Hillstone Networks, Inc.

StoneOS WebUI Guide - E series

Version 5.5R4
Copyright 2017 Hillstone Networks, Inc.. All rights reserved.
Information in this document is subject to change without notice. The software described in this document is fur-
nished under a license agreement or nondisclosure agreement. The software may be used or copied only in accord-
ance with the terms of those agreements. No part of this publication may be reproduced, stored in a retrieval
system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for
any purpose other than the purchaser's personal use without the written permission of Hillstone Networks, Inc..
Hillstone Networks, Inc.

Contact Information:
US Headquarters:
Hillstone Networks
292 Gibraltar Drive, Suite 105
Sunnyvale, CA 94089
Phone: 1-408-508-6750
http://www.hillstonenet.com/about-us/contact/

About this Guide:

This guide gives you comprehensive configuration instructions of Hillstone Networks, Inc. StoneOS .
For more information, refer to the documentation site: http://docs.hillstonenet.com.
To provide feedback on the documentation, please write to us at:
[email protected]

Hillstone Networks, Inc.

TWNO: TW-WUG-UNI-A-5.5R4-EN-V1.0-2017/1/20
Contents

Contents 1
Welcome 1
Chapter 1 Getting Started Guide 2
Initial Visit to Web Interface 3
Preparing the StoneOS System 4
Installing Licenses 4
Creating a System Administrator 4
Adding Trust Hosts 5
Upgrading StoneOS Firmware 6
Updating Signature Database 6
Connecting to Internet Under Routing Mode 7
Restoring to Factory Settings 11
Restoring using a pin 11
Restoring via WebUI 11
Chapter 2 Deploy Your Device 12
How a Firewall Works 13
StoneOS System Architecture 13
General Rules of Security Policy 14
Packet Processing Rule 14
Forwarding Rule in Layer 2 14
Forwarding Rule in Layer 3 16
Deploying Transparent Mode 18
Deploying Routing Mode 22
Deploying Mix Mode 26
Deploying Tap Mode 27
Chapter 3 Dashboard 29
Customize 29
Threats 30
Threatscape 30
User 30
Application 30
Total Traffic 31
Physical Interface 31
System Information 31
Specified Period 32
Chapter 4 iCenter 33

TOC - 1
 Threat 33
Chapter 5 Network 34
Security Zone 35
Configuring a Security Zone 35
Interface 37
Configuring an Interface 38
Creating a PPPoE Interface 38
Creating a Tunnel Interface 41
Creating a Virtual Forward Interface 44
Creating a Loopback Interface 47
Creating an Aggregate Interface 50
Creating a Redundant Interface 54
Creating an Ethernet Sub-interface/an Aggregate Sub-interface/a Redundant Sub-interface 55
Creating a VSwitch Interface/a VLAN Interface 57
Editing an Interface 58
MGT Interface 64
Configuring a MGT Interface 64
VLAN 65
Configuring a VLAN 65
DNS 66
Configuring a DNS Server 66
Configuring a DNS Proxy 66
Configuring a Analysis 67
Configuring a DNS Cache 67
NBT Cache 68
DHCP 70
Configuring a DHCP Server 70
Configuring a DHCP Relay Proxy 73
DDNS 74
Configuring a DDNS 74
PPPoE 76
Configuring PPPoE 76
Virtual Wire 78
Configuring a Virtual-Wire 78
Configuring the Virtual Wire Mode 78
Virtual Router 80
Creating a Virtual Router 80
Global Configuration 80
Virtual Switch 82

TOC - 2
 Creating a VSwitch 82
Port Mirroring 83
WLAN 84
Creating a WLAN 84
Advanced Settings 85
3G 86
Configuring 3G Settings 86
Managing Data Card 87
Automatically Verifying the PIN Code 87
Enabling/Disabling the PIN Code Protection 87
Modifying the PIN Code 88
Manually Verifying the PIN Code 88
Unlocking the PIN Code 88
Link Load Balancing 89
Configuring Outbound LLB 89
Configuring LLB Profile 89
Configuring LLB Rule 91
Configuring DNS Balance 91
Configuring Inbound LLB 92
Creating a SmartDNS Rule Table 92
Application Layer Gateway (ALG) 94
Enabling ALG 94
Global Network Parameters 95
Configuring Global Network Parameters 95
Configuring Protection Mode 96
Chapter 6 Advanced Routing 98
Destination Route 99
Creating a Destination Route 99
Destination-Interface Route 100
Creating a Destination-Interface Route 100
Source Route 102
Creating a Source Route 102
Source-Interface Route 103
Creating a Source-Interface Route 103
ISP Profile 105
Creating an ISP Profile 105
Uploading an ISP Profile 105
Saving an ISP Profile 106
ISP Route 107

TOC - 3
 Creating an ISP Route 107
Policy-based Route 109
Creating a Policy-based Route 109
Creating a Policy-based Route Rule 109
Adjusting Priority of a PBR Rule 112
Applying a Policy-based Route 113
DNS Redirect 114
Configuring the Global Match Order 114
WAP Traffic Distribution 114
Enabling WAP Traffic Distribution 115
Configuring a DNS Server 115
Creating Host Book 115
Creating a Policy-based Route Rule 115
Viewing WAP Traffic Distribution Statistics 115
Video Streaming Redirection 116
RIP 117
Creating RIP 117
Chapter 7 Authentication 120
Authentication Process 120
Web Authentication 121
Using WebAuth Wizard 121
Configuring Global Parameters for WebAuth 122
Modifying WebAuth Page Background Picture 124
Single Sign-On 126
Using AD Agent Software for SSO 126
Using Secure Agent Software for SSO 128
Using a Script for SSO 128
Using SSO-NTLM 131
SSO Agent 133
Configuring SSO Agent 133
802.1x 134
Configuring 802.1x 134
Creating 802.1x Profile 134
802.1x Global Configuration 135
Viewing Online Users 136
PKI 137
Creating a PKI Key 137
Creating a Trust Domain 138
Importing/Exporting Trust Domain 139

TOC - 4
 Importing Trust Certification 140
Online Users 141
Chapter 8 VPN 142
IPSec VPN 143
Basic Concepts 143
Security Association (SA) 143
Encapsulation Modes 143
Establishing SA 143
Using IPSec VPN 143
Configuring an IKE VPN 145
Configuring a Phase 1 Proposal 145
Configuring a Phase 2 Proposal 146
Configuring a VPN Peer 148
Configuring an IKE VPN 150
Configuring a Manual Key VPN 153
Viewing IPSec VPN Monitoring Information 156
Configuring PnPVPN 158
PnPVPN Workflow 158
Configuring a PnPVPN Client 158
Configuring IPSec-XAUTH Address Pool 160
SSL VPN 162
Configuring an SSL VPN 162
Configuring Resource List 168
Configuring an SSL VPN Address Pool 170
Configuring SSL VPN Login Page 172
Host Binding 173
Configuring Host Binding 173
Configuring Host Binding and Unbinding 173
Configuring a Super User 173
Configuring a Shared Host 174
Importing/Exporting Host Binding List 175
Host Checking 176
Role Based Access Control and Host Checking Procedure 176
Configuring a Host Checking Profile 177
SSL VPN Client for Windows 180
Downloading and Installing Secure Connect 180
Using Username/Password Authentication 180
Using Username/Password + Digital Certificate Authentication 182
Using Digital Certificate Only 182

TOC - 5
 Starting Secure Connect 183
Starting via Web 183
Using Username/Password Authentication 183
Using Username/Password + USB Key Certificate Authentication 184
Using Username/Password + File Certificate Authentication 185
Using USB Key Certificate Only Authentication 186
Using File Certificate Only Authentication 186

Starting Directly 187

Using Username/Password Authentication 187
Using Username/Password + USB Key Certificate Authentication 189
Using Username/Password + File Certificate Authentication 190
Using USB Key Certificate Only 192
Using File Certificate Only 193

Viewing Secure Connect GUI 194

General 194
Interface 195
Route 195
Viewing Secure Connect Menu 195
Configuring Secure Connect 196
Configuring General Options 196
Configuring a Login Entry 196
SSL VPN Client for Android 198
Downloading and Installing the Client 198
Starting and Logging into the Client 198
GUI 199
Connection Status 199
Configuration Management 199
Adding a Login Entry 199
Editing a Login Entry 200
Deleting a Login Entry 200
Modifying the Login Password 200
Disconnecting the Connection or Logging into the Client 200

Connection Log 200

System Configuration 200
About Us 201
SSL VPN Client for iOS 202
Deploying VPN Configurations 202
Connecting to VPN 206
Introduction to GUI 206

TOC - 6
 Connection Status 207
Connection Log 207
About US 207
SSL VPN Client for Mac OS 207
Downloading and Installing Client 207
Starting Client and Establishing Connection 207
GUI 208
Toolbar 208
Connection List 209
Connection Information 209
Status Bar 209
Menu 209
SSL VPN Client for Linux 210
Downloading and Installing Client 210
Starting Client and Establishing Connection 211
Upgrading and Uninstalling Client 213
GUI 215
Toolbar 215
Connection List 215
Connection Information 215
Status Bar 216
Menu 216
L2TP VPN 217
Configuring an L2TP VPN 217
Configuring an L2TP VPN Address Pool 219
Viewing L2TP VPN Online Users 221
Chapter 9 Object 222
Address 223
Creating an Address Book 223
Viewing Details 224
Host Book 225
Creating a Host Book 225
Service Book 226
Predefined Service/Service Group 226
User-defined Service 226
User-defined Service Group 226
Configuring a Service Book 226
Configuring a User-defined Service 227
Configuring a User-defined Service Group 228

TOC - 7
 Viewing Details 229
Application Book 230
Editing a Predefined Application 230
Creating a User-defined Application 230
Creating a User-defined Application Group 231
Creating an Application Filter Group 231
Creating a Signature Rule 231
Viewing Details 233
SLB Server Pool 234
Configuring SLB Server Pool and Track Rule 234
Viewing Details of SLB Pool Entries 235
Schedule 236
Periodic Schedule 236
Absolute Schedule 236
Creating a Schedule 236
AAA Server 238
Configuring a Local AAA Server 238
Configuring Radius Server 239
Configuring Active Directory Server 240
Configuring LDAP Server 243
Configuring TACACS+ Server 246
Connectivity Test 247
User 248
Configuring a Local User 248
Creating a Local User 248
Creating a User Group 249
Configuring a LDAP User 250
Configuring a LDAP Server 250
Synchronizing Users 252
Configuring an Active Directory User 252
Configuring an AD Server 252
Synchronizing Users 254
Configuring a IP-User Binding 254
Role 256
Creating a Role 256
Creating a Role Mapping Rule 256
Creating a Role Combination 257
Track Object 259
Creating a Track Object 259

TOC - 8
 URL Filter 261
Configuring URL Filter 261
Viewing URL Hit Statistics 265
Viewing Web Surfing Records 265
Configuring URL Filter Objects 265
Predefined URL DB 265
Configuring Predefined URL Database Update Parameters 266
Upgrading Predefined URL Database Online 266
Upgrading Predefined URL Database from Local 266
User-defined URL DB 266
Configuring User-defined URL DB 267
Importing User-defined URL 267
Clearing User-defined URL 268
URL Lookup 268
Inquiring URL Information 268
Configuring URL Lookup Servers 268
Keyword Category 269
Configuring a Keyword Category 269
Warning Page 270
Configuring Block Warning 270
Configuring Audit Warning 271
Chapter 10 Policy 273
Security Policy 274
Configuring a Security Policy Rule 274
Viewing and Searching Security Policy Rules 278
Managing Security Policy Rules 280
Enabling/Disabling a Policy Rule 280
Cloning a Policy Rule 280
Adjusting Security Policy Rule Position 280
Configuring Default Action 280
Viewing and Clearing Policy Hit Count 281
Hit Count Check 282
Rule Redundancy Check 282
User Online Notification 283
Configuring User Online Notification 283
Configuring the Parameters of User Online Notification 283
Viewing Online Users 284
iQoS 285
Implement Mechanism 285

TOC - 9
 Pipes and Traffic Control Levels 285
Pipes 285
Traffic Control Levels 287
Enabling iQoS 287
Pipes 288
Basic Operations 288
Configuring a Pipe 288
Viewing Statistics of Pipe Monitor 293
NAT 294
Basic Translation Process of NAT 294
Implementing NAT 294
Configuring SNAT 295
Enabling/Disabling a SNAT Rule 297
Adjusting Priority 297
Exporting NAT444 Static Mapping Entries 298
Configuring DNAT 299
Configuring an IP Mapping Rule 299
Configuring a Port Mapping Rule 299
Configuring an Advanced NAT Rule 300
Enabling/Disabling a DNAT Rule 302
Adjusting Priority 302
SLB Server 304
Viewing SLB Server Status 304
Viewing SLB Server Pool Status 304
Session Limit 305
Configuring a Session Limit Rule 305
Clearing Statistic Information 306
ARP Defense 307
Configuring ARP Defense 308
Configuring Binding Settings 308
Adding a Static IP-MAC-Port Binding 308
Obtaining a Dynamic IP-MAC-Port Bindings 308
Bind the IP-MAC-Port Binding Item 309
Importing/Exporting Binding Information 310
Configuring Authenticated ARP 310
Configuring ARP Inspection 311
Configuring DHCP Snooping 312
Viewing DHCP Snooping List 313
Configuring Host Defense 313

TOC - 10
SSL Proxy 315
Work Mode 315
Working as Gateway of Web Clients 316
Configuring SSL Proxy Parameters 316
Specifying the PKI Trust Domain of Device Certificate 316
Obtaining the CN Value 316
Configuring a Trusted SSL Certificate List 317
Importing Device Certificate to Client Browser 317
Configuring a SSL Proxy Profile 317
Working as Gateway of Web Servers 319
Configuring a SSL Proxy Profile 319
Binding a SSL Proxy Profile to a Policy Rule 320
Internet Behavior Control 321
Configuring Internet Behavior Control Objects 322
Predefined URL DB 322
Configuring Predefined URL Database Update Parameters 322
Upgrading Predefined URL Database Online 323
Upgrading Predefined URL Database from Local 323
User-defined URL DB 323
Configuring User-defined URL DB 323
Importing User-defined URL 324
Clearing User-defined URL 324
URL Lookup 325
Inquiring URL Information 325
Configuring URL Lookup Servers 325
Keyword Category 326
Configuring a Keyword Category 326
Warning Page 327
Configuring Block Warning 327
Configuring Audit Warning 328
Bypass Domain 328
User Exception 329
Web Content 330
Creating a Web Content Rule 330
Enabling/Disabling a Rule 333
Prioritizing Rules 333
Viewing Monitored Results of Keyword Blocking in Web Content 333
Viewing Logs of Keyword Blocking in Web Content 333
Web Posting 334

TOC - 11
 Creating Web Posting Rule 334
Enabling/Disabling a Rule 337
Prioritizing Rules 337
Viewing Monitored Results of Keyword Blocking in Web Posts 337
Viewing Logs of Keyword Blocking in Web Posts 337
Email Filter 338
Creating Email Filter Rule 338
Enabling/Disabling a Rule 341
Prioritizing Rules 341
Viewing Monitored Results of Email Keyword Blocking 341
Viewing Logs of Emails Keyword Blocking 341
IM Control 342
Creating IM Control Rule 342
Enabling/Disabling a Rule 345
Prioritizing Rules 345
Viewing Logs of IM Chatting 345
HTTP/FTP Control 346
Creating HTTP/FTP Control Rule 346
Enabling/Disabling a Rule 348
Prioritizing Rules 348
Viewing Logs of HTTP/FTP Behavior Control 349
Global Blacklist 350
Configuring IP Block Settings 350
Configuring Service Block Settings 350
Chapter 11 Threat Prevention 352
Threat Protection Signature Database 352
Anti Virus 353
Configuring Anti-Virus 354
Preparing 354
Configuring Anti-Virus Function 354
Configuring an Anti-Virus Rule 355
Configuring Anti-Virus Global Parameters 357
Intrusion Prevention System 358
Signatures 358
Configuring IPS 359
Preparation 359
Configuring IPS Function 359
Configuring an IPS Rule 360
IPS Global Configuration 371

TOC - 12
 Signature List 372
Searching Signatures 372
Managing Signatures 372
Sandbox 374
Configuring Sandbox 375
Preparation 375
Configuring Sandbox 375
Configuring a Sandbox Rule 376
Sandbox Global Configurations 377
Attack-Defense 379
ICMP Flood and UDP Flood 379
ARP Spoofing 379
SYN Flood 379
WinNuke Attack 379
IP Address Spoofing 379
IP Address Sweep and Port Scan 379
Ping of Death Attack 379
Teardrop Attack 380
Smurf Attack 380
Fraggle Attack 380
Land Attack 380
IP Fragment Attack 380
IP Option Attack 380
Huge ICMP Packet Attack 380
TCP Flag Attack 380
DNS Query Flood Attack 380
TCP Split Handshake Attack 380
Configuring Attack Defense 381
Perimeter Traffic Filtering 388
Enabling Perimeter Traffic Filtering 388
Configuring User-defined Black/White List 388
Configuring Third-party Black List 389
Searching Black/White List 389
Chapter 12 Monitor 391
Monitor 392
User Monitor 393
Summary 393
User Details 393
Address Book Details 394

TOC - 13
 Monitor Address Book 395
Statistical Period 396
Application Monitor 397
Summary 397
Application Details 398
Group Details 398
Select Application Group 399
Statistical Period 400
Cloud Application Monitor 401
Summary 401
Cloud Application Details 401
Statistical Period 402
Share Access Detect 403
Device Monitor 404
Summary 404
Statistical Period 405
Detailed Information 405
Online IP 407
URL Hit 408
Summary 408
User/IP 408
URL 409
URL Category 409
Statistical Period 410
Application Block 411
Summary 411
Application 411
User/IP 412
Statistical Period 412
Keyword Block 413
Summary 413
Web Content 413
Email Content 414
Web Posting 414
User/IP 414
Statistical Period 415
Authentication User 416
Monitor Configuration 417
User-defined Monitor 418

TOC - 14
 Creating a User-defined Stat-set 423
Viewing User-defined Monitor Statistics 424
WAP Traffic Distribution 425
Reporting 426
Report File 427
User-defined Task 428
Creating a User-defined Task 428
Enabling/Disabling the User-defined Task 429
Viewing Report Files 430
Predefined Task 431
Generating Report Tasks 431
Viewing Report Files 432
Logging 433
Log Severity 433
Destination of Exported Logs 433
Log Format 434
Event Logs 435
Network Logs 436
Configuration Logs 437
Threat Logs 438
Session Logs 439
PBR Logs 439
NAT Logs 440
URL Logs 441
NBC Logs 442
CloudSandBox Logs 442
Log Configuration 443
Creating a Log Server 443
Adding Email Address to Receive Logs 443
Specifying a Unix Server 444
Specifying a Mobile Phone 444
Managing Logs 445
Configuring Logs 445
Option Descriptions of Various Log Types 445
Chapter 13 Diagnostic Tool 451
Test Tools 452
DNS Query 452
Ping 452
Traceroute 452

TOC - 15
Chapter 14 High Availability 453
Basic Concepts 453
HA Cluster 453
HA Group 453
HA Node 453
Virtual Forward Interface and MAC 454
HA Selection 454
HA Synchronization 454
Configuring HA 455
Chapter 15 System Management 457
System Information 458
Viewing System Information 458
Device Management 460
Administrators 460
VSYS Administrator 460
Creating an Administrator Account 461
Admin Roles 462
Trust Host 463
Creating a Trust Host 463
Management Interface 464
System Time 465
Configuring the System Time Manually 465
Configuring NTP 466
NTP Key 466
Creating a NTP Key 467
Option 467
Rebooting the System 469
System Debug Information 469
Data collection 469
Configuration File Management 470
Managing Configuration File 470
Viewing the Current Configuration 471
SNMP 472
SNMP Agent 472
SNMP Host 473
Trap Host 474
V3 User Group 474
V3 User 475
Upgrading System 477

TOC - 16
 Upgrading Firmware 477
Updating Signature Database 477
License 479
Viewing License List 480
Applying for a License 480
Installing a License 481
Mail Server 482
Creating a Mail Server 482
SMS Parameters 483
SMS Modem Devices 483
Configuring SMS Parameters 483
Testing SMS 483
Connecting to HSM 484
HSM Deployment Scenarios 484
Connecting to HSM 484
Connecting to Hillstone Cloud·View 485
Cloud·View Deployment Scenarios 485
Connecting to Hillstone Cloud·View 486
VSYS (Virtual System) 487
VSYS Objects 487
Root VSYS and Non-root VSYS 487
VRouter, VSwitch, Zone and Interface 488
Shared VRouter 488
Shared VSwitch 488
Shared Zone 488
Shared Interface 488
Interface Configuration 488
Creating Non-root VSYS 489
Configuring Dedicated and Shared Objects for Non-root VSYS 489
Configuring VSYS Quota 490

TOC - 17
Welcome

Thanks for choosing Hillstone products!

This part introduces how you get user guides of Hillstone products.
Getting Started Guide:

l Getting Started Guide (Download PDF)

Cookbook (recipes):

l StoneOS 5.5 Cookbook (Download PDF)

OS operation guides:

l StoneOS Command Line Interface User Guide (Download PDF)

l StoneOS WebUI User Guide (Download PDF)

l StoneOS Log Messages Reference Guide (Download PDF)

Hardware installation guides:

l Hardware Reference Guide of all series platforms (Download PDF)

l Expansion Modules Reference Guide of all modules (Download PDF)

Virtualization platform installation guides:

l CloudEdge Installation Guide (Download PDF)

l CloudHive Installation Guide (Download PDF)

Other support links:

l Webiste: www.hillstonenet.com

l Technical Support: 1-800-889-9860

Welcome 1
Chapter 1 Getting Started Guide

This guide helps you to go through initial configuration and basic set-up of Hillstone devices. The intended reader is
your company's network administrator.
This guide is used when you have finished mounting your device. After following the steps in this guide, your private
network will be able to access Internet. For security functions, you will need to read the User Guide (WebUI User
Guide or CLI User Guide).
You may configure your firewall in the following sequence:

1. "Initial Visit to Web Interface" on Page 3

2. "Preparing the StoneOS System" on Page 4, including:

l "Installing Licenses" on Page 4

l "Creating a System Administrator" on Page 4

l "Adding Trust Hosts" on Page 5

l "Upgrading StoneOS Firmware" on Page 6

l "Updating Signature Database" on Page 6

3. "Connecting to Internet Under Routing Mode" on Page 7

4. "Restoring to Factory Settings" on Page 11

Chapter 1 Getting Started Guide 2

Initial Visit to Web Interface
Interface eth0/0 is configured with IP address 192.168.1.1/24 by default, it is open to all connection types. For the ini-
tial visit, use this interface.
To visit the web interface for the first time:

1. Go to your computer's Ethernet properties, set the IPv4 protocol as below.

2. Connect an RJ-45 Ethernet cable from your computer to the eth0/0 of the device.

3. In your browser's address bar, type "http://192.168.1.1" and press Enter.

4. In the login interface, type the default username and password: hillstone/hillstone.

5. At the first sign of address, the user needs to read and accept the EULA ( end-user license agreements ), click
EULA to view the details of EULA.

6. Click Login, and the device's system will initiate.

3 Chapter 1 Getting Started Guide

Preparing the StoneOS System
I nstalling Licenses
Licenses control features and performance.
Before installing any license, you must have obtained the license code from sales person.
To install a license:

1. Go to System > License.

2. Choose one of the three ways to import a license:

l Upload License file: Select the radio button, click Browse, and select the license file (a .txt file).

l Manual Input: Select the radio button, and paste the license code into the text box.

l Online Install:Select the Online Install radio button and click the Online Install button, your pur-
chased licenses will be automatically installed. It should be noted that the licenses must be in activated status
in the Hillstone Online Registration Platform(http://onlinelic.hillstonenet.com/reqlicense). (To activate the
license, you need to log into the platform using your username and password of the platform.The username
is the same as your mailbox which was provided when placing an order. Hillstone will send the password by
e-mail.Then activate the licenses that need to be installed. If you purchased the device from the Hillstone
agent, please contact the agent to activate the licenses.)

3. Click OK.

4. To make the license take effect, reboot the system. Go to System > Device Management > Options, click
Reboot.

Creating a System Administrato r

System administrator has the authority to read, write and execute all features in this system.
To create a system administrator:

1. Go to System > Device Management > Administrator.

2. Click New,

Chapter 1 Getting Started Guide 4

 In the Admin Configuration dialog box, enter values
Option Value

Name Admin
Role Administrator
Password 123456
Confirm Pass- 123456
word
Login Type Select Telnet, SSH , HTTP and HTTPS.

3. Click OK.

Note: The system has a default administrator "hillstone" , which cannot be deleted or
renamed.

Adding Trust H o sts

Trust host is administrator's host. Only computers included in the trust hosts can manage the system.
To add a trust host:

1. Go to System > Device Management.

2. Select Trust Host tab, and click New.

In the Trust Host Configuration dialog box, enter value

5 Chapter 1 Getting Started Guide

 Option Value

Type Select IP/Netmask

IP 192.168.1.2/24
Login Type Select all: Telnet, SSH, HTTP and HTTPS

3. Click OK.

Upgrading Sto neOS Firmw are

Note: Back up your configuration files before upgrading your system.

To upgrade your system firmware:

1. Go to System > Upgrade Management.

2. Select Browse and choose the new image from your local computer.

3. Click Reboot to make new firmware take effect, and then click Apply.

4. The system will automatically reboot when it finishes installing new firmware.

Updating Signature D atabase

Features that require constant signature updates are license controlled. You must purchase license in order to be able
to update signature libraries. By default, the system will automatically update databases on a daily basis.
To update a database:

1. Go to System > Upgrade Management, and click the <Signature Database Update> tab.

2. Find your intended database, and choose one of the following two ways to upgrade.

l Remote Update: Click Update , the system will automatically update the database.

l Local Update: Select Browse to open file explorer, and select your local signature file to import it into the
system.

Chapter 1 Getting Started Guide 6

Connecting to Internet Under Routing Mode
In routing mode, the device is working as a gateway and router between two networks. This section shows how to con-
nect and configure a new Hillstone device in route mode to securely connect the private network to Internet.

To get your private network access to Internet through a Hillstone device:

Step 1: Connecting to the device

1. Connect one port (e.g. eth0/1) of Hillstone device to your ISP network. In this way, "eth0/1" is in the untrust
zone.

2. Connect your internal network to another Ethernet interfaces (e.g. eth0/0) of the device. This means "eth0/0" is
connected to the trust zone.

3. Power on the Hillstone device and your PCs.

4. If one of the internal interfaces already has been configured with an IP address, use a browser to visit that
address from one of your internal PCs.
If it is a new device, use the methods in "Initial Visit to Web Interface" on Page 3 to visit.

5. Enter "hillstone" for both username and password.

Step 2: Configuring interfaces

1. Go to Network > Interface.

7 Chapter 1 Getting Started Guide

 2. Double click eth0/1.

In the Ethernet Interface dialog box, enter values

Option Value
Binding Zone L3-zone
Zone untrust

Type Static IP
IP Address 202.10.1.2 (public IP address provided by your ISP)
Netmask 255.255.255.0
Management Select protocols that you want to use to access the device.

3. Click OK.
Step 3: Creating a NAT rule to translate internal IP to public IP

1. Go to Policy > NAT > SNAT.

2. Select New

Chapter 1 Getting Started Guide 8

 In the SNAT Configuration dialog box, enter values
Option Value

Source Address Address Entry, Any

Destination Address Entry, Any
Address
Egress Egress interface, ethernet 0/1
Translated Egress IP
Sticky Enable

3. Click OK.
Step 4: Creating a security policy to allow internal users access Internet.

1. Go to Policy > Security Policy.

2. Click New.

In the Policy Configuration dialog box, enter values.

Source Information
Zone trust
Address Any
Destination Information
Zone untrust
Address Any
Other Information
Service/Service Any
Group
APP/APP Group -----
Action Permit

3. Click OK.
Step 5: Configuring a default route

1. Go to Network >Routing > Destination Route.

9 Chapter 1 Getting Started Guide

 2. Click New.

In the Destination Route Configuration dialog box, enter values.

Option Value

Destination 0.0.0.0 (means all network)

Subnet Mask 0.0.0.0 (means all subnets)
Gateway 202.10.1.1 (gateway provided by your ISP)

3. Click OK.

Chapter 1 Getting Started Guide 10

Restoring to Factory Settings

Note: Resetting your device will erase all configurations, including the settings that have been
saved. Please be cautious!

To restore to factory's default settings, you may use one of the following two ways:

l "Restoring using a pin" on Page 11

l "Restoring via WebUI" on Page 11

Resto ring using a pin

To restore to factory default:

1. Power off the device.

2. Use a pin to press the CLR pinhole on the front panel; keep pressing and power on the devcie.

3. Keep pressing until the STA and ALM indicators on the front panel turn constant red; release the pin. The system
will start to reset itself.

4. When restoring is complete, the system will reboot automatically.

Resto ring via WebUI

To restore to factory settings using Web interface:

1. Go to System > Configuration File Management.

2. Click Backup Restore.

3. In the prompt, click Restore.

4. Click OK to confirm.

5. The device will automatically reboot and be back to factory settings.

11 Chapter 1 Getting Started Guide

Chapter 2 Deploy Your Device

This chapter introduces how a firewall works and its most commonly used scenarios. Understanding the system struc-
ture, basic elements and flow chart will help you in better organizing your network and making the most of the firewall
product.

l "How a Firewall Works" on Page 13

A firewall has more than one deployment scenarios. Each scenario applies to one environment requirement. The usual
deployment modes are:

l "Deploying Transparent Mode" on Page 18

Transparent mode is a situation when the IT administrator does not wish to change his existing network settings.
In transparent mode, the firewall is invisible for the network. No IP address configuration is needed, the firewall
only provides security features.

l "Deploying Routing Mode" on Page 22

Route mode applies when the firewall also offers routing and NAT functions. In route mode, firewall connects two
networks, typically an internal network and Internet, and firewall interfaces are configured with IP addresses.

l "Deploying Mix Mode" on Page 26

If a firewall has Layer-2 interfaces and Layer-3 interfaces, the firewall is in the Mixed mode.

l "Deploying Tap Mode" on Page 27

When an IT administrator wants only monitor, IPS or statistics functions from a firewall, not a gateway device,us-
ing tap mode is the right choice. In tap mode, firewall is not directly connected within the network.

Chapter 2 Deploy Your Device 12

How a Firewall Works
A firewall is a network security device. It protects a network by controlling the traffic that comes in and out of a net-
work. The basic mechanism of how a firewall works is allowing or disallowing data packets by matching its policy
rules. Besides security functions, a firewall can also works as a bridging device to connect a trust zone (internal net-
work) and untrust zone (external network).

Sto neOS System Architecture

The elements that consist StoneOS system architecture are:

l Zone: Zones divide network into multiple segments, for example, trust (usually refers to the trusted segments
such as the Intranet), untrust (usually refers to the untrusted segments where security treats exist), and so on.

l Interface: Interface is the inlet and outlet for traffic going through security zones. An interface must be bound to
a security zone so that traffic can flow into and from the security zone. Furthermore, for the Layer 3 security zone,
an IP address should be configured for the interface and the corresponding policy rules should also be configured
to allow traffic transmission between different security zones. Multiple interfaces can be bound to one security
zone, but one interface cannot be bound to multiple security zones.

l VSwitch: VSwitch is short for Virtual Switch. A VSwitch functions as a switch in Layer 2. After binding a Layer 2
zone to a VSwitch, all the interfaces in the zone are also bound to the VSwitch. There is a default VSwitch named
VSwitch1. By default, all Layer 2 zones will be bound to VSwitch1. You can create new VSwitches and bind Layer 2
zones to VSwitches. Each VSwitch is a Layer 2 forwarding zone with its own MAC address table which supports
the Layer 2 traffic transmission for the device. Furthermore, the VSwitchIF helps on the traffic transmission
between Layer 2 and Layer 3.

l VRouter: VRouter is Virtual Router and also abbreviated as VR. A VRouter functions as a router with its own rout-
ing table. There is a default VR named trust-vr. By default, all the Layer 3 zones will be bound to trust-vr auto-
matically. The system supports the multi-VR function and the max VR number varies from different platforms.
Multiple VRs make the device work as multiple virtual routers, and each virtual router uses and maintains its own
routing table. The multi-VR function allow a device to achieve the effects of the address isolation between different
route zones and address overlapping between different VRs, as well as to avoid route leaking to some extent,
enhancing route security of network.

l Policy: Policy is to control the traffic forwarding between security zones/segments. By default Hillstone devices
will deny all traffic between security zones/segments, while the policy can identify which flow between security
zones or segments will be permitted, and which will be denied, specifically based on policy rules
For the relationship between interface, security zone, VSwitch and VRouter, see the following diagram:

As shown above, the binding relationships among them are:

l Interfaces are bound to security zones. Interfaces bound to Layer 2 security zones and Layer 3 security zones are
known as Layer 2 interfaces and Layer 3 interfaces respectively. One interface can be only bound to one security
zone; interface and its sub interface can belong to different security zones.

13 Chapter 2 Deploy Your Device

 l Security zones are bound to a VSwitch or VRouter. Layer 2 security zones are bound to a VSwitch (by default the
predefined Layer 2 security zone is bound to the default VSwitch1), and Layer 3 security zones are bound to a
VRouter (by default the predefined Layer 3 security zone is bound to the default trust-vr), thus realizing the bind-
ing between the interfaces and VSwitch or VR. One security zone can be only bound to one VSwtich or VR.

General Rules o f Security Po licy

By default, all interfaces, even in the same zone, cannot communicate. Traffic in different zone are not allowed to be
transferred either. In order to change the rule, you need to set up new policy rules to allow traffic forwarding.

Note: To allow bidirectional traffic, you need to set up two policies: one is from source to des-
tination, the other is from destination to source. If there is only one-direction initiative access,
the responsive direction only need to respond to that visit, you will need to create only one-way
policy (from source to destination).

This part explain what policy is needed to allow interfaces in different zones, VSwtiches or Vrouteres to communicate.
The rules are:

l Interfaces in the same zone

To allow interfaces in one same zone to communicate, you need to create a policy whose source and destination
are both the zone the interfaces belong.
For example, to allow eth0/0 and eth0/1 to communicate, you need to create an "allowing" policy with source L3-
zone and destination L3-zone.

l Zones of two interfaces are under the same VSwtich

To allow communication of interfaces in different zones under one same VSwitch, you need to create two policies:
one policy to allow traffic from a zone to another; the other policy to allow traffic in the opposite direction.
For example, to allow eth0/2 and eth0/3 to communicate, you should create a policy whose source is L2-zone1
and destination is L2-zone2, then create another policy to allow traffic from L2-zone2 to L2-zone1.

l Zones of two interfaces are under different VSwitches

Each VSwtich has its VSwtich interface (VSwitchIF) which is bound to a Layer-3 zone. To allow interfaces in dif-
ferent zones under different VSwtiches, you need to create an "allowing" policy in which the source is the zone of
one VSwtichIF and the destination is the the zone of the other VSwtichIF. After that, create another policy of the
opposite direction.

l Zones of two L3 interfaces are under the same VRouter

To allow two L3 interfaces to communicate, you need to create a policy allowing one zone to the other zone.
For example, to allow communication between eth0/0 and eth0/5, you should create a policy from L3-zone1 to L3-
zone2, and then create an opposite direction policy.

l Zones of two L3 interfaces are under different VRouters

To allow two L3 interfaces in two different zones of different VRouters, you need to create a policy with source
being one VRouter and destination with the other VRouter, then you create an opposite direction policy.

l An L2 interface and an L3 interface under the same VRouter

To allow communication between an L2 interface and an L3 interface under the same VRouter, you will need to cre-
ate a policy whose source is the zone which binds the VSwithIF of L2 interface and the destination is the zone of
L3 interface. After taht, create an opposite direction policy.
For example, to allow eth0/0 and eth0/2 to communicate, create a policy from L3-zone1 to L2-zone1, and its
opposite direction policy.

