Hillstone Networks

NIPS WebUI User Guide


Version 4.0

TechDocs | docs.hillstonenet.com
Copyright 2021 Hillstone Networks. All rights reserved.
Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those agreements. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Hillstone Networks.

Contact Information:
US Headquarters:
Hillstone Networks
5201 Great America Pkwy, #420
Santa Clara, CA 95054
Phone: 1-408-508-6750
https://www.hillstonenet.com/about-us/contact/

About this Guide:


This guide gives you comprehensive configuration instructions for Hillstone Networks NIPS.
For more information, refer to the documentation site: https://docs.hillstonenet.com.cn
To provide feedback on the documentation, please write to us at: TechDoc-
[email protected]
Hillstone Networks
TWNO: TW-WUG-SS-A-4.0-EN-V1.0-4/6/2021
Contents

Contents 1

Conventions 23

Explorer Compatibility 31

Chapter 1 Getting Started Guide 32

Transparent Mode 33

Tap Mode 37

Routing Mode 39

Initial Visit to Web Interface 54

Preparing the System 56

Installing Licenses 56

Creating a System Administrator 56

Adding Trusted Hosts 57

Updating Signature Database 58

Restoring to Factory Settings 60

Chapter 2 Dashboard 61

System Status 61

Threat Type/Detected by 61

Hot Events 63

Top5 Threat Tags/Top5 Threats 64

Threat Geographical Distribution 65

Refresh Interval 65

Statistical Period 66

Chapter 3 iCenter 66

Hot Threat Intelligence 66

Critical Assets 67

Risk Computers 70

Threat 73

Mitigation 78

Threat Alarm Rule 79

Chapter 4 Monitor 80

User Monitor 81

Summary 81

User Details 82

Address Book Details 83

Monitor Address Book 84

Statistical Period 84

Application Monitor 85

Summary 85

Application Details 86

Group Details 87

Select Application Group 88

Statistical Period 89

Computer Monitor 90

Computer Details 90

URL Hit Monitor 91

Summary 91

User/IP 92

URL 94

URL Category 95

Statistical Period 97

Service/Network Monitor 97

Viewing Service/Network Node Monitor Information 101

Device Monitor 103

Summary 103

Statistical Period 105

Application Block 106

Summary 106

Application 106

User/IP 107

Statistical Period 108

Alarm 109

Alarm as a Monitor 109

Alarms by Time 109

Alarm by Severity 110

Alarm Details 111

Authenticated User 114

Monitor Configuration 114

Chapter 5 Report & Log 116

Reporting 116

Report File 117

Report Template 118

Creating a User-defined Template 119

Editing a User-defined Template 124

Deleting a User-defined Template 124

Cloning a Report Template 124

Report Task 125

Creating a Report Task 125

Editing the Report Task 132

Deleting the Report Task 132

Enabling/Disabling the Report Task 132

Logging 133

Log Severity 133

Destination of Exported Logs 134

Log Format 135

Threat Log 136

Event Log 137

Network Log 137

Configuration Log 138

Session Log 139

PBR Log 141

NAT Log 142

URL Log 143

Content Filter Log 143

Network Behavior Record Log 144

CloudSandBox Log 144

Managing Logs 146

Configuring Log Settings 146

Creating a Log Server 157

Adding Email Address to Receive Logs 158

Specifying a Unix Server 159

Chapter 6 Configuration Management 159

System and Signature Database 160

Viewing System and Signature DB Information 160

Policy 163

Security Policy 164

Configuring a Security Policy Rule 165

Managing Security Policy Rules 181

Enabling/Disabling a Policy Rule 182

Exporting a Policy Rule 182

Importing a Policy Rule 182

Cloning a Policy Rule 183

Adjusting Security Policy Rule Position 183

Schedule Validity Check 183

Showing Disabled Policies 184

NAT 186

Basic Translation Process of NAT 186

Implementing NAT 187

Configuring SNAT 188

Enabling/Disabling an SNAT Rule 196

Adjusting Priority 196

Copying/Pasting a SNAT Rule 197

Hit Count 198

Clearing NAT Hit Count 198

Hit Count Check 198

Configuring DNAT 199

Configuring an IP Mapping Rule 199

Configuring a Port Mapping Rule 201

Configuring an Advanced NAT Rule 204

Enabling/Disabling a DNAT Rule 210

Copying/Pasting a DNAT Rule 210

Adjusting Priority 211

Hit Count 212

Clearing NAT Hit Count 212

Hit Count Check 212

iQoS 213

Implement Mechanism 213

Pipes and Traffic Control Levels 214

Pipes 214

Traffic Control Levels 216

Enabling iQoS 217

Pipes 219

Basic Operations 219

Configuring a Pipe 220

Viewing Statistics of Pipe Monitor 233

Session Limit 234

Configuring a Session Limit Rule 234

Clearing Statistic Information 237

ARP Defense 238

Configuring ARP Defense 240

Configuring Binding Settings 240

Adding a Static IP-MAC-Port Binding 240

Obtaining a Dynamic IP-MAC-Port Bindings 241

Bind the IP-MAC-Port Binding Item 243

Importing/Exporting Binding Information 244

Configuring Authenticated ARP 244

Configuring ARP Inspection 246

Configuring DHCP Snooping 247

Viewing DHCP Snooping List 250

Configuring Host Defense 251

Security Protection Configuration 253

Threat Protection Signature Database 255

Intrusion Prevention System 255

Configuring IPS profiles 256

Signature List 296

Searching Signatures 296

Managing Signatures 297

IPS Global Configuration 301

Configuring IPS White list 303

Anti Virus 306

Configuring Anti-Virus 307

Preparing 307

Configuring Anti-Virus Function 307

Configuring Anti-Virus Global Parameters 310

Enabling/Disabling the Anti-Virus function 310

Configuring the Decompression Control Function 311

Antispam 313

Configuring Antispam 313

Preparing 314

Configuring Antispam Function 314

Configuring an Antispam Profile 315

Configuring an Antispam User-defined Blacklist 318

Antispam Global Configuration 320

Botnet C&C Prevention 320

Address Library 321

Enabling/Disabling the Address Entry 321

Creating a Custom Address Entry 321

Botnet C&C Prevention Global Configuration 322

Configuring Botnet C&C Prevention 322

Preparing 323

Configuring Botnet C&C Prevention Function 323

Configuring a Botnet C&C Prevention Rule 324

Perimeter Traffic Filtering 325

Enabling Perimeter Traffic Filtering 326

Configuring IP Blacklist 327

Static IP Blacklist 327

Redundancy Check 328

Blacklist Library 329

Dynamic IP Blacklist 331

Hit Statics 332

Service Blacklist 332

MAC Blacklist 334

IP Reputation Filtering 335

White List 337

Global Search 337

Configuration 338

URL Filtering 339

Configuring URL Filtering 339

Cloning a URL filtering Rule 347

Viewing URL Hit Statistics 348

Viewing Web Surfing Records 348

Configuring URL Filtering Objects 348

Predefined URL DB 349

Configuring Predefined URL Database Update Parameters 349

Upgrading Predefined URL Database Online 351

Upgrading Predefined URL Database from Local 351

User-defined URL DB 351

Configuring User-defined URL DB 352

Importing User-defined URL 353

Clearing User-defined URL 353

URL Lookup 353

Inquiring URL Information 354

Configuring URL Lookup Servers 354

Keyword Category 355

Configuring a Keyword Category 356

Warning Page 357

Enabling/ Disabling the Block Warning 358

Enabling/ Disabling the Audit Warning 359

First Access of Uncategorized URL 360

Sandbox 362

Configuring Sandbox 364

Preparation 364

Configuring Sandbox 364

Configuring a Sandbox Rule 365

Threat List 368

Trust List 369

Sandbox Global Configurations 369

Data Security 370

Web Content 372

Configuring Web Content 372

Viewing Logs of Keyword Blocking in Web Content 376

Network Behavior Record 377

Configuring Network Behavior Recording 377

Viewing Logs of Network Behavior Recording 381

ACL 381

ACL Profile 381

Attack-Defense 384

Configuring Attack Defense 384

Abnormal Behavior Detection 399

Host Defender 400

DNS Defender 401

Viewing the Abnormal Behavior Detection Information 401

Advanced Threat Detection 403

Configuring Advanced Threat Detection 403

Viewing Advanced Threat Detection Information 404

Hot Threat Intelligence 406

Viewing Hot Threat Intelligence 410

Mitigation 410

Mitigation Rule 410

Configuring a User-defined Mitigation Rule 411

Enabling Mitigation 413

Viewing Mitigation Action 414

Threat Alarm Rule 414

Configuring a Threat Warning Rule 414

Editing the Threat Alarm Rule 419

Enabling/Disabling the Threat Alarm Rule 420

Deleting the Threat Alarm Rule 420

Viewing the Details of Threat Sound Alarm 420

Network Configuration 422

Security Zone 423

Configuring a Security Zone 423

Management Interface 426

Configuring a Management Interface 426

Interface 427

Configuring an Interface 429

General Properties of Interfaces 429

Creating a Loopback Interface 436

Creating an Aggregate Interface 439

Creating a Redundant Interface 445

Creating an Ethernet Sub-interface/Aggregate Sub-interface/Redundant Sub-interface 449

Editing an Interface 452

Interface Group 455

Creating an Interface Group 455

LLDP 456

LLDP Work Mode 457

Configuring LLDP 457

Enabling LLDP 457

Modifying LLDP Configuration 460

Viewing MIB Topology 462

DNS 464

Configuring a DNS Server 464

Configuring an Analysis 464

Configuring a DNS Cache 465

NBT Cache 467

DHCP 469

Configuring a DHCP Server 469

Configuring a DHCPv6 Server 479

Configuring a DHCPv6 Relay Proxy 481

Chapter 5 Advanced Routing 482

Destination Route 483

Creating a Destination Route 483

Source Route 486

Creating a Source Route 486

Source-Interface Route 490

Creating a Source-Interface Route 490

Policy-based Route 493

Creating a Policy-based Route 493

Creating a Policy-based Route Rule 494

Adjusting Priority of a PBR Rule 500

Applying a Policy-based Route 501

DNS Redirect 502

Configuring the Global Match Order 502

RIP 504

Creating RIP 504

Host Book 508

Creating a Host Book 509

Application Layer Gateway (ALG) 511

Enabling ALG 511

Global Network Parameters 513

Configuring Global Network Parameters 513

Configuring Protection Mode 517

Bypass Configuration 517

Object Configuration 519

Address 520

Creating an Address Book 520

Viewing Details 522

Service Book 524

Predefined Service/Service Group 524

User-defined Service 524

User-defined Service Group 525

Configuring a Service Book 526

Configuring a User-defined Service 526

Configuring a User-defined Service Group 530

Viewing Details 531

Application Book 532

Editing a Predefined Application 532

Creating a User-defined Application 532

Creating a User-defined Application Group 534

Creating an Application Filter Group 535

Creating a Signature Rule 535

Viewing Details 540

SSL Proxy 541

Work Mode 542

Working as Gateway of Web Clients 543

Configuring SSL Proxy Parameters 543

Specifying the PKI Trust Domain of Device Certificate 544

Obtaining the CN Value 544

Importing Device Certificate to Client Browser 545

Configuring a SSL Proxy Profile 546

Working as Gateway of Web Servers 553

Configuring a SSL Proxy Profile 553

Binding a SSL Proxy Profile to a Policy Rule 556

Schedule 557

Periodic Schedule 557

Timeframe 557

Creating a Schedule 557

AAA Server 560

Configuring a Local AAA Server 560

Configuring Radius Server 566

Configuring TACACS+ Server 570

Connectivity Test 571

User 573

Configuring a Local User 573

Creating a User Group 574

Export User List 575

Import User List 576

Configuring a LDAP User 578

Synchronizing Users 578

Configuring an Active Directory User 579

Synchronizing Users 579

Configuring IP-User Binding 579

Adding User Binding 579

Import Binding 580

Export Binding 581

Role 582

Configuring a Role 582

Creating a Role 582

Mapping to a Role Mapping Rule 583

Creating a Role Mapping Rule 584

Creating a Role Combination 585

Critical Assets 588

Configuring Critical Asset Object 589

Connecting or Blocking the Critical Assets 589

Track Object 591

Creating a Track Object 591

System Configuration 596

Device Management 597

Administrators 597

Creating an Administrator Account 598

Configuring Login Options for the Default Administrator 599

Admin Roles 602

Trusted Host 603

Creating a Trusted Host 603

Management Interface 605

System Time 608

Configuring the System Time Manually 608

Configuring NTP 609

NTP Key 611

Creating a NTP Key 611

Option 612

Rebooting the System 614

System Debug 614

System Debug Information 614

Storage Management 615

Configuration File Management 617

Managing Configuration File 617

Viewing the Current Configuration 619

SNMP 620

SNMP Agent 620

SNMP Host 622

Trap Host 624

V3 User Group 625

V3 User 627

Upgrading System 630

Upgrading Firmware 630

Updating Signature Database 631

Updating Trusted Root Certificate Database 633

License 636

Applying for a License 639

Installing a License 640

Mail Server 641

Creating a Mail Server 641

Extended Services 643

Connecting to HSM 644

HSM Deployment Scenarios 644

Connecting to HSM 645

Connecting to Hillstone Cloud·View 647

Cloud·View Deployment Scenarios 647

Connecting to Hillstone Cloud·View 647

One-click Disconnection 649

Send Object 649

Creating a Send Object 650

Viewing Relevant Alarm Rules 650

High Availability 651

Basic Concepts 652

HA Cluster 652

HA Group 652

Virtual Forward Interface and MAC 652

HA Selection 652

HA Synchronization 652

Configuring HA 654

Authentication 660

PKI 662

Creating a PKI Key 663

Creating a Trust Domain 664

Importing/Exporting Trust Domain 667

Importing Trust Certification 668

Chapter 13 Diagnostic Tool 668

Packet Path Detection 669

Configuring Packet Path Detection 669

Emulation Detection 669

Online Detection 672

Imported Detection 675

Detected Sources 677

Packet Capture Tool 678

Configuring Packet Capture Tools 678

Create a Packet Capture Rule 680

Packet Capture Global Configuration 681

Test Tools 683

DNS Query 683

Ping 683

Traceroute 684

Chapter 7 CLI 686

Logging into a Device 686

Configuring Interfaces 686

Configuring Route 687

Restore Device to Factory Settings 687

Force to Close the Bypass Function 687

Repairing/Resetting Database 688

Conventions
Knowing how to operate the common WebUI controls lets you complete the configuration of most functions.
The common controls and the effects of operating them are as follows:

l Switching between function categories: Select the tab at the top of the page.

l Switching between Chinese and English: click the drop-down button of the user name in the upper
right corner, and then click the "中-EN" button to switch.

l Switching between functions: Click the specific function node in the level-2 navigation pane.

l Opening the function list: Click the icon in the level-2 navigation pane.

l Closing the function list: Click the icon in the level-2 navigation pane.

l Viewing the specified columns: Click the icon, click "Column" in the drop-down list, and select the columns to show. The system supports a list status memory function: when you log in to the device, it displays the list in the status you last configured.

l To lock a column: Click the icon and click "Lock" in the drop-down list. The locked column is always shown at the right of the list.

l To unlock the column: Click the icon and click "Unlock".

l To restore the initial state of the list: double-click the list header and click "OK" in the dialog box.

l To restore the initial state of all lists: Click the button of the user name in the top right corner of the page and click "OK" in the dialog box.

l To view specified items by setting up filters: Click the button, select the filter conditions from the Filter drop-down list, and then set the filter values as needed. To delete a filter condition, hover your mouse over that condition and then click the icon. To delete all filter conditions, click the icon on the right side of the row.

l To create an item, click New.

l To edit an item, select the check box and click Edit.

l To delete items, select the check boxes and click Delete.

l To copy an item, select the check box and click Copy.

l To paste an item, select the check box and click Paste.

l To display the hidden controls, click the icon.

l To update the data displayed on the current page, click refresh.

l To search by one condition, click Filter. In the pop-up line, click +Filter to add a new filter condition, select a filter condition from the drop-down menu, enter a value, and then press Enter to start searching.

l To search by multiple conditions, click the icon to add another filter condition, select a filter condition from the drop-down menu, enter a value, and then press Enter to start searching.

l To close the dialog, click 'X' at the top right corner of dialog.

l To save the current configuration, click OK.

l To cancel the current operation, click Cancel.

l Click Apply to make the modification take effect.

l Click the page buttons to jump to the previous page, the next page, the dashboard or the last page. Enter a page number to jump to the corresponding page.

Explorer Compatibility
The following browsers have passed compatibility tests:

l IE11

l Chrome

Chapter 1 Getting Started Guide
This guide helps you go through initial configuration and basic set-up of devices.

l Deploying Devices: for different scenarios, you can use different deployment modes.

l "Transparent Mode" on Page 33: Use this mode to analyze and transmit packets efficiently, to record logs, reset the connection, or block the connection when detecting attack behavior. To deploy in this mode conveniently, the device has pre-defined configurations for security zones, interfaces, and policies.

l "Tap Mode" on Page 37: Use this mode to inspect the attack behavior and record logs.

l "Routing Mode" on Page 39: Use this mode when you want the routing and NAT
functions provided by the device.

l "Initial Visit to Web Interface" on Page 54

l "Preparing the System" on Page 56

l Installing License

l Creating a System Administrator

l Adding Trusted Hosts

l Updating Signature Databases

l "Restoring to Factory Settings" on Page 60

Transparent Mode
In transparent mode, the device is located between the router and the switch and inspects the traffic. When it detects attack behavior, the device can record logs, reset the connection, or block the connection.
The device has pre-defined configurations of security zones and security policies for transparent mode. Complete the following topology to use transparent mode.

When using transparent mode, the pre-defined configurations of the interfaces, the security zones where the interfaces are located, and the security policies between the security zones are described below. For S2060/S2160/S2200-C/S2560/S2660/S3060/S3100-C/S3260/S3300-C/S3560/S3860/S3960/S5560, you can use other interface pairs.

S600/S800/S1000-C/S1060/S1100-C/S1200-C/S1560

Interface   Security Zone              Security Policy
eth0/2      Layer 2 zone: l2-direct-a  Source zone: l2-direct-a
eth0/3      Layer 2 zone: l2-direct-a  Destination zone: l2-direct-a
                                       Source address: Any
                                       Destination address: Any
                                       Service/Service group: Any
                                       Intrusion Prevention System: Enable
                                       Profile: l2-direct-a-default-ips

S2060/S2160/S2200-C/S2560/S2660

Interface   Security Zone              Security Policy
eth0/0      Layer 2 zone: l2-direct-a  Source zone: l2-direct-a
eth0/1      Layer 2 zone: l2-direct-a  Destination zone: l2-direct-a
                                       Source address: Any
                                       Destination address: Any
                                       Service/Service group: Any
                                       Intrusion Prevention System: Enable
                                       Profile: l2-direct-a-default-ips

S2060/S2160/S2200-C/S2560/S2660 (continued)

Interface   Security Zone              Security Policy
eth0/2      Layer 2 zone: l2-direct-b  Source zone: l2-direct-b
eth0/3      Layer 2 zone: l2-direct-b  Destination zone: l2-direct-b
                                       Source address: Any
                                       Destination address: Any
                                       Service/Service group: Any
                                       Intrusion Prevention System: Enable
                                       Profile: l2-direct-b-default-ips

S3060/S3100-C/S3260/S3300-C/S3560/S3860/S3960/S5560

Interface   Security Zone              Security Policy
eth0/0      Layer 2 zone: l2-direct-a  Source zone: l2-direct-a
eth0/1      Layer 2 zone: l2-direct-a  Destination zone: l2-direct-a
                                       Source address: Any
                                       Destination address: Any
                                       Service/Service group: Any
                                       Intrusion Prevention System: Enable
                                       Profile: l2-direct-a-default-ips

S3060/S3100-C/S3260/S3300-C/S3560/S3860/S3960/S5560 (continued)

Interface   Security Zone              Security Policy
eth0/2      Layer 2 zone: l2-direct-b  Source zone: l2-direct-b
eth0/3      Layer 2 zone: l2-direct-b  Destination zone: l2-direct-b
                                       Source address: Any
                                       Destination address: Any
                                       Service/Service group: Any
                                       Intrusion Prevention System: Enable
                                       Profile: l2-direct-b-default-ips

eth0/4      Layer 2 zone: l2-direct-c  Source zone: l2-direct-c
eth0/5      Layer 2 zone: l2-direct-c  Destination zone: l2-direct-c
                                       Source address: Any
                                       Destination address: Any
                                       Service/Service group: Any
                                       Intrusion Prevention System: Enable
                                       Profile: l2-direct-c-default-ips

Tap Mode
In tap mode, the device inspects the received mirror traffic. When it detects attack behavior, the device records it. Meanwhile, the device can send a Reset packet from the ingress interface of the mirror traffic according to your IPS configurations.
The device has pre-defined configurations of security zones and security policies for tap mode. Complete the following topology to use tap mode.

Step 1: Configure the switch to mirror the traffic to the interface that connects to the S series device.
Step 2: Bind the physical interface to the tap-a security zone. After the binding, this physical interface becomes the tap interface.

1. In the WebUI, select Configuration Management > Network Configuration > Interface.

2. Double-click the ethernet0/3 interface to open the Ethernet Interface page.

3. In the Ethernet Interface page, configure the following settings:

Binding Zone   Zone
TAP            tap-a

After the configuration, the device inspects the received mirror traffic. When using tap mode, the configuration of the interface, the security zone where the interface is located, and the security policy between the security zones are described below:

Interface   Security Zone             Security Policy
eth0/3      TAP security zone: tap-a  Source zone: tap-a
                                      Destination zone: tap-a
                                      Source address: Any
                                      Destination address: Any
                                      Service/Service group: Any
                                      Intrusion Prevention System: Enable
                                      Profile: tap-a-default-ips

Routing Mode
In routing mode, the device is deployed at the boundary of the network and provides the routing and NAT functions.
When using routing mode, you need to configure the interfaces, the trust zone, the untrust zone, the DMZ zone, and the policies.
The example of deploying the device in routing mode is based on the following topology.

Step 1: Connecting to the device

1. Connect one interface (e.g. ethernet0/1) to the ISP network and connect the other interface
(e.g. ethernet0/0) to the intranet.

2. Log into the WebUI. For more information, see "Initial Visit to Web Interface" on Page 54.

Step 2: Configuring interfaces

1. Select Configuration Management > Network Configuration > Interface.

2. Double-click the ethernet0/1 interface to open the Ethernet Interface page. The ethernet0/1 interface is connected to the ISP network.

In the Ethernet Interface page, configure the following settings:

Option        Value
Binding Zone  Layer 3 Zone
Zone          untrust
Type          Static IP
IP Address    202.10.1.2 (public IP address provided by your ISP)
Netmask       255.255.255.0
Management    Select the protocols that you want to use to access the device.

3. Click OK.

4. Double-click the ethernet0/0 interface to open the Ethernet Interface page. The ethernet0/0 interface is connected to the intranet.

In the Ethernet Interface page, configure the following settings:

Option        Value
Binding Zone  Layer 3 Zone
Zone          trust
Type          Static IP
IP Address    192.168.1.1
Netmask       255.255.255.0
Management    Select the protocols that you want to use to access the device.

5. Double-click the ethernet0/2 interface to open the Ethernet Interface page. The ethernet0/2 interface is connected to the intranet.

In the Ethernet Interface page, configure the following settings:

Option        Value
Binding Zone  Layer 3 Zone
Zone          dmz
Type          Static IP
IP Address    10.89.19.1
Netmask       255.255.0.0
Management    Select the protocols that you want to use to access the device.

6. Click OK.

Step 3: Creating a NAT rule to translate internal IP to public IP

1. Select Configuration Management > Policy > NAT > SNAT.

2. Click New.

In the SNAT Configuration page, enter values:

Option               Value
Source Address       Address Entry, Any
Destination Address  Address Entry, Any
Egress               Egress interface, ethernet0/1
Translated           Egress IP
Sticky               Enable

3. Click OK.

Step 4: Creating a NAT rule to publish internal servers to public IP

1. Select Configuration Management > Policy > NAT > DNAT.

2. Select New > IP Mapping.

In the IP Mapping Configuration page, configure the following settings:

Option               Value
Destination Address  Select IP Address from the drop-down menu and enter "202.10.1.2" in the text box. When the destination IP address of the traffic is the one you entered, the device will translate the destination IP address to the one you specified in the Mapped to text box.
Mapped to            Select IP Address from the drop-down menu and enter "10.89.19.2". The destination IP address will be translated to this mapping address.

3. Click OK.

Step 5: Creating a security policy to allow internal users to access the Internet

1. Select Configuration Management > Policy > Security Policy > Policy.

2. Select New > Policy.

In the Policy Configuration page, enter values:

Option               Value
Name                 Enter the name of the security policy.
Source Zone          trust
Source Address       Any
Destination Zone     untrust
Destination Address  Any
Service              Any
Application          -----

Expand Protection, configure the IPS setting.

IPS                  Click the Enable button and select the predef-default profile. The action of this profile is to reset the packets that match the IPS rules.

3. Click OK.

Step 6: Creating a security policy to allow Internet users to access servers

1. Select Configuration Management > Policy > Security Policy > Policy.

2. Select New > Policy.

In the Policy Configuration page, enter values:

Option               Value
Name                 Enter the name of the security policy.
Source Zone          untrust
Source Address       Any
Destination Zone     dmz
Destination Address  Any
Service              Select a service for the internal server
Application          -----

Expand Protection, configure the IPS setting.

IPS                  Click the Enable button and select the predef-default profile. The action of this profile is to reset the packets that match the IPS rules.

3. Click OK.

Step 7: Configuring the default route

1. Select Configuration Management > Network Configuration > Routing > Destination Route.

2. Click New.

In the Destination Route Configuration page, enter values:

Option       Value
Destination  0.0.0.0 (means all networks)
Netmask      0.0.0.0 (means all subnets)
Gateway      202.10.1.1 (gateway provided by your ISP)

3. Click OK.
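The configuration built in Steps 1 to 7 can be checked end to end by modelling it. The Python below is an added worked example, not Hillstone code: it encodes the interfaces, zones, SNAT, DNAT, policies and default route exactly as entered above and walks constructed sample sessions through a simplified pipeline (ingress zone, DNAT, destination zone via route lookup, policy match, SNAT). It assumes an implicit deny when no policy matches and HTTP (tcp/80) as the service selected for the internal server in Step 6; the Internet addresses 198.51.100.7 and 8.8.8.8 are constructed sample values.

```python
# Added worked model of the routing-mode configuration in Steps 1-7. This is
# constructed example code, not Hillstone software. It assumes a simplified
# evaluation order (ingress zone -> DNAT -> destination zone -> policy -> SNAT)
# and an implicit deny when no policy matches; the service for the published
# server (Step 6, "select a service") is assumed to be HTTP, written "tcp/80".
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Interface:
    name: str
    zone: str
    address: IPv4Address   # the interface's own IP address (Step 2)
    network: IPv4Network   # connected subnet derived from IP address/netmask


# Step 2: interface, zone, IP address and netmask exactly as configured above.
INTERFACES = (
    Interface("ethernet0/1", "untrust", ip_address("202.10.1.2"),
              ip_network("202.10.1.2/24", strict=False)),
    Interface("ethernet0/0", "trust", ip_address("192.168.1.1"),
              ip_network("192.168.1.1/24", strict=False)),
    Interface("ethernet0/2", "dmz", ip_address("10.89.19.1"),
              ip_network("10.89.19.1/16", strict=False)),
)

# Step 7: default route 0.0.0.0/0 via the gateway provided by the ISP.
DEFAULT_GATEWAY = ip_address("202.10.1.1")

# Step 4: DNAT IP mapping, public address -> internal server.
DNAT_RULES = {ip_address("202.10.1.2"): ip_address("10.89.19.2")}

# Step 3: SNAT, any source/destination leaving ethernet0/1 -> egress IP.
SNAT_EGRESS = "ethernet0/1"

# Steps 5 and 6: security policies. Source and destination address are Any
# in both, so only zones and service are matched. "Any" matches every service.
POLICIES = (
    # (name, source zone, destination zone, services, IPS profile)
    ("trust-to-internet", "trust", "untrust", "Any", "predef-default"),
    ("internet-to-server", "untrust", "dmz", ("tcp/80",), "predef-default"),
)


def route_lookup(dst: IPv4Address) -> Interface:
    """Longest-prefix match on connected subnets, else the default route."""
    connected = [i for i in INTERFACES if dst in i.network]
    if connected:
        return max(connected, key=lambda i: i.network.prefixlen)
    # Default route: egress is the interface that can reach the ISP gateway.
    return next(i for i in INTERFACES if DEFAULT_GATEWAY in i.network)


@dataclass(frozen=True)
class Verdict:
    permitted: bool
    src_zone: str
    dst_zone: str
    egress: str
    nat_src: IPv4Address         # source after SNAT (unchanged if not applied)
    nat_dst: IPv4Address         # destination after DNAT (unchanged if none)
    ips_profile: Optional[str]
    matched_policy: Optional[str]


def evaluate(src: str, dst: str, service: str) -> Verdict:
    """Walk one new session through the modelled NAT and policy pipeline."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    # Ingress zone: the zone of the interface that routes back towards src.
    src_zone = route_lookup(src_ip).zone
    # DNAT is applied before the destination zone is decided, so a session
    # to the public address 202.10.1.2 is zoned as dmz, not untrust.
    nat_dst = DNAT_RULES.get(dst_ip, dst_ip)
    egress = route_lookup(nat_dst)
    dst_zone = egress.zone
    for name, s_zone, d_zone, services, ips in POLICIES:
        if (s_zone, d_zone) != (src_zone, dst_zone):
            continue
        if services != "Any" and service not in services:
            continue
        # Permitted: SNAT applies only to sessions leaving through ethernet0/1.
        nat_src = egress.address if egress.name == SNAT_EGRESS else src_ip
        return Verdict(True, src_zone, dst_zone, egress.name,
                       nat_src, nat_dst, ips, name)
    # No matching policy: implicit deny (assumption); SNAT is not applied.
    return Verdict(False, src_zone, dst_zone, egress.name,
                   src_ip, nat_dst, None, None)


if __name__ == "__main__":
    # Constructed sample sessions; 198.51.100.7 stands in for an Internet host.
    for flow in (("192.168.1.50", "8.8.8.8", "tcp/443"),
                 ("198.51.100.7", "202.10.1.2", "tcp/80"),
                 ("198.51.100.7", "202.10.1.2", "tcp/22"),
                 ("198.51.100.7", "192.168.1.50", "tcp/445"),
                 ("10.89.19.2", "8.8.8.8", "tcp/443")):
        print(flow, evaluate(*flow))
```

The model makes two consequences of the steps visible: sessions to the published address 202.10.1.2 are zoned as dmz because DNAT runs before the destination zone is decided, and the dmz server has no outbound policy, so under the implicit-deny assumption it cannot initiate sessions to the Internet.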

Initial Visit to Web Interface
Interface eth0/0 or MGT0 is configured with the IP address 192.168.1.1/24 by default and is open to all connection types. Use this interface for the initial visit.
To visit the web interface for the first time:

1. Go to your computer's Ethernet properties, set the IPv4 protocol as below.

2. Connect an RJ-45 Ethernet cable from your computer to the eth0/0 or MGT0 of the
device.

3. In your browser's address bar, type "http://192.168.1.1" and press Enter.

4. In the login interface, type the username, password and verification code. The default username and password are hillstone and hillstone.

5. Click Login, and the device's system will initiate.

Notes: To ensure account security, one account can only be used by one user to log in to the WebUI at the same time. If multiple users need to log in with the same account, the user who logs in later will kick out the user who logged in before.

Preparing the System

Installing Licenses
After you obtain the license string or file from the sales person, take the following steps to install
the license:

1. Select Configuration Management > System Configuration > License.

2. Choose one of the two ways to import a license:

l Upload License file: Select the radio button, click Browse, and select the license file
(a .txt file).

l Manual Input: Select the radio button, and paste the license code into the text box.

3. Click OK.

4. To make the license take effect, reboot the system. Go to Configuration Management > System Configuration > Device Management > Option, and click System Option > Reboot.

Creating a System Administrator


The system administrator has the authority to read, write and execute all features in this system. It can configure all modules in any mode and view the current and historical configurations.
To create a system administrator, take the following steps:

1. Select Configuration Management > System Configuration > Device Management > Administrators.

2. Click New.

In the Configuration page, enter values:

Option            Value
Name              Admin
Role              Administrator
Password          Hillstone@321
Confirm Password  Hillstone@321
Login Type        Select Console, Telnet, SSH, HTTP and HTTPS.

3. Click OK.

Notes: The system has a default administrator "hillstone", which cannot be deleted
or renamed.

Adding Trusted Hosts


A trusted host is an administrator's host. Only computers included in the trusted hosts can manage the system.
To add a trusted host, take the following steps:

1. Select Configuration Management > System Configuration > Device Management > Trusted Host.

2. Click New.

In the Trusted Host Configuration page, enter values:

Option      Value
IP Type     Select IP/Netmask
IP          192.168.1.2/24
Login Type  Select the login types allowed: Telnet, SSH, HTTP and HTTPS

3. Click OK.

Updating Signature Database


Features that require constant signature updates are license controlled. You must purchase the license to be able to update the signature libraries. By default, the system automatically updates the databases daily.
To update a database, take the following steps:

1. Select Configuration Management > System Configuration > Upgrade Management > Signature Database Update.

2. Find your intended database, and choose one of the following two ways to upgrade.



l Remote Update: Click OK And Online Update, and system will automatically update
the database.

l Local Update: Select Browse to open file explorer, and select your local signature file
to import it into the system.



Restoring to Factory Settings

Notes: Resetting your device will erase all configurations, including the settings that
have been saved. Please be cautious!

To restore factory default settings via WebUI, take the following steps:

1. Select Configuration Management > System Configuration > Configuration File Management > Configuration File List.

2. Click Backup Restore.

3. In the Configuration Backup/Restore page, click Restore.

4. In the Restore to Factory Defaults page, click OK to confirm. To delete the history content
in the database, including threat logs, reports, and captured packets, select the Clear History
check box.

5. The device will automatically reboot and be back to factory settings. All configurations,
including the backed-up system configuration file and the history content in the database
will be deleted.



Chapter 2 Dashboard
The dashboard shows the system and threat information. The layout of the dashboard is shown
below:

System Status
Display the current system CPU utilization, memory utilization, hard disk utilization, session utilization, and chassis temperature.

Threat Type/Detected by
Display the threat distribution and the threat trend through Threat Type and Detected by.
Threat Type: Select the Threat Type tab, and then system will display the number of threat
events of various types, and display the changing trend of the threat events in different periods in
the Threat Event Trends line chart.

l Click the number under the name of a certain threat type to open the iCenter > Threat page,
and then system will filter threat events by the corresponding threat type to display all intranet
threat events of the threat type in the list.

l Hover your mouse over the line chart to display the number of attacks of each threat type at
the specified time point.

Detected by: Select the Detected by tab, and then system will display the number of threat events
detected by each detection engine, and display the changing trend of the threat events in different
periods in the Threat Event Trends line chart.

l Click the number under the name of a certain detection engine to open the iCenter > Threat
page, and then system will filter threat events by the corresponding detection engine to dis-
play all intranet threat events detected by the detection engine in the list.

l Hover your mouse over the line chart to display the number of attacks detected by each detec-
tion engine at the specified time point.

Hot Events
Display the names of the latest ten pieces of threat intelligence obtained. If the system has been attacked by a threat described in a piece of threat intelligence, that intelligence is displayed in red; otherwise it is displayed in blue. Click the name of a piece of intelligence to open the iCenter > Hot Threat Intelligence page, where the system displays details of the selected intelligence in the list.

Top5 Threat Tags/Top5 Threats
Top5 Threat Tags: Select the Top5 Threat Tags tab to display the top 5 threat tags ranked by count.

l Click the name of a certain threat tag to open the iCenter > Threat page, and then the system will filter threat events by the corresponding threat tag to display all intranet threat events of the threat tag in the list.

l Click All to open the iCenter > Threat page, and then system will display details of all
threat events in the list.

Top5 Threats: Select the Top5 Threats tab to display the top 5 threats by the number of attacks.

l Click the name of a certain threat to open the iCenter > Threat page, and then system will
display details of the selected threat event in the list.

l Click All to open the iCenter > Threat page, and then system will display details of all
threat events in the list.

Threat Geographical Distribution
Display the top 5 threat distribution areas by the number of attacks.

l Hover your mouse over the map and scroll the mouse wheel to zoom the map in and out to view the specific location of an attack source, or click the "+" and "-" icons on the left side of the map to zoom in and out.

l Hover your mouse over a certain area to display the number of threats in the area.

Refresh Interval
You can specify the refresh interval as needed, and the system will refresh the statistics on the page according to the time period you set. Otherwise, select Manual and click the refresh icon to refresh the statistics on the page immediately.

Statistical Period
System supports the predefined time cycle and the custom time cycle. Click Last 30 Days on the
top right corner to set the time cycle.

l Last 60 Minutes: Displays the statistical information within the latest 1 hour.

l Last 24 Hours: Displays the statistical information within the latest 1 day.

l Last 7 Days: Displays the statistical information within the latest 1 week.

l Last 30 Days: Displays the statistical information within the latest 1 month.

l Custom: Customize the time cycle. Select Custom to open the Custom Date and Time page, and then select the start time and the end time as needed. The earliest supported start time is 30 days before the current time.

Chapter 3 iCenter
The multi-dimensional features show all the critical assets, risk computers, and threats of the whole network.

Hot Threat Intelligence


The Hot Threat Intelligence page displays the intelligence of hot threats on the Internet, including IPS vulnerabilities, viruses, and threats detected by the cloud sandbox. You can view the details of the hot threats, or carry out protection operations to prevent them. Click iCenter > Hot Threat Intelligence to enter the Hot Threat Intelligence page. For detailed information, see "Hot Threat Intelligence" on Page 406.

Critical Assets
The Critical Assets page displays the detailed information of critical assets and the related threat
information. Click iCenter > Critical Assets to enter the Critical Assets page.

Click the link of the critical asset name in the list to view the following information of this critical
asset:

l Detailed information: Displays the name of the critical asset, the ComputerName/IP (if the computer name cannot be identified, the IP will be displayed), operating system, status, zone, risk level (the white line points to the risk level of this critical asset), and certainty.

l Threat information: Displays the kill chain, threats, and mitigation.

l In the Kill Chain tab, view the attacks and threats to this critical asset that exist in each
stage of the kill chain. A highlighted stage means there are attacks and threats in this
stage. Click this stage to display all threat information in this stage. Click the threat
name in the list to view the threat information.

l In the Threats tab, view all attacks and threats from or to the critical asset.

l In the Mitigation tab, view the mitigation actions and the mitigation rules.

l Statistical information: The statistics about the applications, traffic, and connections related to
the critical asset, including the statistic that the critical asset is the source IP of the sessions,
the statistic that the critical asset is the destination IP of the sessions, and the statistic that the
critical asset is source IP or destination IP.

l Internal connection: The Risk Computers tab displays the computer information that interacts with the critical asset, the Address tab displays traffic and new sessions of IPs that interact with the critical asset, and the Application tab displays traffic and new sessions of applications that interact with the critical asset.

Risk Computers
Risk computer refers to the attacker computer and the victim computer. Based on the threat
level, the Risk Computers tab displays the statistics of all risk computers and threat information of
the whole network. Select iCenter > Risk Computers.

Click a computer name link on the list to view detailed information about the risks, kill chain, and
threat details.

l Detailed information: Displays the computer name/IP (if the computer name cannot be identified, the IP will be displayed), operating system, status, zone, risk level (the white line points to the risk level of this computer), and certainty.

l Kill Chain: View the threat about the risk computer in each phase of the kill chain.

l Threats: View all the threats about the risk computer.

l Mitigation: View all of the mitigation rules and the mitigation action results details of mitigation rules.

For a Mitigation function introduction, see "Mitigation" on Page 410.

Click a threat name link in the list to view the detailed information, source/destination, knowledge base and history about the threat. For a detailed description, see the next section, Threat.

Threat
The Threat tab collects statistics on and displays all threat information of the whole network within the specified period. Click iCenter, and click the Threat tab.

Click a threat name link in the list to view the detailed information, source/destination, knowledge base and history about the threat.

l Threat Analysis: The content of the Threat Analysis tab differs depending on which detection engine detected the threat.

l Anti Virus/IPS: Display the detailed threat information and view or download the
evidence packets.

For the Anti Virus/IPS function introduction, see "Anti Virus" on Page 306/"Intrusion Prevention System" on Page 255.

l Attack Defense/Perimeter Traffic Filtering: Display the threat detailed information.

For the Attack Defense/Perimeter Traffic Filtering function introduction, see "Attack-Defense" on Page 384/"Perimeter Traffic Filtering" on Page 325.

l Sandbox Threat Detection: Display the detailed threat information of the suspicious
file.

For the Sandbox function, see "Sandbox" on Page 362.

l Abnormal Behavior Detection: Display the abnormal behavior detection information.

For the Abnormal Behavior Detection function introduction, see "Abnormal Behavior Detection" on Page 399.

l Advanced Threat Detection: Display the advanced threat detection information, malware reliability information, etc.

For the Advanced Threat Detection function introduction, see "Advanced Threat
Detection" on Page 403.

l Anti-Spam: Display the spam filter information, such as sender and subject of spam.

For the Anti-Spam information, see "Antispam" on Page 313.

l Knowledge Base: Display the specified threat description, solution, etc. of the threats detected by IPS, Abnormal Behavior Detection and Advanced Threat Detection.

l Threat History: Display the selected threat's historical information of the whole network.

l Admin Action: Click the icon to modify the threat state (Ignore, Confirmed, False Positive, Fixed).

In the Admin Action page, enter the configurations.

Option          Description
Change to       Select the state of the threat: Ignore, Confirmed, False Positive or Fixed.
View history    View the analysis history of the selected threat.
Marking Scope   Select the marking scope of the threat entry. The system supports batch tagging of the threat entries with the same source address or the same destination address.
Comment         Specify the comment of the action.

Mitigation
System can identify the potential risks and network attacks dynamically, and take action on the
risk that hits the mitigation rules. For the Mitigation function introduction, see "Mitigation" on
Page 410.

Threat Alarm Rule
A threat alarm rule consists of threat conditions and an action method. When a threat event that meets the threat conditions (such as threat type, severity, behavior category, threat name, etc.) occurs, the system notifies the user in time according to the action method specified in the rule (such as linkage to the firewall, a sound alarm or an email), and the user can then carry out subsequent processing of the threat event. For the Threat Alarm Rule function introduction, see Threat Alarm Rule.

Chapter 4 Monitor
The Monitor module analyzes the traffic via the device and provides the statistics in various
aspects and styles.
System can monitor the following objects:

l User Monitor: Displays the user-based application statistics within the specified period (real-time, latest 1 hour, latest 1 day, latest 1 month). The statistics include the users that use applications, application traffic and applications' concurrent sessions.

l Application Monitor: Displays the application statistics within the specified period (real-time,
latest 1 hour, latest 1 day, latest 1 month). The statistics include the users that used one applic-
ation, application traffic and applications' concurrent sessions.

l Computer Monitor: Displays the statistics of all risky computers of the whole network.

l URL Hit: Displays the accessed URL statistics within the specified period (real-time, latest 1
hour, latest 1 day, latest 1 month). The statistics include the users and IPs who are surfing,
and URLs accessed by users/IPs.

l Service/Network Monitor: Displays the statistics of packet loss rate and latency of service/network nodes.

l Device Monitor: Displays the device statistics within the specified period (real-time, latest 1
hour, latest 1 day, latest 1 month), including the total traffic, interface traffic, zone, Online IP,
new/concurrent sessions, and hardware status.

l Application Block: If system is configured with Security Policy, the application block can
gather statistics on the applications and user/IPs.

l Monitor Configuration: Enable or disable some monitor items as needed.

User Monitor
This feature may vary slightly on different platforms. If there is a conflict between this guide and the actual page, the latter shall prevail.
User monitor displays the application statistics within the specified period (real-time, latest 1 hour, latest 1 day, latest 1 month). The statistics include the application traffic and applications' concurrent sessions.
If IPv6 is enabled, the system supports monitoring both IPv4 and IPv6 addresses.

Notes: Non-root VSYS also supports user monitor, but does not support address
book statistics.

Summary
Summary displays the user traffic/concurrent sessions ranking during a specified period or of specified interfaces/zones. Click Monitor > User Monitor > Summary.

l Select a different Statistical_Period to view the statistical information in that period of time.

l Click the refresh icon to refresh the monitoring data in this page.

l Click the close icon to close the current frame.

l Hover your mouse over a bar to view the user's average upstream traffic, downstream traffic, total traffic or concurrent sessions.

l When displaying the user traffic statistics, the Upstream and Downstream legends are used to
select the statistical objects in the bar chart.

User Details
Click Monitor > User Monitor> User Details.

l Click the filter icon to select the condition in the drop-down list to search the desired users.

l To view the detailed information of a certain user, select the user entry in the list, and click
"+".

l Application (real-time): Select the Application (real-time) tab to display the detailed information of the category, subcategory, risk level, technology, upstream traffic, downstream traffic, and total traffic. Click Details in the list to view the line chart.

l Cloud Application (real-time): Select the Cloud Application tab to display the cloud
application information of selected user.

l URL (real-time): Select the URL tab to display the URL hit count of selected user.

l URL Category (real-time) : Select the URL Category tab to display the URL category hit
count of selected user.

l Traffic: Select the Traffic tab to display the traffic trends of selected user.

l Concurrent Sessions: Select the Concurrent Sessions tab to display the concurrent sessions trends of the selected user.

l Within the user entry list, hover your cursor over a user entry, and a button appears to its right. Click this button and select Add to Black List.

Address Book Details

Click Monitor > User Monitor > Address Book Details.

l Click the filter icon to select the condition in the drop-down list to search the desired address entry.

l To view the detailed information of an address entry, select the address entry in the list, and
click "+".

l Application (real-time): Select the Application (real-time) tab to display the detailed
information of the upstream traffic, downstream traffic, and total traffic. Click Details in
the list to view the line chart.

l Cloud Application(real-time): Select the Cloud Application tab to display the cloud
application information of selected address book.

l User (real-time): Select the User tab to display the total traffic of selected address book.

l Traffic: Select the Traffic tab to display the traffic trends of selected address book.

l Concurrent Sessions: Select the Concurrent Sessions tab to display the concurrent sessions trends of the selected address book.

Monitor Address Book
The monitor address book is a database of user addresses that is used for statistics.

Click Monitor > User Monitor > Select Address Book, and click the icon at the top left corner.

In this page, you can perform the following actions:

l Click the desired address entry to add it to the left list.

l In the left list, click an address entry and click × to remove it from the list.

Statistical Period
System supports the predefined time cycle and the custom time cycle. Click the time button on
the top right corner of each tab to set the time cycle.

l Real-time: Displays the current statistical information.

l Last Hour: Displays the statistical information within the latest 1 hour.

l Last Day: Displays the statistical information within the latest 1 day.

l Last Month: Displays the statistical information within the latest 1 month.

Application Monitor
This feature may vary slightly on different platforms. If there is a conflict between this guide and the actual page, the latter shall prevail.
Application monitor displays the statistics of applications, application categories, application subcategories, application risk levels, application technologies, and application characteristics within the specified period (real-time, latest 1 hour, latest 1 day, latest 1 month). The statistics include the application traffic and applications' concurrent sessions.
If IPv6 is enabled, the system supports monitoring both IPv4 and IPv6 addresses.

Notes: Non-root VSYS also supports application monitor, but does not support to
monitor application group.

Summary
The summary displays the following contents of specified interfaces/zones during a specified
period:

l The concurrent sessions of top 10 hot and high-risk applications.

l The traffic/concurrent sessions of top 10 applications.

l The traffic/concurrent sessions of top 10 application categories.

l The traffic/concurrent sessions of top 10 application subcategories.

l The traffic/concurrent sessions organized by application risk levels.

l The traffic/concurrent sessions organized by application technologies.

l The traffic/concurrent sessions organized by application characteristics.

Click Monitor > Application Monitor > Summary.

l Select different Statistical_Period to view the statistical information in different periods of
time.

l From the drop-down menu, specify the type of statistics: Traffic or Concurrent Sessions.

l Click the refresh icon to refresh the monitoring data in this page.

l Click the close icon to close the current frame.

l Hover your mouse over a bar or a pie graph to view the concrete statistical values of total traffic or concurrent sessions.

Application Details
Click Monitor > Application Monitor > Application Details.

l Click the Time drop-down menu to select a different Statistical_Period to view the statistical information in that period of time.

l Click the filter button and select Application in the drop-down menu. You can search the desired application by entering the keyword of the application's name in the text field.

l To view the detailed information of a certain application, select the application group entry in
the list, and click "+".

l Users (real-time): Select the Users (real-time) tab to display the detailed information of users who are using the selected application. Click the icon in the Details column to see the trends of upstream traffic, downstream traffic, and total traffic.

l Traffic: Select the Traffic tab to display the traffic trends of selected application.

l Concurrent Sessions: Select the Concurrent Sessions tab to display the concurrent ses-
sions trends of the selected application.

l Description: Select the Description tab to display the detailed information of the selec-
ted application.

Group Details
Click Monitor > Application Monitor > Group Details.

l Click the Time drop-down menu to select a different Statistical_Period to view the statistical information in that period of time.

l Click the filter button and select Application Group in the drop-down menu. You can search the desired application group by entering the keyword of the application group name in the text field.

l To view the detailed information of a certain application group, select the application group
entry in the list, and click "+".

l Users (real-time): Select the Users (real-time) tab to display the detailed information of users who are using the selected application group. Click the icon in the Details column to see the trends of the upstream traffic, downstream traffic, and total traffic.

l Application (real-time): Select the Application (real-time) tab to display the detailed information of applications in use which belong to the selected application group. Click the icon in the Details column to see the trends of the upstream traffic, downstream traffic, and total traffic of the selected application.

l Traffic: Select the Traffic tab to display the traffic trends of selected application group.

l Concurrent Sessions: Select the Concurrent Sessions tab to display the concurrent sessions trends of the selected application group.

Select Application Group

Click Monitor > Application Monitor > Select Application Group. There are global application groups in the right column.

In this page, you can perform the following actions:

l Click the desired application group entry to add it to the left list.

l In the left list, click an application group entry and click × to remove it from the list.

Statistical Period
System supports the predefined time cycle and the custom time cycle. Click Real-time on the top
right corner of each tab to set the time cycle.

l Real-time: Displays the current statistical information.

l Last 60 Minutes: Displays the statistical information within the latest 1 hour.

l Last 24 Hours: Displays the statistical information within the latest 1 day.

l Last 30 Days: Displays the statistical information within the latest 1 month.

Computer Monitor
This feature may vary slightly on different platforms. If there is a conflict between this guide and
the actual page, the latter shall prevail.
Computer monitor displays the statistics of all risky computers of the whole network.

Computer Details
Computer details displays the statistics of all risky computers of the whole network.

l Click the filter icon to select the condition in the drop-down list to search for the risky computers.

URL Hit Monitor
After the system is configured with , URL hit monitor displays URL visit statistics of user/IPs,
statistics of accessed URLs and URL categories within the specified period (real-time, latest 1
hour, latest 1 day, latest 1 month).

Summary
Click Monitor > URL Hit > Summary.

l Select a different Statistical_Period to view the statistical information in that period of time.

l Hover your mouse over a bar to view the hit count of User/IP, URL or URL Category.

l Click the icon at the top-right corner of each table to enter the corresponding details page.

l Click the chart icons to switch between the bar chart and the pie chart.

User/IP
Click Monitor > URL Hit > User/IP.

l The User/IPs and detailed hit count are displayed in the list below.

l Click "+" before a User/IP entry in the list to display the corresponding URL hit statistics in
the curve chart below.

l URL Trend: Displays the hit statistics of the selected User/IP, including the real-time
statistics and statistics for the latest 1 hour, 24 hours, and 30 days.

l URL: Displays the URLs' real-time hit count of the selected User/IP. Click the URL link to view the corresponding URL's detailed statistics page. Click the Detail link to view the URL hit trend of the selected User/IP in the URL Filter Details page.

l URL Category: Displays the URL categories' real-time hit count of the selected User/IP. Click the URL category link to view the corresponding URL category's detailed statistics page. Click the Detail link to view the URL category hit trend of the selected User/IP.

l Click the Filter button at the top-left corner. Select User/IP and you can search the User/IP
hit count information by entering the keyword of the username or IP.

URL
Click Monitor > URL Hit > URL.

l The URL, URL category and detailed hit count are displayed in the list below.

l Click "+" before a URL entry in the list to view its detailed statistics.

l Statistics: Displays the hit statistics of the selected URL, including the real-time stat-
istics and statistics for the latest 1 hour, 24 hours, and 30 days.

l User/IP: Displays the User/IP's real-time hit count of the selected URL. Click the User/IP link to view the corresponding user/IP's detailed statistics page. Click the Detail link to view the URL hit trend of the selected user/IP in the URL Filter Details page.

l Click the Filter button at the top-left corner. Select URL and you can search the URL hit
count information by entering the keyword of the URL.

l Click the refresh icon to refresh the real-time data in the list.

URL Category
Click Monitor > URL Hit > URL Category.

l The URL category, count, and traffic are displayed in the list.

l Click "+" before a URL category entry in the list to view its detailed statistics displayed in the
Statistics, URL and User/IP tabs.

l Statistics: Displays the trend of the URL category visits, including the real-time trend
and the trend in the last 60 minutes, 24 hours, and 30 days.

l URL: Displays the visit information of the URLs, contained in the URL category, that
are being visited.

l User/IP: Displays the visit information of the users or IPs that are visiting the URL category.

l Click the refresh icon to refresh the real-time data in the list.

Statistical Period
System supports the predefined time cycle and the custom time cycle. Click the time button on
the top right corner of each tab to set the time cycle.

l Real-time: Displays the current statistical information.

l Last 60 Minutes: Displays the statistical information within the latest 1 hour.

l Last 24 Hours: Displays the statistical information within the latest 1 day.

l Last 30 Days: Displays the statistical information within the latest 1 month.

Service/Network Monitor
This feature may not be available on all platforms. Please check your system's actual page to see if
your device delivers this feature.
The Service/Network Monitor page displays the latency of the service node that connects to the
current Hillstone device and the latency and packet loss rate of the network node. Click Monitor
> Service/Network Monitor.

l Use the table to view the name, detection type, interface, latency, packet loss rate (of network
nodes), and health status of the nodes. Click New.

In the Node Configuration page, enter the service/network node configurations.

Option       Description
Name         Specify the name of the service/network node to be created.
Address      Specify the address of the service/network node.
Interface    Specify the interface that connects to the new node.
Group Name   Specify the name of the group.
Interval     Specify the detection frequency. The range is from 15s to 120s. The default value is 30s.
Type         Specify the detection type. You can choose one type from the following options:

             l Customize. When selecting Customize, proceed to select TCP or UDP and then specify the corresponding port.

             l ICMP.

             l DNS. When selecting DNS, proceed to enter the port and the domain name.

             l FTP. When selecting FTP, proceed to enter the port. To configure the advanced settings, select the Advanced checkbox to provide the username and password for logging into the FTP server and enter the path or file name in the FTP server.

             l IMAP4. When selecting IMAP4, proceed to enter the port.

             l POP3. When selecting POP3, proceed to enter the port.

             l SMTP. When selecting SMTP, proceed to enter the port.

             l LDAP. When selecting LDAP, proceed to enter the port. To configure the advanced settings, select the Advanced checkbox to provide the username and password for logging into the LDAP server.

             l HTTP. When selecting HTTP, proceed to enter the port and the URL.

Test         Click Test to test whether the node is reachable or the service is available.

l Click the filter icon to select the condition in the drop-down list. The nodes that meet the search conditions will be displayed in the table or the topology diagram.

l View the monitor information of a node below the list; see "Viewing Service/Network Node Monitor Information" below.

l Health status of the network nodes:

Health status color   Description
Red                   Unhealthy. The network is unavailable. Latency > 600ms or packet loss rate > 20%.
Yellow                Subhealthy. 150ms <= Latency <= 600ms or 5% <= packet loss rate <= 20%.
Green                 Healthy. Latency < 150ms and packet loss rate < 5%.
Black                 Unknown. For example, when the node configuration is finished and no probe data has been returned yet, the status is black.

l Health status of the service nodes:

Health status color   Description
Red                   Unhealthy. Latency > 4000ms.
Yellow                Subhealthy. 2000ms <= Latency <= 4000ms.
Green                 Healthy. Latency < 2000ms.
Black                 Unknown. For example, when the node configuration is finished and no probe data has been returned yet, the status is black.
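The two health status tables above define colour bands with inclusive boundaries and an "unknown" state for nodes that have not yet returned probe data. The following Python is an added example, not Hillstone's own code, that re-expresses both tables as functions so the boundary cases can be checked; Probe, network_node_health, service_node_health and nodes_needing_attention are names assumed for this illustration, and the probe results at the bottom are constructed sample data.

```python
"""Classify service/network node health from probe results.

Added example, not Hillstone code: it re-expresses the colour thresholds
from the two health status tables above so that the boundary cases can be
checked. Probe, network_node_health, service_node_health and
nodes_needing_attention are names assumed for this illustration; the
sample probe results at the bottom are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Higher number = worse; used to list the worst nodes first.
SEVERITY = {"red": 3, "yellow": 2, "black": 1, "green": 0}


@dataclass
class Probe:
    name: str
    latency_ms: Optional[float]          # None: no probe data returned yet
    loss_pct: Optional[float] = None     # packet loss rate in %, network nodes only


def network_node_health(p: Probe) -> str:
    """Network node table: latency and packet loss both count."""
    if p.latency_ms is None or p.loss_pct is None:
        return "black"                               # Unknown: no probe data yet
    if p.latency_ms > 600 or p.loss_pct > 20:
        return "red"                                 # Unhealthy
    if p.latency_ms >= 150 or p.loss_pct >= 5:
        return "yellow"                              # Subhealthy, boundaries inclusive
    return "green"                                   # Healthy: latency < 150 and loss < 5


def service_node_health(p: Probe) -> str:
    """Service node table: latency only."""
    if p.latency_ms is None:
        return "black"
    if p.latency_ms > 4000:
        return "red"
    if p.latency_ms >= 2000:
        return "yellow"
    return "green"


def nodes_needing_attention(network_nodes, service_nodes):
    """Return (name, colour) pairs for every node that is not green, worst first.

    Black (unknown) is listed too: a node that never reports is a
    monitoring gap, not a healthy node.
    """
    results = [(p.name, network_node_health(p)) for p in network_nodes]
    results += [(p.name, service_node_health(p)) for p in service_nodes]
    flagged = [r for r in results if r[1] != "green"]
    return sorted(flagged, key=lambda r: (-SEVERITY[r[1]], r[0]))


# Constructed sample probe results (not real measurements).
NETWORK_NODES = [
    Probe("core-gw", 12.0, 0.0),
    Probe("branch-link", 150.0, 0.0),    # exactly on the yellow boundary
    Probe("wan-backup", 90.0, 25.0),     # low latency, but loss alone makes it red
    Probe("new-node", None),             # configured, no probe data yet
]
SERVICE_NODES = [
    Probe("ldap", 800.0),
    Probe("mail-relay", 4000.0),         # exactly on the yellow/red boundary: still yellow
    Probe("dns-ext", 4500.0),
]

if __name__ == "__main__":
    for name, colour in nodes_needing_attention(NETWORK_NODES, SERVICE_NODES):
        print(f"{colour:6} {name}")
```

The point worth noticing is that a network node can be red with excellent latency: the loss threshold is evaluated independently, so a lossy link is flagged even when the packets that do arrive are fast.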

Notes: System supports up to 100 nodes.

Viewing Service/Network Node Monitor Information


In the Service/Network Node page, you can view the monitoring results using the following methods:

l Select a node to view the latency/packet loss rate history trend during the latest 1 hour at
the bottom of the page.

l Select a node and click the expand icon at the top-right corner of the history trend chart to expand this chart.

After expanding the chart, you can perform the following actions in the expanded chart:

l In the drop-down menu, select Last Hour, Last Day, Last Week, Last Month or Customize to display the statistics during the selected period of time. When selecting Customize, you can specify the time cycle in the window that appears. The maximum time cycle is 30 days.

l Click Trend Comparison. The Trend Comparison window appears. Choose comparison items from the Choose Comparison Items drop-down menu. The system will display today's history trend and the history trend of the selected items in the trend comparison chart.

Chapter 4 Monitor 102


Device Monitor
This feature may vary slightly on different platforms. If there is a conflict between this guide and the actual page, the latter shall prevail.
The Device page displays the device statistics within the specified period, including the total traffic, sessions, CPU/memory status, hardware status, and key processes.
If IPv6 is enabled, the system monitors both IPv4 and IPv6 addresses.

Notes: The non-root VSYS does not have hardware status.

Summary
The summary displays the device statistics within the last 24 hours. Click Monitor > Device > Summary.

• Total traffic: Displays the total traffic within the specified statistical period.

  • Hover your mouse over the chart to view the total traffic statistics at a specific point in time.

  • Select a different Statistical Period to view the statistical information in that period of time.

  • If IPv6 is enabled, the device traffic shows the total traffic of IPv4 and IPv6.


• Hardware status: Displays the real-time hardware status, including storage, chassis temperature and fan status.

  • Storage: Displays the percentage of disk space utilization.

    • Click Storage for the system to display the disk space utilization trend.

    • Hover your mouse over the chart to view the disk space utilization statistics at a specific point in time.

    • Select a different Statistical Period to view the statistical information in that period of time.

  • Chassis temperature: Displays the current CPU/chassis temperature.

    • Click Chassis Temperature for the system to display the CPU/chassis temperature trend.

    • Hover your mouse over the chart to view the CPU/chassis temperature statistics at a specific point in time.

    • Select a different Statistical Period to view the statistical information in that period of time.

  • Fan status: Displays the operation status of the fan. Green indicates normal, and red indicates an error.

  • Power Status: Displays the status of the power module. Green indicates normal, and red indicates an error or that a power supply module is not in use.

  • Power Status: Displays the information of the power module, including the state of the power module, voltage/current, temperature and fan speed.

• CPU/memory status: Displays the current CPU utilization, memory utilization and CPU temperature statistics of the device/vSSM/vSCM.

  • Click the legends CPU Utilization, Memory Utilization or CPU Temperature to specify the histogram statistical objects. By default, statistics of all objects are displayed.

  • Hover your mouse over the histogram to view the detailed information; the link Details is displayed.

    • Click Details to view the trend of the specified histogram.

    • Hover your mouse over the chart to view CPU utilization, memory utilization or CPU temperature statistics at a specific point in time.

    • Select a different Statistical Period to view the statistical information in a different period of time.

• Sessions: Displays the current session utilization.

  • Hover your mouse over the chart to view the new sessions and concurrent sessions statistics at a specific point in time.

  • Select a different Statistical Period to view the statistical information in a different period of time.

• Key Process: Displays information about key processes on the device, including process name, PID, state, priority, CPU, memory, and runtime.

Statistical Period
The system supports predefined time cycles. The statistical period may vary slightly for different monitored objects. If there is a conflict between this guide and the actual page, the latter shall prevail. Select a statistical period from the drop-down menu at the top right corner of a statistics page to set the time cycle.

• Real-time: Displays the current statistical information.

• Last 60 Minutes: Displays the statistical information within the latest 1 hour.

• Last 24 Hours: Displays the statistical information within the latest 1 day.

• Last 30 Days: Displays the statistical information within the latest 1 month.

Application Block
This feature may not be available on all platforms. Please check your system's actual page to see if your device delivers this feature.
If the system is configured with a "Security Policy" on Page 164, the application block can gather statistics on the blocked applications and users/IPs.
If IPv6 is enabled, the system monitors both IPv4 and IPv6 addresses.

Summary
The summary displays the application block's statistics on the top 10 applications and top 10 users/IPs. Click Monitor > Application Block > Summary.

• Select a different Statistical Period to view the statistical information in that period of time.

• Hover your mouse over a bar to view the block count of the applications and users/IPs.

• Click the icon to switch between the bar chart and the pie chart.

• Click the icon to close the chart.

• Click the icon at the top-right corner of every table to enter the corresponding details page.

Application
Click Monitor > Application Block > Application.

• The applications and their detailed block counts are displayed in the list.

• To view the corresponding application block information for the applications and users/IPs, select the application entry in the list and click "+".

  • Statistics: Displays the block count statistics of the selected application, including the real-time statistics and the statistics for the latest 1 hour, 24 hours and 30 days.

  • User/IP: Displays the users/IPs that are blocked from the selected application. Click a user/IP in the list to display the corresponding block count statistics in the curve chart below. Click the icon to jump to the corresponding User/IP page.

• Click the icon to select the condition in the drop-down list. You can search the application block information by entering a keyword of the application name.

• Click the icon to refresh the real-time data in the list.

User/IP
Click Monitor > Application Block > User/IP.

• The users/IPs and their detailed block counts are displayed in the list.

• Click a user/IP in the list to display the corresponding block count statistics in the curve chart below. Click the icon to jump to the corresponding User/IP page.

• Click the icon to select the condition in the drop-down list. You can search the user/IP information.

Statistical Period
The system supports predefined time cycles and a custom time cycle. Click the icon on the top right corner of each tab to set the time cycle.

• Real-time: Displays the real-time statistical information.

• Last Hour: Displays the statistical information within the latest 1 hour.

• Last Day: Displays the statistical information within the latest 1 day.

• Last Month: Displays the statistical information within the latest 1 month.



Alarm
The alarm feature actively detects protected networks to locate suspicious issues and sends out alarm messages. The rule that defines which behavior should be alerted on is called an alarm rule. The system can analyze alarm messages and display the analysis results in the form of a chart and a timeline. In addition, alarm messages can also be sent to system administrators by email or SMS text, so that the administrator receives alerts immediately and can respond to them.

Alarm as a Monitor
The alarms are shown under the Monitor module. When an occurrence defined in an alarm rule happens, the alarm message is generated and shown in the alarm page. For more information on alarm rules, refer to Alarm Rule.
In the alarm page, alarms are shown in three categories: alarms arranged by time, alarms arranged by severity level, and alarm details.

Alarms by Time
In the Time tab, alarm messages are plotted on a two-dimensional coordinate axis. To see the alarms by time page, select Monitor > Alarm, and select the Time tab.

• Configuring filters: The left vertical axis shows the number of alarms. You may define the conditions to filter alarms.

  • Type: Select one or more types from the drop-down menu and click Add to add them to the right.

  • Severity: Select one or more severity levels. There are three severity levels: critical, warning, and informational.

  • Status: Select a message status from the drop-down menu: all, unread and read.

  • Time: Select the time range in which alarms were generated. You may select to view the last one hour, one day, one week, one month or another user-defined time.

• Hover over a dot (red, yellow or green) and click the link, and you will be redirected to the detail page of that alarm.

• Click the icon to jump to the alarm rules configuration page.

Alarm by Severity
The Severity tab shows the number of alarm messages of different severity levels as bars. Select Monitor > Alarm, and select the Severity tab.

• Configuring filters:

  • Type: Select one or more types from the drop-down menu, and click Add to add them to the right.

  • Status: Select a message status from the drop-down menu: all, unread and read.

  • Time: Select the time range in which alarms were generated. You may select to view the last one hour, one day, one week, one month or another user-defined time.

• Click a bar, and you will be redirected to the alarm details page.

• Click the icon to jump to the alarm rules configuration page.

Alarm Details
Select Monitor > Alarm, and click the All tab. You will be able to see all alarm messages and their detailed information.

• Configuring filters:

  • Last Alarm Time: Select the time range in which alarms were generated. You may select to view the last one hour, one day, one week, one month or another user-defined time.

  • Type: Select one or more types from the drop-down menu and click Add to add them to the right.

  • Severity: Select one or more severity levels. There are three severity levels: critical, warning, and informational.

  • Status: Select a message status from the drop-down menu: all, unread messages and/or read messages.

  • Read at: Select the time at which the message was read.

  • Read by: Select which person has read the message.

  • Comment: Select whether you want to see messages with or without a comment.

  • Reason: Type keywords to search for in the reasons that triggered the alarm.

• To read and comment on alarms, take the following steps:

  • Batch reading: Select the check boxes of all alarm messages you want to read, and click Read Alarm. In the prompt, enter your comment, and click OK.

  • Single reading: Hover your cursor over the Status column and click Read. In the prompt, enter your comment, and click OK.

• To add or modify a comment, take the following steps:

  • Batch adding/modifying: Select the check boxes of all alarm messages you want to comment on, and click Add/Modify Comment. In the prompt, enter your comment, and click OK.

  • Single adding/modifying: Select the check box of the alarm message you want to comment on, and click Add/Modify Comment. In the prompt, enter your comment, and click OK.

• To view every message in an alarm, click the number in the Count column, and you will see every occurrence time of this alarm incident.

• Click the icon to jump to the alarm rules configuration page.



Authenticated User
Displays the users, and their information, that were authenticated by user binding in "Adding User Binding" on Page 579.
Select Monitor > Authenticated User.

• Click the icon and then specify the search conditions: select an AAA server, or enter the user name.

• Click the icon to search.

• Click the icon to delete the search conditions.

• Click the icon to close the search function.

• Click Kick Out under the Operation column to kick the user out.

Monitor Configuration
This feature may not be available on all platforms. Please check your system's actual page to see if your device delivers this feature.
You can enable or disable some monitor items as needed. The monitor items for Auth user are enabled automatically.
To enable/disable a monitor item, take the following steps:

1. Click Monitor > Monitor Configuration.

2. Select or clear the monitor item(s) you want to enable or disable.

3. Select a subnet monitor address book in the IPv4 Subnet Monitor Address Book or IPv6 Subnet Monitor Address Book drop-down list. The system matches traffic sent from the Internet to the subnet against the specified addresses. If matched, the traffic is counted on the subnet side.

4. Click OK.

Notes: After a monitor item is enabled or disabled in the root VSYS, the item is enabled or disabled in all VSYSs (except where the non-root VSYS does not support this monitor item). You cannot enable or disable monitor items in non-root VSYSs.



Chapter 5 Report & Log
This chapter includes the following:

• "Reporting" on Page 116

• "Logging" on Page 133

Reporting
This feature may not be available on all platforms. Please check your system's actual page to see if your device delivers this feature.
The system provides rich and vivid reports that allow you to analyze network risk, network access and device status comprehensively through all-around and multi-dimensional statistics and charts.
You can configure report tasks in "Report Template" on Page 118 and "Report Task" on Page 125, and view generated report files in "Report File" on Page 117.
Related Topics:

• "Report File" on Page 117

• "Report Template" on Page 118

• "Report Task" on Page 125



Report File
Go to Report & Log > Report > Report File; the report file page shows all the generated report files.

• Sort report files by different conditions: Select Group by Time, Group by Task or Group by Status from the drop-down list, and then select a time, task or status from the selection table; the related report files will be shown in the report file table.

• A bold black entry indicates that the report file status is "unread".

• Click Delete to delete the selected report files.

• Click Export; the browser launches the default download tool and downloads the selected report file.

• Click Mark as Read to modify the status of the selected report files.

• Click the icon to select the condition in the drop-down list. In the text box, enter the keyword to search for the report files.

• In the File Type column, click the icon of the report file to preview it. You can preview report files in PDF and HTML format, and you can download report files in WORD format.

Notes: If your browser has enabled "Blocking pop-up windows", you will not see the generated file. Make sure to set your browser to "Always allow pop-up windows", or go to your blocked window history to find the report file.



Report Template
Report templates define all the contents in the report files. To generate a report file, you need to configure the report template first.
Report templates are classified as predefined and user-defined templates, providing a variety of pre-categorized report items.

• Predefined Template: Predefined templates are built into the system. By default, different report items have been selected for each predefined template category. Predefined templates cannot be edited or deleted. The predefined template categories are as follows:

  Global Network and Risk Assessment Report: Statistics of the global network and risk status, covering the overview, network and application traffic, network threats and host details.
  Network and Application Traffic Report: Statistics of the current network situation, covering the network traffic, application traffic and URL hits.
  Network Threat Report: Statistics of the threats in the current network, covering the threat trend, external attackers and threat categories.
  Top 10 Hosts by Application Traffic: Statistics of the top 10 hosts by application traffic, covering the host application traffic, network threats and URL hits.
  Top 10 Hosts by Network Threats: Statistics of the top 10 hosts by network threats, covering the host application traffic, network threats and URL hits.
  Top 10 Hosts by URL Hits: Statistics of the top 10 hosts by URL hits, covering the host application traffic, network threats and URL hits.

• User-defined Template: A report template created as needed. You can select the report items. Up to 32 user-defined templates can be created.

Creating a User-defined Template

To create a user-defined template, take the following steps:

1. Click Report & Log > Report > Template.

2. Click New.

   In the Report Template Configuration page, configure the following values.

   Name: Specifies the name of the report template.
   Content: Select the check box of each report item as needed. By default, all report items are selected. The report items are described as follows:
     • Network and Security Risk Summary: Statistics of the comprehensive and overall assessment of the health status and security risks of the entire network.
     • Network Traffic Details: Statistics of network traffic, helping you better understand the usage of bandwidth, traffic destination and management.
   Description: Specifies the description of the report template.

3. Click OK to complete the user-defined template configuration.

Editing a User-defined Template

To edit a user-defined report template, take the following steps:

1. Click Report & Log > Report > Template.

2. In the templates list, select the user-defined report template entry that needs to be edited.

3. Click Edit.

4. Click OK to save the settings.

Deleting a User-defined Template

To delete a user-defined report template, take the following steps:

1. Click Report & Log > Report > Template.

2. In the templates list, select the user-defined report template entry that needs to be deleted.

3. Click Delete.

Cloning a Report Template

The system supports rapid cloning of a report template. You can clone a current report template and generate a new one by modifying some of its parameters.
To clone a report template, take the following steps:

1. Click Report & Log > Report > Template.

2. In the templates list, select the report template that needs to be cloned.

3. Click the Clone button above the list, and in the Report Template Configuration page, enter the name of the newly cloned report template into the "Name" field.

4. The cloned report template will be generated in the list.


Report Task
The report task is the schedule related to report files. It defines the report template, data range, generation period, generation time, and the output method of report files.
You can configure report tasks and generate report files on the device according to your needs.

Creating a Report Task

To create a report task, take the following steps:

1. Select Report & Log > Report > Report Task.

2. Click New.

   In this page, configure the values of the report task.

   Name: Specifies the name of the report task.
   Description: Specifies the description of the report task. You can modify it according to your requirements.

   Expand Report Template, and select the report template you want to use for the report task.

   Report Template: Specifies the report template to be used by the report task:
     1. Select the report template (predefined report template or created user-defined report template) from the Report Template list on the left.
     2. When the report template is selected, the selected report template list shows the description of the template and the details of the report items on the right.
   You can also click the New or Edit button in the Report Template list on the left to open the Report Template Configuration page and create or edit a user-defined report template quickly.

   Expand Threat Data Range, and configure the IP address range.

   IP: Specifies the IP address range of the report statistics:
     1. Click "+" and then select IPv4/Netmask, IPv4 Range, IPv6/Prefix or IPv6 Range as needed.
     2. Enter the corresponding IP address in the text box.
     3. Click Add to add the specified IP address/IP address range to the drop-down list.
     4. To delete an added address, click the icon after the address in the drop-down list.

   Expand Schedule, and configure the running time of the report task.

   Schedule: The schedule specifies the running time of the report task. The report task can be run periodically or run immediately.
     Periodic: Generates report files as planned.
       • Schedule: Specifies the statistical period.
       • Generate At: Specifies the generation time.
     Generate Now: Generates report files immediately.
       • Specifies the start time and end time of the absolute statistical period in the time text box.
       • Type: Generates the report file based on the data in the specified statistical period.

   Expand Output, and configure the output mode information of the report.

   File Format: Specifies the output format of the report file, including PDF, HTML, and WORD formats.
   Recipient: Sends the report file via email. To add recipients, enter the email addresses in the recipient text box (use ";" to separate multiple email addresses; up to 5 recipients can be configured).
   Send via FTP: Click the Enable button to send the report file to a specified FTP server.
     • Server Name/IP: Specifies the FTP server name or IP address.
     • Virtual Router: Specifies the virtual router of the FTP server.
     • Username: Specifies the username used to log on to the FTP server.
     • Password: Enter the password of the FTP username.
     • Anonymous: Select the check box to log on to the FTP server anonymously.
     • Path: Specifies the location where the report file will be saved.

3. Click OK to complete the report task configuration.

Editing the Report Task

To edit a report task, take the following steps:

1. Select Report & Log > Report > Report Task.

2. In the report task list, select the report task entry that needs to be edited.

3. Click the Edit button at the top to open the Report Task Configuration page and edit the selected report task.

4. Click OK to save the settings.

Deleting the Report Task

To delete a report task, take the following steps:

1. Select Report & Log > Report > Report Task.

2. In the report task list, select the report task entry that needs to be deleted.

3. Click the Delete button at the top to delete the selected report task.

Enabling/Disabling the Report Task

To enable or disable a report task, take the following steps:

1. Select Report & Log > Report > Report Task.

2. Select the task, and click the Enable or Disable button at the top.
   By default, a user-defined task is enabled.



Logging
The Log module records and displays the following logs:

• Threat - logs related to behaviors threatening the protected system, e.g. attack defense logs, AV logs, and IPS logs.

• Event - logs about the system, like ARP logs and login logs.

• Network - logs about network services, like DHCP logs and route logs.

• Configuration - logs about configuration, e.g. interface configuration logs.

• Session - session logs, e.g. session protocols, source and destination IP addresses and ports.

• PBR - logs about policy-based routing.

• NAT - NAT logs, including NAT type, source and destination IP addresses and ports.

• URL - logs about network surfing, e.g. Internet visiting time, web page visiting history, URL filtering logs.

• Content filter logs - logs related to the content filter function, e.g. Web content filter, Web posting, Email filter and HTTP/FTP control.

• Network behavior record logs - logs related to the network behavior record function, e.g. IM behavior, etc.

• CloudSandBox - logs about the sandbox.

System logs record the running status of the device, thus providing information for analysis and evidence.

Log Severity
Event logs are categorized into eight severity levels.

Severity (Level): Description
Emergencies (0): Identifies illegitimate system events.
Alerts (1): Identifies problems which need immediate attention, such as the device being attacked.
Critical (2): Identifies urgent problems, such as hardware failure.
Errors (3): Generates messages for system errors.
Warnings (4): Generates messages for warnings.
Notifications (5): Generates messages for notices and special attention.
Informational (6): Generates informational messages.
Debugging (7): Generates all debugging messages, including daily operational messages.

Destination of Exported Logs

Log messages can be sent to the following destinations:

• Console - The default output destination. You can close this destination via the CLI.

• Remote - Includes Telnet and SSH.

• Buffer - Memory buffer.

• File - By default, the logs are sent to the specified USB destination in the form of a file.

• Syslog Server - Sends logs to a UNIX or Windows Syslog server.

• Email - Sends logs to a specified email account.

Log Format
To facilitate the access and analysis of the system logs, system logs follow a fixed layout of information, i.e. date/time, severity level@module: description. See the example below:
2000-02-05 01:51:21, WARNING@LOGIN: Admin user "admin" logged in through console from localhost.

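A parser for the log layout just described, added here as an example and not part of the Hillstone product or this guide. It reads the guide's sample line plus a few constructed lines into structured records, maps each severity name to its numeric level from the Log Severity table, and applies a lowest-severity threshold of the kind the Log Management page exposes; the singular level spellings (WARNING, as in the sample line) and the SYSTEM module name are assumptions.

```python
"""Parser for the fixed log line layout described in this guide:

    date/time, SEVERITY@MODULE: description

Example code added for this page; it is not part of the product.
"""
import re
from datetime import datetime
from typing import List, NamedTuple, Optional

# Severity names and numeric levels exactly as listed in the Log Severity
# table (0 is the most severe, 7 the least).
SEVERITY_LEVELS = {
    "Emergencies": 0,
    "Alerts": 1,
    "Critical": 2,
    "Errors": 3,
    "Warnings": 4,
    "Notifications": 5,
    "Informational": 6,
    "Debugging": 7,
}

# The guide's sample line spells the level "WARNING" while the table says
# "Warnings", so singular spellings are accepted too. Assumption: the other
# levels follow the same pattern (EMERGENCY, ALERT, ERROR, NOTIFICATION).
_ALIASES = {}
for _name in SEVERITY_LEVELS:
    _ALIASES[_name.upper()] = _name
    _singular = "EMERGENCY" if _name == "Emergencies" else _name.upper().rstrip("S")
    _ALIASES[_singular] = _name

_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), "
    r"(?P<sev>[A-Za-z]+)@(?P<mod>[A-Za-z0-9_-]+): (?P<msg>.*)$"
)


class LogRecord(NamedTuple):
    timestamp: datetime
    severity: str  # canonical table name, e.g. "Warnings"
    level: int  # numeric level from the table
    module: str
    message: str


def parse_log_line(line: str) -> Optional[LogRecord]:
    """Return a LogRecord, or None when the line does not follow the layout
    or names a severity that is not in the table."""
    match = _LINE_RE.match(line.strip())
    if not match:
        return None
    name = _ALIASES.get(match.group("sev").upper())
    if name is None:
        return None
    return LogRecord(
        timestamp=datetime.strptime(match.group("ts"), "%Y-%m-%d %H:%M:%S"),
        severity=name,
        level=SEVERITY_LEVELS[name],
        module=match.group("mod"),
        message=match.group("msg"),
    )


def at_or_above(records: List[LogRecord], lowest: str) -> List[LogRecord]:
    """Keep records at `lowest` severity or more severe, the way the
    "Lowest severity" export option works: a smaller level number means
    more severe, so records with a larger number than the threshold drop."""
    threshold = SEVERITY_LEVELS[_ALIASES[lowest.upper()]]
    return [r for r in records if r.level <= threshold]


# Sample input: the first line is the guide's own example; the others are
# constructed for this example (the SYSTEM module name is invented, and the
# last line is deliberately malformed).
SAMPLE_LINES = [
    '2000-02-05 01:51:21, WARNING@LOGIN: Admin user "admin" logged in '
    "through console from localhost.",
    '2000-02-05 01:52:03, INFORMATIONAL@LOGIN: Admin user "admin" logged out.',
    "2000-02-05 01:53:10, CRITICAL@SYSTEM: Fan 1 status changed to error.",
    "this line does not follow the layout",
]


def demo(lowest: str = "Warnings"):
    """Parse the samples, skipping malformed lines, then apply the threshold."""
    records = [r for r in map(parse_log_line, SAMPLE_LINES) if r is not None]
    return records, at_or_above(records, lowest)


if __name__ == "__main__":
    parsed, kept = demo()
    for rec in parsed:
        print(f"level={rec.level} {rec.severity}@{rec.module}: {rec.message}")
    print(f"{len(kept)} of {len(parsed)} records at Warnings or more severe")
```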
Threat Log
Threat logs can be generated under the following conditions:

• Threat logging in the Logging feature is enabled. Refer to "Managing Logs" on Page 146.

• You have enabled one or more of the following features: "Anti Virus" on Page 306, "Intrusion Prevention System" on Page 255, "Attack-Defense" on Page 384.

To view threat logs, select Report & Log > Log > Threat Log.

• In the Detection Period drop-down menu, specify the detection period to view the logs during the specified time range.

• Click Filter to configure more filter conditions. After configuring the filter conditions, the system will automatically display the matched logs. Click the drop-down menu after Filter and select "Save Filter" to save the current filter conditions, so that next time you can directly select the saved filter conditions and view the corresponding logs.

• Configure: Configure the threat log settings.

• Export: Export all threat logs that match the filter conditions. The separator is used to facilitate importing the logs into other auditing systems.

• Delete: Delete the threat logs in the specified time range.

• Merge Log: Specifies the type of log merging. The system supports merging logs by source IP, destination IP, and threat name. When specified, the logs in the list are displayed after merging. You can enter the IPv4 or IPv6 address if the filter condition is selected as source or destination IP.

• Select a threat log in the table to view its detailed information in the Log Details tab. In the Log Details tab, you can do the following:

  • View the severity, application/protocol, source/destination port, threat start time, end time, and other threat-related information (such as the plain-text SQL command, plain-text URI paths, etc.).

  • Click "ViewPcap" to see the packet capture of the threat, or click "Download" to download the packet to your local machine for viewing. Both IPv6 and IPv4 packets are supported for viewing.

  • Click "Signature ID", "Add Whitelist" or "Disable Rule" to quickly link to the relevant page.

  • If the threat log was detected by the Intrusion Prevention System module or Antivirus, you can click Add Blacklist to add the source IP address of the attacker to the blacklist to block its traffic. In the page that pops up, configure the IP range, schedule, and status of the blacklist entry.

Event Log
This feature may vary slightly on different platforms. Please see the actual page of the feature that your device delivers.
To view event logs, select Report & Log > Log > Event Log.
In this page, you can perform the following actions:

• Filter: Click to add conditions to show logs that match your filter.

• Configure: Click to jump to the configuration page.

• Clear: Click to clear the selected logs.

• Export: Click to export the displayed logs as a TXT or CSV file.

Network Log
This feature may vary slightly on different platforms. Please see the actual page of the feature that your device delivers.
To view network logs, select Report & Log > Log > Network Log.
In this page, you can perform the following actions:

• Filter: Click to add conditions to show logs that match your filter.

• Configure: Click to jump to the configuration page.

• Export: Click to export the displayed logs as a TXT or CSV file.

Configuration Log
This feature may vary slightly on different platforms. Please see the actual page of the feature that your device delivers.
To view configuration logs, select Report & Log > Log > Configuration Log.
In this page, you can perform the following actions:

• Filter: Click to add conditions to show logs that match your filter.

• Configure: Click to jump to the configuration page.

• Export: Click to export the displayed logs as a TXT or CSV file.

Session Log
Session logs can be generated under the following conditions:

• Session logging in the Logging feature is enabled. Refer to "Managing Logs" on Page 146.

• The logging function has been enabled for policy rules. Refer to "Security Policy" on Page 164.

To view session logs, select Report & Log > Log > Session Log.

Notes:
• For ICMP session logs, the system only records the ICMP type value and its code value. As ICMP types 3, 4, 5, 11 and 12 are generated by other communications and are not a complete ICMP session, the system will not record such packets.

• For TCP and UDP session logs, the system checks the packet length first. If the packet length is 20 bytes (i.e., an IP header with no payload), the packet is treated as malformed and dropped; if a packet is over 20 bytes but has errors, the system drops it as well. Such abnormal TCP and UDP packets are therefore not recorded.

PBR Log
PBR logs can be generated under the following conditions:

• PBR logging in the Logging feature is enabled. Refer to "Managing Logs" on Page 146.

• You have enabled the logging function in PBR rules. Refer to "Policy-based Route" on Page 493.

To view PBR logs, select Report & Log > Log > PBR Log.

NAT Log
NAT logs are generated under the following conditions:

• NAT logging in the Logging feature is enabled. Refer to "Managing Logs" on Page 146.

• NAT logging in the NAT rule configuration is enabled. Refer to "Configuring SNAT" on Page 188 and "Configuring DNAT" on Page 199.

To view NAT logs, select Report & Log > Log > NAT Log.

URL Log
URL logs can be generated under the following conditions:

• URL logging in the Logging feature is enabled. Refer to "Managing Logs" on Page 146.

• You have enabled the logging function in URL rules. Refer to "URL Filtering" on Page 339.

To view URL logs, select Report & Log > Log > URL Log.

Content Filter Log


Content Filter logs can be generated under the conditions that:

l Content Filter logging in the Logging feature is enabled. Refer to "Managing Logs" on Page
146.

l You have enabled one or more of the following features: "Web Content" on Page 372 func-
tion.

To view Content Filter logs, select Report & Log > Log > Content Filter.

l Filter: Click to add conditions to show logs that match your filter.

l Configure: Click to jump to the configuration page.

Logging 143
l Clear: Click to delete all the displayed logs.

l Export: Click to export the displayed logs as a TXT or CSV file.

Network Behavior Record Log


Network Behavior Record logs can be generated under the conditions that:

l Network Behavior Record logging in the Logging feature is enabled. Refer to "Managing
Logs" on Page 146.

l You have enabled the function of"Network Behavior Record" on Page 377.

To view Network Behavior Record logs, select Report & Log > Log > Network Behavior
Record.

l Filter: Click to add conditions to show logs that match your filter.

l Configure: Click to jump to the configuration page.

l Clear: Click to delete all the displayed logs.

l Export: Click to export the displayed logs as a TXT or CSV file.

CloudSandBox Log
This feature may vary slightly between platforms. Refer to the actual page of the feature that your device delivers.
To view sandbox logs, select Report & Log > Log > Cloud SandBox Log.
In this page, you can perform the following actions:

- Filter: Click to add conditions to show logs that match your filter. You can enter an IPv4 or IPv6 address if the filter condition is source or destination IP.

- Configure: Click to jump to the CloudSandBox page.

- Clear: Click to delete all the displayed logs.

- Export: Click to export the displayed logs as a TXT or CSV file.
Managing Logs
In the Log Management page, you can configure log settings, log servers, Web emails, and UNIX
servers.

Configuring Log Settings

To configure parameters of different log types:

1. Select Log > Log Management.

2. With a tab active, configure the corresponding settings.

Threat Log

Option         Description

Enable         Select this check box to enable threat logging.

Terminal       Send threat logs to terminals.
               - Lowest severity: the lowest severity level to export. Logs below the selected level are not exported.

Cache          Export threat logs to the cache.
               - Lowest severity: logs below the selected severity level are not exported.
               - Max buffer size: the maximum size of the cached threat logs. The default value varies by hardware platform.

File           Export threat logs as a file to a USB device.
               - Lowest severity: logs below the selected severity level are not exported.
               - Max File Size: the maximum size of the exported log file.
               - Save logs to USB: select a USB device and enter a name for the log file.

Log Server     Export threat logs to a log server.
               - View Log Server: click to see all existing log servers or to add a new server.
               - Lowest severity: logs below the selected severity level are not exported.
               - Syslog Distribution Methods: select the check box to spread log messages over the configured log servers, which relieves the load on a single log server. The algorithm can be Round Robin or Src IP Hash, and the distributed logs can be sent in binary or text format.

Email address  Select the check box to export threat logs to the specified email addresses.
               - Lowest severity: logs below the selected severity level are not exported.
               - View Email Address: click to see or add email addresses.
Event Log

Option         Description

Enable         Select the check box to enable event logging.

Console        Select the check box to send event logs to the console.
               - Lowest severity: logs below the selected severity level are not exported.

Terminal       Select the check box to send event logs to terminals.
               - Lowest severity: logs below the selected severity level are not exported.

Cache          Select the check box to send event logs to the cache.
               - Lowest severity: logs below the selected severity level are not exported.
               - Max buffer size: the maximum size of the cached logs. The default value varies by hardware platform.

File           Select the check box to send event logs to a file.
               - Lowest severity: logs below the selected severity level are not exported.
               - Max file size: the maximum size of the log file. The value range is 4096 to 4294967295 bytes; the default is 1048576 bytes.
               - Save logs to USB: select the check box, select a USB drive from the drop-down list, and type a name for the file in the File Name text box.

Log server     Select the check box to export event logs to a log server.
               - View Log Server: click to see all existing log servers or to add a new server.
               - Lowest severity: logs below the selected severity level are not exported.

Email address  Select the check box to send event logs to email addresses.
               - View Email Address: click to see all existing email addresses or add a new address.
               - Lowest severity: logs below the selected severity level are not exported.
Network Log

Option         Description

Enable         Select the check box to enable network logging.

Cache          Select the check box to export network logs to the cache.
               - Max buffer size: the maximum size of the cached network logs. The value range is 4096 to 4294967295 bytes. The default value varies by hardware platform.

Log server     Select the check box to export network logs to a log server.
               - View Log Server: click to see all existing log servers or to add a new server.
Configuration Log

Option                     Description

Enable                     Select the check box to enable configuration logging.

Cache                      Select the check box to export configuration logs to the cache.
                           - Max buffer size: the maximum size of the cached configuration logs. The value range is 4096 to 4294967295 bytes. The default value varies by hardware platform.

Log Server                 Select the check box to export configuration logs to a log server.
                           - View Log Server: click to see all existing log servers or to add a new server.

Log Generating Limitation  Select the check box to cap the rate at which configuration logs are generated.
                           - Maximum Speed: the maximum rate, in messages per second.
Session Log

Option         Description

Enable         Select the check box to enable session logging.
               - Record User Name: select to show the user's name in session log messages.
               - Record Host Name: select to show the host's name in session log messages.

Cache          Select the check box to export session logs to the cache.
               - Max buffer size: the maximum size of the cached session logs. The value range is 4096 to 4294967295 bytes. The default value varies by hardware platform.

Log Server     Select the check box to export session logs to syslog servers.
               - View Log Server: click to see all existing syslog servers or to add a new server.
               - Syslog Distribution Methods: select the check box to spread log messages over the configured log servers, which relieves the load on a single log server. The algorithm can be Round Robin or Src IP Hash, and the distributed logs can be sent in binary or text format.
PBR Log

Option         Description

Enable         Select the check box to enable PBR logging.
               - Record User Name: select to show the user's name in PBR log messages.
               - Record Host Name: select to show the host's name in PBR log messages.

Cache          Select the check box to export PBR logs to the cache.
               - Max buffer size: the maximum size of the cached PBR logs. The value range is 4096 to 4294967295 bytes. The default value varies by hardware platform.

Log Server     Select the check box to export PBR logs to log servers.
               - View Log Server: click to see all existing log servers or to add a new server.
               - Syslog Distribution Methods: select the check box to spread log messages over the configured log servers, which relieves the load on a single log server. The algorithm can be Round Robin or Src IP Hash, and the distributed logs can be sent in binary or text format.
NAT Log

Option         Description

Enable         Select the check box to enable NAT logging.
               - Record Host Name: select to show the host's name in NAT log messages.

Cache          Select the check box to export NAT logs to the cache.
               - Max buffer size: the maximum size of the cached NAT logs. The default value varies by hardware platform.

Log Server     Select the check box to export NAT logs to log servers.
               - View Log Server: click to see all existing log servers or to add a new server.
               - Syslog Distribution Methods: select the check box to spread log messages over the configured log servers, which relieves the load on a single log server. The algorithm can be Round Robin or Src IP Hash, and the distributed logs can be sent in binary or text format.
URL Log

Option         Description

Enable         Select the check box to enable URL logging.
               - Record Host Name: select to show the host's name in URL logs.

Cache          Select the check box to export URL logs to the cache.
               - Max buffer size: the maximum size of the cached URL logs. The default value varies by hardware platform.

Log Server     Select the check box to export URL logs to a log server.
               - View Log Server: click to see all existing log servers or to add a new server.
               - Syslog Distribution Methods: select the check box to spread log messages over the configured log servers, which relieves the load on a single log server. The algorithm can be Round Robin or Src IP Hash, and the distributed logs can be sent in binary or text format.
Content Filter Log

Option         Description

Enable         Select the check box to enable content filter logging.

Cache          Select the check box to export content filter logs to the cache.
               - Max buffer size: the maximum size of the cached content filter logs. The default value varies by hardware platform.

Log Server     Select the check box to export content filter logs to a log server.
               - View Log Server: click to see all existing log servers or to add a new server.
               - Syslog Distribution Methods: select the check box to spread log messages over the configured log servers, which relieves the load on a single log server. The algorithm can be Round Robin or Src IP Hash, and the distributed logs can be sent in binary or text format.
Network Behavior Record Log

Option         Description

Enable         Select the check box to enable network behavior record logging.

Cache          Select the check box to export network behavior record logs to the cache.
               - Max buffer size: the maximum size of the cached network behavior record logs. The default value varies by hardware platform.

Log Server     Select the check box to export network behavior record logs to a log server.
               - View Log Server: click to see all existing log servers or to add a new server.
               - Syslog Distribution Methods: select the check box to spread log messages over the configured log servers, which relieves the load on a single log server. The algorithm can be Round Robin or Src IP Hash, and the distributed logs can be sent in binary or text format.
CloudSandBox Log

Option         Description

Enable         Select the check box to enable CloudSandBox logging.

Cache          Select the check box to export CloudSandBox logs to the cache.
               - Max buffer size: the maximum size of the cached CloudSandBox logs. The default value varies by hardware platform.

Log Server     Select the check box to export CloudSandBox logs to a log server.
               - View Log Server: click to see all existing log servers or to add a new server.
               - Syslog Distribution Methods: select the check box to spread log messages over the configured log servers, which relieves the load on a single log server. The algorithm can be Round Robin or Src IP Hash, and the distributed logs can be sent in binary or text format.

3. Click OK.
Creating a Log Server

To create a log server:

1. Select Log > Log Management.

2. On the right top corner, click Config > Log Server.

3. Click New. In the Log Server dialog box, enter values.

Option      Description

Host name   Enter the host name or IP address of the log server.

Binding     Specifies the source IP address from which logs are sent.
            - Source Interface: select Source Interface and then select a source interface from the drop-down list. The device uses the IP address of that interface as the source IP when sending logs to the syslog server. If a management IP address is configured on the interface, the management IP address is preferred.

Protocol    Specifies the transport protocol of the log server. If "Secure-TCP" is selected, you can select the Do not validate the server certificate option, and the system will send logs without requiring any certificate. With validation disabled, the TLS session still encrypts the logs in transit but no longer authenticates the receiver, so anyone who can redirect the traffic can collect the logs; keep validation enabled and install the server's CA certificate wherever possible.

Port        Specifies the port number of the syslog server.

Log Type    Specifies the log types the syslog server will receive.

4. Click OK to save the settings.

5. Click the Log Encoding Config button in the upper right corner to open the Log Encoding Config dialog box.

6. Select the check box to enable GBK encoding.

7. Click OK to save the settings.

Notes: You can add at most 15 log servers.

Adding Email Address to Receive Logs

An email in log management setting is an email address for receiving log messages.
To add an email address:

1. Select Log > Log Management.

2. On the right top corner, click Config > Web Mail.

3. Enter an email address and click Add.

4. If you want to delete an existing email, click Delete.

5. Click OK.

Notes: You can add at most 3 email addresses.

Specifying a Unix Server

To specify a Unix server to receive logs:

1. Select Log > Log Management.

2. On the right top corner, click Config > Facility Configuration.

3. Select a device you want, the logs will be exported to that Unix server.

4. Click OK.
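The tables under Configuring Log Settings, the Log Server dialog and the Facility Configuration page together define one export path: a per-destination "lowest severity" filter, the "Log Generating Limitation" cap in messages per second, distribution of messages over several log servers by Round Robin or Src IP Hash, the transport (including Secure-TCP with certificate validation switched off) and a syslog facility. The following Python model is an added example, not code from the Hillstone guide, that reproduces that behaviour end to end so the effect of each setting can be checked. The severity names and their mapping to syslog numeric values, the one-second window used for the rate cap, the wire format of the message, and the `insecure_servers` check are assumptions of this example; the log records are constructed for the demo.

```python
"""Model of the log export path configured under Managing Logs.

Added example, not code from the Hillstone guide. Severity names, their mapping
to RFC 5424 numeric values, the one-second rate window, the message layout and
the insecure_servers() check are assumptions; records below are constructed.
"""
import zlib
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed mapping of the severity levels to syslog numeric values (0 = most severe).
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notification", "information", "debugging"]
# Facilities selectable under Facility Configuration, as syslog facility numbers.
FACILITIES = {"local%d" % i: 16 + i for i in range(8)}


@dataclass
class LogServer:
    host: str
    port: int = 514
    protocol: str = "udp"          # udp, tcp or secure-tcp, as in the Log Server dialog
    validate_cert: bool = True     # False models "Do not validate the server certificate"


@dataclass
class ExportPolicy:
    servers: List[LogServer]
    lowest_severity: str = "information"   # logs below this level are not exported
    method: str = "round_robin"            # Syslog Distribution Method: round_robin or src_ip_hash
    max_per_second: Optional[int] = None   # Log Generating Limitation; None means unlimited
    facility: str = "local0"
    _rr_index: int = field(default=0, init=False, repr=False)
    _window: int = field(default=-1, init=False, repr=False)
    _sent_in_window: int = field(default=0, init=False, repr=False)

    def severity_allowed(self, severity: str) -> bool:
        # A larger numeric value is a less severe message, so "below" means a larger index.
        return SEVERITIES.index(severity) <= SEVERITIES.index(self.lowest_severity)

    def rate_allowed(self, now: float) -> bool:
        """Fixed one-second window: at most max_per_second messages per wall-clock second."""
        if self.max_per_second is None:
            return True
        window = int(now)
        if window != self._window:
            self._window, self._sent_in_window = window, 0
        if self._sent_in_window >= self.max_per_second:
            return False
        self._sent_in_window += 1
        return True

    def pick_server(self, src_ip: str) -> LogServer:
        if self.method == "src_ip_hash":
            # Stable hash: every record for one source IP lands on the same server.
            return self.servers[zlib.crc32(src_ip.encode()) % len(self.servers)]
        server = self.servers[self._rr_index % len(self.servers)]
        self._rr_index += 1
        return server

    def export(self, record: dict, now: float) -> Optional[tuple]:
        """Return (server, wire_message), or None when the record is filtered out."""
        if not self.severity_allowed(record["severity"]):
            return None            # filtered records do not consume rate budget
        if not self.rate_allowed(now):
            return None
        server = self.pick_server(record["src_ip"])
        pri = FACILITIES[self.facility] * 8 + SEVERITIES.index(record["severity"])
        text = "<%d>%s: src=%s %s" % (pri, record["type"], record["src_ip"], record["msg"])
        return server, text


def insecure_servers(policy: ExportPolicy) -> List[LogServer]:
    """Servers reached over Secure-TCP with certificate validation off: the logs are
    encrypted in transit but the receiver is not authenticated."""
    return [s for s in policy.servers if s.protocol == "secure-tcp" and not s.validate_cert]


def demo():
    """Run constructed sample records through a two-server policy with a 2 msg/s cap."""
    servers = [LogServer("10.1.1.10"),
               LogServer("10.1.1.11", 6514, "secure-tcp", validate_cert=False)]
    policy = ExportPolicy(servers, lowest_severity="warning",
                          method="src_ip_hash", max_per_second=2)
    records = [  # constructed sample records
        {"type": "THREAT", "severity": "critical", "src_ip": "192.0.2.10", "msg": "IPS signature hit"},
        {"type": "THREAT", "severity": "information", "src_ip": "192.0.2.10", "msg": "scan heuristic"},
        {"type": "EVENT", "severity": "error", "src_ip": "192.0.2.11", "msg": "link down"},
        {"type": "EVENT", "severity": "alert", "src_ip": "192.0.2.12", "msg": "admin login failed"},
    ]
    return [policy.export(r, now=100.0) for r in records]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

In the demo the second record is dropped by the severity filter and the fourth by the rate cap, which is the practical point of "Log Generating Limitation": a burst of configuration changes or alerts above the cap is silently lost, so size the cap against the busiest period you expect rather than the average. `insecure_servers()` flags the second server, which is the configuration the Protocol row above warns about.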

Chapter 6 Configuration Management

This chapter includes the following:

- "Policy" on Page 163

- "Security Protection Configuration" on Page 253

- "Network Configuration" on Page 422

- "Object Configuration" on Page 519

- "System Configuration" on Page 596

System and Signature Database


You can view system information and signature database information in this page.

Viewing System and Signature DB Information


To view system and signature DB information, select Configuration Management > System and
Signature Database.

System Information

Serial Number    Shows the serial number of the device.

Hostname         Shows the name of the device.

Platform         Shows the platform model of the device.

System Time      Shows the system date and time of the device.

System Uptime    Shows the system uptime of the device.

HA State         Shows the HA status of the device.
                 - Standalone: Non-HA mode; HA is disabled.
                 - Init: Initial state.
                 - Hello: Negotiation state; the device is negotiating the master/backup relationship.
                 - Master: The current device is the master.
                 - Backup: The current device is the backup.
                 - Failed: Fault state; the device has failed.

Firmware         Shows the current firmware version of the device.

Boot File        Shows the current boot file of the device.

Signature DB Information

Anti-Virus Signature                   Shows the current version of the antivirus signature database and the date of the last update.

IPS Signature                          Shows the current version of the IPS signature database and the date of the last update.

Botnet C&C Prevention Signature        Shows the current version of the Botnet C&C Prevention signature database and the date of the last update.

URL Category Database                  Shows the current version of the URL signature database and the date of the last update.

Application Identification Database    Shows the current version of the application signature database and the date of the last update.

Sandbox Whitelist Database             Shows the current version of the Sandbox Whitelist database and the date of the last update.

IP Reputation Database                 Shows the current version of the perimeter traffic filtering signature database and the date of the last update.

Mitigation Signature                   Shows the current version of the mitigation signature database and the date of the last update.

Abnormal Behavior Detection Signature  Shows the current version of the abnormal behavior detection signature database and the date of the last update.

Advanced Threat Detection Signature    Shows the current version of the advanced threat detection signature database and the date of the last update.

Notes: All signature databases are license controlled, so make sure the corresponding license is installed on your system. Refer to "License" on Page 636.
Policy
The Policy module provides the following functions:

- Security policy: Security policy is the basic function of the device; it controls traffic forwarding between security zones/segments. By default all traffic between security zones/segments is denied.

- NAT: When IP packets pass through the device or a router, it translates the source IP address and/or the destination IP address in the packets.

- Session limit: The session limit function limits the number of sessions and controls the session rate per source IP address, destination IP address, specified IP address, service, or role/user/user group, thereby protecting against DoS attacks.

- ARP defense: The ARP defense function protects your network against various ARP attacks.

- URL filter: URL filter controls access to certain websites and records log messages for the access actions.

- Global blacklist: After IP addresses or services are added to the global blacklist, the system blocks that IP address or service until the block duration ends.
Security Policy
Security policy is the basic function of the device and is designed to control traffic forwarding between security zones/segments. Without security policy rules, the device denies all traffic between security zones/segments by default. Once security policy rules are configured, the device permits the traffic between zones or segments that the rules identify and denies everything else.
The basic elements of a policy rule:

- The source zone and address of the traffic

- The destination zone and address of the traffic

- The service type of the traffic

- The action the device performs on that traffic: Permit or Deny.

Generally a security policy rule consists of two parts: filtering conditions and an action. You set the filtering conditions by specifying the traffic's source zone/address, destination zone/address, service type and user. Each policy rule is labeled with a unique ID that is generated automatically when the rule is created; you can also specify a rule ID of your own. All policy rules in the system are arranged in a specific order. When traffic enters the device, the device checks the policy rules in turn and processes the traffic according to the first rule that matches, so a broad permit placed above a narrower deny silently shadows it.
The maximum number of global security policy rules varies by model.
Security policy supports IPv4 and IPv6 addresses. If IPv6 is enabled, you can configure IPv6 address entries for a policy rule.
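The paragraph above describes the matching model (ordered rules, first match wins, default deny, auto-generated IDs), and the Service option under Configuring a Security Policy Rule describes the service rule fields (TCP/UDP destination port Min required, Max defaulting to the single Min value, ICMP type with a code range). The following Python program is an added example, not code from the Hillstone guide or the device, that implements that model so rule order can be reasoned about before a change goes live. The zone names, address book entries expressed as CIDR strings, the flow fields and the demo rules are constructed for the example; it generalises the text slightly by also checking that a rule's Min does not exceed its Max when the rule is built.

```python
"""First-match evaluation of security policy rules.

Added example, not code from the Hillstone guide. It models the semantics the
section describes: rules consulted in order, first match decides, no match is
denied, IDs auto-generated unless given, and service rules with port ranges
where an unset Max means the single Min value. Zones, addresses and flows are
constructed for the demo; the field names are assumptions of this example.
"""
import ipaddress
from dataclasses import dataclass, field
from itertools import count
from typing import List, Optional, Tuple

_ids = count(1)   # auto-generated rule IDs, as the text describes


@dataclass
class ServiceRule:
    proto: str                          # "tcp", "udp", "icmp" or "any"
    dport_min: Optional[int] = None     # the required destination-port "Min" for TCP/UDP
    dport_max: Optional[int] = None     # unset => the single port dport_min
    sport_min: Optional[int] = None     # unset => any source port
    sport_max: Optional[int] = None
    icmp_type: Optional[int] = None     # unset => any ICMP type
    code_min: int = 0
    code_max: Optional[int] = None      # unset => the single code code_min

    def __post_init__(self):
        if self.proto in ("tcp", "udp"):
            if self.dport_min is None:
                raise ValueError("destination port Min is required for TCP/UDP")
            if self.dport_max is None:
                self.dport_max = self.dport_min
            if self.sport_min is not None and self.sport_max is None:
                self.sport_max = self.sport_min
            if self.dport_min > self.dport_max or (
                    self.sport_min is not None and self.sport_min > self.sport_max):
                raise ValueError("Min port cannot exceed Max port")
        elif self.proto == "icmp":
            if self.code_max is None:
                self.code_max = self.code_min
            if self.code_min > self.code_max:
                raise ValueError("Min code cannot exceed Max code")

    def matches(self, flow: "Flow") -> bool:
        if self.proto == "any":
            return True
        if self.proto != flow.proto:
            return False
        if self.proto == "icmp":
            return (self.icmp_type is None or self.icmp_type == flow.icmp_type) \
                and self.code_min <= flow.icmp_code <= self.code_max
        return self.dport_min <= flow.dport <= self.dport_max and (
            self.sport_min is None or self.sport_min <= flow.sport <= self.sport_max)


@dataclass
class Flow:
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_ip: str
    proto: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0
    icmp_code: int = 0


@dataclass
class PolicyRule:
    name: str
    src_zone: str = "any"
    src_addr: Tuple[str, ...] = ("any",)    # address entries as CIDR strings, or "any"
    dst_zone: str = "any"
    dst_addr: Tuple[str, ...] = ("any",)
    services: Tuple[ServiceRule, ...] = (ServiceRule("any"),)
    action: str = "deny"                    # permit or deny
    enabled: bool = True
    log: bool = False
    id: int = field(default_factory=lambda: next(_ids))

    @staticmethod
    def _addr_match(entries, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return "any" in entries or any(
            addr in ipaddress.ip_network(e, strict=False) for e in entries)

    def matches(self, flow: Flow) -> bool:
        return (self.enabled
                and self.src_zone in ("any", flow.src_zone)
                and self.dst_zone in ("any", flow.dst_zone)
                and self._addr_match(self.src_addr, flow.src_ip)
                and self._addr_match(self.dst_addr, flow.dst_ip)
                and any(s.matches(flow) for s in self.services))


def evaluate(rules: List[PolicyRule], flow: Flow) -> Tuple[str, Optional[int]]:
    """Walk the ordered rule list; the first match decides, no match means deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.id
    return "deny", None


def demo_rules() -> List[PolicyRule]:
    """Constructed rule set: a deny for SSH into the DMZ sits above a broad TCP permit."""
    return [
        PolicyRule("allow-web", "trust", ("10.0.0.0/8",), "untrust", ("any",),
                   (ServiceRule("tcp", 80), ServiceRule("tcp", 443)), action="permit", log=True),
        PolicyRule("allow-ping", "trust", ("10.0.0.0/8",), "untrust",
                   services=(ServiceRule("icmp", icmp_type=8),), action="permit"),
        PolicyRule("block-dmz-ssh", "any", ("any",), "dmz", ("192.168.10.0/24",),
                   (ServiceRule("tcp", 22),), action="deny", log=True),
        PolicyRule("dmz-tcp", "trust", ("10.0.0.0/8",), "dmz", ("192.168.10.0/24",),
                   (ServiceRule("tcp", 1, 65535),), action="permit"),
    ]


if __name__ == "__main__":
    rules = demo_rules()
    ssh = Flow("trust", "10.1.2.3", "dmz", "192.168.10.7", "tcp", 51000, 22)
    print("as configured:", evaluate(rules, ssh))
    print("deny moved below the permit:", evaluate(list(reversed(rules)), ssh))
```

Running the demo shows the same SSH flow denied by `block-dmz-ssh` in the configured order and permitted by `dmz-tcp` once the order is reversed, which is exactly the kind of shadowing the rule redundancy check mentioned later in this section is meant to surface.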
This section contains the following contents:

- Configure a security policy rule

- Manage the security policy rules: enable/disable a policy rule, clone a policy rule, export or import policy rules, adjust security rule position, view and clear policy hit count, hit count check, and rule redundancy check.

- View and search the security policy rules

Configuring a Security Policy Rule

To configure a security policy rule, take the following steps:

1. Select Configuration Management > Policy > Security Policy > Policy.

2. At the top-left corner, click New to open the Policy Configuration page.

Configure the corresponding options.

Option       Description

Name         Type the name of the security policy rule.

Type         Select the IP type, IPv4 or IPv6. Only IPv6 firmware can configure the IPv6 type. If IPv6 is selected, the IPv6/prefix, IP range and address book entries must all be configured in IPv6 format.

Source Information

Zone         Specifies a source zone.

Address      Specifies the source addresses.
             1. Select an address type from the Address drop-down list.
             2. Select or type the source addresses based on the selected type.
             3. Click Add to add the addresses to the left pane.
             4. After adding the desired addresses, click Close to complete the source address configuration.
             You can also perform other operations:
             - When selecting the Address Book type, you can click the icon to create a new address entry.
             - The default address configuration is any. To restore this default, select the any check box.

User         Specifies a role, user or user group for the security policy rule.
             1. From the User drop-down menu, select the AAA server where the users and user groups reside. To specify a role, select Role from the AAA Server/Role drop-down list.
             2. Depending on the type of AAA server, you can search for a user/user group/role, expand the user/user group list, or enter the name of the user/user group.
             3. After selecting users/user groups/roles, click the selected users/user groups/roles to add them to the left pane.
             4. After adding the desired objects, click Close to complete the user configuration.

Destination

Zone         Specifies a destination zone.

Address      Specifies the destination addresses.
             1. Select an address type from the Address drop-down list.
             2. Select or type the destination addresses based on the selected type.
             3. Click Add to add the addresses to the left pane.
             4. After adding the desired addresses, click Close to complete the destination address configuration.
             You can also perform other operations:
             - When selecting the Address Book type, you can click the icon to create a new address entry.
             - The default address configuration is any. To restore this default, select the any check box.
Other Information

Service      Specifies a service or service group.
             1. From the Service drop-down menu, select a type: Service or Service Group.
             2. Search for the desired service/service group, or expand the service/service group list.
             3. After selecting the desired services/service groups, click the selected services/service groups to add them to the left pane.
             4. After adding the desired objects, click Close to complete the service configuration.
             You can also perform other operations:
             - To add a new service or service group, select User-defined from the Predefined drop-down menu and click the icon.
             - The default service configuration is any. To restore this default, select the any check box.

             Specifies a service rule.
             When configuring the service of a policy rule, you can add a predefined or user-defined service that has been configured in the service book. When the required service does not exist in the service book, the administrator can instead specify the protocol type and port number directly by configuring a service rule, which simplifies policy configuration. Multiple service items can be added if needed.
             1. From the Service drop-down menu, select the type Service Rule.
             2. From the Protocol Type drop-down menu, select a protocol type: TCP, UDP, ICMP, ICMPv6 or All. The parameters for each protocol type are described as follows:
             TCP/UDP:
             - Destination port:
               - Min: the minimum port number of the service rule.
               - Max: the maximum port number of the service rule. The value range is 0 to 65535.
             - Source port:
               - Min: the minimum port number of the service rule.
               - Max: the maximum port number of the service rule. The value range is 0 to 65535.
             Notes:
             - The minimum port number cannot exceed the maximum port number.
             - The "Min" of the destination port is required; the other options are optional.
             - If "Max" is not configured, the system uses "Min" as the single port.
             ICMP:
             - Type: specifies an ICMP type for the service rule. The value range is 0 (Echo Reply), 3 (Destination Unreachable), 4 (Source Quench), 5 (Redirect), 8 (Echo), 11 (Time Exceeded), 12 (Parameter Problem), 13 (Timestamp), 14 (Timestamp Reply), 15 (Information Request), 16 (Information Reply), 17 (Address Mask Request), 18 (Address Mask Reply), 30 (Traceroute), 31 (Datagram Conversion Error), 32 (Mobile Host Redirect), 33 (IPv6 Where-Are-You), 34 (IPv6 I-Am-Here), 35 (Mobile Registration Request), 36 (Mobile Registration Reply).
             - Code: specifies a minimum and maximum value for the ICMP code. The value range is 0 to 15; the default is min code 0, max code 15.
             Notes:
             - The minimum code cannot exceed the maximum code.
             - If "Max" is not configured, the system uses "Min" as the single code.
             ICMPv6:
             - Type: specifies an ICMPv6 type for the service rule. The value range is 1 (Destination Unreachable), 2 (Packet Too Big), 3 (Time Exceeded), 4 (Parameter Problem), 100 (Private experimentation), 101 (Private experimentation), 127 (Reserved for expansion of ICMPv6 error messages), 128 (Echo Request), 129 (Echo Reply), 130 (Multicast Listener Query), 131 (Multicast Listener Report), 132 (Multicast Listener Done), 133 (Router Solicitation), 134 (Router Advertisement), 135 (Neighbor Solicitation), 136 (Neighbor Advertisement), 137 (Redirect Message), 138 (Router Renumbering), 139 (ICMP Node Information Query), 140 (ICMP Node Information Response), 141 (Inverse Neighbor Discovery Solicitation Message), 142 (Inverse Neighbor Discovery Advertisement Message), 143 (Version 2 Multicast Listener Report), 144 (Home Agent Address Discovery Request Message), 145 (Home Agent Address Discovery Reply Message), 146 (Mobile Prefix Solicitation), 147 (Mobile Prefix Advertisement), 148 (Certification Path Solicitation Message), 149 (Certification Path Advertisement Message), 150 (ICMP message utilized by experimental mobility protocols such as Seamoby), 151 (Multicast Router Advertisement), 152 (Multicast Router Solicitation), 153.
             - Code: specifies a minimum and maximum value for the ICMPv6 code. The value range is 0 to 255; the default is min code 0, max code 255.
             Notes:
             - The minimum code cannot exceed the maximum code.
             - If "Max" is not configured, the system uses "Min" as the single code.
             All:
             - Protocol: specifies a protocol name for the service rule. For a protocol the system does not know by name, enter the corresponding protocol number directly.
             3. Click Add to add the configured service rules to the list on the left.
             4. Click Close.

Application  Specifies an application, application group or application filter.
             1. From the Application drop-down menu, search for the desired application/application group/application filter, or expand the list of applications/application groups/application filters.
             2. After selecting the desired applications/application groups/application filters, click the selected items to add them to the left pane.
             3. After adding the desired objects, click Close to complete the application configuration.
             You can also perform other operations:
             - To add a new application group, select Application Groups from the Application drop-down menu and click the icon.
             - To add a new application filter, select Application Filters from the Application drop-down menu and click the icon.
Action

Action       Specifies the action for traffic matched by the policy rule:
             - Permit: permit the traffic to pass through.
             - Deny: deny the traffic.
             - WebAuth: perform Web authentication on the matched traffic. Select the Secured Connection option, select WebAuth from the drop-down list, and then select an authentication server from the next drop-down list.
             - From tunnel (VPN): for traffic from a peer to the local device, the system first checks whether the traffic originates from the selected tunnel and permits only such traffic. Select the Secured Connection option, select From tunnel (VPN) from the drop-down list, and then select a tunnel from the next drop-down list.
             - Tunnel (VPN): for traffic from the local device to a peer, allows the traffic to pass through the VPN tunnel. Select the Secured Connection option, select Tunnel (VPN) from the drop-down list, and then select a tunnel from the next drop-down list.
             - Portal server: perform portal authentication on the matched traffic. Select the Secured Connection option, select Portal server from the drop-down list, and then type the URL of the portal server.

Enable Web Redirect
             Enables the Web redirect function, which automatically redirects clients' HTTP requests to a specified page. With this function enabled, the system redirects the page requested over HTTP to a prompt page.
             1. Click the Enable Web Redirect button.
             2. Type a redirect URL into the Notification page URL box.
             When using the Web redirect function, you also need to configure Web authentication. For details, see User Online Notification.

Expand Protection and configure the corresponding options. Binding a profile to a security policy rule lets the device apply fine-grained application-layer control to the traffic the rule matches.

Option                   Description

Antivirus                Specifies an antivirus profile.

IPS                      Specifies an IPS profile.

Antispam                 Specifies an anti-spam profile.

URL Filtering            Specifies a URL filter profile.

Sandbox                  Specifies a sandbox profile.

Botnet C&C Prevention    Specifies a botnet C&C prevention profile.
Expand Data Security, configure the corresponding options.

Option Description

File Filter Specifies a file filter profile. The combination of secur-


ity policy rule and file filter profile enables the devices
to implement fine-grained application layer policy con-
trol.

Content Filter l Web Content: Specifies a web content profile.


The combination of security policy rule and Web
Content profile enables the devices to imple-
ment fine-grained application layer policy con-
trol.

l Web Posting: Specifies a web posting profile.


The combination of security policy rule and web
posting profile enables the devices to implement
fine-grained application layer policy control.


l Email Filter: Specifies an email filter profile. The


combination of security policy rule and email fil-
ter profile enables the devices to implement
fine-grained application layer policy control.

l HTTP/FTP Control: Specifies an HTTP/FTP
control profile. The combination of security
policy rule and HTTP/FTP control profile
enables the devices to implement fine-grained
application layer policy control.

Network Behavior Record Specifies an NBR (network behavior record) profile. The
combination of security policy rule and NBR profile enables the
devices to implement fine-grained application layer policy control.

Expand Options, configure the corresponding options.

Option Description

Schedule Specifies a schedule when the security policy rule takes


effect. Select a desired schedule from the Schedule drop-
down list. This option supports fuzzy search.
After selecting the desired schedules, click the blank area
in this page to complete the schedule configuration. To
create a new schedule, click icon.

Log You can log policy rule matching in the system logs
according to your needs.

l For Permit rules, logs are generated at two points:
when a session of the matching traffic starts and
when it ends.

l For Deny rules, logs are generated when the matching
traffic is denied.

Select one or more check boxes to enable the cor-
responding log types.

l Deny - Generates a log when traffic matching the
rule is denied.

l Session start - Generates a log when a session of
traffic matching the rule starts.

l Session end - Generates a log when a session of
traffic matching the rule ends.

SSL Proxy Specifies an SSL proxy profile. The combination of security
policy rule and SSL proxy profile enables the devices to
decrypt HTTPS traffic.

Policy Assistant Click the Enable button to enable the policy assistant. After
enabling the policy assistant, you can specify a policy
ID as the traffic hit policy. The system analyzes the traffic
that hit the specified policy ID, aggregates the traffic
list according to the user-defined aggregation rules, and
finally generates security policy rules that meet your expect-
ations. For how to use the policy assistant,
see Configuring the Policy Assistant.


ACL Click the Enable button to enable the access control func-
tion and select an ACL profile. By combining the security
policy with ACL rules, the system can achieve precise access
control.

Aggregate Policy Click the Aggregate Policy drop-down menu and select
the aggregate policy to which this rule should be added.

Position Select a rule position from the Position drop-down list.
Each policy rule is labeled with a unique ID or name.
When traffic flows into the device, the device queries the
policy rules in turn and processes the traffic according
to the first matched rule. The policy rule ID is not related
to the matching sequence; the sequence displayed in the
policy rule list is the query sequence. The rule position
can be an absolute position, i.e., at the top or bottom, or
a relative position, i.e., before or after an ID or a name.

Description Type descriptions into the Description box.

3. Click OK to save your settings.
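The following is an added example (not Hillstone code, and not a description of the device's internal implementation) that models the first-match lookup and the Log options described above in Python: rules are kept in query order, IDs are only labels, a rule can be inserted at the top, at the bottom, or before/after an ID, and a disabled rule is skipped. The rule fields, the sample networks and the assumption that unmatched traffic is denied are constructed for illustration.

```python
# Added example (not Hillstone code): first-match policy lookup with
# position-based ordering and the Deny / Session start / Session end logs.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    rule_id: int                      # unique label; NOT the match order
    src: str                          # source network, e.g. "10.1.0.0/16" (constructed)
    dst: str                          # destination network
    service: str                      # e.g. "tcp/443", or "any"
    action: str                       # "permit" or "deny"
    enabled: bool = True
    log_deny: bool = False            # the "Deny" log check box
    log_session_start: bool = False   # the "Session start" check box
    log_session_end: bool = False     # the "Session end" check box

    def matches(self, src_ip: str, dst_ip: str, service: str) -> bool:
        # A disabled rule is skipped, as if it were not in the list at all.
        return (self.enabled
                and ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and self.service in ("any", service))


class PolicyList:
    """Ordered rule list: the list order is the query order; IDs are only labels."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def _index(self, rule_id: Optional[int]) -> int:
        for i, rule in enumerate(self.rules):
            if rule.rule_id == rule_id:
                return i
        raise KeyError(f"no rule with ID {rule_id}")

    def add(self, rule: Rule, position: str = "bottom",
            ref_id: Optional[int] = None) -> None:
        """Insert at an absolute (top/bottom) or relative (before/after ID) position."""
        if position == "top":
            self.rules.insert(0, rule)
        elif position == "bottom":
            self.rules.append(rule)
        elif position == "before":
            self.rules.insert(self._index(ref_id), rule)
        elif position == "after":
            self.rules.insert(self._index(ref_id) + 1, rule)
        else:
            raise ValueError(f"unknown position {position!r}")

    def order(self) -> List[int]:
        """Rule IDs in query order."""
        return [rule.rule_id for rule in self.rules]

    def lookup(self, src_ip: str, dst_ip: str, service: str) -> Optional[Rule]:
        # First match wins; later rules are never consulted for this traffic.
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip, service):
                return rule
        return None


def process_session(policy: PolicyList, src_ip: str, dst_ip: str,
                    service: str) -> Tuple[str, List[str]]:
    """Return (action, log lines) for one session under the matched rule's Log settings."""
    rule = policy.lookup(src_ip, dst_ip, service)
    logs: List[str] = []
    if rule is None:
        return "deny", logs           # no match: default action assumed to be deny here
    flow = f"rule={rule.rule_id} {src_ip}->{dst_ip} {service}"
    if rule.action == "deny":
        if rule.log_deny:
            logs.append(f"DENY {flow}")
        return "deny", logs
    if rule.log_session_start:        # permit rules log at session start and end
        logs.append(f"SESSION_START {flow}")
    if rule.log_session_end:
        logs.append(f"SESSION_END {flow}")
    return "permit", logs


def build_sample_policy() -> PolicyList:
    """Constructed sample: ID 1 is created first, but ID 2 is positioned before it."""
    policy = PolicyList()
    policy.add(Rule(1, "10.1.0.0/16", "0.0.0.0/0", "tcp/443", "permit",
                    log_session_start=True, log_session_end=True))
    policy.add(Rule(2, "10.1.1.0/24", "0.0.0.0/0", "any", "deny", log_deny=True),
               position="before", ref_id=1)
    policy.add(Rule(3, "10.1.0.0/16", "0.0.0.0/0", "any", "deny", log_deny=True))
    return policy


if __name__ == "__main__":
    p = build_sample_policy()
    print("query order:", p.order())                                   # [2, 1, 3]
    print(process_session(p, "10.1.1.5", "203.0.113.10", "tcp/443"))   # denied by ID 2
    print(process_session(p, "10.1.2.5", "203.0.113.10", "tcp/443"))   # permitted by ID 1
```

The point to check in your own rule list is the one the example makes visible: ID 2 was created after ID 1 but is queried first because of its position, so a host in 10.1.1.0/24 is denied even though the broader permit rule for 10.1.0.0/16 also matches. Disabling ID 2 makes that host fall through to ID 1.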

Managing Security Policy Rules

Managing security policy rules includes the following tasks: enabling/disabling a policy rule, cloning a
policy rule, adjusting the rule position, configuring the default action, viewing and clearing policy hit
counts, hit count check, and rule redundancy check.

Enabling/Disabling a Policy Rule

By default the configured policy rule will take effect immediately. You can terminate its control
over the traffic by disabling the rule.
To enable/disable a policy rule:

1. Select Configuration Management > Policy > Security Policy > Policy.

2. Select the security policy rule that you want to enable/disable.

3. Click icon, and then select Enable or Disable to enable or disable the rule.

Disabled rules are not displayed in the list. Click icon, and then select Show Disabled
Policies to show them.

Exporting a Policy Rule

To export a policy rule, take the following steps:

1. Select Configuration Management > Policy > Security Policy > Policy.

2. Select the security policy rule that you want to export and click Export.

3. In the Export page, select Selected Policy and click OK. The selected security policies are
exported as a ".zip" file. You can also select All policies to export all security
policies, or select Page Range and specify the page numbers to export the security policies on
those pages.

Importing a Policy Rule

The exported policies can be imported on another device. To import a policy rule, take the fol-
lowing steps:

1. Select Configuration Management > Policy > Security Policy > Policy.

2. Click Import to open the Import page.

3. In the Import page, click Browse to select the security policy file to be imported.

4. Click OK to import policies.

Cloning a Policy Rule

When there are a large number of policy rules in the system, you can copy an existing policy rule
and paste it at the specified location to easily create a similar rule.
To clone a policy rule, take the following steps:

1. Select Configuration Management > Policy > Security Policy > Policy.

2. Select the security policy rule that you want to clone and click Copy.

3. Click Paste. In the drop-down list, select the desired position. Then the rule will be cloned
to the desired position.

Adjusting Security Policy Rule Position

To adjust the rule position, take the following steps:

1. Select Configuration Management > Policy > Security Policy > Policy.

2. Select the check box of the security policy whose position will be adjusted.

3. Click Move.

4. In the drop-down list, type the rule ID or name, and click Top, Bottom, Before ID, After
ID, Before Name, or After Name. The rule is moved to the top, to the bottom,
or before or after the specified ID or name.

Schedule Validity Check

To make sure that schedule-based policies are effective, the system provides a method
to check their validity. After the check, invalid schedule-based policies are highlighted
in yellow.
To check schedule validity:

1. Select Configuration Management > Policy > Security Policy > Policy.

2. Click icon and select Schedule Validity Check. After the check, the system highlights
invalid schedule-based policies in yellow. You can also view the validity status in
the policy list.

Showing Disabled Policies

To show disabled policies:

1. Select Configuration Management > Policy > Security Policy > Policy.

2. Click icon and select Show Disabled Policies. The disabled policies are highlighted
in gray in the policy list.

Notes:

l By default (neither "Schedule Validity Check" nor "Show Disabled Policies" is
selected), the policy list displays only the enabled policies, without
highlighting.

l When you select both "Schedule Validity Check" and "Show Disabled
Policies", the policy is managed as follows:

l The policy list will display the "Validity" column, which shows the
validity status of policies.

l An invalid schedule-based policy is highlighted in yellow
whether or not the policy is disabled.

l A valid schedule-based policy that is disabled is highlighted
in gray.

NAT
This feature may not be available on all platforms. Please check the actual page on your system to
see whether your device provides this feature.
NAT (Network Address Translation) translates an IP address in an IP packet header to
another IP address. When IP packets pass through the device or a router, the device or
router translates the source IP address and/or the destination IP address in the packets. In
practice, NAT is mostly used to allow a private network to access the public network, and vice
versa.

Basic Translation Process of NAT

When a device is implementing the NAT function, it lies between the public network and the
private network. The following diagram illustrates the basic translation process of NAT.

As shown above, the device lies between the private network and the public network. When the
internal PC at 10.1.1.2 sends an IP packet (IP packet 1) to the external server at 202.1.1.2
through the device, the device checks the packet header. Finding that the packet is destined for
the public network, the device translates the source IP address 10.1.1.2 of packet 1 to the public
IP address 202.1.1.1, which can be routed on the Internet, and then forwards the packet to the
external server. At the same time, the device records the mapping between the two addresses
in its NAT table. When the response to IP packet 1 reaches the device, the device checks the
packet header again, finds the mapping record in its NAT table, and replaces the destination
address with the private address 10.1.1.2. In this process, the device is transparent to the
PC and the server. The external server considers the IP address of the internal PC to be
202.1.1.1 and knows nothing about the private address 10.1.1.2. NAT therefore hides the
enterprise's private network.

Implementing NAT

The devices translate the IP address and port number of an internal host to an external
address and port number, and vice versa: a translation between "private IP
address + port number" and "public IP address + port number".
The devices implement NAT by creating and applying NAT rules. There are two types of NAT rules:
source NAT rules (SNAT rules) and destination NAT rules (DNAT rules). SNAT translates source IP
addresses, thereby hiding internal IP addresses or sharing a limited number of public IP addresses;
DNAT translates destination IP addresses, usually so that internal servers (such as the WWW server
or SMTP server) protected by the device can be reached at public IP addresses.

Configuring SNAT

To create an SNAT Rule, take the following steps:

1. Select Configuration Management > Policy > NAT > SNAT.

2. Click New to open the SNAT Configuration page.

In this page, configure the following options.

Requirements

Virtual Specifies a VRouter for the SNAT rule. The SNAT rule
Router will take effect when the traffic flows into this VRouter
and matches the SNAT rule conditions.

Type Specifies the type of the SNAT rule, including IPv4,


NAT46, NAT64, and IPv6. The configuration options for
different types of SNAT rules may vary in this page,
please refer to the actual page.

Source Specifies the source IP address of the traffic, including:


Address
l Address Entry - Select an address entry from the
drop-down list.

l IP Address - Type an IP address into the box. Type


an IPv4 address if the type of the SNAT rule is
IPv4 or NAT46. Type an IPv6 address if the type
of the SNAT rule is NAT64 or IPv6.

l IP/Netmask - Type an IPv4 address and its net-


mask into the box. This configuration option is
available if the type of the SNAT rule is IPv4 or
NAT46.

l IPv6/Prefix - Type an IPv6 address and its prefix


length into the box. This configuration option is
available if the type of the SNAT rule is NAT64 or
IPv6.

Destination Specifies the destination IP address of the traffic, includ-


Address ing:

l Address Entry - Select an address entry from the
drop-down list.

l IP Address - Type an IP address into the box. Type


an IPv4 address if the type of the SNAT rule is
IPv4 or NAT46. Type an IPv6 address if the type
of the SNAT rule is NAT64 or IPv6.

l IP/Netmask - Type an IPv4 address and its net-


mask into the box. This configuration option is
available if the type of the SNAT rule is IPv4 or
NAT46.

l IPv6/Prefix - Type an IPv6 address and its prefix


length into the box. This configuration option is
available if the type of the SNAT rule is NAT64 or
IPv6.

Ingress Specifies the ingress traffic; the default value is all traffic.
Traffic
l All traffic - Specifies all traffic as the ingress traffic.
Traffic from any ingress interface will continue to
match this SNAT rule.

l Ingress Interface - Specifies the ingress interface of


traffic. Select an interface from the drop-down list.
When the interface is specified, only the traffic
from this interface will continue to match this
SNAT rule, while traffic from other interfaces will
not.

Egress Specifies the egress traffic; the default value is all traffic.
Traffic
l All traffic - Specifies all traffic as the egress traffic.
Traffic from all egress interfaces will continue to
match this SNAT rule.

l Egress Interface - Specifies the egress interface of


traffic. Select an interface from the drop-down list.
When the interface is specified, only the traffic
from this interface will continue to match this
SNAT rule, while traffic from other interfaces will
not.

l Next Virtual Router - Specifies the next virtual


router of traffic. Select a virtual router from the
drop-down list.

Service Specifies the service type of the traffic from the drop-
down list. To create a new service or service group, click
New Service or New Group.

Translated to

Translated Specifies the translated NAT IP address, including:

l Egress IF IP - Specifies the NAT IP address to be


an egress interface IP address.

l Specified IP - Specifies the NAT IP address to be a


specified IP address. After selecting this option,
continue to specify the available IP address in the
Address drop-down list.


l No NAT - Do not implement NAT.


The translated action for different types of SNAT rules
may vary in this page, please refer to the actual page.

Mode Specifies the translation mode, including:

l Static - One-to-one translation. This mode requires
the translated address entry to contain the same
number of IP addresses as the source address entry.

l Dynamic IP - Dynamic one-to-one translation from an
address pool. Each source address is mapped to its
own translated IP address from the specified address
entry until all addresses in the entry are occupied.

l Dynamic port - Port address translation (PAT).
Multiple source addresses are translated to one
specified IP address in the address entry, with the
sessions distinguished by port number.

l If Sticky is enabled, all sessions from one
source IP address are mapped to the same fixed
translated IP address. Click the Enable button
behind Sticky to enable Sticky.

l If Round-robin is enabled, the translated
addresses in the address entry are used in turn,
so new sessions are spread across all of the
addresses. Click the Enable button behind
Round-robin to enable Round-robin.

l If neither Sticky nor Round-robin is enabled,
the first address in the address entry is used
first; when the port resources of the first
address are exhausted, the second address is
used, and so on.

l If Track is enabled, the system tracks whether
each translated public address is valid, i.e., it
uses the translated address as the source address
to check whether the destination website or host
is reachable. The configured track object can be
a Ping track object, an HTTP track object, or a
TCP track object. For more details, see "Track
Object" on Page 591. This function only supports
SNAT rules of IPv4 or NAT64 type; the translated
address must be an IP address or an address book
entry, and the translation mode must be dynamic
port. The system prefers translated addresses
that are tracked successfully. When a translated
address fails to reach the website or host, it is
temporarily disabled until it is tracked
successfully again: when the track object fails,
the system disables the address, generates a log
in the next tracking cycle, and no longer
translates private addresses to that public
address until it becomes reachable again. If all
addresses in the public address book of the SNAT
rule are unreachable, the system does not disable
any translated address and generates a log. Click
the Enable button behind Track to enable the
function, and select a track object from the
drop-down list.

Note: The Sticky function and the Round-robin function
are mutually exclusive and cannot be configured at the
same time.
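The following added example (not Hillstone code) models, in Python, the basic translation process described at the start of this NAT section and the SNAT translation modes above: a NAT table that maps the translated source back for replies, static one-to-one mode, dynamic IP mode with pool exhaustion, and dynamic port (PAT) mode with the sticky, round-robin and sequential port-exhaustion behaviours. The pool sizes, the tiny two-port translated port range and the way a sticky source is assigned its public address are assumptions made to keep the run short; the `Snat` class and its method names are not part of the product.

```python
# Added example (not Hillstone code): an SNAT rule with its NAT table, covering the
# static, dynamic IP and dynamic port (PAT) modes with sticky / round-robin / sequential use.
from itertools import cycle
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)


class SnatError(Exception):
    pass


class Snat:
    """mode is "static", "dynamic_ip" or "dynamic_port"; ports is the inclusive
    translated port range per public address (kept tiny here so exhaustion is visible)."""

    def __init__(self, sources: List[str], pool: List[str], mode: str,
                 sticky: bool = False, round_robin: bool = False,
                 ports: Tuple[int, int] = (1024, 1025)) -> None:
        if sticky and round_robin:
            raise SnatError("Sticky and Round-robin are mutually exclusive")
        if mode == "static" and len(sources) != len(pool):
            raise SnatError("static mode needs equally sized source and translated entries")
        self.sources, self.pool, self.mode = list(sources), list(pool), mode
        self.sticky, self.ports = sticky, ports
        self.rr = cycle(self.pool) if round_robin else None
        self.used_ports: Dict[str, Set[int]] = {ip: set() for ip in self.pool}
        self.ip_map: Dict[str, str] = {}              # private IP -> public IP
        self.sessions: Dict[Endpoint, Endpoint] = {}  # private endpoint -> public endpoint
        self.table: Dict[Endpoint, Endpoint] = {}     # public endpoint -> private (reply direction)

    def _has_free_port(self, pub_ip: str) -> bool:
        return len(self.used_ports[pub_ip]) < self.ports[1] - self.ports[0] + 1

    def _alloc_port(self, pub_ip: str) -> int:
        for port in range(self.ports[0], self.ports[1] + 1):
            if port not in self.used_ports[pub_ip]:
                self.used_ports[pub_ip].add(port)
                return port
        raise SnatError(f"port resources of {pub_ip} exhausted")

    def _choose_ip(self, priv_ip: str) -> str:
        if self.mode == "static":                     # i-th source -> i-th translated address
            if priv_ip not in self.sources:
                raise SnatError(f"{priv_ip} is not in the source address entry")
            return self.pool[self.sources.index(priv_ip)]
        if self.mode == "dynamic_ip":                 # one pool address per source, ports unchanged
            if priv_ip not in self.ip_map:
                free = [ip for ip in self.pool if ip not in self.ip_map.values()]
                if not free:
                    raise SnatError("dynamic IP pool exhausted")
                self.ip_map[priv_ip] = free[0]
            return self.ip_map[priv_ip]
        if self.mode != "dynamic_port":
            raise SnatError(f"unknown mode {self.mode!r}")
        if self.sticky:                               # every session of one source shares one public IP
            if priv_ip not in self.ip_map:            # assumption: sources are dealt out in turn
                self.ip_map[priv_ip] = self.pool[len(self.ip_map) % len(self.pool)]
            return self.ip_map[priv_ip]
        if self.rr is not None:                       # round-robin: next address with a free port
            for _ in self.pool:
                ip = next(self.rr)
                if self._has_free_port(ip):
                    return ip
            raise SnatError("all translated ports exhausted")
        for ip in self.pool:                          # default: first address until its ports run out
            if self._has_free_port(ip):
                return ip
        raise SnatError("all translated ports exhausted")

    def outbound(self, priv_ip: str, priv_port: int) -> Endpoint:
        """Translate the source of a private->public packet and record the mapping."""
        key = (priv_ip, priv_port)
        if key in self.sessions:                      # existing session keeps its translation
            return self.sessions[key]
        pub_ip = self._choose_ip(priv_ip)
        pub_port = self._alloc_port(pub_ip) if self.mode == "dynamic_port" else priv_port
        public = (pub_ip, pub_port)
        self.sessions[key], self.table[public] = public, key
        return public

    def inbound(self, pub_ip: str, pub_port: int) -> Optional[Endpoint]:
        """Translate the destination of a reply via the NAT table (None if no entry)."""
        return self.table.get((pub_ip, pub_port))


def fails(fn) -> bool:
    """True if fn() raises SnatError (shows exhaustion and invalid configurations)."""
    try:
        fn()
    except SnatError:
        return True
    return False


if __name__ == "__main__":
    # The translation process from the text: PC 10.1.1.2 reaches the server as 202.1.1.1.
    nat = Snat(["10.1.1.2"], ["202.1.1.1"], "dynamic_port")
    public = nat.outbound("10.1.1.2", 40000)
    print("packet 1 leaves as", public, "; its reply is delivered to", nat.inbound(*public))
```

Two behaviours worth noticing when sizing a real pool: in dynamic IP mode the pool runs out after one source per address regardless of how little each source sends, and in the default dynamic port mode the second public address is not touched until every port of the first is in use, which is exactly the case where Round-robin or a Track object changes which public address a destination sees.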

Expand Advanced Configuration, configure the corresponding options.

Option Description

HA Group Specifies the HA group that the SNAT rule belongs


to. The default setting is 0.

NAT Log Click the Enable button to enable the log function for
this SNAT rule. The system will generate log inform-
ation when there is traffic matching this NAT rule.

Position Specifies the position of the rule. Each SNAT rule


has a unique ID. When the traffic is flowing into
the device, the device will search the SNAT rules
in order, and then implement NAT on the source
IP of the traffic according to the first matched rule.
The sequence of the ID shown in the SNAT rule
list is the order of the rule matching. Select one of
the following items from the drop-down list:

l Bottom - The rule is located at the bottom of


all the rules in the SNAT rule list. By default,
system will put the newly-created SNAT rule at
the bottom of all SNAT rules.

l Top - The rule is located at the top of all the


rules in the SNAT rule list.

l Before ID - Type the ID number into the text


box. The rule will be located before the ID you
specified.

l After ID - Type the ID number into the text
box. The rule will be located after the ID you
specified.

ID Specifies how the rule ID is assigned. Each rule
has a unique ID. It can be assigned automatically by
the system or manually by yourself. If you select
Manually assign, type an ID number into the box
behind.

Description Type a description.

3. Click OK to save the settings.

Enabling/Disabling an SNAT Rule

By default the configured SNAT rule will take effect immediately. You can terminate its control
over the traffic by disabling the rule.
To enable/disable an SNAT rule:

1. Select Configuration Management > Policy > NAT > SNAT.

2. Select the SNAT rule that you want to enable/disable.

3. Click Enable or Disable to enable or disable the rule.

Adjusting Priority

Each SNAT rule has a unique ID. When the traffic flows into the device, the device will search
the SNAT rules in order and then implement NAT on the source IP of the traffic according to the
first matched rule. The sequence of the ID shown in the SNAT rule list is the order of the rule
matching.
To adjust priority, take the following steps:

1. Select Configuration Management > Policy > NAT > SNAT.

2. Select the rule whose priority you want to adjust and click Priority.

3. In the Priority page, move the selected rule to:

l Top: The rule is moved to the top of all the rules in the SNAT rule list.

l Bottom: The rule is moved to the bottom of all the rules in the SNAT rule list. By
default, system will put the newly-created SNAT rule at the bottom of all the SNAT
rules.

l Before ID: Specifies an ID number. The rule will be moved before the ID you spe-
cified.

l After ID: Specifies an ID number. The rule will be moved after the ID you specified.

4. Click OK to save the settings.

Copying/Pasting an SNAT Rule

When there are a large number of NAT rules in the system, you can copy an existing NAT rule and
paste it at the specified location to easily create a similar rule.
To copy/paste an SNAT rule, take the following steps:

1. Select Configuration Management > Policy > NAT > SNAT.

2. Select the SNAT rule that you want to clone and click Copy.

3. Click Paste. In the pop-up, select the desired position. Then the rule will be cloned to the
desired position.

l Top: The rule is pasted to the top of all the rules in the SNAT rule list.

l Bottom: The rule is pasted to the bottom of all the rules in the SNAT rule list.

l Before the Rule Selected: The rule will be pasted before the Rule being selected.

l After the Rule Selected: The rule will be pasted after the Rule being selected.

Hit Count

The system keeps statistics on SNAT rule hit counts, i.e., on how often traffic matches
each SNAT rule. Each time traffic matches a certain SNAT rule, its hit count increments by 1
automatically.
To view a SNAT rule hit count, click Configuration Management > Policy > NAT > SNAT. In
the SNAT rule list, view the statistics on SNAT rule hit count under the Hit Count column.

Clearing NAT Hit Count

To clear a SNAT rule hit count, take the following steps:

1. Select Configuration Management > Policy > NAT > SNAT Hit Analysis.

2. Click Clear to open the Clearing NAT Hit Count page.

l All NAT: Clears the hit counts for all NAT rules.

l NAT ID: Clears the hit counts for a specified NAT rule ID.

3. Click OK.

Hit Count Check

The system supports checking SNAT rule hit counts.

To check hit counts, take the following steps:

1. Select Configuration Management > Policy > NAT > SNAT Hit Analysis.

2. Click Analyze.

Configuring DNAT

DNAT translates destination IP addresses. Usually a public IP address is translated to the IP address
of an internal server (such as the WWW server or SMTP server) protected by the device.

Configuring an IP Mapping Rule

To configure an IP mapping rule, take the following steps:

1. Select Configuration Management > Policy > NAT > DNAT.

2. Click New and select IP Mapping.

In the IP Mapping Configuration page, configure the corresponding options.

Requirements

Virtual Specifies a VRouter for the DNAT rule. The DNAT rule
Router will take effect when the traffic flows into this VRouter
and matches the DNAT rule conditions.

Type Specifies the type of the DNAT rule, including IPv4,


NAT46, NAT64, and IPv6. The configuration options for
different types of DNAT rules may vary in this page,
please refer to the actual page.

Destination Specifies the destination IP address or interface of the


Address traffic, including:

l Address Entry - Select an address entry from the


drop-down list.

l IP Address - Type an IP address into the box. Type


an IPv4 address if the type of the DNAT rule is
IPv4 or NAT46. Type an IPv6 address if the type
of the DNAT rule is NAT64 or IPv6.

l IP/Netmask - Type an IPv4 address and its net-


mask into the box. This configuration option is
available if the type of the DNAT rule is IPv4 or
NAT46.

l IPv6/Prefix - Type an IPv6 address and its prefix


length into the box. This configuration option is
available if the type of the DNAT rule is NAT64 or
IPv6.


l Dynamic IP (Physical Interface) - Select an inter-
face that obtains its IP address via DHCP or PPPoE.
This configuration option is available if the type of
the DNAT rule is IPv4 or NAT46.

Mapping

Mapped to Specifies the translated NAT IP address, including


Address Entry, IP Address, and IP/Netmask (or
IPv6/Prefix). The number of the translated NAT IP
addresses you specified must be the same as the number
of the destination IP addresses of the traffic.

Others

HA Group Specifies the HA group that the DNAT rule belongs to.
The default setting is 0.

Description Type a description.

3. Click OK to save the settings.

Configuring a Port Mapping Rule

To configure a port mapping rule, take the following steps:

1. Select Configuration Management > Policy > NAT > DNAT.

2. Click New and select Port Mapping.

In the Port Mapping Configuration page configure the corresponding options.

Requirements

Virtual Specifies a VRouter for the DNAT rule. The DNAT rule
Router will take effect when the traffic flows into this VRouter
and matches the DNAT rule conditions.

Type Specifies the type of the DNAT rule, including IPv4,


NAT46, NAT64, and IPv6. The configuration options for
different types of DNAT rules may vary in this page,
please refer to the actual page.


Destination Specifies the destination IP address or interface of the


Address traffic, including:

l Address Entry - Select an address entry from the


drop-down list.

l IP Address - Type an IP address into the box. Type


an IPv4 address if the type of the DNAT rule is
IPv4 or NAT46. Type an IPv6 address if the type
of the DNAT rule is NAT64 or IPv6.

l IP/Netmask - Type an IPv4 address and its net-


mask into the box. This configuration option is
available if the type of the DNAT rule is IPv4 or
NAT46.

l IPv6/Prefix - Type an IPv6 address and its prefix


length into the box. This configuration option is
available if the type of the DNAT rule is NAT64 or
IPv6.

l Dynamic IP (Physical Interface) - Select an interface
that obtains its IP address via DHCP or PPPoE. This
configuration option is available if the type of the
DNAT rule is IPv4 or NAT46.

Service Specifies the service type of the traffic from the drop-
down list.
To create a new service or service group, click New Ser-
vice or New Group.


Mapping

Mapped to Specifies the translated NAT IP address, including


Address Entry, IP Address, and IP/Netmask (or
IPv6/Prefix). The number of the translated NAT IP
addresses you specified must be the same as the number
of the destination IP addresses of the traffic.

Port Mapping Type the port number of the intranet server to which the
service port is translated. The available range is 1 to 65535.

Others

HA Group Specifies the HA group that the DNAT rule belongs to.
The default setting is 0.

Description Type a description.

3. Click OK to save the settings.

Configuring an Advanced NAT Rule

You can create a DNAT rule and configure its advanced settings, or you can edit the advanced
settings of an existing DNAT rule.
To create a DNAT rule and configure the advanced settings, take the following steps:

1. Select Configuration Management > Policy > NAT > DNAT.

2. Click New and select Advanced Configuration. To edit the advanced settings of an existing
DNAT rule, select it and click Edit. The DNAT configuration page will appear.

In this page, configure the following options.

Requirements

Virtual Specifies a VRouter for the DNAT rule. The DNAT rule
Router will take effect when the traffic flows into this VRouter
and matches the DNAT rule conditions.

Type Specifies the type of the DNAT rule, including IPv4,


NAT46, NAT64, and IPv6. The configuration options for
different types of DNAT rules may vary in this page,
please refer to the actual page.


Source Specifies the source IP address of the traffic, including:


Address
l Address Entry - Select an address entry from the
drop-down list.

l IP Address - Type an IP address into the box. Type


an IPv4 address if the type of the DNAT rule is
IPv4 or NAT46. Type an IPv6 address if the type
of the DNAT rule is NAT64 or IPv6.

l IP/Netmask - Type an IPv4 address and its net-


mask into the box. This configuration option is
available if the type of the DNAT rule is IPv4 or
NAT46.

l IPv6/Prefix - Type an IPv6 address and its prefix


length into the box. This configuration option is
available if the type of the DNAT rule is NAT64 or
IPv6.

Destination Specifies the destination IP address or interface of the


Address traffic, including:

l Address Entry - Select an address entry from the


drop-down list.

l IP Address - Type an IP address into the box. Type


an IPv4 address if the type of the DNAT rule is
IPv4 or NAT46. Type an IPv6 address if the type
of the DNAT rule is NAT64 or IPv6.


l IP/Netmask - Type an IPv4 address and its net-


mask into the box. This configuration option is
available if the type of the DNAT rule is IPv4 or
NAT46.

l IPv6/Prefix - Type an IPv6 address and its prefix


length into the box. This configuration option is
available if the type of the DNAT rule is NAT64 or
IPv6.

l Dynamic IP (Physical Interface): Select an interface
that obtains its IP address via DHCP or PPPoE. This
configuration option is available if the type of the
DNAT rule is IPv4 or NAT46.

Service Specifies the service type of the traffic from the drop-
down list.
To create a new service or service group, click Add.

Translated to

Action Specifies the action for the traffic you specified, includ-
ing:

l NAT - Implements NAT for the eligible traffic.

l No NAT - Do not implement NAT for the eligible


traffic.

l V4-MAPPED - Implements NAT for the eligible
traffic, and extracts the destination IPv4 address
directly from the destination IPv6 address of the
packet. This configuration option is available if
the type of the DNAT rule is NAT64.
The Translated to action for different types of DNAT
rules may vary in this page, please refer to the actual page.

Translate to When selecting the NAT option, you need to specify the
translated IP address. The options include Address Entry,
IP Address, IP/Netmask (or IPv6/Prefix), and SLB
Server Pool. The SLB Server Pool configure option is
available if the type of the DNAT rule is IPv4 or NAT64.
For more information about the SLB Server Pool, view
Configuring SLB Server Pool.

Translate Service Port to

Port Click Enable to translate the port number of the service


that matches the conditions above.

Load Balance Click Enable to enable the function. Traffic will be bal-
anced to different Intranet servers.

Redirect Click Enable to enable the function.


When the number of Translate to addresses differs from the
number of Destination Address entries of the traffic, or the
Destination Address is any, you must enable the redirect
function for this DNAT rule.

Expand Advanced Configuration, configure the following options.

Track Server

Track Ping After enabling this function, the system sends Ping pack-
Packets ets to check whether the intranet servers are reachable.

Track TCP After enabling this function, the system sends TCP pack-
Packets ets to check whether the TCP ports of the intranet servers
are reachable.

TCP Port Specifies the TCP port number of the monitored intranet
server.

NAT Log Enable the log function for this DNAT rule to generate
the log information when traffic matches this NAT rule.

Position Specifies the position of the rule. Each DNAT rule has a
unique ID. When traffic flows into the device, the device
searches the DNAT rules in sequence and then implements
DNAT on the destination IP of the traffic according to the
first matched rule. The sequence of the IDs shown in the
DNAT rule list is the order of rule matching. Select one of
the following items from the drop-down list:

l Bottom - The rule is located at the bottom of all of
the rules in the DNAT rule list. By default, the sys-
tem puts the newly-created DNAT rule at the
bottom of all of the DNAT rules.

l Top - The rule is located at the top of all of the


rules in the DNAT rule list.

l Before ID - Type the ID number into the text box.
The rule will be located before the ID you specified.

l After ID - Type the ID number into the text box.
The rule will be located after the ID you specified.

ID The ID number is used to distinguish between NAT


rules. Specifies the method you get the rule ID. It can be
automatically assigned by system or manually assigned by
yourself.

Description Types the description.

3. Click OK to save the settings.

Enabling/Disabling a DNAT Rule

By default, a configured DNAT rule takes effect immediately. You can terminate its control over the traffic by disabling the rule.
To enable/disable a DNAT rule, take the following steps:

1. Select Configuration Management > Policy > NAT > DNAT.

2. Select the DNAT rule that you want to enable/disable.

3. Click Enable or Disable to enable or disable the rule.

Copying/Pasting a DNAT Rule

When there are a large number of NAT rules in the system, you can copy an existing NAT rule and paste it to a specified location to easily create a similar rule.
To copy/paste a DNAT rule, take the following steps:

1. Select Configuration Management > Policy > NAT > DNAT.

2. Select the DNAT rule that you want to clone and click Copy.

3. Click Paste. In the pop-up, select the desired position. Then the rule will be cloned to the
desired position.

• Top: The rule is pasted to the top of all of the rules in the DNAT rule list.

• Bottom: The rule is pasted to the bottom of all of the rules in the DNAT rule list.

• Before the Rule Selected: The rule will be pasted before the selected rule.

• After the Rule Selected: The rule will be pasted after the selected rule.

Adjusting Priority

Each DNAT rule has a unique ID. When the traffic is flowing into the device, the device will
search the DNAT rules in order, and then implement NAT of the source IP of the traffic accord-
ing to the first matched rule. The sequence of the ID shown in the DNAT rule list is the order of
the rule matching.
To adjust priority, take the following steps:

1. Select Configuration Management > Policy > NAT > DNAT.

2. Select the rule you want to adjust its priority and click Priority.

3. In the Priority page, move the selected rule to:

• Top: The rule is moved to the top of all of the rules in the DNAT rule list.

• Bottom: The rule is moved to the bottom of all of the rules in the DNAT rule list. By default, system will put the newly-created DNAT rule at the bottom of all of the DNAT rules.

• Before ID: Specifies an ID number. The rule will be moved before the ID you specified.

• After ID: Specifies an ID number. The rule will be moved after the ID you specified.

4. Click OK to save the settings.

Hit Count

The system supports statistics on DNAT rule hit counts, i.e., statistics on the matching between
traffic and DNAT rules. Each time the inbound traffic is matched to a certain DNAT rule, the hit
count will increment by 1 automatically.
To view a DNAT rule hit count, click Configuration Management > Policy > NAT > DNAT. In
the DNAT rule list, view the statistics on DNAT rule hit count under the Hit Count column.

Clearing NAT Hit Count

To clear a DNAT rule hit count, take the following steps:

1. Select Configuration Management > Policy > NAT > DNAT Hit Analysis.

2. Click Clear to open the Clearing NAT Hit Count page.

• All NAT: Clears the hit counts for all NAT rules.

• NAT ID: Clears the hit counts for a specified NAT rule ID.

3. Click OK.

Hit Count Check

System supports checking policy rule hit counts.

To check hit count, take the following steps:

1. Select Configuration Management > Policy > NAT > DNAT Hit Analysis.

2. Click Analyze.

iQoS
System provides iQoS (intelligent quality of service), which guarantees the customer's network performance, manages and optimizes the key bandwidth for critical business traffic, and helps the customer make full use of their bandwidth resources.
iQoS gives different priorities to different traffic in order to control delay and jitter and decrease the packet loss rate. iQoS can assure the normal transmission of critical business traffic when the network is overloaded or congested. iQoS is controlled by license. To use iQoS, apply for and install the iQoS license.

Implement Mechanism

The packets are classified and marked after entering the system from the ingress interface. For the classified and marked traffic, the system will smoothly forward the traffic through the shaping mechanism, or drop the traffic through the policing mechanism. If the shaping mechanism is selected to forward the traffic, the congestion management and congestion avoidance mechanisms will give different priorities to different types of packets so that the packets of higher priority can pass through the gateway earlier to avoid network congestion.
In general, implementing QoS includes:

• Classification and marking mechanism: Classification and marking is the process of identifying the priority of each packet. This is the first step of iQoS.

• Policing and shaping mechanisms: Policing and shaping mechanisms are used to identify traffic violations and respond to them. The policing mechanism checks the traffic in real time and takes immediate action according to the settings when it discovers a violation. The shaping mechanism works together with the queuing mechanism. It makes sure that the traffic will never exceed the defined flow rate so that the traffic can go through the interface smoothly.

• Congestion management mechanism: Congestion management mechanism uses queuing theory to solve problems on congested interfaces. As the data rate can differ between networks, congestion may happen in both a wide area network (WAN) and a local area network (LAN). Only when an interface is congested will the queuing theory begin to work.

• Congestion avoidance mechanism: Congestion avoidance mechanism is a supplement to the queuing algorithm, and it also relies on the queuing algorithm. The congestion avoidance mechanism is designed to process TCP-based traffic.

Pipes and Traffic Control Levels

System supports two-level traffic control: level-1 control and level-2 control. In each level, the
traffic control is implemented by pipes.

Pipes

By configuring pipes, the devices implement iQoS. A pipe, which is a virtual concept, represents the bandwidth of a transmission path. The system classifies the traffic using the pipe as the unit, and controls the traffic crossing the pipes according to the actions defined for the pipes. All traffic crossing the device flows into virtual pipes according to the traffic matching conditions it matches. If the traffic does not match any condition, it flows into the default pipe predefined by the system.
Pipes, except the default pipe, include two parts of configuration: traffic matching conditions and traffic management actions:

• Traffic matching conditions: Defines the traffic matching conditions to classify the traffic crossing the device into matched pipes. The system will limit the bandwidth of the traffic that matches the traffic matching conditions. You can define multiple traffic matching conditions for a pipe. The logical relation between the conditions is OR: when the traffic matches any one traffic matching condition of a pipe, it enters this pipe. If the same conditions are configured in different root pipes, the traffic will first match the root pipe listed at the top of the Level-1 Control list in the Configuration Management > Policy > iQoS page.

• Traffic management actions: Defines the actions applied to the traffic that has been classified into a pipe. The data stream control includes the forward control and the backward control. Forward control controls the traffic that flows from the source to the destination; backward control controls the traffic that flows from the destination to the source.

To provide flexible configurations, the system supports multiple-level pipes. Configuring multiple-level pipes can limit the bandwidth of different applications of different users. This can ensure the bandwidth for the key services and users. Pipes can be nested to at most four levels. Sub pipes cannot be nested under the default pipe. The logical relation between pipes is shown below:

• You can create multiple root pipes that are independent. At most three levels of sub pipes can be nested under a root pipe.

• For the sub pipes at the same level, the total of their minimum bandwidth cannot exceed the minimum bandwidth of their upper-level parent pipe, and the total of their maximum bandwidth cannot exceed the maximum bandwidth of their upper-level parent pipe.

• If you have configured the forward or backward traffic management actions for the root pipe, all sub pipes that belong to this root pipe will inherit the traffic direction configured on the root pipe.

• A root pipe that is configured with only the backward traffic management actions cannot work.

The following chart illustrates the application of multiple-level pipes in a company. The administrator can create the following pipes to limit the traffic:

1. Create a root pipe to limit the traffic of the office located in Beijing.

2. Create a sub pipe to limit the traffic of its R&D department.

3. Create a sub pipe to limit the traffic of the specified applications so that each application has
its own bandwidth.

4. Create a sub pipe to limit the traffic of the specified users so that each user owns the
defined bandwidth when using the specified application.

Traffic Control Levels

System supports two-level traffic control: level-1 control and level-2 control. In each level, the traffic control is implemented by pipes. Traffic that has been dealt with by level-1 control flows into the level-2 control, and then system performs further management and control according to the pipe configurations of level-2 control. After the traffic flows into the device, the process of iQoS is shown below:

According to the chart above, the process of traffic control is described below:

1. The traffic first flows into the level-1 control, and then system classifies the traffic into dif-
ferent pipes according to the traffic matching conditions of the pipe of level-1 control. The
traffic that cannot match any pipe will be classified into the default pipe. If the same con-
ditions are configured in different root pipes, the traffic will first match the root pipe listed
at the top of the Level-1 Control list in the Configuration Management > Policy > iQoS
page. After the traffic flows into the root pipe, system classifies the traffic into different sub
pipes according to the traffic matching conditions of each sub pipe.

2. According to the traffic management actions configured for the pipes, system manages and
controls the traffic that matches the traffic matching conditions.

3. The traffic dealt with by level-1 control flows into the level-2 control. System manages and
controls the traffic in level-2 control. The principles of traffic matching, management and
control are the same as those of level-1 control.

4. Complete the process of iQoS.
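
To make the nesting rules and the classification order concrete, here is an added Python model (example code, not part of the Hillstone product or this guide) that validates a pipe tree against the constraints above and walks a flow through a root pipe and its sub pipes for one control level. The pipe names, bandwidth figures (kbit/s) and flow attributes are constructed, and it assumes that a flow matching a pipe but none of its sub pipes stays in that pipe.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed model of the iQoS pipe hierarchy described above (example code,
# not part of the Hillstone product or its documentation). Bandwidth is in kbit/s.
Flow = Dict[str, str]
MAX_DEPTH = 4  # a root pipe plus at most three levels of sub pipes


@dataclass
class Pipe:
    name: str
    min_bw: int
    max_bw: int
    # OR-ed traffic matching conditions: a flow enters the pipe when any one matches
    conditions: List[Callable[[Flow], bool]] = field(default_factory=list)
    forward: bool = True       # forward (source -> destination) actions configured
    backward: bool = False     # backward (destination -> source) actions configured
    is_default: bool = False
    children: List["Pipe"] = field(default_factory=list)

    def matches(self, flow: Flow) -> bool:
        return any(cond(flow) for cond in self.conditions)


def validate(pipe: Pipe, depth: int = 1, errors: Optional[List[str]] = None) -> List[str]:
    """Check one root pipe and its sub pipes against the nesting rules on this page."""
    if errors is None:
        errors = []
    if depth > MAX_DEPTH:
        errors.append(f"{pipe.name}: nested deeper than {MAX_DEPTH} levels")
    if pipe.is_default and pipe.children:
        errors.append(f"{pipe.name}: sub pipes cannot be nested under the default pipe")
    if depth == 1 and pipe.backward and not pipe.forward:
        errors.append(f"{pipe.name}: a root pipe with only backward actions cannot work")
    if pipe.children:
        # the siblings' guaranteed and maximum bandwidth must both fit inside the parent
        if sum(c.min_bw for c in pipe.children) > pipe.min_bw:
            errors.append(f"{pipe.name}: sub pipes' total min bandwidth exceeds parent min")
        if sum(c.max_bw for c in pipe.children) > pipe.max_bw:
            errors.append(f"{pipe.name}: sub pipes' total max bandwidth exceeds parent max")
    for child in pipe.children:
        validate(child, depth + 1, errors)
    return errors


def classify(root_pipes: List[Pipe], default_pipe: Pipe, flow: Flow) -> List[str]:
    """Return the chain of pipe names a flow enters within one traffic control level.

    Root pipes are tried in list order, so the topmost root pipe wins when two root
    pipes share a condition. A flow matching no root pipe goes to the default pipe.
    Assumption: a flow matching a pipe but none of its sub pipes stays in that pipe.
    """
    for root in root_pipes:
        if root.matches(flow):
            path, node = [root.name], root
            while True:
                nxt = next((c for c in node.children if c.matches(flow)), None)
                if nxt is None:
                    return path
                path.append(nxt.name)
                node = nxt
    return [default_pipe.name]


def build_office_tree() -> Pipe:
    """The four-step company example from the text, with constructed bandwidth values."""
    video_alice = Pipe("video-alice", 500, 1000, [lambda f: f.get("user") == "alice"])
    video = Pipe("rnd-video", 1000, 2000, [lambda f: f.get("app") == "video"],
                 children=[video_alice])
    rnd = Pipe("beijing-rnd", 4000, 8000, [lambda f: f.get("dept") == "rnd"],
               children=[video])
    return Pipe("beijing", 10000, 20000, [lambda f: f.get("site") == "beijing"],
                children=[rnd])


DEFAULT_PIPE = Pipe("default", 0, 0, is_default=True)

if __name__ == "__main__":
    office = build_office_tree()
    print("validation errors:", validate(office))
    flow = {"site": "beijing", "dept": "rnd", "app": "video", "user": "alice"}
    print(" -> ".join(classify([office], DEFAULT_PIPE, flow)))
```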

Enabling iQoS

To enable iQoS, take the following steps:

1. Select Policy > iQoS > Configuration.

2. Click the Enable iQoS button.

3. If you click the Enable NAT IP matching button in Level-1 Control or Level-2 Control, system will use the IP addresses between the source NAT and the destination NAT as the matching items. If the matching is successful, system will limit the speed of these IP addresses.

Notes: Before enabling NAT IP matching, you must configure the NAT rules. Otherwise, the configuration will not take effect.

4. Click Apply to save the configurations.

Pipes

By using pipes, devices implement iQoS. Pipes in different traffic control levels will take effect in
different stages.
Configuring pipes includes the following sections:

1. Create the traffic matching conditions, which are used to capture the traffic that matches these conditions. If you configure multiple traffic matching conditions for a pipe, the logical relation between the conditions is OR.

2. Create a white list according to your requirements. System will not control the traffic in the white list. Only the root pipe and the default pipe support the white list.

3. Specify the traffic management actions, which are used to deal with the traffic that is clas-
sified into a pipe.

4. Specify the schedule. The pipe will take effect during the specified time period.

Basic Operations

Select Configuration Management > Policy > iQoS > Policy to open the Policy page.

You can perform the following actions in this page:

• Disable the level-2 traffic control: Click Disable second level control. The pipes in the level-2 traffic control will not take effect. The Level-2 Control tab will not appear in this page.

• View pipe information: The pipe list displays the name, mode, action, schedule, and the description of the pipes.

• Click the icon to expand the root pipe and display its sub pipes.

• Click the icon of the root pipe or the sub pipe to view the condition settings.

• Click the icon of the root pipe to view the white list settings.

• The icon next to a pipe indicates whether the root pipe or sub pipe is usable or unusable; gray text indicates that the pipe is disabled.

• Create a root pipe: Select the Level-1 Control or Level-2 Control tab, then click New in the menu bar to create a new root pipe.

• Create a sub pipe: Click the icon of the root pipe or the sub pipe to create the corresponding sub pipe.

• Click Enable in the menu bar to enable the selected pipe. By default, the newly-created pipe will be enabled.

• Click Disable in the menu bar to disable the selected pipe. The disabled pipe will not take effect.

• Click Delete to delete the selected pipe. The default pipe cannot be deleted.

Configuring a Pipe

To configure a pipe, take the following steps:

1. According to the methods above, create a root pipe or sub pipe. The Pipe Configuration
page appears.

2. In this page, specify the basic pipe information.

Parent Pipe/Control Level: Displays the control level or the parent pipe of the newly created pipe.

Pipe Name: Specify a name for the new pipe.

Description: Specify the description of this pipe.

Mode: Shape, Policy, or Monitor.

  • The Shape mode can limit the data transmission rate and smoothly forward the traffic. This mode supports bandwidth borrowing and priority adjusting for the traffic within the root pipe.

  • The Policy mode will drop the traffic that exceeds the bandwidth limit. This mode does not support bandwidth borrowing and priority adjusting, and cannot guarantee the minimum bandwidth.

  • The Monitor mode will monitor the matched traffic, generate the statistics, and will not control the traffic.

  • Bandwidth borrowing: All of the sub pipes in a root pipe can lend their idle bandwidth to the pipes that are lacking bandwidth. The prerequisite is that their bandwidth must be enough to forward the traffic in their own pipes.

  • Priority adjusting: When there is traffic congestion, system will arrange the traffic to enter the waiting queue. You can set the traffic to have higher priority and system will deal with the traffic in order of precedence.

3. In Condition, click New.

In the Condition Configuration page, configure the corresponding options.

Type: Select the IP type, IPv4 or IPv6. Only the IPv6 firmware supports configuring the IPv6 type. If IPv6 is selected, all the IP/netmask, IP range, and address entries configured should be in the IPv6 format.

Source Information

Zone: Specify the source zone of the traffic. Select the zone name from the drop-down menu.

Interface: Specify the source interface of the traffic. Select the interface name from the drop-down menu.

Address: Specify the source address of the traffic.

  1. Select an address type from the Address drop-down list.

  2. Select or type the source addresses based on the selected type.

  3. Click Add to add the addresses to the left pane.

  4. After adding the desired addresses, click Close to complete the address configuration.

  You can also perform other operations:

  • When selecting the Address Book type, you can click the icon to create a new address entry.

  • The default address configuration is any. To restore the configuration to this default one, select the any check box.

Destination Information

Zone: Specify the destination zone of the traffic. Select the zone name from the drop-down menu.

Interface: Specify the destination interface of the traffic. Select the interface name from the drop-down menu.

Address: Specify the destination address of the traffic.

  1. Select an address type from the Address drop-down list.

  2. Select or type the destination addresses based on the selected type.

  3. Click Add to add the addresses to the right pane.

  4. After adding the desired addresses, click Close to complete the address configuration.

  You can also perform other operations:

  • When selecting the Address Book type, you can click the icon to create a new address entry.

  • The default address configuration is any. To restore the configuration to this default one, select the any check box.

User Information: Specify a user or user group that the traffic belongs to.

  1. From the User drop-down menu, select the AAA server where the users and user groups reside.

  2. Based on the type of AAA server, you can execute one or more actions: search a user/user group/role, expand the user/user group list, and enter the name of the user/user group.

  3. After selecting users/user groups/roles, click them to add them to the left pane.

  4. After adding the desired objects, click Close to complete the user information configuration.

Service: Specify a service or service group that the traffic belongs to.

  1. From the Service drop-down menu, select a type: Service, Service Group.

  2. You can search the desired service/service group, or expand the service/service group list.

  3. After selecting the desired services/service groups, click them to add them to the right pane.

  4. After adding the desired objects, click Close to complete the service configuration.

  You can also perform other operations:

  • To add a new service or service group, select User-defined from the "Predefined" drop-down list, and click the icon.

  • The default service configuration is any. To restore the configuration to this default one, select the any check box.

Application: Specify an application, application group, or application filter that the traffic belongs to.

  1. From the Application drop-down menu, you can search the desired application/application group/application filter, or expand the list of applications/application groups/application filters.

  2. After selecting the desired applications/application groups/application filters, click them to add them to the left pane.

  3. After adding the desired objects, click Close to complete the application configuration.

  You can also perform other operations:

  • To add a new application group, click the icon.

  • To add a new application filter, click the icon.

URL Category: Specifies the URL category that the traffic belongs to. After the user specifies the URL category, the system matches the traffic according to the specified category.

  1. In the "URL category" drop-down menu, the user can select one or more URL categories, up to 8 categories.

  2. After selecting the desired categories, click the blank area in this page to complete the configuration.

  To add a new URL category, click the icon; the "URL category" page will pop up. In this page, the user can configure the category name and URL.

Advanced

VLAN: Specify the VLAN information of the traffic.

TOS: Specify the TOS fields of the traffic; or click Configure to specify the TOS fields of the IP header of the traffic in the TOS Configuration page.

  • Precedence: Specify the precedence.

  • Delay: Specify the minimum delay.

  • Throughput: Specify the maximum throughput.

  • Reliability: Specify the highest reliability.

  • Cost: Specify the minimum cost.

  • Reserved: Specify the normal service.

TrafficClass: Specify the TOS fields of the traffic.

4. If you are configuring root pipes, you can specify the white list settings based on the descrip-
tion of configuring conditions.

5. In Action, configure the corresponding actions.

Forward (From source to destination)

The following configurations control the traffic that flows from the source to the destination. For the traffic that matches the conditions, system will perform the corresponding actions.

Pipe Bandwidth: When configuring the root pipe, specify the pipe bandwidth. When configuring the sub pipe, specify the maximum bandwidth and the minimum bandwidth of the pipe:

  • Min Bandwidth: Specify the minimum bandwidth. If you want this minimum bandwidth to be reserved and not usable by other pipes, select Enable Reserved Bandwidth.

  • Max Bandwidth: Specify the maximum bandwidth.

Limit type: Specify the maximum bandwidth and minimum bandwidth of the pipe for each user/IP:

  • Type: Select the type of the bandwidth limitation: No Limit, Limit Per IP, or Limit Per User.

    • No Limit represents that system will not limit the bandwidth for each IP or each user.

    • Limit Per IP represents that system will limit the bandwidth for each IP. In the Limit by section, select Source IP to limit the bandwidth of the source IP in this pipe; or select Destination IP to limit the bandwidth of the destination IP in this pipe.

    • Limit Per User represents that system will limit the bandwidth for each user. In the Limit by section, specify the minimum/maximum bandwidth of the users.

  • When configuring the root pipe, you can select the Enable Average Bandwidth check box to make each source IP, destination IP, or user share an average bandwidth.

Limit by: When the Limit type is Limit Per IP or Limit Per User, you need to specify the minimum bandwidth or the maximum bandwidth:

  • Min Bandwidth: Specify the minimum bandwidth.

  • Max Bandwidth: Specify the maximum bandwidth.

  • Delay: Specify the delay time, whose value ranges from 1 second to 3600 seconds. The maximum bandwidth limit of each IP/user is not effective within the delay time range.

Advanced

Priority: Specify the priority for the pipes. Select a number between 0 and 7 from the drop-down menu. The smaller the value is, the higher the priority is. When a pipe has higher priority, system will first deal with the traffic in it and borrow the extra bandwidth from other pipes for it. The priority of the default pipe is 7.

TOS: Specify the TOS fields of the traffic; or click Configure to specify the TOS fields of the IP header of the traffic in the TOS Configuration page that appears.

  • Precedence: Specify the precedence.

  • Delay: Specify the minimum delay.

  • Throughput: Specify the maximum throughput.

  • Reliability: Specify the highest reliability.

  • Cost: Specify the minimum monetary cost.

  • Reserved: Specify the normal service.

Limit Opposite Bandwidth: Click the Enable button to configure the value of limit-strength. The smaller the value, the smaller the limit.

Backward (From condition's destination to source)

The following configurations control the traffic that flows from the destination to the source. For the traffic that matches the conditions, system will perform the corresponding actions.

Pipe Bandwidth: When configuring the root pipe, specify the pipe bandwidth. When configuring the sub pipe, specify the maximum bandwidth and the minimum bandwidth of the pipe:

  • Min Bandwidth: Specify the minimum bandwidth. If you want this minimum bandwidth to be reserved and not usable by other pipes, select Enable Reserved Bandwidth.

  • Max Bandwidth: Specify the maximum bandwidth.

Limit type: Specify the maximum bandwidth and minimum bandwidth of the pipe for each user/IP:

  • Type: Select the type of the bandwidth limitation: No Limit, Limit Per IP, or Limit Per User.

    • No Limit represents that system will not limit the bandwidth for each IP or each user.

    • Limit Per IP represents that system will limit the bandwidth for each IP. In the Limit by section, select Source IP to limit the bandwidth of the source IP in this pipe; or select Destination IP to limit the bandwidth of the destination IP in this pipe.

    • Limit Per User represents that system will limit the bandwidth for each user. In the Limit by section, specify the minimum/maximum bandwidth of the users.

  • When configuring the root pipe, you can click the Enable Average Bandwidth button to make each source IP, destination IP, or user share an average bandwidth.

Limit by: When the Limit type is Limit Per IP or Limit Per User, you need to specify the minimum bandwidth or the maximum bandwidth:

  • Min Bandwidth: Specify the minimum bandwidth.

  • Max Bandwidth: Specify the maximum bandwidth.

  • Delay: Specify the delay time, whose value ranges from 1 second to 3600 seconds. The maximum bandwidth limit of each IP/user is not effective within the delay time range.

Advanced

Priority: Specify the priority for the pipes. Select a number between 0 and 7 from the drop-down menu. The smaller the value is, the higher the priority is. When a pipe has higher priority, system will first deal with the traffic in it and borrow the extra bandwidth from other pipes for it. The priority of the default pipe is 7.

TOS: Specify the TOS fields of the traffic; or click Configure to specify the TOS fields of the IP header of the traffic in the TOS Configuration page that appears.

  • Precedence: Specify the precedence.

  • Delay: Specify the minimum delay.

  • Throughput: Specify the maximum throughput.

  • Reliability: Specify the highest reliability.

  • Cost: Specify the minimum monetary cost.

  • Reserved: Specify the normal service.

Limit Opposite Bandwidth: Click the Enable button to configure the value of limit-strength. The smaller the value, the smaller the limit.

6. Click OK to save the settings.

Viewing Statistics of Pipe Monitor

To view the statistics of pipe monitor, see "iQoS" on Page 213.

Session Limit
The devices support a zone-based session limit function. You can limit the number of sessions and
control the session rate for a source IP address, destination IP address, specified IP address,
application or role/user/user group, thereby protecting against DoS attacks and controlling the
bandwidth of applications such as IM or P2P.

Configuring a Session Limit Rule

To configure a session limit rule, take the following steps:

1. Select Configuration Management > Policy > Session Limit.

2. Click New. The Session Limit Configuration page will appear.

3. Select the zone where the session limit rule is located.

4. Configure the limit conditions.

IP

Select the IP check box to configure the IP limit conditions.

IP: Select the IP radio button and then select an IP address entry.

  • Select All IPs to limit the total number of sessions to all IP addresses.

  • Select Per IP to limit the number of sessions to each IP address.

Source IP: Select the Source IP radio button and specify the source IP address entry and destination IP address entry. When the session's source IP and destination IP are both within the specified range, system will limit the number of sessions as follows:

  • When you select Per Source IP, system will limit the number of sessions to each source IP address.

  • When you select Per Destination IP, system will limit the number of sessions to each destination IP address.

Protocol

Protocol: Limits the number of sessions to the protocol which has been set in the text box.

Application

Application: Limits the number of sessions to the selected application.

Role/User/User Group

Select the Role/User/User Group check box to configure the corresponding limit conditions.

Role: Select the Role radio button and a role from the Role drop-down list to limit the number of sessions of the selected role.

User: Select the User radio button and a user from the User drop-down list to limit the number of sessions of the selected user.

User Group: Select the User Group radio button and a user group from the User Group drop-down list to limit the number of sessions of the selected user group.

  • Next to the User Group radio button, select All Users to limit the total number of sessions to all users in the user group.

  • Next to the User Group radio button, select Per User to limit the number of sessions to each user.

Schedule

Schedule: Select the Schedule check box and choose a schedule you need from the drop-down list to make the session limit rule take effect within the time period specified by the schedule.

5. Configure the limit types.

Session Type

Session Number: Specify the maximum number of sessions. The value range is 0 to 1048576. The value of 0 indicates no limitation.

New Connections/5s: Specify the maximum number of sessions created per 5 seconds. The value range is 1 to 1048576.

6. Select Enable after Session Limit Log to record the session limit log.

7. Click OK to save your settings.

8. Click Switch Mode to select a matching mode. If you select Use the Minimum Value and an
IP address matches multiple session limit rules, the maximum number of sessions of this IP
address is limited to the minimum number of sessions of all matched session limit rules; if
you select Use the Maximum Value and an IP address matches multiple session limit rules,
the maximum number of sessions of this IP address is the maximum number of sessions of
all matched session limit rules.
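
As an added illustration (example code, not Hillstone's implementation), the following Python model applies session limit rules with the two Switch Mode behaviours above and the New Connections/5s rate window. The rule names, zones and address prefixes are constructed; it assumes that a matched rule whose session number is 0 (no limit) is ignored when taking the minimum or maximum, and that per-rule drop statistics are what the Clear button resets.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

# Constructed model of session limit rules and the matching modes described above
# (example code, not part of the Hillstone product). An "address entry" is
# approximated by an IPv4 prefix string such as "10.1.1." for brevity.


@dataclass
class SessionLimitRule:
    name: str
    zone: str
    ip_prefix: Optional[str] = None        # None = any IP
    per_ip: bool = True                    # Per IP (True) or All IPs (False)
    application: Optional[str] = None      # None = any application
    session_number: int = 0                # 0..1048576, 0 means no limit
    new_conn_per_5s: Optional[int] = None  # 1..1048576, None = not configured

    def matches(self, zone: str, ip: str, app: str) -> bool:
        return (self.zone == zone
                and (self.ip_prefix is None or ip.startswith(self.ip_prefix))
                and (self.application is None or self.application == app))

    def counter_key(self, ip: str) -> Tuple[str, str]:
        # Per IP rules count each address separately; All IPs rules share one counter
        return (self.name, ip if self.per_ip else "*")


class SessionLimiter:
    WINDOW = 5.0  # seconds, the "New Connections/5s" window

    def __init__(self, rules: List[SessionLimitRule], mode: str = "min"):
        # mode "min" = Use the Minimum Value, "max" = Use the Maximum Value
        if mode not in ("min", "max"):
            raise ValueError("mode must be 'min' or 'max'")
        self.rules, self.mode = rules, mode
        self.active: Dict[Tuple[str, str], int] = defaultdict(int)
        self.recent: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self.dropped: Dict[str, int] = defaultdict(int)  # per-rule drop statistics

    def effective_limit(self, zone: str, ip: str, app: str) -> Optional[int]:
        """Combine the session numbers of all matching rules per the Switch Mode setting.

        Assumption: a matched rule whose session number is 0 (no limit) does not take
        part in the comparison. None means no session number limit applies.
        """
        limits = [r.session_number for r in self.rules
                  if r.matches(zone, ip, app) and r.session_number > 0]
        if not limits:
            return None
        return min(limits) if self.mode == "min" else max(limits)

    def open_session(self, zone: str, ip: str, app: str, now: float) -> bool:
        """Admit or drop a new session; returns True when the session is allowed."""
        matched = [r for r in self.rules if r.matches(zone, ip, app)]
        limit = self.effective_limit(zone, ip, app)
        for rule in matched:
            key = rule.counter_key(ip)
            window = self.recent[key]
            while window and now - window[0] >= self.WINDOW:
                window.popleft()  # slide the 5-second window
            if rule.new_conn_per_5s is not None and len(window) >= rule.new_conn_per_5s:
                self.dropped[rule.name] += 1
                return False
            if limit is not None and self.active[key] >= limit:
                self.dropped[rule.name] += 1
                return False
        for rule in matched:  # all checks passed: account the session under every rule
            key = rule.counter_key(ip)
            self.active[key] += 1
            self.recent[key].append(now)
        return True

    def close_session(self, zone: str, ip: str, app: str) -> None:
        for rule in self.rules:
            if rule.matches(zone, ip, app):
                key = rule.counter_key(ip)
                self.active[key] = max(0, self.active[key] - 1)

    def clear_statistics(self, rule_name: str) -> None:
        """Counterpart of the Clear button for one session limit rule."""
        self.dropped.pop(rule_name, None)
```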

Clearing Statistic Information

After configuring a session limit rule, the sessions which exceed the maximum number of sessions
will be dropped. You can clear the statistical information of the dropped sessions of a specified session limit rule according to your need.
To clear the statistical information, take the following steps:

1. Select Configuration Management > Policy > Session Limit.

2. Select the rule whose session's statistical information you want to clear.

3. Click Clear.

ARP Defense
System provides a series of ARP defense functions to protect your network against various ARP
attacks, including:

l ARP Learning: Devices can obtain IP-MAC bindings in an Intranet from ARP learning, and
add them to the ARP list. By default this function is enabled. The devices will always keep
ARP learning on, and add the learned IP-MAC bindings to the ARP list. If any IP or MAC
address changes during the learning process, the devices will add the updated IP-MAC bind-
ing to the ARP list. If this function is disabled, only IP addresses in the ARP list can access
the Internet.

l MAC Learning: Devices can obtain MAC-Port bindings in an Intranet from MAC learning,
and add them to the MAC list. By default this function is enabled. The devices will always
keep MAC learning on, and add the learned MAC-Port bindings to the MAC list. If any
MAC address or port changes during the learning process, the devices will add the updated
MAC-Port binding to the MAC list.

l IP-MAC-Port Binding: If IP-MAC, MAC-Port or IP-MAC-Port binding is enabled, packets


that are not matched to the binding will be dropped to protect against ARP spoofing or MAC
address list attacks. The combination of ARP and MAC learning can achieve the effect of
"real-time scan + static binding", and make the defense configuration more simple and effect-
ive.

l Authenticated ARP: Authenticated ARP is implemented on the ARP client Hillstone
Secure Defender. When a PC with Hillstone Secure Defender installed accesses the Inter-
net via the interface that enables Authenticated ARP, it will perform an ARP authentication
with the device, for the purpose that the MAC address of the device being connected to
the PC is trusted.

l ARP Inspection: Devices support ARP Inspection for interfaces. With this function
enabled, StoneOS will inspect all ARP packets passing through the specified interfaces, and
compare the IP addresses of the ARP packets with the static IP-MAC bindings in the ARP
list and IP-MAC bindings in the DHCP Snooping list.

l DHCP Snooping: With this function enabled, system can create a binding relationship
between the MAC address of the DHCP client and the allocated IP address by analyzing
the packets between the DHCP client and server.

l Host Defense: With this function enabled, system can send gratuitous ARP packets for dif-
ferent hosts to protect them against ARP attacks.

Configuring ARP Defense

Configuring Binding Settings

Devices support IP-MAC binding, MAC-Port binding and IP-MAC-Port binding to reinforce net-
work security control. The bindings obtained from ARP/MAC learning and ARP scan are known
as dynamic bindings, and those manually configured are known as static bindings.

Adding a Static IP-MAC-Port Binding

To add a static IP-MAC-Port binding, take the following steps:

1. Select Configuration Management > Policy > ARP Defense > IP-MAC Binding.

2. Click New.

In the IP-MAC Binding Configuration, configure the corresponding settings.

Option Description

MAC Specify a MAC address.

IP Select the Enable check box to enable the IP-MAC binding, and then
specify an IP address.

Port Select the Enable check box to enable the port bind-
ing, and then select a port from the drop-down list
behind.

Description Specify the description for this item.

Authenticated ARP Select Enable to enable the authenticated ARP function.

3. Click OK to save the settings.

Obtaining Dynamic IP-MAC-Port Bindings

Devices can obtain dynamic IP-MAC-Port binding information from:

l ARP/MAC learning

l IP-MAC scan

To configure the ARP/MAC learning, take the following steps:

1. Select Configuration Management > Policy > ARP Defense > IP-MAC Binding.

2. Click and click ARP/MAC Learning from the pop-up menu.

3. In the ARP/MAC Learning Configuration page, select the interface that you want to enable
the ARP/MAC learning function.

4. Click Enable and then select ARP Learning or MAC Learning in the pop-up menu. The sys-
tem will enable the selected function on the interface you select.

5. Close the page and return to the IP-MAC Binding page.

To configure the ARP scan, take the following steps:

1. Select Configuration Management > Policy > ARP Defense > IP-MAC Binding.

2. Select Binding Configuration and then click IP-MAC Scan from the pop-up menu.

3. In the IP-MAC Scan page, enter the start IP and the end IP.

4. Click OK to start scanning the specified IP addresses. The result will display in the table in
the IP-MAC binding page.

Bind the IP-MAC-Port Binding Item

To bind the IP-MAC-Port binding item, take the following steps:

1. Select Configuration Management > Policy > ARP Defense > IP-MAC Binding.

2. Select Binding Configuration and then click Bind All from the pop-up menu.

3. In the Bind All page, select the binding type.

4. Click OK to complete the configurations.

To unbind an IP-MAC-Port binding item:

1. Select Configuration Management > Policy > ARP Defense > IP-MAC Binding.

2. Select Binding Configuration and then click Unbind All from the pop-up menu.

3. In the Unbind All page select the unbinding type.

4. Click OK to complete the configurations.

Importing/Exporting Binding Information

To import the binding information, take the following steps:

1. Select Configuration Management > Policy > ARP Defense > IP-MAC Binding.

2. Select and then click Import from the pop-up menu.

3. In the Import page, click Browse to select the file that contains the binding information.
Only the UTF-8 encoding file is supported.

To export the binding information, take the following steps:

1. Select Configuration Management > Policy > ARP Defense > IP-MAC Binding.

2. Select and then click Export from the pop-up menu.

3. Choose the binding information type.

4. Click OK to export the binding information to a file.

Configuring Authenticated ARP

This feature may not be available on all platforms. Please check your system's actual page to see if
your device delivers this feature.
The devices provide Authenticated ARP to protect the clients against ARP spoofing attacks.
Authenticated ARP is implemented on the ARP client Hillstone Secure Defender. When a PC
with Hillstone Secure Defender installed accesses the Internet via the interface that enables
Authenticated ARP, it will perform an ARP authentication with the device to assure the MAC
address of the device being connected to the PC is trusted. Besides, the ARP client is also
designed with powerful anti-spoofing and anti-replay mechanisms to defend against various ARP
attacks.

Notes: The Loopback interface and PPPoE sub-interface are not designed with
ARP learning, so these two interfaces do not support Authenticated ARP.

To use the Authenticated ARP function, you need to enable the Authenticated ARP function in
the device and install the Hillstone Secure Defender in the PCs.
To enable the Authenticated ARP in the device, take the following steps:

1. Select Configuration Management > Policy > ARP Defense > Authenticated ARP.

2. Select the interfaces on which you want to enable the Authenticated ARP function.

3. Click Enable and select Force Authenticated ARP to enable the authenticated ARP func-
tion.

4. Enable or disable Force Install as needed. If the Force Install option is selected, PCs cannot
access the Internet via the corresponding interface unless the ARP client has been installed;
if the Force Install option is not selected, only PCs with the ARP client installed are con-
trolled by Authenticated ARP.

To install Hillstone Secure Defender in the PCs, take the following steps:

1. Enable Authenticated ARP for an interface, and also select the Force Install option for the
interface.

2. When a PC accesses the Internet via this interface, the Hillstone Secure Defender's
download page will pop up. Download HillstoneSecureDefender.exe as prompted.

3. After downloading, double-click HillstoneSecureDefender.exe and install the client as
prompted by the installation wizard.

Configuring ARP Inspection

Devices support ARP Inspection for interfaces. With this function enabled, system will inspect
all the ARP packets passing through the specified interfaces, and compare the IP addresses of the
ARP packets with the static IP-MAC bindings in the ARP list and IP-MAC bindings in the
DHCP Snooping list:

l If the IP address is in the ARP list and the MAC address matches, the ARP packet will be
forwarded;

l If the IP address is in the ARP list but the MAC address does not match, the ARP packet will
be dropped;

l If the IP address is not in the ARP list, continue to check if the IP address is in the DHCP
Snooping list;

l If the IP address is in the DHCP Snooping list and the MAC address also matches, the
ARP packet will be forwarded;

l If the IP address is in the DHCP Snooping list but the MAC address does not match, the
ARP packet will be dropped;

l If the IP address is not in the DHCP Snooping list, the ARP packet will be dropped or
forwarded according to the specific configuration.

The VSwitch interface of the system supports ARP Inspection. This function is disabled by
default.
To configure ARP Inspection of the VSwitch interface, take the following steps:

1. Select Configuration Management > Policy > ARP Defense > ARP Inspection.

2. System already lists the existing VSwitch interfaces.

3. Double-click the item of a VSwitch interface.

4. In the Interface Configuration page, click the Enable button.

5. To drop the traffic whose sender's IP address is not in the ARP table, select Drop. To for-
ward the traffic whose sender's IP address is not in the ARP table, select Forward.

6. Click OK to save the settings and close the page.

7. For the interfaces belonging to the VSwitch interface, you can set the following options:

l If you do not need ARP inspection on the interface, in the Advanced Options section,
double-click the interface and select the Do Not Inspect option in the pop-up page.

l Configure the number of ARP packets received per second. When the ARP packet
rate exceeds the specified value, the excessive ARP packets will be dropped. The
value range is 0 to 10000. The default value is 0, i.e., no rate limit.

8. Click OK to save the settings.

Configuring DHCP Snooping

DHCP, Dynamic Host Configuration Protocol, is designed to allocate appropriate IP addresses
and related network parameters for sub networks automatically. DHCP Snooping can create a
binding relationship between the MAC address of the DHCP client and the allocated IP address
by analyzing the packets between the DHCP client and the server. When ARP Inspection is also
enabled, the system will check if an ARP packet passing through can be matched to any binding
on the list. If not, the ARP packet will be dropped. In a network that allocates addresses via
DHCP, you can prevent ARP spoofing attacks by enabling ARP Inspection and DHCP Snooping.
DHCP clients look for the server by broadcasting, and only accept the network configuration
parameters provided by the first reachable server. Therefore, an unauthorized DHCP server in
the network might lead to DHCP server spoofing attacks. The devices can prevent DHCP server
spoofing attacks by dropping DHCP response packets on related ports.
Besides, some malicious attackers send DHCP requests to a DHCP server in succession by
forging different MAC addresses, and eventually make IP addresses unavailable to legitimate
users by exhausting all the IP address resources. This kind of attack is commonly known as
DHCP Starvation. The devices can prevent such attacks by dropping request packets on related
ports, setting a rate limit or enabling the validity check.
The VSwitch interface of the system supports DHCP snooping. This function is disabled by
default.
To configure DHCP snooping, take the following steps:

1. Select Configuration Management > Policy > ARP Defense > DHCP Snooping.

2. Click DHCP Snooping Configuration.

3. In the Interface tab, select the interfaces that need the DHCP snooping function.

4. Click Enable to enable the DHCP snooping function.

5. In the Port tab, configure the DHCP snooping settings:

l Validity check: Check if the client's MAC address of the DHCP packet is the same as
the source MAC address of the Ethernet packet. If not, the packet will be dropped.
Select the interfaces that need the validity check and then click Enable to enable this
function.

l Rate limit: Specify the number of DHCP packets received per second on the inter-
face. If the number exceeds the specified value, system will drop the excessive
DHCP packets. The value range is 0 to 10000. The default value is 0, i.e., no rate
limit. To configure the rate limit, double-click the interface and then specify the value
in the Rate text box in the pop-up Port Configuration page.

l Drop: In the Port Configuration page, if the DHCP Request check box is selected,
the system will drop all of the request packets sent by the client to the server; if the
DHCP Response check box is selected, system will drop all the response packets
returned by the server to the client.

6. Click OK to save the settings.
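The six ARP Inspection cases listed under "Configuring ARP Inspection" and the DHCP Snooping
port checks above (validity check, rate limit, drop request/response) are easy to model in a few
lines. The Python below is an added example and is not Hillstone code; the binding tables, the
MAC and IP addresses, the DhcpPacket and RateLimiter names, and the reduction of a DHCP
exchange to one client request and one server ACK are all this example's own assumptions.

```python
from dataclasses import dataclass

# Constructed sample data for this example; none of it comes from the manual.
STATIC_ARP_LIST = {"10.0.0.10": "00:11:22:33:44:10"}   # static IP-MAC bindings (ARP list)


@dataclass
class DhcpPacket:
    kind: str         # "request" (client to server) or "ack" (server to client)
    eth_src: str      # Ethernet source MAC of the frame
    chaddr: str       # client hardware address carried in the DHCP payload
    yiaddr: str = ""  # address allocated by the server (ACK only)


class RateLimiter:
    """Per-interface packets-per-second limit like the Rate setting; 0 means no limit."""

    def __init__(self, limit):
        self.limit, self.second, self.count = limit, None, 0

    def allow(self, ts):
        sec = int(ts)
        if sec != self.second:          # a new one-second window starts
            self.second, self.count = sec, 0
        self.count += 1
        return self.limit == 0 or self.count <= self.limit


def process_dhcp(snooping_list, pkt, validity_check=True,
                 drop_request=False, drop_response=False):
    """Apply the DHCP Snooping port settings to one packet and learn bindings from ACKs.
    Returns "forward" or "drop"."""
    if pkt.kind == "request":
        if drop_request:
            return "drop"
        # Validity check: the client MAC inside DHCP must equal the Ethernet source MAC.
        if validity_check and pkt.chaddr.lower() != pkt.eth_src.lower():
            return "drop"
        return "forward"
    if pkt.kind == "ack":
        if drop_response:
            return "drop"
        snooping_list[pkt.yiaddr] = pkt.chaddr.lower()   # IP-MAC binding into the snooping list
        return "forward"
    return "forward"


def inspect_arp(sender_ip, sender_mac, arp_list, snooping_list, unmatched="drop"):
    """ARP Inspection decision: check the static ARP list first, then the DHCP Snooping list.
    `unmatched` is the Drop/Forward choice for senders found in neither list."""
    mac = sender_mac.lower()
    if sender_ip in arp_list:
        return "forward" if arp_list[sender_ip].lower() == mac else "drop"
    if sender_ip in snooping_list:
        return "forward" if snooping_list[sender_ip] == mac else "drop"
    return unmatched


def run_demo():
    """Runs a constructed DHCP exchange and a set of ARP packets through the checks."""
    snooping = {}
    dhcp_results = [
        process_dhcp(snooping, DhcpPacket("request", "00:11:22:33:44:20", "00:11:22:33:44:20")),
        # chaddr forged: fails the validity check, so no binding is ever learned for it
        process_dhcp(snooping, DhcpPacket("request", "00:11:22:33:44:21", "de:ad:be:ef:00:01")),
        process_dhcp(snooping, DhcpPacket("ack", "00:11:22:33:44:01", "00:11:22:33:44:20",
                                          "10.0.0.20")),
    ]
    arp_results = [
        inspect_arp("10.0.0.10", "00:11:22:33:44:10", STATIC_ARP_LIST, snooping),  # static match
        inspect_arp("10.0.0.10", "00:11:22:33:44:99", STATIC_ARP_LIST, snooping),  # static mismatch
        inspect_arp("10.0.0.20", "00:11:22:33:44:20", STATIC_ARP_LIST, snooping),  # snooping match
        inspect_arp("10.0.0.20", "00:11:22:33:44:99", STATIC_ARP_LIST, snooping),  # snooping mismatch
        inspect_arp("10.0.0.30", "00:11:22:33:44:30", STATIC_ARP_LIST, snooping),  # unknown, Drop
        inspect_arp("10.0.0.30", "00:11:22:33:44:30", STATIC_ARP_LIST, snooping,
                    unmatched="forward"),                                          # unknown, Forward
    ]
    limiter = RateLimiter(2)   # 2 packets per second on this interface
    rate_results = [limiter.allow(100.1), limiter.allow(100.5), limiter.allow(100.9),
                    limiter.allow(101.0)]
    return dhcp_results, arp_results, rate_results, snooping
```

run_demo() returns the forwarding decisions for each packet together with the snooping list
that was learned. The forged-chaddr request is dropped by the validity check, an ARP packet
that claims a snooped IP with a different MAC is dropped by inspection, and the third packet
in the same second is dropped by the rate limiter while the next second starts a fresh window.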

Viewing DHCP Snooping List

With DHCP Snooping enabled, system will inspect all of the DHCP packets passing through the
interface, and create and maintain a DHCP Snooping list that contains IP-MAC binding inform-
ation during the process of inspection. Besides, if the VSwitch interface or any other Layer 3 phys-
ical interface is configured as a DHCP server, the system will create IP-MAC binding information
automatically and add it to the DHCP Snooping list even if DHCP Snooping is not enabled. The
bindings in the list contain information like legal users' MAC addresses, IPs, interfaces, ports,
lease time, etc.
To view the DHCP snooping list, take the following steps:

1. Select Configuration Management > Policy > ARP Defense > DHCP Snooping.

2. In the current page, you can view the DHCP snooping list.

Configuring Host Defense

Host Defense is designed to send gratuitous ARP packets for different hosts to protect them
against ARP attacks.
To configure host defense:

1. Select Configuration Management > Policy > ARP Defense.

2. Click New.

In the Host Defense page, configure the corresponding options.

Sending Settings

Interface Specify an interface that sends gratuitous ARP packets.

Excluded Port Specify an excluded port, i.e., the port that does not send
gratuitous ARP packets. Typically it is the port that is
connected to the proxied host.

Host

IP Specify the IP address of the host that uses the device as
a proxy.

MAC Specify the MAC address of the host that uses the device
as a proxy.

Sending Rate Specify the rate at which gratuitous ARP packets are sent. The
value range is 1 to 10/sec. The default value is 1.

3. Click OK to save your settings and return to the Host Defense page.

4. Repeat Step 2 and Step 3 to configure gratuitous ARP packets for more hosts. You can con-
figure the device to send gratuitous ARP packets for up to 16 hosts.

Security Protection Configuration
You can configure the Security protection functions to detect and block network threats. After
configuration, Hillstone devices can defend against network attacks and reduce losses on the
internal network.
Security protections include:

l "Intrusion Prevention System" on Page 255: It can detect attacks against mainstream
application layer protocols (DNS, FTP, POP3, SMTP, TELNET, MYSQL, MSSQL,
ORACLE, NETBIOS), web-based attacks and common Trojan attacks, and protect against them.

l "Anti Virus" on Page 306: It can detect the common file types and protocol types which are
most likely to carry viruses and protect the network from them. Hillstone devices can
detect the protocol types POP3, HTTP, SMTP, IMAP4 and FTP, and the file types of archives
(including GZIP, BZIP2, TAR, ZIP and RAR-compressed archives), PE, HTML, MAIL,
RIFF and JPEG.

l "Attack-Defense" on Page 384: It can detect various types of network attacks, and take appro-
priate actions to protect the Intranet against malicious attacks, thus assuring the normal oper-
ation of the Intranet and systems.

l "Antispam" on Page 313: It can filter the mails transmitted by SMTP and POP3 protocol
through the cloud server, and discover the mail threats.

l "Botnet C&C Prevention" on Page 320: It can detect botnet host in the internal network
timely, as well as locate and take other actions according to the configuration, so as to avoid
further threat attacks.

l "Perimeter Traffic Filtering" on Page 325 : It can filter the perimeter traffic based on known
IP of black/white list, and take block action on the malicious traffic that hits the blacklist.

l "URL Filtering" on Page 339: URL filtering controls the access to certain websites and
records log messages for the access actions.

l "Sandbox" on Page 362: It can execute a suspicious file in a virtual environment, collect the
actions of this file, analyze the collected data, and verify the legality of the file.

l "Data Security" on Page 370: The data security function allows you to flexibly configure
control rules to comprehensively control and audit (by behavior logs and content logs) user
network behavior.

l "ACL" on Page 381: You can create an access control profile based on MAC addresses and bind
the profile to security policies to achieve access control of the specific MAC addresses.

l "Abnormal Behavior Detection" on Page 399: Traffic of sessions is detected based on the
abnormal behavior detection signature database. When one detected object has multiple
abnormal parameters, system will analyze the relationship among the abnormal parameters to
see whether an abnormal behavior was formed.

l "Advanced Threat Detection" on Page 403: It intelligently analyzes the suspicious traffic of
hosts to detect malicious behavior and to identify APT (Advanced Persistent Threat) attacks.

The threat protection configurations are based on security zones and policies.

l If a security zone is configured with the threat protection function, the system will perform
detection on the traffic that is destined to the binding zone specified in the rule, and then
respond as you specified.

l If a policy rule is configured with the threat protection function, the system will perform
detection on the traffic that matches the policy rule you specified, and then respond.

l If both are specified, the threat protection configuration in a policy rule takes precedence
over that in a zone rule, and the threat protection configuration in a destination zone takes
precedence over that in a source zone.

Notes:

l Threat protection is controlled by a license. To use Threat protection, apply
and install the Threat Protection (TP) license, Anti Virus (AV) license or
Intrusion Prevention System (IPS) license.

Threat Protection Signature Database


The threat protection signature database includes a variety of virus signatures, intrusion
prevention signatures, perimeter traffic filtering signatures, abnormal behavior detection
signatures, and advanced threat detection signatures. By default, system updates the threat
protection signature database every day automatically. You can change the update
configuration as needed. Hillstone devices provide two default update servers:
https://update1.hillstonenet.com and https://update2.hillstonenet.com.
Hillstone devices support auto updates and local updates.
According to the severity, signatures can be divided into three security levels: critical, warning
and informational. Each level is described as follows:

l Critical: Critical attacking events, such as buffer overflows.

l Warning: Aggressive events, such as over-long URLs.

l Informational: General events, such as login failures.

Intrusion Prevention System


Intrusion Prevention System is designed to monitor various network attacks in real time and take
appropriate actions (like block) against the attacks according to your configuration. It can detect
the following types of attacks:

l Scanning

l Network attacks

l Denial of service

l Phishing

l Spam

l Malware

The detection performed by IPS consists of two methods: signature matching and protocol parse.

l Signature matching: IPS abstracts the interested protocol elements of the traffic for signature
matching. If the elements are matched to the items in the signature database, the system will
process the traffic according to the action configuration. This part of detection is configured
in the Select Signature section.

l Protocol parse: IPS analyzes the protocol part of the traffic. If the analysis shows that the
protocol part contains abnormal contents, the system will process the traffic according to the
action configuration. This part of detection is configured in the Protocol Configuration
section.

IPS configuration includes the following parts:

l Configuring IPS profiles

l IPS global configuration

l Signature List

l Configuring IPS whitelist

Configuring IPS profiles

Configure an IPS profile and bind it to a certain security policy. The system will perform the IPS
function on the traffic that matches this security profile.
The system defines multiple IPS profiles and binds them to various pre-defined security policies.
You can check the detailed settings of these profiles and adjust them according to your real net-
work environment.
You can also customize IPS profiles. The configuration includes two parts:

l Signature set configurations

l Protocol configurations

To configure an IPS Profile, take the following steps:

1. Select Configuration Management > Security Protection Configuration > Intrusion Pre-
vention System > Profile.

2. Click New to create a new IPS rule. To edit an existing one, select the check box of this
rule and then click Edit. To view it, click the name of this rule.

3. In the Name text box, enter the name of the newly-created IPS profile. If you just con-
figure the name and click OK, this profile will not take effect.

4. According to your requirements, click the Enable button of Global Packet Capture to cap-
ture packets.

5. Type the description information into the Description text box.

6. In the Signature Set area, the existing signature sets and their settings will be displayed in
the table. You can manage the signature sets, including New, Edit, and Delete. When cre-
ating a new signature set rule, you can select Filtering Signature or Selection Signature as
needed to filter and retrieve the signature database to select the desired signature sets.

l Filtering Signature: Filter signature sets by certain filter conditions. Click the Filter
Signature button to search for the signatures you want. In this way, you can quickly
select the signatures that have been classified by system.

l Selection Signature: Select a particular signature set from the signature database. In
this way, you can quickly select a particular signature.

7. Click New to create a new signature set rule.

Option Description

Name Specify the name of the signature set.

Action Specify the action performed on the abnormal traffic that matches
the signature set.

l Log Only: Record a log.

l Reset: Reset connections (TCP) or send destination unreachable
packets (UDP) and also generate logs.

l Block IP: Block the IP address of the attacker. Specify a
block duration. The value range is 60 to 3600 seconds, and
the default value is 60.

l Block Service: Block the service of the attacker. Specify a
block duration. The value range is 60 to 3600 seconds, and
the default value is 60.

l Default: Execute the action specified in the signature rule.

Capture Packet Capture the abnormal packets that match the configured signature
set. You can view them in the threat log.

Filtering Signature If Filtering Signature is selected: System categorizes the
signatures according to the following aspects (aka main categories):
affected OS, attack type, protocol, severity, confidence, released
year, affected application, and bulletin board. A signature can be
in several subcategories of one main category. For example, the
signature of ID 200211 is in the Linux subcategory, the FreeBSD
subcategory, and the Other Linux subcategory at the same time.
You can view the detailed information of the signature by clicking
the signature ID, and you can select one or more signatures. Click
the Disable or Enable button to disable or re-enable the
signature. Note: The enabled/disabled state here is only for the
current profile; the global state is not affected.

Selection Signature If Selection Signature is selected: Type the signature information
into the Keyword text box, and system will perform a fuzzy search
in the following fields: signature ID, signature name, and
description. After the matched signature is found, select the
signature, and it will be added to the Selected Signatures tab,
indicating the signature is included in the signature set. You can
also select the signature and then click the Enable or Disable
button to disable or re-enable it. The enabled/disabled state here
is only for the current profile; the global state is not affected.

Note: You may create several signature sets, some of which contain a
particular signature. If the actions of these signature sets are different
and an attack matches this particular signature, system will adopt the
following rules:

l Always perform the stricter action on the attack. The signature set
with the stricter action will be matched. The strictness order is: Block IP
> Block Service > Reset > Log Only > Default. If one signature
set is Block IP with 15s and the other is Block Service with 30s,
the final action will be Block IP with 30s.

l If one signature set is configured with Capture Packet, system
will capture the packets.

l The action of the signature set created by Selection Signature has
higher priority than the action of the signature set created by
Filtering Signature.

8. Click OK to complete signature set configurations.
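As an added illustration of the precedence rules in the note under step 7 (this is not code from
the Hillstone guide), the following Python function resolves the effective action for a signature
that appears in several signature sets of one profile. The SignatureSet class, the set names and
the sample IDs are constructed for the example (200211 is the ID the guide itself uses as an
example). Where the strictness rule and the Selection-over-Filtering rule could both apply, the
example assumes strictness is compared first and the Selection Signature set wins only between
equally strict actions; that ordering is the example's reading of the note, not a statement from
the guide.

```python
from dataclasses import dataclass, field

# Strictness order from the note; a higher index is the stricter action.
STRICTNESS = ["Default", "Log Only", "Reset", "Block Service", "Block IP"]


@dataclass
class SignatureSet:
    """One signature set rule of an IPS profile (a constructed model, not the product's)."""
    name: str
    action: str
    duration: int = 0           # block duration in seconds (Block IP / Block Service only)
    capture: bool = False       # the Capture Packet option of the set
    source: str = "filtering"   # "filtering" (Filtering Signature) or "selection" (Selection Signature)
    signatures: frozenset = field(default_factory=frozenset)


def resolve_action(signature_id, signature_sets):
    """Effective action for an attack matching signature_id, or None if no set contains it."""
    hits = [s for s in signature_sets if signature_id in s.signatures]
    if not hits:
        return None
    # Rule 1: the stricter action wins. Rule 3 is applied as a tie-break between equally
    # strict actions: a Selection Signature set outranks a Filtering Signature set
    # (applying the rules in this order is an assumption of the example).
    winner = max(hits, key=lambda s: (STRICTNESS.index(s.action), s.source == "selection"))
    # The longest configured block duration is applied, which reproduces the note's
    # "Block IP with 15s + Block Service with 30s -> Block IP with 30s".
    duration = 0
    if winner.action in ("Block IP", "Block Service"):
        duration = max(s.duration for s in hits)
    return {
        "action": winner.action,
        "duration": duration,
        "capture": any(s.capture for s in hits),   # Rule 2: any set with Capture Packet
        "decided_by": winner.name,
    }


def run_demo():
    """Constructed signature sets and sample signature IDs."""
    sets = [
        SignatureSet("set-a", "Block IP", duration=15, signatures=frozenset({200211})),
        SignatureSet("set-b", "Block Service", duration=30, capture=True,
                     signatures=frozenset({200211})),
        SignatureSet("set-c", "Log Only", source="selection", signatures=frozenset({500003})),
        SignatureSet("set-d", "Reset", signatures=frozenset({400002})),
        SignatureSet("set-e", "Log Only", signatures=frozenset({500003})),
    ]
    return {sid: resolve_action(sid, sets) for sid in (200211, 400002, 500003, 999999)}
```

For signature 200211 the result is Block IP for 30 seconds with packet capture, because set-a
supplies the stricter action, set-b the longer duration and the capture flag; for 500003 the two
Log Only sets tie on strictness and the Selection Signature set decides.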

9. In the Disable Signature area, the signatures that are Disabled in the template will be shown.
Select one or more signatures, and then click the Enable button to re-enable the signature.

10. In the Protocol Configuration area, click . The protocol configurations specify the
requirements that the protocol part of the traffic must meet. If the protocol part contains
abnormal contents, system will process the traffic according to the action configuration.
System supports the configurations of HTTP, DNS, FTP, MSRPC, POP3, SMTP, SUNRPC,
and Telnet.

In the HTTP tab, configure the following settings:

Option Description

Max Scan Length: Specify the maximum length of scanning when scanning the
HTTP packets.
Banner Detection: Click the Enable button to enable protection against HTTP
server banners.

l Banner information - Type the new information into the box that will
replace the original server banner information.
HTTP Protocol Anomaly Detection: Click Enable to analyze the HTTP packets. If
abnormal contents exist, you can:

l Protocol Anomaly list: Click to open the Protocol Anomaly List page, which
will display the signature rules related to the HTTP protocol anomaly in this
profile. Select one or more rules and click Enable to enable the rules; click
Disable to disable the rules.

l Capture Packets: Capture the abnormal packets. You can view them in the
threat log.

l Action: Log Only - Record a log. Reset - Reset connections (TCP) or send
destination unreachable packets (UDP) and also generate logs. Block IP - Block
the IP address of the attacker and specify a block duration. Block Service -
Block the service of the attacker and specify a block duration.
Max URI Length: Specify a max URI length for the HTTP protocol. If the URI
length exceeds the limitation, you can:

l Capture Packets: Capture the abnormal packets. You can view them in the
threat log.

l Action: Log Only - Record a log. Reset - Reset connections (TCP) or send
destination unreachable packets (UDP) and also generate logs. Block IP - Block
the IP address of the attacker and specify a block duration. Block Service -
Block the service of the attacker and specify a block duration.
Allowed Methods: Specify the allowed HTTP methods.

To protect the Web server, configure Web Server in the HTTP tab.
Protecting the Web server means system can detect the following attacks: SQL injection,
XSS injection, external link check, ACL, and HTTP request flood and take actions when
detecting them. A pre-defined Web server protection rule named default is built in. By
default, this protection rule is enabled and cannot be disabled or deleted.
Configure the following settings to protect the Web server:

Option Description

Name Specify the name of the Web server protection rule.

Configuration Domain Specify domains protected by this rule. Click the link
and the Configure Domain page will appear. Enter the
domain names in the Domain text box. At most 5
domains can be configured. The traffic to these
domains will be checked by the protection rule.
The domain name of the Web server follows the
longest match rule from the back to the front. The
traffic that does not match any rules will match the
default Web server. For example, you have configured
two protection rules: rule1 and rule2. The domain
name in rule1 is abc.com. The domain name in rule2 is
email.abc.com. The traffic that visits news.abc.com
will match rule1, the traffic that visits www.email.abc.com
will match rule2, and the traffic that visits www.abc.com.cn
will match the default protection rule.

High Frequency Access Control Click the Enable button to enable the High Frequency
Access Control feature. When this function is enabled,
system will block the traffic of an IP address whose
access frequency exceeds the threshold.

o Threshold: Specifies the maximum number of times a single source IP
accesses the URL path per minute. When the frequency of a source IP
address exceeds this threshold, system will block the flow of the IP. The
value ranges from 1 to 65535 times per minute.

o URL Path: Click the link and the URL Page Configuration page appears.
Click New and enter the URL path in the Path text box. After the
configuration, all paths that contain the configured path are also counted.
System keeps access frequency statistics for the HTTP requests that access
these paths. If the access frequency of the HTTP requests exceeds the
threshold, the source IP of the requests is blocked, and the IP will not be
able to access the Web server. For example, if you configure '/home/ab',
system will perform a frequency check on the 'access/home/ab/login' and
'/home/BC/login' HTTP requests. The URL path does not support a path format
that contains the host name or domain name. For example, you cannot
configure www.baidu.com/home/login.html; you should configure
'/home/login.html', and 'www.baidu.com' should be configured in the
corresponding Web server domain name settings. You can configure up to
32 URL paths. The length of each path is in the range of 1-255 characters.

SQL Injection Protection Click the Enable button to enable the SQL injection
check.

l Capture Packets: Capture the abnormal packets. You can view them in the
threat log.

l Action: Log Only - Record a log. Reset - Reset connections (TCP) or send
destination unreachable packets (UDP) and also generate logs. Block IP -
Block the IP address of the attacker and specify a block duration. Block
Service - Block the service of the attacker and specify a block duration.

l Sensitivity: Specifies the sensitivity for the SQL injection protection
function. The higher the sensitivity is, the lower the false negative rate is.

l Check point: Specifies the check point for the SQL injection check. It can
be Cookie, Cookie2, Post, Referer or URI.

XSS Injection Protection Click the Enable button to enable the XSS injection check
for the HTTP protocol.

l Capture Packets: Capture the abnormal packets. You can view them in the
threat log.

l Action: Log Only - Record a log. Reset - Reset connections (TCP) or send
destination unreachable packets (UDP) and also generate logs. Block IP -
Block the IP address of the attacker and specify a block duration. Block
Service - Block the service of the attacker and specify a block duration.

l Sensitivity: Specifies the sensitivity for the XSS injection protection
function. The higher the sensitivity is, the lower the false negative rate is.

l Check point: Specifies the check point for the XSS injection check. It can
be Cookie, Cookie2, Post, Referer or URI.

External Link Check
  Click the Enable button to enable the external link check for the Web server. This function controls the referencing of resources from external sites.
  - Capture Packets: Capture the abnormal packets. You can view them in the threat log.
  - External link exception: Click this link to open the External Link Exception Configuration page. All URLs configured on this page may be linked to by the Web server. At most 32 URLs can be specified for one Web server.
  - Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs.

Hotlinking Check
  Click the Enable button to enable the hotlinking check. System inspects the headers of the HTTP request (normally the Referer) to obtain the site the request came from. If that site is in the Hotlinking Exception list, system lets the request through; otherwise it logs the request or resets the connection. This controls which other sites may link to or embed the Web site's resources and helps prevent cross-site request forgery (CSRF) attacks launched from those sites. Because the Referer header is supplied by the client and may be absent, for example when a browser's referrer policy suppresses it, treat this as a hygiene control rather than a complete CSRF defense.
  - Hotlinking Exception: Click 'Hotlinking Exception' to open the Hotlinking Exception Configuration page. The URLs configured there are allowed to refer to this Web site. Each Web server can be configured with up to 32 URLs.
  - Action: Specifies the action for HTTP requests that exhibit hotlinking behavior, either "Log only" or "Reset".

Iframe Check
  Click the Enable button to enable the iframe check. System identifies hidden iframes in HTML pages and logs them or resets the connection. After the iframe check is enabled, system checks each iframe in the HTML page against the specified height and width; when the iframe's height or width is less than or equal to the configured value, system identifies it as a hidden iframe attack and records it or resets the connection.
  - Height: Specifies the height threshold for the iframe, in the range 0 to 4096.
  - Width: Specifies the width threshold for the iframe, in the range 0 to 4096.
  - Action: Specifies the action for HTTP traffic that carries a hidden iframe, either 'Log Only' or 'Reset'.
    Log Only - Record a log.
    Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs.

ACL
  Click the Enable button to enable access control for the Web server. The access control function checks the upload paths of the websites to prevent attackers from uploading malicious code.
  - ACL: Click this link to open the ACL Configuration page, where you specify websites and their properties. "Static" means the URI may be accessed only as a static resource (images and text); any other access is handled according to the specified action (log only/reset). "Block" means the resource of the website is not allowed to be accessed at all.
  - Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs.

HTTP Request Flood Protection
  Click the Enable button to enable HTTP request flood protection. Both IPv4 and IPv6 addresses are supported.
  - Request threshold: Specifies the request threshold.
    - For a protected domain name, when the number of HTTP requests per second reaches the threshold and stays there for 20 seconds, system treats it as an HTTP request flood attack and activates the HTTP request flood protection.
    - For a protected full URL, when the number of HTTP requests per second towards this URL reaches the threshold and stays there for 20 seconds, system treats it as an HTTP request flood attack against this URL and activates the HTTP request flood protection.
  - Full URL: Click this link to enter the full URLs of particular pages to protect, for example www.example.com/index.html. When protecting a particular URL, you can select a statistic object, that is, the key under which requests are counted. When the number of HTTP requests per second from one statistic object reaches the threshold and stays there for 20 seconds, system treats it as an HTTP request flood attack by this object and activates the HTTP request flood protection.
    - x-forwarded-for: Select None, and system does not use the X-Forwarded-For header value as the statistic object. Select First to use the first address in the X-Forwarded-For header as the statistic object, Last to use the last address, or All to use all addresses in the header.
    - x-real-ip: Select whether to use the value of the X-Real-IP header as the statistic object.
    Both headers are written by clients and proxies, not by the protected server. Use them only when the server sits behind a proxy you control: the first X-Forwarded-For address is whatever the client sent, so a client that forges a different one on every request spreads its traffic across many statistic objects, while the last address is the one appended by the nearest proxy.
  When an HTTP request flood attack is detected, you can have system take the following actions:
  - Authentication: Specifies the authentication method. System judges the legitimacy of the HTTP requests from a source IP through this authentication; if a source IP fails the authentication, its current request is blocked. The available methods are:
    - Auto (JS Cookie): The Web browser completes the authentication automatically by passing a JavaScript cookie challenge.
    - Auto (Redirect): The Web browser completes the authentication automatically by following a redirect.
    - Manual (Access Configuration): The initiator of the HTTP request must click OK on the returned page to complete the authentication.
    - Manual (CAPTCHA): The initiator of the HTTP request must enter the verification code shown on the returned page to complete the authentication.
    The automatic methods stop simple flood tools that do not execute scripts or follow redirects; the manual methods also stop scripted browsers, at the cost of interrupting users.
  - Crawler-friendly: If this button is enabled, system does not authenticate crawlers. A flood tool can present itself as a crawler, so enable this only when search engine access during an attack matters.
  - Request limit: Specifies the per-source request limit for HTTP request flood protection. After the request limit is configured, system limits the request rate of each source IP. If the request rate is higher than the limit specified here and the HTTP request flood protection is active, system handles the excess requests according to the specified action (Block IP/Reset). To record a log, click the Record log enable button.
  - Proxy limit: Specifies the request limit for sources that are proxy servers. After the proxy limit is configured, system checks whether each source IP belongs to a proxy server and, if so, limits its request rate according to this configuration instead. If the request rate is higher than the limit specified here and the HTTP request flood protection is active, system handles the excess requests according to the specified action (Block IP/Reset). To record a log, click the Record log enable button. Set this limit higher than the request limit, since many legitimate users share a proxy's source IP.
  - White List: Specifies the white list for HTTP request flood protection. Source IPs added to the white list are not subject to the HTTP request flood check.
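The statistic object chosen above decides which key a request is counted under, and that choice is what an attacker will try to game. The following is an added example, not Hillstone's code, that implements the None/First/Last/All X-Forwarded-For modes, the X-Real-IP override and the "threshold sustained for 20 seconds" rule from the option descriptions, then replays constructed traffic from one attacker and one legitimate user behind the same proxy. Names, the one-second buckets and the fallback to the packet source IP when the header is not used are assumptions.

```python
from collections import defaultdict

SUSTAIN_SECONDS = 20  # the rate must hold for this long before it counts as a flood


def statistic_object(src_ip, headers, xff_mode="None", use_x_real_ip=False):
    """Pick the key a request is counted under (assumed: fall back to the packet source)."""
    if use_x_real_ip and headers.get("x-real-ip"):
        return headers["x-real-ip"].strip()
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    if hops and xff_mode == "First":
        return hops[0]          # client-supplied: trivially forged by the client
    if hops and xff_mode == "Last":
        return hops[-1]         # appended by the nearest proxy: trustworthy if that proxy is yours
    if hops and xff_mode == "All":
        return ",".join(hops)   # whole chain: one forged hop already splits the attacker's traffic
    return src_ip               # mode "None" or no header present


class FloodDetector:
    def __init__(self, threshold, xff_mode="None", use_x_real_ip=False):
        self.threshold = threshold
        self.xff_mode = xff_mode
        self.use_x_real_ip = use_x_real_ip
        self.counts = defaultdict(lambda: defaultdict(int))  # key -> second -> requests

    def observe(self, ts, src_ip, headers):
        key = statistic_object(src_ip, headers, self.xff_mode, self.use_x_real_ip)
        self.counts[key][int(ts)] += 1
        return key

    def is_flood(self, key, now):
        """True when the key reached the threshold in each of the last 20 seconds."""
        per_second = self.counts.get(key, {})
        window = range(int(now) - SUSTAIN_SECONDS + 1, int(now) + 1)
        return all(per_second.get(s, 0) >= self.threshold for s in window)


def simulate(xff_mode, threshold=30):
    """Constructed traffic: a proxy at 192.0.2.10 forwards 30 req/s from an attacker
    (203.0.113.7) that forges a fresh first X-Forwarded-For hop on every request, plus
    1 req/s from a legitimate user (198.51.100.4). Returns the keys flagged as a flood."""
    det = FloodDetector(threshold, xff_mode)
    for sec in range(SUSTAIN_SECONDS):
        for i in range(threshold):
            n = sec * threshold + i
            forged = f"10.{(n >> 16) & 255}.{(n >> 8) & 255}.{n & 255}"
            det.observe(sec, "192.0.2.10", {"x-forwarded-for": f"{forged}, 203.0.113.7"})
        det.observe(sec, "192.0.2.10", {"x-forwarded-for": "198.51.100.4"})
    last = SUSTAIN_SECONDS - 1
    return sorted(k for k in det.counts if det.is_flood(k, last))


if __name__ == "__main__":
    for mode in ("None", "First", "Last"):
        print(mode, simulate(mode))
```

Running the three modes shows the trade-off: None flags the proxy address, which also punishes the legitimate user behind it; First flags nothing, because every forged hop becomes its own statistic object; Last isolates the attacker, and only because the proxy in this scenario is trusted to append the real client address.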

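The Iframe Check option above is described only in terms of the height and width attributes of an iframe. The following is an added example, not Hillstone's code, of that rule applied to a constructed HTML response: it flags any iframe whose height or width attribute is at or below the configured thresholds. How percentage or non-numeric sizes are treated is an assumption (they are skipped here), and an iframe hidden by CSS alone, also included in the sample, is deliberately left unflagged to show what a size-based rule cannot see.

```python
from html.parser import HTMLParser


def _pixels(value):
    """Parse an iframe height/width attribute as a pixel count.
    Returns None for missing, percentage or otherwise non-numeric values, which this
    example does not judge (an assumption; the page does not say how they are handled)."""
    if value is None:
        return None
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    return int(v) if v.isdigit() else None


class HiddenIframeFinder(HTMLParser):
    """Collect iframes whose height or width is at or below the configured thresholds."""

    def __init__(self, max_height, max_width):
        super().__init__()
        self.max_height = max_height
        self.max_width = max_width
        self.hidden = []  # (src, height, width) of each flagged iframe

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)  # HTMLParser already lower-cases tag and attribute names
        h, w = _pixels(a.get("height")), _pixels(a.get("width"))
        if (h is not None and h <= self.max_height) or (w is not None and w <= self.max_width):
            self.hidden.append((a.get("src"), h, w))


def find_hidden_iframes(html, max_height=0, max_width=0):
    parser = HiddenIframeFinder(max_height, max_width)
    parser.feed(html)
    parser.close()
    return parser.hidden


# Constructed response body: two tiny iframes of the kind drive-by pages use, one
# normal embed, and one hidden by CSS alone, which the size rule cannot see.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="http://a.example/x.html" width="0" height="0"></iframe>
<IFRAME SRC="http://b.example/y.html" WIDTH="1px" HEIGHT="1px"></IFRAME>
<iframe src="http://c.example/player" width="560" height="315"></iframe>
<iframe src="http://d.example/z.html" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_HTML, max_height=2, max_width=2):
        print("hidden iframe:", hit)
```

With the thresholds at 0 only the 0x0 frame is flagged; raising them to 2 also catches the 1px frame, which is the usual way malicious pages keep an iframe technically visible. The display:none frame never matches, so this check is best combined with the signature-based detection rather than relied on alone.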
In the DNS tab, configure the following settings:

Option Description

DNS
  Max Scan Length: Specifies the maximum length to scan in DNS packets. Content beyond this length is not inspected, so a smaller value lowers the inspection load at the cost of missing anomalies that appear later in the packet.
  Protocol Anomaly Detection: Select Enable to analyze the DNS packets. If abnormal contents exist, you can:
  - Protocol Anomaly list: Click to open the Protocol Anomaly List page, which displays the signature rules related to DNS protocol anomalies in this profile. Select one or more rules and click Enable to enable them, or click Disable to disable them.
  - Capture Packets: Capture the abnormal packets. You can view them in the threat log.
  - Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Security Protection Configuration 279


In the FTP tab, configure the following settings:

Option Description

FTP
  Max Scan Length: Specifies the maximum length to scan in FTP packets.
  Banner Detection: Click the Enable button to enable banner protection for the FTP server, so that the real banner, which typically reveals the server software and version, is not shown to clients.
  - Banner Information: Type the text that will replace the original server banner.
  Protocol Anomaly Detection: Select Enable to analyze the FTP packets. If abnormal contents exist, you can:
  - Protocol Anomaly list: Click to open the Protocol Anomaly List page, which displays the signature rules related to FTP protocol anomalies in this profile. Select one or more rules and click Enable to enable them, or click Disable to disable them.
  - Capture Packets: Capture the abnormal packets. You can view them in the threat log.
  - Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Max Command Line Length: Specifies the maximum length (including the carriage return) of an FTP command line. If the length exceeds the limit, you can:
  - Capture Packets: Capture the abnormal packets. You can view them in the threat log.
  - Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Max Response Line Length: Specifies the maximum length of an FTP response line. If the length exceeds the limit, you can:
  - Capture Packets: Capture the abnormal packets. You can view them in the threat log.
  - Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Action for Brute-force: Click the Enable button to enable brute-force detection. If the login failures from a source within 5 minutes exceed the threshold, system identifies the attempts as an intrusion and takes the configured action.
  - Login Threshold per 5 Mins - Specifies the permitted number of authentication/login failures per 5 minutes.
  - Block IP - Block the IP address of the attacker for the block duration.
  - Block Service - Block the service of the attacker for the block duration.
  - Block Time - Specifies the block duration.

In the MSRPC tab, configure the following settings:

Option Description

MSRPC
  Max Scan Length: Specifies the maximum length to scan in MSRPC packets.
  Protocol Anomaly Detection: Select Enable to analyze the MSRPC packets. If abnormal contents exist, you can:
  - Protocol Anomaly list: Click to open the Protocol Anomaly List page, which displays the signature rules related to MSRPC protocol anomalies in this profile. Select one or more rules and click Enable to enable them, or click Disable to disable them.
  - Capture Packets: Capture the abnormal packets. You can view them in the threat log.
  - Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Max Bind Length: Specifies the maximum length of an MSRPC bind packet. If the length exceeds the limit, you can:
  - Capture Packets: Capture the abnormal packets. You can view them in the threat log.
  - Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Max Request Length: Specifies the maximum length of an MSRPC request packet. If the length exceeds the limit, you can:
  - Capture Packets: Capture the abnormal packets. You can view them in the threat log.
  - Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Action for Brute-force: Click the Enable button to enable brute-force detection. If the login failures from a source within 5 minutes exceed the threshold, system identifies the attempts as an intrusion and takes the configured action.
  - Login Threshold per 5 Mins - Specifies the permitted number of authentication/login failures per 5 minutes.
  - Block IP - Block the IP address of the attacker for the block duration.
  - Block Service - Block the service of the attacker for the block duration.
  - Block Time - Specifies the block duration.

In the POP3 tab, configure the following settings:

Option Description

POP3
  Max Scan Length: Specifies the maximum length to scan in POP3 packets.
  Protocol Anomaly Detection: Click the Enable button to analyze the POP3 packets. If abnormal contents exist, you can:
  - Protocol Anomaly list: Click to open the Protocol Anomaly List page, which displays the signature rules related to POP3 protocol anomalies in this profile. Select one or more rules and click Enable to enable them, or click Disable to disable them.
  - Capture Packets: Capture the abnormal packets. You can view them in the threat log.
  - Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Banner Detection: Click the Enable button to enable banner protection for the POP3 server.
  - Banner information - Type the text that will replace the original server banner.
  Max Command Line Length: Specifies the maximum length (including the carriage return) of a POP3 command line. If the length exceeds the limit, you can:
  - Capture Packets: Capture the abnormal packets. You can view them in the threat log.
  - Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Max Parameter Length: Specifies the maximum length of a POP3 client command parameter. If the length exceeds the limit, you can:
  - Capture Packets: Capture the abnormal packets. You can view them in the threat log.
  - Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Max Failure Times: Specifies the maximum number of failures (within a single POP3 session) permitted for the POP3 server. If the failure count exceeds the limit, you can:
  - Capture Packets: Capture the abnormal packets. You can view them in the threat log.
  - Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Action for Brute-force: Click the Enable button to enable brute-force detection. If the login failures from a source within 5 minutes exceed the threshold, system identifies the attempts as an intrusion and takes the configured action.
  - Login Threshold per 5 Mins - Specifies the permitted number of authentication/login failures per 5 minutes.
  - Block IP - Block the IP address of the attacker for the block duration.
  - Block Service - Block the service of the attacker for the block duration.
  - Block Time - Specifies the block duration.

In the SMTP tab, configure the following settings:

Option Description

SMTP
  Max Scan Length: Specifies the maximum length to scan in SMTP packets.
  Protocol Anomaly Detection: Click Enable to analyze the SMTP packets. If abnormal contents exist, you can:
  - Protocol Anomaly list: Click to open the Protocol Anomaly List page, which displays the signature rules related to SMTP protocol anomalies in this profile. Select one or more rules and click Enable to enable them, or click Disable to disable them.
  - Capture Packets: Capture the abnormal packets. You can view them in the threat log.
  - Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Banner Detection: Click the Enable button to enable banner protection for the SMTP server.
  - Banner information - Type the text that will replace the original server banner.
  Max Command Line Length: Specifies the maximum length (including the carriage return) of an SMTP command line. If the length exceeds the limit, you can:
  - Capture Packets: Capture the abnormal packets. You can view them in the threat log.
  - Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Max Path Length: Specifies the maximum length of the reverse-path (MAIL FROM) and forward-path (RCPT TO) fields in SMTP client commands. If the length exceeds the limit, you can:
  - Capture Packets: Capture the abnormal packets. You can view them in the threat log.
  - Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Max Reply Line Length: Specifies the maximum length of a reply line from the SMTP server. If the length exceeds the limit, you can:
  - Capture Packets: Capture the abnormal packets. You can view them in the threat log.
  - Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Max Text Line Length: Specifies the maximum length of an e-mail text line sent by the SMTP client. If the length exceeds the limit, you can:
  - Capture Packets: Capture the abnormal packets. You can view them in the threat log.
  - Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Max Content Type Length: Specifies the maximum length of the Content-Type field in SMTP traffic. If the length exceeds the limit, you can:
  - Capture Packets: Capture the abnormal packets. You can view them in the threat log.
  - Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Max Content Filename Length: Specifies the maximum length of an e-mail attachment filename. If the length exceeds the limit, you can:
  - Capture Packets: Capture the abnormal packets. You can view them in the threat log.
  - Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Max Failure Time: Specifies the maximum number of failures (within a single SMTP session) permitted for the SMTP server. If the failure count exceeds the limit, you can:
  - Capture Packets: Capture the abnormal packets. You can view them in the threat log.
  - Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Action for Brute-force: Click the Enable button to enable brute-force detection. If the login failures from a source within 5 minutes exceed the threshold, system identifies the attempts as an intrusion and takes the configured action.
  - Login Threshold per 5 Mins - Specifies the permitted number of authentication/login failures per 5 minutes.
  - Block IP - Block the IP address of the attacker for the block duration.
  - Block Service - Block the service of the attacker for the block duration.
  - Block Time - Specifies the block duration.

In the SUNRPC tab, configure the following settings:

Option Description

SUNRPC
  Max Scan Length: Specifies the maximum length to scan in SUNRPC packets.
  Protocol Anomaly Detection: Click Enable to analyze the SUNRPC packets. If abnormal contents exist, you can:
  - Protocol Anomaly list: Click to open the Protocol Anomaly List page, which displays the signature rules related to SUNRPC protocol anomalies in this profile. Select one or more rules and click Enable to enable them, or click Disable to disable them.
  - Capture Packets: Capture the abnormal packets. You can view them in the threat log.
  - Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Action for Brute-force: Click the Enable button to enable brute-force detection. If the login failures from a source within 5 minutes exceed the threshold, system identifies the attempts as an intrusion and takes the configured action.
  - Login Threshold per 5 Mins - Specifies the permitted number of authentication/login failures per 5 minutes.
  - Block IP - Block the IP address of the attacker for the block duration.
  - Block Service - Block the service of the attacker for the block duration.
  - Block Time - Specifies the block duration.

In the Telnet tab, configure the following settings:

Option Description

Telnet
  Max Scan Length: Specifies the maximum length to scan in Telnet packets.
  Protocol Anomaly Detection: Click Enable to analyze the Telnet packets. If abnormal contents exist, you can:
  - Protocol Anomaly list: Click to open the Protocol Anomaly List page, which displays the signature rules related to Telnet protocol anomalies in this profile. Select one or more rules and click Enable to enable them, or click Disable to disable them.
  - Capture Packets: Capture the abnormal packets. You can view them in the threat log.
  - Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Username/Password Max Length: Specifies the maximum length of the username and password used in Telnet. If the length exceeds the limit, you can:
  - Capture Packets: Capture the abnormal packets. You can view them in the threat log.
  - Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Action for Brute-force: Click the Enable button to enable brute-force detection. If the login failures from a source within 5 minutes exceed the threshold, system identifies the attempts as an intrusion and takes the configured action.
  - Login Threshold per 5 Mins - Specifies the permitted number of authentication/login failures per 5 minutes.
  - Block IP - Block the IP address of the attacker for the block duration.
  - Block Service - Block the service of the attacker for the block duration.
  - Block Time - Specifies the block duration.

11. Click OK.
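The Action for Brute-force option appears with the same four settings in the FTP, MSRPC, POP3, SMTP, SUNRPC and Telnet tabs above. The following is an added example, not Hillstone's code, of that rule reduced to its core: count login failures per source IP (Block IP) or per source IP and service (Block Service) inside a 5-minute window and, once they exceed Login Threshold per 5 Mins, block for Block Time seconds. The sliding window, the event format and the names are assumptions; the constructed events show an attacker crossing the threshold, a later correct login that is still blocked, the difference between the two block modes, and the block expiring.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 300  # "per 5 minutes"; a sliding window is this example's reading


class BruteForceGuard:
    """Count login failures per source (optionally per source and service) inside a
    sliding 5-minute window; once they exceed the threshold, block for block_time seconds."""

    def __init__(self, threshold, block_time, block_service=False):
        self.threshold = threshold          # permitted failures per 5 minutes
        self.block_time = block_time        # Block Time, in seconds
        self.block_service = block_service  # True: Block Service, False: Block IP
        self.failures = defaultdict(deque)  # key -> failure timestamps in the window
        self.blocks = {}                    # key -> block expiry time

    def _key(self, ip, service):
        return (ip, service) if self.block_service else (ip, None)

    def is_blocked(self, ip, service, now):
        for key in ((ip, None), (ip, service)):
            expiry = self.blocks.get(key)
            if expiry is None:
                continue
            if now < expiry:
                return True
            del self.blocks[key]  # the block has expired
        return False

    def record(self, now, ip, service, success):
        """Feed one login attempt. Returns 'blocked' (dropped by an existing block),
        'block' (this attempt crossed the threshold) or 'ok'."""
        if self.is_blocked(ip, service, now):
            return "blocked"
        if success:
            return "ok"
        key = self._key(ip, service)
        window = self.failures[key]
        window.append(now)
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()  # forget failures older than 5 minutes
        if len(window) > self.threshold:
            self.blocks[key] = now + self.block_time
            window.clear()
            return "block"
        return "ok"


# Constructed events: (time, source ip, service, login succeeded?)
EVENTS = [(t, "203.0.113.7", "ftp", False) for t in (0, 10, 20, 30, 40, 50)] + [
    (70, "203.0.113.7", "ftp", True),      # right password at last, but the source is blocked
    (70, "203.0.113.7", "telnet", False),  # same source, a different service
    (700, "203.0.113.7", "ftp", True),     # the 600-second block has expired
]


def replay(block_service, threshold=5, block_time=600):
    guard = BruteForceGuard(threshold, block_time, block_service)
    return [guard.record(*event) for event in EVENTS]


if __name__ == "__main__":
    print("Block IP:     ", replay(block_service=False))
    print("Block Service:", replay(block_service=True))
```

The sixth failure is the one that exceeds a threshold of 5. With Block IP the Telnet attempt at t=70 is rejected as well; with Block Service only FTP is blocked and the Telnet failure starts its own count, which is the trade-off to weigh when the same host offers several services.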

Signature List

Select Configuration Management > Security Protection Configuration > Intrusion Prevention
System > Signature List. You can see the signature list.

The upper section is for searching signatures. The lower section is for managing signatures.

Searching Signatures

In the upper section, click Filter to set the search conditions to search the signatures that match
the condition.

To clear all search conditions, click Remove All. To save the search conditions, click the corresponding icon and then click Save Filters to name this set of search conditions and save it.


Managing Signatures

You can view signatures, create a new signature, load the database, delete a signature, edit a sig-
nature, enable a signature, and disable a signature.

l View signatures: In the signature list, click the "+" button before the ID of a signature to
view the details.

l Create a new signature: click New.

In the User-defined Signature page, configure the following settings:

Option Description

Name: Specifies the signature name.
Description: Specifies the signature description.
Protocol: Specifies the affected protocol.
Flow: Specifies the direction of the traffic the signature applies to.
- To_Server means the attack packet travels from the client to the server.
- To_Client means the attack packet travels from the server to the client.
- Any includes To_Server and To_Client.
Source Port: Specifies the source port of the signature.
- Any - Any source port.
- Included - Only the source ports you specify match. It can be one port, several ports, or a range. Enter the port numbers in the text box, separated by ",".
- Excluded - The source ports you specify are excluded; all other ports match. It can be one port, several ports, or a range. Enter the port numbers in the text box, separated by ",".
Destination Port: Specifies the destination port of the signature.
- Any - Any destination port.
- Included - Only the destination ports you specify match. It can be one port, several ports, or a range. Enter the port numbers in the text box, separated by ",".
- Excluded - The destination ports you specify are excluded; all other ports match. It can be one port, several ports, or a range. Enter the port numbers in the text box, separated by ",".
Dsize: Specifies the payload size. Select "----", ">", "<" or "=" from the drop-down list and specify the value in the text box. "----" means the parameter is not set.
Severity: Specifies the severity of the attack.
Attack Type: Select the attack type from the drop-down list.
Application: Select the affected applications. "----" means all applications.
Operating System: Select the affected operating system from the drop-down list. "----" means all operating systems.
Bulletin Board: Select the bulletin board of the attack.
Year: Specifies the year the attack was released.
Detection Filter: Specifies how often the signature rule must match before it triggers.
- Track - Select the track type from the drop-down list, by_source or by_destination. System keeps the match statistics per source IP or per destination IP to decide whether the traffic matches this rule.
- Count - Specifies the number of matches within the specified time. If the matches from one tracked source or destination exceed the Count value, system triggers the rule and acts as specified.
- Seconds - Specifies the length of the time window, in seconds, over which matches are counted.

Configure Content, click New to specify the content of the signature:

Option Description

Content: Specifies the signature content. Select the following check boxes if needed:
- HEX - The content is given in hexadecimal.
- Case Insensitive - The content is matched without regard to case.
- URI - The content is matched against the URI field of the HTTP request.
Relative: Specifies where system searches for the content.
- If Beginning is selected, system searches from the start of the application layer payload.
  - Offset: System starts searching this many bytes after the start of the application layer payload.
  - Depth: Specifies the number of bytes, counted from the offset, within which the content must be found.
- If Last Content is selected, system searches relative to the end of the previous content match.
  - Distance: System starts searching this many bytes after the end of the previous content match.
  - Within: Specifies the number of bytes, counted from the distance, within which the content must be found.

• Load the database: After you create a new signature, click Load Database to make the newly created signature take effect.

• Edit a signature: Select a signature and then click Edit. Only user-defined signatures can be edited. After editing the signature, click Load Database to make the modifications take effect.

• Delete a signature: Select a signature and then click Delete. Only user-defined signatures can be deleted. After deleting the signature, click Load Database to make the deletion take effect.

• Enable/Disable signatures: Select the signatures, then click Enable or Disable.

Signatures are categorized by protocol and identified by a unique signature ID. The signature ID consists of two parts: a protocol ID (the first one or two digits) and an attacking signature ID (the last five digits). For example, in ID 605001, "6" identifies the Telnet protocol and "05001" is the attacking signature ID. The first digit of the attacking signature ID distinguishes protocol anomaly signatures from attack signatures. The mappings between IDs and protocols are shown in the table below:

ID  Protocol
1   DNS
2   FTP
3   HTTP
4   POP3
5   SMTP
6   Telnet
7   Other-TCP
8   Other-UDP
9   IMAP
10  Finger
11  SUNRPC
12  NNTP
13  TFTP
14  SNMP
15  MySQL
16  MSSQL
17  Oracle
18  MSRPC
19  NetBIOS
20  DHCP
21  LDAP
22  VoIP

In the above table, Other-TCP identifies all the TCP protocols other than the standard TCP pro-
tocols listed in the table, and Other-UDP identifies all the UDP protocols other than the standard
UDP protocols listed in the table.
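The ID layout just described, as an added example (not code from the guide or the product): a small parser that splits a signature ID into its protocol ID and attacking signature ID using the table above, and rejects IDs that do not fit the one-or-two-digit-plus-five-digit layout. Only 605001 comes from the guide; the other sample IDs are constructed.

```python
"""Split a Hillstone-style IPS signature ID into its protocol ID and
attacking signature ID, using the protocol table from the guide above.

Added example, not code shipped with the product. The layout it implements
is the one the guide describes: a 1- or 2-digit protocol ID followed by a
5-digit attacking signature ID."""

PROTOCOL_BY_ID = {
    1: "DNS", 2: "FTP", 3: "HTTP", 4: "POP3", 5: "SMTP", 6: "Telnet",
    7: "Other-TCP", 8: "Other-UDP", 9: "IMAP", 10: "Finger", 11: "SUNRPC",
    12: "NNTP", 13: "TFTP", 14: "SNMP", 15: "MySQL", 16: "MSSQL",
    17: "Oracle", 18: "MSRPC", 19: "NetBIOS", 20: "DHCP", 21: "LDAP",
    22: "VoIP",
}

ATTACK_ID_DIGITS = 5


def split_signature_id(sig_id):
    """Return (protocol_id, protocol_name, attack_id) for an integer or
    numeric-string signature ID. Raises ValueError if the ID does not fit
    the documented layout or names an unknown protocol."""
    text = str(sig_id)
    if not text.isdigit() or len(text) <= ATTACK_ID_DIGITS:
        raise ValueError("signature ID must be at least 6 digits: %r" % (sig_id,))
    proto_digits, attack_id = text[:-ATTACK_ID_DIGITS], text[-ATTACK_ID_DIGITS:]
    if len(proto_digits) > 2:
        raise ValueError("protocol ID must be 1 or 2 digits: %r" % (sig_id,))
    proto = int(proto_digits)
    if proto not in PROTOCOL_BY_ID:
        raise ValueError("unknown protocol ID %d in %r" % (proto, sig_id))
    return proto, PROTOCOL_BY_ID[proto], attack_id


def group_by_protocol(sig_ids):
    """Bucket signature IDs by protocol name, e.g. to review which protocols
    a user-defined signature set or a whitelist touches."""
    buckets = {}
    for sig_id in sig_ids:
        _, name, _ = split_signature_id(sig_id)
        buckets.setdefault(name, []).append(str(sig_id))
    return buckets


if __name__ == "__main__":
    # Constructed sample IDs; only 605001 appears in the guide.
    for sid in (605001, "1900001", 2212345):
        print(sid, "->", split_signature_id(sid))
    print(group_by_protocol([605001, 600002, 300010]))
```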

IPS Global Configuration

Configuring the IPS global settings includes:



• Enable the IPS function

• Specify how to merge logs

• Specify the work mode

Click Policy > Intrusion Prevention System > Configuration to configure the IPS global set-
tings.

Option Description

IPS: Select or clear the Enable check box to enable or disable the IPS function.

Merge Log: The system can merge IPS logs that share the same protocol ID, VSYS ID, signature ID, log ID and merging type, which reduces log volume and avoids redundant log entries. The function is disabled by default. Select the merging type from the drop-down list:

  • ---- - Do not merge any logs.

  • Source IP - Merge logs with the same source IP.

  • Destination IP - Merge logs with the same destination IP.

  • Source IP, Destination IP - Merge logs with the same source IP and the same destination IP.

Aggregate Time: Specifies the time granularity at which IPS threat logs of the merging type selected above are stored in the database. Within one interval, a log of the same type is stored only once. The range is 10 to 600 seconds.

Mode: Specifies the working mode of IPS:

  • IPS - When an attack is detected, StoneOS generates a log and also resets the connection or blocks the attacker. This is the default mode.

  • Log only - When an attack is detected, StoneOS only generates a log; it does not reset connections or block attackers.

Record HTTP Proxy IP: Select the Enable check box to make the device record the HTTP proxy IP. When enabled, the threat log records only the IP address of the HTTP proxy, not the real IP address of the threat source. When disabled, the system parses the HTTP header to obtain the real IP address of the threat source and shows that address in the threat log. The function is enabled by default.

Note:

  • This function only takes effect in an HTTP proxy deployment, and only for HTTP traffic.

  • Because the real source IP is obtained by parsing the HTTP header, it cannot be shown for threats detected before the HTTP request header has been parsed.

  • This function only applies to threat logs generated by IPS filtering.

After the configurations, click OK to save the settings.
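The Record HTTP Proxy IP behaviour above, as an added example that is not code from the guide or the product. The guide only says the device "parses the HTTP header"; this example assumes the X-Forwarded-For header (the usual way a proxy conveys the original client address) and a list of your own proxy networks, and it shows the check a practitioner wants in front of that header: a client can write anything it likes into X-Forwarded-For before the request reaches the proxy, so only the hops appended by trusted proxies are believed. The addresses are constructed.

```python
"""Deciding which address to log as the threat source behind an HTTP proxy.

Added example, not product code. Assumes the real client address travels in
the X-Forwarded-For (XFF) header and that the trusted proxy networks are
known. Only XFF hops appended by a trusted proxy are believed."""

import ipaddress


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def threat_source_ip(peer_ip, headers, trusted_proxies, record_proxy_ip=False):
    """Return the address to write into the threat log.

    peer_ip          the TCP peer of the connection (the proxy in a proxy deployment)
    headers          dict of HTTP request headers (names matched case-insensitively)
    trusted_proxies  CIDR strings of proxies whose XFF entries we believe
    record_proxy_ip  mirrors the Record HTTP Proxy IP switch: when True the
                     proxy address itself is logged and the header is ignored
    """
    if record_proxy_ip:
        return peer_ip
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def trusted(ip):
        return _is_ip(ip) and any(ipaddress.ip_address(ip) in n for n in nets)

    # A header that did not arrive through one of our proxies is client-supplied
    # and worthless as evidence: log the peer we actually talked to.
    if not trusted(peer_ip):
        return peer_ip
    xff = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), None)
    if not xff:
        return peer_ip
    # Walk right to left: the rightmost entry was appended by the peer proxy;
    # the first entry that is not one of our proxies is the real client.
    last_trusted = peer_ip
    for hop in reversed([h.strip() for h in xff.split(",")]):
        if not _is_ip(hop):
            break                  # malformed entry: trust nothing to the left of it
        if trusted(hop):
            last_trusted = hop
            continue
        return hop
    return last_trusted


if __name__ == "__main__":
    proxies = ["10.1.1.0/24"]       # constructed: our reverse-proxy tier
    # Proxy chain 10.1.1.3 -> 10.1.1.2, real client 203.0.113.7
    print(threat_source_ip("10.1.1.2", {"X-Forwarded-For": "203.0.113.7, 10.1.1.3"}, proxies))
    # Client tried to spoof 1.2.3.4; the proxy appended the real address afterwards
    print(threat_source_ip("10.1.1.2", {"X-Forwarded-For": "1.2.3.4, 203.0.113.7"}, proxies))
    # Direct connection carrying a forged header: the header is ignored
    print(threat_source_ip("198.51.100.9", {"X-Forwarded-For": "1.2.3.4"}, proxies))
```

The second and third cases are the ones that matter operationally: with the switch disabled, a threat log that blindly took the leftmost XFF value would let an attacker choose what address appears in your logs (and what gets blocked).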

Configuring IPS White list

The device inspects network traffic in real time and generates alerts or blocks traffic when a threat is detected. As network environments grow more complex, the device produces more and more threat alerts, more than users can act on, and many of them are false positives. An IPS whitelist tells the system to stop alerting on or blocking the whitelisted traffic, which lowers the false alarm rate. An IPS whitelist entry consists of a source address, a destination address and a threat ID; at least one of the three must be configured.
To configure an IPS white list :

1. Select Configuration Management > Security Protection Configuration > Intrusion Prevention System > White list.

2. Click New.

In the WhiteList Configuration page, enter the White List configurations.

Option Description

Name: Specifies the whitelist name.

Type: Select the address type, IPv4 or IPv6.

Source Address: Specifies the source address of the traffic to be matched by IPS.

Destination Address: Specifies the destination address of the traffic to be matched by IPS.

Next-hop Virtual Router: Select the next-hop VRouter from the drop-down list.

Signature ID: Select the signature ID from the drop-down list. A whitelist entry can hold at most one threat ID. When no threat ID is set, traffic is matched on the source and destination IP address only. When a threat ID is configured, the source address, destination address and threat ID must all match before the packets are released.

3. Click OK.
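The matching rule stated in the Signature ID row, as an added example (not code from the guide or the product). It encodes the text's rule: an entry needs at least one of source, destination and threat ID, and every configured field must match. Treating an unconfigured field as a wildcard is this example's reading of the text, and the addresses and signature IDs are constructed.

```python
"""Matching logic of an IPS whitelist entry.

Added example, not product code. An entry needs at least one of source
address, destination address and threat ID, and every field that is
configured must match; an unconfigured field is treated as a wildcard
(this example's reading of the guide). Sample data is constructed."""

import ipaddress


class WhitelistEntry:
    def __init__(self, name, source=None, destination=None, signature_id=None):
        if source is None and destination is None and signature_id is None:
            raise ValueError("configure at least one of source, destination, signature_id")
        self.name = name
        # strict=False lets a bare host address such as "10.0.1.7" be used as a /32
        self.source = ipaddress.ip_network(source, strict=False) if source else None
        self.destination = ipaddress.ip_network(destination, strict=False) if destination else None
        self.signature_id = int(signature_id) if signature_id is not None else None

    def matches(self, src_ip, dst_ip, signature_id):
        """True when every configured field matches the event."""
        src = ipaddress.ip_address(src_ip)
        dst = ipaddress.ip_address(dst_ip)
        # An IPv4 network never contains an IPv6 address (and vice versa), so an
        # IPv4 entry cannot accidentally release IPv6 traffic.
        if self.source is not None and src not in self.source:
            return False
        if self.destination is not None and dst not in self.destination:
            return False
        if self.signature_id is not None and int(signature_id) != self.signature_id:
            return False
        return True


def whitelisted_by(entries, src_ip, dst_ip, signature_id):
    """Name of the first entry that releases the event, or None if the event
    must still be logged or blocked."""
    for entry in entries:
        if entry.matches(src_ip, dst_ip, signature_id):
            return entry.name
    return None


# Constructed sample whitelist: a vulnerability-scanner subnet that may trigger
# anything, and one signature that is a known false positive between two hosts.
SAMPLE_WHITELIST = [
    WhitelistEntry("scanner-subnet", source="10.0.0.0/24"),
    WhitelistEntry("fp-605001", source="10.0.1.7", destination="192.0.2.10", signature_id=605001),
]

if __name__ == "__main__":
    for src, dst, sig in [("10.0.0.5", "192.0.2.99", 300010),
                          ("10.0.1.7", "192.0.2.10", 605001),
                          ("10.0.1.7", "192.0.2.10", 605002),
                          ("10.0.1.7", "192.0.2.11", 605001)]:
        print(src, dst, sig, "->", whitelisted_by(SAMPLE_WHITELIST, src, dst, sig))
```

Note how narrow the second entry is: the same two hosts with any other signature, or the same signature against any other destination, are still inspected. Keep whitelist entries that carry no threat ID (like the first one) as small as possible, since they silence every signature for the covered addresses.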

Security Protection Configuration 305


Anti Virus
With the Anti Virus function configured, the device can detect threats such as worms, Trojans, malware and malicious websites, and take the actions you configure against them.
The Anti Virus function inspects the common file types and protocol types that are most likely to carry viruses:

• File types: GZIP, PE, RAR, TAR, MS OFFICE, HTML, MAIL, RIFF, ELF, raw data, JPEG, BZIP2, ZIP, PDF and others.

• Protocol types: POP3, HTTP, SMTP, IMAP4 and FTP.

The virus signature database includes over 10,000 signatures, and supports both daily auto update
and real-time local update. For more information, see "Upgrading System" on Page 630.

Notes:

• Anti Virus is controlled by license. To use Anti Virus, apply for and install the Anti Virus (AV) license.


Configuring Anti-Virus

Configuring Anti-Virus includes the followings:

• Preparing

• Configuring Anti-Virus function

• Configuring Anti-Virus global parameters

Preparing

Before enabling Anti-Virus, make the following preparations:

• Install the Anti-Virus license and reboot. Anti-Virus is enabled after the reboot.

• Update the Anti-Virus signature database when you use this function for the first time. To ensure a proper connection to the default update server, configure a DNS server for the system before updating.

Configuring Anti-Virus Function

The Anti-Virus function runs on top of security policies. After configuring the Anti-Virus function for a security policy, the system inspects the traffic that matches the security policy and takes the corresponding action according to the detection result.
So, there are two steps:

1. Configure an Anti-Virus rule

2. Bind the rule to a security policy. For details, see "Security Policy" on Page 164.

To configure an Anti-Virus rule, take the following steps:

1. Select Configuration Management > Security Protection Configuration > Anti-Virus > Pro-
file.



2. Click New.

In the Anti-Virus Rules Configuration page, enter the Anti-Virus rule configurations.

Option Description

Name: Specifies the rule name.

File Types: Specifies the file types you want to scan, such as GZIP, JPEG, MAIL, RAR and HTML. Other covers the remaining file types, including GIF, BMP, PNG, JPEG, FWS, CWS, RTF, MPEG, Ogg, MP3, WMA, WMV, ASF and RM.

Protocol Types: Specifies the protocol types (HTTP, SMTP, POP3, IMAP4, FTP) you want to scan and the action the system takes when a virus is found:

  • Fill Magic - Neutralizes the virus file by overwriting the infected section, from its beginning to its end, with the magic words (Virus is found, cleaned).

  • Log Only - Only generates a log.

  • Warning - Pops up a warning page to prompt that a virus has been detected. This option is only effective for content transferred over HTTP.

  • Reset Connection - If a virus is detected, the system resets the connection carrying the file.

Capture Packets: Click the Enable button next to Capture Packet to enable packet capture.

Malicious Website Access Control: Click the button next to Malicious Website Access Control to enable the function.

Action: Specifies the action the system takes when a malicious website is found.

  • Log Only - Only generates a log.

  • Reset Connection - If a malicious website is detected, the system resets the connection.

  • Warning - Pops up a warning page to prompt that a malicious website has been detected. This option is only effective for content transferred over HTTP.

Enable Label E-mail: When an email transferred over SMTP is scanned, you can enable label email so that the email and its attachment(s) are scanned and the scanning result is added to the mail body before the mail is sent on. If no virus is found, the message "No virus found" is added; otherwise the label carries information about the virus, including the filename, result and action. Type the label text into the box. The length ranges from 1 to 128 characters.

3. Click OK.

Notes: By default, the system comes with several predefined Anti-Virus rules. Review these rules and use them as their configurations and your real network environment allow.

Configuring Anti-Virus Global Parameters

The Anti-Virus global parameters configuration includes:

• Enabling/Disabling the Anti-Virus function

• Configuring the decompression control function

Enabling/Disabling the Anti-Virus function

To enable/disable the Anti-Virus function, take the following steps:

1. Select Configuration Management > Security Protection Configuration > Anti-Virus > Con-
figuration.

2. Click/clear the Enable button to enable/disable the Anti-Virus function.

3. Click OK.



Notes: After the configuration is completed, system must be rebooted to make it
take effect.

Configuring the Decompression Control Function

With the decompression control function configured, the system decompresses transmitted compressed files, and handles files that exceed the max decompression layer, as well as encrypted compressed files, according to the specified actions. The function supports decompressing RAR, ZIP, TAR, GZIP and BZIP2 files. To configure the decompression control function, take the following steps:

1. Select Configuration Management > Security Protection Configuration > Anti-Virus > Con-
figuration.

2. Make sure the Enable button is selected so that the Anti-Virus function is enabled.

3. Click Configuration.



In the Decompression Configuration page, configure the following options.

Option Description

Decompression: Click/clear the Enable button to enable/disable the decompression function.

Max Decompression Layer: By default, the system inspects files nested up to 5 decompression layers deep. To change the limit, select a value from the drop-down list. The value range is 1 to 5.

Exceed Action: Specifies the action for compressed files that exceed the max decompression layer. Select an action from the drop-down list:

  • Log Only - Only generates logs; the files are not scanned. This is the default action.

  • Reset Connection - Resets the connection carrying the files.

Encrypted Compressed File: Specifies the action for encrypted compressed files:

  • No Action - Takes no action against the files, but may still scan them according to the Anti-Virus rule.

  • Log Only - Only generates logs; the files are not scanned.

  • Reset Connection - Resets the connection carrying the files.



4. Click OK.

Notes: For compressed files containing docx, pptx, xlsx, jar or apk files (which are themselves ZIP containers and therefore count as one more layer), when Exceed Action is set to Reset Connection, increase the maximum decompression layer by one to prevent download failures.
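The three decompression options and the note about ZIP-based document formats, as an added example that is not code from the guide or the product. It walks nested ZIP archives only (the product also handles RAR, TAR, GZIP and BZIP2), treats the outer archive as layer 1, stops descending once a nested archive would sit beyond max_layers, and recognises encrypted entries by bit 0 of the ZIP general purpose flag. The archives, the "virus" marker and the helper that flips the encrypted flag (it does not actually encrypt anything) are all constructed for the demonstration.

```python
"""Nested-archive handling behind the Max Decompression Layer, Exceed Action
and Encrypted Compressed File options.

Added example, not product code. ZIP only; outer archive = layer 1; an
entry is treated as encrypted when bit 0 of its general purpose flag is set.
Sample archives and the malware marker are constructed."""

import io
import zipfile

MARKER = b"EXAMPLE-MALWARE-MARKER"   # constructed stand-in for a signature hit


def build_nested_zip(depth, payload=b"harmless text", inner_name="file.txt"):
    """Constructed sample: wrap payload in `depth` ZIP layers. The archive at
    nesting level n is stored as layerN.zip inside its parent."""
    data, name = payload, inner_name
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), "layer%d.zip" % (depth - level)
    return data


def mark_entries_encrypted(zip_bytes):
    """Set the 'encrypted' bit (bit 0 of the general purpose flag) in every
    central directory header so the archive looks password protected."""
    out = bytearray(zip_bytes)
    pos = out.find(b"PK\x01\x02")
    while pos >= 0:
        out[pos + 8] |= 0x01          # flag field sits 8 bytes into the header
        pos = out.find(b"PK\x01\x02", pos + 4)
    return bytes(out)


def scan_archive(data, max_layers=5, exceed_action="log_only",
                 encrypted_action="log_only",
                 is_malicious=lambda name, content: MARKER in content):
    """Return {'files': [scanned members], 'events': [(kind, member, action)],
    'verdict': 'allow' | 'reset'} for a ZIP blob, honouring the three options."""
    report = {"files": [], "events": [], "verdict": "allow"}

    def act(kind, member, action):
        report["events"].append((kind, member, action))
        if action == "reset_connection":
            report["verdict"] = "reset"

    def walk(blob, path, layer):
        if layer > max_layers:                 # deeper than we are allowed to look
            act("exceed_layers", path, exceed_action)
            return
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                member = path + "/" + info.filename
                if info.flag_bits & 0x01:      # encrypted: cannot be inspected
                    if encrypted_action != "no_action":
                        act("encrypted", member, encrypted_action)
                    continue
                content = zf.read(info)
                if zipfile.is_zipfile(io.BytesIO(content)):
                    walk(content, member, layer + 1)   # docx/jar/apk land here too
                else:
                    report["files"].append(member)
                    if is_malicious(member, content):
                        act("virus", member, "reset_connection")

    walk(data, "archive.zip", 1)
    return report


if __name__ == "__main__":
    print(scan_archive(build_nested_zip(3)))
    print(scan_archive(build_nested_zip(3), max_layers=2, exceed_action="reset_connection"))
    print(scan_archive(mark_entries_encrypted(build_nested_zip(1))))
    print(scan_archive(build_nested_zip(2, payload=MARKER + b" ...")))
```

Because a docx or jar is itself a ZIP container, it enters walk() as one more layer exactly as the note above warns: a docx inside a single ZIP already needs max_layers of at least 2 before its contents are looked at, and with Exceed Action set to Reset Connection a too-small limit turns every such download into a reset rather than a scan.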

Antispam
This feature may not be available on all platforms. Check the pages your device actually shows to see whether it supports this feature.
The Antispam function identifies and filters mail transmitted over SMTP and POP3 by querying a cloud server, so that mail threats such as spam, phishing mail and worm mail are discovered promptly and the detected spam is processed according to your configuration, protecting your mail clients and mail servers.

Notes: The Antispam function only works once an Antispam license has been installed on a device that supports Antispam.

Related Topics:

l "Configuring Antispam" on Page 313

l "Antispam Global Configuration" on Page 320

Configuring Antispam

This chapter includes the following sections:

• Preparation for configuring Antispam function

• Configuring Antispam function

• Configuring an Antispam Profile

• Configuring an Antispam User-defined Blacklist


Preparing

Before enabling Antispam, make the following preparations:

1. Make sure your system version supports Antispam.

2. Import an Antispam license and reboot. Antispam is enabled after the reboot.

Notes: To assure a proper connection to the cloud server, you need to configure a
DNS server before configuring the Antispam.

Configuring Antispam Function

The Antispam configurations are based on security zones or policies.

• If a security zone is configured with the Antispam function, the system inspects the traffic matched to the zone bound in the rule and then acts as you specified.

• If a policy rule is configured with the threat protection function, the system inspects the traffic matched to that policy rule and then responds.

• When both are configured, the threat protection configuration in a policy rule takes precedence over that in a zone, and the configuration in a destination zone takes precedence over that in a source zone.

To realize the zone-based Antispam, take the following steps:

1. Create a zone. For more information, refer to "Security Zone" on Page 423.

2. In the Zone Configuration page, expand Threat Protection.

3. Enable the threat protection you need and select an Antispam rule from the profile drop-down list below, or click the icon in the profile drop-down list to create one. To create an Antispam rule, see Configuring an Antispam Profile.

4. Click OK to save the settings.

To realize the policy-based Antispam, take the following steps:

1. Create a security policy rule. For more information, refer to "Security Policy" on Page 164.

2. In the Policy Configuration page, expand the Protection.

3. Click the Enable button of Antispam. Then select an Antispam rule from the Profile drop-down list, or click the icon in the Profile drop-down list to create an Antispam rule. For more information, see Configuring an Antispam Profile.

4. Click OK to save the settings.

Configuring an Antispam Profile

To configure an Antispam rule, take the following steps:

1. Select Configuration Management > Security Protection Configuration > Antispam > Pro-
file.



2. Click New.

In the Antispam Configuration page, enter the Antispam rule configurations.

Option Description

Name: Specifies the rule name.

Mail Protocol Type: Specifies the mail protocol (SMTP, POP3), the spam category and the action.

  Spam categories:

  • Confirmed Spam: Mail from a known spam source.

  • Bulk Spam: Malicious mass mail from uncertain spam sources.

  • Suspicious Spam: Mail from suspicious spam sources.

  • Valid Bulk: Mass mail from legitimate senders.

  Actions:

  • Log Only - Only generates a log. This is the default action.

  • Reset Connection - If spam is detected, the system resets the connection.

  Note: Spam transferred over POP3 supports only the Log Only action.

User-defined Blacklist: Click the Enable button to enable the Antispam User-defined Blacklist. When enabled, mail from a sender on the User-defined Blacklist is identified as spam directly, and the system processes it according to the action you specified, log or reset connection.

Whitelist of Sender: The whitelist specifies the mail domains or email addresses that Antispam will not filter. Each Antispam profile can hold up to 64 whitelist items.

  • Select "Domain" or "Email" and enter the corresponding value in the text box. The value can be 1 to 255 characters long. When "Domain" is selected, each label (the text between two periods) can be at most 63 characters.

  • Click New to add the domain name or email address to the whitelist of senders.

  • Select a domain or email address item and click Delete to remove it.

3. Click OK.

Notes: By default, the system comes with one predefined spam filtering rule, predef_default. The default rule cannot be edited or deleted.

Configuring an Antispam User-defined Blacklist

You can add a sender's domain name or email address to the User-defined Blacklist. When the Antispam User-defined Blacklist function is enabled, the system identifies mail from the blacklisted senders as spam directly and, depending on the configured action, resets the connection or records it in the threat log.
To configure an Antispam User-defined Blacklist, take the following steps:

1. Select Configuration Management > Security Protection Configuration > Antispam >
User-defined Blacklist and click New.



2. In the User-defined Blacklist Configuration page, select "Sender Domain" or "Sender E-mail" and enter the corresponding value in the text box. The value can be 1 to 255 characters long. When "Sender Domain" is selected, each label (the text between two periods) can be at most 63 characters.

3. Click OK.

To export the sender User-defined Blacklist, take the following steps:

1. Select Configuration Management > Security Protection Configuration > Antispam >
User-defined Blacklist.

2. Click Export. All items of the User-defined Blacklist are exported as a ".txt" file.

The exported User-defined Blacklists can be imported on another device. To import the sender
User-defined Blacklist, take the following steps:

1. Select Configuration Management > Security Protection Configuration > Antispam >
User-defined Blacklist and click Import.

2. In the Import User-defined Blacklist page, click the Browse to select the User-defined
Blacklist file to be imported.

3. Click OK to import User-defined Blacklist.



Antispam Global Configuration

To configure the Antispam global settings, take the following steps:

1. Click Configuration Management > Security Protection Configuration > Antispam > Con-
figuration.

2. Type the maximum size of mail to scan in the Mail Scan Upper Limit text box. The range is 512 Kb to 2048 Kb; the default value is 1024 Kb.

3. Click OK to save the settings.

Botnet C&C Prevention


A botnet is a network in which a large number of hosts have been infected with bots through one or more communication channels, forming a one-to-many controlled network between the controller and the infected hosts; it poses a serious threat to network and data security.
The botnet C&C prevention function detects botnet hosts in the internal network promptly, locates them and takes other actions according to the configuration, so as to prevent further attacks.
The botnet C&C prevention configurations are based on security zones or policies. If a botnet C&C prevention profile is bound to a security zone, the system inspects the traffic destined to that zone according to the profile. If the profile is bound to a policy rule, the system inspects the traffic matched to that policy rule according to the profile.

Notes: The botnet C&C prevention function is controlled by license. To use the
botnet C&C prevention function, install the Botnet C&C Prevention license.

Related Topics:

• "Configuring Botnet C&C Prevention" on Page 322

• "Address Library" on Page 321

• "Botnet C&C Prevention Global Configuration" on Page 322

Address Library

Select Configuration Management > Security Protection Configuration > Botnet C&C Pre-
vention > Address Library. You can see the IP address and domain name list.

Enabling/Disabling the Address Entry

To enable or disable the entry for a specified IP or domain, take the following steps:

1. Click IP , Domain, Custom IP or Custom Domain tab.

2. Select the IP or domain entry that you want to enable/disable, and then click Enable or Dis-
able.

Creating a Custom Address Entry

To create a custom entry for a specified IP or domain name, take the following steps:

1. Click Custom IP or Custom Domain tab.

2. Click New to open the Botnet Custom IP Configuration or Botnet Custom Domain Con-
figuration page.



3. Enter the IP or domain name entry in the text box.

4. Click OK.

To delete, enable or disable a custom entry, select the IP or domain name entry and then click Delete, Enable or Disable.

Botnet C&C Prevention Global Configuration

To configure the Botnet C&C Prevention global settings, take the following steps:

1. Click Configuration Management > Security Protection Configuration > Botnet C&C Prevention > Configuration.

2. Click/clear the Enable button to enable/disable the Botnet C&C Prevention function.

3. Specify the Sinkhole IP address that replaces the IP address in DNS response messages. You can select the system's predefined Sinkhole IP address or specify a user-defined one. After selecting User-defined Sinkhole, specify a custom IPv4 address and an IPv6 address. If only the IPv4 address is configured, the system automatically maps it to the corresponding IPv6 address when the DNS server communicates over IPv6.

4. Click Apply to apply the settings.
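What Sinkhole-Replace does to a DNS response, as an added example that is not code from the guide or the product. It builds a constructed response for a C&C name, then rewrites the A and AAAA answer rdata to the sinkhole address in place; A and AAAA rdata have fixed sizes, so no offsets move and the rest of the message stays valid. The IPv4 to IPv6 mapping used when only an IPv4 sinkhole is configured is this example's choice (the IPv4-mapped form ::ffff:a.b.c.d); the guide does not say which mapping the product applies.

```python
"""Sinkhole-Replace on a DNS response, as the Botnet C&C Prevention DNS
action does.

Added example, not product code. Builds a constructed response and rewrites
A/AAAA answer rdata to the sinkhole address in place. The IPv4-mapped IPv6
form used for AAAA when no IPv6 sinkhole is given is an assumption."""

import ipaddress
import struct

TYPE_A, TYPE_AAAA = 1, 28


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_response(qname, answers, txid=0x1234):
    """Constructed sample response: flags 0x8180 (QR, RD, RA), one question, and
    one answer per (rtype, ip), each naming the question via a 0xC00C pointer."""
    qtype = answers[0][0] if answers else TYPE_A
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for rtype, ip in answers:
        rdata = ipaddress.ip_address(ip).packed
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, name ends here
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def iter_answers(msg):
    """Yield (rtype, rdata_offset, rdlength) for each answer-section record."""
    _, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if not flags & 0x8000:             # QR bit clear: a query, nothing to rewrite
        return
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        yield rtype, off, rdlen
        off += rdlen


def answer_addresses(msg):
    """Addresses carried in A/AAAA answers, as ipaddress objects."""
    return [ipaddress.ip_address(msg[off:off + rdlen])
            for rtype, off, rdlen in iter_answers(msg) if rtype in (TYPE_A, TYPE_AAAA)]


def sinkhole_replace(msg, sinkhole_v4, sinkhole_v6=None):
    """Return (rewritten_message, records_rewritten). Only A/AAAA answers change."""
    v4 = ipaddress.IPv4Address(sinkhole_v4).packed
    v6 = ipaddress.IPv6Address(sinkhole_v6 or "::ffff:" + sinkhole_v4).packed
    out = bytearray(msg)
    rewritten = 0
    for rtype, off, rdlen in iter_answers(msg):
        if rtype == TYPE_A and rdlen == 4:
            out[off:off + 4] = v4
        elif rtype == TYPE_AAAA and rdlen == 16:
            out[off:off + 16] = v6
        else:
            continue                    # CNAME, TXT, ...: left untouched
        rewritten += 1
    return bytes(out), rewritten


if __name__ == "__main__":
    resp = build_response("c2.bad.example", [(TYPE_A, "198.51.100.20"), (TYPE_AAAA, "2001:db8::20")])
    print("before:", answer_addresses(resp))
    sunk, n = sinkhole_replace(resp, "10.255.255.1")
    print("after: ", answer_addresses(sunk), "(%d records rewritten)" % n)
```

The infected host then connects to the sinkhole instead of the C&C server, which is what makes the client identifiable on the sinkhole side; the sinkhole address must be one you control and that is reachable from the zone where the bots sit.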

Configuring Botnet C&C Prevention

This chapter includes the following sections:

• Preparation for configuring Botnet C&C Prevention function

• Configuring Botnet C&C Prevention function

Preparing

Before enabling botnet C&C prevention, make the following preparations:

1. Make sure your system version supports botnet C&C prevention.

2. Import a botnet C&C prevention license and reboot. Botnet C&C prevention is enabled after the reboot.

Notes:

• You need to update the botnet C&C prevention signature database before enabling the function for the first time. To ensure a proper connection to the default update server, configure a DNS server for the system before updating.

Configuring Botnet C&C Prevention Function

The Botnet C&C Prevention configurations are based on security zones or policies.
To realize the zone-based Botnet C&C Prevention, take the following steps:

1. Create a zone. For more information, refer to "Security Zone" on Page 423.

2. In the Zone Configuration page, expand Threat Protection.

3. Enable the threat protection you need and select a Botnet C&C Prevention rule from the profile drop-down list below, or click the icon in the profile drop-down list to create one. To create a Botnet C&C Prevention rule, see Configuring a Botnet C&C Prevention Rule.

4. Click OK to save the settings.

To realize the policy-based Botnet C&C Prevention, take the following steps:


1. Create a security policy rule. For more information, refer to "Security Policy" on Page 164.

2. In the Policy Configuration page, expand the Protection.

3. Click the Enable button of Botnet C&C Prevention. Then select a Botnet C&C Prevention rule from the Profile drop-down list, or click the icon in the Profile drop-down list to create one. For more information, see Configuring a Botnet C&C Prevention Rule.

4. Click OK to save the settings.

Configuring a Botnet C&C Prevention Rule

To configure a Botnet C&C Prevention rule, take the following steps:

1. Click Configuration Management > Security Protection Configuration > Botnet C&C Pre-
vention> Profile.

2. Click New.

In the Botnet C&C Prevention Rule Configuration page, enter the Botnet C&C Prevention
rule configurations.



Option Description

Name: Specifies the rule name.

Protocol Types: Specifies the protocol types (TCP, HTTP, DNS) you want to scan and the action the system takes when botnet traffic is found.

  • Log Only - Only generates a log.

  • Reset Connection - If botnet traffic is detected, the system resets the connection.

  • Sinkhole-Replace - Available when the protocol type is DNS. After the threat is discovered, the system replaces the IP address in the DNS response packet with the Sinkhole IP address.

3. Click OK.

Perimeter Traffic Filtering


Perimeter Traffic Filtering filters perimeter traffic against known-risk IP, MAC or service lists, and logs or blocks the malicious traffic that hits those lists.
The risk lists include the following types:

• IP Blacklist: The system supports a Static IP Blacklist, a Blacklist Library, a Dynamic IP Blacklist and Hit Statistics.

• Service Blacklist: After a service is added to the service blacklist, the system blocks the service until the block duration ends.

• MAC Blacklist: After the MAC address of a host is added to the blacklist, that host is prevented from accessing the network during the specified period.

• IP Reputation list: Risk IP lists (such as Botnet, Spam, Tor nodes, Compromised, Brute-forcer and so on) retrieved from the Perimeter Traffic Filtering signature database.

• White List: After an IP address is added to the whitelist, the system does not block it.

• Global Search: Shows the static IP blacklist, blacklist library, dynamic IP blacklist, exception whitelist, service blacklist and IP reputation list entries for a specified IP address.

• Configuration: Blacklist global configuration, including Blacklist Log and Session Rematch.

Notes:

• You need to update the IP reputation database before enabling the IP Reputation function for the first time. By default, the system updates the database at a fixed time every day; you can change the update settings to suit your requirements, see "Upgrading System" on Page 630.

• Perimeter Traffic Filtering is controlled by license. To use Perimeter Traffic Filtering, apply for and install the PTF license.

Enabling Perimeter Traffic Filtering

To realize the zone-based Perimeter Traffic Filtering, take the following steps:

1. Create a zone. For more information, refer to "Security Zone" on Page 423;

2. In the Zone Configuration page, expand Threat Protection.

3. Click the Enable button after the Perimeter Traffic Filtering.



4. Specify the action for malicious traffic that hits the blacklist. Click the User-defined or IP Reputation button and select the action from the drop-down list:

  • Log Only: Only generates logs when the malicious traffic hits the blacklist. This is the default option.

  • Drop: Drops the packets when the malicious traffic hits the blacklist.

  • Block IP: Blocks the IP address for a block duration you specify when the malicious traffic hits the IP Reputation list.

Configuring IP Blacklist

Static IP Blacklist

The static IP blacklist blocks the specified IP addresses, or prevents hosts from accessing the network during a specified period.
To configure the static IP blacklist, take the following steps:

1. Select Configuration Management > Security Protection Configuration > Perimeter Traffic
Filtering > IP Blacklist.

2. Click New in the Static IP Blacklist page.

Configure the corresponding options.



Option Description

IP Type: Select the address type, IPv4 or IPv6.

Entry Type: Select the address entry type and then type the address.

Scope: Specify whether the blacklist applies globally, to a zone or to a Virtual Router. When selecting zone or Virtual Router, select the desired entry in the corresponding drop-down list.

Schedule: Specifies a schedule during which the blacklist takes effect. Select a schedule from the Schedule drop-down list.

Status: Specify the status of the static IP blacklist.

3. Click OK to save the settings.

Redundancy Check

The system can check for conflicts among blacklist entries, that is, whether one entry is shadowed by another.
To configure the redundancy check, take the following steps:

1. Select Configuration Management > Security Protection Configuration > Perimeter Traffic
Filtering > IP Blacklist.

2. Click Redundancy Check in the Static IP Blacklist page. Click OK in the following prompt
dialog.

3. After the check, the system highlights the blacklist entries that are shadowed.

4. To delete a blacklist entry, select it in the list and click Delete.
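What a redundancy check looks for, as an added example that is not code from the guide or the product: an entry is shadowed when another entry's address range already covers it, so it can never be the entry a packet hits first. How scopes interact is this example's assumption (a global entry covers every zone and virtual router; otherwise only entries with the same scope are compared), and the sample entries are constructed.

```python
"""Redundancy check for static IP blacklist entries.

Added example, not product code. Reports an entry as shadowed when another
entry's range covers it. Scope handling is an assumption: global covers
everything, otherwise only equal scopes are compared. Sample data is
constructed."""

import ipaddress


def find_shadowed(entries):
    """entries: list of dicts with name, address (host or CIDR) and scope.
    Returns (shadowed_name, covering_name) pairs; exact duplicates are
    reported with the later entry as the shadowed one."""
    parsed = [(e["name"], ipaddress.ip_network(e["address"], strict=False), e["scope"])
              for e in entries]
    shadowed = []
    for i, (name, net, scope) in enumerate(parsed):
        for j, (other, onet, oscope) in enumerate(parsed):
            if i == j or net.version != onet.version:      # never compare v4 with v6
                continue
            if oscope != "global" and oscope != scope:     # a zone entry cannot shadow another scope
                continue
            if net.subnet_of(onet) and (net != onet or i > j):
                shadowed.append((name, other))
    return shadowed


SAMPLE_BLACKLIST = [
    {"name": "scanner-range", "address": "203.0.113.0/24", "scope": "global"},
    {"name": "scanner-host", "address": "203.0.113.45", "scope": "untrust"},     # inside scanner-range
    {"name": "tor-exit", "address": "198.51.100.7", "scope": "untrust"},
    {"name": "tor-exit-dup", "address": "198.51.100.7/32", "scope": "untrust"},  # exact duplicate
    {"name": "lab-net", "address": "198.51.100.0/25", "scope": "trust"},         # other zone: no conflict
    {"name": "v6-host", "address": "2001:db8::5", "scope": "untrust"},
]

if __name__ == "__main__":
    for name, by in find_shadowed(SAMPLE_BLACKLIST):
        print("%s is shadowed by %s" % (name, by))
```

Shadowed entries are harmless for blocking but misleading for hit statistics and schedules: a host entry with a schedule that sits inside an always-on range entry never takes effect on its own terms, which is the kind of conflict the check is meant to surface.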

Blacklist Library

The system supports importing and exporting the blacklist library file or updating the blacklist from a specified server, and lets you specify the rule of the blacklist library.
To configure the blacklist library rule, take the following steps:

1. Select Configuration Management > Security Protection Configuration > Perimeter Traffic
Filtering > IP Blacklist.

2. Click New in the Blacklist Library Rule page.

Configure the corresponding options.

Option Description

Scope: Specify whether the blacklist applies globally, to a zone or to a Virtual Router. When selecting zone or Virtual Router, select the desired entry in the corresponding drop-down list.

Status: Specify the status of the blacklist library rule.

3. Click OK to save the settings.

Click Blacklist Library Details to open the Blacklist Library Details page.

You can perform the following operations:

• Import Blacklist: Click Import Blacklist and select the Import Mode in the Import page, either Incremental Import or Overwrite Import. Click Browse and select the local file to import into the system.

• Export Blacklist: Click Export Blacklist to export the blacklist file to the local PC.

• Delete Blacklist Library: Click Delete Blacklist Library to delete the blacklist file.

• Update Configuration: Click Update Configuration to enable the auto update function.

Dynamic IP Blacklist

After an IP address is added to the dynamic (global) blacklist, the system blocks that IP address and its services until the block duration ends, or permanently if Permanent Block is selected.
To configure the dynamic IP blacklist, take the following steps:

1. Select Configuration Management > Security Protection Configuration > Perimeter Traffic
Filtering > IP Blacklist.

2. Click New in the Dynamic IP Blacklist page.

Configure the corresponding options.

Option Description

IP Type Select the address type, IPv4 or IPv6.

IP Type the IP address that you want to block. The address is matched as either the source or the destination IP address.

Virtual Router Select the virtual router that the IP address belongs to.

Block Type Select the block type, either Permanent Block or Blocked Time. When selecting Blocked Time, type the duration for which the IP address will be blocked, in seconds. The value ranges from 60 to 1296000 (15 days).

3. Click OK to save the settings.

Hit Statistics

The system keeps statistics on blacklist hit counts. When there is a large number of blacklist entries, you can view all hit entries and the TOP 100 entries on the Hit Statistics page.
To view blacklist hit counts, take the following steps:

1. Select Configuration Management > Security Protection Configuration > Perimeter Traffic Filtering > IP Blacklist.

2. View all hit entries in the Hit Statistics page.

3. Click TOP 100 to view the TOP 100 hit entries in the Hit Statistics Ranking page.

Service Blacklist

To configure the service blacklist, take the following steps:

1. Select Configuration Management > Security Protection Configuration > Perimeter Traffic
Filtering > Service Blacklist.

2. Click New.

Configure the corresponding options.

Option Description

Virtual Router Select the virtual router that the IP addresses belong to.

IP Type Select the address type, IPv4 or IPv6.

Source IP Type the source IP address of the blocked service. The service block function blocks the service from the source IP address to the destination IP address.

Destination IP Type the destination IP address of the blocked service.

Destination Port Type the port number of the blocked service.

Protocol Select the protocol of the blocked service.

Blocked Time Type the duration for which the service will be blocked, in seconds. The value ranges from 60 to 1296000.

3. Click OK to save the settings.

MAC Blacklist

To configure the MAC blacklist, take the following steps:

1. Select Configuration Management > Security Protection Configuration > Perimeter Traffic
Filtering > MAC Blacklist.

2. Click New.

Configure the corresponding options.

Option Description

MAC address Type the MAC address of the host to add to the blacklist.

Schedule Specifies the schedule during which the blacklist entry takes effect. Select a schedule from the Schedule drop-down list.

Status Specify the status of the MAC blacklist entry.

3. Click OK to save the settings.

IP Reputation Filtering

To configure the IP Reputation Filtering function, take the following steps:

1. Select Configuration Management > Security Protection Configuration > Perimeter Traffic
Filtering > IP Reputation Filtering.

2. Click New.

Configure the corresponding options.

Option Description

Scope Specify whether the rule applies globally, to a zone or to a virtual router. When selecting Zone or Virtual Router, select the desired entry in the corresponding drop-down list.

Category Select the categories of risky IPs to block; IPs that fall into a selected category are blocked.

3. Click OK to save the settings.

White List

To configure the white list, take the following steps:

1. Select Configuration Management > Security Protection Configuration > Perimeter Traffic
Filtering > White List.

2. Click New.

Configure the corresponding options.

Option Description

IP Type Select the address type, IPv4 or IPv6.

IP/Netmask Type the IP address and netmask for the user-defined white list entry.

Scope Specify whether the whitelist entry applies globally, to a zone or to a virtual router. When selecting Zone or Virtual Router, select the desired entry in the corresponding drop-down list.

3. Click OK to save the settings.

Global Search

To find the black/white list entries that match a specified IP address, take the following steps:

1. Select Configuration Management > Security Protection Configuration > Perimeter Traffic
Filtering > Global Search.

2. Type the IP address and click Search. The system jumps to the blacklist or whitelist tab that contains the matching entry.

Configuration

To configure the blacklist global configuration, take the following steps:

1. Select Configuration Management > Security Protection Configuration > Perimeter Traffic
Filtering > Configuration.

2. Click the Enable button for Blacklist Log to log blacklist hits.

3. Click the Enable button for Session Rematch. When a blacklist entry is added, modified or deleted, existing sessions are matched against the blacklists again and the best-matching entry is applied. With Session Rematch disabled, sessions that already exist when an entry is added are not re-evaluated, so a newly blacklisted address can keep its established connections.

URL Filtering
URL filtering controls access to certain websites and records log messages for the access attempts. URL filtering helps you control network behavior in the following ways:

• Access control for certain categories of websites, such as gambling and pornographic websites.

• Access control for certain categories of websites during a specified period. For example, forbid access to IM websites during office hours.

• Access control for websites whose URL contains specified keywords. For example, forbid access to URLs that contain the keyword "game".

Configuring URL Filtering

Configuring URL filtering contains two parts:

• Create a URL filtering rule

• Bind a URL filtering rule to a security zone or policy rule

Part 1: Creating a URL filtering rule

1. Select Configuration Management > Security Protection Configuration > URL Filtering.

2. Click New.

Configure the following options.

Option Description

Name Specifies the name of the rule. The same URL filtering rule name can be used in different VSYSs.

Single URL Configuration Click New to add a single URL, and select the Block or Log check box to specify the action the system performs when the URL is accessed.

3. In the URL Category part, configure the URL category control type, which lets the rule control access to certain categories of websites.

In the URL Category part, configure the following options.

Option Description

New Creates a new URL category. For more information about URL categories, see "User-defined URL DB" on Page 351.

Edit Select a URL category from the list and click Edit to edit the selected URL category.

URL category Shows the names of the predefined and user-defined URL categories in the VSYS.

Block Select the check box to block access to the corresponding URL category.

Log Select the check box to log access to the corresponding URL category.

Other URLs Specifies the actions for URLs that are not in the list: Block Access and Record Log.

SSL inspection Select the Enable button to enable inspection of SSL negotiation packets. For HTTPS traffic, the system can then obtain the domain name of the requested site from the SSL negotiation packets (for example, from the Server Name Indication in the TLS ClientHello) and perform URL filtering based on that domain name. Only the host name is visible this way, not the path, so category and keyword matching apply to the domain only. If SSL proxy is configured at the same time, the SSL negotiation packet inspection method is preferred for URL filtering.

4. In the URL Keyword Category part, configure the URL keyword category control type, which lets the rule control access to websites whose URL contains specific keywords.

In the URL Keyword Category part, configure the following options.

Option Description

New Creates new keyword categories. For more information about keyword categories, see "Keyword Category" on Page 355.

Edit Select a URL keyword category from the list and click Edit to edit the selected keyword category.

Keyword category Shows the names of the configured keyword categories.

Block Select the check box to block access to websites whose URL contains the specified keywords.

Log Select the check box to log access to websites whose URL contains the specified keywords.

Other URLs Specifies the actions for URLs that do not contain the keywords in the list: Block Access and Record Log.

5. Click OK to save the settings.

Notes: A URL filtering rule can use both the URL category and the URL keyword category control types at the same time.
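The SSL inspection option in the rule above works because the host name of an HTTPS request travels in the clear in the first client handshake message. The following is an added example, not Hillstone code, that shows what "acquire the domain name from the SSL negotiation packets" amounts to: parsing the Server Name Indication extension (RFC 6066) out of a TLS ClientHello. The builder constructs a minimal ClientHello purely as test input (zeroed random, two cipher suites, no real key material); only the host name is recoverable this way, and where the ClientHello itself is encrypted (Encrypted Client Hello) nothing is, so the SSL proxy path is the only option.

```python
"""Extract the requested host name (SNI) from a TLS ClientHello record.

Added example; not Hillstone code. The builder creates a constructed
ClientHello for testing; the parser walks the record, handshake header,
ClientHello body and extension list the way an inspection engine must.
"""
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(server_name: Optional[str], extra_ext: bytes = b"") -> bytes:
    """Build a TLS record holding a minimal ClientHello (constructed test input)."""
    body = b"\x03\x03" + bytes(32)            # client_version TLS 1.2, zeroed random
    body += b"\x00"                            # empty session_id
    suites = b"\x13\x01\x13\x02"               # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                        # one compression method: null
    exts = extra_ext                           # lets a test place SNI after other extensions
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name, or None if the record is not a ClientHello or has no SNI.

    Raises ValueError when a length field claims more bytes than are present
    (truncated or malformed input), which an inspection engine should treat
    as "unknown", not as "no name".
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:]
    if len(hs) < rec_len:
        raise ValueError("truncated TLS record")
    hs = hs[:rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:]
    if len(body) < hs_len:
        raise ValueError("truncated ClientHello")
    body = body[:hs_len]
    try:
        pos = 2 + 32                                           # client_version + random
        pos += 1 + body[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                                   # compression_methods
        if pos == len(body):
            return None                                        # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end > len(body):
            raise ValueError("extensions run past ClientHello")
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype != EXT_SERVER_NAME:
                continue
            q = 2                                              # skip server_name_list length
            while q + 3 <= len(data):
                ntype = data[q]
                nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                name = data[q:q + nlen]
                q += nlen
                if ntype == 0 and len(name) == nlen:
                    return name.decode("ascii")
            return None
        return None
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc
```

A filtering engine would feed the first record of each new TCP flow on port 443 to extract_sni and match the returned host against the rule's URL categories and keyword categories; a ValueError (or a flow whose first record is not a ClientHello) is the case the "First Access of Uncategorized URL" and SSL proxy settings later in this chapter exist for.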

Part 2: Binding a URL filtering rule to a security zone or security policy rule
URL filtering configurations are based on security zones or policies.

• If a security zone is configured with the URL filtering function, the system inspects the traffic destined to the zone bound in the rule and then acts as you specified.

• If a policy rule is configured with the URL filtering function, the system inspects the traffic matched by that policy rule and then acts as you specified.

• When both are specified, the threat protection configuration in a policy rule takes precedence over that in a zone, and the URL filtering configuration in a destination zone takes precedence over that in a source zone.

• To perform URL filtering on HTTPS traffic, see the policy-based URL filtering below.

To create the zone-based URL filtering, take the following steps:

1. Create a zone. For more information about how to create this, refer to "Security Zone" on
Page 423.

2. In the Zone Configuration page, select the Threat Protection tab.

3. Enable the threat protection that you need, and select the URL filtering rule from the profile drop-down list below; you can click Add Profile in the profile drop-down list to create a URL filtering rule. For more information, see "Part 1: Creating a URL filtering rule" on Page 339.

4. Click OK to save the settings.

To create the policy-based URL filtering, take the following steps:

1. Configure a security policy rule. For more information, see "Configuring a Security Policy
Rule" on Page 165.

2. In the Protection tab, click the Enable button after URL Filtering.

3. From the Profile drop-down list, select a URL filtering rule. You can also click Add Profile
to create a new URL filtering rule.

4. To perform the URL filtering function on the HTTPS traffic, you need to enable the SSL
proxy function for this security policy rule. System will decrypt the HTTPS traffic according
to the SSL proxy profile and then perform the URL filtering function on the decrypted
traffic.

According to the configuration of the security policy rule, the system performs the following actions:

Policy Rule Configurations / Actions

Policy rule: SSL proxy enabled, URL filtering disabled. Action: The system decrypts the HTTPS traffic according to the SSL proxy profile but does not perform URL filtering on the decrypted traffic.

Policy rule: SSL proxy enabled, URL filtering enabled. Action: The system decrypts the HTTPS traffic according to the SSL proxy profile and performs URL filtering on the decrypted traffic.

Policy rule: SSL proxy disabled, URL filtering enabled. Action: The system performs URL filtering on the HTTP traffic according to the URL filtering profile. The HTTPS traffic is not decrypted and is forwarded.

If the SSL proxy and URL filtering functions are both enabled on a security policy rule but the control type of the selected URL filtering rule is Web surfing record, the system does not record the GET and POST methods or the posted contents sent via HTTPS.
If the zone that the security policy rule is bound to is also configured with URL filtering, the system performs the following actions:

Policy Rule Configurations / Zone Configurations / Actions

Policy rule: SSL proxy enabled, URL filtering disabled. Zone: URL filtering enabled. Action: The system decrypts the HTTPS traffic according to the SSL proxy profile and performs URL filtering on the decrypted traffic according to the URL filtering rule of the zone.

Policy rule: SSL proxy enabled, URL filtering enabled. Zone: URL filtering enabled. Action: The system decrypts the HTTPS traffic according to the SSL proxy profile and performs URL filtering on the decrypted traffic according to the URL filtering rule of the policy rule.

Policy rule: SSL proxy disabled, URL filtering enabled. Zone: URL filtering enabled. Action: The system performs URL filtering on the HTTP traffic according to the URL filtering rule of the policy rule. The HTTPS traffic is not decrypted and is forwarded.

5. Click OK to save the settings.

If necessary, you can go on to configure the functions of "Predefined URL DB" on Page 349,
"URL Lookup" on Page 353, and "Warning Page" on Page 357.

Object Description

Predefined URL DB The predefined URL database includes dozens of categories and tens of millions of URLs; use it to specify URL categories.

URL Lookup Use the URL lookup function to query URL information from the URL database, including the URL category and the category type.

Warning Page
• Block warning: When your network access is blocked, a warning page is shown in the Web browser.
• Audit warning: When your network access is audited, a warning page is shown in the Web browser.

Notes:
• Only after canceling the binding can you delete the URL filtering rule.

• To get the latest URL categories, update the URL database first. For more information about the URL database, see "Predefined URL DB" on Page 349.

• You can export the log messages to specified destinations. For more information about log messages, see "Managing Logs" on Page 146.

Cloning a URL filtering Rule

The system supports rapid cloning of a URL filtering rule: you can generate a new rule from an existing one and then modify some of its parameters.
To clone a URL filtering rule, take the following steps:

1. Select Configuration Management > Security Protection Configuration > URL Filtering.

2. Select a URL filtering rule in the list.

3. Click the Clone button above the list. The Name configuration box appears below the button. Enter the name of the new URL filtering rule.

4. The cloned URL filtering rule is generated in the list.

Viewing URL Hit Statistics

The URL access statistics includes the following parts:

• Summary: The statistical information of the top 10 users/IPs, the top 10 URLs, and the top 10 URL categories during the specified period of time is displayed.

• User/IP: The user/IP and detailed hit count are displayed.

• URL: The URL and detailed hit count are displayed.

• URL Category: The URL category, detailed hit count and traffic are displayed.

Viewing Web Surfing Records

To view the Web surfing records, see "URL Log" on Page 143. Before you view the Web surfing records, see "Managing Logs" on Page 146 to enable the URL Log function.

Configuring URL Filtering Objects

When using URL filtering function, you need to configure the following objects:

Object Description

Predefined URL DB The predefined URL database includes dozens of categories and tens of millions of URLs; use it to specify URL categories.

User-defined URL DB The user-defined URL database is defined by you; use it to specify URL categories.

URL Lookup Use the URL lookup function to query URL information from the URL database.

Keyword Category Use the keyword category function to customize keyword categories.

Warning Page Enable or disable the warning page.
• Block warning: When your network access is blocked, a warning page is shown in the Web browser.
• Audit warning: When your network access is audited, a warning page is shown in the Web browser.

Predefined URL DB

System contains a predefined URL database.

Notes: The predefined URL database is controlled by a license. It can be used only after a URL license is installed.

The predefined URL database provides URL categories for URL filtering configurations. It includes dozens of categories and tens of millions of URLs.
When identifying the URL category, the user-defined URL database has a higher priority than the predefined URL database.

Configuring Predefined URL Database Update Parameters

By default, the system updates the predefined URL database every day. You can change the update parameters according to your requirements. Two default update servers are provided: https://update1.hillstonenet.com and https://update2.hillstonenet.com. You can also update the predefined URL database from your local disk.
To change the update parameters, take the following steps:

1. Select Configuration Management > System Configuration > Upgrade Management > Signature Database Update.

2. In the URL category database update section, you can view the current version of the database, perform the remote update, configure the remote update, and perform the local update.

3. Click the Enable button for Auto Update to enable the automatic update function, then specify the frequency and time. Click OK to save your settings.

4. Double-click an entry in Update Server to configure the update server URL. Specify the URL or IP address of the update server, and select the virtual router that can reach the server. To restore the URL settings to the defaults, click Restore Default.

5. Double-click an entry in Proxy Server, then enter the IP addresses and ports of the main proxy server and the backup proxy server. When the device reaches the Internet through an HTTP proxy server, you must specify the IP address and port number of that proxy server so that the various signature databases can update normally.

6. Click OK to save the settings.

Upgrading Predefined URL Database Online

To upgrade the URL database online, take the following steps:

1. Select Configuration Management > System Configuration > Upgrade Management > Signature Database Update.

2. In the URL category database update section, click Update to update the predefined URL
database.

Upgrading Predefined URL Database from Local

To upgrade the predefined URL database from local, take the following steps:

1. Select Configuration Management > System Configuration > Upgrade Management > Signature Database Update.

2. In the URL category database update section, click Browse to select the URL database file
from your local disk.

3. Click Upload to update the predefined URL database.

Notes: You cannot upgrade the predefined URL database from local in a non-root VSYS.

User-defined URL DB

Besides the categories in the predefined URL database, you can create user-defined URL categories, which also provide URL categories for URL filtering configurations. When identifying the URL category, the user-defined URL database has a higher priority than the predefined URL database.
The system provides three predefined custom categories: custom1, custom2 and custom3. You can import your own URL lists into one of these predefined categories.

Notes: You cannot import your own URL lists into a predefined URL category in a non-root VSYS.

Configuring User-defined URL DB

To configure a user-defined URL category, take the following steps:

1. Select Configuration Management > Security Protection Configuration > URL Filtering.

2. At the top-right corner, select Configuration > User-defined URL DB. The User-defined
URL DB page will appear.

3. Click New to open the URL Category page.

4. Type the category name in the Category box. A URL category name cannot consist solely of a hyphen (-). You can create at most 16 user-defined categories.

5. Type a URL into the URL http(s):// box.

6. Click Add to add the URL and its category to the table.

7. To edit an existing one, select it and then click Edit. After editing it, click Add to save the
changes.

8. Click OK to save the settings.

Importing User-defined URL

The system supports batch import of user-defined URL lists into the predefined URL categories custom1/2/3. To import user-defined URLs, take the following steps:

1. Select Configuration Management > Security Protection Configuration > URL Filtering.

2. At the top-right corner, select Configuration > User-defined URL DB. The User-defined
URL DB page will appear.

3. Select one of the predefined URL category(custom1/2/3), and then click Import.

4. In the Batch Import URL page, click Browse to select your local URL file. The file must be smaller than 1 MB and contain at most 1000 URLs. A wildcard is supported once per URL and must appear at the start of the address.

5. Click OK to finish importing.
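The import limits in step 4 are easy to violate when a URL list is generated from a feed, and a rejected upload gives little detail. The following is an added example, not Hillstone code, that checks a file against those limits before it is uploaded. It assumes one URL per line with blank lines ignored, "*" as the wildcard character, an optional http:// or https:// scheme, and "1 M" meaning 1,000,000 bytes; the sample file is constructed.

```python
"""Pre-flight check for a user-defined URL import file (custom1/2/3).

Added example; not Hillstone code. Applies the limits the manual states
(file under 1 MB, at most 1000 URLs, one wildcard per URL, wildcard only
at the start of the address). Assumptions: one URL per line, blank lines
ignored, "*" is the wildcard, an optional http:// or https:// scheme may
prefix the address, and "1 M" means 1,000,000 bytes.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

MAX_BYTES = 1_000_000      # "less than 1 M" (assumed to mean 1,000,000 bytes)
MAX_URLS = 1000            # "at most 1000 URLs"
WILDCARD = "*"             # assumed wildcard character

_SCHEME_RE = re.compile(r"^https?://", re.IGNORECASE)
_HOST_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")   # loose host-name check


@dataclass
class ImportReport:
    urls: List[str] = field(default_factory=list)        # accepted, de-duplicated
    duplicates: List[str] = field(default_factory=list)  # repeated entries (case-insensitive)
    errors: List[str] = field(default_factory=list)      # anything that would make the import fail

    @property
    def ok(self) -> bool:
        return not self.errors


def validate_url(entry: str) -> Optional[str]:
    """Return None if the entry is acceptable, otherwise the reason it is not."""
    addr = _SCHEME_RE.sub("", entry)
    if not addr or any(ch.isspace() for ch in addr):
        return "empty address or contains whitespace"
    if addr.count(WILDCARD) > 1:
        return "wildcard may appear only once"
    if WILDCARD in addr and not addr.startswith(WILDCARD):
        return "wildcard must be at the start of the address"
    host = addr.lstrip(WILDCARD).lstrip(".").split("/", 1)[0]
    if not _HOST_RE.match(host):
        return "malformed host name"
    return None


def check_import_file(data: bytes) -> ImportReport:
    """Validate the raw file bytes; the caller uploads only if report.ok."""
    report = ImportReport()
    if len(data) >= MAX_BYTES:
        report.errors.append(f"file is {len(data)} bytes; it must be under {MAX_BYTES}")
        return report
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        report.errors.append(f"file is not valid UTF-8: {exc}")
        return report
    entries = [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1) if line.strip()]
    if len(entries) > MAX_URLS:
        report.errors.append(f"{len(entries)} URLs; at most {MAX_URLS} are allowed")
    seen = set()
    for n, entry in entries:
        reason = validate_url(entry)
        if reason:
            report.errors.append(f"line {n}: {reason}: {entry}")
        elif entry.lower() in seen:
            report.duplicates.append(entry)
        else:
            seen.add(entry.lower())
            report.urls.append(entry)
    return report


# Constructed sample import file (not from the manual).
SAMPLE_FILE = b"""example.com
*.example.net
https://docs.example.org/guide
bad*.example.com
*.a.*.example.com
example.com
"""

if __name__ == "__main__":
    result = check_import_file(SAMPLE_FILE)
    print("accepted:", result.urls)
    print("duplicates:", result.duplicates)
    for err in result.errors:
        print("error:", err)
```

On the constructed file the check accepts three entries, flags the repeated example.com, and rejects line 4 (wildcard not at the start) and line 5 (two wildcards), which is exactly the information the upload dialog does not give you.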

Clearing User-defined URL

To clear the user-defined URLs in the predefined category custom1/2/3, take the following steps:

1. Select Configuration Management > Security Protection Configuration > URL Filtering.

2. At the top-right corner, select Configuration > User-defined URL DB. The User-defined
URL DB page will appear.

3. Select one of the predefined URL categories (custom1/2/3), and then click Clear. The URLs in the selected category are cleared from the system.

URL Lookup

Use URL lookup to query a URL and view its details, including the URL category and the category type.

Inquiring URL Information

To look up URL information, take the following steps:

1. Select Configuration Management > Security Protection Configuration > URL Filtering.

2. At the top-right corner, select Configuration > URL Lookup. The URL Lookup page will
appear.

3. Type the URL into the Please enter the URL to inquire box.

4. Click Inquiry, and the results will be displayed at the bottom of the page.

Configuring URL Lookup Servers

A URL lookup server classifies an uncategorized URL (one that is in neither the predefined URL database nor the user-defined URL database) that you have accessed, and adds it to the URL database during the next database update. Two default URL lookup servers are provided: url1.hillstonenet.com and url2.hillstonenet.com. The URL lookup servers are enabled by default. Because the lookup sends the uncategorized URLs that users visit to these servers, disable them if that is not acceptable in your environment.
To configure a URL lookup server, take the following steps:

1. Select Configuration Management > Security Protection Configuration > URL Filtering.

2. At the top-right corner, select Configuration > Predefined URL DB. The Predefined URL DB page will appear.

3. Click Inquiry Server Configuration. The Predefined URL DB Inquiry Server Configuration page will appear.

4. In the Inquiry server section, double-click the cell in the IP/Port/Virtual Router column of
Server1/2 and type a new value.

5. Select the check box in the Enable column to enable this URL lookup server.

6. Click OK to save the settings.

Keyword Category

You can customize keyword categories and use them in the URL filtering function.
After a URL filtering rule is configured, the system scans traffic for the configured keywords and calculates a trust score for each category that has hits. The score is the sum, over every keyword belonging to the category, of (number of occurrences × trust value of the keyword). The system then compares the sum with the category threshold of 100 and acts as follows:

• If the sum is larger than or equal to the category threshold (100), the configured category action is triggered;

• If more than one category action can be triggered and at least one of them is Block, the final action is Block;

• If more than one category action can be triggered and all the configured actions are Permit, the final action is Permit.

For example, a URL filtering rule contains two keyword categories: C1 with action Block and C2 with action Permit. Both C1 and C2 contain the same keywords K1 and K2. The trust values of K1 and K2 in C1 are 20 and 40; the trust values of K1 and K2 in C2 are 30 and 80.
If the system detects 1 occurrence each of K1 and K2 in a URL, the C1 score is 20*1+40*1=60<100 and the C2 score is 30*1+80*1=110>=100. As a result, the C2 action is triggered and the URL access is permitted.
If the system detects 3 occurrences of K1 and 1 occurrence of K2 in a URL, the C1 score is 20*3+40*1=100 and the C2 score is 30*3+80*1=170. Both C1 and C2 reach the threshold, but Block takes precedence, so the C1 action is triggered and the web page access is denied.
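The scoring rule above is simple enough to reproduce, which is useful for predicting how a candidate keyword category will behave on real URLs before it is attached to a rule. The following is an added example, not Hillstone code, that implements the manual's rule and replays its worked example; it assumes a "simple" keyword counts every non-overlapping occurrence of the string, a "regular expression" keyword counts re.findall() matches, and the URLs are constructed.

```python
"""Keyword category scoring for URL filtering, per the rule described above.

Added example; not Hillstone code. For each category, score = sum over its
keywords of (occurrences * trust value); a category triggers at score >= 100;
when several categories trigger, Block wins over Permit. Assumptions: a
"simple" keyword counts every non-overlapping occurrence, a "regular
expression" keyword counts re.findall() matches; sample URLs are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

THRESHOLD = 100          # category threshold stated in the manual


@dataclass(frozen=True)
class Keyword:
    pattern: str
    trust: int = 100     # default trust value stated in the manual
    regex: bool = False  # False = "simple" matching, True = regular expression


@dataclass(frozen=True)
class Category:
    name: str
    action: str          # "block" or "permit"
    keywords: Tuple[Keyword, ...]


def count_hits(keyword: Keyword, url: str) -> int:
    if keyword.regex:
        return len(re.findall(keyword.pattern, url))
    return url.count(keyword.pattern)


def category_score(category: Category, url: str) -> int:
    return sum(count_hits(k, url) * k.trust for k in category.keywords)


def decide(categories: List[Category], url: str) -> Tuple[Optional[str], Dict[str, int]]:
    """Return (final action, per-category scores).

    The action is "block" or "permit" when at least one category reaches the
    threshold, and None when no category triggers (the profile's "Other URLs"
    action would then apply).
    """
    scores = {c.name: category_score(c, url) for c in categories}
    triggered = [c for c in categories if scores[c.name] >= THRESHOLD]
    if not triggered:
        return None, scores
    if any(c.action == "block" for c in triggered):
        return "block", scores       # Block wins over Permit
    return "permit", scores


# The manual's worked example: C1 (Block) and C2 (Permit) share keywords K1 and K2.
C1 = Category("C1", "block", (Keyword("k1", 20), Keyword("k2", 40)))
C2 = Category("C2", "permit", (Keyword("k1", 30), Keyword("k2", 80)))

if __name__ == "__main__":
    for url in ("http://host.example/k1/k2", "http://host.example/k1k1k1/k2"):
        action, scores = decide([C1, C2], url)
        print(url, scores, "->", action)
```

The two constructed URLs reproduce the manual's numbers (60/110 permits, 100/170 blocks). Note that with the default trust value of 100 a single occurrence of any keyword triggers its category, so lower trust values are what make multi-keyword scoring meaningful.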

Configuring a Keyword Category

To configure a keyword category, take the following steps:

1. Select Configuration Management > Security Protection Configuration > URL Filtering.

2. At the top-right corner, select Configuration > Keyword Category. The Keyword Category
page will appear.

3. Click New. The Keyword Category Configuration page will appear.

4. Type the category name.

5. Click New. In the slide area, specify the keyword, the character matching method (simple/regular expression), and the trust value (100 by default).

6. Click Add to add the keyword to the list below.

7. Repeat the above steps to add more keywords.

8. To delete a keyword, select the keyword you want to delete from the list and click Delete.

9. Click OK to save your settings.

Warning Page

The warning page shows the user block information and user audit information. You can enable or disable the warning page as needed.
The warning page includes a predefined warning page and a user-defined warning page.

• Predefined warning page: Displays the predefined warning content, including prompt information and the warning reasons.

• User-defined warning page: You can customize the warning page with your own warning information and pictures. For details, refer to Warning Page Management.

Enabling/ Disabling the Block Warning

The block warning is disabled by default. If Internet access is blocked by the URL filtering function, the access is denied. The Access Denied information is shown in your browser, and some web surfing rules are shown on the warning page at the same time. Depending on the network behavior, the predefined warning page covers the following two situations:

• Visiting a URL of a certain category.

• Visiting a URL that contains keywords from a certain keyword category.

To enable or disable the block warning , take the following steps:

1. Click Configuration Management > Security Protection Configuration > URL Filtering.

2. At the top-right corner, select Configuration > Warning Page. The Warning Page page will
appear.

3. In the Block Warning section, click the Enable button. To disable this function, clear the
Enable button.

4. Configure the display information in the blocking warning page.

Option Description

Default Use the default blocking warning page. After selecting the Default radio button:
• If the user-defined warning page is not configured, the predefined warning page is used.
• If the user-defined warning page is configured and enabled, the user-defined warning page is used.

Redirect page Redirect to the specified URL. Type the URL in the URL http:// box. You can click Detection to verify whether the URL is valid.

5. Click OK to save the settings.

Enabling/ Disabling the Audit Warning

The audit warning function is disabled by default. After enabling the audit warning function, when your network behavior matches the configured URL filtering rule, your HTTP request is redirected to a warning page where the audit and privacy protection information is displayed. See the picture below:

To enable or disable the audit warning function, take the following steps:

1. Select Configuration Management > Security Protection Configuration > URL Filtering.

2. At the top-right corner, select Configuration > Warning Page. The Warning Page page will
appear.

3. In the Audit Warning section, click the Enable button. To disable this function, clear the
Enable button.

• If the user-defined warning page is not configured, the predefined warning page is used.

• If the user-defined warning page is configured and enabled, the user-defined warning page is used. For details, refer to Warning Page Management.

4. Click OK to save the settings.

First Access of Uncategorized URL

For an uncategorized URL that you visit for the first time, that is, a URL that is in neither the system's predefined URL database nor the user-defined URL database, the system queries the category of the URL in the cloud. Because the query may take a little while, the system cannot process the uncategorized URL until the query result is returned.

To handle this, you can specify the waiting time of the query and enable the block action when the wait times out. Once the waiting time is exceeded, the system blocks access to the uncategorized URL.
To configure related content of the first access of an uncategorized URL, take the following steps:

1. Select Configuration Management > Security Protection Configuration > URL Filtering.

2. At the top-right corner, select Configuration > First Access of Uncategorized URL. The
First Access of Uncategorized URL page will appear.

3. Type the waiting time value of query into the Waiting Time of Query text box. The range is
0 to 5000ms. The default value is 0, which means there is no wait time limit.

4. Select the Enable check box after Block after Waiting Timeout to enable the block action: when the waiting time of the query is exceeded, the system blocks access to the uncategorized URL, so unknown URLs fail closed while the cloud lookup is slow. If the Enable check box is cleared, the system instead continues URL filtering according to the URL filtering profile once the waiting time is exceeded, which for a still-uncategorized URL means the profile's Other URLs action applies.

5. Click OK to save the settings.
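As an added illustration of steps 3 and 4 (this is not code from the guide or from Hillstone), the following Python models how a first visit to an uncategorized URL is handled: the user-defined and predefined databases are consulted first, the cloud query is simulated with a fixed latency per host, a Waiting Time of Query of 0 means no limit, and the Block after Waiting Timeout setting decides between blocking and falling through to the URL filtering profile. The database contents, host names, latencies and the `profile_action` parameter are constructed assumptions.

```python
"""Added example (not from the guide): first access of an uncategorized URL
with a query waiting time and an optional block-on-timeout action.
All databases, host names and latencies below are constructed sample data."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed stand-ins for the predefined and user-defined URL databases.
PREDEFINED_URL_DB = {"news.example": "news", "mail.example": "webmail"}
USER_DEFINED_URL_DB = {"intranet.example": "internal"}

# Constructed stand-in for the cloud category service:
# host -> (category or None if still unknown, simulated query latency in ms).
CLOUD_RESPONSES: Dict[str, Tuple[Optional[str], int]] = {
    "fast.example": ("shopping", 120),
    "slow.example": ("gambling", 3200),
    "unknown.example": (None, 400),
}


@dataclass
class UncategorizedUrlHandler:
    waiting_time_ms: int = 0            # Waiting Time of Query; 0 = no wait-time limit
    block_after_timeout: bool = False   # Block after Waiting Timeout check box
    # Cloud answers already returned; later visits are answered locally.
    cloud_cache: Dict[str, str] = field(default_factory=dict)

    def lookup_local(self, host: str) -> Optional[str]:
        """User-defined DB first, then predefined DB, then cached cloud results."""
        return (USER_DEFINED_URL_DB.get(host)
                or PREDEFINED_URL_DB.get(host)
                or self.cloud_cache.get(host))

    def query_cloud(self, host: str) -> Tuple[Optional[str], int]:
        """Simulated cloud query: returns (category, latency_ms)."""
        return CLOUD_RESPONSES.get(host, (None, 0))

    def decide(self, host: str, profile_action: str = "permit") -> str:
        """Return the verdict for one access. profile_action is the action the URL
        filtering profile applies to uncategorized URLs (assumed parameter)."""
        category = self.lookup_local(host)
        if category is not None:
            return f"{category}:local"

        category, latency_ms = self.query_cloud(host)
        timed_out = self.waiting_time_ms != 0 and latency_ms > self.waiting_time_ms
        if timed_out:
            if self.block_after_timeout:
                return "block:query-timeout"
            # Enable check box cleared: fall through to the URL filtering profile.
            return f"{profile_action}:uncategorized"

        if category is None:
            # Cloud answered in time but has no category for this host either.
            return f"{profile_action}:uncategorized"

        self.cloud_cache[host] = category   # second visit is answered locally
        return f"{category}:cloud"
```

With a waiting time of 1000 ms and blocking enabled, `slow.example` (simulated 3200 ms) is blocked on the first visit while `fast.example` is categorized and cached, so its second visit never waits on the cloud.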

Sandbox
This feature may not be available on all platforms. Please check your system's actual page to see if
your device delivers this feature.
A sandbox executes a suspicious file in a virtual environment, collects the actions of this file,
analyzes the collected data, and verifies the legality of the file.
The Sandbox function of the system uses cloud sandbox technology. The suspicious file is
uploaded to the cloud side. The cloud sandbox collects the actions of this file, analyzes the
collected data, verifies the legality of the file and returns the analysis result to the system, which
deals with the malicious file according to the configured actions.
The Sandbox function contains the following parts:

• Collect and upload the suspicious file: The Sandbox function parses the traffic and extracts
  the suspicious file from the traffic.

  • If there is no analysis result for this file in the local database, system will upload this
    file to the cloud intelligence server, and the cloud intelligence server will upload the
    suspicious file to the cloud sandbox for analysis.

  • If this file has been identified as an illegal file in the local database of the Sandbox
    function, system will generate the corresponding threat logs and cloud sandbox logs.

  Additionally, you can specify the criteria of the suspicious files by configuring a sandbox
  profile.

• Check the analysis result returned from the cloud sandbox and take actions: The Sandbox
  function checks the analysis result of the suspicious file returned from the cloud sandbox,
  verifies the legality of the file, and saves the result to the local database. If this suspicious
  file is identified as an illegal file, the file is dealt with according to the configured actions
  (reset the connection or report logs). The first time a malicious file is found in the local
  sandbox, system will record threat logs and cloud sandbox logs but cannot stop the malicious
  link. When a malicious file matches the threat information cached on the local machine, the
  protection takes effect only by resetting the connection.

• Maintain the local database of the Sandbox function: Record the information of the uploaded
  files, including upload time and analysis result. This part is completed by the Sandbox
  function automatically.

Notes: The Sandbox function is controlled by license. To use the Sandbox function,
install the Cloud sandbox license.

Related Topics: Configuring Sandbox

Configuring Sandbox

This chapter includes the following sections:

• Preparation for configuring the Sandbox function

• Configuring the Sandbox rules

• Sandbox global configurations

Preparation

Before enabling the Sandbox function, make the following preparations:

1. Make sure your system version supports the Sandbox function.

2. The current device is registered to the Cloud View platform.

3. Import the Cloud sandbox license and reboot. The Sandbox function will be enabled after
rebooting.

Notes: If the Sandbox function is enabled, the max amount of concurrent sessions
will decrease by half.

Configuring Sandbox

System supports the policy-based Sandbox. To create the policy-based Sandbox, take the fol-
lowing steps:

1. Click Configuration Management > Security Protection Configuration > Sandbox > Con-
figuration. Click the Enable button to enable the Sandbox function.

2. Click Configuration Management > Security Protection Configuration > Sandbox > Profile
to create a sandbox rule you need.

3. Bind the sandbox rule to a policy. Click Configuration Management > Policy > Security
   Policy > Policy. Select the policy rule you want to bind or click New to create a new policy.
   In the Policy Configuration page, expand Protection and then click the Enable button of
   Sandbox.

Configuring a Sandbox Rule

A sandbox rule contains the file types that the device detects, the protocol types that the
device detects, the white list settings, and the file filter settings.

• File Type: Supports detecting PE, APK, JAR, MS-Office, PDF, SWF, RAR and ZIP files.

• Protocol Type: Supports detecting the HTTP, FTP, POP3, SMTP and IMAP4 protocols.

• White list: A white list includes domain names that are safe. When a file extracted from the
  traffic comes from a domain name in the white list, this file will not be marked as a suspicious
  file and it will not be uploaded to the cloud sandbox.

• File filter: Marks the file as a suspicious file if it satisfies the criteria configured in the file
  filter settings. The analysis result from the cloud sandbox determines whether this suspicious
  file is legal or not.

• Actions: When the suspicious file matches the threat items in the local sandbox, system
  will deal with the malicious file with the set actions.

There are three built-in sandbox rules with the file and protocol types configured, white list
enabled and file filter configured. The three default sandbox rules are predef_low, predef_middle
and predef_high.

• predef_low: A loose sandbox detection rule, whose file type is PE and protocol types are
  HTTP/FTP/POP3/SMTP/IMAP4, with white list and file filter enabled.

• predef_middle: A middle-level sandbox detection rule, whose file types are
  PE/APK/JAR/MS-Office/PDF and protocol types are HTTP/FTP/POP3/SMTP/IMAP4,
  with white list and file filter enabled.

• predef_high: A strict sandbox detection rule, whose file types are PE/APK/JAR/MS-
  Office/PDF/SWF/RAR/ZIP and protocol types are HTTP/FTP/POP3/SMTP/IMAP4,
  with white list and file filter enabled.

To create a new sandbox rule, take the following steps:

1. Select Configuration Management > Security Protection Configuration > Sandbox > Pro-
file.

2. Click New to create a new sandbox rule. To edit an existing one, select the check box of
this rule and then click Edit.

In the Sandbox Configuration page, configure the following settings.

Option Description

Name: Enter the name of the sandbox rule.

Action: When the suspicious file matches the threat items in the local sandbox, system will
deal with the malicious file with the set actions. Actions:

  • Log Only - When detecting malicious files, system will pass the traffic and only record
    logs (threat log and cloud sandbox log).

  • Reset - When detecting malicious files, system will reset the connection of the malicious
    link and record threat logs and cloud sandbox logs.

White List: Click Enable to enable the white list function. A white list includes domain names
that are safe. When a file extracted from the traffic comes from a domain name in the white list,
this file will not be marked as a suspicious file and it will not be uploaded to the cloud sandbox.
You can update the white list in Configuration Management > System Management > Upgrade
Management > Signature Database Update > Sandbox Whitelist Database Update.

Trusted Certificate Verification: Click Enable to enable verification of trusted certificates. After
enabling, system will not detect a PE file whose certificate is trusted.

File Upload: By default, the file is uploaded to the cloud sandbox when it is classified as
suspicious. You can disable suspicious file uploading, which prevents the suspicious file from
being uploaded to the cloud sandbox. Click Disable to disable suspicious file uploading.

File Filter: Marks the file as a suspicious file if it satisfies the criteria configured in the file
filter settings. The analysis result from the cloud sandbox determines whether this suspicious
file is legal or not. The logical relation between the criteria is AND.

  File Type: Marks the file of the specified file type as a suspicious file. The system can
  currently mark PE (.exe), APK, JAR, MS-Office, PDF, SWF, RAR, ZIP and Script files as
  suspicious. If no file type is specified, the Sandbox function will mark no file as suspicious.

  Protocol: Specifies the protocol to scan. System can currently scan HTTP, FTP, POP3,
  SMTP, IMAP4 and SMB traffic. If no protocol is specified, the Sandbox function will not
  scan the network traffic. After specifying the protocol type, you have to specify the direction
  of the detection:

    • Upload - The direction is from client to server.

    • Download - The direction is from server to client.

    • Bi-directional - The direction includes both the uploading and downloading directions.

3. Click OK to save the settings.

Threat List

The threat list is the list of threat items in the local sandbox. There are two sources of the
threat items:

• The local sandbox finds suspicious files and reports them to the cloud. After verifying that a
  file is malicious, the cloud sends the synchronous threat information to other devices which
  have connected to the cloud and enabled the Sandbox function. After a device receives the
  synchronous threat information and matches the threat, the threat item is listed in the threat
  list and system blocks it with the set actions.

• The local sandbox finds a suspicious file and reports it to the cloud. The cloud then analyzes
  the file and returns the result to the device. If the result is malicious, the threat item is listed
  in the threat list.

You can filter and check threat items by specifying the MD5 or the name of the virus on the
threat list page, as well as add the selected threat item to the trust list. Take the following steps:

1. Click Configuration Management > Security Protection Configuration > Sandbox >
   Threat List.

2. Select the threat item that needs to be added to the trust list and click the Add to Trust List
   button. Once the added threat item is matched, the corresponding traffic will be released.

Trust List

You can view all the sandbox threat information that can be detected on the device and add
items to the trust list. Once an item in the trust list is matched, the corresponding traffic will be
released and not controlled by the actions of the sandbox rule.
To remove threat items from the trust list, take the following steps:

1. Click Configuration Management > Security Protection Configuration > Sandbox > Trust
   List.

2. Select the threat item that needs to be removed from the trust list and click the Remove
   from Trust button. The threat item will be removed from the trust list.

Sandbox Global Configurations

To configure the sandbox global configurations, take the following steps:

1. Select Configuration Management > Security Protection Configuration > Sandbox >
   Configuration.

2. Click the Enable button of Sandbox to enable the Sandbox function. Clear the Enable
   button to disable the Sandbox function.

3. Specify the file size limit for the files you need. A file that is smaller than the specified file
   size will be marked as a suspicious file.

4. If you click the Report benign file log button, system will record cloud sandbox logs for a
   file when it marks it as a benign file. By default, system will not record logs for benign
   files.

5. If you click the Report greyware file log button, system will record cloud sandbox logs for a
   file when it marks it as a greyware file. A greyware file is one that system cannot judge to
   be either benign or malicious. By default, system will not record logs for greyware files.

6. Click OK to save the settings.
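The following Python is an added example, not Hillstone's code, that ties together the sandbox rule options (file type, protocol and direction, white list, trusted certificate verification, action), the global file size limit from step 3 above, and the threat list and trust list handling: it decides whether an extracted file is suspicious (the criteria combine with AND) and what the device does with it given its local verdict database. The `predef_low` mirror, the white-listed domain, the file records, hashes and the size limit are constructed assumptions; the real white list is a signature database, not a hard-coded set.

```python
"""Added example (not Hillstone's code): deciding whether a file extracted from
traffic is suspicious under a sandbox rule and the global file-size limit, and
what the device does with it given its local verdict database and trust list.
The sample rule values, file records, hashes and domains are constructed."""

from dataclasses import dataclass, field
from typing import Dict, Set

PROTOCOLS = ("HTTP", "FTP", "POP3", "SMTP", "IMAP4")


@dataclass
class SandboxRule:
    name: str
    file_types: Set[str]                 # File Filter > File Type
    protocols: Dict[str, str]            # protocol -> "upload" | "download" | "bidirectional"
    action: str = "reset"                # "log-only" or "reset"
    whitelist_enabled: bool = True
    trusted_cert_check: bool = False     # Trusted Certificate Verification
    # Constructed stand-in for the Sandbox Whitelist Database.
    whitelist_domains: Set[str] = field(default_factory=set)


@dataclass
class ExtractedFile:
    md5: str
    file_type: str
    protocol: str
    direction: str      # "upload" (client -> server) or "download" (server -> client)
    size: int           # bytes
    source_domain: str
    pe_cert_trusted: bool = False


# Mirrors predef_low as described above: PE only, all five protocols, white list on.
PREDEF_LOW = SandboxRule(
    name="predef_low",
    file_types={"PE"},
    protocols={p: "bidirectional" for p in PROTOCOLS},
    whitelist_domains={"update.example"},   # constructed sample domain
)


def is_suspicious(rule: SandboxRule, f: ExtractedFile, max_file_size: int) -> bool:
    """File type AND protocol/direction AND size must all match (AND relation);
    white-listed domains and trusted PE certificates are exempt."""
    if rule.whitelist_enabled and f.source_domain in rule.whitelist_domains:
        return False
    if rule.trusted_cert_check and f.file_type == "PE" and f.pe_cert_trusted:
        return False
    if f.file_type not in rule.file_types:
        return False
    direction = rule.protocols.get(f.protocol)
    if direction is None:
        return False
    if direction != "bidirectional" and direction != f.direction:
        return False
    return f.size < max_file_size    # only files smaller than the global limit


def handle_file(rule: SandboxRule, f: ExtractedFile, max_file_size: int,
                local_verdicts: Dict[str, str], trust_list: Set[str]) -> str:
    """Return what the device does: 'pass', 'upload' (send to the cloud sandbox),
    'log-only' or 'reset'. local_verdicts maps md5 -> 'malicious' | 'benign'."""
    if not is_suspicious(rule, f, max_file_size):
        return "pass"
    if f.md5 in trust_list:
        return "pass"                       # items on the trust list are released
    verdict = local_verdicts.get(f.md5)
    if verdict is None:
        return "upload"                     # no local result yet: ask the cloud sandbox
    if verdict == "malicious":
        return rule.action                  # Log Only or Reset per the rule
    return "pass"
```

Note the ordering in `handle_file`: the trust list is consulted before the local verdict, which is what "once the item in trust list is matched, the corresponding traffic will be released" implies; a hash that is both in the threat list and the trust list passes.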

Data Security
The data security function allows you to flexibly configure control rules to comprehensively con-
trol and audit (by behavior logs and content logs) on user network behavior.
Data security can audit and filter the following network behaviors:

Function Description

Content filter: Web content: Controls the network behavior of visiting webpages that contain
certain keywords, and logs the actions.

Network Behavior Record: Audits the IM application behaviors and records log messages for the
access actions.


Web Content

The web content function is designed to control the network behavior of visiting websites that
contain certain keywords. For example, you can configure it to block access to a website that
contains the keyword "gamble", and record the access action and website information in the log.

Configuring Web Content

Configuring Web Content contains two parts:

• Create a Web Content rule

• Bind a Web Content rule to a security zone or policy rule

Part 1: Creating a web content rule

1. Select Configuration Management > Security Protection Configuration > Policy > Data
Security > Content Filter > Web Content.

2. Click New.

In the Web Content Rule Configuration page, enter values.

Option Description

Name: Specifies the rule name.

Posting information with specific keyword: Defines the action when a keyword is matched.

  • New: Creates new keyword categories. For more information about keyword categories,
    see Configuring Data Security Objects.

  • Edit: Edits the selected keyword category.

  • Keyword category: Shows the names of the configured keyword categories.

  • Block: Select the check box to block the web pages containing the corresponding keywords.

  • Log: Select the check box to record log messages when visiting the web pages containing
    the corresponding keywords.

  • Record contents: Select the check box to record the keyword context. This option is
    available only when the device has a storage medium (SD card, U disk, or storage module
    provided by Hillstone) with the NBC license installed.

Control Range: Specifies the coverage of this rule. By default, the rule applies to all websites.

  1. Click Control Range.

  2. Select or unselect the websites you want to monitor and control.

  3. Click OK.

3. Click OK.

Part 2: Binding a Web Content rule to a security zone or security policy rule
The Web content configurations are based on security zones or policies.

• If a security zone is configured with the Web content function, the system will perform
  detection on the traffic that is destined to the binding zone specified in the rule, and then
  act as you specified.

• If a policy rule is configured with the Web content function, the system will perform
  detection on the traffic that matches the policy rule you specified, and then respond.

• The threat protection configurations in a policy rule are superior to those in a zone rule if
  specified at the same time, and the Web content configurations in a destination zone are
  superior to those in a source zone if specified at the same time.

To realize the zone-based Web Content:

1. Create a zone. For more information about how to create one, refer to "Security Zone" on
   Page 423.

2. In the Zone Configuration page, expand Data Security.

3. Enable the threat protection you need, and select a Web content rule from the profile
   drop-down list below; or click Add Profile in the profile drop-down list to create a Web
   content rule, see Creating a web content rule.

4. Click OK to save the settings.

To realize the policy-based Web content:

1. Configure a security policy rule. See "Configuring a Security Policy Rule" on Page 165.

2. In the Data Security page, click the Enable button after Web Content.

3. From the Profile drop-down list, select a Web Content rule. You can also click Add Profile
   to create a new Web Content rule.

4. Click OK to save the settings.

If necessary, you can configure some additional features by going to the top-right corner and
clicking Configuration.

Option Description

Predefined URL DB: The predefined URL database includes dozens of categories and tens of
millions of URLs; you can use it to specify the URL category and URL range for the URL
category/Web posting functions.

User-defined URL DB: The user-defined URL database is defined by yourself; you can use it to
specify the URL category and URL range for the URL category/Web posting functions.

URL Lookup: Use the URL lookup function to query URL information from the URL database.

Warning Page:

  • Block warning: When your network access is blocked, you will be prompted with a warning
    page in the Web browser.

  • Audit warning: When your network access is audited, you will be prompted with a warning
    page in the Web browser.

Bypass Domain: Domains that are not controlled by the internet behavior control rules.

User Exception: Users that are not controlled by the internet behavior control rules.

Notes:
• To ensure you have the latest URL database, it is better to update your database first. Refer
  to Configuring Data Security Objects.

• You can export logs to a designated destination. Refer to "Managing Logs" on Page 146.

• By default, a rule will immediately take effect after you click OK to complete the
  configuration.

Viewing Logs of Keyword Blocking in Web Content

To see the system logs of keyword blocking in web content, please refer to the "Content Filter
Log" on Page 143.


Network Behavior Record

The network behavior record function audits the IM application behaviors and records log
messages for the access actions, which includes:

• Auditing the QQ, WeChat and Sina Weibo user behaviors.

• Logging the access behaviors.

Configuring Network Behavior Recording

Configuring network behavior record contains two parts:

• Create a network behavior record rule

• Bind a network behavior record rule to a security zone or policy rule

Part 1: Creating a NBR rule

1. Select Configuration Management > Security Protection Configuration > Data Security >
Network Behavior Record.

2. Click New.

In the Network Behavior Record Configuration page, enter values.

Option Description

Name: Specifies the rule name.

IM

  QQ: To audit the QQ behavior.

    1. Click the Enable button after QQ.

    2. Timeout: Specifies the timeout value. The unit is minute. The default value is 10.
       During the timeout period, the IM user traffic of the same UID will not trigger new
       logs; after the timeout is reached, it will trigger new logs.

  WeChat: To audit the WeChat behavior.

    1. Click the Enable button after WeChat.

    2. Timeout: Specifies the timeout value. The unit is minute. The default value is 20.
       During the timeout period, the IM user traffic of the same UID will not trigger new
       logs; after the timeout is reached, it will trigger new logs.

  Sina Weibo: To audit the Sina Weibo behavior.

    1. Click the Enable button after Sina Weibo.

    2. Timeout: Specifies the timeout value. The unit is minute. The default value is 20.
       During the timeout period, the IM user traffic of the same UID will not trigger new
       logs; after the timeout is reached, it will trigger new logs.

Web Surfing Record

  URL Log: Logs the GET and POST methods of HTTP.

    • Get: Records logs when there are GET requests.

    • Post: Records logs when there are POST requests.

  POST Content: Records the posted content.

3. Click OK.
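The Timeout option above is a per-UID log suppression window: within the window, further traffic of the same IM user produces no new log. As an added example, not code from the guide or from Hillstone, the following Python models that behaviour for the applications enabled in a rule, using the default timeouts listed in the table; the `NetworkBehaviorRecorder` class, the event tuples and the sample UIDs are constructed assumptions.

```python
"""Added example (not Hillstone's code): the per-UID log suppression window
of the IM audit options. For each enabled application, traffic from the same
UID triggers a new log only once per timeout period. Sample events are constructed."""

from typing import Dict, List, Optional, Tuple

# Default timeouts in minutes as listed in the table above.
DEFAULT_TIMEOUTS = {"QQ": 10, "WeChat": 20, "Sina Weibo": 20}


class NetworkBehaviorRecorder:
    def __init__(self, enabled_apps: List[str],
                 timeouts_min: Optional[Dict[str, int]] = None):
        timeouts_min = timeouts_min or {}
        # Seconds of suppression per enabled application (rule-specific or default).
        self.timeouts_s: Dict[str, int] = {
            app: 60 * timeouts_min.get(app, DEFAULT_TIMEOUTS[app])
            for app in enabled_apps
        }
        # (app, uid) -> time of the last log written for that user.
        self.last_logged: Dict[Tuple[str, str], float] = {}

    def observe(self, app: str, uid: str, now: float) -> bool:
        """Return True if this traffic triggers a new log."""
        timeout = self.timeouts_s.get(app)
        if timeout is None:
            return False        # application not enabled in the rule: not audited
        key = (app, uid)
        last = self.last_logged.get(key)
        if last is not None and now - last < timeout:
            return False        # still inside the suppression window
        self.last_logged[key] = now
        return True

    def run(self, events: List[Tuple[str, str, float]]) -> List[Tuple[str, str, float]]:
        """Feed (app, uid, time) events in order; return the ones that produced a log."""
        return [e for e in events if self.observe(*e)]


# Constructed sample traffic: (application, user id, seconds since start).
SAMPLE_EVENTS = [
    ("QQ", "10001", 0), ("QQ", "10001", 300), ("QQ", "10002", 30),
    ("WeChat", "10001", 0), ("WeChat", "10001", 900), ("QQ", "10001", 600),
    ("Sina Weibo", "10003", 10), ("WeChat", "10001", 1200),
]
```

Running `NetworkBehaviorRecorder(["QQ", "WeChat"]).run(SAMPLE_EVENTS)` logs five of the eight events: the QQ traffic of UID 10001 at 300 s is suppressed (inside the 10-minute window) but logged again at 600 s, and the Sina Weibo event is ignored because that application is not enabled.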

Part 2: Binding a network behavior record rule to a security zone or security policy rule
The network behavior record configurations are based on security zones or policies.

• If a security zone is configured with the network behavior record function, the system will
  perform detection on the traffic that is destined to the binding zone specified in the rule, and
  then act as you specified.

• If a policy rule is configured with the network behavior record function, the system will
  perform detection on the traffic that matches the policy rule you specified, and then respond.

• The threat protection configurations in a policy rule are superior to those in a zone rule if
  specified at the same time, and the network behavior record configurations in a destination
  zone are superior to those in a source zone if specified at the same time.

To realize the zone-based network behavior record:

1. Create a zone. For more information about how to create one, refer to "Security Zone" on
   Page 423.

2. In the Zone Configuration page, expand Data Security.

3. Enable the threat protection you need, and select a network behavior record rule from the
   profile drop-down list below; or click Add Profile in the profile drop-down list to create a
   network behavior record rule, see Creating a network behavior record rule.

4. Click OK to save the settings.

To realize the policy-based network behavior record:

1. Configure a security policy rule. See "Configuring a Security Policy Rule" on Page 165.

2. In the Data Security page, click the Enable button after Network Behavior Record.

3. From the Profile drop-down list, select a network behavior record rule. You can also click
   Add Profile to create a new network behavior record rule.

4. Click OK to save the settings.

Notes:
• You can export logs to a designated destination. Refer to "Managing Logs" on Page 146.

• By default, a rule will immediately take effect after you click OK to complete the
  configuration.

Viewing Logs of Network Behavior Recording

To see the logs of network behavior recording, please refer to the "Network Behavior Record
Log" on Page 144.

ACL
System supports ACL (Access Control List) based on MAC addresses. You can create access
control profiles based on MAC addresses and bind the profiles to security policies to achieve
access control of specific MAC addresses. By combining security policies with ACL rules,
system can achieve precise access control.

ACL Profile

The ACL profile consists of one or more access control rules. In the access rule, you can set the
source MAC address and destination MAC address to filter the packets flowing through the
device, and set access control action for the matched packets, pass or discard. The configured
access control profiles will take effect only when they are bound to security policies.
To configure an ACL profile, take the following steps:

1. Select Configuration Management > Security Protection Configuration > ACL.

2. Click New to open the ACL Profile Configuration page.

3. In the ACL Profile Configuration page, configure the corresponding options.

Option Description

Name: Specify the name of the ACL profile.

Default Action: Specify the default action of access control. Packets which match an access
control rule in the list below are processed according to the action set in that access control
rule; packets which fail to match any access control rule are processed according to the default
action set here. Default control actions include:

  • Pass: By default, packets are allowed to pass the access control check, but still need to be
    detected via IPS, Anti-virus and so on.

  • Block: By default, packets are blocked directly and will not pass through the device.

Sequence: Click New.

  • Priority: Specify the priority of the ACL rule to be matched, ranging from 1 to 32. The
    bigger the value, the higher the priority.

  • Action: Specify the action to be executed after the ACL rule has been matched, including:

    • Pass: Packets are allowed to pass the access control check, but still need to be detected
      via IPS, Anti-virus and so on.

    • Block: Packets are blocked directly and will not pass through the device.

  • Traffic Direction: Specify the traffic direction of the ACL rule. Forward indicates the
    direction in which the session is initiated. Backward indicates the direction in which the
    session is responded to. Bidirectional indicates both the Forward and Backward directions.
    By default, system matches bidirectional traffic.

  • Source MAC Address: Specify the source MAC address of the packets to be matched.

  • Destination MAC Address: Specify the destination MAC address of the packets to be
    matched.

4. Click OK.
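As an added example of how the options above combine (this is illustrative code, not Hillstone's implementation), the following Python evaluates a packet against an ACL profile: rules are tried from the highest priority value downwards, a rule applies only if its traffic direction and any configured source and destination MAC match, and an unmatched packet receives the profile's default action. The MAC addresses, the profile contents and the `matches`/`evaluate` method names are constructed assumptions; the example also normalises hyphen and colon MAC notation, which the guide does not discuss.

```python
"""Added example (not Hillstone's code): evaluating a packet against a
MAC-based ACL profile as described above. Rules are tried from the highest
priority value downwards; an unmatched packet gets the profile's default action.
MAC addresses and rule contents are constructed sample values."""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def norm_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    return mac.strip().lower().replace("-", ":")


@dataclass
class AclRule:
    priority: int                      # 1..32, bigger value = higher priority
    action: str                        # "pass" or "block"
    direction: str = "bidirectional"   # "forward", "backward" or "bidirectional"
    src_mac: Optional[str] = None      # None = any source MAC
    dst_mac: Optional[str] = None      # None = any destination MAC

    def __post_init__(self):
        if not 1 <= self.priority <= 32:
            raise ValueError("priority must be 1..32")
        if self.action not in ("pass", "block"):
            raise ValueError("action must be pass or block")

    def matches(self, src: str, dst: str, direction: str) -> bool:
        """direction is the packet's direction within its session: forward or backward."""
        if self.direction != "bidirectional" and self.direction != direction:
            return False
        if self.src_mac is not None and norm_mac(self.src_mac) != norm_mac(src):
            return False
        if self.dst_mac is not None and norm_mac(self.dst_mac) != norm_mac(dst):
            return False
        return True


@dataclass
class AclProfile:
    name: str
    default_action: str = "pass"
    rules: List[AclRule] = field(default_factory=list)

    def evaluate(self, src: str, dst: str,
                 direction: str = "forward") -> Tuple[str, Optional[int]]:
        """Return (action, priority of the matching rule, or None for the default)."""
        for rule in sorted(self.rules, key=lambda r: r.priority, reverse=True):
            if rule.matches(src, dst, direction):
                return rule.action, rule.priority
        return self.default_action, None


# Constructed profile: block one station's session-initiating traffic, but let a
# higher-priority rule pass its traffic to a specific management host.
ROGUE = "00:11:22:33:44:55"
MGMT = "AA-BB-CC-DD-EE-01"
SAMPLE_PROFILE = AclProfile(
    name="lab-acl",
    default_action="pass",
    rules=[
        AclRule(priority=10, action="block", direction="forward", src_mac=ROGUE),
        AclRule(priority=20, action="pass", src_mac=ROGUE, dst_mac=MGMT),
    ],
)
```

Because a passed packet is still subject to IPS and Anti-virus detection, the `pass` result here means only that the access control check is cleared, as the Pass description above states.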

Attack-Defense
There are various inevitable attacks in networks, such as compromise or sabotage of servers,
sensitive data theft, service interference, or even direct sabotage of network devices that causes
service anomalies or interruption. The device is designed with attack defense functions to detect
various types of network attacks and take appropriate actions to protect the intranet against
malicious attacks, thus assuring the normal operation of the intranet and its systems.
Devices provide attack defense functions based on security zones, and can take appropriate
actions against network attacks to assure the security of your network systems.

Configuring Attack Defense

To configure the Attack Defense based on security zones, take the following steps:

1. Select Configuration Management > Network Configuration > Zone.

2. Double-click a security zone to configure its attack defense function.

3. In the Zone Configuration page, expand Threat Protection.

384 Security Protection Configuration


4. To enable the Attack Defense functions, click the Enable button, and click Configure.

In the Attack Defense page, enter the Attack Defense configurations.

Option Description

IP address or IP range in the whitelist is exempt from attack


defense check.

Whitelist Click Configure.

l IP/Netmask - Click New to add to the whitelist and spe-


cifies the IP address and netmask.

Security Protection Configuration 385


Option Description

l Address entry - Click New to add to the whitelist and spe-


cifies the address entry.

Enable all: Click this button to enable all the Attack Defense
functions for the security zone.
Action: Specifies an action for all the Attack Defense functions,
i.e., the defense measure system will be taken if any attack has
been detected.
Enable All
l Drop - Drops packets. This is the default action.

l Alarm - Gives an alarm but still permits packets to pass


through.

l Do not specify global actions.

Flood Attack Click the button to expand the information of all flood attack

Defense
defenses. Select the Flood Attack Defense check box to enable
all flood attack defenses.

ICMP Flood: Click this button to enable ICMP flood defense for
the security zone.

l Threshold - Specifies a threshold for inbound ICMP pack-


ets. If the number of inbound ICMP packets matched to
one single IP address per second exceeds the threshold,
system will identify the traffic as an ICMP flood and take
the specified action. The value range is 1 to 50000. The
default value is 1500.

l Action - Specifies an action for ICMP flood attacks. If the

386 Security Protection Configuration


Option Description

default action Drop is selected, system will only permit the


specified number (threshold) of IMCP packets to pass
through during the current and the next second, and also
give an alarm. All the excessive packets of the same type
will be dropped during this period.

UDP Flood: Click this button to enable UDP flood defense for
the security zone.

l Src threshold - Specifies a threshold for outbound UDP


packets. If the number of outbound UDP packets ori-
ginating from one single source IP address per second
exceeds the threshold, system will identify the traffic as a
UDP flood and take the specified action. The value range
is 1 to 50000. The default value is 1500.

l Dst threshold - Specifies a threshold for inbound UDP


packets. If the number of inbound UDP packets destined
to one single port of one single destination IP address per
second exceeds the threshold, system will identify the
traffic as a UDP flood and take the specified action. The
value range is 1 to 50000. The default value is 1500.

l Action - Specifies an action for UDP flood attacks. If the


default action Drop is selected, system will only permit the
specified number (threshold) of UDP packets to pass
through during the current and the next second, and also
give an alarm. All the excessive packets of the same type

Security Protection Configuration 387


Option Description

will be dropped during this period.

l Session State Check - Click this button to enable the func-


tion of session state check. After the function is enabled,
system will not check whether there is UDP Flood attack
in the backward traffic of UDP packet of the identified ses-
sions.

DNS Query Flood: Click this button to enable DNS query flood
defense for the security zone.

l Src threshold - Specifies a threshold for outbound DNS


query packets. If the number of outbound DNS query
packets originating from one single IP address per second
exceeds the threshold, system will identify the traffic as a
DNS query flood and take the specified action.

l Dst threshold - Specifies a threshold for inbound DNS


query packets. If the number of inbound DNS query pack-
ets matched to one single IP address per second exceeds
the threshold, system will identify the traffic as a DNS
query flood and take the specified action.

l Action - Specifies an action for DNS query flood attacks.


If the default action Drop is selected, system will only per-
mit the specified number (threshold) of DNS query pack-
ets to pass through during the current and next second, and
also give an alarm. All the excessive packets of the same
type will be dropped during this period; if Alarm is selec-

388 Security Protection Configuration


Option Description

ted, system will give an alarm but still permit the DNS
query packets to pass through.

Recursive DNS Query Flood: Click this button to enable recurs-


ive DNS query flood defense for the security zone.

l Src threshold - Specifies a threshold for outbound recurs-


ive DNS query packets packets. If the number of out-
bound DNS query packets originating from one single IP
address per second exceeds the threshold, system will
identify the traffic as a DNS query flood and take the spe-
cified action.

l Dst threshold - Specifies a threshold for inbound recursive


DNS query packets packets. If the number of inbound
DNS query packets destined to one single IP address per
second exceeds the threshold, system will identify the
traffic as a DNS query flood and take the specified action.

l Action - Specifies an action for recursive DNS query flood


attacks. If the default action Drop is selected, system will
only permit the specified number (threshold) of recursive
DNS query packets to pass through during the current and
next second, and also give an alarm. All the excessive pack-
ets of the same type will be dropped during this period; if
Alarm is selected, system will give an alarm but still permit
the recursive DNS query packets to pass through.

SYN Flood: Select this check box to enable SYN flood defense

Security Protection Configuration 389


Option Description

for the security zone.

l Src threshold - Specifies a threshold for outbound SYN


packets (ignoring the destination IP address and port num-
ber). If the number of outbound SYN packets originating
from one single source IP address per second exceeds the
threshold, system will identify the traffic as a SYN flood.
The value range is 0 to 50000. The default value is 1500.
The value of 0 indicates the Src threshold is void.

l Dst threshold - Specifies a threshold for inbound SYN


packets destined to one single destination IP address per
second.

  - IP-based: Click IP-based and then type a threshold value into the box behind it. If the number of inbound SYN packets matched to one single destination IP address per second exceeds the threshold, system will identify the traffic as a SYN flood. The value range is 0 to 50000. The default value is 1500. A value of 0 disables the Dst threshold check.

  - Port-based: Click Port-based and then type a threshold value into the box behind it. If the number of inbound SYN packets matched to one single destination port of a destination IP address per second exceeds the threshold, system will identify the traffic as a SYN flood. The value range is 0 to 50000. The default value is 1500. A value of 0 disables the Dst threshold check. After clicking Port-based, you also need to type an address into, or select an IP Address or Address entry from, the Dst address combo box to enable port-based SYN flood defense for the specified segment. SYN flood defense for all other segments remains IP based. The mask of the Dst address must be between 24 and 32.

- Action: Specifies an action for SYN flood attacks. If the default action Drop is selected, system will only permit the specified number (threshold) of SYN packets to pass through during the current and the next second, and also give an alarm. All the excessive packets of the same type will be dropped during this period. If both Src threshold and Dst threshold are configured, system first checks whether the traffic is a destination SYN flood attack: if so, system drops the packets and gives an alarm; if not, system goes on to check whether the traffic is a source SYN flood attack.

DNS Reply Flood: Click this button to enable DNS reply flood
defense for the security zone.

- Src threshold: Specifies a threshold for outbound DNS reply packets. If the number of outbound DNS reply packets originating from one single IP address per second exceeds the threshold, system will identify the traffic as a DNS reply flood and take the specified action.

- Dst threshold: Specifies a threshold for inbound DNS reply packets. If the number of inbound DNS reply packets matched to one single IP address per second exceeds the threshold, system will identify the traffic as a DNS reply flood and take the specified action.

- Action: Specifies an action for DNS reply flood attacks. If the default action Drop is selected, system will only permit the specified number (threshold) of DNS reply packets to pass through during the current and next second, and also give an alarm. All the excessive packets of the same type will be dropped during this period. If Alarm is selected, system will give an alarm but still permit the DNS reply packets to pass through.

ARP Spoofing: Click the button to expand the ARP spoofing options. Select the ARP Spoofing check box to enable all ARP spoofing defenses.

Max IP Number per MAC: Click this button to check the maximum number of IP addresses per MAC address in the ARP table. If the parameter is set to 0, system will not perform the check; if it is set to a value other than 0, system will check, and if the number of IP addresses bound to one MAC address is larger than the parameter value, system will take the specified action. The value range is 0 to 1024.

ND Spoofing

Max IP Number per MAC: Click this button to check the maximum number of IP addresses per MAC address in the ND (IPv6 Neighbor Discovery) table. System will check the number, and if the number of IP addresses bound to one MAC address is larger than the parameter value, system will take the specified action. The value range is 1 to 1024.

MS-Windows Defense: Click the button to expand the MS-Windows defense options. Select the MS-Windows Defense check box to enable MS-Windows defense.

WinNuke Attack: Click this button to enable WinNuke attack defense for the security zone. If any WinNuke attack is detected, system will drop the packets and give an alarm.

Scan/Spoof Defense: Click the button to expand the Scan/Spoof Defense options. Select the Scan/Spoof Defense check box to enable all scan/spoof defenses.

IP Address Sweep: Click this button to enable IP address sweep defense for the security zone.

- Threshold: Specifies a time threshold for IP address sweep. If over 10 ICMP packets from one single source IP address are sent to different hosts within the period specified by the threshold, system will identify them as an IP address sweep attack. The value range is 1 to 5000 milliseconds. The default value is 1.

- Action: Specifies an action for IP address sweep attacks. If the default action Drop is selected, system will only permit 10 ICMP packets originating from one single source IP address and destined to different hosts to pass through during the specified period (threshold), and also give an alarm. All the excessive packets of the same type will be dropped during this period.

Port Scan: Click this button to enable port scan defense for the
security zone.

- Threshold: Specifies a time threshold for port scan. If over 10 TCP SYN packets are sent to different ports within the period specified by the threshold, system will identify them as a port scan attack. The value range is 1 to 5000 milliseconds. The default value is 1.

- Action: Specifies an action for port scan attacks. If the default action Drop is selected, system will only permit 10 TCP SYN packets destined to different ports to pass through during the specified period, drop the other packets of the same type, and give an alarm.
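Both Scan/Spoof rules above are "more than 10 distinct targets from one source inside a time window" checks, which is naturally a sliding window per source. The Python below is an added example for this guide, not Hillstone code: the packet dictionary layout, the `ScanDetector` name and the 100 ms windows used in the demonstrations are assumptions (the product default is 1 ms, which as the slow-sweep case shows only catches tightly bursted probes), and the sample packets are constructed.

```python
from collections import defaultdict, deque

MAX_TARGETS = 10  # fixed in both rules: more than 10 distinct targets is a scan


class ScanDetector:
    """Sliding-window model of the IP Address Sweep and Port Scan rules.

    An ICMP source that reaches more than MAX_TARGETS distinct hosts within
    sweep_threshold_ms is an IP address sweep; a TCP SYN source that reaches
    more than MAX_TARGETS distinct (host, port) targets within scan_threshold_ms
    is a port scan. With action Drop only the first 10 targets get through.
    """

    def __init__(self, sweep_threshold_ms=1, scan_threshold_ms=1, action="drop"):
        for t in (sweep_threshold_ms, scan_threshold_ms):
            if not 1 <= t <= 5000:
                raise ValueError("thresholds must be within 1..5000 ms")
        self.sweep_threshold_ms = sweep_threshold_ms
        self.scan_threshold_ms = scan_threshold_ms
        self.action = action
        self.windows = defaultdict(deque)  # (rule, src) -> deque of (ts_ms, target)
        self.alarms = []                   # (rule, src, ts_ms)

    def _check(self, rule, src, ts_ms, target, threshold_ms):
        window = self.windows[(rule, src)]
        while window and ts_ms - window[0][0] > threshold_ms:
            window.popleft()               # expire packets outside the period
        window.append((ts_ms, target))
        distinct = {t for _, t in window}
        if len(distinct) > MAX_TARGETS:
            self.alarms.append((rule, src, ts_ms))
            return "drop" if self.action == "drop" else "pass"
        return "pass"

    def inspect(self, pkt):
        """pkt: dict with ts_ms, proto, src, dst and, for TCP, flags and dport."""
        if pkt["proto"] == "icmp":
            return self._check("ip-sweep", pkt["src"], pkt["ts_ms"],
                               pkt["dst"], self.sweep_threshold_ms)
        if pkt["proto"] == "tcp" and pkt.get("flags") == "S":
            return self._check("port-scan", pkt["src"], pkt["ts_ms"],
                               (pkt["dst"], pkt["dport"]), self.scan_threshold_ms)
        return "pass"                      # other packets are not counted


def run_sweep(spacing_ms, threshold_ms=100):
    """Constructed sweep: one source pings 12 hosts, one every spacing_ms."""
    det = ScanDetector(sweep_threshold_ms=threshold_ms)
    return [det.inspect({"ts_ms": i * spacing_ms, "proto": "icmp",
                         "src": "203.0.113.5", "dst": f"10.0.0.{i + 1}"})
            for i in range(12)]


def run_port_scan(spacing_ms, threshold_ms=100):
    """Constructed scan: one source SYNs 12 ports on one host, then sends an ACK."""
    det = ScanDetector(scan_threshold_ms=threshold_ms)
    verdicts = [det.inspect({"ts_ms": i * spacing_ms, "proto": "tcp", "flags": "S",
                             "src": "203.0.113.5", "dst": "10.0.0.9",
                             "dport": 20 + i})
                for i in range(12)]
    verdicts.append(det.inspect({"ts_ms": 12 * spacing_ms, "proto": "tcp",
                                 "flags": "A", "src": "203.0.113.5",
                                 "dst": "10.0.0.9", "dport": 80}))
    return verdicts


if __name__ == "__main__":
    print("fast sweep:", run_sweep(5))
    print("slow sweep:", run_sweep(200))
    print("fast scan: ", run_port_scan(5))
```

A probe every 5 ms with a 100 ms window passes the first 10 targets and drops the 11th and 12th; the same probes spaced 200 ms apart never accumulate more than one target in the window and are never flagged, which is why the threshold, not just the count, decides what a scanner can get away with.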

Denial of Service Defense: Click the button to expand the denial of service defense options. Select the Denial of Service Defense check box to enable all denial of service defenses.

Ping of Death Attack: Click this button to enable Ping of Death attack defense for the security zone. If any Ping of Death attack is detected, system will drop the attacking packets and give an alarm.

Teardrop Attack: Click this button to enable Teardrop attack defense for the security zone. If any Teardrop attack is detected, system will drop the attacking packets and give an alarm.

IP Fragment: Click this button to enable IP fragment defense for the security zone.

- Action: Specifies an action for IP fragment attacks. The default action is Drop.

IP Option: Click this button to enable IP option attack defense for the security zone. System will defend against the following types of IP options: Security, Loose Source Route, Record Route, Stream ID, Strict Source Route and Timestamp.

- Action: Specifies an action for IP option attacks. The default action is Drop.

Land Attack: Click this button to enable Land attack defense for the security zone.

- Action: Specifies an action for Land attacks. The default action is Drop.

Large ICMP Packet: Click this button to enable large ICMP packet defense for the security zone.

- Threshold: Specifies a size threshold for ICMP packets. If the size of any inbound ICMP packet is larger than the threshold, system will identify it as a large ICMP packet and take the specified action. The value range is 1 to 50000 bytes. The default value is 1024.

- Action: Specifies an action for large ICMP packet attacks. The default action is Drop.

Proxy: Click the button to expand the proxy defense options. Select the Proxy check box to enable all proxy defenses.

SYN Proxy: Click this button to enable SYN proxy for the security zone. SYN proxy is designed to defend against SYN flood attacks in combination with SYN flood defense. When both SYN flood defense and SYN proxy are enabled, SYN proxy acts on the packets that have already passed the SYN flood checks.

- Proxy trigger rate: Specifies the minimum number of SYN packets per second that will trigger SYN proxy or SYN-Cookie (if the button after Cookie is enabled). If the number of inbound SYN packets matched to one single port of one single destination IP address per second exceeds the specified value, system will trigger SYN proxy or SYN-Cookie. The value range is 1 to 50000. The default value is 1000.

- Cookie: Click this button to enable SYN-Cookie. SYN-Cookie is a stateless SYN proxy mechanism: the device keeps no half-open connection state, which raises the number of SYN packets it can process. Therefore, you are advised to widen the gap between "Proxy trigger rate" and "Max SYN packet rate" appropriately.

- Max SYN packet rate: Specifies the maximum number of SYN packets per second that SYN proxy or SYN-Cookie (if the button after Cookie is enabled) permits to pass through. If the number of inbound SYN packets destined to one single port of one single destination IP address per second exceeds the specified value, system will only permit the specified number of SYN packets to pass through during the current and the next second. All the excessive packets of the same type will be dropped during this period. The value range is 1 to 1500000. The default value is 3000.

- Timeout: Specifies a timeout for half-open connections. Half-open connections are dropped after the timeout. The value range is 1 to 180 seconds. The default value is 30.
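How the four SYN Proxy options interact is easier to see in code than in prose: below the trigger rate a SYN is forwarded to the server untouched, between the trigger rate and the max rate the device answers the SYN-ACK itself (statelessly with a cookie, or by storing a half-open entry that expires after the timeout), and above the max rate SYNs are dropped. The Python below is an added example written for this guide, not Hillstone code: the cookie layout (an 8-bit minute counter plus 24 bits of an HMAC over the 4-tuple), the `demo-key` secret, the tiny rates and the sample 4-tuples are assumptions made for illustration; a real device uses its own cookie format and key.

```python
import hashlib
import hmac
import os
from collections import defaultdict


class SynProxy:
    """Model of the SYN Proxy options: trigger rate, cookie, max SYN rate and
    half-open timeout. SYN rates are counted per (dst IP, dst port) per second.
    """

    def __init__(self, trigger_rate=1000, max_syn_rate=3000, timeout=30,
                 cookie=False, secret=None):
        if not 1 <= trigger_rate <= 50000:
            raise ValueError("proxy trigger rate must be within 1..50000")
        if not 1 <= max_syn_rate <= 1500000:
            raise ValueError("max SYN packet rate must be within 1..1500000")
        if not 1 <= timeout <= 180:
            raise ValueError("timeout must be within 1..180 s")
        self.trigger_rate = trigger_rate
        self.max_syn_rate = max_syn_rate
        self.timeout = timeout
        self.cookie = cookie
        self.secret = secret or os.urandom(16)  # hypothetical per-device cookie key
        self.syn_per_sec = defaultdict(int)     # (second, dst, dport) -> SYNs seen
        self.half_open = {}                     # 4-tuple -> (created, ISN); stateful mode

    def _cookie(self, src, sport, dst, dport, minute):
        """32-bit ISN: 8-bit minute counter + 24 bits of keyed hash over the 4-tuple."""
        msg = f"{src}:{sport}>{dst}:{dport}|{minute}".encode()
        tag = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return ((minute & 0xFF) << 24) | int.from_bytes(tag[:3], "big")

    def _expire(self, now):
        """Drop half-open entries older than the configured timeout."""
        stale = [k for k, (created, _) in self.half_open.items()
                 if now - created > self.timeout]
        for k in stale:
            del self.half_open[k]
        return len(stale)

    def on_syn(self, now, src, sport, dst, dport):
        """Return ('forward', None), ('synack', isn) or ('drop', None)."""
        key = (int(now), dst, dport)
        self.syn_per_sec[key] += 1
        n = self.syn_per_sec[key]
        if n > self.max_syn_rate:
            return ("drop", None)            # above Max SYN packet rate
        if n <= self.trigger_rate:
            return ("forward", None)         # below trigger: the server sees the SYN
        if self.cookie:
            # Stateless: the ISN itself is what validates the later ACK.
            return ("synack", self._cookie(src, sport, dst, dport, int(now) // 60))
        self._expire(now)
        isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[(src, sport, dst, dport)] = (now, isn)
        return ("synack", isn)

    def on_ack(self, now, src, sport, dst, dport, ack):
        """Validate the client's final ACK against the ISN the proxy sent."""
        isn = (ack - 1) & 0xFFFFFFFF
        if self.cookie:
            minute = int(now) // 60
            # Accept cookies minted in the current or the previous minute only.
            ok = any(self._cookie(src, sport, dst, dport, m) == isn
                     for m in (minute, minute - 1))
            return "established" if ok else "invalid"
        self._expire(now)
        entry = self.half_open.pop((src, sport, dst, dport), None)
        if entry is not None and entry[1] == isn:
            return "established"
        return "invalid"


def cookie_demo(now=100.0):
    """Constructed burst: 5 SYNs to one port with trigger rate 2 and max rate 4."""
    proxy = SynProxy(trigger_rate=2, max_syn_rate=4, cookie=True, secret=b"demo-key")
    verdicts = [proxy.on_syn(now + i * 0.1, "198.51.100.7", 40000 + i, "10.0.0.5", 80)
                for i in range(5)]
    isn = verdicts[2][1]                     # the third SYN was answered by the proxy
    good = proxy.on_ack(now + 0.5, "198.51.100.7", 40002, "10.0.0.5", 80, isn + 1)
    bad = proxy.on_ack(now + 0.5, "198.51.100.7", 40002, "10.0.0.5", 80, isn + 2)
    late = proxy.on_ack(now + 180, "198.51.100.7", 40002, "10.0.0.5", 80, isn + 1)
    return [v[0] for v in verdicts], good, bad, late


if __name__ == "__main__":
    print(cookie_demo())
```

In the burst the first two SYNs are forwarded, the third and fourth are answered by the proxy, the fifth exceeds the max rate and is dropped; only an ACK carrying the correct cookie plus one completes the handshake, and the same ACK three minutes later is rejected because the minute counter has moved on, which is what lets the stateless mode forget everything and still defeat spoofed SYNs.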

Protocol Anomaly Report: Click the button to expand the protocol anomaly report options. Select the Protocol Anomaly Report check box to enable all protocol anomaly reports.

TCP Anomalies: Click this button to enable TCP option anomaly defense for the security zone.

- Action: Specifies an action for TCP option anomaly attacks. The default action is Drop.
TCP Split Handshake: Click this button to enable TCP split handshake defense for the security zone.

- Action: Specifies an action for TCP split handshake attacks. The default action is Drop.

5. To restore the system default settings, click Restore Default.

6. Click OK.



Abnormal Behavior Detection
This feature may not be available on all platforms. Please check your system's actual page to see if your device delivers this feature.
Networks face various threats, such as Web server attacks, DoS flood attacks, application layer attacks, port/server scan attacks, amplification attacks, SSL attacks and so on, and these threats exhibit a wide variety of abnormal behaviors. System provides an abnormal behavior detection function based on security zones. This function inspects the sessions of each detected object across multiple factors. When a detected object has several abnormal parameters, system analyzes the relationship among them to decide whether an abnormal behavior has formed. If so, system sends an alarm message and generates the threat log(s).
The following are the concepts used by Abnormal Behavior Detection:
The followings are the concept description of the Abnormal Behavior Detection:

- Detected object: The protected objects configured in the Host Defender in this chapter and the protected objects configured in "Configuring Critical Asset Object" on Page 589.

- Parameter: A basic statistical factor of a session, such as the received bytes of inbound sessions per second. The statistical values of the parameters are used by system to judge whether the detected object is abnormal or not.

- Baseline: The baseline is the benchmark for a parameter. Its value is calculated by system from historical data and carries an upper limit and a lower limit. When the actual value of the parameter is higher than the upper limit or lower than the lower limit, the parameter is considered abnormal. If several parameters of the detected object are abnormal, system analyzes the association of these abnormal parameters and uses discretion in deciding whether the detected object has abnormal behavior. If it has, system generates threat logs.

- Abnormal behavior mode database: The abnormal behavior mode database holds the abnormality information for traffic: the detection rules, the description of each abnormality, its cause, and suggestions. This information helps you analyze and resolve the abnormal problems. By default, system updates the database at a certain time every day, and you can modify the update settings according to your own requirements. System supports automatic and manual updates, see "Upgrading System" on Page 630.

Notes: Abnormal Behavior Detection is controlled by license. To use Abnormal Behavior Detection, apply for and install the StoneShield license.

Host Defender

You can enable the Host Defender function for a specific zone. Enabling this function achieves the following:

- Establish a data model for each host whose host name can be identified.

- Analyze the network behavior of the host.

- Define the corresponding signature dimension for different network behaviors.

- Detect the abnormal behavior of the host based on the signature dimension and find the more hidden threat attacks.

The results are displayed in the iCenter page. For more information, see Viewing the Abnormal Behavior Detection Information.
To enable Host Defender, take the following steps:

1. Create a zone. For more information, refer to "Security Zone" on Page 423;

2. In the Zone Configuration page, expand Threat Protection.

3. Click the Enable button after Abnormal Behavior Detection.

4. Click the Host Defender button. To enable abnormal behavior detection of the HTTP factor, click the Advanced Protection button. To enable DDoS protection for the host, click the DDoS Protection button. To capture and save the evidence that leads to an abnormal behavior alarm, click the Forensic button.

DNS Defender

DNS, the domain name resolution protocol, is designed to resolve domain names to IP addresses. Because domain names are convenient and widely used, attackers use them in various ways to mount attacks. For example, one IP address can correspond to multiple domain names: the server locates the target URL from the Host field of the HTTP request, so malware can disguise its real domain name by modifying the Host field, which produces abnormal behavior. A DGA (domain generation algorithm) generates a large number of pseudo-random domain names for malware to use. ISP DNS hijacking adds some of the malicious domain names used by malware to its blacklist. To address these problems, DNS domain name analysis can be used as an important basis for identifying malicious behavior. After the Host Defender function is enabled, system monitors DNS response packets and builds a DNS mapping list. The DNS mapping list stores domain names and IP addresses, the pseudo-random domain names generated by DGA algorithms, and the black and white domain name lists updated from the cloud. Based on the DNS mapping, the device can detect malware and abnormal behavior attacks, generate threat logs, and display the results in the iCenter page. For more information, see Viewing the Abnormal Behavior Detection Information.

Viewing the Abnormal Behavior Detection Information

To view the Abnormal Behavior Detection information, take the following steps:

1. Select iCenter.

2. In the Threat tab, click the filter icon, select Detected By and Abnormal Behavior Detection in the drop-down list, and then click the threat entry name in the list.

3. Click the Threat Analysis tab to view the Abnormal Behavior Detection information and the trend chart of the actual value and predictive value (baseline, thresholds) of the detected object.

4. Click the Knowledge Base tab to view the threat attack description information.



Advanced Threat Detection
This feature may not be available on all platforms. Please check your system's actual page to see if
your device delivers this feature.
Advanced Threat Detection uses advanced threat detection signatures to analyze the suspicious traffic of hosts, detect malicious behavior, identify APT (Advanced Persistent Threat) attacks, and generate threat logs.

Notes:
- You need to update the Malware behavior model database before enabling the function for the first time. By default, system updates the database at a certain time every day, and you can modify the update settings according to your own requirements. For more information, see "Upgrading System" on Page 630.

- Advanced Threat Detection is controlled by license. To use Advanced Threat Detection, apply for and install the StoneShield license.

Configuring Advanced Threat Detection

To configure zone-based Advanced Threat Detection, take the following steps:

1. Create a zone. For more information, refer to "Security Zone" on Page 423;

2. In the Zone Configuration page, expand Threat Protection.

3. Click the Enable button after Advanced Threat Detection.

4. If you need to capture packets, click the Capture Packets button. System will save the evidence packets, which you can download later.
Viewing Advanced Threat Detection Information

To view the Advanced Threat Detection information, take the following steps:

1. Select iCenter.

2. In the Threat tab, click the filter icon, select Detected By and Advanced Threat Detection in the drop-down list, and then click the threat entry name in the list.

3. View the advanced threat detection information, malware reliability information and so on.

4. Click the Evidential packets or Relational packets drop-down list and select View to view the details of the packets.

5. Click the Evidential packets or Relational packets drop-down list and select Download to download the data packets.

6. Click the edit icon in Admin Action, and select the threat status from the Change to drop-down list in the Admin Action page.
- Open: When the threat entry status is "Open", system will display it again next time.

- False Positive: When the threat entry status is "False Positive", system will upload it to the cloud and display it again next time.

- Ignore: When the threat entry status is "Ignore", it will not participate in the "Risk Index" score.

- Confirmed: When the threat entry status is "Confirmed", system will display it again next time.

- Fixed: When the threat entry status is "Fixed", it will not participate in the "Network Risk Index" score.

Hot Threat Intelligence


Hot threat intelligence page displays the intelligence of hot threats on the Internet, including IPS
vulnerabilities, viruses, and threats detected by the cloud sandbox. You can view the details of the
hot threats, or carry out protection operations to prevent them.

Click iCenter > Hot Threat Intelligence to enter the Hot Threat Intelligence page. By default, the threat intelligence list shows the information of the latest year, including the release time, name, type, protection status and operation. Threat intelligence released more than one year ago is no longer displayed.

- Select a time period from the Release Time drop-down list to filter the threat information of the specified time period. Use the filter to add conditions and narrow the threat information as needed.

- Click the Enable button after Hot Threat Intelligence Push. If enabled, the Hillstone Cloud server will push the latest hot threat intelligence to system, and once system gets threat intelligence from the Hillstone Cloud server, you will be notified in a pop-up window. Otherwise, the Hillstone cloud platform will no longer push the latest hot threat intelligence; the previously received threat intelligence can only be viewed, and the relevant protective operations are not allowed.

- Click "+" before a threat intelligence item in the list and the corresponding threat summary and protection logs will be displayed below the item.

  - Threat Summary: You can view the detailed threat information, including the release time, the name, signature ID, severity, details, solutions, affected systems and other information (the items may vary slightly for different types of threat).
Option Description

Release Time: Displays the release time of the threat intelligence.

Threat Intelligence Name: Displays the threat intelligence name.

Signature ID: Displays the corresponding signature ID in the IPS signature database.

Severity: Displays the severity of the threat intelligence.

Details: Displays the details of the threat intelligence.

Solution: Displays the solutions to the threat.

Affected Systems: Displays the name of the operating system that the threat affects.

CVE ID: Displays the CVE ID and link of the threat. Click the link and a new page opens where you can view the CVE details.

CNNVD ID: Displays the CNNVD ID and link of the threat. Click the link and a new page opens where you can view the CNNVD details.

Reference Information: Displays links to reference information about the threat. Click a link and a new page opens where you can view the reference details.

  - Protection Log: If system has been attacked by the threat described in the threat intelligence within the latest month, the protection logs are displayed. If not, the protection log is empty.

- Click the threat intelligence name in the list or the corresponding operation ("Protect Now" or "View Details") in the "Operation" column, and the Hot Threat Intelligence dialog box will pop up. You can view the information about the hot threat intelligence in the dialog.

  - Click Threat Details to view the information about the threat.

  - For some threats in the "Unprotected" status, you can see the corresponding protection solutions in the Solution tab. Click the links in sequence according to the steps in the solution, and configure the related functions. Only when you finish all the steps of one solution (if there are multiple solutions, at least one of them) will the threat intelligence status become "Protected".

  - For other threats in the "Unprotected" status, the Solution tab is not displayed and you need to take protective measures on other websites or servers, but system provides some solutions in the Threat Details tab. After the threat is protected, click the Confirm As Protected button and the status of the threat intelligence will change to "Protected".

  - For a threat in the "Protected" status, if it is protected by system, you can click Protection List to view the protective measures, and click View Details to view details of the protective measures.

Notes: Because the operation steps in the Solution tab are correlated, please follow
the steps of the solution in turn. For example, if the signature database has not been
upgraded, the signature ID will not be shown, and subsequent protections may be
unavailable. Or after the signature database is upgraded, the subsequent steps may
change or some of the subsequent steps may be omitted.

Viewing Hot Threat Intelligence

System obtains and downloads the latest threat intelligence from the Hillstone cloud server at the set time every day or when you log in to system, and the hot threat intelligence list is updated with it.
When the "Hot Threat Intelligence Push" function is enabled, once system gets new intelligence, a New Threat Intelligence notice is displayed in the upper right corner of the page. Hover the mouse over the notification and click Details, and the page will jump to the hot threat intelligence page. On the iCenter > Hot Threat Intelligence page, the new threat intelligence is displayed in pop-up windows for users to view.

Mitigation
System can identify the potential risks and network attacks dynamically, and take action on the
risk that hits the mitigation rules.

Mitigation Rule

Mitigation rules include the following two types:

- Predefined rule: This rule is retrieved from the mitigation rule database. The predefined rules may vary between versions of the mitigation signature database. For more information about updating the signature database, see "Upgrading System" on Page 630.

- User-defined rule: Specify the trigger condition and action according to your needs. For more information, see Configuring a User-defined Mitigation Rule.

Notes:
- Mitigation rules apply only to the threat types Scan, DoS and Spam.

- A predefined rule cannot be edited or deleted.

Configuring a User-defined Mitigation Rule

To configure a user-defined mitigation rule, take the following steps:

1. Click iCenter > Mitigation > Mitigation Rule.

2. Click New.

In the Mitigation Configuration page, enter the user-defined mitigation rule configurations.

Description

Description: Specify the description of the user-defined mitigation rule.

Trigger Condition

Log Type: Specify the first-level and second-level log type for the trigger condition.

Severity: Specify the severity for the trigger condition.

Value: Specify the number of threat occurrences for the trigger condition.

Role: The role that this mitigation rule will affect. The role can be selected when the User defined mitigation method is chosen.
Action

Mitigation Method: There are two mitigation methods:

- Auto-mitigation: For the risks that meet the trigger conditions, system automatically adopts actions to mitigate the risks and prevent the threats.

- User defined: Customize the mitigation actions for the threats that meet the trigger conditions:

  - Session Control: By limiting the number of new sessions or concurrent sessions of the attacker, the resources it consumes are reduced, slowing the attack on the victim.

  - Bandwidth Control: By limiting the attacker's traffic, the bandwidth, CPU and other resources the threat can occupy are reduced.

  - IP Block: By blocking the connection with the attacker, the victim is cut off from the threat.

Session Control

Session Type: Specify the session type: new session or concurrent session.

Total Number: Specify the limit on the total number of sessions. System takes action when the attacker's traffic meets the trigger condition and its number of sessions exceeds the total number. The value range is 1 to 1000000000.

Drop Percentage: Specify the proportion of session packets to drop. The range is 1 to 100%.

Duration: Specify how long the session packets are dropped. The value range is 10 to 600 seconds.

Bandwidth Control

Total Number: Specify the limit on the total bandwidth. System takes action when the attacker's traffic meets the trigger condition and its bandwidth exceeds the total number. The value range is 1 to 1000000000.

Drop Percentage: Specify the proportion of packets to drop once the bandwidth limit is exceeded. The range is 1 to 100%.

Duration: Specify how long the packets are dropped. The value range is 10 to 600 seconds.

IP Block

Duration: Specify how long the block action lasts. The value range is 10 to 600 seconds.

3. Click OK.

Enabling Mitigation

After enabling mitigation, mitigation rules (user-defined rule and predefined rule) will take effect.
To enable the mitigation, take the following steps:

1. Click iCenter > Mitigation > Mitigation Rule.

2. Click the Enable Mitigation button.

Viewing Mitigation Action

To view the mitigation action results details of mitigation rules, take the following steps:

1. Click iCenter > Mitigation > Mitigation Action.

2. As necessary, you can click Filter to view the mitigation action details of specified con-
ditions.

Notes: Fuzzy search is supported, but searching by an IP address written with a mask is not.

Threat Alarm Rule

A threat alarm rule consists of threat conditions and a response method. When a threat event that meets the threat conditions (such as threat type, severity, behavior category, threat name, etc.) occurs, system notifies the user in time according to the response method specified in the rule (such as linkage with the firewall, a sound alarm or email), and the user can then take follow-up action on the threat event.

Configuring a Threat Warning Rule

To configure a threat warning rule, take the following steps:
1. Click iCenter > Threat Warning Rule.

2. Click New.

In the Threat Alarm Rule Configuration page, configure the following options.

Option Description

Rule Name: Enter the name of the threat alarm rule. The range is 1 to 127 characters.

Description: Specifies the description of the threat alarm rule. The range is 0 to 255 characters.

Threat Condition

Threat Condition: Specifies the conditions for generating threat alarms, including asset type, IP address, severity, threat type, etc.

- Asset Type: Specifies the asset type which needs to be matched for generating a threat alarm. Click the drop-down list and select Server, Endpoint, or All.

- IP: Specifies the IP address (source IP or destination IP) of the asset which needs to be matched for generating a threat alarm.

  1. Click "+" and then select IPv4/Netmask, IPv4 Range, IPv6/Prefix or IPv6 Range as needed.

  2. Enter the corresponding IP address in the text box.

  3. Click Add to add the specified IP address/IP address range to the drop-down list. System allows up to 8 IP addresses/IP address ranges to be added.

  4. To delete an added address, click the delete icon after the address in the drop-down list.

- Source IP: Specifies the source IP of the threat event which needs to be matched for generating a threat alarm. Addresses are added in the same way as above.

- Destination IP: Specifies the destination IP of the threat event which needs to be matched for generating a threat alarm. Addresses are added in the same way as above.

- Severity: Specifies the severity of the threat event which needs to be matched for generating a threat alarm. Click the drop-down list and select the severity check boxes; more than one severity can be selected.

- Threat Type: Specifies the threat type which needs to be matched for generating a threat alarm. Click the drop-down list and select the subtype of the threat event. At most one threat type can be chosen.

- Threat Name Contains: Specifies a string that the threat event name must contain for generating a threat alarm, for example: CVE-1999-0067. Only one string is supported.

Note:

- The logical relationship among the threat conditions is AND.

- The logical relationship among the multiple-choice items of a single threat condition is OR.

- If a threat condition is not configured, it matches all values; for example, when Threat Type is not specified, all threat types are included.

Response Method

Threat Sound Alarm: Specifies whether to enable the threat sound alarm. Click the Enable button to enable the threat sound alarm. After it is enabled, when a threat alarm is newly generated or has not yet been viewed, system plays a sound to remind the user and displays a reminder under "Notice" in the upper right corner of the system. To view the details of the threat sound alarm, refer to Viewing the Details of Threat Sound Alarm.

Mail Alarm: Specifies whether to send the alarm mail. Click the Enable button to enable alarm emails. After it is enabled, when a threat alarm is generated, system sends an alarm email to the specified recipients according to the configuration.

- Email: Enter the addresses of the recipients of the alarm email in the text box. The field holds 1 to 255 characters; separate multiple addresses with semicolons.

- Send Test Mail: Click the Send Test Mail button to check whether system can send an email to the specified address successfully.

- Mail Title: Specifies the title of the alarm mail. The title range is 0 to 127 characters. The default mail title is: notification email from threat alarm rule "xxx".

- Mail Interval: Specifies the minimum interval between two alarm emails. The value range goes up to 1440 minutes; the default is 10 minutes.

Editing the Threat Alarm Rule

To edit the threat alarm rule, take the following steps:

1. Click iCenter > Threat Warning Rule to open the threat alarm rules list.

2. Select the check box of the threat alarm rule to be edited and click the Edit button.

3. In the Threat Alarm Rule Configuration page, edit the selected threat alarm rule.

4. Click OK.



Enabling/Disabling the Threat Alarm Rule

To enable or disable a threat alarm rule, take the following steps:

1. Click iCenter > Threat Warning Rule to open the threat alarm rules list.

2. Select the check box of the threat alarm rule to be enabled or disabled.

3. Click the Enable or Disable button.

Deleting the Threat Alarm Rule

To delete the threat alarm rule, take the following steps:

1. Click iCenter > Threat Warning Rule to open the threat alarm rules list.

2. Select the check box of the threat alarm rule to be deleted.

3. Click Delete.

Viewing the Details of Threat Sound Alarm

After the Threat Sound Alarm is enabled in a threat alarm rule, when the system generates a threat alarm that matches the rule, the Threat Sound Alarm notice is displayed in the upper right corner of the page.
To view the details of the threat sound alarm, take the following steps:

1. Hover the mouse over the notification, then click Details after Threat Sound Alarm.

2. View the threat events matching threat alarm rules (with threat sound alarm enabled) in the Threat Sound Alarm dialog.

3. Click Clear Threat Sound Alarm to clear all threat sound alarms.


Network Configuration
This chapter describes factors and configurations related to network connection, including:

• Security Zone: A security zone divides the network into different sections, for example, a trust zone or an untrust zone. The device can control the traffic from and to security zones once the configured policy rules have been applied.

• Interface: The interface allows inbound and outbound traffic to security zones. An interface must be bound to a security zone so that traffic can flow into and from the security zone.

• DNS: Domain Name System.

• DHCP: Dynamic Host Configuration Protocol.

• Application Layer Gateway: ALG assures data transmission for applications that use multiple channels, and assures the proper operation of VoIP applications in the strictest NAT mode.

• Global Network Parameters: These parameters mainly include IP packet processing options, like IP fragmentation, TCP MSS value, etc.


Security Zone
A security zone is a logical entity. One or more interfaces can be bound to one zone. A zone to which a policy is applied is known as a security zone, while a zone created for a specific function is known as a functional zone. Zones have the following features:

• Whether a zone is a Layer 2 zone or a Layer 3 zone decides whether the interfaces bound to it work in Layer 2 mode or Layer 3 mode.

• Interfaces bound to a Layer 2 zone or a Layer 3 zone work in Layer 2 mode and Layer 3 mode respectively.

• Traffic between interfaces that are bound to Layer 2 zones is forwarded according to Layer 2 forwarding rules. The predefined vswitch1 interface acts as the upstream switch interface, allowing packet forwarding between Layer 2 and Layer 3.

• Traffic between interfaces that are bound to Layer 3 zones is forwarded according to Layer 3 forwarding rules.

• The system supports intra-zone policies, like a trust-to-trust policy rule.

There are several predefined security zones in the system, which cannot be deleted or renamed. You can modify the configurations of these predefined zones, and you can also customize security zones. Predefined security zones and user-defined security zones make no difference in function, and you can choose either freely.

Configuring a Security Zone

To create a security zone:

1. Select Configuration Management > Network Configuration > Zone.

2. Click New.

3. In the Zone Configuration page, type the name for the zone into the Zone box.

4. Type the description of the zone into the Description text box.

5. Specify a type for the security zone: Layer 2 zone, Layer 3 zone, or TAP zone. The TAP zone is a functional zone for the TAP mode.

6. Bind interfaces to the zone. Select an interface from the Binding Interface drop-down list.

7. If needed, expand Advanced and click the Enable button before Application Identification to enable APP identification for the zone.

8. If needed, expand Advanced and click the Enable button before WAN Zone to set the zone as a WAN zone, assuring the accuracy of the statistic analysis sets that are based on IP data.

9. If needed, expand Advanced and click the Enable button before NetBIOS over TCP/IP (NBT) Cache to enable NetBIOS host query for the zone.

10. If needed, expand Threat Protection and configure the parameters for the Threat Protection function. For detailed instructions, see "Security Protection Configuration" on Page 253.

11. If needed, expand Data Security and configure the parameters for the Data Security function. For detailed instructions, see "Data Security" on Page 370.

12. Click OK to save the configurations.

Notes:
An interface bound to the TAP zone only monitors the traffic and does not forward it. However, when the device enters the Bypass state (such as system restart, abnormal operation, or device power off), the Bypass interface pair is physically connected and traffic is forwarded between the two interfaces. If you want to avoid this situation, avoid setting a pair of Bypass interfaces as the TAP zone, or close the Bypass function; for details refer to "Force to Close the Bypass Function" on Page 687.


Management Interface
This feature may not be available on all devices. Please check your system's actual page to see whether your device delivers this feature.
To facilitate management and the HA topology, the device defines the management interfaces MGT0 (bound to the mgt zone) and MGT1 (bound to the HA zone).

Configuring a Management Interface

To configure an MGT interface, take the following steps:

1. Select Configuration Management > Network Configuration > Management Interface.

2. Select an interface from the Interface Name drop-down list.

3. Specify the zone for the management interface in the Zone drop-down list. You can only select a Layer 3 zone.

4. Specify the method of obtaining the IP address in the IP Configuration section. "Static IP" means specifying a static IP address and the netmask. Click Advanced to specify secondary IP addresses in the text box. You can specify up to 6 secondary IP addresses. "Auto-obtain" means obtaining the IP address through DHCP.

5. Specify the management methods by selecting the "Telnet/SSH/Ping/HTTP/HTTPS/SNMP" check boxes of the desired management methods.

6. Specify the duplex mode and rate of the management interface. If you select the Auto duplex transmission mode, you can only select the Auto rate.

7. Select the Shut Down check box to shut down the management interface.

8. Click OK.


Interface
Interfaces allow inbound and outbound traffic to flow to security zones. An interface must be bound to a security zone so that traffic can flow into and from the security zone. Furthermore, for a Layer 3 security zone, an IP address should be configured for the interface, and the corresponding policy rules should also be configured to allow traffic transmission between different security zones. Multiple interfaces can be bound to one security zone, but one interface cannot be bound to multiple security zones.
The security devices support various types of interfaces, which are basically divided into physical and logical interfaces based on their nature.

• Physical Interface: Each Ethernet interface on the device represents a physical interface. The name of a physical interface, consisting of media type, slot number and location parameter, is predefined, like ethernet2/1 or ethernet0/2.

• Logical Interface: Includes sub-interface, loopback interface, aggregate interface, and redundant interface.

Interfaces can also be divided into Layer 2 interfaces and Layer 3 interfaces based on their security zones.

• Layer 2 Interface: Any interface in a Layer 2 zone.

• Layer 3 Interface: Any interface in a Layer 3 zone. Only Layer 3 interfaces can operate in NAT/routing mode.

Different types of interfaces provide different functions, as described in the table below.

Type Description

Sub-interface: The name of a sub-interface is an extension of the name of its original interface, like ethernet0/2.1. The system supports the following types of sub-interfaces: Ethernet sub-interface, aggregate sub-interface and redundant sub-interface. An interface and its sub-interfaces can be bound to one single security zone, or to different zones.

Loopback interface: A logical interface. As long as the security device on which the loopback interface is configured is in the working state, the interface will be in the working state as well. Therefore, the loopback interface is characterized by stability.

Aggregate interface: A collection of 1 to 16 physical interfaces. These interfaces share the traffic load to the IP address of the aggregate interface equally, in order to increase the available bandwidth for a single IP address. If one of the physical interfaces within an aggregate interface fails, the other physical interfaces can still process the traffic normally. The only effect is that the available bandwidth decreases.

Redundant interface: The redundant interface allows backup between two physical interfaces. One physical interface, acting as the primary interface, processes the inbound traffic, and the other interface, acting as the alternative interface, takes over the processing if the primary interface fails.


Configuring an Interface

The configuration options for different types of interfaces may vary. For more information, see the following instructions.
Both IPv4 and IPv6 addresses can be configured for an interface.

General Properties of Interfaces

Interfaces of different types share many common properties. The tables below show the common properties and their descriptions.

1. Select Configuration Management > Network Configuration > Interface.

2. Double click an interface to view its configuration:

Expand Interface Properties, configure properties for the interface.

Option Description

Duplex: Specifies a duplex working mode for the interface. Options include auto, full duplex and half duplex. Auto is the default working mode, in which the system selects the most appropriate duplex working mode automatically. 1000M half duplex is not supported.

Rate: Specifies a working rate for the interface. Options include Auto, 10M, 100M and 1000M. Auto is the default working mode, in which the system detects and selects the most appropriate working mode automatically. 1000M half duplex is not supported.

Combo type: This option is applicable to the Combo port of copper port + fiber port. If both the copper port and the fiber port are plugged with a cable, the fiber port is prioritized by default; if the copper port is used at first, and then a cable is plugged into the fiber port, the fiber port will be used for data transmission after a reboot. You can specify how the copper port or fiber port is used. The options are:

  • Auto: The default scenario described above.

  • Copper forced: The copper port is enforced.

  • Copper preferred: The copper port is prioritized.

  • Fiber forced: The fiber port is enforced.

  • Fiber preferred: The fiber port is prioritized.

  With this option configured, the device migrates the traffic on the copper port to the fiber port automatically without a reboot.

MTU: Specifies an MTU for the interface. The value range is 1280 to 1500/1800 bytes. The default value is 1500. The maximum MTU may vary between Hillstone models.

ARP Learning: Select the Enable check box to enable ARP learning.

ARP Timeout: Specifies an ARP timeout for the interface. The value range is 5 to 65535 seconds. The default value is 1200.

Keep-alive IP: Specifies an IP address that receives the interface's keep-alive packets.

MAC clone: Select the MAC clone check box to enable the MAC clone function. The system clones a MAC address to the Ethernet sub-interface. If the user clicks "Restore Default MAC", the Ethernet sub-interface restores the default MAC address.

Expand Advanced Configuration, configure advanced options for the interface.

Option Description

Shutdown: The system supports interface shutdown. You can not only force a specific interface to shut down, but also control the time of the shutdown by schedule, or control the shutdown according to the link status of tracked objects. Configure the options as below:

  1. Select the Shut down check box to enable interface shutdown.

  2. To control the shutdown by schedule or tracked objects, select the appropriate check box, and then select a schedule or tracked object from the drop-down list.

Monitor and Backup: Configure the options as below:

  1. Select the appropriate check box, and then select a schedule or tracked object from the drop-down list.

  2. Select an action:

    • Shut down the interface: During the time specified in the schedule, or when the tracked object fails, the interface is shut down and its related route fails;

    • Migrate traffic to backup interface: During the time specified in the schedule, or when the tracked object fails, traffic to the interface is migrated to the backup interface. In this case you need to select a backup interface from the Backup interface drop-down list and type the time into the Migrating time box. (Migrating time, 0 to 60 minutes, is the period during which traffic is migrated to the backup interface before the primary interface is switched to the backup interface. During the migrating time, traffic is migrated from the primary interface to the backup interface smoothly. By default the migrating time is set to 0, i.e., all the traffic is migrated to the backup interface immediately.)
Click the Enable button after IPv6 Configuration to configure IPv6 for the interface.

Option Description

IPv6 Address: Specifies the IPv6 address prefix.

Prefix Length: Specifies the prefix length.

Autoconfig: Select the check box to enable the Auto-config function. In address auto-config mode, the interface first receives the address prefix in RA packets, and then combines it with the interface identifier to generate a global address.

  • Set Default Route - If the interface is configured with a default router, this option generates a default route to the default router.

DHCP: The system supports DHCPv6 client, DHCPv6 server and DHCPv6 relay proxy.

  • Select the DHCP check box to enable the DHCP client for the interface. After enabling, the system acts as a DHCPv6 client and obtains IPv6 addresses from the DHCP server. Selecting the Rapid-commit option helps obtain IPv6 addresses from the server quickly. The Rapid-commit function must be enabled on both the DHCP client and the server.

  • Select DHCPv6 Server from the DHCP drop-down list and configure the options as described in Configuring DHCPv6 Server; the system then acts as a DHCPv6 server that assigns IPv6 addresses to DHCP clients.

  • Select DHCPv6 Relay Proxy from the DHCP drop-down list and configure the options as described in Configuring DHCPv6 Relay Proxy; the system then acts as a DHCPv6 relay proxy that receives requests from a DHCPv6 client and sends the requests to the DHCPv6 server.

IPv6 Advanced

Static: Click New to add IPv6 addresses, at most 5 IPv6 addresses. Click the Delete button to delete an IPv6 address.

Dynamic: Shows the IPv6 addresses that are dynamic.

Link-local: Specifies the link-local address. The link-local address is used for communication between adjacent nodes on a single link, for example, communication between hosts when there are no routers on the link. By default the system generates a link-local address for the interface automatically if the interface is enabled with IPv6 (in interface configuration mode, use the command ipv6 enable). You can also specify a link-local address for the interface as needed, and the specified link-local address replaces the automatically generated one.

MTU: Specifies an IPv6 MTU for the interface. The default MTU value is 1500 bytes. The range is 1280 bytes to 1800/2000 bytes (different devices support different maximum MTU values).

DAD Attempts: Specifies the number of NS packet attempts. The value range is 0 to 20. The value 0 indicates that DAD is not enabled on the interface. If the system does not receive any NA response packets after sending NS packets for the configured number of attempts, it verifies that the IPv6 address is a unique available address.
DAD (Duplicate Address Detection) is designed to verify the uniqueness of IPv6 addresses. This function is implemented by sending NS (Neighbor Solicitation) requests. After receiving an NS packet, if any other host on the link finds that the address of the NS requester is duplicated, it sends an NA (Neighbor Advertisement) packet advertising that the address is already in use, and then the NS requester marks the address as duplicate, indicating that the address is an invalid IPv6 address.

ND Interval: Specifies an interval for sending NS packets.

ND Reachable Time: Specifies the reachable time. After sending an NS packet, if the interface receives an acknowledgment from a neighbor within the specified time, it considers the neighbor reachable. This time is known as the reachable time.

Hop Limit: Specifies the hop limit. The hop limit is the maximum number of hops for IPv6 or RA packets sent by the interface.

ND RA Suppress: Select the check box to disable RA suppress on LAN interfaces.
By default, an FDDI interface configured with an IPv6 unicast route sends RA packets automatically, and interfaces of other types do not send RA packets.

Manage IP/MASK: Specifies the manage IP/MASK.


Creating a Loopback Interface

To create a loopback interface, take the following steps:

1. Select Configuration Management > Network Configuration > Interface.

2. Click New > Loopback Interface.

In this page, configure the following.

Option Description

Interface Name: Specifies a name for the loopback interface.

Description: Enter a description for the loopback interface.

Binding Zone: Bind the interface to a zone or not.
If Layer 3 zone/Layer 2 zone/TAP is selected, proceed to select a zone from the Zone drop-down list.
If TAP is selected, you can specify the LAN addresses from the LAN Address drop-down menu. With this configured, the device can identify the intranet traffic and display it in the Monitor.
You can also specify the firewall information (the firewall's IP, SSH port, login name, and password) in Firewall Linkage Configuration to combine the current device with a Hillstone firewall. When the current device is working in the following network environment and configuration, it sends the traffic information that matches an IPS rule to the firewall, which blocks the IP or service:

  • The device works in the TAP mode and this interface is the one that receives the mirrored traffic;

  • The source zone and destination zone in the security policy are a TAP zone with this interface bound;

  • The action of the IPS rule referenced by the above security policy is Block IP or Block service.

If No Binding is selected, the interface is not bound to any zone.

Zone: Select a security zone from the Zone drop-down list.

HA sync: Click this button to enable the HA sync function. The primary device synchronizes its information with the backup device.

IP Configuration

Static IP:
  IP address: Specifies an IP address for the interface.
  Netmask: Specifies a netmask for the interface.
  Set as Local IP: In an HA environment, if this option is specified, the interface IP is not synchronized to the HA peer.

DHCP:
  Set gateway information from DHCP server as the default gateway route: With this check box selected, the system sets the gateway information provided by the DHCP server as the default gateway route.
  Advanced:

  • Distance: Specifies a route distance. The value range is 1 to 255. The default value is 1.

  • Weight: Specifies a route weight. The value range is 1 to 255. The default value is 1.

  • Management Priority: Specifies a priority for the DNS server. Besides static DNS servers, the system can also learn DNS servers dynamically via DHCP or PPPoE. Therefore, you need to configure priorities for the DNS servers, so that the system can choose a DNS server according to its priority during DNS resolution. The priority is represented by a number from 1 to 255. The larger the number, the higher the priority. The priority of static DNS servers is 20.

Management: Select one or more management method check boxes to configure the interface management method.

3. "Expand Interface Properties, configure properties for the interface." on Page 429

4. "Expand Advanced Configuration, configure advanced options for the interface." on Page 431

5. "Click the Enable button after IPv6 Configuration to configure IPv6 for the interface." on Page 432

6. Click OK.

Creating an Aggregate Interface

To create an aggregate interface, take the following steps:

1. Select Configuration Management > Network Configuration > Interface.

2. Click New > Aggregate Interface.

In this page, configure the following.

Option Description

Interface Name: Specifies a name for the aggregate interface.

Description: Enter a description for the aggregate interface.

Binding Zone: Bind the interface to a zone or not.
If Layer 3 zone/Layer 2 zone/TAP is selected, proceed to select a zone from the Zone drop-down list.
If TAP is selected, you can specify the LAN addresses from the LAN Address drop-down menu. With this configured, the device can identify the intranet traffic and display it in the Monitor.
You can also specify the firewall information (the firewall's IP, SSH port, login name, and password) in Firewall Linkage Configuration to combine the current device with a Hillstone firewall. When the current device is working in the following network environment and configuration, it sends the traffic information that matches an IPS rule to the firewall, which blocks the IP or service:

  • The device works in the TAP mode and this interface is the one that receives the mirrored traffic;

  • The source zone and destination zone in the security policy are a TAP zone with this interface bound;

  • The action of the IPS rule referenced by the above security policy is Block IP or Block service.

If No Binding is selected, the interface is not bound to any zone.

Zone: Select a security zone from the Zone drop-down list.

Aggregate mode:

  • Forced: Aggregates multiple physical interfaces to form an aggregate interface. These physical interfaces share the traffic passing through the aggregate interface equally.

  • Enables LACP on the interface to negotiate aggregate interfaces dynamically. LACP options are:

    • System priority: Specifies the LACP system priority. The value range is 1 to 32768; the default value is 32768. This parameter is used to ensure the interfaces of the two ends are consistent. The system selects interfaces based on the end with the higher LACP system priority. The smaller the value, the higher the priority. If the LACP system priorities of the two ends are equal, the system compares the MACs of the two ends. The smaller the MAC, the higher the priority.

    • Max bundle: Specifies the maximum number of active interfaces. The value range is 1 to 16; the default value is 16. When the active interfaces reach the maximum number, the status of the other legal interfaces changes to Standby.

    • Min bundle: Specifies the minimum number of active interfaces. The value range is 1 to 8; the default value is 1. When the active interfaces reach the minimum number, the status of all the legal interfaces in the aggregation group changes to Standby automatically and they do not forward any traffic.
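The member selection rules of the Aggregate mode options (system priority with MAC tie-break, Max bundle, Min bundle, Forced mode), as an added Python example that is not Hillstone code; it assumes ordering of links by port number at the deciding end, models Min bundle as the usual min-links behaviour (fewer link-up members than Min bundle puts the whole group in Standby), and uses constructed member names and MACs:

```python
"""Added example (not Hillstone code): member selection for an aggregate
interface under the LACP rules described above. The end with the lower
system priority value (tie-break: lower MAC) decides the link ordering,
up to Max bundle links are Active and the rest Standby, and (assumed usual
min-links behaviour) fewer link-up members than Min bundle puts the whole
group in Standby. Ordering links by port number is an assumption."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class LacpSystem:
    """LACP system identity of one end of the aggregate link."""
    priority: int   # 1..32768, smaller value = higher priority
    mac: str        # "aa:bb:cc:dd:ee:ff"

    def __post_init__(self):
        if not 1 <= self.priority <= 32768:
            raise ValueError("LACP system priority must be 1 to 32768")

    def rank(self):
        # lower tuple = higher LACP priority; the MAC is compared numerically
        return (self.priority, int(self.mac.replace(":", ""), 16))


@dataclass
class Member:
    """One physical member port (constructed names such as 'ethernet0/1')."""
    name: str
    link_up: bool
    local_port: int   # port number at the local end (assumed ordering key)
    peer_port: int    # port number of the same link at the peer end


def deciding_end(local: LacpSystem, peer: LacpSystem) -> str:
    """Return 'local' or 'peer': the end whose port ordering governs selection."""
    return "local" if local.rank() <= peer.rank() else "peer"


def select_members(members: List[Member], local: LacpSystem, peer: LacpSystem,
                   mode: str = "lacp", max_bundle: int = 16,
                   min_bundle: int = 1) -> Dict[str, str]:
    """Return {member name: 'Active' | 'Standby' | 'Down'}."""
    if not 1 <= max_bundle <= 16:
        raise ValueError("Max bundle must be 1 to 16")
    if not 1 <= min_bundle <= 8:
        raise ValueError("Min bundle must be 1 to 8")
    status = {m.name: "Down" for m in members if not m.link_up}
    up = [m for m in members if m.link_up]
    if mode == "forced":
        # Forced mode: no negotiation, every link-up member carries traffic
        status.update({m.name: "Active" for m in up})
        return status
    if mode != "lacp":
        raise ValueError("mode must be 'lacp' or 'forced'")
    if len(up) < min_bundle:
        # below Min bundle: the whole group stops forwarding (assumption, see above)
        status.update({m.name: "Standby" for m in up})
        return status
    decider = deciding_end(local, peer)
    up.sort(key=lambda m: m.local_port if decider == "local" else m.peer_port)
    for i, m in enumerate(up):
        status[m.name] = "Active" if i < max_bundle else "Standby"
    return status


# Constructed sample: equal system priorities, so the lower MAC (the peer) decides.
LOCAL = LacpSystem(priority=32768, mac="00:11:22:33:44:55")
PEER = LacpSystem(priority=32768, mac="00:11:22:33:44:10")
MEMBERS = [
    Member("ethernet0/1", True, local_port=1, peer_port=3),
    Member("ethernet0/2", True, local_port=2, peer_port=1),
    Member("ethernet0/3", True, local_port=3, peer_port=2),
    Member("ethernet0/4", False, local_port=4, peer_port=4),
]

if __name__ == "__main__":
    for name, state in select_members(MEMBERS, LOCAL, PEER, max_bundle=2).items():
        print(f"{name}: {state}")
```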

HA sync: Click this button to enable the HA sync function. The primary device synchronizes its information with the backup device.

IP Configuration

Static IP:
  IP address: Specifies an IP address for the interface.
  Netmask: Specifies a netmask for the interface.
  Set as Local IP: In an HA environment, if this option is specified, the interface IP is not synchronized to the HA peer.

DHCP:
  Set gateway information from DHCP server as the default gateway route: With this check box selected, the system sets the gateway information provided by the DHCP server as the default gateway route.
  Advanced:

  • Distance: Specifies a route distance. The value range is 1 to 255. The default value is 1.

  • Weight: Specifies a route weight. The value range is 1 to 255. The default value is 1.

  • Management Priority: Specifies a priority for the DNS server. Besides static DNS servers, the system can also learn DNS servers dynamically via DHCP or PPPoE. Therefore, you need to configure priorities for the DNS servers, so that the system can choose a DNS server according to its priority during DNS resolution. The priority is represented by a number from 1 to 255. The larger the number, the higher the priority. The priority of static DNS servers is 20.

Management: Select one or more management method check boxes to configure the interface management method.

Binding Port: Select physical interfaces for the aggregate interface from the Members drop-down list. The selected physical interfaces cannot belong to other interfaces or security zones.

3. "Expand Interface Properties, configure properties for the interface." on Page 429

4. "Expand Advanced Configuration, configure advanced options for the interface." on Page 431

5. Expand Load Balance, configure a load balance mode for the interface. "Flow-based" means enabling automatic load balance based on the flow. This is the default mode. "Tuple" means enabling load balance based on the source/destination IP, source/destination MAC, source/destination interface or protocol type of the packet, or a combination of the selected items.

6. "Click the Enable button after IPv6 Configuration to configure IPv6 for the interface." on Page 432

7. Click OK.


Creating a Redundant Interface

To create a redundant interface, take the following steps:

1. Select Configuration Management > Network Configuration > Interface.

2. Click New > Redundant Interface.

445 Network Configuration


In this page, configure the followings.

Option Description

Interface Specifies a name for the redundant interface.

Network Configuration 446


Option Description

Name

Description Enter descriptions for the redundant interface.

Binding Zone Bind the interface to a zone or not.


If Layer 3 zone/Layer 2 zone/TAP is selected, proceed
to select a zone from the Zone drop-down list.
If TAP is selected, you can specify the LAN addresses
from the LAN Address drop-down menu. With this
configured, the device can identify the intranet traffic,
and display them in the Monitor.
And you can also specify the firewall information (fire-
wall's IP, SSH port, login name, and password) in Fire-
wall Linkage Configuration to combine the current
device with a Hillstone firewall. When the current
device is working in the following network envir-
onment and configurations, it will send the traffic
information that matches an IPS rule to the firewall
which will block the IP or service:

l The device works in the TAP mode and this inter-


face is the one that receives the mirror traffic;

l The source zone and destination zone in the secur-


ity policy is a TAP zone with this interface bound.

l The action of the IPS rule that referenced by the


above security policy is Block IP or Block service.

If No Binding is selected, the interface will not bind to


any zone.

Zone Select a security zone from the Zone drop-down list.

447 Network Configuration


Option Description

HA sync Click this button to enable HA sync function. The


primary device will synchronize its information with the
backup device.

IP Configuration

Static IP IP address: Specifies an IP address for the interface.

Netmask: Specifies a netmask for the interface.

Set as Local IP: In an HA environment, if this option is


specified, the interface IP will not synchronize to the HA
peer.

DHCP Set gateway information from DHCP server as the


default gateway route: With this check box selected,
system will set the gateway information provided by
the DHCP server as the default gateway route.
Advanced:

l Distance: Specifies a route distance. The value


range is 1 to 255. The default value is 1.

l Weight: Specifies a route weight. The value


range is 1 to 255. The default value is 1.

l Management Priority: Specifies a priority for the


DNS server. Except for static DNS servers, sys-
tem can also learn DNS servers dynamically via
DHCP or PPPoE. Therefore, you need to con-
figure priorities for the DNS servers, so that the
system can choose a DNS server according to its
priority during DNS resolution. The priority is
represented in numbers from 1 to 255. The lar-

Network Configuration 448


Option Description

ger the number is, the higher the priority is. The
priority of static DNS servers is 20.

Management Select one or more management method check boxes to configure the interface management method.

Binding Port Select physical interfaces for the redundant interface from the Members drop-down list. The selected physical interfaces cannot belong to other interfaces or security zones.

3. "Expand Interface Properties, configure properties for the interface." on Page 429

4. "Expand Advanced Configuration, configure advanced options for the interface." on Page 431

5. "Click the Enable button after IPv6 Configuration to configure IPv6 for the interface." on Page 432

6. Click OK.

Creating an Ethernet Sub-interface/Aggregate Sub-interface/Redundant Sub-interface

To create an Ethernet sub-interface/aggregate sub-interface/redundant sub-interface, take the following steps:

1. Select Configuration Management > Network Configuration > Interface.

2. Click New > Ethernet Sub-interface/Aggregate Sub-interface/Redundant Sub-interface.

In this page, configure the followings.

Option Description

Interface Name Specifies a name for the aggregate interface.

Description Enter descriptions for the aggregate interface.

Binding Zone Bind the interface to a zone or not.
If Layer 3 zone/Layer 2 zone/TAP is selected, proceed to select a zone from the Zone drop-down list.
If TAP is selected, you can specify the LAN addresses from the LAN Address drop-down menu. With this configured, the device can identify the intranet traffic and display it in the Monitor.
You can also specify the firewall information (firewall's IP, SSH port, login name, and password) in Firewall Linkage Configuration to combine the current device with a Hillstone firewall. When the current device is working in the following network environment and configurations, it will send the traffic information that matches an IPS rule to the firewall, which will block the IP or service:

l The device works in the TAP mode and this interface is the one that receives the mirror traffic;

l The source zone and destination zone in the security policy are the TAP zone bound to this interface.

l The action of the IPS rule referenced by the above security policy is Block IP or Block service.

If No Binding is selected, the interface will not bind to any zone.

Zone Select a security zone from the Zone drop-down list.

IP Configuration

Static IP IP address: Specifies an IP address for the interface.

Netmask: Specifies a netmask for the interface.

Set as Local IP: In an HA environment, if this option is specified, the interface IP will not synchronize to the HA peer.

DHCP Set gateway information from DHCP server as the default gateway route: With this check box selected, system will set the gateway information provided by the DHCP server as the default gateway route.
Advanced:

l Distance: Specifies a route distance. The value range is 1 to 255. The default value is 1.

l Weight: Specifies a route weight. The value range is 1 to 255. The default value is 1.

l Management Priority: Specifies a priority for the DNS server. Besides static DNS servers, the system can also learn DNS servers dynamically via DHCP or PPPoE. Therefore, you need to configure priorities for the DNS servers, so that the system can choose a DNS server according to its priority during DNS resolution. The priority is represented in numbers from 1 to 255. The larger the number is, the higher the priority is. The priority of static DNS servers is 20.

Management Select one or more management method check boxes to configure the interface management method.


3. "Expand Interface Properties, configure properties for the interface." on Page 429

4. "Expand Advanced Configuration, configure advanced options for the interface." on Page 431

5. "Click the Enable button after IPv6 Configuration to configure IPv6 for the interface." on Page 432

6. Click OK.

Editing an Interface

To edit an interface, take the following steps:

1. Select Configuration Management > Network Configuration > Interface.

2. Select the interface you want to edit from the interface list and click Edit.



In this page, configure the followings.

Option Description

Interface Name Specifies a name for the interface.

Description Enter descriptions for the interface.

Binding Zone Bind the interface to a zone or not.
If Layer 3 zone/Layer 2 zone/TAP is selected, proceed to select a zone from the Zone drop-down list.
If TAP is selected, you can specify the LAN addresses from the LAN Address drop-down menu. With this configured, the device can identify the intranet traffic and display it in the Monitor.
You can also specify the firewall information (firewall's IP, SSH port, login name, and password) in Firewall Linkage Configuration to combine the current device with a Hillstone firewall. When the current device is working in the following network environment and configurations, it will send the traffic information that matches an IPS rule to the firewall, which will block the IP or service:

l The device works in the TAP mode and this interface is the one that receives the mirror traffic;

l The source zone and destination zone in the security policy are the TAP zone bound to this interface.

l The action of the IPS rule referenced by the above security policy is Block IP or Block service.

If No Binding is selected, the interface will not bind to any zone.

Zone Select a security zone from the Zone drop-down list.

IP Configuration

Static IP IP address: Specifies an IP address for the interface.

Netmask: Specifies a netmask for the interface.

Set as Local IP: In an HA environment, if this option is specified, the interface IP will not synchronize to the HA peer.

DHCP Set gateway information from DHCP server as the default gateway route: With this check box selected, system will set the gateway information provided by the DHCP server as the default gateway route.
Advanced:

l Distance: Specifies a route distance. The value range is 1 to 255. The default value is 1.

l Weight: Specifies a route weight. The value range is 1 to 255. The default value is 1.

l Management Priority: Specifies a priority for the DNS server. Besides static DNS servers, the system can also learn DNS servers dynamically via DHCP or PPPoE. Therefore, you need to configure priorities for the DNS servers, so that the system can choose a DNS server according to its priority during DNS resolution. The priority is represented in numbers from 1 to 255. The larger the number is, the higher the priority is. The priority of static DNS servers is 20.

Management Select one or more management method check boxes to configure the interface management method.

3. "Expand Interface Properties, configure properties for the interface." on Page 429

4. "Expand Advanced Configuration, configure advanced options for the interface." on Page 431

5. "Click the Enable button after IPv6 Configuration to configure IPv6 for the interface." on Page 432

6. Click OK.

Notes:
l Before deleting an aggregate/redundant interface, you must cancel other interfaces' bindings to it, the aggregate/redundant sub-interface's configuration, its IP address configuration and its binding to the security zone.

l An Ethernet interface can only be edited but cannot be deleted.

Interface Group
The interface group function binds the status of several interfaces together to form a logical group. If any interface in the group is faulty, the status of the other interfaces will be Down. After all the interfaces return to normal, the status of the interface group will be Up. The interface group function can bind the status of interfaces on different expansion modules.

Creating an Interface Group

To create an interface group, take the following steps:



1. Select Configuration Management > Network Configuration > Interface Group.

2. Click New.

3. In the Interface Group Configuration page, type the name for the interface group. Interface group names must be unique.

4. In the Member drop-down list, select the interfaces you want to add to the interface group. The maximum number of interfaces is 8.
Note: Members of an interface group cannot conflict with those of other interface groups.

5. Click OK.
You can click the Edit or Delete button to edit the members of an interface group or delete the interface group.

LLDP
Network devices are increasingly diverse, and their configurations are correspondingly complicated. Mutual discovery and exchange of system and configuration information between devices of different manufacturers are therefore necessary to facilitate management. LLDP (Link Layer Discovery Protocol) is a neighbor discovery protocol defined in IEEE 802.1ab, which provides a discovery method at the link layer. By means of LLDP, the system can quickly learn the topology of the layer-2 network and its changes as the network expands rapidly.
By means of LLDP, the LLDP information of the device, including the device information, system name, system description, port description, network management address and so on, can be sent in the form of standard TLV (Type Length Value) multicast messages from the physical port to the directly-connected neighbor. If the neighbor also enables LLDP, a neighbor relationship is established between both sides. When the neighbor receives these messages, it stores them in the form of MIBs in the SNMP MIB database, so that the network management system can query and analyze the layer-2 topology of the current network and the problems in it.

LLDP Work Mode

The 4 work modes of LLDP are listed below:

l Transmit and Receive: the port transmits and receives LLDP messages.

l Receive only: the port only receives LLDP messages.

l Transmit only: the port only transmits LLDP messages.

l Not work: the port neither transmits nor receives LLDP messages.

Related links:

l Configuring LLDP

l Viewing MIB Topology

Configuring LLDP

Configuring LLDP lets neighbor devices collect network topology changes.

l Enabling LLDP

l Modifying LLDP Configuration

Enabling LLDP

LLDP is enabled only when both the "Global LLDP" and the "LLDP of Port" are enabled, so that the corresponding port can transmit and receive LLDP messages.



l By default, the global LLDP and the LLDP of port are both disabled.

l When the global LLDP is enabled, the LLDP of port is enabled on all the ports of the system.

l When the global LLDP is disabled, the LLDP of port is disabled on all the ports of the system.

l When the global LLDP is enabled, the user does not have to modify the LLDP configuration, because LLDP runs with its default configuration. If there is a need to optimize the LLDP configuration, see Modifying LLDP Configuration.

Notes: Only the physical ports of the device support enabling LLDP. Logical ports do not support this function.

To enable the global LLDP, take the following steps:

1. Select Configuration Management > Network Configuration > LLDP > LLDP Con-
figuration.



2. Click Global Enable button.

3. Click OK to enable LLDP by default configuration.

LLDP default configuration is as follows:

Option Default

Initialization Delay 2 seconds

Transmission Delay 1 second

Transmission Interval 30 seconds

TTL Multiplier 4 seconds

Port LLDP is enabled on all the physical ports with the work mode being Transmit and Receive.

Modifying LLDP Configuration

Depending on the load of the network, the user can modify the related LLDP configuration to reduce the consumption of system resources and optimize LLDP performance.
To modify LLDP configuration, take the following steps:

l Select Configuration Management > Network Configuration > LLDP > LLDP
Configuration.



In the LLDP Configuration page, configure as follows:

Option Description

Initialization Delay When the LLDP work mode of the port changes, the system will initialize the port. Configuring the initialization delay of the port avoids continuous initialization of the port due to frequent changes of the LLDP work mode.
Type the initialization delay time of the port in the Initialization Delay text box. The unit is seconds, and the range is from 1 to 10.

Transmission Delay Transmission delay refers to the minimal delay time before the LLDP messages are sent to the neighbor device when the state of the local device changes frequently.
Type the minimal delay time before the LLDP message is sent in the Transmission Delay text box. The unit is seconds, and the range is from 1 to 900.

Transmission Interval Transmission interval refers to the period at which the LLDP message is transmitted to the neighbor device while the state of the local device remains stable.
Type the transmission period in the Transmission Interval text box. The unit is seconds, and the range is from 1 to 3600.

TTL Multiplier TTL (Time to Live) refers to the living time of the local device information in the neighbor device.
The TTL multiplier is used to adjust the living time of the local device information in the neighbor device. The computational formula is: TTL = Transmission Interval × TTL Multiplier.
Type the TTL multiplier value in the TTL Multiplier text box. The range is from 1 to 100.

Port Click the Enable button under LLDP Enable to enable the LLDP function of the port.
Select the LLDP work mode from the Work Mode drop-down menu to modify the LLDP work mode of the port.
Note: For the introduction of the LLDP work mode, see LLDP Work Mode.

l Click OK.

Viewing MIB Topology

The user can view the LLDP local information and the neighbor information (the LLDP information sent from the neighbor device to the local device) of the port in the MIB Topology page.
To view the MIB topology, take the following steps.

1. Select Configuration Management > Network Configuration > LLDP > MIB Topology.

2. Click the Local Information button to open the Local Information page and view the LLDP local information, including chassis ID, system name, system description, system-supported capabilities, management address and so on.

3. View the MIB topology and neighbor information of all the ports which enable LLDP in the list in the MIB Topology page.
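The following Python is an added example, not code from this guide or from Hillstone: it builds the LLDPDU a port would multicast (the advertised TTL is Transmission Interval × TTL Multiplier, 30 s × 4 = 120 s with the defaults above) and parses it back into the fields the Local Information page lists. The chassis MAC, port name, system name and management address are constructed values.

```python
import struct
from ipaddress import IPv4Address

# All values below are constructed for the example; nothing comes from a real device.
LLDP_MULTICAST_MAC = "01:80:c2:00:00:0e"   # destination MAC of every LLDP frame
LLDP_ETHERTYPE = 0x88CC

# TLV type codes defined in IEEE 802.1AB
END_TLV, CHASSIS_ID, PORT_ID, TTL, PORT_DESC, SYS_NAME, SYS_DESC, SYS_CAP, MGMT_ADDR = range(9)

# System capability bits (the "system-supported capabilities" shown under Local Information)
CAPABILITY_BITS = {0x01: "Other", 0x02: "Repeater", 0x04: "Bridge", 0x08: "WLAN AP",
                   0x10: "Router", 0x20: "Telephone", 0x40: "DOCSIS", 0x80: "Station"}


def lldp_ttl(tx_interval, ttl_multiplier):
    """TTL advertised to the neighbor, per the guide: Transmission Interval x TTL Multiplier.
    Ranges are those of the LLDP Configuration page; the TTL TLV value field is 16 bits."""
    if not 1 <= tx_interval <= 3600:
        raise ValueError("transmission interval must be 1..3600 seconds")
    if not 1 <= ttl_multiplier <= 100:
        raise ValueError("TTL multiplier must be 1..100")
    return min(tx_interval * ttl_multiplier, 0xFFFF)


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length in a 2-byte header, then the value."""
    if len(value) > 511:
        raise ValueError("TLV value exceeds 511 bytes")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac, port_name, ttl, system_name, system_desc, caps, mgmt_ip):
    """Build the LLDPDU a port multicasts to its directly connected neighbor."""
    mac = bytes.fromhex(chassis_mac.replace(":", ""))
    cap_bits = sum(bit for bit, name in CAPABILITY_BITS.items() if name in caps)
    mgmt = (b"\x05"                                    # address string length: subtype + 4 bytes
            + b"\x01" + IPv4Address(mgmt_ip).packed    # address subtype 1 = IPv4
            + b"\x02" + struct.pack("!I", 1)           # interface numbering: ifIndex 1
            + b"\x00")                                 # OID length 0
    return b"".join([
        tlv(CHASSIS_ID, b"\x04" + mac),                # chassis ID subtype 4 = MAC address
        tlv(PORT_ID, b"\x05" + port_name.encode()),    # port ID subtype 5 = interface name
        tlv(TTL, struct.pack("!H", ttl)),
        tlv(PORT_DESC, port_name.encode()),
        tlv(SYS_NAME, system_name.encode()),
        tlv(SYS_DESC, system_desc.encode()),
        tlv(SYS_CAP, struct.pack("!HH", cap_bits, cap_bits)),  # supported, then enabled
        tlv(MGMT_ADDR, mgmt),
        tlv(END_TLV, b""),
    ])


def parse_lldpdu(data):
    """Decode an LLDPDU into the fields the MIB Topology page lists; stops at the End TLV.
    A PDU without an End TLV is reported as incomplete rather than trusted."""
    info, pos = {"complete": False}, 0
    while pos + 2 <= len(data):
        header, = struct.unpack_from("!H", data, pos)
        tlv_type, length = header >> 9, header & 0x1FF
        value = data[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        pos += 2 + length
        if tlv_type == END_TLV:
            info["complete"] = True
            break
        if tlv_type == CHASSIS_ID:
            info["chassis_id"] = value[1:].hex(":") if value[0] == 4 else value[1:].decode(errors="replace")
        elif tlv_type == PORT_ID:
            info["port_id"] = value[1:].decode(errors="replace")
        elif tlv_type == TTL:
            info["ttl"], = struct.unpack("!H", value)
        elif tlv_type == PORT_DESC:
            info["port_description"] = value.decode(errors="replace")
        elif tlv_type == SYS_NAME:
            info["system_name"] = value.decode(errors="replace")
        elif tlv_type == SYS_DESC:
            info["system_description"] = value.decode(errors="replace")
        elif tlv_type == SYS_CAP:
            supported, enabled = struct.unpack("!HH", value)
            info["capabilities"] = [n for b, n in CAPABILITY_BITS.items() if enabled & b]
        elif tlv_type == MGMT_ADDR:
            if value[1] == 1 and value[0] == 5:      # IPv4 management address
                info["management_address"] = str(IPv4Address(value[2:6]))
    return info


if __name__ == "__main__":
    ttl = lldp_ttl(30, 4)   # the guide's defaults: 30 s interval x multiplier 4 = 120 s
    pdu = build_lldpdu("00:11:22:33:44:55", "ethernet0/1", ttl, "nips-a",
                       "Constructed NIPS sensor", ["Bridge", "Router"], "192.0.2.10")
    for key, val in parse_lldpdu(pdu).items():
        print(f"{key}: {val}")
```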



DNS
DNS, the abbreviation for Domain Name System, is a naming system for computers and network services organized as a hierarchy of domains. DNS is designed for TCP/IP networks to query Internet domain names (e.g., www.xxxx.com) and translate them into IP addresses (e.g., 10.1.1.1) in order to locate the related computers and services.
The security device's DNS provides the following functions:

l Server: Configures DNS servers and default domain names for the security device.

l Analysis: Sets retry times and timeout for the device's DNS service.

l Cache: Caching DNS mappings speeds up queries. You can create, edit and delete DNS mappings.

l NBT Cache: Displays NBT cache information.

Configuring a DNS Server

You can configure a DNS server for system to implement DNS resolution. To create a DNS
server, take the following steps:

1. Select Configuration Management > Network Configuration > DNS > DNS Server.

2. Click New in the DNS Server section.

3. In the DNS Server Configuration page, type the IP address for the DNS server into the
Server IP box.

4. Select a VRouter from the VR drop-down list. The default VRouter is trust-vr.

5. Click OK.

Configuring an Analysis

Analysis configuration includes DNS requests' retry times and timeout.



l Retry: If there is no response from the DNS server after the timeout, system will send the
request again; if there is still no response from the DNS server after the specified retry
times (i.e. the number of times to repeat the DNS request), system will send the request to
the next DNS server.

l Timeout: System will wait for the DNS server's response after sending the DNS request
and will send the request again if no response returns after a specified time. The period of
waiting for a response is known as timeout.

To configure the retry times and timeout for DNS requests, take the following steps:

1. Select Configuration Management > Network Configuration > DNS > Analysis

2. Select the retry times radio button.

3. Select the timeout values radio button.

4. Click Apply.

Configuring a DNS Cache

When using DNS, system might store the DNS mappings to its cache to speed up the query.
There are three ways to obtain DNS mappings:

l Dynamic: Obtains from DNS response.

l Static: Adds DNS mappings to cache manually.

l Register: DNS hosts specified by some modules of security devices, such as NTP, AAA,
etc.

For convenient management, the DNS static cache supports groups: multiple domain hosts that share the same IP addresses and virtual router form one DNS static cache group.
To add a static DNS mapping to cache, take the following steps:



1. Select Configuration Management > Network Configuration > DNS > Cache.

2. Click New.

Option Description

Hostname Specify the hostnames of a DNS cache group. You can click the add button to add or the delete button to delete the specified hostname. The maximum number of domain hosts is 128, and the maximum length of each hostname is 255 characters.

IP Specify the host IPv4 addresses of a DNS cache group. You can click the add button to add or the delete button to delete the specified IP. The maximum number of host IP addresses is 8, and the earlier configured IP will be matched first.

Virtual Router Select a VRouter.


3. Click OK.

Notes:

l Only DNS static cache groups support the new, edit and delete operations; dynamic and register cache entries do not.

l The DNS dynamic cache can be deleted by command or by resetting the lifetime. For detailed information, refer to the StoneOS CLI User Guide, available for download as a PDF on the website.

l Users can clear the register cache only by deleting the defined hosts in the function module.

l The DNS static cache takes precedence over the dynamic and register caches, which means a static entry overrides an existing dynamic or register entry for the same host.
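As an added example (not the device's implementation), the following Python models the Analysis and Cache behaviour described above: static cache groups with their limits and precedence, then the configured servers queried with the Analysis page's retry and timeout. The server addresses, hostnames and the `constructed_send` stand-in for the network are constructed, and the reading that retry counts repeats after the first request is an assumption.

```python
from collections import namedtuple

MAX_GROUP_HOSTS, MAX_GROUP_IPS, MAX_HOSTNAME_LEN = 128, 8, 255   # limits from the Cache table
Attempt = namedtuple("Attempt", "server number answer")


class StaticCacheGroup:
    """Several domain hosts sharing one IP list and one virtual router. The earlier-configured
    IP is matched first, as the guide states."""

    def __init__(self, hostnames, ips, vrouter="trust-vr"):
        if not 0 < len(hostnames) <= MAX_GROUP_HOSTS or not 0 < len(ips) <= MAX_GROUP_IPS:
            raise ValueError("a group holds 1..128 hostnames and 1..8 IP addresses")
        if any(len(h) > MAX_HOSTNAME_LEN for h in hostnames):
            raise ValueError("hostname longer than 255 characters")
        self.hostnames = {h.lower() for h in hostnames}
        self.ips, self.vrouter = list(ips), vrouter


class DnsService:
    """Resolution order modelled on the guide: static cache, then dynamic and register cache, then
    the configured servers with retry and timeout. `send(server, name)` stands in for the network
    (an assumption of this example) and returns an IP string, or None when no response arrives."""

    def __init__(self, servers, retry=1, timeout=5, send=None):
        self.servers = list(servers)          # (server IP, VRouter) pairs, as under DNS Server
        self.retry, self.timeout, self.send = retry, timeout, send
        self.static_groups, self.dynamic, self.register = [], {}, {}
        self.elapsed = 0                      # simulated seconds spent waiting for responses

    def add_static_group(self, group):
        self.static_groups.append(group)

    def register_host(self, name, ip, module):
        """A host defined by a module such as NTP or AAA; cleared only by deleting it there."""
        self.register[name.lower()] = (ip, module)

    def lookup_cache(self, name, vrouter):
        name = name.lower()
        for group in self.static_groups:      # static entries take precedence
            if group.vrouter == vrouter and name in group.hostnames:
                return group.ips[0], "static"
        if name in self.dynamic:
            return self.dynamic[name], "dynamic"
        if name in self.register:
            return self.register[name][0], "register"
        return None

    def resolve(self, name, vrouter="trust-vr"):
        """Return (ip, source, attempts). A server gets the first request plus `retry` repeats,
        each waited for `timeout` seconds, before the next server is tried."""
        hit = self.lookup_cache(name, vrouter)
        if hit is not None:
            return hit[0], hit[1], []
        attempts = []
        for server, server_vr in self.servers:
            if server_vr != vrouter:
                continue
            for number in range(1, self.retry + 2):
                answer = self.send(server, name)
                attempts.append(Attempt(server, number, answer))
                if answer is not None:
                    self.dynamic[name.lower()] = answer   # learned from the DNS response
                    return answer, "dynamic", attempts
                self.elapsed += self.timeout
        return None, "unresolved", attempts


def constructed_send(server, name):
    """Stand-in network: the first server never answers, the second knows one name."""
    answers = {"198.51.100.2": {"intranet.example": "10.1.1.1"}}
    return answers.get(server, {}).get(name.lower())


if __name__ == "__main__":
    svc = DnsService([("198.51.100.1", "trust-vr"), ("198.51.100.2", "trust-vr")],
                     retry=2, timeout=5, send=constructed_send)
    ip, source, attempts = svc.resolve("intranet.example")
    print(ip, source, [(a.server, a.number) for a in attempts], f"{svc.elapsed}s waited")
    svc.add_static_group(StaticCacheGroup(["intranet.example", "portal.example"], ["10.1.1.9"]))
    print(svc.resolve("intranet.example")[:2])   # static entry now overrides the dynamic one
```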

NBT Cache

System supports NetBIOS name resolution. With this function enabled, system can automatically obtain all the NetBIOS host names registered by the hosts within the managed network, and store them in the cache to provide an IP address to NetBIOS host name query service for other modules.
Enabling a NetBIOS name resolver is the prerequisite for displaying host names in NAT logs. For more information on how to display host names in the NAT logs, see "Managing Logs" on Page 146.
To enable NetBIOS for a zone, select the NBT cache check box when creating or editing the zone. For more details, see "Security Zone" on Page 423. The security zone with NetBIOS enabled should not be the zone that is connected to the WAN. After NetBIOS is enabled, the query process might last for a while, and the query result will be added to the NetBIOS cache table. System will perform the query again periodically and update the result.


Notes: Only when PCs have NetBIOS enabled can their host names be queried. For
more information on how to enable NetBIOS, see the detailed instructions of your
PC's Operating System.

To clear NBT cache, take the following steps:

1. Select Configuration Management > Network Configuration > DNS > NBT Cache.

2. Select a VRouter from the VR drop-down list to display the NBT cache in that VRouter.

3. Select a NBT cache entry from the list and click Delete.



DHCP
DHCP, the abbreviation for Dynamic Host Configuration Protocol, is designed to allocate appropriate IP addresses and related network parameters to subnetworks automatically, thus reducing the burden of network administration. Besides, DHCP avoids address conflicts and ensures that idle addresses are re-allocated.
System supports DHCP client, DHCP server and DHCP relay proxy.

l DHCP client: The interface can be configured as a DHCP client and obtain IP addresses from
the DHCP server. For more information on configuring a DHCP client, see "Configuring an
Interface" on Page 429.

l DHCP server: The interface can be configured as a DHCP server and allocate IP addresses
chosen from the configured address pool for the connected hosts.

l DHCP relay proxy: The interface can be configured as a DHCP relay proxy to obtain DHCP
information from the DHCP server and forward the information to connected hosts.

The devices are designed with all the above three DHCP functions, but an individual interface
can be only configured with one of the above functions.

Configuring a DHCP Server

To create a DHCP server, take the following steps:

1. Select Configuration Management > Network Configuration > DHCP.

2. Select New > DHCP Server.



3. In the DHCP Configuration page, configure as follows:

Option Description

Interface Configures an interface which enables the DHCP server.

Gateway Configures a gateway IP for the client.

Netmask Configures a netmask for the client.

DNS1 Configures a primary DNS server for the client. Type the server's IP address into the box.

DNS2 Configures an alternative DNS server for the client. Type the server's IP address into the box.

Address pool Configures an IP range in the address pool. The IPs within this range will be allocated. Take the following steps:

1. Type the start IP and end IP into the Start IP and End IP box respectively.

2. Click New to add an IP range which will be displayed in the list below.

3. Repeat the above steps to add more IP ranges.
To delete an IP range, select the IP range you want to delete from the list and click Delete.

4. Configure Reserved Address (IP addresses in the Reserved Address, within the IP range of
the address pool, are reserved for the DHCP server and will not be allocated).
To configure a reserved address, expand Reserved Address, type the start and end IP for an
IP range into the Start IP and End IP box respectively, and then click New. To delete an IP
range, select the IP range you want to delete from the list and then click Delete.

5. Configure IP-MAC Binding. If the IP is bound to a MAC address manually, the IP will only
be allocated to the specified MAC address.
To configure an IP-MAC Binding, expand IP-MAC Binding and type the IP and MAC
address into the IP address and MAC box respectively, type the description in the Descrip-
tion text box if necessary, and then click New. Repeat the above steps to add multiple
entries. To delete an IP-MAC Binding, select an entry from the list and click Delete.

6. Expand Option, configure the options supported by DHCP server.

Option Description

43 Option 43 is used to exchange vendor-specific information (VSI) between the DHCP client and DHCP server. The DHCP server uses option 43 to assign Access Controller (AC) addresses to wireless Access Points (APs), and the wireless AP uses DHCP to discover the AC to which it is to connect.

1. Click New.

2. Select 43 from the Option drop-down list.

3. Select the type of the VSI, ASCII or HEX. When selecting ASCII, the VSI matching string must be enclosed in quotes if it contains spaces.

4. Enter the VSI in the Sign text box.

Notes: If the VCI matching string has been configured, the DHCP server first verifies the VCI carried by the option 60 field in the client's DHCP packets. When the VCI matches the configured one, the IP address, option 43 and corresponding information will be offered. If not, the DHCP server will drop the client's DHCP packets and will not reply to the client.

49 After you configure the option 49 settings, the DHCP client can obtain the list of the IP addresses of systems that are running the X Window System Display Manager.
To configure the option 49 settings:

1. Click New.

2. Select 49 from the Option drop-down list.

3. Enter the IP address of the system that is running the X Window System Display Manager into the IP address box.

4. Repeat the above steps to add multiple entries.
To delete an entry, select it from the list and click Delete.

60 After configuring the VCI carried by option 60 for the DHCP server, the DHCP packets sent by the DHCP server will carry this option and the corresponding VCI.

1. Click New.

2. Select 60 from the Option drop-down list.

3. Select the type of the VCI, ASCII or HEX. When selecting ASCII, the VCI matching string must be enclosed in quotes if it contains spaces.

4. Enter the VCI in the Sign text box.

5. Repeat the above steps to add multiple entries.
To delete an entry, select it from the list and click Delete.

66 Option 66 is used to configure the TFTP server name option. By configuring option 66, the DHCP client gets the domain name or the IP address of the TFTP server. You can download the startup file specified in option 67 from the TFTP server.

1. Click New.

2. Select 66 from the Option drop-down list.

3. Select the type of the TFTP server name, ASCII or HEX. When selecting ASCII, the length of the TFTP server name is 1 to 255 characters, but the maximum length between two periods (.) is only 63 characters.

4. Enter the domain name or the IP address of the TFTP server in the Sign text box.

5. Repeat the above steps to add multiple entries.
To delete an entry, select it from the list and click Delete.

67 Option 67 is used to configure the startup file name option for the TFTP server. By configuring option 67, the DHCP client can get the name of the startup file.

1. Click New.

2. Select 67 from the Option drop-down list.

3. Select the type of the startup file name, ASCII or HEX. When selecting ASCII, the length of the startup file name is 1 to 255 characters.

4. Enter the startup file name in the Sign text box.

5. Repeat the above steps to add multiple entries.
To delete an entry, select it from the list and click Delete.

138 The DHCP server uses option 138 to carry a list of 32-bit (binary) IPv4 addresses indicating one or more CAPWAP ACs available to the WTP. The WTP then discovers and connects to the AC according to the provided AC list.

1. Click New.

2. Select 138 from the Option drop-down list.

3. Enter the AC IP address in the IP address text box.

4. Repeat the above steps to add multiple entries.
To delete an entry, select it from the list and click Delete.
You can add up to four AC IP addresses.
If you do not set option 138 for the DHCP server or the DHCP client does not request option 138, the DHCP server will not offer the option 138 settings.

150 Option 150 is used to configure the address option for the TFTP server. By configuring option 150, the DHCP client can get the address of the TFTP server.

1. Click New.

2. Select 150 from the Option drop-down list.

3. Enter the TFTP server IP address in the IP address text box.

4. Repeat the above steps to add multiple entries.
To delete an entry, select it from the list and click Delete.

242 Option 242 is a private DHCP option for IP phones. By configuring option 242, the specific parameter information of the IP phone can be exchanged between the DHCP server and DHCP client, such as the call server address (MCIPADD), the call server port (MCPORT), the address of the TLS server (TLSSRVR), the HTTP server address (HTTPSRVR) and the HTTP server port (HTTPPORT), etc.

1. Click New.

2. Select 242 from the Option drop-down list.

3. Select the type of the specific parameters of the IP phone, ASCII or HEX. When selecting ASCII, the length is 1 to 255 characters.

4. Enter the specific parameters of the IP phone in the Sign text box.

5. Repeat the above steps to add multiple entries.
To delete an entry, select it from the list and click Delete.

7. Expand Advanced Configuration to configure the DHCP server's advanced options.



Option Description

Domain The domain name configured for the DHCP client.

Lease Specifies a lease time. The value range is 300 to 1048575 seconds. The default value is 3600. The lease is the period during which a client is allowed to use an IP address, starting from the time the IP address is assigned. After the lease expires, the client will have to request an IP address again from the DHCP server.

Auto configure Enables automatic configuration. Select an interface with DHCP client enabled on the same gateway from the drop-down list. "----" indicates auto configure is not enabled.
Auto configure will function in the following condition: another interface with DHCP configured on the device enables the DHCP client. When auto configure is enabled, if the DHCP server (Hillstone device) does not have DNS, WINS or domain name configured, the DHCP client will dispatch the DNS, WINS and domain name information obtained from a connected DHCP server to the host that obtains such information from the DHCP server (Hillstone device). However, the DNS, WINS and domain name that are configured manually still have priority.

WINS1 Configures a primary WINS server for the client. Type the server's IP address into the box.

WINS2 Server Configures an alternative WINS server for the client. Type the server's IP address into the box.

SMTP server Configures an SMTP server for the client. Type the server's IP address into the box.

POP3 server Configures a POP3 server for the client. Type the server's IP address into the box.

News server Configures a news server for the client. Type the server's IP address into the box.

Relay agent When device1 with DHCP server enabled is connected to another device2 with DHCP relay enabled, and the PC obtains device1's DHCP information from device2, the DHCP information can be transmitted to the PC successfully only when the relay agent's IP address and netmask are configured on device1.
Relay agent: Type the relay agent's IP address and netmask, i.e., the IP address and netmask of the interface with relay agent enabled on device2.

VCI-match-string The DHCP server can verify the VCI carried by option 60 in the client's DHCP packets. When the VCI in the client's DHCP packet matches the VCI matching string you configured in the DHCP server, the DHCP server will offer the IP address and other corresponding information. If not, the DHCP server will drop the client's DHCP packets and will not reply to the client. If you do not configure a VCI matching string for the DHCP server, it will ignore the VCI carried by option 60.

1. Select the type of the VCI matching string, ASCII or HEX. When selecting ASCII, the VCI matching string must be enclosed in quotes if it contains spaces.

2. Enter the VCI matching string in the text box.

8. Click OK.
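The following Python is an added example, not Hillstone's code: it encodes the options described in the tables above (43, 60, 66, 67, 138, 150) and applies the VCI-match-string rule from the Advanced Configuration table, i.e. a client whose option 60 does not match is dropped without a reply, and option 138 is offered only when configured and requested. The VCI, the VSI bytes, the AC address and the two client option fields are constructed values.

```python
from ipaddress import IPv4Address

# Option codes from the tables above (RFC 2132 numbering); 55 is the client's parameter request list
OPT_VSI, OPT_PARAM_REQ, OPT_VCI, OPT_TFTP_NAME, OPT_BOOTFILE, OPT_CAPWAP_AC, OPT_TFTP_ADDR, OPT_END = (
    43, 55, 60, 66, 67, 138, 150, 255)
MAX_CAPWAP_ACS = 4   # the guide allows up to four AC addresses in option 138


def encode_sign(kind, sign):
    """Turn a 'Sign' text-box value into bytes. ASCII keeps the characters (surrounding quotes only
    delimit a string that contains spaces); HEX is a string of hexadecimal digits."""
    if kind == "ASCII":
        return sign[1:-1].encode() if len(sign) >= 2 and sign[0] == sign[-1] == '"' else sign.encode()
    if kind == "HEX":
        return bytes.fromhex(sign)
    raise ValueError("type must be ASCII or HEX")


def option(code, payload):
    """Encode one DHCP option as code, length, value."""
    if not 0 < len(payload) <= 255:
        raise ValueError(f"option {code}: payload must be 1..255 bytes")
    return bytes([code, len(payload)]) + payload


def address_list_option(code, addresses, limit=None):
    """Options 138 and 150 carry one or more 32-bit IPv4 addresses."""
    if not addresses or (limit is not None and len(addresses) > limit):
        raise ValueError(f"option {code}: need 1..{limit or 'n'} addresses")
    return option(code, b"".join(IPv4Address(a).packed for a in addresses))


def parse_options(blob):
    """Decode a DHCP options field into {code: value}; stops at the End option."""
    opts, pos = {}, 0
    while pos < len(blob) and blob[pos] != OPT_END:
        if blob[pos] == 0:                 # pad byte
            pos += 1
            continue
        code, length = blob[pos], blob[pos + 1]
        opts[code] = blob[pos + 2:pos + 2 + length]
        pos += 2 + length
    return opts


def server_options(client_options, vci_match=None, vsi=None, ac_addresses=(),
                   tftp_name=None, bootfile=None, tftp_addresses=()):
    """Decide what the server sends back, following the guide: with a VCI matching string
    configured, a client whose option 60 differs is dropped (None, no reply); without one the VCI
    is ignored. Option 138 is offered only when configured and requested by the client."""
    if vci_match is not None and client_options.get(OPT_VCI) != vci_match:
        return None
    reply = []
    if vsi is not None:
        reply.append(option(OPT_VSI, vsi))
    if tftp_name is not None:
        reply.append(option(OPT_TFTP_NAME, tftp_name))
    if bootfile is not None:
        reply.append(option(OPT_BOOTFILE, bootfile))
    if tftp_addresses:
        reply.append(address_list_option(OPT_TFTP_ADDR, tftp_addresses))
    if ac_addresses and OPT_CAPWAP_AC in client_options.get(OPT_PARAM_REQ, b""):
        reply.append(address_list_option(OPT_CAPWAP_AC, ac_addresses, MAX_CAPWAP_ACS))
    return b"".join(reply) + bytes([OPT_END])


# Constructed client option fields: an AP presenting the expected VCI, and an unrelated host
AP_CLIENT = option(OPT_VCI, b"Example AP") + option(OPT_PARAM_REQ, bytes([1, 3, 43, 138])) + bytes([OPT_END])
OTHER_CLIENT = option(OPT_VCI, b"Some Laptop") + option(OPT_PARAM_REQ, bytes([1, 3])) + bytes([OPT_END])

if __name__ == "__main__":
    vci = encode_sign("ASCII", '"Example AP"')          # quoted because it contains a space
    vsi = encode_sign("HEX", "0104c0000201")             # constructed vendor-specific bytes
    for name, pkt in (("AP", AP_CLIENT), ("laptop", OTHER_CLIENT)):
        reply = server_options(parse_options(pkt), vci_match=vci, vsi=vsi, ac_addresses=["192.0.2.1"])
        print(name, "dropped" if reply is None else {c: v.hex() for c, v in parse_options(reply).items()})
```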

Configuring a DHCPv6 Server

To create a DHCPv6 server to allocate IPv6 addresses, take the following steps:

1. Select Configuration Management > Network Configuration > DHCP.

2. Select New > DHCPv6 Server.



3. In the DHCPv6 Configuration page, configure as follows:

Option Description

Interface Configures an interface which enables the DHCPv6 server to allocate IPv6 addresses.

rapid-commit Clicking this button helps the client obtain an IPv6 address from the server quickly. You need to enable the Rapid-commit function on both the DHCP client and the server.

Preference Specifies the priority of the DHCPv6 server. The range is from 0 to 255. The bigger the value is, the higher the priority is.

DNS1 Configures a primary DNS server for the client. Type the server's IP address into the box.

DNS2 Configures an alternative DNS server for the client. Type the server's IP address into the box.

Domain Configures the domain name for the DHCP client.

Address Pool: System can act as a DHCPv6 server to allocate IPv6 addresses for the DHCP clients in the subnets.

IP Specifies the IPv6 address prefix and prefix length.

Valid Lifetime Specifies the lifetime of the address.

Preferred Lifetime Specifies the preferred lifetime for the IPv6 address. The preferred lifetime should not be larger than the valid lifetime.

4. Click OK.



Configuring a DHCPv6 Relay Proxy

The device can act as a DHCPv6 relay proxy to receive requests from a DHCPv6 client and send
requests to the DHCPv6 server, and then obtain DHCP information from the server and return it
to the client.
To create a DHCPv6 relay proxy, take the following steps:

1. Select Configuration Management > Network Configuration > DHCP.

2. Click New > DHCPv6 Relay Proxy.

3. In the DHCP Relay Proxy page, select an interface to which the DHCPv6 Relay Proxy will
be applied from the Interface drop-down list.

4. Type the IPv6 addresses of DHCPv6 servers into the Server 1/Server 2/Server 3 boxes.

5. If a DHCPv6 server is specified as a link-local address, you need to select the egress interface name from the Egress Interface 1/Egress Interface 2/Egress Interface 3 drop-down list.

6. Click OK.



Chapter 5 Advanced Routing
Routing is the process of forwarding packets from one network to a destination address in another network. A router, a packet forwarding device between two networks, transmits packets based on the routes stored in its routing tables. Each route is known as a routing entry.
Devices are designed with Layer 3 routing. This function allows you to configure routing options and forward packets via a VRouter (virtual router). The system ships with a default VRouter, trust-vr.
Devices support destination routing, source-based routing (SBR), source-interface-based routing (SIBR), policy-based routing (PBR), RIP, and equal-cost multipath routing (ECMP).

• Destination routing: A manually configured route that determines the next hop according to the destination IP address.

• SBR: A source-IP-based route that selects the next hop and forwards data according to the source IP address.

• SIBR: A route based on the source IP address and the ingress interface.

• PBR: A route that forwards data based on the source IP address, destination IP address and service type.

• RIP: A dynamic routing protocol that selects routes and forwards data according to the dynamic routing table generated by RIP.

• ECMP: Load balancing of traffic destined to the same IP address or segment across multiple routes with equal administrative distance.

When forwarding inbound packets, the device selects a route in the following sequence: PBR > SIBR > SBR > Destination routing/RIP.



Destination Route

The destination route is a manually configured route entry that determines the next hop based on the destination IP address. Usually a network with a comparatively small number of outbound connections, or with stable intranet connections, uses destination routes. You can add a default route entry as needed.

Creating a Destination Route

To create a destination route, take the following steps:

1. Select Configuration Management > Network Configuration > Route > Destination Route.

2. Select the IPv4 or IPv6 page, and create an IPv4 destination route or IPv6 destination route on the corresponding page. This step is only applicable to the IPv6 version.

3. Click New. In the Destination Route Configuration page, enter values.

Option Description

Virtual Router: From the Virtual Router drop-down list, select the Virtual Router for the new route. The default value is "trust-vr".

Destination: Type the IP address for the route into the text box.

Netmask: Type the corresponding subnet mask into the text box.

Next-hop: To specify the type of next hop, click Gateway, Interface or Virtual Router.
  • Gateway: Type the IP address into the Gateway text box.
  • Interface: Select a name from the Interface drop-down list. Type the IP address into the Gateway text box. For a tunnel interface, you need to type the gateway address for the tunnel's peer in the optional box below.
  • Virtual Router: Select a name from the Virtual Router drop-down list.

Schedule: Specifies a schedule during which the route takes effect. Select a desired schedule from the Schedule drop-down list. After selecting the desired schedules, click the blank area in this page to complete the schedule configuration. To create a new schedule, click .

Precedence: Type the route precedence into the text box. The smaller the value, the higher the precedence. If multiple routes are available, the route with the higher precedence is preferred. The value range is 1 to 255. The default value is 1. When the value is set to 255, the route is invalid.

Weight: Type the weight for the route into the text box. This parameter determines the share of traffic the route carries in load balancing. The value range is 1 to 255. The default value is 1.

Tag: Specifies the tag value of the destination route. When OSPF redistributes routes, if the tag value configured here matches the rules in the route map, the route is redistributed and filtered accordingly. The value range is 1 to 4294967295.

Description: Type the description into the Description text box if necessary.

4. Click OK.
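The route selection order stated at the start of this chapter (PBR > SIBR > SBR > destination route) together with the destination-route rules for precedence (smaller wins, 255 disables the route) and weight (proportional load balancing), as an added example. This is hypothetical Python written for this guide, not Hillstone's forwarding code; the tuple layouts of the PBR/SIBR/SBR entries, the sample table in `demo_table()`, the use of a per-flow hash key to pick among equal routes, and the longest-prefix-match step before precedence is compared are assumptions (the manual only states precedence and weight).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class DestRoute:
    prefix: str            # e.g. "198.51.100.0/24"
    next_hop: str
    precedence: int = 1    # 1..255, smaller is preferred, 255 = route invalid
    weight: int = 1        # 1..255, share of traffic among equal routes


@dataclass
class Packet:
    src: str
    dst: str
    ingress: str
    service: str = "any"


@dataclass
class RoutingTable:
    pbr: list = field(default_factory=list)   # (src_prefix, dst_prefix, service, next_hop)
    sibr: list = field(default_factory=list)  # (ingress_interface, src_prefix, next_hop)
    sbr: list = field(default_factory=list)   # (src_prefix, next_hop)
    dest: List[DestRoute] = field(default_factory=list)


def _in(addr: str, prefix: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


def select_dest_route(table: RoutingTable, dst: str, hash_key: int = 0) -> Optional[str]:
    """Destination lookup: drop precedence-255 routes, longest prefix (assumed),
    then lowest precedence value; ties are split in proportion to weight."""
    candidates = [r for r in table.dest if r.precedence < 255 and _in(dst, r.prefix)]
    if not candidates:
        return None
    longest = max(ipaddress.ip_network(r.prefix).prefixlen for r in candidates)
    candidates = [r for r in candidates
                  if ipaddress.ip_network(r.prefix).prefixlen == longest]
    best = min(r.precedence for r in candidates)
    ecmp = [r for r in candidates if r.precedence == best]
    # hash_key stands in for the flow hash: slot 0..total-1 maps onto the
    # routes in proportion to their weights.
    total = sum(r.weight for r in ecmp)
    slot = hash_key % total
    for r in ecmp:
        if slot < r.weight:
            return r.next_hop
        slot -= r.weight
    return ecmp[-1].next_hop


def lookup(table: RoutingTable, pkt: Packet, hash_key: int = 0) -> Tuple[Optional[str], Optional[str]]:
    """Walk the route types in the order PBR > SIBR > SBR > destination route."""
    for src_p, dst_p, svc, nh in table.pbr:
        if _in(pkt.src, src_p) and _in(pkt.dst, dst_p) and svc in ("any", pkt.service):
            return "PBR", nh
    for ingress, src_p, nh in table.sibr:
        if pkt.ingress == ingress and _in(pkt.src, src_p):
            return "SIBR", nh
    for src_p, nh in table.sbr:
        if _in(pkt.src, src_p):
            return "SBR", nh
    nh = select_dest_route(table, pkt.dst, hash_key)
    return ("destination", nh) if nh else (None, None)


def distribution(table: RoutingTable, dst: str, flows: int) -> Dict[str, int]:
    """Count which next hop each of `flows` flow hashes lands on."""
    counts: Dict[str, int] = {}
    for key in range(flows):
        nh = select_dest_route(table, dst, key)
        counts[nh] = counts.get(nh, 0) + 1
    return counts


def demo_table() -> RoutingTable:
    """Constructed sample table (documentation address ranges only)."""
    return RoutingTable(
        pbr=[("10.0.0.0/8", "203.0.113.0/24", "http", "192.0.2.1")],
        sibr=[("ethernet0/1", "10.2.0.0/16", "192.0.2.2")],
        sbr=[("10.3.0.0/16", "192.0.2.3")],
        dest=[
            DestRoute("0.0.0.0/0", "192.0.2.254"),
            DestRoute("198.51.100.0/24", "192.0.2.10", precedence=1, weight=3),
            DestRoute("198.51.100.0/24", "192.0.2.11", precedence=1, weight=1),
            DestRoute("198.51.100.0/24", "192.0.2.12", precedence=255),  # invalid
            DestRoute("198.51.100.0/24", "192.0.2.13", precedence=10),   # backup
        ],
    )
```

With `demo_table()`, HTTP from 10.2.1.1 to 203.0.113.5 arriving on ethernet0/1 is forwarded by the PBR entry, DNS from the same host by the SIBR entry, and traffic to 198.51.100.0/24 is split 3:1 between 192.0.2.10 and 192.0.2.11 while the precedence-10 route is held in reserve and the precedence-255 route is never used.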



Source Route

Source route is designed to select a router and forward data based on the source IP address of a
packet.

Creating a Source Route

To create a source route, take the following steps:

1. Select Configuration Management > Network Configuration > Routing > Source Route.

2. Select the IPv4 or IPv6 page, and create an IPv4 source route or IPv6 source route on the
corresponding page. This step is only applicable for IPv6 version.

3. Click New. In the Source Route Configuration page, enter values.

Option Description

Virtual Router: From the Virtual Router drop-down list, select the Virtual Router for the new route. The default value is "trust-vr".

Source IP: Type the source IP address for the route into the box.

Netmask: Type the corresponding subnet mask into the box.

Next-hop: To specify the type of next hop, click Gateway, Interface or Virtual Router.
  • Gateway: Type the IP address into the Gateway text box.
  • Interface: Select a name from the Interface drop-down list. Type the IP address into the Gateway text box. For a tunnel interface, you need to type the gateway address for the tunnel's peer in the optional box below.
  • Virtual Router: Select a name from the Virtual Router drop-down list.

Schedule: Specifies a schedule during which the route takes effect. Select a desired schedule from the Schedule drop-down list. After selecting the desired schedules, click the blank area in this dialog to complete the schedule configuration. To create a new schedule, click .

Precedence: Type the route precedence into the box. The smaller the value, the higher the precedence. If multiple routes are available, the route with the higher precedence is preferred. The value range is 1 to 255. The default value is 1. When the value is set to 255, the route is invalid.

Weight: Type the weight for the route into the box. This parameter determines the share of traffic the route carries in load balancing. The value range is 1 to 255. The default value is 1.

Description: Type the description into the Description text box if necessary.

4. Click OK.



Source-Interface Route

Source interface route is designed to select a router and forward data based on the source IP
address and ingress interface of a packet.

Creating a Source-Interface Route

To create a Source-Interface route, take the following steps:

1. Select Configuration Management > Network Configuration > Routing > Source Interface
Route.

2. Select the IPv4 or IPv6 tab page, and create an IPv4 Source-Interface route or IPv6 Source-
Interface route on the corresponding page. This step is only applicable for IPv6 version.

3. Click New. In the Source Interface Route Configuration page, enter values.

Option Description

Virtual Router: From the Virtual Router drop-down list, select the Virtual Router for the new route. The default value is "trust-vr".

Ingress Interface: Select an interface for the route from the drop-down list.

Source IP: Type the source IP address for the route into the text box.

Netmask: Type the corresponding subnet mask into the text box.

Next-hop: To specify the type of next hop, click Gateway, Interface or Virtual Router.
  • Gateway: Type the IP address into the Gateway text box.
  • Interface: Select a name from the Interface drop-down list. Type the IP address into the Gateway text box. For a tunnel interface, you need to type the gateway address for the tunnel's peer in the optional box below.
  • Virtual Router: Select a name from the Virtual Router drop-down list.

Schedule: Specifies a schedule during which the route takes effect. Select a desired schedule from the Schedule drop-down list. After selecting the desired schedules, click the blank area in this dialog to complete the schedule configuration. To create a new schedule, click .

Precedence: Type the route precedence into the text box. The smaller the value, the higher the precedence. If multiple routes are available, the route with the higher precedence is preferred. The value range is 1 to 255. The default value is 1. When the value is set to 255, the route is invalid.

Weight: Type the weight for the route into the text box. This parameter determines the share of traffic the route carries in load balancing. The value range is 1 to 255. The default value is 1.

Description: Type the description into the Description text box if necessary.

4. Click OK.



Policy-based Route

Policy-based Route (PBR) is designed to select a router and forward data based on the source IP
address, destination IP address and service type of a packet.

Creating a Policy-based Route

To create a policy-based route, take the following steps:

1. Select Configuration Management > Network Configuration > Route > Policy Based Rout-
ing.

2. Click New. Select PBR from the drop-down list.

In the Policy-based Route Configuration page, configure the following.

Option Description

PBR Name: Specifies a name for the policy-based route.

Virtual Router: From the Virtual Router drop-down list, select the Virtual Router for the new route. The default value is "trust-vr".

Type: Specifies the object type that the policy-based route binds to. You can select Zone, Virtual Router, Interface or No Binding.
  • Zone: Click this option button and select a zone from the Bind To drop-down list.
  • Virtual Router: Click this option button; the virtual router that the policy-based route binds to is shown.
  • Interface: Click this option button and select an interface from the Bind To drop-down list.
  • No Binding: The policy-based route is not bound to any object.

3. Click OK.

Creating a Policy-based Route Rule

To create a policy-based route rule:

1. Select Configuration Management > Network Configuration > Route > Policy Based Rout-
ing.

2. Click New. Select Rule from the drop-down list.

In this page, configure the following.

Option Description

PBR Name: Specifies a name for the policy-based route.

Description (Optional): Type information about the PBR rule.

Source

Address: Specifies the source addresses of the PBR rule.
  1. Select an address type from the Address drop-down list.
  2. Select or type the source addresses based on the selected type.
  3. Click Add to add the addresses to the left pane.
  4. After adding the desired addresses, click Close.
  You can also perform other operations:
  • When selecting the Address Book type, you can click the button to create a new address entry.
  • The default address configuration is any. To restore the configuration to this default, click the Enable button before Any.

Source User: Specifies a role, user or user group for the PBR rule.
  1. From the User drop-down menu, select the AAA server to which the users and user groups belong. To specify a role, select Role from the AAA Server drop-down list.
  2. Depending on the type of AAA server, you can execute one or more actions: search for a user/user group/role, expand the user/user group list, or enter the name of the user/user group.
  3. After selecting users/user groups/roles, click them to add them to the left pane.
  4. After adding the desired objects, click Close to complete the user configuration.

Destination

Address: Specifies the destination addresses of the PBR rule.
  1. Select an address type from the Address drop-down list.
  2. Select or type the destination addresses based on the selected type.
  3. Click Add to add the addresses to the left pane.
  4. After adding the desired addresses, click Close.
  You can also perform other operations:
  • When selecting the Address Book type, you can click the button to create a new address entry.
  • The default address configuration is any. To restore the configuration to this default, click the Enable button before Any.

Other

Service: Specifies a service or service group.
  1. From the Service drop-down menu, select a type: Service or Service Group.
  2. You can search for the desired service/service group, or expand the service/service group list.
  3. After selecting the desired services/service groups, click them to add them to the left pane.
  4. After adding the desired objects, click Close.
  You can also perform other operations:
  • To add a new service or service group, select User-defined from the Predefined drop-down list, and click the button.
  • The default service configuration is any. To restore the configuration to this default, click the Enable button before Any.

Application: Specifies an application, application group or application filter.
  1. From the Application drop-down menu, you can search for the desired application/application group/application filter, or expand the list of applications/application groups/application filters.
  2. After selecting the desired applications/application groups/application filters, click them to add them to the left pane.
  3. After adding the desired objects, click Close to complete the application configuration.
  You can also perform other operations:
  • To add a new application group, click New AppGroup.
  • To add a new application filter, click New AppFilter.

Schedule: Specifies a schedule during which the PBR rule takes effect. Select a desired schedule from the Schedule drop-down list. After selecting the desired schedules, click Close to complete the schedule configuration. To create a new schedule, click New Schedule.

Record log: Click the Enable button to enable logging for the PBR rule.

Expand Next-hop, and configure the following.

Option Description

Set Next-hop: To specify the type of next hop, click IP Address or Interface.
  • IP Address: Type the IP address into the IP address text box and specify the weight in the Weight text box. When more than one next hop is available, the traffic is distributed among the next hops according to the weight values.
  • Interface: Select an interface from the Interface drop-down list and specify the weight in the Weight text box. When more than one next hop is available, the traffic is distributed among the next hops according to the weight values.

Track Object: Select the track object from the drop-down list. See "Track Object" on Page 591.

Weight: Specifies the weight for the next hop. The value range is 1 to 255. The default value is 1. If a PBR rule is configured with multiple next hops, the system distributes the traffic in proportion to the corresponding weights.

Add: Click to add the specified next hop.

Delete: Select next-hop entries from the next-hop table and click this button to delete them.

Adjusting Priority of a PBR Rule

To adjust priority of a policy-based route rule, take the following steps:

1. Select Configuration Management > Network Configuration > Route > Policy Based Rout-
ing.

2. Select the rule you want to adjust priority from the list below, click Priority.

Option Description

Top: Click this option button to move the PBR rule to the top.

Bottom: Click this option button to move the PBR rule to the bottom.

Before ID: Click this option button and type the ID into the box behind it to move the PBR rule to the position before that ID.

After ID: Click this option button and type the ID into the box behind it to move the PBR rule to the position after that ID.

Notes: Each PBR rule is labeled with a unique ID. When traffic flows into a Hillstone device, the device queries the PBR rules in turn and processes the traffic according to the first matched rule. However, the PBR rule ID is not related to the matching sequence during the query. You can move a PBR rule up or down as needed to adjust the matching sequence.

Applying a Policy-based Route

You can apply a policy-based route by binding it to an interface or a zone.


To apply a policy-based route, take the following steps:

1. Select Configuration Management > Network Configuration > Route > Policy Based Rout-
ing.

2. Click Bind to.

In the Policy-based Route Configuration page, enter values.

Option Description

PBR Name: Select a route from the PBR Name drop-down list.

Virtual Router: From the Virtual Router drop-down list, select the Virtual Router for the route. The default value is "trust-vr".

Type: Specifies the object type that the policy-based route binds to. You can select Zone, Virtual Router, Interface or No Binding.
  • Zone: Click this option button and select a zone from the Bind To drop-down list.
  • Virtual Router: Click this option button; the virtual router that the policy-based route binds to is shown.
  • Interface: Click this option button and select an interface from the Bind To drop-down list.
  • No Binding: The policy-based route is not bound to any object.

3. Click OK.

DNS Redirect

The system supports the DNS redirect function, which redirects DNS requests to a specified DNS server. For more information about specifying the IP addresses of the DNS server, see Configuring a DNS Server. Currently, the DNS redirect function is mainly used to redirect video traffic for load balancing. Working together with policy-based routing, the system can redirect web video traffic to different links, improving the user experience.
To enable the DNS redirect function, take the following steps:

1. Select Configuration Management > Network Configuration > Routing > Policy-based
Routing.

2. Click Enable DNS Redirect.

Configuring the Global Match Order

By default, if a PBR is bound to an interface, to a VRouter and to the security zone that the interface belongs to, the traffic matching sequence is: Interface > Zone > VRouter. You can configure the global match order of PBR.
To configure the global match order, take the following steps:

1. Select Configuration Management > Network Configuration > Routing > Policy-based
Routing.

2. Click Config Global Match Order.

3. Select the items that need to be adjusted, and click and .

4. To restore the default matching sequence, click Restore Default.

5. Click OK.
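How the bindings and rule ordering described in the preceding PBR sections combine at lookup time, as an added example: a PBR bound at interface, zone and VRouter level is consulted in the global match order (default Interface > Zone > VRouter), the rules inside a PBR are tried in list position with the first match winning, and the Top/Bottom/Before ID/After ID adjustments change that position while the rule ID stays fixed. This is hypothetical Python written for this guide, not Hillstone's implementation; the sample interface, PBR names and rules in `demo_bindings()` are constructed, and the assumption that a binding level with no matching rule falls through to the next level (rather than ending the PBR lookup) is mine.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DEFAULT_MATCH_ORDER = ("interface", "zone", "vrouter")


@dataclass
class PbrRule:
    rule_id: int                 # unique, never changes
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    service: str = "any"
    next_hop: str = ""


@dataclass
class Pbr:
    name: str
    rules: List[PbrRule] = field(default_factory=list)  # list position = priority

    def match(self, src: str, dst: str, service: str) -> Optional[PbrRule]:
        """First rule in list order whose source, destination and service match."""
        for rule in self.rules:
            if (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
                    and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
                    and rule.service in ("any", service)):
                return rule
        return None

    def move(self, rule_id: int, where: str, ref_id: Optional[int] = None) -> None:
        """Priority adjustment: where is 'top', 'bottom', 'before' or 'after' (ref_id)."""
        rule = next(r for r in self.rules if r.rule_id == rule_id)
        self.rules.remove(rule)
        if where == "top":
            self.rules.insert(0, rule)
        elif where == "bottom":
            self.rules.append(rule)
        elif where in ("before", "after"):
            idx = next(i for i, r in enumerate(self.rules) if r.rule_id == ref_id)
            self.rules.insert(idx + (1 if where == "after" else 0), rule)
        else:
            raise ValueError("where must be top, bottom, before or after")


@dataclass
class Interface:
    name: str
    zone: str
    vrouter: str


Bindings = Dict[str, Dict[str, Pbr]]   # level -> {object name: PBR bound to it}


def resolve(bindings: Bindings, ifc: Interface, src: str, dst: str, service: str,
            order: Tuple[str, ...] = DEFAULT_MATCH_ORDER):
    """Consult the PBRs bound to the ingress interface, its zone and its VRouter in
    the configured global match order; return (level, pbr, rule id, next hop)."""
    keys = {"interface": ifc.name, "zone": ifc.zone, "vrouter": ifc.vrouter}
    for level in order:
        pbr = bindings.get(level, {}).get(keys[level])
        if pbr is None:
            continue
        rule = pbr.match(src, dst, service)
        if rule is not None:
            return level, pbr.name, rule.rule_id, rule.next_hop
    return None   # no PBR match: lookup continues with SIBR/SBR/destination routes


def demo_bindings():
    """Constructed sample: an interface PBR whose first-listed rule has the
    higher ID, plus a catch-all PBR bound to the interface's zone."""
    eth = Interface("ethernet0/1", "trust", "trust-vr")
    pbr_if = Pbr("pbr-eth", [
        PbrRule(3, src="10.1.0.0/16", service="http", next_hop="192.0.2.1"),
        PbrRule(1, src="10.1.0.0/16", next_hop="192.0.2.2"),
    ])
    pbr_zone = Pbr("pbr-trust", [PbrRule(1, next_hop="192.0.2.3")])
    return eth, {"interface": {eth.name: pbr_if}, "zone": {eth.zone: pbr_zone}}


def lookup_demo(src, dst, service, order=DEFAULT_MATCH_ORDER):
    eth, bindings = demo_bindings()
    return resolve(bindings, eth, src, dst, service, order)


def rule_ids_after_move(where, rule_id, ref_id=None):
    """Rule order (by ID) of the demo interface PBR after one priority adjustment."""
    _, bindings = demo_bindings()
    pbr = bindings["interface"]["ethernet0/1"]
    pbr.move(rule_id, where, ref_id)
    return [r.rule_id for r in pbr.rules]
```

In the sample, HTTP from 10.1.5.5 hits rule 3 of the interface PBR even though rule 1 would also match, because rule 3 is listed first; moving rule 1 to Top reverses that, and a host outside 10.1.0.0/16 falls through to the zone-bound PBR. Passing a different `order` shows the effect of Config Global Match Order.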



RIP

RIP, the Routing Information Protocol, is an interior gateway routing protocol designed to exchange routing information between routers. Currently, devices support both RIP versions, i.e., RIP-1 and RIP-2.
RIP configuration includes basic options, redistribute, passive interface (Passive IF), neighbor, network and distance. You will also need to configure RIP parameters for each interface, including the RIP version, split horizon, and authentication mode.

Creating RIP

To create RIP, take the following steps:

1. Select Configuration Management > Network Configuration > Routing > RIP.

2. From the Virtual Router drop-down list, select the Virtual Router for the new route.

3. Click New.

In the configuration tab, configure the following.

Option Description

Version: Specifies a RIP version. Hillstone devices support RIP-1 and RIP-2. RIP-1 transmits packets by broadcasting, while RIP-2 transmits packets by multicasting. Select a version from the drop-down list. The default version is RIP-2.

Network

Network (IP/netmask): Type the IP address and netmask into the Network (IP/netmask) box.

New: Click New to add the network. All the networks that have been added are displayed in the list below.

Delete: Repeat the above steps to add more networks. To delete a network, select the entry you want to delete from the list, and click Delete.

Click Advanced Configuration, and configure the following.

Option Description

Metric: Specifies a default metric. The value range is 1 to 15. If no value is specified, the value 1 is used. RIP measures the distance to the destination network in hops; this distance is known as the metric. The metric from a router to a directly connected network is 1, and it increases by 1 for every additional router between them. The maximum metric is 15; a network with a metric larger than 15 is unreachable. The default metric takes effect when a route is redistributed.

Distance: Specifies a default distance. The value range is 1 to 255. If no value is specified, the value 120 is used.

Default-info originate: Specifies whether the default route is redistributed to other routers with RIP enabled. By default, RIP does not redistribute the default route. Click the Enable button to redistribute the default route.

Update interval: Specifies the interval at which all RIP routes are sent to all neighbors. The value range is 0 to 16777215 seconds. The default value is 30.

Invalid time: If a route has not been updated within the invalid time, its metric is set to 16, indicating an unreachable route. The value range is 1 to 16777215 seconds. The default value is 180.

Hold-down time: If the metric becomes larger (e.g., from 2 to 4) after a route has been updated, the route is assigned a hold-down time. During the hold-down time, the route does not accept any update. The value range is 1 to 16777215 seconds. The default value is 180.

Flush time: The system keeps sending the unreachable routes (metric set to 16) to other routers during the flush time. If the route still has not been updated by the end of the flush time, it is deleted from the RIP information database. The value range is 1 to 16777215 seconds. The default value is 240.

Redistribute

Protocol: Select a protocol type for the route from the Protocol drop-down list. The type can be Connected, Static, OSPF or BGP.

New: Click New to add the redistribute route entry. All the entries that have been added are displayed in the Redistribute Route list below.

Delete: Repeat the above steps to add more redistribute route entries. To delete a redistribute route entry, select the entry you want to delete from the list, and click Delete.

Neighbor

Neighbor IP: Type the neighbor IP address into the Neighbor IP box.

New: Click New to add the neighbor IP. All the neighbor IPs that have been added are displayed in the list below.

Delete: Repeat the above steps to add more neighbor IPs. To delete a neighbor IP, select the entry you want to delete from the list, and click Delete.

Distance

Distance: Type the distance into the Distance box. The distance specified here takes priority over the default distance.

Network (IP/netmask): Type the IP prefix and netmask into the Network (IP/netmask) box.

New: Click New to add the distance. All the distances that have been added are displayed in the list below.

Delete: Repeat the above steps to add more distances. To delete a distance, select the entry you want to delete from the list, and click Delete.

Click Interface Configuration, and configure the following.

Option Description

Edit: Select the check box of an interface on the Interface page, and click Edit to open the Interface Configuration page.

In the DB tab, view the database of RIP routes. All the route entries that can reach the target network are stored in the database.

4. Click OK.

Notes: Configuration for RIP on device's interfaces includes: RIP version, split hori-
zon and authentication mode. For more information on how to configure RIP on an
interface, see "Configuring an Interface" on Page 429.
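The lifetime of one RIP route under the timers in the Advanced Configuration table (update 30 s, invalid 180 s, hold-down 180 s, flush 240 s), as an added example that walks a constructed timeline through the states the table describes. This is hypothetical Python written for this guide, not Hillstone's RIP implementation; the assumptions are that the invalid and flush timers are both measured from the route's last accepted update, that a route entering hold-down records the larger metric it was updated with, and that a route advertised with metric 16 by a neighbor is not installed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INFINITY = 16   # RIP metric meaning "unreachable"


@dataclass
class RipTimers:
    update: int = 30      # seconds between periodic updates
    invalid: int = 180    # no update for this long -> metric set to 16
    holddown: int = 180   # ignore updates for this long after the metric grows
    flush: int = 240      # no update for this long -> removed from the database


@dataclass
class RipRoute:
    prefix: str
    metric: int
    next_hop: str
    last_update: float
    holddown_until: float = 0.0


class RipDatabase:
    def __init__(self, timers: Optional[RipTimers] = None):
        self.timers = timers or RipTimers()
        self.routes: Dict[str, RipRoute] = {}

    def receive(self, now: float, prefix: str, metric: int, next_hop: str) -> str:
        """Apply one received route entry; returns what happened to it."""
        metric = min(metric, INFINITY)
        route = self.routes.get(prefix)
        if route is None:
            if metric >= INFINITY:
                return "ignored"                     # unreachable, nothing to install
            self.routes[prefix] = RipRoute(prefix, metric, next_hop, now)
            return "added"
        if now < route.holddown_until:
            return "held"                            # hold-down: no updates accepted
        if metric > route.metric:
            # Metric got worse (e.g. 2 -> 4): record it and start hold-down.
            route.metric, route.last_update = metric, now
            route.holddown_until = now + self.timers.holddown
            return "holddown"
        route.metric, route.next_hop, route.last_update = metric, next_hop, now
        return "refreshed"

    def age(self, now: float) -> List[Tuple[str, str]]:
        """Mark idle routes unreachable at `invalid` and delete them at `flush`."""
        events = []
        for prefix, route in list(self.routes.items()):
            idle = now - route.last_update
            if idle >= self.timers.flush:
                del self.routes[prefix]
                events.append((prefix, "flushed"))
            elif idle >= self.timers.invalid and route.metric != INFINITY:
                route.metric = INFINITY      # still advertised, as unreachable, until flush
                events.append((prefix, "invalid"))
        return events

    def advertised(self) -> Dict[str, int]:
        """Contents of the next periodic update (unreachable routes included)."""
        return {p: r.metric for p, r in self.routes.items()}


def simulate():
    """Constructed timeline for one prefix; returns the observed (time, event) pairs."""
    db = RipDatabase()
    log = []
    log.append((0, db.receive(0, "10.0.0.0/8", 2, "192.0.2.1")))      # added
    log.append((30, db.receive(30, "10.0.0.0/8", 2, "192.0.2.1")))    # refreshed
    log.append((60, db.receive(60, "10.0.0.0/8", 4, "192.0.2.1")))    # metric grew: holddown
    log.append((90, db.receive(90, "10.0.0.0/8", 3, "192.0.2.9")))    # held (hold-down until 240)
    log.append((240, db.receive(240, "10.0.0.0/8", 3, "192.0.2.9")))  # refreshed
    log.append((420, db.age(420)))           # idle 180 s: marked invalid
    log.append((420, db.advertised()))       # advertised with metric 16
    log.append((480, db.age(480)))           # idle 240 s: flushed
    log.append((480, db.advertised()))       # gone from the database
    return log
```

`simulate()` shows the sequence added, refreshed, holddown, held, refreshed, then the route going invalid (metric 16 but still advertised) at 180 s of silence and being flushed at 240 s.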

Host Book

You can specify a name for a collection of one or more domain names, and reference this host book when configuring other features. The host book is the database in which the system stores the relationships between domain-name collections and the specified names.
An entry that maps a domain-name collection to a specified name is called a host entry.



Notes:
• The maximum number of host entries is one fourth of the maximum number of address entries.

• Up to one host entry can be configured for each PBR rule.

Creating a Host Book

To create a host book, take the following steps:

1. Select Network > Route > Host Book.

2. Click New.

Configure the following options.

Option Description

Name: Type a name for the host book.

Member: Specifies the host entry members. Enter an IP address or domain name in the Member text box and then click Add. If needed, you can add multiple host entries to the host book. To remove an entry, select the host entry you want to delete and click Delete.

Description: Type the description of the host book.

3. Click OK.



Application Layer Gateway (ALG)
Some applications, such as the commonly used FTP, use multiple channels for data transmission. In such cases the control channel and the data channel are separate. Devices under strict security policy control may impose strict limits on each data channel, for example only allowing FTP traffic from the internal network to the external network on the well-known port TCP 21. In FTP active mode, when an FTP server in the public network tries to initiate a connection to a random port on a host in the internal network, the device rejects the connection and FTP does not work properly. This requires devices to be intelligent enough to properly handle the randomness of legitimate applications under strict security policies. In the FTP case, by analyzing the transmission information of the FTP control channel, the device learns that the server and the client have reached an agreement, and opens a temporary communication channel when the server initiates the connection to the client's port, thus assuring the proper operation of FTP.
The system adopts the strictest NAT mode. Some VoIP applications may work improperly after NAT because of the change of IP address and port number. The ALG mechanism ensures the normal communication of VoIP applications after NAT. Therefore, the ALG supports the following functions:

• Ensures normal communication of multi-channel applications under strict security policy rules.

• Ensures the proper operation of VoIP applications such as SIP and H.323 in NAT mode, and performs monitoring and filtering according to policies.

Enabling ALG

The system allows you to enable or disable ALG for different applications. Devices support ALG
for the following applications: FTP, HTTP, MSRPC, PPTP, Q.931, RAS, RSH, RTSP, SIP,
SQLNetV2, SUNRPC, TFTP, DNS, Auto and XDMCP. You can not only enable ALG for applic-
ations, but also specify H323's session timeout.
To enable the ALG for applications, take the following steps:



1. Select Configuration Management > Network Configuration > Application Layer Gate.

2. In the Application Layer Gateway page, select the applications that require ALG.

3. To modify H323's session timeout, type the value into the H323 session timeout box. The
value range is 60 to 1800 seconds. The default value is 60.

4. Click OK to save your changes.

Notes: Only when the FTP ALG is enabled can the FTPS ALG be selected.
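The control-channel inspection that the FTP description above relies on, as an added example: the ALG reads the client's PORT command (active mode, the server connects back to the client) or the server's 227 reply to PASV (passive mode), derives the single temporary data-channel opening, and lets that opening be used once before it expires. This is hypothetical Python written for this guide, not Hillstone's ALG; the sample control lines are constructed, and the two sanity checks (the announced address must be the peer that sent the line, and an active-mode data port must not be a privileged port below 1024) and the 60-second single-use pinhole lifetime are assumptions chosen to keep the opening as narrow as possible.

```python
import re
from typing import Dict, List, Optional, Tuple

# "PORT h1,h2,h3,h4,p1,p2" from the client; "227 ... (h1,h2,h3,h4,p1,p2)" from the server.
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")
PASV_RE = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode(parts) -> Tuple[str, int]:
    """Turn the six decimal fields into (ip, port); port = p1*256 + p2."""
    nums = [int(p) for p in parts]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range")
    return "%d.%d.%d.%d" % tuple(nums[:4]), nums[4] * 256 + nums[5]


def inspect_control(line: bytes, sender_ip: str, client_ip: str, server_ip: str) -> Optional[Dict]:
    """Return the pinhole one control-channel line calls for, or None.

    The pinhole names who will open the data connection ("src") and the
    (ip, port) they will connect to ("dst")."""
    m = PORT_RE.match(line)
    if m:
        ip, port = _decode(m.groups())
        # Assumed check: PORT is only honoured from the client and only for
        # the client's own address, so no third party's port is ever opened.
        if sender_ip != client_ip or ip != client_ip:
            raise PermissionError("PORT names an address other than the client")
        if port < 1024:                       # assumed check: no privileged data port
            raise PermissionError("refusing data port below 1024")
        return {"mode": "active", "src": server_ip, "dst": (ip, port)}
    m = PASV_RE.match(line)
    if m:
        ip, port = _decode(m.groups())
        if sender_ip != server_ip or ip != server_ip:
            raise PermissionError("227 reply names an address other than the server")
        return {"mode": "passive", "src": client_ip, "dst": (ip, port)}
    return None   # any other command/reply opens nothing


def is_rejected(line: bytes, sender_ip: str, client_ip: str, server_ip: str) -> bool:
    try:
        inspect_control(line, sender_ip, client_ip, server_ip)
        return False
    except (PermissionError, ValueError):
        return True


class PinholeTable:
    """Temporary data-channel openings: each is consumed by one connection
    and expires if unused (lifetime in seconds is an assumption)."""

    def __init__(self, lifetime: float = 60.0):
        self.lifetime = lifetime
        self.entries: Dict[Tuple[str, Tuple[str, int]], float] = {}

    def open(self, pinhole: Dict, now: float) -> None:
        self.entries[(pinhole["src"], pinhole["dst"])] = now + self.lifetime

    def allow(self, src: str, dst: Tuple[str, int], now: float) -> bool:
        expires = self.entries.pop((src, dst), None)   # single use
        return expires is not None and now <= expires


def demo_session(now: float = 1000.0) -> List[bool]:
    """Constructed exchange: the server's 227 reply opens one pinhole; the
    client's first data connection is allowed, a second is not, and a
    pinhole left unused past its lifetime is not either."""
    reply = b"227 Entering Passive Mode (203,0,113,7,195,80).\r\n"
    pinhole = inspect_control(reply, "203.0.113.7", "10.1.1.5", "203.0.113.7")
    table = PinholeTable()
    table.open(pinhole, now)
    first = table.allow("10.1.1.5", ("203.0.113.7", 50000), now + 1)
    second = table.allow("10.1.1.5", ("203.0.113.7", 50000), now + 2)
    stale = PinholeTable()
    stale.open(pinhole, now)
    late = stale.allow("10.1.1.5", ("203.0.113.7", 50000), now + 61)
    return [first, second, late]
```

For the constructed `PORT 10,1,1,5,4,1` from client 10.1.1.5 the ALG computes data port 4*256+1 = 1025 and opens it only for the server; a PORT naming some other host, or a 227 reply naming an address other than the server, is rejected rather than opened.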



Global Network Parameters
Global network parameter configuration includes IP fragment, TCP packet processing methods
and other options.

Configuring Global Network Parameters

To configure global network parameters, take the following steps:

1. Select Configuration Management > Network Configuration > Global Network Parameters
> Global Network Parameters.

513 Chapter 5 Advanced Routing


2. Configure the following parameters.

Option: Description

IP Fragment

Maximum Fragment Number: Specifies the maximum number of fragments for every IP packet. The value range is 1 to 1024. The default value is 48. Any IP packet that contains more fragments than this number will be dropped.

Timeout: Specifies the timeout period for fragment reassembly. The value range is 1 to 30. The default value is 2. If the Hillstone device has not received all the fragments when the timeout expires, the packet will be dropped.

Long Duration Session: Enables or disables long duration sessions. If this function is enabled, specify the percentage of long duration sessions in the Percentage text box below. The default value is 10, i.e., long duration sessions may account for 10% of the total sessions.

TCP

TCP MSS: Specifies an MSS value for all TCP SYN/ACK packets. Click the Enable button, and type the value into the Maximum MSS text box below.

Maximum MSS: Type the maximum MSS value into the Maximum MSS text box below. The value range is 64 to 65535. The default value is 1448.

TCP MSS VPN: Specifies an MSS value for the TCP SYN packets of IPSec VPN. Click the Enable button, and type the value into the Maximum MSS text box below.

Maximum MSS: Type the maximum MSS value for IPSec VPN into the Maximum MSS text box below. The value range is 64 to 65535. The default value is 1380.

TCP Sequence Number Check: Configures whether the TCP sequence number will be checked. When this function is enabled, a TCP packet whose sequence number exceeds the TCP window will be dropped.

TCP Three-way Handshaking: Configures whether the timeout of TCP three-way handshaking will be checked. Click the Enable button to enable this function, and specify a timeout value in the Timeout text box below. The value range is 1 to 1800 seconds. The default value is 20. If the three-way handshake has not been completed when the timeout expires, the connection will be dropped.

TCP SYN Packet Check: Click the Enable button to enable this function and specify the action for TCP non-SYN packets. When the received packet is a TCP SYN packet, the TCP connection will be established. When the received packet is a TCP non-SYN packet, the packet will be processed according to the specified action.
  • drop: When the received packet is a TCP non-SYN packet, the system will drop the packet.
  • reset: When the received packet is a TCP non-SYN packet, the system will drop the packet and send an RST packet to the peer device.

Others

Non-IP and Non-ARP Packet: Specifies how to process packets that are neither IP nor ARP.

3. Click OK.
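The following added example (not Hillstone code) models how the TCP SYN Packet Check and the TCP Three-way Handshaking timeout from the table above treat a flow; the addresses, packets and the SessionTable, TcpParams and run_sample names are constructed for illustration.

```python
"""Model of the TCP SYN Packet Check and TCP Three-way Handshaking timeout
described in the table above (added example, not Hillstone code). A flow
without a session must start with a SYN, otherwise the configured non-SYN
action (drop or reset) applies; a session whose handshake is not completed
within the timeout is dropped. Packets are constructed sample records.
"""
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10   # TCP flag bits


@dataclass
class Packet:
    t: float        # arrival time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


@dataclass
class Session:
    created: float
    established: bool = False


@dataclass
class TcpParams:
    """Defaults follow the Global Network Parameters table."""
    syn_check: bool = True
    non_syn_action: str = "drop"     # "drop" or "reset"
    handshake_timeout: float = 20.0  # seconds


class SessionTable:
    def __init__(self, params):
        self.params = params
        self.sessions = {}   # canonical 4-tuple -> Session
        self.events = []     # (event name, key) for logging or alerting

    @staticmethod
    def key(p):
        # both directions of a flow map onto the same session
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def expire(self, now):
        # TCP Three-way Handshaking check: drop half-open sessions on timeout
        for k, s in list(self.sessions.items()):
            if not s.established and now - s.created > self.params.handshake_timeout:
                del self.sessions[k]
                self.events.append(("handshake-timeout", k))

    def process(self, p):
        """Return the verdict for one packet."""
        self.expire(p.t)
        k = self.key(p)
        s = self.sessions.get(k)
        if s is None:
            if p.flags & SYN and not p.flags & ACK:
                self.sessions[k] = Session(created=p.t)
                return "new-session"
            if not self.params.syn_check:
                # check disabled: a mid-stream packet simply creates a session
                self.sessions[k] = Session(created=p.t, established=True)
                return "accept-midstream"
            # TCP SYN Packet Check: first packet is not a SYN -> drop or reset
            self.events.append((self.params.non_syn_action, k))
            return self.params.non_syn_action
        if p.flags & ACK and not p.flags & SYN:
            s.established = True   # third step of the handshake (or later data)
        return "established" if s.established else "handshake"


def run_sample(action="drop", syn_check=True):
    """Feed constructed packets through the table; returns (verdicts, events)."""
    table = SessionTable(TcpParams(syn_check=syn_check, non_syn_action=action))
    client, server, stray, slow = "10.1.1.10", "10.2.2.20", "10.1.1.99", "10.1.1.77"
    packets = [
        Packet(0.0, client, 40000, server, 443, SYN),         # handshake step 1
        Packet(0.1, server, 443, client, 40000, SYN | ACK),   # step 2
        Packet(0.2, client, 40000, server, 443, ACK),         # step 3
        Packet(1.0, stray, 50000, server, 443, ACK),          # non-SYN, no session
        Packet(2.0, slow, 50001, server, 443, SYN),           # SYN never completed
        Packet(30.0, slow, 50001, server, 443, ACK),          # arrives after timeout
    ]
    verdicts = [table.process(p) for p in packets]
    return verdicts, [name for name, _ in table.events]
```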

Configuring Protection Mode

To configure the protection mode, take the following steps:

1. Select Configuration Management > Network Configuration > Global Network Parameters
> Protection Mode.

2. Configure the traffic working mode.

• Log only - System only generates protocol anomaly alarms and attack behavior logs, but does not block attackers or reset connections.

• Protect - System not only records the attack behavior detected by the Intrusion Prevention System, Anti-Virus or AD, Policy and Black list, but also resets the connection or blocks the access.

Notes: Log & reset mode is recommended. In this mode, the security functions of the device take effect normally. If Log only mode is selected, system can only record logs, and the functions that can block traffic, including policy, IPS, AV, QoS, etc., will be invalid.

Bypass Configuration
Under certain conditions, such as system restart, abnormal operation and power off, the system will automatically enter the bypass state. In the bypass state, the two interfaces of each bypass interface pair are directly connected physically and traffic passes through directly. In general, the device's ethernet 0/0 and ethernet 0/1 form bypass interface pair 0, and so on. You can also view the corresponding identification on the front panel of the device. When the device is in the normal operation state, the bypass interface pair is not connected physically, but forwards traffic normally according to the functions configured on the interfaces. If you need to connect the two interfaces physically, as in the bypass state, take the following steps:

1. Select Configuration Management > Network Configuration > Bypass Configuration, and
enter the bypass configuration page.

2. Select the check box of Bypass Configuration to enable bypass configuration. This option is only supported when the HA function of the device is on.

3. Select one or more bypass interface pair entries in the list, and click Enable to force the
bypass function of the interface to make them physically connected.

4. To restore the initial bypass status, in which bypass is enabled automatically under certain conditions, select the corresponding bypass interface pair in the list, and then click Auto.

Notes:
• Under normal operation of the device, the bypass function and the HA function are not allowed to be enabled at the same time.

• In an HA deployment environment, it is recommended that you enable the bypass function of an interface pair carefully, because it may cause network loops. If you need to enable it, follow these steps: Enable the bypass configuration switch > Enable the bypass function of the interface pair > debug > Disable the bypass function of the interface pair > Disable the bypass configuration switch.

• If you want to force the bypass function to be disabled, configure it in the command line interface. For details, refer to Force to Close the Bypass Function.

Object Configuration
This chapter describes the concept and configuration of objects that will be referenced by other
modules in system, including:

• "Address" on Page 520: Contains address information, and can be used by multiple modules.

• "Service Book" on Page 524: Contains service information, and can be used by multiple modules.

• "Application Book" on Page 532: Contains application information, and can be used by multiple modules.

• "Schedule" on Page 557: Specifies a time range or period. The functions that use the schedule take effect in the time range or period specified by the schedule.

• "AAA Server" on Page 560: Configures an AAA server.

• "User" on Page 573: Contains user information. A user is a person or machine that uses the functions of the device, or a person or machine that is under the management of the device.

• "Role" on Page 582: Contains role information that associates users with privileges.

• "Track Object" on Page 591: Tracks whether the specified object (IP address or host) is reachable or whether the specified interface is connected.

Object Configuration 519


Address
IP address is an important element for the configurations of multiple modules, such as policy
rules, NAT rules and session limit rules. Therefore, system uses an address book to facilitate IP
address reference and flexible configuration. You can specify a name for an IP range, and only the
name is referenced during configuration. The address book is the database in system that is used
to store the mappings between IP ranges and the corresponding names. The mapping entry
between an IP address and its name in the address book is known as an address entry.
An address entry also has the following features:

• All address books contain the following default address entries, named Any and private_network. The IP address of Any is 0.0.0.0/0, which is any IP address. Any can neither be edited nor deleted. The IP addresses of private_network are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, which cover all private network addresses. The private_network entry can be edited and deleted.

• One address entry can contain another address entry in the address book.

• If the IP range of an address entry changes, system will automatically update the other modules that reference the address entry.

Creating an Address Book

To create an address book:

1. Click Configuration Management > Object Configuration > Address Book.

2. Click New.

In the Address Configuration page, enter the address entry configuration.

Basic

Name: Type the address entry name into the Name box.

Type: Select the IP type, IPv4 or IPv6. Only the IPv6 firmware supports configuring the IPv6 type.

Member

Member: Click New to add an address entry member.
  • When you select the IPv4 type, configure IP/Netmask, IP Range, Hostname, Address Book, or Country/Region as needed.
  • When you select the IPv6 type, configure IPv6/prefix, IPv6 Range, Hostname or Address Book as needed.
  Tips:
  • Only the security policy and the policy-based route support an address entry with a Country/Region member added.
  • An address entry with a Country/Region member added does not support the Excluded Member settings.

New: Click New to add the configured member to the list below. If needed, repeat the above steps to add more members.

Delete: Delete the selected address entry member from the list.

Excluded Member

Member: Specify the excluded member. Click New to add an address entry member, and configure IP/netmask, IP range, Host name or Address entry as needed.
  Note: The address range of an excluded member must be within the address range of the members, otherwise the configuration cannot be completed.

New: Click New to add the configured excluded member to the list below. If needed, repeat the above steps to add more excluded members.

Delete: Delete the selected excluded member entry from the list.

3. Click OK.
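An added example (not Hillstone code) that models an address book with Member and Excluded Member lists and enforces the note above that an excluded member must lie inside the member range; the AddressEntry class, the "book:NAME" reference syntax and the corp_lan, internal and bad_entry entries are constructed for illustration, while Any and private_network carry the default values stated on the page.

```python
"""Address entry model with Member and Excluded Member handling (added
example, not Hillstone code). It implements the note in the table above:
an excluded member must lie inside the range formed by the members, or the
entry is rejected. Members may be IP/Netmask, IP Range or a reference to
another address entry ("book:NAME"); Hostname and Country/Region members
are not modelled. The address book below is constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field


def parse_member(spec, book):
    """Expand one member spec into a list of ip_network objects."""
    if spec.startswith("book:"):
        return book[spec[len("book:"):]].networks(book)
    if "-" in spec:                       # IP Range: "start-end"
        lo, hi = (ipaddress.ip_address(x.strip()) for x in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(spec, strict=False)]   # IP/Netmask


@dataclass
class AddressEntry:
    name: str
    members: list
    excluded: list = field(default_factory=list)

    def networks(self, book):
        """All networks covered by the members, nested entries expanded."""
        nets = []
        for spec in self.members:
            nets.extend(parse_member(spec, book))
        return nets

    def validate(self, book):
        """Every excluded range must sit inside the (merged) member ranges.
        Returns a list of error strings; an empty list means valid."""
        errors = []
        for version in (4, 6):
            covered = list(ipaddress.collapse_addresses(
                n for n in self.networks(book) if n.version == version))
            for spec in self.excluded:
                for ex in parse_member(spec, book):
                    if ex.version == version and not any(ex.subnet_of(c) for c in covered):
                        errors.append(f"{self.name}: excluded member {ex} "
                                      "is outside the member range")
        return errors

    def contains(self, ip, book):
        """True if ip is matched by this entry. Assumption: a referenced
        entry contributes its effective set, so its own exclusions apply."""
        addr = ipaddress.ip_address(ip)
        if any(addr in ex for spec in self.excluded
               for ex in parse_member(spec, book)):
            return False
        for spec in self.members:
            if spec.startswith("book:"):
                if book[spec[len("book:"):]].contains(str(addr), book):
                    return True
            elif any(addr in n for n in parse_member(spec, book)):
                return True
        return False


def sample_book():
    """The two default entries named on the page plus constructed samples."""
    entries = [
        AddressEntry("Any", ["0.0.0.0/0"]),
        AddressEntry("private_network",
                     ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
        AddressEntry("corp_lan", ["10.1.0.0/16", "10.2.0.0/16"],
                     excluded=["10.1.255.0/24"]),
        AddressEntry("internal", ["book:corp_lan", "172.16.10.1-172.16.10.50"]),
        # invalid on purpose: the excluded range is not inside any member
        AddressEntry("bad_entry", ["192.168.1.0/24"], excluded=["10.1.0.0/24"]),
    ]
    return {e.name: e for e in entries}


def validate_entry(name, book=None):
    book = book or sample_book()
    return book[name].validate(book)


def entry_contains(name, ip, book=None):
    book = book or sample_book()
    return book[name].contains(ip, book)
```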

Viewing Details

To view the details of an address entry, including the name, member, description and reference, take the following steps:

1. Click Configuration Management > Object Configuration > Address Book.

2. In the Address Book page, select "+" before an address entry from the member list, and
view the details under the entry.

Service Book
A service is an information stream defined by protocol standards. A service has specific distinguishing features, such as its protocol and port number. For example, the FTP service uses the TCP protocol, and its port number is 21. Service is an essential element for the configuration of multiple modules, including policy rules, NAT rules, etc.
System ships with multiple predefined services and service groups. You can also customize user-defined services and service groups as needed. All these services and service groups are stored in and managed by the service book.

Predefined Service/Service Group

System ships with multiple predefined services, and identifies the corresponding application types based on the service ports. The supported predefined services may vary among device models. Predefined service groups contain related predefined services to facilitate user configuration.

User-defined Service

In addition to the predefined services above, you can also easily create your own user-defined services. The parameters to specify for a user-defined service entry include:

• Name

• Protocol type

• The source and destination port for a TCP or UDP service, and the type and code value for an ICMP service.

• Timeout

• Application type

User-defined Service Group

You can organize several services together to form a service group, and apply the service group to policies directly to facilitate management. The service group has the following features:

• Each service in the service book can be used by one or more service groups.

• A service group can contain both predefined services and user-defined services.

• A service group can contain another service group. The service group of the system supports up to 8 layers of nesting.

The service group also has the following limitations:

• The name of a service and that of a service group must not be identical.

• A service group being used by any policy cannot be deleted. To delete such a service group, you must first end its relationship with other modules.

• If a user-defined service is deleted from a service group, the service will also be deleted from all the service groups using it.

Configuring a Service Book

This section describes how to configure a user-defined service and service group.

Configuring a User-defined Service

1. Select Configuration Management > Object Configuration > Service Book > Service.

2. Click New.

Option: Description

Service: Type the name for the user-defined service into the text box.

Member: Specify a protocol type for the user-defined service. The available options include TCP, UDP, ICMP, ICMPv6 and All. If needed, you can add multiple service items. Click New; the parameters for each protocol type are described as follows:

  TCP/UDP: Destination port:
    • Min - Specifies the minimum port number of the specified service entry.
    • Max - Specifies the maximum port number of the specified service entry.
    The value range is 0 to 65535.
    Source port:
    • Min - Specifies the minimum port number of the specified service entry.
    • Max - Specifies the maximum port number of the specified service entry.
    The value range is 0 to 65535.
    Notes:
    • The minimum port number cannot exceed the maximum port number.
    • The "Min" of the destination port is required; the other options are optional.
    • If "Max" is not configured, system will use "Min" as the single port number.

  ICMP: Type: Specifies an ICMP type for the service entry. The value range is 0 (Echo-Reply), 3 (Destination-Unreachable), 4 (Source Quench), 5 (Redirect), 8 (Echo), 11 (Time Exceeded), 12 (Parameter Problem), 13 (Timestamp), 14 (Timestamp Reply), 15 (Information Request), 16 (Information Reply), 17 (Address Mask Request), 18 (Address Mask Reply), 30 (Traceroute), 31 (Datagram Conversion Error), 32 (Mobile Host Redirect), 33 (IPv6 Where-Are-You), 34 (IPv6 I-Am-Here), 35 (Mobile Registration Request), 36 (Mobile Registration Reply).
    Code: Specifies a minimum value and a maximum value for the ICMP code. The value range is 0 to 15; the default value is min code 0, max code 15.
    Notes:
    • The minimum code cannot exceed the maximum code.
    • If "Max" is not configured, system will use "Min" as the single code.

  ICMPv6: Type: Specifies an ICMPv6 type for the service entry. The value range is 1 (Dest-Unreachable), 2 (Packet Too Big), 3 (Time Exceeded), 4 (Parameter Problem), 100 (Private experimentation), 101 (Private experimentation), 127 (Reserved for expansion of ICMPv6 error message), 128 (Echo Request), 129 (Echo Reply), 130 (Multicast Listener Query), 131 (Multicast Listener Report), 132 (Multicast Listener Done), 133 (Router Solicitation), 134 (Router Advertisement), 135 (Neighbor Solicitation), 136 (Neighbor Advertisement), 137 (Redirect Message), 138 (Router Renumbering), 139 (ICMP Node Information Query), 140 (ICMP Node Information Response), 141 (Inverse Neighbor Discovery Solicitation Message), 142 (Inverse Neighbor Discovery Advertisement Message), 143 (Version 2 Multicast Listener Report), 144 (Home Agent Address Discovery Request Message), 145 (Home Agent Address Discovery Reply Message), 146 (Mobile Prefix Solicitation), 147 (Mobile Prefix Advertisement), 148 (Certification Path Solicitation Message), 149 (Certification Path Advertisement Message), 150 (ICMP message utilized by experimental mobility protocols such as Seamoby), 151 (Multicast Router Advertisement), 152 (Multicast Router Solicitation), 153 (Multicast Router Termination), 154 (FMIPv6 Messages), 200 (Private experimentation), 201 (Private experimentation) and 255 (Reserved for expansion of ICMPv6 informational).
    Code: Specifies a minimum value and a maximum value for the ICMPv6 code. The value range is 0 to 255; the default value is min code 0, max code 255.

  All: Protocol: Specifies a protocol number for the service entry. The value range is 1 to 255.

Description: If needed, type the description for the service into the text box.

3. Click OK.
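An added example (not Hillstone code) that models a user-defined service entry as described in the table above and matches constructed packets against it, applying the stated rules that the destination Min port is required, that a missing Max is treated as Min, and that Min may not exceed Max; the ServiceItem and Packet classes and the ftp-ctl-and-ping, app-ports and gre services are constructed for illustration.

```python
"""Service Book matcher (added example, not Hillstone code). It models the
user-defined service entry described above: items of type TCP/UDP (destination
port range plus optional source port range), ICMP/ICMPv6 (type plus code range)
or All (protocol number), with the rules that the destination Min port is
required, that Max defaults to Min, and that Min may not exceed Max.
"""
from dataclasses import dataclass

PROTO_NUMBERS = {"TCP": 6, "UDP": 17, "ICMP": 1, "ICMPv6": 58}  # IP protocol field


class ServiceConfigError(ValueError):
    """Raised when a service item violates the rules in the table above."""


def _range(min_v, max_v, lo, hi, what):
    """Normalise (Min, Max): Min required, Max defaults to Min, lo <= Min <= Max <= hi."""
    if min_v is None:
        raise ServiceConfigError(f"{what}: Min is required")
    if max_v is None:
        max_v = min_v
    if not (lo <= min_v <= hi and lo <= max_v <= hi):
        raise ServiceConfigError(f"{what}: values must be within {lo}..{hi}")
    if min_v > max_v:
        raise ServiceConfigError(f"{what}: Min cannot exceed Max")
    return (min_v, max_v)


@dataclass
class ServiceItem:
    proto: str                   # "TCP", "UDP", "ICMP", "ICMPv6" or "All"
    dst_min: int = None
    dst_max: int = None
    src_min: int = None          # source port is optional (None = any)
    src_max: int = None
    icmp_type: int = None
    code_min: int = None
    code_max: int = None
    protocol_number: int = None

    def __post_init__(self):
        if self.proto in ("TCP", "UDP"):
            self.dst = _range(self.dst_min, self.dst_max, 0, 65535, "destination port")
            self.src = (None if self.src_min is None and self.src_max is None
                        else _range(self.src_min, self.src_max, 0, 65535, "source port"))
        elif self.proto in ("ICMP", "ICMPv6"):
            if self.icmp_type is None:
                raise ServiceConfigError("ICMP type is required")
            hi = 15 if self.proto == "ICMP" else 255
            if self.code_min is None and self.code_max is None:
                self.code = (0, hi)   # page default: min code 0, max code 15 / 255
            else:
                self.code = _range(self.code_min, self.code_max, 0, hi, "ICMP code")
        elif self.protocol_number is None or not 1 <= self.protocol_number <= 255:
            raise ServiceConfigError("All: protocol number must be within 1..255")

    def matches(self, pkt):
        if self.proto == "All":
            return pkt.protocol_number == self.protocol_number
        if pkt.protocol_number != PROTO_NUMBERS[self.proto]:
            return False
        if self.proto in ("TCP", "UDP"):
            return (self.dst[0] <= pkt.dport <= self.dst[1]
                    and (self.src is None or self.src[0] <= pkt.sport <= self.src[1]))
        return (pkt.icmp_type == self.icmp_type
                and self.code[0] <= pkt.icmp_code <= self.code[1])


@dataclass
class Packet:               # constructed packet summary: IP protocol number plus L4 fields
    protocol_number: int
    sport: int = None
    dport: int = None
    icmp_type: int = None
    icmp_code: int = None


def sample_services():
    """Constructed user-defined services (sample values, not from the manual)."""
    return {
        "ftp-ctl-and-ping": [ServiceItem("TCP", dst_min=21), ServiceItem("ICMP", icmp_type=8)],
        "app-ports": [ServiceItem("UDP", dst_min=5000, dst_max=5010, src_min=1024, src_max=65535)],
        "gre": [ServiceItem("All", protocol_number=47)],
    }


def service_matches(name, pkt, services=None):
    """True if any item of the named service matches the packet."""
    return any(item.matches(pkt) for item in (services or sample_services())[name])


def is_valid_item(**kwargs):
    """Report whether a service item configuration would be accepted."""
    try:
        ServiceItem(**kwargs)
        return True
    except ServiceConfigError:
        return False
```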

Configuring a User-defined Service Group

1. Select Configuration Management > Object Configuration > Service Book > Service
Group.

2. Click New.

Option: Description

Name: Type the name for the user-defined service group into the text box.

Description: If needed, type the description for the service group into the text box.

Member: Add services or service groups to the service group. The system supports at most 8 layers of nested service groups. Expand Pre-defined Service or User-defined Service in the left pane, select services or service groups, and then click Add to add them to the right pane. To remove a selected service, select it in the right pane, and then click Remove.

3. Click OK.

Viewing Details

To view the details of a service entry, including the name, protocol, destination port and reference, take the following steps:

1. Click Configuration Management > Object Configuration > Service Book > Service.

2. In the Service page, click "+" before a service entry in the member list, and view the details under the entry.

Application Book
An application has specific features, such as its protocol, port number and application type. Application is an essential element for the configuration of multiple device modules, including policy rules, NAT rules, etc.
System ships with multiple predefined applications and predefined application groups. You can also customize user-defined applications and application groups as needed. All these applications and application groups are stored in and managed by the application book.

Editing a Predefined Application

You can view and use all the supported predefined applications and edit TCP timeout, but cannot
delete any of them. To edit a predefined application, take the following steps:

1. Select Configuration Management > Object Configuration > APP Book > Application.

2. Select the application you want to edit from the application list, and click Edit.

3. In the Application Configuration page, edit TCP timeout for the application.

Creating a User-defined Application

You can create your own user-defined applications. By configuring customized application signature rules, system can identify and manage the traffic that passes through the device, and thus determine the type of the traffic.
To create a user-defined application, take the following steps:

1. Select Configuration Management > Object Configuration > APP Book > Application.

2. Click New.

Configure the following options.

Option: Description

Name: Specify the name of the user-defined application.

Timeout: Configure the application timeout value. If it is not configured, system will use the default value of the protocol.

Signature: Select the signature of the application and then click Add. To create a new signature, see "Application Book" on Page 532.

Description: Specify the description of the user-defined application.

3. Click OK.

Creating a User-defined Application Group

To create a user-defined application group, take the following steps:

1. Select Configuration Management > Object Configuration > APP Book > Application Groups.

2. Click New.

Configure the following options.

Option: Description

Name: Specifies a name for the new application group.

Member: Add applications or application groups to the application group. System supports at most 8 layers of nested application groups. Expand Application or Application Group in the left pane, select applications or application groups, and then click Add to add them to the right pane. To remove a selected application or application group, select it in the right pane, and then click Remove.

Description: Specifies the description for the application group.

3. Click OK.

Creating an Application Filter Group

Application Filter Group allows you to create a group to filter applications according to applic-
ation category, sub-category, technology, risk, and attributes.
To create an application filter group:

1. Select Configuration Management > Object Configuration > APP Book > Application Filters.

2. Click New.

3. Type an application filter group name in the Name text box.

4. Specify the filter conditions. Choose the category, subcategory, technology, risk and characteristic in sequence from the drop-down lists. If needed, click Clear Filter to clear all the selected filter conditions.

5. Click OK.

Creating a Signature Rule

By configuring customized application signature rules, system can identify and manage the traffic that passes through the device. When the traffic matches all the conditions defined in a signature rule, it hits that signature rule, and system then identifies the application type.
To create a new signature rule, take the following steps:

1. Select Configuration Management > Object Configuration > APP Book > Signature Rule.

2. Click New.

Configure the following options.

Option: Description

Type: Specify the IP address type, IPv4 or IPv6. If IPv6 is enabled, traffic of IPv6 addresses will be recognized by StoneOS.

Source

Zone: Specify the source security zone of the signature rule.

Address: Specify the source address. You can use the Address Book type or the IP/Netmask type.

Destination

Address: Specify the destination address. You can use the Address Book type or the IP/Netmask type.

Protocol

Type: When selecting TCP or UDP:
  • Destination Port: Specify the destination port number of the user-defined application signature. If the destination port number is within a range, system will take the value of min-port as the minimum port number and the value of max-port as the maximum port number. The range of the destination port number is 0 to 66535. The port number cannot be 0. For example, the destination port number can be in the range of 0 to 20, but it cannot be 0.
  • Source Port: Specify the source port number of the user-defined application signature. If the source port number is within a range, system will take the value of min-port as the minimum port number and the value of max-port as the maximum port number. The range of the source port number is 0 to 66535.
  When selecting ICMP or ICMPv6:
  • When IPv4 is selected, select ICMP:
    • Type: Specify the value of the ICMP type of the application signature. The options are as follows: 0 (Echo-Reply), 3 (Destination-Unreachable), 4 (Source Quench), 5 (Redirect), 8 (Echo), 11 (Time Exceeded), 12 (Parameter Problem), 13 (Timestamp), 14 (Timestamp Reply), 15 (Information Request), 16 (Information Reply), 17 (Address Mask Request), 18 (Address Mask Reply), 30 (Traceroute), 31 (Datagram Conversion Error), 32 (Mobile Host Redirect), 33 (IPv6 Where-Are-You), 34 (IPv6 I-Am-Here), 35 (Mobile Registration Request), 36 (Mobile Registration Reply).
    • Min Code: Specify the value of the ICMP code of the application signature. The ICMP code is in the range of 0 to 15. The default value is 0.
  • When IPv6 is selected, select ICMPv6:
    • Type: Specify the value of the ICMPv6 type of the application signature. The options are as follows: 1 (Dest-Unreachable), 2 (Packet Too Big), 3 (Time Exceeded), 4 (Parameter Problem), 100 (Private experimentation), 101 (Private experimentation), 127 (Reserved for expansion of ICMPv6 error message), 128 (Echo Request), 129 (Echo Reply), 130 (Multicast Listener Query), 131 (Multicast Listener Report), 132 (Multicast Listener Done), 133 (Router Solicitation), 134 (Router Advertisement), 135 (Neighbor Solicitation), 136 (Neighbor Advertisement), 137 (Redirect Message), 138 (Router Renumbering), 139 (ICMP Node Information Query), 140 (ICMP Node Information Response), 141 (Inverse Neighbor Discovery Solicitation Message), 142 (Inverse Neighbor Discovery Advertisement Message), 143 (Version 2 Multicast Listener Report), 144 (Home Agent Address Discovery Request Message), 145 (Home Agent Address Discovery Reply Message), 146 (Mobile Prefix Solicitation), 147 (Mobile Prefix Advertisement), 148 (Certification Path Solicitation Message), 149 (Certification Path Advertisement Message), 150 (ICMP message utilized by experimental mobility protocols such as Seamoby), 151 (Multicast Router Advertisement), 152 (Multicast Router Solicitation), 153 (Multicast Router Termination), 154 (FMIPv6 Messages), 200 (Private experimentation), 201 (Private experimentation) and 255 (Reserved for expansion of ICMPv6 informational).
    • Min Code: Specify the value of the ICMPv6 code of the application signature. The ICMPv6 code is in the range of 0 to 255. The default value is 0.
  When selecting Others:
  • Protocol: Specifies the protocol number of the application signature. The protocol number is in the range of 1 to 255.

Action

App-Signature Rule: Select Enable to make this signature rule take effect after configuration. Otherwise, it will not take effect.

Continue Dynamic Identification: If this Enable button is not clicked, once the traffic matches the user-defined signature rule and system has identified the application type, system will not continue identifying the application. For higher accuracy, you can click the Enable button so that system continues dynamic identification.

3. Click OK.

Viewing Details

To view the details of an application entry, including the name, category, risk and reference, take
the following steps:

1. Select Configuration Management > Object Configuration > APP Book > Application.

2. In the Application page, click "+" before an application entry in the member list, and view the details under the entry.

SSL Proxy
This feature may not be available on all platforms. Please check your system's actual page to see if
your device delivers this feature.
To assure the security of sensitive data transmitted over networks, more and more websites adopt SSL encryption to protect their information. The device provides the SSL proxy function to decrypt HTTPS/POP3S/SMTPS/IMAPS traffic. The SSL proxy function works in the following two scenarios:
In the first scenario, the device works as the gateway of Web clients. The SSL proxy function replaces the certificates of encrypted websites with the SSL proxy certificate to obtain the encrypted information, and sends the SSL proxy certificate to the client's Web browser. During this process, the device acts as an SSL client and an SSL server to establish connections to the Web server and the Web browser respectively. The SSL proxy certificate is generated by using the device's local certificate to re-sign the website certificate. The process is described below:

In the second scenario, the device works as the gateway of Web servers. The device with SSL proxy enabled can work as the SSL server, use the certificate of the Web server to establish the SSL connection with Web clients (Web browsers), and send the decrypted traffic to the internal Web server.

Work Mode

There are two work modes. For the first scenario, the SSL proxy function can work in the client-inspection proxy mode; for the second scenario, the SSL proxy function can work in the server-inspection proxy/offload mode.
When the SSL proxy function works in the client-inspection proxy mode, it can perform the SSL proxy on specified websites.
For the websites that do not need SSL proxy, it dynamically adds the IP address and port of the websites to a bypass list, and the HTTPS/POP3S/SMTPS/IMAPS traffic will be bypassed.
For the websites proxied by the SSL proxy function, the device checks the parameters of the SSL negotiation. When a parameter matches an item in the checklist, the corresponding HTTPS/POP3S/SMTPS/IMAPS traffic can be blocked or bypassed according to the action you specified.

• If the action is Block, the HTTPS/POP3S/SMTPS/IMAPS traffic will be blocked by the device.

• If the action is Bypass, the HTTPS/POP3S/SMTPS/IMAPS traffic will not be decrypted. Meanwhile, the device will dynamically add the IP address and port number of the website to the bypass list, and the HTTPS/POP3S/SMTPS/IMAPS traffic will be bypassed.

The device will decrypt the HTTPS/POP3S/SMTPS/IMAPS traffic that is not blocked or bypassed.
When the SSL proxy function works in the server-inspection offload mode, it will proxy the SSL connections initiated by Web clients, decrypt the HTTPS traffic, and send the HTTPS traffic as plaintext to the Web server.
You can integrate the SSL proxy function with the following:

• Integrate with the application identification function. Devices can decrypt the HTTPS/POP3S/SMTPS/IMAPS traffic that applications have encrypted using SSL and identify the application. After the application identification, you can configure the policy rule, QoS, session limit and policy-based route.

• Integrate with the Web content function, Web post function, and email filter function. Devices can audit the actions that access the HTTPS website.

• Support unilateral SSL proxy in WebAuth. The SSL client can use an SSL connection during the authentication stage. When authentication is completed, SSL proxy no longer takes effect, and the client and server communicate directly without SSL encryption.

• Integrate with AV, IPS, and URL. Devices can perform the AV protection, IPS protection, and URL filter on the decrypted HTTPS traffic.

Working as Gateway of Web Clients

To implement the SSL proxy, you need to bind an SSL proxy profile to a policy rule. After binding the SSL proxy profile to a policy rule, system will use the SSL proxy profile to deal with the traffic that matches the policy rule. To implement the SSL proxy, take the following steps:

1. Configure the corresponding parameters of SSL negotiation, including the following items: specify the PKI trust domain of the device certificate, obtain the CN value of the Subject field from the website certificate, configure the trusted SSL certificate list, and import the device certificate into the Web browser.

2. Configure an SSL proxy profile, including the following items: choose the work mode, set the website list (using the CN value of the Subject field of the website certificate), configure the actions for the HTTPS traffic when its SSL negotiation matches an item in the checklist, enable the audit warning page, and so on.

3. Bind the SSL proxy profile to a proper policy rule. The device will decrypt the HTTPS traffic that matches the policy rule and is not blocked or bypassed by the device.

Configuring SSL Proxy Parameters

Configuring SSL proxy parameters includes the following items:

• Specify the PKI trust domain of the device certificate

• Obtain the CN value of the website certificate

• Configure a trusted SSL certificate list

• Import a device certificate to a Web browser

Specifying the PKI Trust Domain of Device Certificate

By default, the certificate of the default trust domain trust_domain_ssl_proxy_2048 is used together with the Web server certificate to generate the SSL proxy certificate, and system then issues the generated SSL proxy certificate to the client. You can specify another PKI trust domain in system as the trust domain of the device certificate. The specified trust domain must have a CA certificate, a local certificate, and the private key of the local certificate. To specify a trust domain, take the following steps:

1. Click Configuration Management > Object Configuration > SSL Proxy.

2. At the top-right corner of the page, click Trust Domain Configuration.

3. Select a trust domain from the Trust domain drop-down list.

• The trust domain trust_domain_ssl_proxy uses RSA with a modulus size of 1024 bits.

• The trust domain trust_domain_ssl_proxy_2048 uses RSA with a modulus size of 2048 bits.

4. Click OK to save the settings.

Obtaining the CN Value

To get the CN value in the Subject field of the website certificate, take the following steps (take
www.gmail.com as the example):

1. Open the IE Web browser, and visit https://www.gmail.com.

2. Click the Security Report button next to the URL.

3. In the pop-up dialog box, click View certificates.

4. In the Details tab, click Subject. You can view the CN value in the text box.

Importing Device Certificate to Client Browser

In the proxy process, the SSL proxy certificate is used to replace the website certificate. However, the root certificate of the SSL proxy certificate is not present in the client browser, so the client cannot visit the proxied website properly. To address this problem, you have to import the root certificate (the certificate of the device) into the browser.
First, export the device certificate to the local PC by taking the following steps:

1. Export the device certificate to local PC. Select Configuration Management > System Con-
figuration > PKI > Trust Domain Certificate.

2. In the Trust Domain Certificate page, configure the options as below:

• Trust domain: trust_domain_ssl_proxy or trust_domain_ssl_proxy_2048

• Content: CA certificate

• Action: Export

3. Click OK and select the path to save the certificate. The certificate will be saved to the spe-
cified location.

Then, import the device certificate to the client browser. Take Internet Explorer as an example:

1. Open IE.

2. From the toolbar, select Tools > Internet Options.

3. In the Content tab, click Certificates.



4. In the Certificates dialog box, click the Trusted Root Certification Authorities tab.

5. Click Import. Import the certificate following the Certificate Import Wizard.

Configuring an SSL Proxy Profile

Configuring an SSL proxy profile includes the following items: choosing the work mode, setting the
website list (using the CN value of the Subject field of the website certificate), configuring the
actions for HTTPS/POP3S/SMTPS/IMAPS traffic whose SSL negotiation matches an item in the
checklist, enabling the audit warning page, and so on. The system supports up to 32 SSL proxy
profiles, and each profile supports up to 10,000 website entries.
To configure an SSL proxy profile, take the following steps:

1. Click Configuration Management > Object Configuration > SSL Proxy.

2. At the top-left corner, click New to create a new SSL proxy profile.



In this page, configure the following options.

Option Description

Name: Specify the name of the SSL proxy profile.

Description: Add the description.

Mode: When the device works as the gateway of Web clients, the SSL proxy function can work in the
client-inspection proxy mode. When the device works as the gateway of Web servers, the SSL proxy
function can work in the server-inspection offload mode.

  • In the client-inspection proxy mode, the device does not perform the SSL proxy function on
    the communication encrypted by the specified website certificates. The communication
    encrypted by other website certificates is proxied by the SSL proxy function.

  • In the server-inspection proxy/offload mode, the device proxies the SSL connections
    initiated by Web clients, decrypts the HTTPS traffic, and sends the HTTPS traffic as
    plaintext to the Web server.

App Inspection: Select an application to be proxied by the SSL proxy function. Currently, the
system supports SSL proxy on the HTTPS, POP3S, SMTPS and IMAPS traffic passing through the default
port. By default, only HTTPS traffic is proxied, but you can select multiple applications as
needed. To make sure that HTTPS/POP3S/SMTPS/IMAPS traffic passing through user-defined ports is
also proxied by the function, configure the user-defined ports in Configuration Management >
Object Configuration > APP Book > Static Signature Rule.
Note: Only the predefined applications created in Configuration Management > Object
Configuration > APP Book > Application can be proxied by the SSL proxy function.

Common Name: Set the website list based on the work mode. When the SSL proxy is in the Require
mode, set the websites that will be proxied by the SSL proxy function. When the SSL proxy is in
the Exempt mode, set the websites that will not be proxied by the SSL proxy function; the device
performs SSL proxy on all other websites. To set the website list, click New and specify the CN
value of the Subject field of the website certificate.

Root Certificate Push: Click the Enable button to enable Root Certificate Push. When the HTTPS
traffic is decrypted by the SSL proxy function, the Install Root Certificate page is displayed in
your Web browser. In the Install Root Certificate page, you can select Download or Downloaded,
Ignored as needed.

  • Download: Click the button to download the root certificate to your local PC. For details
    on importing a root certificate into your Web browser, refer to Importing Device Certificate
    to Client Browser.

  • Downloaded, Ignored: If you click the button, the system will no longer push the Install
    Root Certificate page, and will redirect you to the page you want to visit.

  Notes:

  • When the Install Root Certificate page is displayed, if you close the browser, the system
    will still push the page on your next HTTPS request.

  • You must install the root certificate. If you do not install the root certificate, the
    system will prompt that the access is not secure, and the page may not load completely.

  Click the Enable button again to disable Root Certificate Push. With the function disabled,
  when the client initiates an HTTPS request:

  • If the root certificate has been installed in your Web browser, you will be redirected to
    the page you want to visit.

  • If the root certificate has not been installed in your Web browser, you will be prompted
    that the page you are visiting is not secure.

Decryption Configuration

Key Modulus: Specify the key pair modulus size of the private/public keys that are associated
with the SSL proxy certificate. You can select 1024 bits or 2048 bits.

Encryption mode check

Unsupported version: Check the SSL protocol version used by the server.

  • When the SSL protocol used by the SSL server is not supported by the system, you can select
    Block to block its HTTPS/POP3S/SMTPS/IMAPS traffic, or select Bypass to bypass its
    HTTPS/POP3S/SMTPS/IMAPS traffic.

  • When the SSL protocol used by the SSL server is supported, the system continues to check
    the other items.

Unsupported encryption algorithms: Check the encryption algorithm used by the server.

  • When the encryption algorithm used by the SSL server is not supported by the system, you
    can select Block to block its HTTPS/POP3S/SMTPS/IMAPS traffic, or select Bypass to bypass
    its HTTPS/POP3S/SMTPS/IMAPS traffic.

  • When the encryption algorithm used by the SSL server is supported, the system continues to
    check the other items.

Unknown Error: Check for unknown errors.

  • When SSL negotiation fails and the cause of the failure cannot be confirmed, you can select
    Block to block its HTTPS/POP3S/SMTPS/IMAPS traffic, or select Bypass to bypass its
    HTTPS/POP3S/SMTPS/IMAPS traffic.

  • When the system does not need to check for unknown failures, it continues to check the
    other items.

Blocking SSL version: When the SSL server uses the specified version of the SSL protocol, the
system can block its HTTPS/POP3S/SMTPS/IMAPS traffic.

Blocking encryption algorithm: When the SSL server uses the specified encryption algorithm, the
system can block its HTTPS/POP3S/SMTPS/IMAPS traffic.

Server certificate check

Expired certificate: Check the certificate used by the server. When the certificate has expired,
you can select Block to block its HTTPS/POP3S/SMTPS/IMAPS traffic, select Bypass to bypass its
HTTPS/POP3S/SMTPS/IMAPS traffic, or select Decrypt to decrypt the HTTPS/POP3S/SMTPS/IMAPS traffic.

Client verification: Check whether the SSL server verifies the client certificate.

  • When the SSL server verifies the client certificate, you can select Block to block its
    HTTPS/POP3S/SMTPS/IMAPS traffic, or select Bypass to bypass its HTTPS/POP3S/SMTPS/IMAPS
    traffic.

  • When the SSL server does not verify the client certificate, the system continues to check
    the other items.

Verification Failed: Verify the server certificate. You can configure an action for the
HTTPS/POP3S/SMTPS/IMAPS traffic when the certificate fails verification.

  • Decrypt: Decrypt the HTTPS/POP3S/SMTPS/IMAPS traffic when the certificate fails
    verification, and select whether to use the self-signed certificate.

    • Use self-signed certificate: Click the Enable button to use the self-signed certificate
      to complete the SSL negotiation with the Web browser. The browser will then prompt a
      warning message.

    • Do not use self-signed certificate: Click the Enable button to disable the self-signed
      certificate. The system will then use the trusted certificate "SG6000" to complete the
      SSL negotiation with the Web browser. If the certificate "SG6000" has been installed,
      the browser will not prompt a warning message.

  • Block: Block the HTTPS/POP3S/SMTPS/IMAPS traffic when the certificate fails verification.

  • Bypass: Bypass the HTTPS/POP3S/SMTPS/IMAPS traffic when the certificate fails verification.

3. Click OK to save the settings.
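The decision chain described in the option table above, as an added example (not Hillstone's own code): the Common Name list decides whether a site is proxied at all, then the encryption mode checks and server certificate checks fire in table order, and the first one that fires selects Block, Bypass or Decrypt. The profile and handshake field names, the supported-version and cipher lists, the "require"/"exempt" naming taken from the Common Name row, and exact CN matching are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Actions named in the option table above.
BLOCK, BYPASS, DECRYPT = "block", "bypass", "decrypt"

# Protocol versions and cipher suites this example treats as "supported in
# system" (constructed for the example, not a Hillstone list).
SUPPORTED_VERSIONS = {"TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
SUPPORTED_CIPHERS = {
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
}


@dataclass
class SslProxyProfile:
    """One SSL proxy profile (client-inspection side of the table)."""
    mode: str                                        # "require" or "exempt" (Common Name row)
    common_names: set = field(default_factory=set)   # CN values of the Subject field
    unsupported_version: str = BLOCK                 # block | bypass
    unsupported_cipher: str = BLOCK                  # block | bypass
    unknown_error: str = BLOCK                       # block | bypass
    blocked_versions: set = field(default_factory=set)   # "Blocking SSL version"
    blocked_ciphers: set = field(default_factory=set)    # "Blocking encryption algorithm"
    expired_certificate: str = BLOCK                 # block | bypass | decrypt
    client_verification: str = BYPASS                # block | bypass
    verification_failed: str = BLOCK                 # block | bypass | decrypt


@dataclass
class Handshake:
    """What the device learned from the server side of the SSL negotiation."""
    cn: str                               # CN of the server certificate's Subject
    version: str
    cipher: str
    cert_expired: bool = False
    client_cert_requested: bool = False   # the server verifies the client certificate
    cert_verified: bool = True            # chain verification result
    negotiation_failed: bool = False      # failed for a cause that cannot be confirmed


def website_is_proxied(profile: SslProxyProfile, cn: str) -> bool:
    """Common Name row: Require mode proxies only listed sites, Exempt mode
    proxies everything except listed sites. Exact CN match is an assumption."""
    listed = cn in profile.common_names
    return listed if profile.mode == "require" else not listed


def decide(profile: SslProxyProfile, hs: Handshake) -> str:
    """Walk the checks in the order the table lists them; the first check
    that fires decides, otherwise the traffic is decrypted."""
    if not website_is_proxied(profile, hs.cn):
        return BYPASS
    # Encryption mode check
    if hs.version not in SUPPORTED_VERSIONS:
        return profile.unsupported_version
    if hs.cipher not in SUPPORTED_CIPHERS:
        return profile.unsupported_cipher
    if hs.negotiation_failed:
        return profile.unknown_error
    if hs.version in profile.blocked_versions:
        return BLOCK
    if hs.cipher in profile.blocked_ciphers:
        return BLOCK
    # Server certificate check
    if hs.cert_expired:
        return profile.expired_certificate
    if hs.client_cert_requested:
        return profile.client_verification
    if not hs.cert_verified:
        return profile.verification_failed
    return DECRYPT


if __name__ == "__main__":
    # Exempt mode: www.gmail.com is left alone, everything else is inspected.
    profile = SslProxyProfile(mode="exempt", common_names={"www.gmail.com"},
                              blocked_versions={"TLSv1.0"})
    for hs in (
        Handshake("www.gmail.com", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
        Handshake("mail.example.test", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
        Handshake("old.example.test", "TLSv1.0", "ECDHE-RSA-AES128-GCM-SHA256"),
        Handshake("legacy.example.test", "SSLv3", "RC4-SHA"),
    ):
        print(f"{hs.cn:22} {hs.version:7} -> {decide(profile, hs)}")
```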

Working as Gateway of Web Servers

To implement SSL proxy, you need to bind an SSL proxy profile to a policy rule. After the SSL
proxy profile is bound to a policy rule, the system uses the profile to process the traffic that
matches the rule. To implement SSL proxy, take the following steps:

1. Configure an SSL proxy profile, which includes the following items: choose the work mode, and
specify the trust domain of the Web server certificate and the HTTP port number of the Web
server.

2. Bind the SSL proxy profile to a proper policy rule. The device will decrypt the HTTPS traffic
that matches the policy rule.

Configuring an SSL Proxy Profile

Configuring an SSL proxy profile includes the following items: choose the work mode, and specify
the trust domain of the Web server certificate and the HTTP port number of the Web server.
To configure an SSL proxy profile, take the following steps:



1. Click Configuration Management > Object Configuration > SSL Proxy.

2. At the top-left corner, click New to create a new SSL proxy profile.

In this page, configure the following options.

Option Description

Name: Specify the name of the SSL proxy profile.

Description: Add the description.

Mode: When the device works as the gateway of Web servers, the SSL proxy function can work in
the Offload mode.

Service Port: Specify the HTTP port number of the Web server.

Server Trust Domain: Since the device works as the SSL server and uses the certificate of the
Web server to establish the SSL connection with Web clients (Web browsers), you need to import
the certificate and the key pair into a trust domain on the device. For more information about
importing the certificate and the key pair, see "PKI" on Page 662.
After you complete the import, select the trust domain used by this SSL profile.

Warning: Select Enable to enable the warning page. When the HTTPS traffic is decrypted by the
SSL proxy function, a request to an HTTPS website is redirected to the SSL proxy warning page.
In this page, the system notifies users that their access to HTTPS websites is being monitored
and asks them to protect their privacy.

3. Click OK to save the settings.

Binding an SSL Proxy Profile to a Policy Rule

After the SSL proxy profile is bound to a policy rule, the system processes the traffic that
matches the rule according to the profile configuration. To bind the SSL proxy profile to a
policy rule, see "Security Policy" on Page 164.



Schedule
The system supports schedules. This function allows configurations to take effect at a specified
time. A schedule consists of a periodic schedule and a timeframe. The periodic schedule specifies
a time point or time range for each periodic schedule entry, while the timeframe decides the time
range in which the periodic schedule takes effect.

Periodic Schedule

Periodic schedule is the collection of periods specified by all the schedule entries within the
schedule. You can add up to 16 schedule entries to a periodic schedule. These entries can be
divided into 3 types:

• Daily: The specified time of every day, such as Everyday 09:00:30 to 18:00:20.

• Days: The specified time of a specified day during a week, such as Monday Tuesday Saturday
  09:00:15 to 13:30:45.

• Period: A continuous period during a week, such as from Monday 09:30:30 to Wednesday
  15:00:05.

Timeframe

Timeframe is a time range in which periodic schedule will take effect. If no timeframe is spe-
cified, the periodic schedule will take effect as soon as it is used by some module.

Creating a Schedule

To create a schedule, take the following steps:



1. Select Configuration Management > Object Configuration > Schedule.

2. Click New.

Configure the following options.

Option Description

Name: Specify a name for the new schedule.

Add: Click Add and then specify a type for the periodic schedule.

Type:

  • Daily - The specified time of every day. Click this radio button, and then, in the Time
    section, select a start time and end time from the Start Time and End Time drop-down lists
    respectively.

  • Days - The specified time of a specified day during a week. Click this radio button, then
    select a day/days in the Days and Time section, and finally select a start time and end
    time from the Start time and End time drop-down lists respectively.

  • Duration - A continuous period during a week. Click this radio button, and then in the
    Duration section select a start day/time and end day/time from the Start time and End time
    drop-down lists respectively.

Preview: Preview the details of the configured periodic schedule in the Preview section.

Delete: Select the entry you want to delete from the periodic schedule list below, and click
Delete.

Timeframe

Start Time: Specify the start time of the timeframe.

End Time: Specify the end time of the timeframe.

3. Click OK.
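An added example (not Hillstone's own code) that evaluates a schedule as described above: the three entry types (Daily, Days, Duration/Period), the 16-entry limit, and the timeframe that gates the whole periodic schedule, using the sample entries from the text. The class names, inclusive bounds, the wrap-over-Sunday handling for a period whose end day precedes its start day, and the sample timeframe are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Union

MAX_ENTRIES = 16     # a periodic schedule holds up to 16 entries
WEEKDAYS = ("Monday", "Tuesday", "Wednesday", "Thursday",
            "Friday", "Saturday", "Sunday")


@dataclass(frozen=True)
class Daily:
    """The specified time of every day, e.g. 09:00:30 to 18:00:20."""
    start: time
    end: time


@dataclass(frozen=True)
class Days:
    """The specified time on the listed weekdays."""
    days: frozenset
    start: time
    end: time


@dataclass(frozen=True)
class Period:
    """A continuous span within the week, e.g. Monday 09:30:30 to Wednesday 15:00:05."""
    start_day: str
    start: time
    end_day: str
    end: time


def _week_seconds(day_index: int, t: time) -> int:
    """Seconds elapsed since Monday 00:00:00 for a weekday/time pair."""
    return day_index * 86400 + t.hour * 3600 + t.minute * 60 + t.second


def entry_matches(entry: Union[Daily, Days, Period], at: datetime) -> bool:
    """True when the moment `at` falls inside one schedule entry (inclusive bounds)."""
    now = at.time().replace(microsecond=0)
    if isinstance(entry, Daily):
        return entry.start <= now <= entry.end
    if isinstance(entry, Days):
        return WEEKDAYS[at.weekday()] in entry.days and entry.start <= now <= entry.end
    if isinstance(entry, Period):
        begin = _week_seconds(WEEKDAYS.index(entry.start_day), entry.start)
        finish = _week_seconds(WEEKDAYS.index(entry.end_day), entry.end)
        moment = _week_seconds(at.weekday(), now)
        if begin <= finish:
            return begin <= moment <= finish
        # Assumption: a period whose end day precedes its start day wraps over
        # Sunday midnight (e.g. Saturday 22:00:00 to Monday 06:00:00).
        return moment >= begin or moment <= finish
    raise TypeError(f"unknown schedule entry type: {type(entry).__name__}")


@dataclass
class Schedule:
    """Periodic schedule plus the optional timeframe that gates it."""
    name: str
    entries: List[Union[Daily, Days, Period]] = field(default_factory=list)
    timeframe_start: Optional[datetime] = None
    timeframe_end: Optional[datetime] = None

    def __post_init__(self) -> None:
        if len(self.entries) > MAX_ENTRIES:
            raise ValueError(f"at most {MAX_ENTRIES} periodic schedule entries")

    def is_active(self, at: datetime) -> bool:
        """Active only inside the timeframe (if any) and during some entry."""
        if self.timeframe_start is not None and at < self.timeframe_start:
            return False
        if self.timeframe_end is not None and at > self.timeframe_end:
            return False
        return any(entry_matches(entry, at) for entry in self.entries)


# The three sample entries from the text above, plus a constructed timeframe.
OFFICE_HOURS = Schedule(
    name="office-hours",
    entries=[
        Daily(time(9, 0, 30), time(18, 0, 20)),
        Days(frozenset({"Monday", "Tuesday", "Saturday"}), time(9, 0, 15), time(13, 30, 45)),
        Period("Monday", time(9, 30, 30), "Wednesday", time(15, 0, 5)),
    ],
    timeframe_start=datetime(2021, 4, 1),
    timeframe_end=datetime(2021, 12, 31, 23, 59, 59),
)

if __name__ == "__main__":
    for probe in (datetime(2021, 4, 6, 3, 0), datetime(2021, 4, 8, 20, 0)):
        print(probe.strftime("%A %Y-%m-%d %H:%M:%S"), "->", OFFICE_HOURS.is_active(probe))
```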



AAA Server
An AAA server is a server program that handles user requests to access computer resources, and
for an enterprise, this server provides authentication, authorization, and accounting (AAA) ser-
vices. The AAA server typically interacts with network access and gateway servers and with data-
bases and directories containing user information.
Here in system, authentication supports the following types of AAA servers:

• Local server: a local server is the firewall itself. The firewall stores user identity
  information and handles requests. Local server authentication is fast and cheap, but its
  storage space is limited by the firewall hardware size.

• External servers:

  • Radius Server

  • TACACS+ Server

Configuring a Local AAA Server

1. Select Configuration Management > Object Configuration > AAA Server, and click New >
Local Server.

2. The Local Server Configuration page opens.



Configure the following.

Option Description

Name: Type the name for the new server into the text box.

Role mapping rule: Specifies a role mapping rule for the server. With this option selected, the
system allocates a role to users who have been authenticated by the server according to the
specified role mapping rule.

Password Control: To prevent account security problems, you can configure the password control
function.

  • Change Password: Click the Enable button. With this function enabled, the system allows
    users to change their own passwords after successful WebAuth or SCVPN authentication.

  • History Password Check: Click the Enable button to enable the history password check
    function. With this function, the system verifies the new password against the historical
    passwords when you change the password, ensuring that the new password differs from the
    passwords set the specified number of times before.

  • Validity Check: Click the Enable button to enable the password validity check function and
    configure the validity period of the password.

  • Password Expiry Warning: Click the Enable button to enable the password expiry warning
    function and configure how many days before expiry users are reminded of it.

  • Password Complexity: The lower the complexity of a password, the more likely it is to be
    cracked, for example when it includes the username or is short. For security reasons, you
    can enable the password complexity configuration and configure the password complexity
    requirements to ensure that user passwords have high complexity. Click the Enable button to
    enable the password complexity configuration.

    • Minimum Password Length: Specify the minimum password length. The range is 1-16; the
      default value is 1.

    • Minimum Capital Letter Length: Specifies the minimum number of uppercase letters
      contained in the password. The range is 0-16. The default value is 0.

    • Minimum Lowercase Letter Length: Specifies the minimum number of lowercase letters
      contained in the password. The range is 0-16. The default value is 0.

    • Minimum Number Length: Specifies the minimum number of digits contained in the password.
      The range is 0-16. The default value is 0.

    • Minimum Special Character Length: Specifies the minimum number of special characters
      (that is, non-numeric characters) contained in the password. The range is 0-16, and the
      default value is 0.

  • Password cannot contain username: Click the Enable button. Passwords are then not allowed
    to contain the username.

  • Change Password after First Login: By default, changing the password at first login is
    disabled. After it is enabled, when you log in to web authentication or SSL VPN for the
    first time, the system prompts "Change the password for the first login" and forces you
    to change the password according to the configured password complexity.

Backup Authentication Server: To configure a backup authentication server, select a server from
the drop-down list. After a backup authentication server is configured for the local server, it
takes over the authentication task when the primary server malfunctions or authentication fails
on the primary server. The backup authentication server can be any existing local, Active
Directory, RADIUS or LDAP server defined in the system.

Username Format: Specifies the input format of the user name.

Brute-force Cracking Defense: To prevent illegal users from obtaining user names and passwords
via brute-force cracking, you can configure brute-force cracking defense by locking out the user
or the IP.

  • Select the Lockout User check box to enable user-based brute-force cracking defense. If the
    failed attempts reach the specified number (1-32 times) within the specified period (1-180
    seconds), the login user is locked out for the specified time (30-1800 seconds). By
    default, if the failed attempts reach 5 times within 60 seconds, the login user is locked
    out for 600 seconds.

  • Select the Lockout IP check box to enable IP-based brute-force cracking defense. If the
    failed attempts reach the specified number (1-2048 times) within the specified period
    (1-180 seconds), the IP is locked out for the specified time (30-1800 seconds). By
    default, if the failed attempts reach 64 times within 60 seconds, the IP is locked out for
    60 seconds.

3. Click OK.
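An added example (not Hillstone's own code) of the Password Complexity rules and the Lockout User / Lockout IP defence from the Local Server table above, using the table's default thresholds (5 failures in 60 s locks the user for 600 s, 64 failures in 60 s locks the IP for 60 s). Treating a special character as any non-alphanumeric character, the class and rule names, and the constructed login attempts are assumptions.

```python
from __future__ import annotations

from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Sequence, Tuple


@dataclass
class PasswordPolicy:
    """Password Complexity options from the Local Server table (ranges as stated there)."""
    min_length: int = 1             # Minimum Password Length, 1-16
    min_upper: int = 0              # Minimum Capital Letter Length, 0-16
    min_lower: int = 0              # Minimum Lowercase Letter Length, 0-16
    min_digit: int = 0              # Minimum Number Length, 0-16
    min_special: int = 0            # Minimum Special Character Length, 0-16
    forbid_username: bool = False   # "Password cannot contain username"
    history_depth: int = 0          # History Password Check: previous passwords compared

    def violations(self, password: str, username: str,
                   history: Sequence[str] = ()) -> List[str]:
        """Return the names of every rule the candidate password breaks."""
        problems: List[str] = []
        # Assumption: "special character" means neither a letter nor a digit.
        counts = {
            "upper": sum(c.isupper() for c in password),
            "lower": sum(c.islower() for c in password),
            "digit": sum(c.isdigit() for c in password),
            "special": sum(not c.isalnum() for c in password),
        }
        if len(password) < self.min_length:
            problems.append("length")
        for rule, needed in (("upper", self.min_upper), ("lower", self.min_lower),
                             ("digit", self.min_digit), ("special", self.min_special)):
            if counts[rule] < needed:
                problems.append(rule)
        if self.forbid_username and username and username.lower() in password.lower():
            problems.append("username")
        if self.history_depth and password in list(history)[-self.history_depth:]:
            problems.append("history")
        return problems


@dataclass(frozen=True)
class LockoutRule:
    """`attempts` failures within `window` seconds lock the subject for `lock_seconds`."""
    attempts: int       # 1-32 per user, 1-2048 per IP
    window: int         # 1-180 seconds
    lock_seconds: int   # 30-1800 seconds


# Defaults quoted in the table above.
USER_DEFAULT = LockoutRule(attempts=5, window=60, lock_seconds=600)
IP_DEFAULT = LockoutRule(attempts=64, window=60, lock_seconds=60)


class BruteForceDefense:
    """Tracks failed logins per user and per source IP (Lockout User / Lockout IP)."""

    def __init__(self, user_rule: LockoutRule = USER_DEFAULT,
                 ip_rule: LockoutRule = IP_DEFAULT) -> None:
        self.rules: Dict[str, LockoutRule] = {"user": user_rule, "ip": ip_rule}
        self.failures: Dict[Tuple[str, str], Deque[float]] = {}
        self.locked_until: Dict[Tuple[str, str], float] = {}

    def is_locked(self, kind: str, key: str, now: float) -> bool:
        return self.locked_until.get((kind, key), 0.0) > now

    def allow_login(self, username: str, ip: str, now: float) -> bool:
        """False while either the user or the source IP is locked out."""
        return not (self.is_locked("user", username, now) or self.is_locked("ip", ip, now))

    def record_failure(self, username: str, ip: str, now: float) -> None:
        """Count one failed attempt against both subjects; lock when the threshold is hit."""
        for kind, key in (("user", username), ("ip", ip)):
            rule = self.rules[kind]
            recent = self.failures.setdefault((kind, key), deque())
            recent.append(now)
            while recent and now - recent[0] > rule.window:   # drop attempts outside the window
                recent.popleft()
            if len(recent) >= rule.attempts:
                self.locked_until[(kind, key)] = now + rule.lock_seconds
                recent.clear()


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=8, min_upper=1, min_digit=1, min_special=1,
                            forbid_username=True, history_depth=3)
    print(policy.violations("alice2024!", "alice"))          # ['upper', 'username']
    defense = BruteForceDefense()
    for t in range(5):                                        # constructed failed attempts
        defense.record_failure("alice", "192.0.2.10", 100 + t)
    print(defense.allow_login("alice", "192.0.2.10", 106))   # False
```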

Configuring Radius Server

1. Select Configuration Management > Object Configuration > AAA Server, and select New
> Radius Server.

2. The Radius Server Configuration page opens.

Configure the following.

Basic Configuration

Name: Specifies a name for the Radius server.

Server Address: Specifies an IP address (IPv4 or IPv6) or domain name for the Radius server.

Virtual Router: Specifies a VR for the Radius server.

Port: Specifies a port number for the Radius server. The value range is 1024 to 65535. The
default value is 1812.

Secret: Specifies a secret for the Radius server. You can specify at most 31 characters.

Optional Configuration

Authorization Policy: When a user is successfully authenticated by the Radius server, the Radius
server creates a security policy for the authenticated user that includes the destination
network segment, destination port, protocol, and behavior. This policy is called an
authorization policy. The system supports two authorization policies: "Authorization Policy
During Authentication" and "Dynamic Authorization Policy". You can enable the authorization
policy function to obtain the authorization policy from the Radius server and add it to the
system's policy list so that it takes effect. When the authenticated user disconnects, the
authorization policy is deleted automatically.

  • By default, the authorization policy is disabled. Select the checkbox after Authorization
    Policy to enable it.

  After the authorization policy of the Radius server is enabled, you can add the obtained
  authorization policy to an aggregation policy that has already been created, placing it as
  the last member of that aggregation policy, which makes it more convenient to manage
  authorization policies uniformly. If it is not added to an aggregation policy, the
  authorization policy is added to the end of the system policy list by default.

  • Select the aggregate policy name from the drop-down list.

Username Format: Specifies the input format of the user name.

Role mapping rule: Specifies a role mapping rule for the server. With this option selected, the
system allocates a role to users who have been authenticated by the server according to the
specified role mapping rule.

Backup server 1 / Backup server 2: Specifies an IP address or domain name for backup server 1
or backup server 2.

Virtual Router1 / Virtual Router2: Specifies a VR for the backup server.

Retries: Specifies the number of retries for the authentication packets sent to the AAA server.
The value range is 1 to 10. The default value is 3.

Timeout: Specifies a timeout for the server response. The value range is 1 to 30 seconds. The
default value is 3.

Backup Authentication Server: Specifies a backup authentication server. After a backup
authentication server is configured for the Radius server, it takes over the authentication
task when the primary server malfunctions or authentication fails on the primary server. The
backup authentication server can be any existing local, Active Directory, RADIUS or LDAP server
defined in the system.

Enable Accounting: Select the Enable checkbox to enable accounting for the Radius server, and
then configure the options in the area that slides out.

  Server Address: Specifies an IP address or domain name for the accounting server.

  Virtual Router: Specifies a VR for the accounting server.

  Port: Specifies a port number for the accounting server. The value range is 1024 to 65535.
  The default value is 1813.

  Password: Specifies a password for the accounting server.

  Backup server 1 / Backup server 2: Specifies an IP address or domain name for backup server
  1 or backup server 2.

  Virtual Router1 / Virtual Router2: Specifies a VR for the backup server.

3. Click OK.

Configuring TACACS+ Server

1. Select Configuration Management > Object Configuration > AAA Server.

2. Click New > TACACS+ Server, and the TACACS+ Server Configuration page opens.

Configure values in the TACACS+ Server Configuration page.

Basic Configuration

Name: Enter a name for the TACACS+ server.

Server Address: Specify the IP address or host name of the TACACS+ server.

Virtual Router: Specify the VRouter of the TACACS+ server.

Port: Enter the port number of the TACACS+ server. The default value is 49. The value range is
1 to 65535.

Secret: Enter the shared secret used to connect to the TACACS+ server.

Confirm Secret: Re-enter the shared secret.

Optional

Role mapping rule: Select a role mapping rule for the server. With this option selected, the
system allocates a role to users who have been authenticated by the server according to the
specified role mapping rule.

Backup Server 1 (2): Enter the domain name or IP address of the backup TACACS+ server.

Virtual Router 1 (2): Select the VRouter for the backup server.

Connectivity Test

When AAA server parameters are configured, you can test if they are correct by testing server con-
nectivity.



To test server connectivity, take the following steps:

1. Select Configuration Management > Object Configuration > AAA Server, and click New.

2. Select your AAA server type, which can be Radius or TACACS+. The local server does not
need the connectivity test.

3. After filling out the fields, click Test Connectivity.

4. For Radius or TACACS+ server, enter a username and password in the Test Connectivity
page.

5. Click Test Connectivity. If "Test connectivity success" message appears, the AAA server
settings are correct.

If there is an error message, here are the causes:

• Connect AAA server timeout: Wrong server address, port or virtual router.

• AAA server configuration error: The secret is wrong.

• Wrong name or password: The username or password used for testing is wrong.



User
User refers to the user who uses the functions and services provided by the Hillstone device, or
who is authenticated or managed by the device. The authenticated users consist of local user and
external user. The local users are created by administrators. They belong to different local authen-
tication servers, and are stored in system's configuration files. The external users are stored in
external servers, such as AD server or LDAP server. System supports User Group to facilitate
user management. Users belonging to one local authentication server can be allocated to different
user groups, while one single user can belong to different user groups simultaneously; similarly,
user groups belonging to one local authentication server can be allocated to different user groups,
while one single user group can belong to different user groups simultaneously. The following dia-
gram uses the default AAA server, Local, as an example and shows the relationship between users
and user groups:

As shown above, User1, User2 and User3 belong to UserGroup1, while User3 also belongs to
UserGroup2, and UserGroup2 also contains User4, User5 and UserGroup1.

Configuring a Local User

To create a local user, take the following steps:

1. Select Configuration Management > Object Configuration > User > Local User.

2. Click New > User.



Configure the following.

Option Description

Name: Specifies a name for the user.

Password: Specifies a password for the user.

Confirm password: Type the password again to confirm.

Mobile+country code: Specifies the user's mobile number. When the user logs in to the SCVPN
client, the system sends the verification code to this mobile number.

Description: If needed, type a description of the user.

Group: Add the user to a selected user group. Select the user group you want and click Add.

Expiration: Click the Enable button to enable expiration for the user, and then specify a date
and time. After expiration, the user cannot be authenticated and therefore cannot be used in the
system. By default, expiration is not enabled.

3. Click OK.

Creating a User Group

To create a user group, take the following steps:



1. Select Configuration Management > Object Configuration > User > Local User.

2. Click New > User Group.

Option Description

Name: Type the name for the user group into the Name box.

Add: Specifies members for the user group. Expand User or User Group in the Available list,
select a user or user group and click Add to add it to the Selected list on the right.
One user group can contain multiple users or user groups, but the system only supports up to 12
layers of nested user groups, and does not support loop nesting, i.e., a user group must not
nest the upper-layer user group it belongs to.

Remove: To delete a selected user or user group, select it in the Selected list and then click
Remove.

3. Click OK.

Export User List

The system exports the user-list file in .csv format; its content is the real-time information
of the user list in the system.
To export the user list from the system to the local PC, take the following steps:



1. Select Configuration Management > Object Configuration > User > Local User.

2. Click Export User List to open the Export User List page, and select the saved position in
local.

3. Click OK to finish export.

Import User List

The system supports importing user-list files in UTF-8 or GBK encoding in .txt and .csv format.
When the user-list file is imported, the system carries out a validity test and a complexity
check of the user passwords. If the checks pass, the import succeeds; if they fail, the import
fails.
The user-list in .csv file is illustrated in the figure below.

The user-list in text file is illustrated in the figure below.



Notes: Before importing the user-list file, please read carefully the annotations in
the above figures and fill in the user information according to the format.

To import a user list into the system, take the following steps:

1. Select Configuration Management > Object Configuration > User > Local User.

2. Click Import User List to open the Import User List page.

3. Click Browse to select the file name needed to be imported.

4. Click OK to finish import.

Notes:

• The user password in the import/export file is not encrypted, unless the password strings
  match the AES encryption format.

• Please try to keep the import file format consistent with the export file.

• When importing, if the same user name exists under the same server, the original user
  information will be overwritten.

• When importing, if a user is new to the system, the user and its user information will be
  added to the system automatically.

• In the imported user-list file, the "username" field must not contain a slash, comma, double
  quotation mark, question mark or @; the "group" field must not contain a comma, double
  quotation mark or question mark.

• In the imported user-list file, the date in the "expire" field must be typed in the format
  DD/MM/YYYY HH:SS.

• If the user list is imported as a text file, pay special attention to the following points:

  • Every parameter in the file must be separated by half-width commas.

  • If a parameter does not exist, leave it empty between the half-width commas, e.g.
    "123123,,local".

  • The sequence of the parameters in the first row is fixed and case-insensitive, e.g.
    "Servername,userName,pAssWord".

  • The file must not contain blank lines or gibberish lines, or it cannot be imported
    successfully.

  • If the length of a parameter is outside its length range, the file cannot be imported
    successfully.
    The length range of "username": 1-63 characters
    The length range of "password": 1-31 characters
    The length range of "phone": 6-15 characters
    The length range of "email": 1-127 characters
    The length range of "description": 0-127 characters
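An added validator (not Hillstone's own code) for the text user-list format described in the notes above: header row naming the fields case-insensitively, comma-separated values with empty parameters left blank, no blank lines, the forbidden characters for "username" and "group", the length ranges, and the "expire" date. The full field set, treating username and password as required, and reading the time part of "expire" as hour:minute (the notes write it as HH:SS) are assumptions; the sample files are constructed.

```python
from __future__ import annotations

from datetime import datetime
from typing import Dict, List, Tuple

# Length ranges and forbidden characters exactly as the notes above list them.
LENGTH_RANGES = {
    "username": (1, 63),
    "password": (1, 31),
    "phone": (6, 15),
    "email": (1, 127),
    "description": (0, 127),
}
FORBIDDEN_CHARS = {"username": set('/,"?@'), "group": set(',"?')}
REQUIRED = ("username", "password")      # assumption: a user needs at least these
# Assumption: the field set below is taken from the notes; "expire" is parsed
# as DD/MM/YYYY hour:minute although the notes write the time part as HH:SS.
KNOWN_FIELDS = {"servername", "username", "password", "phone", "email",
                "description", "group", "expire"}
EXPIRE_FORMAT = "%d/%m/%Y %H:%M"

Record = Dict[str, str]
Problem = Tuple[int, str]            # (line number, message)


def validate_record(rec: Record) -> List[str]:
    """Apply the per-field rules to one parsed row; empty optional fields count as absent."""
    problems: List[str] = []
    for name in REQUIRED:
        if name in rec and rec[name] == "":
            problems.append(f"{name}: must not be empty")
    for name, (low, high) in LENGTH_RANGES.items():
        value = rec.get(name, "")
        if value == "":
            continue
        if not low <= len(value) <= high:
            problems.append(f"{name}: length must be {low}-{high} characters")
    for name, banned in FORBIDDEN_CHARS.items():
        hit = sorted(set(rec.get(name, "")) & banned)
        if hit:
            problems.append(f"{name}: contains forbidden character(s) {''.join(hit)!r}")
    expire = rec.get("expire", "")
    if expire:
        try:
            datetime.strptime(expire, EXPIRE_FORMAT)
        except ValueError:
            problems.append("expire: expected DD/MM/YYYY HH:MM")
    return problems


def parse_user_list(text: str) -> Tuple[List[Record], List[Problem]]:
    """Parse the comma-separated text form: the header row names the fields
    (case-insensitive) and every later row supplies one value per header field."""
    lines = text.splitlines()
    if not lines:
        return [], [(0, "empty file")]
    header = [h.strip().lower() for h in lines[0].split(",")]
    unknown = [h for h in header if h not in KNOWN_FIELDS]
    if unknown:
        return [], [(1, f"unknown field(s) in header: {', '.join(unknown)}")]
    records: List[Record] = []
    problems: List[Problem] = []
    for line_no, line in enumerate(lines[1:], start=2):
        if line.strip() == "":
            problems.append((line_no, "blank line"))
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != len(header):
            problems.append((line_no, f"expected {len(header)} values, got {len(parts)}"))
            continue
        rec = dict(zip(header, parts))
        errors = validate_record(rec)
        problems.extend((line_no, e) for e in errors)
        if not errors:
            records.append(rec)
    return records, problems


def can_import(text: str) -> bool:
    """The import succeeds only when every row passes every check."""
    return not parse_user_list(text)[1]


# Constructed sample files (not from the original document).
GOOD_LIST = (
    "Servername,userName,pAssWord,phone,email,description,group,expire\n"
    "local,alice,Sunny-Day7,,,Sales team,sales,31/12/2025 18:00\n"
    "local,bob,SecretPw1,13800000000,bob@example.invalid,,,\n"
)
BAD_LIST = (
    "Servername,userName,pAssWord,phone,email,description,group,expire\n"
    "local,carol@corp,pw,123,,,,\n"
    "\n"
    'local,dave,pw,,,,"ops",2025-12-31\n'
)
```

Running `parse_user_list(BAD_LIST)` reports two problems on line 2 (phone too short, "@" in the username), the blank line 3, and two on line 4 (quotes in "group", wrong "expire" format), so `can_import(BAD_LIST)` is False while `can_import(GOOD_LIST)` is True.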

Configuring an LDAP User

This section describes how to configure an LDAP user.

Synchronizing Users

To synchronize users from an LDAP server, you first need to configure an LDAP server; refer to
Configuring LDAP Server. To synchronize users:



1. Select Configuration Management > Object Configuration > User > LDAP User.

2. Select a server from the LDAP Server drop-down list, and click Sync Users.

Notes: By default, after an LDAP server is created, the system synchronizes the users
of that LDAP server automatically and then re-synchronizes every 30 minutes.

Configuring an Active Directory User

This section describes how to configure an active directory (AD) user.

Synchronizing Users

To synchronize users from an AD server to the device, first configure the AD server
(refer to Configuring Active Directory Server). Then, to synchronize users, take the following steps:

1. Select Configuration Management > Object Configuration > User >AD User.

2. Select an AD server from the Active Directory Server drop-down list, and click Sync Users.

Configuring IP-User Binding

Adding User Binding

To bind an IP or MAC address to a user, take the following steps:

1. Select Configuration Management > Object Configuration > User > IP-User Binding.

2. Click Add User Binding.



User

AAA Server Select an AAA server from the drop-down list.

User Select the user for the binding from the drop-down list.

Binding Type

Binding Type By specifying the binding type, you can bind the user to an IP address or a MAC address.

l IP - If IP is selected, type the IP address into the IP text box.

l MAC - If MAC is selected, type the MAC address into the MAC text box.

3. Click OK.

Import Binding

To import a user binding list to system, take the following steps:

1. Select Configuration Management > Object Configuration > User > IP-User Binding.

2. Click Import to open the Import User Binding List page.

3. Click Browse to select the file name needed to be imported.

4. Click OK to finish import.



Export Binding

To export a user binding list from system to local, take the following steps:

1. Select Configuration Management > Object Configuration > User > IP-User Binding.

2. From the Export drop-down list, select the category of users to export (local, LDAP, AD or all users). In the export dialog box that pops up, select where to save the file on the local PC.

3. Click OK to finish export.



Role
Roles are designed with certain privileges. For example, a specific role can gain access to specified network resources. In the system, users and privileges are not directly associated; they are associated through roles.
The mappings between roles and users are defined by role mapping rules. In function configurations, different roles are assigned different services, so the mapped users gain the corresponding services as well.
The system supports role combination, i.e. the AND, NOT or OR operation on roles. If a role combination is used by a module, the user is mapped to the result role generated by the specified operation.
System supports the following role-based functions:

l Role-based policy rules: Implements access control for users of different types.

l Role-based statistics: Collects statistics on bandwidth and sessions for users of different
types.

l Role-based session limits: Implements session limits for specific users.

l Role-based PBR: Implements routing for users of different types.

Configuring a Role

Creating a Role

To create a role, take the following steps:

1. Select Configuration Management > Object Configuration > Role > Role.

2. Click New.



Configure the following options.

Option Description

Role Name Type the role name into the Role Name box.

Description Type the description for the role into the Description
box.

3. Click OK.

Mapping to a Role Mapping Rule

You can map a role to a user, user group, CN or OU either through this function or through Creating a Role Mapping Rule. Once a role mapping rule exists, you can select a role and click Mapping To to add further mappings for it.
To map the selected role, take the following steps:



1. Select Configuration Management > Object Configuration > Role > Role.

2. Select the role that needs to be mapped, and click Mapping To.

3. In the Mapping name section, select a created mapping rule name from the first drop-down list (for detailed information on creating a role mapping rule, see Creating a Role Mapping Rule), and then select a user, user group, certificate name (the CN field of the USB Key certificate), organization unit (the OU field of the USB Key certificate) or any from the second drop-down list. If User, User group, CN or OU is selected, also select or enter the corresponding user name, user group name, CN or OU into the box that follows.

4. Click Add to add to the role mapping list.

5. If needed, repeat Step 3 and Step 4 to add more mappings. To delete a role mapping, select
the role mapping you want to delete from the mapping list, and click Delete.

6. Click OK.

Creating a Role Mapping Rule

To create a role mapping rule, take the following steps:

1. Select Configuration Management > Object Configuration > Role > Role Mapping.

2. Click New.



3. Type the name for the role mapping rule into the Name box.

4. In the Member section, select a role name from the first drop-down list, and then select a
user, user group, certificate name (the CN field of USB Key certificate) or organization unit
(the OU field of USB Key certificate) from the second drop-down list. If User, User group,
CN or OU is selected, also select or enter the corresponding user name, user group name,
CN or OU into the box behind.

5. Click Add to add to the role mapping list.

6. If needed, repeat Step 4 and Step 5 to add more mappings. To delete a role mapping, select
the role mapping you want to delete from the mapping list, and click Delete.

7. Click OK.

Creating a Role Combination

To create a role combination, take the following steps:

1. Select Configuration Management > Object Configuration > Role > Role Combination.

2. Click New.



Configure the following options.

Option Description

First Prefix Specifies a prefix for the first role in the role regular
expression.

First Role Select a role name from the First Role drop-down list to
specify a name for the first role in the role regular expres-
sion.

Operator Specifies an operator for the role regular expression.

Second Prefix Specifies a prefix for the second role in the role regular expression.

Second Role Select a role name from the Second Role drop-down list
to specify a name for the second role in the role regular
expression.



Option Description

Result Role Select a role name from the Result Role drop-down list to
specify a name for the result role in the role regular
expression.

3. Click OK.
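The practical question with role mapping and role combination is which roles a given person ends up with, especially when one user satisfies several mapping entries (a contractor who is also in the staff group, for instance). The following evaluator is an added example, not Hillstone code, that models the two pages above: a role mapping rule is a list of (role, member type, value) entries matched against the user name, groups, and the CN/OU of a USB Key certificate; a role combination is the First Prefix / First Role / Operator / Second Prefix / Second Role / Result Role form. The combination semantics are an assumption (prefix is empty or "NOT", operator is AND or OR, every combination is evaluated against the mapped roles rather than chained), and all role, group and OU names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """What the device can match a role mapping against: the user name,
    the user's groups, and the CN / OU fields of a USB Key certificate."""
    name: str
    groups: frozenset = frozenset()
    cn: str = ""
    ou: str = ""


def roles_from_mapping(rule, principal):
    """rule: entries of one role mapping rule as (role, member_type, value),
    member_type being user / group / cn / ou / any as on the Role Mapping
    page. Returns the set of roles the principal is mapped to."""
    roles = set()
    for role, member_type, value in rule:
        if (member_type == "any"
                or (member_type == "user" and value == principal.name)
                or (member_type == "group" and value in principal.groups)
                or (member_type == "cn" and value == principal.cn)
                or (member_type == "ou" and value == principal.ou)):
            roles.add(role)
    return roles


def _term(prefix, role, roles):
    # Assumption: the prefix is either empty or "NOT".
    held = role in roles
    return (not held) if prefix == "NOT" else held


def apply_combinations(combinations, roles):
    """Evaluate Role Combination entries against the mapped roles.
    Assumed semantics: <prefix role> <AND|OR> <prefix role>; when the
    expression holds, the result role is granted. Every combination is
    evaluated against the mapped roles, not against earlier results."""
    result = set(roles)
    for c in combinations:
        a = _term(c["first_prefix"], c["first_role"], roles)
        b = _term(c["second_prefix"], c["second_role"], roles)
        if c["operator"] == "AND":
            holds = a and b
        elif c["operator"] == "OR":
            holds = a or b
        else:
            raise ValueError("unsupported operator %r" % c["operator"])
        if holds:
            result.add(c["result_role"])
    return result


# Constructed configuration (hypothetical role, group and OU names).
MAPPING_RULE = [
    ("employee", "group", "staff"),
    ("contractor", "group", "vendors"),
    ("privileged", "ou", "IT Security"),
    ("vpn-user", "any", None),
]
COMBINATIONS = [
    # employee AND NOT contractor -> internal-only
    {"first_prefix": "", "first_role": "employee", "operator": "AND",
     "second_prefix": "NOT", "second_role": "contractor",
     "result_role": "internal-only"},
    # privileged OR contractor -> audited
    {"first_prefix": "", "first_role": "privileged", "operator": "OR",
     "second_prefix": "", "second_role": "contractor",
     "result_role": "audited"},
]


def effective_roles(principal):
    return apply_combinations(COMBINATIONS,
                              roles_from_mapping(MAPPING_RULE, principal))


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"staff"}), cn="alice", ou="IT Security")
    bob = Principal("bob", frozenset({"staff", "vendors"}))
    print(sorted(effective_roles(alice)))
    print(sorted(effective_roles(bob)))
```

The point the evaluator makes visible: a group membership grants a role regardless of the user's other memberships, so "bob" in both staff and vendors still receives the employee role; the only way to keep a role off such a user is a combination with a NOT term, as the internal-only entry does.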



Critical Assets
Critical assets are the IT assets owned by a company that are essential to its ability to operate and make a profit, such as key servers, networking devices and data storage servers. Because critical assets are essential for day-to-day business operations, they are prime targets of cyber-attacks, so they need to be secured with stronger defense mechanisms than other individual hosts.
After a critical asset object is configured, the system automatically enables the advanced threat detection and abnormal behavior detection functions in the selected security zone, reserves priority and resources for monitoring the critical asset, and displays the threats and traffic related to the critical asset on the Critical Assets page in iCenter.
When critical assets or businesses are under attack, you can block the critical assets from the network at once. After clearing the attack, you can reconnect them with one click to restore the previous network environment. The system also supports one-click disconnection/recovery via the Cloud·View APP on a mobile phone.



Configuring Critical Asset Object

To configure the critical asset object, take the following steps:

1. Select Configuration Management > Object Configuration > Critical Assets.

2. Click New.

In Critical Assets dialog, configure the settings.

Option Description

Name Specify the name of the critical asset object.

Zone Specify the security zone where this object is located. The Abnormal Behavior Detection and Advanced Threat Detection functions are enabled on the selected zone.

IP Specify the IP address of the critical asset.

Description Enter the description for this object.

Connecting or Blocking the Critical Assets

When critical assets or businesses are under attack, you can block the critical assets from the network at once. After clearing the attack, you can reconnect them with one click to restore the previous network environment. The system also supports one-click disconnection/recovery via the Cloud·View APP on a mobile phone.
To connect or block the critical asset object:

1. Select Configuration Management > Object Configuration > Critical Assets.

2. Select one or more critical asset items in the list, and click Block to disconnect them from the network.

3. Or click Connect to recover the network connections.



Track Object
The device provides the track object to track whether a specified object (IP address or host) is reachable or whether a specified interface is connected. Track objects are designed for HA and interface tracking.

Creating a Track Object

To create a track object, take the following steps:

1. Select Configuration Management > Object Configuration > Track Object.

2. Click New to open the Track Object Configuration page.



Configure the following options.

Option Description

Name Specifies a name for the new track object.

Threshold Type the threshold for the track object into the text box. If
the sum of weights for failed entries in the track object
exceeds the threshold, system will conclude that the whole
track object fails.

Track Type Select a track object type. One track object can only be configured with one type.

Select the Interface radio button:

l Click Add in the Add Track Members section and then configure the following options in the Add Interface Member page:

l Interface - Select a track interface from the drop-down list.

l Weight - Specifies a weight for the interface, i.e. the weight this track entry contributes to the overall failure of the whole track object if the entry fails.

Select the Protocol radio button:

l Click Add in the Add Track Members section, select a packet type from the drop-down list, and then configure the following options in the Add HTTP/ICMP/ICMPv6/ARP/NDP/DNS/TCP Member page:

l IP Type - Specifies the IP type for the track object when the track is implemented by HTTP/DNS/TCP packets.

l IP/Host - Specifies an IP address or host name for the track object when the track is implemented by HTTP/ICMP/ICMPv6/TCP packets. IP - Specifies an IP address for the track object when the track is implemented by ARP/NDP packets. DNS - Specifies an IP address for the track object when the track is implemented by DNS packets.

l Weight - Specifies the weight this track entry contributes to the overall failure of the whole track object if the entry fails.

l Retries - Specifies a retry threshold. If no response packet is received after the specified number of retries, the system determines that this track entry fails, i.e. the track entry is unreachable. The value range is 1 to 255. The default value is 3.

l Interval - Specifies the interval for sending packets. The value range is 1 to 255 seconds. The default value is 3.

l Egress Interface - Specifies the egress interface from which HTTP/ICMP/ICMPv6/ARP/NDP/DNS/TCP packets are sent.

l Source Interface - Specifies the source interface for HTTP/ICMP/ICMPv6/ARP/DNS/TCP packets.

Select the Traffic Quality radio button:

l Click Add in the Add Track Members section and then configure the following options in the Add Traffic Quality Member page:

l Interface - Specifies the name of the tracked interface.

l Interval - Specifies the duration of each track period, in seconds. The value range is 1 to 255. The default value is 3. After a track period finishes, the system resets the tracked new-session values.

l Retries - Specifies the threshold at which the track entry is concluded to have failed. The value range is 1 to 255. The default value is 3.

l Weight - Specifies how much this track entry's failure counts toward the failure of the whole track object. The value range is 1 to 255. The default value is 255.

l Low Watermark - Specifies the failure threshold of the new-session success rate. The value range is 0 to 100. The default value is 30. During a track period, when the new-session success rate falls below the low watermark, the system concludes that the track has failed.

l High Watermark - Specifies the success threshold of the new-session success rate. The value range is 0 to 100. The default value is 50. During a track period, when the new-session success rate exceeds the high watermark, the system concludes that the track is successful.

Note: During a track period, when the new-session success rate is equal to or above the low watermark and equal to or below the high watermark, the system keeps the previous track state.

HA sync Select this check box to enable the HA sync function. The primary device synchronizes its track information with the backup device.

3. Click OK.
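Two parts of the table above are worth seeing in motion: the weighted threshold (the object fails only when the summed weight of failed entries exceeds the threshold, so a low-weight entry can never fail the object on its own) and the watermark hysteresis of a traffic-quality entry (a success rate between the two watermarks keeps the previous state, which stops a link that hovers around 40% from flapping). The model below is an added example, not Hillstone code. Its assumptions are marked in the comments: a protocol entry fails after `retries` consecutive unanswered probes and recovers on the first reply, a traffic-quality entry fails after `retries` consecutive bad periods, and a period with no new sessions counts as good. The probe history is constructed.

```python
def track_object_failed(members, threshold):
    """members: iterable of (weight, failed). The manual's rule: the whole
    track object fails when the summed weight of failed entries exceeds
    (is strictly greater than) the threshold."""
    return sum(weight for weight, failed in members if failed) > threshold


class ProtocolMember:
    """A protocol (ICMP/TCP/HTTP/...) track entry. Assumption: the entry
    fails after `retries` consecutive unanswered probes and recovers on
    the first answered probe."""

    def __init__(self, weight, retries=3):
        self.weight = weight
        self.retries = retries
        self.misses = 0
        self.failed = False

    def probe(self, replied):
        if replied:
            self.misses = 0
            self.failed = False
        else:
            self.misses += 1
            if self.misses >= self.retries:
                self.failed = True
        return self.failed


class TrafficQualityMember:
    """A traffic-quality entry judged once per track period on the
    new-session success rate (percent): below the low watermark the
    period is bad, above the high watermark it is good, and in between
    the previous state is kept. Assumption: the entry fails after
    `retries` consecutive bad periods and recovers on the first good one;
    a period with no new sessions is treated as good."""

    def __init__(self, weight=255, low=30, high=50, retries=3):
        self.weight = weight
        self.low = low
        self.high = high
        self.retries = retries
        self.bad_periods = 0
        self.failed = False

    def end_period(self, new_sessions, succeeded):
        rate = 100.0 * succeeded / new_sessions if new_sessions else 100.0
        if rate < self.low:
            self.bad_periods += 1
            if self.bad_periods >= self.retries:
                self.failed = True
        elif rate > self.high:
            self.bad_periods = 0
            self.failed = False
        # low <= rate <= high: keep the previous state (hysteresis)
        return self.failed


def demo():
    """Threshold 200 with a 100-weight link probe and a 255-weight traffic
    quality entry: the probe alone can never fail the object, the quality
    entry alone can. Constructed sample history, not device data."""
    link = ProtocolMember(weight=100, retries=3)
    quality = TrafficQualityMember(weight=255, low=30, high=50, retries=2)
    history = []
    samples = [  # (probe answered?, (new sessions, succeeded))
        (True, (100, 90)),
        (False, (100, 40)),   # 40% is between the watermarks: state kept
        (False, (100, 20)),   # first bad period
        (False, (100, 20)),   # second bad period -> quality fails; 3rd miss -> link fails
        (False, (100, 45)),   # between the watermarks again: stays failed
        (True, (100, 60)),    # both recover
    ]
    for replied, (sessions, ok) in samples:
        link.probe(replied)
        quality.end_period(sessions, ok)
        members = [(link.weight, link.failed), (quality.weight, quality.failed)]
        history.append(track_object_failed(members, threshold=200))
    return history


if __name__ == "__main__":
    print(demo())   # [False, False, False, True, True, False]
```

When sizing weights, decide first which single entries should be able to fail the object by themselves (weight above the threshold) and which should only count in combination; the demo's 100-weight probe is an example of the latter.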



System Configuration
The device's maintenance and management include:

l " System and Signature Database" on Page 160

l "Device Management" on Page 597

l "Configuration File Management" on Page 617

l "SNMP" on Page 620

l "Upgrading System" on Page 630

l "License" on Page 636

l "Mail Server" on Page 641

l "Connecting to HSM" on Page 644

l "Connecting to Hillstone Cloud·View" on Page 647

l "Test Tools" on Page 683



Device Management
This section introduces how to configure administrators, trusted hosts, the management interface, the system time, NTP keys and the system options.

Administrators

Device administrators of different roles have different privileges. The system supports pre-
defined administrator roles and customized administrator roles. By default, the system supports
the following administrators, which cannot be deleted or edited:

l Administrator: Permission for reading, executing and writing. This role has authority over all features and can view the current or historical configuration information.

l Administrator(read-only): Permission for reading and executing. This role can view the current or historical configuration information.

l Operator: Authority over all features except modifying the Administrator's configuration, and no permission to check the log information.

l Auditor: Can only operate on the log information, including view, export and clear.

Notes:

l The device ships with a default administrator named hillstone. You can
modify the setting of hillstone. However, this account cannot be deleted.

l Administrators with other roles (except the default administrator) cannot configure admin settings, other than modifying their own password.

l The system auditor can manage one or multiple logs, while only the system administrator can manage the log types.



Creating an Administrator Account

To create an administrator account, take the following steps:

1. Select Configuration Management > System Configuration > Device Management >
Administrators.

2. Click New.

3. In the Configuration page, configure the following options.

Option Description

Name Type a name for the system administrator account.

Role From the Role drop-down list, select a role for the administrator account. Different roles have different privileges.

l Administrator: Permission for reading, executing and writing. This role has authority over all features.

l Operator: Authority over all features except modifying the Administrator's configuration, and no permission to check the log information.

l Auditor: Can only operate on the log information, including view, export and clear.

l Administrator(read-only): Permission for reading and executing. This role can view the current or historical configuration information.

Password Type a login password for the admin into the Password
box. The password should meet the requirement of Pass-
word Strategy.

Confirm Password Re-type the password into the Confirm Password box.

Login Type Select the access method(s) for the admin, including Con-
sole, Telnet, SSH, HTTP and HTTPS. If you need all
access methods, select Select All.

Description Enter descriptions for the administrator account.

4. Click OK. The newly-created administrator account will be displayed in the list.

Configuring Login Options for the Default Administrator

The system has a default administrator "hillstone" with the default password "hillstone". Well-known default credentials are an obvious target for credential guessing, so when you log in with the default username and password the system prompts you to choose one of the following:

l Delete Default Administrator: Click the Delete Administrator radio button to delete the default administrator (hillstone), then specify a new username, password and other information in the respective text boxes to create a new administrator account. After creating the new account, log in again with the new username and password.

l Change Default Password: Click the Change Password radio button and specify a new password for the default user in the text box. Then log in again with the new password.

l Ignore Once: Click the Ignore Once radio button to log in immediately with the default username (hillstone) and password (hillstone). You will be prompted again the next time you log in with the default credentials.

Notes: In the HA Active-Passive (A/P) mode, the backup device does not support
this function, and you can log in with the default username and password.



Admin Roles

Device administrators of different roles have different privileges. The system supports pre-
defined administrator roles and customized administrator roles. The pre-defined administrator role
cannot be deleted or edited. You can customize administrator roles according to your require-
ments:
To create a new administrator role, take the following steps:

1. Select Configuration Management > System Configuration > Device Management >
Admin Roles.

2. Click New.



3. In the Configuration page, configure as follows:

Option Description

Role Enter the role name.

CLI Specify the administrator role's privileges of CLI.

WebUI Privilege Click a module name to set the administrator role's privilege for that module. The icon cycles through three states: no privilege (the role can neither read nor edit the module's configuration), read-only (the role can read but not edit the configuration), and read/write (the role can read and edit the configuration).

Description Specify the description for this administrator role.

4. Click OK to save the settings.

Trusted Host

To enhance security, the device only allows trusted hosts to manage the system. The administrator can specify an IP range, a MAC address or a MAC range; the hosts in the specified range are the trusted hosts, and only they can reach the management interface to manage the device. Note that a MAC address is only meaningful for hosts on the same Layer 2 segment as the management interface: traffic that crosses a router arrives with the router's MAC address.

Creating a Trusted Host

To create a trusted host, take the following steps:

1. Select Configuration Management > System Configuration > Device Management > Trus-
ted Host.

2. Click New.



3. In the Trusted Host Configuration page, enter values.

Configure the following options.

Option Description

Match Address Type Select the address type used to match the trusted host. When "IPv4" is selected, specify an IP range; only hosts in that IP range are trusted. When "IPv4&MAC" is selected, specify both an IP range and a MAC address/range; only hosts that fall in both the IP range and the MAC range are trusted.

IP Type Specify the IP range of the trusted hosts:

l IP/Netmask: Type the IP address and netmask of the trusted hosts.

l IP Range: Type the start IP and end IP of the trusted hosts.

MAC Type Specify the MAC address or MAC range of the trusted hosts:

l MAC Address: Type the MAC address of the trusted hosts.

l MAC Range: Type the start MAC address and end MAC address of the trusted hosts.

Login Type Select the access methods for the trusted host, including Telnet, SSH, HTTP and HTTPS.

4. Click OK.

Management Interface

The device supports the following access methods: Console, Telnet, SSH and WebUI. You can configure the timeout value, the port number, the PKI trust domain for HTTPS, and the PKI trust domain for certificate authentication. When the device is accessed through Telnet, SSH, HTTP or HTTPS, if login fails three times in one minute, the IP address that attempted the login is blocked for 2 minutes, during which it cannot connect to the device (the attempt counts and lock time are configurable under Option; see Lock IP and Lock Account). Telnet and HTTP carry administrator credentials in cleartext; where possible, restrict administrators and trusted hosts to SSH and HTTPS.
To configure the access methods, take the following steps:

1. Select Configuration Management > System Configuration > Device Management > Man-
agement Interface.

2. In the Management Interface page, configure the following options.

Option Description

Console Configure the Console access method parameters.

l Timeout: Type the Console timeout value into the Timeout box. The value range is 0 to 60. The default value is 10. The value 0 means the session never times out. If there is no activity before the timeout expires, the system drops the console connection.

Telnet Configure the Telnet access method parameters.

l Timeout: Specifies the Telnet timeout value. The value range is 1 to 60. The default value is 10.

l Port: Specifies the Telnet port number. The value range is 1 to 65535. The default value is 23.

SSH Configure the SSH access method parameters.

l Timeout: Specifies the SSH timeout value. The value range is 1 to 60. The default value is 10.

l Port: Specifies the SSH port number. The value range is 1 to 65535. The default value is 22.

Web Configure the WebUI access method parameters.

l Multiple Login with Same Account: Select the check box to allow several users to log in to the device with the same account simultaneously. By default, the function is disabled: when an account that is already logged in is used to log in again, the earlier session is kicked out.

l Timeout: Specifies the WebUI timeout value. The value range is 1 to 1440. The default value is 10.

l HTTP Port: Specifies the HTTP port number. The value range is 1 to 65535. The default value is 80.

l HTTPS Port: Specifies the HTTPS port number. The value range is 1 to 65535. The default value is 443.

l HTTPS Trust Domain: Select a trust domain existing in the system from the drop-down list. When HTTPS starts, the HTTPS server uses the certificate of the specified trust domain. By default, the trust domain trust_domain_default is used.

l Certificate Authentication: With this check box selected, the system enables certificate authentication. The certificates involved are the user's digital certificate and the secondary CA certificate signed by the root CA. Certificate authentication is one form of two-factor authentication: in addition to the user name and password, the login requires a second factor, such as a certificate or a fingerprint.

l Certificate Trust Domain: After certificate authentication is enabled and a user logs in to the device over HTTPS, the HTTPS server uses the certificate of the specified trust domain. Make sure the root CA certificate is imported into that trust domain.

l CN Check: After the CN check is enabled, the CN of the presented certificate is checked when the user logs in; the login succeeds only if the certificate and the user are consistent.

3. Click OK.

Notes: When changing HTTP port, HTTPS port or HTTPS Trust Domain, the web
server will restart. You may need to log in again if you are using the Web interface.

System Time

You can configure the current system time manually, or synchronize the system time with the
NTP server time via NTP protocol.

Configuring the System Time Manually

To configure the system time manually, take the following steps:

1. Select Configuration Management > System Configuration > Device Management > Sys-
tem Time.



2. Under System Time Configuration in the System Time tab, configure the followings.

Option Description

Sync with Local PC Specify how to synchronize with the local PC. You can select Sync Time or Sync Zone&Time.

l Sync Time: Synchronize the system time with the local PC.

l Sync Zone&Time: Synchronize the system time zone and time with the local PC.

Specify the system time Configure the system time parameters.

l Time Zone: Select the time zone from the drop-down list.

l Date: Specifies the date.

l Time: Specifies the time.

3. Click OK.

Configuring NTP

The system time may affect the establishment time of VPN tunnel and the schedule, so the accur-
acy of the system time is very important. To ensure the system is able to maintain an accurate
time, the device allows you to synchronize the system time with a NTP server on the network via
NTP protocol.
To configure NTP, take the following steps:

1. Select Configuration Management > System Configuration > Device Management > Sys-
tem Time.

2. Under NTP Configuration in the System Time tab, configure the followings.



Option Description

Enable Click the Enable button to enable the NTP function. By default, the NTP function is disabled.

Authentication Click the Enable button to enable the NTP Authentication function.

NTP Server Specifies the NTP servers that the device synchronizes with. You can specify at most 3 servers.

l IP: Type the IP address of the server.

l Key: Select a key from the Key drop-down list. If you enable the NTP Authentication function, you must specify a key.

l Virtual Router: Select the virtual router of the interface used for NTP communication from the drop-down list.

l Source Interface: Select an interface for sending and receiving NTP packets.

l Preferred Server: Select the check box in the Preferred Server column to set the server as the first preferred server. The system synchronizes with the first preferred server.

Sync Interval Type the interval value. The device synchronizes the system time with the NTP server at the specified interval to keep the system time accurate.

Time Offset Type the time value. If the time difference between the system time and the NTP server's time is within the maximum adjustment value you specified, the synchronization succeeds; otherwise it fails.

3. Click OK.

NTP Key

After enabling the NTP Authentication function, you need to configure MD5 key IDs and keys. The device then only synchronizes with servers that authenticate with a configured key.

Creating a NTP Key

To create an NTP key, take the following steps:

1. Select Configuration Management > System Configuration > Device Management > NTP
Key.

2. Click New.

3. In the NTP Key Configuration page, enter values.

Configure the following options.

Option Description

Key ID Type the ID number into the Key ID box. The value range is 1 to 65535.

Password Type the MD5 key into the Password box. The key length is 1 to 31 characters.



Option Description

Confirm Password Re-type the same MD5 key you entered into the Confirm box.

4. Click OK.
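What the key ID and MD5 key configured above actually protect is worth seeing byte for byte. The following example is added here and is not Hillstone code: it builds a minimal NTPv4 client header, appends the RFC 5905 symmetric-key authenticator (the 4-byte key ID followed by MD5 over the shared key concatenated with the 48-byte header), and verifies a received packet against a key table the way an NTP peer does, rejecting an unknown key ID, a wrong key, a tampered header and a truncated packet. The key table and timestamp are constructed. Two caveats a practitioner would want: this scheme is a keyed-prefix MD5 digest, not an HMAC, and MD5 is deprecated for new designs, so it is an integrity check against an unauthenticated spoofed server rather than a strong cryptographic binding; and the key is a shared secret, so it must be random, distinct per server, and never reused as a login password.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16   # key ID + MD5 digest


def build_ntp_client_header(transmit_ts):
    """Minimal NTPv4 client header: LI=0, VN=4, Mode=3; all other fields
    zero except the 64-bit transmit timestamp (constructed value)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    return bytes([li_vn_mode, 0, 0, 0]) + b"\x00" * 36 + struct.pack("!Q", transmit_ts)


def ntp_mac(key_id, key, header):
    """RFC 5905 symmetric-key authenticator: 4-byte key ID followed by
    MD5(key || header). `key` is the secret from the NTP Key page."""
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def sign_ntp_packet(key_id, key, header):
    return header + ntp_mac(key_id, key, header)


def verify_ntp_packet(packet, keys):
    """Verify a received packet against the configured key table
    {key_id: key_bytes}. Returns (accepted, key_id); unknown key IDs and
    bad digests are rejected, and the digest comparison is constant-time."""
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False, None
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = keys.get(key_id)
    if key is None:
        return False, key_id          # unauthorized key ID
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, mac[4:]), key_id


# Constructed key table: key ID 1 (range 1-65535), key of 1-31 characters,
# matching the NTP Key page's limits.
KEYS = {1: b"Correct-Horse-NTP-Key"}

if __name__ == "__main__":
    hdr = build_ntp_client_header(0xE300000000000000)
    pkt = sign_ntp_packet(1, KEYS[1], hdr)
    print(len(pkt), verify_ntp_packet(pkt, KEYS))
```

The verifier deliberately reports the key ID even on failure so that a log line can say which configured key a rejected packet claimed to use; a burst of rejections for one key ID is the signal that the server's key no longer matches the one on the device.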

Option

Specify system options, including system language, administrator authentication server, host
name, password strategy and reboot.
To change system option, take the following steps:

1. Select Configuration Management > System Configuration > Device Management >
Option

2. Select System Setting. Configure the following.

Option Description

Hostname Type the host name you want to use into the Hostname box.

Domain Type the domain name you want to specify into the Domain box.

System Language You can select Chinese or English according to your own requirements.

Administrator Authentication Server Select a server to authenticate the administrator from the drop-down list.

Lock IP

Maximum count of login attempts Specify the maximum number of login attempts from one IP address. The value range is 0 to 256. The default value is 256.

Locking Time Specify the locking time of a locked IP address. The value range is 1 to 65535 minutes, and the default value is 2 minutes.

Lock Account

Maximum count of login attempts Specify the maximum number of login attempts for one account. The value range is 1 to 5. The default value is 3.

Locking Time Specify the locking time of a locked account. The value range is 1 to 65535 minutes, and the default value is 2 minutes.

Minimum Password Length Specifies the minimum length of a password. The value range is 4 to 16 characters. The default value is 4.

Password Complexity None means no restriction on the characters used in a password. Select Password Complexity Settings to enable password complexity checking and configure the requirements:

l Minimum Capital Letter Length: The default value is 2 and the range is 0 to 16.

l Minimum Lowercase Letter Length: The default value is 2 and the range is 0 to 16.

l Minimum Number Length: The default value is 2 and the range is 0 to 16.

l Minimum Special Character Length: The default value is 2 and the range is 0 to 16.

l Validity Period: The unit is day. The range is 0 to 365. The default value is 0, which indicates that there is no restriction on the validity period of the password.

Failure Feedback Click the Enable button. When errors occur, the system automatically sends the exception information to Hillstone.

3. Click OK.
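The Trusted Host page and the Lock IP / Lock Account / Password Complexity options above are the device's management-plane access controls, and it helps to see how they interact before choosing values (for example, that locking an account after three failures does nothing to a password-spraying client that rotates accounts from one address, which is what the IP limit is for). The model below is an added example, not Hillstone code. It assumes colon-separated MACs and a MAC range written as start-end, and that an IP attempt limit of 0 disables the IP lock; the addresses, accounts and passwords are constructed. It serves both the Trusted Host section and this one.

```python
import ipaddress
import time


def _ip_matcher(spec):
    """spec is 'addr/prefix' (IP/Netmask) or 'start-end' (IP Range)."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-"))
        return lambda a: lo <= a <= hi
    net = ipaddress.ip_network(spec, strict=False)
    return lambda a: a in net


def _mac_int(mac):
    return int(mac.replace(":", ""), 16)   # assumption: colon-separated MACs


def _mac_matcher(spec):
    """spec is a single MAC or 'start-end'; None when the entry is IPv4-only."""
    if spec is None:
        return None
    parts = spec.split("-")
    lo, hi = _mac_int(parts[0]), _mac_int(parts[-1])
    return lambda m: m is not None and lo <= _mac_int(m) <= hi


class TrustedHosts:
    """Trusted Host entries: an 'IPv4' entry matches on the address alone;
    an 'IPv4&MAC' entry requires both the address and the MAC to match."""

    def __init__(self):
        self.entries = []

    def add(self, ip_spec, mac_spec=None):
        self.entries.append((_ip_matcher(ip_spec), _mac_matcher(mac_spec)))

    def allows(self, ip, mac=None):
        addr = ipaddress.ip_address(ip)
        return any(ip_ok(addr) and (mac_ok is None or mac_ok(mac))
                   for ip_ok, mac_ok in self.entries)


class LoginGuard:
    """Lock IP / Lock Account: after `max_*_attempts` consecutive failures
    the IP or the account is locked for `lock_minutes` (assumption: an IP
    limit of 0 disables the IP lock)."""

    def __init__(self, max_ip_attempts=256, max_account_attempts=3,
                 lock_minutes=2, clock=time.time):
        self.limits = {"ip": max_ip_attempts, "acct": max_account_attempts}
        self.lock_seconds = lock_minutes * 60
        self.clock = clock
        self.state = {}   # (kind, key) -> [failure count, locked_until]

    def allowed(self, ip, account):
        now = self.clock()
        return all(self.state.get(k, [0, 0])[1] <= now
                   for k in (("ip", ip), ("acct", account)))

    def record_failure(self, ip, account):
        for kind, key in (("ip", ip), ("acct", account)):
            entry = self.state.setdefault((kind, key), [0, 0])
            entry[0] += 1
            limit = self.limits[kind]
            if limit and entry[0] >= limit:
                entry[0] = 0
                entry[1] = self.clock() + self.lock_seconds

    def record_success(self, ip, account):
        self.state.pop(("ip", ip), None)
        self.state.pop(("acct", account), None)


DEFAULT_COMPLEXITY = {"upper": 2, "lower": 2, "digit": 2, "special": 2}


def password_violations(password, min_length=4, complexity=None):
    """Check a password against Minimum Password Length and, when
    `complexity` is given, the Password Complexity Settings counts."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if complexity:
        counts = {
            "upper": sum(c.isupper() for c in password),
            "lower": sum(c.islower() for c in password),
            "digit": sum(c.isdigit() for c in password),
            "special": sum(not c.isalnum() for c in password),
        }
        for kind, needed in complexity.items():
            if counts[kind] < needed:
                problems.append("needs at least %d %s characters" % (needed, kind))
    return problems


def demo_lockout():
    """Three bad logins for one account from one IP, with a fake clock."""
    now = [1000.0]
    guard = LoginGuard(max_account_attempts=3, lock_minutes=2, clock=lambda: now[0])
    out = []
    for _ in range(3):
        out.append(guard.allowed("203.0.113.5", "hillstone"))
        guard.record_failure("203.0.113.5", "hillstone")
    out.append(guard.allowed("203.0.113.5", "hillstone"))   # account locked
    out.append(guard.allowed("203.0.113.5", "operator"))    # same IP, other account
    now[0] += 121                                           # lock expires
    out.append(guard.allowed("203.0.113.5", "hillstone"))
    return out
```

`demo_lockout()` returns `[True, True, True, False, True, True]`: the account is locked after the third failure, but the same address is still free to try a different account because the IP limit is at its default of 256. Lowering the IP limit closes that gap; the trusted-host list is the stronger control, since an address outside it never reaches the login page at all.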

Rebooting the System

Some operations like license installation or image upgrading will require the system to reboot
before it can take effect.
To reboot a system, take the following steps:

1. Select Configuration Management > System Configuration > Device Management >
Option.

2. Select the System Option tab, click Reboot, and select Yes in the prompt.

3. The system will reboot. You need to wait a while before it can start again.

System Debug

System Debug Information

System debugging helps you diagnose and identify system errors using the exported file.



To export the system debugging information, take the following steps:

1. Select Configuration Management > System Configuration > Device Management >
Option.

2. Select the System Option tab and click Export. The system packs the files in /etc/local/core and prompts you to save the tech-support file. Select the save location and click OK to export the file.

Storage Management

The storage management function helps you manage system storage space by deleting logs or stopping logging.
To configure the storage management function, take the following step:

1. Select Configuration Management > System Configuration > Device Management > Stor-
age Management.



2. Configure the corresponding options.

Option Description

Threshold: When the system storage ratio or storage space reaches the specified threshold, the system will perform the specified action to control the system storage. The storage ratio ranges from 1% to 90%.

Threshold Alarm: When the system storage ratio or storage space reaches the specified threshold, the system will record a log message.

Action: When the specified threshold is reached, the system will perform the specified action, either Override the earliest data or Stop recording data.

l Override the earliest data: The system will delete the earliest logs.

l Stop recording data: The system will stop storing new logs.

Custom Storage

View Current Storage Status: Shows the Total Storage, Allocated Storage and Utilization. Click View Current Storage Status to view the maximum storage space and utilization of each module's log and report files.

Report Storage Setting: Specify the disk space size of the report file. The system allocates a default disk space size for the report file, and you can customize it as needed.

Log Storage Setting: Click the Enable button to specify the disk space size of each module's log. The system allocates a default disk space size for the log of each module, and you can customize it as needed.

3. Click OK to save the settings.

Configuration File Management
System configuration information is stored in the configuration file, and it is stored and displayed in command-line format. The information used to initialize the Hillstone device from the configuration file is known as the initial configuration information. If no initial configuration information is found, the Hillstone device uses the default parameters for initialization. The information currently in effect is known as the current configuration information.
System initial configuration information includes the current initial configuration information (used when the system starts) and backup initial configuration information. The system records the latest ten saved configurations, and the most recently saved configuration is recorded as the current initial configuration information. The current configuration information is marked as Startup; the previous nine saved configurations are numbered 0 to 8, in order of save time.
You can export or delete the saved configuration files, and you can also export the current system configuration.

Managing Configuration File

To manage the system configuration files, take the following steps:

1. Select Configuration Management > System Configuration > Configuration File Management > Configuration File List.

2. In the Configuration File List page, configure the following.

l Compare: Click Compare, and in the Configuration File Compare page, configure the
first file and the second file to be compared respectively. Click Compare, and the dif-
ference between the two files will be displayed below.

l Export: Select the configuration file you want to export, and click Export.

l Delete: Select the configuration file you want to delete, and click Delete.

l Backup Restore: You can restore the system configurations to a saved configuration file or to factory defaults, or you can back up the current configurations.

Option Description

Back up Current Configurations: Type a description for the configuration file into the Description box. Click Start to back up.

Restore Configuration: Roll back to Saved Configurations:

l Select Backup System Configuration File: Click this button, then select a backup configuration file from the list. Click OK.

l Upload Configuration File: Click this button. In the Importing Configuration File page, click Browse and choose the local configuration file you need on your PC. If you need the configuration file to take effect, select the check box. Click OK.

Restore to Factory Defaults:

l Click Restore. In the Restore to Factory Defaults page, click OK.

l If needed, select the Clear History check box. The system will clear the history information automatically.

Notes: The device will be restored to factory defaults. Meanwhile, all the system configurations will be cleared, including backup system configuration files.

Viewing the Current Configuration

To view the current configuration file, take the following steps:

1. Select Configuration Management > System Configuration > Configuration File Management > Current Configurations.

2. Click Export to export the current configuration file.

SNMP
The device is designed with an SNMP Agent, which receives operation requests from the Network Management System and returns the corresponding information about the network and the device.
The device supports the SNMPv1, SNMPv2 and SNMPv3 protocols. SNMPv1 and SNMPv2 use community-based authentication to limit the Network Management System's access to device information. SNMPv3 introduces a user-based security module for information security and a view-based access control module for access control.
The device supports all relevant Management Information Base II (MIB II) groups defined in RFC 1213 and the Interfaces Group MIB (IF-MIB) using SMIv2 defined in RFC 2233. In addition, the system offers a private MIB, which contains the system information, IPSec VPN information and statistics information of the device. You can use the private MIB by loading it into an SNMP MIB browser on the management host.

SNMP Agent

The device is designed with an SNMP Agent, which provides network management and monitors the running status of the network and devices by viewing statistics and receiving notifications of important system events.
To configure an SNMP Agent, take the following steps:

1. Select Configuration Management > System Configuration > SNMP > SNMP Agent.

2. Click the Enable button. In the SNMP Agent page, configure these values.

Option Description

SNMP Agent: Click the Enable button to enable the SNMP Agent function.

ObjectID: The Object ID displays the SNMP object ID of the system. The object ID is specific to an individual system and cannot be modified.

System Contact: Type the SNMP system contact information of the device into the System Contact box. System contact is a management variable of the system group in MIB II and contains the ID and contact details of the administrator responsible for the managed device. By configuring this parameter, you save this important information on the device for possible use in case of emergency.

Location: Type the location of the device into the Location box.

Host Port: Type the port number of the managed device into the Host Port box.

Local EngineID: Type the SNMP engine ID into the Local EngineID box.

3. Click Apply.

Notes: The SNMP Engine ID identifies an engine uniquely. The SNMP Engine is an important component of the SNMP entity (Network Management System or managed network device) which implements functions such as the reception/sending and verification of SNMP messages, PDU abstraction, encapsulation, and communication with SNMP applications.

SNMP Host

To create an SNMP host, take the following steps:

1. Select Configuration Management > System Configuration > SNMP > SNMP Host.

2. Click New.

3. In the SNMP Host Configuration page, configure these values.

Option Description

Type: Select the SNMP host type from the Type drop-down list. You can select IP Address, IP Range or IP/Netmask.

l IP Address: Type the IP address of the SNMP host into the Hostname box.

l IP Range: Type the start IP and end IP into the Hostname boxes respectively.

l IP/Netmask: Type the start IP address and netmask of the SNMP host into the Hostname boxes respectively.

SNMP Version: Select the SNMP version from the SNMP Version drop-down list.

Community: Type the community for the SNMP host into the Community box. The community is a password sent in clear text between the manager and the agent. This option is only effective if the SNMP version is V1 or V2C.

Permission: Select the read and write permission for the community from the Permission drop-down list. This option is only effective if the SNMP version is V1 or V2C.

l RO: Stands for read-only; the read-only community is only allowed to read the MIB information.

l RW: Stands for read-write; the read-write community is allowed to read and modify the MIB information.

4. Click OK.

Trap Host

To create a Trap host, take the following steps:

1. Select Configuration Management > System Configuration > SNMP > Trap Host.

2. Click New.

3. In the Trap Host Configuration page, configure these values.

Option Description

Host: Type the domain name or IP address of the Trap host into the Host box.

Trap Host Port: Type the port number for the Trap host into the Trap Host Port box.

SNMP Agent: Select the SNMP version from the SNMP Agent drop-down list.

l V1 or V2C: Type the community for the Trap host into the Community box.

l V3: Select the V3 user from the V3 User drop-down list. Type the Engine ID for the trap host into the Engine ID box.

4. Click OK.

V3 User Group

SNMPv3 protocol introduces a user-based security module. You need to create an SNMP V3 user
group for the SNMP host if the SNMP version is V3.
To create a V3 user group, take the following steps:

1. Select Configuration Management > System Configuration > SNMP > V3 User Group.

2. Click New.

3. In the V3 Group Configuration page, configure these values.

Option Description

Name: Type the SNMP V3 user group name into the Name box.

Security Model: The Security Model option displays the security model for the SNMP V3 user group.

Security Level: Select the security level for the user group from the Security Level drop-down list. The security level determines the security mechanism used in processing an SNMP packet. Security levels for V3 user groups include No Authentication (no authentication and no encryption), Authentication (an authentication algorithm based on MD5 or SHA) and Authentication and Encryption (an authentication algorithm based on MD5 or SHA and message encryption based on AES or DES).

Read View: Select the read-only MIB view name for the user group from the Read View drop-down list. If this parameter is not specified, all MIB views will be none.

Write View: Select the write MIB view name for the user group from the Write View drop-down list. If this parameter is not specified, all MIB views will be none.

4. Click OK.

V3 User

If the selected SNMP version is V3, you need to create an SNMP V3 user group for the SNMP
host and then add users to the user group.
To create a user for an existing V3 user group, take the following steps:

1. Select Configuration Management > System Configuration > SNMP > V3 User.

2. Click New.

3. In the V3 User Configuration page, configure these values.

Option Description

Name: Type the SNMP V3 user name into the Name box.

V3 User Group: Select an existing user group for the user from the Group drop-down list.

Security Model: The Security Model option displays the security model for the SNMP V3 user.

Remote IP: Type the IP address of the remote management host into the Remote IP box.

Authentication: Select the authentication protocol from the Authentication drop-down list. By default, this parameter is None, i.e., no authentication.

Authentication Password: Type the authentication password into the Authentication Password box.

Confirm Password: Re-type the authentication password into the Confirm Password box to confirm.

Encryption: Select the encryption protocol from the Encryption

4. Click OK.
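The SNMP Host settings (version, clear-text community, RO/RW permission) and the V3 User Group security levels described above together determine how exposed the agent is; the following added Python audit is not Hillstone code, and the sample entries, dict layout and findings text are constructed here for illustration, not an export format of the device.

```python
"""Review SNMP host and V3 user-group settings for weak choices.

Added example, not Hillstone code. The entries mirror the WebUI options
(Type, SNMP Version, Community, Permission, Security Level, Read/Write
View); the dict layout and the sample values are constructed here.
"""
from ipaddress import ip_network

# Constructed sample of what an administrator might have configured.
SNMP_HOSTS = [
    {"name": "nms-legacy", "type": "IP Address", "host": "10.0.5.20",
     "version": "V2C", "community": "public", "permission": "RW"},
    {"name": "nms-subnet", "type": "IP/Netmask", "host": "10.0.0.0/8",
     "version": "V2C", "community": "s3cr3t-ro", "permission": "RO"},
    {"name": "nms-v3", "type": "IP Address", "host": "10.0.5.21",
     "version": "V3", "group": "ops-readonly"},
]

V3_GROUPS = [
    {"name": "ops-readonly", "security_level": "Authentication and Encryption",
     "auth": "SHA", "encryption": "AES", "write_view": None},
    {"name": "ops-noauth", "security_level": "No Authentication",
     "auth": None, "encryption": None, "write_view": "iso"},
]

# Community strings that every scanner tries first.
WELL_KNOWN_COMMUNITIES = {"public", "private"}


def audit_snmp_host(host: dict) -> list:
    """Findings for one SNMP host entry; an empty list means nothing to flag."""
    findings = []
    if host["version"] in ("V1", "V2C"):
        # With V1/V2C the community travels in clear text, so it is the
        # only thing standing between the network and the MIB.
        if host["community"].lower() in WELL_KNOWN_COMMUNITIES:
            findings.append("well-known community string")
        if host["permission"] == "RW":
            findings.append("read-write community over V1/V2C")
    if host["type"] == "IP/Netmask":
        # A wide netmask lets many hosts pose as the manager.
        net = ip_network(host["host"], strict=False)
        if net.prefixlen < 24:
            findings.append(f"manager scope {net} wider than a /24")
    return findings


def audit_v3_group(group: dict) -> list:
    """Findings for one V3 user group based on its security level."""
    findings = []
    level = group["security_level"]
    if level == "No Authentication":
        findings.append("no authentication or encryption")
    elif level == "Authentication":
        findings.append("authenticated but unencrypted")
    if group.get("auth") == "MD5":
        findings.append("MD5 authentication")
    if group.get("encryption") == "DES":
        findings.append("DES encryption")
    if group.get("write_view") and level != "Authentication and Encryption":
        findings.append("write view without authentication and encryption")
    return findings


def audit_all(hosts, groups) -> dict:
    """Map each entry name to its findings, skipping clean entries."""
    report = {}
    for host in hosts:
        found = audit_snmp_host(host)
        if found:
            report[host["name"]] = found
    for group in groups:
        found = audit_v3_group(group)
        if found:
            report[group["name"]] = found
    return report
```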

Upgrading System
The upgrade wizard helps you:

l Upgrade system to a new version or roll back system to a previous version.

l Update the Signature Database.

Upgrading Firmware

To upgrade firmware, take the following steps:

1. Select Configuration Management > System Configuration > Upgrade Management >
Upgrade Firmware.

2. In the Upgrade Firmware page, configure the following.

Upgrade Firmware

Backup Configuration File: Make sure you have backed up the configuration file before upgrading. Click Backup Configuration File to back up the current firmware file; the system will automatically redirect to the Configuration File Management page after the backup.

Current Version: The current firmware version.

Upload Firmware: Click Browse to select a firmware file from your local disk.

Backup Image: The backup firmware version.

Reboot: Select the Reboot now to make the new firmware take effect check box and click Apply to reboot the system and make the firmware take effect. If you click Apply without selecting the check box, the firmware will take effect after the next startup.

Choose a Firmware for the next startup

Select the firmware that will take effect for the next startup: Select the firmware that will take effect for the next startup.

Reboot: Select the Reboot now to make the new firmware take effect check box and click Apply to reboot the system and make the firmware take effect. If you click Apply without selecting the check box, the firmware will take effect after the next startup.

Updating Signature Database

To update each signature database, take the following steps:

1. Select Configuration Management > System Configuration > Upgrade Management > Signature Database Update.

2. In the Signature Database Update page, configure the following.

Option Description

Current Version: Shows the current version number.

Remote Update: Application Identification Database, URL Category Database, Sandbox Whitelist Database, Anti-virus Signature Database, IPS Signature Database, and Botnet C&C Prevention Signature DB.

l Update Server: By default, the system updates the signature database every day automatically. You can change the update configuration as needed. Hillstone devices provide two default update servers: https://update1.hillstonenet.com and https://update2.hillstonenet.com. You can customize the servers according to your needs. In Update Server, specify the server IP or domain name and the Virtual Router.

l Update Proxy Server: When the device accesses the Internet through an HTTP proxy server, you need to specify the IP address and the port number of the HTTP proxy server. With the HTTP proxy server specified, the various signature databases can update normally. In Update Proxy Server, enter the IP addresses and ports of the main proxy server and the backup proxy server.

l Auto Update: Click the Enable button of Auto Update and specify the auto update time. Click OK to save your changes.

l Update Now: Click OK And Online Update to update the signature database right now.

Threat Tag Database.

l Server: Hillstone devices provide a default update server: sec-cloud.hillstonenet.com.

l Auto Update: Click the Enable button of Auto Update and specify the auto update time. Click OK to save your changes.

l Update Now: Click OK And Online Update to update the signature database right now.

Local Update: Click Browse and select the signature file on your local PC, and then click Upload.

Updating Trusted Root Certificate Database

To ensure that the root certificates stored on your device are sufficient and up to date, and to reduce errors during server certificate verification, you need to update the trusted root certificate database in a timely manner. The system supports both remote and local upgrade. When updating the trusted root certificate database, the system deletes revoked and expired certificates and adds new certificates.
To update the trusted root certificate database, take the following steps:

1. Select Configuration Management > System Configuration > Upgrade Management > Trusted Root Certificate Update.

2. In the Trusted Root Certificate Update page, configure the following.

Option Description

Current Version: Shows the current version number.

Remote Update: Click Remote Update and configure the following update parameters.

l Update Server: By default, the system updates the trusted root certificate database every day automatically. You can change the update configuration as needed. Hillstone devices provide two default update servers: https://update1.hillstonenet.com and https://update2.hillstonenet.com. You can customize the servers as needed. Under Update Server, specify the server IP or domain name and the virtual router.

l Update Proxy Server: When the device accesses the Internet through an HTTP proxy server, you need to specify the IP address and the port number of the HTTP proxy server to ensure that the trusted root certificate database can be updated normally. Under Update Proxy Server, enter the IP addresses and ports of the main proxy server and the backup proxy server.

l Auto Update: Click the Enable button and specify the auto update time. Click OK to save your changes.

l OK And Online Update: Click the button to update the trusted root certificate database immediately.

Local Update: Click Local Update, and click Browse to select a trusted root certificate database file on your local PC, and then click Upload.

License
Licenses are used to authorize features or services for users, or to extend performance. If you do not buy and install the corresponding license, the features, services, and performance that depend on the license cannot be used or achieved.
License classes and rules:

Platform License Description Valid Time

Platform Trial: The platform license is the basis for the operation of the other licenses. If the platform license is invalid, the other licenses are not effective. The device is pre-installed with a 15-day platform trial license in the factory. Valid Time: You cannot modify the existing configuration when the license has expired. The system will restore to factory defaults when the device reboots.

Platform: The platform license is the basis for the operation of the other licenses. You can install the platform license after the formal sale of the device. The license provides basic functions. Valid Time: The system cannot upgrade the OS version when the license has expired, but the system can work normally.

Function License Description Valid Time

Sandbox License (This feature may not be available on all platforms): Provides the sandbox function and whitelist update, and authorizes the number of suspicious files uploaded per day. It includes 3 licenses:

l Sandbox-300 license: 300 suspicious files are allowed to be uploaded every day.

l Sandbox-500 license: 500 suspicious files are allowed to be uploaded every day.

l Sandbox-1000 license: 1000 suspicious files are allowed to be uploaded every day.

Valid Time: The valid time can be 1 year, 2 years or 3 years. When the license has expired, the system cannot analyze the collected data and cannot update the whitelist; the sandbox protection function can only be used according to the results cached in the local database, and if you restart the device, the function cannot be used.

Service License Description Valid Time

Anti-Virus: Provides the Anti-Virus function and Anti-Virus signature database update. Valid Time: The system cannot update the Anti-Virus signature database when the license has expired, but the Anti-Virus function can still be used normally.

IPS: Provides the IPS function and IPS signature database update. Valid Time: The system cannot update the IPS signature database when the license has expired, but the IPS function can still be used normally.

URL: Provides the URL database, URL lookup and URL signature database update. Valid Time: The system cannot update the URL database and cannot query URLs from the online URL database when the license has expired, but user-defined URLs and the URL filtering function can still be used normally.

Antispam: Provides the Anti-Spam function. Valid Time: The Anti-Spam function cannot be used when the license expires.

Botnet C&C Prevention: Provides the Botnet C&C Prevention function and Botnet C&C Prevention database update. Valid Time: The system cannot update any signature databases when the license expires, but the included functions and rules can still be used normally.

IP Reputation: Provides the Perimeter Traffic Filtering function of IP reputation and IP reputation database update. Valid Time: The system cannot update the IP reputation database when the license expires.

APP signature: Provides application signature database update. The APP signature license is issued with the platform license; you do not need to apply for it separately. The valid time of the license is the same as that of the platform license. Valid Time: The system cannot update the APP signature database when the license expires, but the included functions and rules can still be used normally.

Session number: Doubles the concurrent session number. Valid Time: Permanent.

StoneShield: A package of features, including Abnormal Behavior Detection, Advanced Threat Detection, and the corresponding signature database update. Valid Time: The system cannot update any signature databases when the license expires, but the included functions and rules can still be used normally.

Applying for a License

Before you apply for a license, you have to generate a license request first.

1. Select Configuration Management > System Configuration > License.

2. Click Apply For. Under License Request, input user information. All fields are required.

3. Click Generate; a string of code appears.

4. Send the code to your sales contact. The sales person will issue the license and send the code back to you.

Installing a License

After obtaining the license, you must install it on the device.
To install a license, take the following steps:

1. Select Configuration Management > System Configuration > License.

2. Click Import. In the Import License page, configure options as below.

Option Description

Upload License File: Select Upload License File. Click Browse to select the license file, in TXT format, and then click OK to upload it.

Manual Input: Select Manual Input. Type the license string into the box.

3. Click OK.

4. Go to Configuration Management > System Configuration > Device Management > Option, and select the System Option tab.

5. Click Reboot, and select Yes in the prompt.

6. System will reboot. When it starts again, installed license(s) will take effect.

Mail Server
By configuring the mail server in the Mail Server page, the system can send the log messages,
report or alarm information to the specified email address.

Creating a Mail Server

To create a mail server, take the following steps:

1. Select Configuration Management > System Configuration > Mail Server.

2. In the Mail Server Configuration page, configure these values.

Option Description

Name: Type a name for the mail server into the box.

Server: Type the domain name or IP address of the mail server into the box.

Transmission Mode: Select the transmission mode for the email.

l PLAIN: Specifies that the mail is sent in plain text and is not encrypted. This mode is the default transmission mode.

l STARTTLS: STARTTLS is an extension to the plain text communication protocol that upgrades plain text connections to encrypted connections. In this mode, the mail will be transmitted over an encrypted connection.

l SSL: The SSL protocol is a security protocol that provides security and data integrity for network communication. In this mode, the mail will be transmitted over an encrypted connection.

Port: Type the port number for the mail server into the box. The range is 1 to 65535. The default port number differs by transmission mode: PLAIN: 25, STARTTLS: 25, SSL: 465.

Virtual Router: From the Virtual Router drop-down list, select the Virtual Router for the SMTP server.

Verification: Select the Enable check box for mail verification to enable it if needed. Type the username and its password into the corresponding boxes.

Email: Type the email address from which the mail is sent.

3. Click Apply.

Extended Services
This feature may vary slightly on different platforms. If there is a conflict between this guide and the actual page, the latter shall prevail.
The system supports connecting to other Hillstone products to provide more services. Currently, the extended services include connecting to Hillstone Security Management (HSM) and Hillstone Cloud. For specific configurations, refer to one of the following topics:

l Connecting to HSM

l Connecting to Hillstone Cloud

Connecting to HSM

Hillstone Security Management (HSM) is a centralized management platform for managing and controlling multiple Hillstone devices; it supports device monitoring, upgrade management, and log viewing.
Each device of the S series has an HSM module inside it. When the device is configured with the correct HSM parameters, it can connect to HSM and be managed by HSM.
For more information about HSM, please refer to the Hillstone Security Management User Guide.

HSM Deployment Scenarios

HSM is normally deployed in one of two scenarios: installed in the public network or in the private network:

l Installed in the public network: HSM is remotely deployed and connected to the managed devices via the Internet. When the HSM and the managed devices have an accessible route between them, the HSM can control the devices.

l Installed in the private network: In this scenario, HSM and the managed devices are in the same subnet. HSM can manage devices in the private network.

Connecting to HSM

To configure HSM parameters in the device:

1. Select System > HSM Agent.

2. Select Enable of HSM Agent field to enable this feature.

3. Input the HSM server's IP address in the Server IP/Domain text box. The address cannot be 0.0.0.0, 255.255.255.255, or a multicast address.

4. Enter the port number of the HSM server.

5. Click OK.

6. The Syslog Server part shows the HSM server's syslog server and its port.

Connecting to Hillstone Cloud·View

This feature may not be available on all platforms. Please check your system's actual page to see whether your device delivers this feature.
Cloud·View is a security SaaS product and a cloud security services platform for the mobile Internet era. Cloud·View is deployed in the public cloud to provide users with online, on-demand services. Users can obtain convenient, high-quality and low-cost value-added security services through the Internet and the APP, and get a better security experience.
After the Hillstone device is properly configured to connect to Cloud·View, the device is registered to the public cloud and connected to Cloud·View, so that Cloud·View can monitor the device remotely.

Cloud·View Deployment Scenarios

The main deployment scenarios of Cloud·View are described as follows:

Hillstone devices are registered to the public cloud; the device information, traffic data, threat events and system logs are uploaded to the cloud, and the cloud provides a visual display. Through the Web or the mobile phone APP, users can monitor device status information, reports, threat analysis, etc.

Notes: About Cloud·View, see Cloud·View FAQs page.

Connecting to Hillstone Cloud·View

When using the Cloud·View, the device needs to connect to the Cloud·View server.

1. Select System > Hillstone Cloud·View.

2. Select the Enable check box of Hillstone Cloud·View.

3. Enter the URL of the Cloud·View server. The default configuration is cloud.hillstonenet.com.cn.

4. Enter the username of Cloud·View. Register the device to this user.

5. Enter the password of the user.

6. Server Status displays the Cloud·View status.

7. Select Threat Event to upload the threat events detected by Hillstone device.

8. Select System Log to upload the event logs.

9. Click Emergency response and select One-click Disconnect to permit CloudView to disconnect from or reconnect to the Internet with one click. Meanwhile, you can click Critical Assets to jump to the critical assets page and disconnect critical assets from the Internet or reconnect them via the WebUI.

10. Select whether to join the Hillstone cloud security program. This program uploads the threat prevention data to the cloud intelligence server. The uploaded data is used for internal research to reduce false positives and to achieve better protection of the equipment.

11. Click OK.

One-click Disconnection

When critical assets or businesses are under attack, you can temporarily disconnect their businesses from the Internet with this function in the CloudView APP to minimize the losses.
After the device is registered to CloudView, it periodically reports the critical assets information to the cloud, and the APP displays some of the configurations (such as protocol type, IP port and number of connections), running status, statistics, etc., of the critical assets.
To configure one-click disconnection, take the following steps:

1. Select System > Hillstone Cloud.

2. Click Emergency response and select One-click Disconnect, and click OK.

3. Open CloudView on your mobile phone. You can scan the QR code on the page to down-
load the CloudView APP.

4. Enter the username (for example: [email protected]) and password of your CloudView
account.

5. Click the Monitor module, and the registered device will be displayed on the Monitor page.

6. Click the device, and select the One-click Disconnection tab to display all critical assets
under the device and their status.

7. Click Enable to disconnect the selected critical assets with one click, or disconnect critical
assets in batch.

8. If necessary, click Disable to resume traffic forwarding for the down critical assets.

Send Object
This feature may not be available on all platforms. Please check your system's actual page to see if
your device delivers this feature.
After configuring the alarm rules, system will report the warning events to the recipient by send-
ing a warning email or message. In the Send Object page, configure the recipient information.

Creating a Send Object

To create a send object, take the following steps:

1. Click Configuration Management > System Configuration > Alarm Rule > Send Object.

2. Click New. In the Recipient Configuration dialog, enter the recipient information.

Option Description

Name: Specify the recipient's name.

Email: Specify the email address for receiving warning emails.

Comment: Specify comments for the recipient.

Viewing Relevant Alarm Rules

In the Relevant Warning Rules window, you can view the warning rules that relate to a selected
recipient after selecting recipients.

High Availability
HA, the abbreviation for High Availability, provides a fail-over solution for communication line or device failure to ensure smooth communication and effectively improve the reliability of the network. When one device is not available or cannot handle the request from the client properly, the request is promptly directed to the other device that works normally, thus ensuring uninterrupted network communication and greatly improving the reliability of communications.
To implement the HA function, you need to configure the two devices as an HA cluster, using the identical hardware platform, the same R version of firmware, the same licenses, and the same expansion modules.
System supports three HA modes: Active-Passive (A/P) and Peer.

l Active-Passive (A/P) mode: In the HA cluster, configure two devices to form an HA group,
with one device acting as a primary device and the other acting as its backup device. The
primary device is active, forwarding packets, and meanwhile synchronizes all of its network
and configuration information and current session information to the backup device. When
the primary device fails, the backup device will be promoted to primary and takes over its
work to forward packets. This A/P mode is redundant, and features a simple network struc-
ture for you to maintain and manage.

l Peer mode: the Peer mode is a special HA Active-Active mode. In the Peer mode, two
devices are both active, perform their own tasks simultaneously, and monitor the operation
status of each other. When one device fails, the other will take over the work of the failure
device and also run its own tasks simultaneously. In the Peer mode, only the device at the act-
ive status can send/receive packets. The device at the disabled status can make two devices
have the same configuration information but its interfaces do not send/receive any packets.
The Peer mode is more flexible and is suitable for the deployment in the asymmetric routing
environment.



Basic Concepts

HA Cluster

To external network devices, an HA cluster appears as a single device that handles network traffic
and provides security services. An HA cluster is identified by its cluster ID. After you specify
an HA cluster ID on a device, the device enters the HA state and the HA function takes effect.

HA Group

Within an HA cluster, the system selects the primary and backup device among the devices that
share the same HA group ID, according to the HCMP protocol and the HA configuration. The primary
device is in the active state and processes network traffic. When the primary device fails, the
backup device takes over its work.
When you assign a cluster ID to a device, the HA group with ID 0 is created automatically. In
Active-Passive (A/P) mode, the device only has HA group 0.

Virtual Forward Interface and MAC

In an HA environment, each HA group has an interface that forwards traffic, known as the Virtual
Forward Interface. The primary device of each HA group owns a virtual MAC (VMAC) address that
corresponds to this interface, and traffic is forwarded on the interface. Different HA groups in
an HA cluster cannot forward data to each other. The VMAC address is derived from the HA cluster
ID, the HA group ID and the physical interface index.

HA Selection

In an HA cluster, among the devices with the same group ID, the one with the higher priority (the
smaller priority number) is selected as the primary device.

HA Synchronization

To ensure that the backup device can take over when the primary device fails, the primary device
synchronizes its information to the backup device. Three types of information can be synchronized:
configuration information, files and RDO (Runtime Dynamic Object). RDO includes:


l Session information (The following types of session information will not be synchronized: the
session to the device itself, deny session, ICMP session, and the tentative session)

l DNS cache mappings

l ARP table

l DHCP information

l MAC table

The system supports two synchronization methods: real-time synchronization and batch
synchronization. When a primary device has just been selected, batch synchronization is used to
copy all information of the primary device to the backup device. When the configuration changes,
real-time synchronization is used to copy the changed information to the backup device. Except for
the HA-related configuration and local configuration (for example, the host name), all other
configuration is synchronized.


Configuring HA

To configure the HA function, complete the following tasks:

1. Select the control link interfaces and the data link interfaces.

2. Configure the IP address of the control link interface.

3. Configure an HA cluster. Specify the ID of the HA cluster and enable the HA function.

4. Configure an HA group. Specify the priority of the devices and the HA message parameters.

To configure HA, take the following steps:

1. Select Configuration Management > System Configuration > HA.

Configure the following HA settings:

Option Description

Control link interface 1: Select an interface as the HA control link interface. The control link
interface is used to synchronize all data between the two devices. With the default settings, some
models bind the MGT1 interface to the HA zone, and other models bind the ethernet0/1 interface to
the HA zone; the binding facilitates the selection of the control link interface. You can also
select another interface that is bound to the HA zone, or an interface that is not bound to any
zone, as the control link interface.

Control link interface 2: Specifies the name of the second HA control link interface. Control link
interface 2 works as the backup of control link interface 1.

Assist link interface: Specifies the name of the HA assist link interface. In Active-Passive (A/P)
mode, you can specify an HA assist link interface that sends and receives heartbeat packets (Hello
packets), so that the primary and backup devices still switch over correctly when the HA link
fails. Note:

l Until the HA link is restored, the HA assist link interface only sends and receives heartbeat
packets; data cannot be synchronized over it. You are advised not to modify the current
configuration during this time. After the HA link is restored, manually synchronize the session
information.

l The HA assist link interface must be an interface other than the HA link interface, and it must
be bound to a zone.

l Specify the same interface as the HA assist link interface on both the primary and the backup
device, and make sure that this interface belongs to the same VLAN on both devices.

Data link interface 1: Specifies the name of HA data link interface 1. The data link interface is
used to synchronize data packet information. After you specify this data link, session information
is synchronized over it. You can configure a physical interface or an aggregate interface as the
data link interface. Note: You can specify at most one aggregate interface, or at most two
physical interfaces, as HA data link interfaces.

Data link interface 2: Specifies the name of HA data link interface 2. The data link interface is
used to synchronize data packet information. After you specify this data link, session information
is synchronized over it. You can configure a physical interface or an aggregate interface as the
data link interface. Note: You can specify at most one aggregate interface, or at most two
physical interfaces, as HA data link interfaces.

IP address: Specifies the IP address and netmask of the HA link interface.

HA cluster ID: Specifies the ID of the HA cluster. The value ranges from 0 to 8. None disables the
HA function.

HA Synchronize Configuration: In some exceptional circumstances, the configurations of the master
and backup devices may not be synchronized. In such a case, click HA Synchronize Configuration to
synchronize the configuration information of the master and backup devices manually.

Node ID: After enabling the HA function, specify the Node ID (HA Node) of the device. The IDs of
the two devices must be different. The range is 0 to 1. If you do not specify this value, the
devices obtain their Node IDs by automatic negotiation.

Peer-mode: Click the Enable button to enable HA Peer mode and specify the role of this device in
the HA cluster. The range is 0 to 1. By default, group 0 on the device whose HA Node ID is 0 is
active, and group 0 on the device whose HA Node ID is 1 is in the disabled status.

Symmetric-routing: Select Symmetric-routing to make the device work in a symmetric routing
environment.

HA Synchronize Session: By default, the system synchronizes sessions between the HA devices
automatically. Session synchronization generates some traffic and may affect device performance
when the device is overloaded, so you can turn automatic HA session synchronization on or off
according to the device workload to assure stability. Click HA Synchronize Session to enable
automatic HA session synchronization.

Group 0

Priority: Specifies the priority of the device. The device with the higher priority (the smaller
number) is selected as the primary device.

Preempt: Configures the preempt mode. When preempt mode is enabled, once the backup device finds
that its own priority is higher than that of the primary device, it promotes itself to primary and
the original primary device becomes the backup. The value 0 disables preempt mode. When preempt
mode is disabled, a device whose priority is higher than that of the primary device does not take
over unless the primary device fails.

Hello interval: Specifies the Hello interval, that is, the interval at which the HA device sends
heartbeats (Hello packets) to the other device in the HA group. The Hello interval must be
identical on all devices in the same HA group.

Hello threshold: Specifies the threshold for Hello messages. If the device does not receive the
specified number of Hello messages from the other device, it assumes that the other device's
heartbeat has stopped.

Gratuitous ARP packet number: Specifies the number of gratuitous ARP packets. When the backup
device is selected as the primary device, it sends gratuitous ARP packets to the network so that
the neighbouring network devices update their ARP tables.

Track object: Specifies a track object you have configured. The track object monitors the working
status of the device. Once the device is found to have stopped working normally, the system takes
the corresponding action.

Description: Type the description of the HA group into the box.

2. Click OK.
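To make the interaction between Priority, Hello threshold and Preempt concrete, here is a small
Python model of the HA group election written for this page. It is an added illustration, not
Hillstone code, and it does not talk to a device: the node IDs, priorities, threshold and the
gratuitous ARP count are made-up values, and time advances in ticks of one Hello interval.

```python
"""Model of the HA group election rules described above. This is an added
illustration written for this page, not Hillstone code: it reproduces the
semantics of Priority (smaller number wins), Hello threshold (a peer is
considered down after that many Hello intervals without a heartbeat), Preempt
and the gratuitous ARP burst a newly promoted primary sends. Time advances in
ticks of one Hello interval; node IDs and priorities are made-up values."""
from dataclasses import dataclass, field


@dataclass
class Node:
    node_id: int
    priority: int            # lower number = higher priority, as in the Group 0 table
    alive: bool = True       # False models a device that stopped sending Hello packets
    missed_hellos: int = 0   # consecutive Hello intervals with no heartbeat from it
    role: str = "backup"


@dataclass
class HAGroup:
    group_id: int
    hello_threshold: int
    preempt: bool
    garp_count: int = 3      # "Gratuitous ARP packet number" (assumed value)
    nodes: list = field(default_factory=list)
    events: list = field(default_factory=list)

    def primary(self):
        return next((n for n in self.nodes if n.role == "primary"), None)

    def elect(self):
        """HA Selection: pick the primary among the peers whose heartbeat is still seen."""
        reachable = [n for n in self.nodes if n.missed_hellos < self.hello_threshold]
        if not reachable:
            return None
        current = self.primary()
        best = min(reachable, key=lambda n: (n.priority, n.node_id))
        if current is None or current not in reachable:
            winner = best                        # primary lost: failover
        elif best is not current and self.preempt:
            winner = best                        # better priority takes over only with Preempt
        else:
            winner = current                     # Preempt off: keep the working primary
        if winner is not current:
            # the newly promoted primary refreshes the neighbours' ARP tables
            self.events.append(("garp", winner.node_id, self.garp_count))
        for n in self.nodes:
            n.role = "primary" if n is winner else "backup"
        return winner

    def tick(self):
        """One Hello interval: update missed-heartbeat counters, then re-run the election."""
        for n in self.nodes:
            n.missed_hellos = 0 if n.alive else n.missed_hellos + 1
        return self.elect()


def failover_scenario(preempt, hello_threshold=3):
    """Return the primary node ID (a) after the first election, (b) after the
    primary has missed threshold-1 Hellos, (c) after it has missed the
    threshold, and (d) after it has recovered."""
    a = Node(node_id=0, priority=50)
    b = Node(node_id=1, priority=100)
    group = HAGroup(group_id=0, hello_threshold=hello_threshold, preempt=preempt, nodes=[a, b])
    history = [group.elect().node_id]
    a.alive = False                               # node 0 stops sending Hello packets
    for _ in range(hello_threshold - 1):
        group.tick()
    history.append(group.primary().node_id)       # still node 0: threshold not yet reached
    group.tick()
    history.append(group.primary().node_id)       # node 1 declared node 0 down and took over
    a.alive = True                                # node 0 returns with the better priority
    group.tick()
    history.append(group.primary().node_id)       # node 0 takes back the role only with Preempt
    return history


if __name__ == "__main__":
    print("preempt on :", failover_scenario(True))    # [0, 0, 1, 0]
    print("preempt off:", failover_scenario(False))   # [0, 0, 1, 1]
```

The two runs show the practical difference between the Preempt settings: with preempt disabled the
recovered device stays backup until the new primary fails, which avoids a second traffic cut-over
while the original device is still settling.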



Authentication
The system supports HTTPS-based two-factor authentication. When you log in via HTTPS, the system
verifies your certificate and your password.
To use HTTPS-based two-factor authentication, configure the following:

l Enable certificate authentication on the device

l Import the certificate into the Web browser

To enable certificate authentication on the device:

1. Select Configuration Management > System Configuration > Device Management > Management
Interface.

2. In the Web section, select the Enable check box of Certificate authentication.

3. Select a trust domain from the Certificate Trust Domain drop-down list. To create a new trust
domain, see "PKI" on Page 662.

4. Select whether to check the CN field. If enabled, the login username must match the CN (Common
Name) field in the subject of the client certificate presented at login.

5. Click OK to save the settings.

Import the certificate into the Web browser:

1. To export the certificate from the device, select Configuration Management > System
Configuration > PKI > Trust Domain Certificate.

2. In the Trust Domain Certificate page, select the target trust domain, select CA Certificate,
and click Export.

3. Click OK to export the certificate to a selected directory.

4. Copy the certificate file to the client.

5. On the client, open the Web browser (e.g. IE) and select Tools > Internet Options.

6. In the Content tab, click Certificates.

7. In the Certificates dialog, click the Trusted Root Certification Authorities tab.

8. Click Import, and import the certificate by following the Certificate Import Wizard.

After all configurations are complete, access the HTTPS management address of the device from the
Web browser. The browser pops up a dialog that asks you to select the correct certificate; then
the login page appears. Note that a browser can only offer a client certificate whose private key
is installed in its certificate store and which was issued under the CA of the selected trust
domain, so each administrator needs such a certificate in addition to the CA certificate imported
above.

PKI

PKI (Public Key Infrastructure) is a system that provides public key encryption and digital
signature services. PKI is designed to automate key and certificate management and to assure the
confidentiality, integrity and non-repudiation of data transmitted over the Internet. A PKI
certificate binds a public key to the identity of its holder and is signed by a trusted third
party, so that the holder can be authenticated over the Internet. A PKI system consists of Public
Key Cryptography, a CA (Certificate Authority), an RA (Registration Authority), Digital
Certificates and the related PKI repository.
PKI terminology:

l Public Key Cryptography: A technology used to generate a key pair that consists of a public
key and a private key. The public key is widely distributed, while the private key is known only
to its owner. The two keys of the pair complement each other: data encrypted with one key can
only be decrypted with the other key of the pair.

l CA: A trusted entity that issues digital certificates to individuals, computers or other
entities. The CA accepts certificate requests and verifies the information provided by the
applicants according to its certificate management policy. If the information is valid, the CA
signs the certificates with its private key and issues them to the applicants.

l RA: An extension of the CA. The RA forwards certificate requests to the CA, and also forwards
the digital certificates and CRLs issued by the CA to directory servers in order to provide
directory browsing and query services.

l CRL: Every certificate has an expiration date. However, a CA may revoke a certificate before
it expires because of key compromise, business termination or other reasons. Once a certificate
is revoked, the CA issues a CRL (Certificate Revocation List) announcing that the certificate is
invalid and listing the serial number of the revoked certificate.

PKI is used in the following situations:

l HTTPS/SSH: PKI applies when a user accesses a Hillstone device over HTTPS or SSH.

Creating a PKI Key

1. Select Configuration Management > System Configuration > PKI > Key.

2. Click New.

In the PKI Key Configuration page, configure the following.

Option Description

Label: Specifies the name of the PKI key. The name must be unique.

Key configuration mode: Specifies how the key is obtained, either Generate or Import.

Key Pair Type: Specifies the type of key pair, either RSA, DSA or SM2.

Key modulus: Specifies the modulus of the key pair. The modulus of RSA and DSA can be 1024 (the
default value), 2048, 512 or 768 bits, and the modulus of SM2 is 256 bits. Moduli of 512, 768 and
1024 bits are too short for current security requirements; choose 2048 bits for any new RSA or DSA
key unless a peer system cannot handle it.

3. Click OK.

Creating a Trust Domain

1. Select Configuration Management > System Configuration > PKI > Trust Domain.

2. Click New.

In this page, configure the following options.

Option Description

Basic

Trust Domain: Enter the name of the new trust domain.

Enrollment Type: Use one of the following two methods:

l Select Manual Input, click Browse to locate the certificate, and click Import to import it into
the system.

l Select Self-signed Certificate, and the certificate will be generated by the device itself.

Key Pair: Select a key pair.

Subject

Name: Enter the name of the subject.

Country (Region): Enter the applicant's country or region. Only a two-letter abbreviation is
allowed, such as CN.

Location: Optional. The location of the applicant.

State/Province: Optional. State or province name.

Organization: Optional. Organization name.

Organization Unit: Optional. Department name within the applicant's organization.

3. Click Apply Certificate. A block of text appears; this is the certificate signing request
(CSR) for the selected key pair.

4. Copy this text and send it to the CA by email.

5. When you receive the certificate issued by the CA, click Browse to import it.

6. (Optional) Expand Certification Revocation List and configure the following.

Certification Revocation List

Check:

l No Check: The system does not check the CRL. This is the default option.

l Optional: The system checks the peer's certificate against the CRL when a CRL is available,
and still accepts the peer's certificate when no CRL can be obtained.

l Force: The system accepts the peer's certificate only when a CRL is available and the
certificate is not listed in it.

URL 1-3: The URL from which the CRL is retrieved. At most 3 URLs are allowed, and they are tried in
priority order from 1 to 3.

l Select http:// to get the CRL via HTTP.

l Select ldap:// to get the CRL via LDAP. If you use LDAP to retrieve the CRL, enter the
login-DN and password of the LDAP server. If no login-DN or password is given, the LDAP bind is
anonymous.

Auto Update: Update frequency of the CRL.

Manual Update: Get the CRL immediately by clicking Obtain CRL.

7. Click OK.
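The CN check from the Authentication section and the three CRL Check modes above combine into one
accept/reject decision for the certificate half of the HTTPS login. The Python below, written for
this page as an added illustration (it is not Hillstone code), spells that decision out. Peer
certificates are represented in the dict layout that Python's ssl.SSLSocket.getpeercert() returns,
so the CN extraction works on real TLS sessions; the two certificate dicts, their serial numbers
and the revoked-serial set are constructed test data, and chain validation against the trust
domain's CA is assumed to have been done by the TLS handshake before these checks run.

```python
"""Decision logic for the certificate part of the HTTPS two-factor login
(added illustration for this page, not Hillstone code). Peer certificates use
the dict layout returned by ssl.SSLSocket.getpeercert(); the certificates and
the revoked serial below are constructed test data."""

# Constructed peer certificates in ssl.getpeercert() layout: "subject" is a
# tuple of RDNs, each RDN a tuple of (attribute, value) pairs; "serialNumber"
# is an upper-case hex string.
ALICE_CERT = {
    "subject": ((("countryName", "CN"),), (("organizationName", "Example Corp"),),
                (("commonName", "alice"),)),
    "serialNumber": "0A1B2C3D",
}
MALLORY_CERT = {
    "subject": ((("commonName", "alice"),),),   # same CN, but a revoked certificate
    "serialNumber": "DEADBEEF",
}
REVOKED_SERIALS = {"DEADBEEF"}                  # constructed CRL content


def subject_cn(peercert):
    """Return the subject commonName, or None when the certificate has no CN."""
    for rdn in peercert.get("subject", ()):
        for attribute, value in rdn:
            if attribute == "commonName":
                return value
    return None


def crl_allows(serial, check_mode, crl):
    """Apply the trust domain's CRL Check setting.

    check_mode: "none" (No Check), "optional" or "force".
    crl: set of revoked serial numbers, or None when no CRL could be obtained
    from any of the configured URLs."""
    if check_mode == "none":
        return True
    if crl is None:
        return check_mode == "optional"          # Force rejects when the CRL is unavailable
    return serial.upper() not in {s.upper() for s in crl}


def authorize_certificate(peercert, username, *, check_cn, check_mode, crl):
    """Return (accepted, reason). True means the password check may proceed."""
    if not peercert:
        return False, "no client certificate presented"
    if check_cn and subject_cn(peercert) != username:
        return False, "login username does not match certificate CN"
    if not crl_allows(peercert.get("serialNumber", ""), check_mode, crl):
        return False, "certificate revoked or CRL unavailable"
    return True, "certificate accepted; password check follows"


if __name__ == "__main__":
    print(authorize_certificate(ALICE_CERT, "alice", check_cn=True, check_mode="force", crl=REVOKED_SERIALS))
    print(authorize_certificate(MALLORY_CERT, "alice", check_cn=True, check_mode="force", crl=REVOKED_SERIALS))
    print(authorize_certificate(ALICE_CERT, "alice", check_cn=True, check_mode="force", crl=None))
```

The third call is the case to think about before choosing Force: if every configured CRL URL is
unreachable, Force locks every administrator out until the CRL can be fetched again, while
Optional keeps accepting certificates that may already have been revoked.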

Importing/Exporting Trust Domain

To simplify configuration, you can export certificates (CA or local) and the private key (in
PKCS#12 format) to a computer and import them into another device.
To export a PKI trust domain, take the following steps:

1. Select Configuration Management > System Configuration > PKI > Trust Domain Certificate.

2. Select a domain from the drop-down menu.

3. Select the radio button of the item you want to export, and click Export.
If you choose PKCS, you need to set a password. The PKCS#12 file contains the private key, so
choose a strong password and delete the file from the computer once it has been imported.

4. Click OK, and select a storage path to save the item.

To import the saved trust domain to another device:

1. Log in to the other device and select Configuration Management > System Configuration > PKI
> Trust Domain Certificate.

2. Select a domain from the drop-down menu.

3. Select the radio button of the item you want to import, and click Import.
If you choose PKCS, enter the password that was set when the file was exported.

4. Click Browse and locate the file to import.

5. Click OK. The domain file is imported.

Importing a Trusted Root Certificate

The system does not inspect PE files whose code-signing certificate chains to a trusted root
certificate. Because every PE file signed under an imported root is exempted from detection, import
only roots you trust for this purpose. To import a trusted root certificate, take the following
steps:

1. Select Configuration Management > System Configuration > PKI > Trusted Root Certificate.

2. Click Import and choose a certificate file on your PC.

3. Click OK, and the file is imported.

Chapter 13 Diagnostic Tool


This feature may not be available on all platforms. Please check your system's actual page to see if
your device delivers this feature.
The system supports the following diagnostic methods:

l Global Fault Detection: Displays all information that matches the search conditions, so that
related information can be viewed in one place. When there are network issues, you can use the
affected users/groups, IP addresses or applications as the search conditions to collect all
information related to the fault, and so locate its cause quickly.

l Packet Path Detection: Traces packets through the system and shows the detection process and
results as a chart with descriptions.

l Packet Capture Tool: Captures packets in the system. After capturing the packets, you can
export them to your local disk and analyze them with third-party tools.

l Test Tools: DNS Query, Ping and Traceroute can be used when troubleshooting the network.

Packet Path Detection

This feature may not be available on all platforms. Please check your system's actual page to see if
your device delivers this feature.
Based on the packet process flow, the packet path detection function traces packets through the
system and shows the detection process and results to the user as a chart with descriptions. The
function can work on the following packet sources: emulation packets, online packets and imported
packets (the system provides the Packet Capture Tool to help you capture packets for import).
Packets from different sources are detected in different ways. The system supports the following
measures:

l Emulation packet detection: Emulate a packet and trace its process flow through the system.

l Online packet detection: Trace the process flow of live packets through the system in real
time.

l Imported packet detection: Import existing packets and trace their process flow through the
system.

Configuring Packet Path Detection

You can configure the packet path detection configurations and view the detection results in the
report.

Emulation Detection

To perform the emulation detection, take the following steps:

1. Select Configuration Management > System Configuration > Diagnostic Tool > Packet
Path Detection.

2. Click Choose Source.

3. In the Choose Source page, click New > Emulation Packet.

Configure options as follows.

Option Description

Name: Specifies the name of the emulation packet.

Ingress Interface: Select the ingress interface of the emulation packet from the drop-down list.

Source Address: Specifies the source IP address of the emulation packet.

Destination Address: Specifies the destination IP address of the emulation packet.

Protocol: Select the protocol of the emulation packet from the drop-down list. When you select TCP
or UDP, specify the source and destination ports in the Source Port and Destination Port text
boxes; when you select ICMP, enter the ICMP type and code in the Type and Value text boxes.

Description: Specifies the description of this emulation packet.

4. Click Start to start the detection. The system displays the detection flow in the flow chart
and describes the detection process. The flow chart contains all modules the packet passes
through in the system. After the detection for a particular module is completed, the status
indicator above the module shows the result for that module:

l Green indicator: The detection for this module has passed. The system proceeds with the
detection. Hover your mouse over this step to view its introduction.

l Yellow indicator: The detection for this module has passed, but there are potential security
risks. The system proceeds with the detection. Hover your mouse over this step to view its
introduction and the detection results. You can click the View Results link to view the detailed
detection report.

l Red indicator: The detection for this module has failed, and the system has stopped the
detection. Hover your mouse over this step to view its introduction and the detection results.
You can click the View Results link to view the detailed detection report. If the failure is
caused by the policy rule configuration, you can click the link in the Policy Rule step to jump
to the policy rule configuration page.

5. After the detection is completed, view the detection results in the Detection Result tab.
The detection results include the status indicator and a summary. You can click the View Details
link to view the detailed detection report. The meanings of the status indicators are as follows:

l Green indicator: The detected source has passed all detection steps.

l Yellow indicator: The detected source has passed all detection steps, but there are potential
security risks in one or more steps. You can click the View Details link to view the potential
risks and advice.

l Red indicator: The detected source has not passed all detection steps. You can click the View
Details link to view the failure reasons and advice.

Online Detection

To perform the online detection, take the following steps:

1. Select Configuration Management > System Configuration > Diagnostic Tool > Packet
Path Detection.

2. Click Choose Source.

3. In the Choose Source page, click New > Online Packet.

Configure options as follows.

Option Description

Name: Specifies the name of the online packet.

Ingress Interface: Select the ingress interface of the online packet from the drop-down list.

Source: Specifies the source IP address or the user/user group of the online packet.

l Address: Select the Address radio button and enter the IP address in the text box.

l User/User Group: Select the User/User Group radio button and select the user/user group from
the drop-down list.

Destination: Specifies the destination IP address or URL of the online packet.

l Address: Select the Address radio button and enter the IP address in the text box.

l URL: Select the URL radio button and enter the URL in the text box.

Protocol: Specifies the protocol type or the protocol number of the packet.

Source Port: Specifies the source port of the online packet.

Destination Port: Specifies the destination port of the online packet.

Application: Specifies the application type of the online packet.

Description: Enter the description of the online packet in the text box.

4. Click OK.

5. If needed, specify the detecting duration in the Detecting Duration section. When the specified
duration is reached, the system stops the detection automatically. The default value is 30
minutes.

6. If needed, select the Capture Packets check box to capture the detected packets; you can then
download them to a specified directory. Before selecting this check box, make sure the Packet
Capture Tool function is disabled. For more information, see "Packet Capture Tool" on Page 678.

7. Click Start to start the detection. The system displays the detection process. If errors occur
during the detection, a flow thumbnail pops up in the flow chart area to display the
corresponding errors. After the detection is completed, you can click the flow thumbnail to view
the details. During each detection process, the system pops up at most six thumbnails.

8. After the detection is completed, view the detection results in the Detection Result tab.
The detection results include the status indicator and a summary. You can click the View Details
link to view the detailed detection report. For the meanings of the status indicators, see steps
4 and 5 in Emulation Detection.

Notes: If one of the following situations happens during the detection, the system
will stop the detection.

l You click the Stop button.

l The detecting duration reaches its upper limit. If you do not set the detecting duration,
the default value (30 minutes) applies.

l The total number of errors of the same type reaches 10, for example, the flow is blocked by
the same policy 10 times.

l The total number of errors of different types reaches 5. Errors of different types are errors
that occurred in different modules, or errors of different types within one module.

l The Capture Packets option is selected, the captured packet file reaches 10M in size, and
errors occurred during the detection.

Imported Detection

To perform the imported detection:

1. Select Configuration Management > System Configuration > Diagnostic Tool > Packet
Path Detection.

2. Click Choose Source.

3. In the Choose Source page, click New > Imported Packet.

Configure options as follows.

Option Description

Packet: Click the Browse button and select the packet file to import. The maximum size of the
imported packet file is 20M.

Name: Specifies the name of the imported packet.

Ingress Interface: Select the ingress interface of the imported packet from the drop-down list.

Description: Enter the description of the imported packet in the text box.

Advanced

Source Addr: Specifies the source IP address of the imported packet.

Destination Addr: Specifies the destination IP address of the imported packet.

Protocol: Specifies the protocol type or the protocol number of the imported packet.

Source Port: Specifies the source port of the imported packet.

Destination Port: Specifies the destination port of the imported packet.

Application: Specifies the application type of the imported packet.

4. Click OK.

5. Click Start to start the detection. The system displays the detection process in the
Detection Process tab. If errors occur during the detection, a flow thumbnail pops up in the flow
chart area to display the corresponding errors. After the detection is completed, you can click
the flow thumbnail to view the details. During each detection process, the system pops up at most
six thumbnails.

6. After the detection is completed, view the detection results in the Detection Result tab.
The detection results include the status indicators and a summary. You can click the View Details
link to view the detailed detection report. For the meanings of the status indicators, see steps
4 and 5 in Emulation Detection.

Notes: If one of the following situations happens during the detection, the system will
stop the detection.

l You click the Stop button.

l The total number of errors of the same type reaches 10, for example, the flow is blocked by
the same policy 10 times.

l The total number of errors of different types reaches 5. Errors of different types are errors
that occurred in different modules, or errors of different types within one module.

l All imported packets have been detected.

Detected Sources

The Choose Source page lists all detected sources in the system, including the emulation packet,
online packet, and imported packet.
Click Choose Source. In the Choose Source page, you can then perform the following actions:

l Click Details in the Result column to view the detection report of the detected source.

l Click Export in the Export Packet column to export the detected packet to the desired dir-
ectory.

l Click Edit in the Option column to edit the configurations of the detected source.

l Click Delete in the Option column to delete the detected source.

Packet Capture Tool

This feature may not be available on all platforms. Please check your system's actual page to see if
your device delivers this feature.
With the Packet Capture Tool you can run multiple packet capture tasks in the system. Each task
contains one or more packet capture rules, and the system captures the packets that match these
conditions in real time. You can view the number of captured and lost packets at any time. The
captured packets can be downloaded or exported to a local location and then viewed with a
third-party packet analysis tool.

Configuring Packet Capture Tools

To capture packets, take the following steps:

1. Select Configuration Management > System Configuration > Diagnostic Tool > Packet
Capture Tool.

2. Click New.

In the Packet Capture Configuration page, configure as follows.

Option Description

Name: Enter the name of the packet capture entry.

Packet Capture Rule: Click New, and configure the packet capture rules in the Packet Capture
Rules page. For the configuration method, refer to Create a Packet Capture Rule. To edit a rule,
select its check box in the list and click the Edit button. To delete a rule, select its check
box in the list and click the Delete button.

Packets Time: Enter the packets time in the text box.

Description: Enter the entry description in the text box.

3. Click OK.

4. For each task, click the Start button in the Capture Packets column to start capturing
packets; the Start button changes to Capturing. Click Status to view the current size and number
of packets captured.

5. To stop capturing packets, click the Capturing button in the Capture Packets column.

6. After you stop capturing packets or the capture is completed, click Download at the top-right
corner of the Capture Grid List to save the captured packets to a specified location.

7. You can select one or more file entries and click Export at the top-right corner of the list
to export the packet files. The exported capture files are in compressed format.

8. To clear packet capture data, select a packet capture task and click the Clear Data button.
All files captured under this task are cleared.

Notes: The system allows you to create at most 5 packet capture tasks.

Create a Packet Capture Rule

To create a packet capture rule, take the following steps:

1. Select Configuration Management > System Configuration > Diagnostic Tool > Packet
Capture Tool.

2. Click New.

3. Click New at Packet Capture Rule to open the Packet Capture Rule page.

In the Packet Capture Rule page, configure as follows.

Option Description

Source Type: Specify the source IP address/range or the user/user group of the packet.

l IP/Netmask: Enter the IPv4 address and its mask in the text box.

l IP Range: Enter the IPv4 range in the text box.

l IPv6/Prefix: Enter the IPv6 address and its prefix in the text box.

l IPv6 Range: Enter the IPv6 range in the text box.

l User/User Group: Select the user/user group from the drop-down list.

Destination Type: Specify the destination IP address/range of the packet.

l IP/Netmask: Enter the IPv4 address and its mask in the text box.

l IP Range: Enter the IPv4 range in the text box.

l IPv6/Prefix: Enter the IPv6 address and its prefix in the text box.

l IPv6 Range: Enter the IPv6 range in the text box.

l URL: Enter the URL in the text box.

Application: Specify the application type of the packet.

Protocol: Specify the protocol type or the protocol number of the packet.

4. Click OK.

Notes: A maximum of 8 packet capture rules can be created in the same packet capture task.
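To make the rule semantics concrete, here is an added example (not Hillstone code, and not from this guide) that models how a capture task filters traffic with the Source Type, Destination Type and Protocol options described in the two sections above, and enforces the limits the guide states (at most 5 tasks, at most 8 rules per task). The class names, the assumption that a packet is kept when any one rule of the task matches it, the protocol-name table and the sample packets are all assumptions made for this example.

```python
"""Added example: a model of packet capture rule matching (not Hillstone code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Optional

MAX_TASKS = 5            # "at most 5 packet capture tasks" (from the guide)
MAX_RULES_PER_TASK = 8   # "a maximum of 8 packet capture rules" per task (from the guide)

# Protocol names accepted in addition to raw IP protocol numbers (assumed table).
PROTOCOL_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "icmpv6": 58}


def address_matcher(spec: Optional[str]) -> Callable:
    """Build a predicate from one address specification.

    Accepted forms mirror the WebUI options:
      IP/Netmask   "10.1.0.0/255.255.0.0" or "10.1.0.0/16"
      IP Range     "10.1.2.10-10.1.2.20"
      IPv6/Prefix  "2001:db8::/32"
      IPv6 Range   "2001:db8::1-2001:db8::ff"
    None means "any address".
    """
    if spec is None:
        return lambda ip: True
    if "-" in spec:
        low, high = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if low.version != high.version or low > high:
            raise ValueError(f"invalid address range: {spec}")
        return lambda ip: ip.version == low.version and low <= ip <= high
    network = ipaddress.ip_network(spec, strict=False)  # host bits in the address are tolerated
    return lambda ip: ip.version == network.version and ip in network


def protocol_number(proto) -> Optional[int]:
    """Normalise a protocol given by name ("tcp") or number (6 or "6"); None = any protocol."""
    if proto is None:
        return None
    if isinstance(proto, int):
        return proto
    text = str(proto).strip().lower()
    if text.isdigit():
        return int(text)
    if text not in PROTOCOL_NUMBERS:
        raise ValueError(f"unknown protocol: {proto}")
    return PROTOCOL_NUMBERS[text]


@dataclass
class CaptureRule:
    source: Optional[str] = None       # Source Type: address/netmask, range or prefix; None = any
    destination: Optional[str] = None  # Destination Type: same forms; None = any
    protocol: Optional[object] = None  # Protocol: name or IP protocol number; None = any

    def __post_init__(self):
        self._src = address_matcher(self.source)
        self._dst = address_matcher(self.destination)
        self._proto = protocol_number(self.protocol)

    def matches(self, packet: dict) -> bool:
        src = ipaddress.ip_address(packet["src"])
        dst = ipaddress.ip_address(packet["dst"])
        if not (self._src(src) and self._dst(dst)):
            return False
        return self._proto is None or self._proto == packet["proto"]


@dataclass
class CaptureTask:
    name: str
    rules: List[CaptureRule] = field(default_factory=list)

    def add_rule(self, rule: CaptureRule) -> None:
        if len(self.rules) >= MAX_RULES_PER_TASK:
            raise ValueError(f"task {self.name!r} already has {MAX_RULES_PER_TASK} rules")
        self.rules.append(rule)

    def captures(self, packet: dict) -> bool:
        # Assumption: a packet is captured when any rule of the task matches it.
        return any(rule.matches(packet) for rule in self.rules)


class CaptureTool:
    def __init__(self):
        self.tasks: List[CaptureTask] = []

    def new_task(self, name: str) -> CaptureTask:
        if len(self.tasks) >= MAX_TASKS:
            raise ValueError(f"at most {MAX_TASKS} capture tasks are allowed")
        task = CaptureTask(name)
        self.tasks.append(task)
        return task


def run_capture(task: CaptureTask, packets) -> list:
    """Return the packets the task would capture, in arrival order."""
    return [p for p in packets if task.captures(p)]


# Constructed sample traffic (documentation addresses, not a real capture).
SAMPLE_PACKETS = [
    {"src": "10.1.2.15", "dst": "192.0.2.80", "proto": 6},            # TCP, source inside range
    {"src": "10.1.9.9", "dst": "192.0.2.80", "proto": 6},             # TCP, source outside range
    {"src": "10.1.2.15", "dst": "192.0.2.80", "proto": 17},           # UDP, protocol mismatch
    {"src": "2001:db8::5", "dst": "2001:db8:ffff::1", "proto": 58},   # ICMPv6 from the prefix
    {"src": "2001:db9::5", "dst": "2001:db8:ffff::1", "proto": 58},   # ICMPv6, other prefix
]


def demo() -> list:
    tool = CaptureTool()
    task = tool.new_task("web-troubleshooting")
    task.add_rule(CaptureRule(source="10.1.2.10-10.1.2.20", destination="192.0.2.0/24", protocol="tcp"))
    task.add_rule(CaptureRule(source="2001:db8::/32", protocol=58))
    return run_capture(task, SAMPLE_PACKETS)


if __name__ == "__main__":
    for packet in demo():
        print(packet)
```

Only the first and fourth sample packets are kept: the second fails the source range, the third fails the protocol check, and the fifth lies outside the IPv6 prefix. Note that `ipaddress.ip_network` with `strict=False` accepts an address that has host bits set, which is what the IP/Netmask option implies.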

Packet Capture Global Configuration

The global configuration items of packet capture vary according to the type of device:

l For devices with hard disks, you can configure the percentage of the packet capture files to
the total hard disk size.

l For devices without hard disks, you can configure the packet capture file save percent and the
packet capture file save time.

To configure the global configuration, take the following steps:

1. Select Configuration Management > System Configuration > Diagnostic Tool > Packet
Capture Tool.

2. Click the Global Configuration button in the upper right corner of the page to open the
Global Configuration page.

3. For a device with a hard disk, the Global Configuration page contains the following option:

Option Description

Disk Space Percent: Enter the percentage of the total hard disk size that packet capture files may occupy. The range is 5%-50%; the default value is 10%.

4. For a device without a hard disk, the Global Configuration page contains the following options:

Option Description

File Save Percent: Enter the maximum percentage of the remaining memory that packet capture files may occupy. The range is 5%-50%; the default value is 10%.

File Save Time: Enter the length of time a packet capture file is kept, in minutes. The range is 1-1440 minutes; the default value is 30 minutes.

5. Click OK.

Test Tools

DNS Query, Ping and Traceroute can be used when troubleshooting the network.

DNS Query

To check the DNS working status of the device, take the following steps:

1. Select Configuration Management > System Configuration > Diagnostic Tool > Test
Tools.

2. Type a domain name into the DNS Query box.

3. Click Test, and the testing result will be displayed in the list below.

Ping

To check the network connecting status, take the following steps:

1. Select Configuration Management > System Configuration > Diagnostic Tool > Test
Tools.

2. Type an IP address into the Ping box.

3. Click Test, and the testing result will be displayed in the list below.

4. The testing result contains two parts:

l The Ping packet responses. If there is no response from the target before the timeout, a message such as Destination Host Not Response is printed. Otherwise, each response shows the packet sequence number, the TTL, and the response time.

l Overall statistics, including the number of packets sent, the number of packets received, the percentage of packets with no response, and the minimum, average, and maximum response times.

Traceroute

Traceroute tests and records the gateways a packet traverses from the originating host to the destination. It is mainly used to check whether a network destination is reachable and to locate the point at which the path is broken. A common Traceroute implementation works as follows: first, it sends a packet with TTL 1, so the first hop returns an ICMP error message indicating that the packet could not be forwarded (because the TTL expired); then the packet is re-sent with TTL 2, and the second hop returns a TTL-expired message; this process repeats until the packet reaches the destination. The source address of each ICMP TTL-expired message is recorded, and together these addresses identify the path from the originating host to the destination. The system supports IPv4 and IPv6 peer addresses.
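The following added example (not Hillstone code and not part of this guide) simulates the TTL-probing procedure just described so it can be followed offline: a constructed list of hops stands in for the network, every hop decrements the TTL, and the hop at which it reaches zero answers with the simulated equivalent of an ICMP Time Exceeded message. It also covers the case the guide's description does not spell out, a hop that silently drops the expired probe and therefore shows up as "*". Real traceroute sends UDP or ICMP probes over raw sockets; the hop addresses, the 30-hop cap and the reply labels are assumptions of this example.

```python
"""Added example: a simulation of the traceroute TTL-probing procedure (not Hillstone code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_HOPS = 30  # assumed upper bound on probe TTL, as common traceroute tools use


@dataclass
class Hop:
    address: str
    answers_ttl_exceeded: bool = True  # False models a router that drops expired probes silently


def forward_probe(path: List[Hop], destination: str, ttl: int) -> Optional[Tuple[str, str]]:
    """Forward one probe along the path.

    Every router decrements the TTL; when it reaches 0 the router discards the probe
    and, if it is willing, sends an ICMP Time Exceeded whose source address reveals
    the hop. Returns (replying address, reply kind), or None when nobody replies
    (a timeout on the probing host).
    """
    for hop in path:
        ttl -= 1
        if ttl == 0:
            return (hop.address, "time-exceeded") if hop.answers_ttl_exceeded else None
    return (destination, "destination-reached")


def traceroute(path: List[Hop], destination: str, max_hops: int = MAX_HOPS) -> list:
    """Send probes with TTL 1, 2, 3, ... until the destination answers or max_hops is reached.

    Returns the per-hop table a traceroute tool prints: a list of (ttl, address), with
    "*" for a TTL whose probe got no reply.
    """
    ipaddress.ip_address(destination)  # IPv4 and IPv6 targets are accepted; invalid input raises
    route = []
    for ttl in range(1, max_hops + 1):
        reply = forward_probe(path, destination, ttl)
        if reply is None:
            route.append((ttl, "*"))
            continue
        address, kind = reply
        route.append((ttl, address))
        if kind == "destination-reached":
            break
    return route


# Constructed path (documentation addresses); the second router never answers expired probes.
SAMPLE_PATH = [
    Hop("192.168.1.1"),
    Hop("10.0.0.1", answers_ttl_exceeded=False),
    Hop("203.0.113.1"),
]
SAMPLE_DESTINATION = "198.51.100.10"


def demo() -> list:
    return traceroute(SAMPLE_PATH, SAMPLE_DESTINATION)


if __name__ == "__main__":
    for ttl, address in demo():
        print(f"{ttl:2d}  {address}")
```

The demo path yields four lines: the first router, a "*" for the silent router, the third router, and finally the destination itself, which ends the loop because it answers as the destination rather than with a TTL-expired message. Passing a smaller `max_hops` stops the probing early, which is how a real tool behaves when the destination is unreachable.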
To test and record gateways the packet has traversed by Traceroute, take the following steps:

1. Select Configuration Management > System Configuration > Diagnostic Tool > Test
Tools.

2. Select the VR in the Virtual Router drop-down list.

3. Select IPv4 or IPv6.

4. Type an IP address into the Traceroute box.

5. Click Test, and the testing result will be displayed in the list below.

Chapter 7 CLI
In the CLI, you can configure the basic network settings of the device, including the interface settings of ethernet0/0 or MGT0 and the route settings. You can also restore the device to the factory settings.

Logging into a Device


Connect to the device via Console, Telnet, or SSH. At the login prompt, provide the following parameters:
login: hillstone
password: hillstone
After your credentials are verified, you are logged into the device and placed in global configuration mode.

Configuring Interfaces
For a device without an MGT0 interface, you can configure ethernet0/0. This interface is bound to the trust zone and its default IP address is 192.168.1.1.
For a device with an MGT0 interface, you can configure the MGT0 interface. This interface is bound to the mgt zone and its default IP address is 192.168.1.1.
In global configuration mode, use one of the following commands to enter interface configuration mode:
interface ethernet0/0 or interface MGT0
In interface configuration mode, use the command below to bind the interface to a layer 2 zone or a layer 3 zone. Use the no form to cancel the setting.
zone zone-name
In interface configuration mode, use the command below to set the IP address of an interface. Use the no form to cancel the setting.
ip address ip-address/mask

In interface configuration mode, use the command below to enable management access on an interface. Use the no form to cancel the setting.
manage {ssh | telnet | ping | snmp | http | https }

Configuring Route
In the global configuration mode, use the command below to add a static route:

ip route { A.B.C.D/M | A.B.C.D A.B.C.D} A.B.C.D

l A.B.C.D/M | A.B.C.D A.B.C.D – Specify the destination network.

l A.B.C.D – Specify the next hop.
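The commands above assembled into one session, as an added example that is not taken from the guide. The login, the interface and zone names, the default address and the command forms are the ones the guide gives; the next-hop address, the exit command used to leave interface configuration mode and the # annotations are assumptions, since the guide does not show them, and the indentation is for readability only.

```text
login: hillstone
password: hillstone
# the session is now in global configuration mode
interface ethernet0/0
    zone trust                      # bind the interface to the trust zone
    ip address 192.168.1.1/24       # default address from the guide, /24 mask assumed
    manage ssh                      # allow SSH management on this interface
    manage https                    # allow HTTPS management on this interface
    no manage telnet                # no form: cancel Telnet management
    no manage http                  # no form: cancel plain HTTP management
exit                                # assumed: return to global configuration mode
ip route 0.0.0.0/0 192.168.1.254    # default route; next hop is a constructed example value
```

The no form is used here to leave only the encrypted management services (SSH and HTTPS) enabled on the management interface.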

Restore Device to Factory Settings


In the global configuration mode, use the command below to restore the device to factory set-
tings.
unset all

l a - Enter a and press Enter to delete all configurations, including the backup system con-
figurations. The database content will not be cleared.

l b - Enter b and press Enter to delete all configurations and database content, including the
backup system configurations, threat logs, reports, and captured packets.

l c - Enter c and press Enter to cancel the restore.

Force to Close the Bypass Function


The system enters the Bypass state if the device fails to forward traffic under certain conditions (such as a system restart, abnormal operation, or the device being powered off). In the Bypass state, the two Bypass interfaces are directly connected physically and forward traffic for each other to keep the service running. By default, the Bypass function is enabled. If you want to avoid this behavior, do not set the pair of Bypass interfaces as the tap zone, or close the Bypass function.
In global configuration mode, use the command below to force the Bypass function closed:

force-close-bypass
Use the no form to restore bypass functionality:

no force-close-bypass

Notes:
During device restart, if the system configuration information is not loaded, the
device is in Bypass state, and the pair of Bypass interfaces can still forward traffic
to each other.

Repairing/Resetting the Database
When the WebUI shows an alarm such as a database or data table exception, the database of the device can be repaired or reset with the following commands.

l When the WebUI shows the alarm "data table query exception", some of the database tables in the system may be damaged. You can repair the database with the following command in global mode:
exec database repair

l When the WebUI shows the alarm "database not started." or "system data is being initialized, please wait.", and the database cannot be repaired with the database repair command, the current database file may be seriously damaged. You can reset the database with the following command in global mode:
exec database reset
Tips: This command resets all database files, and the device restarts after the reset. All database history is also cleared. Use it with care.

Notes: Forcibly removing the power cord to shut down the device can easily cause database damage and loss of historical data. When you stop using the device, follow the correct shutdown process: first press the power switch on the back of the device, and then remove the power cord after the device has shut down.
