
Hillstone Networks

vWAF WebUI User Guide


Version 3.5

TechDocs | docs.hillstonenet.com
Copyright 2024 Hillstone Networks. All rights reserved.
Information in this document is subject to change without notice. The software
described in this document is furnished under a license agreement or nondisclosure
agreement. The software may be used or copied only in accordance with the terms of
those agreements. No part of this publication may be reproduced, stored in a retrieval
system, or transmitted in any form or any means electronic or mechanical, including
photocopying and recording for any purpose other than the purchaser's personal use
without the written permission of Hillstone Networks.

Contact Information:
US Headquarters:
Hillstone Networks
5201 Great America Pkwy, #420
Santa Clara, CA 95054
Phone: 1-408-508-6750
https://www.hillstonenet.com/about-us/contact/

About this Guide:


This guide gives comprehensive configuration instructions for Hillstone Networks WAF.
For more information, refer to the documentation site: https://docs.hillstonenet.com
To provide feedback on the documentation, please write to us at: TechDoc-
[email protected]
Hillstone Networks
TWNO: TW-WUG-WAF-3.5-EN-V1.0-2024-07-23
Contents

Contents 1

Getting Started Guide 21

Initial Visit to Web Interface 22

WAF Setup Wizard 24

Configuring the Deployment Mode/ Interface 24

Configuring Virtual Wire 26

Configuring the Default Site 27

Configuring DNS 28

Configuring System Time 28

Preparing the WAF System 30

Installing Licenses 30

Creating a System Administrator 30

Adding Trust Hosts 32

Upgrading Firmware 32

Updating Signature Database 34

Restoring Factory Settings 36

Deployment Mode 37

Deploying Web Application Firewall (WAF) in Transparent Proxy Mode 40

Network Topology 40

TOC - 1
Before You Begin 40

Deploy WAF in the Transparent Proxy Mode 41

Q&A 49

Deploying Web Application Firewall (WAF) in Traction Mode 50

Network Topology 50

Before You Begin 51

Deploy WAF in Traction Mode 51

Q&A 61

Deploying Web Application Firewall (WAF) in Reverse Proxy Mode 63

Network Topology 63

Before You Begin 63

Deploy WAF in the Reverse Proxy Mode 64

Q&A 73

Deploying Web Application Firewall (WAF) in One-arm Reverse Proxy Mode 75

Network Topology 75

Before You Begin 76

Deploy WAF in One-arm Proxy Mode 76

Q&A 84

Deploying Web Application Firewall (WAF) in Tap Mode 86

Network Topology 86

Before You Begin 87

Deploy WAF in Tap Mode 87

Q&A 95

Transparent Tap Mode 96

Network Topology 96

Before You Begin 96

Deploy WAF in the Transparent Tap Mode 97

Q&A 106

Appendix 107

Format Requirements and Conversion Methods of SSL/TLS Certificates and Keys 107

Format Requirements 107

Conversion Methods of SSL/TLS Keys 107

Conversion Methods of SSL/TLS Certificates 112

1. Linux 114

2. Windows 115

Dashboard 125

Attack Severity 125

TOP10 Sites Attack Statistics 125

Attacker 126

Threat Event Type 127

Defacement Alert 127

System Overview 127

Sites 130

Web Site 131

Searching for a Site 132

Site Configurations 132

Viewing the Auto-learning Profile 132

External Link Rewriting 133

Rule Exception 133

Weak Password 133

Batch Operation 133

Configuring a Site 134

Certificate Chain Check 145

Configuring More Protections 150

Configuring the Acceleration 150

Static Resource Cache 151

Connection Reuse 152

Compression 153

Configuring the Anti-defacement 154

Enabling the Server Health Check 159

Custom Error Page 160

Configuring Load Balancing 161

Configuring the Auto-learning 163

Configuring the Auto-learning 163

Viewing the Auto-learning Profile 165

Auto-learning Profile URL Statistics 167

URL Details 169

Cookie Details 171

External Link Rewriting 172

Configuring External Link Rewriting 172

Configuring a Weak Password 177

Configuring Weak Password Detection 177

Batch Operation 182

Site Self Discovery 186

Configuring the Site Self Discovery 186

Policy 194

Policy Type 194

Rule Management 195

Updating Rule Database 197

Black List 197

White List 198

Network Protect Action 198

Rule Exception 198

IP Protection Policy 199

Creating an IP Protection Policy 200

IP Search 204

Access Control Policy 206

Creating an Access Control Policy 206

API Protection Policy 214

Creating an API Protection Policy 214

Importing an OpenAPI File 221

Virtual Patch Policy 222

Creating a Virtual Patch Policy 222

Editing a Virtual Patch Policy 224

Security Policy 225

Creating a Security Policy 226

Auto-learning Policy 269

Creating an Auto-learning Policy 269

User Tracking Policy 272

Creating a User Session Tracking Policy 272

Content Rewrite Policy 275

Creating a Content Rewrite Policy 275

Variables Supported by the System 282

Rule Management 287

Predefined Rule 287

Rule Search 288

User-defined Rule 288

Network Protect Action 292

Configuring Network Protect Action 292

Black List 299

Client IP Blacklist 300

Importing Client IP Blacklist 302

Exporting Blacklist 303

Viewing Blacklist 303

Deleting Blacklist 304

URL Blacklist 304

White List 307

Client IP Whitelist 307

IP Search 309

Domain/URL Whitelist 309

Domain/URL Search 311

Configuring a Rule Exception 312

Threat Prevention 319

Attack-Defense 320

ICMP Flood and UDP Flood 320

ARP Spoofing 320

SYN Flood 320

WinNuke Attack 321

IP Address Spoofing 321

IP Address Sweep and Port Scan 321

Ping of Death Attack 321

Teardrop Attack 322

Smurf Attack 322

Fraggle Attack 322

Land Attack 322

IP Fragment Attack 322

IP Option Attack 323

Huge ICMP Packet Attack 323

TCP Flag Attack 323

DNS Query Flood Attack 323

TCP Split Handshake Attack 323

Configuring Attack Defense 324

Monitor 341

Sites Monitor 342

Viewing the Threat Overview 342

Threat Event Level 342

Threat Event Type 343

Source 344

Viewing the Performance Overview 345

Viewing the Account Security Overview 346

Login Behavior Statistics 347

Risk User Statistics 347

TOP 10 Risk Client 348

Reports 349

Report File 350

Report Template 351

Creating a User-defined Template 352

Editing a User-defined Template 357

Deleting a User-defined Template 358

Cloning a Report Template 358

Report Task 359

Creating a Report Task 359

Editing the Report Task 363

Deleting the Report Task 364

Enabling/Disabling the Report Task 364

Logging 365

Log Severity 366

Destination of Exported Logs 367

Log Format 367

Block Event Analysis 368

Event Logs 370

Network Logs 371

Configuration Logs 372

Session Logs 372

NAT Logs 374

Web Access Logs 375

Network Security Log 376

IP Protection Logs 377

Access Control Log 378

API Protection Logs 379

Web Event Logs 380

Web Security Log 381

Log 381

Intelligent Log Analysis 388

Log Analysis Report 389

Auto-learning Profile Violation Log 392

Anti-defacement Log 393

Log Management 394

Configuring Logs 394

Option Descriptions of Various Log Types 394

Log Configuration 407

Creating a Log Server 407

Adding Email Address to Receive Logs 409

Specifying a Unix Server 409

Object 411

Address Book 412

Creating an Address Book 412

Viewing Details 414

Service Book 416

Predefined Service/Service Group 416

Custom Service 416

Custom Service Group 416

Configuring a Service Book 418

Configuring a User-defined Service 418

Configuring a User-defined Service Group 420

Viewing Details 421

Track Object 422

Creating a Track Object 422

Schedule 427

Periodic Schedule 427

Absolute Schedule 427

Creating a Schedule 427

Network 431

Zone 433

Configuring a Security Zone 433

Interface 435

Configuring an Interface 437

Creating a Virtual Forward Interface 437

Creating a Loopback Interface 446

Creating an Aggregate Interface 451

Creating an Ethernet Sub-interface/ Aggregate Sub-interface 461

Creating a VSwitch Interface 465

Editing an Interface 470

Interface Group 479

Creating an Interface Group 479

Security Policy 480

Configuring a Security Policy Rule 481

Managing Security Policy Rules 495

Enabling/Disabling a Policy Rule 495

Cloning a Policy Rule 495

Adjusting Security Policy Rule Priority 495

Configuring Default Action 496

Schedule Validity Check 497

Showing Disabled Policies 497

Importing Policy Rule 498

Exporting Policy Rule 499

Searching Policy Rule 501

Configuring an Aggregate Policy 504

Creating an Aggregate Policy 504

Adding an Aggregate Policy Member 505

Removing an Aggregate Policy Member 506

Deleting an Aggregate Policy 506

Adjusting Priority of an Aggregate Policy 507

Enabling/Disabling an Aggregate Policy 508

Configuring a Policy Group 509

Creating a Policy Group 509

Deleting a Policy Group 510

Enabling/Disabling a Policy Group 510

Adding/Deleting a Policy Rule Member 510

Editing a Policy Group 511

Showing Disabled Policy Group 511

Viewing and Searching Security Policy Rules/Policy Groups 512

Viewing the Policy/Policy Group 512

Searching Security Policy Rules/Policy Groups 513

Policy Optimization 514

Policy Hit Analysis 515

Rule Redundancy Check 517

Configuring the Policy Assistant 518

Enabling the Policy Assistant 518

Displaying Traffic 519

Replacing Policy 521

Application Scenario Example 521

Configuring Replacement Conditions 521

Aggregating Policy 522

Generating Address book 523

Generating Service Book 524

Generating Policy 525

LLDP 528

LLDP Work Mode 528

LLDP Configuration 529

Enabling LLDP 529

Modifying LLDP Configuration 531

Viewing MIB Topology 534

DNS 536

Configuring a DNS Server 536

Configuring an Analysis 536

Virtual Wire 538

Configuring a Virtual-Wire 539

Configuring the Virtual Wire Mode 539

Virtual Router 541

Creating a Virtual Router 542

Global Configuration 542

Configuring Multiple Virtual Routers 542

Example : Multiple VRouter Mode 543

Virtual Switch 545

Creating a VSwitch 545

Routing 549

Creating a Destination Route 549

Global Network Parameters 552

Configuring Global Network Parameters 552

NAT 555

Basic Translation Process of NAT 555

Implementing NAT 556

Configuring SNAT 557

Enabling/Disabling a SNAT Rule 563

Copying/Pasting a SNAT Rule 563

Adjusting Priority 564

Hit Count 565

Clearing NAT Hit Count 565

Hit Count Check 565

Configuring DNAT 566

Configuring an IP Mapping Rule 566

Configuring a Port Mapping Rule 568

Configuring an Advanced NAT Rule 571

Enabling/Disabling a DNAT Rule 577

Copying/Pasting a DNAT Rule 577

Adjusting Priority 578

Hit Count 578

Clearing NAT Hit Count 579

Hit Count Check 579

High Availability 580

Basic Concepts 581

HA Cluster 581

HA Group 581

HA Node 581

Virtual Forward Interface and MAC 581

HA Selection 582

HA Synchronization 582

Configuring HA 583

System Management 592

System Information 593

Viewing System Information 593

WAF Global Configuration 595

Global Parameter Configuration 595

Custom Error Page Management 606

AAA Server 607

Configuring Radius Server 607

Configuring TACACS+ Server 609

Connectivity Test 611

Device Management 613

Administrators 613

Creating an Administrator Account 613

Configuring Login Options for the Default Administrator 615

Trusted Host 616

Creating a Trusted Host 616

Management Interface 618

System Time 621

Configuring the System Time Manually 621

Configuring NTP 622

NTP Key 624

Creating a NTP Key 624

Settings & Options 625

Rebooting the System 627

System Debug Information 628

Storage Management 628

Configuration File Management 630

Managing Configuration File 630

SNMP 634

SNMP Agent 634

SNMP Host 636

Trap Host 638

V3 User Group 639

V3 User 642

Upgrading System 645

Upgrading Firmware 645

Updating Signature Database 646

Updating Information Database 648

WAF History Data Upgrade 649

License 650

Applying for a License 652

Installing a License 653

Verifying a License 654

Mail Server 658

Creating a Mail Server 658

System Alarm Rule 660

Configuring an Alarm Rule for CPU Utilization 661

Configuring an Alarm Rule for Memory Usage 662

Configuring an Alarm Rule for Interface Bandwidth 664

Extended Services 667

Connecting to HSM 668

HSM Deployment Scenarios 668

Connecting to HSM 669

Connecting to Hillstone Cloud Service Platform 671

Connecting to Hillstone Cloud 672

Diagnosis 674

Test Tools 675

DNS Query 675

Ping 675

Traceroute 676

Curl 676

Diagnostic Capture 677

Configuring Diagnostic Capture 677

Diagnostic Files 681

Web Console 682

Getting Started Guide
This guide helps you go through the initial configuration and the basic set-up of your device. This
guide contains the following parts:

1. Initial Visit to Web Interface

2. WAF Setup Wizard

3. Preparing the WAF System

4. Restoring Factory Settings

Getting Started Guide 21


Initial Visit to Web Interface
Interface eth0/0 is configured with the IP address 192.168.1.1/24 by default and accepts SSH and HTTPS connections (except in some custom versions). Use this interface for the initial visit.
To visit the web interface for the first time, take the following steps:

1. Go to your computer's Ethernet properties and set the IPv4 protocol as below.

2. Connect an RJ-45 Ethernet cable from your computer to the eth0/0 of the device.

3. In your browser's address bar, type "http://192.168.1.1" and press Enter.



4. On the login page, enter the default username and password: hillstone/hillstone.

5. If this is your initial login, you need to read and accept the EULA (end-user license agreement). Click EULA to view its details.

6. Click Login; the device's system will initialize.



WAF Setup Wizard
If the default IP (192.168.1.1) of the management interface (MGT interface) has not been modified and the deployment mode is still the initial one, the WAF Setup Wizard dialog pops up after you log in to the device successfully. After you configure the device according to the setup wizard, the device runs in the deployed mode. The setup wizard contains three or four steps:

• Configure the deployment mode/interface

• Configure the virtual wire (only supported in the Transparent Proxy Mode and Transparent Tap Mode)

• Configure the default site (only supported in the Transparent Proxy Mode, Traction Mode, Transparent Tap Mode, and Tap Mode)

• Configure DNS

• Configure the system time

Configuring the Deployment Mode/ Interface

The device can be deployed in six modes: Transparent Proxy Mode, Traction Mode, Reverse Proxy Mode, One-arm Reverse Proxy Mode, Transparent Tap Mode, and Tap Mode. Choose the mode according to where the device is deployed in the network. Click the Legend button to view the topology of each mode.
Configure the interface of each deployment mode as follows:

Deployment Mode: Interface Configuration

Transparent Proxy Mode:
  LAN Interface: Select the interface connected to the Web server.
  WAN Interface: Select the interface connected to the internet.

Traction Mode:
  LAN Interface: Select the interface connected to the Web server.
  IP Address: Configure the IP address of the LAN interface.
  Netmask: Configure the netmask of the LAN interface.
  WAN Interface: Select the interface connected to the internet.
  IP Address: Configure the IP address of the WAN interface.
  Netmask: Configure the netmask of the WAN interface.

Reverse Proxy Mode:
  LAN Interface: Select the interface connected to the Web server.
  IP Address: Configure the IP address of the LAN interface.
  Netmask: Configure the netmask of the LAN interface.
  WAN Interface: Select the interface connected to the internet.
  IP Address: Configure the IP address of the WAN interface.
  Netmask: Configure the netmask of the WAN interface.

One-arm Reverse Proxy Mode:
  WAN Interface: Select the interface connected to the internet.

Tap Mode:
  Tap Interface: Select the Tap interface.

Transparent Tap Mode:
  LAN Interface: Select the interface connected to the Web server and the corresponding zone.
  WAN Interface: Select the interface connected to the internet and the corresponding zone.

Click Next.



Configuring Virtual Wire

Configure the virtual wire in the Virtual Wire step. Only the Transparent Proxy Mode and the Transparent Tap Mode support this function. The system supports VSwitch-based Virtual Wire. With this function enabled and a Virtual Wire interface pair configured, the two Virtual Wire interfaces form a virtual wire that connects the two subnetworks attached to the interface pair. The two connected subnetworks communicate directly at Layer 2, with no need for MAC address learning or forwarding through another subnetwork.

Option: Description

VSwitch: The default VSwitch is vswitch1.

Virtual-Wire Mode: Specifies the Virtual Wire mode.

  • Strict: In this mode, packets can only be transmitted between Virtual Wire interfaces, and the VSwitch cannot operate in Hybrid mode. A PC connected to the Virtual Wire can neither manage the device nor access the Internet over this interface.

  • Non-strict: In this mode, packets can be transmitted between Virtual Wire interfaces, and the VSwitch also supports data forwarding in Hybrid mode. That is, this mode only restricts the transmission of Layer 2 packets between Virtual Wire interfaces and does not affect the forwarding of Layer 3 packets.

  • Disabled: Disables the Virtual Wire function.

Virtual-Wire Configuration: Configure the Virtual Wire interface pair. To do this, select an interface for the pair from the Interface 1 and Interface 2 drop-down lists respectively. The two interfaces in a single virtual wire interface pair must be different, and one interface cannot belong to two different virtual wire interface pairs simultaneously. Click to create more Virtual Wire interface pairs.
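As an added example (not Hillstone code), the following Python model encodes the two pair rules from the option table, that the two interfaces of a pair must differ and that an interface may belong to only one pair, together with the Strict/Non-strict distinction: in Strict mode a packet entering a Virtual Wire interface may leave only through its partner, while Non-strict mode applies that restriction to Layer 2 packets only. The function names, the (Interface 1, Interface 2) tuple layout and the decision model are assumptions; the sample pair ethernet0/2 and ethernet0/3 is the one used in the transparent proxy deployment later in this guide.

```python
"""Model of the Virtual Wire pair rules and of Strict vs Non-strict mode.

Added example, not Hillstone code. The rules are taken from the option
table: the two interfaces of a pair must differ, an interface may belong to
only one pair, Strict mode confines a packet to its pair, Non-strict mode
confines only Layer 2 packets. Function names and the decision model are
assumptions.
"""

MODES = ("Strict", "Non-strict", "Disabled")


def validate_pairs(pairs):
    """Return configuration errors for a list of (Interface 1, Interface 2) tuples."""
    errors = []
    owner = {}  # interface name -> index of the pair that first claimed it
    for idx, (if1, if2) in enumerate(pairs, start=1):
        if if1 == if2:
            errors.append(
                f"pair {idx}: Interface 1 and Interface 2 must be different ({if1})"
            )
        for iface in (if1, if2):
            if iface in owner and owner[iface] != idx:
                errors.append(f"pair {idx}: {iface} already belongs to pair {owner[iface]}")
            owner.setdefault(iface, idx)
    return errors


def partner(pairs, iface):
    """Return the other interface of iface's pair, or None if iface is in no pair."""
    for if1, if2 in pairs:
        if iface == if1:
            return if2
        if iface == if2:
            return if1
    return None


def egress_allowed(mode, pairs, ingress, egress, layer3=False):
    """Decide whether a packet that entered on `ingress` may be sent out on `egress`.

    layer3=True marks a packet the VSwitch would forward at Layer 3 (Hybrid mode).
    """
    if mode not in MODES:
        raise ValueError(f"unknown Virtual-Wire mode {mode!r}")
    if mode == "Disabled":
        return True  # Virtual Wire off: no pair-based restriction
    in_peer = partner(pairs, ingress)
    out_peer = partner(pairs, egress)
    if in_peer is None and out_peer is None:
        return True  # neither side is a Virtual Wire interface: unaffected
    if mode == "Non-strict" and layer3:
        return True  # Non-strict only restricts Layer 2 forwarding
    # Strict, or Non-strict at Layer 2: traffic stays inside the pair
    return in_peer == egress


if __name__ == "__main__":
    pairs = [("ethernet0/2", "ethernet0/3")]
    print("config errors:", validate_pairs(pairs))
    print("strict, pair to pair:", egress_allowed("Strict", pairs, "ethernet0/2", "ethernet0/3"))
    print("strict, pair to other:", egress_allowed("Strict", pairs, "ethernet0/2", "ethernet0/1"))
```

Running validate_pairs before applying a pair list catches the two mistakes the table forbids; egress_allowed shows why a management PC behind a Strict virtual wire cannot reach the device or the Internet, and why Non-strict lets Layer 3 traffic through while Layer 2 traffic still stays within the pair.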

Configuring the Default Site

Configure the default site in the Default Site step. Only the Transparent Proxy Mode, Traction Mode, Transparent Tap Mode, and Tap Mode support the default site configuration. You can enable Default Site Discovery, and the system then monitors the traffic of HTTP/HTTPS sites in the network. When a Web site is discovered more than the specified number of times, the site is protected through the default site.

Option: Description

Response Code Filter: Enable Response Code Filter and configure the predefined HTTP response codes. The system discovers web servers or sites returning the specified response codes through the self discovery function and protects them as the default site.

Flow In Interface: The system automatically configures the flow-in interface according to the interface settings of the deployment mode. The system also monitors traffic on this interface to configure the default site.

Self Discovery Result Auto Add To: Enable the HTTP Default Site and HTTPS Default Site functions and set the minimum number of discoveries. After configuration, when a Web site is discovered more than the specified number of times, it is automatically added to the default site discovery (HTTP) list or the default site discovery (HTTPS) list on the Site Self Discovery page, and these Web sites are protected through the WAF default sites (default and default_https).
Note: The transparent proxy mode and traction mode support the default site for HTTP and HTTPS. The tap mode and transparent tap mode support the default site for HTTP only.

Click Next.
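The discovery logic described above, as an added Python model that is not Hillstone code: observations on the flow-in interface are counted per scheme and host, responses that fail the Response Code Filter are ignored, HTTPS sites are counted only where the HTTPS default site applies, and a site is reported for the default (HTTP) or default_https list once it reaches the configured number of discoveries. The record layout, the function names, the reading of the threshold as "at least" and the sample records are assumptions; 10.180.11.22 is the web server address used in the transparent proxy example of this guide, the other hosts are constructed.

```python
"""Model of Default Site Discovery: response-code filter plus a discovery threshold.

Added example, not Hillstone code. Record layout, function names and the
">= min_discoveries" reading are assumptions; the sample records are constructed.
"""
from collections import Counter

# Constructed observations: (scheme, host, HTTP response code) seen on the flow-in interface.
SAMPLE_FLOWS = [
    ("http", "10.180.11.22", 200),
    ("http", "10.180.11.22", 200),
    ("http", "10.180.11.22", 404),
    ("https", "shop.example.test", 200),
    ("https", "shop.example.test", 302),
    ("http", "scan.example.test", 503),
    ("http", "scan.example.test", 503),
    ("http", "scan.example.test", 503),
]


def discover_sites(flows, response_codes=(200, 302), min_discoveries=2, https_enabled=True):
    """Return {"default": [hosts], "default_https": [hosts]} of sites to auto-add.

    response_codes:  predefined codes of the Response Code Filter; None disables the filter.
    min_discoveries: minimum number of discoveries before a site is added.
    https_enabled:   False models tap / transparent tap mode, which only support the HTTP default site.
    """
    counts = Counter()
    for scheme, host, code in flows:
        if response_codes is not None and code not in response_codes:
            continue  # dropped by the Response Code Filter
        if scheme == "https" and not https_enabled:
            continue  # no HTTPS default site in this deployment mode
        counts[(scheme, host)] += 1

    result = {"default": [], "default_https": []}
    for (scheme, host), seen in sorted(counts.items()):
        if seen >= min_discoveries:
            key = "default" if scheme == "http" else "default_https"
            result[key].append(host)
    return result


if __name__ == "__main__":
    for key, hosts in discover_sites(SAMPLE_FLOWS).items():
        print(f"{key}: {hosts}")
```

With the defaults, the server returning 200s is added to the HTTP default site, the HTTPS shop is added to default_https, and the host that only ever returns 503 is never added because the filter drops every observation; raising min_discoveries or disabling the filter changes the outcome, which is the trade-off the two options control.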

Configuring DNS

To ensure normal access to web pages, configure the IP addresses of the primary DNS server and the secondary DNS server, then click Next.
Note: The primary and secondary DNS servers configured in the WAF Setup Wizard have higher priority than any DNS server configured before.

Configuring System Time

System time can be set in three ways: Synchronize with Local Time, Enable NTP, and Configure Manually.
Synchronize with Local Time
Enable Synchronize with Local Time; the Time Zone, Date and Time are displayed, and the device synchronizes with that time.
Enable NTP
Enable Enable NTP and the system time synchronizes with the NTP server. Configure the parameters as follows:

Option: Description

Authentication: Enable NTP authentication.

Server: Specifies the NTP servers to synchronize with. You can specify at most three NTP servers.

  • IP: Enter the IP address of the server.

  • Key: Specifies the key for NTP authentication. If you enable the NTP Authentication function, you must specify a key.

  • Virtual Router: Specifies the Virtual Router of the interface used for NTP communication.

  • Source Interface: Specifies the interface that sends and receives NTP packets.

  • Preferred Server: Specifies one server as the preferred server. The device synchronizes with the preferred server first.

Sync Interval: Enter the synchronization interval. The device synchronizes with the server after each interval.

Time Offset: Enter the maximum time offset. The device can synchronize with the server only when the time offset between the device and the NTP server is within this limit.

Configure Manually
Enable Configure Manually to customize the system time.

• Time Zone: Specifies the time zone of the system.

• Date: Specifies the date of the system.

• Time: Specifies the system time.

Click Finish. You are automatically logged in again with the default username and password (hillstone/hillstone). Continue to configure sites and other policies.



Preparing the WAF System

Installing Licenses
Before installing any license, you must purchase a license code.
To install a license, take the following steps:

1. Go to System > License.

2. Click Import to go to the Import License page. You can install the license by one of the following two methods:

   • Upload License File: Click Browse, and select the license file (a .txt file).

   • Manual Input: Paste the license code into the text box.

3. Click OK.

4. To make the license take effect, reboot the system. Go to System > Device Management > Settings & Options, and click Reboot on the System Options tab.

Creating a System Administrator


The system administrator has the authority to read, write and execute all features in the system.
To create a system administrator, take the following steps:

1. Go to System > Device Management > Administrators.

2. Click New.

In the Configuration section, configure the following options:

Option: Value

Name: Admin

Role: Administrator

Password: 123456

Confirm Password: 123456

Login Type: Select Telnet, SSH, HTTP and HTTPS.

3. Click OK.

Notes: The system has a default administrator "hillstone", which cannot be deleted or renamed.



Adding Trust Hosts
A trusted host is an administrator's host. Only computers included in the trusted hosts can manage the system.
To add a trusted host, take the following steps:

1. Go to System > Device Management > Trusted Host.

2. Click New to configure the trusted host.

In the Trust Host Configuration section, configure the following options.

Option: Value

Match Address Type: Select IPv4

IP Type: Select IP/Netmask

IP: 192.168.1.2/24

Login Type: Select all: Telnet, SSH, HTTP and HTTPS

3. Click OK.
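The trusted-host check as an added Python model, not Hillstone code: an incoming management connection (source IP and login type) is evaluated against entries written as IP/Netmask, such as the 192.168.1.2/24 entry above, and an audit function reports how many addresses each entry admits. The dataclass fields, the function names and the reading of IP/Netmask as a whole network (so that 192.168.1.2/24 admits every host in 192.168.1.0/24, not only 192.168.1.2) are assumptions; whether the device applies the same interpretation is not stated on this page.

```python
"""Model of the Trusted Host check applied to management logins.

Added example, not Hillstone code. Field names, function names and the
reading of "IP/Netmask" as a whole network are assumptions.
"""
import ipaddress
from dataclasses import dataclass

LOGIN_TYPES = frozenset({"Telnet", "SSH", "HTTP", "HTTPS"})


@dataclass
class TrustedHost:
    address: str  # "IP/Netmask" as entered in the WebUI, e.g. "192.168.1.2/24"
    login_types: frozenset = LOGIN_TYPES  # "Select all" in the guide's example

    def network(self):
        # strict=False: 192.168.1.2/24 is taken as the network 192.168.1.0/24
        return ipaddress.ip_network(self.address, strict=False)


def management_allowed(src_ip, login_type, trusted_hosts):
    """True if src_ip may open a management session of the given login type."""
    if login_type not in LOGIN_TYPES:
        raise ValueError(f"unknown login type {login_type!r}")
    ip = ipaddress.ip_address(src_ip)
    return any(ip in host.network() and login_type in host.login_types
               for host in trusted_hosts)


def audit_trusted_hosts(trusted_hosts):
    """List entries that admit more than one host: (entry, network, address count)."""
    findings = []
    for host in trusted_hosts:
        net = host.network()
        if net.num_addresses > 1:
            findings.append((host.address, str(net), net.num_addresses))
    return findings


if __name__ == "__main__":
    hosts = [TrustedHost("192.168.1.2/24")]
    print("192.168.1.200 over SSH allowed:", management_allowed("192.168.1.200", "SSH", hosts))
    print("audit:", audit_trusted_hosts(hosts))
```

The audit result for the guide's example entry is a single finding covering 256 addresses; an entry with a /32 netmask and only the login types actually used limits management access to the one administrator host, which is what the trusted-host feature is for.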

Upgrading Firmware

Notes: Back up your configuration files before upgrading your system.



To upgrade your system firmware, take the following steps:

1. Go to System > Upgrade Management > Upgrade Firmware.

On the Upgrade Firmware page, configure the following options.

Upgrade Firmware

Backup Configuration File: Make sure you have backed up the configuration file before upgrading. Click Backup Configuration File to back up the current configuration file. When the backup is completed, the system automatically goes to the Configuration File Management page. The backups are displayed in the Configuration File List.

Current Version: The current firmware version.

Upload Firmware: Click Browse to select a firmware file from your local disk.

Backup Image: The backup firmware version.

Reboot: Select the "Reboot now to make the new firmware take effect" check box and click Apply to reboot the system and make the firmware take effect. If you click Apply without selecting the check box, the firmware takes effect after the next startup.

Choose a Firmware for the next startup

Current Version: The current firmware version.

Choose a Firmware for the next startup: Select the firmware that will take effect at the next startup from the drop-down list.

Reboot: Select the "Reboot now to make the new firmware take effect" check box and click Apply to reboot the system and make the firmware take effect. If you click Apply without selecting the check box, the firmware takes effect after the next startup.

Updating Signature Database


Features that require constant signature updates are license-controlled. You must purchase the license in order to update the signature libraries. By default, the system automatically updates the databases daily.
To update a database, take the following steps:

1. Go to System > Upgrade Management > Signature Database Update.

2. Find the intended database, and choose one of the following two ways to update it.

   • Remote Update: Click OK and the system automatically updates the database at the scheduled time. Click OK And Online Update to update the signature database immediately.

   • Local Update: Click Browse to open the file explorer and select your local signature file. Click Upload to import it into the system.



Restoring Factory Settings

Notes: Resetting your device will erase all configurations, including the settings that
have been saved. Please be cautious!

To restore factory default settings using a Web interface, take the following steps:

1. Go to System > Configuration File Management > Configuration File List.

2. Click Backup Restore.

3. On the Configuration Backup/Restore page, click Restore.

4. Click OK to confirm.

5. The device will automatically reboot and be back to factory settings.



Deployment Mode
Depending on where the Web Application Firewall (WAF) device is located in the network, it can be deployed in the following modes:

• Transparent Proxy Mode

• Reverse Proxy Mode

• One-arm Reverse Proxy Mode

• Traction Mode

• Tap Mode

• Transparent Tap Mode

Features of the modes:

Deployment Mode: Feature

Transparent Proxy Mode: In transparent proxy mode, the device does not affect the deployment of the whole network. The communication interface is bound to Layer 2 without an IP address configured. Server load balancing is not supported in this mode. The hardware bypass function is supported in this mode.

Reverse Proxy Mode: In reverse proxy mode, the device is deployed as a proxy. The client communicates with the device directly, and the device then communicates with the web server. The communication interface is bound to Layer 3 with an IP address configured. The hardware bypass function is not supported in this mode. When the device fails, the web server cannot be reached, so it may stop providing service externally.

One-arm Reverse Proxy Mode: In one-arm reverse proxy mode, you can add the device to the current network, or replace the SLB device with it, without affecting the network. Server load balancing is supported in this mode and the hardware bypass function is not supported.

Traction Mode: In traction mode, traffic from the client is redirected to the device via a router and then returned to the router. When the device fails, the web server can still be reached. You need to create a route to redirect traffic in this mode, and the hardware bypass function is not supported.

Tap Mode: In tap mode, the device is connected to a mirrored interface of the core network. Traffic is mirrored to the device for analysis, and the analysis result is output. Traffic of the core network is not affected.
Note: If the WAF device has the Attack Block switch turned on and the Tap Control Interface configured, the system blocks traffic that matches a security policy with a blocking action. By default, the Attack Block switch is turned off.

Transparent Tap Mode: In transparent tap mode, the device does not affect the deployment of the whole network. The communication interface is bound to Layer 2 without an IP address configured. In this mode, the WAF device only forwards, detects and analyzes traffic and does not block it. MPLS packet detection can be enabled in this mode. The hardware bypass function is supported in this mode.

Relationship between functions and deployment modes:

• The protection function of the WAF device is supported in all of the above modes.

• Server load balancing and IP forwarding are supported only in one-arm reverse proxy mode and reverse proxy mode.

• Once the deployment mode is changed, the configured sites, routes, etc. are cleared and the device needs to be rebooted. You then need to configure them again.

Deployment Mode 39
Deploying Web Application Firewall (WAF) in Transparent Proxy Mode
In transparent proxy mode, WAF can be deployed simply and quickly in the current network without modifying the configurations of upstream and downstream devices. In this mode, you can deploy WAF directly as a plug-and-play device between network devices. This deployment is easy to use and widely applied.

Network Topology

As shown in the above figure, a web server is deployed in the current network to provide web ser-
vices. The IP address of the server is 10.180.11.22. WAF is deployed in transparent proxy mode
in the network to protect the server.

Before You Begin

• Make sure that WAF is deployed in the current network according to the network topology.

• Make sure that you have the key file and the certificate file of the web server. The format of key files and certificate files must meet certain requirements. For more information, see Format Requirements and Conversion Methods of SSL/TLS Certificates and Keys.

• Select System > PKI > Certificate Chain. Click New to go to the Certificate Chain Configuration page. Import the certificate and key pair into the certificate chain.

Deploy WAF in the Transparent Proxy Mode

Step 1: Selecting the transparent proxy mode and configuring the interfaces in the configuration wizard

1. If this is your first time to access WAF, enter the default IP address 192.168.1.1 of the MGT interface in the address bar and press Enter. On the page that appears, log in to the WebUI.

l Select Deployment Mode: Transparent Proxy Mode

l LAN Interface: ethernet0/2; Zone: l2-trust (This interface is used to connect to the web server.)

l WAN Interface: ethernet0/3; Zone: l2-untrust (This interface is used to connect to the Internet.)

2. Click Next.

(Optional) If you do not use the configuration wizard, you can take the following steps:

1. Select System > WAF Global Configuration > Global Parameter Configuration. Select the Transparent Proxy Mode, and then click OK.

2. Select Network > Interface. Double-click Interface ethernet0/3 that is connected to the Internet. In the Ethernet Interface dialog box, set the Binding Interface parameter to Layer 2 Interface, set the Zone parameter to l2-untrust, and then click OK.

3. Go back to the interface list and double-click Interface ethernet0/2 that is connected to the web server. In the Ethernet Interface dialog box, set the Binding Interface parameter to Layer 2 Interface, set the Zone parameter to l2-trust, and then click OK.

Step 2: Configuring the Virtual Wire

1. Configure the virtual wire.

l Virtual-wire Mode: Strict

l Configure other options as needed.

2. Click Next.

Step 3: Configuring a Default Site

1. Configure the default site.

l Default Site Discovery: enabled

l Maximum Number of Discoveries: 1000

l Configure other options as needed.

2. Click Next.

(Optional) If you do not use the configuration wizard, you can go to Site > Site Self Discovery to make the configurations.

Step 4: Configuring DNS

1. Configure the DNS server IP addresses.

l Primary DNS Server IP: Specifies the actual IP address of the primary DNS server. In this example, set the value to 10.88.44.1.

l Secondary DNS Server IP 1: Specifies the actual IP address of the secondary DNS server. In this example, set the value to 10.188.44.1.

2. Click Next.

(Optional) If you do not use the configuration wizard, you can take the following steps:

1. Select Network > DNS > DNS Server. Click New. In the DNS Server Configuration dialog box, configure the following option:

l Server IP: 10.88.44.1 (You can specify this parameter based on the actual environment.)

2. Click OK.

Step 5: Configuring the system time

1. Enable Synchronize with Local Time.

2. Click Finish.

(Optional) If you do not use the configuration wizard, you can take the following steps:

1. Select System > Device Management > System Time. On the System Time Configuration page, select Sync Zone&Time.

2. On the pop-up Please Select Your Time Zone page, select your time zone and click OK.

Step 6: Creating a site and configuring a security policy to protect the server

1. Select Site > Web Site and then click New. On the Site Configuration page, click the Basic tab and configure the following options:

l Name: Web-Server

l Status: Protect

l Type: HTTPS

l Service: 10.180.11.22; 443 (Configure the IP address and port of the web server.)

l Domain: Any

l Client:

    l SSL Protocol: TLSv1, TLSv1.1, TLSv1.2;

    l SSL/TLS Encryption Suite: Medium

Note: TLSv1 and TLSv1.1 are deprecated (RFC 8996). Unless legacy clients that cannot negotiate TLSv1.2 must be supported, select only TLSv1.2 (and any newer version that the device offers). The same applies to the Client and Server SSL settings of the sites in the other deployment modes.

2. If you deploy WAF for the first time, you need to configure the profile of the security policy. The configurations of other policies are optional.

l Security Policy: policy_normal

l For other options, you can keep the default settings.

3. Click OK.

4. If you need to create another site, repeat Step 1 to 3.

Step 7: Checking the results

Now, WAF is successfully deployed in the transparent proxy mode. This way, WAF can imple-
ment basic security protection for traffic from the client, which ensures the network security of
the web server.

You can customize the configurations of security protection for the site on the Acceleration,
Anti-defacement, Server Health Check, and Custom Error Page tabs. For more information, see
WAF WebUI User Guide.

Q&A

l Q: Does WAF support the WebSocket feature in the transparent proxy mode?
A: Yes. WAF supports this feature in the transparent proxy mode by default.

l Q: When WAF is deployed in the transparent proxy mode, how can I ensure normal access to services that are not associated with web applications?
A: Access to services that are not associated with web applications is not affected in the transparent proxy mode.

l Q: Which configurations are affected after I select System > WAF Global Configuration > Global Parameter Configuration > Reset Deployment Mode?
A: All network-related configurations are cleared, except the configurations of the management interface and its route. For example, sites, interface configurations, virtual switches, and virtual wires are cleared. This prevents network faults caused by improper configurations after the mode is switched.

Deploying Web Application Firewall (WAF) in Traction Mode
In traction mode, WAF is deployed in a bypass manner, off the main forwarding path, so that the backbone network keeps running properly. Traffic from the client reaches the server as follows. First, a router redirects the client's access traffic to WAF. Next, WAF applies security protection to the traffic and reinjects it to the router. Then, the router forwards the traffic to the web servers. In this mode, WAF can be quickly deployed in the current network with minimal impact and provides security protection for the web servers.

Network Topology

As shown in the above figure, a web server is deployed in the current network to provide web services. The IP address of the server is 10.180.11.22. WAF is deployed in traction mode in the network to protect the security of the server.

Before You Begin

l Make sure that WAF is deployed in the current network based on the network topology.

l Make sure that you have the key file (server.key) and the certificate file (server.crt) of the web server. The format of key files and certificate files needs to meet certain requirements. For more information, see Format Requirements and Conversion Methods of SSL/TLS Certificates and Keys.

l Select System > PKI > Certificate Chain. Click New to go to the Certificate Chain Configuration page. Import the certificate and key pair to the certificate chain.

Deploy WAF in Traction Mode

Step 1: Selecting the traction mode and configuring the interfaces in the configuration wizard

1. If this is your first time to access WAF, enter the default IP address 192.168.1.1 of the MGT interface in the address bar and press Enter. On the page that appears, log in to the WebUI.

l Select Deployment Mode: Traction Mode

l LAN Interface: ethernet0/2; Zone: trust; IP Address: 192.168.3.1; mask: 24 (This interface is used to connect to the web server.)

l WAN Interface: ethernet0/3; Zone: untrust; IP Address: 192.168.2.2; mask: 24 (This interface is used to connect to the Internet.)

2. Click Next.

(Optional) If you do not use the configuration wizard, you can take the following steps:

1. Select System > WAF Global Configuration > Global Parameter Configuration. Select the Traction Mode, and then click OK.

2. Select Network > Interface. On the Interface page, double-click Interface ethernet0/3 that is connected to the Internet. In the Ethernet Interface dialog box, configure the following options:

l Binding Interface: Layer 3 Interface

l Zone: untrust

l Type: Static IP

l IP Address: 192.168.2.2

l Netmask: 24

Click OK.

3. Go back to the interface list and double-click Interface ethernet0/2 that is connected to the web server. In the Ethernet Interface dialog box, configure the following options:

l Binding Interface: Layer 3 Interface

l Zone: trust

l Type: Static IP

l IP Address: 192.168.3.1

l Netmask: 24

Click OK.

Step 2: Configuring default sites

1. Configure default sites in the configuration wizard:

l HTTP Default Site: Enabled

l HTTPS Default Site: Enabled

l Minimum Number of Discoveries: 1000

l You can configure other options as required.

2. Click Next.

(Optional) If you do not use the configuration wizard, you can select Site > Site Self Discovery
to configure default sites.

Step 3: Configuring DNS

1. Configure the DNS server IP addresses.

l Primary DNS Server IP: Specifies the actual IP address of the primary DNS server. In this example, set the value to 10.88.44.1.

l Secondary DNS Server IP 1: Specifies the actual IP address of the secondary DNS server. In this example, set the value to 10.188.44.1.

2. Click Next.

(Optional) If you do not use the configuration wizard, you can take the following steps:

1. Select Network > DNS > DNS Server. Click New. In the DNS Server Configuration dialog box, configure the following option:

l Server IP: 10.88.44.1

2. Click OK.

Step 4: Configuring the system time

1. Enable Synchronize with Local Time.

2. Click Finish.

(Optional) If you do not use the configuration wizard, you can take the following steps:

1. Select System > Device Management > System Time. On the System Time Configuration page, select Sync Zone&Time.

2. On the pop-up Please Select Your Time Zone page, select your time zone and click OK.

Step 5: Configuring a route

1. Select Network > Routing > Destination Route and click New. On the Destination Route Configuration page, configure a route that routes to the web server network segment and whose next hop IP address is the LAN interface gateway.

l Destination: 10.180.11.0

l Netmask: 24

l Next-hop: Gateway

l Gateway: 192.168.3.2

2. Click OK.

3. Click New to create a default route for the response traffic.

l Destination: 0.0.0.0

l Netmask: 0

l Next-hop: Gateway

l Gateway: 192.168.2.1

4. Click OK.

Note: On the router, delete the existing route to the web server and configure a static route to the network segment 10.180.11.0/24 whose next hop IP address is 192.168.2.2 (the WAN interface of WAF), so that client traffic is redirected to WAF. In addition, configure a route on the server side that forwards response traffic from the server back to WAF rather than directly to the router. Both directions of a proxied connection must pass through WAF; this matters in particular when Source IP Transparent Transmit is enabled, because the server then replies to the client IP address directly.
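The routes in Step 5 and the Note only work if a request and its response both cross WAF; an asymmetric path is the most common reason a traction-mode deployment fails. The following is an added example, not code from the Hillstone guide or from Hillstone, that models the routing tables as longest-prefix-match lists and traces both directions hop by hop. The WAF table is the one configured above; the router and server-gateway tables implement the Note but are constructed here (the guide does not list them), as are the client address 203.0.113.10 and the router-to-server-gateway link 10.0.0.0/30.

```python
"""Route sanity check for the traction-mode topology (added example)."""
from ipaddress import ip_address, ip_network

# Which device owns each interface address (constructed topology).
OWNER = {
    "203.0.113.10": "client",
    "192.168.2.1": "router", "10.0.0.1": "router",
    "192.168.2.2": "waf", "192.168.3.1": "waf",
    "192.168.3.2": "server-gw", "10.180.11.1": "server-gw", "10.0.0.2": "server-gw",
    "10.180.11.22": "server",
}

# Routing tables as (prefix, next hop). "connected" means the device delivers
# the packet to the destination host on a directly attached network.
CORRECT_TABLES = {
    "client": [("0.0.0.0/0", "192.168.2.1")],
    "router": [
        ("192.168.2.0/24", "connected"),
        ("10.0.0.0/30", "connected"),
        ("10.180.11.0/24", "192.168.2.2"),   # Note: web traffic goes to the WAF WAN interface
        ("0.0.0.0/0", "connected"),          # Internet side
    ],
    "waf": [                                  # Step 5 of the guide
        ("192.168.2.0/24", "connected"),
        ("192.168.3.0/24", "connected"),
        ("10.180.11.0/24", "192.168.3.2"),
        ("0.0.0.0/0", "192.168.2.1"),
    ],
    "server-gw": [
        ("192.168.3.0/24", "connected"),
        ("10.180.11.0/24", "connected"),
        ("10.0.0.0/30", "connected"),
        ("0.0.0.0/0", "192.168.3.1"),        # Note: responses return via the WAF LAN interface
    ],
    "server": [("10.180.11.0/24", "connected"), ("0.0.0.0/0", "10.180.11.1")],
}


def lookup(table, dst):
    """Longest-prefix match; returns the next hop or raises if there is no route."""
    dst = ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def trace(tables, src, dst, max_hops=16):
    """Return the list of devices a packet from device `src` to address `dst` traverses."""
    path, dev = [src], src
    for _ in range(max_hops):
        if OWNER.get(dst) == dev:
            return path
        next_hop = lookup(tables[dev], dst)
        dev = OWNER[dst] if next_hop == "connected" else OWNER[next_hop]
        path.append(dev)
    raise RuntimeError(f"routing loop, last hops {path[-2]} -> {path[-1]}")


def passes_through_waf(tables, client_ip="203.0.113.10", server_ip="10.180.11.22"):
    """Return (request crosses WAF, response crosses WAF)."""
    forward = trace(tables, "client", server_ip)
    reverse = trace(tables, "server", client_ip)
    return "waf" in forward, "waf" in reverse


# The same topology with the server gateway's default route pointing at the
# router instead of WAF: requests still reach WAF, but responses bypass it.
ASYMMETRIC_TABLES = dict(CORRECT_TABLES)
ASYMMETRIC_TABLES["server-gw"] = [
    ("192.168.3.0/24", "connected"),
    ("10.180.11.0/24", "connected"),
    ("10.0.0.0/30", "connected"),
    ("0.0.0.0/0", "10.0.0.1"),
]

if __name__ == "__main__":
    for name, tables in (("correct", CORRECT_TABLES), ("asymmetric", ASYMMETRIC_TABLES)):
        print(name, "request:", trace(tables, "client", "10.180.11.22"),
              "response:", trace(tables, "server", "203.0.113.10"),
              "both via WAF:", passes_through_waf(tables))
```

With the correct tables the request path is client, router, waf, server-gw, server and the response path is the mirror image; with the asymmetric tables the response skips WAF, which is exactly the situation the Note's second sentence prevents.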

Step 6: Creating a site and configuring a security policy to protect the servers

1. Select Site > Web Site and then click New. On the Site Configuration page, click the Basic tab and configure the following options:

l Name: Web-Server

l Status: Protect

l Type: HTTPS

l Service: 10.180.11.22; 443 (Specify the IP address and port of the web server.)

l Domain: Any

l Client:

    l SSL Protocol: TLSv1, TLSv1.1, TLSv1.2;

    l SSL/TLS Encryption Suite: Medium

    l SSL/TLS Certificate Chain: Select the created certificate chain.

l Server:

    l SSL Protocol: TLSv1, TLSv1.1, TLSv1.2;

    l SSL/TLS Encryption Suite: Medium

2. If you deploy WAF for the first time, you need to configure the profile of the security policy. The configurations of other policies are optional.

l Security Policy: policy_normal

l For other options, you can keep the default settings.

3. Click OK.

Step 7: Checking the results

Now, WAF is successfully deployed in the traction mode. This way, traffic from the client is
redirected to WAF by the router, basic security protection is implemented for the traffic and the
traffic is reinjected to the router by WAF, and then the traffic is forwarded to the web server by
the router. This ensures the network security of the server.

You can customize the configurations of security protection for the site on the Acceleration,
Anti-defacement, Server Health Check, and Custom Error Page tabs. For more information, see
WAF WebUI User Guide.

Q&A

l Q: How can a server get the actual IP address of the client by using WAF?
A: WAF provides the following two methods for a server to get the actual IP address:

1. Select Site > Web Site. Click New. On the Site Configuration page, enable X-Forwarded-For. This way, WAF records the IP address of the client in the X-Forwarded-For HTTP header of the request that it sends to the server. Because a client can send an X-Forwarded-For header of its own, the server must take the client address only from the value that WAF adds (the rightmost address if the header contains several), not from a value the client supplied.

2. Select System > WAF Global Configuration > Global Parameter Configuration. On the page that appears, enable Source IP Transparent Transmit. This way, WAF uses the client IP address as the network-layer source IP address of the packets that carry the HTTP request to the server. Because the server then replies to the client IP address directly, the response traffic must be routed back through WAF (see the note in Step 5).

l Q: Does WAF support the WebSocket feature in traction mode?
A: Yes. Select Site > Web Site. Click New. On the Site Configuration page, enable WebSocket.

l Q: Can I access services that are not associated with web applications in the server when WAF is deployed in the network?
A: Yes. You can access these services without any further configurations. In the traction mode, only web traffic is redirected to WAF.

l Q: Which configurations are affected after I select System > WAF Global Configuration > Global Parameter Configuration > Reset Deployment Mode?
A: All network-related configurations are cleared, except the configurations of the management interface and its route. For example, sites, interface configurations, virtual switches, and virtual wires are cleared. This prevents network faults caused by improper configurations after the mode is switched.

Deploying Web Application Firewall (WAF) in Reverse Proxy
Mode
In the reverse proxy mode, WAF is deployed as a proxy that sits between the client and the web servers, and Layer 3 interfaces are configured in the network to implement the SLB (server load balancing) function. In addition, the IP addresses of the web servers are hidden from the client, which provides higher security.

Network Topology

As shown in the above figure, three web servers are deployed in the current network to provide web services. The IP addresses of these servers are 10.180.11.11, 10.180.11.22, and 10.180.11.33. In the reverse proxy mode, WAF is deployed as the server proxy in the network. This balances the traffic load and protects the security of the web servers.

Before You Begin

l Make sure that WAF is deployed in the current network based on the network topology.

l Make sure that you have the key file and the certificate file of the web servers. The format of key files and certificate files needs to meet certain requirements. For more information, see Format Requirements and Conversion Methods of SSL/TLS Certificates and Keys.

l Select System > PKI > Certificate Chain. Click New to go to the Certificate Chain Configuration page. Import the certificate and key pair to the certificate chain.

Deploy WAF in the Reverse Proxy Mode

Step 1: Selecting the reverse proxy mode and configuring the interfaces in the configuration wizard

1. If this is your first time to access WAF, enter the default IP address 192.168.1.1 of the MGT interface in the address bar and press Enter. On the page that appears, log in to the WebUI.

l Select Deployment Mode: Reverse Proxy Mode

l LAN Interface: ethernet0/2; Zone: trust; IP Address: 192.168.3.1; mask: 24 (This interface is used to connect to the web servers.)

l WAN Interface: ethernet0/1; Zone: untrust; IP Address: 192.168.2.2; mask: 24 (This interface is used to connect to the Internet.)

2. Click Next.

(Optional) If you do not use the configuration wizard, you can take the following steps:

1. Select System > WAF Global Configuration > Global Parameter Configuration. Select the Reverse Proxy Mode, and then click OK.

2. Select Network > Interface. On the Interface page, double-click Interface ethernet0/1 that is connected to the Internet. In the Ethernet Interface dialog box, configure the following options:

l Binding Interface: Layer 3 Interface

l Zone: untrust

l Type: Static IP

l IP Address: 192.168.2.2

l Netmask: 24

Click OK.

3. Go back to the interface list and double-click Interface ethernet0/2 that is connected to the web servers. In the Ethernet Interface dialog box, configure the following options:

l Binding Interface: Layer 3 Interface

l Zone: trust

l Type: Static IP

l IP Address: 192.168.3.1

l Netmask: 24

Click OK.

Step 2: Configuring DNS

1. Configure the DNS server IP addresses.

l Primary DNS Server IP: Specifies the actual IP address of the primary DNS server. In this example, set the value to 10.88.44.1.

l Secondary DNS Server IP 1: Specifies the actual IP address of the secondary DNS server. In this example, set the value to 10.188.44.1.

2. Click Next.

(Optional) If you do not use the configuration wizard, you can take the following steps:

1. Select Network > DNS > DNS Server. Click New. In the DNS Server Configuration dialog box, configure the following option:

l Server IP: 10.88.44.1

2. Click OK.
Step 3: Configuring the system time

1. Enable Synchronize with Local Time, and then click Finish.

(Optional) If you do not use the configuration wizard, you can take the following steps:

1. Select System > Device Management > System Time. On the System Time Configuration page, select Sync Zone&Time.

2. On the pop-up Please Select Your Time Zone page, select your time zone and click OK.

Step 4: Configuring a route

1. Select Network > Routing > Destination Route and click New. On the Destination Route Configuration page, configure a route that routes to the web server network segment and whose next hop IP address is the LAN interface gateway.

l Destination: 10.180.11.0

l Netmask: 24

l Next-hop: Gateway

l Gateway: 192.168.3.2

2. Click OK.

3. Click New to create a default route.

l Destination: 0.0.0.0

l Netmask: 0

l Next-hop: Gateway

l Gateway: 192.168.2.1

4. Click OK.

Step 5: Creating a site and configuring a security policy to protect the servers

1. Select Site > Web Site and then click New. On the Site Configuration page, click the Basic tab and configure the following options:

l Name: Web-Server-proxy

l Status: Protect

l Virtual Router: trust-vr

l Type: HTTPS

l Service: 192.168.2.2; 443 (Set this parameter to the IP address of the WAN interface or another IP address in the same network segment. Clients access this IP address.)

l Domain: Any

l Client:

    l SSL Protocol: TLSv1, TLSv1.1, TLSv1.2;

    l SSL/TLS Encryption Suite: Medium

    l SSL/TLS Certificate Chain: Select the created certificate chain.

l Server:

    l SSL Protocol: TLSv1, TLSv1.1, TLSv1.2;

    l SSL/TLS Encryption Suite: Medium

2. If you deploy WAF for the first time, you need to configure the profile of the security policy. The configurations of other policies are optional.

l Security Policy: policy_normal

l For other options, you can keep the default settings.

3. Click the Load Balance tab and configure the following options:

l Load Balance Algorithm: IP Hash

l SLB Server: Configure the IP address, port number, and weight of the three servers: 10.180.11.11, 10.180.11.22, and 10.180.11.33.

Note: If the back-end servers keep login state locally (sessions are not shared between servers), select the IP Hash algorithm so that all requests from one client go to the same server. With the Least Connection algorithm, consecutive requests from one client might be distributed to different servers, which causes repeated login requests.

4. Click OK.

Step 6: Checking the results

Now, WAF is successfully deployed in the reverse proxy mode. WAF is used as the server proxy
to provide web services. You can access the virtual IP address (192.168.2.2) of the protection
site in WAF to use web services. In addition, WAF can implement basic web security protection
for the three servers and distribute access traffic to different servers based on the load balancing
algorithm. This prevents excessive traffic pressure on a single server.

You can customize the configurations of security protection for the site on the Acceleration,
Anti-defacement, Server Health Check, and Custom Error Page tabs. For more information, see
WAF WebUI User Guide.

Q&A

l Q: Does WAF support load balancing based on XFF?
A: Yes. Select System > WAF Global Configuration > Global Parameter Configuration. On the page that appears, set the Using IP in X-Header parameter to Used as Load Balance IP. Then, select Site > Web Site. Click New to go to the Site Configuration page. On the Load Balance tab, set the Load Balance Algorithm parameter to IP Hash. This is useful when WAF sits behind another proxy or a CDN: all connections then arrive from the same source IP address, and hashing on that address would send all traffic to one server.

l Q: How can a server get the actual IP address of the client by using WAF?
A: WAF provides the following two methods for a server to get the actual IP address:

1. Select Site > Web Site. Click New. On the Site Configuration page, enable X-Forwarded-For. This way, WAF records the IP address of the client in the X-Forwarded-For HTTP header of the request that it sends to the server. Because a client can send an X-Forwarded-For header of its own, the server must take the client address only from the value that WAF adds (the rightmost address if the header contains several), not from a value the client supplied.

2. Select System > WAF Global Configuration > Global Parameter Configuration. On the page that appears, enable Source IP Transparent Transmit. This way, WAF uses the client IP address as the network-layer source IP address of the packets that carry the HTTP request to the server. Because the server then replies to the client IP address directly, the response traffic must be routed back through WAF.

l Q: Does WAF support the WebSocket feature?
A: Yes. Select Site > Web Site. Click New. On the Site Configuration page, enable WebSocket.

l Q: How can I access services that are not associated with web applications in the server when WAF is deployed in the network?
A: In reverse proxy mode, NAT configurations are required in certain scenarios to guarantee normal access to these services.

l Q: Which configurations are affected after I select System > WAF Global Configuration > Global Parameter Configuration > Reset Deployment Mode?
A: All network-related configurations are cleared, except the configurations of the management interface and its route. For example, sites, interface configurations, virtual switches, and virtual wires are cleared. This prevents network faults caused by improper configurations after the mode is switched.

Deploying Web Application Firewall (WAF) in One-arm
Reverse Proxy Mode
One-arm reverse proxy mode is a special case of reverse proxy mode in which WAF uses a single Layer 3 interface for both client and server traffic. In this mode, you can add WAF to the current network without affecting the rest of the network, and the deployment is simpler than in reverse proxy mode. One-arm reverse proxy mode also supports the SLB function, and the IP addresses of the web servers are hidden from the client, which provides higher security.

Network Topology

As shown in the above figure, three web servers are deployed in the current network to provide web services. The IP addresses of these servers are 10.180.11.11, 10.180.11.22, and 10.180.11.33. WAF is deployed in one-arm reverse proxy mode as the server proxy in the network. This balances the traffic load and protects the security of the web servers.

Before You Begin

l Make sure that WAF is deployed in the current network based on the network topology.

l Make sure that you have the key file and the certificate file of the web servers. The format of key files and certificate files needs to meet certain requirements. For more information, see Format Requirements and Conversion Methods of SSL/TLS Certificates and Keys.

l Select System > PKI > Certificate Chain. Click New to go to the Certificate Chain Configuration page. Import the certificate and key pair to the certificate chain.

Deploy WAF in One-arm Reverse Proxy Mode

Step 1: Selecting the one-arm reverse proxy mode and configuring the WAN interface in the configuration wizard

1. If this is your first time to access WAF, enter the default IP address 192.168.1.1 of the MGT interface in the address bar and press Enter. On the page that appears, log in to the WebUI.

l Select Deployment Mode: One-arm with Reverse Proxy Mode

l WAN Interface: ethernet0/1; Zone: untrust; IP Address: 192.168.2.2; mask: 24 (This interface is used to connect to the Internet. In one-arm mode, traffic to and from the web servers also uses this interface.)

2. Click Next.

(Optional) If you do not use the configuration wizard, you can take the following steps:

1. Select System > WAF Global Configuration > Global Parameter Configuration. Select the One-arm with Reverse Proxy Mode, and then click OK.

2. Select Network > Interface to go to the Interface page. Double-click Interface ethernet0/1 that is connected to the Internet. In the Ethernet Interface dialog box, configure the following options:

l Binding Interface: Layer 3 Interface

l Zone: untrust

l Type: Static IP

l IP Address: 192.168.2.2

l Netmask: 24

3. Click OK.

Step 2: Configuring DNS

1. Configure the DNS server IP addresses.

l Primary DNS Server IP: Specifies the actual IP address of the primary DNS server. In this example, set the value to 10.88.44.1.

l Secondary DNS Server IP 1: Specifies the actual IP address of the secondary DNS server. In this example, set the value to 10.188.44.1.

2. Click Next.

(Optional) If you do not use the configuration wizard, you can take the following steps:

1. Select Network > DNS > DNS Server. Click New. In the DNS Server Configuration dialog box, configure the following option:

l Server IP: 10.88.44.1

2. Click OK.

Step 3: Configuring the system time

1. Enable Synchronize with Local Time, and then click Finish.

(Optional) If you do not use the configuration wizard, you can take the following steps:

1. Select System > Device Management > System Time. On the System Time Configuration page, select Sync Zone&Time.

2. On the pop-up Please Select Your Time Zone page, select your time zone and click OK.

Step 4: Configuring a default route

1. Select Network > Routing > Destination Route and click New. On the Destination Route Configuration page, configure the following options:

l Destination: 0.0.0.0

l Netmask: 0

l Next-hop: Gateway

l Gateway: 192.168.2.1

2. Click OK.

Note: Delete the static routes to server1, server2, and server3. Configure a static route that routes to the network segment 192.168.2.0/24 and whose next hop IP address is 192.168.2.2.

80 Deployment Mode
Step 5: Creating a site and configuring a security policy to protect the servers

1. Select Site > Web Site and then click New. On the Site Configuration page, click the Basic tab and configure the following options:

l Name: Web-Server-proxy

l Status: Protect

l Type: HTTPS

l Service: 192.168.2.2; 443 (Set this parameter to the IP address of the WAN interface or another IP address in the same network segment. Clients access this IP address.)

l Domain: Any

l Client:

    l SSL Protocol: TLSv1, TLSv1.1, TLSv1.2;

    l SSL/TLS Encryption Suite: Medium

    l SSL/TLS Certificate Chain: Select the created certificate chain.

l Server:

    l SSL Protocol: TLSv1, TLSv1.1, TLSv1.2;

    l SSL/TLS Encryption Suite: Medium

2. If you deploy WAF for the first time, you need to configure the profile of the security policy. The configurations of other policies are optional.

l Security Policy: policy_normal

l For other options, you can keep the default settings.

3. Click the Load Balance tab and configure the following options:

l Load Balance Algorithm: IP Hash

l SLB Server: Configure the IP address, port number, and weight of the three servers: 10.180.11.11, 10.180.11.22, and 10.180.11.33.

Note: If the back-end servers keep login state locally (sessions are not shared between servers), select the IP Hash algorithm so that all requests from one client go to the same server. With the Least Connection algorithm, consecutive requests from one client might be distributed to different servers, which causes repeated login requests.

4. Click OK.
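The Note on the Load Balance tab (Step 5 of both the reverse proxy and the one-arm reverse proxy deployment) and the Q&A on load balancing based on XFF describe three behaviours that are easier to see in code: IP Hash keeps every request of one client on one server, Least Connection does not, and hashing on the address from X-Forwarded-For restores a useful key when all connections arrive from one upstream proxy. The following is an added example, not code from the Hillstone guide or from Hillstone; it models the algorithms rather than reproducing the device's implementation. The three server addresses are from the guide; the weights (1, 1, 2), the hash function (SHA-256 reduced modulo the total weight), and the sample requests are constructed.

```python
"""Weighted IP Hash versus Least Connection server selection (added example)."""
import hashlib
from itertools import accumulate

# (address, port, weight): the guide's three SLB servers; the weights are assumed.
SERVERS = [("10.180.11.11", 443, 1), ("10.180.11.22", 443, 1), ("10.180.11.33", 443, 2)]


def load_balance_ip(peer_ip, headers, use_x_header=False):
    """Hash key for a request: the TCP peer address, or the leftmost
    X-Forwarded-For address when "Using IP in X-Header" is set to
    "Used as Load Balance IP" (WAF behind a CDN or another proxy, where
    every connection has the same peer). Only the choice of server depends
    on this value, so a spoofed header cannot do more than pick a server."""
    if use_x_header:
        first = headers.get("X-Forwarded-For", "").split(",")[0].strip()
        if first:
            return first
    return peer_ip


def ip_hash_server(key, servers=SERVERS):
    """IP Hash: map the key deterministically onto the weighted server list."""
    weights = [w for _, _, w in servers]
    slot = int(hashlib.sha256(key.encode()).hexdigest(), 16) % sum(weights)
    for (ip, port, _), upper in zip(servers, accumulate(weights)):
        if slot < upper:
            return ip, port


def least_connection_server(active, servers=SERVERS):
    """Least Connection: the server with the fewest active connections per
    unit of weight; ties go to the first server in the list."""
    ip, port, _ = min(servers, key=lambda s: active.get(s[0], 0) / s[2])
    return ip, port


def session_servers(algorithm, requests):
    """Replay requests [(peer_ip, headers), ...] through one algorithm
    ('hash' = IP Hash on the peer, 'xff' = IP Hash on X-Forwarded-For,
    'least' = Least Connection) and return {client key: set of servers}."""
    seen, active = {}, {}
    for peer, headers in requests:
        key = load_balance_ip(peer, headers, use_x_header=(algorithm == "xff"))
        if algorithm == "least":
            server = least_connection_server(active)
            active[server[0]] = active.get(server[0], 0) + 1  # connection stays open
        else:
            server = ip_hash_server(key)
        seen.setdefault(key, set()).add(server)
    return seen


# Constructed samples: one client logging in three times, and fifty clients
# arriving through a single upstream proxy at 198.51.100.7.
LOGIN_REQUESTS = [("203.0.113.10", {})] * 3
CDN_REQUESTS = [("198.51.100.7", {"X-Forwarded-For": f"203.0.113.{i}"}) for i in range(50)]

if __name__ == "__main__":
    print("IP Hash, one client     :", session_servers("hash", LOGIN_REQUESTS))
    print("Least Connection, same  :", session_servers("least", LOGIN_REQUESTS))
    print("behind proxy, peer hash :", {k: len(v) for k, v in session_servers("hash", CDN_REQUESTS).items()})
    print("behind proxy, XFF hash  :", len(session_servers("xff", CDN_REQUESTS)), "distinct client keys")
```

Replaying the three logins shows the Note's failure mode: IP Hash returns one server for all three, while Least Connection, with each earlier connection still open, spreads them over three servers. Replaying the fifty proxied clients shows why the XFF option exists: hashing on the peer address yields a single key, and therefore a single server, for every client.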

Step 6: Checking the results

Now, WAF is successfully deployed in the one-arm reverse proxy mode. WAF is used as the server proxy to provide web services. You can access the virtual IP address (192.168.2.2) of the protection site in WAF to use web services. In addition, WAF can implement basic web security protection for the three servers and distribute access traffic to different servers based on the load balancing algorithm. This prevents excessive traffic pressure on a single server.

You can customize the configurations of security protection for the site on the Acceleration,
Anti-defacement, Server Health Check, and Custom Error Page tabs. For more information, see
WAF WebUI User Guide.

Q&A

l Q: How can a server get the actual IP address of the client by using WAF?
A: WAF provides the following two methods for a server to get the actual IP address:

1. Select Site > Web Site. Click New. On the Site Configuration page, enable X-Forwarded-For. This way, WAF records the IP address of the client in the X-Forwarded-For HTTP header of the request that it sends to the server. Because a client can send an X-Forwarded-For header of its own, the server must take the client address only from the value that WAF adds (the rightmost address if the header contains several), not from a value the client supplied.

2. Select System > WAF Global Configuration > Global Parameter Configuration. On the page that appears, enable Source IP Transparent Transmit. This way, WAF uses the client IP address as the network-layer source IP address of the packets that carry the HTTP request to the server. Because the server then replies to the client IP address directly, the response traffic must be routed back through WAF.

l Q: Does WAF support load balancing based on XFF?
A: Yes. Select System > WAF Global Configuration > Global Parameter Configuration. On the page that appears, set the Using IP in X-Header parameter to Used as Load Balance IP. Then, select Site > Web Site. Click New to go to the Site Configuration page. On the Load Balance tab, set the Load Balance Algorithm parameter to IP Hash.

l Q: Does WAF support the WebSocket feature in one-arm reverse proxy mode?
A: Yes. Select Site > Web Site. Click New. On the Site Configuration page, enable WebSocket.

l Q: How can I access services that are not associated with web applications in the server when WAF is deployed in the network?
A: In one-arm reverse proxy mode, NAT configurations are required in certain scenarios to guarantee normal access to these services.

l Q: Which configurations are affected after I select System > WAF Global Configuration > Global Parameter Configuration > Reset Deployment Mode?
A: All network-related configurations are cleared, except the configurations of the management interface and its route. For example, sites, interface configurations, virtual switches, and virtual wires are cleared. This prevents network faults caused by improper configurations after the mode is switched.
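The Q&A "How can a server get the actual IP address of the client by using WAF?" appears in the traction, reverse proxy and one-arm reverse proxy sections, and in each case the server side has to be careful: an X-Forwarded-For header is only meaningful when the connection actually comes from WAF, and a client can put anything it likes in that header before WAF adds the real address. The following is an added example, not code from the Hillstone guide or from Hillstone, of the server-side logic: when the TCP peer is a trusted proxy, walk X-Forwarded-For from the right and skip trusted proxies; the first other address is the client. The WAF addresses the servers see (192.168.3.1 in traction and reverse proxy mode, 192.168.2.2 in one-arm mode) are taken from the guide; the request samples are constructed.

```python
"""Recover the real client address on a web server behind WAF (added example)."""
from ipaddress import ip_address, ip_network

# Proxies whose X-Forwarded-For additions are trusted: only the WAF interfaces
# that face the servers (addresses from the guide's examples).
TRUSTED_PROXIES = [ip_network("192.168.3.1/32"), ip_network("192.168.2.2/32")]


def is_trusted_proxy(addr):
    """True if addr is a valid IP address inside one of the trusted proxy networks."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip, headers):
    """Return the client address for a request.

    peer_ip: source address of the TCP connection as seen by the server
             (WAF's interface, or the client itself when Source IP
             Transparent Transmit is enabled).
    headers: request headers as a dict.

    If the peer is not a trusted proxy, any X-Forwarded-For header is
    untrusted and the peer is the client. Otherwise the rightmost address
    that is not a trusted proxy is the one WAF recorded for the client.
    """
    if not is_trusted_proxy(peer_ip):
        return peer_ip
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        if is_trusted_proxy(hop):
            continue
        try:
            return str(ip_address(hop))
        except ValueError:
            break  # malformed value: do not guess
    return peer_ip  # header absent or unusable: fall back to the proxy address


# Constructed requests: (peer address, headers).
SAMPLES = [
    ("203.0.113.10", {"X-Forwarded-For": "10.0.0.1"}),               # direct: spoofed header ignored
    ("192.168.3.1", {"X-Forwarded-For": "203.0.113.10"}),            # via WAF, X-Forwarded-For enabled
    ("192.168.3.1", {"X-Forwarded-For": "10.0.0.1, 203.0.113.10"}),  # client sent 10.0.0.1, WAF appended
    ("192.168.3.1", {}),                                             # via WAF, X-Forwarded-For disabled
    ("192.168.3.1", {"X-Forwarded-For": "not-an-ip"}),               # garbage in the header
    ("203.0.113.10", {}),                                            # Source IP Transparent Transmit
]

if __name__ == "__main__":
    for peer, hdrs in SAMPLES:
        print(peer, hdrs, "->", client_ip(peer, hdrs))
```

With Source IP Transparent Transmit enabled the peer address already is the client, so the same function returns it unchanged; with X-Forwarded-For enabled the function returns the address WAF appended even when the client injected its own value in front of it. Keep TRUSTED_PROXIES limited to the WAF interfaces the servers actually see, not to whole subnets that other hosts can use.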

Deploying Web Application Firewall (WAF) in Tap Mode
In Tap Mode, a tap interface receives a copy of the traffic to be inspected through port mirroring on a switch. WAF analyzes the copied traffic and reports the results. In this mode, WAF does not forward or interfere with the traffic in the network, so by itself it can only detect attacks, not block them. In most cases, WAF is therefore deployed together with a firewall: if attack traffic is detected, WAF reports the IP address blacklist to the firewall for blocking.

Network Topology

As shown in the above figure, a web server is deployed in the current network to provide web services. The IP address of the server is 10.180.11.22. WAF is deployed in the network through a bypass TAP to monitor the traffic that is sent to websites and analyze the behavior of the traffic for attack detection.
Then, a network cable (marked as the green line in the above figure) is used to connect WAF to a firewall (only firewalls developed by Hillstone Networks are supported). If attack traffic is detected, WAF reports the IP address blacklist to the firewall for blocking.

Before You Begin

l Make sure that WAF is bypassed on the switch based on the network topology.

l Make sure that WAF and the firewall are reachable through the router if they need to work together. In this case, a network cable is used to connect WAF to the firewall.

Deploy WAF in Tap Mode

Step 1: Selecting the tap mode and configuring the WAN interface in the configuration wizard

1. If this is your first time to access WAF, enter the default IP address 192.168.1.1 of the MGT interface in the address bar and press Enter. On the page that appears, log in to the WebUI.

l Select Deployment Mode: Tap Mode

l Tap Interface: ethernet0/1; Zone: tap-waf (This interface is used to connect to the switch.)

2. Click Next.

(Optional) If you do not use the configuration wizard, you can take the following steps:

1. Select System > WAF Global Configuration > Global Parameter Configuration. Select the Tap Mode, and then click OK.

2. Select Network > Interface. On the Interface page, double-click Interface ethernet0/1 that is connected to the switch. In the Ethernet Interface dialog box, configure the following options:

l Binding Interface: TAP

l Zone: tap-waf

l Firewall Linkage Configuration:

    l IP: 192.168.4.1

    l Port: 22

    l User: hillstone (specifies your own username)

    l Password: hillstone (specifies your own password)

3. Go back to the interface list and double-click Interface ethernet0/2 that is connected to the firewall. In the Ethernet Interface dialog box, configure the following options:

l Binding Interface: Layer 3 Interface

l Zone: trust

l Type: Static IP

l IP Address: 192.168.4.2

l Netmask: 24

4. Note: Set the IP address of the peer firewall interface to 192.168.4.1/24.

Step 2: Configuring a Default Site

1. Configure the default site.

l Default Site Discovery: Enable

l Maximum Number of Discoveries: 1000

2. Click Next.

(Optional) If you do not use the configuration wizard, go to Site > Site Self Discovery to make the configurations.

Step 3: Configuring DNS

1. Configure the DNS server IP addresses.

l Primary DNS Server IP: Specifies the actual IP address of the primary DNS server. In this example, set the value to 10.88.44.1.

l Secondary DNS Server IP 1: Specifies the actual IP address of the secondary DNS server. In this example, set the value to 10.188.44.1.

2. Click Next.

(Optional) If you do not use the configuration wizard, you can take the following steps:
1. Select Network > DNS > DNS Server. Click New. In the DNS Server Configuration dialog box, configure the following option:

l Server IP: 10.88.44.1 (You can specify this parameter based on the actual environment.)

Step 4: Configuring the system time

1. Enable Synchronize with Local Time.

2. Click Finish.

(Optional) If you do not use the configuration wizard, you can take the following steps:
1. Select System > Device Management > System Time. On the System Time Configuration page, select Sync Zone&Time.
2. In the Please Select Your Time Zone panel, select your time zone and click OK.

Step 5: Creating a site and configuring a security policy to protect the server

1. Select Site > Web Site and then click New. On the Site Configuration page, click the Basic tab and configure the following options:

l Name: Web-Server

l Status: Protect

l Type: HTTP

l Service: 10.180.11.22; 80 (Configure the IP address and port of the web server.)

l Domain: Any

2. If you deploy WAF for the first time, you need to configure the profile of the security policy. The configurations of other policies are optional. The system detects traffic based on the security policy. It does not block any traffic but generates alarm logs.

l Security Policy: policy_normal

l Check Request Body: Enable

l For other options, you can keep the default settings.

3. Click OK.

4. If you need to monitor other websites, repeat the above steps.

Step 6: Checking the results

Now, WAF is successfully deployed in the tap mode. This way, WAF can analyze the behavior of traffic from the client for attack detection. If attack traffic is detected, WAF sends alarm notifications to you. WAF also reports the IP address blacklist to the firewall for blocking.
Note: WAF can interact with a firewall not only in the tap mode but also in other modes. For other modes, you can configure the interaction based on the tap interface or Layer-3 interface and guarantee that WAF and the firewall are reachable through the router. This linkage achieves threat intelligence sharing in the internal network and thus protects web security of the internal network. This function is available only for the trust-vr virtual router, which means that the zone of the tap interface is bound to that router.

You can customize the configurations of security detection for the site on the Anti-defacement and Server Health Check tabs. For more information, see WAF WebUI User Guide.

Q&A

l Q: Which types of traffic security protection are supported by WAF and what are the restrictions of the protection function in tap mode?
A: WAF supports security protection for IPv4, IPv6, HTTP, and HTTPS traffic, and supports bidirectional detection between requests and responses. In the tap mode, WAF does not interfere with traffic and cannot modify packets. Therefore, WAF does not support the security detection functions that are related to packet modification, such as the content rewrite policy and machine traffic analysis.

l Q: What is the difference between selecting System > WAF Global Configuration > Global Parameter Configuration > Switch to Transparent Proxy and selecting System > WAF Global Configuration > Global Parameter Configuration > Reset Deployment Mode?
A: The Switch to Transparent Proxy function is available only in the transparent tap mode and tap mode. If you enable this function, the continuity of protection configurations such as site configurations is ensured. This helps the quick transfer from tap mode or transparent tap mode to transparent proxy mode. If you enable the Reset Deployment Mode function, all configurations related to the network are cleared, except the configurations of network and route management. For example, sites, interface configurations, virtual switches, and virtual wires are cleared. This prevents network faults caused by improper configurations after the mode is switched.

Transparent Tap Mode
In transparent tap mode, WAF can be simply and quickly deployed in the current network to forward traffic and detect and analyze attacks while the configurations of upstream and downstream devices are not modified. In this mode, you can directly deploy WAF as a plug-and-play device between network devices. The deployment is easy to use and widely applied in the network. This mode allows you to parse, detect, and forward MPLS packets.

Network Topology

As shown in the above figure, a web server is deployed in the current MPLS network. The IP address of the server is 10.1.1.1. WAF is deployed in transparent tap mode in the network to listen to web traffic that flows to the web server and detect and analyze attacks.

Before You Begin

Make sure that WAF is deployed in the current network based on the network topology.

Deploy WAF in the Transparent Tap Mode

Step 1: Selecting the transparent tap mode and configuring the LAN and WAN interfaces in the configuration wizard

1. If this is your first time to access WAF, enter the default IP address 192.168.1.1 of the MGT interface in the address bar and press Enter. On the page that appears, log in to the WebUI.

l Select Deployment Mode: Transparent Tap Mode

l LAN Interface: ethernet0/2; Zone: l2-trust (This interface is used to connect to the web server.)

l WAN Interface: ethernet0/3; Zone: l2-untrust (This interface is used to connect to the Internet.)

2. Click Next.

(Optional) If you do not use the configuration wizard, you can take the following steps:

1. Select System > WAF Global Configuration > Global Parameter Configuration. Select the Transparent Tap Mode, and then click OK.

2. Select Network > Interface.

l Double-click Interface ethernet0/3 that is connected to the Internet.

l In the Ethernet Interface dialog box, set the Binding Interface parameter to Layer 2 Interface, set the Zone parameter to l2-untrust, and then click OK.

3. Go back to the interface list and double-click Interface ethernet0/2 that is connected to the web server. In the Ethernet Interface dialog box, set the Binding Interface parameter to Layer 2 Interface, set the Zone parameter to l2-trust, and then click OK.

Step 2: Configuring the Virtual Wire

1. Configure the virtual wire.

l Virtual-wire Mode: Strict

l Configure other options as needed.

2. Click Next.

Step 3: Configuring a Default Site

1. Configure the default site.

l HTTP Default Site: enabled

l Minimum Number of Discoveries: 1000

l Configure other options as needed.

2. Click Next.

(Optional) If you do not use the configuration wizard, you can select Site > Site Self Discovery to configure a default site.

Step 4: Configuring DNS

1. Configure the DNS server IP addresses.

l Primary DNS Server IP: Specifies the actual IP address of the primary DNS server. In this example, set the value to 10.88.44.1.

l Secondary DNS Server IP 1: Specifies the actual IP address of the secondary DNS server. In this example, set the value to 10.188.44.1.

2. Click Next.

(Optional) If you do not use the configuration wizard, you can take the following steps:
1. Select Network > DNS > DNS Server. Click New. In the DNS Server Configuration dialog box, configure the following option:

l Server IP: 10.88.44.1 (You can specify this parameter based on the actual environment.)

Step 5: Configuring the system time

1. Enable Synchronize with Local Time.

2. Click Finish.

(Optional) If you do not use the configuration wizard, you can take the following steps:
1. Select System > Device Management > System Time. On the System Time Configuration page, select Sync Zone&Time.
2. In the Please Select Your Time Zone panel, select your time zone and click OK.

Step 6: Creating a site and configuring a security policy to protect the server

1. Select Site > Web Site and then click New. On the Site Configuration page, click the Basic tab and configure the following options:

l Name: Web-Server

l Status: Protect

l Type: HTTP

l Service: 10.180.11.22;80 (Configure the IP address and port of the web server.)

l Domain: Any

2. If you deploy WAF for the first time, you need to configure the profile of the security policy. The configurations of other policies are optional.

l Security Policy: policy_normal

l For other options, you can keep the default settings.

3. Click OK.

4. If you need to create another site, repeat Step 1 to 3.

Step 7: Enabling MPLS Inspection

1. Select Network > Global Network Parameters > Global Network Parameters.

l Non-IP and Non-ARP Packet: Forward

2. Click OK.

3. Select Network > VSwitch. Select vswitch1 to which the layer-2 interface belongs and click Edit.

4. On the VSwitch Configuration page, configure the following option:

l MPLS Inspection: Enabled

5. Click OK.

Note: Before you enable MPLS Inspection, you need to set the Non-IP and Non-ARP Packet parameter to Forward on the Network > Global Network Parameters > Global Network Parameters page.

Step 8: Checking the results

Now, WAF is successfully deployed in the transparent tap mode. This way, WAF can implement basic security protection for traffic from the client, which ensures the network security of the web server.

You can customize the configurations of security protection for the site on the Anti-defacement and Server Health Check tabs. For more information, see Configuring a Site.
For more information about policies, see IP Protection Policy, Access Control Policy, API Protection Policy, Security Policy, Auto-learning Policy, User Tracking Policy, and Content Rewrite Policy.

Q&A

l Q: How many layers of MPLS labels can be parsed by WAF?
A: WAF can parse at most five layers of MPLS labels. If the number of MPLS label layers exceeds 5, the packets are processed based on the action configured for the Non-IP and Non-ARP Packet parameter on the Network > Global Network Parameters > Global Network Parameters page.

l Q: What kinds of tap modes does WAF support?
A: The transparent tap mode and tap mode.

l Q: What deployment modes can be quickly switched to the transparent proxy mode?
A: The transparent tap mode and tap mode can be switched to transparent proxy mode by clicking Switch to Transparent Proxy on the System > WAF Global Configuration > Global Parameter Configuration page. This button ensures the continuity of protection configurations such as sites.

Appendix

Format Requirements and Conversion Methods of SSL/TLS Certificates and Keys

Format Requirements

If you add HTTPS sites to WAF, the key files and certificate files of the sites that use the SSL/TLS protocol need to meet the following requirements:

l Key files: The files need to be in the PKCS#1 or PKCS#8 (unencrypted) format.

l Certificate files: The files need to be in the PKCS#7, PKCS#12-DER, or PEM format.

If the formats of the key files and certificate files are different from those supported by the system, you need to convert the formats and then add the files to WAF. This section describes how to convert other formats to the supported formats.

Notes: For HTTPS websites encrypted by GM standard keys, we recommend that you use key files and certificate files that are issued by the corresponding authorities instead of converting their formats. If their formats are not supported, we recommend that you contact the authorities to change the files. The format conversion is complex and you can seek technical help from Hillstone Networks.

Conversion Methods of SSL/TLS Keys

The following are the formats of PKCS#1 and PKCS#8 (unencrypted) keys. You can compare the formats of different key files in Notepad; the BEGIN line identifies the format.

l Format of PKCS#1 keys (supported by WAF):

-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDo95Gbw0pM2WTK0l8/CpYxXswdnpWkU5SrZBpYKnFY+TvnNHFX
Wn7r/K+tolGvMBEBpb57GqB5/xIbJ2clGGYYCiwFsMOelDcciwMpa2bMftDGJxig
fmUK+0/fEt6bxVKGdfMWb8TTbOvBg9kpvcD+jKuaM8mERwngdeco7kxF8wIDAQAB
AoGAZZDpblsp3W85viMRW06mREfr/U3SN54oxsARrDZ0zDF8qEP41fiiNQgpHy4R
Jqtx/qHf9ZOaOxW1MxluooGMoEF1QRYjHz5GDDdO/OIPvmvsKmDyHBMDx1cNkUwt
qir0mlso8spKgYh57CXGUv+7X3fogGed7vlr4kwzjIe5ESECQQD4s8xdbUeG/itD
8bl7Cf+jAoKtAARvA6zk/D1xL79tO1Qn6bI5bbWaYH+m4xay0p0W28WclCrAGE5n
7FJuF1BVAkEA782R/1P/hQWG0qInkeudjcKquE8KU9WuRSkWRdYVbjbnC2HA73BG
+Z0ZgsR3REnis/5GfKFq82dOGkGT/VflJwJAD2c7YhHxmyfE0Dl5bmhpH9R4+XQF
0kZc//WrbIYzifVhufMcabgkxkHxxglMj5jBx/emnpMCrtESkhct58mj3QJAa47F
5EL1weFXtpQasX1/3nyo/CAfnriiAM1L+yjp1dR0TwuacQroGr+XGKssX4nQUDFF
xlLUWLZGNsqhKSnKUwJBAMqo+3M5EgmYw/1hGTw7046AXw824PMZJzmBvwHctf4C
o3Q9Z0QW6ct0YxE9ZLqUD9g3SEzcTBJW2RXx4qnwIIA=
-----END RSA PRIVATE KEY-----

l Unencrypted format of PKCS#8 private keys (supported by WAF):

-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAOj3kZvDSkzZZMrS
Xz8KljFezB2elaRTlKtkGlgqcVj5O+c0cVdafuv8r62iUa8wEQGlvnsaoHn/Ehsn
ZyUYZhgKLAWww56UNxyLAylrZsx+0MYnGKB+ZQr7T98S3pvFUoZ18xZvxNNs68GD
2Sm9wP6Mq5ozyYRHCeB15yjuTEXzAgMBAAECgYBlkOluWyndbzm+IxFbTqZER+v9
TdI3nijGwBGsNnTMMXyoQ/jV+KI1CCkfLhEmq3H+od/1k5o7FbUzGW6igYygQXVB
FiMfPkYMN0784g++a+wqYPIcEwPHVw2RTC2qKvSaWyjyykqBiHnsJcZS/7tfd+iA
Z53u+WviTDOMh7kRIQJBAPizzF1tR4b+K0PxuXsJ/6MCgq0ABG8DrOT8PXEvv207
VCfpsjlttZpgf6bjFrLSnRbbxZyUKsAYTmfsUm4XUFUCQQDvzZH/U/+FBYbSoieR
652Nwqq4TwpT1a5FKRZF1hVuNucLYcDvcEb5nRmCxHdESeKz/kZ8oWrzZ04aQZP9
V+UnAkAPZztiEfGbJ8TQOXluaGkf1Hj5dAXSRlz/9atshjOJ9WG58xxpuCTGQfHG
CUyPmMHH96aekwKu0RKSFy3nyaPdAkBrjsXkQvXB4Ve2lBqxfX/efKj8IB+euKIA
zUv7KOnV1HRPC5pxCugav5cYqyxfidBQMUXGUtRYtkY2yqEpKcpTAkEAyqj7czkS
CZjD/WEZPDvTjoBfDzbg8xknOYG/Ady1/gKjdD1nRBbpy3RjET1kupQP2DdITNxM
ElbZFfHiqfAggA==
-----END PRIVATE KEY-----

l Encrypted format of PKCS#8 private keys (not supported by WAF):

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICoTAbBgkqhkiG9w0BBQMwDgQIEm+q5rua+vUCAggABIICgKWPmmmmAXforVcJ
mLiJZxeFSfe/Vbm3IwUO4ENMDyko3ueb5Rc3lCkEwvc14LWXuJxxNMGr3NNE4pWv
vd0LmwtImaOCZiXoCoI3lKdxH7hcVeJEl+me6odHqWA2NzQSW+8om3x8NRA//TMh
hy8BRn+M7PhMzEngavu2mB5AlLPDUl9yf7PLBEd1uoOhUT1o08p0u8lALETjpZYf
QnlkeTyPjXZmq4B6OKqNcEnscu7agbu0TLw6YHKqtCpKBVcJZ/91YlsAeesOasVT
4b8ZmPtWDYkArsXVYMkFQfnxJHn/frqYXwrxwX7U0dy3sdBomPskGw0OqwnwCaTx
bxWmwPBgnFmPzsIZJ2kD3zqWlEuOgS6zT0+Gbmb/h6AvYb7lePO5qvNQhaVd659T
TFcPQxwfSkfKM0pkAunvGIcNBQGCcFuIk0mJ/z7Wpw3ElEdduIn17uCPgckBEFBF
VWQ7ukGG7UV/LrueSuDz+QJhdeDmSPht2b2n41EinDBVf18vRAXvOXtvD54cviCn
35xBLFBRzDmTBrfIUfmeJvoMQKBBVGkOZEvSUREFVSm5R32ZrJI+BIgFkn7Yu++A
6B2rq5JDrK2Gdaszi/71cHl42lsf2j43f2cWM9Q5KuT+7Z4hK+NcYGpHZQBRPCSq
5vAOsmjxxvPlCYEql09tYXDhMPIXp5nw7k1pQl9Na1Fd0QDPIiMAUyHPqCkV0KqT
G0pprTPVDpIToHTvRJ5/5KitASgeORjICKSaSqws9bRaINUVusiMaGiW/JVSjBmU
r9zTALMyyd8y7DFgL0tNsbfKO7WoTfLXp/nrWrkHrFMrPPE32U1RKMHKXA35fb+S
4sNRVAg=
-----END ENCRYPTED PRIVATE KEY-----

To convert an encrypted PKCS#8 key to the unencrypted PKCS#8 key format, you can use either of the following commands in Linux (both prompt for the passphrase of the encrypted key):

openssl rsa -in an.key -out test.key

openssl pkcs8 -topk8 -inform PEM -in rsa_pkcs8_enc.key -outform PEM -nocrypt -out rsa_pkcs8_no_enc.key

l an.key / rsa_pkcs8_enc.key - The name of the PKCS#8 key file in the encrypted format to be converted.

l test.key / rsa_pkcs8_no_enc.key - The name of the key file in the converted unencrypted format. The second command always writes unencrypted PKCS#8 (BEGIN PRIVATE KEY); the first writes PKCS#1 (BEGIN RSA PRIVATE KEY) with OpenSSL 1.x and unencrypted PKCS#8 with OpenSSL 3.x. Both outputs are accepted by WAF.

Conversion Methods of SSL/TLS Certificates

Certificates are usually in the Distinguished Encoding Rules (DER), PKCS#7 (also known as P7B), PKCS#12 (also known as PKCS 12, p12, and pfx), or PEM format. If you cannot determine the encoding format of a certificate based on its file name extension, you can open the certificate in Notepad and compare its format with the PEM format to check whether they are the same.

l PEM certificates (supported by WAF; they usually contain the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines):

l PKCS#7 certificates (supported by WAF; they usually contain the -----BEGIN PKCS7----- and -----END PKCS7----- lines):

l PKCS#12-DER certificates (supported by WAF; you need the password they were encrypted with to open them)

For certificates in other formats, you need to convert the formats by using the following methods:

l Recommended method: convert to PKCS#7 certificates in the Windows environment

l Prerequisite: change the certificate file name extension from "pem" to "crt"

1. Double-click the test.crt certificate in the Windows environment.

2. In the Certificate dialog box, click the Certificate Path tab. In this tab, you can view all certificates in the path. "DST Root CA X3" is the root certificate, "Let's Encrypt Authority X3" is the intermediate certificate, and "www.nbdhyu.edu.cn" is the end-entity certificate.

3. Click the Details tab and then Copy to File to export the certificate chain file that contains all certificates.

4. Select Cryptographic Message Syntax Standard and then Include all certificates in the certification path if possible. Then, click Next.

5. Enter the file name "test.p7b" and click Next.

6. Wait until a message that indicates a successful export appears and click Finish. A file named "test.p7b" is generated on your PC.

1. Linux

1. To convert a DER certificate to a PEM certificate, run the following command:

openssl x509 -inform der -in certificate.cer -out certificate.crt

l certificate.cer - the DER certificate

l certificate.crt - the PEM certificate

2. To convert a PKCS#7 certificate to a PEM certificate, run the following command:

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.crt

l certificate.p7b - the PKCS#7 certificate

l certificate.crt - the PEM certificate

3. To convert a PKCS#12 certificate to a PEM certificate, run the following command:

openssl pkcs12 -in certificate.pfx -out certificate.crt -nodes

l certificate.pfx - the PKCS#12 certificate

l certificate.crt - the PEM certificate
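The key-format section above tells you to identify a file by opening it in Notepad and comparing its BEGIN line, and the certificate section lists the openssl conversions for each unsupported format. The following added example (not part of the Hillstone guide or product) automates that identification: it classifies a key or certificate file by its PEM header or, for binary files, by the first element inside the DER SEQUENCE, then reports whether the format is accepted by WAF as-is and which of the guide's openssl commands converts it. The file names in the commands are the guide's placeholders; the `-inform der` flag on the PKCS#7 command and the assumption that a binary (DER) PKCS#7 file needs converting to PEM are mine, not statements from the guide.

```python
# Added example: classify an SSL/TLS key or certificate file the way the
# appendix tells you to do by eye, and map it to the openssl conversion.
# Not Hillstone code; file names in the commands are the guide's placeholders.
import re
from typing import Optional

# PEM BEGIN labels discussed in the appendix -> (format name, accepted by WAF unchanged)
PEM_LABELS = {
    "RSA PRIVATE KEY": ("PKCS#1 private key", True),
    "PRIVATE KEY": ("PKCS#8 unencrypted private key", True),
    "ENCRYPTED PRIVATE KEY": ("PKCS#8 encrypted private key", False),
    "CERTIFICATE": ("PEM certificate", True),
    "PKCS7": ("PKCS#7 certificate", True),
}

# Conversions quoted in the appendix. "-inform der" on the pkcs7 command is an
# assumption for a binary .p7b; the guide only shows the PEM-input form.
CONVERSIONS = {
    "PKCS#8 encrypted private key":
        "openssl pkcs8 -topk8 -inform PEM -in rsa_pkcs8_enc.key "
        "-outform PEM -nocrypt -out rsa_pkcs8_no_enc.key",
    "DER certificate":
        "openssl x509 -inform der -in certificate.cer -out certificate.crt",
    "PKCS#7 certificate (DER)":
        "openssl pkcs7 -inform der -print_certs -in certificate.p7b -out certificate.crt",
    "PKCS#12 certificate":
        "openssl pkcs12 -in certificate.pfx -out certificate.crt -nodes",
}

_PEM_HEADER = re.compile(rb"-----BEGIN ([A-Z0-9 ]+?)-----")
# DER encoding of OID 1.2.840.113549.1.7.2 (id-signedData), the PKCS#7 content type
_SIGNED_DATA_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"


def _der_first_inner(data: bytes) -> Optional[bytes]:
    """Return the bytes starting at the first element inside a top-level DER
    SEQUENCE, or None if the data does not begin with a SEQUENCE header."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first_len = data[1]
    if first_len < 0x80:                 # short-form length: one octet
        start = 2
    else:                                # long form: low 7 bits = number of length octets
        start = 2 + (first_len & 0x7F)
    return data[start:] if start < len(data) else None


def classify(data: bytes) -> dict:
    """Classify a key/certificate file and say what WAF needs done with it."""
    m = _PEM_HEADER.search(data)
    if m:
        label = m.group(1).decode()
        fmt, supported = PEM_LABELS.get(label, (f"unknown PEM type {label}", False))
    else:
        inner = _der_first_inner(data)
        if inner is None:
            fmt, supported = "unknown", False
        elif inner[:1] == b"\x30":           # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE ... }
            fmt, supported = "DER certificate", False
        elif inner[:3] == b"\x02\x01\x03":   # PFX ::= SEQUENCE { version INTEGER v3(3) ... }
            fmt, supported = "PKCS#12 certificate", True   # PKCS#12-DER is accepted by WAF
        elif inner.startswith(_SIGNED_DATA_OID):  # ContentInfo { contentType id-signedData ... }
            fmt, supported = "PKCS#7 certificate (DER)", False
        else:
            fmt, supported = "unknown", False
    return {"format": fmt, "supported": supported, "convert_with": CONVERSIONS.get(fmt)}


if __name__ == "__main__":
    # Constructed samples: PEM headers only, and hand-built DER prefixes (not real files).
    samples = {
        "pkcs1.key": b"-----BEGIN RSA PRIVATE KEY-----\nMIICXAIB...\n-----END RSA PRIVATE KEY-----\n",
        "enc.key": b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIICoTAb...\n-----END ENCRYPTED PRIVATE KEY-----\n",
        "cert.cer": b"\x30\x82\x02\x00\x30\x82\x01\x00",
        "cert.pfx": b"\x30\x82\x0a\x00\x02\x01\x03\x30\x00",
        "chain.p7b": b"\x30\x82\x05\x00" + _SIGNED_DATA_OID,
    }
    for name, blob in samples.items():
        info = classify(blob)
        print(f"{name}: {info['format']}; accepted as-is: {info['supported']}; "
              f"convert with: {info['convert_with'] or 'n/a'}")
```

The classifier deliberately reads only the outer header: a PKCS#12 file starts with an INTEGER version 3, an X.509 DER certificate with the nested tbsCertificate SEQUENCE, and a DER PKCS#7 bundle with the id-signedData OID, so a few bytes distinguish the three without parsing the whole structure. PKCS#12 is reported as accepted because the appendix lists PKCS#12-DER as supported, while the conversion command is still offered for cases where you want the PEM chain.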

2. Windows

l The DER certificate (usually ends with .cer):

1. Double-click the certificate, click the <Details> tab, and then click “Copy to File”.

2. Select “Base-64 encoded...” and click Next.

l The PKCS#7 certificate:

1. Right-click the certificate and select “Install Certificate”. On the “Certificate Store” page, select “Place all certificates in the following store” and then “Personal”.

2. Click OK and then Next. Wait until a message that indicates a successful import appears, as shown in the following figure.

3. Select “Control Panel > Network and Internet > Network and Sharing Center > Internet Options”. In the Internet Options dialog box, click the <Content> tab and then “Certificates”.

4. Select the certificate and click Export.

5. Select “Base-64 encoded...” and click Next.

l The PKCS#12 certificate:

1. Right-click the certificate and select “Install Certificate”. On the “Private key protection” page, enter a random password, select “Include all extended properties”, and then click Next.

2. On the “Certificate Store” page, select “Place all certificates in the following store” and then “Personal”.

3. Click OK and then Next. Wait until a message that indicates a successful import appears, as shown in the following figure.

4. Select “Control Panel > Network and Internet > Network and Sharing Center > Internet Options”. In the Internet Options dialog box, click the <Content> tab and then “Certificates”.

5. Select the certificate and click Export.

6. On the “Certificate Import Wizard” page, select “No, do not export the private key” and click Next.

7. Select “Base64 encoded...” and click Next.

Notes: The file name extension of the exported certificate is not .crt but can be renamed to .crt.

Dashboard
The dashboard contains two parts, threat overview and system overview. You can view the threat information and system information respectively.

Attack Severity
This view shows the number of threats of different severity within the specified statistical period.

TOP10 Sites Attack Statistics

This view shows the top 10 attacked sites (ranked by the number of attacks), the severity of the attacks and the number of attacks. Click on a site's statistics to jump to the corresponding site's threat details.

Dashboard 125
Attacker
This view shows the geographical distribution of all attack sources within the specified period, and also shows the IP addresses of the Top 10 attack sources, the victim site, the severity of the attack on the victim site and the number of attacks. Click the site link to jump to the site's threat details. The system can be linked with Hillstone CloudVista, which then provides threat intelligence analysis of attackers' IP addresses. When the analysis is completed, the system marks the threat intelligence with a Red (malicious threat intelligence), Orange (suspicious threat intelligence), or Green (normal threat intelligence) icon. Hover your mouse over the icon and click to go to Hillstone CloudVista, where you can view detailed threat intelligence of the attacker's IP address.

Notes:
l Before implementing linked threat intelligence analysis with Hillstone CloudVista, install the threat intelligence license in advance and enable CloudVista in System > Connecting to Hillstone Cloud Service Platform.

l IPv6 addresses are not supported in the linked threat intelligence analysis.

Threat Event Type

This view shows the number of times each threat type has been blocked or detected.

Defacement Alert
This view shows the defaced sites.

System Overview
You can view the following information:

l Top 10 Sites Hit Count: displays the trend of hits of the Top 10 sites.

l Top 10 Site Traffic: displays the traffic trend of the top 10 sites that are ranked by access requests.

l WEB Total Traffic: displays the trend of all Web traffic (HTTP/HTTPS traffic) passing through the device.

l WEB Engine Traffic: displays the trend of all Web traffic (HTTP/HTTPS traffic) processed by the WAF engine.

l HTTP&HTTPS Traffic: displays the trend of the HTTP&HTTPS traffic processed by the WAF engine.

l IPv4/IPv6 Traffic: displays the trend of the IPv4 and IPv6 traffic processed by the WAF engine.

l WEB Engine TPS&CPS Statistics: displays the trends of transactions per second (TPS) processed by the device engine and new connections per second (CPS) of the device engine.

l Max Concurrent Connection: displays the trends of the maximum number of concurrent connections of the entire device and the device engine.

l Access Source: displays the countries/regions where the Top 10 and the Top 5 access source IP addresses (ranked by access counts) belong.

l Browser Statistics: displays the browser the client uses to access the WAF engine.

l Operating System Statistics: displays the operating system the client uses to access the WAF engine.

l Access Time: displays the trend of the average, maximum, and minimum amount of time the WAF engine needs to perform an HTTP transaction after receiving a request.

l Server Response Time: displays the trend of the average, maximum, and minimum response time of servers that are protected by the WAF engine.

l Average Time of Engine Detection: displays the trend of the average time consumed by the WAF engine to detect traffic within the statistical period.

l Network Layer Protection: displays the network layer threats and the number of attacks, the source of attacks, and the last attack time.

l System and Signature Database: displays the serial number, hostname, platform, firmware, boot file, WAF signature version, etc.

l Physical Interface: displays the state, IP, upstream and downstream speed, and total speed of each physical interface.

l System Status: displays the CPU utilization, CPU utilization of the WAF engine, memory utilization, disk space utilization, engine CPU utilization, engine memory utilization, utilization of engine concurrent connections, CPU temperature and chassis temperature, and fan status.

l License: displays the information of the licenses which are supported by the system, including the license types and corresponding valid time.

The system supports predefined and custom statistical periods. Click the statistical period icon in the upper-right corner of each section to set the statistical period:
Real-time: Displays the current statistical information.
Last 60 Minutes: Displays the statistical information within the last 60 minutes.
Last 24 hours: Displays the statistical information within the last 24 hours.
Last 7 Days: Displays the statistical information within the last 7 days.
Last 30 Days: Displays the statistical information within the last 30 days.

Click the refresh icon to refresh the current statistics. Click the collapse or expand icon to close or expand the current frame.

Sites
The site function is the core of WAF. Each site is a basic unit for the administrator to monitor and configure. The Site module includes Web Site and Site Self Discovery.

l Web Site: Introduces how to search for, create or configure a site, how to configure advanced protection functions (such as Auto-learning and External Link Rewriting), and how to perform batch operations.

l Site Self Discovery: Introduces how to configure site self-discovery, and how to quickly search for and add a site.

Sites 130
Web Site
The site function is the core of WAF. Each site is a basic unit for the administrator to monitor and configure. Sites can be divided into the default sites (default and default_https) and custom sites. In the system, you can determine a site or web service by its IP address, port number, domain, and VR. Both IPv4 addresses and IPv6 addresses are supported.
When you log in to the device for the first time, you can go to the Site Self Discovery page and enable the Default Site Discovery function. This way, the system monitors the HTTP and HTTPS traffic in the network. For websites which are discovered more than the specified number of times, the system protects them through the default site. The default site performs basic security monitoring and protection for websites, and typically applies to initial security protection for rapidly deployed devices. To provide comprehensive protection, you need to customize a site and configure targeted and specific protection policies as needed.

Notes: For default sites, take note of the following items:

l In Transparent Proxy Mode and Traction Mode, the default sites of HTTP/HTTPS are supported. In Transparent Tap Mode and Tap Mode, the default site of HTTP is supported.

l The default site displays only part of the site protection configurations.

l In Traction Mode, from WAF3.4.10, the default sites of HTTP/HTTPS are supported. If the version rolls back to a version earlier than WAF3.4.10, the default sites are cleared.

l In Traction Mode, when upgrading from a version earlier than WAF3.4.10 to WAF3.4.10 or later, if the number of sites has reached the upper limit before the upgrade, no default sites are added. The maximum number of sites supported by devices varies based on their models.

l In Transparent Proxy Mode, Traction Mode, Transparent Tap Mode, and Tap Mode, when upgrading from a version that does not support default sites to a version that supports default sites, if a custom site named default or default_https (default_https exists only in Transparent Proxy Mode and Traction Mode) already exists before the upgrade, the custom site name will be changed to userdef_default or userdef_default_https after the upgrade.

Searching for a Site

Assume that a large number of protected sites are configured in the system. To search for a site, go to Site > Web Site, click the filter icon and select a filter condition. Sites can be filtered by Name, Type, Service (IPv4), Domain, Virtual Router, SSL/TLS Certificate Chain, and Description.

Site Configurations
To modify the site configuration of a site, take the following steps:

Select Site > Web Site. Select the site that you want to modify and click the edit icon. Creating a site is basically the same as configuring a site, including:

l Basic Configurations

l Configuring Load Balancing: Only in the reverse proxy mode and the one-arm reverse proxy mode can the function be configured.

l Configuring more protections: Includes Acceleration, Anti-defacement, Server Health Check, and Custom Error Page.

Viewing the Auto-learning Profile

Auto-learning complements the protection settings. After the function is enabled, the device learns from the URLs filtered by the access control policy and security policy: it observes the traffic and quickly generates a profile tailored to that site's traffic. You can then switch the learning mode to the protected mode to protect the learned URLs.
To view the auto-learning profile of a site, take the following steps:
Select Site > Web Site. Select the site whose auto-learning profile you want to view and click Auto-learning from the Advanced Protection Functions drop-down list. For more information about how to configure auto-learning, see Configuring Auto-learning.

External Link Rewriting

WAF supports external link rewriting, which rewrites an external IPv4 address into an IPv6 address so that a website can be upgraded to IPv6. For more information, see External Link Rewriting.

Rule Exception
Rule exceptions are a set of exception items. Traffic that matches a rule exception is exempted from the rule. Rule exceptions can be created from Web security log entries or manually. For more information, see Configuring a Rule Exception.

Weak Password
Hillstone WAF can detect accounts with weak passwords and collect related statistics. For more information about weak password configuration, see Configuring a Weak Password.

Batch Operation
You can modify sites in batches. Batch operations include adjusting site protection status,
enabling Web access log, configuring site security policies, etc. For more information, see Batch
Operation.

Configuring a Site
Configuring a site includes:

• Basic Configurations

• Configuring Load Balancing: available only in the reverse proxy mode and the one-arm reverse proxy mode.

• Configuring more protections: includes Acceleration, Anti-defacement, Server Health Check, and Custom Error Page.

To configure a site, take the following steps:

1. Select Site > Web Site.

2. Click New to go to the Site Configuration page.

3. On the Basic tab of the Site Configuration page, configure the following options:

Option Description

Name: Specifies the name of the site. The name must be unique.

Description: Describes the site as needed.

Status: Specifies the status of the site. Valid values: Protect, Forward, and Maintain. The site list shows an icon for the current status.

  • Protect: The system performs protection, health check, and acceleration on the site according to the configuration.

  • Forward: The system only forwards requests to the site and does not perform protection.

  • Maintain: The site is under maintenance and the system blocks all requests to the site.

  Note:

  • The availability of a status depends on the deployment mode. Maintain is not supported in the transparent tap mode and tap mode.

  • Forward is not supported in any of the following cases:

    • The load balancing server contains a domain name.

    • The IP address types of the load balancing server and the site service are not the same, for example IPv4 for the load balancing server and IPv6 for the site service.

    • The site service has the same IP-port pair as another site.

    • The HTTPS site has the SSL Offload function enabled.

Virtual Router: Specifies the virtual router where the LAN port and WAN port belonging to the site are located. The LAN port and WAN port of the same site need to be configured under the same virtual router. Only the reverse proxy mode, one-arm reverse proxy mode and traction mode support this option. Application scenario: when two or more sites protected by WAF share the same IP, port and domain, specify a virtual router to distinguish them. By default you can select the two default virtual routers, trust-vr and mgt-vr; to use more virtual routers, enable the multiple virtual router mode first. For more information, refer to Virtual Router.

Type: Specifies the transmission protocol for the site, HTTP or HTTPS. HTTPS is supported in the transparent proxy mode, reverse proxy mode, one-arm reverse proxy mode and traction mode.

Service: Specifies the IP, IP range, IPv4/netmask or IPv6/prefix length of the web server, together with the port or port range of the service. You can add one or more services. Both IPv4 and IPv6 addresses are supported, but only one address type can be entered in a row; the same site can have both IPv4 and IPv6 rows. Connect the start IP and the end IP of an IP range with "-" and separate multiple ports with ",". Each "IP range + port range" combination defines a web service (a single IP or port is treated as a range whose start and end are the same). The system splits and deduplicates the "IP range + port range" combinations of all services of the site and protects every resulting web service. Click New to add a row for another web service. You can add up to 128 rows.
  Note: In reverse proxy mode and one-arm reverse proxy mode, take note of the following limits before you configure the site service:

  • If the site status is Forward, the IP address type of the site service needs to be the same as that of the load balancing server. For example, if the load balancing server uses IPv4, the site service cannot use IPv6.

  • If the site status is Forward, the IP-port pair of the site service cannot be the same as that of any other site.

  • If the site status is Forward or Maintain, the site service cannot use the same IP-port pair as another site in the Forward status.

Domain: To protect all domains, select Any. In this case, to require users to access the site through a domain name rather than an IP address, select Forbidden Domain with IP Access. To protect specific domains, clear Any and click New to enter each domain name. You can add multiple domains (IPv4 and IPv6 addresses are also accepted).

HTTP/2: Supported only in the traction mode, one-arm reverse proxy mode, and reverse proxy mode. If enabled, clients can connect to WAF over HTTP/2.
  Note: With this function enabled, the client-side SSL Protocol must include at least TLSv1.2 or TLSv1.3.

Redirect HTTP to HTTPS: Enable this function and configure the port(s) (up to 4) from which HTTP requests are redirected. HTTP requests arriving at a specified port of the site are redirected to the site's HTTPS port, so the Service must contain exactly one HTTPS port. In addition, the combination of the HTTP port with the site's "IP + Domain" must not match any other site's "IP + HTTP Port + Domain" combination in the system; otherwise the configuration fails.
Type: Specifies the encryption type of the HTTPS website.

SSL Offload: Optional. Click the button to enable SSL Offload.

  • When enabled, the device decrypts the HTTPS traffic from the client and sends the decrypted data to the web server in plaintext; in the other direction it encrypts the data from the server before sending it to the client. You only need to specify the SSL protocol and cipher suite for the client-to-device connection. Because the device-to-server leg is then unencrypted, keep it on a trusted network segment.

  • When disabled, the device decrypts the HTTPS traffic from the client, inspects it, then re-encrypts the packets and sends them to the web server in ciphertext. You need to specify the SSL protocol and cipher suite for both the client-to-device and the device-to-server connections.

  Note:

  • When SSL Offload is enabled and the site is in the Forward status, the site status automatically changes to Maintain and the Fail-open function does not take effect for the site.

  • In transparent proxy mode, traction mode, reverse proxy mode, and one-arm reverse proxy mode, SSL Offload and Forward Unprotected Traffic cannot be enabled at the same time.
SSL/TLS

Client:

  • SSL Protocol: Specifies the SSL/TLS protocol version(s) for data transmission between a client and the device. You can select one or more versions as needed.

  • SSL/TLS Encryption Suite: Specifies the SSL/TLS cipher suites for data transmission between a client and the device. There are three levels: Medium, High and Custom.

    • Medium: Includes cipher suites at the medium and high encryption levels.

    • High: Includes cipher suites at the high encryption level only.

    • Custom: Allows you to select one or more supported cipher suites.

  • SSL/TLS Certificate Chain: Select the SSL/TLS certificate chain from the drop-down list. You can search for the certificate chain by name in the search box, or click the add button to create a new certificate chain. For more information about how to create a certificate chain, see Creating Certificate Chain.
    Certificate Chain Check: After the site is created, you can check whether the certificate chain configured on the WAF site is consistent with the certificate chain on the web server. For more information, see Certificate Chain Check.

  • Verify Client Certificate: Enable this function and configure the SSL/TLS CA Certificate Chain used for verification. With this function enabled, the system verifies the certificate presented by the client against the specified CA certificate chain. If verification fails, the client cannot access the website.

  • SSL/TLS CA Certificate Chain: Select the SSL/TLS CA Certificate Chain from the drop-down list. You can search for the certificate chain by name in the search box, or click the add button to create a new certificate chain. For more information about how to create a certificate chain, see Creating Certificate Chain.

Server:

  • SSL Protocol: Specifies the SSL/TLS protocol version(s) for data transmission between the device and the server. You can select one or more versions as needed.

  • SSL/TLS Encryption Suite: Specifies the cipher suites for data transmission between the device and the server. There are three levels: Medium, High and Custom.

    • Medium: Includes cipher suites at the medium and high encryption levels.

    • High: Includes cipher suites at the high encryption level only.

    • Custom: Allows you to select one or more supported cipher suites.
Policy

IP Protection Policy: Select an IP protection policy. For more information about how to create an IP protection policy, see IP Protection Policy.

Access Control Policy: Select one or more access control policies. Click + to add more policies. For more information about how to create an access control policy, see "Access Control Policy" on Page 206.

API Protection Policy: Select an API protection policy. For more information about how to create an API protection policy, see "API Protection Policy" on Page 214.

Security Policy: Select a security policy. You can choose a predefined or user-defined policy. For more information about how to create a user-defined security policy, see "Security Policy" on Page 225. Alarm Only: With this option enabled, the system only generates the related logs; the protection action configured in the referenced security policy does not take effect. You can view the corresponding logs on the Web security log page.

Auto-learning Policy: Select an auto-learning policy. You can choose a predefined or user-defined policy. For more information about how to create an auto-learning policy, see "Auto-learning Policy" on Page 269.

User Tracking Policy: Select a user tracking policy. For more information about how to create a user tracking policy, see User Tracking Policy.

Content Rewrite Policy: Select one or more content rewrite policies. For more information about how to create a content rewrite policy, see "Content Rewrite Policy" on Page 275.

Web Access Log: If enabled, the system records access to the website in web access logs. The Web Access Log page displays information such as the client IP, site name, domain name, requested URL, and protocol. With the function enabled, you can set filter conditions so that only matching accesses are logged, which reduces redundant logs. The filter conditions are as follows:

  • Match URI Path: Specifies the URL path(s) for which the system records Web access logs. After a URL path is specified, the system logs only accesses to that path. A maximum of eight URL paths can be specified. If this parameter is not specified, access to any URL path is logged.

  • Match IP: Specifies the client IP address(es) for which the system records Web access logs. After this parameter is specified, the system logs only accesses from those client IP addresses to the site. A maximum of eight IP addresses (IPv4 or IPv6) can be specified. If this parameter is not specified, access from any client IP address is logged.

  • Exclude Method: Specifies HTTP request methods for which the system does not record Web access logs. If this parameter is specified, the system does not record an access log when a client accesses the site using one of these methods. By default, the HTTP request methods excluded from Web access logging are GET, HEAD, POST, PUT, and DELETE.

  • Exclude File: Specifies file types for which the system does not record Web access logs. After this parameter is specified, the system does not record logs when clients access files of those types. By default, the excluded file types are css, js, png, bmp, jpeg, gif, jpe, jpg, flv, swf, mp4, mp3, and avi.

Advanced Configuration

PING: Available only in the reverse proxy mode and one-arm reverse proxy mode. If enabled, the system answers PING requests sent to a site IP address that is not an interface IP address.

ARP/ND: Available only in the reverse proxy mode and one-arm reverse proxy mode. If enabled, the system answers ARP or ND requests for a site IP address that is not an interface IP address.
  Note: In a high availability environment, only the primary device supports this function.

X-Forwarded-For: Available only in the traction mode, reverse proxy mode, and one-arm reverse proxy mode. If enabled, the forwarded packets include an X-Forwarded-For header carrying the client's real IP address, which the web server can read. Because any client can also send an X-Forwarded-For header of its own, the web server should trust the value only on requests that arrive from the WAF.

WebSocket: With this function enabled, WebSocket traffic is passed through. Supported in the reverse proxy mode, one-arm reverse proxy mode and traction mode. In the transparent proxy mode, WebSocket traffic is passed through by default.

Proxy Connection Association: Available only in the one-arm reverse proxy mode, reverse proxy mode, and traction mode. With the function enabled, the client-to-WAF and WAF-to-web-server legs of an access request are tied to a single TCP connection. This applies to scenarios where authentication requests must stay within one TCP connection, for example when WAF proxies authentication requests to an Outlook email server.

RPC Over HTTP: If enabled, the system supports the RPC over HTTP protocol, which is needed, for example, when authenticating to a website for email services.

Forward Unprotected Traffic: Available only in the transparent proxy mode, traction mode, reverse proxy mode, and one-arm reverse proxy mode. With the function enabled, the system forwards traffic whose IP address and port match the site but that the site cannot protect, for example non-HTTP traffic to an HTTP site, non-SSL traffic to an HTTPS site, and traffic whose Server Name Indication (SNI) does not match the site domain name. Traffic forwarded this way is not inspected.
  Note:

  • The system cannot forward FTP and MySQL traffic. For two or more sites with the same IP-port pair, this function takes effect for all of them as long as it is enabled for one.

  • In transparent proxy mode, traction mode, reverse proxy mode, and one-arm reverse proxy mode, SSL Offload and Forward Unprotected Traffic cannot be enabled at the same time.

  • In reverse proxy mode and one-arm reverse proxy mode, take note of the following limits when Forward Unprotected Traffic is enabled for a site:

    • The load balancing server cannot contain a domain name, the load balancing algorithm degrades to Round Robin, and any Weighted Round Robin, Weighted Least Connections, or IP Hash configuration does not take effect.

    • The combination of virtual router, IP address and port in the site service cannot be the same as that of another site (the port considered is the port in the site service or the port used for redirecting HTTP to HTTPS). The logical relationship among virtual router, IP address and port is AND, so the function can be enabled as long as at least one of the three differs from every other site.

Check Request Body: If enabled, the system inspects the content of the HTTP request body.

Check Response Body: If enabled, the system inspects the content of the HTTP response body.

Disable Proxy Buffering: If enabled, the system no longer buffers the response data returned by the website but sends it to the client immediately. This function is disabled by default. Enabling it (that is, no buffering) is recommended for network environments that require low latency. Note: Disable Proxy Buffering and Check Response Body cannot be enabled at the same time; if both are enabled, Disable Proxy Buffering has no effect.

4. For the tap mode, transparent tap mode, traction mode, and transparent proxy mode, click OK to finish the basic configuration.
   For the reverse proxy mode and one-arm reverse proxy mode, click the Load Balance tab to continue the configuration.
   To configure more protections, click the other tabs, or edit the site later from the site list.

5. Click OK.
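The Service rows above are easier to reason about with the expansion and deduplication the system performs written out. The following Python script is an added example, not part of this guide or of the Hillstone product: it expands rows written in the "start-end" and "80,443" syntax described above into individual (IP, port) web services, deduplicates them, and checks the Forward-status rule that a site may not share an IP-port pair with another site. The site names and addresses in it are constructed sample data, and the way sites are represented (a name mapped to a status and a list of rows) is an assumption made for the example.

```python
"""Expand and check WAF site service rows (added example, not vendor code)."""
import ipaddress
from typing import Dict, List, Set, Tuple

Service = Tuple[str, int]  # (ip, port), one protected web service


def expand_ips(spec: str) -> List[str]:
    """Expand a single IP, an IP range "a-b", or a CIDR into host addresses."""
    spec = spec.strip()
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        hosts = list(net.hosts()) or [net.network_address]
        return [str(h) for h in hosts]
    if "-" in spec:
        start_s, end_s = (p.strip() for p in spec.split("-", 1))
        start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
        if start.version != end.version:
            raise ValueError(f"mixed IPv4/IPv6 in one row: {spec}")
        if end < start:
            raise ValueError(f"range end before start: {spec}")
        # type(start) keeps IPv6 ranges IPv6 when the integer value is small
        return [str(type(start)(int(start) + i))
                for i in range(int(end) - int(start) + 1)]
    return [str(ipaddress.ip_address(spec))]


def expand_ports(spec: str) -> List[int]:
    """Expand "80,443,8000-8002" into a list of port numbers."""
    ports: List[int] = []
    for item in spec.split(","):
        lo, _, hi = item.strip().partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not (1 <= lo_i <= hi_i <= 65535):
            raise ValueError(f"bad port spec: {item}")
        ports.extend(range(lo_i, hi_i + 1))
    return ports


def expand_services(rows: List[Tuple[str, str]]) -> Set[Service]:
    """Split and deduplicate all (ip_spec, port_spec) rows of one site."""
    services: Set[Service] = set()
    for ip_spec, port_spec in rows:
        for ip in expand_ips(ip_spec):
            for port in expand_ports(port_spec):
                services.add((ip, port))
    return services


def forward_conflicts(sites: Dict[str, Tuple[str, List[Tuple[str, str]]]]
                      ) -> List[Tuple[str, str, Service]]:
    """Report IP-port pairs shared between a Forward-status site and another site.

    `sites` maps a site name to (status, rows). Per the guide, a site in the
    Forward status may not share an IP-port pair with any other site.
    """
    expanded = {name: expand_services(rows) for name, (_, rows) in sites.items()}
    conflicts: List[Tuple[str, str, Service]] = []
    names = sorted(sites)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if "Forward" not in (sites[a][0], sites[b][0]):
                continue
            for svc in sorted(expanded[a] & expanded[b]):
                conflicts.append((a, b, svc))
    return conflicts


# Constructed sample configuration (not from the guide): "shop" lists
# 192.0.2.11:80 twice, and both sites claim 192.0.2.12:443.
SAMPLE_SITES = {
    "shop": ("Forward", [("192.0.2.10-192.0.2.12", "80,443"), ("192.0.2.11", "80")]),
    "blog": ("Protect", [("192.0.2.12", "443"), ("2001:db8::10", "443")]),
}

if __name__ == "__main__":
    print(sorted(expand_services(SAMPLE_SITES["shop"][1])))
    print(forward_conflicts(SAMPLE_SITES))
```

Run against a real configuration export, the conflict list is the set of IP-port pairs that will make the system reject Forward status for a site.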

Certificate Chain Check

After you create an HTTPS site, if WAF fails to protect the site, operations personnel can check whether the certificate chain configured on the WAF site is consistent with the certificate chain on the web server. This helps determine whether the issue is caused by a certificate inconsistency. If the check fails, operations personnel can use a third-party tool to obtain the web server's certificate chain, or complete the certificate chain configured on the WAF site.
To check certificate chain, take the following steps:

1. Select Site > Web Site.

2. In the web site list, select a site and click Edit to enter the Site Configuration page.

3. In the Basic tab, click Certificate Chain Check next to the SSL/TLS Certificate Chain drop-
down list.

In the Certificate Chain Check panel, configure the following options:

Option Description

Server IP: Specifies the IP address of the web server.

  • In transparent proxy mode, traction mode, transparent tap mode, and tap mode, the first IP address of the service on the Basic tab is filled in by default. If you entered an IP segment for the service, the first valid IP address of the segment is filled in.

  • In reverse proxy mode and one-arm reverse proxy mode, the first IP address of the SLB server on the Load Balance tab is filled in by default. If only domain names are configured for the SLB server, no value is filled in.

Server Port: Specifies the port of the web server.

  • In transparent proxy mode, traction mode, transparent tap mode, and tap mode, the first port of the service on the Basic tab is filled in by default. If you entered multiple ports, the first one is used; if you entered a port range, the start port of the range is used.

  • In reverse proxy mode and one-arm reverse proxy mode, the first port of the SLB server on the Load Balance tab is filled in by default. If only domain names are configured for the SLB server, no value is filled in.

Virtual Router: Specifies the virtual router for the LAN and WAN interfaces of the site. The LAN and WAN interfaces of the same site must be configured under the same virtual router. This parameter is available only in reverse proxy mode, one-arm reverse proxy mode, and traction mode. By default, the virtual router configured on the Basic tab is filled in, and the value must stay consistent with that configuration.

Domain: Specifies the domain name of the web server. By default, the first domain name on the Basic tab that does not contain a wildcard (*) is filled in. For example, if the first domain name is "*test.com" and the second is "www.123.com", the second domain name is filled in. If the domain is "Any", no value is filled in.

4. Click Check. The certificate comparison result is displayed below.

l If the result is consistent, the certificate chain configured on WAF and the certificate
chain on the web server are consistent.

l If the result is inconsistent, you can click Export next to Server Certificate Chain to
export the certificate to your PC, create a certificate chain on the System > PKI >
Certificate Chain page, and then bind the new certificate chain to the site.

Notes:
• If the certificate chain check fails, you can use a third-party tool such as https://tools.keycdn.com/certificate-chain to obtain the certificate chain of the web server, import it into a certificate chain on WAF, and then bind that certificate chain to the site.

• In transparent proxy mode and transparent tap mode, if Virtual Wire is configured in strict mode, the Certificate Chain Check function does not work.
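As an added example (not the guide's own tool and not the WAF's implementation), the following Python script performs the same kind of comparison offline: it takes the PEM chain bound to the WAF site and the PEM chain a server presents, compares them certificate by certificate using SHA-256 fingerprints of the DER data, and reports whether only the leaf matches, which is the usual symptom of an intermediate certificate missing on one side. The PEM blocks in it are constructed placeholders rather than real certificates so that it runs without network access; fetch_server_chain() shows how the server's chain can be obtained with the openssl command-line tool and is an assumption about the operator's tooling, not something the guide prescribes.

```python
"""Compare a WAF-side certificate chain with a server's chain (added example)."""
import base64
import hashlib
import re
import subprocess
from typing import Dict, List, Optional

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_fingerprints(pem: str) -> List[str]:
    """SHA-256 fingerprints (hex) of each certificate in a PEM bundle, in order."""
    fps: List[str] = []
    for body in PEM_BLOCK.findall(pem):
        der = base64.b64decode("".join(body.split()))
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def compare_chains(waf_pem: str, server_pem: str) -> Dict[str, object]:
    """Compare the chain configured on the WAF site with the server's chain.

    Returns "consistent", the certificate counts and, when inconsistent,
    whether the leaf matches and which certificates exist on only one side.
    """
    waf, srv = pem_fingerprints(waf_pem), pem_fingerprints(server_pem)
    result: Dict[str, object] = {
        "consistent": waf == srv, "waf_count": len(waf), "server_count": len(srv)}
    if not result["consistent"]:
        result["leaf_matches"] = bool(waf and srv and waf[0] == srv[0])
        result["only_on_server"] = [fp for fp in srv if fp not in waf]
        result["only_on_waf"] = [fp for fp in waf if fp not in srv]
    return result


def fetch_server_chain(host: str, port: int, sni: Optional[str] = None) -> str:
    """Fetch the PEM chain a server presents using `openssl s_client -showcerts`.

    Assumes the openssl CLI is installed; the SNI should be the domain the
    clients use, as in the Domain field of the check panel.
    """
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", sni or host, "-showcerts"]
    out = subprocess.run(cmd, input=b"", capture_output=True, timeout=15).stdout
    return "\n".join(
        f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"
        for body in PEM_BLOCK.findall(out.decode(errors="replace")))


def _fake_cert(label: str) -> str:
    # Constructed placeholder: base64 of a short byte string, NOT a certificate.
    body = base64.b64encode(f"fake-der:{label}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


LEAF, INTERMEDIATE = _fake_cert("leaf"), _fake_cert("intermediate")
WAF_CHAIN = LEAF                    # common mistake: only the leaf bound to the site
SERVER_CHAIN = LEAF + INTERMEDIATE  # the server sends leaf + intermediate

if __name__ == "__main__":
    print(compare_chains(WAF_CHAIN, SERVER_CHAIN))
```

When the result reports leaf_matches but lists a fingerprint under only_on_server, the fix is the one the notes above describe: import the missing intermediate into the WAF certificate chain rather than replacing the leaf.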

Configuring More Protections

Configuring the Acceleration

With this function enabled, responses returned to clients are accelerated and the load on the protected web server is reduced, improving its performance.
There are four acceleration methods: Static Resource Cache, TCP Connection Reuse, SSL Connection Reuse, and Compression.

• Static Resource Cache: The device forwards a client request to the web server and caches the static resources in the response. When the same static resources are requested again, the device returns the cached content directly to the client instead of establishing a connection with the server.

• TCP Connection Reuse: After the device forwards a request from one client to the web server over a TCP connection, it keeps that connection open for a while. When a request from another client arrives, the device checks whether the TCP connection to the server is idle; if it is, the request is forwarded over the idle connection instead of a new one.

• SSL Connection Reuse: SSL connection reuse between the device and the server is enabled by default. For an HTTPS site without SSL Offload, if SNI Check is enabled on the load balancing server, disable both TCP Connection Reuse and SSL Connection Reuse so that clients can access the website normally.

• Compression: The web server sends uncompressed responses to the device. After inspecting them, the device compresses the responses and sends them to the client, which reduces the load on the server and, because the device inspects uncompressed content, improves the accuracy of attack detection.

Static Resource Cache

To accelerate response from the web server via static resource cache, take the following steps:

1. Select Site > Web Site.

2. Select the site you want to configure and click Edit to go to the Site Configuration page.

3. Select the Acceleration tab and then select Static Resource Cache.

4. Click Enable to enable the Static Resource Cache.

5. Select the type of files to be cached in File Type.

6. You can also customize a file type in the Custom File Type text box.

7. In HTTP Method, select the methods whose request-responses are to be cached. The system can cache static resources of responses to four HTTP methods: GET, HEAD, POST, and PUT. By default, responses to GET and HEAD requests are cached. If you also tick POST and/or PUT, the system caches responses to those methods as well, further reducing the interaction between the client and the server and speeding up client access. Cache POST/PUT responses only for resources whose response does not depend on the requesting user, since a cached response is served to every client.

8. Click OK.

To configure the static resource cache, in the global configurations, take the following steps:

1. Select System > WAF Global Configuration > Global Parameter Configuration.

2. In the Site Cache Timeout field, enter the time to live (TTL) for cached files. When a
cached file is expired, the device will request the file from the web server again.

Clearing cache:

1. Select Site > Web Site.

2. Click Clear Cache above the site list to clear cached files of all sites.

Notes:

• If the request body of a POST/PUT request is larger than 32K, the system does not cache the response.

• To protect client privacy, responses that contain a Set-Cookie header are not cached.

• When cached content occupies 90% of the cache space, the system automatically clears the oldest 20% of the content.
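As an added example that is not the vendor's implementation, the following Python class models the cache rules stated in this section and its notes: configured file types and HTTP methods only, no caching of POST/PUT responses whose request body exceeds 32K, no caching of responses carrying Set-Cookie, expiry after the Site Cache Timeout, and eviction of the oldest content once usage reaches 90% of the cache space. How much is evicted at the watermark (here, until usage drops by 20%), the cache key used for POST/PUT (method, URL and request body), and the demo() capacity and sample requests are assumptions constructed for the example.

```python
"""Model of the Static Resource Cache rules (added example, not vendor code)."""
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, Optional

MAX_CACHEABLE_BODY = 32 * 1024  # POST/PUT request bodies above this are not cached


@dataclass
class CachedResponse:
    body: bytes
    stored_at: float  # seconds; the caller supplies the clock


class StaticResourceCache:
    def __init__(self, capacity_bytes: int, ttl_seconds: float,
                 file_types=("css", "js", "png", "jpg"), methods=("GET", "HEAD")):
        self.capacity = capacity_bytes
        self.ttl = ttl_seconds                  # Site Cache Timeout
        self.file_types = {t.lower() for t in file_types}
        self.methods = {m.upper() for m in methods}
        self._store = OrderedDict()             # insertion order == age
        self.used = 0

    def _cacheable(self, method: str, url: str, request_body: bytes,
                   response_headers: Dict[str, str]) -> bool:
        method = method.upper()
        if method not in self.methods:
            return False
        path = url.split("?", 1)[0]
        if "." not in path.rsplit("/", 1)[-1]:
            return False                        # no extension: not a static file
        if path.rsplit(".", 1)[-1].lower() not in self.file_types:
            return False
        if method in ("POST", "PUT") and len(request_body) > MAX_CACHEABLE_BODY:
            return False
        if any(name.lower() == "set-cookie" for name in response_headers):
            return False                        # privacy: never cache personalised responses
        return True

    def store(self, method, url, request_body, response_headers, response_body, now) -> bool:
        """Cache a response if the rules allow it; returns whether it was cached."""
        if not self._cacheable(method, url, request_body, response_headers):
            return False
        key = (method.upper(), url, request_body)
        if key in self._store:
            self._evict(key)
        self._store[key] = CachedResponse(response_body, now)
        self.used += len(response_body)
        self._enforce_watermark()
        return True

    def lookup(self, method, url, request_body, now) -> Optional[bytes]:
        """Return the cached body, or None if absent or expired (refetch from the server)."""
        key = (method.upper(), url, request_body)
        entry = self._store.get(key)
        if entry is None:
            return None
        if now - entry.stored_at >= self.ttl:
            self._evict(key)
            return None
        return entry.body

    def _evict(self, key) -> None:
        self.used -= len(self._store.pop(key).body)

    def _enforce_watermark(self) -> None:
        """At 90% usage, drop the oldest entries until 20% of the used space is freed."""
        if self.used < 0.9 * self.capacity:
            return
        target = 0.8 * self.used
        while self._store and self.used > target:
            self._evict(next(iter(self._store)))

    def entry_count(self) -> int:
        return len(self._store)

    def clear(self) -> None:
        """Equivalent of Clear Cache in the site list."""
        self._store.clear()
        self.used = 0


def demo() -> Dict[str, object]:
    """Exercise the rules with constructed requests; returns what happened."""
    cache = StaticResourceCache(capacity_bytes=1000, ttl_seconds=60,
                                methods=("GET", "HEAD", "POST"))
    r: Dict[str, object] = {}
    r["cookie_rejected"] = not cache.store(
        "GET", "/app.js", b"", {"Set-Cookie": "sid=1"}, b"x" * 100, now=0)
    r["no_extension_rejected"] = not cache.store("GET", "/api/data", b"", {}, b"x" * 100, now=0)
    r["big_post_rejected"] = not cache.store(
        "POST", "/q.js", b"a" * (MAX_CACHEABLE_BODY + 1), {}, b"x" * 100, now=0)
    for i in range(9):                           # 9 x 100 bytes reaches the 90% watermark
        cache.store("GET", f"/s{i}.css", b"", {}, b"x" * 100, now=i)
    r["entries_after_watermark"] = cache.entry_count()
    r["oldest_evicted"] = cache.lookup("GET", "/s0.css", b"", now=10) is None
    r["newest_present"] = cache.lookup("GET", "/s8.css", b"", now=10) is not None
    r["expired"] = cache.lookup("GET", "/s8.css", b"", now=8 + 60) is None
    return r


if __name__ == "__main__":
    print(demo())
```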

Connection Reuse

Connection reuse includes TCP connection reuse and SSL connection reuse, which can only be
enabled in the reverse proxy mode, traction mode or one-arm with reverse proxy mode. To accel-
erate response from the web server via connection reuse, take the following steps:

1. Select Site > Web Site.

2. Select the site you want to configure and click Edit to go to the Site Configuration page.

3. Select the Acceleration tab and then select Connections Reuse.

4. Click the button to enable TCP Connection Reuse.

5. Click the button to enable SSL Connection Reuse.

6. Click OK.

Notes:
• The function takes effect only when the server side supports HTTP/1.1.

• For an HTTPS site without SSL Offload, if SNI Check is enabled on the load balancing server, disable both TCP Connection Reuse and SSL Connection Reuse so that clients can access the website normally.

Compression

When both the Stop Server Compressing and Allow Compressing check boxes are selected, the
web server will send uncompressed response packets to the device directly. After analyzing the
packets, the device compresses and sends the packets to the client, which can reduce the burden
on the server and improve the accuracy of identifying attacks. To configure the function, take the
following steps:

1. Select Site > Web Site.

2. Select the site you want to configure and click Edit to go to the Site Configuration page.

3. Select the Acceleration tab and then select Compression.

4. Enable Stop Server Compressing to stop the web server from compressing packets. Other-
wise, the server will compress the packets.

5. Enable Allow Compressing to compress packets sent from the device to the client. Other-
wise, the device will not compress the packets.

6. Click OK.

Notes:
When this function is enabled, the device performance may be affected.

Configuring the Anti-defacement

With this function enabled, the device periodically crawls web files in the specified formats and saves the crawled files as baseline files. If the web files are modified, the device generates anti-defacement logs, and you can judge whether the modification is a defacement or a normal update.
To configure the anti-defacement function, take the following steps:

1. Select Site > Web Site.

2. Select the site you want to configure and click Edit to go to the Site Configuration page.

3. Select the Anti-defacement tab on the top.

4. Click Enable to enable Anti-defacement.

5. Select an operation mode. When the function is enabled for the first time or the website has
been updated, select the Learning Mode. After the device crawls all specified web files,
select the Protected Mode. The device system logs will display whether the crawling is fin-
ished. The two modes need to be switched manually.

l In the Learning Mode, the device starts to crawl from the default web page, and then
crawls web pages in layers. The crawled web files will be saved as the baseline files.
The mode has the following characteristics:

Sites 154
l The device starts to crawl from the specified default page and generates device
system logs.

l After web pages of one or many sites are crawled, the device will generate an
event log informing you of "Baseline update done".

l When the corresponding web file is modified, the device will generate a web
page anti-defacement log. A large number of logs will be generated when the
site is crawled for the first time.

l When parameters of the learning mode are modified, the ongoing crawling will
stop, and the device will generate a related log. The saved baseline files will be
cleared and the device will restart to crawl according to the new configurations.

l When the function of web page anti-defacement is disabled or the site is


deleted, the baseline files will be cleared.

l When the device reboots, the baseline files will not be cleared.

l In the Protected Mode, the device starts to crawl from the default web page, and then
crawls web pages in layers periodically. The device will check whether the crawled
files are consistent with the baseline files. The mode has the following characteristics:

l The crawling period depends on the specified hierarchy. The device crawls the
default page for 1 minute and other pages for the period specified in WAF
Global Configuration.

l When the web files are modified, the device will save the modified files and
generate anti-defacement logs. You can judge whether the files are tampered.

l If the files are modified and the verdict is unconfirmed, requests from the
client will be redirected to the baseline files, and the web pages saved in

155 Sites
baseline files will be returned to the client.

l If the modification is judged as defacement, requests from the client will


be redirected to the baseline files, and the cached files will be cleared.
When the corresponding files on the web server are restored, requests
from the client will not be redirected.

l If the modification is judged as an update, the baseline files are updated,
requests from the client are not redirected, and the cached files are cleared.

l After all verdicts, the tampered files will be saved in the device for audit.
The tampered files can be accessed via the URL in anti-defacement logs.
The maximum space for saved tampered files is 10GB.

l The anti-defacement log includes the URLs of the baseline files, the URLs of
the tampered files and the URLs of the pages that use the tampered files.

6. In the Learning Mode, configure the following parameters:

l Default Page: Specifies the URL (IPv4 or IPv6) for the device to start to crawl. The
domain name configured for the default page should be the same as the domain name
accessed by the client.

l Specify the Destination IP and Port: Click the button to enable this function and
specify the IP and port of the real server. If enabled, the IP and port are used to
crawl the server instead of the domain name in the URL of the default page; if
disabled, the domain name in the URL of the default page is resolved for crawling.

l Schedule: During the scheduled period, anti-defacement protection is suspended.
That is, modifications of web files that happen during the scheduled period are not
judged as defacement.

Note: During the scheduled period, the system still crawls web pages periodically,
and the files crawled in this period are written to the baseline files. It is
recommended that the scheduled period be at least twice the crawling period and
that the site be updated during the first half of the scheduled period, so that at
least one crawl after the update still falls inside the window.

l Select an existing Schedule: Select the specified Schedule from the drop-down
list.

l Create a new Schedule: Click to go to the Schedule Configuration section.

For more information, see Object > Schedule.

l Similarity: Enable this function to specify the similarity threshold for modified
web files. The value range is 0-100%; the default value is 70%. When the site is in
the Protected Mode, the system compares each modified web file with its baseline file
and works out a similarity percentage. If the similarity is below the threshold, the
system judges the modification as defacement and records logs; if the similarity is
equal to or greater than the threshold, the system judges the modification as a normal
update and does not apply anti-defacement protection to it.

l Exception URL: Specifies the exception URL. If the site is in the Protected Mode, the
system does not perform anti-defacement protection for the specified exception
URLs. In the Learning mode, the device still crawls web files of the specified excep-
tion URLs. Click New to add more exception URLs. To delete a URL, select it and
click Delete. The system supports at most 32 exception URLs.

l Match: Specifies the Match mode, including Match Whole Word (such as
"/test/a.html") and Match Path (such as "/test/").

l URI: Specifies the URL to match.

l Page Layer: Specifies how many page layers, counted from the default page, are
crawled. The default is 3 layers.

l File Type: Select the type of files to be crawled.

l Custom File Type: Specifies the custom type of files to be crawled.

l Learning No Suffix File of File Path: With this function enabled, files without a
suffix and file paths can be crawled, for example https://www.xxx.com/test/ or
https://www.xxx.com/nosuffix.

l Force to Learn Default Page: Specifies the default homepage of the site that must
be crawled, such as https://www.xxx.com/index.html. Note: If the homepage is a
dynamic page, a large number of anti-defacement logs may be generated.

l File Size: Specifies the file size threshold, exceeding which the file will not be
crawled.

7. Click OK.

To configure the global parameters of the web page anti-defacement function, take the
following steps:

1. Select System > WAF Global Configuration > Global Parameter Configuration.

2. In the Maximum Crawling Memory field, specify the maximum memory that crawling may use
in one crawling period. When the limit is reached, the device stops crawling and
generates related logs.

3. In the Crawling Period field, specify the crawling period.

Notes:

l The device only crawls the responses to HTTP GET requests.

l The device does not crawl content loaded by JavaScript (AJAX requests).

l The device does not crawl content that only appears after user input, such as the
pages displayed after login.
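The following added example, which is not part of the Hillstone documentation or product code, models the Protected Mode verdict logic described above in Python: baseline files saved in Learning Mode, the Match Whole Word / Match Path exception URLs, the Schedule window in which changes are never judged as defacement, and the Similarity threshold that separates an update from a defacement. The similarity function (difflib's ratio), the sample HTML files and the timestamps are assumptions; the appliance's own comparison algorithm is not documented on this page.

```python
import difflib
from datetime import datetime, time


def is_exception(path, exceptions):
    """exceptions: (mode, uri) pairs. mode "whole" is Match Whole Word
    (e.g. "/test/a.html"); mode "path" is Match Path (e.g. "/test/")."""
    for mode, uri in exceptions:
        if mode == "whole" and path == uri:
            return True
        if mode == "path" and path.startswith(uri):
            return True
    return False


def similarity(baseline, crawled):
    """Similarity in percent. The appliance's comparison algorithm is not
    documented; difflib's ratio is an assumed stand-in."""
    return 100.0 * difflib.SequenceMatcher(None, baseline, crawled).ratio()


def in_schedule(now, windows):
    """windows: (start, end) datetime.time pairs inside one day."""
    t = now.time()
    return any(start <= t <= end for start, end in windows)


class AntiDefacement:
    """Verdict logic of the Protected Mode for one site."""

    def __init__(self, threshold=70, exceptions=(), windows=()):
        self.threshold = threshold
        self.exceptions = list(exceptions)
        self.windows = list(windows)
        self.baseline = {}    # path -> body saved in Learning Mode
        self.quarantine = {}  # path -> tampered body kept for audit

    def learn(self, path, body):
        self.baseline[path] = body

    def check(self, path, crawled, now):
        """Return (verdict, body served to clients) for a freshly crawled file."""
        base = self.baseline.get(path)
        if base is None or is_exception(path, self.exceptions):
            return "exempt", crawled           # not protected: serve the origin
        if crawled == base:
            self.quarantine.pop(path, None)    # origin restored (or never changed)
            return "unchanged", crawled
        # Inside the schedule window every change is treated as an update and
        # the crawl replaces the baseline without any similarity check, which
        # is why the window must not be left open longer than the maintenance.
        if in_schedule(now, self.windows) or similarity(base, crawled) >= self.threshold:
            self.baseline[path] = crawled
            self.quarantine.pop(path, None)
            return "update", crawled
        # Below the threshold: keep the tampered copy for audit and answer
        # client requests with the baseline until the origin is restored.
        self.quarantine[path] = crawled
        return "defacement", base


# Constructed sample files and times (not from any real site).
BASELINE = ("<html><body><h1>Welcome to Example Corp</h1>"
            "<p>Our products ship worldwide.</p></body></html>")
UPDATED = BASELINE.replace("worldwide", "globally")
DEFACED = "<html><body><h1>HACKED</h1></body></html>"
MAINTENANCE = [(time(2, 0), time(4, 0))]
NOON = datetime(2024, 7, 23, 12, 0)
NIGHT = datetime(2024, 7, 23, 3, 0)

if __name__ == "__main__":
    site = AntiDefacement(threshold=70, exceptions=[("path", "/static/")], windows=MAINTENANCE)
    site.learn("/index.html", BASELINE)
    for body, when in ((UPDATED, NOON), (DEFACED, NOON), (DEFACED, NIGHT)):
        print(site.check("/index.html", body, when)[0])
```

The last run in the demo is the caveat behind the schedule note above: a defacement that lands inside the maintenance window is accepted as the new baseline, so the window should be no wider than the real update needs.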

Enabling the Server Health Check

With the function of server health check, the device can check server health by determining its
responsiveness. If the web server is responsive, its status will display as "Up" in the event log; if
it is unresponsive, its status will display as "Down" in the event log. The device reacts to an unre-
sponsive server by disabling traffic to that server until it becomes responsive.
To enable the health check, take the following steps:

1. Select Site > Web Site.

2. Select the site you want to configure and click Edit to go to the Site Configuration page.

3. Click the Server Health Check tab.

4. Click Enable to enable the Server Health Check.

l Return Custom Error Page: When the health check shows that all servers are "Down",
the client receives the error page or custom content configured in the Site
Configuration. Note: In the reverse proxy mode and the one-arm reverse proxy mode, the
error page or custom content is returned only when the health check shows that all
load-balancing servers are "Down".

l Interval Time: Specifies the number of seconds between each server health check.

l Unresponsive Times: Specifies the number of consecutive unsuccessful health checks
after which the server is considered unresponsive.

l Responsive Times: Specifies the number of consecutive successful health checks after
which the server is considered responsive again.

l Server URL: Enter the URL that the health-check HTTP request uses to verify the
responsiveness of the server, and select the HTTP protocol version.

5. Click OK.
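As an added example (not Hillstone's code), the following Python class reproduces the Up/Down state machine behind Interval Time, Unresponsive Times and Responsive Times, together with a minimal HTTP probe for the Server URL. The server addresses, thresholds and probe results are constructed for illustration; which HTTP status codes the appliance treats as healthy is not stated on this page, so the probe's "status below 500" rule is an assumption.

```python
import http.client


def http_probe(host, port, url="/", timeout=3):
    """One health-check request. Any HTTP answer with a status below 500 is
    treated as responsive (assumption); connection errors and timeouts are
    treated as unresponsive."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", url, headers={"Host": host})
        status = conn.getresponse().status
        conn.close()
        return status < 500
    except (OSError, http.client.HTTPException):
        return False


class ServerHealth:
    """Up/Down tracking with Unresponsive Times / Responsive Times hysteresis.
    Every server starts as Up; each state change is appended to `events`,
    which stands in for the appliance's event log."""

    def __init__(self, servers, interval=5, unresponsive_times=3, responsive_times=2):
        self.interval = interval                # seconds between checks
        self.unresponsive_times = unresponsive_times
        self.responsive_times = responsive_times
        self.state = {s: {"up": True, "fail": 0, "ok": 0} for s in servers}
        self.events = []

    def record(self, server, responsive):
        """Feed one probe result; returns the server's Up/Down status."""
        st = self.state[server]
        if responsive:
            st["fail"], st["ok"] = 0, st["ok"] + 1
            if not st["up"] and st["ok"] >= self.responsive_times:
                st["up"] = True
                self.events.append((server, "Up"))
        else:
            st["ok"], st["fail"] = 0, st["fail"] + 1
            if st["up"] and st["fail"] >= self.unresponsive_times:
                st["up"] = False
                self.events.append((server, "Down"))
        return st["up"]

    def run_once(self, probe=http_probe, url="/"):
        """One health-check round; call this every `interval` seconds."""
        for server in self.state:
            host, port = server.rsplit(":", 1)
            self.record(server, probe(host, int(port), url))

    def up_servers(self):
        return [s for s, st in self.state.items() if st["up"]]

    def route(self):
        """Servers that may receive traffic. None means every server is Down,
        i.e. the client gets the site's error page or custom content."""
        return self.up_servers() or None


if __name__ == "__main__":
    hc = ServerHealth(["10.0.0.11:8080", "10.0.0.12:8080"])  # constructed addresses
    # Constructed probe: the second server answers, the first does not.
    fake = lambda host, port, url: host.endswith(".12")
    for _ in range(3):
        hc.run_once(probe=fake)
    print(hc.events, hc.route())
```

A single failed probe never flips a server to Down, and a single good probe never flips it back; the two counters give the flapping protection the Unresponsive Times / Responsive Times settings are for.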

Custom Error Page

When the device blocks an access request, it returns an error page to the client, so
that the user learns the requirements and restrictions of the website. You can customize
the error page according to the specific situation of the website.
To customize the error page, take the following steps:

1. Select Site > Web Site.

2. Select the site you want to configure and click Edit to go to the Site Configuration page.

3. Click the Custom Error Page tab.

4. Click Enable to enable the Error Page Customization.

5. Select an error page mode: Error Page or Custom Content.

l If Error page is selected, you should select a specific error page from the drop-down
list. Predefined error pages will be displayed by default. To create a new error page,
visit System > WAF Global Configuration > Custom Error Page Management for
configuration.

l If Custom Content is selected, you should specify the Title and Body of the page.

Configuring Load Balancing
Only in the reverse proxy mode and one-arm reverse proxy mode can this function be configured.
With the load balancing function, traffic can be distributed among several servers to optimize
resource allocation, shorten the access delay, and minimize the damage caused by mis-
configuration. The load balancing function supports the following mechanisms:

l Weighted Round Robin: Distributes HTTP requests to the servers in turn, in proportion
to their weights.

l Weighted Least Connections: Distributes HTTP requests to the server with the fewest
active connections, taking the server weight into account.

l IP Hash: Distributes HTTP requests to a server selected by hashing the client IP
address. Because requests from the same client IP always reach the same server, this
method provides session persistence.

When configuring a site, click the Load Balance tab on the Site Configuration page.

1. For Load Balance Algorithm, select Weighted Round Robin, Weighted Least Connections
or IP Hash as needed.

2. Click New at the lower part of the SLB server list, and enter the IP address, port
number and weight of a server into the corresponding fields. The greater the weight, the
more requests the server receives.

3. Repeat the previous step to add another SLB server.

4. Click OK.

Notes:
The load balancing configuration has the following limits:

l If the site status is Forward or the Forward Unprotected Traffic function is
enabled, you cannot configure a domain name for a load balancing server.

l If the site status is Forward, the IP address type of the load balancing server
must be the same as that of the site service. For example, if the IP address type of
the site service is IPv4, the IP address type of the load balancing server cannot be
IPv6.

l If the site status is Forward or the Forward Unprotected Traffic function is
enabled, the load balancing algorithm degrades to plain Round Robin, and the
configuration of Weighted Round Robin, Weighted Least Connections and IP Hash
does not take effect.
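The three mechanisms above, as an added example in Python that is not Hillstone's implementation: smooth weighted round robin, weighted least connections and IP hash over a list of SLB servers, plus the degradation to plain round robin in the Forward status noted above. Backend addresses and weights are constructed; the hash function (SHA-256 of the client IP), the "connections divided by weight" rule for least connections and the tie-breaking order are assumptions.

```python
import hashlib


class Backend:
    """One SLB server entry: IP, port and weight as entered on the Load Balance tab."""

    def __init__(self, ip, port, weight=1):
        self.ip, self.port, self.weight = ip, port, weight
        self.active = 0     # open connections (Weighted Least Connections)
        self.credit = 0     # running credit (smooth Weighted Round Robin)
        self.up = True      # fed by the server health check

    def __repr__(self):
        return f"{self.ip}:{self.port}"


class LoadBalancer:
    ALGORITHMS = ("wrr", "wlc", "ip_hash")

    def __init__(self, algorithm, backends, forward_mode=False):
        if algorithm not in self.ALGORITHMS:
            raise ValueError(algorithm)
        self.algorithm = algorithm
        self.backends = list(backends)
        # Site status Forward / Forward Unprotected Traffic: weights and the
        # selected algorithm are ignored and plain round robin is used.
        self.forward_mode = forward_mode
        self._rr = 0

    def pick(self, client_ip):
        """Choose the server for a new HTTP request (None if all are Down)."""
        cands = [b for b in self.backends if b.up]
        if not cands:
            return None
        if self.forward_mode:
            chosen = cands[self._rr % len(cands)]
            self._rr += 1
        elif self.algorithm == "wrr":
            chosen = self._smooth_wrr(cands)
        elif self.algorithm == "wlc":
            # fewest active connections relative to weight
            chosen = min(cands, key=lambda b: b.active / b.weight)
        else:
            # Same client IP -> same index while the set of Up servers is stable,
            # which is what gives this method its session persistence.
            digest = hashlib.sha256(client_ip.encode()).digest()
            chosen = cands[int.from_bytes(digest[:4], "big") % len(cands)]
        chosen.active += 1
        return chosen

    def release(self, backend):
        """Call when the connection to `backend` closes."""
        backend.active -= 1

    @staticmethod
    def _smooth_wrr(cands):
        """Smooth weighted round robin: weights 3 and 1 yield A, A, B, A."""
        total = sum(b.weight for b in cands)
        for b in cands:
            b.credit += b.weight
        best = max(cands, key=lambda b: b.credit)   # first server wins ties
        best.credit -= total
        return best


if __name__ == "__main__":
    # Constructed servers, not real addresses.
    pool = [Backend("10.0.0.11", 8080, weight=3), Backend("10.0.0.12", 8080, weight=1)]
    lb = LoadBalancer("wrr", pool)
    print([lb.pick("198.51.100.7") for _ in range(8)])
```

The IP hash is only as persistent as the set of Up servers: when the health check marks a server Down, every client that hashed to it is redistributed, which is the expected trade-off of this method.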
Configuring the Auto-learning
Auto-learning is a complement to the protection settings. With this function, the device
learns from the URLs that have passed the access control policy and the security policy.
During the learning process, the device observes the traffic and quickly generates
profiles tailored to the site's own traffic. You can then switch the learned URLs from
the learning mode to the protected mode. With the auto-learning policy, traffic that
matches the signatures of the profiles is sent to the web server directly; traffic that
does not match them is handled with the protection action configured in the
auto-learning policy, such as alarm, block or redirect URL, which improves the website
security.
Auto-learning compares HTTP requests to attack signatures and observes inputs such as cookies
and URL parameters. There are three statuses of URLs: Learning, Learning-completed and Pro-
tected Mode. The Learning status means the device is learning the URL and generating auto-learn-
ing profiles; the Learning-completed status means the learning condition is met and the device
stops generating auto-learning profiles; the Protected Mode means the URL is protected by the
auto-learning policy.
You can switch the status of a URL from Learning to Learning-completed or Protected Mode. For
a URL in the Learning-completed status, you can switch its status to the Protected Mode directly
or modify the learned URL first, and then switch its status to the Protected Mode; for a URL in
the Protected Mode, if you're not satisfied with the results, you can switch its status to Learning-
completed. The three statuses can be switched as follows:

Configuring the Auto-learning

To configure the auto-learning function, take the following steps:

1. Select Site > Web Site.

2. Select the site you want to configure and select Auto-learning from the Advanced Pro-
tection Functions drop-down list.

3. Click the Configure tab to configure learning conditions. The device finishes learning as
long as either of the conditions is met, and the status of the URL will be switched to Learn-
ing-completed:

l Condition 1: Specifies the number of visits to each URL and the number of source
IPs of each URL.

l Condition 2: Specifies the time for the device to learn each URL.

4. If the Switch to Protected Mode after Learning check box is selected, the status of a URL
that the device finishes learning will be switched to the Protected Mode automatically.
Otherwise, the URL will be in the Learning-completed status.

5. If the Learn URLs without Parameters check box is selected, the device will learn URLs
with and without parameters. Otherwise, the device will only learn URLs with parameters.

6. To exempt a URL from being learned by the device, click New in the URL Exception sec-
tion to add a URL. You can add several URLs and select accurate matching or regular expres-
sion matching for each URL.

7. To exempt an IP reputation category from being learned by the device, select the check box
of the category. For details on IP reputation, refer to Policy > IP Protection Policy.

8. After completing the above configuration, click Start to start to learn URLs. The page will
turn gray and cannot be configured temporarily.

9. To stop learning URLs, click Stop, and then the device will stop generating auto-learning
profiles.

Viewing the Auto-learning Profile

Notes: In versions earlier than WAF 3.5, the URLs of the auto-learning model record the
number of visits but not the time spent on visits. After upgrading to WAF 3.5 or later,
the auto-learning model may therefore show the following statistics:

l For URLs that were in the Learning-completed status or the Protected Mode before the
upgrade, the Edit URL Parameter section shows no data for time spent on visits.

l For URLs that were in the Learning status before the upgrade:

l The Edit URL Parameter section shows no data for time spent on visits, or the
average time spent on visits may be less than the shortest time spent on visits.

l On the Auto-learning Profile URL Statistics page, the number of URLs may differ
between the learning URLs visit count table and the learning URLs visit time table.
For example, the Learning URLs Count TOP10 table may display 7 URLs while the URL
Average Access Time table displays only 3.

After configuring the parameters on the Configure page, click Start, and then the device will start
to generate auto-learning profiles.
Click the Auto-learning Profile t

ab to view auto-learning profiles grouped by domain name.
For each domain, the profile counts the number of URLs in the Learning status, the
Learning-completed status and the Protected Mode.

Click + next to each domain name to expand the auto-learning details, including URL and Cookie.

Click the delete icon in the Operation column of a domain to delete the auto-learning
results of that domain name.
Click Delete Auto-learning Profile in the upper-left corner to delete the auto-learning results of
the site.

Auto-learning Profile URL Statistics

Click the statistics icon next to each domain to view the URL statistics of the
specified domain in the auto-learning model, including the Top 10 URLs by visit count
during the learning phase, the Top 10 URLs by average visit time, and the Top 10 URLs by
longest visit time.

Click the refresh icon to refresh the URL statistics for all views or for a specific view.

URL Details

To view the URL details of the profile, click the URL tab. The page will display the URL path,
status, request method, HTTP request count, client IP count and learning time.
Select a URL, and take the following steps:

l Click Not Learn to prevent the device from learning the URL.

l Click Delete or the delete icon to delete the URL. After the URL is deleted, the
device learns it again.

l Click the edit icon, and the Edit URL Parameter section appears.

Note: For URLs that the device is still learning, you cannot edit the parameters.

In the Edit URL Parameter section, configure the following:

l URL Path: Displays the path of the URL, which cannot be modified.

l Status: Displays the current learning status of the URL. The status is switched with
the Operate action.

l Average Access Time, Maximum Access Time, Minimum Access Time: Display the average,
maximum and minimum access time of the URL in milliseconds; these values cannot be
edited. The system only updates the access time data during the learning phase. Once
the URL status switches to Learning-completed or Protected Mode, the response time data
of that URL is no longer updated.

l Operate: Specifies the action: Switch to Protected Mode, Switch to Learning-completed
Mode, Add to Not Learn List or Delete. The available actions depend on the current
status of the URL.

l Request Method: Changes the allowed HTTP request methods, such as GET and POST.
Several methods can be selected.

Parameter List:

l Name: Specifies the name of the URL parameter. Click + to add more parameters.

l Type: Specifies the type of the URL parameter, such as "number" or "string".

l Range: Specifies the minimum and maximum length of the URL parameter.

l Is it a Must: Specifies whether the URL parameter is required.
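The profile fields listed above (request method, parameter name, type, length range and whether a parameter is required) can be derived from traffic in the way the auto-learning description suggests. The following Python is an added example, not the appliance's learning engine: it learns a per-URL profile from constructed requests, switches the URL to the Protected Mode once the Condition 1 thresholds (visits and distinct source IPs) are met, and then reports signature mismatches that would trigger the configured action. The request format, the thresholds, the "block" action and the rule that a parameter is required when it appeared in every learned request are assumptions; Condition 2 (learning time) is not modelled.

```python
from urllib.parse import urlsplit, parse_qsl


class UrlProfile:
    """Learned signature of one URL path."""

    def __init__(self, path):
        self.path = path
        self.status = "learning"     # learning | completed | protected
        self.methods = set()
        self.hits = 0
        self.client_ips = set()
        self.params = {}             # name -> {"numeric", "min", "max", "seen"}

    def observe(self, method, query, client_ip):
        self.hits += 1
        self.methods.add(method)
        self.client_ips.add(client_ip)
        for name, value in parse_qsl(query, keep_blank_values=True):
            p = self.params.setdefault(
                name, {"numeric": True, "min": len(value), "max": len(value), "seen": 0})
            p["seen"] += 1
            p["numeric"] = p["numeric"] and value.isdigit()   # Type: number vs string
            p["min"] = min(p["min"], len(value))               # Range
            p["max"] = max(p["max"], len(value))

    def violations(self, method, query):
        """Signature mismatches of a request against the learned profile."""
        found = []
        if method not in self.methods:
            found.append(f"method {method}")
        given = dict(parse_qsl(query, keep_blank_values=True))
        for name, p in self.params.items():
            required = p["seen"] == self.hits                 # "Is it a Must"
            if name not in given:
                if required:
                    found.append(f"missing {name}")
                continue
            value = given[name]
            if p["numeric"] and not value.isdigit():
                found.append(f"type {name}")
            if not p["min"] <= len(value) <= p["max"]:
                found.append(f"length {name}")
        found.extend(f"unknown {name}" for name in given if name not in self.params)
        return found


class AutoLearner:
    def __init__(self, min_hits=20, min_ips=5, action="block",
                 switch_to_protected=True, learn_without_params=False, exceptions=()):
        self.min_hits, self.min_ips = min_hits, min_ips       # Condition 1
        self.action = action
        self.switch_to_protected = switch_to_protected
        self.learn_without_params = learn_without_params
        self.exceptions = set(exceptions)                     # URL Exception, exact match
        self.profiles = {}

    def handle(self, method, url, client_ip):
        """Return "pass" or the configured action for one request."""
        parts = urlsplit(url)
        path, query = parts.path, parts.query
        if path in self.exceptions:
            return "pass"
        if not query and not self.learn_without_params and path not in self.profiles:
            return "pass"              # URLs without parameters are not learned
        prof = self.profiles.get(path)
        if prof is None:
            prof = self.profiles[path] = UrlProfile(path)
        if prof.status == "learning":
            prof.observe(method, query, client_ip)
            if prof.hits >= self.min_hits and len(prof.client_ips) >= self.min_ips:
                prof.status = "protected" if self.switch_to_protected else "completed"
            return "pass"
        if prof.status == "protected" and prof.violations(method, query):
            return self.action
        return "pass"


# Constructed learning traffic: 20 requests to /login from 5 client IPs.
SAMPLE_REQUESTS = [("GET", f"/login?user=user{i}&id={i}", f"198.51.100.{i % 5 + 1}")
                   for i in range(20)]


def learn_sample(learner):
    for method, url, ip in SAMPLE_REQUESTS:
        learner.handle(method, url, ip)
    return learner
```

After the sample traffic, `id` is learned as a number of 1 to 2 characters and `user` as a string of 5 to 6 characters; a later request carrying `id=1 OR 1=1` fails both the type and the length check and receives the configured action, while a request that omits a parameter seen in every learned request is reported as missing.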

Cookie Details

To view the Cookie details of the profile, click the Cookie tab. The page will display the paths of
cookie and HttpOnly parameter.

External Link Rewriting
The external link rewriting function is supported only in reverse proxy mode and one-arm reverse
proxy mode.
When a website is upgraded to IPv6, so-called "skylight" issues may occur: external
links on the website are not upgraded to IPv6, so for an IPv6 client the pages may
respond slowly or certain content (the part loaded from the external link) is left
blank. WAF supports automatic detection and rewriting of external links. You can add
detected external links to the external link rewriting list. If a response returned to
the client contains links in that list, the system rewrites those links before returning
the response to the client. When the client then requests the rewritten link, WAF acts
as a proxy, fetches the external resource and returns it to the client. This way, the
skylight issues are fixed.

Configuring External Link Rewriting

To configure the external link rewriting function, take the following steps:

1. Select Site > Web Site.

2. Select the site you want to configure and select External Link Rewrite from the Advanced
Protection Functions drop-down list.

3. On the External Link Rewrite page, configure the following options:

l External Link Rewrite: Click the button to enable the external link rewriting function.

l Recursive Rewrite: Click the button to enable recursive rewriting. With this function
enabled, if the client accesses a rewritten external link and the returned response still
contains external links (IPv4), the device continues to rewrite that response.

l External Link Prefix: Specifies the link prefix used for rewriting external links. The
value range is 1 to 63 characters.

l Import External Link: Contains the following items.

l Discovery Mode: The mode for external link detection. Valid values: All URL and
Hyper Link Only. All URL detects external links starting with "http://", "https://"
and "//", while Hyper Link Only detects only external links starting with
href="http://, href="https:// and href="//.

l Domain Name Filter: Enter a domain name into the text box and click Query; the
system displays the external links that contain the domain name in the list below.
To restore the list to its state before filtering, click Clear Filters.

l Enable External Link Discovery: Click Enable External Link Discovery to enable
external link discovery. When the real server returns a response page to the
client, the system then automatically detects whether the page contains external
links (IPv4) and displays the found external links in the list below. This
function continuously consumes system resources; to disable it, click Disable
External Link Discovery.

l Refresh: Click Refresh to refresh the external link discovery list.

l Clear All: Click Clear All to clear the external links that have been added to
the external link rewrite list.

l External Link Rewrite list: The list contains the external links added from the
external link list. To delete an external link, select it and click Delete. To add an
external link manually, click New.

l Type: Specifies the protocol to which the system rewrites the external links:
"-----", HTTP or HTTPS. "-----" means the original protocol of the external link
is kept.

l Domain: Specifies the domain name of the external links. The system rewrites the
external links that contain this domain name.

Assume that HTTPS is selected as the type, "www.baidu.com" as the domain name and
"proxy" as the external link prefix. When the client requests
http://www.waf.com:9999/index.com and the response returned by the website contains the
external link "//www.baidu.com/123.jpg", the system rewrites the link to
"http://www.waf.com:9999/proxy.https.www.baidu.com/123.jpg".

4. Click OK.

Notes:
l External link detection and rewriting are not supported for Chinese domain names.

l External link detection and rewriting are not supported for compressed responses.
Therefore, before enabling external link detection and rewriting, enable Stop Server
Compressing on the Acceleration tab.
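An added Python example (not Hillstone's code) of the detection and rewriting rules described above: discovery in the All URL and Hyper Link Only modes, rewriting of links whose domain is on the rewrite list into the <prefix>.<scheme>.<domain> path form shown in the example, and the reverse mapping the WAF needs when the client later requests the rewritten path. The sample HTML body, the regular expressions and the handling of protocol-relative links under the "-----" type are assumptions.

```python
import re

HOST = r'(?P<host>[A-Za-z0-9.-]+(?::\d+)?)'
# All URL: links starting with http://, https:// or //
LINK_RE = re.compile(r'(?P<scheme>https?:)?//' + HOST + r'(?P<path>/[^\s"\'<>]*)?')
# Hyper Link Only: href="http://, href="https:// or href="//
HREF_RE = re.compile(r'href="(?P<scheme>https?:)?//' + HOST + r'(?P<path>/[^"]*)?"')


def discover(body, site_host, mode="all"):
    """Hosts of the external links found in a response body ("all" or "hyperlink")."""
    rx = LINK_RE if mode == "all" else HREF_RE
    return {m.group("host") for m in rx.finditer(body)} - {site_host}


def rewrite(body, site_origin, prefix, rules, page_scheme="http"):
    """rules: host -> "http" | "https" | "-----" (keep the link's own scheme).
    A matching link becomes <site_origin>/<prefix>.<scheme>.<host><path>, so the
    client's next request for it arrives at the WAF instead of the external host."""
    def repl(m):
        host = m.group("host")
        if host not in rules:
            return m.group(0)
        scheme = rules[host]
        if scheme == "-----":
            # Protocol-relative links ("//host/...") carry no scheme; assume the
            # scheme of the page they are embedded in.
            scheme = (m.group("scheme") or page_scheme + ":")[:-1]
        return f"{site_origin}/{prefix}.{scheme}.{host}{m.group('path') or '/'}"
    return LINK_RE.sub(repl, body)


def resolve(path, prefix):
    """Upstream URL the WAF fetches on the client's behalf for a rewritten path,
    or None if the path is not a rewritten link."""
    m = re.match(r'^/' + re.escape(prefix) + r'\.(https?)\.' + HOST + r'(?P<rest>/.*)?$', path)
    if not m:
        return None
    return f"{m.group(1)}://{m.group('host')}{m.group('rest') or '/'}"


# Constructed response body referencing two external hosts.
SAMPLE_BODY = ('<a href="https://www.baidu.com/">Search</a>'
               '<img src="//www.baidu.com/123.jpg">'
               '<script src="http://cdn.example.net/a.js"></script>')

if __name__ == "__main__":
    print(discover(SAMPLE_BODY, "www.waf.com", "all"))
    out = rewrite(SAMPLE_BODY, "http://www.waf.com:9999", "proxy", {"www.baidu.com": "https"})
    print(out)
    print(resolve("/proxy.https.www.baidu.com/123.jpg", "proxy"))
```

Recursive Rewrite corresponds to running `rewrite` again on the body the WAF fetches through `resolve`. The All URL pattern will also pick up `//` sequences inside inline scripts and comments, which is one reason the discovery list is reviewed before links are added to the rewrite list.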

Configuring a Weak Password
Attackers can take over a legitimate user's account through account hijacking, and weak
passwords are one of the most common means they exploit. Hillstone WAF can detect accounts
that log in with weak passwords and collect related statistics. To view information about
account security, go to the Sites Monitor page.

Configuring Weak Password Detection

To configure weak password detection, take the following steps:

1. Select Site > Web Site.

2. Select the site on which you want to configure weak password detection, and select
Weak Password from the Advanced Protection Functions drop-down list.

3. On the Weak Password page, configure the following options.

l Weak Password: Click the button to enable weak password detection. This function is
disabled by default.

Advanced Configuration:

l Linked User Session Tracking Strategy: Click the button to enable the Linked User
Session Tracking Strategy. This function is disabled by default.

l User Tracking Policy: With the Linked User Session Tracking Strategy enabled, the
system synchronizes the user tracking policy referenced by the site and, based on that
policy, applies the site's response method after the user logs in successfully. If the
site does not reference any user tracking policy, the policy referenced by Weak Password
is applied to the site automatically. Note: With the Linked User Session Tracking
Strategy enabled, if a user logs in to the site successfully with a weak password, the
related logs are recorded on the Web Event Log page.

l Password Fields: Specifies the password identifiers (the form field names that carry
the password) in the login request of the user session to be matched. The default value
is "password; passwd; pwd; Password; PASSWORD". Separate multiple password fields with
semicolons.

l Username: Specifies the user identifiers (the form field names that carry the user
name) in the login request of the user session to be matched. The default value is
"username;user;name;account;Username;User;USER". Separate multiple user names with
semicolons. Note: If the Linked User Session Tracking Strategy is enabled, this
parameter is hidden and the system uses the Username parameter of the user session
tracking policy to detect weak passwords.

l Login URL: Specifies the relative path of the login URL of the site for the user
session to be matched. The default login URL is "/.*login.*". Click New to create a login
URL, such as "/test/login.php". To delete a URL, select it and click Delete. You can
configure up to 8 login URLs. Note: If the Linked User Session Tracking Strategy is
enabled, this parameter is hidden and the system uses the Login URL parameter of the
user session tracking policy to detect weak passwords. Login URL only supports regular
expressions.

l Password Length: Specifies the minimum password length. A password shorter than the
specified length is determined to be a weak password. The value range is 4-50 and the
default value is 6.

l Password Character: Specifies how many character categories a password should
contain. A password with fewer character categories is determined to be a weak password.
The value range is 1-4 and the default value is 2.

l Check For The Same Username And Password: Click the button to flag passwords that are
identical to the user name as weak. This function is disabled by default.

l Password Contains N Consecutive Characters in Username: Specifies N. A password that
contains a run of N or more consecutive characters of the user name is determined to be
a weak password. The value range is 3 to 5 and the default value is 5.

l Continuous Character Detection: Click the button to enable Continuous Character
Detection. This function is enabled by default. A password that matches one of the
following conditions is determined to be a weak password:

l The password contains six or more continuous ASCII characters, such as 123456.

l The password contains six or more consecutive identical characters, such as 111111.

l Specify Weak Password: Click New to specify a weak password. When the login password
used by the user exactly matches a specified weak password, it is determined to be a weak
password. Click New again to specify more weak passwords. To delete a specified weak
password, select it and click Delete. You can specify up to 128 weak passwords.
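The following Python is an added example, not the appliance's detector, that applies the checks described above to credentials taken from a login request: the default Login URL regular expression and the default Password Fields / Username field lists locate the credentials, and the password is then tested for length, character categories, equality with the user name, an N-character run shared with the user name, continuous or identical character runs, and the Specify Weak Password list. The sample credentials and the weak password list are constructed; comparing against the user name case-insensitively is an assumption.

```python
import re
from urllib.parse import parse_qs

# Defaults as listed above; the weak_list entries are constructed.
LOGIN_URL_RE = re.compile(r"/.*login.*")
PASSWORD_FIELDS = "password; passwd; pwd; Password; PASSWORD"
USERNAME_FIELDS = "username;user;name;account;Username;User;USER"
DEFAULTS = dict(min_length=6, min_categories=2, same_as_username=True,
                username_run=5, continuous=True,
                weak_list=frozenset({"123456", "password", "admin123"}))


def extract_credentials(path, form_body):
    """(username, password) from a form-encoded login request, or (None, None)
    when the path does not match the login URL pattern."""
    if not LOGIN_URL_RE.match(path):
        return None, None
    form = parse_qs(form_body)

    def first(fields):
        for name in (f.strip() for f in fields.split(";")):
            if name in form:
                return form[name][0]
        return None
    return first(USERNAME_FIELDS), first(PASSWORD_FIELDS)


def char_categories(password):
    """Number of categories present: lower, upper, digit, other."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in password) for t in tests)


def longest_run(password, step):
    """Longest run where each code point is the previous one plus `step`
    (step 1: 123456 / abcdef, step 0: 111111)."""
    best = run = 1 if password else 0
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if ord(cur) - ord(prev) == step else 1
        best = max(best, run)
    return best


def shares_username_run(username, password, n):
    """True if any n consecutive characters of the user name occur in the
    password (compared case-insensitively; an assumption)."""
    u, p = username.lower(), password.lower()
    return any(u[i:i + n] in p for i in range(len(u) - n + 1))


def weak_password_reasons(username, password, **overrides):
    """List of the checks the password fails; an empty list means not weak."""
    c = {**DEFAULTS, **overrides}
    reasons = []
    if len(password) < c["min_length"]:
        reasons.append("length")
    if char_categories(password) < c["min_categories"]:
        reasons.append("categories")
    if c["same_as_username"] and password == username:
        reasons.append("same_as_username")
    if shares_username_run(username, password, c["username_run"]):
        reasons.append("username_run")
    if c["continuous"] and max(longest_run(password, 1), longest_run(password, 0)) >= 6:
        reasons.append("continuous")
    if password in c["weak_list"]:
        reasons.append("listed")
    return reasons


def audit_login(path, form_body, **overrides):
    """Reasons a login request used a weak password; None if it is not a login."""
    username, password = extract_credentials(path, form_body)
    if password is None:
        return None
    return weak_password_reasons(username or "", password, **overrides)
```

The checker only sees credentials that travel as form fields in a request matching the login URL pattern; logins submitted as JSON or through a different path are exactly the cases the Login URL and field lists must be extended for.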

Batch Operation
You can modify sites in batches, such as adjusting site protection status in batches, enabling Web
access log in batches, and configuring site security policies in batches. Batch Operation supports
the following functions:

l Adjusting site protection status: The site protection statuses include Protect, Forward, and
Maintain.

l Enabling or disabling security policy alarms

l Enabling or disabling Web access logs

l Configuring policies for sites

l Modifying the SSL/TLS certificate chain of the specified site

l Configuring report tasks for sites

l Configuring PCI-DSS compliance report tasks

To adjust site protection status in batches, take the following steps:

1. Select Site > Web Site.

2. Select the sites whose protection status you want to adjust. Click Protect, Forward, or Main-
tain from the Batch Operation drop-down list.

3. You can view the change in the Status column.

To enable/disable security policy alarms in batches, take the following steps:

1. Select Site > Web Site.

2. Select the sites on which you want to perform batch operations. Click Enable Security
Policy Alarm Only or Disable Security Policy Alarm Only from the Batch Operation
drop-down list. Note: When the security policy alarm function is enabled, the system
only generates the related logs, and the protection action configured in the referenced
security policy does not take effect.

3. You can select a specific site and click Edit to view whether Alarm Only is enabled.

To enable/disable Web access logs in batches, take the following steps:

1. Select Site > Web Site.

2. Select the sites on which you want to perform batch operations. Click Enable Web Access
Log or Close Web Access Log from the Batch Operation drop-down list.

3. You can view the change in the Web Access Log column.

To configure security policies in batches, take the following steps:

1. Select Site > Web Site.

2. Select the sites on which you want to perform batch operations. Click Policy Configure
from the Batch Operation drop-down list.

3. On the Policy Configure section, select the new policy from the Security Policy drop-down
list for the specific site.

4. Click OK.

5. You can view the change in the Security Policy column.

To modify the SSL/TLS certificate chain, take the following steps:

1. Select Site > Web Site.

2. Select the HTTPS sites on which you want to perform batch operations. Click SSL/TLS
Certificate Chain from the Batch Operation drop-down list to go to the Site
Configuration panel.

3. From the SSL/TLS Certificate Chain drop-down list, select a new SSL/TLS certificate
chain to be applied to the specified sites.

4. Click OK.

5. The newly selected SSL/TLS certificate chain is displayed in the SSL/TLS Certificate
Chain column of the specified sites.

To configure report tasks in batches, take the following steps:

1. Select Site > Web Site.

2. Select the sites on which you want to perform batch operations. Click Report from the
Batch Operation drop-down list to go to the Report Task Configuration panel. If no site is
selected, the Select Site parameter is Any or left empty by default, according to the different
device models. Any indicates that the Report batch operation is performed on all sites.

3. On the Report Task Configuration panel, configure the report task. For more information,
see Report Task.

4. Click OK.

5. You can view the report tasks from Monitor > Reports > Report Task. By default, the
report task is enabled.

To configure PCI-DSS Compliance Report tasks in batches, take the following steps:

1. Select Site > Web Site.

2. Select the sites on which you want to perform batch operations. Click PCI-DSS Compliance
Report from the Batch Operation drop-down list to go to the Report Task Configuration
panel. If no site is selected, the Select Site parameter is Any or left empty by default, accord-
ing to the different device models. Any indicates that the batch operation for PCI-DSS com-
pliance report is performed on all sites.

3. On the Report Task Configuration panel, configure the PCI-DSS compliance report task.
For more information, see Report Task.

4. Click OK.

5. You can view the report tasks from Monitor > Reports > Report Task. By default, the
report task is enabled.

Site Self Discovery
Only in the transparent proxy mode, transparent tap mode, tap mode and traction mode can
the Site Self Discovery function be configured. With this function, the system
automatically monitors the HTTP/HTTPS traffic in the network to find websites or servers.
You can select one or more discovered websites to protect and add them to a site with one
click, which allows rapid deployment of the device. The system can also discover websites
in a specified network segment and filter the discovered sites by HTTP response code.
In addition, you can enable the Default Self Discovery function. With this function
enabled, the system monitors the HTTP/HTTPS traffic in the network and automatically adds
websites that are discovered more than the specified number of times to the Default Site
Discovery list, so that the system protects them through the default site. When you have
not yet added a specific protected site at the beginning of the deployment, the default
site provides basic security protection for the network. For more information about how
to protect websites comprehensively, see Creating a Site.

Notes: The default site of HTTPS is bound to the "default-rsa2048-cert-chain" certificate chain by default. If multiple web servers use the same certificate in your scenario, we recommend that you replace the certificate chain of the default HTTPS site with the certificate chain of the actual web server on the Web Site page before enabling the Default Site Discovery function.

Configuring the Site Self Discovery

To configure the site self discovery, take the following steps:

1. Select Site > Site Self Discovery.

2. On the Site Self Discovery page, configure the following options.

Flow In Interface: Select the egress interface of the traffic from the drop-down list. The system will search the inbound traffic of the interface for websites. You can specify multiple interfaces. If no egress interface is specified, the traffic of all interfaces is searched by default. It is recommended to select an interface connected to the Internet, i.e., the WAN port.

Discovery Segment: In the segment list, click New and enter the IPv4 address/netmask or IPv6 address/prefix of the traffic into the corresponding text boxes. You can specify one or more segments. If no discovery segment is specified, all traffic is searched.

Domain Filter: To self-discover websites or services of specified domain names, turn on the switch next to Domain Filter and then enter a domain name in the field. A maximum of 255 characters can be entered. If not enabled, the system self-discovers all domain names in the network environment. By default, this function is disabled.
The system matches domain names in Domain Filter by using exact match and fuzzy match:
• Exact match: When a complete domain name is entered, the system matches the domain name exactly. For example, if the domain is configured as www.test.com or 10.10.10.1, the system only matches that specific domain.
• Fuzzy match: When a wildcard domain name is entered, the system matches the domain name fuzzily. For example, if the domain is configured as *.test.com, the system matches domain names ending in .test.com, including abc.test.com, 123.test.com, etc.

Response Code Filter: To discover a website or server with a specified response code, click the button to enable Response Code Filter. Select a predefined HTTP response code or customize a response code. Note: Currently, this feature does not support HTTPS Site Discovery, so all HTTPS responses will be discovered.

HTTPS Site Discovery: To discover HTTPS websites or servers, click the button to enable HTTPS Site Discovery. The system will search HTTPS traffic, and the discovered HTTPS websites or servers will be displayed in the list below.

Site Discovery Result Auto Add To: Turn on the switch button to enable HTTP Default Site and HTTPS Default Site. Set the minimum number of times a website has been discovered. If a website is discovered more than the specified number of times, the system automatically adds it to the Default Site Discovery (HTTP) list and Default Site Discovery (HTTPS) list in the Default Site Service tab, and then protects it through the default site (default and default_https).
Note: The transparent proxy mode and traction mode support the default site of both HTTP and HTTPS. The tap mode and transparent tap mode support the default site of HTTP.

3. Click Start. When the traffic of the specified segment flows through the device, the system
discovers the website or server of the traffic automatically, and displays it in the cor-
responding list. To stop the self discovery, click Stop. The discovered websites or servers
are classified into the following categories:

• HTTP Site Discovery: Displays the IP address, port number, domain name, finding times, available operation, protection mode, protocol, and request method of all found HTTP websites or servers.

• HTTPS Site Discovery: Displays the IP address, port number, domain name, finding times, available operation, protection mode, protocol, and request method of all found HTTPS websites or servers.

• Default Site Service: The transparent proxy mode and traction mode support the default site service of both HTTP and HTTPS. The tap mode and transparent tap mode support the default site service of HTTP. This tab includes Default Site Discovery (HTTP), HTTP Custom Services, Default Site Discovery (HTTPS), and HTTPS Custom Services.

  • Default Site Discovery (HTTP): Displays the IP address, port number and domain name of all found default HTTP sites or servers (a site that supports all domain names is displayed as "any"). The items displayed on the list are protected by the default site. When the Default Site Discovery function is disabled, the found items on the list still exist. For an item that does not need to be protected, select it and click Add to Exception to add it to Default Site Exception. The item is then removed from the list.

  • HTTP Custom Services: Click New and then enter the IP, IP range, IPv4/Netmask, or IPv6/Prefix of the Web server sites, as well as the port number or port range of the services. You can add up to 16 items. Click OK. The new items are immediately protected by the default site.
  Note: The IP, IP range, IPv4/Netmask, or IPv6/Prefix can be specified as "any". The port number or port range can also be specified as "any". But these two fields cannot be specified as "any" at the same time. For example, if IP is specified as "any" and the port number is specified as 12, the default site protects any Web server sites whose port number is 12.

  • Default Site Discovery (HTTPS): Displays the IP address, port number and domain name of all found default HTTPS sites or servers (a site that supports all domain names is displayed as "any"). The items displayed on the list are protected by the default site (default_https). When the Default Site Discovery function is disabled, the found items on the list still exist. For an item that does not need to be protected, select it and click Add to Exception to add it to Default Site Exception. The item is then removed from the list.

  • HTTPS Custom Services: Click New and then enter the IP, IP range, IPv4/Netmask, or IPv6/Prefix of the Web server sites, as well as the port number or port range of the services. You can add up to 16 items. Click OK. The new items are immediately protected by the default site (default_https).
  Note: The IP, IP range, IPv4/Netmask, or IPv6/Prefix can be specified as "any". The port number or port range can also be specified as "any". But these two fields cannot be specified as "any" at the same time. For example, if IP is specified as "any" and the port number is specified as 12, the default site protects any Web server sites whose port number is 12.

• Default Site Exception: The transparent proxy mode and traction mode support the default site exception of both HTTP and HTTPS. The tap mode and transparent tap mode support the default site exception of HTTP.

  • Default Site Exception (HTTP): Displays the default sites that have been added to the exception list. The items displayed on the list are not protected by the default site.

  • HTTP Custom Exception Service: Click New and then enter the IP, IP range, IPv4/Netmask, or IPv6/Prefix of the Web server sites, as well as the port number or port range of the services. You can add up to 16 items. Click OK. The added items are not protected by the default site.

  • Default Site Exception (HTTPS): Displays the default sites that have been added to the exception list. The items displayed on the list are not protected by the default site (default_https).

  • HTTPS Custom Exception Service: Click New and then enter the IP, IP range, IPv4/Netmask, or IPv6/Prefix of the Web server sites, as well as the port number or port range of the services. You can add up to 16 items. Click OK. The added items are not protected by the default site (default_https).

4. Click any site discovery tab, select an item on the list, and click Create. On the Site Configuration page, configure the related options. For more information, refer to Configuring a Site.

5. Click in the upper-left corner of the list, and select a filter condition from the drop-down list. For example, to quickly add web servers with the same domain name but different IP/ports to a WAF site for protection, filter web servers by Domain Name, select all the results, and click Create to add a site.

6. If there is a web server whose IP address and port number are the same as those of an existing site while the domain names are different, or whose domain name is the same as that of an existing site while the IP addresses and port numbers are different, you can select the item and click Add to Site to add it to the existing site.

7. To delete an invalid or unnecessary item, select the item and click Delete.

Notes:
• The item for which you have created a site, or that has been added to an existing site, is automatically deleted.

• Websites that have been found frequently may be experiencing heavy traffic, so it is recommended to protect them first.

• The self discovery can only be stopped by clicking Stop. It is not stopped by closing the dialog box or logging out.

• In a complex network, some websites may not be discovered because their traffic does not pass through the WAF device for a while. To solve this problem, you can enable the self-discovery function multiple times or extend the finding time.
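As an added illustration (not Hillstone code), the following Python model applies the Site Self Discovery filters described above, Discovery Segment, Domain Filter, Response Code Filter and HTTPS Site Discovery, to a constructed sample of observed responses, and shows which sites exceed the Site Discovery Result Auto Add To threshold. The class and field names are assumptions, not the product's configuration schema.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Observation:
    """One server response seen on the monitored interface (constructed sample data)."""
    server_ip: str
    port: int
    host: str
    status: int
    https: bool = False


@dataclass
class DiscoveryConfig:
    """The Site Self Discovery options modelled here; the field names are assumptions."""
    segments: List[str] = field(default_factory=list)      # Discovery Segment; empty = all traffic
    domain_filter: Optional[str] = None                     # Domain Filter; None = switch off
    response_codes: Set[int] = field(default_factory=set)  # Response Code Filter; empty = off
    https_discovery: bool = False                           # HTTPS Site Discovery switch
    auto_add_threshold: Optional[int] = None                # Site Discovery Result Auto Add To; None = off


def domain_matches(pattern: str, host: str) -> bool:
    """Exact match for a complete name (www.test.com, 10.10.10.1); a wildcard such as
    *.test.com matches hosts ending in .test.com, so test.com and evil-test.com do not."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def in_segments(cfg: DiscoveryConfig, ip: str) -> bool:
    """With no configured segment every server address is searched."""
    if not cfg.segments:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(seg, strict=False) for seg in cfg.segments)


def discover(cfg: DiscoveryConfig, traffic: List[Observation]):
    """Count the finding times of each (server IP, port, domain name) after applying the
    filters, and return (http_sites, https_sites, auto_added_http, auto_added_https)."""
    http_sites: Counter = Counter()
    https_sites: Counter = Counter()
    for ob in traffic:
        if not in_segments(cfg, ob.server_ip):
            continue
        if cfg.domain_filter and not domain_matches(cfg.domain_filter, ob.host):
            continue
        key = (ob.server_ip, ob.port, ob.host)
        if ob.https:
            if not cfg.https_discovery:
                continue
            # The response code filter does not apply to HTTPS discovery, so every
            # HTTPS response is counted as a finding.
            https_sites[key] += 1
        else:
            if cfg.response_codes and ob.status not in cfg.response_codes:
                continue
            http_sites[key] += 1

    def exceeds(times: int) -> bool:
        # "discovered more than the specified number of times": strictly greater
        return cfg.auto_add_threshold is not None and times > cfg.auto_add_threshold

    auto_http = [k for k, n in http_sites.items() if exceeds(n)]
    auto_https = [k for k, n in https_sites.items() if exceeds(n)]
    return http_sites, https_sites, auto_http, auto_https


# Constructed sample traffic and configuration, not captured from a real network.
SAMPLE_TRAFFIC = [
    Observation("10.10.10.5", 80, "www.test.com", 200),
    Observation("10.10.10.5", 80, "www.test.com", 200),
    Observation("10.10.10.5", 80, "www.test.com", 404),                # dropped: response code
    Observation("10.10.10.6", 8080, "abc.test.com", 200),
    Observation("10.10.10.6", 8080, "abc.test.com", 500),              # dropped: response code
    Observation("10.10.10.7", 443, "shop.test.com", 200, https=True),
    Observation("10.10.10.7", 443, "shop.test.com", 403, https=True),  # HTTPS: still counted
    Observation("192.168.1.9", 80, "www.other.org", 200),              # dropped: segment
    Observation("10.10.10.8", 80, "evil-test.com", 200),               # dropped: domain filter
]

EXAMPLE_CONFIG = DiscoveryConfig(
    segments=["10.10.10.0/24"],
    domain_filter="*.test.com",
    response_codes={200},
    https_discovery=True,
    auto_add_threshold=1,
)
```

Running discover(EXAMPLE_CONFIG, SAMPLE_TRAFFIC) yields www.test.com found twice and shop.test.com found twice, so only those two exceed the threshold of 1 and land in the Default Site Discovery lists.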

Policy
By configuring policies, you can defend the network against web attacks. A policy is a set of protection rules, consisting of matching conditions and the actions that the system takes when the conditions are matched. A policy only takes effect after being bound to a site.

Policy Type
Policies include IP Protection Policy, Access Control Policy, API Protection Policy, Security Policy, Auto-learning Policy, User Tracking Policy and Content Rewrite Policy:

• With the IP protection policy, some high risk source IPs or IPs from certain countries/regions are prohibited from accessing websites based on IP reputation categories or IP address ranges by country/region.

• With the access control policy, the traffic flowing to the site is filtered by HTTP request method, file type, HTTP protocol version, URL path, client IP and so on.

• With the API protection policy, API traffic on the site can be detected and protected.

• With the security policy, you can defend against known threats.

• With the auto-learning policy, if the traffic flowing through the device does not match the signatures of auto-learning profiles, the traffic is handled by the protection actions configured in the auto-learning policy.

• With the user tracking policy, cyber attacks can be traced and reproduced by recording, tracking and analyzing user names and session identifiers. It is a protection method complementary to the access control policy, auto-learning policy and security policy.

• With the content rewrite policy, requests to websites can be redirected, or requests to or responses from websites can be rewritten, so as to avoid some security risks or code vulnerabilities.

When a site references all seven policies at the same time, the execution priority is: IP protection policy, access control policy, API protection policy, security policy, auto-learning policy, user tracking policy and content rewrite policy. By referencing policies, the site is protected by the rules of those policies. One site can reference one security policy, one auto-learning policy, one API protection policy, one IP protection policy, one user tracking policy, and several access control policies and content rewrite policies.

Rule Management
In this section, you can manage both predefined and custom protection rules. One protection rule can be a single rule or a set of rules. There are 10 predefined protection types: HTTP Protocol Anomaly, DDoS, Injection Attack, XSS, Information Leakage, Cookie Security, Access Detection, Special Web Vulnerability, Illegal Resource Access and Malware.

• HTTP Protocol Anomaly: With the rule enabled, the system can detect and block attacks with massive malformed HTTP protocol packets.

• Injection Attack: With the rule enabled, the system can detect attacks that deceive the server into executing SQL, LDAP and SSI commands by uploading the commands as part of the data sent to the web server.

• XSS: With the rule enabled, the system can prevent attackers from stealing a user's information by exploiting network vulnerabilities when the user browses a website or uses IM software.

• Information Leakage: With the rule enabled, the system filters and drops sensitive information to prevent information leakage.

• Access Detection: With the rule enabled, the system can defend the web server against unknown destination scanning by scanners, crawling behavior and directory traversal behavior.

• Special Web Vulnerability: With the rule enabled, the system can defend the network against web vulnerabilities, such as web server vulnerability, web framework vulnerability and web application vulnerability.

• Malware: With the rule enabled, the system can defend the network against malware attacks, such as WebShell attacks, Trojans and malicious user access.

• DDoS: DDoS includes HTTP flood attacks at the application layer and common flood attacks at the network layer. It may cause the web server to become unresponsive. Currently, with the rule enabled, the system only detects HTTP flood attacks.

• Cookie Security: With the rule enabled, the system can defend the user information saved in browser cookies from being used or stolen.

• Illegal Resource Access: Illegal resource access includes uploading and downloading illegal files and hot-linking. With the rule enabled, the system can detect illegal files uploaded to and downloaded from the server. The links of the site are also defended from being used illegally.

Types of protection rules and their subtypes:

HTTP Protocol Anomaly: ----

DDoS: HTTP Flood.

Injection Attack: SQL Injection, LDAP Injection, SSI Directive Injection, XPath Injection, Command Injection, Remote File Inclusion, Local File Inclusion, Code Injection, Email Injection, XML Injection, and Other Injection.

XSS: XSS.

Information Leakage: Server Information Leakage, Database Information Leakage, Directory Content Leakage, Code Information Leakage, Keyword Leakage, Personal Information Leakage and Other Leakage.

Cookie Security: HTTP Only, Cookie Defacement, and Cookie Hijacking.

Access Detection: Scanner, Crawler, and Directory Traversal.

Special Web Vulnerability: Web Server Vulnerability, Web Framework Vulnerability, Web Application Vulnerability, and Other Vulnerability.

Illegal Resource Access: Illegal Upload, Illegal Download, and Hotlinking.

Malware: WebShell, and Trojan.

Notes:
• Custom rules and predefined rules are global and can be shared among policies.

• Custom rules have a higher priority than predefined rules.

Updating Rule Database

The rule database is updated daily by default, and the update configuration can be modified. There are two predefined update servers, "update1.hillstonenet.com" and "update2.hillstonenet.com", and two update methods: online update and local update. For more information about the update, go to System > Upgrade Management > Signature Database Update.

Black List
The system allows you to add client IP addresses and URLs to the blacklist for blocking. The system can identify IPv4 and IPv6 blacklists. The blacklist has two categories: global and site-specific. The global blacklist applies to all sites, while a site-specific blacklist only applies to the specified site. If a client IP address is blacklisted, traffic from that client IP address does not need to match security policies, and its access to the current site is denied by the system.

White List
For some trusted source IP addresses or specific public URL paths, you can add them to the White List. This way, for a request initiated by a host whose IP address is included in the whitelist or a request to access a URL included in the whitelist, security policies except for content rewrite policies are skipped, and the request is forwarded to the site server. For a request that does not match an item in the whitelist, the device continues to perform blacklisting and additional filtering.
Whitelists can be divided into domain/URL whitelists and client IP whitelists. The system can identify IPv4 and IPv6 whitelists. Client IP whitelists have two categories: global and site-specific. The global client IP whitelist applies to all sites, while a site-specific client IP whitelist only applies to the specified site.

Network Protect Action

Hillstone WAF provides designated security protection measures for special application scenarios. For example, in a Cyber Attack and Defense Drill, sites can be comprehensively protected by WAF with the Network Protect Action function.

Rule Exception
Rule exceptions are a set of exception items. The traffic matching the rule exceptions is exempted from the rule. Rule exceptions can be created from the Web security logs or manually. For more information, see Configuring a Rule Exception.

IP Protection Policy
The IP protection policy is a protection method that prohibits some high risk source IPs or IPs from certain countries/regions from accessing websites based on IP reputation categories or IP address ranges by country/region. IP protection includes IP reputation protection and Geo IP protection. Besides, you can configure an IP protection exception for IP addresses that do not need to be filtered by IP protection policies.

• IP Reputation Protection: Based on the signature rules in the WAF IP reputation signature database, the system filters out the high risk host IPs that access a site. The system supports the following IP reputation categories: Bot, Spam, TorNode, Compromised, Proxy, Scanner, Brute-forcer and DDoS attacker. You can specify different protection actions for different IP reputation categories.

• Geo IP Protection: You can configure different protection actions for client IP addresses from different countries/regions. For example, you can prohibit users from certain countries/regions from accessing a site.

• Protection Exception: You can configure protection exceptions. You can add the IP addresses that do not need to be filtered to the protection exception list so that the traffic from these IPs is exempted from being filtered by IP protection policies.

The configured IP protection policy will only take effect after being bound to a site.

Notes:
• To enable the IP reputation protection function, you need to install the WAF IP reputation license and update the WAF IP reputation signature database. To ensure uninterrupted connection to the default update server, configure a DNS server for the device before updating.

Creating an IP Protection Policy
To create an IP protection policy, take the following steps:

1. Select Policy > Policy Type > IP Protection Policy.

2. Click New to go to the IP Protection Policy Configuration page.

Configure the following options:

Name: Specifies the name of the IP protection policy.

Description: Specifies the description of the policy.

IP Reputation Protection

Enable: Click the Enable button to enable the IP reputation protection function. When the function is enabled, the system filters out the high risk host IPs that access a site based on the signature rules in the WAF IP reputation signature database. The system supports the following IP reputation categories: Bot, Spam, TorNode, Compromised, Proxy, Scanner, Brute-forcer and DDoS attacker. You can specify different protection actions for different IP reputation categories. Note: A host IP may belong to multiple IP reputation categories at the same time.

Capture Packets: Click the button to enable the packet capture function. When the function is enabled, the device captures abnormal data packets. You can view the abnormal data in logs.

Log Only: Click the button to enable the logging function. When the function is enabled, the system generates logs of the traffic that matches the signature rules.

IP Reputation List

Name: Displays the name of the high-risk IP reputation category.

Status: Enable or disable the rule. When the rule is enabled, it can take effect in the IP protection policy.

Action: Select the protection action:
• Block: Block HTTP requests; related logs will be generated.
• Pass: Exempt HTTP requests from the filtering of the IP reputation protection rule, but they still have to be filtered by other security policies.
• Redirect: Redirect HTTP requests to the specified URL; related logs will be generated.
Note: A certain IP address may belong to multiple IP reputation categories at the same time. If the protection actions configured for the different categories differ, the priority of executing the actions on the IP is: Block > Redirect > Pass. For example, if an IP address belongs to both Bot and Spam, while the protection actions for them are Block and Redirect respectively, the final action for the IP is Block.

Status Code: The option is available when the protection action is Block. You can customize the web page that the device returns to the client with the HTTP status code.

Block Type: The option is available when the protection action is Block. Select the block type as Block Once or Period Block. If Block Once is selected, the current request is blocked; if Period Block is selected, the client IP is added to the blacklist and requests from the client IP are blocked for a while.

Block Period: The option is available when the protection action is Block and the block type is Period Block. Specifies the period for blocking the client IP.

Redirecting URL: The option is available when the protection action is Redirect. Specifies the destination URL for redirecting.

Geo IP Protection

Enable: Click the Enable button to enable the Geo IP protection function. When the function is enabled, the system performs protection actions on the IPs from the specified countries/regions.

Capture Packets: Click the button to enable the packet capture function. When the function is enabled, the device captures abnormal data packets. You can view the abnormal data in logs.

Log Only: Click the button to enable the logging function. When the function is enabled, the system generates logs of the traffic that matches the signature rules.

Action: Select the protection action:
• Block: Block HTTP requests; related logs will be generated.
• Pass: Exempt HTTP requests from being filtered by the Geo IP protection rule, but they still have to be filtered by other security policies.
• Redirect: Redirect HTTP requests to the specified URL; related logs will be generated.

Matching Mode: Select the method for matching countries/regions, including Belong to and Not Belong to. If Belong to is selected, the system performs the configured action on the IPs from the selected countries/regions. If Not Belong to is selected, the system performs the configured action on the IPs not from the selected countries/regions.

Countries Choose: Click New to select a country/region from the drop-down list. You can add multiple ones. To delete a country/region, select it and click Delete.

Protection Exception

Protection Exception: For IP addresses that do not need to be filtered by the IP reputation protection and Geo IP protection rules, you can add them to the protection exception list so that the traffic from these IPs is exempted from being filtered by IP protection policies. Click New and select the IP type from the drop-down list. Then, enter the IP address and netmask/prefix.

3. Click OK.

Notes: For an IP address that belongs to both an IP reputation category and a country/region that is filtered by the Geo IP protection rule, if Block is configured for the IP reputation category, there is no subsequent filtering; if Redirect or Pass is configured for the IP reputation category, the system continues to filter the IP according to the Geo IP protection rule.
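The following Python model (added here, not Hillstone code) works through the decision order described above: the Protection Exception list is checked first, then the strongest action among the client IP's reputation categories (Block > Redirect > Pass), and the Geo IP rule only when that result is not Block. The class and field names, the placeholder country codes, and the treatment of Log Only as "record the action without enforcing it" are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Block wins over Redirect, which wins over Pass, when one IP is in several categories.
ACTION_RANK = {"Block": 3, "Redirect": 2, "Pass": 1}


@dataclass
class IpProtectionPolicy:
    """The parts of an IP protection policy this example models (hypothetical field names)."""
    reputation_enabled: bool = True
    reputation_log_only: bool = False
    category_actions: Dict[str, str] = field(default_factory=dict)  # categories with Status on
    geo_enabled: bool = True
    geo_log_only: bool = False
    geo_action: str = "Block"
    geo_mode: str = "Belong to"                              # or "Not Belong to"
    geo_countries: Set[str] = field(default_factory=set)     # Countries Choose
    exceptions: List[str] = field(default_factory=list)      # Protection Exception networks


def reputation_action(policy: IpProtectionPolicy, categories):
    """Strongest configured action among the categories the client IP belongs to,
    or None when no enabled category matched."""
    actions = [policy.category_actions[c] for c in categories if c in policy.category_actions]
    return max(actions, key=ACTION_RANK.__getitem__) if actions else None


def geo_action(policy: IpProtectionPolicy, country: str):
    """Action for the client's country/region under Belong to / Not Belong to, or None."""
    listed = country in policy.geo_countries
    hit = listed if policy.geo_mode == "Belong to" else not listed
    return policy.geo_action if hit else None


def evaluate(policy: IpProtectionPolicy, client_ip: str, categories, country: str):
    """Return the ordered (stage, action) pairs a request passes through. Assumption:
    a Log Only stage is recorded as '<stage>-log' and never ends the evaluation;
    an enforced Block ends it, so no Geo IP filtering follows."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in ipaddress.ip_network(n, strict=False) for n in policy.exceptions):
        return [("exception", "Pass")]
    steps = []
    if policy.reputation_enabled:
        act = reputation_action(policy, categories)
        if act is not None:
            if policy.reputation_log_only:
                steps.append(("reputation-log", act))
            else:
                steps.append(("reputation", act))
                if act == "Block":
                    return steps      # Block: no subsequent Geo IP filtering
    if policy.geo_enabled:
        act = geo_action(policy, country)
        if act is not None:
            steps.append(("geo-log" if policy.geo_log_only else "geo", act))
    return steps


# Constructed policy: the per-category actions and the country code "ZZ" are placeholders.
EXAMPLE_POLICY = IpProtectionPolicy(
    category_actions={"Bot": "Block", "Spam": "Redirect", "Proxy": "Pass", "TorNode": "Block"},
    geo_action="Block",
    geo_mode="Belong to",
    geo_countries={"ZZ"},
    exceptions=["198.51.100.0/24"],   # e.g. monitoring hosts that must never be filtered
)

if __name__ == "__main__":
    # Bot + Spam -> Block wins (the guide's own example); Spam alone -> Redirect, then Geo IP.
    print(evaluate(EXAMPLE_POLICY, "203.0.113.10", {"Bot", "Spam"}, "ZZ"))
    print(evaluate(EXAMPLE_POLICY, "203.0.113.11", {"Spam"}, "ZZ"))
    print(evaluate(EXAMPLE_POLICY, "198.51.100.7", {"Bot"}, "ZZ"))
```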

IP Search
The system supports the IP Search function, which allows you to look up the reputation type and country/region of an IP address. To search an IP, take the following steps:

1. Select Policy > Policy Type > IP Protection Policy.

2. Click IP Search to go to the IP Search panel.

3. Enter the IP address and click Search.

4. The search result page displays the reputation type and country/region of the IP address that you entered.

Access Control Policy
Access control policy filters traffic flowing through the site by configuring matching conditions,
including HTTP request method, HTTP protocol version, URI path and client IP. Only when the
traffic meets all the configured conditions can the protection action be triggered. Protection
actions include Block, Pass and Redirect. You can configure the matching conditions and the cor-
responding protection actions to create an access control policy. With the access control policy
configured, various access requests can be controlled, and resources of the site can be defended
from being accessed illegally or hit by DoS attacks.

Creating an Access Control Policy

To create an access control policy, take the following steps:

1. Select Policy > Policy Type > Access Control Policy.

2. Click New to go to the Access Control Policy Configuration page.

Configure the following options:

Name: Specifies the name of the access control policy.

Description: Specifies the description of the policy.

Matching Condition

HTTP Method: Select the matching method, including Belong to and Not Belong to, and enter the HTTP request method to be matched (0 to 2047 bytes, case insensitive, are supported). You can add multiple methods at the same time, separated by ";", e.g., "GET;POST;".

HTTP Content Type: Select the matching method, including Belong to and Not Belong to, and enter the HTTP content type to be matched (0 to 2047 bytes are supported). You can add multiple types at the same time, separated by ";", e.g., "text/xml;application/json;".

HTTP Header Name: Select the matching method, including Included and Excluded, and enter the HTTP request header name to be matched (0 to 2047 bytes are supported). You can add multiple names at the same time, separated by ";", e.g., "Host;Accept;".
• Included: Matches all the configured HTTP request header names.
• Excluded: Matches none of the configured HTTP request header names.
Case Insensitive: With this check box selected, the system performs matching in a case-insensitive manner.

HTTP Header Value: Enter a specific HTTP header name in the Header Name field. HTTP requests with the same header name will be matched.
Select the matching method, including Match Regex, Not Match Regex, Equal To and Not Equal To, and enter the HTTP header value to be matched in the Matching Text field (0 to 2047 bytes are supported). The system compares the headers of HTTP requests with the configured Matching Text. For example, with the Header Name specified as "Host", to filter the headers "Host: www.domin1.com", "Host: www.domin2.com", "Host: www.domin3.com" and "Accept: www.domain1.com":
• If Match Regex is selected and the Matching Text is "www.domin1.com|www.domin2.com", "Host: www.domin1.com" and "Host: www.domin2.com", which conform to the regular expression of the matching text, will be matched; if Not Match Regex is selected, "Host: www.domin3.com" will be matched.
• If Equal To is selected and the Matching Text is "www.domin1.com", "Host: www.domin1.com", which is the same as the matching text, will be matched; if Not Equal To is selected, "Host: www.domin2.com" and "Host: www.domin3.com" will be matched.
Case Insensitive: With this check box selected, the system performs matching in a case-insensitive manner.

HTTP Version: Select the matching method, including Belong to and Not Belong to, and enter the HTTP protocol version to be matched (0 to 2047 bytes, case insensitive, are supported). Currently, HTTP/0.9, HTTP/1.0 and HTTP/1.1 are supported. You can add multiple versions at the same time, separated by ";", e.g., "HTTP/1.0;HTTP/1.1;".

URI Path: Select the matching method, including Match Regex, Not Match Regex, Equal To, Not Equal To, Match Path and Not Match Path. Enter the URI path to be matched in the Matching Text field. To add a URI path, click New. To delete a path, click Delete. You can add up to 32 URL paths at the same time.
Encoding: Select an encoding method.
Case Insensitive: With this check box selected, the system performs matching in a case-insensitive manner.
Note: As a part of the URI, the URI path is the file path used to locate a specific resource on the server. For example, if the URI of an HTTP request is "http://www.baidu.com/example/test.html?id=3", the URI path is "/example/test.html".
The system compares the URI path with the configured Matching Text. For example, to filter the URI paths "/demo/index.php", "/demo/index.asp", "/demo/index/index.php" and "/aaa/index.php":
• If Match Regex is selected and the Matching Text is "/demo/index.*php", "/demo/index.php" and "/demo/index/index.php", which conform to the regular expression of the matching text, will be matched. If Not Match Regex is selected, "/demo/index.asp" and "/aaa/index.php" will be matched.
• If Equal To is selected and the Matching Text is "/demo/index.php", "/demo/index.php", which is the same as the matching text, will be matched. If Not Equal To is selected, "/demo/index.asp", "/aaa/index.php" and "/demo/index/index.php" will be matched.
• If Match Path is selected and the Matching Text is "/demo/", "/demo/index.php", "/demo/index/index.php" and "/demo/index.asp", whose prefix is the same as the matching text, will be matched. If Not Match Path is selected, "/aaa/index.php" will be matched.

Client IP: Select the matching method, including Match IP and Not Match IP. Enter the client IP address to be matched. For IP Type, both IPv4 and IPv6 are supported. To add a client IP, click New. To delete an IP, click Delete. You can add up to 32 IP addresses at the same time.

Action: Select the protection action:
• Block: Block HTTP requests.
• Pass: Exempt HTTP requests from being filtered by the policy, but they still have to be filtered by other security policies.
• Redirect: Redirect HTTP requests to the specified address.

Schedule: Specifies the schedule for the policy; the policy only takes effect in the period specified in the schedule. Select a schedule from the Schedule drop-down list. To create a new schedule, click + at the end of the drop-down list.

Status Code: The option is available when the protection action is Block. You can customize the web page that the device returns to the client with the HTTP status code.

Redirect URL: The option is available when the protection action is Redirect. Specifies the destination URL for redirecting.

Record Log: Click the button to enable the logging function. Then, the system generates logs of the traffic that matches the access control policy.

Capture Packets: Click the button to enable the packet capture function. Then, the device captures abnormal data packets. You can view the abnormal data in logs.

3. Click OK.
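The six URI Path matching methods described in the table above, applied to the guide's own four sample paths, as an added example (this is not code from the guide or from the vWAF product). It assumes that Match Regex is an unanchored regular-expression search, that Match Path is a plain prefix test, and that the request path is percent-decoded and dot-segment-normalized before comparison; the guide states none of these details.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed sample: the four URI paths used in the guide's example.
SAMPLE_PATHS = [
    "/demo/index.php",
    "/demo/index.asp",
    "/demo/index/index.php",
    "/aaa/index.php",
]


def uri_path(url):
    """Return the URI path of a request URL, without the query string.

    Assumption (not stated by the guide): the path is percent-decoded and
    dot-segments ("." and "..") are collapsed before comparison, so that
    "/demo/%69ndex.php" or "/demo/../aaa/index.php" cannot bypass a rule
    written for the plain spelling of the path.
    """
    raw = urlsplit(url).path or "/"
    path = posixpath.normpath(unquote(raw))
    if raw.endswith("/") and not path.endswith("/"):
        path += "/"  # normpath drops the trailing slash; keep it for prefix rules
    return path


def uri_matches(path, method, text):
    """Apply one of the guide's six URI Path matching methods.

    Assumption: Match Regex is an unanchored search (as the guide's
    "/demo/index.*php" example implies) and Match Path is a prefix test.
    """
    if method == "Match Regex":
        return re.search(text, path) is not None
    if method == "Not Match Regex":
        return re.search(text, path) is None
    if method == "Equal To":
        return path == text
    if method == "Not Equal To":
        return path != text
    if method == "Match Path":
        return path.startswith(text)
    if method == "Not Match Path":
        return not path.startswith(text)
    raise ValueError("unknown matching method: %s" % method)


def filter_paths(paths, method, text):
    """Return the paths that a rule with (method, text) would match."""
    return [p for p in paths if uri_matches(p, method, text)]


if __name__ == "__main__":
    for method, text in [("Match Regex", "/demo/index.*php"),
                         ("Equal To", "/demo/index.php"),
                         ("Match Path", "/demo/")]:
        print(method, text, filter_paths(SAMPLE_PATHS, method, text))
```

The normalization step is the practical caveat: an Equal To or Match Path rule compared against the raw, undecoded path would treat "/demo/%69ndex.php" as a different path from "/demo/index.php".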

On the Access Control Policy page, you can also perform the following operations:

• Click Edit at the top of the list to modify an existing access control policy.

• Click Delete at the top of the list to delete an access control policy that is not bound to a site. "built_in_default_all_pass_ac_policy" is the default allow_all_traffic policy. If this policy is not bound to a site, you can click Delete to delete it, or disable Site Traffic Log Record on the System > WAF Global Configuration > Global Parameter Configuration page to delete the policy automatically.

• Click Copy and then Paste at the top of the list to copy an existing access control policy and paste it to create a new one.

API Protection Policy

Publicly exposed Web API information can lead to security issues such as data theft, tampering, and leaks, so detecting and protecting API traffic is becoming more and more important. The system allows you to configure an API protection policy and bind the policy to a site, so that API traffic on the site can be detected and protected.

API protection policies detect whether API traffic complies with a specification. The administrator can upload OpenAPI specifications to WAF or customize protection specifications, and WAF detects and protects traffic accordingly. OpenAPI specifications usually define the URL, header, parameters, and request body of API traffic. If any unusual API traffic is detected, the system processes the traffic with the specified action. Unusual traffic is generated in one of the following cases:

• The request method is not supported.
• The required request header is missing.
• The value of the request header is invalid.
• An unknown parameter is contained.
• The required parameter is missing.
• The request value is invalid.
• The request body type and request content are invalid.

Creating an API Protection Policy

To create an API protection policy, take the following steps:

1. Select Policy > Policy Type > API Protection Policy.

2. On the API Protection Policy tab, click New in the upper-left corner.

3. On the API Protection Policy Configuration page, configure the following options:

Option Description

Name: Specifies the name of the API protection policy.

Description: Specifies the description of the API protection policy.

Protection Rule: The system detects API traffic based on the protection rules in top-to-bottom order. For API traffic that hits a protection rule, the system processes the traffic with the specified action.

Name: Specifies the name of the unusual API traffic.

Severity: Displays the severity (High, Medium, Low) of the unusual API traffic.

Status: Enable or disable the API protection rule. After the rule is enabled, it takes effect in the API protection policy.

Action: The protection action that the system takes if the protection rule is triggered. Valid values:
• Block: The system blocks the connection request and records logs.
• Pass: The system sends alarm logs to you.
• Redirect: The system redirects the HTTP request to the specified URL and records logs.

Status Code: The HTTP status code. This parameter is available if the Action parameter is set to Block.

Block Type: This parameter is available if the Action parameter is set to Block. Valid values: Block Once, Permanently block IP, and Period Block. Block Once indicates that only the current connection request is blocked. Permanently block IP indicates that all connection requests from the client are blocked. Period Block indicates that the IP address of the client from which the API request is sent is added to the blacklist and blocked for a certain period.

Capture Packets: Click the button to enable the packet capture function. The device will then capture abnormal data packets. You can view the abnormal data in logs.

Protection Type: The type of the API protection policy. Valid values: OpenAPI and Custom Protection. If you set the parameter to OpenAPI, you need to set the OpenAPI File parameter, and the system detects API traffic based on the specification requirements. If you set the parameter to Custom Protection, you need to customize the protection configurations, and the system detects API traffic based on your configurations.

OpenAPI File: Select an OpenAPI file from the OpenAPI File drop-down list. You can select one or more files. A maximum of 32 files can be selected. You need to import OpenAPI files in advance. For more information, see Importing an OpenAPI File.

Note: If domain names and URLs are the same in multiple OpenAPI files, the specifications corresponding to the latest domain name and URL are used to detect API traffic.

If you set the Protection Type parameter to Custom Protection, click New. In the Custom Protection Configuration panel, configure the following options:

Host: Specifies the address or domain name of the host that requires API protection.

URI: Select a matching method and specify the URI that requires API protection.

HTTP Method: The HTTP method of API requests. You can add multiple HTTP request methods such as GET and POST, separated with semicolons (;). If the API request method does not hit one of the specified methods, the Request Method Violation rule is triggered and the system processes the traffic with the specified action.

HTTP Header Value: Enter the name of the HTTP header and configure the matching rule (you need to set the Required, Matching Method, and Matching Text parameters). Click New to add an HTTP header or click Delete to delete an HTTP header. You can add up to 32 headers.
• Assume that you set the Required parameter to yes for an HTTP header. If API request traffic does not contain the header, the Missing Required Request Header rule is triggered and the system processes the traffic with the specified action.
• If the API request header does not contain the specified matching text, the Request Header Value Violation rule is triggered and the system processes the traffic with the specified action.

Parameter in Request Line: Enter the name of the request line parameter, such as User-Agent, and configure the matching rule (you need to set the Required, Data Type, Min Value/Length, and Max Value/Length parameters). Click New or Delete to add or delete an item. You can add up to 32 items.
• Assume that you set the Required parameter to yes. If API request traffic does not contain the parameter, the Missing Required Request Line Parameter rule is triggered and the system processes the traffic with the specified action.
• If the data type of the API request does not meet the specified type, or the value or length of the API request does not fall into the specified value or length range, the Request Line Parameter Value Violation rule is triggered and the system processes the traffic with the specified action.
• If the API request contains parameters that are not specified, the Unknown Request Line Parameter rule is triggered and the system processes the traffic with the specified action.

Request Body: Set the Type parameter, enter the name of the request body, and then configure the matching rule (you need to set the Data Type, Min Value/Length, and Max Value/Length parameters).
• If the data type of the request body does not meet the specified type, the Invalid Content-Type rule is triggered and the system processes the traffic with the specified action.
• If the value or length of the request body does not fall into the specified value or length range, the Invalid Request Body rule is triggered and the system processes the traffic with the specified action.

Edit: Select the user-defined API protection rule you want to edit, and click Edit to modify its configuration.

Delete: Select the user-defined API protection rule you want to delete, and click Delete.

4. Click OK.

5. Select Site > Web Site. Select the site that requires API protection and bind the API protection policy to the site.
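The Custom Protection checks above (method, required headers and their matching text, request-line parameters with type and range, request body type and length) and the list of unusual-traffic cases at the start of this section, worked through in code as an added example. This is not the guide's or the product's code: the host, URI, header and parameter names in the constructed specification are hypothetical, the rule names are the ones the table uses, and the function reports every violated rule rather than stopping at the first hit as the appliance's top-to-bottom evaluation does.

```python
import re

# Constructed Custom Protection entry mirroring the guide's fields. The host,
# URI, header and parameter names are hypothetical.
PROTECTION = {
    "host": "api.example.com",
    "uri": "/v1/orders",
    "methods": {"GET", "POST"},                      # "GET;POST" in the UI
    "headers": {
        # Required header whose value must match the Matching Text regex
        "X-Api-Version": {"required": True, "regex": r"^v[0-9]+$"},
    },
    "params": {
        "id": {"required": True, "type": "int", "min": 1, "max": 999999},
        "q": {"required": False, "type": "string", "min": 1, "max": 64},
    },
    "body": {"type": "application/json", "min": 2, "max": 4096},
}


def _value_ok(rule, value):
    """Data type check, then value range (int) or length range (string)."""
    if rule["type"] == "int":
        if not re.fullmatch(r"-?[0-9]+", value):
            return False
        return rule["min"] <= int(value) <= rule["max"]
    return rule["min"] <= len(value) <= rule["max"]


def check_request(req, spec=PROTECTION):
    """Return the names of the guide's protection rules the request triggers.

    req: {"method": str, "headers": dict, "params": dict of query
    parameters, "body": str}. All violations are listed, in the order the
    guide presents the checks.
    """
    hits = []
    if req["method"] not in spec["methods"]:
        hits.append("Request Method Violation")

    headers = {k.lower(): v for k, v in req["headers"].items()}
    for name, rule in spec["headers"].items():
        value = headers.get(name.lower())
        if value is None:
            if rule["required"]:
                hits.append("Missing Required Request Header")
        elif not re.search(rule["regex"], value):
            hits.append("Request Header Value Violation")

    for name, rule in spec["params"].items():
        if name not in req["params"]:
            if rule["required"]:
                hits.append("Missing Required Request Line Parameter")
        elif not _value_ok(rule, req["params"][name]):
            hits.append("Request Line Parameter Value Violation")
    for name in req["params"]:
        if name not in spec["params"]:
            hits.append("Unknown Request Line Parameter")

    if req["body"]:  # body rules only apply when a body is present
        body_rule = spec["body"]
        if not headers.get("content-type", "").startswith(body_rule["type"]):
            hits.append("Invalid Content-Type")
        elif not body_rule["min"] <= len(req["body"]) <= body_rule["max"]:
            hits.append("Invalid Request Body")
    return hits


if __name__ == "__main__":
    print(check_request({"method": "DELETE", "headers": {},
                         "params": {"id": "0", "debug": "1"}, "body": ""}))
```

Rejecting parameters that the specification does not name (the Unknown Request Line Parameter rule) is the positive-security half of this model: the policy describes what a legitimate call looks like, and anything outside that description is reported rather than having to be matched by a signature.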

Importing an OpenAPI File

You need to import an OpenAPI file first, and then reference the file directly in the API protection policy. The system detects the compliance of API traffic based on the requirements and specifications of the file.

To import an OpenAPI file, take the following steps:

1. Select Policy > Policy Type > API Protection Policy. Select the OpenAPI File tab.

2. Click Import.

3. In the Import OpenAPI File panel, configure the following options:

Option Description

OpenAPI File: Click Browse and upload an OpenAPI file. The system supports OpenAPI files of version 3.0 in the YML, YAML, and JSON formats. The maximum file size varies with different platforms and is subject to the actual requirements.

Description: The description of the OpenAPI file.

4. Click OK.

5. If you need to update an OpenAPI file because the API operation of the site changes, select the file, click Edit, and then upload a new file.

6. If you need to delete an OpenAPI file that has expired or is no longer useful, select the file and click Delete.

7. If you need to preview an OpenAPI file, select the file and click View.

Virtual Patch Policy

After scanning by the built-in scanner or the AppScan scanner, you can quickly create a virtual patch policy to defend against the detected vulnerabilities. This replaces the conventional, relatively slow method of fixing vulnerabilities by code changes or patches, and ensures business continuity.

Creating a Virtual Patch Policy

To create a virtual patch policy, take the following steps:

1. Select Scan > Scan Report, and click the Scan Report or Import Scan Report tab.

2. Click the icon in the Operation column of an item, and the New Virtual Patch Policy dialog box will appear.

3. Configure the following options:

Option Description

Name: Specify the name of the virtual patch policy.

Description: Specify the description for the policy, such as protection rules and actions.

Virtual Patch List: Repairable Vulnerability and Unrepairable Vulnerability. The system can defend against only repairable vulnerabilities.

ID: Displays the vulnerability ID.

Name: Displays the vulnerability name.

URL: Displays the URL of the vulnerability.

Severity: Displays the severity of the vulnerability.

Status: Displays the protection status of the vulnerability. Green means the protection is enabled.

Action: Select the protection action for the vulnerability:
• Block: Block HTTP requests and related logs will be generated.
• Alarm: Allow HTTP requests to pass and related logs will be generated.

Available Site List: Displays sites on which virtual patch policies can be applied. Select the check box before a site and the virtual patch policy will be applied on the site.

Name: Displays the site name.

Site IP and Domain Name: Displays the domain name of the site.

Is Domain Matched: Displays whether the domain name of the site matches the IP. If not matched, "no" will be displayed; if matched, the matched IP will be displayed.

Virtual Patch Policy Binding: Displays the bound virtual patch policy.

Editing a Virtual Patch Policy

To edit a virtual patch policy, take the following steps:

1. Select Policy > Policy Type > Virtual Patch Policy.

2. Select a virtual patch policy, click Edit, and the Edit Virtual Patch Policy dialog box will appear.

Security Policy

The system has five default security policy templates at different security levels: loose detection mode, normal detection mode, strict detection mode, debug mode, and network protect action mode. The types and number of enabled protection rules vary with the policy template:

Security Level / Protection Type / Effect

Loose Detection Mode (policy_loose)
  Protection Type: Security protection rules with high and severe alarm levels and high accuracy will be enabled.
  Effect: This mode only defends against critical vulnerabilities. It has a low false alarm rate, but may miss alarms.

Normal Detection Mode (policy_normal)
  Protection Type: Security protection rules with relatively high alarm level and accuracy will be enabled. This mode achieves a tradeoff between protection capability and false alarm rate. (Recommended)
  Effect: Recommended for most business scenarios.

Strict Detection Mode (policy_strict)
  Protection Type: Most security protection rules will be enabled. This mode has the strongest protection capability, but may have a high false alarm rate, which requires administrators to do rigorous troubleshooting.
  Effect: This mode is suitable for scenarios that need high protection.

Debug Mode (policy_debug)
  Protection Type: All security protection rules and security detection will be disabled.
  Effect: This mode is generally used for debugging and troubleshooting.

Network Protect Action Mode (policy_emergency)
  Protection Type: Most key security protection rules will be enabled. This mode has strong protection capability, but some false positives may occur.
  Effect: This mode is suitable for cybersecurity drill scenarios.

The supported maximum number of policies varies with the device platform. When configuring a security policy, you can enable the required protection rules under the policy. For more information about how to create protection rules, see Custom Rule.

Creating a Security Policy

To create a security policy, take the following steps:

1. Select Policy > Policy Type > Security Policy.

2. Click New to go to the Policy Configuration page.

3. In the Basic tab, configure the following options.

Option Description

Name: Specifies the name of the security policy.

Template: Select the security level for the security policy template, including:
• Loose Detection Mode (policy_loose): Security protection rules with high and severe alarm levels and high accuracy will be enabled. This mode has a low false alarm rate, but may miss alarms.
• Normal Detection Mode (policy_normal): Security protection rules with relatively high alarm level and accuracy will be enabled. This mode achieves a tradeoff between protection capability and false alarm rate. It is recommended for most business scenarios.
• Strict Detection Mode (policy_strict): Most security protection rules will be enabled. This mode has the strongest protection capability, but may have a high false alarm rate, which requires administrators to do rigorous troubleshooting. This mode is suitable for scenarios that need high protection.
• Debug Mode (policy_debug): All security protection rules and security detection will be disabled. This mode is generally used for debugging and troubleshooting.
• Network Protect Action Mode (policy_emergency): Most key security protection rules will be enabled. This mode has strong protection capability, but some false positives may occur.

Filtering: Select the following filters to filter the protection rules as needed. The filtered protection rules will be displayed in the Protection Rule tab. "Unspecified" means selecting all.
• DataBase: Select the database type to be protected.
• Framework: Select the framework of the server to be protected.
• Language: Select the language of the server to be protected.
• OS: Select the operating system of the server to be protected.
• Web Server: Select the web server to be protected.

Behavior Protection Mode: When defending against malicious acts, HTTP Flood attacks, and brute force cracking attacks, the system collects statistics on the attacks and determines, based on the statistics, whether to trigger defense actions and generate logs. There are two protection modes:
• Reach Limit: When the statistics reach the limit, the system triggers defense and generates logs immediately.
• End of the Cycle: The system triggers a defense action and generates a log only when the statistics reach the limit within a period.

Note:
• In the End of the Cycle mode, the protection actions specified in the Protection Rule tab should be Permanently block IP, Period Block, or Alarm. When the End of the Cycle mode is selected, modify the protection actions accordingly.
• For Scanner attacks, the defense actions are always triggered when the threshold is reached, regardless of whether the behavior protection mode is set to Reach Limit or End of the Cycle.

4. In the Protection Rule tab, you can enable protection rules and specify the protection action. On the protection rule page, all protection rules will be displayed, including predefined rules and custom rules. Some protection rules have subtypes. You can enable or disable the rules as needed. When a certain rule type is enabled, the rule list or the parameter configuration page may be displayed below.

• Rule list: To sort a column or batch edit parameters in a column, click the column header or the down arrow behind the header. To edit a parameter in the Parameter column, click the icon, and the Rule Parameter Edit dialog box will appear. If there is no icon in the Parameter column, the parameter cannot be edited. For detailed configurations, refer to the following description.

• Parameter configuration page: You can modify parameters on the page as needed. For detailed configurations, refer to the following description.

Enable HTTP Protocol Anomaly, and configure the options in the rule list as follows:

Option Description

Action: Select the protection action:
• Block: Block HTTP requests and related logs will be generated.
• Alarm: Allow HTTP requests to pass and related logs will be generated.
• Redirect: Redirect HTTP requests to the specified URL and related logs will be generated.

Status Code: The option is available when the protection action is Block. You can customize the web page that the device returns to the client with the HTTP status code.

Block Type: The option is available when the protection action is Block. Select the block type as Block Once, Period Block or Permanently Block IP. If Block Once is selected, the current request will be blocked; if Period Block is selected, the client IP will be added to the blacklist and the requests from the client IP will be blocked for a while; if Permanently Block IP is selected, the requests from the client IP will be blocked until you remove the IP from the blacklist.

Block Period: The option is available when the protection action is Block and the block type is Period Block. Specifies the time for blocking the client IP.

Redirecting URL: The option is available when the protection action is Redirect. You need to specify the destination URL (IPv4 or IPv6) for redirecting.

Severity: Displays the severity of the threat defended against by the rule.

Capture Packets: Click the button to enable the Capture Packets function. When the function is enabled, the device will capture abnormal data packets. You can view the abnormal data in logs.

When HTTP Protocol Anomaly is enabled, configure the editable parameters in the Parameter column as follows:

URI Max Length: Configure the maximum URL length of HTTP requests. The value range is 1 to 10240. The default value is 8192.

User-agent Max Length: Configure the maximum length of the User-agent HTTP request header. The value range is 1 to 10240. The default value is 4096.

Referer Max Length: Configure the maximum length of the Referer HTTP request header. The value range is 1 to 10240. The default value is 4096.

Accept-charset Max Length: Configure the maximum length of the Accept-charset HTTP request header. The value range is 1 to 10240. The default value is 4096.

Content Max Length: Configure the maximum length of the Content HTTP request header. The value range is 1 to 2147436480. The default value is 16384000.

Cookie Max Length: Configure the maximum length of the Cookie HTTP request header. The value range is 1 to 10240. The default value is 4096.

Cookie Limit: Configure the maximum number of cookies in the Cookie HTTP request header. The value range is 1 to 10240. The default value is 64.

Accept Max Length: Configure the maximum length of the Accept HTTP request header. The value range is 1 to 10240. The default value is 4096.

Range Segment Limit: Configure the maximum number of ranges in the Range HTTP request header. The value range is 1 to 32. The default value is 5.

Header Limit: Configure the maximum number of HTTP headers. The value range is 1 to 256. The default value is 128.

Header Name Max Length: Configure the maximum length of HTTP header names. The value range is 1 to 256. The default value is 128.

Header Max Length: Configure the maximum length of HTTP header values. The value range is 1 to 10240. The default value is 4096.

Parameter Limit: Configure the maximum number of parameters of HTTP requests sent to the web server. The value range is 1 to 2048. The default value is 256.

Parameter Max Length: Configure the maximum length of parameters of HTTP requests sent to the web server. The value range is 1 to 131072. The default value is 8192.

Multipart Upload File Limit: Configure the maximum number of files uploaded by Multipart. The value range is 0 to 1024. The default value is 50.

Response header value max length: Configure the maximum length of the response header value. The value range is 1 to 4096. The default value is 1024.

Response header name max length: Configure the maximum length of the response header name. The value range is 1 to 128. The default value is 64.
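The request-side limits in the parameter table above, applied to a constructed HTTP request, as an added example (not code from the guide or from the vWAF product). The default values are the ones listed in the table; everything else is an assumption: lengths are counted in characters, "Content Max Length" is applied to the request body, a parameter's length is the length of its value, and the request parser is a minimal one written for this demonstration.

```python
from urllib.parse import parse_qsl, urlsplit

# Default limits as listed in the guide's HTTP Protocol Anomaly parameter table.
DEFAULT_LIMITS = {
    "uri_max_length": 8192,
    "user_agent_max_length": 4096,
    "referer_max_length": 4096,
    "accept_charset_max_length": 4096,
    "content_max_length": 16384000,
    "cookie_max_length": 4096,
    "cookie_limit": 64,
    "accept_max_length": 4096,
    "range_segment_limit": 5,
    "header_limit": 128,
    "header_name_max_length": 128,
    "header_max_length": 4096,
    "parameter_limit": 256,
    "parameter_max_length": 8192,
}

# Headers that have their own per-header length limit in the table.
SPECIAL_HEADERS = {
    "user-agent": "user_agent_max_length",
    "referer": "referer_max_length",
    "accept-charset": "accept_charset_max_length",
    "accept": "accept_max_length",
    "cookie": "cookie_max_length",
}


def parse_request(raw):
    """Split a constructed HTTP/1.1 request string into its parts.

    Deliberately minimal (no folding, no chunking): just enough structure
    for the limit checks below.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return {"method": method, "target": target, "headers": headers, "body": body}


def check_anomalies(req, limits=DEFAULT_LIMITS):
    """Return (parameter, observed, limit) for every limit the request exceeds."""
    hits = []

    def check(name, observed):
        if observed > limits[name]:
            hits.append((name, observed, limits[name]))

    check("uri_max_length", len(req["target"]))
    check("header_limit", len(req["headers"]))
    for name, value in req["headers"]:
        check("header_name_max_length", len(name))
        check("header_max_length", len(value))
        lname = name.lower()
        if lname in SPECIAL_HEADERS:
            check(SPECIAL_HEADERS[lname], len(value))
        if lname == "cookie":  # "a=1; b=2" -> two cookies
            check("cookie_limit", sum(1 for c in value.split(";") if c.strip()))
        if lname == "range":   # "bytes=0-1,2-3" -> two range segments
            ranges = value.partition("=")[2]
            check("range_segment_limit", sum(1 for r in ranges.split(",") if r.strip()))
    params = parse_qsl(urlsplit(req["target"]).query, keep_blank_values=True)
    check("parameter_limit", len(params))
    for _name, value in params:
        check("parameter_max_length", len(value))
    check("content_max_length", len(req["body"]))  # assumption: body length
    return hits


def anomaly_names(raw):
    """Convenience wrapper: only the names of the exceeded limits."""
    return [h[0] for h in check_anomalies(parse_request(raw))]


# Constructed request that exceeds several defaults at once: a 9000-character
# query value, 70 cookies and 6 range segments.
CONSTRUCTED_REQUEST = (
    "GET /search?q=" + "A" * 9000 + " HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Cookie: " + ";".join("c%d=1" % i for i in range(70)) + "\r\n"
    "Range: bytes=0-1,2-3,4-5,6-7,8-9,10-11\r\n\r\n"
)

if __name__ == "__main__":
    for hit in check_anomalies(parse_request(CONSTRUCTED_REQUEST)):
        print("%s: %d exceeds %d" % hit)
```

Note that one oversized value can trip several limits at once (a long Cookie header counts against Cookie Max Length and Header Max Length), so when tuning a limit for a legitimate application it is worth checking which of the related parameters actually produced the log entry.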

Enable DDoS > HTTP Flood, and configure the options as follows. DDoS is enabled by default.

Option Description

Action: Select the protection action:
• Block: Block HTTP requests and related logs will be generated.
• Alarm: Allow HTTP requests to pass and related logs will be generated.

Status Code: The option is available when the protection action is Block. You can customize the web page that the device returns to the client with the HTTP status code.

Block Type: The option is available when the protection action is Block. Select the block type as Block Once, Period Block or Permanently Block IP. If Block Once is selected, the current request will be blocked; if Period Block is selected, the client IP will be added to the blacklist and the requests from the client IP will be blocked for a while; if Permanently Block IP is selected, the requests from the client IP will be blocked until you remove the IP from the blacklist.

Block Period: The option is available when the protection action is Block and the block type is Period Block. You need to specify the time for blocking the client IP.

Severity: Displays the severity of the threat defended against by the rule.

Packet Capture: Click the button to enable the Packet Capture function. When the function is enabled, the device will capture abnormal data packets. You can view the abnormal data in logs.

HTTP Flood Quick Attack

Human Verification: Select whether to enable human verification, and configure the authentication method. After it is enabled, the system performs human verification, based on the selected human verification type, for HTTP GET access requests that are identified as HTTP Flood attacks. If the verification succeeds, the system will not perform defense actions for the source IP address within five minutes. If the verification fails, the system continues human verification until it fails three times within five minutes; after that, the system takes the protective action. Human verification types include: Auto (JS Cookie), Auto (Redirect), Manual (Access Confirmation), and Manual (CAPTCHA). When an Automatic type is selected, users cannot perceive the verification process. When a Manual type is selected, users must perform the verification operation correctly. Note: When Behavior Protection Mode of a security policy is set to End of the Cycle, Human Verification will not take effect.

Count Period: Specifies the period for counting requests.

Threshold: Specifies the threshold of requests in the specified period, after which the situation will be considered an HTTP Flood attack.

Top 10 URL: Enable the Top 10 URL function to protect the top 10 URLs ranked by access counts.

Custom URL: If the option is enabled, you need to specify the URLs to be protected in the URLs list.

HTTP Flood Slow Attack

Request Timeout: Specifies the timeout value of HTTP requests.

Times: Specifies the number of times that the HTTP request times out consecutively.
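The Count Period and Threshold logic of the HTTP Flood Quick Attack rule, run under both Behavior Protection Modes described in the Basic tab (Reach Limit and End of the Cycle), as an added example that is not the guide's or the product's code. It assumes a fixed counting window keyed on the client IP, reset when the period elapses; the guide does not say how the appliance keeps its statistics, and the traffic trace is constructed for the demonstration.

```python
from collections import defaultdict


class FloodCounter:
    """Per-client-IP request counter for a Count Period / Threshold rule.

    mode "Reach Limit":      a defence event is raised the moment a source's
                             count in the current period reaches the threshold.
    mode "End of the Cycle": counts are only evaluated when the period ends;
                             sources that reached the threshold are reported then.
    Assumption (not stated by the guide): fixed window of count_period
    seconds, reset when it elapses.
    """

    def __init__(self, count_period, threshold, mode="Reach Limit"):
        if mode not in ("Reach Limit", "End of the Cycle"):
            raise ValueError("unknown behavior protection mode: %s" % mode)
        self.period = count_period
        self.threshold = threshold
        self.mode = mode
        self.window_start = None
        self.counts = defaultdict(int)
        self.fired = set()

    def observe(self, ip, now):
        """Record one request at time `now`; return (ip, count) defence events."""
        events = []
        if self.window_start is None:
            self.window_start = now
        elif now - self.window_start >= self.period:
            events.extend(self._close_window())
            self.window_start = now
        self.counts[ip] += 1
        if (self.mode == "Reach Limit" and self.counts[ip] >= self.threshold
                and ip not in self.fired):
            self.fired.add(ip)  # act immediately, once per window
            events.append((ip, self.counts[ip]))
        return events

    def _close_window(self):
        """Evaluate the finished period; only End of the Cycle reports here."""
        events = []
        if self.mode == "End of the Cycle":
            events = [(ip, n) for ip, n in self.counts.items() if n >= self.threshold]
        self.counts.clear()
        self.fired.clear()
        return events


# Constructed trace: 10.0.0.1 sends 6 requests in 6 seconds, 10.0.0.2 sends 3,
# then one request from 10.0.0.3 arrives after the 10-second period has elapsed.
TRACE = ([("10.0.0.1", t) for t in range(6)]
         + [("10.0.0.2", t) for t in (1, 2, 3)]
         + [("10.0.0.3", 12)])


def simulate(mode, count_period=10, threshold=5, trace=TRACE):
    """Feed the trace through a counter and return every defence event."""
    counter = FloodCounter(count_period, threshold, mode)
    events = []
    for ip, t in sorted(trace, key=lambda e: e[1]):
        events.extend(counter.observe(ip, t))
    return events


if __name__ == "__main__":
    for mode in ("Reach Limit", "End of the Cycle"):
        print(mode, simulate(mode))
```

The simulation makes the note in the Basic tab concrete: in End of the Cycle mode the offending source is only identified after its requests have already been forwarded, so the action can only apply to the client's later requests (Permanently block IP or Period Block) or be an Alarm; a Block Once action has nothing left to block.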

Enable Injection Attack/XSS/Information Leakage/Special Web Vulnerability and its subtypes. In the rule list, configure the options as follows:

Option Description

ID: Displays the ID of the protection rule.

Name: Displays the name of the protection rule.

Status: Enable or disable the rule. When the rule is enabled, it takes effect in the security policy.

Severity: Displays the severity of the threat defended against by the rule.

Action: Select the protection action:
• Block: Block HTTP requests and related logs will be generated.
• Alarm: Allow HTTP requests to pass and related logs will be generated.
• Redirect: Redirect HTTP requests to the specified URL and related logs will be generated.

Status Code: The option is available when the protection action is Block. You can customize the web page that the device returns to the client with the HTTP status code.

Block Type: The option is available when the protection action is Block. Select the block type as Block Once, Period Block or Permanently Block IP. If Block Once is selected, the current request will be blocked; if Period Block is selected, the client IP will be added to the blacklist and the requests from the client IP will be blocked for a while; if Permanently Block IP is selected, the requests from the client IP will be blocked until you remove the IP from the blacklist. (Only Block Once is supported for the Information Leakage type.)

Block Period: The option is available when the protection action is Block and the block type is Period Block. You need to specify the time for blocking the client IP.

Redirecting URL: The option is available when the protection action is Redirect. You need to specify the destination URL (IPv4 or IPv6) for redirecting.

Capture Packets: Click the button to enable the Capture Packets function. When the function is enabled, the device will capture abnormal data packets. You can view the abnormal data in logs.

Parameter: Click to configure the editable parameters in the Parameter column as needed.
• Enable Injection Attack > XML Injection, and click the icon in the Parameter column to configure the maximum length of an XML node. The value range is 1 to 131072. The default value is 1024.
• Enable Information Leakage > Keyword Leakage, and specify keywords. The system will filter and drop the response packets containing the keywords to prevent information leakage. Several keywords can be separated by semicolons (;).
  Note: Information leakage protection takes effect only when Check Response Body is enabled.
• Enable Information Leakage > Personal Information Leakage, and click the icon in the Parameter column to configure the allowed mainland China phone numbers and email addresses. Several phone numbers or email addresses can be separated by semicolons (;). The default value is None.
• Enable XSS > XSS or Injection Attack > SQL Injection, and click the icon in the Parameter column to configure the sensitivity of the semantic rule. The system will detect the access request parameters entered by the user according to the sensitivity, and then take protective actions and record logs. The level of attacks protected against by the system varies with the sensitivity: the higher the sensitivity, the wider the range of attacks the system protects against. The system supports the following three sensitivities:
  • High: After setting the sensitivity of semantic detection rules to High, the system will protect against and log suspicious XSS/SQL injection attacks of the low, medium, and high levels.
  • Medium: After setting the sensitivity of semantic detection rules to Medium, the system will protect against and log suspicious XSS/SQL injection attacks of the medium and high levels.
  • Low: After setting the sensitivity of semantic detection rules to Low, the system will protect against and log suspicious XSS/SQL injection attacks of the high level only.
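The two Information Leakage parameters above (a semicolon-separated keyword list, and an allow list of mainland China phone numbers and email addresses) applied to a response body, as an added example that is not the guide's or the product's code. The phone-number pattern (11 digits starting with 13 to 19) and the email pattern are approximations chosen for this demonstration, not the appliance's own patterns, and the response body is constructed.

```python
import re

# Patterns for the two Personal Information Leakage item types the guide names.
# Assumption: a mainland China mobile number is 11 digits starting with 13-19;
# the appliance's actual pattern is not documented here.
PHONE_RE = re.compile(r"(?<![0-9])1[3-9][0-9]{9}(?![0-9])")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def scan_response_body(body, keywords="", allowed=""):
    """Return (rule, match) findings for one response body.

    keywords: the Keyword Leakage list, semicolon separated as in the UI.
    allowed:  the Personal Information Leakage allow list, semicolon separated;
              phone numbers and addresses listed here are not reported.
    """
    findings = []
    for kw in (k for k in keywords.split(";") if k):
        if kw in body:  # exact, case-sensitive substring match
            findings.append(("Keyword Leakage", kw))
    allow = {a for a in allowed.split(";") if a}
    for pattern in (PHONE_RE, EMAIL_RE):
        for match in pattern.findall(body):
            if match not in allow:
                findings.append(("Personal Information Leakage", match))
    return findings


def should_drop(body, keywords="", allowed=""):
    """Block decision: the guide says a matching response is filtered and dropped."""
    return bool(scan_response_body(body, keywords, allowed))


# Constructed response body: one public contact address (on the allow list),
# one customer phone number, and an internal marker string.
CONSTRUCTED_BODY = (
    "Support: support@example.com or 13800138000. "
    "debug=true; INTERNAL_BUILD_TOKEN present"
)

if __name__ == "__main__":
    print(scan_response_body(CONSTRUCTED_BODY,
                             "INTERNAL_BUILD_TOKEN;password",
                             "support@example.com"))
```

Because the check runs on the server's reply, it only does anything when the policy actually inspects responses, which is the point of the note that Check Response Body must be enabled; with it off, the keyword list is configured but never consulted.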

Enable XSS > CSRF, and specify URLs.

Form URL: Specifies the URL in the form.

Target URL: Specifies the destination URL.

Enable Cookie Security, and configure the options as follows:


Option Description
Enable Cookie Security > HTTP Only. Cookie is only visible to
browsers and cannot be captured by the client, which prevents cookie
from being used illegitimately.
New Click New, and type the domain name into the
Domain text box and the cookie name to be pro-
tected into the Cookie text box. Each text box sup-
ports one cookie. Click + to add more cookies.
Delete Click Delete to delete the selected cookie.
Enable Cookie Security > Cookie Tampering or Cookie Security >
Cookie Hijacking, and configure the options as follows:
Action: Select the protection action:
  - Block: Block HTTP requests and related logs will be generated.
  - Alarm: Allow HTTP requests to pass and related logs will be generated.
  - Redirect: Redirect HTTP requests to the specified URL and related logs will be generated.
Status Code: The option is available when the protection action is Block. You can customize the web page that the device returns to the client with the HTTP status code.
Block Type: The option is available when the protection action is Block. Select the block type as Block Once, Period Block or Permanently Block IP. If Block Once is selected, the current request will be blocked; if Period Block is selected, the client IP will be added to the blacklist and the requests from the client IP will be blocked for a while; if Permanently Block IP is selected, the requests from the client IP will be blocked until you remove the IP from the blacklist.
Block Period: The option is available when the protection action is Block and the block type is Period Block. You need to specify the time for blocking the client IP.
Redirecting URL: The option is available when the protection action is Redirect. You need to specify the destination URL (IPv4 or IPv6) for redirecting.
Severity: The option is available when the protection action is Alarm. Select the severity of the threat defended against by the rule.
Packet Capture: Click the button to enable the Packet Capture function. When the function is enabled, the device will capture abnormal data packets. You can view the abnormal data in logs.
Protection Mode: Select the mode in which the system protects the cookie. Valid values:
  - Signature: If the response returned by the server includes the cookie to be protected, the system generates a signature for the cookie and then returns the cookie and its signature to the client. When the client sends another request, the system verifies its signature. If the verification fails, the system performs the corresponding protection for the request. If the verification succeeds, the system sends the request that includes the cookie to the server.
  - Encryption: If the response returned by the server includes the cookie to be protected, the system encrypts the cookie and then returns the encrypted cookie to the client. When the client sends another request, the system decrypts its cookie. If the decryption fails, the system performs the corresponding protection for the request. If the decryption succeeds, the system replaces the cookie in the request with the decrypted cookie and then sends the request to the server.
Cookie Compatibility: If the client has obtained the cookie value before you enable Cookie Security, you can set the Cookie Compatibility parameter. Valid values:
  - Compatible: The system does not perform protection for a request that includes a cookie value, no matter whether the cookie decryption or verification fails. Instead, the system sends the request to the server.
  - Incompatible: The system performs protection for a request that includes a cookie value if the cookie decryption or verification fails. Otherwise, the system sends the request to the server.
  - Custom time: If you set the parameter to this value, you need to specify a point in time from the Cookie Compatibility Time drop-down list. After the specified time arrives, the system processes the cookie value obtained from a request in the same way as when the Cookie Compatibility parameter is set to Incompatible.
New: Click New, and configure as follows:
  - Type the domain name (IPv4 or IPv6) into the Domain text box.
  - Type the cookie name to be protected into the Cookie text box.
  - Type the cookie TTL into the Valid Time text box. If the TTL expires, the system will handle the cookie with the configured action.
  Each text box supports one cookie. Click New to add more cookies.
Delete: Click Delete to delete the selected cookie.
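The Signature protection mode and the three Cookie Compatibility values above, worked through as an added Python example written for this guide (it is not vWAF code). It assumes a constructed wire format, "<value>.<expiry-epoch>.<base64 HMAC-SHA256>", since the page does not describe vWAF's actual signature format, and uses a constructed sample key; Encryption mode is not shown.

```python
# Added example for this guide (not vWAF code): Cookie Security in Signature mode
# with the Compatible / Incompatible / Custom time compatibility settings.
# Assumption: the signed cookie value is "<value>.<expiry-epoch>.<base64 HMAC-SHA256>";
# the real vWAF signature format is not described on the page.
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

SEP = "."


class CookieSignature:
    def __init__(self, key: bytes, protected: Dict[str, int],
                 compatibility: str = "incompatible",
                 compat_time: Optional[int] = None) -> None:
        self.key = key
        # protected cookie name -> TTL in seconds (the "Valid Time" field)
        self.protected = dict(protected)
        self.compatibility = compatibility   # "compatible" | "incompatible" | "custom"
        self.compat_time = compat_time       # epoch seconds; used only with "custom"

    def _mac(self, name: str, value: str, expiry: int) -> str:
        msg = f"{name}\x00{value}\x00{expiry}".encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(digest).decode().rstrip("=")

    def sign_response(self, cookies: Dict[str, str],
                      now: Optional[int] = None) -> Dict[str, str]:
        """Server -> client: protected cookies leave with an expiry and a signature."""
        now = int(time.time()) if now is None else now
        out = dict(cookies)
        for name, ttl in self.protected.items():
            if name in cookies:
                expiry = now + ttl
                out[name] = SEP.join([cookies[name], str(expiry),
                                      self._mac(name, cookies[name], expiry)])
        return out

    def _lenient(self, now: int) -> bool:
        """True while a failed verification is still forgiven (Compatible, or
        Custom time whose point in time has not yet arrived)."""
        if self.compatibility == "compatible":
            return True
        if self.compatibility == "custom" and self.compat_time is not None:
            return now < self.compat_time   # behaves as Incompatible once the time arrives
        return False

    def check_request(self, cookies: Dict[str, str],
                      now: Optional[int] = None) -> Tuple[str, Dict[str, str]]:
        """Client -> server. Returns ("pass", cookies-to-forward) or ("protect", {}).
        "protect" means the configured action (block / alarm / redirect) applies."""
        now = int(time.time()) if now is None else now
        forwarded = dict(cookies)
        for name in self.protected:
            if name not in cookies:
                continue
            parts = cookies[name].rsplit(SEP, 2)
            valid = False
            if len(parts) == 3 and parts[1].isdigit():
                value, expiry, sig = parts[0], int(parts[1]), parts[2]
                # an expired TTL and a bad or absent signature both fail verification
                valid = expiry > now and hmac.compare_digest(
                    sig.encode(), self._mac(name, value, expiry).encode())
            if valid:
                forwarded[name] = value      # strip the signature before forwarding upstream
            elif not self._lenient(now):
                return "protect", {}
            # lenient: the unverified cookie is forwarded untouched
        return "pass", forwarded


if __name__ == "__main__":
    waf = CookieSignature(b"constructed-sample-key", {"session": 600})
    signed = waf.sign_response({"session": "abc.123"}, now=1000)
    print(signed)                                   # value now carries expiry + signature
    print(waf.check_request(signed, now=1200))      # ('pass', {'session': 'abc.123'})
    print(waf.check_request({"session": "legacy"}, now=1200))  # ('protect', {})
```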

Enable Access Detection > Scanner/Crawler/Directory Traversal, and configure the options as follows:
Enable Scanner/Crawler/Directory Traversal, and configure the following options in the Rule tab.
ID: Displays the ID of the protection rule.
Name: Displays the name of the protection rule.
Status: Enable or disable the rule. When the rule is enabled, it can take effect in the security policy.
Severity: Displays the severity of the threat defended against by the rule.
Action: Select the protection action:
  - Block: Block HTTP requests and related logs will be generated.
  - Alarm: Allow HTTP requests to pass and related logs will be generated.
  - Redirect: Redirect HTTP requests to the specified URL and related logs will be generated.
Status Code: The option is available when the protection action is Block. You can customize the web page that the device returns to the client with the HTTP status code.
Block Type: The option is available when the protection action is Block. Select the block type as Block Once, Period Block or Permanently Block IP. If Block Once is selected, the current request will be blocked; if Period Block is selected, the client IP will be added to the blacklist and the requests from the client IP will be blocked for a while; if Permanently Block IP is selected, the requests from the client IP will be blocked until you remove the IP from the blacklist.
Block Period: The option is available when the protection action is Block and the block type is Period Block. You need to specify the time for blocking the client IP.
Redirecting URL: The option is available when the protection action is Redirect. You need to specify the destination URL (IPv4 or IPv6) for redirecting.
Capture Packets: Click the button to enable the Capture Packets function. When the function is enabled, the device will capture abnormal data packets. You can view the abnormal data in logs.
Enable Scanner, and configure the following options in the Scanner Behavior tab.
Scanner Behavior Switch: Click the button to enable protection against scanner behaviors. The default statuses of the scanner behavior switch are as follows:
  - When the security policy template is set to policy_nomal_template or policy_strict_template, the scanner behavior switch is enabled by default.
  - When the security policy template is set to policy_loose_template, the scanner behavior switch is disabled by default.
Human Verification: You can choose whether to enable Human Verification. If yes, continue to configure the verification type. An HTTP access request is determined to be a Scanner behavior attack if the thresholds of all types of enabled scanner behaviors are reached. In this case, with Human Verification enabled, the system verifies the traffic based on the configured human verification type. If the human verification succeeds, the protective action will not be performed. Meanwhile, the source IP will not be verified again in the next five minutes. If the verification fails, human verification will be carried out again. If the verification fails three times within five minutes, the protective action will be executed. Human verification types include Auto (JS Cookie), Auto (Redirect), Manual (Access Confirm), and Manual (CAPTCHA). When the verification type is manual, the user needs to fill in the correct verification information. When the verification type is automatic, the user will not perceive the verification process.
Action: An HTTP access request is determined to be a Scanner behavior attack if the thresholds of all types of enabled scanner behaviors are reached. In this case, WAF executes protection actions. Select the protection action:
  - Block: Block HTTP requests and related logs will be generated.
  - Alarm: Allow HTTP requests to pass and related logs will be generated.
  - Redirect: Redirect HTTP requests to the specified URL and related logs will be generated.
Block Type: This option is available when the protection action is Block. Select the block type as Block Once, Period Block, or Permanently Blocking. If Block Once is selected, the current request will be blocked; if Period Block is selected, the client IP will be added to the blacklist and the requests from the client IP will be blocked for a while; if Permanently Blocking is selected, the requests from the client IP will be blocked until you remove the IP from the blacklist.
Status Code: This option is available when the protection action is Block. You can customize the web page that the device returns to the client with the HTTP status code.
Severity: The option is available when the protection action is Alarm. Select the severity of the threat caused by scanner behavior attacks.
Packet Capture: Click the button to enable the Packet Capture function. When the function is enabled, the device will capture abnormal data packets. You can view the abnormal data in logs. By default, Packet Capture is enabled.
Count Period: Specifies the period for counting HTTP requests. The value range is from 5 to 60 seconds. The default value is 30.
Sensitive URL Access: Click the button to enable the Sensitive URL Access function, allowing WAF to count how many times sensitive URLs are accessed by HTTP requests within the count period. By default, this function is disabled.
Sensitive URL Access Threshold: This option is available when Sensitive URL Access is enabled. You can specify the threshold for accessing sensitive URLs. The value range is from 5 to 200 times and the default value is 20.
Backup Files Access: Click the button to enable the Backup Files Access function, allowing WAF to count how many times backup files are accessed by HTTP requests within the count period. By default, this function is disabled.
Backup Files Access Threshold: This option is available when Backup Files Access is enabled. You can specify the threshold for accessing backup files. The value range is from 5 to 200 times and the default value is 20.
Rare Method Access: Click the button to enable the Rare Method Access function, allowing WAF to count accesses with rare request methods within the count period. Rare request methods are those that are not defined by the HTTP/1.1 protocol. By default, this function is disabled.
Rare Method Access Threshold: This option is available when Rare Method Access is enabled. You can specify the threshold of rare method accesses. The value range is from 5 to 200 times and the default value is 20.
Percentage of 404: Click the button to enable the Percentage of 404 function, allowing WAF to count the proportion of responses with status code 404 within the count period. By default, this function is disabled.
Percentage of 404 Threshold: This option is available when Percentage of 404 is enabled. You can specify the proportion threshold of responses whose status code is 404. The value range is from 40% to 100% and the default value is 50%.
Minimum Number of Samples: Specifies the minimum number of samples for the Percentage of 404. The value range is from 20 to 200 and the default value is 50.
Alarm Statistics: Click the button to enable the Alarm Statistics function, allowing WAF to count the number of Web security logs generated within the count period. By default, this function is disabled. Note: If Log Aggregation is selected when you configure the Web Security Log, the Alarm Statistics function allows WAF to count the number of detected Web attacks within the count period.
Alarm Statistics Threshold: This option is available when Alarm Statistics is enabled. You can specify the threshold for the Alarm Statistics parameter. The value range is from 5 to 1000 times and the default value is 20.
Minimum Number of Rules: Specifies the minimum number of different protection rules that need to be hit when Alarm Statistics is enabled. The value range is from 1 to 10 and the default value is 5.
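An added example (not vWAF code) of the Scanner Behavior counting described above: requests are bucketed per client IP per Count Period, each enabled check is compared with its threshold (the 404 percentage only once Minimum Number of Samples is met), and, as the table states, a client is treated as a scanner only when every enabled check has reached its threshold. The log format, the sample traffic, and the lists of sensitive URLs and backup-file extensions are constructed assumptions; the page does not define them. Alarm Statistics is left out because it counts log records rather than requests.

```python
# Added example for this guide (not vWAF code): Scanner Behavior counting per
# client IP and Count Period. The log format, the sample traffic, and the
# sensitive-URL / backup-file patterns are constructed assumptions.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Methods defined by HTTP/1.1 (RFC 2616); the page counts anything else as "rare".
HTTP11_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE"}
# Constructed assumptions: the page does not say what the device treats as sensitive or backup.
SENSITIVE_PREFIXES = ("/admin", "/.git", "/.env", "/phpinfo")
BACKUP_SUFFIXES = (".bak", ".old", ".zip", ".tar.gz", ".sql")


@dataclass
class ScannerConfig:
    count_period: int = 30              # seconds, range 5..60, default 30
    sensitive_url: Optional[int] = 20   # threshold 5..200; None = check disabled
    backup_files: Optional[int] = 20
    rare_method: Optional[int] = 20
    pct_404: Optional[int] = 50         # percent, range 40..100
    min_samples: int = 50               # range 20..200; gates the 404 check


@dataclass
class Counters:
    total: int = 0
    sensitive: int = 0
    backup: int = 0
    rare: int = 0
    not_found: int = 0


def parse_line(line: str) -> Tuple[int, str, str, str, int]:
    """Constructed log format: '<epoch> <client-ip> <method> <path> <status>'."""
    ts, client, method, path, status = line.split()
    return int(ts), client, method, path, int(status)


def tally(lines: List[str], cfg: ScannerConfig) -> Dict[Tuple[str, int], Counters]:
    """Bucket requests per (client IP, fixed window of cfg.count_period seconds)."""
    buckets: Dict[Tuple[str, int], Counters] = defaultdict(Counters)
    for line in lines:
        ts, client, method, path, status = parse_line(line)
        c = buckets[(client, ts // cfg.count_period)]
        c.total += 1
        c.sensitive += path.startswith(SENSITIVE_PREFIXES)
        c.backup += path.endswith(BACKUP_SUFFIXES)
        c.rare += method not in HTTP11_METHODS
        c.not_found += status == 404
    return buckets


def reached(c: Counters, cfg: ScannerConfig) -> Dict[str, bool]:
    """For each enabled check, whether its threshold was reached in the window.
    Percentage of 404 is only evaluated once Minimum Number of Samples is met."""
    out: Dict[str, bool] = {}
    if cfg.sensitive_url is not None:
        out["sensitive_url"] = c.sensitive >= cfg.sensitive_url
    if cfg.backup_files is not None:
        out["backup_files"] = c.backup >= cfg.backup_files
    if cfg.rare_method is not None:
        out["rare_method"] = c.rare >= cfg.rare_method
    if cfg.pct_404 is not None:
        enough = c.total >= cfg.min_samples
        out["pct_404"] = enough and 100 * c.not_found >= cfg.pct_404 * c.total
    return out


def is_scanner(c: Counters, cfg: ScannerConfig) -> bool:
    """Page rule: scanner behaviour only when ALL enabled checks reached their threshold."""
    r = reached(c, cfg)
    return bool(r) and all(r.values())


def detect(lines: List[str], cfg: ScannerConfig) -> List[Tuple[str, int]]:
    """(client IP, window index) pairs to which the configured action would apply."""
    return sorted(k for k, c in tally(lines, cfg).items() if is_scanner(c, cfg))


def sample_log() -> List[str]:
    """Constructed traffic inside one 30 s window: a probing client and a normal visitor."""
    lines = []
    for i in range(25):
        lines.append(f"{1020 + i} 198.51.100.7 GET /admin/page{i} 404")
        lines.append(f"{1020 + i} 198.51.100.7 GET /backup{i}.bak 404")
    for i in range(10):
        lines.append(f"{1020 + i} 198.51.100.7 GET /index.html 200")
    for i in range(5):
        lines.append(f"{1025 + i} 203.0.113.5 GET /index.html 200")
    return lines


if __name__ == "__main__":
    # With Rare Method Access left disabled the probe is flagged; with it enabled
    # (default) the "all thresholds" rule does not flag it, since it only sends GET.
    print(detect(sample_log(), ScannerConfig(rare_method=None)))  # [('198.51.100.7', 34)]
    print(detect(sample_log(), ScannerConfig()))                   # []
```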

Enable Illegal Resource Access > Illegal Upload/Illegal Download, and configure the options as follows. The system checks the types of uploaded or downloaded files. When an illegal file type is detected, the system handles the file with the configured action. Enable Illegal Resource Access > Hotlinking, and configure the options as follows. You can specify the URLs that may be referenced as links.
After you enable Illegal Upload / Illegal Download / Hotlinking, configure the following options as needed in the File Extension Check tab of Illegal Upload or the corresponding tab of Illegal Download / Hotlinking.
Action: Select the protection action:
  - Block: Block HTTP requests and related logs will be generated.
  - Alarm: Allow HTTP requests to pass and related logs will be generated.
  - Redirect: Redirect HTTP requests to the specified URL and related logs will be generated.
Status Code: The option is available when the protection action is Block. You can customize the web page that the device returns to the client with the HTTP status code.
Block Type: The option is available when the protection action is Block. Select the block type as Block Once, Period Block or Permanently Block IP. If Block Once is selected, the current request will be blocked; if Period Block is selected, the client IP will be added to the blacklist and the requests from the client IP will be blocked for a while; if Permanently Block IP is selected, the requests from the client IP will be blocked until you remove the IP from the blacklist.
Block Period: The option is available when the protection action is Block and the block type is Period Block. You need to specify the time for blocking the client IP.
Redirecting URL: The option is available when the protection action is Redirect. You need to specify the destination URL (IPv4 or IPv6) for redirecting.
Severity: The option is available when the protection action is Alarm. Select the severity of the threat defended against by the rule.
Packet Capture: Click the button to enable the Packet Capture function. When the function is enabled, the device will capture abnormal data packets. You can view the abnormal data in logs.
Illegal extension check switch: Click the button to check whether the extension of a file to be uploaded is illegal. If this function is enabled, the system will detect the extension of a file to be uploaded. A file whose extension consists of non-English characters or numbers will be judged as abnormal data and will not be uploaded.
Empty extension check switch: Click the button to check whether the extension of a file to be uploaded is empty. If the function is enabled, the system will detect whether a file to be uploaded has an extension. A file without an extension will be judged as abnormal data and will not be uploaded.
File Size check switch: Click the button to check the size of a file to be uploaded, and specify the size limit. If the size exceeds the limit, the file will not be uploaded.
File Size Limit: Specifies the maximum size of a file to be uploaded or to be downloaded.
File Extension Limit: Specifies the restricted extensions of a file to be uploaded or to be downloaded. Type the extensions into the text box.
Enable MIME: If this function is enabled, the system will detect the MIME type of a downloaded file. You can view the abnormal data in logs.
MIME Type: Specifies the MIME type to be defended. If a downloaded file of the specified MIME type is detected, the system will handle it with the configured action.
Referer Address that can be referenced as links: Specifies the URL (IPv4 or IPv6) which can be referenced as a link. Click New to add more URLs.
Enable Request without Referer: Enable this function and click New to add requests without Referer. An empty list indicates that all URLs can be accessed without Referer.
After you enable Illegal Upload, you can enable the check for content of files in different formats in the File Content Check tab.
ID: Displays the ID of the rule.
Name: Displays the name of the rule.
Status: Enable or disable the rule. When the rule is enabled, it can take effect in the security policy.
Severity: Displays the severity of the threat defended against by the rule.
Action: Select the protection action:
  - Block: Block HTTP requests and related logs will be generated.
  - Alarm: Allow HTTP requests to pass and related logs will be generated.
  - Redirect: Redirect HTTP requests to the specified URL and related logs will be generated.
Status Code: The option is available when the protection action is Block. You can customize the web page that the device returns to the client with the HTTP status code.
Block Type: The option is available when the protection action is Block. Select the block type as Block Once, Period Block or Permanently Block IP. If Block Once is selected, the current request will be blocked; if Period Block is selected, the URL will be added to the blacklist and the requests from the URL will be blocked for a while; if Permanently Block IP is selected, the requests from the client IP will be blocked until you remove the IP from the blacklist.
Block Period: The option is available when the protection action is Block and the block type is Period Block. You need to specify the time for blocking the source URL.
Redirecting URL: The option is available when the protection action is Redirect. You need to specify the destination URL (IPv4 or IPv6) for redirecting.
Capture Packets: Click the button to enable the Capture Packets function. When the function is enabled, the device will capture abnormal data packets. You can view the abnormal data in logs.

Enable Malware, and configure the options as follows:
Enable Malware > WebShell to detect Web Shell attacks.
ID: Displays the ID of the protection rule.
Name: Displays the name of the protection rule.
Status: Enable or disable the rule. When the rule is enabled, it can take effect in the security policy.
Severity: Displays the severity of the threat defended against by the rule.
Action: Select the protection action:
  - Block: Block HTTP requests and related logs will be generated.
  - Alarm: Allow HTTP requests to pass and related logs will be generated.
  - Redirect: Redirect HTTP requests to the specified URL and related logs will be generated.
Status Code: The option is available when the protection action is Block. You can customize the web page that the device returns to the client with the HTTP status code.
Block Type: The option is available when the protection action is Block. Select the block type as Block Once, Period Block or Permanently Block IP. If Block Once is selected, the current request will be blocked; if Period Block is selected, the URL will be added to the blacklist and the requests from the URL will be blocked for a while; if Permanently Block IP is selected, the requests from the client IP will be blocked until you remove the IP from the blacklist.
Block Period: The option is available when the protection action is Block and the block type is Period Block. You need to specify the time for blocking the source URL.
Redirecting URL: The option is available when the protection action is Redirect. You need to specify the destination URL (IPv4 or IPv6) for redirecting.
Capture Packets: Click the button to enable the Capture Packets function. When the function is enabled, the device will capture abnormal data packets. You can view the abnormal data in logs.
Enable Malware > Malicious Behavior to defend against illegal access.
Human Verification: Select whether to enable human verification, and configure the authentication method. After it is enabled, the system will perform human verification based on the human verification type for HTTP GET access requests that are identified as malicious behavior attacks. If the verification succeeds, the system will not perform defense actions for the source IP address within five minutes. If the verification fails, the system will continue man-machine verification until it fails three times within five minutes. After that, the system will take protective action. Human verification types include: Auto (JS Cookie), Auto (Redirect), Manual (Access Confirmation), Manual (CAPTCHA). When the Automatic type is selected, users cannot perceive the verification process. When the Manual type is selected, users should perform correct authentication operations. Note: When Behavior Protection Mode of a security policy is set to End of the Cycle, Human Verification will not take effect.
Action: Select the protection action:
  - Block: Block HTTP requests and related logs will be generated.
  - Alarm: Allow HTTP requests to pass and related logs will be generated.
  - Redirect: Redirect HTTP requests to the specified URL and related logs will be generated.
Status Code: The option is available when the protection action is Block. You can customize the web page that the device returns to the client with the HTTP status code.
Block Type: The option is available when the protection action is Block. Select the block type as Block Once, Period Block or Permanently Block IP. If Block Once is selected, the current request will be blocked; if Period Block is selected, the client IP will be added to the blacklist and the requests from the client IP will be blocked for a while; if Permanently Block IP is selected, the requests from the client IP will be blocked until you remove the IP from the blacklist.
Block Period: The option is available when the protection action is Block and the block type is Period Block. You need to specify the time for blocking the client IP.
Severity: Displays the severity of the threat defended against by the rule.
Redirecting URL: The option is available when the protection action is Redirect. You need to specify the destination URL (IPv4 or IPv6) for redirecting.
Packet Capture: Click the button to enable the Packet Capture function. When the function is enabled, the device will capture abnormal data packets. You can view the abnormal data in logs.
Count Period: Specifies the period for counting visits.
URL Access Limit: Specifies the threshold of visits from the client IP, after which the client IP will be considered a malicious user.
Request Method: Specifies the HTTP request method, including POST, GET and HEAD. You can select them all.
Request Limit: Specifies the threshold of requests from the client IP to the URL in the specified period, after which the client IP will be considered a malicious user.
Returning Status Code Limit: Specifies the threshold of times that the server returns a status code (non-200) to the client IP in the specified period, after which the client IP will be considered a malicious user.
Enable Malware > Trojan to defend against Trojan attacks.
ID: Displays the ID of the protection rule.
Name: Displays the name of the protection rule.
Status: Enable or disable the rule. When the rule is enabled, it can take effect in the security policy.
Severity: Displays the severity of the threat defended against by the rule.
Action: Select the protection action:
  - Block: Block HTTP requests and related logs will be generated.
  - Alarm: Allow HTTP requests to pass and related logs will be generated.
  - Redirect: Redirect HTTP requests to the specified URL and related logs will be generated.
Status Code: The option is available when the protection action is Block. You can customize the web page that the device returns to the client with the HTTP status code.
Block Type: The option is available when the protection action is Block. Select the block type as Block Once, Period Block or Permanently Block IP. If Block Once is selected, the current request will be blocked; if Period Block is selected, the client IP will be added to the blacklist and the requests from the client IP will be blocked for a while; if Permanently Block IP is selected, the requests from the client IP will be blocked until you remove the IP from the blacklist.
Block Period: The option is available when the protection action is Block and the block type is Period Block. You need to specify the time for blocking the client IP.
Redirecting URL: The option is available when the protection action is Redirect. You need to specify the destination URL (IPv4 or IPv6) for redirecting.
Capture Packets: Click the button to enable the Capture Packets function. When the function is enabled, the device will capture abnormal data packets. You can view the abnormal data in logs.
Enable Malware > Brute-force Cracking to defend against brute-force cracking of passwords.
Human Verification: Select whether to enable human verification, and configure the authentication method. After it is enabled, the system will perform human verification based on the human verification type for HTTP GET access requests that are identified as Brute-force Cracking attacks. If the verification succeeds, the system will not perform defense actions for the source IP address within five minutes. If the verification fails, the system will continue man-machine verification until it fails three times within five minutes. After that, the system will take protective action. Human verification types include: Auto (JS Cookie), Auto (Redirect), Manual (Access Confirmation), Manual (CAPTCHA). When the Automatic type is selected, users cannot perceive the verification process. When the Manual type is selected, users should perform correct authentication operations.
Note: When Behavior Protection Mode of a security policy is set to End of the Cycle, Human Verification will not take effect.
Action: Select the protection action:
  - Block: Block HTTP requests and related logs will be generated.
  - Alarm: Allow HTTP requests to pass and related logs will be generated.
  - Redirect: Redirect HTTP requests to the specified URL and related logs will be generated.
Status Code: The option is available when the protection action is Block. You can customize the web page that the device returns to the client with the HTTP status code.
Block Type: The option is available when the protection action is Block. Select the block type as Block Once, Period Block or Permanently Block IP. If Block Once is selected, the current request will be blocked; if Period Block is selected, the client IP will be added to the blacklist and the requests from the client IP will be blocked for a while; if Permanently Block IP is selected, the requests from the client IP will be blocked until you remove the IP from the blacklist.
Block Period: The option is available when the protection action is Block and the block type is Period Block. You need to specify the time for blocking the client IP.
Severity: Displays the severity of the threat defended against by the rule.
Packet Capture: Click the button to enable the Packet Capture function. When the function is enabled, the device will capture abnormal data packets. You can view the abnormal data in logs.
Redirecting URL: The option is available when the protection action is Redirect. You need to specify the destination URL (IPv4 or IPv6) for redirecting.
Login URL: Specifies the URL of the login page.
Referer Check: With this function enabled, you can specify the source pages of the login page to be matched in the following list. Click New to add more addresses of the source page. After the configuration is completed, the system will check the source page of the login page. If the address of the source page is not in the list, the system will defend the login page with the configured action.
Request Method: Select the request method, and the system will count the login frequency according to the selected request method.
Request Limit (GET): When the request method is selected as GET, you need to specify the threshold for login frequency in the specified period. If the login frequency equals or exceeds the threshold, the situation will be considered a brute-force cracking attack.
Request Limit (POST): When the request method is selected as POST, you need to specify the threshold for login frequency in the specified period. If the login frequency equals or exceeds the threshold, the situation will be considered a brute-force cracking attack.
Count Period: Specifies the period for counting login frequency.

To customize protection rules, enable User-defined Rule, and configure the options as follows. The configured custom rule has the highest priority.
ID: Displays the ID of the protection rule.
Name: Displays the name of the protection rule.
Status: Enable or disable the rule. When the rule is enabled, it can take effect in the security policy.
Schedule: Displays the schedule of the protection rule. When you reference the schedule, the user-defined rule takes effect only when the schedule is active. To view the status of the schedule, go to Object > Schedule.
Severity: Displays the severity of the threat defended against by the rule.
Action: Select the protection action:
  - Permit: Allow HTTP requests that meet the rule to pass and related logs will be generated.
  - Block: Block HTTP requests and related logs will be generated.
  - Alarm: Allow HTTP requests to pass and related logs will be generated.
  - Redirect: Redirect HTTP requests to the specified URL and related logs will be generated.
  - Observe: Log web traffic from which no attack is detected. The protection action is Observe when the protection subtype is Non Web Attack. This action cannot be modified.
Status Code: The option is available when the protection action is Block. You can customize the web page that the device returns to the client with the HTTP status code.
Block Type: The option is available when the protection action is Block. Select the block type as Block Once, Period Block or Permanently Block IP. If Block Once is selected, the current request will be blocked; if Period Block is selected, the client IP will be added to the blacklist and the requests from the client IP will be blocked for a while; if Permanently Block IP is selected, the requests from the client IP will be blocked until you remove the IP from the blacklist.
Block Period: The option is available when the protection action is Block and the block type is Period Block. You need to specify the time for blocking the client IP.
Redirecting URL: The option is available when the protection action is Redirect. You need to specify the destination URL (IPv4 or IPv6) for redirecting.
Capture Packets: Click the button to enable the Capture Packets function. When the function is enabled, the device will capture abnormal data packets. You can view the abnormal data in logs.

Auto-learning Policy
An auto-learning policy complements the protection settings. When an auto-learning policy is referenced, the device only filters the traffic flowing to the URLs in protected mode. If the traffic matches the signatures of the profiles, it is sent to the web server directly; if the traffic does not match the signatures of the profiles, it is handled with the protection actions configured in the auto-learning policy, such as alarm, block and redirect URL.

Creating an Auto-learning Policy

To create an auto-learning policy, take the following steps:

1. Select Policy > Policy Type > Auto-learning Policy.

2. Click New to go to the Auto-learning Policy Configuration page.

3. Configure the following options:

Option Description

Name: Specifies the name of the auto-learning policy.

Description: Specifies the description of the policy, such as protection rules and actions.

Protection Rule

Name: Displays the name of the protection rule.

Status: Enable or disable the rule. When the rule is enabled, it can take effect in the auto-learning policy.

Severity: Displays the severity of the threat defended against by the rule.

Action: Select the protection action:

- Block: Block HTTP requests and related logs will be generated.

- Alarm: Allow HTTP requests to pass and related logs will be generated.

- Redirect: Redirect HTTP requests to the specified URL and related logs will be generated.

Status Code: The option is available when the protection action is Block. You can customize the web page that the device returns to the client with the HTTP status code.

Block Type: The option is available when the protection action is Block. Select the block type as Block Once, Permanently block IP, or Period Block. If Block Once is selected, the current request will be blocked; if Period Block is selected, the client IP will be added to the blacklist and the requests from the client IP will be blocked for a while. If Permanently block IP is selected, all connection requests from the client are blocked.

Block Period: The option is available when the protection action is Block and the block type is Period Block. Specifies the period for blocking the client IP.

Redirecting URL: The option is available when the protection action is Redirect. Specifies the destination URL for redirecting.

Capture Packets: Click the button to enable the packet capture function. When the function is enabled, the device will capture abnormal data packets. You can view the abnormal data in logs.

4. Click OK.
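
The three block types differ only across several requests from the same client, so the difference is easiest to see on a request trace. The following Python script is an added example, not part of this guide and not vWAF code: it models Block Once, Period Block with its Block Period, and Permanently Block IP over a constructed trace. The class and function names, the sample client IPs and the 60-second Block Period are assumptions made for the illustration.

```python
from typing import Dict, List, Optional, Tuple

# Added example: models the Block Once, Period Block and Permanently Block IP
# block types from the table above. Names, sample IPs and the Block Period
# value are assumptions for the illustration, not vWAF code.

BLOCK_ONCE = "block_once"
PERIOD_BLOCK = "period_block"
PERMANENT_BLOCK = "permanent_block"


class ClientBlacklist:
    """Client-IP blacklist; an expiry of None marks a permanent entry."""

    def __init__(self) -> None:
        self.entries: Dict[str, Optional[float]] = {}

    def add(self, ip: str, expires_at: Optional[float]) -> None:
        if ip in self.entries and self.entries[ip] is None:
            return                                  # never shorten a permanent block
        self.entries[ip] = expires_at

    def remove(self, ip: str) -> None:
        # A permanent entry leaves the list only when an administrator removes it.
        self.entries.pop(ip, None)

    def is_blocked(self, ip: str, now: float) -> bool:
        if ip not in self.entries:
            return False
        expires_at = self.entries[ip]
        if expires_at is None or now < expires_at:
            return True
        del self.entries[ip]                        # the Block Period has lapsed
        return False


class BlockAction:
    """Protection action Block with one of the three block types."""

    def __init__(self, block_type: str, block_period: float = 0.0) -> None:
        if block_type == PERIOD_BLOCK and block_period <= 0:
            raise ValueError("Period Block needs a positive Block Period")
        self.block_type = block_type
        self.block_period = block_period
        self.blacklist = ClientBlacklist()

    def handle(self, ip: str, rule_hit: bool, now: float) -> str:
        """Decide one request at time now: 'blocked' or 'allowed'.
        rule_hit is True when the request matched a rule whose action is Block."""
        if self.blacklist.is_blocked(ip, now):
            return "blocked"                        # blacklisted clients are dropped outright
        if not rule_hit:
            return "allowed"
        if self.block_type == PERIOD_BLOCK:
            self.blacklist.add(ip, now + self.block_period)
        elif self.block_type == PERMANENT_BLOCK:
            self.blacklist.add(ip, None)
        return "blocked"                            # Block Once drops only this request


# Constructed trace: (seconds since start, client IP, did a Block rule match?)
TRACE: List[Tuple[float, str, bool]] = [
    (0, "203.0.113.5", True),       # attack from client A
    (1, "203.0.113.5", False),      # benign follow-up from A
    (61, "203.0.113.5", False),     # benign request from A a minute later
    (61, "198.51.100.9", False),    # unrelated client B
]


def run(block_type: str, block_period: float = 60.0) -> List[str]:
    """Replay TRACE under one block type and return the per-request decisions."""
    action = BlockAction(block_type, block_period)
    return [action.handle(ip, hit, t) for t, ip, hit in TRACE]


if __name__ == "__main__":
    for bt in (BLOCK_ONCE, PERIOD_BLOCK, PERMANENT_BLOCK):
        print(bt, run(bt))
```

Running the script shows that only Block Once lets the follow-up request from client A through, that a Period Block of 60 seconds has lapsed by the request at second 61, and that a permanent entry is honoured until `remove` is called on the blacklist; client B is never affected.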

User Tracking Policy
With the advancement of attack techniques, it is difficult to accurately locate an attacker by using
the conventional method of tracking the source IP. Therefore, the tracking and tracing of user ses-
sions are becoming increasingly important.
You can track user sessions by configuring user session tracking policies and logging. Generally, a
user tracking policy needs to be applied together with other security policies such as access con-
trol policy and auto-learning policy. For attack traffic that matches an access control policy, auto-
learning policy, etc., you can still configure a user tracking policy to track the user name of the
traffic. In this way, you can view information (such as username and session identifier) of the
attack traffic in the access control logs, auto-learning profile violation logs or web security logs.
By querying and analyzing the logs by using filtering conditions such as username and session iden-
tifier, the system can trace an attacker and the attack process and identify the attacker information.
Moreover, the attack process can be reproduced, so that you can fix the bugs of your security
policies, improving the protection effect.
When creating a user tracking policy, you can configure filter conditions such as username, ses-
sion identifier, login and logout URLs, and then bind the policy to the corresponding site. After
that, the system will track and record the username and session identifier of the attack traffic that
matches an access control policy, auto-learning policy or another security policy. Then, you can
view the record in the access control logs, auto-learning profile violation logs or web security
logs.

Creating a User Session Tracking Policy

To create a user session tracking policy, take the following steps:

1. Select Policy > Policy Type > User Tracking Policy.

2. Click New to go to the User Tracking Policy Configuration panel.

3. Configure the following options:

Option Description

Name: Specifies the name of the user tracking policy.

Description: Spec
ifies the description of the policy.

Parameter Config:

Username: Specifies the user ID (used to identify a user) that needs to be filled in during login authentication for the user session which needs to be matched, e.g., "username" and "login".

Host: Specifies the domain name accessed by the user session to be matched, e.g., "hillstonenet.com". If not configured, any domain name will be matched.

Login URL: Specifies the relative path of the login URL of the site accessed by the user session that needs to be matched, e.g., "/test/login.php".

Logout URL: Specifies the relative path of the request URL sent when the user session, which needs to be matched, logs out, e.g., "/test/logout.php".

Session Name: Specifies the name of the session identifier to be matched that identifies a session, e.g., "JSESSIONID" and "PHPSESSID".

Timeout: Specifies the session tracking time. The default value is 30 minutes. If the time expires, the system will stop session tracking. You should set the value the same as the session timeout for the site's server.

Login Successful Options: Select the response method of the site after successful login of the session to be matched, including Status Code or Redirect Address.

Login Successful Message: If Status Code is selected for Login Successful Options, enter the corresponding status code. If Redirect Address is selected, enter the URL address you want to redirect to, e.g., "http://www.test.com/abc/index.jsp".

4. Click OK.

5. Click OK.

Notes: Currently, the user tracking policy can only be applied to sessions with HTML form-based authentication. Sessions with key and certificate-based authentication are not supported.
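
To make the tracking behaviour concrete, here is an added Python example (not the vWAF implementation and not code from this guide) that applies a user tracking policy to a constructed sequence of request/response records: it binds the session identifier to the username when a login to Login URL succeeds (judged by Status Code or Redirect Address), drops the binding at Logout URL or after Timeout, and attributes every other record, including one that an access control policy blocked, to the tracked username. The record layout, the reading of Timeout as an idle timeout, and all host names, paths and credentials are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example: applies a user tracking policy to constructed request/response
# records and attributes each record to a tracked username. Record layout,
# the idle-timeout reading of Timeout and all sample values are assumptions.


@dataclass
class UserTrackingPolicy:
    username: str = "username"              # form field carrying the user ID
    host: Optional[str] = None              # None = any domain name
    login_url: str = "/test/login.php"
    logout_url: str = "/test/logout.php"
    session_name: str = "PHPSESSID"
    timeout: float = 30 * 60                # seconds; should equal the server's session timeout
    success_status: Optional[int] = None    # Login Successful Options = Status Code
    success_redirect: Optional[str] = None  # Login Successful Options = Redirect Address


class SessionTracker:
    def __init__(self, policy: UserTrackingPolicy) -> None:
        self.policy = policy
        self.sessions: Dict[str, Tuple[str, float]] = {}   # session id -> (user, last seen)

    def _session_id(self, rec: dict) -> Optional[str]:
        # A Set-Cookie in the response (fresh session) wins over the request cookie.
        name = self.policy.session_name
        return rec.get("set_cookie", {}).get(name) or rec.get("cookies", {}).get(name)

    def _login_succeeded(self, rec: dict) -> bool:
        p = self.policy
        if p.success_status is not None and rec.get("status") == p.success_status:
            return True
        return p.success_redirect is not None and rec.get("location") == p.success_redirect

    def observe(self, rec: dict) -> Optional[str]:
        """Feed one request/response record; return the username attributed to it."""
        p = self.policy
        if p.host is not None and rec["host"] != p.host:
            return None
        sid, now = self._session_id(rec), rec["time"]
        if rec["path"] == p.login_url and p.username in rec.get("form", {}):
            if sid and self._login_succeeded(rec):
                self.sessions[sid] = (rec["form"][p.username], now)
                return rec["form"][p.username]
            return None                                 # failed login: nothing to bind
        if sid not in self.sessions:
            return None
        user, last_seen = self.sessions[sid]
        if now - last_seen > p.timeout:
            del self.sessions[sid]                      # tracking stopped on timeout
            return None
        if rec["path"] == p.logout_url:
            del self.sessions[sid]                      # still attributed, then forgotten
            return user
        self.sessions[sid] = (user, now)
        return user


def attribute(records: List[dict], policy: UserTrackingPolicy) -> List[Optional[str]]:
    """Username per record, as it would appear in the enriched security logs."""
    tracker = SessionTracker(policy)
    return [tracker.observe(r) for r in records]


# Constructed traffic for one site; "event" marks records a security policy logged.
HOST = "app.example.test"
RECORDS = [
    {"time": 0, "host": HOST, "path": "/test/login.php", "form": {"username": "alice", "password": "x"},
     "status": 302, "location": "http://app.example.test/home", "set_cookie": {"PHPSESSID": "s1"}},
    {"time": 10, "host": HOST, "path": "/test/login.php", "form": {"username": "mallory", "password": "x"},
     "status": 200, "set_cookie": {"PHPSESSID": "s3"}},          # wrong password: form re-rendered
    {"time": 60, "host": HOST, "path": "/search", "cookies": {"PHPSESSID": "s1"}, "status": 403,
     "event": "blocked by access control policy"},
    {"time": 70, "host": HOST, "path": "/search", "cookies": {"PHPSESSID": "s3"}, "status": 200},
    {"time": 120, "host": HOST, "path": "/test/logout.php", "cookies": {"PHPSESSID": "s1"}, "status": 200},
    {"time": 130, "host": HOST, "path": "/search", "cookies": {"PHPSESSID": "s1"}, "status": 200},
    {"time": 200, "host": HOST, "path": "/test/login.php", "form": {"username": "bob", "password": "x"},
     "status": 302, "location": "http://app.example.test/home", "set_cookie": {"PHPSESSID": "s2"}},
    {"time": 200 + 1801, "host": HOST, "path": "/admin", "cookies": {"PHPSESSID": "s2"}, "status": 200},
]

POLICY = UserTrackingPolicy(host=HOST, success_redirect="http://app.example.test/home")

if __name__ == "__main__":
    for rec, user in zip(RECORDS, attribute(RECORDS, POLICY)):
        print(rec["time"], rec["path"], rec.get("event", ""), "->", user)
```

The blocked `/search` request at second 60 is attributed to `alice` although it carries only the session cookie, which is exactly the enrichment the logs gain from a tracking policy; the failed login never creates a binding, the logout ends one, and the request at second 2001 falls outside the 30-minute Timeout and is left unattributed.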

Content Rewrite Policy
For the traffic that has been filtered by access control policies, security policies, and auto-learning policies, you can still create content rewrite policies and bind them to a site. Then, the system will perform URL redirection, URL rewriting, or HTTP header or content rewriting on the eligible HTTP traffic, eliminating certain security risks or code vulnerabilities, and improving the website security.
Common application scenarios are as follows:

1. Redirecting HTTP requests to the HTTPS URL, enhancing the website security through
SSL offloading.

2. Rewriting a URL address that exposes the implementation details of the web application to
avoid security risks.

3. Redirecting HTTP requests accessing a website under maintenance to a temporary page.

4. Redirecting HTTP requests accessing one website to another.

5. Redirecting HTTP requests from different countries/regions to different URLs.

Creating a Content Rewrite Policy

To create a content rewrite policy, take the following steps:

1. Select Policy > Policy Type > Content Rewrite Policy.

2. Click New to go to the Content Rewrite Policy Configuration page.

3. Configure the following options:

Option Description

Name: Specifies the name of the content rewrite policy.

Template: Select a template for the policy. The system predefines multiple templates for common scenarios. After selecting a template, the configuration for the matching condition, action and other options in the template will be displayed below, and then you can modify it or apply it without change. For example, the system provides two templates that transfer client certificate information to the server: extracting the Subject DN to the request header and extracting the complete certificate (in PEM format) to the request header.

Direction: Select the direction for content rewrite.

- If Request is selected, the content of HTTP requests will be rewritten.

- If Response is selected, the content of HTTP responses will be rewritten.

Text encoding mode: Select the text encoding method for HTTP messages, including UTF-8, GB2312, GBK and GB18030. This way, the eligible traffic can be filtered more accurately.

Match: Click New to add a matching condition.

- Direction: Select the matching direction. Both client requests and server responses are supported.

- Match object: Select the object of the HTTP traffic to be matched.

- Element: Specifies the element of Head or Cookie.

- Operator: Select the matching method, including Regex Match, Regex Not Match, Equal, No Equal, Exist and Not Exist. If Regex Match is selected, the system will rewrite the HTTP messages that match the Match Text. If Regex Not Match is selected, the system will rewrite the HTTP messages that do not match the Match Text.

- Match text: Specifies the text to be matched. Both a regular expression and a keyword are supported, e.g., "^https://ORIGINAL_HOST(.*)".

- Match IP Version: Specifies the IP version to be matched. IP versions include Any, IPv4, and IPv6.

After configuring the above options, click OK, and a matching condition will be displayed in the list. If multiple conditions are configured, HTTP traffic needs to meet all of them at the same time before triggering the action for the policy. If no condition is configured, the action will be applied to all traffic.

- Matching conditions are case sensitive: With this function enabled, the system will perform matching in a case-sensitive manner.

Action: Specifies the action for the HTTP traffic that meets the matching condition(s).

- 301 Permanent redirection: Redirect the HTTP traffic to the specified URL permanently.

- 302 Temporary redirection: Redirect the HTTP traffic to the specified URL for a limited amount of time.

- Rewrite URL: Rewrite the URL of the HTTP traffic to the specified URL.

- Rewrite Head: Rewrite headers of the HTTP messages to the specified header content.

- Insert Head: Insert the header field into HTTP requests or responses after you specify the name and content of the header.

- Insert Cookie: Insert the cookie field into HTTP requests or responses after you specify the name and content of the cookie.

- Delete Head: Delete the specified header field of the HTTP messages.

- Delete Cookie: Delete the specified cookie field of the HTTP messages.

- Rewrite Cookie: Rewrite the cookie of the HTTP messages to the specified cookie.

- Add IP Protocol Type ID: Add an identifier for the IP protocol type to the HTTP messages. Click Advanced and modify IPv4 text/IPv6 text, position, size, color, background color and opacity for HTTP responses.

- Rewrite Response Body: Rewrite the response body of the HTTP messages to the specified response body content.

Redirect URL: If 301 Permanent redirection or 302 Temporary redirection is selected, you need to specify the URL to be redirected to. The system will redirect the eligible HTTP traffic to the specified URL. URL addresses support regular expressions and backreferences, e.g., "https://$0$1".

Element: Specifies the specific element for the header or cookie.

Insert: If Insert Head or Insert Cookie is selected, you need to specify the content that the system inserts into the HTTP packets that meet the matching conditions. The inserted URL addresses support regular expressions and backreferences, e.g., "https://$0$1".
When Use Variable is enabled, you can enter the required variable name based on the supported variable list. The system will retrieve variable content that matches the content rewrite direction and matching conditions, and insert this variable content into the header or cookie of HTTP messages. For each content rewrite policy, you can enter only one variable. For example, "${X509.subject_dn}" is used for the system to obtain subject information from the client certificate and transfer the information to the server. By default, Use Variable is disabled. For more information about supported variables, see Variables Supported by the System.

Rewrite Content: If Rewrite URL, Rewrite Head, Rewrite Response Body, or Rewrite Cookie is selected, you need to specify the rewritten content. The system will rewrite the corresponding content of HTTP messages to the specified content. URL addresses support regular expressions and backreferences, e.g., "https://$0$1".
When Use Variable is enabled, you can enter the required variable name based on the supported variable list. The system will retrieve variable content that matches the content rewrite direction and matching conditions, and rewrite this variable content into the header, response body, or cookie of HTTP messages. For each content rewrite policy, you can enter only one variable. For example, "${X509.subject_dn}" is used for the system to obtain subject information from the client certificate and transfer the information to the server. By default, Use Variable is disabled. For more information about supported variables, see Variables Supported by the System.

Description: Specifies the description of the policy.

4. Click OK.

Notes:

- You can only configure a content rewrite policy in the transparent proxy mode, one-arm reverse proxy mode, traction mode and reverse proxy mode.

- If a site references multiple content rewrite policies, the system will perform matching from top to bottom and rewrite the matched HTTP message. The HTTP message rewritten according to the first policy will be used as the content to be rewritten according to the second policy, and so on.

- When the Match Object is configured as Response Body, you can specify the action as Rewrite Response Body or Add IP Protocol Type ID, and only part of the matched HTTP message will be rewritten. When the Match Object is not configured as Response Body, you can specify the action as Rewrite Response Body, and the whole matched HTTP message will be rewritten.

- Before binding content rewrite policies to a site, enable Stop Server Compressing. Otherwise, the content rewrite policies may not take effect. For example, when Content-Encoding: gzip is included in the body of the response returned by the Web server, if Stop Server Compressing is not enabled, the content rewrite policies cannot take effect.

- If an HTTP site is bound to a content rewrite policy that uses the client certificate-related variable, the content rewrite policy does not take effect.
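
The matching and action semantics above, including $N backreferences and the top-to-bottom chaining described in the notes, can be illustrated with an added Python model; it is not the vWAF engine and not code from this guide. It resolves ${...} variables from a context dictionary that stands in for what the device extracts from the TLS handshake, applies each policy to the request as the previous policy left it, and stops at the first redirect. The policy names, the sample host and paths, the request representation and the stop-at-redirect behaviour are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Added example: a model of content rewrite policies (matching conditions, actions,
# $N backreferences, ${...} variables and top-to-bottom chaining). Policy names,
# sample URLs and the request layout are assumptions; this is not the vWAF engine.

@dataclass
class Request:
    scheme: str
    host: str
    path: str
    query: str = ""
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)
    vars: Dict[str, str] = field(default_factory=dict)  # stand-in for device-extracted variables
    redirect: Optional[Tuple[int, str]] = None           # set once a 301/302 action fires

    def url(self) -> str:
        return f"{self.scheme}://{self.host}{self.path}" + (f"?{self.query}" if self.query else "")

@dataclass
class Condition:
    obj: str                 # url | host | header | cookie
    operator: str            # regex_match | regex_not_match | equal | not_equal | exist | not_exist
    text: str = ""
    element: str = ""        # header or cookie name when obj is header/cookie
    case_sensitive: bool = False

@dataclass
class Policy:
    name: str
    action: str              # 301 | 302 | rewrite_url | insert/rewrite/delete_head | insert/rewrite/delete_cookie
    conditions: List[Condition] = field(default_factory=list)  # empty list = all traffic
    element: str = ""
    content: str = ""

def matches(req: Request, c: Condition):
    """Evaluate one condition; return (matched, regex Match object or None)."""
    val = {"url": req.url(), "host": req.host, "header": req.headers.get(c.element),
           "cookie": req.cookies.get(c.element)}[c.obj]
    if c.operator in ("exist", "not_exist"):
        return (val is not None) == (c.operator == "exist"), None
    if val is None:                                   # an absent field matches nothing else
        return False, None
    if c.operator in ("equal", "not_equal"):
        a, b = (val, c.text) if c.case_sensitive else (val.lower(), c.text.lower())
        return (a == b) == (c.operator == "equal"), None
    m = re.search(c.text, val, 0 if c.case_sensitive else re.IGNORECASE)
    if c.operator == "regex_match":
        return m is not None, m
    return m is None, None                            # regex_not_match

def expand(template: str, req: Request, m) -> str:
    """Resolve ${VAR} from the request context, then $0, $1, ... backreferences."""
    s = re.sub(r"\$\{([^}]+)\}", lambda v: req.vars.get(v.group(1), ""), template)
    return m.expand(re.sub(r"\$(\d+)", r"\\g<\1>", s)) if m is not None else s

def apply_chain(req: Request, policies: List[Policy]) -> Request:
    """Apply policies top-down; each sees the request as the previous one left it."""
    for p in policies:
        last = None
        for c in p.conditions:                        # every condition must hold
            hit, m = matches(req, c)
            if not hit:
                break
            last = m or last
        else:
            if p.action in ("301", "302"):
                req.redirect = (int(p.action), expand(p.content, req, last))
                break                                 # assumption: a redirect ends the chain
            if p.action == "rewrite_url":
                u = urlsplit(expand(p.content, req, last))
                if u.scheme:
                    req.scheme, req.host = u.scheme, u.netloc
                req.path, req.query = u.path, u.query
                continue
            verb, target = p.action.split("_", 1)
            store = req.headers if target == "head" else req.cookies
            if verb == "delete":
                store.pop(p.element, None)
            elif verb == "insert" or p.element in store:  # rewrite only touches an existing field
                store[p.element] = expand(p.content, req, last)
    return req

POLICIES = [
    Policy("http_to_https", "301", [Condition("url", "regex_match", r"^http://([^/]+)(/.*)?$")],
           content="https://$1$2"),                       # scenario 1: force HTTPS
    Policy("hide_php", "rewrite_url", [Condition("url", "regex_match", r"^https://[^/]+/app/(\w+)(\?.*)?$")],
           content="/app/$1.php$2"),                      # scenario 2: public path -> internal script
    Policy("subject_dn_to_header", "insert_head", element="X-Client-DN",
           content="${X509.subject_dn}"),                 # the Subject DN template
    Policy("drop_debug_cookie", "delete_cookie", [Condition("cookie", "exist", element="debug")],
           element="debug"),
    Policy("mark_internal_target", "insert_head", [Condition("url", "regex_match", r"/app/\w+\.php")],
           element="X-Internal-Target", content="$0"),    # only true after hide_php ran
]

def demo(scheme: str) -> Request:
    req = Request(scheme, "www.example.test", "/app/login", "lang=en", cookies={"debug": "1", "sid": "abc"},
                  vars={"X509.subject_dn": "CN=alice,OU=ops,O=Example Ltd,C=US"})
    return apply_chain(req, POLICIES)
```

`demo("http")` ends at the first policy with a 301 to the HTTPS URL, and nothing later in the chain touches the request. `demo("https")` skips the redirect, has its path rewritten to `/app/login.php`, receives the client Subject DN in `X-Client-DN`, loses the `debug` cookie, and is marked by the last policy, whose `\.php` condition only holds because the earlier `hide_php` policy already rewrote the URL.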

Variables Supported by the System

Variable Description

${X509.version}: The version of the client certificate.

${X509.serial_num}: The SN of the client certificate.

${X509.signature_algorithm}: The signature algorithm of the client certificate.

${X509.not_valid_before}: The time when the client certificate starts to take effect.

${X509.not_valid_after}: The time when the client certificate expires.

${X509.public_key_algorithm}: The public key algorithm of the client certificate.

${X509.public_key_type}: The public key type of the client certificate.

${X509.public_key_bits}: The public key length of the client certificate.

${X509.md5}: The MD5 hash value of the client certificate.

${X509.whole}: The original client certificate (in the PEM format).

${X509.der_whole}: The original client certificate (in the DER format, which is Base64 encoded).

${X509.subject_dn}: The subject of the client certificate (multiple parts are separated with ",").

${X509.subject_dn_r}: The subject of the client certificate in reverse order (multiple parts are separated with ",").

${X509.subject_dn_cn}: The name of the subject of the client certificate.

${X509.subject_dn_e}: The email of the subject of the client certificate.

${X509.subject_dn_o}: The company/organization of the subject of the client certificate.

${X509.subject_dn_ou}: The organization unit of the subject of the client certificate.

${X509.subject_dn_c}: The country of the subject of the client certificate.

${X509.subject_dn_st}: The state/province of the subject of the client certificate.

${X509.subject_dn_l}: The city of the subject of the client certificate.

${X509.issuer_dn}: The issuer of the client certificate. Multiple parts are separated with ",".

${X509.issuer_dn_r}: The issuer of the client certificate in reverse order. Multiple parts are separated with ",".

${X509.issuer_dn_cn}: The name of the issuer of the client certificate.

${X509.issuer_dn_e}: The email of the issuer of the client certificate.

${X509.issuer_dn_o}: The company/organization of the issuer of the client certificate.

${X509.issuer_dn_ou}: The organization unit of the issuer of the client certificate.

${X509.issuer_dn_c}: The country of the issuer of the client certificate.

${X509.issuer_dn_st}: The state/province of the issuer of the client certificate.

${X509.issuer_dn_l}: The city of the issuer of the client certificate.

${SSL.version}: The version of the SSL/TLS protocol.

${SSL.cipher_id}: The negotiation algorithm ID of the SSL/TLS protocol.

${SSL.cipher_name}: The negotiation algorithm name of the SSL/TLS protocol.

${SSL.client_verify_result_code}: The error code for the client certificate verification.

${SSL.client_verify_result_string}: The result of the client certificate verification.

${SSL.session_id}: The session ID of SSL/TLS.

${SSL.tlsext_sni}: The SNI extension field of the TLS protocol.

${HTTP.args}: The arguments in the HTTP protocol request line.

${HTTP.content_length}: The Content_Length field in the HTTP protocol request header.

${HTTP.content_type}: The Content_Type field in the HTTP protocol request header.

${HTTP.cookie_name}: The name field specified in the cookie of the HTTP protocol. name indicates the name of the specified field.

${HTTP.host}: The Host field name in the HTTP protocol request, which is obtained in the following priority: host name in the request line > host name in the request header > name of the server that handles the request. When a Host field name with a higher priority is obtained, other Host field names will no longer be obtained.

${HTTP.http_name}: The name field specified in the request header or response header of the HTTP protocol. name indicates the name of the specified field. Whether it is a request header or response header is based on the content rewrite direction.

${HTTP.cookie}: The Cookie field in the HTTP protocol request header.

${HTTP.header_host}: The Host field in the HTTP protocol request header.

${HTTP.referer}: The Referer field in the HTTP protocol request header.

${HTTP.user_agent}: The User-Agent field in the HTTP protocol request header.

${HTTP.via}: The Via field in the HTTP protocol request header.

${HTTP.x_forwarded_for}: The X_Forwarded_For field in the HTTP protocol request header.

${HTTP.with_args}: If the HTTP protocol request line includes arguments, "?" is obtained. Otherwise, an empty string is obtained.

${HTTP.remote_user}: The username that is authenticated by Basic Authentication in the HTTP protocol request.

${HTTP.request_line}: The complete raw data of the HTTP protocol request line.

${HTTP.request_method}: The Method field such as "GET" and "POST" in the HTTP protocol request line.

${HTTP.request_uri_with_args}: The complete URL field that includes arguments in the HTTP protocol request line.

${HTTP.scheme}: The URL Scheme field such as "http" and "https" in the HTTP protocol request line.

${HTTP.protocol}: The protocol field such as "HTTP/1.0", "HTTP/1.1", and "HTTP/2.0" in the HTTP protocol request line.

${HTTP.uri}: The unencoded or encoded URL of the URL field in the HTTP protocol request line.

${HTTP.version}: The HTTP_Version field such as "0.9", "1.0", "1.1", and "2.0" in the HTTP protocol request line.

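
As an added example (not the vWAF implementation and not code from this guide), the Python code below derives the ${HTTP.*} variables from a raw request constructed inline: it shows the ${HTTP.host} priority order, the ${HTTP.with_args} convention, the per-name ${HTTP.cookie_name} and ${HTTP.http_name} forms, and ${HTTP.remote_user} taken from a Basic Authentication header; it also reverses a DN the way ${X509.subject_dn_r} is described. The scheme and server name are passed in because they come from the listening site rather than from the request, and the sample request, host names and credentials are constructed for the example.

```python
import base64
from typing import Dict
from urllib.parse import urlsplit

# Added example: derives the ${HTTP.*} variables from a raw request built inline
# and reverses a DN the way ${X509.subject_dn_r} is described. Sample request,
# host names and credentials are constructed; this is not vWAF code.


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, protocol = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()     # header names are case-insensitive
    return {"request_line": lines[0], "method": method, "target": target,
            "protocol": protocol, "headers": headers, "body": body}


def basic_auth_user(authorization: str) -> str:
    """${HTTP.remote_user}: the user name from a Basic Authentication header, else ''."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return ""
    try:
        credentials = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):           # binascii.Error is a ValueError
        return ""
    return credentials.partition(":")[0]


def resolve(req: dict, scheme: str, server_name: str) -> Dict[str, str]:
    """Return the ${HTTP.*} variables keyed without the ${HTTP.} wrapper.
    scheme and server_name come from the listening site, not from the request."""
    h = req["headers"]
    u = urlsplit(req["target"])                          # origin-form or absolute-form target
    v = {
        "request_line": req["request_line"],
        "request_method": req["method"],
        "request_uri_with_args": req["target"],
        "uri": u.path,
        "args": u.query,
        "with_args": "?" if u.query else "",
        "protocol": req["protocol"],
        "version": req["protocol"].split("/", 1)[1],
        "scheme": scheme,
        # ${HTTP.host} priority: request line > Host header > server name
        "host": u.netloc or h.get("host", "") or server_name,
        "header_host": h.get("host", ""),
        "cookie": h.get("cookie", ""),
        "referer": h.get("referer", ""),
        "user_agent": h.get("user-agent", ""),
        "via": h.get("via", ""),
        "x_forwarded_for": h.get("x-forwarded-for", ""),
        "content_length": h.get("content-length", ""),
        "content_type": h.get("content-type", ""),
        "remote_user": basic_auth_user(h.get("authorization", "")),
    }
    for item in h.get("cookie", "").split(";"):          # ${HTTP.cookie_<name>}
        name, _, value = item.strip().partition("=")
        if name:
            v[f"cookie_{name}"] = value
    for name, value in h.items():                        # ${HTTP.http_<name>}
        v[f"http_{name.replace('-', '_')}"] = value
    return v


def dn_reverse(dn: str) -> str:
    """${X509.subject_dn_r}: components in reverse order, still separated by ','.
    Assumes no escaped commas inside component values."""
    return ",".join(reversed([part.strip() for part in dn.split(",")]))


# Constructed request; the Authorization token is base64("alice:secret").
RAW_REQUEST = ("GET /search?q=waf&page=2 HTTP/1.1\r\n"
               "Host: www.example.test\r\n"
               "Cookie: PHPSESSID=abc123; theme=dark\r\n"
               "User-Agent: Mozilla/5.0\r\n"
               "X-Forwarded-For: 203.0.113.7\r\n"
               "Authorization: Basic YWxpY2U6c2VjcmV0\r\n\r\n")

if __name__ == "__main__":
    for key, value in sorted(resolve(parse_request(RAW_REQUEST), "https", "waf-site").items()):
        print(f"${{HTTP.{key}}} = {value!r}")
```

With an absolute-form request line such as `GET http://other.example.test/p HTTP/1.1`, `${HTTP.host}` comes from the request line while `${HTTP.header_host}` still reports the Host header, which is the priority rule the table states; with neither present, the site's server name is used.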
Rule Management
On the Rule Management page, the protection rules referenced by security policies can be managed. You can view predefined rules or create custom rules.

Predefined Rule
To defend against common attacks, the system predefines various rules for you to reference. To view a predefined rule, take the following steps:

1. Select Policy > Rule Management > Predefined Rule, and then all predefined rules will be displayed.

2. The left section of the page shows the category tree of predefined rules, and each category name is followed by the total number of rules under the category. To expand sub-categories, click +; to collapse them, click -.

3. After selecting a category, all protection rules under that category will be displayed in the middle of the page. Click to add a filter condition. Then, the rules that meet the condition will be displayed on the list.

4. Click + before each protection rule to view its detailed information, including ID, name, CNNVD\CVE-ID, sub-type, severity, etc.

Rule Search
The system allows you to search for vulnerability information in CNNVD and CVE databases. The system will obtain the latest vulnerability information from the official CNNVD website every Tuesday and save it. The saved vulnerability information and CNNVD entries will be mapped, and will be released with the updated signature database every two weeks.

- CNNVD: China National Vulnerability Database of Information Security (CNNVD) is run by China Information Technology Security Evaluation Center (CNITSEC) to provide services of vulnerability analysis and risk assessment, which is fundamental to China's information security. The CNNVD Compatibility Service is the service provided by CNNVD for information security practitioners to conduct standardized assessment and certification of vulnerability information related to their products/services. With the information security products/services of the CNNVD Compatibility Service, vulnerabilities can be given standardized names and descriptions, contributing to improving sharing and service capabilities of vulnerability information in China's domestic information security industry. By using the CNNVD-ID, vulnerability information can be shared across security platforms, strengthening the capabilities of security products.

- CVE: Common Vulnerabilities and Exposures. CVE is a dictionary of publicly disclosed cybersecurity vulnerabilities and exposures. It provides a unique name and a standardized description for each vulnerability and exposure. You can access the fix information corresponding to CVE entries in a separate database that is compatible with CVE to fix security vulnerabilities.

Click in the upper-left corner of the rule list to add a filter condition: CNNVD-ID or CVE-ID, and enter the specific content into the search box behind the filter condition. Then, the rule that meets the condition will be displayed in the rule list.

User-defined Rule
To create a user-defined rule, take the following steps:

1. Select Policy > Rule Management > User-defined Rule, and then the custom rule list will be displayed.

2. Click New to go to the Rule Configuration page.

3. Enter the name of the rule that you want to create.

4. Default Status is a global switch for user-defined rules. When enabled, user-defined rules will take effect in all security policies bound to sites. By default, Default Status is turned on.
Note: If user-defined rules are not enabled in the security policies bound to a site, regardless of the 'Default Status' setting, user-defined rules will not take effect in that security policy. For example, the predefined security policy 'policy_debug' defaults to disabling all protection rules.

5. In the Direction field, select the direction for applying the rule, including Request, Response or Both.

6. In the Matching Condition field, click New to create a matching condition, and specify the field, sub-field, operator, matching text/regular expression, and decoding method for the condition. To create more conditions, click New; to delete a condition, select it and click Delete.

7. Specify the protection subtype of the user-defined rule based on the type of attacks to be detected. The protection subtype can be user-defined rule, non-web attacks, SQL injection, etc. If you cannot determine the specific protection subtype, you can set the subtype to User-defined Rule. If you need to record web traffic from which no attack is detected based on security policy, you can set the subtype to Non Web Attacks. In this case, the Action parameter is displayed as Observe and the Severity parameter is displayed as Riskless.

8. Specify the protection action as needed:

- Permit: Allow HTTP requests that meet the condition to pass.

- Block: Block HTTP requests that meet the condition and related logs will be generated. After selecting this action, select a response status code from the Status Code drop-down list.

- Alarm: Allow HTTP requests to pass and related logs will be generated. After selecting this action, enter the alarm message to be displayed in logs in the Alarm Message field.

- Redirect: Redirect HTTP requests to the specified URL and related logs will be generated. After selecting this action, enter the destination URL (IPv4 or IPv6) for redirecting in the Redirecting URL field.

- Observe: The action is Observe only when the protection subtype is Non Web Attacks. Related logs will be generated. Other protection subtypes do not support this action.

9. Select the threat severity from the Severity drop-down list as needed.

10. Enable the Packet Capture as needed. When the function is enabled, the device will capture abnormal data packets. You can view the abnormal data in logs.

11. From the Schedule drop-down list, select an existing schedule or create a new one. User-defined rules only take effect when the schedule is active. If no schedule is referenced and Default Status is enabled, user-defined rules take effect immediately. After referencing a schedule, you can view its status in the user-defined rules list.

12. In the Alarm Message field, enter the alarm message to be displayed in logs.

13. Click OK.

Notes: When you select a protection subtype other than "User-defined rule" or "Non Web Attack", the logs, threat overview, and report of the corresponding rule will be collected to the corresponding protection subtype, similar to how they are treated for predefined rules. They will not be collected to the User-defined Rule type. For example, if you filter logs of SQL injection, all logs generated based on predefined and user-defined SQL injection rules are filtered.

After a user-defined rule is created, you can view its details on the user-defined rule list, including rule ID, rule name, security policy with rule enabled, action, etc. Click Details in the Security Policy with Rule Enabled column to go to the Details panel, where you can view and edit Security Policy with Rule Enabled and Correlated Site.
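
A user-defined rule is evaluated on the decoded form of the matched field, so the decoding method chosen in step 6 decides whether an encoded payload is seen at all. The following Python script is an added example (not vWAF code and not from this guide) that evaluates a few constructed rules, each with field, sub-field, operator, match text and a decoding chain, against constructed requests whose argument values are kept as sent on the wire; it also shows the Non Web Attacks subtype forcing the Observe action and Riskless severity from step 7. The rule and field names, the decoding-step names, and the behaviour that an Observe rule records only requests no attack rule matched are assumptions for the illustration.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import unquote_plus

# Added example: evaluates user-defined rules (field, sub-field, operator, match
# text, decoding method, subtype, action, severity) against constructed requests.
# Rule and field names and the decoding-step names are assumptions; not vWAF code.


@dataclass
class Condition:
    field_name: str                  # "uri" or one of the dicts "args", "header", "cookie"
    sub_field: str = ""              # parameter/header/cookie name; "" = any sub-field
    operator: str = "regex"          # regex | equal | contains
    text: str = ""
    decoding: Tuple[str, ...] = ()   # decoding steps applied in order, e.g. ("url", "base64")


@dataclass
class Rule:
    name: str
    direction: str                   # request | response | both
    conditions: List[Condition]
    subtype: str = "SQL Injection"
    action: str = "block"            # permit | block | alarm | redirect | observe
    severity: str = "high"
    enabled: bool = True             # Default Status

    def __post_init__(self) -> None:
        if self.subtype == "Non Web Attacks":         # fixed by the subtype, as step 7 says
            self.action, self.severity = "observe", "riskless"


def decode(value: str, steps: Tuple[str, ...]) -> str:
    """Apply the rule's decoding chain; undecodable input yields '' so it matches nothing."""
    for step in steps:
        if step == "url":
            value = unquote_plus(value)
        elif step == "base64":
            try:
                value = base64.b64decode(value).decode("utf-8", "replace")
            except (binascii.Error, ValueError):
                return ""
        else:
            raise ValueError(f"unknown decoding step {step}")
    return value


def candidates(req: dict, c: Condition) -> List[str]:
    """Raw values the condition is checked against."""
    if c.field_name == "uri":
        return [req["uri"]]
    store = req[c.field_name]
    if c.sub_field:
        return [store[c.sub_field]] if c.sub_field in store else []
    return list(store.values())


def condition_hits(req: dict, c: Condition) -> bool:
    for raw in candidates(req, c):
        val = decode(raw, c.decoding)
        if c.operator == "regex" and re.search(c.text, val, re.IGNORECASE):
            return True
        if c.operator == "equal" and val == c.text:
            return True
        if c.operator == "contains" and c.text in val:
            return True
    return False


def evaluate(req: dict, rules: List[Rule]) -> List[dict]:
    """Log entries for the rules a request hits, in rule order."""
    attack_hits, observe_hits = [], []
    for r in rules:
        if not r.enabled or r.direction not in ("request", "both"):
            continue
        if all(condition_hits(req, c) for c in r.conditions):
            entry = {"rule": r.name, "subtype": r.subtype, "action": r.action, "severity": r.severity}
            (observe_hits if r.action == "observe" else attack_hits).append(entry)
    # Assumption: an Observe rule records only traffic that no attack rule matched.
    return attack_hits or observe_hits


TAUTOLOGY = r"'\s*or\s+1\s*=\s*1"
RULES = [
    Rule("sqli_tautology_url", "request", [Condition("args", text=TAUTOLOGY, decoding=("url",))]),
    Rule("sqli_tautology_b64", "request", [Condition("args", text=TAUTOLOGY, decoding=("url", "base64"))]),
    Rule("record_clean_traffic", "request", [Condition("uri", text=r".")], subtype="Non Web Attacks"),
]

# Constructed requests; argument values are kept exactly as sent on the wire.
# "JyBPUiAxPTEtLQ==" is the base64 form of the payload the "plain" request carries.
SAMPLE_REQUESTS = {
    "plain":   {"uri": "/search", "args": {"q": "%27+OR+1%3D1--"}, "header": {}, "cookie": {}},
    "wrapped": {"uri": "/api", "args": {"data": "JyBPUiAxPTEtLQ%3D%3D"}, "header": {}, "cookie": {}},
    "benign":  {"uri": "/search", "args": {"q": "waf+guide"}, "header": {}, "cookie": {}},
}


def scan(requests: dict, rules: List[Rule] = RULES) -> dict:
    """Evaluate every sample request and return its log entries keyed by request id."""
    return {rid: evaluate(req, rules) for rid, req in requests.items()}


if __name__ == "__main__":
    for rid, hits in scan(SAMPLE_REQUESTS).items():
        print(rid, hits)
```

The rule that only URL-decodes sees the plain payload but not the base64-wrapped one, while the rule whose decoding chain is URL then base64 catches the wrapped form; the benign request hits neither and is recorded by the Non Web Attacks rule with the Observe action and Riskless severity, which is the logging behaviour step 7 describes.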

Network Protect Action
Hillstone WAF provides designated security protection measures for special application scenarios. For example, in the Cyber Attack and Defense Drill, sites can be comprehensively protected by WAF with the Network Protect Action function.
Targeting real networks, the Cyber Attack and Defense Drill carries out cyber attacks and defenses to discover, expose, and address cybersecurity issues, as well as to test whether cybersecurity measures are well implemented and emergencies are properly responded to.
WAF supports Network Protect Action by providing a wizard for configuring database upgrade, security policies, etc. This helps you configure your device quickly, purposefully, and properly during the Cyber Attack and Defense Drill so that the security operations efficiency is improved.
Click Policy > Comprehensive Protection > Network Protect Action to go to the Network Protect Action Setting page, and specify the configuration in the following sequence: Protection Rule Database Upgrade > Site Selection > Configuration.

Configuring Network Protect Action

To configure the network protect action, take the following steps:

1. Select Policy > Network Protect Action.

2. Turn on the switch next to Network Protect Action Setting.

On the Network Protect Action Setting page, configure the following options:

Option Description

Protection Rule Database Upgrade

Current Version: Displays the current version of the protection rule database.

Auto Update: Click the button to enable the Auto Update function. Select the update frequency, which can be Every Hour or a fixed point in time every day or every week. The system will update the protection rule database according to the schedule. By default, this update frequency is the same as the current update frequency of WAF protection rule database configured on the System > Upgrade Management > Signature Database Update page.

Multistage Escape

Engine Detection Timeout Permit: When the average time consumed for WAF engine detection exceeds the threshold, the system allows traffic to pass through for a certain period. After the pass-through period, WAF resumes security detection on the traffic. If the threshold is reached again, the traffic continues to be allowed.
We recommend that you disable this function in network protect action mode. When you configure the network protect action mode for the first time, the status of this function is displayed as the same as the current status of the Engine Detection Timeout Permit function on the System > WAF Global Configuration > Global Parameter Configuration page.

Enable Fail-open: When the Fail-open function is triggered, the device enters the Fail-open mode. In this mode, the device can still forward packets but cancels security detection for certain packets. This helps prevent network congestion caused by device exceptions. This function is supported only for the transparent proxy mode, reverse proxy mode, one-arm with reverse proxy mode, and traction mode.
We recommend that you disable this function in network protect action mode. When you configure the network protect action mode for the first time, the status of this function is displayed as the same as the current status of the Enable Fail-open function on the System > WAF Global Configuration > Global Parameter Configuration page.

Other configuration

Log Aggregation: The system merges multiple logs that hit the same protection rule of the specified subtype based on the Merge Cycle and then outputs a new web security log.
We recommend that you disable this function in network protect action mode. When you configure the network protect action mode for the first time, the status of this function is displayed as the same as the current status of the Log Aggregation function of Web Security Log on the Monitor > Log > Log Management page.

Network Protect Security Policy: Displays the security policy "policy_emergency" of the network protect action mode.
No Web Attack Log: Select the check box. The system will automatically generate the user-defined rule "none_web_attack_capture" and bind the rule to the network protect security policy. The rule is used to record non-web attack traffic in web security logs, help you trace and analyze logs during network protection, and detect attacks that are not detected by the security device. When you disable the network protect action mode, the system automatically deletes the "none_web_attack_capture" rule.

Site: Specifies the site for which you want to configure the network protect action mode. By default, Any or a site to which "policy_emergency" is bound is selected. To configure network protect action mode for a site, click "+" and select the required site in the Site panel. If the site has already referenced other security policies (such as policy_normal), the network protect security policy is automatically referenced when you add the site to the network protect action mode. When you disable the network protect action mode or cancel a site in the network protect action mode, the security policy of the site will be recovered.

In Protection Rule Database Upgrade section, configure the following options.

Option Description

Current Ver- Displays the current version of the protection rule data-

sion base.

Auto Update Click the button to enable the Auto Update function.
Select the update frequency, which can be Every Hour or
a fixed point in time every day or every week. The sys-
tem will update the protection rule database according to
the schedule.

3. Click Next to move on to the Site Selection section.

In the Site Selection section, configure the following option.

Site: Specifies the sites that need to be comprehensively protected. Related configurations (Security Policy and Web Access Log) of the sites selected in this step will be modified in the next step. The default value is Any or blank. Any means implementing Network Protect Action for all sites. Click + to go to the Site pop-up and select the sites.
  Notes:
  - Any means there are fewer than 200 sites. Blank means there are more than 200 sites.
  - When this field is blank, you need to select sites. You can select up to 200 sites.

4. Click Next to move on to the Configuration section.

In the Configuration section, configure the following options.

Security Policy: Specifies a security policy for the selected sites. During network protection, the security policy policy_normal is recommended. If false positives are acceptable, you can use policy_strict.

Web Access Log: Click the button to enable Web Access Log. The function is enabled by default.

5. Click OK.

After the network protect action mode is enabled, you can perform the following operations:

- Use Recommended Configurations: On the Network Protect Action Setting page, click Use Recommended Configurations and then OK to directly use the system-recommended network protect action mode configurations. We recommend that you set the Auto Update of the protection rule database upgrade to Every Hour, disable the Engine Detection Timeout Permit, Enable Fail-open, and Log Aggregation functions, and select the No Web Attack Log check box.

- To disable the network protect action mode, use one of the following methods. After you disable the mode, all related configurations are restored to their state before the network protect action mode was enabled.

  - Click Restore Configuration in the lower part.

  - Turn off the switch next to Network Protect Action Setting and click OK in the lower part.

Black List
The system allows you to add client IP addresses and URLs to the blacklist for blocking. The blacklist includes:

- Client IP Blacklist

- URL Blacklist

Client IP Blacklist
The system allows you to add client IP addresses to the blacklist for blocking. The system can identify IPv4 and IPv6 blacklists.
Client IP blacklist entries can not only be added on the blacklist page but also be generated based on security policies (except the Information Leakage and HTTP Only rules), IP protection policies, API protection policies, auto-learning policies, and web security logs. When traffic that matches those rules or policies accesses the site, the client IP address of the traffic is blacklisted, so the IP address cannot access the current site next time.
The client IP blacklist has two categories: global client IP blacklist and site-specific client IP blacklist. The global client IP blacklist applies to all sites, while a site-specific client IP blacklist only applies to the specified site. If a client IP address is blacklisted, traffic from that client IP address does not need to match security policies, and its access to the current site is denied by the system.

Notes:

- The priority of filtering the traffic by whitelists and blacklists: Global Whitelist > Site Whitelist > Global Client IP Blacklist > Site Client IP Blacklist > Site URL Blacklist. Once the traffic matches an item in a list, the system processes the traffic without further matching.

- When you add, modify, or delete a blacklist, the corresponding webpage event logs are generated.

- After a device reboot, the system only retains permanently blocked blacklist entries.

To configure a client IP blacklist, take the following steps:

1. Select Policy > Black List > Client IP. On the Client IP page, click New.

2. On the IP Blacklist Configuration page, configure the following options:

Site: Specifies the site from the drop-down list. * Global Site indicates that the blacklist applies to all sites.

Type: Select the type of IP address. Valid values: IP Address, IP Range, and IP/Netmask(Prefix).

Client IP: Based on the value of the Type parameter, enter one or more IP addresses, IP ranges, or IP addresses with subnet masks. Each item should occupy a line. During the blocking period, traffic from the blacklisted client IP addresses does not need to match policies, and its access to the current site is denied.

Permanent Blocking: If you enable Permanent Blocking, the specified IP addresses are permanently denied access to the current site.

Block Time: This parameter is available if you do not enable Permanent Blocking. During the specified time period, the specified IP addresses are denied access to the current site.

Description: Enter the description of the blacklist as needed.

3. Click OK. The added client IP blacklist will be displayed in the client IP blacklist list.

Importing Client IP Blacklist

You can import blacklist files in CSV or TXT format.

To import a blacklist, take the following steps:

1. Select Policy > Black List > Client IP to go to the Client IP page.

2. Select the site from the Site drop-down list. * Global Site indicates that the client IP blacklist applies to all sites.

3. Click Import to go to the Import Blacklist panel.

4. On the Import Blacklist panel, configure the following options:

Upload File: Click Browse to upload the blacklist file. Currently, only CSV and TXT files are supported.

Permanent Blocking: If you enable Permanent Blocking, the specified IP addresses are permanently denied access to the current site.

Block Time: This parameter is available if you do not enable Permanent Blocking. During the specified time period, the specified IP addresses are denied access to the current site.

5. Click OK.

Exporting Blacklist

You can export the blacklist file in CSV format.

To export a blacklist, take the following steps:

1. Select Policy > Black List > Client IP to go to the Client IP page.

2. Select the site from the Site drop-down list. * Global Site indicates that the client IP blacklist applies to all sites.

3. Click Export.

Viewing Blacklist

You can add filter conditions to search for IP addresses that meet the filters. Filter conditions include Client IP, Permanent Blocking, Remain Block Period (minute), Block Reason, Source Country/Area, Total Attacks, and Description.

1. Select Policy > Black List > Client IP to go to the Client IP page.

2. Select the site from the Site drop-down list. * Global Site indicates that the client IP blacklist applies to all sites.

3. Click the filter icon to set filter conditions. The filtered items are displayed in the list below.

4. Repeat steps 1 to 3 to add more filter conditions. The logic between filter conditions is AND.

5. To remove a filter condition, click the icon behind it. To clear all filter conditions, click the icon at the end of the status bar.

Deleting Blacklist

You can delete the specified blacklist.

To delete a blacklist, take the following steps:

1. Select Policy > Black List > Client IP to go to the Client IP page.

2. Select the site from the Site drop-down list. * Global Site indicates that the client IP blacklist applies to all sites.

3. Select the blacklist entries you want to delete and click Delete.

URL Blacklist
The system allows you to add URLs to the blacklist for blocking.
URL blacklist entries can only be added on the blacklist page. In addition, URL blacklists can only be configured for specified sites. When a specified URL is on the blacklist, the system directly denies client requests to access that URL.

Notes:

- The priority of filtering the traffic by whitelists and blacklists: Global Whitelist > Site Whitelist > Global Client IP Blacklist > Site Client IP Blacklist > Site URL Blacklist. Once the traffic matches an item in a list, the system processes the traffic without further matching.

- Domain names are not matched when traffic is matched against the URL blacklist.

- When you add, modify, or delete a blacklist, the corresponding webpage event logs are generated.

- After a device reboot, the system only retains permanently blocked blacklist entries.

To configure a URL blacklist, take the following steps:

1. Select Policy > Black List > URL.

2. On the URL page, click New.

3. Configure the following options:

Site: Specifies the site from the drop-down list.

URL: Enter the URL to be added to the blacklist.

Permanent Blocking: If you enable Permanent Blocking, requests to the specified URLs on the current site are permanently denied.

Block Time: This parameter is available if you do not enable Permanent Blocking. During the specified time period, requests to the specified URLs on the current site are denied.

Description: Enter the description of the blacklist as needed.

4. Click OK. The added URL blacklist will be displayed in the URL blacklist list.

You can also perform the following operations:

- Delete: On the URL blacklist page, select the URL blacklist that you want to delete and click Delete.

- Search: On the URL blacklist page, select a site and click Filter to add filter conditions. The URL blacklist entries that meet the filter conditions will be displayed. The filter conditions include URL, permanent blocking, remaining block period, total attacks, etc.

White List
For some trusted source IP addresses or specific public URL paths, you can add them to the White List. This way, for a request initiated by a host whose IP address is included in the whitelist, or a request to access a URL included in the whitelist, security policies except for content rewrite policies are skipped, and the request is forwarded to the site server. For a request that does not match an item in the whitelist, the device continues to perform blacklisting and additional filtering.
Whitelists are divided into domain/URL whitelists and client IP whitelists. The system can identify IPv4 and IPv6 whitelists. Client IP whitelists have two categories: global and site-specific. The global client IP whitelist applies to all sites, while a site-specific client IP whitelist only applies to the specified site.
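
As an added illustration (example code written for this guide, not the WAF product's own implementation), the following Python walks a request through the global and site whitelists and blacklists in the priority order given in the notes above, covering IP Address, IP Range and IP/Netmask(Prefix) entries for both IPv4 and IPv6, temporary versus permanent blocking, and a URL blacklist that ignores the domain. The site names, addresses and URLs are constructed; modelling Match Whole Word as exact string equality and Match Regular Expression as a full-string regex match is an assumption.

```python
import ipaddress
import re
from dataclasses import dataclass

GLOBAL_SITE = "* Global Site"   # scope label the guide uses for entries that apply to all sites


def parse_ip_member(text):
    """Parse one line of a Client IP field: a single address, a start-end IP range,
    or IPv4/Netmask and IPv6/Prefix notation. Returns a tuple read by member_contains()."""
    text = text.strip()
    if "-" in text:
        start, end = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if start.version != end.version or start > end:
            raise ValueError(f"invalid IP range: {text}")
        return ("range", start, end)
    return ("net", ipaddress.ip_network(text, strict=False))  # a bare address becomes /32 or /128


def member_contains(member, ip):
    """True when ip falls inside a parsed member; IPv4 and IPv6 entries never match each other."""
    if member[0] == "range":
        _, start, end = member
        return ip.version == start.version and start <= ip <= end
    net = member[1]
    return ip.version == net.version and ip in net


@dataclass
class IpEntry:
    """A Client IP whitelist or blacklist entry for one site (or GLOBAL_SITE)."""
    site: str
    members: list                 # output of parse_ip_member()
    permanent: bool = True        # Permanent Blocking; whitelist entries are always permanent
    expires_at: float = 0.0       # end of the Block Time (epoch seconds) when permanent is False

    def matches(self, scope, ip, now):
        active = self.permanent or now < self.expires_at
        return self.site == scope and active and any(member_contains(m, ip) for m in self.members)


@dataclass
class UrlEntry:
    """A Domain/URL whitelist entry or a URL blacklist entry; both are site-specific."""
    site: str
    url: str = ""                 # empty: the entry does not match on URL (Matching Domain only)
    domain: str = ""              # empty: the entry does not match on domain (URL blacklist)
    regex: bool = False           # Match Regular Expression instead of Match Whole Word (assumed)
    permanent: bool = True
    expires_at: float = 0.0

    def _match(self, pattern, value):
        return bool(re.fullmatch(pattern, value)) if self.regex else pattern == value

    def matches(self, scope, host, path, now):
        active = self.permanent or now < self.expires_at
        if self.site != scope or not active:
            return False
        if self.domain and not self._match(self.domain, host):
            return False
        return not self.url or self._match(self.url, path)   # Domain and URL requires both


def evaluate(site, client_ip, host, path, lists, now):
    """Return (verdict, list_name) for one request, walking the lists in the documented order.
    "skip": whitelisted, security policies other than content rewrite are bypassed;
    "deny": blacklisted; "inspect": no list hit, the request continues to security policies."""
    ip = ipaddress.ip_address(client_ip)

    def ip_hit(entries, scope):
        return any(e.matches(scope, ip, now) for e in entries)

    def url_hit(entries, scope):
        return any(e.matches(scope, host, path, now) for e in entries)

    if ip_hit(lists["ip_whitelist"], GLOBAL_SITE):
        return ("skip", "Global Whitelist")
    if ip_hit(lists["ip_whitelist"], site) or url_hit(lists["url_whitelist"], site):
        return ("skip", "Site Whitelist")
    if ip_hit(lists["ip_blacklist"], GLOBAL_SITE):
        return ("deny", "Global Client IP Blacklist")
    if ip_hit(lists["ip_blacklist"], site):
        return ("deny", "Site Client IP Blacklist")
    if url_hit(lists["url_blacklist"], site):       # the domain is not consulted for this list
        return ("deny", "Site URL Blacklist")
    return ("inspect", None)


# Constructed sample configuration (site names and addresses are made up for this example).
SAMPLE_LISTS = {
    "ip_whitelist": [IpEntry(GLOBAL_SITE, [parse_ip_member("10.1.1.0/24")]),
                     IpEntry("shop", [parse_ip_member("2001:db8::1-2001:db8::ff")])],
    "url_whitelist": [UrlEntry("shop", url="/static/.*", domain="www.example.com", regex=True)],
    "ip_blacklist": [IpEntry(GLOBAL_SITE, [parse_ip_member("203.0.113.7")]),
                     IpEntry("shop", [parse_ip_member("10.1.1.5")]),
                     IpEntry("shop", [parse_ip_member("198.51.100.0/24")],
                             permanent=False, expires_at=1000.0)],
    "url_blacklist": [UrlEntry("shop", url="/admin/setup")],
}
```

A host that is both globally whitelisted and site-blacklisted (10.1.1.5 above) is skipped by the global whitelist because that list is consulted first, and a temporary block stops matching once its Block Time has elapsed.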

Client IP Whitelist
To configure a client IP whitelist, take the following steps:

1. Select Policy > White List > Client IP.

2. Click New to go to the Client IP Whitelist Configuration page.

3. Configure the following options:

Site: Specifies the site from the drop-down list. * Global Site indicates that the client IP whitelist applies to all sites.

Type: Select the type of IP address. Valid values: IP Address, IP Range, and IP/Netmask(Prefix).

Client IP: Based on the value of the Type parameter, enter one or more IP addresses, IP ranges, or IP addresses with subnet masks. Each item should occupy a line. The system allows these IP addresses to access the current site.

Schedule: When Type is set to IP Address, you can select an existing schedule from the Schedule drop-down list or create a schedule. When a schedule is referenced, the client IP whitelist is only effective while the schedule is active. If no schedule is referenced, the client IP whitelist is effective permanently. To view the status of the schedule, go to the Object > Schedule page.
  Note: If multiple client IP whitelist entries with the same client IP are configured with different schedules, the system follows the most recently configured entry. For example, for the site 'test', if a client IP whitelist entry with client IP 10.10.10.1 and schedule 'time1' is added, and then a whitelist entry with client IP 10.10.10.1 and schedule 'time2' is added, the system follows the latter whitelist entry.

Description: Enter the description of the whitelist as needed.

4. Click OK.

You can also perform the following operation on the whitelist:

- Delete: Select the items you want to delete and click Delete.

IP Search

You can query whether an IP address is contained in the whitelist.

To query an IP address, take the following steps:

1. Select Policy > White List > Client IP.

2. Click IP Search to go to the IP Search page.

3. Enter the IP address and click Query.

4. The query result is displayed in the Search Result field.

Domain/URL Whitelist
To configure a domain/URL whitelist, take the following steps:

1. Select Policy > White List > Domain/URL.

2. Click New to go to the URL Whitelist Configuration page.

3. Configure the following options:

Site: Specifies the site from the drop-down list.

Matching Pattern: Includes Match Whole Word and Match Regular Expression.

Matching Object: Includes Matching Domain, Matching URL, and Matching Domain and URL. If you set the Matching Object parameter to Matching Domain and URL, only traffic that matches both the specified domain and the specified URL is whitelisted.

Domain: Enter the domain to be matched.

URL: Enter the URL to be matched.

Description: Enter the description of the whitelist as needed.

4. Click OK.

You can also perform the following operation on the whitelist:

- Delete: Select the items you want to delete and click Delete.

Domain/URL Search

You can query whether a domain/URL is contained in the whitelist.

To query a domain/URL, take the following steps:

1. Select Policy > White List > Domain/URL.

2. Click Domain/URL Search to go to the Domain/URL Search page.

3. Enter the domain/URL and click Query.

4. The query result is displayed in the Search Result field.

Configuring a Rule Exception
Rule exceptions are a set of exception items. Traffic matching a rule exception is exempted from the rule but is still filtered by the access control policy, other security policy rules, the auto-learning policy, and the content rewriting policy. Rule exceptions can be created from Web security logs or manually.
There are two types of rule exceptions: the global rule exception and the site rule exception. The former applies to all sites while the latter only applies to the selected site. The filtering order of the two types is global rule exception > site rule exception. Once the traffic matches a global rule exception, it is exempted from the rule and is not matched against the site rule exceptions.
To add a rule exception, take the following steps:

1. Select Policy > Rule Exception.

2. Select the site that you want to add a rule exception to from the Site drop-down list. *
Global Site indicates global rule exception.

3. Click New. On the Rule Exception Configuration panel, configure the following options:

Subtype: Select the subtype of the protection rule to be added to the rule exception from the drop-down list.

Illegal Upload: Select File Content Check or File Extension Check of illegal upload that you want to add to the rule exception. This parameter is available if the Subtype parameter is set to Illegal Upload.

Rule Name: Click + to select the name of the protection rule subtype to be added to the rule exception. If you add multiple rule names, the system generates a rule exception for each rule name, and these rule exceptions share the same configuration.

Exception Source IP: Click New to add an exception source IP item. Access requests from the source IP address are not restricted by the specified protection rule. To specify an exception source IP, you can enter an IP address, IP range, IPv4/Netmask, or IPv6/Prefix. If you enter an IP range, connect the start IP address and the end IP address with a hyphen (-). Click New to add multiple exception source IP items. To delete an exception source IP item, select it and click Delete. The maximum number of Exception Source IP items supported by the system varies with devices.

Exception URL: Select the matching mode from the drop-down list. Click New and enter the URL/path/regex to specify an exception URL item. The system supports six matching modes, which are Equal To, Not Equal To, Match Regex, Not Match Regex, Match Path, and Not Match Path. Click New to add multiple matching text items, such as "/path/index.html". To delete a matching text item, select it and click Delete. The maximum number of Exception URL items supported by the system varies with devices.
  Notes:
  - When the matching mode is Match Regex, Equal To, or Match Path, access requests that match the regex/URL/path are not restricted by the specified protection rule.
  - When the matching mode is Not Match Regex, Not Equal To, or Not Match Path, access requests that do not match the regex/URL/path are not restricted by the specified protection rule.

HTTP Header Exception: Select the matching mode from the drop-down list. Click New and enter the header name and header value to specify an HTTP header exception item. The system supports four matching modes, which are Equal To, Not Equal To, Match Regex, and Not Match Regex. For Header Name, you can enter 1 to 255 characters. For Header Value, the default value is Any. Click New to add multiple HTTP header exception items. To delete a header exception item, select it and click Delete. The maximum number of HTTP Header Exception items supported by the system varies with devices.
  Notes:
  - When the matching mode is Match Regex or Equal To, access requests whose HTTP header matches are not restricted by the specified protection rule.
  - When the matching mode is Not Match Regex or Not Equal To, access requests whose HTTP header does not match are not restricted by the specified protection rule.

Request Line Parameter Exception: Select the matching mode from the drop-down list. Click New and enter the parameter name and parameter value to specify a request line parameter exception item. The system supports four matching modes, which are Equal To, Not Equal To, Match Regex, and Not Match Regex. For Parameter Name, you can enter 1 to 255 characters. For Parameter Value, the default value is Any. Click New to add multiple request line parameter exception items. To delete a request line parameter exception item, select it and click Delete. The maximum number of Request Line Parameter Exception items supported by the system varies with devices.
  Notes:
  - When the matching mode is Match Regex or Equal To, access requests whose request line parameter matches are not restricted by the specified protection rule.
  - When the matching mode is Not Match Regex or Not Equal To, access requests whose request line parameter does not match are not restricted by the specified protection rule.

Request Body Exception: Select the matching mode from the drop-down list. Click New and enter the matching text to specify a request body exception item. The system supports four matching modes, which are Equal To, Not Equal To, Match Regex, and Not Match Regex. Click New to add multiple matching text items. To delete a matching text item, select it and click Delete. The maximum number of Request Body Exception items supported by the system varies with devices.
  Notes:
  - When the matching mode is Match Regex or Equal To, access requests whose request body matches are not restricted by the specified protection rule.
  - When the matching mode is Not Match Regex or Not Equal To, access requests whose request body does not match are not restricted by the specified protection rule.

4. Click OK.

Notes:
- Different exception conditions are in the AND logical relation. The rule exception takes effect only when all of its exception conditions are met. For example, when Exception Source IP, Exception URL, and Request Line Parameter Exception are all configured, the traffic is exempted from the protection rule only when it matches all three exception conditions.

- Logical operator among different items of the same exception condition: If the matching mode is set to Match Regex/Match Path/Equal To, the logical operator among the items of this exception condition is OR, which indicates that the exception condition is met when one of its items is matched. If the matching mode is set to Not Match Regex/Not Match Path/Not Equal To, the logical operator among the items of this exception condition is AND, which indicates that the exception condition is met only when all of its items are matched.

- Rule exceptions configured in WAF 3.0 or earlier versions are automatically upgraded when the system is upgraded to WAF 3.1 or later, and the default matching mode of Exception URL is Match Regex.
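
The AND/OR logic in the notes above, worked as an added Python example (not the WAF's own code): each exception condition is evaluated against a request, conditions are AND-ed, items inside a condition are OR-ed for Equal To/Match Regex/Match Path and AND-ed for the Not variants, and global rule exceptions are consulted before site rule exceptions. Rule names, addresses and paths are constructed; the exact meaning of Match Path and the treatment of an absent header or parameter are assumptions noted in the comments.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

GLOBAL_SITE = "* Global Site"
POSITIVE_MODES = {"Equal To", "Match Regex", "Match Path"}
NEGATIVE_MODES = {"Not Equal To", "Not Match Regex", "Not Match Path"}

def _positive_hit(mode, pattern, value):
    """Test one item in the positive sense of its mode; "Not ..." is handled by the caller.
    Match Path is assumed here to mean 'value equals the path or lies below it'."""
    base = mode[4:] if mode.startswith("Not ") else mode
    if base == "Equal To":
        return value == pattern
    if base == "Match Regex":
        return re.search(pattern, value) is not None
    if base == "Match Path":
        return value == pattern or value.startswith(pattern.rstrip("/") + "/")
    raise ValueError(f"unknown matching mode: {mode}")

def _ip_in(spec, ip):
    """Exception Source IP item: a single address, a start-end range, or IP/Netmask(Prefix)."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        return lo.version == ip.version and lo <= ip <= hi
    net = ipaddress.ip_network(spec.strip(), strict=False)
    return net.version == ip.version and ip in net

@dataclass
class Condition:
    """A matching mode plus its items. Items are strings for Exception URL and Request Body
    Exception, or (name, value) pairs for HTTP Header and Request Line Parameter exceptions,
    where the value "Any" accepts every value of that header or parameter."""
    mode: str
    items: list

    def met(self, request_value):
        hits = [self._item_hit(item, request_value) for item in self.items]
        if self.mode in POSITIVE_MODES:   # items are OR-ed: one matching item is enough
            return any(hits)
        if self.mode in NEGATIVE_MODES:   # items are AND-ed: the request must differ from all
            return not any(hits)
        raise ValueError(f"unknown matching mode: {self.mode}")

    def _item_hit(self, item, request_value):
        if isinstance(item, tuple):       # request_value is a dict keyed by lower-cased name
            name, wanted = item
            actual = request_value.get(name.lower())
            if actual is None:            # assumption: an absent header/parameter never hits
                return False
            return wanted == "Any" or _positive_hit(self.mode, wanted, actual)
        return _positive_hit(self.mode, item, request_value)

@dataclass
class RuleException:
    site: str                                       # GLOBAL_SITE or the name of one site
    rule_names: frozenset                           # protection rules this exception covers
    source_ips: list = field(default_factory=list)
    conditions: dict = field(default_factory=dict)  # keys: "url", "header", "parameter", "body"

    def exempts(self, request):
        """All configured exception conditions are AND-ed; unconfigured ones are ignored."""
        parts = urlsplit(request["url"])
        values = {"url": parts.path,
                  "header": {k.lower(): v for k, v in request.get("headers", {}).items()},
                  "parameter": {k.lower(): v for k, v in parse_qsl(parts.query)},
                  "body": request.get("body", "")}
        checks = [cond.met(values[kind]) for kind, cond in self.conditions.items() if cond.items]
        if self.source_ips:
            ip = ipaddress.ip_address(request["src_ip"])
            checks.append(any(_ip_in(spec, ip) for spec in self.source_ips))
        return bool(checks) and all(checks)

def exempted_rules(request, site, exceptions, candidate_rules):
    """Rules in candidate_rules the request is exempt from. Global rule exceptions are consulted
    first; a rule already exempted globally is not matched against the site rule exceptions."""
    exempt = set()
    for scope in (GLOBAL_SITE, site):
        for exc in exceptions:
            remaining = (set(candidate_rules) & exc.rule_names) - exempt
            if exc.site == scope and remaining and exc.exempts(request):
                exempt |= remaining
    return exempt

# Constructed sample configuration with made-up rule names, not taken from any real deployment.
SAMPLE_EXCEPTIONS = [
    RuleException(GLOBAL_SITE, frozenset({"sqli_generic"}),
                  source_ips=["10.0.0.0/8", "2001:db8::1-2001:db8::ff"],
                  conditions={"url": Condition("Match Path", ["/api/report"]),
                              "header": Condition("Equal To", [("X-Internal-Job", "Any")])}),
    RuleException("portal", frozenset({"xss_reflected"}),
                  conditions={"url": Condition("Equal To", ["/feedback"]),
                              "body": Condition("Not Match Regex", [r"<\s*script", r"javascript:"])}),
]
```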

You can also perform the following actions:

- On the Rule Exception list, click + in front of the rule exception to view its details. Click New below the selected rule exception to add more items. Different items of the same rule exception are in the OR logical relation, which indicates that the rule exception will be met when any item is matched.

- Select Monitor > Log > Web Security Log > Log. On the Web Security Log page, select a log and click Add to Rule Exception to add the rules that are involved in the log to the rule exception.

- Select Site > Web Site. On the Web Site page, select a site and click Rule Exception to go to the Rule Exception Configuration panel.

- To delete a rule exception, select it and click Delete.

- To filter rule exceptions, click Filter to select the filter conditions from the drop-down list.

Threat Prevention
With the threat prevention function, the device can detect and block network threats. By configuring the threat prevention function, the Hillstone device can defend the network against external attacks, reducing losses to the internal network.
Threat prevention includes:

- Attack Defense: Detects various types of network attacks and takes appropriate actions to protect the Intranet against malicious attacks, thus assuring the normal operation of the Intranet and systems.

The system supports the configuration of Threat Prevention based on security zones:

- If a security zone is configured with the threat prevention function, the system performs detection on the traffic destined to the binding zone specified in the rule, and then takes actions according to your configuration.

Attack-Defense
There are various inevitable attacks in networks, such as compromise or sabotage of servers, sensitive data theft, service intervention, or even direct network device sabotage that causes service anomaly or interruption. Security gateways, a category of network security devices, must be designed with attack defense functions to detect various types of network attacks and take appropriate actions to protect the Intranet against malicious attacks, thus assuring the normal operation of the Intranet and systems.
Devices provide attack defense functions based on security zones, and can take appropriate actions against network attacks to assure the security of your network systems.

ICMP Flood and UDP Flood

An ICMP Flood/UDP Flood attack sends a huge amount of ICMP messages (such as ping)/UDP packets to a target within a short period and requests responses. Due to the heavy load, the attacked target cannot complete its normal transmission tasks.

ARP Spoofing
A LAN transmits network traffic based on MAC addresses. ARP spoofing launches attacks by filling in a wrong MAC address and IP address to create an incorrect mapping in the target host's ARP cache table. This causes IP packets to be delivered to the wrong destination host, makes the target network unreachable, and allows packets to be intercepted.

SYN Flood
Due to resource limitations, a server only permits a certain number of TCP connections. SYN Flood makes use of this weakness. During the attack an attacker crafts a SYN packet, sets its source address to a forged or non-existent address, and initiates a connection to a server. Typically the server should reply to the SYN packet with SYN-ACK, but for such a carefully crafted SYN packet, the client never sends an ACK for the SYN-ACK packet, leaving a half-open connection. The attacker can send a large amount of such packets to the attacked host and establish an equally large number of half-open connections until timeout. As a result, resources are exhausted and normal access is blocked. In an environment with unlimited connections, SYN Flood will exhaust all the available memory and other resources of the system.

WinNuke Attack
A WinNuke attack sends OOB (out-of-band) packets to the NetBIOS port (139) of a Windows
system, leading to NetBIOS fragment overlap and host crash. Another attacking vector is ICMP
fragment. Generally an ICMP packet will not be fragmented; so many systems cannot properly pro-
cess ICMP fragments. If your system receives any ICMP fragment, it's almost certain that the sys-
tem is under attack.

IP Address Spoofing
IP address spoofing is a technique used to gain unauthorized access to computers. An attacker sends packets with a forged IP address to a computer, and the packets are disguised as if they were from a real host. For applications that implement validation based on IP addresses, such an attack allows unauthorized users to gain access to the attacked system. The attacked system might be compromised even if the response packets cannot reach the attacker.

IP Address Sweep and Port Scan

This kind of attack performs reconnaissance of the destination address and port via scanners, and determines their existence from the response. By IP address sweep or port scan, an attacker can determine which systems are alive and connected to the target network, and which ports are used by the hosts to provide services.

Ping of Death Attack

Ping of Death is designed to attack systems with over-sized ICMP packets. The length field of an IP packet is 16 bits, which means the max length of an IP packet is 65535 bytes. For an ICMP response packet, if the data length is larger than 65507 bytes, the total length of ICMP data, IP header (20 bytes) and ICMP header (8 bytes) will be larger than 65535 bytes. Some routers or systems cannot properly process such a packet, which might result in a crash, system down or reboot.

Teardrop Attack
A Teardrop attack is a denial of service attack based on malformed fragmented UDP packets. It works by sending multiple fragmented IP packets to the victim (IP fragments carry information such as which datagram the fragment belongs to and where it is located within it), and some operating systems will crash or reboot when receiving forged fragments containing overlapping offsets.

Smurf Attack
Smurf attacks consist of two types: basic attack and advanced attack. A basic Smurf attack is used
to attack a network by setting the destination address of ICMP ECHO packets to the broadcast
address of the attacked network. In such a condition all the hosts within the network will send
their own response to the ICMP request, leading to network congestion. An advanced Smurf
attack is mainly used to attack a target host by setting the source address of ICMP ECHO packets
to the address of the attacked host, eventually leading to host crash. Theoretically, the more hosts
in a network, the better the attacking effect will be.

Fraggle Attack
A Fraggle attack is basically the same as a Smurf attack. The only difference is that the attacking vector of Fraggle is UDP packets.

Land Attack
During a Land attack, an attacker carefully crafts a packet and sets both its source and destination address to the address of the server that will be attacked. In such a condition the attacked server sends a message to its own address, and this address also returns a response and establishes a null connection. Each such connection is maintained until timeout. Many servers will crash under Land attacks.

IP Fragment Attack
An attacker sends the victim an IP packet with an offset smaller than 5 but greater than 0, which causes the victim to malfunction or crash.

IP Option Attack
An attacker sends IP packets in which the IP options are abnormal. This attack intends to probe the network topology. The target system will break down if it is incapable of processing erroneous packets.

Huge ICMP Packet Attack
An attacker sends large ICMP packets to crash the victim. Large ICMP packets can cause memory allocation errors and crash the protocol stack.

TCP Flag Attack
An attacker sends packets with defective TCP flags to probe the operating system of the target host. Different operating systems process unconventional TCP flags differently. The target system will break down if it processes this type of packet incorrectly.

DNS Query Flood Attack
The DNS server processes and replies to all DNS queries that it receives. A DNS flood attacker sends a large number of forged DNS queries. This attack consumes the bandwidth and resources of the DNS server, which prevents the server from processing and replying to legitimate DNS queries.

TCP Split Handshake Attack
When a client establishes a TCP connection with a malicious TCP server, the TCP server responds with a fake SYN packet and uses this fake packet to initialize the TCP connection with the client. After establishing the TCP connection, the malicious TCP server switches its role and becomes the client side of the TCP connection. Thus, malicious traffic might enter the intranet.

Notes: IPv6 protocol is not supported for the attack-defense function.
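
The packet-level patterns described in this section, as an added Python example of the header checks a defender can run over captured packets (not the device's detection engine): Land (source equals destination), Ping of Death (ICMP data over 65507 bytes), IP Fragment (offset between 0 and 5), WinNuke (OOB/URG to port 139), Smurf and Fraggle (echo or UDP to a broadcast address) and Teardrop (overlapping fragment offsets). The packets and broadcast address are constructed, and the TCP flag combinations treated as defective are an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass

IP_MAX_TOTAL_LEN = 65535      # the IP total-length field is 16 bits wide
IP_HEADER_LEN = 20
ICMP_HEADER_LEN = 8
NETBIOS_SESSION_PORT = 139
ICMP_ECHO_REQUEST = 8


@dataclass
class Packet:
    """Simplified view of the header fields the checks need (constructed for this example)."""
    src: str
    dst: str
    proto: str                      # "icmp", "udp" or "tcp"
    payload_len: int = 0            # bytes after the IP header (and, for ICMP, the ICMP header)
    frag_id: int = 0                # IP identification, shared by the fragments of one datagram
    frag_offset: int = 0            # IP fragment offset field, in 8-byte units
    dst_port: int = 0
    tcp_flags: frozenset = frozenset()
    icmp_type: int = -1


def detect_anomalies(pkt, broadcast_addrs=frozenset()):
    """Return the names of the attack patterns from this section that one packet exhibits.
    broadcast_addrs holds the protected networks' broadcast addresses (for Smurf/Fraggle)."""
    found = set()
    if pkt.src == pkt.dst:
        found.add("Land Attack")
    if 0 < pkt.frag_offset < 5:
        found.add("IP Fragment Attack")
    if pkt.proto == "icmp":
        total = IP_HEADER_LEN + ICMP_HEADER_LEN + pkt.payload_len
        if total > IP_MAX_TOTAL_LEN:           # ICMP data above 65507 bytes cannot fit a legal IP packet
            found.add("Ping of Death")
        if pkt.icmp_type == ICMP_ECHO_REQUEST and pkt.dst in broadcast_addrs:
            found.add("Smurf Attack")
        if pkt.frag_offset > 0:                # ICMP is normally never fragmented
            found.add("ICMP Fragment")
    if pkt.proto == "udp" and pkt.dst in broadcast_addrs:
        found.add("Fraggle Attack")
    if pkt.proto == "tcp":
        if pkt.dst_port == NETBIOS_SESSION_PORT and "URG" in pkt.tcp_flags:
            found.add("WinNuke Attack")
        # Assumed examples of defective flag combinations: no flags at all, or SYN with FIN.
        if not pkt.tcp_flags or {"SYN", "FIN"} <= pkt.tcp_flags:
            found.add("TCP Flag Attack")
    return found


def detect_teardrop(fragments):
    """Group fragments by datagram and return the (src, dst, id) keys whose fragments overlap."""
    by_datagram = defaultdict(list)
    for f in fragments:
        start = f.frag_offset * 8
        by_datagram[(f.src, f.dst, f.frag_id)].append((start, start + f.payload_len))
    overlapping = set()
    for key, spans in by_datagram.items():
        spans.sort()
        for (_, prev_end), (start, _) in zip(spans, spans[1:]):
            if start < prev_end:               # this fragment begins inside the previous one
                overlapping.add(key)
                break
    return overlapping


# Constructed sample traffic; addresses are documentation ranges, not real hosts.
SAMPLE_BROADCASTS = frozenset({"192.0.2.255"})
SAMPLE_PACKETS = {
    "land": Packet("192.0.2.10", "192.0.2.10", "tcp", dst_port=80, tcp_flags=frozenset({"SYN"})),
    "pod": Packet("198.51.100.7", "192.0.2.10", "icmp", payload_len=65508, icmp_type=ICMP_ECHO_REQUEST),
    "smurf": Packet("192.0.2.10", "192.0.2.255", "icmp", payload_len=56, icmp_type=ICMP_ECHO_REQUEST),
    "winnuke": Packet("198.51.100.7", "192.0.2.10", "tcp", dst_port=139, tcp_flags=frozenset({"ACK", "URG"})),
    "normal": Packet("198.51.100.7", "192.0.2.10", "tcp", dst_port=443, tcp_flags=frozenset({"SYN"})),
}
SAMPLE_TEARDROP = [
    Packet("198.51.100.7", "192.0.2.10", "udp", payload_len=48, frag_id=7, frag_offset=0),
    Packet("198.51.100.7", "192.0.2.10", "udp", payload_len=32, frag_id=7, frag_offset=5),  # starts at byte 40
]
```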

Configuring Attack Defense
To configure the Attack Defense based on security zones:

1. Create a zone. For more information about how to create, refer to Security Zone.

2. On the Zone Configuration page, expand Threat Protection.

3. Enable Attack Defense and click Configure.

On the Attack Defense panel, configure the following options:

Option Description

Whitelist
    IP address or IP range in the whitelist is exempt from the attack defense check. Click Configure.
    • Type - Specifies the Type as Source or Destination.
    • Content Type - Specifies the content type to be added to the whitelist. If IP/Netmask is selected, enter the IP address and netmask to be added to the whitelist in the Member field. If Address Entry is selected, select the address entry to be added to the whitelist from the Member drop-down list.

Enable All
    Enables all the Attack Defense functions for the security zone.

Action
    Specifies an action for all the Attack Defense functions, i.e., the defense measure the system will take if any attack has been detected.
    • Drop - Drops packets. This is the default action.
    • Alarm - Issues an alarm but still permits packets to pass through.

Flood Attack Defense
    Click the button to expand the information of all flood attack defenses. Select the Flood Attack Defense check box to enable all flood attack defenses.
    ICMP flood: Click this button to enable ICMP flood defense for the security zone.
    • Threshold - Specifies a threshold for inbound ICMP packets. If the number of inbound ICMP packets destined to one single IP address per second exceeds the threshold, the system will identify the traffic as an ICMP flood and take the specified action. The value range is 1 to 50000. The default value is 1500.
    • Action - Specifies an action for ICMP flood attacks. If the default action Drop is selected, the system will only permit the specified number (threshold) of ICMP packets to pass through during the current and the next second, and also issues an alarm. All the excessive packets of the same type will be dropped during this period.
    UDP flood: Click this button to enable UDP flood defense for the security zone.
    • Src threshold - Specifies a threshold for outbound UDP packets. If the number of outbound UDP packets originating from one single source IP address per second exceeds the threshold, the system will identify the traffic as a UDP flood and take the specified action. The value range is 1 to 50000. The default value is 1500.
    • Dst threshold - Specifies a threshold for inbound UDP packets. If the number of inbound UDP packets destined to one single port of one single destination IP address per second exceeds the threshold, the system will identify the traffic as a UDP flood and take the specified action. The value range is 1 to 50000. The default value is 1500.
    • Action - Specifies an action for UDP flood attacks. If the default action Drop is selected, the system will only permit the specified number (threshold) of UDP packets to pass through during the current and the next second, and also give an alarm. All the excessive packets of the same type will be dropped during this period.
    • Session State Check - Click the button to enable the session state check. After the function is enabled, the system will not check for UDP flood attacks in the backward traffic of UDP packets belonging to already identified sessions.
    DNS Query Flood: Click this button to enable DNS query flood defense for the security zone.
    • Src threshold - Specifies a threshold for outbound DNS query packets. If the number of outbound DNS query packets originating from one single IP address per second exceeds the threshold, the system will identify the traffic as a DNS query flood and take the specified action.
    • Dst threshold - Specifies a threshold for inbound DNS query packets. If the number of inbound DNS query packets matched to one single IP address per second exceeds the threshold, the system will identify the traffic as a DNS query flood and take the specified action.
    • Action - Specifies an action for DNS query flood attacks. If the default action Drop is selected, the system will only permit the specified number (threshold) of DNS query packets to pass through during the current and next second, and also give an alarm. All the excessive packets of the same type will be dropped during this period. If Alarm is selected, the system will give an alarm but still permit the DNS query packets to pass through.
    Recursive DNS Query Flood: Click this button to enable recursive DNS query flood defense for the security zone.
    • Src threshold - Specifies a threshold for outbound recursive DNS query packets. If the number of outbound recursive DNS query packets originating from one single IP address per second exceeds the threshold, the system will identify the traffic as a recursive DNS query flood and take the specified action.
    • Dst threshold - Specifies a threshold for inbound recursive DNS query packets. If the number of inbound recursive DNS query packets destined to one single IP address per second exceeds the threshold, the system will identify the traffic as a recursive DNS query flood and take the specified action.
    • Action - Specifies an action for recursive DNS query flood attacks. If the default action Drop is selected, the system will only permit the specified number (threshold) of recursive DNS query packets to pass through during the current and next second, and also give an alarm. All the excessive packets of the same type will be dropped during this period. If Alarm is selected, the system will give an alarm but still permit the recursive DNS query packets to pass through.
    DNS Reply Flood: Click this button to enable DNS reply flood defense for the security zone.
    • Src threshold - Specifies a threshold for outbound DNS reply packets. If the number of outbound DNS reply packets originating from one single IP address per second exceeds the threshold, the system will identify the traffic as a DNS reply flood and take the specified action.
    • Dst threshold - Specifies a threshold for inbound DNS reply packets. If the number of inbound DNS reply packets matched to one single IP address per second exceeds the threshold, the system will identify the traffic as a DNS reply flood and take the specified action.
    • Action - Specifies an action for DNS reply flood attacks. If the default action Drop is selected, the system will only permit the specified number (threshold) of DNS reply packets to pass through during the current and next second, and also give an alarm. All the excessive packets of the same type will be dropped during this period. If Alarm is selected, the system will give an alarm but still permit the DNS reply packets to pass through.
    SYN flood: Click this button to enable SYN flood defense for the security zone.
    • Src threshold - Specifies a threshold for outbound SYN packets (ignoring the destination IP address and port number). If the number of outbound SYN packets originating from one single source IP address per second exceeds the threshold, the system will identify the traffic as a SYN flood. The value range is 0 to 50000. The default value is 1500. The value of 0 indicates the Src threshold is void.
    • Dst threshold - Specifies a threshold for inbound SYN packets destined to one single destination IP address per second.
        • IP-based - Click IP-based and then type a threshold value into the box behind it. If the number of inbound SYN packets destined to one single destination IP address per second exceeds the threshold, the system will identify the traffic as a SYN flood. The value range is 0 to 50000. The default value is 1500. The value of 0 indicates the Dst threshold is void.
        • Port-based - Click Port-based and then type a threshold value into the box behind it. If the number of inbound SYN packets destined to one single destination port of the destination IP address per second exceeds the threshold, the system will identify the traffic as a SYN flood. The value range is 1 to 50000. The default value is 1500. The value

ARP Spoofing
    Click the button to expand the information of the ARP spoofing. Select the ARP Spoofing check box to enable all ARP spoofing defenses.
    Max IP number per MAC: Click this button to enable Max IP number per MAC. Specifies whether the system will check the IP number per MAC in the ARP table. If the parameter is set to 0, the system will not check the IP number. If it is set to a value other than 0, the system will check the IP number, and if the IP number per MAC is larger than the parameter value, the system will take the specified action. The value range is 0 to 1024.
    ARP Send Rate: Click this button to enable ARP Send Rate. Specifies if the system will send gratuitous ARP packet(s). If the parameter is set to 0 (the default value), the system will not send any gratuitous ARP packet. If it is set to a value other than 0, the system will send gratuitous ARP packet(s), and the number sent per second is the specified parameter value. The value range is 0 to 10.
    Reverse Query: Click this button to enable Reverse Query. When the system receives an ARP request, it will log the IP address and reply with another ARP request; the system will then check whether any packet with a different MAC address is returned, or whether the MAC address of the returned packet is the same as that of the ARP request packet.

ND Spoofing
    Click the button to expand the information of the ND Spoofing.
    Max IP number per MAC: Click this button to enable the max IP number per MAC. Specifies whether the system will check the IP number per MAC in the ND table. The system will check the IP number, and if the IP number per MAC is larger than the parameter value, the system will take the specified action. The value range is 1 to 1024.
    ND Send Rate: Click this button to enable the ND send rate. Specifies if the system will send gratuitous ND packet(s). The system will send gratuitous ND packet(s), and the number sent per second is the specified parameter value. The value range is 1 to 10.
    Reverse Query: Click this button to enable Reverse Query. When the system receives an NS/NA packet, it will log the IP address and reply with another NS/NA packet; the system will then check whether any packet with a different MAC address is returned, or whether the MAC address of the returned packet is the same as that of the ND packet.

MS-Windows Defense
    Click the button to expand the information of the MS-Windows Defense. Select the MS-Windows Defense check box to enable all MS-Windows defenses.
    WinNuke attack: Click this button to enable WinNuke attack defense for the security zone. If any WinNuke attack has been detected, the system will drop the packets and give an alarm.

Scan/Spoof Defense
    Click the button to expand the information of the Scan/Spoof Defense. Select the Scan/Spoof Defense check box to enable all scan/spoof defenses.
    IP Address Spoof: Click this button to enable IP address spoof defense for the security zone. If any IP address spoof attack has been detected, the system will drop the packets and give an alarm.
    IP Address Sweep: Click this button to enable IP address sweep defense for the security zone.
    • Threshold - Specifies a time threshold for IP address sweep. If over 10 ICMP packets from one single source IP address are sent to different hosts within the period specified by the threshold, the system will identify them as an IP address sweep attack. The value range is 1 to 5000 milliseconds. The default value is 1.
    • Action - Specifies an action for IP address sweep attacks. If the default action Drop is selected, the system will only permit 10 ICMP packets originating from one single source IP address while matched to different hosts to pass through during the specified period (threshold), and also give an alarm. All the excessive packets of the same type will be dropped during this period.
    Port Scan: Click this button to enable port scan defense for the security zone.
    • Threshold - Specifies a time threshold for port scan. If over 10 TCP SYN packets are sent to different ports within the period specified by the threshold, the system will identify them as a port scan attack. The value range is 1 to 5000 milliseconds. The default value is 1.
    • Action - Specifies an action for port scan attacks. If the default action Drop is selected, the system will only permit 10 TCP SYN packets destined to different ports to pass through and drops the other packets of the same type during the specified period, and also gives an alarm.

Denial of Service Defense
    Click the button to expand the information of the Denial of Service Defense. Select the Denial of Service Defense check box to enable all denial of service defenses.
    Ping of Death attack: Click this button to enable Ping of Death attack defense for the security zone. If any Ping of Death attack has been detected, the system will drop the attacking packets, and also give an alarm.
    Teardrop attack: Click this button to enable Teardrop attack defense for the security zone. If any Teardrop attack has been detected, the system will drop the attacking packets, and also give an alarm.
    IP fragment: Click this button to enable IP fragment defense for the security zone.
    • Action - Specifies an action for IP fragment attacks. The default action is Drop.
    IP option: Click this button to enable IP option attack defense for the security zone. The system will defend against the following types of IP options: Security, Loose Source Route, Record Route, Stream ID, Strict Source Route and Timestamp.
    • Action - Specifies an action for IP option attacks. The default action is Drop.
    Smurf or fraggle attack: Click this button to enable Smurf or fraggle attack defense for the security zone.
    • Action - Specifies an action for Smurf or fraggle attacks. The default action is Drop.
    Land attack: Click this button to enable Land attack defense for the security zone.
    • Action - Specifies an action for Land attacks. The default action is Drop.
    Large ICMP packet: Click this button to enable large ICMP packet defense for the security zone.
    • Threshold - Specifies a size threshold for ICMP packets. If the size of any inbound ICMP packet is larger than the threshold, the system will identify it as a large ICMP packet and take the specified action. The value range is 1 to 50000 bytes. The default value is 1024.
    • Action - Specifies an action for large ICMP packet attacks. The default action is Drop.

Proxy
    Click the button to expand the information of the Proxy. Select the Proxy check box to enable all proxy defenses.
    SYN proxy: Click this button to enable SYN proxy for the security zone. SYN proxy is designed to defend against SYN flood attacks in combination with SYN flood defense. When both SYN flood defense and SYN proxy are enabled, SYN proxy will act on the packets that have already passed detection for SYN flood attacks.
    • Proxy trigger rate - Specifies a minimum number of SYN packets that will trigger SYN proxy or SYN-Cookie (if Cookie is enabled). If the number of inbound SYN packets matched to one single port of one single destination IP address per second exceeds the specified value, the system will trigger SYN proxy or SYN-Cookie. The value range is 1 to 50000. The default value is 1000.
    • Cookie - Click this button to enable SYN-Cookie. SYN-Cookie is a stateless SYN proxy mechanism that enables the system to enhance its capacity for processing multiple SYN packets. Therefore, you are advised to expand the range between "Proxy trigger rate" and "Max SYN packet rate" appropriately.
    • Max SYN packet rate - Specifies a maximum number of SYN packets that are permitted to pass through per second by SYN proxy or SYN-Cookie (if Cookie is enabled). If the number of inbound SYN packets matched to one single port of one single destination IP address per second exceeds the specified value, the system will only permit the specified number of SYN packets to pass through during the current and the next second. All the excessive packets of the same type will be dropped during this period. The value range is 1 to 1500000. The default value is 3000.
    • Timeout - Specifies a timeout for half-open connections. The half-open connections will be dropped after the timeout. The value range is 1 to 180 seconds. The default value is 30.

Protocol Anomaly Report
    Click the button to expand the information of the Protocol Anomaly Report. Select the Protocol Anomaly Report check box to enable all protocol anomaly reports.
    TCP Anomalies: Click this button to enable TCP anomaly defense for the security zone.
    • Action - Specifies an action for TCP anomaly attacks. The default action is Drop.
    TCP Split Handshake: Click this button to enable TCP split handshake defense for the security zone.
    • Action - Specifies an action for TCP split handshake attacks. The default action is Drop.

4. To restore the system default settings, click Restore Default.

5. Click OK.



Monitor
The system provides the following monitoring methods:

• Sites Monitor: Monitors the performance and threats of Web sites managed by the device and displays collected statistics in charts. This way, the administrator can quickly understand the overall status of the sites.

• Reports: Monitors report tasks (custom tasks and predefined tasks) and report files.

• Log: The device supports the log management function and can record and output log information, which includes the logs of the device system, NAT, Web access, network security, IP protection, web page events, web page security, anti-tampering protection, access control, API protection, and auto-learning model violations.

Sites Monitor
The system monitors the performance and threats of Web sites managed by the device and displays collected statistics in charts. This way, the administrator can quickly understand the overall status of the sites. Threat Overview displays information about threat events. Performance Overview displays information about device performance. Account Security Overview displays information about account security.

Viewing the Threat Overview


Select the site whose threat details you want to view from the Site Name drop-down list. Click the Threat Overview tab in the upper-right corner.

Threat Event Level

The pie chart displays the number of threat events under each security level. Hover your mouse over each sector of the pie chart to view the severity level of threat events and the corresponding attack numbers. Click Details to go to the Web Security Log > Log page.

Threat Event Type

The bar chart displays the number of detected and blocked threats of each threat type. Click a bar to go to the Web Security Log > Log page.

Source

This section displays the geographic distribution of all attack sources within the specified period. It also displays the IP address, attack severity, and last attack time of the Top 10 Source IPs. Click the icon in the upper-right corner of the section to switch the map. The system can be linked with Hillstone CloudVista, which will then provide threat intelligence analysis of the attackers' IP addresses. When the analysis is completed, the system marks the threat intelligence with a Red (malicious threat intelligence), Orange (suspicious threat intelligence), or Green (normal threat intelligence) icon. Hover your mouse over the icon and click it to go to Hillstone CloudVista, where you can view detailed threat intelligence of the attacker's IP address.

Notes:
• Before implementing linked threat intelligence analysis with Hillstone CloudVista, install the threat intelligence license in advance and enable CloudVista in System > Connecting to Hillstone Cloud Service Platform.

• IPv6 addresses are not supported in the linked threat intelligence analysis.

The system supports predefined and custom statistical periods. Click the icon in the upper-right corner of each section to set the statistical period.
Real-time: Displays the current statistical information.
Last 60 Minutes: Displays the statistical information within the last 60 minutes.
Today: Displays the statistical information within today.
Last 7 Days: Displays the statistical information within the last 7 days (excluding today).
Last 30 Days: Displays the statistical information within the last 30 days (excluding today).
Custom: Customize the statistical period. Select Custom to go to the Custom Date and Time panel. Select the start time and the end time according to your requirements.

Click the refresh icon to refresh the monitored data. Click the collapse or expand icon to close or expand the current frame.

Viewing the Performance Overview


Select the site whose performance details you want to view from the Site Name drop-down list. Click the Performance Overview tab in the upper-right corner.

• Site Hit Count: displays the hit trends of the site.

• Site Web Traffic: displays the trend of the upstream and downstream traffic (HTTP/HTTPS traffic) of the site.

• Browser Statistics: displays the browsers used by clients to access the site.

• Operating System Statistics: displays the operating systems used by clients to access the site.

• Access Time: displays the trend of the average/maximum/minimum time consumed by the site from receiving the request to processing the HTTP service.

• Server Response Time: displays the trend of the average/maximum/minimum response time of servers protected by the site.

• Top 10 URLs: the top 10 accessed URLs and the last time the site was accessed.

The system supports the predefined statistical periods. Click the icon in the upper-right corner of each section to set the statistical period.
Real-time: Displays the current statistical information.
Last 60 Minutes: Displays the statistical information within the last 60 minutes.
Today: Displays the statistical information within today.
Last 7 Days: Displays the statistical information within the last 7 days (excluding today).
Last 30 Days: Displays the statistical information within the last 30 days (excluding today).

Click the refresh icon to refresh the monitored data. Click the collapse or expand icon to close or expand the current frame.

Viewing the Account Security Overview


Select the site whose account security details you want to view from the Site Name drop-down list. Click the Account Security Overview tab in the upper-right corner.

Login Behavior Statistics

This section displays the trend of weak password logins and total logins. Weak Password Login Times indicates how many times a user logs in to the site using a weak password. Total Logins indicates the total number of login requests. Hover your mouse over the trend chart to view the weak password login times and total logins at a specific point in time.

Risk User Statistics

This section displays the number of risk users logging in to the site and the trend of the risk users within the statistical period. Click Detailed List to go to the List of Risk User Details panel, where information about the risk users who log in to the site with weak passwords in the statistical period is displayed. You can view the risk users' User Name, Client IP, Risk Reasons, Login Status, etc. You can also export the risk user list as a CSV file.

• If the Weak Password function is not linked with the user session tracing policy, the Login Status shows Unknown.

• If the Weak Password function is linked with the user session tracing policy, the Login Status shows Succeed or Failed.

TOP 10 Risk Client

This section displays the information about the Top 10 risk clients, including their Source IP, Geographical Position, Risk Login Times, etc.

The system supports predefined and custom statistical periods. Click the icon in the upper-right corner of each section to set the statistical period.
Real-time: Displays the current statistical information.
Last 60 Minutes: Displays the statistical information within the last 60 minutes.
Today: Displays the statistical information within today.
Last 7 Days: Displays the statistical information within the last 7 days (excluding today).
Last 30 Days: Displays the statistical information within the last 30 days (excluding today).

Click the refresh icon to refresh the current statistics. Click the collapse or expand icon to close or expand the current frame.

Reports
The reporting feature gathers and analyzes statistics of traffic, threat defense, resource usage and so on, providing all-around and multidimensional reports. You can understand network conditions and analyze network issues with these reports. The report can be sent via email or FTP to the specified user in HTML, WORD, or PDF format.

• Report File: You can view generated report files on the Report File page.

• Template: Report templates define all the contents in the report files. To generate report files, you need to configure the report template first.

• Report Task: The report task defines the report content, including the report template, generation schedule, and the output method of report files.
Report File
Go to Monitor > Report > Report File and the Report File page shows all of the generated report files.

• Sort report files by different conditions: Select Group by Time, Group by Task or Group by Status from the drop-down list, and select a time, task or status from the selection table located below the drop-down list. The related report files will be shown in the report file list.

• When an entry is in bold, it indicates that this report file is Unread.

• Click Delete to delete the selected report files.

• Click Export to download the selected report files.

• Click Mark as Read to modify the status of the selected report files.

• Click the search icon to select the condition from the drop-down list. In the text box, enter the keyword to search for specific report files.

• In the File Type column, click the icon of the report file to preview the report file. HTML, Word and PDF formats are supported.
Report Template
Report templates define all the contents in the report files. To generate report files, you need to configure the report template first.
Report templates are classified as predefined and user-defined templates, providing a variety of pre-categorized report items.

• Predefined Template: Predefined templates are built in the system. By default, different report items have been selected for each predefined template category. The predefined template cannot be edited or deleted. The predefined template categories are as follows:

Option Description

Site and Risk Assessment Report
    Gathers and analyzes statistics of attacks on the application layer.

PCI-DSS Compliance Report
    Analyzes whether site configuration, protection rules referenced by security policies, password of the default account, etc. comply with PCI DSS (Payment Card Industry Data Security Standard) requirements. PCI DSS sets data security standards for all organizations that involve credit card payment. The content of the PCI-DSS Compliance Report template is different from that of other predefined or user-defined templates. The content description is shown below:
    • PCI-DSS Standard Compliance Status: Analyzes whether site configuration, protection rules referenced by security policies, password of the default account, etc. comply with PCI DSS (Payment Card Industry Data Security Standard) requirements. Solutions are advised according to different compliance statuses (fully satisfied, partially satisfied, or unsatisfied).

Site Access and Web Traffic Report
    Gathers and analyzes statistics of the access volume and Web traffic of the device.

• User-defined Template: Indicates a report template created as needed. You can select the report items. Up to 32 user-defined templates can be created.

Creating a User-defined Template

To create a user-defined template, take the following steps:
1. Click Monitor > Reports > Template.

2. Click New.

On the Report Template Configuration page, configure the following values.

Option Description

Name
    Specifies the name of the report template.

Content
    Select the check box of each report item as needed. By default, all report items are selected. The report items are described as follows:
    • Security Risk Summary: Displays the Web risk summary of the device from the aspects of attack trend, attack source, attack type, severity, etc.
    • Site Risk Detail: Displays details from the aspects of attack trend, summaries, and various attack types.
    • Attack Type Detail: Displays details about various attack types and user-defined rules, including attack trend, attacked sites, attack source, attacked URLs, etc.
    • Site Access Analyze: Displays site access statistics, Top 10 URLs of site access, and site access trend.
    • Web Traffic Analyze: Displays upstream/downstream traffic of the device, device engine, and sites.
    • Network Threat Details: Displays a summary of attacks at the network layer and details about network intrusion attacks, scanning, and DoS.
    • Device Status: Displays the status of the device's CPU, memory, and hard disk.
    • Threat Description: Describes the definition, methods, and malicious effects of web security threats and network-layer threats.

Description
    Specifies the description of the report template.
3. Click OK to complete user-defined template configurations.

Editing a User-defined Template

To edit a user-defined report template, take the following steps:

1. Click Monitor > Reports > Template.

2. On the templates list, select the user-defined report template entry that needs to be edited.

3. Click Edit and select the report items as needed.

4. Click OK to save the settings.

Deleting a User-defined Template

To delete a user-defined report template, take the following steps:

1. Click Monitor > Reports > Template.

2. On the templates list, select the user-defined report template entry that needs to be deleted.

3. Click Delete.

Cloning a Report Template

The system supports the rapid clone of a report template. You can clone and generate a new
report template by modifying some parameters of a current report template.
To clone a report template, take the following steps:

1. Click Monitor > Reports > Template.

2. On the templates list, select a report template that needs to be cloned.

3. Click the Clone button above the list, and on the Report Template Configuration page, enter the name of the newly cloned report template.

4. Click OK. The cloned report template will be displayed on the list.

Notes: The PCI-DSS Compliance Report template cannot be cloned.
Report Task
The report task is the schedule related to the report file. It defines the report template, generation
schedule, and the output method of report files.
You can configure report tasks and generate report files on the device according to your needs.

Creating a Report Task

To create a report task, take the following steps:

1. Select Monitor> Reports> Report Task.

2. Click New.

On this page, configure the values of report task.

Option Description

Name Specifies the name of the report task.

Select Site Select the site from the expanded panel. Any indicates
that report task is configured for all sites. Click + to go

Monitor 359
Option Description

to the Site dialogue box. Select the site, and then you
can configure report task for this site.

Description Specifies the description of the report task.

Expand Report Template, select the report template you want to use for the report task.

Option Description

Report Tem- Specifies the report template to be used by the report


plate task:

360 Monitor
Option Description

1. Select the report template (predefined report


template or created user-defined report tem-
plate) from the Report Template list on the left.

2. When the report template is selected, the selec-


ted report template list on the right shows the
description of the template and the details of the
report items.
You can also click New or Edit button in the Report
Template list on the left to open the Report Template
Configuration panel and quickly create or edit a user-
defined report template.

Expand Schedule, configure the running time of the report task.

Option Description

Schedule The schedule specifies the running time of the report task. The report task can be run periodically or run immediately.

Periodic: Generates report files as planned.

l Schedule: Specifies the statistical period.

l Generate At: Specifies the generation time.

Generate Now: Generates report files immediately.

l Specifies the start time and end time of the absolute statistical period in the time text box. Note: You do not need to specify the start time and end time of the absolute statistical period if the PCI-DSS Compliance Report template is selected.

Expand Output, configure the output mode information of the report.

Option Description

File Format Specifies the output format of the report file, including PDF, HTML, and WORD formats.

Recipient Sends report files via email. To add recipients, enter the email addresses in the recipient text box (use ";" to separate multiple email addresses; up to 5 recipients can be configured).

Send via FTP Click the button to enable this function. You can send the report file to a specified FTP server.

l Server Name/IP: Specifies the FTP server name or the IP address.

l Virtual Router: Specifies the virtual router of the FTP server.

l Username: Specifies the username used to log in to the FTP server.

l Password: Enter the password for the FTP username.

l Anonymous: Select the check box to log in to the FTP server anonymously.

l Path: Specifies the location where the report file will be saved.

3. Click OK.

Editing the Report Task

To edit the report task, take the following steps:

1. Select Monitor > Reports > Report Task.

2. On the report task list, select the report task entry that needs to be edited.

3. Click Edit on the top to edit the selected report task on the Report Task Configuration
page.

4. Click OK.

Deleting the Report Task

To delete the report task, take the following steps:

1. Select Monitor > Reports > Report Task.

2. On the report task list, select the report task entry that needs to be deleted.

3. Click Delete on the top to delete the selected report task.

Enabling/Disabling the Report Task

To enable or disable the report task, take the following steps:

1. Select Monitor > Reports > Report Task.

2. Select the task, and click the Enable or Disable button on the top. By default, user-defined
tasks are enabled.

Logging
Logging is a feature that records various kinds of system logs, including event log, network log,
configuration log, NAT log, Web access log, network security log, IP protection log, access control
log, API protection log, Web event log, web security log, auto-learning profile violation log,
and anti-defacement log.

l Event - includes 8 severity levels: debugging, information, notification, warning, error, critical,
alert, and emergency.

l Network - logs about network services, like PPPoE and DDNS.

l Configuration - logs about configuration on command line interface, e.g. interface IP address
setting.

l Session Log - logs related to sessions, including the protocol, source/destination IP address,
and source/destination port of sessions.

l NAT Log - NAT logs, including NAT type, source and destination IP addresses and ports.

l Web Access Log - logs related to access to websites, such as the client IP, site name,
domain name, URL, and protocol.

l Network Security Log - logs related to attack defense in network layer and transmission layer,
like DDoS. (IPv6 address cannot be identified for this kind of log.)

l IP Protection Log - logs generated when the IP protection policy is matched.

l Access Control Log - logs generated when the access control policy is matched.

l API Protection Log - logs generated when the API protection policy is matched.

l Web Event Log - logs about web-related events, such as blacklist and anti-defacement.

l Web Security Log - logs related to SQL injection, HTTP Flood and so on.

l Auto-learning Profile Violation Log - logs generated when traffic violates the auto-learning profile.

l Anti-defacement Log - logs related to web page defacement.

The system logs the running status of the device, thus providing information for analysis and evidence.

Log Severity
Event logs are categorized into eight severity levels.

Severity       Level   Description                                                Log Definition

Emergency      0       Identifies illegitimate system events.                     LOG_EMERG

Alert          1       Identifies problems which need immediate attention,        LOG_ALERT
                       such as the device being attacked.

Critical       2       Identifies urgent problems, such as hardware failure.      LOG_CRIT

Error          3       Generates messages for system errors.                      LOG_ERR

Warning        4       Generates messages for warnings.                           LOG_WARNING

Notice         5       Generates messages for notices and special attention.      LOG_NOTICE

Informational  6       Generates informational messages.                          LOG_INFO

Debug          7       Generates all debugging messages, including daily          LOG_DEBUG
                       operation messages.

Destination of Exported Logs


Log messages can be sent to the following destinations:

l Console - The default output destination. You can close this destination via CLI.

l Remote - Includes Telnet and SSH.

l Buffer - Memory buffer.

l File - By default, the logs are sent to the specified USB destination in the form of a file.

l Syslog server - Sends logs to UNIX or Windows Syslog Server.

l Email - Sends logs to an email account.

l Text message - Sends logs to a mobile phone.

Log Format
To facilitate the access and analysis of the system logs, WAF logs follow a fixed pattern of information
layout, i.e. date/time, severity level@module: description. See the example below:
2000-02-05 01:51:21, WARNING@LOGIN: Admin user "admin" logged in through console from localhost.
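The following Python example, added here and not part of the Hillstone product or its documentation, parses log lines in the layout described above, maps the severity tag to the numeric level from the Log Severity table, and applies a lowest-severity cut-off in the way the Lowest severity option on the Log Management page does. It assumes the severity tag is the LOG_ definition name without its prefix (as in the guide's own WARNING example); the module names and all sample lines except the guide's example are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Numeric levels from the Log Severity table (0 = Emergency ... 7 = Debug),
# keyed by the definition name without its "LOG_" prefix.
# Assumption: the severity tag in a log line is that bare name (the guide's
# example line uses "WARNING", which matches LOG_WARNING).
SEVERITY_LEVELS = {
    "EMERG": 0, "ALERT": 1, "CRIT": 2, "ERR": 3,
    "WARNING": 4, "NOTICE": 5, "INFO": 6, "DEBUG": 7,
}

# Layout documented under "Log Format": date/time, severity@module: description.
_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\s*"
    r"(?P<sev>[A-Z]+)@(?P<module>[^:\s]+):\s*(?P<msg>.*)$"
)


@dataclass(frozen=True)
class WafLogEntry:
    timestamp: datetime
    severity: str
    level: int          # 0 (most severe) .. 7 (least severe)
    module: str
    message: str


def parse_line(line: str) -> Optional[WafLogEntry]:
    """Parse one WAF log line; return None if it does not follow the layout
    or carries a severity tag that is not in the severity table."""
    m = _LINE_RE.match(line.strip())
    if not m or m.group("sev") not in SEVERITY_LEVELS:
        return None
    sev = m.group("sev")
    return WafLogEntry(
        timestamp=datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        severity=sev,
        level=SEVERITY_LEVELS[sev],
        module=m.group("module"),
        message=m.group("msg"),
    )


def parse_lines(text: str) -> List[WafLogEntry]:
    """Parse a block of exported text, skipping lines that are not log
    entries (blank lines, page headers, wrapped continuation text)."""
    entries = []
    for raw in text.splitlines():
        entry = parse_line(raw)
        if entry is not None:
            entries.append(entry)
    return entries


def at_least(entries: List[WafLogEntry], lowest_severity: str) -> List[WafLogEntry]:
    """Keep entries at or above the given severity, mirroring the
    "Lowest severity" export option: a level whose number is larger than
    the threshold's is below it and is dropped."""
    threshold = SEVERITY_LEVELS[lowest_severity.upper()]
    return [e for e in entries if e.level <= threshold]


# Constructed sample in the documented layout (not real device output);
# the first line is the guide's own example, the rest are made up.
SAMPLE_LOG = """\
2000-02-05 01:51:21, WARNING@LOGIN: Admin user "admin" logged in through console from localhost.
2000-02-05 01:52:03, INFO@CONFIG: Interface ethernet0/0 IP address set.
2000-02-05 01:53:40, ALERT@SECURITY: Web security policy matched, request blocked.
not a log line at all
2000-02-05 01:54:10, DEBUG@SYSTEM: Heartbeat sent.
"""

if __name__ == "__main__":
    for e in at_least(parse_lines(SAMPLE_LOG), "WARNING"):
        print(f"{e.timestamp:%Y-%m-%d %H:%M:%S} [{e.severity}/{e.level}] {e.module}: {e.message}")
```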

Block Event Analysis
When the client is blocked by WAF from accessing the Web server site, the user's browser will
return the blocking page. If the site is not configured with a custom error page (i.e., using the
default error pages provided by WAF) or has a predefined error page configured, the blocking
page will include the blocking event ID, accessed domain, URL, and access time. You can perform
block event analysis on the Blocking Event Analysis page by using the blocking event ID,
swiftly navigating to the blocking log or blacklist. This allows you to confirm the blocking reason
and enhance operational efficiency. For more information about how to configure a custom error
page for a site, see Custom Error Page Management.

Notes:
l If a site selects "Custom Content" or an imported custom error page when
configuring the Custom Error Prompt page, the blocking page will not contain
the blocking event ID, accessed domain name, URL, and access time
when a block occurs.

l When a block occurs with a response code of 400 and the blocking event
ID starts with 14, you cannot jump to the log or blacklist page through the
"View Details" button to view specific log or blacklist entries.

l When a blocking action is triggered by a client request that matches a virtual
patch policy, clicking View Details will jump to the Web Security Log
page and filter out the logs corresponding to the virtual patch policy.

To analyze block events, take the following steps:

1. Select Monitor > Log > Block Event Analysis.

2. In the Block Event Analysis field, enter the block event ID and click Query. The query result
will be displayed below.

3. When the client request is blocked by the IP protection policy, access control policy, API
protection policy, virtual patch policy, security policy, self-learning policy, or blacklist, you
can click View Details to view the log entry details on the log page of the corresponding
policy or view the blacklist entry details on the blacklist page.
The block event ID consists of the block event type, site ID, virtual system ID, and event
ID. When you go to view the log entry or blacklist entry details, the event ID is used for filtering,
which uniquely identifies a log or blacklist entry.
When you go to view log entry details, for the Time filter condition, Web security logs use
"Today" as the filter condition by default and other types of logs use "Last 30 Days" as the
filter condition.

Event Logs
To view event logs, select Monitor > Log > Event Log to go to the Event Log page.
On this page, you can perform the following actions:

l Configure: Click Configure to go to the Event Log page. For more information about the
configuration, see Log Management.

l Export: Click Export to export displayed logs in a TXT or CSV file.

l Filter: Select a period from the Time drop-down list. Click to add filter conditions.

Logs matching the filters are displayed in the list below.

Network Logs
To view network logs, select Monitor > Log > Network Log to go to the Network Log page.
On this page, you can perform the following actions:

l Configure: Click Configure to go to the Network Log page. For more information about the
configuration, see Log Management.

l Export: Click Export to export displayed logs in a TXT or CSV file.

l Filter: Select a period from the Time drop-down list. Click to add filter conditions.

Logs matching the filters are displayed in the list below.

Configuration Logs
To view configuration logs, select Monitor > Log > Configuration Log to go to the Configuration
Log page.
On this page, you can perform the following actions:

l Configure: Click Configure to go to the Configuration Log page. For more information about
the configuration, see Log Management.

l Export: Click Export to export displayed logs in a TXT or CSV file.

l Filter: Select a period from the Time drop-down list. Click to add filter conditions.

Logs matching the filters are displayed in the list below.

Session Logs
Session logs can be generated under the conditions that:

l Session logging in the Logging feature is enabled. Refer to "Log Configuration" on Page
407.

l The Logging feature is enabled for policy rules. Refer to "Security Policy" on Page 480.

To view session logs, select Monitor > Log > Session.


In this page, you can perform the following actions:

l Filter: Click to add a filter condition to show logs that match the condition. The filter
conditions include:

l Time - Displays the session logs within the specified time range (from start time to
end time).

l Policy ID - Displays the session logs of the policy rule with the specified ID.

l Source IP - Displays the session logs of the specified source IP address.

l Source Port - Displays the session logs of the specified source port.

l Destination IP - Displays the session logs of the specified destination IP.

l Destination Port - Displays the session logs of the specified destination port.

l Protocol - Displays the session logs of the specified protocol.

l Action - Displays the session logs of the specified action.

l Close Reason - Displays the session logs of the specified close reason.

l Configure: Click to jump to the Log Management page.

l Clear: Click to clear all the displayed logs.

l Export: Click to export all the displayed logs or search results (search first and then export).

Notes:
l For ICMP session logs, the system will only record the ICMP type value and
its code value. As ICMP types 3, 4, 5, 11 and 12 are generated by other communications
and are not a complete ICMP session, the system will not record such kinds
of packets.

l For TCP and UDP session logs, the system will check the packet length first. If
the packet length is 20 bytes (i.e., with an IP header but no payload), it will be
defined as a malformed packet and be dropped; if a packet is over 20 bytes
but has errors, the system will also drop it. So, such abnormal TCP and UDP
packets will not be recorded.

NAT Logs
NAT logs are generated under the conditions that:

l NAT logging in the Logging feature is enabled. For more information about the configuration,
see Log Management.

l NAT logging of the NAT rule configuration is enabled. For more information about the
configuration, see Configuring SNAT and Configuring DNAT.

To view NAT logs, select Monitor > Log > NAT Log to go to the NAT Log page.
On this page, you can perform the following actions:

l Configure: Click Configure to go to the NAT Logs page. For more information about the
configuration, see Log Management.

l Export: Click Export to export displayed logs in a TXT or CSV file.

l Clear: Click Clear to delete all displayed logs.

l Filter: Select a NAT type from the NAT Type drop-down list. Click to add filter
conditions. Logs matching the filters are displayed in the list below.

Web Access Logs
You can view, search for, or export web access logs on the Web Access Log page. This page displays
logs of access to websites, such as the client IP, site name, domain name, URL, and protocol.
Select Monitor > Log > Web Access Log to go to the Web Access Log page.
On this page, you can perform the following actions:

l Configure: Click Configure to go to the Event Log page. For more information about the
configuration, see Log Management.

l Export: Click Export to export displayed logs in a TXT or CSV file.

l Filter: Select a period from the Time drop-down list. Click to add filter conditions.

Logs matching the filters are displayed in the list below.

Network Security Log
To generate network security logs, make sure the device has enabled the related defense functions
in the network layer and transmission layer.
Click Monitor > Log > Network Security Log to go to the Network Security Log page.
On this page, you can perform the following actions:

l Configure: Click Configure to go to the Network Security Log page. For more information
about the configuration, see Log Management.

l Export: Click Export to export displayed logs in a TXT or CSV file.

l Filter: Select a period from the Time drop-down list. Click to add filter conditions.

Logs matching the filters are displayed in the list below.

l If Hillstone CloudVista is enabled, it will provide threat intelligence analysis of the source IP
and MD5 in the Network security logs. When the analysis is completed, the system marks the
threat intelligence with a Red (malicious threat intelligence), Orange (suspicious threat
intelligence), or Green (normal threat intelligence) icon. Hover your mouse over the icon
and click to go to the Hillstone CloudVista, where you can view detailed threat intelligence
of the attacker's IP address.

IP Protection Logs
You can view, search for, or export IP protection logs on the IP Protection Log page. You can
also add a log to the blacklist on this page. Only after the device enables the function that is
related to IP protection can IP protection logs be generated.
Select Monitor > Log > IP Protection Log to go to the IP Protection Log page.
On this page, you can perform the following actions:

l Configure: Click Configure to go to the IP Protection Log page. For more information about
the configuration, see Log Management.

l Export: Click Export to export displayed logs in a TXT or CSV file.

l Filter: Select a period from the Time drop-down list. Click to add filter conditions.

Logs matching the filters are displayed in the list below.

l You can select a log and click Add to Blacklist to add the source IP address to the blacklist.
This prevents the relevant traffic from flowing to web servers.

Access Control Log
You can view, search or export the access control logs on the page. To generate access control
logs, make sure access control policies have been configured on the device.
Select Monitor > Log > Access Control Log to go to the Access Control Log page.
On this page, you can perform the following actions:

l Filter: Select a period from the Time drop-down list. Click to add filter conditions.

Logs matching the filters are displayed in the list below.

l Configure: Click Configure to go to the Access Control Log page. For more information about
the configuration, see Log Management.

l Export: Click Export to export access control logs stored in the system, including or excluding
access content. When you export logs that include access content, you can configure the
number of logs to export, which is 1,000 by default.

API Protection Logs
You can view, search for, or export API protection logs on the API Protection Log page. You can
also add a log to the blacklist on this page. Only after the device enables the function that is
related to API protection can API protection logs be generated. For more information, see API
Protection Policy.
Select Monitor > Log > API Protection Log to go to the API Protection Log page.
On this page, you can perform the following actions:

l Configure: Click Configure to go to the API Protection Log page. For more information about
the configuration, see Log Management.

l Export: Click Export to export displayed logs in a TXT or CSV file.

l Filter: Select a period from the Time drop-down list. Click to add filter conditions.

Logs matching the filters are displayed in the list below.

l You can select a log and click Add to Blacklist to add the source IP address of the log to the
blacklist. This prevents the relevant traffic from flowing to web servers.

Web Event Logs
You can view, search for, or export web event logs on the Web Event Log page. This page displays
web-based event logs, such as logs about blacklists and anti-defacement.
Select Monitor > Log > Web Event Log. On the Web Event Log page, you can view the time
when logs are generated and the level, type, and message of different logs.
On this page, you can perform the following actions:

l Configure: Click Configure to go to the Web Event Log page. For more information about the
configuration, see Log Management.

l Export: Click Export to export displayed logs in a TXT or CSV file.

l Filter: Select a period from the Time drop-down list. Click to add filter conditions.

Logs matching the filters are displayed in the list below.

Web Security Log
You can view, search or export the web security logs on the page, as well as add logs to the rule
exception or blacklist. To generate the web security logs, make sure the device has enabled
related web defense function.

Log

Select Monitor > Log > Web Security Log > Log to go to the Log page.
Select the Protection Types tab.

l Configure: Click Configure to go to the Web Security Log page. For more information about
the configuration, see Log Management.

l Click + before an item to see all logs related to this protection type.

l Filter: Select a period from the Time drop-down list. Click to add filter conditions.

Logs matching the filters are displayed in the list below.

Select the Client IP tab.

l Filter: Select a period from the Time drop-down list. Click to add filter conditions.

Logs matching the filters are displayed in the list below.

l Configure: Click Configure to go to the Web Security Log page. For more information about
the configuration, see Log Management.

l Export: Click Export to export displayed logs in a TXT or CSV file.

l Add to Blacklist: Select a log and click the button to add the source IP of the log to the global
or site-specific client IP blacklist; traffic from that source IP will then be blocked.
Any indicates the global client IP blacklist: after you select this option, the system blocks this
traffic from accessing all the web servers added to the system.

l Click + before an item to see all logs related to this client IP.

Select the Do Not Merge tab.

l Filter: Select a period from the Time drop-down list. Click to add filter conditions.

Logs matching the filters are displayed in the list below. You can filter logs of intercepted or
not-intercepted packets with the filter condition Interception Status. Interception status indicates
whether the packet was eventually intercepted. By default, the column Interception
Status of the log list is not displayed. When the same packet triggers multiple logs, perhaps
only one log action is block or redirect. In this case, the packet is eventually intercepted.
If Intercepted is filtered, all logs of the intercepted packet will be displayed, and if Not
Intercepted is filtered, only logs generated by not-intercepted packets are displayed. If you
need to analyze logs for the same client IP address, hover your mouse over the icon on the
right side of the client IP address and click Add Filter. The log list will display all logs with
the same client IP address.

l Configure: Click Configure to go to the Web Security Log page. For more information about
the configuration, see Log Management.

l Export: Click Export to export displayed logs in a TXT or CSV file.

l Delete: Click the button to delete the logs in the specified period, including the real-time, last
60 minutes, today, last 7 days (excluding today), last 30 days (excluding today), and the custom
period.

l Add to Rule Exception: Select a log and click the button. On the Rule Exception Configuration
panel, make configurations as needed. By default, the system adds the URL and
Source IP of the selected log to the rule exception. You can configure other exception items.
All configured rule exceptions can be applied globally by selecting Any from the Name drop-
down list. Traffic that matches the rule exception will flow to the web server directly.
For more information, see Configuring a Rule Exception.

l Add to Blacklist: Select a log and click the button to add the source IP of the log to the global
or site-specific client IP blacklist; traffic from that source IP will then be blocked.
Any indicates the global client IP blacklist: after you select this option, the system blocks this
traffic from accessing all the web servers added to the system.

l Adjust Policy: Select a log and click the button to enter the security policy configuration page.
You can change or adjust the policy on this page.

l Log Refresh: Select Real-time or Last 60 Minutes from the Time drop-down list and click
Manual or the icon in the upper-right corner to manually refresh logs. You can also select a cycle
to automatically refresh logs every 1 minute, 2 minutes, or 5 minutes. The time will be
automatically updated after a log refresh.
Note: When you double-click a log to view its details, logs cannot be automatically refreshed
based on the cycle. After you view the details, the cycle resumes to "Manual". If you click
View Details to view log details, tasks of automatically refreshing logs based on the cycle are not
affected.

l Log Details: Double-click an item and the Log Details panel will appear.
The Log Details panel can display "Matched Pattern" and "Decoding", in which the matched
pattern is highlighted in "Message", "Attack Request" and "Attack Response". "Matched Pattern"
is the request data that matches the rule and "Decoding" is the decoding method used by
WAF for HTTP requests. For certain decoding methods, such as url, WAF will attempt to
find the corresponding matched patterns in the attack request or response by using reverse encoding.
In some cases, the matched pattern cannot be highlighted in the log details, e.g., "Matched Pattern"
is N/A, or the attack request/response contains multiple patterns.
If Hillstone CloudVista is enabled, it will provide threat intelligence analysis of the source IP
and MD5 in the Web security logs. When the analysis is completed, the system marks the
threat intelligence with a Red (malicious threat intelligence), Orange (suspicious threat
intelligence), or Green (normal threat intelligence) icon. Hover your mouse over the
icon next to the mark icon and click View Threat Intelligence to go to the Hillstone
CloudVista, where you can view detailed threat intelligence of the attacker's IP address.

l Attack Replay: On the Log Details panel, Click Attack Replay.

l On the Attack Replay page, you can edit Target Address, Request Header, and Request
Body, and then click Replay to view response details of the server.

l Target Address: To ensure the success of the Attack Replay, edit the target
address based on the deployment modes.

l Transparent Proxy Mode/ Transparent Tap Mode: In this mode, the target
address that is auto-filled by the system is the address of the real server.
You need to configure the IP address of the VSwitch interface. For more
information, see Configuring an Interface.

l Traction Mode: In this mode, the target address that is auto-filled by the
system is the address of the real server. There is no need to make any modification.

l Reverse Proxy Mode/One-arm with Reverse Proxy Mode: In this mode,
the target address that is auto-filled by the system is not the address of the
real server. You need to modify the target address to the address of the real
server configured in the load balancing module.

l Tap Mode: In this mode, the target address that is auto-filled by the system
is the address of the real server. You need to ensure that other interfaces
can be routed to the web server.

l Click Replay. If the request is successful, response details will be displayed in
the Response Message field.

l Click Replay. If the request is not successful, you will see prompts describing
the failure reason.

Notes:
l Currently, the system supports only one attack playback request. If an administrator
requests attack playback, the attack playback request of another administrator fails.

l In transparent proxy mode and transparent tap mode, if Virtual Wire is configured
in strict mode, the attack playback request fails.

l False Positives Feedback: On the Log Details panel, Click False Positives Feedback.

l When the function of Connecting to Hillstone Cloud Service Platform is enabled, the
system will send false positive feedback to Hillstone Cloud service.

l When the function of Connecting to Hillstone Cloud Service Platform is disabled, a
prompt appears. Click Ok to go to System > Connecting to Hillstone Cloud Service
Platform > CloudView, and select the check box of False Positive Feedback. After
configuration, the system will send false positive feedback to Hillstone Cloud service.

Notes:
l Intelligence linkage on IPv6 addresses is currently not supported.

l The False Positives Feedback function is not supported for logs of non-web
attack traffic.
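The Interception Status filter and the client-IP Add Filter action on the Do Not Merge tab of the Web Security Log page, described above, derive a per-request status from several logs. The following Python example, added here and not part of the Hillstone product or its documentation, reproduces that logic over constructed log records; the request_id field, the action values "alert", "block" and "redirect", the protection type names other than SQL Injection and HTTP Flood, and the sample IP addresses are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Assumption: the log's action field uses "block" and "redirect" for the two
# intercepting actions the guide names, and "alert" for a log-only action.
INTERCEPTING_ACTIONS = {"block", "redirect"}


@dataclass(frozen=True)
class WebSecurityLog:
    request_id: str      # assumed field identifying the packet/request that triggered the log
    client_ip: str
    protection_type: str
    action: str


def interception_status(logs: List[WebSecurityLog]) -> Dict[str, bool]:
    """Map each request_id to whether the request was eventually intercepted:
    True as soon as any one of its logs carries an intercepting action, even
    when the other logs for the same request are alert-only."""
    status: Dict[str, bool] = defaultdict(bool)
    for log in logs:
        status[log.request_id] |= log.action in INTERCEPTING_ACTIONS
    return dict(status)


def filter_by_interception(logs: List[WebSecurityLog], intercepted: bool) -> List[WebSecurityLog]:
    """Behave like the Interception Status filter: 'Intercepted' returns every
    log of an intercepted request (its alert-only logs included); 'Not
    Intercepted' returns only logs of requests that no rule intercepted."""
    status = interception_status(logs)
    return [log for log in logs if status[log.request_id] == intercepted]


def logs_for_client(logs: List[WebSecurityLog], client_ip: str) -> List[WebSecurityLog]:
    """The Add Filter action on a client IP: every log with that client IP."""
    return [log for log in logs if log.client_ip == client_ip]


# Constructed sample: request r1 triggered two rules, only one of which blocked;
# r2 triggered one alert-only rule; r3 was redirected by a single rule.
SAMPLE_LOGS = [
    WebSecurityLog("r1", "198.51.100.7", "SQL Injection", "alert"),
    WebSecurityLog("r1", "198.51.100.7", "Cross-site Scripting", "block"),
    WebSecurityLog("r2", "203.0.113.9", "HTTP Flood", "alert"),
    WebSecurityLog("r3", "198.51.100.7", "Protocol Anomaly", "redirect"),
]

if __name__ == "__main__":
    for log in filter_by_interception(SAMPLE_LOGS, intercepted=True):
        print(f"{log.request_id} {log.client_ip} {log.protection_type}: {log.action} (intercepted)")
```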

Intelligent Log Analysis

You can enable the Intelligent Log Analysis function when a certain number of logs has been generated
after the device has been online for a while, or when the number of logs has suddenly increased because
of a change in the back-end server business. After the function is enabled, the system automatically
counts and analyzes the web security logs of each site via intelligent analysis algorithms and
generates log analysis reports. You can view the false positives and
threats as well as detailed analysis data and optimization suggestions in the reports. Based on the
analysis results and optimization suggestions, you can optimize the configuration of security policies
and other configurations to protect the Web server in a more intelligent way.

Notes: The Intelligent Log Analysis function only supports analyzing the web security
logs generated by security policies. Logs generated by other functions are not
supported.

To configure the Intelligent Log Analysis function, take the following steps:

1. Select Monitor > Log > Web Security Log > Intelligent Log Analysis, and select the Intelligent
Log Analysis tab.

2. Select the period from the Log Analysis Start-End Time drop-down list.

3. Enter the minimum log volume of a site in the Site Minimum Log Volume field. The value
ranges from 1000 to 100000. If the log volume of a site has not reached the specified value,
the system will not analyze the logs nor generate log analysis reports for the site. The log
volume for analysis cannot be too small; otherwise, the data analysis will be inaccurate or
skewed by chance. You can control the minimum log volume by setting Site Minimum
Log Volume. However, the log volume for analysis cannot be too large either. Too many
logs may result in a slower analysis process and occupy too many system resources.

4. Click Start Analysis to analyze logs for all sites. When the number of logs in the selected period is
smaller than the minimum log volume, the system will not analyze the site. A 100% progress
bar indicates that the analysis is finished. You can click Stop Analysis as
needed to stop the analysis during the process.

Notes: The log analysis report of the site will not be displayed when its log
volume has not reached the minimum value required for analysis. It is recommended
to analyze logs when the business traffic is low because this function
occupies a large amount of CPU.

Log Analysis Report

The system will generate the analysis report after the intelligent log analysis. Click Monitor > Log
> Web Security Log > Intelligent Log Analysis, and select the Log Analysis Report tab.

The report is organized per site and displays the false positive analysis and threat analysis of
each site separately.

1. Click + in front of the site to view the details of false positive analysis and threat analysis.

2. False positive analysis: analyzed by protection rule. The list displays the subtype of the
protection rule, protection rule ID, log accuracy, log volume/log volume ratio, client IP
number/client IP ratio, URL number/URL ratio, false positive probability, and optimization
suggestions.

l Click View Log in the Operation column to go to the Log page. The system will automatically
filter logs of the corresponding site during the start-end time for you to view
details. You can also click Add to Rule Exception or Adjust Policy on the log page to
remove or reduce the false positives based on the optimization suggestions.

l Click Jump To Rule to go to the Security Policy Configuration page. You can adjust
the parameters of the rule to remove or reduce the false positives.

l Click Disable Rule and then click OK. The system will close the corresponding rule
to remove or reduce the false positives.

3. Threat analysis: analyzing by client IP. The list displays the IP, log volume/log volume
ratio, alert type, IP reputation, URL number/URL ratio, and threat percent of the client that
may become a threat.

l Click View Log in the Operation column of the list to go to the Log page. The system
will automatically filter logs of the corresponding client IP of the site during the
start-end time for you to view details.

l Click Add To Blacklist to permanently block the threat IP or set the blocking period
for the threat IP.

4. Click One-click Optimization at the top of the list. The system then, in one step, closes the rules
that False Positive Analysis recommends closing, and blocks (permanently or for a period) all
client IPs that Threat Analysis recommends adding to the blacklist.

Auto-learning Profile Violation Log
You can view, search or export the auto-learning profile violation logs on the page. To generate
auto-learning profile violation logs, make sure the device has configured the auto-learning
function and the site has referenced the related auto-learning policies.
Click Monitor > Log > Auto-learning Profile Violation Log to go to the Auto-learning Profile
Violation Log page.

l Filter: Select a period from the Time drop-down list. Click to add filter conditions.

Logs matching the filters are displayed in the list below.

l Configure: Click Configure to go to the Event Log page. For more information about the
configuration, see Log Management.

l Export: Click Export to export displayed logs in a TXT or CSV file.

l Add to Blacklist: Select a log and click the button to add the source IP of the log to the blacklist;
the traffic flowing from the source IP will then be blocked.

l Adjust Auto-learning Result: Select a log and click the button, the page for configuring the
self-learning policy will be displayed. You can modify or adjust the self-learning policy.

Anti-defacement Log
You can view, search, confirm or export the anti-defacement logs on the page. To generate
anti-defacement logs, make sure the device has enabled the anti-defacement related function.
Click Monitor > Log > Antidefacement Log to go to the Antidefacement Log page.

l Filter: Select a period from the Time drop-down list. Click to add filter conditions.

Logs marching the filters are displayed on the below list.

l Configure: Click Configure to go to the Event Log page. For more information about the con-
figuration, see Log Management.

l Export: Click the button to export the displayed anti-defacement logs.

l Confirm: Click the button and confirm that whether the selected log is defacement.

l Click + in front of an item to view detailed information about this log.

Monitor 393
Log Management
On the Log Management page, you can enable and configure the different log types.

Configuring Logs

To configure the parameters of the various log types, take the following steps:

1. Select Monitor > Log > Log Management.

2. Click the button behind All Logs to enable all logging functions.

3. Click the enable button of a specific log type, and then click the button to enter the corresponding log settings.

4. Click OK.

Option Descriptions of Various Log Types

This section describes the options available when you set the properties of each log type.

Event Log

Option Description

Enable: Click the button to enable the event logging function.

Console: Select the check box to export event logs to the Console.
  • Lowest severity - Specifies the lowest severity level. Logs below the severity level selected here are not exported.

Terminal: Select the check box to export event logs to the terminal.
  • Lowest severity - Specifies the lowest severity level. Logs below the severity level selected here are not exported.

Cache: Select the check box to export event logs to the cache.
  • Lowest severity - Specifies the lowest severity level. Logs below the severity level selected here are not exported.
  • Max buffer size - The maximum size of the cached logs. The default value may vary for different hardware platforms.

Log server: Select the check box to export event logs to the syslog server.
  • View Log Server - Click to see all existing syslog servers or to add a new server.
  • Lowest severity - Specifies the lowest severity level. Logs below the severity level selected here are not exported.

Email address: Select the check box to send event logs by email.
  • View Email Address - Click to see all existing email addresses or to add a new address.
  • Lowest severity - Specifies the lowest severity level. Logs below the severity level selected here are not exported.

Network Log

Option Description

Enable: Click the button to enable the network logging function.

Cache: Select the check box to export network logs to the cache.
  • Max buffer size - The maximum size of the cached network logs. The value range is 4096 to 524288 bytes. The default value may vary for different hardware platforms.

Log server: Select the check box to export network logs to the syslog server.
  • View Log Server - Click to see all existing syslog servers or to add a new server.

Configuration Log

Option Description

Enable: Click the button to enable the configuration logging function.

Cache: Select the check box to export configuration logs to the cache.
  • Max buffer size - The maximum size of the cached configuration logs. The value range is 4096 to 524288 bytes. The default value may vary for different hardware platforms.

Log Server: Select the check box to export configuration logs to the syslog server.
  • View Log Server - Click to see all existing syslog servers or to add a new server.

Log Speed Limit: Select the check box to limit the rate at which configuration logs are generated.
  • Maximum Speed - Specifies the maximum rate (messages per second).

NAT Log

Option Description

Enable: Click the button to enable the NAT logging function.
  • Record Host Name - Enable it to show the host name in the NAT log messages.

Cache: Select the check box to export NAT logs to the cache.
  • Max buffer size - The maximum size of the cached NAT logs. The default value may vary for different hardware platforms.

Log Server: Select the check box to export NAT logs to log servers.
  • View Log Server - Click to see all existing syslog servers or to add a new server.
  • Syslog Distribution Methods - The distributed logs can be in binary or custom format. If you select the check box, log messages are sent to different log servers, which relieves the load on a single log server. The distribution algorithm can be Round Robin or Src IP Hash.

Web Access Log

Option Description

Enable: Click the button to enable the Web access logging function.

Console: Select the check box to export Web access logs to the Console.

Cache: Select the check box to export Web access logs to the cache.
  • Max buffer size - The maximum size of the cached Web access logs.

Log Server: Select the check box to export Web access logs to log servers.
  • View Log Server - Click to see all existing syslog servers or to add a new server.
  • Syslog Distribution Methods - The distributed logs can be in binary or custom format. If you select the check box, log messages are sent to different log servers, which relieves the load on a single log server. The distribution algorithm can be Round Robin or Src IP Hash.

Local DB: Select the check box to export Web access logs to the local database.

Log Field: Click to view the log fields. You can rename and tailor the log fields.

Custom Log Field: Click New to define custom log fields. You can set the header direction, header name, and header display name of each custom log field.

Network Security Log

Option Description

Enable: Click the button to enable the network security logging function.

Terminal: Select the check box to send network security logs to the terminal.
  • Lowest Severity - Specifies the lowest severity level. Logs below the severity level selected here are not exported.

Cache: Select the check box to export network security logs to the cache.
  • Lowest Severity - Specifies the lowest severity level. Logs below the severity level selected here are not exported.
  • Max Buffer Size - The maximum size of the cached network security logs.

Log Server: Select the check box to export network security logs to the syslog server.
  • View Log Server - Click to see all existing syslog servers or to add a new server.
  • Syslog Distribution Methods - The distributed logs can be in binary or text format. If you select the check box, log messages are sent to different log servers, which relieves the load on a single log server. The distribution algorithm can be Round Robin or Src IP Hash.

Email Address: Select the check box to send network security logs by email.
  • View Email Address - Click to see all existing email addresses or to add a new address.
  • Lowest Severity - Specifies the lowest severity level. Logs below the severity level selected here are not exported.

IP Protection Log

Option Description

Enable: Click the button to enable the IP protection logging function.

Terminal: Select the check box to export IP protection logs to the terminal.

Cache: Select the check box to export IP protection logs to the cache.
  • Max Buffer Size - The maximum size of the cached IP protection logs.

Log Server: Select the check box to export IP protection logs to the log server.
  • View Log Server - Click to see all existing syslog servers or to add a new server.

Email Address: Select the check box to send IP protection logs by email.
  • View Email Address - Click to see all existing email addresses or to add a new address.

Access Control Log

Option Description

Enable: Click the button to enable the access control logging function.

Terminal: Select the check box to send access control logs to the terminal.

Cache: Select the check box to export access control logs to the cache.
  • Max Buffer Size - The maximum size of the cached access control logs.

Log Server: Select the check box to export access control logs to the syslog server.
  • View Log Server - Click to see all existing syslog servers or to add a new server.

Email Address: Select the check box to send access control logs by email.
  • View Email Address - Click to see all existing email addresses or to add a new address.

API Protection Log

Option Description

Enable: Click the button to enable the API protection logging function.

Terminal: Select the check box to send API protection logs to the terminal.

Cache: Select the check box to export API protection logs to the cache.
  • Max Buffer Size - The maximum size of the cached API protection logs.

Log Server: Select the check box to export API protection logs to the syslog server.
  • View Log Server - Click to see all existing syslog servers or to add a new server.

Email Address: Select the check box to send API protection logs by email.
  • View Email Address - Click to see all existing email addresses or to add a new address.

Web Event Log

Option Description

Enable: Click the button to enable the Web event logging function.

Console: Select the check box to export Web event logs to the Console.

Terminal: Select the check box to export Web event logs to the terminal.

Cache: Select the check box to export Web event logs to the cache.
  • Max Buffer Size - The maximum size of the cached Web event logs.

Log Server: Select the check box to export Web event logs to the syslog server.
  • View Log Server - Click to see all existing syslog servers or to add a new server.
  • Lowest severity - Specifies the lowest severity level. Logs below the severity level selected here are not exported.

Email Address: Select the check box to send Web event logs by email.
  • View Email Address - Click to see all existing email addresses or to add a new address.

Web Security Log

Option Description

Enable: Select the check box to enable the Web security logging function.

Terminal: Select the check box to send Web security logs to the terminal.

Cache: Select the check box to export Web security logs to the cache.
  • Max Buffer Size - The maximum size of the cached Web security logs.

Log Server: Select the check box to export Web security logs to the syslog server.
  • View Log Server - Click to see all existing syslog servers or to add a new server.
  • Syslog Distribution Methods - The distributed logs can be in binary or text format. If you select the check box, log messages are sent to different log servers, which relieves the load on a single log server. The distribution algorithm can be Round Robin or Src IP Hash.

Email Address: Select the check box to send Web security logs by email.
  • View Email Address - Click to see all existing email addresses or to add a new address.

Log Aggregation: To reduce the number of stored logs and the redundancy among them, tick the Log Aggregation check box to enable the Log Aggregation function, which merges Web security logs. To configure log aggregation, specify the Merge Cycle and the Merge Protection Subtype. A protection subtype contains multiple protection rules; once a subtype is specified, the function applies to every protection rule under it. After log aggregation is configured, the system merges the logs that hit the same protection rule of a specified subtype within one Merge Cycle and outputs a single new Web security log. For details about the protection rules of each protection type, see Policy > Security Policy > Protection Rules.
  • Merge Cycle - Specifies the merge cycle for Web security logs. The default cycle is 10 seconds. The value range is 10 seconds to 600 seconds.
  • Merge Protection Subtype - Specifies the protection subtypes whose logs are merged. By default, the system merges the Web security logs generated by preventing the threat types HTTP Protocol Anomaly, Server Information Leakage, Scanner, and Crawler.
  • Reset Log Aggregation - Click Reset Log Aggregation to reset the merge cycle to 10 seconds and the merge protection subtypes to HTTP Protocol Anomaly, Server Information Leakage, Scanner, and Crawler.
  Note: Log aggregation differs from log merging. Log aggregation merges logs that meet the merging conditions before the logs are generated and outputs a single new log; its main purpose is to reduce the number of stored logs and the redundant logs. Log merging folds logs that meet the merge type after the system has generated them, reducing the number of entries shown in the log list; its main purpose is to make the logs easier to view and analyze.
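A worked model of the Log Aggregation option, added here as an example (not Hillstone code). The field names ts, subtype, rule and src_ip, the count and last_ts fields on the merged record, and the placement of the merge window at the first matching log are assumptions; the events are constructed.

```python
# Default subtypes the guide lists for Merge Protection Subtype.
DEFAULT_SUBTYPES = frozenset({"HTTP Protocol Anomaly", "Server Information Leakage",
                              "Scanner", "Crawler"})


def aggregate(events, merge_cycle=10, subtypes=DEFAULT_SUBTYPES):
    """Merge logs that hit the same rule of a selected subtype within one cycle.

    `events` are dicts with ts (seconds), subtype, rule and src_ip, sorted by
    ts. A window opens at the first event of a (subtype, rule) pair and
    closes merge_cycle seconds later; events inside it are folded into one
    output record whose `count` and `last_ts` grow. Logs of other subtypes
    pass through unchanged with count 1. Window placement is an assumption.
    """
    if not 10 <= merge_cycle <= 600:
        raise ValueError("merge cycle must be between 10 and 600 seconds")
    out = []
    open_windows = {}  # (subtype, rule) -> index of the open record in `out`
    for ev in events:
        key = (ev["subtype"], ev["rule"])
        idx = open_windows.get(key)
        if (ev["subtype"] in subtypes and idx is not None
                and ev["ts"] < out[idx]["ts"] + merge_cycle):
            out[idx]["count"] += 1
            out[idx]["last_ts"] = ev["ts"]
            continue
        out.append(dict(ev, count=1, last_ts=ev["ts"]))
        if ev["subtype"] in subtypes:
            open_windows[key] = len(out) - 1
    return out


def describe(record):
    """One-line rendering of an (possibly merged) record."""
    span = f"{record['ts']}-{record['last_ts']}s" if record["count"] > 1 else f"{record['ts']}s"
    return f"{record['subtype']}/{record['rule']} from {record['src_ip']} x{record['count']} ({span})"


# Constructed sample: a scanner hitting rule SC-1 repeatedly, plus two SQL
# injection hits whose subtype is not selected for merging.
SAMPLE_EVENTS = [
    {"ts": 0, "subtype": "Scanner", "rule": "SC-1", "src_ip": "203.0.113.5"},
    {"ts": 1, "subtype": "SQL Injection", "rule": "SQ-7", "src_ip": "203.0.113.5"},
    {"ts": 2, "subtype": "SQL Injection", "rule": "SQ-7", "src_ip": "203.0.113.5"},
    {"ts": 3, "subtype": "Scanner", "rule": "SC-1", "src_ip": "203.0.113.5"},
    {"ts": 8, "subtype": "Scanner", "rule": "SC-1", "src_ip": "203.0.113.5"},
    {"ts": 12, "subtype": "Scanner", "rule": "SC-1", "src_ip": "203.0.113.5"},
    {"ts": 25, "subtype": "Scanner", "rule": "SC-1", "src_ip": "203.0.113.5"},
]

if __name__ == "__main__":
    for record in aggregate(SAMPLE_EVENTS):
        print(describe(record))
```

With the default 10-second cycle the five scanner hits collapse to three records (counts 3, 1 and 1), while the SQL injection hits are kept one per event because their subtype is not selected; raising the cycle to 30 seconds folds all five scanner hits into one record. The trade-off is visible in the merged record: the count and time span survive, but per-request detail inside the window does not, which is why the guide limits the default to noisy subtypes such as Scanner and Crawler.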

Auto-learning Profile Violation Log

Option Description

Enable: Click the button to enable the auto-learning profile violation logging function.

Terminal: Select the check box to send auto-learning profile violation logs to the terminal.

Cache: Select the check box to export auto-learning profile violation logs to the cache.
  • Max Buffer Size - The maximum size of the cached auto-learning profile violation logs.

Log Server: Select the check box to export auto-learning profile violation logs to the syslog server.
  • View Log Server - Click to see all existing syslog servers or to add a new server.

Email Address: Select the check box to send auto-learning profile violation logs by email.
  • View Email Address - Click to see all existing email addresses or to add a new address.

Anti-defacement Log

Option Description

Enable: Click the button to enable the anti-defacement logging function.

Terminal: Select the check box to send anti-defacement logs to the terminal.

Cache: Select the check box to export anti-defacement logs to the cache.
  • Max Buffer Size - The maximum size of the cached anti-defacement logs.

Log Server: Select the check box to export anti-defacement logs to the syslog server.
  • View Log Server - Click to see all existing syslog servers or to add a new server.

Email Address: Select the check box to send anti-defacement logs by email.
  • View Email Address - Click to see all existing email addresses or to add a new address.

Log Configuration
You can create log servers and set up log email addresses.

Creating a Log Server

To create a log server, take the following steps:

1. Select Monitor > Log > Log Configuration.

2. Click the Log Server Configuration tab.

3. Click New.

In the Log Server Configuration dialog box, configure the following values.

Option Description

Hostname: Enter the name or IP address of the log server.

Binding: Specifies the source IP address from which logs are sent.
  • Virtual Router - Select Virtual Router and then select a virtual router from the drop-down list. If a virtual router is selected, the device determines the source IP address by searching the reachable routes in that virtual router.
  • Source Interface - Select Source Interface and then select a source interface from the drop-down list. The device uses the IP address of the interface as the source IP to send logs to the syslog server. If a management IP address is configured on the interface, the management IP address is preferred.

Protocol: Specifies the protocol used to reach the syslog server. If Secure-TCP is selected, you can enable Do not validate the server certificate; the system then transfers logs without requiring any certificate.

Port: Specifies the port number of the syslog server.

Log Format: Specifies the format of the logs received by the syslog server.

Log Type: Specifies the log types the syslog server will receive.

4. Click OK to save the settings.

Notes: You can add at most 15 log servers.

Adding an Email Address to Receive Logs

An email in the log management settings is an email address that receives log messages.
To add an email address, take the following steps:

1. Select Monitor > Log > Log Configuration.

2. Click the Web Mail Configuration tab.

3. Click New and enter an email address.

4. To delete an existing email address, click Delete.

Notes: You can add at most 3 email addresses.

Specifying a Unix Server

To specify a Unix server to receive logs, take the following steps:

1. Select Monitor > Log > Log Configuration.

2. Click the Facility Configuration tab.

3. Select the device you want; the logs will be exported to that Unix server.

4. Click OK.
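The Protocol option above offers Secure-TCP with an optional Do not validate the server certificate switch, and the Facility Configuration tab is where a Unix server is chosen (its name suggests the standard syslog facility value, which is an assumption here). The Python below is an added example, not Hillstone code: it shows the client side of a Secure-TCP export with validation on and off, and the PRI value (facility * 8 + severity) under which a Unix syslog daemon files each line. The facility and severity tables follow the syslog RFCs; that the appliance encodes PRI the same way is an assumption, and the hostname and application name are placeholders.

```python
import socket
import ssl
from datetime import datetime, timezone

# Syslog facility and severity codes (RFC 3164 / RFC 5424 convention).
FACILITIES = {"kern": 0, "user": 1, "local0": 16, "local1": 17, "local2": 18,
              "local3": 19, "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
              "warning": 4, "notice": 5, "informational": 6, "debug": 7}


def syslog_priority(facility, severity):
    """PRI = facility * 8 + severity; this is what a Unix syslog daemon
    uses to route the line (e.g. local0.warning -> 132)."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def format_syslog(facility, severity, hostname, app, msg, when=None):
    """Build an RFC 5424 line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG."""
    when = when or datetime.now(timezone.utc)
    return (f"<{syslog_priority(facility, severity)}>1 "
            f"{when.isoformat(timespec='seconds')} {hostname} {app} - - - {msg}")


def build_tls_context(validate_server_cert=True, ca_file=None):
    """Client context for a Secure-TCP syslog connection.

    validate_server_cert=False mirrors the appliance's "Do not validate the
    server certificate" switch: the session is still encrypted, but any host
    on the path can present its own certificate and receive the logs, so a
    collector with a certificate from `ca_file` is the setting to keep.
    """
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + hostname check
    if not validate_server_cert:
        ctx.check_hostname = False        # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def send_secure_tcp(host, port, line, validate_server_cert=True, ca_file=None):
    """Open a TLS connection and deliver one syslog line (network call, not exercised offline)."""
    ctx = build_tls_context(validate_server_cert, ca_file)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(line.encode() + b"\n")


if __name__ == "__main__":
    # Placeholder host and application names; no connection is made here.
    print(format_syslog("local0", "warning", "waf-placeholder", "vwaf", "sample event"))
    print(build_tls_context(True).verify_mode, build_tls_context(False).verify_mode)
```

A collector's certificate only needs to be issued by a CA the sender trusts (pass its bundle as ca_file), so the validating context costs one file and keeps exported logs from being diverted; the non-validating context is the one to reserve for short-lived lab setups.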

Object
This chapter describes the concept and configuration of objects that are referenced by other modules in the system, including:

• "Address Book" on Page 412: Contains address information and can be referenced by the NAT Rules module.

• "Service Book" on Page 416: Contains service information and can be referenced by the NAT Rules module.

• "Schedule" on Page 427: Specifies a time range or period. Functions that use a schedule take effect in the time range or period that the schedule specifies.

• "Track Object" on Page 422: Tracks whether the specified object (IP address or host) is reachable or whether the specified interface is connected. This function is designed to track HA and interfaces.

Address Book
An IP address is an important element in the configuration of multiple modules, such as NAT rules. Therefore, the system uses an address book to simplify IP address references and make configuration flexible: you specify a name for an IP range, and only the name is referenced during configuration. The address book is the database in the system that stores the mappings between IP ranges and their names. The mapping between an IP range and its name in the address book is known as an address entry.
The system provides a global address book, and you specify address entries for it. When specifying an address entry, you can replace the IP range with a DNS name. Interfaces with configured IPs are used as address entries and added to the address book automatically, so you can reference them in NAT conveniently. Furthermore, an address entry has the following features:

• All address books contain the default address entries Any and private_network. The IP address of Any is 0.0.0.0/0, which indicates any IP address. Any can neither be edited nor deleted. The IP addresses of private_network are 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, which can be referenced directly. private_network can be edited and deleted.

• One address entry can contain another address entry in the address book.

• If the IP range of an address entry changes, the system automatically updates the other modules that reference the address entry.

The address book supports IPv4 and IPv6 addresses. If IPv6 is enabled, you can configure IPv6 address entries.

Creating an Address Book

To create an address book, take the following steps:

1. Click Object > Address Book.

2. Click New.

On the Address Book Configuration page, configure the following options.

Option Description

Name: Specifies the name of the address entry in the Name field.

Type: Select the IP type, IPv4 or IPv6. Only the IPv6 firmware supports the configuration of the IPv6 type. If IPv6 is selected, all configured IP/netmasks, IP ranges, and address entries must be in IPv6 format.

Member: Specifies the members of the address entry. Click New to add an address entry member.
  • When you select the IPv4 type, configure IP/Netmask, IP Range, Hostname, Address Book, or IP/Wildcard as needed.
  • When you select the IPv6 type, configure IPv6/Prefix, IPv6 Range, Hostname or Address Book as needed.
  To delete an address entry member, select it and then click Delete.

Excluded Member: Specifies the excluded members. Click New and configure IP/Netmask or IP Range for the excluded address entry member as needed. To delete an excluded address entry member, select it and then click Delete.
  Note: The address range of an excluded member must lie within the address range of the members; otherwise the configuration cannot be completed.

Description: Specifies the description of the address book as needed.

3. Click OK.
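The member, excluded-member and nesting rules above can be checked with a small model of the address book. The code below is an added example, not Hillstone code: the class and method names, the "addr/prefix" and "first-last" member spellings, and the rule that an excluded range must fit inside one directly listed member are assumptions; hostname and wildcard members are not modelled, and the entries in build_sample_book are constructed.

```python
import ipaddress


def _span(spec):
    """Return (ip_version, first, last) for 'addr/prefix' or 'first-last'.

    The two spellings are assumptions about the IP/Netmask and IP Range
    member formats; hostnames and wildcards are not modelled.
    """
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if lo.version != hi.version or int(lo) > int(hi):
            raise ValueError(f"invalid IP range {spec!r}")
        return lo.version, int(lo), int(hi)
    net = ipaddress.ip_network(spec, strict=False)
    return net.version, int(net.network_address), int(net.broadcast_address)


class AddressBook:
    """Global address book seeded with the two default entries the guide describes."""

    def __init__(self):
        self.entries = {}  # name -> {"members": [...], "excluded": [...]}
        self.add("Any", ["0.0.0.0/0"])
        self.add("private_network", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"])

    def add(self, name, members, excluded=()):
        """Create or replace an entry; a member may name another entry."""
        direct = [_span(m) for m in members if m not in self.entries]
        for ex in excluded:
            v, lo, hi = _span(ex)
            # Guide: an excluded range must lie within the members' range.
            # Assumption: it must fit inside a single directly listed member.
            if not any(v == mv and mlo <= lo and hi <= mhi for mv, mlo, mhi in direct):
                raise ValueError(f"excluded member {ex} is outside the members of {name}")
        self.entries[name] = {"members": list(members), "excluded": list(excluded)}

    def delete(self, name):
        """Any is fixed; an entry nested in another entry cannot go first."""
        if name == "Any":
            raise ValueError("Any can neither be edited nor deleted")
        if any(name in e["members"] for e in self.entries.values()):
            raise ValueError(f"{name} is still referenced by another entry")
        del self.entries[name]

    def contains(self, name, ip, _seen=None):
        """True when ip falls in a member (recursing into nested entries)
        and not in an excluded member of the entry being checked."""
        seen = set() if _seen is None else _seen
        if name in seen:  # guard against reference cycles
            return False
        seen.add(name)
        addr = ipaddress.ip_address(ip)
        entry = self.entries[name]
        for ex in entry["excluded"]:
            v, lo, hi = _span(ex)
            if v == addr.version and lo <= int(addr) <= hi:
                return False
        for m in entry["members"]:
            if m in self.entries:
                if self.contains(m, ip, seen):
                    return True
            else:
                v, lo, hi = _span(m)
                if v == addr.version and lo <= int(addr) <= hi:
                    return True
        return False


def build_sample_book():
    """Constructed entries for illustration, not from a real configuration."""
    book = AddressBook()
    book.add("web_servers", ["192.168.10.0/24", "192.168.20.1-192.168.20.50"],
             excluded=["192.168.10.200-192.168.10.254"])
    book.add("dmz_hosts", ["web_servers", "10.1.0.0/16"])  # nested entry
    return book


if __name__ == "__main__":
    book = build_sample_book()
    for ip in ("192.168.10.5", "192.168.10.210", "10.1.2.3"):
        print(ip, book.contains("dmz_hosts", ip))
```

The exclusion is evaluated on the entry that declares it, so 192.168.10.210 stays excluded even when web_servers is reached through dmz_hosts, and deleting web_servers is refused until dmz_hosts no longer names it; both behaviours follow the feature list in the Address Book section.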

Viewing Details
To view the details of an address entry, including its name, members, description and references, take the following steps:

1. Click Object > Address Book.

2. On the Address Book page, click + in front of an address book to view its details.

Details

Name: View the name of the address book.

Type: View the IP type.

Member: View the address entry members in the address book.

Excluded Member: View the excluded address entry members in the address book.

References: View how many times the address book is referenced.

Description: View the description of the address entry.

Referenced By

Address Book: View information about other address books that reference the address book.

SNAT: View information about the SNAT rules that reference the address book.

DNAT: View information about the DNAT rules that reference the address book.

Service Book
A service is an information stream defined by protocol standards. A service has specific distinguishing features such as its protocol and port number. For example, the FTP service uses the TCP protocol, and its port number is 21. Service is an essential element for the configuration of multiple modules, including NAT rules.
The system ships with multiple predefined services and service groups. You can also customize services and service groups as needed. All these services and service groups are stored in and managed by service books.

Predefined Service/Service Group

The system ships with multiple predefined services and identifies the corresponding application types based on the service ports. Predefined service groups contain related predefined services to facilitate user configuration.

Custom Service
Besides the predefined services above, you can also create your own services easily. The parameters specified for a custom service entry include:

• Name

• Protocol type

• The source and destination port for a TCP or UDP service, or the type and code value for an ICMP service.

Custom Service Group

You can organize services into a service group and apply the service group to device policies directly to facilitate management. A service group has the following features:

• Each service of the service book can be referenced by one or more service groups.

• A service group can contain both predefined services and custom services.

• A service group can contain other service groups. Service groups support up to 8 layers of nesting.

A service group also has the following limitations:

• The name of a service and a service group must not be identical.

• A service group that is used by any policy cannot be deleted. To delete such a service group, you must first remove its references from the other modules.

• If a custom service is deleted from a service book, the service is also deleted from all service groups that reference it.

Configuring a Service Book
This section describes how to configure a user-defined service and service group.

Configuring a User-defined Service

1. Select Object > Service Book > Service.

2. Click New.

Configure the following options.

Service Configuration

Service: Specifies the name of the user-defined service.

Member: TCP/UDP
  Destination port:
  • Min - Specifies the minimum port number of the specified service entry.
  • Max - Specifies the maximum port number of the specified service entry. The value range is 0 to 65535.
  Source port:
  • Min - Specifies the minimum port number of the specified service entry.
  • Max - Specifies the maximum port number of the specified service entry. The value range is 0 to 65535.
  Notes:
  • The minimum port number cannot exceed the maximum port number.
  • The minimum destination port number is required. Other fields are optional.
  • When the maximum port number is left blank, the system takes the minimum value as the port number.

Description: If needed, enter the description of the service.

3. Click OK.

Configuring a User-defined Service Group

1. Select Object > Service Book > Service Group.

2. Click New.

Configure the following options.

Service Group Configuration

Name: Specifies the name of the user-defined service group.

Member: Specifies the members of the service group. Click + to expand the Member dialog box and select services or service groups to add them to the service group. The system supports at most 8 layers of nested service groups. To delete a member, click ×.

Description: If needed, enter the description of the service group.

3. Click OK.
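The port-range notes above and the nesting and deletion limits of service groups can be exercised with a small model, added here as an example and not Hillstone code. The class and method names, the policy_refs bookkeeping standing in for "used by a policy", the cascade of a group deletion into other groups, and the choice to count a group of plain services as one nesting layer are assumptions.

```python
class ServiceBook:
    """Custom services and service groups with the validation rules the guide states."""

    MAX_NEST = 8

    def __init__(self):
        self.services = {}  # name -> {"protocol", "dst": (min, max), "src": (min, max) or None}
        self.groups = {}    # name -> list of member names (services or groups)
        self.policy_refs = set()  # names currently used by a policy (assumed bookkeeping)

    @staticmethod
    def _port_range(minimum, maximum=None):
        if maximum is None:  # blank Max: the minimum alone is the port
            maximum = minimum
        for p in (minimum, maximum):
            if not 0 <= p <= 65535:
                raise ValueError(f"port {p} outside 0..65535")
        if minimum > maximum:
            raise ValueError("minimum port cannot exceed maximum port")
        return minimum, maximum

    def add_service(self, name, protocol, dst_min, dst_max=None, src_min=None, src_max=None):
        if name in self.groups:
            raise ValueError("a service and a service group cannot share a name")
        svc = {"protocol": protocol.lower(), "dst": self._port_range(dst_min, dst_max)}
        svc["src"] = self._port_range(src_min, src_max) if src_min is not None else None
        self.services[name] = svc

    def depth(self, group):
        """1 for a group holding only services; +1 per nested group level (assumption)."""
        return 1 + max((self.depth(m) for m in self.groups[group] if m in self.groups), default=0)

    def add_group(self, name, members):
        if name in self.services:
            raise ValueError("a service and a service group cannot share a name")
        if name in members:
            raise ValueError("a group cannot contain itself")
        for m in members:
            if m not in self.services and m not in self.groups:
                raise KeyError(f"unknown member {m}")
        self.groups[name] = list(members)
        if self.depth(name) > self.MAX_NEST:
            del self.groups[name]
            raise ValueError(f"service groups nest at most {self.MAX_NEST} layers")

    def delete_group(self, name):
        if name in self.policy_refs:
            raise ValueError(f"{name} is used by a policy; remove that reference first")
        del self.groups[name]
        for members in self.groups.values():
            while name in members:
                members.remove(name)

    def delete_service(self, name):
        """Guide: a deleted service also leaves every group that referenced it."""
        del self.services[name]
        for members in self.groups.values():
            while name in members:
                members.remove(name)

    def matches(self, service, protocol, dst_port, src_port=None):
        """Does a packet with these protocol/ports fall under the service?"""
        svc = self.services[service]
        if svc["protocol"] != protocol.lower():
            return False
        lo, hi = svc["dst"]
        if not lo <= dst_port <= hi:
            return False
        if svc["src"] is None:
            return True
        lo, hi = svc["src"]
        return src_port is not None and lo <= src_port <= hi


if __name__ == "__main__":
    sb = ServiceBook()
    sb.add_service("ftp-ctl", "tcp", 21)           # Max left blank -> single port
    sb.add_group("file-transfer", ["ftp-ctl"])
    print(sb.services["ftp-ctl"], sb.depth("file-transfer"))
```

Keeping the validation in one place makes the guide's three notes testable: a blank maximum collapses to the minimum, a minimum above the maximum is rejected before the entry is stored, and a ninth nesting layer is refused without leaving a half-built group behind.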

Viewing Details

To view the details of a service entry, including its name, protocol, destination port and references, take the following steps:

1. Click Object > Service Book > Service.

2. On the Service page, click + in front of a service entry to view its details.

Details

Description: View the detailed description of the service.

Referenced By

Service Group: View information about the service groups that reference this service.

SNAT: View information about the SNAT rules that reference this service.

DNAT: View information about the DNAT rules that reference this service.

Track Object
The device provides the Track Object function to track whether a specified object (IP address or host) is reachable or whether a specified interface is connected. This function is designed to track HA and interfaces.

Creating a Track Object

To create a track object, take the following steps:

1. Select Object > Track Object.

2. Click New.

Configure the following options.

Option Description

Name: Specifies a name for the new track object.

Threshold: Specifies the threshold for the track object. If the sum of the weights of the failed entries in the track object exceeds the threshold, the system concludes that the whole track object fails.

Track Type: Select a track object type. One track object can only be configured with one type.
  Select Interface:
  • Click Add in the Add Track Members section and then configure the following options in the Add Interface Member panel:
    • Interface - Select a track interface from the drop-down list.
    • Weight - Specifies a weight for the interface, i.e. the weight this track entry contributes to the overall failure of the whole track object if it fails.
  Select HTTP/ICMP/ICMPv6/ARP/NDP/DNS/TCP:
  • Click Add in the Add Track Members section, select a packet type from the drop-down list, and then configure the following options:
    • IP Type - Specifies the IP type for the track object when the track is implemented by HTTP/DNS/TCP packets.
    • IP/Host - Specifies an IP address or host name for the track object when the track is implemented by HTTP/ICMP/ICMPv6/TCP packets.
    • IP - Specifies an IP address for the track object when the track is implemented by ARP/NDP packets.
    • DNS - Specifies a domain for the track object when the track is implemented by DNS packets.
    • Port - Specifies a port for the track object when the track is implemented by TCP packets.
    • Weight - Specifies the weight this track entry contributes to the overall failure of the whole track object if it fails. The value range is 1 to 255. The default value is 255.
    • Retries - Specifies a retry threshold. If no response packet is received after the specified number of retries, the system determines that this track entry fails, i.e. the track entry is unreachable. The value range is 1 to 255. The default value is 3.
    • Interval - Specifies the interval for sending HTTP/ICMP/ICMPv6/ARP/NDP/DNS/TCP packets. The value range is 1 to 255 seconds. The default value is 3.
    • Egress Interface - Specifies the egress interface from which HTTP/ICMP/ICMPv6/ARP/NDP/DNS/TCP packets are sent.
    • Source Interface - Specifies the source interface for HTTP/ICMP/ICMPv6/DNS/TCP packets.
  Select Traffic Quality:
  • Click Add in the Add Track Members section and then configure the following options in the Add Traffic Quality Member panel:
    • Interface - Specifies the name of the tracked interface.
    • Interval - Specifies the duration of each track period, in seconds. The value range is 1 to 255. The default value is 3. After a track period finishes, the system resets the tracked value of new sessions.
    • Retries - Specifies the threshold at which the track entry is concluded to have failed. The value range is 1 to 255. The default value is 3.
    • Weight - Specifies how much this track entry's failure counts toward the failure of the track object. The value range is 1 to 255. The default value is 255.
    • Low Watermark - Specifies the failure threshold of the new session success rate. The value range is 0 to 100. The default value is 30. During a track period, when the new session success rate falls below the specified low watermark, the system concludes that the track has failed.
    • High Watermark - Specifies the success threshold of the new session success rate. The value range is 0 to 100. The default value is 50. During a track period, when the new session success rate exceeds the specified high watermark, the system concludes that the track is successful.
  Note: During a track period, when the new session success rate is equal to or above the low watermark and equal to or below the high watermark, the system keeps the previous track state.

HA sync: Click the button to enable the HA sync function. The primary device synchronizes its information with the backup device.

3. Click OK. The created track object is displayed in the track object list.
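How the threshold, the weights, the retries and the two watermarks combine is easier to follow in code. The following is an added example and not Hillstone code; counting retries as consecutive unanswered probes and the dictionary layout of the members are assumptions, while the ranges and defaults are the ones listed in the table above.

```python
def validate_member(weight=255, retries=3, interval=3):
    """Enforce the 1..255 ranges the guide gives for weight, retries and interval."""
    for label, value in (("weight", weight), ("retries", retries), ("interval", interval)):
        if not 1 <= value <= 255:
            raise ValueError(f"{label} must be 1..255, got {value}")
    return {"weight": weight, "retries": retries, "interval": interval}


def probe_entry_failed(responses, retries=3):
    """A probe member fails once `retries` consecutive probes get no answer.

    `responses` is the probe history, True for answered. Treating the retry
    threshold as consecutive misses is an assumption.
    """
    misses = 0
    for answered in responses:
        misses = 0 if answered else misses + 1
        if misses >= retries:
            return True
    return False


def quality_state(previous, success_rate, low=30, high=50):
    """Traffic Quality member with low/high watermark hysteresis.

    Below the low watermark -> "failed"; above the high watermark ->
    "success"; in between (inclusive) the previous state is kept, as the
    note in the table says. Defaults are the guide's 30 and 50.
    """
    if not 0 <= low <= high <= 100:
        raise ValueError("watermarks must satisfy 0 <= low <= high <= 100")
    if success_rate < low:
        return "failed"
    if success_rate > high:
        return "success"
    return previous


def track_object_failed(members, threshold):
    """The whole object fails when the weights of failed members sum past the threshold."""
    return sum(m["weight"] for m in members if m["failed"]) > threshold


def evaluate(threshold, probe_members, quality_members):
    """Combine probe members (with a response history) and traffic-quality
    members (with a measured success rate) into one verdict."""
    failed = []
    for m in probe_members:
        failed.append({"weight": m["weight"],
                       "failed": probe_entry_failed(m["responses"], m["retries"])})
    for m in quality_members:
        state = quality_state(m["previous"], m["success_rate"], m["low"], m["high"])
        failed.append({"weight": m["weight"], "failed": state == "failed"})
    return track_object_failed(failed, threshold)


if __name__ == "__main__":
    # Constructed members: an unreachable TCP probe and a degraded interface.
    probes = [{"weight": 200, "responses": [False, False, False], "retries": 3}]
    quality = [{"weight": 100, "previous": "success", "success_rate": 25, "low": 30, "high": 50}]
    print(evaluate(250, probes, quality), evaluate(300, probes, quality))
```

The hysteresis band is what keeps a link that hovers around 40% from flapping between states every period, and the strict "exceeds" comparison on the threshold means a single member with the default weight of 255 does not fail an object whose threshold is also 255.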

Schedule
The system supports schedules. This function allows a policy rule to take effect in a specified period. A schedule consists of a periodic schedule and an absolute schedule. The periodic schedule specifies a point in time or time range for periodic schedule entries, while the absolute schedule decides the time range in which the periodic schedule takes effect.

Periodic Schedule

A periodic schedule is the collection of periods specified by all of the schedule entries within the schedule. You can add up to 16 schedule entries to a periodic schedule. These entries can be divided into 3 types:

• Daily: The specified time of every day, such as every day 09:00 to 18:00.

• Days: The specified time on specified days of the week, such as Monday, Tuesday and Saturday 09:00 to 13:30.

• Period: A continuous period during a week, such as from Monday 09:30 to Wednesday 15:00.

Absolute Schedule

An absolute schedule is the time range in which a periodic schedule takes effect. If no absolute schedule is specified, the periodic schedule takes effect as soon as it is used by some module. If the absolute schedule has expired, the status of the schedule is inactive; if it has not expired, the status of the schedule is active.

Creating a Schedule
To create a schedule, take the following steps:

1. Select Object > Schedule.

2. Click New.

Configure the following options.

Schedule Configuration Page

Name: Specifies a name for the new schedule.

Add: Specifies a type for the periodic schedule in the Add Periodic Schedules panel.
  Type:
  •⁠ Daily - The specified time of every day. Click Daily, and then, in the Time section, select a start time and an end time from the Start Time and End Time drop-down lists respectively.
  • Days - The specified time on specified days of the week. Click Days, then select the day(s) in the Days and Time section, and finally select a start time and an end time from the Start Time and End Time drop-down lists respectively.
  • Duration - A continuous period during a week. Click Duration, and then in the Duration section select a start day/time and an end day/time from the Start Time and End Time drop-down lists respectively.
  Preview: Preview the details of the configured periodic schedule in the Preview section.

Delete: Select the entry you want to delete from the periodic schedule list below, and click Delete.

Absolute Schedule: Specifies the start time and end time of the absolute schedule.

3. Click OK.

Network
This chapter describes factors and configurations related to network connections, including:

• Security Zone: A security zone divides the network into different sections, such as the trust zone and the untrust zone. The device can control the traffic flow from and to security zones once the configured policy rules have been applied. For a Layer 3 zone, you also need to configure the IP address.

• Interface: An interface allows inbound and outbound traffic to flow to security zones. An interface must be bound to a security zone so that traffic can flow into and from the security zone.

• Interface Group: The system binds the status of several interfaces to form a logical group. If any interface in the group is faulty, the status of the other interfaces will be down.

• Security Policy: A security policy controls traffic forwarding between security zones/segments.

• LLDP: LLDP (Link Layer Discovery Protocol) is a neighbor discovery protocol defined in IEEE 802.1ab, which provides a discovery method for link-layer networks. By means of LLDP, the system can quickly learn the topology of the Layer 2 network and its changes when the network expands rapidly.

• DNS: Domain Name System.

• Virtual-Wire: A virtual wire allows direct Layer 2 communication between sub-networks.

• Virtual Router: A Virtual Router (VRouter for short) acts as a router. Different Virtual Routers have their own independent routing tables.

• Virtual Switch: Running on Layer 2, a VSwitch acts as a switch. Once a Layer 2 security zone is bound to a VSwitch, all the interfaces bound to that zone will also be bound to the VSwitch.

• Routing: Configure routing manually and specify the next hop according to the destination.

• Global Network Parameters: These parameters mainly include the IP packet processing options, like IP fragmentation, TCP MSS value, etc.

• NAT: The system supports the NAT function by configuring and implementing NAT rules, which can be categorized as SNAT rules and DNAT rules.

Zone
Zone is a logical entity. One or more interfaces can be bound to one zone. A zone applied with a
policy is known as a security zone, while a zone created for a specific function is known as a func-
tional zone. Zones have the following features:

• An interface should be bound to a zone. A Layer 2 zone will be bound to a VSwitch, while a Layer 3 zone will be bound to a VRouter. Therefore, the VSwitch to which a Layer 2 zone is bound decides which VSwitch the interfaces in that Layer 2 zone belong to, and the VRouter to which a Layer 3 zone is bound decides which VRouter the interfaces in that Layer 3 zone belong to.

• Interfaces in Layer 2 and Layer 3 zones work in Layer 2 mode and Layer 3 mode respectively.

• The system supports intra-zone policies, like a trust-to-trust policy rule.

There are 7 pre-defined security zones, which are mgt, trust, untrust, L2-trust, L2-untrust, L2-
dmz, HA (HA functional zone), and tap-waf. You can also customize security zones. Pre-defined
security zones and user-defined security zones have no difference in functions, so you can make
your choice freely.

Configuring a Security Zone

To create a security zone, take the following steps:

1. Select Network > Zone.

2. Click New.

3. On the Zone Configuration page, enter the name of the zone into the Zone box. The value
range is 1-31 characters.

4. Enter the descriptions of the zone in the Description text box as needed. The value range is
0-63 characters.

5. Specify a type for the security zone. For a Layer 2 zone, select a VSwitch for the zone from the VSwitch drop-down list below. For a Layer 3 zone, select a VRouter from the Virtual Router drop-down list. If TAP is selected, the zone created is a tap zone, which is used in Bypass mode.

6. Bind interfaces to the zone. Select an interface from the Binding Interface drop-down list.

7. If needed, enable Threat Protection and configure the parameters for Threat Protection func-
tion. For detailed instructions, see "Threat Prevention" on Page 319.

8. Click OK.

Notes:
• Pre-defined zones cannot be deleted.

• When changing the VSwitch or VRouter to which a zone belongs, make sure there is no interface bound to the zone.

Interface
Interfaces allow inbound and outbound traffic to flow to security zones. An interface must be
bound to a security zone so that traffic can flow into and from the security zone. Furthermore, for
the Layer 3 security zone, an IP address should be configured for the interface. Multiple interfaces
can be bound to one security zone, but one interface cannot be bound to multiple security zones.
The security devices support various types of interfaces which are basically divided into physical
and logical interfaces based on their nature.

• Physical Interface: Each Ethernet interface on the device represents a physical interface. The name of a physical interface, consisting of media type, slot number and location parameter, is pre-defined, like ethernet2/1 or ethernet0/2.

• Logical Interface: Logical interfaces include the sub-interface, VSwitch interface, loopback interface, aggregate interface, and Virtual Forward interface.

Interfaces can also be divided into Layer 2 interface and Layer 3 interface based on their security
zones.

• Layer 2 Interface: Any interface in a Layer 2 zone.

• Layer 3 Interface: Any interface in a Layer 3 zone. Only Layer 3 interfaces can operate in NAT/routing mode.

Different types of interfaces provide different functions, as described in the table below.

Sub-interface: The name of a sub-interface is an extension of the name of its original interface, like ethernet0/2.1. The system supports the following types of sub-interfaces: Ethernet sub-interface and aggregate sub-interface. An interface and its sub-interfaces can be bound to one single security zone, or to different zones.

VSwitch interface: A Layer 3 interface that represents the collection of all the interfaces of a VSwitch. The VSwitch interface is virtually the upstream interface of a switch that implements packet forwarding between Layer 2 and Layer 3.

Loopback interface: A logical interface. If the security device on which the loopback interface is configured is in the working state, the loopback interface will be in the working state as well. Therefore, the loopback interface is characterized by stability.

Aggregate interface: A collection of 1 to 16 physical interfaces. These interfaces share the traffic load to the IP address of the aggregate interface equally, in an attempt to increase the available bandwidth for a single IP address. If one of the physical interfaces within an aggregate interface fails, the other physical interfaces can still process the traffic normally. The only effect is that the available bandwidth will decrease.

Virtual Forward interface: In an HA environment, the Virtual Forward interface is the HA group's interface. It is designed for traffic transmission.

Configuring an Interface

Creating a Virtual Forward Interface

To create a virtual forward interface, take the following steps:

1. Select Network > Interface.

2. Select Virtual Forward Interface from the New drop-down list.

3. Configure the following options.

Interface Name: Specifies a name for the virtual forward interface.

Description: Enter descriptions for the virtual forward interface.

Binding Interface: Specifies the zone type. If Layer 2 Interface or Layer 3 Interface is selected, you should continue to select a zone from the Zone drop-down list. If Layer 3 Interface is selected, you can work with a firewall by specifying firewall details (the firewall's IP address, port number of the SSH protocol, user name, and password) under Firewall Linkage Configuration. If No Binding is selected, the interface will not be bound to any zone.

Zone: Select the security zone from the drop-down list.

IP Configuration

Static IP: IP address: Specifies an IP address for the interface. Netmask: Specifies a netmask for the interface. Set as Local IP: In an HA environment, if this option is selected, the interface IP will not be synchronized to the HA peer.
Advanced:
• Management IP: Specifies a management IP for the interface. Type the IP address into the box.
• Secondary IP: Specifies secondary IPs for the interface. You can specify up to 10 secondary IP addresses.

DHCP: Set gateway information from DHCP server as the default gateway route: With this check box selected, the system will set the gateway information provided by the DHCP server as the default gateway route.
Advanced:
• Distance: Specifies a route distance. The value range is 1 to 255. The default value is 1.
• Weight: Specifies a route weight. The value range is 1 to 255. The default value is 1.
• Management Priority: Specifies a priority for the DNS server. Except for static DNS servers, the system can also learn DNS servers dynamically via DHCP or PPPoE. Therefore, you need to configure priorities for the DNS servers so that the system can choose a DNS server according to its priority during DNS resolution. The priority is a number from 1 to 255. The larger the number, the higher the priority. The priority of static DNS servers is 20.
• Classless Static Routes: Enables the classless static routing function. When this function is enabled, the DHCP client will send a request message with Option 121 (i.e., the classless static route option) to the server, and the server will return the classless static route information. Finally, the client will add the classless static route information to the routing table.

Management: Select one or more management method check boxes to configure the interface management method.

Firewall Linkage Configuration

Firewall Linkage Configuration: When Layer 3 Interface is selected as the binding interface, you can continue to configure the IP address, port, user name, and password of the linked firewall. If attack traffic is detected by the device and an IP blacklist is generated, the system synchronously sends the IP blacklist to the linked firewall. The firewall will block traffic from the attack source IP. Suggestion: configure Firewall Linkage Configuration on only one Layer 3 interface.
• IP: Specifies the accessible IP address of the firewall to be linked.
• Port: Specifies the accessible port of the firewall to be linked.
• User: Specifies the user name of the firewall to be linked.
• Password: Specifies the password of the firewall to be linked.
4. In the Interface Properties section, configure properties for the interface.

MTU: Specifies an MTU for the interface. The value range is 1280 to 1600 bytes. The default value is 1500. The maximum MTU may vary between devices.

ARP Learning: Click the button to enable ARP learning.

ARP Timeout: Specifies an ARP timeout for the interface. The value range is 5 to 65535 seconds. The default value is 1200.

Keep-alive IP: Specifies an IP address that receives the interface's keep-alive packets.

MAC Clone: Specifies the MAC address which the system clones on the Ethernet sub-interface. If you click Restore Default MAC, the Ethernet sub-interface will restore the default MAC address.

5. In the Advanced Configuration section, configure advanced options for the interface.

Reverse Route: Enable or disable the reverse route as needed:

• Enable: Forces the use of a reverse route. If the reverse route is not available, packets will be dropped. This option is enabled by default.

• Close: The reverse route will not be used. When reaching the interface, the reverse data stream will be returned along its original route without any reverse route check. That is, reverse packets will be sent from the ingress interface on which the original packets arrived.

• Auto: The reverse route will be prioritized. If available, the reverse route will be used to send packets; otherwise the ingress interface on which the original packets arrived will be used as the egress interface that sends reverse packets.

Shutdown: The system supports interface shutdown. Select the Shut down check box to shut down the interface.

6. In the IPv6 Configuration section, configure the following.

Enable: Enables IPv6 on the interface.

IPv6 Address: Specifies the IPv6 address prefix.

Prefix Length: Specifies the prefix length.

Autoconfig: Select the check box to enable the auto-config function. In address auto-config mode, the interface first receives the address prefix in RA packets, and then combines it with the interface identifier to generate a global address.
• Set Default Route - If the interface is configured with a default router, this option will generate a default route to the default router.

DHCP: Select the DHCP check box to enable the DHCP client for the interface. After enabling, the system will act as a DHCPv6 client and obtain IPv6 addresses from the DHCP server. Selecting the Rapid-commit option can help to get IPv6 addresses from the server quickly. You need to enable the Rapid-commit function on both the DHCP client and the server.

Advanced

Static: Click New to add IPv6 addresses. You can add up to 5 IPv6 addresses. Click Delete to delete an IPv6 address.

Dynamic: Shows the dynamically obtained IPv6 addresses.

Link-local: Specifies the link-local address. A link-local address is used for communication between adjacent nodes on a single link, for example, communication between hosts when there are no routers on the link. By default, the system will generate a link-local address for the interface automatically if IPv6 is enabled on the interface. You can also specify a link-local address for the interface as needed, and the specified link-local address will replace the automatically generated one.

MTU: Specifies an IPv6 MTU for the interface. The default MTU value is 1500 bytes. The range is 1280 bytes to 1600 bytes.

DAD Attempts: Specifies the number of NS packet attempts. The value range is 0 to 20. Value 0 indicates DAD is not enabled on the interface. DAD (Duplicate Address Detection) is designed to verify the uniqueness of IPv6 addresses. This function is implemented by sending NS (Neighbor Solicitation) requests. After receiving an NS packet, if any other host on the link finds that the address of the NS requester is duplicated, it will send an NA (Neighbor Advertisement) packet advertising that the address is already in use, and then the NS requester will mark the address as duplicate, indicating that the address is an invalid IPv6 address.

ND Interval: Specifies an interval for sending NS packets. The range is 1,000 to 3,600,000 milliseconds.

ND Reachable Time: Specifies the reachable time. After sending an NS packet, if the interface receives an acknowledgment from a neighbor within the specified time, it will consider the neighbor reachable. This time is known as the reachable time.

Hop Limit: Specifies the hop limit. The hop limit refers to the maximum number of hops for IPv6 or RA packets sent by the interface. The value range is 0 to 255.

ND RA Suppress: Click the button to disable RA suppression on LAN interfaces. By default, an FDDI interface configured with an IPv6 unicast route will send RA packets automatically, and interfaces of other types will not send RA packets.

Manage IP/MASK: Specifies the management IP/mask.

7. Click OK.
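To make the three Reverse Route settings from step 5 concrete, here is an added Python example (not the product's implementation) that picks the egress interface for reply traffic under each setting, using a longest-prefix lookup for the reverse route. The routing table, interface names and addresses are constructed.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# One routing-table entry: a destination prefix and the interface that reaches it.
RoutingEntry = Tuple[IPv4Network, str]

REVERSE_ROUTE_MODES = ("enable", "close", "auto")


def lookup_route(table: List[RoutingEntry], address: IPv4Address) -> Optional[str]:
    """Longest-prefix match: the egress interface toward `address`, or None if unrouted."""
    best: Optional[RoutingEntry] = None
    for prefix, iface in table:
        if address in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best is not None else None


def reverse_egress(table: List[RoutingEntry], mode: str,
                   ingress_iface: str, original_src: IPv4Address) -> Optional[str]:
    """Interface that carries reply packets back toward `original_src`.

    enable: the reverse route is mandatory; with no route the reply is dropped (None)
    close:  no reverse route check; replies leave via the interface the request came in on
    auto:   the reverse route is preferred, the ingress interface is the fallback
    """
    if mode not in REVERSE_ROUTE_MODES:
        raise ValueError(f"unknown reverse route mode: {mode!r}")
    if mode == "close":
        return ingress_iface
    via_route = lookup_route(table, original_src)
    if mode == "enable":
        return via_route  # None means the reply is dropped
    return via_route if via_route is not None else ingress_iface  # auto


# Constructed sample routing table without a default route, so "enable" can drop.
SAMPLE_TABLE: List[RoutingEntry] = [
    (IPv4Network("192.0.2.0/24"), "ethernet0/1"),   # upstream segment
    (IPv4Network("10.1.0.0/16"), "ethernet0/2"),    # internal server segment
    (IPv4Network("10.1.5.0/24"), "ethernet0/3"),    # more specific management segment
]


def decide(mode: str, ingress_iface: str, src: str,
           table: List[RoutingEntry] = SAMPLE_TABLE) -> Optional[str]:
    """String-based wrapper: which interface sends the reply to a packet from `src`?"""
    return reverse_egress(table, mode, ingress_iface, IPv4Address(src))


if __name__ == "__main__":
    for mode in REVERSE_ROUTE_MODES:
        for src in ("10.1.5.9", "10.1.7.9", "203.0.113.7"):
            print(f"{mode:6} src={src:12} reply via {decide(mode, 'ethernet0/1', src)}")
```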

Creating a Loopback Interface

To create a loopback interface, take the following steps:

1. Select Network > Interface.

2. Select Loopback Interface from the New drop-down list.

Configure the following options.

Interface Name: Specifies a name for the loopback interface.

Description: Enter descriptions for the loopback interface.

Binding Interface: Specifies the zone type. If Layer 3 Interface is selected, you should continue to select a zone from the Zone drop-down list. You can work with a firewall by specifying firewall details (the firewall's IP address, port number of the SSH protocol, user name, and password) under Firewall Linkage Configuration. If No Binding is selected, the interface will not be bound to any zone.

Zone: Select the security zone from the drop-down list.

HA sync: Click this button to enable the HA Sync function, which disables the Local property and uses the virtual MAC; the primary device will synchronize its information with the backup device. Not clicking this button disables the HA Sync function, which enables the Local property and uses the original MAC; the primary device will not synchronize its information with the backup device.

IP Configuration

Static IP: IP address: Specifies an IP address for the interface. Netmask: Specifies a netmask for the interface. Set as Local IP: In an HA environment, if this option is selected, the interface IP will not be synchronized to the HA peer.
Advanced:
• Management IP: Specifies a management IP for the interface. Type the IP address into the box.
• Secondary IP: Specifies secondary IPs for the interface. You can specify up to 10 secondary IP addresses.

DHCP: Set gateway information from DHCP server as the default gateway route: With this check box selected, the system will set the gateway information provided by the DHCP server as the default gateway route.
Advanced:
• Distance: Specifies a route distance. The value range is 1 to 255. The default value is 1.
• Weight: Specifies a route weight. The value range is 1 to 255. The default value is 1.
• Management Priority: Specifies a priority for the DNS server. Except for static DNS servers, the system can also learn DNS servers dynamically via DHCP or PPPoE. Therefore, you need to configure priorities for the DNS servers so that the system can choose a DNS server according to its priority during DNS resolution. The priority is a number from 1 to 255. The larger the number, the higher the priority. The priority of static DNS servers is 20.
• Classless Static Routes: Enables the classless static routing function. When this function is enabled, the DHCP client will send a request message with Option 121 (i.e., the classless static route option) to the server, and the server will return the classless static route information. Finally, the client will add the classless static route information to the routing table.

Management: Select one or more management method check boxes to configure the interface management method.

Firewall Linkage Configuration

Firewall Linkage Configuration: When Layer 3 Interface is selected as the binding interface, you can continue to configure the IP address, port, user name, and password of the linked firewall. If attack traffic is detected by the device and an IP blacklist is generated, the system synchronously sends the IP blacklist to the linked firewall. The firewall will block traffic from the attack source IP. Suggestion: configure Firewall Linkage Configuration on only one Layer 3 interface.
• IP: Specifies the accessible IP address of the firewall to be linked.
• Port: Specifies the accessible port of the firewall to be linked.
• User: Specifies the user name of the firewall to be linked.
• Password: Specifies the password of the firewall to be linked.

3. "In the Interface Properties section, configure properties for the interface." on Page 442

4. "In the Advanced Configuration section, configure advanced options for the interface." on
Page 442

5. "In the IPv6 Configuration section, configure the following." on Page 443

6. Click OK.
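The Classless Static Routes option in the DHCP rows of the interface tables above relies on DHCP option 121, whose value packs each route as a prefix width, only the significant destination octets, and a router address. The following added Python example (not Hillstone code) decodes that wire format into routing-table entries carrying the default distance and weight of 1, and rejects truncated or malformed routes; the sample payload, interface name and router addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Tuple

Route = Tuple[IPv4Network, IPv4Address]  # (destination prefix, next-hop router)


def parse_option_121(payload: bytes) -> List[Route]:
    """Decode a DHCP option 121 value (RFC 3442 classless static route option).

    Each route is encoded as: one byte prefix width, then only the significant
    octets of the destination (ceil(width / 8) of them), then a 4-byte router.
    A width of 0 carries no destination octets and denotes the default route.
    """
    routes: List[Route] = []
    pos = 0
    while pos < len(payload):
        width = payload[pos]
        if width > 32:
            raise ValueError(f"invalid prefix width {width} at offset {pos}")
        sig = (width + 7) // 8
        pos += 1
        if pos + sig + 4 > len(payload):
            raise ValueError(f"truncated route at offset {pos - 1}")
        dest = payload[pos:pos + sig] + b"\x00" * (4 - sig)  # pad to a full address
        pos += sig
        router = IPv4Address(payload[pos:pos + 4])
        pos += 4
        # strict=True rejects a destination with host bits set instead of masking it silently.
        routes.append((IPv4Network((dest, width), strict=True), router))
    return routes


def encode_option_121(routes: List[Route]) -> bytes:
    """Inverse of parse_option_121; used here to build the constructed sample."""
    out = bytearray()
    for dest, router in routes:
        sig = (dest.prefixlen + 7) // 8
        out.append(dest.prefixlen)
        out += dest.network_address.packed[:sig]
        out += router.packed
    return bytes(out)


@dataclass(frozen=True)
class RouteEntry:
    """Routing-table entry as the DHCP client would add it (distance and weight default to 1)."""
    destination: IPv4Network
    next_hop: IPv4Address
    interface: str
    distance: int = 1
    weight: int = 1


def install_routes(payload: bytes, interface: str,
                   distance: int = 1, weight: int = 1) -> List[RouteEntry]:
    """Turn a received option 121 value into routing-table entries for the DHCP interface."""
    if not 1 <= distance <= 255 or not 1 <= weight <= 255:
        raise ValueError("distance and weight must be in the range 1 to 255")
    return [RouteEntry(dest, router, interface, distance, weight)
            for dest, router in parse_option_121(payload)]


# Constructed sample: what a server might return to a client on 192.0.2.0/24 (not a capture).
SAMPLE_OPTION_121 = encode_option_121([
    (IPv4Network("10.0.0.0/8"), IPv4Address("192.0.2.1")),
    (IPv4Network("172.16.4.0/22"), IPv4Address("192.0.2.1")),    # three significant octets
    (IPv4Network("192.168.1.0/24"), IPv4Address("192.0.2.254")),
    (IPv4Network("0.0.0.0/0"), IPv4Address("192.0.2.1")),         # default route, width 0
])


if __name__ == "__main__":
    print(SAMPLE_OPTION_121.hex())
    for entry in install_routes(SAMPLE_OPTION_121, interface="ethernet0/2"):
        print(entry)
```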

Creating an Aggregate Interface

To create an aggregate interface, take the following steps:

1. Select Network > Interface.

2. Select Aggregate Interface from the New drop-down list.

3. On this page, configure the following options.

Interface Name: Specifies a name for the aggregate interface.

Description: Enter descriptions for the aggregate interface.

Binding Interface: Specifies the zone type. If Layer 2 Interface, Layer 3 Interface, or TAP is selected, you should continue to select a zone from the Zone drop-down list. If Layer 3 Interface or TAP is selected, you can work with a firewall by specifying firewall details (the firewall's IP address, port number of the SSH protocol, user name, and password) under Firewall Linkage Configuration. If No Binding is selected, the interface will not be bound to any zone.

Zone: Select the security zone from the drop-down list.

Aggregate Mode: Specifies the aggregation method.

• Forced: Aggregates multiple physical interfaces to form an aggregate interface. These physical interfaces will share the traffic passing through the aggregate interface equally.

• LACP: Enables LACP on the interface to negotiate aggregate interfaces dynamically. The LACP options are:

  • System priority: Specifies the LACP system priority. The value range is 1 to 32768; the default value is 32768. This parameter is used to ensure that the interfaces at the two ends are consistent. The system will select interfaces based on the end with the higher LACP system priority. The smaller the value, the higher the priority. If the LACP system priorities of the two ends are equal, the system will compare the MACs of the two ends. The smaller the MAC, the higher the priority.

  • Max bundle: Specifies the maximum number of active interfaces. The value range is 1 to 16; the default value is 16. When the active interfaces reach the maximum number, the status of the other legal interfaces will change to Standby.

  • Min bundle: Specifies the minimum number of active interfaces. The value range is 1 to 8; the default value is 1. When the active interfaces reach the minimum number, the status of all the legal interfaces in the aggregation group will change to Standby automatically and they will not forward any traffic.

HA sync: Click the button to enable the HA sync function. The primary device will synchronize its information with the backup device.

IP Configuration

Static IP: IP address: Specifies an IP address for the interface. Netmask: Specifies a netmask for the interface. Set as Local IP: In an HA environment, if this option is selected, the interface IP will not be synchronized to the HA peer.
Advanced:
• Management IP: Specifies a management IP for the interface. Type the IP address into the box.
• Secondary IP: Specifies secondary IPs for the interface. You can specify up to 6 secondary IP addresses.

DHCP: Set gateway information from DHCP server as the default gateway route: With this check box selected, the system will set the gateway information provided by the DHCP server as the default gateway route.
Advanced:
• Distance: Specifies a route distance. The value range is 1 to 255. The default value is 1.
• Weight: Specifies a route weight. The value range is 1 to 255. The default value is 1.
• Management Priority: Specifies a priority for the DNS server. Except for static DNS servers, the system can also learn DNS servers dynamically via DHCP or PPPoE. Therefore, you need to configure priorities for the DNS servers so that the system can choose a DNS server according to its priority during DNS resolution. The priority is a number from 1 to 255. The larger the number, the higher the priority. The priority of static DNS servers is 20.
• Classless Static Routes: Enables the classless static routing function. When this function is enabled, the DHCP client will send a request message with Option 121 (i.e., the classless static route option) to the server, and the server will return the classless static route information. Finally, the client will add the classless static route information to the routing table.

Management: Select one or more management method check boxes to configure the interface management method.

Binding Port: Specify a physical port for the interface. Select a port from the drop-down list. The port cannot belong to any other interface or zone.

TAP Configuration

Control Interface: Specify the control interface of the tap configuration, which is used to send TCP RST control packets. This parameter can be configured when Binding Interface is set to TAP. In tap deployment mode, if the device has the Attack Block switch turned on and traffic matches a security policy with a blocking action, the system will send TCP RST control packets to both the client and the web server via the control interface, reset the TCP connection, and thus block the traffic. By default, the control interface is the tap interface itself. During configuration, ensure that the control interface can successfully send packets to both the client and the web server.
Note: The control interface is only effective in tap deployment mode when the Attack Block switch is turned on. The Attack Block switch needs to be turned on in System > WAF Global Configuration > Global Parameter Configuration. Only aggregate interfaces and Ethernet interfaces can be used as control interfaces.

Firewall Linkage Configuration

Firewall Linkage Configuration: When Layer 3 Interface or TAP is selected as the binding interface, you can continue to configure the IP address, port, user name, and password of the linked firewall. If attack traffic is detected by the device and an IP blacklist is generated, the system synchronously sends the IP blacklist to the linked firewall. The firewall will block traffic from the attack source IP. Suggestion: configure Firewall Linkage Configuration on only one Layer 3 interface or TAP interface.
• IP: Specifies the accessible IP address of the firewall to be linked.
• Port: Specifies the accessible port of the firewall to be linked.
• User: Specifies the user name of the firewall to be linked.
• Password: Specifies the password of the firewall to be linked.

4. "In the Interface Properties section, configure properties for the interface." on Page 442

5. "In the Advanced Configuration section, configure advanced options for the interface." on
Page 442

6. In the Load Balance section, configure a load balancing mode for the interface. "Flow-based" means enabling automatic load balancing based on the flow. This is the default mode. "Tuple" means enabling load balancing based on the source/destination IP, source/destination MAC, source/destination interface or protocol type of the packet, or a combination of the selected items.

7. "In the IPv6 Configuration section, configure the following." on Page 443

8. Click OK.

Creating an Ethernet Sub-interface/ Aggregate Sub-interface

To create an ethernet sub-interface/ aggregate sub-interface, take the following steps:

1. Select Network > Interface.

2. Select Ethernet Sub-interface/Aggregate Sub-interface from the New drop-down list.

3. Configure the following options.

Interface Name: Specifies a name for the Ethernet sub-interface or the aggregate sub-interface.

Description: Enter descriptions for the Ethernet sub-interface or the aggregate sub-interface.

Binding Interface: Specifies the zone type. If Layer 2 Interface or Layer 3 Interface is selected, you should continue to select a zone from the Zone drop-down list. If Layer 3 Interface is selected, you can work with a firewall by specifying firewall details (the firewall's IP address, port number of the SSH protocol, user name, and password) under Firewall Linkage Configuration. If No Binding is selected, the interface will not be bound to any zone.

Zone: Select the security zone from the drop-down list.

IP Configuration

Static IP: IP address: Specifies an IP address for the interface. Netmask: Specifies a netmask for the interface. Set as Local IP: In an HA environment, if this option is selected, the interface IP will not be synchronized to the HA peer.
Advanced:
• Management IP: Specifies a management IP for the interface. Type the IP address into the box.
• Secondary IP: Specifies secondary IPs for the interface. You can specify up to 6 secondary IP addresses.

DHCP: Set gateway information from DHCP server as the default gateway route: With this check box selected, the system will set the gateway information provided by the DHCP server as the default gateway route.
Advanced:
• Distance: Specifies a route distance. The value range is 1 to 255. The default value is 1.
• Weight: Specifies a route weight. The value range is 1 to 255. The default value is 1.
• Management Priority: Specifies a priority for the DNS server. Except for static DNS servers, the system can also learn DNS servers dynamically via DHCP or PPPoE. Therefore, you need to configure priorities for the DNS servers so that the system can choose a DNS server according to its priority during DNS resolution. The priority is a number from 1 to 255. The larger the number, the higher the priority. The priority of static DNS servers is 20.
• Classless Static Routes: Enables the classless static routing function. When this function is enabled, the DHCP client will send a request message with Option 121 (i.e., the classless static route option) to the server, and the server will return the classless static route information. Finally, the client will add the classless static route information to the routing table.

Management: Select one or more management method check boxes to configure the interface management method.

Firewall Linkage Configuration

Firewall Linkage Configuration: When Layer 3 Interface is selected as the binding interface, you can continue to configure the IP address, port, user name, and password of the linked firewall. If attack traffic is detected by the device and an IP blacklist is generated, the system synchronously sends the IP blacklist to the linked firewall. The firewall will block traffic from the attack source IP. Suggestion: configure Firewall Linkage Configuration on only one Layer 3 interface.
• IP: Specifies the accessible IP address of the firewall to be linked.
• Port: Specifies the accessible port of the firewall to be linked.
• User: Specifies the user name of the firewall to be linked.
• Password: Specifies the password of the firewall to be linked.

4. "In the Interface Properties section, configure properties for the interface." on Page 442

5. "In the Advanced Configuration section, configure advanced options for the interface." on
Page 442

6. "In the IPv6 Configuration section, configure the following." on Page 443

7. Click OK.
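The Option 121 exchange described under Classless Static Routes can be seen concretely in the following added example. It is written for this guide and is not Hillstone code: it encodes and decodes the classless static route option in the RFC 3442 wire format, rejects a truncated or malformed payload instead of installing a partial route list, and applies the RFC's rule that a client which receives Option 121 ignores the Router option (3). The routes, gateway addresses and option payloads are constructed sample values.

```python
"""DHCP Option 121, Classless Static Route (RFC 3442): encode, decode, apply.
Added example for this guide, not Hillstone code; the route list, gateway
addresses and option payloads below are constructed sample values."""
import ipaddress
from typing import List, Optional, Tuple

OPTION_CLASSLESS_STATIC_ROUTE = 121   # requested by the client in its parameter request list
OPTION_ROUTER = 3                     # the classful default-gateway option it supersedes

Route = Tuple[str, str]               # ("destination/prefixlen", "router")


def encode_option121(routes: List[Route]) -> bytes:
    """Build the option data (no code/length header). Each route is encoded as
    <prefix length><only the significant destination octets><4-octet router>."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)
        significant = (net.prefixlen + 7) // 8       # 0..4 octets
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_option121(data: bytes) -> List[Route]:
    """Parse option data into routes. A malformed or truncated payload raises
    ValueError so that no partial route list is ever installed."""
    data = bytes(data)
    routes: List[Route] = []
    i = 0
    while i < len(data):
        plen = data[i]
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen} at offset {i}")
        significant = (plen + 7) // 8
        end = i + 1 + significant + 4
        if end > len(data):
            raise ValueError("option 121 payload truncated")
        dest = data[i + 1:i + 1 + significant].ljust(4, b"\x00")
        router = ipaddress.IPv4Address(data[i + 1 + significant:end])
        net = ipaddress.IPv4Network((dest, plen), strict=False)
        routes.append((str(net), str(router)))
        i = end
    return routes


def is_well_formed(data: bytes) -> bool:
    """True when the payload decodes completely; False on any inconsistency."""
    try:
        decode_option121(data)
        return True
    except ValueError:
        return False


def routes_to_install(option121: Optional[bytes], option3_router: Optional[str]) -> List[Route]:
    """RFC 3442 precedence: when the server returns option 121, the client ignores
    the Router option (3); otherwise the classful default route via option 3 is used."""
    if option121 is not None:
        return decode_option121(option121)
    if option3_router is not None:
        return [("0.0.0.0/0", option3_router)]
    return []


if __name__ == "__main__":
    # Constructed sample: two specific routes plus a default route, round-tripped.
    sample = [("10.20.0.0/16", "192.168.1.1"), ("10.229.0.128/25", "192.168.1.2"),
              ("0.0.0.0/0", "192.168.1.254")]
    payload = encode_option121(sample)
    print(payload.hex())
    for dest, via in routes_to_install(payload, "192.168.1.9"):
        print(f"route add {dest} via {via}")
```

Because a DHCP server can steer traffic with the routes it returns, a client should validate the whole payload before touching its routing table; the decoder above treats any inconsistency as fatal for the entire option rather than installing the routes parsed so far.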

Creating a VSwitch Interface

To create a VSwitch interface, take the following steps:

1. Select Network > Interface.

2. Select VSwitch Interface from the New drop-down list.

3. On this page, configure the following options.

Interface Name: Specifies a name for the VSwitch interface.

Description: Enter a description for the VSwitch interface.

Binding Interface: Specifies the zone type. If Layer 3 Interface is selected, you should continue to select a zone from the Zone drop-down list. You can work with a firewall by specifying the firewall details (the firewall's IP address, SSH port number, user name, and password) under Firewall Linkage Configuration. If No Binding is selected, the interface will not bind to any zone.

Zone: Select the security zone from the drop-down list.

IP Configuration

Static IP:
  IP address: Specifies an IP address for the interface.
  Netmask: Specifies a netmask for the interface.
  Set as Local IP: In an HA environment, if this option is selected, the interface IP is not synchronized to the HA peer.
  Advanced:
    • Management IP: Specifies a management IP for the interface. Type the IP address into the box.
    • Secondary IP: Specifies secondary IPs for the interface. You can specify up to 6 secondary IP addresses.

DHCP:
  Set gateway information from DHCP server as the default gateway route: With this check box selected, the system sets the gateway information provided by the DHCP server as the default gateway route.
  Advanced:
    • Distance: Specifies a route distance. The value range is 1 to 255. The default value is 1.
    • Weight: Specifies a route weight. The value range is 1 to 255. The default value is 1.
    • Management Priority: Specifies a priority for the DNS server. In addition to static DNS servers, the system can also learn DNS servers dynamically via DHCP or PPPoE, so you need to configure priorities for the DNS servers so that the system can choose a DNS server according to its priority during DNS resolution. The priority is a number from 1 to 255; the larger the number, the higher the priority. The priority of static DNS servers is 20.
    • Classless Static Routes: Enables the classless static routing function. When this function is enabled, the DHCP client sends a request message carrying Option 121 (the classless static route option) to the server, the server returns the classless static route information, and the client adds the classless static routes to its routing table.

Management: Select one or more management method check boxes to configure the interface management method.

Firewall Linkage Configuration

Firewall Linkage Configuration: When Layer 3 Interface is selected as the binding interface, you can continue to configure the IP address, port, user name, and password of the linked firewall. If the device detects attack traffic and generates an IP blacklist, the system synchronously sends the IP blacklist to the linked firewall, and the firewall blocks traffic from the attack source IP. Suggestion: configure Firewall Linkage Configuration on only one layer-3 interface.
  • IP: Specifies the accessible IP address of the firewall to be linked.
  • Port: Specifies the accessible port of the firewall to be linked.
  • User: Specifies the user name of the firewall to be linked.
  • Password: Specifies the password of the firewall to be linked.

4. "In the Interface Properties section, configure properties for the interface." on Page 442

5. "In the Advanced Configuration section, configure advanced options for the interface." on Page 442

6. "In the IPv6 Configuration section, configure the following." on Page 443

7. Click OK.

Editing an Interface

To edit an interface, take the following steps:

1. Select Network > Interface.

2. Select the interface you want to edit from the interface list and click Edit.

3. Configure the following options.

Interface Name: Specifies a name for the interface.

Description: Enter a description for the interface.

Binding Interface: Specifies the zone type. If Layer 2 Interface, Layer 3 Interface, or TAP is selected, you should continue to select a zone from the Zone drop-down list. If Layer 3 Interface or TAP is selected, you can work with a firewall by specifying the firewall details (the firewall's IP address, SSH port number, user name, and password) under Firewall Linkage Configuration. If No Binding is selected, the interface will not bind to any zone.

Zone: Select the security zone from the drop-down list.

Belong To: Specifies whether the interface belongs to an aggregate interface. If Aggregate Interface is selected, you should continue to configure the following options:
  • Interface Group: Choose the aggregate interface to which the interface belongs from the Interface Group drop-down list.
  • Port LACP priority: The port LACP priority determines the order in which the members of the aggregate group become Selected. The smaller the number, the higher the priority. Which links in the aggregate group are aggregated is determined by the port LACP priority and the LACP system priority.
  • Port timeout mode: The LACP timeout is the interval that members wait to receive LACPDU packets. The system supports Fast and Slow. If the local member does not receive an LACPDU packet from its peer within three timeout intervals, the peer is considered down, the status of the local member changes from Active to Selected, and it stops forwarding traffic.

IP Configuration

Static IP:
  IP address: Specifies an IP address for the interface.
  Netmask: Specifies a netmask for the interface.
  Set as Local IP: In an HA environment, if this option is selected, the interface IP is not synchronized to the HA peer.
  Advanced:
    • Management IP: Specifies a management IP for the interface. Type the IP address into the box.
    • Secondary IP: Specifies secondary IPs for the interface. You can specify up to 6 secondary IP addresses.

DHCP:
  Set gateway information from DHCP server as the default gateway route: With this check box selected, the system sets the gateway information provided by the DHCP server as the default gateway route.
  Advanced:
    • Distance: Specifies a route distance. The value range is 1 to 255. The default value is 1.
    • Weight: Specifies a route weight. The value range is 1 to 255. The default value is 1.
    • Management Priority: Specifies a priority for the DNS server. In addition to static DNS servers, the system can also learn DNS servers dynamically via DHCP or PPPoE, so you need to configure priorities for the DNS servers so that the system can choose a DNS server according to its priority during DNS resolution. The priority is a number from 1 to 255; the larger the number, the higher the priority. The priority of static DNS servers is 20.
    • Classless Static Routes: Enables the classless static routing function. When this function is enabled, the DHCP client sends a request message carrying Option 121 (the classless static route option) to the server, the server returns the classless static route information, and the client adds the classless static routes to its routing table.

Management: Select one or more management method check boxes to configure the interface management method.

Tap Configuration

Control Interface: Specifies the control interface of the tap configuration, which is used to send TCP RST control packets. This parameter can be configured when Binding Interface is set to TAP. In tap deployment mode, if the device has the Attack Block switch turned on and traffic matches a security policy with a blocking action, the system sends TCP RST control packets to both the client and the web server via the control interface, resetting the TCP connection and thus blocking the traffic. By default, the control interface is the tap interface itself. During configuration, ensure that the control interface can successfully send packets to both the client and the web server.
  Note: The control interface is only effective in tap deployment mode when the Attack Block switch is turned on. The Attack Block switch is turned on in System > WAF Global Configuration > Global Parameter Configuration. Only aggregate interfaces and Ethernet interfaces can be used as control interfaces.

Firewall Linkage Configuration

Firewall Linkage Configuration: When Layer 3 Interface or TAP is selected as the binding interface, you can continue to configure the IP address, port, user name, and password of the linked firewall. If the device detects attack traffic and generates an IP blacklist, the system synchronously sends the IP blacklist to the linked firewall, and the firewall blocks traffic from the attack source IP. Suggestion: configure Firewall Linkage Configuration on only one layer-3 interface or TAP interface.
  • IP: Specifies the accessible IP address of the firewall to be linked.
  • Port: Specifies the accessible port of the firewall to be linked.
  • User: Specifies the user name of the firewall to be linked.
  • Password: Specifies the password of the firewall to be linked.

4. In the Interface Properties section, configure properties for the interface.

Duplex: Specifies a duplex working mode for the interface. Options include auto, full duplex and half duplex. Auto is the default working mode, in which the system selects the most appropriate duplex working mode automatically. 1000M half duplex is not supported.

Rate: Specifies a working rate for the interface. Options include Auto, 10M, 100M and 1000M. Auto is the default working mode, in which the system detects and selects the most appropriate working mode automatically. 1000M half duplex is not supported.

MTU: Specifies an MTU for the interface. The value range is 1280 to 1600 bytes. The default value is 1500. The maximum MTU may vary in different Hillstone models.

ARP Learning: Click the button to enable ARP learning.

ARP Timeout: Specifies an ARP timeout for the interface. The value range is 5 to 65535 seconds. The default value is 1200.

Keep-alive IP: Specifies an IP address that receives the interface's keep-alive packets.

MAC clone: Specifies the MAC address which the system clones in the Ethernet sub-interface. If you click Restore Default MAC, the Ethernet sub-interface restores the default MAC address.

5. "In the Advanced Configuration section, configure advanced options for the interface." on Page 442

6. "In the IPv6 Configuration section, configure the following." on Page 443

7. Click OK.

Notes:
• Before deleting an aggregate interface, you must cancel other interfaces' bindings to it, the configuration of its aggregate sub-interfaces, its IP address configuration, and its binding to the security zone.

• An Ethernet interface can only be edited; it cannot be deleted.

• When a VSwitch interface is deleted, the corresponding VSwitch is deleted as well.
Interface Group

The interface group function binds the status of several interfaces to form a logical group. If any interface in the group is faulty, the status of the other interfaces is set to down. After all the interfaces return to normal, the status of the interface group is Up. The interface group function can bind the status of interfaces on different expansion modules.

Creating an Interface Group

To create an interface group, take the following steps:

1. Select Network > Interface Group.

2. Click New.

3. On the Interface Group Configuration page, type the name for the interface group. Interface group names must be unique.

4. In the Member drop-down list, select the interfaces you want to add to the interface group. The maximum number of interfaces is 8.
   Note: Members of an interface group cannot conflict with other interface groups.

5. Click OK.

You can click the Edit or Delete button to edit the members of an interface group or to delete the interface group.
Security Policy

Security policy is the function designed to control traffic forwarding between security zones/segments. Without security policy rules, the WAF device permits all traffic between security zones/segments by default. After you configure security policy rules, the device can identify which traffic between security zones or segments is permitted; all other traffic is denied.

The basic elements of policy rules:

• The source zone and address of the traffic

• The destination zone and address of the traffic

• The service type of the traffic

• The actions that the device performs when processing the specific type of traffic, including Permit and Deny.

Generally a security policy rule consists of two parts: filtering conditions and actions. You set the filtering conditions by specifying the traffic's source zone/address, destination zone/address and service type. Each policy rule is labeled with a unique ID, which is generated automatically when the rule is created; you can also specify a policy rule ID of your own choice. All policy rules in the system are arranged in a specific order. When traffic flows into the device, the device queries the policy rules in turn and processes the traffic according to the first matched rule.

The maximum number of global security policy rules may vary in different WAF models.

Security policy supports IPv4 and IPv6 addresses.

This section contains the following contents:

• Configure a security policy rule

• Manage the security policy rules: enable/disable a policy rule, clone a policy rule, adjust security rule priority, configure default action, view and clear policy hit count, rule redundancy check, hit count check, schedule validity check, show disabled policies, import/export policies, and hit query.

• Configure an aggregate policy

• Configure a security policy group

• View and search the security policy rules/security policy groups

• Configure Policy Optimization: when there are a large number of policy rules on the device, it is hard to determine which policy rules need to be deleted. The system supports Policy Hit Analysis, Rule Redundancy Check, and the Policy Assistant.
Configuring a Security Policy Rule

To configure a security policy rule, take the following steps:

1. Select Network > Security Policy > Policy.

2. On the Policy page, select New > Policy, and the Policy Configuration page will appear. Configure the corresponding options.

Name: Type the name of the security policy.

Type: Select the IP type, IPv4 or IPv6. Only the IPv6 firmware can configure the IPv6 type.

Source Information

Source Zone: Click "+" to specify the source zone. This option retains the security zone selected in the security policy that was created last time.

Source Address: Click "+" to specify the source address.
  1. Select an address type from the drop-down list.
  2. Select or type the source addresses based on the selected type.
  3. After adding the desired addresses, click Close to complete the source address configuration.
  You can also perform other operations:
    • When selecting the Address Book type, you can click the icon to create a new address entry.
    • The default address configuration is any. To restore this default, turn on the switch in front of Any.

Destination Information

Destination Zone: Click "+" and specify the destination zone. This option retains the security zone selected in the security policy that was created last time.

Destination Address: Click "+" and specify the destination addresses.
  1. Select an address type from the drop-down list.
  2. Select or type the destination addresses based on the selected type.
  3. After adding the desired addresses, click Close to complete the destination address configuration.
  You can also perform other operations:
    • When selecting the Address Book type, you can click the icon to create a new address entry.
    • The default address configuration is any. To restore this default, turn on the switch in front of Any.

Other Information

Service: Click "+" to specify a service or service group.
  1. From the Service drop-down menu, select a type: Service or Service Group. From the Predefined drop-down menu, select a type: Predefined or User-defined.
  2. You can search for the desired service/service group, or expand the service/service group list.
  3. After selecting the desired services/service groups, click the selected services/service groups to add them to the left pane.
  4. After adding the desired objects, click Close to complete the service configuration.
  You can also perform other operations:
    • To add a new service or service group, select User-defined from the Predefined drop-down menu, and click the icon.
    • The default service configuration is any. To restore this default, turn on the Any switch.
  Specify a service rule. When the required service does not exist in the service book, the administrator can specify the protocol type and port number of the service by configuring a service rule, thus simplifying the configuration steps of the policy.
  1. From the Service drop-down menu, select the type Service Rule.
  2. From the Protocol Type drop-down menu, select a protocol type: TCP, UDP, ICMP, ICMPv6 or All. The parameters for the protocol types are described as follows:
    TCP/UDP:
      • Destination port:
        • Min: Specifies the minimum port number of the service rule.
        • Max: Specifies the maximum port number of the service rule. The value range is 0 to 65535.
      • Source port:
        • Min: Specifies the minimum port number of the service rule.
        • Max: Specifies the maximum port number of the service rule. The value range is 0 to 65535.
      Notes:
        • The minimum port number cannot exceed the maximum port number.
        • The "Min" of the destination port is required; the other options are optional.
        • If "Max" is not configured, the system uses "Min" as the single port number.
    ICMP:
      • Type: Specifies an ICMP type for the service rule. The value range is 0 (Echo-Reply), 3 (Destination-Unreachable), 4 (Source Quench), 5 (Redirect), 8 (Echo), 11 (Time Exceeded), 12 (Parameter Problem), 13 (Timestamp), 14 (Timestamp Reply), 15 (Information Request), 16 (Information Reply), 17 (Address Mask Request), 18 (Address Mask Reply), 30 (Traceroute), 31 (Datagram Conversion Error), 32 (Mobile Host Redirect), 33 (IPv6 Where-Are-You), 34 (IPv6 I-Am-Here), 35 (Mobile Registration Request), 36 (Mobile Registration Reply).
      • Code: Specifies a minimum value and a maximum value for the ICMP code. The value range is 0 to 15; the default is min code 0, max code 15.
      Notes:
        • The minimum code cannot exceed the maximum code.
        • If "Max" is not configured, the system uses "Min" as the single code.
    ICMPv6:
      • Type: Specifies an ICMPv6 type for the service rule. The value range is 1 (Dest-Unreachable), 2 (Packet Too Big), 3 (Time Exceeded), 4 (Parameter Problem), 100 (Private experimentation), 101 (Private experimentation), 127 (Reserved for expansion of ICMPv6 error messages), 128 (Echo Request), 129 (Echo Reply), 130 (Multicast Listener Query), 131 (Multicast Listener Report), 132 (Multicast Listener Done), 133 (Router Solicitation), 134 (Router Advertisement), 135 (Neighbor Solicitation), 136 (Neighbor Advertisement), 137 (Redirect Message), 138 (Router Renumbering), 139 (ICMP Node Information Query), 140 (ICMP Node Information Response), 141 (Inverse Neighbor Discovery Solicitation Message), 142 (Inverse Neighbor Discovery Advertisement Message), 143 (Version 2 Multicast Listener Report), 144 (Home Agent Address Discovery Request Message), 145 (Home Agent Address Discovery Reply Message), 146 (Mobile Prefix Solicitation), 147 (Mobile Prefix Advertisement), 148 (Certification Path Solicitation Message), 149 (Certification Path Advertisement Message), 150 (ICMP message utilized by experimental mobility protocols such as Seamoby), 151 (Multicast Router Advertisement), 152 (Multicast Router Solicitation), 153 (Multicast Router Termination), 154 (FMIPv6 Messages), 200 (Private experimentation), 201 (Private experimentation) and 255 (Reserved for expansion of ICMPv6 informational messages).
      • Code: Specifies a minimum value and a maximum value for the ICMPv6 code. The value range is 0 to 255; the default is min code 0, max code 255.
    All:
      • Protocol: Specifies a protocol name for the service rule. If it is an unknown protocol, you can directly enter the corresponding protocol number.
      Notes:
        • The minimum code cannot exceed the maximum code.
        • If "Max" is not configured, the system uses "Min" as the single code.
  3. Click Close.

Action: Specify an action for traffic that matches the policy rule:
  • Permit: Select Permit to permit the traffic to pass through.
  • Deny: Select Deny to deny the traffic.

Expand the Options section, and configure the corresponding options.

Schedule: Specify a schedule during which the security policy rule takes effect. Select a desired schedule from the Schedule drop-down list. This option supports fuzzy search. After selecting the desired schedules, click the blank area of the page to complete the schedule configuration. To create a new schedule, click the icon.

Log: You can log policy rule matching in the system logs according to your needs.
  • For Permit policy rules, logs are generated in two conditions: when traffic that matches the policy rule starts its session (select the Session start check box) and when it ends its session (select the Session end check box).
  • For Deny policy rules, logs are generated when traffic that matches the policy rule is denied (select the Deny check box).
  Select one or more check boxes to enable the corresponding log types.

Policy Assistant: Turn on the switch to enable the policy assistant. After enabling the policy assistant, you can specify a policy ID as the traffic hit policy. The system analyzes the traffic data that hit the specified policy ID, aggregates the traffic list according to the user-defined aggregation rules, and finally generates the security policy rules that meet your expectations. For how to use the policy assistant, see Configuring the Policy Assistant.

Aggregate Policy: Click the Aggregate Policy drop-down menu, and select the aggregate policy to which you want to add this rule.

Position: Select a rule priority from the Position drop-down list. Each policy rule is labeled with a unique ID or name. When traffic flows into the device, the device queries the policy rules in turn and processes the traffic according to the first matched rule. However, the policy rule ID is not related to the matching sequence during the query; the sequence displayed in the policy rule list is the query sequence for policy rules. The rule priority can be absolute, i.e., at the top or bottom, or relative, i.e., before or after an ID or a name.

Description: Type the description for the security policy.

3. Click OK.

Managing Security Policy Rules

This section describes how to manage security policy rules, including: enable/disable a policy rule, clone a policy rule, adjust security rule priority, configure default action, view and clear policy hit count, rule redundancy check, hit count check, schedule validity check and show disabled policies.

Enabling/Disabling a Policy Rule

By default the configured policy rule takes effect immediately. You can terminate its control over the traffic by disabling the rule.

To enable/disable a policy rule, take the following steps:

1. Select Network > Security Policy > Policy.

2. Select the security policy rule that you want to enable/disable.

3. Click the icon, and then select Enable or Disable to enable or disable the rule.

The disabled rule will not be displayed in the list. Click the icon, and then select Show Disabled Policies to show them.

Cloning a Policy Rule

To clone a policy rule, take the following steps:

1. Select Network > Security Policy > Policy.

2. Select the security policy rule that you want to clone and click Copy.

3. Click Paste. In the drop-down list, select the desired position. The rule will be cloned to the desired position.

Adjusting Security Policy Rule Priority

To adjust the rule priority, take the following steps:

1. Select Network > Security Policy > Policy.

2. Select the check box of the security policy whose position will be adjusted and click Move.

3. In the drop-down list, type the rule ID or name, and click Top, Bottom, Before ID, After ID, Before Name, or After Name. The rule will be moved to the top, to the bottom, or before or after the specified ID or name.

Configuring Default Action

You can specify a default action for traffic that does not match any configured policy rule. The system processes such traffic according to the specified default action. By default the system denies such traffic.

To specify a default policy action, take the following steps:

1. Select Network > Security Policy > Policy.

2. Click the icon and select Default Policy Action. In the Default Policy Action panel, configure the following options.

Hit count: Shows the statistics on policy matching.

Default action: Specify a default action for traffic that does not match any configured policy rule.
  • Click Permit to permit the traffic to pass through.
  • Click Deny to deny the traffic.

Log: Configure whether to generate logs for traffic that does not match any configured policy rule. By default the system does not generate logs for such traffic. To enable logging, select the Enable check box, and the system will generate logs for such traffic.

3. Click OK.
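The matching semantics spelled out in Configuring a Security Policy Rule and in this Default Action section (rules are queried in list order and the first match wins, so the rule ID has nothing to do with precedence; a service rule's omitted "Max" means "Min" only; ICMP rules match a type and a code range; unmatched traffic gets the default action and its own hit count) can be followed step by step in the added example below. It is written for this guide and is not Hillstone's implementation; the zone names, addresses, rule set and sample flows are constructed.

```python
"""Ordered first-match security policy evaluation (added example, not Hillstone code).
Rules are queried in list order and the first match wins; unmatched traffic gets the
default action; an omitted service-rule Max means "Min only"; ICMP matches type + code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PERMIT, DENY = "permit", "deny"

def _in_range(value: int, lo: Optional[int], hi: Optional[int]) -> bool:
    if lo is None:          # range not configured: any value matches
        return True
    if hi is None:          # "Max" omitted: "Min" is the single allowed value
        hi = lo
    if lo > hi:
        raise ValueError("minimum must not exceed maximum")
    return lo <= value <= hi

@dataclass
class Packet:               # a classified flow: zones plus the relevant five-tuple fields
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    protocol: str           # "tcp", "udp", "icmp", "icmpv6", ...
    dst_port: int = 0
    icmp_type: int = 0
    icmp_code: int = 0

@dataclass
class ServiceRule:
    protocol: str                    # "tcp", "udp", "icmp", "icmpv6" or "all"
    dst_min: Optional[int] = None    # required for tcp/udp rules
    dst_max: Optional[int] = None
    icmp_type: Optional[int] = None  # None: any type
    code_min: int = 0
    code_max: int = 255              # guide: 0-15 for ICMP, 0-255 for ICMPv6

    def matches(self, pkt: Packet) -> bool:
        if self.protocol == "all":
            return True
        if self.protocol != pkt.protocol:
            return False
        if self.protocol in ("tcp", "udp"):
            return _in_range(pkt.dst_port, self.dst_min, self.dst_max)
        return ((self.icmp_type is None or pkt.icmp_type == self.icmp_type)
                and _in_range(pkt.icmp_code, self.code_min, self.code_max))

def _addr_in(ip: str, cidrs: Tuple[str, ...]) -> bool:
    if not cidrs:           # empty tuple is the "any" address object
        return True
    return any(ip_address(ip) in ip_network(c, strict=False) for c in cidrs)

@dataclass
class PolicyRule:
    rule_id: int
    action: str
    src_zones: Tuple[str, ...] = ()  # empty: any zone
    dst_zones: Tuple[str, ...] = ()
    src_addrs: Tuple[str, ...] = ()  # CIDR strings; empty: any address
    dst_addrs: Tuple[str, ...] = ()
    services: Tuple[ServiceRule, ...] = field(default_factory=lambda: (ServiceRule("all"),))
    hits: int = 0

    def matches(self, pkt: Packet) -> bool:
        return ((not self.src_zones or pkt.src_zone in self.src_zones)
                and (not self.dst_zones or pkt.dst_zone in self.dst_zones)
                and _addr_in(pkt.src_ip, self.src_addrs)
                and _addr_in(pkt.dst_ip, self.dst_addrs)
                and any(s.matches(pkt) for s in self.services))

class PolicyEngine:
    def __init__(self, rules: List[PolicyRule], default_action: str = DENY):
        self.rules = list(rules)    # list order is the query order, not the rule ID
        self.default_action = default_action
        self.default_hits = 0       # the Hit count shown under Default Policy Action

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, matched rule ID); the ID is None when the default applies."""
        for rule in self.rules:
            if rule.matches(pkt):
                rule.hits += 1
                return rule.action, rule.rule_id
        self.default_hits += 1
        return self.default_action, None

    def move_top(self, rule_id: int) -> None:   # like Move > Top in the WebUI
        idx = next(i for i, r in enumerate(self.rules) if r.rule_id == rule_id)
        self.rules.insert(0, self.rules.pop(idx))

def build_rules() -> List[PolicyRule]:
    """Constructed rule set: permit HTTPS to one DMZ host, deny other low ports."""
    return [
        PolicyRule(1, PERMIT, src_zones=("untrust",), dst_zones=("dmz",),
                   dst_addrs=("203.0.113.10/32",),
                   services=(ServiceRule("tcp", dst_min=443),)),   # Max omitted: 443 only
        PolicyRule(2, DENY, src_zones=("untrust",), dst_zones=("dmz",),
                   services=(ServiceRule("tcp", dst_min=1, dst_max=1023),)),
        PolicyRule(3, PERMIT, src_zones=("trust",),
                   services=(ServiceRule("icmp", icmp_type=8, code_max=15),)),
    ]
```

Moving rule 2 to the top with `move_top(2)` makes the HTTPS flow that rule 1 permitted hit the broader deny instead, which is the practical consequence of the guide's statement that the list sequence, not the ID, is the query order; reviewing a move or a clone with the hit counts in mind is how a shadowed permit is caught before it reaches production.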

Schedule Validity Check

To make sure that schedule-based policies are effective, the system provides a method to check the validity of policies. After the check, invalid schedule-based policies are highlighted in yellow.

1. Select Network > Security Policy > Policy.

2. Click the icon and select Schedule Validity Check. After the check, the system highlights invalid schedule-based policies in yellow. Meanwhile, you can view the validity status in the policy list.

Showing Disabled Policies

To show disabled policies, take the following steps:

1. Select Network > Security Policy > Policy.

2. Click the icon and select Show Disabled Policies. The disabled policies are highlighted in gray in the policy list.

Notes:

• By default (when neither "Schedule Validity Check" nor "Show Disabled Policies" is selected), the policy list only displays the enabled policies, which are not highlighted.

• When you select both "Schedule Validity Check" and "Show Disabled Policies", the policy list is managed as follows:
  • The policy list displays the "Validity" column, which shows the validity status of policies.
  • An invalid schedule-based policy is highlighted in yellow whether the policy is disabled or not.
  • If a valid schedule-based policy is disabled, it is highlighted in gray.
Importing Policy Rule

You can import a local configuration file of policy rules into the device to avoid creating policy rules manually. Only the DAT format is supported currently.

To import the configuration file of policy rules, take the following steps:

1. Click Network > Security Policy > Policy.

2. Click Import to open the Import panel.
  • Click Browse and select the local configuration file of policy rules to upload.
  • Click OK, and the imported policy rules will be displayed in the list.

Notes:
• If there is an error during import, the system stops importing immediately and rolls back the configuration automatically.

• The imported policies are displayed at the bottom of the policy list.

Exporting Policy Rule

You can export the policy rules existing on the device to your local computer in HTML or DAT format. At the same time, all the custom objects, such as the address book and service book, can be exported.

To export the policy rules, take the following steps:

1. Click Network > Security Policy > Policy.

2. Click Export to open the Export panel. Configure the options as follows:

Range: Specify the range of policy rules to be exported.
  • All Policy: Select the option to export all policy rules on the device.
  • Selected Policy: In the policy list, select the policies to be exported, and then click Export > Selected Policy.
  • Page Range: Select the option, and enter the page number or page range of the policy list to be exported. Note: Separate page numbers or ranges with semicolons, e.g. "3;5-8".

Export All Address Book And Service: Select the check box to export all the custom objects, including the address book and service book; a Zip file named "book+exported time" will be generated.

Export Policy in DAT Format: Select the check box to export the policy configurations in DAT format.

3. Click OK to download the exported files. There are four kinds of files: policyExport.html, "policy+exported time.zip", "book+exported time.zip" and the policy configurations in DAT format.

4. Double-click policyExport.html, click Import File and import "policy+exported time.zip" to view the table of exported policies.

5. Double-click policyExport.html, click Import File and import "book+exported time.zip" to view the table of object configurations.
Searching Policy Rule

You can view the detailed information of the policy matching the five-tuple filtering conditions
(including source IP address, destination IP address, protocol, source port and destination port),
take the following steps:

1. Click Network > Security Policy > Policy.

2. Click Search to open the configuration dialog box.

Configure the options as follows:

Option Description

Source Zone: Click the drop-down list to select the source zone, and search for the policy rules that match the specified source zone.

Source Address: Enter the source address in the text box to search for the policy rules that match the specified source address. The source address supports fuzzy matching, so the search also returns policy rules whose address contains the input.

Destination Zone: Click the drop-down list to select the destination zone, and search for the policy rules that match the specified destination zone.

Destination Address: Enter the destination address in the text box to search for the policy rules that match the specified destination address. The destination address supports fuzzy matching, so the search also returns policy rules whose address contains the input.

Protocol: Select the protocol type in the Protocol drop-down list to search for the policy rules that match the specified protocol.

• When the protocol is TCP or UDP, you can specify the source/destination port range. The value range is 0-65535. If you specify the same minimum and maximum source/destination port number, the system uses that port number as a single source/destination port.

• When the protocol is ICMP, the type and code range can be specified. If you specify the same minimum and maximum code value, the system uses that code value as a single code value. The value range of the code is 0-15.

• When the protocol is ICMPv6, the type and code range can be specified. If you specify the same minimum and maximum code value, the system uses that code value as a single code value. The value range of the code is 0-255.

• When another protocol type is specified, configuring a port range or code range is not supported.

Note: If you specify a port range or code range, the maximum port number/code value and the minimum port number/code value must be configured at the same time.

3. Click OK. The list displays the search results.

4. If you need to clear the configuration and display all the policy rules, click Clear Search
Conditions.

Notes: The search function and the filter conditions are mutually exclusive and can-
not be configured at the same time. When the search function is configured, the fil-
ter condition configuration will be cleared, and vice versa.

Configuring an Aggregate Policy
According to the needs of different scenarios, you can create an aggregate policy and add policy rules with the same effect or the same attributes to it. If the administrator adjusts the priority of an aggregate policy, the priorities of all its members are adjusted accordingly, so policy rules can be managed in bulk.
Configuring an aggregate policy includes: creating an aggregate policy, adding an aggregate policy member, removing an aggregate policy member, deleting an aggregate policy, adjusting the priority of an aggregate policy, and enabling/disabling an aggregate policy.

Creating an Aggregate Policy

To create an aggregate policy, take the following steps:

1. Click Network > Security Policy > Policy.

2. Click the New drop-down list, and select Aggregate Policy to open the Aggregate Policy Configuration page.

Configure the following.

Option Description

Name: Specifies the name of the aggregate policy. The range is 1 to 95 characters.

Position: The rule order can be an absolute order, i.e., at the top or bottom, or a relative order, i.e., before or after an ID or a name. In the Position drop-down list, select an order for the aggregate policy.

Description: Type a description into the Description box.

3. Click OK.

Adding an Aggregate Policy Member

After creating an aggregate policy, the administrator can add a policy rule to the aggregate policy to
be an aggregate policy member. There are two methods for adding an aggregate policy member.

• Editing the policy configuration:

Take the following steps:

1. Click Network > Security Policy > Policy.

2. Select the policy rule that you want to add to an aggregate policy from the list.

3. Click Edit to open the Policy Configuration page.

4. Click Options to expand the relevant configuration items.

5. Click the Aggregate Policy drop-down menu, and select the aggregate policy to which you want to add the rule.

6. Click OK.

• Selecting the policy rules you want to add:

Take the following steps:

1. Click Network > Security Policy > Policy.

2. Select the policy rule that you want to add to an aggregate policy from the list. You can select multiple policy rules at a time.

3. Click the Add to aggregate policy drop-down list, and select the aggregate policy to which you want to add them.

Removing an Aggregate Policy Member

To remove a member from an aggregate policy, take the following steps:

1. Click Network > Security Policy > Policy.

2. In the list, click the arrow before an aggregate policy to expand it.

3. Select the aggregate policy member that you want to remove. You can select multiple policy rules at a time.

4. Click Remove from Aggregate Policy.

Notes:
• If the member at the top is removed from an aggregate policy, the removed member is placed before the aggregate policy.

• If a member at a non-top position is removed from an aggregate policy, the removed member is placed after the aggregate policy.

• If several consecutive aggregate policy members (including the member at the top) are removed, they are placed before the aggregate policy all together.

Deleting an Aggregate Policy

To delete an aggregate policy, take the following steps:

1. Click Network > Security Policy > Policy.

2. Select the aggregate policy that you want to delete from the list.

3. Click Delete.

4. Select a deletion method from the drop-down list.

• Delete aggregate policy and members: the aggregate policy and all the members in it are deleted.

• Delete aggregate policy, unbind members: the aggregate policy is deleted and its members are unbound from it, remaining as ordinary policy rules.

Adjusting Priority of an Aggregate Policy

The administrator can adjust the priority of an aggregate policy by the following two methods.
After the adjustment, the priorities of all its members will be adjusted accordingly.

• Editing the aggregate policy configuration:

Take the following steps:

1. Click Network > Security Policy > Policy.

2. Select the aggregate policy whose priority you want to adjust from the list.

3. Click Edit to open the Aggregate Policy Configuration page.

4. Click the Position drop-down list, and select a priority for the aggregate policy.

• Adjusting directly in the policy list:

Take the following steps:

1. Click Network > Security Policy > Policy.

2. Select the aggregate policy whose priority you want to adjust from the list.

3. Click Move.

4. In the pop-up menu, click Top or Bottom, or type the rule ID/name and click Before ID, After ID, Before Name or After Name. The rule is then moved before or after the specified ID or name.

Notes:
• The method for adjusting the priority of an aggregate policy member is the same as the method for adjusting the priority of an aggregate policy.

• The priority of an aggregate policy member can only be adjusted within the aggregate policy to which it belongs.

• Adding a policy rule to, or removing a policy rule from, an aggregate policy by adjusting the priority of the policy rule is not supported.

Enabling/Disabling an Aggregate Policy

By default, a configured aggregate policy takes effect immediately. By disabling an aggregate policy, the administrator can stop its control over the traffic.
To enable/disable an aggregate policy, take the following steps:

1. Click Network > Security Policy > Policy.

2. Select the aggregate policy that you want to enable/disable from the list.

3. Click the operation icon, and then select Enable or Disable to enable or disable the aggregate policy.

Disabled rules are not displayed in the list. Click the operation icon, and then select Show Disabled Policies to show them.

Notes:
• After an aggregate policy is disabled, its members are disabled too.

• After an aggregate policy is enabled, the original status (enabled/disabled) of its members remains unchanged. For example, if the original status of an aggregate policy member is "disabled", it remains disabled after the aggregate policy to which it belongs is enabled.

Configuring a Policy Group


You can organize policy rules into a policy group and then configure the policy group directly.
Configuring a security policy group includes the following tasks: creating a policy group, deleting a policy group, enabling/disabling a policy group, adding/deleting a policy rule member, editing a policy group and showing disabled policy groups.

Creating a Policy Group

To create a policy group, take the following steps:

1. Select Network > Security Policy > Policy Group.

2. Click New to enter the Policy Group Configuration page.

Configure the following options.

Option Description

Name: Specify the name of the policy group. The length is 1 to 95 characters.

Description: Specify the description of the policy group. The length is 1 to 255 characters.

Add Policy: In the policy rule list, select the security policy rules you want to add to the policy group.

3. Click OK.

Deleting a Policy Group

To delete a policy group, take the following steps:

1. Select Network > Security Policy > Policy Group.

2. Select the check box of the policy group that you want to delete, and click Delete.

Enabling/Disabling a Policy Group

By default, a configured policy group takes effect immediately.

To enable/disable a policy group, take the following steps:

1. Select Network > Security Policy > Policy Group.

2. Select the policy group that you want to enable or disable, and click the status button under the Status column to toggle it. The enabled and disabled states are shown by different icons.

Adding/Deleting a Policy Rule Member

To add a policy rule member to the policy group, take the following steps:

1. Select Network > Security Policy > Policy Group.

2. In the policy group list, click the "+" in front of the policy group item to expand the mem-
ber list of the policy group.

3. Click Add Member to open the Policy Group-Add policy panel, which displays the list of
policy rules that are not added to the policy group.

4. Select the check box of the policy rules that you want to add to the policy group.

5. Click OK.

Notes: A policy rule can be added to only one policy group.

To delete a policy rule member from the policy group, take the following steps:

1. Select Network > Security Policy > Policy Group.

2. In the policy group list, click the "+" in front of the policy group item to expand the mem-
ber list of the policy group.

3. Select the policy rule member that you want to delete, and click Delete Member.

Editing a Policy Group

To modify the name or description of a policy group, take the following steps:

1. Select Network > Security Policy > Policy Group.

2. Select the policy group that you want to edit, and click Edit.

3. On the Policy Group Configuration page, modify the name or description of the policy
group.

Showing Disabled Policy Group

To show disabled policy groups, take the following steps:

1. Select Network > Security Policy > Policy Group.

2. Select the Show Disabled Policy Group check box above the list. Disabled policy groups are then displayed in the policy group list; otherwise the list shows only the enabled policy groups.

Viewing and Searching Security Policy Rules/Policy Groups


You can view and search the policy rules or policy groups in the policy/policy group list.

Viewing the Policy/Policy Group

View the security policy rules in the policy rule list:

• Each column displays the corresponding configurations.

• Click the icon under the Session Detail column in the Policy list to open the Session Detail page. You can view the current session status of the selected policy. You can also click the filter icon to add filtering conditions and search for the filtered sessions.

• Hover your mouse over the configuration in a certain column. Depending on the configuration type, the WebUI displays either an operation icon or the detailed configurations.

  • You can view the detailed configurations directly.

  • You can click the icon. Depending on the configuration type, the WebUI displays Filter or Detail.

    • Click Detail to see the detailed configurations.

    • Click Filter: the filter condition of the configuration you are hovering over appears at the top of the list, and you can then filter the policy rules by that condition. For detailed information about filtering policy rules, see Searching Security Policy Rules/Policy Groups.

View the policy groups in the policy group list:

• Each column displays the corresponding configurations.

• You can view the current policy group status under the Status column; the enabled and disabled states are shown by different icons.

Searching Security Policy Rules/Policy Groups

Use the Filter to search for the policy rules that match the filter conditions.

1. Click Network > Security Policy > Policy or Network > Security Policy > Policy Group.

2. At the top-right corner of the Security Policy/Security Policy Group page, click Filter. A new row appears at the top of the list. Select a filter condition from the drop-down list, and then enter a value.

3. Press Enter to search for the policy rules that match the filter conditions.

4. Repeat the above two steps to add more filter conditions. The relationship between the filter conditions is AND.

5. To delete a filter condition, hover your mouse over that condition and then click its delete icon. To close the filter, click the close icon on the right side of the row.

Save the filter conditions:

1. After adding the filter conditions, click the save icon in the filter row and, in the drop-down menu, click Save Filters.

2. Specify the name of the filter condition you want to save. The maximum length of the name is 32 characters, and the name supports only Chinese and English characters and underscores.

3. Click Save on the right side of the text box.

4. To use a saved filter condition, double-click its name.

5. To delete a saved filter condition, click the delete icon on the right side of the filter condition.

Notes:
• You can add up to 20 filter conditions as needed.

• After the device is upgraded, the saved filter conditions are cleared.

Policy Optimization
When there are a large number of policy rules on the device, it is hard to determine which rules have not been used for a long time and should be deleted. The system supports the policy optimization function, which includes:

• Policy Hit Analysis

• Rule Redundancy Check

• Policy Assistant

Policy Hit Analysis

Policy Hit Analysis checks the policy rule hit counts: each time traffic matches a policy rule, that rule's hit count increases by 1 automatically. With the first hit time, the last hit time and the days since the last hit, you can identify the policy rules that need to be cleared. You can view specific policy rules by setting up filters.
To check the hit counts, take the following steps:

1. Select Network > Security Policy > Policy Optimization, and select the Policy Hit Analysis
tab.

2. Select filter conditions from the drop-down list, and configure them as needed.

Configure the options as follows.

Option Description

Days Since First Hit >: Specify a number of days. Policy rules whose first hit was more than the specified number of days ago are displayed.

Days Since Last Hit >: Specify a number of days. Policy rules whose last hit was more than the specified number of days ago are displayed.

Days Since Policy Created >: Specify a number of days. Policy rules created more than the specified number of days ago are displayed.

3. Press Enter or click any blank space on the page to view the latest result of Policy Optimization.

4. Click the Export button, and the analysis of the filtered policy rules is exported in CSV format.

5. Click the expand icon in front of the policy ID to view the details of the policy rule.

6. Click the icon on the right side of the filter row to save the selected filters: click Save Filters, type the name of the filters and click Save. Once saved, the combined filters can be selected directly in the drop-down list.

7. To delete a filter condition, hover your mouse over that condition and then click its delete icon. To close the filter, click the close icon on the right side of the row.

To clear a policy hit count, take the following steps:

1. Select Network > Security Policy > Policy Optimization, and select the Policy Hit Analysis
tab.

2. Click Clear to open the Clear panel.

Configure the following options.

Option Description

All policies: Clears the hit counts of all policy rules.

Default policy: Clears the hit counts of the default action policy rules.

Policy ID: Clears the hit count of the policy rule with the specified ID.

Name: Clears the hit count of the policy rule with the specified name.

3. Click OK.

You can also perform other operations from the list:

• Click the delete icon to delete the policy rule.

• Click the disable icon to disable the policy rule.

Rule Redundancy Check

To keep the rules in a policy effective, the system provides a method to check for conflicts among the rules in a policy. With this method, administrators can check whether rules overshadow each other, that is, whether a rule is fully covered by a rule with higher priority and therefore can never be hit.
To start a rule redundancy check, take the following steps:

1. Select Network > Security Policy > Policy Optimization, and select the Redundancy Check tab.

2. Select Redundancy Check. After the check, the system lists the policy rules that are overshadowed.

Notes: The status is shown below the policy list while the redundancy check is running. It is not recommended to edit a policy rule during the redundancy check. You can click the stop icon to stop the check manually.
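The five-tuple search described under Searching Policy Rule and the shadowing that the redundancy check looks for can both be expressed over a small model of the policy list. The following Python is an added example written for this guide, not Hillstone code and not the device's own algorithm: the Rule fields, the zone names and the first-match ordering (top of the list wins) are assumptions, and the sample rules are constructed.

```python
"""Five-tuple policy search and rule-redundancy (shadow) check.

Added example, not Hillstone code: a simplified model of the Policy list.
Rule fields, zone names and first-match ordering are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY_PORT = (0, 65535)


@dataclass
class Rule:
    rule_id: int                 # list position = priority: earlier rules win
    src_zone: str
    dst_zone: str
    src: str                     # CIDR, e.g. "172.16.1.0/24"; "0.0.0.0/0" = any
    dst: str
    proto: str                   # "tcp", "udp", "icmp" or "any"
    sport: tuple = ANY_PORT      # (min, max); min == max means a single port
    dport: tuple = ANY_PORT
    action: str = "permit"


def port_range(lo, hi):
    """Mirror the WebUI rule: both ends required, equal ends = single port."""
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range {lo}-{hi}")
    return (lo, hi)


def _in_range(value, rng):
    return rng[0] <= value <= rng[1]


def matches(rule, src_ip, dst_ip, proto, sport, dport, src_zone=None, dst_zone=None):
    """Does a concrete five-tuple (plus optional zones) hit this rule?"""
    if src_zone and rule.src_zone not in ("any", src_zone):
        return False
    if dst_zone and rule.dst_zone not in ("any", dst_zone):
        return False
    if rule.proto not in ("any", proto):
        return False
    if ip_address(src_ip) not in ip_network(rule.src):
        return False
    if ip_address(dst_ip) not in ip_network(rule.dst):
        return False
    if proto in ("tcp", "udp"):
        return _in_range(sport, rule.sport) and _in_range(dport, rule.dport)
    return True


def search(rules, **five_tuple):
    """Policy > Search equivalent: every rule the tuple would hit, in priority order."""
    return [r for r in rules if matches(r, **five_tuple)]


def covers(outer, inner):
    """True if every packet 'inner' can match is already matched by 'outer'."""
    zones_ok = (outer.src_zone in ("any", inner.src_zone)
                and outer.dst_zone in ("any", inner.dst_zone))
    proto_ok = outer.proto in ("any", inner.proto)
    nets_ok = (ip_network(inner.src).subnet_of(ip_network(outer.src))
               and ip_network(inner.dst).subnet_of(ip_network(outer.dst)))
    ports_ok = (outer.sport[0] <= inner.sport[0] and inner.sport[1] <= outer.sport[1]
                and outer.dport[0] <= inner.dport[0] and inner.dport[1] <= outer.dport[1])
    return zones_ok and proto_ok and nets_ok and ports_ok


def shadowed(rules):
    """Redundancy check: rules fully covered by an earlier (higher-priority) rule.

    Returns [(shadowed_rule_id, shadowing_rule_id), ...]. A shadowed rule can
    never be hit, whatever its action.
    """
    found = []
    for i, inner in enumerate(rules):
        for outer in rules[:i]:
            if covers(outer, inner):
                found.append((inner.rule_id, outer.rule_id))
                break
    return found


# Constructed sample policy list, top = highest priority.
RULES = [
    Rule(1, "trust", "untrust", "10.0.0.0/8", "0.0.0.0/0", "tcp", dport=port_range(443, 443)),
    Rule(2, "trust", "untrust", "10.1.2.0/24", "0.0.0.0/0", "tcp", dport=port_range(443, 443), action="deny"),
    Rule(3, "trust", "dmz", "10.0.0.0/8", "192.168.10.0/24", "tcp", dport=port_range(8000, 8080)),
]

if __name__ == "__main__":
    print(search(RULES, src_ip="10.1.2.5", dst_ip="203.0.113.9", proto="tcp",
                 sport=51000, dport=443, src_zone="trust", dst_zone="untrust"))
    print(shadowed(RULES))
```

A rule that shadowed() reports can never be hit, so its hit count stays at zero in Policy Hit Analysis. Before deleting it, check whether it is a deny that a broader permit above it has silently disabled (rule 2 in the sample), in which case the fix is to move it up rather than remove it.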

Configuring the Policy Assistant

The policy assistant helps users generate targeted policies more quickly and accurately. With this function, the system can analyze the traffic that hits a specified policy ID, optimize the traffic by setting replacement conditions and aggregation conditions, generate address books and service books on the basis of the traffic, and then generate the target policies.
Click Network > Security Policy > Policy Optimization, and select the Policy Assistant tab. In the Policy Assistant tab, generate target policies by following the wizard:
Display Traffic -> Replace -> Aggregate -> Generate Address Book -> Generate Service Book -> Generate Policy

Enabling the Policy Assistant

Before configuring policy assistant related function, please enable the function first.

1. Select Network > Security Policy > Policy.

2. Create a rule or select an existing rule which needs to enable the policy assistant function
and click Edit to open the Policy Configuration page.

3. Expand Options, and click the Policy Assistant button to enable the function.

Notes: For the root VSYS, at most 4 policies are allowed to enable the policy assist-
ant function, while for the non-root VSYS, only 1 policy can enable the function.

Displaying Traffic

On the Display Traffic page, the source zone, source IP, destination zone, destination IP and service of the traffic that hit the selected policy ID are displayed.
To display the traffic data, take the following steps:

1. Click Network > Security Policy > Policy Optimization, and select the Policy Assistant
tab.

2. Click Display Traffic on the configuration wizard.

Configure the options as follows:

Option Description

Traffic Search: Select the ID of a policy on which the policy assistant function is enabled from the Policy ID drop-down list, and click Search Traffic. The traffic that hit the policy is displayed in the list below. Note:

• At most 1,000 traffic records can be displayed in the list. If the traffic data exceeds 1,000 records, the oldest records are overwritten.

• If the selected policy is edited, the policy assistant function is disabled, or the device is rebooted, the traffic data is cleared.

Traffic Filtering: Edit filtering conditions, and the filtered traffic data is displayed in the list.

Hide description/Show description: Click the Hide description or Show description button in the upper right corner to hide/view the step-by-step instructions of the policy assistant.

Clear: Click the Clear button to delete the searched traffic data in the list.
Note: Make sure the searched traffic has been analyzed before clearing.

3. Click Next to enter into the next configurations.

Replacing Policy

You can set a condition on the source IP, destination IP or service. When a policy item meets the condition, the item is replaced with the condition.

Application Scenario Example

For example, the admin gets some traffic data originating from 172.16.1.10. After analysis, the source IP is judged to be normal, and so is every IP address in 172.16.1.0/24. To widen the source IP range to 172.16.1.0/24, the admin can set 172.16.1.0/24 as the replacement condition on the Replace Policy page; the source IP of every searched traffic record within that range is then changed to 172.16.1.0/24.

Configuring Replacement Conditions

To configure replacement conditions for the policy items, take the following steps:

1. Click Replace on the configuration wizard.

Configure the options as follows:

Option Description

Source IP: Specify the replacement condition of the source IP. At most 3 conditions can be set for the source IP.

1. Click the +Source IP button.

2. Select IP/Netmask or IP Range from the drop-down list and set the replacement conditions as needed.

Destination IP: Specify the replacement condition of the destination IP. At most 3 conditions can be set for the destination IP.

1. Click the +Destination IP button.

2. Select IP/Netmask or IP Range from the drop-down list and set the replacement conditions as needed.

Service: Specify the replacement condition of the service. At most 3 conditions can be set for the service.

1. Click the +Service button.

2. Specify the protocol from the drop-down list and set the port range as needed.

2. Click Next to enter into the next configurations.

Aggregating Policy

You can aggregate the policy items of the same source IP, destination IP and service, so as to
reduce the redundant policies.
To aggregate policies, take the following steps:

1. Click Aggregate on the configuration wizard.

2. Select the Aggregation conditions (Source IP, Destination IP, Service or Application); the policy items in the list are aggregated by the selected conditions.

3. Select the Address Book Generation conditions (Source IP or Destination IP) to enable the Address Book Generation function. The corresponding address book entries are then listed in the "Generate Address Book" step according to the generation conditions. By default, all the Address Book Generation conditions are selected. If no condition is selected, the Address Book Generation function is disabled, the "Generate Address Book" step is removed from the configuration wizard, and the system generates policies based on IP addresses rather than address books.

4. Click Next to enter into the next configurations.

Generating Address book

The searched traffic data shows the source IP and the destination IP. After the replacing and aggregating steps, if you selected Address Book Generation conditions in the Aggregate step, the address book entries that can be generated are displayed on the Generate Address Book page. You can select the desired entries to be generated as address books and added to the system address books.
If you do not want to generate address books, click Next to go directly to the next configurations.
To generate address books, take the following steps:
To generate address book, take the following steps:

1. Click Generate Address book on the configuration wizard. The Generate Address Book
page displays items of all address books, including the type, member and status.

2. Specify the prefix for the source address book in the list. The range is 1 -80 characters. The
default prefix is "policy_assistant_src". When the prefix is specified, the name of address
book in the list will be changed to "the specified prefix_addr+serial number".

3. Specify the prefix for the destination address book in the list. The range is 1 -80 characters.
The default prefix is "policy_assistant_dst". When the prefix is specified, the name of
address book in the list will be changed to "the specified prefix_addr+serial number".

4. Select the check box before the desired address book entry and click the Generate Address Book button; the corresponding address book is generated (it can be seen in Object > Address Book). After an address book is generated successfully, the Status column shows Generated; if generation fails, the Status column shows the failure reason.

5. Click Next to enter into the next configurations.

Generating Service Book

The searched traffic data shows the protocol and port, and you can generate the corresponding service books based on them. After the replacing, aggregating and address book generation steps, the service book entries that can be generated are displayed on the Generate Service Book page. You can select the desired entries to be generated as service books and added to the system service books.
If you do not want to generate service books, click Next to go directly to the next configurations.
To generate service books, take the following steps:
To generate service, take the following steps:

1. Click Generate Service Book on the configuration wizard. The Generate Service Book page
displays items of all service books, including the protocol, destination/source port and
status.

2. Specify the prefix for the service book in the list. The range is 1 -95 characters. The default
prefix is "policy_assistant". When the prefix is specified, the name of service book in the list
will be changed to "the specified prefix + protocol configurations".

3. Select the check box before the desired service book entry and click Generate Service; the corresponding service book is generated (it can be seen in Object > Service Book > Service). After a service book is generated successfully, the Status column shows Generated; if generation fails, the Status column shows the failure reason.

4. Click Next to enter into the next configurations.

Generating Policy

The Generate Policy page displays all policy items after the configurations on the Replace, Aggregate, Generate Address Book and Generate Service Book pages. You can select policy items as needed to generate policies; the generated policies are displayed on the Security Policy > Policy page.
Note: For the generated security policies, the source IP, destination IP, service and application are determined by the selected aggregation conditions, while the source zone, destination zone and action stay the same as in the original policy.
To generate policies, take the following steps:

1. Click Generate Policy on the configuration wizard.

Configure the options as follows:

Option Description

Generate & Enable: Select the check box before the policy items as needed and click Generate & Enable; the policies take effect after generation. The generated policies are displayed on the Policy page, above the original policies.

Generate & Disable: Select the check box before the policy items as needed and click Generate & Disable; the policies do not take effect after generation. The generated policies are displayed on the Policy page, above the original policies.

Delete: Select the check box before the policy items as needed and click Delete; the policy items are deleted.

2. Click Finish to finish the configurations of policy assistant.
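The wizard steps above, carried through in code so the effect of each step on the resulting policies can be seen. This is an added example, not Hillstone code: the traffic records are constructed, the widening in replace() follows the Application Scenario Example, and the generated names ("<prefix>_addrN", "<prefix>_<protocol>_<port>") are assumptions based on the guide's wording, not the device's exact output.

```python
"""Policy Assistant steps as code: Replace -> Aggregate -> Generate Address
Book -> Generate Service Book -> Generate Policy.

Added example, not Hillstone code. Traffic records are constructed; the name
patterns are assumptions based on the guide's description of the prefixes.
"""
from ipaddress import ip_address, ip_network

# Constructed traffic, as the Display Traffic step would list it for one policy ID.
TRAFFIC = [
    {"src_zone": "trust", "src": "172.16.1.10", "dst_zone": "untrust", "dst": "203.0.113.20", "proto": "tcp", "dport": 443},
    {"src_zone": "trust", "src": "172.16.1.11", "dst_zone": "untrust", "dst": "203.0.113.20", "proto": "tcp", "dport": 443},
    {"src_zone": "trust", "src": "172.16.1.12", "dst_zone": "untrust", "dst": "203.0.113.20", "proto": "tcp", "dport": 80},
    {"src_zone": "trust", "src": "10.9.9.9", "dst_zone": "untrust", "dst": "203.0.113.21", "proto": "udp", "dport": 53},
]


def replace(flows, src_conditions=(), dst_conditions=()):
    """Replace step: an IP inside a condition prefix is widened to that prefix."""
    def widen(ip, conditions):
        for cidr in conditions:
            if ip_address(ip) in ip_network(cidr):
                return cidr
        return ip
    return [dict(f, src=widen(f["src"], src_conditions), dst=widen(f["dst"], dst_conditions))
            for f in flows]


def aggregate(flows, keys=("src", "dst", "proto", "dport")):
    """Aggregate step: collapse flows with identical values for the chosen keys."""
    seen = {}
    for f in flows:
        seen.setdefault(tuple(f[k] for k in keys), f)  # first record keeps zones
    return list(seen.values())


def generate_address_books(flows, src_prefix="policy_assistant_src", dst_prefix="policy_assistant_dst"):
    """Address Book step: one named entry per distinct source and destination."""
    books = {}
    for side, prefix in (("src", src_prefix), ("dst", dst_prefix)):
        for n, addr in enumerate(dict.fromkeys(f[side] for f in flows), 1):
            books[(side, addr)] = f"{prefix}_addr{n}"   # assumed naming pattern
    return books


def generate_service_books(flows, prefix="policy_assistant"):
    """Service Book step: one entry per distinct protocol/port pair."""
    return {(f["proto"], f["dport"]): f"{prefix}_{f['proto']}_{f['dport']}" for f in flows}


def generate_policies(flows, addr_books, svc_books, action="permit"):
    """Generate Policy step: zones and action come from the original policy,
    addresses and service from the aggregated, book-named items."""
    return [
        {
            "src_zone": f["src_zone"],
            "src": addr_books[("src", f["src"])],
            "dst_zone": f["dst_zone"],
            "dst": addr_books[("dst", f["dst"])],
            "service": svc_books[(f["proto"], f["dport"])],
            "action": action,
        }
        for f in flows
    ]


def run_assistant(traffic, src_conditions=("172.16.1.0/24",)):
    """Whole wizard for one policy's traffic; returns the policies to generate."""
    flows = aggregate(replace(traffic, src_conditions=src_conditions))
    addr_books = generate_address_books(flows)
    svc_books = generate_service_books(flows)
    return generate_policies(flows, addr_books, svc_books)


if __name__ == "__main__":
    for policy in run_assistant(TRAFFIC):
        print(policy)
```

The replacement step is where the generated policy becomes broader than the observed traffic: every host in 172.16.1.0/24 is permitted although only three were seen. Review the replacement conditions with that in mind before clicking Generate & Enable; Generate & Disable lets the rules be inspected in the policy list first.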

LLDP
Network devices are increasingly diverse, and their configurations are correspondingly complicated. Mutual discovery and exchange of system and configuration information between devices of different manufacturers is therefore necessary to facilitate management. LLDP (Link Layer Discovery Protocol) is a neighbor discovery protocol defined in IEEE 802.1AB, which provides a discovery method at the link layer. By means of LLDP, the system can quickly learn the topology of the layer-2 network and its changes as the network grows.
With LLDP, the device's LLDP information, including the device information, system name, system description, port description, network management address and so on, is sent as standard TLV (Type Length Value) fields in multicast frames from a physical port to the directly connected neighbor. If the neighbor has LLDP enabled too, a neighbor relationship is established between the two sides. When the neighbor receives these frames, it stores the information as MIB objects in its SNMP MIB database, where the network management system can query and analyze the layer-2 topology of the current network and the problems in it.

LLDP Work Mode


The 4 work modes of LLDP are listed below:

• Transmit and Receive: the port transmits and receives LLDP messages.

• Receive only: the port only receives LLDP messages.

• Transmit only: the port only transmits LLDP messages.

• Not work: the port neither transmits nor receives LLDP messages.

Related links:

• Configuring LLDP

• Viewing MIB Topology

LLDP Configuration
Configuring LLDP lets neighbor devices collect network topology changes.

• Enabling LLDP

• Modifying LLDP Configuration

Enabling LLDP

LLDP is enabled on a port only when both the global LLDP setting and the LLDP setting of that port are enabled; only then can the port transmit and receive LLDP messages.

• By default, global LLDP and per-port LLDP are both disabled.

• When global LLDP is enabled, LLDP is enabled on all the ports of the system.

• When global LLDP is disabled, LLDP is disabled on all the ports of the system.

• When global LLDP is enabled, the user does not have to modify the LLDP configuration, because LLDP runs with the default configuration. To tune the LLDP configuration, see Modifying LLDP Configuration.

Notes: Only the physical ports of the device support enabling LLDP. Logical ports do not support this function.

To enable the global LLDP, take the following steps:

1. Select Network > LLDP > LLDP Configuration.

2. Click Global Enable button.

3. Click OK to enable LLDP by default configuration.

The LLDP default configuration is as follows:

Option Default

Initialization Delay: 2 seconds

Transmission Delay: 1 second

Transmission Interval: 30 seconds

TTL Multiplier: 4 (a multiplier, not seconds; the advertised TTL is Transmission Interval × TTL Multiplier, i.e., 120 seconds with the defaults)

Port: LLDP is enabled on all the physical ports, with the work mode set to Transmit and Receive.

Modifying LLDP Configuration

According to the loading condition of network, you can modify related LLDP configuration to
reduce the consumption of system resources and optimize the LLDP performance.
To modify LLDP configuration, take the following steps:

• Select Network > LLDP > LLDP Configuration.

On the LLDP Configuration page, configure as follows:

Option Description

Initialization Delay: When the LLDP work mode of a port changes, the system re-initializes the port. Configuring an initialization delay prevents continuous re-initialization of the port due to frequent changes of the LLDP work mode.
Type the initialization delay of the port in the Initialization Delay text box. The unit is seconds, and the range is from 1 to 10.

Transmission Delay: The minimum delay before LLDP messages are sent to the neighbor device when the state of the local device changes frequently.
Type the minimum delay before an LLDP message is sent in the Transmission Delay text box. The unit is seconds, and the range is from 1 to 900.

Transmission Interval: The period at which LLDP messages are transmitted to the neighbor device while the state of the local device remains stable.
Type the transmission period in the Transmission Interval text box. The unit is seconds, and the range is from 1 to 3600.

TTL Multiplier: TTL (Time to Live) is the time for which the local device's information lives in the neighbor device. The TTL multiplier adjusts that lifetime. The formula is: TTL = Transmission Interval × TTL Multiplier.
Type the TTL multiplier in the TTL Multiplier text box. The range is from 1 to 100.

Port: Click the Enable button under LLDP Enable to enable the LLDP function of the port.
Select an LLDP work mode from the Work Mode drop-down menu to modify the LLDP work mode of the port.
Note: For an introduction to the LLDP work modes, see LLDP Work Mode.

• Click OK.

Viewing MIB Topology
You can view the LLDP local information and the neighbor information (the LLDP information sent from the neighbor device to the local device) of a port on the MIB Topology page.
To view the MIB topology, take the following steps:

1. Select Network > LLDP > MIB Topology.

2. Click the Local Information button to open the Local Information page and view the LLDP local information, including the chassis ID, system name, system description, system capabilities, management address and so on.

3. View the MIB topology and the neighbor information of all LLDP-enabled ports in the list on the MIB Topology page.
DNS
DNS, short for Domain Name System, is a hierarchical naming system for computers and network services. DNS is designed for TCP/IP networks to query Internet domain names (e.g., www.xxxx.com) and translate them into IP addresses (e.g., 10.1.1.1) in order to locate the related computers and services. The system supports both IPv4 and IPv6 addresses.
The security device's DNS provides the following functions:

• Server: Configures DNS servers and default domain names for the security device.

• Analysis: Sets the retry times and timeout for the device's DNS service.

Configuring a DNS Server

You can configure a DNS server for the system to perform DNS resolution. To create a DNS server, take the following steps:

1. Select Network > DNS > DNS Server.

2. Click New to go to the DNS Server Configuration page.

3. Select IPv4 or IPv6.

4. Select a VRouter from the VR drop-down list. The default VRouter is trust-vr.

5. Enter the IP address of the DNS server in the Server IP field.

6. Click OK.

Configuring an Analysis
Analysis configuration includes the retry times and timeout of DNS requests.

• Retry: If there is no response from the DNS server after the timeout, the system sends the request again; if there is still no response after the specified retry times (i.e., the number of times the DNS request is repeated), the system sends the request to the next DNS server.

• Timeout: After sending a DNS request, the system waits for the DNS server's response and resends the request if no response arrives within the specified time. This waiting period is the timeout.

To configure the retry times and timeout for DNS requests, take the following steps:

1. Select Network > DNS > Analysis.

2. Select the retry times.

3. Select the timeout value.

4. Click OK.
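The retry and timeout behaviour described above, as an added Python example that is not part of this guide and not Hillstone's code. It shows how a client works through the configured servers in order: each server gets one attempt plus the configured number of retries, every unanswered attempt costs a full timeout, and only then does the next server get the request. The retry count, the timeout, the server addresses and the simulated servers are all constructed; the real device's DNS client is not modelled beyond what the text states.

```python
"""Added example, not Hillstone code: models the retry/timeout behaviour
described for the device's DNS client.  Servers are simulated with a
constructed table so the logic runs offline."""
from dataclasses import dataclass, field


@dataclass
class DnsClient:
    servers: list                    # configured DNS servers, in order
    retry: int = 2                   # times a request is repeated per server (constructed value)
    timeout: float = 2.0             # seconds to wait for each answer (constructed value)
    log: list = field(default_factory=list)

    def resolve(self, name, send):
        """send(server, name) returns an IP string, or None if the request
        timed out.  Returns (server, ip, seconds_waited); server and ip are
        None when every server stayed silent."""
        waited = 0.0
        for server in self.servers:
            # first attempt plus 'retry' repetitions before giving up on this server
            for attempt in range(1 + self.retry):
                ip = send(server, name)
                self.log.append((server, attempt, ip))
                if ip is not None:
                    return server, ip, waited
                waited += self.timeout   # an unanswered attempt costs a full timeout
            # retries exhausted: move on to the next configured server
        return None, None, waited


class FakeServer:
    """Constructed DNS server: 'records' maps names to IPs; 'answer_after'
    is how many requests are silently dropped before the server responds.
    Unknown names are treated as no response in this toy."""
    def __init__(self, records, answer_after=0):
        self.records = records
        self.answer_after = answer_after
        self.requests = 0

    def query(self, name):
        self.requests += 1
        if self.requests <= self.answer_after:
            return None                       # simulated timeout
        return self.records.get(name)


def demo():
    """Constructed topology: a dead primary server and a flaky secondary one."""
    servers = {
        "10.0.0.53": FakeServer({}, answer_after=10**6),                     # never answers
        "10.0.0.54": FakeServer({"www.example.com": "10.1.1.1"}, answer_after=1),
    }
    client = DnsClient(servers=list(servers), retry=2, timeout=2.0)
    send = lambda server, name: servers[server].query(name)
    found = client.resolve("www.example.com", send)        # answered by the second server
    missing = client.resolve("nonexistent.example", send)  # every attempt on every server fails
    return found, missing
```

With retry 2 and timeout 2 seconds, the dead primary server alone delays every lookup by 6 seconds before the secondary is tried; the figures in demo() make that cost visible.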

Virtual Wire
The system supports VSwitch-based Virtual Wire. With this function enabled and a Virtual Wire interface pair configured, the two Virtual Wire interfaces form a virtual wire that connects the two subnetworks attached to the interface pair. The two connected subnetworks communicate directly at Layer 2, without MAC address learning or forwarding by another subnetwork. Policy rules and other functions still apply to traffic on a Virtual Wire.
Virtual Wire operates in two modes, Strict and Non-Strict, as detailed below:

• Strict Virtual Wire mode: Packets can only be transmitted between Virtual Wire interfaces, and the VSwitch cannot operate in Hybrid mode. Any PC connected to the Virtual Wire can neither manage the device nor access the Internet over this interface.

• Non-Strict Virtual Wire mode: Packets can be transmitted between Virtual Wire interfaces, and the VSwitch also supports data forwarding in Hybrid mode. That is, this mode only restricts the Layer 2 transmission of packets between Virtual Wire interfaces and does not affect Layer 3 forwarding.

The table below lists the packet transmission conditions in Strict and Non-Strict Virtual Wire mode. Choose the Virtual Wire mode according to your actual requirements.

Packet                                                                   Strict   Non-strict
Egress and ingress are interfaces of one Virtual Wire interface pair     Allow    Allow
Ingress is not a Virtual Wire interface                                  Deny     Deny
Egress and ingress are interfaces of different Virtual Wire pairs        Deny     Deny
Ingress of a to-self packet is a Virtual Wire interface                  Deny     Allow
Ingress is a Virtual Wire interface and egress is a Layer 3 interface    Deny     Allow
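The forwarding conditions in the table above, written as a decision function in an added Python example (not part of this guide or Hillstone's code). The point it makes explicit is that the outcome depends on pair membership, not just on whether an interface is a Virtual Wire interface: a packet between two Virtual Wire interfaces is still denied when they belong to different pairs. The interface names, the two pairs and the Layer 3 interface are a constructed topology.

```python
"""Added example, not Hillstone code: encodes the Strict / Non-strict
Virtual Wire forwarding rules from the table as a decision function and
evaluates every row.  Interface names and pairs are constructed."""
from enum import Enum


class VwMode(Enum):
    STRICT = "strict"
    NON_STRICT = "non-strict"


# Constructed topology: two Virtual Wire pairs on one VSwitch; eth0/5 is an
# ordinary Layer 3 interface and eth0/6 an ordinary (non-VW) Layer 2 interface.
VW_PAIRS = [("eth0/0", "eth0/1"), ("eth0/2", "eth0/3")]
L3_INTERFACES = {"eth0/5"}


def vw_pair_of(ifname):
    """Return the Virtual Wire pair containing ifname, or None."""
    for pair in VW_PAIRS:
        if ifname in pair:
            return pair
    return None


def vw_forwards(mode, ingress, egress=None, to_self=False):
    """Decide whether the Virtual Wire allows a packet entering 'ingress'.
    egress=None with to_self=True means the packet is addressed to the
    device itself (for example management traffic)."""
    in_pair = vw_pair_of(ingress)
    if in_pair is None:
        return False                          # ingress is not a VW interface: deny in both modes
    if to_self:
        return mode is VwMode.NON_STRICT      # to-self packet: strict denies, non-strict allows
    if egress in L3_INTERFACES:
        return mode is VwMode.NON_STRICT      # VW ingress, Layer 3 egress: only non-strict forwards
    return vw_pair_of(egress) == in_pair      # same pair: allow; different pair: deny


def check_table():
    """Evaluate each row of the table in both modes.
    Returns {row: (strict_result, non_strict_result)}."""
    rows = {
        "same pair":        dict(ingress="eth0/0", egress="eth0/1"),
        "non-VW ingress":   dict(ingress="eth0/6", egress="eth0/1"),
        "different pairs":  dict(ingress="eth0/0", egress="eth0/2"),
        "to-self":          dict(ingress="eth0/0", to_self=True),
        "L3 egress":        dict(ingress="eth0/0", egress="eth0/5"),
    }
    return {row: (vw_forwards(VwMode.STRICT, **kw), vw_forwards(VwMode.NON_STRICT, **kw))
            for row, kw in rows.items()}
```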

Configuring a Virtual-Wire
To create a Virtual-Wire, take the following steps:

1. Select Network > Virtual-Wire.

2. Click New.

3. On the Virtual-Wire Configuration page, select a virtual switch from the VSwitch drop-down list.

4. In the Interface 1 drop-down list, specify the first interface of the virtual wire interface pair. The two interfaces in a virtual wire interface pair must be different, and an interface cannot belong to two different virtual wire interface pairs at the same time.

5. In the Interface 2 drop-down list, specify the second interface of the virtual wire interface pair, subject to the same restriction.

6. Click OK.

Configuring the Virtual Wire Mode

To configure the virtual wire mode, take the following steps:

1. Select Network > Virtual-Wire.

2. Click Virtual-Wire Mode.

3. In the Virtual Wire Mode Configuration panel, select a virtual switch from the VSwitch drop-down list.

4. Specify a virtual wire mode from the following options:

   • Strict - Packets can only be transmitted between virtual wire interfaces, and the VSwitch cannot operate in Hybrid mode. Any PC connected to the virtual wire can neither manage the device nor access the Internet over this interface.

   • Non-strict - Packets can be transmitted between virtual wire interfaces, and the VSwitch also supports data forwarding in Hybrid mode. That is, this mode only restricts the Layer 2 transmission of packets between virtual wire interfaces and does not affect Layer 3 forwarding.

   • Disabled - Disables the virtual wire.

5. Click OK.

Virtual Router
A Virtual Router (VRouter) is called a VR in the system. A VR acts as a router, and different VRs have their own independent routing tables. Two VRs named "trust-vr" and "mgt-vr" are implemented in the system by default. You can also create new VRs. The system supports multiple VRs, and the maximum number of supported VRs may vary with the hardware platform. Multiple VRs divide a device into multiple virtual routers, each of which uses and maintains its own independent routing table, so that one device acts as multiple routers. Multiple VRs allow a device to isolate addresses between different routing zones and to overlap addresses between different VRs, and to some extent avoid route leaking, enhancing the routing security of the network. For more information about the relationship between interfaces, security zones, VSwitches and VRouters, see the following diagram:

As shown above, the binding relationships between them are:

• Interfaces are bound to security zones. Interfaces bound to Layer 2 security zones and to Layer 3 security zones are known as Layer 2 interfaces and Layer 3 interfaces respectively. An interface can be bound to only one security zone. A primary interface and its sub-interfaces can belong to different security zones.

• Security zones are bound to a VSwitch or a VRouter. Layer 2 security zones are bound to a VSwitch (by default the pre-defined Layer 2 security zone is bound to the default VSwitch1), and Layer 3 security zones are bound to a VRouter (by default the pre-defined Layer 3 security zone is bound to the default trust-vr), which realizes the binding between interfaces and a VSwitch or VR. A security zone can be bound to only one VSwitch or VR.

Creating a Virtual Router
To create a virtual router, take the following steps:

1. Select Network > Virtual Router > Virtual Router.

2. Click New.

3. On the Virtual Router Configuration page, enter the name of the virtual router.

4. Click OK.

Global Configuration
This section introduces how to enable or disable multiple virtual routers.

Configuring Multiple Virtual Routers

By default, the multiple virtual routers mode is disabled, and you cannot create two or more sites with the same IP address, port and domain. When the mode is enabled, sites can be bound to different virtual routers so that the system can identify and protect them; in this case you can create sites with the same IP/port/domain. With the mode disabled, the system identifies a unique site by the combination of the default VR and IP address + port number + domain name. After the mode is enabled, the system can create new virtual routers, so that the same IP address + port number + domain name can be combined with more virtual routers and more sites can be uniquely identified.

1. Select Network > Virtual Router > Global Configuration.

2. On the Global Configuration page, enable Multiple Virtual Routers.

3. Click OK.

4. Restart the system for this function to take effect.

After the restart, you can create multiple virtual routers as needed. For more information, refer to "Creating a Virtual Router" on Page 542.

Notes: If Multi-Virtual Router is enabled, traffic can traverse up to 3 Virtual Routers; any traffic that has to traverse more than 3 Virtual Routers is dropped.

Example: Multiple VRouter Mode

Assume that site1 and site2, both protected by the WAF, have the same IP, port, and domain. To configure multiple virtual routers, take the following steps:

1. Select Network > Virtual Router > Global Configuration and enable the multiple virtual router mode. For more information, refer to "Global Configuration" on Page 542.

2. Select Network > Virtual Router > Virtual Router and create two virtual routers named VRouter1 and VRouter2. For more information, refer to "Creating a Virtual Router" on Page 542.

3. Select Network > Zone, create four security zones named zone1, zone2, zone3, and zone4, bind the interfaces to the security zones, and bind the security zones to the virtual routers. For more information, refer to Configuring a Security Zone. The binding relationships are:

   • Bind the WAN port eth0/0 and the LAN port eth0/1 to zone1 and zone2 respectively, and bind zone1 and zone2 to VRouter1.

   • Bind the WAN port eth0/2 and the LAN port eth0/3 to zone3 and zone4 respectively, and bind zone3 and zone4 to VRouter2.

4. Select Site > Web Site. Click New to go to the Site Configuration page. Create two sites named site1 and site2 and bind them to VRouter1 and VRouter2 respectively. For more information, refer to Creating/Configuring a Site.

Through the above configuration, the WAF can protect sites with the same IP address, port number, and domain.
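How the site identity changes between single-VR and multiple-VR mode, as an added Python example that is not part of this guide or Hillstone's code. With the mode disabled every site lives in the default VR, so IP + port + domain must be unique; with it enabled the VRouter becomes part of the identity, and the site1/site2 pair from the example above can coexist. The registry class, the site names, the address and the VR names are constructed.

```python
"""Added example, not Hillstone code: models how a protected site is
identified.  Without multiple-VR mode the key is (default VR, IP, port,
domain); with it, the VRouter the site is bound to becomes part of the key.
All names and addresses are constructed."""


class DuplicateSite(ValueError):
    """Raised when a new site would be indistinguishable from an existing one."""


class SiteRegistry:
    def __init__(self, multi_vr=False, default_vr="trust-vr"):
        self.multi_vr = multi_vr
        self.default_vr = default_vr
        self.sites = {}          # identity key -> site name

    def key(self, ip, port, domain, vr=None):
        # Without multiple-VR mode every site sits in the default VR, so the
        # VR adds nothing to the identity; with it, the VR disambiguates.
        vr = (vr or self.default_vr) if self.multi_vr else self.default_vr
        return (vr, ip, int(port), domain.lower())

    def add(self, name, ip, port, domain, vr=None):
        k = self.key(ip, port, domain, vr)
        if k in self.sites:
            raise DuplicateSite(f"{name} collides with {self.sites[k]}: {k}")
        self.sites[k] = name
        return k

    def site_for(self, ip, port, domain, ingress_vr):
        """Which site does a request arriving in 'ingress_vr' belong to?"""
        return self.sites.get(self.key(ip, port, domain, ingress_vr))


def demo():
    """Constructed: two sites with identical IP/port/domain, site1 bound to
    VRouter1 and site2 to VRouter2, as in the example above."""
    same = ("10.1.1.10", 443, "www.example.com")

    single = SiteRegistry(multi_vr=False)
    single.add("site1", *same, vr="VRouter1")
    try:
        single.add("site2", *same, vr="VRouter2")
        rejected = False
    except DuplicateSite:
        rejected = True             # same IP/port/domain cannot be told apart

    multi = SiteRegistry(multi_vr=True)
    multi.add("site1", *same, vr="VRouter1")
    multi.add("site2", *same, vr="VRouter2")
    return rejected, multi.site_for(*same, "VRouter1"), multi.site_for(*same, "VRouter2")
```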

Virtual Switch
The system may forward packets between some interfaces at Layer 2 (transparent mode) and between other interfaces at Layer 3 (routing mode), depending on the actual requirements. To allow flexible configuration of a hybrid Layer 2 and Layer 3 mode, the system introduces the concept of Virtual Switch (VSwitch). By default, the system uses a VSwitch named VSwitch1. Each time you create a VSwitch, the system automatically creates a corresponding VSwitch interface (VSwitchIF) for it. You bind an interface to a VSwitch by binding the interface to a security zone and then binding the security zone to the VSwitch.
A VSwitch acts as a Layer 2 forwarding zone, and each VSwitch has its own independent MAC address table, so packets between different interfaces in one VSwitch are forwarded according to Layer 2 forwarding rules. You can easily configure policy rules in a VSwitch. A VSwitchIF virtually acts as a switch uplink interface, allowing packet forwarding between Layer 2 and Layer 3.

Creating a VSwitch
To create a VSwitch, take the following steps:

1. Select Network > VSwitch.

2. Click New.

The options are described as follows.

VSwitch Name
    Specifies a name for the VSwitch.

Virtual-Wire Mode
    Specifies a Virtual-Wire mode for the VSwitch (for details on Virtual Wire, see "Virtual Wire" on Page 538):
    • Strict - Packets can only be transmitted between Virtual Wire interfaces, and the VSwitch cannot operate in Hybrid mode. Any PC connected to the Virtual Wire can neither manage the device nor access the Internet over this interface.
    • Non-strict - Packets can be transmitted between Virtual Wire interfaces, and the VSwitch also supports data forwarding in Hybrid mode. That is, this mode only restricts the Layer 2 transmission of packets between Virtual Wire interfaces and does not affect Layer 3 forwarding.
    • Disabled - Disables Virtual Wire.

IGMP Snooping
    Enables IGMP snooping on the VSwitch.

Forward Tagged Packets
    Enables VLAN transparency so that the device transmits VLAN-tagged packets transparently, i.e., packets tagged with a VLAN ID keep their original ID after passing through the device.

Forward Double Tagged Packets
    Enables VLAN transparency so that the device transmits double-tagged VLAN packets transparently, i.e., packets tagged with a VLAN ID keep their original ID after passing through the device.

Drop Unknown Multicast Packets
    Drops packets sent to unknown multicast addresses to save bandwidth.

MPLS Inspection
    Turn on the switch button to enable MPLS Inspection.
    Note: This function is only supported in transparent tap mode. Before enabling MPLS Inspection, select Forward for the Non-IP and Non-ARP Packet option in Network > Global Network Parameters.

3. Click OK.

Routing
A destination route is a manually configured route entry that determines the next hop based on the destination IP address. Typically, a network with a comparatively small number of outbound connections or with stable intranet connections uses destination routes. You can also add a default route entry as needed.

Creating a Destination Route

To create a destination route, take the following steps:

1. Select Network > Routing > Destination Route.

2. Click New.

On the Destination Route Configuration page, enter the values.

Virtual Router
    From the Virtual Router drop-down list, select the virtual router for the new route. The default value is "trust-vr".

Destination
    Enter the destination IP address of the route into the text box.

Netmask
    Enter the corresponding subnet mask into the text box.

Next-hop
    To specify the type of next hop, click Gateway, Interface, or Current VRouter.
    • Gateway: Enter the IP address into the Gateway text box.
    • Interface: Select a name from the Interface drop-down list. Enter the IP address into the Gateway text box.
    • Virtual Router: Select a virtual router from the Virtual Router drop-down list.

Track Object
    Select a track object from the drop-down list. In this case, the route remains active if the track object fails.

Precedence
    Enter the route precedence into the text box. The smaller the value, the higher the precedence. If multiple routes are available, the route with the higher precedence is prioritized. The value range is 1 to 255. The default value is 1. When the value is set to 255, the route is invalid.

Weight
    Enter the weight of the route into the text box. This parameter determines the share of traffic forwarded by the route in load balancing. The value range is 1 to 255. The default value is 1.

Description
    Enter the description into the Description text box if necessary.

3. Click OK.
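How the precedence and weight fields described above combine when a destination is looked up, as an added Python example that is not part of this guide or Hillstone's code. It keeps a small routing table per VR, excludes routes whose precedence is 255, prefers the lowest precedence value among equal candidates, and shares traffic between equal routes in proportion to their weights. Longest-prefix match before precedence is standard routing behaviour assumed here; the page only defines the fields. All addresses, next hops and the VR name are constructed.

```python
"""Added example, not Hillstone code: a destination routing table with the
fields described above (VR, destination/netmask, next hop, precedence and
weight).  Lookup picks the longest matching prefix, then the lowest
precedence value (255 marks an invalid route), then chooses among equal
routes in proportion to their weights.  All addresses are constructed."""
import ipaddress
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    vr: str
    network: ipaddress.IPv4Network
    next_hop: str            # gateway IP, interface name, or another VRouter
    precedence: int = 1      # 1..255, lower wins; 255 = route is invalid
    weight: int = 1          # 1..255, share of traffic among equal routes

    def __post_init__(self):
        if not 1 <= self.precedence <= 255 or not 1 <= self.weight <= 255:
            raise ValueError("precedence and weight must be within 1..255")


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add(self, vr, destination, netmask, next_hop, precedence=1, weight=1):
        net = ipaddress.IPv4Network(f"{destination}/{netmask}", strict=False)
        route = Route(vr, net, next_hop, precedence, weight)
        self.routes.append(route)
        return route

    def candidates(self, vr, dst_ip):
        """Routes in 'vr' that could forward dst_ip after longest-prefix match
        and precedence filtering.  Routes with precedence 255 never match."""
        addr = ipaddress.IPv4Address(dst_ip)
        usable = [r for r in self.routes
                  if r.vr == vr and r.precedence < 255 and addr in r.network]
        if not usable:
            return []
        longest = max(r.network.prefixlen for r in usable)
        best = [r for r in usable if r.network.prefixlen == longest]
        top = min(r.precedence for r in best)
        return [r for r in best if r.precedence == top]

    def lookup(self, vr, dst_ip, rng=random):
        """Return the route used for dst_ip, or None if there is no route.
        Equal routes are load-balanced by weight."""
        cands = self.candidates(vr, dst_ip)
        if not cands:
            return None
        if len(cands) == 1:
            return cands[0]
        return rng.choices(cands, weights=[r.weight for r in cands])[0]


def weighted_sample(table, vr, dst_ip, n=1000, seed=1):
    """Count which next hop is chosen over n lookups with a seeded RNG."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(n):
        hop = table.lookup(vr, dst_ip, rng).next_hop
        counts[hop] = counts.get(hop, 0) + 1
    return counts


def build_demo_table():
    """Constructed table: a default route, a primary and backup /16, an
    invalid /24 that must never be chosen, and two weighted equal routes."""
    t = RoutingTable()
    t.add("trust-vr", "0.0.0.0", "0.0.0.0", "203.0.113.1")                    # default route
    t.add("trust-vr", "10.1.0.0", "255.255.0.0", "10.1.1.253", precedence=1)
    t.add("trust-vr", "10.1.0.0", "255.255.0.0", "10.1.1.254", precedence=10)  # backup
    t.add("trust-vr", "10.1.2.0", "255.255.255.0", "eth0/1", precedence=255)   # invalid
    t.add("trust-vr", "192.168.0.0", "255.255.0.0", "192.168.0.1", weight=3)
    t.add("trust-vr", "192.168.0.0", "255.255.0.0", "192.168.0.2", weight=1)
    return t
```

Note that the invalid /24 route (precedence 255) is the most specific match for 10.1.2.x, yet it is skipped and the primary /16 route is used instead; setting precedence to 255 is the documented way to park a route without deleting it.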

Global Network Parameters
Global network parameter configuration includes IP fragment handling, TCP packet processing methods, and other options.

Configuring Global Network Parameters

To configure global network parameters, take the following steps:

1. Select Network > Global Network Parameters > Global Network Parameters.

2. Configure the following parameters.

IP Fragment

Maximum of Fragment
    Specifies the maximum number of fragments for every IP packet. The value range is 1 to 1024. The default value is 48. Any IP packet that contains more fragments than this number is dropped.

Timeout
    Specifies the timeout period for fragment reassembly. The value range is 1 to 30 seconds. The default value is 2 seconds. If the device has not received all the fragments when the timeout period expires, the packet is dropped.

Long Duration Session
    Enables or disables long duration sessions. If this function is enabled, specify the percentage of long duration sessions in the Percentage field. The default value is 10, i.e., long duration sessions may make up 10% of the total sessions.

TCP

TCP MSS
    Specifies an MSS value for all TCP SYN/ACK packets. Click the button to enable TCP MSS and enter the value into the Maximum MSS field.

TCP Sequence Number Check
    Configures whether the TCP sequence number is checked. When this function is enabled, a TCP packet whose sequence number falls outside the TCP window is dropped.

TCP Three-way Handshaking
    Configures whether the timeout of the TCP three-way handshake is checked. Click the button to enable this function and specify a timeout value in the Timeout field. The value range is 1 to 1800 seconds. The default value is 20. If the three-way handshake has not completed when the timeout expires, the connection is dropped.

TCP SYN Packet Check
    Click the button to enable this function; a connection can then be established only when the packet is a TCP SYN packet.

Others

Non-IP and Non-ARP Packet
    Specifies how to process packets that are neither IP nor ARP. You can select Forward or Drop.

3. Click OK.
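What the two IP Fragment limits and the TCP Sequence Number Check above actually enforce, as an added Python example that is not part of this guide or Hillstone's code. The reassembler drops a packet when it exceeds the maximum fragment count or when its fragments do not all arrive within the timeout, and the sequence check accepts only segments that overlap the receive window. The fragments are constructed tuples rather than real captures, the defaults 48 and 2 seconds are taken from the table, and the precise drop semantics of the device are not claimed beyond what the text states.

```python
"""Added example, not Hillstone code: a toy IP fragment reassembler that
enforces the Maximum of Fragment (default 48) and reassembly Timeout
(default 2 seconds) limits from the table above, plus the TCP Sequence
Number Check as a receive-window test.  Fragments are constructed tuples."""
from dataclasses import dataclass


@dataclass
class FragmentConfig:
    max_fragments: int = 48      # 1..1024
    timeout: float = 2.0         # 1..30 seconds


class Reassembler:
    def __init__(self, cfg=None):
        self.cfg = cfg or FragmentConfig()
        self.pending = {}        # (src, dst, ip_id) -> [first_seen, {offset: (payload, more)}]

    def feed(self, now, src, dst, ip_id, offset, more, payload):
        """Feed one fragment.  Returns ('complete', payload_bytes),
        ('pending', None) or ('drop', reason)."""
        key = (src, dst, ip_id)
        first_seen, frags = self.pending.setdefault(key, [now, {}])
        if now - first_seen > self.cfg.timeout:
            del self.pending[key]            # Timeout: not all fragments arrived in time
            return "drop", "reassembly timeout"
        frags[offset] = (payload, more)
        if len(frags) > self.cfg.max_fragments:
            del self.pending[key]            # Maximum of Fragment exceeded
            return "drop", "too many fragments"
        data = self._assemble(frags)
        if data is None:
            return "pending", None
        del self.pending[key]
        return "complete", data

    @staticmethod
    def _assemble(frags):
        """Return the full payload if the fragments are contiguous from
        offset 0 up to a fragment with more=False; otherwise None."""
        expected = 0
        out = bytearray()
        for offset in sorted(frags):
            payload, more = frags[offset]
            if offset != expected:
                return None                  # hole in the sequence
            out += payload
            expected += len(payload)
            if not more:
                return bytes(out)
        return None                          # last fragment not seen yet

    def expire(self, now):
        """Drop every pending packet older than the timeout; returns how many."""
        stale = [k for k, (seen, _) in self.pending.items() if now - seen > self.cfg.timeout]
        for k in stale:
            del self.pending[k]
        return len(stale)


def tcp_seq_in_window(seq, seg_len, rcv_nxt, rcv_wnd):
    """TCP Sequence Number Check: True if the segment overlaps the receive
    window [rcv_nxt, rcv_nxt + rcv_wnd); arithmetic is modulo 2**32 so a
    segment that wraps past 2**32 - 1 is still judged correctly."""
    m = 1 << 32
    first = (seq - rcv_nxt) % m
    last = (seq + max(seg_len, 1) - 1 - rcv_nxt) % m
    if rcv_wnd == 0:
        return seg_len == 0 and first == 0
    return first < rcv_wnd or last < rcv_wnd
```

The expire() method matters in practice: a packet whose last fragment never arrives is only dropped by a timeout sweep, since feed() can only notice the timeout when another fragment shows up.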

NAT
NAT, short for Network Address Translation, is the protocol that translates the IP address in an IP packet header to another IP address. When IP packets pass through the device or a router, the device or router translates the source IP address and/or the destination IP address in the packets. In practice, NAT is mostly used to allow a private network to access the public network, or vice versa.

Basic Translation Process of NAT

When a device implements the NAT function, it lies between the public network and the private network. The following legend illustrates the basic translation process of NAT.

As shown above, the device lies between the private network and the public network. When the internal PC at 10.1.1.2 sends an IP packet (IP packet 1) to the external server at 202.1.1.2 through the device, the device checks the packet header. Finding that the packet is destined for the public network, the device translates the source IP address 10.1.1.2 of packet 1 to the public IP address 202.1.1.1, which is routable on the Internet, and then forwards the packet to the external server. At the same time, the device records the mapping between the two addresses in its NAT table. When the response to IP packet 1 reaches the device, the device checks the packet header again, finds the mapping record in its NAT table, and replaces the destination address with the private address 10.1.1.2. In this process, the device is transparent to the PC and the server. The external server considers the IP address of the internal PC to be 202.1.1.1 and knows nothing about the private address 10.1.1.2. In this way, NAT hides the private network of an enterprise.

Implementing NAT
The device translates the IP address and port number of an internal host to an external address and port number of the device, and vice versa; that is, it translates between "private IP address + port number" and "public IP address + port number".
The device achieves the NAT function through the creation and application of NAT rules. There are two types of NAT rules: source NAT rules (SNAT rules) and destination NAT rules (DNAT rules). SNAT translates source IP addresses, thereby hiding the internal IP addresses or sharing a limited number of public IP addresses; DNAT translates destination IP addresses, usually translating the IP addresses of internal servers (such as the WWW server or SMTP server) protected by the device to public IP addresses.

Configuring SNAT
To create an SNAT rule, take the following steps:

1. Select Network > NAT > SNAT.

2. Click New to go to the SNAT Configuration page.

On the SNAT Configuration page, configure the following options.

Requirements

Virtual Router
    Specifies a VRouter for the SNAT rule.

Type
    Specifies the type of the SNAT rule: IPv4, NAT46, NAT64, or IPv6. The configuration options for the different types of SNAT rules may vary; refer to the actual page.

Source Address
    Specifies the source IP address of the traffic, including:
    • Address Entry - Select an address entry from the drop-down list. Click the icon beside it to add new address books.
    • IP Address - Enter an IP address into the box. Enter an IPv4 address if the type of the SNAT rule is IPv4 or NAT46, or an IPv6 address if the type is NAT64 or IPv6.
    • IP/Netmask - Enter an IP address and its netmask into the box. This option is available if the type of the SNAT rule is IPv4 or NAT46.
    • IPv6/Prefix - Enter an IPv6 address and its prefix length into the box. This option is available if the type of the SNAT rule is NAT64 or IPv6.

Destination Address
    Specifies the destination IP address of the traffic, including:
    • Address Entry - Select an address entry from the drop-down list. Click the icon beside it to add new address books.
    • IP Address - Enter an IP address into the box. Enter an IPv4 address if the type of the SNAT rule is IPv4 or NAT46, or an IPv6 address if the type is NAT64 or IPv6.
    • IP/Netmask - Enter an IP address and its netmask into the box. This option is available if the type of the SNAT rule is IPv4 or NAT46.
    • IPv6/Prefix - Enter an IPv6 address and its prefix length into the box. This option is available if the type of the SNAT rule is NAT64 or IPv6.

Ingress Traffic
    Specifies the ingress traffic. The default value is all traffic.
    • All traffic - Specifies all traffic as the ingress traffic. Traffic from any ingress interface continues to match this SNAT rule.
    • Ingress Interface - Specifies the ingress interface of the traffic. Select an interface from the drop-down list. When an interface is specified, only traffic from this interface continues to match this SNAT rule; traffic from other interfaces does not.

Egress Traffic
    Specifies the egress traffic. The default value is all traffic.
    • All traffic - Specifies all traffic as the egress traffic. Traffic to any egress interface continues to match this SNAT rule.
    • Egress Interface - Specifies the egress interface of the traffic. Select an interface from the drop-down list. When an interface is specified, only traffic leaving through this interface continues to match this SNAT rule; traffic through other interfaces does not.

Service
    Specifies the service type of the traffic from the drop-down list. To create a new service or service group, click the icon in the User-defined section.

Translate to

Translated
    Specifies the translated NAT IP address, including:
    • Egress IF IP - The NAT IP address is the IP address of the egress interface.
    • Specified IP - The NAT IP address is a specified IP address. After selecting this option, specify the available IP address in the Address drop-down list.
    • No NAT - Do not implement NAT.

Mode
    Specifies the translation mode, including:
    • Static - One-to-one translation. This mode requires the translated address entry to contain the same number of IP addresses as the source address entry.
    • Dynamic IP - Multiple-to-one translation. This mode translates the source address to a specific IP address. Each source address is mapped to a unique IP address, until all specified addresses are occupied.
    • Dynamic port - Namely PAT. Multiple source addresses are translated to one specified IP address in an address entry.
        • If Sticky is enabled, all sessions from an IP address are mapped to the same fixed IP address. Click the button to enable Sticky.
        • If Round-robin is enabled, all sessions from an IP address are mapped to the same fixed IP address. Click the button to enable Round-robin.
        • If neither Sticky nor Round-robin is enabled, the first address in the address entry is used first. When the port resources of the first address are exhausted, the second address is used.
      Note: The Sticky function and the Round-robin function are mutually exclusive and cannot be configured at the same time.

Expand the Advanced section and configure the corresponding options.

HA group
    Specifies the HA group that the SNAT rule belongs to. The default setting is 0.

NAT Log
    Click the button to enable logging for this SNAT rule. The system generates a log entry when traffic matches this NAT rule.

Position
    Specifies the position of the rule. Each SNAT rule has a unique ID. When traffic flows into the device, the device searches the SNAT rules in sequence and applies NAT to the source IP of the traffic according to the first matching rule. The order of the IDs shown in the SNAT rule list is the matching order. Select one of the following items from the drop-down list:
    • Bottom - The rule is placed at the bottom of all the rules in the SNAT rule list. By default, the system puts a newly created SNAT rule at the bottom of all SNAT rules.
    • Top - The rule is placed at the top of all the rules in the SNAT rule list.
    • Before ID - Enter an ID number into the text box. The rule is placed before the ID you specified.
    • After ID - Enter an ID number into the text box. The rule is placed after the ID you specified.

ID
    Specifies how the rule ID is assigned. Each rule has a unique ID, assigned automatically by the system or manually by you. If you select Manually assign, enter an ID number into the box below.

Description
    Specifies the description of the SNAT rule.

3. Click OK.
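The two passages above, the Basic Translation Process (outbound translation recorded in a NAT table and reversed for the reply) and the SNAT rule options (first-match rule order, the Static, Dynamic IP and Dynamic port modes, Sticky, and the hit count), combined in one added Python example that is not part of this guide or Hillstone's code. The rule set, the private and public addresses, and the deliberately tiny port ranges are constructed so that pool exhaustion is visible; Round-robin is not modelled, and the behaviour of Sticky when its pinned address runs out of ports (no spill-over to the next address) is an assumption of this model.

```python
"""Added example, not Hillstone code: a minimal SNAT engine following the
rules in this chapter.  Rules are searched in list order and the first match
is applied; Static, Dynamic IP and Dynamic port (PAT, optionally Sticky) are
modelled; a NAT table records each mapping so the reply can be translated
back; every match bumps the rule's hit count.  Everything is constructed."""
import ipaddress


class SnatRule:
    def __init__(self, rule_id, source, translated, mode="dynamic-port",
                 sticky=False, port_range=(1024, 65535)):
        self.rule_id = rule_id
        self.source = ipaddress.IPv4Network(source)   # rule matches on source address
        self.translated = list(translated)            # address entry: the pool, in order
        self.mode = mode                              # "static" | "dynamic-ip" | "dynamic-port"
        self.sticky = sticky
        self.port_range = port_range                  # PAT ports available per translated IP
        self.hit_count = 0
        if mode == "static" and len(self.translated) != self.source.num_addresses:
            raise ValueError("static mode needs one translated IP per source IP")


class SnatEngine:
    def __init__(self, rules):
        self.rules = rules          # ordered: the first matching rule wins
        self.nat_table = {}         # (src_ip, src_port) -> (nat_ip, nat_port)
        self.reverse = {}           # (nat_ip, nat_port) -> (src_ip, src_port)
        self.pinned = {}            # rule_id -> {src_ip: nat_ip}  (Dynamic IP and Sticky)
        self.next_port = {}         # nat_ip -> next free PAT port

    def _match(self, src_ip):
        addr = ipaddress.IPv4Address(src_ip)
        for rule in self.rules:
            if addr in rule.source:
                rule.hit_count += 1
                return rule
        return None

    def _alloc_port(self, rule, nat_ip):
        lo, hi = rule.port_range
        port = self.next_port.get(nat_ip, lo)
        if port > hi:
            return None                       # this address's port resources are exhausted
        self.next_port[nat_ip] = port + 1
        return port

    def outbound(self, src_ip, src_port):
        """Translate an outbound flow.  Returns (nat_ip, nat_port); the original
        (src_ip, src_port) if no rule matches; None if the rule cannot allocate."""
        key = (src_ip, src_port)
        if key in self.nat_table:
            return self.nat_table[key]        # existing session: reuse the recorded mapping
        rule = self._match(src_ip)
        if rule is None:
            return key
        mapping = self.pinned.setdefault(rule.rule_id, {})
        if rule.mode == "static":             # one-to-one, by position in the address entries
            idx = int(ipaddress.IPv4Address(src_ip)) - int(rule.source.network_address)
            nat = (rule.translated[idx], src_port)
        elif rule.mode == "dynamic-ip":       # each source gets its own pool IP until exhausted
            if src_ip not in mapping:
                free = [ip for ip in rule.translated if ip not in mapping.values()]
                if not free:
                    return None
                mapping[src_ip] = free[0]
            nat = (mapping[src_ip], src_port)
        else:                                 # dynamic-port (PAT)
            pool = [mapping[src_ip]] if rule.sticky and src_ip in mapping else rule.translated
            nat = None
            for ip in pool:                   # first address first; spill over when its ports run out
                port = self._alloc_port(rule, ip)
                if port is not None:
                    nat = (ip, port)
                    break
            if nat is None:
                return None
            if rule.sticky:
                mapping[src_ip] = nat[0]      # Sticky: later sessions from this source keep this IP
        self.nat_table[key] = nat
        self.reverse[nat] = key
        return nat

    def inbound(self, nat_ip, nat_port):
        """Reply packet: consult the NAT table and restore the private endpoint."""
        return self.reverse.get((nat_ip, nat_port))


def demo():
    """Constructed rule set; the broad /16 rule sits last so the narrower rules win."""
    rules = [
        SnatRule(1, "10.1.2.0/30", ["202.1.1.10", "202.1.1.11", "202.1.1.12", "202.1.1.13"], "static"),
        SnatRule(2, "10.1.3.0/24", ["202.1.1.20", "202.1.1.21"], "dynamic-ip"),
        SnatRule(3, "10.1.0.0/16", ["202.1.1.1", "202.1.1.2"], port_range=(1024, 1025)),
    ]
    eng = SnatEngine(rules)
    flows = [("10.1.2.1", 40000), ("10.1.3.5", 5000), ("10.1.3.6", 5000), ("10.1.3.7", 5000),
             ("10.1.9.9", 40000), ("10.1.9.9", 40001), ("10.1.9.10", 7), ("10.1.9.9", 40000)]
    out = [eng.outbound(ip, port) for ip, port in flows]
    return out, eng.inbound("202.1.1.1", 1024), [r.hit_count for r in rules]
```

In demo(), 10.1.2.1 is covered by both rule 1 and rule 3, and the static rule wins only because it is listed first; moving the /16 rule to the top would silently change the translation, which is why the Position and Adjusting Priority controls matter.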

Enabling/Disabling an SNAT Rule

By default, a configured SNAT rule takes effect immediately. You can stop it from controlling traffic by disabling the rule.
To enable/disable an SNAT rule, take the following steps:

1. Select Network > NAT > SNAT.

2. Select the SNAT rule that you want to enable/disable.

3. Click Enable or Disable to enable or disable the rule.

Copying/Pasting an SNAT Rule

When there are a large number of NAT rules in the system, you can quickly create a NAT rule that is similar to an existing one by copying the existing rule and pasting it at the specified position.
To copy/paste an SNAT rule, take the following steps:

1. Select Policy > NAT > SNAT.

2. Select the SNAT rule that you want to clone and click Copy.

3. Click Paste. In the pop-up, select the desired position. The rule is cloned to that position.

   • Top: The rule is pasted to the top of all the rules in the SNAT rule list.

   • Bottom: The rule is pasted to the bottom of all the rules in the SNAT rule list.

   • Before the Rule Selected: The rule is pasted before the selected rule.

   • After the Rule Selected: The rule is pasted after the selected rule.

Adjusting Priority

Each SNAT rule has a unique ID. When traffic flows into the device, the device searches the SNAT rules in sequence and applies NAT to the source IP of the traffic according to the first matching rule. The order of the IDs shown in the SNAT rule list is the matching order.
To adjust the priority, take the following steps:

1. Select Network > NAT > SNAT.

2. Select the rule whose priority you want to adjust and click Priority.

3. In the Priority panel, move the selected rule to:

   • Top: The rule is moved to the top of all the rules in the SNAT rule list.

   • Bottom: The rule is moved to the bottom of all the rules in the SNAT rule list. By default, the system puts a newly created SNAT rule at the bottom of all SNAT rules.

   • Before ID: Specifies an ID number. The rule is moved before the ID you specified.

   • After ID: Specifies an ID number. The rule is moved after the ID you specified.

4. Click OK.

Hit Count

The system supports statistics on SNAT rule hit counts, i.e., statistics on the matching between traffic and SNAT rules. Each time inbound traffic matches a certain SNAT rule, that rule's hit count is incremented by 1 automatically.
To view an SNAT rule's hit count, select Network > NAT > SNAT. In the SNAT rule list, view the statistics under the Hit Count column.

Clearing NAT Hit Count

To clear an SNAT rule's hit count, take the following steps:

1. Select Network > NAT > SNAT Hit Analysis.

2. Click Clear to open the Clearing NAT Hit Count panel.

   • All NAT: Clears the hit counts of all NAT rules.

   • NAT ID: Clears the hit count of the specified NAT rule ID.

3. Click OK.

Hit Count Check

The system supports checking of the rule hit counts.
To check the hit counts, take the following steps:

1. Select Network > NAT > SNAT Hit Analysis.

2. Click Analyze.
Configuring DNAT
DNAT translates destination IP addresses. Typically, it translates IP addresses of internal servers
(such as the WWW server or SMTP server) protected by the device to public IP addresses.

Configuring an IP Mapping Rule

To configure an IP mapping rule:

1. Select Networks> NAT > DNAT.

2. Click New and select IP Mapping.

On the IP Mapping Configuration page, configure the corresponding options.

Requirements

Virtual Router: Specifies a VRouter for the DNAT rule.

Type: Specifies the type of the DNAT rule, including IPv4, NAT46, NAT64, and IPv6. The configuration options for different types of DNAT rules may vary. Please refer to the actual page.

Destination Address: Specifies the destination IP address of the traffic, including:

l Address Entry - Select an address entry from the drop-down list. Click the add icon to add new address books.

l IP Address - Enter an IP address into the box. Enter an IPv4 address if the type of the DNAT rule is IPv4 or NAT46. Enter an IPv6 address if the type of the DNAT rule is NAT64 or IPv6.

l IP/Netmask - Enter an IP address and its netmask into the box. This configuration option is available if the type of the DNAT rule is IPv4 or NAT46.

l IPv6/Prefix - Enter an IPv6 address and its prefix length into the box. This configuration option is available if the type of the DNAT rule is NAT64 or IPv6.

l Dynamic IP (Physical Interface) - Select an interface that obtains its IP address via DHCP. This configuration option is available if the type of the DNAT rule is IPv4 or NAT46.

Mapping

Mapped to: Specifies the translated NAT IP address, including Address Entry, IP Address, and IP/Netmask (or IPv6/Prefix). The number of translated NAT IP addresses you specify must be the same as the number of destination IP addresses of the traffic.

Others

HA Group: Specifies the HA group that the DNAT rule belongs to. The default setting is 0.

Description: Specifies the description.

3. Click OK.

Configuring a Port Mapping Rule

To configure a port mapping rule:

1. Select Networks > NAT > DNAT.

2. Click New and select Port Mapping.

On the Port Mapping Configuration page, configure the corresponding options.

Requirements

Virtual Router: Specifies a VRouter for the DNAT rule.

Type: Specifies the type of the DNAT rule, including IPv4, NAT46, NAT64, and IPv6. The configuration options for different types of DNAT rules may vary. Please refer to the actual page.

Destination Address: Specifies the destination IP address of the traffic, including:

l Address Entry - Select an address entry from the drop-down list. Click the add icon to add new address books.

l IP Address - Enter an IP address into the box. Enter an IPv4 address if the type of the DNAT rule is IPv4 or NAT46. Enter an IPv6 address if the type of the DNAT rule is NAT64 or IPv6.

l IP/Netmask - Enter an IP address and its netmask into the box. This configuration option is available if the type of the DNAT rule is IPv4 or NAT46.

l IPv6/Prefix - Enter an IPv6 address and its prefix length into the box. This configuration option is available if the type of the DNAT rule is NAT64 or IPv6.

l Dynamic IP (Physical Interface) - Select an interface that obtains its IP address via DHCP. This configuration option is available if the type of the DNAT rule is IPv4 or NAT46.

Service: Specifies the service type of the traffic from the drop-down list. To create a new service or service group, click the add icon in the User-defined section.

Mapping

Mapped to: Specifies the translated NAT IP address, including Address Entry, IP Address, and IP/Netmask (or IPv6/Prefix). The number of translated NAT IP addresses you specify must be the same as the number of destination IP addresses of the traffic.

Port Mapping: Enter the translated port number of the Intranet server. The available range is 1 to 65535.

Others

HA Group: Specifies the HA group that the DNAT rule belongs to. The default setting is 0.

Description: Specifies the description.

3. Click OK.

Configuring an Advanced NAT Rule

You can create a DNAT rule and configure its advanced settings, or you can edit the advanced
settings of an existing DNAT rule.
To create a DNAT rule and configure the advanced settings:

1. Select Networks > NAT > DNAT.

2. Click New and select Advanced Configuration. To edit the advanced settings of an existing
DNAT rule, select it and click Edit. The DNAT configuration page appears.

On the DNAT configuration page, configure the following options.

Requirements

Virtual Router: Specifies a VRouter for the DNAT rule.

Type: Specifies the type of the DNAT rule, including IPv4, NAT46, NAT64, and IPv6. The configuration options for different types of DNAT rules may vary. Please refer to the actual page.

Source Address: Specifies the source IP address of the traffic, including:

l Address Entry - Select an address entry from the drop-down list. Click the add icon to add new address books.

l IP Address - Enter an IP address into the box. Enter an IPv4 address if the type of the DNAT rule is IPv4 or NAT46. Enter an IPv6 address if the type of the DNAT rule is NAT64 or IPv6.

l IP/Netmask - Enter an IP address and its netmask into the box. This configuration option is available if the type of the DNAT rule is IPv4 or NAT46.

l IPv6/Prefix - Enter an IPv6 address and its prefix length into the box. This configuration option is available if the type of the DNAT rule is NAT64 or IPv6.

Destination Address: Specifies the destination IP address of the traffic, including:

l Address Entry - Select an address entry from the drop-down list. Click the add icon to add new address books.

l IP Address - Enter an IP address into the box. Enter an IPv4 address if the type of the DNAT rule is IPv4 or NAT46. Enter an IPv6 address if the type of the DNAT rule is NAT64 or IPv6.

l IP/Netmask - Enter an IP address and its netmask into the box. This configuration option is available if the type of the DNAT rule is IPv4 or NAT46.

l IPv6/Prefix - Enter an IPv6 address and its prefix length into the box. This configuration option is available if the type of the DNAT rule is NAT64 or IPv6.

l Dynamic IP (Physical Interface) - Select an interface that obtains its IP address via DHCP. This configuration option is available if the type of the DNAT rule is IPv4 or NAT46.

Service: Specifies the service type of the traffic from the drop-down list. To create a new service or service group, click the add icon in the User-defined section.

Translated to

Action: Specifies the action for the traffic you specified, including:

l NAT - Implements NAT for the eligible traffic.

l No NAT - Does not implement NAT for the eligible traffic.

l V4-MAPPED - Implements NAT for the eligible traffic, and extracts the destination IPv4 address directly from the destination IPv6 address of the packet. This configuration option is available if the type of the DNAT rule is NAT64.

The Translate to action for different types of DNAT rules may vary. Please refer to the actual page.

Translate to: When selecting the NAT option, you need to specify the translated IP address. The options include Address Entry, IP Address, IP/Netmask/IPv6 Prefix, and SLB Server Pool.

Translate Service Port to

Port: Click the enable button to translate the port number of the service that matches the conditions above.

Load Balance: Click the button to enable the function. Traffic will be balanced across different Intranet servers.

Expand the Advanced section and configure the following options.

Option Description

HA Group: Specifies the HA group that the DNAT rule belongs to. The default setting is 0.

Track Ping Packets: After enabling this function, the system will send Ping packets to check whether the Intranet servers are reachable.

Track TCP Packets: After enabling this function, the system will send TCP packets to check whether the TCP ports of the Intranet servers are reachable.

TCP Port: Specifies the TCP port number of the monitored Intranet server.

NAT Log: Enables the log function for this DNAT rule, so that log information is generated when traffic matches this NAT rule.

Position: Specifies the position of the rule. Each DNAT rule has a unique ID. When traffic flows into the device, the device searches the DNAT rules in sequence and then implements DNAT on the destination IP of the traffic according to the first matched rule. The sequence of the IDs shown in the DNAT rule list is the order of rule matching. Select one of the following items from the drop-down list:

l Bottom - The rule is located at the bottom of all the rules in the DNAT rule list. By default, the system will put the newly-created DNAT rule at the bottom of all DNAT rules.

l Top - The rule is located at the top of all the rules in the DNAT rule list.

l Before ID - Enter the ID number into the text box. The rule will be located before the ID you specified.

l After ID - Enter the ID number into the text box. The rule will be located after the ID you specified.

ID: Specifies how the rule ID is assigned. Each rule has its unique ID. It can be automatically assigned by the system or manually assigned by yourself. If you select Manually assign, enter an ID number into the box below.

Description: Specifies the description of the DNAT rule.

3. Click OK to save the settings.

Enabling/Disabling a DNAT Rule

By default, the configured DNAT rule will take effect immediately. You can terminate its control
over the traffic by disabling the rule.
To enable/disable a DNAT rule:

1. Select Networks > NAT > DNAT.

2. Select the DNAT rule that you want to enable/disable.

3. Click Enable or Disable to enable or disable the rule.

Copying/Pasting a DNAT Rule

When there are a large number of NAT rules in the system, to easily create a NAT rule that is
similar to a configured NAT rule, you can copy the NAT rule and paste it to the specified location.
To copy/paste a DNAT rule, take the following steps:

1. Select Policy > NAT > DNAT.

2. Select the DNAT rule that you want to clone and click Copy.

3. Click Paste. In the pop-up, select the desired position. Then the rule will be cloned to the
desired position.

l Top: The rule is pasted to the top of all the rules in the DNAT rule list.

l Bottom: The rule is pasted to the bottom of all the rules in the DNAT rule list.

l Before the Rule Selected: The rule will be pasted before the selected rule.

l After the Rule Selected: The rule will be pasted after the selected rule.

Adjusting Priority

Each DNAT rule has a unique ID. When traffic flows into the device, the device searches the
DNAT rules in sequence, and then implements NAT on the destination IP of the traffic according to
the first matched rule. The sequence of the IDs shown in the DNAT rule list is the order of
rule matching.
To adjust priority:

1. Select Networks > NAT > DNAT.

2. Select the rule whose priority you want to adjust and click Priority.

3. In the Priority panel, move the selected rule to:

l Top: The rule is moved to the top of all the rules in the DNAT rule list.

l Bottom: The rule is moved to the bottom of all the rules in the DNAT rule list. By
default, the system will put the newly-created DNAT rule at the bottom of all
DNAT rules.

l Before ID: Specifies an ID number. The rule will be moved before the ID you specified.

l After ID: Specifies an ID number. The rule will be moved after the ID you specified.

4. Click OK.

Hit Count

The system supports statistics on DNAT rule hit counts, i.e., statistics on the matching between
traffic and DNAT rules. Each time the inbound traffic is matched to a certain DNAT rule, the hit
count will increment by 1 automatically.
To view a DNAT rule hit count, click Network > NAT > DNAT. On the DNAT rule list, view
the statistics on DNAT rule hit count under the Hit Count column.
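The ordered, first-match DNAT lookup, the rule positioning (Top, Bottom, Before ID, After ID) and the per-rule hit counting described above, as an added Python example. It is not Hillstone code; the rule table, addresses and ports are constructed for illustration.

```python
"""Added example (not Hillstone code): models DNAT rule ordering, first-match
lookup and per-rule hit counts as the guide describes them."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class DnatRule:
    rule_id: int
    destination: str                      # destination IP/netmask the rule matches
    mapped_to: str                        # translated IP/netmask (same number of addresses)
    service_port: Optional[int] = None    # None = any service
    port_mapping: Optional[int] = None    # translated port, 1-65535; None = keep the port
    hit_count: int = 0

    def __post_init__(self) -> None:
        self.dst_net = ipaddress.ip_network(self.destination, strict=False)
        self.map_net = ipaddress.ip_network(self.mapped_to, strict=False)
        # The guide requires the translated range to hold as many addresses
        # as the destination range (one-to-one mapping).
        if self.dst_net.num_addresses != self.map_net.num_addresses:
            raise ValueError("mapped range must match the destination range in size")
        if self.port_mapping is not None and not 1 <= self.port_mapping <= 65535:
            raise ValueError("port mapping must be in the range 1 to 65535")

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        return (ipaddress.ip_address(dst_ip) in self.dst_net
                and (self.service_port is None or dst_port == self.service_port))

    def translate(self, dst_ip: str, dst_port: int) -> Tuple[str, int]:
        # One-to-one: keep the host offset inside the mapped range.
        offset = int(ipaddress.ip_address(dst_ip)) - int(self.dst_net.network_address)
        new_ip = self.map_net.network_address + offset
        new_port = self.port_mapping if self.port_mapping is not None else dst_port
        return str(new_ip), new_port


class DnatTable:
    """Ordered rule list; the list order is the matching order."""

    def __init__(self) -> None:
        self.rules: List[DnatRule] = []

    def _index(self, rule_id: int) -> int:
        for i, r in enumerate(self.rules):
            if r.rule_id == rule_id:
                return i
        raise KeyError(f"no DNAT rule with ID {rule_id}")

    def _place(self, rule: DnatRule, position: str, ref_id: Optional[int]) -> None:
        # Position options from the guide: Top, Bottom, Before ID, After ID.
        if position == "top":
            self.rules.insert(0, rule)
        elif position == "bottom":
            self.rules.append(rule)
        elif position == "before":
            self.rules.insert(self._index(ref_id), rule)
        elif position == "after":
            self.rules.insert(self._index(ref_id) + 1, rule)
        else:
            raise ValueError(f"unknown position {position!r}")

    def add(self, rule: DnatRule, position: str = "bottom",
            ref_id: Optional[int] = None) -> None:
        if any(r.rule_id == rule.rule_id for r in self.rules):
            raise ValueError(f"duplicate DNAT rule ID {rule.rule_id}")
        self._place(rule, position, ref_id)   # new rules go to the bottom by default

    def move(self, rule_id: int, position: str, ref_id: Optional[int] = None) -> None:
        rule = self.rules.pop(self._index(rule_id))
        self._place(rule, position, ref_id)

    def order(self) -> List[int]:
        return [r.rule_id for r in self.rules]

    def lookup(self, dst_ip: str, dst_port: int):
        """First matched rule wins and its hit count is incremented by 1."""
        for rule in self.rules:
            if rule.matches(dst_ip, dst_port):
                rule.hit_count += 1
                return rule.rule_id, rule.translate(dst_ip, dst_port)
        return None   # no rule matched: the traffic is not translated

    def hit_counts(self) -> dict:
        return {r.rule_id: r.hit_count for r in self.rules}

    def clear_hit_count(self, rule_id: Optional[int] = None) -> None:
        # None clears every rule ("All NAT"); otherwise one rule ("NAT ID").
        for r in self.rules:
            if rule_id is None or r.rule_id == rule_id:
                r.hit_count = 0


def demo():
    """Constructed scenario: a port-mapping rule and an overlapping IP-mapping rule."""
    table = DnatTable()
    table.add(DnatRule(1, "203.0.113.10/32", "10.0.0.5/32", service_port=443, port_mapping=8443))
    table.add(DnatRule(2, "203.0.113.0/24", "10.0.0.0/24"))
    first = table.lookup("203.0.113.10", 443)      # rule 1 is matched first
    other = table.lookup("203.0.113.77", 80)       # only rule 2 matches
    table.move(2, "before", ref_id=1)              # rule 2 now shadows rule 1
    shadowed = table.lookup("203.0.113.10", 443)   # rule 2 wins: host offset 10
    return first, other, shadowed, table.order(), table.hit_counts()


if __name__ == "__main__":
    print(demo())
```

Moving the broader rule above the specific one silently changes what the public address maps to, which is why the rule sequence and the hit counts are worth checking after every reorder.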

Clearing NAT Hit Count

To clear a DNAT rule hit count, take the following steps:

1. Select Network > NAT > DNAT Hit Analysis.

2. Click Clear to open the Clearing NAT Hit Count panel.

l All NAT: Clears the hit counts for all NAT rules.

l NAT ID: Clears the hit counts for a specified NAT rule ID.

3. Click OK.

Hit Count Check

The system supports checking the DNAT rule hit counts.
To check the hit count, take the following steps:

1. Select Network > NAT > DNAT Hit Analysis.

2. Click Analyze.

High Availability
HA, the abbreviation for High Availability, provides a fail-over solution for communication line
or device failure, to ensure smooth communication and effectively improve the reliability of
the network. To implement the HA function, you need to configure two devices as an HA
cluster, using the identical hardware platform and firmware version, with the same Virtual Router setting on both.
When one device is not available or cannot handle the request from the client properly, the
request will be promptly directed to the other device that works normally, thus ensuring uninterrupted
network communication and greatly improving the reliability of communications.
HA devices with the same Virtual Router setting means that Multi-Virtual Router is enabled or
disabled on both of the HA devices.

Notes: We recommend that you set the engine IDs of the master device and the backup
device in the HA scenario to different values. This prevents the trap host from failing to
receive trap alarms during an HA switchover when the SNMPv3 trap function is enabled.

The system supports two HA modes: Active-Passive (A/P), and Peer.

l Active-Passive (A/P) mode: In the HA cluster, configure two devices to form a HA group, with one device acting as a primary device and the other acting as its backup device. The primary device is active, forwarding packets, and meanwhile synchronizes all of its network and configuration information and current session information to the backup device. When the primary device fails, the backup device will be promoted to primary and takes over its work to forward packets. This A/P mode is redundant, and features a simple network structure for you to maintain and manage.

l Peer mode: In the Peer mode, two devices are both active, perform their own tasks simultaneously, and monitor the operation status of each other. When one device fails, the other will take over the work of the failed device and also run its own tasks simultaneously. In the Peer mode, only the device in the active status can send/receive packets. The device in the disabled status holds the same configuration information as the active device, but its interfaces do not send/receive any packets. The Peer mode is more flexible and is suitable for deployment in an asymmetric routing environment.

Basic Concepts

HA Cluster
For the external network devices, a HA cluster is a single device which handles network traffic
and provides security services. The HA cluster is identified by its cluster ID. After specifying a
HA cluster ID for the device, the device will be in the HA state to implement HA function.

HA Group
The system will select the primary and backup device of the same HA group ID in a HA cluster
according to the HCMP protocol and the HA configuration. The primary device is in the active
state and processes network traffic. When the primary device fails, the backup device will take
over its work.
When assigning a cluster ID to the device, the HA group with ID 0 will be automatically created.
In Active-Passive (A/P) mode, the device only has HA group 0.

HA Node
To distinguish the HA devices in an HA group, you can use the value of HA Node to mark the
devices. StoneOS supports the values 0 and 1.

Virtual Forward Interface and MAC
In the HA environment, each HA group has an interface to forward traffic, which is known as the
Virtual Forward Interface. The primary device of each HA group manages a virtual MAC (VMAC)
address corresponding to its interface, and the traffic is forwarded on that interface. Different
HA groups in an HA cluster cannot forward data among each other. The VMAC address is
derived from the HA cluster ID, the HA group ID and the physical interface index.

HA Selection
In a HA cluster, if the group ID of the HA devices is the same, the one with higher priority will
be selected as the primary device.

HA Synchronization
To ensure the backup device can take over the work of the primary device when it fails, the
primary device will synchronize its information with the backup device. There are three types of
information that can be synchronized: configuration information, files and RDO (Runtime
Dynamic Object). The specific content of RDO includes:

l DNS cache mappings

l ARP table

l PKI information

l DHCP information

l MAC table

The system supports two methods to synchronize: real-time synchronization and batch synchronization. When the primary device has just been selected successfully, the batch synchronization will be used to synchronize all information of the primary device to the backup device. When the configurations change, the real-time synchronization will be used to synchronize the changed information to the backup device. Except for the HA related configurations and local configurations (for example, the host name), all the other configurations will be synchronized.

Configuring HA
To configure the HA function, take the following steps:

1. Configure a HA Virtual Forward Interface. For more information on configuring the interface, see "Configuring an Interface" on Page 437.

2. Configure a HA link interface which is used for the device synchronization and HA packets
transmission.

3. Configure a HA cluster. Specify the ID of HA cluster to enable the HA function.

4. Configure a HA group. Specify the device priority and the HA message parameters.

To configure HA, take the following steps:

1. Go to System > HA.

On the HA page, configure the following options.

Option Description

Control Link Interface 1: Specifies the name of the HA control link interface. The control link interface is used to synchronize all data between the two devices.

Assist link interface: Specifies the name of the HA assist link interface. In the Active-Passive (A/P) mode, you can specify the HA assist link interface to receive and send heartbeat packets (Hello packets), and ensure that the main and backup devices of HA switch normally when the HA link fails. Note:

l Before the HA link is restored, the HA assist link interface can only receive and send heartbeat packets and the data packets cannot be synchronized. You are advised not to modify the current configurations. After the HA link is restored, manually synchronize session information.

l The HA assist link interface must use an interface other than the HA link interface and be bound to the zone.

HA Link Local MAC Address: Specifies the source MAC address for the HA device to send heartbeats (Hello packets) to other devices in the HA group:

l Default: The system uses the default MAC address to send Hello packets.

l Control link interface MAC: Specifies the MAC address of the control link interface as the MAC address of the HA link interface. When there is more than one configured control link interface, the system will use the MAC address of the first control link interface as the MAC address of the HA link interface.

l Customize: Specifies a customized MAC address as the MAC address of the HA link interface. If this option is selected, enter the customized MAC address in the "MAC" textbox.

HA Link local IP address: Specifies the IP address and netmask of the HA link interface.

HA Link Local MTU: Specifies the MTU value of the HA link interface. After it is specified, when the size of a message exceeds the MTU value of the HA link interface, the sender will send the message in separate pieces and the receiver will reassemble the message after receiving it. The default value is 1500.

HA link Peer IP and MAC address: Specifies the peer IP address and MAC address of the HA link.

HA virtual prefix: Specifies the prefix of the HA base MAC in hexadecimal format. Its length can only be configured as seven or eight. If more than 8 HA clusters in a network segment need to be configured, you can configure the prefix of the HA virtual base MAC address, i.e., the HA virtual MAC prefix, in order to avoid HA virtual MAC address duplication. By default, the HA virtual MAC prefix is 0x001C54FF. It should be noted that 0x00000000, 0x0000000, 0xFFFFFFFF, 0xFFFFFFF or multicast addresses (i.e., the second hexadecimal number is odd) are invalid.

HA Cluster ID: Specifies an ID for the HA cluster. The range is 1-8. None indicates that the HA function is disabled.

Node ID: After enabling the HA function, specify the Node ID (HA Node) for the device. The IDs of the two devices must be different. The range is 0 to 1. If you do not specify this value, the devices will obtain the Node ID by automatic negotiation.

Peer-mode: Click the button to enable the HA Peer mode and specify the role of this device in the HA cluster. The range is 0 to 1. By default, group 0 in the device whose HA Node ID is 0 will be active and group 0 in the device whose HA Node ID is 1 will be in the disabled status.

Symmetric-routing: Enable Symmetric-routing to make the device work in a symmetrical routing environment.

HA Transmit UDP: If this function is enabled, HA Hello packets are transmitted using the UDP protocol. By default, HA Hello packets are transmitted using the VRRP protocol. In a virtual environment, the core switch limits the VRRP transmission rate and packet size, which affects the synchronization between the HA primary and backup devices. Transmission using the UDP protocol avoids such limitations.

Business interface use physical MAC: By default, the interface forwards traffic with the virtual MAC address provided by the system. After configuring this function, each interface will use its physical MAC address for communication.

Deploy Mode: Specifies the deploy mode. Only vWAF supports this function.

HAVIP: Only the vWAF deployed on Tencent and Alibaba Cloud supports this function.

Accesskey ID: Only the vWAF deployed on Tencent and Alibaba Cloud supports this function. Specify the AccessKey ID of your Alibaba Cloud account.

Accesskey Secret: Only the vWAF deployed on Tencent and Alibaba Cloud supports this function. Specify the AccessKey Secret of your Alibaba Cloud account.

Cloud Platform: Specifies the cloud platform. Select None if it is not Tencent Cloud.

L3 port down-up: Click the button to enable the Layer 3 port down-up function. This function is enabled by default. When this function is disabled, the following types of physical interfaces do not perform down-up operations when the device is switched from a master device to a backup device for HA switching:

l The physical interface that is bound to a Layer 3 zone.

l The physical interface that belongs to an aggregate interface, where the aggregate interface is bound to a Layer 3 zone.

HA Synchronize Configuration: In some exceptional circumstances, the master and backup configurations may not be synchronized. In such a case you need to manually synchronize the configuration information of the master and backup devices. Click HA Synchronize Configuration to synchronize the configuration information of the master and backup devices.

HA Synchronize Session: By default the system will synchronize sessions between HA devices automatically. Session synchronization will generate some traffic, and may impact device performance when the device is overloaded. You can enable automatic HA session synchronization according to the device workload to assure stability. Click HA Synchronize Session to enable automatic HA session synchronization.

Group 0

New: After specifying the HA cluster ID, the system will create HA group 0 automatically. Click New to create HA group 1.

Delete: Click Delete to remove HA group 1 if needed.

Priority: Specifies the priority for the device. The device with higher priority (smaller number) will be selected as the primary device.

Preempt: Configures the preempt mode. When the preempt mode is enabled, once the backup device finds that its own priority is higher than the primary device's, it will upgrade itself to become the primary device and the original primary device will become the backup device. The value of 0 indicates that the preempt mode is disabled. When the preempt mode is disabled, even if the device's priority is higher than the primary device's, it will not take over the primary device unless the primary device fails.

Hello Interval: Specifies the Hello interval value. The Hello interval refers to the interval at which the HA device sends heartbeats (Hello packets) to other devices in the HA group. The Hello interval in the same HA group must be identical.

Hello Threshold: Specifies the threshold value of the Hello message. If the device does not receive the specified number of Hello messages from the other device, it will assume that the other device's heartbeat has stopped.

Gratuitous ARP Packet Number: Specifies the number of gratuitous ARP packets. When the backup device is selected as the primary device, it will send ARP request packets to the network to inform the relevant network devices to update their ARP tables.

Track Object: Specifies the track object you have configured. The track object is used to monitor the working status of the device. Once it finds that the device has stopped working normally, the system will take the corresponding action.

Description: Enter the description of the HA group into the box.

2. Click OK.
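The validity rules for the HA virtual MAC prefix and the primary-selection rule (smaller priority number wins, preempt optional) from the table above, as an added Python example. It is not Hillstone code; the tie-break on equal priority in favour of the lower Node ID is an assumption the guide does not state.

```python
"""Added example (not Hillstone code): checks an HA virtual MAC prefix against
the rules the guide states, and applies the documented primary selection."""
import re
from typing import Dict, Optional

DEFAULT_PREFIX = "0x001C54FF"   # default HA virtual MAC prefix named in the guide


def validate_ha_virtual_prefix(prefix: str) -> bool:
    """Return True if prefix is a valid HA virtual MAC prefix.

    Rules from the guide: hexadecimal, 7 or 8 digits, not all zeros, not all
    Fs, and not multicast. "Second hexadecimal number is odd" is the I/G bit
    of the first MAC octet, which marks a group (multicast) address.
    """
    digits = prefix[2:] if prefix.lower().startswith("0x") else prefix
    if not re.fullmatch(r"[0-9A-Fa-f]{7,8}", digits):
        return False                      # wrong length or not hexadecimal
    low = digits.lower()
    if set(low) <= {"0"} or set(low) <= {"f"}:
        return False                      # 0x0000000(0) / 0xFFFFFFF(F)
    if int(digits[1], 16) % 2 == 1:
        return False                      # multicast bit set
    return True


def select_primary(priorities: Dict[int, int], current_primary: Optional[int] = None,
                   preempt: bool = False, primary_failed: bool = False) -> int:
    """Return the Node ID that should hold the primary role.

    priorities maps Node ID -> Priority; the smaller number is the higher
    priority. Ties go to the lower Node ID (assumption, not from the guide).
    """
    best = min(priorities, key=lambda node: (priorities[node], node))
    if current_primary is None or current_primary not in priorities or primary_failed:
        return best                       # initial election or fail-over
    if preempt and priorities[best] < priorities[current_primary]:
        return best                       # preempt: better device takes over
    return current_primary                # no preempt: keep the current primary


if __name__ == "__main__":
    print(validate_ha_virtual_prefix(DEFAULT_PREFIX))          # True
    print(select_primary({0: 100, 1: 50}, current_primary=0))  # 0 (no preempt)
```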

System Management
The device's maintenance and management include:

l "System Information" on Page 593

l "Device Management" on Page 613

l "Configuration File Management" on Page 630

l "SNMP" on Page 634

l "Upgrading System" on Page 645

l "License" on Page 650

l "Mail Server" on Page 658

l "System Alarm Rule" on Page 660

l "Connecting to HSM" on Page 668

l "Connecting to Hillstone Cloud Service Platform" on Page 671

l "Test Tools" on Page 675

l PKI

l "Diagnosis" on Page 674

System Information
You can view the general information of the system on the System and Signature Database page,
including Serial Number, Hostname, Platform, System Time, System Uptime, Firmware, Signature
Database and so on.

Viewing System Information

To view system information, select System > System and Signature Database.

System Information

Serial Number: Shows the serial number of the device.

Hostname: Shows the name of the device.

Platform: Shows the platform model of the device.

System Time: Shows the system date and time of the device.

System Uptime: Shows the system uptime of the device.

HA State: Shows the HA status of the device.

l Standalone: Non-HA mode, meaning HA is disabled.

l Init: Initial state.

l Hello: Negotiation state, meaning the device is negotiating the master/backup relationship.

l Master: Master state, meaning the current device is the master.

l Backup: Backup state, meaning the current device is the backup.

l Failed: Fault state, meaning the device has failed.

Firmware: Shows the current firmware version of the device and the date of the last firmware upgrade.

Boot File: Shows the current name of the boot file and the date of the last update.

Signature Database Information

Protection Rule Database: Shows the current version of the WAF protection rule database and the date of the last update.

Vulnerability DB: Shows the current version of the WAF vulnerability database and the date of the last update.

IP Geography Database: Shows the current version of the IP geography database and the date of the last update.

The WAF IP Reputation Library: Shows the current version of the WAF IP reputation database and the date of the last update.

Notes: All signature databases are license controlled, so you need to make sure that the
corresponding license is installed on your system. Refer to "License" on Page 650.

WAF Global Configuration
WAF Global Configuration manages the Global Parameter Configuration and the Custom Error
Page Management.

Global Parameter Configuration

To configure the global parameters, take the following steps:

1. Select System > WAF Global Configuration > Global Parameter Configuration.

2. Select a deployment as needed and click OK. For more information about the deployment
details, see Deployment Mode.
Note: When you select Tap Mode, click Attack Block to turn on this switch. After the
Attack Block switch is turned on and the Tap Control Interface is configured, the system
will block traffic when it matches a security policy with a blocking action. By default, the
Attack Block switch is turned off.

3. Configure the following global parameters. After configuring a parameter, click OK.

597 System Management


System Management 598
HTTP Forward & Rewrite:

l Site Cache Timeout: Specifies the time to live for cached files. When the cached file is expired, the device will request the file from the web server again. For more information about site acceleration, see Configuring the Acceleration.

l Client Connection Timeout: Specifies the timeout value of connection between the client and the device. If there's no data transmission between the client and the device, the connection will be interrupted after timeout.

l Server Response Timeout: Specifies the timeout value of connection between the proxy server and the device. If there's no data transmission between the proxy server and the device, the connection will be interrupted after timeout.

l Maximum Length of Request Header: Specifies the maximum length of the request header. The range value is 1 to 1,024 KB. The default value is 32 KB. When the HTTP request header exceeds the threshold, the site cannot be accessed.

l Maximum rewrite length of response body content: Enable the function and set the maximum rewrite length. By default, this function is disabled. If the response body that needs to be rewritten is too long, you need to enable the function. Assume that the function is enabled. When the action of the content rewrite policy is set to rewriting response body and the rewrite length exceeds the specified value, the system directly forwards messages without the matching and rewriting.

l Client Temp File Cache: Caches the request body. You can cache the request body in the memory of the WAF engine or cache request body exceeding the request body buffer size to the disk. If the request body is smaller than the request body buffer size (128 KB by default), regardless of whether the Client Temp File Cache function is enabled, the request body will be cached in the memory of the WAF engine. After receiving complete traffic, WAF detects and then forwards the traffic.

l Enable Client Temp File Cache: Caches the request body exceeding the request body buffer size to the disk. After receiving the complete traffic, WAF detects and then forwards the traffic.

l Disable Client Temp File Cache: Caches the request body in the memory of the WAF engine. When the request body exceeds the request body buffer size, WAF will forward the excess data in real time. By default, this function is disabled.
Note: HTTP/2.0 requests are not controlled by the Client Temp File Cache switch.

l Server Temp File Cache: With the function enabled, files returned from the server to the client are cached in the system. If the bandwidth between the client and WAF is much smaller than that between the server and WAF, we recommend that you disable the function to prevent download interruption caused by long cache time.

l Default processing action of server: Sets the action to process the requests that hit site services (IP address and port) but do not hit the site domain. Valid values: Permit and Block. Hit Count displays how many times the default server permits or blocks the request.

Client IP Resolution & Passthrough:

• Using IP in X-Header: Select Used as Client IP. Then, the device interprets the
X-Header of the packet (such as X-Forwarded-For, X-Real-IP, or another specified X-Header)
as the client IP, and applies related functions, such as exception rules and the blacklist,
to the new client IP. You can select whether to use the left IP or the right IP of X-Forwarded-For,
and select from the drop-down list which IP address, counted from the left or right in the
X-Header, is used as the client IP/load balancing IP. When the parameter is disabled, the
default value is restored, i.e. the source IP of the packet is used as the client IP.
Note:

  • When the specified position of the IP does not match the number of addresses in
  the X-Header, the network-layer IP is used as the client IP/load balancing
  IP. For example, if there are only three IPs in the X-Header and you select the
  10th IP from the right in the X-Forwarded-For as the client IP/load balancing
  IP, the system selects the network-layer IP as the client IP/load balancing
  IP. If there are invalid IPs in the X-Header, they are skipped and not counted
  for the position.

  • The system's selection of the X-Header address as the client IP/load balancing
  IP is not affected by whether the network-layer IP in the request packet and the
  X-Header address are of the same address type. For example, if the network-layer
  IP is of IPv4 type and the X-Header address is of IPv6 type, the system
  still selects the X-Header address as the client IP/load balancing IP.
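As an added example (not the product's code), the following Python function models the X-Header client IP selection described in these notes: it counts positions from the left or right of the header, skips invalid entries without counting them, accepts an IPv6 header entry behind an IPv4 network-layer address, and falls back to the network-layer IP when the position is out of range. The header dictionary, sample addresses and parameter names are constructed for illustration.

```python
import ipaddress


def resolve_client_ip(network_ip, headers, header="X-Forwarded-For",
                      position=1, side="right"):
    """Return the client IP as the notes describe (constructed example).

    network_ip: source address of the packet (network layer)
    headers:    dict of request headers, e.g. {"X-Forwarded-For": "a, b, c"}
    position:   1-based index of the address to take, counted from `side`
    side:       "left" or "right"
    """
    if side not in ("left", "right"):
        raise ValueError("side must be 'left' or 'right'")
    raw = headers.get(header, "")
    # Keep only syntactically valid addresses: invalid entries are skipped
    # and do not count toward the position.
    valid = []
    for token in raw.split(","):
        token = token.strip()
        if not token:
            continue
        try:
            valid.append(str(ipaddress.ip_address(token)))
        except ValueError:
            continue
    # Position out of range (or header absent): use the network-layer IP.
    if position < 1 or position > len(valid):
        return network_ip
    index = position - 1 if side == "left" else len(valid) - position
    # The address family is deliberately not compared with network_ip: an
    # IPv6 header entry behind an IPv4 network-layer address is still chosen.
    return valid[index]


# Constructed sample: a request that passed through two proxies; the
# middle entry is not an address and is skipped.
SAMPLE_HEADERS = {"X-Forwarded-For": "198.51.100.7, not-an-ip, 10.0.0.1"}
SAMPLE_NETWORK_IP = "203.0.113.9"

if __name__ == "__main__":
    for pos, side in ((1, "right"), (2, "right"), (1, "left"), (10, "right")):
        print(pos, side, resolve_client_ip(SAMPLE_NETWORK_IP, SAMPLE_HEADERS,
                                           position=pos, side=side))
```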

• TCP Option Address: This function is available only in transparent proxy mode. Select
Used as Client IP and set the Type parameter. The valid values of the Type parameter
are from 9 to 254. The system interprets the IP address in the corresponding TCP
option as the client IP address, and applies related functions, such as rule exceptions
and the blacklist, to the new client IP. If both the Using IP in X-header and TCP Option
Address functions are enabled, the Using IP in X-header function is used preferentially.

• Source IP Transparent Transmit: This function is available only in reverse proxy
mode, one-arm with reverse proxy mode, and traction mode. When it is enabled, the source IP
and port of the message are restored to the source IP and port of the original client,
and the message is then forwarded to the server.
Note: Because this function conflicts with site TCP connection reuse, disable the
TCP connection reuse function first and then enable this function.

  • When you use the function, make sure that the client connection timeout is set
  to a non-zero value and Proxy connection Association is enabled for all sites.
  For more information, see Client Connection Timeout and Proxy connection
  Association.

  • In reverse proxy mode and one-arm with reverse proxy mode, if you want to
  implement an IPv4 to IPv6 site upgrade for the web server by using WAF, disable
  the Source IP Transparent Transmit function.

Safety Monitor:

• Encoding Detection: Since a URL may contain characters that cannot be forwarded
via the network, it is necessary to encode the characters. The request result is different
with different encoding methods, which may affect the auto-learning result.

  • After you enable the parameter for the request line or request body, the system
  confirms its encoding. If the encoding method is GB18030, the system
  changes it to UTF-8 encoding with the auto-learning function, and then learns all
  requests in UTF-8 encoding.

  • If Response Body is selected, the system detects the encoding method of
  the response body in the response packet, preferentially uses the encoding
  method of the response body to decode, and then matches the policy rules, so as
  to improve the accuracy of the detection of Chinese characters in the response
  body. Note: Before enabling this function, you need to enable Stop Server
  Compressing on the Site Configuration page.

Anti-defacement:

• Maximum Crawling Memory: Specifies the maximum capacity for crawling in the
specified period. If the maximum capacity is reached, the device stops crawling and
generates related logs.

• Crawling Period: Specifies the period of crawling. For more information about how to
configure web page anti-tampering, see Configuring Web Page Anti-tampering.

Multistage Escape: The system supports the Multistage Escape function, including
Engine Detection Timeout Permit and Fail-open. The two escape functions are independent
of each other and have their own trigger conditions. They may occur at the same time. If
the device has a traffic surge or is overloaded (memory, CPU, or concurrency utilization is too
high), WAF engine detection may be delayed or the device may restart. You can enable
the Multistage Escape function to ensure business continuity.

• Engine Detection Timeout Permit: Click Enable. When the average time consumed by
the WAF engine to detect traffic exceeds the threshold, the system allows the traffic
for a certain period. After the period, WAF resumes the security detection of the
traffic and allows the traffic again when the threshold is reached again. By
default, this function is disabled.

  • Detection Time Threshold: Valid values: 0 to 3000 ms. Default value: 3000.
  You can specify the threshold based on the trend chart in Dashboard > System
  > Average Time of Engine Detection.

  • Permit Period: Valid values: 30 to 600 seconds. Default value: 60. When the
  system starts allowing the traffic and stops allowing the traffic, corresponding
  webpage event logs are generated.

• Enable Fail-open: After you enable Fail-open, the page displays the configuration
items CPU Threshold of Engine, Memory Threshold of Engine, and Concurrent
Connection Threshold of Engine. You can enable the corresponding configuration
item and specify the threshold as needed. The logical relationship among the three
configuration items is OR. In other words, if multiple configuration items are enabled, the
Fail-open function is triggered as long as the threshold of one of these configuration
items is reached, and the device enters the Fail-open mode. In this mode, the
device can still forward packets but skips the security check for certain messages. This
prevents network congestion. When the utilization is lower than the threshold, the
device exits the Fail-open mode. The function is available only in transparent
proxy mode, reverse proxy mode, one-arm with reverse proxy mode, and traction
mode. The function takes effect only when the site is in the protection status. In transparent
proxy mode, the Fail-open function is enabled by default. In reverse proxy
mode, one-arm with reverse proxy mode, and traction mode, the Fail-open function is
disabled by default. When the system starts allowing the traffic and stops allowing the
traffic, corresponding webpage event logs are generated.

  • CPU Threshold of Engine: Enable this configuration item and specify the
  threshold. Valid values: 60 to 90. Default value: 80. Unit: %.

  • Memory Threshold of Engine: Enable this configuration item and specify the
  threshold. Valid values: 60 to 90. Default value: 80. Unit: %.

  • Concurrent Connection Threshold of Engine: Enable this configuration item
  and specify the threshold. Valid values: 60 to 90. Default value: 80. Unit: %.

Other Configuration

• Site Traffic Log Record: If you turn on the switch, the system automatically creates
the allow_all_traffic policy "built_in_default_all_pass_ac_policy". This policy is
automatically applied to existing sites and bound to newly created sites. If multiple
access control policies are bound to a site, the allow_all_traffic policy has the
highest priority by default. You can click View Log Detail to go to the Access Control
Log page. On this page, you can view and export access control logs that are
generated from traffic that matches the allow_all_traffic policy. If you turn off the
switch, the allow_all_traffic policy is automatically deleted.

  • On the Policy > Policy Type > Access Control Policy page, you can view
  and modify the allow_all_traffic policy. The policy name cannot be modified.

  • After you enable the allow_all_traffic policy, you can unbind this policy from
  a specified site.

Screen View Configuration

• Name: Specifies the title of the big screen in screen casting mode on the homepage.

Notes:
• In reverse proxy mode and one-arm with reverse proxy mode, the Fail-open
function does not take effect on the following sites:

  • The IP address types of the load balancing server and the site service are
  not the same. For example, if the IP address types of the load balancing
  server and the site service are IPv4 and IPv6 respectively, the Fail-open function
  of the site cannot be triggered.

  • The site service has the same IP-port pair as other sites. If the client
  requests the web service of this IP-port pair, the Fail-open function of
  the site cannot be triggered.

  • The load balancing server contains a domain name.

• In transparent proxy mode, traction mode, reverse proxy mode, and one-arm
with reverse proxy mode, the Fail-open function does not take effect on the
following sites:

  • HTTPS sites with the SSL Offload function enabled.

• For a site whose Fail-open function is triggered in reverse proxy mode and
one-arm with reverse proxy mode, the load balancing algorithm degrades to
Round Robin, and the configuration of Weighted Round Robin, Weighted
Least Connections, and IP Hash does not take effect.


Custom Error Page Management
You can create an error page ahead of time, and then select the custom page directly when
configuring the site. After the page is configured on the site, when the device blocks a request from
the client, the error page is returned to the client.
To configure the error page customization, take the following steps:

1. Select System > WAF Global Configuration > Custom Error Page Management.

2. Click New to go to the Custom Error Page Configuration panel.

3. Select the error page file. The html, htm, bmp, gif, jpeg, jpg, png and SVG formats are
supported.

4. Configure the description as required, then click OK.

5. When editing the error page, the files that are uploaded again must be exactly the same as
the last uploaded files with regard to file names and suffixes. After editing, the error page on all
sites referencing it is replaced by the newly uploaded files.

To export custom error pages, take the following steps:

1. Select System > WAF Global Configuration > Custom Error Page Management.

2. Select a file and click Export in the top toolbar.

AAA Server
An AAA server is a server program that handles user requests for access to computer resources, and
for an enterprise, this server provides authentication, authorization, and accounting (AAA) services.
The AAA server typically interacts with network access and gateway servers and with databases
and directories containing user information.
In the WAF system, authentication supports the following three types of AAA server:

• Local server: a local server is the device itself. The device stores user identity information and
handles requests. Local server authentication is fast and cheap, but its storage space is limited
by the device hardware size.

• External servers:

  • Radius Server

  • TACACS+ Server

Configuring Radius Server

1. Select System > AAA Server, and select New > Radius Server.

2. The Radius Server Configuration page appears.

Configure the following.

Basic Configuration

Name: Specifies a name for the Radius server.

Server Address: Specifies an IP address (IPv4 or IPv6) or domain name for the Radius server.

Virtual Router: Specifies a VR for the Radius server.

Port: Specifies a port number for the Radius server. The value range is 1024 to 65535. The default value is 1812.

Secret: Specifies a secret for the Radius server. You can specify at most 31 characters.

Optional Configuration

Backup Server 1/Backup Server 2: Specifies an IP address or domain name for backup server 1 or backup server 2.

Virtual Router1/Virtual Router2: Specifies a VR for the backup server.

Retries: Specifies the retry count for the authentication packets sent to the AAA server. The value range is 1 to 10. The default value is 3.

Timeout: Specifies a timeout for the server response. The value range is 1 to 30 seconds. The default value is 3.

Backup Authentication Server: Specifies a backup authentication server. After configuring a backup authentication server for the Radius server, the backup authentication server takes over the authentication task when the primary server malfunctions or authentication fails on the primary server. The backup authentication server can be the local server or a RADIUS server in the system.

Extension Configuration

Extended Password Encryption Algorithm: Specifies the SM4 extended password encryption algorithm for the Radius server. After configuration, the Radius server uses SM4 for the encrypted storage and encrypted transmission of passwords.

3. Click OK.

Configuring TACACS+ Server

1. Select System > AAA Server.

2. Click New > TACACS+ Server, and the TACACS+ Server Configuration page appears.

Configure values on the TACACS+ Server Configuration page.

Basic Configuration

Name: Enter a name for the TACACS+ server.

Server Address: Specifies the IP address or host name for the TACACS+ server.

Virtual Router: Specifies a VR for the TACACS+ server.

Port: Enter the port number for the TACACS+ server. The default value is 49. The value range is 1 to 65535.

Secret: Enter the shared secret used to connect to the TACACS+ server.

Optional

Backup Server 1 (2): Enter the domain name or IP address for the backup TACACS+ server.

Virtual Router1/Virtual Router2: Specifies a VR for the backup server.

Connectivity Test
When the AAA server parameters are configured, you can test whether they are correct by testing server
connectivity.
To test server connectivity, take the following steps:

1. Select System > AAA Server, and click New.

2. Select your AAA server type, which can be Radius or TACACS+. The local server does not
need the connectivity test.

3. After filling out the fields, click Test Connectivity.

4. For a Radius or TACACS+ server, enter a username and password in the Test Connectivity
panel that pops up.

5. Click OK. If the "Test connectivity success" message appears, the AAA server settings are
correct.

If there is an error message, here are the causes:

• Connect AAA server timeout: Wrong server address, port or virtual router.

• AAA server configuration error: The secret is wrong.

• Wrong name or password: The username or password used for testing is wrong.


Device Management
This section introduces how to configure the Administrators, Trusted Host, MGT Interface, System Time,
NTP Key, system options, and storage management.

Administrators
Device administrators of different roles have different privileges. The system supports predefined
administrator roles and customized administrator roles. By default, the system supports
the following administrator roles, which cannot be deleted or edited:

• admin: Permission for reading, executing and writing. This role has authority over all features.
You can view the current or historical configuration information.

• admin-read-only: Permission for reading and executing. You can view the current or historical
configuration information.

• operator: Permission for reading, executing and writing. You have authority over all features
except modifying the Administrator's configuration, and have no permission to check the log
information.

• auditor: You can only operate on the log information, including view, export and clear.

Notes:
• The device ships with a default administrator named hillstone. You can
modify the settings of hillstone. However, this account cannot be deleted.

Creating an Administrator Account

To create an administrator account, take the following steps:

1. Select System > Device Management > Administrators.

2. Click New.


3. On the Configuration page, configure the following options.

Name: Specifies a name for the system administrator account.

Role: From the Role drop-down list, select a role for the administrator account. Different roles have different privileges.

  • Admin: Permission for reading, executing and writing. This role has authority over all features.

  • Operator: This role has authority over all features except modifying the Administrator's configurations, and has no permission to check the log information.

  • Auditor: You can only operate on the log information, including view, export and clear.

  • Admin-read-only: Permission for reading and executing. You can view the current or historical configuration information.

Password: Specifies a login password for the admin in the Password field. The password should meet the requirements of the Password Strategy.

Confirm Password: Re-enter the password in the Confirm Password field.

Login Type: Select the access method(s) for the admin, including Console, Telnet, SSH, HTTP and HTTPS. If you need all access methods, select Select All.

Description: Enter a description for the administrator account.

4. Click OK.

Configuring Login Options for the Default Administrator

The system has a default administrator "hillstone" with a default password "hillstone". However,
there is a risk that the default username and password may be cracked. To avoid that risk, when
you log in with the default username and password, the system prompts you to change the
default password. Log in to the system again with the new password.

Notes: In the HA Active-Passive (A/P) mode, the backup device does not support
this function, and you can log in with the default username and password.

Trusted Host
To enhance security, the device only allows trusted hosts to manage the system. The
administrator can specify an IP range, and hosts in the specified IP range are trusted hosts. Only trusted
hosts can access the management interface to manage the device.

Notes: If the system cannot be managed remotely, check the trusted host
configuration.

Creating a Trusted Host

To create a trusted host, take the following steps:


1. Select System > Device Management > Trusted Host.

2. Click New.

3. On the Trusted Host Configuration page, configure the following options.

Match Address Type: Select the address type to match the trusted host. When "IPv4" is selected, you need to specify the IP range, and only the hosts in the IP range can be trusted hosts; when "IPv4&MAC" is selected, you need to specify the IP range or MAC address/range, and only the hosts in the specified IP range and MAC range can be trusted hosts.

IP Type: Specifies the IP range of the trusted hosts.

  • IP/Netmask: Specifies the IP address and netmask.

  • IP Range: Specifies the start IP and end IP.

MAC Type: Specifies the MAC address or MAC range of the trusted hosts:

  • MAC Address: Specifies the MAC address of the trusted hosts.

  • MAC Range: Specifies the start MAC address and end MAC address of the trusted hosts.

Login Type: Select the access methods for the trusted host, including Telnet, SSH, HTTP and HTTPS.

4. Click OK.

Management Interface
The device supports the following access methods: Console, Telnet, SSH and WebUI. You can
configure the timeout value, port number, PKI trust domain of HTTPS, and PKI trust domain of
certificate authentication. When accessing the device through Telnet, SSH, HTTP or HTTPS, if
login fails three times in one minute, the administrator account that attempts to log in is
blocked for 2 minutes, during which the administrator account cannot connect to the device.
To configure the access methods:

1. Select System > Device Management > Management Interface.

2. Configure the following options.

Console: Configure the Console access method parameters.

  • Timeout: Specifies the Console timeout value in the Timeout box. The value range is 0 to 60. The default value is 10. The value 0 indicates never timing out. If there is no activity until the timeout, the system drops the console connection.

Telnet: Configure the Telnet access method parameters.

  • Timeout: Specifies the Telnet timeout value. The value range is 1 to 60. The default value is 10.

  • Port: Specifies the Telnet port number. The value range is 1 to 65535. The default value is 23.

SSH: Configure the SSH access method parameters.

  • Timeout: Specifies the SSH timeout value. The value range is 1 to 60. The default value is 10.

  • Port: Specifies the SSH port number. The value range is 1 to 65535. The default value is 22.

Web: Configure the WebUI access method parameters.

  • Multiple Login with Same Account: Select the check box to allow users to log in to the device with the same account simultaneously. By default, the function is disabled. In the default situation, when the same account is used to log in again, the previous login session is kicked out.

  • Timeout: Specifies the WebUI timeout value. The value range is 1 to 1440. The default value is 10.

  • HTTP Port: Specifies the HTTP port number. The value range is 1 to 65535. The default value is 80.

  • HTTPS Port: Specifies the HTTPS port number. The value range is 1 to 65535. The default value is 443.

  • HTTPS Trust Domain: Select a trust domain existing in the system from the drop-down list. When HTTPS starts, the HTTPS server uses the certificate of the specified trust domain. By default, the trust domain trust_domain_default is used.

  • Certificate Authentication: With this check box selected, the system starts certificate authentication. The certificate includes the digital certificate of users and the secondary CA certificate signed by the root CA. Certificate authentication is one form of two-factor authentication. Two-factor authentication does not only need username and password authentication, but also needs another authentication method, like a certificate or fingerprint.

  • Certificate Trust Domain: After certificate authentication is enabled and you log in to the device over HTTPS, the HTTPS server uses the certificate of the specified trust domain. Make sure that the root CA certificate is imported into it.

  • CN Check: After the CN check is enabled, the name in the root CA certificate is checked and verified when the user logs in. The login succeeds only if the certificate and the user are consistent.

Web Console: Configure the parameter for logging in to the Web Console.

  • Port: Enter the TCP port number used for Web Console login. Valid values: 1 to 65535. Default value: 420.

3. Click OK.

Notes: When changing the HTTP port, HTTPS port or HTTPS Trust Domain, the web
server restarts. You may need to log in again if you are using the Web interface.

System Time
You can configure the current system time manually, or synchronize the system time with the
NTP server time via the NTP protocol.

Configuring the System Time Manually

To configure the system time manually, take the following steps:

1. Select System > Device Management > System Time.

2. On the System Time Configuration page, configure the following.

Sync with Local PC: Specifies the method of synchronizing with the local PC. You can select Sync Time or Sync Zone&Time.

  • Sync Time: Synchronizes the system time with the local PC.

  • Sync Zone&Time: Synchronizes the system zone and time with the local PC.

Time Zone: Select the time zone from the drop-down list.

Date: Specifies the date.

Time: Specifies the time.

3. Click OK.

Configuring NTP

To make the system maintain an accurate time, the device allows you to synchronize the system
time with an NTP server on the network via the NTP protocol.
To configure NTP:

1. Select System > Device Management > System Time.

2. In the Enable NTP section, configure the following.

Enable: Click the button to enable the NTP function. By default, the NTP function is disabled.

Authentication: Click the button to enable the NTP Authentication function.

NTP Server: Specifies the NTP server that the device needs to synchronize with. You can specify at most 3 servers.

  • IP: Specifies the IP address of the server.

  • Key: Select a key from the Key drop-down list. If you enable the NTP Authentication function, you must specify a key.

  • Virtual Router: Select the Virtual Router of the interface for NTP communication from the drop-down list.

  • Source interface: Select an interface for sending and receiving NTP packets.

  • Preferred Server: Select the Preferred Server check box to set the server as the first preferred server. The system synchronizes with the first preferred server.

Sync Interval: Specifies the interval value. The device synchronizes the system time with the NTP server at the interval you specified to ensure the system time is accurate.

Time Offset: Specifies the time value. If the time difference between the system time and the NTP server's time is within the maximum adjustment value you specified, the synchronization succeeds; otherwise it fails.

3. Click OK.

NTP Key
After enabling the NTP Authentication function, you need to configure MD5 key IDs and keys. The
device only synchronizes with the authorized servers.

Creating an NTP Key

To create an NTP key:

1. Select System > Device Management > NTP Key.

2. Click New.

3. On the NTP Key Configuration page, configure the following options.

Key ID: Specifies the ID number in the Key ID box. The value range is 1 to 65535.

Password: Specifies an MD5 key in the Password box. The length range is 1 to 20.

Confirm: Re-type the same MD5 key you have entered in the Password box.

4. Click OK.

Settings & Options

Specifies system options, including the system language, administrator authentication server, host
name, password strategy, reboot, and exporting the system debugging information.
To change system settings and options, take the following steps:

1. Select System > Device Management > Settings & Options.

2. Configure the following.

Hostname: Specifies the host name you want to change to in the Hostname box.

Domain: Specifies the domain name you want to specify in the Domain box.

System Language: You can select Chinese or English according to your own requirements.

Administrator Authentication Server: Select a server to authenticate the administrator from the drop-down list.

Lock IP

Maximum count of login attempts: Specifies the maximum number of login attempts from an IP. The value range is from 0 to 256. The default value is 256.

Locking Time: Specifies the locking time of the locked IP. The value range is 1 to 65535 minutes, and the default value is 2 minutes.

Lock Account

Maximum count of login attempts: Specifies the maximum number of login attempts for an account. The value range is from 1 to 5. The default value is 3.

Locking Time: Specifies the locking time of the locked account. The value range is 1 to 65535 minutes, and the default value is 2 minutes.

Minimum Password Length: Specifies the minimum length of the password. The value range is 4 to 16 characters. The default value is 4.

Password Complexity: None means no restriction on the selection of password characters. You can select Password Complexity Settings to enable password complexity checking and configure the password complexity.

  • Minimum Capital Letter Length: The default value is 2 and the range is 0 to 16.

  • Minimum Lowercase Letter Length: The default value is 2 and the range is 0 to 16.

  • Minimum Number Length: The default value is 2 and the range is 0 to 16.

  • Minimum Special Character Length: The default value is 2 and the range is 0 to 16.

  • Validity Period: The unit is day. The range is 0 to 365. The default value is 0, which indicates that there is no restriction on the validity period of the password.

3. Click OK.
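The lockout behaviour described for the Management Interface (three failed logins in one minute block the account for 2 minutes) and the Lock IP / Lock Account settings above can be modelled with the following Python class. It is an added example, not the product's code; the one-minute counting window, the decision strings, the replay helper and the sample account and IP are assumptions made for illustration.

```python
from collections import defaultdict, deque


class LoginLockout:
    """Sliding-window login lockout keyed by account and by source IP.

    Constructed example modelled on the Lock Account / Lock IP settings:
    account_max and ip_max are the maximum failed attempts, window_s is the
    counting window (assumed to be one minute) and lock_s the locking time
    (2 minutes by default). Times are plain seconds, e.g. time.monotonic().
    """

    def __init__(self, account_max=3, ip_max=256, window_s=60, lock_s=120):
        self.limits = {"account": account_max, "ip": ip_max}
        self.window_s = window_s
        self.lock_s = lock_s
        self.failures = {"account": defaultdict(deque), "ip": defaultdict(deque)}
        self.locked_until = {"account": {}, "ip": {}}

    def is_locked(self, kind, key, now):
        """True while `key` (an account name or an IP) is inside its lock period."""
        until = self.locked_until[kind].get(key)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[kind][key]  # lock expired, forget it
            return False
        return True

    def _record_failure(self, kind, key, now):
        """Add one failure; lock the key once the window holds `limit` failures."""
        window = self.failures[kind][key]
        window.append(now)
        while window and now - window[0] >= self.window_s:
            window.popleft()  # drop failures older than the counting window
        if len(window) >= self.limits[kind]:
            self.locked_until[kind][key] = now + self.lock_s
            window.clear()
            return True
        return False

    def attempt(self, account, ip, credentials_ok, now):
        """Process one login attempt and return the decision.

        "rejected-locked": refused without checking credentials
        "accepted":        credentials were correct, counters reset
        "failed-locked":   this failure reached a limit and locked the key
        "failed":          wrong credentials, still below the limits
        """
        if self.is_locked("ip", ip, now) or self.is_locked("account", account, now):
            return "rejected-locked"
        if credentials_ok:
            self.failures["account"].pop(account, None)
            self.failures["ip"].pop(ip, None)
            return "accepted"
        acct = self._record_failure("account", account, now)
        src = self._record_failure("ip", ip, now)
        return "failed-locked" if (acct or src) else "failed"


def replay(events, **kwargs):
    """Run a list of (seconds, account, ip, ok) events and return the decisions."""
    guard = LoginLockout(**kwargs)
    return [guard.attempt(acct, ip, ok, t) for t, acct, ip, ok in events]


# Constructed sample: three wrong passwords within a minute lock the account,
# a correct password during the lock is still refused, and the lock lifts
# after 120 seconds.
SAMPLE_EVENTS = [
    (0, "ops-admin", "203.0.113.5", False),
    (10, "ops-admin", "203.0.113.5", False),
    (20, "ops-admin", "203.0.113.5", False),
    (30, "ops-admin", "203.0.113.5", True),
    (140, "ops-admin", "203.0.113.5", True),
]

if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", decision)
```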

Rebooting the System

Some operations, like license installation or image upgrading, require the system to reboot
before they can take effect.

To reboot the system, take the following steps:

1. Go to System > Device Management > Settings & Options. Click the System Options tab.

2. Click Reboot, and select Yes in the prompt.

3. The system reboots. You need to wait a while before it starts again.

System Debug Information

System debugging helps you diagnose and identify system errors by means of the exported file. By
default, the debugging function is disabled. You can configure the debugging function via the CLI.
To export the system debugging information, take the following steps:

1. Select System > Device Management > Settings & Options. Click the System Options tab.

2. Click Export, and the system saves and sends the debugging files to the provider for diagnosis.

Storage Management
The storage management function helps you manage the system storage space by deleting logs or
stopping logging.
To configure the storage management function, take the following steps:

1. Select System > Device Management > Storage Management.

2. Configure the corresponding options.

Threshold: When the system storage ratio or storage space reaches the specified threshold, the system performs the specified action to control the system storage. The storage ratio ranges from 0.01% to 90%.

Threshold Alarm: When the system storage ratio or storage space reaches the specified threshold, the system records a log message.

Action: When the specified threshold is reached, the system performs the specified action, which is either overriding the earliest data or stopping the recording of data.

  • Override the earliest data: The system deletes the earliest logs.

  • Stop recording data: The system stops storing new logs.

3. Click OK.


Configuration File Management
System configuration information is stored in the configuration file, where it is stored and displayed in command-line format. The information in the configuration file that is used to initialize the device is known as the initial configuration information. If no initial configuration information is found, the device uses the default parameters for initialization. The information currently in effect is known as the current configuration information.
System initial configuration information includes the current initial configuration information (used when the system starts) and backup initial configuration information. The system records the latest ten saved configurations: the most recently saved configuration is recorded as the current initial configuration information and marked as Startup, and the previous nine are marked with the numbers 0 to 8 in order of save time.
You can export or delete saved system configuration files, or export the current effective system configuration. You can also package other modules, including the certificate chain, custom error page, permanently blocked client IP blacklist, and default site (IP-port pair), and export or import these modules together with the saved configuration files.

Managing Configuration File

To manage the system configuration files, take the following steps:

1. Select System > Configuration File Management > Configuration File List.

2. On the Configuration File List page, configure the following.

  • Export: Select the configuration file you want to export, and click Export.

  • Delete: Select the configuration file you want to delete, and click Delete.

  • Backup Restore: You can restore the system configuration to a saved configuration file or to factory defaults, or back up the current configuration.

Option Description

Back up Current Configurations: Enter a description for the configuration file in the Description box. Click Start to back up.

Restore Configuration: Roll back to Saved Configurations:

  • Select Backup System Configuration File: Click this button, then select a backup configuration file from the list. Click OK.

  • Upload Configuration File: Click this button. In the Importing Configuration File panel, click Browse and choose a local configuration file on your PC. If you need the configuration file to take effect, select the check box. Click OK.

  Restore to Factory Defaults:

  • Click Restore, and click OK in the prompt.

  • Import Pack Configuration: Click Import Pack Configuration. In the Import Pack Configuration panel, click Browse and select the tar package file to upload. If you need the configuration file to take effect immediately, select the check box and click OK. The package file must contain the configuration file and can also contain the custom error page, permanently blocked blacklist, and default site (IP-port pair).

  • Export Pack Configuration: Select the configuration that you want to export and click Export Pack Configuration. In the Export Pack Configuration panel, select the range that you want to package, including the certificate chain, custom error page, permanently blocked client IP blacklist, and default site (IP-port pair). The default site (IP-port pair) is the Default Site Discovery (HTTP) and Default Site Exception (HTTP). This module can be packaged and exported only in transparent proxy mode, transparent tap mode, and tap mode.

3. On the Current Configuration page, you can view the current configuration file. Click
Export in the lower-right corner if you want to export the current configuration files.

Notes:

  • When the device is restored to factory defaults, all system configurations are cleared, including backup system configuration files.

  • After you import the pack configuration and reboot the device to make the configuration take effect, the imported configuration is written to the Startup configuration file.

SNMP
The device is designed with an SNMP Agent, which receives operation requests from the Network Management System and returns the corresponding information about the network and the device.
The device supports the SNMPv1, SNMPv2 and SNMPv3 protocols. SNMPv1 and SNMPv2 use community-based authentication to limit which Network Management Systems can get device information. SNMPv3 introduces a user-based security module for information security and a view-based access control module for access control.
The device supports all relevant Management Information Base II (MIB II) groups defined in RFC-1213, the Interfaces Group MIB (IF-MIB) using SMIv2 defined in RFC-2233, the User-based Security Model (USM) for version 3 defined in RFC-2574, and the View-based Access Control Model (VACM) defined in RFC-2575. In addition, the system offers a private MIB, which contains the system information, IPSec VPN information and statistics information of the device. You can use the private MIB by loading it into an SNMP MIB browser on the management host.

SNMP Agent
The device is designed with an SNMP Agent, which provides network management and monitors the running status of the network and devices by viewing statistics and receiving notifications of important system events.
To configure the SNMP Agent, take the following steps:

1. Select System > SNMP > SNMP Agent.

2. On the Agent Configuration page, configure these options.

Option Description

SNMP Agent: Click the button to enable the SNMP Agent function.

ObjectID: Displays the SNMP object ID of the system. The object ID is specific to an individual system and cannot be modified.

System Contact: Enter the SNMP system contact information of the device in the System Contact box. System contact is a management variable of the system group in MIB II; it contains the ID and contact details of the administrator responsible for the managed device. Configuring this parameter saves this important information on the device for possible use in an emergency.

Location: Enter the location of the device in the Location box.

Host Port: Enter the port number of the managed device in the Host Port box.

Virtual Router: Select the VRouter from the Virtual Router drop-down list.

Local Engine ID: Enter the SNMP engine ID in the Local Engine ID box. When the Local Engine ID parameter is left empty, the HA master and backup devices each generate a default engine ID, and the two IDs differ from each other.

3. Click OK.

Notes: The SNMP Engine ID uniquely identifies an engine. The SNMP Engine is an important component of the SNMP entity (Network Management System or managed network device) which implements functions such as the reception, sending and verification of SNMP messages, PDU abstraction, encapsulation, and communication with SNMP applications.

SNMP Host
To create an SNMP host, take the following steps:

1. Select System > SNMP > SNMP Host.

2. Click New.

3. On the SNMP Host Configuration page, configure these values.

Option Description

Type: Select the SNMP host type from the Type drop-down list: IP Address, IP Range or IP/Netmask.

  • IP Address: Type the IP address of the SNMP host in the Hostname box.

  • IP Range: Type the start IP and end IP in the Hostname boxes respectively.

  • IP/Netmask: Type the start IP address and netmask of the SNMP host in the Hostname boxes respectively.

SNMP Version: Select the SNMP version.

Community: Enter the community for the SNMP host in the Community box. The community is a password sent in clear text between the manager and the agent. This option is only effective if the SNMP version is V1 or V2C.

Permission: Select the read and write permission for the community from the Permission drop-down list. This option is only effective if the SNMP version is V1 or V2C.

  • RO: Stands for read-only. The read-only community is only allowed to read MIB information.

  • RW: Stands for read-write. The read-write community is allowed to read and modify MIB information.

4. Click OK.

Trap Host
To create a Trap host, take the following steps:

1. Select System > SNMP > Trap Host.

2. Click New.

3. On the Trap Host Configuration page, configure these values.

Option Description

Host: Enter the domain name or IP address of the Trap host in the Host box.

Trap Host Port: Enter the port number for the Trap host in the Trap Host Port box.

SNMP Agent: Select the SNMP version from the SNMP Agent drop-down list.

  • V1 or V2C: Type the community for the Trap host in the Community box.

  • V3: Select the V3 user from the V3 User drop-down list. Type the Engine ID of the trap host in the Engine ID box.

4. Click OK.

V3 User Group
SNMPv3 protocol introduces a user-based security module. You need to create an SNMP V3 user
group for the SNMP host if the SNMP version is V3.
To create a V3 user group:

1. Select System > SNMP > V3 User Group.

2. Click New.

3. On the V3 Group Configuration page, enter values.

Option Description

Name: Enter the SNMP V3 user group name in the Name box.

Security Model: Displays the security model for the SNMP V3 user group.

Security Level: Select the security level for the user group. The security level determines the security mechanism used when processing an SNMP packet. Security levels for V3 user groups include No Authentication (no authentication and no encryption), Authentication (authentication algorithm based on MD5 or SHA) and Authentication and Encryption (authentication algorithm based on MD5 or SHA and message encryption based on AES or DES).

Read View: Select the read-only MIB view name for the user group:

  • All: The user group can read all MIB views.

  • MIB2: The user group can read the public MIB (MIB-II) defined in RFC-1213 and RFC-2233.

  • Private MIB: The user group can read the private MIB.

  • VACM MIB: The user group can read the View-based Access Control Model (VACM) MIB defined in RFC-2575.

  • USM MIB: The user group can read the User-based Security Model (USM) MIB for version 3 defined in RFC-2574.

Write View: Select the write MIB view name for the user group:

  • All: The user group can modify all MIB views (USM MIB).

  • USM MIB: The user group can modify the User-based Security Model (USM) MIB for version 3 defined in RFC-2574.

4. Click OK.
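The view and security-level options above decide what a V3 user may read or write. The following is an added example, not Hillstone code, that models those choices as OID subtrees and checks a request against them; the MIB-II, USM and VACM prefixes are the standard ones from the RFCs cited above, while the private MIB prefix is a placeholder because the vendor enterprise OID is not given on this page.

```python
"""Added example (not Hillstone code): models the V3 user group read/write
views on this page as OID subtrees and decides whether an SNMPv3 request
is permitted. MIB-II, USM and VACM roots are the standard OIDs
(RFC-1213/2233, RFC-2574, RFC-2575); the private MIB root is a placeholder."""

# Standard subtree roots (real OIDs).
MIB2_OID = "1.3.6.1.2.1"           # mib-2, RFC-1213 / RFC-2233
USM_MIB_OID = "1.3.6.1.6.3.15"     # snmpUsmMIB, RFC-2574
VACM_MIB_OID = "1.3.6.1.6.3.16"    # snmpVacmMIB, RFC-2575
PRIVATE_MIB_OID = "1.3.6.1.4.1.0"  # PLACEHOLDER: vendor enterprise subtree (assumed)

# View names exactly as they appear on the V3 Group Configuration page.
VIEW_ROOTS = {
    "All": None,                   # None means every OID
    "MIB2": MIB2_OID,
    "Private MIB": PRIVATE_MIB_OID,
    "VACM MIB": VACM_MIB_OID,
    "USM MIB": USM_MIB_OID,
}
READ_VIEWS = {"All", "MIB2", "Private MIB", "VACM MIB", "USM MIB"}
WRITE_VIEWS = {"All", "USM MIB"}

# Security levels on the page, ordered weakest to strongest.
LEVEL_RANK = {
    "No Authentication": 0,
    "Authentication": 1,
    "Authentication and Encryption": 2,
}


def oid_in_view(oid, view):
    """True if `oid` lies inside the subtree exposed by `view`.

    The "." is required so that 1.3.6.1.2.10 is not mistaken for 1.3.6.1.2.1."""
    root = VIEW_ROOTS[view]
    if root is None:
        return True
    return oid == root or oid.startswith(root + ".")


def check_access(group, oid, op, msg_level):
    """Decide whether a request is permitted for a user in `group`.

    group: dict with 'security_level', 'read_view' and 'write_view'
           (write_view is None when the group has no write view).
    op: 'get' (read) or 'set' (write).
    msg_level: security level the incoming message was sent with.
    Returns (allowed, reason)."""
    # A message weaker than the group's level is refused before any view
    # lookup, so an unauthenticated packet cannot probe an authenticated group.
    if LEVEL_RANK[msg_level] < LEVEL_RANK[group["security_level"]]:
        return False, "message security level below the group's level"
    if op == "get":
        view = group["read_view"]
        if view not in READ_VIEWS:
            return False, "no usable read view"
    elif op == "set":
        view = group["write_view"]
        if view not in WRITE_VIEWS:
            return False, "no usable write view"
    else:
        return False, "unknown operation"
    if oid_in_view(oid, view):
        return True, f"{op} permitted by view {view!r}"
    return False, f"OID {oid} outside view {view!r}"


# Constructed groups: a read-only monitoring group and a full admin group.
MONITOR_GROUP = {"security_level": "Authentication and Encryption",
                 "read_view": "MIB2", "write_view": None}
ADMIN_GROUP = {"security_level": "Authentication and Encryption",
               "read_view": "All", "write_view": "All"}

SYS_NAME = "1.3.6.1.2.1.1.5.0"          # sysName.0 (MIB-II)
USM_USER_TABLE = "1.3.6.1.6.3.15.1.2.2"  # usmUserTable (USM MIB)

if __name__ == "__main__":
    full = "Authentication and Encryption"
    for grp, name in ((MONITOR_GROUP, "monitor"), (ADMIN_GROUP, "admin")):
        for oid in (SYS_NAME, USM_USER_TABLE):
            for op in ("get", "set"):
                print(name, op, oid, check_access(grp, oid, op, full))
```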

V3 User
If the selected SNMP version is V3, you need to create an SNMP V3 user group for the SNMP
host and then add users to the user group.
To create a user for an existing V3 user group, take the following steps:

1. Select System > SNMP > V3 User.

2. Click New.

3. On the V3 User Configuration page, configure these values.

Option Description

Name: Enter the SNMP V3 user name in the Name box.

V3 User Group: Select an existing user group for the user from the Group drop-down list.

Security Model: Displays the security model for the SNMP V3 user.

Remote IP: Enter the IP address of the remote management host in the Remote IP box.

Authentication: Select the authentication protocol. By default, this parameter is None, i.e., no authentication.

Authentication Password: Enter the authentication password in the Authentication Password box.

4. Click OK.

Upgrading System
The firmware upgrade wizard helps you:

  • Upgrade the system to a new version or roll the system back to a previous version.

  • Update the signature database, information database, and WAF history data.

Upgrading Firmware
To upgrade firmware, take the following steps:

1. Select System > Upgrade Management > Upgrade Firmware.

2. On the Upgrade Firmware page, configure the following.

Upgrade Firmware

Backup Configuration File: Make sure you have backed up the configuration file before upgrading. Click Backup Configuration File to back up the current configuration file; after the backup, the system automatically redirects to the Configuration File Management page.

Current Version: The current firmware version.

Upload Firmware: Click Browse to select a firmware file from your local disk.

Backup Image: The backup firmware version.

Reboot: Select the Reboot now to make the new firmware take effect check box and click Apply to reboot the system and make the firmware take effect. If you click Apply without selecting the check box, the firmware takes effect after the next startup.

Choose a Firmware for the Next Startup

Choose a Firmware for the Next Startup: Select the firmware that will take effect at the next startup.

Reboot: Select the Reboot now to make the new firmware take effect check box and click Apply to reboot the system and make the firmware take effect. If you click Apply without selecting the check box, the firmware takes effect after the next startup.

Updating Signature Database


To update signature database, take the following steps:

1. Select System > Upgrade Management > Signature Database Update.

2. On the Signature Database Update page, configure the following.

Option Description

Current Version: Shows the current version number.

Remote Update: Configure the update parameters.

  • Protocol: Select the protocol for the signature database update. Click Restore Default to restore the default protocol (HTTPS).

  • Update Server: By default the device provides two update servers: https://update1.hillstonenet.com and https://update2.hillstonenet.com. You can customize the servers according to your needs. In the Update Server section, specify the server IP or domain name and the Virtual Router.

  • Update Proxy Server: When the device accesses the Internet through an HTTP proxy server, you need to specify the IP address and port number of the HTTP proxy server; with the proxy server specified, the signature databases can update normally. In the Update Proxy Server section, enter the IP addresses and ports of the main proxy server and the backup proxy server.

  • Auto Update: Enable Auto Update and specify the auto update time. Click OK.

  • OK And Online Update: Click the button to update the signature database immediately.

Local Update: Click Browse and select the signature file on your local PC, and then click Upload.

Updating Information Database

Currently, you can update the IP geography database on the Information Database Update page.
To update the IP Geography database, take the following steps:

1. Select System > Upgrade Management > Information Database Update.

2. On the IP Geography Database page, configure the following.

Option Description

Current Version: Shows the current version number.

Remote Update: Configure the update parameters.

  • Protocol: Select the protocol for the database update. Click Restore Default to restore the default protocol (HTTPS).

  • Update Server: By default the device provides two update servers: https://update1.hillstonenet.com and https://update2.hillstonenet.com. You can customize the servers according to your needs. In the Update Server section, specify the server IP or domain name and the Virtual Router.

  • Update Proxy Server: When the device accesses the Internet through an HTTP proxy server, you need to specify the IP address and port number of the HTTP proxy server; with the proxy server specified, the databases can update normally. In the Update Proxy Server section, enter the IP addresses and ports of the main proxy server and the backup proxy server.

  • Auto Update: Enable Auto Update and specify the auto update time. Click OK.

  • OK And Online Update: Click the button to update the database immediately.

Local Update: Click Browse and select the database file on your local PC, and then click Upload.

WAF History Data Upgrade

After the device is updated to the latest version, you are informed whether the log database format has changed and an upgrade is needed. If it has, click Update; the progress of the update is displayed on the right. If the log database format has not changed, you are informed that there is no need to upgrade the log database.

License
Licenses authorize features, authorize services, or extend performance. If you do not purchase and install the corresponding license, the features, services, and performance that depend on that license cannot be used or achieved.
License classes and rules:

Platform License / Description / Valid Time

Platform Trial
  Description: The platform license is the basis on which the other licenses operate. If the platform license is invalid, the other licenses are not effective. The device has a platform trial license pre-installed at the factory, valid for 15 days.
  Valid Time: You cannot modify the existing configuration when the license expires. The system restores to factory defaults when the device reboots.

Platform Base
  Description: You can install the platform base license after the formal sale of the device. The license provides basic WAF functions.
  Valid Time: The system cannot upgrade the OS version when the license expires, but the system can still work normally.

Default
  Description: vWAF is installed with a free default license, which you do not need to apply for. With the default license the system supports all features, but their performance is limited.
  Valid Time: The valid time is 30 days. When the license expires, no system feature can be accessed and the system version and signature database cannot be upgraded.

Platform Sub
  Description: This license shares the same features and performance as the Platform Base license. However, the valid time of the Platform Sub license is relatively shorter and is expressed as absolute time, for example from March 1st, 2017 to March 31st, 2017.
  Valid Time: The existing configuration cannot be modified when the license expires. You can only access platform features after the device restarts, and the performance of these features is limited.

Service License / Description / Valid Time

WAF Rule DB License
  Description: Provides updates of the WAF rule database.
  Valid Time: The system cannot update the WAF rule database when the license expires, but the loaded database can still be used normally.

WAF IP Reputation Database License
  Description: Provides updates of the WAF IP reputation database.
  Valid Time: The system automatically deletes the WAF IP reputation database license when it expires, and the license can no longer be used.

Threat Intelligence License
  Description: Provides the threat intelligence function.
  Valid Time: The threat intelligence function cannot be used when the license expires.

Subscription License / Description / Valid Time

CPU Sub License
  Description: Authorizes the maximum number of CPUs that can be configured for a vWAF. There are two types of CPU license: official and trial. The official CPU license is permanent. When the trial CPU license expires, the system does not restart on its own; if you manually restart the system, it restores to the configuration of the most basic model, SG-6000-WV02, that is, 2 vCPUs.
  Valid Time: The official CPU license is permanent. When the trial CPU license expires, the system does not restart on its own; if you manually restart the system, it restores to the configuration of the most basic model, SG-6000-WV02, that is, 2 vCPUs.

Notes:
If the platform license installed on vWAF expires, the function license and sub-
scription license installed on vWAF are still valid but the system cannot be
upgraded to later versions.

Applying for a License


Before you apply for a license, you have to generate a license request first.

1. Select System > License.

2. Click Apply For to go to the License Request panel. All fields are required.

3. Click Generate, and a request code appears.

4. Send the code to your sales contact. The sales person will issue the license and send the license code back to you.

Installing a License
After obtaining the license, you must install it to the device.
To install a license, take the following steps:

1. Select System > License.

2. Click Import and configure the following options.

Option Description

Upload License File: Select Upload License File. Click Browse to select the license file (TXT format), and then click Upload.

Manual Input: Select Manual Input. Enter the license string in the box and click Upload.

3. Click Upload.

4. System restart is required when platform sub license is imported for the first time or when
the CPU sub license whose vCPU specification is modified is imported. Select System >
Device Management > Settings & Options, and click the System Options tab.

5. Click Reboot and then click Yes in the prompt.

6. The system will restart. After it starts again, installed license(s) will take effect.

Notes:

  • Initial installation of the Platform Sub license requires a device restart; a restart is not required when the Platform Sub license is renewed.

  • A system restart is required when a CPU sub license whose vCPU specification is modified is imported.

Verifying a License
For vWAF, after the platform license is installed, the device SN changes to a vSN. If you need to further apply for the function license, service license, or subscription license, you can apply for them with this vSN. After vWAF is reinstalled, its licenses are still valid because licenses are not SN-based. Meanwhile, Hillstone provides a public LMS and an Intranet LMS to verify and manage licenses, thereby ensuring license security. The LMS verifies the validity of a license to prevent the license from being cloned and pirated.
Currently, the system supports two verification methods. One is to connect to the public LMS (License Management System) via the Internet to verify licenses. The other is to connect to the internal LMS via the LAN to verify licenses. You can choose either method as needed.

  • Internet: Verification through the public LMS is suitable for small private cloud or public cloud scenarios. Once vWAF is connected to the public LMS, the public LMS provides license validation (currently the public network LMS does not provide license distribution and management). If license cloning is detected, or vWAF is not connected to the server for license verification, the device will be restarted in 30 days.

  • Intranet: Validation through the Intranet LMS is suitable for large private or industry cloud scenarios. When vWAF is connected to the Intranet LMS, the Intranet LMS provides not only license validation but also automatic distribution and management of the license. If license cloning is detected, the license on the cloning or cloned vWAF is uninstalled and the device is restarted immediately. If vWAF is not connected to the server for license verification, the device will be restarted in 30 days.

To verify licenses, take the following steps:

1. Select System > License, and click License Verify to go to the License Server Status panel.

2. On the License Server Status panel, you can view the server's authentication connection status and distribution connection status, the server address and port, the virtual router, and the verification type. Click Configuration to go to the License Verification Configuration panel.

Configure the verification type as needed.

  • Internet: Select Internet, select the virtual router from the drop-down list, and click OK. The vWAF license is checked through the public server. Select the Connect via Master check box to make the master device act as a proxy for the backup device: authentication requests between the backup device and the public LMS are first forwarded to the master device through the HA link, and then to the public LMS server. You can enable this function when there are not enough public network IP addresses for backup devices to connect to the public LMS.

  • Intranet: Select Intranet and specify the Address, Port and Virtual Router of the server. Click OK. The vWAF license is checked, distributed and managed through the Intranet LMS. Select the Connect via Master check box to make the master device act as a proxy for the backup device: authentication requests between the backup device and the public LMS are first forwarded to the master device through the HA link, and then to the public LMS server. You can enable this function when there are not enough public network IP addresses for backup devices to connect to the public LMS.

3. Select System > Device Management > Settings & Options, and click the System Options tab.

4. Click Reboot, and select Yes in the prompt.

5. The system restarts. After it starts again, the installed license(s) take effect.

Notes: When you verify your license through public server, make sure you can
access the Internet through the interface connected to the public server. For more
information, see LMS WebUI User Guide.

Mail Server
By configuring the SMTP server in the Mail Server page, the system can send the log messages to
the specified email address.

Creating a Mail Server


To create a mail server, take the following steps:

1. Select System > Mail Server.

2. On the Mail Server page, configure these values.

Option Description

Name: Specify a name for the SMTP server in the box.

Server: Specify the domain name or IP address of the SMTP server in the box.

Transmission Mode: Select the transmission mode for the email.

  • PLAIN: The mail is sent in plain text and is not encrypted. This is the default transmission mode.

  • STARTTLS: STARTTLS is an extension to the plain-text communication protocol that upgrades plain-text connections to encrypted connections. In this mode, the mail is transmitted over an encrypted connection.

  • SSL: The SSL protocol is a security protocol that provides security and data integrity for network communication. In this mode, the mail is transmitted over an encrypted connection.

Port: Specify the port number of the mail server in the box. The range is 1 to 65535. The default port number differs by transmission mode: PLAIN: 25, STARTTLS: 25, SSL: 465.

Virtual Router: From the Virtual Router drop-down list, select the Virtual Router for the SMTP server.

Verification: Click the button to enable this function if needed. Specify the username and its password in the corresponding boxes.

Email: Specify the email address that sends the log messages.

3. Click OK.

System Alarm Rule


The system provides a monitoring and alarming function, which can be used to monitor the CPU utilization, memory usage, and interface bandwidth of the WAF. By configuring alarm rules for CPU utilization, memory usage, and interface bandwidth, you make the system generate corresponding event logs or trap alarms when an alarm rule is matched.
This topic consists of the following sections:

  • Configuring an Alarm Rule for CPU Utilization

  • Configuring an Alarm Rule for Memory Usage

  • Configuring an Alarm Rule for Interface Bandwidth

Configuring an Alarm Rule for CPU Utilization
To configure an alarm rule for CPU utilization, take the following steps:

1. Select System > System Alarm Rule > CPU Utilization.

2. Enable Configure.

3. Configure the following options:

Option Description

Configure: Click the button to enable the alarm rule configuration for CPU utilization. By default, this button is disabled.

CPU Threshold: Enter the alarm threshold of CPU utilization. Valid values: 1% to 99%. Default value: 80%.

Interval: Enter the detection interval of CPU utilization. Valid values: 3 to 10 seconds. By default, the system detects the CPU utilization every 10 seconds.

Sampling Period: Enter the sampling period of CPU utilization. Valid values: 30 to 3600 seconds. Default value: 600 seconds.

Min Count: Enter the minimum number of times the CPU utilization must reach the threshold. Valid values: 1 to 1000.

Alarm Mode: Select an alarm mode. The system can generate event logs or send trap information to the trap host. After the alarm rule for CPU utilization is matched, the system alarms you in the specified alarm mode.

  • Send Syslog: If this alarm mode is selected, the system generates corresponding event logs. To send event logs of CPU utilization to a log server, you need to configure the log server for the system and select Log Server on the configuration page of event logs.

  • Send via Trap: If this alarm mode is selected, the system generates corresponding trap alarms and sends them to the trap host.

Note: To select Send via Trap, you need to enable SNMP Agent and configure the trap host in advance. For more information, see SNMP.

4. Click OK.
To restore to default settings, click Restore Default and then OK.

Configuring an Alarm Rule for Memory Usage


To configure an alarm rule for memory usage, take the following steps:

1. Select System > System Alarm Rule > Memory Utilization.

2. Enable Configure.

3. Configure the following options:

Option Description

Configure: Click the button to enable the alarm rule configuration for memory usage. By default, this button is disabled.

Memory Threshold: Enter the alarm threshold of memory usage. Valid values: 1% to 99%. Default value: 80%.

Interval: Enter the detection interval of memory usage. Valid values: 3 to 10 seconds. By default, the system detects the memory usage every 10 seconds.

Sampling Period: Enter the sampling period of memory usage. Valid values: 30 to 3600 seconds. Default value: 600 seconds.

Min Count: Enter the minimum number of times the memory usage must reach the threshold. Valid values: 1 to 1000.

Alarm Mode: Select an alarm mode. The system can generate event logs or send trap information to the trap host. After the alarm rule for memory usage is matched, the system alarms you in the specified alarm mode.

  • Send Syslog: If this alarm mode is selected, the system generates corresponding event logs. To send event logs of memory usage to a log server, you need to configure the log server for the system and select Log Server on the configuration page of event logs.

  • Send via Trap: If this alarm mode is selected, the system generates corresponding trap alarms and sends them to the trap host.

Note: To select Send via Trap, you need to enable SNMP Agent and configure the trap host in advance. For more information, see SNMP.

4. Click OK.
To restore to default settings, click Restore Default and then OK.

Configuring an Alarm Rule for Interface Bandwidth


To configure an alarm rule for interface bandwidth, take the following steps:

1. Select System > System Alarm Rule > Interface Bandwidth.

2. Click New.

3. Configure the following options:

Option Description

Interface: Select the physical interface whose bandwidth you want to monitor from the drop-down list.

Bandwidth Threshold: Enter the alarm threshold of interface bandwidth. Valid values: 1% to 99%. Default value: 80%.

Interval: Enter the detection interval of interface bandwidth. Valid values: 3 to 10 seconds. By default, the system detects the interface bandwidth every 10 seconds.

Sampling Period: Enter the sampling period of interface bandwidth. Valid values: 30 to 3600 seconds. Default value: 600 seconds.

Min Count: Enter the minimum number of times the interface bandwidth must reach the threshold. Valid values: 1 to 1000.

Alarm Mode: Select an alarm mode. The system can generate event logs or send trap information to the trap host. After the alarm rule for interface bandwidth is matched, the system alarms you in the specified alarm mode.

  • Send Syslog: If this alarm mode is selected, the system generates corresponding event logs. To send event logs of interface bandwidth to a log server, you need to configure the log server for the system and select Log Server on the configuration page of event logs.

  • Send via Trap: If this alarm mode is selected, the system generates corresponding trap alarms and sends them to the trap host.

Note: To select Send via Trap, you need to enable SNMP Agent and configure the trap host in advance. For more information, see SNMP.

4. Click OK.
To restore to default settings, click Restore Default and then OK.
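As an added example (not the device's own implementation), the following Python models how the options above combine: Interval sets how often utilization is detected, Sampling Period bounds the window of detections considered, and Min Count is the number of detections in that window that must reach the Bandwidth Threshold. The alarm semantics and the derivation of utilization from byte counters are assumptions, and the counter values are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BandwidthAlarmRule:
    """Interface Bandwidth alarm rule options, with the WebUI's defaults and valid ranges."""
    threshold_pct: int = 80        # Bandwidth Threshold: 1% to 99%, default 80%
    interval_s: int = 10           # Interval: 3 to 10 seconds, default 10
    sampling_period_s: int = 600   # Sampling Period: 30 to 3600 seconds, default 600
    min_count: int = 1             # Min Count: 1 to 1000

    def __post_init__(self):
        # Reject values the WebUI would not accept.
        if not 1 <= self.threshold_pct <= 99:
            raise ValueError("Bandwidth Threshold must be 1% to 99%")
        if not 3 <= self.interval_s <= 10:
            raise ValueError("Interval must be 3 to 10 seconds")
        if not 30 <= self.sampling_period_s <= 3600:
            raise ValueError("Sampling Period must be 30 to 3600 seconds")
        if not 1 <= self.min_count <= 1000:
            raise ValueError("Min Count must be 1 to 1000")

    def samples_per_period(self):
        """How many detections fall inside one sampling period."""
        return self.sampling_period_s // self.interval_s

    def is_triggered(self, utilization_pct):
        """Assumed semantics: the rule matches when at least Min Count of the detections
        in the most recent sampling period are at or above the threshold."""
        recent = list(utilization_pct)[-self.samples_per_period():]
        hits = sum(1 for u in recent if u >= self.threshold_pct)
        return hits >= self.min_count

def utilization_series(byte_counters, interval_s, link_bps):
    """Turn cumulative interface byte counters read once per detection interval into
    utilization percentages of the link speed (assumed derivation, not the device's)."""
    series = []
    for prev, cur in zip(byte_counters, byte_counters[1:]):
        series.append(100.0 * (cur - prev) * 8 / (interval_s * link_bps))
    return series

# Constructed sample: counters read every 10 s on a 1 Gbit/s link. The deltas of
# 1.0 GB, 1.1 GB and 0.5 GB correspond to 80%, 88% and 40% utilization.
SAMPLE_COUNTERS = [0, 1_000_000_000, 2_100_000_000, 2_600_000_000]

def evaluate_sample(rule=BandwidthAlarmRule(min_count=2)):
    """Apply the rule to the constructed counters; with Min Count 2 it triggers."""
    series = utilization_series(SAMPLE_COUNTERS, rule.interval_s, 1_000_000_000)
    return rule.is_triggered(series)
```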



Extended Services
The system supports connecting to other Hillstone products to provide more services. Currently, the extended services include connecting to Hillstone Security Management (HSM). For specific configuration, refer to the following topic:

l Connecting to HSM



Connecting to HSM
Hillstone Security Management (HSM) is a centralized management platform used to manage and control multiple Hillstone devices. Using Web 2.0 and RIA (Rich Internet Application) technology, HSM provides a visualized interface to centrally manage policies, monitor devices, and generate reports.
Each device has an HSM module inside it. When the device is configured with the correct HSM parameters, it can connect to HSM and be managed by HSM.

Notes: For more information about HSM, please refer to the HSM User Guide.

HSM Deployment Scenarios

HSM is normally deployed in one of two scenarios: installed in a public network or in a private network:

l Installed in a public network: HSM is remotely deployed and connected to the managed devices via the Internet. When HSM and the managed devices have an accessible route between them, HSM can control the devices.

l Installed in a private network: In this scenario, HSM and the managed devices are in the same subnet. HSM can manage the devices in the private network.

Connecting to HSM

To configure HSM parameters in the device, take the following steps:

1. Select System > Extended Services.

2. Click in the lower-right corner to go to the Connecting to HSM panel. Click to enable HSM.

3. Enter the HSM server's IP address in the Server IP/Domain text box. The address cannot be 0.0.0.0, 255.255.255.255, or a multicast address.

4. Enter the port number of the HSM server.

5. Click OK.

Notes: The Syslog Server part shows the HSM server's syslog server and its port.



Connecting to Hillstone Cloud Service Platform
Hillstone Cloud is a cloud security services platform for the mobile Internet era, including CloudView, cloud sandbox and Cloud Vista (Threat Intelligence Center).
After the Hillstone device is properly configured to connect to the Cloud, you can register the Hillstone device to the public cloud and connect the device with the Cloud, thereby remotely monitoring the device through the Cloud.

l CloudView: CloudView is a SaaS product for the security area. It is deployed in the public cloud to provide users with online, on-demand services. Users can get convenient, high-quality and low-cost value-added security services through the Internet and the app, and get a better security experience.
The main deployment scenario of CloudView is as follows:
When Hillstone devices register to the public cloud, the device information, traffic data, threat events, and system logs are uploaded to the cloud, which provides a visual display. Users can monitor the device status information, reports, threat analysis, etc. through the Web or the mobile phone app.

l Cloud Vista (Threat Intelligence Center): The Threat Intelligence function can upload certain elements of the logs generated by each module, such as IP addresses and domains, to the cloud platform. The cloud platform checks whether these elements have associated threat intelligence through the threat center. You can view threat intelligence information related to the elements through the Threat Intelligence Center.



Connecting to Hillstone Cloud
When using the Cloud, the device needs to connect to the Cloud server.

1. Select System > Connecting to Hillstone Cloud Service Platform.

2. Click Edit to go to the Connecting to Hillstone Cloud Service Platform panel.

3. On this page, configure the following options.

Option Description

Address Enter the IP address or domain name of the cloud service platform. The default value is cloud.hillstonenet.com.cn.

Virtual Router Select the VRouter of the Cloud service platform from the drop-down list.

User Enter the username of the cloud service platform and bind the device with this account. Click the Register button and sign up for an account on the Hillstone cloud service login page. Click Unbind to remove the binding relationship between the device and the account.

Password Enter the password of the user.

4. Click OK.



5. Click the CloudView button. The Hillstone CloudView page appears.

On this page, configure the following options.

Option Description

Enable Click the button to enable the Hillstone CloudView service.

Upload Data Item Check the checkbox of the data items that need to be uploaded to the cloud service platform.

Scan QR code to connect to Hillstone CloudView use APP Scan the QR code using a QR reader app on your smartphone or mobile device to connect to Hillstone CloudView via APP.

Visit CloudView Click the button to visit CloudView.

6. Click OK.

7. Click the CloudVista button. On the CloudVista page, click the button to enable the
CloudVista service. The CloudVista service is controlled by license. To use the CloudVista
service, install the threat intelligence license.

8. Click EULA to read confidentiality and privacy statements, user authorizations and other
content.



Diagnosis
The system supports multiple diagnostic methods, and also lets you configure the device by entering commands on the Web Console. These include:

l Diagnostic Capture: You can capture the proxy traffic packets of the WAF device in real-time
and store them in the diagnostic file through the Diagnostic Capture function. You can also
import the diagnostic file to analyze or diagnose via third-party capture software.

l Test Tools: DNS Query, Ping, Traceroute, and Curl can be used when you troubleshoot the
network.

l Diagnostic Files: Displays diagnostic files stored in the system.

l Web Console: Allows configuration and management of the device via command line on the
WebUI.



Test Tools
DNS Query, Ping, Traceroute, and Curl can be used when you troubleshoot the network.

DNS Query

To check the DNS working status of the device, take the following steps:

1. Select System > Diagnostic Tool > Test Tools.

2. Select "trust-vr" from the Virtual Router drop-down list.

3. Type a domain name into the DNS Query box.

4. Click Test, and the testing result will be displayed in the list below.

Ping

To check the network connection status, take the following steps:

1. Select System > Diagnostic Tool > Test Tools.

2. Select "trust-vr" from the Virtual Router drop-down list.

3. Type an IP address into the Ping box.

4. Click Test, and the testing result will be displayed in the list below.

5. The testing result contains two parts:

l The Ping packet response. If there is no response from the target after the timeout, it will print Destination Host Not Response, etc. Otherwise, the response contains the sequence number of the packet, the TTL and the response time.

l Overall statistics, including the number of packets sent, the number of packets received, the percentage with no response, and the minimum, average and maximum response times.



Traceroute

Traceroute is used to test and record the gateways a packet has traversed from the originating host to the destination. It is mainly used to check whether the network connection is reachable and to analyze the broken point of the network. The common Traceroute function works as follows: first, a packet with TTL 1 is sent, so the first hop sends back an ICMP error message to indicate that this packet cannot be forwarded (because of the TTL timeout); then the packet is re-sent with TTL 2, and a TTL timeout is sent back again; this process repeats until the packet reaches the destination. In this way, the source address of each ICMP TTL timeout is recorded. As a result, the path from the originating host to the destination is identified.
To test and record the gateways a packet has traversed using Traceroute, take the following steps:

1. Select System > Diagnostic Tool > Test Tools.

2. Select "trust-vr" from the Virtual Router drop-down list.

3. Type an IP address into the Traceroute box.

4. Click Test, and the testing result will be displayed in the list below.

Curl

To test the HTTP server using the Curl tool, take the following steps:

1. Select System > Diagnostic Tool > Test Tools.

2. Select "trust-vr" from the Virtual Router drop-down list.

3. Type the IP address or domain name of the HTTP service to be queried in the Curl text
box.

4. Click Test, and the testing result will be displayed in the list below.



Diagnostic Capture
You can use Diagnostic Capture to capture, in real time, the traffic data packets that are being proxied by the WAF device, based on either a physical or an internal interface. The captured packets are saved in a diagnostic file and can be exported for analysis using third-party software.

Configuring Diagnostic Capture

To configure the diagnostic capture, take the following steps:

1. Select System > Diagnostic Tool > Diagnostic Capture to enter the Capture Configuration
page.

2. Configure the following options:

Option Description

Interface Type Specifies the type of the interface. The system will capture traffic data packets of the specified interface.

l Physical Interface: Based on the physical interface, the online packet capture tool captures traffic data packets destined for the data forwarding plane process. Click + below Physical Interface and the Interface panel appears. Select the physical interface. You can select up to 4 physical interfaces. If Any is enabled, the system will capture traffic data packets of all physical interfaces.

l Internal Interface: Based on the internal interface, the online packet capture tool captures traffic data packets destined for the WAF application plane process.

Physical Interface

Arguments Enter the relevant command parameters for the physical interface packet capture tool. For example, the argument "-w filename.pcap" indicates that captured packets will be output as a file named "filename" in .pcap format and displayed on the list on the Diagnostic Files page for you to download and view.

Duration Specifies the duration to capture traffic data packets of the physical interface. You can specify 10 seconds, 30 seconds, 60 seconds, and 120 seconds.

Data Plane Pre-Filter Click New and the Data Plane Pre-Filter Configuration panel appears, where you can configure pre-filter conditions for capturing data packets, such as Source IP, Source Port, Destination IP, Destination Port, and Protocol. The system will capture traffic data packets meeting the pre-filter conditions. If Other Protocol is selected, enter the number of the corresponding protocol.

Internal Interface

Capture Direction Select the capture direction, which includes All, Downstream, and Upstream.
Note: Transparent proxy mode, transparent tap mode, and tap mode only support the capture direction All.

Time Select the capture duration from the drop-down list.

Client IP Address Specifies the client IP address. The system will capture the packets whose destination or source IP address is the client IP address.

Server IP Address Specifies the server IP address. The system will capture the packets whose destination or source IP address is the server IP address.

Server Port Specifies the server port to be captured.

3. Click Start Capture.

4. Click Stop to stop capturing. All the captured packets will be stored in Diagnostic Tool > Diagnostic Files.



Notes:
l When traffic data packets of the physical interface are captured, if the name of the packet capture file is not configured in Arguments, the capture results will be displayed in the Packet Capture Text text box.

l Pre-filter conditions can also be configured through the command debug dp filter; the supported parameters include ipv4, ipv6, dst-ip, dst-port, l2-type, proto, src-ip, src-port, and vid. After configuration, the configured source IP, source port, destination IP, destination port, and protocol are listed in the Data Plane Pre-Filter section.



Diagnostic Files
This page displays the diagnostic files stored in the system, which are generated after a diagnostic tool with the storage function is used.

l View the diagnostic file: On the list of diagnostic files, you can view the name, size, creation time, and MD5 Sum of a diagnostic file.

l Export the diagnostic file: On the list of diagnostic files, you can click the export icon in the File Export column.

l Delete the diagnostic file: To delete a diagnostic file, select the file you want to delete, and click Delete.
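As an added example (not code from the Hillstone guide or product), the following Python reads an exported .pcap diagnostic file, applies the same Client IP Address / Server IP Address / Server Port matching that the Diagnostic Capture internal-interface options describe, and computes the MD5 Sum listed on the Diagnostic Files page so a downloaded file can be checked against it. It assumes the classic little-endian libpcap format with Ethernet link type; the capture content is constructed inline.

```python
import hashlib
import struct
from ipaddress import ip_address

def _tcp_frame(src, dst, sport, dport):
    # Constructed Ethernet/IPv4/TCP frame; only the header fields the filter reads matter.
    eth = b"\x00" * 12 + b"\x08\x00"                      # 12 MAC bytes, EtherType IPv4
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip4 + tcp

def _pcap(frames):
    # Classic little-endian pcap container, link type 1 = Ethernet.
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed sample standing in for an exported diagnostic file: one client session
# to the server on port 443 plus one packet from a different client.
SAMPLE_PCAP = _pcap([_tcp_frame("10.0.0.5", "192.168.1.10", 51000, 443),
                     _tcp_frame("192.168.1.10", "10.0.0.5", 443, 51000),
                     _tcp_frame("10.0.0.7", "192.168.1.10", 52000, 443)])

def iter_ipv4_tcp(pcap):
    """Yield (src, dst, sport, dport) for every IPv4/TCP frame in a classic pcap."""
    off = 24                                              # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                      # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
        src, dst = str(ip_address(frame[26:30])), str(ip_address(frame[30:34]))
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        yield src, dst, sport, dport

def match_session(pcap, client_ip, server_ip, server_port):
    """Mirror the internal-interface filter: client and server IP in either direction,
    server port as destination (client->server) or source (server->client)."""
    hits = []
    for src, dst, sport, dport in iter_ipv4_tcp(pcap):
        to_server = (src, dst, dport) == (client_ip, server_ip, server_port)
        from_server = (src, dst, sport) == (server_ip, client_ip, server_port)
        if to_server or from_server:
            hits.append((src, sport, dst, dport))
    return hits

def md5_sum(data):
    """MD5 Sum as listed on the Diagnostic Files page, to verify a downloaded file."""
    return hashlib.md5(data).hexdigest()
```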



Web Console
Web Console allows you to configure and manage devices via command line on the WebUI.

Notes:
l To log in to the Web Console, the HTTP or HTTPS service must be enabled for the management port of the device (some devices have a default MGT port), the trusted host, and the administrator.

l Logging in to or out of the Web Console generates corresponding event logs.

To enter the Web Console, take the following steps:

1. Select System > Diagnostic Tool > Web Console.

2. Click New. The Web Console will open as a new tab on the browser.

3. On the Web Console, enter the username and password of the administrator. After suc-
cessful login, you can enter and run commands.



l Enter exit to log out of the Web Console. Click Connect below to re-enter the user-
name and password to log in again.