Packet Pro cessing Rule

Forw a rding Rule in La yer 2
Forwarding within Layer 2 means it is in one VSwitch. The StoneOS system creates a MAC address table for a VSwitch
by source address learning. Each VSwitch has its own MAC address table. The packets are forwarded according to the

Chapter 2 Deploy Your Device 14

types of the packets, including IP packets, ARP packets, and non-IP-non-ARP packets.
The forwarding rules for IP packets are:

1. Receive a packet.

2. Learn the source address and update the MAC address table.

3. If the destination MAC address is a unicast address, the system will look up the egress interface according to the
destination MAC address. And in this case, two situations may occur:

l If the destination MAC address is the MAC address of the VSwitchIF with an IP configured, the system will for-
ward the packet according to the related routes; if the destination MAC address is the MAC address of the
VSwitchIF with no IP configured, the system will drop the packet.

l Figure out the egress interface according to the destination MAC address. And if the egress interface is the
source interface of the packet, the system will drop the packet; otherwise, forward the packet from the
egress interface.
If no egress interfaces (unknown unicast) is found in the MAC address table, jump to Step 6 directly.

4. Figure out the source zone and destination zone according to the ingress and egress interfaces.

5. Look up the policy rules and forward or drop the packet according to the matched policy rules.

6. If no egress interface (unknown unicast) is found in the MAC address table, the system will send the packet to all
the other L2 interfaces. The sending procedure is: take each L2 interface as the egress interface and each L2
zone as the destination zone to look up the policy rules, and then forward or drop the packet according to the
matched policy rule. In a word, forwarding of unknown unicast is the policy-controlled broadcasting. Process of
broadcasting packets and multicasting packets is similar to the unknown unicast packets, and the only difference
is the broadcast packets and multicast packets will be copied and handled in Layer 3 at the same time.
For the ARP packets, the broadcast packet and unknown unicast packet are forwarded to all the other interfaces in the
VSwitch, and at the same time, the system sends a copy of the broadcast packet and unknown unicast packet to the
ARP module to handle.

15 Chapter 2 Deploy Your Device

Forw a rding Rule in La yer 3

0. Identify the logical ingress interface of the packet to determine the source zone of the packet. The logical ingress
interface may be a common interface or a sub-interface.

1. The system performs sanity check to the packet. If the attack defense function is enabled on the source zone, the
system will perform AD check simultaneously.

2. Session lookup. If the packet belongs to an existing session, the system will perform Step 11 directly.

3. DNAT operation. If a DNAT rule is matched, the system will mark the packet. The DNAT translated address is
needed in the step of route lookup.

4. Route lookup. The route lookup order from high to low is: PBR > SIBR > SBR > DBR > ISP route.
Till now, the system knows the logical egress and destination zone of the packet.

Chapter 2 Deploy Your Device 16

 5. SNAT operation. If a SNAT rule is matched, the system will mark the packet.

6. VR next hop check. If the next hop is a VR, the system will check whether it is beyond the maximum VR number
(current version allows the packet traverse up to three VRs). If it is beyond the maximum number, the system will
drop the packet; and if it is within the maximum number, return to Step 4. If the next hop is not a VR, go on with
policy lookup.

7. Policy lookup. The system looks up the policy rules according to the packet’s source/destination zones,
source/destination IP and port, and protocol. If no policy rule is matched, the system will drop the packet; if any
policy rule is matched, the system will deal with the packet as the rule specified. And the actions can be one of the
followings:

l Permit: Forwards the packet.

l Deny: Drops the packet.

l Tunnel: Forwards the packet to the specified tunnel.

l Fromtunnel: Checks whether the packet originates from the specified tunnel. The system will forward the
packet from the specified tunnel and drop other packets.

l WebAuth: Performs WebAuth on the specified user.

8. First time application identification. The system tries to identify the type of the application according to the port
number and service specified in the policy rule.

9. Establish the session.

10. If necessary, the system will perform the second time application identification. It is a precise identification based
on the packet contents and traffic action.

11. Application behavior control. After knowing the type of the application, the system will deal with the packet accord-
ing to the configured profiles and ALG.

12. Perform operations according to the records in the session, for example, the NAT mark.

13. Forward the packet to the egress interface.

17 Chapter 2 Deploy Your Device

Deploying Transparent Mode
Transparent mode is also known as bridge mode or transparent bridging mode. Transparent mode is used when the
IT administrator does not wish to change its existing network layout, normally the existing network already has set up
routers and switches. The firewall will be used as a security device.
Transparent mode has the following advantages:

l No need to change IP addresses

l No need to set up NAT rule

Under normal circumstances, firewall in the transparent mode is deployed between the router and switch of the pro-
tected network, or it is installed between Internet and a company's router. The internal network uses its old router to
access Internet, and the firewall only provides security control features.
This section introduces a configuration example of a firewall deployed between a router and a switch. In this example,
the administrator use eth0/0 to manage firewall. The firewall's eth0/1 is connected to router (which is connecting to
Internet) and eth0/2 is connected to a switch (which is connecting to internal network).

Step 1: Initial log in the firewall

1. In the administrator's Ethernet properties, set the IPv4 protocol as below.

Chapter 2 Deploy Your Device 18

2. Connect an RJ-45 Ethernet cable from the computer to the eth0/0 of the device.

3. In the browser's address bar, type "http://192.168.1.1" and press Enter.

4. In the login interface, type the default username and password: hillstone/hillstone.

5. Click Login, and the device's system will initiate.

Step 2: Configure interface and zone

l Configure eth0/1 as Internet connected interface.

1. Select Network > Interface.

2. Double click ethernet0/1, and configure in the prompt.

3. Click OK.

19 Chapter 2 Deploy Your Device

 l Configure eth0/2 as private network connected interface.

1. Select Network > Interface.

2. Double click ethernet0/2, and configure in the prompt.

3. Click OK.

Step 3: Configuring policies

l Creating a policy to allow visiting Internet.

1. Select Policy > Security Policy.

2. Click New.

3. Click OK.

l Creating a policy to allow Internet to visit private network.

1. Select Policy > Security Policy.

2. Click New.

3. Click OK.

Chapter 2 Deploy Your Device 20

 l The two policies above ensure the communication between private network and Internet. If you want to set up
more details, e.g. to limit P2P download, you can add more policies and move new policy above the old one. The
match sequence of policy is determined by its position in the policy list, not its ID number.

(Optional) Step 4: Configuring VSwitch Interface for managing the firwall.

If you want any PC in the private network to visit and configure the firewall, you can configure a VSwitch interface as
management interface.

1. Select Network > Interface.

2. Double click vswtichif1.

3. Click OK.

4. In any PC of private network, enter the IP address of vswtichif1, you will visit the firewall Web user interface.

21 Chapter 2 Deploy Your Device

Deploying Routing Mode
Routing mode deployment often use NAT function as well, so it is also called NAT mode. In routing mode, each inter-
face has its IP address which means interfaces are in the layer 3 zone. A firewall in routing mode can work as a router
and a security devcie.
Routing mode is mostly used when the firewall is installed between an internal network and Internet.
This example is based on the topology below to show you how to connect and configure a new Hillstone device in route
mode. The device connects a private network to Internet.

Step 1: Connecting to the device

1. Connect one port (e.g. eth0/1) of Hillstone device to your ISP network. In this way, "eth0/1" is in the untrust
zone.

2. Connect your internal network to another Ethernet interfaces (e.g. eth0/0) of the device. This means "eth0/0" is
connected to the trust zone.

3. Power on the Hillstone device and your PCs.

4. If one of the internal interfaces already has been configured with an IP address, use a browser to visit that
address from one of your internal PCs.
If it is a new device, use the methods in "Initial Visit to Web Interface" on Page 3 to visit.

5. Enter "hillstone" for both username and password.

Step 2: Configuring interfaces

1. Go to Network > Interface.

2. Double click eth0/1.

Chapter 2 Deploy Your Device 22

 In the Ethernet Interface dialog box, enter values
Option Value
Binding Zone L3-zone
Zone untrust

Type Static IP
IP Address 202.10.1.1 (public IP address provided by your ISP)
Netmask 255.255.255.0
Management Select protocols that you want to use to access the device.

3. Click OK.
Step 3: Creating a NAT rule to translate internal IP to public IP

1. Go to Policy > NAT > SNAT.

2. Select New

In the SNAT Configuration dialog box, enter values

Option Value

Source Address Address Entry, Any

Destination Address Entry, Any
Address
Egress Egress interface, ethernet 0/1
Translated Egress IP
Sticky Enable

3. Click OK.
Step 4: Creating a security policy to allow internal users access Internet.

23 Chapter 2 Deploy Your Device

 1. Go to Policy > Security Policy.

2. Click New.

In the Policy Configuration dialog box, enter values.

Source Information
Zone trust
Address Any
Destination Information
Zone untrust
Address Any
Other Information
Service/Service Any
Group
APP/APP Group -----
Action Permit

3. Click OK.
Step 5: Configuring a default route

1. Go to Network >Routing > Destination Route.

2. Click New.

In the Destination Route Configuration dialog box, enter values.

Chapter 2 Deploy Your Device 24

 Option Value

Destination 0.0.0.0 (means all network)

Subnet Mask 0.0.0.0 (means all subnets)
Gateway 202.10.1.1 (gateway provided by your ISP)

25 Chapter 2 Deploy Your Device

Deploying Mix Mode
If the firewall has both L2 interfaces (transparent mode) and L3 interfaces (routing mode), the firewall is in mix mode.

To configure a mix mode, you need to combine the deployment methods of routing mode and transparent mode. Please
refer the these two modes.

Chapter 2 Deploy Your Device 26

Deploying Tap Mode
In most cases, the security device is deployed within the network as a serial node. However, in some other scenarios,
an IT administrator would just want auditing and statistical functions, like IPS, antivirus, Internet behavior control. For
these features, you just need to connect the device to a mirrored interface of core network. The traffic is mirrored to
the security device for auditing and monitor.

The bypass mode is realized by binding a physical interface to Tap zone, then the interface becomes a bypass inter-
face. The device will monitor, scan, or record the traffic received in the bypass interface.

Use an Ethernet cable to connect e0 of Switch and e1 of the Hillstone device. The interface e1 is the bypass interface
and e2 is the bypass control interface. The interface e0 is the mirror interface of the switch.The switch mirrors the
traffic to e1 and Hillstone device will monitor, scan, and log the traffic received from e1. After configuring IPS, AV, or
network behavior control on the Hillstone device, if the device detects network intrusions, virus, or illegal network
behaviors, it will send TCP RST packet from e2 to the switch to tell it to reset the connections.

Note: Before configuring tap mode in the device, you need to set up interface mirroring in your
primary switch. Mirror the traffic of the switch from e0 to e1, and the device can scan, monitor
and count the mirrored traffic.

Here provides an example of monitoring IPS in tap mode.

Step 1: Creating tap mode by binding an interface

1. Select Network > Zone, and click New.

27 Chapter 2 Deploy Your Device

 Option Value

Zone enter a name, e.g. "tap-zone" .

Type TAP
Binding Interface Select the bypass interface (only a physical interface, aggregate interface
or redundant interface can apply, sub-interface is not allowed).

2. Click OK.

Step 2: Creating an IPS rule

1. Select Object > Intrusion Prevention System.

2. Click New.

3. Enter the rule name.

4. Configure the signatures settings.

5. Configure the protocol settings.

6. Click OK to complete IPS rule configuration.

Step 3: Add IPS rule into Tap zone

1. Select Network > Zone, and double-click the tap zone created in step 1.

2. In the Treat Prevention tab, enable IPS and select the IPS rule just created.

3. Click OK.

(Optional) Block traffic in switch

A bypass control interface is used to send control packets (TCP RST packet is supported in current version). After con-
figuring IPS, AV, or network behavior control on the Hillstone device, if the device detects network intrusions, virus, or
illegal network behaviors, it will send TCP RST packet from e2 to the switch to tell it to reset the connections.
By default, the bypass interface itself is the control interface. However, you may also change the control interface.
To change a bypass control interface, you can only use command line interface:
tap control-interface interface-name

l interface-name - Specifies which interface is used as bypass control interface.

Chapter 2 Deploy Your Device 28

Chapter 3 Dashboard

This feature may vary slightly on different platforms. If there is a conflict between this guide and the actual page, the
latter shall prevail.
The dashboard shows the system and threat information. The layout of the dashboard is shown as below:

Customize
You can customize the dashboard displayed function or modify the function area location as needed.

l To customize the dashboard displayed function:

1. Click Customize at the top-right corner.

2. Select the function check box from the expanded list.

l To modify the function area location:

1. Hover your mouse over the title part in the ribbon.

2. When appears, press and hold the mouse functional area , you can drag it to the regional location to be
displayed .

Chapter 3 Dashboard 29
Threats
Display the top 10 threats information within the specified period.

l Click to specify the type of display: Destination IP, Source IP or Threat Name.

Threatscape
The threat information statistic chart are displayed within the specified period.

l Click the column to jump to the iCenter page, and the list will display with the corresponding threat level.

User
Display the top 10 user traffic information within the specified period.

l Specify the type of display: by Traffic or by Concurrent Sessions from the drop-down menu.

l Click and , switch between the table and the bar chart.

l Hover your mouse over a bar, to view users' upstream traffic, downstream traffic, total traffic or concurrent ses-
sions.

Application
Display the top 10 application traffic information within the specified period.

30 Chapter 3 Dashboard
 l Specify the type of display: by Traffic or by New Sessions from the drop-down menu.

l Click and , switch between the table and the bar chart.

l Hover your mouse over a bar, to view users' total traffic or new sessions.

Total Traffic
Shows the Total Traffic within the specified period .

Physical Interface
Display the Interfaces statistics information, including interface name, IP address, upstream speed, downstream
speed and total speed.

System Information
The system information include.

l Serial number: The serial number of the device.

l Host name: The host name of the device.

l Platform: The platform type of the device.

l System Time: The time of the system.

Chapter 3 Dashboard 31
 l System Uptime: The running time of the system.

l HA State: The HA State of device:

l Standalone: Non-HA mode. That represents HA is disabled.

l Init: Initial state.

l Hello: Negotiation state. That represents the device is consulte the relationship between master and backup.

l Master: Master state. That represents current device is master.

l Backup: Backup state. That represents current device is backup.

l Failed: Fault state. That represents the device is failed.

l Firmware: The version number of and version time of the firmware running on the device.

l Boot File: The boot file name.

l Anti Virus Signature: The version number and time of the anti virus signature database.

l IPS Signature: The version number and time of the IPS signature database.

l URL Category Database: The version number and time of the URL category database.

l Application Signature: The version number and time of the application signature database.

l IP Reputation Database: The version number and time of the IP reputation database.

Specified Period

The system supports the predefined time cycle and the custom time cycle. Click ( ) on the
top right corner of each tab to set the time cycle.

l Realtime: Displays the statistical information within the 5 minutes.

l Last Hour: Displays the statistical information within the latest 1 hour.

l Last Day: Displays the statistical information within the latest 1 day.

l Last Month: Displays the statistical information within the latest 1 month.

32 Chapter 3 Dashboard
Chapter 4 iCenter

This feature may not be available on all platforms. Please check your system's actual page to see if your device delivers
this feature.
Multi-dimensional , in-depth shows the threats of the whole network.

Threat
Threats tab statistics and displays the all threats information of the whole network within the specified period. Click
iCenter.

Click a threat name link in the list , to view detailed information , source/destination, knowledge base and history about
threat.

l Threat Analysis: Depending on the threats of the different detection engine , Threat Analysis tab content is also
different.

l Anti Virus/IPS: Display the threat detailed information .

About Anti Virus/IPS function introduction, see "Anti Virus" on Page 353/" Intrusion Prevention System" on
Page 358.

l Attack Defense/Perimeter Traffic Filtering: Display the threat detailed information.

About Attack Defense/Perimeter Traffic Filtering function introduction, see "Attack-Defense" on Page
379/"Perimeter Traffic Filtering" on Page 388.

l Sandbox Threat Detection: Display the threat detailed information of the suspicious file.

About the Sandbox function, see "Sandbox" on Page 374.

l Knowledge Base: About the threats detected by IPS, display the specified threat description, solution etc.

l Threat History: Display the selected threat historical information of the whole network .

Chapter 4 iCenter 33
Chapter 5 Network

This chapter describes factors and configurations related to network connection, including:

l Security Zone: The security zone divides network into different sections, for example, trust zone or untrust zone.
The device can control the traffic from and to security zones once the configured policy rules have been applied.

l Interface: The interface allows inbound and outbound traffic to security zones. An interface must be bound to a
security zone so that traffic can flow into and from the security zone.

l MGT Interface: To facilitate the management to the device and meet the requirement of separating the man-
agement traffic from the data traffic, system has an independent management interface(MGT Interface).

l VLAN: Virtual LAN.

l DNS: Domain Name System.

l DHCP: Dynamic Host Configuration Protocol.

l DDNS: Dynamic Domain Name Server.

l PPPoE: Point-to-Point Protocol over Ethernet.

l Virtual-Wire: The virtual wire allows direct Layer 2 communications between sub networks.

l Virtual Router: Virtual Routerouter (Virtual Router for short) acts as a router. Different Virtual Routers have their
own independent routing tables.

l Virtual Switch: Running on Layer 2, VSwitch acts as a switch. Once a Layer 2 security zone is bound to a VSwitch,
all the interfaces bound to that zone will also be bound to the VSwitch.

l Port Mirroring: Allows users to mirror the traffic of one interface to another interface (analytic interface) for ana-
lysis and monitoring.

l WLAN: WLAN represents the local area network that uses the wireless channel as the medial. By configuring the
WLAN function, you can establish the wireless local area network and allow the users to access LAN through wire-
less mode.

l 3G: By configuring the 3G function, users can access Internet through wireless mode.

l Link Load Balancing: It takes advantage of dynamic link detection technique to assign traffic to different links
appropriately, thus making full use of all available link resources.

l Application Layer Gate: ALG can assure the data trasmission for the applications that uss multi-channels, and
assure the proper operation of VoIP applications in the strictest NAT mode.

l Global Network Parameters: These parameters mainly include IP packet's processing options, like IP fragmention,
TCP MSS value, etc.

Chapter 5 Network 34
Security Zone
Security zone is a logical entity. One or more interfaces can be bound to one zone. A zone with policy applied is known
as a security zone, while a zone created for a specific function is known as a functional zone. Zones have the following
features:

l An interface should be bound to a zone. A Layer 2 zone will be bound to a VSwitch, while a Layer 3 zone will be
bound to a VRouter. Therefore, the VSwitch to which a Layer 2 zone is bound decides which VSwitch the inter-
faces belong to in that Layer 2 zone, and the VRouter to which a Layer 3 zone is bound decides which VRouter the
interfaces belong to in that Layer 3 zone.

l Interfaces in Layer 2 and Layer 3 are working in Layer 2 mode and Layer 3 mode respectively.

l System supports internal zone policies, like trust-to-trust policy rule

There are 8 pre-defined security zones in StoneOS, which are trust, untrust, dmz, L2-trust, L2-untrust, L2-dmz, vpn-
hub (VPN functional zone) and ha (HA functional zone). You can also customize security zones. Actually pre-defined
security zones and user-defined security zones make no difference in functions, and you can make your choice freely.

Co nfiguring a Security Z o ne
To create a security zone:

1. Select Network > Zone.

2. Click New.

3. In the Zone Configuration dialog, type the name for the zone into the Zone box.

4. Type the descriptions of the zone in the Description text box.

5. Specify a type for the security zone. For a Layer 2 zone, select a VSwitch for the zone from the VSwitch drop-down
list below; for a Layer-3 zone, select a VRouter from the Virtual Router drop-down list. If TAP is selected, the zone
created is a tap zone, which is used in Bypass mode.

6. Bind interfaces to the zone. Select an interface from the Binding Interface drop-down list.

7. If needed, select the Enable check box to enable APP identification for the zone.

35 Chapter 5 Network
 8. If needed, select the Enable check box to set the zone to a WAN zone, assuring the accuracy of the statistic ana-
lysis sets that are based on IP data.

9. If needed, select the Enable check box to enable NetBIOS host query for the zone. For detailed instructions, see
"DNS" on Page 66.

10. If needed, select the Enable check box to enable share access detect for the zone. It is a share access detect
method based on the application characteristic, which is used to detect the users’ private behavior of shared
access to Internet. For detailed instructions, see "Share Access Detect" on Page 403.

11. If needed, select Threat Protection tab and configure the parameters for Threat Protection function. For detailed
instructions, see "Chapter 11 Threat Prevention" on Page 352.

12. Click OK.

Note:
l Pre-defined zones cannot be deleted.

l When changing the VSwitch to which a zone belong, make sure there is no binding inter-
face in the zone.

Chapter 5 Network 36
Interface
Interfaces allow inbound and outbound traffic to security zones. An interface must be bound to a security zone so that
traffic can flow into and from the security zone. Furthermore, for the Layer 3 security zone, an IP address should be
configured for the interface, and the corresponding policy rules should also be configured to allow traffic transmission
between different security zones. Multiple interfaces can be bound to one security zone, but one interface cannot be
bound to multiple security zones.
The security devices support various types of interfaces which are basically divided into physical and logical interfaces
based on the nature.

l Physical Interface: Each Ethernet interface on devices represents a physical interface. The name of a physical
interface, consisting of media type, slot number and location parameter, is pre-defined, like ethernet2/1 or eth-
ernet0/2.

l Logical Interface: Includes sub-interface, VSwitch interface, VLAN interface, loopback interface, tunnel interface,
aggregate interface, redundant interface, PPPoE interface and Virtual Forward interface.
Interfaces can also be divided into Layer 2 interface and Layer 3 interface based on their security zones.

l Layer 2 Interface: Any interface in Layer 2 zone or VLAN.

l Layer 3 Interface: Any interface in Layer 3 zone. Only Layer 3 interfaces can operate in NAT/routing mode.
Different types of interfaces provide different functions, as described in the table below.

Type Description

Sub-interface The name of an sub-interface is an extension to the name of its original

interface, like ethernet0/2.1. System supports the following types of sub-
interfaces: Ethernet sub-interface, aggregate sub-interface and redundant
sub-interface. An interface and its sub-interfaces can be bound to one
single security zone, or to different zones.
VSwitch interface A Layer 3 interface that represents the collection of all the interfaces of a
VSwitch. The VSwtich interface is virtually the upstream interface of a switch
that implements packet forwarding between Layer 2 and Layer 3.
VLAN interface A Layer 3 interface that represents the collection of all the Ethernet inter-
faces within a VLAN. If only one Ethernet interface is in UP state, the VLAN
interface will be UP as well. The VLAN interface is the outbound com-
munication interface for all the devices within a VLAN. Typically its IP
address is the gateway's address of the network device within the VLAN.
Loopback inter- A logical interface. If only the security device with loopback interface con-
face figured is in the working state, the interface will be in the working state as
well. Therefore, the loopback interface is featured with stability.
Tunnel interface Only a Layer 3 interface, the tunnel interface acts as an ingress for VPN com-
munications. Traffic flows into VPN tunnel through this interface.
Aggregate inter- Collection of physical interfaces that include 1 to 16 physical interfaces.
face These interfaces averagely share the traffic load to the IP address of the
aggregate interface, in an attempt to increase the available bandwidth for a
single IP address. If one of the physical interfaces within an aggregate inter-
face fails, other physical interfaces can still process the traffic normally. The
only effect is the available bandwidth will decrease.
Redundant inter- The redundant interface allows backup between two physical interfaces.
face One physical interface, acting as the primary interface, processes the
inbound traffic, and another interface, acting as the alternative interface,
will take over the processing if the primary interface fails.
PPPoE interface A logical interface based on Ethernet interface that allows connection to
PPPoE servers over PPPoE protocol.
Virtual Forward In HA environment, the Virtual Forward interface is HA group's interface
interface designed for traffic transmission.

37 Chapter 5 Network
Co nfiguring an I nterface
The configuration options for different types of interfaces may vary. For more information, see the following instruc-
tions.
Both IPv4 and IPv6 address can be configured for the interface, but IPv6 address is not supported for the PPPoE inter-
face.

Crea ting a PPPoE Interfa c e

To create a PPPoE interface:

1. Select Network > Interface.

2. Click New > PPPoE Interface.

In the Basic tab, configure the followings.

Option Description

Interface Name Specifies a name for the PPPoE interface.

Description Enter descriptions for the PPPoE interface.
Binding Zone If Layer 3 zone is selected, you should also select a security zone from the
Zone drop-down list, and the interface will bind to a Layer 3 zone. If TAP
is selected, the interface will bind to a tap zone. If No Binding is selected,
the interface will not bind to any zone.
Zone Select a security zone from the Zone drop-down list.
HA sync Select this check box to enable HA Sync function, which means disable
Local property and use virtual MAC, and the primary device will syn-
chronize its information with the backup device; don’t select this check
box to disable HA Sync function, which means enable Local property and
use original MAC, and the primary device will not synchronize its inform-
ation with the backup device.
User Specifies a username for PPPoE.
Password Specifies PPPoE user's password.
Confirm pass- Enter the password again to make confirmation.
word
Idle interval If the PPPoE interface has been idling (no traffic) for a certain period, i.e.,
the specified idle interval, system will disconnect the Internet connection;
if the interface requires Internet access, system will connect to Internet
automatically. The value range is 0 to 10000 minutes. The default value is
30.
Re-connect inter- Specifies a re-connect interval (i.e., system will try to re-connect auto-
val matically after being disconnected for the interval). The value range is 0
to 10000 seconds. The default value is 0, which means the function is dis-
abled.
Set gateway With this checkbox selected, system will set the gateway information
information provided by PPPoE server as the default gateway route.
from PPPoE
server as the
default gateway
route
Advanced In the Advanced dialog, configure advanced options for PPPoE, includ-

Chapter 5 Network 38
 Option Description
ing:

l Access concentrator - Specifies a name for the concentrator.

l Authentication - The devices will have to pass PPPoE authentication

when trying to connect to a PPPoE server. The supported authen-
tication methods include CHAP, PAP and Any (the default, anyone
between CHAP and PAP).

l Netmask - Specifies a netmask for the IP address obtained via

PPPoE.

l Static IP - You can specify a static IP address and negotiate to use

this address to avoid IP change. To specify a static IP address, type
it into the box.

l Distance - Specifies a route distance. The value range is 1 to 255. The

default value is 1.

l Weight - Specifies a route weight. The value range is 1 to 255. The

default value is 1.

l Service - Specifies allowed service. The specified service must be the

same with that provided by the PPPoE server. If no service is spe-
cified, system will accept any service returned from the server auto-
matically.

DDNS In the DDNS Configuration dialog, configure DDNS options for the inter-
face. For detailed instructions, see "DDNS" on Page 74.
Management Select one or more management method check boxes to configure the
interface management method.
Reverse Route Enable or Disable reverse route as needed:

l Enable: Enforces to use a reverse route. If the reverse route is not

available, packets will be dropped. This option is enabled by
default.

l Close: Reverse route will not be used. When reaching the interface
the reverse data stream will be returned to its original route without
any reverse route check. That is, reverse packets will be sent from the
ingress interface that initializes the packets.

l Auto: Reverse route will be prioritized. If available, the reverse

route will be used to send packets; otherwise the ingress interface
that initializes the packets will be used as the egress interface that
sends reverse packets.
WAP Traffic Dis- Select the Enable check box and configure as follows:
tribution
l Destination IP Replacement: Select the Enable check box, and spe-
cify the logs you need to record. If All is selected in WAP Log
Record section, system will record all the traffic logs; while if
Destination IP Replacement radio button is selected, system will
record logs for the translated traffic.

l Destination Service Port 1/Destination Service Port 2: Specifies the

HTTP port number for the WAP gateway.

In the Properties tab, configure properties for the interface.

39 Chapter 5 Network
 Option Description

MTU Specifies a MTU for the interface. The value range is 1280 to 1500/1800
bytes. The default value is 1500. The max MTU may vary from different
Hillstone platforms.

ARP Learning Select the Enable checkbox to enable ARP learning.

ARP Timeout Specifies an ARP timeout for the interface. The value range is 5 to 65535
seconds. The default value is 1200.
Keep-alive IP Specifies an IP address that receives the interface's keep-alive packets.
MAC clone Select the MAC clone check box to enable the MAC clone function. The
system clones a MAC address to the Ethernet sub-interface. If the user
click "Restore Default MAC", the Ethernet sub-interface will restore the
default MAC address.
Mirror Enable port mirroring on an Ethernet interface, and select the traffic type
to be mirrored.

In the Advanced tab, configure advanced options for the interface.

Option Description

Shutdown System supports interface shutdown. You can not only enforce to shut
down a specific interface, but also control the time of shutdown by sched-
ule, or control the shutdown according to the link status of tracked
objects. Configure the options as below:

1. Select the Shut down check box to enable interface shutdown.

2. To control the shutdown by schedule or tracked objects, select an

appropriate check box, and then select an appropriate schedule or
tracked object from the drop-down list.

Monitor and Configure the options as below:

Backup
1. Select an appropriate check box, and then select an appropriate
schedule or tracked object from the drop-down list.

2. Select an action:

l Shut down the interface: During the time specified in the

schedule, or when the tracked object fails, the interface will
be shut down and its related route will fail;

l Migrate traffic to backup interface: During the time specified

in the schedule, or when the tracked object fails, traffic to the
interface will be migrated to the backup interface. In such a
case you need to select a backup interface from the Backup
interface drop-down list and type the time into the Migrating
time box. (Migrating time, 0 to 60 minutes, is the period dur-
ing which traffic is migrated to the backup interface before the
primary interface is switched to the backup interface. During
the migrating time, traffic is migrated from the primary inter-
face to the backup interface smoothly. By default the migrat-
ing time is set to 0, i.e., all the traffic will be migrated to the
backup interface immediately.)

In the RIP tab, configure RIP for the interface.

Option Description

Authentication Specifies a packet authentication mode for the system, including plain
mode

Chapter 5 Network 40
 Option Description

text (the default) and MD5. The plain text authentication, during which
unencrypted string is transmitted together with the RIP packet, cannot
assure security, so it cannot be applied to the scenarios that require high
security.
Authentication Specifies a RIP authentication string for the interface.
string
Transmit version Specifies a RIP information version number transmitted by the interface.
By default V1&V2 RIP information will be transmitted.
Receive version Specifies a RIP information version number transmitted by the interface.
By default V1&V2 RIP information will be transmitted.
Split horizon Select the Enable checkbox to enable split horizon. With this function
enabled, routes learned from an interface will not be sent from the same
interface, in order to avoid routing loop and assure correct broadcasting
to some extent.

3. Click OK.

Crea ting a T unnel Interfa c e

To create a tunnel interface:

1. Select Network > Interface.

2. Select New > Tunnel Interface.

In the Basic tab, configure the followings.

Option Description

Interface Name Specifies a name for the tunnel interface.

Description Enter descriptions for the tunnel interface.
Binding Zone If Layer 3 zone is selected, you should also select a security zone from
the Zone drop-down list, and the interface will bind to a Layer 3 zone. If
TAP is selected, the interface will bind to a tap zone. If No Binding is
selected, the interface will not bind to any zone.
Zone Select a security zone from the Zone drop-down list.

41 Chapter 5 Network
 Option Description

HA sync Select this check box to enable HA Sync function, which means disable
Local property and use virtual MAC, and the primary device will syn-
chronize its information with the backup device; don’t select this check
box to disable HA Sync function, which means enable Local property and
use original MAC, and the primary device will not synchronize its inform-
ation with the backup device.
IP Configuration

Static IP IP address: Specifies an IP address for the interface.

Netmask: Specifies a netmask for the interface.
Set as Local IP: In a HA environment, if specify this option, the interface
IP will not synchronize to the HA peer.
Enable DNS Proxy: Select this check box to enable DNS proxy for the inter-
face.

l When the general DNS proxy is in use, the client in the network
still gets DNS replies from the DNS server configured on itself. If
the DNS server address is configured as an interface address of
Hillstone device, the device will work as a DNS server;

l When the transparent DNS proxy is in use, all DNS requests are
replied by the Hillstone device. In such a case, there is no need to
edit DNS configuration on each client. DNS service can be easily con-
trolled by modifying the device's DNS configuration.

Enable DNS Bypass: Select this check box to enable DNS bypass for the
interface.
Advanced:

l Management IP: Specifies a management IP for the interface. Type

the IP address into the box.

l Secondary IP: Specifies secondary IPs for the interface. You can
specify up to 6 secondary IP addresses.
DHCP: In the DHCP Configuration dialog, configure DHCP options for
the interface. For detailed instructions, see "DHCP" on Page 70.
DDNS: In the DDNS Configuration dialog, configure DDNS options for
the interface. For detailed instructions, see "DDNS" on Page 74.
Auto-obtain Set gateway information from DHCP server as the default gateway route:
With this check box selected, system will set the gateway information
provided by the DHCP server as the default gateway route.
Advanced:

l Distance: Specifies a route distance. The value range is 1 to 255. The

default value is 1.

l Weight: Specifies a route weight. The value range is 1 to 255. The

default value is 1.

l Management Priority: Specifies a priority for the DNS server. Except

for static DNS servers, system can also learn DNS servers dynamically
via DHCP or PPPoE. Therefore, you need to configure priorities for
the DNS servers, so that the system can choose a DNS server accord-
ing to its priority during DNS resolution. The priority is represented
in numbers from 1 to 255. The larger the number is, the higher the

Chapter 5 Network 42
 Option Description
priority is. The priority of static DNS servers is 20.

DDNS: In the DDNS Configuration dialog, configure DDNS options for

the interface. For detailed instructions, see "DDNS" on Page 74.
Management Select one or more management method check boxes to configure the
interface management method.
Reverse Route Enable or Disable reverse route as needed:

l Enable: Enforces to use a reverse route. If the reverse route is not

available, packets will be dropped. This option is enabled by
default.

l Close: Reverse route will not be used. When reaching the interface
the reverse data stream will be returned to its original route without
any reverse route check. That is, reverse packets will be sent from the
ingress interface that initializes the packets.

l Auto: Reverse route will be prioritized. If available, the reverse

route will be used to send packets; otherwise the ingress interface
that initializes the packets will be used as the egress interface that
sends reverse packets.
Tunnel Binding Bind the interface to a IPSec VPN tunnel or a SSL VPN tunnel. One tunnel
interface can be bound to multiple IPSec VPN tunnels, while only to one
SSL VPN tunnel.

l IPSec VPN: Select IPSec VPN radio button. Specifies a name for the
IPSec VPN tunnel that is bound to the interface. And then select a
next-hop address for the tunnel, which can be either the IP address
or the egress IP address of the peering tunnel interface. This para-
meter, which is 0.0.0.0 by default, is only valid when multiple IPSec
VPN tunnels should be bound to the tunnel interface.

l SSL VPN: Select SSL VPN radio button. Specifies a name for the SSL
VPN tunnel that is bound to the interface.

3. In the IPv6 Configuration tab, configure the followings.

Option Description

Enable Enable IPv6 on the interface.

IPv6 Address Specifies the IPv6 address prefix.
Prefix Length Specifies the prefix length.
Autoconfig Select the checkbox to enable Auto-config function. In the address auto-
config mode, the interface receives the address prefix in RA packets first,
and then combines it with the interface identifier to generate a global
address.

l Set Default Route - If the interface is configured with a default

router, this option will generate a default route to the default
router.
Advanced

Static Click Add button to add several IPv6 address, at most 5 IPv6 address.
Click Delete button to delete IPv6 address.
Dynamic Shows IPv6 address which is dynamic.

Link-local Specifies link-local address. Link-local address is used for communication

between adjacent nodes of a single link, for example, communication

43 Chapter 5 Network
 Option Description

between hosts when there is no router on the link. By default the system
will generate a link-local address for the interface automatically if the
interface is enabled with IPv6 (in the interface configuration mode, use
the command ipv6 enable). You can also specify a link-local address for
the interface as needed, and the specified link-local address will replace
the automatically generated one.
MTU Specifies an IPv6 MTU for an interface.

DAD Attempts Specifies NS packet attempts times. The value range is 0 to 20. Value 0
indicates DAD is not enabled on the interface. If the system does not
receive any NA response packet after sending NS packets for the
attempts times, it will verify the IPv6 address is the unique available
address.
DAD (Duplicate Address Detection) is designed to verify the uniqueness
of IPv6 addresses. This function is implemented by sending NS (Neigh-
bor Solicitation) requests. After receiving an NS packet, if any other host
on the link finds the address of the NS requester is duplicated, it will
send an NA (Neighbor Advertisement) packet advertising the address is
already in use, and then the NS requester will mark the address as Duplic-
ate, indicating the address is an invalid IPv6 address.

