Hillstone Networks

StoneOS Cookbook
Version 5.5R11 V12

TechDocs | docs.hillstonenet.com
Copyright 2024 Hillstone Networks. All rights reserved.

Information in this document is subject to change without notice. The software described in this document is
furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in
accordance with the terms of those agreements. No part of this publication may be reproduced, stored in a
retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and
recording for any purpose other than the purchaser's personal use without the written permission of Hillstone
Networks.

Hillstone Networks

Contact Information:

US Headquarters:

Hillstone Networks

5201 Great America Pkwy, #420

Santa Clara, CA 95054

Phone: 1-408-508-6750

http://www.hillstonenet.com/about-us/contact/

About this Guide:

This guide gives configuration instructions for Hillstone Networks StoneOS user scenarios.

For more information, refer to the documentation site: https://docs.hillstonenet.com.

To provide feedback on the documentation, please write to us at:

[email protected]

Hillstone Networks

TWNO: TW-CBK-UNI-5.5R11-EN-V12-7/15/2024
Contents

Overview

How to Use Cookbook

Target audience 2

StoneOS Versions 2

Reading Sequence 2

Text vs. Screenshots 2

Getting Started and Other Chapters 2

Interface, Name, Topology 3

Clicking OK or Apply 3

Getting Started

Upgrading Firmware to Higher Version 5

Preparation 5

Method 1: Upgrading from WebUI 6

Method 2: Upgrading from CLI 7

Upgrading Firmware to Higher Version in HA mode 9

Preparation 9

Upgrade Steps 10

Using Security Policy to Allow Access to Another Zone 15

Configuration Steps 16

Allowing Internet to Visit a Private Server Using DNAT 21

Configuration Steps 22

Allowing Private Network to Access Internet Using SNAT 26

Configuration Steps 27

Configuring the Device to Communicate with Zabbix Using SNMP 31

StoneOS 31

Zabbix: 33

Dynamically Manage Access Authority Via Radius Dynamic Authorization 38

Scenario 38

Configuration Steps 39

Deploying Tap Mode to Monitor Network Traffic 48

Preparation 48

Configuring Tap Mode and Threat Detection 49

DNS Proxy 57

Scenario 57

Preparation 58

Configuration Steps 59

Q&A 62

Adding an SNAT Rule to StoneOS through NETCONF 63

Preparation 63

Configuration Steps 63

Device A 63

NETCONF Client 64

Viewing the results 67

Binding the Log Processing Process and Database Storage Process to Core MAX 68

Configuration Roadmap 68

Configuration Steps 69

Viewing the results 70

DHCP ZTP 71

Networking Scenario 71

Preparations 71

Procedure 72

Routing

Realizing Multicast Forwarding Through PIM-SM Multicast Protocol 75

Configuration Steps 75

Realizing Multicast Forwarding Through PIM-SSM Multicast Protocol 84

Configuration Steps 84

Deploying HA Scenario for Multicast Forwarding Through PIM-SM 91

Configuration Steps 93

Authentication

Allowing the Internet Access via User Authentication 99

Configuration Steps 99

Using AD Polling for SSO 107

Preparation 107

Configuration Steps 108

Allowing Internet Access via AD Polling 116

Preparation 116

Configuration Steps 117

Allowing Internet Access via AD Agent 127

Preparation 127

Configuration Steps 128

Allowing Internet Access via TS Agent 138

Preparation 138

Configuration Steps 139

VPN

Connection between Two Private Networks Using IPSec VPN (IKEv1) 147

Configuration Steps 147

Device A 147

Device B 153

Connection between Two Private Networks Using IPSec VPN (IKEv2) 160

Configuration Steps 160

Device A 160

Device B 166

Establishment of IPSec VPN Based on Certificate Authentication 173

Configuration Steps 173

Device A 173

Device B 179

Realizing Dynamic Switch between IPSec Links Using IPSec VPN Smart Link 186

Configuration Steps 186

Device A 186

Device B 189

Allowing Remote Users to Access a Private Network Using SSL VPN 199

Networking Scenario 199

Configuration Steps 200

Connecting to Microsoft Azure Using Site-to-Site VPN 212

Configure Microsoft Azure 213

Configure Hillstone Device 220

Using an iOS/Android Device to Remotely Access Intranet Services 223

Using an iOS Device to Remotely Access Intranet Services 223

Using an Android Device to Remotely Access Intranet Services 228

Allowing Remote Users ( PC ) to Access a Private Network Using L2TP over IPSec VPN 230

Configuring Basic Settings 230

Configuring IPSec VPN 233

Configuring L2TP VPN 236

Setting up a VPN Connection 238

Adjusting Whether to Use IPSec for L2TP VPN 248

Allowing Remote Users (iOS/Android) to Access a Private Network Using L2TP over IPSec VPN 249

Configuring Basic Settings 249

Configuring IPSec VPN 252

Configuring L2TP VPN 255

Set up a VPN connection in iOS/Android 257

Allowing Remote Users ( PC ) to Access a Private Network Using L2TP and SSL VPN 264

Configure the Branch Firewall 264

Configure Headquarters Firewall 271

Setting up a VPN Connection 275

Connection between Two Private Networks Using GRE over IPSec VPN 277

Configuring Basic Settings 278

Configuring IPSec VPN 281

Configuring GRE VPN 286

Configuring Route and Policies 289

Configuring VXLAN Static Unicast Tunnel 293

Configuration Steps 293

VTEP1 Configuration 293

VTEP2 Configuration 294

Zero Trust Network Access (ZTNA)

Windows User Accessing Internal Server by Using Internal Network Access via ZTNA 298

Networking Scenario 298

Configuration Roadmap 299

Preparations 300

Configuration Steps 301

Windows User Remotely Accessing Internal Server Through ZTNA 314

Networking Scenario 314

Configuration Roadmap 315

Preparations 316

Configuration Steps 319

Android User Remotely Accessing Internal Server Through ZTNA 335

Networking Scenario 335

Configuration Roadmap 336

Preparations 337

Configuration Steps 338

High Availability

Ensuring Uninterrupted Connection Using HA 347

Configuration Steps 348

Making Two Firewalls Working in Hot Standby Mode by Deploying them in HA Peer to Ensure the Continuity of Service 355

Configuration Steps 355

Verification 358

Device A and Device B Working Normally 358

Device B Failing and Device A Working Normally 359

Using Two Devices as Gateways to Forward Business Traffic and Back Up Each Other Based on HSVRP, which Ensures Uninterrupted Business Traffic 360

Configuration Steps 361

Verification 366

M0D1 and D0M1 Working Normally 366

D0M1 Failing and M0D1 Working Normally 367

Quality of Service (QoS)

QoS Control 369

Configuration Steps 370

Outbound Link Load Balance 376

Configuration Steps 377

Q&A 379

Outbound Link Load Balance with Customizable SLA Metrics 381

Configuration Instructions 382

Configuration Roadmap 382

Configuration Steps of WebUI 382

Configuration Steps of CLI 386

Threat Prevention

Protecting Internal Servers and Host to Defend Attack via Abnormal Behavior Detection 390

Configuration Steps 391

Protecting Intranet to Defend Attacks via Intrusion Prevention System 398

Configuration Steps 398

Forensic Analysis 406

Configuration Steps 406

Forensic Analysis Configuration Example 408

Threat Intelligence Via Hillstone Cloud Service Platform 413

Preparation 414

Configuration Steps 414

Viewing the results 415

Identifying IoT Assets to Enable Security Control of IoT by Using Built-in Docker 416

Networking Requirements 416

Preparations 417

Configuration Steps 417

Configuration Steps of WebUI 419

IoT Asset Identification Configuration 419

IoT Monitor Management 423

IoT Policy Control 425

IoT Data Analysis 427

Configuration Steps of CLI 427

IoT Asset Identification Configuration 427

IoT Monitor Management 429

IoT Policy Control 429

IoT Data Analysis 430

Identifying IoT Assets to Enable Security Control by Deploying the Asset Identifying System on the VM 431

Networking Requirements 431

Preparations 432

Configuration Steps 433

Configuration Steps of WebUI 434

IoT Asset Identification Configuration 434

VM Configuration 434

Firewall Configuration 440

IoT Monitor Management 443

IoT Policy Control 445

IoT Data Analysis 447

Configuration Steps of CLI 447

IoT Asset Identification Configuration 447

VM Configuration 447

Firewall Configuration 447

IoT Monitor Management 448

IoT Policy Control 449

IoT Data Analysis 449

Data Security

Decrypting HTTPS Traffic and Identifying the Encrypted Application 452

Configuration Steps 453

URL Filtering for HTTPS Traffic without the CA Certificate 456

Preparation 456

Configuration Steps 457

IPv6

Connecting IPv6 and IPv4 Networks 463

Configuring Networks of Headquarters 463

Configuring Networks of Branch A 468

Configuring Networks of Branch B 471

Realizing FTP Service in IPv6-only or IPv4/IPv6 Hybrid Networks Using ALG 474

Before You Start 475

Configuration Steps of Scenario 1 475

Configuration Steps of Scenario 2 476

Configuration Steps of Scenario 3 479

Realizing SIP Communication in IPv6-only or IPv4/IPv6 Hybrid Networks Using ALG 483

Before You Start 485

Configuration Steps of Scenario 1 485

Configuration Steps of Scenario 2 487

Configuration Steps of Scenario 3 490

Realizing Dual-stack Host in IPv4 Network Accessing IPv6 Network Via ISATAP Tunnel 494

Configuration Steps 494

Allowing Communication Between IPv6 networks by Configuring a 6RD Tunnel 497

Configuration Tips 498

Configuration Steps of Scenario 1 498

Configure Headquarters Device (Device) 498

Configure Device A 501

Configuration Steps of Scenario 2 504

Configure Headquarters Device (Device) 504

Configure Device B 507

Result of Scenario 1 510

Result of Scenario 2 511

Change Log

Cookbook V1 513

Cookbook V2 513

Cookbook V3 513

Cookbook V4 514

Cookbook V5 514

Cookbook V6 514

Cookbook V7 515

Cookbook V8 515

Cookbook V8.1 515

Cookbook V9 515

Cookbook V10 516

Cookbook V11 516

Cookbook V12 517

StoneOS Cookbook

Overview

StoneOS Cookbook provides configuration examples for using Hillstone network security products. This book covers basic getting-started cases, firewall functions, and advanced user scenarios. All configuration uses the graphical user interface (GUI), also known as the web user interface (WebUI), not the command line interface.

Each recipe consists of two parts: scenario settings and configuration steps. Topology diagrams and screenshots are used to help you understand the key information of the case.

StoneOS Cookbook is very helpful in understanding operational logic, and improving efficiency.

StoneOS Cookbook organizes its recipes into the following chapters:

o "Getting Started" on Page 4 - Basic network connecting features.

o "Routing" on Page 74 - PIM.

o "Authentication" on Page 98 - User authentication.

o "VPN" on Page 146 - IPSec VPN and SSL VPN.

o "Quality of Service (QoS)" on Page 368 - Bandwidth control.

o "High Availability" on Page 346 - High availability.

o "Threat Prevention" on Page 389 - Threat prevention.

o "Data Security" on Page 451 - Data security.

o "IPv6" on Page 462 - Connecting IPv6 and IPv4 networks.

This book is updated as needed, not periodically.

The current version you are using is based on StoneOS 5.5R5.

Overview 1

How to Use Cookbook

Before you read the book, there are a few tips you need to know.

Target audience

The Cookbook is written with new users in mind. However, you are still expected to know how to use the WebUI, connect cables and log in to the system. Such information can be found in the Getting Started Guide.

StoneOS Versions

This cookbook you are reading now is based on StoneOS 5.5.

With system updates, the user interface is subject to change, and the WebUI layout may vary depending on the hardware platform. This cookbook may not match every detail of the WebUI, so check your own web pages for differences when you use this book.

Reading Sequence

When you open the book, it is better to read it in the sequence below:

1. Go to the Table of Contents and locate the feature you need;

2. Jump to that feature and read the scenario description and topology;

3. Go through the step key points (marked as "Step 1", "Step 2") to understand the configuration logic;

4. Read the text on the left and the screenshots on the right to get the details;

5. Configure your device accordingly, substituting your own IP addresses and names.

Text vs. Screenshots

The step details are explained by combining descriptive text and screenshots. The text on the left gives configuration details, highlights and notes; the screenshot on the right is the exact screen capture of this step.

Getting Started and Other Chapters

In this cookbook, the chapter "Getting Started" is the prerequisite for the other chapters. The other chapters assume that the protected network has already completed the basic networking settings described in the Getting Started chapter, so steps such as NAT, default routes and DNS are not repeated there. When you refer to user scenarios in chapters other than Getting Started, make sure that your protected network has already been set up accordingly.

Interface, Name, Topology

This book explains function configuration by writing scenarios (also called "cases" or "recipes"). Interface addresses, object names, and
topologies are the real laboratory settings. When you configure your own network, substitute the names and addresses with your real
names and addresses.

Clicking OK or Apply

Generally, when you finish filling in or editing an option, you must click the OK, Apply, or Confirm button to make the setting take effect. This operation is universal, so this book does not describe it separately unless something else is needed.

Getting Started

Recipes in the Getting Started chapter introduce basic networking configurations.

This chapter includes the following recipes:

o "Upgrading Firmware to Higher Version" on Page 5

o "Upgrading Firmware to Higher Version in HA mode" on Page 9

o "Using Security Policy to Allow Access to Another Zone" on Page 15

o "Allowing Private Network to Access Internet Using SNAT" on Page 26

o "Allowing Internet to Visit a Private Server Using DNAT" on Page 21

o "Deploying Tap Mode to Monitor Network Traffic" on Page 48

o "Configuring the Device to Communicate with Zabbix Using SNMP" on Page 31

o "Dynamically Manage Access Authority Via Radius Dynamic Authorization" on Page 38

o "DNS Proxy" on Page 57

o "Adding an SNAT Rule to StoneOS through NETCONF" on Page 63

o "Binding the Log Processing Process and Database Storage Process to Core MAX" on Page 68

o "DHCP ZTP" on Page 71

Upgrading Firmware to Higher Version


This example introduces how to use WebUI and CLI to upgrade firmware to a higher version.

As the egress of the company's network, the security device provides protection and services. Now the admin needs to upgrade the firmware to optimize system performance and obtain new functions.

Preparation

Before upgrading, we recommend you:

o Check the system software version via WebUI or CLI (show version) to find the suitable upgrade instructions.

o Read the release notes of the target version for platform-specific upgrade instructions.

o Get the upgrade file for your target version from Hillstone.

o Do not upgrade at peak times, because the device must be rebooted for the new version to take effect.

o Do not downgrade, because system configuration may be lost.

o Upgrade from the CLI if your device's storage is low, and remember to remove the former firmware version before you upgrade.

o Make sure you have backed up the configuration file before upgrading.

Contact us (Service Line: 1-800-889-9860) first when you are in the following situations:

o Check whether the license has expired. If it has, you can only upgrade to a version whose release date is before the license expiry date; if it has not, the upgrade can proceed. Contact us for the release date.

o Do not skip versions when upgrading. For example, to upgrade from version 4.0 to 5.0, Hillstone recommends upgrading to version 4.5 first and then to 5.0. Contact us for cross-version upgrades.

o Contact us for upgrade information if you are in an HA environment.
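A pre-flight check for the Preparation list above, as an added Python example that is not from the cookbook: it parses StoneOS version strings of the form used in these recipes (5.5R1P1, 5.5R1P3, 5.5R8) and reports the blockers the list names. The parsing rules, the treatment of a change in the major or minor number as a cross-version upgrade, and the input fields are assumptions; the release and license dates are the ones you obtain from Hillstone.

```python
"""Pre-flight checks for a StoneOS firmware upgrade, following the
Preparation list of the "Upgrading Firmware to Higher Version" recipe.

Added example, not part of the cookbook. The version string format
(5.5R1P1, 5.5R1P3, 5.5R8) is taken from the recipes; the parsing
rules, the input fields and the wording of the findings are assumptions.
"""
import re
from datetime import date
from typing import List, Optional, Tuple

# major.minor R release [P patch]; the patch part is optional (5.5R8).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:P(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '5.5R1P3' into (5, 5, 1, 3); a missing Pn counts as P0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised StoneOS version: {text!r}")
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def preflight(current: str, target: str, target_release: date,
              license_expiry: Optional[date], ha_mode: bool,
              config_backed_up: bool) -> List[str]:
    """Return the blockers found; an empty list means the upgrade may proceed.

    license_expiry is None when the license has no expiry to check.
    """
    cur, tgt = parse_version(current), parse_version(target)
    findings = []
    if tgt < cur:
        findings.append("downgrade: system configuration may be lost")
    if tgt == cur:
        findings.append("target equals current version; nothing to do")
    if tgt[:2] != cur[:2]:
        # Assumption: a change of major or minor number is a cross-version upgrade.
        findings.append("cross-version upgrade: contact Hillstone for the "
                        "intermediate version to upgrade to first")
    if license_expiry is not None and target_release > license_expiry:
        findings.append("license expired before the target release date: "
                        "only releases dated before expiry may be installed")
    if ha_mode:
        findings.append("HA environment: contact Hillstone for upgrade information")
    if not config_backed_up:
        findings.append("configuration file not backed up")
    return findings


if __name__ == "__main__":
    # Constructed dates for illustration only.
    print(preflight("5.5R1P1", "5.5R1P3", date(2016, 1, 1), None, False, True))
    print(preflight("4.0R1", "5.0R1", date(2016, 1, 1), date(2015, 6, 1), True, False))
```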

Method 1: Upgrading from WebUI

Step 1: Logging in via WebUI with the admin account and viewing current system information.

Select System > System Information. The current version is 5.5R1P1.

Step 2: Exporting configuration file as a backup.

Select System > Configuration File Management.

In the Configuration File List tab, select the Startup check box and click Export. The configuration file will be exported to your local PC.

Step 3: Uploading the upgrade file and rebooting the system. Before uploading, make sure your upgrade file is suitable for your platform.

Select System > Upgrade Management.

1. In the Upgrade Firmware tab, click the Browse button and choose the upgrade file "SG6000-M-3-5.5R1P3.bin" on your local PC.

2. Select the Reboot to make the new firmware take effect check box and click Apply. Do not select this check box at traffic-peak time; Hillstone suggests rebooting manually when convenient.

Step 4: Verifying the upgrade results.

Log in via WebUI again when the system has finished rebooting.

1. Select System > System Information.

2. In the firmware part, you can see that the current version is 5.5R1P3. The upgrade succeeded.

Method 2: Upgrading from CLI

Step 1: Logging in to the system via Telnet and viewing the current version.

This example uses PuTTY.

1. Open PuTTY, and enter the following:

Host Name: 192.168.1.1 (management IP of your device)
Connection Type: Telnet

2. Click Open.

Type the username and password of admin to log in.

Type show version and press Enter. The output shows that the current system version is 5.5R1P1.

Step 2: Upgrading your device. This example upgrades via the USB port. Copy your upgrade file to a USB disk and plug it into the USB port of the security device.

Type import image from usb0 SG6000-M-3-5.5R1P3.bin and press Enter.

1. Type reboot and press Enter.

2. The system prompts "System reboot, are you sure?". Type y to reboot.

3. Choose a configuration file. Type a after "Please choose one".

Step 3: Verifying the upgrade results.

Log in via Telnet again when the system has finished rebooting.

Type show version and press Enter. The output shows that the current system version is 5.5R1P3.

Upgrading Firmware to Higher Version in HA mode


This example introduces how to upgrade the firmware of the device in the HA Active-Passive mode.

The topology shows a typical HA user scenario. In the designed scenario, one of the HA devices (Device A) works in active mode, while the other (Device B) is in passive mode. The two devices use heartbeat cables to maintain communication between them. Device A and Device B need to be upgraded from StoneOS 5.5R8 to StoneOS 5.5R9.

Preparation

Before upgrading, prepare the following:

1. Obtain the system software version via WebUI or CLI (show version).

2. Obtain the upgrade file of the target version from Hillstone.

3. Obtain the current configurations of the two devices via WebUI or CLI (show configuration), and back up the current configurations.

4. Disable the preempt mode if it is enabled; you can re-enable it when the upgrade is completed. If track objects are bound to the HA group, remove the binding; you can restore it when the upgrade is completed.

Note: To control the traffic switchover, it is recommended to upgrade devices in HA mode through the CLI.

Upgrade Steps

Step 1: Upgrading the backup device (Device B).

1. Take the device B offline by removing the service cable from device B first and then removing the HA heartbeat cable from
device B.

2. Save the configuration of Device B.

Device B

In any configuration mode, use the following command:

save

3. Upgrade Device B to StoneOS 5.5R9.

For the detailed device upgrade steps, see "Upgrading Firmware to Higher Version" on Page 5.

4. After device B reboots successfully, check whether the version of device B and its HA configuration are correct and whether
the configuration is lost.

Device B

In any configuration mode, use the following command:

show configuration

5. View the priority values of Device A and Device B. Make sure the priority value of device A is less than that of device B. That
is to say, device A has a higher priority than device B.

Device A

In any configuration mode, use the following command:

show ha group config

Device B

In any configuration mode, use the following command:

show ha group config

Note: If the priority value of device A is larger than that of device B, modify the latter so that device A has a higher priority.

6. Reconnect the HA heartbeat cable and the service cable on device B.

Reconnect the HA heartbeat cable on device B. Wait for device B to complete HA negotiation with device A. In this case, device A
is the master device. Then, reconnect the service cable on device B.

Step 2: HA Synchronization and Master/Backup Device Switchover.

1. Synchronize the configuration of device A and device B manually.

Device A

In any configuration mode, use the following command:

exec ha sync all

2. Check whether the ARP table, session information, etc. are synchronized.

Device A

In any configuration mode, use the following command:

show arp

show session generic

show logging alarm

Note: After executing the show logging alarm command on master device A, the prompt "Admin batch synchronization of HA group 0 has completed." indicates that configuration synchronization is complete.

3. Switch the master and backup devices manually. In this case, device B becomes the master device.

In any configuration mode, use the following command:

exec ha master switch-over

Step 3: Upgrading Device A.

1. Take device A offline.

Take device A offline by removing the service cable from device A first and then removing the HA heartbeat cable from device A.

2. Save the configuration of Device A.

Device A

In any configuration mode, use the following command:

save

3. Upgrade Device A to StoneOS 5.5R9.

For the detailed device upgrade steps, see "Upgrading Firmware to Higher Version" on Page 5.

4. After device A reboots successfully, check whether the version of device A and its HA configuration are correct and whether
the configuration is lost.

Device A

In any configuration mode, use the following command:

show configuration

5. View the priority values of Device A and Device B. Make sure the priority value of device A is larger than that of device B.
That is to say, device A has a lower priority than device B.

Device A

In any configuration mode, use the following command:

show ha group config

Device B

In any configuration mode, use the following command:

show ha group config

6. Reconnect the HA heartbeat cable and the service cable on device A.

Reconnect the HA heartbeat cable on device A. Wait for device A to complete HA negotiation with device B. In this case, device B is the master device. Then, reconnect the service cable on device A.

Step 4: HA Synchronization

1. Synchronize the configuration of device A and device B manually.

Device B

In any configuration mode, use the following command:

exec ha sync all

2. Check whether the ARP table, session information, etc. are synchronized.

Device B

In any configuration mode, use the following command:

show arp

show session generic

show logging alarm

Note: After executing the show logging alarm command on master device A, the prompt "Admin batch synchronization of HA group 0 has completed." indicates that configuration synchronization is complete.

Step 5: Completing the Upgrading

1. (Optional) Switch device A back to the master device manually.

Device B

In any configuration mode, use the following command:

exec ha master switch-over

2. Complete the upgrading.

Using Security Policy to Allow Access to Another Zone


This example introduces how to use security policies to control communication between two zones.

The scenario sets up a requirement that private network users are not allowed to access the Internet during work time. As the topology describes, policies and schedules work together to allow internal users to access the server in another zone during work hours (9:00 to 17:00). Outside working time, the server cannot be accessed.

Configuration Steps

Step 1: Configuring Interface

1. Configuring the interface connected to the private network

Select Network > Interface, double click ethernet0/1.

o Binding Zone: Layer 3 Zone

o Zone: trust

o Type: Static IP

o IP Address: 192.168.1.1

o Netmask: 255.255.255.0

2. Configuring the interface connected to the server

Select Network > Interface, double click ethernet0/2.

o Binding Zone: Layer 3 Zone

o Zone: dmz

o Type: Static IP

o IP Address: 10.10.1.1

o Netmask: 255.255.255.0

Step 2: Configuring Schedule

Select Object > Schedule, and click New. In the prompt, click Add.

o Name: work hour

o Type: Daily

o Start Time: 09:00

o End Time: 17:00

Click OK to add it.

Step 3: Configuring Policies

1. Configuring a policy to allow internal users access to the server during work hours

Select Policy > Security Policy, and click Add.

o Name: work

o Source

  o Zone: trust

  o Address: Any

o Destination

  o Zone: dmz

  o Address: Any

o Other Information

  o Schedule: work hour

  o Action: Permit

2. Configuring a policy that denies internal users access to the server

Select Policy > Security Policy, and click Add.

o Name: rest

o Source

  o Zone: trust

  o Address: Any

o Destination

  o Zone: dmz

  o Address: Any

o Other Information

  o Schedule: work hour

  o Action: Deny

3. Adjusting the priority of policies

Select Policy > Security Policy, and select the "work" policy. Click Move, enter the "rest" policy's ID, then click Before ID.

Note: The priority of a policy is determined only by its position in the list.
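The Move / Before ID step matters because policies are matched top-down. The following Python model, an added example rather than part of the cookbook, evaluates the "work" and "rest" policies in both list orders; the zone names, policy names and the 09:00-17:00 schedule are the recipe's, while the rule fields and the default-deny fall-through are assumptions of the model.

```python
"""First-match evaluation of the "work" and "rest" security policies.

Added example, not part of the cookbook. Zone names, policy names and
the daily 09:00-17:00 "work hour" schedule come from the recipe; the
rule fields and the default-deny fall-through are assumptions here.
"""
from dataclasses import dataclass
from datetime import time
from typing import Optional


@dataclass(frozen=True)
class Schedule:
    """Daily schedule, active when start <= clock < end."""
    name: str
    start: time
    end: time

    def active(self, clock: time) -> bool:
        return self.start <= clock < self.end


@dataclass(frozen=True)
class Policy:
    name: str
    src_zone: str
    dst_zone: str
    action: str                          # "permit" or "deny"
    schedule: Optional[Schedule] = None  # None: always in effect

    def matches(self, src_zone: str, dst_zone: str, clock: time) -> bool:
        if (self.src_zone, self.dst_zone) != (src_zone, dst_zone):
            return False
        return self.schedule is None or self.schedule.active(clock)


WORK_HOUR = Schedule("work hour", time(9, 0), time(17, 0))

# The two policies exactly as the recipe defines them: both bound to
# "work hour", one permitting and one denying trust -> dmz.
WORK = Policy("work", "trust", "dmz", "permit", WORK_HOUR)
REST = Policy("rest", "trust", "dmz", "deny", WORK_HOUR)


def evaluate(policies, src_zone, dst_zone, clock):
    """Return (action, policy name) of the first policy that matches.

    Assumption: if no policy matches, the firewall's default action is
    deny; that case is reported with policy name None.
    """
    for pol in policies:
        if pol.matches(src_zone, dst_zone, clock):
            return pol.action, pol.name
    return "deny", None


def compare_orders():
    """Evaluate trust -> dmz at 10:00 and 20:00 for both list orders.

    "work_first" is the order after the Move / Before ID step;
    "rest_first" is what you get if that step is skipped.
    """
    orders = {"work_first": [WORK, REST], "rest_first": [REST, WORK]}
    return {
        label: {
            "10:00": evaluate(order, "trust", "dmz", time(10, 0)),
            "20:00": evaluate(order, "trust", "dmz", time(20, 0)),
        }
        for label, order in orders.items()
    }


if __name__ == "__main__":
    for label, result in compare_orders().items():
        print(label, result)
```

Because both policies are bound to the same "work hour" schedule, neither matches outside 09:00-17:00; in the model that case is decided by the assumed default action, not by the "rest" policy.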

Step 4: Configuring a default route

Select Network > Routing > Destination Route, and select New.

o Destination: 0.0.0.0

o Subnet Mask: 0

o Next Hop: Gateway

o Gateway: 10.10.1.1

Step 5: Results

After configuration, the internal PC can ping the server address successfully between 9:00 and 17:00.

When the internal PC pings the server outside work time, it fails.

Allowing Internet to Visit a Private Server Using DNAT


Destination network address translation (DNAT) is normally used to allow Internet users to visit an internal server by providing an Internet IP address for the internal server.

As shown in the topology, the FTP server hides its internal IP address behind a DNAT rule. The DNAT rule gives the server an Internet IP address for FTP users to connect to, so the server can be accessed from the Internet.

Configuration Steps

Step 1: Configuring interfaces

1. Configuring the interface connected to the server

Select Network > Interface, and double click ethernet0/2.

o Binding Zone: Layer 3 Zone

o Zone: dmz

o Type: Static IP

o IP Address: 10.10.1.1

o Netmask: 24

2. Configuring the interface connected to the Internet

Select Network > Interface, and click ethernet0/3.

o Binding Zone: Layer 3 Zone

o Zone: untrust

o Type: Static IP

o IP Address: 221.224.30.130

o Netmask: 20

Step 2: Configuring security policies

Configuring a policy allowing the Internet to visit the internal network

Select Policy > Security Policy, and click Add.

o Name: untrust_dmz

o Source Information

  o Zone: untrust

  o Address: Any

o Destination

  o Zone: dmz

  o Address: Any

o Other Information

  o Action: Permit

Step 3: Configuring DNAT rule

Select Policy > NAT > DNAT, and click New > Advanced Configuration.

o Requirement:

  o Destination Address: IP Address, 221.224.30.130 (Note: enter the public IP address here.)

o Translated to:

  o Translated to: "IP Address", "10.10.1.2" (Note: enter the server's internal IP address.)

(Optional) Under the Advanced tab, select the NAT log check box to enable NAT logging (for checking results).

Step 4: Configuring default route

Select Network > Routing > Destination Route, and click New.

o Destination: 0.0.0.0

o Subnet Mask: 0

o Next Hop: Gateway

o Gateway: 221.224.30.1

Step 5: Results

After configuration, use a PC on the Internet to ping the server's public address 221.224.30.130.

Step 6: Check if DNAT rule works

Make sure NAT logging is enabled in the monitor module (Select Monitor > Log > Log Monitor, under the NAT tab, select Enable.)

Go to Monitor > Log > NAT, and you will be able to see that the destination IP 221.224.30.130 has been translated to the internal IP 10.10.1.2.

Allowing Private Network to Access Internet Using SNAT


An SNAT rule is used to allow users in a private network to access the Internet. The SNAT rule translates the internal IP addresses to a public IP address, so that internal users can reach the public network via the public interface.

As shown in the topology, via SNAT, internal PCs use eth0/3 (221.224.30.130/20) to visit the Internet.

Configuration Steps

Step 1: Configuring Interface

1. Configuring the interface connected to the private network

Select Network > Interface, and double click ethernet0/1.

o Binding Zone: Layer 3 Zone

o Zone: trust

o Type: Static IP

o IP Address: 192.168.1.1

o Netmask: 24

2. Configuring the interface connected to the Internet

Select Network > Interface, and double click ethernet0/3.

o Binding Zone: Layer 3 Zone

o Zone: untrust

o Type: Static IP

o IP Address: 221.224.30.130

o Netmask: 20


Step 2: Configuring security policy

Configure a security policy to allow the private network to access the Internet.

Select Policy > Security Policy, and click Add.

o Name: trust_untrust

o Source Information

o Zone: trust

o Address: Any

o Destination

o Zone: untrust

o Address: Any

o Other Information

o Action: Permit

Step 3: Configuring Address book

Configure an address range for private network users.

Select Object > Address Entry, and click New.

o Name: snat_IP

o Member: add "192.168.1.0/24"


Step 4: Configuring SNAT rule

Select Policy > NAT > SNAT, and click New.

o Requirement:

o Source Address: Address Entry, snat_IP (Note: this is the private network range 192.168.1.0/24 defined in Step 3, not a server address.)

o Translated to:

o Specified IP: IP Address, 221.224.30.130 (Note: enter the public IP address here.)

o Mode: Dynamic Port (multi-port to one)

(Optional) Under the Advanced tab, select the NAT log check box to enable NAT logging (for checking results).

Step 5: Configuring default route

Select Network > Routing > Destination Route, and click New.

o Destination: 0.0.0.0

o Subnet Mask: 0

o Next Hop: Gateway

o Gateway: 221.224.30.1


Step 6: Results

After configuration, PCs in the private network can ping 221.224.30.131 successfully.

Step 7: Check if the SNAT rule works

Make sure NAT logging is enabled in the monitor module (select Monitor > Log > Log Monitor, and under the NAT tab, select Enable).

Go to Monitor > Log > NAT. You will be able to see that the source IP 192.168.1.2 has been translated to the public IP 221.224.30.130.


Configuring the Device to Communicate with Zabbix Using SNMP


This example introduces how to configure the device to communicate with Zabbix using SNMP. Zabbix can then monitor various network parameters of the device to keep track of its operating state.

The following shows the network environment. Zabbix manages the device over SNMPv2c.

StoneOS:

Step 1: Configuring SNMP Agent

Select System > SNMP > SNMP Agent.

o SNMP Agent: Click Enable

o Host Port: 161

o Virtual Router: trust-vr

o Local Engine ID: 111


Step 2: Configuring SNMP Host

Select System > SNMP > SNMP Host, and click New.

o Type: IP Address

o Hostname: 10.1.1.1

o SNMP Version: V2C

o Community: hillstone

o Permission: RO

Step 3: Configuring Trap Host

Select System > SNMP > Trap Host, and click New.

o Host: 10.1.1.1

o Trap Host Port: 162

o SNMP Agent: V2C

o Community: hillstone


Step 4: Enabling the SNMP Mode of the Interface

Select Network > Interface and double-click ethernet0/6.

o Zone: trust

o Management: Click SNMP

Zabbix:

Step 1: Configuring Host Group

Select Configuration > Host groups. Click Create host group.

o Group name: Hillstone_FW


Step 2: Configuring Templates

Select Configuration > Templates. Click Create template.

o Template name: Hillstone_SNMP

o Click the icon to add Hillstone_FW to the In groups list.

Step 3: Configuring Application

Select Configuration > Templates > Applications. Click Create application.

o Name: Hillstone_Interface


Step 4: Configuring Item

Select Configuration > Templates > Applications. Click Items of Hillstone_Interface and click Create item.

o Name: eth0/6 Egress interface rate

o Type: SNMPv2 agent

o SNMP OID: .1.3.6.1.4.1.28557.2.6.1.3.1.20.36

o SNMP community: hillstone

o Applications: Select Hillstone_Interface

Note: You need to append the index of the specified interface to the OID. To view the index of the interface, use the command show ip route interface.


Step 5: Configuring Host

Select Configuration > Hosts. Click Create host.

o Host name: E1100

o Click the icon to add Hillstone_FW to the In groups list.

o In the SNMP interfaces area, click Add and type the IP address of StoneOS, 192.168.1.1, and Port 161.

Step 6: Configuring Graph

Select Configuration > Hosts. Click E1100 > Graphs and click Create graph.

o Name: eth0/6 interface rate

o Click Add in the Items area. Select eth0/6 Egress interface rate.


Step 7: Results

After configuration, select Monitoring > Latest data to view the monitoring data.

o Host groups: Select Hillstone_FW

o Hosts: Select E1100

o Application: Select Hillstone_Interface

Click Graph to view the monitoring graph.


Dynamically Manage Access Authority Via Radius Dynamic Authorization


This example introduces how to dynamically manage access authority via RADIUS dynamic authorization.

Scenario

As shown in the topology, an enterprise can configure RADIUS server authentication and enable the authorization policy to dynamically manage the access authority of visitors. When a visitor logs in to the SSL VPN, the RADIUS server issues an authorization policy to the firewall allowing the visitor to access the network segment 10.160.64.0/21. After the visitor has logged in, the administrator can use CoA messages to modify the issued authorization policy, adding a new network segment 10.160.32.0/21 that the visitor is allowed to access. When the visitor logs out, the firewall automatically deletes the corresponding authorization policy.


Configuration Steps

Step 1: Configure the Interface to Link Radius Server.

Select Network > Interface, and double-click ethernet0/0.

o Binding zone: Layer 3 zone

o Zone: trust

o Type: Static IP

o IP Address: 10.87.1.8

o Netmask: 255.255.255.0

Step 2: Create New Aggregate Policy.

Select Policy > Security Policy > Policy, and click New > Aggregate Policy.

o Name: Visitor


Step 3: Configure Radius Server, and Enable Authorization Policy and Accounting.

1. Select Object > AAA Server, and click New > Radius Server.

o Name: Visitor

o Server Address: 10.87.1.9

o Virtual Router: trust-vr

o Port: 1812

o Secret: 12345678

2. Click the Enable button of Authorization, and select Visitor from the drop-down menu.

3. Click the Enable button of Accounting.

o Server Address: 10.87.1.9

o Virtual Router: trust-vr

o Port: 1813

o Password: 12345678


4. Create a new user account.

The user account must be created on the RADIUS server.

o Username: user1

o Password: 123456

o Authorized network segment: 10.160.64.0/21

Step 4: Enable Radius Dynamic Authorization.

Select Object > Radius Dynamic Authorization, and click the Enable button of Radius Dynamic Authorization.

o Port: 3799

o Server IP: 10.87.1.9

o Destination IP: 10.87.1.8

o Shared Key: 12345678


Step 5: Configure SSLVPN on StoneOS.

1. Configure SSLVPN address pool.

Select Network > SSL VPN, click Configuration > Address Pool, and click New.

o Address Pool: pool1

o Start IP: 20.1.1.2

o End IP: 20.1.1.200

o Netmask: 255.255.255.0

o DNS1: 10.160.64.60

o WINS1: 10.160.64.61

2. Create new zone.

Select Network>Zone, and click New.

o Zone: VPN

o Type: Layer 3 Zone

o Virtual Router: trust-vr


3. Create new tunnel interface.

Select Network > Interface, and click New > Tunnel Interface.

o Interface Name: tunnel 1

o Binding Zone: Layer 3 Zone

o Zone: VPN

o Type: Static IP

o IP Address: 20.1.1.1

o Netmask: 24


4. Configure SSLVPN.

Select Network>SSL VPN, and click New.

In the Name/Access User tab, configure as below.

o SSL VPN Name: Visitor

o AAA Server: Visitor

In the Interface tab, configure as below.

o Egress Interface 1: ethernet0/5

o Service Port: 443

o Tunnel Interface: tunnel1

o Address Pool: pool1

In the Tunnel Route tab, configure as below.

o IP: 10.160.64.0

o Netmask: 255.255.248.0


Step 6: Results.

1. User1 logs in to the SSL VPN with the following settings and can access 10.160.64.52.

o Server: 10.160.64.51

o Port: 4433

o Username: user1

o Password: 123456

2. Corresponding policy is created on Firewall.


Step 7: Use CoA message to modify the access authority of the authorized user.

1. Use a CoA message sent from the CLI to modify the network segments that the authorized user may access (if the RADIUS server in use is customized, the operation can be done directly on the RADIUS server instead of from the CLI).

o Create a new text file named coa-auth.txt with the following content:

User-Name=user1
Framed-IP-Address=20.1.1.3
NAS-IP-Address=10.87.1.8
Acct-Session-Id="1"
Hillstone-User-Data-Filter="rule 1 permit dst 10.160.64.0/21"
Hillstone-User-Data-Filter="rule 2 permit dst 10.160.32.0/21"
Calling-Station-Id="00-1c-54-ff-08-05"

o Use the CLI command below to send the CoA request (take FreeRADIUS for example; port 3799 and the shared key 12345678 are the values configured in Step 4):

root@hillstone-HVM-domU:/etc/freeradius# radclient 10.87.1.8:3799 coa 12345678 -f coa-auth.txt -x

2. Policies are updated on Firewall.
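The radclient command above sends a RADIUS CoA-Request (RFC 5176) to the firewall's dynamic authorization port 3799, and the firewall should act on it only if the Request Authenticator computed over the packet with the shared key matches. The following Python script is an added example, not part of the cookbook, FreeRADIUS or StoneOS. It builds the same request as the coa-auth.txt file, verifies it on the receiving side the way a dynamic authorization server must, answers with a CoA-ACK, and rejects a tampered copy and a copy checked with the wrong key. The vendor ID 28557 is the enterprise number that appears in the SNMP OID earlier in this cookbook; the vendor-type number used for Hillstone-User-Data-Filter, the packet identifier and the function names are assumptions of the example, not values from Hillstone's RADIUS dictionary.

```python
"""Added example, not from the Hillstone cookbook: build, verify and answer a
RADIUS CoA-Request (RFC 5176) like the one radclient sends in Step 7."""
import hashlib
import hmac
import socket
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 4, 8
VENDOR_SPECIFIC, CALLING_STATION_ID, ACCT_SESSION_ID = 26, 31, 44
HILLSTONE_VENDOR_ID = 28557      # enterprise number seen in the SNMP OID in this cookbook
HILLSTONE_USER_DATA_FILTER = 1   # ASSUMED vendor-type; take the real one from Hillstone's dictionary


def avp(attr_type, value):
    """Attribute = type(1) length(1) value; the length counts the two header bytes."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26): vendor-id(4), then vendor-type(1) vendor-length(1) value."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return avp(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def _authenticator(code, ident, length, middle, attrs, secret):
    """MD5 over Code | Identifier | Length | 16 bytes | Attributes | Secret (RFC 5176 2.3)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + middle + attrs + secret).digest()


def build_coa_request(secret, ident, attrs):
    attr_bytes = b"".join(attrs)
    length = 20 + len(attr_bytes)
    auth = _authenticator(COA_REQUEST, ident, length, bytes(16), attr_bytes, secret)
    return struct.pack("!BBH", COA_REQUEST, ident, length) + auth + attr_bytes


def verify_request(packet, secret):
    """Firewall side: refuse anything whose authenticator was not made with our key."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet) or length < 20:
        return False
    expected = _authenticator(code, ident, length, bytes(16), packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


def build_response(request, code, secret, attrs=b""):
    """CoA-ACK/NAK: same Identifier, authenticator chained to the request authenticator."""
    length = 20 + len(attrs)
    auth = _authenticator(code, request[1], length, request[4:20], attrs, secret)
    return struct.pack("!BBH", code, request[1], length) + auth + attrs


def verify_response(request, response, secret):
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    expected = _authenticator(code, ident, length, request[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


def parse_attrs(packet):
    """Return (type, value) tuples; VSAs come back as (26, vendor_id, vendor_type, value)."""
    out, pos = [], 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + length]
        if attr_type == VENDOR_SPECIFIC:
            vendor_id = struct.unpack("!I", value[:4])[0]
            out.append((attr_type, vendor_id, value[4], value[6:4 + value[5]]))
        else:
            out.append((attr_type, value))
        pos += length
    return out


def coa_exchange(secret=b"12345678", ident=0x2A):
    """Client builds the Step 7 request; the firewall verifies it, then ACKs."""
    attrs = [
        avp(USER_NAME, b"user1"),
        avp(FRAMED_IP_ADDRESS, socket.inet_aton("20.1.1.3")),
        avp(NAS_IP_ADDRESS, socket.inet_aton("10.87.1.8")),
        avp(ACCT_SESSION_ID, b"1"),
        vsa(HILLSTONE_VENDOR_ID, HILLSTONE_USER_DATA_FILTER, b"rule 1 permit dst 10.160.64.0/21"),
        vsa(HILLSTONE_VENDOR_ID, HILLSTONE_USER_DATA_FILTER, b"rule 2 permit dst 10.160.32.0/21"),
        avp(CALLING_STATION_ID, b"00-1c-54-ff-08-05"),
    ]
    request = build_coa_request(secret, ident, attrs)
    tampered = request[:25] + bytes([request[25] ^ 0xFF]) + request[26:]  # flips a byte of User-Name
    parsed = parse_attrs(request)
    ack = build_response(request, COA_ACK, secret)
    return {
        "request_valid": verify_request(request, secret),
        "wrong_secret_rejected": not verify_request(request, b"wrong-key"),
        "tampered_rejected": not verify_request(tampered, secret),
        "user": next(a[1].decode() for a in parsed if a[0] == USER_NAME),
        "filters": [a[3].decode() for a in parsed if a[0] == VENDOR_SPECIFIC and a[1] == HILLSTONE_VENDOR_ID],
        "ack_valid": verify_response(request, ack, secret),
    }
```

The authenticator is a keyed MD5, not an HMAC, so the whole protection rests on the shared key and on the Server IP restriction configured in Step 4: a demo value such as 12345678 is guessable offline from a single captured request, and a host that can spoof 10.87.1.9 and knows the key can rewrite any visitor's policy.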


Step 8: User1 logs out of SSLVPN.

User1 logs out of the SSL VPN, and the corresponding policies are deleted from the firewall.


Deploying Tap Mode to Monitor Network Traffic


Inline mode places a device directly in the network path, while in tap mode the device only connects to a mirrored interface of the core network. A tap device monitors or sniffs the packets mirrored from the core network gateway. Tap products tend to be resilient and transparent so as to minimize or eliminate the effect they can have on production traffic. If you just want a sensor to monitor, analyze and log network traffic, and not to forward data, tap mode is the best choice.

In this example, a Hillstone device (a T-Series Intelligent Next Generation Firewall is recommended) acts as a network tap. Its tap interface eth0/1 connects directly to the mirror interface of the inline network gateway. The Hillstone T-Series uses its threat detection features to analyze the mirrored packets in search of network threats.

We present 4 threat detecting functions in this example. All the functions require respective licenses installed before they take effect.

o Intrusion Prevention System (IPS): Requires Threat Prevention (TP) or IPS license installed.

o Application Identification: Requires APP DB license installed. This license is issued with platform license for free. No need to pur-
chase APP DB license individually.

o Advanced Threat Detection (ATD): Requires StoneShield license installed.

o Abnormal Behavior Detection (ABD): Requires StoneShield license installed.

Preparation

As shown in the topology above, you need to use an RJ-45 cable to connect the mirror port eth0/4 and the tap interface eth0/1.

Configure port mirroring on gateway of core network. We take Hillstone gateway as example.


Configuring port mirroring

1. Select Network > Interface, and double-click ethernet0/3.

2. In the pop-up, click the Properties tab, and under the Mirror part, select the check box to enable traffic mirroring.

3. Return to the interface list, and make sure that the mirror port ethernet0/4 is not bound to any zone.

4. Select Network > Port Mirroring, select ethernet0/4 from the drop-down menu, and click OK.

Configuring Tap Mode and Threat Detection

Configure all the following settings on tap device.

Step 1: Creating a TAP zone

1. Select Network > Zone, click New.

2. In the Zone Configuration dialog, configure the following:
Zone: tap-eth1
Type: TAP
Virtual Router: trust-vr
Binding Interface: ethernet0/1


3. Return to Network > Interface. In the interface list, check that eth0/1 is in the "tap-eth1" zone.

Step 2: Creating a Policy

Create a "permit" policy on the tap device so that it can establish sessions within itself.

1. Select Policy > Security Policy, click New.

2. In the Policy Configuration dialog, make a "permit" rule from and to the same tap zone.

Step 3: Enabling IPS and viewing IPS attacks

Enabling IPS:

1. Select Network > Zone, double-click tap-eth1.

2. Under the Threat Prevention tab, select the Enable check box on the right of Intrusion Prevention System.
Profile: predef_default
Defense Direction: bidirectional


Checking detection results:

1. Select iCenter > Threat.

2. In the list, items marked as "Intrusion Prevention System" under the Detected by column are IPS attacks detected by the tap device.

Viewing IPS logs:

1. Select Monitor > Log > Threat, click Filter on the top right corner.

o Detected by: Intrusion Prevention System

2. Click Query, and the page will show IPS logs.


Step 4: Enabling Application Identification and viewing APP usage statistics

Enabling APP Identification:

1. Select Network > Zone, double-click the tap-eth1 zone.

2. Under the Basic tab, select the Enable check box after Application Identification.

Viewing App monitor results:

Select Monitor > Application.

o Summary: Application usage statistics by user, traffic, new session or concurrent session.

o Application Details: Details of every application.


o Group Details: Application group usage details.

Step 5: Enabling Advanced Threat Detection (ATD) and viewing ATD attacks

Enabling ATD:

1. Select Network > Zone, double-click the tap-eth1 zone.

2. Under the Threat Prevention tab, select the Enable check box after Advanced Threat Detection.

Viewing ATD monitor result:

1. Select Monitor > Threat > Summary, and hover your cursor over the Malware bar to show a balloon of malware attacks.


2. Click Details after Trojan in the balloon, and you can see the details of this attack.

Viewing ATD logs

1. Select Monitor > Log > Threat, and click Filter on the top right corner.

o Detected by: Advanced Threat Detection

2. Click Query, the page will show ATD logs.

To know more about ATD, you may refer to another case in this cookbook Finding Malware Attacks via Advanced Threat Detec-
tion.


Step 6: Enabling Abnormal Behavior Detection and viewing abnormal behaviors

Enabling ABD:

1. Select Network > Zone, double-click the tap-eth1 zone.

2. Under the Threat Prevention tab, select the Enable check box after Abnormal Behavior Detection.

Viewing monitor results:

1. Select Monitor > Threat > Summary.

2. Hover your cursor over the Scan or DoS bar, and a balloon will show up to indicate the number of Scan and DoS attacks.

Viewing ABD logs

1. Select Monitor > Log > Threat, and click Filter on the top right corner.

o Detected by: Abnormal Behavior Detection


2. Click Query, ABD logs will show.

To know more about ABD, you may refer to another case in cookbook "Protecting Internal Servers and Host to Defend Attack
via Abnormal Behavior Detection" on Page 390.


DNS Proxy
This example shows how to configure the DNS proxy function. By configuring flexible DNS proxy rules, users from different segments are assigned to different DNS servers for domain name resolution.

Scenario

A secondary ISP rents bandwidth from Telecom, Netcom and other ISPs and resells it to different users for Internet access. The Telecom and Netcom ISPs have their own DNS servers, so the secondary ISP wants to direct users of different network segments to the DNS servers of the corresponding ISP for domain name resolution through a DNS proxy device.

This example simulates the egress scenario of the above secondary ISP through the following configuration. eth0/1 (IP: 101.0.0.1) of the device connects to the Telecom line for Internet access, and eth0/2 (IP: 201.1.1.1) connects to the Netcom line. On the public network, the DNS server of Telecom is DNS1: 102.1.1.1, and that of Netcom is DNS2: 202.1.1.1. eth0/3 and eth0/4 connect to the intranet user groups. The administrator has the following requirements:

1. DNS requests from user group 1 (network segment 192.168.10.1/28) are uniformly proxied to DNS1 for domain name resolution;

2. DNS requests from user group 2 (network segment 172.168.10.1/24) are uniformly proxied to DNS2 for domain name resolution;

3. DNS requests from the intranet server (172.168.10.88) are not restricted and are bypassed directly.


Preparation

The basic interface and route configuration have been completed, and users can access the Internet normally.


Configuration Steps

Step 1: Configure a DNS proxy rule to proxy DNS requests of user group 1 to DNS1 for domain name resolution.

Log in to the WebUI, select Network > DNS > DNS Proxy, and click New.

o Ingress Interface: ethernet0/3

o Source Address: Configure a new address book entry 192.168.10.1/28

o Destination Address: Any

o Domain: any

o Action: Proxy

o DNS Proxy Failed: Block

o DNS Server:

o IP Address: 102.1.1.1

o Virtual Router: trust-vr

o Egress Interface: ethernet0/1


Step 2: Configure another DNS proxy rule to uniformly proxy DNS requests of user group 2 to DNS2 for domain name resolution.

Continue to configure another rule. Select Network > DNS > DNS Proxy, and click New.

o Ingress Interface: ethernet0/4

o Source Address: Configure a new address book entry 172.168.10.1/24

o Destination Address: Any

o Domain: any

o Action: Proxy

o DNS Proxy Failed: Block

o DNS Server:

o IP Address: 202.1.1.1

o Virtual Router: trust-vr

o Egress Interface: ethernet0/2


Step 3: Configure one more DNS proxy rule to release DNS requests from the Intranet server (172.168.10.88) directly.

Continue to configure one more rule. Select Network > DNS > DNS Proxy, and click New.

o Ingress Interface: ethernet0/4

o Source Address: Configure a new address book entry 172.168.10.88/32

o Destination Address: Any

o Domain: any

o Action: Bypass

(Optional) Instead of creating a new address rule, the following method can also be used to bypass DNS requests from the intranet server. Select Object > Address Book, select the "172.168.10.1/24" item, and click Edit to add the IP address of the intranet server to the Exclude Member.

o Exclude Member: 172.168.10.88

Step 4: Adjust the priority of DNS proxy rules.

After the above steps, you will have three DNS proxy rules. Because DNS proxy rules are matched from top to bottom, the rule that bypasses the intranet server must be placed above the other two. When configuring, select the corresponding rule item and click Priority to adjust it.


Step 5:Results

After configuration, capture packets on the eth0/1 and eth0/2 interfaces. The results are as follows:

o The users of the 192.168.10.1/28 network segment in user group 1 can still access the Internet normally, and their DNS requests are sent by the device to the DNS1 server of Telecom for domain name resolution.

o The users of the 172.168.10.1/24 network segment in user group 2 can still access the Internet normally, and their DNS requests are sent to the DNS2 server of Netcom for domain name resolution.

o The DNS requests of the internal server 172.168.10.88 are not proxied by the device, but are resolved by the DNS server configured on the server itself.

Q&A

o Q: What is the order and manner of matching multiple DNS proxy rules?
A: The device queries the DNS proxy rules in order from top to bottom. Within each rule, the match succeeds only if all matching conditions are met.

o Q: When multiple DNS servers are configured in a DNS proxy rule, what is the priority of the preferred and bound egress interface properties?
A: When you configure multiple DNS servers, the DNS server with the preferred property is selected for domain name resolution. If no preferred server is specified, the system then checks whether any DNS server has a specified egress interface.

o Q: Can DNS proxy work for specific domain names?
A: Yes. When creating a new rule, you can configure a specific domain name in the "Domain Name" option, and then configure the proxy action and the corresponding DNS server.
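The matching order from the first Q&A answer (top to bottom, first rule whose conditions all match) is what makes Step 4 necessary: 172.168.10.88 lies inside 172.168.10.1/24, so with the bypass rule below the group 2 rule the server's queries would be proxied to DNS2. The following Python script is an added example, not part of the cookbook or of StoneOS. It models the three rules with that semantics and shows both remedies from Steps 3 and 4, reordering and the Exclude Member alternative, plus the domain-specific rule from the last Q&A answer. The rule names and the handling of a query that matches no rule (treated as not proxied) are assumptions of the example.

```python
"""Added example, not from the Hillstone cookbook: a model of DNS proxy rule
matching (top to bottom, first rule whose conditions all match) for the three
rules in Steps 1 to 4."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DnsProxyRule:
    name: str
    ingress: str
    source: str                      # address book entry, CIDR
    action: str                      # "Proxy" or "Bypass"
    dns_server: Optional[str] = None
    egress: Optional[str] = None
    domain: str = "any"              # "any" or a domain suffix
    exclude: List[str] = field(default_factory=list)   # Exclude Member entries

    def matches(self, ingress, src_ip, qname):
        """All conditions must hold for the rule to match."""
        ip = ipaddress.ip_address(src_ip)
        if ingress != self.ingress:
            return False
        if ip not in ipaddress.ip_network(self.source, strict=False):
            return False
        if any(ip in ipaddress.ip_network(x, strict=False) for x in self.exclude):
            return False
        if self.domain != "any":
            qn, d = qname.lower().rstrip("."), self.domain.lower().rstrip(".")
            if qn != d and not qn.endswith("." + d):
                return False
        return True


def lookup(rules, ingress, src_ip, qname="www.example.com"):
    """First matching rule wins; None means no rule applied (assumed: not proxied)."""
    for rule in rules:
        if rule.matches(ingress, src_ip, qname):
            return rule
    return None


def decision(rules, ingress, src_ip, qname="www.example.com"):
    """Summarise what happens to the query as (action, dns_server, egress)."""
    rule = lookup(rules, ingress, src_ip, qname)
    if rule is None or rule.action == "Bypass":
        return ("Bypass", None, None)
    return ("Proxy", rule.dns_server, rule.egress)


GROUP1 = DnsProxyRule("group1_to_dns1", "ethernet0/3", "192.168.10.1/28", "Proxy", "102.1.1.1", "ethernet0/1")
GROUP2 = DnsProxyRule("group2_to_dns2", "ethernet0/4", "172.168.10.1/24", "Proxy", "202.1.1.1", "ethernet0/2")
SERVER = DnsProxyRule("server_bypass", "ethernet0/4", "172.168.10.88/32", "Bypass")

AS_CREATED = [GROUP1, GROUP2, SERVER]      # order after Steps 1 to 3: the server is caught by GROUP2
AFTER_STEP4 = [SERVER, GROUP1, GROUP2]     # Step 4: bypass rule moved to the top
WITH_EXCLUDE = [GROUP1, DnsProxyRule("group2_to_dns2", "ethernet0/4", "172.168.10.1/24", "Proxy",
                                     "202.1.1.1", "ethernet0/2", exclude=["172.168.10.88"])]

if __name__ == "__main__":
    for label, rules in (("as created", AS_CREATED), ("after step 4", AFTER_STEP4), ("exclude member", WITH_EXCLUDE)):
        print(label, "server 172.168.10.88 ->", decision(rules, "ethernet0/4", "172.168.10.88"))
```

The first line printed shows the misconfiguration (the server's queries go to 202.1.1.1 via ethernet0/2); the other two show that either reordering or the Exclude Member entry leaves the server unproxied while user group 2 is still sent to DNS2.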


Adding an SNAT Rule to StoneOS through NETCONF


Network Configuration Protocol (NETCONF) provides a mechanism for managing network devices. You can add, modify, and delete
configurations of network devices, and obtain configuration and status information of network devices. This example shows how to
add an SNAT rule to the device through the NETCONF client.

The topology is shown as below. Device A connects to the NETCONF client. It is required to add an SNAT rule to device A using
NETCONF.

Preparation

Before configuring the NETCONF function, prepare the following first:

1. The NETCONF client software has been correctly installed on the client PC, and the client environment has been configured.
This case takes the client software netopeer2-cli as an example.

2. Device A is connected to the NETCONF client, and messages can be sent between them.

Configuration Steps

Device A

Step 1: Configuring the management method of the interface as NETCONF.

hostname(config)# interface ethernet0/0

hostname(config-if-eth0/0)# manage netconf

hostname(config-if-eth0/0)# exit

hostname(config)#


Step 2: Configuring the access of the administrator as NETCONF (Take the administrator hillstone as an example).

hostname(config)# admin user hillstone

hostname(config-admin)# access netconf

hostname(config-admin)# exit

hostname(config)#

Step 3: Configuring the login type of the trusted host as NETCONF.

hostname(config)# admin host any netconf

hostname(config)#

Step 4: Enabling the NETCONF agent and the NETCONF candidate functions.

hostname(config)# netconf-manager enable

hostname(config)# netconf-manager candidate

hostname(config)#

NETCONF Client

Step 1: Connecting to the Device.


Running the client software netopeer2-cli in Linux and connecting to the device:

[root@linux1~]# netopeer2-cli

> connect --ssh --host 192.168.1.1 --port 830 --login hillstone

[email protected] password:

cmd_connect: Already connected to 192.168.1.1.

In the above command:

o --host: specifies the IP address of the device.

o --login: specifies the login user name which must be the same as the device administrator name.

After the above command is executed, a prompt for the password appears. Enter the password of the administrator hillstone and press Enter.

Step 2: Getting the Yang model of the device.

> get-schema --model configuration

Executing the above command to get the Yang model of the device.

Step 3: Editing the XML file which will be used to add an SNAT rule to the device.


Edit the XML file according to the Yang model obtained in step 2 and save it as snat.xml. The contents of the XML file are as follows:

<vr xmlns="https://hillstone.com/yang/SG6000-K-2-5.5R9-v6-r1208/hc">

<!--The namespace "https://hillstone.com/yang/SG6000-K-2-5.5R9-v6-r1208/hc" in the XML file must be consistent with the namespace of the device Yang model-->

<vrouter>

<vr_name>trust-vr</vr_name>

<snat_rule>

<rule_id>1</rule_id>

<group_id>0</group_id>

<from>192.168.2.2</from>

<from_is_ip>1</from_is_ip>

<to>Any</to>

<to_is_ip>0</to_is_ip>

<service>Any</service>

<trans_to>192.168.1.10</trans_to>

<trans_to_is_ip>1</trans_to_is_ip>

<flag>1</flag>

<log>0</log>

<enable>0</enable>

<trans_type>1</trans_type>

</snat_rule>

</vrouter>

</vr>


Step 4: Adding the SNAT rule to the device.

> edit-config --target running --config=snat.xml

In the above command:

o --target: "running" means that the delivered configuration immediately changes the running configuration of the device, which affects current business. If you select the parameter "candidate", the delivered configuration stays in the candidate configuration datastore and has no impact on current business. To replace the running configuration of the device with the candidate configuration, first execute the "validate --source candidate" command to check whether the candidate configuration is valid, and then execute the "commit" command.

o --config: specifies the path and file name of the xml file. If you do not specify this parameter, the sys-
tem automatically opens an empty XML file after the command is executed, and you can edit the con-
tent in this empty document.

Viewing the results

After configuring the above steps, you can see that the SNAT rule has been added to the device using the show command.

hostname(config)# show configuration vrouter trust-vr

ip vrouter "trust-vr"

snatrule id 1 from ip 192.168.2.2 to address-book "Any" service "Any" trans-to ip 192.168.1.10 mode static disable

exit

hostname(config)#


Binding the Log Processing Process and Database Storage Process to Core MAX
This example introduces how to bind the log processing process and database storage process to Core MAX. Core MAX is the CPU core with the largest number. For example, if the system has 12 CPU cores in total, numbered Core0 to Core11, Core11 is the Core MAX. The example includes the following two scenarios:

o Scenario 1: A Hillstone security device is deployed on an enterprise network. Operation and maintenance personnel periodically
check the session logs and NAT logs stored in the database. The system's log processing process (LOGD) and database storage pro-
cess (MYSQLD) work on Core0 of the CPU. When session logs and NAT logs are exported to the local disk, Core0 can be over-
loaded with a large amount of high speed log data storage operations, potentially affecting the normal operation of other functional
modules.

o Scenario 2: A Hillstone security device is deployed on an enterprise network. Operation and maintenance personnel need to periodically check traffic and session monitoring statistics. The device supports storing statistics on device traffic and sessions over the last 180 days on the device disk. The system's database storage process (MYSQLD) works on Core0 of the CPU. Core0 can be overloaded with a large amount of high speed traffic and session data storage operations, potentially affecting the normal operation of other functional modules.

Based on the above scenarios, if the performance consumption of Core0 is too high or you need to increase the speed at which logs are
sent to the log processing process, you can move log processing process and database storage process from Core0 to Core MAX, and
then configure the speed at which logs are sent to the log processing process.

Configuration Roadmap

1. Use the command flow-core-num number to specify the number of CPU cores occupied by the system data. number is
recommended to be max_core_number-1. max_core_number is the number of total CPU cores of the system.

2. Bind the log processing process and database storage process to Core MAX.

3. Restart the device to make the configurations in Step 1 and Step 2 take effect.

4. For scenario 1, you can increase the speed at which logs are sent to the log processing process.

Before binding the log processing process and database storage process to Core MAX, prepare the following first:


o Scenario 1: The session logs and NAT logs have been stored in the device disk with the command.

o Scenario 2: The device has enabled the Long-term Monitor function for traffic and sessions.

o The function of binding the log processing process and database storage process to Core MAX is only supported by SG-6000-
A2700 and later models. SG-6000-A3000 with a hard disk is used as an example to describe the configuration.

Configuration Steps

Step 1: Specifying the number of CPU cores occupied by the system data.

hostname(config)# flow-core-num 3

hostname(config)# exit

Step 2: Binding the log processing process and database storage process to Core MAX, and restarting the device for the above configuration to take effect.

hostname(config)# cp-multi-cores logd

hostname(config)# exit

hostname# reboot

System reboot, are you sure? [y]/n: y

Step 3: For scenario 1, adjusting the speed at which logs are sent to log processing process. The default sending speed of SG-6000-
A3000 is 2000 logs per second.

hostname(config)# logging speed-limit to local 3000

hostname(config)# show logging speed-limit

Log speed limit:3000


Viewing the results

After configuring the above steps, you can see with the command show cpu detail that the CPU utilization of Core0 decreases and that of Core MAX increases.

hostname(config)# show cpu detail


DHCP ZTP
This example introduces the DHCP zero touch provisioning (ZTP) process. As the DHCP client, the Hillstone security device auto-
matically obtains a specified configuration file via DHCP and uses it as the startup configuration of the device, achieving ZTP of the
device, thus enhancing deployment efficiency.

Networking Scenario

An enterprise purchases a batch of Hillstone A-series security devices and needs to deploy them in various regions. However, the O&M
personnel cannot go to each location personally to make the new device come online. Therefore, they require devices that support ZTP.
In addition, due to security protection requirements, the use of USB ports to achieve USB ZTP is not allowed. In this case, the plan is to
use the Hillstone security device as the DHCP client to achieve DHCP ZTP.

The networking diagram is shown as follows.

Preparations

Before you configure the DHCP service for ZTP setup, prepare the following first:


o The DHCP client, DHCP server, TFTP server have been networked based on the actual scenario.

o The DHCP server has been configured with the address of the TFTP server where the XML file is located and with the path to the
XML file, corresponding to the Option 66 and Option 67 fields in the DHCP message respectively.

o DHCP ZTP is supported only by A-series devices and certain K-series devices from the factory or with empty configuration (only
system default configuration, no custom configuration). The ethernet0/3 interface of the device automatically obtains an address
via the DHCP protocol by factory default. Please use the ethernet0/3 interface for DHCP ZTP.

o The servers where the XML file and the configuration file are located need to be TFTP servers, and they can be the same TFTP
server.

o The configuration file on the TFTP server needs to be named after the device SN number with a .cfg suffix.

Procedure

Step 1: The StoneOS system determines whether the device is from the factory or is with empty configuration.

After a device from the factory or with empty configuration is powered on and started, it automatically enters the DHCP ZTP procedure.

Step 2: Obtain DHCP information.

The device sends a request message to the DHCP server, and the DHCP server returns a response message to the device. The device
obtains the DHCP client address, default gateway and other information by parsing the response message.

Step 3: Parse the response message and download the XML file.

The device parses the response message from the DHCP server to obtain the address of the TFTP server where the XML file is located
and the path to download the XML file, and then downloads the XML file from the corresponding TFTP server.

Step 4: Parse the XML file and download the configuration file.

The device parses the downloaded XML file, obtains the address of the TFTP server where the configuration file is located and the path
to download the configuration file, and then downloads the configuration file named with the device SN number, such as
"5931844225000750.cfg", from the corresponding TFTP server.

Step 5: Restart the device automatically.


After the configuration file is downloaded, the system uses it as the startup configuration file. The device restarts automatically and loads the configuration file; initialization is complete once the restart finishes. If you can log in to the device successfully, the initialization is successful.

[Optional] Step 6: Compare whether the configuration files in the device and on the TFTP server are consistent.

Because incorrectly formatted configurations are skipped during configuration file loading, initialization may succeed while some services fail to start. Run the save command to save the current running configuration to the startup configuration file, then export the startup file from the device and compare it with the configuration file on the TFTP server to verify consistency. Any inconsistencies can be corrected manually on the device by adding or modifying configurations, which also serves subsequent initialization tasks on new devices.
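The following is an added example, not StoneOS code or anything from Hillstone, that models the ZTP steps above in Python: reading Option 66/67 from the DHCP reply (Steps 2 and 3), locating the SN-named configuration file from the XML file (Step 4), and the comparison of Step 6. The DHCP option bytes, the XML layout (the page does not show the real schema, so the element names are hypothetical), the addresses and the two configuration files are all constructed for the example.

```python
"""Added example (not StoneOS code): a model of the DHCP ZTP steps above.
Steps 2/3: read Option 66/67 from the DHCP reply; Step 4: read the XML file
and build the SN-named configuration file path; Step 6: find lines of the
TFTP configuration file that did not make it into the device's saved config."""
import xml.etree.ElementTree as ET

OPT_TFTP_SERVER = 66   # DHCP Option 66: TFTP server name
OPT_BOOTFILE = 67      # DHCP Option 67: bootfile name (path of the XML file)
OPT_PAD, OPT_END = 0, 255


def parse_dhcp_options(options: bytes) -> dict:
    """Parse the TLV option area of a DHCP reply (the bytes after the magic
    cookie). Options 66/67 are decoded as text; a truncated option raises."""
    result, i = {}, 0
    while i < len(options):
        code = options[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        if code in (OPT_TFTP_SERVER, OPT_BOOTFILE):
            value = value.decode("ascii")
        result[code] = value
        i += 2 + length
    return result


def _opt(code: int, text: str) -> bytes:
    data = text.encode("ascii")
    return bytes([code, len(data)]) + data


# Constructed option area of a DHCP ACK; the addresses and file names are made up.
SAMPLE_OPTIONS = (bytes([53, 1, 5])                       # message type: ACK
                  + _opt(OPT_TFTP_SERVER, "10.180.1.20")
                  + _opt(OPT_BOOTFILE, "ztp/bootstrap.xml")
                  + bytes([OPT_END]))

# Hypothetical layout of the XML file; the page does not show the real schema.
SAMPLE_XML = """<ztp>
  <config-server>10.180.1.21</config-server>
  <config-path>configs/</config-path>
</ztp>"""


def config_file_location(xml_text: str, serial: str) -> tuple:
    """Return (tftp_server, remote_path) of the configuration file named after
    the device SN, as Step 4 describes."""
    if not serial.isalnum():
        raise ValueError("serial number must be alphanumeric")
    root = ET.fromstring(xml_text)
    server = root.findtext("config-server")
    path = root.findtext("config-path") or ""
    if not server:
        raise ValueError("XML file names no configuration server")
    if path and not path.endswith("/"):
        path += "/"
    return server, path + serial + ".cfg"


def missing_on_device(running_cfg: str, server_cfg: str) -> list:
    """Step 6: lines of the TFTP configuration file that are absent from the
    saved device configuration (candidates that were skipped as malformed)."""
    have = {ln.strip() for ln in running_cfg.splitlines() if ln.strip()}
    return [ln.strip() for ln in server_cfg.splitlines()
            if ln.strip() and ln.strip() not in have]


# Constructed configuration files for the comparison in Step 6.
SERVER_CFG = """ip vrouter trust-vr
ip multicast-routing
exit
router pim
pim-sm enable
this-is-not-a-valid-command
exit
"""
DEVICE_STARTUP_CFG = """ip vrouter trust-vr
ip multicast-routing
exit
router pim
pim-sm enable
exit
"""

if __name__ == "__main__":
    opts = parse_dhcp_options(SAMPLE_OPTIONS)
    print("XML file:", opts[OPT_TFTP_SERVER], opts[OPT_BOOTFILE])
    print("config file:", config_file_location(SAMPLE_XML, "5931844225000750"))
    print("missing on device:", missing_on_device(DEVICE_STARTUP_CFG, SERVER_CFG))
```

The option parser rejects a reply whose option length runs past the end of the packet instead of silently taking a short value, and the Step 6 comparison reports exactly the lines that were present on the TFTP server but never reached the saved configuration, which is where a skipped malformed command shows up.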


Routing

This chapter introduces different routing configuration use cases.

This chapter contains the following recipes:

o "Realizing Multicast Forwarding Through PIM-SM Multicast Protocol" on Page 75

o "Realizing Multicast Forwarding Through PIM-SSM Multicast Protocol" on Page 84


Realizing Multicast Forwarding Through PIM-SM Multicast Protocol


This example introduces how to configure the basic functions of PIM-SM to realize multicast forwarding so that users can receive data
from any multicast source.

In the topology below, the multicast source sends data to the multicast group, and the multicast address is 225.0.0.1. The receivers PC1 and PC2 send IGMPv2 Report to join the multicast group, and the PIM domain adopts the PIM-SM mode. Assume that Device A is the candidate RP and candidate BSR, the interface loopback1 is the interface for electing the RP, and the interface eth0/1 is the multicast data inbound interface. By configuring the PIM-SM function on each device in the PIM domain, multicast data can be forwarded to the recipient PC in a normal multicast manner.

Configuration Steps

Step 1: Configure the IP address and unicast routing protocol of each device interface (OSPF is used in this example).


Device A:

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ip address 1.1.1.2/24

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone trust

hostname(config-if-eth0/2)# ip address 2.1.1.2/24

hostname(config-if-eth0/2)# exit

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# router ospf

hostname(config-router)# router-id 1.1.1.1

hostname(config-router)# network 1.1.1.0/24 area 0

hostname(config-router)# network 2.1.1.0/24 area 0


Device B:

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ip address 2.1.1.2/24

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone trust

hostname(config-if-eth0/2)# ip address 3.1.1.2/24

hostname(config-if-eth0/2)# exit

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# router ospf

hostname(config-router)# router-id 2.2.2.2

hostname(config-router)# network 2.1.1.0/24 area 0

hostname(config-router)# network 3.1.1.0/24 area 0


Device C:

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ip address 2.1.1.3/24

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone trust

hostname(config-if-eth0/2)# ip address 4.1.1.1/24

hostname(config-if-eth0/2)# exit

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# router ospf

hostname(config-router)# router-id 3.3.3.3

hostname(config-router)# network 2.1.1.0/24 area 0

hostname(config-router)# network 4.1.1.0/24 area 0

Step 2: Enable a multicast route.

Device A:

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ip multicast-routing

hostname(config-vrouter)# exit

hostname(config)#


Device B:

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ip multicast-routing

hostname(config-vrouter)# exit

hostname(config)#

Device C:

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ip multicast-routing

hostname(config-vrouter)# exit

hostname(config)#

Step 3: Enable and configure PIM-SM.

Device A:

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# router pim

hostname(config-vrouter)# pim-sm enable

hostname(config-vrouter)# exit

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# ip pim sparse-mode

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# ip pim sparse-mode


Device B:

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# router pim

hostname(config-vrouter)# pim-sm enable

hostname(config-vrouter)# exit

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# ip pim sparse-mode

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# ip pim sparse-mode

Device C:

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# router pim

hostname(config-vrouter)# pim-sm enable

hostname(config-vrouter)# exit

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# ip pim sparse-mode

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# ip pim sparse-mode

Step 4: Configure RP and Candidate BSR.


Device A:

hostname(config)# interface loopback1

hostname(config-if-loo1)# zone trust

hostname(config-if-loo1)# ip address 2.2.2.2/24

hostname(config-if-loo1)# ip pim sparse-mode

hostname(config-if-loo1)# exit

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# rp-candidate loopback1

hostname(config-vrouter)# bsr-candidate loopback1

hostname(config-vrouter)# exit

hostname(config)#

Step 5: Verify result.


Device A:

hostname(config)# show ip mroute

U:interface up D:interface down

V:valid multicast entry I:invalid multicast entry Y:sync multicast entry

==============================================================================

source: 1.1.1.2 group : 225.0.0.1 vrouter: trust-vr

status: V update time: -

ingress interface: ethernet0/1(U)

egress interface : ethernet0/2(U)

==============================================================================

hostname(config)# show ip pim rp

PIM Rendezvous Point for Virtual Router <trust-vr>

==============================================================================

Group: 225.0.0.1, RP:2.2.2.2, v2, via bootstrap, priority 0 holdtime 35.

==============================================================================

hostname(config)# show ip pim bsr-router

PIM Bootstrap Router for Virtual Router <trust-vr>

==============================================================================

PIMv2 Bootstrap information

BSR address: 2.2.2.2


BSR Priority: 0

==============================================================================


Realizing Multicast Forwarding Through PIM-SSM Multicast Protocol


This example introduces how to configure the basic functions of PIM-SSM to realize multicast forwarding so that users can receive
data from any multicast source.

In the topology below, the multicast source sends data to the multicast group, and the multicast address is 232.0.0.1. Receivers PC1 and PC2 send IGMPv3 Report to join the multicast group. The PIM domain adopts the PIM-SSM mode. The relationship between the hosts and the devices in the PIM domain is maintained through IGMPv3, so that members of the multicast group can join quickly and an SPT (Shortest Path Tree) is established directly between the multicast source and the recipient PC. Assume that the interface eth0/1 of Device A is used as the inbound interface for multicast data. By configuring the PIM-SSM function on each device in the PIM domain, multicast data can be forwarded to the recipient PC normally.

Configuration Steps

Step 1: Configure the IP address and unicast routing protocol of each device interface (OSPF is used in this example).


Device A:

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ip address 1.1.1.2/24

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone trust

hostname(config-if-eth0/2)# ip address 2.1.1.2/24

hostname(config-if-eth0/2)# exit

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# router ospf

hostname(config-router)# router-id 1.1.1.1

hostname(config-router)# network 1.1.1.0/24 area 0

hostname(config-router)# network 2.1.1.0/24 area 0


Device B:

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ip address 2.1.1.2/24

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone trust

hostname(config-if-eth0/2)# ip address 3.1.1.2/24

hostname(config-if-eth0/2)# exit

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# router ospf

hostname(config-router)# router-id 2.2.2.2

hostname(config-router)# network 2.1.1.0/24 area 0

hostname(config-router)# network 3.1.1.0/24 area 0


Device C:

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ip address 2.1.1.3/24

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone trust

hostname(config-if-eth0/2)# ip address 4.1.1.1/24

hostname(config-if-eth0/2)# exit

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# router ospf

hostname(config-router)# router-id 3.3.3.3

hostname(config-router)# network 2.1.1.0/24 area 0

hostname(config-router)# network 4.1.1.0/24 area 0

Step 2: Enable a multicast route.

Device A:

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ip multicast-routing

hostname(config-vrouter)# exit

hostname(config)#


Device B:

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ip multicast-routing

hostname(config-vrouter)# exit

hostname(config)#

Device C:

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ip multicast-routing

hostname(config-vrouter)# exit

hostname(config)#

Step 3: Configure PIM-SSM.

Device A:

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# router pim

hostname(config-vrouter)# pim-sm enable

hostname(config-vrouter)# pim-ssm default

hostname(config-vrouter)# exit

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# ip pim sparse-mode

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# ip pim sparse-mode


Device B:

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# router pim

hostname(config-vrouter)# pim-sm enable

hostname(config-vrouter)# pim-ssm default

hostname(config-vrouter)# exit

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# ip pim sparse-mode

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# ip pim sparse-mode

Device C:

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# router pim

hostname(config-vrouter)# pim-sm enable

hostname(config-vrouter)# pim-ssm default

hostname(config-vrouter)# exit

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# ip pim sparse-mode

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# ip pim sparse-mode

Step 4: Verify result.


Device A:

hostname(config)# show ip mroute

U:interface up D:interface down

V:valid multicast entry I:invalid multicast entry Y:sync multicast entry

==============================================================================

source: 1.1.1.2 group : 232.0.0.1 vrouter: trust-vr

status: V update time: -

ingress interface: ethernet0/1(U)

egress interface : ethernet0/2(U)

==============================================================================


Deploying HA Scenario for Multicast Forwarding Through PIM-SM


This example introduces how to deploy the HA AP (Active-Passive) mode in the PIM-SSM multicast environment to ensure that each router device in the PIM domain can transmit multicast data with high reliability.

In the initial network topology below, the multicast source sends data to the multicast group, and the multicast address is 232.0.0.1. Receivers PC1 and PC2 send IGMPv3 Report to join the multicast group. The PIM domain adopts the PIM-SSM mode. The relationship between the hosts and the devices in the PIM domain is maintained through IGMPv3, so that members of the multicast group can join quickly and an SPT (Shortest Path Tree) is established directly between the multicast source and the recipient PC. Assume that the interface eth0/1 of Device A is used as the inbound interface for multicast data. By configuring the PIM-SSM function on each device in the PIM domain, multicast data can be forwarded to the recipient PC normally. For details, see Realizing Multicast Forwarding Through PIM-SSM Multicast Protocol.

In this example, Device A, Device B and Device C in the PIM domain are deployed in HA AP mode. After deployment, Device A, Device B and Device C are elected as the master devices, and Device Aa, Device Bb and Device Cc are elected as the backup devices. The multicast route generated on the master device (Device A, Device B or Device C) is quickly synchronized to the backup device with a temporary status of Y. When the master device fails or cannot forward traffic normally, the backup device (Device Aa, Device Bb or Device Cc) switches to master and forwards multicast traffic based on the multicast route in Y state, without affecting the original communication. After Device Aa receives the IGMPv3 report messages, the status in the multicast routing table is updated to the normal status V.

Original Multicast Network:


Multicast Network after HA-AP Deployment:


Configuration Steps

Step 1: Configure the PIM-SSM multicast protocol according to the example Realizing Multicast Forwarding Through PIM-SSM Multicast Protocol.

Step 2: Configure Device A and Device Aa in HA AP mode so that HA negotiation succeeds.

Device A

hostname(config)# track track1

hostname(config-trackip)# interface ethernet0/1 weight 255    //Monitor the status of interfaces eth0/1 and eth0/2.

hostname(config-trackip)# interface ethernet0/2 weight 255

hostname(config-trackip)# exit

hostname(config)# ha group 0

hostname(config-ha-group)# priority 50

hostname(config-ha-group)# monitor track track1

hostname(config-ha-group)# exit

hostname(config)# ha link interface ethernet0/3

hostname(config)# ha link ip 100.1.1.1/24

hostname(config)# ha cluster 1


Device Aa

hostname(config)# ha group 0

hostname(config-ha-group)# priority 100

hostname(config-ha-group)# exit

hostname(config)#

hostname(config)# ha link interface ethernet0/3

hostname(config)# ha link ip 100.1.1.2/24

hostname(config)# ha cluster 1

Step 3: After HA negotiation between Device A and Device Aa succeeds, configure management IP addresses for the two devices and the monitor object on the standby device.

Device A:

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# manage ip 1.1.1.253

Device Aa:

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# manage ip 1.1.1.254

hostname(config-if-eth0/1)# exit

hostname(config)# ha group 0

hostname(config-ha-group)# monitor track track1

hostname(config-ha-group)# exit

hostname(config)#

Step 4: Results


1. Configurations related to multicast have been synchronized on the standby device.

Device Aa

hostname(B)# show configuration vrouter

ip vrouter "mgt-vr"

exit

ip vrouter "trust-vr"

ip multicast-routing

router-id 1.1.1.1

network 1.1.1.0/24 area 0

network 2.1.1.0/24 area 0

exit

router pim

pim-sm enable

pim-ssm default

exit

exit

2. The status of the multicast routing table on the master device is V. On the backup device, the multicast routing table is synchronized and its status is Y.


Device A:

hostname(M)# show ip mroute

U:interface up D:interface down

V:valid multicast entry I:invalid multicast entry Y:sync multicast entry

==============================================================================

source: 1.1.1.2 group : 232.0.0.1 vrouter: trust-vr

status: V update time: -

ingress interface: ethernet0/1(U)

egress interface : ethernet0/2(U)

==============================================================================

Device Aa:

hostname(B)# show ip mroute

U:interface up D:interface down

V:valid multicast entry I:invalid multicast entry Y:sync multicast entry

==============================================================================

source: 1.1.1.2 group : 232.0.0.1 vrouter: trust-vr

status: Y update time: -

ingress interface: ethernet0/1(U)

egress interface : ethernet0/2(U)

==============================================================================

3. Restart Device A (or shut down eth0/1 and eth0/2 of Device A). The backup device Device Aa quickly switches to master, and the multicast route in Y state forwards multicast traffic without affecting the original communication. After Device Aa receives the IGMPv3 report message, the status in the multicast routing table is updated to V, and multicast traffic continues to be forwarded. The status is shown as follows:

Device Aa:

hostname(M)# show ip mroute

U:interface up D:interface down

V:valid multicast entry I:invalid multicast entry Y:sync multicast entry

==============================================================================

source: 1.1.1.2 group : 232.0.0.1 vrouter: trust-vr

status: V update time: -

ingress interface: ethernet0/1(U)

egress interface : ethernet0/2(U)

==============================================================================

Step 5: You can deploy device B and device C to the HA AP mode as required according to the above steps.
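The following is an added example, not StoneOS code or a Hillstone tool, that parses the show ip mroute output shown in the PIM-SM recipe (Step 5), the PIM-SSM recipe (Step 4) and the HA results above, and checks each entry against what those steps expect: status V on the master, status Y on the synchronized backup, ingress and egress interfaces up, and, when pim-ssm default is used, a group inside the default SSM range 232.0.0.0/8 (RFC 4607). The sample outputs are constructed in the page's format; the check for an egress interface in D state goes slightly beyond the page's examples.

```python
"""Added example (not StoneOS code): parse "show ip mroute" output and check
it against the expectations on this page."""
import ipaddress
import re

SSM_RANGE = ipaddress.ip_network("232.0.0.0/8")  # default SSM group range (RFC 4607)

_HDR = re.compile(r"source:\s*(\S+)\s+group\s*:\s*(\S+)\s+vrouter:\s*(\S+)")
_STATUS = re.compile(r"status:\s*([VIY])")
_IFACE = re.compile(r"(ingress|egress) interface\s*:\s*(\S+?)\((U|D)\)")


def parse_mroute(text: str) -> list:
    """One dict per multicast entry: source, group, vrouter, status (V/I/Y),
    ingress (name, up) and a list of egress (name, up) tuples."""
    entries, cur = [], None
    for line in text.splitlines():
        m = _HDR.search(line)
        if m:
            cur = {"source": m.group(1), "group": m.group(2), "vrouter": m.group(3),
                   "status": None, "ingress": None, "egress": []}
            entries.append(cur)
            continue
        if cur is None:
            continue                      # legend lines before the first entry
        m = _STATUS.search(line)
        if m:
            cur["status"] = m.group(1)
            continue
        m = _IFACE.search(line)
        if m:
            iface = (m.group(2), m.group(3) == "U")
            if m.group(1) == "ingress":
                cur["ingress"] = iface
            else:
                cur["egress"].append(iface)
    return entries


def check_entry(entry: dict, role: str, ssm: bool = True) -> list:
    """Findings for one entry; empty means it matches the page: status V on the
    master and Y (synced) on the backup, interfaces up, at least one egress
    interface, and a group inside the default SSM range when pim-ssm default is used."""
    findings = []
    want = "V" if role == "master" else "Y"
    if entry["status"] != want:
        findings.append("status %s, expected %s on %s" % (entry["status"], want, role))
    if entry["ingress"] is None or not entry["ingress"][1]:
        findings.append("ingress interface missing or down")
    if not entry["egress"]:
        findings.append("no egress interface: no receiver has joined")
    for name, up in entry["egress"]:
        if not up:
            findings.append("egress %s down" % name)
    if ssm and ipaddress.ip_address(entry["group"]) not in SSM_RANGE:
        findings.append("group %s outside default SSM range %s" % (entry["group"], SSM_RANGE))
    return findings


def _sample(group: str, status: str, egress_state: str = "U") -> str:
    """Constructed output in the format shown on this page."""
    return """U:interface up D:interface down
V:valid multicast entry I:invalid multicast entry Y:sync multicast entry
==============================================================================
source: 1.1.1.2 group : %s vrouter: trust-vr
status: %s update time: -
ingress interface: ethernet0/1(U)
egress interface : ethernet0/2(%s)
==============================================================================
""" % (group, status, egress_state)


MASTER_SSM = _sample("232.0.0.1", "V")   # Device A (M) after PIM-SSM Step 4
BACKUP_SSM = _sample("232.0.0.1", "Y")   # Device Aa (B): synchronized entry
MASTER_SM = _sample("225.0.0.1", "V")    # Device A in the PIM-SM recipe
EGRESS_DOWN = _sample("232.0.0.1", "V", "D")

if __name__ == "__main__":
    for label, text, role, ssm in (("master", MASTER_SSM, "master", True),
                                   ("backup", BACKUP_SSM, "backup", True),
                                   ("pim-sm", MASTER_SM, "master", False),
                                   ("egress down", EGRESS_DOWN, "master", True)):
        for e in parse_mroute(text):
            print(label, e["group"], e["status"], check_entry(e, role, ssm) or "ok")
```

Running check_entry with role "backup" against the master's own output reports the status mismatch, which is the quick way to confirm after a failover (item 3 above) that the former backup's entry has moved from Y to V.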


Authentication

Authentication is a method of verifying a visitor's identity. When a visitor is confirmed as a valid user, it is allowed to use a certain network. The visitor can be a PC, a mobile phone or a tablet.

This chapter contains the following recipes:

o "Allowing the Internet Access via User Authentication" on Page 99

o "Using AD Polling for SSO" on Page 107

o "Allowing Internet Access via AD Polling" on Page 116

o "Allowing Internet Access via AD Agent" on Page 127

o "Allowing Internet Access via TS Agent" on Page 138


Allowing the Internet Access via User Authentication


This example shows how to use Web authentication (WebAuth). An AAA server is required in this example to confirm the identity of a
user.

The topology describes the scenarios of the case. In this scenario, only user 1 passes the authentication, and then accesses the Internet;
while other users fail to pass the authentication, and they are not allowed to access the Internet.

Configuration Steps

Step 1: Configuring the user and address book

Select Object > User > Local User. Under Local Server, click New > User.

o Name: user1

o Password: 123456

o Confirm Password: 123456


Select Object > Address Book > New.

o Name: addr

o Type: IPv4

o Member: Click New, select IP/Netmask, and enter 192.168.1.2 with netmask 32

Step 2: Configuring the interface and zone

Select Network > Interface, and double-click ethernet0/0.

o Binding Zone: Layer 3 Zone

o Zone: trust

o IP Configuration

o Type: Static IP

o IP Address: 192.168.1.1

o Netmask: 255.255.255.0

o WebAuth

o Auth Service: Enable


Select Network > Interface, and double-click ethernet0/1.

o Binding Zone: Layer 3 Zone

o Zone: untrust

o IP Configuration

o Type: Static IP

o IP Address: 221.224.30.130

o Netmask: 20

Step 3: Configuring Web Authentication

Select Network > WebAuth > WebAuth, and configure the following:

o WebAuth: Click the Enable button

o Protocol: HTTP

o Port: 8181

o Authentication Mode:

o Type: Password


After the above configurations, continue to create policy rules in Security Policy to make WebAuth effective. Click policy template for reference.

Step 4: Configuring Security Policy

Click the "policy page" quick link at the bottom of the Web authentication page, or select Policy > Security Policy > Policy, and click New > Policy.

o Name: DNS

o Source Zone: Any

o Source Address: Any

o Destination Zone: Any

o Destination Address: Any

o Service: DNS

o Action: Permit


Click New, and create the "Web-auth" policy.

o Name: Web-auth

o Source Zone: Any

o Source Address: addr

o Source User: Click +, select "Role" from the AAA Server/Role drop-down list and select "UNKNOWN"

o Destination Zone: Any

o Destination Address: Any

o Action: Secured connection

o WebAuth: local


Click New, and create the "user" policy. Specify the source user who is allowed to access the Internet.

o Name: user

o Source Zone: Any

o Source Address: Any

o Source User: Click +, select "local" from the AAA Server/Role drop-down list and select "user1"

o Destination Zone: Any

o Destination Address: Any

o Action: Permit


Step 5: Triggering WebAuth through HTTP requests

After the above configurations, when HTTP requests are sent from 192.168.1.2/32, user1 will be prompted to authenticate by entering the username/password (user1/123456) before accessing the Internet.
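The following is an added example, not the StoneOS policy engine, that models the three rules of Step 4 as a first-match list in Python so the outcome of Step 5 can be traced rule by rule: DNS is permitted for everyone, unauthenticated traffic from the address book entry addr hits the "Web-auth" rule (the "secured" action stands for the WebAuth challenge configured in Step 3), authenticated user1 hits the "user" rule, and anything else falls to an assumed implicit default deny. First-match order, the role name UNKNOWN for not-yet-authenticated traffic and the "local:user1" identity string are this model's assumptions.

```python
"""Added example (not the StoneOS policy engine): a first-match model of the
three security policy rules configured in Step 4."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    name: str
    action: str                       # "permit", "deny" or "secured" (WebAuth challenge)
    src_addr: str = "Any"             # address book entry or "Any"
    service: str = "Any"
    src_user: Optional[str] = None    # e.g. "local:user1" (AAA server:user), assumed form
    src_role: Optional[str] = None    # "UNKNOWN" matches not-yet-authenticated traffic


# Address book from Step 1 (192.168.1.2/32 is the client host in the topology).
ADDRESS_BOOK = {"addr": [ip_network("192.168.1.2/32")]}

# The three rules of Step 4, in the order they are listed on the page.
RULES = [
    Rule("DNS", "permit", service="DNS"),
    Rule("Web-auth", "secured", src_addr="addr", src_role="UNKNOWN"),
    Rule("user", "permit", src_user="local:user1"),
]


def rule_matches(rule: Rule, src_ip: str, service: str, user: Optional[str]) -> bool:
    """user is the authenticated identity for the source IP, or None before WebAuth."""
    if rule.service != "Any" and rule.service != service:
        return False
    if rule.src_addr != "Any":
        nets = ADDRESS_BOOK.get(rule.src_addr, [])
        if not any(ip_address(src_ip) in net for net in nets):
            return False
    if rule.src_role == "UNKNOWN" and user is not None:
        return False                  # already authenticated: role is known
    if rule.src_user is not None and user != rule.src_user:
        return False
    return True


def evaluate(src_ip: str, service: str, user: Optional[str] = None, rules=RULES) -> tuple:
    """First matching rule wins; with no match the assumed implicit default denies."""
    for rule in rules:
        if rule_matches(rule, src_ip, service, user):
            return rule.name, rule.action
    return "default", "deny"


if __name__ == "__main__":
    print(evaluate("192.168.1.2", "DNS"))                   # ('DNS', 'permit')
    print(evaluate("192.168.1.2", "HTTP"))                  # ('Web-auth', 'secured')
    print(evaluate("192.168.1.2", "HTTP", "local:user1"))   # ('user', 'permit')
    print(evaluate("192.168.1.3", "HTTP"))                  # ('default', 'deny')
    print(evaluate("192.168.1.2", "HTTP", "local:user2"))   # ('default', 'deny')
```

The DNS rule sits first so the client can resolve names before it is challenged; a host outside addr never reaches the "Web-auth" rule and is simply denied, and a user other than user1 is challenged but denied afterwards because only user1 is named in the "user" rule.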

Step 6: Triggering WebAuth through HTTPS requests

Export the certificate from the device.

Select System > PKI > Trust Domain Certificate.

o Trust Domain: trust_domain_ssl_proxy

o Content: CA Certificate

o Action: Export

Click OK to export the certificate.


Import the certificate to client's Web browser.

1. In the Chrome Web browser, select Settings > Show advanced settings.

2. In the HTTPS/SSL section, select Manage certificates.

3. In the Trusted Root Certification Authorities tab, select Import.

4. Follow the wizard to import the certificate.

After the above configurations are finished, when HTTPS requests are sent from 192.168.1.2/32, user1 will be prompted to authenticate by entering the username/password (user1/123456) before accessing the Internet.

Note: Triggering WebAuth through HTTPS requests depends on the SSL proxy feature. If the device does not support the SSL proxy, triggering WebAuth through HTTPS requests will not work, and you can trigger WebAuth through HTTP requests instead.


Using AD Polling for SSO


This example introduces how domain users can access the Internet directly without Web authentication after logging in to the AD domain, by configuring AD Polling.

The following shows a network environment. An enterprise sets up a Hillstone security device as the egress gateway connecting the internal network with the Internet. Only the staff in the R&D department have joined the AD domain (scep.pki.com); the staff in the marketing department have not. The security device enables Web authentication, and all staff of the enterprise are allowed to access the Internet only after they pass authentication. After AD Polling is configured, login logs are generated when R&D staff log in through the AD server (that is, log in to a PC that has been added to the AD domain with a domain user name and password). The device reads these logs through AD Polling and obtains the authenticated user information from the AD server. With this information, R&D staff can access the Internet directly without Web authentication.
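The following is an added example, not the StoneOS AD Polling implementation, that shows in Python the mapping the mechanism above relies on: logon records collected from the AD server become a table of client IP to domain user, and a later lookup by source IP yields an identity that lets the user skip Web authentication. The logon records and their field layout are constructed, the skipping of machine accounts (names ending in $) and the eight-hour expiry are this example's own choices, and the account names use the scep domain from the page.

```python
"""Added example (not the StoneOS AD Polling implementation): build the
user-to-IP mapping that lets domain users pass without Web authentication."""
from datetime import datetime, timedelta

# Constructed logon records, as the device might collect them from the AD
# server's logon logs via WMI: (time, account, client IP). Field layout is assumed.
SAMPLE_LOGONS = [
    ("2024-07-14 08:00:00", "scep\\dave", "10.180.201.53"),      # yesterday: stale
    ("2024-07-15 09:00:05", "scep\\alice", "10.180.201.51"),
    ("2024-07-15 09:01:10", "scep\\PC-RD01$", "10.180.201.51"),  # machine account
    ("2024-07-15 09:05:00", "scep\\bob", "10.180.201.52"),
    ("2024-07-15 09:30:00", "scep\\carol", "10.180.201.52"),     # later logon, same PC
]


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def build_user_map(records, now: datetime, max_age=timedelta(hours=8)) -> dict:
    """Map each client IP to its most recent human logon. Machine accounts
    (ending in $) are skipped and logons older than max_age (an assumed
    expiry, not a StoneOS setting) are ignored."""
    ip_map = {}
    for ts, account, ip in sorted(records, key=lambda r: r[0]):
        when = parse_ts(ts)
        if account.endswith("$"):
            continue
        if now - when > max_age:
            continue
        ip_map[ip] = (account, when)        # newest logon on an IP wins
    return ip_map


def identify(ip_map: dict, src_ip: str):
    """Identity for a source IP, or None: an unknown IP still gets Web authentication."""
    entry = ip_map.get(src_ip)
    return entry[0] if entry else None


if __name__ == "__main__":
    m = build_user_map(SAMPLE_LOGONS, parse_ts("2024-07-15 10:00:00"))
    for ip in ("10.180.201.51", "10.180.201.52", "10.180.201.53"):
        print(ip, "->", identify(m, ip))
```

A PC that two people used in turn is attributed to the later logon, a machine account never becomes an identity, and a marketing PC that never logged on to the domain has no entry, so its traffic still falls to the Web authentication rule.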

Preparation

Before configuring the AD Polling function, prepare the following first:

o The AD server has been set up according to the user network environment.

o To enable WMI to probe the PC where the AD server is located and the terminal PCs, the PCs should enable the RPC service and remote management. To enable the RPC service, open Control Panel > Administrative Tools > Services and start Remote Procedure Call and Remote Procedure Call Locator; to enable remote management, run the command prompt (cmd) as administrator and enter the command netsh firewall set service RemoteAdmin

o To enable WMI to probe the PC where the AD server is located and the terminal PCs, the PCs should allow the WMI function through Windows Firewall. Select Control Panel > System and Security > Windows Firewall > Allow an app through Windows Firewall; in the Allowed apps and features list, select the Domain check box for Windows Management Instrumentation (WMI).

o The security device should be configured with a policy to protect the AD server, which may result in the ports used by the WMI service (port 135 and a random port) being restricted by that policy. Therefore, another policy (with the source IP being the IP address of ethernet0/3) must be configured to allow all interface traffic to pass through.

o The rule has been configured on the security device that all the staff of the enterprise should pass the Web authentication before
they access the Internet. For the detailed configuration method, please see "Allowing the Internet Access via User Authentication"
on Page 99.

Configuration Steps

Step 1: Creating a new domain user on the AD server and configuring the user as the Domain Admins group.

On the PC with the AD server, select Start > Administrative Tools > Active Directory Users and Computers to open the Active Directory Users and Computers page.


Right-click Users and select New Object > User.


Click Next.

o First name: test

o User logon name: [email protected]

Configure a password on the New Object- User


page, and click Next.

o Password: Hillstone123456

o Confirm password: Hillstone123456

o Password never expires: Select the check box

Using AD Polling for SSO 109


StoneOS Cookbook

Step 1: Creating a new domain user on the AD server and configuring the user as the Domain Admins group.

Click Finish to finish the creating of domain user


test.

In the user list, right-click test, and select Add to


group. Click OK.

o Enter the object names to select: Domain


Admins

110 Using AD Polling for SSO


StoneOS Cookbook

Step 2: Adding PCs of R&D staff into the AD domain (taking one PC as example).

Select Control Panel > Network and Internet > Network and Sharing Center to check the properties of the network connection.
Double-click Internet Protocol Version 4 (TCP/IPv4) to open the Internet Protocol Version 4 (TCP/IPv4) Properties page, and
change the IP address of the Preferred DNS server to the IP address of the AD domain controller.

o Preferred DNS server: 10.180.201.8

o Alternate DNS server: 8.8.8.8

Search for cmd in the Start menu and double-click it to open the command prompt (cmd) window, and make sure that the PC can
connect to the AD domain controller (scep.pki.com).

Select Control Panel > System and Security > System > Computer name, domain, and workgroup settings > Change settings, and add
the PC to the AD domain (scep.pki.com). Click OK.

o Domain: scep.pki.com

In the Windows Security dialog box, enter Domain name\User name and Password. The user name should be one in the Domain
Admins group.

o Domain name\User name: scep\test

o Password: Hillstone123456

After the PC has been added to the AD domain (scep.pki.com) successfully, restart the computer to make the change take effect.

Step 3: Configuring AD server parameters in StoneOS.

Select Object > AAA server, and select Active Directory Server from the drop-down list for creating a new server.

o Server Name: ad-polling

o Server Address: 10.180.201.8

o Base-dn: dc=scep,dc=pki,dc=com

o Login-dn: cn=test,cn=users,dc=scep,dc=pki,dc=com

o sAMAccountName: test

o Authentication Mode: MD5

o Password: Hillstone123456

Click OK and the AD server is created successfully.

Step 4: Configuring AD Polling in StoneOS

Select Object > SSO Client > AD Polling, click Create, and enter the AD Polling Configuration page.

o Name: ad-polling

o Status: click Enable

o Host: 10.180.201.8

o Virtual Router: trust-vr

o Account: scep\test

o Password: Hillstone123456

o AAA Server: select the AD server ad-polling created in step 3

o AD Polling Interval: 2 seconds

o Client Probing Interval: 5 minutes

o Force Timeout: 10 minutes

Click OK to finish the AD Polling configuration.

Step 5: Verifying result

After all the above configurations are finished, staff of the R&D department (such as the user test added to the AD domain in this
example) can access the Internet without passing Web authentication. However, staff of the marketing department still need to
pass Web authentication before visiting the Internet.

To check the user-to-IP mapping information obtained on the device via AD Polling, log in to the StoneOS CLI and enter the
command show user-mapping user-sso ad-polling or show auth-user.

As shown in the figure, in the authentication user list obtained via AD Polling, the IP address corresponding to the user test is
10.180.203.74.

Allowing Internet Access via AD Polling


This example introduces how to configure AD Polling to allow users to access the Internet.

The following shows a network environment. An enterprise sets up a Hillstone security device as the export gateway to connect the
internal network with the Internet. All the staff in the R&D department and the marketing department join the AD domain
(scep.pki.com). After AD Polling is configured, login logs are generated when staff log in through the AD server (logging in to a PC
that has been added to the AD domain with a domain user name and password). The system checks these logs through AD Polling and
obtains the authenticated users' information (user name and IP) from the AD server. With the user-based security policy, only the R&D
manager can access the Internet, other staff of the R&D department cannot access the Internet, and the staff of the marketing
department can access Web services based on HTTP or HTTPS.

Preparation

Before configuring the AD Polling function, prepare the following first:

o The AD server has been set up according to the user network environment.

o To enable WMI to probe the PC where the AD server is located and the terminal PCs, the PC should have the RPC service and
remote management enabled. To enable the RPC service, enter Control Panel > Administrative Tools > Services and start the
Remote Procedure Call and Remote Procedure Call Locator services; to enable remote management, run the command prompt
window (cmd) as administrator and enter the command netsh firewall set service RemoteAdmin.

o To enable WMI to probe the PC where the AD server is located and the terminal PCs, the PC should permit the WMI function to pass
through the Windows firewall. Select Control Panel > System and Security > Windows Firewall > Allow an app through Windows
Firewall, and in the Allowed apps and features list select the Domain check box for Windows Management Instrumentation (WMI).

o The security device should be configured with a policy to protect the AD server, which may cause the ports used by the WMI
service (port 135 and a random port) to be restricted by that policy. Therefore, it is necessary to configure another policy (with the
source IP set to the IP address of ethernet0/3) that allows all traffic from that interface to pass through.

o A rule has been configured on the security device requiring all enterprise staff to pass Web authentication before they access
the Internet. For the detailed configuration method, please see "Allowing the Internet Access via User Authentication" on Page 99.

Configuration Steps

Step 1: Create a new domain user on the AD server and add the user to the Domain Admins group.

On the PC with the AD server, select Start > Administrative Tools > Active Directory Users and Computers to open the Active
Directory Users and Computers page.

Right-click Users and select New Object > User. Click Next.

o First name: test

o User logon name: [email protected]

Configure a password on the New Object - User page, and click Next.

o Password: Hillstone123456

o Confirm password: Hillstone123456

o Password never expires: Select the check box

Click Finish to finish creating the domain user test.

In the user list, right-click test and select Add to group. Click OK.

o Enter the object names to select: Domain Admins

Step 2: Add PCs of R&D staff into the AD domain (taking the PC of the R&D manager as example).

Select Control Panel > Network and Internet > Network and Sharing Center to check the properties of the network connection.
Double-click Internet Protocol Version 4 (TCP/IPv4) to open the Internet Protocol Version 4 (TCP/IPv4) Properties page, and
change the IP address of the Preferred DNS server to the IP address of the AD domain controller.

o Preferred DNS server: 10.180.201.8

o Alternate DNS server: 8.8.8.8

Search for cmd in the Start menu and double-click it to open the command prompt (cmd) window, and make sure that the PC can
connect to the AD domain controller (scep.pki.com).

Select Control Panel > System and Security > System > Computer name, domain, and workgroup settings > Change settings, and add
the PC to the AD domain (scep.pki.com). Click OK.

o Domain: scep.pki.com

In the Windows Security dialog box, enter Domain name\User name and Password. The user name should be one in the Domain
Admins group.

o Domain name\User name: scep\test

o Password: Hillstone123456

After the PC has been added to the AD domain (scep.pki.com) successfully, restart the computer to make the change take effect.

Step 3: Configure AD server parameters in StoneOS.

Select Object > AAA server, and select Active Directory Server from the drop-down list for creating a new server.

o Server Name: ad-polling

o Server Address: 10.180.201.8

o Base-dn: dc=scep,dc=pki,dc=com

o Login-dn: cn=test,cn=users,dc=scep,dc=pki,dc=com

o sAMAccountName: test

o Authentication Mode: MD5

o Password: Hillstone123456

Click OK and the AD server is created successfully.

Step 4: Configure AD Polling in StoneOS

Select Object > SSO Client > AD Polling, click Create, and enter the AD Polling Configuration page.

o Name: ad-polling

o Status: click Enable

o Host: 10.180.201.8

o Virtual Router: trust-vr

o Account: scep\test

o Password: Hillstone123456

o AAA Server: select the AD server ad-polling created in step 3

o AD Polling Interval: 2 seconds

o Client Probing Interval: 5 minutes

o Force Timeout: 10 minutes

Click OK to finish the AD Polling configuration.

Step 5: Configure policies

Configuring a policy to allow the manager of the R&D department to access the Internet

Select Policy > Security Policy, and click New.

o Name: manager

o Source

o Zone: trust

o Address: any

o User: Select the user name "test" of the R&D manager

o Destination

o Zone: untrust

o Address: any

o Other Information

o Action: Permit

Configuring a policy to allow the staff of the marketing department to access Web services based on HTTP or HTTPS

Select Policy > Security Policy, and click New.

o Name: market

o Source

o Zone: trust

o Address: any

o User: Select the user group "market" of the marketing department

o Destination

o Zone: untrust

o Address: any

o Other Information

o Service: HTTP, HTTPS

o Action: Permit

Adjusting the priority of policies

1. Select Policy > Security Policy to enter the Security Policy page.

2. Select the check boxes of the "manager" and "market" policies, and click Move.

3. Type the ID (2) of the second WebAuth policy into the ToID text box, and click After ID.

Step 6: Verify result

After all the above configurations, only the R&D manager can access the Internet, other staff of the R&D department cannot access
the Internet, and the staff of the marketing department can access Web services based on HTTP or HTTPS.

Allowing Internet Access via AD Agent


This example introduces how to configure AD agent to allow users to access the Internet.

The following shows a network environment. An enterprise sets up a Hillstone security device as the export gateway to connect the
internal network with the Internet. All the staff in the R&D department and the marketing department join the AD domain
(scep.pki.com). After the AD Agent is configured, login information is generated when staff log in through the AD server (logging in
to a PC that has been added to the AD domain with a domain user name and password). The AD Security Agent sends the
authenticated users' information (user name and IP) to the system. With the user-based security policy, only the R&D manager can
access the Internet, other staff of the R&D department cannot access the Internet, and the staff of the marketing department can
access Web services based on HTTP or HTTPS.

Preparation

Before configuring the AD Agent function, prepare the following first:

o The AD server has been set up according to the user network environment.

o To enable WMI to probe the PC where the AD server is located and the terminal PCs, the PC should have the RPC service and
remote management enabled. To enable the RPC service, enter Control Panel > Administrative Tools > Services and start the
Remote Procedure Call and Remote Procedure Call Locator services; to enable remote management, run the command prompt
window (cmd) as administrator and enter the command netsh firewall set service RemoteAdmin.

o To enable WMI to probe the PC where the AD server is located and the terminal PCs, the PC should permit the WMI function to pass
through the Windows firewall. Select Control Panel > System and Security > Windows Firewall > Allow an app through Windows
Firewall, and in the Allowed apps and features list select the Domain check box for Windows Management Instrumentation (WMI).

o The security device should be configured with a policy to protect the AD server, which may cause the ports used by the WMI
service (port 135 and a random port) to be restricted by that policy. Therefore, it is necessary to configure another policy (with the
source IP set to the IP address of ethernet0/3) that allows all traffic from that interface to pass through.

o A rule has been configured on the security device requiring all enterprise staff to pass Web authentication before they access
the Internet. For the detailed configuration method, please see "Allowing the Internet Access via User Authentication" on Page 99.

Configuration Steps

Step 1: Create a new domain user on the AD server and add the user to the Domain Admins group.

On the PC with the AD server, select Start > Administrative Tools > Active Directory Users and Computers to open the Active
Directory Users and Computers page.

Right-click Users and select New Object > User. Click Next.

o First name: test

o User logon name: [email protected]

Configure a password on the New Object - User page, and click Next.

o Password: Hillstone123456

o Confirm password: Hillstone123456

o Password never expires: Select the check box

Click Finish to finish creating the domain user test.

In the user list, right-click test and select Add to group. Click OK.

o Enter the object names to select: Domain Admins

Step 2: Add PCs of R&D staff into the AD domain (taking the PC of the R&D manager as example).

Select Control Panel > Network and Internet > Network and Sharing Center to check the properties of the network connection.
Double-click Internet Protocol Version 4 (TCP/IPv4) to open the Internet Protocol Version 4 (TCP/IPv4) Properties page, and
change the IP address of the Preferred DNS server to the IP address of the AD domain controller.

o Preferred DNS server: 10.180.201.8

o Alternate DNS server: 8.8.8.8

Search for cmd in the Start menu and double-click it to open the command prompt (cmd) window, and make sure that the PC can
connect to the AD domain controller (scep.pki.com).

Select Control Panel > System and Security > System > Computer name, domain, and workgroup settings > Change settings, and add
the PC to the AD domain (scep.pki.com). Click OK.

o Domain: scep.pki.com

In the Windows Security dialog box, enter Domain name\User name and Password. The user name should be one in the Domain
Admins group.

o Domain name\User name: scep\test

o Password: Hillstone123456

After the PC has been added to the AD domain (scep.pki.com) successfully, restart the computer to make the change take effect.

Step 3: Install and configure AD Security Agent in AD server.

1. Click http://swupdate.hillstonenet.com:1337/sslvpn/download?os=windows-adagent to download the AD Security Agent
installation program, and copy it to the AD server.

2. Double-click ADAgentSetup.exe to open it and follow the installation wizard to install it.

3. Double-click the AD Agent Configuration Tool shortcut, and the AD Agent Configuration Tool dialog pops up.

4. Click the General tab.

o Agent Port: 6666

o AD User Name: scep\test

o Password: Hillstone123456

o Server Monitor: Select the Enable Security Log Monitor check box, and configure the Monitor Frequency as 5 seconds

o Client Probing: Select the Enable WMI probing check box, and configure the Probing Frequency as 20 minutes

Click Commit to commit the above configurations and start the AD Agent service.

Step 4: Configure AD server parameters in StoneOS.

Select Object > AAA server, and select Active Directory Server from the drop-down list for creating a new server.

o Server Name: ad-polling

o Server Address: 10.180.201.8

o Base-dn: dc=scep,dc=pki,dc=com

o Login-dn: cn=test,cn=users,dc=scep,dc=pki,dc=com

o sAMAccountName: test

o Authentication Mode: MD5

o Password: Hillstone123456

o Security Agent: Select the check box, and configure the Agent Port as 6666

Click OK to finish the AD server configuration.

Step 5: Configure policies

Configuring a policy to allow the manager of the R&D department to access the Internet

Select Policy > Security Policy, and click New.

o Name: manager

o Source

o Zone: trust

o Address: any

o User: Select the user name "test" of the R&D manager

o Destination

o Zone: untrust

o Address: any

o Other Information

o Action: Permit

Configuring a policy to allow the staff of the marketing department to access Web services based on HTTP or HTTPS

Select Policy > Security Policy, and click New.

o Name: market

o Source

o Zone: trust

o Address: any

o User: Select the user group "market" of the marketing department

o Destination

o Zone: untrust

o Address: any

o Other Information

o Service: HTTP, HTTPS

o Action: Permit

Adjusting the priority of policies

1. Select Policy > Security Policy to enter the Security Policy page.

2. Select the check boxes of the "manager" and "market" policies, and click Move.

3. Type the ID (2) of the second WebAuth policy into the ToID text box, and click After ID.

Step 6: Verify result

After all the above configurations are finished, only the R&D manager can access the Internet, other staff of the R&D department
cannot access the Internet, and the staff of the marketing department can access Web services based on HTTP or HTTPS.
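The user-to-IP mapping table that the three AD Polling and AD Agent recipes above build (the list shown by show user-mapping user-sso ad-polling), as an added example in Python; it is not StoneOS, AD Agent or Hillstone code. Assumptions, also marked in the comments: only successful interactive logon events create entries (whether the device polls the security log itself or the agent forwards them), a client-probing result refreshes or removes an entry, and Force Timeout (10 minutes in the recipes) removes an entry a fixed time after it was learned; the log lines are constructed in the style of Windows security events, not real logs.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Force Timeout from the recipes (10 minutes). The polling and probing intervals only decide
# how often poll() and probe() below would be called, so they are not modelled here.
FORCE_TIMEOUT = timedelta(minutes=10)

# Assumption: only logons that put a person at a console or remote desktop map an IP to a user.
# Network logons (type 3, e.g. a service account touching a share) would attribute the wrong user.
INTERACTIVE_LOGON_TYPES = {"2", "10", "11"}

# Constructed, simplified lines in the style of Windows security logon records (not real logs).
SAMPLE_SECURITY_LOG = """\
2024-07-15T09:00:00 EventID=4624 Account=scep\\test SourceIP=10.180.203.74 LogonType=2
2024-07-15T09:00:05 EventID=4624 Account=scep\\alice SourceIP=10.180.203.80 LogonType=2
2024-07-15T09:00:07 EventID=4625 Account=scep\\mallory SourceIP=10.180.203.90 LogonType=2
2024-07-15T09:01:00 EventID=4624 Account=scep\\svc-backup SourceIP=10.180.203.74 LogonType=3
2024-07-15T09:03:00 EventID=4624 Account=scep\\bob SourceIP=10.180.203.80 LogonType=10
""".splitlines()

LOGON_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Account=(?P<acct>\S+) "
    r"SourceIP=(?P<ip>\S+) LogonType=(?P<lt>\d+)$"
)


@dataclass
class Mapping:
    user: str
    ip: str
    learned_at: datetime    # time of the logon event that created the entry
    confirmed_at: datetime  # last time WMI client probing confirmed the user is still logged on


class UserMappingTable:
    """One entry per client IP, the table that the user-based security policy is matched against."""

    def __init__(self, force_timeout=FORCE_TIMEOUT):
        self.force_timeout = force_timeout
        self.by_ip = {}

    def learn(self, user, ip, at):
        # A newer logon on the same IP replaces the older user (shared or re-imaged workstation).
        self.by_ip[ip] = Mapping(user, ip, at, at)

    def poll(self, log_lines):
        """One AD Polling pass over security-log lines; returns how many mappings were learned."""
        learned = 0
        for line in log_lines:
            m = LOGON_RE.match(line.strip())
            if not m or m["eid"] != "4624" or m["lt"] not in INTERACTIVE_LOGON_TYPES:
                continue  # failed logons (4625) and non-interactive logons never create entries
            self.learn(m["acct"], m["ip"], datetime.fromisoformat(m["ts"]))
            learned += 1
        return learned

    def probe(self, ip, logged_on_user, at):
        """Apply a WMI client-probing result: None means nobody is logged on (drop the entry),
        another name means the console changed hands (replace), the same name refreshes."""
        if ip not in self.by_ip:
            return
        if logged_on_user is None:
            del self.by_ip[ip]
        elif logged_on_user != self.by_ip[ip].user:
            self.learn(logged_on_user, ip, at)
        else:
            self.by_ip[ip].confirmed_at = at

    def expire(self, now):
        """Force Timeout (assumed semantics): drop entries older than the timeout even if probing
        still confirms them, so a stale mapping never outlives the user's next logon event."""
        stale = [ip for ip, m in self.by_ip.items() if now - m.learned_at >= self.force_timeout]
        for ip in stale:
            del self.by_ip[ip]
        return stale

    def snapshot(self):
        return {ip: m.user for ip, m in self.by_ip.items()}


def run_scenario():
    """Poll, probe, then force-expire; returns what the table looked like at each stage."""
    table = UserMappingTable()
    learned = table.poll(SAMPLE_SECURITY_LOG)
    after_poll = table.snapshot()
    t_probe = datetime.fromisoformat("2024-07-15T09:05:00")
    table.probe("10.180.203.74", "scep\\test", t_probe)  # test is still at the keyboard
    table.probe("10.180.203.80", None, t_probe)          # bob has logged off
    after_probe = table.snapshot()
    expired = table.expire(datetime.fromisoformat("2024-07-15T09:10:00"))
    return {"learned": learned, "after_poll": after_poll, "after_probe": after_probe,
            "expired": expired, "final": table.snapshot()}
```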


Allowing Internet Access via TS Agent


This example introduces how to configure TS Agent to allow users to access the Internet.

The following shows a network environment. An enterprise sets up a Hillstone security device as the export gateway to connect the
internal network with the Internet. Internal users connect to a Windows server through thin clients. After the TS Agent is configured,
when users log in to the Windows server using Remote Desktop Services, the Hillstone Terminal Service Agent allocates port ranges to
the users and sends the port ranges and user information to the system. At the same time, the system creates the mappings between
traffic IPs, port ranges and users. With the user-based security policy, only user 1 can access the Internet, user 2 cannot access the
Internet, and user 3 can access Web services based on HTTP or HTTPS.

Preparation

Before configuring the TS Agent function, prepare the following first:

o The Windows server has been set up according to the user network environment. Windows Server 2008 R2, Windows Server
2016, and Windows Server 2019 are currently supported. Windows Server 2008 R2 Service Pack 1 and KB3033929 must be
installed if Windows Server 2008 R2 is used.

o The SNAT rule has been configured on the security device, and all the internal users can access the Internet. For the detailed
configuration method, please see "Allowing Private Network to Access Internet Using SNAT" on Page 26.

Configuration Steps

Step 1: Installing and configuring Hillstone Terminal Service Agent in Windows server.

1. Click http://swupdate.hillstonenet.com:1337/sslvpn/download?os=windows-tsagent to download the Hillstone Terminal Service
Agent installation program, and copy it to the Windows server.

2. Double-click HSTSAgent.exe to open it and follow the installation wizard to install it.

3. Double-click the Hillstone Terminal Service Agent shortcut, and the Hillstone Terminal Service Agent dialog pops up.

4. Click the Agent config tab.

o Listening Address IPv4: 0.0.0.0

o Listening Port (1025-65534): 5019

o Heartbeat Interval (1-30s): 5

o Heartbeat Timeout (10-300s): 60

Click Save to save the configurations.

5. Click the Port config tab.

o User Allocable Port Range (1025-65534): 20000-39999

o User Port Block Size (20-2000): 200

o User Port Block Max (1-256): 1

o Passthrough when user port exhausted: Select the check box

Click Save to save the configurations.

Step 2: Configuring TS Agent parameters in StoneOS via WebUI and CLI.

WebUI

Select Object > SSO Client > TS Agent, and click New.

o Name: tsagent1

o Status: Select the Enable check box

o HOST: 10.1.1.1

o Virtual Router: trust-vr

o Port: 5019

o AAA Server: local

o Disconnection Timeout: 300

o Traffic IP: Enter 10.1.1.1, and click Add

Click OK to save the configurations.

CLI

host-name(config)# user-sso client ts-agent tsagent1

host-name(config-ts-agent)# host 10.1.1.1

host-name(config-ts-agent)# aaa-server local

host-name(config-ts-agent)# traffic-ip 10.1.1.1

host-name(config-ts-agent)# enable

host-name(config-ts-agent)# exit

Step 3: Configuring policies in StoneOS via WebUI and CLI.

WebUI

Configuring a policy to allow all DNS traffic to get through.

Because DNS traffic is system traffic of the Windows Server, not the traffic of one specific user, configure a policy to allow all
DNS traffic to get through first.

Select Policy > Security Policy, and click New.

o Name: DNS

o Source

o Zone: any

o Address: any

o Destination

o Zone: any

o Address: any

o Service: DNS

o Action: Permit

Configuring a policy to allow user 1 to access the Internet.

Select Policy > Security Policy, and click New.

o Name: User1

o Source

o Zone: trust

o Address: any

o User: user1

o Destination

o Zone: untrust

o Address: any

o Action: Permit

Configuring a policy to allow user 3 to access the Web service based on HTTP or HTTPS

Select Policy > Security Policy, and click New.

o Name: User3

o Source

o Zone: trust

o Address: any

o User: user3

o Destination

o Zone: untrust

o Address: any

o Service: HTTP, HTTPS

o Action: Permit

CLI


host-name(config)# rule name DNS from any to any service DNS permit

Rule id 2 is created.

host-name(config)# rule name User1 user local user1 from any to any from-zone trust to-zone untrust permit

Rule id 3 is created.

host-name(config)# rule name User3 user local user3 from any to any from-zone trust to-zone untrust service HTTP permit

Rule id 4 is created.

host-name(config)# rule id 4

host-name(config-policy-rule)# service HTTPS

host-name(config-policy-rule)# exit

Step 4: Verifying result

After all the above configurations are finished, only user 1 can access the Internet, while user 2 cannot access the Internet, and user
3 can access the Web service based on HTTP or HTTPS.
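The port-block allocation and user lookup that steps 1 to 3 above set up, as an added example in Python; it is not the TS Agent's or StoneOS's code. It uses the recipe's values (range 20000-39999, block size 200, one block per user, passthrough on exhaustion, traffic IP 10.1.1.1) and assumes that blocks are handed out in ascending order, that a passthrough session uses a port outside the user range and therefore cannot be attributed to a user, and that the step 3 rules are evaluated in order with a default deny; zones are left out.

```python
from collections import deque

# Values from the recipe (Port config tab of the agent and the TS Agent object on the device).
PORT_LOW, PORT_HIGH = 20000, 39999
BLOCK_SIZE = 200
BLOCK_MAX_PER_USER = 1
TRAFFIC_IP = "10.1.1.1"


class PortExhausted(Exception):
    """No block is free and 'Passthrough when user port exhausted' is off (assumed behaviour)."""


class PortBlockAllocator:
    """Hands each terminal-server session fixed source-port blocks, the way the TS Agent does.
    Assumption: blocks start at PORT_LOW and are handed out in ascending order."""

    def __init__(self, low=PORT_LOW, high=PORT_HIGH, block_size=BLOCK_SIZE,
                 max_per_user=BLOCK_MAX_PER_USER, passthrough=True):
        self.max_per_user = max_per_user
        self.passthrough = passthrough
        # 20000-39999 in blocks of 200 gives 100 blocks, so at most 100 attributed sessions.
        self.free = deque((s, min(s + block_size - 1, high))
                          for s in range(low, high + 1, block_size))
        self.owned = {}  # user -> [(start, end), ...]

    def allocate(self, user):
        """Return a (start, end) block, or None when the session must pass through because the
        user hit User Port Block Max or the pool is exhausted and passthrough is enabled."""
        if len(self.owned.get(user, [])) >= self.max_per_user or not self.free:
            if self.passthrough:
                return None
            raise PortExhausted(user)
        block = self.free.popleft()
        self.owned.setdefault(user, []).append(block)
        return block

    def release(self, user):
        """Give the user's blocks back when the remote desktop session disconnects."""
        for block in self.owned.pop(user, []):
            self.free.append(block)

    def owner_of(self, port):
        for user, blocks in self.owned.items():
            if any(start <= port <= end for start, end in blocks):
                return user
        return None


class TsAgentMapping:
    """Device-side table: (traffic IP, source port) -> user, built from what the agent sends."""

    def __init__(self, traffic_ip, allocator):
        self.traffic_ip = traffic_ip
        self.allocator = allocator

    def user_for(self, src_ip, src_port):
        if src_ip != self.traffic_ip:
            return None  # not terminal-server traffic at all
        return self.allocator.owner_of(src_port)


# The step 3 rules in order; user None matches any traffic, services None matches any service.
RULES = [
    {"name": "DNS",   "user": None,    "services": {"DNS"},           "action": "permit"},
    {"name": "User1", "user": "user1", "services": None,              "action": "permit"},
    {"name": "User3", "user": "user3", "services": {"HTTP", "HTTPS"}, "action": "permit"},
]


def evaluate(mapping, src_ip, src_port, service):
    """First matching rule wins; unmatched traffic (user2, and passthrough sessions that carry
    no user) falls to the default deny."""
    user = mapping.user_for(src_ip, src_port)
    for rule in RULES:
        if rule["user"] is not None and rule["user"] != user:
            continue
        if rule["services"] is not None and service not in rule["services"]:
            continue
        return rule["name"], rule["action"]
    return "default", "deny"


def fill_pool(allocator, count):
    """Allocate blocks for `count` further users; returns how many of them got a block."""
    return sum(1 for i in range(count) if allocator.allocate(f"extra{i}") is not None)


if __name__ == "__main__":
    alloc = PortBlockAllocator()
    for u in ("user1", "user2", "user3"):
        print(u, alloc.allocate(u))
    table = TsAgentMapping(TRAFFIC_IP, alloc)
    print(evaluate(table, TRAFFIC_IP, 20450, "HTTPS"))  # user3 -> ('User3', 'permit')
```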


VPN

This chapter introduces virtual private network deployment.

This chapter contains the following recipes:

o IPSec VPN

o "Connection between Two Private Networks Using IPSec VPN (IKEv1)" on Page 147

o "Connection between Two Private Networks Using IPSec VPN (IKEv2)" on Page 160

o "Connecting to Microsoft Azure Using Site-to-Site VPN" on Page 212

o "Establishment of IPSec VPN Based on Certificate Authentication " on Page 173

o "Realizing Dynamic Switch between IPSec Links Using IPSec VPN Smart Link" on Page 186

o SSL VPN

o "Allowing Remote Users to Access a Private Network Using SSL VPN" on Page 199

o "Using an iOS/Android Device to Remotely Access Intranet Services" on Page 223

o L2TP over IPSec VPN

o "Allowing Remote Users ( PC ) to Access a Private Network Using L2TP over IPSec VPN" on Page 230

o "Allowing Remote Users (iOS/Android) to Access a Private Network Using L2TP over IPSec VPN" on Page 249

o GRE over IPSec VPN

o "Connection between Two Private Networks Using GRE over IPSec VPN" on Page 277

o VXLAN

o " Configuring VXLAN Static Unicast Tunnel" on Page 293


Connection between Two Private Networks Using IPSec VPN (IKEv1)


This example tells how to create IPSec VPN (IKEv1) tunnels to encrypt and protect the communication between two private
networks. Usually, an IPSec VPN tunnel connects Device A in a branch office and Device B in the headquarters.

* Note: This topology uses a laboratory environment. In this recipe, 10.10.1.0/24 represents the public network.

Configuration Steps

Device A

Step 1: Configuring interface

1. Configuring the interface connected to the private network

Select Network > Interface, and double-click ethernet0/1.

o Binding Zone: Layer 3 Zone

o Zone: trust

o Type: Static IP

o IP Address: 192.168.1.1

o Netmask: 255.255.255.0

2. Configuring the interface connected to the Internet

Select Network > Interface, and double-click ethernet0/2.

o Binding Zone: Layer 3 Zone

o Zone: untrust

o Type: Static IP

o IP Address: 10.10.1.1

o Netmask: 255.255.255.0


Step 2: Configuring security policies

1. Creating a policy to allow the private network to visit the Internet

Select Policy > Security Policy, and click New.

o Name: trust_untrust

o Source Information

o Zone: trust

o Address: Any

o Destination

o Zone: untrust

o Address: Any

o Other Information

o Action: Permit

2. Creating a security policy to allow the Internet to visit the private network

Select Policy > Security Policy, and click New.

o Name: untrust_trust

o Source Information

o Zone: untrust

o Address: Any

o Destination

o Zone: trust

o Address: Any

o Other Information

o Action: Permit

Step 3: Configuring IPSec VPN

1. Configuring P1 proposal for IKE SA

Select Network > VPN > IPSec VPN, and under the P1 Proposal tab, click New.

o Proposal Name: Headquarter_to_Branch_P1

o Authentication: Pre-share

o Hash: SHA

o Encryption: 3DES

2. Configuring P2 proposal for IPSec SA

Select Network > VPN > IPSec VPN, and under the P2 Proposal tab, click New.

o Proposal Name: Headquarter_to_Branch_P2

o Authentication: ESP

o Hash: SHA

o Encryption: 3DES

3. Configuring VPN peer

Select Network > VPN > IPSec VPN, and under the VPN Peer List tab, click New.

o Name: Headquarter_to_Branch

o Interface: ethernet0/2

o Mode: Main

o Type: Static IP

o Peer IP: 10.10.1.2

o Proposal 1: Headquarter_to_Branch_P1

o Pre-share Key: 123456

4. Configuring IKE VPN

Select Network > VPN > IPSec VPN, and under the IKE VPN List tab, click New.

o Peer Name: Headquarter_to_Branch

o Tunnel Name: Tunnel

o Mode: tunnel

o P2 Proposal: Headquarter_to_Branch_P2

Step 4: Creating tunnel interface

Select Network > Interface, and click New > Tunnel Interface.

o Basic

o Name: 1

o Zone: untrust

o Tunnel Binding

o Tunnel Type: IPSec VPN

o VPN Name: Tunnel

Step 5: Configuring route

Select Network > Routing > Destination Routing, and click New.

o Destination: 192.168.2.0

o Subnet Mask: 24

o Next Hop: Interface

o Interface: tunnel1

Device B

Step 1: Configuring interface

1. Configuring the interface connected to the private network

Select Network > Interface, and double-click ethernet0/1.

o Binding Zone: Layer 3 Zone

o Zone: trust

o Type: Static IP

o IP Address: 192.168.2.1

o Netmask: 255.255.255.0

2. Configuring the interface connected to the Internet

Select Network > Interface, and double-click ethernet0/2.

o Binding Zone: Layer 3 Zone

o Zone: untrust

o Type: Static IP

o IP Address: 10.10.1.2

o Netmask: 255.255.255.0

Step 2: Configuring security policies

1. Creating a policy to allow the private network to visit the Internet

Select Policy > Security Policy, and click New.

o Name: trust_untrust

o Source Information

o Zone: trust

o Address: Any

o Destination

o Zone: untrust

o Address: Any

o Other Information

o Action: Permit

2. Creating a security policy to allow the Internet to visit the private network

Select Policy > Security Policy, and click New.

o Name: untrust_trust

o Source Information

o Zone: untrust

o Address: Any

o Destination

o Zone: trust

o Address: Any

o Other Information

o Action: Permit

Step 3: Configuring IPSec VPN

1. Configuring P1 proposal for IKE SA

Select Network > VPN > IPSec VPN, under the P1 Proposal tab, click New.

o Proposal Name: Branch_to_Headquarter_P1

o Authentication: Pre-share

o Hash: SHA

o Encryption: 3DES

2. Configuring P2 proposal for IPSec SA

Select Network > VPN > IPSec VPN, under the P2 Proposal tab, click New.

o Proposal Name: Branch_to_Headquarter_P2

o Authentication: ESP

o Hash: SHA

o Encryption: 3DES

3. Configuring VPN peer

Select Network > VPN > IPSec VPN, under the VPN Peer List tab, click New.

o Name: Branch_to_Headquarter

o Interface: ethernet0/2

o Mode: Main

o Type: Static IP

o Peer IP: 10.10.1.2

o Proposal 1: Branch_to_Headquarter_P1

o Pre-share Key: 123456

4. Configuring IKE VPN

Select Network > VPN > IPSec VPN, under the IKE VPN List tab, click New.

o Peer Name: Branch_to_Headquarter

o Tunnel Name: Tunnel

o Mode: tunnel

o P2 Proposal: Branch_to_Headquarter_P2

Step 4: Creating tunnel interface

Select Network > Interface, and click New > Tunnel Interface.

o Basic

o Name: 1

o Zone: untrust

o Tunnel Binding

o Tunnel Type: IPSec VPN

o VPN Name: Tunnel

Step 5: Configuring route

Select Network > Routing > Destination Routing, and click New.

o Destination: 192.168.1.0

o Subnet Mask: 24

o Next Hop: Interface

o Interface: tunnel1

Step 6: Results

Use PC1 in the headquarters to ping PC2 in the branch. It works.

Step 7: Check if IPSec VPN tunnel has been established

Go to Network > VPN > IPSec VPN, and click IPSec VPN Monitor on the top right corner. Under the <ISAKMP SA> tab and the <IPSec SA> tab, you will see the status of the tunnel.

Connection between Two Private Networks Using IPSec VPN (IKEv2)


This example tells how to create IPSec VPN (IKEv2) tunnels to encrypt and protect the communication between two private networks. Usually, an IPSec VPN tunnel connects Device A in a branch office and Device B in the headquarters.

* Note: This topology uses a laboratory environment. In this recipe, 10.10.1.0/24 represents the public network.

Configuration Steps

Device A

Step 1: Configuring interface

1. Configuring the interface connected to private network

Select Network > Interface, and double click ethernet0/1.

o Binding Zone: Layer 3 Zone

o Zone: trust

o Type: Static IP

o IP Address: 192.168.1.1

o Netmask: 255.255.255.0

2. Configuring the interface connected to Internet

Select Network > Interface, and double click ethernet0/2.

o Binding Zone: Layer 3 Zone

o Zone: untrust

o Type: Static IP

o IP Address: 10.10.1.1

o Netmask: 255.255.255.0

Step 2: Configuring trust domain and import certificate

1. Creating a trust domain

Select System > Trust Domain, and click New.

o Trust Domain: trust_domain_IPSecVPN

o Enrollment Type: Manual Input

2. Importing a trust domain certificate

Select System > Trust Domain Certificate, and click New.

o Trust Domain: trust_domain_IPSecVPN

o Content: PKCS#12-DER

o Password: hillstone

o Confirm Password: hillstone

o Action: Import

o Certificate: Click Browse to select local certificate.

Step 3: Configuring IPSec VPN

Select Network > VPN > IPSec VPN, click New.

o Peer Name: click the button in the drop-down list to configure the VPN peer.

o Name: Headquarter_to_Branch

o Type: Static IP

o Interface: ethernet0/2

o Protocol Standard: IKEv2

o Peer Address: 10.10.1.2

o Local ID Type: ASN1-DN

o Peer ID Type: ASN1-DN, Wildcard: /C=CN/O=unit/CN=client

o Proposal1: click the button in the drop-down list to configure the P1 proposal for the IKE SA.

o Proposal Name: Headquarter_to_Branch_P1

o Authentication: ECDSA-Signature

o Hash: SHA-256

o Encryption: 3DES

o DH Group: Group2

o Self-signed Trust Domain: trust_domain_IPSecVPN

o Name: tunnel

o Encapsulation Mode: Tunnel

o P2 Proposal: click the button in the drop-down list to configure the P2 proposal for the IPSec SA.

o Proposal Name: Headquarter_to_Branch_P2

o Protocol: ESP

o Hash: SHA

o Encryption: 3DES

o Proxy ID: Click New to configure proxy ID.

o Local IP/Netmask: 192.168.1.2/32

o Remote IP/Netmask: 172.16.1.2/32

o Service: Any

Step 4: Configuring tunnel interface

Select Network > Interface, and click New > Tunnel Interface.

o Interface Name: 1

o Zone: VPNHub

o Tunnel Binding

o Type: IPSec VPN

o Name: tunnel

Step 5: Configuring security policies

Select Policy > Security Policy, and click New.

o Name: trust_vpn

o Source Address: 192.168.1.2/32

o Destination Address: 172.16.1.2/32

o Action: Permit

Select Policy > Security Policy, and click New.

o Name: vpn_trust

o Source Address: 172.16.1.2/32

o Destination Address: 192.168.1.2/32

o Action: Permit

Step 6: Configuring route

Select Network > Routing > Destination Routing, and click New.

o Destination: 172.16.1.0

o Subnet Mask: 24

o Next Hop: Interface

o Interface: tunnel1

Device B

Step 1: Configuring interface

1. Configuring the interface connected to private network

Select Network > Interface, and double click ethernet0/1.

o Binding Zone: Layer 3 Zone

o Zone: trust

o Type: Static IP

o IP Address: 172.16.1.1

o Netmask: 255.255.255.0

2. Configuring the interface connected to Internet

Select Network > Interface, and double click ethernet0/2.

o Binding Zone: Layer 3 Zone

o Zone: untrust

o Type: Static IP

o IP Address: 10.10.1.2

o Netmask: 255.255.255.0

Step 2: Configuring trust domain and import certificate

1. Creating a trust domain

Select System > Trust Domain, and click New.

o Trust Domain: trust_domain_IPSecVPN

o Enrollment Type: Manual Input

2. Importing a trust domain certificate

Select System > Trust Domain Certificate, and click New.

o Trust Domain: trust_domain_IPSecVPN

o Content: PKCS#12-DER

o Password: hillstone

o Confirm Password: hillstone

o Action: Import

o Certificate: Click Browse to select local certificate.

Step 3: Configuring IPSec VPN

Select Network > VPN > IPSec VPN, click New.

o Peer Name: click the button in the drop-down list to configure the VPN peer.

o Name: Branch_to_Headquarter

o Type: Static IP

o Interface: ethernet0/2

o Protocol Standard: IKEv2

o Peer Address: 10.10.1.1

o Local ID Type: ASN1-DN

o Peer ID Type: ASN1-DN, Wildcard: /C=CN/O=unit/CN=client

o Proposal1: click the button in the drop-down list to configure the P1 proposal for the IKE SA.

o Proposal Name: Branch_to_Headquarter_P1

o Authentication: ECDSA-Signature

o Hash: SHA-256

o Encryption: 3DES

o DH Group: Group2

o Self-signed Trust Domain: trust_domain_IPSecVPN

o Name: tunnel

o Encapsulation Mode: Tunnel

o P2 Proposal: click the button in the drop-down list to configure the P2 proposal for the IPSec SA.

o Proposal Name: Branch_to_Headquarter_P2

o Protocol: ESP

o Hash: SHA

o Encryption: 3DES

o Proxy ID: Click New to configure proxy ID.

o Local IP/Netmask: 172.16.1.2/32

o Remote IP/Netmask: 192.168.1.2/32

o Service: Any

Step 4: Configuring tunnel interface

Select Network > Interface, and click New > Tunnel Interface.

o Interface Name: 3

o Zone: untrust

o Tunnel Binding

o Type: IPSec VPN

o Name: tunnel

Step 5: Configuring security policies

Select Policy > Security Policy, and click New.

o Name: trust_vpn

o Source Address: 192.168.1.2/32

o Destination Address: 172.16.1.2/32

o Action: Permit

Select Policy > Security Policy, and click New.

o Name: vpn_trust

o Source Address: 172.16.1.2/32

o Destination Address: 192.168.1.2/32

o Action: Permit

Step 6: Configuring route

Select Network > Routing > Destination Routing, and click New.

o Destination: 192.168.1.0

o Subnet Mask: 24

o Next Hop: Interface

o Interface: tunnel13

Step 7: Check if IPSec VPN tunnel has been established

Use PC1 in the headquarters to ping PC2 in the branch. It works.

Go to Network > VPN > IPSec VPN, and click IPSec VPN Monitor on the top right corner. Under the <ISAKMP SA> tab, you will see the status of the tunnel.

Go to Network > VPN > IPSec VPN, and click IPSec VPN Monitor on the top right corner. Under the <IPSec SA> tab, you will see that phase 2 of the IPSec VPN has been established successfully.
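
The IKEv1 and IKEv2 recipes above enter matching values on two devices by hand, and a tunnel that will not come up is usually one value that does not match its mirror on the other side. The following Python is an added example, not StoneOS code and not part of the cookbook: it models the values of both ends and cross-checks them (peer address against the far interface, P1/P2 proposals algorithm for algorithm, proxy IDs mirrored), and separately names the legacy algorithms the recipes accept. The dataclasses, the check functions and the LEGACY_ALGORITHMS set are assumptions of this example; the sample values are those of the IKEv2 recipe.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List


@dataclass
class Proposal:
    """One IKE (P1) or IPSec (P2) proposal as entered in the StoneOS GUI."""
    hash_alg: str
    encryption: str
    auth: str = ""  # P1: Pre-share / RSA-Signature / ECDSA-Signature; P2: ESP


@dataclass
class VpnEnd:
    """The values one device needs for the site-to-site tunnel."""
    name: str
    wan_ip: str        # address of the interface the VPN peer is bound to
    peer_ip: str       # Peer IP / Peer Address entered on this device
    p1: Proposal
    p2: Proposal
    local_proxy: str   # proxy ID (traffic selector) on this side
    remote_proxy: str
    ike_version: str = "IKEv1"


# Algorithms the recipes accept but a reviewer would ask to replace.
# Assumption: the GUI's plain "SHA" choice means SHA-1.
LEGACY_ALGORITHMS = {"des", "3des", "md5", "sha", "sha1", "sha-1"}


def _norm(value: str) -> str:
    return value.strip().lower()


def check_pair(a: VpnEnd, b: VpnEnd) -> List[str]:
    """Return the mismatches between the two ends (empty list = consistent)."""
    problems = []
    if _norm(a.ike_version) != _norm(b.ike_version):
        problems.append(f"IKE version differs: {a.ike_version} vs {b.ike_version}")
    # Each side must negotiate with the other side's Internet-facing address.
    for this, other in ((a, b), (b, a)):
        if this.peer_ip != other.wan_ip:
            problems.append(f"{this.name}: Peer IP {this.peer_ip} is not "
                            f"{other.name}'s interface address {other.wan_ip}")
    # P1 and P2 proposals must agree algorithm for algorithm.
    for phase, pa, pb in (("P1", a.p1, b.p1), ("P2", a.p2, b.p2)):
        for attr in ("hash_alg", "encryption", "auth"):
            va, vb = getattr(pa, attr), getattr(pb, attr)
            if _norm(va) != _norm(vb):
                problems.append(f"{phase} {attr} mismatch: {va} vs {vb}")
    # Proxy IDs must mirror each other: A's local is B's remote and vice versa.
    for mine, theirs, label in ((a.local_proxy, b.remote_proxy, "local"),
                                (a.remote_proxy, b.local_proxy, "remote")):
        if ip_network(mine, strict=False) != ip_network(theirs, strict=False):
            problems.append(f"proxy ID: {a.name} {label} {mine} is not mirrored "
                            f"on {b.name} ({theirs})")
    return problems


def legacy_algorithms(end: VpnEnd) -> List[str]:
    """Name the legacy hash/encryption choices in either phase of one end."""
    found = []
    for phase, prop in (("P1", end.p1), ("P2", end.p2)):
        for attr in ("hash_alg", "encryption"):
            value = getattr(prop, attr)
            if _norm(value) in LEGACY_ALGORITHMS:
                found.append(f"{phase} {attr}={value}")
    return found


# Values entered in the IKEv2 recipe above; both sides are typed here so the
# checker can compare them.
DEVICE_A = VpnEnd("Device A", wan_ip="10.10.1.1", peer_ip="10.10.1.2",
                  p1=Proposal("SHA-256", "3DES", "ECDSA-Signature"),
                  p2=Proposal("SHA", "3DES", "ESP"),
                  local_proxy="192.168.1.2/32", remote_proxy="172.16.1.2/32",
                  ike_version="IKEv2")
DEVICE_B = VpnEnd("Device B", wan_ip="10.10.1.2", peer_ip="10.10.1.1",
                  p1=Proposal("SHA-256", "3DES", "ECDSA-Signature"),
                  p2=Proposal("SHA", "3DES", "ESP"),
                  local_proxy="172.16.1.2/32", remote_proxy="192.168.1.2/32",
                  ike_version="IKEv2")

if __name__ == "__main__":
    print(check_pair(DEVICE_A, DEVICE_B) or ["both ends are consistent"])
    print("legacy algorithms on Device A:", legacy_algorithms(DEVICE_A))
```
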

Establishment of IPSec VPN Based on Certificate Authentication


This example introduces how to establish IPSec VPN tunnels based on certificate authentication to improve communication security.

As shown in the figure below, an IPsec VPN security tunnel based on certificate authentication is established between Device A and Device B. PC1 is a host behind Device A, and PC2 is a host behind Device B. The data flow between the subnet (192.168.1.0/24) represented by PC1 and the subnet (10.1.1.0/24) represented by PC2 must be protected. RSA signature is used for authentication, ESP as the security protocol, SHA as the hash algorithm and 3DES as the encryption algorithm, so as to ensure the integrity and security of communication data.

Configuration Steps

Device A

Step 1: Configuring interface

Select Network > Interface, and double click ethernet0/1.

o Binding Zone: Layer 3 Zone

o Zone: trust

o Type: Static IP

o IP Address: 192.168.1.1

o Netmask: 255.255.255.0

Select Network > Interface, and double click ethernet0/4.

o Binding Zone: Layer 3 Zone

o Zone: trust

o Type: Static IP

o IP Address: 1.1.1.1

o Netmask: 255.255.255.0

Step 2: Configuring the trust domain and importing the authentication certificate

Select System > PKI > Trust Domain, and click New.

o Trust Domain: trust_domain

o Enrollment Type: Manual Input

Select System > PKI > Trust Domain Certificate.

o Trust Domain: trust_domain

o Content: Select "CA Certificate" and "Local Certificate" respectively.

Tip: If the certificate is in ".p12" format, please select "PKCS#12-DER".

o Action: Import. Click Browse and select the local certificate of Device A and the CA certificate of Device B to be imported from the local PC.

Step 3: Configuring IPSec VPN

1. Configuring Phase 1 Proposal.

Select Network > VPN > IPSec VPN, and click New.

On the IPSec VPN Configuration page, click the button in the Peer Name drop-down list, then on the VPN Peer Configuration page, click the button in the Proposal1 drop-down list.

o Proposal Name: P1

o Authentication: RSA-Signature

o Hash: SHA

o Encryption: 3DES

o DH group: Group2

2. Configuring Phase 2 Proposal.

Select Network > VPN > IPSec VPN, and click New.

On the IPSec VPN Configuration page, click the button in the P2 Proposal drop-down list.

o Proposal Name: P2

o Protocol: ESP

o Hash: SHA

o Encryption: 3DES

3. Configuring peer

Select Network > VPN > IPSec VPN, and click New.

On the IPSec VPN Configuration page, click the button in the Peer Name drop-down list.

o Name: peer1

o Interface: ethernet0/4

o Interface Type: IPv4

o Protocol Standard: IKEV1

o Mode: Main

o Type: Static IP

o Peer Address: 1.1.1.2

o Local ID Type: ASN1-DN

o Peer ID Type: ASN1-DN. The peer ID value is the "Subject" name of the local certificate on the peer device, which needs to be obtained from the peer device.

o Proposal1: P1

o Self-signed Trust Domain: trust_domain

Step 4: Configuring a tunnel instance

Select Network > VPN > IPSec VPN, and click New.

o Peer Name

o Peer Name: peer1

o Tunnel

o Name: tunnel

o Mode: Tunnel

o P2 Proposal: P2

o Proxy ID: Auto

Step 5: Configuring a tunnel interface and binding it to the tunnel instance

Select Network > Interface, click New and select Tunnel Interface.

o Basic

o Interface Name: 1

o Binding Zone: Layer 3 Zone

o Zone: trust

o Tunnel Binding

o Type: IPSec VPN

o VPN Name: tunnel

Step 6: Configuring a tunnel route

Select Network > Routing > Destination Route, and click New.

o Virtual Router: trust-vr

o Destination: 10.1.1.0

o Netmask: 24

o Next-hop: Interface

o Interface: tunnel1

Step 7: Configuring a security policy

Select Policy > Security Policy > Policy, and click New.

o Name: policy

o Source Zone: trust

o Source Address: Any

o Destination Zone: trust

o Destination Address: Any

o Service: Any

o Action: Permit

Device B

Step 1: Configuring interface

Select Network > Interface, and double click ethernet0/1.

o Binding Zone: Layer 3 Zone

o Zone: trust

o Type: Static IP

o IP Address: 10.1.1.100

o Netmask: 255.255.255.0

Select Network > Interface, and double click ethernet0/4.

o Binding Zone: Layer 3 Zone

o Zone: trust

o Type: Static IP

o IP Address: 1.1.1.2

o Netmask: 255.255.255.0

Step 2: Configuring the trust domain and importing the authentication certificate

Select System > PKI > Trust Domain, and click New.

o Trust Domain: trust_domain

o Enrollment Type: Manual Input

Select System > PKI > Trust Domain Certificate.

o Trust Domain: trust_domain

o Content: Select "CA Certificate" and "Local Certificate" respectively.

Tip: If the certificate is in ".p12" format, please select "PKCS#12-DER".

o Action: Import. Click Browse and select the local certificate of Device B and the CA certificate of Device A to be imported from the local PC.

Step 3: Configuring IPSec VPN

1. Configuring Phase 1 Proposal

Select Network > VPN > IPSec VPN, and click New.

On the IPSec VPN Configuration page, click the button in the Peer Name drop-down list, then on the VPN Peer Configuration page, click the button in the Proposal1 drop-down list.

o Proposal Name: P1

o Authentication: RSA-Signature

o Hash: SHA

o Encryption: 3DES

o DH group: Group2

2. Configuring Phase 2 Proposal

Select Network > VPN > IPSec VPN, and click New.

On the IPSec VPN Configuration page, click the button in the P2 Proposal drop-down list.

o Proposal Name: P2

o Protocol: ESP

o Hash: SHA

o Encryption: 3DES

3. Configuring peer

Select Network > VPN > IPSec VPN, and click New.

On the IPSec VPN Configuration page, click the button in the Peer Name drop-down list.

o Name: peer1

o Interface: ethernet0/4

o Interface Type: IPv4

o Protocol Standard: IKEV1

o Mode: Main

o Type: Static IP

o Peer Address: 1.1.1.1

o Local ID Type: ASN1-DN

o Peer ID Type: ASN1-DN. The peer ID value is the "Subject" name of the local certificate on the peer device, which needs to be obtained from the peer device.

o Proposal1: P1

o Self-signed Trust Domain: trust_domain

Step 4: Configuring a tunnel instance

Select Network > VPN > IPSec VPN, and click New.

o Peer Name

o Peer Name: peer1

o Tunnel

o Name: tunnel

o Mode: Tunnel

o P2 Proposal: P2

o Proxy ID: Auto

Step 5: Configuring a tunnel interface and binding it to the tunnel instance

Select Network > Interface, click New and select Tunnel Interface.

o Basic

o Interface Name: 1

o Binding Zone: Layer 3 Zone

o Zone: trust

o Tunnel Binding

o Type: IPSec VPN

o VPN Name: tunnel

Step 6: Configuring a tunnel route

Select Network > Routing > Destination Route, and click New.

o Virtual Router: trust-vr

o Destination: 192.168.1.0

o Netmask: 24

o Next-hop: Interface

o Interface: tunnel1

Step 7: Configuring a security policy

Select Policy > Security Policy > Policy, and click New.

o Name: policy

o Source Zone: trust

o Source Address: Any

o Destination Zone: trust

o Destination Address: Any

o Service: Any

o Action: Permit

Step 8: Check if the network has been interconnected

After the above configuration steps are completed, PC1 and PC2 can ping each other, indicating that the networks between them have been interconnected.

Step 9: Check if IPSec VPN tunnel has been established

Go to Network > VPN > IPSec VPN, and click IPSec VPN Monitor on the top right corner. Under the <ISAKMP SA> tab, it can be seen that phase 1 of the IPSec VPN has been successfully established.

Go to Network > VPN > IPSec VPN, and click IPSec VPN Monitor on the top right corner. Under the <IPSec SA> tab, it can be seen that phase 2 of the IPSec VPN has been successfully established.

Realizing Dynamic Switch between IPSec Links Using IPSec VPN Smart Link

This example tells how to configure IPSec VPN smart link to realize dynamic switching between IPSec links.

As shown in the figure below, an IPSec VPN tunnel connects Device A in a branch office and Device B in the headquarters. If the packet loss rate or latency of the tunnel established over Link1 exceeds the specified threshold, the system switches to Link2 to establish a new IPSec VPN tunnel. ESP is used as the security protocol, SHA-256 as the hash algorithm and AES-256 as the encryption algorithm, so as to ensure the integrity and security of communication data.

Configuration Steps

Device A

Step 1: Configuring interface

1. Configuring the interface connected to private network.

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ip address 173.16.1.1/24

hostname(config-if-eth0/1)# exit

2. Configuring the interface connected to Internet.

hostname(config)# interface xethernet3/0

hostname(config-if-xe3/0)# zone untrust

hostname(config-if-xe3/0)# ip address 1.1.1.1/24

hostname(config-if-xe3/0)# exit

Step 2: Configuring an AAA server and pre-shared key

hostname(config)# aaa-server local type local

hostname(config-aaa-server)# user test1

hostname(config-user)# ike-id fqdn client1

hostname(config-user)# exit

hostname(config-aaa-server)# exit

hostname(config)# exit

hostname# exec generate-user-key rootkey hillstone1 userid client1

userkey: OG64Mk1CPfRLKou3yCwOehMLfQw=

Step 3: Configuring IPSec VPN

1. Configuring P1 proposal.

hostname(config)# isakmp proposal p1

hostname(config-isakmp-proposal)# hash sha256

hostname(config-isakmp-proposal)# encryption aes-256

hostname(config-isakmp-proposal)# group 2

hostname(config-isakmp-proposal)# exit

2. Configuring P2 proposal.

hostname(config)# ipsec proposal p2

hostname(config-ipsec-proposal)# protocol esp

hostname(config-ipsec-proposal)# hash sha256

hostname(config-ipsec-proposal)# encryption aes-256

hostname(config-ipsec-proposal)# exit

3. Configuring ISAKMP peer. It is recommended to enable the DPD function so that the old SA is cleared in time after the link switch.

hostname(config)# isakmp peer peer1

hostname(config-isakmp-peer)# isakmp-proposal p1

hostname(config-isakmp-peer)# mode aggressive

hostname(config-isakmp-peer)# type usergroup

hostname(config-isakmp-peer)# local-id fqdn server1

hostname(config-isakmp-peer)# aaa-server local

hostname(config-isakmp-peer)# interface xethernet3/0

hostname(config-isakmp-peer)# pre-share hillstone1

hostname(config-isakmp-peer)# nat-traversal

hostname(config-isakmp-peer)# generate-route

hostname(config-isakmp-peer)# dpd

hostname(config-isakmp-peer)# exit

Step 4: Creating IPsec VPN tunnel

hostname(config)# tunnel ipsec vpn1 auto

hostname(config-tunnel-ipsec-auto)# ipsec-proposal p2

hostname(config-tunnel-ipsec-auto)# isakmp-peer peer1

hostname(config-tunnel-ipsec-auto)# id local 173.16.1.0/24 remote 173.15.1.0/24 service any

hostname(config-tunnel-ipsec-auto)# exit

Step 5: Creating the tunnel interface to the IPsec VPN tunnel

hostname(config)# interface tunnel1

hostname(config-if-tun1)# zone trust

hostname(config-if-tun1)# tunnel ipsec vpn1

hostname(config-if-tun1)# exit

Step 6: Configuring security policies

hostname(config)# rule from 173.16.1.0/24 to 173.15.1.0/24 service any permit

Device B

Step 1: Configuring interface.

1. Configuring the interface connected to private network.

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ip address 173.15.1.1/24

hostname(config-if-eth0/1)# exit

2. Configuring the interface connected to Internet.

hostname(config)# interface xethernet0/2.1

hostname(config-if-xe0/2.1)# zone untrust

hostname(config-if-xe0/2.1)# ip address 191.1.101.1/24

hostname(config-if-xe0/2.1)# exit

hostname(config)# interface xethernet0/2.2

hostname(config-if-xe0/2.2)# zone untrust

hostname(config-if-xe0/2.2)# ip address 191.1.102.1/24

hostname(config-if-xe0/2.2)# exit

Step 2: Configuring smart link rules

hostname(config)# ipsec smart-link profile smart_profile1

hostname(config-ipsec-smart-link-profile)# link 1 interface xethernet0/2.1 peer 1.1.1.1

hostname(config-ipsec-smart-link-profile)# link 2 interface xethernet0/2.2 peer 1.1.1.1

hostname(config-ipsec-smart-link-profile)# link-track-threshold delay 500 loss-rate 30

hostname(config-ipsec-smart-link-profile)# exit

Step 3: Configuring IPSec VPN

1. Configuring P1 proposal.

hostname(config)# isakmp proposal p1

hostname(config-isakmp-proposal)# hash sha256

hostname(config-isakmp-proposal)# encryption aes-256

hostname(config-isakmp-proposal)# group 2

hostname(config-isakmp-proposal)# exit

2. Configuring P2 proposal.

hostname(config)# ipsec proposal p2

hostname(config-ipsec-proposal)# protocol esp

hostname(config-ipsec-proposal)# hash sha256

hostname(config-ipsec-proposal)# encryption aes-256

hostname(config-ipsec-proposal)# exit

3. Configuring ISAKMP peer.

hostname(config)# isakmp peer peer1

hostname(config-isakmp-peer)# isakmp-proposal p1

hostname(config-isakmp-peer)# mode aggressive

hostname(config-isakmp-peer)# local-id fqdn client1

hostname(config-isakmp-peer)# peer-id fqdn server1

hostname(config-isakmp-peer)# pre-share OG64Mk1CPfRLKou3yCwOehMLfQw=

hostname(config-isakmp-peer)# nat-traversal

hostname(config-isakmp-peer)# generate-route

hostname(config-isakmp-peer)# exit

Step 4: Creating IPsec VPN tunnel.

hostname(config)# tunnel ipsec vpn1 auto

hostname(config-tunnel-ipsec-auto)# ipsec-proposal p2

hostname(config-tunnel-ipsec-auto)# isakmp-peer peer1

hostname(config-tunnel-ipsec-auto)# id local 173.15.1.0/24 remote 173.16.1.0/24 service any

hostname(config-tunnel-ipsec-auto)# smart-link-profile smart_profile1

hostname(config-tunnel-ipsec-auto)# auto-connect

hostname(config-tunnel-ipsec-auto)# exit

Step 5: Binding the tunnel interface to the IPsec VPN tunnel.

hostname(config)# interface tunnel1

hostname(config-if-tun1)# zone trust

hostname(config-if-tun1)# tunnel ipsec vpn1

hostname(config-if-tun1)# exit

Step 6: Configuring route

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ip route 173.16.1.0/24 tunnel1

hostname(config-vrouter)# exit

Step 7: Configuring security policies

hostname(config)# rule from 173.15.1.0/24 to 173.16.1.0/24 service any permit

Step 8: Check if IPSec VPN tunnel has been established

1. With the command show isakmp sa, you can see that the first phase of the IPsec VPN has been successfully established.

hostname# show isakmp sa

Total: 1

L-time - Lifetime

================================================================================

Cookies Gateway Port Algorithm Lifetime

--------------------------------------------------------------------------------

99933c2b~ 1.1.1.1 500 pre-share sha256/aes-256 86388

================================================================================

2. With the command show ipsec sa, you can see that the second phase of the IPsec VPN has been successfully established.

hostname# show ipsec sa

Total: 1

S - Status, I - Inactive, A - Active;

================================================================================

Id VPN Peer IP Port Algorithms SPI Life(s) S

--------------------------------------------------------------------------------

1 vpn1 >1.1.1.1 500 esp:aes-256/sha256 6ddafe72 27332 A

1 vpn1 <1.1.1.1 500 esp:aes-256/sha256 309c97c0 27332 A

================================================================================
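
Step 8 checks the two command outputs by eye. As an added example that is neither StoneOS code nor part of the cookbook, the following Python parses the same two outputs and turns the check into a function that reports why a tunnel is not fully established (no phase 1 SA, a missing or inactive direction in phase 2, or algorithms other than the configured P2 proposal). The regular expressions assume the column layout shown above; the sample output is copied from the page and embedded so the code runs offline.

```python
import re
from typing import Dict, List

# Output of the two verification commands, copied from Step 8 above and
# embedded here so the example runs offline.
ISAKMP_SA_OUTPUT = """\
Total: 1
L-time - Lifetime
================================================================================
Cookies Gateway Port Algorithm Lifetime
--------------------------------------------------------------------------------
99933c2b~ 1.1.1.1 500 pre-share sha256/aes-256 86388
================================================================================
"""

IPSEC_SA_OUTPUT = """\
Total: 1
S - Status, I - Inactive, A - Active;
================================================================================
Id VPN Peer IP Port Algorithms SPI Life(s) S
--------------------------------------------------------------------------------
1 vpn1 >1.1.1.1 500 esp:aes-256/sha256 6ddafe72 27332 A
1 vpn1 <1.1.1.1 500 esp:aes-256/sha256 309c97c0 27332 A
================================================================================
"""

_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# One ISAKMP (phase 1) SA row: cookies, gateway, port, auth, hash/encryption, lifetime.
ISAKMP_ROW = re.compile(
    rf"^(?P<cookies>\S+)\s+(?P<gateway>{_IPV4})\s+(?P<port>\d+)\s+(?P<auth>\S+)\s+"
    r"(?P<hash>[^/\s]+)/(?P<enc>\S+)\s+(?P<lifetime>\d+)\s*$")
# One IPSec (phase 2) SA row; the arrow before the peer IP is the direction.
IPSEC_ROW = re.compile(
    rf"^(?P<id>\d+)\s+(?P<vpn>\S+)\s+(?P<direction>[<>])(?P<peer>{_IPV4})\s+"
    r"(?P<port>\d+)\s+(?P<proto>\w+):(?P<enc>[^/\s]+)/(?P<hash>\S+)\s+"
    r"(?P<spi>[0-9a-fA-F]+)\s+(?P<life>\d+)\s+(?P<status>[IA])\s*$")


def parse_isakmp_sa(text: str) -> List[Dict[str, str]]:
    """Rows of 'show isakmp sa'; banner, header and ruler lines do not match."""
    return [m.groupdict() for m in map(ISAKMP_ROW.match, text.splitlines()) if m]


def parse_ipsec_sa(text: str) -> List[Dict[str, str]]:
    """Rows of 'show ipsec sa'."""
    return [m.groupdict() for m in map(IPSEC_ROW.match, text.splitlines()) if m]


def tunnel_problems(isakmp_text: str, ipsec_text: str, vpn: str, peer: str,
                    expected_enc: str, expected_hash: str) -> List[str]:
    """Explain why the tunnel to `peer` is not fully up; empty list = healthy."""
    problems = []
    if not any(sa["gateway"] == peer for sa in parse_isakmp_sa(isakmp_text)):
        problems.append(f"no phase 1 (ISAKMP) SA with {peer}")
    phase2 = [sa for sa in parse_ipsec_sa(ipsec_text)
              if sa["vpn"] == vpn and sa["peer"] == peer]
    # A working tunnel needs one active SA per direction with the P2 algorithms.
    for arrow, label in ((">", "outbound"), ("<", "inbound")):
        rows = [sa for sa in phase2 if sa["direction"] == arrow]
        if not rows:
            problems.append(f"no {label} phase 2 SA for {vpn}")
        for sa in rows:
            if sa["status"] != "A":
                problems.append(f"{label} SA spi {sa['spi']} is inactive")
            if (sa["enc"], sa["hash"]) != (expected_enc, expected_hash):
                problems.append(f"{label} SA uses {sa['enc']}/{sa['hash']}, "
                                f"expected {expected_enc}/{expected_hash}")
    return problems


if __name__ == "__main__":
    result = tunnel_problems(ISAKMP_SA_OUTPUT, IPSEC_SA_OUTPUT,
                             "vpn1", "1.1.1.1", "aes-256", "sha256")
    print(result or "tunnel vpn1 to 1.1.1.1 is established")
```
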

Step 9: When the packet loss rate or latency of the tunnel established over Link1 (191.1.101.1 -> 1.1.1.1) exceeds the specified threshold, verify that the system can successfully switch to Link2 (191.1.102.1 -> 1.1.1.1) to establish a new IPSec VPN tunnel.

1. With the command show ipsec smart-link-profile smart_profile1, you can see that Link1 is currently used to establish the IPSec tunnel.

hostname(config)# show ipsec smart-link-profile smart_profile1

Total: 1

Status:I - Invalid, A - Active, C - Current negotiation link, * - Cycle start link

================================================================================

Name: smart_profile1

Tunnel name: vpn1

Status: enable

Loss-rate(%): 30

Delay(ms): 500

Track-source: 191.1.101.1

Track-destination: 1.1.1.1

Track-interval(s): 3

Track-count: 10

Switch-cycles: 5

Switch-back-time(s): 600

Switched-count: 0

Switched-cycles: 0

Link-list:

Id interface local-ip peer-ip delay(ms) loss-rate(%) Status

1 xethernet0/2.1 191.1.101.1 1.1.1.1 1 0 *AC

2 xethernet0/2.2 191.1.102.1 1.1.1.1 0 0 I

================================================================================

2. When the packet loss rate or latency of the tunnel established over Link1 exceeds the specified threshold, verify that the system switches to Link2 to establish a new IPSec VPN tunnel. With the command show ipsec smart-link-profile smart_profile1, you can see that the system has automatically switched to Link2 to establish the IPSec tunnel.

2022-12-26 19:27:28,Event WARNING@VPN: IPSec smart link smart_profile1 is switched from link1 to link2, because the time delay 509 is higher than the threshold 500(IPSec Tunnel=vpn1, Loss Rate=0%, Time Delay=509ms).

hostname(config)# show ipsec smart-link-profile smart_profile1

Total: 1

Status:I - Invalid, A - Active, C - Current negotiation link, * - Cycle start link

================================================================================

Name: smart_profile1

Tunnel name: vpn1

Status: enable

Loss-rate(%): 30

Delay(ms): 500

Track-source: 191.1.102.1

Track-destination: 1.1.1.1

Track-interval(s): 3

Track-count: 10

Switch-cycles: 5

Switch-back-time(s): 600

Switched-count: 1

Switched-cycles: 0

Link-list:

Id interface local-ip peer-ip delay(ms) loss-rate(%) Status

1 xethernet0/2.1 191.1.101.1 1.1.1.1 509 0 *I

2 xethernet0/2.2 191.1.102.1 1.1.1.1 0 0 AC

================================================================================
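
Step 9 verifies the switch by reading the profile output and the VPN event by hand. The following Python is an added example (not StoneOS code, not from the cookbook) that parses both, so a monitoring job can tell which link currently carries the tunnel, which links have exceeded the profile's delay or loss-rate limits, and what a switch event says. The regular expressions assume the output layout shown above; the sample text is copied from the page and embedded so the code runs offline.

```python
import re
from typing import Dict, List, Optional

# "show ipsec smart-link-profile" output (after the switch) and the VPN event
# line, both copied from Step 9 above and embedded so the example runs offline.
SMART_LINK_OUTPUT = """\
Total: 1
Status:I - Invalid, A - Active, C - Current negotiation link, * - Cycle start link
================================================================================
Name: smart_profile1
Tunnel name: vpn1
Status: enable
Loss-rate(%): 30
Delay(ms): 500
Track-source: 191.1.102.1
Track-destination: 1.1.1.1
Track-interval(s): 3
Track-count: 10
Switch-cycles: 5
Switch-back-time(s): 600
Switched-count: 1
Switched-cycles: 0
Link-list:
Id interface local-ip peer-ip delay(ms) loss-rate(%) Status
1 xethernet0/2.1 191.1.101.1 1.1.1.1 509 0 *I
2 xethernet0/2.2 191.1.102.1 1.1.1.1 0 0 AC
================================================================================
"""

SWITCH_EVENT = ("2022-12-26 19:27:28,Event WARNING@VPN: IPSec smart link smart_profile1 "
                "is switched from link1 to link2, because the time delay 509 is higher "
                "than the threshold 500(IPSec Tunnel=vpn1, Loss Rate=0%, Time Delay=509ms).")

_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "Key: value" lines; the key may carry a unit suffix such as "Delay(ms)".
FIELD = re.compile(r"^(?P<key>[A-Za-z][A-Za-z -]*?(?:\([^)]*\))?):\s*(?P<value>.*)$")
# One row of the Link-list table.
LINK_ROW = re.compile(
    rf"^(?P<id>\d+)\s+(?P<interface>\S+)\s+(?P<local>{_IPV4})\s+(?P<peer>{_IPV4})\s+"
    r"(?P<delay>\d+)\s+(?P<loss>\d+)\s+(?P<status>[IAC*]+)\s*$")
# The event the device logs when it switches links.
EVENT = re.compile(
    r"IPSec smart link (?P<profile>\S+) is switched from (?P<src>link\d+) to "
    r"(?P<dst>link\d+), because the (?P<metric>[a-z ]+?) (?P<value>\d+) is higher "
    r"than the threshold (?P<threshold>\d+)\(IPSec Tunnel=(?P<tunnel>[^,]+),")


def parse_profile(text: str) -> Dict:
    """Split the command output into its scalar fields and its link rows."""
    profile = {"fields": {}, "links": []}
    for line in text.splitlines():
        row = LINK_ROW.match(line)
        if row:
            link = row.groupdict()
            for key in ("id", "delay", "loss"):
                link[key] = int(link[key])
            profile["links"].append(link)
            continue
        field = FIELD.match(line)
        if field:
            profile["fields"][field["key"]] = field["value"].strip()
    return profile


def current_link(profile: Dict) -> Optional[int]:
    """Id of the link currently negotiating the tunnel (status contains 'C')."""
    for link in profile["links"]:
        if "C" in link["status"]:
            return link["id"]
    return None


def links_over_threshold(profile: Dict) -> List[int]:
    """Ids of links whose measured delay or loss rate exceeds the profile limits."""
    max_delay = int(profile["fields"]["Delay(ms)"])
    max_loss = int(profile["fields"]["Loss-rate(%)"])
    return [link["id"] for link in profile["links"]
            if link["delay"] > max_delay or link["loss"] > max_loss]


def parse_switch_event(line: str) -> Optional[Dict]:
    """Structured view of a link-switch event, or None for any other log line."""
    match = EVENT.search(line)
    if not match:
        return None
    event = match.groupdict()
    event["value"] = int(event["value"])
    event["threshold"] = int(event["threshold"])
    return event


if __name__ == "__main__":
    profile = parse_profile(SMART_LINK_OUTPUT)
    print("current link:", current_link(profile),
          "over threshold:", links_over_threshold(profile))
    print(parse_switch_event(SWITCH_EVENT))
```
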

Allowing Remote Users to Access a Private Network Using SSL VPN


This example shows how to use SSL VPN to provide remote users with access to corporate internal network.

Networking Scenario

The topology describes remote users A and B on the Internet trying to visit an internal server within a corporation. Using an SSL VPN tunnel, the connection between the remote users and the private server is encrypted and safe. In addition, the Two-Step Verification function based on the SMS Modem method is enabled to enhance the security of user login. Remote User A belongs to group1 and Remote User B belongs to role1. Users in group1 are allowed to access the Bug system and users whose role is role1 are allowed to access the OA system. Data is transmitted over the TCP protocol to strengthen communication stability.

Configuration Steps

Step 1: Creating a local user

Select Object > User > Local User. Under Local Server "local", click New > User.

o Name: test1

o Password: 123456

o Confirm Password: 123456

o Mobile + country code: Configure your valid mobile number. When you log in to the SSL VPN client, if the SMS authentication function is enabled, the SMS gateway or SMS modem will send the verification code to the mobile.

Repeat the steps above to create a user named test2.

Step 2: Binding the user "test1" to a user group

Select Object > User > Local User. Under Local Server
"local", click New > User Group.

o Name: group1

o User: test1

Step 3: Binding the user "test2" to a role

Select Object > Role > Role. Click New.

o Role name: role1

Select Object > Role > Role Mapping. Click New.

o Name: mapping-role1

o Role mapping rule: Role "role1"; Type "User"; Mapping source "test2"

Select Object > AAA Server. Under Local Server "local", click Edit.

o Role mapping rule: mapping-role1

Note: When you bind a user to a role, you must configure a role mapping rule on the local server regardless of the server type the user belongs to. Otherwise, the tunnel route of that role is not deployed to the user when logging in to the client.


Step 4: Configuring SMS Gateway

Select System > SMS Parameters > SMS Gateway, click New.

o Protocol Type: SGIP

o Service Provider: hillstone

o Virtual Router: trust-vr

o Host: IP; 43.240.X.X

o Port: 8801

o Company Code: 27484X

o Source Number: 10690333

o User name and Password: enter the actual user name and password used to log in to the SMS gateway.

Step 5: Configuring SCVPN address pool

Select Object > Access Address Pool. In the IPv4 tab, click New.

o Address Pool Name: scpool

o Start IP: 192.168.1.2

o End IP: 192.168.1.100

o Netmask: 255.255.255.0

o DNS1: 10.160.65.60

The pool starts at 192.168.1.2 so that it does not include the tunnel interface address 192.168.1.1 configured in Step 6.


Step 6: Creating tunnel interface

Select Network > Zone, and click New.

o Zone: VPN

o Type: Layer 3 Zone

o Virtual Router: trust-vr

Select Network > Interface, and click New > Tunnel Interface.

o Interface Name: tunnel1

o Binding Zone: Layer 3 Zone

o Zone: VPN

o Type: Static IP

o IP Address: 192.168.1.1

o Netmask: 255.255.255.0

Note: The tunnel interface must be in the same network segment as the SSL VPN address pool.


Step 7: Configuring resources

Select Network > VPN > SSL VPN. In the upper-right corner, select Configuration > Resource List. In the Resource List panel, click New.

o Name: Bug System

o Resource: Name "Bug System"; URL "https://bug123.com"

Repeat the steps above to create a resource named OA System (with an entry whose name is "OA System" and URL is "https://oa123.com").

Step 8: Configuring SCVPN

Select Network > VPN > SSL VPN, and click New.

In the Name/Access User tab:

o SSL VPN Name: ssl vpn

o Assigned Users: click New, and select local from the AAA Server drop-down list

In the Interface tab:

o Egress Interfaces: ethernet0/3

o Service port: 4433

o Tunnel Interface: tunnel1

o Address Pool: scpool


In the Tunnel Route tab, configure two tunnel routes:

Tunnel route of user group group1:

o IP: 10.160.65.0

o Netmask: 255.255.255.0

o Type: User Group

o User Group/Role: group1

o AAA Server: local

Tunnel route of role role1:

o IP: 172.16.12.0

o Netmask: 255.255.255.0

o Type: Role

o User Group/Role: role1

The tunnel route must cover the IP address of the internal server, that is, the route prefix and the server address must fall into the same CIDR block; otherwise the client never sends the server's traffic into the tunnel.


In the Binding Resource tab, click New and bind two resources.

Resource of user group group1:

o Name: Bug System

o Type: User Group

o User Group/Role: group1

o AAA Server: local

Resource of role role1:

o Name: OA System

o Type: Role

o User Group/Role: role1

Click Advanced Configuration. In the Parameters tab, under Advanced Parameters:

o Port (TCP): 10000

After configuring SCVPN on the StoneOS device, you also need to enable the Communication Stability Optimization function on the SCVPN client (the Stability Optimization option in Step 10). The client then communicates with the StoneOS device over TCP on this port, so any firewall between the client and ethernet0/3 must allow this TCP port in addition to the service port 4433.


Click Advanced Configuration. In the Two-Step Verification tab:

o Two-Step Verification: click the Enable button

o Type: SMS Authentication

o SMS Auth Type: SMS Gateway

o SMS Gateway Name: hillstone

o Lifetime of SMS Verification Code: 10

o Sender Name: FWvisitAPP

o Verification Code Length: 8

Step 9: Creating policy from VPN to any

Select Object > Address Book. Click New and configure the source address used by the security policies policy1 and policy2.

o Name: address1-src

o Type: IPv4

o Member: IP Range; 192.168.1.2-192.168.1.100

We recommend that the address member matches the IP range of the SSL VPN access address pool exactly; a narrower range leaves some assigned clients without a matching policy.


Select Object > Address Book. Click New and configure the address book entries of the internal server resources.

Configure the address book of Bug System:

o Name: bug-address

o Type: IPv4

o Member: IP/Netmask; 10.160.65.52/32

Repeat the steps above to configure the address book of OA System.

o Name: oa-address

o Type: IPv4

o Member: IP/Netmask; 172.16.12.12/32


Select Policy > Security Policy > Policy. Then, select New > Policy and configure the security policy for the user test1.

o Name: policy1

o Address Type: IPv4

o Source Zone: VPN

o Source Address: address1-src

o Destination Zone: trust

o Destination Address: bug-address

o User: group1

o Service: Any

o Action: Permit

Repeat the steps above to configure the security policy for the user test2.

o Name: policy2

o Address Type: IPv4

o Source Zone: VPN

o Source Address: address1-src

o Destination Zone: trust

o Destination Address: oa-address

o User: role1

o Service: Any

o Action: Permit

Both policies use the same source address range, so it is the User field (group1 or role1) that restricts each server to its intended users; without it, any connected client could reach both servers.

Step 10: Results

After the configuration above, the user test1 enters the address "https://10.196.4.136:4433" in a browser. On the page that opens, select the Windows tab and click Download.

After the user opens the client, click Add Connection in the upper-right corner. In the dialog box that appears, enter the following information:

o Connection name: test1

o Server: 10.196.4.136

o Port: 4433

o Stability Optimization: Enable (after the user logs in to the SSL VPN client, it uses TCP to access the resources of the server in the trust zone)

Click OK. A login information entry is generated.


Click Connect. The Connect dialog box appears.

o Username: test1

o Password: 123456

After you enter the information above, the SMS Authentication dialog box appears for the second authentication step of the VPN login.

View the 8-digit verification code received on the mobile phone of the user test1, enter it into the field, and then click Verify.

After the client displays a successful connection, the PC of the user test1 can securely access the Bug System on the internal network via SSL VPN. In addition, click the Route tab on the client to view the tunnel route deployed by the device to the user test1, who belongs to the user group group1.

Repeat the steps above on the PC of the user test2. After the client displays a successful connection, the PC of the user test2 can securely access the OA System on the internal network via SSL VPN. In addition, click the Route tab on the client to view the tunnel route deployed by the device to the user test2, who has the role role1.
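The recipe above depends on several values agreeing with each other: the address pool must sit inside the tunnel interface's segment without including the interface address, the policy source object should match the pool, and every server bound to a group or role must be covered by a tunnel route pushed to that same group or role. The following Python script is an added example that checks those relations offline; it is not part of the StoneOS cookbook and not a StoneOS tool. The values are the recipe's own, while the dictionary layout and the function names are this example's assumptions.

```python
"""Address-plan consistency checks for the SSL VPN recipe above.

Added example, not part of the StoneOS cookbook and not a StoneOS tool.
The values are the recipe's own (scpool, tunnel1, the two tunnel routes,
the bound resources and the address objects of Step 9); the dictionary
layout and the function names are this example's assumptions.
"""
import ipaddress

# Constructed from the recipe's steps.
SSLVPN_PLAN = {
    "tunnel_if": "192.168.1.1/24",                    # Step 6: tunnel1
    "pool": ("192.168.1.2", "192.168.1.100"),         # Step 5: scpool
    "policy_src": ("192.168.1.2", "192.168.1.100"),   # Step 9: address1-src
    "tunnel_routes": {                                # Step 8: Tunnel Route tab
        ("User Group", "group1"): ["10.160.65.0/24"],
        ("Role", "role1"): ["172.16.12.0/24"],
    },
    "servers": {                                      # Step 9: bug-address, oa-address
        ("User Group", "group1"): ["10.160.65.52/32"],
        ("Role", "role1"): ["172.16.12.12/32"],
    },
}


def check_plan(plan):
    """Return the list of problems found; an empty list means the plan is consistent."""
    problems = []
    tun = ipaddress.ip_interface(plan["tunnel_if"])
    pool_lo, pool_hi = (ipaddress.ip_address(a) for a in plan["pool"])
    if pool_lo > pool_hi:
        problems.append("pool start is above pool end")
    # The pool must lie in the tunnel interface's segment (note in Step 6) ...
    if pool_lo not in tun.network or pool_hi not in tun.network:
        problems.append("pool is not in the tunnel interface subnet")
    # ... but must not hand out the tunnel interface's own address.
    if pool_lo <= tun.ip <= pool_hi:
        problems.append("pool contains the tunnel interface address")
    # The policy source object should match the pool exactly (recommendation
    # in Step 9); a narrower range leaves some clients with no matching policy.
    if tuple(plan["policy_src"]) != tuple(plan["pool"]):
        problems.append("policy source range differs from the pool")
    # Every server bound to a group/role must be covered by a tunnel route that
    # is pushed to the same group/role, or the client never routes it into the tunnel.
    for who, hosts in plan["servers"].items():
        routes = [ipaddress.ip_network(r) for r in plan["tunnel_routes"].get(who, [])]
        for host in hosts:
            if not any(ipaddress.ip_network(host).subnet_of(r) for r in routes):
                problems.append(f"{who[1]}: server {host} has no tunnel route")
    return problems


def routes_pushed_to(plan, memberships):
    """Tunnel routes a client receives given its (type, name) memberships."""
    routes = []
    for who in memberships:
        routes.extend(plan["tunnel_routes"].get(who, []))
    return sorted(routes)


if __name__ == "__main__":
    print("problems:", check_plan(SSLVPN_PLAN) or "none")
    print("routes for test1:", routes_pushed_to(SSLVPN_PLAN, [("User Group", "group1")]))
```

Run it before applying the configuration, or after editing any of the five objects it reads; changing the pool to start at 192.168.1.1 or moving a tunnel route off the server's /24 produces a named problem instead of a silently broken login.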


Connecting to Microsoft Azure Using Site-to-Site VPN

More and more customers deploy their servers or services on public cloud providers such as Microsoft Azure to get reliable, high-performance services that are easy to deploy and quick to bring to market.

This example shows how to configure a site-to-site VPN to establish an IPsec VPN tunnel between Microsoft Azure and a Hillstone device.

In the topology below, the Hillstone device is the enterprise gateway and terminates an IPsec VPN tunnel between the company and Microsoft Azure. The IKEv2 proposal uses SHA for authentication and 3DES for encryption, and the IPsec proposal uses SHA and AES, so the local network can reach the hosted cloud services. These legacy algorithms are chosen for compatibility; where both ends support it, prefer AES and SHA-2 with DH group 14 or higher.

* Note: This topology uses a laboratory environment. In this recipe, 124.193.87.66 represents the Hillstone device's public IP, 192.168.0.0/16 the internal subnet of the enterprise, 13.94.46.90 the public IP of Microsoft Azure, and 10.11.0.0/16 the internal subnet of Microsoft Azure.

The configuration process is as follows:

Configure Microsoft Azure:

1. Create a virtual network

2. Create the gateway subnet

3. Create the VPN gateway

4. Create the local network gateway

5. Create the VPN connection

Configure Hillstone device:

1. Configuring IPSec VPN

2. Creating IPsec VPN IKEv2 tunnel

3. Binding the tunnel interface to the IPsec VPN IKEv2 tunnel

4. Configuring route

Configure Microsoft Azure

In Microsoft Azure, configure the following settings:


Step 1: Create a virtual network

1. Access the Microsoft Azure website via the browser and sign in with your Azure account.

2. Click Virtual networks in the "Azure service" section of the Home page to open the virtual network page.

3. Click +Add.

4. In the Create virtual network page, configure the following information (take the environment in the topology as an example):

o Name: VNet

o Address space: 10.11.0.0/16

o Subscription: select the existing subscription to use: "Pay-As-You-Go"

o Resource group: cloudedge-test

o Location: East US

o Subnet name: default

o Subnet address range: 10.11.0.0/16

Note: Subnets in one virtual network cannot overlap. A default subnet that takes the whole 10.11.0.0/16 address space leaves no room for the gateway subnet 10.11.255.0/27 created in Step 2, so give the default subnet a smaller range inside the address space (for example 10.11.0.0/24) if the gateway subnet is to fit.

5. Click Create to create the virtual network.


Step 2: Create the gateway subnet

1. In the list on the virtual network page, select the created virtual network "VNet" and click its name.

2. In the Settings section on the left side of the virtual network detail page, select Subnets.

3. In the "VNet - Subnets" page, click +Gateway subnet.

4. In the Add subnet page, configure the following information (take the environment in the topology as an example):

o Name: the default value "GatewaySubnet"

o Address range (CIDR block): 10.11.255.0/27

5. Click OK to create the gateway subnet.


Step 3: Create the VPN gateway

1. Click Create a resource in the "Azure service" section of the Home page.

2. In the Search the Marketplace field, search for Virtual Network Gateway.

3. Click Create.

4. In the Create virtual network gateway page, configure the following information (take the environment in the topology as an example):

o Name: VNetGateway

o Region: East US (the gateway must be created in the region where your virtual network is located)

o Gateway type: VPN

o VPN type: Route-based

o SKU: VpnGw1 (about SKUs, refer to https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsku)

o Virtual network: VNet (choose the one to which you want to add the gateway)

o Public IP address: Create new (only dynamic public IP address allocation is supported currently; enter the public address name)


o Public IP address name: PublicIP

5. Click Review + create and wait for the virtual network gateway deployment. After the virtual network gateway is created, the public IP address is assigned; this is the address used as the match-peer on the Hillstone device (13.94.46.90 in this recipe).


Step 4: Create the local network gateway

1. Click Create a resource in the "Azure service" section of the Home page.

2. In the Search the Marketplace field, search for Local Network Gateway.

3. Click Create.

4. In the Create local network gateway page, configure the following information (take the environment in the topology as an example):

o Name: Hillstone

o IP address: 124.193.87.66

o Address space: 192.168.0.0/16

o Subscription: select the existing subscription to use: "Pay-As-You-Go"

o Resource group: cloudedge-test

o Location: East US

5. Click Create to create the local network gateway.

The IP address and the address space entered here must match the local-id and the traffic-selector source subnet configured on the Hillstone device.


Step 5: Create the VPN connection (perform this step after completing "Configure Hillstone Device")

1. Click the created virtual network gateway VNetGateway in the Recent resources list on the home page.

2. In the Settings section on the left side of the virtual network gateway detail page, select Connections.

3. Click Add.

4. In the Add connection page, configure the following information (take the environment in the topology as an example):

o Name: VNet1toSite2

o Connection type: Site-to-site (IPsec)

o Virtual network gateway: VNetGateway

o Local network gateway: Hillstone

o Shared key (PSK): hillstone (must match the key in "Configure Hillstone Device"; this value is a lab placeholder, use a long random key in production)

o Resource group: cloudedge-test

5. Click OK to create the connection.

Note:

o About VPN devices and IPsec/IKE parameters for Site-to-Site VPN Gateway connections, refer to the Microsoft Azure documentation:
https://docs.microsoft.com/en-gb/azure/vpn-gateway/vpn-gateway-about-vpn-devices.


o About "Create a Site-to-Site connection in the Azure portal", refer to the Microsoft Azure documentation:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal.

Configure Hillstone Device

Step 1: Configuring IPSec VPN


1. Configuring the P1 proposal for the IKEv2 SA.

hostname(config)# ikev2 proposal Azure_to_Hillstone_P1
hostname(config-ikev2-proposal)# hash sha
hostname(config-ikev2-proposal)# encryption 3des
hostname(config-ikev2-proposal)# group 2
hostname(config-ikev2-proposal)# lifetime 10800
hostname(config-ikev2-proposal)# exit

2. Configuring the P2 proposal for the IPsec IKEv2 SA.

hostname(config)# ikev2 ipsec-proposal Azure_to_Hillstone_P2
hostname(config-ikev2-ipsec-proposal)# hash sha
hostname(config-ikev2-ipsec-proposal)# encryption aes
hostname(config-ikev2-ipsec-proposal)# lifetime 3600
hostname(config-ikev2-ipsec-proposal)# exit

3. Configuring the IKEv2 peer.

hostname(config)# ikev2 peer peer1
hostname(config-ikev2-peer)# interface ethernet0/1
hostname(config-ikev2-peer)# match-peer 13.94.46.90
hostname(config-ikev2-peer)# ikev2-proposal Azure_to_Hillstone_P1
hostname(config-ikev2-peer)# local-id ip 124.193.87.66

4. Creating the IKEv2 profile (peer identity, pre-shared key and traffic selectors).

hostname(config-ikev2-peer)# ikev2-profile esp-peer1
hostname(config-ikev2-profile)# remote id ip 13.94.46.90
hostname(config-ikev2-profile)# remote key hillstone
hostname(config-ikev2-profile)# traffic-selector src subnet 192.168.0.0/16
hostname(config-ikev2-profile)# traffic-selector dst subnet 10.11.0.0/16
hostname(config-ikev2-profile)# exit
hostname(config-ikev2-peer)# exit
hostname(config)#

Step 2: Creating IPsec VPN IKEv2 tunnel

hostname(config)# tunnel ipsec Azure ikev2
hostname(config-ikev2-tunnel)# ikev2-peer peer1
hostname(config-ikev2-tunnel)# ipsec-proposal Azure_to_Hillstone_P2
hostname(config-ikev2-tunnel)# auto-connect
hostname(config-ikev2-tunnel)# exit
hostname(config)#

Step 3: Binding the tunnel interface to the IPsec VPN IKEv2 tunnel

hostname(config)# interface tunnel1
hostname(config-if-tun1)# zone trust
hostname(config-if-tun1)# tunnel ikev2 Azure
hostname(config-if-tun1)# exit
hostname(config)#

Step 4: Configuring route

hostname(config)# ip vrouter trust-vr
hostname(config-vrouter)# ip route 10.11.0.0/16 tunnel1
hostname(config-vrouter)# exit
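The Azure portal steps and the StoneOS CLI steps above describe the same tunnel twice, and most failed site-to-site connections come from the two descriptions disagreeing: a peer address, the pre-shared key, or the protected networks (Azure's local network gateway address space and VNet address space must equal the StoneOS traffic selectors, and the static route must not be wider than the destination selector). The Python script below is an added example that records both sides as entered in this recipe and checks that they agree; it also applies the subnet-overlap rule from Step 1 to the VNet and flags the legacy algorithms. It is not part of the cookbook and not StoneOS or Azure tooling; the dictionary layout, the function names and the LEGACY_ALGORITHMS set are this example's assumptions.

```python
"""Two-sided consistency check for the Azure site-to-site recipe above.

Added example, not part of the StoneOS cookbook and not StoneOS or Azure
tooling. AZURE holds what the recipe enters in the Azure portal and STONEOS
what it enters in the StoneOS CLI; the dictionary layout, the function
names and the LEGACY_ALGORITHMS set are this example's assumptions.
"""
import ipaddress

# Constructed from Steps 1-5 of "Configure Microsoft Azure".
AZURE = {
    "vnet_space": "10.11.0.0/16",
    "subnets": {"default": "10.11.0.0/16", "GatewaySubnet": "10.11.255.0/27"},
    "gateway_public_ip": "13.94.46.90",
    "local_gateway_ip": "124.193.87.66",      # local network gateway "Hillstone"
    "local_address_space": "192.168.0.0/16",
    "psk": "hillstone",
}

# Constructed from Steps 1-4 of "Configure Hillstone Device".
STONEOS = {
    "local_id": "124.193.87.66",
    "match_peer": "13.94.46.90",
    "psk": "hillstone",
    "ts_src": "192.168.0.0/16",
    "ts_dst": "10.11.0.0/16",
    "route_via_tunnel": "10.11.0.0/16",
    "ike": {"hash": "sha", "encryption": "3des", "group": 2},
    "ipsec": {"hash": "sha", "encryption": "aes"},
}

LEGACY_ALGORITHMS = {"des", "3des", "md5"}   # assumption: what this example flags


def check_vnet_subnets(azure):
    """Subnets must lie inside the address space and must not overlap each other."""
    space = ipaddress.ip_network(azure["vnet_space"])
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in azure["subnets"].items()}
    problems = [f"{n} is outside the address space" for n, c in nets.items()
                if not c.subnet_of(space)]
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    return problems


def check_tunnel(azure, stoneos):
    """Both ends must describe the same peers, key and protected networks."""
    net = ipaddress.ip_network
    problems = []
    if stoneos["match_peer"] != azure["gateway_public_ip"]:
        problems.append("match-peer is not the Azure VPN gateway public IP")
    if stoneos["local_id"] != azure["local_gateway_ip"]:
        problems.append("local-id is not the local network gateway IP address")
    if stoneos["psk"] != azure["psk"]:
        problems.append("pre-shared keys differ")
    # Traffic selectors mirror the two address spaces: Azure protects exactly the
    # networks it was told about, not whatever the StoneOS route points into the tunnel.
    if net(stoneos["ts_src"]) != net(azure["local_address_space"]):
        problems.append("traffic-selector src differs from the local network gateway address space")
    if net(stoneos["ts_dst"]) != net(azure["vnet_space"]):
        problems.append("traffic-selector dst differs from the VNet address space")
    if not net(stoneos["route_via_tunnel"]).subnet_of(net(stoneos["ts_dst"])):
        problems.append("route via tunnel1 is wider than the traffic-selector dst")
    return problems


def legacy_algorithms(stoneos):
    """Legacy choices in the proposals; warnings, not errors, since they may be needed for compatibility."""
    found = [f"{phase}:{v}" for phase in ("ike", "ipsec")
             for k, v in stoneos[phase].items()
             if k in ("hash", "encryption") and v in LEGACY_ALGORITHMS]
    if stoneos["ike"]["group"] < 14:
        found.append(f"ike:group{stoneos['ike']['group']}")
    return found


if __name__ == "__main__":
    print("VNet subnets:", check_vnet_subnets(AZURE) or "ok")
    print("tunnel:", check_tunnel(AZURE, STONEOS) or "ok")
    print("legacy:", legacy_algorithms(STONEOS) or "none")
```

On the recipe's values, check_tunnel reports nothing, check_vnet_subnets reports that the gateway subnet overlaps the /16 default subnet (shrink the default subnet as noted in Step 1), and legacy_algorithms lists 3DES and DH group 2 in the IKE proposal as candidates to replace once the Azure side is known to accept stronger ones.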


Using an iOS/Android Device to Remotely Access Intranet Services

This example shows how to use an iOS/Android device to remotely access resources in the private network.

In the topology below, a remote user on the Internet uses an iOS/Android device to access the intranet server Server1. Authentication is by username and password, and the connection is based on SSL VPN. First complete steps 1 to 5 of "Allowing Remote Users to Access a Private Network Using SSL VPN" on Page 199 to create an SSL VPN instance.

Using an iOS Device to Remotely Access Intranet Services

The VPN client of version 2.0.8 is used as an example.


Step 1: Downloading and installing Hillstone Access Client

In the App Store, search for Hillstone Access Client and click Get to download and install the application.

Step 2: Connecting to the device

Click the HSAccess icon on the iOS home screen.

In the login page:

o Connection: connection1

o Server: 153.34.29.1

o Port: 4433

o Account: user1

o Password: 123456

Click Login. The client starts to connect to the server.


Step 3: Installing the VPN configuration profile

In the Add VPN Configurations dialog, click Allow to install the VPN configuration profile, then enter your passcode.


Step 4: Creating a VPN connection

In iOS, select Settings > VPN.

In the list, select connection1.

Turn on the VPN switch. iOS connects to the VPN.

Step 5: Verifying the connection status

When the VPN status is Connected and the Connection tab of the client displays Connected, the client has successfully established the VPN connection to the device.


Step 6: Accessing intranet services

Use the iOS device to visit Server1.


Using an Android Device to Remotely Access Intranet Services

Step 1: Downloading and installing Hillstone Secure Connect

Visit Google Play to download and install Hillstone Secure Connect VPN:
https://play.google.com/store/apps/details?id=com.hillstone.vpn

Step 2: Creating a VPN connection

In Android, click the Hillstone Secure Connect icon:

o Server: 153.34.29.1

o Port: 4433

o Account: user1

o Password: 123456

Click Login.

After the VPN connection is established successfully, a key icon appears in the notification area of your Android system.


Step 3: Accessing intranet services

Use the Android device to visit Server1.


Allowing Remote Users (PC) to Access a Private Network Using L2TP over IPSec VPN

This example shows how to use L2TP over IPSec VPN to provide remote users with access to the corporate internal network.

The topology is shown below. A remote user, located at home or in a hotel, accesses the Internet through a router with NAT enabled. The remote user uses L2TP over IPSec VPN to reach the server (PC1) in the corporate internal network, which is protected by device A.

* Due to the lab environment, 10.10.1.0/24 represents the public network segment.

The configuration process consists of five parts:

o Configure basic settings

o Configure IPSec VPN

o Configure L2TP VPN

o Set up a VPN connection in Windows/Mac

o Adjust whether to use IPSec for L2TP VPN

Configuring Basic Settings

In device A, configure the following settings:


Step 1: Configuring an interface

Configuring the interface connected to the intranet

Select Network > Interface, and double-click ethernet0/1.

o Binding Zone: Layer 3 Zone

o Zone: dmz

o Type: Static IP

o IP Address: 192.168.1.1

o Netmask: 255.255.255.0

o Keep the default of other parameters

Configuring the interface connected to the Internet

Select Network > Interface, and double-click ethernet0/2.

o Binding Zone: Layer 3 Zone

o Zone: untrust

o Type: Static IP

o IP Address: 10.10.1.1

o Netmask: 255.255.255.0

o Keep the default of other parameters


Configuring the tunnel interface

Select Network > Interface > New > Tunnel Interface.

o Interface name: tunnel1

o Binding Zone: Layer 3 Zone

o Zone: trust

o IP Address: 192.168.3.1

o Netmask: 255.255.255.0

o Keep the default of other parameters


Step 2: Configuring a security policy

Configure a security policy that allows traffic from the trust zone, where the tunnel interface is located, to the dmz zone, where the internal server is located.

Select Policy > Security Policy > New.

o Name: trust_to_dmz

o Source

o Zone: trust

o Address: Any

o Destination

o Zone: dmz

o Address: Any

o Other

o Service/Service Group: Any

o Action: Permit

Any/Any is the lab setting. In production, narrow the source to the L2TP address pool (192.168.3.2-192.168.3.100, created below) and the destination to the server PC1, so that a VPN user can reach only what the VPN is meant to expose.

Configuring IPSec VPN

In device A, configure the following settings:


Step 1: Creating a P1 proposal and a P2 proposal

Click Network > VPN > IPSec VPN. In the P1 Proposal tab, click New.

o Proposal Name: p1forl2tp

o Authentication: Pre-share

o Hash: SHA

o Encryption: 3DES

o DH Group: Group2

o Lifetime: 86400

In the P2 Proposal tab, click New.

o Proposal Name: p2forl2tp

o Protocol: ESP

o Hash: SHA

o Encryption: 3DES

o Compression: None

o PFS Group: No PFS

o Lifetime: 28800

o Lifesize: Enable, 250000


Step 2: Configuring a VPN peer

Click Network > VPN > IPSec VPN. In the VPN Peer List tab, click New.

In the Basic tab, configure the following settings:

o Name: toclient

o Interface: ethernet0/2

o Mode: Main

o Type: User Group

o AAA Server: local

o Proposal1: p1forl2tp

o Pre-shared Key: hillstone

In the Advanced tab, configure the following settings:

o NAT Traversal: Enable

o Any Peer ID: Enable

o Keep the default of other parameters

NAT Traversal is required because the remote user sits behind a NAT router, and Any Peer ID is required because the clients connect from addresses that are not known in advance. With these settings every client shares the one pre-shared key, so the per-user L2TP credentials configured later are what actually identify a user; choose a strong pre-shared key rather than the lab value hillstone.


Step 3: Configuring IKE VPN

Click Network > VPN > IPSec VPN. In the IKE VPN List tab, click New.

In the Basic tab, configure the following settings:

o Peer

o Peer Name: toclient

o Tunnel

o Name: toclienttunnel

o Mode: transport

o P2 proposal: p2forl2tp

In the Advanced tab, configure the following settings:

o Accept-all-proxy-ID: Enable

o Keep the default of other parameters

Transport mode is used because IPSec here protects only the L2TP packets exchanged between the client and device A (L2TP over IPSec), not a tunnel between two networks.

Configuring L2TP VPN

In device A, configure the following settings:


Step 1: Creating an L2TP pool

Select Network > VPN > L2TP VPN > Address Pool.

In the Address Pool dialog, click New.

o Address Pool Name: pool1

o Start IP: 192.168.3.2

o End IP: 192.168.3.100

The pool lies in the subnet of the tunnel interface tunnel1 (192.168.3.1/24) and starts at .2 so that it does not include the interface's own address.

Step 2: Adding a user in the 'local' AAA server

Select Object > User > Local User > New > User.

o Name: user1

o Password: hillstone

o Confirm Password: hillstone

Step 3: Configuring an L2TP VPN instance

Select Network > VPN > L2TP VPN > New.

In the Name/Access User tab, configure the following settings:

o L2TP VPN Name: l2tpinstance1

o AAA Server: local

o Click Add

In the Interface/Address Pool/IPSec Tunnel tab, configure the following settings:

o Egress Interface: ethernet0/2

o Tunnel Interface: tunnel1

o Address Pool: pool1

o L2TP over IPSec: toclienttunnel

Setting up a VPN Connection

The steps for setting up a VPN connection differ between PC operating systems. Windows XP/2003, Windows 7 and Mac OS are taken as examples.


Steps of setting up a VPN connection in Windows XP/2003

Set up a connection:

1. In Control Panel, double-click Network Connections.

2. From the Network Tasks pane, click Create a new connection. The New Connection Wizard dialog appears.

3. In the pop-up dialog, click Next.

4. Select Connect to the network at my workplace. Then click Next.

5. Select Virtual Private Network connection. Then click Next.

6. Enter a name for this connection in the Company Name text box: L2TPoverIPSec. Then click Next.

7. Enter the IP address of the VPN server: 10.10.1.1. Then click Next.

8. Click Finish.


Configure the Security properties of this connection:

1. After you have completed the New Connection Wizard, the Connect L2TPoverIPSec dialog appears.

2. Click Properties. The L2TPoverIPSec Properties dialog appears.

3. Select the Security tab.

4. Select Advanced (custom settings). Then click Settings. The Advanced Security Settings dialog appears.

5. In the Data encryption drop-down menu, select Optional encryption (connect even if no encryption).

6. In the Logon security section, select Allow these protocols.

7. Select Unencrypted password (PAP) and Challenge Handshake Authentication Protocol (CHAP).

8. Click OK to close the Advanced Security Settings dialog and return to the L2TPoverIPSec Properties dialog.

9. Click IPSec Settings.

10. Select Use pre-shared key for authentication and enter the pre-shared key hillstone.

11. Click OK to close the IPSec Settings dialog.

Optional encryption and PAP are acceptable here only because the whole L2TP session, including the PAP password, is carried inside the IPSec transport-mode SA; do not use these settings for plain L2TP without IPSec.

11. Click OK to close the IPSec Settings dialog.

Configure the Networking properties of this


connection:

1. In the L2TPoverIPSec Properties dialog,


select the Networking tab.

2. In the Type of VPN drop-down menu,


select L2TP IPSec VPN.

3. Ensure that you have select the Internet


Protocol (TCP/IP) check box.

4. Click OK to save the configurations.

Connect to the L2TPoverIPSec VPN:

1. Find the L2TPoverIPSec connection and


double-click it.

2. Enter the user name: user1

3. Enter the password: hillstone

4. Click Connect.

5. After the connection is successful, you can


visit the internal server 192.168.1.2


Steps of setting up a VPN connection in Windows 7

Set up a connection:

1. Select Control Panel > Network and Internet > Network and Sharing Center.

2. Click Set up a new connection or network.

3. In the pop-up dialog, select Connect to a workplace. Then click Next.

4. Select Use my Internet connection (VPN).

5. Enter the IP address of the VPN server: 10.10.1.1

6. Enter the destination name: L2TPoverIPSec

7. Select Don't connect now; just set it up so I can connect later. Then click Next.

8. Enter the user name: user1

9. Enter the password: hillstone

10. Click Create.

11. After the connection is ready to use, click Close.


Configure the Security properties of this connection:

1. In the Network and Sharing Center, click Change adapter settings.

2. Find the L2TPoverIPSec connection and right-click it.

3. In the pop-up menu, select Properties. The L2TPoverIPSec Properties dialog appears.

4. Select the Security tab.

5. In the Type of VPN drop-down menu, select Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec).

6. Click Advanced settings, select Use preshared key for authentication, then enter the key hillstone.

7. In the Data encryption drop-down menu, select Optional encryption (connect even if no encryption).

8. In the Authentication section, select Allow these protocols and then select Unencrypted password (PAP) and Challenge Handshake Authentication Protocol (CHAP).


Configure the Networking properties of this connection:

1. In the L2TPoverIPSec Properties dialog, select the Networking tab.

2. Ensure that the Internet Protocol Version 4 (TCP/IPv4) check box is selected.

3. Click OK to save the configuration.

Connect to the L2TPoverIPSec VPN:

1. Find the L2TPoverIPSec connection and double-click it.

2. Enter the password: hillstone

3. Click Connect.

4. After the connection is successful, you can visit the intranet server 192.168.1.2.


Steps of setting up a VPN connection in Mac OS

Set up a connection:

1. Select System Preferences > Network.

2. Click + to create a new network connection.

3. Enter the connection configuration in the pop-up dialog.

4. Click the Interface drop-down list and select VPN.

5. Click the VPN Type drop-down list and select L2TP over IPSec.

6. Enter the Service Name: L2TP over IPSec.

7. Click Create.


Configure the properties of the connection:

1. Find L2TP over IPSec in the list on the left and click it.

2. Enter the Server Address on the right: 10.10.1.1.

3. Enter the Account Name: user1.

4. Click the Authentication Settings button and enter the authentication credentials in the pop-up dialog.

5. In the User Authentication section, select Password and enter the corresponding password: hillstone.

6. In the Machine Authentication section, select Shared Secret and enter the shared secret: hillstone.

7. Click OK to save the configuration.


Configure the advanced properties of the connection:

1. Click the Advanced button.

2. Configure the advanced properties in the pop-up dialog.

3. Select all the check boxes in Session Options and make sure that Send all traffic over VPN connection is selected.

4. Click OK to save the configuration.

Connect to the L2TP over IPSec VPN:

1. Find L2TP over IPSec in the list on the left and click it.

2. Click the Connect button on the right.

3. The status shows Connecting.

4. After connecting successfully, the page shows Status: Connected, Connect Time, and so on.

5. Click Apply to save the configuration.

6. After the connection is successful, you can visit the intranet server 192.168.1.2.

7. To disconnect, click the Disconnect button.


Adjusting Whether to Use IPSec for L2TP VPN

By default, Windows requires L2TP VPN connections to use IPSec, so for the L2TP over IPSec VPN above you do not need to modify the system registry.

If IPSec has been disabled on the system, take the following steps to make the system use L2TP over IPSec again. Note that with IPSec disabled, the L2TP tunnel and the PPP session it carries are sent without encryption, so keep the value at 0 unless you have a specific reason not to.

Enable IPSec

1. Select Start > Run.

2. In Run, enter regedit.

3. Click OK.

4. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters.

5. In the right pane, find the entry ProhibitIpSec whose type is REG_DWORD.

6. Double-click this entry and modify the value in the Value data text box to 0.

o 0 represents that the system enables IPSec.

o 1 represents that the system disables IPSec.

7. Save the modifications and restart the system.


Allowing Remote Users (iOS/Android) to Access a Private Network Using L2TP over IPSec VPN

This example shows how to use L2TP over IPSec VPN to provide remote users (iOS/Android) with access to the corporate internal network.

The topology is shown below. A remote user, located at home or in a hotel, accesses the Internet via mobile 3G/4G or Wi-Fi. This remote user (iOS/Android) uses L2TP over IPSec VPN to visit the server (PC1) in the corporate internal network, which is protected by device A.

*Due to the lab environment, 10.10.1.0/24 is used to represent the public network segment.

The configuration process consists of four parts:

o Configure basic settings

o Configure IPSec VPN

o Configure L2TP VPN

o Set up a VPN connection in iOS/Android

Configuring Basic Settings

In device A, configure the following settings:


Step 1: Configuring an interface

Configuring the interface connected to the intranet

Select Network > Interface, and double-click ethernet0/1.

o Binding Zone: Layer 3 Zone

o Zone: dmz

o Type: Static IP

o IP Address: 192.168.1.1

o Netmask: 255.255.255.0

o Keep the default of other parameters

Configuring the interface connected to the Internet

Select Network > Interface, and double-click ethernet0/2.

o Binding Zone: Layer 3 Zone

o Zone: untrust

o Type: Static IP

o IP Address: 10.10.1.1

o Netmask: 255.255.255.0

o Keep the default of other parameters

Configuring the tunnel interface

Select Network > Interface > New > Tunnel Interface.

o Interface name: tunnel1

o Binding Zone: Layer 3 Zone

o Zone: trust

o IP Address: 192.168.3.1

o Netmask: 255.255.255.0

o Keep the default of other parameters


Step 2: Configuring a security policy

Configure a security policy that allows traffic to flow from the Trust zone, where the tunnel interface is located, to the DMZ zone, where the internal server is located.

Select Policy > Security Policy > New.

o Name: trust_to_dmz

o Source

o Zone: trust

o Address: Any

o Destination

o Zone: dmz

o Address: Any

o Other

o Service/Service Group: Any

o Action: Permit

Configuring IPSec VPN

In device A, configure the following settings:


Step 1: Creating a P1 proposal and a P2 proposal

Click Network > VPN > IPSec VPN. In the P1 Proposal tab, click New.

o Proposal Name: p1forl2tp

o Authentication: Pre-share

o Hash: SHA

o Encryption: 3DES

o DH Group: Group2

o Lifetime: 86400

In the P2 Proposal tab, click New.

o Proposal Name: p2forl2tp

o Protocol: ESP

o HASH: SHA

o Encryption: 3DES, DES, AES

o Compression: None

o PFS Group: No PFS

o Lifetime: 28800

o Lifesize: Enable

o Lifesize: 250000


Step 2: Configuring a VPN peer

Click Network > VPN > IPSec VPN. In the VPN Peer List tab, click New.

In the Basic tab, configure the following settings:

o Name: toclient

o Interface: ethernet0/2

o Mode: Main

o Type: User Group

o AAA Server: local

o Proposal1: p1forl2tp

o Pre-shared Key: hillstone

In the Advanced tab, configure the following settings:

o NAT Traversal: Enable

o Any Peer ID: Enable

o Keep the default of other parameters


Step 3: Configuring IKE VPN

Click Network > VPN > IPSec VPN. In the IKE VPN List tab, click New.

In the Basic tab, configure the following settings:

o Peer

o Peer Name: toclient

o Tunnel

o Name: toclienttunnel

o Mode: transport

o P2 proposal: p2forl2tp

In the Advanced tab, configure the following settings:

o Accept-all-proxy-ID: Enable

o Keep the default of other parameters

Configuring L2TP VPN

In device A, configure the following settings:


Step 1: Creating an L2TP pool

Select Network > VPN > L2TP VPN > Address Pool.

In the Address Pool dialog, click New.

o Address Pool Name: pool1

o Start IP: 192.168.3.2

o End IP: 192.168.3.100

Step 2: Adding a user in the 'local' AAA server

Select Object > User > Local User > New >
User.

o Name: user1

o Password: hillstone

o Confirm Password: hillstone


Step 3: Configuring an L2TP VPN instance

Select Network > VPN > L2TP VPN > New.

In the Name/Access User tab, configure the following settings:

o L2TP VPN Name: l2tpinstance1

o AAA Server: local

o Click Add

In the Interface/Address Pool/IPSec Tunnel tab, configure the following settings:

o Egress Interface: ethernet0/2

o Tunnel Interface: tunnel1

o Address Pool: pool1

o L2TP over IPSec: toclienttunnel
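The server-side objects above (tunnel1, pool1, the p1forl2tp/p2forl2tp proposals, the toclient peer and the toclienttunnel IKE tunnel) have to agree with each other before any phone can connect. The following Python script is an added example that checks that agreement and flags the legacy algorithms in the proposals; it is not StoneOS code or a Hillstone API. The dictionary is this script's own model of the recipe, and it assumes that the WebUI's SHA option means SHA-1. 3DES, DES and DH group 2 appear in the recipe for compatibility with older built-in clients; prefer AES and a larger DH group wherever the client supports them.

```python
"""Consistency and strength checks for an L2TP over IPSec remote-access setup,
modelled on the device A settings in this recipe. Added example; the data
structures below are this script's own, not a StoneOS API."""
import copy
import ipaddress

# Constructed from the recipe: the values set in the WebUI for device A.
DEVICE_A = {
    "tunnel_interface": {"name": "tunnel1", "ip": "192.168.3.1/24", "zone": "trust"},
    "address_pool": {"name": "pool1", "start": "192.168.3.2", "end": "192.168.3.100"},
    "p1": {"name": "p1forl2tp", "hash": "SHA", "encryption": ["3DES"], "dh_group": 2, "lifetime": 86400},
    "p2": {"name": "p2forl2tp", "protocol": "ESP", "hash": "SHA", "encryption": ["3DES", "DES", "AES"], "pfs": None},
    "peer": {"name": "toclient", "mode": "Main", "type": "User Group", "nat_traversal": True, "any_peer_id": True},
    "ike_tunnel": {"name": "toclienttunnel", "mode": "transport", "accept_all_proxy_id": True},
    "l2tp": {"tunnel_interface": "tunnel1", "address_pool": "pool1", "ipsec_tunnel": "toclienttunnel"},
}

# Algorithms a practitioner should flag. "SHA" in the WebUI is assumed to be SHA-1.
LEGACY_CIPHERS = {"DES", "3DES"}
LEGACY_HASHES = {"MD5", "SHA"}
LEGACY_DH_GROUPS = {1, 2, 5}


def pool_inside_tunnel_subnet(cfg):
    """The L2TP address pool must lie inside the tunnel interface's subnet
    and must not include the interface's own address."""
    iface = ipaddress.ip_interface(cfg["tunnel_interface"]["ip"])
    start = ipaddress.ip_address(cfg["address_pool"]["start"])
    end = ipaddress.ip_address(cfg["address_pool"]["end"])
    net = iface.network
    return start in net and end in net and start <= end and not (start <= iface.ip <= end)


def check_config(cfg):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    if not pool_inside_tunnel_subnet(cfg):
        findings.append(("error", "address pool is not inside the tunnel interface subnet"))
    # Built-in Windows/macOS/iOS/Android clients run L2TP over IPSec in transport mode.
    if cfg["ike_tunnel"]["mode"] != "transport":
        findings.append(("error", "L2TP over IPSec needs P2 mode 'transport', not 'tunnel'"))
    # Mobile and home clients are almost always behind NAT.
    if not cfg["peer"]["nat_traversal"]:
        findings.append(("error", "NAT traversal disabled; clients behind NAT will not connect"))
    # Dial-up clients present unpredictable IKE IDs and proxy IDs.
    if not cfg["peer"]["any_peer_id"]:
        findings.append(("warn", "Any Peer ID disabled; client IKE IDs would have to be enumerated"))
    if not cfg["ike_tunnel"]["accept_all_proxy_id"]:
        findings.append(("warn", "Accept-all-proxy-ID disabled; clients' proxy IDs may be rejected"))
    # Reference wiring between the L2TP instance and the objects it points at.
    for key, obj in (("tunnel_interface", "tunnel_interface"),
                     ("address_pool", "address_pool"),
                     ("ipsec_tunnel", "ike_tunnel")):
        if cfg["l2tp"][key] != cfg[obj]["name"]:
            findings.append(("error", f"L2TP instance references unknown {key} {cfg['l2tp'][key]!r}"))
    # Algorithm strength: every P2 encryption entry is negotiable, so each legacy entry counts.
    for phase in ("p1", "p2"):
        for enc in cfg[phase]["encryption"]:
            if enc in LEGACY_CIPHERS:
                findings.append(("warn", f"{cfg[phase]['name']}: legacy cipher {enc}"))
        if cfg[phase]["hash"] in LEGACY_HASHES:
            findings.append(("warn", f"{cfg[phase]['name']}: legacy hash {cfg[phase]['hash']} (SHA-1)"))
    if cfg["p1"]["dh_group"] in LEGACY_DH_GROUPS:
        findings.append(("warn", f"{cfg['p1']['name']}: weak DH group {cfg['p1']['dh_group']}"))
    if cfg["p2"]["pfs"] is None:
        findings.append(("info", f"{cfg['p2']['name']}: no PFS"))
    return findings


def errors(cfg):
    """Only the findings that would stop clients from connecting."""
    return [msg for sev, msg in check_config(cfg) if sev == "error"]


def variant(cfg, section, key, value):
    """Deep copy cfg with one field changed; handy for what-if checks."""
    new = copy.deepcopy(cfg)
    new[section][key] = value
    return new


if __name__ == "__main__":
    for sev, msg in check_config(DEVICE_A):
        print(f"[{sev}] {msg}")
```

Run it after changing any of the objects: an error means the phones will not connect, a warning means they will connect with algorithms you should plan to retire.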

Set up a VPN connection in iOS/Android

Take iOS 10 and Android 7 as examples.

Steps of setting up a VPN connection in iOS 10. (Before configuring your iPhone, make sure that it can access the Internet normally.)

Enter VPN configuration page:

1. Select Settings > General in your iPhone.

2. Swipe down and click VPN.

3. Click Add VPN Configuration…


Configuring VPN properties:

1. Click Add VPN Configuration on the VPN page.

2. Enter the following configurations on the Add Configuration page.

o Type: Click the drop-down list and select L2TP.

o Description: Enter the custom name L2TP over IPSec to mark the L2TP connection.

o Server: 10.10.1.1

o Account: user1, the login account that has been added in the local AAA server.

o Password: hillstone, the corresponding password of the account.

o Secret: hillstone, the pre-shared key.

3. Click Done in the top right corner.


Enabling VPN and connecting the L2TP over IPSec VPN:

1. Select the configured VPN: L2TP over IPSec.

2. Swipe the Status button.

3. After the VPN is connected successfully, the status shows Connected and VPN appears at the top of the screen.

4. After the VPN is connected successfully, you can access the internal server: 192.168.1.2.

Steps of setting up a VPN connection in Android. (Before configuring your Android phone, make sure that it can access the Internet normally.)

Enter the VPN configuration page:

1. Select Settings > VPN on your Android phone.

2. Click Add VPN at the bottom of the screen.


Configuring VPN properties:

1. Enter the following configurations on the Add VPN page.

o Name: Enter the custom name L2TP over IPSec to mark the L2TP connection.

o Type: Click the drop-down list and select L2TP/IPSec PSK.

o Server address: 10.10.1.1

o IPSec pre-shared key: hillstone

o Account: user1, the login account that has been added in the local AAA server.

o Password: hillstone, the corresponding password of the account.

2. Click OK in the top right corner.


Enabling VPN and connecting the L2TP over IPSec VPN:

1. Select the configured VPN: L2TP over IPSec.

2. Swipe the VPN button.

3. After the VPN is connected successfully, the status shows Connected and a VPN sign appears at the top of the screen.

4. After the VPN is connected successfully, you can access the internal server: 192.168.1.2.


Allowing Remote Users ( PC ) to Access a Private Network Using L2TP and SSL VPN

This example shows how to use L2TP and SSL VPN together to provide remote users with access to the corporate internal network.

The topology is shown below. A remote user (PC), located at a branch office of the corporation, uses SSL VPN to connect to the branch firewall. The branch firewall acts as an L2TP client and establishes a tunnel to the headquarters firewall. Traffic from the remote user (PC) is then routed into the L2TP tunnel, so the remote user (PC) in the branch office can communicate with the server in the corporate internal network.

* This example is used in a laboratory environment. Configure the IP addresses of each interface according to the actual connections.

Configure the Branch Firewall

In Branch Firewall, configure the following settings:


Step 1: Configuring an interface

Configuring the interface connected to the branch network

Select Network > Interface, and double-click ethernet0/1.

o Binding Zone: Layer 3 Zone

o Zone: trust

o Type: Static IP

o IP Address: 10.182.55.49

o Netmask: 255.255.255.0

o Keep the default of other parameters

Configuring the interface connected to the Internet

Select Network > Interface, and double-click ethernet0/2.

o Binding Zone: Layer 3 Zone

o Zone: untrust

o Type: Static IP

o IP Address: 100.1.1.2

o Netmask: 255.255.255.0

o Keep the default of other parameters


Configuring the L2TP VPN tunnel interface.

Select Network > Interface > New > Tunnel Interface.

o Interface name: tunnel1

o Binding Zone: Layer 3 Zone

o Zone: VPNHub

o Keep the default of other parameters

Configuring the SSL VPN tunnel interface.

Select Network > Interface > New > Tunnel Interface.

o Interface name: tunnel2

o Binding Zone: Layer 3 Zone

o Zone: VPNHub

o IP Address: 60.1.1.1

o Netmask: 255.255.255.0

o Keep the default of other parameters


Step 2: Configuring a security policy and NAT

Configure a traffic-all-pass policy

Select Policy > Security Policy > New.

o Name: Any_to_Any

o Source

o Zone: Any

o Address: Any

o Destination

o Zone: Any

o Address: Any

o Service : Any

o Action: Permit


Configure source NAT to translate the source addresses of the SSL VPN address pool (60.1.1.0/24) to the IP address of the L2TP tunnel interface

Select Policy > NAT > SNAT, and click New.

o Virtual Router: trust-vr

o Source Address

o IP/Netmask: 60.1.1.0/24

o Destination Address

o IP Address: 172.16.2.2

o Egress: Egress interface: tunnel1

o Translated to: Egress IF IP (IPv4)

o Keep the default of other parameters

Step 3: Configuring a route

Select Network > Routing > Destination Route > New.

o Destination: 172.16.2.0

o Netmask: 255.255.255.0

o Next-hop: Interface

o Interface: tunnel1


Step 4: Adding a user in the 'local' AAA server

Select Object > User > Local User > New >
User.

o Name: user1

o Password: hillstone

o Confirm Password: hillstone

Step 5: Configuring SSL VPN

Configure the SSL VPN address pool. Select Network > VPN > SSL VPN, click Configuration > Address Pool, and then click New.

o Address Pool Name: scpool

o Start IP: 60.1.1.2

o End IP: 60.1.1.100

o Mask: 255.255.255.0

o Keep the default of other parameters

Note: The SSL VPN address pool must be in the same network segment as the tunnel interface tunnel2.


Select Network > VPN > SSL VPN, and click New.

In the Name/Access User tab:

o SSL VPN Name: ssl1

o AAA Server: click New , and select local

In the Interface tab:

o Egress Interface 1: ethernet0/1

o Service port: 4433

o Tunnel Interface: tunnel2

o Address Pool: scpool

In the Tunnel Route tab:

o IP: 172.16.2.0

o Netmask: 255.255.255.0

Note: The tunnel route must cover the network segment of the internal server ("Server"); it is what the Secure Connect client uses to send traffic for 172.16.2.0/24 into the SSL VPN tunnel.


Step 6: Configuring an L2TP Client instance

Select Network > VPN > L2TP VPN > L2TP Client > New.

o Client Name: client1

o Tunnel Interface: tunnel1

o Egress Interface: ethernet0/2

o LNS IP: 100.1.1.1

o Keepalive: 60 seconds

o Control Packet Transmit Retry: 5 times

o User Name: l2tp_user1

o Password: hillstone

o LCP-echo Interval: 30 seconds

o Transmit Retries: 4 times

o PPP Authentication: CHAP

o Auto connect: Enabled

Configure Headquarters Firewall

In the Headquarters Firewall, configure the following settings:


Step 1: Configuring an interface

Configuring the interface connected to the Internet

Select Network > Interface, and double-click ethernet0/1.

o Binding Zone: Layer 3 Zone

o Zone: untrust

o Type: Static IP

o IP Address: 100.1.1.1

o Netmask: 255.255.255.0

o Keep the default of other parameters

Configuring the interface connected to the internal network

Select Network > Interface, and double-click ethernet0/2.

o Binding Zone: Layer 3 Zone

o Zone: trust

o Type: Static IP

o IP Address: 172.16.2.1

o Netmask: 255.255.255.0

o Keep the default of other parameters


Configuring the L2TP VPN tunnel interface.

Select Network > Interface > New > Tunnel Interface.

o Interface name: tunnel1

o Binding Zone: Layer 3 Zone

o Zone: VPNHub

o IP Address: 70.1.1.1

o Netmask: 255.255.255.0

o Keep the default of other parameters


Step 2: Configuring a security policy

Configure a traffic-all-pass policy

Select Policy > Security Policy > New

o Name: Any_to_Any

o Source

o Zone: Any

o Address: Any

o Destination

o Zone: Any

o Address: Any

o Service: Any

o Action: Permit

Step 3: Adding a user in the 'local' AAA server

Select Object > User > Local User > New >
User.

o Name: l2tp_user1

o Password: hillstone

o Confirm Password: hillstone


Step 4: Creating an L2TP pool

Select Network > VPN > L2TP VPN > Address Pool.

In the Address Pool dialog, click New.

o Address Pool Name: pool1

o Start IP: 70.1.1.2

o End IP: 70.1.1.100

Step 5: Configuring a L2TP VPN

Select Network > VPN > L2TP VPN > New.

o L2TP VPN Name: l2tp1

o AAA Server: local

o Egress Interface: ethernet0/1

o Tunnel Interface: tunnel1

o Address Pool: pool1

o Keep the default of other parameters
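Why the branch firewall needs the SNAT rule of Step 2 is easiest to see by tracing one packet from an SSL VPN client to the server. The Python below is an added example with its own small routing and NAT model; it is not StoneOS code. The branch firewall's tunnel1 address 70.1.1.5 is an assumed lease from the headquarters pool1, and the client address 60.1.1.3 is an assumed lease from scpool.

```python
"""Packet-path walk-through for the branch/headquarters design above: an SSL VPN
client (scpool, 60.1.1.0/24) reaches Server 172.16.2.2 through the branch
firewall's L2TP tunnel. Added example with a toy routing/NAT model, not StoneOS code."""
import ipaddress


def net(prefix):
    return ipaddress.ip_network(prefix, strict=False)


# Branch firewall as configured above. tunnel1's address is assigned by the LNS
# from pool1; 70.1.1.5 is an assumed value.
BRANCH = {
    "interfaces": {"ethernet0/1": "10.182.55.49/24", "ethernet0/2": "100.1.1.2/24",
                   "tunnel2": "60.1.1.1/24", "tunnel1": "70.1.1.5/32"},
    "routes": [("172.16.2.0/24", "tunnel1")],            # Step 3 destination route
    "snat": [("60.1.1.0/24", "172.16.2.2", "tunnel1")],   # Step 2: translate to egress IF IP
}

# Headquarters firewall: only connected routes, and none of them covers 60.1.1.0/24.
HQ = {
    "interfaces": {"ethernet0/1": "100.1.1.1/24", "ethernet0/2": "172.16.2.1/24",
                   "tunnel1": "70.1.1.1/24"},
    "routes": [],
    "snat": [],
}


def lookup(device, dst):
    """Longest-prefix match over static routes and connected interface subnets."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, ifname in device["routes"]:
        n = net(prefix)
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, ifname)
    for ifname, addr in device["interfaces"].items():
        n = ipaddress.ip_interface(addr).network
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, ifname)
    return best[1] if best else None


def forward(device, src, dst, use_snat=True):
    """Return (egress_interface, source_address_after_nat), or None if unroutable."""
    egress = lookup(device, dst)
    if egress is None:
        return None
    new_src = src
    if use_snat:
        for src_net, dst_ip, eg in device["snat"]:
            if ipaddress.ip_address(src) in net(src_net) and dst == dst_ip and eg == egress:
                new_src = str(ipaddress.ip_interface(device["interfaces"][egress]).ip)
                break
    return egress, new_src


def round_trip(use_snat=True):
    """Client 60.1.1.3 -> Server 172.16.2.2.
    Returns (source address seen at headquarters, interface headquarters would reply on)."""
    hop = forward(BRANCH, "60.1.1.3", "172.16.2.2", use_snat)
    if hop is None:
        return None
    _, src_seen_by_hq = hop
    return src_seen_by_hq, lookup(HQ, src_seen_by_hq)


if __name__ == "__main__":
    print("with SNAT:   ", round_trip(True))
    print("without SNAT:", round_trip(False))
```

Without the SNAT rule the headquarters firewall sees a source of 60.1.1.3, for which it has no route, so its replies are dropped; the alternative to translating is a static route for 60.1.1.0/24 via tunnel1 on the headquarters firewall.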

Setting up a VPN Connection

After completing the above configuration, users in the branch office can dial up and connect to the intranet server.


Step 1: Download the Hillstone Secure Connect client

Enter https://10.182.55.49:4433 in the browser, and download the SCVPN client from the page that opens. The IP address 10.182.55.49 is the address of the egress interface of the SSL VPN.

Step 2: Log in

The remote user opens the Hillstone Secure Connect client and enters the information below:

o Server: 10.182.55.49

o Port: 4433

o Username: user1

o Password: hillstone

When the icon in the taskbar turns green, the client is connected. The remote user can then access the internal server via SSL VPN and L2TP VPN.


Connection between Two Private Networks Using GRE over IPSec VPN

This example introduces how to create a GRE over IPSec VPN to protect the communication between the private network of the headquarters and the private network of the branch.

The topology is shown below. Device A acts as the gateway of the headquarters and device B acts as the gateway of the branch. To protect the communication between the two private networks, use GRE over IPSec VPN.

*Due to the lab environment, 10.89.16.0/22 is used to represent the public network segment.

The configuration process consists of four parts:

o Configure basic settings

o Configure IPSec VPN

o Configure GRE VPN

o Configure routes and policies


Configuring Basic Settings

Step 1: Configuring interfaces for device A

Configuring the interface connected to the intranet

Select Network > Interface, and double-click ethernet0/0.

o Binding Zone: Layer 3 Zone

o Zone: trust

o Type: Static IP

o IP Address: 192.168.1.1

o Netmask: 255.255.255.0

o Keep the default of other parameters

Configuring the interface connected to the Internet

Select Network > Interface, and double-click ethernet0/1.

o Binding Zone: Layer 3 Zone

o Zone: untrust

o Type: Static IP

o IP Address: 10.89.17.226

o Netmask: 255.255.252.0

o Keep the default of other parameters


Configuring the tunnel interface.

Select Network > Interface > New > Tunnel Interface.

o Interface name: tunnel1

o Binding Zone: Layer 3 Zone

o Zone: trust

o IP Address: 172.2.2.1

o Netmask: 255.255.255.0

o Keep the default of other parameters

Step 2: Configuring interfaces for device B

Configuring the interface connected to the intranet

Select Network > Interface, and double-click ethernet0/4.

o Binding Zone: Layer 3 Zone

o Zone: trust

o Type: Static IP

o IP Address: 192.168.2.1

o Netmask: 255.255.255.0

o Keep the default of other parameters


Configuring the interface connected to the Internet

Select Network > Interface, and double-click ethernet0/1.

o Binding Zone: Layer 3 Zone

o Zone: untrust

o Type: Static IP

o IP Address: 10.89.18.131

o Netmask: 255.255.252.0

o Keep the default of other parameters

Configuring the tunnel interface.

Select Network > Interface > New > Tunnel Interface.

o Interface name: tunnel1

o Binding Zone: Layer 3 Zone

o Zone: trust

o IP Address: 172.2.2.2

o Netmask: 255.255.255.0

o Keep the default of other parameters


Configuring IPSec VPN

Step 1: Configuring IPSec VPN for device A

Create a P1 proposal and a P2 proposal.

Click Network > VPN > IPSec VPN. In the P1 Proposal tab, click New.

o Proposal Name: p1forgre

o Authentication: Pre-share

o Hash: SHA

o Encryption: 3DES

o DH Group: Group2

o Lifetime: 86400

In the P2 Proposal tab, click New.

o Proposal Name: p2forgre

o Protocol: ESP

o HASH: SHA

o Encryption: 3DES

o Compression: None

o PFS Group: No PFS

o Lifetime: 28800


Configure a VPN peer.

Click Network > VPN > IPSec VPN. In the VPN Peer List tab, click New.

In the Basic tab, configure the following settings:

o Name: center2branch1_ipsec

o Interface: ethernet0/1

o Mode: Main

o Type: Static IP

o Peer IP: 10.89.18.131

o Proposal1: p1forgre

o Pre-shared Key: hillstone

o Keep the default of other parameters


Configure IKE VPN.

Click Network > VPN > IPSec VPN. In the IKE VPN List tab, click New.

In the Basic tab, configure the following settings:

o Peer

o Peer Name: center2branch1_ipsec

o Tunnel

o Name: center2branch1_ipsec_tunnel

o Mode: tunnel

o P2 proposal: p2forgre

o Keep the default of other parameters


Step 2: Configuring IPSec VPN for device B

Create a P1 proposal and a P2 proposal.

Click Network > VPN > IPSec VPN. In the P1 Proposal tab, click New.

o Proposal Name: p1forgre

o Authentication: Pre-share

o Hash: SHA

o Encryption: 3DES

o DH Group: Group2

o Lifetime: 86400

In the P2 Proposal tab, click New.

o Proposal Name: p2forgre

o Protocol: ESP

o HASH: SHA

o Encryption: 3DES

o Compression: None

o PFS Group: No PFS

o Lifetime: 28800


Configure a VPN peer.

Click Network > VPN > IPSec VPN. In the VPN Peer List tab, click New.

In the Basic tab, configure the following settings:

o Name: tocenter_ipsec

o Interface: ethernet0/1

o Mode: Main

o Type: Static IP

o Peer IP: 10.89.17.226

o Proposal1: p1forgre

o Pre-shared Key: hillstone

o Keep the default of other parameters


Configure IKE VPN.

Click Network > VPN > IPSec VPN. In the IKE VPN List tab, click New.

In the Basic tab, configure the following settings:

o Peer

o Peer Name: tocenter_ipsec

o Tunnel

o Name: tocenter_ipsec_tunnel

o Mode: tunnel

o P2 proposal: p2forgre

o Keep the default of other parameters

Configuring GRE VPN

GRE VPN configurations are not supported by WebUI. You need to use CLI to complete the following GRE VPN configurations.


Step 1: Configuring GRE VPN for device A

Create a GRE tunnel.

1. In the global configuration mode, create a GRE tunnel:
tunnel gre center2branch1

2. Specify the source IP address of the tunnel:
source 10.89.17.226

3. Specify the destination IP address of the tunnel:
destination 10.89.18.131

4. Specify the egress interface of the tunnel:
interface ethernet0/1

5. Specify the IPSec VPN tunnel that carries the GRE tunnel:
next-tunnel ipsec center2branch1_ipsec_tunnel

Bind the GRE tunnel to the tunnel interface.

1. Enter the interface configuration mode of tunnel1:
int tunnel1

2. Bind the GRE tunnel:
tunnel gre center2branch1


Step 2: Configuring GRE VPN for device B

Create a GRE tunnel.

1. In the global configuration mode, create a GRE tunnel:
tunnel gre branch1

2. Specify the source IP address of the tunnel:
source 10.89.18.131

3. Specify the destination IP address of the tunnel:
destination 10.89.17.226

4. Specify the egress interface of the tunnel:
interface ethernet0/1

5. Specify the IPSec VPN tunnel that carries the GRE tunnel (the IKE VPN tunnel tocenter_ipsec_tunnel created above):
next-tunnel ipsec tocenter_ipsec_tunnel

Bind the GRE tunnel to the tunnel interface.

1. Enter the interface configuration mode of tunnel1:
int tunnel1

2. Bind the GRE tunnel:
tunnel gre branch1
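The next-tunnel ipsec command above chains two encapsulations: the inner packet is first wrapped in GRE with the outer addresses 10.89.17.226 and 10.89.18.131, and that GRE packet is then protected by ESP in tunnel mode with p2forgre. The Python below is an added example, not StoneOS code; it builds the IPv4 and GRE headers with struct and computes (without encrypting anything) the ESP tunnel-mode size for 3DES-CBC with HMAC-SHA1-96, which shows how much of a 1500-byte link MTU is left for the inner packet. It assumes no NAT-T UDP encapsulation and no extended sequence numbers; the inner addresses are constructed.

```python
"""Encapsulation stack of GRE over IPSec as configured above: inner IP -> GRE ->
outer IP -> ESP tunnel mode. Added example, not StoneOS code."""
import struct

GRE_PROTO_IPV4 = 0x0800
IPPROTO_GRE = 47


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; pass a header whose checksum field is zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner_packet: bytes, src: str, dst: str) -> bytes:
    """Plain GRE (RFC 2784: no checksum, key or sequence) inside a new IPv4 header."""
    gre = struct.pack("!HH", 0x0000, GRE_PROTO_IPV4)   # flags/version = 0, protocol = IPv4
    return ipv4_header(src, dst, IPPROTO_GRE, len(gre) + len(inner_packet)) + gre + inner_packet


def esp_tunnel_size(plaintext_len: int, block: int = 8, iv: int = 8, icv: int = 12) -> int:
    """Bytes on the wire for an ESP tunnel-mode packet carrying plaintext_len bytes.
    Defaults match p2forgre: 3DES-CBC (8-byte block and IV) and HMAC-SHA1-96 (12-byte ICV)."""
    pad = (-(plaintext_len + 2)) % block   # payload + padding + 2 trailer bytes fill whole blocks
    # new outer IP + SPI/sequence + IV + data + padding + (pad length, next header) + ICV
    return 20 + 8 + iv + plaintext_len + pad + 2 + icv


def gre_over_ipsec_size(inner_len: int) -> int:
    """Total bytes on the Internet link for an inner packet of inner_len bytes."""
    return esp_tunnel_size(inner_len + 20 + 4)   # GRE step adds outer IPv4 (20) + GRE header (4)


def max_inner_packet(link_mtu: int = 1500) -> int:
    """Largest inner IP packet that still fits link_mtu after both encapsulations."""
    size = link_mtu
    while gre_over_ipsec_size(size) > link_mtu:
        size -= 1
    return size


if __name__ == "__main__":
    # Constructed inner packet: 192.168.1.10 -> 192.168.2.10 with an 8-byte ICMP stub.
    inner = ipv4_header("192.168.1.10", "192.168.2.10", 1, 8) + b"\x08\x00" + bytes(6)
    wire = gre_encapsulate(inner, "10.89.17.226", "10.89.18.131")
    print(len(inner), "-> GRE:", len(wire), "-> ESP:", gre_over_ipsec_size(len(inner)))
    print("largest inner packet on a 1500-byte link:", max_inner_packet())
```

With these proposals an inner packet larger than 1422 bytes no longer fits a 1500-byte path, which is why large transfers across such a tunnel stall while small pings succeed; lower the MTU of the tunnel interfaces or clamp TCP MSS accordingly.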


Configuring Route and Policies

Step 1: Configuring route and policies for device A

Configure routes.

Select Network > Routing > Destination Route, and click New.

o Destination: 192.168.2.0

o Subnet Mask: 255.255.255.0

o Next Hop: Interface

o Interface: tunnel1

o Keep the default of other parameters


Configure a security policy that allows traffic to flow from the Trust zone, where the tunnel interface is located, to the Trust zone, where the internal server is located.

Select Policy > Security Policy. Click New.

o Name: trust_to_trust

o Source

o Zone: trust

o Address: Any

o Destination

o Zone: trust

o Address: Any

o Other

o Service/Service Group: Any

o Action: Permit


Step 2: Configuring route and policies for device B

Configure routes.

Select Network > Routing > Destination Route, and click New.

o Destination: 192.168.1.0

o Subnet Mask: 255.255.255.0

o Next Hop: Interface

o Interface: tunnel1

o Keep the default of other parameters


Configure a security policy that allows traffic to flow from the Trust zone, where the tunnel interface is located, to the Trust zone, where the internal server is located.

Select Policy > Security Policy > New.

o Name: trust_to_trust

o Source

o Zone: trust

o Address: Any

o Destination

o Zone: trust

o Address: Any

o Other

o Service/Service Group: Any

o Action: Permit

Step 3: Verifying the connection between the two private networks

After completing the above steps, the headquarters and the branch can reach each other.


Configuring VXLAN Static Unicast Tunnel

This example introduces how to configure a VXLAN static unicast tunnel. VXLAN uses MAC-in-UDP encapsulation to extend Layer 2 networks, allowing a large number of tenants to access virtual networks.

In the topology below, PC1 and PC2 communicate through the VXLAN tunnel (VNI 100).

Note: Within the same tunnel, different VNIs cannot communicate with each other.

Configuration Steps

VTEP1 Configuration

Step 1: Configure the interface.

hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# zone l2-trust
hostname(config-if-eth0/1)# exit

Step 2: Configure the VXLAN tunnel.

hostname(config)# tunnel vxlan tunnel1
hostname(config-tunnel-vxlan)# interface ethernet0/7
hostname(config-tunnel-vxlan)# destination 7.1.1.2
hostname(config-tunnel-vxlan)# vni 100
hostname(config-tunnel-vxlan)# exit
hostname(config)#


Step 3: Configure the tunnel interface and bind it to the Layer 2 security zone.

hostname(config)# interface tunnel1
hostname(config-if-tun1)# zone l2-trust
hostname(config-if-tun1)# tunnel vxlan tunnel1
hostname(config-if-tun1)# exit
hostname(config)#

Step 4: Configure the policy.

hostname(config)# policy-global
hostname(config-policy)# rule id 1
Rule id 1 is created
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config)#

VTEP2 Configuration

Step 1: Configure the interface.

hostname(config)# interface ethernet0/1
hostname(config-if-eth0/1)# zone l2-trust
hostname(config-if-eth0/1)# exit

Step 2: Configure the VXLAN tunnel.


hostname(config)# tunnel vxlan tunnel1
hostname(config-tunnel-vxlan)# interface ethernet0/7
hostname(config-tunnel-vxlan)# destination 7.1.1.1
hostname(config-tunnel-vxlan)# vni 100
hostname(config-tunnel-vxlan)# exit
hostname(config)#

Step 3: Configure the tunnel interface and bind it to the Layer 2 security zone.

hostname(config)# interface tunnel1
hostname(config-if-tun1)# zone l2-trust
hostname(config-if-tun1)# tunnel vxlan tunnel1
hostname(config-if-tun1)# exit
hostname(config)#

Step 4: Configure the policy.

hostname(config)# policy-global
hostname(config-policy)# rule id 1
Rule id 1 is created
hostname(config-policy-rule)# src-addr any
hostname(config-policy-rule)# dst-addr any
hostname(config-policy-rule)# service any
hostname(config-policy-rule)# action permit
hostname(config-policy-rule)# exit
hostname(config)#

Step 5: Verify the result.


PC1 and PC2 can communicate with each other through the VXLAN tunnel successfully.
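The note above that different VNIs cannot talk across one tunnel follows from the VXLAN header: the receiving VTEP reads the 24-bit VNI and only delivers frames that belong to its own segment. The Python below is an added example, not StoneOS code, that builds and parses that header as laid out in RFC 7348 and models the receive-side check. The MAC addresses and the stray VNI 200 frame are constructed for the demonstration, and the outer IP/UDP headers (destination port 4789) are left to the transport.

```python
"""VXLAN encapsulation as performed by the two VTEPs above (tunnel1, VNI 100,
endpoints 7.1.1.1 and 7.1.1.2). Added example, not StoneOS code."""
import struct

VXLAN_PORT = 4789            # UDP destination port used by the outer header
VXLAN_FLAG_VNI_VALID = 0x08  # the I bit: the VNI field is valid


def vxlan_encapsulate(inner_frame: bytes, vni: int) -> bytes:
    """Return VXLAN header + inner Ethernet frame (outer IP/UDP are added by the transport)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI is a 24-bit field")
    # RFC 7348 layout: flags (1 byte, I bit set), 3 reserved bytes, VNI (3 bytes), 1 reserved byte
    header = struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)
    return header + inner_frame


def vxlan_decapsulate(payload: bytes):
    """Parse a VXLAN payload; return (vni, inner_frame) or raise on malformed input."""
    if len(payload) < 8:
        raise ValueError("truncated VXLAN header")
    flags, word = struct.unpack("!B3xI", payload[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("I flag not set; VNI is not valid")
    return word >> 8, payload[8:]


def ethernet_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, body: bytes) -> bytes:
    return dst_mac + src_mac + struct.pack("!H", ethertype) + body


class VTEP:
    """One endpoint of a static unicast tunnel bound to a single VNI."""

    def __init__(self, name: str, vni: int):
        self.name, self.vni = name, vni
        self.delivered, self.dropped = [], []

    def receive(self, payload: bytes) -> bool:
        """Deliver the inner frame to the local Layer 2 zone only if the VNI matches."""
        vni, frame = vxlan_decapsulate(payload)
        if vni != self.vni:                  # another segment: never bridged into this one
            self.dropped.append((vni, frame))
            return False
        self.delivered.append(frame)
        return True


def demo():
    """PC1 behind VTEP1 sends to PC2 behind VTEP2 on VNI 100; a stray VNI 200 packet is dropped."""
    pc1 = bytes.fromhex("0200000000a1")   # constructed MAC addresses
    pc2 = bytes.fromhex("0200000000b2")
    frame = ethernet_frame(pc2, pc1, 0x0800, b"\x45" + bytes(19))   # IPv4 stub body
    vtep2 = VTEP("VTEP2", vni=100)
    ok = vtep2.receive(vxlan_encapsulate(frame, 100))
    stray = vtep2.receive(vxlan_encapsulate(frame, 200))
    return ok, stray, len(vtep2.delivered), len(vtep2.dropped)


if __name__ == "__main__":
    print(demo())
```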


Zero Trust Network Access (ZTNA)

Compared with the traditional VPN access mode, which allows an authorized user to access any resources on the internal network,
ZTNA (Zero Trust Network Access) starts with a default deny posture of zero trust on any entities, whether outside or inside the enter-
prise network perimeter. Hillstone ZTNA solutions adopts a dynamic authorization method with user identity being the focus and per-
sistently evaluates the creditability based on user identity and terminal device environment to achieve granular management of user,
terminal device and application and realize precise and secure service access control.

o Creditable identity: Identity evaluation is not restricted to account and password authentication but incorporates more identity
factors to provide enterprises with fine-grained user access control for profound access security.

o Creditable terminal device: Verified terminal state does not mean permanent access authorization. ZTNA persistently evaluates the
terminal environment and dynamically adjust the authorization scope to enure that the connected terminal is always under security
control.

o Creditable access: The old security concept that internal network is secure is broken. Any implicit creditability is eliminated. Access
to resources will be granted only when the user and the access device satisfy specific requirements so as to effectively mitigate
internal network security risks.

This chapter contains the following recipe:

o "Windows User Accessing Internal Server by Using Internal Network Access via ZTNA" on Page 298

o "Windows User Remotely Accessing Internal Server Through ZTNA" on Page 314

o "Android User Remotely Accessing Internal Server Through ZTNA" on Page 335


Windows User Accessing Internal Server by Using Internal Network Access via ZTNA

This example shows how to configure the internal network access function via ZTNA to enable Windows users to securely access local servers of the enterprise.

Networking Scenario

The R&D department and finance department of an enterprise are located in different network segments. The R&D department needs to use intranet application resources including the bug system and OA system; the finance department needs to use intranet application resources including the finance system and OA system. These three systems are located in different network segments within the enterprise. To improve internal network security, the enterprise wants the employees of these two departments to use endpoints that comply with the company's network security regulations so that they can access the corresponding system resources as expected. Therefore, the enterprise deploys ZTNA internal network access and formulates the following access control policies based on user identity and security requirements for access endpoints:

1. R&D employees are allowed to access the Bug management system and OA system.

2. Finance employees are allowed to access the Finance and OA systems.

3. The access device used for intranet access must meet this requirement: McAfee is running. If McAfee is not running, the employee is allowed to access only the OA system.

4. A user that does not meet any one of the previous requirements will be denied access to any resources.

The networking diagram is shown as follows.

Configuration Roadmap

1. Create user group "rd-group" for R&D employees and add R&D employee accounts to it.

2. Create user group "fin-group" for Finance employees and add Finance employee accounts to it.

3. Configure ZTNA server parameters for establishing secure connections from the client to the device and to the application resources:

a. ZTNA server name: name of the ZTNA service that users will access

b. Egress interface and service port: address and port number of the ZTNA service

c. Allow download client from browser: allow users to download the ZTNA client by accessing the ZTNA service address in the browser

d. Forced Timeout: configure the user's online duration after successfully connecting to ZTNA. When the user's online duration reaches the configured time, the system forces the user to go offline.

e. Multiple login: allow the same user account to log in on multiple clients at the same time

4. Create application resources "Bug System", "Finance System" and "OA System", which correspond with the Bug management
system, Finance system and OA system respectively, and set their URL addresses. After a user logs in on the client, the user can
view the names and URL addresses of the application resources that are granted and currently not granted access. Application
resources that you have permission to access are displayed in blue on the ZTNA Portal page, and application resources that you
do not have permission to access are displayed in gray.

5. Configure endpoint tags. For users whose device status fully complies with the network security regulations of the company, set two endpoint tags, tag1 and tag2: tag1 requires the device to run the Windows 10 operating system and to have the McAfee running process present; tag2 requires the device to run the Windows 10 operating system only.

6. Configure and enable ZTNA policies. When a user's group and tag match a ZTNA policy with action Permit, the user is granted access to the specific application resources.

7. Configure the default action as Deny, so that a user that does not match any ZTNA policy will be denied access to any application resources.

Preparations

Please follow the steps below to configure the ZTNA security domain "zone" in advance and bind it to the Egress interface "ethernet0/3". For more information, refer to the StoneOS WebUI User Guide.

1. Select Network > Zone.

2. Click New, configure the security domain "zone" with "Service Type" as "ZTNA", and bind the security domain to the Egress
interface "ethernet0/3".

Configuration Steps

Step 1: Creating local users and user groups

Select ZTNA > User > Local User. Click New > User to create user "rduser01", set the password, and add it to user group "rd-group".

Then, follow the same step to create user "finuser01" and add it to user group "fin-group".

Step 2: Configuring ZTNA

Select ZTNA > Gateway, and click New > Intranet Access. In the Name/Access User tab:

o Server Name: ZTNA-intranet

o Type: IPv4

o Assigned Users: Click New, and select "local" for the AAA Server dropdown list

Note: In the Assigned Users section, you can configure at most 10 AAA servers. When multiple servers are configured, you need
to configure the Domain parameter.

In the Access Interface tab:

o Egress Interfaces: ethernet0/3

o Service port: 8890

Note: The Egress interface is bound to a security domain with a service type of ZTNA.

In the Parameters tab, enable the Allow Download Client from Browser and Multiple login functions, set the Multiple login times option to 0, and set the Forced Timeout time to 10080.

Note: Use the default values for other parameters.

After the ZTNA configuration is completed, click OK.

Step 3: Creating application resources

Select ZTNA > Application Resource Book > Application Resource and click New. In the Application Resource Configuration
tab, click New to create application resource "Bug System".

o Name: Bug System (Name of the Bug management system displayed on ZTNA portal page)

o Hyperlink: https://bug000.com:10001 (URL address of the Bug management system)

o Address Type: IPv4/Netmask

o Address: 10.160.65.1/32

o Protocol: TCP

o Port: 10001 - 10001

Repeat the previous operation to create application resource "Finance System".

o Name: Finance System (Name of the finance system displayed on ZTNA portal page)

o Hyperlink: https://finance111.com:20001 (URL address of the finance system)

o Address Type: IPv4/Netmask

o Address: 10.160.66.1/32

o Protocol: TCP

o Port: 20001 - 20001

Repeat the previous operation to create application resource "OA System".

o Name: OA System (Name of the OA system displayed on ZTNA portal page)

o Hyperlink: https://oa333.com:30001 (URL address of the OA system)

o Address Type: IPv4/Netmask

o Address: 10.160.67.1/32

o Protocol: TCP

o Port: 30001 - 30001

Step 4: Creating endpoint tags

Select ZTNA > Endpoint > Information. In the Windows > Running Process tab, click New to add the following running process.

o Alias: McAfee

o Running Process: mcafee.exe (enter the name of the process corresponding to McAfee)

Select ZTNA > Endpoint > Tag and click New. In the Tag Configuration tab:

o Name: tag1

Click Add Criteria Set:

o Operating System: windows

o Endpoint Info Type: Select OS Version. Continue to select is and Windows10.

Click + button to create the following condition:

o Operating System: windows

o Endpoint Info Type: Select Running Process. Continue to select exist and then McAfee.

Repeat the previous operation to create "tag2".

o Name: tag2

Click Add Criteria Set:

o Operating System: windows

o Endpoint Info Type: Select OS Version. Continue to select is and Windows10.

Step 5: Configuring ZTNA policies

Select ZTNA > Policy and click New. In the Policy Configuration tab:

o Name: z-policy1

o User: rd-group

o Endpoint tag: tag1

o Application Resource: Bug System

o Action: Permit

Repeat the previous operation to create "z-policy2":

o Name: z-policy2

o User: fin-group

o Application Resource: Finance System

o Endpoint tag: tag1

o Action: Permit

Repeat the previous operation to create "z-policy3":

o Name: z-policy3

o User: rd-group, fin-group

o Application Resource: OA System

o Endpoint tag: tag2

o Action: Permit

Step 6: Check that ZTNA policies are enabled

Select ZTNA > Policy and check whether these ZTNA policies are enabled. If not, select "z-policy1", "z-policy2" and "z-policy3", click ┇ and then select Enable.

Step 7: Configuring the default action

Select ZTNA > Policy, click ┇ and select Default Policy Action. In the Default Policy Action dialog box, set the default action to Deny.

Step 8: Results

Verification Method:

1. Download the Secure Connect client. On PC1 and PC2, access https://192.168.7.1:8890 to download the Secure Connect Windows client. The IP address and port number are the ones configured in the Access Interface tab.

2. Log in to the client on PC1 and PC2 to check whether the access privilege for each application is correct in the ZTNA portal page.

3. Click an application resource with access privilege to check whether the user will be directed to the resource page.

Note: The operating systems of PC1 and PC2 are both Windows 10, and PC1 is running McAfee, while PC2 is not running
McAfee.

Verification Steps:

Enter the address "https://192.168.7.1:8890" in the browser on PC1 and PC2. In the pop-up page, select the Windows tab and click Download. Then, follow the steps to install the client.

In the client on PC1 and PC2, click Add Connection, and add a session with the connection name "ZTNA-intranet":

o Connection name: ZTNA-intranet

o Server: 192.168.7.1

o Port: 8890

In the client, click Connection, and use the R&D account to log in:

o Username: rduser01

o Password: password for rduser01

After successful login:

o In the ZTNA portal page displayed on PC1, Bug System and OA System are in the accessible state. Clicking the Bug System icon, the user is redirected to the Bug management page.

o In the ZTNA portal page displayed on PC2, Bug System is grayed out and OA System is displayed in blue. Clicking the Bug System icon, the user is prompted with a message indicating that the user is not granted access.

Log out rduser01 from the client on PC1 and PC2. Repeat the previous steps to log in with Finance user account finuser01.

o Connection name: ZTNA-intranet

o Server: 192.168.7.1

o Port: 8890

o Username: finuser01

o Password: password for finuser01

After successful login:

o In the ZTNA portal page displayed on PC1, Finance System and OA System are in the accessible state. Clicking the Finance System icon, the user is redirected to the Finance system page.

o In the ZTNA portal page displayed on PC2, Finance System is grayed out and OA System is displayed in blue. Clicking the Finance System icon, the user is prompted with a message indicating that the user is not granted access.
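The following is an added example (not from the cookbook and not StoneOS code) that models offline how the user groups, endpoint tags, policies and default action of Steps 1 to 7 combine into the portal results above. The endpoint state it feeds in is constructed, and it assumes that every condition in a tag's criteria set must hold and that an empty Endpoint tag field matches any device.

```python
"""Offline model of how the user groups, endpoint tags, ZTNA policies and default
action configured in Steps 1, 4, 5 and 7 decide what each user sees on the portal.
Added example, not StoneOS code. Assumptions: every condition in a tag's criteria
set must hold for the tag to match; policies are evaluated in list order; an empty
tag matches any endpoint; the endpoint state fed in is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Step 1: local users and the groups they belong to.
USER_GROUPS: Dict[str, Set[str]] = {"rduser01": {"rd-group"}, "finuser01": {"fin-group"}}

# Step 3: application resources and their portal hyperlinks.
RESOURCES = {
    "Bug System": "https://bug000.com:10001",
    "Finance System": "https://finance111.com:20001",
    "OA System": "https://oa333.com:30001",
}

# Step 4: running-process alias -> process name the client reports.
PROCESS_ALIASES = {"McAfee": "mcafee.exe"}

# Step 4: tags as criteria sets of (OS, endpoint info type, operator, value).
TAGS: Dict[str, List[Tuple[str, str, str, str]]] = {
    "tag1": [("windows", "OS Version", "is", "Windows10"),
             ("windows", "Running Process", "exist", "McAfee")],
    "tag2": [("windows", "OS Version", "is", "Windows10")],
}


@dataclass
class Endpoint:
    """Device state reported by the Secure Connect client (constructed)."""
    os: str
    os_version: str
    processes: Set[str] = field(default_factory=set)


@dataclass
class Policy:
    name: str
    users: Set[str]          # user groups the policy applies to
    resource: str
    tag: Optional[str]       # None models an empty Endpoint tag field
    action: str              # "permit" or "deny"
    enabled: bool = True     # Step 6: disabled policies are skipped


# Step 5: policies in evaluation order; Step 7: default action.
POLICIES = [
    Policy("z-policy1", {"rd-group"}, "Bug System", "tag1", "permit"),
    Policy("z-policy2", {"fin-group"}, "Finance System", "tag1", "permit"),
    Policy("z-policy3", {"rd-group", "fin-group"}, "OA System", "tag2", "permit"),
]
DEFAULT_ACTION = "deny"


def condition_matches(cond: Tuple[str, str, str, str], ep: Endpoint) -> bool:
    os_name, info_type, op, value = cond
    if ep.os != os_name:
        return False
    if (info_type, op) == ("OS Version", "is"):
        return ep.os_version == value
    if (info_type, op) == ("Running Process", "exist"):
        return PROCESS_ALIASES.get(value, value) in ep.processes
    raise ValueError(f"unsupported condition {cond!r}")


def tag_matches(tag: Optional[str], ep: Endpoint) -> bool:
    """All conditions of the criteria set must hold (assumption); empty tag always matches."""
    return tag is None or all(condition_matches(c, ep) for c in TAGS[tag])


def decide(user: str, ep: Endpoint, resource: str,
           policies: List[Policy] = POLICIES) -> Tuple[str, str]:
    """Return (action, name of the policy that decided, or 'default')."""
    groups = USER_GROUPS.get(user, set())
    for p in policies:
        if not p.enabled or p.resource != resource:
            continue
        if groups & p.users and tag_matches(p.tag, ep):
            return p.action, p.name
    return DEFAULT_ACTION, "default"


def portal_view(user: str, ep: Endpoint) -> Dict[str, str]:
    """Colour of each resource on the portal page: blue = accessible, gray = not granted."""
    return {r: "blue" if decide(user, ep, r)[0] == "permit" else "gray" for r in RESOURCES}


if __name__ == "__main__":
    pc1 = Endpoint("windows", "Windows10", {"mcafee.exe", "explorer.exe"})  # runs McAfee
    pc2 = Endpoint("windows", "Windows10", {"explorer.exe"})                # no McAfee
    for user in USER_GROUPS:
        for label, ep in (("PC1", pc1), ("PC2", pc2)):
            print(f"{user} on {label}: {portal_view(user, ep)}")
```

A device that is not Windows 10 fails both tags, so it is denied every resource by the default action even though its user belongs to a permitted group.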

Windows User Remotely Accessing Internal Server Through ZTNA

This example introduces how to configure ZTNA to enable Windows users to remotely access enterprise servers on the internal network.

Networking Scenario

An enterprise has R&D and Finance departments. The R&D department needs to access enterprise application resources including the Bug management system and OA system on the enterprise network. The Finance department needs to access enterprise application resources including the Finance system and OA system on the enterprise network. Now, the enterprise wants employees in these two departments to be able to access these systems when they are on a business trip. Meanwhile, the employees are expected to access the systems using terminal devices that meet the enterprise's network security requirements. Therefore, the enterprise deploys ZTNA and formulates the following control policies based on user identity and security requirements on access terminal devices:

o R&D employees are allowed to access the Bug management system and OA system.

o Finance employees are allowed to access the Finance and OA systems.

o The access device used for remote access must meet these requirements: the OS is Windows 10 and McAfee is running. If McAfee is not running, the employee is allowed to access only the OA system.

o A user that does not meet any one of the previous requirements will be denied access to any resources.

The networking diagram is shown as follows.

Configuration Roadmap

1. Create user group "rd-group" for R&D employees and add R&D employee accounts to it.

2. Create user group "fin-group" for Finance employees and add Finance employee accounts to it.

3. Configure ZTNA server parameters for establishing secure connections from the client to the device and to the application
resources:

a. ZTNA server name: name of the ZTNA service that users will access

b. Egress interface and service port: address and port number of the ZTNA service

c. Address pool: used for allocating private addresses to connect the internal network

d. Tunnel interface and tunnel route: used to establish the dedicated tunnel between the user and the application resources

e. Allow download client from browser: allow users to download ZTNA client by accessing the ZTNA service address in the
browser

f. Multiple login: allow the same user account to log in on multiple clients at the same time

g. Two-step verification: configure the user to pass SMS code verification after logging in with user account and password

4. Create application resources "Bug System", "Finance System" and "OA System", which correspond with the Bug management system, Finance system and OA system respectively, and set their URL addresses. After a user logs in on the client, the user can view the names and URL addresses of the application resources that are granted and currently not granted access. Application resources that you have permission to access are displayed in blue on the ZTNA Portal page, and application resources that you do not have permission to access are displayed in gray. In addition, configure application resource "Inter-DNS" for the DNS server on the enterprise network to provide domain name resolution for user traffic.

5. Configure endpoint tags. For users whose device status fully complies with the network security regulations of the company, set two endpoint tags, tag1 and tag2: tag1 requires the device to run the Windows 10 operating system and to have the McAfee running process present; tag2 requires the device to run the Windows 10 operating system only.

6. Configure and enable ZTNA policies. When a user's group and tag match a ZTNA policy with action Permit, the user is granted access to the specific application resources. In addition, configure a ZTNA policy that allows user traffic to the internal DNS server "Inter-DNS" for domain name resolution, and place this policy at the beginning of all ZTNA policies.

7. Configure the default action as Deny, so that a user that does not match any ZTNA policy will be denied access to any application resources.

Preparations

Configure the address pool "pool-1", tunnel interface "tunnel23", and SMS gateway "hillstone" in advance. For more information, refer to the StoneOS WebUI User Guide.

Note: The IP address of the tunnel interface and the address pool "pool-1" need to fall into the same CIDR block, and must not conflict with any internal endpoint address that is in use.

o Select Object > Access Address Pool. On the Access Address Pool page, configure the address pool "pool-1".

Note: When you configure ZTNA, if you need to access application resources of internal networks by domain name, you need to configure the DNS parameter.

o Select Network > Interface. On the Interface page, click New, select Tunnel Interface from the drop-down list, and then configure the tunnel interface "tunnel23".

o Select System > SMS Parameters > SMS Gateway. On the SMS Gateway page, configure the SMS gateway "hillstone".

Configuration Steps

Step 1: Creating local users and user groups

Select ZTNA > User > Local User. Click New > User to create user "rduser01", add it to user group "rd-group", and set the password and phone number for two-step verification.

Then, follow the same step to create user "finuser01" and add it to user group "fin-group".

Step 2: Configuring ZTNA

Select ZTNA > Gateway, and click New > Remote Access. In the Name/Access User tab:

o Server Name: ZTNA-Connect

o Type: IPv4

o Assigned Users: Click New, and select "local" for the AAA Server dropdown list

Note: In the Assigned Users section, you can configure at most 10 AAA servers. When multiple servers are configured, you need
to configure the Domain parameter.

In the Interface tab:

o Egress Interfaces: ethernet0/3

o Service port: 8890

o Tunnel Interface: tunnel23

o Address Pool: pool-1

Note: You need to configure the tunnel interface "tunnel23" and address pool "pool-1" in advance. The IP address of the tunnel
interface and the address pool need to fall into the same CIDR block.

In the Tunnel Route tab, click New:

o IP: 10.160.65.0

o Netmask: 255.255.255.0

o Metric: 35

Note: When you specify the tunnel route, the IP address of the tunnel route and the IP address of the internal network server need
to fall into the same CIDR block.

In the Parameters tab, enable the Allow Download Client from Browser and Multiple login functions and set the Multiple login
times option to 0.

Note: Use the default values for other parameters.

In the Two-Step Verification tab:

o Two-Step Verification: Click the Enable button

o Type: SMS Authentication

o SMS Auth Type: SMS Gateway

o SMS Gateway Name: hillstone

o Lifetime of SMS Verification Code: 10

o Sender Name: hillstone

o Verification Code Length: 8

o SMS Template (optional)

Note: You need to configure the SMS gateway "hillstone" in advance.

After the ZTNA configuration is completed, click OK.

Step 3: Creating application resources

Select ZTNA > Application Resource Book > Application Resource and click New. In the Application Resource Configuration
tab, click New to create application resource "Bug System".

o Name: Bug System (Name of the Bug management system displayed on ZTNA portal page)

o Hyperlink: https://bug000.com:10001 (URL address of the Bug management system)

o Address Type: IPv4/Netmask

o Address: 10.160.65.1/32

o Protocol: TCP

o Port: 10001 - 10001

Repeat the previous operation to create application resource "Finance System".

o Name: Finance System (Name of the finance system displayed on ZTNA portal page)

o Hyperlink: https://finance111.com:20001 (URL address of the finance system)

o Address Type: IPv4/Netmask

o Address: 10.160.65.2/32

o Protocol: TCP

o Port: 20001 - 20001

Repeat the previous operation to create application resource "OA System".

o Name: OA System (Name of the OA system displayed on ZTNA portal page)

o Hyperlink: https://oa333.com:30001 (URL address of the OA system)

o Address Type: IPv4/Netmask

o Address: 10.160.65.3/32

o Protocol: TCP

o Port: 30001 - 30001

Repeat the previous operation to create application resource "Inter-DNS" for domain name resolution.

o Name: Inter-DNS

o Hyperlink: empty

o Address Type: IPv4/Netmask

o Address: 10.160.65.5/32

o Protocol: UDP

o Port: 53 - 53

Step 4: Creating endpoint tags

Select ZTNA > Endpoint > Information. In the Windows > Running Process tab, click New to add the following running process.

o Alias: McAfee

o Running Process: mcafee.exe (enter the name of the process corresponding to McAfee)

Select ZTNA > Endpoint > Tag and click New. In the Tag Configuration tab:

o Name: tag1

Click Add Criteria Set:

o Operating System: windows

o Endpoint Info Type: Select OS Version. Continue to select is and Windows10.

Click + button to create the following condition:

o Operating System: windows

o Endpoint Info Type: Select Running Process. Continue to select exist and then McAfee.

Repeat the previous operation to create "tag2".

o Name: tag2

Click Add Criteria Set:

o Operating System: windows

o Endpoint Info Type: Select OS Version. Continue to select is and Windows10.

Step 5: Configuring ZTNA policies

Select ZTNA > Policy and click New. In the Policy Configuration tab:

o Name: z-policy1

o User: rd-group

o Application Resource: Bug System

o Endpoint tag: tag1

o Action: Permit

Repeat the previous operation to create "z-policy2":

o Name: z-policy2

o User: fin-group

o Application Resource: Finance System

o Endpoint tag: tag1

o Action: Permit

Repeat the previous operation to create "z-policy3":

o Name: z-policy3

o User: rd-group, fin-group

o Application Resource: OA System

o Endpoint tag: tag1

o Action: Permit

Repeat the previous operation to create "dns-policy" for user traffic domain name resolution on the internal DNS server:

o Name: dns-policy

o User: rd-group, fin-group

o Application Resource: Inter-DNS

o Endpoint tag: empty

o Action: Permit

Step 6: Check that ZTNA policies are enabled

Select ZTNA > Policy and check whether these ZTNA policies are enabled. If not, select "z-policy1", "z-policy2", "z-policy3" and
"dns-policy", click ┇ and then select Enable.

Step 7: Configuring the default action

Select ZTNA > Policy, click ┇ and select Default Policy Action. In the Default Policy Action dialog box, set the default action to Deny.

Step 8: Results

Verification Method:

1. Download the Secure Connect client. On PC1 and PC2, access https://10.182.159.103:8890 to download the Secure Connect Windows client. The IP address and port number are the ones configured in the Interface tab.

2. Log in to the client on PC1 and PC2 to check whether the access privilege for each application is correct in the ZTNA portal page.

3. Click an application resource with access privilege to check whether the user will be directed to the resource page.

Note: The operating systems of PC1 and PC2 are both Windows 10, and PC1 is running McAfee, while PC2 is not running
McAfee.

Verification Steps:

Enter the address "https://10.182.159.103:8890" in the browser on PC1 and PC2. In the pop-up page, select the Windows tab and click Download. Then, follow the steps to install the client.

In the client on PC1 and PC2, click Add Connection, and add a session with the connection name "ZTNA-Connect":

o Connection name: ZTNA-Connect

o Server: 10.182.159.103

o Port: 8890

In the client, click Connection, and use the R&D account to log in:

o Username: rduser01

o Password: password for rduser01

After passing the SMS code verification:

o In the ZTNA portal page displayed on PC1, Bug System and OA System are in the accessible state. Clicking the Bug System icon, the user is redirected to the Bug management page.

o In the ZTNA portal page displayed on PC2, Bug System is grayed out and OA System is displayed in blue. Clicking the Bug System icon, the user is prompted with a message indicating that the user is not granted access.

Log out rduser01 from the client on PC1 and PC2. Repeat the previous steps to log in with Finance user account finuser01.

o Server: 10.182.159.103

o Port: 8890

o Username: finuser01

o Password: password for finuser01

After passing SMS code verification:

o In the ZTNA portal page displayed on PC1, Finance System and OA System are in the accessible state. Clicking the Finance System icon, the user is redirected to the Finance system page.

o In the ZTNA portal page displayed on PC2, Finance System is grayed out and OA System is displayed in blue. Clicking the Finance System icon, the user is prompted with a message indicating that the user is not granted access.
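The preparation notes of this recipe require the tunnel interface address and the address pool "pool-1" to share a CIDR block without conflicting with addresses already in use, and the tunnel route to cover the internal servers. The following added check (example code, not StoneOS code) verifies those constraints; the tunnel route and application resource addresses are the values configured in Steps 2 and 3, while the tunnel interface address, pool range and list of in-use internal networks are constructed placeholders, since the cookbook shows them only in screenshots.

```python
"""Consistency checks for the tunnel interface, access address pool and tunnel routes
of the remote-access recipe. Added example, not StoneOS code."""
import ipaddress
from typing import Dict, List

# Values given in Step 2 (Tunnel Route tab) and Step 3 (application resources).
TUNNEL_ROUTES = ["10.160.65.0/24"]
RESOURCE_ADDRESSES: Dict[str, str] = {
    "Bug System": "10.160.65.1/32",
    "Finance System": "10.160.65.2/32",
    "OA System": "10.160.65.3/32",
    "Inter-DNS": "10.160.65.5/32",
}

# Constructed placeholders: the cookbook shows these only in screenshots.
TUNNEL23_ADDRESS = "172.16.23.1/24"                       # hypothetical tunnel23 address
POOL1_RANGE = ("172.16.23.10", "172.16.23.200")           # hypothetical pool-1 range
NETWORKS_IN_USE = ["10.160.65.0/24", "192.168.7.0/24"]    # hypothetical internal segments


def check_pool_and_tunnel(tunnel_if: str, pool_start: str, pool_end: str,
                          in_use: List[str]) -> List[str]:
    """Return the problems found (an empty list means the preparation notes hold)."""
    problems: List[str] = []
    iface = ipaddress.ip_interface(tunnel_if)
    net = iface.network
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    if start > end:
        problems.append(f"pool start {start} is above pool end {end}")
    # Same CIDR block: both ends of the pool must lie inside the tunnel interface's network.
    if start not in net or end not in net:
        problems.append(f"pool {start}-{end} is not inside tunnel network {net}")
    # The pool must not hand out the tunnel interface's own address.
    if start <= iface.ip <= end:
        problems.append(f"pool contains the tunnel interface address {iface.ip}")
    # No conflict with endpoints already in use: the pool must not overlap any
    # internal segment.
    for used in in_use:
        used_net = ipaddress.ip_network(used, strict=False)
        if used_net.network_address <= end and start <= used_net.broadcast_address:
            problems.append(f"pool {start}-{end} overlaps internal network {used_net}")
    return problems


def uncovered_resources(routes: List[str], resources: Dict[str, str]) -> List[str]:
    """Return resources whose address no tunnel route covers; client traffic to them
    would not enter the tunnel even if a ZTNA policy permits the resource."""
    nets = [ipaddress.ip_network(r) for r in routes]
    return [name for name, addr in resources.items()
            if not any(ipaddress.ip_network(addr).subnet_of(n) for n in nets)]


if __name__ == "__main__":
    for p in check_pool_and_tunnel(TUNNEL23_ADDRESS, *POOL1_RANGE, NETWORKS_IN_USE):
        print("pool/tunnel:", p)
    for name in uncovered_resources(TUNNEL_ROUTES, RESOURCE_ADDRESSES):
        print("no tunnel route for:", name)
    # In the intranet-access recipe the Finance system sat at 10.160.66.1/32; with
    # only the 10.160.65.0/24 tunnel route it would be reported here.
    print(uncovered_resources(TUNNEL_ROUTES, {"Finance System": "10.160.66.1/32"}))
```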

Android User Remotely Accessing Internal Server Through ZTNA

This example introduces how to configure ZTNA to enable Android users to remotely access the bank service system on the internal network.

Networking Scenario

A bank needs its staff to handle services for customers on the go by accessing the bank service system from hand-held terminals. To ensure access security, the bank wants to deploy ZTNA and requires that staff access ZTNA using an Android device of the customized device model number designated by the bank, with the device's system version updated to Android 13.

Specific privilege setting and requirements are as follows:

o Bank staff can log in to the ZTNA gateway with the specified account and password when using the designated Android device, and can switch to the bank service system via the ZTNA Portal page after login.

o Bank staff can log in to the ZTNA gateway with the specified account and password when using other Android devices or using the designated device whose system version is not Android 13, but cannot access the bank service system. When clicking the bank service system displayed on the ZTNA Portal, the staff will see a tip indicating "Please use designated device and update system version to Android 13!".

o No account other than the specified account can log in to the ZTNA gateway.

In addition, the bank wants the ZTNA service port to be closed by default, so that neither the port nor the bank service system is visible on the network or exposed to scanning. For a user who needs to access the ZTNA service, the service port is opened to that user only after the user has passed verification by the ZTNA service, which is done by sending single packet authorization (SPA) packets to knock the ZTNA service port.

The networking diagram is shown as follows.

Configuration Roadmap

1. Create a local user "user01" for the bank staff to log in to the ZTNA gateway.

2. Configure ZTNA server parameters for establishing secure connections from the client to the device and to the application resources.

a. ZTNA service: name of the ZTNA service that users will access

b. Egress interface and service port: address and port number of the ZTNA service

c. Address pool: used for allocating private addresses for connecting to the internal network

d. Tunnel interface and tunnel route: used to establish the dedicated tunnel between the user and the application resources

3. Configure Single Packet Authorization (SPA) to hide the ZTNA service IP and port number. The ZTNA service port will be
open to the user who accesses through the Hillstone Secure Connect client and passes SPA.

4. Configure the bank service system as application resource "Bank System" and specify a hyperlink for it so that the user can switch
to the bank service system via the ZTNA Portal after login.

5. Configure the designated Android device's model number A-bank-2256 as a custom endpoint item "m-device".

6. Create endpoint tag "m-device-tag" for the designated Android device whose device model number is "m-device" and system
version is Android 13 and configure the tip "Please use designated device and update system version to Android 13!", which will
be displayed when the user is not granted access to the bank service system because the endpoint tag is not matched.

7. Configure and enable ZTNA policy "m-policy", allowing the bank staff to access the bank service system via the designated
Android device.

8. Configure the default action as Deny, so that a user that does not match "m-policy" will be denied access to the bank service system.

Preparations

Configure the address pool "pool-ad", and tunnel interface "tunnel2". For more information, refer to StoneOS WebUI User Guide.

Note: The IP address of the tunnel interface and the address pool "pool-ad" need to fall into the same CIDR block, and must not conflict with any internal endpoint address that is in use.

o Select Object > Access Address Pool. On the Access Address Pool page, configure the address pool "pool-ad".

Note: When you configure ZTNA, if you need to access application resources of internal networks by domain name, you need to configure the DNS parameter.

o Select Network > Interface. On the Interface page, click New, select Tunnel Interface from the drop-down list, and then configure the tunnel interface "tunnel2".

Configuration Steps

Step 1: Creating local user.

Select ZTNA > User > Local User. Click New > User to create user "user01" and set the password.


Step 2: Configuring ZTNA

Select ZTNA > Gateway, and click New > Remote Access. In the Name/Access User tab:

o Server Name: ztna-s

o Type: IPv4

o Assigned Users: Click New, and select local from the AAA Server drop-down list

In the Interface tab:

o Egress Interfaces: ethernet1/2

o Service port: 20081

o Tunnel Interface: tunnel2

o Address Pool: pool-ad

Note: You need to configure the tunnel interface "tunnel2" and address pool "pool-ad" in advance. The IP address of the tunnel interface and the address pool need to fall into the same CIDR block.

In the Tunnel Route tab, click New:

o IP: 10.182.190.0

o Netmask: 255.255.255.0

o Metric: 35

The tunnel route must be on the same network segment as the internal server.


After the ZTNA gateway configuration is complete, click OK.
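The two notes in this step (the address pool must lie inside the tunnel interface's CIDR block without colliding with addresses already in use, and the tunnel route must cover the internal server) are easy to get wrong by hand. The following Python check is an added example, not part of the cookbook or of StoneOS; it uses the tunnel route (10.182.190.0/24) and server address (10.182.190.175) from this recipe, while the tunnel interface address, pool range and in-use address are constructed placeholders because the page does not give them.

```python
import ipaddress

# Values taken from the recipe: the tunnel route (10.182.190.0/24) and the bank
# service system's address (10.182.190.175). The tunnel interface address, the
# address pool range and the in-use internal address are NOT on the page; they
# are constructed here for illustration.
TUNNEL_IF_ADDR = "192.0.2.1/24"                   # constructed address of tunnel2
POOL_RANGE = ("192.0.2.10", "192.0.2.100")        # constructed range of pool-ad
INTERNAL_IN_USE = ["192.0.2.200"]                 # constructed: address already used internally
TUNNEL_ROUTE = ("10.182.190.0", "255.255.255.0")  # from Step 2, Tunnel Route tab
SERVER_IP = "10.182.190.175"                      # from Step 4, Hyperlink


def pool_in_tunnel_block(tunnel_if, pool):
    """True if both ends of the pool lie inside the tunnel interface's CIDR block."""
    net = ipaddress.ip_interface(tunnel_if).network
    first, last = (ipaddress.ip_address(a) for a in pool)
    return first <= last and first in net and last in net


def pool_conflicts(pool, in_use):
    """Return the in-use addresses that fall inside the pool range."""
    first, last = (ipaddress.ip_address(a) for a in pool)
    return [a for a in in_use if first <= ipaddress.ip_address(a) <= last]


def route_covers_server(route, server):
    """True if the tunnel route's network segment contains the internal server."""
    ip, mask = route
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=True)
    return ipaddress.ip_address(server) in net


def validate(tunnel_if=TUNNEL_IF_ADDR, pool=POOL_RANGE, in_use=INTERNAL_IN_USE,
             route=TUNNEL_ROUTE, server=SERVER_IP):
    """Collect every violation of the notes in this recipe; an empty list means OK."""
    problems = []
    if not pool_in_tunnel_block(tunnel_if, pool):
        problems.append("address pool is not inside the tunnel interface's CIDR block")
    for addr in pool_conflicts(pool, in_use):
        problems.append(f"address pool overlaps an internal address in use: {addr}")
    if not route_covers_server(route, server):
        problems.append("tunnel route does not cover the internal server")
    return problems


if __name__ == "__main__":
    for line in validate() or ["configuration consistent"]:
        print(line)
```

Run it before committing the gateway: an empty result means the pool, tunnel interface and route agree; each returned line names the note that was violated.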

Step 3: Configuring Single Packet Authorization (SPA)

Select ZTNA > SPA > SPA Configuration to enable SPA and set the knock port:

o Enable: click to enable SPA

o Port: 60001

Click New to add the ZTNA service address as a hidden address:

o IP: 10.8.6.19

o Port: 20081

o Virtual Router: trust-vr


Step 4: Creating application resource

Select ZTNA > Application Resource Book > Application Resource and click New. In the Application Resource Configuration tab, click New to create application resource "Bank System".

o Name: Bank System (name of the bank service system displayed on the ZTNA portal page)

o Hyperlink: https://10.182.190.175 (URL of the bank service system)

Click New to configure application resource rule:

o Type: Domain

o Domain: bankserv.com

o Protocol: HTTPS

o Port: 443 - 443

Step 5: Adding the designated Android device as endpoint information to be collected

Select ZTNA > Endpoint > Information and click Android. Click Device Model and add the model number of the designated device:

o Alias: m-device

o Device Model: A-bank-2256


Step 6: Creating endpoint tag

Select ZTNA > Endpoint > Tag and click New to create the endpoint tag in the Tag Configuration tab:

o Name: m-device-tag

o Tips: Please use designated device and update system version to Android 13!

Click Add Criteria Set and add the device model and system version as criteria:

o Operating System: Android

o Endpoint Info Type: Select OS Version. Continue to select is and then Android 13.

Click the + button to create the following condition:

o Operating System: Android

o Endpoint Info Type: Select Device Model. Continue to select is and then m-device.


Step 7: Configuring ZTNA policy

Select ZTNA > Policy and click New. In the Policy Configuration tab:

o Name: m-policy

o User: user01

o Application Resource: Bank System

o Endpoint Tag: m-device-tag

o Action: Permit

Step 8: Checking that ZTNA policy is enabled

Select ZTNA > Policy and check whether the ZTNA policy is enabled. If not, select "m-policy", click ┇ and then select Enable.


Step 9: Configuring the default action

Select ZTNA > Policy, click ┇ and select Default Policy Action. In the Default Policy Action dialog box, set the default action to Deny.

Step 10: Results

Access the client download page: http://www.hillstonenet.com.cn/product/technology/VPN.html.

Locate the QR code for Android client and use the designated
Android device to scan the code.

Download the installation file and install the Hillstone Secure Connect
client.


Open the client and click Add Connection on the upper right. In the
displayed dialog box, fill the following information and then click Add
Connection at the lower part:

o Connection Name: ZTNA-Bank

o Server: 10.8.6.19

o Port: 20081

o User: user01

o Password: password of the user "user01"

o SPA: on

o Port: 60001

Return to the Hillstone Secure Connect client and click Connect on the ZTNA-Bank session.

After login, the ZTNA Portal page is displayed. Click Bank System to switch to the bank service system.
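The access decision this recipe builds (Steps 5 to 9) is a combination of user, application resource, endpoint tag and a default Deny. The Python model below is an added example, not code from the cookbook or from StoneOS; it reproduces that decision with the names and values from this recipe so the effect of the default action and of the endpoint tip can be seen. It assumes the two conditions in the criteria set are both required (inferred from the tip text, which asks for the designated device and Android 13), and the Endpoint records are constructed samples.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    """Endpoint information reported by the client (constructed sample records)."""
    os: str
    os_version: str
    device_model: str


# Step 5: custom endpoint item alias -> device model number
ENDPOINT_ITEMS = {"m-device": "A-bank-2256"}

# Step 6: endpoint tag; both conditions of the criteria set must hold
# (assumed AND, inferred from the tip, which asks for the device AND Android 13)
ENDPOINT_TAGS = {
    "m-device-tag": {
        "tip": "Please use designated device and update system version to Android 13!",
        "criteria": [
            ("Android", "OS Version", "Android 13"),
            ("Android", "Device Model", "m-device"),
        ],
    }
}

# Step 7 policy (enabled in Step 8) and Step 9 default action
POLICIES = [
    {"name": "m-policy", "user": "user01", "resource": "Bank System",
     "tag": "m-device-tag", "action": "Permit", "enabled": True},
]
DEFAULT_ACTION = "Deny"


def tag_matches(tag_name, ep):
    """Every criterion of the tag must hold for the endpoint."""
    for os_name, info_type, expected in ENDPOINT_TAGS[tag_name]["criteria"]:
        if ep.os != os_name:
            return False
        if info_type == "OS Version" and ep.os_version != expected:
            return False
        if info_type == "Device Model" and ep.device_model != ENDPOINT_ITEMS.get(expected):
            return False
    return True


def evaluate(user, resource, ep):
    """Return (action, tip). The tip is set only when a policy matched the user and
    resource but the endpoint failed the tag, which is when the portal shows it."""
    tip = None
    for policy in POLICIES:
        if not policy["enabled"] or policy["user"] != user or policy["resource"] != resource:
            continue
        if tag_matches(policy["tag"], ep):
            return policy["action"], None
        tip = ENDPOINT_TAGS[policy["tag"]]["tip"]
    # No policy permitted the request: the default action applies.
    return DEFAULT_ACTION, tip


if __name__ == "__main__":
    designated = Endpoint("Android", "Android 13", "A-bank-2256")
    outdated = Endpoint("Android", "Android 12", "A-bank-2256")
    print(evaluate("user01", "Bank System", designated))  # permitted
    print(evaluate("user01", "Bank System", outdated))    # denied, tip shown
    print(evaluate("user02", "Bank System", designated))  # denied, no matching policy
```

The third call shows why Step 9 matters: a user with no matching policy is refused by the default action rather than falling through, and receives no endpoint tip because no policy was close enough to match.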


High Availability

High Availability is a redundancy backup method. It uses two identical devices to ensure that when one fails, the other immediately takes over to keep the network available.

This chapter includes the following recipes:

o "Ensuring Uninterrupted Connection Using HA" on Page 347

o "Making Two Firewalls Working in Hot Standby Mode by Deploying them in HA Peer to Ensure the Continuity of Service" on Page 355

o "Using Two Devices as Gateways to Forward Business Traffic and Back Up Each Other Based on HSVRP, which Ensures Uninterrupted Business Traffic" on Page 360


Ensuring Uninterrupted Connection Using HA


This example introduces how to configure two devices working in Active-Passive mode to provide high availability for the protected network.

The topology gives a typical user scenario for HA. In the designed scenario, one of the HA devices (Device A) works in active mode, while the other (Device B) is in passive mode. The active device synchronizes its data and status to the passive device. When the active one fails, the passive device immediately switches to active, without interrupting the network.


Configuration Steps

Step 1: Configuring track objects. Each device monitors its own ethernet0/0.

Device A

Select Object > Track Object, and click New.

o Name: track1

o Threshold: 255

o HA sync: Disable

o Track Type: Select Interface, and click Add. In the prompt, select ethernet0/0, and set the weight to 255.

Device B

Select Object > Track Object, and click New.

o Name: track1

o Threshold: 255

o HA sync: Disable

o Track Type: Select Interface, and click Add. In the prompt, select ethernet0/0, and set the weight to 255.


Step 2: Configuring Device A's interface and policy

Select Network > Interface, and double click ethernet0/0.

o Binding Zone: Layer 3 Zone

o Zone: untrust

o HA sync: Enable

o Type: Static IP

o IP Address: 100.1.1.4

o Netmask: 29

Select Network > Interface, and double click ethernet0/1.

o Binding Zone: Layer 3 Zone

o Zone: trust

o HA sync: Enable

o Type: Static IP

o IP Address: 192.168.1.4

o Netmask: 29


Select Policy > Security Policy > Policy, and click New.

o Name: policy

o Source Zone: trust

o Source Address: Any

o Destination Zone: untrust

o Destination Address: Any

o Service: Any

o Action: Permit


Step 3: Configuring HA function

Device A

Select System > HA.

o Working Mode: Active-Passive

o Control link interface 1: ethernet0/4

o Control link interface 2: ethernet0/8

o IP Address: 10.10.1.1/24

o HA cluster ID: 1

o Node ID: 0

o HA Group Configuration:
Enter 10 for "Priority"
and select track1 for
"Track Object".


Device B

Select System > HA.

o Working Mode: Active-Passive

o Control link interface 1: ethernet0/4

o Control link interface 2: ethernet0/8

o IP Address: 10.10.1.2/24

o HA cluster ID: 1

o Node ID: 1

o HA Group Configuration:
Enter 100 for "Priority"
and select track1 for
"Track Object".


Step 4: Configuring management IP of active and passive devices after synchronization

Device A

Select Network > Interface, and double click ethernet0/1. Under IP Configuration, click Advanced.

o Management IP

o IP Address: 192.168.1.253

Device B

Select Network > Interface, and double click ethernet0/1. Under IP Configuration, click Advanced.

o Management IP

o IP Address: 192.168.1.254


Step 5: Results

After configuration, select System > System and Signature Database. Under System Information, the "HA State" item shows the device's HA status.

Device A

o HA State: Master

Device B

o HA State: Backup

When Device A fails to forward traffic or its eth0/0 is disconnected, Device B turns to Active and starts forwarding without interrupting the protected network. Select System > System and Signature Database. Under System Information, the "HA State" item shows the device's HA status.

Device A

o HA State: Monitor Failed

Device B

o HA State: Master
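The results above follow from three settings made earlier: the track object (threshold 255, interface weight 255), the group priority (10 on Device A, 100 on Device B) and the node ids. The Python model below is an added example, not code from the cookbook or from StoneOS; it replays Steps 1 and 3 to show why Device A is Master at first and becomes Monitor Failed when its ethernet0/0 goes down. The election rule it uses (the lower priority value wins, node id as tie-breaker) is inferred from the results in Step 5 and should be read as an assumption of this model.

```python
from dataclasses import dataclass, field


@dataclass
class TrackObject:
    """Step 1 track object: fails when the weight of down members reaches the threshold."""
    name: str
    threshold: int
    members: dict  # interface name -> weight

    def failed(self, link_up):
        down_weight = sum(w for ifname, w in self.members.items()
                          if not link_up.get(ifname, True))
        return down_weight >= self.threshold


@dataclass
class HaNode:
    name: str
    node_id: int
    priority: int          # lower value wins: inferred from Step 5 (priority 10 became Master)
    track: TrackObject
    link_up: dict = field(default_factory=dict)  # interface name -> link state


def ha_states(nodes):
    """Map each node to Master, Backup or Monitor Failed."""
    states = {}
    healthy = []
    for n in nodes:
        if n.track.failed(n.link_up):
            states[n.name] = "Monitor Failed"   # track object tripped: not eligible
        else:
            healthy.append(n)
    if healthy:
        master = min(healthy, key=lambda n: (n.priority, n.node_id))
        for n in healthy:
            states[n.name] = "Master" if n is master else "Backup"
    return states


def build_cluster():
    """Devices A and B as configured in Steps 1 and 3 of this recipe."""
    a = HaNode("Device A", 0, 10, TrackObject("track1", 255, {"ethernet0/0": 255}),
               {"ethernet0/0": True})
    b = HaNode("Device B", 1, 100, TrackObject("track1", 255, {"ethernet0/0": 255}),
               {"ethernet0/0": True})
    return a, b


def scenario_normal():
    return ha_states(build_cluster())


def scenario_a_link_down():
    a, b = build_cluster()
    a.link_up["ethernet0/0"] = False   # Device A's monitored interface is disconnected
    return ha_states((a, b))


if __name__ == "__main__":
    print("normal:       ", scenario_normal())
    print("A eth0/0 down:", scenario_a_link_down())
```

Because the interface weight equals the threshold, a single link loss is enough to trip the track object; a lower weight would let the device stay Master through the loss of one interface, which is rarely what an Active-Passive pair should do.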


Making Two Firewalls Working in Hot Standby Mode by Deploying them in HA Peer to Ensure the Continuity of Service

This example introduces how to configure two firewalls to work in the HA Peer Active-Active (A/A) mode. Each processes its own traffic while backing up the other, so that network communication is not interrupted.

As shown in the figure below, without affecting the original network architecture, the two Hillstone firewalls Device A and Device B
are connected transparently to the upstream and downstream devices.

The eth0/3 and eth0/4 interfaces of Device A are used to connect to the upstream and downstream routers. The eth0/3:1 and eth0/4:1 interfaces of Device B are used to connect to the upstream and downstream routers. Also, Device A and Device B use the eth0/1 and eth0/2 interfaces as HA link interfaces.

Normally, both Device A and Device B forward the traffic from PC to the Server. When one of them fails, the other one takes over all
the traffic.

Configuration Steps

Step 1: Configuring HA Peer


Device A

hostname(config)# ha link interface ethernet0/1

hostname(config)# ha link data interface ethernet0/2

hostname(config)# ha link ip 10.10.1.2/24

hostname(config)# ha cluster 1 peer-mode node 0

hostname(config)# ha group 0

hostname(config-ha-group)# exit

hostname(config)# ha group 1

hostname(config-ha-group)# exit

hostname(config)# ha traffic enable

hostname(config)#

Device B

hostname(config)# ha link interface ethernet0/1

hostname(config)# ha link data interface ethernet0/2

hostname(config)# ha link ip 10.10.1.3/24

hostname(config)# ha cluster 1 peer-mode node 1

hostname(config)# ha group 0

hostname(config-ha-group)# exit

hostname(config)# ha group 1

hostname(config-ha-group)# exit

hostname(config)# ha traffic enable

hostname(config)#

Step 2: Configuring the interfaces.


Device A

hostname(M0D1)(config)# interface ethernet0/4

hostname(M0D1)(config-if-eth0/4)# zone l2-untrust

hostname(M0D1)(config-if-eth0/4)# exit

hostname(M0D1)(config)# interface ethernet0/3

hostname(M0D1)(config-if-eth0/3)# zone l2-trust

hostname(M0D1)(config-if-eth0/3)# exit

hostname(M0D1)(config)# interface ethernet0/4:1

hostname(M0D1)(config-if-eth0/4:1)# zone l2-untrust

hostname(M0D1)(config-if-eth0/4:1)# exit

hostname(M0D1)(config)# interface ethernet0/3:1

hostname(M0D1)(config-if-eth0/3:1)# zone l2-trust

hostname(M0D1)(config-if-eth0/3:1)# exit

hostname(M0D1)(config)#

Step 3: Configuring track objects and binding them to HA groups.

Device A

hostname(M0D1)(config)# track track1 local

hostname(M0D1)(config-trackip)# interface ethernet0/3

hostname(M0D1)(config-trackip)# interface ethernet0/4

hostname(M0D1)(config-trackip)# exit

hostname(M0D1)(config)# ha group 0

hostname(M0D1)(config-ha-group)# monitor track track1

hostname(M0D1)(config-ha-group)# exit

hostname(M0D1)(config)#


Device B

hostname(D0M1)(config)# track track2 local

hostname(D0M1)(config-trackip)# interface ethernet0/3:1

hostname(D0M1)(config-trackip)# interface ethernet0/4:1

hostname(D0M1)(config-trackip)# exit

hostname(D0M1)(config)# ha group 1

hostname(D0M1)(config-ha-group)# monitor track track2

hostname(D0M1)(config-ha-group)# exit

hostname(D0M1)(config)#

Step 4: Configuring a security policy.

hostname(M0D1)(config)# policy-global

hostname(M0D1)(config-policy)# rule id 1

Rule id 1 is created

hostname(M0D1)(config-policy-rule)# src-zone trust

hostname(M0D1)(config-policy-rule)# dst-zone untrust

hostname(M0D1)(config-policy-rule)# service Any

hostname(M0D1)(config-policy-rule)# action permit

hostname(M0D1)(config-policy-rule)# exit

hostname(M0D1)(config)#

Verification

Device A and Device B Working Normally

When Device A and Device B work normally, both of them forward traffic from PC to Server (IP: 30.1.2.10/24).

As shown below, you can use the trace 30.1.2.10 command on the PC to view the path information of the traffic.


o Traffic forwarded by Device A:

o Traffic forwarded by Device B:

Device B Failing and Device A Working Normally

When Device B fails and Device A works normally, Device A takes over all the traffic from PC to Server.

In this case, the status of Device A is still . The status of Device B changes from to . You can use the ping command on the PC to test whether the PC can still connect to Server successfully.


Using Two Devices as Gateways to Forward Business Traffic and Back Up Each Other Based on HSVRP, which Ensures Uninterrupted Business Traffic

This example introduces how to configure the HSVRP function when the firewall devices are deployed in HA Peer A/A mode and work as gateways, so that when one of the firewalls fails, the original IP address of its gateway can still be reached.

As shown in the figure below, the two Hillstone devices M0D1 and D0M1 are deployed in the Peer A/A mode. The connection of the
interfaces on the two firewalls is as follows:

o M0D1:

o The xethernet1/10 is used as the HA control link interface and xethernet2/10 is used as the HA data link interface.

o The xethernet1/14 is directly connected to the upstream switch and its IP address is 20.1.1.11/24. The xethernet2/15 is directly connected to the downstream switch and its IP address is 30.1.1.11/16.

o D0M1:

o The xethernet1/10 is used as the HA control link interface and xethernet2/10 is used as the HA data link interface.

o The xethernet1/14:1 is directly connected to the upstream switch and its IP address is 20.1.1.12/24. The xethernet2/15:1 is directly connected to the downstream switch and its IP address is 30.1.1.12/16.

Four HSVRP groups are configured: hsvrp 1, hsvrp 2, hsvrp 3 and hsvrp 4. Their virtual IP addresses are different from each other.

Take hsvrp 1 and hsvrp 2 as an example: the xethernet1/14 interface is used as the primary interface of hsvrp 1 and the xethernet1/14:1 interface is used as the secondary interface of hsvrp 1. The xethernet1/14:1 interface is used as the primary interface of hsvrp 2 and the xethernet1/14 interface is used as the secondary interface of hsvrp 2.

If D0M1 fails, the virtual IP address of hsvrp 1 still takes effect on the xethernet1/14 interface, and the virtual IP address of hsvrp 2 also takes effect on the xethernet1/14 interface.

The virtual IP address of hsvrp 1 is configured as the gateway of the host PC1. The virtual IP address of hsvrp 2 is configured as the
gateway of the host PC2. The virtual IP address of hsvrp 4 is configured as the gateway of the server.


o If M0D1 and D0M1 work normally, M0D1 forwards the traffic from PC1 to Server and D0M1 forwards the traffic from PC2 to
Server.

o If D0M1 fails and the gateways of PC2 and Server are not changed, M0D1 will forward all the traffic from PC1 and PC2. This
ensures that network communication is not interrupted.

Configuration Steps

Step 1: Configuring HA Peer.

M0D1 Device

hostname(config)# ha link interface xethernet1/10

hostname(config)# ha link data interface xethernet2/10

hostname(config)# ha link ip 172.16.1.1/24

hostname(config)# ha cluster 5 peer-mode node 0

hostname(config)# ha group 0

hostname(config-ha-group)# exit

hostname(config)# ha group 1

hostname(config-ha-group)# exit

hostname(config)# ha traffic enable

hostname(config)# exit


D0M1 Device

hostname(config)# ha link interface xethernet1/10

hostname(config)# ha link data interface xethernet2/10

hostname(config)# ha link ip 172.16.1.2/24

hostname(config)# ha cluster 5 peer-mode node 1

hostname(config)# ha group 0

hostname(config-ha-group)# exit

hostname(config)# ha group 1

hostname(config-ha-group)# exit

hostname(config)# ha traffic enable

hostname(config)# exit

Step 2: Configuring HSVRP groups.


M0D1 Device

hostname(M0D1)(config)# hsvrp id 1

hostname(M0D1)(config-hsvrp)# ip address 20.1.1.1

hostname(M0D1)(config-hsvrp)# exit

hostname(M0D1)(config)# hsvrp id 2

hostname(M0D1)(config-hsvrp)# ip address 20.1.1.2

hostname(M0D1)(config-hsvrp)# exit

hostname(M0D1)(config)# hsvrp id 3

hostname(M0D1)(config-hsvrp)# ip address 30.1.1.1

hostname(M0D1)(config-hsvrp)# exit

hostname(M0D1)(config)# hsvrp id 4

hostname(M0D1)(config-hsvrp)# ip address 30.1.1.2

hostname(M0D1)(config-hsvrp)# exit

Step 3: Configuring interfaces and referencing the HSVRP group for the interfaces.

hostname(M0D1)(config)# interface xethernet1/14

hostname(M0D1)(config-if-xe1/14)# zone trust

hostname(M0D1)(config-if-xe1/14)# ip address 20.1.1.11/24

hostname(M0D1)(config-if-xe1/14)# hsvrp id 1 primary

hostname(M0D1)(config-if-xe1/14)# hsvrp id 2 secondary

hostname(M0D1)(config-if-xe1/14)# exit


hostname(M0D1)(config)# interface xethernet1/14:1

hostname(M0D1)(config-if-xe1/14:1)# zone trust

hostname(M0D1)(config-if-xe1/14:1)# ip address 20.1.1.12/24

hostname(M0D1)(config-if-xe1/14:1)# hsvrp id 2 primary

hostname(M0D1)(config-if-xe1/14:1)# hsvrp id 1 secondary

hostname(M0D1)(config-if-xe1/14:1)# exit

hostname(M0D1)(config)# interface xethernet2/15

hostname(M0D1)(config-if-xe2/15)# zone untrust

hostname(M0D1)(config-if-xe2/15)# ip address 30.1.1.11/16

hostname(M0D1)(config-if-xe2/15)# hsvrp id 3 primary

hostname(M0D1)(config-if-xe2/15)# hsvrp id 4 secondary

hostname(M0D1)(config-if-xe2/15)# exit

hostname(M0D1)(config)# interface xethernet2/15:1

hostname(M0D1)(config-if-xe2/15:1)# zone untrust

hostname(M0D1)(config-if-xe2/15:1)# ip address 30.1.1.12/16

hostname(M0D1)(config-if-xe2/15:1)# hsvrp id 4 primary

hostname(M0D1)(config-if-xe2/15:1)# hsvrp id 3 secondary

hostname(M0D1)(config-if-xe2/15:1)# exit

Step 4: Checking the configuration of the HSVRP groups.


M0D1 Device

hostname(M0D1)(config)# show hsvrp

===================================================

ID: 1

Virtual IP: 20.1.1.1 255.255.255.0

Virtual MAC: 0000.5e00.0101

Primary bind interface: xethernet1/14

Secondary bind interface: xethernet1/14:1

Status: active(xethernet1/14)

===================================================

ID: 2

Virtual IP: 20.1.1.2 255.255.255.0

Virtual MAC: 0000.5e00.0102

Primary bind interface: xethernet1/14:1

Secondary bind interface: xethernet1/14

Status: inactive

===================================================

ID: 3

Virtual IP: 30.1.1.1 255.255.255.0

Virtual MAC: 0000.5e00.0103

Primary bind interface: xethernet2/15

Secondary bind interface: xethernet2/15:1

Status: active(xethernet2/15)

===================================================


ID: 4

Virtual IP: 30.1.1.2 255.255.255.0

Virtual MAC: 0000.5e00.0104

Primary bind interface: xethernet2/15:1

Secondary bind interface: xethernet2/15

Status: inactive

===================================================

Step 5: Configuring a security policy.

hostname(M0D1)(config)# policy-global

hostname(M0D1)(config-policy)# rule id 1

Rule id 1 is created

hostname(M0D1)(config-policy-rule)# src-zone trust

hostname(M0D1)(config-policy-rule)# dst-zone untrust

hostname(M0D1)(config-policy-rule)# service Any

hostname(M0D1)(config-policy-rule)# action permit

hostname(M0D1)(config-policy-rule)# exit

hostname(M0D1)(config)#

Verification

M0D1 and D0M1 Working Normally

When M0D1 and D0M1 work normally, M0D1 forwards the traffic from PC1 to Server and D0M1 forwards the traffic from PC2 to
Server.

As shown below, on the M0D1 device, in any configuration mode, you can use the show flow0-interface xethernet1/14 command to view the information of the corresponding sessions.


o The value "flag 104000" indicates that this session is processed by M0D1, which confirms that M0D1 forwards the traffic from PC1 to Server.

o The value "flag 204000" indicates that this session is processed by the peer device D0M1, which confirms that D0M1 forwards the traffic from PC2 to Server.

D0M1 Failing and M0D1 Working Normally

When D0M1 fails and the gateways of PC2 and Server are not changed, PC1 and PC2 can still connect to Server successfully. M0D1
forwards all the traffic from PC1 and PC2.

As shown below, on the M0D1 device, in any configuration mode, you can use the show flow0-interface xethernet1/14 command to view the information of the corresponding sessions.

o The value "flag 104000" indicates that this session is processed by M0D1. That is to say, M0D1 forwards all the traffic from PC1 and PC2.


Quality of Service (QoS)

QoS uses the concept of a "pipe" to express its traffic control method. A pipe is a bandwidth limit; the system divides bandwidth by creating pipes of different sizes.

This chapter contains the following recipes:

o "QoS Control" on Page 369

o "Outbound Link Load Balance" on Page 376

o "Outbound Link Load Balance with Customizable SLA Metrics" on Page 381


QoS Control
This example shows how to control Internet bandwidth allocation to different users and applications. The key feature that applies in this situation is 2-Stage QoS flow control.

As shown in the topology below, a company with 155 Mbps of Internet bandwidth has a 2-Stage QoS requirement:

o In 1st Stage QoS: Within the 155 Mbps bandwidth, 40 Mbps will be allocated to Department A, 40 Mbps to Department B, and the
remaining 75 Mbps will be shared by all employees.

o In 2nd Stage QoS: The total P2P flow is limited to 10 Mbps, in which downloading is limited to 2 Mbps, streaming video is limited
to 8 Mbps, and within the video bandwidth, Youku streaming is limited to 6 Mbps.


Configuration Steps

Step 1: Creating address entries for Dept. A and Dept. B

Select Object > Address Entry, and click New.

o Name: DeptA

o Member: select IP Range, enter "10.89.9.2" and "10.89.9.50", and click Add.

Create another address entry:

o Name: DeptB

o Member: select IP Range, enter "10.89.9.52" and "10.89.9.60", and click Add.

Step 2: Create a root pipe of 155 Mbps under Level-1 Control

Select Policy > QoS, click Level-1 Control, and click New > Pipe.

o Pipe Name: TotalBW


In the same tab, click New.

o Source Information

o Interface: ethernet0/2

Under the Action tab:

o Forward

o Pipe Bandwidth: 155000 Kbps

o Backward

o Pipe Bandwidth: 155000 Kbps

QoS Control 371


StoneOS Cookbook

Step 3: Creating sub-pipes for two departments below root pipe

Select root pipe "TotalBW" and click New.

o Pipe Name: pipeA

o Click New, and under Source Information, select "DeptA" as Address.

o Click the Action tab:

o Forward Bandwidth: min: 40000 Kbps; max: 155000 Kbps

o Backward Bandwidth: min: 40000 Kbps; max: 155000 Kbps

Use the same steps to create "pipeB":

o Pipe name: pipeB

o Source address: DeptB

o (Forward and Backward) min bandwidth: 40000 kbps

o (Forward and Backward) max bandwidth: 155000 kbps


Step 4: Creating root pipe "p2p" under Level-2 control to limit P2P total to 10 Mbps

Select Policy > QoS, select Level-2 Control and click New > Pipe.

o Pipe Name: p2p

In the same tab, click New.

o Source Information

o Interface: ethernet0/2

o Other

o APP/APP Group: P2P, P2P_Stream

Under the Action tab:

o Forward

o Bandwidth: 10000 kbps

o Backward:

o Bandwidth: 10000 kbps


Step 5: Creating sub pipes under root pipe "p2p"

1. Creating a sub-pipe to limit P2P software

Under Level-2 Control, select root pipe "p2p", and click New > Pipe.

o Pipe Name: p2p_soft

o Click New: in the prompt, select P2P as APP/APP Group.

o Select the Action tab:

o Forward bandwidth: min: 32; max: 2000

o Backward bandwidth: min: 32; max: 2000

2. Creating a sub-pipe to limit P2P video streaming

Under Level-2 Control, select root pipe "p2p", and click New > Pipe.

o Pipe Name: p2p_stream

o Click New: in the prompt, select P2P_Stream as APP/APP Group.

o Select the Action tab:

o Forward bandwidth: min: 32; max: 8000

o Backward bandwidth: min: 32; max: 8000

3. Creating a sub-pipe under "p2p_stream" to limit Youku streaming

Under Level-2 Control, select sub pipe "p2p_stream", and click New > Pipe.


o Pipe Name: p2p_stream

o Click New: in the prompt, select Youku and Youku_Stream as APP/APP Group.

o Select the Action tab:

o Forward bandwidth: min: 32; max 6000

o Backward bandwidth: min: 32; max: 6000
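The pipe trees built in Steps 2 to 5 only behave as intended if every sub-pipe fits inside its parent: a child's maximum must not exceed the parent's, and the guaranteed minimums of sibling pipes must be satisfiable at the same time. The Python checker below is an added example, not code from the cookbook or from StoneOS; it models the two levels with the values from this recipe, reports any violation, and computes the bandwidth that remains for everyone else under the root pipe (the 75 Mbps mentioned in the requirement). The Youku sub-pipe is named "youku" here purely as a label, since the recipe reuses the name "p2p_stream" for it.

```python
from dataclasses import dataclass, field


@dataclass
class Pipe:
    """A QoS pipe: a bandwidth limit (max) with an optional guaranteed share (min), in Kbps."""
    name: str
    max_kbps: int
    min_kbps: int = 0
    children: list = field(default_factory=list)

    def add(self, child):
        self.children.append(child)
        return child


def validate_pipe(pipe, path=""):
    """Return a list of violations anywhere in the tree; empty means consistent."""
    problems = []
    here = f"{path}/{pipe.name}"
    for c in pipe.children:
        if c.max_kbps > pipe.max_kbps:
            problems.append(f"{here}/{c.name}: max {c.max_kbps} exceeds parent max {pipe.max_kbps}")
        if c.min_kbps > c.max_kbps:
            problems.append(f"{here}/{c.name}: min {c.min_kbps} exceeds its own max {c.max_kbps}")
    total_min = sum(c.min_kbps for c in pipe.children)
    if total_min > pipe.max_kbps:
        problems.append(f"{here}: guaranteed minimums {total_min} exceed pipe max {pipe.max_kbps}")
    for c in pipe.children:
        problems.extend(validate_pipe(c, here))
    return problems


def shared_remainder(pipe):
    """Bandwidth left under `pipe` once every child's guaranteed minimum is honoured."""
    return pipe.max_kbps - sum(c.min_kbps for c in pipe.children)


def level1():
    """Steps 2 and 3: root pipe TotalBW with the two department pipes."""
    root = Pipe("TotalBW", 155000)
    root.add(Pipe("pipeA", 155000, 40000))
    root.add(Pipe("pipeB", 155000, 40000))
    return root


def level2():
    """Steps 4 and 5: root pipe p2p with its software, streaming and Youku sub-pipes."""
    p2p = Pipe("p2p", 10000)
    p2p.add(Pipe("p2p_soft", 2000, 32))
    stream = p2p.add(Pipe("p2p_stream", 8000, 32))
    stream.add(Pipe("youku", 6000, 32))   # label chosen here; the recipe reuses "p2p_stream"
    return p2p


if __name__ == "__main__":
    for tree in (level1(), level2()):
        print(tree.name, "violations:", validate_pipe(tree) or "none")
    print("shared under TotalBW:", shared_remainder(level1()), "Kbps")
```

A configuration in which the department pipes' minimums added up to more than the root pipe's maximum would pass the WebUI but could never deliver its guarantees; the checker reports that case before it reaches the device.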


Outbound Link Load Balance


This example shows how to configure outbound link load balancing. By configuring an effective traffic steering strategy, dynamic link load balancing improves the utilization of the egress bandwidth.

As shown in the following figure, this lab environment simulates a device deployed at the egress of a second-level ISP. The second-level ISP rents bandwidth from Telecom, China Netcom and other operators to provide its users with Internet access. In the figure, 101.0.0.1 connects to the Internet via Telecom and 201.1.1.1 via Netcom.


Configuration Steps

Step 1: Configure multiple equal-cost routes

1. Select Network > Routing > Destination Route, and click New.

o Destination: 0.0.0.0

o Subnet Mask: 0

o Next Hop: interface

o Interface: ethernet0/1

o Gateway: 101.1.1.1

2. Select Network > Routing > Destination Route, and click New to configure another equal-cost route.

o Destination: 0.0.0.0

o Subnet Mask: 0

o Next Hop: interface

o Interface: ethernet0/2

o Gateway: 201.1.1.1


Step 2: Configure the outbound interface bandwidth

Select Network > Interface, select interface ethernet0/1, and click Edit to configure the bandwidth as 50M (set the value according to the actual bandwidth of the link).

o Bandwidth

o Up Bandwidth: 50000000bps

o Down Bandwidth: 50000000bps

Follow the same steps to set the bandwidth of the interface ethernet0/2 to 50M.

Step 3: Configure the outbound load balancer profile

Select Network > Outbound > Profile, click New.

o Profile: HP_LLB

o Bandwidth Utilization: 60%

o Balance Mode: High Performance


Step 4: Configure the outbound load balancer rule

Select Network > Outbound > Rule, click New.

o Rule Name: HP_LLB_rule

o LLB Profile: Select the Profile "HP_LLB"

o Bind Route: Destination Route

o Virtual Router: trust-vr

o Destination Address: 0.0.0.0/0

Step 5: Verify that outbound load balance is in effect

After completing the above steps, use a traffic test tool to generate traffic through ethernet0/1 and ethernet0/2 respectively, and then observe the traffic on each link. By changing the volume of outgoing traffic, you can see that the traffic on the two links is adjusted equitably. The system routing mechanism is as follows:

o When the bandwidth of each link does not exceed 30M (50M*60%), the system calculates the link overhead based on the link delay, jitter and packet loss rate. The link with the lower overhead is allocated more traffic while the other link carries less, but the two links stay basically balanced.

o When the link bandwidth exceeds 30M, the system adds the bandwidth utilization factor to the calculation, that is, the system calculates the link overhead based on the delay, jitter, packet loss rate and bandwidth utilization. The link with the lower overhead is allocated more traffic while the other link carries less, but the two links stay basically balanced.

Q&A

o Q: What factors in the network affect the link load balancing routing of the system?
A: The delay, jitter, packet loss rate and bandwidth utilization of each link are the impact factors. The system can intelligently route and dynamically adjust the traffic load of each link by monitoring the delay, jitter, packet loss rate and bandwidth utilization of each link in real time.


o Q: Which modes does link load balancing support?
A: Two load balancing modes are supported, namely, high performance and high compatibility.

o High Performance - In this mode, the system adjusts links to restore balance as fast as possible.

o High Compatibility - In this mode, when the link load changes, the system does not switch links frequently but keeps the service on its previous link as far as possible, switching only when the previous link is overloaded. This mode is suitable for services that are sensitive to link switching, such as banking services.


Outbound Link Load Balance with Customizable SLA Metrics


In a multi-egress Internet deployment, some mission-critical applications are extremely sensitive to packet loss. This example introduces how to combine outbound link load balancing with customizable SLA metrics so that critical business connections to the Internet prefer the lines with lower packet loss rates.

As shown in the following figure, a company has three egress lines, A, B, and C, each connected to the Internet through different ISP
dedicated lines:

o Line A: Connected to a certain ISP dedicated line via eth0/1 (IP: 101.0.0.1);

o Line B: Connected to another ISP dedicated line via eth0/2 (IP: 201.1.1.1);

o Line C: Connected to a third ISP dedicated line via eth0/3 (IP: 5.10.140.0).

The company has multiple research and development centers across the country, and efficient communication is required between
them. Tencent Meeting is the company's primary communication tool. The requirement is to configure the system so that employees
prefer lines with lower packet loss rates when using Tencent Meeting, thus ensuring smooth voice and video calls.


*This example is configured and verified by using 5.5R11 in a test environment. Please configure the IP address for each interface
based on the actual condition.

Configuration Instructions

The SG-6000-K9180/K6580 and X-series devices do not support SLA functionality.

Configuration Roadmap

1. Configure equal-cost routes to enable load balancing and forwarding of traffic across all egress interfaces.

2. Configure policy-based routes to direct Tencent Meeting application traffic to the three egress lines.

3. Configure an outbound link load balance rule based on the SLA packet loss threshold to exclude lines that do not meet the required packet loss rate, set the LLB weight factor to "Loss First" so that lines with lower packet loss rates are preferred, and bind the policy-based route to the rule so that Tencent Meeting traffic is both steered and load balanced.

Configuration Steps of WebUI

Step 1: Configure multiple equal-cost routes

1. Select Network > Routing > Destination Route, and click New.

o Virtual Router: trust-vr

o Destination: 0.0.0.0

o Subnet Mask: 0

o Next Hop: interface

o Interface: ethernet0/1

o Gateway: 101.0.0.2


2. Select Network > Routing > Destination Route, and click New to configure another equal-cost route.

o Virtual Router: trust-vr

o Destination: 0.0.0.0

o Subnet Mask: 0

o Next Hop: interface

o Interface: ethernet0/2

o Gateway: 201.1.1.2

3. Select Network > Routing > Destination Route, and click New to configure another equal-cost route.

o Virtual Router: trust-vr

o Destination: 0.0.0.0

o Subnet Mask: 0

o Next Hop: interface

o Interface: ethernet0/3

o Gateway: 5.10.140.1


Step 2: Configure policy-based routes

Select Network > Routing > Policy-based Routing, click New, and select Rule from the drop-down list.

o PBR Name: Click the drop-down list and create a new PBR policy.

o PBR Name: pbr_meeting

o Virtual Router: trust-vr

o Type: Zone

o Bind to: trust

o Source

o Address: any

o Destination

o Address: any

o Other

o Application: TencentMeeting

o Next-hop

o Click to add an "IP Address" type of next hop with the member "101.0.0.2". Repeat this step to add next hops with the members "201.1.1.2" and "5.10.140.1".


Step 3: Configure the outbound line load balance rule

Select Network > Outbound LLB > Rule, and click New.

o Name: LLB_meeting

o Bind Route: Policy-based Routing

o Policy-based Routing: Select "pbr_meeting"

o SLA Profile: Click from the drop-down.

o Name: SLA_loss

o Detect Type: Passive

o Loss Threshold: 1

o LLB Profile: Click from the drop-down.

o Name: LLB_loss

o Weight Factors: Select "Loss First"


Step 4: Results

After completing the above steps, observe the Tencent Meeting traffic on each link while employees are using Tencent Meeting: the system prefers the lines with lower packet loss rates. For example, if only Line A and Line B meet the SLA criteria, Line C does not, and Line A has a lower packet loss rate than Line B, then running "show session application TencentMeeting" to list the Tencent Meeting sessions shows that ethernet0/1 (Line A) carries the most Tencent Meeting sessions, ethernet0/2 (Line B) carries fewer, and ethernet0/3 (Line C) carries none.

Configuration Steps of CLI

Step 1: Configure multiple equal-cost routes

hostname(config)# ip vrouter trust-vr (Enter the VRouter configuration mode)

hostname(config-vrouter)# ip route 0.0.0.0/0 ethernet0/1 101.0.0.2 (Configure the first equal-cost route)

hostname(config-vrouter)# ip route 0.0.0.0/0 ethernet0/2 201.1.1.2 (Configure the second equal-cost route)

hostname(config-vrouter)# ip route 0.0.0.0/0 ethernet0/3 5.10.140.1 (Configure the third equal-cost route)

hostname(config-vrouter)# exit

hostname(config)#

Step 2: Configure policy-based routes


hostname(config)# pbr-policy pbr_meeting (Create a PBR policy and enter the PBR policy configuration mode)

hostname(config-pbr)# match top any any any TencentMeeting nexthop 101.0.0.2 (Create the first PBR rule)

Info: Match ID 1 is created

hostname(config-pbr)# match top any any any TencentMeeting nexthop 201.1.1.2 (Create the second PBR rule)

Info: Match ID 2 is created

hostname(config-pbr)# match top any any any TencentMeeting nexthop 5.10.140.1 (Create the third PBR rule)

Info: Match ID 3 is created

hostname(config-pbr)# exit

hostname(config)#

Step 3: Configure SLA Profile

hostname(config)# sla-profile SLA_loss (Create an SLA profile and enter the SLA profile configuration
mode)

hostname(config-sla-profile)# detect-mode passive type ipv4 (Set the detection mode to passive
detection mode)

hostname(config-sla-profile)# threshold lossrate-thres 1 (Set SLA packet loss rate threshold)

hostname(config-sla-profile)# exit

hostname(config)#

Step 4: Configure LLB Profile


hostname(config)# llb profile LLB_loss (Create an LLB profile and enter the LLB profile configuration mode)

hostname(config-llb-profile)# detect weight-factors predefine loss-template (Set the packet loss rate as the primary influence factor for the link cost)

hostname(config-llb-profile)# exit

hostname(config)#

Step 5: Configure the outbound line load balance rule

hostname(config)# llb rule LLB_meeting pbr pbr_meeting id 1 profile LLB_loss sla-profile SLA_loss (Bind the SLA profile and the LLB profile to the PBR rule to form an LLB rule)

hostname(config)#

Step 6: Results

After completing the above steps, observe the Tencent Meeting traffic on each link while employees are using Tencent Meeting: the system prefers the lines with lower packet loss rates. For example, if only Line A and Line B meet the SLA criteria, Line C does not, and Line A has a lower packet loss rate than Line B, then running "show session application TencentMeeting" to list the Tencent Meeting sessions shows that ethernet0/1 (Line A) carries the most Tencent Meeting sessions, ethernet0/2 (Line B) carries fewer, and ethernet0/3 (Line C) carries none.


Threat Prevention

Threat prevention lets the device detect and block network threats as they occur. By configuring the threat protection functions, the device can defend against network attacks and reduce the losses they cause to the internal network.

This chapter includes the following recipes:

o "Protecting Internal Servers and Host to Defend Attack via Abnormal Behavior Detection" on Page 390

o "Protecting Intranet to Defend Attacks via Intrusion Prevention System" on Page 398

o "Forensic Analysis " on Page 406

o "Identifying IoT Assets to Enable Security Control of IoT by Using Built-in Docker" on Page 416

o "Identifying IoT Assets to Enable Security Control by Deploying the Asset Identifying System on the VM" on Page 431


Protecting Internal Servers and Host to Defend Attack via Abnormal Behavior
Detection
This example introduces how to use Abnormal Behavior Detection to discover attacks against servers as early as possible, and how to integrate it with Mitigation to protect the servers better.

As shown in the topology, the device is deployed at the data center exit. After Abnormal Behavior Detection is enabled and configured, when a web server is frequently hit by SYN floods, a mail server is periodically port-scanned, or an intranet host has been implanted with a Trojan that generates fake domain names with a DGA algorithm and connects to an external command-and-control server, the administrator can discover these attacks and protect the internal hosts and servers.

* To use Abnormal Behavior Detection, apply for and install the StoneShield license.


Configuration Steps

Step 1: Enabling Abnormal Behavior Detection to defend internal hosts

Select Network > Zone. Select the 'trust' zone, click Edit, and select the <Threat Protection> tab.

o Abnormal Behavior Detection: Select the Enable check box.

o Host Defender: Select the Host Defender check box. To enable abnormal behavior detection of the HTTP factor, select the Advanced Protection check box. To enable DDoS protection for the host, select the DDoS Protection check box. To capture and save the evidence that leads to an abnormal behavior alarm, select Forensic.

Step 2: Configuring the critical asset object (Web Server and Mail Server)

Select Network > Zone. Select the 'dmz' zone, click Edit, and select the <Threat Protection> tab.

o Abnormal Behavior Detection: Select the Enable check box.


1. Configure the Abnormal Behavior Detection object (Web Server) and enable web server advanced protection.

Click Object > Critical Assets, and click New.

o Name: Web Server

o Type: Server

o IP: 172.20.0.10

o Web Server Advanced Protection: Select the check box.

2. Configure the Abnormal Behavior Detection object (Mail Server).

Click Object > Critical Assets, and click New.

o Name: Mail Server

o Type: Server

o IP: 172.18.1.20


Step 3: Viewing the results of Abnormal Behavior Detection

1. Viewing the results from iCenter

Results of Web Server:

o Select iCenter > Critical Assets, and click the critical asset name 'Web Server' in the list to view the information of this critical asset.

o For example, click the Internal Recon > 'TCP SYN Flood Attack' link in the kill chain list to view the Abnormal Behavior Detection information and the trend chart of the actual and predicted values of the detected object.


Results of Mail Server:

o Select iCenter > Critical Assets, and click the critical asset name 'Mail Server' in the list to view the information of this critical asset.

o For example, click the Initial Exploit > 'Port Scan' link in the kill chain list to view the Abnormal Behavior Detection information and the trend chart of the baseline and thresholds of the detected object.


Results of Internal Host:

1. Click iCenter > Threat, and click Filter to add conditions.

o Detected by: Abnormal Behavior Detection

2. For example, click the "The Domain Name of DNS Response Is Malicious Domain Generated by DGA" link in the list to view the details of the malware and abnormal behavior detected from the DNS mapping.

In the Threat Analysis tab, you can view the information of the host that sent the DGA fake domain name.

2. Viewing the results from threat log

1. Select Monitor > Log > Threat, and click Filter to add conditions to show the logs that match your filter.

o Detected By: Abnormal Behavior Detection


2. The log of Abnormal Behavior Detection will be displayed.

Step 4: Integrating with Mitigation, and configuring the mitigation rules for attacks.

Select iCenter > Mitigation > Mitigation Rule, and select the Enable Auto Mitigation check box.

Configuring mitigation rules for Port Scan

In the Mitigation Rule page, click New.

o Log Type: Scan

o Severity: Low

o Value: >= 10 Time

o Action Type: User defined > IP Block

o Duration: 60


Configuring mitigation rules for TCP SYN Flood Attack

In the Mitigation Rule page, click New.

o Log Type: DoS > DDoS Flood

o Severity: Low

o Value: >= 10 Time

o Role: Attacker

o Action Type: User defined > Session Control

o Session Type: New Session

o Total Number: 20

o Drop Percent: 50

o Duration: 60
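To make the semantics of the two rules above concrete (a log type, a minimum severity, a ">= 10 Time" count, a role that selects which host the action targets, and a duration), the following Python is an added example written for this page and not StoneOS code. It feeds constructed threat-log records through a small rule engine that counts matching logs per host inside a sliding window and fires the configured action once the count is reached. The record fields, the 60-second window and the sample records are assumptions; StoneOS's own counting and expiry logic is not documented on this page.

```python
"""Added example for this recipe (not StoneOS code): a small model of the
two auto-mitigation rules configured above, run over constructed threat
log records. Assumed rule semantics: a rule fires when `count` threat
logs of its log type, at or above its severity, are attributed to one
host inside a sliding window; the action then applies to that host for
`duration` seconds and is not re-triggered while it is in force. The
record fields, window length and sample records are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class ThreatLog:
    ts: int           # seconds (constructed timestamps)
    log_type: str     # "scan", "ddos_flood", ...
    severity: str
    attacker: str
    victim: str


@dataclass
class MitigationRule:
    log_type: str
    min_severity: str
    count: int              # "Value: >= N Time" in the WebUI
    action: dict            # IP Block or Session Control parameters
    duration: int           # seconds the action stays in force
    role: str = "attacker"  # which side of the log the action targets


@dataclass
class Action:
    target: str
    action: dict
    expires_at: int


class Mitigator:
    def __init__(self, rules, window=60):
        self.rules = rules
        self.window = window
        self.hits = defaultdict(list)  # (rule index, target) -> timestamps
        self.active = {}               # (rule index, target) -> Action

    def feed(self, log: ThreatLog):
        """Process one threat log; return the Action it triggers, if any."""
        triggered = None
        for i, rule in enumerate(self.rules):
            if log.log_type != rule.log_type:
                continue
            if SEVERITY[log.severity] < SEVERITY[rule.min_severity]:
                continue
            target = log.attacker if rule.role == "attacker" else log.victim
            key = (i, target)
            active = self.active.get(key)
            if active and active.expires_at > log.ts:
                continue  # action already in force for this host
            # Keep only hits inside the sliding window, then add this one.
            self.hits[key] = [t for t in self.hits[key] if log.ts - t < self.window]
            self.hits[key].append(log.ts)
            if len(self.hits[key]) >= rule.count:
                triggered = Action(target, rule.action, log.ts + rule.duration)
                self.active[key] = triggered
                self.hits[key].clear()
        return triggered

    def actions_in_force(self, now: int):
        return [a for a in self.active.values() if a.expires_at > now]


# The two rules from the WebUI steps above.
RULES = [
    MitigationRule("scan", "low", 10, {"type": "ip_block"}, 60),
    MitigationRule("ddos_flood", "low", 10,
                   {"type": "session_control", "session": "new",
                    "total": 20, "drop_percent": 50}, 60),
]


def run_demo():
    """Feed constructed logs: 10 port-scan logs from one host against the
    mail server, then 12 SYN-flood logs from another against the web server."""
    m = Mitigator(RULES)
    logs = [ThreatLog(1000 + i, "scan", "low", "10.0.0.5", "172.18.1.20")
            for i in range(10)]
    logs += [ThreatLog(1100 + i, "ddos_flood", "medium", "203.0.113.9", "172.20.0.10")
             for i in range(12)]
    fired = [a for a in map(m.feed, logs) if a is not None]
    return m, fired


if __name__ == "__main__":
    mitigator, fired = run_demo()
    for a in fired:
        print(a)
    print(len(mitigator.actions_in_force(1050)), "action(s) in force at t=1050")
```

The scan rule fires on the tenth scan log and blocks 10.0.0.5 for 60 seconds; the flood rule fires on the tenth flood log and applies session control to 203.0.113.9, and the two extra flood logs do not re-trigger it while that action is in force.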

Step 5: Viewing the results of mitigation rules

Click iCenter > Mitigation > Mitigation Action to view the details of the actions taken by the mitigation rules.


Protecting Intranet to Defend Attacks via Intrusion Prevention System


This example introduces how to use the Intrusion Prevention System to monitor various network attacks in real time and take the actions you configure (such as block) against them.

As shown in the following topology, the device is deployed at the intranet exit. After the Intrusion Prevention System is enabled and configured, the device protects the intranet against attacks from the Internet.

Configuration Steps

Step 1: Installing the Intrusion Prevention System license

1. Select System > License. Under License Request, input all user information, then send the code to your sales contact. The sales person will obtain the license and send it back to you.


2. Select Upload License File, click Browse to select the Intrusion Prevention System license file, and then click OK to upload it.

3. Select System > Device Management > Option, and click Reboot. When the device starts again, the installed license takes effect.

Step 2: Enabling Intrusion Prevention System and updating Signature Database

1. Select Object > Intrusion Prevention System > Configuration to view the Intrusion Prevention System function status. If it is disabled, click Enable and reboot.

2. Select System > Upgrade Management > Signature Database Update. Under IPS Signature Database Update, click Update to bring the IPS signature database up to date.


Step 3: Binding internal and external interfaces to the specified zones

1. Bind the internal interface ethernet0/2 to trust. Select Network > Zone, select trust and click Edit to open the Zone Configuration dialog.

o Binding Interface: ethernet0/2

2. Bind the internal interface ethernet0/1 to dmz in the same way.

3. Bind the external interface ethernet0/3 to untrust in the same way.


Step 4: Creating Intrusion Prevention System rules

Users can use the default profile or create a new one. Select Object > Intrusion Prevention System > Profile, and click New to open the IPS dialog. This example uses the predefined predef_default profile, which includes all IPS signatures and whose default action is reset.


Step 5: Creating Security Policies.

Security policy: untrust to dmz

By default, the device denies all traffic between security zones. This case permits Internet and internal hosts to access the internal servers. Take the following steps to configure the security policies:

1. Select Policy > Security Policy, and click New to open the Policy Configuration dialog. In the Basic tab:

Source:

o Zone: untrust

o Address: any

Destination:

o Zone: dmz

o Address: any

Others:

o Service: any

o Action: Permit

2. In the Protection tab:

o IPS: Select the Enable check box.

o Profile: Select predef_default from the drop-down list.


Security policy: trust to dmz

1. Select Policy > Security Policy, and click New to open the Policy Configuration dialog. In the Basic tab:

Source:

o Zone: trust

o Address: any

Destination:

o Zone: dmz

o Address: any

Others:

o Service: any

o Action: Permit

2. In the Protection tab:

o IPS: Select the Enable check box.

o Profile: predef_default


Step 6: Viewing the results

After configuring the above steps, the device protects the intranet against known attacks. For example, an attacker attempts a SQL injection against the HTTP server by requesting the URL 'http://192.168.4.79/ccmcip/xmldirectorylist.jsp?n=X'or%20telephonenumber%20like%20'''. The device displays the attack information and blocks the attack.

Viewing the results from iCenter

1. Select iCenter > Threat, and click the filter button to add the conditions.

o Detected by: Intrusion Prevention System

2. The log of the Intrusion Prevention System will be displayed. Click the threat name to view the detailed information.

Viewing the results from Threat log

1. Select Monitor > Log > Threat, and click the filter button to add the conditions.

o Detected by: Intrusion Prevention System


2. The log of the Intrusion Prevention System will be displayed. Click the threat name to view the detailed information.


Forensic Analysis
This feature may not be available on all platforms. Please check the actual page of your system to see whether your device provides this feature.

This example shows how to view the threats across the whole network in depth and analyze the threat evidence.

Forensic Analysis provides an evidence chain for network threats: evidence collection, multi-perspective analysis and in-depth presentation.

o Evidence Collection: With the Forensic Analysis function (packet capture) configured, evidence is collected at the same time an attack is detected.

o Evidence Analysis: Analyze the collected evidence.

o Evidence Presentation: Display the threat details, logs and evidence pcap in iCenter, so that the threat is visualized.

Configuration Steps

At present, the system only supports the Forensic Analysis function for three threat detection engines (Advanced Threat Detection, Intrusion Prevention System, Anti Virus).


Advanced Threat Detection

Enable packet capture for Advanced Threat Detection; the system will then capture packets when it generates logs.

Select Network > Zone, select the "trust" zone, click Edit, and select the <Threat Protection> tab. Select the Capture Packets check box.

Intrusion Prevention System

1. Enable packet capture for an IPS profile; this enables capture for all protocols in the profile.

Select Object > Intrusion Prevention System, click New, and select the Enable check box to enable capture packets.


2. According to your requirements, configure packet capture for a specific protocol.

Select Object > Intrusion Prevention System. In the IPS rules list, click a protocol type, for example 'DHCP', and select the Enable check box to enable packet capture for the different attack levels.

Anti Virus

Enable packet capture for Anti Virus rules.

Select Object > Antivirus, click New, and select the Enable check box next to Capture Packet to enable the capture function.

Forensic Analysis Configuration Example

The following takes Advanced Threat Detection (ATD) as an example to demonstrate the Forensic Analysis process.


Step 1: Threat Detection

Enabling Advanced Threat Detection and packet capture

Select Network > Zone. Select the "trust" zone, click Edit, and select the <Threat Protection> tab.

o Advanced Threat Detection: Select the Enable check box.

o Capture Packets: Select the check box. The system will save the evidence packets and allow you to download them.

Step 2: Evidence Collection

When an ATD attack occurs, the system generates the relevant threat log, captures the evidence, and sends both to the system database.

At the same time, the Advanced Threat Detection engine captures a relational pcap keyed by the source IP: the HTTP traffic (including the TCP interaction) of up to 5 minutes or 64K in size, which is used to assist the analysis.

Step 3: Evidence Analysis

1. Analyze the evidence and obtain the threat details.

2. Compile the analysis of the evidence.


Step 4: Evidence Presentation

1. Display the threat information, including the threat name, type, severity, victim host, attacking host, etc.

Click "iCenter", and select the Threat tab.

Click the threat name link in the list to view the threat details.


2. Viewing the evidence details.

Select the <Details> tab, and click View PCAP.


3. Viewing the relational pcap details.

Select the <Details> tab, and click Relational Pcap.

4. Downloading evidence.

Select the <Details> tab, and click Download Pcap; the evidence will be downloaded to your local machine.


Threat Intelligence Via Hillstone Cloud Service Platform


Hillstone Cloud Service Platform is a cloud security services platform, which provides cloud services including CloudView, Cloud Sand-
box and CloudVista (Threat Intelligence Center). Hillstone Cloud Service is the cloud capability center of Hillstone and the brain of the
cloud-network integration. After the service is enabled, your device will be connected with the Hillstone cloud, which will provide you
with a wider range of threat intelligence, improve the protection capability of your device, and enable you to carry out real-time mon-
itoring, inspection and report acquisition of the device and traffic on the cloud anytime and anywhere. These Hillstone cloud applic-
ations can greatly enhance the security, visibility, and usability of networks.

o CloudView: CloudView is a SaaS product. It is deployed on the public cloud to provide users with online on-demand services. Hill-
stone devices register with the cloud service platform and upload device information, traffic data, threat events, system logs and so
on to the cloud service platform, and the visual display is provided by CloudView . Users can monitor the device status, gain reports
and threat analysis through the Web or mobile phone APP. For more information about CloudView, refer to the CloudView FAQs.

o Cloud Sandbox: It is a technology adopted by the Sandbox function. After a suspicious file being uploaded to the Hillstone cloud ser-
vice platform, the cloud sandbox will collect behaviors of the file, analyze the collected data, verify the legality of the file, send the
analysis result to system and deal with the malicious file according to the actions set by system.

o CloudVista (Threat Intelligence Center): Threat Intelligence function can upload some elements in the logs generated by each mod-
ule to the cloud service platform, such as IP address, domain, etc. The cloud service platform will check whether the elements have
threat intelligence through the threat center. You can view threat intelligence information related to elements through the threat
intelligence center.

This example shows how to obtain threat intelligence services through the Hillstone Cloud Service Platform.

The topology is shown below. The device connects to the Hillstone Cloud Service Platform, uploads some elements of the logs generated by each module to the platform, and obtains threat intelligence in return.


Preparation

Before configuring the threat intelligence function, prepare the following first:

1. Install the threat intelligence license.

2. Register a Cloud Service account. Enter the address "https://user.hillstonenet.com/login" in the web browser of the PC to register.

Configuration Steps

Step 1: Connect to the Hillstone Cloud Service Platform

Select System > Connecting to Hillstone Cloud Service Platform.

o Address: cloud.hillstonenet.com.cn

o Virtual Router: trust-vr

o User: hillstone

o Password: password@123

Note: When you connect to the cloud platform with the default user and password, you still obtain the corresponding cloud service, but you cannot view the data uploaded by the device on the cloud platform. To view that data, connect with the Cloud Service account registered in the Preparation section.


Step 2: Enable CloudVista Service

Select System > Connecting to Hillstone Cloud Service Platform, and click the CloudVista button. In the CloudVista page, click the Enable button to enable the CloudVista service.

Viewing the results

After configuring the above steps, you can view the entries that have threat intelligence on the iCenter page. In the threat list, hover your cursor over an object; a button appears to its right. Click this button and select View threat intelligence.


Identifying IoT Assets to Enable Security Control of IoT by Using Built-in Docker

This example describes how to use the built-in method of local asset identification to identify IoT device assets via WebUI and CLI. That is, the example uses the built-in Docker of the firewall to deploy the asset identification system on the device itself, to implement asset identification and security control.

Note: The built-in method of local asset identification used in this example supports only A-series firewalls. We recom-
mend that you use A2600 and higher models.

Networking Requirements

As shown in the following figure, a firewall (NGFW: 10.182.191.36) is deployed at the internal network border of the enterprise. The
address of Docker within the firewall is set to 172.25.0.1/24. In addition, the security operation platform (Hillstone iSource
10.182.79.27) is deployed.

The internal IoT of the enterprise contains various types of IoT devices, categorized based on areas as follows:

o IT department (192.168.2.0/24) - IP phone and IPC;

o HR department (192.168.3.0/24) - printer and IPC;

o Administration department (192.168.4.0/24) - tablet and IPC.

To identify detailed information about IoT asset devices by using the built-in method of local asset identification, and to meet the following requirements together with the IoT security monitor function of the firewall:

o Identify and monitor IoT devices: Perform asset identification and monitoring management on the IoT devices in the deployment environment.

o Manage IoT device traffic: Manage the network permissions of the identified tablets. Specifically, block their network traffic by using policy rules.


o Analyze IoT data: Combined with iSource and cloud platform in the deployment environment, upload IoT data to iSource for uni-
fied analysis statistics, control, and asset management.

*This example is configured and verified by using 5.5R10F4 in a test environment. Please configure the IP address for each interface
based on the actual condition.

Preparations

Before you start, make sure that the following prerequisites are met:

o DHCP traffic from IoT devices in the network passes through the firewall or is mirrored to the firewall.

o The system version of the firewall supports the IoT monitor function. You can run the show version command to view the
system version. Please use StoneOS 5.5R10F4 or later F version.

o The IoT license is installed on the firewall device and you have logged in to the device again.

o The image file of local asset identification system is obtained.

o iSource is deployed.

Configuration Steps

IoT asset identification


1. Create a Docker and allocate system resources.

2. Import the image file of local asset identification system.

3. Configure the CIDR block of the Docker network.

4. Run the container.

5. Enable and configure the local asset identification function.

6. Configure the identification list by specifying the address list of IoT devices.

7. Configure the terminal type: enable/disable the function of automatically synchronizing terminals to the repository.

8. Configure the zone to enable IoT Monitor function and bind an identification list.

IoT monitor management

1. Configure the region based on the IoT device CIDR block of the IT department, administration department, and HR depart-
ment.

2. View IoT monitor, including the manufacturer, type, online device, and various detailed statistics of all identified IoT devices.

IoT policy control

1. Configure the device object: specify the category dimension for IoT devices to map identified IoT devices to device objects.

2. Configure the policy rule: configure the policy rule based on the device object.

IoT data analysis

o Upload IoT data to iSource: after you upload IoT data to iSource, iSource can carry out further threat event response and handling, such as asset management and blocking/policy deployment.


Configuration Steps of WebUI

IoT Asset Identification Configuration

Step 1: Create a Docker and allocate system resources

Select System > Docker Management. On the Docker Management page, click New and configure the following parameters:

o Name: IoTDocker

o CPU: Select the CPU core to which the Docker is bound. You can select the default Core0. (To use other CPU cores, run the flow-core-num number command in global configuration mode to free other CPU cores.)

o Memory: 550

o Access Interface: Select ethernet0/0 (the name of the interface that accesses the Docker).

o Port: Click New and configure the port mapping for Docker communication.

o Protocol-TCP, Host Port-36000, Container Port-45622

o Protocol-UDP, Host Port-36000, Container Port-45622

Click OK.


Step 2: Import the image file of local asset identification system

1. Select System > Docker Management.

2. Click in the Operation column and select Import image file.

3. In the Import panel, click Browse and select the obtained image file of the local asset identification system: "local-iot-identify-docker-1.0.231206.gz".

4. Click OK.

Step 3: Configure the CIDR block of the Docker network

Select System > Docker Management > Configuration and configure the following parameter:

o IP/Netmask: 172.25.0.1/24. (This IP address is used for internal and external Docker communication. You can configure any IP address that does not conflict with other interfaces.)

Step 4: Run the container

Select System > Docker Management and perform the following operations:

1. Click in the Operation column and select Run.

2. Select the imported image file, load the image file, and then run the container.


Step 5: Enable and configure the local asset identification function

Select Object > IoT Policy > Configuration.

o Local Asset Identification: Click Enable.

o Asset Identification Module Type: Local

o IP: 127.0.0.1 (does not require configuration or modification)

o Port: 36000 (must be consistent with the host port number configured in Step 1)

Click OK.

Step 6: Configure the identification list

Select Object > IoT Policy > Identification List. On the Identification List page, click New.

o Name: IoT device

o Click New and configure the following options:

  o Type: IP

  o IP Type: IPv4

  o Address Type: IPv4/Netmask

  o Address: 192.168.0.1/16 (the address range of IoT devices within the enterprise)

Click OK.


Step 7: Configure the terminal type. For example, automatically add the identified IPC to repository

Select Object > IoT Policy > Terminal Type. Then, turn
on the switch in the Add to Repository Automatically
column corresponding to IPC in the list.

Step 8: Configure a zone to enable the IoT Monitor function of the zone. Select the zone used by IoT device traffic passing through the firewall based on the actual networking environment (in this example, the layer-3 zone "trust" is used)

Select Network > Zone. In the list, select "trust" and click
Edit.

o Advanced: Click Advanced to expand this section.

o IoT Monitor: Click Enable.

o Identification List: Select the identification list "IoT device" that is created in Step 6.

Click OK.


IoT Monitor Management

Step 1: Configure the Region

Select Object > IoT Policy > Region Setting. On the Region Setting page, click New and configure the following parameters:

o Name: IT department

o Member: Click New.

o Type: IP/Netmask

o Member: 192.168.2.0/24

Click OK.

Repeat the steps above to create the region "HR department":

o Name: HR department

o Member: Click New.

o Type: IP/Netmask

o Member: 192.168.3.0/24

Click OK.


Repeat the steps above to create the region "administration department":

o Name: administration department

o Member: Click New.

o Type: IP/Netmask

o Member: 192.168.4.0/24

Click OK.

Step 2: View IoT monitor

Select Monitor > IoT Monitor > Details to view details about all identified IoT devices in the deployment environment.


Select Monitor > IoT Monitor > Summary to view the top 10 device manufacturers and device type distribution.

IoT Policy Control

Step 1: Configure a device object

Select Object > Device. On the Device page, click New. On the Device Config page, configure the following parameters:

o Device Name: tablet

o Type: Select Tablet

o You can configure other options as required

Click OK.


Step 2: Configure the policy rule to manage permissions on Internet access for tablets

Select Policy > Security Policy > Policy. On the Policy Configuration page, configure the following parameters:

o Name: Policy-iot

o Source Device: Select the "tablet" device object created in Step 1

o Action: Select Deny

o You can configure other options as required or keep the default values

Click OK.


IoT Data Analysis

Connect to iSource and enable the IoT Asset Monitor function

Select System > Extended Services. In the Connect to Security Operations Platform section, click in the lower-left corner. In the Connect to Security Operations Platform panel, configure the following parameters:

o Enable: Click Enable

o IP/Domain: 10.182.79.27 (the iSource address in the networking environment)

o IoT Asset Monitor: Click Enable

o Keep the default values for other options

Click OK.

Configuration Steps of CLI

IoT Asset Identification Configuration

Step 1: Create a Docker and allocate system resources

hostname(config)# docker IoTDocker

hostname(config-docker)# cpu 0

hostname(config-docker)# memory 512

hostname(config-docker)# port-map tcp host-port 36000 docker-port 45622

hostname(config-docker)# port-map udp host-port 36000 docker-port 45622

hostname(config-docker)# access-interface ethernet0/0

Step 2: Import the image file of local asset identification system


hostname# import docker-image-file IoTDocker from ftp server 10.200.6.10 user testuser password 123456 local-iot-identify-docker-1.0.231206.gz

Step 3: Configure the CIDR block of the Docker network

hostname(config)# docker-config network 172.25.0.1/24 (This IP address is used for internal and external Docker communication. You can configure any IP address that does not conflict with other interfaces.)

Step 4: Run the container

hostname# exec docker IoTDocker run local-iot-identify-docker-1.0.231206.gz

Step 5: Enable and configure the local asset identification function

hostname(config)# iot-monitor docker-detect enable

hostname(config)# iot-monitor docker-detect local-docker port 36000 (The port number must be consistent with the host port number configured in Step 1)

Step 6: Configure the identification list

hostname(config)# iot-monitor identify-list iotdevice

hostname(config-IoT-monitor-identify-list)# ip network 192.168.0.1/16 (the address range of IoT devices within the enterprise)

hostname(config-IoT-monitor-identify-list)# exit

Step 7: Configure a zone to enable the IoT Monitor function of the zone. Select the zone used by IoT device traffic passing through the firewall based on the actual networking environment (in this example, the layer-3 zone "trust" is used)

hostname(config)# zone trust

hostname(config-zone-trust)# iot-monitor enable iotdevice

hostname(config-zone-trust)# exit


IoT Monitor Management

Step 1: Configure the Region

hostname(config)# iot-monitor district id 1 name IT (Configure the region of the IT department)

hostname(config-IoT-monitor-district)# ip network 192.168.2.0/24

hostname(config-IoT-monitor-district)# exit

hostname(config)# iot-monitor district id 2 name HR (Configure the region of the HR department; each region needs its own id)

hostname(config-IoT-monitor-district)# ip network 192.168.3.0/24

hostname(config-IoT-monitor-district)# exit

hostname(config)# iot-monitor district id 3 name admin (Configure the region of the administration department)

hostname(config-IoT-monitor-district)# ip network 192.168.4.0/24

hostname(config-IoT-monitor-district)# exit

Step 2: View IoT monitor

hostname(config)# show iot-monitor-list

Total: 5

ip            vrouter/vswitch  type        manufacturer  status  OS_family  Rx(kbps)/Tx(kbps)  profile

192.168.4.1   trust-vr         Ipad        Huawei        Online  -          65.57/7517.99      iotdevice

192.168.3.11  trust-vr         IPC         Hikvision     Online  -          16600.00/11507.00  iotdevice

192.168.2.11  trust-vr         IPC         Hikvision     Online  -          9464.91/192.992    iotdevice

192.168.2.1   trust-vr         Voip Phone  -             Online  -          96.53/4729.00      iotdevice

192.168.3.1   trust-vr         Printer     HP            Online  -          166.49/7565.09     iotdevice

IoT Policy Control

Step 1: Configure a device object

hostname(config)# device pad

hostname(config-device)# type Ipad

hostname(config-device)# exit


Step 2: Configure the policy rule to manage permissions on Internet access for tablets

hostname(config)# policy-global

hostname(config-policy)# rule id 1

Rule id 1 is created

hostname(config-policy-rule)# src-device pad

hostname(config-policy-rule)# action deny

hostname(config-policy-rule)# exit

hostname(config)#

IoT Data Analysis

Connect to iSource and enable the IoT Asset Monitor function

hostname(config)# cloud server isource

hostname(config-isource)# enable

hostname(config-isource)# address 10.182.79.27 (the iSource address in the networking environment)

hostname(config-isource)# upload-type iot-monitor-property

hostname(config-isource)# exit


Identifying IoT Assets to Enable Security Control by Deploying the Asset Identifying System on the VM

This example describes how to use the external mode of local asset identification to identify IoT device assets via the WebUI and CLI. That is, an asset identification program is installed on a VM, and the firewall uses this asset identification system deployed on the VM to obtain IoT device asset information, which implements asset identification and security control.

Networking Requirements

As shown in the following figure, a firewall (NGFW: 10.182.191.36) is deployed at the internal network border of the enterprise, and the asset identification system is deployed on a VMware ESXi server (10.182.197.172). In addition, the security operation platform (Hillstone iSource, 10.182.79.27) is deployed.

The internal IoT of the enterprise contains various types of IoT devices, categorized based on areas as follows:

o IT department (192.168.2.0/24) - IP phone and IPC;

o HR department (192.168.3.0/24) - printer and IPC;

o Administration department (192.168.4.0/24) - tablet and IPC.

The goal is to identify detailed information about IoT device assets by using the asset identification system deployed on the VM and, together with the IoT monitor function of the firewall, to meet the following requirements:

o Identify and monitor IoT devices: perform asset identification and monitor management on IoT devices in the deployment environment.

o Manage IoT device traffic: manage the network permissions of identified tablets. Specifically, disable their network traffic by using policy rules.

o Analyze IoT data: combined with the iSource and cloud platform in the deployment environment, upload IoT data to iSource and the cloud platform for unified analysis, statistics, control, and asset management.


*This example is configured and verified by using 5.5R10F4 in a test environment. Please configure the IP address for each interface
based on the actual condition.

Preparations

Before you start, make sure that the following prerequisites are met:

Networking environment:

o DHCP traffic from IoT devices in the network passes through the firewall or is mirrored to the firewall.

o iSource is deployed.

Firewall device:

o The system version of the firewall supports the IoT monitor function. You can run the show version command to view the
system version. Please use StoneOS 5.5R10F4 or later F version.

o The IoT license is installed on the firewall device and you have logged in to the device again.

VMware ESXi server deployment:

o The VM environment is deployed based on the system requirements: the VMware ESXi version is 7.0 or later; the VM has at least 4 vCPUs, 4 GB of memory, and 20 GB of disk space, and has a NIC installed.

o The ESXi Server host is configured.


o The installation file in ZIP format (including the ovf, vmdk, iso, and mf files) is obtained from Hillstone Networks technical support. After the package is decompressed, save the ovf and vmdk files to your PC.

Configuration Steps

IoT asset identification

o VM configuration:

1. Deploy the asset identification system on the VMware ESXi server.

o Firewall configuration:

1. Enable and configure the local asset identification function.

2. Configure the identification list by specifying the address list of IoT devices.

3. Configure the terminal type: enable or disable the function of automatically synchronizing terminals to the repository.

4. Configure the zone to enable IoT Monitor function and bind an identification list.

IoT monitor management

1. Configure the region based on the IoT device CIDR block of the IT department, administration department, and HR department.

2. View IoT monitor, including the manufacturer, type, online device, and various detailed statistics of all identified IoT devices.

IoT policy control

1. Configure the device object: specify the category dimension for IoT devices to map identified IoT devices to device objects.

2. Configure the policy rule: configure the policy rule based on the device object.

IoT data analysis

o Upload IoT data to iSource: after you upload IoT data to iSource, iSource can implement further threat event response and handling such as asset management and blocking/policy deployment.


Configuration Steps of WebUI

IoT Asset Identification Configuration

VM Configuration

Step 1: Log in to the VMware ESXi platform

To access the VMware ESXi 7.0 platform, enter the username and password and click Log in.

Step 2: Create a VM

1. After you log in to the VMware ESXi 7.0 platform, click Virtual Machines in the left-side pane. On the page that appears, click Create / Register VM.


2. Select an existing VM type.

o Select Deploy a virtual machine from an OVF or OVA file

Click Next.

3. Select OVF and VMDK files for the VM to be deployed.

o VM name: iot-identify-vm

o Select the ovf, vmdk, and iso files from your PC or drag the files to the specified position.

Click Next.

4. Select storage.

o Select the storage type and a datastore for the VM's configuration files and all of its virtual disks.

Click Next.

Note: The hard disk needs to be larger than 20 GB in size.


5. Configure deployment options.

o Select network mappings based on the network environment

o Disk provisioning: select Thin

o Select Power on automatically

Click Next.

6. After you check the configurations, click Finish.

After the system files are uploaded to the disk, the virtual
machine is created.

Note: The deployment process may take a long time. Do not refresh the page before the deployment is completed.

Step 3: Log in to the VM

1. After the VM is created, it will automatically power on and start.


2. In the left-side Navigator, click Virtual Machines. On the page that appears, select the VM iot-identify-vm created in the
steps above.

3. Select Console > Open browser console or click the console thumbnail to open the console.

4. Enter the default username and password (hillstone/hillstone) to log in to the VM.

Step 4: Configure the NIC

After the VM is deployed, you need to modify the NIC configuration by specifying the configuration file within /etc/netplan based
on the current environment.

1. In the console, enter the cat /etc/netplan/00-installer-config.yaml command to view the current configuration file.

2. Enter the vi /etc/netplan/00-installer-config.yaml command to open the configuration file.


3. Move the cursor to the position where you want to modify the configuration and press i to enter insert mode. Change the address to 10.182.197.172.
Note: The IP address must be reachable from the firewall and from the browser of the PC used to install the asset identification system, and it is used as the IP address of the IoT local asset identification VM.

4. After you modify the address, press ESC and then enter :wq to save the configuration and exit the file.

5. Restart the VM to ensure that the modified NIC information is applied.

Step 5: Install the asset identification program

1. Open the browser and access the IP address configured in the steps above, such as https://10.182.197.172:22654.


2. Because the certificate is self-signed, your browser will warn you that "Your connection is not private". Click Advanced > Proceed to XXX.

3. Enter the asset identification program installation wizard, select Deep Identification Mode, and then click Next Step.

4. In the Related Configuration step, use the default values. That is, use the Update Server provided by Hillstone Networks.


5. Confirm the configurations and click Install.

6. After the installation is completed, the asset identification program will automatically start.

Firewall Configuration

Step 1: Enable and configure the local asset identification function

Log in to the firewall and select Object > IoT Policy >
Configuration.

o Local Asset Identification: Click Enable.

o Asset Identification Module Type: External

o IP: 10.182.197.172 (the deployed VM address)

o Port: 45622 (The default port number is used in this example. If customization is required, this option must be consistent with the "Docker Port" configured in step 5 "Related Configuration" of the VM configuration)

o Virtual Router: trust-vr

Click OK.


Step 2: Configure the identification list

Select Object > IoT Policy > Identification List. On the Identification List page, click New.

o Name: IoT device

o Click New and configure the following options:

  o Type: IP

  o IP Type: IPv4

  o Address Type: IPv4/Netmask

  o Address: 192.168.0.1/16 (the address range of IoT devices within the enterprise)

Click OK.

Step 3: Configure the terminal type. For example, automatically add the identified IPC to repository

Select Object > IoT Policy > Terminal Type. Then, turn
on the switch in the Add to Repository Automatically
column corresponding to IPC in the list.


Step 4: Configure a zone to enable the IoT Monitor function of the zone. Select the zone used by IoT device traffic passing through the firewall based on the actual networking environment (in this example, the layer-3 zone "trust" is used)

Select Network > Zone. In the list, select "trust" and click
Edit.

o Advanced: Click Advanced to expand this section.

o IoT Monitor: Click Enable.

o Identification List: Select the identification list "IoT device" that is created in Step 2.

Click OK.


IoT Monitor Management

Step 1: Configure the Region

Select Object > IoT Policy > Region Setting. On the Region Setting page, click New and configure the following parameters:

o Name: IT department

o Member: Click New.

o Type: IP/Netmask

o Member: 192.168.2.0/24

Click OK.

Repeat the steps above to create the region "HR department":

o Name: HR department

o Member: Click New.

o Type: IP/Netmask

o Member: 192.168.3.0/24

Click OK.


Repeat the steps above to create the region "administration department":

o Name: administration department

o Member: Click New.

o Type: IP/Netmask

o Member: 192.168.4.0/24

Click OK.

Step 2: View IoT monitor

Select Monitor > IoT Monitor > Details to view details about all identified IoT devices in the deployment environment.


Select Monitor > IoT Monitor > Summary to view the top 10 device manufacturers and device type distribution.

IoT Policy Control

Step 1: Configure a device object

Select Object > Device. On the Device page, click New. On the Device Config page, configure the following parameters:

o Device Name: tablet

o Type: Select Tablet

o You can configure other options as required

Click OK.


Step 2: Configure the policy rule to manage permissions on Internet access for tablets

Select Policy > Security Policy > Policy. On the Policy Configuration page, configure the following parameters:

o Name: Policy-iot

o Source Device: Select the "tablet" device object created in Step 1

o Action: Select Deny

o You can configure other options as required or keep the default values

Click OK.


IoT Data Analysis

Connect to iSource and enable the IoT Asset Monitor function

Select System > Extended Services. In the Connect to Security Operations Platform section, click in the lower-left corner. In the Connect to Security Operations Platform panel, configure the following parameters:

o Enable: Click Enable

o IP/Domain: 10.182.79.27 (the iSource address in the networking environment)

o IoT Asset Monitor: Click Enable

o Keep the default values for other options

Click OK.

Configuration Steps of CLI

IoT Asset Identification Configuration

VM Configuration

For more information, see the VM Configuration section.

Firewall Configuration

Step 1: Enable and configure the local asset identification function

hostname(config)# iot-monitor docker-detect enable

hostname(config)# iot-monitor docker-detect external-docker ip 10.182.197.172 port 45622 (In this example, the default port number is used. If customization is required, the port number must be consistent with the "Docker Port" configured in "Related Configuration" in step 5 of the VM configuration.)


Step 2: Configure the identification list

hostname(config)# iot-monitor identify-list iotdevice

hostname(config-IoT-monitor-identify-list)# ip network 192.168.0.1/16 (the address range of IoT devices within the enterprise)

hostname(config-IoT-monitor-identify-list)# exit

Step 3: Configure a zone to enable the IoT Monitor function of the zone. Select the zone used by IoT device traffic passing through the firewall based on the actual networking environment (in this example, the layer-3 zone "trust" is used)

hostname(config)# zone trust

hostname(config-zone-trust)# iot-monitor enable iotdevice

hostname(config-zone-trust)# exit

IoT Monitor Management

Step 1: Configure the Region

hostname(config)# iot-monitor district id 1 name IT (Configure the region of the IT department)

hostname(config-IoT-monitor-district)# ip network 192.168.2.0/24

hostname(config-IoT-monitor-district)# exit

hostname(config)# iot-monitor district id 2 name HR (Configure the region of the HR department; each region needs its own id)

hostname(config-IoT-monitor-district)# ip network 192.168.3.0/24

hostname(config-IoT-monitor-district)# exit

hostname(config)# iot-monitor district id 3 name admin (Configure the region of the administration department)

hostname(config-IoT-monitor-district)# ip network 192.168.4.0/24

hostname(config-IoT-monitor-district)# exit

Step 2: View IoT monitor


hostname(config)# show iot-monitor-list

Total: 5

ip            vrouter/vswitch  type        manufacturer  status  OS_family  Rx(kbps)/Tx(kbps)  profile

192.168.4.1   trust-vr         Ipad        Huawei        Online  -          65.57/7517.99      iotdevice

192.168.3.11  trust-vr         IPC         Hikvision     Online  -          16600.00/11507.00  iotdevice

192.168.2.11  trust-vr         IPC         Hikvision     Online  -          9464.91/192.992    iotdevice

192.168.2.1   trust-vr         Voip Phone  -             Online  -          96.53/4729.00      iotdevice

192.168.3.1   trust-vr         Printer     HP            Online  -          166.49/7565.09     iotdevice
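The following Python script is an added example; it is not part of the StoneOS documentation or product. It parses the show iot-monitor-list output of this step (and of the same step in the built-in Docker recipe) and checks every identified device against the iotdevice identification list, the three configured regions, and the device types each department is documented to contain in the Networking Requirements. The sample output is the page's output with its column spacing normalised; the per-department type table and the two extra "drift" rows are constructed for the example.

```python
import ipaddress
import re

# Region CIDR blocks exactly as configured in the "Configure the Region" step of the recipe.
REGIONS = {
    "IT department": ipaddress.ip_network("192.168.2.0/24"),
    "HR department": ipaddress.ip_network("192.168.3.0/24"),
    "administration department": ipaddress.ip_network("192.168.4.0/24"),
}
# The "iotdevice" identification list (192.168.0.1/16 in the recipe, i.e. the 192.168.0.0/16 block).
IDENTIFY_LIST = ipaddress.ip_network("192.168.0.1/16", strict=False)

# Constructed from the Networking Requirements: device types each department should contain,
# spelled as the show output prints them.
EXPECTED_TYPES = {
    "IT department": {"Voip Phone", "IPC"},
    "HR department": {"Printer", "IPC"},
    "administration department": {"Ipad", "IPC"},
}

# Output reproduced from the recipe's "show iot-monitor-list" step (spacing normalised).
SAMPLE_OUTPUT = """\
Total: 5
ip vrouter/vswitch type manufacturer status OS_family Rx(kbps)/Tx(kbps) profile
192.168.4.1 trust-vr Ipad Huawei Online - 65.57/7517.99 iotdevice
192.168.3.11 trust-vr IPC Hikvision Online - 16600.00/11507.00 iotdevice
192.168.2.11 trust-vr IPC Hikvision Online - 9464.91/192.992 iotdevice
192.168.2.1 trust-vr Voip Phone - Online - 96.53/4729.00 iotdevice
192.168.3.1 trust-vr Printer HP Online - 166.49/7565.09 iotdevice
"""

# Constructed rows (not on the page): a device outside every configured region and a device type
# that the IT department is not documented to contain. Total: 5 is deliberately left stale.
CONSTRUCTED_DRIFT = SAMPLE_OUTPUT + """\
192.168.5.20 trust-vr IPC Hikvision Online - 10.00/20.00 iotdevice
192.168.2.30 trust-vr Printer HP Online - 1.00/2.00 iotdevice
"""

# The type column may contain a space ("Voip Phone"); manufacturer and OS_family print "-" when unknown.
ROW_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<vrouter>\S+)\s+(?P<type>.+?)\s+(?P<manufacturer>\S+)\s+"
    r"(?P<status>Online|Offline)\s*-?\s*(?P<rx>[\d.]+)/(?P<tx>[\d.]+)\s+(?P<profile>\S+)$"
)


def parse_monitor_list(text):
    """Return one dict per device row; header and Total lines do not match ROW_RE and are skipped."""
    devices = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["rx_kbps"] = float(d.pop("rx"))
            d["tx_kbps"] = float(d.pop("tx"))
            devices.append(d)
    return devices


def declared_total(text):
    m = re.search(r"^Total:\s*(\d+)", text, re.M)
    return int(m.group(1)) if m else None


def region_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in REGIONS.items():
        if addr in net:
            return name
    return None


def audit(text):
    """Compare the identified devices with the configured identification list and regions and with
    the documented per-department inventory. Returns (ip, finding) tuples; empty means consistent."""
    devices = parse_monitor_list(text)
    findings = []
    total = declared_total(text)
    if total is not None and total != len(devices):
        findings.append(("*", f"Total reports {total} devices but {len(devices)} rows were parsed"))
    for d in devices:
        ip = d["ip"]
        if ipaddress.ip_address(ip) not in IDENTIFY_LIST:
            findings.append((ip, "outside the iotdevice identification list"))
        region = region_of(ip)
        if region is None:
            findings.append((ip, "not covered by any configured region"))
        elif d["type"] not in EXPECTED_TYPES[region]:
            findings.append((ip, f"{d['type']} is not an expected device type in the {region}"))
    return findings


if __name__ == "__main__":
    for ip, finding in audit(CONSTRUCTED_DRIFT):
        print(f"{ip}: {finding}")
```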

IoT Policy Control

Step 1: Configure a device object

hostname(config)# device pad

hostname(config-device)# type Ipad

hostname(config-device)# exit

Step 2: Configure the policy rule to manage permissions on Internet access for tablets

hostname(config)# policy-global

hostname(config-policy)# rule id 1

Rule id 1 is created

hostname(config-policy-rule)# src-device pad

hostname(config-policy-rule)# action deny

hostname(config-policy-rule)# exit

hostname(config)#

IoT Data Analysis

Connect to iSource and enable the IoT Asset Monitor function


hostname(config)# cloud server isource

hostname(config-isource)# enable

hostname(config-isource)# address 10.182.79.27 (the iSource address in the networking environment)

hostname(config-isource)# upload-type iot-monitor-property

hostname(config-isource)# exit


Data Security

Data security allows you to flexibly configure control rules to comprehensively control and audit (through behavior logs) user network behavior.

This chapter contains the following recipe:

o "Decrypting HTTPS Traffic and Identifying the Encrypted Application" on Page 452

o "URL Filtering for HTTPS Traffic without the CA Certificate" on Page 456


Decrypting HTTPS Traffic and Identifying the Encrypted Application

This example introduces how to decrypt HTTPS traffic and identify the encrypted application, which meets the requirements of fine-grained application management.

As shown in the scenario below, an internal user accesses an HTTPS website and the traffic is encrypted by the SSL protocol. With the SSL proxy and application identification functions enabled, the device can decrypt the HTTPS traffic and identify the encrypted application.


Configuration Steps

Step 1: Configuring an SSL proxy profile

Select Policy > SSL Proxy, and click New.

In the Basic tab:

o Name: profile1

o Expired certificate: Decrypt

o Unsupported version: Block

o Unsupported encryption algorithms: Block

o Client verification: Block

o Warning: Enable

Step 2: Specifying an SSL proxy profile in the security policy

Configure a security policy that allows internal users to access the Internet, and specify an SSL proxy profile in the Advanced tab:

o SSL Proxy: Select the Enable checkbox and select profile1 from the drop-down list.


Step 3: Importing the device certificate to the client's Web browser

Export the certificate from the device.

Click System > PKI. In the Management tab:

o Trust Domain: trust_domain_ssl_proxy

o Content: CA Certificate

o Action: Export

Click OK to export the certificate.

Import the certificate to the client's Web browser.

1. In the Chrome Web browser, select Settings > Show advanced settings.

2. In the HTTPS/SSL section, select Manage certificates.

3. In the Trusted Root Certification Authorities tab, select Import.

4. Follow the wizard to import the certificate.

Step 4: Upgrading to the professional application signature database and enabling the application identification function

In the CLI, execute the upgrade command to upgrade to the professional application signature database.


Select Network > Zone, and double-click the untrust zone. In the Basic tab:

o Application Identification: Select Enable.

Step 5: Viewing the application monitor

Select Monitor > Application > Application Details.

When an internal user accesses an HTTPS website, the SSL proxy function decrypts the HTTPS traffic and the application identification function identifies the encrypted application.


URL Filtering for HTTPS Traffic without the CA Certificate


This example shows how to achieve the URL filtering for HTTPS traffic without installing the CA certificate.

As shown in the following topology, the Hillstone device works as the gateway of an enterprise. ethernet0/0 connects to the Internet and belongs to the untrust zone. ethernet0/1 connects to the intranet and belongs to the trust zone.

With the configured URL filtering rule, staff of the enterprise (network segment 10.100.0.0/16) are prohibited from accessing shopping websites and the entertainment website https://www.bcd.com during working hours (09:00 to 18:00, Monday to Friday). The access and search attempts will be logged.

Preparation

Before configuring the URL filtering function, prepare the following first:

1. Install the URL service license and reboot the device.

2. Update the predefined URL database.


Configuration Steps

Step 1: Configure a schedule

Select Object > Schedule, and click New.

In the Schedule Configuration dialog:

o Name: workday

o Days: Click Add to add a periodic schedule.

o Type: Days.

o Days: Monday, Tuesday, Wednesday, Thursday, Friday

o Start Time: 09:00

o End Time: 18:00

Step 2: Configure the user-defined URL category named bcd that contains https://www.bcd.com

Select Object > URL Filtering, and select Con-


figuration > User-defined URL DB at the top-
right corner.


In the User-defined URL DB dialog, click New.

In the URL Category dialog:

o Category: bcd

o URL http(s)://: www.bcd.com

o Click Add to add "https://www.bcd.com" and its category to the table.


Step 3: Configure the URL filtering rule named URLcontrol, and enable SSL Inspection

Select Object > URL Filtering, and click New.

In the URL Filtering Rule Configuration dialog:

o Name: URLcontrol

o Control Type: URL Category

o SSL Inspection: Select the Enable check box to enable inspection of the SSL negotiation packets. Because the traffic is not decrypted, the rule can match only the host name carried in the TLS handshake (the SNI or the server certificate), not the full URL path.

o Select the predefined URL category Shopping, and then select the Block check box and the Log check box.

o Select the user-defined URL category bcd, and then select the Block check box and the Log check box.


Step 4: Bind the URL filtering rule to a policy rule

Select Policy > Security Policy, and click New.

In the Basic Configuration tab of the Policy Configuration dialog:

o Name: policy1

o Source Address: Select the address type IP/Netmask, type 10.100.0.0 and 16 into the IP and Netmask text boxes respectively, and click -> to add the address to the right pane.

In the Protection tab of the Policy Configuration dialog:

o URL Filtering: Select the Enable check box.

o Profile: Select the created URL filtering rule "URLcontrol" from the drop-down list.

In the Options tab of the Policy Configuration dialog:

o Schedule: Select the schedule "workday" from the Schedule drop-down list.


Step 5: Result

After the configuration, move the configured rule to the top of the policy list so that it has the highest priority during traffic matching.

When the rule takes effect, company staff cannot access shopping websites or the entertainment website https://www.bcd.com during working hours. The system logs the access and search attempts.


IPv6

StoneOS is a dual-stack firmware that supports both IPv4 and IPv6. It also supports tunneling techniques (the latest version supports manual IPv6 tunnels) for IPv6 communication.

This chapter includes the following recipes:

o "Connecting IPv6 and IPv4 Networks" on Page 463

o "Realizing FTP Service in IPv6-only or IPv4/IPv6 Hybrid Networks Using ALG" on Page 474

o "Realizing SIP Communication in IPv6-only or IPv4/IPv6 Hybrid Networks Using ALG" on Page 483

o "Realizing Dual-stack Host in IPv4 Network Accessing IPv6 Network Via ISATAP Tunnel" on Page 494

o "Allowing Communication Between IPv6 networks by Configuring a 6RD Tunnel" on Page 497


Connecting IPv6 and IPv4 Networks


One enterprise has a headquarters, branch A and branch B, all of which can access the Internet. The headquarters and branch A use an IPv6 network for the intranet and an IPv4 network for the Internet, while branch B uses IPv4-only networks for both the intranet and the Internet. For business needs, the IPv6 and IPv4 networks must be connected to achieve the following goals:

o The IPv6 network of the headquarters can reach the IPv4 Internet and can be accessed by Internet users.

o The networks of the headquarters can connect to the IPv6 network of branch A via a 6in4 tunnel.

o The networks of the headquarters can connect to the IPv4 network of branch B.

The headquarters, branch A and branch B are each deployed with a Hillstone device, and the topology is as follows:

There are three parts of configurations:

o Configuring networks of headquarters

o Configuring networks of branch A

o Configuring networks of branch B

Configuring Networks of Headquarters

Step 1: Configure the interface and zone.


hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone untrust

hostname(config-if-eth0/1)# ip address 200.0.0.2 255.255.255.0

hostname(config-if-eth0/1)# manage http

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone trust

hostname(config-if-eth0/2)# dns-proxy

hostname(config-if-eth0/2)# ipv6 enable

hostname(config-if-eth0/2)# ipv6 address 2005::1/96

hostname(config-if-eth0/2)# manage ping

hostname(config-if-eth0/2)# exit

hostname(config)# interface tunnel1

hostname(config-if-tun1)# zone trust

hostname(config-if-tun1)# ipv6 enable

hostname(config-if-tun1)# tunnel ip6in4 branchA

hostname(config-if-tun1)# exit

Step 2: Configure the routes and NAT rules, covering the headquarters accessing the Internet, the headquarters communicating with branch B, and public IPv4 hosts accessing the IPv6 server of the headquarters.

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# snatrule id 1 from 2005::/96 to 2003::/96 service any eif ethernet0/1 trans-to eif-ip mode dynamicport

hostname(config-vrouter)# snatrule id 2 from 2005::2/96 to 2004::2 service any eif ethernet0/1 trans-to eif-ip mode dynamicport

hostname(config-vrouter)# snatrule id 3 from any to 200.0.0.2 service any eif ethernet0/2 trans-to 2005::1 mode dynamicport

hostname(config-vrouter)# dnatrule id 1 from 2005::/96 to 2003::/96 service any v4-mapped

hostname(config-vrouter)# dnatrule id 2 from 2005::2/96 to 2004::2 service any trans-to 200.0.0.4

hostname(config-vrouter)# dnatrule id 3 from any to 200.0.0.2 service any trans-to 2005::2

hostname(config-vrouter)# ip route 0.0.0.0/0 200.0.0.1

hostname(config-vrouter)# ipv6 route 2001::/96 tunnel1

hostname(config-vrouter)# exit

Step 3: Configure the policy.

Note: Rule id 1 (any to any) and rule id 6 (ipv6-any to ipv6-any) permit all traffic. They are lab shortcuts; in production, narrow them to the zones, addresses and services that are actually required.

hostname(config)# policy-global

hostname(config-policy)# rule id 1

Rule id 1 is created

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# exit

hostname(config)# policy-global

hostname(config-policy)# rule id 2

Rule id 2 is created

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# src-ip 2005::/96

hostname(config-policy-rule)# dst-ip 2004::/96

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# exit

hostname(config)# policy-global

hostname(config-policy)# rule id 3

Rule id 3 is created

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# src-ip 2005::/96

hostname(config-policy-rule)# dst-ip 2003::/96

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# exit


hostname(config)# policy-global

hostname(config-policy)# rule id 4

Rule id 4 is created

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# src-ip 2005::/96

hostname(config-policy-rule)# dst-ip 2001::/96

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# exit

hostname(config)# policy-global

hostname(config-policy)# rule id 5

Rule id 5 is created

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# src-ip 2001::/96

hostname(config-policy-rule)# dst-ip 2005::/96

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# exit

hostname(config)# policy-global

hostname(config-policy)# rule id 6

Rule id 6 is created

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# src-ip ipv6-any

hostname(config-policy-rule)# dst-ip ipv6-any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# exit


Step 4: Configure an IPv6 tunnel.

hostname(config)# tunnel ip6in4 branchA manual

hostname(config-ip6in4-manual)# interface ethernet0/1

hostname(config-ip6in4-manual)# destination 200.0.0.3

hostname(config-ip6in4-manual)# exit

hostname(config)# ip name-server 8.8.8.8 vrouter trust-vr

hostname(config)# ip dns-proxy domain any name-server 8.8.8.8 vrouter trust-vr

hostname(config)# ipv6 dns64-proxy id 1 prefix 2003::/96 source 2005::/96 trans-mapped-ip any

Note: The ipv6 dns64-proxy command is not supported in some versions.
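The headquarters configuration above combines two mechanisms: the NAT64 prefix 2003::/96 (used by snatrule id 1, the v4-mapped dnatrule id 1 and the DNS64 proxy) and the manual 6in4 tunnel to branch A. The following Python script is an added example, not StoneOS code, of what those do on the wire: DNS64 synthesis and NAT64 extraction of an IPv4 address embedded in a /96 prefix (RFC 6052), and 6in4 encapsulation together with the decapsulation check RFC 4213 calls for, accepting protocol-41 packets only from the configured tunnel peer. A manual 6in4 tunnel carries no authentication, so without that check any IPv4 host could inject IPv6 packets into the trust zone through tunnel1. The IPv6 payload used below is constructed; the helper names are the example's own.

```python
import ipaddress
import struct

# Values from the recipe: the NAT64 prefix the headquarters LAN uses to reach IPv4
# hosts, and the public IPv4 endpoints of the manual 6in4 tunnel.
NAT64_PREFIX = ipaddress.IPv6Network("2003::/96")
HQ_TUNNEL_IP = "200.0.0.2"
BRANCH_A_TUNNEL_IP = "200.0.0.3"


def synthesize_aaaa(prefix: ipaddress.IPv6Network, ipv4: str) -> ipaddress.IPv6Address:
    """DNS64 step: embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix (RFC 6052)."""
    if prefix.prefixlen != 96:
        raise ValueError("this helper only handles /96 prefixes")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))


def extract_ipv4(prefix: ipaddress.IPv6Network, ipv6: str) -> ipaddress.IPv4Address:
    """NAT64 step: recover the real IPv4 destination from a prefix-embedded IPv6 address."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        raise ValueError(f"{addr} is not inside the NAT64 prefix {prefix}")
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over a 20-byte IPv4 header (0 when the header is intact)."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate_6in4(src_v4: str, dst_v4: str, ipv6_packet: bytes) -> bytes:
    """Manual 6in4 tunnel: prepend an IPv4 header whose protocol field is 41 (RFC 4213)."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(ipv6_packet),   # version/IHL, DSCP, total length
                         0, 0x4000,                        # identification, DF flag
                         64, 41, 0,                        # TTL, protocol 41 = IPv6, checksum placeholder
                         ipaddress.IPv4Address(src_v4).packed,
                         ipaddress.IPv4Address(dst_v4).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + ipv6_packet


def decapsulate_6in4(packet: bytes, expected_peer: str) -> bytes:
    """Tunnel endpoint check: strip the outer IPv4 header only if the packet is protocol 41
    and its outer source is the configured peer; anything else is dropped."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 41:
        raise ValueError("not a 6in4 packet")
    if ipaddress.IPv4Address(packet[12:16]) != ipaddress.IPv4Address(expected_peer):
        raise ValueError("outer source is not the configured tunnel peer; dropping")
    return packet[ihl:]
```

With this prefix, a headquarters host that resolves branch B's public address 200.0.0.4 through the DNS64 proxy receives 2003::c800:4, and the v4-mapped dnatrule turns that back into 200.0.0.4 on the untrust side.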

Configuring Networks of Branch A

Step 1: Configure the interface and zone.


hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone untrust

hostname(config-if-eth0/1)# ip address 200.0.0.3 255.255.255.0

hostname(config-if-eth0/1)# manage ping

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone trust

hostname(config-if-eth0/2)# ipv6 enable

hostname(config-if-eth0/2)# ipv6 address 2001::1/96

hostname(config-if-eth0/2)# manage ping

hostname(config-if-eth0/2)# exit

hostname(config)# interface tunnel1

hostname(config-if-tun1)# zone trust

hostname(config-if-tun1)# ipv6 enable

hostname(config-if-tun1)# tunnel ip6in4 headquarters

hostname(config-if-tun1)# exit

Step 2: Configure the route and NAT rules.

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ip route 0.0.0.0/0 200.0.0.1

hostname(config-vrouter)# ipv6 route 2005::/96 tunnel1

hostname(config-vrouter)# exit

Step 3: Configure the policy.


hostname(config)# policy-global

hostname(config-policy)# rule id 31

Rule id 31 is created

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# exit

hostname(config)# policy-global

hostname(config-policy)# rule id 32

Rule id 32 is created

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# src-ip 2001::/96

hostname(config-policy-rule)# dst-ip 2005::/96

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# exit

hostname(config)# policy-global

hostname(config-policy)# rule id 33

Rule id 33 is created

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# src-ip 2005::/96

hostname(config-policy-rule)# dst-ip 2001::/96

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# exit


hostname(config)# policy-global

hostname(config-policy)# rule id 34

Rule id 34 is created

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# src-ip ipv6-any

hostname(config-policy-rule)# dst-ip ipv6-any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# exit

Step 4: Configure an IPv6 tunnel.

hostname(config)# tunnel ip6in4 headquarters manual

hostname(config-ip6in4-manual)# interface ethernet0/1

hostname(config-ip6in4-manual)# destination 200.0.0.2

hostname(config-ip6in4-manual)# exit

Configuring Networks of Branch B

Step 1: Configure the interface and zone.


hostname(config)# interface ethernet0/3

hostname(config-if-eth0/3)# zone trust

hostname(config-if-eth0/3)# ip address 192.168.2.1 255.255.255.0

hostname(config-if-eth0/3)# manage ping

hostname(config-if-eth0/3)# exit

hostname(config)# interface ethernet0/4

hostname(config-if-eth0/4)# zone untrust

hostname(config-if-eth0/4)# ip address 200.0.0.4 255.255.255.0

hostname(config-if-eth0/4)# manage ping

hostname(config-if-eth0/4)# exit

Step 2: Configure the route and NAT rules.

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# snatrule id 1 from any to any service any eif ethernet0/4 trans-to eif-ip mode dynamicport

hostname(config-vrouter)# dnatrule id 1 from 200.0.0.2 to 200.0.0.4 service any trans-to 192.168.2.254

hostname(config-vrouter)# ip route 0.0.0.0/0 200.0.0.1

hostname(config-vrouter)# exit

Step 3: Configure the policy.


hostname(config)# policy-global

hostname(config-policy)# rule id 35

Rule id 35 is created

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# exit


Realizing FTP Service in IPv6-only or IPv4/IPv6 Hybrid Networks Using ALG

This example introduces how to configure ALG to provide the FTP service in IPv6-only or IPv4/IPv6 hybrid networks, covering the following three scenarios:

o Scenario 1: IPv6-only network. In the topology below, an enterprise deploys a Hillstone security device as the egress gateway connecting the internal network to the Internet. Both the internal and the external network use IPv6 addresses. With the ALG function configured, the internal FTP client can access the FTP server on the Internet.

o Scenario 2: IPv4 network to IPv6 network. In the topology below, an enterprise deploys a Hillstone security device as the egress gateway connecting the internal network to the Internet. The internal network uses IPv4 addresses and the external network uses IPv6 addresses. With the ALG function configured, the internal FTP client can access the FTP server on the Internet.

o Scenario 3: IPv6 network to IPv4 network. In the topology below, an enterprise deploys a Hillstone security device as the egress gateway connecting the internal network to the Internet. The internal network uses IPv6 addresses and the external network uses IPv4 addresses. With the ALG function configured, the internal FTP client can access the FTP server on the Internet.


Before You Start

Before starting the configuration, you need to ensure that the configuration of the FTP server and the FTP client has been completed.
This example only describes the relevant configuration on the device.

Configuration Steps of Scenario 1

Step 1: Configure the interface and zone.

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ipv6 enable

hostname(config-if-eth0/1)# ipv6 address 2002::1/64

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone untrust

hostname(config-if-eth0/2)# ipv6 enable

hostname(config-if-eth0/2)# ipv6 address 2003::1/64

hostname(config-if-eth0/2)# exit

Step 2: Configure the policy.

hostname(config)# rule id 1 from ipv6-any to ipv6-any service ftp permit

Rule id 1 is created

hostname(config-policy)# rule id 1

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone untrust

hostname(config-policy-rule)# exit

Step 3: Enable the ALG function of FTP.


hostname(config)# alg ftp

Note: The ALG function of FTP is enabled by default.

Step 4: Verify result.

Download session in FTP active mode:

session: id 44, proto 6, flag 0, flag1 20000, flag2 0, flag3 0, created 39340, life 1787, policy 1,app 4(FTP) flag 0x1, auth_user_id 0, reverse_auth_user_id 0

flow0(32(ethernet0/2)/40308b10): [2003::2]:64348->[2001::2]:21

flow1(31(ethernet0/1)/308b10): [2001::2]:21->[2003::2]:64348

session: id 2, proto 6, flag 8000000, flag1 20000, flag2 0, flag3 0, created 39408, life 1800, policy 1,app 70(FTP-DATA) flag 0x0, auth_user_id 0, reverse_auth_user_id 0

flow0(31(ethernet0/1)/208810): [2001::2]:20->[2003::2]:64363

flow1(32(ethernet0/2)/40208810): [2003::2]:64363->[2001::2]:20

Download session in FTP passive mode:

session: id 61, proto 6, flag 10000, flag1 20000, flag2 0, flag3 0, created 39683, life 1775, policy 1,app 4(FTP) flag 0x0, auth_user_id 0, reverse_auth_user_id 0

flow0(32(ethernet0/2)/40308b10): [2003::2]:64362->[2001::2]:21

flow1(31(ethernet0/1)/308b10): [2001::2]:21->[2003::2]:64362

session: id 22, proto 6, flag 8000000, flag1 20000, flag2 0, flag3 0, created 39684, life 1776, policy 1,app 70(FTP-DATA) flag 0x0, auth_user_id 0, reverse_auth_user_id 0

flow0(32(ethernet0/2)/40208810): [2003::2]:64398->[2001::2]:56008

flow1(31(ethernet0/1)/208810): [2001::2]:56008->[2003::2]:64398

Configuration Steps of Scenario 2

Step 1: Configure the interface and zone.


hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ip address 192.168.2.1/24

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone untrust

hostname(config-if-eth0/2)# ipv6 enable

hostname(config-if-eth0/2)# ipv6 address 2001::1/64

hostname(config-if-eth0/2)# exit

Step 2: Configure the policy.

hostname(config)# rule id 1 from any to any service ftp permit

Rule id 1 is created

hostname(config-policy)# rule id 1

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone untrust

hostname(config-policy-rule)# exit

Step 3: Configure the NAT rule.


hostname(config)# nat

hostname(config-nat)# snatrule id 1 from any to 192.168.2.10 service any trans-to 2001::10 mode dynamicport

rule ID=1

hostname(config-nat)# dnatrule id 1 from any to 192.168.2.10 service any trans-to ip 2001::2

rule ID=1

hostname(config-nat)# exit

Step 4: Enable the ALG function of FTP.

hostname(config)# alg ftp

Note: The ALG function of FTP is enabled by default.

Step 5: Verify result.


Download session in FTP active mode:

session: id 64, proto 6, flag e, flag1 20007, flag2 0, flag3 0, created 133143, life 1797, policy 2,app 4(FTP) flag 0x1, auth_user_id 0, reverse_auth_user_id 0

flow0(32(ethernet0/2)/40300b10): 192.168.2.2:58259->192.168.2.10:21

flow1(31(ethernet0/1)/308b10): [2001::2]:21->[2001::10]:1025

session: id 14, proto 6, flag 8000016, flag1 2000b, flag2 0, flag3 0, created 133147, life 297, policy 2,app 70(FTP-DATA) flag 0x0, auth_user_id 0, reverse_auth_user_id 0

flow0(31(ethernet0/1)/208810): [2001::2]:20->[2001::10]:58261

flow1(32(ethernet0/2)/40200810): 192.168.2.2:58261->192.168.2.10:20

Download session in FTP passive mode:

session: id 20, proto 6, flag e, flag1 20007, flag2 0, flag3 0, created 133393, life 1797, policy 2,app 4(FTP) flag 0x1, auth_user_id 0, reverse_auth_user_id 0

flow0(32(ethernet0/2)/40300b10): 192.168.2.2:58272->192.168.2.10:21

flow1(31(ethernet0/1)/308b10): [2001::2]:21->[2001::10]:1030

session: id 2, proto 6, flag 800000e, flag1 20007, flag2 0, flag3 0, created 133397, life 1797, policy 2,app 70(FTP-DATA) flag 0x0, auth_user_id 0, reverse_auth_user_id 0

flow0(32(ethernet0/2)/40200810): 192.168.2.2:58273->192.168.2.10:61665

flow1(31(ethernet0/1)/208810): [2001::2]:61665->[2001::10]:61665

Configuration Steps of Scenario 3

Step 1: Configure the interface and zone.


hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ipv6 enable

hostname(config-if-eth0/1)# ipv6 address 2003::1/64

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone untrust

hostname(config-if-eth0/2)# ip address 192.168.1.1/24

hostname(config-if-eth0/2)# exit

Step 2: Configure the policy.

hostname(config)# rule id 1 from ipv6-any to ipv6-any service ftp permit

Rule id 1 is created

hostname(config-policy)# rule id 1

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone untrust

hostname(config-policy-rule)# exit

Step 3: Configure the NAT rule.


hostname(config)# nat

hostname(config-nat)# snatrule id 1 from ipv6-any to 2003::10 service any trans-to 192.168.1.10 mode dynamicport

rule ID=1

hostname(config-nat)# dnatrule id 1 from ipv6-any to 2003::10 service any trans-to ip 192.168.1.2

rule ID=1

hostname(config-nat)# exit

Step 4: Enable the ALG function of FTP.

hostname(config)# alg ftp

Note: The ALG function of FTP is enabled by default.

Step 5: Verify result.


Download session in FTP active mode:

session: id 6, proto 6, flag e, flag1 2000b, flag2 0, flag3 0, created 40792, life 1799, policy 1,app 4(FTP) flag 0x1, auth_user_id 0, reverse_auth_user_id 0

flow0(32(ethernet0/2)/40308b10): [2003::2]:64537->[2003::10]:21

flow1(31(ethernet0/1)/300b10): 192.168.1.2:21->192.168.1.10:1034

session: id 5, proto 6, flag 8000016, flag1 20007, flag2 0, flag3 0, created 40798, life 1799, policy 1,app 70(FTP-DATA) flag 0x0, auth_user_id 0, reverse_auth_user_id 0

flow0(31(ethernet0/1)/200810): 192.168.1.2:20->192.168.1.10:64538

flow1(32(ethernet0/2)/40208810): [2003::2]:64538->[2003::10]:20

Download session in FTP passive mode:

session: id 21, proto 6, flag e, flag1 2000b, flag2 0, flag3 0, created 40093, life 1799, policy 1,app 4(FTP) flag 0x1, auth_user_id 0, reverse_auth_user_id 0

flow0(32(ethernet0/2)/40308b10): [2003::2]:64435->[2003::10]:21

flow1(31(ethernet0/1)/300b10): 192.168.1.2:21->192.168.1.10:1026

session: id 14, proto 6, flag 800000e, flag1 2000b, flag2 0, flag3 0, created 40099, life 300, policy 1,app 70(FTP-DATA) flag 0x0, auth_user_id 0, reverse_auth_user_id 0

flow0(32(ethernet0/2)/40208810): [2003::2]:64436->[2003::10]:56075

flow1(31(ethernet0/1)/200810): 192.168.1.2:56075->192.168.1.10:56075
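The session output in the three scenarios shows what the FTP ALG produces: a second FTP-DATA session, in the other address family, whose ports come from the client's PORT/EPRT command or the server's 227/229 reply. The following Python script is an added example of that rewriting and is not StoneOS code. It parses PORT (RFC 959) and EPRT (RFC 2428) from the client, rewrites them into the form matching the client's translated address family, and does the same for the server's passive replies. It also rejects a PORT/EPRT or 227 address that differs from the peer that actually owns the control connection, the classic FTP bounce trick for making a NAT open a pinhole toward a third host. The ports in the checks are the ones visible in the session output above; the function and pinhole field names are the example's own.

```python
import ipaddress
import re

FTP_DATA_SRC_PORT = 20   # active mode: the server connects from port 20 to the client's announced port


def parse_port_arg(arg: str):
    """PORT h1,h2,h3,h4,p1,p2 (RFC 959) -> (IPv4Address, port)."""
    parts = [int(x) for x in arg.split(",")]
    if len(parts) != 6 or any(not 0 <= x <= 255 for x in parts):
        raise ValueError("malformed PORT argument")
    return ipaddress.IPv4Address(".".join(map(str, parts[:4]))), parts[4] * 256 + parts[5]


def parse_eprt_arg(arg: str):
    """EPRT |proto|addr|port| (RFC 2428) -> (IPv4Address or IPv6Address, port)."""
    fields = arg.strip().split(arg[0])
    if len(fields) != 5 or fields[1] not in ("1", "2"):
        raise ValueError("malformed EPRT argument")
    addr = ipaddress.ip_address(fields[2])
    if (addr.version == 4) != (fields[1] == "1"):
        raise ValueError("EPRT protocol field disagrees with the address family")
    return addr, int(fields[3])


def format_port_arg(addr: ipaddress.IPv4Address, port: int) -> str:
    return ",".join(str(addr).split(".") + [str(port // 256), str(port % 256)])


def alg_rewrite_command(line: str, actual_client: str, translated_client: str):
    """Rewrite the client's PORT/EPRT so the server sees the client's translated address.
    Returns (new command line, pinhole) or (line, None) for commands the ALG ignores."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb == "PORT":
        announced, port = parse_port_arg(arg)
    elif verb == "EPRT":
        announced, port = parse_eprt_arg(arg)
    else:
        return line, None
    # Bounce check: only open a pinhole toward the host that owns the control connection.
    if announced != ipaddress.ip_address(actual_client):
        raise ValueError(f"{verb} address {announced} differs from connection source {actual_client}")
    nat = ipaddress.ip_address(translated_client)
    new_line = f"PORT {format_port_arg(nat, port)}" if nat.version == 4 else f"EPRT |2|{nat}|{port}|"
    pinhole = {"mode": "active", "src_port": FTP_DATA_SRC_PORT, "dst": str(nat), "dst_port": port}
    return new_line, pinhole


def alg_rewrite_reply(line: str, actual_server: str, translated_server: str):
    """Rewrite the server's 227/229 passive reply so the client connects to the server's
    translated address. Returns (new reply line, pinhole) or (line, None)."""
    m227 = re.match(r"227 .*?\((\d+,\d+,\d+,\d+,\d+,\d+)\)", line)
    m229 = re.match(r"229 .*?\(\|\|\|(\d+)\|\)", line)
    if m227:
        announced, port = parse_port_arg(m227.group(1))
        if announced != ipaddress.ip_address(actual_server):
            raise ValueError("227 reply points at a different host than the server")
    elif m229:
        port = int(m229.group(1))      # EPSV carries no address: the control peer is implied
    else:
        return line, None
    nat = ipaddress.ip_address(translated_server)
    if nat.version == 4:
        new_line = f"227 Entering Passive Mode ({format_port_arg(nat, port)})."
    else:
        new_line = f"229 Entering Extended Passive Mode (|||{port}|)"
    pinhole = {"mode": "passive", "src_port": None, "dst": str(nat), "dst_port": port}
    return new_line, pinhole
```

In Scenario 2, the client's "PORT 192,168,2,2,227,149" becomes "EPRT |2|2001::10|58261|" on the IPv6 side, which is exactly the [2001::2]:20 -> [2001::10]:58261 FTP-DATA flow shown above; in Scenario 3 the server's passive reply announcing port 56075 reaches the client as an EPSV-style 229 reply.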


Realizing SIP Communication in IPv6-only or IPv4/IPv6 Hybrid Networks Using ALG

This example introduces how to configure ALG to provide SIP communication in IPv6-only or IPv4/IPv6 hybrid networks, covering the following three scenarios:

o Scenario 1: IPv6-only network. In the topology below, an enterprise deploys a Hillstone security device as the egress gateway connecting the internal network to the Internet. Both the internal and the external network use IPv6 addresses. With the ALG function configured, the internal SIP UC1 and the external SIP UC3 can establish communication with each other.

o Scenario 2: IPv4 network to IPv6 network. In the topology below, an enterprise deploys a Hillstone security device as the egress gateway connecting the internal network to the Internet. The internal network uses IPv4 addresses and the external network uses IPv6 addresses. With the ALG function configured, the internal SIP UC1 and the external SIP UC3 can establish communication with each other.

o Scenario 3: IPv6 network to IPv4 network. In the topology below, an enterprise deploys a Hillstone security device as the egress gateway connecting the internal network to the Internet. The internal network uses IPv6 addresses and the external network uses IPv4 addresses. With the ALG function configured, the internal SIP UC1 and the external SIP UC3 can establish communication with each other.

Before You Start

Before starting the configuration, you need to ensure that the configuration of the SIP Server and the SIP user agent (SIP UC) has been
completed. This example only describes the relevant configuration on the device.

Configuration Steps of Scenario 1

Step 1: Configure the interface and zone.


hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ipv6 enable

hostname(config-if-eth0/1)# ipv6 address 2001::1/64

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone untrust

hostname(config-if-eth0/2)# ipv6 enable

hostname(config-if-eth0/2)# ipv6 address 2003::1/64

hostname(config-if-eth0/2)# exit

Step 2: Configure the policy.

hostname(config)# rule id 1 from ipv6-any to ipv6-any service sip permit

Rule id 1 is created

hostname(config-policy)# rule id 1

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone untrust

hostname(config-policy-rule)# exit

Step 3: Enable the ALG function of SIP.

hostname(config)# alg sip

Note: The ALG function of SIP is enabled by default.

Step 4: Verify result.


View the media pinhole information. The total pinhole count is 5: 1 register pinhole and 4 media pinholes.

hostname# show pinhole

Total pinhole count in D-Plane: 5

[Pinhole0]========================================

Seq 10

App SIP MEDIA (id:875)

Flag: Enabled,

[Ingress info]---------------------------------------------------

Zone trust (id:2)

Flow0 (ifid 0) :::any -> 2003::2:5001

[Egress info]----------------------------------------------------

Zone untrust (id:3)

Flow1 (ifid 0) 2003::2:5001 -> :::any

[Life info]------------------------------------------------------

After_hit 600

Before_hit 120

Timer 217

[Other info]-----------------------------------------------------

Auth_user_id 0

Configuration Steps of Scenario 2

Step 1: Configure the interface and zone.


hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ip address 192.168.1.1/24

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone untrust

hostname(config-if-eth0/2)# ipv6 enable

hostname(config-if-eth0/2)# ipv6 address 2003::1/64

hostname(config-if-eth0/2)# exit

Step 2: Configure the policy.

hostname(config)# rule id 1 from any to any service sip permit

Rule id 1 is created

hostname(config-policy)# rule id 1

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone untrust

hostname(config-policy-rule)# exit

Step 3: Configure the NAT rule.


hostname(config)# nat

hostname(config-nat)# snatrule id 1 from any to 192.168.1.10 service any trans-to 2003::10 mode dynamicport

rule ID=1

hostname(config-nat)# dnatrule id 1 from any to 192.168.1.10 service any trans-to ip 2003::3

rule ID=1

hostname(config-nat)# exit

Step 4: Enable the ALG function of SIP.

hostname(config)# alg sip

Note: The ALG function of SIP is enabled by default.

Step 5: Verify result.


View the media pinhole information. The total pinhole count is 5: 1 register pinhole and 4 media pinholes.

hostname# show pinhole

Total pinhole count in D-Plane: 5

[Pinhole1]========================================

Seq 15

App SIP MEDIA (id:875)

Flag: Enabled,

[Ingress info]---------------------------------------------------

Zone untrust (id:3)

Flow0 (ifid 0) :::any -> 2003::10:1025

[Egress info]----------------------------------------------------

Zone trust (id:2)

Flow1 (ifid 31) 192.168.1.2:5002 -> 192.168.1.10:any

[Life info]------------------------------------------------------

After_hit 600

Before_hit 120

Timer 38

[Other info]-----------------------------------------------------

Auth_user_id 0

Configuration Steps of Scenario 3

Step 1: Configure the interface and zone.


hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ipv6 enable

hostname(config-if-eth0/1)# ipv6 address 2002::1/64

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone untrust

hostname(config-if-eth0/2)# ip address 192.168.2.1/24

hostname(config-if-eth0/2)# exit

Step 2: Configure the policy.

hostname(config)# rule id 1 from ipv6-any to ipv6-any service sip permit

Rule id 1 is created

hostname(config-policy)# rule id 1

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone untrust

hostname(config-policy-rule)# exit

Step 3: Configure the NAT rule.


hostname(config)# nat

hostname(config-nat)# snatrule id 1 from ipv6-any to 2001::10 service any trans-to 192.168.2.10 mode dynamicport

rule ID=1

hostname(config-nat)# dnatrule id 1 from ipv6-any to 2001::10 service any trans-to ip 192.168.2.3

rule ID=1

hostname(config-nat)# exit

Step 4: Enable the ALG function of SIP.

hostname(config)# alg sip

Note: The ALG function of SIP is enabled by default.

Step 5: Verify result.


View the media pinhole information. The total pinhole count is 5: 1 register pinhole and 4 media pinholes.

SG-6000# show pinhole

Total pinhole count in D-Plane: 5

[Pinhole1]========================================

Seq 36

App SIP MEDIA (id:875)

Flag: Enabled,

[Ingress info]---------------------------------------------------

Zone trust (id:2)

Flow0 (ifid 0) 0.0.0.0:any -> 192.168.2.10:5002

[Egress info]----------------------------------------------------

Zone trust (id:2)

Flow1 (ifid 31) 2001::2:5002 -> 2001::10:any

[Life info]------------------------------------------------------

After_hit 600

Before_hit 120

Timer 107

[Other info]-----------------------------------------------------

Auth_user_id 0
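The media pinholes listed by show pinhole in the three scenarios are opened from the SDP body that SIP carries: the ALG rewrites the c= and o= addresses to the translated address family and opens pinholes for the announced media port and its RTCP pair. The following Python script is an added example of that step and is not StoneOS code. It runs on a constructed INVITE from UC1, rewrites the SDP, returns the pinholes with the Before_hit/After_hit lifetimes shown in the output above, and recomputes Content-Length, which changes whenever an IPv4 literal is swapped for an IPv6 one and is an easy thing for a hand-written ALG to get wrong. It does not model the Via/Contact header rewrite or the dynamicport mapping visible in the Scenario 2 output (port 5002 appearing as 1025); the field and function names are the example's own.

```python
import ipaddress
import re

# Pinhole lifetimes as shown by "show pinhole" in the recipe output (seconds).
BEFORE_HIT = 120   # an unused pinhole is removed after 120 s
AFTER_HIT = 600    # once media has flowed, the idle timeout is 600 s

# Constructed sample: the INVITE the internal IPv4 agent UC1 (192.168.1.2) sends toward the
# external IPv6 agent UC3, announcing its RTP port 5002 in the SDP body.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=uc1 2890844526 2890844526 IN IP4 192.168.1.2\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.2\r\n"
    "t=0 0\r\n"
    "m=audio 5002 RTP/AVP 0\r\n"
)
SAMPLE_INVITE = (
    "INVITE sip:uc3@[2003::3] SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.2:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:uc1@192.168.1.2>;tag=1928301774\r\n"
    "To: <sip:uc3@[2003::3]>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.2\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:uc1@192.168.1.2:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SAMPLE_SDP)}\r\n"
    "\r\n" + SAMPLE_SDP
)


def rewrite_sdp(sdp: str, translated_addr: str):
    """Rewrite the SDP origin/connection addresses to the NAT address and list the media
    pinholes (RTP port and RTCP port + 1) the ALG must open toward that address."""
    addr = ipaddress.ip_address(translated_addr)
    family = "IP6" if addr.version == 6 else "IP4"
    out, pinholes = [], []
    for line in sdp.split("\r\n"):
        if line.startswith("c=IN "):
            line = f"c=IN {family} {addr}"
        elif line.startswith("o="):
            f = line.split(" ")
            if len(f) == 6 and f[3] == "IN":
                f[4], f[5] = family, str(addr)
                line = " ".join(f)
        else:
            m = re.match(r"m=(\w+) (\d+)(?:/\d+)? (\S+)", line)
            if m:
                port = int(m.group(2))
                for p in (port, port + 1):          # RTP, then RTCP (RFC 3550 default pairing)
                    pinholes.append({"media": m.group(1), "proto": "udp", "addr": str(addr),
                                     "port": p, "before_hit": BEFORE_HIT, "after_hit": AFTER_HIT})
        out.append(line)
    return "\r\n".join(out), pinholes


def alg_rewrite_invite(message: str, translated_addr: str):
    """Apply the SDP rewrite to a SIP message and fix Content-Length to the new body size."""
    head, sep, body = message.partition("\r\n\r\n")
    new_body, pinholes = rewrite_sdp(body, translated_addr)
    headers = []
    for h in head.split("\r\n"):
        if h.lower().startswith("content-length:"):
            h = f"Content-Length: {len(new_body.encode())}"
        headers.append(h)
    return "\r\n".join(headers) + sep + new_body, pinholes
```

Run on the sample with the Scenario 2 translated address 2003::10, the c= line becomes "c=IN IP6 2003::10" and two pinholes toward 2003::10 are produced for ports 5002 and 5003, the first of which corresponds to the media pinhole shown for Scenario 2.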


Realizing Dual-stack Host in IPv4 Network Accessing IPv6 Network Via ISATAP Tunnel

This example introduces how to configure an ISATAP tunnel so that a dual-stack host in an IPv4 network can access an IPv6 network.

In the topology below, the PC supports both protocol stacks. The Hillstone device is connected to the IPv6 network and to the IPv4 network. The ISATAP tunnel is configured so that the dual-stack PC in the IPv4 network can access the server in the intranet IPv6 network.

Configuration Steps

Step 1: Configure the interface and zone.

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone untrust

hostname(config-if-eth0/1)# ip address 10.1.2.1/24

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone trust

hostname(config-if-eth0/2)# ipv6 enable

hostname(config-if-eth0/2)# ipv6 address 3001::1/24

hostname(config-if-eth0/2)# exit

Step 2: Configure the ISATAP tunnel and bind an interface


hostname(config)# tunnel ip6in4 tunnel isatap

hostname(config-ip6in4-isatap)# interface ethernet0/1

hostname(config-ip6in4-isatap)# exit

hostname(config)#

Step 3: Configure the tunnel interface and bind it to the ISATAP tunnel.

hostname(config)# interface tunnel1

hostname(config-if-tun1)# ipv6 enable

hostname(config-if-tun1)# ipv6 address 2001::/64 eui-64

hostname(config-if-tun1)# ipv6 address fe80::5efe:10.1.2.1 link-local

hostname(config-if-tun1)# tunnel ip6in4 tunnel

hostname(config-if-tun1)# no ipv6 nd ra suppress

hostname(config-if-tun1)# exit

hostname(config)#

Step 4: Configure the policy.


hostname(config)# policy-global

hostname(config-policy)# rule id 1

Rule id 1 is created

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone untrust

hostname(config-policy-rule)# src-addr ipv6-any

hostname(config-policy-rule)# dst-addr ipv6-any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config)#

Step 5: Configure routing on the PC (a Windows 7 PC is used as an example).

C:\>netsh interface ipv6 isatap set router 10.1.2.1

C:\>netsh interface ipv6 isatap set router 10.1.2.1 enabled

Step 6: Verify the result.

The dual-stack host (10.1.2.2) can access the IPv6 Server (3001::8) through FTP successfully.
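The addresses used in Steps 3 and 5 are not arbitrary: ISATAP (RFC 5214) builds the IPv6 interface identifier from the IPv4 address, which is why the tunnel interface's link-local address is fe80::5efe:10.1.2.1 and why the device can map an ISATAP destination back to an IPv4 tunnel endpoint. The following Python script is an added example, not part of the cookbook or of StoneOS, that reproduces this derivation for the addresses above; the private-range table and all function names are the example's own assumptions.

```python
"""ISATAP address construction and parsing (RFC 5214).

Added example; not part of the StoneOS Cookbook or of StoneOS itself.
The private-range table and all function names are the example's own.
"""
import ipaddress
from typing import Optional

# 24-bit IANA OUI 00-00-5E followed by the type octet 0xFE: the fixed upper
# 32 bits of every ISATAP interface identifier (u/l bit aside).
ISATAP_OUI = 0x00005EFE
UL_BIT = 0x02000000  # u/l bit of the first IID octet, set for global IPv4

# Assumed private ranges; RFC 5214 leaves the u/l bit clear for these,
# which is why 10.1.2.1 yields ...:5efe:... rather than ...:200:5efe:...
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def isatap_iid(ipv4: str) -> int:
    """64-bit ISATAP interface identifier for an IPv4 address."""
    v4 = ipaddress.IPv4Address(ipv4)
    ul = 0 if any(v4 in n for n in PRIVATE) else UL_BIT
    return ((ul | ISATAP_OUI) << 32) | int(v4)


def isatap_address(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the ISATAP IID of the given IPv4 address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("an ISATAP prefix must be a /64")
    return ipaddress.IPv6Address(int(net.network_address) | isatap_iid(ipv4))


def link_local(ipv4: str) -> ipaddress.IPv6Address:
    """Link-local ISATAP address, e.g. fe80::5efe:10.1.2.1 for 10.1.2.1."""
    return isatap_address("fe80::/64", ipv4)


def tunnel_endpoint(ipv6: str) -> Optional[ipaddress.IPv4Address]:
    """IPv4 endpoint embedded in an ISATAP address, or None when the address
    is not ISATAP-formed (such traffic is forwarded natively, not tunnelled)."""
    iid = int(ipaddress.IPv6Address(ipv6)) & ((1 << 64) - 1)
    if ((iid >> 32) & ~UL_BIT) != ISATAP_OUI:  # accept either u/l bit value
        return None
    return ipaddress.IPv4Address(iid & 0xFFFFFFFF)


if __name__ == "__main__":
    # Values from the cookbook example: router 10.1.2.1, host 10.1.2.2,
    # advertised prefix 2001::/64, IPv6 server 3001::8.
    print("tunnel1 link-local  :", link_local("10.1.2.1"))
    print("host address        :", isatap_address("2001::/64", "10.1.2.2"))
    print("endpoint for host   :", tunnel_endpoint("2001::5efe:a01:202"))
    print("endpoint for server :", tunnel_endpoint("3001::8"))
```

Running it prints fe80::5efe:a01:201 for the tunnel interface, which is the same address the cookbook writes with the embedded IPv4 address in dotted form (fe80::5efe:10.1.2.1), and 2001::5efe:a01:202 for the host 10.1.2.2. The server address 3001::8 carries no ISATAP identifier, so tunnel_endpoint returns None: packets toward it leave the device natively on the IPv6 side rather than through the tunnel.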


Allowing Communication Between IPv6 networks by Configuring a 6RD Tunnel

This example shows you how to configure a 6RD (IPv6 Rapid Deployment on IPv4 Infrastructures) tunnel, which allows service providers to deploy IPv6 in a lightweight and secure manner over their existing IPv4 access network infrastructure.

* This example is used in a laboratory environment. Please configure the IP addresses of each interface according to the actual connections.

The figure above shows the network topology. This example includes the following two scenarios:

o Scenario 1: 6RD Domain - 6RD Domain. The headquarters deploys a Hillstone security device (Device) and branch A deploys a Hillstone security device (Device A). Device and Device A support both IPv4 and IPv6 and are CE devices. Both are connected to the IPv6 network on one end and to the IPv4 network on the other. Assume that the ISP provides an IPv6 prefix of 1001:AABB::/32. To allow hosts in two different 6RD domains to communicate, you need to configure a 6RD tunnel between Device and Device A.

o Scenario 2: 6RD Domain - IPv6 Network. The headquarters deploys a Hillstone security device (Device) and branch B deploys a Hillstone security device (Device B). Both Device and Device B are connected to the IPv6 network on one end and to the IPv4 network on the other. Device in headquarters is a 6RD CE device and connects to the 6RD domain, which is an IPv6 network. Device B in branch B is a 6RD BR device and connects to a regular IPv6 network outside the 6RD domain. To allow hosts in the 6RD domain and the IPv6 network to communicate, you need to configure a 6RD tunnel between Device and Device B.


Configuration Tips

For the 6RD Domain - 6RD Domain case in Scenario 1, the addresses of the devices and PCs (PC1, PC2) at the headquarters and branch A need to meet the following requirements:

o The IPv6 prefix of the interface ethernet0/1 on the headquarters device (Device) needs to be consistent with the 6RD delegated prefix calculated by the device. (In this example, the 6RD delegated prefix is 1001:AABB:A05::/48.)

o The IP address of PC1 and the interface ethernet0/1 of the headquarters device (Device) need to belong to the same IPv6 network segment. The IP address of PC2 and the interface ethernet0/1 of the branch A device (Device A) need to belong to the same IPv6 network segment.

o The headquarters device (Device) and branch A device (Device A) need to have the same IPv4 prefix for ethernet0/1, and this prefix length needs to be the same as the IPv4 prefix length configured on the 6RD tunnel (in this example, ipv4-mask-len 16).
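The first and third tips are consequences of how 6RD (RFC 5969) forms addresses: the delegated prefix is the 6RD prefix followed by the low-order 32 - ipv4-mask-len bits of the CE's IPv4 address, and the same bits let a CE recover the peer CE's IPv4 address from any destination inside the 6RD prefix, while destinations outside it can only be reached through the border relay. The Python script below is an added example, not StoneOS code, that computes these values for the laboratory addresses of both scenarios and checks an ethernet0/1 prefix against the delegated prefix; the class, the function names and the make_tunnel helper are the example's own.

```python
"""6RD delegated-prefix and IPv4 endpoint derivation (RFC 5969).

Added example; not StoneOS code. Class and function names are the
example's own; the addresses are the cookbook's laboratory values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SixRdTunnel:
    """The parameters entered under 'tunnel ip6in4 <name> 6rd'."""
    ipv6_prefix: ipaddress.IPv6Network      # ipv6-prefix
    ipv4_mask_len: int                      # ipv4-mask-len
    ce_ipv4: ipaddress.IPv4Address          # IPv4 address of the bound interface
    border_relay: Optional[ipaddress.IPv4Address] = None  # border-relay-address

    @property
    def embedded_bits(self) -> int:
        # Only the low-order 32 - IPv4MaskLen bits of an IPv4 address are
        # carried inside a 6RD IPv6 address; the rest is common to the domain.
        return 32 - self.ipv4_mask_len

    def delegated_prefix(self, ipv4: Optional[str] = None) -> ipaddress.IPv6Network:
        """6RD delegated prefix = 6RD prefix || embedded IPv4 bits."""
        v4 = self.ce_ipv4 if ipv4 is None else ipaddress.IPv4Address(ipv4)
        low = int(v4) & ((1 << self.embedded_bits) - 1)
        plen = self.ipv6_prefix.prefixlen + self.embedded_bits
        return ipaddress.IPv6Network(
            (int(self.ipv6_prefix.network_address) | (low << (128 - plen)), plen))

    def ipv4_endpoint(self, dst: str) -> Optional[ipaddress.IPv4Address]:
        """IPv4 address the CE encapsulates toward for an IPv6 destination."""
        addr = ipaddress.IPv6Address(dst)
        if addr in self.ipv6_prefix:
            # Scenario 1: the peer CE's IPv4 address is rebuilt from the
            # domain's common IPv4 prefix plus the bits embedded in dst.
            shift = 128 - self.ipv6_prefix.prefixlen - self.embedded_bits
            low = (int(addr) >> shift) & ((1 << self.embedded_bits) - 1)
            common = int(self.ce_ipv4) & (0xFFFFFFFF ^ ((1 << self.embedded_bits) - 1))
            return ipaddress.IPv4Address(common | low)
        # Scenario 2: anything outside the 6RD domain goes via the BR, which
        # is why border-relay-address must be configured for that case.
        return self.border_relay


def interface_prefix_consistent(tunnel: SixRdTunnel, iface_addr: str) -> bool:
    """Configuration Tip check: the ethernet0/1 prefix must equal the
    delegated prefix, otherwise hosts behind the CE are not reachable."""
    return ipaddress.IPv6Interface(iface_addr).network == tunnel.delegated_prefix()


def make_tunnel(prefix: str, mask_len: int, ce_ipv4: str,
                br: Optional[str] = None) -> SixRdTunnel:
    """Convenience constructor mirroring the cookbook's CLI lines."""
    return SixRdTunnel(ipaddress.IPv6Network(prefix), mask_len,
                       ipaddress.IPv4Address(ce_ipv4),
                       ipaddress.IPv4Address(br) if br else None)


if __name__ == "__main__":
    hq = make_tunnel("1001:AABB::/32", 16, "220.119.10.5")                    # Scenario 1 Device
    hq_s2 = make_tunnel("1001:AABB::/32", 16, "220.119.10.5", "220.119.10.8")  # Scenario 2 Device
    print("Device delegated prefix   :", hq.delegated_prefix())                # 1001:aabb:a05::/48
    print("Device A delegated prefix :", hq.delegated_prefix("220.119.10.9"))  # 1001:aabb:a09::/48
    print("endpoint for 1001:AABB:A09::1     :", hq.ipv4_endpoint("1001:AABB:A09::1"))
    print("endpoint for 2333:aabb::1 (no BR) :", hq.ipv4_endpoint("2333:aabb::1"))
    print("endpoint for 2333:aabb::1 (BR)    :", hq_s2.ipv4_endpoint("2333:aabb::1"))
    print("eth0/1 prefix consistent:", interface_prefix_consistent(hq, "1001:AABB:A05::1/48"))
```

The delegated prefixes it prints match the show ip6in4 6rd-tunnel output later in this example (A05 for 220.119.10.5, A09 for 220.119.10.9, A08 for 220.119.10.8). For a destination inside 1001:AABB::/32 the peer's IPv4 address is extracted from the packet itself, so no per-peer configuration is needed in Scenario 1; for 2333:aabb::1 the tunnel without a border-relay-address returns None, which is the Scenario 2 failure mode the configuration of Device avoids.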

Configuration Steps of Scenario 1

Configure Headquarters Device (Device)

Step 1: Configure the IPv4 address and zone of the interface ethernet0/0 of the headquarters device (Device).

hostname(config)# interface ethernet0/0

hostname(config-if-eth0/0)# zone untrust

hostname(config-if-eth0/0)# ip address 220.119.10.5/24

hostname(config-if-eth0/0)# exit

Step 2: Configure the 6RD tunnel.


hostname(config)# tunnel ip6in4 test 6rd

hostname(config-ip6in4-6rd)# interface ethernet0/0

hostname(config-ip6in4-6rd)# ipv6-prefix 1001:AABB::/32 (Specify the 6RD prefix)

hostname(config-ip6in4-6rd)# ipv4-mask-len 16 (Specify the IPv4 prefix length)

hostname(config-ip6in4-6rd)# subtunnel-limit 10 (Specify the maximum number of 6RD subtunnels)

hostname(config-ip6in4-6rd)# exit

Note: After you specify the 6RD prefix and IPv4 prefix length, the 6RD CE automatically calculates the 6RD delegated prefix. To view the 6RD delegated prefix, use the command show ip6in4 6rd-tunnel [tunnel-name].

Step 3: Configure the tunnel interface.

hostname(config)# interface tunnel1

hostname(config-if-tun1)# tunnel ip6in4 test

hostname(config-if-tun1)# zone untrust

hostname(config-if-tun1)# ipv6 enable

hostname(config-if-tun1)# exit

Step 4: View the 6RD tunnel configurations.


SG-6000(config)#show ip6in4 6rd-tunnel test

Name: test

Index: 11

Interface: ethernet0/0

IPv6-prefix: 1001:AABB::/32

IPv4-mask-length: 16

Border-relay-address: 0.0.0.0

Tunnel interface: tunnel1

IPv6-delegated-prefix: 1001:AABB:A05::/48 (The 6RD delegated prefix calculated by the device)

Sub-tunnel Limit: 10

Step 5: Configure the IPv6 address and zone of the interface ethernet0/1 of the headquarters device (Device).

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ipv6 enable

hostname(config-if-eth0/1)# ipv6 address 1001:AABB:A05::1/48 (Note: This prefix must be consistent with the 6RD delegated prefix calculated by the device)

hostname(config-if-eth0/1)# exit

Step 6: Configure a route for the tunnel.

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ipv6 route 1001:AABB::/32 tunnel1

hostname(config-vrouter)# exit

Step 7: Configure the policy.


hostname(config)# policy-global

hostname(config-policy)# rule id 1

Rule id 1 is created

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone untrust

hostname(config-policy-rule)# src-addr ipv6-any

hostname(config-policy-rule)# dst-addr ipv6-any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config)#

Step 8: Configure an address and default route for PC1.

Set the address of PC1 to 1001:AABB:A05::2/48 based on the 6RD delegated prefix. This address is in the same network segment as that of ethernet0/1 of Device.

Note: The method for configuring IPv6 addresses and the default route varies with the operating system of your PC.

Configure Device A

Step 1: Configure the IPv4 address and zone of the interface ethernet0/0 of Device A.

hostname(config)# interface ethernet0/0

hostname(config-if-eth0/0)# zone untrust

hostname(config-if-eth0/0)# ip address 220.119.10.9/24

hostname(config-if-eth0/0)# exit

Step 2: Configure the 6RD tunnel.


hostname(config)# tunnel ip6in4 test 6rd

hostname(config-ip6in4-6rd)# interface ethernet0/0

hostname(config-ip6in4-6rd)# ipv6-prefix 1001:AABB::/32 (Specify the 6RD prefix)

hostname(config-ip6in4-6rd)# ipv4-mask-len 16 (Specify the IPv4 prefix length)

hostname(config-ip6in4-6rd)# subtunnel-limit 10 (Specify the maximum number of 6RD subtunnels)

hostname(config-ip6in4-6rd)# exit

Note: After you specify the 6RD prefix and IPv4 prefix length, the 6RD CE automatically calculates the 6RD delegated prefix. To view the 6RD delegated prefix, use the command show ip6in4 6rd-tunnel [tunnel-name].

Step 3: Configure the tunnel interface.

hostname(config)# interface tunnel1

hostname(config-if-tun1)# tunnel ip6in4 test

hostname(config-if-tun1)# zone untrust

hostname(config-if-tun1)# ipv6 enable

hostname(config-if-tun1)# exit

Step 4: View the 6RD tunnel configurations.


SG-6000(config)#show ip6in4 6rd-tunnel test

Name: test

Index: 11

Interface: ethernet0/0

IPv6-prefix: 1001:AABB::/32

IPv4-mask-length: 16

Border-relay-address: 0.0.0.0

Tunnel interface: tunnel1

IPv6-delegated-prefix: 1001:AABB:A09::/48 (The 6RD delegated prefix calculated by the device)

Sub-tunnel Limit: 10

Step 5: Configure the IPv6 address and zone of the interface ethernet0/1 of Device A.

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ipv6 enable

hostname(config-if-eth0/1)# ipv6 address 1001:AABB:A09::1/48 (Note: This prefix must be consistent with the 6RD delegated prefix calculated by the device)

hostname(config-if-eth0/1)# exit

Step 6: Configure a route for the tunnel.

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ipv6 route 1001:AABB::/32 tunnel1

hostname(config-vrouter)# exit

Step 7: Configure the policy.


hostname(config)# policy-global

hostname(config-policy)# rule id 1

Rule id 1 is created

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone untrust

hostname(config-policy-rule)# src-addr ipv6-any

hostname(config-policy-rule)# dst-addr ipv6-any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config)#

Step 8: Configure an address and default route for PC2.

Set the address of PC2 to 1001:AABB:A05::2/48 based on the 6RD delegated prefix. This address is in the same network segment as that of ethernet0/1 of Device A.

Note: The method for configuring IPv6 addresses and the default route varies with the operating system of your PC.

Configuration Steps of Scenario 2

Configure Headquarters Device (Device)

Step 1: Configure the IPv4 address and zone of the interface ethernet0/0 of the headquarters device (Device).

hostname(config)# interface ethernet0/0

hostname(config-if-eth0/0)# zone untrust

hostname(config-if-eth0/0)# ip address 220.119.10.5/24

hostname(config-if-eth0/0)# exit

Step 2: Configure the 6RD tunnel.


hostname(config)# tunnel ip6in4 test 6rd

hostname(config-ip6in4-6rd)# interface ethernet0/0

hostname(config-ip6in4-6rd)# ipv6-prefix 1001:AABB::/32 (Specify the 6RD prefix)

hostname(config-ip6in4-6rd)# ipv4-mask-len 16 (Specify the IPv4 prefix length)

hostname(config-ip6in4-6rd)# subtunnel-limit 10 (Specify the maximum number of 6RD subtunnels)

hostname(config-ip6in4-6rd)# border-relay-address 220.119.10.8 (Specify the IPv4 address of the 6RD BR)

hostname(config-ip6in4-6rd)# exit

Note: After you specify the 6RD prefix and IPv4 prefix length, the 6RD CE automatically calculates the 6RD delegated prefix. To view the 6RD delegated prefix, use the command show ip6in4 6rd-tunnel [tunnel-name].

Step 3: Configure the tunnel interface.

hostname(config)# interface tunnel1

hostname(config-if-tun1)# tunnel ip6in4 test

hostname(config-if-tun1)# zone untrust

hostname(config-if-tun1)# ipv6 enable

hostname(config-if-tun1)# exit

Step 4: View the 6RD tunnel configurations.


SG-6000(config)#show ip6in4 6rd-tunnel test

Name: test

Index: 11

Interface: ethernet0/0

IPv6-prefix: 1001:AABB::/32

IPv4-mask-length: 16

Border-relay-address: 220.119.10.8

Tunnel interface: tunnel1

IPv6-delegated-prefix: 1001:AABB:A05::/48 (The 6RD delegated prefix calculated by the device)

Sub-tunnel Limit: 10

Step 5: Configure the IPv6 address and zone of the interface ethernet0/1 of the headquarters device (Device).

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ipv6 enable

hostname(config-if-eth0/1)# ipv6 address 1001:AABB:A05::1/48 (Note: This prefix must be consistent with the 6RD delegated prefix calculated by the device.)

hostname(config-if-eth0/1)# exit

Step 6: Configure a route for the tunnel.

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ipv6 route 2333:aabb::/32 tunnel1

hostname(config-vrouter)# exit

Step 7: Configure the policy.


hostname(config)# policy-global

hostname(config-policy)# rule id 1

Rule id 1 is created

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone untrust

hostname(config-policy-rule)# src-addr ipv6-any

hostname(config-policy-rule)# dst-addr ipv6-any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config)#

Step 8: Configure an address and default route for PC1.

Set the address of PC1 to 1001:AABB:A05::2/48 based on the 6RD delegated prefix. This address is in the same network segment as that of ethernet0/1 of Device.

Note: The method for configuring IPv6 addresses and the default route varies with the operating system of your PC.

Configure Device B

Step 1: Configure the IPv4 address and zone of the interface ethernet0/0 of Device B.

hostname(config)# interface ethernet0/0

hostname(config-if-eth0/0)# zone untrust

hostname(config-if-eth0/0)# ip address 220.119.10.8/24

hostname(config-if-eth0/0)# exit

Step 2: Configure the 6RD tunnel.


hostname(config)# tunnel ip6in4 test 6rd

hostname(config-ip6in4-6rd)# interface ethernet0/0

hostname(config-ip6in4-6rd)# ipv6-prefix 1001:AABB::/32 (Specify the 6RD prefix)

hostname(config-ip6in4-6rd)# ipv4-mask-len 16 (Specify the IPv4 prefix length)

hostname(config-ip6in4-6rd)# subtunnel-limit 10 (Specify the maximum number of 6RD subtunnels)

hostname(config-ip6in4-6rd)# exit

Note: After you specify the 6RD prefix and IPv4 prefix length, the 6RD CE automatically calculates the 6RD delegated prefix. To view the 6RD delegated prefix, use the command show ip6in4 6rd-tunnel [tunnel-name].

Step 3: Configure the tunnel interface.

hostname(config)# interface tunnel1

hostname(config-if-tun1)# tunnel ip6in4 test

hostname(config-if-tun1)# zone untrust

hostname(config-if-tun1)# ipv6 enable

hostname(config-if-tun1)# exit

Step 4: View the 6RD tunnel configurations.


SG-6000(config)#show ip6in4 6rd-tunnel test

Name: test

Index: 11

Interface: ethernet0/0

IPv6-prefix: 1001:AABB::/32

IPv4-mask-length: 16

Border-relay-address: 0.0.0.0

Tunnel interface: tunnel1

IPv6-delegated-prefix: 1001:AABB:A08::/48 (The 6RD delegated prefix calculated by the device)

Sub-tunnel Limit: 10

Step 5: Configure the IPv6 address and zone of the interface ethernet0/1 of Device B.

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ipv6 enable

hostname(config-if-eth0/1)# ipv6 address 2333:aabb::1/64

hostname(config-if-eth0/1)# exit

Step 6: Configure a route for the tunnel.

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ipv6 route 1001:AABB::/32 tunnel1

hostname(config-vrouter)# exit

Step 7: Configure the policy.


hostname(config)# policy-global

hostname(config-policy)# rule id 1

Rule id 1 is created

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone untrust

hostname(config-policy-rule)# src-addr ipv6-any

hostname(config-policy-rule)# dst-addr ipv6-any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config)#

Step 8: Configure an address and default route for PC3.

Set the address of PC3 to 2333:aabb::2/64. This address is in the same network segment as that of ethernet0/1 of Device B.

Note: The method for configuring IPv6 addresses and the default route varies with the operating system of your PC.

Result of Scenario 1

Step 1: Use the ping command on Device to check the tunnel established between headquarters and branch A and their connectivity.


SG-6000# ping ipv6 1001:AABB:A09::1

Sending ICMPv6 packets to 1001:AABB:A09::1

Seq hop time(ms)

1 64 0.109

2 64 0.131

3 64 0.115

4 64 0.128

5 64 0.110

statistics:

5 packets sent, 5 received, 0% packet loss, time 4000ms

rtt min/avg/max/mdev = 0.109/0.118/0.131/0.015 ms

Step 2: View the session information of the tunnel.

SG-6000# show session tunnel

session: id 3407871, proto 41, flag 20, flag1 0, flag2 0, flag3 0, created 272719, life 64000, policy type 0,
policy default, app 0(Other) flag 0x0, auth_user_id 0, reverse_auth_user_id 0

flow0(32(ethernet0/0)/200951): 220.119.10.9:0->220.119.10.5:0

flow1(18): tunnel session, tunnel_id: 4, valid

Result of Scenario 2

Step 1: Use the ping command on Device to check the tunnel established between headquarters and branch B and their connectivity.


SG-6000# ping ipv6 2333:aabb::1

Sending ICMPv6 packets to 2333:aabb::1

Seq hop time(ms)

1 64 0.115

2 64 0.120

3 64 0.113

4 64 0.112

5 64 0.126

statistics:

5 packets sent, 5 received, 0% packet loss, time 3996ms

rtt min/avg/max/mdev = 0.112/0.117/0.126/0.008 ms

Step 2: View the session information of the tunnel.

SG-6000# show session tunnel

session: id 3407871, proto 41, flag 20, flag1 0, flag2 0, flag3 0, created 272719, life 64000, policy type 0,
policy default, app 0(Other) flag 0x0, auth_user_id 0, reverse_auth_user_id 0

flow0(32(ethernet0/0)/200951): 220.119.10.8:0->220.119.10.5:0

flow1(18): tunnel session, tunnel_id: 4, valid


Change Log

Cookbook V1

Release Date: January, 2015

Added the following cases:

1. "Using Security Policy to Allow Access to Another Zone" on Page 15 (Security Policy)

2. "Allowing Internet to Visit a Private Server Using DNAT" on Page 21 (DNAT)

3. "Allowing Private Network to Access Internet Using SNAT" on Page 26 (SNAT)

4. "Allowing the Internet Access via User Authentication" on Page 99 (User Authentication, WebAuth)

5. "Connection between Two Private Networks Using IPSec VPN (IKEv1)" on Page 147 (IPSec VPN)

6. "Allowing Remote Users to Access a Private Network Using SSL VPN" on Page 199 (SSL VPN, SCVPN)

7. "Ensuring Uninterrupted Connection Using HA" on Page 347 (High Availability, HA)

8. "QoS Control" on Page 369 (Quality of Service, QoS, Traffic Management)

Cookbook V2

Release Date: April, 2015

Added the following cases:

1. "Protecting Internal Servers and Host to Defend Attack via Abnormal Behavior Detection" on Page 390 (Abnormal Behavior Detection, ABD)

2. Finding Malware Attacks via Advanced Threat Detection (Advanced Threat Detection, ATD)

Cookbook V3

Release Date: July, 2015

Added the following cases:

1. "Decrypting HTTPS Traffic and Identifying the Encrypted Application" on Page 452 (SSL Proxy, Decryption, Encryption)

2. "Using an iOS/Android Device to Remotely Access Intranet Services" on Page 223 (iOS, Android, Mobile, iPad, remote device, SSL VPN)

3. "Forensic Analysis" on Page 406

4. "Deploying Tap Mode to Monitor Network Traffic" on Page 48 (Tap Mode)

Cookbook V4

Release Date: September, 2015

Added the following cases:

1. "Upgrading Firmware to Higher Version" on Page 5 (Upgrade)

2. "Allowing Remote Users (PC) to Access a Private Network Using L2TP over IPSec VPN" on Page 230 (L2TP VPN)

3. "Connection between Two Private Networks Using GRE over IPSec VPN" on Page 277 (GRE, IPSec VPN)

Cookbook V5

Release Date: January, 2017

Added the following cases:

1. "Protecting Intranet to Defend Attacks via Intrusion Prevention System" on Page 398 (IPS)

2. "Outbound Link Load Balance" on Page 376 (LLB)

Optimized the following cases:

1. "Protecting Internal Servers and Host to Defend Attack via Abnormal Behavior Detection" on Page 390 (ABD)

2. Finding Malware Attacks via Advanced Threat Detection (ATD)

Cookbook V6

Release Date: October, 2017

Added the following cases:

1. "Allowing Remote Users (iOS/Android) to Access a Private Network Using L2TP over IPSec VPN" on Page 249 (L2TP VPN)

Cookbook V7

Release Date: August, 2018

Added the following cases:

1. "Using AD Polling for SSO" on Page 107 (Authentication)

2. "Allowing Internet Access via AD Polling" on Page 116 (Authentication)

3. "Allowing Internet Access via AD Agent" on Page 127 (Authentication)

4. "Connecting IPv6 and IPv4 Networks" on Page 463

5. "URL Filtering for HTTPS Traffic without the CA Certificate" on Page 456

Cookbook V8

Release Date: June, 2019

Added the following cases:

1. "Connection between Two Private Networks Using IPSec VPN (IKEv2)" on Page 160 (IPSec VPN)

2. "Upgrading Firmware to Higher Version in HA mode" on Page 9 (Upgrade)

3. "Configuring the Device to Communicate with Zabbix Using SNMP" on Page 31 (SNMP)

Cookbook V8.1

Release Date: November, 2019

Added the following cases:

1. "Connecting to Microsoft Azure Using Site-to-Site VPN" on Page 212 (IPSec VPN)

Cookbook V9

Release Date: October, 2020

Added the following cases:

1. "DNS Proxy" on Page 57 (DNS Proxy)

2. "Dynamically Manage Access Authority Via Radius Dynamic Authorization" on Page 38 (Authorization)

3. "Realizing Multicast Forwarding Through PIM-SM Multicast Protocol" on Page 75 (Routing, PIM)

4. "Realizing Multicast Forwarding Through PIM-SSM Multicast Protocol" on Page 84 (Routing, PIM)

5. Ensuring Uninterrupted Connection Using HA AA (HA)

6. "Allowing Internet Access via TS Agent" on Page 138 (Authentication)

7. "Configuring VXLAN Static Unicast Tunnel" on Page 293 (VPN)

8. "Realizing FTP Service in IPv6-only or IPv4/IPv6 Hybrid Networks Using ALG" on Page 474 (IPv6)

9. "Realizing SIP Communication in IPv6-only or IPv4/IPv6 Hybrid Networks Using ALG" on Page 483 (IPv6)

10. "Realizing Dual-stack Host in IPv4 Network Accessing IPv6 Network Via ISATAP Tunnel" on Page 494 (IPv6)

Cookbook V10

Release Date: December, 2021

Added the following cases:

1. "Deploying HA Scenario for Multicast Forwarding Through PIM-SM" on Page 91 (Routing, PIM)

2. "Adding an SNAT Rule to StoneOS through NETCONF" on Page 63 (NETCONF)

3. "Allowing Remote Users (PC) to Access a Private Network Using L2TP and SSL VPN" on Page 264 (SSL VPN, L2TP VPN)

4. "Threat Intelligence Via Hillstone Cloud Service Platform" on Page 413 (Hillstone Cloud Service Platform)

Optimized the following cases:

1. "Allowing Remote Users to Access a Private Network Using SSL VPN" on Page 199 (Added the scenario of using the Two-Step Verification function and communicating through TCP.)

Cookbook V11

Release Date: January, 2023

Added the following cases:

1. "Binding the Log Processing Process and Database Storage Process to Core MAX" on Page 68 (Core MAX)

2. "Making Two Firewalls Working in Hot Standby Mode by Deploying them in HA Peer to Ensure the Continuity of Service" on Page 355 (HA)

3. "Using Two Devices as Gateways to Forward Business Traffic and Back Up Each Other Based on HSVRP, which Ensures Uninterrupted Business Traffic" on Page 360 (HA)

4. "Establishment of IPSec VPN Based on Certificate Authentication" on Page 173 (IPSec VPN)

5. "Realizing Dynamic Switch between IPSec Links Using IPSec VPN Smart Link" on Page 186 (IPSec VPN)

6. "Allowing Communication Between IPv6 networks by Configuring a 6RD Tunnel" on Page 497 (IPv6)

7. "Windows User Remotely Accessing Internal Server Through ZTNA" on Page 314 (ZTNA)

8. "Android User Remotely Accessing Internal Server Through ZTNA" on Page 335 (ZTNA)

Optimized the following cases:

1. "Ensuring Uninterrupted Connection Using HA" on Page 347 (HA)

Cookbook V12

Release Date: May, 2024

Added the following cases:

1. "DHCP ZTP" on Page 71 (DHCP zero touch provisioning (ZTP) process)

2. "Windows User Accessing Internal Server by Using Internal Network Access via ZTNA" on Page 298 (ZTNA)

3. "Outbound Link Load Balance with Customizable SLA Metrics" on Page 381 (SLA, Quality of Service)

4. "Identifying IoT Assets to Enable Security Control of IoT by Using Built-in Docker" on Page 416 (IoT, Threat Prevention)

5. "Identifying IoT Assets to Enable Security Control by Deploying the Asset Identifying System on the VM" on Page 431 (IoT, Threat Prevention)

Optimized the following cases:

1. "Allowing Remote Users to Access a Private Network Using SSL VPN" on Page 199 (SSL VPN)

2. "Windows User Remotely Accessing Internal Server Through ZTNA" on Page 314 (ZTNA)

3. "Android User Remotely Accessing Internal Server Through ZTNA" on Page 335 (ZTNA)

4. "Connection between Two Private Networks Using IPSec VPN (IKEv2)" on Page 160

This book is updated as required, not on a fixed schedule.

The current version is based on StoneOS 5.5R11.
