DHCP address pool. The IP address of the gateway corresponds to the IP address of the PnPVPN client's Intranet interface and the PC's gateway address. The PC's IP address is determined by the segment and netmask configured in the above DHCP address pool. Therefore, the gateway's address and the DHCP address pool should be in the same segment.

DNS1/DNS2/DNS3/DNS4: Specifies an IP address for the DNS server. You can specify one primary DNS server (DNS1) and up to three alternative DNS servers.

WINS1/WINS2: Specifies an IP address for the WINS server. You can specify one primary WINS server (WINS1) and one alternative WINS server.

Tunnel IP 1: Specifies an IP address for the master PnPVPN client's tunnel interface. Select the Enable SNAT check box to enable SNAT.

Tunnel IP 2: Specifies an IP address for the backup PnPVPN client's tunnel interface.

3. Click OK.
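The Encryption Method option above states that a password stored irreversibly cannot be used for CHAP. The following is an added example, not StoneOS code, that makes the reason concrete: CHAP (RFC 1994) proves knowledge of the secret with MD5 over the identifier, the secret and a random challenge, so the verifier must recompute that digest from the cleartext secret. A store that keeps only a one-way SHA digest can still check a cleartext login, but cannot answer a CHAP exchange. The "reversible" store below simply keeps the secret recoverable; it stands in for the device's AES storage (an assumption made for the example, since the point is the protocol constraint, not the cipher).

```python
"""Why CHAP needs a reversibly stored password.

Added example for the Encryption Method option; not StoneOS code. The
reversible store here is a stand-in (assumption) for AES-based storage.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is one octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


@dataclass(frozen=True)
class StoredCredential:
    mode: str           # "reversible" or "irreversible"
    material: bytes     # recoverable secret, or salted SHA-256 digest
    salt: bytes = b""


def store_reversible(password: str) -> StoredCredential:
    """Recoverable form: stand-in for the device's AES-encrypted storage."""
    return StoredCredential("reversible", password.encode())


def store_irreversible(password: str) -> StoredCredential:
    """One-way form: salted SHA-256, so the password cannot be recovered."""
    salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).digest()
    return StoredCredential("irreversible", digest, salt)


def verify_plaintext(cred: StoredCredential, password: str) -> bool:
    """Cleartext login (PAP, web auth): both storage modes can verify it."""
    if cred.mode == "reversible":
        return hmac.compare_digest(cred.material, password.encode())
    digest = hashlib.sha256(cred.salt + password.encode()).digest()
    return hmac.compare_digest(cred.material, digest)


def verify_chap(cred: StoredCredential, identifier: int, challenge: bytes,
                response: bytes) -> Optional[bool]:
    """True/False when the store can verify CHAP; None when it cannot."""
    if cred.mode != "reversible":
        return None     # a SHA digest cannot reproduce MD5(id||secret||challenge)
    expected = chap_response(identifier, cred.material, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed exchange: the peer answers challenge 0x00..0x0f with id 7.
    challenge = bytes(range(16))
    peer_response = chap_response(7, b"s3cret", challenge)
    for cred in (store_reversible("s3cret"), store_irreversible("s3cret")):
        print(cred.mode, "plaintext:", verify_plaintext(cred, "s3cret"),
              "chap:", verify_chap(cred, 7, challenge, peer_response))
```

The trade-off the option exposes is therefore real: irreversible storage limits the damage if the configuration file leaks, but it removes CHAP (and with it L2TP VPN and 802.1X as described above) for that user; choose reversible only for accounts that need those protocols.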

Creating a User Group

To create a user group, take the following steps:

1. Select Object > User > Local User.

2. Click New > User Group.

3. Type the name of the user group into the Name box.

4. Specify members for the user group. Expand User or User Group in the Available list, select
a user or user group and click Add to add it to the Selected list on the right. To delete a
selected user or user group, select it in the Selected list and then click Remove. One user
group can contain multiple users or user groups, but system only supports up to 5 layers of
nested user groups and does not support the loopback nest. Therefore, a user group should
not nest the upper-layer user group it belongs to.

5. Click OK.
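Step 4 above gives two structural rules for user groups: at most 5 layers of nested user groups, and no loopback nest. The following is an added example, not StoneOS code, that checks a proposed membership change against both rules and resolves the users a group contains through nesting. The group names follow the page's diagram (UserGroup2 contains User3, User4, User5 and UserGroup1); the rest of the data is constructed.

```python
"""Check user-group nesting before saving a membership change.

Added example for the user group rules; not StoneOS code. Depth counts the
groups on the longest chain starting at a group (assumption about how the
5-layer limit is counted).
"""
from typing import Dict, List, Optional, Set, Tuple

MAX_NEST_LAYERS = 5

# group name -> (direct users, direct member groups)
Groups = Dict[str, Tuple[Set[str], Set[str]]]


def nesting_depth(groups: Groups, name: str, seen: Optional[Set[str]] = None) -> int:
    """Number of group layers from `name` down; raises ValueError on a cycle."""
    seen = set() if seen is None else seen
    if name in seen:
        raise ValueError(f"loopback nest through {name}")
    subgroups = groups.get(name, (set(), set()))[1]
    if not subgroups:
        return 1
    return 1 + max(nesting_depth(groups, g, seen | {name}) for g in subgroups)


def all_users(groups: Groups, name: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """Users in `name`, including those reached through nested groups."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    users, subgroups = groups.get(name, (set(), set()))
    found = set(users)
    for g in subgroups:
        found |= all_users(groups, g, seen | {name})
    return found


def validate_groups(groups: Groups) -> List[str]:
    """Violations of the nesting rules across the whole graph (empty = OK)."""
    problems: List[str] = []
    for name in groups:
        try:
            depth = nesting_depth(groups, name)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if depth > MAX_NEST_LAYERS:
            problems.append(f"{name} nests {depth} layers (limit {MAX_NEST_LAYERS})")
    return sorted(set(problems))


def check_add_member(groups: Groups, parent: str, child_group: str) -> List[str]:
    """Problems that adding `child_group` into `parent` would introduce."""
    trial: Groups = {k: (set(u), set(g)) for k, (u, g) in groups.items()}
    trial.setdefault(parent, (set(), set()))[1].add(child_group)
    trial.setdefault(child_group, (set(), set()))
    return validate_groups(trial)


if __name__ == "__main__":
    # Constructed from the page's diagram.
    sample: Groups = {
        "UserGroup1": ({"User1", "User2", "User3"}, set()),
        "UserGroup2": ({"User3", "User4", "User5"}, {"UserGroup1"}),
    }
    print(sorted(all_users(sample, "UserGroup2")))
    # Adding UserGroup2 into UserGroup1 would create the forbidden loopback.
    print(check_add_member(sample, "UserGroup1", "UserGroup2"))
```

Running the check before each Add click reproduces the page's constraint that a group must not nest the upper-layer group it belongs to, and reports chains deeper than five groups at the same time.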

Export User List

The system exports the user-list file in .csv format; its content is the real-time information of the user list in the system.
To export the user list from the system to a local file, take the following steps:

1. Select Object > User > Local User.

2. Click Export User List to open the Export User List page, and select the saved position in
local.

3. Click OK to finish export.

Import User List

The system supports the import of user-list files in UTF-8 or GBK encoding, in .txt or .csv format. When the user-list file is imported, the system carries out a validity test and a complexity check of each user password. If the checks succeed, the import succeeds; if they fail, the import fails.
The user-list in a .csv file is illustrated in the figure below.

The user-list in a text file is illustrated in the figure below.

Notes: Before importing the user-list file, please read carefully the annotations in the above figures and fill in the user information according to the format.

To import a user list into the system, take the following steps:

1. Select Object>User> Local User.

2. Click Import User List to open the Import User List page.

3. Click Browse to select the file name needed to be imported.

4. Click OK to finish import.

Notes:
l The user password in the import/export file is not encrypted, unless the password strings match the AES encryption format.

l Please try to keep the import file format consistent with the export file.

l When imported, if the same user name exists under the same server, the original user information will be overwritten.

l When imported, if a user is new to the system, it and its user information will be added to the system automatically.

l In the imported user-list file, the "username" field should not contain slash/comma/double quotation marks/question mark/@; the "group" field should not contain comma/double quotation marks/question mark.

l In the imported user-list file, the date in the "expire" field should be typed in the format DD/MM/YYYY HH:SS.

l If the user-list is imported as a text file, pay special attention to the following points:

    l Every parameter in the file should be separated by half-width commas.

    l If a parameter does not exist, use a half-width comma to replace it, e.g. "123123,,local".

    l The sequence of the parameters in the first row is fixed and case-insensitive, e.g. "Servername,userName,pAssWord".

    l The file should not contain blank lines or gibberish lines, or it cannot be imported successfully.

    l If the length of a parameter is less or more than its length range, it cannot be imported successfully.
    The length range of "username": 1-63 characters
    The length range of "password": 1-31 characters
    The length range of "phone": 6-15 characters
    The length range of "email": 1-127 characters
    The length range of "description": 0-127 characters
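The notes above list the rules an imported text user-list must satisfy. The following is an added example, not StoneOS code and not the device's own import checks: it reads the comma-separated text format the notes describe (first row = field names, case-insensitive; an absent value left empty between commas; no blank lines) and reports violations of the stated rules: forbidden characters in "username" and "group", the length range of each field, and the "expire" date format. Several details are assumptions made for the example: field names are matched from the header in whatever order they appear, an empty optional field is treated as absent while "username" and "password" are required, and the "HH:SS" time part is checked as two two-digit numbers separated by a colon. The device's password complexity rule is not described on the page and is not checked. The sample rows are constructed.

```python
"""Validate a text user-list file against the import rules before importing.

Added example; not StoneOS code. Column order, required fields and the exact
form of the time part of "expire" are assumptions (see comments).
"""
import re
from typing import Dict, List

LENGTH_RANGES = {            # (min, max) characters, from the page
    "username": (1, 63),
    "password": (1, 31),
    "phone": (6, 15),
    "email": (1, 127),
    "description": (0, 127),
}
FORBIDDEN = {                # characters the page disallows per field
    "username": set('/,"?@'),
    "group": set(',"?'),
}
REQUIRED = {"username", "password"}   # assumption: these may not be empty
# The page writes the format as DD/MM/YYYY HH:SS; assumption: two-digit
# fields separated by a colon.
EXPIRE_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}$")


def check_row(row: Dict[str, str]) -> List[str]:
    """Rule violations for one parsed row (field name -> value)."""
    problems: List[str] = []
    for name, (lo, hi) in LENGTH_RANGES.items():
        if name not in row:
            continue
        value = row[name]
        if value == "" and name not in REQUIRED:
            continue                       # absent optional parameter (",,")
        if not lo <= len(value) <= hi:
            problems.append(f'"{name}" length {len(value)} outside {lo}-{hi}')
    for name, bad in FORBIDDEN.items():
        hit = sorted(bad & set(row.get(name, "")))
        if hit:
            problems.append(f'"{name}" contains forbidden character(s) {"".join(hit)}')
    expire = row.get("expire", "")
    if expire and not EXPIRE_RE.match(expire):
        problems.append('"expire" is not in DD/MM/YYYY HH:SS format')
    return problems


def validate_user_list(text: str) -> List[str]:
    """All problems in a text user-list; an empty list means it can be imported."""
    lines = text.replace("\r\n", "\n").split("\n")
    if lines and lines[-1] == "":
        lines.pop()                        # trailing newline is not a blank line
    if not lines:
        return ["file is empty"]
    header = [h.strip().lower() for h in lines[0].split(",")]  # case-insensitive
    problems: List[str] = []
    for lineno, raw in enumerate(lines[1:], start=2):
        if raw.strip() == "":
            problems.append(f"line {lineno}: blank line")
            continue
        fields = raw.split(",")
        if len(fields) != len(header):
            problems.append(f"line {lineno}: expected {len(header)} fields, got {len(fields)}")
            continue
        row = dict(zip(header, fields))
        problems.extend(f"line {lineno}: {p}" for p in check_row(row))
    return problems


if __name__ == "__main__":
    # Constructed sample file: one valid row, one row with three violations.
    sample = (
        "Servername,userName,pAssWord,group,phone,email,description,expire\n"
        "local,alice,Passw0rd!,staff,,alice@example.com,,31/12/2025 23:59\n"
        "local,al@ice,,staff,,,,2025-12-31\n"
    )
    for problem in validate_user_list(sample):
        print(problem)
```

Because the comma is the field separator in the text format, a value that itself contains a comma cannot be represented; the page already forbids commas in "username" and "group", and the checker reports such a row as having the wrong number of fields.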

Configuring an LDAP User

This section describes how to configure an LDAP user.

Synchronizing Users

To synchronize users from an LDAP server, you first need to configure an LDAP server; refer to "Configuring LDAP Server" on Page 642. To synchronize users:

1. Select Object > User > LDAP User.

2. Select a server from the LDAP Server drop-down list, and click Sync Users.

Notes: By default, after creating an LDAP server, the system synchronizes the users of the LDAP server automatically, and then continues to synchronize every 30 minutes.

Configuring an Active Directory User

This section describes how to configure an Active Directory (AD) user.

Synchronizing Users

To synchronize users from an AD server to the device, you first need to configure an AD server; refer to "Configuring Active Directory Server" on Page 633. To synchronize users, take the following steps:

1. Select Object > User > AD User.

2. Select an AD server from the Active Directory Server drop-down list, and click Sync Users.

Notes: By default, after creating an AD server, the system synchronizes the users of the AD server automatically, and then continues to synchronize every 30 minutes.

Configuring an IP-User Binding

Adding User Binding

To bind an IP or MAC address to a user, take the following steps:

1. Select Object > User > IP-User Binding.

2. Click Add User Binding.

Configure the following options.

User

AAA Server: Select an AAA server from the drop-down list.

User: Select a user for the binding from the drop-down list.

Binding Type

Binding Type: By specifying the binding type, you can bind the user to an IP address or a MAC address.

l IP - If IP is selected, type the IP address into the IP text box. Both IPv4 and IPv6 addresses are supported. Then select a VR from the Virtual Router drop-down list. If needed, select the Check WebAuth IP-User Mapping Relationship check box to apply the IP-User mapping only to the IP-user mapping check during Web authentication.

l MAC - If MAC is selected, type the MAC address into the MAC text box. Then select a VR from the Virtual Router drop-down list.

3. Click OK.

Import Binding

To import a user binding list into the system, take the following steps:

1. Select Object > User > IP-User Binding.

2. Click Import, and the Import User Binding List dialog box pops up.

3. Click Browse to select the file to be imported.

4. Click OK to finish the import.

Export Binding

To export the user binding list from the system to a local file, take the following steps:

1. Select Object > User > IP-User Binding.

2. Select the user category to export (local, LDAP, AD or all users) in the Export drop-down list to open the export dialog box, and select the location to save to.

3. Click OK to finish the export.

Role
Roles are designed with certain privileges. For example, a specific role can gain access to some spe-
cified network resources, or make exclusive use of some bandwidth. In StoneOS, users and priv-
ileges are not directly associated. Instead, they are associated by roles.
The mappings between roles and users are defined by role mapping rules. In function con-
figurations, different roles are assigned with different services. Therefore, the mapped users can
gain the corresponding services as well.
System supports role combination, i.e., the AND, NOT or OR operation on roles. If a role is used
by different modules, the user will be mapped to the result role generated by the specified oper-
ation.
System supports the following role-based functions:

l Role-based policy rules: Implements access control for users of different types.

l Role-based QoS: Implements QoS for users of different types.

l Role-based statistics: Collects statistics on bandwidth, sessions and new sessions for users of
different types.

l Role-based session limits: Implements session limits for specific users.

l SCVPN role-based host security detection: Implements control over accesses to specific
resources for users of different types.

l Role-based PBR: Implements routing for users of different types.

Configuring a Role

Creating a Role

To create a role, take the following steps:

1. Select Object > Role > Role.

2. Click New.

Configure the following options.

Option Description

Role Name Type the role name into the Role Name box.

Description Type the description for the role into the Description
box.

3. Click OK.

Mapping to a Role Mapping Rule

You can map the role to user, user group, CN or OU through this function or Creating a Role Map-
ping Rule. After Creating a Role Mapping Rule, you can click Mapping To to map the selected
role again.
To map the selected role again, take the following steps:

1. Select Object > Role > Role.

2. Select the role that needs to be mapped, and click Mapping To.

3. In the Mapping name section, select a created mapping rule name from the first drop-down list (for detailed information on creating a role mapping rule, see Creating a Role Mapping Rule), and then select a user, user group, certificate name (the CN field of the USB Key certificate), organization unit (the OU field of the USB Key certificate) or any from the second drop-down list. If User, User group, CN or OU is selected, also select or enter the corresponding user name, user group name, CN or OU in the box behind.

4. Click Add to add to the role mapping list.

5. If needed, repeat Step 3 and Step 4 to add more mappings. To delete a role mapping, select
the role mapping you want to delete from the mapping list, and click Delete.

6. Click OK.

Creating a Role Mapping Rule


To create a role mapping rule, take the following steps:

1. Select Object > Role > Role Mapping .

2. Click New.

3. Type the name for the role mapping rule into the Name box.

4. In the Member section, select a role name from the first drop-down list, and then select a
user, user group, certificate name (the CN field of USB Key certificate) or organization unit
(the OU field of USB Key certificate) from the second drop-down list. If User, User group,
CN or OU is selected, also select or enter the corresponding user name, user group name,
CN or OU into the box behind.

5. Click Add to add to the role mapping list.

6. If needed, repeat Step 4 and Step 5 to add more mappings. To delete a role mapping, select
the role mapping you want to delete from the mapping list, and click Delete.

7. Click OK.

Creating a Role Combination


To create a role combination, take the following steps:

1. Select Object > Role > Role Combination.

2. Click New.

Configure the following options.

Option Description

First Prefix: Specifies a prefix for the first role in the role regular expression.

First Role: Select a role name from the First Role drop-down list to specify a name for the first role in the role regular expression.

Operator: Specifies an operator for the role regular expression.

Second Prefix: Specifies a prefix for the second role in the role regular expression.

Second Role: Select a role name from the Second Role drop-down list to specify a name for the second role in the role regular expression.

Result Role: Select a role name from the Result Role drop-down list to specify a name for the result role in the role regular expression.

3. Click OK.

Track Object
The devices provide the track object to track if the specified object (IP address or host) is reach-
able or if the specified interface is connected. This function is designed to track HA and inter-
faces.

Creating a Track Object


To create a track object, take the following steps:

1. Select Object > Track Object.

2. Click New.

Configure the following options.

Option Description

Name: Specifies a name for the new track object.

Threshold: Type the threshold for the track object into the text box. If the sum of the weights of failed entries in the track object exceeds the threshold, the system concludes that the whole track object fails.

Track Type: Select a track object type. One track object can only be configured with one type.

Select the Interface radio button:

l Click Add in the Add Track Members section and then configure the following options in the Add Interfaces dialog box:

    l Interface - Select a track interface from the drop-down list.

    l Weight - Specifies a weight for the interface, i.e. the weight this track entry contributes to the overall failure of the whole track object if the entry fails.

Select the HTTP/ICMP/ICMPv6/ARP/NDP/DNS/TCP radio button:

l Click Add, select a packet type from the drop-down list, and then configure the following options in the Add HTTP/ICMP/ICMPv6/ARP/NDP/DNS/TCP Member dialog box:

    l IP Type - Specifies the IP type for the track object when the track is implemented by HTTP/DNS/TCP packets.

    l IP/Host - Specifies an IP address or host name for the track object when the track is implemented by HTTP/ICMP/ICMPv6/TCP packets. IP - Specifies an IP address for the track object when the track is implemented by ARP/NDP packets. DNS - Specifies an IP address for the track object when the track is implemented by DNS packets.

    l Weight - Specifies the weight this track entry contributes to the overall failure of the whole track object if the entry fails.

    l Retries - Specifies a retry threshold. If no response packet is received after the specified number of retries, the system determines that this track entry fails, i.e., the track entry is unreachable. The value range is 1 to 255. The default value is 3.

    l Interval - Specifies an interval for sending packets. The value range is 1 to 255 seconds. The default value is 3.

    l Egress Interface - Specifies an egress interface from which HTTP/ICMP/ICMPv6/ARP/NDP/DNS/TCP packets are sent.

    l Source Interface - Specifies a source interface for HTTP/ICMP/ICMPv6/ARP/DNS/TCP packets.

Select the Traffic Quality radio button:

l Click Add in the Add Track Members section and then configure the following options in the Add Traffic Quality Member dialog box:

    l IP Type - Specifies the address type of the traffic quality member, IPv4 or IPv6. When "IPv4" is specified, only the IPv4 traffic of the tracked interface is tracked; when "IPv6" is specified, only the IPv6 traffic of the tracked interface is tracked.

    l Interface - Specifies the name of the tracked interface.

    l Interval - Specifies the duration of each track period, in seconds. The value range is 1 to 255. The default value is 3. After a track period finishes, the system resets the tracked value of new sessions.

    l Retries - Specifies the threshold at which the track entry is concluded to have failed. The value range is 1 to 255. The default value is 3.

    l Weight - Specifies how much this track failure counts toward the judgment of track object failure. The value range is 1 to 255. The default value is 255.

    l Low Watermark - Specifies the failure threshold of the new session success rate. The value range is 0 to 100. The default value is 30. During a track period, when the new session success rate is below the specified low watermark, the system concludes that the track has failed.

    l High Watermark - Specifies the success threshold of the new session success rate. The value range is 0 to 100. The default value is 50. During a track period, when the new session success rate exceeds the specified high watermark, the system concludes that the track is successful.

Note: During a track period, when the new session success rate is equal to or exceeds the low watermark, and is equal to or below the high watermark,

HA sync: Select this check box to enable the HA sync function. The primary device will synchronize its information with the backup device.

3. Click OK. The created track object will be displayed in the track object list.

Track Object List
The track object list displays information about the configured track objects in the system, including Status, Name, Threshold, Type, and Referenced by. The Referenced by column displays the functional module bound to the track object, which can be an interface, HA, a policy-based route, or vsys-track-status (non-root VSYS). Click the functional module to view details about it. When the track object is not bound to any module, or has been unbound, the Referenced by column displays No Reference.

Notes:
l A track object can be bound to only one module.

l In a non-root VSYS, you need to create a track object before binding it. After binding, vsys-track-status is displayed in the Referenced by column of the track object list. You cannot view details about vsys-track-status.

l In a non-root VSYS, track objects can be bound by interfaces and policy-based routes, but cannot be bound by HA. After binding, you can view details about the related items in the track object list.

For information on how interfaces, HA, policy-based routes, and non-root VSYS bind track
objects, see:

l Interface: An Interface binds a track object.

l HA: An HA binds a track object.

l Policy-based Route: A policy-based route binds a track object.

l Non-root VSYS: Binding a track object in a non-root VSYS only supports command-line configuration. For details, refer to the chapter Configuring VSYS in the StoneOS CLI User Guide.
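The Traffic Quality track member options above (Interval, Retries, Weight, Low Watermark, High Watermark) describe a mechanism, so the following Python model, added here and not part of the StoneOS product or this guide, shows how those settings interact on constructed sample periods. It assumes that between the two watermarks the previous period's result is kept (the guide's note on this case is cut off), that a period with no new sessions counts as successful, and that a track object fails when the weights of its failed members reach its Threshold; the interface name ethernet0/1 is a constructed sample.

```python
"""Model of Traffic Quality track members and track object failure (added example)."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class TrafficQualityMember:
    """One Traffic Quality track member with the options from the table above."""
    interface: str
    retries: int = 3           # failed periods in a row before the entry counts as failed
    weight: int = 255          # contribution of this entry to track object failure
    low_watermark: int = 30    # percent; below it the period is concluded as failed
    high_watermark: int = 50   # percent; above it the period is concluded as successful
    failed_periods: int = 0    # consecutive failed periods seen so far
    last_result_failed: bool = False  # assumption: a new member starts as successful

    def end_period(self, new_sessions: int, successful: int) -> bool:
        """Evaluate one finished track period; return True if the entry is failed.

        The success rate is compared with the two watermarks; between them the
        result of the previous period is kept (hysteresis, assumed from the
        guide's truncated note). A period with no new sessions is treated as
        100 % (assumption).
        """
        rate = 100.0 * successful / new_sessions if new_sessions else 100.0
        if rate < self.low_watermark:
            self.last_result_failed = True
        elif rate > self.high_watermark:
            self.last_result_failed = False
        if self.last_result_failed:
            self.failed_periods += 1
        else:
            self.failed_periods = 0  # the counter resets with every successful period
        return self.is_failed()

    def is_failed(self) -> bool:
        return self.failed_periods >= self.retries


@dataclass
class TrackObject:
    """Track object: fails when the weights of failed members reach its threshold
    (assumption about how Threshold and Weight combine; the guide lists both)."""
    name: str
    threshold: int
    members: List[TrafficQualityMember] = field(default_factory=list)

    def is_failed(self) -> bool:
        failed_weight = sum(m.weight for m in self.members if m.is_failed())
        return failed_weight >= self.threshold


def simulate(member: TrafficQualityMember, periods: List[Tuple[int, int]]) -> List[bool]:
    """Feed (new_sessions, successful) pairs period by period and return the
    per-period failed status, so a run can be inspected."""
    return [member.end_period(n, ok) for n, ok in periods]


if __name__ == "__main__":
    # Constructed sample: three bad periods (20 %, 40 % in between, 10 %), then recovery.
    m = TrafficQualityMember("ethernet0/1")
    track = TrackObject("isp1", threshold=255, members=[m])
    print(simulate(m, [(100, 20), (100, 40), (100, 10)]), track.is_failed())
    print(simulate(m, [(100, 60)]), track.is_failed())
```

The second period in the sample sits between the watermarks, so the member stays in the failed state it entered during the first period; that is why three consecutive periods reach the Retries threshold even though only two of them were below the low watermark.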

URL Filtering
URL filtering controls access to certain websites and records log messages for the access actions. URL filtering helps you control network behaviors in the following aspects:

l Access control to certain categories of websites, such as gambling and pornographic websites.

l Access control to certain categories of websites during a specified period. For example, forbid access to IM websites during office hours.

l Access control to websites whose URL contains specified keywords. For example, forbid access to URLs that contain the keyword game.

If IPv6 is enabled, you can configure URLs and keywords for both IPv4 and IPv6 addresses. For how to enable IPv6, see StoneOS_CLI_User_Guide_IPv6.

Configuring URL Filtering


Configuring URL filtering consists of two parts:

l Create a URL filtering rule

l Bind a URL filtering rule to a security zone or policy rule

Part 1: Creating a URL filtering rule

1. Select Object > URL Filtering > Profile.

2. Click New.

Configure the following options.

Option Description

Name Specifies the name of the rule. You can configure the same URL filtering rule name in different VSYSs.

Safe Search Many search engines, such as Google, Bing, Yahoo!, Yandex, and YouTube, have a "SafeSearch" setting which filters adult content and returns search results at different levels based on the setting. The system supports a safe search function in the URL filtering profile that detects the search engine's "SafeSearch" setting and performs the corresponding control action. Select the Enable check box to enable the safe search function.

Notes:
l The safe search function can currently only be used with the following search engines: Google, Bing, Yahoo!, Yandex, and YouTube.

l The safe search function can only be used in combination with the SSL proxy function, because the search engines use the HTTPS protocol. Therefore, when "SafeSearch" is enabled, enable the SSL proxy function for the policy rule which is bound with the URL filter profile.

l To ensure that Google's "SafeSearch" function takes effect, you need to configure policy rules to block UDP port 80 and UDP port 443.

Control Action Specifies the safe search action.
o Block: Select the check box to specify the action as block. When the "SafeSearch" setting of the search engine is not set, users will be prevented from accessing the search page, and a warning page will pop up which provides users with the link for the "SafeSearch" setting.
o Enforce: Select the check box to specify the action as enforce. When the "SafeSearch" setting of the search engine is not set, system will force it to the "strict" level.

3. In the URL Category part, configure the URL category control type, which lets URL filtering rules control access to certain categories of websites.

In the URL Category part, configure the following options.

Option Description

New Creates a new URL category. For more information about URL categories, see "User-defined URL DB" on Page 688.


Edit Select a URL category from the list, and click Edit to edit the selected URL category. URL Keyword Category controls access to the website whose URL contains the specified keywords. Click the URL Keyword Category option to configure it. The options are:

l New: Creates new keyword categories. For more information about keyword categories, see "Keyword Category" on Page 693.

l Edit: Select a URL keyword category from the list, and click Edit to edit the selected URL keyword category.

l Keyword category: Shows the names of the configured keyword categories.

l Block: Select the check box to block access to the website whose URL contains the specified keywords.

l Log: Select the check box to log access to the website whose URL contains the specified keywords.

l Other URLs: Specifies the actions for URLs that do not contain the keywords in the list, including Block Access and Record Log.

URL category Shows the names of the pre-defined and user-defined URL categories in the VSYS.

Block Select the check box to block access to the corresponding URL category.

Log Select the check box to log access to the corresponding URL category.

Other URLs Specifies the actions for URLs that are not in the list, including Block Access and Record Log.

SSL inspection Select the Enable button to enable SSL negotiation packet inspection. For HTTPS traffic, after this feature is configured, system can acquire the domain name of the site you want to access from the SSL negotiation packets, and then perform URL filtering according to that domain name. If SSL proxy is configured at the same time, the SSL negotiation packet inspection method will be preferred for URL filtering.

4. In the URL Keyword Category part, configure the URL keyword category control type, which lets URL filtering rules control access to websites whose URL contains the specified keywords.

In the URL Keyword Category part, configure the following options.

Option Description

New Creates new keyword categories. For more information about keyword categories, see "Keyword Category" on Page 693.


Edit Select a URL keyword category from the list, and click Edit to edit the selected URL keyword category.

Keyword category Shows the names of the configured keyword categories.

Block Select the check box to block access to the website whose URL contains the specified keywords.

Log Select the check box to log access to the website whose URL contains the specified keywords.

Other URLs Specifies the actions for URLs that do not contain the keywords in the list, including Block Access and Record Log.

5. Click OK to save the settings.

Notes: A URL filtering rule can be configured with both the URL category and the URL keyword category control types.

Part 2: Binding a URL filtering rule to a security zone or security policy rule
The URL filtering configurations are based on security zones or policies.

l If a security zone is configured with the URL filtering function, system will perform detection on the traffic that is destined to the binding zone specified in the rule, and then act as you specified.

l If a policy rule is configured with the URL filtering function, system will perform detection on the traffic that matches the policy rule you specified, and then respond as configured.

l The threat protection configurations in a policy rule take precedence over those in a zone rule if both are specified, and the URL filtering configurations in a destination zone take precedence over those in a source zone if both are specified.

To create the zone-based URL filtering, take the following steps:

1. Create a zone. For more information about how to create this, refer to "Security Zone" on
Page 85.

2. In the Zone Configuration dialog box, select the Threat Protection tab.

3. Enable the threat protection that you need, and select the URL filtering rules from the pro-
file drop-down list below; you can click Add Profile from the profile drop-down list below
to create a URL filtering rule. For more information, see "Part 1: Creating a URL filtering
rule" on Page 677.

4. Click OK to save the settings.

To create the policy-based URL filtering, take the following steps:

1. Configure a security policy rule. For more information, see "Configuring a Security Policy
Rule" on Page 789.

2. In the Protection tab, select the Enable check box of URL Filtering.

3. From the Profile drop-down list, select a URL filtering rule. You can also click Add Profile
to create a new URL filtering rule.

4. Click OK to save the settings.

If necessary, you can go on to configure the functions of "Predefined URL DB" on Page 687,
"URL Lookup" on Page 691, and "Warning Page" on Page 695.

Object Description

Predefined URL DB The predefined URL database includes dozens of categories and tens of millions of URLs, and you can use it to specify the URL categories.

URL Lookup Use the URL lookup function to inquire URL information
from the URL database, including the URL category and the
category type.

Warning Page l Block warning: When your network access is blocked, a warning page will prompt in the Web browser.

l Audit warning: When your network access is audited, a warning page will prompt in the Web browser.

Notes:
l Only after canceling the binding can you delete the URL filtering rule.

l To get the latest URL categories, it is recommended that you update the URL database first. For more information about the URL database, see "Predefined URL DB" on Page 687.

Cloning a URL filtering Rule

System supports rapidly cloning a URL filtering rule. You can generate a new URL filtering rule by cloning an existing one and modifying some of its parameters.
To clone a URL filtering rule, take the following steps:

1. Select Object > URL Filtering.

2. Select a URL filtering rule in the list.

3. Click the Clone button above the list, and the Name configuration box will appear below
the button. Then enter the name of the new URL filtering rule.

4. The cloned URL filtering rule will be generated in the list.

Viewing URL Hit Statistics


The URL access statistics include the following parts:

l Summary: Displays statistics for the top 10 users/IPs, the top 10 URLs, and the top 10 URL categories during the specified period of time.

l User/IP: The user/IP and detailed hit count are displayed.

l URL: The URL and detailed hit count are displayed.

l URL Category: The URL category and detailed hit count and traffic are displayed.

To view the URL hit statistics, see "URL Hit" on Page 1102 in Monitor.

l To view the URL hit statistics, enable URL Hit in Monitor Configuration.

l To view the traffic of the URL category, enable URL Hit and URL Category Bandwidth in
Monitor Configuration.

Viewing Web Surfing Records


To view the Web surfing records, see "URL Log" on Page 1173. Before you view the Web surfing records, see "Log Configuration" on Page 1179 to enable the URL Log function.

Configuring URL Filtering Objects


When using URL filtering function, you need to configure the following objects:

Object Description

Predefined URL DB The predefined URL database includes dozens of categories and tens of millions of URLs, and you can use it to specify the URL categories.

User-defined The user-defined URL database is defined by you and you can
URL DB use it to specify the URL category.

URL Lookup Use the URL lookup function to inquire URL information
from the URL database.

Keyword Cat- Use the keyword category function to view the predefined
egory keyword categories and customize the keyword categories.

Warning Page Enable or disable the warning page.

l Block warning: When your network access is blocked, a warning page will prompt in the Web browser.

l Audit warning: When your network access is audited, a warning page will prompt in the Web browser.

Predefined URL DB

System contains a predefined URL database.

Notes: The predefined URL database is controlled by a license. The predefined URL database can be used only after a URL license is installed.

The predefined URL database provides URL categories for the configuration of URL filtering. It includes dozens of categories and tens of millions of URLs.
When identifying the URL category, the user-defined URL database has a higher priority than the predefined URL database.

Configuring Predefined URL Database Update Parameters

By default, system updates the predefined URL database every day. You can change the update parameters according to your own requirements. Currently, two default update servers are provided: https://update1.hillstonenet.com and https://update2.hillstonenet.com. Besides, you can update the predefined URL database from your local disk. For more information about how to change the update parameters, see Updating Signature Database.

Upgrading Predefined URL Database Online

To upgrade the URL database online, take the following steps:

1. Select System > Upgrade Management > Signature Database Update.

2. In the URL category database update section, click Update to update the predefined URL
database.

Upgrading Predefined URL Database from Local

To upgrade the predefined URL database from local, take the following steps:

1. Select System > Upgrade Management > Signature Database Update.

2. In the URL category database update section, click Browse to select the URL database file
from your local disk.

3. Click Upload to update the predefined URL database.

Notes: You cannot upgrade the predefined URL database from local in a non-root VSYS.

User-defined URL DB

Besides the categories in the predefined URL database, you can also create user-defined URL categories, which provide URL categories for the configuration of URL filtering. When identifying the URL category, the user-defined URL database has a higher priority than the predefined URL database.
System provides three predefined URL categories: custom1, custom2, custom3. You can import your own URL lists into one of these predefined URL categories.

Notes: You cannot import your own URL lists into the predefined URL categories in a non-root VSYS.

Configuring User-defined URL DB

To configure a user-defined URL category, take the following steps:

1. Select Object > URL Filtering.

2. At the top-right corner, select Configuration > User-defined URL DB. The User-defined
URL DB dialog box will appear.

3. Click New. The URL Category dialog box will appear.

4. Type the category name in the Category box. The URL category name cannot consist only of a hyphen (-). You can create at most 16 user-defined categories.

5. Type a URL into the URL http(s):// box.

6. Click Add to add the URL and its category to the table.

7. To edit an existing one, select it and then click Edit. After editing it, click Add to save the
changes.

8. Click OK to save the settings.

Importing User-defined URL

System supports batch importing user-defined URL lists into the predefined URL categories named custom1/2/3. To import user-defined URLs, take the following steps:

1. Select Object > URL Filtering.

2. At the top-right corner, select Configuration > User-defined URL DB. The User-defined
URL DB dialog box will appear.

3. Select one of the predefined URL categories (custom1/2/3), and then click Import.

4. In the Batch Import URL dialog box, click the Browse button to select your local URL file. The file should be less than 1 M and contain at most 1000 URLs. A wildcard can be used once in the URL file, and it must be located at the start of the address.

5. Click OK to finish importing.
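The import step above states three limits on the URL file (size under 1 M, at most 1000 URLs, a single wildcard that must lead the address). The following Python checker, an added example that is not part of StoneOS or this guide, validates a file against those limits before it is uploaded, so a rejected import can be diagnosed offline. It assumes one URL per line, that blank lines are ignored, that "1 M" means 1 MiB, that the wildcard character is `*`, and that "once" applies per URL entry; the sample file contents are constructed.

```python
"""Pre-upload checker for a user-defined URL import file (added example)."""
from typing import List, Optional

MAX_FILE_BYTES = 1 * 1024 * 1024   # "less than 1 M", read as 1 MiB (assumption)
MAX_URLS = 1000                     # "at most 1000 URLs"
WILDCARD = "*"                      # wildcard character assumed to be '*'

# Constructed sample file: one URL per line, one entry using a leading wildcard.
SAMPLE_FILE = b"example.com\n*.example.org\nportal.example.net/path\n"


def check_entry(entry: str) -> Optional[str]:
    """Return a description of the defect in one URL entry, or None if it passes."""
    if not entry:
        return "empty entry"
    if any(ch.isspace() for ch in entry):
        return "whitespace inside entry"
    wildcards = entry.count(WILDCARD)
    if wildcards > 1:
        return "more than one wildcard"          # the guide allows the wildcard once
    if wildcards == 1 and not entry.startswith(WILDCARD):
        return "wildcard must be at the start of the address"
    return None


def validate_import_file(data: bytes) -> List[str]:
    """Return the list of problems found; an empty list means the file passes."""
    problems: List[str] = []
    if len(data) >= MAX_FILE_BYTES:
        problems.append(f"file is {len(data)} bytes; it must be less than {MAX_FILE_BYTES}")
    lines = data.decode("utf-8", errors="replace").splitlines()
    entries = [ln.strip() for ln in lines if ln.strip()]   # blank lines ignored (assumption)
    if len(entries) > MAX_URLS:
        problems.append(f"{len(entries)} URLs; at most {MAX_URLS} are allowed")
    for index, entry in enumerate(entries, start=1):
        defect = check_entry(entry)
        if defect:
            problems.append(f"entry {index} ({entry!r}): {defect}")
    return problems


if __name__ == "__main__":
    for name, content in [("sample", SAMPLE_FILE), ("bad", b"ex*ample.com\n*.a.*\n")]:
        print(name, validate_import_file(content) or "OK")
```

Running the checker on the constructed bad file reports both the misplaced wildcard and the doubled one, each with its entry number, which is more than the WebUI's import dialog tells you when it rejects a file.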

Clearing User-defined URL

To clear the user-defined URLs in the predefined URL category named custom1/2/3, take the following steps:

1. Select Object > URL Filtering.

2. At the top-right corner, select Configuration > User-defined URL DB. The User-defined
URL DB dialog box will appear.

3. Select one of the predefined URL categories (custom1/2/3), and then click Clear. The URLs in custom1/2/3 will be cleared from the system.

URL Lookup

You can look up a URL to view its details, including the URL category and the category type.

Inquiring URL Information

To inquire URL information, take the following steps:

1. Select Object > URL Filtering.

2. At the top-right corner, click Configuration > URL Lookup. The URL Lookup dialog box
will appear.

3. Type the URL into the Please enter the URL to inquire box.

4. Click Inquire, and the results will be displayed at the bottom of the dialog box.

Configuring URL Lookup Servers

A URL lookup server can classify an uncategorized URL (a URL that is neither in the predefined URL database nor in the user-defined URL database) that you have accessed, and then add it to the URL database during database updating. Two default URL lookup servers are provided: url1.hillstonenet.com and url2.hillstonenet.com. By default, the URL lookup servers are enabled.
To configure a URL lookup server, take the following steps:

1. Select Object > URL Filtering > Profile.

2. At the top-right corner, select Configuration > Predefined URL DB. The Predefined URL DB dialog box will appear.

3. Click Inquiry Server Configuration. The Predefined URL DB Inquiry Server Configuration
dialog box will appear.

4. In the Inquiry server section, double-click the cell in the IP/Port/Virtual Router column of
Server1/2 and type a new value.

5. Select the check box in the Enable column to enable this URL lookup server.

6. Click OK to save the settings.

Keyword Category

Keyword categories include predefined keyword categories and custom keyword categories, which are used in the URL filtering function. You can use the predefined keyword categories or customize keyword categories as needed. System provides two predefined keyword categories, predef_cellphone_number (keyword for mobile phone numbers) and predef_mainland_id_card (keyword for ID numbers), which cannot be edited or deleted.
After configuring a URL filtering rule, system will scan traffic according to the configured keywords and calculate the trust value for the hit keywords. The calculation method is: for each keyword that belongs to the category, multiply the number of occurrences by the keyword's trust value, and add up the results. Then system compares the sum with the threshold 100 and performs the following actions according to the comparison result:

l If the sum is larger than or equal to category threshold (100), the configured category action
will be triggered;

l If more than one category action can be triggered and a block action is configured, the final action will be Block;

l If more than one category action can be triggered and all the configured actions are Permit, the
final action will be Permit.

For example, a URL filtering rule contains two keyword categories: C1 with action block and C2 with action permit. Both C1 and C2 contain the same keywords K1 and K2. The trust values of K1 and K2 in C1 are 20 and 40. The trust values of K1 and K2 in C2 are 30 and 80.
If system detects 1 occurrence each of K1 and K2 on a URL, then the C1 trust value is 20*1+40*1=60<100, and the C2 trust value is 30*1+80*1=110>100. As a result, the C2 action is triggered and the URL access is permitted.
If system detects 3 occurrences of K1 and 1 occurrence of K2 on a URL, then the C1 trust value is 20*3+40*1=100, and the C2 trust value is 30*3+80*1=170>100. The conditions for both C1 and C2 are satisfied, but the block action for C1 is triggered, so the web page access is denied.
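The trust-value calculation and the two worked cases above can be reproduced with the following Python model, an added example that is not part of StoneOS or this guide. It implements the three decision rules as stated (sum of occurrences times trust value per category, threshold 100, Block wins over Permit) and uses the C1/C2 categories and K1/K2 keywords from the example; the "no-match" result for the case where no category reaches 100 is an assumption, since the guide does not say what happens then, and only the simple (literal) matching method is modelled, not regular expressions.

```python
"""Keyword category trust-value scoring as described in the guide (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List

CATEGORY_THRESHOLD = 100  # fixed category threshold stated in the guide


@dataclass
class KeywordCategory:
    name: str
    action: str                                           # "block" or "permit"
    trust: Dict[str, int] = field(default_factory=dict)   # keyword -> trust value

    def score(self, hits: Dict[str, int]) -> int:
        """Sum of occurrences * trust value over the keywords of this category."""
        return sum(count * self.trust[kw] for kw, count in hits.items() if kw in self.trust)


def count_hits(text: str, keywords: List[str]) -> Dict[str, int]:
    """Count non-overlapping literal occurrences of each keyword in the scanned
    text (the 'simple' matching method; regular expressions are not modelled)."""
    return {kw: text.count(kw) for kw in keywords}


def decide(categories: List[KeywordCategory], hits: Dict[str, int]) -> str:
    """Apply the guide's rules:
    - a category triggers when its score is >= 100;
    - if any triggered category is configured to block, the result is block;
    - if all triggered categories permit, the result is permit.
    With no triggered category nothing is enforced ("no-match", an assumption)."""
    triggered = [c for c in categories if c.score(hits) >= CATEGORY_THRESHOLD]
    if not triggered:
        return "no-match"
    if any(c.action == "block" for c in triggered):
        return "block"
    return "permit"


# The categories from the guide's example.
C1 = KeywordCategory("C1", "block", {"K1": 20, "K2": 40})
C2 = KeywordCategory("C2", "permit", {"K1": 30, "K2": 80})

if __name__ == "__main__":
    # Constructed URLs carrying the keywords; results match the guide's two cases.
    for url in ["http://h.example/K1-K2", "http://h.example/K1K1K1-K2"]:
        hits = count_hits(url, ["K1", "K2"])
        print(url, {c.name: c.score(hits) for c in (C1, C2)}, decide([C1, C2], hits))
```

Note that a permit category reaching its threshold does not protect the request: in the second case C2 scores 170 and C1 only exactly 100, yet Block wins, which is the behaviour to keep in mind when a permissive category shares keywords with a blocking one.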

Configuring a Keyword Category

To configure a keyword category, take the following steps:

1. Select Object > URL Filtering.

2. At the top-right corner, select Configuration > Keyword Category. The Keyword Category
page will appear.

3. The Keyword Category page displays the predefined keyword categories and the custom keyword categories you have created.

4. Click New. The Keyword Category Configuration page will appear.

5. Type the category name.

6. Click New. In the slide area, specify the keyword, character matching method (sim-
ple/regular expression), and trust value (100 by default).

7. Click Add to add the keyword to the list below.

8. Repeat the above steps to add more keywords.

9. To delete a keyword, select the keyword you want to delete from the list and click Delete.

10. Click OK to save your settings.

Warning Page

The warning page shows the user block information and user audit information. You can enable or
disable the warning page as needed.
The warning page includes the predefined warning page and the user-defined warning page.

l Predefined warning page: Displays the predefined warning content, including prompt information and warning reasons.

l User-defined warning page: You can customize the warning page with custom warning information and pictures. For details, please refer to "Warning Page Management" on Page 1275.

Enabling/ Disabling the Block Warning

The block warning is disabled by default. If the Internet behavior is blocked by the URL filtering function, Internet access will be denied. An Access Denied message will be shown in your browser, and some web surfing rules will be shown on the warning page at the same time. According to the network behavior, the predefined warning page covers the following two situations:

l Visiting a certain type of URL.

l Visiting a URL that contains a certain type of keyword category.

To enable or disable the block warning, take the following steps:

1. Click Object > URL Filtering > Profile.

2. At the top-right corner, select Configuration > Warning Page. The Warning Page dialog box
will appear.

3. In the Block Warning section, select Enable. To disable this function, unselect the Enable
check box.

4. Configure the display information in the blocking warning page.

Option Description

Default Use the default blocking warning page as shown above. After selecting the Default radio button:

l If the user-defined warning page is not configured, the predefined warning page will be used.

l If the user-defined warning page is configured and enabled, the user-defined warning page will be used.

Redirect page Redirect to the specified URL. Type the URL in the URL
http:// box. You can click Detection to verify whether
the URL is valid.

5. Click OK to save the settings.

Enabling/ Disabling the Audit Warning

The audit warning function is disabled by default. After enabling the audit warning function, when
your network behavior matches the configured URL filtering rule, your HTTP request will be
redirected to a warning page where the audit and privacy protection information is displayed. See
the picture below:

To enable or disable the audit warning function, take the following steps:

1. Select Object > URL Filtering.

2. At the top-right corner, select Configuration > Warning Page. The Warning Page dialog box
will appear.

3. In the Audit Warning section, select Enable. To disable this function, unselect the Enable check box.

l If the user-defined warning page is not configured, the predefined warning page will be used.

l If the user-defined warning page is configured and enabled, the user-defined warning page will be used.
For details, please refer to "Warning Page Management" on Page 1275.

4. Click OK to save the settings.

First Access of Uncategorized URL

For an uncategorized URL that you visit for the first time, that is, a URL which is neither in the system's predefined URL database nor in the user-defined URL database, system will continue to query the category of the URL in the cloud. Because the query may take a little while, system cannot process the uncategorized URL until the query result is returned.
To solve this problem, you can specify the waiting time of the query and enable the block action when the waiting time is exceeded. After the waiting time of the query is exceeded, system will block access to the uncategorized URL.
To configure the first access of an uncategorized URL, take the following steps:

1. Select Object > URL Filtering > Profile.

2. At the top-right corner, select Configuration > First Access of Uncategorized URL. The First Access of Uncategorized URL dialog box will appear.

3. Type the waiting time value of the query into the Waiting Time of Query text box. The range is 0 to 5000 ms. The default value is 0, which means there is no wait time limit.

4. Select the Enable check box after Block after Waiting Timeout to enable the block action: after the waiting time of the query is exceeded, system will block access to the uncategorized URL. If the Enable check box is cleared, after the waiting time of the query is exceeded, system will continue to perform URL filtering according to the configuration of the URL filtering profile.

5. Click OK to save the settings.

Configuring the URL Blacklist/Whitelist


You can further control the access to some websites by configuring URL blacklists and whitelists.

l After the URL blacklist is configured, when you send an access request to the specified URL
in the blacklist, the system will block the request.

l After the URL whitelist is configured, when you send an access request to the specified URL in the whitelist, system will not perform URL filtering for the access request and will let the request pass.

l When the URL blacklist, the URL whitelist and the URL filtering rule are all configured with URL categories, the matching priority for URL category filtering is: URL blacklist > URL whitelist > URL filtering rule.

Notes:
l A URL category can be referenced by only one object (URL blacklist, URL whitelist or URL filtering profile). For example, when the URL category "Advertisement" has been added to the URL blacklist, this URL category cannot be added to the URL whitelist, and it will not be referenced in the URL filtering profile.

l Non-root VSYS does not support the URL blacklist/whitelist function, and the URL blacklist/whitelist configuration under the root VSYS does not take effect in and has no effect on a non-root VSYS.
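The matching order above (user-defined URL DB before predefined URL DB when categorizing; then URL blacklist > URL whitelist > URL filtering rule), together with the note that a URL category may be referenced by only one object, can be summarised in the following Python model. It is an added example, not StoneOS code, and it assumes host-level matching where a user-defined entry written as `*.suffix` matches any host ending in that suffix, that categories absent from the profile fall under the "Other URLs" action (default permit here), and that an uncategorized host is left to the First Access of Uncategorized URL settings; all hostnames and category names other than "Advertisement" and custom1/custom2 are constructed.

```python
"""URL filtering lookup and matching priority (added example, not StoneOS code)."""
from typing import Dict, Optional, Set

WILDCARD = "*"   # assumption: a user-defined entry may start with '*' (e.g. *.example.com)


def lookup(db: Dict[str, str], host: str) -> Optional[str]:
    """Return the category of host from one URL database, or None.

    Exact entries match first; an entry '*.suffix' matches any host ending in
    '.suffix' (matching rule assumed; the guide only states a leading wildcard).
    """
    if host in db:
        return db[host]
    for entry, category in db.items():
        if entry.startswith(WILDCARD) and host.endswith(entry[1:]):
            return category
    return None


class UrlFilterConfig:
    def __init__(self, predefined: Dict[str, str], user_defined: Dict[str, str],
                 other_urls_action: str = "permit"):
        self.predefined = predefined          # host -> category, from the predefined DB
        self.user_defined = user_defined      # host -> category, from the user-defined DB
        self.other_urls_action = other_urls_action   # "Other URLs" action (assumed default)
        self.blacklist: Set[str] = set()
        self.whitelist: Set[str] = set()
        self.profile: Dict[str, str] = {}     # category -> "block" or "permit"

    def _check_unreferenced(self, category: str) -> None:
        """A category may be referenced by only one object (guide's note)."""
        if category in self.blacklist or category in self.whitelist or category in self.profile:
            raise ValueError(f"URL category {category!r} is already referenced")

    def add_to_blacklist(self, category: str) -> None:
        self._check_unreferenced(category)
        self.blacklist.add(category)

    def add_to_whitelist(self, category: str) -> None:
        self._check_unreferenced(category)
        self.whitelist.add(category)

    def set_profile_action(self, category: str, action: str) -> None:
        self._check_unreferenced(category)
        self.profile[category] = action

    def categorize(self, host: str) -> Optional[str]:
        # The user-defined URL database has priority over the predefined one.
        return lookup(self.user_defined, host) or lookup(self.predefined, host)

    def evaluate(self, host: str) -> str:
        category = self.categorize(host)
        if category is None:
            return "uncategorized"   # left to the First Access of Uncategorized URL settings
        if category in self.blacklist:
            return "block"           # blacklist wins over everything else
        if category in self.whitelist:
            return "bypass"          # URL filtering is skipped for the request
        return self.profile.get(category, self.other_urls_action)


def build_sample_config() -> UrlFilterConfig:
    """Constructed sample: the same host is categorised differently by the two DBs."""
    cfg = UrlFilterConfig(
        predefined={"games.example.com": "Games", "ads.example.net": "Advertisement"},
        user_defined={"games.example.com": "custom1", "*.intranet.example": "custom2"},
    )
    cfg.add_to_blacklist("Advertisement")
    cfg.add_to_whitelist("custom2")
    cfg.set_profile_action("custom1", "block")
    cfg.set_profile_action("Games", "permit")
    return cfg


if __name__ == "__main__":
    cfg = build_sample_config()
    for host in ["games.example.com", "ads.example.net", "wiki.intranet.example", "unknown.example"]:
        print(host, "->", cfg.categorize(host), cfg.evaluate(host))
```

The sample shows the two priorities stacking: games.example.com is "Games" (permit) in the predefined database but "custom1" (block) in the user-defined one, and the user-defined verdict wins; any later attempt to also whitelist "Advertisement" raises, mirroring the single-reference rule.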

Configuring the URL Blacklist

To configure the URL blacklist, take the following steps:

1. Select Object > URL Filtering > URL Blacklist/Whitelist.

2. Select URL Blacklist tab to open the URL blacklist page, which displays all URL categories
that have been added to the URL blacklist and the corresponding URL type and description.

3. Click "+", and select the URL category to add to the URL blacklist.

4. The "URL category" list on the left contains all URL categories that can be referenced (predefined URL DB and user-defined URL DB). You can also click the corresponding icon to create a new URL category. For specific steps, see Configuring User-defined URL DB.

5. To delete a URL category entry from the URL blacklist, select the entry you want to delete in the "URL blacklist" list on the right, and click the delete icon.

6. Click OK.

Configuring the URL Whitelist

To configure the URL whitelist, take the following steps:

1. Select Object > URL Filtering > URL Blacklist/Whitelist.

2. Select URL Whitelist tab to open the URL whitelist page, which displays all URL categories
that have been added to the URL whitelist and the corresponding URL type and description.

3. Click "+", and select the URL category to add to the URL whitelist.

4. The "URL category" list on the left contains all URL categories that can be referenced (predefined URL DB and user-defined URL DB). You can also click the corresponding icon to create a new URL category. For specific steps, see Configuring User-defined URL DB.

5. To delete a URL category entry from the URL whitelist, select the entry you want to delete in the "URL whitelist" list on the right, and click the delete icon.

6. Click OK.

Data Security
This feature may not be available on all platforms. Please check your system's actual page to see if
your device delivers this feature.
The data security function allows you to flexibly configure control rules to comprehensively control and audit user network behavior (by behavior logs and content logs).
Data security can audit and filter the following network behaviors:

Function Description

File filter Checks the files transported through the HTTP(S), FTP, SMTP(S), IMAP(S), POP3(S), and SMB protocols, and controls them according to the file filter rules.

Content filter l File content filter: Detects sensitive keywords carried in the file content of the specified protocol type and file type, and can log or block them.

l Web content: Controls the network behavior of visiting webpages that contain certain keywords, and logs the actions.

l Web posting: Controls the network behavior of posting on websites and posting specific keywords, and logs the posting action and the posted content.

l Email filter: Controls and audits SMTP(S)/POP3(S)/IMAP(S) mails:

l Control and audit all the behaviors of sending emails;

l Control and audit the behaviors of sending emails that contain a specific sender, recipient, keyword or attachment.

l Application behavior control: Controls and audits the actions of HTTP(S), FTP and TELNET applications:

l FTP contents and methods, including Login, Get, and Put;

l HTTP(S) methods, including Connect, Get, Put, Head, Options, Post, and Trace;

l Request content initiated by the TELNET client.

Network Behavior Record Audits the IM application behaviors and records log messages for the access actions.

Configuring Objects
Objects are the items referenced by Content Filter rules. When using the data security function, you need to configure the following objects:

Object Description

Predefined URL DB The predefined URL database includes dozens of categories and tens of millions of URLs, and you can use it to specify the URL category and URL range for the URL category/Web posting functions.

User-defined URL DB The user-defined URL database is defined by yourself, and you can use it to specify the URL category and URL range for the URL category/Web posting functions.

URL Lookup Use the URL lookup function to inquire URL information
from the URL database.

Keyword Cat- Use the keyword category function to view the predefined
egory keyword categories and customize the keyword categories.
You can use it to specify the keyword for the File Content Fil-
ter/Web Content/Web Posting/Email filter/HTTP(S)/FTP
Control functions.

Warning Page Enable or disable the warning page.

l Block warning: When your network access is blocked, a warning page will prompt in the Web browser.

l Audit warning: When your network access is audited, a warning page will prompt in the Web browser.

Bypass Domain Domains that are not controlled by the internet behavior control rules.

Exempt User Users that are not controlled by the internet behavior control
rules.

Predefined URL DB

The system contains a predefined URL database.

Notes: The predefined URL database is license-controlled. Only after a URL license is installed can the predefined URL database be used.

The predefined URL database provides URL categories for the Web content/Web posting configurations. It includes dozens of categories and tens of millions of URLs.
When identifying the URL category of a URL, the user-defined URL database has a higher priority than the predefined URL database.

Configuring Predefined URL Database Update Parameters

By default, the system updates the predefined URL database every day. You can change the update parameters according to your own requirements. Currently, two default update servers are provided: https://update1.hillstonenet.com and https://update2.hillstonenet.com. Besides, you can update the predefined URL database from your local disk.
To change the update parameters:

1. Select System > Upgrade Management > Signature Database Update.

2. In the URL category database update section, you can view the current version of the database, perform the remote update, configure the remote update, and perform the local update.

3. Click the Enable button of Auto Update to enable the automatic update function, and then specify the frequency and time. Click OK to save your settings.

4. Double-click an entry of Update Server to configure the update server URL. Specify the URL or IP address of the update server, and select the virtual router that can connect to the server. To restore the URL settings to the default ones, click Restore Default.

5. Double-click an entry of Proxy Server, then enter the IP addresses and ports of the main proxy server and the backup proxy server. When the device accesses the Internet through an HTTP proxy server, you need to specify the IP address and port number of that HTTP proxy server. With the HTTP proxy server specified, the various signature databases can update normally.

6. Click OK to save the settings.

Upgrading Predefined URL Database Online

To upgrade the URL database online:

1. Select System > Upgrade Management > Signature Database Update.

2. In the URL category database update section, click Update to update the predefined URL
database.

Upgrading Predefined URL Database from Local

To upgrade the predefined URL database from local:

1. Select System > Upgrade Management > Signature Database Update.

2. In the URL category database update section, click Browse to select the URL database file
from your local disk.

3. Click Upload to update the predefined URL database.

User-defined URL DB

Besides the categories in the predefined URL database, you can also create user-defined URL categories, which provide URL categories for the Web content/Web posting configurations. When identifying the URL category, the user-defined URL database has a higher priority than the predefined URL database.
The system provides three predefined URL categories: custom1, custom2, and custom3. You can import your own URL lists into one of these predefined URL categories.

Configuring User-defined URL DB

To configure a user-defined URL category:

1. Select Object > URL Filtering > Profile.

2. At the top-right corner, select Configuration > User-defined URL DB. The User-defined URL DB dialog appears.

3. Click New. The URL Category dialog appears.

4. Type the category name in the Category box. A URL category name cannot consist only of a hyphen (-). You can create at most 16 user-defined categories.

5. Type a URL into the URL http(s):// box.

6. Click Add to add the URL and its category to the table.

7. To edit an existing one, select it and then click Edit. After editing it, click Add to save the
changes.

8. Click OK to save the settings.

Importing User-defined URL

The system supports batch importing user-defined URL lists into the predefined URL categories named custom1/2/3. To import user-defined URLs:

1. Select Object > URL Filter.

2. At the top-right corner, select Configuration > User-defined URL DB. The User-defined URL DB dialog appears.

3. Select one of the predefined URL categories (custom1/2/3), and then click Import.

4. In the Batch Import URL dialog, click the Browse button to select your local URL file. The file must be less than 1 M and contain at most 1000 URLs. A wildcard may be used once, and it must be located at the start of the address.

5. Click OK to finish importing.
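Before importing, a URL list can be pre-checked against the limits in step 4; the checker below is an added example, not StoneOS code. It assumes that "1 M" means 1 MiB and reads the wildcard rule as at most one wildcard per address, placed at its start; the sample lists are constructed.

```python
MAX_BYTES = 1024 * 1024   # "less than 1 M": assumed here to mean 1 MiB
MAX_URLS = 1000           # at most 1000 URLs per import file
WILDCARD = "*"


def parse_url_list(data: bytes) -> list[str]:
    """Split the file into one address per line, ignoring blank lines."""
    text = data.decode("utf-8", errors="replace")
    return [line.strip() for line in text.splitlines() if line.strip()]


def check_url_list(data: bytes) -> list[str]:
    """Return the problems found; an empty list means the file passes every check."""
    problems: list[str] = []
    if len(data) >= MAX_BYTES:
        problems.append(f"file is {len(data)} bytes; must be smaller than {MAX_BYTES}")
    urls = parse_url_list(data)
    if len(urls) > MAX_URLS:
        problems.append(f"{len(urls)} URLs; at most {MAX_URLS} are allowed")
    for lineno, url in enumerate(urls, start=1):
        stars = url.count(WILDCARD)
        if stars > 1:
            # Assumed interpretation: one wildcard per address at most.
            problems.append(f"line {lineno}: more than one wildcard in {url!r}")
        elif stars == 1 and not url.startswith(WILDCARD):
            problems.append(f"line {lineno}: wildcard must be at the start of {url!r}")
        if any(ch.isspace() for ch in url):
            problems.append(f"line {lineno}: whitespace inside {url!r}")
    return problems


# Constructed sample files: a valid list and one with two wildcard mistakes.
GOOD_LIST = b"*.example.test\nwww.example.test/path\nintranet.example.test\n\n"
BAD_LIST = b"www.*.example.test\n*.*.example.test\nexample.test\n"


if __name__ == "__main__":
    for name, data in (("good", GOOD_LIST), ("bad", BAD_LIST)):
        print(name, check_url_list(data) or "OK")
```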

Clearing User-defined URL

To clear the user-defined URLs from the predefined URL category custom1/2/3:

1. Select Object > URL Filter.

2. At the top-right corner, select Configuration > User-defined URL DB. The User-defined URL DB dialog appears.

3. Select one of the predefined URL categories (custom1/2/3), and then click Clear. The URLs in the selected custom1/2/3 category will be cleared from the system.

URL Lookup

You can look up a URL to view its details, including the URL category and the category type.

Inquiring URL Information

To inquire URL information:

1. Select Object > URL Filtering > Profile.
2. At the top-right corner, click Configuration > URL Lookup. The URL Lookup dialog
appears.

3. Type the URL into the Please enter the URL to inquire box.

4. Click Inquire, and the results will be displayed at the bottom of the dialog.

Configuring URL Lookup Servers

The URL lookup server can classify an uncategorized URL (one that is in neither the predefined URL database nor the user-defined URL database) that you have accessed, and then add it to the URL database during the database update. Two default URL lookup servers are provided: url1.hillstonenet.com and url2.hillstonenet.com. By default, the URL lookup servers are enabled.
To configure a URL lookup server:

1. Select Object > URL Filtering > Profile.

2. At the top-right corner, select Configuration > Predefined URL DB. The Predefined URL DB dialog appears.
3. Click Inquiry Server Configuration. The Predefined URL DB Inquiry Server Configuration
dialog appears.

4. In the Inquiry server section, double-click the cell in the IP/Port/Virtual Router column of
Server1/2 and type a new value.

5. Select the check box in the Enable column to enable this URL lookup server.

6. Click OK to save the settings.

Keyword Category

Keyword categories include predefined keyword categories and custom keyword categories, which are used in the URL filtering function. You can use the predefined keyword categories or customize keyword categories as needed. The system provides two predefined keyword categories, predef_cellphone_number (keyword for mobile phone numbers) and predef_mainland_id_card (keyword for ID numbers), which cannot be edited or deleted.
After configuring an internet behavior control rule, the system scans traffic according to the configured keywords and calculates the trust value for the hit keywords. The calculation method is: for each keyword that belongs to the category, multiply its number of occurrences by its trust value, and add up the results. The system then compares the sum with the threshold 100 and performs the following actions according to the comparison result:

• If the sum is larger than or equal to the category threshold (100), the configured category action will be triggered;

• If more than one category action can be triggered and a block action is configured among them, the final action will be Block;

• If more than one category action can be triggered and all the configured actions are Permit, the final action will be Permit.

For example, a web content rule contains two keyword categories: C1 with action block and C2 with action permit. Both C1 and C2 contain the same keywords K1 and K2. The trust values of K1 and K2 in C1 are 20 and 40. The trust values of K1 and K2 in C2 are 30 and 80.
If the system detects 1 occurrence each of K1 and K2 on a web page, then the C1 trust value is 20*1+40*1=60<100, and the C2 trust value is 30*1+80*1=110>100. As a result, the C2 action is triggered and the web page access is permitted.
If the system detects 3 occurrences of K1 and 1 occurrence of K2 on a web page, then the C1 trust value is 20*3+40*1=100, and the C2 trust value is 30*3+80*1=170>100. The conditions for both C1 and C2 are satisfied, but the block action of C1 is triggered, so the web page access is denied.
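The trust-value calculation and the three decision rules above, carried through as an added example (not StoneOS code). Categories C1 and C2 follow the guide's example; the keyword strings, the sample page texts and the "no-match" result when no category reaches the threshold are constructed assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

THRESHOLD = 100  # category threshold stated in the guide


@dataclass
class Keyword:
    pattern: str
    trust: int = 100      # trust value; the guide's default is 100
    regex: bool = False   # matching method: simple (substring) or regular expression


@dataclass
class Category:
    name: str
    action: str           # "block" or "permit"
    keywords: list[Keyword] = field(default_factory=list)


def count_hits(text: str, kw: Keyword) -> int:
    """Number of times a keyword occurs in the scanned content."""
    if kw.regex:
        return len(re.findall(kw.pattern, text))
    return text.count(kw.pattern)


def category_score(text: str, cat: Category) -> int:
    """Sum of (occurrences * trust value) over the category's keywords."""
    return sum(count_hits(text, kw) * kw.trust for kw in cat.keywords)


def evaluate(text: str, categories: list[Category]) -> tuple[str, dict[str, int]]:
    """Apply the guide's three rules; return (final action, per-category scores).

    "no-match" is an assumption (not stated in the guide): no category reached
    the threshold, so no category action is triggered.
    """
    scores = {c.name: category_score(text, c) for c in categories}
    triggered = [c for c in categories if scores[c.name] >= THRESHOLD]
    if not triggered:
        return "no-match", scores
    # A block action among the triggered categories wins over any permit.
    if any(c.action == "block" for c in triggered):
        return "block", scores
    return "permit", scores


# Constructed categories mirroring the guide's C1/C2 example: the same two
# keywords (here "casino" and "wager") with different trust values per category.
C1 = Category("C1", "block", [Keyword("casino", 20), Keyword("wager", 40)])
C2 = Category("C2", "permit", [Keyword("casino", 30), Keyword("wager", 80)])
RULE_CATEGORIES = [C1, C2]

# Constructed page texts: one occurrence of each keyword, then 3x K1 + 1x K2.
PAGE_ONE_EACH = "The casino opened a new wager desk."
PAGE_THREE_K1 = "casino, casino, casino: place your wager here"


if __name__ == "__main__":
    for page in (PAGE_ONE_EACH, PAGE_THREE_K1):
        action, scores = evaluate(page, RULE_CATEGORIES)
        print(f"{scores} -> {action}")
```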

Configuring a Keyword Category

To configure a keyword category:

1. Select Object > URL Filtering > Profile.

2. At the top-right corner, select Configuration > Keyword Category. The Keyword Category page appears.

3. The Keyword Category page displays the predefined keyword categories and the custom keyword categories you have created.
4. Click New. The Keyword Category Configuration page appears.

5. Type the category name.

6. Click New. In the slide area, specify the keyword, character matching method (sim-
ple/regular expression), and trust value (100 by default).

7. Click Add to add the keyword to the list below.

8. Repeat the above steps to add more keywords.

9. To delete a keyword, select the keyword you want to delete from the list and click Delete.

10. Click OK to save your settings.

Warning Page

The warning page shows the user block information and user audit information. You can enable or disable the warning page as needed.
The warning page includes the predefined warning page and the user-defined warning page.

• Predefined warning page: Displays the predefined warning content, including prompt information and warning reasons.

• User-defined warning page: You can customize the warning page with custom warning information and pictures. For details, please refer to "Warning Page Management" on Page 1275.

Enabling/Disabling the Block Warning

The block warning is disabled by default. If internet behavior is blocked by the internet behavior control function, Internet access will be denied. An Access Denied message will be shown in your browser, and some web surfing rules will be shown to you on the warning page at the same time. The predefined warning page is shown below:

After enabling the block warning function, block warning information will be shown in the
browser when one of the following actions is blocked:

• Visiting a web page that contains a certain type of keyword category

• Posting information to a certain type of website or posting a certain type of keywords

• HTTP actions of Connect, Get, Put, Head, Options, Post, and Trace.

To enable or disable the block warning:

1. Select Object > URL Filtering > Profile.

2. At the top-right corner, select Configuration > Warning Page. The Warning Page dialog appears.

3. In the Block Warning section, select Enable. To disable this function, unselect the Enable check box.

     • If the user-defined warning page is not configured, the predefined warning page will be used.

     • If the user-defined warning page is configured and enabled, the user-defined warning page will be used.
   For details, please refer to "Warning Page Management" on Page 1275.

4. Click OK to save the settings.

Enabling/Disabling the Audit Warning

The audit warning function is disabled by default. After enabling the audit warning function, when
your internet behavior matches the configured internet behavior rules, your HTTP request will be
redirected to a warning page, on which the audit and privacy protection information is displayed.
See the picture below:

To enable or disable the audit warning function:

1. Select Object > Data Security > Content Filter > Web Content/Web Posting/Email Filter/HTTP/FTP Control.

2. At the top-right corner, select Configuration > Warning Page. The Warning Page dialog appears.

3. In the Audit Warning section, select Enable. To disable this function, unselect the Enable check box.

     • If the user-defined warning page is not configured, the predefined warning page will be used.

     • If the user-defined warning page is configured and enabled, the user-defined warning page will be used.
   For details, please refer to "Warning Page Management" on Page 1275.

4. Click OK to save the settings.

Bypass Domain

Regardless of internet behavior control rules, requests to the specified bypass domains will be
allowed unconditionally.
To configure a bypass domain:

1. Select Object > Data Security > Content Filter > Web Content/Web Posting/Email Filter/HTTP/FTP Control.

2. At the top-right corner, select Configuration > Bypass Domain. The Bypass Domain dialog appears.

3. Click New. In the text box, type the domain name. The domain name will be added to the system and displayed in the bypass domain list.
system and displayed in the bypass domain list.

4. Click OK to save the settings.

Exempt User

The Exempt User function is used to specify the users who will not be controlled by the internet behavior control rules. The system supports the following types of exempt user: IP, IP range, role, user, user group, and address entry.
To configure an exempt user:

1. Select Object > Data Security > Content Filter > Web Content/Web Posting/Email Filter/HTTP/FTP Control.

2. At the top-right corner, select Configuration > Exempt User. The Exempt User dialog appears.
3. Select the type of the user from the Type drop-down list.

4. Configure the corresponding options.

5. Click Add. The user will be added to the system and displayed in the exempt user list.

6. Click OK to save the settings.

File Filter
The file filter function checks the files transported through the HTTP(S), FTP, SMTP(S), IMAP(S), POP3(S) and SMB protocols and controls them according to the file filter rules.

• Checks and controls the files transported through the GET and POST methods of HTTP(S), FTP, SMTP(S), IMAP(S), SMB, and POP3(S).

• Supports file type filter conditions.

• Supports block, log, and permit actions.

After you bind the file filter profile to a policy rule, the system will process the traffic that
matches the rule according to the profile.

Creating File Filter Rule

Use the file filter rule to specify the protocol that you want to check, the filter conditions, and the
actions.
To create a file filter rule:

1. Select Object > Data Security > File Filter.

2. Click New.

3. In the dialog box, enter values.

Option                 Description
Name                   Specifies the name of the file filter rule.
Description            Specifies the description of the file filter rule.
Filter Rule
ID                     The ID of the file filter rule item. There can be up to 8 items in each file filtering rule. Click the + button to add a file filter rule item. If one filter rule item is configured with the block action and the file happens to match this rule, the system will block the uploading/downloading of this file.
Minimum File Size      When the size of the transported file reaches the specified file size, the system will trigger the actions. The range is from 1 to 512,000. The unit is KB.
File Type              Specifies the file type. Click on the column's cells and select from the drop-down menu. You can specify more than one file type. To control file types that are not supported, you can use the UNKNOWN type. When the transmitted file is of a specified type, the system will trigger the actions. The file filter function can identify the following file types: 7Z, AI, APK, ASF, AVI, BAT, BMP, CAB, CATPART, CDR, CIN, CLASS, CMD, CPL, DLL, DOC, DOCX, DPX, DSN, DWF, DWG, DXF, EDIT, EMF, EPS, EPUB, EXE, EXR, FLA, FLV, GDS, GIF, GZ, HLP, HTA, HTML, IFF, ISO, JAR, JPG, KEY, LNK, LZH, MA, MB, MDB, MDI, MIF, MKV, MOV, MP3, MP4, MPEG, MPKG, MSI, NUMBERS, OCX, PAGES, PBM, PCL, PDF, PGP, PIF, PL, PNG, PPT, PPTX, PSD, RAR, REG, RLA, RMVB, RPF, RTF, SGI, SH, SHK, STP, SVG, SWF, TAR, TDB, TIF, TORRENT, TXT, VBE, WAV, WEBM, WMA, WMF, WMV, WRI, WSF, XLS, XLSX, XML, XPM, ZIP, BZ2, UNKNOWN
Protocol               Specifies the protocols. http-get checks the files transported through the GET method of HTTP; http-post checks the files transported through the POST method of HTTP; ftp checks the files transported through FTP; smtp checks the files transported through SMTP; imap checks the files transported through IMAP; pop3 checks the files transported through POP3. You can specify more than one protocol type. This option is required.
Action                 Specifies the action to control the files that match the filter conditions. You can specify block or log. This option is required.

4. Click OK.

Viewing File Filter Logs

To view the file filter logs, refer to "File Filter Log" on Page 1176.

Content Filter
This feature may not be available on all platforms. Please check your system's actual page to see if your device delivers this feature.
Includes:

• "File Content Filter" on Page 725: Detects and controls the behavior of sensitive keywords carried in the file content of the specified transmission protocol type and file type.

• "Web Content" on Page 730: Controls the network behavior of visiting webpages that contain certain keywords, and logs the actions.

• "Web Posting" on Page 736: Controls the network behavior of posting on websites and posting specific keywords, and logs the posting action and posted content.

• "Email Filter" on Page 742: Controls and audits SMTP(S)/POP3(S)/IMAP(S) mails:

    • Control and audit all the behaviors of sending emails.

    • Control and audit the behaviors of sending emails that contain a specific sender, recipient, keyword or attachment.

• "APP Behavior Control" on Page 747: Controls and audits the actions of HTTP(S) and FTP applications:

    • FTP methods, including Login, Get, and Put.

    • HTTP(S) methods, including Connect, Get, Put, Head, Options, Post, Delete and Trace.

    • Request content initiated by the TELNET client.

File Content Filter

The file content filtering function can detect sensitive keywords carried in the file content of the specified protocol type and file type, and can log or block them. For example, the content of doc-type files downloaded through the HTTP protocol is scanned, and log information is recorded for the files whose content contains mobile phone number keywords.

Configuring File Content Filter

Configuring file content filter contains two parts:

• Create a file content filter rule

• Bind a file content filter rule to a security zone or policy rule.

Part 1: Creating a file content filter rule

1. Select Object > Data Security > Content Filter > File Content Filter.

2. Click New.

In the File Content Filter Configuration dialog box, enter values.

Option                 Description
Name                   Specifies the rule name.
File Type              Specifies the file type. Click the button and select the file type in the File Type page; you can specify one or more file types. Currently supported file types are: txt, doc, docx, ppt, pptx, xls, xlsx.
Protocol Type          Specifies the detected file transfer protocol and direction. Click the Enable button after the specified protocol type, and select the detection direction from the drop-down list. The HTTP, FTP, and SMB protocols support Download, Upload, and Bidirectional; the SMTP protocol only supports Upload; the POP3 and IMAP protocols only support Download.
Specific Keyword       Specifies the keyword category for filtering and the action.
                         1. All predefined keyword categories and custom keyword categories are displayed in this list.
                         2. Select the control action in the Action drop-down list: None, Log Only, or Block (block and record log).
                         3. Click New to configure the keywords that need to be controlled in the Keyword Category Configuration page. For more information about keyword categories, see "Configuring Objects" on Page 706.

3. Click OK.

Part 2: Binding a file content filter rule to a security zone or security policy rule
The file content filter configurations are based on security zones or policies.

• If a security zone is configured with the file content filter function, the system performs detection on the traffic destined to the binding zone specified in the rule, and then acts as you specified.

• If a policy rule is configured with the file content filter function, the system performs detection on the traffic that matches the policy rule you specified, and then responds.

• If both are specified, the threat protection configurations in a policy rule take precedence over those in a zone rule, and the file content filter configurations in a destination zone take precedence over those in a source zone.

To realize the zone-based file content filter:

1. Create a zone. For more information about how to create, refer to "Security Zone" on Page
85.

2. In the Zone Configuration dialog, click Data Security .

3. Enable the File Content Filter, and select a file content filter rule from the profile drop-down list below; or you can click from the profile drop-down list below to create a file content filter rule, see Configuring File Content Filter.

4. Click OK to save the settings.

To realize the policy-based file content filter:

1. Configure a security policy rule. See "Configuring a Security Policy Rule" on Page 789.

2. Click Data Security to expand the option, click the Enable button of File Content Filter.

3. From the Profile drop-down list, select a file content filter rule. You can also click to create a new file content filter rule.

4. Click OK to save the settings.
Viewing Monitored Results of Keyword Blocking in File Content

If you have configured a file content filter with keyword blocking, you can view the monitored results of blocking those words.
Select Monitor > Keyword Block > File Content to see the monitored results. For more about monitoring, refer to File Content.

Viewing Logs of Keyword Blocking in File Content

To see the system logs of keyword blocking in file content, please refer to the "Content Filter
Log" on Page 1177.

Web Content

The web content function is designed to control the network behavior of visiting the websites
that contain certain keywords. For example, you can configure to block the access to website that
contains the keyword "gamble", and record the access action and website information in the log.

Configuring Web Content

Configuring Web Content contains two parts:

• Create a Web Content rule

• Bind a Web Content rule to a security zone or policy rule

Part 1: Creating a web content rule

1. Select Object > Data Security > Content Filter > Web Content.

2. Click New.

In the Web Content Rule Configuration dialog box, enter values.

Option                 Description
Name                   Specifies the rule name.
Posting information    Defines the action when a keyword is matched.
with specific keyword    • New: Creates new keyword categories. For more information about keyword categories, see "Configuring Objects" on Page 706.
                         • Edit: Edits the selected keyword category.
                         • Keyword category: Shows the names of the configured keyword categories.
                         • Block: Select the check box to block the web pages containing the corresponding keywords.
                         • Log: Select the check box to record log messages when visiting the web pages containing the corresponding keywords.
                         • Record contents: Select the check box to record the keyword context. This option is available only when the device has a storage medium (SD card, U disk, or storage module provided by Hillstone) with the NBC license installed.
Control Range          Specifies the coverage of this rule. By default, the rule applies to all websites.
                         1. Click Control Range.
                         2. Select or unselect the websites you want to monitor and control.
                         3. Click OK.

3. Click OK.

Part 2: Binding a Web Content rule to a security zone or security policy rule
The Web content configurations are based on security zones or policies.

• If a security zone is configured with the Web content function, the system performs detection on the traffic destined to the binding zone specified in the rule, and then acts as you specified.

• If a policy rule is configured with the Web content function, the system performs detection on the traffic that matches the policy rule you specified, and then responds.

• If both are specified, the threat protection configurations in a policy rule take precedence over those in a zone rule, and the Web content configurations in a destination zone take precedence over those in a source zone.

To realize the zone-based Web Content:

1. Create a zone. For more information about how to create, refer to "Security Zone" on Page
85.

2. In the Zone Configuration dialog, click Data Security to expand the option.

3. Enable the Web content, and select a Web content rule from the profile drop-down list below; or you can click from the profile drop-down list below to create a Web content rule, see Creating a Web content rule.

4. Click OK to save the settings.

To realize the policy-based Web content:

1. Configure a security policy rule. See "Configuring a Security Policy Rule" on Page 789.

2. Click Data Security to expand the option, then click the Enable button of Web Content.

3. From the Profile drop-down list, select a Web Content rule. You can also click to create a new Web Content rule.

4. Click OK to save the settings.

If necessary, you can configure some additional features by going to the top-right corner and clicking Configuration.

Option                 Description
Predefined URL DB      The predefined URL database includes dozens of categories and tens of millions of URLs. You can use it to specify the URL category and URL range for the URL category/Web posting functions.
User-defined URL DB    The user-defined URL database is defined by yourself. You can use it to specify the URL category and URL range for the URL category/Web posting functions.
URL Lookup             Use the URL lookup function to inquire URL information from the URL database.
Warning Page             • Block warning: When your network access is blocked, you will be prompted with a warning page in the Web browser.
                         • Audit warning: When your network access is audited, you will be prompted with a warning page in the Web browser.
Bypass Domain          Domains that are not controlled by the internet behavior control rules.
User Exception         Users that are not controlled by the internet behavior control rules.

Notes:
• To ensure you have the latest URL database, it is better to update your database first. Refer to "Configuring Objects" on Page 706.

• You can export logs to a designated destination. Refer to "Log Configuration" on Page 1179.

• By default, a rule will immediately take effect after you click OK to complete the configuration.

Viewing Monitored Results of Keyword Blocking in Web Content

If you have configured a web content rule with keyword blocking, you can view the monitored results of blocking those words.
Select Monitor > Keyword Block > Web Content to see the monitored results. For more about monitoring, refer to "Web Content" on Page 1121.

Viewing Logs of Keyword Blocking in Web Content

To see the system logs of keyword blocking in web content, please refer to the "Content Filter
Log" on Page 1177.

Web Posting

The web posting function can control the network behavior of posting on websites and posting
specific keywords, and can log the posting action and posting content. For example, forbid the
users to post information containing the keyword X, and record the action log.

Configuring Web Posting

Configuring Web Posting contains two parts:

• Create a web posting rule

• Bind a web posting rule to a security zone or policy rule

Part 1: Creating a web posting rule

1. Select Object > Data Security > Content Filter > Web Posting.

2. Click New.

In the Web Posting Rule Configuration dialog, enter values.

Option                 Description
Name                   Specifies the rule name.
All posting            The action applies to all web posting content.
information              • Block: Select to block all web posting behaviors.
                         • Record Log: Select to record all logs about web posting.
Posting information    Controls the action of posting specific keywords. The options are:
with specific keyword    • New: Creates new keyword categories. For more information about keyword categories, see "Keyword Category" on Page 713.
                         • Edit: Edits the selected keyword category.
                         • Keyword category: Shows the names of the configured keyword categories.
                         • Block: Blocks the posting action of the corresponding keywords.
                         • Log: Records log messages when posting the corresponding keywords.
Control Range          Specifies the coverage of this rule. By default, the rule applies to all websites.
                         1. Click Control Range.
                         2. Select or unselect the websites you want to monitor and control.
                         3. Click OK.

3. Click OK.

Part 2: Binding a Web Posting rule to a security zone or security policy rule
The web posting configurations are based on security zones or policies.

• If a security zone is configured with the web posting function, the system performs detection on the traffic destined to the binding zone specified in the rule, and then acts as you specified.

• If a policy rule is configured with the web posting function, the system performs detection on the traffic that matches the policy rule you specified, and then responds.

• If both are specified, the threat protection configurations in a policy rule take precedence over those in a zone rule, and the web posting configurations in a destination zone take precedence over those in a source zone.

To realize the zone-based web posting:

1. Create a zone. For more information about how to create, refer to "Security Zone" on Page
85.

2. In the Zone Configuration dialog, select the Data Security tab.

3. Enable the threat protection you need, and select a web posting rule from the profile drop-down list below; or you can click Add Profile in the profile drop-down list below to create a web posting rule, see Creating a web posting rule.

4. Click OK to save the settings.

To realize the policy-based web posting:

1. Configure a security policy rule. See "Configuring a Security Policy Rule" on Page 789.

2. In the Data Security tab, select the Enable check box of web posting.

3. From the Profile drop-down list, select a web posting rule. You can also click Add Profile to
create a new web posting rule.

4. Click OK to save the settings.

If necessary, you can configure some additional features by going to the top-right corner and clicking Configuration.

Option                 Description
Predefined URL DB      The predefined URL database includes dozens of categories and tens of millions of URLs. You can use it to specify the URL category and URL range for the URL category/Web posting functions.
User-defined URL DB    The user-defined URL database is defined by yourself. You can use it to specify the URL category and URL range for the URL category/Web posting functions.
URL Lookup             Use the URL lookup function to inquire URL information from the URL database.
Warning Page             • Block warning: When your network access is blocked, you will be prompted with a warning page in the Web browser.
                         • Audit warning: When your network access is audited, you will be prompted with a warning page in the Web browser.
Bypass Domain          Domains that are not controlled by the internet behavior control rules.
User Exception         Users that are not controlled by the internet behavior control rules.

Notes:
• To ensure you have the latest URL database, it is better to update your database first. Refer to "Configuring Objects" on Page 706.

• If there is an action conflict between the setting for "all websites" and the setting for "specific keywords", then when traffic matches both rules, the "deny" action prevails.

• You can export logs to a designated destination. Refer to "Log Configuration" on Page 1179.

• By default, a rule will immediately take effect after you click OK to complete the configuration.

Viewing Monitored Results of Keyword Blocking in Web Posts

If you have configured web posting rule with keyword blocking, you can view the monitored res-
ults of blocking those words.
Select Monitor > Keyword Block > Web Posting, you will see the monitored results. For more
about monitoring, refer to "Keyword Block" on Page 1120.

Viewing Logs of Keyword Blocking in Web Posts

To see the system logs of keyword blocking in web posts, please refer to the "Content Filter Log"
on Page 1177.

Email Filter

The email filter function controls email sending according to the sender, recipient, email content and attachment, and records log messages for the sending actions. Both SMTP(S)/POP(S)/IMAP(S) emails and web mails can be controlled.

Configuring Email Filter

Configuring the email filter consists of two parts:

• Create an email filter rule

• Bind the email filter rule to a security zone or policy rule

Part 1: Creating an email filter rule

1. Select Object > Data Security > Content Filter > Email Filtering Log.

2. Click New.

In the dialog box, enter values.

Name: Specifies the rule name.

Control Type:
All emails - This option applies to all outgoing emails.
• Record Log - Select this check box if you want all emails to be logged.

Specific mail items - This option applies to specific mail items. To configure the email sender:
1. Click Sender.
2. In the prompt, enter the sender's email address.
3. Click Add.
4. Select whether to block the sender or only keep a record.
5. Click OK.

To configure the email recipient:
1. Click Recipient.
2. In the prompt, enter the recipient's email address.
3. Click Add.
4. Select whether to block the recipient or only keep a record.
5. Click OK.

To configure the email content keywords:

Other emails: Select an action for emails other than those added above.

Exempt Email:
To configure mail addresses that are not subject to the email filter:
1. Click Exempt Email.
2. In the prompt, enter the email addresses that are exempt from the email filter.
3. Click Add; you can add more.
4. Click OK.

Part 2: Binding an email filter rule to a security zone or security policy rule
The email filter configurations are based on security zones or policies.

• If a security zone is configured with the email filter function, the system performs detection on the traffic destined to the zone bound in the rule, and then acts according to what you specified.

• If a policy rule is configured with the email filter function, the system performs detection on the traffic that matches the policy rule you specified, and then responds.

• The threat protection configurations in a policy rule take precedence over those in a zone rule if both are specified, and the email filter configurations in a destination zone take precedence over those in a source zone if both are specified.

To realize the zone-based email filter:

1. Create a zone. For more information about how to create one, refer to "Security Zone" on Page 85.

2. In the Zone Configuration dialog, select the Threat Protection tab.

3. Enable the threat protection you need, and select an email filter rule from the profile drop-down list below; or click Add Profile in the profile drop-down list to create an email filter rule, see Creating an email filter rule.

4. Click OK to save the settings.

To realize the policy-based email filter:

1. Configure a security policy rule. See "Configuring a Security Policy Rule" on Page 789.

2. In the Protection tab, select the Enable check box of email filter.

3. From the Profile drop-down list, select an email filter rule. You can also click Add Profile to create a new email filter rule.

4. Click OK to save the settings.

If needed, you can also configure SSL proxy, keyword category, warning page, bypass domain and exempt user.
To configure those features, click Configuration in the top right corner of the Email Filtering Log list page.

Keyword Category: Use the keyword category function to customize keyword categories. You can use it to specify the keywords for the URL category/Web posting/email filter functions.

Warning Page:
• Block warning: When your network access is blocked, you will be prompted with a warning page in the Web browser.
• Audit warning: When your network access is audited, you will be prompted with a warning page in the Web browser.

Bypass Domain: Domains that are not controlled by the internet behavior control rules.

Exempt User: Users that are not controlled by the internet behavior control rules.

Notes:
• If an email filter rule has Audit/Block configured for all three of sender, recipient and email content, the rule takes effect when any one of them is hit.

• You can export logs to a designated destination. Refer to "Log Configuration" on Page 1179.

• By default, a rule takes effect immediately after you click OK to complete the configuration.
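The rule shape above (sender, recipient and content keyword entries that each carry a Block or Log action, an "other emails" default, and an exempt address list, where any single hit is enough for the rule to apply) can be modelled in a few lines. The following is an added illustration, not StoneOS code; the rule, addresses and messages are constructed, and the tie-break when hits disagree (Block outranks Log, mirroring the deny-prevails note for web posting) is an assumption the page does not state.

```python
"""Evaluate an outgoing email against an email filter rule of the shape described
in the option table above. Added illustration, not StoneOS code."""
from dataclasses import dataclass, field

BLOCK, LOG, PERMIT = "block", "log", "permit"


@dataclass
class EmailFilterRule:
    name: str
    senders: dict = field(default_factory=dict)     # address -> BLOCK or LOG
    recipients: dict = field(default_factory=dict)  # address -> BLOCK or LOG
    keywords: dict = field(default_factory=dict)    # keyword -> BLOCK or LOG
    other_emails: str = PERMIT                      # action for mail that hits no entry
    exempt: set = field(default_factory=set)        # addresses the rule does not apply to


@dataclass
class Verdict:
    action: str
    reasons: list


def _norm(addr: str) -> str:
    return addr.strip().lower()


def evaluate(rule: EmailFilterRule, sender: str, recipients: list, subject: str, body: str) -> Verdict:
    sender = _norm(sender)
    # Exempt addresses are outside the filter: an exempt sender is never checked,
    # and exempt recipients are dropped before the recipient entries are consulted.
    if sender in rule.exempt:
        return Verdict(PERMIT, ["exempt sender"])
    recipients = [r for r in (_norm(r) for r in recipients) if r not in rule.exempt]
    if not recipients:
        return Verdict(PERMIT, ["all recipients exempt"])

    hits = []  # (action, reason) for every entry the mail matches
    if sender in rule.senders:
        hits.append((rule.senders[sender], f"sender {sender}"))
    for r in recipients:
        if r in rule.recipients:
            hits.append((rule.recipients[r], f"recipient {r}"))
    text = (subject + "\n" + body).lower()
    for kw, act in rule.keywords.items():
        if kw.lower() in text:
            hits.append((act, f"keyword {kw!r}"))

    if not hits:
        return Verdict(rule.other_emails, ["no sender/recipient/keyword entry hit"])
    # One hit is enough for the rule to apply. Assumption: when the hits disagree,
    # Block outranks Log, mirroring the deny-prevails note for web posting.
    action = BLOCK if any(a == BLOCK for a, _ in hits) else LOG
    return Verdict(action, [why for _, why in hits])


# Constructed sample rule for a stand-alone run (addresses are made up).
SAMPLE_RULE = EmailFilterRule(
    name="outbound-dlp",
    senders={"temp.contractor@example.com": BLOCK},
    recipients={"partner@example.net": LOG},
    keywords={"confidential": BLOCK},
    other_emails=PERMIT,
    exempt={"legal@example.com"},
)

if __name__ == "__main__":
    for s, r, subj in [
        ("temp.contractor@example.com", ["anyone@example.org"], "hello"),
        ("alice@example.com", ["partner@example.net"], "weekly sync"),
        ("alice@example.com", ["partner@example.net"], "Confidential roadmap"),
        ("legal@example.com", ["partner@example.net"], "Confidential contract"),
    ]:
        v = evaluate(SAMPLE_RULE, s, r, subj, "")
        print(f"{s} -> {r}: {v.action} ({', '.join(v.reasons)})")
```

The `reasons` list is what an operator wants in the content filter log: it records which entry (sender, recipient or keyword) fired, so a blocked message can be traced back to the rule entry that caused it.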

Viewing Monitored Results of Email Keyword Blocking

If you have configured an email filter with keyword blocking, you can view the monitored results of blocking those words.
Select Monitor > Keyword Block > Email Content to see the monitored results. For more about monitoring, refer to "Email Content" on Page 1122.

Viewing Logs of Email Keyword Blocking

To see the system logs of email keyword blocking, refer to the "Content Filter Log" on Page 1177.

APP Behavior Control

The APP behavior control function controls and audits (records log messages for) the actions of FTP, HTTP(S) and TELNET applications, including:

• Controlling and auditing FTP content and the Login, Get, and Put actions;

• Controlling and auditing the Connect, Get, Put, Head, Options, Post, Trace and Delete actions of HTTP(S);

• Controlling and auditing the request content initiated by a TELNET client.

Configuring APP Behavior Control

Configuring behavior control consists of two parts:

• Creating an application behavior control rule

• Binding the application behavior control rule to a security zone or policy rule

Part 1: Creating an APP behavior control rule

1. Select Object > Data Security > Content Filter > APP Behavior Control.

2. Click New.

In the APP Control Rule Configuration dialog box, enter values.

Name: Specifies the rule name.

Action:

FTP
Content: Controls the FTP content. If the content matches the specified keyword categories, the system executes the specified action, Block or Log. Expand Content, and configure the control options.
• New: Click the button to create a keyword category. For how to create the category, refer to the Keyword Category of Configuring Objects.
• Edit: Select one keyword category from the list and edit it.
• Keyword Category: Displays the keyword categories in the system.
• Block: Select the check box to block FTP content matching the keyword category.
• Log: Select the check box to record logs when the FTP content matches the keyword category.

Command: Controls the FTP methods, including Login, Get, and Put. Expand Command, and configure the control options.
1. From the first drop-down list, select the method to be controlled: GET, PUT, or Login.
2. Type the file name (for GET or PUT) or the user name (for Login) into the next box.
3. From the second drop-down list, select the action: Block or Permit.
4. From the third drop-down list, specify whether to record log messages.
5. Click Add.
Repeat Steps 1 to 5 to add more control entries. To edit or delete a control entry, select the entry from the list, and then click Edit or Delete.

HTTP
Command: Controls the HTTP(S) methods, including Connect, GET, PUT, Head, Options, Post, Trace, and Delete. Expand HTTP(S), and configure the HTTP(S) control options.
1. From the first drop-down list, select the method to be controlled: Connect, GET, PUT, Head, Options, Post, Trace, or Delete.
2. Type the domain name into the next box.
3. From the second drop-down list, select the action: Block or Permit.
4. From the third drop-down list, specify whether to record log messages.
5. Click Add.
Repeat Steps 1 to 5 to add more control entries. To edit or delete a control entry, select the entry from the list, and then click Edit or Delete.

TELNET
Content: Controls the request content initiated by the TELNET client. If the content matches the specified keyword categories, the system executes the specified action, Block or Log. Expand Content, and configure the control options.
• New: Click the button to create a keyword category. For how to create the category, refer to the Keyword Category of Configuring Objects.
• Edit: Select one keyword category from the list and edit it.
• Keyword Category: Displays the keyword categories in the system.
• Block: Select the check box to block request content matching the keyword category.
• Log: Select the check box to record logs when the request content matches the keyword category.

3. Click OK.

Part 2: Binding an APP behavior control rule to a security zone or security policy rule
The APP behavior control configurations are based on security zones or policies.

• If a security zone is configured with the APP behavior control function, the system performs detection on the traffic destined to the zone bound in the rule, and then acts according to what you specified.

• If a policy rule is configured with the APP behavior control function, the system performs detection on the traffic that matches the policy rule you specified, and then responds.

• The threat protection configurations in a policy rule take precedence over those in a zone rule if both are specified, and the APP behavior control configurations in a destination zone take precedence over those in a source zone if both are specified.

To realize the zone-based APP behavior control:

1. Create a zone. For more information about how to create one, refer to "Security Zone" on Page 85.

2. In the Zone Configuration dialog, select the Data Security tab.

3. Enable the threat protection you need, and select an APP behavior control rule from the profile drop-down list below; or click Add Profile in the profile drop-down list to create an APP behavior control rule, see Creating an APP behavior control rule.

4. Click OK to save the settings.

To realize the policy-based APP behavior control:

1. Configure a security policy rule. See "Configuring a Security Policy Rule" on Page 789.

2. In the Data Security tab, select the Enable check box of APP behavior control.

3. From the Profile drop-down list, select an APP behavior control rule. You can also click Add Profile to create a new APP behavior control rule.

4. Click OK to save the settings.

If necessary, you can configure some additional features by going to the top right corner and clicking Configuration.

Predefined URL database: The predefined URL database includes dozens of categories and tens of millions of URLs. You can use it to specify the URL category and URL range for the URL category/Web posting functions.

User-defined URL database: The user-defined URL database is defined by yourself. You can use it to specify the URL category and URL range for the URL category/Web posting functions.

URL lookup: Use the URL lookup function to query URL information from the URL database.

Keyword category: Customizes keyword categories as needed.

Warning Page:
• Block warning: When your network access is blocked, you will be prompted with a warning page in the Web browser.
• Audit warning: When your network access is audited, you will be prompted with a warning page in the Web browser.

Bypass Domain: Domains that are not controlled by the internet behavior control rules.

Exempt User: Users that are not controlled by the internet behavior control rules.

Notes:
• You can export logs to a designated destination. Refer to "Log Configuration" on Page 1179.

• By default, a rule takes effect immediately after you click OK to complete the configuration.

Viewing Logs of APP Behavior Control

To see the system logs of APP behavior control, refer to the "Content Filter Log" on Page 1177.

Network Behavior Record
The network behavior record function audits the behaviors of IM applications and records log messages for the access actions, including:

• Auditing QQ, WeChat and Sina Weibo user behaviors.

• Logging the access behaviors.

Configuring Network Behavior Recording

Configuring network behavior record consists of two parts:

• Create a network behavior record rule

• Bind the network behavior record rule to a security zone or policy rule

Part 1: Creating a NBR rule

1. Select Object > Data Security > Network Behavior Record.

2. Click New.

In the Network Behavior Record Configuration dialog box, enter values.


Name: Specifies the rule name.

IM

QQ: To audit QQ behavior:
1. Select the QQ check box.
2. Timeout: Specifies the timeout value, in minutes. The default value is 10. During the timeout period, IM user traffic of the same UID does not trigger new logs; once the timeout is reached, new logs are triggered again.

WeChat: To audit WeChat behavior:
1. Select the WeChat check box.
2. Timeout: Specifies the timeout value, in minutes. The default value is 20. During the timeout period, IM user traffic of the same UID does not trigger new logs; once the timeout is reached, new logs are triggered again.

Sina Weibo: To audit Sina Weibo behavior:
1. Select the Sina Weibo check box.
2. Timeout: Specifies the timeout value, in minutes. The default value is 20. During the timeout period, IM user traffic of the same UID does not trigger new logs; once the timeout is reached, new logs are triggered again.

Web Surfing Record

URL Log: Logs the GET and POST methods of HTTP.
• Get: Records logs for GET methods.
• Post: Records logs for POST methods.

POST Content: Records the posted content.

3. Click OK.
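The Timeout option above is a per-UID log throttle: the first sighting of a UID writes a log, further traffic from the same UID inside the window is silent, and the next log is written once the window has expired. The block below replays constructed sample traffic through such a throttle using the default timeouts from the table (QQ 10 minutes, WeChat and Sina Weibo 20 minutes). It is an added example, not StoneOS code; whether traffic inside the window extends it is not stated on the page, so the window here restarts only when a log is actually written.

```python
"""Per-UID log throttling with a timeout, the behaviour the Timeout option
above describes. Added example, not StoneOS code. Assumption: traffic seen
inside the timeout window does not extend it; the window restarts when the
next log is emitted after the timeout has been reached."""


class UidLogThrottle:
    def __init__(self, timeout_minutes: int):
        self.timeout = timeout_minutes * 60   # the UI takes minutes; we work in seconds
        self._last_logged = {}                 # uid -> time the last log was written

    def should_log(self, uid: str, now: float) -> bool:
        last = self._last_logged.get(uid)
        if last is not None and now - last < self.timeout:
            return False                       # same UID inside the timeout period: no new log
        self._last_logged[uid] = now           # first sighting, or timeout reached: log and restart
        return True


def replay(events, timeouts):
    """events: (timestamp_seconds, app, uid, description) tuples in any order.
    timeouts: app -> timeout in minutes. Returns the log lines that would be written."""
    throttles = {app: UidLogThrottle(minutes) for app, minutes in timeouts.items()}
    lines = []
    for ts, app, uid, desc in sorted(events):
        if throttles[app].should_log(uid, ts):
            lines.append(f"t={ts:>5}s {app} uid={uid} {desc}")
    return lines


# Default timeouts from the option table: QQ 10 minutes, WeChat and Sina Weibo 20 minutes.
DEFAULT_TIMEOUTS = {"QQ": 10, "WeChat": 20, "Sina Weibo": 20}

# Constructed sample traffic (timestamps in seconds since capture start).
SAMPLE_EVENTS = [
    (0, "QQ", "1001", "login"),
    (120, "QQ", "1001", "message"),       # 2 min later: suppressed
    (700, "QQ", "1001", "message"),       # 11 min 40 s later: logged again
    (30, "WeChat", "wx_a", "login"),
    (900, "WeChat", "wx_a", "message"),   # 14.5 min later: suppressed (20 min window)
    (1300, "WeChat", "wx_a", "message"),  # 21 min 10 s later: logged again
    (40, "QQ", "1002", "login"),          # different UID: its own window
]

if __name__ == "__main__":
    print("\n".join(replay(SAMPLE_EVENTS, DEFAULT_TIMEOUTS)))
```

Running the sample yields five log lines out of seven events; the two suppressed events are the ones that fall inside a UID's window. A longer timeout means fewer log entries but a coarser audit trail, which is the trade-off the Timeout value sets.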

Part 2: Binding a network behavior record rule to a security zone or security policy rule
The network behavior record configurations are based on security zones or policies.

• If a security zone is configured with the network behavior record function, the system performs detection on the traffic destined to the zone bound in the rule, and then acts according to what you specified.

• If a policy rule is configured with the network behavior record function, the system performs detection on the traffic that matches the policy rule you specified, and then responds.

• The threat protection configurations in a policy rule take precedence over those in a zone rule if both are specified, and the network behavior record configurations in a destination zone take precedence over those in a source zone if both are specified.

To realize the zone-based network behavior record:

1. Create a zone. For more information about how to create one, refer to "Security Zone" on Page 85.

2. In the Zone Configuration dialog, select the Data Security tab.

3. Enable the threat protection you need, and select a network behavior record rule from the profile drop-down list below; or click Add Profile in the profile drop-down list to create a network behavior record rule, see Creating a network behavior record rule.

4. Click OK to save the settings.

To realize the policy-based network behavior record:

1. Configure a security policy rule. See "Configuring a Security Policy Rule" on Page 789.

2. In the Data Security tab, select the Enable check box of network behavior record.

3. From the Profile drop-down list, select a network behavior record rule. You can also click Add Profile to create a new network behavior record rule.

4. Click OK to save the settings.

Notes:
• You can export logs to a designated destination. Refer to "Log Configuration" on Page 1179.

• By default, a rule takes effect immediately after you click OK to complete the configuration.

Viewing Logs of Network Behavior Recording

To see the logs of network behavior recording, refer to the "Network Behavior Record Log" on Page 1178.

NetFlow
NetFlow is a data exchange method that records the source/destination addresses and port numbers of data packets in the network. It is an important method for network traffic statistics and analysis.
Hillstone NetFlow supports NetFlow Version 9. With this function configured, the device collects users' ingress traffic according to the NetFlow profile and sends it to a server running a NetFlow data analysis tool, so as to detect, monitor and charge for traffic.
Related Topics:

• "Configuring NetFlow" on Page 760

Configuring NetFlow
The NetFlow configurations are based on interfaces.
To configure the interface-based NetFlow, take the following steps:

1. Click Object > NetFlow > Configuration. Select the Enable check box to enable the NetFlow function.

2. Click Object > NetFlow > Profile to create a NetFlow rule.

3. Bind the NetFlow rule to an interface. Click Network > Interface. Select the interface you want to bind, or click New to create a new interface. In the Interface Configuration dialog box, select the Basic tab and then select a NetFlow rule from the NetFlow configuration drop-down list.

Configuring a NetFlow Rule

To configure the NetFlow rule, take the following steps:

1. Click Object > NetFlow > Profile.

2. Click New to create a new NetFlow rule. To edit an existing one, select the check box of that rule and then click Edit.

In the NetFlow Configuration dialog box, configure the following options.

Name: Enter the name of the NetFlow rule.

Server: To configure the NetFlow server, take the following steps:
1. Type the server name, IP address and port number into the Server Name, IP and Port boxes respectively.
2. Click New to add a NetFlow server, which will be displayed in the list below.
3. Repeat the above steps to add more servers. You can add up to 2 servers. To delete a server, select the check box of the server you want to delete from the list and click Delete.

Active Timeout: The active timeout is the interval after which the device sends the collected NetFlow traffic information to the specified server. Type the active timeout value into the Active Timeout box. The range is 1 to 60 minutes. The default value is 5 minutes.

Source Interface: Select the source interface for sending NetFlow traffic information from the Source Interface drop-down list.

Source IP Address: After you specify the source interface, the system automatically acquires and displays the management IP address or the secondary IP address of the source interface in the drop-down list.

Template Refresh Rate: You can configure the NetFlow template refresh rate by time or by number of packets, after which the system refreshes the NetFlow template.
• Time: Specifies the time after which the system refreshes the NetFlow template. The range is 1 to 3600 minutes. The default value is 30 minutes.
• Packets: Specifies the number of packets. When the number of NetFlow packets exceeds the specified value, the system refreshes the NetFlow template. The range is 1 to 600. The default value is 20.

Enterprise Field: Select the Enterprise Field check box, and the collected NetFlow traffic information will contain enterprise field information.

3. Click OK to save the settings.
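The Template Refresh Rate matters because NetFlow v9 data records carry no field layout of their own: a collector can only decode a data flowset once it has received the template (flowset id 0) that describes it. A collector that starts, restarts, or loses packets after the exporter is already running therefore drops every data record until the next template refresh. The block below, an added example that is not StoneOS code, builds two constructed v9 export packets (one with data only, one after a refresh that includes the template) and parses them with a template cache, counting the undecodable flowsets. Field type numbers follow the standard v9 field definitions; the addresses and counters are made up.

```python
"""NetFlow v9 template/data parsing, to show why the Template Refresh Rate
above matters: a collector that starts after the exporter cannot decode data
records until a template for them arrives. Added example, not StoneOS code;
the exporter packets are constructed inline."""
import socket
import struct

# NetFlow v9 field types used here (RFC 3954 numbering) -> field name
FIELD_TYPES = {
    1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
    8: "src_addr", 11: "dst_port", 12: "dst_addr",
}
IPV4_FIELDS = {8, 12}


def build_template_flowset(template_id, fields):
    """Flowset id 0 carries templates: (template_id, field_count, (type, length)*)."""
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", t, ln) for t, ln in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def build_data_flowset(template_id, fields, records):
    """Data records laid out exactly as the template says, padded to 32 bits."""
    body = b""
    for rec in records:
        for ftype, flen in fields:
            value = rec[FIELD_TYPES[ftype]]
            body += socket.inet_aton(value) if ftype in IPV4_FIELDS else value.to_bytes(flen, "big")
    body += b"\x00" * (-(4 + len(body)) % 4)
    return struct.pack("!HH", template_id, 4 + len(body)) + body


def build_packet(flowsets, record_count, seq, source_id=1, uptime_ms=0, unix_secs=0):
    """20-byte v9 header: version, count, sysUptime, unix secs, sequence, source id."""
    header = struct.pack("!HHIIII", 9, record_count, uptime_ms, unix_secs, seq, source_id)
    return header + b"".join(flowsets)


def parse_packet(data, templates):
    """Decode one export packet. `templates` is the collector's cache keyed by
    (source_id, template_id) and is updated in place. Returns (records, undecodable)."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", data[:20])
    if version != 9:
        raise ValueError(f"unsupported NetFlow version {version}")
    records, undecodable = [], 0
    off = 20
    while off + 4 <= len(data):
        fs_id, fs_len = struct.unpack("!HH", data[off:off + 4])
        if fs_len < 4 or off + fs_len > len(data):
            raise ValueError("malformed flowset length")   # never trust lengths from the wire
        body = data[off + 4:off + fs_len]
        if fs_id == 0:                                      # template flowset
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                fields = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4]) for i in range(nfields)]
                p += 4 * nfields
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:                                  # data flowset
            fields = templates.get((source_id, fs_id))
            if fields is None:
                undecodable += 1                            # data before template: must be dropped
            else:
                rec_len = sum(ln for _, ln in fields)
                p = 0
                while p + rec_len <= len(body):             # trailing padding is shorter than a record
                    rec = {}
                    for ftype, flen in fields:
                        raw = body[p:p + flen]
                        p += flen
                        name = FIELD_TYPES.get(ftype, f"field_{ftype}")
                        rec[name] = socket.inet_ntoa(raw) if ftype in IPV4_FIELDS else int.from_bytes(raw, "big")
                    records.append(rec)
        off += fs_len
    return records, undecodable


# Constructed exporter side: one template and two flow records (addresses made up).
TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
SAMPLE_RECORDS = [
    {"src_addr": "10.0.0.5", "dst_addr": "192.0.2.10", "src_port": 51514, "dst_port": 443,
     "protocol": 6, "in_bytes": 8421, "in_pkts": 17},
    {"src_addr": "10.0.0.9", "dst_addr": "192.0.2.53", "src_port": 40000, "dst_port": 53,
     "protocol": 17, "in_bytes": 120, "in_pkts": 2},
]


def demo():
    """Collector joins late: first export has data only, second one follows a template refresh."""
    templates = {}
    data_fs = build_data_flowset(256, TEMPLATE_FIELDS, SAMPLE_RECORDS)
    early = build_packet([data_fs], record_count=len(SAMPLE_RECORDS), seq=1)
    first = parse_packet(early, templates)
    refreshed = build_packet([build_template_flowset(256, TEMPLATE_FIELDS), data_fs],
                             record_count=1 + len(SAMPLE_RECORDS), seq=2)
    second = parse_packet(refreshed, templates)
    return first, second


if __name__ == "__main__":
    (r1, miss1), (r2, miss2) = demo()
    print(f"before template: {len(r1)} records decoded, {miss1} data flowset(s) dropped")
    print(f"after refresh:   {len(r2)} records decoded, {miss2} dropped")
```

A short refresh interval (the Time and Packets values above) bounds how long such a gap lasts, at the cost of a few extra template packets; the template cache is also keyed by source id, since two exporters may reuse the same template number with different layouts.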

NetFlow Global Configurations

To configure the NetFlow global configurations, take the following steps:

1. Select Object > NetFlow > Configuration.

2. Select the Open NetFlow check box to enable the NetFlow function, or clear the check box to disable it. The NetFlow function takes effect after rebooting.

End Point Protection
This feature may not be available on all platforms. Please check your system's actual page to see if your device delivers this feature.
The endpoint security control center monitors the security status of each access endpoint and the system information of the endpoint.
When the end point protection function is enabled, the device obtains the endpoint data monitored by the endpoint security control center by interacting with it, and then applies the corresponding processing action according to the security status of the endpoint, so as to control the endpoint's network behavior.

Notes:
• At present, the end point protection function only supports linkage with the "JIANGMIN" endpoint security control center.

• End point protection is controlled by license. To use end point protection, apply for and install the EPP license.

Related Topics:

• "Configuring End Point Protection" on Page 765

• "Configuring End Point Security Control Center Parameters" on Page 771

• "End Point Monitor" on Page 1094

• "EPP Log" on Page 1174

Configuring End Point Protection
This chapter includes the following sections:

• Preparation for configuring the end point protection function.

• Configuring the end point protection function.

Preparing

Before enabling end point protection, make the following preparations:

1. Make sure your system version supports end point protection.

2. Import an EPP license and reboot.

Configuring End Point Protection Function

The end point protection configurations are based on security zones or policies.
To realize the zone-based end point protection, take the following steps:

1. Create a zone. For more information, refer to "Security Zone" on Page 85.

2. In the Zone Configuration page, select the End Point Protection tab.

3. Enable the end point protection you need and select an end point protection rule from the profile drop-down list below; or click Add Profile in the profile drop-down list. To create an endpoint protection rule, see Configuring End Point Protection Rule.

4. Click OK to save the settings.

To realize the policy-based endpoint protection, take the following steps:

1. Create a security policy rule. For more information, refer to "Security Policy" on Page 788.

2. In the Policy Configuration page, expand Protection.

3. Select the Enable check box of End Point Protection. Then select an endpoint protection rule from the Profile drop-down list, or click Add Profile in the Profile drop-down list to create an end point protection rule. For more information, see Configuring End Point Protection Rule.

4. Click OK to save the settings.

Notes: When the zone and the policy bind the same end point protection rule, the priority is policy > zone.

Configuring End Point Protection Rule

The system has two default end point protection rules: predef_epp and no_epp.

• predef_epp: Executes the Logonly action for endpoints whose status is "Uninstall" or "Unhealthy". Executes the Block action for endpoints whose status is "Infected" or "Abnormal", with a block time of 60s.

• no_epp: No protective action is executed on any endpoint by default.

To configure an end point protection rule, take the following steps:

1. Click Object > End Point Protection > Profile.

2. Click New.

In the End Point Protection Rule page, enter the end point protection rule configurations.

Name: Specifies the rule name.

Status: Specifies the protection action corresponding to the endpoint status.

• Uninstalled: Specifies the protection action for an endpoint that does not have an anti-virus client installed. Select the Uninstalled check box, and select the protection action in the drop-down list.
  • Redirect - Redirects the endpoint to the specified URL. Enter the URL in the Address text box.
  • Logonly - The system passes traffic and only records logs.
  • Block - Blocks the endpoint connection; specify the block time in the Block time text box. The unit is second. The value ranges from 60 to 65535.

• Unhealthy: Specifies the protection action for an unhealthy endpoint. Select the Unhealthy check box, and select the protection action in the drop-down list.
  • Logonly - The system passes traffic and only records logs.
  • Block - Blocks the endpoint connection; specify the block time in the Block time text box. The unit is second. The value ranges from 60 to 65535.

• Infected: Specifies the protection action for an infected endpoint. Select the Infected check box, and select the protection action in the drop-down list.
  • Logonly - The system passes traffic and only records logs.
  • Block - Blocks the endpoint connection; specify the block time in the Block time text box. The unit is second. The value ranges from 60 to 65535.

• Abnormal: Specifies the protection action for an abnormal endpoint. Select the Abnormal check box, and select the protection action in the drop-down list.
  • Logonly - The system passes traffic and only records logs.
  • Block - Blocks the endpoint connection; specify the block time in the Block time text box. The unit is second. The value ranges from 60 to 65535.

Exception Address: The exception address is not controlled by the end point protection rule. Select the address book name in the drop-down list.
Notes: Before selecting the exception address, you need to add the exception endpoint address to the address book. For configuration, see "Address" on Page 562.

3. Click OK to save the settings.

Configuring End Point Security Control Center Parameters
To configure the endpoint security control center parameters, take the following steps:

1. Go to System > Third Party Linkage.

2. Click New.

In the End Point Linkage Configuration page, enter values.

Endpoint Prevention Name: Displays the end point protection type as Jiangmin. Only one endpoint security control center server of the same type can be configured.

Server IP/Domain: Specifies the address or domain name of the endpoint security control center server. The range is 1 to 255 characters.

Server Port: Specifies the port of the endpoint security control center server. The range is 1 to 65535.

Synchronization Period: Specifies the synchronization period of endpoint data information. The range is 1 to 60 minutes. The default value is 10 minutes.

Timeout-used:
• Disable: When the endpoint security control center is disconnected from the device and the connection is not restored within two synchronization periods, the synchronized endpoint data information is cleared. By default, the timeout entry is disabled.
• Enable: When the endpoint security control center is disconnected from the device and the connection is not restored within two synchronization periods, the endpoint data information that the system synchronized the last time continues to be used.

3. Click OK.
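The end point protection rule table and the control center parameters above together describe a small enforcement loop: the device caches the endpoint status it synchronized from the control center, maps each status to Redirect/Logonly/Block (with a block timer in seconds), skips exception addresses, and, if the control center stays unreachable for more than two synchronization periods, either clears the cache (Timeout-used disabled, the default) or keeps using the last data (enabled). The block below models that loop; it is an added example, not StoneOS code. The endpoint addresses and statuses are constructed, predef_epp is taken from the page, and one point the page does not state is an assumption here: an endpoint with no cached status gets no action.

```python
"""End point protection enforcement as the tables above describe it. Added
example, not StoneOS code. Assumption: an endpoint with no cached status
gets no action (the page does not state this case)."""
from dataclasses import dataclass, field
from typing import Optional

# Rule shape: status -> (action, argument). predef_epp from the page:
# Logonly for Uninstalled/Unhealthy, Block for 60 s for Infected/Abnormal.
PREDEF_EPP = {
    "Uninstalled": ("logonly", None),
    "Unhealthy": ("logonly", None),
    "Infected": ("block", 60),
    "Abnormal": ("block", 60),
}


def validate_rule(rule):
    """Block time must lie in 60..65535 s; Redirect is only offered for Uninstalled."""
    for status, (action, arg) in rule.items():
        if action == "block" and not 60 <= arg <= 65535:
            raise ValueError(f"{status}: block time {arg} outside 60..65535")
        if action == "redirect" and status != "Uninstalled":
            raise ValueError(f"{status}: redirect is only available for Uninstalled")
    return True


@dataclass
class EppEnforcer:
    rule: dict
    sync_period_min: int = 10                           # Synchronization Period, default 10 min
    timeout_used: bool = False                          # Timeout-used, disabled by default
    exception_addrs: set = field(default_factory=set)   # Exception Address book entries
    endpoints: dict = field(default_factory=dict)       # ip -> status from the last sync
    last_sync: Optional[float] = None
    blocked_until: dict = field(default_factory=dict)   # ip -> time the block timer expires

    def sync(self, now, snapshot):
        """A successful poll of the control center replaces the cached endpoint data."""
        self.endpoints = dict(snapshot)
        self.last_sync = now

    def _expire_stale_cache(self, now):
        # Disconnected for more than two synchronization periods?
        if self.last_sync is not None and now - self.last_sync > 2 * self.sync_period_min * 60:
            if not self.timeout_used:
                self.endpoints = {}     # Timeout-used disabled: drop the synchronized data
            # Timeout-used enabled: keep using the last synchronized data

    def decide(self, now, ip):
        if ip in self.exception_addrs:
            return "pass"               # exception addresses are not controlled by the rule
        self._expire_stale_cache(now)
        if now < self.blocked_until.get(ip, 0):
            return "block"              # block timer still running
        status = self.endpoints.get(ip)
        if status is None:
            return "pass"               # assumption: no status known, no action
        action, arg = self.rule.get(status, ("none", None))
        if action == "block":
            self.blocked_until[ip] = now + arg
            return "block"
        if action == "redirect":
            return f"redirect:{arg}"
        if action == "logonly":
            return "logonly"
        return "pass"


if __name__ == "__main__":
    validate_rule(PREDEF_EPP)
    epp = EppEnforcer(PREDEF_EPP, sync_period_min=10, exception_addrs={"10.1.1.9"})
    # Constructed snapshot as it might come back from the control center.
    epp.sync(0, {"10.1.1.5": "Infected", "10.1.1.6": "Unhealthy", "10.1.1.9": "Abnormal"})
    for t, ip in [(5, "10.1.1.5"), (30, "10.1.1.5"), (5, "10.1.1.6"), (5, "10.1.1.9"), (1300, "10.1.1.6")]:
        print(f"t={t:>4}s {ip}: {epp.decide(t, ip)}")
```

The last probe in the sample (t=1300 s, more than two 10-minute periods after the only sync) is where the Timeout-used choice shows: with it disabled the cache is cleared and the unhealthy endpoint is no longer acted on; with it enabled the same probe still returns Logonly from the stale data.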

ACL
System supports ACL (Access Control List) based on MAC addresses. You can create access con-
trol profile based on MAC addresses and bind the profile to security policies to achieve access
control of the specific MAC addresses. With the combination of security policy and ACL rules,
system can achieve accurate access controlling.

ACL Profile
The ACL profile consists of one or more access control rules. In the access rule, you can set the
source MAC address and destination MAC address to filter the packets flowing through the
device, and set access control action for the matched packets, pass or discard. The configured
access control profiles will take effect only when they are bound to security policies.
To configure an ACL profile, take the following steps:

1. Select Object > ACL > Profile.

2. Click New and the ACL Profile Configuration dialog box will appear.

In the ACL Profile Configuration dialog, configure the corresponding options.

Option Description

Name Specify the name of the ACL profile.

773 Chapter 9

Object
Option Description

Default Action Specify the default action of access control. For


the packets which match the access control rule in
the list below, it will be processed according to
the action set in the access control rule; for the
packets which fail to match the access control
rule, it will be processed according to the default
action set here. Default control actions include:

l Pass: By default, packets will be allowed to


pass the detection of access control, but still
need to be detected via IPS, Anti-virus and
so on.

l Block: By default, packets will be blocked


directly and will not pass through the
device.

3. Click New on the ACL Profile Configuration, and the ACL Rule Configuration dialog pops
up.

In the <ACL Rule Configuration> dialog, configure the corresponding options.

Option                  Description

Priority                Specify the priority of the ACL rule, ranging from 1 to 32. The bigger the value, the higher the priority.

Action                  Specify the action to be executed after the ACL rule has been matched, including:
                        • Pass: Packets will be allowed to pass the access control check, but they still need to be inspected by IPS, Anti-Virus and the other engines.
                        • Block: Packets will be blocked directly and will not pass through the device.

Traffic Direction       Specify the traffic direction of the ACL rule. Forward indicates the direction in which the session is initiated. Backward indicates the direction in which the session is responded to. Bidirectional covers both Forward and Backward. By default, the system matches bidirectional traffic.

Source MAC Address      Specify the source MAC address of the packets to be matched.

Destination MAC Address Specify the destination MAC address of the packets to be matched.

Limit Type              Specify the limit type that the access control rule applies to the extension headers of IPv6 packets, including Total Header Number, Single Header Number and Header Order.
                        • Total Header Number: Select this option and then specify the Total Header Number and the Comparison Mode. The system counts the total number of extension headers in the IPv6 packet and compares it with the configured number. If the condition is met, the system processes the packet according to the action of this rule.
                        • Single Header Number: Select this option and then specify the Header and the Comparison Mode. The system counts the occurrences of the specified extension header in the IPv6 packet and compares the count with the configured number. If the condition is met, the system processes the packet according to the action of this rule.
                        • Header Order: Select this option and then specify the Header Order: Positive Sequence or Out of Order. Positive Sequence matches packets whose extension headers are arranged in the expected order; Out of Order matches packets whose extension headers are arranged in any other order. If the condition is met, the system processes the packet according to the action of this rule.

Log                     The system will log the packets that match the access control rule.

4. Click OK.
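The three limit types above decide whether the extension-header chain of an IPv6 packet triggers the rule. The following Python model is an added example, not code from StoneOS or Hillstone: it walks the extension-header chain of a raw IPv6 packet, applies Total Header Number, Single Header Number and Header Order rules from the highest priority down, and returns the first matching rule's action. The comparison-mode names (eq, gt, lt, ge, le), the rule field names and the `build_packet` helper that constructs the sample packets are assumptions of this example; the expected header order is the one recommended in RFC 8200, section 4.1.

```python
"""Added example (not StoneOS code): evaluate IPv6 extension-header ACL rules, the
Total Header Number, Single Header Number and Header Order limit types, by priority."""
from __future__ import annotations

import operator
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional

# IANA protocol numbers of the IPv6 extension headers handled here.
HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS, MOBILITY = 0, 43, 44, 50, 51, 60, 135
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS, MOBILITY}
# Recommended order from RFC 8200 section 4.1 (Destination Options may appear twice).
CANONICAL_ORDER = [HOPOPT, DSTOPTS, ROUTING, FRAGMENT, AH, ESP, DSTOPTS]
# Comparison-mode names are an assumption; the guide names the field but not its values.
COMPARE = {"eq": operator.eq, "gt": operator.gt, "lt": operator.lt, "ge": operator.ge, "le": operator.le}


def extension_chain(packet: bytes) -> List[int]:
    """Return the extension-header numbers in wire order; stops at the upper-layer header or at ESP."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    chain: List[int] = []
    nh, off = packet[6], 40
    while nh in EXT_HEADERS:
        chain.append(nh)
        if nh == ESP:                       # encrypted payload hides whatever follows
            break
        if off + 2 > len(packet):
            raise ValueError("truncated extension header")
        next_nh, ext_len = packet[off], packet[off + 1]
        if nh == FRAGMENT:
            size = 8                        # fixed-size header
        elif nh == AH:
            size = (ext_len + 2) * 4        # AH length field: 32-bit words minus 2
        else:
            size = (ext_len + 1) * 8        # 8-octet units, not counting the first 8
        nh, off = next_nh, off + size
    return chain


def is_positive_sequence(chain: Iterable[int]) -> bool:
    """True when the chain is a subsequence of the RFC 8200 recommended order."""
    pos = 0
    for hdr in chain:
        while pos < len(CANONICAL_ORDER) and CANONICAL_ORDER[pos] != hdr:
            pos += 1
        if pos == len(CANONICAL_ORDER):
            return False
        pos += 1
    return True


@dataclass(frozen=True)
class AclRule:
    priority: int                   # 1..32; the bigger the value, the higher the priority
    action: str                     # "pass" or "block"
    limit_type: str                 # "total", "single" or "order"
    compare: str = "eq"
    count: int = 0
    header: Optional[int] = None    # header number for limit_type "single"
    order: str = "positive"         # "positive" or "out-of-order" for limit_type "order"

    def matches(self, chain: List[int]) -> bool:
        if self.limit_type == "total":
            return COMPARE[self.compare](len(chain), self.count)
        if self.limit_type == "single":
            return COMPARE[self.compare](chain.count(self.header), self.count)
        if self.limit_type == "order":
            return is_positive_sequence(chain) == (self.order == "positive")
        raise ValueError(f"unknown limit type {self.limit_type!r}")


def evaluate(packet: bytes, rules: List[AclRule], default_action: str = "pass") -> str:
    """Highest priority first; the first matching rule decides."""
    chain = extension_chain(packet)
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        if rule.matches(chain):
            return rule.action
    return default_action


def build_packet(headers: List[int], upper: int = 6) -> bytes:
    """Construct a minimal IPv6 packet (sample data) carrying the given extension headers."""
    body = b""
    for hdr, nxt in zip(headers, headers[1:] + [upper]):
        if hdr == FRAGMENT:
            body += struct.pack("!BBHI", nxt, 0, 0, 0)
        elif hdr == AH:
            body += bytes([nxt, 2]) + b"\x00" * 14    # length field 2 -> 16 bytes
        else:
            body += bytes([nxt, 0]) + b"\x00" * 6     # length field 0 -> 8 bytes
    first = headers[0] if headers else upper
    fixed = struct.pack("!IHBB16s16s", 0x60000000, len(body), first, 64, b"\x00" * 16, b"\x00" * 16)
    return fixed + body


# Example rule set: repeated Fragment headers, chains deeper than 3 and mis-ordered chains are blocked.
RULES = [
    AclRule(priority=20, action="block", limit_type="single", header=FRAGMENT, compare="ge", count=2),
    AclRule(priority=10, action="block", limit_type="total", compare="gt", count=3),
    AclRule(priority=5, action="block", limit_type="order", order="out-of-order"),
]
```

The walk stops at an ESP header because its payload is encrypted: whatever follows it cannot be counted, so the count and order checks only cover the headers that precede it.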

IoT Policy
This feature may not be available on all platforms. Check the actual page of your system to see whether your device provides this feature.
IoT, the abbreviation of Internet of Things, is the extension of Internet connectivity into physical devices and everyday objects.
The IoT policy can identify network video monitoring devices, such as IPCs (IP Cameras) and NVRs (Network Video Recorders), from the traffic flowing through the device, then monitor the identified devices and block illegal behaviors according to the configuration.

Notes:
• Only the IPC and NVR devices of Hikvision, Dahua and Uniview are supported currently.

• The IoT Policy function is available only when the IoT license is installed on the system.

• Network video monitoring devices behind NAT cannot be identified by the IoT policy.

Links:

• Configuring IoT Policy

• Configuring Admittance List

• IoT Monitor

• IoT Log

Configuring IoT Policy
This section covers the following topics:

• Preparations for IoT Policy Configuration

• Configuring IoT Policy

Preparations for IoT Policy Configuration

Before configuring the IoT policy, make sure the following conditions are met.

1. The IoT Policy function is supported by your system version.

2. The IoT license has been installed and you have logged in to the device again.

Configuring IoT Policy

The system supports configuring the IoT policy based on the zone.

To configure the IoT policy based on the zone, take the following steps:

1. For how to create or edit the zone, refer to Zone.

2. In the Zone Configuration dialog, click the IoT Monitor tab.

3. Select the Enable check box. You can select a configured IoT profile from the Profile drop-
down list, or click Add Profile in the drop-down list to create an IoT profile. For how to
configure the IoT policy profile, refer to Configuring IoT Profile.

4. Click OK to save the configurations.

Configuring IoT Profile

To create an IoT profile, take the following steps:

1. Click Object > IoT Policy > Profile.

2. Click New and the IoT Profile Configuration dialog pops up.

In the dialog, configure the options as follows:

Option                  Description

Name                    Specify the name of the IoT profile.

End-point Identification    Select the Open check box to enable end-point identification. When the function is enabled, the system actively probes the end-point IPs in the IoT monitoring list and identifies the manufacturer and model of the network video monitoring devices from the returned packets. The information is then displayed in the IoT monitoring list. End-point identification is triggered:
                        • when a new end-point IP is added to the IoT monitoring list.
                        • when the network video monitoring device logs in again.
                        • every 5 minutes while the network video monitoring device stays online.

End-point Behavior Monitor  Select the Open check box to enable end-point behavior monitoring. When the function is enabled, the system checks whether the devices' behaviors are illegal. If illegal behaviors are detected, you can execute one of the following operations:
                        • Log Only: The system lets the traffic flowing through the end-point device pass and records logs.
                        • Block: The system blocks the traffic flowing through the end-point device.

Admittance List         Select a configured admittance list profile from the drop-down list, or click Add Profile in the drop-down list to create one. See Configuring Admittance List.

3. Click OK to save the configurations.

Notes: To ensure the normal performance of the IoT policy, the network video monitoring devices should:

• have the ONVIF service and multicast discovery enabled.

• be able to communicate with the Hillstone device.

Configuring Admittance List
For the traffic flowing through a zone bound with an IoT policy profile, the system can control it with an admittance list whose entries are of the IP, MAC and IP/MAC types: only the traffic that matches an entry of the configured type is allowed to pass. By default, all the traffic flowing through a zone bound with an IoT policy profile is allowed to pass.
When entries of all three types (IP/MAC, IP and MAC) are configured, traffic is matched against them in the order IP/MAC > IP > MAC. Traffic can pass in the following conditions:

• Traffic first matches the IP/MAC entries, and both the IP and the MAC are matched.

• Traffic first matches the IP/MAC entries, but only the IP is matched. Traffic is then matched against the IP entries and the MAC entries in that order, and both the IP and the MAC are matched.

You can configure the admittance list with the following methods:

Creating Admittance List Profile

1. Click Object > IoT Policy > Admittance List.

2. Click New, and the Admittance List Configuration dialog pops up. Enter the name of the
admittance list into the Name text box. Click Add and the Add dialog pops up.

Configure the options as follows:

Option                  Description

Mode                    Specify the type of the admittance list entry: IP, MAC or IP-MAC. Note: When the network video monitoring devices and the Hillstone device are not in the same broadcast domain, the MAC address obtained from the packets may not be the device's real address (the source MAC seen is that of the last-hop router), so the network video monitoring devices cannot match the admittance list. In that case you are advised to configure entries of the IP type.

IP                      Specify the entry type as IP and configure the following items:
                        • IP Type: Select the IP address type of the network video monitoring device, IPv4 or IPv6.
                        • IPv4/Netmask: Enter the IPv4 address and netmask.
                        • IPv4 Range: Enter the start IPv4 address and the end IPv4 address.
                        • IPv6/Prefix: Enter the IPv6 address and prefix.
                        • IPv6 Range: Enter the start IPv6 address and the end IPv6 address.
                        • Account (Optional): Enter the admin name of the network video monitoring device.
                        • Password (Optional): Enter the password of the account.

MAC                     Specify the entry type as MAC and configure the MAC address of the network video monitoring device.

IP-MAC                  Specify the entry type as IP/MAC and configure the following items:
                        • IP Type: Select the IP address type of the network video monitoring device, IPv4 or IPv6.
                        • IPv4: Enter the IPv4 address into the text box.
                        • IPv6: Enter the IPv6 address into the text box.
                        • MAC: Enter the MAC address into the text box.
                        • Account (Optional): Enter the admin name of the network video monitoring device.
                        • Password (Optional): Enter the password of the account.

3. Click Add to save the configurations.

Notes: Entries of the same type in one profile cannot repeat, otherwise an error pops up. An entry counts as repeated when:

• IP-MAC: both the IP address and the MAC address are the same as those of an existing entry.

• IP: the IP/netmask or IP range contains addresses already covered by an existing entry.

• MAC: the MAC address is the same as that of an existing entry.
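The match order described under Configuring Admittance List (IP/MAC first, then IP, then MAC) and the duplicate rules in the note above are easier to verify in code. The following Python model is an added example, not StoneOS code: it builds a profile with the three entry types, rejects repeated entries the way the note describes (overlapping IP ranges, identical MACs, identical IP/MAC pairs) and decides whether a device's IP and MAC are admitted. The guide only spells out the case where all three entry types are configured; the fallbacks for a profile with fewer entry types, and the behaviour when no IP/MAC entry matches the IP at all, are assumptions of this example and are marked in the code. The addresses in `sample_profile` are constructed.

```python
"""Added example (not StoneOS code): an IoT admittance-list profile with the duplicate
checks from the note above and the IP/MAC > IP > MAC matching order."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def norm_mac(mac: str) -> str:
    """Canonical lowercase colon form, so 'AA-BB-CC-DD-EE-01' and 'aabb.ccdd.ee01' compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class IpRange:
    """Inclusive address range; an IP/netmask or IPv6/prefix entry is stored as one as well."""
    start: IPAddr
    end: IPAddr

    def __contains__(self, ip: IPAddr) -> bool:
        return ip.version == self.start.version and self.start <= ip <= self.end

    def overlaps(self, other: "IpRange") -> bool:
        return (self.start.version == other.start.version
                and self.start <= other.end and other.start <= self.end)


def parse_ip_entry(spec: str) -> IpRange:
    """Accepts '10.0.0.0/24', '2001:db8::/64' or 'start-end' for either address family."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range {spec!r}")
        return IpRange(lo, hi)
    net = ipaddress.ip_network(spec, strict=False)
    return IpRange(net.network_address, net.broadcast_address)


@dataclass
class AdmittanceProfile:
    name: str
    ip_entries: List[IpRange] = field(default_factory=list)
    mac_entries: Set[str] = field(default_factory=set)
    ipmac_entries: Set[Tuple[IPAddr, str]] = field(default_factory=set)

    def add_ip(self, spec: str) -> None:
        """IP entries may not repeat addresses already covered by another IP entry."""
        new = parse_ip_entry(spec)
        for old in self.ip_entries:
            if old.overlaps(new):
                raise ValueError(f"IP entry {spec!r} repeats addresses in {old.start}-{old.end}")
        self.ip_entries.append(new)

    def add_mac(self, mac: str) -> None:
        mac = norm_mac(mac)
        if mac in self.mac_entries:
            raise ValueError(f"MAC entry {mac} repeated")
        self.mac_entries.add(mac)

    def add_ipmac(self, ip: str, mac: str) -> None:
        """Only an identical IP and MAC pair counts as a repeat."""
        entry = (ipaddress.ip_address(ip), norm_mac(mac))
        if entry in self.ipmac_entries:
            raise ValueError(f"IP/MAC entry {ip} {entry[1]} repeated")
        self.ipmac_entries.add(entry)

    def admitted(self, ip: str, mac: str) -> bool:
        """Decide whether a device's traffic passes, matching IP/MAC, then IP, then MAC."""
        addr, mac = ipaddress.ip_address(ip), norm_mac(mac)
        if not (self.ip_entries or self.mac_entries or self.ipmac_entries):
            return True     # nothing configured: all traffic through the zone passes
        # 1. IP/MAC entries: both the IP and the MAC matched, the device is admitted.
        if (addr, mac) in self.ipmac_entries:
            return True
        # 2. Otherwise the IP entries and then the MAC entries must both match. The
        #    guide states this for an IP/MAC entry that matched only the IP; this example
        #    assumes the same fallback when no IP/MAC entry matched at all, skips an entry
        #    type that has no entries, and rejects the device when no fallback type exists.
        checks = []
        if self.ip_entries:
            checks.append(any(addr in r for r in self.ip_entries))
        if self.mac_entries:
            checks.append(mac in self.mac_entries)
        return bool(checks) and all(checks)


def sample_profile() -> AdmittanceProfile:
    """Constructed sample: one camera pinned by IP/MAC, a camera subnet and one known MAC."""
    profile = AdmittanceProfile("cameras-floor1")
    profile.add_ipmac("192.168.10.5", "AA-BB-CC-DD-EE-05")
    profile.add_ip("192.168.10.0/24")
    profile.add_mac("aa:bb:cc:dd:ee:01")
    return profile
```

Because the MAC seen on a routed segment belongs to the last-hop router, the IP-type entries are the only ones that hold up when the cameras are not in the device's broadcast domain, which is the note's recommendation.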

Importing Admittance List

1. Click Object > IoT Policy > Admittance List.

2. (Optional) Click Admittance List Template and download the template to your local machine.

3. Select an admittance list and click Import.

4. In the Admittance List Import dialog, click Browse and select the local admittance list file to upload.

5. Click OK.

Adding to Admittance List

1. Click Monitor > IoT Monitor > Details.

2. Select the check box and click Add to Admittance List.

In the pop-up dialog, configure the options as follows.

Option                  Description

Admittance List         Select the admittance list profile from the drop-down list to which the selected item will be added.

Type                    Specify the type under which the selected item will be added: IP, MAC or IP/MAC.

3. Click OK to save the configurations.

Chapter 10 Policy
The Policy module provides the following functions:

• Security policy: Security policy is the basic function of the devices, designed to control the traffic forwarding between security zones/segments. By default, all traffic between security zones/segments is denied.

• NAT: When IP packets pass through the devices or routers, the devices or routers translate the source IP address and/or the destination IP address in the IP packets.

• QoS: QoS is used to give different priorities to different traffic, in order to control delay and jitter and decrease the packet loss rate. QoS can assure the normal transmission of critical business traffic when the network is overloaded or congested.

• Session limit: The session limit function limits the number of sessions and controls the session rate per source IP address, destination IP address, specified IP address, service, or role/user/user group, thereby protecting against DoS attacks and controlling the bandwidth of applications such as IM or P2P.

• Global blacklist: After IP addresses or services are added to the global blacklist, the system blocks the IP address and service until the block duration ends.

Security Policy
Security policy is the basic function of the devices, designed to control the traffic forwarding between security zones/segments. Without security policy rules, the devices deny all traffic between security zones/segments by default. After security policy rules are configured, the device can identify what traffic between security zones or segments will be permitted, and all other traffic will be denied.
The basic elements of a policy rule are:

• The source zone and address of the traffic

• The destination zone and address of the traffic

• The service type of the traffic

• The action that the device performs when processing the specific type of traffic, including Permit, Deny, Tunnel, From tunnel, WebAuth and Portal server.

Generally a security policy rule consists of two parts: filtering conditions and actions. You set the filtering conditions by specifying the traffic's source zone/address, destination zone/address, service type and user. Each policy rule is labeled with a unique ID, which is generated automatically when the rule is created; you can also specify a policy rule ID of your own choice. All policy rules in the system are arranged in a specific order. When traffic flows into the device, the device queries the policy rules in that order and processes the traffic according to the first matched rule.
The maximum number of global security policy rules varies between models.
Security policy supports IPv4 and IPv6 addresses. If IPv6 is enabled, you can configure IPv6 address entries for the policy rule.
This section contains the following contents:

• Configure a security policy rule

• Manage the security policy rules: enable/disable a policy rule, clone a policy rule, adjust the security rule position, configure the default action, view and clear the policy hit count, hit count check, rule redundancy check, import/export policy rules, search policy rules and configure the policy audit function.

• Configure an aggregate policy

• Configure a security policy group

• Configure a mini policy

• View and search the security policy rules/security policy groups

• Configure the policy assistant

Configuring a Security Policy Rule

To configure a security policy rule, take the following steps:

1. Select Policy > Security Policy > Policy.

2. At the top-left corner, click New to open the Policy Configuration page.

Configure the corresponding options.

Option                  Description

Name                    Type the name of the security policy rule.

Type                    Select the IP type, IPv4 or IPv6. Only IPv6 firmware can configure the IPv6 type. If IPv6 is selected, all of the IPv6/prefix, IP range and address book entries must be in IPv6 format.

Source Information

Zone                    Specifies a source zone.

Address                 Specifies the source addresses.
                        1. Select an address type from the Address drop-down list.
                        2. Select or type the source addresses based on the selected type.
                        3. Click Add to add the addresses to the left pane.
                        4. After adding the desired addresses, click Close to complete the source address configuration.
                        You can also perform other operations:
                        • When selecting the Address Book type, you can click the icon to create a new address entry.
                        • The default address configuration is any. To restore this default, select the any check box.

User                    Specifies a role, user or user group for the security policy rule.
                        1. From the User drop-down menu, select the AAA server where the users and user groups reside. To specify a role, select Role from the AAA Server/Role drop-down list.
                        2. Based on the type of AAA server, you can execute one or more actions: search for a user/user group/role, expand the user/user group list, or enter the name of the user/user group.
                        3. After selecting users/user groups/roles, click the selected users/user groups/roles to add them to the left pane.
                        4. After adding the desired objects, click Close to complete the user configuration.

Destination

Zone                    Specifies a destination zone.

Address                 Specifies the destination addresses.
                        1. Select an address type from the Address drop-down list.
                        2. Select or type the destination addresses based on the selected type.
                        3. Click Add to add the addresses to the left pane.
                        4. After adding the desired addresses, click Close to complete the destination address configuration.
                        You can also perform other operations:
                        • When selecting the Address Book type, you can click the icon to create a new address entry.
                        • The default address configuration is any. To restore this default, select the any check box.

Other Information

Service                 Specifies a service or service group.
                        1. From the Service drop-down menu, select a type: Service or Service Group.
                        2. Search for the desired service/service group, or expand the service/service group list.
                        3. After selecting the desired services/service groups, click the selected services/service groups to add them to the left pane.
                        4. After adding the desired objects, click Close to complete the service configuration.
                        You can also perform other operations:
                        • To add a new service or service group, select User-defined from the Predefined drop-down menu and click the icon.
                        • The default service configuration is any. To restore this default, select the any check box.

                        Specifies a service rule.
                        When configuring the service of a policy rule, you can add a predefined or user-defined service that has been configured in the service book. When the required service does not exist in the service book, you can specify the protocol type and port number of the service directly by configuring a service rule, which simplifies the policy configuration. The available protocol types are TCP, UDP, ICMP, ICMPv6 and All. If needed, you can add multiple service items.
                        1. From the Service drop-down menu, select the type Service Rule.
                        2. From the Protocol Type drop-down menu, select a protocol type: TCP, UDP, ICMP, ICMPv6 or All. The parameters for the protocol types are described as follows:
                        TCP/UDP:
                        • Destination port: Min specifies the minimum port number of the service rule; Max specifies the maximum port number. The value range is 0 to 65535.
                        • Source port: Min specifies the minimum port number of the service rule; Max specifies the maximum port number. The value range is 0 to 65535.
                        Notes: The minimum port number cannot exceed the maximum port number. The Min of the destination port is required; the other options are optional. If Max is not configured, the system uses Min as the single port.
                        ICMP:
                        • Type: Specifies an ICMP type for the service rule. The available values are 0 (Echo Reply), 3 (Destination Unreachable), 4 (Source Quench), 5 (Redirect), 8 (Echo), 11 (Time Exceeded), 12 (Parameter Problem), 13 (Timestamp), 14 (Timestamp Reply), 15 (Information Request), 16 (Information Reply), 17 (Address Mask Request), 18 (Address Mask Reply), 30 (Traceroute), 31 (Datagram Conversion Error), 32 (Mobile Host Redirect), 33 (IPv6 Where-Are-You), 34 (IPv6 I-Am-Here), 35 (Mobile Registration Request) and 36 (Mobile Registration Reply).
                        • Code: Specifies a minimum value and a maximum value for the ICMP code. The value range is 0 to 15; the default is min code 0, max code 15.
                        Notes: The minimum code cannot exceed the maximum code. If Max is not configured, the system uses Min as the single code.
                        ICMPv6:
                        • Type: Specifies an ICMPv6 type for the service rule. The available values are 1 (Destination Unreachable), 2 (Packet Too Big), 3 (Time Exceeded), 4 (Parameter Problem), 100 (Private experimentation), 101 (Private experimentation), 127 (Reserved for expansion of ICMPv6 error messages), 128 (Echo Request), 129 (Echo Reply), 130 (Multicast Listener Query), 131 (Multicast Listener Report), 132 (Multicast Listener Done), 133 (Router Solicitation), 134 (Router Advertisement), 135 (Neighbor Solicitation), 136 (Neighbor Advertisement), 137 (Redirect Message), 138 (Router Renumbering), 139 (ICMP Node Information Query), 140 (ICMP Node Information Response), 141 (Inverse Neighbor Discovery Solicitation Message), 142 (Inverse Neighbor Discovery Advertisement Message), 143 (Version 2 Multicast Listener Report), 144 (Home Agent Address Discovery Request Message), 145 (Home Agent Address Discovery Reply Message), 146 (Mobile Prefix Solicitation), 147 (Mobile Prefix Advertisement), 148 (Certification Path Solicitation Message), 149 (Certification Path Advertisement Message), 150 (ICMP messages utilized by experimental mobility protocols such as Seamoby), 151 (Multicast Router Advertisement), 152 (Multicast Router Solicitation), 153 (Multicast Router Termination), 154 (FMIPv6 Messages), 200 (Private experimentation), 201 (Private experimentation) and 255 (Reserved for expansion of ICMPv6 informational messages).
                        • Code: Specifies a minimum value and a maximum value for the ICMPv6 code. The value range is 0 to 255; the default is min code 0, max code 255.
                        Notes: The minimum code cannot exceed the maximum code. If Max is not configured, the system uses Min as the single code.
                        All:
                        • Protocol: Specifies a protocol name for the service rule. For a protocol the system does not know by name, you can enter the corresponding protocol number directly.
                        3. Click Add to add the configured service rules to the list on the left.
                        4. Click Close.

Application             Specifies applications, application groups or application filters.
                        1. From the Application drop-down menu, search for the desired application/application group/application filter, or expand the list of applications/application groups/application filters.
                        2. After selecting the desired applications/application groups/application filters, click the selected ones to add them to the left pane.
                        3. After adding the desired objects, click Close to complete the application configuration.
                        You can also perform other operations:
                        • To add a new application group, select Application Groups from the Application drop-down menu and click the icon.
                        • To add a new application filter, select Application Filters from the Application drop-down menu and click the icon.

Action                  Specifies an action for the traffic that matches the policy rule, including:
                        • Permit: Select Permit to permit the traffic to pass through.
                        • Deny: Select Deny to deny the traffic.
                        • WebAuth: Performs Web authentication on the matched traffic. Select the Secured Connection option, select WebAuth from the drop-down list, and then select an authentication server from the drop-down list that follows.
                        • From tunnel (VPN): For traffic from a peer to the local device. If this option is selected, the system first determines whether the traffic originates from a tunnel, and only such traffic is permitted. Select the Secured Connection option, select From tunnel (VPN) from the drop-down list, and then select a tunnel from the drop-down list that follows.
                        • Tunnel (VPN): For traffic from the local device to a peer, select this option to allow the traffic to pass through the VPN tunnel. Select the Secured Connection option, select Tunnel (VPN) from the drop-down list, and then select a tunnel from the drop-down list that follows.
                        • Portal server: Performs portal authentication on the matched traffic. Select the Secured Connection option, select Portal server from the drop-down list, and then type the URL of the portal server.

Enable Web Redirect     Enable the Web redirect function to redirect HTTP requests from clients to a specified page automatically. With this function enabled, the system redirects the page you request over HTTP to a prompt page.
                        1. Click the Enable Web Redirect button.
                        2. Type a redirect URL into the Notification page URL box.
                        When using the Web redirect function, you also need to configure the Web authentication function. For more configuration details, see "User Online Notification" on Page 855.

Audit Comment           After the Configuration Audit function is enabled, this option is required when creating or modifying a policy, and you must add a policy audit comment to the text box. The range is 1 to 255 characters. For detailed operation of this function, refer to Configuring Policy Audit Function.
                        When the Configuration Audit function is not enabled, this option is optional and the range is 0 to 255 characters.
                        To enable/disable the Configuration Audit function, configure it in the Option page (System > Device Management > Option); refer to Configuration Audit.

Expand Protection, configure the corresponding options. Binding any of these profiles to the security policy rule enables the device to implement fine-grained application layer policy control on the matched traffic.

Option                  Description

Antivirus               Specifies an antivirus profile.

IPS                     Specifies an IPS profile.

URL Filtering           Specifies a URL filter profile.

Sandbox                 Specifies a sandbox profile.

Botnet Prevention       Specifies a botnet prevention profile.

Expand Data Security, configure the corresponding options. Binding any of these profiles to the security policy rule enables the device to implement fine-grained application layer policy control on the matched traffic.

Option                  Description

File Filter             Specifies a file filter profile.

File Content Filter     Specifies a file content filter profile.

Web Content             Specifies a web content profile.

Web Posting             Specifies a web posting profile.

Email Filter            Specifies an email filter profile.

APP Behavior Control    Specifies an app behavior control profile.

Network Behavior Record Specifies an NBR (network behavior record) profile.

Expand Options, configure the corresponding options.

Option                  Description

Schedule                Specifies a schedule during which the security policy rule takes effect. Select the desired schedule from the Schedule drop-down list; this option supports fuzzy search. After selecting the desired schedules, click a blank area of the page to complete the schedule configuration. To create a new schedule, click the icon.

Log                     You can log policy rule matches in the system logs according to your needs.
                        • For Permit rules, logs are generated on two occasions: when a session of the traffic that matches the rule starts, and when it ends.
                        • For Deny rules, logs are generated when the traffic that matches the rule is denied.
                        Select one or more check boxes to enable the corresponding log types:
                        • Deny: Generates logs when the traffic that matches the rule is denied.
                        • Session start: Generates logs when a session of the traffic that matches the rule starts.
                        • Session end: Generates logs when a session of the traffic that matches the rule ends.

SSL Proxy               Specifies an SSL proxy profile. Combining the security policy rule with an SSL proxy profile enables the device to decrypt HTTPS traffic.

Policy Assistant        Click the Enable button to enable the policy assistant. After enabling it, you can specify the policy ID whose hit traffic is to be analyzed. The system analyzes the traffic that hit the specified policy ID, aggregates the traffic list according to the user-defined aggregation rules, and finally generates security policy rules that meet your expectations. For how to use the policy assistant, see Configuring the Policy Assistant.

ACL                     Click the Enable button to enable the access control function and select an ACL profile. Combining the security policy rule with ACL rules lets the system achieve more precise access control.

Aggregate Policy        Click the Aggregate Policy drop-down menu and select the aggregate policy to which this rule will be added.

Position                Select a rule position from the Position drop-down list. Each policy rule is labeled with a unique ID or name. When traffic flows into the device, the device queries the policy rules in order and processes the traffic according to the first matched rule. However, the policy rule ID is not related to the matching sequence: the sequence displayed in the policy rule list is the query sequence. The rule position can be an absolute position, i.e., at the top or bottom, or a relative position, i.e., before or after an ID or a name.

Description             Type a description into the Description box.

3. Click OK to save your settings.

Managing Security Policy Rules

Managing security policy rules covers the following operations: enable/disable a policy rule, clone a policy rule, adjust the security rule position, configure the default action, view and clear the policy hit count, hit count check, and rule redundancy check.

Enabling/Disabling a Policy Rule

By default the configured policy rule will take effect immediately. You can terminate its control
over the traffic by disabling the rule.
To enable/disable a policy rule:

1. Select Policy > Security Policy > Policy.

2. Select the security policy rule that you want to enable/disable.

3. Click the icon, and then select Enable or Disable to enable or disable the rule.

Disabled rules are not displayed in the list. Click the icon, and then select Show Disabled Policies to show them.

Cloning a Policy Rule

When there are a large number of policy rules in the system, you can create a policy rule similar to a configured one by copying that rule and pasting it at the specified location.
To clone a policy rule, take the following steps:

1. Select Policy > Security Policy > Policy.

2. Select the security policy rule that you want to clone and click Copy.

3. Click Paste. In the drop-down list, select the desired position. Then the rule will be cloned
to the desired position.

Adjusting Security Policy Rule Position

To adjust the rule position, take the following steps:

1. Select Policy > Security Policy > Policy.

2. Select the check box of the security policy whose position will be adjusted.

3. Click Move.

4. In the drop-down list, type the rule ID or name, and click Top, Bottom, Before ID, After ID, Before Name or After Name. The rule is moved to the top, to the bottom, or before or after the specified ID or name.

Configuring Default Action

You can specify a default action for the traffic that is not matched with any configured policy rule.
System will process the traffic according to the specified default action. By default system will
deny such traffic.
To specify a default policy action, take the following steps:

1. Select Policy > Security Policy > Policy.

2. Click the icon and select Default Policy Action.

Configure the following options.

Option                  Description

Default action          Specify a default action for the traffic that does not match any configured policy rule.
                        • Click Permit to permit the traffic to pass through.
                        • Click Deny to deny the traffic.

Log                     Configure whether to generate logs for the traffic that does not match any configured policy rule. By default, the system does not generate logs for such traffic. To enable logging, click the Enable button, and the system will generate logs for such traffic.

3. Click OK to save your changes.
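The rule configuration described under Configuring a Security Policy Rule (source/destination zone and address, service rules with Min/Max ranges, the action), the Position option, the Move operation and the default action for unmatched traffic all come together in the policy lookup. The following Python model is an added example, not StoneOS code: it evaluates an ordered rule base by first match, treats the list position rather than the rule ID as the query order, collapses a missing Max to its Min as the service-rule notes describe, skips disabled rules, applies a configurable default action, and moves rules with the same top/bottom/before/after choices as the Move button. Users, applications, schedules and the profile bindings are left out; the zones, addresses and ports in `sample_policy` are constructed.

```python
"""Added example (not StoneOS code): first-match lookup over an ordered security policy
with service rules, a configurable default action and rule repositioning."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Packet:
    # The fields of a flow that the lookup needs; sample packets are constructed in the tests.
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_ip: str
    proto: str                      # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0
    icmp_code: int = 0


@dataclass(frozen=True)
class ServiceRule:
    # Protocol plus port or type/code ranges; a Max left out collapses to its Min.
    proto: str                      # "tcp", "udp", "icmp" or "all"
    dport_min: int = 0              # the only required field for TCP/UDP
    dport_max: Optional[int] = None
    sport_min: int = 0
    sport_max: Optional[int] = 65535
    icmp_type: Optional[int] = None
    code_min: int = 0
    code_max: Optional[int] = 15

    def matches(self, pkt: Packet) -> bool:
        if self.proto == "all":
            return True
        if self.proto != pkt.proto:
            return False
        if self.proto in ("tcp", "udp"):
            dmax = self.dport_min if self.dport_max is None else self.dport_max
            smax = self.sport_min if self.sport_max is None else self.sport_max
            return self.dport_min <= pkt.dport <= dmax and self.sport_min <= pkt.sport <= smax
        cmax = self.code_min if self.code_max is None else self.code_max
        return ((self.icmp_type is None or pkt.icmp_type == self.icmp_type)
                and self.code_min <= pkt.icmp_code <= cmax)


def addr_listed(ip: str, addrs: Tuple[str, ...]) -> bool:
    """True if ip falls in any listed network, or the list is 'any'."""
    if ANY in addrs:
        return True
    a = ipaddress.ip_address(ip)
    return any(a in ipaddress.ip_network(n, strict=False) for n in addrs)


@dataclass
class PolicyRule:
    rule_id: int                    # unique, but not what decides the match order
    name: str
    action: str                     # "permit" or "deny"
    src_zone: str = ANY
    dst_zone: str = ANY
    src_addrs: Tuple[str, ...] = (ANY,)
    dst_addrs: Tuple[str, ...] = (ANY,)
    services: Tuple[ServiceRule, ...] = (ServiceRule("all"),)
    enabled: bool = True            # a disabled rule is skipped by the lookup

    def matches(self, pkt: Packet) -> bool:
        return (self.enabled
                and self.src_zone in (ANY, pkt.src_zone)
                and self.dst_zone in (ANY, pkt.dst_zone)
                and addr_listed(pkt.src_ip, self.src_addrs)
                and addr_listed(pkt.dst_ip, self.dst_addrs)
                and any(s.matches(pkt) for s in self.services))


@dataclass
class SecurityPolicy:
    rules: List[PolicyRule] = field(default_factory=list)
    default_action: str = "deny"    # the guide's default for unmatched traffic

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, rule_id); rule_id is None when the default action applied."""
        for rule in self.rules:     # list position is the query order
            if rule.matches(pkt):
                return rule.action, rule.rule_id
        return self.default_action, None

    def move(self, rule_id: int, position: str, ref_id: Optional[int] = None) -> None:
        """position: 'top', 'bottom', 'before' or 'after' (the last two relative to ref_id)."""
        rule = self.rules.pop(next(i for i, r in enumerate(self.rules) if r.rule_id == rule_id))
        if position in ("top", "bottom"):
            self.rules.insert(0 if position == "top" else len(self.rules), rule)
        else:
            ref = next(i for i, r in enumerate(self.rules) if r.rule_id == ref_id)
            self.rules.insert(ref + (1 if position == "after" else 0), rule)


def sample_policy() -> SecurityPolicy:
    """Constructed sample rule base; zones, addresses and ports are illustrative."""
    return SecurityPolicy(rules=[
        PolicyRule(1, "allow-web-out", "permit", "trust", "untrust", ("10.1.0.0/16",),
                   services=(ServiceRule("tcp", 80), ServiceRule("tcp", 443))),
        PolicyRule(2, "block-ssh-to-dmz", "deny", "trust", "dmz", services=(ServiceRule("tcp", 22),)),
        PolicyRule(3, "allow-dmz-web", "permit", "trust", "dmz", dst_addrs=("192.168.100.0/24",)),
        PolicyRule(4, "allow-ping", "permit", "trust", "dmz",
                   services=(ServiceRule("icmp", icmp_type=8, code_max=None),)),
    ])
```

Moving rule 3 before rule 2 in the sample turns the SSH verdict from deny into permit while neither rule's ID changes, which is exactly why the Position option, not the ID, is what a rule review has to read.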

Schedule Validity Check

To make sure that schedule-based policies are still effective, the system provides a method to check the validity of policies. After the check, invalid schedule-based policies are highlighted in yellow.
To check schedule validity:

1. Select Policy > Security Policy > Policy.

2. Click the icon and select Schedule Validity Check. After the check, the system highlights invalid schedule-based policies in yellow. You can also view the validity status in the policy list.

Showing Disabled Policies

To show disabled policies:

1. Select Policy > Security Policy > Policy.

2. Click the icon and select Show Disabled Policies. The disabled policies are highlighted in gray in the policy list.

Notes:

- By default (the "Schedule Validity Check" and "Show Disabled Policies" options are not selected), the policy list only displays the enabled policies, which are not highlighted.

- When you select both "Schedule Validity Check" and "Show Disabled Policies", the policy list is managed as follows:

  - The policy list displays the "Validity" column, which shows the validity status of policies.

  - An invalid schedule-based policy is highlighted in yellow, whether or not the policy is disabled.

  - A valid schedule-based policy that is disabled is highlighted in gray.

Importing Policy Rule

You can import a local policy rule configuration file into the device instead of creating the policy rules manually. Only the DAT file format is currently supported.
To import a policy rule configuration file, take the following steps:

1. Click Policy > Security Policy > Policy.

2. Click the Import button to open the Import page.

3. Click Browse and select the local configuration file of policy rule to upload.

4. Click OK, and the imported policy rule will be displayed in the list.

Notes:

- If an error occurs during the import, the system stops importing immediately and rolls back the configuration automatically.

- The imported policy is displayed at the bottom of the policy list.

Exporting Policy Rule

You can export the policy rules existing on the device to your local machine in HTML or DAT format. At the same time, all the custom objects such as address book, service book and application entries can be exported.
To export the policy rules, take the following steps:

1. Click Policy > Security Policy > Policy.

2. Click Export to open the Export page.

Configure the options as follows:

Option Description

Range: Specify the range of policy rules to be exported.

- All Policy: Select the radio button to export all policy rules on the device.

- Selected Policy: In the policy list, select the policy to be exported, and then click Export > Selected Policy.

- Page Range: Select the radio button, and enter the page number or page range of the policy list to be exported. Note: Separate page numbers or ranges with semicolons, e.g. "3;5-8".

Export Address, Service, APP Book: Select the check box to export all the custom objects, including address book, service book and application book. A Zip file named "book+exported time" will be generated.

Export Policy in DAT Format: Select the check box to export the policy configurations in DAT format.

3. Click OK to download the exported files. There are four kinds of files: policyExport.html, "policy+exported time.zip", "book+exported time.zip" and the policy configurations in DAT format.

4. Double-click policyExport.html, click Import File and import "policy+exported time.zip" to view the table of exported policies.

5. Double-click policyExport.html, click Import File and import "book+exported time.zip" to view the table of object configurations.
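The Page Range option accepts a semicolon-separated list of page numbers and inclusive ranges such as "3;5-8". The Python below is an added example written for this guide, not StoneOS code, showing how such a selection can be expanded and validated before it is used; the `page_count` argument (the number of pages in the policy list) is an assumption of the example.

```python
"""Expand and validate an export page selection such as "3;5-8".
Added example, not product code; the page_count bound is an assumption."""
from typing import List


def parse_page_ranges(spec: str, page_count: int) -> List[int]:
    """Return the sorted, de-duplicated page numbers selected by `spec`.

    Entries are separated by semicolons, the separator the Export page expects; each
    entry is a single page or an inclusive "lo-hi" range. Anything else, or a page
    outside 1..page_count, raises ValueError so that a bad selection fails loudly
    instead of silently exporting the wrong pages.
    """
    pages = set()
    for entry in spec.split(";"):
        entry = entry.strip()
        if not entry:
            continue                               # tolerate a trailing "3;5-8;" separator
        if "-" in entry:
            lo_text, hi_text = entry.split("-", 1)
            lo, hi = int(lo_text), int(hi_text)    # int() rejects "3,5", "a" and "" itself
            if lo > hi:
                raise ValueError(f"range start exceeds end: {entry!r}")
        else:
            lo = hi = int(entry)
        if lo < 1 or hi > page_count:
            raise ValueError(f"page(s) outside 1-{page_count}: {entry!r}")
        pages.update(range(lo, hi + 1))
    if not pages:
        raise ValueError("no pages selected")
    return sorted(pages)


def is_valid_page_spec(spec: str, page_count: int) -> bool:
    """Convenience wrapper for callers that only want a yes/no answer."""
    try:
        parse_page_ranges(spec, page_count)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_page_ranges("3;5-8", 10))       # [3, 5, 6, 7, 8]
    print(is_valid_page_spec("8-5", 10))        # False: reversed range
```

Overlapping entries such as "2-4;3-5" collapse to one set of pages, and a reversed range or an out-of-bounds page is reported rather than being silently dropped.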

Searching Policy Rule

To view the detailed information of the policy rules that match five-tuple filtering conditions (source IP address, destination IP address, protocol, source port and destination port), take the following steps:

1. Click Policy > Security Policy > Policy.

2. Click Search to open the configuration page.

Configure the options as follows:

Option Description

Source Zone: Click the drop-down list to select the specified source zone, and search for the policy rules that comply with the specified source zone.

Source Address: Enter the source address in the text box to search for the policy rules that comply with the specified source address. The source address supports fuzzy matching, so the search finds the policy rules containing the entered address.

Destination Zone: Click the drop-down list to select the specified destination zone, and search for the policy rules that comply with the specified destination zone.

Destination Address: Enter the destination address in the text box to search for the policy rules that comply with the specified destination address. The destination address supports fuzzy matching, so the search finds the policy rules containing the entered address.

Protocol: Select the protocol type in the Protocol drop-down list to search for the policy rules that comply with the specified protocol.

- When the protocol is specified as TCP or UDP, you can specify the source/destination port range. The value range is 0-65535. If you specify the same minimum and maximum source/destination port number, the system uses this port number as the single source/destination port number.

- When the protocol is specified as ICMP, the type and code range can be specified. If you specify the same minimum and maximum code value, the system uses the code value as a single code value. The value range of the code is 0-15.

- When the protocol is specified as ICMPv6, the type and code range can be specified. If you specify the same minimum and maximum code value, the system uses the code value as a single code value. The value range of the code is 0-255.

- When the protocol is specified as another protocol type, configuring the port range or code range is not supported.

Note: If you specify a port range or code range, the maximum port number/code value and the minimum port number/code value must be configured at the same time.

3. Click OK. The list displays the search results.

4. If you need to clear the configuration and display all the policy rules, click Clear Search
Conditions.

Notes: The search function and the filter conditions are mutually exclusive and cannot be configured at the same time. When the search function is configured, the filter condition configuration is cleared, and vice versa.

Configuring Policy Audit Function

The system supports the policy audit function. When you create or modify a policy rule/aggregate policy, you can use this function to add policy audit comments to the policy rule/aggregate policy, so that the reasons for changes and the change history of the policy rule/aggregate policy can be understood later.

Enabling the Configuration Audit Function

By default, the configuration audit function is disabled. To enable this function, take the following steps:

1. Select System > Device Management > Option.

2. In the System Setting page, select the Enable button for Configuration Audit, and click
OK.

Adding the Audit Comment

When you create or modify a policy rule/aggregate policy, you can add policy audit comments to it. Take the following steps:

1. Click Policy > Security Policy > Policy.

2. Click the New drop-down list and select Policy or Aggregate Policy, or select the policy rule/aggregate policy that needs to be edited in the list and click Edit.

3. In the Audit Comment text box in the Policy Configuration page, enter the content of the
comment.

4. Click OK.

After deleting, pasting, moving, enabling or disabling a policy rule/aggregate policy, adding a rule to an aggregate policy, or removing a rule from an aggregate policy, the Audit Comment dialog box pops up, and you need to fill in the comment content in the dialog box.

Viewing audit history

Under the Audit Comment text box in the Policy Configuration page, click the Version Logs to
open the Policy Audit page to view the audit history of policy rules/aggregate policies.

- In the Version Logs list, the version number, modification date, modification name, and audit comment content of the selected policy rule/aggregate policy are displayed. The Version is assigned automatically by the system and restarts from 1 after the factory settings are restored.

- Click the version number to open the Policy Configuration Details page to view the detailed configuration information of the policy.

- Select the two items that need to be compared and click Compare. The Results page below displays the policy configuration information of the two versions, with the differing content highlighted in yellow.

- Select an item, click Export, specify the name of the exported file and the export file format (TXT or CSV) in the Audit Export page, and then click OK. The browser launches the default download tool to download the export file compression package.

Notes: Only the system administrator (admin) can export the audit history files.

Configuring an Aggregate Policy


According to the needs of different scenarios, you can create an aggregate policy and add policy rules with the same effect or the same attributes to it. If the administrator adjusts the position of an aggregate policy, the positions of all its members are adjusted accordingly, so policy rules can be managed in bulk.
Configuring an aggregate policy includes: creating an aggregate policy, adding an aggregate policy member, removing an aggregate policy member, deleting an aggregate policy, adjusting the position of an aggregate policy, and enabling/disabling an aggregate policy.

Creating an Aggregate Policy

To create an aggregate policy, take the following steps:

1. Click Policy > Security Policy > Policy.

2. Click the New drop-down list, and select Aggregate Policy to open the Aggregate Policy Configuration page.

On the Aggregate Policy Configuration tab, complete the basic configuration information.

Option Description

Name: Specifies the name of the aggregate policy. The range is 1 to 95 characters.

Position: The rule position can be an absolute position, i.e., at the top or bottom, or a relative position, i.e., before or after an ID or a name. In the Position drop-down list, select a position for the aggregate policy.

Description: Type a description into the Description box.

Audit Comment: After the "Configuration Audit" function is enabled, this option is required when creating or modifying an aggregate policy, and you must add policy audit comments in the text box. The range is 1 to 255 characters. For detailed operation of this function, refer to Configuring Policy Audit Function. When the "Configuration Audit" function is not enabled, this option is optional and the range is 0 to 255 characters. To enable or disable the "Configuration Audit" function, configure it in the Option page (System > Device Management > Option); refer to Configuration Audit.

3. Click OK to save your settings.

Adding an Aggregate Policy Member

After creating an aggregate policy, the administrator can add a policy rule to the aggregate policy to
be an aggregate policy member. There are two methods for adding an aggregate policy member.

- Editing the policy configuration:

As shown above, take the following steps:

1. Click Policy > Security Policy > Policy.

2. Select the policy rule that you want to add to an aggregate policy from the list.

3. Click Edit to open the Policy Configuration page.

4. Click Options to expand the relevant configuration items.

5. Click the Aggregate Policy drop-down menu, and select the aggregate policy to which you want to add the rule.

6. Click OK.

- Selecting the policy rule you want to add:

As shown above, take the following steps:

1. Click Policy > Security Policy > Policy.

2. Select the policy rule that you want to add to an aggregate policy from the list. You can select multiple policy rules at a time.

3. Click the Add to aggregate policy drop-down list, and select the aggregate policy to which you want to add the rule.
Removing an Aggregate Policy Member

To remove a member from an aggregate policy, take the following steps:

1. Click Policy > Security Policy > Policy.

2. In the list, click the arrow before an aggregate policy to expand it.

3. Select the aggregate policy member that you want to remove. You can select multiple policy
rules at a time.

4. Click the Move out from aggregate policy button.

Notes:

- If the member at the top position is removed from an aggregate policy, the removed member is placed before the aggregate policy.

- If a member at a non-top position is removed from an aggregate policy, the removed member is placed after the aggregate policy.

- If several consecutive aggregate policy members (including the member at the top position) are removed, they are all placed before the aggregate policy together.

Deleting an Aggregate Policy

To delete an aggregate policy, take the following steps:

1. Click Policy > Security Policy > Policy.

2. Select the aggregate policy that you want to delete from the list.

3. Click Delete.

4. Select a deletion method from the drop-down list.

- Delete aggregate policy and members: When the aggregate policy is deleted, the members in it are also deleted.

- Delete aggregate policy, unbind members: When the aggregate policy is deleted, all members in it are removed from it but kept.

5. Click OK.

Adjusting Position of an Aggregate Policy

The administrator can adjust the position of an aggregate policy by the following two methods.
After the adjustment, the positions of all its members will be adjusted accordingly.

- Editing the aggregate policy configuration:

As shown above, take the following steps:

1. Click Policy > Security Policy > Policy.

2. Select the aggregate policy whose position you want to adjust from the list.

3. Click Edit to open the Aggregate Policy Configuration page.

4. Click the Position drop-down list, and select a position for the aggregate policy.

- Adjusting directly in the policy list:

As shown above, take the following steps:

1. Click Policy > Security Policy > Policy.

2. Select the aggregate policy whose position you want to adjust from the list.

3. Click Move.

4. In the pop-up menu, click Top or Bottom, or type the rule ID/name and click Before ID, After ID, Before Name or After Name. The rule is then moved before or after the specified ID or name.

Notes:

- The method for adjusting the position of an aggregate policy member is the same as the method for adjusting the position of an aggregate policy.

- The position of an aggregate policy member can only be adjusted within the aggregate policy to which it belongs.

- Adding a policy rule to, or removing a policy rule from, an aggregate policy by adjusting the position of the policy rule is not supported.

Enabling/Disabling an Aggregate Policy

By default, the configured aggregate policy will take effect immediately. By disabling an aggregate
policy, the administrator can terminate its control over the traffic.
To enable/disable an aggregate policy, take the following steps:

1. Click Policy > Security Policy > Policy.

2. Select the aggregate policy that you want to enable/disable from the list.

3. Click the icon, and then select Enable or Disable to enable or disable the aggregate policy.

The disabled rule is not displayed in the list. Click the icon, and then select Show Disabled Policies to show disabled rules.

Notes:

- After an aggregate policy is disabled, its members are disabled too.

- After an aggregate policy is enabled, the original status (enabled/disabled) of its members remains unchanged. For example, if the original status of an aggregate policy member is "disabled", the status remains unchanged after the policy to which it belongs is enabled.

Configuring a Policy Group


You can organize several policy rules together to form a policy group, and configure the policy group directly.
Configuring a security policy group includes: creating a policy group, deleting a policy group, enabling/disabling a policy group, adding/deleting a policy rule member, editing a policy group and showing disabled policy groups.

Creating a Policy Group

To create a policy group, take the following steps:

1. Select Policy > Security Policy > Policy Group.

2. Click New to open the Policy Group Configuration page.

Configure the corresponding options.

Option Description

Name: Specifies the name of the policy group. The length is 1 to 95 characters.

Description: Specifies the description. You can enter at most 255 characters.

Add Policy: In the policy rules list, select the security policy rules that you want to add to the policy group.

3. Click OK to save your settings.

Deleting a Policy Group

To delete a policy group, take the following steps:

1. Select Policy > Security Policy > Policy Group.

2. Select the check box of the policy group that you want to delete, and click Delete.

Enabling/Disabling a Policy Group

By default, the configured policy group takes effect immediately.

To enable/disable a policy group, take the following steps:

1. Select Policy > Security Policy > Policy Group.

2. Select the check box of the policy group that you want to enable or disable, and click the enable button under the Status column. The Status column shows one icon for the enabled state and a different icon for the disabled state.

Adding/Deleting a Policy Rule Member

To add a policy rule member to the policy group, take the following steps:

1. Select Policy > Security Policy > Policy Group.

2. In the policy group list, click the "+" in front of the policy group item to expand the mem-
ber list of the policy group.

3. Click Add Members button to open the Policy Group-Add policy page, which displays the
list of policy rules that are not added to policy group.

4. Select the check box of the policy rules that you want to add to the policy group.

5. Click OK to save your settings.

Notes: A policy rule can only be added to one policy group.

To delete a policy rule member from the policy group, take the following steps:

1. Select Policy > Security Policy.

2. At the top-right corner of list, click Policy Group to enter the Security Policy Group page.

3. In the policy group list, click the "+" in front of the policy group item to expand the mem-
ber list of the policy group.

4. Select the check box of the policy group that needs to be deleted, and click Delete.

Editing a Policy Group

To modify the name or description of policy group, take the following steps:

1. Select Policy > Security Policy > Policy Group.

2. Select the check box of the policy group that you want to edit, and click Edit.

3. Modify the name or description of policy group in the Policy Group Configuration page.

Showing Disabled Policy Group

To show disabled policy groups, take the following steps:

1. Select Policy > Security Policy > Policy Group.

2. Select the check box of Show Disabled Policy Group. The disabled policy group will be dis-
played in the policy group list, otherwise the policy group list will show only the enabled
policy group.

Mini Policy
A mini policy is a kind of policy rule that uses only the source/destination address, protocol, destination port and source/destination zone as traffic filtering conditions, and permits (Permit) or denies (Deny) the traffic as its action. The system supports configuring a large number of mini policies, so it can meet larger policy storage requirements.
The maximum number of mini policies supported differs between device platforms; refer to the actual device limit (Capacity).

Notes:

- Mini policy does not support adjusting priority.

- The matching priority is: mini policy > policy rule > default action. That is, traffic is first matched against the mini policies and then against the policy rules. When it matches no configured mini policy or policy rule, the system processes the traffic according to the specified default action. For the configuration of the default action, see Configuring Default Action.
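The evaluation order that this note and Configuring Default Action describe (mini policies first, then policy rules, each tier first-match, and the default action only for traffic that matches neither) can be modelled in a few lines. The following Python is an added example written for this guide, not StoneOS code: the Rule and Packet shapes, the sample rules and the packets are constructed, and matching on a single CIDR, a single zone and a single destination port per rule is a simplification of what the device actually supports.

```python
"""Model of StoneOS policy evaluation order: mini policy > policy rule > default action.
Added example; the Rule/Packet shapes and the sample data are constructed, not product code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "permit" or "deny"
    src_zone: str = "any"
    dst_zone: str = "any"
    src: str = "0.0.0.0/0"          # one CIDR per rule keeps the model small (assumption)
    dst: str = "0.0.0.0/0"
    protocol: str = "any"           # "any", "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None  # None = any port; mini policies use a single port
    enabled: bool = True


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    protocol: str
    dst_port: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every configured field must match; unset fields ("any", None, 0.0.0.0/0) match
    anything. A disabled rule is skipped, so it no longer controls traffic."""
    if not rule.enabled:
        return False
    if rule.src_zone != "any" and rule.src_zone != pkt.src_zone:
        return False
    if rule.dst_zone != "any" and rule.dst_zone != pkt.dst_zone:
        return False
    # "address in network" is simply False for mismatched IP versions, never an error
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


# Constructed sample rule base (not from any device).
SAMPLE_MINI: Tuple[Rule, ...] = (
    Rule("mini-block-ssh", "deny", src="10.0.0.0/8", dst="192.168.1.10/32",
         protocol="tcp", dst_port=22),
)
SAMPLE_RULES: Tuple[Rule, ...] = (
    Rule("allow-web", "permit", src_zone="trust", dst_zone="untrust",
         protocol="tcp", dst_port=443),
    Rule("old-allow-all", "permit", enabled=False),   # disabled: must never match
)


def evaluate(pkt: Packet,
             mini_policies: Sequence[Rule] = SAMPLE_MINI,
             policy_rules: Sequence[Rule] = SAMPLE_RULES,
             default_action: str = "deny") -> Tuple[str, str, Optional[str]]:
    """Return (action, tier, rule_name). Mini policies are consulted first, then the
    policy rules in list order (first match wins); traffic matching neither receives the
    default action, which the guide says is deny unless an administrator changes it."""
    for tier, rules in (("mini", mini_policies), ("rule", policy_rules)):
        for rule in rules:
            if rule_matches(rule, pkt):
                return rule.action, tier, rule.name
    return default_action, "default", None


if __name__ == "__main__":
    for pkt in (Packet("trust", "untrust", "10.1.1.1", "192.168.1.10", "tcp", 22),
                Packet("trust", "untrust", "10.1.1.1", "198.51.100.7", "tcp", 443),
                Packet("trust", "untrust", "10.1.1.1", "198.51.100.7", "tcp", 80)):
        print(pkt.dst, pkt.dst_port, "->", evaluate(pkt))
```

The third sample packet shows why the default action matters: nothing in either tier claims it, so the configured default (deny unless changed) decides its fate, and the disabled "old-allow-all" rule correctly has no say.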

Configuring a Mini Policy

The configuration of mini policy includes:

l Creating / Deleting a mini policy

l Editing a mini policy

l Viewing the mini policy information

l Viewing the mini policy hit information

Creating a Mini Policy

To create a mini policy, take the following steps:

1. Select Policy > Security Policy > Mini Policy.

2. Click New to open the Mini Policy Configuration page.

Configure the corresponding options.

Option Description

Type: Specifies the IP address type; you can select IPv4 or IPv6. This option can only be configured when the version supports IPv6. After IPv6 is selected, the system only supports the configuration of an IPv6/prefix length, IP address range or IP address entry in IPv6 format.

Source Zone: Specifies the source zone of the mini policy. Click the drop-down list and select a created zone, or click the icon to create a new zone. If not specified, the default is "Any".

Source Address (Required): Specifies the source address of the mini policy. Enter the source address in the text box, which can be specified as an IPv4 address or an IPv6 address.

Destination Zone: Specifies the destination zone of the mini policy. Click the drop-down list and select a created zone, or click the icon to create a new zone. If not specified, the default is "Any".

Destination Address (Required): Specifies the destination address of the mini policy. Enter the destination address in the text box, which can be specified as an IPv4 address or an IPv6 address.

Protocol Type (Required): Select the protocol type from the drop-down list.

Destination Port: When the protocol type is specified as TCP or UDP, the destination port must be specified. The value range is 1-65535. For other protocol types, this option is not supported.

Action (Required): Specifies the action of the mini policy, including:

- Permit: Permits the traffic to pass through.

- Deny: Denies the traffic.

Log: You can log policy rule matching in the system logs according to your needs; multiple options are available.

- Deny: Record session rejection log information.

- Session start: Record session establishment log information.

- Session end: Record session end log information.

Description: Specifies the description of the mini policy. The length of the description is 0 to 31 bytes.

3. Click OK to save your settings.

Deleting a Mini Policy

To delete a mini policy, take the following steps:

1. Select Policy > Security Policy > Mini Policy.

2. Select the check box of the mini policy that you want to delete, and click Delete.

Editing a Mini Policy

To modify the configuration of mini policy, take the following steps:

1. Select Policy > Security Policy > Mini Policy.

2. Select the check box of the mini policy that you want to edit, and click Edit.

3. Modify the configuration of the mini policy in the Mini Policy Configuration page.

Notes: The type of mini policy cannot be modified.

Enabling/Disabling a Mini Policy

By default, the configured mini policy takes effect immediately.

To enable/disable a mini policy, take the following steps:

1. Select Policy > Security Policy > Mini Policy.

2. Select the check box of the mini policy that you want to enable or disable.

3. Click the icon, and then select Enable or Disable to enable or disable the rule.

The disabled rule is not displayed in the list. Click the icon, and then select Show Disabled Mini Policies to show disabled rules.

Viewing and Searching Security Policy Rules/ Policy Groups/ Mini Policy
You can view and search the policy rules, policy groups and mini policies in the policy/ policy group/ mini policy list.

Viewing the Policy/ Policy Group/ Mini Policy

View the security policy rules in the policy rule list.

- Each column displays the corresponding configurations.

- Click the icon under the Session Detail column in the Policy list to open the Session Detail page. You can view the current session status of the selected policy. You can also click the button to add filtering conditions and search out the filtered sessions.

- Hover your mouse over the configuration in a certain column. Then, based on the configuration type, the WebUI displays either an icon or the detailed configurations.

  - You can view the detailed configurations directly.

  - You can click the icon. Based on the configuration type, the WebUI displays Add Filter or Details.

    - Click Details to see the detailed configurations.

    - Click Add Filter, and the filter condition of the configuration you are hovering over appears at the top of the list; you can then filter the policies according to that filter condition. For detailed information on filtering policy rules, see Searching Security Policy Rules/ Policy Groups.

View the policy groups in the policy group list.

- Each column displays the corresponding configurations.

- You can view the current policy group status in the Status column, which shows one icon for the enabled state and a different icon for the disabled state.

View the mini policy rules in the mini policy list.

- Each column displays the corresponding configurations.

- The ID column shows the ID automatically assigned by the system to the mini policy. The ID must be unique in the entire system. The starting ID of the mini policy is 1000001, and the ID range varies between device platforms.

Searching Security Policy Rules/ Policy Groups/ Mini Policy

Use the Filter to search for the policy rules that match the filter conditions.

1. Click Policy > Security Policy > Policy, Policy > Security Policy > Policy Group or Policy
> Security Policy > Mini Policy.

2. At the top-right corner of the Security Policy/ Security Policy Group page, click Filter. A new row appears at the top.

3. Click Filter to add a new filter condition. Then select a filter condition from the drop-down menu and enter a value.

4. Press Enter to search for the policy rules that match the filter conditions.

5. Repeat the above two steps to add more filter conditions. The relationship between the filter conditions is AND.

6. To delete a filter condition, hover your mouse over that condition and then click the icon. To close the filter, click the icon on the right side of the row.

Save the filter conditions.

1. After adding the filter conditions, click the icon, and in the drop-down menu click Save Filters.

2. Specify the name of the filter condition to save. The maximum length of the name is 32 characters, and the name supports only Chinese and English characters and underscores.

3. Click the Save button on the right side of the text box.

4. To use a saved filter condition, double-click its name.

5. To delete a saved filter condition, click the icon on the right side of the filter condition.

Notes:

- You can add up to 20 filter conditions as needed.

- After the device has been upgraded, the saved filter conditions are cleared.

Policy Optimization
When there are a large number of policy rules on the device, it is hard to determine which rules have not been used for a long time and can be deleted. To help, the system supports Policy Hit Analysis, the Rule Redundancy Check, and the Policy Assistant.

Policy Hit Analysis

Policy Hit Analysis checks the policy rule hit counts: when traffic matches a certain policy rule, the hit count of that rule increases by 1 automatically. With the statistics of the first hit time, the last hit time, and the days since the last hit, you can identify the policy rules that need to be cleared. You can view specific policy rules by setting up filters.
To check the hit counts, take the following steps:

1. Select Policy > Security Policy > Policy Optimization, and select the Policy Hit Analysis
tab.

2. Select filter conditions from the Filter drop-down list, and configure filter conditions as
needed.

Configure the options as follows.

Option Description

Days Since First Hit >: Specify a number of days since the first hit. The policy rules whose first hit is older than that number of days are displayed.

Days Since Last Hit >: Specify a number of days since the last hit. The policy rules whose last hit is older than that number of days are displayed.

Days Since Policy Created >: Specify a number of days since the policy was created. The policy rules created more than that number of days ago are displayed.

3. Click the Export button, and the analysis of the filtered policy rules is exported in CSV format.

4. Press Enter or click any blank space on the page to view the latest result of Policy Optimization.

5. Click the icon in front of the policy ID to view the details of the policy rule.

6. Click the icon on the right side to save the selected filters. Click Save Filters, type the name of the filters and click Save. After saving, the combined filters can be selected directly in the drop-down list.

7. To delete a filter condition, hover your mouse over that condition and then click the icon. To delete all filter conditions, click the icon on the right side of the row.

To clear a policy hit count, take the following steps:

1. Select Policy > Security Policy > Policy Optimization, and select the Policy Hit Analysis
tab.

2. Click Clear to open the Clear page.

Configure the following options.

Option Description

All policies: Clears the hit counts of all policy rules.

Default policy: Clears the hit counts of the default action policy rules.

Policy ID: Clears the hit counts of the policy rule with the specified ID.

Name: Clears the hit counts of the policy rule with the specified name.

3. Click OK.

You can also perform other operations:

- Click the icon to delete the policy rule.

- Click the icon to disable the policy rule.
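The exported CSV is the natural input for an offline review of idle rules. The Python below is an added example written for this guide, not StoneOS code: it derives the three "Days Since ..." values from a constructed sample export and applies the "Days Since Last Hit >" idea to flag rules worth reviewing. The column names in SAMPLE_CSV are an assumption, as is the fixed TODAY date that keeps the example reproducible; adjust the keys to match a real export.

```python
"""Policy hit analysis over an exported hit report. Added example, not StoneOS code;
the CSV layout and every value in it are constructed for illustration."""
import csv
import io
from datetime import date, datetime
from typing import List, Optional

# Constructed sample in the spirit of the CSV that the Export button produces; the real
# column names may differ, so adapt the keys in load_hit_stats() to your own export.
SAMPLE_CSV = """\
id,name,hit_count,first_hit,last_hit,created
1,allow-dns,15234,2022-01-05,2022-09-15,2021-12-01
2,legacy-ftp,3,2022-01-09,2022-02-01,2021-12-01
3,never-hit,0,,,2022-03-10
4,allow-web,99102,2022-03-11,2022-09-16,2022-03-10
"""
TODAY = date(2022, 9, 16)   # fixed reference date so the example is reproducible


def _days_since(value: str, today: date) -> Optional[int]:
    """Days between an ISO date in the export and `today`; None for a blank cell."""
    if not value:
        return None
    return (today - datetime.strptime(value, "%Y-%m-%d").date()).days


def load_hit_stats(text: str = SAMPLE_CSV, today: date = TODAY) -> List[dict]:
    """Parse the export and derive the three "Days Since ..." values the filter offers."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "id": int(rec["id"]),
            "name": rec["name"],
            "hit_count": int(rec["hit_count"]),
            "days_since_first_hit": _days_since(rec["first_hit"], today),
            "days_since_last_hit": _days_since(rec["last_hit"], today),
            "days_since_created": _days_since(rec["created"], today),
        })
    return rows


def stale_candidates(text: str = SAMPLE_CSV, today: date = TODAY,
                     last_hit_over: int = 90, created_over: int = 30) -> List[str]:
    """Names of rules worth reviewing for removal: rules idle for more than
    `last_hit_over` days (the "Days Since Last Hit >" filter), plus rules created more
    than `created_over` days ago that have never matched anything. A never-hit rule has
    no last-hit date at all, so it has to be judged by its age, not by an idle period."""
    names = []
    for row in load_hit_stats(text, today):
        if row["hit_count"] == 0:
            age = row["days_since_created"]
            if age is not None and age > created_over:
                names.append(row["name"])
        elif row["days_since_last_hit"] > last_hit_over:
            names.append(row["name"])
    return names


if __name__ == "__main__":
    for row in load_hit_stats():
        print(row)
    print("review for removal:", stale_candidates())
```

Flagging is only a starting point: a rule that covers a yearly batch job or a disaster-recovery path can legitimately sit idle for months, so the candidates still need an owner's confirmation before they are disabled or deleted.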

Rule Redundancy Check

To make sure that the rules in the policy are effective, the system provides a method to check for conflicts among the rules in a policy. With this method, administrators can check whether rules overshadow each other.
To start a rule redundancy check, take the following steps:

1. Select Policy > Security Policy > Policy Optimization, and select the Redundancy Check
tab.

2. Select Redundancy Check. After the check, the system lists the policy rules that are overshadowed.

Notes: The status is shown below the policy list while the redundancy check is running. It is not recommended to edit a policy rule during the redundancy check. You can click the icon to stop the check manually.
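A rule is overshadowed when an earlier rule in first-match order already covers every packet the later rule could match, so the later rule never fires. The Python below is an added example written for this guide, not the StoneOS implementation: it performs that pairwise coverage check on an ordered list of constructed rules. The PolicyRule shape (one CIDR per side, one zone per side, one destination port range) is an assumption of the example, and the check is deliberately conservative, as the lead comment explains.

```python
"""Rule redundancy (shadowing) check for an ordered, first-match policy list.
Added example, not the StoneOS implementation; the rule shape and sample rules are
constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class PolicyRule:
    id: int
    action: str
    src_zone: str = "any"
    dst_zone: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    protocol: str = "any"
    dst_ports: Tuple[int, int] = (0, 65535)   # inclusive range; only meaningful for tcp/udp


def _zone_covers(a: str, b: str) -> bool:
    return a == "any" or a == b


def _net_covers(a: str, b: str) -> bool:
    na, nb = ip_network(a), ip_network(b)
    return na.version == nb.version and nb.subnet_of(na)


def _ports_cover(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    return a[0] <= b[0] and b[1] <= a[1]


def covers(earlier: PolicyRule, later: PolicyRule) -> bool:
    """True when every packet `later` could match would already match `earlier`:
    each field of `later` must sit inside the corresponding field of `earlier`."""
    return (_zone_covers(earlier.src_zone, later.src_zone)
            and _zone_covers(earlier.dst_zone, later.dst_zone)
            and _net_covers(earlier.src, later.src)
            and _net_covers(earlier.dst, later.dst)
            and (earlier.protocol == "any" or earlier.protocol == later.protocol)
            and _ports_cover(earlier.dst_ports, later.dst_ports))


def find_shadowed(rules: Sequence[PolicyRule]) -> List[Tuple[int, int]]:
    """Return (shadowed_id, shadowing_id) pairs in list order. The action is ignored on
    purpose: a rule hidden behind a broader earlier rule never fires whatever its action,
    and a deny sitting behind a broader permit is the case that most often surprises
    administrators. The check is conservative: a rule covered only by the union of
    several earlier rules is not reported, so an empty result is not proof of no overlap."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                found.append((later.id, earlier.id))
                break
    return found


# Constructed sample rule base (not taken from any device).
SAMPLE_RULES = (
    PolicyRule(1, "permit", "trust", "untrust", "10.0.0.0/8", "0.0.0.0/0", "tcp", (1, 65535)),
    PolicyRule(2, "deny", "trust", "untrust", "10.1.0.0/16", "203.0.113.0/24", "tcp", (22, 22)),   # never fires: 1 is broader
    PolicyRule(3, "permit", "trust", "untrust", "10.0.0.0/8", "0.0.0.0/0", "udp", (53, 53)),      # protocol differs from 1
    PolicyRule(4, "permit", "dmz", "untrust", "192.168.0.0/16", "0.0.0.0/0", "tcp", (443, 443)),   # source zone differs
    PolicyRule(5, "permit", "trust", "untrust", "10.2.0.0/16", "0.0.0.0/0", "any", (0, 65535)),    # broader protocol than 1
)

if __name__ == "__main__":
    for shadowed, by in find_shadowed(SAMPLE_RULES):
        print(f"rule {shadowed} is shadowed by rule {by}")
```

Rule 2 in the sample is the pattern worth watching for in a real rule base: an explicit deny that an administrator believes is blocking SSH, placed after a permit that already allows all TCP from the same network, so the deny is dead and the traffic is allowed.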

Configuring the Policy Assistant

The policy assistant helps users generate targeted policies more quickly and accurately. With this function, the system can analyze the traffic of a specified policy ID, optimize the traffic by setting replacement conditions and aggregation conditions, generate address books and service books on the basis of the traffic, and then generate the target policies.
Click Policy > Security Policy > Policy Optimization, and select the Policy Assistant tab. In the Policy Assistant tab, generate target policies by following the wizard:
Display Traffic -> Replace -> Aggregate -> Generate Address book -> Generate Service book -> Generate Policy

Enabling the Policy Assistant

Before configuring any policy assistant function, enable the function on the policy first.

1. Select Policy > Security Policy > Policy.

2. Create a rule, or select an existing rule for which you want to enable the policy assistant
function, and click Edit to open the Policy Configuration page.

3. Expand Options, and click the Policy Assistant button to enable the function.

Notes: In the root VSYS, at most 4 policies can have the policy assistant function enabled;
in a non-root VSYS, only 1 policy can.

Displaying Traffic

On the Display Traffic page, the source zone, source IP, destination zone, destination IP and
service of the traffic that hit the selected policy ID are displayed.
To display the traffic data, take the following steps:

1. Click Policy > Security Policy > Policy Optimization, and select the Policy Assistant tab.

2. Click Display Traffic on the configuration wizard.

Configure the options as follows:

Option: Description
Traffic Search: From the Policy ID drop-down list, select the ID of a policy that has the policy assistant function enabled, and click Search Traffic; the traffic that hit the policy is displayed in the list below. Note:
  • At most 1,000 traffic records can be displayed in the list. When more than 1,000 records are collected, the oldest records are overwritten.
  • If the selected policy is edited, the policy assistant function is disabled, or the device is rebooted, the traffic data is cleared.
Traffic Filtering: Edit the filtering conditions; the filtered traffic data is displayed in the list.
Hide description/Show description: Click the Hide description or Show description button in the upper right corner to hide or show the step-by-step instructions of the policy assistant.
Clear: Click the Clear button to delete the searched traffic data from the list. Note: Make sure the searched traffic has been analyzed before clearing it.

3. Click Next to enter into the next configurations.

Replacing Policy

You can set replacement conditions for the source IP, destination IP or service. When an item of
the searched traffic meets a condition, the item is replaced with that condition.

Application Scenario Example

For example, the admin gets some traffic data originating from 172.16.1.10. After analyzing the
traffic, the admin judges that source IP as normal, and judges every address in 172.16.1.0/24
as normal too. To enlarge the source IP range to 172.16.1.0/24, the admin can set 172.16.1.0/24
as the replacement condition on the Replace Policy page; the source IP of every searched traffic
record that falls within that range is then changed to 172.16.1.0/24.
Because the replacement widens what the generated policy will match, only use a range whose
addresses have all been judged legitimate.

Configuring Replacement Conditions

To configure replacement conditions for the policy items, take the following steps:

1. Click Replace Policy on the configuration wizard.

Configure the options as follows:

Option: Description
Source IP: Specify the replacement conditions for the source IP. At most 3 conditions can be set for the source IP.
  1. Click the add button.
  2. Select IP/Netmask or IP Range from the drop-down list and set the replacement condition as needed.
Destination IP: Specify the replacement conditions for the destination IP. At most 3 conditions can be set for the destination IP.
  1. Click the add button.
  2. Select IP/Netmask or IP Range from the drop-down list and set the replacement condition as needed.
Service: Specify the replacement conditions for the service. At most 3 conditions can be set for the service.
  1. Click the add button.
  2. Select the protocol from the drop-down list and set the port range as needed.

2. Click Next to enter the next configurations.

Aggregating Policy

You can aggregate policy items that share the same source IP, destination IP and service, so as to
reduce redundant policies.
To aggregate policies, take the following steps:

1. Click Aggregate Policy on the configuration wizard.

2. Select the aggregation conditions: Source IP, Destination IP, Service or Application. The policy
items in the list are aggregated according to the selected conditions.

3. Select the Address Book Generation conditions, Source IP or Destination IP, to enable the
Address Book Generation function. The corresponding address book entries are then listed in the
"Generating Address book" step according to the selected generation conditions. By default, all
Address Book Generation conditions are selected. If no condition is selected, the Address Book
Generation function is disabled, the "Generate Address Book" step is removed from the
configuration wizard, and the system generates policies based on IP addresses rather than on
address books.

4. Click Next to enter into the next configurations.

Generating Address book

The searched traffic data shows the source IP and the destination IP. After the replacing and
aggregating steps, if you selected Address Book Generation conditions in the Aggregate step, the
address book entries that can be generated are displayed on the Generate Address book page. You
can select the entries you want, generate them as address books, and add them to the system
address books.
If you do not want to generate address books, click Next to enter the next configurations directly.
To generate address book, take the following steps:

1. Click Generate Address book on the configuration wizard. The Generate Address Book
page lists all address book entries, including their type, members and status.

2. Specify the prefix for the source address books in the list. The range is 1 to 80 characters.
The default prefix is "policy_assistant_src". When a prefix is specified, the names of the
source address books in the list change to "<the specified prefix>_addr<serial number>".

3. Specify the prefix for the destination address books in the list. The range is 1 to 80 characters.
The default prefix is "policy_assistant_dst". When a prefix is specified, the names of the
destination address books in the list change to "<the specified prefix>_addr<serial number>".

4. Select the check box before each address book entry you want and click the Generate Address
book button; the corresponding address books are generated (and can be seen in
Object > Address Book). After an address book is generated successfully, the Status column
shows Generated; if generation fails, the Status column shows the failure reason.

5. Click Next to enter into the next configurations.

Generating Service Book

The searched traffic data shows the protocol and port, and you can generate the corresponding
service books from them. After the replacing, aggregating and address book generation steps,
the service book entries that can be generated are displayed on the Generate Service book
page. You can select the entries you want, generate them as service books, and add them to the
system service books.
If you do not want to generate service books, click Next to enter the next configurations directly.
To generate service books, take the following steps:

1. Click Generate Service Book on the configuration wizard. The Generate Service Book page
lists all service book entries, including their protocol, destination/source port and status.

2. Specify the prefix for the service books in the list. The range is 1 to 95 characters. The default
prefix is "policy_assistant". When a prefix is specified, the names of the service books in the list
change to "<the specified prefix> + protocol configuration".

3. Select the check box before each service book entry you want and click Generate Service;
the corresponding service books are generated (and can be seen in Object > Service
Book > Service). After a service book is generated successfully, the Status column shows
Generated; if generation fails, the Status column shows the failure reason.

4. Click Next to enter into the next configurations.

Generating Policy

The Generate Policy page lists all policy items that result from the Replace, Aggregate,
Generate Address Book and Generate Service Book steps. Select the policy items you need to
generate policies; the generated policies are displayed on the Security Policy > Policy page.
Note: In the generated security policies, the source IP, destination IP, service and application
are determined by the selected aggregation conditions, while the source zone, destination zone
and action stay the same as in the original policy. Review each generated policy before enabling
it: its match conditions are as wide as the replaced and aggregated traffic.
To generate policies, take the following steps:

1. Click Generate Policy on the configuration wizard.

Configure the options as follows:

Option: Description
Generate & Enable: Select the check box before the policy items you need and click Generate & Enable; the policies take effect after generation. The generated policies are displayed on the Policy page, above the original policies.
Generate & Disable: Select the check box before the policy items you need and click Generate & Disable; the policies do not take effect after generation. The generated policies are displayed on the Policy page, above the original policies.
Delete: Select the check box before the policy items you need and click Delete; the policy items are deleted.

2. Click Finish to finish the configurations of policy assistant.
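The Replace, Aggregate, Generate Address book and Generate Service book steps above amount to a reduction of the observed traffic. The following added example (not StoneOS code and not part of this guide) runs that reduction on a constructed set of traffic records: it replaces hosts that fall inside a configured IP/Netmask or IP Range condition, collapses the records on the selected aggregation conditions, then assigns address book and service book names from the prefixes. The record layout, the condition dictionaries, the `run_assistant` function and the exact book name layout (`<prefix>_addr<n>` and `<prefix>_<proto>_<port>`) are assumptions of this example.

```python
"""Policy-assistant style reduction of observed traffic: Replace -> Aggregate -> name books.

Added example, not StoneOS code. The traffic records, condition dictionaries and the
book-name layout ("<prefix>_addr<n>" for addresses, "<prefix>_<proto>_<port>" for
services) are assumptions of this illustration.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed records of traffic that hit the analysed policy: (src_ip, dst_ip, proto, dst_port)
TRAFFIC = [
    ("172.16.1.10", "10.9.0.5", "tcp", 443),
    ("172.16.1.22", "10.9.0.5", "tcp", 443),
    ("172.16.1.35", "10.9.0.6", "tcp", 8443),
    ("172.16.2.7",  "10.9.0.5", "tcp", 443),   # outside 172.16.1.0/24: stays a single host
    ("172.16.1.10", "10.9.0.5", "udp", 53),
]

# Source zone, destination zone and action are carried over from the original policy (constructed).
ORIGINAL_POLICY = {"src_zone": "trust", "dst_zone": "dmz", "action": "permit"}


def replace_ip(ip, conditions):
    """Return the first IP/Netmask or IP Range condition that contains ip, else the host itself."""
    addr = ip_address(ip)
    for cond in conditions:
        if cond["type"] == "IP/Netmask" and addr in ip_network(cond["value"], strict=False):
            return cond["value"]
        if cond["type"] == "IP Range":
            lo, hi = (ip_address(x) for x in cond["value"].split("-"))
            if lo <= addr <= hi:
                return cond["value"]
    return f"{ip}/32"


def replace_service(proto, port, conditions):
    """Return the first protocol/port-range condition containing the service, else the exact service."""
    for cond in conditions:
        lo, hi = cond["ports"]
        if cond["proto"] == proto and lo <= port <= hi:
            return f"{proto}/{lo}-{hi}"
    return f"{proto}/{port}"


def aggregate(records, keys):
    """Collapse records onto the selected aggregation conditions; unselected fields become 'any'."""
    pos = {"src": 0, "dst": 1, "service": 2}
    items = Counter()
    for rec in records:
        items[tuple(rec[pos[k]] if k in keys else "any" for k in ("src", "dst", "service"))] += 1
    return items


def run_assistant(traffic=TRAFFIC, src_conds=(), dst_conds=(), svc_conds=(),
                  keys=("src", "dst", "service"), src_prefix="policy_assistant_src",
                  dst_prefix="policy_assistant_dst", svc_prefix="policy_assistant"):
    replaced = [(replace_ip(s, src_conds), replace_ip(d, dst_conds), replace_service(p, port, svc_conds))
                for s, d, p, port in traffic]
    items = aggregate(replaced, set(keys))
    # Book names: serial numbers follow first-seen order (an assumption of this example).
    srcs = dict.fromkeys(it[0] for it in items if it[0] != "any")
    dsts = dict.fromkeys(it[1] for it in items if it[1] != "any")
    svcs = dict.fromkeys(it[2] for it in items if it[2] != "any")
    src_book = {v: f"{src_prefix}_addr{n}" for n, v in enumerate(srcs, 1)}
    dst_book = {v: f"{dst_prefix}_addr{n}" for n, v in enumerate(dsts, 1)}
    svc_book = {v: f"{svc_prefix}_{v.replace('/', '_')}" for v in svcs}
    policies = [dict(ORIGINAL_POLICY, src=src_book.get(s, s), dst=dst_book.get(d, d),
                     service=svc_book.get(v, v), hits=n) for (s, d, v), n in items.items()]
    return {"items": items, "src_book": src_book, "dst_book": dst_book,
            "svc_book": svc_book, "policies": policies}


if __name__ == "__main__":
    result = run_assistant(src_conds=[{"type": "IP/Netmask", "value": "172.16.1.0/24"}])
    for pol in result["policies"]:
        print(pol)
```

With the 172.16.1.0/24 IP/Netmask condition, the records from that subnet collapse onto the subnet while 172.16.2.7 keeps its own entry, giving four policy items. Narrowing `keys` to `("src",)` reduces the list to two items, which is the trade-off the Aggregate step asks you to make consciously: fewer policies, wider match.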

User Online Notification
The system provides a policy-based user online notification function, which combines the WebAuth
function and the Web redirect function.
After the user online notification function is configured, the system redirects your HTTP request to
a notification page the first time you visit the Internet. A prompt page (see the picture below) is
shown first; after you click continue on that page, the system redirects your request to the
specified notification page. To visit your original URL, type the URL into the Web browser again.

Before you enable the user online notification function, you must configure the WebAuth
function. For more information about configuring WebAuth, see "Web Authentication" on
Page 329.

Configuring User Online Notification

To configure the user online notification function, take the following steps:

1. Select Policy > Security Policy.

2. Select the security policy rule on which you want to enable the user online notification
function. Generally, select the rule that is listed below the WebAuth policy rule and whose
action is permit, so that it carries the HTTP traffic.

3. Click Edit.

4. In the Policy Configuration page, click the Enable Web Redirect button and type the noti-
fication URL into the Notification page URL box.

5. Click OK to save the settings.

Configuring the Parameters of User Online Notification

The parameters are:

• Idle time: The time an online user stays online without transmitting traffic. When the idle
time is exceeded, the user's next HTTP request is redirected to the user online notification page
again.

• Background picture: You can change the background picture of the prompt page.

To configure the parameters, take the following steps:

1. Select Policy > Security Policy.

2. Select the security policy rule with the user online notification function enabled.

3. Click the menu icon and select Web Redirect Configuration.

4. Type the idle time value into the Idle time box. The default value is 30 minutes. The range
is 0 to 1440 minutes.

5. Change the background picture of the prompt page. Click Browse to choose the picture you
want, and then click Upload. The uploaded picture must be zipped and named logo.jpg, with
a suggested size of 120 px by 40 px.

Viewing Online Users

After configuring the user online notification function, you can get the information of online
users from the Online Notification Users dialog box.

1. Select Policy > Security Policy.

2. Click the menu icon and select Web Redirect IP List.

3. In the Web Redirect IP List page, view the following information.

Option: Description
IP address: The IP address of the online user.
Sessions: The number of sessions of the online user.
Interface: The source interface of the online user.
Lifetime (s): The period of time for which the user has been online.
Expiration (s): The idle time of the user.

iQoS
The system provides iQoS (intelligent quality of service), which guarantees the customer's network
performance, manages and optimizes key bandwidth for critical business traffic, and helps the
customer make full use of their bandwidth resources.
iQoS gives different priorities to different traffic in order to control delay and jitter and to
reduce the packet loss rate. iQoS assures the normal transmission of critical business traffic
when the network is overloaded or congested. iQoS is controlled by license; to use iQoS, apply for
and install the iQoS license.

Notes: If you had configured the previous QoS function before upgrading the system to
version 5.5, the previous QoS function stays in effect: you still configure it in the CLI,
and the new iQoS function of version 5.5 cannot be used, is not displayed in the WebUI
and does not take effect. If you had not configured the previous QoS function before
upgrading to version 5.5, the system enables the new iQoS function of version 5.5: you
configure iQoS in the WebUI and the previous QoS function does not take effect.

Implement Mechanism
Packets are classified and marked after they enter the system through the ingress interface. For the
classified and marked traffic, the system either forwards the traffic smoothly through the shaping
mechanism or drops excess traffic through the policing mechanism. If the shaping mechanism is
selected to forward the traffic, the congestion management and congestion avoidance mechanisms
give different priorities to different types of packets, so that packets of higher priority pass
through the gateway earlier and network congestion is avoided.
In general, implementing QoS includes:

• Classification and marking mechanism: Classification and marking is the process of identifying
the priority of each packet. This is the first step of iQoS.

• Policing and shaping mechanisms: Policing and shaping are used to identify traffic violations
and respond to them. The policing mechanism checks the traffic in real time and takes immediate
action according to the settings when it discovers a violation. The shaping mechanism works
together with the queuing mechanism; it makes sure that the traffic never exceeds the defined
flow rate, so that the traffic passes through the interface smoothly.

• Congestion management mechanism: Congestion management uses queuing theory to solve
problems on congested interfaces. As the data rate differs between networks, congestion can
occur on both the wide area network (WAN) and the local area network (LAN). Queuing only
begins to work when an interface is congested.

• Congestion avoidance mechanism: Congestion avoidance supplements the queuing algorithm
and also relies on it. The congestion avoidance mechanism is designed to process TCP-based
traffic.

Pipes and Traffic Control Levels

The system supports two-level traffic control: level-1 control and level-2 control. In each level, the
traffic control is implemented by pipes.

Pipes

The device implements iQoS by configuring pipes. A pipe is a virtual concept that represents the
bandwidth of a transmission path. The system classifies traffic with the pipe as the unit, and
controls the traffic crossing each pipe according to the actions defined for that pipe. All traffic
crossing the device flows into the virtual pipe whose traffic matching conditions it matches. Traffic
that matches no condition flows into the default pipe predefined by the system.
Pipes, except the default pipe, consist of two parts of configuration: traffic matching conditions and
traffic management actions:

• Traffic matching conditions: Define the conditions that classify traffic crossing the device
into the matching pipes. The system limits the bandwidth of the traffic that matches the
conditions. You can define multiple traffic matching conditions for a pipe; the logical relation
between the conditions is OR, so traffic that matches any one condition of a pipe enters that
pipe. If the same conditions are configured in different root pipes, the traffic matches the root
pipe listed highest in the Level-1 Control list on the Policy > iQoS page.

• Traffic management actions: Define the actions applied to the traffic that has been classified
into a pipe. Data stream control includes forward control and backward control. Forward
control controls the traffic that flows from the source to the destination; backward control
controls the traffic that flows from the destination to the source.

To provide flexible configuration, the system supports multiple-level pipes. Configuring
multiple-level pipes lets you limit the bandwidth of different applications of different users, which
ensures bandwidth for key services and users. Pipes can be nested to at most four levels, and sub
pipes cannot be nested under the default pipe. The logical relation between pipes is shown below:

• You can create multiple independent root pipes. At most three levels of sub pipes can be
nested under a root pipe.

• For the sub pipes at the same level, the total of their minimum bandwidth cannot exceed the
minimum bandwidth of their parent pipe, and the total of their maximum bandwidth cannot
exceed the maximum bandwidth of their parent pipe.

• If you have configured forward or backward traffic management actions for the root pipe, all
sub pipes that belong to this root pipe inherit the traffic direction set on the root pipe.

• A root pipe configured with only backward traffic management actions does not work.

The following chart illustrates the application of multiple-level pipes in a company. The
administrator can create the following pipes to limit the traffic:

1. Create a root pipe to limit the traffic of the office located in Beijing.

2. Create a sub pipe to limit the traffic of its R&D department.

3. Create a sub pipe to limit the traffic of specified applications so that each application has
its own bandwidth.

4. Create a sub pipe to limit the traffic of specified users so that each user gets the defined
bandwidth when using the specified application.

Traffic Control Levels

The system supports two-level traffic control: level-1 control and level-2 control. In each level, the
traffic control is implemented by pipes. Traffic that has been dealt with by level-1 control flows into
level-2 control, where the system performs further management and control according to the pipe
configuration of level-2 control. After traffic flows into the device, iQoS processes it as shown
below:

According to the chart above, the process of traffic control is described below:

1. The traffic first flows into level-1 control, and the system classifies the traffic into different
pipes according to the traffic matching conditions of the level-1 pipes. Traffic that matches no
pipe is classified into the default pipe. If the same conditions are configured in different root
pipes, the traffic matches the root pipe listed highest in the Level-1 Control list on the
Policy > iQoS page. After the traffic flows into the root pipe, the system classifies it into sub
pipes according to the traffic matching conditions of each sub pipe.

2. According to the traffic management actions configured for the pipes, the system manages and
controls the traffic that matches the traffic matching conditions.

3. The traffic dealt with by level-1 control flows into level-2 control, where the system manages
and controls it again. The principles of traffic matching, management and control are the same
as in level-1 control.

4. The iQoS process is complete.
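An added example (not StoneOS code and not part of this guide) that encodes the pipe rules stated in this section and in "Pipes" above: conditions within a pipe are ORed, root pipes are tried in list order, unmatched traffic falls into the default pipe, sub pipes nest at most three levels under a root pipe, the default pipe has no sub pipes, and the sibling minimum and maximum bandwidth totals cannot exceed the parent's. The flow fields, condition keys, `Pipe` class, bandwidth figures and the `classify`/`validate` functions are constructed for this illustration.

```python
"""Pipe tree validation and first-match classification for multi-level iQoS pipes.

Added example, not StoneOS code. It encodes the rules stated in the guide:
conditions inside a pipe are ORed, root pipes are tried in list order, unmatched
traffic falls into the default pipe, sub pipes nest at most three levels below a
root pipe, the default pipe has no sub pipes, and the sibling minimum (maximum)
bandwidth totals cannot exceed the parent's minimum (maximum). Flow fields,
condition keys and bandwidth figures (Mbps) are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Pipe:
    name: str
    conditions: list = field(default_factory=list)  # list of dicts; OR between dicts, AND inside one
    min_bw: int = 0
    max_bw: int = 0
    children: list = field(default_factory=list)
    is_default: bool = False


def condition_matches(cond, flow):
    """Every field named in the condition must hold; 'any' matches everything."""
    for key, want in cond.items():
        if want == "any":
            continue
        if key in ("src", "dst"):
            if ip_address(flow[key]) not in ip_network(want, strict=False):
                return False
        elif flow.get(key) != want:
            return False
    return True


def pipe_matches(pipe, flow):
    return pipe.is_default or any(condition_matches(c, flow) for c in pipe.conditions)


def classify(level_pipes, flow):
    """One control level: the first matching root pipe wins, then the first matching
    sub pipe at each lower level. Returns the pipe path as a list of names."""
    for root in level_pipes:
        if not pipe_matches(root, flow):
            continue
        path, node = [root.name], root
        while True:
            child = next((c for c in node.children if pipe_matches(c, flow)), None)
            if child is None:
                return path
            path.append(child.name)
            node = child
    return None  # not reached when the level ends with the default pipe


def validate(level_pipes, max_sub_levels=3):
    """Return the list of constraint violations; an empty list means the tree is acceptable."""
    problems = []

    def walk(pipe, depth):
        if pipe.is_default and pipe.children:
            problems.append(f"{pipe.name}: the default pipe cannot have sub pipes")
        if depth > max_sub_levels:
            problems.append(f"{pipe.name}: nested deeper than {max_sub_levels} sub-pipe levels")
        if pipe.children:
            if sum(c.min_bw for c in pipe.children) > pipe.min_bw:
                problems.append(f"{pipe.name}: sub pipes' minimum bandwidth total exceeds the parent's")
            if sum(c.max_bw for c in pipe.children) > pipe.max_bw:
                problems.append(f"{pipe.name}: sub pipes' maximum bandwidth total exceeds the parent's")
        for c in pipe.children:
            walk(c, depth + 1)

    for root in level_pipes:
        walk(root, 0)
    return problems


# Constructed Level-1 Control list. A root pipe has a single pipe bandwidth, so min == max.
BEIJING = Pipe("beijing-office", [{"src": "10.10.0.0/16"}], 100, 100, children=[
    Pipe("rnd", [{"src": "10.10.5.0/24"}], 40, 80, children=[
        Pipe("rnd-git", [{"app": "git"}, {"service": "tcp/22"}], 20, 50),   # two ORed conditions
        Pipe("rnd-video", [{"app": "video"}], 10, 30),
    ]),
    Pipe("sales", [{"src": "10.10.6.0/24"}], 20, 20),
])
GUEST = Pipe("guest-wifi", [{"src": "10.10.0.0/16"}], 10, 10)   # same condition as BEIJING
DEFAULT = Pipe("default", is_default=True)
LEVEL1 = [BEIJING, GUEST, DEFAULT]   # GUEST never sees 10.10/16 traffic: BEIJING is listed first

# Over-committed tree: sibling minimums (30 + 30) and maximums (50 + 50) both exceed the parent (50).
OVERCOMMITTED = Pipe("root", [{"src": "any"}], 50, 50, children=[
    Pipe("a", [{"src": "any"}], 30, 50), Pipe("b", [{"src": "any"}], 30, 50)])
```

`classify` returns the pipe path a flow takes through one control level; list GUEST before BEIJING and the same 10.10.5.7 flow lands in guest-wifi, which is the list-order rule to keep in mind whenever two root pipes overlap. `validate` is the check to run before applying a tree: OVERCOMMITTED reports both a minimum and a maximum violation.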

Enabling iQoS
To enable iQoS, take the following steps:

1. Select Policy > iQoS > Configuration.

2. Click the Enable iQoS button.

3. Select the Enable Threshold Alarm check box and specify the alarm threshold in the Alarm
Threshold text box. The range is 50 to 100; the default value is 80. After the function is
enabled and the alarm threshold is specified, when the usage of a pipe reaches or exceeds the
alarm threshold, the system records a warning-level event log. For the same pipe, the system
records the event log at most once every 10 seconds.

4. If you click the Enable NAT IP matching button in Level-1 Control or Level-2 Control, the
system uses the IP addresses between source NAT and destination NAT as the matching
items. If the match succeeds, the system limits the rate of these IP addresses.

Notes: Before enabling NAT IP matching, you must configure the NAT rules.
Otherwise, the configuration does not take effect.

5. Click Apply to save the configurations.

Pipes
The device implements iQoS by using pipes. Pipes in different traffic control levels take effect at
different stages.
Configuring a pipe includes the following parts:

1. Create the traffic matching conditions, which capture the traffic that matches them. If multiple
traffic matching conditions are configured for a pipe, the logical relation between the
conditions is OR.

2. Create a white list if required. The system does not control the traffic in the white list. Only
the root pipe and the default pipe support the white list.

3. Specify the traffic management actions, which deal with the traffic classified into the pipe.

4. Specify the schedule. The pipe takes effect during the specified time period.

Basic Operations

Select Policy > iQoS > Policy to open the Policy page.

You can perform the following actions on this page:

• Disable the level-2 traffic control: Click Disable second level control. The pipes in the level-2
traffic control no longer take effect, and the Level-2 Control tab no longer appears on this page.

• View pipe information: The pipe list displays the name, mode, action, schedule and
description of the pipes.

• Click the expand icon to expand a root pipe and display its sub pipes.

• Click the condition icon of a root pipe or sub pipe to view its condition settings.

• Click the white list icon of a root pipe to view its white list settings.

• A usable root pipe, an unusable root pipe, a usable sub pipe and an unusable sub pipe are each
shown with their own icon; gray text indicates that the pipe is disabled.

• Create a root pipe: Select the Level-1 Control or Level-2 Control tab, then click New in the
menu bar to create a new root pipe.

• Create a sub pipe: Click the add icon of a root pipe or sub pipe to create a sub pipe under it.

• Click Enable in the menu bar to enable the selected pipe. A newly created pipe is enabled by
default.

• Click Disable in the menu bar to disable the selected pipe. A disabled pipe does not take effect.

• Click Delete to delete the selected pipe. The default pipe cannot be deleted.

Configuring a Pipe

To configure a pipe, take the following steps:

1. According to the methods above, create a root pipe or sub pipe. The Pipe Configuration
page appears.

2. On this page, specify the basic pipe information.

Option: Description
Parent Pipe/Control Level: Displays the control level or the parent pipe of the newly created pipe.
Pipe Name: Specify a name for the new pipe.
Description: Specify a description of this pipe.
Mode: Shape, Policy or Monitor.
  • Shape mode limits the data transmission rate and forwards the traffic smoothly. This mode supports bandwidth borrowing and priority adjusting for the traffic within the root pipe.
  • Policy mode drops the traffic that exceeds the bandwidth limit. This mode does not support bandwidth borrowing or priority adjusting, and cannot guarantee the minimum bandwidth.
  • Monitor mode monitors the matched traffic and generates statistics, but does not control the traffic.
  • Bandwidth borrowing: All sub pipes in a root pipe can lend their idle bandwidth to pipes that are short of bandwidth, provided that their own bandwidth is still enough to forward the traffic in their pipes.
  • Priority adjusting: When traffic congestion occurs, the system places the traffic in a waiting queue. You can give traffic a higher priority, and the system deals with the traffic in order of precedence.
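To show how the Shape and Policy modes differ in practice, here is an added example (not StoneOS code and not part of this guide) that allocates one root pipe's bandwidth among its sub pipes under constructed demand. The Shape path honours each sub pipe's minimum, lends idle bandwidth in priority order up to each maximum, keeps a reserved minimum out of the lending pool, and queues what it cannot send; the Policy path caps each sub pipe at its maximum, drops the excess, and gives no minimum guarantee. The `SubPipe` class, all figures, and how Policy mode sheds a root pipe overflow (trimming the last listed pipes first) are assumptions of this example.

```python
"""Shape versus Policy mode inside one root pipe (added example, not StoneOS code).

Units are Mbps; pipe parameters and demands are constructed. Shape: guarantee each
sub pipe's minimum, then lend the root's idle bandwidth in priority order (0 is
highest) up to each maximum, keep a reserved minimum out of the lending pool, and
queue the rest. Policy: cap each sub pipe at its maximum and drop the excess, with
no borrowing and no minimum guarantee. How Policy mode sheds a root-pipe overflow
(trimming the last listed pipes first) is an assumption of this example.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class SubPipe:
    name: str
    min_bw: int
    max_bw: int
    priority: int = 7        # 0..7, smaller is higher; the default pipe uses 7
    reserved: bool = False   # Enable Reserved Bandwidth: an idle minimum is not lent out


def shape(root_bw, pipes, demand):
    """Return (sent, queued) per pipe name."""
    sent = {p.name: min(demand[p.name], p.min_bw) for p in pipes}       # minimums first
    held = sum(p.min_bw - sent[p.name] for p in pipes if p.reserved)    # reserved but idle
    spare = root_bw - sum(sent.values()) - held
    for p in sorted(pipes, key=lambda p: p.priority):                   # borrowing by priority
        want = min(demand[p.name], p.max_bw) - sent[p.name]
        grant = max(0, min(want, spare))
        sent[p.name] += grant
        spare -= grant
    queued = {p.name: demand[p.name] - sent[p.name] for p in pipes}
    return sent, queued


def police(root_bw, pipes, demand):
    """Return (sent, dropped) per pipe name."""
    sent = {p.name: min(demand[p.name], p.max_bw) for p in pipes}       # hard cap, no minimum
    over = sum(sent.values()) - root_bw
    for p in reversed(pipes):                                           # shed overflow from the last pipes
        if over <= 0:
            break
        cut = min(over, sent[p.name])
        sent[p.name] -= cut
        over -= cut
    dropped = {p.name: demand[p.name] - sent[p.name] for p in pipes}
    return sent, dropped


ROOT_BW = 100
PIPES = [
    SubPipe("voip", min_bw=20, max_bw=40, priority=0),
    SubPipe("erp",  min_bw=30, max_bw=60, priority=2, reserved=True),
    SubPipe("bulk", min_bw=10, max_bw=100, priority=6),
]
PIPES_NO_RESERVE = [replace(p, reserved=False) for p in PIPES]
DEMAND_BURST = {"voip": 35, "erp": 10, "bulk": 90}       # erp mostly idle, bulk wants everything
DEMAND_CONGESTED = {"voip": 40, "erp": 60, "bulk": 20}   # total demand exceeds the root bandwidth


if __name__ == "__main__":
    for label, fn, pipes, demand in [
        ("shape, reserved erp", shape, PIPES, DEMAND_BURST),
        ("shape, no reserve", shape, PIPES_NO_RESERVE, DEMAND_BURST),
        ("shape, congested", shape, PIPES, DEMAND_CONGESTED),
        ("policy, congested", police, PIPES, DEMAND_CONGESTED),
    ]:
        print(label, fn(ROOT_BW, pipes, demand))
```

With DEMAND_BURST, erp's reserved but idle 20 Mbps stays unused under Shape (bulk sends 35 instead of 55), which is the cost of Enable Reserved Bandwidth. With DEMAND_CONGESTED, Shape still delivers bulk's 10 Mbps minimum, while Policy lets bulk drop to 0: Policy mode cannot guarantee a minimum, as the Mode description above states.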

3. In Condition, click New.

In the Condition Configuration page, configure the corresponding options.

Option: Description
Type: Select the IP type, IPv4 or IPv6. Only IPv6 firmware supports configuring IPv6 conditions. If IPv6 is selected, every IP/netmask, IP range and address entry configured must be in IPv6 format.

Source Information

Zone: Specify the source zone of the traffic. Select the zone name from the drop-down menu.
Interface: Specify the source interface of the traffic. Select the interface name from the drop-down menu.
Address: Specify the source address of the traffic.
  1. Select an address type from the Address drop-down list.
  2. Select or type the source addresses based on the selected type.
  3. Click Add to add the addresses to the left pane.
  4. After adding the desired addresses, click Close to complete the address configuration.
  You can also perform other operations:
  • When the Address Book type is selected, you can click the add icon to create a new address entry.
  • The default address configuration is any. To restore this default, select the any check box.
Destination Information

Zone: Specify the destination zone of the traffic. Select the zone name from the drop-down menu.
Interface: Specify the destination interface of the traffic. Select the interface name from the drop-down menu.
Address: Specify the destination address of the traffic.
  1. Select an address type from the Address drop-down list.
  2. Select or type the destination addresses based on the selected type.
  3. Click Add to add the addresses to the right pane.
  4. After adding the desired addresses, click Close to complete the address configuration.
  You can also perform other operations:
  • When the Address Book type is selected, you can click the add icon to create a new address entry.
  • The default address configuration is any. To restore this default, select the any check box.

User Information: Specify a user or user group that the traffic belongs to.
  1. From the User drop-down menu, select the AAA server where the users and user groups reside.
  2. Depending on the type of AAA server, you can search for a user/user group/role, expand the user/user group list, or enter the name of the user/user group.
  3. After selecting users/user groups/roles, click them to add them to the left pane.
  4. After adding the desired objects, click Close to complete the user information configuration.
Service: Specify a service or service group that the traffic belongs to.
  1. From the Service drop-down menu, select a type: Service or Service Group.
  2. Search for the desired service/service group, or expand the service/service group list.
  3. After selecting the desired services/service groups, click them to add them to the right pane.
  4. After adding the desired objects, click Close to complete the service configuration.
  You can also perform other operations:
  • To add a new service or service group, select User-defined from the "Predefined" drop-down list and click the add icon.
  • The default service configuration is any. To restore this default, select the any check box.

Application: Specify an application, application group or application filter that the traffic belongs to.
  1. From the Application drop-down menu, search for the desired application/application group/application filter, or expand the list of applications/application groups/application filters.
  2. After selecting the desired applications/application groups/application filters, click them to add them to the left pane.
  3. After adding the desired objects, click Close to complete the application configuration.
  You can also perform other operations:
  • To add a new application group, click the add icon.
  • To add a new application filter, click the add icon.
URL Category: Specify the URL category that the traffic belongs to. After a URL category is specified, the system matches the traffic against that category.
  1. In the URL category drop-down menu, select one or more URL categories, up to 8.
  2. After selecting the desired categories, click a blank area of the page to complete the configuration.
  To add a new URL category, click the add icon; the URL category page pops up, where you can configure the category name and URL.

Advanced

VLAN: Specify the VLAN information of the traffic.
TOS: Specify the TOS fields of the traffic, or click Configure to specify the TOS fields of the IP header of the traffic in the TOS Configuration page.
  • Precedence: Specify the precedence.
  • Delay: Specify the minimum delay.
  • Throughput: Specify the maximum throughput.
  • Reliability: Specify the highest reliability.
  • Cost: Specify the minimum cost.
  • Reserved: Specify the normal service.
TrafficClass: Specify the Traffic Class field (the IPv6 counterpart of the TOS field) of the traffic.

4. If you are configuring a root pipe, you can specify the white list settings in the same way as
the conditions described above.

5. In Action, configure the corresponding actions.

Forward (From source to destination)

The following configurations control the traffic that flows from the source to the destination. For
traffic that matches the conditions, the system performs the corresponding actions.

Pipe Bandwidth: When configuring a root pipe, specify the pipe bandwidth. When configuring a sub pipe, specify the maximum bandwidth and the minimum bandwidth of the pipe:
  • Min Bandwidth: Specify the minimum bandwidth. If this minimum bandwidth is to be reserved so that other pipes cannot use it, select Enable Reserved Bandwidth.
  • Max Bandwidth: Specify the maximum bandwidth.
Limit type: Specify how the bandwidth of the pipe is limited for each user/IP:
  • Type: Select the type of bandwidth limitation: No Limit, Limit Per IP, or Limit Per User.
    • No Limit: the system does not limit the bandwidth for each IP or each user.
    • Limit Per IP: the system limits the bandwidth for each IP. In the Limit by section, select Source IP to limit the bandwidth of each source IP in this pipe, or select Destination IP to limit the bandwidth of each destination IP in this pipe.
    • Limit Per User: the system limits the bandwidth for each user. In the Limit by section, specify the minimum/maximum bandwidth of the users.
  • When configuring a root pipe, you can select the Enable Average Bandwidth check box so that each source IP, destination IP or user gets an equal share of the bandwidth.
Limit by: When the Limit type is Limit Per IP or Limit Per User, specify the minimum bandwidth or the maximum bandwidth:
  • Min Bandwidth: Specify the minimum bandwidth.
  • Max Bandwidth: Specify the maximum bandwidth.
  • Delay: Specify the delay time, from 1 second to 3600 seconds. The maximum bandwidth limit of each IP/user is not enforced during the delay time.

Advanced

Priority: Specify the priority of the pipe. Select a number from 0 to 7 from the drop-down menu. The smaller the value, the higher the priority. The system deals with the traffic of a higher-priority pipe first and borrows spare bandwidth from other pipes for it. The priority of the default pipe is 7.

876 Chapter 10

Policy
TOS Specify the TOS fields of the traffic; or click Configure to
specify the TOS fields of the IP header of the traffic in
the appeared TOS Configuration page.

l Precedence: Specify the precedence.

l Delay: Specify the minimum delay.

l Throughput: Specify the maximum throughput.

l Reliability: Specify the highest reliability.

l Cost: Specify the minimum monetary cost.

l Reserved: Specify the normal service.

TrafficClass Specifies the value of the TrafficClass field for IPv6


traffic, The TrafficClass field value of IPv6 traffic match-
ing successfully will be set to the specified value.

Limit Oppos- Click the Enable button to configure the value of limit-
ite Band- strength.The smaller the value, the smaller the limit.
width

Backward (From condition's destination to source)

The following configurations control the traffic that flows from the destination to the source. For the traffic that matches the conditions, the system will perform the corresponding actions.

Pipe Bandwidth: When configuring the root pipe, specify the pipe bandwidth. When configuring the sub pipe, specify the maximum bandwidth and the minimum bandwidth of the pipe:

• Min Bandwidth: Specify the minimum bandwidth. If you want this minimum bandwidth to be reserved so that it cannot be used by other pipes, select Enable Reserved Bandwidth.

• Max Bandwidth: Specify the maximum bandwidth.

Limit type: Specify the maximum bandwidth and minimum bandwidth of the pipe for each user/IP:

• Type: Select the type of the bandwidth limitation: No Limit, Limit Per IP, or Limit Per User.

  • No Limit means that the system will not limit the bandwidth for each IP or each user.

  • Limit Per IP means that the system will limit the bandwidth for each IP. In the Limit by section, select Source IP to limit the bandwidth of the source IP in this pipe; or select Destination IP to limit the bandwidth of the destination IP in this pipe.

  • Limit Per User means that the system will limit the bandwidth for each user. In the Limit by section, specify the minimum/maximum bandwidth of the users.

• When configuring the root pipe, you can click the Enable Average Bandwidth button to make each source IP, destination IP, or user share an average bandwidth.

Limit by: When the Limit type is Limit Per IP or Limit Per User, you need to specify the minimum bandwidth or the maximum bandwidth:

• Min Bandwidth: Specify the minimum bandwidth.

• Max Bandwidth: Specify the maximum bandwidth.

• Delay: Specify the delay time, whose value ranges from 1 second to 3600 seconds. The maximum bandwidth limit of each IP/user is not effective within the delay time range.

Advanced

Priority: Specify the priority for the pipes. Select a number between 0 and 7 from the drop-down menu. The smaller the value is, the higher the priority is. When a pipe has higher priority, the system will first deal with the traffic in it and borrow the extra bandwidth from other pipes for it. The priority of the default pipe is 7.

TOS: Specify the TOS fields of the traffic; or click Configure to specify the TOS fields of the IP header of the traffic in the TOS Configuration page that appears.

• Precedence: Specify the precedence.

• Delay: Specify the minimum delay.

• Throughput: Specify the maximum throughput.

• Reliability: Specify the highest reliability.

• Cost: Specify the minimum monetary cost.

• Reserved: Specify the normal service.

Limit Opposite Bandwidth: Click the Enable button to configure the value of limit-strength. The smaller the value, the smaller the limit.

6. Click OK to save the settings.
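The Min/Max Bandwidth, Enable Reserved Bandwidth and Priority settings above only show their effect once the root pipe is oversubscribed. The following Python model is added here as an illustration; it is not code from this guide or from StoneOS, and its two-phase scheme (guaranteed minimums first, then the remainder lent out in priority order up to each pipe's maximum) is this example's own simplification of the behaviour the text describes, not the device's scheduler. The pipe names, bandwidth figures and demands are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Pipe:
    name: str
    min_bw: int              # Min Bandwidth (Mbps)
    max_bw: int              # Max Bandwidth (Mbps)
    priority: int            # 0 = highest ... 7 = lowest (the default pipe)
    reserved: bool = False   # Enable Reserved Bandwidth: min_bw is held back even when idle
    demand: int = 0          # offered load in Mbps (constructed sample values below)


def allocate(root_bw: int, pipes: List[Pipe]) -> Dict[str, int]:
    """Distribute root_bw among sub pipes (illustrative model).

    Phase 1 honours each pipe's minimum; a reserved minimum is taken out of
    the shared pool in full, a non-reserved one only as far as it is used.
    Phase 2 hands the leftover to pipes in priority order (0 first), up to
    each pipe's max_bw and demand, which models a higher-priority pipe
    borrowing spare bandwidth from the others.
    """
    for p in pipes:
        if not 0 <= p.priority <= 7:
            raise ValueError(f"{p.name}: priority must be between 0 and 7")
        if p.min_bw > p.max_bw:
            raise ValueError(f"{p.name}: minimum bandwidth exceeds maximum")
    if sum(p.min_bw for p in pipes) > root_bw:
        raise ValueError("guaranteed minimums exceed the root pipe bandwidth")

    alloc = {p.name: 0 for p in pipes}
    remaining = root_bw
    for p in pipes:                                       # phase 1: guaranteed minimums
        used = min(p.min_bw, p.demand)
        alloc[p.name] = used
        remaining -= p.min_bw if p.reserved else used
    for p in sorted(pipes, key=lambda x: x.priority):     # phase 2: borrow by priority
        want = min(p.max_bw, p.demand) - alloc[p.name]
        grant = max(0, min(want, remaining))
        alloc[p.name] += grant
        remaining -= grant
    return alloc


def sample_allocation(voip_reserved: bool) -> Dict[str, int]:
    """Constructed scenario: a 100 Mbps root pipe with three sub pipes."""
    pipes = [
        Pipe("voip", min_bw=20, max_bw=40, priority=0, reserved=voip_reserved, demand=10),
        Pipe("web", min_bw=10, max_bw=80, priority=3, demand=70),
        Pipe("bulk", min_bw=0, max_bw=100, priority=7, demand=100),
    ]
    return allocate(100, pipes)


if __name__ == "__main__":
    print(sample_allocation(True))    # idle reserved minimum stays unused: bulk only gets 10
    print(sample_allocation(False))   # non-reserved minimum is lent out: bulk gets 20
```

Running the two scenarios side by side shows the trade-off the Enable Reserved Bandwidth check box makes: the voice pipe keeps 10 Mbps of headroom ready at the cost of the lowest-priority pipe, whereas without the reservation the idle part of its minimum is lent to the priority-7 bulk pipe.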

Searching QoS Policy

Use the Filter to search for the QoS policy rules that match the filter conditions.

1. Click Policy > iQoS > Policy, and at the top-right corner of the page, click Filter. Then a new row appears at the top.

2. Click Filter to add a new filter condition. Then select a filter condition from the drop-down menu and enter a value.

3. Press Enter to search for the QoS policy rules that match the filter conditions.

4. Repeat the above two steps to add more filter conditions. The relationship between each filter condition is AND.

5. To delete a filter condition, hover your mouse over that condition and then click the delete icon. To close the filter, click the close icon on the right side of the row.

Viewing Statistics of Pipe Monitor

To view the statistics of pipe monitor, see "iQoS" on Page 858.

NAT

NAT, Network Address Translation, translates the IP address within an IP packet header to another IP address. When the IP packets pass through the devices or routers, the devices or routers will translate the source IP address and/or the destination IP address in the IP packets. In practice, NAT is mostly used to allow the private network to access the public network, and vice versa.

Basic Translation Process of NAT

When a device is implementing the NAT function, it lies between the public network and the private network. The following diagram illustrates the basic translation process of NAT.

As shown above, the device lies between the private network and the public network. When the internal PC at 10.1.1.2 sends an IP packet (IP packet 1) to the external server at 202.1.1.2 through the device, the device checks the packet header. Finding that the IP packet is destined to the public network, the device translates the source IP address 10.1.1.2 of packet 1 to the public IP address 202.1.1.1, which can get routed on the Internet, and then forwards the packet to the external server. At the same time, the device also records the mapping between the two addresses in its NAT table. When the response packet of IP packet 1 reaches the device, the device checks the packet header again, finds the mapping record in its NAT table, and replaces the destination address with the private address 10.1.1.2. In this process, the device is transparent to the PC and the server. The external server considers the IP address of the internal PC to be 202.1.1.1 and knows nothing about the private address 10.1.1.2. Therefore, NAT hides the private network of enterprises.

Implementing NAT

The devices translate the IP address and port number of the internal network host to the external network address and port number, and vice versa. This is the translation between "private IP address + port number" and "public IP address + port number".
The devices achieve the NAT function through the creation and implementation of NAT rules. There are two types of NAT rules: source NAT rules (SNAT Rule) and destination NAT rules (DNAT Rule). SNAT translates source IP addresses, thereby hiding the internal IP addresses or sharing the limited IP addresses; DNAT translates destination IP addresses, and usually the IP addresses of internal servers (such as the WWW server or SMTP server) protected by the device are translated to public IP addresses.
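To make the NAT table from the translation process above concrete, here is an added Python model of the device's role; it is example code, not the guide's or StoneOS's own. It rewrites the source of private-to-public packets as "public IP address + port number", records the mapping, restores the private address and port on the reply, and drops inbound packets for which no mapping exists, which is the mechanism behind "NAT hides the private network". The addresses follow the text (10.1.1.2, 202.1.1.1, 202.1.1.2); the port numbers, the RFC 1918 check and the unsolicited probe packet are constructed assumptions of this example.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# RFC 1918 ranges, used here to decide whether a packet is leaving the private network.
PRIVATE_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def is_private(ip: str) -> bool:
    return any(ip_address(ip) in net for net in PRIVATE_NETS)


class SourceNat:
    """The device between the private and the public network, translating to one public IP."""

    def __init__(self, public_ip: str, first_port: int = 10000):
        self.public_ip = public_ip
        self.next_port = first_port          # constructed starting point for translated ports
        # NAT table: (proto, public_ip, public_port) -> (private_ip, private_port)
        self.table: Dict[Tuple[str, str, int], Tuple[str, int]] = {}
        # reverse index so retransmissions of one flow keep their translated port
        self.flows: Dict[Tuple[str, str, int, str, int], int] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Private -> public: rewrite the source and record the mapping."""
        if not is_private(pkt.src) or is_private(pkt.dst):
            return pkt                        # not private-to-public traffic: left untouched
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.flows.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.flows[key] = port
            self.table[(pkt.proto, self.public_ip, port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Public -> private: only packets that match a recorded mapping get through."""
        entry = self.table.get((pkt.proto, pkt.dst, pkt.dport))
        if entry is None:
            return None                       # unsolicited: nothing reveals the private hosts
        private_ip, private_port = entry
        return replace(pkt, dst=private_ip, dport=private_port)


def walkthrough() -> Tuple[Packet, Optional[Packet], Optional[Packet]]:
    """The exchange from the text: PC 10.1.1.2 reaches server 202.1.1.2 through 202.1.1.1."""
    nat = SourceNat("202.1.1.1")
    packet1 = nat.outbound(Packet("10.1.1.2", 40000, "202.1.1.2", 80))
    response = nat.inbound(Packet("202.1.1.2", 80, packet1.src, packet1.sport))
    probe = nat.inbound(Packet("198.51.100.9", 4444, "202.1.1.1", 22))   # constructed, unsolicited
    return packet1, response, probe


if __name__ == "__main__":
    for p in walkthrough():
        print(p)
```

The server only ever sees 202.1.1.1 as the peer, and the probe to port 22 of the public address returns None because no session created it: without a DNAT rule, nothing inside is reachable from outside.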

Configuring SNAT

To create an SNAT rule, take the following steps:

1. Select Policy > NAT > SNAT.

2. Click New to open the SNAT Configuration page.

In this page, configure the following options.

Requirements

Virtual Router: Specifies a VRouter for the SNAT rule. The SNAT rule will take effect when the traffic flows into this VRouter and matches the SNAT rule conditions.

Type: Specifies the type of the SNAT rule, including IPv4, NAT46, NAT64, and IPv6. The configuration options for different types of SNAT rules may vary in this page; please refer to the actual page.

Source Address: Specifies the source IP address of the traffic, including:

• Address Entry - Select an address entry from the drop-down list.

• IP (IPv6) Address - Type an IP (IPv6) address into the box. Type an IPv4 address if the type of the SNAT rule is IPv4 or NAT46. Type an IPv6 address if the type of the SNAT rule is NAT64 or IPv6.

• IP/Netmask - Type an IPv4 address and its netmask into the box. This configuration option is available if the type of the SNAT rule is IPv4 or NAT46.

• IPv6/Prefix - Type an IPv6 address and its prefix length into the box. This configuration option is available if the type of the SNAT rule is NAT64 or IPv6.

Destination Address: Specifies the destination IP address of the traffic, including:

• Address Entry - Select an address entry from the drop-down list.

• IP (IPv6) Address - Type an IP (IPv6) address into the box. Type an IPv4 address if the type of the SNAT rule is IPv4 or NAT46. Type an IPv6 address if the type of the SNAT rule is NAT64 or IPv6.

• IP/Netmask - Type an IPv4 address and its netmask into the box. This configuration option is available if the type of the SNAT rule is IPv4 or NAT46.

• IPv6/Prefix - Type an IPv6 address and its prefix length into the box. This configuration option is available if the type of the SNAT rule is NAT64 or IPv6.

Ingress Traffic: Specifies the ingress traffic. The default value is all traffic.

• All traffic - Specifies all traffic as the ingress traffic. Traffic from any ingress interface will continue to match this SNAT rule.

• Ingress Interface - Specifies the ingress interface of the traffic. Select an interface from the drop-down list. When the interface is specified, only the traffic from this interface will continue to match this SNAT rule, while traffic from other interfaces will not.

Egress Traffic: Specifies the egress traffic. The default value is all traffic.

• All traffic - Specifies all traffic as the egress traffic. Traffic from all egress interfaces will continue to match this SNAT rule.

• Egress Interface - Specifies the egress interface of the traffic. Select an interface from the drop-down list. When the interface is specified, only the traffic from this interface will continue to match this SNAT rule, while traffic from other interfaces will not.

• Next Virtual Router - Specifies the next virtual router of the traffic. Select a virtual router from the drop-down list.

Service: Specifies the service type of the traffic from the drop-down list. To create a new service or service group, click New Service or New Group.

Translated to

Translated: Specifies the translated NAT IP address, including:

• Egress IF IP (IPv4)/Egress IF IP (IPv6) - Specifies the NAT IP address to be an egress interface IP address.

• Specified IP - Specifies the NAT IP address to be a specified IP address. After selecting this option, continue to specify the available IP address in the Address drop-down list.

• No NAT - Do not implement NAT.

The translated action for different types of SNAT rules may vary in this page; please refer to the actual page.

Mode: Specifies the translation mode, including:

• Static - Static mode means one-to-one translation. This mode requires the translated address entry to contain the same number of IP addresses as the source address entry.

• Dynamic IP - Dynamic IP mode means multiple-to-one translation. This mode translates the source address to a specific IP address. Each source address will be mapped to a unique IP address, until all specified addresses are occupied.

• Dynamic port - Called PAT. Multiple source addresses will be translated to one specified IP address in an address entry.

  • If Sticky is enabled, all sessions from an IP address will be mapped to the same fixed IP address. Click the Enable button behind Sticky to enable Sticky.

  • If Round-robin is enabled, all sessions from an IP address will be mapped to the same fixed IP address. Click the Enable button behind Round-robin to enable Round-robin.

  • If Sticky and Round-robin are not enabled, the first address in the address entry will be used first; when the port resources of the first address are exhausted, the second address will be used.

  • If Track is enabled, the system will track whether the translated public address is valid, i.e., use the translated address as the source address to track whether the destination website or host is accessible. The configured track object can be a Ping track object, an HTTP track object, or a TCP track object. For more details, see "Track Object" on Page 670. This function only supports SNAT of the IPv4 or NAT64 type; the translated address must be an IP address or an address in the address book, and the translation mode must be dynamic port mode. The system will prioritize the translated address which is tracked successfully. When a translated address fails to visit a website or a host, it will be temporarily disabled until it is tracked successfully again. When the tracking object fails, the system will disable the address and generate a log in the next tracking cycle, and will no longer translate the private address to a public address until the address becomes reachable again. If all the addresses in the public address book of the SNAT rule are unreachable, the system will not disable any translated address and will generate a log. Click the Enable button behind Track to enable the function, and select a track object from the drop-down list.

Note: The Sticky function and the Round-robin function are mutually exclusive and cannot be configured at the same time.
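An added Python model, not StoneOS code, of how the translation modes above pick a translated address for a new session: Static pairs addresses one to one and therefore insists on equally sized entries, Dynamic IP gives each source its own public address until the entry is used up, and Dynamic port (PAT) shares addresses under the Sticky, Round-robin and default (first address until its ports are exhausted) behaviours, with Sticky and Round-robin rejected together. Round-robin is modelled as advancing through the entry for each new session, which is the usual meaning of the term and an assumption of this example; the tiny per-address port budget and the 203.0.113.x / 10.1.1.x addresses are constructed so that exhaustion becomes visible within a few calls.

```python
from typing import Dict, List, Optional, Tuple

PORTS_PER_ADDRESS = 3   # constructed: tiny per-address port budget so exhaustion shows up quickly


class SnatPool:
    """Chooses the translated address for a source IP under one SNAT mode (illustrative)."""

    def __init__(self, mode: str, sources: List[str], translated: List[str],
                 sticky: bool = False, round_robin: bool = False):
        if mode not in ("static", "dynamic_ip", "dynamic_port"):
            raise ValueError("mode must be static, dynamic_ip or dynamic_port")
        if sticky and round_robin:
            raise ValueError("Sticky and Round-robin are mutually exclusive")
        if mode == "static" and len(sources) != len(translated):
            raise ValueError("static mode needs equally sized source and translated entries")
        self.mode, self.sources, self.translated = mode, sources, translated
        self.sticky, self.round_robin = sticky, round_robin
        self.ip_map: Dict[str, str] = {}                       # source -> chosen translated address
        self.ports_used: Dict[str, int] = {t: 0 for t in translated}
        self.rr_index = 0

    def translate(self, src: str) -> Optional[Tuple[str, Optional[int]]]:
        """Return (translated address, translated port) for a new session, or None if none is free."""
        if self.mode == "static":
            if src not in self.sources:
                return None
            return self.translated[self.sources.index(src)], None   # one-to-one, ports untouched
        if self.mode == "dynamic_ip":
            if src not in self.ip_map:
                free = [t for t in self.translated if t not in self.ip_map.values()]
                if not free:
                    return None                                     # all addresses occupied
                self.ip_map[src] = free[0]
            return self.ip_map[src], None
        addr = self._choose_pat_address(src)                        # dynamic_port (PAT)
        if addr is None:
            return None
        self.ports_used[addr] += 1
        return addr, 1024 + self.ports_used[addr]                   # constructed port numbering

    def _has_ports(self, addr: str) -> bool:
        return self.ports_used[addr] < PORTS_PER_ADDRESS

    def _choose_pat_address(self, src: str) -> Optional[str]:
        if self.sticky:
            # every session from this source keeps the address picked for its first session
            if src not in self.ip_map:
                free = [t for t in self.translated if self._has_ports(t)]
                if not free:
                    return None
                self.ip_map[src] = free[0]
            addr = self.ip_map[src]
            return addr if self._has_ports(addr) else None
        if self.round_robin:
            # assumption: advance through the entry per new session, skipping exhausted addresses
            for _ in range(len(self.translated)):
                addr = self.translated[self.rr_index % len(self.translated)]
                self.rr_index += 1
                if self._has_ports(addr):
                    return addr
            return None
        for addr in self.translated:      # neither enabled: first address until its ports run out
            if self._has_ports(addr):
                return addr
        return None


if __name__ == "__main__":
    pool = SnatPool("dynamic_port", [], ["203.0.113.1", "203.0.113.2"])
    print([pool.translate(f"10.1.1.{i}") for i in range(1, 5)])   # fourth session spills to .2
```

The None results are the practical caveat: once a Dynamic IP entry is fully occupied, or a Sticky source's fixed address has no ports left, new sessions from further hosts simply fail to translate, which is the symptom to look for when an address entry is sized too small.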

Expand Advanced Configuration, and configure the corresponding options.

HA Group: Specifies the HA group that the SNAT rule belongs to. The default setting is 0.

NAT Log: Click the Enable button to enable the log function for this SNAT rule. The system will generate log information when there is traffic matching this NAT rule.

Position: Specifies the position of the rule. Each SNAT rule has a unique ID. When the traffic is flowing into the device, the device will search the SNAT rules in order, and then implement NAT on the source IP of the traffic according to the first matched rule. The sequence of the IDs shown in the SNAT rule list is the order of the rule matching. Select one of the following items from the drop-down list:

• Bottom - The rule is located at the bottom of all the rules in the SNAT rule list. By default, the system will put the newly-created SNAT rule at the bottom of all SNAT rules.

• Top - The rule is located at the top of all the rules in the SNAT rule list.

• Before ID - Type the ID number into the text box. The rule will be located before the ID you specified.

• After ID - Type the ID number into the text box. The rule will be located after the ID you specified.

ID: Specifies how the rule ID is assigned. Each rule has its unique ID. It can be automatically assigned by the system or manually assigned by yourself. If you select Manually assign, type an ID number into the box behind.

Description: Type the description.

3. Click OK to save the settings.

Notes: When configuring a static source NAT66 rule, the minimum subnet mask
must be 48 bits.

Enabling/Disabling an SNAT rule

By default the configured SNAT rule will take effect immediately. You can terminate its control over the traffic by disabling the rule.
To enable/disable an SNAT rule:

1. Select Policy > NAT > SNAT.

2. Select the SNAT rule that you want to enable/disable.

3. Click Enable or Disable to enable or disable the rule.

Viewing and Searching SNAT Rules

You can view and search the SNAT rules on the SNAT rule list.
View the SNAT rules on the SNAT rule list.

• Each column displays the corresponding configurations.

• Click the icon in the Session Detail column on the SNAT rule list to go to the Session Detail page. You can view the current session status of the selected SNAT rule. You can also click the filter icon to add filtering conditions and search for the sessions that conform to the filtering conditions.
You can filter by Session ID, Source Address, Source Port, Destination Address, Destination Port, Protocol, Application, Flow0 Interface, and Flow1 Interface. You can add multiple filter conditions at the same time. The relationship between filter conditions is AND.

• Hover your mouse over the configurations in different columns; the WebUI then displays either an icon or the detailed information of this configuration, based on the configuration type.

  • You can view the detailed configurations directly.

  • You can click the icon. Based on the configuration type, the WebUI displays Filter or Add Filter.

  • Click Filter or Add Filter to see the filter conditions of this configuration above the list, and then you can filter the SNAT rules according to the filter conditions.

Adjusting Priority

Each SNAT rule has a unique ID. When the traffic flows into the device, the device will search the SNAT rules in order and then implement NAT on the source IP of the traffic according to the first matched rule. The sequence of the IDs shown in the SNAT rule list is the order of the rule matching.
To adjust priority, take the following steps:

1. Select Policy > NAT > SNAT.

2. Select the rule whose priority you want to adjust and click Priority.

3. In the Priority page, move the selected rule to:

• Top: The rule is moved to the top of all of the rules in the SNAT rule list.

• Bottom: The rule is moved to the bottom of all of the rules in the SNAT rule list. By default, the system will put the newly-created SNAT rule at the bottom of all of the SNAT rules.

• Before ID: Specifies an ID number. The rule will be moved before the ID you specified.

• After ID: Specifies an ID number. The rule will be moved after the ID you specified.

4. Click OK to save the settings.

Copying/Pasting an SNAT rule

When there are a large number of NAT rules in the system, to easily create a NAT rule which is similar to a configured NAT rule, you can copy the NAT rule and paste it to the specified location.
To copy/paste an SNAT rule, take the following steps:

1. Select Policy > NAT > SNAT.

2. Select the SNAT rule that you want to clone and click Copy.

3. Click Paste. In the pop-up, select the desired position. Then the rule will be cloned to the desired position.

• Top: The rule is pasted to the top of all the rules in the SNAT rule list.

• Bottom: The rule is pasted to the bottom of all the rules in the SNAT rule list.

• Before the Rule Selected: The rule will be pasted before the selected rule.

• After the Rule Selected: The rule will be pasted after the selected rule.

Importing SNAT rules

You can import the configuration file of the local SNAT rules into the device to avoid creating SNAT rules manually. Only the DAT format file is supported currently.
To import the configuration file of SNAT rules, take the following steps:

1. Click Policy > NAT > SNAT.

2. Click the Import button to open the Import page.

3. Click Browse and select the local configuration file of SNAT rules to upload.

4. Click OK, and the imported SNAT rules will be displayed in the list.

Notes:
• When importing the source NAT rule configuration file, use the exported original file as far as possible and do not modify the contents of the file. Otherwise, it may cause formatting errors.

• If there is an error during import, the system will stop importing immediately and roll back the configurations automatically.

• If the ID of an imported source NAT rule already exists, the configuration of the original NAT rule will be overwritten.

• The imported SNAT rules will be displayed at the bottom of the SNAT rule list.

Exporting SNAT rules

You can export the SNAT rules existing on the device to the local host in HTML, CSV or DAT format. At the same time, all the custom objects of the address book and service book (only user defined) can be exported.
To export the SNAT rules, take the following steps:

1. Click Policy > NAT > SNAT.

2. Click Export to open the Export page.

Configure the options as follows:

Range: Specify the range of SNAT rules to be exported.

• All SNAT: Select the radio button to export all SNAT rules on the device.

• Selected SNAT: In the SNAT list, select the SNAT rules to be exported, and then click Export > Selected SNAT.

• Page Range: Select the radio button, and enter the page number or page range of the SNAT list to be exported.
Note: Separate page numbers or ranges with semicolons, e.g. "3;5-8".

Export Address And Service: Select the check box to export all the custom objects, including the address book and the service book (only user defined).

Export SNAT in DAT Format: Select the check box to export the SNAT configurations in the DAT format.

3. Click OK to download the exported files. There are four kinds of files: natExport.html, "snat+exported time.zip", "snat+exported time.csv" and "vr_snat+exported time.dat" (the configurations in the DAT format).

4. Double-click natExport.html, click Import File and import the "snat+exported time.zip" file to view the table of exported policies.

Exporting NAT444 Static Mapping Entries

You can export the NAT444 static mapping entries to a file. The exported file contains the ID, source IP address, translated IP address, start port, end port, and the protocol information.
To export the NAT444 static mapping entries, take the following steps:

1. Select Policy > NAT > SNAT.

2. Click Export NAT444 Static Mapping Entries.

3. Select a location to store the file and click Save.

The exported file is in CSV format. It is recommended to export the file through the management interface.

Hit Count

The system supports statistics on SNAT rule hit counts, i.e., statistics on the matching between
traffic and SNAT rules. Each time the inbound traffic is matched to a certain SNAT rule, the hit
count will increment by 1 automatically.
To view a SNAT rule hit count, click Policy > NAT > SNAT. In the SNAT rule list, view the
statistics on SNAT rule hit count under the Hit Count column.

Clearing NAT Hit Count

To clear a SNAT rule hit count, take the following steps:

1. Select Policy > NAT > SNAT Hit Analysis.

2. Click Clear to open the Clearing NAT Hit Count page.

l All NAT: Clears the hit counts for all NAT rules.

l NAT ID: Clears the hit counts for a specified NAT rule ID.

3. Click OK.
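The Position and ID options of the SNAT rule, Adjusting Priority, and the Hit Count all follow from one rule: the list is searched in order and the first matching rule is applied. The following Python model is added as an example and is not the guide's or StoneOS's code. It implements an ordered rule list with Top/Bottom/Before ID/After ID placement, automatic or manually assigned unique IDs, first-match lookup that increments the matched rule's hit count, and clearing of hit counts for all rules or one ID. Its sample scenario shows the consequence worth checking on a real list: a more specific No NAT rule appended at the bottom is shadowed by a broad rule above it, and only its hit count staying at zero gives that away until the rule is moved. Rule fields, the CIDR conditions and the interface name are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class SnatRule:
    id: int
    source: str                       # source condition as CIDR (constructed)
    egress_if: str = "any"            # Egress Interface condition; "any" models All traffic
    translated: Optional[str] = None  # translated address; None models "No NAT"
    enabled: bool = True
    hits: int = 0


class SnatRuleList:
    """Ordered rule list: list order is match order and the first match wins (illustrative)."""

    def __init__(self) -> None:
        self.rules: List[SnatRule] = []
        self._next_id = 1             # automatic ID assignment

    def order(self) -> List[int]:
        return [r.id for r in self.rules]

    def _index_of(self, rid: int) -> int:
        for i, r in enumerate(self.rules):
            if r.id == rid:
                return i
        raise ValueError(f"rule ID {rid} does not exist")

    def _place(self, rule: SnatRule, position: str, ref_id: Optional[int]) -> None:
        if position == "top":
            self.rules.insert(0, rule)
        elif position == "bottom":
            self.rules.append(rule)
        elif position == "before":
            self.rules.insert(self._index_of(ref_id), rule)
        elif position == "after":
            self.rules.insert(self._index_of(ref_id) + 1, rule)
        else:
            raise ValueError("position must be top, bottom, before or after")

    def add(self, source: str, translated: Optional[str], egress_if: str = "any",
            position: str = "bottom", ref_id: Optional[int] = None,
            rule_id: Optional[int] = None) -> SnatRule:
        rid = self._next_id if rule_id is None else rule_id     # automatic or manual ID
        if any(r.id == rid for r in self.rules):
            raise ValueError(f"rule ID {rid} already exists")
        self._next_id = max(self._next_id, rid + 1)
        rule = SnatRule(rid, source, egress_if, translated)
        self._place(rule, position, ref_id)
        return rule

    def move(self, rid: int, position: str, ref_id: Optional[int] = None) -> None:
        """Adjusting Priority: re-insert an existing rule at a new position."""
        rule = self.rules.pop(self._index_of(rid))
        self._place(rule, position, ref_id)

    def lookup(self, src_ip: str, egress_if: str) -> Optional[SnatRule]:
        """Return the first enabled rule whose conditions match, counting the hit."""
        for r in self.rules:
            if not r.enabled or r.egress_if not in ("any", egress_if):
                continue
            if ip_address(src_ip) not in ip_network(r.source):
                continue
            r.hits += 1
            return r
        return None

    def clear_hits(self, rid: Optional[int] = None) -> None:
        """Clear hit counts for all rules (rid=None) or for one rule ID."""
        for r in self.rules:
            if rid is None or r.id == rid:
                r.hits = 0


def shadowing_demo() -> SnatRuleList:
    """Constructed scenario: a No NAT exception is ineffective until moved above the broad rule."""
    rl = SnatRuleList()
    rl.add("10.0.0.0/8", "203.0.113.1")                    # ID 1: translate the whole private range
    rl.add("10.1.1.0/24", None)                            # ID 2: No NAT for one subnet, at the bottom
    assert rl.lookup("10.1.1.5", "wan0").id == 1           # shadowed: the broad rule matches first
    rl.move(2, "top")
    assert rl.lookup("10.1.1.5", "wan0").id == 2           # the exception now takes effect
    return rl


if __name__ == "__main__":
    print(shadowing_demo().order())   # [2, 1]
```
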

Hit Count Check

The system supports checking SNAT rule hit counts.

To check hit counts, take the following steps:

1. Select Policy > NAT > SNAT Hit Analysis.

2. Click Analyze.
Configuring DNAT

DNAT translates destination IP addresses; usually the IP addresses of internal servers (such as the WWW server or SMTP server) protected by the device are translated to public IP addresses.

Configuring an IP Mapping Rule

To configure an IP mapping rule, take the following steps:

1. Select Policy > NAT > DNAT.

2. Click New and select IP Mapping.

In the IP Mapping Configuration page, configure the corresponding options.

Requirements

Virtual Router: Specifies a VRouter for the DNAT rule. The DNAT rule will take effect when the traffic flows into this VRouter and matches the DNAT rule conditions.

Type: Specifies the type of the DNAT rule, including IPv4, NAT46, NAT64, and IPv6. The configuration options for different types of DNAT rules may vary in this page; please refer to the actual page.

Destination Address: Specifies the destination IP address or interface of the traffic, including:

• Address Entry - Select an address entry from the drop-down list.

• IP Address - Type an IP address into the box. Type an IPv4 address if the type of the DNAT rule is IPv4 or NAT46. Type an IPv6 address if the type of the DNAT rule is NAT64 or IPv6.

• IP/Netmask - Type an IPv4 address and its netmask into the box. This configuration option is available if the type of the DNAT rule is IPv4 or NAT46.

• IPv6/Prefix - Type an IPv6 address and its prefix length into the box. This configuration option is available if the type of the DNAT rule is NAT64 or IPv6.

• Dynamic IP (Physical Interface) - Select an interface which obtains its IP via the DHCP or PPPoE protocol. This configuration option is available if the type of the DNAT rule is IPv4 or NAT46.

Mapping

Mapped to: Specifies the translated NAT IP address, including Address Entry, IP Address, and IP/Netmask (or IPv6/Prefix). The number of the translated NAT IP addresses you specified must be the same as the number of the destination IP addresses of the traffic.

Others

HA Group: Specifies the HA group that the DNAT rule belongs to. The default setting is 0.

Description: Type the description.

3. Click OK to save the settings.

Configuring a Port Mapping Rule

To configure a port mapping rule, take the following steps:

1. Select Policy > NAT > DNAT.

2. Click New and select Port Mapping.

In the Port Mapping Configuration page, configure the corresponding options.

Requirements

Virtual Router: Specifies a VRouter for the DNAT rule. The DNAT rule will take effect when the traffic flows into this VRouter and matches the DNAT rule conditions.

Type: Specifies the type of the DNAT rule, including IPv4, NAT46, NAT64, and IPv6. The configuration options for different types of DNAT rules may vary in this page; please refer to the actual page.

Destination Address: Specifies the destination IP address or interface of the traffic, including:

• Address Entry - Select an address entry from the drop-down list.

• IP Address - Type an IP address into the box. Type an IPv4 address if the type of the DNAT rule is IPv4 or NAT46. Type an IPv6 address if the type of the DNAT rule is NAT64 or IPv6.

• IP/Netmask - Type an IPv4 address and its netmask into the box. This configuration option is available if the type of the DNAT rule is IPv4 or NAT46.

• IPv6/Prefix - Type an IPv6 address and its prefix length into the box. This configuration option is available if the type of the DNAT rule is NAT64 or IPv6.

• Dynamic IP (Physical Interface) - Select an interface which obtains its IP via the DHCP or PPPoE protocol. This configuration option is available if the type of the DNAT rule is IPv4 or NAT46.

Service: Specifies the service type of the traffic from the drop-down list. To create a new service or service group, click New Service or New Group.

Mapping

Mapped to: Specifies the translated NAT IP address, including Address Entry, IP Address, and IP/Netmask (or IPv6/Prefix). The number of the translated NAT IP addresses you specified must be the same as the number of the destination IP addresses of the traffic.

Port Mapping: Type the translated port number of the Intranet server. The available range is 1 to 65535.

Others

HA Group: Specifies the HA group that the DNAT rule belongs to. The default setting is 0.

Description: Type the description.

3. Click OK to save the settings.
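An added Python model (not the guide's or StoneOS's code) of the IP mapping rule above and the port mapping rule just described. The rule refuses a Mapped to entry whose address count differs from the Destination Address entry and a Port Mapping outside 1 to 65535, matches inbound packets on the destination address and, for port mapping, on the Service, rewrites the destination to the intranet server and translated port, and reverses the rewrite on the server's reply so the client keeps seeing the public address. Addresses, ports and the service are constructed sample values.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class DnatRule:
    """IP mapping (no service, no port mapping) or port mapping rule (illustrative)."""

    def __init__(self, destinations: List[str], mapped: List[str],
                 service: Optional[Tuple[str, int]] = None,
                 port_mapping: Optional[int] = None):
        if len(destinations) != len(mapped):
            raise ValueError("Mapped to must hold as many addresses as Destination Address")
        if port_mapping is not None:
            if not 1 <= port_mapping <= 65535:
                raise ValueError("Port Mapping must be between 1 and 65535")
            if service is None:
                raise ValueError("a port mapping rule needs a Service")
        self.mapping = dict(zip(destinations, mapped))   # public -> intranet, one to one
        self.service = service                           # (proto, port) the rule applies to
        self.port_mapping = port_mapping
        # per translated session: the public address/port the client actually used
        self.sessions: Dict[Tuple[str, str, int, str, int], Tuple[str, int]] = {}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Client -> public address: rewrite the destination to the intranet server."""
        server = self.mapping.get(pkt.dst)
        if server is None:
            return None                                   # rule does not apply
        if self.service is not None and (pkt.proto, pkt.dport) != self.service:
            return None                                   # other ports are not forwarded
        new_port = pkt.dport if self.port_mapping is None else self.port_mapping
        self.sessions[(pkt.proto, pkt.src, pkt.sport, server, new_port)] = (pkt.dst, pkt.dport)
        return replace(pkt, dst=server, dport=new_port)

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Server -> client: restore the public address/port the client expects."""
        public = self.sessions.get((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if public is None:
            return None
        return replace(pkt, src=public[0], sport=public[1])


def port_mapping_demo() -> Tuple[Optional[Packet], Optional[Packet], Optional[Packet]]:
    """Constructed: public 202.1.1.1 tcp/8080 is mapped to intranet web server 10.1.1.10 tcp/80."""
    rule = DnatRule(["202.1.1.1"], ["10.1.1.10"], service=("tcp", 8080), port_mapping=80)
    request = rule.inbound(Packet("198.51.100.7", 51000, "202.1.1.1", 8080))
    other = rule.inbound(Packet("198.51.100.7", 51001, "202.1.1.1", 22))   # not the mapped service
    answer = rule.reply(Packet("10.1.1.10", 80, "198.51.100.7", 51000))
    return request, other, answer


if __name__ == "__main__":
    for p in port_mapping_demo():
        print(p)
```

The None for the port-22 packet is the point of preferring a port mapping rule over an IP mapping rule for a single service: an IP mapping forwards every port of the public address to the server, a port mapping exposes exactly the service you named.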

Configuring an Advanced NAT Rule

You can create a DNAT rule and configure the advanced settings, or you can edit the advanced
settings of an exiting DNAT rule.
To create a DNAT rule and configure the advanced settings, take the following steps:

1. Select Policy > NAT > DNAT.

2. Click New and select Advanced Configuration. To edit the advanced settings of an existing
DNAT rule, select it and click Edit. The DNAT configuration page will appear.

904 Chapter 10

Policy
In this page, configure the following options.

Requirements

Virtual Specifies a VRouter for the DNAT rule. The DNAT rule
Router will take effect when the traffic flows into this VRouter
and matches the DNAT rule conditions.

Type Specifies the type of the DNAT rule, including IPv4,


NAT46, NAT64, and IPv6. The configuration options for
different types of DNAT rules may vary in this page,
please refer to the actual page.

Chapter 10 905

Policy
Requirements

Source Specifies the source IP address of the traffic, including:


Address
l Address Entry - Select an address entry from the
drop-down list.

l IP Address - Type an IP address into the box. Type


an IPv4 address if the type of the DNAT rule is
IPv4 or NAT46. Type an IPv6 address if the type
of the DNAT rule is NAT64 or IPv6.

l IP/Netmask - Type an IPv4 address and its net-


mask into the box. This configuration option is
available if the type of the DNAT rule is IPv4 or
NAT46.

l IPv6/Prefix - Type an IPv6 address and its prefix


length into the box. This configuration option is
available if the type of the DNAT rule is NAT64 or
IPv6.

Destination Specifies the destination IP address or interface of the


Address traffic, including:

l Address Entry - Select an address entry from the


drop-down list.

l IP Address - Type an IP address into the box. Type


an IPv4 address if the type of the DNAT rule is
IPv4 or NAT46. Type an IPv6 address if the type
of the DNAT rule is NAT64 or IPv6.

906 Chapter 10

Policy
Requirements

l IP/Netmask - Type an IPv4 address and its net-


mask into the box. This configuration option is
available if the type of the DNAT rule is IPv4 or
NAT46.

l IPv6/Prefix - Type an IPv6 address and its prefix


length into the box. This configuration option is
available if the type of the DNAT rule is NAT64 or
IPv6.

l Dynamic IP(Physical Interface): Select an interface


which obtains IP via the DHCP and PPPoE pro-
tocols. This configuration option is available if the
type of the DNAT rule is IPv4 or NAT46.

Service Specifies the service type of the traffic from the drop-
down list.
To create a new service or service group, click Add.

Translated to

Action Specifies the action for the traffic you specified, includ-
ing:

l NAT - Implements NAT for the eligible traffic.

l No NAT - Do not implement NAT for the eligible


traffic.

• V4-MAPPED - Implements NAT for the eligible traffic, and extracts the destination IPv4 address directly from the destination IPv6 address of the packet. This configuration option is available if the type of the DNAT rule is NAT64.

The Translated to action for different types of DNAT rules may vary in this page; please refer to the actual page.

Translate to When selecting the NAT option, you need to specify the translated IP address. The options include Address Entry, IP Address, IP/Netmask (or IPv6/Prefix), and SLB Server Pool. The SLB Server Pool configuration option is available if the type of the DNAT rule is IPv4 or NAT64. For more information about the SLB Server Pool, see "SLB Server Pool" on Page 613.

Translate Service Port to

Port Click Enable to translate the port number of the service that matches the conditions above.

Load Balance Click Enable to enable the function. Traffic will be balanced to different Intranet servers.

Redirect Click Enable to enable the function. When the number of addresses in this Translate to is different from that of the Destination Address of the traffic, or the Destination Address is any, you must enable the redirect function for this DNAT rule.

Expand Advanced Configuration and configure the following options.

Track Server

HA Group Specifies the HA group that the DNAT rule belongs to.
The default setting is 0.

Track Ping Packets After enabling this function, the system will send Ping packets to check whether the Intranet servers are reachable.

Track TCP Packets After enabling this function, the system will send TCP packets to check whether the TCP ports of the Intranet servers are reachable.

TCP Port Specifies the TCP port number of the monitored Intranet
server.

NAT Log Enable the log function for this DNAT rule to generate
the log information when traffic matches this NAT rule.

Position Specifies the position of the rule. Each DNAT rule has a
unique ID. When the traffic is flowing into the device,
the device will search the DNAT rules by sequence, and
then implement DNAT on the source IP of the traffic
according to the first matched rule. The sequence of the
ID shown in the DNAT rule list is the order of the rule
matching. Select one of the following items from the
drop-down list:

• Bottom - The rule is located at the bottom of all of the rules in the DNAT rule list. By default, the system will put the newly-created DNAT rule at the bottom of all of the DNAT rules.

• Top - The rule is located at the top of all of the rules in the DNAT rule list.

• Before ID - Type the ID number into the text box. The rule will be located before the ID you specified.

• After ID - Type the ID number into the text box. The rule will be located after the ID you specified.

ID The ID number is used to distinguish between NAT rules. Specifies how the rule ID is obtained: it can be assigned automatically by the system or manually by you.

Description Type the description.

3. Click OK to save the settings.

Enabling/Disabling a DNAT Rule

By default, a configured DNAT rule takes effect immediately. You can terminate its control over the traffic by disabling the rule.
To enable/disable a DNAT rule, take the following steps:

1. Select Policy > NAT > DNAT.

2. Select the DNAT rule that you want to enable/disable.

3. Click Enable or Disable to enable or disable the rule.

Viewing and Searching DNAT Rules

You can view and search the DNAT rules in the DNAT rule list.

• Each column displays the corresponding configurations.

• Click the icon in the Session Detail column of the DNAT rule list to go to the Session Detail page. You can view the current session status of the selected DNAT rule. You can also click the icon to add filtering conditions and search for the sessions that conform to the filtering conditions. You can filter by Session ID, Source Address, Source Port, Destination Address, Destination Port, Protocol, Application, Flow0 Interface and Flow1 Interface. You can add multiple filter conditions at the same time. The relationship between filter conditions is And.

• Hover your mouse over the configurations in different columns; the WebUI then displays either an icon or the detailed information of this configuration, based on the configuration type.

  • You can view the detailed configurations directly.

  • You can click the icon. Based on the configuration type, the WebUI displays Filter or Add Filter.

  • Click Filter or Add Filter to see the filter conditions of this configuration above the list, and then filter the DNAT rules according to the filter condition.

Copying/Pasting a DNAT Rule

When there are a large number of NAT rules in the system, you can copy an existing NAT rule and paste it to a specified location to easily create a similar NAT rule.
To copy/paste a DNAT rule, take the following steps:

1. Select Policy > NAT > DNAT.

2. Select the DNAT rule that you want to clone and click Copy.

3. Click Paste. In the pop-up, select the desired position. Then the rule will be cloned to the
desired position.

• Top: The rule is pasted to the top of all of the rules in the DNAT rule list.

• Bottom: The rule is pasted to the bottom of all of the rules in the DNAT rule list.

• Before the Rule Selected: The rule will be pasted before the selected rule.

• After the Rule Selected: The rule will be pasted after the selected rule.

Adjusting Priority

Each DNAT rule has a unique ID. When the traffic is flowing into the device, the device will
search the DNAT rules in order, and then implement NAT of the source IP of the traffic accord-
ing to the first matched rule. The sequence of the ID shown in the DNAT rule list is the order of
the rule matching.
To adjust priority, take the following steps:

1. Select Policy > NAT > DNAT.

2. Select the rule you want to adjust its priority and click Priority.

3. In the Priority page, move the selected rule to:

• Top: The rule is moved to the top of all of the rules in the DNAT rule list.

• Bottom: The rule is moved to the bottom of all of the rules in the DNAT rule list. By default, the system will put the newly-created DNAT rule at the bottom of all of the DNAT rules.

• Before ID: Specifies an ID number. The rule will be moved before the ID you specified.

• After ID: Specifies an ID number. The rule will be moved after the ID you specified.

4. Click OK to save the settings.
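The matching order and the Top, Bottom, Before ID and After ID positions described above, as an added Python model (not Hillstone's code; rule IDs, addresses and service names are constructed): it shows how a broad rule placed above a specific one shadows it until its priority is adjusted.

```python
"""Model of a DNAT rule list: position semantics and first-match lookup.

Added example, not Hillstone's code. Rule IDs, addresses and services are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DnatRule:
    rule_id: int
    dst: str                          # "any" or an IPv4/IPv6 address or prefix
    service: str                      # "any" or a service name such as "HTTP"
    action: str                       # "NAT" or "No NAT"
    translated_to: Optional[str] = None
    enabled: bool = True
    hit_count: int = 0


class DnatRuleList:
    """Ordered list of DNAT rules; list order is the matching order (first match wins)."""

    def __init__(self) -> None:
        self.rules: List[DnatRule] = []

    def _index_of(self, rule_id: int) -> int:
        for i, r in enumerate(self.rules):
            if r.rule_id == rule_id:
                return i
        raise KeyError(f"no DNAT rule with ID {rule_id}")

    def add(self, rule: DnatRule, position: str = "Bottom",
            ref_id: Optional[int] = None) -> None:
        """Insert a rule at Top, Bottom (the default), Before ID or After ID."""
        if any(r.rule_id == rule.rule_id for r in self.rules):
            raise ValueError(f"DNAT rule ID {rule.rule_id} already exists")
        if position == "Bottom":
            self.rules.append(rule)
        elif position == "Top":
            self.rules.insert(0, rule)
        elif position == "Before ID":
            self.rules.insert(self._index_of(ref_id), rule)
        elif position == "After ID":
            self.rules.insert(self._index_of(ref_id) + 1, rule)
        else:
            raise ValueError(f"unknown position {position!r}")

    def move(self, rule_id: int, position: str, ref_id: Optional[int] = None) -> None:
        """Priority adjustment: take the rule out and re-insert it at the new position."""
        rule = self.rules.pop(self._index_of(rule_id))
        self.add(rule, position, ref_id)

    def order(self) -> List[int]:
        """Rule IDs in matching order, as listed top to bottom in the DNAT rule list."""
        return [r.rule_id for r in self.rules]

    def match(self, dst_ip: str, service: str) -> Optional[DnatRule]:
        """Return the first enabled rule that matches, incrementing its hit count."""
        ip = ipaddress.ip_address(dst_ip)
        for r in self.rules:
            if not r.enabled:
                continue
            if r.dst != "any" and ip not in ipaddress.ip_network(r.dst, strict=False):
                continue
            if r.service != "any" and r.service != service:
                continue
            r.hit_count += 1
            return r
        return None


def demo_shadowing() -> tuple:
    """A broad rule above a specific one shadows it until the priority is adjusted."""
    rules = DnatRuleList()
    rules.add(DnatRule(1, "any", "any", "No NAT"))
    rules.add(DnatRule(2, "203.0.113.10", "HTTP", "NAT", translated_to="10.0.0.10"))
    shadowed_by = rules.match("203.0.113.10", "HTTP").rule_id   # rule 1 wins, rule 2 never fires
    rules.move(2, "Top")                                         # Priority > Top
    effective = rules.match("203.0.113.10", "HTTP").rule_id      # now rule 2
    return shadowed_by, effective, rules.order()


def demo_positions() -> List[int]:
    """Before ID / After ID / Top insertions produce the expected list order."""
    rules = DnatRuleList()
    for rid in (10, 20, 30):
        rules.add(DnatRule(rid, "any", "any", "NAT"))
    rules.add(DnatRule(15, "any", "any", "NAT"), "Before ID", ref_id=20)
    rules.add(DnatRule(25, "any", "any", "NAT"), "After ID", ref_id=20)
    rules.add(DnatRule(5, "any", "any", "NAT"), "Top")
    return rules.order()


if __name__ == "__main__":
    print(demo_shadowing())   # (1, 2, [2, 1])
    print(demo_positions())   # [5, 10, 15, 20, 25, 30]
```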

Importing DNAT Rules

You can import a configuration file of DNAT rules from the local computer into the device to avoid creating DNAT rules manually. Only the DAT file format is currently supported.
To import the configuration file of DNAT rules, take the following steps:

1. Click Policy > NAT > DNAT .

2. Click the Import button to open the Import page.

3. Click Browse and select the local configuration file of DNAT rule to upload.

4. Click OK, and the imported DNAT rule will be displayed in the list.

Notes:
• When importing the DNAT rule configuration file, use the exported original file as far as possible and do not modify the contents of the file. Otherwise, it may cause formatting errors.

• If there is an error during import, the system will stop importing immediately and roll back the configuration automatically.

• If the ID of an imported DNAT rule already exists, the configuration of the original NAT rule will be overwritten.

• The imported DNAT rules will be displayed at the bottom of the DNAT rule list.

Exporting DNAT Rules

You can export the DNAT rules existing on the device to the local computer in HTML, CSV or DAT format. At the same time, all the custom objects of the address book, service book (user-defined only) and SLB server (user-defined only) can be exported.
To export the DNAT rules, take the following steps:

1. Click Policy > NAT > DNAT .

2. Click Export to open the Export page.

Configure the options as follows:

Option Description

Range Specify the range of DNAT rules to be exported.

• All DNAT: Select the radio button to export all DNAT rules on the device.

• Selected DNAT: In the DNAT list, select the DNAT rule to be exported, and then click Export > Selected DNAT.

• Page Range: Select the radio button, and enter the page number or page range of the DNAT list to be exported. Note: Separate page numbers or ranges with semicolons, e.g. "3;5-8".

Export Address, Service And Slb Server Pool Select the check box to export all the custom objects, including address book, service book (user-defined only) and SLB server (user-defined only).


Export DNAT in DAT Format Select the check box to export the DNAT configurations in the DAT format.

3. Click OK to download the exported files. There are four kinds of files: natExport.html, "dnat+exported time.zip", "dnat+exported time.csv" and "vr_dnat+exported time.dat" (the configurations in the DAT format).

4. Double-click natExport.html, click Import File and import "dnat+exported time.zip" to view the table of exported policies.

Hit Count

The system supports statistics on DNAT rule hit counts, i.e., statistics on the matching between
traffic and DNAT rules. Each time the inbound traffic is matched to a certain DNAT rule, the hit
count will increment by 1 automatically.
To view a DNAT rule hit count, click Policy > NAT > DNAT. In the DNAT rule list, view the
statistics on DNAT rule hit count under the Hit Count column.

Clearing NAT Hit Count

To clear a DNAT rule hit count, take the following steps:

1. Select Policy > NAT > DNAT Hit Analysis.

2. Click Clear to open the Clearing NAT Hit Count page.

• All NAT: Clears the hit counts for all NAT rules.

• NAT ID: Clears the hit counts for a specified NAT rule ID.

3. Click OK.

Hit Count Check

The system supports checking policy rule hit counts.

To check hit count, take the following steps:

1. Select Policy > NAT > DNAT Hit Analysis.

2. Click Analyze.

SLB Server
View SLB server status: After you enable the track function (PING track, TCP track, or UDP track), the system lists the status and information of the intranet servers that are tracked.
View SLB server pool status: After you enable the server load balancing function, the system monitors the intranet servers and lists the corresponding status and information.

Viewing SLB Server Status

To view the SLB server status, take the following steps:

1. Select Policy > NAT > SLB Server Status.

2. You can set the filtering conditions according to the virtual router, SLB server pool, and
server address and then view the information.

Option Description

Server Shows the IP address of the server.

Type Shows the type of the server, either IPv4 or IPv6.

Port Shows the port number of the server.

Status Shows the status of the server.

Current Sessions Shows the number of current sessions.

DNAT Shows the DNAT rules that use the server.

HA Group Shows the HA group that the server belongs to.

Viewing SLB Server Pool Status

To view the SLB server pool status, take the following steps:

1. Select Policy > NAT > SLB Server Pool Status.

2. You can set the filtering conditions according to the virtual router, algorithm, and server
pool name and then view the information.

Option Description

Name Shows the name of the server pool.

Type Shows the type of the server pool, either IPv4 or IPv6.

Algorithm Shows the algorithm used by the server pool.

DNAT Shows the DNAT rules that use the server.

Abnormal Server/All Servers Shows the number of abnormal servers and the total number of the servers.

Current Sessions Shows the number of current sessions.

Session Limit
The devices support a zone-based session limit function. You can limit the number of sessions and control the session rate for a source IP address, destination IP address, specified IP address, applications or role/user/user group, thereby protecting against DoS attacks and controlling the bandwidth of applications such as IM or P2P.

Configuring a Session Limit Rule


To configure a session limit rule, take the following steps:

1. Select Policy > Session Limit.

2. Click New. The Session Limit Configuration page will appear.

3. Select the zone where the session limit rule is located.

4. Configure the limit conditions.

IP

Select the IP check box to configure the IP limit conditions.

IP Select the IP radio button and then select an IP address entry.


• Select All IPs to limit the total number of sessions to all IP addresses.

• Select Per IP to limit the number of sessions to each IP address.

Source IP Select the Source IP radio button and specify the source IP address entry and destination IP address entry. When the session's source IP and destination IP are both within the specified range, the system will limit the number of sessions as follows:

• When you select Per Source IP, the system will limit the number of sessions to each source IP address.

• When you select Per Destination IP, the system will limit the number of sessions to each destination IP address.

Protocol

Protocol Limits the number of sessions to the protocol which has been set in the text box.

Application

Application Limits the number of sessions to the selected application.

Role/User/User Group

Select the Role/User/User Group check box to configure the corresponding limit conditions.


Role Select the Role radio button and a role from the Role
drop-down list to limit the number of sessions of the
selected role.

User Select the User radio button and a user from the User
drop-down list to limit the number of sessions of the
selected user.

User Group Select the User Group radio button and a user group from
the User Group drop-down list to limit the number of ses-
sions of the selected user group.

• Next to the User Group radio button, select All Users to limit the total number of sessions to all of the users in the user group.

• Next to the User Group radio button, select Per User to limit the number of sessions to each user.

Schedule

Schedule Select the Schedule check box and choose a schedule you
need from the drop-down list to make the session limit
rule take effect within the time period specified by the
schedule.

5. Configure the limit types.

Session Type

Session Number Specify the maximum number of sessions. The value range is 0 to 1048576. The value of 0 indicates no limitation.

New Connections/5s Specify the maximum number of sessions created per 5 seconds. The value range is 1 to 1048576.

6. Select Enable after Session Limit Log to record session limit logs.

7. Click OK to save your settings.

8. Click Switch Mode to select a matching mode. If you select Use the Minimum Value and an IP address matches multiple session limit rules, the maximum number of sessions of this IP address is limited to the minimum session number among all matched session limit rules; if you select Use the Maximum Value and an IP address matches multiple session limit rules, the maximum number of sessions of this IP address is the maximum session number among all matched session limit rules.
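A Python model of the session limit behaviour above, added here and not part of the StoneOS software: it evaluates Per IP and All IPs rules and shows how Use the Minimum Value and Use the Maximum Value change the limit applied to an IP that matches several rules. Zones, rule names and addresses are constructed.

```python
"""Model of zone-based session limit rules (Per IP / All IPs) and the two matching modes.

Added example, not Hillstone's code. Rule names, zones and addresses are constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SessionLimitRule:
    name: str
    zone: str
    ip_range: str          # the address entry the rule applies to, as a prefix
    per_ip: bool           # True = "Per IP", False = "All IPs"
    session_number: int    # maximum sessions; 0 means no limitation


class SessionLimiter:
    """Admits or drops new sessions under the configured session limit rules."""

    def __init__(self, mode: str = "min") -> None:
        # "min" = Use the Minimum Value, "max" = Use the Maximum Value (Switch Mode)
        assert mode in ("min", "max")
        self.mode = mode
        self.rules: List[SessionLimitRule] = []
        self.ip_sessions: Dict[str, int] = defaultdict(int)     # sessions per IP address
        self.rule_sessions: Dict[str, int] = defaultdict(int)   # sessions per All IPs rule
        self.dropped: Dict[str, int] = defaultdict(int)         # dropped sessions per rule

    def add_rule(self, rule: SessionLimitRule) -> None:
        self.rules.append(rule)

    def _matched(self, zone: str, ip: str) -> List[SessionLimitRule]:
        addr = ipaddress.ip_address(ip)
        return [r for r in self.rules
                if r.zone == zone and r.session_number > 0
                and addr in ipaddress.ip_network(r.ip_range, strict=False)]

    def _pick(self, rules: List[SessionLimitRule]) -> Optional[SessionLimitRule]:
        """When several rules match, the matching mode decides whose limit applies."""
        if not rules:
            return None
        chooser = min if self.mode == "min" else max
        return chooser(rules, key=lambda r: r.session_number)

    def effective_limit(self, zone: str, ip: str) -> int:
        """Per-IP limit for one address; 0 when no Per IP rule limits it."""
        rule = self._pick([r for r in self._matched(zone, ip) if r.per_ip])
        return rule.session_number if rule else 0

    def new_session(self, zone: str, ip: str) -> bool:
        """Return True if the session is admitted, False if dropped (and counted)."""
        matched = self._matched(zone, ip)
        per_ip = self._pick([r for r in matched if r.per_ip])
        if per_ip and self.ip_sessions[ip] >= per_ip.session_number:
            self.dropped[per_ip.name] += 1
            return False
        all_ips = self._pick([r for r in matched if not r.per_ip])
        if all_ips and self.rule_sessions[all_ips.name] >= all_ips.session_number:
            self.dropped[all_ips.name] += 1
            return False
        self.ip_sessions[ip] += 1
        for r in matched:
            if not r.per_ip:
                self.rule_sessions[r.name] += 1
        return True

    def clear_statistics(self, rule_name: str) -> None:
        """The Clear button: reset the dropped-session statistics of one rule."""
        self.dropped.pop(rule_name, None)


def demo_modes(mode: str) -> tuple:
    """One host matches a /24 rule (3 sessions) and a host rule (5 sessions)."""
    lim = SessionLimiter(mode)
    lim.add_rule(SessionLimitRule("guest-subnet", "trust", "192.168.10.0/24", True, 3))
    lim.add_rule(SessionLimitRule("guest-host", "trust", "192.168.10.5/32", True, 5))
    admitted = sum(lim.new_session("trust", "192.168.10.5") for _ in range(8))
    return lim.effective_limit("trust", "192.168.10.5"), admitted, dict(lim.dropped)


def demo_all_ips() -> tuple:
    """An All IPs rule caps the total across every address in its range."""
    lim = SessionLimiter("min")
    lim.add_rule(SessionLimitRule("dmz-total", "dmz", "10.10.0.0/16", False, 4))
    admitted = sum(lim.new_session("dmz", f"10.10.0.{i}") for i in range(1, 7))
    return admitted, dict(lim.dropped)


if __name__ == "__main__":
    print(demo_modes("min"))   # (3, 3, {'guest-subnet': 5})
    print(demo_modes("max"))   # (5, 5, {'guest-host': 3})
    print(demo_all_ips())      # (4, {'dmz-total': 2})
```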

Clearing Statistic Information


After configuring a session limit rule, the sessions which exceed the maximum number of sessions will be dropped. You can clear the statistical information of the dropped sessions of a specified session limit rule according to your need.
To clear the statistical information, take the following steps:

1. Select Policy > Session Limit.

2. Select the rule whose session's statistical information you want to clear.

3. Click Clear.

Traffic Quota
System supports the traffic quota function, which can limit and control the allowable flow quota
of users/user groups per day or per month. When the user traffic reaches the daily or monthly
quota defined by the traffic quota profile, the system will block the user traffic.
Related Topics:

• "Configuring the Traffic Quota Rule" on Page 926

• "Configuring the Traffic Quota Profile" on Page 928

• "Configuring the Traffic Quota Zone" on Page 929

• "User Quota Monitor" on Page 1115

Configuring the Traffic Quota Rule
The traffic quota rule configuration includes configuring the user/user group traffic quota rule and adjusting the traffic quota rule position.

Configuring the User/ User Group Traffic Quota Rule

To configure the user/ user group traffic quota rule, take the following steps:

1. Select Policy > Traffic Quota > Rule.

2. In the User Quota Rule or User Group Quota Rule tab, click New.

In the <User Traffic Quota Rule Configuration> or <User Group Traffic Quota Rule Con-
figuration> page, configure the corresponding options.

Option Description

Name Specifies the name of user/ user group traffic quota rule.

Quota Profile Select the created quota profile from the drop-down list,
or click to create a new traffic quota profile.

For traffic quota profile configuration, see "Configuring the Traffic Quota Profile" on Page 928.


User/ User Group Specifies the user/user group of the traffic quota rule.

1. From the User or User Group drop-down list, select the AAA server where the users and user groups reside.

2. Based on the type of AAA server, you can execute one or more actions: search for a user/user group, expand the user/user group list, or enter the name of the user/user group.

3. After selecting users/user groups/roles, click them to add them to the left pane.

4. After adding the desired objects, click Close to complete the user configuration.

3. Click OK to save your settings.

Adjusting Traffic Quota Rule Priority

To adjust the rule priority, take the following steps:

1. Select Policy > Traffic Quota > Rule.

2. Select the check box of the traffic quota rule whose priority will be adjusted, and click Priority.

3. In the Change User Quota Rule Priority or Change User Group Quota Rule Priority page, click First List, Last List, Before This Name or After This Name. Then the rule will be moved before or after the specified name.

Configuring the Traffic Quota Profile
To configure the traffic quota profile, use the following steps:

1. Select Policy > Traffic Quota > Profile.

2. Click New to open the Quota Profile Configuration page.

In the <Quota Profile Configuration> page, configure the corresponding options.

Option Description

Name Specifies the quota profile name.

Daily Quota Type the daily quota in the text box and select the quota
unit in the drop-down list, including KB, MB, GB, TB.

Monthly Type the monthly quota in the text box and select the
Quota quota unit in the drop-down list, including KB, MB, GB,
TB.

3. Click OK to save your settings.

Configuring the Traffic Quota Zone
To configure the zone where you want to enable the traffic quota function, take the following steps:

1. Select Policy > Traffic Quota > Configuration.

2. Click Select Zones for Traffic Statistics.

3. Click to add a new zone entry to the Selected list.

4. In the Selected list, select a zone entry and click to remove it so that the zone is not counted.

5. Click Apply to save your settings.

Share Access
Share access means multiple endpoints accessing the network with the same IP address. The share access function can block access from unknown devices and allocate bandwidth for users, so as to prevent possible risks and ensure a good online experience.

Configuring Share Access Rules


To configure a share access rule, take the following steps:

1. Select Policy > Share Access.

2. Click New. The Share Access Configuration page will appear.

Option Description

Name Specifies the name of share access rule.

Source Zone Specify the source zone of share access.

Source Address Specify the source IP address segment of share access.

1. Click to open the Address page.

2. Select the address type in the Address page.

3. According to different address types, select or enter the required address.

4. Click Add to add the addresses to the left pane.

5. After adding the desired addresses, click Close to complete the source address configuration.

You can also perform other operations:

• When selecting the Address Book type, you can click the icon to create a new address entry.

• The default address configuration is any. To restore the configuration to this default one, select the any or IPv6-any check box.

Schedule Specify the schedule of share access. The share access rule takes effect in the period specified by the schedule. If the schedule is not configured, the share access rule will always be effective.

Maximum Endpoints Specify the maximum number of share access endpoints. The range is 1-15. The default value is 2.

Action When the number of endpoints with the same IP address exceeds the maximum allowed to be shared by the system, the IP address of the endpoints will be processed according to the specified action.

• Log Only: When the number of shared access endpoints exceeds the maximum, the system will only record logs of the IP address out of limit, without affecting the normal connection of the access endpoints.

• Warning: When the number of shared access endpoints exceeds the maximum, the system will send warnings to endpoints out of limit and record logs during the specified control duration.

  • Control Duration: Specify the control duration of the warning. The range is 30-3600s. The default value is 60s. After the duration is over, the system will re-detect whether the number of access endpoints exceeds the maximum.

  • Warning Message: Specify the user-defined warning message; the range is 0-255 characters.

• Block: When the number of shared access endpoints exceeds the maximum, the system will block the IP address of the endpoints out of the limit and record logs during the specified control duration.

  • Control Duration: Specify the control duration of the block. The range is 30-3600s. The default value is 60s. After the duration is over, the system will re-detect whether the number of access endpoints exceeds the maximum.

Endpoint Timeout Specify the timeout time of an endpoint. After the timeout, when the endpoint no longer accesses the network with the IP, the system will clear the endpoint information. The range is 300-86400s. The default value is 600s.
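An added Python model of the share access actions described above (not Hillstone's code): it counts endpoints per IP address, expires them after Endpoint Timeout, and applies Log Only, Warning or Block with re-detection once Control Duration has passed. How the device tells endpoints apart is not described on this page, so the endpoint identifiers are constructed inputs.

```python
"""Model of a share access rule: endpoint counting per IP, timeout and the three actions.

Added example, not Hillstone's code. The endpoint identifiers, IP addresses and times are
constructed; the page does not describe how the device distinguishes endpoints.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ShareAccessRule:
    name: str
    max_endpoints: int = 2        # range 1-15, default 2
    action: str = "Log Only"      # "Log Only", "Warning" or "Block"
    control_duration: int = 60    # seconds, range 30-3600, default 60
    endpoint_timeout: int = 600   # seconds, range 300-86400, default 600


class ShareAccessMonitor:
    """Tracks endpoints seen behind each source IP and applies the rule's action."""

    def __init__(self, rule: ShareAccessRule) -> None:
        self.rule = rule
        self.endpoints: Dict[str, Dict[str, float]] = {}   # ip -> {endpoint: last_seen}
        self.controlled_until: Dict[str, float] = {}       # ip -> end of control duration
        self.logs: List[str] = []

    def _live_endpoints(self, ip: str, now: float) -> Dict[str, float]:
        """Forget endpoints idle longer than Endpoint Timeout, then return the rest."""
        seen = self.endpoints.setdefault(ip, {})
        for endpoint, last_seen in list(seen.items()):
            if now - last_seen > self.rule.endpoint_timeout:
                del seen[endpoint]
        return seen

    def observe(self, now: float, ip: str, endpoint: str) -> str:
        """Handle one access by `endpoint` behind `ip`; return "allow", "warn" or "block"."""
        seen = self._live_endpoints(ip, now)
        seen[endpoint] = now
        until = self.controlled_until.get(ip)
        if until is not None:
            if now < until:                        # still inside the control duration
                self.logs.append(f"{now}: {ip} under control ({self.rule.action})")
                return "block" if self.rule.action == "Block" else "warn"
            del self.controlled_until[ip]         # duration over: re-detect below
        if len(seen) <= self.rule.max_endpoints:
            return "allow"
        self.logs.append(f"{now}: {ip} has {len(seen)} endpoints, "
                         f"max {self.rule.max_endpoints}")
        if self.rule.action == "Log Only":
            return "allow"                         # logged, connections unaffected
        self.controlled_until[ip] = now + self.rule.control_duration
        return "block" if self.rule.action == "Block" else "warn"


def demo(action: str) -> tuple:
    """Three endpoints share 10.1.1.20 with a maximum of 2; the third trips the action."""
    mon = ShareAccessMonitor(ShareAccessRule("office-nat", max_endpoints=2, action=action,
                                             control_duration=60, endpoint_timeout=600))
    ip = "10.1.1.20"
    verdicts = (
        mon.observe(0, ip, "ep-A"),     # first endpoint
        mon.observe(5, ip, "ep-B"),     # second endpoint, still within the maximum
        mon.observe(10, ip, "ep-C"),    # third endpoint exceeds the maximum
        mon.observe(40, ip, "ep-A"),    # 30 s later, inside the 60 s control duration
        mon.observe(700, ip, "ep-A"),   # ep-B and ep-C idle > 600 s, so only ep-A remains
    )
    return verdicts, len(mon.logs)


def demo_redetect() -> str:
    """After the control duration the count is re-checked; still over limit, so blocked again."""
    mon = ShareAccessMonitor(ShareAccessRule("office-nat", action="Block"))
    ip = "10.1.1.20"
    for t, endpoint in ((0, "ep-A"), (5, "ep-B"), (10, "ep-C")):
        mon.observe(t, ip, endpoint)
    return mon.observe(71, ip, "ep-B")   # control ended at 70 s; 3 endpoints still live


if __name__ == "__main__":
    for action in ("Log Only", "Warning", "Block"):
        print(action, demo(action))
    print(demo_redetect())
```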

ARP Defense
StoneOS provides a series of ARP defense functions to protect your network against various ARP
attacks, including:

• ARP Learning: Devices can obtain IP-MAC bindings in an Intranet from ARP learning, and add them to the ARP list. By default this function is enabled. The devices will always keep ARP learning on, and add the learned IP-MAC bindings to the ARP list. If any IP or MAC address changes during the learning process, the devices will add the updated IP-MAC binding to the ARP list. If this function is disabled, only IP addresses in the ARP list can access the Internet.

• MAC Learning: Devices can obtain MAC-Port bindings in an Intranet from MAC learning, and add them to the MAC list. By default this function is enabled. The devices will always keep MAC learning on, and add the learned MAC-Port bindings to the MAC list. If any MAC address or port changes during the learning process, the devices will add the updated MAC-Port binding to the MAC list.

• IP-MAC-Port Binding: If IP-MAC, MAC-Port or IP-MAC-Port binding is enabled, packets that are not matched to the binding will be dropped to protect against ARP spoofing or MAC address list attacks. The combination of ARP and MAC learning can achieve the effect of "real-time scan + static binding", and make the defense configuration simpler and more effective.

• Authenticated ARP: Authenticated ARP is implemented on the ARP client Hillstone Secure Defender. When a PC with Hillstone Secure Defender installed accesses the Internet via the interface that enables Authenticated ARP, it will perform an ARP authentication with the device, for the purpose that the MAC address of the device connected to the PC is trusted.

• ARP Inspection: Devices support ARP Inspection for interfaces. With this function enabled, StoneOS will inspect all ARP packets passing through the specified interfaces, and compare the IP addresses of the ARP packets with the static IP-MAC bindings in the ARP list and the IP-MAC bindings in the DHCP Snooping list.

• DHCP Snooping: With this function enabled, the system can create a binding relationship between the MAC address of the DHCP client and the allocated IP address by analyzing the packets between the DHCP client and server.

• Host Defense: With this function enabled, the system can send gratuitous ARP packets for different hosts to protect them against ARP attacks.

Configuring ARP Defense

Configuring Binding Settings

Devices support IP-MAC binding, MAC-Port binding and IP-MAC-Port binding to reinforce net-
work security control. The bindings obtained from ARP/MAC learning and ARP scan are known
as dynamic bindings, and those manually configured are known as static bindings.

Adding a Static IP-MAC-Port Binding

To add a static IP-MAC-Port binding, take the following steps:

1. Select Policy > ARP Defense > IP-MAC Binding.

2. Click New.

In the IP-MAC Binding Configuration page, configure the corresponding settings.

Option Description

MAC Specify a MAC address.

IP Specify an IP address.

Port Select a port from the drop-down list.

Virtual Select the virtual router that the binding item belongs to.
Router By default, the binding item belongs to trust-vr.

Description Specify the description for this item.

Authenticated ARP Click the Enable button to enable the authenticated ARP function.

3. Click OK to save the settings.

Obtaining Dynamic IP-MAC-Port Bindings

Devices can obtain dynamic IP-MAC-Port binding information from:

• ARP/MAC learning

• IP-MAC scan

To configure the ARP/MAC learning, take the following steps:

1. Select Policy > ARP Defense > IP-MAC Binding.

2. Click and click ARP/MAC Learning from the pop-up menu.

3. In the ARP/MAC Learning Configuration page, select the interface on which you want to enable the ARP/MAC learning function.

4. Click Enable and then select ARP Learning or MAC Learning in the pop-up menu. The sys-
tem will enable the selected function on the interface you select.

5. Close the page and return to the IP-MAC Binding page.

To configure the ARP scan, take the following steps:

1. Select Policy > ARP Defense > IP-MAC Binding.

2. Select Binding Configuration and then click IP-MAC Scan from the pop-up menu.

3. In the IP-MAC Scan page, enter the start IP and the end IP.

4. Click OK to start scanning the specified IP addresses. The result will display in the table in
the IP-MAC binding page.

Binding the IP-MAC-Port Binding Item

To bind the IP-MAC-Port binding item, take the following steps:

1. Select Policy > ARP Defense > IP-MAC Binding.

2. Select Binding Configuration and then click Bind All from the pop-up menu.

3. In the Bind All page, select the binding type.

4. Click OK to complete the configurations.

To unbind an IP-MAC-Port binding item:

1. Select Policy > ARP Defense > IP-MAC Binding.

2. Select Binding Configuration and then click Unbind All from the pop-up menu.

3. In the Unbind All page, select the unbinding type.

4. Click OK to complete the configurations.

Importing/Exporting Binding Information

To import the binding information, take the following steps:

1. Select Policy > ARP Defense > IP-MAC Binding.

2. Select and then click Import from the pop-up menu.

3. In the Import page, click Browse to select the file that contains the binding information.
Only the UTF-8 encoding file is supported.

To export the binding information, take the following steps:

1. Select Policy > ARP Defense > IP-MAC Binding.

2. Select and then click Export from the pop-up menu.

3. Choose the binding information type.

4. Click OK to export the binding information to a file.

Configuring Authenticated ARP

This feature may not be available on all platforms. Please check your system's actual page to see if your device delivers this feature.
The devices provide Authenticated ARP to protect the clients against ARP spoofing attacks. Authenticated ARP is implemented on the ARP client Hillstone Secure Defender. When a PC with Hillstone Secure Defender installed accesses the Internet via the interface that enables Authenticated ARP, it will perform an ARP authentication with the device to ensure that the MAC address of the device connected to the PC is trusted. Besides, the ARP client is also designed with powerful anti-spoofing and anti-replay mechanisms to defend against various ARP attacks.

Notes: The Loopback interface and PPPoE sub-interface are not designed with
ARP learning, so these two interfaces do not support Authenticated ARP.

To use the Authenticated ARP function, you need to enable the Authenticated ARP function in
the device and install the Hillstone Secure Defender in the PCs.
To enable the Authenticated ARP in the device, take the following steps:
To install Hillstone Secure Defender in the PCs, take the following steps:

Configuring ARP Inspection

Devices support ARP Inspection for interfaces. With this function enabled, system will inspect
all the ARP packets passing through the specified interfaces, and compare the IP addresses of the
ARP packets with the static IP-MAC bindings in the ARP list and IP-MAC bindings in the
DHCP Snooping list:

• If the IP address is in the ARP list and the MAC address matches, the ARP packet will be forwarded;

• If the IP address is in the ARP list but the MAC address does not match, the ARP packet will be dropped;

• If the IP address is not in the ARP list, continue to check if the IP address is in the DHCP Snooping list;

• If the IP address is in the DHCP Snooping list and the MAC address also matches, the ARP packet will be forwarded;

• If the IP address is in the DHCP Snooping list but the MAC address does not match, the ARP packet will be dropped;

• If the IP address is not in the DHCP Snooping list, the ARP packet will be dropped or forwarded according to the specific configuration.

Both the VSwitch and VLAN interface of the system support ARP Inspection. This function is
disabled by default.
To configure ARP Inspection of the VSwitch interface, take the following steps:

1. Select Policy > ARP Defense > ARP Inspection.

2. The system lists the existing VSwitch interfaces.

3. Double-click the item of a VSwitch interface.

4. In the Interface Configuration page, click the Enable button.

5. To drop the traffic whose sender's IP address is not in the ARP table, select Drop. To for-
ward the traffic whose sender's IP address is not in the ARP table, select Forward.

6. Click OK to save the settings and close the page.

7. For the interfaces belonging to the VSwitch interface, you can set the following options:

• If you do not need ARP inspection on an interface, double-click the interface in the Advanced Options section and select the Do Not Inspect option in the pop-up page.

• Configure the number of ARP packets received per second. When the ARP packet rate exceeds the specified value, the excess ARP packets will be dropped. The value range is 0 to 10000. The default value is 0, i.e., no rate limit.

8. Click OK to save the settings.

To configure the ARP inspection of the VLAN interface, take the following steps:

1. Select Policy > ARP Defense > ARP Inspection.

2. Click New.

3. In the Interface Configuration page, specify the VLAN ID.

4. To drop the traffic whose sender's IP address is not in the ARP table, select Drop. To forward the traffic whose sender's IP address is not in the ARP table, select Forward.

5. Click OK to save the settings.

Configuring DHCP Snooping

DHCP, Dynamic Host Configuration Protocol, is designed to allocate appropriate IP addresses and related network parameters for sub-networks automatically. DHCP Snooping can create a binding relationship between the MAC address of the DHCP client and the allocated IP address by analyzing the packets between the DHCP client and the server. When ARP Inspection is also enabled, the system will check whether an ARP packet passing through can be matched to any binding on the list. If not, the ARP packet will be dropped. In a network that allocates addresses via DHCP, you can prevent ARP spoofing attacks by enabling ARP Inspection and DHCP Snooping.

DHCP clients look for the server by broadcasting, and only accept the network configuration parameters provided by the first reachable server. Therefore, an unauthorized DHCP server in the network might lead to DHCP server spoofing attacks. The devices can prevent DHCP server spoofing attacks by dropping DHCP response packets on the related ports.
Besides, some malicious attackers send DHCP requests to a DHCP server in succession by forging different MAC addresses, and eventually make IP addresses unavailable to legitimate users by exhausting all the IP address resources. This kind of attack is commonly known as DHCP Starvation. The devices can prevent such attacks by dropping request packets on the related ports, setting a rate limit or enabling the validity check.
The VSwitch interface of the system supports DHCP snooping. This function is disabled by
default.
To configure DHCP snooping, take the following steps:

1. Select Policy > ARP Defense > DHCP Snooping.

2. Click DHCP Snooping Configuration.

3. In the Interface tab, select the interfaces that need the DHCP snooping function.

4. Click Enable to enable the DHCP snooping function.

5. In the Port tab, configure the DHCP snooping settings:

l Validity check: Check if the client's MAC address of the DHCP packet is the same as
the source MAC address of the Ethernet packet. If not, the packet will be dropped.
Select the interfaces that need the validity check and then click Enable to enable this
function.

l Rate limit: Specify the number of DHCP packets received per second on the interface. If the number exceeds the specified value, system will drop the excessive DHCP packets. The value range is 0 to 10000. The default value is 0, i.e., no rate limit. To configure the rate limit, double-click the interface and then specify the value in the Rate text box in the pop-up Port Configuration page.

l Drop: In the Port Configuration page, if the DHCP Request check box is selected,
the system will drop all of the request packets sent by the client to the server; if the
DHCP Response check box is selected, system will drop all the response packets
returned by the server to the client.

6. Click OK to save the settings.
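The three port checks of step 5 (validity check, rate limit, and dropping DHCP Request or DHCP Response packets per port), together with the IP-MAC binding that a forwarded DHCP ACK adds to the DHCP Snooping list, as an added Python example written for this guide (not StoneOS code). The DHCP exchange is constructed, the packets are plain dictionaries, and the setting names in PortSettings are assumptions standing in for the Port tab options:

```python
from collections import defaultdict
from dataclasses import dataclass

# DHCP message types (RFC 2132, option 53)
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
CLIENT_TO_SERVER = {DISCOVER, REQUEST}   # "DHCP Request" packets in the Port tab
SERVER_TO_CLIENT = {OFFER, ACK}          # "DHCP Response" packets in the Port tab


@dataclass
class PortSettings:
    """Port-tab settings; names are constructed for this example."""
    validity_check: bool = False   # client MAC (chaddr) must equal the Ethernet source MAC
    rate_limit: int = 0            # DHCP packets per second, 0 = no limit
    drop_request: bool = False     # drop every client-to-server DHCP packet on the port
    drop_response: bool = False    # drop every server-to-client DHCP packet on the port


class DhcpSnooper:
    def __init__(self, ports):
        self.ports = ports               # port name -> PortSettings
        self.bindings = {}               # ip -> (mac, lease seconds): the DHCP Snooping list
        self._seen = defaultdict(int)    # (port, second) -> DHCP packets counted

    def process(self, pkt):
        """Return ('forward' | 'drop', reason); forwarded ACKs add an IP-MAC binding."""
        cfg = self.ports[pkt["port"]]
        mtype = pkt["msg_type"]
        if cfg.rate_limit:
            key = (pkt["port"], pkt["second"])
            self._seen[key] += 1
            if self._seen[key] > cfg.rate_limit:
                return "drop", "rate limit exceeded"
        if cfg.drop_request and mtype in CLIENT_TO_SERVER:
            return "drop", "DHCP Request dropped on this port"
        if cfg.drop_response and mtype in SERVER_TO_CLIENT:
            return "drop", "DHCP Response dropped on this port"
        if (cfg.validity_check and mtype in CLIENT_TO_SERVER
                and pkt["chaddr"].lower() != pkt["eth_src"].lower()):
            return "drop", "client MAC differs from Ethernet source MAC"
        if mtype == ACK:
            # The server confirmed the lease: record the binding used by ARP Inspection.
            self.bindings[pkt["yiaddr"]] = (pkt["chaddr"].lower(), pkt["lease"])
        return "forward", "ok"


def run_sample():
    """Constructed exchange: one legitimate lease, one rogue server, one forged client."""
    ports = {
        "eth0/1": PortSettings(validity_check=True, rate_limit=3),  # client access port
        "eth0/2": PortSettings(drop_response=True),                  # no DHCP servers expected here
        "eth0/3": PortSettings(),                                    # uplink to the real server
    }
    snooper = DhcpSnooper(ports)
    client, server = "00:11:22:33:44:50", "00:aa:bb:cc:dd:01"
    pkts = [
        dict(port="eth0/1", second=0, msg_type=DISCOVER, chaddr=client, eth_src=client),
        dict(port="eth0/3", second=0, msg_type=OFFER, chaddr=client, eth_src=server),
        dict(port="eth0/1", second=0, msg_type=REQUEST, chaddr=client, eth_src=client),
        dict(port="eth0/3", second=0, msg_type=ACK, chaddr=client, eth_src=server,
             yiaddr="10.0.0.50", lease=3600),
        dict(port="eth0/2", second=0, msg_type=OFFER, chaddr=client, eth_src="de:ad:be:ef:00:02"),
        dict(port="eth0/1", second=1, msg_type=DISCOVER, chaddr="de:ad:be:ef:00:99", eth_src=client),
    ]
    # Four DISCOVERs from one port in the same second: the fourth exceeds rate_limit=3.
    pkts += [dict(port="eth0/1", second=2, msg_type=DISCOVER, chaddr=client, eth_src=client)] * 4
    verdicts = [snooper.process(p) for p in pkts]
    return verdicts, snooper.bindings


if __name__ == "__main__":
    verdicts, bindings = run_sample()
    for v, why in verdicts:
        print(f"{v:8} {why}")
    print("DHCP Snooping list:", bindings)
```

The rogue OFFER on eth0/2 is dropped by the per-port DHCP Response setting (the server-spoofing case described above), the DISCOVER whose chaddr does not match its Ethernet source is dropped by the validity check (the starvation case), and only the ACK that was actually forwarded produces a binding.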

Viewing DHCP Snooping List

With DHCP Snooping enabled, system will inspect all of the DHCP packets passing through the interface, and create and maintain a DHCP Snooping list that contains IP-MAC binding information during the process of inspection. Besides, if the VSwitch, VLAN interface or any other Layer 3 physical interface is configured as a DHCP server, the system will create IP-MAC binding information automatically and add it to the DHCP Snooping list even if DHCP Snooping is not enabled. The bindings in the list contain information like legal users' MAC addresses, IPs, interfaces, ports, lease time, etc.
To view the DHCP snooping list, take the following steps:

1. Select Policy > ARP Defense > DHCP Snooping.

2. In the current page, you can view the DHCP snooping list.

Configuring Host Defense

Host Defense is designed to send gratuitous ARP packets for different hosts to protect them
against ARP attacks.
To configure host defense, take the following steps:

1. Select Policy > ARP Defense > Host Defense.

2. Click New.

In the Host Defense page, configure the corresponding options.

Sending Settings

Interface: Specify an interface that sends gratuitous ARP packets.

Excluded Port: Specify an excluded port, i.e., the port that does not send gratuitous ARP packets. Typically it is the port that is connected to the proxied host.

Host

IP: Specify the IP address of the host that uses the device as a proxy.

MAC: Specify the MAC address of the host that uses the device as a proxy.

Sending Rate: Specify the rate at which gratuitous ARP packets are sent. The value range is 1 to 10/sec. The default value is 1.

3. Click OK to save your settings and return to the Host Defense page.

4. Repeat Step 2 and Step 3 to configure gratuitous ARP packets for more hosts. You can configure the device to send gratuitous ARP packets for up to 16 hosts.

Chapter 11 Threat Prevention
Threat prevention detects and blocks network threats. By configuring the threat prevention function, Hillstone devices can defend against network attacks and reduce losses to the internal network.
Threat protections include:

l Anti-Virus: It can detect the common file types and protocol types which are most likely to carry viruses and protect the network from them. Hillstone devices can detect the protocol types POP3, HTTP, SMTP, IMAP4 and FTP, and the file types archives (including GZIP, BZIP2, TAR, ZIP and RAR-compressed archives), PE, HTML, MAIL, RIFF and JPEG.

l Intrusion Prevention: It can detect and protect mainstream application layer protocols (DNS, FTP, POP3, SMTP, TELNET, MYSQL, MSSQL, ORACLE, NETBIOS) against web-based attacks and common Trojan attacks.

l Attack Defense: It can detect various types of network attacks, and take appropriate actions to protect the Intranet against malicious attacks, thus assuring the normal operation of the Intranet and systems.

l Perimeter Traffic Filtering: It can filter the perimeter traffic based on the known IP black/white list, and block the malicious traffic that hits the blacklist.

l Sandbox protection: It can execute suspicious files in a virtual environment, collect the dynamic behaviors of the suspicious files, analyze these dynamic behaviors, and determine the validity of the files based on the analysis results.

l Anti-Spam: It can filter mail transmitted by the SMTP and POP3 protocols through the cloud server, and discover mail threats.

Chapter 11 949

Threat Prevention
l Botnet Prevention: It can detect botnet hosts in the internal network in a timely manner, as well as locate them and take other actions according to the configuration, so as to avoid further threat attacks.

The threat protection configurations are based on security zones and policies.

l If a security zone is configured with the threat protection function, system will perform detection on the traffic that is matched to the binding zone specified in the rule, and then respond as you specified.

l If a policy rule is configured with the threat protection function, system will perform detection on the traffic that is matched to the policy rule you specified, and then respond.

l If both are specified at the same time, the threat protection configuration in a policy rule takes precedence over that in a zone rule, and the threat protection configuration in a destination zone takes precedence over that in a source zone.

Notes:

l Threat protection is controlled by a license. To use threat protection, apply for and install the Threat Protection (TP) license and the Intrusion Prevention System (IPS) license.

Threat Protection Signature Database

The threat protection signature database includes a variety of virus signatures, intrusion prevention signatures and perimeter traffic filtering signatures. By default, system updates the threat protection signature database every day automatically. You can change the update configuration as needed. Hillstone devices provide two default update servers: https://update1.hillstonenet.com and https://update2.hillstonenet.com. Hillstone devices support auto updates and local updates. A non-root VSYS does not support updating the signature database.
According to the severity, signatures are divided into three security levels: critical, warning and informational. Each level is described as follows:

l Critical: Critical attacking events, such as buffer overflows.

l Warning: Aggressive events, such as over-long URLs.

l Informational: General events, such as login failures.

Anti-Virus
This feature may not be available on all platforms. Please check your system's actual page to see whether your device delivers this feature.
The system is designed with an Anti-Virus function, controlled by licenses, that provides an AV solution featuring high speed, high performance and low delay. With this function configured in StoneOS, Hillstone devices can detect various threats including worms, Trojans, malware, malicious websites, etc., and proceed with the configured actions.
The Anti-Virus function can detect the common file types and protocol types which are most likely to carry viruses and protect the network from them. Hillstone devices can detect the protocol types HTTP, FTP, SMTP, POP3, IMAP4 and SMB, and the file types archives (including GZIP, BZIP2, TAR, ZIP and RAR-compressed archives), PE, HTML, MAIL, RIFF, ELF, PDF, MS OFFICE, Raw Data and Others. Others means scanning other files, including GIF, BMP, PNG, JPEG, FWS, CWS, RTF, MPEG, Ogg, MP3, wma, WMV, ASF, RM, etc.
If IPv6 is enabled, the Anti-Virus function will detect files and protocols based on IPv6. For how to enable IPv6, see StoneOS_CLI_User_Guide_IPv6.
The virus signature database includes over 10 million signatures, and supports both daily auto update and real-time local update. See "Security Policy" on Page 788.

Notes: Anti-Virus is controlled by a license. To use Anti-Virus, apply for and install the Anti-Virus (AV) license.

Configuring Anti-Virus
This chapter includes the following sections:

l Preparation for configuring Anti-Virus function

l Configuring Anti-Virus function

l Configuring Anti-Virus global parameters

Preparing

Before enabling Anti-Virus, make the following preparations:

1. Make sure your system version supports Anti-Virus.

2. Import an Anti-Virus license and reboot. Anti-Virus will be enabled after the reboot.

Notes:

l You need to update the Anti-Virus signature database before enabling the function for the first time. To assure a proper connection to the default update server, you need to configure a DNS server for StoneOS before updating.

l After Anti-Virus is enabled, system's max concurrent sessions might decrease. For more information about the maximum concurrent sessions, see "The Maximum Concurrent Sessions" on Page 1346.

Configuring Anti-Virus Function

The Anti-Virus configurations are based on security zones or policies.

l If a security zone is configured with the Anti-Virus function, system will perform detection on the traffic that is matched to the binding zone specified in the rule, and then respond as you specified.

l If a policy rule is configured with the threat protection function, system will perform detection on the traffic that is matched to the policy rule you specified, and then respond.

l If both are specified at the same time, the threat protection configuration in a policy rule takes precedence over that in a zone rule, and the threat protection configuration in a destination zone takes precedence over that in a source zone.

To realize the zone-based Anti-Virus, take the following steps:

1. Create a zone. For more information, refer to "Security Zone" on Page 85.

2. In the Zone Configuration page, expand Threat Protection.

3. Enable the threat protection you need and select an Anti-Virus rule from the profile drop-down list below; or you can click from the profile drop-down list. To create an Anti-Virus rule, see Configuring_Anti-Virus_Rule.

4. Click OK to save the settings.

To realize the policy-based Anti-Virus, take the following steps:

1. Create a security policy rule. For more information, refer to "Security Policy" on Page 788.

2. In the Policy Configuration page, expand the Protection tab.

3. Click the Enable button of Anti-Virus. Then select an Anti-Virus rule from the Profile drop-down list, or you can click from the Profile drop-down list to create an Anti-Virus rule. For more information, see Configuring_Anti-Virus_Rule.

4. Click OK to save the settings.

Configuring an Anti-Virus Rule

To configure an Anti-Virus rule, take the following steps:

1. Select Object > Anti-Virus > Profile.

2. Click New.

In the Anti-Virus Rules Configuration page, enter the Anti-Virus rule configurations.

Option Description

Name: Specifies the rule name.

File Types: Specifies the file types you want to scan. It can be GZIP, JPEG, MAIL, RAR, HTML, etc. Other means scanning other files, including GIF, BMP, PNG, JPEG, FWS, CWS, RTF, MPEG, Ogg, MP3, wma, WMV, ASF, RM, etc.

Protocol Types: Specifies the protocol types (HTTP, SMTP, POP3, IMAP4, FTP, SMB) you want to scan and specifies the action the system will take after a virus is found.

l Fill Magic - Processes the virus file by filling in magic words, i.e., fills the file with the magic words (Virus is found, cleaned) from the beginning to the end of the infected section.

l Log Only - Only generates a log.

l Warning - Pops up a warning page to prompt that a virus has been detected. This option is only effective for messages transferred over HTTP.

l Reset Connection - If a virus has been detected, system will reset the connections to the files.

Malicious Website Access Control: Click the button behind Malicious Website Access Control to enable the function.

Action: Specifies the action the system will take after a malicious website is found.

l Log Only - Only generates a log.

l Reset Connection - If a malicious website has been detected, system will reset the connections to the files.

l Warning - Pops up a warning page to prompt that a malicious website has been detected. This option is only effective for messages transferred over HTTP.

Enable Label E-mail: If an email transferred over SMTP is scanned, you can enable Label E-mail to scan the email and its attachment(s). The scanning results will be included in the mail body and sent with the email. If no virus has been detected, the message "No virus found" will be labeled; otherwise information related to the virus will be displayed in the email, including the filename, result and action. Type the end message content into the box. The range is 1 to 128.

3. Click OK.

Notes: By default, according to the virus filtering protection level, system comes with three default virus filtering rules: predef_low, predef_middle and predef_high. The default rules cannot be edited or deleted.

Cloning an Anti-Virus Rule

System supports the rapid cloning of an Anti-Virus rule. You can clone an existing Anti-Virus rule and generate a new one by modifying some of its parameters.
To clone an Anti-Virus rule, take the following steps:

1. Select Object > Anti-Virus > Profile.

2. Select an Anti-Virus rule in the list.

3. Click the Clone button above the list, and the Name configuration box will appear below
the button. Then enter the name of the new Anti-Virus rule.

4. The cloned Anti-Virus rule will be generated in the list.

Configuring Anti-Virus Global Parameters

The Anti-Virus global parameters configuration includes:

l Enabling / Disabling the Anti-Virus function

l Configuring the decompression control function

Enabling / Disabling the Anti-Virus function

To enable / disable the Anti-Virus function, take the following steps:

1. Select Object > Anti-Virus > Configuration.

2. Click / clear the Enable button to enable / disable the Anti-Virus function.

3. Click OK.

Notes: After the configuration is completed, system must be rebooted for it to take effect.

Configuring the Decompression Control Function

After configuring the decompression control function, StoneOS can decompress the transmitted compressed files, and can handle the files that exceed the max decompression layer as well as encrypted compressed files in accordance with the specified actions. This function can decompress files of the types RAR, ZIP, TAR, GZIP, and BZIP2. To configure the decompression control function, take the following steps:

1. Select Object > Anti-Virus > Configuration.

2. Click / clear the Enable button to enable / disable the Anti-Virus function.

3. Click Configuration.

In the Decompression Configuration page, configure the following options.

Option Description

Decompression: Click / clear the Enable button to enable / disable the decompression function.

Max Decompression Layer: By default, StoneOS can check files of up to 5 decompression layers. To specify a decompression layer, select a value from the drop-down list. The value range is 1 to 5.

Exceed Action: Specifies an action for the compressed files that exceed the max decompression layer. Select an action from the drop-down list:

l Log Only - Only generates logs but does not scan the files. This action is enabled by default.

l Reset Connection - Resets connections for the files.

Encrypted Compressed File: Specifies an action for encrypted compressed files:

l No Action - Does not take any action against the files, but might further scan the files according to the Anti-Virus rule.

l Log Only - Only generates logs but does not scan the files.

l Reset Connection - Resets connections for the files.

4. Click OK.

Notes: For compressed files containing docx, pptx, xlsx, jar, and apk formats (which are themselves ZIP containers and therefore count as one more decompression layer), when Exceed Action is specified as Reset Connection, the max decompression layer should be increased by one layer to prevent download failures.
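How the Max Decompression Layer, Exceed Action and Encrypted Compressed File options interact, as an added Python example written for this guide (not StoneOS code). It handles only ZIP, the nested archive is constructed in memory, and the action names (log_only, reset_connection, no_action) and the return shape are assumptions; encryption is recognised through the ZIP entry's general-purpose encryption flag:

```python
import io
import zipfile

ZIP_ENCRYPTED_FLAG = 0x1   # general-purpose bit 0 of a ZIP entry: traditional encryption


def nested_zip(depth, payload=b"sample payload"):
    """Constructed test data: a ZIP inside a ZIP ... `depth` layers deep."""
    data, name = payload, "file.txt"
    for _ in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), "inner.zip"
    return data


def scan_archive(data, max_layer=5, exceed_action="log_only",
                 encrypted_action="no_action", layer=1):
    """Open ZIP layers recursively, modelled on the Decompression Configuration options.

    Returns (verdict, detail):
      ("scanned", n)             every layer was opened, n leaf files seen
      (exceed_action, layer)     nesting went past max_layer at this layer
      (encrypted_action, name)   an encrypted entry was met (no_action lets it through)
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "scanned", 1          # a plain file counts as one leaf
    if layer > max_layer:
        return exceed_action, layer  # this archive would be layer N+1: apply Exceed Action
    leaves = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & ZIP_ENCRYPTED_FLAG:
                if encrypted_action != "no_action":
                    return encrypted_action, info.filename
                continue              # cannot open it; No Action leaves it to the AV rule
            verdict, detail = scan_archive(zf.read(info.filename), max_layer,
                                           exceed_action, encrypted_action, layer + 1)
            if verdict != "scanned":
                return verdict, detail
            leaves += detail
    return "scanned", leaves


if __name__ == "__main__":
    for depth in (1, 5, 6):
        print(depth, "layers ->", scan_archive(nested_zip(depth)))
    print("docx-like (ZIP in ZIP) with max 1 ->", scan_archive(nested_zip(2), max_layer=1))
```

`nested_zip(2)` with `max_layer=1` models the note above: a ZIP that contains a docx is already two layers, so with the limit at one the second layer triggers the Exceed Action.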

Intrusion Prevention System
IPS, Intrusion Prevention System, is designed to monitor various network attacks in real time and take appropriate actions (like block) against the attacks according to your configuration.
The IPS implements complete state-based detection, which significantly reduces the false positive rate. Even if the device is enabled with multiple application layer detections, enabling IPS will not cause any noticeable performance degradation. Besides, StoneOS updates the signature database automatically every day to assure its integrity and accuracy.

l IPS supports IPv6 addresses if the IPv6 function is enabled.

l By integrating with the SSL proxy function, IPS can monitor HTTPS traffic.

The protocol detection procedure of IPS consists of two stages: signature matching and protocol parsing.

l Signature matching: IPS extracts the protocol elements of interest from the traffic for signature matching. If the elements match items in the signature database, system will process the traffic according to the action configuration. This part of detection is configured in the Select Signature section.

l Protocol parsing: IPS analyzes the protocol part of the traffic. If the analysis results show the protocol part containing abnormal contents, system will process the traffic according to the action configuration. This part of detection is configured in the Protocol Configuration section.

Notes: Intrusion Prevention System is controlled by a license. To use IPS, apply for and install the Intrusion Prevention System (IPS) license.

Signatures
The IPS signatures are categorized by protocol, and identified by a unique signature ID. The signature ID consists of two parts: the protocol ID (the 1st digit, or the 1st and 2nd digits) and the attacking signature ID (the last 5 digits). For example, in ID 605001, "6" identifies the Telnet protocol, and "00120" is the attacking signature ID. The 1st digit in the signature ID identifies protocol anomaly signatures, while the others identify attacking signatures. The mappings between IDs and protocols are shown in the table below:

ID  Protocol    ID  Protocol    ID  Protocol    ID  Protocol
1   DNS         7   Other-TCP   13  TFTP        19  NetBIOS
2   FTP         8   Other-UDP   14  SNMP        20  DHCP
3   HTTP        9   IMAP        15  MySQL       21  LDAP
4   POP3        10  Finger      16  MSSQL       22  VoIP
5   SMTP        11  SUNRPC      17  Oracle      -   -
6   Telnet      12  NNTP        18  MSRPC       -   -

In the above table, Other-TCP identifies all the TCP protocols other than the standard TCP protocols listed in the table, and Other-UDP identifies all the UDP protocols other than the standard UDP protocols listed in the table.

Configuring IPS
This chapter includes the following sections:

l Preparation for configuring IPS function

l Configuring IPS function

Preparation

Before enabling IPS, make the following preparations:

1. Make sure your system version supports IPS.

2. Import an Intrusion Prevention System (IPS) license and reboot. IPS will be enabled after the reboot.

Notes: After IPS is enabled, system's max concurrent sessions might decrease. For more information about the maximum concurrent sessions, see "The Maximum Concurrent Sessions" on Page 1346.

Configuring IPS Function

The IPS configurations are based on security zones or policies.

l To perform the IPS function on the HTTPS traffic, see the policy-based IPS.

To realize the zone-based IPS, take the following steps:

1. Create a zone. For more information, refer to "Security Zone" on Page 85.

2. In the Zone Configuration page, expand Threat Protection.

3. Enable the IPS you need and select an IPS rule from the profile drop-down list below, or you can click from the profile drop-down list below. To create an IPS rule, see Configuring_an_IPS_Rule.

4. Click a direction (Inbound, Outbound, Bi-direction). The IPS rule will be applied to the
traffic that is matched with the specified security zone and direction.

To realize the policy-based IPS, take the following steps:

1. Create a policy rule. For more information, refer to "Security Policy" on Page 788.

2. In the Policy Configuration page, expand Protection.

3. Click the Enable button of IPS. Then select an IPS rule from the Profile drop-down list, or you can click from the Profile drop-down list to create an IPS rule. For more information, see Configuring_an_IPS_Rule.

4. To perform the IPS function on the HTTPS traffic, you need to enable the SSL proxy function for the security policy rule specified above. System will decrypt the HTTPS traffic according to the SSL proxy profile and then perform the IPS function on the decrypted traffic.

According to the various configurations of the security policy rule, system will perform the following actions:

Policy Rule Configurations / Actions

SSL proxy enabled, IPS disabled: System decrypts the HTTPS traffic according to the SSL proxy profile but does not perform the IPS function on the decrypted traffic.

SSL proxy enabled, IPS enabled: System decrypts the HTTPS traffic according to the SSL proxy profile and performs the IPS function on the decrypted traffic.

SSL proxy disabled, IPS enabled: System performs the IPS function on the HTTP traffic according to the IPS profile. The HTTPS traffic will not be decrypted and system will forward it.

If the destination zone or the source zone specified in the security policy rule is configured with IPS as well, system will perform the following actions:

Policy Rule Configurations / Zone Configurations / Actions

SSL proxy enabled, IPS disabled / IPS enabled: System decrypts the HTTPS traffic according to the SSL proxy profile and performs the IPS function on the decrypted traffic according to the IPS rule of the zone.

SSL proxy enabled, IPS enabled / IPS enabled: System decrypts the HTTPS traffic according to the SSL proxy profile and performs the IPS function on the decrypted traffic according to the IPS rule of the policy rule.

SSL proxy disabled, IPS enabled / IPS enabled: System performs the IPS function on the HTTP traffic according to the IPS rule of the policy rule. The HTTPS traffic will not be decrypted and system will forward it.

5. Click OK to save the settings.

Configuring an IPS Rule

System has three default IPS rules: predef_default, predef_loose and predef_critical.

l The predef_default rule includes all the IPS signatures and its default action is reset.

l The predef_loose rule includes all the IPS signatures and its default action is log only.

l The predef_critical rule includes all the IPS signatures with high severity and its default action is log only.

To configure an IPS rule, take the following steps:

1. Select Object > Intrusion Prevention System > Profile.

2. Click New to create a new IPS rule. To edit an existing one, select the check box of this
rule and then click Edit. To view it, click the name of this rule.

3. Type the name into the Rule name box.

4. Type the description information into the Description text box.

5. In the Signature Set area, the existing signature sets and their settings will be displayed in
the table. Select the desired signature sets. You can also manage the signature sets, including
New, Edit, and Delete.

Click New to create a new signature set rule.

Option Description

Methods: There are two methods: Filtering Feature and Selection Feature. Creating a new signature set includes:

l Name: Specify the name of the signature set.

l Action: Specify the action performed on the abnormal traffic that matches the signature set.

Filter: System categorizes the signatures according to the following aspects (aka main categories): affected OS, attack type, protocol, severity, confidence, released year, affected application, and bulletin board. A signature can be in several subcategories of one main category. For example, the signature of ID 105001 is in the Linux subcategory, the FreeBSD subcategory, and the Other Linux subcategory at the same time.
With Filter selected, system displays the main categories and subcategories above. You can select the subcategories to choose the signatures in those subcategories. As shown below, after selecting the Web Attack subcategory in the Attack Type main category, system will choose the signatures related to this subcategory. To view the detailed information of these chosen signatures, you can click the ID in the table. Click the Disable or Enable button to disable or re-enable the signature. The enabled/disabled state here applies only to the current profile; the global state is not affected.
When selecting a main category and subcategory, note the following:

l You can select multiple subcategories of one main category. The logic relation between them is OR.

l The logic relation between each main category is AND.

l For example, you have selected Windows and Linux in OS and selected HIGH in Severity. The chosen signatures are those whose severity is high and whose affected operating system is either Windows or Linux.

Action

Log Only: Record a log.

Reset: Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs.

Block IP: Block the IP address of the attacker. Specify a block duration. The value range is 60 to 3600 seconds, and the default value is 60.

Block Service: Block the service of the attacker. Specify a block duration. The value range is 60 to 3600 seconds, and the default value is 60.

Default: Execute the action specified in the signature rule.

Note: If you create several signature sets and some of them contain a particular signature, the actions of these signature sets are different, and an attack matches this particular signature, system will adopt the following rules:

l Always perform the stricter action on the attack. The signature set with the stricter action will be matched. The strictness order is: Block IP > Block Service > Reset > Log Only > Default. If one signature set is Block IP with 15s and the other is Block Service with 30s, the final action will be Block IP with 30s.

l The action of the signature set created by Search Condition has higher priority than the action of the signature set created by Filter.

6. Click OK to complete signature set configurations.
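The two rules in the Note above (stricter action wins, longest block duration is kept, Search Condition sets outrank Filter sets), together with the signature ID layout from the Signatures section, as an added Python example written for this guide (not StoneOS code). The strictness order and the "Block IP with 30s" outcome come from the Note; the signature sets, their IDs and the way Default is resolved through a `signature_default` parameter are constructed assumptions, and Search Condition priority is modelled as taking precedence regardless of strictness:

```python
from dataclasses import dataclass

# Protocol ID -> protocol, from the Signatures table
PROTOCOL_IDS = {1: "DNS", 2: "FTP", 3: "HTTP", 4: "POP3", 5: "SMTP", 6: "Telnet",
                7: "Other-TCP", 8: "Other-UDP", 9: "IMAP", 10: "Finger", 11: "SUNRPC",
                12: "NNTP", 13: "TFTP", 14: "SNMP", 15: "MySQL", 16: "MSSQL",
                17: "Oracle", 18: "MSRPC", 19: "NetBIOS", 20: "DHCP", 21: "LDAP", 22: "VoIP"}

# Strictness from the Note: Block IP > Block Service > Reset > Log Only > Default
STRICTNESS = {"block_ip": 4, "block_service": 3, "reset": 2, "log_only": 1, "default": 0}
BLOCKING = ("block_ip", "block_service")


def decode_signature_id(sig_id):
    """Split an IPS signature ID into (protocol name, attacking signature ID):
    the last five decimal digits are the attacking signature ID, the leading
    one or two digits are the protocol ID."""
    protocol_id, attack_id = divmod(sig_id, 100000)
    return PROTOCOL_IDS[protocol_id], attack_id


@dataclass
class SignatureSet:
    name: str
    signatures: frozenset       # signature IDs chosen by Filter or Search Condition
    action: str                 # key of STRICTNESS
    duration: int = 0           # seconds; only meaningful for block_ip / block_service
    by_search: bool = False     # created by Search Condition rather than by Filter


def resolve_action(sets, sig_id, signature_default="reset"):
    """Final (action, duration) for one matched signature across all sets containing it.
    signature_default stands in for the action written in the signature rule itself."""
    hits = [s for s in sets if sig_id in s.signatures]
    if not hits:
        return None
    # Search Condition sets outrank Filter sets; among equals the stricter action wins.
    top = max(hits, key=lambda s: (s.by_search, STRICTNESS[s.action]))
    action = signature_default if top.action == "default" else top.action
    duration = 0
    if action in BLOCKING:
        durations = [s.duration for s in hits if s.action in BLOCKING]
        duration = max(durations) if durations else 0   # longest block wins (15s vs 30s -> 30s)
    return action, duration


def run_sample():
    """Constructed profile with overlapping signature sets."""
    sets = [
        SignatureSet("web-attacks", frozenset({305001, 305002}), "block_ip", duration=15),
        SignatureSet("all-log", frozenset({305001, 105001, 605001}), "log_only"),
        SignatureSet("http-block-svc", frozenset({305001}), "block_service", duration=30),
        SignatureSet("dns-search", frozenset({105001}), "reset", by_search=True),
        SignatureSet("catch-all", frozenset({605001, 705001}), "default"),
    ]
    return {sid: resolve_action(sets, sid) for sid in (305001, 305002, 105001, 605001, 705001, 999999)}


if __name__ == "__main__":
    for sid, result in run_sample().items():
        proto, attack = decode_signature_id(sid)
        print(f"{sid} ({proto}, attack {attack:05d}) -> {result}")
```

Signature 305001 is in a Block IP (15s) set and a Block Service (30s) set, so it resolves to Block IP with a 30-second duration, the case the Note spells out; 105001 shows a Search Condition set overriding a Filter set.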

7. In the Disabled Signature area, the signatures that are disabled in the template will be shown. Select one or more signatures, and then click the Enable button to re-enable the signature.

8. In the Protocol Configuration area, click . The protocol configurations specify the requirements that the protocol part of the traffic must meet. If the protocol part contains abnormal contents, system will process the traffic according to the action configuration. System supports the configurations of HTTP, DNS, FTP, MSRPC, POP3, SMTP, SUNRPC, and Telnet.

In the HTTP tab, configure the following settings:

Option Description

HTTP:

Max Scan Length: Specify the maximum length of scanning when scanning the HTTP packets.

Banner Detection: Click the Enable button to enable protection against HTTP server banners.

l Banner information - Type the new information into the box that will replace the original server banner information.

Protocol Anomaly Detection: Click Enable to analyze the HTTP packets. If abnormal contents exist, you can:

l Protocol Anomaly list: Click to open the <Protocol Anomaly list> dialog, which displays the signature rules related to HTTP protocol anomalies in this profile. Select one or more rules and click Enable to enable the rules, or click Disable to disable the rules.

l Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Max URI Length: Specify a max URI length for the HTTP protocol. If the URI length exceeds the limit, you can:

l Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Allowed Methods: Specify the allowed HTTP methods.

To protect the Web server, configure Web Server in the HTTP tab.
Protecting the Web server means system can detect the following attacks: SQL injection,
XSS injection, external link check, ACL, and HTTP request flood and take actions when
detecting them. A pre-defined Web server protection rule named default is built in. By
default, this protection rule is enabled and cannot be disabled or deleted.
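Two of the Web server protection options described in the table below, the Configure Domain longest-match rule and High Frequency Access Control, as an added Python example written for this guide (not StoneOS code). The rules reproduce the guide's rule1 / rule2 domain example; the request records, the source addresses, the threshold, the per-minute window and the fact that a blocked address stays blocked (no block duration is modelled) are constructed assumptions:

```python
from collections import defaultdict


def select_rule(host, rules, default="default"):
    """Return the name of the protection rule whose configured domain is the
    longest label-wise suffix of `host` (matched from the back), else `default`."""
    labels = host.lower().strip(".").split(".")
    best, best_len = default, 0
    for name, domains in rules.items():
        for domain in domains:
            dl = domain.lower().split(".")
            if len(dl) <= len(labels) and labels[-len(dl):] == dl and len(dl) > best_len:
                best, best_len = name, len(dl)
    return best


class HighFrequencyControl:
    """Per-minute request counter per (source IP, configured URL path).
    A request is counted for every configured path contained in its URL path;
    once a counter passes the threshold the source IP is blocked."""

    def __init__(self, threshold, paths):
        self.threshold = threshold          # 1 .. 65535 times per minute
        self.paths = paths                  # configured URL paths
        self.counts = defaultdict(int)      # (src_ip, path, minute) -> hits
        self.blocked = set()                # blocked source IPs (duration not modelled)

    def check(self, src_ip, url_path, ts):
        """Return 'allowed' or 'blocked' for one HTTP request at epoch second `ts`."""
        if src_ip in self.blocked:
            return "blocked"
        minute = ts // 60
        for path in self.paths:
            if path in url_path:
                key = (src_ip, path, minute)
                self.counts[key] += 1
                if self.counts[key] > self.threshold:
                    self.blocked.add(src_ip)
                    return "blocked"
        return "allowed"


def run_sample():
    """Constructed rules and requests reproducing the guide's domain example."""
    rules = {"rule1": ["abc.com"], "rule2": ["email.abc.com"]}
    hosts = ["news.abc.com", "www.email.abc.com", "www.abc.com.cn", "abc.com"]
    matched = {h: select_rule(h, rules) for h in hosts}

    hfc = HighFrequencyControl(threshold=3, paths=["/login"])
    verdicts = [hfc.check("203.0.113.7", "/app/login.php", ts=i) for i in range(5)]
    verdicts.append(hfc.check("203.0.113.8", "/app/login.php", ts=0))   # another client
    verdicts.append(hfc.check("203.0.113.7", "/index.html", ts=120))     # still blocked
    return matched, verdicts


if __name__ == "__main__":
    matched, verdicts = run_sample()
    for host, rule in matched.items():
        print(f"{host:20} -> {rule}")
    print(verdicts)
```

The suffix match is done on whole labels, so www.abc.com.cn does not match abc.com and falls through to the default rule, while news.abc.com matches rule1 and www.email.abc.com the longer rule2.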
Configure the following settings to protect the Web server:

Name: Specify the name of the Web server protection rule.

Configure Domain: Specify the domains protected by this rule. Click the link and the Configure Domain page will appear. Enter the domain names in the Domain text box. At most 5 domains can be configured. The traffic to these domains will be checked by the protection rule.
The domain name of the Web server follows the longest match rule from the back to the front. Traffic that does not match any rule matches the default Web server. For example, you have configured two protection rules: rule1 and rule2. The domain name in rule1 is abc.com. The domain name in rule2 is email.abc.com. Traffic that visits news.abc.com matches rule1, traffic that visits www.email.abc.com matches rule2, and traffic that visits www.abc.com.cn matches the default protection rule.

High Frequency Access Control: Click the Enable button to enable the High Frequency Access Control feature. When this function is enabled, system blocks the traffic of a source IP address whose access frequency exceeds the threshold.
- Threshold: Specifies the maximum number of times a single source IP accesses the URL path per minute. When the frequency of a source IP address exceeds this threshold, system blocks the flow of the IP. The value ranges from 1 to 65535 times per minute.
- URL Path: Click the link and the URL Page Configuration page appears. Click New and enter the URL path in the Path text box. After the configuration, all paths that contain the configured path are also counted. System keeps access frequency statistics for the HTTP requests that access these paths. If the access frequency of the HTTP requests exceeds the threshold, the source IP of the requests is blocked and can no longer access the Web server. For example, if you configure '/home/ab', system performs a frequency check on HTTP requests such as 'access/home/ab/login' and '/home/BC/login'. The URL path does not support a path format that contains the host name or domain name. For example, you cannot configure www.baidu.com/home/login.html; configure '/home/login.html' instead, and configure 'www.baidu.com' in the corresponding Web server domain name settings. You can configure up to 32 URL paths. The length of each path is in the range of 1-255 characters.

SQL Injection Protection: Click the Enable button to enable the SQL injection check.
- Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
- Sensitivity: Specifies the sensitivity of the SQL injection protection function. The higher the sensitivity, the lower the false negative rate.
- Check point: Specifies the check point for the SQL injection check. It can be Cookie, Cookie2, Post, Referer or URI.

XSS Injection Protection: Click the Enable button to enable the XSS injection check for the HTTP protocol.
- Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
- Sensitivity: Specifies the sensitivity of the XSS injection protection function. The higher the sensitivity, the lower the false negative rate.
- Check point: Specifies the check point for the XSS injection check. It can be Cookie, Cookie2, Post, Referer or URI.

External Link Check: Click the Enable button to enable the external link check for the Web server. This function controls resource references from external sites.
- External link exception: Click this link, and the External Link Exception Configuration page will appear. All the URLs configured on this page can be linked by the Web server. At most 32 URLs can be specified for one Web server.
- Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs.

Hotlinking Check: Click the Enable button to enable Hotlinking Check. System checks the headers of the HTTP packets and obtains the source site of the HTTP request. If the source site is in the Hotlinking Exception list, system releases the request; otherwise, system logs it or resets the connection. This controls which other sites may link to the Web site and helps prevent CSRF (Cross Site Request Forgery) attacks.
- Hotlinking Exception: Click 'Hotlinking Exception' to open the <Hotlinking Exception Configuration> page, where the configured URLs are permitted to refer to the Web site. Each Web server can be configured with up to 32 URLs.
- Action: Specify the action for the HTTP request that shows hotlinking behavior, either "Log only" or "Reset".

Iframe check: Click the Enable button to enable iframe checking. With this function, system identifies hidden iframes in HTML pages and then logs them or resets the connection. After iframe checking is enabled, system checks the iframes in the HTML page against the specified iframe height and width; when the height or width is less than or equal to the configured value, system identifies it as a hidden iframe attack and records a log or resets the connection.
- Height: Specifies the height value for the iframe, in the range 0 to 4096.
- Width: Specifies the width value for the iframe, in the range 0 to 4096.
- Action: Specify the action for the HTTP request that carries a hidden iframe, either 'Log Only' or 'Reset'. Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs.

ACL: Click the Enable button to enable access control for the Web server. The access control function checks the upload paths of the websites to prevent attackers from uploading malicious code.
- ACL: Click this link, and the ACL Configuration page appears. Specify websites and their properties on this page. "Static" means the URI can only be accessed statically as a static resource (images and text); otherwise, the access is handled according to the specified action (log only/reset). "Block" means the resource of the website is not allowed to be accessed.
- Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs.

HTTP Request Flood Protection: Select the Enable check box to enable HTTP request flood protection. Both IPv4 and IPv6 addresses are supported.
- Request threshold: Specifies the request threshold.
  - For the protected domain name, when the number of HTTP connection requests per second reaches the threshold and this lasts 20 seconds, system treats it as an HTTP request flood attack and enables HTTP request flood protection.
  - For the protected full URL, when the number of HTTP connection requests per second towards this URL reaches the threshold and this lasts 20 seconds, system treats it as an HTTP request flood attack towards this URL and enables HTTP request flood protection.
- Full URL: Enter full URLs to protect particular URLs. Click this link to configure the URLs, for example, www.example.com/index.html. When protecting a particular URL, you can select a statistic object. When the number of HTTP connection requests per second by the object reaches the threshold and this lasts 20 seconds, system treats it as an HTTP request flood attack by this object and enables HTTP request flood protection.
  - x-forwarded-for: Select None, and system does not use the value in x-forwarded-for as the statistic object. Select First, and system uses the first value of the x-forwarded-for field as the statistic object. Select Last, and system uses the last value of the x-forwarded-for field as the statistic object. Select All, and system uses all values in x-forwarded-for as the statistic object.
  - x-real-ip: Select whether to use the value in the x-real-ip field as the statistic object.
When an HTTP request flood attack is discovered, you can make the system take the following actions:
- Authentication: Specifies the authentication method. System judges the legitimacy of the HTTP requests from a source IP through the authentication. If a source IP fails the authentication, the current request from the source IP is blocked. The available authentication methods are:
  - Auto (JS Cookie): The Web browser finishes the authentication process automatically.
  - Auto (Redirect): The Web browser finishes the authentication process automatically.
  - Manual (Access Configuration): The initiator of the HTTP request must confirm by clicking OK on the returned page to finish the authentication process.
  - Manual (CAPTCHA): The initiator of the HTTP request must enter the authentication code on the returned page to finish the authentication process.
- Crawler-friendly: If this button is clicked, system does not authenticate crawlers.
- Request limit: Specifies the request limit for HTTP request flood protection. After the request limit is configured, system limits the request rate of each source IP. If the request rate is higher than the limit specified here and HTTP request flood protection is enabled, system handles the excess requests according to the specified action (Block IP/Reset). To record a log, click the Record log enable button.
- Proxy limit: Specifies the proxy limit for HTTP request flood protection. After the proxy limit is configured, system checks whether each source IP belongs to a proxy server and, if it does, limits its request rate according to the configuration. If the request rate is higher than the limit specified here and HTTP request flood protection is enabled, system handles the excess requests according to the specified action (Block IP/Reset). To record a log, click the Record log enable button.
- White List: Specifies the white list for HTTP request flood protection. Source IPs added to the white list are not checked by HTTP request flood protection.
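The two Web server behaviours above that are easiest to get wrong in practice are the back-to-front longest domain match (which rule a host name lands in) and the High Frequency Access Control counter (which requests count and when a source IP is blocked). The following is an added example modelling both; it is not StoneOS or Hillstone code. The per-minute window, the case-sensitive "contains" match for URL paths and the indefinite block are assumptions; the rule names, domains and host names are the ones from the Configure Domain example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List


@dataclass
class WebServerRule:
    """One Web server protection rule: up to 5 domains, up to 32 URL paths."""
    name: str
    domains: List[str]
    url_paths: List[str] = field(default_factory=list)
    threshold: int = 100  # max accesses per source IP per minute (1-65535)


# Built-in rule that catches traffic matching no configured domain.
DEFAULT_RULE = WebServerRule(name="default", domains=[])


def _labels(name: str) -> List[str]:
    return name.lower().strip(".").split(".")


def suffix_match_len(host: str, domain: str) -> int:
    """Labels of `domain` matched against the tail of `host` (back to front).

    Returns 0 unless every label of `domain` matches, so 'abc.com' matches
    'news.abc.com' (2 labels) but not 'www.abc.com.cn'.
    """
    h, d = _labels(host), _labels(domain)
    if len(d) > len(h) or h[len(h) - len(d):] != d:
        return 0
    return len(d)


def select_rule(host: str, rules: List[WebServerRule]) -> WebServerRule:
    """Longest back-to-front domain match wins; no match falls to 'default'."""
    best, best_len = DEFAULT_RULE, 0
    for rule in rules:
        for domain in rule.domains:
            n = suffix_match_len(host, domain)
            if n > best_len:
                best, best_len = rule, n
    return best


def valid_url_path(path: str) -> bool:
    """A URL path is 1-255 characters and carries no host name: configure
    '/home/login.html' here and put the host in the rule's domain list."""
    return 1 <= len(path) <= 255 and path.startswith("/")


class HighFrequencyAccessControl:
    """Per-source-IP counter for requests whose path contains a configured URL
    path, over a sliding 60-second window. Assumptions: case-sensitive
    substring match; a blocked IP stays blocked (no block duration modelled)."""

    WINDOW = 60.0

    def __init__(self, rule: WebServerRule) -> None:
        self.rule = rule
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)
        self.blocked: Dict[str, float] = {}  # src_ip -> time it was blocked

    def _is_counted(self, path: str) -> bool:
        return any(cfg in path for cfg in self.rule.url_paths)

    def request(self, src_ip: str, path: str, now: float) -> str:
        """Returns 'blocked', 'counted' or 'ignored' for one HTTP request."""
        if src_ip in self.blocked:
            return "blocked"
        if not self._is_counted(path):
            return "ignored"
        hits = self._hits[src_ip]
        hits.append(now)
        while hits and now - hits[0] >= self.WINDOW:  # expire hits older than a minute
            hits.popleft()
        if len(hits) > self.rule.threshold:  # frequency *exceeds* the threshold
            self.blocked[src_ip] = now
            return "blocked"
        return "counted"


if __name__ == "__main__":
    rule1 = WebServerRule("rule1", ["abc.com"])
    rule2 = WebServerRule("rule2", ["email.abc.com"])
    for host in ("news.abc.com", "www.email.abc.com", "www.abc.com.cn"):
        print(host, "->", select_rule(host, [rule1, rule2]).name)
```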
In the DNS tab, configure the following settings:

Option: DNS

Max Scan Length: Specify the maximum length of scanning when scanning the DNS packets.

Protocol Anomaly Detection: Select Enable to analyze the DNS packets. If abnormal contents exist, you can:
- Protocol Anomaly list: Click to open the <Protocol Anomaly list> dialog, which displays the protocol anomaly signature rules for this protocol in this profile. Select one or more rules and click Enable to enable the rules, or click Disable to disable the rules.
- Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

In the FTP tab, configure the following settings:

Option: FTP

Max Scan Length: Specify the maximum length of scanning when scanning the FTP packets.

Banner Detection: Click the Enable button to enable protection against FTP server banners.
- Banner Information: Type the new information into the box that will replace the original server banner information.

Protocol Anomaly Detection: Select Enable to analyze the FTP packets. If abnormal contents exist, you can:
- Protocol Anomaly list: Click to open the <Protocol Anomaly list> dialog, which displays the protocol anomaly signature rules for this protocol in this profile. Select one or more rules and click Enable to enable the rules, or click Disable to disable the rules.
- Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Max Command Line Length: Specifies a max length (including carriage return) for the FTP command line. If the length exceeds the limit, you can:
- Capture Packets: Capture the abnormal packets. You can view them in the threat log.
- Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Max Response Line Length: Specifies a max length for the FTP response line. If the length exceeds the limit, you can:
- Capture Packets: Capture the abnormal packets. You can view them in the threat log.
- Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Action for Brute-force: If the number of failed login attempts per minute reaches the threshold, system identifies the attempts as an intrusion and takes an action according to the configuration. Click the Enable button to enable brute-force protection. Non-root VSYS does not support this option.
- Login Threshold per Min - Specifies the permitted number of authentication/login failures per minute.
- Block IP - Block the IP address of the attacker and specify a block duration.
- Block Service - Block the service of the attacker and specify a block duration.
- Block Time - Specifies the block duration.
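The FTP tab combines two kinds of check: line-length limits on the command and response lines, and the brute-force rule that blocks a source IP for the block time once failed logins per minute reach the threshold. The following added example (not StoneOS or Hillstone code) runs a constructed client/server exchange through both. The limit values and the session are constructed; treating the RFC 959 reply code 530 as a failed login is an assumption, since the guide does not say how a failure is recognised.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class FtpProfile:
    """FTP tab settings; the numeric values are constructed, not StoneOS defaults."""
    max_command_line: int = 64        # bytes, CR LF included
    max_response_line: int = 128      # bytes
    length_action: str = "reset"      # Log Only / Reset / Block IP / Block Service
    login_threshold_per_min: int = 3  # permitted login failures per minute
    block_time: float = 300.0         # seconds a blocked source IP stays blocked


def check_command_line(line: bytes, profile: FtpProfile) -> Optional[str]:
    """Action to take when a client command line exceeds the limit, else None."""
    return profile.length_action if len(line) > profile.max_command_line else None


def check_response_line(line: bytes, profile: FtpProfile) -> Optional[str]:
    """Action to take when a server response line exceeds the limit, else None."""
    return profile.length_action if len(line) > profile.max_response_line else None


def is_login_failure(reply: bytes) -> bool:
    """Assumption: a failed USER/PASS is recognised by the RFC 959 reply 530."""
    return reply.startswith(b"530")


class BruteForceGuard:
    """Counts login failures per source IP per minute and blocks the IP for
    `block_time` seconds once the count reaches the configured threshold."""

    def __init__(self, profile: FtpProfile) -> None:
        self.profile = profile
        self._failures: Dict[Tuple[str, int], int] = defaultdict(int)
        self._blocked_until: Dict[str, float] = {}

    def is_blocked(self, src_ip: str, now: float) -> bool:
        until = self._blocked_until.get(src_ip)
        if until is None:
            return False
        if now >= until:          # block time elapsed, lift the block
            del self._blocked_until[src_ip]
            return False
        return True

    def on_reply(self, src_ip: str, reply: bytes, now: float) -> Optional[str]:
        """Feed one server reply; returns 'block-ip' when the threshold is hit."""
        if not is_login_failure(reply):
            return None
        key = (src_ip, int(now // 60))  # failures are counted per minute bucket
        self._failures[key] += 1
        if self._failures[key] >= self.profile.login_threshold_per_min:
            self._blocked_until[src_ip] = now + self.profile.block_time
            return "block-ip"
        return None


def inspect_session(src_ip: str, exchanges: List[Tuple[bytes, bytes]],
                    profile: FtpProfile, t0: float = 0.0) -> List[Tuple[float, str]]:
    """Run (command, reply) pairs, one per second, through every check and
    return the (time, event) pairs the device would log."""
    guard = BruteForceGuard(profile)
    events: List[Tuple[float, str]] = []
    for i, (cmd, reply) in enumerate(exchanges):
        now = t0 + i
        if guard.is_blocked(src_ip, now):
            events.append((now, "dropped: source IP blocked"))
            continue
        action = check_command_line(cmd, profile)
        if action:
            events.append((now, f"command line too long: {action}"))
        action = check_response_line(reply, profile)
        if action:
            events.append((now, f"response line too long: {action}"))
        if guard.on_reply(src_ip, reply, now) == "block-ip":
            events.append((now, "brute-force: block IP"))
    return events


# Constructed session: one over-long command line, then four failed logins.
SAMPLE_SESSION = [
    (b"SITE " + b"A" * 80 + b"\r\n", b"500 Unknown command.\r\n"),
    (b"USER alice\r\n", b"331 Password required for alice.\r\n"),
    (b"PASS guess1\r\n", b"530 Login incorrect.\r\n"),
    (b"PASS guess2\r\n", b"530 Login incorrect.\r\n"),
    (b"PASS guess3\r\n", b"530 Login incorrect.\r\n"),
    (b"PASS guess4\r\n", b"530 Login incorrect.\r\n"),
]

if __name__ == "__main__":
    for t, event in inspect_session("203.0.113.7", SAMPLE_SESSION, FtpProfile()):
        print(f"t={t:>4.0f}s  {event}")
```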

In the MSRPC tab, configure the following settings:

Option: MSRPC

Max Scan Length: Specify the maximum length of scanning when scanning the MSRPC packets.

Protocol Anomaly Detection: Select Enable to analyze the MSRPC packets. If abnormal contents exist, you can:
- Protocol Anomaly list: Click to open the <Protocol Anomaly list> dialog, which displays the protocol anomaly signature rules for this protocol in this profile. Select one or more rules and click Enable to enable the rules, or click Disable to disable the rules.
- Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Max bind length: Specifies a max length for MSRPC binding packets. If the length exceeds the limit, you can:
- Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Max request length: Specifies a max length for MSRPC request packets. If the length exceeds the limit, you can:
- Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Action for Brute-force: If the number of failed login attempts per minute reaches the threshold, system identifies the attempts as an intrusion and takes an action according to the configuration. Select the Enable check box to enable brute-force protection. Non-root VSYS does not support this option.
- Login Threshold per Min - Specifies the permitted number of authentication/login failures per minute.
- Block IP - Block the IP address of the attacker and specify a block duration.
- Block Service - Block the service of the attacker and specify a block duration.
- Block Time - Specifies the block duration.

In the POP3 tab, configure the following settings:

Option: POP3

Max Scan Length: Specify the maximum length of scanning when scanning the POP3 packets.

Protocol Anomaly Detection: Click the Enable button to analyze the POP3 packets. If abnormal contents exist, you can:
- Protocol Anomaly list: Click to open the <Protocol Anomaly list> dialog, which displays the protocol anomaly signature rules for this protocol in this profile. Select one or more rules and click Enable to enable the rules, or click Disable to disable the rules.
- Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Banner Detection: Click the Enable button to enable protection against POP3 server banners.
- Banner information - Type the new information into the box that will replace the original server banner information.

Max Command Line Length: Specifies a max length (including carriage return) for the POP3 command line. If the length exceeds the limit, you can:
- Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Max Parameter Length: Specifies a max length for the POP3 client command parameter. If the length exceeds the limit, you can:
- Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Max Failure Time: Specifies the maximum number of failures (within one single POP3 session) for the POP3 server. If the number of failures exceeds the limit, you can:
- Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Action for Brute-force: If the number of failed login attempts per minute reaches the threshold, system identifies the attempts as an intrusion and takes an action according to the configuration. Click the Enable button to enable brute-force protection. Non-root VSYS does not support this option.
- Login Threshold per Min - Specifies the permitted number of authentication/login failures per minute.
- Block IP - Block the IP address of the attacker and specify a block duration.
- Block Service - Block the service of the attacker and specify a block duration.
- Block Time - Specifies the block duration.

In the SMTP tab, configure the following settings:

Option: SMTP

Max Scan Length: Specify the maximum length of scanning when scanning the SMTP packets.

Protocol Anomaly Detection: Click Enable to analyze the SMTP packets. If abnormal contents exist, you can:
- Protocol Anomaly list: Click to open the <Protocol Anomaly list> dialog, which displays the protocol anomaly signature rules for this protocol in this profile. Select one or more rules and click Enable to enable the rules, or click Disable to disable the rules.
- Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Banner Detection: Click the Enable button to enable protection against SMTP server banners.
- Banner information - Type the new information into the box that will replace the original server banner information.

Max Command Line Length: Specifies a max length (including carriage return) for the SMTP command line. If the length exceeds the limit, you can:
- Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Max Path Length: Specifies a max length for the reverse-path and forward-path fields in the SMTP client command. If the length exceeds the limit, you can:
- Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Max Reply Line Length: Specifies a max reply line length for the SMTP server. If the length exceeds the limit, you can:
- Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Max Text Line Length: Specifies a max length for the E-mail text of the SMTP client. If the length exceeds the limit, you can:
- Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Max Content Type Length: Specifies a max length for the content-type of the SMTP protocol. If the length exceeds the limit, you can:
- Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Max Content Filename Length: Specifies a max length for the filename of an E-mail attachment. If the length exceeds the limit, you can:
- Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Max Failure Time: Specifies the maximum number of failures (within one single SMTP session) for the SMTP server. If the number of failures exceeds the limit, you can:
- Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Action for Brute-force: If the number of failed login attempts per minute reaches the threshold, system identifies the attempts as an intrusion and takes an action according to the configuration. Click the Enable button to enable brute-force protection. Non-root VSYS does not support this option.
- Login Threshold per Min - Specifies the permitted number of authentication/login failures per minute.
- Block IP - Block the IP address of the attacker and specify a block duration.
- Block Service - Block the service of the attacker and specify a block duration.
- Block Time - Specifies the block duration.

In the SUNRPC tab, configure the following settings:

Option: SUNRPC

Max Scan Length: Specify the maximum length of scanning when scanning the SUNRPC packets.

Protocol Anomaly Detection: Click Enable to analyze the SUNRPC packets. If abnormal contents exist, you can:
- Protocol Anomaly list: Click to open the <Protocol Anomaly list> dialog, which displays the protocol anomaly signature rules for this protocol in this profile. Select one or more rules and click Enable to enable the rules, or click Disable to disable the rules.
- Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Action for Brute-force: If the number of failed login attempts per minute reaches the threshold, system identifies the attempts as an intrusion and takes an action according to the configuration. Click the Enable button to enable brute-force protection. Non-root VSYS does not support this option.
- Login Threshold per Min - Specifies the permitted number of authentication/login failures per minute.
- Block IP - Block the IP address of the attacker and specify a block duration.
- Block Service - Block the service of the attacker and specify a block duration.
- Block Time - Specifies the block duration.

In the Telnet tab, configure the following settings:

Option: Telnet

Max Scan Length: Specify the maximum length of scanning when scanning the Telnet packets.

Protocol Anomaly Detection: Click Enable to analyze the Telnet packets. If abnormal contents exist, you can:
- Protocol Anomaly list: Click to open the <Protocol Anomaly list> dialog, which displays the protocol anomaly signature rules for this protocol in this profile. Select one or more rules and click Enable to enable the rules, or click Disable to disable the rules.
- Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Username/Password Max Length: Specifies a max length for the username and password used in Telnet. If the length exceeds the limit, you can:
- Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Action for Brute-force: If the number of failed login attempts per minute reaches the threshold, system identifies the attempts as an intrusion and takes an action according to the configuration. Click the Enable button to enable brute-force protection. Non-root VSYS does not support this option.
- Login Threshold per Min - Specifies the permitted number of authentication/login failures per minute.
- Block IP - Block the IP address of the attacker and specify a block duration.
- Block Service - Block the service of the attacker and specify a block duration.
- Block Time - Specifies the block duration.

9. Click Save to complete the protocol configurations.

10. Click OK to complete the IPS rule configurations.

Cloning an IPS Rule

System supports the rapid cloning of an IPS rule. The user can generate a new IPS rule by modi-
fying some parameters of the cloned IPS rule.
To clone an IPS rule, take the following steps:

1. Select Object > Intrusion Prevention System > Profile.

2. Select an IPS rule in the list.

3. Click Clone above the list. The Name configuration box appears below the button; enter the name of the cloned IPS rule.

4. A cloned IPS rule will be generated in the list.

IPS Global Configuration


Configuring the IPS global settings includes:

l Enable the IPS function

l Specify how to merge logs

l Specify the work mode

Click Object > Intrusion Prevention System > Configuration to configure the IPS global set-
tings.

IPS: Click/clear the Enable button to enable/disable the IPS function.

Log Aggregate Type: System can merge IPS logs that have the same protocol ID, the same VSYS ID, the same Signature ID, the same log ID, and the same merging type. This helps reduce the number of logs and avoids receiving redundant logs. The function is disabled by default. Select the merging type in the drop-down list:
- Do Not Merge - Do not merge any logs.
- Source IP - Merge the logs with the same Source IP.
- Destination IP - Merge the logs with the same Destination IP.
- Source IP, Destination IP - Merge the logs with the same Source IP and the same Destination IP.

Aggregate Time: Specifies the time granularity at which IPS threat logs of the same merging type (specified above) are stored in the database. Within one time granularity, the same type of log is stored only once. It ranges from 10 to 600 seconds.

Mode: Specifies a working mode for IPS:
- IPS - If attacks have been detected, StoneOS generates logs and also resets connections or blocks attackers. This is the default mode.
- Log only - If attacks have been detected, StoneOS only generates logs, and does not reset connections or block attackers.

Record HTTP Proxy IP: Click the Enable check box to enable the device to record the HTTP proxy IP. When enabled, system records only the IP address of the HTTP proxy in the threat log, not the real IP address of the threat source. When disabled, system parses the HTTP header to obtain the real IP address of the threat source and displays it in the threat log. The function is enabled by default.
Note:
- This function only takes effect in the HTTP proxy deployment scenario and only for HTTP traffic.
- This function only takes effect in threat logs generated by IPS filtering; otherwise it does not take effect.

After the configurations, click OK to save the settings.

Notes: Non-root VSYS does not support IPS global configuration.
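The merging rule in the table above (logs with the same protocol ID, VSYS ID, signature ID, log ID and merging type are stored once per Aggregate Time window) can be written out as a small aggregator so that you can see how many log entries a given setting actually leaves. This is an added example, not StoneOS code: the ThreatLog record layout, the time-bucket arithmetic (event time divided by the aggregate time) and the sample log entries are constructed assumptions about the device's behaviour.

```python
"""IPS log aggregation by merge type and Aggregate Time window.

Added example, not StoneOS code: the record layout, the bucketing and the
sample log entries below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Merge type -> the extra fields that must also be equal for two logs to merge.
MERGE_TYPES = {
    "none": (),                       # Do Not Merge
    "src": ("src_ip",),               # Source IP
    "dst": ("dst_ip",),               # Destination IP
    "src_dst": ("src_ip", "dst_ip"),  # Source IP, Destination IP
}


@dataclass(frozen=True)
class ThreatLog:
    ts: int            # event time in seconds (constructed)
    protocol_id: int
    vsys_id: int
    signature_id: int
    log_id: int
    src_ip: str
    dst_ip: str


@dataclass
class AggregatedLog:
    first: ThreatLog   # the log entry that is actually stored
    count: int = 1     # raw logs folded into it


def merge_key(log: ThreatLog, merge_type: str, aggregate_time: int) -> Optional[Tuple]:
    """Key under which two logs count as duplicates, or None when merging is off."""
    if merge_type == "none":
        return None
    if not 10 <= aggregate_time <= 600:        # the WebUI accepts 10..600 seconds
        raise ValueError("aggregate_time must be 10..600 seconds")
    extra = tuple(getattr(log, f) for f in MERGE_TYPES[merge_type])
    bucket = log.ts // aggregate_time           # same window => same time granularity
    return (log.protocol_id, log.vsys_id, log.signature_id, log.log_id, bucket) + extra


def aggregate(logs: List[ThreatLog], merge_type: str = "none",
              aggregate_time: int = 60) -> List[AggregatedLog]:
    """Returns the entries that would be stored, in arrival order, with merge counts."""
    stored: List[AggregatedLog] = []
    seen: Dict[Tuple, AggregatedLog] = {}
    for log in logs:
        key = merge_key(log, merge_type, aggregate_time)
        if key is None:
            stored.append(AggregatedLog(log))
            continue
        entry = seen.get(key)
        if entry is None:
            entry = AggregatedLog(log)
            seen[key] = entry
            stored.append(entry)
        else:
            entry.count += 1
    return stored


# Constructed sample: one source hitting two hosts with the same signature inside
# one 60-second window, one different signature, and one hit in the next window.
SAMPLE = [
    ThreatLog(1200, 6, 1, 1234, 1, "198.51.100.7", "192.0.2.10"),
    ThreatLog(1210, 6, 1, 1234, 1, "198.51.100.7", "192.0.2.10"),
    ThreatLog(1220, 6, 1, 1234, 1, "198.51.100.7", "192.0.2.11"),
    ThreatLog(1230, 6, 1, 5678, 1, "198.51.100.7", "192.0.2.10"),
    ThreatLog(1300, 6, 1, 1234, 1, "198.51.100.7", "192.0.2.10"),
]

if __name__ == "__main__":
    for mt in MERGE_TYPES:
        out = aggregate(SAMPLE, mt, 60)
        print(f"{mt:8s}: {len(out)} stored, merge counts {[e.count for e in out]}")
```

With Source IP merging the three hits of signature 1234 in the first window collapse to one stored entry even though they target two hosts; with Destination IP or Source IP, Destination IP merging the second host keeps its own entry, which is the distinction to keep in mind when choosing a merge type.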

Signature List
Select Object > Intrusion Prevention System > Signature List. You can see the signature list.

The upper section is for searching signatures. The lower section is for managing signatures.

Searching Signatures

In the upper section, click Filter to set the search conditions to search the signatures that match
the condition.

To clear all search conditions, click Remove All. To save the search conditions, click and then
click Save Filters to name this set of search conditions and save it.

Managing Signatures

You can view signatures, create a new signature, load the database, delete a signature, edit a signature, enable a signature, and disable a signature.

• View signatures: In the signature list, click the "+" button before the ID of a signature to view the details.

• Create a new signature: click New.

In the User-defined Signature page, configure the following settings:

Option: Description

Name: Specifies the signature name.

Description: Specifies the signature description.

Protocol: Specifies the affected protocol.

Flow: Specifies the direction.

• To_Server means the attack packet is from the server to the client.

• To_Client means the attack packet is from the client to the server.

• Any includes To_Server and To_Client.

Source Port: Specifies the source port of the signature.

• Any - Any source port.

• Included - The source port you specified should be included. It can be one port, several ports, or a range. Specify the port numbers in the text box, separated by ",".

• Excluded - The source port you specified should be excluded. It can be one port, several ports, or a range. Specify the port numbers in the text box, separated by ",".

Destination Port: Specifies the destination port of the signature.

• Any - Any destination port.

• Included - The destination port you specified should be included. It can be one port, several ports, or a range. Specify the port numbers in the text box, separated by ",".

• Excluded - The destination port you specified should be excluded. It can be one port, several ports, or a range. Specify the port numbers in the text box, separated by ",".

Dsize: Specifies the payload message size. Select "----", ">", "<" or "=" from the drop-down list and specify the value in the text box. "----" means the parameter is not set.

Severity: Specifies the severity of the attack.

Attack Type: Select the attack type from the drop-down list.

Application: Select the affected applications. "----" means all applications.

Operating System: Select the affected operating system from the drop-down list. "----" means all the operating systems.

Bulletin Board: Select a bulletin board of the attack.

Year: Specifies the release year of the attack.

Detection Filter: Specifies the match frequency of the signature rule.

• Track - Select the track type from the drop-down list. It can be by_source or by_destination. The system will use the statistics of the source IP or the destination IP to check whether the attack matches this rule.

• Count - Specifies the maximum number of times the rule may match in the specified time. If the attacks exceed the Count value, the system will trigger the rule and act as specified.

• Seconds - Specifies the time interval, in seconds, over which the Count is evaluated.

Configure Content, click New to specify the content of the signature:

Option: Description

Content: Specifies the signature content. Select the following check boxes if needed:

• HEX - Means the content is hexadecimal.

• Case Insensitive - Means the content is not case sensitive.

• URI - Means the content needs to match the URI field of the HTTP request.

Relative: Specifies the signature content location.

• If Beginning is selected, the system will search from the beginning of the application layer packet.

  • Offset: The system will start searching after the offset from the beginning of the application layer packet. The unit is byte.

  • Depth: Specifies the scanning length after the offset. The unit is byte.

• If Last Content is selected, the system will search from the end position of the previous content.

  • Distance: The system will start searching after the distance from the former content end position. The unit is byte.

  • Within: Specifies the scanning length after the distance. The unit is byte.

• Load the database: After you create a new signature, click Load Database to make the newly created signature take effect.

• Edit a signature: Select a signature and then click Edit. You can only edit user-defined signatures. After editing the signature, click Load Database to make the modifications take effect.

• Delete a signature: Select a signature and then click Delete. You can only delete user-defined signatures. After deleting the signature, click Load Database to make the deletion take effect.

• Enable/Disable signatures: After selecting signatures, click Enable or Disable.

Notes: Non-root VSYS does not support signature list.
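The user-defined signature options above combine into a single evaluation: each Content entry is searched in a window placed either from the beginning of the payload (Offset/Depth) or after the previous match (Distance/Within), Dsize constrains the payload size, and the Detection Filter only fires the rule once more than Count matches have been tracked per source or destination within Seconds. The code below is an added example of that evaluation, not StoneOS code: the field names mirror the WebUI options, but the exact window semantics, the rule itself and the two HTTP payloads are constructed assumptions.

```python
"""Evaluating a user-defined IPS signature: Content positioning (Beginning/Offset/
Depth, Last Content/Distance/Within), Dsize, and a Detection Filter.

Added example, not StoneOS code; rule, payloads and semantics are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional


@dataclass
class Content:
    pattern: str
    hex: bool = False                # HEX: pattern is hexadecimal text
    case_insensitive: bool = False   # Case Insensitive
    relative: str = "beginning"      # "beginning" or "last_content"
    offset: int = 0                  # Beginning: bytes skipped from the payload start
    depth: Optional[int] = None      # Beginning: bytes scanned after the offset
    distance: int = 0                # Last Content: bytes skipped after the previous match
    within: Optional[int] = None     # Last Content: bytes scanned after the distance

    def needle(self) -> bytes:
        return bytes.fromhex(self.pattern) if self.hex else self.pattern.encode()


def match_contents(payload: bytes, contents: List[Content]) -> bool:
    """Every Content must match; each window is placed relative to the previous hit."""
    last_end = 0                                   # end of the previous content match
    for c in contents:
        if c.relative == "beginning":
            start = c.offset
            limit = len(payload) if c.depth is None else start + c.depth
        else:
            start = last_end + c.distance
            limit = len(payload) if c.within is None else start + c.within
        window, needle = payload[start:limit], c.needle()
        if c.case_insensitive:
            window, needle = window.lower(), needle.lower()
        pos = window.find(needle)                  # the whole needle must fit in the window
        if pos < 0:
            return False
        last_end = start + pos + len(needle)
    return True


@dataclass
class DetectionFilter:
    track: str      # "by_source" or "by_destination"
    count: int      # matches tolerated within `seconds` before the rule fires
    seconds: int


class SignatureRule:
    def __init__(self, contents, dsize=None, det_filter=None):
        self.contents, self.dsize, self.det_filter = contents, dsize, det_filter
        self._hits: Dict[str, Deque[int]] = defaultdict(deque)   # hit times per tracked IP

    def _dsize_ok(self, payload: bytes) -> bool:
        if self.dsize is None:                     # "----": no size constraint
            return True
        op, value = self.dsize
        n = len(payload)
        return {">": n > value, "<": n < value, "=": n == value}[op]

    def evaluate(self, src_ip: str, dst_ip: str, payload: bytes, now: int) -> bool:
        """True when the rule triggers, i.e. when IPS would log (and reset/block)."""
        if not self._dsize_ok(payload) or not match_contents(payload, self.contents):
            return False
        f = self.det_filter
        if f is None:
            return True
        hits = self._hits[src_ip if f.track == "by_source" else dst_ip]
        hits.append(now)
        while hits and now - hits[0] >= f.seconds:  # keep only the last `seconds`
            hits.popleft()
        return len(hits) > f.count


def make_rule() -> SignatureRule:
    """Constructed rule: "GET " at the start, "/cgi-bin/" (given in HEX) beginning
    within 16 bytes after it, then a constructed scanner marker anywhere later;
    fires on the third match from one source within 10 seconds."""
    return SignatureRule(
        contents=[
            Content("GET ", offset=0, depth=4),
            Content("2f6367692d62696e2f", hex=True, relative="last_content", within=16),
            Content("constructed-scanner", case_insensitive=True, relative="last_content"),
        ],
        dsize=(">", 10),
        det_filter=DetectionFilter("by_source", count=2, seconds=10),
    )


GOOD = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
BAD = (b"GET /cgi-bin/probe.cgi HTTP/1.1\r\nHost: example.com\r\n"
       b"User-Agent: CONSTRUCTED-scanner\r\n\r\n")


def run_sample() -> List[bool]:
    """Replays constructed requests from one source; only the third hit in 10 s fires."""
    rule = make_rule()
    return [rule.evaluate("198.51.100.7", "192.0.2.10", p, t)
            for t, p in [(0, BAD), (1, BAD), (2, BAD), (3, GOOD), (20, BAD)]]


if __name__ == "__main__":
    print(run_sample())    # [False, False, True, False, False]
```

Note that Within bounds the scan window, so a pattern longer than the remaining window never matches; when a rule silently fails to fire, checking the Within/Depth values against the pattern length is the first thing to verify.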

Configuring IPS Whitelist

The device detects the traffic in the network in real time. When a threat is detected, the device generates alarms or blocks threats. As the network environment grows more complex, the device generates more and more threat alarms, too many for users to act on, and many of them are false positives. By providing an IPS whitelist, the system no longer reports alarms or blocks traffic that matches the whitelist, thus reducing the false alarm rate of threats. The IPS whitelist consists of source address, destination address, and threat ID, and the user selects at least one item for configuration.
To configure an IPS whitelist:

1. Select Object > Intrusion Prevention System > Whitelist.

2. Click New.

In the WhiteList Configuration page, enter the White List configurations.

Option: Description

Name: Specifies the whitelist name.

Type: Select the address type, IPv4 or IPv6.

Source Address: Specifies the source address of the traffic to be matched by IPS.

Destination Address: Specifies the destination address of the traffic to be matched by IPS.

Next-hop Virtual Router: Select the next-hop VRouter from the drop-down list.

Signature ID: Select the signature ID from the drop-down list. A whitelist can be configured with a maximum of one threat ID. When the threat ID is not set, the traffic is filtered based on the source and destination IP address only. When a threat ID has been configured, the source address, destination address and threat ID must all match before the packets are released.

3. Click OK.

Sandbox
A sandbox executes a suspicious file in a virtual environment, collects the actions of this file, analyzes the collected data, and verifies the legality of the file.
The Sandbox function of the system uses cloud sandbox and local sandbox technology. The suspicious file will be uploaded to the cloud sandbox or the local sandbox. The cloud sandbox or the local sandbox will collect the actions of this file, analyze the collected data, verify the legality of the file, return the analysis result to the system, and deal with the malicious file with the actions set by the system.
The Sandbox function contains the following parts:

• Collect and upload the suspicious file: The Sandbox function parses the traffic, and extracts the suspicious file from the traffic.

  • If there is no analysis result about this file in the local database, the system will upload this file to the local sandbox or to the Hillstone cloud service platform; the local sandbox will analyze the file, or the cloud service platform will upload the suspicious file to the cloud sandbox for analysis. For how to connect to the Hillstone cloud service platform, refer to "Connecting to Hillstone Cloud Service Platform" on Page 1283.

  • If this file has been identified as an illegal file in the local database of the Sandbox function, the system will generate corresponding threat logs and cloud sandbox logs.
Additionally, you can specify the criteria of the suspicious files by configuring a sandbox profile.

• Check the analysis result and take actions: The Sandbox function checks the analysis result of the suspicious file returned from the cloud sandbox or the local sandbox, verifies the legality of the file, and saves the result to the local database. If this suspicious file is identified as an illegal file, the file is dealt with according to the actions (reset the connection or report logs) set by the system. The first time a malicious file is found by the cloud sandbox or the local sandbox, the system will record threat logs and cloud sandbox logs but cannot stop the malicious link. When a malicious file matches the cached threat information in the local device, the threat is effectively stopped only by resetting the connection.

• Maintain the local database of the Sandbox function: Record the information of the uploaded files, including the upload time and analysis result. This part is completed by the Sandbox function automatically.

Notes: The cloud sandbox function is controlled by license. To use the cloud sandbox function, install the cloud sandbox license.

Related Topics: Configuring Sandbox

Configuring Sandbox
This chapter includes the following sections:

• Preparation for configuring the Sandbox function

• Configuring the Sandbox rules

• Sandbox global configurations

Preparation

Before enabling the Sandbox function, make the following preparations:

Make sure your system version supports the Sandbox function.

The current device is registered to the Hillstone cloud service platform. For how to connect to the
Hillstone cloud service platform, refer to "Connecting to Hillstone Cloud Service Platform" on
Page 1283.

Import the cloud sandbox license and reboot. The cloud sandbox function will be enabled after
rebooting.

Notes: After the Sandbox function is enabled, the system's max concurrent sessions might decrease. For more information about the maximum concurrent sessions, see "The Maximum Concurrent Sessions" on Page 1346.

Configuring Sandbox

The System supports the zone-based and policy-based Sandbox:

• If a security zone is configured with the Sandbox function, the system will perform sandbox detection on the traffic that is sourced from or destined to the binding zone specified in the rule.

• If a policy rule is configured with the Sandbox filtering function, the system will perform sandbox detection on the traffic that matches the policy rule you specified.

• If both are specified, the sandbox configuration in a policy rule takes precedence over that in a zone rule, and the sandbox configuration in a destination zone takes precedence over that in a source zone.

To create the zone-based Sandbox, take the following steps:

1. Create a zone. For more information, refer to Security Zone.

2. In the Zone Configuration page, expand Threat Protection.

3. Click the Enable button after Sandbox. Select an existing Sandbox rule from the profile drop-down list or click the "+" button to create the sandbox rule you need.

4. Click OK.

To create the policy-based Sandbox, take the following steps:

1. Click Object > Sandbox > Configuration. Click the Enable button after Cloud Sandbox or Local Sandbox to enable the Sandbox function. If you do not have a cloud sandbox license, you can enable the Free Cloud Sandbox function. The Free Cloud Sandbox function only supports detecting PE files.

2. Click Object > Sandbox > Profile to create the sandbox rule you need.

3. Bind the sandbox rule to a policy. Click Policy > Security Policy. Select the policy rule you want to bind or click New to create a new policy. In the Policy Configuration page, expand Protection and then click the Enable button of Sandbox. Select an existing Sandbox rule from the drop-down list or click the "+" button to create the sandbox rule you need.

Configuring a Sandbox Rule

A sandbox rule contains the file types that the device detects, the protocol types that the device detects, the white list settings, and the file filter settings.

• File Type: Supports detecting PE, APK, JAR, MS-Office, PDF, SWF, RAR, ELF, ZIP and Script files.

• Protocol Type: Supports detecting the HTTP, FTP, POP3, SMTP, IMAP4 and SMB protocols.

• White list: A white list includes domain names that are safe. When a file extracted from the traffic is from a domain name in the white list, this file will not be marked as a suspicious file and it will not be uploaded to the cloud sandbox or the local sandbox.

• File filter: Mark the file as a suspicious file if it satisfies the criteria configured in the file filter settings. The analysis result from the cloud sandbox or the local sandbox determines whether this suspicious file is legal or not.

• Actions: When the suspicious file matches the threat items in the sandbox, the system will deal with the malicious file with the set actions.

There are five built-in sandbox rules with the file and protocol types configured, white list enabled and file filter configured: the four predefined detection rules predef_low, predef_middle, predef_high and predef_pe, plus no_sandbox.

• predef_low: A loose sandbox detection rule, whose file type is PE and protocol types are HTTP/FTP/POP3/SMTP/IMAP4/SMB, with white list and file filter enabled.

• predef_middle: A middle-level sandbox detection rule, whose file types are PE/APK/JAR/MS-Office/PDF and protocol types are HTTP/FTP/POP3/SMTP/IMAP4/SMB, with white list and file filter enabled.

• predef_high: A strict sandbox detection rule, whose file types are PE/APK/JAR/MS-Office/PDF/SWF/RAR/ZIP/ELF/Script and protocol types are HTTP/FTP/POP3/SMTP/IMAP4/SMB, with white list and file filter enabled.

• predef_pe: A sandbox detection rule, whose file type is only PE and protocol types are HTTP/FTP/POP3/SMTP/IMAP4, with white list and file filter enabled.

• no_sandbox: With this detection rule, the system does not perform any sandbox detection.

Notes: When the SSL proxy function is enabled, the system will support sandbox detection of HTTPS/POP3S/SMTPS/IMAPS traffic.

To create a new sandbox rule, take the following steps:

1. Select Object > Sandbox > Profile.

2. Click New to create a new sandbox rule. To edit an existing one, select the check box of
this rule and then click Edit.

In the Sandbox Configuration page, configure the following settings.

Option: Description

Name: Enter the name of the sandbox rule.

Action: When the suspicious file matches a threat item in the local sandbox, the system will deal with the malicious file using the set action. Actions:

• Log Only - When detecting malicious files, the system will pass the traffic and only record logs (threat log and cloud sandbox log).

• Reset - When detecting malicious files, the system will reset the connection of the malicious link and record threat logs and cloud sandbox logs.

White List: Click Enable to enable the white list function. A white list includes domain names that are safe. When a file extracted from the traffic is from a domain name in the white list, this file will not be marked as a suspicious file and it will not be uploaded to the cloud sandbox.
You can update the white list in System > Upgrade Management > Signature Database Update > Sandbox Whitelist Database Update.

Trusted Certificate Verification: Click Enable to enable verification of trusted certificates. After enabling, the system will not detect PE files whose certificate is trusted.

File Upload: By default, the file will be uploaded to the cloud sandbox when it is classified as suspicious. You can disable suspicious file uploading, which will prevent the suspicious file from being uploaded to the cloud sandbox. Click Disable to disable suspicious file uploading.

File Filter: Mark the file as a suspicious file if it satisfies the criteria configured in the file filter settings. The analysis result from the cloud sandbox determines whether this suspicious file is legal or not. The logical relation between the criteria is AND.

File Type: Mark the file of the specified file type as a suspicious file. Click the Enable button of the file type, then select Cloud Sandbox Detection to specify that suspicious files will be uploaded to the cloud sandbox for detection, or select Local Sandbox Detection to specify that suspicious files will be uploaded to the local sandbox for detection. The system can currently mark PE (.exe), APK, JAR, MS-Office, PDF, SWF, ELF, RAR, ZIP and Script files as suspicious. If no file type is specified, the Sandbox function will mark no file as suspicious.

Protocol: Specifies the protocol to scan. The system can currently scan HTTP, FTP, POP3, SMTP, IMAP4 and SMB traffic. If no protocol is specified, the Sandbox function will not scan the network traffic. After specifying the protocol type, you have to specify the direction of the detection:

• Upload - The direction is from client to server.

• Download - The direction is from server to client.

• Bi-directional - The direction includes both uploading and downloading.

3. Click OK to save the settings.

Threat List

The threat list is the list of threat items in the Hillstone device. There are three sources of the threat items:

• The Hillstone device finds a suspicious file and uploads this file to the local sandbox or to the cloud sandbox. After verifying that the file is malicious, the cloud sandbox or the local sandbox will send the analysis result and MD5 to the device, and the threat item will be listed in the threat list.

• The Hillstone device finds a suspicious file and successfully queries the MD5 of the threat in the cloud sandbox or the local sandbox; the threat item will be listed in the threat list.

• The Hillstone device receives the synchronized threat MD5 from the Hillstone cloud service platform and matches the threat; the threat item will be listed in the threat list.

You can filter and check threat items by specifying the MD5 or the name of the virus on the threat list page, as well as add the selected threat item to the trust list. Take the following steps:

1. Click Object > Sandbox > Threat List.

2. Select the threat item that needs to be added to the trust list and click the Add to Trust button. Once a threat item is added, whenever it is matched the corresponding traffic will be released.

Trust List

You can view all the sandbox threat information which can be detected on the device and add
them to the trust list. Once the item in trust list is matched, the corresponding traffic will be
released and not controlled by the actions of sandbox rule.

To remove threat items in the trust list, take the following steps:

1. Click Object > Sandbox > Trust List.

2. Select the threat item that needs to be removed in the trust list and click Remove from
Trust button. The threat item will be removed from the trust list.

Sandbox Global Configurations

To configure the sandbox global configurations, take the following steps:

1. Select Object > Sandbox > Configuration.

2. Click the Enable button of Cloud Sandbox to enable the cloud sandbox function. If you do not have a cloud sandbox license, you can enable the Free Cloud Sandbox function. The Free Cloud Sandbox function only supports detecting PE files.

3. Click the Enable button of Local Sandbox to enable the local sandbox function, and then specify the IP address and the VRouter for the local sandbox.

4. Specify the file size for the files you need. A file that is smaller than the specified file size will be marked as a suspicious file.

5. If you click the Report benign file log button, system will record cloud sandbox logs of the
file when it marks it as a benign file. By default, system will not record logs for the benign
files.

6. If you click the Report greyware file log button, the system will record cloud sandbox logs of the file when it marks it as a greyware file. A greyware file is one that the system cannot judge to be either benign or malicious. By default, the system will not record logs for greyware files.

7. Click OK to save the settings.
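The sandbox rule options (File Type with its cloud or local detection target, Protocol with direction, White List, Trusted Certificate Verification, File Upload) and the global file-size setting above all have to agree before a file is treated as suspicious, and what then happens depends on whether the local database already holds a verdict for the file's MD5. The code below is an added example that walks through that decision, not StoneOS code: the class and field names, the outcome strings ("pass", "upload:cloud", "reset+log", "log_only") and the sample files with placeholder MD5 values are constructed.

```python
"""How a sandbox profile, the global file-size limit and the cached verdicts
decide what happens to a file extracted from traffic.

Added example, not StoneOS code: names, outcomes and sample files are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional


@dataclass
class SandboxProfile:
    name: str
    action: str = "reset"                 # "log_only" or "reset"
    whitelist_enabled: bool = True        # White List
    trusted_cert_check: bool = True       # Trusted Certificate Verification (PE only)
    file_upload: bool = True              # File Upload to the cloud sandbox
    file_types: Dict[str, str] = field(default_factory=dict)   # type -> "cloud" | "local"
    protocols: Dict[str, str] = field(default_factory=dict)    # proto -> "upload" | "download" | "bidirectional"


@dataclass
class ExtractedFile:
    md5: str
    file_type: str          # "PE", "APK", "PDF", ...
    protocol: str           # "HTTP", "SMTP", ...
    direction: str          # "upload" (client to server) or "download"
    size: int               # bytes
    source_domain: str
    trusted_signature: bool = False


class SandboxEngine:
    def __init__(self, profile: SandboxProfile, max_file_size: int,
                 whitelist_domains: Iterable[str], verdicts: Optional[Dict[str, str]] = None):
        self.profile = profile
        self.max_file_size = max_file_size          # global "file size" setting
        self.whitelist_domains = set(whitelist_domains)
        self.verdicts = dict(verdicts or {})        # local database: md5 -> verdict

    def detection_target(self, f: ExtractedFile) -> Optional[str]:
        """'cloud' or 'local' when the file filter marks the file suspicious, else None.
        Every criterion must hold (the logical relation is AND)."""
        p = self.profile
        target = p.file_types.get(f.file_type)
        if target is None:
            return None
        direction = p.protocols.get(f.protocol)
        if direction is None or direction not in ("bidirectional", f.direction):
            return None
        if f.size >= self.max_file_size:            # only smaller files are marked
            return None
        if p.whitelist_enabled and f.source_domain in self.whitelist_domains:
            return None
        if p.trusted_cert_check and f.file_type == "PE" and f.trusted_signature:
            return None
        return target

    def handle(self, f: ExtractedFile) -> str:
        target = self.detection_target(f)
        if target is None:
            return "pass"
        verdict = self.verdicts.get(f.md5)
        if verdict == "malicious":                  # cached threat: the profile action applies
            return "reset+log" if self.profile.action == "reset" else "log_only"
        if verdict is not None:                     # benign or greyware already recorded
            return "pass"
        if target == "cloud" and not self.profile.file_upload:
            return "pass"                           # uploading to the cloud sandbox disabled
        # First sighting: the file goes off for analysis; the link cannot be stopped yet.
        return f"upload:{target}"

    def record_verdict(self, md5: str, verdict: str) -> None:
        """What the Sandbox function does automatically when a result comes back."""
        self.verdicts[md5] = verdict


def build_engine() -> SandboxEngine:
    profile = SandboxProfile("constructed_profile", action="reset",
                             file_types={"PE": "cloud", "PDF": "local"},
                             protocols={"HTTP": "download", "SMTP": "bidirectional"})
    # 32 zeros stand in for a previously convicted MD5 (constructed placeholder).
    return SandboxEngine(profile, max_file_size=10 * 1024 * 1024,
                         whitelist_domains={"updates.example.com"},
                         verdicts={"0" * 32: "malicious"})


# Constructed sample files; the MD5 strings are placeholders, not real hashes.
SAMPLE_FILES: List[ExtractedFile] = [
    ExtractedFile("a" * 32, "PE", "HTTP", "download", 512_000, "cdn.example.net"),
    ExtractedFile("b" * 32, "PE", "HTTP", "download", 512_000, "updates.example.com"),
    ExtractedFile("0" * 32, "PE", "SMTP", "upload", 40_000, "mail.example.org"),
    ExtractedFile("c" * 32, "PDF", "HTTP", "upload", 40_000, "cdn.example.net"),
    ExtractedFile("d" * 32, "ZIP", "HTTP", "download", 40_000, "cdn.example.net"),
    ExtractedFile("e" * 32, "PE", "HTTP", "download", 20_000_000, "cdn.example.net"),
]


def run_sample() -> List[str]:
    engine = build_engine()
    return [engine.handle(f) for f in SAMPLE_FILES]


if __name__ == "__main__":
    for f, outcome in zip(SAMPLE_FILES, run_sample()):
        print(f"{f.file_type:4s} {f.protocol:5s} {f.direction:9s} {f.source_domain:20s} -> {outcome}")
```

The PDF over HTTP in the sample is passed untouched because the profile only inspects HTTP downloads, and the 20 MB executable is passed because it exceeds the global size limit; both are easy to overlook when a file you expected to see in the cloud sandbox log never appears there.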

Attack-Defense
There are various inevitable attacks in networks, such as compromise or sabotage of servers, sensitive data theft, service interference, or even direct sabotage of network devices that causes service anomalies or interruption. Security gateways, as a category of network security devices, must be designed with attack defense functions to detect various types of network attacks and take appropriate actions to protect the Intranet against malicious attacks, thus assuring the normal operation of the Intranet and its systems.
Devices provide attack defense functions based on security zones, and can take appropriate actions against network attacks to assure the security of your network systems.

ICMP Flood and UDP Flood
An ICMP Flood/UDP Flood attack sends huge amounts of ICMP messages (such as ping)/UDP packets to a target within a short period and requests a response. Due to the heavy load, the attacked target cannot complete its normal transmission tasks.

ARP Spoofing
A LAN transmits network traffic based on MAC addresses. An ARP spoofing attack fills in a wrong MAC address and IP address pairing so that the target host's ARP cache table holds an incorrect mapping. IP packets will then be delivered to the wrong destination host, and the target's network resources can be stolen.

SYN Flood
Due to resource limitations, a server will only permit a certain number of TCP connections. SYN Flood makes use of this weakness. During the attack an attacker will craft a SYN packet, set its source address to a forged or non-existing address, and initiate a connection to a server. Typically the server should reply to the SYN packet with SYN-ACK, but for such a carefully crafted SYN packet, the client will not send any ACK for the SYN-ACK packet, leading to a half-open connection. The attacker can send a large number of such packets to the attacked host and establish an equally large number of half-open connections until timeout. As a result, resources will be exhausted and normal accesses will be blocked. In an environment of unlimited connections, SYN Flood will exhaust all the available memory and other resources of the system.

WinNuke Attack
A WinNuke attack sends OOB (out-of-band) packets to the NetBIOS port (139) of a Windows system, leading to NetBIOS fragment overlap and host crash. Another attack vector is ICMP fragments. Generally an ICMP packet will not be fragmented, so many systems cannot properly process ICMP fragments. If your system receives any ICMP fragment, it's almost certain that the system is under attack.

IP Address Spoofing
IP address spoofing is a technology used to gain unauthorized access to computers. An attacker
sends packets with a forged IP address to a computer, and the packets are disguised as if they
were from a real host. For applications that implement validation based on IP addresses, such an
attack allows unauthorized users to gain access to the attacked system. The attacked system might
be compromised even if the response packets cannot reach the attacker.

IP Address Sweep and Port Scan
This kind of attack performs reconnaissance of destination addresses and ports via scanners, and determines their existence from the response. By IP address sweeping or port scanning, an attacker can determine which systems are alive and connected to the target network, and which ports are used by the hosts to provide services.

Ping of Death Attack
Ping of Death is designed to attack systems with over-sized ICMP packets. The length field of an IP packet is 16 bits, which means the max length of an IP packet is 65535 bytes. For an ICMP response packet, if the data length is larger than 65507 bytes, the total length of the ICMP data, IP header (20 bytes) and ICMP header (8 bytes) will be larger than 65535 bytes. Some routers or systems cannot properly process such a packet, which might result in a crash, system halt or reboot.

Teardrop Attack
A Teardrop attack is a denial of service attack. It is an attack method based on malformed fragmented UDP packets, which works by sending multiple fragmented IP packets to the attacked host (IP fragment packets carry information such as which packet the fragment belongs to and the fragment's position). Some operating systems will crash, reboot, and so on when receiving fragmented packets with overlapping offsets.

Smurf Attack
Smurf attacks consist of two types: basic attack and advanced attack. A basic Smurf attack is used
to attack a network by setting the destination address of ICMP ECHO packets to the broadcast
address of the attacked network. In such a condition all the hosts within the network will send
their own response to the ICMP request, leading to network congestion. An advanced Smurf
attack is mainly used to attack a target host by setting the source address of ICMP ECHO packets
to the address of the attacked host, eventually leading to host crash. Theoretically, the more hosts
in a network, the better the attacking effect will be.

Fraggle Attack
A fraggle attack is basically the same as a smurf attack. The only difference is that the attack vector of fraggle is UDP packets.

Land Attack
During a Land attack, an attacker will carefully craft a packet and set its source and destination
address to the address of the server that will be attacked. In such a condition the attacked server
will send a message to its own address, and this address will also return a response and establish a
Null connection. Each of such connections will be maintained until timeout. Many servers will
crash under Land attacks.

IP Fragment Attack
An attacker sends the victim an IP datagram with an offset smaller than 5 but greater than 0,
which causes the victim to malfunction or crash.

IP Option Attack
An attacker sends IP datagrams in which the IP options are abnormal. This attack intends to
probe the network topology. The target system will break down if it is incapable of processing
error packets.

Huge ICMP Packet Attack
An attacker sends large ICMP packets to crash the victim. Large ICMP packets can cause memory allocation errors and crash the protocol stack.

TCP Flag Attack
An attacker sends packets with defective TCP flags to probe the operating system of the target host. Different operating systems process unconventional TCP flags differently. The target system will break down if it processes this type of packet incorrectly.

DNS Query Flood Attack
The DNS server processes and replies to all DNS queries that it receives. A DNS flood attacker sends a large number of forged DNS queries. This attack consumes the bandwidth and resources of the DNS server, which prevents the server from processing and replying to legitimate DNS queries.

DNS Reply Flood Attack
When the DNS server receives a reply message, it will process the message regardless of whether it is valid. In a DNS reply flood, the attacker sends a large number of DNS reply messages to the DNS cache server, causing the cache server to run out of resources while processing these reply messages.

TCP Split Handshake Attack
When a client establishes a TCP connection with a malicious TCP server, the TCP server will respond with a fake SYN packet and use this fake one to initialize the TCP connection with the client. After establishing the TCP connection, the malicious TCP server switches its role and becomes the client side of the TCP connection. Thus, the malicious traffic might enter the intranet.
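Several of the attacks described above can be recognised from a single packet's header fields: a source equal to the destination (Land), a fragment offset between 0 and 5 (IP Fragment), a fragment whose reassembled size would exceed the 16-bit IP length (Ping of Death), any fragmented ICMP (the WinNuke section), urgent data to port 139 (WinNuke), an ICMP payload beyond a size limit (Huge ICMP Packet) and contradictory TCP flags (TCP Flag). The detector below is an added example of those checks over raw IPv4 packets, not StoneOS code: the alert names, the huge-ICMP threshold, the choice of which flag combinations count as defective, and the sample packets (built between TEST-NET addresses) are constructed assumptions.

```python
"""Single-packet checks for Land, IP Fragment, Ping of Death, ICMP fragment,
WinNuke, Huge ICMP Packet and TCP Flag anomalies over raw IPv4 packets.

Added example, not StoneOS code: alert names, threshold and samples are constructed.
"""
import struct
from typing import Dict, List

HUGE_ICMP_BYTES = 1024   # constructed threshold; the WebUI does not expose this value
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x10, 0x20
IP_HDR = "!BBHHHBBH4s4s"   # ver/IHL, TOS, total len, ID, flags+offset, TTL, proto, csum, src, dst


def ip4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_ipv4(src: str, dst: str, proto: int, payload: bytes,
               frag_offset: int = 0, more_fragments: bool = False) -> bytes:
    """Constructs a minimal IPv4 packet (no options, checksum left as zero)."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    header = struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), 0, flags_frag,
                         64, proto, 0, ip4(src), ip4(dst))
    return header + payload


def build_tcp(sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    """20-byte TCP header: ports, seq, ack, data offset 5, flags, window, csum, urg ptr."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload


def build_icmp_echo(data: bytes) -> bytes:
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data   # echo request, id 1, seq 1


def check_packet(pkt: bytes) -> List[str]:
    """Returns the names of the attack patterns this single packet exhibits."""
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, src, dst = struct.unpack(IP_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    more = bool(flags_frag & 0x2000)
    frag_offset = flags_frag & 0x1FFF           # in 8-byte units
    payload = pkt[ihl:total_len]
    alerts: List[str] = []
    if src == dst:                               # Land: source equals destination
        alerts.append("land")
    if 0 < frag_offset < 5:                      # IP Fragment attack: offset 1..4
        alerts.append("ip_fragment")
    if proto == 1:                               # ICMP
        if more or frag_offset:                  # ICMP is normally never fragmented
            alerts.append("icmp_fragment")
        if frag_offset * 8 + len(payload) > 65535:   # reassembled size beyond the 16-bit length
            alerts.append("ping_of_death")
        if len(payload) > HUGE_ICMP_BYTES:
            alerts.append("huge_icmp")
    elif proto == 6 and frag_offset == 0 and len(payload) >= 20:   # TCP, first fragment
        _, dport = struct.unpack("!HH", payload[:4])
        flags = payload[13]
        if flags & TCP_URG and dport == 139:     # OOB data to the NetBIOS port
            alerts.append("winnuke")
        if (flags & TCP_SYN and flags & TCP_FIN) or not flags & (TCP_SYN | TCP_FIN | TCP_RST | TCP_ACK):
            alerts.append("tcp_flag")           # SYN+FIN together, or no meaningful flag at all
    return alerts


# Constructed sample packets between TEST-NET addresses.
A, B = "203.0.113.9", "192.0.2.10"
SAMPLES: Dict[str, bytes] = {
    "normal_syn": build_ipv4(A, B, 6, build_tcp(40000, 443, TCP_SYN)),
    "land": build_ipv4(B, B, 6, build_tcp(80, 80, TCP_SYN)),
    "ip_fragment": build_ipv4(A, B, 17, b"\x00" * 16, frag_offset=2),
    "ping_of_death": build_ipv4(A, B, 1, b"\x00" * 1000, frag_offset=8100),
    "huge_icmp": build_ipv4(A, B, 1, build_icmp_echo(b"\x00" * 2000)),
    "winnuke": build_ipv4(A, B, 6, build_tcp(40001, 139, TCP_ACK | TCP_URG, b"oob")),
    "syn_fin": build_ipv4(A, B, 6, build_tcp(40002, 80, TCP_SYN | TCP_FIN)),
    "null_flags": build_ipv4(A, B, 6, build_tcp(40003, 80, 0)),
}


def scan_samples() -> Dict[str, List[str]]:
    return {name: check_packet(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, alerts in scan_samples().items():
        print(f"{name:14s} -> {alerts or ['clean']}")
```

The Ping of Death sample shows why the check has to look at the fragment offset rather than the packet length alone: the fragment itself is only 1020 bytes, yet its offset places its last byte past 65535 in the reassembled datagram.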

Configuring Attack Defense
To configure the Attack Defense based on security zones, take the following steps:

1. Create a zone. For more information, refer to "Security Zone" on Page 85.

2. In the Zone Configuration page, expand Threat Protection.

3. To enable the Attack Defense functions, click the Enable button, and click Configure.

In the Attack Defense page, enter the Attack Defense configurations.

Option: Description

Whitelist: An IP address or IP range in the whitelist is exempt from the attack defense check. Click Configure, and in the White Configuration tab, click New to create a whitelist. Select the type for the whitelist, source whitelist or destination whitelist, and then select the IP type:

• IP/Netmask - Specifies the IPv4 address and netmask.

• IPv6/Prefix - Specifies the IPv6 address and prefix, range 120 to 128.

• Address entry - Specifies the address entry.

Select All: Enable all: Click this button to enable all the Attack Defense functions for the security zone.
Action: Specifies an action for all the Attack Defense functions, i.e., the defense measure the system will take if any attack has been detected.

• Drop - Drops packets. This is the default action.

• Alarm - Gives an alarm but still permits packets to pass through.

• Do not specify global actions.

Flood Attack Defense: Click the button to expand the information of all flood attack defenses. Select the Flood Attack Defense check box to enable all flood attack defenses.

Chapter 11 1027

Threat Prevention
Option Description

ICMP Flood: Click this button to enable ICMP flood defense for
the security zone.

l Threshold - Specifies a threshold for inbound ICMP pack-


ets. If the number of inbound ICMP packets matched to
one single IP address per second exceeds the threshold,
system will identify the traffic as an ICMP flood and take
the specified action. The value range is 1 to 50000. The
default value is 1500.

l Action - Specifies an action for ICMP flood attacks. If the


default action Drop is selected, system will only permit the
specified number (threshold) of IMCP packets to pass
through during the current and the next second, and also
give an alarm. All the excessive packets of the same type
will be dropped during this period.

UDP Flood: Click this button to enable UDP flood defense for the security zone.

• Src threshold - Specifies a threshold for outbound UDP packets. If the number of
outbound UDP packets originating from one single source IP address per second exceeds
the threshold, system will identify the traffic as a UDP flood and take the specified
action. The value range is 1 to 50000. The default value is 1500.

• Dst threshold - Specifies a threshold for inbound UDP packets. If the number of inbound
UDP packets destined to one single port of one single destination IP address per second
exceeds the threshold, system will identify the traffic as a UDP flood and take the
specified action. The value range is 1 to 50000. The default value is 1500.

• Action - Specifies an action for UDP flood attacks. If the default action Drop is
selected, system will only permit the specified number (threshold) of UDP packets to pass
through during the current and the next second, and also give an alarm. All the excessive
packets of the same type will be dropped during this period.

• Session State Check - Select this check box to enable session state check. After the
function is enabled, system will not perform UDP flood detection on the return traffic of
sessions that have already been identified.

DNS Query Flood: Click this button to enable DNS query flood defense for the security zone.

• Src threshold - Specifies a threshold for outbound DNS query packets. If the number of
outbound DNS query packets originating from one single IP address per second exceeds the
threshold, StoneOS will identify the traffic as a DNS query flood and take the specified
action.

• Dst threshold - Specifies a threshold for inbound DNS query packets. If the number of
inbound DNS query packets matched to one single IP address per second exceeds the
threshold, StoneOS will identify the traffic as a DNS query flood and take the specified
action.

• Action - Specifies an action for DNS query flood attacks. If the default action Drop is
selected, StoneOS will only permit the specified number (threshold) of DNS query packets
to pass through during the current and next second, and also give an alarm. All the
excessive packets of the same type will be dropped during this period; if Alarm is
selected, StoneOS will give an alarm but still permit the DNS query packets to pass
through.

Recursive DNS Query Flood: Click this button to enable recursive DNS query flood defense
for the security zone.

• Src threshold - Specifies a threshold for outbound recursive DNS query packets. If the
number of outbound DNS query packets originating from one single IP address per second
exceeds the threshold, StoneOS will identify the traffic as a DNS query flood and take the
specified action.

• Dst threshold - Specifies a threshold for inbound recursive DNS query packets. If the
number of inbound DNS query packets destined to one single IP address per second exceeds
the threshold, StoneOS will identify the traffic as a DNS query flood and take the
specified action.

• Action - Specifies an action for recursive DNS query flood attacks. If the default action
Drop is selected, StoneOS will only permit the specified number (threshold) of recursive
DNS query packets to pass through during the current and next second, and also give an
alarm. All the excessive packets of the same type will be dropped during this period; if
Alarm is selected, StoneOS will give an alarm but still permit the recursive DNS query
packets to pass through.

SYN Flood: Select this check box to enable SYN flood defense for the security zone.

• Src threshold - Specifies a threshold for outbound SYN packets (ignoring the destination
IP address and port number). If the number of outbound SYN packets originating from one
single source IP address per second exceeds the threshold, StoneOS will identify the
traffic as a SYN flood. The value range is 0 to 50000. The default value is 1500. The
value of 0 indicates the Src threshold is void.

• Dst threshold - Specifies a threshold for inbound SYN packets destined to one single
destination IP address per second.

    • IP-based - Click IP-based and then type a threshold value into the box behind. If
    the number of inbound SYN packets matched to one single destination IP address per
    second exceeds the threshold, StoneOS will identify the traffic as a SYN flood. The
    value range is 0 to 50000. The default value is 1500. The value of 0 indicates the
    Dst threshold is void.

    • Port-based - Click Port-based and then type a threshold value into the box behind.
    If the number of inbound SYN packets matched to one single destination port of the
    destination IP address per second exceeds the threshold, StoneOS will identify the
    traffic as a SYN flood. The value range is 0 to 50000. The default value is 1500. The
    value of 0 indicates the Dst threshold is void. After clicking Port-based, you also
    need to type an address into, or select an IP Address or Address entry from, the Dst
    address combo box to enable port-based SYN flood defense for the specified segment.
    The SYN flood attack defense for other segments will be IP based. The value range for
    the mask of the Dst address is 24 to 32.

• Action - Specifies an action for SYN flood attacks. If the default action Drop is
selected, StoneOS will only permit the specified number (threshold) of SYN packets to
pass through during the current and the next second, and also give an alarm. All the
excessive packets of the same type will be dropped during this period. In addition, if
both Src threshold and Dst threshold are configured, StoneOS will first detect whether
the traffic is a destination SYN flood attack: if so, StoneOS will drop the packets and
give an alarm; if not, StoneOS will continue to detect whether the traffic is a source
SYN flood attack.

DNS Reply Flood: Click this button to enable DNS reply flood defense for the security zone.

• Src threshold - Specifies a threshold for outbound DNS reply packets. If the number of
outbound DNS reply packets originating from one single IP address per second exceeds the
threshold, StoneOS will identify the traffic as a DNS reply flood and take the specified
action.

• Dst threshold - Specifies a threshold for inbound DNS reply packets. If the number of
inbound DNS reply packets matched to one single IP address per second exceeds the
threshold, StoneOS will identify the traffic as a DNS reply flood and take the specified
action.

• Action - Specifies an action for DNS reply flood attacks. If the default action Drop is
selected, StoneOS will only permit the specified number (threshold) of DNS reply packets
to pass through during the current and next second, and also give an alarm. All the
excessive packets of the same type will be dropped during this period; if Alarm is
selected, StoneOS will give an alarm but still permit the DNS reply packets to pass
through.

ARP Spoofing Click the button to expand the information of the ARP spoofing. Select the
ARP Spoofing check box to enable all ARP spoofing defenses.

Max IP number per MAC: Click this button to check the max IP number per MAC. Specifies
whether system will check the IP number per MAC in the ARP table. If the parameter is set
to 0, system will not check the IP number; if it is set to a value other than 0, system
will check the IP number, and if the IP number per MAC is larger than the parameter
value, system will take the specified action. The value range is 0 to 1024.

ARP Send Rate: Click this button to check the ARP send rate. Specifies if StoneOS will
send gratuitous ARP packet(s). If the parameter is set to 0 (the default value), StoneOS
will not send any gratuitous ARP packet; if it is set to a value other than 0, StoneOS
will send gratuitous ARP packet(s), and the number sent per second is the specified
parameter value. The value range is 0 to 10.

Reverse Query: Click this button to enable Reverse query. Select this check box to enable
Reverse query. When StoneOS receives an ARP request, it will log the IP address and reply
with another ARP request; and then StoneOS will check if any packet with a different MAC
address will be returned, or if the MAC address of the returned packet is the same as that
of the ARP request packet.

ND Spoofing Max IP number per MAC: Click this button to check the max IP number per MAC.
Specifies whether system will check the IP number per MAC in the ND table. System will
check the IP number, and if the IP number per MAC is larger than the parameter value,
system will take the specified action. The value range is 1 to 1024.

ND Send Rate: Click this button to check the ND send rate. Specifies if StoneOS will send
gratuitous ND packet(s). StoneOS will send gratuitous ND packet(s), and the number sent
per second is the specified parameter value. The value range is 1 to 10.

Reverse Query: Click this button to enable Reverse query. Select this check box to enable
Reverse query. When StoneOS receives an NS/NA packet, it will log the IP address and reply
with another NS/NA packet; and then StoneOS will check if any packet with a different MAC
address will be returned, or if the MAC address of the returned packet is the same as that
of the ND packet.

MS-Windows Defense Click the button to expand the information of MS-Windows defense.
Select the MS-Windows Defense check box to enable MS-Windows defense.

Win Nuke Attack: Click this button to enable WinNuke attack defense for the security zone.
If any WinNuke attack has been detected, system will drop the packets and give an alarm.

Scan/Spoof Defense Click the button to expand the information of Scan/Spoof Defense. Select
the Scan/Spoof Defense check box to enable all scan/spoof defenses.

IP Address Spoof: Click this button to enable IP address spoof defense for the security
zone. If any IP address spoof attack has been detected, StoneOS will drop the packets and
give an alarm.

IP Address Sweep: Click this button to enable IP address sweep defense for the security
zone.

• Threshold - Specifies a time threshold for IP address sweep. If over 10 ICMP packets from
one single source IP address are sent to different hosts within the period specified by
the threshold, StoneOS will identify them as an IP address sweep attack. The value range is
1 to 5000 milliseconds. The default value is 1.

• Action - Specifies an action for IP address sweep attacks. If the default action Drop is
selected, StoneOS will only permit 10 ICMP packets originating from one single source IP
address and matched to different hosts to pass through during the specified period
(threshold), and also give an alarm. All the excessive packets of the same type will be
dropped during this period.

Port Scan: Click this button to enable port scan defense for the security zone.

• Threshold - Specifies a time threshold for port scan. If over 10 TCP SYN packets are sent
to different ports within the period specified by the threshold, StoneOS will identify
them as a port scan attack. The value range is 1 to 5000 milliseconds. The default value
is 1.

• Action - Specifies an action for port scan attacks. If the default action Drop is
selected, StoneOS will only permit 10 TCP SYN packets destined to different ports to pass
through, drop the other packets of the same type during the specified period, and also
give an alarm.

Denial of Service Defense Click the button to expand the information of denial of service
defense. Select the Denial of Service Defense check box to enable all denial of service
defenses.

Ping of Death Attack: Click this button to enable Ping of Death attack defense for the
security zone. If any Ping of Death attack has been detected, StoneOS will drop the
attacking packets, and also give an alarm.

Teardrop Attack: Click this button to enable Teardrop attack defense for the security zone.
If any Teardrop attack has been detected, StoneOS will drop the attacking packets, and also
give an alarm.

IP Fragment: Click this button to enable IP fragment defense for the security zone.

• Action - Specifies an action for IP fragment attacks. The default action is Drop.

IP Option: Click this button to enable IP option attack defense for the security zone.
StoneOS will defend against the following types of IP options: Security, Loose Source
Route, Record Route, Stream ID, Strict Source Route and Timestamp.

• Action - Specifies an action for IP option attacks. The default action is Drop.

Smurf or Fragile Attack: Click this button to enable Smurf or fragile attack defense for
the security zone.

• Action - Specifies an action for Smurf or fragile attacks. The default action is Drop.

Land Attack: Click this button to enable Land attack defense for the security zone.

• Action - Specifies an action for Land attacks. The default action is Drop.

Large ICMP Packet: Click this button to enable large ICMP packet defense for the security
zone.

• Threshold - Specifies a size threshold for ICMP packets. If the size of any inbound ICMP
packet is larger than the threshold, StoneOS will identify it as a large ICMP packet and
take the specified action. The value range is 1 to 50000 bytes. The default value is 1024.

• Action - Specifies an action for large ICMP packet attacks. The default action is Drop.

Proxy Click the button to expand the information of proxy defense. Select the Proxy check
box to enable all proxy defenses.

SYN Proxy: Click this button to enable SYN proxy for the security zone. SYN proxy is
designed to defend against SYN flood attacks in combination with SYN flood defense. When
both SYN flood defense and SYN proxy are enabled, SYN proxy will act on the packets that
have already passed detections for SYN flood attacks.

• Proxy trigger rate - Specifies the minimum number of SYN packets that will trigger SYN
proxy or SYN-Cookie (if the Cookie check box is selected). If the number of inbound SYN
packets matched to one single port of one single destination IP address per second
exceeds the specified value, StoneOS will trigger SYN proxy or SYN-Cookie. The value range
is 1 to 50000. The default value is 1000.

• Cookie - Select this check box to enable SYN-Cookie. SYN-Cookie is a stateless SYN proxy
mechanism that enables StoneOS to enhance its capacity of processing multiple SYN packets.
Therefore, you are advised to expand the range between "Proxy trigger rate" and "Max SYN
packet rate" appropriately.

• Max SYN packet rate - Specifies the maximum number of SYN packets that are permitted to
pass through per second by SYN proxy or SYN-Cookie (if the Cookie check box is selected).
If the number of inbound SYN packets destined to one single port of one single destination
IP address per second exceeds the specified value, StoneOS will only permit the specified
number of SYN packets to pass through during the current and the next second. All the
excessive packets of the same type will be dropped during this period. The value range is
1 to 1500000. The default value is 3000.

• Timeout - Specifies a timeout for half-open connections. The half-open connections will
be dropped after the timeout. The value range is 1 to 180 seconds. The default value is 30.

Protocol Anomaly Report Click the button to expand the information of protocol anomaly
report. Select the Protocol Anomaly Report check box to enable all protocol anomaly
reports.

TCP Anomalies: Click this button to enable TCP option anomaly defense for the security zone.

• Action - Specifies an action for TCP option anomaly attacks. The default action is Drop.

TCP Split Handshake: Click this button to enable TCP split handshake defense for the
security zone.

• Action - Specifies an action for TCP split handshake attacks. The default action is Drop.

4. To restore the system default settings, click Restore Default.

5. Click OK.
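To make the threshold semantics in the table above concrete, here is an added Python model (not Hillstone's code and not StoneOS internals) of the per-second flood thresholds with their "current and next second" drop window, the SYN flood destination-before-source check, and the IP address sweep and port scan time windows; every packet in it is constructed sample traffic.

```python
"""Added example, not Hillstone code: a model of the zone attack defense thresholds
in the table above, exercised with constructed traffic."""


class FloodCounter:
    """Packets-per-second threshold on one key: destination IP for ICMP flood,
    (dst IP, dst port) for the UDP Dst threshold, source IP for Src thresholds.

    Reading of the table text: once the count in one second exceeds the
    threshold, an alarm is raised and, with the Drop action, every further
    packet on that key is dropped for the current and the next second."""

    def __init__(self, threshold, action="drop"):
        self.threshold = threshold   # 0 = threshold void (SYN flood only)
        self.action = action         # "drop" (default) or "alarm"
        self.count = {}              # key -> (second, packets seen in it)
        self.drop_until = {}         # key -> last second of the drop window
        self.alarms = []             # one (key, second) per detection

    def packet(self, key, t):
        """Verdict for one packet on `key` at time t (seconds): 'pass' or 'drop'."""
        if self.threshold == 0:
            return "pass"
        sec = int(t)
        if sec <= self.drop_until.get(key, -1):
            return "drop" if self.action == "drop" else "pass"
        last_sec, n = self.count.get(key, (sec, 0))
        n = n + 1 if last_sec == sec else 1
        self.count[key] = (sec, n)
        if n > self.threshold:               # flood: excess over the threshold
            self.alarms.append((key, sec))
            self.drop_until[key] = sec + 1   # current and next second
            return "drop" if self.action == "drop" else "pass"
        return "pass"


def syn_packet(src_ip, dst_ip, t, dst_guard, src_guard):
    """SYN flood with both thresholds configured: the destination check runs
    first; only traffic that is not a destination SYN flood is counted against
    the source threshold."""
    if dst_guard.packet(dst_ip, t) == "drop":
        return "drop"
    return src_guard.packet(src_ip, t)


class ScanWindow:
    """Distinct targets per source within `period_ms` milliseconds: hosts for
    IP address sweep (ICMP), destination ports for port scan (TCP SYN). More
    than `limit` distinct targets in one period is a scan; with Drop, the
    excess is dropped until the period ends."""

    def __init__(self, period_ms=1, limit=10, action="drop"):
        self.period_ms = period_ms   # table: 1 to 5000 ms, default 1
        self.limit = limit           # the table's fixed count of 10 packets
        self.action = action
        self.state = {}              # src -> [window start ms, targets, alarmed]
        self.alarms = []

    def packet(self, src, target, t_ms):
        """Verdict for one packet from `src` to `target` at time t_ms."""
        st = self.state.get(src)
        if st is None or t_ms - st[0] >= self.period_ms:
            st = self.state[src] = [t_ms, set(), False]   # new period
        st[1].add(target)
        if len(st[1]) > self.limit:
            if not st[2]:
                st[2] = True
                self.alarms.append((src, t_ms))
            return "drop" if self.action == "drop" else "pass"
        return "pass"


if __name__ == "__main__":
    # Constructed sample: ICMP flood threshold lowered to 3 packets/s.
    icmp = FloodCounter(threshold=3)
    for t in (0.1, 0.2, 0.3, 0.4, 1.5, 2.0):
        print(f"icmp t={t}: {icmp.packet('192.0.2.10', t)}")
    print("icmp alarms:", icmp.alarms)
    # Constructed sample: one source pinging 12 hosts inside the default 1 ms.
    sweep = ScanWindow()
    verdicts = [sweep.packet("10.0.0.9", f"192.0.2.{i}", 0) for i in range(1, 13)]
    print("sweep verdicts:", verdicts)
```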

Perimeter Traffic Filtering
Perimeter Traffic Filtering can filter the perimeter traffic based on known risk IP, MAC or Service
lists, and take a logging/block action on the malicious traffic that hits the risk IP, MAC or
Service list.
The function includes the following lists and settings:

• IP Blacklist: The system supports Static IP Blacklist, Blacklist Library, Dynamic IP Blacklist
and Hit Statistics.

• Service Blacklist: After adding the services to the service blacklist, system will perform the
block action on the service until the block duration ends.

• MAC Blacklist: After adding the MAC address of a host to the blacklist, the host is prevented
from accessing the network during the specified period.

• IP Reputation list: Retrieves the risk IP list (such as Botnet, Spam, Tor nodes, Compromised,
Brute-forcer, and so on) from the Perimeter Traffic Filtering signature database.

• White List: After adding an IP address to the white list, the system will not block the IP
address.

• Global Search: Shows the static IP blacklist, blacklist library, dynamic IP blacklist, exception
whitelist, service blacklist and IP reputation list entries of a specified IP address.

• Configuration: Blacklist global configuration, including Blacklist Log, Session Rematch and
IP Blacklist TCP Reset.

Notes:

• You need to update the IP reputation database before enabling the IP Reputation function
for the first time. By default, system will update the database at a certain time every
day, and you can modify the updating settings according to your own requirements, see
"Upgrading System" on Page 1304.

• To upgrade the IP reputation database, install the IP reputation license and reboot. The
IP reputation database upgrade function is available only after the device is rebooted.

Configuring IP Blacklist

Static IP Blacklist

The static IP blacklist blocks specified IP addresses or prevents hosts from accessing the
network during the specified period.
To configure the static IP blacklist, take the following steps:

1. Select Policy > Perimeter Traffic Filtering > IP Blacklist.

2. Click New in the Static IP Blacklist page.

Configure the corresponding options.

Option Description

IP Type Select the address type, including IPv4 and IPv6.

Entry Type Select the address entry type and then type the address.

Scope Specify whether the blacklist applies to global, a zone or a Virtual Router. When
selecting zone or Virtual Router, select the desired entry in the corresponding drop-down
list.

Schedule Specifies a schedule when the blacklist will take effect. Select a desired schedule
from the Schedule drop-down list.

Status Specify the status of the static IP blacklist.

3. Click OK to save the settings.

Redundancy Check

The system supports checking for conflicts among blacklists, that is, whether one blacklist
entry overshadows another.
To configure the redundancy check, take the following steps:

1. Select Policy > Perimeter Traffic Filtering > IP Blacklist.

2. Click Redundancy Check in the Static IP Blacklist page. Click OK in the following prompt
dialog.

3. After the check, system will highlight the policy rule which is overshadowed.

4. To delete a blacklist, select the blacklist you want to delete from the list and click Delete.

Blacklist Library Rule

The system supports importing/exporting the blacklist library file or updating the blacklist
from a specified server, and specifying the rule of the blacklist library.
To configure the blacklist library rule, take the following steps:

1. Select Policy > Perimeter Traffic Filtering > IP Blacklist.

2. Click New in the Blacklist Library Rule page.

Configure the corresponding options.

Option Description

Scope Specify whether the blacklist applies to global, a zone or a Virtual Router. When
selecting zone or Virtual Router, select the desired entry in the corresponding drop-down
list.

Status Specify the status of the blacklist library rule.

3. Click OK to save the settings.

Blacklist Library Details

Click Blacklist Library Details to open the Blacklist Library Details page.

To import blacklist library file, take the following steps:

1. Click Import Blacklist in the Blacklist Library Details page.

2. Select the import mode, including incremental import and overwrite import.

• Incremental Import: Import the blacklist library file on the basis of the original file.

• Overwrite Import: Overwrite the original blacklist library file.

3. Click Browse to select the local file to be imported in the File Name area.

4. Click OK to save the settings.

To configure auto update, take the following steps:

1. Click Update Configuration in the Blacklist Library Details page.

2. Click Auto Update to automatically update the blacklist library file from the specified
server.

Configure the corresponding options.

Option Description

Type Specifies the time interval for auto update: at the specified time of every day, or at
the specified time of a specified day during a week.

Server Type Specifies the server type, including FTP or TFTP.

IP address Specifies the IP address of the server.

Virtual Router Specifies the virtual router of the server.

User Name Specifies the username used to log on to the FTP server.

Password Enter the password of the FTP username.

Import Mode Select the import mode, including incremental import and overwrite import.

File Name Enter the name of the file to be imported in the text box.

3. Click OK to save the settings.

Notes:

• The blacklist library file only supports TXT and CSV formats.

• The size of the blacklist file cannot be larger than 2M.

• The imported blacklist library files will be checked for redundancy in the order of
import. If the imported entries are completely covered by the previously imported entries,
the import will fail.
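As an added example (not Hillstone's code), the following Python script applies the coverage rule behind the Redundancy Check and the import notes above to a blacklist library file. It assumes one IPv4/IPv6 address or CIDR entry per line (first column when the file is CSV) with "#" comment lines, and reads the 2M limit as 2 MiB; the sample file content is constructed.

```python
"""Added example, not Hillstone code: checks a blacklist library file the way the
Redundancy Check and the import notes describe coverage between entries.
Assumed layout: one IPv4/IPv6 address or CIDR prefix per line (first column
when CSV), '#' comment lines ignored. Sample content is constructed."""
import csv
import io
import ipaddress

MAX_FILE_BYTES = 2 * 1024 * 1024    # the note's 2M limit, read as 2 MiB (assumption)


def parse_blacklist(text):
    """Networks in file order; raises ValueError naming the offending line."""
    nets = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), 1):
        if not row or row[0].strip().startswith("#"):
            continue
        entry = row[0].strip()
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {entry!r} is not an IP or prefix") from exc
    return nets


def covered_by(net, others):
    """True when `net` lies entirely inside some entry of `others`."""
    return any(o.version == net.version and net.subnet_of(o) for o in others)


def overshadowed(nets):
    """Indexes of entries fully covered by an earlier entry, i.e. what the
    Redundancy Check would highlight."""
    return [i for i, net in enumerate(nets) if covered_by(net, nets[:i])]


def incremental_import(existing, new):
    """The import note's rule: entries already covered by the earlier imported
    ones add nothing, and an import in which every entry is covered fails.
    Returns (ok, entries that would be added)."""
    added = [net for net in new if not covered_by(net, existing)]
    return (bool(added), added)


def load_blacklist(data):
    """Apply the file size limit from the notes, then parse."""
    if len(data) > MAX_FILE_BYTES:
        raise ValueError("blacklist file exceeds the 2M limit")
    return parse_blacklist(data.decode("utf-8"))


if __name__ == "__main__":
    sample = (
        "# constructed sample library\n"
        "203.0.113.0/24\n"
        "203.0.113.7\n"            # covered by the /24 above
        "198.51.100.0/25,permanent\n"
        "2001:db8::/32\n"
        "2001:db8:1::1\n"          # covered by the /32 above
        "198.51.100.200\n"
    )
    nets = load_blacklist(sample.encode())
    print("overshadowed entries:", [str(nets[i]) for i in overshadowed(nets)])
    ok, added = incremental_import(nets, parse_blacklist("203.0.113.9\n2001:db8::5\n"))
    print("import of fully covered entries ok:", ok, added)
```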

You can also perform the following operations:

• Export Blacklist: Click Export Blacklist to export the blacklist file to the local PC.

• Delete Blacklist Library: Click Delete Blacklist Library to delete the blacklist file.

Dynamic IP Blacklist
After adding the IP addresses to the global blacklist, system will perform the block action on the
IP address and service until the block duration ends.
To configure the dynamic IP blacklist, take the following steps:

1. Select Policy > Perimeter Traffic Filtering > IP Blacklist.

2. Click New in the Dynamic IP Blacklist page.

Configure the corresponding options.

Option Description

IP Type Select the address type, including IPv4 and IPv6.

IP Type the IP address that you want to block. This IP address can be not only the source
IP address, but also the destination IP address.

Virtual Router Select the virtual router that the IP address belongs to.

Block Type Select the block type, including Permanent Block and Blocked Time. When Blocked
Time is selected, type the duration that the IP address will be blocked. The unit is
second. The value ranges from 60 to 1296000.

3. Click OK to save the settings.

Hit Statistics

System supports statistics on blacklist hit counts. When there is a large number of blacklist
entries, you can view all hit entries and the TOP 100 blacklist entries on the hit statistics page.
To view blacklist hit counts, take the following steps:

1. Select Policy > Perimeter Traffic Filtering > IP Blacklist.

2. View all hit entries in the Hit Statistics page.

3. Click TOP 100 to view the TOP 100 hit entries in the Hit Statistics Ranking page.

4. Select the items that need to be cleared, and click Clear Selected Hit(s) to clear the hit
statistics of the specified IP. Click Delete All to clear all hit statistics.

Notes: After deleting an IP blacklist entry, the corresponding hit statistics will also
be cleared.

Service Blacklist
To configure the service blacklist, take the following steps:

1. Select Policy > Perimeter Traffic Filtering > Service Blacklist.

2. Click New.

Configure the corresponding options.

Option Description

Virtual Router Select the virtual router that the IP address belongs to.

IP Type Select the address type, including IPv4 and IPv6.

Source IP Type the source IP address of the blocked service. The service block function
will block the service from the source IP address to the destination IP address.

Destination IP Type the destination IP address of the blocked service.

Destination Port Type the port number of the blocked service.

Protocol Select the protocol of the blocked service.

Blocked Time Type the duration that the IP address will be blocked. The unit is second.
The value ranges from 60 to 1296000.

3. Click OK to save the settings.

MAC Blacklist
To configure the MAC blacklist, take the following steps:

1. Select Policy > Perimeter Traffic Filtering > MAC Blacklist.

2. Click New.

Configure the corresponding options.

Option Description

MAC address Type the MAC address of the host that will be added to the blacklist.

Schedule Specifies a schedule when the blacklist will take effect. Select a desired schedule
from the Schedule drop-down list.

Status Specify the status of the MAC blacklist.

3. Click OK to save the settings.

Notes: The configuration of multicast MAC addresses is not supported.

IP Reputation Filtering
To configure the IP Reputation Filtering function, take the following steps:

1. Select Policy > Perimeter Traffic Filtering > IP Reputation Filtering.

2. Click New.

Configure the corresponding options.

Option Description

Scope Specify whether the blacklist applies to global, a zone or a Virtual Router. When
selecting zone or Virtual Router, select the desired entry in the corresponding drop-down
list.

Category Select the types of risky IPs to block the corresponding IP addresses.

3. Click OK to save the settings.

White List
To configure the white list, take the following steps:

1. Select Policy > Perimeter Traffic Filtering > White List.

2. Click New.

Configure the corresponding options.

Option Description

IP Type Select the address type, including IPv4 and IPv6.

IP/Netmask Type the IP address and netmask for the user-defined white list.

Scope Specify whether the whitelist applies to global, a zone or a Virtual Router. When
selecting zone or Virtual Router, select the desired entry in the corresponding drop-down
list.

3. Click OK to save the settings.

Global Search
To view the black/white list entries of a specified IP address, take the following steps:

1. Select Policy > Perimeter Traffic Filtering > Global Search.

2. Type the IP address and click Search. The page jumps to the corresponding blacklist tab
to show the matching entry.

Configuration
To configure the blacklist global configuration, take the following steps:

1. Select Policy > Perimeter Traffic Filtering > Configuration.

2. Click the Enable button of Blacklist Log to enable the blacklist log.

3. Click the Enable button of Session Rematch. When you add, modify or delete a blacklist,
existing sessions will be matched against the blacklists again.

4. Click the Enable button of IP BlackList TCP Reset. After the IP BlackList TCP Reset is
enabled, the system will send a TCP-RST packet to the IP address of TCP traffic that hits
the blacklist, thus blocking the IP address.

Antispam
SG-6000-A200 and SG-6000-A200W do not support this function.
The system is designed with an Antispam function, which enables users to identify and filter
mails transmitted by the SMTP and POP3 protocols through the cloud server, discover mail threats
such as spam, phishing and worm mail in a timely manner, and then process the detected spam
according to the configuration, so as to protect the user's mail client or mail server.

Notes: The Antispam function will not work unless an Antispam license has been installed on a
StoneOS that supports Antispam.

Related Topics:

• "Configuring Antispam" on Page 1058

• "Antispam Global Configuration" on Page 1065

Configuring Antispam
This chapter includes the following sections:

• Preparation for configuring the Antispam function

• Configuring the Antispam function

Preparing

Before enabling Antispam, make the following preparations:

1. Make sure your system version supports Antispam.

2. Import an Antispam license and reboot. Antispam will be enabled after the reboot.

Notes: To assure a proper connection to the cloud server, you need to configure a
DNS server for StoneOS before configuring the anti-spam.

Configuring Antispam Function

The Antispam configurations are based on security zones or policies.

• If a security zone is configured with the Antispam function, system will perform detection on
the traffic that is matched to the binding zone specified in the rule, and then respond according
to what you specified.

• If a policy rule is configured with the threat protection function, system will perform
detection on the traffic that is matched to the policy rule you specified, and then respond.

• If threat protection is configured in both a policy rule and a zone rule, the configuration in
the policy rule takes precedence; if it is configured in both a destination zone and a source
zone, the configuration in the destination zone takes precedence.

To realize the zone-based Antispam, take the following steps:

1. Create a zone. For more information, refer to "Security Zone" on Page 85.

2. In the Zone Configuration page, expand Threat Protection.

3. Enable the threat protection you need and select an Anti-Spam rule from the profile drop-
down list below; or you can click from the profile drop-down list. To create an Anti-Spam
rule, see Configuring an Anti-Spam Rule.

4. Click OK to save the settings.

To realize the policy-based Antispam, take the following steps:

1. Create a security policy rule. For more information, refer to "Security Policy" on Page 788.

2. In the Policy Configuration page, expand Protection.

3. Click the Enable button of Antispam. Then select an Antispam rule from the Profile drop-
down list, or you can click from the Profile drop-down list to create an Anti-Spam rule.

For more information, see Configuring an Anti-spam Rule.

4. Click OK to save the settings.

Configuring an Antispam Rule

To configure an Antispam rule, take the following steps:

1. Select Object > Antispam > Profile.

2. Click New.

In the Antispam Configuration page, enter the Antispam rule configurations.

Option Description

Name Specifies the rule name.

Mail Protocol Type Specifies the mail protocol (SMTP, POP3), spam category and action.

Spam category:

• Confirmed Spam: The mail from spam sources.

• Bulk Spam: The malicious mass mail from uncertain spam sources.

• Suspicious Spam: The mail from suspicious spam sources.

• Valid Bulk: Mass mail from legitimate senders.

Action:

• Log Only - Only generates logs. This is the default action.

• Reset Connection - If spam has been detected, system will reset the connection.

Note: Spam transferred over POP3 only supports the Log Only action.

User-defined Blacklist Click the Enable button to enable the Antispam User-defined Blacklist.
When it is enabled, the email from a sender who is in the User-defined Blacklist will be
directly identified as spam, and then system will process it according to the action
specified by the user: log or reset connection.

Whitelist of Sender The whitelist is used to specify the mail domains or email addresses that
will not be filtered by Anti-Spam. Each Anti-Spam profile can specify up to 64 whitelist items.


l Select "Domain " or "Email " and enter the cor-


responding parameter values in the text box.
The parameter values range from 1 to 255 char-
acters. When "Domain" is selected, the max-
imum length between the two periods (.) is
only 63 characters.

l Click New to add the domain name or email


address to whitelist of sender.

l Select the domain or email address of sender


item, and click Deleteto delete the items of
sender.

3. Click OK.

Notes: By default, the system comes with one predefined spam filtering rule: predef_default. The default rule cannot be edited or deleted.

Configuring an Anti-Spam User-defined Blacklist

You can add the sender's domain name or email address to the User-defined Blacklist. When the Anti-Spam User-defined Blacklist function is enabled, the system will directly identify email from a sender in the User-defined Blacklist as spam, and then reset the connection or record it in the threat log.
To configure an Anti-Spam User-defined Blacklist, take the following steps:

1. Select Object > Antispam > User-defined Blacklist and click New.

2. In the <User-defined Blacklist Configuration> page, select "Sender Domain" or "Sender Email" and enter the corresponding parameter value in the text box. The parameter value ranges from 1 to 255 characters. When "Sender Domain" is selected, the maximum length between two periods (.) is only 63 characters.

3. Click OK.

To export the sender User-defined Blacklist, take the following steps:

1. Select Object > Antispam > User-defined Blacklist.

2. Click Export, and all the items of the User-defined Blacklist will be exported as a file in ".txt" format.

The exported User-defined Blacklists can be imported on another device. To import the sender
User-defined Blacklist, take the following steps:

1. Select Object > Antispam > User-defined Blacklist and click Import.

2. In the <Import User-defined Blacklist> page, click Browse to select the User-defined Blacklist file to be imported.

3. Click OK to import the User-defined Blacklist.

Notes: If you import a new anti-spam blacklist, all the existing user-defined anti-
spam blacklists are replaced. To retain the existing user-defined anti-spam blacklists,
export and merge them with the new one, and then import the merged result.
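Because an import replaces the whole User-defined Blacklist, keeping existing entries means export, merge, re-import. The following is an added example (not StoneOS code) that checks each sender domain or email address against the limits given above (1 to 255 characters, at most 63 characters between two periods) and merges two exported lists into one deduplicated file. It assumes the exported ".txt" holds one entry per line; the guide does not describe the file layout, so that is an assumption.

```python
import re

# Added example, not StoneOS code. Assumes the exported ".txt" holds one sender
# domain or email address per line (assumption: the layout is not documented).

MAX_ENTRY_LEN = 255   # "The parameter values range from 1 to 255 characters"
MAX_LABEL_LEN = 63    # "the maximum length between the two periods (.) is only 63 characters"

# A DNS label: letters, digits and hyphens, not starting or ending with a hyphen.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def validate_domain(domain: str) -> bool:
    """Check a sender domain against the length limits stated on this page."""
    if not 1 <= len(domain) <= MAX_ENTRY_LEN:
        return False
    labels = domain.split(".")
    return all(1 <= len(lab) <= MAX_LABEL_LEN and _LABEL_RE.match(lab) for lab in labels)


def validate_email(address: str) -> bool:
    """Check a sender email: exactly one '@', a non-empty local part, a valid domain."""
    if not 1 <= len(address) <= MAX_ENTRY_LEN or address.count("@") != 1:
        return False
    local, domain = address.split("@")
    return bool(local) and " " not in local and validate_domain(domain)


def classify(entry: str) -> str:
    """Return 'email', 'domain' or 'invalid' for one blacklist line."""
    if "@" in entry:
        return "email" if validate_email(entry) else "invalid"
    return "domain" if validate_domain(entry) else "invalid"


def parse_blacklist(text: str) -> tuple[list[str], list[str]]:
    """Split an exported blacklist into (valid entries, rejected lines).
    Entries are lower-cased so that case variants of one sender merge into one."""
    valid, rejected = [], []
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue                      # blank lines and comments (assumption)
        if classify(entry) == "invalid":
            rejected.append(entry)
        else:
            valid.append(entry.lower())
    return valid, rejected


def merge_blacklists(*exports: str) -> str:
    """Merge several exported lists into one deduplicated file body for import.
    Order of first appearance is kept so the result is easy to diff."""
    merged: dict[str, None] = {}          # dict used as an insertion-ordered set
    for text in exports:
        valid, _ = parse_blacklist(text)
        for entry in valid:
            merged.setdefault(entry, None)
    return "\n".join(merged) + "\n"


# Constructed sample exports (all values made up for this example).
EXISTING_EXPORT = """\
spam-sender.example
offer@spam-sender.example
Bulk.Mailer.Example
"""

NEW_EXPORT = """\
bulk.mailer.example
news@bulk.mailer.example
-bad-label-.example
"""

if __name__ == "__main__":
    _, bad = parse_blacklist(NEW_EXPORT)
    print("rejected:", bad)
    print(merge_blacklists(EXISTING_EXPORT, NEW_EXPORT), end="")
```

Rejected lines are reported rather than silently dropped, so an operator sees what the device would otherwise refuse on import.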

Antispam Global Configuration
To configure the Antispam global settings, take the following steps:

1. Click Object > Antispam > Configuration.

2. Type the mail scan maximum limit in the Mail Scan Upper Limit text box. The range is 512 Kb to 2048 Kb; the default value is 1024 Kb.

3. Click OK to save the settings.

Botnet Prevention
A botnet is a network formed by using one or more means of communication to infect a large number of hosts with bots, creating a one-to-many controlled network between the controller and the infected hosts, which poses a great threat to network and data security.
The botnet prevention function can detect botnet hosts in the internal network in a timely manner, as well as locate them and take other actions according to the configuration, so as to avoid further threat attacks.
The botnet prevention configurations are based on security zones or policies. If the botnet prevention profile is bound to a security zone, the system will detect the traffic destined to the specified security zone based on the profile configuration. If the botnet prevention profile is bound to a policy rule, the system will detect the traffic matching the specified policy rule based on the profile configuration.

DGA Detection
DNS, the domain name resolution protocol, is designed to resolve fixed domain names to IP addresses. Because domain names are convenient and widely used, attackers take different approaches to generating attacks through them. For example, one IP address can correspond to multiple domain names, and the server locates the target URL according to the endpoint field of the HTTP packet; malware uses this feature by modifying the endpoint field to disguise the domain name and generate abnormal behavior. DGA, the domain generation algorithm, generates a large number of pseudo-random domain names and is used by malware.
To solve these problems, the system supports enabling the DGA detection function to inspect DNS response messages and detect whether the device is attacked by DGA domain names. If a DGA domain name is detected, the system will perform the specified processing action on the detected DGA domain name according to the configuration of the botnet prevention rule (record the related threat log or reset the connection).

DNS Tunnel Detection


DNS tunnel is a kind of covert channel that establishes communication by encapsulating other protocols in the DNS protocol for transmission. Most firewalls and detection devices pass DNS traffic, and DNS tunnel attacks exploit exactly this to implement operations such as remote control and file transfer, which harms users' network security and data security. Therefore, the detection, warning and processing of DNS tunnels are particularly important.
The system provides the DNS tunnel detection function. Through inspection of DNS request messages and monitoring of DNS traffic, feature extraction and comprehensive analysis of the DNS tunnel can be realized. At the same time, the specified processing action can be performed on the detected DNS tunnel (record the relevant threat log or reset the connection) to prevent the threat brought by the DNS tunnel.
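As an added illustration of what the two detectors above look for (not StoneOS's detection logic, which this guide does not describe), the following scores DNS names with simple heuristics: a pseudo-random second-level label suggests a DGA, while long, high-entropy and highly varied subdomain labels under one apex suggest a tunnel. All query names and thresholds are constructed for the example.

```python
import math
from collections import Counter, defaultdict

# Added illustration only: StoneOS's DGA and DNS tunnel detection algorithms are
# not documented on this page. Thresholds are assumptions tuned to the sample data.

VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits per character of a label; pseudo-random strings score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def dga_score(name: str) -> float:
    """Heuristic DGA score in [0, 1] for the second-level label: long,
    high-entropy, vowel-poor and digit-heavy labels look machine-generated.
    (Public-suffix handling is deliberately out of scope here.)"""
    parts = name.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    if len(label) < 6:
        return 0.0
    ent = min(shannon_entropy(label) / 4.0, 1.0)        # ~4 bits/char is very random
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / max(len(letters), 1)
    digit_ratio = sum(c.isdigit() for c in label) / len(label)
    score = (0.5 * ent
             + 0.3 * (1.0 - min(vowel_ratio / 0.4, 1.0))   # natural words: ~40% vowels
             + 0.2 * min(digit_ratio / 0.3, 1.0))
    return round(min(score, 1.0), 3)


def tunnel_indicators(queries: list[str]) -> dict[str, dict]:
    """Per apex domain: longest left-most label, mean entropy of that label and
    number of distinct subdomains. A tunnel carries its payload in many unique,
    long, encoded labels under one domain, so all three rise together."""
    acc = defaultdict(lambda: {"max_label": 0, "entropies": [], "subs": set()})
    for q in queries:
        parts = q.lower().rstrip(".").split(".")
        if len(parts) < 3:
            continue                          # no subdomain, nothing to carry data in
        d = acc[".".join(parts[-2:])]
        d["max_label"] = max(d["max_label"], len(parts[0]))
        d["entropies"].append(shannon_entropy(parts[0]))
        d["subs"].add(".".join(parts[:-2]))
    return {
        apex: {
            "max_label": d["max_label"],
            "mean_entropy": round(sum(d["entropies"]) / len(d["entropies"]), 2),
            "unique_subdomains": len(d["subs"]),
        }
        for apex, d in acc.items()
    }


def is_tunnel_suspect(stats: dict, min_label: int = 30,
                      min_entropy: float = 3.5, min_unique: int = 5) -> bool:
    """Flag only when long labels, high entropy and many unique subdomains coincide."""
    return (stats["max_label"] >= min_label
            and stats["mean_entropy"] >= min_entropy
            and stats["unique_subdomains"] >= min_unique)


# Constructed sample query names (not captured traffic).
SAMPLE_QUERIES = [
    "www.example.com", "mail.example.com",
    "xk3f9qz7bd1w.example", "qp0r8t2vmxl4.example",             # DGA-like
    "gezdgnbvgy3tqojqgezdgnbvgy3tqojq.tun.example.org",        # tunnel-like chunks
    "mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpj.tun.example.org",
    "nbswy3dpeb3w64tmmqqfi5lsee.tun.example.org",
    "onswg4tforrw63lnmv3a2lvnmzxw2ltn.tun.example.org",
    "krugkidrovuwg2zamjzg653oebxw43dzpfvg6.tun.example.org",
]

if __name__ == "__main__":
    for name in SAMPLE_QUERIES[:4]:
        print(f"{name:28s} dga_score={dga_score(name)}")
    for apex, stats in tunnel_indicators(SAMPLE_QUERIES).items():
        print(apex, stats, "TUNNEL?" if is_tunnel_suspect(stats) else "")
```

Real detectors also weigh query rates, record types (TXT, NULL) and response sizes; the point here is only why the rule's two switches cover different signals.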

Notes: The botnet prevention function is controlled by license. DGA detection and
DNS tunnel detection are included in the botnet prevention function. Therefore,
botnet prevention, DGA detection, and DNS tunnel detection can be used only
after the Botnet Prevention license is installed in StoneOS.

Related Topics:

l "Configuring Botnet Prevention" on Page 1068

l "Address Library" on Page 1072

l "Botnet Prevention Global Configuration" on Page 1076

Configuring Botnet Prevention
This chapter includes the following sections:

l Preparation for configuring Botnet Prevention function

l Configuring Botnet Prevention function

Preparing

Before enabling botnet prevention, make the following preparations:

1. Make sure your system version supports botnet prevention.

2. Import a botnet prevention license and reboot. The botnet prevention will be enabled after
the rebooting.

Notes:

l You need to update the botnet prevention signature database before enabling the function for the first time. To assure a proper connection to the default update server, you need to configure a DNS server for the system before updating.

Configuring Botnet Prevention Function

The Botnet Prevention configurations are based on security zones or policies.


To realize the zone-based Botnet Prevention, take the following steps:

1. Create a zone. For more information, refer to "Security Zone" on Page 85.

2. In the Zone Configuration page, expand Threat Protection.

3. Enable the threat protection you need and select a Botnet Prevention rule from the profile drop-down list below; or you can click from the profile drop-down list. To create a Botnet Prevention rule, see Configuring a Botnet Prevention Rule.

4. Click OK to save the settings.

To realize the policy-based Botnet Prevention, take the following steps:

1. Create a security policy rule. For more information, refer to "Security Policy" on Page 788.

2. In the Policy Configuration page, expand the Protection.

3. Click the Enable button of Botnet Prevention. Then select a Botnet Prevention rule from the Profile drop-down list, or you can click from the Profile drop-down list to create a Botnet Prevention rule. For more information, see Configuring a Botnet Prevention Rule.

4. Click OK to save the settings.

Configuring a Botnet Prevention Rule

To configure a Botnet Prevention rule, take the following steps:

1. Click Object > Botnet Prevention > Profile.

2. Click New.

In the Botnet Prevention Rule Configuration page, enter the Botnet Prevention rule configurations.

Option Description

Name Specifies the rule name.

Protocol Types Specifies the protocol types (TCP, HTTP, DNS) you want to scan and the action the system will take after a botnet is found.

l Log Only - Only generates a log.

l Reset Connection - If a botnet has been detected, the system will reset the connection.

l Sinkhole-Replace - When the protocol type is DNS, you can specify the processing action as "Sinkhole Address Replacement". After the threat is discovered, the system will replace the IP address in the DNS response packet with the Sinkhole IP address.

DNS Tunnel Detection: Click the Enable button to enable the DNS tunnel detection function, and specify the processing action after a DNS tunnel is detected (Log Only, Reset Connection).

DGA Detection: Click the Enable button to enable the DGA detection function, and specify the processing action after a DGA domain name is detected (Log Only, Reset Connection).

3. Click OK.

Address Library
The address library includes a predefined address library and a custom address library, each of which contains a block list and an exclude list, described as follows:

l Predefined exclude list: Contains domains automatically obtained through the botnet prevention signature database. When traffic matches a domain name in the list, the system will not control the traffic with the botnet prevention function.

l Custom exclude list: Contains IPs, domains and URLs manually added by the user. When traffic matches an IP address, domain name or URL in the list, the system will not control the traffic with the botnet prevention function.

l Predefined block list: Contains IPs, domains and URLs automatically obtained through the botnet prevention signature database. When traffic matches an IP address, domain name or URL in the list, the system will control the traffic with the botnet prevention function.

l Custom block list: Contains IPs, domains and URLs manually added by the user. When traffic matches an IP address, domain name or URL in the list, the system will control the traffic with the botnet prevention function.

The traffic matching sequence is: Custom exclude list > Custom block list > Predefined exclude list > Predefined block list.

Configuring the Exclude List

Creating a Custom Exclude List


To create a custom exclude list entry, take the following steps:

1. Click Object > Botnet Prevention > Address Library.

2. In the Exclude List tab, click New to open the Exclude Entry Configuration page.

3. Click IP, Domain or URL to specify the entry type.

l IP: Enter the IP address and Port in the text box. If the port is not specified, any port will match.

l Domain: Enter the domain name in the text box. You can click the enable button of
"Including subdomains" to specify the domain as a wildcard domain.

l URL: Select HTTP or HTTPS from the URL drop-down list and enter the URL
address in the text box.

4. Click OK.
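The matching sequence given in the Address Library description and the three entry types above, as an added illustration (not StoneOS code): a lookup that evaluates the four lists in the documented order, where an IP entry without a port matches any port, a domain entry with "Including subdomains" acts as a wildcard, and a URL entry is keyed by its HTTP or HTTPS scheme. All list contents are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Added illustration of the documented matching order; not StoneOS code.
# Entry types follow the Address Library page: IP (optional port),
# Domain (optionally including subdomains), URL (HTTP or HTTPS).


@dataclass(frozen=True)
class Entry:
    kind: str                           # "ip", "domain" or "url"
    value: str                          # IP address, domain name or URL
    port: Optional[int] = None          # IP entries: None means any port
    include_subdomains: bool = False    # Domain entries: wildcard domain

    def matches(self, ip: str, port: int, host: str, url: str) -> bool:
        if self.kind == "ip":
            return ip == self.value and self.port in (None, port)
        if self.kind == "domain":
            host = host.lower().rstrip(".")
            dom = self.value.lower().rstrip(".")
            if host == dom:
                return True
            return self.include_subdomains and host.endswith("." + dom)
        if self.kind == "url":
            # Scheme comes from the HTTP/HTTPS drop-down, so it is part of the key.
            a, b = urlsplit(self.value.lower()), urlsplit(url.lower())
            return (a.scheme, a.hostname, a.path.rstrip("/")) == \
                   (b.scheme, b.hostname, b.path.rstrip("/"))
        raise ValueError(f"unknown entry kind {self.kind!r}")


@dataclass
class AddressLibrary:
    custom_exclude: list[Entry] = field(default_factory=list)
    custom_block: list[Entry] = field(default_factory=list)
    predefined_exclude: list[Entry] = field(default_factory=list)
    predefined_block: list[Entry] = field(default_factory=list)

    def decide(self, ip: str, port: int, host: str, url: str = "") -> str:
        """Return 'exclude', 'block' or 'no-match', consulting the lists in the
        documented order: custom exclude > custom block > predefined exclude >
        predefined block. The first list with a hit decides."""
        ordered = [
            ("exclude", self.custom_exclude),
            ("block", self.custom_block),
            ("exclude", self.predefined_exclude),
            ("block", self.predefined_block),
        ]
        for verdict, entries in ordered:
            if any(e.matches(ip, port, host, url) for e in entries):
                return verdict
        return "no-match"


def demo_library() -> AddressLibrary:
    """Constructed sample library; every value is made up for this example."""
    lib = AddressLibrary()
    # Predefined block list: a C2 domain with its subdomains, and an IP on any port.
    lib.predefined_block.append(Entry("domain", "c2.example.net", include_subdomains=True))
    lib.predefined_block.append(Entry("ip", "203.0.113.10"))
    # Predefined exclude list: a domain the signature database clears.
    lib.predefined_exclude.append(Entry("domain", "cdn.example.org"))
    # Custom block list: an operator-added URL and an IP:port pair.
    lib.custom_block.append(Entry("url", "http://files.example.com/payload"))
    lib.custom_block.append(Entry("ip", "198.51.100.7", port=8443))
    # Custom exclude list: wins even over a predefined block hit.
    lib.custom_exclude.append(Entry("domain", "update.c2.example.net"))
    return lib


if __name__ == "__main__":
    lib = demo_library()
    for args in [("192.0.2.1", 443, "beacon.c2.example.net"),
                 ("192.0.2.1", 443, "update.c2.example.net"),
                 ("198.51.100.7", 443, "host.example")]:
        print(args, "->", lib.decide(*args))
```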

Deleting a Custom Exclude List


To delete a custom exclude list entry, take the following steps:

1. Click Object > Botnet Prevention > Address Library.

2. In the Exclude List tab, select the entry you want to delete from the exclude list.

3. Click Delete.

Filtering an Entry in the Exclude List


Users can filter and view an exclude list entry in the predefined address library and the custom
address library. To filter an exclude list entry, take the following steps:

1. Click Object > Botnet Prevention > Address Library.

2. In the Exclude List tab, click the Filter button to add filtering conditions and search out the
filtered entry.

Configuring the Block List

Creating a Custom Block List


To create a custom block list entry, take the following steps:

1. Click Object > Botnet Prevention > Address Library.

2. In the Block List tab, click New to open the Blocklist Entry Configuration page.

3. Click IP, Domain or URL to specify the entry type.

l IP: Enter the IP address and Port in the text box. If the port is not specified, any port will match.

l Domain: Enter the domain name in the text box. You can click the enable button of
"Including subdomains" to specify the domain as a wildcard domain.

4. Click OK.

Deleting a Custom Block List


To delete a custom block list entry, take the following steps:

1. Click Object > Botnet Prevention > Address Library.

2. In the Block List tab, select the entry you want to delete from the block list.

3. Click Delete.

Filtering an Entry in the Block List


Users can filter and view a block list entry in the predefined address library and the custom
address library. To filter a block list entry, take the following steps:

1. Click Object > Botnet Prevention > Address Library.

2. In the Block List tab, click the Filter button to add filtering conditions and search out the
filtered entry.

Adding to Exclude List


To add a block list entry to the exclude list, take the following steps:

1. Click Object > Botnet Prevention > Address Library.

2. In the Block List tab, click Add to exclude list under the Operation column in the block list
to add the entry to the exclude list.

Botnet Prevention Global Configuration
To configure the Botnet Prevention global settings, take the following steps:

1. Click Object > Botnet Prevention > Configuration.

2. Click/clear the Enable button to enable/disable the Botnet Prevention function.

3. Specify the Sinkhole IP address that replaces the IP address in the DNS response message.
You can select the system's predefined Sinkhole IP address or specify a user-defined Sink-
hole IP address. After selecting User-defined Sinkhole, specify a custom IPv4 address and
an IPv6 address. If only the IPv4 address is configured, the system will automatically map
the configured IPv4 address to the corresponding IPv6 address when the DNS server com-
municates by using the IPv6 protocol.

4. In the DNS Tunnel Log Interval, specify the minimum time interval for logging after the system detects a DNS tunnel. The range is 1 to 3600 seconds; the default value is 60 seconds.

5. Click Apply to apply the settings.

Chapter 12 Monitor
The monitor section includes the following functions:

l Monitor: The Monitor function statistically analyzes the devices and displays the statistics in a
bar chart, line chart, tables, and so on, which helps the users have information about the
devices.

l Report: Through gathering and analyzing the device traffic data, traffic management data, threat data, monitor data and device resource utilization data, the function provides all-around and multi-dimensional statistics.

l Log: Records various system logs, including system logs, threat logs, session logs, NAT logs.

Monitor
System can monitor the following objects.

l User Monitor: Displays the application statistics within the specified period (Realtime, latest 1 hour, latest 1 day, latest 1 month). The statistics include the application traffic and applications' concurrent sessions.

l Device Monitor: Displays the device statistics within the specified period (Realtime, latest 1 hour, latest 1 day, latest 1 month), including the total traffic, CPU/memory status, sessions and hardware status.

l Keyword Block: If the system is configured with "File Content Filter" on Page 725, "Web Content" on Page 730, "Email Filter" on Page 742 or "Web Posting" on Page 736, the predefined stat-set of Keyword Block can gather statistics on the file content keywords, Web keywords, email keywords, posting keywords and users/IPs.

l Monitor Configuration: Enable or disable some monitor items as needed.

Notes: If IPv6 is enabled, the system will count the total traffic/sessions/AD/URLs/applications of IPv4 and IPv6 addresses. Only User Monitor/Application Monitor/Cloud Application Monitor/Device Monitor/URL Hit/Application Block/User-defined Monitor support IPv6 addresses.

User Monitor
User monitor displays the application statistics within the specified period (Realtime, latest 1
hour, latest 1 day, latest 1 month ). The statistics include the application traffic and applications'
concurrent sessions.
If IPv6 is enabled, system will support to monitor both IPv4 and IPv6 address.

Notes: Non-root VSYS also supports user monitor, but does not support address
book statistics.

Summary

Summary displays the user traffic/concurrent sessions ranking during a specified period or of spe-
cified interfaces/zones. Click Monitor > User Monitor > Summary.

l Select a different Statistical_Period to view the statistical information in that period of time.

l Click " " to refresh the monitoring data in this page.

l Click " " to close the current frame.

l Hover your mouse over a bar to view the user's average upstream traffic, downstream traffic, total traffic or concurrent sessions.

l When displaying the user traffic statistics, the Upstream and Downstream legends are used to
select the statistical objects in the bar chart.

User Details

Click Monitor > User Monitor> User Details.

l Click to select the condition in the drop-down list to search the desired users.

l To view the detailed information of a certain user, select the user entry in the list, and click "+".

l Application (real-time): Select the Application (real-time) tab to display the detailed information of the upstream traffic, downstream traffic and total traffic. Click Details in the list to view the line chart.

l Cloud Application (real-time): Select the Cloud Application tab to display the cloud application information of the selected user.

l URL (real-time): Select the URL tab to display the URL hit count of the selected user.

l URL Category (real-time): Select the URL Category tab to display the URL category hit count of the selected user.

l Traffic: Select the Traffic tab to display the traffic trends of the selected user.

l Concurrent Sessions: Select the Concurrent Sessions tab to display the concurrent sessions trends of the selected user.

l Within the user entry list, hover your cursor over a user entry, and a button appears to its right. Click this button and select Add to Black List.

l Select a user item in the user list, and click the button in the Session Detail column to open the <Session Detail> page and check all the session details of the selected user.

l Click to select the condition in the drop-down list to search for the desired sessions.

Address Book Details

Click Monitor>User Monitor>Address Book Details.

Monitor Address Book

The monitor address book is a database that stores the users' addresses used for statistics.
Click Monitor > User Monitor> Select Address Book.

In this page, you can perform the following actions:

Statistical Period

System supports the predefined time cycle and the custom time cycle. Click the time button on
the top right corner of each tab to set the time cycle.

l Real-time: Displays the current statistical information.

l Last Hour: Displays the statistical information within the latest 1 hour.

l Last Day: Displays the statistical information within the latest 1 day.

l Last Month: Displays the statistical information within the latest 1 month.

Application Monitor
Application monitor displays the statistics of applications, application categories, application subcategories, application risk levels, application technologies, and application characteristics within the specified period (Realtime, latest 1 hour, latest 1 day, latest 1 month). The statistics include the application traffic and applications' concurrent sessions.
If IPv6 is enabled, system will support to monitor both IPv4 and IPv6 address.

Notes: Non-root VSYS also supports application monitor, but does not support to
monitor application group.

Summary

The summary displays the following contents during a specified period:

l The concurrent sessions of top 10 hot and high-risk applications.

l The traffic/concurrent sessions of top 10 applications.

l The traffic/concurrent sessions of top 10 application categories.

l The traffic/concurrent sessions of top 10 application subcategories.

l The traffic/concurrent sessions organized by application risk levels.

l The traffic/concurrent sessions organized by application technologies.

l The traffic/concurrent sessions organized by application characteristics.

Click Monitor>Application Monitor>Summary.

l Select different Statistical_Period to view the statistical information in different periods of
time.

l From the drop-down menu, specify the type of statistics: Traffic or Concurrent Sessions.

l Click " " to refresh the monitoring data in this page.

l Click " " to close the current frame.

l Hover your mouse over a bar or a pie graph to view the concrete statistical values of total
traffic or concurrent sessions.

Application Details

Click Monitor > Application Monitor > Application Details.

l Click the Time drop-down menu to select a different Statistical_Period to view the statistical information in that period of time.

l Click the button and select Application in the drop-down menu. You can search for the desired application by entering a keyword of the application's name in the text field.

l To view the detailed information of a certain application, select the application entry in the list, and click "+".

l Users (real-time): Select the Users (real-time) tab to display the detailed information of users who are using the selected application. Click in the Details column to see the trends of upstream traffic, downstream traffic and total traffic.

l Traffic: Select the Traffic tab to display the traffic trends of the selected application.

l Concurrent Sessions: Select the Concurrent Sessions tab to display the concurrent sessions trends of the selected application.

l Description: Select the Description tab to display the detailed information of the selected application.

Group Details

Click Monitor>Application Monitor>Group Details.

l Click the Time drop-down menu to select a different Statistical_Period to view the statistical information in that period of time.

l Click the button and select Application Group in the drop-down menu. You can search for the desired application group by entering a keyword of the application group name in the text field.

l To view the detailed information of a certain application group, select the application group entry in the list, and click "+".

l User (real-time): Select the Users (real-time) tab to display the detailed information of users who are using the selected application group. Click in the Details column to see the trends of the upstream traffic, downstream traffic and total traffic.

l Traffic: Select the Traffic tab to display the traffic trends of the selected application group.

l Concurrent Sessions: Select the Concurrent Sessions tab to display the concurrent sessions trends of the selected application group.

Select Application Group

Click Monitor>Application Monitor>Select Application Group. There are global application groups in the right column.

In this page, you can perform the following actions:

l Click the desired address entry check box to add a new address entry to the left list.

l In the left list, click an address entry to remove it from the list.

Statistical Period

System supports the predefined time cycle and the custom time cycle. Click Real-time on the top
right corner of each tab to set the time cycle.

l Real-time: Displays the current statistical information.

l Last 60 Minutes: Displays the statistical information within the latest 1 hour.

l Last 24 Hours: Displays the statistical information within the latest 1 day.

l Last 30 Days: Displays the statistical information within the latest 1 month.

Cloud Application Monitor
This feature may vary slightly on different platforms and may not be available in VSYS on some platforms. If there is a conflict between this guide and the actual page, the latter shall prevail.
A cloud application is an application program that functions in the cloud. It resides entirely on a
remote server and is delivered to users through the Internet.
Cloud application monitor page displays the statistics of cloud applications and users within a spe-
cified period (realtime, latest 1 hour, latest 1 day, latest 1 month ), including application traffic,
user number, and usage trend.
If IPv6 is enabled, system will support to monitor both IPv4 and IPv6 address.

Summary

The summary displays the following contents during a specified period:

l Top 10 cloud applications ranked by traffic/concurrent session number within a specified period (realtime, latest 1 hour, latest 1 day, latest 1 month).

l Top 10 cloud application users ranked by application number/traffic/concurrent sessions/new sessions.

Click Monitor > Cloud Application Monitor> Summary.

l By selecting different filters, you can view the statistics of different time period.

l By selecting the drop-down menu of traffic or concurrent sessions, you can view your intended statistics.

l Click the update icon to update the displayed data.

l Hover your cursor over bar or pie chart to view exact data. Click the Details link on
hover box, and you will jump to the Cloud Application Details page.

Cloud Application Details

Click Monitor > Cloud Application Monitor>Cloud Application Details.

l Click the Time drop-down menu to select different time period to view the statistics in that
period.

l Click the Filter button, and select Application. In the new text box, enter the name of your
intended application.

l To view the detailed information of a certain application group, select the application group entry in the list and click the button before it.

l User (real-time): Select the Users (real-time) tab to display the detailed information of users who are using the selected application group. Click in the Details column to see the trends of the upstream traffic, downstream traffic and total traffic.

l Traffic: Select the Traffic tab to display the traffic trends of selected application.

l Concurrent Sessions: Select the Concurrent Sessions tab to display the concurrent ses-
sions trends of the selected application.

l Description: Select the Description tab to display the detailed description of the selec-
ted application.

Statistical Period

System supports the predefined time cycle and the custom time cycle. Click Real-time on the top
right corner of each tab to set the time cycle.

l Real-time: Displays the current statistical information.

l Last 60 Minutes: Displays the statistical information within the latest 1 hour.

l Last 24 Hours: Displays the statistical information within the latest 1 day.

l Last 30 Days: Displays the statistical information within the latest 1 month.

Share Access Monitor
To detect users privately sharing their Internet access, the system can analyze the User-Agent field of HTTP packets, a share access detection method based on application characteristics. The Share Access page displays share access information matching the specified filter conditions.
Click Monitor> Share Access.

l Click to select the condition in the drop-down list to search for the share access.

l Source IP: Displays the endpoints statistics of the specified source IP (IPv4 or IPv6).

l Rule Name: Displays the endpoints statistics of the specified share access rule.

l Source Zone: Displays the endpoints statistics of the specified source zone.

l Endpoint Number: Displays the endpoints statistics of the specified endpoint number.

l Status: Displays the endpoints statistics of the specified status, including the normal status,
logging status, warning status, and blocking status.

Move the mouse to the Endpoint Number list and click the button to view the list of Endpoint info and First Detection Time.

End Point Monitor
If system is configured with "Configuring End Point Security Control Center Parameters" on Page
771, the endpoint detect page displays the endpoint data information list synchronized with the
endpoint security control center.
Click Monitor > End Point Monitor.

iQoS Monitor
This feature may not be available on all platforms. Please check your system's actual page if your
device delivers this feature.
When the iQoS policy is configured and the function of iQoS is enabled, you can view the real-
time traffic details or traffic trends of pipes and sub-pipes in Level-1 Control or Level-2 Control.

Notes: The iQoS monitor function is controlled by license. To use the function, install the iQoS license. For more information on licenses, please refer to the License.

l Click the "Edit" button to edit the selected pipe.

l Mouse over the bar of the Traffic columns to see the forward and backward traffic of the pipe.

Device Monitor
This feature may vary slightly on different platforms. If there is a conflict between this guide and
the actual page, the latter shall prevail.
The Device page displays the device statistics within the specified period, including the total
traffic, interface traffic, zone traffic, CPU/memory status, sessions, hardware status and online IP.
If IPv6 is enabled, system will support to monitor both IPv4 and IPv6 address.

Summary

The summary displays the device statistics within last 24 hours. Click Monitor>Device Mon-
itor>Summary.

l Total traffic: Displays the total traffic within the specified statistical period.

l Hover your mouse over the chart to view the total traffic statistics at a specific point in
time.

l Select a different Statistical Period to view the statistical information in that period of
time.

l Select the address type from the drop-down list to view the IPv4 traffic, IPv6 traffic or total traffic of IPv4 and IPv6.

l Interface traffic: Displays the upstream traffic, downstream traffic, total traffic and concurrent sessions of interfaces within the specified statistical period by rank.

l Click Traffic In, Traffic Out, Traffic, or Concurrent Sessions. System displays the interface traffic according to the value (from large to small) of the specified object. By default, the interface traffic is displayed according to the total traffic value of the interface.

l Select the address type from the drop-down list to view the IPv4 traffic, IPv6 traffic or total traffic of IPv4 and IPv6.

l Select a different Statistical Period to view the statistical information in that period of
time.

l Click the interface name to view the Detailed Information.

l If IPv6 is enabled, the interface traffic will show the traffic of IPv4 and IPv6.

l Zone traffic: Displays the upstream traffic, downstream traffic, total traffic and concurrent ses-
sions of zone within the specified statistical period by rank.

l Click Traffic In, Traffic Out, Traffic, or Concurrent Sessions. System displays the zone
traffic according to the value(from large to small) of the specified object. By default, the
zone traffic is displayed according to the total traffic value of zone.

l Select the address type from the drop-down list to view the IPv4 traffic, IPv6 traffic or total traffic of IPv4 and IPv6.

l Select a different Statistical Period to view the statistical information in that period of
time.

l Click the zone name to view the Detailed Information.

l Hardware status: Displays the real-time hardware status, including storage, chassis temperature
and fan status.

l EMMC Storage: Displays the EMMC storage space of the current device. Only devices with hard disks support this function.

l SSD Storage: Displays the SSD storage space of the current device.

l Chassis temperature: Displays the current CPU/chassis temperature.

l Click Chassis Temperature for the system to display the CPU/chassis temperature trend.

l Hover your mouse over the chart to view the CPU/chassis temperature statistics
at a specific point in time.

l Select a different Statistical Period to view the statistical information in that period of time.

l Fan status: Displays the operation status of the fan. Green indicates normal; red indicates an error or that a power supply module is not in use.

l Power Status: Displays the power status of the device. Green indicates that the power module is normal. Red indicates that the power module is faulty or not in use.

l CPU/memory status: Displays the current CPU utilization, memory utilization and CPU temperature statistics.

l Click the legends of CPU Utilization, Memory Utilization or CPU Temperature to specify the statistical objects of the histogram. By default, it displays the statistics of all objects.

l Key Process: Displays information about the key processes on the device, including process name, PID, state, priority, and CPU percentage.

Statistical Period

The system supports predefined time cycles. Select a statistical period from the drop-down menu at the top right corner of a statistics page to set the time cycle.

l Real-time: Displays the current statistical information.

l Last 60 Minutes: Displays the statistical information within the latest 1 hour.

l Last 24 Hours: Displays the statistical information within the latest 1 day.

l Last 30 Days: Displays the statistical information within the latest 1 month.

Detailed Information

The detailed information page displays detailed statistics of certain monitored objects. In addition,
in the detailed information page, hover your mouse over the chart that represents a certain object
to view the statistics of history trend and other information.
For example, click ethernet0/2 in the Interface Traffic list, and the detailed information of ethernet0/2 appears.

l The drop-down list is used to specify the statistical type of interface traffic, including all, IPv4 and IPv6.

l The chart icons are used to switch between the line chart and the stacked chart, which display the history trend of sessions and concurrent sessions.

l In traffic trend section, click legends of Traffic In or Traffic Out to specify the statistical
objects. By default, it displays all statistical objects.

l In the User or Application section, click Username/IP or Application to display the real-time trend of the specified user or application. For example, the user traffic trend is shown below.

Online IP

Click Monitor>Device>Online IP to view the historical trend of the number of online users.
You can select the statistical period as last 60 minutes, last 24 hours or last 30 days.

URL Hit
This feature may not be available on all platforms. Check the actual page of your system to see whether your device provides this feature.
If the "URL Filtering" on Page 677 function is enabled in a security policy rule, the predefined stat-set of the URL filter can gather statistics on users/IPs, URLs and URL categories.
If IPv6 is enabled, the system monitors both IPv4 and IPv6 addresses.

Summary

Click Monitor> URL Hit>Summary.

l Select a different Statistical Period to view the statistical information in that period of time.

l Hover your mouse over a bar to view the hit count of the User/IP, URL or URL Category.

l Click the icon at the top-right corner of every table to enter the corresponding details page.

l Click the chart icons to switch between the bar chart and the pie chart.

User/IP

Click Monitor> URL Hit>User/IP.

l The User/IPs and detailed hit count are displayed in the list below.

l Click a User/IP in the list to display the corresponding URL hit statistics in the curve chart
below.

l Statistics: Displays the hit statistics of the selected User/IP, including the real-time statistics and the statistics for the latest 1 hour, 24 hours and 30 days.

l URL (real-time): Displays the real-time hit count of the URLs for the selected User/IP. Click a URL link to view the detailed statistics page of that URL. Click the Detail link to view the URL hit trend of the selected User/IP in the URL Filter Details dialog.

l URL category (real-time): Displays the real-time hit count of the URL categories for the selected User/IP. Click a URL category link to view the detailed statistics page of that URL category. Click the Detail link to view the URL category hit trend of the selected User/IP in the pop-up dialog.

l Click the Filter button at top-left corner. Select User/IP and you can search the User/IP hit
count information by entering the keyword of the username or IP.

URL

Click Monitor > URL Hit > URL.

l The URL, URL category and detailed hit count are displayed in the list below.

l Click a URL in the list to view its detailed statistics.

l Statistics: Displays the hit statistics of the selected URL, including the real-time statistics and the statistics for the latest 1 hour, 24 hours and 30 days.

l User/IP (real-time): Displays the real-time hit count of the User/IPs for the selected URL. Click a User/IP link to view the detailed statistics page of that user/IP. Click the Detail link to view the URL hit trend of the selected user/IP in the URL Filter Details page.

l Click the Filter button at the top-left corner. Select URL and you can search the URL hit count information by entering a keyword of the URL.

l Click the refresh icon to refresh the real-time data in the list.

URL Category

Click Monitor> URL Hit > URL Category.

l The URL category, count, traffic are displayed in the list.

l Click a URL category in the list to view its detailed statistics, displayed in the Statistics, URL (real-time) and User/IP (real-time) tabs.

l Statistics: Displays the trend of the URL category visits, including the real-time trend and the trend in the last 60 minutes, 24 hours and 30 days.

l URL (real-time): Displays the visit information of the URLs, contained in the URL category, that are being visited.

l User/IP(real-time): Displays the visit information of the users or IPs that are visiting the
URL category.

l Click the refresh icon to refresh the real-time data in the list.

Statistical Period

The system supports predefined and custom time cycles. Click the time button on the top right corner of each tab to set the time cycle.

l Real-time: Displays the current statistical information.

l Last 60 Minutes: Displays the statistical information within the latest 1 hour.

l Last 24 Hours: Displays the statistical information within the latest 1 day.

l Last 30 Days: Displays the statistical information within the latest 1 month.

Link Status Monitor
Link status monitoring samples traffic information on the specific interface of a link, including latency, packet loss rate and jitter, to monitor and display the overall status of the link. The system also supports link detection, which calculates the traffic information of a specific destination IP address in the link, including latency and jitter.

Link User Experience

The link user experience page displays the traffic statistics of the interfaces that have been bound within a specified period (real-time, latest 1 hour, latest 1 day, latest 1 month).
Click Monitor > Link Status Monitor. For more information about the configuration of binding interfaces, refer to Link Configuration.

l Select a different Statistical Period to view the statistical information in that period of time.

l Click the Binding Interface drop-down menu and select the interface name to view the link status monitoring statistics for this interface. You can select multiple interfaces.

l Click the IP Type drop-down menu and select the IP type to view the link status monitoring
statistics for this IP type, including IPv4, IPv6 and All.

l Click the filter button and select Application in the drop-down menu. You can select TOP 10 or an application/application group name to view the link status monitoring statistics for the specified application.

Notes:
l "Time", "Binding Interface" and "IP Type" are required in the filter condition, and "IP Type" is selected as "All" by default.

l If the application switch of the specified interface is not enabled in the link
configuration, the Application filter condition cannot be added.

Statistical Period

The system supports predefined and custom time cycles. Click Last 60 Minutes on the top right corner of each tab to set the time cycle.

l Real-time: Displays the current statistical information.

l Last 60 Minutes: Displays the statistical information within the latest 1 hour.

l Last 24 Hours: Displays the statistical information within the latest 1 day.

l Last 30 Days: Displays the statistical information within the latest 1 month.

Link Detection

The link detection page displays the real-time traffic statistics from a specified detection destination IP to a link, or from a link to a detection destination IP, including latency and jitter.
To configure the link detection, take the following steps:

1. Click Monitor > Link Status Monitor > Link Detection.

2. Select the interface name to view the link status monitoring statistics for this interface; you can select up to 8 interfaces. Click New to add interfaces; you can add up to 16 interfaces. For more information about the configuration of binding interfaces, refer to Link Configuration.

3. Select the IP address to view the link status monitoring statistics for this destination address; you can select up to 8 addresses. Click New to add destination addresses; you can add up to 32 addresses. For more information about the configuration of destination addresses, refer to Detection Destination.

4. Click Start Detection, and view the statistics of the real-time link detection at the bottom of the page. Select the Detection Destination IP->Link or Link->Detection Destination IP tab to view the trend chart of latency and jitter. Click Trend Chart or Table to switch between the trend chart and the table.

5. Click End Detection to end the real-time link detection.

Link Configuration

In the link configuration page, you can configure the binding interface to monitor the link state
and can enable the application switch and link user experience.
To configure the link, take the following steps:

1. Click Monitor > Link Status Monitor > Link Configuration.

2. Click New.

In the Link Configuration page, configure these values.

Option Description

Binding Interface Select the interface in the drop-down menu.

Interface Description Type the description for the interface.

Application Click the Enable button. After enabling, you can see details of the specific applications on this interface.

Monitor Click the Enable button. After enabling, you can see traffic statistics for this interface.

3. Click OK.

Detection Destination

In the detection destination page, you can configure the destination IP address to monitor the
link state.
To configure the detection destination, take the following steps:

1. Click Monitor > Link Status Monitor > Detection Destination.

2. Click New.

In the Detection Destination Configuration page, configure these values.

Option Description

IP Type Select the IP address type: IPv4 or IPv6.

Detection Destination IP Specifies the IP address of the detection destination.

Protocol Specifies the protocol of the detection destination: TCP or ICMP.

Port Specifies the port number of the detection destination.

Interval Specifies the interval of the detection packets. The value range is 1 to 5 seconds; the default value is 1.

Description Type the description for the detection destination.

3. Click OK.
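The quantities that Link Status Monitor reports for a link (latency, packet loss rate and jitter, see the introduction to this section) and the Interval rule from the Detection Destination table above, worked through in Python as an added example that is not Hillstone's code. The guide does not state how StoneOS computes these figures, so the formulas used here are assumptions: latency is the mean RTT of the answered probes, loss rate is unanswered divided by sent, and jitter is the mean absolute difference between consecutive answered RTTs. The probe samples are constructed for the example.

```python
"""Link detection metrics over constructed probe samples (added example, not
StoneOS code). One detection run sends probes to a detection destination at
the configured interval (1 to 5 seconds, default 1, as the table states) and
the run is reduced to latency, packet loss rate and jitter. The guide does
not give the formulas, so these are assumptions: latency = mean RTT of the
answered probes, loss rate = unanswered / sent, jitter = mean absolute
difference between consecutive answered RTTs."""
from dataclasses import dataclass
from typing import List, Optional

INTERVAL_MIN_S, INTERVAL_MAX_S, INTERVAL_DEFAULT_S = 1, 5, 1


def detection_interval(value: Optional[int] = None) -> int:
    """Validate the detection packet interval (seconds); None selects the default."""
    if value is None:
        return INTERVAL_DEFAULT_S
    if not INTERVAL_MIN_S <= value <= INTERVAL_MAX_S:
        raise ValueError(f"interval must be {INTERVAL_MIN_S}..{INTERVAL_MAX_S} s, got {value}")
    return value


@dataclass
class LinkStats:
    sent: int
    received: int
    loss_rate: float             # 0.0 .. 1.0 (0.0 when nothing was sent)
    latency_ms: Optional[float]  # None when no probe was answered
    jitter_ms: Optional[float]   # None when fewer than two probes were answered


def summarize_probes(rtts_ms: List[Optional[float]]) -> LinkStats:
    """Reduce one detection run to LinkStats; None marks a probe that timed out."""
    sent = len(rtts_ms)
    answered = [r for r in rtts_ms if r is not None]
    received = len(answered)
    loss_rate = (sent - received) / sent if sent else 0.0
    latency = sum(answered) / received if received else None
    jitter = None
    if received >= 2:
        # Assumed jitter definition: mean |RTT[i+1] - RTT[i]| over answered probes.
        diffs = [abs(b - a) for a, b in zip(answered, answered[1:])]
        jitter = sum(diffs) / len(diffs)
    return LinkStats(sent, received, loss_rate, latency, jitter)


def run_duration_s(probe_count: int, interval_s: Optional[int] = None) -> int:
    """Seconds a run of probe_count detection packets occupies at the given interval."""
    return probe_count * detection_interval(interval_s)


# Constructed sample: six probes at a 1-second interval, one timed out (None)
# and one answered late (the 40 ms spike that drives the jitter figure).
SAMPLE_RTTS_MS: List[Optional[float]] = [12.0, 13.5, None, 12.5, 40.0, 12.0]

if __name__ == "__main__":
    s = summarize_probes(SAMPLE_RTTS_MS)
    print(f"sent={s.sent} received={s.received} loss={s.loss_rate:.1%} "
          f"latency={s.latency_ms} ms jitter={s.jitter_ms} ms over {run_duration_s(s.sent)} s")
```

Timed-out probes are excluded from the latency and jitter averages but counted in the loss rate; a run with no answered probe yields a loss rate of 1.0 and no latency or jitter figure, which is the case a dashboard should render as "link down" rather than as zero latency.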

IoT Monitor
The IoT Monitor function displays the distribution of manufacturers and types of network video monitoring devices, as well as detailed statistics such as device number, IP address, MAC address, upstream/downstream traffic, IoT profile and device status.

Summary

On the Summary page, you can obtain the real-time distribution of manufacturers and device
types.
Click Monitor > IoT Monitor > Summary.

l Click the refresh button to refresh the monitoring data.

l Hover your mouse over the bar chart to view the device number of different manufacturers
and different device types.

l Different manufacturers and devices are marked with different legend colors. When your mouse hovers over a legend, the corresponding part is highlighted on the bar chart.

Details

Click Monitor > IoT Monitor > Details to view the detailed information of the network video
monitoring devices.

l Click the filter button to add filter conditions; the required information is filtered out in the following list.

l Select the check box, and click Delete to delete the selected item.

l Select the check box, and click Check; the IoT Profile Configuration page pops up. You can modify the manufacturer, model, type and trust status manually. A manually changed configuration takes precedence over the automatically detected result. When the device logs in again, the manually changed configuration is cleared.

l Select the check box and click Add to Admittance List to add the selected item to the target
admittance list template. For the detailed steps, refer to Adding to Admittance List.

l For the icons in the Terminal list, a gray icon means that the device is offline and a blue icon means that the device is online. When you hover the mouse over an icon, you can also view the online status of the device. The icons represent the following devices:

l The network video monitoring devices of other manufacturers.

l The IPC device.

l The NVR device.

l Null: The item has not been identified.

User Quota Monitor

After the "Traffic Quota" on Page 925 function is configured, the User Quota Monitor page displays the user traffic quota statistics list, including each user's daily/monthly quota, daily/monthly used traffic value, user group, and the corresponding traffic quota rule name.

l Type the user name into the User Name text box to filter the user traffic quota statistics for
the specified name.

l Click the corresponding icon in the Clear/Reset column of the list to clear the selected user's daily used traffic.

l Click the corresponding icon in the Clear/Reset column of the list to clear the selected user's monthly used traffic.

l Click the corresponding icon in the Clear/Reset column of the list to reset all used traffic for the selected user.

l Click Clear All Used Traffic to clear all used traffic of all users in the list.

Application Block
If the system is configured with "Security Policy" on Page 788, the application block can gather statistics on the applications and users/IPs.
If IPv6 is enabled, the system monitors both IPv4 and IPv6 addresses.

Summary

The summary displays the application block's statistics on the top 10 applications and the top 10 users/IPs. Click Monitor > Application Block > Summary.

l Select a different Statistical Period to view the statistical information in that period of time.

l Hover your mouse over a bar to view the block count of the applications and users/IPs.

l Click the chart icon to switch between the bar chart and the pie chart.

l Click the close icon to close the chart.

l Click the icon at the top-right corner of every table to enter the corresponding details page.

Application

Click Monitor>Application Block> Application.

l The applications and detailed block count are displayed in the list.

l To view the corresponding information of application block on the applications and user/IPs,
select the application entry in the list, and click "+".

l Statistics: Displays the block count statistics of the selected application, including the
real-time statistics and statistics for the latest 1 hour, 24 hours and 30 days.

l User/IP: Displays the users/IPs that are blocked from the selected application. Click a user/IP in the list to display the corresponding block count statistics in the curve chart below. Click the icon to jump to the corresponding user/IP page.

l Click the filter icon to select the condition in the drop-down list. You can search the application block information by entering a keyword of the application name.

l Click the refresh icon to refresh the real-time data in the list.

User/IP

Click Monitor>Application Block> User/IP.

l The user/IP and detailed block count are displayed in the list.

l Click a user/IP in the list to display the corresponding block count statistics in the curve chart below. Click the icon to jump to the corresponding user/IP page.

l Click the filter icon to select the condition in the drop-down list. You can search the users/IPs information.

Statistical Period

The system supports predefined and custom time cycles. Click the time button on the top right corner of each tab to set the time cycle.

l Real-time: Displays the current statistical information.

l Last Hour: Displays the statistical information within the latest 1 hour.

l Last Day: Displays the statistical information within the latest 1 day.

l Last Month: Displays the statistical information within the latest 1 month.

Keyword Block
This feature may not be available on all platforms. Check the actual page of your system to see whether your device provides this feature.
If the system is configured with "File Content Filter" on Page 725, "Web Content" on Page 730, "Email Filter" on Page 742, or "Web Posting" on Page 736, the predefined stat-set of the Keyword Block can gather statistics on file content keywords, Web keywords, email keywords, posting keywords and users/IPs.

Summary

The summary displays the predefined stat-set of the Keyword Block, which gathers statistics on the top 10 blocked file content keywords, the top 10 blocked Web keywords, the top 10 blocked email keywords, the top 10 posting keywords, and the top 10 users/IPs. Click Monitor > Keyword Block > Summary.

l Select a different Statistical Period to view the statistical information in that period of time.

l Hover your mouse over a bar to view the block count of the keywords.

l Click the icon at the top-right corner of every table to enter the corresponding details page.

l Click the chart icon to switch between the bar chart and the pie chart.

File Content

Click Monitor > Keyword Block > File Content.

For a page description, see Web Content.

Web Content

Click Monitor>Keyword Block> Web Content.

l The Web content and detailed block count are displayed in the list below.

l To view the corresponding information of keyword block on the Web content, select the
keyword entry in the list.

l Statistics: Displays the statistics of the selected keyword, including the real-time statistics and the statistics for the latest 1 hour, 24 hours and 30 days.

l User/IP: Displays the users/IPs that are blocked by the selected keyword. Click a user/IP in the list to display the corresponding block count statistics in the curve chart below. Click the icon to jump to the corresponding user/IP page.

l Click the filter icon to select the condition in the drop-down list. You can search the keyword block information by entering the keyword.

l Click the refresh icon to refresh the real-time data in the list.

Email Content

Click Monitor > Keyword Block > Email Content.

For a page description, see Web Content.

Web Posting

Click Monitor > Keyword Block > Web Posting.

For a page description, see Web Content.

User/IP

Click Monitor>Keyword Block>User/IP.

l The user/IP and detailed block count are displayed in the list below.

l Click a user/IP in the list to display the corresponding Statistics, Web Content, Email Content and Web Posting in the curve chart below. Click the icon to jump to the corresponding detail page.

l Click the filter icon to select the condition in the drop-down list. You can search the users/IPs information.

Statistical Period

The system supports predefined and custom time cycles. Click the time button on the top right corner of each tab to set the time cycle.

l Real-time: Displays the current statistical information.

l Last Hour: Displays the statistical information within the latest 1 hour.

l Last Day: Displays the statistical information within the latest 1 day.

l Last Month: Displays the statistical information within the latest 1 month.

Authentication User
If the system is configured with "Web Authentication" on Page 329, "Single Sign-On" on Page 342, "SSL VPN" on Page 445 or "L2TP VPN" on Page 541, the authentication user page can gather statistics on the authenticated users. The "IP/MAC" column displays the IPv6 address of the authenticated users only when the system version is the IPv6 version.
Click Monitor > Authenticated User.

l Click the filter icon to select the condition in the drop-down list to filter the users.

l Click Kick Out under the Operation column to kick the user out.

l Click the refresh icon to refresh the real-time data in the list.

User-defined Monitor
This feature may not be available on all platforms. Check the actual page of your system to see whether your device provides this feature.
A user-defined stat-set provides a more flexible way to view statistics: you view the statistics you need, and the statistical data varies with the data types you select.
If IPv6 is enabled, the system monitors both IPv4 and IPv6 addresses.

The IP type-based statistical information table.

For a stat-set grouped by IP, the statistics gathered for the Traffic, Session and Ramp-up rate data types depend on the selected direction and condition, as listed below. The URL hit count, keyword block count and application block count data types gather statistics on the URL hit count, keyword block count and application block count of the specified IPs.

Direction: No direction

l Initiator: Traffic: statistics on the traffic of the initiator's IP. Session: statistics on the session number of the initiator's IP. Ramp-up rate: statistics on the new sessions of the initiator's IP.

l Responder: Traffic: statistics on the traffic of the responder's IP. Session: statistics on the session number of the responder's IP. Ramp-up rate: statistics on the new sessions of the responder's IP.

l Belong to zone: Traffic: statistics on the traffic of an IP that belongs to a specific security zone. Session: statistics on the session number of an IP that belongs to a specific security zone. Ramp-up rate: statistics on the new sessions of an IP that belongs to a specific security zone.

l Not belong to zone: Traffic: statistics on the traffic of an IP that does not belong to a specific security zone. Session: statistics on the session number of an IP that does not belong to a specific security zone. Ramp-up rate: statistics on the new sessions of an IP that does not belong to a specific security zone.

l Belong to interface: Traffic: statistics on the traffic of an IP that belongs to a specific interface. Session: statistics on the session number of an IP that belongs to a specific interface. Ramp-up rate: statistics on the new sessions of an IP that belongs to a specific interface.

l Not belong to interface: Traffic: statistics on the traffic of an IP that does not belong to a specific interface. Session: statistics on the session number of an IP that does not belong to a specific interface. Ramp-up rate: statistics on the new sessions of an IP that does not belong to a specific interface.

Direction: Bi-directional

l Initiator: Traffic: statistics on the inbound and outbound traffic of the initiator's IP. Session: statistics on the number of received and sent sessions of the initiator's IP. Ramp-up rate: statistics on the new received and sent sessions of the initiator's IP.

l Responder: Traffic: statistics on the inbound and outbound traffic of the responder's IP. Session: statistics on the number of received and sent sessions of the responder's IP. Ramp-up rate: statistics on the new received and sent sessions of the responder's IP.

l Belong to zone: Traffic: statistics on the inbound and outbound traffic of an IP that belongs to a specific security zone. Session: statistics on the number of received and sent sessions of an IP that belongs to a specific security zone. Ramp-up rate: statistics on the new received and sent sessions of an IP that belongs to a specific security zone.

l Not belong to zone: Traffic: statistics on the inbound and outbound traffic of an IP that does not belong to a specific security zone. Session: statistics on the number of received and sent sessions of an IP that does not belong to a specific security zone. Ramp-up rate: statistics on the new received and sent sessions of an IP that does not belong to a specific security zone.

l Belong to interface: Traffic: statistics on the inbound and outbound traffic of an IP that belongs to a specific interface. Session: statistics on the number of received and sent sessions of an IP that belongs to a specific interface. Ramp-up rate: statistics on the new received and sent sessions of an IP that belongs to a specific interface.

l Not belong to interface: Traffic: statistics on the inbound and outbound traffic of an IP that does not belong to a specific interface. Session: statistics on the number of received and sent sessions of an IP that does not belong to a specific interface. Ramp-up rate: statistics on the new received and sent sessions of an IP that does not belong to a specific interface.

The interface, zone, user, application, URL, URL category and VSYS type-based statistical information table.

l Group by Zone: URL hit count: statistics on the URL hit count of the specified security zones. Keyword block count: N/A. Application block count: N/A.

l No direction: Traffic: statistics on the traffic of the specified security zones. Session: statistics on the session number of the specified security zones. Ramp-up rate: statistics on the new sessions of the specified security zones.

l Bi-directional: Traffic: statistics on the inbound and outbound traffic of the specified security zones. Session: statistics on the number of received and sent sessions of the specified security zones. Ramp-up rate: statistics on the new received and sent sessions of the specified security zones.

l Group by Interface: URL hit count: statistics on the URL hit count of the specified interfaces. Keyword block count: N/A. Application block count: N/A.

l No direction: Traffic: statistics on the traffic of the specified interfaces. Session: statistics on the session number of the specified interfaces. Ramp-up rate: statistics on the new sessions of the specified interfaces.

l Bi-directional: Traffic: statistics on the inbound and outbound traffic of the specified interfaces. Session: statistics on the number of received and sent sessions of the specified interfaces. Ramp-up rate: statistics on the new received and sent sessions of the specified interfaces.

l Group by Application (Direction: N/A): Traffic: statistics on the traffic of the specified applications. Session: statistics on the session number of the specified applications. Ramp-up rate: statistics on the new sessions of the specified applications. URL hit count: N/A. Keyword block count: N/A. Application block count: statistics on the block count of the specified applications.

l Group by User: Session: statistics on the session number of the specified users. Ramp-up rate: statistics on the new sessions of the specified users. URL hit count: statistics on the URL hit count of the specified users. Keyword block count: statistics on the keyword block count of the specified users. Application block count: statistics on the application block count of the specified users.

l No direction: Traffic: statistics on the traffic of the specified users.

l Bi-directional: Traffic: statistics on the inbound and outbound traffic of the specified users.

l Group by URL (Direction: N/A): Traffic: N/A. Session: N/A. Ramp-up rate: N/A. URL hit count: statistics on the hit count of the specified URLs. Keyword block count: N/A. Application block count: N/A.

l Group by URL Category (Direction: N/A): Traffic: N/A. Session: N/A. Ramp-up rate: N/A. URL hit count: statistics on the hit count of the specified URL categories. Keyword block count: N/A. Application block count: N/A.

l Group by VSYS (Direction: N/A): Traffic: statistics on the traffic of the specified VSYSs. Session: statistics on the session number of the specified VSYSs. Ramp-up rate: statistics on the new sessions of the specified VSYSs. URL hit count: statistics on the URL hit count of the specified VSYSs. Keyword block count: N/A. Application block count: N/A.

You can configure filtering conditions for a stat-set to gather statistics under the specified conditions, such as statistics on the session number of a specified security zone, or the traffic of a specified IP. The system supports up to 32 filters for each stat-set, among which the number of filters of each of the user, user group and role types cannot exceed 8. If multiple filters configured for the same stat-set belong to the same type, the logical relationship among these conditions is OR; if they belong to different types, the logical relationship among these conditions is AND.

The filtering conditions supported table.


Type                                 Description
filter zone                          Data is filtered by security zone.
filter zone zone-name ingress        Data is filtered by ingress security zone.
filter zone zone-name egress         Data is filtered by egress security zone.
filter interface                     Data is filtered by interface.
filter interface if-name ingress     Data is filtered by ingress interface.
filter interface if-name egress      Data is filtered by egress interface.
filter application                   Data is filtered by application.
filter ip                            Data is filtered by address entry.
filter ip add-entry source           Data is filtered by source address (address entry).
filter ip add-entry destination      Data is filtered by destination address (address entry).
filter ip A.B.C.D/M                  Data is filtered by IP.
filter ip A.B.C.D/M source           Data is filtered by source IP.
filter ip A.B.C.D/M destination      Data is filtered by destination IP.
filter user                          Data is filtered by user.
filter user-group                    Data is filtered by user group.
filter role                          Data is filtered by user role.
filter service                       Data is filtered by service.
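How the filter rules above combine, as an added example that is not part of the guide or of StoneOS itself: a small Python model that enforces the 32-filter and 8-per-identity-type limits and evaluates filters with OR inside one type and AND across types against constructed session records. The record field names (src_zone, in_if, groups and so on), the filter value spellings and all sample sessions are assumptions made for the example.

```python
"""Added example (not StoneOS code): a model of how stat-set filters combine
(OR within one filter type, AND across types) and of the documented limits
(32 filters per stat-set, at most 8 each of the user, user-group and role
types).  Session records and filter values are constructed sample data."""
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

MAX_FILTERS_PER_STATSET = 32   # "up to 32 filters for each stat-set"
MAX_PER_IDENTITY_TYPE = 8      # user, user group and role filters: at most 8 of each
IDENTITY_TYPES = {"user", "user-group", "role"}


@dataclass(frozen=True)
class Filter:
    ftype: str             # zone, interface, application, ip, user, user-group, role, service
    value: str             # zone/interface name, application, CIDR, user, group, role or service
    direction: str = ""    # "ingress"/"egress" (zone, interface) or "source"/"destination" (ip)


@dataclass
class StatSet:
    name: str
    filters: list = field(default_factory=list)

    def add_filter(self, flt: Filter) -> None:
        """Reject a filter that would exceed the documented limits."""
        if len(self.filters) >= MAX_FILTERS_PER_STATSET:
            raise ValueError(f"{self.name}: at most {MAX_FILTERS_PER_STATSET} filters per stat-set")
        per_type = Counter(f.ftype for f in self.filters)
        if flt.ftype in IDENTITY_TYPES and per_type[flt.ftype] >= MAX_PER_IDENTITY_TYPE:
            raise ValueError(f"{self.name}: at most {MAX_PER_IDENTITY_TYPE} '{flt.ftype}' filters")
        self.filters.append(flt)

    def matches(self, session: dict) -> bool:
        """OR among filters of the same type, AND across different types."""
        groups = {}
        for f in self.filters:
            groups.setdefault(f.ftype, []).append(f)
        return all(any(_hits(f, session) for f in same_type) for same_type in groups.values())


def _hits(f: Filter, s: dict) -> bool:
    """Evaluate one filter against one constructed session record."""
    if f.ftype == "zone":
        candidates = {"ingress": [s["src_zone"]], "egress": [s["dst_zone"]]}
        return f.value in candidates.get(f.direction, [s["src_zone"], s["dst_zone"]])
    if f.ftype == "interface":
        candidates = {"ingress": [s["in_if"]], "egress": [s["out_if"]]}
        return f.value in candidates.get(f.direction, [s["in_if"], s["out_if"]])
    if f.ftype == "ip":   # "filter ip A.B.C.D/M [source|destination]"
        net = ip_network(f.value, strict=False)
        candidates = {"source": [s["src_ip"]], "destination": [s["dst_ip"]]}
        return any(ip_address(a) in net for a in candidates.get(f.direction, [s["src_ip"], s["dst_ip"]]))
    if f.ftype == "user-group":
        return f.value in s.get("groups", ())
    return s.get(f.ftype) == f.value   # application, user, role, service


# Constructed sample sessions (not device output).
SAMPLE_SESSIONS = [
    {"src_zone": "trust", "dst_zone": "untrust", "in_if": "ethernet0/1", "out_if": "ethernet0/0",
     "src_ip": "10.1.1.5", "dst_ip": "203.0.113.10", "user": "alice", "groups": ["staff"],
     "role": "employee", "application": "HTTP", "service": "TCP/80"},
    {"src_zone": "trust", "dst_zone": "dmz", "in_if": "ethernet0/1", "out_if": "ethernet0/2",
     "src_ip": "10.1.1.9", "dst_ip": "192.0.2.20", "user": "bob", "groups": ["staff", "admins"],
     "role": "employee", "application": "SSH", "service": "TCP/22"},
    {"src_zone": "untrust", "dst_zone": "dmz", "in_if": "ethernet0/0", "out_if": "ethernet0/2",
     "src_ip": "198.51.100.7", "dst_ip": "192.0.2.20", "user": "", "groups": [],
     "role": "", "application": "HTTP", "service": "TCP/80"},
]


def build_statset() -> StatSet:
    """Sessions entering from zone 'trust' AND using HTTP or SSH (two application filters: OR)."""
    ss = StatSet("trust-web-and-ssh")
    ss.add_filter(Filter("zone", "trust", "ingress"))
    ss.add_filter(Filter("application", "HTTP"))
    ss.add_filter(Filter("application", "SSH"))
    return ss


def count_matching(ss: StatSet, sessions=SAMPLE_SESSIONS) -> int:
    return sum(1 for s in sessions if ss.matches(s))


def identity_limit_enforced() -> bool:
    """True if a ninth role filter is rejected while a user filter is still accepted."""
    ss = StatSet("limits")
    for i in range(MAX_PER_IDENTITY_TYPE):
        ss.add_filter(Filter("role", f"role{i}"))
    try:
        ss.add_filter(Filter("role", "one-too-many"))
        return False
    except ValueError:
        pass
    ss.add_filter(Filter("user", "alice"))   # a different type keeps its own counter
    return len(ss.filters) == MAX_PER_IDENTITY_TYPE + 1


if __name__ == "__main__":
    print(count_matching(build_statset()), identity_limit_enforced())
```

Adding a second application filter widens the match (OR), while adding a filter of a new type such as a source IP or a user narrows it (AND); that is the behaviour to keep in mind when a stat-set returns more or fewer sessions than expected.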

Click Monitor>User-defined Monitor.

l Click New. For more information, see Creating a User-defined Stat-set.

l Click the user-defined stat-set name link. For more information, see Viewing User-defined Stat-set Statistics.

Creating a User-defined Stat-set

To create a user-defined stat-set, take the following steps:

1. Click Monitor>User Defined Monitor.

2. Click New.

In the User-defined Monitor Configuration page, modify the options according to your needs.

Option                   Description
Name                     Type the name for the stat-set into the Name box.
Data Type                Select an appropriate data type from the Data type list.
Group by                 Select an appropriate grouping method from the Group by list.
Root vsys only           If you only want to perform the data statistics for the root VSYS, click the Enable button. This button only takes effect when the data type is Traffic, Session, Ramp-up rate, or URL hit. If the data grouping method is configured to VSYS, this button is unavailable.
Advanced Configuration   To configure a filtering condition, expand Advanced Configuration. In the Advanced Configuration page, select a filter condition from the Type drop-down list. For more details about this option, see the table of supported filtering conditions above.

3. Click OK to save your settings. The configured stat-set will be displayed.

Notes: Pay attention to the following when configuring a stat-set.

l The URL hit statistics are only available to users who have a URL license.

l If the Data type is Traffic, Session, Ramp-up rate, Virus attack count, Intru-
sion count or URL hit count, then the Filter should not be Attack log.

l If the Data type is URL hit count, then the Filter should not be Service.

l System will hide unavailable options automatically.

Viewing User-defined Monitor Statistics

Click the user-defined stat-set name link, and then select the stat-set you want to view.

l Displays the top 10 statistical results from multiple aspects in the form of bar charts.

l View historical statistics for a specific period by selecting it from the statistic period drop-down list.

l Click All Data to view all the statistical results from multiple aspects in the form of lists and trend charts. Click TOP 10 to return to the bar charts.

Reporting
This feature may not be available on all platforms. Check the actual page of your system to see whether your device provides this feature.
The system provides rich and vivid reports that allow you to analyze network risk, network access and device status comprehensively, using all-around and multi-dimensional statistics and charts.
You can configure report tasks in "Report Template" on Page 1147 and "Report Task" on Page 1153, and view generated report files in "Report File" on Page 1145.
Related Topics:

l "Report File" on Page 1145

l "Report Template" on Page 1147

l "Report Task" on Page 1153

Report File
Go to Monitor > Reports > Report File and the report file page shows all of the generated report
files.

l Sort report files by different conditions: Select Group by Time, Group by Task or Group by
Status from the drop-down list, and then select a time, task or status from the selective table,
and the related report files will be shown in the report file table.

l The bold black entry indicates that the report file status is "unread".

l Click Delete to delete the selected report files.

l Click Export, and the browser launches its default download tool and downloads the selected report file.

l Click Mark as Read to modify the status of the selected report files.

l Click the filter icon and select a condition from the drop-down list to search for specific report files based on that filter condition.

l In the File Type column, click the icon of the report file to preview the report file. Not all
platforms support this function.

l Hover your mouse over the Send Object column, and the system will prompt the Email
addresses or FTP information about sending.

Notes: If your browser has enabled "Blocking pop-up windows", you will not see
the generated file. Make sure to set your browser "Always allow pop-up windows",
or you can go to your blocked window history to find the report file.

Report Template
Report templates define all the contents of the report files. To generate a report file, you need to configure the report template first.
Report templates are classified into predefined and user-defined templates, providing a variety of pre-categorized report items.

l Predefined Template: Predefined templates are built in system. By default, different report
items have been selected for each predefined template category. The predefined template can-
not be edited or deleted. The predefined template categories are as follows:

Category                                    Description
Global Network and Risk Assessment Report   Statistics of the global network and risk status, covering the overview, network and application traffic, network threats and host details.
Network and Application Traffic Report      Statistics of the current network situation, covering the network traffic, application traffic and URL hits.
Network Threat Report                       Statistics of the threats in the current network, covering the threat trend, external attackers and threat categories.

l User-defined Template: The report template created as needed. You can select the report
items. Up to 32 user-defined templates can be created.

Creating a User-defined Template

To create a user-defined template, take the following steps:

1. Click Monitor > Reports > Template.

2. Click New.

In the Report Template Configuration page, configure the following values.

Option        Description
Name          Specifies the name of the report template.
Content       Select the check box of each report item as needed. By default, all report items are selected. The report items are described as follows:

              l Network and Security Risk Summary: Statistics giving a comprehensive and overall assessment of the health status and security risks of the entire network.

              l Network Traffic Details: Statistics of network traffic, helping you better understand bandwidth usage, traffic destinations and management.

              l Application Statistics and Risk Details: Statistics of the traffic of all applications on the device, showing the usage of the main service applications in the intranet. Click the TOP drop-down list to specify the number of applications whose traffic is counted for ranking: TOP5, TOP10, TOP20 or TOP50.

              l URL Activity and Risk Details: Statistics of device URL access trends and rankings.

              l Network Threat Details: Statistics of the threat events detected by the device, the distribution of external attacks, etc., so that you know the network threats and risks existing in the current network.

              l Threat Description: Displays the detailed description of each threat, helping you understand the threat information.

Description   Specifies the description of the report template.

3. Click OK to complete user-defined template configurations.

Editing a User-defined Template

To edit a user-defined report template, take the following steps:

1. Click Monitor > Reports > Template.

2. In the templates list, select the user-defined report template entry that needs to be edited.

3. Click Edit.

4. Click OK to save the settings.

Deleting a User-defined Template

To delete a user-defined report template, take the following steps:

1. Click Monitor > Reports > Template.

2. In the templates list, select the user-defined report template entry that needs to be deleted.

3. Click Delete.

Cloning a Report Template

System supports the rapid clone of a report template. You can clone and generate a new report
template by modifying some parameters of one current report template.
To clone a report template, take the following steps:

1. Click Monitor > Reports > Template.

2. In the templates list, select a report template that needs to be cloned.

3. Click the Clone button above the list, and in the Report Template Configuration page, enter the name of the newly cloned report template into the Name box.

4. The cloned report template will be generated in the list.

Report Task
The report task is the schedule related to report file. It defines the report template, generation
period, generation time, and the output method of report files.
You can configure report tasks and generate report files on the device according to your needs.

Creating a Report Task

To create a report task, take the following steps:

1. Select Monitor > Reports > Report Task.

2. Click New.
In this page, configure the values of report task.

Option        Description
Name          Specifies the name of the report task.
Description   Specifies the description of the report task. You can modify it according to your requirements.

Expand Report Template, select the report template you want to use for the report task.

Option            Description
Report Template   Specifies the report template to be used by the report task:

                  1. Select the report template (a predefined report template or a created user-defined report template) from the Report Template list on the left.

                  2. When a report template is selected, the selected report template list on the right shows the description of the template and the details of its report items.

                  You can also click the New or Edit button in the Report Template list on the left to open the Report Template Configuration page and create or edit a user-defined report template quickly.

Expand Threat Data Range

Option        Description
Threat Type   Specifies the type of threat for which report statistics are generated.
Severity      Specifies the threat level for which report statistics are generated. The threat level can be Critical, High, Medium, or Low.
Zone          Specifies the security zone of the report statistics.
Interface     Specifies the interface of the report statistics.
IP            Specifies the IP address range of the report statistics:

              1. Click the IP drop-down list.

              2. Select the IP address type, IPv4/mask or IPv4 range, from the Type drop-down list in the pop-up dialog box.

              3. Enter the required address of the selected address type.

              4. Click Add to add the address to the right pane.

              5. After adding the desired addresses, click Close to complete the configuration.

              6. If you need to delete an added address, select it in the right pane and click the delete icon.

Notes: This configuration item is supported only by devices with hard disks.

Expand Schedule, configure the running time of the report task.

Option     Description
Schedule   The schedule specifies the running time of the report task. The report task can be run periodically or run immediately.

           Periodic: Generates report files as planned.

           l Schedule: Specifies the statistical period.

           l Generate At: Specifies the generation time.

           Generate Now: Generates report files immediately.

           l Type: Generates the report file based on the data in the specified statistical period.

Expand Output, configure the output mode information of the report.

Option         Description
File Format    Specifies the output format of the report file: PDF, HTML or WORD.
Recipient      Sends the report file via email. To add recipients, enter the email addresses into the recipient text box (use ";" to separate multiple email addresses; up to 5 recipients can be configured).
Send via FTP   Click the Enable button to send the report file to a specified FTP server.

               l Server Name/IP: Specifies the FTP server name or IP address.

               l Virtual Router: Specifies the virtual router of the FTP server.

               l Username: Specifies the username used to log on to the FTP server.

               l Password: Enter the password of the FTP username.

               l Anonymous: Select the check box to log on to the FTP server anonymously.

               l Path: Specifies the location where the report file will be saved.

3. Click OK to complete report task configuration.

Editing the Report Task

To edit the report task, take the following steps:

1. Select Monitor > Reports > Report Task.

2. In the report task list, select the report task entry that needs to be edited.

3. Click the Edit button on the top to open the Report Task Configuration page to edit the
selected report task.

4. Click OK to save the settings.

Deleting the Report Task

To delete the report task, take the following steps:

1. Select Monitor > Reports > Report Task.

2. In the report task list, select the report task entry that needs to be deleted.

3. Click the Delete button on the top to delete the selected report task.

Enabling/Disabling the Report Task

To enable or disable the report task, take the following steps:

1. Select Monitor > Reports > Report Task.

2. Select the task, and click the Enable or Disable button on the top.
By default, the user-defined task is enabled.

Logging
Logging is a feature that records various kinds of system logs, including device log, threat log, ses-
sion log, NAT log, Content filter log, File filter log, share access logs, and URL logs.

l Device log

l Event - includes 8 severity levels: debugging, information, notification, warning, error, critical, alert, emergency.

l Network - logs about network services, like PPPoE and DDNS.

l Configuration - logs about configuration on the command line interface, e.g. interface IP address setting.

l Threat - logs related to behaviors threatening the protected system, e.g. attack defense and
application security.

l Session - Session logs, e.g. session protocols, source and destination IP addresses and ports.

l NAT - NAT logs, including NAT type, source and destination IP addresses and ports.

l EPP - logs related with end point protection function.

l File Filter - logs related with file filter function.

l Content filter logs - logs related to the content filter function, e.g. Web content filter, Web posting, Email filter and HTTP/FTP control.

l Network behavior record logs - logs related to the network behavior record function, e.g. IM behavior, etc.

l URL - logs about network surfing, e.g. Internet visiting time, web page visiting history, and URL filtering logs.

l PBR - logs about policy-based route.

l CloudSandBox - logs about sandbox.

l Share Access Logs - logs about share access rule.

The system logs the running status of the device, thus providing information for analysis and evidence.

Log Severity
Event logs are categorized into eight severity levels.

Severity        Level   Description                                                                              Log Definition
Emergencies     0       Identifies illegitimate system events.                                                   LOG_EMERG
Alerts          1       Identifies problems which need immediate attention, such as the device being attacked.   LOG_ALERT
Critical        2       Identifies urgent problems, such as hardware failure.                                    LOG_CRIT
Errors          3       Generates messages for system errors.                                                    LOG_ERR
Warnings        4       Generates messages for warnings.                                                         LOG_WARNING
Notifications   5       Generates messages for notice and special attention.                                     LOG_NOTICE
Informational   6       Generates informational messages.                                                        LOG_INFO
Debugging       7       Generates all debugging messages, including daily operation messages.                    LOG_DEBUG

Destination of Exported Logs


Log messages can be sent to the following destinations:

l Console - The default output destination. You can close this destination via CLI.

l Remote - Includes Telnet and SSH.

l Buffer - Memory buffer.

l File - By default, the logs are sent to the specified USB destination in the form of a file.

l Syslog Server - Sends logs to UNIX or Windows Syslog Server.

l Email - Sends logs to a specified email account.

l Local database - Sends logs to the local database of the device.

Log Format
To facilitate access to and analysis of the system logs, StoneOS logs follow a fixed layout: date/time, severity level@module: description. See the example below:
2000-02-05 01:51:21, WARNING@LOGIN: Admin user "admin" logged in through console from localhost.
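A parser for the layout above, added here as an example (not code from the guide or from Hillstone): it splits a line into its date/time, severity, module and description, maps the severity token to the 0-7 level of the Log Severity table, and applies a lowest-severity threshold of the kind that is configured per destination under Managing Logs. Only the WARNING@LOGIN line is taken from the guide; the other sample lines, the severity spellings other than WARNING, and the admin-login message pattern are constructed assumptions.

```python
"""Added example (not StoneOS code): parse log lines in the documented layout
"date/time, SEVERITY@MODULE: description", map the severity token to the
0-7 level from the Log Severity table, and apply a lowest-severity threshold.
Only the WARNING@LOGIN line is taken from the guide; the other lines and the
severity spellings besides WARNING are constructed assumptions."""
import re
from datetime import datetime

# Level 0-7 per the Log Severity table; the keys are the spellings this parser
# accepts (the table's names plus common short tokens, an assumption).
SEVERITY_LEVELS = {
    "EMERGENCIES": 0, "EMERGENCY": 0, "EMERG": 0,
    "ALERTS": 1, "ALERT": 1,
    "CRITICAL": 2, "CRIT": 2,
    "ERRORS": 3, "ERROR": 3, "ERR": 3,
    "WARNINGS": 4, "WARNING": 4,
    "NOTIFICATIONS": 5, "NOTIFICATION": 5, "NOTICE": 5,
    "INFORMATIONAL": 6, "INFO": 6,
    "DEBUGGING": 7, "DEBUG": 7,
}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), "
    r"(?P<severity>[A-Z]+)@(?P<module>[A-Za-z0-9_-]+): (?P<message>.*)$"
)


def parse_log_line(line: str):
    """Return a dict for a well-formed line, or None for anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m or m["severity"] not in SEVERITY_LEVELS:
        return None
    return {
        "time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "severity": m["severity"],
        "level": SEVERITY_LEVELS[m["severity"]],
        "module": m["module"],
        "message": m["message"],
    }


def filter_by_lowest_severity(lines, lowest: str):
    """Keep entries at or above the threshold.  A numerically higher level is less
    severe, so 'Lowest Severity = NOTICE' keeps levels 0..5 and drops INFO and DEBUG."""
    threshold = SEVERITY_LEVELS[lowest.upper()]
    entries = (parse_log_line(ln) for ln in lines)
    return [e for e in entries if e is not None and e["level"] <= threshold]


# Constructed message pattern for administrative logins (the guide shows one such line).
ADMIN_LOGIN_RE = re.compile(
    r'Admin user "(?P<user>[^"]+)" logged in through (?P<via>\S+) from (?P<src>\S+)'
)


def admin_logins(entries):
    """Pull (user, access method, source) out of LOGIN module messages: a small
    audit view of who administered the device and from where."""
    out = []
    for e in entries:
        if e["module"] != "LOGIN":
            continue
        m = ADMIN_LOGIN_RE.search(e["message"])
        if m:
            out.append((m["user"], m["via"], m["src"].rstrip(".")))
    return out


# Constructed sample: the first line is the guide's own example, the rest are made up.
SAMPLE_LINES = [
    '2000-02-05 01:51:21, WARNING@LOGIN: Admin user "admin" logged in through console from localhost.',
    '2000-02-05 01:52:03, INFO@LOGIN: Admin user "admin" logged out from console.',
    '2000-02-05 02:10:44, WARNING@LOGIN: Admin user "auditor" logged in through ssh from 192.0.2.15.',
    '2000-02-05 02:11:00, CRITICAL@SYSTEM: Fan 1 failed.',
    '2000-02-05 02:11:01, DEBUG@CONFIG: Configuration sync started.',
    'this line does not follow the layout and is skipped',
]

if __name__ == "__main__":
    kept = filter_by_lowest_severity(SAMPLE_LINES, "notice")
    print(len(kept), admin_logins(kept))
```

Because the threshold is a level number rather than a name, the same function works for the Lowest Severity setting of any destination; a line whose severity token is unknown is returned as None rather than silently assigned a level, so an unexpected spelling shows up as a parse miss instead of a wrongly filtered entry.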

Event Log
This feature may vary slightly on different platforms. Please see the actual page of the feature that
your device delivers.
To view event logs, select Monitor > Log > Event Log.
In this page, you can perform the following actions:

l Filter: Click Filter to add conditions to show logs that match your filter.

l Configure: Click to jump to the configuration page.

l Export: Click to export the displayed logs as a TXT or CSV file.

Network Log
This feature may vary slightly on different platforms. Please see the actual page of the feature that
your device delivers.
To view network logs, select Monitor > Log > Network Log.
In this page, you can perform the following actions:

l Filter: Click to add conditions to show logs that match your filter.

l Configure: Click to jump to the configuration page.

l Export: Click to export the displayed logs as a TXT file.

Configuration Log
This feature may vary slightly on different platforms. Please see the actual page of the feature that
your device delivers.
To view configuration logs, select Monitor > Log > Configuration Log.
In this page, you can perform the following actions:

l Filter: Click to add conditions to show logs that match your filter.

l Configuration: Click to jump to the configuration page.

l Export: Click to export the displayed logs as a TXT or CSV file.

Share Access Logs
To view share access logs, select Monitor > Log > Share Access Log.
In this page, you can perform the following actions:

l Configuration: Click to jump to the Log Management page.

l Export: Click to export the displayed logs as a TXT file.

l Add to My Log: Click to add the current filtered results to MyLog list.

l Filter: Click to add conditions to show logs that match your filter.

Threat Log
This feature may vary slightly on different platforms. Please see the actual page of the feature that
your device delivers.
Threat logs can be generated under the conditions that:

l Threat logging in the Logging feature is enabled. Refer to "Log Configuration" on Page 1179.

l You have enabled one or more of the following features: "Intrusion Prevention System" on Page 962, "Attack-Defense" on Page 1021 or "Perimeter Traffic Filtering" on Page 1042.

To view threat logs, select Monitor > Log > Threat Log.
In this page, you can perform the following actions:

l Configure: Click to jump to the configuration page.

l Export: Click to export the displayed logs as a TXT or CSV file.

l Filter: Click to add conditions to show logs that match your filter. You can enter an IPv4 or IPv6 address if the filter condition is set to source or destination IP.

l View the details of the selected log in the Log Details tab. In the Log Details tab, you can click "View Pcap", "Download", "Add Whitelist" or "Disable Signatures" to quickly link to the relevant page.

Session Log
Session logs can be generated under the conditions that:

l Session logging in the Logging feature is enabled. Refer to "Log Configuration" on Page 1179.

l The logging function has been enabled for policy rules. Refer to "Security Policy" on Page
788.

To view session logs, select Monitor > Log > Session log.

Notes:
l For ICMP session logs, the system only records the ICMP type value and its code value. Because ICMP types 3, 4, 5, 11 and 12 are generated by other communications and are not a complete ICMP session, the system does not record such packets.

l For TCP and UDP session logs, the system checks the packet length first. If the packet length is 20 bytes (i.e., an IP header with no payload), it is treated as a malformed packet and dropped; if a packet is over 20 bytes but has errors, the system drops it as well. Such abnormal TCP and UDP packets are therefore not recorded.

PBR Log
This feature may not be available on all platforms. Check the actual page of your system to see whether your device provides this feature.

PBR logs can be generated under the conditions that:

l PBR logging in the Logging feature is enabled. Refer to "Log Configuration" on Page 1179.

l You have enabled the logging function in PBR rules. Refer to "Creating a Policy-based Route Rule" on Page 287.

To view PBR logs, select Monitor > Log > PBR Log.

NAT Log
NAT logs are generated under the conditions that:

l NAT logging in the Logging feature is enabled. Refer to "Log Configuration" on Page 1179.

l NAT logging of the NAT rule configuration is enabled. Refer to "Configuring SNAT" on Page 883 and "Configuring DNAT" on Page 899.

To view NAT logs, select Monitor > Log > NAT Log.

URL Log
This feature may not be available on all platforms. Please check your system's actual page to see if
your device delivers this feature.
URL logs can be generated under the conditions that:

l URL logging in the Logging feature is enabled. Refer to "Log Configuration" on Page 1179.

l You have enabled the logging function in URL rules. Refer to "URL Filtering" on Page 677.

To view URL logs, select Monitor > Log > URL Log.

EPP Log
To view EPP logs, select Monitor > Log > EPP.
In this page, you can perform the following actions:

l Configuration: Click to jump to the EPP page.

l Clear: Click to clear the selected logs.

l Export: Click to export the displayed logs as a TXT or CSV file.

l Filter: Click to add conditions to show logs that match your filter.

IoT Log
You can view, configure, clear or export IoT logs.
The following condition must be met before the logs can be generated:

l The IoT logging function has been enabled on the device. For the detailed configuration, refer to Log Management.

Click Monitor > Log > IoT Log to enter the <IoT Log> page.

l Filter: Click the filter button to add filter conditions; the matching entries are shown in the list below.

l Configure: Click the Configure button and enter the Log Management page.

l Clear: Click the Clear button to delete all the filtered IoT logs in system.

l Export: Click the Export button to export part or all logs in the format of TXT or CSV.

File Filter Log
This feature may not be available on all platforms. Please check your system's actual page to see if
your device delivers this feature.
File Filter logs can be generated under the conditions that:

l File Filter logging in the Logging feature is enabled. Refer to "Log Configuration" on Page
1179.

l You have enabled the function of "File Filter" on Page 721.

To view File Filter logs, select Monitor > Log > File Filter.

l Filter: Click Filter to add conditions to show logs that match your filter.

l Configure: Click to jump to the configuration page

l Clear: Click to delete all the displayed logs.

l Export: Click to export the displayed logs as a TXT or CSV file.

Content Filter Log
This feature may not be available on all platforms. Please check your system's actual page to see if
your device delivers this feature.
Content Filter logs can be generated under the conditions that:

l Content Filter logging in the Logging feature is enabled. Refer to "Log Configuration" on Page
1179.

l You have enabled one or more of the following features: "Web Content" on Page 730, "Web Posting" on Page 736, "Email Filter" on Page 742 and "APP Behavior Control" on Page 747.

To view Content Filter logs, select Monitor > Log > Content Filter.

l Filter: Click Filter to add conditions to show logs that match your filter.

l Configure: Click to jump to the configuration page

l Clear: Click to delete all the displayed logs.

l Export: Click to export the displayed logs as a TXT or CSV file.

Network Behavior Record Log
This feature may not be available on all platforms. Please check your system's actual page to see if
your device delivers this feature.
Network Behavior Record logs can be generated under the conditions that:

l Network Behavior Record logging in the Logging feature is enabled. Refer to "Log Configuration" on Page 1179.

l You have enabled the "Network Behavior Record" function on Page 754.

To view Network Behavior Record logs, select Monitor > Log > Network Behavior Record.

l Filter: Click Filter to add conditions to show logs that match your filter.

l Configure: Click to jump to the configuration page

l Clear: Click to delete all the displayed logs.

l Export: Click to export the displayed logs as a TXT or CSV file.

CloudSandBox Log
This feature may vary slightly on different platforms. Please see the actual page of the feature that
your device delivers.
To view sandbox logs, select Monitor > Log > Cloud SandBox Log.
In this page, you can perform the following actions:

l Configure: Click to jump to the CloudSandBox page.

l Clear: Click to clear the selected logs.

l Export: Click to export the displayed logs as a TXT or CSV file.

l Filter: Click to add conditions to show logs that match your filter.

Log Configuration
You can create log servers, set up log email addresses, add UNIX servers and configure the sending sourceport.

Creating a Log Server

To create a log server, take the following steps:

1. Select Monitor > Log > Log Configuration.

2. Click Log Server Configuration tab.

3. Click New.

In the Log Server Configuration page, configure these values.

Option       Description
Hostname     Enter the name or IP address of the log server.
Log Format   Specifies the log format of the syslog server: Hillstone, SGCC S5000 or SGCC S6000. Select the format according to the log server type.

             l Hillstone: the syslog server can only receive the Hillstone log format.

             l S5000: the syslog server can only receive the SGCC-S5000 log format, such as the log servers of State Grid Corporation of China.

             l S6000: the syslog server can only receive the SGCC-S6000 log format, such as the monitoring servers of State Grid Corporation of China.

Binding      Specifies the source IP address used to send logs to the syslog server.

             l Virtual Router: Select Virtual Router and then select a virtual router from the drop-down list. If a virtual router is selected, the device determines the source IP address by searching the reachable routes in the virtual router.

             l Source Interface: Select Source Interface and then select a source interface from the drop-down list. The device uses the IP address of the interface as the source IP to send logs to the syslog server. If a management IP address is configured on the interface, the management IP address is preferred.

Protocol     Specifies the protocol type of the syslog server. If "Secure-TCP" is selected, you can select the Do not validate the server certificate option; the system then transfers logs without requiring any certificate validation.
Port         Specifies the port number of the syslog server.
Log Type     Specifies the log types the syslog server will receive.

4. Click OK to save the settings.

Notes: You can add at most 15 log servers.

Configuring the Sending Sourceport Number

The system allows you to specify the sending sourceport number used to send log messages to the syslog server. When a sending sourceport number is specified, the system uses that sourceport to send log messages to the syslog server; if none is specified, the system uses a random sourceport by default.
To configure the sending sourceport number, take the following steps:

1. Click Monitor > Log > Log Configuration and select the Log Server Configuration tab.

2. Click the Sending Sourceport Configuration button to open the Sending Sourceport Con-
figuration page.

3. Enter the specified sourceport number. The range is from 1024 to 65535. If you want to cancel the configuration of the current sourceport number, delete the value.

4. Click OK.

Notes:
l The binary logs sent to the Syslog Server are not influenced by the sending sourceport configuration. The binary logs are sent over UDP using sourceport 5566.

l When SNAT is enabled, the system randomly selects the sending sourceport from the port resources of the network addresses translated by NAT.
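What a fixed sending sourceport gives the receiving side, as an added example that is not StoneOS code: the script sends a syslog datagram over loopback from a pinned source port and the receiver reports the source port it observed, which is the value an allow-list or firewall rule in front of the collector can match on (with the default random sourceport no such rule is possible). The PRI value is the standard syslog facility*8+severity encoding, an assumption about the wire format rather than something the guide states about StoneOS; the port 40514, the facility choice and the receiver are constructed for the example.

```python
"""Added example (not StoneOS code): a loopback demonstration of what a fixed
sending sourceport gives a collector.  A tiny UDP receiver reports the source
port of each datagram, which is the value an allow-list in front of the syslog
server would match on.  The PRI encoding (facility * 8 + severity) is standard
syslog (RFC 5424), not something the guide states about StoneOS; the sample
port number and facility are constructed."""
import socket

FACILITY = {"kern": 0, "user": 1, "local0": 16, "local7": 23}
# Severity numbers match the 0-7 levels of the Log Severity table in this chapter.
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

# The guide's own sample log line, used here as the message body.
SAMPLE_BODY = '2000-02-05 01:51:21, WARNING@LOGIN: Admin user "admin" logged in through console from localhost.'


def syslog_pri(facility: str, severity: str) -> int:
    """Standard syslog PRI value."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def build_datagram(facility: str, severity: str, body: str) -> bytes:
    """'<PRI>' followed by the message, as a UDP syslog payload."""
    return f"<{syslog_pri(facility, severity)}>{body}".encode()


def send_from_fixed_port(payload: bytes, dst, source_port: int) -> None:
    """Send one datagram with the source port pinned (the guide's allowed range is 1024-65535)."""
    if not 1024 <= source_port <= 65535:
        raise ValueError("sending sourceport must be between 1024 and 65535")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        tx.bind(("127.0.0.1", source_port))
        tx.sendto(payload, dst)


def loopback_roundtrip(source_port: int = 40514):
    """Receive on an ephemeral loopback port; return (payload text, observed source port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(3)
        collector = rx.getsockname()
        send_from_fixed_port(build_datagram("local0", "warning", SAMPLE_BODY), collector, source_port)
        data, (_, observed_port) = rx.recvfrom(4096)
    return data.decode(), observed_port


def collector_accepts(observed_port: int, allowed_port: int) -> bool:
    """The check a collector-side allow-list can make once the source port is fixed."""
    return observed_port == allowed_port


if __name__ == "__main__":
    text, port = loopback_roundtrip(40514)
    print(port, collector_accepts(port, 40514), text[:40])
```

Pinning the port is a convenience for filtering, not an authentication mechanism: UDP carries no integrity protection, so a collector that needs to trust what it receives should rely on a protected transport such as the Secure-TCP option with certificate validation left enabled.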

Configuring Log Encoding

The default encoding format for the log information output to the log server is UTF-8; you can enable GBK encoding as needed. After GBK encoding is enabled, the logs output to the log server are encoded in GBK. To enable GBK encoding:

1. Select Monitor > Log > Log Configuration.

2. Click Log Server Configuration tab.

3. Click the Log Encoding Configuration button in the upper right corner to open the Log
Encoding Configuration page.

4. Click the button to enable the GBK Encoding.

5. Click OK to save the settings.

Adding Email Address to Receive Logs

An email in the log management setting is an email address for receiving log messages.
To add an email address, take the following steps:

1. Select Monitor > Log > Log Configuration.

2. Click Web Mail Configuration tab.

3. Enter an email address and click New.

4. If you want to delete an existing email, click Delete.

Notes: You can add at most 3 email addresses.

Specifying a Unix Server

To specify a Unix server to receive logs, take the following steps:

1. Select Monitor > Log > Log Configuration.

2. Click the Facility Configuration tab.

3. Select the device you want and the logs will be exported to that Unix server.

4. Click OK.

Specifying a Mobile Phone

To specify a mobile phone to receive logs, take the following steps:

1. Select Monitor > Log > Log Configuration.

2. Click SMS Configuration tab.

3. Enter a mobile phone number and click New.

4. If you want to delete an existing mobile phone number, click Delete.

Notes: You can add at most 3 mobile phone numbers.

Managing Logs
You can configure system to enable the logging function, including enabling various logs.

Configuring Logs

To configure parameters of various log types, take the following steps:

1. Select Monitor > Log > Log Management.

2. Click the Enable button of the log type that you want, and click the button next to it to enter the corresponding log settings.

3. Click OK.

Option Descriptions of Various Log Types

This section describes the options available when you set the properties of each log type.

Event Log
Option          Description
Enable          Click the button to enable the event logging function.
Console         Select the check box to send a syslog to the Console.

                l Lowest Severity - Specifies the lowest severity level. Logs below the severity level selected here will not be exported.

Terminal        Select the check box to send a syslog to the terminal.

                l Lowest Severity - Specifies the lowest severity level. Logs below the severity level selected here will not be exported.

Cache           Select the check box to send a syslog to the cache.

                l Lowest Severity - Specifies the lowest severity level. Logs below the severity level selected here will not be exported.

                l Max Buffer Size - The maximum size of the cached logs. The default value may vary for different hardware platforms.

File            Select the check box to send a syslog to a file.

                l Max File Size - Specifies the maximum size of the syslog file. The value range is 4096 to 1048576 bytes. The default value is 1048576 bytes.

                l Save logs to USB - Select the check box and select a USB drive (USB0 or USB1) from the drop-down list. Type a name for the syslog file into the File Name box.

Log Server      Select the check box to export event logs to the syslog server.

                l View Log Server - Click to see all existing syslog servers or to add a new server.

                l Lowest Severity - Specifies the lowest severity level. Logs below the severity level selected here will not be exported.

Email Address   Select the check box to send event logs to the configured email addresses.

                l View Email Address - Click to see all existing email addresses or add a new address.

                l Lowest Severity - Specifies the lowest severity level. Logs below the severity level selected here will not be exported.

SMS             Select the check box to send event logs via SMS.

                l Lowest Severity - Specifies the lowest severity level. Logs below the severity level selected here will not be exported.

Network Log

Enable: Click the button to enable the network logging function.

Cache: Select the check box to export network logs to the cache.
  • Max Buffer Size - The maximum size of the cached network logs. The value range is 4096 to 524288 bytes. The default value may vary for different hardware platforms.

File: Select the check box to send network logs to a file.
  • Max File Size - Specifies the maximum size of the syslog file. The value range is 4096 to 1048576 bytes. The default value is 1048576 bytes.
  • Save logs to USB - Select the check box and select a USB drive (USB0 or USB1) from the drop-down list. Type a name for the syslog file into the File Name box.

Log Server: Select the check box to export network logs to the syslog server.
  • View Log Server - Click to see all existing syslog servers or to add a new server.

Configuration Log

Enable: Click the button to enable the configuration logging function.

Cache: Select the check box to export configuration logs to the cache.
  • Max Buffer Size - The maximum size of the cached configuration logs. The value range is 4096 to 524288 bytes. The default value may vary for different hardware platforms.

Log Server: Select the check box to export configuration logs to the syslog server.
  • View Log Server - Click to see all existing syslog servers or to add a new server.

Log Speed Limit: Select the check box to cap the rate at which configuration logs are generated.
  • Maximum Speed - Specifies the maximum rate, in messages per second.

Session Log

Enable: Click the button to enable the session logging function.
  • Record User Name - Select to include the user's name in the session log messages.
  • Record Host Name - Select to include the host's name in the session log messages.

Cache: Select the check box to export session logs to the cache.
  • Max Buffer Size - The maximum size of the cached session logs. The value range is 4096 to 2097152 bytes. The default value may vary for different hardware platforms.

Log Server: Select the check box to export session logs to the syslog server.
  • View Log Server - Click to see all existing syslog servers or to add a new server.
  • Syslog Distribution Methods - Select the check box to spread session logs across several log servers rather than loading a single server. The distributed logs can be in binary or text format, and the algorithm can be Round Robin or Src IP Hash.
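Two settings that recur in these tables are easy to misread on the collector side. Lowest Severity follows syslog numbering, which runs opposite to the names (0 is emergency, 7 is debug), so "lowest severity = warning" keeps values 0 to 4 and discards notice, informational and debug. Syslog Distribution Methods trades load for locality: Round Robin scatters one host's logs across collectors, while Src IP Hash keeps every message from a source on the same collector, which is what you want if that collector correlates sessions by source. The following is an added example, not code from this guide or from StoneOS, showing how a relay would apply both rules to syslog lines. The sample lines and the src= field they carry are constructed placeholders and do not reproduce the StoneOS session-log layout.

```python
import hashlib
import itertools
import re

# RFC 3164 / RFC 5424 severity values: a numerically higher value is LESS severe.
SEVERITIES = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "informational": 6, "debug": 7,
}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
SRC_RE = re.compile(r"\bsrc=([0-9A-Fa-f:.]+)")

# Constructed sample lines (facility local0 = 16, so PRI = 128 + severity).
# The "src=..." field is a placeholder, not the StoneOS session-log format.
SAMPLE_LINES = [
    "<134>Jan  1 00:00:01 fw1 session: src=10.0.0.5 dst=203.0.113.9 action=allow",   # informational
    "<131>Jan  1 00:00:02 fw1 session: src=10.0.0.6 dst=203.0.113.9 action=deny",    # error
    "<135>Jan  1 00:00:03 fw1 session: src=10.0.0.5 dst=203.0.113.9 action=close",   # debug
    "<132>Jan  1 00:00:04 fw1 session: src=10.0.0.7 dst=198.51.100.4 action=deny",   # warning
]


def split_pri(line):
    """Return (facility, severity, rest) from the <PRI> that opens a syslog line."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no PRI field in %r" % line[:40])
    pri = int(m.group(1))
    if pri > 191:                      # 23 facilities * 8 + 7 is the largest legal PRI
        raise ValueError("PRI %d out of range" % pri)
    return pri // 8, pri % 8, m.group(2)


def passes_lowest_severity(line, lowest):
    """'Lowest Severity' semantics: export the log only if it is at least as
    severe as the threshold, i.e. its numeric severity is <= the threshold's."""
    _, severity, _ = split_pri(line)
    return severity <= SEVERITIES[lowest]


class Distributor:
    """Chooses a log server per message using one of the two WebUI methods."""

    def __init__(self, servers, method):
        if method not in ("round-robin", "src-ip-hash"):
            raise ValueError("unknown distribution method %r" % method)
        if not servers:
            raise ValueError("need at least one server")
        self.servers = list(servers)
        self.method = method
        self._next = itertools.cycle(range(len(self.servers)))

    def pick(self, src_ip):
        if self.method == "round-robin":
            return self.servers[next(self._next)]
        # Stable hash: Python's hash() is randomised per process, so use SHA-256
        # to guarantee the same source always lands on the same collector.
        digest = hashlib.sha256(src_ip.encode("ascii")).digest()
        return self.servers[int.from_bytes(digest[:4], "big") % len(self.servers)]


def route(lines, lowest, distributor):
    """Apply the severity threshold, then assign each surviving line a server.
    Returns a list of (server, line) pairs in input order."""
    out = []
    for line in lines:
        if not passes_lowest_severity(line, lowest):
            continue
        m = SRC_RE.search(line)
        src_ip = m.group(1) if m else "0.0.0.0"   # no source field: hash a fixed key
        out.append((distributor.pick(src_ip), line))
    return out


if __name__ == "__main__":
    rr = Distributor(["10.1.1.10", "10.1.1.11"], "round-robin")
    for server, line in route(SAMPLE_LINES, "warning", rr):
        print("round-robin ->", server, "|", line)
    by_hash = Distributor(["10.1.1.10", "10.1.1.11", "10.1.1.12"], "src-ip-hash")
    for server, line in route(SAMPLE_LINES, "debug", by_hash):
        print("src-ip-hash ->", server, "|", line)
```

With the threshold at warning, only the error and warning lines survive; with Src IP Hash, both lines from 10.0.0.5 land on the same server no matter how many collectors are configured.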

PBR Log

Enable: Click the button to enable the PBR logging function.
  • Record User Name - Select to include the user's name in the PBR log messages.
  • Record Host Name - Select to include the host's name in the PBR log messages.

Cache: Select the check box to export PBR logs to the cache.
  • Max Buffer Size - The maximum size of the cached PBR logs. The value range is 4096 to 2097152 bytes. The default value may vary for different hardware platforms.

Log Server: Select the check box to export PBR logs to the syslog server.
  • View Log Server - Click to see all existing syslog servers or to add a new server.
  • Syslog Distribution Methods - Select the check box to spread PBR logs across several log servers rather than loading a single server. The distributed logs are in plain text format, and the algorithm can be Round Robin or Src IP Hash.

NAT Log

Enable: Click the button to enable the NAT logging function.
  • Record Host Name - Select to include the host's name in the NAT log messages.

Cache: Select the check box to export NAT logs to the cache.
  • Max Buffer Size - The maximum size of the cached NAT logs. The default value may vary for different hardware platforms.

Log Server: Select the check box to export NAT logs to log servers.
  • View Log Server - Click to see all existing syslog servers or to add a new server.
  • Syslog Distribution Methods - Select the check box to spread NAT logs across several log servers rather than loading a single server. The distributed logs can be in binary or text format, and the algorithm can be Round Robin or Src IP Hash.

IoT Log

Enable: Click the button to enable the IoT logging function.
  • Record Host Name - Select to include the host's name in the IoT log messages.

Cache: Select the check box to export IoT logs to the cache.
  • Max Buffer Size - The maximum size of the cached IoT logs.

Log Server: Select the check box to export IoT logs to log servers.
  • View Log Server - Click to see all existing servers or to add a new server.
  • Syslog Distribution Methods - Select the check box to spread IoT logs across several log servers rather than loading a single server. The distributed logs can be in binary or text format, and the algorithm can be Round Robin or Src IP Hash.

EPP Log

Enable: Click the button to enable the EPP logging function.

Terminal: Select the check box to send a syslog to the terminal.
  • Lowest Severity - Specifies the lowest severity level. Logs below the severity level selected here will not be exported.

Cache: Select the check box to export EPP logs to the cache.
  • Lowest Severity - Specifies the lowest severity level. Logs below the severity level selected here will not be exported.
  • Max Buffer Size - The maximum size of the cached logs.

File: Select the check box to send EPP logs to a file.
  • Lowest Severity - Specifies the lowest severity level. Logs below the severity level selected here will not be exported.
  • Max File Size - Specifies the maximum size of the EPP log file. The value range is 4096 to 1048576 bytes. The default value is 1048576 bytes.

Log Server: Select the check box to export EPP logs to log servers.
  • View Log Server - Click to see all existing servers or to add a new server.
  • Lowest Severity - Specifies the lowest severity level. Logs below the severity level selected here will not be exported.
  • Syslog Distribution Methods - Select the check box to spread EPP logs across several log servers rather than loading a single server. The distributed logs can be in binary or text format, and the algorithm can be Round Robin or Src IP Hash.

Email Address: Select the check box to send EPP logs to the configured email addresses.
  • View Email Address - Click to see all existing email addresses or to add a new address.
  • Lowest Severity - Specifies the lowest severity level. Logs below the severity level selected here will not be exported.

URL Log

Enable: Click the button to enable the URL logging function.
  • Record Host Name - Select to include the host's name in the URL log messages.

Cache: Select the check box to export URL logs to the cache.
  • Max Buffer Size - The maximum size of the cached URL logs. The default value may vary for different hardware platforms.

Log Server: Select the check box to export URL logs to a log server.
  • View Log Server - Click to see all existing syslog servers or to add a new server.
  • Syslog Distribution Methods - Select the check box to spread URL logs across several log servers rather than loading a single server. The distributed logs can be in binary or text format, and the algorithm can be Round Robin or Src IP Hash.

File Filter Log

Enable: Click the button to enable the File Filter logging function.

Cache: Select the check box to export File Filter logs to the cache.
  • Max Buffer Size - The maximum size of the cached File Filter logs. The default value may vary for different hardware platforms.

Log Server: Select the check box to export File Filter logs to the log server.
  • View Log Server - Click to see all existing syslog servers or to add a new server.
  • Syslog Distribution Methods - Select the check box to spread File Filter logs across several log servers rather than loading a single server. The distributed logs can be in binary or text format, and the algorithm can be Round Robin or Src IP Hash.

Content Filtering Log

Enable: Click the button to enable the Content Filter logging function.

Cache: Select the check box to export Content Filter logs to the cache.
  • Max Buffer Size - The maximum size of the cached Content Filter logs. The default value may vary for different hardware platforms.

Log Server: Select the check box to export Content Filter logs to the log server.
  • View Log Server - Click to see all existing syslog servers or to add a new server.
  • Syslog Distribution Methods - Select the check box to spread Content Filter logs across several log servers rather than loading a single server. The distributed logs can be in binary or text format, and the algorithm can be Round Robin or Src IP Hash.

Network Behavior Record Log

Enable: Click the button to enable the Network Behavior Record logging function.

Cache: Select the check box to export Network Behavior Record logs to the cache.
  • Max Buffer Size - The maximum size of the cached Network Behavior Record logs. The default value may vary for different hardware platforms.

Log Server: Select the check box to export Network Behavior Record logs to the log server.
  • View Log Server - Click to see all existing syslog servers or to add a new server.
  • Syslog Distribution Methods - Select the check box to spread Network Behavior Record logs across several log servers rather than loading a single server. The distributed logs can be in binary or text format, and the algorithm can be Round Robin or Src IP Hash.

CloudSandBox Log

Enable: Click the button to enable the CloudSandBox logging function.

Cache: Select the check box to export CloudSandBox logs to the cache.
  • Max Buffer Size - The maximum size of the cached CloudSandBox logs.

File: Select to export CloudSandBox logs as a file.
  • Max File Size - Specifies the maximum size of the syslog file. The value range is 4096 to 1048576 bytes. The default value is 1048576 bytes.
  • Save logs to USB - Select the check box and select a USB drive (USB0 or USB1) from the drop-down list. Type a name for the syslog file into the File Name box.

Log Server: Select the check box to export CloudSandBox logs to the log server.
  • View Log Server - Click to see all existing syslog servers or to add a new server.

Threat Log

Enable: Click the button to enable the threat logging function.

Cache: Select the check box to export threat logs to the cache.
  • Max Buffer Size - The maximum size of the cached threat logs. The default value may vary for different hardware platforms.
  • Lowest Severity - Specifies the lowest severity level. Logs below the severity level selected here will not be exported.

File: Select to export threat logs as a file to USB.
  • Lowest Severity - Specifies the lowest severity level. Logs below the severity level selected here will not be exported.
  • Max File Size - The maximum size of the exported log file.
  • Save logs to USB - Select a USB device and enter a name for the log file.

Terminal: Select to send threat logs to terminals.

Log Server: Select the check box to export threat logs to the log server.
  • View Log Server - Click to see all existing syslog servers or to add a new server.
  • Syslog Distribution Methods - Select the check box to spread threat logs across several log servers rather than loading a single server. The distributed logs can be in binary or text format, and the algorithm can be Round Robin or Src IP Hash.

Email Address: Select the check box to export threat logs to the specified email addresses.
  • View Email Address - Click to see existing email addresses or to add a new address.

Database: Select the check box to save threat logs on the local device. Only some platforms support this parameter.
  • Disk Space - Enter the percentage of the storage that threat logs may occupy. For example, if you enter 30, the threat logs will take at most 30% of the total disk size.
  • Disk Space Limit - If Auto Overwrite is selected, new logs that exceed the disk space automatically overwrite the oldest logs. If Stop Storing is selected, the system stops storing new logs once the limit is reached. With Auto Overwrite, a burst of threat logs can push older evidence out of the local store, so also export to a log server if you need a retained record.

Share Access Log

Enable: Click the button to enable the Share Access logging function.

Console: Select to export Share Access logs to the console.

Cache: Select the check box to export Share Access logs to the cache.
  • Max Buffer Size - The maximum size of the cached Share Access logs.

Log Server: Select the check box to export Share Access logs to the log server.
  • View Log Server - Click to see all existing syslog servers or to add a new server.

Chapter 13 Diagnostic Tool
This feature may not be available on all platforms. Please check your system's actual page to see whether your device delivers this feature.
System supports the following diagnostic methods:

  • Test Tools: DNS Query, Ping and Traceroute can be used when troubleshooting the network.

Chapter 13 1200
Diagnostic Tool
Packet Path Detection
This feature may not be available on all platforms. Please check your system's actual page if your
device delivers this feature.
Based on the packet processing flow, the packet path detection function traces a packet through the system and presents the detection process and results with charts and descriptions. It can work from the following packet sources: emulated packets, online packets, and imported packets (the system provides a Packet Capture Tool that can help you capture the packets).
Packets from different sources are handled by different detection methods. System supports the following:

  • Emulation packet detection: emulate a packet and trace its processing flow through the system.

  • Online packet detection: trace the processing flow of live packets in the system in real time.

  • Imported packet detection: import existing packets and trace their processing flow through the system.

Configuring Packet Path Detection


You can configure packet path detection and view the detection results in the report.

Emulation Detection

To perform the emulation detection, take the following steps:

1. Select System > Diagnostic Tool > Packet Path Detection.

2. Click Choose Detected Source.

3. Click New, and in the drop-down list select Emulation Packet.

Configure options as follows.

Name: Specifies the name of the emulation packet.

Ingress Interface: Select the ingress interface of the emulation packet from the drop-down list.

Source Address: Specifies the source IP address of the emulation packet in the text box.

Destination Address: Specifies the destination IP address of the emulation packet in the text box.

Protocol: Select the protocol of the emulation packet from the drop-down list. When selecting TCP or UDP, specify the source and destination ports in the Source Port and Destination Port text boxes; when selecting ICMP, enter the ICMP type and code in the Type and Value text boxes.

Description: Specifies the description for this emulation packet.

4. Click Start to start the detection. The system displays the detection flow in the flow chart and describes the detection process. The flow chart contains all modules the packet passes through in the system. After the detection for a particular module is completed, the status indicator above the module shows the result for that module.

  • Green indicator - The detection for this module has passed, and the system proceeds with the detection. Hover your mouse over this step to view its introduction.

  • Yellow indicator - The detection for this module has passed, but there are potential security risks. The system proceeds with the detection. Hover your mouse over this step to view its introduction and the detection results. You can click the View Results link to view the detailed detection report.

  • Red indicator - The detection for this module has failed, and the system has stopped the detection. Hover your mouse over this step to view its introduction and the detection results. You can click the View Results link to view the detailed detection report. If the failure is caused by the policy rule configuration, you can click the link in the Policy Rule step to jump to the policy rule configuration page.

5. After the detection is completed, view the detection results in the Detection Result tab. The detection results include the status indicator and a detection result summary. You can click the View Details link to view the detailed detection report. The meanings of the status indicators are as follows:

  • Green indicator - The detected source has passed all detection steps.

  • Yellow indicator - The detected source has passed all detection steps, but there are potential security risks in one or more steps. You can click the View Details link to view the potential risks and advice.

  • Red indicator - The detected source has not passed all detection steps. You can click the View Details link to view the failure reasons and advice.

Online Detection

To perform the online detection, take the following steps:

1. Select System > Diagnostic Tool > Packet Path Detection.

2. Click Choose Detected Source.

3. Click New, and in the drop-down list select Online Packet.

Configure options as follows.

Name: Specifies the name of the online packet.

Ingress Interface: Select the ingress interface of the online packet from the drop-down list.

Source: Specifies the source IP address or the user/user group of the online packet.
  • Address - Select the Address radio button and enter the IP address in the text box.
  • User/User Group - Select the User/User Group radio button and select the user/user group from the drop-down list.

Destination: Specifies the destination of the online packet.
  • Address - Select the Address radio button and enter the IP address in the text box.
  • URL - Select the URL radio button and enter the URL in the text box.

Protocol: Specifies the protocol type or the protocol number of the packet.

Source Port: Specifies the source port of the online packet.

Destination Port: Specifies the destination port of the online packet.

Application: Specifies the application type of the online packet.

Description: Enter the description of the online packet in the text box.

4. Click OK.

5. If needed, specify the detecting duration in the Detecting Duration section. After reaching the specified duration, the system stops the detection automatically. The default value is 30 minutes.

6. Click Start to start the detection. The system displays the detection process. If errors occur during the detection, a flow thumbnail pops up in the flow chart area to display the corresponding errors. After the detection is completed, you can click the flow thumbnail to view the details. During each detection process, the system can pop up at most six thumbnails.

7. After the detection is completed, view the detection results in the Detection Result tab. The detection results include the status indicator and a detection result summary. You can click the View Details link to view the detailed detection report. For the meanings of the status indicators, see step 5 in Emulation Detection.

Notes: If one of the following situations happens during the detection, the system will stop the detection.

  • You click the Stop button.

  • The detecting duration reaches its upper limit. If you do not set the detecting duration, it keeps the default value (30 minutes).

  • The total number of errors of the same type reaches 10, for example the flow being blocked by the same policy.

  • The total number of errors of different types reaches 5. Errors of different types are errors that occurred in different modules, or errors of different types that occurred in the same module.

Imported Detection

To perform the imported detection, take the following steps:

1. Select System > Diagnostic Tool > Packet Path Detection.

2. Click Choose Detected Source.

3. Click New, and in the drop-down list select Imported Packet.

Configure options as follows.

Packet: Click the Browse button and select the packet file to import. The imported packet file can be at most 20 MB.

Name: Specifies the name of the imported packet.

Ingress Interface: Select the ingress interface of the imported packet from the drop-down list.

Description: Enter the description of the imported packet in the text box.

Advanced

Source Address: Specifies the source IP address of the imported packet.

Destination Address: Specifies the destination IP address of the imported packet.

Protocol: Specifies the protocol type or the protocol number of the imported packet.

Source Port: Specifies the source port of the imported packet.

Destination Port: Specifies the destination port of the imported packet.

Application: Specifies the application type of the imported packet.

4. Click OK.

5. Click Start to start the detection. The system displays the detection process in the Detection Process tab. If errors occur during the detection, a flow thumbnail pops up in the flow chart area to display the corresponding errors. After the detection is completed, you can click the flow thumbnail to view the details. During each detection process, the system can pop up at most six thumbnails.

6. After the detection is completed, view the detection results in the Detection Result tab. The detection results include the status indicators and a detection result summary. You can click the View Details link to view the detailed detection report. For the meanings of the status indicators, see step 5 in Emulation Detection.

Notes: If one of the following situations happens during the detection, the system will stop the detection.

  • You click the Stop button.

  • The total number of errors of the same type reaches 10, for example the flow being blocked by the same policy.

  • The total number of errors of different types reaches 5. Errors of different types are errors that occurred in different modules, or errors of different types that occurred in the same module.

  • All imported packets have been detected.

Detected Sources

The Detected Sources dialog box lists all detected sources in the system, including emulation packets, online packets, and imported packets.
Click Choose Detected Source. In the Choose Detected Source dialog box, select the Detected Sources tab. You can then perform the following actions:

  • Click Details in the Result column to view the detection report of the detected source.

  • Click Export in the Export Packet column to export the detected packet to the desired directory.

  • Click Edit in the Option column to edit the configuration of the detected source.

  • Click Delete in the Option column to delete the detected source.

Packet Capture Tool
This feature may not be available on all platforms. Please check your system's actual page to see whether your device delivers this feature.
The Packet Capture Tool lets you run multiple capture tasks. Each task holds one or more packet capture rules, and the system captures packets matching those conditions in real time. You can view the number of captured and dropped packets at any time. Captured packets can be downloaded or exported to a local location and then viewed with a third-party packet analysis tool.

Configuring Packet Capture Tools


To capture packets, take the following steps:

1. Select System > Diagnostic Tool > Packet Capture Tool.

2. Click New.

In the Packet Capture Configuration page, configure as follows.

Name: Enter the name of the packet capture entry.

Packet Capture Rule: Click New, and configure the packet capture rules in the Packet Capture Rules page. For the configuration method, refer to Create a Packet Capture Rule. Select the check box of a packet capture rule in the list and click Edit to change its configuration, or click Delete to delete it.

Packets Time: Enter the packets time in the text box.

Description: Enter the entry description in the text box.

3. Click OK.

4. For each task, click the Start button in the Capture Packets column to start capturing packets; the Start button then changes to Capturing. Click the Status to view the current size and number of packets captured.

5. To stop capturing packets, click the Capturing button in the Capture Packets column.

6. After you stop capturing packets or the capture completes, click Download at the top-right corner of the Capture Grid List to save the captured packets to a specified location.

7. You can select one or more file entries and click Export at the top-right corner of the list to export the packet files. The exported packet files are compressed.

8. To clear packet capture data, select a packet capture task and click the Clear Data button. All files captured under this task will be cleared.

Notes: The system allows you to create at most 5 packet capture tasks.

Create a Packet Capture Rule


To create a packet capture rule, take the following steps:

1. Select System > Diagnostic Tool > Packet Capture Tool.

2. Click New.

3. Click New at Packet Capture Rule to open the Packet Capture Rule page.

In the Packet Capture Rule page, configure as follows.

Source Type: Specify the source IP address/range or the user/user group of the packet.
  • IP/Netmask - Enter the IPv4 address and its mask in the text box.
  • IP Range - Enter the IPv4 range in the text box.
  • IPv6/Prefix - Enter the IPv6 address and its prefix in the text box.
  • IPv6 Range - Enter the IPv6 range in the text box.
  • User/User Group - Select the user/user group from the drop-down list.

Destination Type: Specify the destination IP address/range of the packet.
  • IP/Netmask - Enter the IPv4 address and its mask in the text box.
  • IP Range - Enter the IPv4 range in the text box.
  • IPv6/Prefix - Enter the IPv6 address and its prefix in the text box.
  • IPv6 Range - Enter the IPv6 range in the text box.
  • URL - Enter the URL in the text box.

Application: Specifies the application type of the packet.

Protocol: Specifies the protocol type or the protocol number of the packet.

Source Port: Specifies the source port of the packet. The source port can only be specified when the protocol is TCP or UDP.

Destination Port: Specifies the destination port of the packet. The destination port can only be specified when the protocol is TCP or UDP.

4. Click OK.

Notes: A maximum of 8 packet capture rules can be created in the same packet capture task.
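To see exactly which packets a rule built from these fields selects, it helps to evaluate the rule in code before committing to a capture. The following is an added example, not code from this guide or from StoneOS, that checks constructed packet headers against rules built from the same field types: IP/Netmask, IP Range, IPv6/Prefix, IPv6 Range, protocol name or number, and TCP/UDP ports. User/User Group, URL and Application matching are left out because they need identity and application-identification state the example does not have. The constraint stated above, that ports are only valid with TCP or UDP, is enforced when a rule is constructed rather than silently ignored at match time.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "icmpv6": 58}


def address_matcher(spec):
    """Build a predicate from one address field. Accepts an IPv4/IPv6 address
    with netmask or prefix ('10.0.0.0/24', '2001:db8::/32'), a range
    ('10.0.0.1-10.0.0.50', '2001:db8:1::1-2001:db8:1::ff'), or '' for any."""
    spec = spec.strip()
    if not spec:
        return lambda ip: True
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError("bad address range: %s" % spec)
        return lambda ip: ip.version == lo.version and lo <= ip <= hi
    net = ipaddress.ip_network(spec, strict=False)   # host bits allowed, as with a UI netmask
    return lambda ip: ip.version == net.version and ip in net


def protocol_number(spec):
    """Protocol field: a name from PROTO_NUMBERS, a decimal number, or '' (any)."""
    spec = spec.strip().lower()
    if not spec:
        return None
    if spec.isdigit():
        n = int(spec)
        if n > 255:
            raise ValueError("protocol number out of range: %d" % n)
        return n
    return PROTO_NUMBERS[spec]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None


class CaptureRule:
    def __init__(self, src="", dst="", protocol="", src_port=None, dst_port=None):
        self.src_match = address_matcher(src)
        self.dst_match = address_matcher(dst)
        self.proto = protocol_number(protocol)
        # Ports can only be specified when the protocol is TCP or UDP.
        if (src_port is not None or dst_port is not None) and self.proto not in (6, 17):
            raise ValueError("ports are only valid with TCP (6) or UDP (17)")
        self.src_port = src_port
        self.dst_port = dst_port

    def matches(self, pkt):
        if not self.src_match(ipaddress.ip_address(pkt.src)):
            return False
        if not self.dst_match(ipaddress.ip_address(pkt.dst)):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src_port is not None and pkt.sport != self.src_port:
            return False
        if self.dst_port is not None and pkt.dport != self.dst_port:
            return False
        return True


def first_matching_rule(rules, pkt):
    """Index of the first rule that selects the packet, or None (not captured)."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return i
    return None


# Constructed rules and packets for a stand-alone run (not real traffic).
RULES = [
    CaptureRule(src="10.0.0.0/24", protocol="tcp", dst_port=443),
    CaptureRule(src="2001:db8::/32", dst="2001:db8:1::1-2001:db8:1::ff", protocol="icmpv6"),
    CaptureRule(dst="198.51.100.1-198.51.100.20", protocol="17"),
]

PACKETS = [
    Packet("10.0.0.5", "203.0.113.9", 6, 51000, 443),
    Packet("10.0.0.5", "203.0.113.9", 17, 51001, 53),
    Packet("2001:db8:abcd::1", "2001:db8:1::10", 58),
    Packet("192.0.2.7", "198.51.100.15", 17, 4000, 514),
    Packet("192.0.2.7", "198.51.100.15", 6, 4000, 514),
]

if __name__ == "__main__":
    for pkt in PACKETS:
        print(pkt, "->", first_matching_rule(RULES, pkt))
```

An IPv4 packet never matches an IPv6 rule (and vice versa) because the version is compared before the address, which mirrors keeping IP/Netmask and IPv6/Prefix as separate source types in the WebUI.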

Packet Capture Global Configuration


The global configuration items of packet capture vary according to the type of device:

  • For devices with hard disks, you can configure the percentage of the total hard disk size that packet capture files may use.

  • For devices without hard disks, you can configure the packet capture file save percent and the packet capture file save time.

To configure the global configuration, take the following steps:

1. Select System > Diagnostic Tool > Packet Capture Tool.

2. Click the Global Configuration button in the upper right corner of the page to open the
Global Configuration page.

3. The global configuration page for a device with a hard disk is as follows:

Disk Space Percent: Enter the percentage of the total hard disk size that packet capture files may use. The range is 5%-50%. The default value is 10%.

4. The global configuration page for a device without a hard disk is as follows:

File Save Percent: Enter the maximum percentage of the remaining memory that packet capture files may use. The range is 5%-50%, and the default value is 10%.

File Save Time: Enter how long, in minutes, a packet capture file is kept. The range is 1-1440 minutes, and the default value is 30 minutes. On a device without a hard disk the captured files are held in memory and discarded once this time elapses, so download or export them before then.

5. Click OK.

Test Tools
DNS Query, Ping and Traceroute can be used when troubleshooting the network.

DNS Query
To check the DNS working status of the device, take the following steps:

1. Select System > Diagnostic Tool > Test Tools.

2. Type a domain name into the DNS Query box.

3. Click Test, and the testing result will be displayed in the list below.

Ping
To check the network connecting status, take the following steps:

1. Select System > Diagnostic Tool > Test Tools.

2. Type an IP address into the Ping box.

3. Click Test, and the testing result will be displayed in the list below.

4. The testing result contains two parts:

• The Ping packet response. If there is no response from the target before the timeout, the tool prints a message such as Destination Host Not Response. Otherwise, the response contains the packet sequence number, the TTL and the response time.

• Overall statistics, including the number of packets sent, the number of packets received, the percentage of packets with no response, and the minimum, average and maximum response time.

Traceroute
Traceroute is used to test and record the gateways a packet traverses from the originating host to the destination. It is mainly used to check whether the network connection is reachable and to locate the point where the path is broken. The common Traceroute procedure works as follows: first, a packet is sent with TTL 1, so the first hop sends back an ICMP error message indicating that the packet cannot be forwarded (because the TTL expired); the packet is then re-sent with TTL 2, and a TTL-expired message is returned again; this process repeats until the packet reaches the destination. In this way, the source address of each ICMP TTL-expired message is recorded, and as a result the path from the originating host to the destination is identified. The system supports IPv4 and IPv6 peer addresses.
To test and record gateways the packet has traversed by Traceroute, take the following steps:

1. Select System > Diagnostic Tool > Test Tools.

2. Select the VR in the Virtual Router drop-down list.

3. Select IPv4 or IPv6.

4. Type an IP address into the Traceroute box.

5. Click Test, and the testing result will be displayed in the list below.

Chapter 14 High Availability
HA (High Availability) provides a fail-over solution for communication line or device failures, ensuring smooth communication and effectively improving the reliability of the network.
To implement the HA function, you need to configure two devices as an HA cluster with identical settings for the following:

• Hardware platform

• Firmware version

• VSYS (either enable VSYS on both devices, each of which must have a VSYS license installed, or use VSYS on neither device)

• Virtual Router (either enable VR on both devices or use VR on neither device)

When one device is unavailable or cannot handle a client's request properly, the request is promptly directed to the other device, which is working normally, thus ensuring uninterrupted network communication and greatly improving the reliability of communications.

Notes: The configuration of HA clusters is not affected if certain functions, such as AV, are not consistent on the two HA devices. In this scenario, the system sends an alarm showing that certain settings on the two devices are not consistent. It indicates that when the master device fails, the backup device may have problems taking over its work. Settings that cause the above scenario include but are not limited to the ones below:

• enabling or disabling Antivirus, IPS, URL DB, Perimeter Traffic Filtering, Threat Prevention, Botnet C&C Prevention, Sandbox, IoT Monitor, and Antispam.

• installing or not installing licenses such as Antivirus License, IPS License, URL DB License, PTF License, Threat Prevention License, Antispam License, Botnet Prevention License, IoT Monitor License, Twin-mode License, Cloud Sandbox Prevention License, Signature Database Application License, and QoS/iQoS License.

You are advised to pay attention to the alarms when the above functions are not consistent on the two HA devices.

The system supports the following HA modes: Active-Passive (A/P) and Peer Active-Active (A/A).

• Active-Passive (A/P) mode: In the HA cluster, two devices are configured to form an HA group, with one device acting as the primary device and the other acting as its backup device. The primary device is active and forwards packets, and meanwhile synchronizes all of its network and configuration information and current session information to the backup device. When the primary device fails, the backup device is promoted to primary and takes over the work of forwarding packets. This A/P mode is redundant and features a simple network structure that is easy to maintain and manage.

• Peer Active-Active (A/A) mode: the Peer A/A mode is an HA Active-Active mode. In the Peer A/A mode, both devices are active, perform their own tasks simultaneously, and monitor each other's operating status. When one device fails, the other takes over the work of the failed device while continuing to run its own tasks. In the Peer A/A mode, only the device in the active status can send/receive packets. The device in the disabled status keeps the same configuration information as the active device, but its interfaces do not send/receive any packets. The Peer A/A mode is more flexible and is suitable for deployment in an asymmetric routing environment.

Basic Concepts

HA Cluster
To external network devices, an HA cluster appears as a single device that handles network traffic and provides security services. The HA cluster is identified by its cluster ID. After you specify an HA cluster ID for the device, the device enters the HA state to implement the HA function.

HA Group
Within an HA cluster, the system selects the primary and backup device among the devices with the same HA group ID according to the HCMP protocol and the HA configuration. The primary device is in the active state and processes network traffic. When the primary device fails, the backup device takes over its work.
When a cluster ID is assigned to the device, the HA group with ID 0 is created automatically. In Active-Passive (A/P) mode, the device only has HA group 0.

HA Node
To distinguish the HA devices in an HA group, you can use the HA Node value to mark the devices. StoneOS supports the values 0 and 1.
In the HA Peer mode, the system decides which device is the master according to the HA Node value. In HA group 0, the device whose HA Node value is 0 is active and the device whose HA Node value is 1 is in the disabled status. In HA group 1 this does not apply, since in both cases the HA Node value is 0.

Virtual Forward Interface and MAC


In the HA environment, each HA group has an interface to forward traffic, known as the Virtual Forward Interface. The primary device of each HA group manages a virtual MAC (VMAC) address that corresponds to its interface, and traffic is forwarded on that interface. Different HA groups in an HA cluster cannot forward data among each other. The VMAC address is defined by the HA base MAC, the HA cluster ID, the HA group ID and the physical interface index.

HA Selection
In an HA cluster, if the group ID of the HA devices is the same, the one with higher priority will
be selected as the primary device.

HA Synchronization
To ensure that the backup device can take over the work of the primary device when it fails, the primary device synchronizes its information to the backup device. There are three types of information that can be synchronized: configuration information, files and RDO (Runtime Dynamic Object). The specific content of RDO includes:

• Session information (the following types of session information are not synchronized: sessions to the device itself, tunnel sessions, deny sessions, ICMP sessions, and tentative sessions)

• IPsec VPN information

• SCVPN information

• DNS cache mappings

• ARP table

• PKI information

• DHCP information

• MAC table

• WebAuth information

The system supports two synchronization methods: real-time synchronization and batch synchronization. When the primary device has just been selected, batch synchronization is used to synchronize all information of the primary device to the backup device. When the configuration changes, real-time synchronization is used to synchronize the changed information to the backup device. Except for the HA-related configurations and local configurations (for example, the host name), all other configurations are synchronized.

Configuring HA
This feature may vary slightly on different platforms. If there is a conflict between this guide and the actual page, the latter shall prevail.
To configure the HA function, take the following steps:

1. Configure an HA Virtual Forward Interface. For more information on configuring the interface, see "Configuring an Interface" on Page 92.

2. Configure an HA link interface, which is used for device synchronization and HA packet transmission.

3. Configure an HA cluster. Specify the HA VMAC prefix (optional) and the ID of the HA cluster to enable the HA function.

4. Configure an HA group. Specify the priority for the devices and the HA message parameters.

You need to configure the HA data link interface when configuring the HA function. Note that HA group interface 0 and interface 1 can be configured as an HA control link interface, but not as an HA data link interface.
To configure HA, take the following steps:

1. Go to System > HA.

Control link interface 1: Specifies the name of the HA control link interface. The control link interface is used to synchronize all data between the two devices.

Control link interface 2: Specifies the name of the HA control link interface (backup device).

Control link interface 5: Specifies the name of the interface on the I/O module to use as the HA control link interface. For the X10800 device, the system supports configuring an interface on the I/O module as the HA control link interface, in order to avoid abnormal HA heartbeat and synchronization messages caused by an abnormal link on the control module's interface. By default, the HA control link interface is on the control module.

Control link interface 6: Specifies the name of the HA control link interface (backup device).

Assist link interface: Specifies the name of the HA assist link interface. In the Active-Passive (A/P) mode, you can specify the HA assist link interface to receive and send heartbeat packets (Hello packets), ensuring that the main and backup devices of HA switch over normally when the HA link fails. Note:

• Before the HA link is restored, the HA assist link interface can only receive and send heartbeat packets; data packets cannot be synchronized. You are advised not to modify the current configurations. After the HA link is restored, manually synchronize the session information.

• The HA assist link interface must use an interface other than the HA link interface and be bound to a zone.

• You need to specify the same interface as the HA assist link interface on the main and backup devices, and ensure that the interfaces of the main and backup devices belong to the same VLAN.

Data link interface: Specifies the name of the HA data link interface. The data link interface is used to synchronize data packet information. After this data link is specified, the session information is synchronized over it. You can configure a physical interface or an aggregate interface as the interface of the data link. Note: You can specify at most one aggregate interface as the HA data link interface, or at most two physical interfaces as the HA data link interface.

Data link interface 2: Specifies the name of HA data link interface 2. The usage and limits are the same as for Data link interface: the data link interface synchronizes data packet information, the session information is synchronized over it once it is specified, it can be a physical or an aggregate interface, and at most one aggregate interface or at most two physical interfaces can be specified as the HA data link interface.

IP address: Specifies the IP address and netmask of the HA link interface, which can be an IPv4 address or an IPv6 address. For an IPv4 address, the input format is A.B.C.D/M (e.g. 1.1.1.1/24). For an IPv6 address, the input format is X.X.X.X::X/M (e.g. 2001::1/64), where X.X.X.X::X is the IPv6 address prefix and M is the prefix length. The value range of the prefix length is 1 to 128.

MTU: Specifies the MTU value of the HA link interface. After it is specified, when the size of a message exceeds the MTU value of the HA link interface, the sender sends the message in fragments and the receiver reassembles the message after receiving it. The default value is 1500.

Layer 2 unicast negotiation communication (v4): Click the enable button to specify that the two devices negotiate through Layer 2 unicast mode. When this function is enabled, you need to enter the IPv4 address of the HA link interface of the peer device in the "HA Peer IP" text box, and you can also enter the MAC address of the HA link interface of the peer device in the "HA Peer MAC" text box.

Layer 2 unicast negotiation communication (v6): Click the enable button to specify that the two devices negotiate through Layer 2 unicast mode. When this function is enabled, you need to enter the IPv6 address of the HA link interface of the peer device in the "HA Peer IP" text box, and you can also enter the MAC address of the HA link interface of the peer device in the "HA Peer MAC" text box.

HA VMAC prefix: Specifies the prefix of the HA base MAC in hexadecimal format. Its length can only be configured as seven or eight hexadecimal digits. If more than 8 HA clusters need to be configured in a network segment, you can configure the prefix of the HA virtual base MAC address, i.e. the HA virtual MAC prefix, in order to avoid HA virtual MAC address duplication. By default, the HA virtual MAC prefix is 0x001C54FF. Note that 0x00000000, 0x0000000, 0xFFFFFFFF, 0xFFFFFFF and multicast addresses (i.e. those whose second hexadecimal digit is odd) are invalid. After the configuration is complete, it takes effect after a reboot. Note: With the HA function enabled, if you want to modify the HA virtual MAC prefix, you may need to disable the HA function first.

HA cluster ID: Specifies an ID for the HA cluster. When the prefix length is set to 7 hexadecimal digits, the ID ranges from 1 to 128. When the prefix length is set to 8 or left at the default, the ID ranges from 1 to 8. None disables the HA function.

Node ID: After enabling the HA function, specify the Node ID (HA Node) for the device. The IDs of the two devices must be different. The range is 0 to 1. If you do not specify this value, the devices obtain the Node ID by automatic negotiation.

Peer-mode: Select the Enable checkbox to enable the HA Peer mode and specify the role of this device in the HA cluster. The range is 0 to 1. By default, group 0 on the device whose HA Node ID is 0 is active and group 0 on the device whose HA Node ID is 1 is in the disabled status.

Symmetric-routing: Select Symmetric-routing to make the device work in a symmetrical routing environment.

HA Synchronize Configuration: In some exceptional circumstances, the master and backup configurations may not be synchronized. In such a case you need to manually synchronize the configuration information of the master and backup devices. Click HA Synchronize Configuration to synchronize the configuration information of the master and backup devices.

HA Synchronize Session: By default the system synchronizes sessions between HA devices automatically. Session synchronization generates some traffic and may impact device performance when the device is overloaded. You can enable automatic HA session synchronization according to the device workload to ensure stability. Click HA Synchronize Session to enable automatic HA session synchronization.

New: After the HA cluster ID is specified, the system creates HA group 0 automatically. Click New to create HA group 1.

Delete: Click Delete to remove HA group 1 if needed.

Priority: Specifies the priority for the device. The device with the higher priority (smaller number) is selected as the primary device.

Preempt: Configures the preempt mode. When preempt mode is enabled, once the backup device finds that its own priority is higher than that of the primary device, it promotes itself to primary and the original primary device becomes the backup device. The value 0 disables preempt mode. When preempt mode is disabled, even if the device's priority is higher than the primary device's, it does not take over from the primary device unless the primary device fails.

Hello interval: Specifies the Hello interval, i.e. the interval at which the HA device sends heartbeats (Hello packets) to the other devices in the HA group. The Hello interval must be identical within an HA group.

Hello threshold: Specifies the threshold value for Hello messages. If the device does not receive the specified number of Hello messages from the other device, it assumes that the other device's heartbeat has stopped.

Gratuitous ARP packet number: Specifies the number of gratuitous ARP packets. When the backup device is selected as the primary device, it sends ARP request packets to the network to inform the relevant network devices to update their ARP tables.

Track object: Specifies a track object you have configured, or click the button to create a new track object. The track object is used to monitor the working status of the device. Once it finds that the device has stopped working normally, the system takes the corresponding action.

Description: Type a description of the HA group into the box.

2. Click OK.
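
The HA VMAC prefix and HA cluster ID rules from the option table above, encoded as a checker you can run against candidate settings before entering them in the WebUI. This is an added example written for this guide, not Hillstone code or a StoneOS API; it assumes exactly the rules the table states (7 or 8 hexadecimal digits, all-zero, all-F and multicast prefixes rejected, cluster IDs 1-128 for a 7-digit prefix and 1-8 otherwise) and uses constructed sample values.

```python
"""Checks for the HA VMAC prefix and HA cluster ID settings described in the
StoneOS HA option table (added example, not Hillstone code)."""

from __future__ import annotations

import re

# Default HA virtual MAC prefix named in the guide.
DEFAULT_VMAC_PREFIX = "0x001C54FF"


def normalize_prefix(prefix: str) -> str:
    """Drop an optional 0x/0X marker and upper-case the hex digits."""
    text = prefix.strip()
    if text[:2].lower() == "0x":
        text = text[2:]
    return text.upper()


def vmac_prefix_error(prefix: str) -> str | None:
    """Return None when the prefix is acceptable, otherwise the reason.

    Rules from the option table: hexadecimal digits only, length 7 or 8,
    not all zeros, not all Fs, and not a multicast address. A MAC address
    is multicast when the low bit of its first octet is set, which is the
    "second hexadecimal digit is odd" test the guide gives.
    """
    digits = normalize_prefix(prefix)
    if not re.fullmatch(r"[0-9A-F]+", digits):
        return "prefix must consist of hexadecimal digits"
    if len(digits) not in (7, 8):
        return "prefix length must be 7 or 8 hexadecimal digits"
    if set(digits) == {"0"}:
        return "all-zero prefix is invalid"
    if set(digits) == {"F"}:
        return "all-F prefix is invalid"
    if int(digits[1], 16) % 2 == 1:
        return "multicast prefix is invalid (second hexadecimal digit is odd)"
    return None


def cluster_id_range(prefix: str) -> range:
    """Cluster IDs allowed with this prefix: 1-128 for a 7-digit prefix,
    1-8 for an 8-digit prefix (the default prefix has 8 digits)."""
    if len(normalize_prefix(prefix)) == 7:
        return range(1, 129)
    return range(1, 9)


def check_ha_cluster(prefix: str, cluster_id: int) -> list[str]:
    """Return every problem found with a (VMAC prefix, cluster ID) pair;
    an empty list means the pair is acceptable."""
    err = vmac_prefix_error(prefix)
    if err is not None:
        # Without a valid prefix the cluster ID range is undefined.
        return [err]
    allowed = cluster_id_range(prefix)
    if cluster_id not in allowed:
        return [f"cluster ID {cluster_id} must be between "
                f"{allowed.start} and {allowed.stop - 1} for this prefix"]
    return []


if __name__ == "__main__":
    # Constructed sample settings, not taken from a real device.
    samples = [
        (DEFAULT_VMAC_PREFIX, 3),
        (DEFAULT_VMAC_PREFIX, 9),   # too large for an 8-digit prefix
        ("0x001C54F", 100),         # a 7-digit prefix allows 1-128
        ("0x011C54FF", 1),          # second digit odd: multicast
        ("0xFFFFFFF", 1),
    ]
    for pfx, cid in samples:
        problems = check_ha_cluster(pfx, cid) or ["ok"]
        print(f"{pfx} / cluster {cid}: {'; '.join(problems)}")
```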

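The selection, preempt and heartbeat-loss behaviour described for the Priority, Preempt, Hello threshold and Gratuitous ARP packet number options, modelled as a small simulation so the interplay of the settings can be traced step by step. This is an added example, not Hillstone code and not a description of StoneOS internals beyond what the table states; it assumes Preempt is a plain on/off setting (0 = disabled), that heartbeat loss is counted once per elapsed Hello interval, that on equal priority the first device passed to elect() wins, and the device names FW-A/FW-B are constructed.

```python
"""Simulation of the HA selection, preempt and heartbeat-loss rules given in
the HA option table (added example, not Hillstone code).

Assumptions, since the guide does not spell them out: Preempt is an on/off
setting (0 = disabled, any other value = enabled), heartbeat loss is counted
once per elapsed Hello interval, and on equal priority the first device
passed to elect() wins.
"""

from __future__ import annotations

from dataclasses import dataclass


@dataclass
class HaDevice:
    name: str
    priority: int             # smaller number = higher priority (per the guide)
    preempt: int = 0          # 0 disables preempt mode
    hello_threshold: int = 3  # missed Hellos before the peer is declared down
    garp_count: int = 3       # gratuitous ARP packets sent on promotion
    role: str = "backup"
    missed_hellos: int = 0
    garp_sent: int = 0

    def promote(self) -> None:
        """Become primary and announce the VMAC with gratuitous ARPs so
        neighbouring devices update their ARP tables."""
        self.role = "primary"
        self.missed_hellos = 0
        self.garp_sent += self.garp_count


def elect(a: HaDevice, b: HaDevice) -> HaDevice:
    """Initial selection within one HA group: the device with the higher
    priority (smaller number) becomes primary, the other becomes backup."""
    primary, backup = (a, b) if a.priority <= b.priority else (b, a)
    primary.promote()
    backup.role = "backup"
    return primary


def apply_preempt(primary: HaDevice, backup: HaDevice) -> HaDevice:
    """Preempt rule: a backup whose priority is higher (smaller number) than
    the primary's takes over only if its own preempt mode is enabled; with
    preempt disabled it waits for the primary to fail. Returns the device
    holding the primary role afterwards."""
    if backup.preempt != 0 and backup.priority < primary.priority:
        primary.role = "backup"
        backup.promote()
        return backup
    return primary


def hello_received(watcher: HaDevice) -> None:
    """A Hello from the peer arrived within the interval: reset the count."""
    watcher.missed_hellos = 0


def hello_missed(watcher: HaDevice, peer: HaDevice) -> bool:
    """One Hello interval elapsed with no Hello from the peer. When the
    misses reach the Hello threshold the peer's heartbeat is considered
    stopped; a backup watcher then takes over. Returns True on failover."""
    watcher.missed_hellos += 1
    if watcher.missed_hellos < watcher.hello_threshold:
        return False
    peer.role = "failed"
    if watcher.role == "backup":
        watcher.promote()
        return True
    return False


def run_scenario() -> list[str]:
    """Constructed two-device walk-through; returns the role transitions."""
    fw_a = HaDevice("FW-A", priority=50)                    # constructed
    fw_b = HaDevice("FW-B", priority=100, hello_threshold=3)
    events: list[str] = []
    primary = elect(fw_a, fw_b)
    events.append(f"{primary.name} elected primary")

    # FW-A's heartbeat stops; FW-B declares it down after the threshold.
    for _ in range(fw_b.hello_threshold):
        if hello_missed(fw_b, fw_a):
            events.append(f"{fw_b.name} took over after "
                          f"{fw_b.hello_threshold} missed Hellos")

    # FW-A recovers as backup. With preempt disabled it stays backup even
    # though its priority number is smaller than FW-B's.
    fw_a.role = "backup"
    if apply_preempt(fw_b, fw_a) is fw_b:
        events.append(f"{fw_a.name} waits: preempt disabled")

    # With preempt enabled on FW-A it reclaims the primary role.
    fw_a.preempt = 1
    if apply_preempt(fw_b, fw_a) is fw_a:
        events.append(f"{fw_a.name} preempted {fw_b.name}")
    return events


if __name__ == "__main__":
    for event in run_scenario():
        print(event)
```
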
HA Interface Traffic Monitor


The HA interface traffic monitor function statistically analyzes the historical traffic trend of HA interfaces over a specified statistical period.
To view the historical traffic trend of HA interfaces, go to System > HA, and then click the button for the traffic monitor.

• Select a different Statistical Period from the drop-down menu to view the statistical information for that period of time.

• Click the chart type buttons to switch between the curve chart and the area chart.

• Click the refresh button to refresh the monitoring data.

• Click the collapse button to collapse the chart or the expand button to expand the chart.

• Hover your mouse over the chart to view the upstream traffic, downstream traffic or total traffic of the HA interface.

• Click Upstream Traffic, Downstream Traffic or Total Traffic, and the system displays the interface traffic of the specified object.

Viewing the HA Status of the Device
In the HA environment, you can view the HA status of the current device next to the Device Name in the upper right corner of the main page of the system.

• M: M state, which represents that the current device is the master.

• B: B state, which represents that the current device is the backup.

Chapter 15 System Management
The device's maintenance and management include:

• "System Information" on Page 1235

• "Device Management" on Page 1238

• "Configuration File Management" on Page 1271

• "Warning Page Management" on Page 1275

• "SNMP" on Page 1288

• "Upgrading System" on Page 1304

• "License" on Page 1311

• "Mail Server" on Page 1321

• "SMS Parameters" on Page 1324

• "Extended Services" on Page 1280

• "Test Tools" on Page 1217

• "VSYS (Virtual System)" on Page 1332

• "The Maximum Concurrent Sessions" on Page 1346

System Information
Users can view the general information of the system in the System Information page, including
Serial Number, Hostname, Platform, System Time, System Uptime, HA State, Firmware, Boot
File, Signature Database and so on.

Viewing System Information


To view system information, select System > System And Database.

System Information

Serial Number: Shows the serial number of the device.

Hostname: Shows the name of the device.

Platform: Shows the platform model of the device.

System Time: Shows the system date and time of the device.

System Uptime: Shows the system uptime of the device.

HA State: Shows the HA status of the device.

• Standalone: Non-HA mode; HA is disabled.

• Init: Initial state.

• Hello: Negotiation state; the device is negotiating the master/backup relationship with its peer.

• Master: Master state; the current device is the master.

• Backup: Backup state; the current device is the backup.

• Failed: Fault state; the device has failed.

Firmware: Shows the current firmware version of the device.

Boot File: Shows the current boot file of the device.

API: Get the RESTful API User Guide.

Signature DB Information

Application Identification Signature: Shows the current version of the application signature database and the date of the last update.

URL Category Signature: Shows the current version of the URL signature database and the date of the last update.

IP Reputation Database: Shows the current version of the perimeter traffic filtering signature database and the date of the last update.

Anti-Virus Signature: Shows the current version of the antivirus signature database and the date of the last update.

IPS Signature: Shows the current version of the IPS signature database and the date of the last update.

Botnet Prevention Signature: Shows the current version of the Botnet Prevention signature database and the date of the last update.

Sandbox Whitelist DB: Shows the current version of the Sandbox Whitelist DB and the date of the last update.

Notes: All the signature databases are license controlled, so you need to make sure that your system has the corresponding license installed. Refer to "License" on Page 1311.

Device Management
This section introduces how to configure the Administrator, Trusted Host, MGT Interface, System Time, NTP Key and system options.

Administrators
Device administrators of different roles have different privileges. The system supports predefined administrator roles and customized administrator roles. By default, the system supports the following administrators, which cannot be deleted or edited:

• admin: Permission for reading, executing and writing. This role has authority over all features and can view the current or historical configuration information.

• admin-read-only: Permission for reading and executing. This role can view the current or historical configuration information.

• operator: Permission for reading, executing and writing. This role has authority over all features except modifying the Administrator's configuration, and can view the current or historical configuration information, but has no permission to check the log information.

• auditor: This role can only operate on the log information, including viewing, exporting and clearing it.

The following table shows the permissions of the different types of administrators.

Operation                                    Administrator   Administrator (read-only)   Auditor   Operator
Configure (including saving configuration)   √               χ                           χ         √
Configure administrator                      √               χ                           χ         χ
Restore factory default                      √               χ                           χ         χ
Delete configuration file                    √               χ                           χ         √
Roll back configuration                      √               χ                           χ         √
Reboot                                       √               χ                           χ         χ
View configuration information               √               √                           χ         √
View log information                         √               √                           √         χ
Modify current admin password                √               √                           χ         √
ping/traceroute                              √               √                           χ         √

Notes:
• The device ships with a default administrator named hillstone. You can modify the settings of hillstone.

• Other administrator roles (except the default administrator) cannot configure the admin settings, except modifying their own password.

• The system auditor can manage one or more logs, but only the system administrator can manage the log types.

VSYS Administrator

Administrators in different VSYSs are independent from each other. Administrators in the root VSYS are known as root administrators and administrators in a non-root VSYS are known as non-root administrators. The system supports four types of administrator: Administrator, Administrator (read-only), Operator, and Auditor.
When creating VSYS administrators, you must follow the rules listed below:

• Backslash (\) cannot be used in administrator names.

• Non-root administrators are created by root administrators or root operators after logging into the non-root VSYS.

• After logging into the root VSYS, root administrators can switch to a non-root VSYS and configure it.

• Non-root administrators enter the corresponding non-root VSYS after a successful login, but cannot switch to the root VSYS.

• Each administrator name must be unique within the VSYS it belongs to, while administrator names can be the same in different VSYSs. In such a case, when logging in, you must specify the VSYS the administrator belongs to in the form vsys_name\admin_name. If no VSYS is specified, you enter the root VSYS.

The following table shows the permissions of the different types of VSYS administrators. The columns are: (1) Root VSYS Administrator, (2) Root VSYS Administrator (read-only), (3) Root VSYS Auditor, (4) Root VSYS Operator, (5) Non-root VSYS Administrator, (6) Non-root VSYS Administrator (read-only), (7) Non-root VSYS Operator, (8) Non-root VSYS Auditor.

Operation                                    (1)  (2)  (3)  (4)  (5)  (6)  (7)  (8)
Configure (including saving configuration)   √    χ    χ    √    √    χ    √    χ
Configure administrator                      √    χ    χ    χ    √    χ    χ    χ
Restore factory default                      √    χ    χ    χ    χ    χ    χ    χ
Delete configuration file                    √    χ    χ    √    √    χ    √    χ
Roll back configuration                      √    χ    χ    √    √    χ    √    χ
Reboot                                       √    χ    χ    χ    χ    χ    χ    χ
View configuration information               √    √    χ    √    *    *    *    χ
View log information                         √    √    √    χ    √    √    χ    √
Modify current admin password                √    √    √    √    √    √    √    √
ping/traceroute                              √    √    χ    √    χ    χ    χ    χ

* Can view the information in the current VSYS only.

Creating an Administrator Account

To create an administrator account, take the following steps:

1. Select System > Device Management > Administrators.

2. Click New.

3. In the Configuration dialog box, configure the following options.

Name: Type a name for the system administrator account.

Role: From the Role drop-down list, select a role for the administrator account. Different roles have different privileges.

• Administrator: Permission for reading, executing and writing. This role has authority over all features.

• Operator: This role has authority over all features except modifying the Administrator's configurations, and has no permission to check the log information.

• Auditor: This role can only operate on the log information, including viewing, exporting and clearing it.

• Administrator-read-only: Permission for reading and executing. This role can view the current or historical configuration information.

Authentication Type: Select the authentication type, including:

• Local Authentication: When an administrator accesses StoneOS, the administrator is authenticated based on the administrator information (including the account and password) configured in StoneOS.

• Server Authentication: When an administrator accesses StoneOS, the administrator is authenticated based on the administrator information (including the account and password) configured on the authentication server.

Authentication Server: If Authentication Type is set to Server Authentication, you need to select an authentication server from the drop-down list or click the button to create an authentication server. For details, see AAA Server. The following servers are supported:

• Radius Server

• Active Directory Server

• LDAP Server

• TACACS+ Server

Retry Local: After this function is enabled, local password verification is performed if the server is unreachable. If the server returns a password-error notification to StoneOS, this function does not apply. By default, the function is disabled.

Password: Type a login password for the admin into the Password box. The password should meet the requirements of the Password Strategy.

Confirm Password: Re-type the password into the Confirm Password box.

Login Type: Select the access method(s) for the admin, including Console, Telnet, SSH, HTTP, HTTPS, and NETCONF. If you need all access methods, select Select All.

Description: Enter a description for the administrator account.

4. Click OK.

Notes: If you select the Local Authentication Model on the Option page, you need
to configure the administrator and authentication information.

Changing the Password for Admin Users

Device administrators can change the password of other admin users (including other administrators, operators and auditors) by editing the users. To change the password of other admin users, take the following steps:

1. Select System > Device Management > Administrators.

2. Select the admin users from the user list, click Edit and change the password in the Configuration page.

Admin users can change their own password by clicking the user name in the top-right corner. To change the password, take the following steps:

1. Click the user icon or user name in the top-right corner, and select Change Password from
the drop-down list.

2. In the Password Configuration page, enter the old password and the new one. The new password should be set in accordance with the password policy.

Notes: If the old password is entered incorrectly three times in one minute, the user will be locked for two minutes, during which the user cannot change the password.

3. Click OK.

Configuring Login Options for the Default Administrator

The system has a default administrator "hillstone" with the default password "hillstone". However, there is a risk that the default username and password may be cracked. To avoid that risk, when you log in with the default username and password for the first time, the system prompts you to change the default password. Then you can log in again with the new password.

Notes: In the HA Active-Passive (A/P) mode, the backup device does not support
this function, and you can log in with the default username and password.

Enabling Telnet/HTTP Login Type for the Default Administrator

Admin users can access the device via Console, Telnet, SSH, HTTP or HTTPS. By default, the Telnet and HTTP login types for the default administrator "hillstone" are disabled. To enable the Telnet or HTTP login type for the default administrator, take the following steps:

1. Select System > Device Management > Administrators.

2. Select "hillstone" from the user list, and click Edit to open the Configuration page.

3. Select Telnet or HTTP.

4. Click OK.

Notes: When the "Telnet" or "HTTP" login type is enabled, the system will prompt that
these protocols are not secure.

Admin Roles
Device administrators of different roles have different privileges. The system supports pre-
defined administrator roles and customized administrator roles. The pre-defined administrator roles
cannot be deleted or edited. You can customize administrator roles according to your require-
ments.
To create a new administrator role, take the following steps:

1. Select System > Device Management > Admin Roles.

2. Click New.

3. In the Configuration dialog box, configure the following:

Option Description

Role: Enter the role name.

CLI: Specify the administrator role's CLI privileges.

WebUI Privilege: Click a module name to set the administrator role's privilege for that module. The privilege icon shows one of three levels: the role has no privilege for the module and can neither read nor edit its configuration; the role has read privilege for the module but cannot edit its configuration; or the role can both read and edit the configuration of the module.

Description: Specify the description for this administrator role.

4. Click OK to save the settings.

Trusted Host
To enhance security, the device allows only trusted hosts to manage the system. The admin-
istrator can specify an IP range, a MAC address or a MAC range, and the hosts in the specified range
are the trusted hosts. Only trusted hosts can access the management interface to manage the
device.

Notes:
• If the system cannot be managed remotely, check the trusted host configuration.

• The system allows at most 128 trusted hosts to be configured.

Creating a Trusted Host

To create a trusted host, take the following steps:

1. Select System > Device Management > Trusted Host.

2. Click New.

3. In the Trusted Host Configuration dialog box, configure the following options.

Option Description

When the system is the IPv4 version, configure the following options:

Match Address Type: Select the address type used to match the trusted host.
    • When "IPv4" is selected, specify the IP range; only the hosts in the IP range can be trusted hosts.
    • When "IPv4&MAC" is selected, specify the IP range or the MAC address/range; only the hosts in both the specified IP range and the specified MAC range can be trusted hosts.

IP Type: Specify the IP range of the trusted hosts:
    • IP/Netmask: Type the IP address and netmask of the trusted hosts.
    • IP Range: Type the start IP and end IP of the trusted hosts.

MAC Type: Specify the MAC address or MAC range of the trusted hosts:
    • MAC Address: Type the MAC address of the trusted hosts.
    • MAC Range: Type the start MAC address and end MAC address of the trusted hosts.

Login Type: Select the access methods for the trusted host, including "Telnet", "SSH", "HTTP", "HTTPS" and "NETCONF".

When the system is the IPv6 version, configure the following options:

Type: Select the address type used to match the trusted host: "IPv4" or "IPv6".

Host Type: Configure the IPv4 trusted host or the IPv6 trusted host.
    • If "IPv4" is chosen, specify the IP address or IP range of the IPv4 trusted host:
        • IP/Netmask: Type the IP address and netmask of the trusted hosts.
        • IP Range: Type the start IP and end IP of the trusted hosts.
    • If "IPv6" is chosen, specify the IPv6 address or IPv6 range of the IPv6 trusted host:
        • IPv6/Prefix: Type the IPv6 address and prefix of the trusted hosts.
        • IPv6 Range: Type the start IPv6 address and end IPv6 address of the trusted hosts.

MAC Type: Click the Enable button to use a MAC address or MAC range to match the trusted host. By default, this button is disabled.

MAC Address: Specify the MAC address or MAC range of the trusted host:
    • MAC Address: Type the MAC address of the trusted hosts.
    • MAC Range: Type the start MAC address and end MAC address of the trusted hosts.

Login Type: Select the access methods for the trusted host, including "Telnet", "SSH", "HTTP", "HTTPS" and "NETCONF".

4. Click OK.
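The matching rule the Trusted Host table describes (IP/Netmask or IP Range, optional MAC address or MAC range that must match as well, and a per-entry set of login types), written out as an added Python example; this is not StoneOS code, and the class names, the `TrustedHostList` helper, the `unreachable`-style check and all sample addresses are constructed for illustration.

```python
import ipaddress

# Login types the Trusted Host page offers (from the table above).
LOGIN_TYPES = ("Telnet", "SSH", "HTTP", "HTTPS", "NETCONF")
MAX_TRUSTED_HOSTS = 128  # limit stated in the Trusted Host notes


def mac_to_int(mac):
    """Parse a colon-separated MAC address such as '00:11:22:33:44:55'."""
    digits = mac.replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("bad MAC address: %r" % mac)
    return int(digits, 16)


class TrustedHost:
    """One IPv4 Trusted Host entry (class and field names are this example's).

    ip_spec:  'a.b.c.d/len' (IP/Netmask form) or 'start-end' (IP Range form).
    mac_spec: None for Match Address Type "IPv4"; a single MAC or a 'start-end'
              MAC range for "IPv4&MAC", where IP and MAC must both match.
    """

    def __init__(self, ip_spec, login_types, mac_spec=None):
        unknown = set(login_types) - set(LOGIN_TYPES)
        if unknown:
            raise ValueError("unknown login type(s): %s" % sorted(unknown))
        self.login_types = frozenset(login_types)
        if "/" in ip_spec:
            net = ipaddress.ip_network(ip_spec, strict=False)
            self.ip_lo = int(net.network_address)
            self.ip_hi = int(net.broadcast_address)
        else:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in ip_spec.split("-"))
            self.ip_lo, self.ip_hi = int(lo), int(hi)
        if self.ip_lo > self.ip_hi:
            raise ValueError("IP range start is after its end: %r" % ip_spec)
        if mac_spec is None:
            self.mac_lo = self.mac_hi = None
        elif "-" in mac_spec:
            lo, hi = (mac_to_int(p.strip()) for p in mac_spec.split("-"))
            self.mac_lo, self.mac_hi = lo, hi
        else:
            self.mac_lo = self.mac_hi = mac_to_int(mac_spec)
        if self.mac_lo is not None and self.mac_lo > self.mac_hi:
            raise ValueError("MAC range start is after its end: %r" % mac_spec)

    def matches(self, ip, login_type, mac=None):
        """True if a connection from (ip, mac) over login_type fits this entry."""
        if login_type not in self.login_types:
            return False
        if not self.ip_lo <= int(ipaddress.ip_address(ip)) <= self.ip_hi:
            return False
        if self.mac_lo is None:
            return True            # "IPv4" entry: the MAC is not checked
        if mac is None:
            return False           # "IPv4&MAC" entry but no MAC known: not trusted
        return self.mac_lo <= mac_to_int(mac) <= self.mac_hi


class TrustedHostList:
    """The device's trusted host configuration: access needs a matching entry."""

    def __init__(self, hosts=()):
        self.hosts = []
        for host in hosts:
            self.add(host)

    def add(self, host):
        if len(self.hosts) >= MAX_TRUSTED_HOSTS:
            raise ValueError("at most %d trusted hosts are allowed" % MAX_TRUSTED_HOSTS)
        self.hosts.append(host)

    def is_allowed(self, ip, login_type, mac=None):
        """Management access is granted only when some entry matches."""
        return any(h.matches(ip, login_type, mac) for h in self.hosts)

    def uncovered_login_types(self):
        """Login types no entry permits; review this before saving, because a
        list that omits your own access path locks you out of remote management."""
        covered = set().union(*(h.login_types for h in self.hosts))
        return [t for t in LOGIN_TYPES if t not in covered]


# Constructed sample configuration (addresses and MACs are made up).
TRUSTED = TrustedHostList([
    TrustedHost("10.1.0.0/24", {"SSH", "HTTPS"}),               # admin subnet
    TrustedHost("10.2.0.10-10.2.0.20", {"HTTPS"},               # IPv4&MAC entry
                mac_spec="00:11:22:33:44:00-00:11:22:33:44:ff"),
])

if __name__ == "__main__":
    print(TRUSTED.is_allowed("10.1.0.7", "SSH"))                               # True
    print(TRUSTED.is_allowed("10.2.0.15", "HTTPS", mac="00:11:22:33:45:00"))  # False
    print(TRUSTED.uncovered_login_types())   # ['Telnet', 'HTTP', 'NETCONF']
```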

Management Interface
The device supports the following access methods: Console, Telnet, SSH and WebUI. You can
configure the timeout value, the port number, the PKI trust domain of HTTPS and the PKI trust domain of
certificate authentication. When accessing the device through Telnet, SSH, HTTP or HTTPS, if
login fails three times in one minute, the IP address that attempted the login will be blocked for 2
minutes, during which that IP address cannot connect to the device.
To configure the access methods:

1. Select System > Device Management > Management Interface.

2. In the Management Interface tab, configure the following options.

Option Description

Console: Configure the Console access method parameters.
    • Timeout: Type the Console timeout value into the Timeout box. The value range is 0 to 60. The default value is 10. The value 0 indicates no timeout. If there is no activity until the timeout, the system will drop the console connection.

Telnet: Configure the Telnet access method parameters.
    • Timeout: Specifies the Telnet timeout value. The value range is 1 to 60. The default value is 10.
    • Port: Specifies the Telnet port number. The value range is 1 to 65535. The default value is 23.

SSH: Configure the SSH access method parameters.
    • Timeout: Specifies the SSH timeout value. The value range is 1 to 60. The default value is 10.
    • Port: Specifies the SSH port number. The value range is 1 to 65535. The default value is 22.

Web: Configure the WebUI access method parameters.
    • Multiple Login with Same Account: Select the check box to allow users to log in to the device with the same account simultaneously. By default, the function is disabled; in that case, when the same account is used to log in again, the previous session of that account is kicked out.
    • Timeout: Specifies the WebUI timeout value. The value range is 1 to 1440. The default value is 10.
    • HTTP Port: Specifies the HTTP port number. The value range is 1 to 65535. The default value is 80.
    • HTTPS Port: Specifies the HTTPS port number. The value range is 1 to 65535. The default value is 443.
    • HTTPS Trust Domain: Select a trust domain existing in the system from the drop-down list. When HTTPS starts, the HTTPS server will use the certificate of the specified trust domain. By default, the trust domain trust_domain_default is used.
    • Certificate Authentication: With this check box selected, the system starts certificate authentication. The certificate includes the digital certificate of the user and the secondary CA certificate signed by the root CA. Certificate authentication is one form of two-factor authentication: two-factor authentication requires not only the user name and password, but also another authentication method, such as a certificate or a fingerprint.
    • Certificate Trust Domain: After certificate authentication is enabled and the user logs in to the device over HTTPS, the HTTPS server will use the certificate of the specified trust domain. Make sure that the root CA certificate is imported into it.
    • CN Check: After the CN check is enabled, the name in the root CA certificate is checked and verified when the user logs in. The login succeeds only when the certificate and the user are consistent.

3. Click OK.

Notes: When changing HTTP port, HTTPS port or HTTPS Trust Domain, the web
server will restart. You may need to log in again if you are using the Web interface.
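The lockout rule described above (three failed logins in one minute block the source IP for 2 minutes), modelled as an added Python example that is not StoneOS code; the same class with other settings models the Lock IP and Lock Account options under System > Device Management > Option. Event times, addresses and the account name are constructed, and applying a one-minute window to account lockout is an assumption of this example.

```python
from collections import defaultdict, deque


class FailedLoginLock:
    """Locks a key (an IP address or an account) once max_attempts failures
    fall within window_seconds; the lock lasts lock_minutes. Defaults follow
    the Management Interface text above (3 failures in one minute, 2 minute
    block). A max_attempts of 0 is treated here as "never lock" (assumption)."""

    def __init__(self, max_attempts=3, window_seconds=60, lock_minutes=2):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lock_seconds = lock_minutes * 60
        self._failures = defaultdict(deque)   # key -> times of recent failures
        self._locked_until = {}               # key -> time the lock expires

    def is_locked(self, key, now):
        """True while key's lock is in force; an expired lock is dropped."""
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now < until:
            return True
        del self._locked_until[key]
        return False

    def record(self, key, success, now):
        """Record one attempt at time now; returns True if key is now locked."""
        if self.is_locked(key, now):
            return True
        if success:
            self._failures.pop(key, None)      # a success clears the failure count
            return False
        if self.max_attempts <= 0:
            return False
        recent = self._failures[key]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                   # forget failures outside the window
        if len(recent) >= self.max_attempts:
            self._locked_until[key] = now + self.lock_seconds
            recent.clear()
            return True
        return False


def replay(events, ip_lock, account_lock):
    """Run (time, ip, user, success) events through both locks and return
    one of 'blocked', 'rejected' or 'accepted' per event."""
    decisions = []
    for now, ip, user, ok in events:
        if ip_lock.is_locked(ip, now) or account_lock.is_locked(user, now):
            decisions.append("blocked")        # not even allowed to connect
            continue
        ip_lock.record(ip, ok, now)
        account_lock.record(user, ok, now)
        decisions.append("accepted" if ok else "rejected")
    return decisions


# Constructed sample: times are seconds, addresses are documentation ranges.
SAMPLE_EVENTS = [
    (0, "203.0.113.5", "hillstone", False),
    (20, "203.0.113.5", "hillstone", False),
    (40, "203.0.113.5", "hillstone", False),    # third failure within a minute
    (50, "203.0.113.5", "hillstone", True),     # right password, but IP is locked
    (170, "203.0.113.5", "hillstone", True),    # lock expired after 2 minutes
    (200, "198.51.100.9", "hillstone", False),  # other IP, same account
]


def run_sample():
    """Decisions for SAMPLE_EVENTS with the default IP and account settings."""
    return replay(SAMPLE_EVENTS, FailedLoginLock(), FailedLoginLock())


if __name__ == "__main__":
    print(run_sample())
    # ['rejected', 'rejected', 'rejected', 'blocked', 'accepted', 'rejected']
```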

System Time
You can configure the current system time manually, or synchronize the system time with the
NTP server time via NTP protocol.

Configuring the System Time Manually

To configure the system time manually, take the following steps:

1. Select System > Device Management > System Time.

2. Under System Time Configuration in the System Time tab, configure the following.

Option Description

Sync with Local PC: Specifies the method of synchronizing with the local PC. You can select Sync Time or Sync Zone&Time.
    • Sync Time: Synchronize the system time with the local PC.
    • Sync Zone&Time: Synchronize the system zone and time with the local PC.

Specify the system time: Configure the system time parameters.
    • Time Zone: Select the time zone from the drop-down list.
    • Date: Specifies the date.
    • Time: Specifies the time.

3. Click OK.

Configuring NTP

The system time can affect the establishment time of VPN tunnels and the schedules, so the accur-
acy of the system time is very important. To ensure the system maintains an accurate
time, the device allows you to synchronize the system time with an NTP server on the network via
the NTP protocol.
To configure NTP:

1. Select System > Device Management > System Time.

2. Under NTP Configuration in the System Time tab, configure the following.

Option Description

Enable: Select the Enable check box to enable the NTP function. By default, the NTP function is disabled.

Authentication: Select the Authentication check box to enable the NTP Authentication function.

Server: Specifies the NTP servers that the device needs to synchronize with. You can specify at most 3 servers.
    • IP: Type the IP address of the server.
    • Key: Select a key from the Key drop-down list. If you enable the NTP Authentication function, you must specify a key.
    • Virtual Router: Select the Virtual Router of the interface for NTP communication from the drop-down list.
    • Source interface: Select an interface for sending and receiving NTP packets.
    • Specify as a preferred server: Click Specify as a preferred server to set the server as the first preferred server. The system will synchronize with the first preferred server.

Sync Interval: Type the interval value. The device will synchronize the system time with the NTP server at the interval you specified to ensure the system time is accurate.

Time Offset: Type the time value. If the time difference between the system time and the NTP server's time is within the maximum adjustment value you specified, the synchronization will succeed; otherwise it will fail.

3. Click OK.

NTP Key
After enabling NTP Authentication function, you need to configure MD5 key ID and keys. The
device will only synchronize with the authorized servers.

Creating a NTP Key

To create an NTP key:

1. Select System > Device Management > NTP Key.

2. Click New.

3. In the NTP Key Configuration dialog box, configure the following options.

Option Description

Key ID: Type the ID number into the Key ID box. The value range is 1 to 65535.

Password: Type an MD5 key into the Password box. The value range is 1 to 31.

Confirm Password: Re-type the same MD5 key you have entered into the Confirm box.

4. Click OK.

Option
Specifies system options, including the system language, administrator authentication server, host
name, password policy, reboot, and export of the system debugging information.
To change the system options, take the following steps:

1. Select System > Device Management > Option.

2. Select System Setting and configure the following.

Option Description

Hostname: Type the host name you want into the Hostname box.

Domain: Type the domain name you want into the Domain box.

System Language: Select Chinese or English according to your own requirements.

Authentication Model: Select the authentication model:
    • Local Authentication Model: After the Local Authentication Model is configured, you need to configure the administrator and authentication information.
    • Server Authentication Model: After the Server Authentication Model is configured, you need to configure the administrator and authentication information.

Authentication Server: If Authentication Model is set to Server Authentication Model, you need to select an authentication server from the drop-down list or click the icon next to it to create an authentication server. For details, see AAA Server. The following servers are supported:
    • Radius Server
    • TACACS+ Server

Local Password Retry: After this function is enabled, local password verification will be performed if the server returns a password error notification to StoneOS. If the server is unreachable, StoneOS enables Local Password Retry by default. By default, the function is enabled.

Lock IP

Maximum count of login attempts: Specify the maximum number of login attempts from an IP address. The value range is 0 to 256. The default value is 256.

Locking Time: Specify the locking time of a locked IP address. The value range is 1 to 65535 minutes, and the default value is 2 minutes.

Lock Account

Maximum count of login attempts: Specify the maximum number of login attempts for an account. The value range is 1 to 5. The default value is 3.

Locking Time: Specify the locking time of a locked account. The value range is 1 to 65535 minutes, and the default value is 2 minutes.

Minimum Password Length: Specifies the minimum length of the password. The value range is 4 to 16 characters. The default value is 4.

Password Complexity: None means no restriction on the characters of the password. You can select Password Complexity Settings to enable password complexity checking and configure the complexity requirements:
    • Minimum Capital Letter Length: The default value is 2 and the range is 0 to 16.
    • Minimum Lowercase Letter Length: The default value is 2 and the range is 0 to 16.
    • Minimum Number Length: The default value is 2 and the range is 0 to 16.
    • Minimum Special Character Length: The default value is 2 and the range is 0 to 16.
    • Validity Period: The unit is days. The range is 0 to 365. The default value is 0, which indicates no restriction on the validity period of the password.

3. Click OK.
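The password settings from the table above (minimum length, the four complexity minimums and the validity period, with the guide's ranges and defaults), as an added Python policy checker that is not StoneOS code; the class name, the `check`/`is_expired` methods, the sample passwords and the reading of "special character" as ASCII punctuation are this example's own assumptions.

```python
import string
from datetime import date


class PasswordPolicy:
    """Password policy with the settings and defaults of the Option table above:
    minimum length 4 (range 4 to 16); when complexity checking is enabled, at
    least 2 capitals, 2 lowercase letters, 2 digits and 2 special characters
    (each 0 to 16); validity period 0 to 365 days, 0 meaning no expiry.
    "Special character" is taken here to mean ASCII punctuation (assumption)."""

    def __init__(self, min_length=4, complexity=False, min_upper=2, min_lower=2,
                 min_digits=2, min_special=2, validity_days=0):
        if not 4 <= min_length <= 16:
            raise ValueError("minimum password length must be 4 to 16")
        for name, value in (("min_upper", min_upper), ("min_lower", min_lower),
                            ("min_digits", min_digits), ("min_special", min_special)):
            if not 0 <= value <= 16:
                raise ValueError("%s must be 0 to 16" % name)
        if not 0 <= validity_days <= 365:
            raise ValueError("validity period must be 0 to 365 days")
        self.min_length = min_length
        self.complexity = complexity
        self.requirements = (
            ("capital letters", min_upper, str.isupper),
            ("lowercase letters", min_lower, str.islower),
            ("digits", min_digits, str.isdigit),
            ("special characters", min_special, lambda c: c in string.punctuation),
        )
        self.validity_days = validity_days

    def check(self, password):
        """Return the list of violations; an empty list means the password passes."""
        problems = []
        if len(password) < self.min_length:
            problems.append("shorter than %d characters" % self.min_length)
        if self.complexity:
            for label, need, test in self.requirements:
                have = sum(1 for c in password if test(c))
                if have < need:
                    problems.append("needs at least %d %s (has %d)" % (need, label, have))
        return problems

    def is_expired(self, set_on, today):
        """True once the validity period has elapsed (never when it is 0)."""
        if self.validity_days == 0:
            return False
        return (today - set_on).days >= self.validity_days


# The factory defaults beside a hardened policy an administrator might set.
DEFAULT_POLICY = PasswordPolicy()
HARDENED_POLICY = PasswordPolicy(min_length=12, complexity=True, validity_days=90)

if __name__ == "__main__":
    print(DEFAULT_POLICY.check("hill"))        # []: a 4-character password passes the defaults
    print(HARDENED_POLICY.check("Passw0rd!"))  # four violations
    print(HARDENED_POLICY.is_expired(date(2022, 1, 1), date(2022, 4, 1)))  # True
```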

Rebooting the System

Some operations like license installation or image upgrading will require the system to reboot
before it can take effect.
To reboot a system, take the following steps:

1. Go to System > Device Management > Option .

2. Click Reboot, and select Yes in the prompt.

3. The system will reboot. You need to wait a while before it can start again.

System Debug

System debugging is provided to help you check and analyze problems.

Failure Feedback

To enable the failure feedback function, take the following steps:

1. Select System > Device Management > Option.

2. In the System Tools dialog box, select the Enable check box for Failure feedback; the
system will then automatically send the technical support file to the manufacturer.

System Debug Information

System debugging helps you diagnose and identify system errors using the exported file.
To export the system debugging information, take the following steps:

1. Select System > Device Management > Option.

2. Click Export. The system packs the files in /etc/local/core and prompts you to save the tech-support
file. Select the save location and click OK to export the file.

Application Layer Security Bypass

The system supports bypassing the application layer functions, including Intrusion Prevention System,
Anti Virus, and other application layer security protection functions.
To enable application layer security bypass, take the following steps:

1. Select System > Device Management > Option.

2. In the System Setting page, select the Enable button for application layer security bypass,
and click OK.

Configuration Audit

The system supports the policy audit function. When you create or modify a policy rule or aggregate
policy, you can use this function to add policy audit comments to the policy rule or aggregate policy
so that you can understand the reasons for changes and the change history of the policy rule or aggregate
policy.
By default, the configuration audit function is disabled. To enable this function, take the fol-
lowing steps:

1. Select System > Device Management > Option.

2. In the System Setting page, select the Enable button for Configuration Audit, and click OK.

Notes: For how to configure the audit comment content of the policy rule, please
refer to

Storage Management
The storage management function helps you manage system storage space by deleting logs or stop-
ping logging.
To configure the storage management function, take the following steps:

1. Select System > Device Management > Storage Management.

2. Configure the corresponding options.

Option Description

Threshold: When the system storage ratio or storage space reaches the specified threshold, the system performs the specified action to control the system storage. The storage ratio ranges from 1% to 90%.

Threshold Alarm: When the system storage ratio or storage space reaches the specified threshold, the system records a log message.

Action: When the specified threshold is reached, the system performs the specified action, either Override the earliest data or Stop recording data.
    • Override the earliest data: The system deletes the earliest logs.
    • Stop recording data: The system stops storing new logs.

Custom Storage

View Current Storage Status: Shows the Total Storage, Allocated Storage and Utilization. Click View Current Storage Status to view the maximum storage space and utilization of each module's log and report files.

Report Storage Setting: Specify the disk space size for the report file. The system allocates a default disk space size for the report file, and you can customize it as needed.

Log Storage Setting: Click the Enable button to specify the disk space size of each module's log. The system allocates a default disk space size for each module's log, and you can customize it as needed.

3. Click OK to save the settings.

Password Reset Management


The password reset function enables you to change the password by answering a security question, so
you can reset the password without knowing the previous password. If this function is con-
figured and enabled, when you enter a wrong username or password three consecutive times
through the console port, the system prompts you to reset the password by answering the security ques-
tion. To configure the password reset function, take the following steps:

1. Select System > Device Management > Password Reset Management.

2. Click the Enable button and configure the following options.

Option Description

Password Reset: Click the Enable button to enable the password reset function.

Security Problem Type: Specify the type of Security Problem as User-defined or Predefined.

Security Question: Configure the security question. If the type of Security Problem is User-defined, enter a user-defined security question in the text box. If the type is Predefined, select a predefined security question from the drop-down list. The value range is 1 to 256 characters. The security question can only include letters, numbers, and special characters (excluding "). Chinese characters cannot be included in the security question.

Security Answer: Configure the security answer. The value range is 1 to 256 characters. The security answer can only include letters, numbers, and special characters (excluding "). Chinese characters cannot be included in the security question.

Confirm Security Answer: Enter the security answer again in the text box; it must be consistent with the content of the security answer text box.

3. Click OK.

Configuration File Management
System configuration information is stored in the configuration file, and it is stored and displayed
in command line format. The information used to initialize the Hillstone device from
the configuration file is known as the initial configuration information. If the initial configuration
information is not found, the Hillstone device uses the default parameters for initialization.
The information currently in effect is known as the current configuration information.
The system's initial configuration information includes the current initial configuration information (used
when the system starts) and the backup initial configuration information. The system records the latest ten
saved configurations, and the most recently saved configuration is recorded as the current initial
configuration information. The current configuration is marked as Startup; the previous nine
configurations are numbered 0 to 8 in the order of their save time.
You can export or delete the saved configuration files, and you can also export the current system
configuration.

Notes: For any device platform, the maximum number of system configuration files
that can be backed up is 5.

Managing Configuration File


This feature may vary slightly on different platforms. If there is a conflict between this guide and
the actual page, the latter shall prevail.
To manage the system configuration files, take the following steps:

1. Select System > Configuration File Management > Configuration File List.

2. In the Configuration File List page, configure the following.

• Export: Select the configuration file you want to export, and click Export.

• Delete: Select the configuration file you want to delete, and click Delete.

• Backup Restore: You can restore the system configuration to a saved configuration
file or to the factory defaults, or you can back up the current configuration.

Option Description

Back up Current Configurations: Type a description for the configuration file into the Description box. Click Start to back up.

Restore Configuration: Roll back to Saved Configurations:
    • Select Backup System Configuration File: Click this button, then select the backup configuration file from the list. Click OK.
    • Upload Configuration File: Click this button. In the Importing Configuration File dialog box, click Browse and choose the local configuration file you need on your PC. If you need the configuration file to take effect, select the check box. Click OK.
Restore to Factory Defaults:
    • Click Restore; in the Restore to Factory Defaults dialog box, click OK.

Notes: Device will be restored to factory defaults. Meanwhile, all the system con-
figurations will be cleared, including backup system configuration files.

Viewing the Current Configuration


To view the current configuration file:

1. Select System > Configuration File Management > Current Configurations.

2. Click Export to export the current configuration file.

Importing/Exporting the Configuration of All VSYS


You can export the current configuration file of VSYS, and import the saved configuration file of
VSYS.
To export the current configuration file of VSYS, take the following steps:

1. Select System > Configuration File Management > Configuration File List.

2. Click Export All Vsys Configuration to export the current configuration file of VSYS.

To import the saved configuration file of VSYS, take the following steps:

1. Select System > Configuration File Management > Configuration File List.

2. Click Import All Vsys Configuration .

3. Click Browse to select the configuration file to be imported. The file type can be GZ
or ZIP.

4. After importing the configuration file, you need to reboot for it to take effect. Select the Restart
now, make the new configuration take effect check box to reboot immediately.

5. Click OK.

Warning Page Management
Warning page management includes picture management and page management of user-defined
warning pages.
Related links:

• Configuring URL Filtering Objects - Warning Page

• Configuring Content Filtering Objects - Warning Page

Picture Management
You can upload the pictures you need and reference them in a user-defined warning page
as needed. In the picture management page, the name, preview and last modification time of
each uploaded picture are displayed in a list.

Uploading the Picture

To upload the picture, take the following steps:

1. Select System > Warning Page Management > Picture Management.

2. Click New to open the Upload Picture Configuration dialog.

3. Type the name of the user-defined picture into the Name box.

4. Click Upload Picture and select the local picture file to be uploaded.

5. After uploading, the picture will be previewed in the dialog.

6. Click OK to save the configuration.

Notes: Only the following types of pictures can be uploaded: jpeg, jpg, png, gif, jfif;
the size of uploaded pictures is limited to 24KB; the system allows up to 32 picture
files to be uploaded.

Editing the Picture

To replace and modify the uploaded picture, take the following steps:

1. Select System > Warning Page Management > Picture Management.

2. Select the check box of the picture to be edited in the list and click Edit.

3. In the Upload Picture Configuration dialog, click the Upload Picture button to upload the
picture file.

4. Click OK to save the configuration.

Deleting the Picture

To delete the picture, take the following steps:

1. Select System > Warning Page Management > Picture Management.

2. Select the check box of the picture to be deleted in the list and click Delete.

3. In the delete confirmation dialog, click the Yes button to complete the deletion.

Notes: Before deleting the picture, please make sure that the picture is not ref-
erenced by the user-defined warning page, otherwise it cannot be deleted.

Page Management
The system supports 6 types of user-defined warning pages, and each user-defined warning page already
contains the reference strings and warning content displayed by default. You can add
or modify the reference strings using html encoding to customize the warning message text, pic-
tures and other content.

• url-adudit-notification: Informs the user that traffic will be scanned by URL filtering.

• url-block: Informs the user that traffic is blocked by URL filtering.

• av- malware: Warns the user that malware was detected during Antivirus scanning.

• av-malicious-website: Warns the user that a malicious website was detected during Antivirus scanning.

• contentfilter-audit-notification: Informs the user that traffic will be scanned by Content filter.

• contentfilter-block: Informs the user that traffic is blocked by Content filter.

To configure the user-defined warning page, take the following steps:

1. Select System > Warning Page Management > Page Management.

In the Page Management page, view the details of the user-defined warning pages.

• The list at the top of the page shows the name, description, last modification time and
enable status of the 6 types of user-defined warning pages supported by the system.

• In the lower left part of the page, a page preview shows the selected user-defined
warning page.

• In the lower right part of the page, the default html encoding of the user-defined warn-
ing page is displayed, and you can customize the page content by editing this html.

2. In the list above, select the check box of the warning page that needs to be customized.

3. In the html encoding page below, modify the content of the warning message, or enter
"%%" to select the reference string to be added and reference the corresponding content or
picture.

User-defined warning pages can contain the following reference strings.

Reference String Description

%%AUDIT_BUTTON%%: Displays a button on the page. When you click the button, you can connect to the Internet.
    Note: This reference string is required in the "url-adudit-notification" and "contentfilter-audit-notification" pages. Please do not delete or modify this keyword.

%%IGNORE_WARNING%%: Displays a button on the page. You can click the button to ignore the prompt and continue browsing.
    Note: This reference string is a default reference string displayed on the page. After modification, the ignore prompt and button may not be displayed normally.

%%IMAGE_NAME%%: Picture prefix, used to reference a picture uploaded in Picture Management and output the picture on the user-defined warning page.

%%URLFILTER_REASON%%: Displays the reason for URL filtering blocking on the "url-block" page.
    Note: This reference string is a default reference string displayed on the page. After modification, the reason may not be displayed normally.

%%VIRUS_NAME%%: Displays the virus name on the "av- malware" page.
    Note: This reference string is a default reference string displayed on the page. After modification, the virus name may not be displayed normally.

%%CONTENTFILTER_REASON%%: Displays the reason for content filtering blocking on the "contentfilter-block" page.
    Note: This reference string is a default reference string displayed on the page. After modification, the reason may not be displayed normally.

4. After modifying the html encoding, click Save to save the configuration. At the same time,
the user-defined warning page is enabled and is displayed in the "User-defined" column of the upper list.

5. If you need to restore the default content of the user-defined warning page, click
Restore Default.
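A check to run on a customized page before clicking Save, as an added Python example that is not StoneOS code: it flags removed required or default reference strings from the table above and pictures that were never uploaded, and shows the substitution step with the filtering reason or virus name HTML-escaped, since that value comes from inspected traffic. The `%%IMAGE_<name>%%` form of picture references, the function names and the sample page are assumptions of this example.

```python
import html
import re

# A reference string is %%NAME%%; the IMAGE_ prefix is followed by the name
# of a picture uploaded in Picture Management (the prefix form is an assumption).
REF_PATTERN = re.compile(r"%%([A-Za-z0-9_-]+)%%")

# Reference strings the table above says must be kept on a page type.
REQUIRED = {
    "url-adudit-notification": {"AUDIT_BUTTON"},
    "contentfilter-audit-notification": {"AUDIT_BUTTON"},
}
# Default reference strings whose removal leaves the page unable to show
# the blocking reason or the virus name.
EXPECTED = {
    "url-block": {"URLFILTER_REASON"},
    "av- malware": {"VIRUS_NAME"},
    "contentfilter-block": {"CONTENTFILTER_REASON"},
}


def references(page_html):
    """All reference string names used in a page."""
    return set(REF_PATTERN.findall(page_html))


def lint(page_type, page_html, pictures):
    """Problems to fix before clicking Save: missing required or default
    reference strings, and pictures that were never uploaded."""
    refs = references(page_html)
    problems = []
    for name in sorted(REQUIRED.get(page_type, ())):
        if name not in refs:
            problems.append("required %%{}%% is missing".format(name))
    for name in sorted(EXPECTED.get(page_type, ())):
        if name not in refs:
            problems.append("default %%{}%% removed; it may not display normally".format(name))
    for name in sorted(refs):
        if name.startswith("IMAGE_") and name[len("IMAGE_"):] not in pictures:
            problems.append("picture {!r} is not uploaded".format(name[len("IMAGE_"):]))
    return problems


def render(page_html, values, pictures):
    """Fill in reference strings. Values such as the filtering reason or virus
    name derive from inspected traffic, so they are HTML-escaped before being
    inserted; button references and unknown names are left for the device."""
    def substitute(match):
        name = match.group(1)
        if name.startswith("IMAGE_"):
            path = pictures.get(name[len("IMAGE_"):])
            if path is None:
                return match.group(0)      # not uploaded: leave the reference as-is
            return '<img src="{}">'.format(html.escape(path, quote=True))
        if name in values:
            return html.escape(str(values[name]))
        return match.group(0)
    return REF_PATTERN.sub(substitute, page_html)


# Constructed sample: a customized "url-block" page and one uploaded picture.
SAMPLE_PICTURES = {"logo": "/pictures/logo.png"}
SAMPLE_BLOCK_PAGE = (
    "<html><body>%%IMAGE_logo%% <h1>Access blocked</h1>"
    "<p>Reason: %%URLFILTER_REASON%%</p> %%IGNORE_WARNING%%</body></html>"
)

if __name__ == "__main__":
    print(lint("url-block", SAMPLE_BLOCK_PAGE, SAMPLE_PICTURES))   # []
    print(render(SAMPLE_BLOCK_PAGE, {"URLFILTER_REASON": "category <gambling>"},
                 SAMPLE_PICTURES))
```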

Extended Services
This feature may vary slightly on different platforms. If there is a conflict between this guide and
the actual page, the latter shall prevail.
The system can connect to other Hillstone products to provide more services. Currently, the
extended services include connecting to Hillstone Security Management (HSM). For specific con-
figurations, refer to one of the following topics:

• Connecting to HSM

Connecting to HSM
Hillstone Security Management (HSM) is a centralized management platform to manage and con-
trol multiple Hillstone devices. Using WEB2.0 and RIA (Rich Internet Application) technology,
HSM provides a visualized interface to centrally manage policies, monitor devices and generate
reports.
Each firewall system has an HSM module inside it. When the firewall is configured with the correct
HSM parameters, it can connect to HSM and be managed by HSM.

Notes: For more information about HSM, please refer to HSM User Guide.

HSM Deployment Scenarios

HSM is normally deployed in one of two scenarios: installed in the public network or in the private
network:

• Installed in public network: HSM is remotely deployed and connected to the managed devices via the
Internet. When the HSM and the managed devices have an accessible route, the HSM can control
the devices.

• Installed in private network: In this scenario, HSM and the managed devices are in the same
subnet. HSM can manage devices in the private network.

Connecting to HSM

To configure HSM parameters in the firewall, take the following steps:

1. Select System > Extended Services > Connecting to HSM.Click Edit button.

2. Click Enable button of HSM Agent field to enable this feature.

3. Input HSM server's IP address in the Sever IP/Domain text box. The address cannot be
0.0.0.0 or 255.255.255.255, or mutlicast address.

Chapter 15 1282

System Management
4. Enter the port number of HSM server.

5. Click OK.

Notes: The Syslog Server part shows the HSM server's syslog server and its port.

Connecting to Hillstone Cloud Service Platform

Hillstone Cloud Service Platform is a cloud security services platform, which provides cloud services including CloudView, Cloud Sandbox and CloudVista (Threat Intelligence Center). Hillstone Cloud Service is the cloud capability center of Hillstone and the brain of the cloud-network integration. After the service is enabled, your device will be connected with the Hillstone cloud, which will provide you with a wider range of threat intelligence, improve the protection capability of your device, and enable you to carry out real-time monitoring, inspection and report acquisition of the device and traffic on the cloud anytime and anywhere. These Hillstone cloud applications can greatly enhance the security, visibility, and usability of networks.

• CloudView: CloudView is a SaaS product. It is deployed on the public cloud to provide users with online on-demand services. Hillstone devices register with the cloud service platform and upload device information, traffic data, threat events, system logs and so on to the cloud service platform, and the visual display is provided by CloudView. Users can monitor the device status and obtain reports and threat analysis through the Web or the mobile phone APP. For more information about CloudView, refer to the CloudView FAQs.

• Cloud Sandbox: It is a technology adopted by the Sandbox function. After a suspicious file is uploaded to the Hillstone cloud service platform, the cloud sandbox will collect behaviors of the file, analyze the collected data, verify the legality of the file, send the analysis result to the system and deal with the malicious file according to the actions set by the system. For specific configurations of the cloud sandbox, refer to Threat Prevention > Sandbox.

• CloudVista (Threat Intelligence Center): The Threat Intelligence function can upload some elements in the logs generated by each module to the cloud service platform, such as IP addresses, domains, etc. The cloud service platform will check whether the elements have threat intelligence through the threat center. You can view threat intelligence information related to the elements through the threat intelligence center.

Connecting to Hillstone Cloud Service Platform

To connect to the Hillstone Cloud Service Platform, take the following steps:

1. Select System > Connecting to Hillstone Cloud Service Platform.

2. At the lower-left corner, click the Edit button. The Hillstone Cloud Service Platform configuration page appears.

In this page, configure the following options.

Address: Enter the IP address or domain name of the cloud service platform. The default value is cloud.hillstonenet.com.cn.

Virtual Router: Select the VRouter of the cloud service platform from the drop-down list.

User: Enter the username of the cloud service platform and bind the device with this account. Click the Register button to sign up for an account on the Hillstone cloud service login page. Click Unbind to remove the binding relationship between the device and the account.

Password: Enter the password of the user.

3. Click the Hillstone CloudView button. The Hillstone CloudView page appears.

In this page, configure the following options.

Enable: Click the Enable button to enable the Hillstone CloudView service.

Upload Data Item: Check the checkbox of the data items that need to be uploaded to the cloud service platform.

Cloud Inspection: Click the Enable button to enable the cloud inspection function and upload the collected inspection data to the cloud service platform. With the cloud inspection function, the device can receive and execute inspection instructions from the cloud and upload the collected inspection data to the cloud service platform, which enables you to carry out real-time monitoring and management on the cloud anytime and anywhere.

Scan QR code to connect to Hillstone CloudView using the APP: Scan the QR code using a QR reader app on your smartphone or mobile device to connect to Hillstone CloudView via the APP.

Visit CloudView: Click the button to visit CloudView.

4. Click the Cloud Sandbox button. In the Cloud Sandbox page, click Sandbox and configure the cloud sandbox function in the sandbox configuration page. For more information about the cloud sandbox, refer to Threat Prevention > Sandbox.

5. Click the CloudVista button. In the CloudVista page, click the Enable button to enable the CloudVista service. The CloudVista service is controlled by license. To use the CloudVista service, install the threat intelligence license.

6. Click the Enable button to join the user experience improvement program. This function will upload the threat prevention data to the cloud service platform. The uploaded data will be used for internal research to reduce false positives and improve the protection capability of your device.

7. Click EULA & Privacy to read the confidentiality and privacy statements, user authorizations and other content.
SNMP
The device is designed with an SNMP Agent, which can receive operation requests from the Network Management System and return the corresponding information about the network and the device.
The device supports the SNMPv1, SNMPv2 and SNMPv3 protocols. SNMPv1 and SNMPv2 use community-based authentication to limit which Network Management Systems can get device information. SNMPv3 introduces a user-based security model for information security and a view-based access control model for access control.
The device supports all relevant Management Information Base II (MIB II) groups defined in RFC-1213, the Interfaces Group MIB (IF-MIB) using SMIv2 defined in RFC-2233, the User-based Security Model (USM) for version 3 defined in RFC-2574 and the View-based Access Control Model (VACM) defined in RFC-2575. In addition, the system offers a private MIB, which contains the system information, IPSec VPN information and statistics information of the device. You can use the private MIB by loading it into an SNMP MIB browser on the management host.

SNMP Agent
The device is designed with an SNMP Agent, which provides network management and monitors the running status of the network and devices by viewing statistics and receiving notifications of important system events.
To configure an SNMP Agent, take the following steps:

1. Select System > SNMP > SNMP Agent.

2. Click the Enable button. In the SNMP Agent page, configure these values.

SNMP Agent: Select the Enable check box for Service to enable the SNMP Agent function.

ObjectID: The Object ID displays the SNMP object ID of the system. The object ID is specific to an individual system and cannot be modified.

System Contact: Type the SNMP system contact information of the device into the System Contact box. System contact is a management variable of the system group in MIB II and contains the ID and contact of the relevant administrator of the managed device. By configuring this parameter, you save this important information on the device for possible use in case of emergency.

Location: Type the location of the device into the Location box.

Host Port: Type the port number of the managed device into the Host Port box.

Virtual Router: Select the VRouter from the Virtual Router drop-down list.

Local EngineID: Type the SNMP engine ID into the Local EngineID box.

3. Click Apply.

Notes: The SNMP Engine ID identifies an engine uniquely. The SNMP Engine is an important component of the SNMP entity (Network Management System or managed network device) which implements functions such as the reception/sending and verification of SNMP messages, PDU abstraction, encapsulation, and communications with SNMP applications.

SNMP Host
To create an SNMP host, take the following steps:

1. Select System > SNMP > SNMP Host.

2. Click New.

3. In the SNMP Agent dialog box, configure these values.

Type: Select the SNMP host type from the Type drop-down list. You can select IP Address, IP Range or IP/Netmask.

• IP Address: Type the IP address of the SNMP host into the Hostname box.

• IP Range: Type the start IP and end IP into the Hostname box respectively.

• IP/Netmask: Type the start IP address and netmask of the SNMP host into the Hostname box respectively.

SNMP Version: Select the SNMP version from the SNMP Version drop-down list.

Community: Type the community for the SNMP host into the Community box. The community is a password sent in clear text between the manager and the agent. This option is only effective if the SNMP version is V1 or V2C.

Permission: Select the read and write permission for the community from the Permission drop-down list. This option is only effective if the SNMP version is V1 or V2C.

• RO: Stands for read-only; the read-only community is only allowed to read the MIB information.

• RW: Stands for read-write; the read-write community is allowed to read and modify the MIB information.

4. Click OK.
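The clear-text community described under Community above, and the community-based authentication of SNMPv1/v2c mentioned in the SNMP overview, can be seen directly on the wire. The following is an added example and not part of this guide or of StoneOS: it encodes an SNMPv2c GetRequest with only the Python standard library and then parses the outer envelope back out of the bytes, the way a network monitor would when checking for default or read-write communities on a management segment. The OID 1.3.6.1.2.1.1.1.0 is sysDescr.0 from MIB II; the community values and the captured datagram are constructed for the example.

```python
"""SNMPv1/v2c envelope: build a GetRequest and read the community back out.

Added example (not StoneOS code). Pure standard library: a minimal BER
encoder/decoder sufficient for the SNMP message wrapper. The community
string of v1/v2c is an OCTET STRING in clear text, which is what an
inline monitor can flag; SNMPv3 (USM) carries no such field.
"""

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest",
             0xA6: "InformRequest", 0xA7: "SNMPv2-Trap"}
VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}
DEFAULT_COMMUNITIES = {"public", "private"}   # widely shipped defaults


def _tlv(tag: int, value: bytes) -> bytes:
    """BER tag-length-value with short- or long-form length."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _int(n: int) -> bytes:
    """Non-negative INTEGER; an extra leading byte keeps the sign bit clear."""
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_get_request(community: str, oid: str, request_id: int = 1, version: int = 1) -> bytes:
    """GetRequest-PDU for one OID; version 0 = SNMPv1, 1 = SNMPv2c."""
    varbind = _tlv(0x30, _oid(oid) + b"\x05\x00")          # value is NULL
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0)  # error-status, error-index
               + _tlv(0x30, varbind))
    return _tlv(0x30, _int(version) + _tlv(0x04, community.encode()) + pdu)


def parse_envelope(datagram: bytes) -> dict:
    """Decode version, community (v1/v2c only) and PDU type from a datagram."""
    tag, msg, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(msg, 0)
    version = int.from_bytes(ver, "big")
    if version == 3:
        # SNMPv3: msgGlobalData and USM security parameters follow, no community.
        return {"version": "v3", "community": None, "pdu": None}
    _, comm, pos = _read_tlv(msg, pos)
    pdu_tag, _, _ = _read_tlv(msg, pos)
    return {"version": VERSION_NAMES.get(version, str(version)),
            "community": comm.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag))}


def audit(datagram: bytes) -> list:
    """Findings a monitor would raise for one SNMP datagram."""
    info = parse_envelope(datagram)
    findings = []
    if info["version"] in ("v1", "v2c"):
        findings.append(f"{info['version']} community sent in clear text: {info['community']!r}")
        if info["community"] in DEFAULT_COMMUNITIES:
            findings.append("default community string in use")
        if info["pdu"] == "SetRequest":
            findings.append("write (SetRequest) authenticated only by a clear-text community")
    return findings


# Constructed sample: SNMPv1 GetRequest for sysDescr.0 with community "public",
# written out byte by byte the way it would appear in a packet capture.
CAPTURED = bytes.fromhex(
    "30 26 02 01 00 04 06 70 75 62 6c 69 63 a0 19 02 01 01 02 01 00 02 01 00 "
    "30 0e 30 0c 06 08 2b 06 01 02 01 01 01 00 05 00")

if __name__ == "__main__":
    print(parse_envelope(CAPTURED))
    for finding in audit(CAPTURED):
        print("-", finding)
```

The encoder and the hand-written capture agree byte for byte, which is the point: nothing in a v1/v2c datagram protects the community, so on this device the RO/RW choice and the host restriction (IP Address, IP Range, IP/Netmask) are the only controls, and V3 with Authentication and Encryption is the option that removes the clear-text secret altogether.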

Trap Host
To create a Trap host, take the following steps:

1. Select System > SNMP > Trap Host.

2. Click New.

3. In the Trap Host Configuration dialog box, configure these values.

Host: Type the domain name or IP address of the Trap host into the Host box.

Trap Host Port: Type the port number for the Trap host into the Trap Host Port box.

SNMP Agent: Select the SNMP version from the SNMP Agent drop-down list.

• V1 or V2C: Type the community for the Trap host into the Community box.

• V3: Select the V3 user from the V3 User drop-down list. Type the Engine ID for the trap host into the Engine ID box.

4. Click OK.

V3 User Group
SNMPv3 introduces a user-based security model. You need to create an SNMP V3 user group for the SNMP host if the SNMP version is V3.

To create a V3 user group:

1. Select System > SNMP > V3 User Group.

2. Click New.

3. In the V3 Group Configuration dialog box, enter values.

Name: Type the SNMP V3 user group name into the Name box.

Security Model: The Security Model option displays the security model for the SNMP V3 user group.

Security Level: Select the security level for the user group from the Security Level drop-down list. The security level determines the security mechanism used in processing an SNMP packet. Security levels for V3 user groups include No Authentication (no authentication and no encryption), Authentication (authentication algorithm based on MD5 or SHA) and Authentication and Encryption (authentication algorithm based on MD5 or SHA and message encryption based on AES or DES).

Read View: Select the read-only MIB view name for the user group:

• All: The user group can read all MIB views.

4. Click OK.

V3 User
If the selected SNMP version is V3, you need to create an SNMP V3 user group for the SNMP host and then add users to the user group.
To create a user for an existing V3 user group, take the following steps:

1. Select System > SNMP > V3 User.

2. Click New.

3. In the V3 User Configuration dialog box, configure these values.

Name: Type the SNMP V3 user name into the Name box.

V3 User Group: Select an existing user group for the user from the Group drop-down list.

Security Model: The Security Model option displays the security model for the SNMP V3 user.

Remote IP: Type the IP address of the remote management host into the Remote IP box.

Authentication: Select the authentication protocol from the Authentic-

4. Click OK.
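The Security Level choices of the V3 user group (authentication with MD5 or SHA, with or without encryption) and the Engine ID that the V3 User and Trap Host entries depend on all come from the SNMPv3 User-based Security Model named in the SNMP overview. The following added example is not StoneOS code: it implements the RFC 3414 password-to-key and key-localization steps with the Python standard library, using the test vector published in that RFC (password "maplesyrup", engine ID 00…02) so the result can be checked, and shows that the same password localizes to a different key under a different engine ID, which is why a trap host configured for V3 needs its Engine ID entered. The `security_level` mapping to the USM level names and the second engine ID are assumptions made for the example.

```python
"""SNMPv3 USM: password -> Ku -> localized key Kul (RFC 3414, section 2.6 and A.2).

Added example, not StoneOS code. Shows why an authentication key depends
on both the user's password and the SNMP engine ID, and how the three
security levels of the V3 user group map to USM level names.
"""
import hashlib

# Test vector published in RFC 3414, Appendix A.3 (not a StoneOS value).
RFC_PASSWORD = "maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

# The WebUI's authentication choices and the hash each one uses.
AUTH_HASH = {"MD5": "md5", "SHA": "sha1"}


def password_to_key(password: str, auth: str) -> bytes:
    """Ku: hash of the password repeated to exactly 1,048,576 bytes."""
    pw = password.encode()
    reps, rem = divmod(1_048_576, len(pw))
    h = hashlib.new(AUTH_HASH[auth])
    h.update(pw * reps + pw[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, auth: str) -> bytes:
    """Kul = H(Ku || engineID || Ku): binds the key to one authoritative engine."""
    return hashlib.new(AUTH_HASH[auth], ku + engine_id + ku).digest()


def localized_auth_key(password: str, engine_id: bytes, auth: str) -> bytes:
    """Key the agent (or the trap receiver) actually uses to authenticate."""
    return localize_key(password_to_key(password, auth), engine_id, auth)


def check_engine_id(engine_id: bytes) -> bool:
    """Length rule from RFC 3411 (SnmpEngineID is 5..32 octets)."""
    return 5 <= len(engine_id) <= 32


def security_level(authentication: bool, encryption: bool) -> str:
    """Map the WebUI's Security Level choices to the USM level names (assumed mapping)."""
    if encryption and not authentication:
        raise ValueError("USM does not allow privacy without authentication")
    if authentication and encryption:
        return "authPriv"          # "Authentication and Encryption"
    if authentication:
        return "authNoPriv"        # "Authentication"
    return "noAuthNoPriv"          # "No Authentication"


if __name__ == "__main__":
    for auth in ("MD5", "SHA"):
        print(auth, localized_auth_key(RFC_PASSWORD, RFC_ENGINE_ID, auth).hex())
```

Because the localized key is derived from the engine ID, a manager that sends a V3 trap or request with the wrong engine ID fails authentication even with the right password; when a V3 trap host does not receive traps, the Engine ID entry is the first thing to compare against the Local EngineID shown on the SNMP Agent page.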
SNMP Server
You can configure the SNMP server to get ARP information through the SNMP protocol.

Creating an SNMP Server

To create an SNMP server, take the following steps:

1. Select System > SNMP server.

2. Click New.

In the SNMP Server Configuration dialog box, configure these values.

Server IP: Type the SNMP server IP address into the Server IP box.

Port: Type the port number for the SNMP server into the Port box. The value range is 1 to 65535; the default value is 161.

Community: Type the community for the SNMP server into the Community box. This option is only effective if the SNMP version is V1 or V2C.

Virtual Router: Select the VRouter from the drop-down list.

Source Interface: Select the source interface for receiving ARP information from the SNMP server from the drop-down list.

Interval Time: Type the interval for receiving ARP information from the SNMP server into the Interval Time box. The value range is 5 to 1800 seconds; the default value is 60 seconds.

3. Click OK.

NETCONF
Network Configuration Protocol (NETCONF) provides a mechanism for managing network devices. You can add, modify, and delete configurations of network devices, and obtain configuration and status information of network devices. Through NETCONF, network devices provide standard application programming interfaces (APIs). Applications can directly use these APIs to send configurations to, and obtain configurations from, network devices.
Comparison between NETCONF and SNMP:

Configuration management
  SNMP: SNMP does not provide a locking mechanism.
  NETCONF: NETCONF provides a locking mechanism to avoid configuration conflicts arising from multi-user operations.

Inquiry
  SNMP: You can inquire about one or more nodes of the table through multiple interactions with the system.
  NETCONF: You can inquire about all configurations of the system.

Extensibility
  SNMP: Poor extensibility.
  NETCONF: Good extensibility. NETCONF adopts a layered architecture and each layer is independent. Therefore, the impact on the upper-layer protocol is minimized when you extend a layer of NETCONF. Also, NETCONF adopts XML, which allows the protocol to be extensible in terms of management ability and system compatibility.

Security
  SNMP: Take the latest SNMPv3 as an example. SNMPv3 only provides the user-based security model and cannot be combined with other security modules.
  NETCONF: NETCONF uses existing security protocols to provide security protection. It is not bound to a specific security protocol. Therefore, in practice, NETCONF is more flexible than SNMP. Note: SSH is the preferred protocol at the NETCONF transport layer; XML messages are carried by the SSH protocol.

Through the NETCONF client, you can modify the configuration of Hillstone devices and obtain configuration and status information. You can configure the following function modules:

• Object module: You can create/delete/edit the address book and host book through the NETCONF client.

• Network module: You can create/delete/edit zone, interface, DNS server, DNS proxy, DHCP, destination route, source route, policy route, OSPF, BGP, IPsec VPN, and SSL VPN through the NETCONF client.

• Policy module: You can create/delete/edit a policy, SNAT, and DNAT through the NETCONF client.

Notes:
• The NETCONF function requires you to configure the login type of administrators and the trusted host as NETCONF, and the management method of interfaces as NETCONF. It is recommended to configure these three options before you enable NETCONF.

• When the root VSYS enables NETCONF, you can configure the login type of non-root administrators as NETCONF to enable NETCONF on a non-root VSYS.

Configuring the NETCONF Agent

The StoneOS system is equipped with a NETCONF agent, which manages the configuration of the device.
You can configure the NETCONF agent only by CLI. For more information, refer to the chapter on Network Configuration Protocol (NETCONF) of the StoneOS CLI User Guide.

Configuring NETCONF Candidate

The NETCONF candidate enables you to modify the configuration of the current device but apply the modification later, so that current service traffic is not affected. You can modify the configuration of the candidate and replace the current configuration with the candidate configuration according to your own needs. The replacement takes effect immediately. By default, the NETCONF candidate is disabled.
You can configure the NETCONF candidate only by CLI. For more information, refer to the chapter on Network Configuration Protocol (NETCONF) of the StoneOS CLI User Guide.

Configuring NETCONF Timeout
You can perform operations such as delivering configuration to a Hillstone device through the NETCONF client. If you do not perform any operations on the NETCONF client for a certain amount of time, you will be required to log in again to perform subsequent operations. By default, the timeout period is 10 minutes.
You can configure the NETCONF timeout only by CLI. For more information, refer to the chapter on Network Configuration Protocol (NETCONF) of the StoneOS CLI User Guide.
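To make the comparison table and the candidate notes above concrete, the following added example (not StoneOS or Hillstone code; the StoneOS CLI User Guide referenced above remains the authority for the agent itself) shows the client side of a NETCONF session as a library would assemble it: the hello/capability exchange that selects base:1.1 or base:1.0 framing over SSH, the RFC 6242 message framing for both, a lock/edit-config/commit/unlock sequence against the candidate datastore that refuses to run when the peer has not advertised :candidate (the guide notes the candidate is disabled by default), and reply checking for rpc-error. Nothing here opens a connection. The server hello and the `<example-config/>` payload are constructed placeholders, not a StoneOS schema.

```python
"""NETCONF client-side message handling (RFC 6241 / RFC 6242), added example.

Not StoneOS code. Standard library only; it produces and parses the
messages a client would exchange over the SSH transport.
"""
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
BASE_1_0 = "urn:ietf:params:netconf:base:1.0"
BASE_1_1 = "urn:ietf:params:netconf:base:1.1"
CANDIDATE = "urn:ietf:params:netconf:capability:candidate:1.0"
EOM = "]]>]]>"                      # base:1.0 end-of-message delimiter


def client_hello(capabilities=(BASE_1_0, BASE_1_1)) -> str:
    hello = ET.Element("hello", {"xmlns": NS})
    caps = ET.SubElement(hello, "capabilities")
    for cap in capabilities:
        ET.SubElement(caps, "capability").text = cap
    return ET.tostring(hello, encoding="unicode")


def parse_hello(xml_text: str) -> set:
    """Capabilities advertised by the peer's <hello>."""
    root = ET.fromstring(xml_text)
    return {c.text.strip() for c in root.iter(f"{{{NS}}}capability")}


def negotiate_framing(server_caps: set, client_caps=(BASE_1_0, BASE_1_1)) -> str:
    """RFC 6242: chunked framing only when both sides advertise base:1.1."""
    return "1.1" if BASE_1_1 in server_caps and BASE_1_1 in client_caps else "1.0"


def frame(message: str, version: str) -> bytes:
    """Wrap one message for the wire: EOM delimiter (1.0) or a single chunk (1.1)."""
    data = message.encode()
    if version == "1.0":
        return data + EOM.encode()
    return b"\n#%d\n" % len(data) + data + b"\n##\n"


def unframe_chunked(stream: bytes) -> list:
    """Split a base:1.1 chunked byte stream into complete messages."""
    messages, current, pos = [], bytearray(), 0
    while pos < len(stream):
        if stream.startswith(b"\n##\n", pos):          # end-of-chunks marker
            messages.append(bytes(current))
            current, pos = bytearray(), pos + 4
            continue
        if not stream.startswith(b"\n#", pos):
            raise ValueError(f"bad chunk header at offset {pos}")
        nl = stream.index(b"\n", pos + 2)
        size = int(stream[pos + 2:nl])
        current += stream[nl + 1:nl + 1 + size]
        pos = nl + 1 + size
    return messages


def rpc(message_id: int, operation: ET.Element) -> str:
    root = ET.Element("rpc", {"xmlns": NS, "message-id": str(message_id)})
    root.append(operation)
    return ET.tostring(root, encoding="unicode")


def _target(op: str, datastore: str) -> ET.Element:
    el = ET.Element(op)
    ET.SubElement(ET.SubElement(el, "target"), datastore)
    return el


def candidate_workflow(server_caps: set, config_xml: str, first_id: int = 1) -> list:
    """lock -> edit-config -> commit -> unlock on the candidate datastore.

    Refuses to proceed when the peer does not advertise :candidate, which is
    what a client sees while the candidate is disabled on the device.
    """
    if CANDIDATE not in server_caps:
        raise RuntimeError("peer does not advertise :candidate; enable it before staging changes")
    edit = _target("edit-config", "candidate")
    ET.SubElement(edit, "config").append(ET.fromstring(config_xml))
    ops = [_target("lock", "candidate"), edit, ET.Element("commit"), _target("unlock", "candidate")]
    return [rpc(first_id + i, op) for i, op in enumerate(ops)]


def reply_status(xml_text: str):
    """(ok, error_message) for an <rpc-reply>; a lock held by another session shows up here."""
    root = ET.fromstring(xml_text)
    err = root.find(f"{{{NS}}}rpc-error")
    if err is not None:
        msg = err.findtext(f"{{{NS}}}error-message") or err.findtext(f"{{{NS}}}error-tag") or "unknown"
        return False, msg.strip()
    return root.find(f"{{{NS}}}ok") is not None, None


# Constructed peer hello (placeholder capabilities, not StoneOS output).
SERVER_HELLO = (
    f'<hello xmlns="{NS}"><capabilities>'
    f"<capability>{BASE_1_0}</capability><capability>{BASE_1_1}</capability>"
    f"<capability>{CANDIDATE}</capability></capabilities>"
    "<session-id>4</session-id></hello>")

if __name__ == "__main__":
    caps = parse_hello(SERVER_HELLO)
    version = negotiate_framing(caps)
    for message in candidate_workflow(caps, "<example-config/>"):
        print(frame(message, version))
```

The lock/unlock pair around edit-config is the locking mechanism the comparison table credits NETCONF with: while the lock is held, a second administrator's edit on the candidate gets an rpc-error instead of silently overlapping. Since the device logs a NETCONF session out after the idle timeout, a client that holds the lock across a long pause should expect the lock to be released with the session and re-check `reply_status` on its next operation.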

Upgrading System
The firmware upgrade wizard helps you:

• Upgrade the system to a new version or roll the system back to a previous version.

• Update the Signature Database.

• Update the Trusted Root Certificate Database.

Upgrading Firmware
To upgrade firmware, take the following steps:

1. Select System > Upgrade Management > Upgrade Firmware.

2. In the Upgrade Firmware tab, configure the following.

Upgrade Firmware

Backup Configuration File: Make sure you have backed up the configuration file before upgrading. Click Backup Configuration File to back up the current firmware file; the system will automatically redirect to the Configuration File Management page after the backup.

Current Version: The current firmware version.

Upload Firmware: Click Browse to select a firmware file from your local disk.

Backup Image: The backup firmware version.

Reboot: Select the "Reboot now to make the new firmware take effect" check box and click Apply to reboot the system and make the firmware take effect. If you click Apply without selecting the check box, the firmware will take effect after the next startup.

Choose a Firmware for the next startup

Select the firmware that will take effect for the next startup: Select the firmware that will take effect for the next startup.

Reboot: Select the "Reboot now to make the new firmware take effect" check box and click Apply to reboot the system and make the firmware take effect. If you click Apply without selecting the check box, the firmware will take effect after the next startup.

Updating Signature Database

To update the signature database, take the following steps:

1. Select System > Upgrade Management > Signature Database Update.

2. In the Signature Database Update page, configure the following.

Current Version: Shows the current version number.

Remote Update: Application signature database, URL signature database, Antivirus signature database, IPS signature database, IP reputation database, Botnet Prevention signature database.

• Protocol: Select the update method of the signature database, HTTP or HTTPS. Click Restore Default to restore the default HTTPS transmission method.

• Update Server: By default the system updates the signature database automatically every day. You can change the update configuration as needed. IPv4 and IPv6 addresses are supported for configuring the update server address. Hillstone devices provide two default update servers: https://update1.hillstonenet.com and https://update2.hillstonenet.com. You can customize the servers according to your need. In Update Server, specify the server IP or domain name and Virtual Router.

• Update Proxy Server: When the device accesses the Internet through an HTTP proxy server, you need to specify the IP address and the port number of the HTTP proxy server. With the HTTP proxy server specified, the various signature databases can be updated normally. In Update Proxy Server, enter the IP addresses and ports of the main proxy server and the backup proxy server.

• Auto Update: Click the Enable button of Auto Update and specify the auto update time. Click OK to save your changes.

• Update Now: Click OK And Online Update to update the signature database right now.

Local Update: Download the update package from the default feature update server for local update.

• Download the upgrade packages of the application signature database, URL signature database, Antivirus signature database, IPS signature database, IP reputation database and Botnet Prevention signature database from https://update1.hillstonenet.com and https://update2.hillstonenet.com.

• Click Browse and select the signature file on your local PC, and then click Upload.

Notes: Before StoneOS R8P4, download the Botnet Prevention signature database upgrade package through the "Botnet C&C Detection Package" link of the default update server. From StoneOS R8P4, download the Botnet Prevention signature database upgrade package through the "Encrypt Botnet C&C Detection Package" link of the default update server.

Updating Trusted Root Certificate Database

To ensure that the root certificates stored on your device are sufficient and up to date, and to reduce errors that occur during server certificate verification, you need to update the trusted root certificate database in a timely manner. The system supports both remote upgrade and local upgrade. When updating the trusted root certificate database, the system will delete revoked certificates and expired certificates, and add new certificates.
To update the trusted root certificate database, take the following steps:

1. Select System > Upgrade Management > Trusted Root Certificate Update.

2. In the Trusted Root Certificate Update page, configure the following.

Current Version: Shows the current version number.

Remote Update: Click Remote Update and configure the following update parameters.

• Update Server: By default, the system updates the trusted root certificate database automatically every day. You can change the update configuration as needed. Hillstone devices provide two default update servers: https://update1.hillstonenet.com and https://update2.hillstonenet.com. You can customize the servers as needed. Under Update Server, specify the server IP or domain name and virtual router.

• Update Proxy Server: When the device accesses the Internet through an HTTP proxy server, you need to specify the IP address and the port number of the HTTP proxy server to ensure the trusted root certificate database can be updated normally. Under Update Proxy Server, enter the IP addresses and ports of the main proxy server and the backup proxy server.

• Auto Update: Click the Enable button and specify the auto update time. Click OK to save your changes.

• OK And Online Update: Click the button to update the trusted root certificate database immediately.

Local Update: Click Local Update, click Browse to select a trusted root certificate database file on your local PC, and then click Upload.
License
Licenses are used to authorize features, authorize services, or extend performance. If you do not buy and install the corresponding license, the features, services, and performance that depend on the license cannot be used or achieved.

License classes and rules.

Platform License

Platform Trial
  Description: The platform license is the basis for the operation of the other licenses. If the platform license is invalid, the other licenses are not effective. The device has been pre-installed with a 15-day platform trial license in the factory.
  Valid time: You cannot modify the existing configuration when the license expires. The system will restore to factory defaults when the device reboots.
  Whether to restart: Not required.

Platform
  Description: You can install the platform license after the device's formal sale. The license provides the basic firewall and VPN functions.
  Valid time: The system cannot upgrade the OS version when the license expires, but the system can still work normally.
  Whether to restart: Not required.

Function License

VSYS
  Description: Authorizes the available number of VSYS.
  Valid time: Permanent.
  Whether to restart: Restart is required for each installation.

SCVPN
  Description: Authorizes the maximum number of SSL VPN accesses. By installing multiple SCVPN licenses, you can increase the maximum number of SSL VPN accesses.
  Valid time: Permanent.
  Whether to restart: All versions except the following should be restarted after each installation. Versions that do not need restarting are 5.5R6P21 and later 5.5R6P versions, 5.5R8P7 and later 5.5R8P versions, and 5.5R9 and later.

QoS
  Description: Enables the QoS function.
  Valid time: Permanent.
  Whether to restart: Not required.

Cloud sandbox License
  Description: Provides the Cloud sandbox function and white list update, and authorizes the number of suspicious files uploaded per day. Includes 4 licenses: Cloud sandbox-200, Cloud sandbox-300, Cloud sandbox-500 and Cloud sandbox-1000. The number of files allowed to be uploaded per day differs between licenses.
  Valid time: The valid time includes 1 year, 2 years and 3 years. The system cannot analyze the collected data and cannot update the white list when the license expires. The Cloud sandbox protection function can only be used according to the local database cache results. If you restart the device, the function cannot be used.
  Whether to restart: Restart is required for the first installation. Restart is not required when you renew the subscription.

Twin-mode License
  Description: Provides the twin-mode function. The related parameters of the twin-mode function can be displayed and configured.
  Valid time: The system cannot upgrade the twin-mode function and cannot provide the maintenance service when the license has expired.
  Whether to restart: Not required.

EPP
  Description: Provides the End Point Prevention function.
  Valid time: The End Point Prevention function cannot be used when the license expires.
  Whether to restart: Not required.

Service License

AntiVirus
  Description: Provides the antivirus function and antivirus signature database update.
  Valid time: The system cannot update the antivirus signature database when the license expires, but the antivirus function can still be used normally.
  Whether to restart: Restart is required for the first installation. Restart is not required when you renew the subscription.

URL DB
  Description: Provides the URL database and URL signature database update.
  Valid time: The system cannot provide the online URL database search function when the license expires, but the user-defined URL and URL filtering functions can be used normally.
  Whether to restart: Restart is required for the first installation. Restart is not required when you renew the subscription.

IPS
  Description: Provides the IPS function and IPS signature database update.
  Valid time: The system cannot update the IPS signature database when the license expires, but the IPS function can still be used normally.
  Whether to restart: Restart is required for the first installation. Restart is not required when you renew the subscription.

APP signature
  Description: The APP signature license is issued with the platform license; you do not need to apply for it separately. The valid time of the license is the same as that of the platform license.
  Valid time: The system cannot update the APP signature database when the license expires, but the included functions and rules can still be used normally.
  Whether to restart: Not required.

Threat Prevention
  Description: A package of features, including AntiVirus, IPS, threat intelligence, and the corresponding signature database updates.
  Valid time: The system cannot update any signature database when the license expires, but the included functions and rules can still be used normally.
  Whether to restart: Refer to the restart policies for the individual licenses of AntiVirus, IPS, and threat intelligence.

IP Reputation
  Description: Provides the Perimeter Traffic Filtering function of IP reputation and IP reputation database update. From 5.5R6, StoneOS supports the Perimeter Traffic Filtering function of IP Reputation instead of the predefined black list. You can buy the IP reputation license to upgrade.
  Valid time: The system cannot update the IP reputation database when the license expires.
  Whether to restart: Restart is required for the first installation. Restart is not required when you renew the subscription.

Antispam
  Description: Provides the Anti-Spam function.
  Valid time: The Anti-Spam function cannot be used when the license expires.
  Whether to restart: Restart is required for the first installation. Restart is not required when you renew the subscription.

Botnet Prevention
  Description: Provides the Botnet Prevention function and Botnet Prevention database update.
  Valid time: The system cannot update any signature database when the license expires, but the included functions and rules can be used normally.
  Whether to restart: Restart is required for the first installation. Restart is not required when you renew the subscription.

IoT monitor&control
  Description: Provides the IoT policy function.
  Valid time: Permanent.
  Whether to restart: Not required.

IoT monitor&control trial
  Description: After installing the IoT monitor&control trial license, you get the same IoT policy function as a system with the IoT monitor&control license, but the duration is shorter.
  Valid time: The IoT policy function cannot be used when the license expires. If you restart the device, the existing IoT policy configurations will not be lost, but will not take effect.
  Whether to restart: Not required.

Threat intelligence License
  Description: Provides the threat intelligence function.
  Valid time: The threat intelligence function cannot be used when the license expires.
  Whether to restart: Not required.

Bundle License1
  Description: A package of features, including IPS, AntiVirus, threat intelligence, QoS, URL DB, and the corresponding signature database updates.
  Valid time: For expiration, refer to the respective license policy.
  Whether to restart: Refer to the restart policies for the individual licenses of IPS, AntiVirus, threat intelligence, QoS, and URL DB.

Bundle License3
  Description: A package of features, including IPS, AntiVirus, threat intelligence, QoS, URL DB, Botnet Prevention, IP Reputation, Cloud sandbox, and the corresponding signature database updates.
  Valid time: For expiration, refer to the respective license policy.
  Whether to restart: Refer to the restart policies for the individual licenses of IPS, AntiVirus, threat intelligence, QoS, URL DB, Botnet Prevention, IP Reputation, and Cloud sandbox.

Applying for a License

Before you apply for a license, you have to generate a license request first.

1. Click Apply For. Under License Request, input the user information. All fields are required.

2. Click Generate. A block of request code appears.

3. Send the code to your sales contact. The sales person will issue the license and send the
license code back to you.

Installing a License
After obtaining the license, you must install it to the device.
To install a license, take the following steps:

1. Select System > License, and click Import.

2. On the Import License page, configure the options below.

Option Description

Upload License File Select Upload License File. Click Browse to select the license file (TXT
format), and then click OK to upload it.

Manual Input Select Manual Input. Type the license string into the box.

3. Click OK.
Mail Server
By configuring the mail server in the Mail Server page, the system can send the log messages,
report or alarm information to the specified email address.

Creating a Mail Server


To create a mail server, take the following steps:

1. Select System > Mail Server.

2. In the Mail Server Configuration page, configure these values.

Option Description

Name Type a name for the mail server into the box.

Server Type the domain name or IP address of the mail server into the box.

Transmission Mode Select the transmission mode for the email.

l PLAIN: Specifies that the mail is sent in plain text and is not encrypted. This mode is the
default transmission mode.

l STARTTLS: STARTTLS is an extension to the plain text communication protocol that upgrades
plain text connections to encrypted connections. In this mode, the mail is transmitted
encrypted.

3. Click Apply.
SMS Parameters
This Section contains the following contents:

l "SMS Modem" on Page 1324

l "SMS Gateway" on Page 1325

SMS Modem
An external GSM modem device is required for sending SMS messages. First, prepare a mobile phone
SIM card and a GSM SMS modem. Insert the SIM card into the modem and then connect the modem and
the firewall using a USB cable.
The following models of SMS modem are recommended:

Model Type Interface

4G MODEM M1806-NC5 LTE(FDD), LTE(TDD), WCDMA, TD-SCDMA, GSM/GPRS/EDGE, CDMA2000 USB interface

GSM MODEM M1206B GSM USB interface

The system shows the modem connection status: correctly connected, does not exist, or no signal.

Configuring SMS Parameters

You can define the maximum number of SMS messages in one hour or in one day. If the messages
exceed the maximum number, the system will not have the modem send them, but it will keep a log of
this behavior.

Option Description

Maximum messages per hour Defines the maximum number of messages the modem can send in one hour.

Maximum messages per day Defines the maximum number of messages the modem can send in one day.

Testing SMS

To test if the message sending works, you can send a test text to a mobile.
To send a text message to a specified mobile number, take the following steps:

1. Select System > SMS Parameters.

2. Enter a mobile phone number in the text box.

3. Click Send. If the SMS modem is correctly configured and connected, the phone using that
number will receive a text message; if it fails, an error message will indicate where the error
is.

SMS Gateway

Configuring SMS Gateway

To configure the SMS gateway, take the following steps:

1. Select System > SMS Parameters > SMS Gateway.

2. Click New.

In the SMS Gateway Configuration dialog box, configure the following options.

Option Description

Protocol Type Specifies the protocol of the SMS gateway. SGIP indicates the SGIP protocol of China
Unicom. UMS indicates the enterprise information platform of China Unicom. ACC indicates the ACC
protocol of China Telecom. ALIYUNSMS indicates the SMS service platform of Alibaba Cloud. XUANWU
indicates the Xuanwu Technology SMS service platform. CAS indicates the 12302 SMS service
platform.

Service Provider Specifies the service provider name. The value range is 1 to 31.

UMS Protocol When the protocol type is specified as "UMS", users can specify the UMS protocol type.
The default protocol type is HTTPS.

Protocol When the protocol type is specified as "ACC", "ALIYUNSMS" or "CAS", users can specify the
protocol type. When the protocol type is specified as "CAS", the default protocol type is HTTPS.
When the protocol type is specified as "ACC" or "ALIYUNSMS", the default protocol type is HTTP.

Virtual Router Specifies the VRouter the gateway belongs to. The system supports multi-VR, and the
default VR is trust-vr.

Host Specifies the gateway address.

Port Specifies the port number of the gateway. When the protocol type is specified as "SGIP", the
default port number is 8801; when the protocol type is specified as "UMS", the default port number
is 9600; when the protocol type is specified as "XUANWU" or "CAS", the default port number is
8080.

Device Code Specifies the device code; the range is 1 to 4294967295. When the protocol type is
specified as "SGIP", before configuring the SMS gateway you have to ask your supplier to provide
the device ID of the SP which sends the SMS messages.

Source Number When the protocol type is specified as "SGIP", and after enabling the SMS
Authentication function, the system will send an Auth-message to the mobile phone number.
Specifies the user's phone number; the range is 1 to 21.

Company Code When the protocol type is specified as "UMS", users can specify the enterprise code
registered on the UMS platform. The range is 1 to 31 digits.

Username Specifies the username to log in to the SMS gateway. When the protocol type is specified
as "UMS", "SGIP" or "CAS", the range is 1-31. When the protocol type is specified as "XUANWU", the
range is 1-6.

Password Specifies the password for the user. When the protocol type is specified as "UMS", "SGIP"
or "CAS", the range is 1-31. When the protocol type is specified as "XUANWU", the range is 1-6.

Confirm Password Re-type the password into the Confirm Password box to confirm.

SMS Limit/hour Defines the maximum number of messages the gateway can send in one hour.

SMS Limit/day Defines the maximum number of messages the gateway can send in one day.

AccessKeyId Specifies the AccessKeyId which will be used as the username for authentication
between the device and the SMS gateway of Alibaba Cloud. This parameter should be the same as the
template AccessKeyId applied in the SMS service of Alibaba Cloud.

AccessKeySecret Specifies the AccessKeySecret which will be used as the password for
authentication between the device and the SMS gateway of Alibaba Cloud. This parameter should be
the same as the template AccessKeySecret applied in the SMS service of Alibaba Cloud.

Confirm AccessKeySecret Re-type the AccessKeySecret to confirm.

Trading Code If the protocol of the SMS gateway that the SP instance is running is XUANWU, you must
ask the Xuanwu Technology SMS service platform for the trading code. The range is 1-7.

Channel If the protocol of the SMS gateway that the SP instance is running is XUANWU, you must ask
the Xuanwu Technology SMS service platform for the channel. The range is a-z.

Request Type If the protocol of the SMS gateway that the SP instance is running is CAS, you can ask
the 12302 SMS service platform for the request type. The range is 1-6.

Organization Code If the protocol of the SMS gateway that the SP instance is running is CAS, you
can ask the 12302 SMS service platform for the organization code. The range is 1-31.

SMS Service Type If the protocol of the SMS gateway that the SP instance is running is CAS, you can
ask the 12302 SMS service platform for the SMS service type. The range is 1-31.
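The hourly and daily caps described for the SMS modem under "Configuring SMS Parameters" and for the SMS gateway (SMS Limit/hour, SMS Limit/day) follow one pattern: count what was sent, refuse to send past the cap, and log the refusal so that a burst of alarms is still visible afterwards. The following Python block is an added example written for this guide, not StoneOS code. It assumes rolling one-hour and one-day windows (the guide does not say whether its windows are rolling or calendar-aligned) and uses a constructed phone number and constructed timestamps.

```python
"""Added example: hourly/daily SMS send caps with suppression logging.

Not StoneOS code. Assumes rolling 1-hour / 1-day windows (the guide does not
state how its windows are aligned); phone number and timestamps are constructed.
"""
import logging
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

logger = logging.getLogger("sms_limit")


@dataclass
class SmsRateLimiter:
    """Enforces 'maximum messages per hour' and 'per day' on an alert channel."""
    max_per_hour: int
    max_per_day: int
    sent_times: List[datetime] = field(default_factory=list)  # accepted sends
    suppressed: List[str] = field(default_factory=list)       # log lines for refusals

    def _count_since(self, now: datetime, window: timedelta) -> int:
        cutoff = now - window
        return sum(1 for t in self.sent_times if t > cutoff)

    def try_send(self, number: str, text: str, now: Optional[datetime] = None) -> bool:
        """Return True if the message may be sent; False (and a log line) if a cap is hit."""
        now = now or datetime.now()
        # Forget sends older than the longest window so the list stays bounded.
        self.sent_times = [t for t in self.sent_times if t > now - timedelta(days=1)]
        hour_count = self._count_since(now, timedelta(hours=1))
        day_count = len(self.sent_times)

        if hour_count >= self.max_per_hour:
            reason = f"hourly cap {self.max_per_hour} reached"
        elif day_count >= self.max_per_day:
            reason = f"daily cap {self.max_per_day} reached"
        else:
            self.sent_times.append(now)
            return True

        # As the guide describes: the message is not sent, but the behaviour is logged.
        entry = f"{now.isoformat()} SMS suppressed to={number} len={len(text)} reason={reason}"
        self.suppressed.append(entry)
        logger.warning(entry)
        return False


def simulate() -> Tuple[List[bool], List[str]]:
    """Drive the limiter with constructed timestamps; returns (decisions, log lines)."""
    base = datetime(2022, 1, 1, 9, 0, 0)
    limiter = SmsRateLimiter(max_per_hour=2, max_per_day=3)
    decisions = [
        limiter.try_send("+1-555-0100", "CPU alarm threshold reached",
                         base + timedelta(minutes=m))
        for m in (0, 1, 2, 61, 62)  # third hits the hourly cap, fifth the daily cap
    ]
    return decisions, limiter.suppressed


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(simulate()[0])
```

The suppressed entries are kept in memory as well as logged so that a dashboard or a later audit can show how many alarms never reached a phone; with real limits, the hourly cap is what keeps a single flapping alarm from draining the daily budget.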

Testing SMS

To test if the message sending works, you can send a test text to a mobile.
To send a text message to a specified mobile number, take the following steps:

1. Select System > SMS Parameters >SMS Gateway.

2. Click the "SMS test" link in the SMS Test column of the SMS gateway list.

3. In the SMS Test dialog box, enter a mobile phone number in the text box.

4. Click Send. If the SMS modem is correctly configured and connected, the phone using that
number will receive a text message; if it fails, an error message will indicate where the error
is.
VSYS (Virtual System)
This feature may vary slightly on different platforms. If there is a conflict between this guide and
the actual page, the latter shall prevail.
VSYS (Virtual System) logically divides the physical firewall into several virtual firewalls. Each
virtual firewall can work independently as a physical device with its own system resources, and it
provides most firewall features. A VSYS is separated from other VSYSs, and by default they cannot
directly communicate with each other.
VSYS has the following characteristics:

l Each VSYS has its own administrator;

l Each VSYS has its own virtual router, zone, address book and service book;

l Each VSYS can have its own physical or logical interfaces;

l Each VSYS has its own security policies.

Notes:

l SG-6000-A1100, SG-6000-A1000, SG-6000-A200 and SG-6000-A200W do not support this function.

l The maximum VSYS number is determined by the platform capacity and license. You can expand the
maximum VSYS number by purchasing additional licenses.

VSYS Objects
This section describes VSYS objects, including root VSYS, non-root VSYS, administrator,
VRouter, VSwitch, zone, and interface.

Root VSYS and Non-root VSYS

The system contains only one root VSYS, which cannot be deleted. You can create or delete non-root
VSYSs after installing a VSYS license and rebooting the device. When creating or deleting non-
root VSYSs, you must follow the rules listed below:

l When creating or deleting non-root VSYSs through the CLI, you must be in the root VSYS
configuration mode.

l Only root VSYS administrators and root VSYS operators can create or delete non-root VSYSs. For
more information about administrator permissions, see "Device Management" on Page 1238.

l When creating a non-root VSYS, the following corresponding objects are created simultaneously:

l A non-root VSYS administrator named admin. The password is vsys_name-admin.

l A VRouter named vsys_name-vr.

l A L3 zone named vsys_name-trust.

For example, when creating the non-root VSYS named vsys1, the following objects are created:

l The RXW administrator named admin with the password vsys1-admin.

l The default VRouter named vsys1-vr.

l The L3 zone named vsys1-trust, which is bound to vsys1-vr automatically.

l When deleting a non-root VSYS, all the objects and logs in the VSYS are deleted simultaneously.

l The root VSYS contains a default VSwitch named VSwitch1, but there is no default VSwitch in a
newly created non-root VSYS. Therefore, before creating L2 zones in a non-root VSYS, a VSwitch
must be created. The first VSwitch created in a non-root VSYS is considered the default VSwitch,
and the L2 zones created in the non-root VSYS are bound to the default VSwitch automatically.

Creating Non-root VSYS


To create a new non-root VSYS, take the following steps:

1. Select System > VSYS > VSYS.

2. Click New to add a non-root VSYS.

3. In the prompt, configure these values.

Option Description

Name Enter a name for the non-root VSYS.

Description Enter the description information for the non-root VSYS.

Interface Binding Select a physical or a logical interface. In a VSYS, a physical interface can
have sub-interfaces, but logical interfaces cannot.

l Physically Import: Select the interface you want, and click Physically Import to add it to the
right pane.

l Logically Allocate: Select the interface you want, and click Logically Allocate to add it to
the right pane.

l Release: Select the added interface(s), and click Release to remove them.

Quota Select an existing quota.

4. Click OK to save the configuration. The new VSYS will be seen in the VSYS list.

Configuring VSYS Quota


VSYSs work independently in function but share system resources, including concurrent sessions,
zone number, policy rule number, SNAT rule number, DNAT rule number, session limit rule number,
memory buffer, URL resources, IPS resources, AV resources and PTF resources. You can specify the
reserved quota and maximum quota for each type of system resource in a VSYS by creating a VSYS
profile. The reserved quota is the resource number reserved for the VSYS; the maximum quota is the
maximum resource number available to the VSYS. The root administrator has the permission to
create VSYS quotas. The total for each resource across all VSYSs cannot exceed the system
capacity.
To define a quota for a VSYS, take the following steps:

1. Select System > VSYS > Quota.

2. Click New.

3. In the prompt, configure these values.

Option Description

Basic Configuration

Name Enter a name for the new quota.

CPU Specify values for the CPU parameters.

l Limit: Specifies the maximum performance limit for processing 1 Mbps packets.

l Reserve: A dedicated reserved value for CPU in this VSYS. The value range is 0 to 20000.

l Alarm Threshold: Specifies a percentage value for alarms. When the CPU usage reaches this
value, the system generates alarm logs.

System Resources

System Resources Specify the maximum quota and reserved quota of system resources.

l Sessions: Specifies the maximum and reserved number of sessions in the VSYS.

l Zone: Specifies the maximum and reserved number of zones in the VSYS.

l Policy rules: Specifies the maximum and reserved number of policy rules in the VSYS.

l Policy Groups: Specifies the maximum and reserved number of policy groups in the VSYS.

l SNAT rules: Specifies the maximum and reserved number of SNAT rules in the VSYS.

l DNAT rules: Specifies the maximum and reserved number of DNAT rules in the VSYS.

l Stat-set (session): Specifies the maximum and reserved number of sessions of a statistic set
in the VSYS.

l Stat-set (others): Specifies the maximum and reserved number of items other than sessions of a
statistic set in the VSYS.

l IPSec: Specifies the maximum and reserved number of IPSec tunnels in the VSYS.

l SCVPN users: Specifies the maximum and reserved number of SCVPN users.

l Session Limit Rules: Specifies the maximum and reserved number of session limit rules in the
VSYS.

l Keyword Categories: Specifies the maximum and reserved number of keyword categories in the
VSYS.

l URL Regex Keywords: Specifies the maximum and reserved number of regular expression keywords
in a URL category in the VSYS.

l Keyword: Specifies the maximum and reserved number of simple keywords in a URL category in the
VSYS.

l New Session Rate: Specifies the maximum number for the new session rate in the VSYS.

l IQoS: Select the Enable check box to enable the QoS function and specify the maximum and
reserved number of root pipes in the VSYS.

Protection

AV Resources Specify the maximum quota and reserved quota of AV resources.

l AV: Select the Enable check box to enable the Anti-Virus function.

l AV Profile: Specifies the maximum and reserved number of AV profiles in a VSYS. The maximum
quota ranges from 0 to 32. The reserved quota should not exceed the maximum quota. The default
maximum quota is 32 and the default reserved quota is 0.

URL Resources Specify the maximum quota and reserved quota of URL resources.

l URL: Select the Enable check box to enable the URL filter function.

l URL Profiles: Specifies the maximum and reserved number of URL filter profiles in a VSYS.

l URL Categories: Specifies the maximum and reserved number of user-defined URL categories in a
VSYS.

l URL: Specifies the maximum and reserved number of URLs in a VSYS.

IPS Resources Specify the maximum quota and reserved quota of IPS resources.

l IPS: Select the Enable check box to enable the IPS function.

l IPS Profiles: Specifies the maximum and reserved number of IPS profiles in a VSYS. At most one
IPS profile can be created in a non-root VSYS, i.e., the maximum quota ranges from 0 to 1. The
default value of both the maximum quota and the reserved quota is 0, which means only predefined
IPS profiles can be used in a non-root VSYS.

Perimeter Traffic Filtering Resources Enable or disable perimeter traffic filtering and configure
user-defined black/white list resources in a VSYS profile.

l Perimeter Traffic Filtering: Select the Enable check box to enable the perimeter traffic
filtering function.

l User-Defined Black/White List: Specifies the maximum quota and reserved quota of the
user-defined black list and white list. The maximum quota ranges from 0 to 1000. The reserved
quota should not exceed the maximum quota. The default maximum quota is 1000 and the default
reserved quota is 0.

Log Configuration

Log Configuration Specify the maximum quota and reserved quota of memory buffer for each type of
log in a VSYS. The reserved quota should not exceed the maximum quota. If the logs in a VSYS
exceed its maximum quota, the new logs overwrite the earliest logs in the buffer.

l Config Logs: Specify the maximum and reserved buffer value for configuration logs in a VSYS.

l Event Logs: Specify the maximum and reserved buffer value for event logs in a VSYS.

l Network Logs: Specify the maximum and reserved buffer value for network logs in a VSYS.

l Threat Logs: Specify the maximum and reserved buffer value for threat logs in a VSYS.

l Session Logs: Specify the maximum and reserved buffer value for session logs in a VSYS.

l NAT Logs: Specify the maximum and reserved buffer value for NAT logs in a VSYS.

l Web Surfing: Specify the maximum and reserved buffer value for web surfing logs in a VSYS.

l PBR: Specify the maximum and reserved buffer value for PBR logs in a VSYS.

4. Click OK to save settings. The new VSYS quota will be shown in the list.

Notes:

l Up to 128 VSYS quotas are supported.

l The default VSYS profile of the root VSYS, named root-vsys-profile, and the default VSYS profile
of non-root VSYSs, named default-vsys-profile, cannot be edited or deleted.

l Before deleting a VSYS profile, you must delete all the VSYSs referencing the VSYS profile.

l The maximum quota varies from one platform to another. The reserved quota cannot exceed the
maximum quota.
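The quota rules stated above (a reserved quota never exceeds its maximum quota, a maximum quota never exceeds what the platform has, and the per-resource total across all VSYSs never exceeds the system capacity) are the checks an administrator wants to run over a whole set of VSYS profiles before applying them, since the WebUI validates one profile at a time. The following Python block is an added example, not StoneOS code: the capacity figures and profile values are constructed, and it assumes that the "total" the guide refers to is the sum of the reserved (guaranteed) quotas, which is the interpretation used here.

```python
"""Added example: consistency checks for a set of VSYS quota profiles.

Not StoneOS code. Capacity figures and profile values below are constructed.
Assumption: the per-resource 'total across all VSYSs' that must not exceed the
system capacity is the sum of the reserved (guaranteed) quotas.
"""
from typing import Dict, List, Tuple

# Constructed platform capacity per resource (real values are platform-specific).
SYSTEM_CAPACITY: Dict[str, int] = {
    "sessions": 100_000,
    "zones": 64,
    "policy_rules": 4_000,
}

# profile name -> resource -> (maximum quota, reserved quota)
Profile = Dict[str, Tuple[int, int]]


def validate_profiles(profiles: Dict[str, Profile],
                      capacity: Dict[str, int] = SYSTEM_CAPACITY) -> List[str]:
    """Return a list of violations; an empty list means the set is admissible."""
    errors: List[str] = []
    reserved_total = {res: 0 for res in capacity}

    for name, quota in profiles.items():
        for res, (maximum, reserved) in quota.items():
            if res not in capacity:
                errors.append(f"{name}: unknown resource '{res}'")
                continue
            # Rule from the notes: reserved quota cannot exceed maximum quota.
            if reserved > maximum:
                errors.append(f"{name}/{res}: reserved {reserved} exceeds maximum {maximum}")
            # Rule from the notes: maximum quota is bounded by the platform.
            if maximum > capacity[res]:
                errors.append(f"{name}/{res}: maximum {maximum} exceeds capacity {capacity[res]}")
            reserved_total[res] += reserved

    # Rule from the intro: the total for each resource cannot exceed system capacity.
    for res, total in reserved_total.items():
        if total > capacity[res]:
            errors.append(f"{res}: total reserved {total} exceeds capacity {capacity[res]}")
    return errors


def shared_pool(profiles: Dict[str, Profile],
                capacity: Dict[str, int] = SYSTEM_CAPACITY) -> Dict[str, int]:
    """Capacity left after every reservation: what usage above 'reserved' draws on."""
    pool = dict(capacity)
    for quota in profiles.values():
        for res, (_maximum, reserved) in quota.items():
            if res in pool:
                pool[res] -= reserved
    return pool


# Constructed profiles: two tenants that fit, then a third that breaks the rules.
GOOD_PROFILES: Dict[str, Profile] = {
    "vsys1-profile": {"sessions": (50_000, 20_000), "zones": (16, 4), "policy_rules": (1_000, 200)},
    "vsys2-profile": {"sessions": (60_000, 30_000), "zones": (16, 4), "policy_rules": (1_000, 200)},
}
BAD_PROFILES: Dict[str, Profile] = dict(GOOD_PROFILES)
BAD_PROFILES["vsys3-profile"] = {"sessions": (30_000, 70_000), "zones": (80, 0)}


if __name__ == "__main__":
    for label, prof in (("good", GOOD_PROFILES), ("bad", BAD_PROFILES)):
        print(label, validate_profiles(prof) or "OK", shared_pool(prof))
```

Running it reports the good set as admissible with a shared pool of 50,000 sessions, 56 zones and 3,600 policy rules, and flags three violations in the bad set: a reservation larger than its own maximum, a zone maximum above the platform figure, and a total session reservation above capacity. The shared pool is worth watching because it is what every VSYS competes for once it exceeds its reserved quota.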

Entering the VSYS

To enter a root VSYS, take the following steps:

1. In your browser's address bar, type "https://IP" ("IP" is the management IP of the root
VSYS) and press Enter.

2. In the login interface, type the username and password, which can be the username and
password of the root administrator or of a user configured in the authentication server (local
server / Radius server / TACACS+ server) of the root VSYS.

3. Click Login to enter the root VSYS.

To enter a non-root VSYS, the following two ways are available:

The first way: to enter a non-root VSYS directly, take the following steps:

1. Enter the root VSYS.

2. In the root VSYS, create a non-root VSYS. For more information on creating a non-root VSYS,
see System Management > VSYS (Virtual System) in StoneOS_WebUI_User_Guide.

3. In your browser's address bar, type "https://IP" ("IP" is the management IP of the root
VSYS) and press Enter.

4. In the login interface, type the username (vsys_name\admin) and password (vsys_name-admin) of
the non-root administrator. For more information on configuring administrators, see System
Management > Device Management in StoneOS_WebUI_User_Guide.

5. Click Login to enter the non-root VSYS.

The second way: the root VSYS administrator can enter the non-root VSYS from the root VSYS, and
can configure the functions of the non-root VSYS after entering it. To enter a non-root VSYS this
way, take the following steps:

1. Enter the root VSYS.

2. Select System > VSYS > VSYS to enter the VSYS page.

3. In the VSYS list, click the name of the non-root VSYS to enter it.

4. To return to the root VSYS, click the icon in the top right corner of the page, and click
Return Root VSYS in the pop-up dialog box.

Note: If you enter the non-root VSYS directly, you cannot go back to the root VSYS.

The Maximum Concurrent Sessions
If multi-VR, AV, IPS, URL signature database, Sandbox, Anti-Spam, Botnet Prevention and/or
NetFlow is enabled on the device, or an IPv6 firmware version is used, the maximum concurrent
sessions might change. For more information, see the table below:

Platform / Expansion Module Firmware Max Concurrent Sessions

SG-6000 A-Series devices StoneOS IPv4 version With multiple virtual routers, anti-virus, IPS, URL
signature database, Sandbox, Anti-Spam, Botnet Prevention and/or NetFlow enabled on the system,
the maximum concurrent sessions will not change.

SG-6000 A-Series devices StoneOS IPv6 version

l The original maximum concurrent sessions of the IPv6 version is the same as that of the IPv4
version;

l With multiple virtual routers, anti-virus, IPS, URL signature database, Sandbox, Anti-Spam,
Botnet Prevention and/or NetFlow enabled on the system, the maximum concurrent sessions will not
change.