ND Interval Specifies an interval for sending NS packets.

ND Reachable Specifies reachable time. After sending an NS packet, if the interface
Time receives acknowledge from a neighbor within the specified time, it will
consider the neighbor as reachable. This time is known as reachable time.
Hop Limit Specifies the hop limit. Hop limit refers to the maximum number of hops
for IPv6 or RA packets sent by the interface.

ND RA Suppress Select the checkbox to disable RA suppress on LAN interfaces.

By default Ethernet and FDDI interfaces with IPv6 unicast route con-
figured will send RA packets automatically, and interfaces of other types
will not send RA packets.

Manage Specifies the manage IP/MASK.

IP/MASK

4. "In the Properties tab, configure properties for the interface." on Page 39

5. "In the Advanced tab, configure advanced options for the interface." on Page 40

6. "In the RIP tab, configure RIP for the interface." on Page 40

7. Click OK.

Crea ting a Virtua l Forw a rd Interfa c e

This feature may not be available on all platforms. Please check your system's actual page to see if your device delivers
this feature.
To create a virtual forward interface:

1. Select Network > Interface.

2. Select New > Virtual Forward Interface.

Chapter 5 Network 44
 In the Basic tab, configure the followings.
Option Description

Interface Name Specifies a name for the virtual forward interface.

Description Enter descriptions for the virtual forward interface.
Binding Zone If Layer 3 zone is selected, you should also select a security zone from
the Zone drop-down list, and the interface will bind to a Layer 3 zone. If
TAP is selected, the interface will bind to a tap zone. If No Binding is
selected, the interface will not bind to any zone.
Zone Select a security zone from the Zone drop-down list.
IP Configuration

45 Chapter 5 Network
 Option Description

Static IP IP address: Specifies an IP address for the interface.

Netmask: Specifies a netmask for the interface.
Set as Local IP: In a HA environment, if specify this option, the interface
IP will not synchronize to the HA peer.
Enable DNS Proxy: Select this check box to enable DNS proxy for the inter-
face.

l When the general DNS proxy is in use, the client in the network
still gets DNS replies from the DNS server configured on itself. If
the DNS server address is configured as an interface address of
Hillstone device, the device will work as a DNS server;

l When the transparent DNS proxy is in use, all DNS requests are
replied by the Hillstone device. In such a case, there is no need to
edit DNS configuration on each client. DNS service can be easily con-
trolled by modifying the device's DNS configuration.

Enable DNS Bypass: Select this check box to enable DNS bypass for the
interface.
Advanced:

l Management IP: Specifies a management IP for the interface. Type

the IP address into the box.

l Secondary IP: Specifies secondary IPs for the interface. You can
specify up to 6 secondary IP addresses.
DHCP: In the DHCP Configuration dialog, configure DHCP options for
the interface. For detailed instructions, see "DHCP" on Page 70.
DDNS: In the DDNS Configuration dialog, configure DDNS options for
the interface. For detailed instructions, see "DDNS" on Page 74.
Auto-obtain Set gateway information from DHCP server as the default gateway route:
With this check box selected, system will set the gateway information
provided by the DHCP server as the default gateway route.
Advanced:

l Distance: Specifies a route distance. The value range is 1 to 255. The

default value is 1.

l Weight: Specifies a route weight. The value range is 1 to 255. The

default value is 1.

l Management Priority: Specifies a priority for the DNS server. Except

for static DNS servers, system can also learn DNS servers dynamically
via DHCP or PPPoE. Therefore, you need to configure priorities for
the DNS servers, so that the system can choose a DNS server accord-
ing to its priority during DNS resolution. The priority is represented
in numbers from 1 to 255. The larger the number is, the higher the
priority is. The priority of static DNS servers is 20.

DDNS: In the DDNS Configuration dialog, configure DDNS options for

the interface. For detailed instructions, see "DDNS" on Page 74.
Management Select one or more management method check boxes to configure the
interface management method.
Reverse Route Enable or Disable reverse route as needed:

Chapter 5 Network 46
 Option Description
l Enable: Enforces to use a reverse route. If the reverse route is not
available, packets will be dropped. This option is enabled by
default.

l Close: Reverse route will not be used. When reaching the interface
the reverse data stream will be returned to its original route without
any reverse route check. That is, reverse packets will be sent from the
ingress interface that initializes the packets.

l Auto: Reverse route will be prioritized. If available, the reverse

route will be used to send packets; otherwise the ingress interface
that initializes the packets will be used as the egress interface that
sends reverse packets.
WAP Traffic Dis- Select the Enable check box and configure as follows:
tribution
l Destination IP Replacement: Select the Enable check box, and spe-
cify the logs you need to record. If All is selected in WAP Log
Record section, system will record all the traffic logs; while if
Destination IP Replacement radio button is selected, system will
record logs for the translated traffic.

l Destination Service Port 1/Destination Service Port 2: Specifies the

HTTP port number for the WAP gateway.

3. "In the IPv6 Configuration tab, configure the followings." on Page 43

4. "In the Properties tab, configure properties for the interface." on Page 39

5. "In the Advanced tab, configure advanced options for the interface." on Page 40

6. "In the RIP tab, configure RIP for the interface." on Page 40

7. Click OK.

Crea ting a Loopba c k Interfa c e

To create a loopback interface:

1. Select Network > Interface.

2. Click New > Loopback Interface.

47 Chapter 5 Network
 In the Basic tab, configure the followings.
Option Description

Interface Name Specifies a name for the loopback interface.

Description Enter descriptions for the loopback interface.
Binding Zone If Layer 3 zone is selected, you should also select a security zone from
the Zone drop-down list, and the interface will bind to a Layer 3 zone. If
TAP is selected, the interface will bind to a tap zone. If No Binding is
selected, the interface will not bind to any zone.
Zone Select a security zone from the Zone drop-down list.
HA sync Select this check box to enable HA Sync function, which means disable
Local property and use virtual MAC, and the primary device will syn-
chronize its information with the backup device; don’t select this check
box to disable HA Sync function, which means enable Local property and
use original MAC, and the primary device will not synchronize its inform-
ation with the backup device.
IP Configuration

Chapter 5 Network 48
 Option Description

Static IP IP address: Specifies an IP address for the interface.

Netmask: Specifies a netmask for the interface.
Set as Local IP: In a HA environment, if specify this option, the interface
IP will not synchronize to the HA peer.
Enable DNS Proxy: Select this check box to enable DNS proxy for the inter-
face.

l When the general DNS proxy is in use, the client in the network
still gets DNS replies from the DNS server configured on itself. If
the DNS server address is configured as an interface address of
Hillstone device, the device will work as a DNS server;

l When the transparent DNS proxy is in use, all DNS requests are
replied by the Hillstone device. In such a case, there is no need to
edit DNS configuration on each client. DNS service can be easily con-
trolled by modifying the device's DNS configuration.

Enable DNS Bypass: Select this check box to enable DNS bypass for the
interface.
Advanced:

l Management IP: Specifies a management IP for the interface. Type

the IP address into the box.

l Secondary IP: Specifies secondary IPs for the interface. You can
specify up to 6 secondary IP addresses.
DHCP: In the DHCP Configuration dialog, configure DHCP options for
the interface. For detailed instructions, see "DHCP" on Page 70.
DDNS: In the DDNS Configuration dialog, configure DDNS options for
the interface. For detailed instructions, see "DDNS" on Page 74.
Auto-obtain Set gateway information from DHCP server as the default gateway route:
With this check box selected, system will set the gateway information
provided by the DHCP server as the default gateway route.
Advanced:

l Distance: Specifies a route distance. The value range is 1 to 255. The

default value is 1.

l Weight: Specifies a route weight. The value range is 1 to 255. The

default value is 1.

l Management Priority: Specifies a priority for the DNS server. Except

for static DNS servers, system can also learn DNS servers dynamically
via DHCP or PPPoE. Therefore, you need to configure priorities for
the DNS servers, so that the system can choose a DNS server accord-
ing to its priority during DNS resolution. The priority is represented
in numbers from 1 to 255. The larger the number is, the higher the
priority is. The priority of static DNS servers is 20.

DDNS: In the DDNS Configuration dialog, configure DDNS options for

the interface. For detailed instructions, see "DDNS" on Page 74.
Management Select one or more management method check boxes to configure the
interface management method.
Reverse Route Enable or Disable reverse route as needed:

49 Chapter 5 Network
 Option Description
l Enable: Enforces to use a reverse route. If the reverse route is not
available, packets will be dropped. This option is enabled by
default.

l Close: Reverse route will not be used. When reaching the interface
the reverse data stream will be returned to its original route
without any reverse route check. That is, reverse packets will be
sent from the ingress interface that initializes the packets.

l Auto: Reverse route will be prioritized. If available, the reverse

route will be used to send packets; otherwise the ingress interface
that initializes the packets will be used as the egress interface that
sends reverse packets.
WAP Traffic Dis- Select the Enable check box and configure as follows:
tribution
l Destination IP Replacement: Select the Enable check box, and spe-
cify the logs you need to record. If All is selected in WAP Log
Record section, system will record all the traffic logs; while if
Destination IP Replacement radio button is selected, system will
record logs for the translated traffic.

l Destination Service Port 1/Destination Service Port 2: Specifies the

HTTP port number for the WAP gateway.

3. "In the IPv6 Configuration tab, configure the followings." on Page 43

4. "In the Properties tab, configure properties for the interface." on Page 39

5. "In the Advanced tab, configure advanced options for the interface." on Page 40

6. "In the RIP tab, configure RIP for the interface." on Page 40

7. Click OK.

Crea ting a n Aggrega te Interfa c e

To create an aggregate interface:

1. Select Network > Interface.

2. Click New > Aggregate Interface.

Chapter 5 Network 50
3. In the Basic tab, configure the followings.
Option Description

Interface Specifies a name for the aggregate interface.

Name
Description Enter descriptions for the aggregate interface.
Binding Zone Specifies the zone type.
If Layer 3 or Layer 2 zone is selected, you should also select a security zone
from the Zone drop-down list, and the interface will bind to a Layer 3 or
Layer 2 zone.
If TAP is selected, the interface will bind to a tap zone.
If No Binding is selected, you should also select a VLAN/aggregate inter-
face/redundant interface:

Belong to Description
VLAN Acess mode The interface in Access mode is designed for
(one VLAN) terminal users and only allows packets from
one VLAN to pass through.
Trunk mode The interface in Trunk mode is typically used
(multiple for inter-connections between devices, and
VLANs) allows packets from multiple VLANs to pass
through. When Native VLAN is configured,
the interface will delete the tag of the Native
VLAN packets being transmitted, and add a
Native VLAN tag to the received packets with
no tag set.
Aggregate The interface you specified belongs to an aggregate inter-
Interface face. Choose an aggregate interface which the aggregate
interface belongs to from the Interface Group drop-down
list.
Redundant This interface belongs to an aggregate interface. Select
Interface that aggregate interface from the Interface Group drop-
down list.
None This interface does not belong to any object.

Zone Select a security zone from the Zone drop-down list.

51 Chapter 5 Network
 Option Description

LACP l Forced: Aggregates multiple physical interfaces to form an aggregate

interface. These physical interfaces will share the traffic passing
through the aggregate interface averagely.

l Enables LACP on the interface to negotiate aggregate interfaces dynam-

ically. LACP options are:

l System priority: Specifies the LACP system priority. The value

range is 1 to 32768, the default value is 32768. This parameter is
used to assure the interfaces of two ends are consistent. The sys-
tem will select interfaces based on the end with higher LACP sys-
tem priority. The smaller the value is, the higher the priority will
be. If the LACP system priorities of the two ends are equal, the sys-
tem will compare MACs of the two ends. The smaller the MAC is,
the higher the priority will be.

l Max bundle: Specifies the maximum active interfaces. The value

range is 1 to 16, the default value is 16. When the active interfaces
reach the maximum number, the status of other legal interfaces
will change to Standby.

l Min bundle: Specifies the minimum active interfaces. The value

range is 1 to 8, the default value is 1. When the active interfaces
reach the minimum number, the status of all the legal interfaces in
the aggregation group will change to Standby automatically and
will not forward any traffic.

HA sync Select this check box to enable HA sync function. The primary device will
synchronize its information with the backup device.
IP Configuration

Chapter 5 Network 52
 Option Description

Static IP IP address: Specifies an IP address for the interface.

Netmask: Specifies a netmask for the interface.
Set as Local IP: In a HA environment, if specify this option, the interface IP
will not synchronize to the HA peer.
Enable DNS Proxy: Select this check box to enable DNS proxy for the inter-
face.

l When the general DNS proxy is in use, the client in the network still
gets DNS replies from the DNS server configured on itself. If the DNS
server address is configured as an interface address of Hillstone
device, the device will work as a DNS server;

l When the transparent DNS proxy is in use, all DNS requests are replied
by the Hillstone device. In such a case, there is no need to edit DNS con-
figuration on each client. DNS service can be easily controlled by modi-
fying the device's DNS configuration.

Enable DNS Bypass: Select this check box to enable DNS bypass for the inter-
face.
Advanced:

l Management IP: Specifies a management IP for the interface. Type

the IP address into the box.

l Secondary IP: Specifies secondary IPs for the interface. You can spe-
cify up to 6 secondary IP addresses.
DHCP: In the DHCP Configuration dialog, configure DHCP options for the
interface. For detailed instructions, see "DHCP" on Page 70.
DDNS: In the DDNS Configuration dialog, configure DDNS options for the
interface. For detailed instructions, see "DDNS" on Page 74.
Auto-obtain Set gateway information from DHCP server as the default gateway route:
With this check box selected, system will set the gateway information
provided by the DHCP server as the default gateway route.
Advanced:

l Distance: Specifies a route distance. The value range is 1 to 255. The

default value is 1.

l Weight: Specifies a route weight. The value range is 1 to 255. The

default value is 1.

l Management Priority: Specifies a priority for the DNS server. Except for
static DNS servers, system can also learn DNS servers dynamically via
DHCP or PPPoE. Therefore, you need to configure priorities for the
DNS servers, so that the system can choose a DNS server according to
its priority during DNS resolution. The priority is represented in num-
bers from 1 to 255. The larger the number is, the higher the priority is.
The priority of static DNS servers is 20.

DDNS: In the DDNS Configuration dialog, configure DDNS options for the
interface. For detailed instructions, see "DDNS" on Page 74.
PPPoE Obtain IP through PPPoE。Configure the following options：

l User - Specifies a username for PPPoE.

l Password - Specifies PPPoE user's password.

53 Chapter 5 Network
 Option Description
l Confirm password - Enter the password again to make confirmation.

l Idle interval - If the PPPoE interface has been idling (no traffic) for a cer-
tain period, i.e., the specified idle interval, system will disconnect the
Internet connection; if the interface requires Internet access, system will
connect to Internet automatically. The value range is 0 to 10000
minutes. The default value is 30.

l Re-connect interval - Specifies a re-connect interval (i.e., system will try

to re-connect automatically after being disconnected for the interval).
The value range is 0 to 10000 seconds. The default value is 0, which
means the function is disabled.

l Set gateway information from PPPoE server as the default gateway

route - With this checkbox selected, system will set the gateway inform-
ation provided by PPPoE server as the default gateway route.

Management Select one or more management method check boxes to configure the inter-
face management method.
Reverse Route Enable or Disable reverse route as needed:

l Enable: Enforces to use a reverse route. If the reverse route is not

available, packets will be dropped. This option is enabled by default.

l Close: Reverse route will not be used. When reaching the interface the
reverse data stream will be returned to its original route without any
reverse route check. That is, reverse packets will be sent from the
ingress interface that initializes the packets.

l Auto: Reverse route will be prioritized. If available, the reverse route

will be used to send packets; otherwise the ingress interface that ini-
tializes the packets will be used as the egress interface that sends
reverse packets.
WAP Traffic Select the Enable check box and configure as follows:
Distribution
l Destination IP Replacement: Select the Enable check box, and spe-
cify the logs you need to record. If All is selected in WAP Log Record
section, system will record all the traffic logs; while if Destination IP
Replacement radio button is selected, system will record logs for the
translated traffic.

l Destination Service Port 1/Destination Service Port 2: Specifies the

HTTP port number for the WAP gateway.

4. "In the IPv6 Configuration tab, configure the followings." on Page 43

5. "In the Properties tab, configure properties for the interface." on Page 39

6. "In the Advanced tab, configure advanced options for the interface." on Page 40

7. "In the RIP tab, configure RIP for the interface." on Page 40

8. In the Load Balance tab, configure a load balance mode for the interface. "Flow-based" means enabling automatic
load balance based on the flow. This is the default mode. "Tuple" means enabling load based on the source/des-
tination IP, source/destination MAC, source/destination interface or protocol type of packet, or the combination of
the selected items.

9. Click OK.

Crea ting a Redunda nt Interfa c e

To create a redundant interface:

Chapter 5 Network 54
1. Select Network > Interface.

2. Click New > Redundant Interface.

3. "In the Basic tab, configure the followings." on Page 51

4. "In the IPv6 Configuration tab, configure the followings." on Page 43

5. "In the Properties tab, configure properties for the interface." on Page 39

6. "In the Advanced tab, configure advanced options for the interface." on Page 40

7. "In the RIP tab, configure RIP for the interface." on Page 40

8. Click OK.

Crea ting a n Ethernet Sub-interfa c e/a n Aggrega te Sub-interfa c e/a Redunda nt

Sub-interfa c e
To create an ethernet sub-interface/an aggregate sub-interface/a redundant sub-interface:

1. Select Network > Interface.

2. Click New > Ethernet Sub-interface/Aggregate Sub-interface/Redundant Sub-interface.

3. In the Basic tab, configure the followings.

Option Description

Interface Name Specifies a name for the virtual forward interface.

Description Enter descriptions for the virtual forward interface.
Binding Zone If Layer 3 zone is selected, you should also select a security zone from
the Zone drop-down list, and the interface will bind to a Layer 3 zone. If
TAP is selected, the interface will bind to a tap zone. If No Binding is
selected, the interface will not bind to any zone.
Zone Select a security zone from the Zone drop-down list.
IP Configuration

55 Chapter 5 Network
 Option Description

Static IP IP address: Specifies an IP address for the interface.

Netmask: Specifies a netmask for the interface.
Set as Local IP: In a HA environment, if specify this option, the interface
IP will not synchronize to the HA peer.
Enable DNS Proxy: Select this check box to enable DNS proxy for the inter-
face.

l When the general DNS proxy is in use, the client in the network
still gets DNS replies from the DNS server configured on itself. If
the DNS server address is configured as an interface address of
Hillstone device, the device will work as a DNS server;

l When the transparent DNS proxy is in use, all DNS requests are
replied by the Hillstone device. In such a case, there is no need to
edit DNS configuration on each client. DNS service can be easily con-
trolled by modifying the device's DNS configuration.

Enable DNS Bypass: Select this check box to enable DNS bypass for the
interface.
Advanced:

l Management IP: Specifies a management IP for the interface. Type

the IP address into the box.

l Secondary IP: Specifies secondary IPs for the interface. You can
specify up to 6 secondary IP addresses.
DHCP: In the DHCP Configuration dialog, configure DHCP options for
the interface. For detailed instructions, see "DHCP" on Page 70.
DDNS: In the DDNS Configuration dialog, configure DDNS options for
the interface. For detailed instructions, see "DDNS" on Page 74.
Auto-obtain Set gateway information from DHCP server as the default gateway route:
With this check box selected, system will set the gateway information
provided by the DHCP server as the default gateway route.
Advanced:

l Distance: Specifies a route distance. The value range is 1 to 255. The

default value is 1.

l Weight: Specifies a route weight. The value range is 1 to 255. The

default value is 1.

l Management Priority: Specifies a priority for the DNS server. Except

for static DNS servers, system can also learn DNS servers dynamically
via DHCP or PPPoE. Therefore, you need to configure priorities for
the DNS servers, so that the system can choose a DNS server accord-
ing to its priority during DNS resolution. The priority is represented
in numbers from 1 to 255. The larger the number is, the higher the
priority is. The priority of static DNS servers is 20.

DDNS: In the DDNS Configuration dialog, configure DDNS options for

the interface. For detailed instructions, see "DDNS" on Page 74.
PPPoE Obtain IP through PPPoE。Configure the following options：(Effective
only when creating a aggregate sub-interface)

l User - Specifies a username for PPPoE.

Chapter 5 Network 56
 Option Description
l Password - Specifies PPPoE user's password.

l Confirm password - Enter the password again to make confirmation.

l Idle interval - If the PPPoE interface has been idling (no traffic) for a
certain period, i.e., the specified idle interval, system will disconnect
the Internet connection; if the interface requires Internet access, sys-
tem will connect to Internet automatically. The value range is 0 to
10000 minutes. The default value is 30.

l Re-connect interval - Specifies a re-connect interval (i.e., system will

try to re-connect automatically after being disconnected for the
interval). The value range is 0 to 10000 seconds. The default value is
0, which means the function is disabled.

l Set gateway information from PPPoE server as the default gateway

route - With this checkbox selected, system will set the gateway
information provided by PPPoE server as the default gateway route.

Management Select one or more management method check boxes to configure the
interface management method.
Reverse Route Enable or Disable reverse route as needed:

l Enable: Enforces to use a reverse route. If the reverse route is not

available, packets will be dropped. This option is enabled by
default.

l Close: Reverse route will not be used. When reaching the interface
the reverse data stream will be returned to its original route without
any reverse route check. That is, reverse packets will be sent from the
ingress interface that initializes the packets.

l Auto: Reverse route will be prioritized. If available, the reverse

route will be used to send packets; otherwise the ingress interface
that initializes the packets will be used as the egress interface that
sends reverse packets.
WAP Traffic Dis- Select the Enable check box and configure as follows:
tribution
l Destination IP Replacement: Select the Enable check box, and spe-
cify the logs you need to record. If All is selected in WAP Log
Record section, system will record all the traffic logs; while if
Destination IP Replacement radio button is selected, system will
record logs for the translated traffic.

l Destination Service Port 1/Destination Service Port 2: Specifies the

HTTP port number for the WAP gateway.

4. "In the IPv6 Configuration tab, configure the followings." on Page 43

5. "In the Properties tab, configure properties for the interface." on Page 39

6. "In the Advanced tab, configure advanced options for the interface." on Page 40

7. "In the RIP tab, configure RIP for the interface." on Page 40

8. Click OK.

Crea ting a VSw itc h Interfa c e/a VLAN Interfa c e

To create a VSwitch interface/a VLAN interface:

57 Chapter 5 Network
 1. Select Network > Interface.

2. Click New > VSwitch Interface/VLAN Interface.

3. "In the Basic tab, configure the followings." on Page 45

4. "In the IPv6 Configuration tab, configure the followings." on Page 43

5. "In the Properties tab, configure properties for the interface." on Page 39

6. "In the Advanced tab, configure advanced options for the interface." on Page 40

7. "In the RIP tab, configure RIP for the interface." on Page 40

8. Click OK.

Editing a n Interfa c e
To edit an interface:

1. Select Network > Interface.

2. Select the interface you want to edit from the interface list and click Edit.

3. In the Basic tab, configure the followings.

Option Description

Interface Name Specifies a name for the interface.

Description Enter descriptions for the interface.
Binding Zone Specifies the zone type.
If Layer 3 or Layer 2 zone is selected, you should also select a security
zone from the Zone drop-down list, and the interface will bind to a Layer
3 or Layer 2 zone.
If TAP is selected, the interface will bind to a tap zone.
If No Binding is selected, you should also select a VLAN/aggregate inter-
face/redundant interface:

Belong to Description
VLAN Acess The interface in Access mode is designed for
mode(one terminal users and only allows packets from
VLAN) one VLAN to pass through.
Trunk The interface in Trunk mode is typically
mode(mul- used for inter-connections between devices,
tiple and allows packets from multiple VLANs to
VLANs) pass through. When Native VLAN is con-
figured, the interface will delete the tag of
the Native VLAN packets being transmitted,
and add a Native VLAN tag to the received
packets with no tag set.
Aggregate The interface you specified belongs to a aggregate inter-
Interface face. Choose an aggregate interface which the aggreg-
ate interface belongs to from Interface Group drop-down
list.
Redundant This interface belongs to an aggregate interface. Select
Interface that aggregate interface from the Interface Group drop-
down list.
None This interface does not belong to any object.

LACP l Forced: Aggregates multiple physical interfaces to form an aggreg-

Chapter 5 Network 58
 Option Description
ate interface. These physical interfaces will share the traffic passing
through the aggregate interface averagely.

l Enables LACP on the interface to negotiate aggregate interfaces

dynamically. LACP options are:

l System priority: Specifies the LACP system priority. The value

range is 1 to 32768, the default value is 32768. This parameter is
used to assure the interfaces of two ends are consistent. The sys-
tem will select interfaces based on the end with higher LACP sys-
tem priority. The smaller the value is, the higher the priority will
be. If the LACP system priorities of the two ends are equal, the
system will compare MACs of the two ends. The smaller the
MAC is, the higher the priority will be.

l Max bundle: Specifies the maximum active interfaces. The value

range is 1 to 16, the default value is 16. When the active inter-
faces reach the maximum number, the status of other legal inter-
faces will change to Standby.

l Min bundle: Specifies the minimum active interfaces. The value

range is 1 to 8, the default value is 1. When the active interfaces
reach the minimum number, the status of all the legal interfaces
in the aggregation group will change to Standby automatically
and will not forward any traffic.

Zone Select a security zone from the Zone drop-down list.

IP Configuration

59 Chapter 5 Network
 Option Description

Static IP IP address: Specifies an IP address for the interface.

Netmask: Specifies a netmask for the interface.
Set as Local IP: In a HA environment, if specify this option, the interface
IP will not synchronize to the HA peer.
Enable DNS Proxy: Select this check box to enable DNS proxy for the inter-
face.

l When the general DNS proxy is in use, the client in the network
still gets DNS replies from the DNS server configured on itself. If
the DNS server address is configured as an interface address of
Hillstone device, the device will work as a DNS server;

l When the transparent DNS proxy is in use, all DNS requests are
replied by the Hillstone device. In such a case, there is no need to
edit DNS configuration on each client. DNS service can be easily con-
trolled by modifying the device's DNS configuration.

Enable DNS Bypass: Select this check box to enable DNS bypass for the
interface.
Advanced:

l Management IP: Specifies a management IP for the interface. Type

the IP address into the box.

l Secondary IP: Specifies secondary IPs for the interface. You can
specify up to 6 secondary IP addresses.
DHCP: In the DHCP Configuration dialog, configure DHCP options for
the interface. For detailed instructions, see "DHCP" on Page 70.
DDNS: In the DDNS Configuration dialog, configure DDNS options for
the interface. For detailed instructions, see "DDNS" on Page 74.
Auto-obtain Set gateway information from DHCP server as the default gateway route:
With this check box selected, system will set the gateway information
provided by the DHCP server as the default gateway route.
Advanced:

l Distance: Specifies a route distance. The value range is 1 to 255. The

default value is 1.

l Weight: Specifies a route weight. The value range is 1 to 255. The

default value is 1.

l Management Priority: Specifies a priority for the DNS server. Except

for static DNS servers, system can also learn DNS servers dynamically
via DHCP or PPPoE. Therefore, you need to configure priorities for
the DNS servers, so that the system can choose a DNS server accord-
ing to its priority during DNS resolution. The priority is represented
in numbers from 1 to 255. The larger the number is, the higher the
priority is. The priority of static DNS servers is 20.

DDNS: In the DDNS Configuration dialog, configure DDNS options for

the interface. For detailed instructions, see "DDNS" on Page 74.
PPPoE User: Specifies a username for PPPoE.
Password: Specifies PPPoE user's password.
Confirm Password: Enter the password again to make confirmation.

Chapter 5 Network 60
 Option Description

Idle Interval: If the PPPoE interface has been idling (no traffic) for a cer-
tain period, i.e., the specified idle interval, system will disconnect the
Internet connection; if the interface requires Internet access, system
will connect to Internet automatically. The value range is 0 to 10000
minutes. The default value is 30.
Re-connect Interval: Specifies a re-connect interval (i.e., system will
try to re-connect automatically after being disconnected for the inter-
val). The value range is 0 to 10000 seconds. The default value is 0,
which means the function is disabled.
Set gateway information from PPPoE server as the default gateway
route: With this check box selected, system will set the gateway inform-
ation provided by PPPoE server as the default gateway route.
Advanced Access concentrator: Specifies a name for the con-
centrator.
Authentication: The devices will have to pass PPPoE
authentication when trying to connect to a PPPoE
server. The supported authentication methods include
CHAP, PAP and Any (the default, anyone between CHAP
and PAP). Click an authentication method.
Netmask: Specifies a netmask for the IP address
obtained via PPPoE.
Static IP: You can specify a static IP address and nego-
tiate to use this address to avoid IP change. To specify a
static IP address, type it into the box.
Service: Specifies allowed service. The specified ser-
vice must be the same with that provided by the PPPoE
server. If no service is specified, Hillstone will accept
any service returned from the server automatically.
Distance: Specifies a route distance. The value range is
1 to 255. The default value is 1.
Weight: Specifies a route weight. The value range is 1
to 255. The default value is 1.
DDNS: In the DDNS Configuration dialog, configure DDNS options for
the interface. For detailed instructions, see "DDNS" on Page 74.

Management Select one or more management method check boxes to configure the
interface management method.
Reverse Route Enable or Disable reverse route as needed:

l Enable: Enforces to use a reverse route. If the reverse route is not

available, packets will be dropped. This option is enabled by
default.

l Close: Reverse route will not be used. When reaching the interface
the reverse data stream will be returned to its original route without
any reverse route check. That is, reverse packets will be sent from the
ingress interface that initializes the packets.

l Auto: Reverse route will be prioritized. If available, the reverse

route will be used to send packets; otherwise the ingress interface
that initializes the packets will be used as the egress interface that
sends reverse packets.
WAP Traffic Dis- Select the Enable check box and configure as follows:
tribution

61 Chapter 5 Network
 Option Description
l Destination IP Replacement: Select the Enable check box, and spe-
cify the logs you need to record. If All is selected in WAP Log
Record section, system will record all the traffic logs; while if
Destination IP Replacement radio button is selected, system will
record logs for the translated traffic.

l Destination Service Port 1/Destination Service Port 2: Specifies the

HTTP port number for the WAP gateway.

4. "In the IPv6 Configuration tab, configure the followings." on Page 43

5. In the Properties tab, configure properties for the interface.

Property Description

Duplex Specifies a duplex working mode for the interface. Options include auto,
full duplex and half duplex. Auto is the default working mode, in which
the system will select the most appropriate duplex working mode auto-
matically. 1000M half duplex is not supported.
Rate Specifies a working rate for the interface. Options include Auto, 10M,
100M and 1000M. Auto is the default working mode, in which the system
will detect and select the most appropriate working mode automatically.
1000M half duplex is not supported.
Combo type This option is applicable to the Combo port of copper port + fiber port. If
both the copper port and the fiber port are plugged with cable, the fiber
port will be prioritized by default; if the copper port is used at first, and
then the cable is plugged into the fiber port, after reboot the fiber port
will be used for data transmission. You can specify how to use a copper
port or fiber port. For detailed options, see the following instructions:

l Auto: The above default scenario.

l Copper forced: The copper port is enforced.

l Copper preferred: The copper port is prioritized.

l Fiber forced: The fiber port is enforced.

l Fiber preferred: The fiber port is prioritized. With this option con-
figured, the device will migrate the traffic on the copper port to the
fiber port automatically without reboot.

MTU Specifies a MTU for the interface. The value range is 1280 to 1500/1800
bytes. The default value is 1500. The max MTU may vary from different
Hillstone models.
ARP Learning Select the Enable checkbox to enable ARP learning.
ARP Timeout Specifies an ARP timeout for the interface. The value range is 5 to 65535
seconds. The default value is 1200.
Keep-alive IP Specifies an IP address that receives the interface's keep-alive packets.
MAC clone Select the MAC clone check box to enable the MAC clone funtion. The
system clones a MAC address to the Ethernet sub-interface. If the user
click "Restore Default MAC", the Ethernet sub-interface will retore the
default MAC address.

6. "In the Advanced tab, configure advanced options for the interface." on Page 40

7. "In the RIP tab, configure RIP for the interface." on Page 40

8. Click OK.

Chapter 5 Network 62
 Note:
l Before deleting an aggregate/redundant interface, you must cancel other interfaces' bind-
ings to it, aggregate/redundant sub-interface's configuration, its IP address configuration
and its binding to the security zone.

l An Ethernet interface can only be edited but cannot be deleted.

l When a VSwitch interface is deleted, the corresponding VSwitch will be deleted as well.

63 Chapter 5 Network
MGT Interface
This feature may not be available on all platforms. Please check your system's actual page to see if your device delivers
this feature.
To facilitate the management to the device and meet the requirement of separating the management traffic from the
data traffic, system has an independent management interface(MGT Interface). By default, the management interface
belongs to the trust zone and the trust-vr virtual router. To separate the traffic of the management interface from the
traffic of other interfaces completely, you can add the management interface to the mgt zone. The mgt zone belongs to
the mgt-vr virtual router, the information of routing, ARP table are independent.

Co nfiguring a MGT I nterface

To configure a MGT interface:

1. Select Network > MGT Interface.

2. Specify the zone for the management interface in the Zone drop-down list. You can only select a Lay 3 zone.

3. Specify the method of obtaining IP address in the IP Configuration section. "Static IP" means specifying a static IP
address and the netmask. Click Advanced to specify the secondary IP address into the text box. You can specify
up to 6 secondary IP addresses. "Auto-obtain" means obtaining the IP address through DHCP.

4. Specify the management methods by selecting the "Telnet/SSH/Ping/HTTP/HTTPS/SNMP" check boxes of the
desired management methods.

5. Specify the mode and rate of the management interface. If you select the Auto duplex transmission mode , you can
only select the Auto rate.

6. Select the Shut Down check box to shut down the management interface.

7. Click OK.

Chapter 5 Network 64
VLAN
This feature may not be available on all platforms. Please check your system's actual page to see if your device delivers
this feature.
VLAN, the abbreviation for Virtual Local Area Network, is defined in IEEE 802.1Q. VLAN has the following features:

l A physical LAN can be divided into multiple VLANs, and a VLAN might include devices from multiple physical net-
works.

l A VLAN is virtually a broadcast domain. Layer 2 packets between VLANs are isolated. Communications between
VLANs can only be implemented by Layer 3 route technique (through routers, Layer 3 switches or other Layer 3
network devices).
VLANs are differentiated by VLAN numbers. The value range is 1 to 4094. System reserves 32 VLAN numbers (224 to
255) for BGroup, but the unused numbers within the range are also available to VLANs.

Co nfiguring a V LAN
To create a VLAN:

1. Select Network > VLAN.

2. Click New.
In the VLAN Configuration dialog, type a number in the VLAN ID text box, the value range is from 1 to 4094.

3. Click OK.

65 Chapter 5 Network
DNS
DNS, the abbreviation for Domain Name System, is a computer and network service naming system in form of domain
hierarchy. DNS is designed for TCP/IP network to query for Internet domain names (e.g., www.xxxx.com) and trans-
late them into IP addresses (e.g., 10.1.1.1) to locate related computers and services.
The security device's DNS provides the following functions:

l Server: Configures DNS servers and default domain names for the security device.

l Proxy: The security device acts as a DNS proxy server and provides proxy service for the connected PCs and other
clients. Besides, the security device can also choose different DNS servers according to domain names.

l Analysis: Sets retry times and timeout for device's DNS service.

l Cache: DNS mappings to cache to speed up query. You can create, edit and delete DNS mappings.

l NBT Cache: Displays NBT cache information.

Co nfiguring a D NS Server
You can configure a DNS server for system to implement DNS resolution. To create a DNS server:

1. Select Network > DNS > DNS Server.

2. click New in the DNS Server section.

3. In the DNS Server Configuration dialog, type the IP address for the DNS server into the Server IP box.

4. Select a VRouter from the VR drop-down list. The default VRouter is trust-vr.

5. Select an interface from the Egress Interface drop-down list. This parameter is mainly used for multi-egress DNS
agent. If only for the device's DNS, you can keep the default "----".

