
Isource Deployment Guide

The Hillstone iSource Deployment Guide provides comprehensive instructions for deploying the iSource system, which is an AI-driven network threat analysis platform. It covers various deployment scenarios, including stand-alone and cluster setups on VMware, Linux, and Windows environments, along with detailed procedures for configuring and activating the system. The guide also outlines system requirements, deployment methods, and contact information for support.

Uploaded by

Lerner Mapurunga

Hillstone Networks

Hillstone iSource Deployment Guide


Version V2.0R12

TechDocs | docs.hillstonenet.com
Copyright 2024 Hillstone Networks. All rights reserved.
Information in this document is subject to change without notice. The software described in this
document is furnished under a license agreement or nondisclosure agreement. The software may
be used or copied only in accordance with the terms of those agreements. No part of this
publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means
electronic or mechanical, including photocopying and recording for any purpose other than the
purchaser's personal use without the written permission of Hillstone Networks.
Hillstone Networks
Commercial use of the document is forbidden.

Contact Information:
US Headquarters:
Hillstone Networks
5201 Great America Pkwy, #420
Santa Clara, CA 95054
Phone: 1-800-889-9860
https://www.hillstonenet.com/about-us/contact/

About this Guide:


This guide gives you comprehensive configuration instructions for Hillstone Networks iSource.
For more information, refer to the documentation site: https://docs.hillstonenet.com
To provide feedback on the documentation, please write to us at: [email protected]
Hillstone Networks
TWNO: TW-DPL-iSourceV2.0R12-EN-V1.0-2024-11-27
Contents

Welcome
iSource Deployment
Typical Deployment
Stand-alone Deployment
Cluster Deployment
Deploying iSource
Scenarios
Product Information
Deploying iSource on VMware ESXi
System Requirements and Limits
Procedure
Step 1: Log in to VMware ESXi 6.7
Step 2: Create a VM
Step 3: Configure iSource Access Address and Deploy the System
Step 4: Deploy iSource
Step 5: Access iSource
Deploying iSource on the CentOS 7 Endpoint
System Requirements and Limits
Before You Start
Procedure
Step 1: Enable the VM Manager GUI
Step 2: Create and Configure a VM
Step 3: Configure iSource Access Address and Deploy the System
Step 4: Deploy iSource
Step 5: Access iSource
Deploying iSource on the Windows 10 Endpoint
System Requirements and Limits
Procedure
Step 1: Enable the Hyper-V Role
Step 2: Create and Configure a VM
Step 3: Connect to and Start the VM
Step 4: Configure the iSource Access Address
Step 5: Deploy iSource
Step 6: Access iSource
Deploying iSource on the Cluster
Activating iSource
Activating iSource by Using the CLI
Activating iSource by Using the WebUI
Deploying Threat Sensors
Deploying the ThreatTrace Client
Environment Requirements
Deployment Methods
Installing ThreatTrace Client on User Endpoint (Stand-alone Installation Mode)
Preparation
Installing the ThreatTrace Client
Step 1: Update the installer with the UpdateMsi tool
Step 2: Run the installer to complete the installation
Step 3: Confirm the process
Uninstalling the ThreatTrace Client
Updating the ThreatTrace Client
Installing ThreatTrace Client on User Endpoint (Domain Installation Mode)
Preparation
Assigning the ThreatTrace Client via Group Policy
Assigning to the Domain Users
Step 1: Create a group policy object
Step 2: User Configuration- Edit group policy and deploy software
Step 3: Apply Group Policy to User Organizational Units
Step 4: Force the group policy to update
Assigning to computers in the domain
Step 1: Create a group policy object
Step 2: Computer Configuration- Edit group policy and deploy software
Step 3: Apply Group Policy to Computer Organizational Units
Step 4: Force the group policy to update
Uninstalling the Assigned Client via Group Policy
Updating the Assigned Client via Group Policy

Welcome
Thanks for choosing products from Hillstone Networks!
Hillstone provides the following guides to help you understand our products:
Getting Started Guide

- iSource Getting Started Guide

WebUI User Guide

- iSource WebUI User Guide

Cookbook

- iSource Cookbook

Deployment Guide

- iSource Deployment Guide

Other References:

- Website: https://www.hillstonenet.com

- Doc URL: https://docs.hillstonenet.com

- Contact: 1-800-889-9860

iSource Deployment
Hillstone iSource is an AI analysis and operation system driven by holographic data. The overall
solution is composed of the analysis platform and rich sensors, which can provide network threat
analysis and situation presentation and traceability for customers in various industries, and solve the
problems of customer monitoring blind areas, potential security risks, and operations and
maintenance (O&M) inefficiency. iSource can collect holographic data by using multiple types of data
sensors and perform intelligent data mining and analysis based on large amounts of network traffic,
threat events, and endpoint logs. This way, global network security and threat situation can be
displayed in the system. iSource also supports multidimensional display, linked entity response, and
ticket response. This ensures secure business operation.
iSource supports the following four types of data sources:

- Network devices: Syslog and netflow data of network devices (such as firewalls, IDPS devices,
  and WAF devices) can be sent to iSource.

- Threat sensors: After threat sensors detect, monitor, and analyze received image traffic, they
  can send the generated threat information to iSource in the Syslog form, and send parsed,
  analyzed, and extracted meta data or netflow data to iSource.

- Linux-based devices: Logs generated from Linux-based devices can be sent to iSource by using
  the Syslog protocol.

- User hosts: Sysmon information such as process creations, network access, file operation, and
  registry changes can be sent to iSource by using the ThreatTrace client.

As a product in the software-only form, iSource is deployed and run on endpoint hosts and virtual
machines.

Typical Deployment
Typical deployments in iSource include iSource deployment, threat sensor deployment, and the
ThreatTrace client deployment. iSource deployment consists of stand-alone deployment and cluster
deployment.

Stand-alone Deployment
iSource (stand-alone) and threat sensors are deployed in the intranet environment, while the
ThreatTrace client is deployed on user servers or endpoints. After the deployment is completed,
iSource can receive information from threat sensors, Linux-based devices, network devices, user
servers, and endpoints (meta data, Syslog data, NetFlow data, Linux data, Sysmon information, and
threat information). This way, iSource can monitor and analyze the overall network.
The following figure shows you how to deploy iSource in the stand-alone scenario with a firewall as
the network device.

To deploy iSource in the stand-alone scenario, take the following steps:

1. "Deploying iSource" on Page 5

2. "Deploying Threat Sensors" on Page 41 (Optional)

3. "Deploying the ThreatTrace Client" on Page 43 (Optional)

Cluster Deployment
When your data volume increases, the single device that deploys iSource may fail to meet your
requirements. iSource supports cluster deployment, which means that you can deploy iSource on
multiple devices to reduce data volume in each device.
By default, if the number of devices that deploy iSource in the cluster is greater than or equal to 3,
the cluster supports the HA function. If a device in the cluster fails, the other devices will continue
to receive and process data to ensure uninterrupted data communication and enhance network
reliability.
The following figure shows how to deploy iSource in the cluster scenario with a Hillstone firewall
as the network device. iSource (cluster) and threat sensors are deployed in the intranet
environment, while the ThreatTrace client is deployed on user servers or endpoints. All devices that
deploy iSource in the cluster are deployed in the same layer 2 network. The first device that deploys
iSource in the cluster is HA master, which will assign available internal IP addresses to other
devices in the cluster based on its own internal IP segment (address). After the deployment is
completed, HA master can receive information from threat sensors, Linux-based devices, network
devices, user servers, and endpoints (meta data, Syslog data, NetFlow data, Linux data, Sysmon
information, and threat information), and then distribute the information to the other devices
based on their internal IP address.

To deploy iSource in the cluster scenario, take the following steps:

1. Deploying iSource (Cluster Deployment)

2. "Deploying Threat Sensors" on Page 41 (Optional)

3. "Deploying the ThreatTrace Client" on Page 43 (Optional)

Deploying iSource
This part describes how to deploy iSource in different environments, including VMware,
Linux-based endpoints, and Windows-based endpoints.

Scenarios

- To deploy iSource on the ESXi Server host, see Deploying iSource on VMware ESXi.

- To deploy iSource on the Linux-based endpoint, see Deploying iSource on the CentOS 7 Endpoint.

- To deploy iSource on the Windows-based endpoint, see Deploying iSource on the Windows 10
  Endpoint.

Product Information
iSource supports multiple models, and you can choose one based on your actual requirements. The
following table describes the minimum configuration requirement for each model.

Model              Minimum Configuration Requirement

SG-6000-ISC6305    64-bit CPU + 20 cores for installation and running + 128 GB of memory

SG-6000-ISC6310    64-bit CPU + 24 cores for installation and running + 128 GB of memory

SG-6000-ISC6320    64-bit CPU + 48 cores for installation and running + 256 GB of memory

Deploying iSource on VMware ESXi


If iSource is encapsulated in the VMDK format, it can be installed on any x86 device that is capable
of running VMware ESXi.

Before you deploy iSource on VMware ESXi, you need to familiarize yourself with VMware
vSphere Hypervisor architecture, ESXi host configuration, and VMware deployment.

System Requirements and Limits

The iSource system has the following requirements and limits:

- The version of VMware ESXi is 6.7.

- The VM requires at least 64-bit CPU, 24 cores for installation and running, and 128 GB of
  memory. For more information about iSource models, see Product Information.

Procedure

Before you deploy iSource, you need to configure the ESXi server host and obtain the OVF and
VMDK files.

Step 1: Log in to VMware ESXi 6.7

1. Save the OVF and VMDK files to your PC.

2. Access VMware ESXi 6.7, enter your username and password, and then click Login.

Step 2: Create a VM

1. After you log in to VMware ESXi 6.7, click Virtual Machines in the left-side navigation pane.
On the page that appears, click Create/Register VM.

2. In the New virtual machine dialog box, select 1 Select creation type > Deploy a virtual
machine from an OVF or OVA file, and click Next.

3. Enter a name for the VM, and click the upload section to select the OVF and VMDK files or
drag the file to the upload section. Then, click Next.

4. Select a storage type and datastore and click Next.

Note: The hard disk needs to be at least 1 TB in size.

5. Select deployment options. Set the Network mappings parameter based on your network
environment and set the Disk provisioning parameter to Thin. Then, click Next.

6. After you check that the configurations are correct, click Finish. You can ignore error
messages.

7. After the system files are uploaded to the disk, the VM is created.

Step 3: Configure iSource Access Address and Deploy the System

1. In the Virtual Machines list, click the name of the created VM.

2. Select Console>Open browser console or click the console thumbnail to open the console.

3. Run the show network internal segment command to check whether the internal IP segment
conflicts with the IP address in your network. If not, retain the internal IP segment. Otherwise,
run the network internal segment --ip subnet/mask command to change the internal IP segment
(the subnet mask needs to be smaller than 24 bits, example: 192.168.82.0/23) and set the first IP
address of the configured IP segment as the internal one of the device.
Note: Make sure that no IP address in the configured IP segment conflicts with the IP
address in your network and this step is performed before deploying the system. After you
deploy the system, do not change the internal IP address of the system.

4. Configure the IP address of software based iSource (Example: 10.180.0.4) for the host
interface (Example: ethernet0_0) by running the following command:
network ifconfig --interface ethernet0_0 --ipv4 10.180.0.4/24
(If the IP address of software based iSource is of IPv6 type, you can run the network ifconfig
--interface ethernet0_0 --ipv6 X:X:X:X::X/ipv6-prefix command.)

5. Configure the default gateway by running the following command:
SG-6000# network routeconfig --dst 0.0.0.0/0 --gateway 10.180.0.1
(If the IP address is of IPv6 type, you can run the SG-6000# network routev6config --dst ::/0
--gateway X:X:X:X::X command.)

6. (Optional) If you want to manage iSource by using multiple CIDR blocks, configure the IP
address for another interface. For more information, see Step 4.
Note: Software based iSource can only have one default gateway. Therefore, to ensure that
iSource can be connected by using multiple CIDR blocks, you need to configure routes based
on actual network topology and requirements. For more information, see Step 5.

7. Run the deploy standalone command and select the system language.
Note: If you need to change your system language, reset the device and take the deployment
steps again.

8. Select a time zone as prompted and specify the system time. This way, you can automatically
deploy the iSource system.

Step 4: Deploy iSource

1. Run the deploy standalone command and select the system language.
Note: If you need to change your system language, reset the device and take the deployment
steps again.

2. Select a time zone as prompted and specify the system time.


Note: To modify the time, you can configure the time synchronization server.

3. This way, you can automatically deploy the iSource system.

Step 5: Access iSource

1. Type the IP address of iSource (Example: https://10.180.0.4) in the address bar of a browser
and press Enter.

2. Enter your username, password, and the verification code in the image, and then click Login.
(Default username/password: hillstone/hillstone)

Notes:
- iSource can be used properly only in the active state. For more information
  about how to activate iSource, see Activating iSource.

- To prevent issues, we recommend that you use the latest version of Google
  Chrome to access the WebUI of iSource. If the "The current browser version
  is too outdated" message appears, upgrade the version of Google Chrome or
  use another browser.

- We recommend that you change the default password immediately after you
  log in to iSource for the first time.

Deploying iSource on the CentOS 7 Endpoint


If iSource is encapsulated in the QCOW2 format, it can be installed on any Linux-based endpoint.
Before you deploy iSource on the CentOS 7 endpoint, you need to familiarize yourself with libvirt
environment and qemu-kvm environment setup.

System Requirements and Limits

The iSource system has the following requirements and limits:

- The Linux version is CentOS 7 and the system can access the Internet.

- At least 64-bit CPU, 24 cores for installation and running, and 128 GB of memory are required.
  For more information about iSource models, see Product Information.

Before You Start

Before you install the iSource system, set up libvirt and qemu-kvm environments, configure the
network, install remote endpoint control software (in this example, MobaXterm is used), and obtain
the system file in the QCOW2 format.

Procedure

Step 1: Enable the VM Manager GUI

1. Open the homepage of MobaXterm. In the navigation bar, select X server>Start X server to
enable X server.

2. Run the virt-manager command.

3. Wait until the VM Manager GUI appears.

Step 2: Create and Configure a VM

1. Select File>New Virtual Machine.

2. In the dialog box that appears, select Import existing disk image and click Forward.

3. Click Browse and then Browse Local. In the dialog box that appears, select the obtained
system file in the QCOW2 format and click Forward.

4. Configure the VM memory and CPU based on your product model (for more information,
see Product Information). Then, click Forward.

5. Specify the name of the VM and select a network for the VM based on the actual network
environment. Then, click Finish.

6. After you finish the above configurations, the VM will start properly.

Step 3: Configure iSource Access Address and Deploy the System

1. Run the show network internal segment command to check whether the internal IP segment
conflicts with the IP address in your network. If not, retain the internal IP segment. Otherwise,
run the network internal segment --ip subnet/mask command to change the internal IP segment
(the subnet mask needs to be smaller than 24 bits, example: 192.168.82.0/23) and set the first IP
address of the configured IP segment as the internal one of the device.
Note: Make sure that no IP address in the configured IP segment conflicts with the IP
address in your network and this step is performed before deploying the system. After you
deploy the system, do not change the internal IP address of the system.

2. Configure the IP address of software based iSource (Example: 10.180.0.4) for the host
interface (Example: ethernet0_0) by running the following command:
network ifconfig --interface ethernet0_0 --ipv4 10.180.0.4/24
(If the IP address of software based iSource is of IPv6 type, you can run the network ifconfig
--interface ethernet0_0 --ipv6 X:X:X:X::X/ipv6-prefix command.)

3. Configure the default gateway by running the following command:
network routeconfig --dst 0.0.0.0/0 --gateway 10.180.0.1
(If the IP address is of IPv6 type, you can run the network routev6config --dst ::/0
--gateway X:X:X:X::X command.)

4. (Optional) If you want to manage iSource by using multiple CIDR blocks, configure the IP
address for another interface. For more information, see Step 2.
Note: Software based iSource can only have one default gateway. Therefore, to ensure that
iSource can be connected by using multiple CIDR blocks, you need to configure routes based
on actual network topology and requirements. For more information, see Step 3.

5. Run the show network ifconfig and show network routeconfig commands to check the
current interface and route configurations.

Step 4: Deploy iSource

1. Run the deploy standalone command and select the system language.
Note: If you need to change your system language, reset the device and take the deployment
steps again.

2. Select a time zone as prompted and specify the system time.


Note: To modify the time, you can configure the time synchronization server.

3. This way, you can automatically deploy the iSource system.

Step 5: Access iSource

1. Type the IP address of iSource (Example: https://10.180.0.4) in the address bar of a browser
and press Enter.

2. Enter your username, password, and the verification code in the image, and then click Login.
(Default username/password: hillstone/hillstone)

Notes:
- iSource can be used properly only in the active state. For more information
  about how to activate iSource, see Activating iSource.

- To prevent issues, we recommend that you use the latest version of Google
  Chrome to access the WebUI of iSource. If the "The current browser version
  is too outdated" message appears, upgrade the version of Google Chrome or
  use another browser.

- We recommend that you change the default password immediately after you
  log in to iSource for the first time.

Deploying iSource on the Windows 10 Endpoint


If iSource is encapsulated in the VHD format, it can be installed on any Windows 10-based
endpoint.

System Requirements and Limits

The iSource system has the following requirements and limits:

- The Windows version is Windows 10.

- At least 64-bit CPU, 20 cores for installation and running, and 128 GB of memory are required.
  For more information about iSource models, see Product Information.

Procedure

Before you install the iSource system, obtain the system file in the VHD format.

Step 1: Enable the Hyper-V Role

1. On the endpoint, select Control Panel>Programs>Programs and Features, and then select
Turn Windows Features on or off.

2. In the Windows Features dialog box, select Hyper-V and click OK. Then, complete the
update.

Step 2: Create and Configure a VM

1. After you restart the endpoint system, search for Hyper-V Manager in the task bar and open
the Hyper-V Manager page.

2. In the Actions section on the right, select New>Virtual Machine. In the New Virtual
Machine Wizard dialog box, click Next.

3. Specify the name and location. Specify the VM name in the Name field and use the default
storage location, or select Store the virtual machine in a different location and click Browse
to specify the storage location. Then, click Next.

Note: Make sure that the location that you select has enough free space (20 GB or above).

4. Specify the generation. By default, Generation 1 is selected. Then, click Next.

5. Assign the memory to the VM. In the Startup memory field, specify the memory size based
on your product model (for more information, see Product Information). Then, click Next.

6. Configure the network. Select a network for the VM based on the actual network
environment. Then, click Next.

7. Connect to the virtual hard disk. Select Use an existing virtual hard disk, click Browse, and
then select the system file in the VHD format based on the iSource model. Then, click Next.

8. View the summary. View the completed configurations and click Finish.

Step 3: Connect to and Start the VM

1. Before you connect to the VM, make sure that the number of vCPUs meets the configuration
requirements.
On the Hyper-V Manager page, select the created VM in the Virtual Machines list. In the
Actions section on the right, click Settings. In the dialog box that appears, click Processor in
the left-side navigation pane, and then check whether the number of virtual processors meets
the configuration requirements. If not, change the number in the Number of virtual
processors field. For more information about the configuration requirements, see Product
Information.

2. On the Hyper-V Manager page, select the created VM in the Virtual Machines list. In the
Actions section on the right, click Connect.

3. In the dialog box that appears, click Start.

4. After the VM is started, enter your username and password to log in to the VM. (Default
username/password: hillstone/hillstone)

Step 4: Configure the iSource Access Address

1. Run the show network internal segment command to check whether the internal IP segment
conflicts with the IP address in your network. If not, retain the internal IP segment. Otherwise,
run the network internal segment --ip subnet/mask command to change the internal IP segment
(the subnet mask needs to be smaller than 24 bits, example: 192.168.82.0/23) and set the first IP
address of the configured IP segment as the internal one of the device.
Note: Make sure that no IP address in the configured IP segment conflicts with the IP
address in your network and this step is performed before deploying the system. After you
deploy the system, do not change the internal IP address of the system.

2. Configure the IP address of software based iSource (Example: 10.180.0.4) for the host
interface (Example: eth0) by running the following command:
network ifconfig --interface eth0 --ipv4 10.180.0.4/24
(If the IP address of software based iSource is of IPv6 type, you can run the network ifconfig
--interface eth0 --ipv6 X:X:X:X::X/ipv6-prefix command.)

3. Configure the default gateway by running the following command:
network routeconfig --dst 0.0.0.0/0 --gateway 10.180.0.1
(If the IP address is of IPv6 type, you can run the network routev6config --dst ::/0
--gateway X:X:X:X::X command.)

4. (Optional) If you want to manage iSource by using multiple CIDR blocks, configure the IP
address for another interface. For more information, see Step 2.
Note: Software based iSource can only have one default gateway. Therefore, to ensure that
iSource can be connected by using multiple CIDR blocks, you need to configure routes based
on actual network topology and requirements. For more information, see Step 3.
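
The internal-segment check in step 1 (the same check appears in the VMware ESXi and CentOS 7 procedures) can be rehearsed offline before the value is typed into the CLI. The Python script below is an added example, not Hillstone code: it validates a candidate segment against a constructed inventory of in-use ranges and builds the network internal segment --ip command shown in the guide. The inventory, the function names, and the reading of "first IP address" as the first usable host address are assumptions.

```python
import ipaddress

MAX_PREFIX = 23  # the guide requires a subnet mask shorter than 24 bits


def _parse_in_use(in_use):
    """Turn inventory entries (CIDRs or single addresses) into network objects."""
    return [(entry, ipaddress.ip_network(entry, strict=False)) for entry in in_use]


def check_segment(candidate, in_use):
    """Check a candidate internal segment against the rules in this step.

    Returns a dict with the keys ok, reason, conflicts, internal_ip, command.
    """
    result = {"ok": False, "reason": "", "conflicts": [],
              "internal_ip": None, "command": None}
    try:
        # strict=True rejects values with host bits set, e.g. 192.168.83.0/23
        seg = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        result["reason"] = f"invalid segment: {exc}"
        return result
    if seg.version != 4:
        result["reason"] = "only the IPv4 form shown in the guide is handled here"
        return result
    if seg.prefixlen > MAX_PREFIX:
        result["reason"] = f"/{seg.prefixlen} is not shorter than 24 bits"
        return result
    # Any overlap with a range or host already in use is a conflict.
    result["conflicts"] = [entry for entry, net in _parse_in_use(in_use)
                           if net.version == seg.version and seg.overlaps(net)]
    if result["conflicts"]:
        result["reason"] = "segment overlaps addresses already in use"
        return result
    result["ok"] = True
    result["reason"] = "no overlap found"
    # Assumption: "first IP address of the segment" means the first usable host.
    result["internal_ip"] = str(next(seg.hosts()))
    result["command"] = f"network internal segment --ip {seg}"
    return result


def suggest_segment(pool, in_use, prefixlen=MAX_PREFIX):
    """Return the first subnet of `pool` that passes check_segment, or None."""
    for subnet in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if check_segment(str(subnet), in_use)["ok"]:
            return str(subnet)
    return None


# Constructed inventory for illustration; replace it with your own IPAM export.
IN_USE = ["10.180.0.0/24", "192.168.80.0/23", "192.168.83.40"]

if __name__ == "__main__":
    for cand in ("192.168.82.0/23", "192.168.84.0/24",
                 "192.168.83.0/23", "192.168.84.0/23"):
        verdict = check_segment(cand, IN_USE)
        print(f"{cand:18} ok={verdict['ok']} {verdict['reason']} {verdict['conflicts']}")
    print("suggested segment:", suggest_segment("192.168.80.0/21", IN_USE))
```

Run it with the planned segment before deployment, because the guide states that the internal IP address must not be changed after the system is deployed.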

Step 5: Deploy iSource

1. Run the deploy standalone command and select the system language.
Note: If you need to change your system language, reset the device and take the deployment
steps again.

2. Select a time zone as prompted and specify the system time.


Note: To modify the time, you can configure the time synchronization server.

3. This way, you can automatically deploy the iSource system.

Step 6: Access iSource

1. Type the IP address of iSource (Example: https://10.180.0.4) in the address bar of a browser
and press Enter.

2. Enter your username, password, and the verification code in the image, and then click Login.
(Default username/password: hillstone/hillstone)

Notes:
- iSource can be used properly only in the active state. For more information
  about how to activate iSource, see Activating iSource.

- To prevent issues, we recommend that you use the latest version of Google
  Chrome to access the WebUI of iSource. If the "The current browser version
  is too outdated" message appears, upgrade the version of Google Chrome or
  use another browser.

- We recommend that you change the default password immediately after you
  log in to iSource for the first time.

Deploying iSource on the Cluster


iSource supports cluster deployment. After you deploy iSource on multiple endpoints and VMs and
complete the activation, these devices can be deployed as an iSource cluster.

Notes:
- All devices in the cluster need to be deployed in the same layer 2 network.

- Make sure that all devices have registered SN and their SNs are different.

The following figure displays the scenario where 4 iSource devices are deployed as software to form
an iSource cluster. In this case, the addresses of HA master, master, and slave are marked in the
figure.

To deploy software based iSource on the cluster, take the following steps:

1. Create/Configure four VMs of iSource respectively and configure the access address of
iSource. For more information, see Deploying iSource on VMware ESXi, Deploying iSource
on the CentOS 7 Endpoint, or Deploying iSource on the Windows 10 Endpoint.

2. Configure HA Master of iSource.

1. Select a device as the HA Master (such as 10.180.0.4) and run the network internal
segment --ip subnet/mask command to configure the network segment (the subnet
mask needs to be less than 24 bits in length, such as 192.168.82.0/23). The system
will automatically allocate a network segment address for internal use.

2. Deploy the iSource system. After you run the deploy standalone command, select
the system language, time zone, and specify the system time.

3. Activate iSource by using WebUI or CLI. For more information, see Activating
iSource.

4. Specify the cluster interface. To do this, run the following command:
cluster interface --interface ethernet0_0

5. Run the following command to configure the virtual IP address (VIP: 10.180.0.10,
which is used to provide services) of the iSource cluster:
cluster ha ipconfig --ip 10.180.0.10

3. Activate the system of master and slave.
Use the CLI to activate the systems of the other three iSource devices: Master (10.180.0.5),
Master (10.180.0.6), and Slave (10.180.0.7). For more information, see Activating iSource by
Using the CLI.

4. Add master and slave to the cluster:

1. Access the HA Master address by using SSH: 10.180.0.4.

2. Run the following command to specify the address of each master and slave
respectively and add them to the cluster:
Add the master:
cluster add node --ip 10.180.0.5
Add the master:
cluster add node --ip 10.180.0.6
Add the slave:
cluster add node --ip 10.180.0.7

5. Run the cluster deploy command on the HA Master to start deploying the cluster.

6. After the success prompt appears, the iSource cluster is deployed.

7. After the cluster is deployed, you can view the following information:

- Run the show cluster ha ipconfig command to view VIP information about the
  iSource cluster.

- Run the show cluster command to view the summary information about the iSource
  cluster, including the cluster status and details about each iSource platform.

8. Access iSource.

1. Open your browser, type the VIP of iSource (https://10.180.0.10) in the address bar,
and press Enter.

2. Enter the default username, password, and the verification code in the image, and
then click Login.

Notes:
- To prevent issues, we recommend that you use the latest version of Google
  Chrome to access the WebUI of iSource. If the "The current browser version
  is too outdated" message appears, upgrade the version of Google Chrome or
  use another browser.

- We recommend that you change the default password immediately after you
  log in to iSource for the first time.
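
The cluster procedure above depends on several conditions stated in its notes (same layer 2 network, distinct registered SNs, three or more devices for HA). The Python script below is an added example, not Hillstone code: it checks a cluster plan against those conditions and, only if they hold, returns the cluster commands from this section in the order they are run on the HA Master. The management subnet 10.180.0.0/24, the placeholder SNs, the function name, and the rule that the VIP must be unused and inside the same subnet are assumptions.

```python
import ipaddress


def build_cluster_plan(ha_master, members, vip, mgmt_net, interface, serials):
    """Check a cluster plan against the guide's notes.

    Returns (errors, warnings, commands). commands is the cluster-specific CLI
    sequence for the HA Master and stays empty when any check fails. Every
    device must already be configured and activated as the procedure describes.
    """
    errors, warnings = [], []
    net = ipaddress.ip_network(mgmt_net)
    devices = list(dict.fromkeys([ha_master, *members]))  # ordered, de-duplicated
    if len(devices) != 1 + len(members):
        errors.append("a device address appears more than once in the plan")

    # Note in the guide: all devices have a registered SN and the SNs differ.
    owner = {}
    for dev in devices:
        sn = serials.get(dev)
        if not sn:
            errors.append(f"{dev}: no registered SN")
        elif sn in owner:
            errors.append(f"{dev}: SN {sn} is already bound to {owner[sn]}")
        else:
            owner[sn] = dev

    # Note in the guide: all devices sit in the same layer 2 network. Addresses
    # cannot prove that; sharing one subnet is only a necessary sanity check.
    for dev in devices:
        if ipaddress.ip_address(dev) not in net:
            errors.append(f"{dev}: outside {net}")

    # Assumption: the VIP must be unused and in the same subnet as the devices.
    vip_addr = ipaddress.ip_address(vip)
    if vip_addr in {ipaddress.ip_address(d) for d in devices}:
        errors.append(f"VIP {vip} collides with a device address")
    if vip_addr not in net:
        errors.append(f"VIP {vip}: outside {net}")

    # The guide ties HA support to clusters of three or more devices.
    if len(devices) < 3:
        warnings.append("fewer than 3 devices: HA is not supported by default")

    commands = []
    if not errors:
        commands = [f"cluster interface --interface {interface}",
                    f"cluster ha ipconfig --ip {vip}"]
        commands += [f"cluster add node --ip {m}" for m in members]
        commands.append("cluster deploy")
    return errors, warnings, commands


# Constructed plan using the guide's example addresses; the SNs are placeholders.
SERIALS = {
    "10.180.0.4": "SN-PLACEHOLDER-1",
    "10.180.0.5": "SN-PLACEHOLDER-2",
    "10.180.0.6": "SN-PLACEHOLDER-3",
    "10.180.0.7": "SN-PLACEHOLDER-4",
}
MEMBERS = ["10.180.0.5", "10.180.0.6", "10.180.0.7"]

if __name__ == "__main__":
    errs, warns, cmds = build_cluster_plan(
        "10.180.0.4", MEMBERS, "10.180.0.10", "10.180.0.0/24", "ethernet0_0", SERIALS)
    for line in errs + warns:
        print("CHECK:", line)
    for cmd in cmds:
        print(cmd)
```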

Activating iSource
iSource can be used properly only in the active state. You can use one of the following methods to
activate iSource based on your actual requirements:

- If the system is not deployed, activate iSource by using the CLI.

- If the system is deployed, activate iSource by using the WebUI.

Activating iSource by Using the CLI

1. Access the device in SSH mode.

2. In the dialog box that appears, enter the password "hillstone" and press Enter to go to the
CLI.

3. Run the bind sn SN-string command to bind the device to SN.

4. Select an activation method: online activation or offline activation.

• Online activation: If your network is connected to the Internet, we recommend that
you use this method.

1. Run the network dnsconfig dns-server-address command to configure
the DNS server for the device.

2. Run the active online command to activate iSource online.

• Offline activation: If you cannot use online activation, you can use this method.

1. Run the active code command to obtain and copy the activation code.

2. Access http://activation.hillstonenet.com/isource_activesn_offline.html to
confirm the activation and obtain the activation result.

3. Run the active offline Activation Result command to activate iSource.

Activating iSource by Using the WebUI

1. After the system is deployed, type the IP address of iSource in the address bar of a browser
and press Enter.

2. Enter your username, password, and the verification code in the image, and then click Login.
(Default username/password: hillstone/hillstone)

3. After you log in to iSource, the activation page appears.

4. Select your activation scheme based on the actual requirements. (In this example, Trial
Version Activation is selected.)

5. Register the SN. In the SN Registration Code field, enter the SN registration code that you
applied for from the relevant Hillstone personnel. Then, click Next.

6. Select an activation method: online activation or offline activation. If your network
is connected to the Internet, we recommend that you select Online Activation.

• Online Activation: If you select this method, click Activate.

• Offline Activation: If you cannot use online activation, you can use this method.

1. Copy the request string in the field, click the link, and then enter the request
string in the iSource activation request box field.

2. After you obtain the activation code, enter it in the field below Step 2.

3. Click Activate.

7. After the Activated successfully prompt appears, click Enter the iSOS to go to the system.

Notes:
• If you select the Trial Version Activation scheme to activate the system, you
can access only the activation page upon your next login after iSource expires.
While iSource remains valid, you can select Settings > System Information to
update the activation information. You can change the scheme to Official Version
Activation or renew your trial version.

    • If you select Official Version Activation, you need to use the officially
    active SN registration code to activate the device, as described in the
    above method.

    • If you select Trial Version Activation, you need to use the valid trial
    renewal code to extend the trial period of the device.

• To prevent issues, we recommend that you use the latest version of Google
Chrome to access the WebUI of iSource. If the "The current browser version
is too outdated" message appears, upgrade the version of Google Chrome or
use another browser.

Deploying Threat Sensors
The sBDS device or threat sensor device can be used as a threat sensor to connect to iSource. After
the threat sensor detects, monitors, and analyzes the mirrored traffic that it receives, it can send
the generated threat information to iSource.
You can choose whether to deploy threat sensors.
To configure iSource parameters in the sBDS, take the following steps:

1. Log in to the WebUI of sBDS by typing the IP address of the MGT interface in the address
bar of a browser and pressing Enter. The default IP address is 192.168.1.1/24.

2. Select Configuration Management > System Configuration > Extended Services.

3. In the iSource section, click the edit icon. In the iSource panel, click the Enable button to
enable this function.

4. In the Server IP/Domain field, enter the IP address of iSource or VIP address of the iSource
cluster.

5. In the Server Port field, enter the connection port 7777.

6. Click OK.

7. After sBDS is connected to iSource, Connected is displayed in the Status field in the iSource
section.

8. Configure the switch to mirror traffic to the eth0/2 interface of the threat sensor. After the
threat sensor detects, monitors, and analyzes the traffic, it will send the generated threat
information to iSource.

Notes: If you use the sBDS device as a threat sensor, complete the following
preparations:

1. Enable the Threat Log function.

2. Configure threat logs to be output to the log server.

3. Set the hostname of the log server to the IP address/domain of the iSource
platform.

4. In the Log Server Configuration tab, select Threat in the Log Type field for
the log server.

For more information about how to configure the sBDS device, refer to sBDS-
WebUI-User-Guide.

Deploying the ThreatTrace Client
After the ThreatTrace client is installed and deployed on your endpoint in the intranet, you can
collect the corresponding information such as process creations, network access, file operations, and
registry changes. iSource will display the collected endpoint information. This allows you to trace
threat events.
You can choose whether to deploy the ThreatTrace client.

Environment Requirements
The environment requirements include the following two aspects:

• To install the ThreatTrace client, the user endpoint should meet the following requirements:

    • Use Windows 7/Windows Server 2008 R2 or later.

    • Have at least 1 GB of memory.

    • Have more than 20 GB of hard disk space.

    • Have an Ethernet-compatible network card and support the TCP/IP protocol.

• Network environment requirements: Ensure that the network between the user endpoint and
the iSource device is reachable.

Deployment Methods
You can use one of the following methods to install and deploy the ThreatTrace client:

• "Installing ThreatTrace Client on User Endpoint (Stand-alone Installation Mode)"

• "Installing ThreatTrace Client on User Endpoint (Domain Installation Mode)"

Installing ThreatTrace Client on User Endpoint (Stand-alone Installation Mode)
In stand-alone installation mode, you run the installer in the msi format directly on the user
endpoint. This section covers the following:

• Preparation

• Installing the ThreatTrace Client

• Uninstalling the ThreatTrace Client

• Updating the ThreatTrace Client

Preparation

Before installing the ThreatTrace Client, make the following preparations:

1. Obtain the fixed IP address or domain name of the server.

2. Download the msi format installer package (32-bit or 64-bit) and the UpdateMsi tool package
from Hillstone sales.

Notes: Select the client installer that matches the user's actual environment. For example,
select the 64-bit client installer for a 64-bit system.

Installing the ThreatTrace Client

To install the ThreatTrace Client on the user endpoint through the stand-alone installation mode,
take the following steps:

Step 1: Update the installer with the UpdateMsi tool

1. Unzip the obtained installer in the msi format.
The installer includes: ThreatTrace Client_x86.msi (32-bit) and ThreatTrace Client_x64.msi
(64-bit).

2. Unzip the obtained UpdateMsi tool.

3. Open the UpdateMsi tool and click Load msi. After the loading is successful, enter the
obtained fixed IP address or domain name of the Threat Trace server and then click Update.

4. After the Update Success prompt appears, the update is complete.

Step 2: Run the installer to complete the installation

1. Double-click to run the installer in the msi format.

2. Follow the prompts: click the Next button, confirm the installation location,
click the Install button, and then wait for the installation to finish.

3. Click the Finish button to complete the installation.

Step 3: Confirm the process

After the installation is complete, confirm in Task Manager that the "System activity monitor" and
"winlogbeat" processes are present.
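
The same check can be scripted for use on many endpoints. This PowerShell snippet is an added example, not part of the Hillstone guide. It assumes that "System activity monitor" is the process description shown by Task Manager and that the server address is the one entered in UpdateMsi (the guide's example VIP 10.180.0.10 is used here as a placeholder).

```powershell
# Added example, not Hillstone code. Run in an elevated PowerShell 3.0+ session:
# without elevation, the Description of processes owned by SYSTEM can be empty.
param([string]$Server = '10.180.0.10')   # placeholder: address entered in UpdateMsi

$procs = Get-Process
$found = @{
    # Assumption: Task Manager shows this text as the process description.
    'System activity monitor' = @($procs | Where-Object { $_.Description -like 'System activity monitor*' })
    'winlogbeat'              = @($procs | Where-Object { $_.ProcessName -eq 'winlogbeat' })
}

# Resolve the server so that a domain name can be compared with socket addresses.
$serverIps = [System.Net.Dns]::GetHostAddresses($Server) | ForEach-Object { $_.IPAddressToString }
# Get-NetTCPConnection is not available on Windows 7 / Server 2008 R2.
$canListTcp = [bool](Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue)

$report = foreach ($name in $found.Keys) {
    $p = $found[$name]
    $conns = @()
    if ($p -and $canListTcp) {
        # Informational only: established TCP sessions from this process to the server.
        $conns = @(Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
            Where-Object { $p.Id -contains $_.OwningProcess -and $serverIps -contains $_.RemoteAddress })
    }
    [pscustomobject]@{
        Process             = $name
        Running             = [bool]$p.Count
        Pids                = ($p.Id -join ',')
        ConnectionsToServer = $conns.Count
    }
}

$report | Format-Table -AutoSize
if ($report.Running -contains $false) {
    Write-Warning 'At least one ThreatTrace client process was not found.'
    exit 1
}
```

A zero in ConnectionsToServer is not a failure by itself, because the guide does not state which process holds the connection to iSource or when it is opened.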

Uninstalling the ThreatTrace Client

If you want to uninstall the installed ThreatTrace Client on the user endpoint, you can use the
following two methods:

• Method 1: Run the installer again, and click the Remove button as prompted.

• Method 2: Go to the Windows Control Panel, select Programs and Features, select the
installed ThreatTrace Client in the list, and then click Uninstall.

Updating the ThreatTrace Client

Currently, the ThreatTrace Client does not support direct upgrade. If you need to upgrade the
client, please uninstall the installed client first, and then reinstall the new version of sBDS
ThreatTrace Client.

Installing ThreatTrace Client on User Endpoint (Domain Installation Mode)
In domain installation mode, the domain server sends the ThreatTrace Client to the domain user
for installation on the user endpoint. This section covers the following:

• Preparation

• Assigning the ThreatTrace Client via Group Policy

• Uninstalling the Assigned Client via Group Policy

• Updating the Assigned Client via Group Policy

Preparation

Before installing the ThreatTrace Client, make the following preparations:

1. Download the msi format installer package (32-bit or 64-bit) and the UpdateMsi tool package
from Hillstone sales.

2. Create a shared folder on the domain server, store the installer in the shared folder, and
ensure that the user has "Read" permission and the computer in the domain can access the
shared folder.

3. Update the installer with the UpdateMsi tool (For details, see Update the installer with the
UpdateMsi tool).
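
Group Policy installs whatever package sits at the assigned network path, so write access to the shared folder should stay with administrators while users and computers keep the "Read" permission described above. The following PowerShell script is an added example, not part of the Hillstone guide: it flags principals outside a trusted list that hold write-type NTFS rights on the folder or its installers, and it records SHA-256 hashes of the updated installers so that later changes are noticed. The share path, the baseline file path, and the trusted-writer list are assumptions.

```powershell
# Added example, not Hillstone code. Run after UpdateMsi has been applied and the
# installers are in the shared folder. All default values below are placeholders.
param(
    [string]$SharePath   = '\\fileserver.example.local\ThreatTrace',   # hypothetical share
    [string]$BaselineCsv = 'C:\Secure\threattrace-msi-baseline.csv',   # hypothetical file
    [string[]]$TrustedWriters = @(
        'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
        'CREATOR OWNER',              # only applies to principals that can already create files
        'EXAMPLE\Domain Admins'       # hypothetical domain name
    )
)

# Rights that allow replacing or altering an installer. Only write-type bits are
# used, so a Read or ReadAndExecute entry never matches.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = $writeMask -bor 0x50000000    # GENERIC_WRITE and GENERIC_ALL in raw entries

function Get-WritableAce {
    param([string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        $canWrite = ([int]$ace.FileSystemRights -band $writeMask) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
            $TrustedWriters -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Path     = $Path
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

$installers = @(Get-ChildItem -LiteralPath $SharePath -Filter '*.msi' -File)
$findings = @(Get-WritableAce -Path $SharePath) +
            @($installers | ForEach-Object { Get-WritableAce -Path $_.FullName })

# Hash every installer as it is now (after the UpdateMsi step).
$current = @($installers | ForEach-Object {
    $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256
    [pscustomobject]@{ Name = $_.Name; SHA256 = $hash.Hash }
})

if (Test-Path -LiteralPath $BaselineCsv) {
    # Later runs: report installers that are new or whose content changed.
    $baseline = @{}
    Import-Csv -LiteralPath $BaselineCsv | ForEach-Object { $baseline[$_.Name] = $_.SHA256 }
    $changed = @($current | Where-Object { $baseline[$_.Name] -ne $_.SHA256 })
} else {
    # First run: store the baseline somewhere that only administrators can write.
    $current | Export-Csv -LiteralPath $BaselineCsv -NoTypeInformation
    $changed = @()
}

$findings | Format-Table -AutoSize
$changed  | Format-Table -AutoSize
if ($findings.Count -gt 0 -or $changed.Count -gt 0) {
    Write-Warning 'Review the share permissions or installer changes before assigning the package.'
    exit 1
}
```

The script inspects NTFS permissions only; share-level permissions are reviewed separately on the file server, for example with Get-SmbShareAccess.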

Assigning the ThreatTrace Client via Group Policy

There are two methods to assign the ThreatTrace client via group policy:

• Assign to domain users: When the ThreatTrace client is assigned to domain users via group
policy, the client will be installed automatically after the domain user logs on to the computer.

• Assign to computers in the domain: When the ThreatTrace client is assigned to the computer in
the domain via group policy, the client will be installed automatically after the computer
reboots.

Assigning to the Domain Users

To assign the client to the domain users, take the following steps:

Step 1: Create a group policy object

1. In the domain server, select Start > Control Panel > System and Security > Administrative
Tools, double-click the Group Policy Management to open the Group Policy Management
dialog box.

2. Expand the node in the left navigation bar, right-click Group Policy Object, select New to
open the New GPO dialog box.

3. In the New GPO dialog box, enter the group policy name in the Name field.

4. Click OK.

Step 2: User Configuration - Edit group policy and deploy software

1. Right-click the created Group Policy object and select Edit to open the Group Policy
Management Editor dialog box.

2. In the left navigation bar, select User Configuration > Policies > Software Settings >
Software Installation, right-click Software Installation, and select New > Packets.

3. Select the ThreatTrace Client installer that is already stored in the shared folder.

4. In the Deployment Software dialog box, select Assigned, and then click OK to complete
the package creation and deployment.

5. Once the packet is created, it is displayed in the Group Policy Management Editor
dialog box.

6. Right-click the deployed installer name and select Properties.

7. In the Properties dialog box, select the Deployment tab. In the Deployment options section,
select the Install this application at logon check box.

8. Select the Security tab and make sure the user group has Read permission.

9. Click OK to save the configuration and return to the Group Policy Management dialog box.

Notes:
• When selecting the client installer, use the network path of the shared folder.
Otherwise, the file will not be read.

• Select the client installer that matches your actual environment. For example,
select the 64-bit client installer for a 64-bit system.

Step 3: Apply Group Policy to User Organizational Units

1. In the Group Policy Management dialog box, double-click the created group policy name.

2. In the Security Filtering section, click Add to add a user group to install the ThreatTrace
Client.

3. In the left navigation bar, select the user organization unit that needs to deploy the group
policy, right-click the user organization name, select Link an Existing GPO to open the
Select GPO dialog box.

4. In the Group Policy objects section, select the created group policy object name.

5. Click OK to save the configuration and return to the Group Policy Management dialog box.

6. To ensure that the group policy can be enforced in the user organizational unit and its sub-
organizational units, the group policy can be specified as mandatory. In the Linked Group
Policy Objects tab, right-click the group policy name and select Enforced.

Notes: Before linking a group policy, you need to ensure that the user organizational
unit has been created in the domain.

Step 4: Force the group policy to update

In order for group policy to take effect, you need to force a group policy update after completing
the above steps.

1. On the domain server, select Start > Control Panel > System and Security > Administrative
Tools, double-click the Windows PowerShell.

2. Enter gpupdate /force in the command window.

3. After the prompt "user policy update has completed successfully", close the dialog box.

Assigning to computers in the domain

To assign the client to computers in the domain, take the following steps:

Step 1: Create a group policy object

1. In the domain server, select Start > Control Panel > System and Security > Administrative
Tools, double-click the Group Policy Management to open the Group Policy Management
dialog box.

2. Expand the node in the left navigation bar, right-click Group Policy Object, select New to
open the New GPO dialog box.

3. In the New GPO dialog box, enter the group policy name in the Name field.

4. Click OK.

Step 2: Computer Configuration - Edit group policy and deploy software

1. Right-click the created Group Policy object and select Edit to open the Group Policy
Management Editor dialog box.

2. In the left navigation bar, select Computer Configuration > Policies > Software Settings >
Software Installation, right-click Software Installation, and select New > Packets.

3. Select the ThreatTrace Client installer that is already stored in the shared folder.

4. In the Deployment Software dialog box, select Assigned, and then click OK to complete
the package creation and deployment.

5. Once the packet is created, it is displayed in the Group Policy Management Editor
dialog box.

Notes:
• When selecting the client installer, use the network path of the shared folder.
Otherwise, the file will not be read.

• Select the client installer that matches your actual environment. For example,
select the 64-bit client installer for a 64-bit system.

Step 3: Apply Group Policy to Computer Organizational Units

1. In the Group Policy Management dialog box, double-click the created group policy name.

2. In the Security Filtering section, click Add to add a computer group to install the
ThreatTrace Client.

3. In the left navigation bar, select the computer organization unit that needs to deploy the
group policy, right-click the user organization name, select Link an Existing GPO to open
the Select GPO dialog box.

4. In the Group Policy objects section, select the created group policy object name.

5. Click OK to save the configuration and return to the Group Policy Management dialog box.

6. To ensure that the group policy can be enforced in the computer organizational unit and its
sub-organizational units, the group policy can be specified as mandatory. In the Linked
Group Policy Objects tab, right-click the group policy name and select Enforced.

Notes: Before linking a group policy, you need to ensure that the computer
organizational unit has been created in the domain.

Step 4: Force the group policy to update

In order for group policy to take effect, you need to force a group policy update after completing
the above steps.

1. On the domain server, select Start > Control Panel > System and Security > Administrative
Tools, double-click the Windows PowerShell.

2. Enter gpupdate /force in the command window.

3. After the prompt "user policy update has completed successfully", close the dialog box.

Uninstalling the Assigned Client via Group Policy

To uninstall the ThreatTrace Client that has been assigned and installed via the group policy, take
the following steps:

1. In the domain server, select Start > Control Panel > System and Security > Administrative
Tools, double-click the Group Policy Management to open the Group Policy Management
dialog box.

2. Expand the node in the left navigation bar, right-click the created Group Policy object and
select Edit to open the Group Policy Management Editor dialog box.

3. In the left navigation bar, select Computer Configuration > Policies > Software Settings >
Software Installation.

4. In the packet record on the right, right-click the software name and select All Tasks >
Remove to open the Remove Software dialog box.

5. In the Remove Software dialog box, select Immediately uninstall the software from users
and computers.

After completing the above steps, when the computer matching the group policy is restarted, the
installed ThreatTrace Client will be uninstalled.

Updating the Assigned Client via Group Policy

To update the ThreatTrace Client that has been assigned and installed via the group policy (taking
"assign to computers in the domain" as an example), take the following steps:

1. In the domain server, select Start > Control Panel > System and Security > Administrative
Tools, double-click the Group Policy Management to open the Group Policy Management
dialog box.

2. Expand the node in the left navigation bar, right-click the created Group Policy object and
select Edit to open the Group Policy Management Editor dialog box.

3. In the left navigation bar, select Computer Configuration > Policies > Software Settings >
Software Installation, right-click Software Installation, and select New > Packets.

4. Select the ThreatTrace Client installer that is already stored in the shared folder.

5. In the Deployment Software dialog box, select Assigned, and then click OK to create and
deploy the new version of the package.

6. After the new version of the data package is created, perform the "Force the group policy to
update" step to make the updated group policy take effect. (For details, see Step 4: Force the
group policy to update)

After completing the above steps, when the computer matching the group policy is restarted, the
client will be updated to the new version.