6. Click OK.

Co nfiguring a D NS Pro xy
To enable a DNS proxy:

1. Configure a DNS proxy list that contains domain names and corresponding DNS servers.

2. Enable DNS proxy on an interface of the device (For more details, see "Configuring an Interface" on Page 38).

3. Connect the client to the interface with DNS proxy enabled.

To create a DNS proxy:

1. Select Network > DNS > DNS Proxy.

2. click New in the DNS Proxy section.

3. In the DNS Proxy Configuration dialog, specify a suffix for a domain name in the Domain Type section.

4. In the Domain Server section, specify a DNS server or servers. "Use system" means using the DNS server
bundled with system."User-defined" means defining IP address for the server. Click User-defined and select a
VRouter from the VR drop-down list, then type the IP address for the DNS servers into the boxes below (6 servers
at most).

5. Click OK.
The multi-egress DNS proxy supports DNS management , which provides load balancing for the configured egress
interfaces of DNS servers. Then system sends DNS request packets out from the egress interface with lower band-
width utilization . Enable " DNS Balance Configuration" to realize this function, for detailed information, refer to Con-
figuring outbound LLB.

Chapter 5 Network 66
Co nfiguring a Analysis
Analysis configuration includes DNS requests' retry times and timeout.

l Retry: If the DNS request is not responded after timeout, system will send the request again; if still not responded
after the specified retry times (i.e., the repetition times of the DNS request), System will send the request to the
next DNS server.

l Timeout: System will wait for DNS server's response after sending the DNS request, and will send the request
again if no response returns after a specified time. The period of waiting for response is known as timeout.
To configure the retry times and timeout for DNS requests:

1. Select Network > DNS > Analysis

2. Select the retry times radio button.

3. Select the timeout values radio button.

4. Type the value in the TTL text box to specify the survival time of the response message for the device's DNS.

5. Click Apply.

Co nfiguring a D NS Cache
When using DNS, system might store the DNS mappings to its cache to speed up the query. There are three ways to
obtain DNS mappings:

l Dynamic: Obtains from DNS response.

l Static: Adds DNS mappings to cache manually.

l Register: DNS hosts specified by some modules of security devices, such as NTP, AAA, etc.
For convenient management , DNS static cache supports group function, which means users make the multiple
domain hosts with the same IP address and virtual router be a DNS static cache group.
To add a static DNS mapping to cache:

1. Select Network > DNS > Cache

2. Click New.

67 Chapter 5 Network
 Option Description

Hostname Specify the hostname of a DNS cache group. You can click to add or

click button to delete the specified hostname. The maximum number

of domain hosts is 128, and the maximum length of each hostname is
255 characters.
IP Specify the host IPv4 address of a DNS cache group. You can click to

add or click button to delete the specified IP. The maximum number
host IP address is 8, and the earlier configured IP will be matched first.
Virtual Router Select a VRouter.

3. Click OK.

Note:

l Only DNS static cache group can support new, edit and delete operation , while dynamic
and register cache cannot .

l The DNS dynamic cache can be deleted by command or the lifetime reset. For detailed
information , refer to StoneOS CLI User Guide and download PDF on website.

l User can clear the register cache only by deleting the defined hosts in function module.

l DNS static cache is superior to dynamic and register cache, which means the static cache
will cover the same existed dynamic or register cache.

NB T Cache
System supports NetBIOS name resolution. With this function enabled, system can automatically obtain all the
NetBIOS host names registered by the hosts within the managed network, and store them in the cache to provide IP
address to NetBIOS host name query service for other modules.
Enabling a NetBIOS name resolver is the pre-requisition for displaying host names in NAT logs. For more information
on how to display host names in the NAT logs, see "Log Configuration" on Page 443.

Chapter 5 Network 68
To enable NetBIOS for a zone, select the NBT cache check box when creating or editing the zone. For more details, see
"Security Zone" on Page 35. The security zone with NetBIOS enabled should not be the zone that is connected to WAN.
After NetBIOS is enabled, the query process might last for a while, and the query result will be added to the NetBIOS
cache table. System will perform the query again periodically and update the result.

Note: Only when PCs have NetBIOS enabled can their host names be queried. For more inform-
ation on how to enable NetBIOS, see the detailed instructions of your PC's Operating System.

To clear NBT cache:

1. Select Network > DNS > NBT Cache.

2. Select a VRouter from the VR drop-down list to display NBT cache in that VRouter.

3. Select a NBT cache entry from the list and click Delete.

69 Chapter 5 Network
DHCP
DHCP, the abbreviation for Dynamic Host Configuration Protocol, is designed to allocate appropriate IP addresses and
related network parameters for subnetworks automatically, thus reducing requirement on network administration.
Besides, DHCP can avoid address conflict to assure the re-allocation of idle resources.
System supports DHCP client, DHCP server and DHCP relay proxy.

l DHCP client: The interface can be configured as a DHCP client and obtain IP addresses from the DHCP server. For
more information on configuring a DHCP client, see "Configuring an Interface" on Page 38.

l DHCP server: The interface can be configured as a DHCP server and allocate IP addresses chosen from the con-
figured address pool for the connected hosts.

l DHCP relay proxy: The interface can be configured as a DHCP relay proxy to obtain DHCP information from the
DHCP server and forward the information to connected hosts.
The security devices are designed with all the above three DHCP functions, but an individual interface can be only con-
figured with one of the above functions.

Co nfiguring a D H CP Server
To create a DHCP server:

1. Select Network > DHCP.

2. Select New > DHCP Server.

3. In the DHCP Configuration dialog, configure as follows:

Option Description

Interface Configures a interface which enables the DHCP server.

Gateway Configures a gateway IP for the client.
Netmask Configures a netmask for the client.
DNS1 Configures a primary DNS server for the client. Type the server's IP
address into the box.
DNS2 Configures an alternative DNS server for the client. Type the server's IP
address into the box.
Address pool Configures an IP range in the address pool. The IPs within this range will
be allocated. Take the following steps:

Chapter 5 Network 70
 Option Description
1. Type the start IP and end IP into the Start IP and End IP box respect-
ively.

2. Click Add to add an IP range which will be displayed in the list

below.

3. Repeat the above steps to add more IP ranges. To delete an IP

range, select the IP range you want to delete from the list and click
Delete.

4. Configure Reserved Address ( IP addresses in the Reserved Address, within the IP range of the address pool, are
reserved for the DHCP server and will not be allocated).
To configure a reserved address, click the Reserved Address tab, type the start and end IP for an IP range into
the Start IP and End IP box respectively, and then click Add. To delete an IP range, select the IP range you want to
delete from the list and then click Delete.

5. Configure IP-MAC Binding. If the IP is bound to a MAC address manually, the IP will only be allocated to the spe-
cified MAC address.
To configure an IP-MAC Binding, click the IP-MAC Binding tab and type the IP and MAC address into the IP
address and MAC box respectively, type the description in the Description text box if necessary, and then click
Add. Repeat the above steps to add multiple entries. To delete an IP-MAC Binding, select an entry from the list and
click Delete.

6. In the Option tab, configure the options supported by DHCP server

Option Description

49 After you configure the option 49 settings, the DHCP client can obtain
the list of the IP addresses of systems that are running the X window Sys-
tem Display Manager.
To configure the option 49 settings:

1. Select 49 from the Option drop-down list.

2. Enter the IP address of the system that is running the X window

System Display Manager into the IP address box.

3. Click Add.

4. Repeat the above steps to add multiple entries. To delete an entry,

select it from the list and click Delete.
60 After configuring the VCI carried by option 60 for DHCP server, the DHCP
packets sent by the DHCP server will carry this option and the cor-
responding VCI.

1. Select 60 from the Option drop-down list.

2. Select the type of the VCI, ASCII or HEX. When selecting ASCII, the
VCI matching string must be enclosed in quotes if it contains spaces.

3. Enter the VCI in the Sign text box.

4. Click Add.

5. Click OK to save the settings.

138 The DHCP server uses option 138 to carry a list of 32-bit (binary) IPv4
addresses indicating one or more CAPWAP ACs available to the WTP.
Then the WTP discovers and connects to the AC according to the
provided AC list.

71 Chapter 5 Network
 Option Description
1. Select 138 from the Option drop-down list.

2. Enter the AC IP address in the IP address text box.

3. Click Add.
You can add up to four AC IP addresses.
If you do not set the option 138 for the DHCP server or the DHCP client
does not request option 138, DHCP server will not offer the option 138
settings.

7. Click the Advanced tab to configure the DHCP server's advanced options.
Option Description

Domain The domain name configured by the DHCP client.

Lease Specifies a lease time. The value range is 300 to 1048575 seconds. The
default value is 3600. Lease is the period during which a client is allowed
to use an IP address, starting from the time the IP address is assigned.
After the lease expired, the client will have to request an IP address again
from the DHCP server.
Auto configure Enables automatic configuration. Select an interface with DHCP client
enabled on the same gateway from the drop-down list. "----"indicates
auto configure is not enabled.
Auto configure will function in the following condition: Another inter-
face with DHCP configured on the device enables DHCP client. When
auto configure is enabled, if the DHCP server (Hillstone device) does not
have DNS, WINS or domain name configured, the DHCP client (DHCP)
will dispatch the DNS, WINS and domain name information obtained
from a connected DHCP server to the host that obtains such information
from the DHCP server (Hillstone device). However, the DNS, WINS and
domain name that are configured manually still have the priority.

WINS1 Configures a primary WINS server for the client. Type the server's IP
address into the box.
WINS2 Configures an alternative WINS server for the client. Type the server's IP
address into the box.
SMTP server Configures a SMTP server for the client. Type the server's IP address into
the box.

POP3 server Configures a POP3 server for the client. Type the server's IP address into
the box.

News server Configures a news server for the client. Type the server's IP address into
the box.

Relay agent When the device1 with DHCP server enabled is connected to another
device2 with DHCP relay enabled, and the PC obtains device1's DHCP
information from device2, then only when the relay agent's IP address
and netmask are configured on device1 can the DHCP information be
transmitted to the PC successfully.
Relay agent: Type relay agent's IP address and netmask, i.e., the IP
address and netmask for the interface with relay agent enabled on
device2.

VCI-match-string The DHCP server can verify the VCI carried by option 60 in the client’s
DHCP packets. When the VCI in client’s DHCP packet matches the VCI
matching string you configured in the DHCP server, DHCP server will
offer the IP address and other corresponding information. If not, DHCP

Chapter 5 Network 72
 Option Description
server will drop client’s DHCP packets and will not reply to the client. If
you do not configure a VCI matching string for the DHCP server, it will
ignore the VCI carried by option 60.

1. Select the type of the VCI matching string, ASCII or HEX. When
selecting ASCII, the VCI matching string must be enclosed in
quotes if it contains spaces.

2. Enter the VCI matching string in the text box.

8. Click OK.

Co nfiguring a D H CP Relay Pro xy

The device can act as a DHCP relay proxy to receive requests from a DHCP client and send requests to the DHCP server,
and then obtain DHCP information from the server and return it to the client.
To create a DHCP relay proxy:

1. Select Network > DHCP.

2. Click New > DHCP Relay Proxy.

3. In the DHCP Relay Proxy dialog, select an interface to which the DHCP Relay Proxy will be applied from the Inter-
face drop-down list.

4. Type the IP addresses of DHCP servers into the Server 1/Server 2/Server 3 boxes.

5. Click OK.

73 Chapter 5 Network
DDNS
DDNS (Dynamic Domain Name Server) is designed to resolve fixed domain names to dynamic IP addresses. Generally
you will be allocated with a dynamic IP address from ISP each time you connect to the Internet, i.e., the allocated IP
addresses for different Internet connections will vary. DDNS can bind the domain name to your dynamic IP address,
and the binding between them will be updated automatically each time you connect to Internet.
In order to enable DDNS, you will have to register in a DDNS provider to obtain a dynamic domain name. Hillstone
devices support the following 5 DDNS providers, and you can visit one of the following websites to complete regis-
tration:

l dyndns.org: http://dyndns.com/dns

l 3322.org: http://www.pubyun.com

l no-ip.com: http://www.noip.com

l Huagai.net: http://www.ddns.com.cn

l ZoneEdit.com: http://www.zoneedit.com

Co nfiguring a D D NS
To create a DDNS, take the following steps:

1. Select Network > DDNS.

2. Click New.

Chapter 5 Network 74
3. In the DDNS Configuration dialog, configure as follows:
Option Description

DDNS name Specifies the name of DDNS.

Interface Specifies the interface to which DDNS is applied.
Host name Specifies the domain name obtained from the DDNS provider.
Provider Specifies a DDNS provider. Choose one from the drop-down list.
Server name Specifies a server name for the configured DDNS.
Server port Specifies a server port number for the configured DDNS. The value range
is 1 to 65535.

Username Specifies the username registered in the DDNS provider.

Password Specifies the corresponding password.

Confirm pass- Enter the password again to confirm.

word
Min update inter- When the IP address of the interface with DDNS enabled changes, sys-
val tem will send an update request to the DDNS server. If the request is not
responded, system will send the request again according to the con-
figured min update interval. For example, if the min update interval is set
to 5 minutes, then system will send the second request 5 minutes after
the first request failure; if failed again, system will send the request again
10 (5x2) minutes later; and 20 (10x2) minutes later, so and forth. The
value will not increase anymore when reaching 120, that is, system will
send the request at a fixed interval of 120 minutes. Type the min update
interval into the box. The value range is 1 to 120 minutes. The default
value is 5.

Max update inter- On the condition that IP address has not changed, system will send an
val update request to the DDNS server at the max update interval. Type the
max update interval into the box. The value range is 24 to 8760 hours.
The default value is 24.

4. Click OK.

Note: The Server name and Server port in the configuration options must be the cor-
responding name and port of the DDNS server. Do not configure these options if the exact
information is unknown. The server will return the name and port information automatically
after connection to the DDNS server has been established successfully.

75 Chapter 5 Network
PPPoE
PPPoE, the abbreviation for Point-to-Point Protocol over Ethernet, combines PPP protocol and Ethernet to implement
access control, authentication and accounting on clients during IP address allocation.
The implementation of PPPoE protocol consists of two stages: discovery stage and PPP session stage.

l Discovery stage: The client discovers the access concentrator by identifying the Ethernet MAC address of the
access concentrator and establishing a PPPoE session ID.

l PPP session stage: The client and the access concentrator negotiate over PPP. The negotiation procedure is the
same with that of a standard PPP negotiation.
Interfaces can be configured as PPPoE clients to accept PPPoE connections.

Co nfiguring PPPo E
To create a PPPoE instance:

1. Select Network > PPPoE.

2. Click New.

3. In the PPPoE Configuration dialog, configure as follows.

Option Description

PPPoE Name Specifies a name for the PPPoE instance.

Interface Select an interface from the drop-down list.
Username Specifies a username.
Password Specifies the corresponding password.
Conform pass- Enter the password again to make confirmation.
word
Idle Interval Automatic connection. If the PPPoE interface has been idling (no traffic)
for a certain period, i.e., the specified idle interval, system will disconnect

Chapter 5 Network 76
 Option Description

the Internet connection; if the interface requires Internet access, system

will connect to Internet automatically. The value range is 0 to 10000
minutes. The default value is 30.
Re-connect Inter- If the PPPoE connection has been disconnected due to any reasons for a
val certain period, i.e., the specified re-connect interval, system will try to re-
connect automatically. The value range is 0 to 10000 seconds. The default
value is 0, which means the function is disabled.
Access Con- Specifies a name for the concentrator.
centrator
Authentication The devices will have to pass PPPoE authentication when trying to con-
nect to a PPPoE server. The supported authentication methods include
CHAP, PAP and Any (the default, anyone between CHAP and PAP). To
configure a PPPoE authentication method, click the authentication you
want to select. The configured authentication must be the same with that
configured in the PPPoE server.
Netmask Specifies a netmask for the IP address obtained via PPPoE.
Distance Specifies a route distance. The value range is 1 to 255. The default value
is 1.
Weight Specifies a route weight. The value range is 1 to 255. The default value is
1.
Service Specifies allowed service. The specified service must be the same with
that provided by the PPPoE server. If no service is specified, system will
accept any service returned from the server automatically.
Static IP You can specify a static IP address and negotiate to use this address to
avoid IP change. To specify a static IP address, type it into the Static IP
box.

4. Click OK.

77 Chapter 5 Network
Virtual Wire
System supports VSwitch-based Virtual Wire. With this function enabled and Virtual Wire interface pair configured,
two Virtual Wire interfaces form a virtual wire that connects the two subnetworks attaching to Virtual Wire interface
pair together. The two connected subnetworks can communicate directly on Layer 2, without any requirement on MAC
address learning or other sub network's forwarding. Furthermore, controls of policy rules or other functions are still
available when Virtual Wire is used.
Virtual Wire operates in two modes, which are Strict and Non-Strict mode respectively, as detailed below:

l Strict Virtual Wire mode: Packets can only be transmitted between Virtual Wire interfaces, and the VSwitch
cannot operate in Hybrid mode. Any PC connected to Virtual Wire can neither manage devices nor access Internet
over this interface.

l Non-Strict Virtual Wire mode: Packets can be transmitted between Virtual Wire interfaces, and the VSwitch
also supports data forwarding in Hybrid mode. That is, this mode only restricts Layer 2 packets' transmission
between Virtual Wire interfaces, and does not affect Layer 3 packets' forwarding.
The table below lists packet transmission conditions in Strict Virtual Wire and Non-Strict Virtual Wire mode. You can
choose an appropriate Virtual Wire mode according to the actual requirement.

Packet Strict Non-strict

Egress and ingress are interfaces of one Virtual Wire interface pair Allow Allow
Ingress is not Virtual Wire's interface Deny Deny
Egress and ingress are interfaces of different Virtual Wire interface Deny Deny
pairs
Ingress of to-self packet is a Virtual Wire’s interface Deny Allow
Ingress is Virtual Wire's interface, and egress is a Layer 3 interface Deny Allow

Co nfiguring a V irtual-Wire
To create a Virtual-Wire:

1. Select Network > Virtual-Wire.

2. Click New.

3. In the Virtual-Wire Configuration dialog, select a virtual switch from the VSwitch drop-down list.

4. In the Interface 1 drop-down list, specify an interface for virtual wire interface pair. The two interfaces of one
single virtual wire interface pair must be different, and one interface cannot belong to two virtual wire interface
pairs simultaneously.

5. In the Interface 2 drop-down list, specify an interface for virtual wire interface pair. The two interfaces of one
single virtual wire interface pair must be different, and one interface cannot belong to two virtual wire interface
pairs simultaneously.

6. Click OK.

Co nfiguring the V irtual Wire Mo de

To configure a virtual wire mode:

1. Select Network > Virtual-Wire.

2. Click Virtual-Wire Mode.

3. In the Virtual-Wire Mode Configuration dialog, select a virtual switch from the VSwitch drop-down list.

Chapter 5 Network 78
4. Specify a virtual wire mode from one of the below options:

l Strict - Packets can only be transmitted between virtual wire interfaces, and the VSwitch cannot operate in
Hybrid mode. Any PC connected to the virtual wire can neither manage devices nor access Internet over this
interface.

l Non-strict - Packets can be transmitted between virtual wire interfaces, and the VSwitch also supports data
forwarding in Hybrid mode. That is, this mode only restricts Layer 2 packets' transmission between virtual
wire interfaces, and does not affect Layer 3 packets' forwarding.

l Disabled - Disables the virtual wire.

5. Click OK.

79 Chapter 5 Network
Virtual Router
Virtual Router (VRouter) is known as VR in the system. VR acts as a router, and different VRs have their own inde-
pendent routing tables. A VR named "trust-vr" is bundled with the system, and by default all the Layer 3 security
zones are bound to trust-vr automatically. Hillstone devices support multiple VRs, and the max amount of supported
VRs may vary from different hardware platforms. Multiple VRs divide a device into multiple virtual routers, and each of
the routers utilizes and maintains their completely independent routing table. In such a case one single device is act-
ing as multiple routers. Multiple VRs allow a device to achieve the effects of the address isolation between different
route zones and address overlapping between different VRs, as well as to avoid route leaking to some extent, enhan-
cing route security of network. For more information about the relationship between interface, security zone, VSwitch
and VRouter, see the following diagram:

As shown above, the binding relationship between them are:

l Interfaces are bound to security zones. Those that are bound to Layer 2 security zones and Layer 3 security zones
are known as Layer 2 interfaces and Layer 3 interfaces respectively. One interface can be only bound to one secur-
ity zone; the primary interface and sub interface can belong to different security zones.

l Security zones are bound to a VSwitch or VRouter. Layer 2 security zones are bound to a VSwitch (by default the
pre-defined Layer 2 security zone is bound to the default VSwitch1), and Layer 3 security zones are bound to a
VRouter (by default the pre-defined Layer 3 security zone is bound to the default trust-vr), thus realizing the bind-
ing between the interfaces and VSwitch or VR. One security zone can be only bound to one VSwtich or VR.

Creating a V irtual Ro uter

To create a Virtual Router:

1. Select Network > Virtual Router > Virtual Router.

2. Click New.

3. Type the name into the Virtual Router name box.

4. Select the Enable check box for Vsys Share to share the Virtual Router between different virtual systems.

5. Click OK.

Glo bal Co nfiguratio n

Virtual Router's global configuration is the configuration for multiple Virtual Routers. To configure Multi-Virtual Router:

1. Select Network > Virtual Router > Global Configuration.

2. Select the Enable check box for Multi-Virtual Router.

3. Click Apply.

Chapter 5 Network 80
 Note:

l After Multi-Virtual Router is enabled or disabled, the system must reboot to make it take
effect. After rebooting, system's max concurrent sessions will decrease by 15% if the func-
tion is enabled, or restore to normal if the function is disabled. When AV and Multi-Virtual
Router are enabled simultaneously, the max concurrent session will further decrease by
50% (with AV enabled, the max concurrent session will decrease by half). The formula is:
Actual max concurrent sessions = original max concurrent sessions*(1-0.15)*(1-0.5).

l If Multi-Virtual Router is enabled, traffic can traverse up to 3 Virtual Routers, and any
traffic that has to traverse more than 3 Virtual Routers will be dropped.

81 Chapter 5 Network
Virtual Switch
System might allow packets between some interfaces to be forwarded in Layer 2 (known as transparent mode), and
packets between some interfaces to be forwarded in Layer 3 (known as routing mode), specifically depending on
actual requirement. To facilitate a flexible configuration of hybrid mode of Layer 2 and Layer3, the system introduces
the concept of Virtual Switch (VSwitch). By default the system ships with a VSwitch known as VSwitch1. Each time you
create a VSwitch, the system will create a corresponding VSwitch interface (VSwitchIF) for the VSwitch automatically.
You can bind an interface to a VSwitch by binding that interface to a security zone, and then binding the security zone
to the VSwitch.
A VSwitch acts as a Layer 2 forwarding zone, and each VSwitch has its own independent MAC address table, so the
packets of different interfaces in one VSwitch will be forwarded according to Layer 2 forwarding rules. You can con-
figure policy rules conveniently in a VSwitch. A VSwitchIF virtually acts as a switch uplink interface, allowing packets
forwarding between Layer 2 and Layer 3.

Creating a V Sw itch
To create a VSwitch:

1. Select Network > VSwitch.

2. Click New.

Options are described as belows.

Option Description

VSwitch Name Specifies a name for the VSwitch.

Vsys Shared Select Enable check box and then system will share the VSwitch in dif-
ferent VSYS.
Virtual-Wire Specifies a Virtual-Wire mode for the VSwitch, including (for specific
Mode information on Virtual Wire, see "Virtual Wire" on Page 78)

l Strict - Packets can only be transmitted between Virtual Wire inter-

faces, and the VSwitch cannot operate in Hybrid mode. Any PC con-
nected to Virtual Wire can neither manage devices nor access
Internet over this interface.

l Non-strict - Packets can be transmitted between Virtual Wire inter-

faces, and the VSwitch also supports data forwarding in Hybrid
mode. That is, this mode only restricts Layer 2 packets' transmission
between Virtual Wire interfaces, and does not affect Layer 3 packets'
forwarding.

l Disabled - Disables Virtual Wire.

IGMP Snooping Enables IGMP snooping on the VSwitch.

Forward Tagged Enables VLAN transparent so that the device can transmit VLAN tagged
Packets packets transparently, i.e., packets tagged with VLAN ID will still keep the
original ID after passing through the device.
Forward Double Enables VLAN transparent so that the device can transmit VLAN double
Tagged Packets tagged packets transparently, i.e., packets tagged with VLAN ID will still
keep the original ID after passing through the device.

Drop Unknown Drops the packets sent to unknown multicast to save bandwidth.
Multicast Packets

3. Click OK.

Chapter 5 Network 82
Port Mirroring
Some low-end platforms do not support port mirroring.
The device is designed with port mirroring on Ethernet interfaces. This function allows users to mirror the traffic of
one interface to another interface (analytic interface) for analysis and monitoring.
To configure port mirroring:

1. Enable port mirroring on an Ethernet interface, and select the traffic type to be mirrored.

2. Configure a destination interface.

To configure the destination interface of port mirroring:

1. Select Network > Port Mirroring.

2. Select an interface from the Destination Interface drop-down list, and click OK. All the source and destination
interface will be listed in the table below.

83 Chapter 5 Network
WLAN
This feature may not be available on all platforms. Please check your system's actual page to see if your device delivers
this feature.
WLAN (Wireless Local Area Network) represents the local area network that uses the wireless channel as the medial.
WLAN is important supplements and extensions of the wired LAN. By configuring the WLAN function, you can estab-
lish the wireless local area network and allow the users to access LAN through wireless mode.

Creating a WLAN
To create a WLAN:

1. Select Network > WLAN.

2. Click New.

In the WLAN Configuration dialog, specify the following information.

Option Description

SSID Specifies the name of the WLAN.

WLAN Interface Specifies the WLAN interface bound to this newly-created WLAN.
SSID Broadcast Selects Enable to enable the SSID broadcast. After enabling SSID broad-
cast, any user can search it.
Security Mode Configures the security mode:

l No encryption - Do not perform the encryption.

l MAC-PSK - Integrates MAC authentication with WPA-WPA2-PSK

authentication.

l WEP - Specifies the security mode as wired equivalent privacy.

l WPA、 WPA2 - Specifies the security mode as Wi-FI and uses

802.1X authentication. WPA and WPA2 have stronger per-
formance than WEP. The safety of WPA2 is more reliable than
WPA.

l WPA-WPA2 - Compatible with WPA and WPA-2.

l WPA-PSK、 WPA2-PSK - Specifies the security mode as Wi-FI

and uses the pre-shared key authentication.

l WPA-WPA2-PSK - Compatible with WPA-PSK and WPA2-PSK.

Link-lay- When using the WEP security mode, specifies the authentication
erAuthentication mode for the WLAN.
Mode
l open-system - The default authentication mode. This is the easi-
est authentication, ie. do not certify.

l shared-key - Certify with the same shared key authentication.

Data Encryption When using the security mode except WEP, specifies the data encryp-
tion mode, including TKIP, CCMP, and TKIP-CCMP.

Key When using the WEP security mode, specifies the form and the value
of the key. The form of the key can be character string or hexadecimal
number. When using character string, you can specify 5 characters or
13 characters. When using hexadecimal number, you can specify 10
hexadecimal numbers or 26 hexadecimal numbers.

Pre-shared Key When using the MAC-PSK, WPA-PSK, WPA2-PSK, WPA-WPA2-PSK

Chapter 5 Network 84
 Option Description
security modes, specifies the form and the value of the pre-defined
key. The form of the key can be character string or hexadecimal num-
ber. When using character string, you can specify 8-63 characters.
When using hexadecimal number, you can specify 64 hexadecimal
numbers.

Maximum Users Specifies the allowed maximum number of users that can access this
WLAN. The value ranges from 1 to 128. The default value is 64.

User Isolation Select Enable to enable the user isolation function. After enabling the
user isolation, users within one WLAN cannot access each other. User
isolation enhances the security for different users.

AAA Server When specifying the security mode as WPA, WPA2, WPA-WPA2, or
MAC-PSK, you must select a configured AAA server as the authen-
tication server for user identification.

3. Click OK.

Advanced Settings
To configure the advanced settings for WLAN:

1. Select Network > WLAN.

2. Click Advanced.

3. In the Advanced dialog, specify the following information.

Option Description

Countries & Regions Different countries or regions have different management and lim-
itations on RF use. The country/region code determines the avail-
able frequency range, channel, and legal level of transmit power.
The default value is United States.
Working Mode Configure the working mode.

l 802.11b represents that the interface works in the 802.11b

mode.

l 802.11g represents that the interface works in the 802.11g

mode.

l 802.11an represents that the interface works in the 802.11n

mode of 5GHz.

l 802.11bgn represents that the interface works in the 802.11n

mode of 2.4GHz.

Channel The available channels you can select vary with the country/region
code and RF type. The default value is auto, which represents to ask
the system to select the channel automatically. After the coun-
try/region code or the operation mode is changed, the system will
select the channel automatically.
Maximum Transmit The maximum transmit power varies with the country/region code
Power and RF type. By default, there are four levels: 12.5% of the max-
imum transmit power, 25% of the maximum transmit power, 50% of
the maximum transmit power, and 100% of the maximum transmit
power.

4. Click OK.

85 Chapter 5 Network
3G
This feature may not be available on all platforms. Please check your system's actual page to see if your device delivers
this feature.
The third generation of mobile telecommunications technology supports the high speed data transmission. There are
three standards of 3G: CDMA2000, WCDMA, and TD-SCDMA. By configuring the 3G function, users can access Inter-
net through wireless mode.
The 3G function needs the support of ISP. Before configuring the 3G function, you need to purchase the SIM card from
the ISP, enable the data connection service, and obtain the following 3G parameters: access point, username, pass-
word, dial-up string and install SIM card correctly.

Co nfiguring 3G Settings
To configure 3G settings:

1. Select Network > 3G.

2. In the 3G tab, you can view the 3G connection status in the Status section. Click Connect to connect to the 3G net-
work.

3. Select Enable to enable the 3G function. By default, the 3G function is enabled.

4. Enter the name of the access point in the Access point text box. You can enter up to 31 characters.

5. Specify the 3G user information. In the Username text box, enter the username of the 3G user. You can enter up
to 31 characters. In the Password text box, enter the corresponding password.

6. Configure the dial-up string. Ask your ISP to provide the dial-up string and enter the dial-up string in the Dial
number text box.

7. Specify the authentication mode. When 3G dial-up establishes the connection, it needs to pass the PPP protocol
verification. The device supports the following verification methods: CHAP, PAP, and Any. Select the desired
method by selecting the Authentication radio button.

8. Configure the IP address information for the 3G interface. Select Auto-obtain to make the 3G interface obtain the
IP address automatically. Select Static IP to enter the static IP address and the netmask.

9. Specify the online mode in Redialing options. 3G dial-up has two online modes as follows:

l Redial interval: when the 3G connection disconnects due to certain reasons and the disconnection time lasts
the specified length of time, the system will redial automatically. Specify the length of time in the Redial inter-
val text box.

l Idle time before hanging up: When the idle time of the 3G (cellular) interface reaches the specified value, the

Chapter 5 Network 86
 system will disconnection the 3G connection. Specify the length of time in the Idle time before hanging up
text box.

Note: The above two modes cannot be used meanwhile. Without configuring the
schedule, the system will use the "Redial interval" mode by default.

10. Specify the security zone of the 3G interface.

11. Click OK.

Note: After installing the SIM card, the system can automatically configure the settings in the
3G tab based on the information of the 3G module. The settings include the name of the access
point, 3G user information, and dial-up string. You can modify the settings according to your
requirements.

Managing D ata Card

PIN (Personal Identification Number) code is used to identify the user of the SIM card and avoid the illegal use of the
SIM card.

Autom a tic a lly Verifying the PIN Code

After enabling the PIN code protection, you can save the PIN code in the system. After the system reboots, it can auto-
matically verify the PIN code.
To automatically verify the PIN code:

1. Select Network > 3G.

2. Click Data Card tab.

3. Enter the PIN code in the PIN Code text box. The value ranges from 4 to 8 numbers.

4. Click Apply to make the system save the PIN code.

Note: After three consecutive failed attempts at PIN code, the SIM card will be locked.

Ena bling/D is a bling the PIN Code Protec tion

To enable/disable the PIN code protection:

1. Select Network > 3G.

2. Click Data Card tab.

3. Click Enable PIN code protection in the PIN code management section to enable the PIN code protection function.
To disable the function, click Disable PIN code protection.

4. nter the PIN code in the PIN code text box. The PIN code consists of 4-8 decimal numbers.

5. Click Apply.

87 Chapter 5 Network
Modifying the PIN Code
To modify the PIN code:

1. Select Network > 3G.

2. Click Data Card tab.

3. Click Change PIN code in the PIN code management section.

4. Specify the current PIN code in the Current PIN code text box. The PIN code consists of 4-8 decimal numbers.

5. Specify a new PIN code in the New PIN code text box. The PIN code consists of 4-8 decimal numbers.

6. Confirm the new PIN code in the Confirm PIN code text box.

7. Click Apply.

Ma nua lly Verifying the PIN Code

To manually verify the PIN code:

1. Select Network > 3G.

2. Click Data Card tab.

3. click Verify PIN Code in the PIN code management section.

4. Enter the PIN code in the PIN code text box. The PIN code consists of 4-8 decimal numbers.

5. Click Apply.

Unloc k ing the PIN Code

If the SIM card is locked, you need to obtain the PUK code from the ISP to unlock the SIM card and set the new PIN
code. To use the PUK code to unlock the PIN code:

1. Select Network > 3G.

2. Click Data Card tab.

3. Click Unlock PIN Code in the PIN code management section.

4. Enter the PUK code in the PUK code text box.

5. Specify a new PIN code in the New PIN code text box. The PIN code consists of 4-8 decimal numbers.

6. Confirm the new PIN code in the Confirm PIN code text box.

7. Click Apply.

Chapter 5 Network 88
Link Load Balancing
For users who rent multiple ISP links, Link Load Balancing(LLB) takes advantage of dynamic link detection technique to
assign traffic to different links appropriately, thus making full use of all available link resources.
You can enable LLB in inbound and outbound directions respectively. The two directions adopts two different dynamic
link detection techniques: network parameter detection and SmartDNS.

Co nfiguring Outbo und LLB

You can configure a flexible LLB profile to bind to the route (the current system only supports DBR and PBR), forming
LLB rules to implement outbound dynamic link load balancing, and thus make efficient use of network bandwidth.

Configuring LLB Profile

The LLB profile contains the parameters of the load balancing algorithm, such as bandwidth utilization threshold,
probe switch, probe mode, and equalization direction.

1. Select Network > Outbound > Profile.

2. Click New.

89 Chapter 5 Network
 3. In the LLB Profile Configurion, configure as follows:
Option Description

Profile Name Specifies the Profile name,length of 1-96 char-

acters
Bandwidth Specifies the bandwidth utilization threshold.
It is in the range of 0-100 (0% -100%) and
Utilization
defaults to 60.

Detect Enable or disable the detect function.When

the function is enabled, the system detects the
network link status according to the para-
meters configured by the user and then selects
the optimal route. The priority is as follows:
1. Select the optimal link with low packet loss,
low delay, and small jitter when each link does
not exceed the configured bandwidth
threshold.
2. When the optimal link exceeds the band-
width threshold, select the sub-optimal link,
and then down;
3. When all links exceed the bandwidth
threshold, increase the bandwidth on each link
synchronously so as to keep the bandwidth
usage on each link as close as possible.
When the function is disabled,the system does
not send detect packets, and can not know the
delay, packet loss, and jitter of each link. There-
fore, the system adjusts the load according to
the bandwidth occupancy of each egress link.

Subnet Mask When the detect function is enabled, you need

to configure the destination IP address of the
detect. The system will randomly grab a num-
ber of IP probes in the network segment and
record the detection results to load balance
the system. It is in the range of 20 to 32 and
defaults to 28.
Balance Mode There are two equalization modes: High Per-
formance and High Compatibility.

l High Performance - In this mode, the sys-

tem adjusts link to keep the link balance
as fast as possible

l High Compatibility - When the link load

changes, the system does not switch the
link frequently, but ensures that the ser-
vice is as far as possible on the previous
link. Only when the previous link is over-
loaded, This mode is suitable for services
that are sensitive to link switching, such as
banking services.

Description Configure Additional details of llb profile.

4. Click OK.

Chapter 5 Network 90
Configuring LLB Rule
LLB Profile and the route is bound to the formation of LLB rules, it can really take effect, currently support binding des-
tination routing (DBR) and policy-based routing (PBR).

1. Select Network > Outbound > Rule.

2. Click New.

3. In the LLB Rule Configurion, configure as follows:

Option Description

Rule Name Specifies the Rule name,length of 1-96 char-

acters
Profile Name Specifies the bandwidth utilization threshold.
It is in the range of 0-100 (0% -100%) and
defaults to 60.

Bind Route Specify the route to be bound in the

rule:Destination Route or Policy Based Route.

l Destination Route - When this option is

selected, specify the Vrouter and des-
tination address of the destination route.

l Policy Based Route - Select this option to

specify the name and id of the policy
route.

4. Click OK.

Configuring D NS Ba la nc e
When the LLB DNS balancing function is enabled, the system will load balance the outgoing interfaces of all the con-
figured DNS servers. The DNS request packets will be redirected to the link with lower load.
To enable DNS Balance:

1. SelectNetwork >Outbound >DNS Balance Configuration.

2. Select Enable. The system will enable DNS Balance.

91 Chapter 5 Network
 Note: To enable LLB DNS equalization, you must first enable the DNS transparent proxy func-
tion.

Co nfiguring I nbo und LLB

After enabling LLB for inbound traffic, system will resolve domains to different IPs based on the sources of DNS
requests, and return IPs for different ISPs to the corresponding users who initiate the requests, thus reducing
accesses across ISPs. Such a resolution method is known as SmartDNS.
You can enable inbound LLB by the following steps:

1. Enable SmartDNS. This is the prerequisite for the implementation of inbound LLB.

2. Configure a SmartDNS rule table. The smart domain-to-IP resolution is implemented based on the rule table.

Crea ting a Sm a rtD NS Rule T a ble

To create a SmartDNS rule table:

1. Select Network > Inbound.

2. Click New > Domain Table.

3. In the Domain Configuration dialog, type a domain table name into Domain Table text box.

4. Type a domain name into Domain text box. Separate multiple domain names with comma. Each rule table supports
up to 64 domain names (case insensitive).

5. Click OK.

6. In the Inbound LLB page, click the domain table name you already created and then click New > SmartDNS
Rule.

Chapter 5 Network 92
 In the New SmartDNS Rule, configure as follows:
Option Description

ISP Static Select a predefined or user-defined ISP from the drop-down list. If the
Address source address matches any address entry of the ISP, system will return
the specified IP.

Return IP Specifies the return IP for different request sources. Options include:

l IP - Specifies the return IP. You can configure up to 64 IPs for a

domain name.

l Weight - Specifies the weight of the return IP. The value range is 1
to 100. The default value is 1. In the SmartDNS rule table, one
domain name might correspond to multiple IPs. The system will
sort the IPs based on the weight and then return to the users.
ISP Link Specifies the proximity address to which the request source address will
be matched. If the source address matches any proximity address entry
of the interface,
system will return the specified IP. Options include:

l Inbound Interface - Select the proximity address to which the

request source address will be matched from the drop-down list.

l Track Object - Select a track object of interface type from the drop-
down list, or create a new track object. When the track object fails,
the proximity address on the corresponding interface will also fail.

7. Click OK.

Note:

l The priority of proximity address is lower than that of the ISP static address. The system
will not match the proximity address unless the matching of ISP static address fails.

l The ISP route being referenced by the SmartDNS rule table cannot be deleted.

l The status of the SmartDNS rule table can be active or inactive, specifically relying on the
configured interface and track object on the interface:

l If only ISP is configured while interface is not configured, then the rule status will
always be active;

l If interface is configured but it is not configured with track object, then the rule status
will be active when the protocol status of the interface is UP, and will be inactive when
the protocol status is DOWN;

l If interface is configured and it is configured with track object, then the rule status
will be active when track succeeds, and will be inactive when track fails.

93 Chapter 5 Network
Application Layer Gateway (ALG)
Some applications use multi-channels for data transmission, such as the commonly used FTP. In such a condition the
control channel and data channel are separated. Devices under strict security policy control may set strict limits on
each data channel, for example, only allow FTP data from internal network to external network to transfer on the well-
known port TCP 21. Once in the FTP active mode, if a FTP server in the public network tries to initiate a connection to a
random port of the host in the internal network, Devices will reject the connection and the FTP server will not work
properly in such a condition. This requires devices to be intelligent enough to properly handle the randomness of legit-
imate applications under strict security policies. In FTP instances, by analyzing the transmission information of the
FTP control channel, devices will be aware that the server and the client reached an agreement, and open up a tem-
porary communication channel when the server takes the initiative to connect to a port of the client, thus assuring the
proper operation of FTP.
The system adopts the strictest NAT mode. Some VoIP applications may work improperly after NAT due to the change
of IP address and port number. The ALG mechanism can ensure the normal communication of VoIP applications after
the NAT. Therefore, the ALG supports the following functions:

l Under strict security policy rules, ensures the normal communication of multi-channel applications.

l Ensures the proper operation of VoIP applications such as SIP and H.323 in NAT mode, and performs monitoring
and filtering according to policies.

Enabling ALG
The system allows you to enable or disable ALG for different applications. Devices support ALG for the following applic-
ations: FTP, HTTP, MSRPC, PPTP, Q.931, RAS, RSH, RTSP, SIP, SQLNetV2, SUNRPC, TFTP, DNS, and Auto. You can not
only enable ALG for applications, but also specify H323's session timeout.
To enable the ALG for applications:

1. Select Networl> Application Layer Gate.

2. In the Application Layer Gateway dialog, select the applications that require ALG.

3. To modify H323's session timeout, type the value into the H323 session timeout box. The value range is 60 to
1800 seconds. The default value is 60.

4. Click OK to save your changes.

Chapter 5 Network 94
Global Network Parameters
Global network parameter configuration includes IP fragment, TCP packet processing methods and other options.

Co nfiguring Glo bal Netw o rk Parameters

To configure global network parameters:

1. Select Network > Global Network Parameters > Global Network Parameters.

95 Chapter 5 Network
 2. Configure the following parameters.
Option Description

IP Fragment
Maximum Frag- Specifies a maximum fragment number for every IP packet. The value
ment Number range is 1 to 1024. The default value is 48. Any IP packet that contains
more fragments than this number will be dropped.
Timeout Specifies a timeout period of fragment reassembling. The value range is
1 to 30. The default value is 2. If the Hillstone device has not received all
the fragments after the timeout, the packet will be dropped.
Long Duration Enables or disables long duration session. If this function is enabled, spe-
Session cify long duration session's percentage in the Percentage text box below.
The default value is 10, i.e., 10% of long duration session in the total ses-
sions.
TCP

TCP MSS Specifies a MSS value for all the TCP SYN/ACK packets. Select the Enable
check box, and type the value into the Maximum MSS text box below.
Maximum MSS Type the max MSS value into the Maximum MSS text box below. The
value range is 64 to 65535. The default value is 1448.
TCP MSS VPN Specifies a MSS value for IPSec VPN's TCP SYN packets. Select the Enable
check box, and type the value into the Maximum MSS text box below.
Maximum MSS Type the max MSS value for IPSEC VPN into the Maximum MSS text box
below. The value range is 64 to 65535. The default value is 1380.
TCP Sequence Configures if the TCP sequence number will be checked. When this func-
Number Check tion is enabled, if the TCP sequence number exceeds TCP window, that
TCP packet will be dropped.
TCP Three-way Configures if the timeout of TCP three-way handshaking will be checked.
Handshaking Select the Enable check box to enable this function, and specify a
timeout value in the Timeout text box below. The value range is 1 to 1800
seconds. The default value is 20. If the three-way handshaking has not
been completed after timeout, the connection will be dropped.
TCP SYN Packet Select the Enable check box to enable this function, and only when a
Check packet is a TCP SYN packet can a connection be established.
Others

Non-IP and Specifies how to process packets that are neither IP nor ARP.
Non-ARP Packet

3. Click OK.

Co nfiguring Pro tectio n Mo de

To configure the protection mode:

1. Select Network > Global Network Parameters > Protection Mode.

2. Click Protection Mode tab, configure the traffic working mode.

l Log & reset - System not only generates protocol anomaly alarms and attacking behavior logs, but also blocks
attackers or resets connections.

Chapter 5 Network 96
 l Log only - System only generates protocol anomaly alarms and attacking behavior logs, but will not block
attackers or reset connections.

Note: Log & reset mode is recommended. In this mode, the security performance of the device
can take effect normally. If log only mode is selected, system can only record logs, and func-
tions which can block traffic in system will be invalid, including policy, IPS, AV, QoS, etc.

97 Chapter 5 Network
Chapter 6 Advanced Routing

Routing is the process of forwarding packets from one network to the destination address in another network. Router,
a packet forwarding device between two networks, is designed to transmit packets based on the various routes stored
in routing tables. Each route is known as a routing entry.
Hillstone devices are designed with Layer 3 routing. This function allows you to configure routing options and forward
various packets via VRouter. the system ships with a default VRouter trust-vr, and also supports multiple VRouters
(multi-VR).
Hillstone devices support destination routing, ISP routing, Source-Based Routing (SBR), Source-Interface-Based Rout-
ing (SIBR), Destination-Interface-Based Routing (DIBR), Policy-Based Routing (PBR), dynamic routing (including RIP,
OSPF and BGP) and Equal Cost MultiPath Routing (ECMP).

l Destination Routing: A manually-configured route which determines the next routing hop according to the des-
tination IP address.

l DIBR: A manually-configured route which determines the next routing hop according to the destination IP address
and ingress interface.

l SBR: Source IP based route which selects router and forwards data according to the source IP address.

l SIBR: Source IP and ingress interface based route.

l ISP Profile: Add a subnet to an ISP.

l ISP Routing: A kind of route which determines the next hop based on different ISPs.

l PBR: A route which forwards data based on the source IP, destination IP address and service type.

l Proximity Routing: Selects routers and forwards data according to the result of proximity detection.

l Dynamic Routing: Selects routers and forwards data according to the dynamic routing table generated by
dynamic routing protocols (RIP, OSPF or BGP).

l ECMP: Load balancing traffic destined to the same IP address or segment in multiple routes with equal man-
agement distance.
When forwarding the inbound packets, the device selects a route in the following sequence: PBR > SIBR > SBR > DIBR
> Destination routing/ISP routing/Proximity routing/Dynamic routing.
Routing supports IPv4 and IPv6 address. If IPv6 is enabled, you can configure IPv6 address entry for the routing rule.
Related Topics:

l "Destination Route" on Page 99

l "Destination-Interface Route" on Page 100

l "Source Route" on Page 102

l "Source-Interface Route" on Page 103

l "ISP Profile" on Page 105

l "ISP Route" on Page 107

l "Policy-based Route" on Page 109

l Configuring a Proximity Route

l "RIP" on Page 117

Chapter 6 Advanced Routing 98

Destination Route
The destination route is a manually-configured route entry that determines the next routing hop based on the des-
tination IP address. Usually a network with comparatively a small number of outbound connections or stable Intranet
connections will use a destination route. You can add a default route entry at your own choice as needed.

Creating a D estinatio n Ro ute

To create a destination route:

1. Select Network > Routing > Destination Route.

2. Click New.

In the Destination Route Configuration dialog box, enter values.

Option Description

Virtual Router From the Virtual Router drop-down list, select the Virtual Routerouter for
the new route. The default value is "trust-vr".
Destination Type the IP address for the route into the text box.
Subnet Mask Type the corresponding subnet mask into the text box.
Next Hop To specify the type of next hop, click Gateway, Current VRouter, Inter-
face, or Other VRouter.

l Gateway: Type the IP address into the Gateway text box.

l Current VRouter: Select a name from the drop-down list.

l Interface: Select a name from the Interface drop-down list. Type

the IP address into the Gateway text box. For a tunnel interface,
you need to type the gateway address for the tunnel's peer in the
optional box below.

l Other VRouter: Select a name from the Vsys drop-down list. Select
a name from the Virtual Router drop-down list.
Precedence Type the route precedence into the text box. The smaller the parameter
is, the higher the precedence is. If multiple routes are available, the route
with higher precedence will be prioritized. The value range is 1 to 255.
The default value is 1. When the value is set to 255, the route is invalid.
Weight Type the weight for the route into the text box. This parameter is used to
determine the weight of traffic forwarding in load balance. The value
range is 1 to 255. The default value is 1.
Description Type the description information into the Description text box if neces-
sary.

99 Chapter 6 Advanced Routing

3. Click OK.

Destination-Interface Route
Destination interface route is designed to select a route and forward data based on the Destination IP address and
ingress interface of a packet.

Creating a D estinatio n-I nterface Ro ute

To create a Destination-Interface route:

1. Select Network > Routing > Destination Interface Route.

2. Click New.

In the Destination Interface Route Configuration dialog box, enter values.

Option Description

Virtual Router From the Virtual Router drop-down list, select the Virtual Routerouter for
the new route. The default value is "trust-vr".
Ingress Interface Select an interface for the route from the drop-down list.
Destination IP Type the Destination IP for the route into the textbox.
Subnet Mask Type the corresponding subnet mask into the textbox.
Next Hop To specify the type of next hop, click Gateway, Virtual Router in current
Vsys, Interface, or Virtual Router in other Vsys.

l Gateway: Type the IP address into the Gateway text box.

l Virtual Router in current Vsys: Select a name from the Virtual

Router drop-down list.

l Interface: Select a name from the Interface drop-down list. Type

the IP address into the Gateway text box. For a tunnel interface,
you need to type the gateway address for the tunnel's peer in the
optional box below.

l Virtual Router in other Vsys: Select a name from the Vsys drop-
down list. Select a name from the Virtual Router drop-down list.
Precedence Type the route precedence into the textbox. The smaller the parameter is,
the higher the precedence is. If multiple routes are available, the route
with higher precedence will be prioritized. The value range is 1 to 255.
The default value is 1. When the value is set to 255, the route is invalid.
Weight Type the weight for the DIBR into the textbox. This parameter is used to
determine the weight of traffic forwarding in load balance. The value

Chapter 6 Advanced Routing 100

 Option Description

range is 1 to 255. The default value is 1.

Description Type the description information into the Description text box if neces-
sary.

3. Click OK.

101 Chapter 6 Advanced Routing

Source Route
Source route is designed to select a router and forward data based on the source IP address of a packet.

Creating a So urce Ro ute

To create a source route:

1. Select Network > Routing > Source Route.

2. Click New.

In the Source Route Configuration dialog box, enter values.

Option Description

Virtual Router From the Virtual Router drop-down list, select the Virtual Routerouter for
the new route. The default value is "trust-vr".
Source IP type the source IP for the route into the box.
Subnet Mask Type the corresponding subnet mask into the box.
Next Hop To specify the type of next hop, click Gateway, Virtual Router in current
Vsys, Interface, or Virtual Router in other Vsys.

l Gateway: Type the IP address into the Gateway text box.

l Virtual Router in current Vsys: Select a name from the drop-down

list.

l Interface: Select a name from the Interface drop-down list. Type

the IP address into the Gateway text box. For a tunnel interface,
you need to type the gateway address for the tunnel's peer in the
optional box below.

l Virtual Router in other Vsys: Select a name from the Vsys drop-
down list. Select a name from the Virtual Router drop-down list.
Precedence Type the route precedence into the box. The smaller the parameter is, the
higher the precedence is. If multiple routes are available, the route with
higher precedence will be prioritized. The value range is 1 to 255. The
default value is 1. When the value is set to 255, the route is invalid.
Weight Type the weight for the route into the box. This parameter is used to
determine the weight of traffic forwarding in load balance. The value
range is 1 to 255. The default value is 1.
Description Type the description information into the Description text box if neces-
sary.

3. Click OK.

Chapter 6 Advanced Routing 102

Source-Interface Route
Source interface route is designed to select a router and forward data based on the source IP address and ingress
interface of a packet.

Creating a So urce-I nterface Ro ute

To create a Source-Interface route:

1. Select Network > Routing > Source Interface Route.

2. Click New.

In the Source Interface Route Configuration dialog box, enter values.

Option Description

Virtual Router From the Virtual Router drop-down list, select the Virtual Routerouter for
the new route. The default value is "trust-vr".
Ingress Interface Select an interface for the route from the drop-down list.
Source IP Type the source IP for the route into the textbox.
Subnet Mask Type the corresponding subnet mask into the textbox.
Next Hop To specify the type of next hop, click Gateway, Virtual Router in current
Vsys, Interface, or Virtual Router in other Vsys.

l Gateway: Type the IP address into the Gateway text box.

l Virtual Router in current Vsys: Select a name from the Virtual

Router drop-down list.

l Interface: Select a name from the Interface drop-down list. Type

the IP address into the Gateway text box. For a tunnel interface,
you need to type the gateway address for the tunnel's peer in the
optional box below.

l Virtual Router in other Vsys: Select a name from the Vsys drop-
down list. Select a name from the Virtual Router drop-down list.
Precedence Type the route precedence into the textbox. The smaller the parameter is,
the higher the precedence is. If multiple routes are available, the route
with higher precedence will be prioritized. The value range is 1 to 255.
The default value is 1. When the value is set to 255, the route is invalid.
Weight Type the weight for the ISP route into the textbox. This parameter is used
to determine the weight of traffic forwarding in load balance. The value
range is 1 to 255. The default value is 1.

103 Chapter 6 Advanced Routing

 Option Description

Description Type the description information into the Description text box if neces-
sary.

3. Click OK.

Chapter 6 Advanced Routing 104

ISP Profile
To configure an ISP route, you need to firstly add a subnet to an ISP, and then configure the ISP route. The destination
of the route is determined by the name of the ISP. You can customize ISP information, or upload profiles that contain
different ISP information.

Creating an I SP Pro file

To create an ISP Profile:

1. Select Network > Routing > ISP Profile.

2. Click New.

In the ISP Configuration dialog box, enter values.

Option Description

ISP Profile Type the name for the new ISP profile into the textbox.
Subnet Prefix Type the IP address for the subnet into the textbox.
Subnet Mask Type the subnet mask into the textbox.

Add Add the subnet to the ISP profile. The subnet will be displayed in the ISP
subnet list below. If needed, repeat the steps to add multiple subnets for
the ISP profile.
Delete Delete the selected ISP profiles.

3. Click OK.

Uplo ading an I SP Pro file

To upload an ISP Profile:

1. Select Network > Routing > ISP Profile.

2. Click Upload.

In the Upload ISP File dialog box, enter values.

105 Chapter 6 Advanced Routing

 Option Description

Upload Pre- To update the predefined IPS file:

defined IPS File
1. Select Upload Predefined IPS File.

2. Click Browse to select an ISP profile in your PC.

User-defined IPS To update the user-defined IPS file:
File
1. Select Upload Predefined IPS File.

2. Click Browse to select an ISP profile in your PC.

3. Click Upload to upload the selected ISP profile to device.

Saving an I SP Pro file

To save an ISP Profile:

1. Select Network > Routing > ISP Profile.

2. Click Save.

3. In the Save User-defined ISP Configuration dialog box, select an ISP profile from the ISP profile drop-down list.

4. Click Save to save the profile to a specified location in PC.

Chapter 6 Advanced Routing 106

ISP Route
Generally many users might apply for multiple lines for load balancing purpose. However, a typical balance will not
function based on the traffic's direction. For such a scenario, device provides ISP Route which allows traffics from dif-
ferent ISPs to take their proprietary routes, thus accelerating network access.
To configure an ISP route, first you need to add a subnet to an ISP, and then configure the ISP route. The destination of
the route is determined by the name of the ISP. You can customize ISP information, or upload profiles that contain dif-
ferent ISP information.

Creating an I SP Ro ute
To create an ISP route:

1. Select Network > Routing > ISP Route.

2. Click New.

In the ISP Configuration dialog box, enter values.

Option Description

ISP Profile Select an ISP profile name from the drop-down list.
Virtual Router From the Virtual Router drop-down list, select the Virtual Router for the
new route. The default value is "trust-vr".
Next hop To specify the type of next hop, click Gateway, Current VRouter, Inter-
face, or Other VRouter.

l Gateway: Type the IP address into the Gateway text box.

l Current VRouter: Select a name from the Virtual Router drop-

down list.

l Interface: Select a name from the Interface drop-down list. Type

the IP address into the Gateway text box. For a tunnel interface,
you need to type the gateway address for the tunnel's peer in the
optional box below.

l Other VRouter: Select a name from the Vsys drop-down list. Select
a name from the Virtual Router drop-down list.
Precedence Type the route precedence into the textbox. The smaller the parameter is,
the higher the precedence is. If multiple routes are available, the route
with higher precedence will be prioritized. The value range is 1 to 255.
The default value is 10. When the value is set to 255, the route is invalid.
Weight Type the weight for the ISP route into the textbox. This parameter is used
to determine the weight of traffic forwarding in load balance. The value
range is 1 to 255. The default value is 1.
Description Type the description information into the Description text box if neces-

107 Chapter 6 Advanced Routing

 Option Description

sary.

3. Click OK.

Chapter 6 Advanced Routing 108

Policy-based Route
Policy-based Route (PBR) is designed to select a router and forward data based on the source IP address, destination
IP address and service type of a packet.

Creating a Po licy-based Ro ute

To create a Policy-based route:

1. Select Network > Routing > Policy based Routing.

2. Click New. Select PBR from the drop-down list.

In the Policy-based Route Configuration dialog box, enter values.

Option Description

PBR name Specifies a name for the policy-based route.

Virtual Router From the Virtual Router drop-down list, select the Virtual Router for the
new route. The default value is "trust-vr".
Type Specifies the object type that the policy-based route binds to. You can
select Zone, Virtual Router, Interface or No Binding.

l Zone: Click this option button and select a zone from the Zone
drop-down list.

l Virtual Router: Click this option button and show the virtual router
that the policy-based route bind to.

l Interface: Click this option button and select a interface from the
Interface drop-down list.

l No Binding: This policy-based route is no binding.

3. Click OK.

Creating a Po licy-based Ro ute Rule

To create a Policy-based Route rule:

109 Chapter 6 Advanced Routing

1. Select Network > Routing > Policy Based Routing.

2. Click New. Select Rule from the drop-down list.

In the Rule Condition tab, enter values.

Option Description

PBR name Specifies a name for the policy-based route.

Description Type information about the PBR rule.
（Optional）
Source

Address Specifies the source addresses of PBR rule.

1. Select an address type from the Address drop-down list.

2. Select or type the source addresses based on the selected type.

3. Click to add the addresses to the right pane.

4. After adding the desired addresses, click the blank area in this dia-
log to complete the source address configuration.
You can also perform other operations:

l When selecting the Address Book type, you can click Add to cre-
ate a new address entry.

l The default address configuration is any. To restore the con-

figuration to this default one, select the any check box.
User Specifies a role, user or user group for the PBR rule.

1. From the User drop-down menu, select the AAA server where the
users and user groups reside. To specify a role, select Role from
the AAA Server drop-down list.

2. Based on different types of AAA server, you can execute one or

more actions: search a user/user group/role, expand the user-
/user group list, enter the name of the user/user group.

3. After selecting users/user groups/roles, click to add the them

to the right pane.

4. After adding the desired objects, click the blank area in this dialog
to complete the user configuration.

Chapter 6 Advanced Routing 110

 Option Description
Destination

Address Specifies the destination addresses of PBR rule.

1. Select an address type from the Address drop-down list.

2. Select or type the source addresses based on the selected type.

3. Click to add the addresses to the right pane.

4. After adding the desired addresses, click the blank area in this dia-
log to complete the destination address configuration.
You can also perform other operations:

l When selecting the Address Book type, you can click Add to cre-
ate a new address entry.

l The default address configuration is any. To restore the con-

figuration to this default one, select the any check box.
Other

Host Book Specifies the Host-book of PBR rule. Select an Host-book from the Host
Book drop-down list.

Service Specifies a service or service group.

1. From the Service drop-down menu, select a type: Service, Service

Group.

2. You can search the desired service/service group, expand the ser-
vice/service group list.

3. After selecting the desired services/service groups, click to add

them to the right pane.

4. After adding the desired objects, click the blank area in this dialog
to complete the service configuration.
You can also perform other operations:

l To add a new service or service group, click Add.

l The default service configuration is any. To restore the con-

figuration to this default one, select the any check box.
Application Specifies an application/application group/application filters.

1. From the Application drop-down menu, you can search the

desired application/application group/application filter, expand the
list of applications/application groups/application filters.

2. After selecting the desired applications/application groups/ap-

plication filters, click to add them to the right pane.

3. After adding the desired objects, click the blank area in this dialog
to complete the application configuration.
You can also perform other operations:

l To add a new application group, click New AppGroup.

l To add a new application filter, click New AppFilter.

111 Chapter 6 Advanced Routing

 Option Description

Schedule Specifies a schedule when the PBR rule will take effect. Select a desired
schedule from the Schedule drop-down list. After selecting the desired
schedules, click the blank area in this dialog to complete the schedule
configuration.
To create a new schedule, click New Schedule.

Record log select the Enable check box to enable the logging function for PBR rules.

In the Next Hop tab, enter values.

Option Description

Set Nest-hop To specify the type of next hop, click IP Address, Virtual Router in cur-
rent Vsys, Interface, or Virtual Router in other Vsys.

l IP Address: Type IP address into the IP address text box and spe-
cify the weight into the Weight text box. When more than one next
hops are available, the traffic will be allocated to the different next
hops according to the weight value.

l Virtual Router in current Vsys: Select a name from the Next-Hop

Virtual Router drop-down list and specify the weight into the
Weight text box. When more than one next hops are available, the
traffic will be allocated to the different next hops according to the
weight value.

l Interface: Select an interface from the Interface drop-down list

and specify the weight into the Weight text box. When more than
one next hops are available, the traffic will be allocated to the dif-
ferent next hops according to the weight value.

l Virtual Router in other Vsys: Check the radio button to specify a vir-
tual router in the current VSYS as the next hop. Select a virtual
router from the Virtual Router drop-down list and specify the
weight into the Weight text box. When more than one next hops
are available, the traffic will be allocated to the different next hops
according to the weight value.
Track Object Select the tarck object from the drop-down list. See "Track Object" on
Page 259.

Weight Specifies the weight for the next hop. The value range is 1 to 255. The
default value is 1. If a PBR rule is configured with multiple next hops, the
system will distribute the traffic in proportion to the corresponding
weight.

Add Click to add the specified next hop.

Delete Select next-hop entries from the next hop table and click this button to
delete.

Adj usting Prio rity o f a PB R Rule

To adjust priority of a Policy-based Route rule:

1. Select Network > Routing > Policy Based Routing.

2. From the Virtual Router drop-down list, select the Virtual Router for the new route.

3. Select the rule you want to adjust priority from the list below, click Priority.

4. In the Adjust Priority dialog box, enter values.

Chapter 6 Advanced Routing 112

 Option Description

Top Click this option button to move the PBR rule to the top.
Bottom Click this option button to move the PBR rule to the bottom.
Before ID Click this option button and type the ID into the box behind to move the
PBR rule to the position before the ID.

After ID Click this option button and type the ID into the box behind to move the
PBR rule to the position after the ID.

Note: Each PBR rule is labeled with a unique ID. When traffic flows into a Hillstone device,
the device will query for PBR rules by turn, and processes the traffic according to the first
matched rule. However, the PBR rule ID is not related to the matching sequence during the
query. You can move a PBR rule's location up or down at your own choice to adjust the
matching sequence accordingly.

Applying a Po licy-based Ro ute

You can apply a policy-based route by binding it to an interface, virtual router or zone.
To apply a policy-based route:

1. Select Network > Routing > Policy Based Routing.

2. From the Virtual Router drop-down list, select the Virtual Router for the new route.

3. Click Bind to.

In the Policy-based Route Configuration dialog box, enter values.

Option Description

PBR Name Select a route from the PBR name drop-down list.
Virtual Router From the Virtual Router drop-down list, select the Virtual Router for the
new route. The default value is "trust-vr".
Type Specifies the object type that the policy-based route binds to. You can

113 Chapter 6 Advanced Routing

 Option Description
select Zone, Virtual Router, Interface or No Binding.

l Zone: Click this option button and select a zone from the Zone
drop-down list.

l Virtual Router: Click this option button and show the virtual router
that the policy-based route bind to.

l Interface: Click this option button and select a interface from the
Interface drop-down list.

l No Binding: This policy-based route is no binding.

4. Click OK.

D NS Redirect
The system supports the DNS redirect funtion, which redirects the DNS requests to a specified DNS server. For more
informaiton about specifying IP addresses of the DNS server, see Configuring a DNS Server. Currently, the DNS redir-
ect function is mainly used to redirect the video traffic for load balancing. With the policy based route working
together, the system can redirect the Web video traffic to different links, improving the user experience.
To enable the DNS redirect function:

1. Select Network > Routing > Policy Based Routing.

2. Click Enable DNS Redirect.

Co nfiguring the Glo bal Match Order

By default, If the PRB rule is bound to both an interface , VRouter and the security zone the interface belongs to, the
traffic matching sequence will be: Interface > Zone > VRouter. You can configure the global match order of PBR.
To configure the global match order:

1. Select Network > Routing > Policy Based Routing.

2. Click Config Global Match Order.

3. Select the items that need to be adjusted, and click and .

4. To restore the default matching sequence, click Restore Default.

5. Click OK.

WAP Traffic D istributio n

The WAP traffic distribution function is designed to distribute HTTP flow through the WAP gateway, so as to relieve the
traffic on WAP gateway.

Chapter 6 Advanced Routing 114

As shown in the topology above, the device that enabled WAP traffic distribution is deployed in front of the WAP server.
When the HTTP traffic goes through the device, the system analyzes the traffic, and then distributes the flow to WAP
gateway or Internet according to the configuration of the device. Normally, you will want to distribute your business
service traffic to WAP gateway, and allocates other traffic (e.g. Internet surfing or downloading) to Internet.
WAP traffic distribution function adopts policy-based route rule. When the HTTP traffic of an interface matches a
policy-based route rule, the system will distribute the traffic to the specified next-hop IP address according to the PBR
rule. For the traffic distributed to Internet, you need to enable IP replacement function. Because the original des-
tination is the WAP gateway address, to enable accessibility, translating the original address to actual destination
address is necessary.
To configure WAP traffic distribution:

l Enabling WAP traffic distribution

l Configuring a DNS Server

l Creating Host-book

l Creating a Policy-based Route Rule

l Checking WAP traffic distribution statistics

Ena bling WAP T ra ffic D is tribution

To enable WAP traffic distribution on a specified interface:

1. Select Network > Interface, double click the interface you want.

2. Under the Basic tab, select the check box of WAP traffic distribution. For more information about Host-book,
see "Configuring an Interface" on Page 38.

Configuring a D NS Server
DNS server can be used to analyze the real destination IP address. For more information about DNS server, see "DNS"
on Page 66.A domain name can be corresponded to multiple IP address, so the system only support the first IP
address that had been analyzed.

Crea ting H os t Book

To use WAP traffic distribution function, you need to add a host book into the policy-based route rule. When the HTTP
traffic matches the policy-based route rule, the system will distribute the traffic to the WAP gateway or Internet accord-
ing to the PBR rule and whether match the domain entry. For more information about Host-book, see "Host Book" on
Page 225.

Crea ting a Polic y-ba s ed Route Rule

To apply host book domain entry in the policy-based route rule, and then binding the policy-based route rule to the
interface that enabled WAP traffic distribution function. For more information about policy-based route, see "Policy-
based Route" on Page 109.

View ing WAP T ra ffic D is tribution Sta tis tic s

To see WAP traffic distribution statistics, see "WAP Traffic Distribution" on Page 425.

115 Chapter 6 Advanced Routing

Video Strea m ing Redirec tion
You can configure to redirect HTTP video streaming to a designated link to ensure a better streaming speed. The con-
figuration of video streaming redirection combines multiple modules. The configuration logic is introduced here.
To configure video streaming redirection:

1. Configuring application identification: set up traffic control based on the data type.

2. Enabling video streaming redirection: enable WAP traffic distribution and assign the port number used for certain
website's HTTP video. IP replacement is not needed.

3. Configuring PBR: Creating a policy based route and add the APP or services for video streaming, then bind this
route rule to the interface which enabled video streaming redirection.

Chapter 6 Advanced Routing 116

RIP
RIP, the abbreviation for Routing Information Protocol, is an internal gateway routing protocol that is designed to
exchange routing information between routers. At present devices support both RIP versions, i.e., RIP-1 and RIP-2.
RIP configuration includes basic options, redistribute, Passive IF, neighbor, network and distance. Besides, you also
need to configure RIP parameters for different interfaces, including RIP version, split horizon and authentication
mode.

Creating RI P
To create RIP:

1. Select Network > Routing > RIP.

2. From the Virtual Router drop-down list, select the Virtual Router for the new route.

3. Click New.

In the Basic tab, enter values.

Option Description

Version Specifies a RIP version. Hillstone devices support RIP-1 and RIP-2. RIP-1
transmits packets by broadcasting, while RIP-2 transmits packet by mul-
ticasting. Select a version from the drop-down list. The default version is
RIP-2.
Metric Specifies a default metric. The value range is 1 to 15. If no value is spe-
cified, the value of 1 will be used. RIP measures the distance to the des-
tination network by hops. This distance is known as metric. The metric
from a router to a directly connected network is 1, and increments by 1
for every additional router between them. The max metric is 15, and the
network with metric larger than 15 is not reachable. The default metric
will take effect when the route is redistributed.

Distance Specifies a default distance. The value range is 1 to 255. If no value is spe-
cified, the value of 120 will be used.
Information ori- Specifies if the default route will be redistributed to other routers with
ginat RIP enabled. By default RIP will not redistribute the default route. Select
the check box to redistribute the default route.
Update interval Specifies an interval in which all RIP routes will be sent to all the neigh-
bors. The value range is 0 to 16777215 seconds. The default value is 30.
Invalid time If a route has not been updated for the invalid time, its metric will be set
to 16, indicating an unreachable route. The value range is 1 to 16777215
seconds. The default value is 180.

117 Chapter 6 Advanced Routing

 Option Description

Holddown time If the metric becomes larger (e.g., from 2 to 4) after a route has been
updated, the route will be assigned with a holddown time. During the
holddown time, the route will not accept any update. The value range is
1 to 16777215 seconds. The default value is 180.
Flush time System will keep on sending the unreachable routes (metric set to 16) to
other routers during the flush time. If the route still has not been
updated after the flush time ends, it will be deleted from the RIP inform-
ation database. The value range is 1 to 16777215 seconds. The default
value is 240.

In the Redistribute tab, enter values.

Option Description

Protocol Select a protocol type for the route from the Protocol drop-down list.
The type can be Connected, Static, OSPF or BGP.
Metric Type the metric for the route into the Metric box. If no value is specified,
system will use the default metric value.
Add Click Add to add the Redistribute route entry. All the entries that have
been added will be displayed in the Redistribute Route list below.
Delete Repeat the above steps to add more Redistribute route entries. To delete
a Redistribute route entry, select the entry you want to delete from the
list, and click Delete.

In the Passive IF tab, enter values.

Option Description

Interface Select a passive interface from the Interface drop-down list.

Add Click Add to add the passive interface. All the interfaces that have been
added will be displayed in the list below.
Delete Repeat the above steps to add more Passive IFs. To delete a Passive IF,
select the entry you want to delete from the list, and click Delete.

In the Neighbor tab, enter values.

Option Description

Neighbor IP Type the neighbor IP into the Neighbor IP box.

Add Click Add to add the neighbor IP. All the neighbor IPs that have been
added will be displayed in the list below.
Delete Repeat the above steps to add more neighbor IPs. To delete a neighbor
IP, select the entry you want to delete from the list, and click Delete.

In the Network tab, enter values.

Option Description

Network(IP/net- Type the IP address and netmask into the Network(IP/netmask) box.
mask)
Add Click Add to add the network. All the networks that have been added will
be displayed in the list below.
Delete Repeat the above steps to add more networks. To delete a network,
select the entry you want to delete from the list, and click Delete.

In the Distance tab, enter values.

Chapter 6 Advanced Routing 118

 Option Description

Distance Type the distance into the Distance box. The priority of the specified dis-
tance is higher than than the default distance.
Network(IP/net- Type the IP prefix and netmask into the Network(IP/netmask) box.
mask)
Add Click Add to add the distance. All the distances that have been added will
be displayed in the list below.
Delete Repeat the above steps to add more distances. To delete a distance,
select the entry you want to delete from the list, and click Delete.

In the DB tab, enter values.

Route entries to all the reachable networks are stored in the database.

4. Click OK.

Note: Configuration for RIP on Hillstone device's interfaces includes: RIP version, split horizon
and authentication mode. For more information on how to configure RIP on an interface, see
"Configuring an Interface" on Page 38.

119 Chapter 6 Advanced Routing

Chapter 7 Authentication

Authentication is a behavior to identify a user or a host. Authentication is one the key features for a security product.
When a security product enables authentication, users or hosts can be denied or allowed to access certain networks.
From a user's point of view, authentication is divided into the following categories:

l If you are a user from internal network who wants to access Internet, you can use:

l "Web Authentication" on Page 121

l "Single Sign-On" on Page 126

l "PKI" on Page 137

l If you are a user from Internet who wants to visit an internal network (usually with VPN), you can use:

l "SSL VPN" on Page 162

l "IPSec VPN" on Page 143 (IPSec VPN (with radius server)+Xauth)

l "L2TP VPN" on Page 217 (L2TP over IPsec VPN)

Authentication Process
A user uses his/her terminal to connect the firewall. The firewall calls user data from AAA server to check the user's
identity.

l User: authentication applicant. The applicant initiate an authentication request, and enters his/her username and
password to prove his/her identity.

l Authentication system (i.e. the firewall in this case): Firewall receives username and password and send the
request to AAA server. It is an agent between applicant and AAA server.

l "AAA Server" on Page 238: authentication server. This server stores user information like username and pass-
word, etc. When AAA server receives a legitimate request, it checks if the applicant has the right to user network
services, and sends back the decision. For more information, refer to "AAA Server" on Page 238. AAA server has
the following four types:

l Local server

l Radius server

l LDAP server

l AD server

l TACACS+server

Chapter 7 Authentication 120

Web Authentication
Web authentication is used to identify the user who wants to visit Internet. When Web authentication is enabled, the
browser in the PC which is trying to access Internet will show login request. You need to input username and pass-
word. When your information is correct, the system will allocate your PC an IP address and give you a role which con-
trols your authority.

l General Web authentication (WebAuth): a general Web authentication means that an authentication page will
appear to check your information.

l "Single Sign-On" on Page 126: Single Sign On is a simplified WebAuth method. The authentication applicant will
not be required to open an authentication page. When a user is a legitimate applicant in the AAA server, he/she
can pass the identification automatically. For SSO, the AAA server type must be Active Directory server.
There are three different methods to achieve SSO. The three methods are independent from each other, and all of
them do not require usernmae/password input.

l Security Agent

l Installation script on AD server

l SSO-NTLM based on AD server

Using WebAuth Wizard

WebAuth wizard is the most convenient way to configure WebAuth.
The prerequiste of using the wizard is that you have already added AAA server in the system and users are also added
in that AAA server (refer to "AAA Server" on Page 238).

1. Select Network > Authentication Management > WebAuth.

2. Click WebAuth Wizard on the right top corner.

3. In the prompt, follow the steps.

Follow the steps in wizard to complete authentication settings.

Parameters

Mode Specify an authentication methods: general web auth(HTTP/HTTPS) and

121 Chapter 7 Authentication

 Parameters
single sign on (SSO-NTLM).

l If you select HTTP or HTTPS, the auth user will be required to

enter username and password. HTTP and HTTPS indicate the pro-
tocol when transmitting user's credential between client and AAA
server. HTTPS is encrypted, and can avoid information theft.

l If you select SSO-NTLM, auth user will not need to open an authen-
tication page. The system gets the user's PC login credential and
send it to AAA server. Refer to "Single Sign-On" on Page 126.
Auth User
AAA Server Specify the AAA server. Make sure that your selected AAA server has
already set up all user's credentials and the server has been added in
StoneOS system. Refer to "AAA Server" on Page 238.
Policy
Src Zone Specify the source zone where auth users are from.
Dst Zone Specify the destination zone where the auth users will visit.
DNS Zone Specify the DNS zone.
When you click OK, the system will automatically generates three security policies which are
used for web auth. If you wish to customize some parts of this authentication process, like
limit accessing time, you can go to modify the security policies. Refer to "Security Policy" on
Page 274 .

4. Click OK.
After WebAuth is configured, the users who matched WebAuth policy is recommended to input the correct username
and password, and then users can access to the network. The system supports to take actions for brute-force to avoid
the illegal users getting username and password by force. If failed to log in through the same host for three times in
two minutes, the host that attempts to log in will be blocked for 2 minutes.

Co nfiguring Glo bal Parameters fo r WebAuth

Global parameters apply to all WebAuth polices.
To configure WebAuth global parameters:

1. Select Network > Authentication Management > WebAuth.

2. Under the WebAuth tab, select the radio button of the authentication method you want.

Under different mode, the configuration options vary.

Authentication Mode

Mode Specify an authentication methods: general web auth(HTTP/HTTPS) and

single sign on (SSO-NTLM).

Chapter 7 Authentication 122

 Authentication Mode
l If you select HTTP or HTTPS, the auth user will be required to
enter username and password. HTTP and HTTPS indicate the pro-
tocol when transmitting user's credential between client and AAA
server. HTTPS is encrypted, and can avoid information theft.

l If you select SSO-NTLM, auth user will not need to open an authen-
tication page. The system gets the user's PC login credential and
send it to AAA server. Refer to "Single Sign-On" on Page 126.

l If you do not allow webauth, select Disable.

HTTP port Specifies the HTTP protocol transmission port number of the authen-
tication server. The range is 1 to 65535, and the default value is 8181.
HTTPS port Specifies the HTTP protocol transmission port number of the authen-
tication server. The range is 1 to 65535, and the default value is 44433.
HTTPS trust Specifies the HTTPS trust domain. This domain is previously created in
domain PKI and has imported international CA certified certificate.
When SSO- This option is used for SSO NTLM authentication. It defines the next
NTLM Fails action when user fails to pass SSO login.
Select Use HTTP Mode, the next move is to use HTTP web-auth to con-
tinue authentication.
Select Deny, the users is deemed failure and cannot log in.

User Login
Multiple login If you disable multiple login, one account cannot login elsewhere if he
has already logged in. You can choose to kick out the first login visitor or
you can disable second login.
If you allow multiple login, more than one clients can login with the
same account. But you can still set up the maximum number of clients
using one account.

Advanced
Idle interval The maximum time length of an inactive account after it has login.
Client Heartbeat When the authenticator sends a request to ask the client to submit its
Timeout username, the client need to responds within a specified period. If client
does not respond until timeout, the system will resend the authen-
tication request message.
Re-Auth Interval When the client is authorized to access network, the authenticator can
re-authenticate the client.
Forced Re-login If the forced re-login function is enabled, users must re-login after the
Interval configured interval ends.
Proxy Port Specify the port number for HTTPS, HTTPS and SSO proxy server. The
port number applies to all. It it changes in any page, other modes also
use the new port. The range is 1 to 65535.
Redirect URL The redirect URL function redirects the client to the specified URL after
successful authentication. You need to turn off the pop-up blocker of
your web browser to ensure this function can work properly. The format
of URL should be "http://www.abc.com" or "https://www.abc.com".

123 Chapter 7 Authentication

 Note:

l If the WebAuth success page is closed, you can log out not only by timeout, but also by vis-
iting the WebAuth status page (displays online users, online times and logout button). You
can visit it through "http(https):// IP-Address: Port-Number". In the URL, IP-Address
refers to the IP address of the WebAuth interface, and Port-Number refers to HTTP/HTTPS
port. By default, the HTTP port is 8181, the HTTPS port is 44433. The WebAuth status
page will be invalid if there is no online users on the client or the WebAuth is disabled.

l You can specify the username and password in the URL address. When the specified redir-
ect URL is the application system page with the authentication needed in the intranet, you
do not need the repeat authentication and can access the application system. The cor-
responding keywords are $USER, $PWD, or $HASHPWD. Generally, you can select one
keyword between $PWD and $HASHPWD. The formart of the URL is "URL" +"user-
name=$USER&password=$PWD".

l When entering the redirect URL in CLI, add double quotations to the URL address if the
URL address contains question mark. For example, "http://192.10.5.201/oa/-
login.do?username=$USER&password=$HASHPWD"

3. Click Apply.

Mo difying WebAuth Page B ackgro und Picture

The WebAuth page is the redirected page when an auth user opens the browser. In this webauth page, the auth user
enters his username and password. The system has its default background, but you can also customize background
picture.

1. Select Network > Authentication Management > WebAuth, and click Customize on the right top corner.

2. In the prompt, specify the directory where you stores the background pictures.

Note: The backgound pictures must comply with the following requirements:

l The picture name must be "login_page_bg_en.gif" (for English login page) or "login_
page_bg_cn.gif" (for Chinese login page)

Chapter 7 Authentication 124

 l The resolution should be 624px * 376px, other resolution will be shrinked or expanded to
this size.

l The pictures must be compressed as a zip file before uploading. The two pictures (Chinese
and English) can be zipped in one file, or two separate files.

125 Chapter 7 Authentication

Single Sign-On
Single Sign-On is a type of Web authentication. Unlike general WebAuth, which usually triggers browser to indicate
users input username and password, SSO authentication does not require information typing, it can check user's com-
puter login information, if the computer's user complies with AAA server, this user can pass authentication.
StoneOS requires that the AAA server for SSO must be Active-Directory server.
SSO has three login methods. The three ways are independent from each other, but they all can achieve the "no-sign-
on" authentication.

l Installing AD Agent Software: This methods needs to install software on the AD server or a connected PC. The
software is responsible to send user login information to StoneOS. If you do not want to change your AD server,
you are suggested to choose this method.

l Installing a script on AD Server: A script installed on AD server can also send login user's information to
StoneOS. This method is best if you do not mind editing your AD server and you want accurate monitor results.

l SSO-NTLM: This method still needs to trigger a browser, but users do not input user information. The SSO-
NTLM uses browser to send user identity to AAA server. This method can be used with WebAuth: when SSO fails,
you can configure to initiate a second authentication of WebAuth to require manually inputting of username and
password.

Using AD Agent So ftw are fo r SSO

Security Agent is a software tool installed on any PC or server in the domain. When domain user logs in or out, the soft-
ware will record the user's name, address and online time, and send it to StoneOS.
Contact a technical support person to get the install file of AD Agent.

1. Download and save AD Agent in a PC or server in the domain.

2. Double click to open ADAgentSetup.exe. Click Next all the way down until the wizard finishes its installation.

3. Use one of the two methods to start AD Agent:

l Double click AD Agent Configuration Tool shortcut on the desktop.

l Click Start menu, and select All app > Hillstone AD Agent >AD Agent Configuration Tool.

4. Click the <General> tab.

On the <General> tab, configure basic options.

Chapter 7 Authentication 126

 Option Description

Agent Port Enter agent port number. The firewall communicates to AD Agent using this port. The
range is 1025 to 65535. The default value is 6666. This port must be the same port number
as it was configured in StoneOS, otherwise, agent and StoneOS cannot communicate with
each other.
AD User Name Enter the user name to log into AD server. This user must have right to query logs.

Password Enter password that associates with the user name.

Server Monitor Log
Enable Security Log Select to enable logging.
Monitor
Monitor Frequency Specify the monitoring interval. The default value is 5 seconds.
Client probing WMI and NetBIOS probing can search for PC terminal. When an unmatched terminal
domain name is found, the saved domain name will be replaced with probed name.
Enable WMI probing Select the check box to enable WMI probing.
Enable NetBIOS prob- Select the check box to enable NetBIOS probing.
ing
Probing Frequency Specify the interval of active probing action.

5. On the <Discovered Server> tab, click Auto Discover to start auto scanning of AD servers in the domain. Or, if
your intended server is not scanned, you can click Add to input IP address of server to add it.
When there are two or more AD servers, the order of authenticating a use is from top to bottom in the list.

6. Click the <Discovered User> tab to view detected logged users.

7. On the <SSO Agent> tab, click Get SSO Agent to get a script which can be installed on AD server. (For intro-
duction and set up of this script, refer to "Using a Script for SSO" on Page 128) .

8. Click Commit to submit all settings and start AD Agent service in the mean time.

Note: After you have committed, AD Agent service will be running in the background all the
time. If you want to modify settings, you can edit in the AD Agent Configuration Tool and
click Commit. The new settings can take effect immediately.

127 Chapter 7 Authentication

Using Secure Agent So ftw are fo r SSO
Security Agent is a software tool installed on Active-Directory server. When domain user log in or out, the software will
record the user's name, address and online time, and send it to StoneOS.
Contact a technical support person to get the install file of Security Agent.

1. Copy the software Security Agent to a local internal PC, and double click Setup.exe.

2. Follow the wizard until it is installed.

3. Use one of the methods below to open software:

l Double click the Security Agent Configuration Tool shortcut on the desktop;

l Click Start menu, and choose All Programs > Security Agent > Security Agent Configuration Tool.

4. (Optional) Under the General tab, enter port number of the agent port. Firewall contacts this port to connect to
Security Agent. This port must be the one specified in the firewall settings.

5. (Optional) Click <Exception User List>,<Exception IP List> or <Exception Host List> tab to configure users/IP
addresses?hosts who are not monitored.

Using a Script fo r SSO

A script installed in AD server is able to accurately record user login and logout behavior. When a user goes online or
offline, the script is triggered and send the action to StoneOS system.
To configure script on AD server:

Chapter 7 Authentication 128

1. Contact your technical support to get the script. (RepotLogon.exe), and save it under a directory where all AD
server user can access.

2. In AD server, go to Start menu, select Mangement Tools > Active Directory User and Computer.

3. In the prompt, right click the domain of SSO, and select Properties, then click Group Properties tab.

4. Double click the group policy of SSO, and in the prompt, select User Configuration > Windows > Script
(Logon/Logout).

129 Chapter 7 Authentication

 5. Double click Logon on the right, and click Add in the prompt.

6. In the prompt, click Browse and select the logon script (RepotLogon.exe), and then enter IP address of StoneOS
for authentication, followed by a space and text "logon".

7. Click OK.

8. Similarly, import the script into the logout setting, repeat 5 - 7, and use logoff in the step 6.

Chapter 7 Authentication 130

 Note: The directory of saving the script must be accessible to all domain users, otherwise,
when a user who does not have access will not trigger the script when he log in or out.

Using SSO-NTLM
SSO-NTLM creates a situation that visitor will also need to open a brower, but no need to enter identity information.
The browser triggers authenticating and sends user's PC login credentials to AD server.
The configuration of SSO-NTLM is the same as WebAuth, please refer to WebAuth.
After using WebAuth wizard, you still need to configure the following two steps for SSO-NTLM.
Step 1: Changing setting in StoneOS

1. Select Network > Authentication Management > WebAuth.

2. Select the SSO-NTLM radio button

Authentication Mode

When SSO- If you select Use HTTP Mode, when a user fails SSO authentication, he
NTLM fails still has a second chance to input username and password.

User Login
Multiple login If you disable multiple login, one account cannot login elsewhere if he
has already logged in. You can choose to kick out the first login visitor or
you can disable second login.
If you allow multiple login, more than one clients can login with the
same account. But you can still set up the maximum number of clients
using one account.

Advanced
Idle interval The maximum time length of an inactive account after it has login.
Force Re-login The time interval to force the login account to enter login credential
Interval again.
Proxy port Specifies the proxy port number of SSO proxy server. The range is 1 to
65535.

3. Click Apply.
Step 2: Changing settings of User's Browser

1. On the user's PC, open a browser (use IE as example).

2. In IE's menu bar, select Tools > Internet options.

131 Chapter 7 Authentication

 3. In the prompt, under the Security tab, and click Custom level....

4. In the prompt, find User Authentication and select Automatic logon with current user name and password.

5. Click OK.

Chapter 7 Authentication 132

  SSO Agent
With the SSO (Single Sign-on) agent enabled, after you successfully log on to the authentication server, you log on to
Hillstone device simultaneously. The system supports SSO agent of active directory server.
Hillstone provides the script file named "ReportLogin.exe" to deploy the SSO agent function. As long as you add the
script file to the login/log off script of the active directory server, you can use the SSO agent function.
For how to add the script file to the active directory server, you can refer to the active directory server manual. The
script file "ReportLogin.exe" is stored in the disk packed with the device chassis together.

Configuring SSO Agent

To configure the SSO agent function, take the following steps:

1. Click Network > Authentication Management > SSO Agent to visit the SSO agent page. The SSO agent func-
tion is disabled by default.

2. Select the Enable check box of SSO-Agent to enable the function.

3. Select the AAA server that sends the login/log off script from the AAA server drop-down list.

4. Specify the idle interval. It is the interval that the authentication page keeps online without any traffic. After wait-
ing for the idle interval, the connection will disconnect. The value range is 0 to 1440 minutes. 0 means always
online.

5. Configure the multiple login. This function permits one user to sign in at more than one place simultaneously.

6. Click Apply to save the changes.

133 Chapter 7 Authentication

802.1x
This feature may not be available on all platforms. Please check your system's actual page to see if your device delivers
this feature.
802.1X is a standard defined by IEEE for Port-based Network Access Control. It uses Layer-2 based authentication
(protocol: EAPOL, Extensible Authentication Protocol over LAN) to verify the legality of the users accessing the network
trough LAN. Before authentication, the security device only allows 802.1X message to pass through the port. And after
authentication, all the normal traffic can pass through.
The AAA servers for 802.1x are Local server and Radius server. Other types of AAA servers like AD or LDAP server do
not support 802.1x.
The authenticating process is the same with other authentication, please refer to "Chapter 7 Authentication" on Page
120.

Co nfiguring 802.1x
A complete configuration for 802.1x authentication includes the following points:

l Prerequisite: Before configuration, you should already have the AAA server you want (only local or Radius server
is supported for 802.1x). The AAA server has been added in the firewall system (refer to AAA server), and the
interface or VLAN for authentication has been bound to a security zone (refer to interface or vlan).

l Configuration key steps:

1. Creating a 802.1x profile.

2. Creating a security policy to allow accessing.

l In the user's PC, modify the network adapter's properties: If computer is connected to the 802.1x interface, this
computer should enable its authentication function on its LAN port (right click LAN and select Properties, in the
prompt, under the <Authentication> tab, select MD5-Challenge or Microsoft: Protected EAP (PEAP), and
click OK to confirm.)

Note: Early versions of Windows have enabled 802.1x by default, but Windows 7 and Window
8 do not have this feature enabled. To enable 802.1x, please search online for a solution that
suits your system.

Crea ting 802. 1x Profile

To create a 802.1x profile:

1. Select Network > 802.1x > 802.1x.

2. Click New and a prompt appears.

Under the Basic tab and Advanced tab, enter values

Chapter 7 Authentication 134

 Basic

802.1x Name Enter a name for the 802.1x profile

Interface Select the interface for 802.1x authentication. It should be a Layer-2 inter-
face or a VLAN interface.
AAA Server Select the AAA server for 802.1x authentication. It should be a local
server or a Radius server.
Access Mode Select an access mode. If you select Port, if one of the clients connected
to 802.1x interface has passed authentication, all clients can access the
Internet. If you select MAC, every client must pass authentication before
using Internet.
Advanced
Port authorized If you select Auto, the system will allow users who have successfully
passed authentication to connect to network;
If you select Force-unauthorized, the system will disable the author-
ization of the port, as a result, no client can connect to the port, thus no
way to connect to network.

Re-auth period Enter a time period as the re-authentication time. After a user has suc-
cessfully connected to network, the system will automatically re-auth the
user's credentials. The range is from 0 to 65535 seconds. If the values is
set to 0, this function is disabled.
Quiet period If the authentication fails, it takes a moment before the system can pro-
cess the authenticating request from the same client again. The range is
0 to 65535 seconds, and the default value is 60 seconds. If this value is
set to 0, the system will not wait, and will immediately process the
request from the same client.
Retry times Specify a number for retry times. If the authentication system does not
receive any response from client, the system will try to require user's cre-
dential again. When the system has tries for the specified times, it will
stop trying. The range is 1 to 10 times, the default is 2 times.
Sever timeout Specify a server timeout value. The authenticator transmits the client's
credentials to the authentication server. If the server does not answer the
authenticator within a specified time, the authenticator will resend
request to the authentication server. The range is 1 to 65535 seconds, the
default value is 30 seconds.
Client timeout When the authenticator sends a request to ask the client to submit its
username, the client need to responds within a specified period. If client
does not respond until timeout, the system will resend the authen-
tication request message. The range is 1 to 65535 seconds, the default
value is 30 seconds.

3. Click OK.

802. 1x Globa l Configura tion

Global parameters apply to all 802.1x profiles.
To configure global parameters:

135 Chapter 7 Authentication

 1. Select Network > 802.1x> Global Configuration.

In the Global Configuration dialog box, specify the parameters that will be applicable for all 802.1x
profiles.
Option Description

Max user num- The maximum user client number for a authentication port.
ber
Multiple login You may choose to allow or disable one account to login from different
clients.

l Disable: If you select Disable, one account can only login from one
client simultaneously.
Then, when you want to kick off the old login user, you should
select Replace; if you want to disallow new login user, select
Refuse.

l Enable: If you select Enable, different clients can use one

account to login.
If you do not limit the login client number, select Unlimited; if you
want to set up a maximum login number, select Max attempts
and enter a value for maximum user client number.
Re-Auth time Specify a time for authentication timeout value. If the client does not
respond within the timeout period, the client will be required to re-enter
its credentials. The range is 180 to 86400 seconds, the default value is 300
seconds.

2. Click OK.

V iew ing Online Users

To view which authenticated users are online:

1. Select Network > 802.1x > Online user.

2. The page will show all online users. You can set up filters to view results that match your conditions.

Chapter 7 Authentication 136

PKI
PKI (Public Key Infrastructure) is a system that provides public key encryption and digital signature service. PKI is
designed to automate secret key and certificate management, and assure the confidentiality, integrity and non-repu-
diation of data transmitted over Internet. The certificate of PKI is managed by a public key by binding the public key
with a respective user identity by a trusted third-party, thus authenticating the user over Internet. A PKI system con-
sists of Public Key Cryptography, CA (Certificate Authority), RA (Certificate Authority), Digital Certificate and related
PKI storage library.
PKI terminology:

l Public Key Cryptography: A technology used to generate a key pair that consists of a public key and a private key.
The public key is widely distributed, while the private key is known only to the recipient. The two keys in the key
pair complement each other, and the data encrypted by one key can only be decrypted by another key of the key
pair.

l CA: A trusted entity that issues digital certificates to individuals, computers or any other entities. CA accepts
requests for certificates and verifies the information provided by the applicants based on certificate management
policy. If the information is legal, CA will sign the certificates with its private key and issue them to the applicants.

l RA: The extension to CA. RA forwards requests for a certificate to CA, and also forwards the digital certificate and
CRL issued by CA to directory servers in order to provide directory browsing and query services.

l CRL: Each certificate is designed with expiration. However, CA might revoke a certificate before the date of expir-
ation due to key leakage, business termination or other reasons. Once a certificate is revoked, CA will issue a CRL
to announce the certificate is invalid, and list the series number of the invalid certificate.
PKI is used in the following two situations:

l IKE VPN: PKI can be used by IKE VPN tunnel.

l HTTPS/SSH: PKI applies to the situation when a user accesses a Hillstone device over HTTPS or SSH.

l "Sandbox" on Page 374: Support the verification for the trust certification of PE files.

Creating a PKI Key

1. Select System > PKI > Key.

2. Click New.

In the PKI Key Configuration dialog, enter values.

Option Description

Label Specifies the name of the PKI key. The name must be unique.
Key con- Specifies the generation mode of keys, which includes Generate and
figuration mode Import.
Key Pair Type Specifies the type of key pair, either RSA or DSA.
Key modulus Specifies the modulus of the key pair. The options are 1024 (the default
value), 2048, 512 and 768 bits.

137 Chapter 7 Authentication

 Option Description

Import Key Browse your local file system and import the key file.

3. Click OK.

Creating a Trust D o main

1. Select System > PKI > Trust Domain.

2. Click New.

In the Basic tab, enter values for basic properties.

Option Description
Basic

Trust Domain Enter the name of the new trust domain.

Enrollment Type Use one of the two following methods:

l Select Manual Input, and click Browse to find the certificate and
click Import to import it into the system.

l Select Self-signed Certificate, the certificate will be generated

by the device itself.
Key Pair Select a key pair.
Subject
Name Enter a name of the subject.
Country Enter the name of applicant's country or region. Only an abbreviation of
(Region) two letters are allowed, like CN.
Location Optional. The location of the applicant.
State/Province Optional. State or province name.
Organization Optional. Organization name.
Organization Optional. Department name within applicant's organization.
unit

3. Click Apply Certificate, a series of code will appear.

Chapter 7 Authentication 138

4. Copy this code and send it to CA via email.

5. When you receive the certificate sent from CA. Click Browse to import the certificate.

6. (Optional) In the CRL tab, enter values.

Certification Revocation List

Check l No Check - The system does not check CRL. This is the default
option.

l Optional - The system accepts certificating from peer, no matter if

CRL is available or not.

l Force - The system only accepts certificating from pper when CRL
is available.
URL 1-3 The URL address for receiving CRL. At most 3 URLs are allowed, and their
priority is from 1 to 3.

l Select http:// if you want to get CRL via HTTP.

l Select ldap:// if you want to get CRL via LDAP.

l If you use LDAP to receive CRL, you need to enter the login-DN of
LDAP server and password. If not login-DN or password is added,
transmission will be anonymous.
Auto Update Update frequency of CRL list
Manual Update Get the CRL immediately by clicking Obtaining CRL .

7. Click OK.

I mpo rting/ Expo rting Trust D o main

To simplify configurations, you can export certificates (CA or local) and private key (in the format of PKSC12) to a com-
puter and import them to another device.
To export a PKI trust domain:

1. Select System > PKI > Trust Domain Certificate.

2. Select a domain from drop-down menu.

139 Chapter 7 Authentication

 3. Select the radio button of the item you want to export, and click Export.
If you choose PKCS, you need to set up password.

4. Click OK, and select a storage path to save the item.

To import the saved trust domain to another device:

1. Log in the other device, select System > PKI > Trust Domain Certificate.

2. Select a domain from drop-down menu.

3. Select the radio button of the item you want to import, and click Import.
If you choose PKCS, you need to enter the password when it was exported.

4. Click Browse and find the file to import.

5. Click OK. The domain file is imported.

I mpo rting Trust Certificatio n

System will not detect the PE file whose certification is trusted. To import trust certification of PE files,

1. Select System > PKI > Credible Root Certificate.

2. Click Import and choose a certificate file in your PC.

3. Click OK and then the file will be imported.

Chapter 7 Authentication 140

Online Users
To view which authenticated users are online:

1. Select Network >Authentication Management > Online User.

2. The page will show all online users. You can set up filters to view results that match your conditions.

141 Chapter 7 Authentication

Chapter 8 VPN

The system supports the following VPN functions:

l "IPSec VPN" on Page 143: IPSec is a security framework defined by the Internet Engineering Task Force (IETF) for
securing IP communications. It is a Layer 3 virtual private network (VPN) technology that transmits data in a
secure tunnel established between two endpoints.

l "SSL VPN" on Page 162: SSL provides secure connection services for TCP-based application layer protocols by
using data encryption, identity authentication, and integrity authentication mechanisms.

l "L2TP VPN" on Page 217: L2TP is one protocol for VPDN tunneling. VPDN technology uses a tunneling protocol to
build secure VPNs for enterprises across public networks. Branch offices and traveling staff can remotely access
the headquarters’ Intranet resources through a virtual tunnel over public networks.

Chapter 8 VPN 142

IPSec VPN
IPSec is a widely used protocol suite for establishing VPN tunnel. IPSec is not a single protocol, but a suite of protocols
for securing IP communications. It includes Authentication Headers (AH), Encapsulating Security Payload (ESP), Inter-
net Key Exchange (IKE) and some authentication methods and encryption algorithms. IPSec protocol defines how to
choose the security protocols and algorithms, as well as the method of exchanging security keys among com-
munication peers, offering the upper layer protocols with network security services including access control, data
source authentication, data encryption, etc.

B asic Co ncepts
l Security association

l Encapsulation modes

l Establishing SA

l Using IPSec VPN

Sec urity As s oc ia tion (SA)

IPSec provides encrypted communication between two peers which are known as IPSec ISAKMP gateways. Security
Association (SA) is the basis and essence of IPSec. SA defines some factors of communication peers like the protocols,
operational modes, encryption algorithms (DES, 3DES, AES-128, AES-192 and AES-256), shared keys of data pro-
tection in particular flows and the life cycle of SA, etc.
SA is used to process data flow in one direction. Therefore, in a bi-directional communication between two peers, you
need at least two security associations to protect the data flow in both of the directions.

Enc a ps ula tion Modes

IPSec supports the following IP packet encapsulation modes:

l Tunnel mode - IPSec protects the entire IP packet, including both the IP header and the payload. It uses the entire
IP packet to calculate an AH or ESP header, and then encapsulates the original IP packet and the AH or ESP header
with a new IP header. If you use ESP, an ESP trailer is also encapsulated. Tunnel mode is typically used for pro-
tecting gateway-to-gateway communications.

l Transport mode - IPSec protects only the IP payload. It uses only the IP payload to calculate the AH or ESP header,
and inserts the calculated header between the original IP header and payload. If you use ESP, an ESP trailer is also
encapsulated. The transport mode is typically used for protecting host-to-host or host-to-gateway com-
munications.

Es ta blis hing SA
There are two ways to establish SA: manual and IKE auto negotiation (ISAKMP).

l Manually configuring SA is complicated as all the information will be configured by yourself and some advanced
features of IPSec are not supported (e.g. timed refreshing), but the advantage is that manually configured SA can
independently fulfill IPSec features without relying on IKE. This method applies to a small number of devices con-
dition, or an environment of static IP addresses.

l IKE auto negotiation method is comparatively simple. You only need to configure information of IKE negotiation
and leave the rest jobs of creating and maintaining SA to the IKE auto negotiation function. This method is for
medium and large dynamic network. Establishing SA by IKE auto negotiation consists of two phases. The Phase 1
negotiates and creates a communication channel (ISAKMP SA) and authenticates the channel to provide con-
fidentiality, data integrity and data source authentication services for further IKE communication; the Phase 2 cre-
ates IPSec SA using the established ISAKMP. Establishing SA in two phases can speed up key exchanging.

Us ing IPSec VPN

To apply VPN tunnel feature in the device, you can use policy-based VPN or route-based VPN.

143 Chapter 8 VPN

 l Policy-based VPN - Applies the configured VPN tunnel to a policy so that the data flow which conforms the policy
settings can pass through the VPN tunnel.

l Route-based VPN - Binds the configured VPN tunnel to the tunnel interface and define the next hop of static route
as the tunnel interface.

Chapter 8 VPN 144

Co nfiguring an I KE V PN
IKE auto negotiation method is comparatively simple. You only need to configure information of IKE negotiation and
leave the rest jobs of creating and maintaining SA to the IKE auto negotiation function. This method is for medium and
large dynamic network. Establishing SA by IKE auto negotiation consists of two phases. The Phase 1 negotiates and
creates a communication channel (ISAKMP SA) and authenticates the channel to provide confidentiality, data integrity
and data source authentication services for further IKE communication; the Phase 2 creates IPSec SA using the estab-
lished ISAKMP. Establishing SA in two phases can speed up key exchanging.
To configure an IKE VPN, you need to confirm the Phase 1 proposal, the Phase 2 proposal, and the VPN peer. After con-
firming these three content, you can proceed to configure the IKE VPN settings.

Configuring a Pha s e 1 Propos a l

The P1 proposal is used to negotiate the IKE SA. To configure a P1 proposal:

1. Select Network > VPN > IPSec VPN.

2. In the P1 Proposal tab, click New.

In the Phase1 Proposal Configuration dialog, configure the corresponding options.

Option Description

Proposal Name Specifies the name of the Phase1 proposal.

Authentication Specifies the IKE identity authentication method. IKE identity authen-
tication is used to verify the identities of both communication parties.
There are three methods for authenticating identity: pre-shared key, RSA
signature and DSA signature. The default value is pre-shared key. For
pre-shared key method, the key is used to generate a secret key and the
keys of both parties must be the same so that it can generate the same
secret keys.
Hash Specifies the authentication algorithm for Phase1. Select the algorithm
you want to use.

l MD5 – Uses MD5 as the authentication algorithm. Its hash value is

128-bit.

l SHA – Uses SHA as the authentication algorithm. Its hash value is

160-bit. This is the default hash algorithm.

l SHA-256 – Uses SHA-256 as the authentication algorithm. Its hash

value is 256-bit.

l SHA-384 – Uses SHA-384 as the authentication algorithm. Its hash

value is 384-bit.

l SHA-512 – Uses SHA-512 as the authentication algorithm. Its hash

value is 512-bit.
Encryption Specifies the encryption algorithm for Phase1.

l 3DES - Uses 3DES as the encryption algorithm. The key length is

145 Chapter 8 VPN

 Option Description
192-bit. This is the default encryption algorithm.

l DES – Uses DES as the encryption algorithm. The key length is 64-
bit.

l AES – Uses AES as the encryption algorithm. The key length is

128-bit.

l AES-192 – Uses 192-bit AES as the encryption algorithm. The key

length is 192-bit.

l AES-256 – Uses 256-bit AES as the encryption algorithm. The key

length is 256-bit.
DH Group Specifies the DH group for Phase1 proposal.

l Group1 – Uses Group1 as the DH group. The key length is 768-bit.

l Group2 – Uses Group2 as the DH group. The key length is 1024-

bit. Group2 is the default value.

l Group5 – Uses Group5 as the DH group. The key length is 1536-

bit.

l Group14 – Uses Group14 as the DH group. The key length is

2048-bit.

l Group15 – Uses Group5 as the DH group. The key length is 3072-

bit.

l Group16 – Uses Group5 as the DH group. The key length is 4096-

bit.
Lifetime Specifies the lifetime of SA Phase1. The value range is 300 to 86400
seconds. The default value is 86400. Type the lifetime value into the Life-
time box. When the SA lifetime runs out, the device will send a SA P1
deleting message to its peer, notifying that the P1 SA has expired and it
requires a new SA negotiation.

3. Click OK to save the settings.

Configuring a Pha s e 2 Propos a l

The P2 proposal is used to negotiate the IPSec SA. To configure a P2 proposal:

1. Select Network > VPN > IPSec VPN.

2. In the P2 Proposal tab, click New.

In the Phase2 Proposal Configuration dialog, configure the corresponding options.

Chapter 8 VPN 146

 Option Description

Proposal Name Specifies the name of the Phase2 proposal.

Protocol Specifies the protocol type for Phase2. The options are ESP and AH. The
default value is ESP.
Hash Specifies the authentication algorithm for Phase2. Select the algorithm
you want to use.

l MD5 – Uses MD5 as the authentication algorithm. Its hash value is

128-bit.

l SHA – Uses SHA as the authentication algorithm. Its hash value is

160-bit. This is the default hash algorithm.

l SHA-256 – Uses SHA-256 as the authentication algorithm. Its hash

value is 256-bit.

l SHA-384 – Uses SHA-384 as the authentication algorithm. Its hash

value is 384-bit.

l SHA-512 – Uses SHA-512 as the authentication algorithm. Its hash

value is 512-bit.

l Null – No authentication.
Encryption Specifies the encryption algorithm for Phase2.

l 3DES - Uses 3DES as the encryption algorithm. The key length is

192-bit. This is the default encryption algorithm.

l DES – Uses DES as the encryption algorithm. The key length is 64-
bit.

l AES – Uses AES as the encryption algorithm. The key length is

128-bit.

l AES-192 – Uses 192-bit AES as the encryption algorithm. The key

length is 192-bit.

l AES-256 – Uses 256-bit AES as the encryption algorithm. The key

length is 256-bit.

l Null – No authentication.
Compression Specifies the compression algorithm for Phase2. By default, no com-
pression algorithm is used.

PFS Group Specifies the PFS function for Phase2. PFS is used to protect DH
algorithm.

l No PFS - Disables PFS. This is the default value.

l Group1 – Uses Group1 as the DH group. The key length is 768-bit.

l Group2 – Uses Group2 as the DH group. The key length is 1024-

bit. Group2 is the default value.

l Group5 – Uses Group5 as the DH group. The key length is 1536-

bit.

l Group14 – Uses Group14 as the DH group. The key length is

2048-bit.

147 Chapter 8 VPN

 Option Description
l Group15 – Uses Group5 as the DH group. The key length is 3072-
bit.

l Group16 – Uses Group5 as the DH group. The key length is 4096-

bit.
Lifetime You can evaluate the lifetime by two standards which are the time length
and the traffic volume. Type the lifetime length of P2 proposal into the
box. The value range is 180 to 86400 seconds. The default value is 28800.
Lifesize Select Enable to enable the P2 proposal traffic-based lifetime. By default,
this function is disabled. After selecting Enable, specifies the traffic
volume of lifetime. The value range is 1800 to 4194303 KBs. The default
value is 1800. Type the traffic volume value into the box.

3. Click OK to save the settings.

Configuring a VPN Peer

To configure a VPN peer:

1. Select Network > VPN > IPSec VPN.

2. In the VPN Peer List tab, click New.

In the VPN Peer Configuration dialog, configure the corresponding options.

Basic

Name Specifies the name of the ISAKMP gateway.

Interface Specifies interface bound to the ISAKMP gateway.
Interface Type Select the interface type, including IPv4 or IPv6. Only the IPv6 firmware
supports to configure IPv6 type interface.
Mode Specifies the mode of IKE negotiation. There are two IKE negotiation
modes: Main and Aggressive. The main mode is the default mode. The
aggressive mode cannot protect identity. You have no choice but use the
aggressive mode in the situation that the IP address of the center device
is static and the IP address of client device is dynamic.

Type Specifies the type of the peer IP. If the peer IP is static, type the IP
address into the Peer IP box; if the peer IP type is user group, select the
AAA server you need from the AAA Server drop-down list.

Local ID Specifies the local ID. The system supports five types of ID: FQDN, U-
FQDN, Asn1dn (only for license), KEY-ID and IP. Select the ID type you
want, and then type the content for this ID into the Local ID box or the
Local IP box.

Peer ID Specifies the peer ID. The system supports five types of ID: FQDN, U-

Chapter 8 VPN 148

 Basic
FQDN, Asn1dn (only for license), KEY-ID and IP. Select the ID type you
want, and then type the content for this ID into the Peer ID box or the
Peer IP box.

Proposal1/2/3/4 Specifies a P1 proposal for ISAKMP gateway. Select the suitable P1 pro-
posal from the Proposal1 drop-down list. You can define up to four P1
proposals for an ISAKMP gateway
Pre-shared Key If you choose using pre-shared key to authenticate, type the key into the
box.
Trust Domain If you choose to use RSA signature or DSA signature, select a trust
domain.
User Key Click Generate. In the Generate the User Key dialog, type the IKE ID into
the IKE ID box, and then click Generate. The generated user key will be
displayed in the Generate Result box. PnPVPN client uses this key as the
password to authenticate the login users.

3. If necessary, click the Advanced tab to configure some advanced options.

In the Advanced tab, configure the corresponding options.

Advanced

Connection Type Specifies the connection type for ISAKMP gateway.

l Bidirection - Specifies that the ISAKMP gateway serves as both the

initiator and responder. This is the default value.

l Initiator - Specifies that the ISAKMP gateway serves only as the ini-
tiator.

l Responder - Specifies that the ISAKMP gateway serves only as the

responder.
NAT Traversal This option must be enabled when there is a NAT device in the IPSec or
IKE tunnel and the device implements NAT. By default, this function is
disabled.
Any Peer ID Makes the ISAKMP gateway accept any peer ID and not check the peer
IDs.
Generate Route Select the Enable check box to enable the auto routing function. By
default, this function is disabled. This function allows the device to auto-
matically add routing entries which are from the center device to the
branch, avoiding the problems caused by manual configured routing.
DPD Select the Enable check box to enable the DPD (Delegated Path Dis-
covery) function. By default, this function is disabled. When the respon-
der does not receive the peer's packets for a long period, it can enable
DPD and initiate a DPD request to the peer so that it can test if the
ISAKMP gateway exists.

l DPD Interval - The interval of sending DPD request to the peer. The
value range is 1 to 10 seconds. The default value is 10 seconds.

l DPS Retries - The times of sending DPD request to the peer. The
device will keep sending discovery requests to the peer until it
reaches the specified times of DPD reties. If the device does not
receive response from the peer after the retry times, it will determ-
ine that the peer ISAKMP gateway is down. The value range is 1 to
10 times. The default value is 3.

149 Chapter 8 VPN

 Advanced

Description Type the description for the ISAKMP gateway.

XAUTH Select Enable to enable the XAUTH server in the device. Then select an
address pool from the drop-down list. After enabling the XAUTH server,
the device can verify the users that try to access the IPSec VPN network
by integrating the configured AAA server.

4. Click OK to save the settings.

Configuring a n IKE VPN

Use IKE to negotiate IPSec SA automatically. To configure IKE VPN:

1. Select Network > VPN > IPSec VPN.

2. In the IKE VPN List tab, click New.

In the Basic tab, configure the corresponding options.

Peer

Peer Name Specifies the name of the ISAKMP gateway. To edit an ISAKMP gateway,
click Edit.
Information Shows the information of the selected peer.
Tunnel

Name Type a name for the tunnel.

Mode Specifies the mode, including tunnel mode and transport mode.
P2 Proposal Specifies the P2 proposal for tunnel.
Proxy ID Specifies ID of Phase 2 for the tunnel which can be Auto or Manual.

l Auto - The Phase 2 ID is automatically designated.

l Manual - The Phase 2 ID is manually designated. Manual con-

figuration of P2 ID includes the following options:

l Local IP/Netmask - Specifies the local ID of Phase 2.

l Remote IP/Netmask - Specifies the Phase 2 ID of the peer

device.

l Service - Specifies the service.

3. If necessary, click the Advanced tab to configure some advanced options.

Chapter 8 VPN 150

 In the Advanced tab, configure the corresponding options.
Advanced

DNS1/2 Specifies the IP address of the DNS server allocated to the client by the
PnPVPN server. You can define one primary DNS server and a backup
DNS server.
WINS1/2 Specifies the IP address of WINS server allocated to the client by the
PnPVPN server. You can define one primary WINS server and a backup
WINS server.
Enable Idle Time Select the Enable check box to enable the idle time function. By default,
this function is disabled. This time length is the longest time the tunnel
can exist without traffic passing through. When the time is over, SA will
be cleared.
DF-Bit Select the check box to allow the forwarding device execute IP packet frag-
mentation. The options are:

l Copy - Copies the IP packet DF options from the sender directly.

This is the default value.

l Clear - Allows the device to execute packet fragmentation.

l Set - Disallows the device to execute packet fragmentation.

Anti-Replay Anti-replay is used to prevent hackers from attacking the device by
resending the sniffed packets, i.e., the receiver rejects the obsolete or
repeated packets. By default, this function is disabled.

l Disabled - Disables this function.

l 32 -Specifies the anti-replay window as 32.

l 64 - Specifies the anti-replay window as 64.

l 128 - Specifies the anti-replay window as 128.

l 256 - Specifies the anti-replay window as 256.

l 512 - Specifies the anti-replay window as 512.

Commit Bit Select the Enable check box to make the corresponding party configure
the commit bit function, which can avoid packet loss and time difference.
However, commit bit may slow the responding speed.
Accept-all- This function is disabled by default. With this function enabled, the
proxy-ID device which is working as the initiator will use the peer's ID as its Phase
2 ID in the IKE negotiation, and return the ID to its peer.
Auto Connect Select the Enable check box to enable the auto connection function. By
default, this function is disabled. The device has two methods of estab-
lishing SA: auto and traffic intrigued. When it is auto, the device checks
SA status every 60 seconds and initiates negotiation request when SA is
not established; when it is traffic intrigued, the tunnel sends negotiation
request only when there is traffic passing through the tunnel. By default,
traffic intrigued mode is used.
Note: Auto connection works only when the peer IP is static and the local
device is initiator.

Tunnel Route This item only can be modified after this IKE VPN is created. Click Choose
to add one or more tunnel routes in the appeared Tunnel Route Con-
figuration dialog. You can add up to 128 tunnel routes.

151 Chapter 8 VPN

 Advanced

Description Type the description for the tunnel.

VPN Track Select the Enable check box to enable the VPN track function. The device
can monitor the connectivity status of the specified VPN tunnel, and also
allows backup or load sharing between two or more VPN tunnels. This
function is applicable to both route-based and policy-based VPNs. The
options are:

l Track Interval - Specifies the interval of sending Ping packets. The

unit is second.

l Threshold - Specifies the threshold for determining the track failure.

If the system did not receive the specified number of continuous
response packets, it will identify a track failure, i.e., the target tunnel
is disconnected.

l Src Address - Specifies the source IP address that sends Ping pack-
ets.

l Dst Address - Specifies the IP address of the tracked object.

l Notify Track Event - Select the Enable check box to enable the VPN
tunnel status notification function. With this function enabled, for
route-based VPN, the system will inform the routing module about
the information of the disconnected VPN tunnel and update the tun-
nel route once detecting any VPN tunnel disconnection; for policy-
based VPN, the system will inform the policy module about the
information of the disconnected VPN tunnel and update the tunnel
policy once detecting any VPN tunnel disconnection.

4. Click OK to save the settings.

Chapter 8 VPN 152

Co nfiguring a Manual Key V PN
Manually configuring SA is complicated as all the information will be configured by yourself and some advanced fea-
tures of IPSec are not supported (e.g. timed refreshing), but the advantage is that manually configured SA can inde-
pendently fulfill IPSec features without relying on IKE. This method applies to a small number of devices condition, or
an environment of static IP addresses.
To create a manual key VPN:

1. Select Network > VPN > IPSec VPN.

2. In the Manual Key VPN Configuration section, click New.

In the Manual Key VPN Configuration dialog, configure the corresponding options.
Basic

Tunnel Name Specifies the name of manually created key VPN.

Mode Specifies the mode, including Tunnel and Transport. The tunnel mode is
the default mode.
Peer IP Specifies the IP address of the peer.
Local SPI Type the local SPI value. SPI is a 32-bit value transmitted in AH and ESP
header, which uniquely identifies a security association. SPI is used to
seek corresponding VPN tunnel for decryption.

Remote SPI Type the remote SPI value.

Note: When configuring an SA, you should configure the parameters of
both the inbound and outbound direction. Furthermore, SA parameters
of the two ends of the tunnel should be totally matched. The local
inbound SPI should be the same with the outbound SPI of the other end;
the local outbound SPI should be the same with the inbound SPI of the
other end.

Interface Specifies the egress interface for the manual key VPN. Select the interface
you want from the Interface drop-down list.
Interface Type Select the interface type, including IPv4 or IPv6. Only the IPv6 firmware
supports to configure IPv6 type interface.

153 Chapter 8 VPN

 Basic
Encryption

Protocol Specifies the protocol type. The options are ESP and AH. The default
value is ESP.
Encryption Specifies the encryption algorithm.

l None – No authentication.

l 3DES – Uses 3DES as the encryption algorithm. The key length is

192-bit. This is the default encryption algorithm.

l DES – Uses DES as the encryption algorithm. The key length is 64-
bit.

l AES – Uses AES as the encryption algorithm. The key length is

128-bit.

l AES-192 – Uses 192-bit AES as the encryption algorithm. The key

length is 192-bit.

l AES-256 – Uses 256-bit AES as the encryption algorithm. The key

length is 256-bit.
Inbound Encryp- Type the encryption key of the inbound direction. You should configure
tion Key the keys of both ends of the tunnel. The local inbound encryption key
should be the same with the peer's outbound encryption key, and the
local outbound encryption key should be the same with the peer's
inbound encryption key.
Outbound Type the encryption key of the outbound direction.
Encryption Key
Hash Specifies the authentication algorithm. Select the algorithm you want to
use.

l None – No authentication.

l MD5 – Uses MD5 as the authentication algorithm. Its hash value is

128-bit.

l SHA-1 – Uses SHA as the authentication algorithm. Its hash value

is 160-bit. This is the default hash algorithm.

l SHA-256 – Uses SHA-256 as the authentication algorithm. Its hash

value is 256-bit.

l SHA-384 – Uses SHA-384 as the authentication algorithm. Its hash

value is 384-bit.

l SHA-512 – Uses SHA-512 as the authentication algorithm. Its hash

value is 512-bit.
Inbound Hash Type the hash key of the inbound direction. You should configure the
Key keys of both ends of the tunnel. The local inbound hash key should be
the same with the peer's outbound hash key, and the local outbound
hash key should be the same with the peer's inbound hash key.
Outbound Hash Type the hash key of the outbound direction.
Key
Compression Select a compression algorithm. By default, no compression algorithm is
used.

Chapter 8 VPN 154

 Basic

Description
Description Type the description for the manual key VPN.

3. Click OK to save the settings.

155 Chapter 8 VPN

V iew ing I PSec V PN Mo nito ring I nfo rmatio n
By using the ISAKMP SA table, IPSec SA table, and Dial-up User table, IPSec VPN monitoring function can show the SA
negotiation results of IPSec VPN Phase1 and Phase2 as well as information of dial-up users.
To view the VPN monitoring information:

1. Select Network > VPN > IPSec VPN.

2. In the IKE VPN Configuration section, click IPSec VPN Monitor.

Options in these tabs are described as follows:

ISAKMP SA
Option Description

Cookie Displays the negotiation cookies which are used to match SA Phase 1.
Status Displays the status of SA Phase1.

Peer Displays the IP address of the peer.

Port The port number used by the SA Phase1. 500 indicates that no NAT has
been found during the SA Phase 1; 4500 indicates that NAT has been detec-
ted.
Algorithm Displays the algorithm of the SA Phase1, including authentication method,
encryption algorithm and verification algorithm.
Lifetime Displays the lifetime of SA Phase1. The unit is second.

IPSec SA
Option Description

ID Displays the tunnel ID number which is auto assigned by the system.

VPN Name Displays the name of VPN.
Direction Displays the direction of VPN.
Peer Displays the IP address of the peer.
Port The port number used by the SA Phase2.
Algorithm The algorithm used by the tunnel, including protocol type, encryption
algorithm, verification algorithm and depression algorithm.
SPI Displays the local SPI and the peer SPI. The direction of inbound is local SPI,
while outbound is peer SPI.
CPI Displays the compression parameter index (CPI) used by SA Phase2.
Lifetime (s) Displays the lifetime of SA Phase2 in second, i.e. SA Phase2 will restart nego-
tiating after X seconds.
Lifetime (KB) Displays the lifetime of SA Phase2 in KB, i.e. SA Phase2 will restart nego-
tiating after X kilobytes of data flow.
Status Displays the status of SA Phase2.

Dial-up User
Option Description

Peer Displays the statistic information of the peer user. Select the peer you
want from the Peer drop-down list.
User ID Displays the IKE ID of the user selected.
IP Displays the corresponding IP address.
Encrypted Packets Displays the number of encrypted packets transferred through the tun-
nel.

Chapter 8 VPN 156

 Option Description

Encrypted Bytes Displays the number of encrypted bytes transferred through the tunnel.
Decrypted Packets Displays the number of decrypted packets transferred through the tun-
nel.
Decrypted Bytes Displays the number of decrypted bytes transferred through the tunnel.

157 Chapter 8 VPN

Co nfiguring PnPV PN
IPSec VPN requires sophisticated operation skills and high maintenance cost. To relieve network administrators from
the heavy work, the system provides an easy-to-use VPN technology - PnPVPN (Plug-and-Play VPN). PnPVPN consists
of two parts: PnPVPN Server and PnPVPN Client.

l PnPVPN Server: Normally deployed in the headquarters and maintained by an IT engineer. The PnPVPN Server
issues most of the configuration commands to clients. The device usually works as a PnPVPN Server and one
device can serve as multiple servers.

l PnPVPN Client: Normally deployed in the branch offices and controlled remotely by headquarters engineer. With
simple configuration, such as client ID, password and server IP settings, the PnPVPN Client can obtain con-
figuration commands (e.g. DNS, WINS, DHCP address pool, etc.) from PnPVPN Server.
The device can serve as both a PnPVPN Server and a PnPVPN Client. When working as a PnPVPN Server, the maximum
number of VPN instance and the supported client number of each device may vary according to the platform series.

PnPVPN Work flow

The workflow for PnPVPN is as follows:

1. The client initiates a connection request and sends its own ID and password to the server.

2. The server verifies the ID and password when it receives the request. If the verification succeeds, the server
issues configuration information, including DHCP address pool, DHCP mask, DHCP gateway, WINS, DNS and tun-
nel routes, etc,. to the client.

3. The client distributes the received information to corresponding functional modules.

4. The client PC automatically gains an IP address, IP mask, gateway address and other network parameters and con-
nects itself to the VPN.

Configuring a PnPVPN Client

To configure a PnPVPN client:

1. Select Network > VPN > IPSec VPN.

2. In the IKE VPN Configuration section, click PnPVPN Client.

In the PnPVPN Configuration dialog, configure the corresponding options.

Option Description

Server Address Type the IP address of PnPVPN Server into the box.
ID Specifies the IKE ID assigned to the client by the server.
Password Specifies the password assigned to the client by the server.
Confirm Pass- Enter the password again to make confirmation.
word

Chapter 8 VPN 158

 Option Description

Auto Save Select Enable to auto save the DHCP and WINS information released by
PnPVPN Server.
Outgoing IF Specifies the interface connecting to the Internet.
Incoming IF Specifies the interface on PnPVPN Client accessed by Intranet PC or
application servers.

3. Click OK to save the settings.

159 Chapter 8 VPN

Co nfiguring I PSec-X AUTH Address Po o l
XAUTH server assigns the IP addresses in the address pool to users. After the client has established a connection to
the XAUTH server successfully, the XAUTH server will choose an IP address along with other related parameters (such
as DNS server address, WINS server address, etc) from the address pool, and assigns them to the client.
XAUTH server provides fixed IP addresses by creating and implementing IP binding rules that consist of static IP bind-
ing rule and IP-role binding rule. The static IP binding rule binds the client user to a fixed IP address in the address
pool. Once the client has established a connection successfully, the system will assign the binding IP to the client. The
IP-role binding rule binds the role to a specific IP range in the address pool. Once the client has established a con-
nection successfully, the system will assign an IP address within the IP range to the client.
When the XAUTH server is allocating IP addresses in the address pool, the system will check the IP binding rule and
determine how to assign IP addresses for the client based on the specific checking order below:

1. Check if the client is configured with any static IP binding rule. If so, assign the binding IP address to the client;
otherwise, further check other configurations. Note if the binding IP address is in use, the user will be unable to
log in.

2. Check if the client is configured with any IP-role binding rule. If so, assign an IP address within the binding IP
range to the client; otherwise, the user will be unable to log in.

Note: The IP addresses defined in the static IP binding rule and IP-role binding rule should not
be overlapped.

To configure the IPSec-XAUTH address pool:

1. Select Network > VPN > IPSec.

2. At the top-right corner, Select IPSec-XAUT Address Pool.

3. In the XAUTH Address Pool Configuration dialog, click New.

In the Basic tab, configure the corresponding options.

Option Description

Address Pool Specifies the name of the address pool.

Name
Start IP Specifies the start IP of the address pool.
End IP Specifies the end IP of the address pool.
Reserved Start IP Specifies the reserved start IP of the address pool.

Reserved End IP Specifies the reserved end IP of the address pool.

Netmask Specifies the netmask of the IP address.
DNS1/2 Specifies the DNS server IP address for the address pool. It is optional. At
most two DNS servers can be configured for one address pool.
WINS1/2 Specifies the WIN server IP addresses for the address pool. It is optional.
At most two WIN servers can be configured for one address pool.

In the IP User Binding tab, configure the corresponding options.

Option Description

User Type the user name into the User box.

IP Type the IP address into the IP box.

Chapter 8 VPN 160

 Option Description

Add Click Add to add the item that binds the specified user to the IP address.

In the IP Role Binding tab, configure the corresponding options.

Option Description

Role Select a role from the Roledrop-down list.

Start IP Type the start IP address into the Start IP box.
End IP Type the end IP address into the End IP box.
Add Click Add to add the item that binds the specified role to the IP
address range.
Up/Down/Top/Bottom Move the selected IP-role binding rule . For the user that is bound
to multiple roles and the roles are also configured with their cor-
responding IP-role binding rules, the system will query the IP-role
binding rules in turn, and assign an IP address based on the first
matched rule.

4. Click OK to save the settings.

161 Chapter 8 VPN

SSL VPN
The device provides an SSL based remote access solution. Remote users can access the intranet resource safely
through the provided SSL VPN.
SSL VPN consists of two parts: SSL VPN server and SSL VPN client. The device configured as the SSL VPN server
provides the following functions:

l Accept client connections.

l Allocate IP addresses, DNS server addresses, and WIN server addresses to SSL VPN clients.

l Authenticate and authorize clients.

l Perform host checking to client.

l Encrypt and forward IPSec data.

By default, the concurrent online client number may vary from different platform series. You can expand the sup-
ported number by purchasing the corresponding license.
After successfully connecting to the SSL VPN server, the SSL VPN client secures your communication with the server.
The following SSL VPN clients are available:

l "SSL VPN Client for Windows" on Page 180

l "SSL VPN Client for Android" on Page 198

l "SSL VPN Client for iOS" on Page 202

l "SSL VPN Client for Mac OS" on Page 207

Co nfiguring an SSL V PN
To configure an SSL VPN:

1. Select Network > VPN > SSL VPN.

2. In the SSL VPN page, click New.

In the Name/Access User tab, configure the corresponding options.

Option Description

SSL VPN Name Type the name of the SSL VPN instance
Assigned Users
AAA Server Select an AAA server from the AAA Server drop-down list. You can click

Chapter 8 VPN 162

 Option Description
View AAA Server to view the detailed information of this AAA server.

Domain Type the domain name into the Domain box. The domain name is used
to distinguish the AAA server.
Verify User After enable this function, the system will verify the username and its
Domain Name domain name.
Add Click Add to add the assigned users. You can repeat to add more items.

In the Interface tab, configure the corresponding options.

Access Interface
Egress Interface1 Select the interface from the drop-down list as the SSL VPN server inter-
face. This interface is used to listen to the request from SSL VPN client.
Egress Interface2 Select the interface from the drop-down list. This interface is needed
when the optimal path detection function is enabled.
Service Port Specifies the SSL VPN service port number.
Tunnel Interface
Tunnel Interface Specifies the tunnel interface used to bind to the SSL VPN tunnel. Tunnel
interface transmits traffic to/from SSL VPN tunnel.

l Select a tunnel interface from the drop-down list, and then click Edit
to edit the selected tunnel interface.

l Click New in the drop-down list to create a new interface.

Information Shows the zone, IP address, and netmask of the selected tunnel interface.
Address Pool
Address Pool Specifies the SSL VPN address pool.

l Select an address pool from the drop-down list, and then click Edit
to edit the selected address pool.

l Click New in the drop-down list to create a new address pool.

Information Shows the start IP address, end IP address, and mask of the address pool.

In the Tunnel Route tab, configure the corresponding options.

Tunnel Route
Specify the destination network segment that you want to access through SCVPN tunnel.
The specified destination network segment will be distributed to the VPN client, then the cli-
ent uses it to generate the route to the specified destination.

IP Type the destination IP address.

Mask Type the netmask of the destination IP address.
Metric Type the metric value.
Add Click Add to add this route. You can repeat to add more items.
Delete Click Delete to delete the selected route.
Enable domain name
Specify the destination domain name that you want to access through SCVPN tunnel.
After selecting the Enable domain name check box, the system will distribute the specified
domain names to the VPN client, and the client will generate the route to the specified des-
tination according to the resolving results from DNS.

163 Chapter 8 VPN

 Domain Specify the URL of the domain name. The URL cannot exceed 63 char-
acters and it cannot end with a dot (.). Both wildcards and a single top
level domain, e.g. com and .com are not supported.
Add Click Add to add the domain name to the list and you can add up to 64
domain names.
Delete Click Delete to delete the selected domain name.
Domain route The maximum numbers of routes that can be generated after obtaining
max entries the resolved IP addresses of the domain name. The value ranges from 1
to 10000.

In the Binding Resource tab, configure the binding relationship between user groups and resources.
Binding Resource
Resource List Types or selects an existing resource name.
User Specifies a user group name.

1. From the User drop-down menu, select the AAA server where user
groups reside. Currently, only the local authentication server and
the RADIUS server are available.

2. Based on different types of AAA server, you can execute one or

more actions: search a user group, expand the user group list,
enter the name of the user group.

3. After selecting user groups, click to add the them to the right
pane.

4. After adding the desired objects, click the blank area in this dialog
to complete the configuration.
Note:

l A user group can be bound with multiple resources, and a

resource can also be bound with multiple user groups.

l Only 32 binding entries can be configured in an SSL VPN instance.

Add Click Add to add binding entries for resources and user groups to the list
below. You can repeat to add more items.
Delete Click Delete to delete the selected item.

3. If necessary, click Advanced to configure the advanced functions, including parameters, client, host security,
SMS authentication, and optimized path.

In the Parameters tab, configure the corresponding options.

Security Kit
SSL Version Specifies the SSL protocol version. Any indicates one of SSLv2, SSLv3,
TLSv1, TLSv1.1 and TLSv1.2 protocol will be used.
If tlsv1.2 or any is specified to the SSL protocol in SSL VPN server, you
need to convert the certificate that you are going to import to the
browser or certificate in the USB Key to make it support the tlsv1.2 pro-
tocol before the digital certificate authentication via SSL VPN client, so
that the SSL VPN server can be connected successfully when the User-
name/Password + Digital Certificate or Digital Certificate Only authen-
tication method is selected. Prepare a PC with Windows or Linux system
which has been installed with OpenSSL 1.0.1 or later before processing
the certificate. We will take the certificate file named oldcert.pfx as an

Chapter 8 VPN 164

 example, the procedure is as follows:

1. In the OpenSSL software interface, enter the following command to

convert a certificate in .pfx format to a certificate in .pem format.
openssl pkcs12 –in oldcert.pfx –out cert.pem

2. Enter the following command to convert the certificate in .pem

format to a .pfx format certificate that supports tlsv1.2 protocol.
openssl pkcs12 –export –in cert.pem –out newcert.pfx –
CSP “Microsoft Enhanced RSA and AES Cryptographic Pro-
vider”

3. Import the newly generated .pfx format certificate into your

browser or USB Key.
After the above operation, you have to log into SSL VPN server with SSL
VPN client whose version is 1.4.6.1239 or later.

Trust Domain Specifies the trust domain.

Encryption Specifies the encryption algorithm of the SSL VPN tunnel. The default
value is 3DES. NULL indicates no encryption.
Hash Specifies the hash algorithm of the SSL VPN tunnel. The default value is
SHA-1. NULL indicates no hash.
Compression Specifies the compression algorithm of the SSL VPN tunnel. By default,
no compression algorithm is used.

Client Connection
Idle Time Specifies the time that a client keeps online without any traffic with the
server. After waiting for the idle time, the server will disconnect the con-
nection with the client. The value range is 15 to 1500 minutes. The
default value is 30.
Multiple Login This function permits one client to sign in at more than one place sim-
ultaneously. Select the Enable check box to enable the function.
Multiple Login Type the login time into the Multiple Login Times box. The value range
Times is 0 to 99,999,999. The value of 0 indicates no login time limitation.
Advanced Parameters
Anti-Replay The anti-replay function is used to prevent replay attacks. The default
value is 32.
DF-Bit Specifies whether to permit packet fragmentation on the device for-
warding the packets. The actions include:

l Set - Permits packet fragmentation.

l Copy - Copies the DF value from the destination of the packet. It is

the default value.

l Clear - Forbids packet fragmentation.

Port (UDP) Specifies the UDP port number for the SSL VPN connection.

In the Client tab, configure the corresponding options.

Client Configuration
Redirect URL This function redirects the client to the specified redirected URL after suc-
cessful authentication. Type the redirected URL into the box. The value
range is 1 to 255 characters. HTTP (http://) and HTTPS (https://) URLs are
supported. Based on the type of the URL, the corresponding fixed format
of URL is required. Take the HTTP type as the example:

165 Chapter 8 VPN

 l For the UTF-8 encoding page - The format is URL+user-
name=$USER&password=$PWD, e.g., http://www.-
abc.com/oa/login.do?username=$USER&password=$PWD

l For the GB2312 page - The format is URL+user-

name=$GBUSER&password=$PWD, e.g., http://www.-
abc.com/oa/login.do?username=$GBUSER&password=$PWD

l Other pages: - Type the URL directly, e.g., http://www.abc.com

Title Specifies the description for the redirect URL. The value range is 1 to 31
bytes. This title will appear as a client menu item.
Delete privacy Select Enable to delete the corresponding privacy data after the client's
data after dis- disconnection.
connection
Digital Certificate Authentication
Authentication Select the Enable check box to enable this function. There are two
options available:

l Username/Password + Digital Certificate - To pass the authen-

tication, you need to have the correct file certificate, or the USB Key
that stores the correct digital certificate, and also type the correct
username and password. The USB Key certificate users also need
to type the USB Key password.

l Digital Certificate only - To pass the authentication, you need to

have the correct file certificate, or the USB Key that stores the cor-
rect digital certificate. The USB Key certificater users also need to
type the USB Key password. No username or user's password is
required.
When Digital Certificate only is selected:

l The system can map corresponding roles for the authenticated

users based on the CN or OU field of the USB Key certificate. For
more information about the role mapping based on CN or OU, see
"Role" on Page 256.

l The system does not allow the local user to change the password.

l The system does not support SMS authentication.

l The client will not re-connect automatically if the USB Key is

removed.

Download URL When USB Key authentication is enabled, you can download the UKey
driver from this URL.
Trust Domain To configure the trust domain and the subject & username checking func-
tion:
Sub-
ject&Username 1. From the Trust domain drop-down list, select the PKI trust domain
Checking that contains the CA (Certification Authority) certificate. If only the
CN Matching certificate submitted by the client is matched to any CA certificate
of the trust domain, the authentication will succeed.
OU Matching
2. If necessary, select the Subject&Username Checking check box
to enable the subject & username check function. After enabling it,
when the user is authenticated by the USB Key certificate, the sys-
tem will check whether the subject CommonName in the client cer-

Chapter 8 VPN 166

 tificate is the same as the name of the login user. You can also
enter the strings in the CN Match box and the OU box and determ-
ine whether to match the them.

3. Click Add. The configured settings will be displayed in the list below.
To delete an item, select the item you want to delete from the list,
and then click Delete.

In the SMS Authentication tab, configure the corresponding options.

SMS Authentication
SMS Authentic- Select the Enable check box to enable the function.
ation
l Specify the lifetime of the SMS authentication code. Type the life-
time value into the Lifetime of SMS Auth Code box.

SMS Test To check whether the device works normally, specify a mobile phone
number in the box and then click Send.

In the Host Checking/Binding tab, configure the corresponding options.

Host Checking
Creates a host checking rule to perform the host checking function. Before creating a host
checking rule, you must first configure the host checking profile in "Configuring a Host
Checking Profile" on Page 177.

Role Specify the role to which the host checking rule will be applied. Select the
role from the Role drop-down list. Default indicates the rule will take
effect to all the roles.
Host Checking Specify the host checking profile. Select the profile from the Host Check-
Name ing Name drop-down list.

Guest Role Select the guest role from the Guest Role drop-down list. The user will
get the access permission of the guest role when the host checking fails.
If Null is selected, the system will disconnect the connection when the
host checking fails.
Periodic Check- Specify the checking period. The system will check the status of the host
ing automatically according to the host checking profile in each period.
Add Click Add. The configured settings will be displayed in the table below.

Delete To delete an item, select the item you want to delete from the list, and
then click Delete.
Host Binding

Enable Host Bind- Select the Enable Host Binding check box to enable the function. By
ing default, one user can only log in on one host. You can change the login
status by configuring the following options.

l Allow one user to login through multiple hosts.

l Allow multiple users to login on one host.

l Automatically add the user-host ID entry into the binding list at the
first login.
Note: To use the host binding function, you still have to configure it in
the host binding configuration page. For more information about host
binding, see "Host Binding" on Page 173.

In the Optimized Path tab, configure the corresponding options.

167 Chapter 8 VPN

 Option Description
Optimal path detection can automatically detect which ISP service is better, giving remote
users a better user experience.
No Check Do not detect.
Client The client selects the optimal path automatically by sending UDP probe
packets.
The device When the client connect the server directly without any NAT device, the
detection process is:

1. The server recognizes the ISP type of the client according to the cli-
ent's source address.

2. The server sends all the sorted IP addresses of the egress inter-
faces to the client.

3. The client selects the optimal path.

When the client connects the server through a NAT device, the detection
process is:

1. The server recognizes the ISP type of the client according to the cli-
ent's source address.

2. The server sends all the sorted NAT IP addresses of the external
interfaces to the client.

3. The client selects the optimal path.

NAT Mapping If necessary, in the NAT mapping address and port section, specify the
Address and mapped public IPs and ports of the server referenced in the DNAT rules
Port of the DNT device. When the client connects to the server through the
DNAT device, the NAT device will translate the destination address of the
client to the server's egress interface address. Type the IP address of the
NAT device's external interface and the HTTPS port number (You are not
recommended to specify the HTTPS port as 443, because 443 is the
default HTTPS port of WebUI management). You can configure up to 4
IPs.

4. Click Done to save the settings.

To view the SSL VPN online users:

1. Select Configure > Network > SSL VPN.

2. Select an SSL VPN instance.

3. View the detailed information of the online users in the table.

Co nfiguring Reso urce List

Resource list refers to resources configured in the system that can be easily accessible by users. Each resource con-
tains multiple resource items. The resource item is presented in the form of resource item name followed by URL in
your default browser page. After the SSL VPN user is authenticated successfully, the authentication server will send
the user group information of the user to the SSL VPN server. Then, according to the binding relationship between the
user group and resources in the SSL VPN instance, the server will send a resource list which the user can access to
the client. After that, the client will analyze and make the IE browser that your system comes with pop up a page to dis-
play the received resource list information so that the user can access the private network resource directly by clicking
the URL link. The resource list page is poped up only once after the authentication is passed. If a user does not belong
to any user group, the browser will not pop up the resource list page after authentication is passed.
To configure resource list for SSL VPN:

Chapter 8 VPN 168

1. Select Network > VPN > SSL VPN.

2. Click Resources List at the top-right corner.

3. Click New.

In the Resources Configuration dialog, configure the corresponding options.

Option Description
Name Enters a name for the new created resource.
Resource Item

Name Enters a name for a new resource item. Names of resource items in
different resources can not be the same.
URL Enters a URL for a new resource item.
Add Click Addto add this binding item to the list below.
Note: The number of resource items that can be added in a
resource ranges from 0 to 48. The total number of resource items
that can be added in all resources can not exceed 48.

Delete To delete a rule, select the rule you want to delete from the list and
click Delete.
Up/Down/Top/Bottom You can move the location for items at your own choice to adjust
the presentation sequence accordingly.

4. Click OK, the new resource will be displayed in the resource list.
At most 3 resource items can be displayed in the resource list for each resource, and the other items will be dis-
played as "...". You can click Edit or Delete button to edit or delete the selected resource.

169 Chapter 8 VPN

 Note:
l Less than 48 resources can be configured in a SSL VPN instance.

l The resource list function is only available for Windows SSL VPN clients.

Co nfiguring an SSL V PN Address Po o l

The SSL VPN servers allocate the IPs in the SSL VPN address pools to the clients. After the client connects to the server
successfully, the server will fetch an IP address along with other related parameters (e.g., DNS server address, and
WIN server address) from the SSL VPN address pool and then allocate the IP and parameters to the client.
You can create IP binding rule to meet the fixed IP requirement. IP binding rule includes IP-user binding rule and IP-
role binding rule. The IP-user binding rule binds the client to a fixed IP in the configured address pool. When the client
connects to the server successfully, the server will allocate the binding IP to the client. The IP-role binding rule binds
the role to an IP range in the configured address pool. When the client connects to the server successfully, the server
will select an IP from the IP range and allocate the IP to the client.
After the client successfully connects to the server, the server will check the binding rules in a certain order to determ-
ine which IP to allocate. The order is shown as below:

l Check whether the IP-user binding rule is configured for the client. If yes, allocate the bound IP to the client; if no,
the server will select an IP which is not bound or used from the address pool, then allocate it to the client.

l Check whether the IP-role binding rule is configured for the client. If yes, get an IP from the IP range and allocate
to the client; if no, the server will select an IP which is not bound or used from the address pool, then allocate it to
the client.

Note: IP addresses in the IP-user binding rule and the IP address in the IP-role binding rules
should not overlap.

To configure an address pool:

1. Select Network > VPN > SSL VPN.

2. Click Address Pool at the top-right corner.

Chapter 8 VPN 170

3. Click New.

In the Basic tab, configure the corresponding options.

Option Description
Address Pool Specifies the name of the address pool.
Name
Start IP Specifies the start IP of the address pool.
End IP Specifies the end IP of the address pool.
Reserved Start IP Specifies the reserved start IP of the address pool.
Reserved End IP Specifies the reserved end IP of the address pool.
Mask Specifies the netmask in the dotted decimal format.
DNS1/2/3/4 Specifies the DNS server IP address for the address pool. It is optional. At
most 4 DNS servers can be configured for one address pool.
WINS1/2 Specifies the WIN server IP addresses for the address pool. It is optional.
At most 2 WIN servers can be configured for one address pool.

In the IP User Binding tab, configure the corresponding options.

Option Description
User Type the user name into the User box.
IP Type the IP address into the IP box.
Add Click Add to add this IP user binding rule.
Delete To delete a rule, select the rule you want to delete from the list and click
Delete.

In the IP Role Binding tab, configure the corresponding options.

Option Description
Role Type the role name into the Role box.
Start IP Type the start IP address into the Start IP box.
End IP Type the end IP address into the End IP box.
Add Click Addto add this IP role binding rule.
Delete To delete a rule, select the rule you want to delete from the list and
click Delete.

171 Chapter 8 VPN

 Up/Down/Top/Bottom The system will query for IP role binding rules by turn, and allocate
the IP address according to the first matched rule. You can move
the location up or down at your own choice to adjust the matching
sequence accordingly.

4. Click OK to save the settings.

Co nfiguring SSL V PN Lo gin Page

You can customize the title and background of the SSL VPN login page. The default title is Login and the login page is
shown as below:

To customize the SSL VPN login page:

1. Select Network > VPN > SSL VPN.

2. At the top-right corner, click Login Page Configuration.

3. Click Browse to select the background picture. The selected pictures must be zipped, and the file name must be
Login_box_bg_en.gif for English pages. The picture size must be 624px*376px.

4. Click Upload to upload the background picture to the system. After uploading successfully, you have completed
the background picture modification.

5. Enter the title in the Authentication Page Title box to customize the title of the login page.

6. Click OK to save the settings. Clicking Cancel will only affect the authentication page title modification.
If you want to use the default authentication title Login, click Clear Page Title. Then click OK. If you want to restore
the default picture, click Restore Default Background and select English in the pop-up dialog. Then click OK.

Chapter 8 VPN 172

H o st B inding
The host binding function verifies the hosts running SSL VPN clients according to their host IDs and user information.
The verification process is:

1. When an SSL VPN user logs in via the SSL VPN client, the client collects the host information of main board serial
number, hard disk serial number, CUP ID, and BIOS serial number.

2. Based on the above information, the client performs the MD5 calculation to generate a 32-digit character, which is
named host ID.

3. The client sends the host ID and user/password to the SSL VPN server.

4. The SSL VPN server verifies the host according to the entries in the host unbinding list and host binding list, and
deal with the verified host according to the host binding configuration.
The host unbinding list and host binding list are describes as follows:

l Host unbinding list: The host unbinding list contains the user-host ID entries for the first-login users.

l Host binding list: The host binding list contains the user-host ID entries for the users who can pass the veri-
fication. The entries in the host unbinding list can be moved to the host binding list manually or automatically for
the first login. When a user logs in, the SSL VPN server will check whether the host binding list contains the user-
host ID entry of the login user. If there is the matched entry in the host binding list, the user will pass the veri-
fication and the sever will go on checking the user/password. If there is no matched entry for the login user, the
connection will be disconnected.

Configuring H os t Binding
Configuring host binding includes host binding/unbinding configurations, super user configurations, shared host con-
figurations, and user-host binding list importing/exporting.

Configuring H ost Binding a nd U nbinding

To add a binding entry to the host binding list:

1. Select Network > VPN > SSL VPN.

2. At the top right corner, click Host Checking/Binding to visit the Host Checking/Binding page.

2. Click Host Binding.

3. With the Binding and Unbinding tab active, select the entries you want to add in the Host Unbinding List.

4. Click Add to add the selected entries to the Host Binding List.
To delete a binding entry from the host binding list:

1. Select Network > VPN > SSL VPN.

2. At the top right corner, click Host Checking/Binding to visit the Host Checking/Binding page.

3. Click Host Binding.

4. With the Binding and Unbinding tab active, select the entries you want to delete in the Host binding List.

5. Click Unbinding to remove the selected entries from this list.

Configuring a Supe r U se r
The super user won't be controlled by the host checking function, and he can log in at any host. To configure a super
user:

1. Select Network > VPN > SSL VPN.

2. At the top right corner, click Host Checking/Binding to visit the Host Checking/Binding page.

173 Chapter 8 VPN

 3. Click Host Binding.

4. With the User Privilege tab active, click New.

In the New dialog, configure the corresponding options.

Option Description

User Specifies the name of the user.

Super User Select the Enable check box to make it a super user.
Pre-approved If the system allows one user to login from multiple hosts, and the
Number option of automatically adding the user-host ID entry into the host bind-
ing list at the first login is enabled, then by default the system only
records the user and first login host ID entry to the host binding list, i.e.,
if the user logs in from other hosts, the user and host ID will be added to
the host unbinding list. This pre-approved number specifies the max-
imum number of user-host ID entries for one user in the host binding
list.

5. Click OK to save the settings.

Configuring a Sha re d H ost

Clients that log in from the shared host won't be controlled by the host binding list. To configure a shared host:

1. Select Network > VPN > SSL VPN.

2. At the top right corner, click Host Checking/Binding to visit the Host Checking/Binding page.

3. Click Host Binding.

4. With the Host ID Privilege tab active, click New.

Chapter 8 VPN 174

 In the New dialog, configure the corresponding options.
Option Description

Host ID Type the host ID into the Host ID box.

Shared Host Select the Enable check to make it a shared host. By default, this check
box is selected.

5. Click OK to save the settings.

Importing/Exporting H ost Binding List

To import the host binding list:

1. Select Network > VPN > SSL VPN.

2. At the top right corner, click Host Checking/Binding to visit the Host Checking/Binding page.

3. Click Host Binding.

4. With the Binding and Unbinding tab active, click Import.

5. Click Browse to find the binding list file and click Upload.
To export the host binding list:

1. Select Network > VPN > SSL VPN.

2. At the top right corner, click Host Checking/Binding to visit the Host Checking/Binding page.

3. Click Host Binding.

4. With the Binding and Unbinding tab active, click Export.

5. Select a path to save the host binding list.

175 Chapter 8 VPN

H o st Checking
The host checking function checks the security status of the hosts running SSL VPN clients, and according to the
check result, the SSL VPN server will determine the security level for each host and assign corresponding resource
access right based on their security level. It a way to assure the security of SSL VPN connection. The checked factors
include the operating system, IE version, and the installation of some specific software.
The factors to be checked by the SSL VPN server are displayed in the list below:

Factor Description

Operating system l Operating system, e.g., Windows 2000, Windows 2003, Windows
XP, Windows Vista, Windows 7m Windows 8, etc.

l Service pack version, e.g., Service Pack 1

l Windows patch, e.g., KB958215, etc.

l Whether the Windows Security Center and Automatic Updates are
enabled

l Whether the installation of AV software is compulsory, and whether the

real-time monitor and the auto update of signature database are
enabled

l Whether the installation of anti-spyware is compulsory, and whether

the real-time monitor and the online update of signature database are
enabled

l Whether the personal firewall is installed, and whether the real-time

protection is enabled

Whether the IE version and security level reach the specified requirements
Other con- Whether the specified processes are running
figurations
Whether the specified services are installed
Whether the specified services are running
Whether the specified registry key values exist
Whether the specified files exist in the system

Role Ba s ed Ac c es s Control a nd H os t Chec k ing Proc edure

Role Based Access Control (RBAC) means that the permission of the user is not determined by his user name, but his
role. The resources can be accessed by a user after the login is determined by his corresponding role. So role is the
bridge connecting the user and permission.
The SSL VPN host checking function supports RBAC. And the concepts of primary role and guest role are introduced in
the host checking procedure. The primary role determines which host checking profile (contains the host checking
contents and the security level) will be applied to the user and what access permission can the user have if he passes
the host checking. And the guest role determines the access permission for the users who failed in the host checking.
The host checking procedure is shown as below

1. The SSL VPN client sends request for connection and passes the authentication.

2. The SSL VPN server sends host checking profile to the client.

3. The client checks the host security status according to the items in the host checking profile. If it failed in the host
checking, the system will notify the checking result.

4. The client sends the checking result back to the server.

5. The server disconnects the connection for the failed client or gives the guest role's access permission to the failed
client.

Chapter 8 VPN 176

The host checking function also supports dynamic access permission control. On one side, when the client's security
status changes, the server will send a new host checking profile to the client to make him re-check; on the other side,
the client can perform the security checking periodically, e.g., if the AV software is disabled and it is detected by the
host checking function, the assigned role to the client may changed, and so does the access permission.

Configuring a H os t Chec k ing Profile

To configuring host checking profile:

1. Select Network > VPN > SSL VPN.

2. At the top right corner, click Host Checking/Binding to visit the Host Checking/Binding page.

3. In the Host Checking tab, click New to create a new host checking rule.

In the Basic tab, configure the corresponding options.

Option Description

Hostname Specifies the name of the host checking profile.

OS Version Specifies whether to check the OS version on the client host. Click one of
the following options:

l No Check: Do not check the OS version.

l Must Match: The OS version running on the client host must be the
same as the version specified here. Select the OS version and ser-
vice pack version from the drop-down lists respectively.

l At Least: The OS version running on the client host should not be

lower than the version specified here. Select the OS version and
service pack version from the drop-down lists respectively.
Patch1/2/3/4/5 Specifies the patch that must be installed on the client host. Type the
patch name into the box. Up to 5 patches can be specified.
Lowest IE Version Specifies the lowest IE version in the Internet zone on the client host. The
IE version running on the client host should not be lower than the ver-
sion specified here.
Lowest IE Secur- Specifies the lowest IE security level on the client host. The IE security
ity Level level on the host should not be lower than the level specified here.

In the Advanced tab, configure the corresponding options.

Option Description

177 Chapter 8 VPN

 Security Center Checks whether the security center is enabled on the client host.
Auto Update Checks whether the Windows auto update function is enabled.
Anti-Virus Soft- Checks the status and configurations of the anti-virus software:
ware
l Installed: The client host must have the AV software installed.

l Monitor: The client host must enable the real-time monitor of the
AV software.

l Virus Signature DB Update: The client host must enable the sig-
nature database online update function.
Anti-spyware Checks the status and configurations of the anti-spyware software:
Software
l Installed: The client host must have the anti-spyware installed.

l Monitor: The client host must enable the real-time monitor of the
anti-spyware.

l Virus Signature DB Update: The client host must enable the sig-
nature database online update function.
Firewall Checks the status and configurations of the firewall:

l Installed: The client host must have the personal firewall installed.

l Monitor: The client host must enable the real-time monitor function
of the personal firewall.
Registry Key Value
Key1/2/3/4/5 Checks whether the key value exists. Up to 5 key values can be con-
figured. The check types are:

l No Check: Do not check the key value.

l Exist: The client host must have the key value. Type the value into
the box.

l Do not Exist: The client cannot have the key value. Type the value
into the box.
File Path Name
File1/2/3/4/5 Checks whether the file exists. Up to 5 files can be configured. The check
types are:

l No Check: Do not check file.

l Exist: The client host must have the file. Type the value into the
box.

l Do not Exist: The client cannot have the file. Type the value into the
box.
Running Process Name
Process1/2/3/4/5 Checks whether the process is running. Up to 5 processes can be con-
figured. The check types are:

l No Check: Do not check the process.

l Exist: The client host must have the process running. Type the pro-
cess name into the box.

Chapter 8 VPN 178

 l Do not Exist: The client cannot have the process running. Type the
process name into the box.
Installed Service Name
Service1/2/3/4/5 Checks whether the service is installed. Up to 5 services can be con-
figured. The check types are:

l No Check: Do not check the service.

l Exist: The client host must have the service installed. Type the ser-
vice name into the box.

l Do not Exist: The client host cannot have the service installed.
Type the service name into the box.
Running Service name
Service1/2/3/4/5 Checks whether the service is running. Up to 5 services can be con-
figured. The check types are:

l No Check: Do not check the service.

l Exist: The client host must have the service running. Type the ser-
vice name into the box.

l Do not Exist: The client host cannot have the service running. Type
the service name into the box.

4. Click OK to save the settings.

179 Chapter 8 VPN

SSL V PN Client fo r Windo w s
SSL VPN client for Windows is named as Hillstone Secure Connect. Hillstone Secure Connect can be run in the fol-
lowing operating systems: Windows 2000/2003/XP/Vista/Windows 7/Windows 8/Windows 2008/Windows 10/Win-
dows 2012. The encrypted data can be transmitted between the SSL VPN client and SSL VPN server after a connection
has been established successfully. The functions of the client are:

l Get interface and route information from the PC on which the client is running.

l Show the connecting status, statistics, interface information, and route information.

l Show SSL VPN log messages.

l Upgrade the client software.

l Resolve the resource list information received from the server.

This section mainly describes how to download, install, start, uninstall the SSL VPN client, and its GUI and menu. The
method for downloading, installing and starting the client may vary from the authentication methods configured on the
server. The SSL VPN server supports the following authentication methods:

l Username/Password

l Username/Password + Digital Certificate

l Digital Certificate only

D ow nloa ding a nd Ins ta lling Sec ure Connec t

When using the SSL VPN client for the first time, you need to download and install the client software Hillstone Secure
Connect. This section describes three methods for downloading and installing the client software based on three avail-
able authentication methods. For the Username/Password + Digital Certificate authentication, the digital certificate
can either be the USB Key certificate provided by the vendor, or the file certificate provided by the administrator.

U sing U se rna me /P a ssword Authe ntica tion

When the Username/Password authentication is configured on the server, take the following steps to download and
install the SSL VPN client software - Hillstone Secure Connect:

1. Visit the following URL with a web browser: https://IP-Address:Port-Number. In the URL, IP-Address and Port-
Number refer to the IP address and HTTPS port number of the egress interface specified in the SSL VPN instance.

2. In the SSL VPN login page (shown in Figure 1), type the username and password into the Username and Pass-
word boxes respectively, and then click Login.

l If local authentication server is configured on the device, the username and password should be configured
before on the device.

l If "Radius authentication + RSA SecurID Token authentication by RSA Server" is configured on the device,
and the user logs in for the first time, the username should be the username configured on the Radius
server, and the password should be the dynamic Token password being bound to the user. Click Login, and
in the PIN Setting page (shown in Figure 2), set a PIN (4 to 8 digits). After the PIN has been set successfully,
you will be prompted to login again with the new password (shown in Figure 3). Click Login again to return
to the login page, type the correct username and new password, and click Login. The new password is PIN +
dynamic Token password. For example, if the PIN is set to 54321, and the dynamic Token password is
808771, then the new password is 54321808771.

l If "Radius authentication + RSA SecurID Token authentication by RSA Server" is configured on the device, but
the user is not logging in for the first time, the username should be the username configured on the Radius
server, and the password should be PIN + dynamic Token password.

Chapter 8 VPN 180

 Figure 1

Figure 2

Figure 3

3. If SMS authentication is enabled on the SSL VPN server, the SMS Authentication dialog will appear. Type the
authentication code and click Authenticate. If you have not received the authentication code in one minute, you
can re-apply.

l After passing the authentication, you have three chances to type the authentication code. If you give incorrect
authentication code three times in succession, the connection will be disconnected automatically.

l You have three chances to apply the authenticate code, and the sending interval is one minute. Re-applying
authentication code will void the old code, thus you must provide the latest code to pass the authentication.

4. After login, IE will download the client software automatically, and you can install it just following the prompts; for
other web browsers, e.g., Firefox, you should click Download to download the client software scvpn.exe first,
and then double-click it to install.
A virtual network adapter will be installed on your PC together with Secure Connect. It is used to transmit encrypted
data between the SSL VPN server and client.

181 Chapter 8 VPN

U sing U se rna me /P a ssword + D igita l Ce rtifica te Authe ntica tion
When the Username/Password + Digital Certificate authentication is configured on the server, take the following steps
to download and install the SSL VPN client software - Hillstone Secure Connect:

1. Insert the USB Key to the USB port of the PC, or import the file certificate provided by the administrator manually.

2. Visit the following URL with a web browser: https://IP-Address:Port-Number. In the URL, IP-Address and Port-
Number refer to the IP address and HTTPS port number of the egress interface specified in the SSL VPN instance.

3. In the Select Digital Certificate dialog, select the certificate you want and click OK. If USB Key certificate is selec-
ted, in the pop-up dialog, provide the UKey PIN code (1111 by default) and click OK.

4. In the SSL VPN login page shown below, type the username and password into the Username and Password
boxes respectively, and then click Login. The login user should be configured before in the device.

5. If SMS authentication is enabled on the SSL VPN server, the SMS Authentication dialog will appear. Type the
authentication code and click Authenticate. If you have not received the authentication code in one minute, you
can re-apply.

l After passing the authentication, you have three chances to type the authentication code. If you give incorrect
authentication code three times in succession, the connection will be disconnected automatically.

l You have three chances to apply the authenticate code, and the sending interval is one minute. Re-applying
authentication code will void the old code, thus you must provide the latest code to pass the authentication.

6. After login, IE will download the client software automatically, and you can install it just following the prompts; for
other web browsers, e.g., Firefox, you should click Download to download the client software scvpn.exe first,
and then double-click it to install.
A virtual network adapter will be installed on your PC together with Secure Connect. It is used to transmit encrypted
data between the SSL VPN server and client.

U sing D igita l Ce rtifica te Only

When the Digital Certificate only authentication is configured on the server, take the following steps to download and
install the SSL VPN client software - Hillstone Secure Connect:

1. Insert the USB Key to the USB port of the PC, or import the file certificate provided by the administrator manually.

2. Visit the following URL with a web browser: https://IP-Address:Port-Number. In the URL, IP-Address and Port-
Number refer to the IP address and HTTPS port number of the egress interface specified in the SSL VPN instance.

3. In the Select Digital Certificate dialog, select the certificate you want and click OK. If USB Key certificate is selec-
ted, in the Enter Password dialog, provide the UKey user password (1111 by default) and click OK.

4. After login, IE will download the client software automatically, and you can install it just following the prompts; for
other web browsers, e.g., Firefox, you should click Download to download the client software scvpn.exe first,
and then double-click it to install.

Chapter 8 VPN 182

A virtual network adapter will be installed on your PC together with Secure Connect. It is used to transmit encrypted
data between the SSL VPN server and client.

Sta rting Sec ure Connec t

After installing Secure Connect on your PC, you can start it in two ways:

l Starting via Web

l Starting directly

Sta rting v ia We b
This section describes how to start Secure Connect via Web based on the three authentication methods configured on
the server. For the Username/Password + Digital Certificate authentication, the digital certificate can either be the USB
Key certificate provided by the vendor, or the file certificate provided by the administrator.

Us i ng Us er nam e/ Pas s wo r d A uthenti c ati o n

When the Username/Password authentication is configured on the server, take the following steps to start Secure Con-
nect via web:

1. Type the URL https://IP-Address:Port-Number into the address bar of your web browser.

2. In the login page (shown in Figure 4), type the username and password into the Username and Password boxes
respectively, and then click Login.

l If local authentication server is configured on the device, the username and password should be configured
before on the device;

l If "Radius authentication + RSA SecurID Token authentication by RSA Server" is configured on the device,
and the user logs in for the first time, the username should be the username configured on the Radius
server, and the password should be the dynamic Token password being bound to the user. Click Login, and
in the PIN Setting page (shown in Figure 5), set a PIN (4 to 8 digits). After the PIN has been set successfully,
you will be prompted to login again with the new password (shown in Figure 6). Click Login again to return
to the login page, type the correct username and new password, and click Login. The new password is PIN +
dynamic Token password. For example, if the PIN is set to 54321, and the dynamic Token password is
808771, then the new password is 54321808771.

l If "Radius authentication + RSA SecurID Token authentication by RSA Server" is configured on the device, but
the user is not logging in for the first time, the username should be the username configured on the Radius
server, and the password should be PIN + dynamic Token password.

Figure 4

183 Chapter 8 VPN

 Figure 5

Figure 6

3. If the SMS authentication function is enabled, type the SMS authentication code into the box, and then click
Authenticate. If you have not received the code in one minute, you can re-apply.

l After passing the authentication, you have three chances to type the authentication code. If you give incorrect
authentication code three times in succession, the connection will be disconnected automatically.

l You have three chances to apply the authenticate code, and the sending interval is one minute. Re-applying
authentication code will void the old code, thus you must provide the latest code to pass the authentication.
Finishing the above steps, the client will connect to the server automatically. After the connection has been established

successfully, the icon ( ) will be displayed in the notification area. And the encrypted communication between the
client and server can be implemented now.

Us i ng Us er nam e/ Pas s wo r d + USB K ey Cer ti f i c ate A uthenti c ati o n

When the Username/Password + Digital Certificate authentication is configured on the server, for the USB Key cer-
tificate, to start Secure Connect via web:

1. Insert the USB Key to the USB port of the PC.

2. Type the URL https://IP-Address:Port-Number into the address bar of your web browser.

3. In the Select Digital Certificate dialog, select the digital certificate you want and click OK. In the Enter Password
dialog, provide the UKey user password (1111 by default) and click OK.

4. In the SSL VPN login page shown below, type the username and password into the Username and Password
boxes respectively, and then click Login. The login user should be configured before on the device.

Chapter 8 VPN 184

5. If the SMS authentication function is enabled, type the SMS authentication code into the box, and then click
Authenticate. If you have not received the code in one minute, you can re-apply.

l After passing the authentication, you have three chances to type the authentication code. If you give incorrect
authentication code three times in succession, the connection will be disconnected automatically.

l You have three chances to apply the authenticate code, and the sending interval is one minute. Re-applying
authentication code will void the old code, thus you must provide the latest code to pass the authentication.

6. In the USB Key PIN dialog shown below, type the UKey PIN (1111 by default), and click OK.

Finishing the above steps, the client will connect to the server automatically. After the connection has been established

successfully, the icon ( ) will be displayed in the notification area. And the encrypted communication between the
client and server can be implemented now.

Us i ng Us er nam e/ Pas s wo r d + Fi l e Cer ti f i c ate A uthenti c ati o n

When the Username/Password + Digital Certificate authentication is configured on the server, for the file certificate, to
start Secure Connect via web:

1. Import the file certificate provided by the administrator manually.

2. Type the URL https://IP-Address:Port-Number into the address bar of your web browser.

3. In the Select Digital Certificate dialog, select the digital certificate you want and click OK.

4. In the SSL VPN login page shown below, type the username and password into the Username and Password
boxes respectively, and then click Login. The login user should be configured before on the device.

185 Chapter 8 VPN

 5. If the SMS authentication function is enabled, type the SMS authentication code into the box, and then click
Authenticate. If you have not received the code in one minute, you can re-apply.

l After passing the authentication, you have three chances to type the authentication code. If you give incorrect
authentication code three times in succession, the connection will be disconnected automatically.

l You have three chances to apply the authenticate code, and the sending interval is one minute. Re-applying
authentication code will void the old code, thus you must provide the latest code to pass the authentication.
Finishing the above steps, the client will connect to the server automatically. After the connection has been established

successfully, the icon ( ) will be displayed in the notification area. And the encrypted communication between the
client and server can be implemented now.

Us i ng USB K ey Cer ti f i c ate O nl y A uthenti c ati o n

When the Digital Certificate Only authentication is configured on the server, for the USB Key certificate, to start Secure
Connect via web:

1. Insert the USB Key to the USB port of the PC.

2. Type the URL https://IP-Address:Port-Number into the address bar of your web browser.

3. In the Select Digital Certificate dialog, select the digital certificate you want and click OK. In the Enter Password
dialog, provide the UKey user password (1111 by default) and click OK.

4. In the USB Key PIN dialog shown below, type the UKey PIN (1111 by default), and click OK.

Finishing the above steps, the client will connect to the server automatically. After the connection has been established

successfully, the icon ( ) will be displayed in the notification area. And the encrypted communication between the
client and server can be implemented now.

Us i ng Fi l e Cer ti f i c ate O nl y A uthenti c ati o n

When the Digital Certificate Only authentication is configured on the server, for the file certificate, to start Secure Con-
nect via web:

1. Import the file certificate provided by the administrator manually.

2. Type the URL https://IP-Address:Port-Number into the address bar of your web browser.

Chapter 8 VPN 186

3. In the Select Digital Certificate dialog, select the digital certificate you want and click OK.
Finishing the above steps, the client will connect to the server automatically. After the connection has been established

successfully, the icon ( ) will be displayed in the notification area. And the encrypted communication between the
client and server can be implemented now.

Sta rting D ire ctly

This section describes how to start Secure Connect directly based on the three authentication methods configured on
the server. For the Username/Password + Digital Certificate authentication, the digital certificate can either be the USB
Key certificate provided by the vendor, or the file certificate provided by the administrator.

U sing U se rna me /P a ssword Authe ntica tion

When the Username/Password authentication is configured on the server, to start Secure Connect directly:

1. In your PC, double click the shortcut to Hillstone Secure Connect on your desktop.

2. In the Login dialog, click Mode. In the Login Mode dialog shown below, click Username/Password, and then
click OK.

3. In the Login dialog of the Username/Password authentication mode (shown in Figure 7), configure the options to
login.

Option Description

Saved Con- Provides the connection information you have filled before. Select a con-
nection nection from the drop-down list.
Server Enter the IP address of SSL VPN server.
Port Enter the HTTPS port number of SSL VPN server.
Username Enter the name of the login user.
Password Enter the password of the login user.

l If local authentication server is configured on the device, the username and password should be configured
before on the device;

l If "Radius authentication + RSA SecurID Token authentication by RSA Server" is configured on the device,
and the user logs in for the first time, the username should be the username configured on the Radius
server, and the password should be the dynamic Token password being bound to the user. Click Login, and
in the PIN Setting page (shown in Figure 8), set a PIN (4 to 8 digits). After the PIN has been set successfully,
you will be prompted to login again with the new password (shown in Figure 9). Click Login again to return
to the login page, type the correct username and new password, and click Login. The new password is PIN +
dynamic Token password. For example, if the PIN is set to 54321, and the dynamic Token password is
808771, then the new password is 54321808771.

187 Chapter 8 VPN

 l If "Radius authentication + RSA SecurID Token authentication by RSA Server" is configured on the device, but
the user is not logging in for the first time, the username should be the username configured on the Radius
server, and the password should be PIN + dynamic Token password.

Figure 7

Figure 8

Figure 9

4. Click Login. If SMS authentication is enabled, type the authentication code into the box in the SMS Auth dialog (as
shown below) and click Verify. If you have not received the authentication code in one minute, you can re-apply
by clicking Reapply.

Chapter 8 VPN 188

Finishing the above steps, the client will connect to the server automatically. After the connection has been established

successfully, the icon ( ) will be displayed in the notification area. And the encrypted communication between the
client and server can be implemented now.

Us i ng Us er nam e/ Pas s wo r d + USB K ey Cer ti f i c ate A uthenti c ati o n

When the Username/Password + Digital Certificate authentication is configured on the server, for the USB Key cer-
tificate, to start Secure Connect directly:

1. Insert the USB Key to the USB port of the PC.

2. In your PC, double click the shortcut to Hillstone Secure Connect on your desktop.

3. In the Login dialog, click Mode. In the Login Mode dialog, first click Username/Password + Digital
Certificate, and if necessary, click Select Cert. In the Select Certificate dialog shown below, select a USB Key
certificate. If the USB Key certificate is not listed, click Update. The client will send the selected certificate to the
server for authentication. Finally click OK.

4. In the Login dialog of the Username/Password + Digital Certificate authentication mode (as shown below), con-
figure the options to login.

189 Chapter 8 VPN

 5. Click Login. If SMS authentication is enabled, type the authentication code into the box in the SMS Auth dialog (as
shown below) and click Verify. If you have not received the authentication code in one minute, you can re-apply
by clicking Reapply.

Finishing the above steps, the client will connect to the server automatically. After the connection has been established

successfully, the icon ( ) will be displayed in the notification area. And the encrypted communication between the
client and server can be implemented now.

Us i ng Us er nam e/ Pas s wo r d + Fi l e Cer ti f i c ate A uthenti c ati o n

When the Username/Password + Digital Certificate authentication is configured on the server, for the file certificate, to
start Secure Connect directly:

1. Import the file certificate provided by the administrator manually.

2. In your PC, double click the shortcut to Hillstone Secure Connect on your desktop.

3. In the Login dialog, click Mode. In the Login Mode dialog, first click Username/Password + Digital
Certificate, and if necessary, click Select Cert. In the Select Certificate dialog shown below, select a file cer-
tificate. If the file certificate is not listed, click Update. The client will send the selected certificate to the server
for authentication. Finally click OK.

Chapter 8 VPN 190

4. In the Login dialog of the Username/Password + Digital Certificate authentication mode (as shown below), con-
figure the options to login.

5. Click Login. If SMS authentication is enabled, type the authentication code into the box in the SMS Auth dialog (as
shown below) and click Verify. If you have not received the authentication code in one minute, you can re-apply
by clicking Reapply.

191 Chapter 8 VPN

Finishing the above steps, the client will connect to the server automatically. After the connection has been established

successfully, the icon ( ) will be displayed in the notification area. And the encrypted communication between the
client and server can be implemented now.

Us i ng USB K ey Cer ti f i c ate O nl y

When the Digital Certificate Only authentication is configured on the server, for the USB Key certificate, to start Secure
Connect directly:

1. Insert the USB Key to the USB port of the PC.

2. In your PC, double click the shortcut to Hillstone Secure Connect on your desktop.

3. In the Login dialog, click Mode. In the Login Mode dialog, first click Username/Password + Digital
Certificate, and if necessary, click Select Cert. In the Select Certificate dialog shown below, select a USB Key
certificate. If the USB Key certificate is not listed, click Update. The client will send the selected certificate to the
server for authentication. Finally click OK.

4. In the Login dialog of the Username/Password + Digital Certificate authentication mode (as shown below), con-
figure the options to login.

Chapter 8 VPN 192

5. Finishing the above configuration, click Login.
Finishing the above steps, the client will connect to the server automatically. After the connection has been established

successfully, the icon ( ) will be displayed in the notification area. And the encrypted communication between the
client and server can be implemented now.

Us i ng Fi l e Cer ti f i c ate O nl y

When the Digital Certificate Only authentication is configured on the server, for the file certificate, to start Secure Con-
nect directly:

1. Import the file certificate provided by the administrator manually.

2. In your PC, double click the shortcut to Hillstone Secure Connect on your desktop.

3. In the Login dialog, click Mode. In the Login Mode dialog, first click Username/Password + Digital
Certificate, and if necessary, click Select Cert. In the Select Certificate dialog shown below, select a file cer-
tificate. If the file certificate is not listed, click Update. The client will send the selected certificate to the server
for authentication. Finally click OK.

193 Chapter 8 VPN

 4. In the Login dialog of the Digital Certificate Only authentication mode (as shown below), configure the options to
login.

5. Finishing the above configuration, click Login.

Finishing the above steps, the client will connect to the server automatically. After the connection has been established

successfully, the icon ( ) will be displayed in the notification area. And the encrypted communication between the
client and server can be implemented now.

View ing Sec ure Connec t GUI

Double click the Secure Connect icon ( ) in the notification area, the Network Information dialog appears. This dia-
log shows information about statistics, interfaces, and routes.

G e ne ra l
Descriptions of the options on the General tab:

Address Information

Server The IP address of the connected SSL VPN server.

Client The IP address of the client.
Crypto Suite

Cipher he encryption algorithm and authentication algorithm used by SSL VPN.

Version The SSL version used by SSL VPN.
Connection Status

Status The current connecting state between the client and server. The possible
states are: connecting, connected, disconnecting, and disconnected.
IPCompress

Algorithm Shows the compression algorithm used by SSL VPN.

Tunnel Packets

Sent The number of sent packets through the SSL VPN tunnel.
Received The number of received packets through the SSL VPN tunnel.
Tunnel Bytes

Sent The number of sent bytes through the SSL VPN tunnel.
Received The number of received bytes through the SSL VPN tunnel.
Connected Time

Chapter 8 VPN 194

 Address Information

Duration Shows the time period during which the client is keeping online.
Compress Ratio

Sent Shows the length ratio of sent data after compression.

Received Shows the length ratio of received data after compression.

Inte rfa ce
Descriptions of the options on the Interface tab:

Option Description

Adapter Name The name of the adapter used to send SSL VPN encrypted data.
Adapter Type The type of the adapter used to send SSL VPN encrypted data.
Adapter Status The status of the adapter used to send SSL VPN encrypted data.
Physical Address The MAC address of the interface used to send SSL VPN encrypted data.
IP Address Type The type of the interface address used to send SSL VPN encrypted data.
Network Address The IP address (allocated by SSL VPN server) of the interface used to send
SSL VPN encrypted data.
Subnet Mask The subnet mask of the interface used to send SSL VPN encrypted data.
Default Gateway The gateway address of the interface used to send SSL VPN encrypted data.
DNS Server The DNS server addresses used by the client.
Address
WINS Address The WINS server addresses used by the client.

Route
Description of the option on the Route tab:

Option Description

Local LAN Routes The routes used by the virtual network adapter.

View ing Sec ure Connec t Menu

Right-click the Secure Connect icon ( ) in the notification area, the menu appears.

Descriptions of the menu items:

Option Description

Network Displays the related information in the Network Information dialog.

Information
Log Shows Secure Connect log messages in the Log dialog.
This dialog shows the main log messages. To view the detailed log messages, click
Detail. Click Clear to remove the messages in the dialog. Click OK to close the Log
dialog.

Debug Configures Secure Connect's debug function in the Debug dialog.

About Shows Secure Connect related information in the About dialog.
Connect When Secure Connect is disconnected, click this menu item to connect.
Disconnect When Secure Connect is connected, click this menu item to disconnect.
Option Configures Secure Connect options, including login information, auto start, auto
login, and so on. For more information, see "Configuring Secure Connect" on
Page 196.

195 Chapter 8 VPN

 Option Description
Exit Click Exit to exit the client. If the client is connected to the server, the connection
will be disconnected.

Configuring Sec ure Connec t

You can configure Secure Connect in the Secure Connect Options dialog (click Option from the client menu). The con-
figurations include:

l Configuring General Options

l Configuring a Login Entry

Configuring G e ne ra l Options
In the Secure Connect Options dialog, select General from the navigation pane and the general options will be dis-
played.
Descriptions of the options:

Option Description

Auto Start Select this check box to autorun the SSL VPN client when the PC is started.
Auto Login Select this check box to allow the specified user to login automatically when
the PC is started. Select the auto login user from the Default Connection
drop-down list.
Auto Reconnect Select this check box to allow the client to reconnect the SSL VPN server
automatically after the unexpected disconnection.
Select Cert Click the button to select a USB Key certificate in the Select Certificate dia-
log. This option is available when USB KEY authentication is enabled.

Configuring a Login Entry

Login entry contains the login information for clients. The configured login entries will be displayed in the Saved Con-
nection drop-down list in the Login dialog. You can login by simply choosing the wanted connection instead of filling
up the options in the Login dialog.
To add a login entry:

1. In the Secure Connect Options dialog, select Saved Connection from the navigation pane and the login options
will be displayed.

Chapter 8 VPN 196

 In the dialog, configure the corresponding options.
Option Description

Connection Specifies the name for the connection to identify it. The system will
Name assign a name to the connection based on its server, port, and user auto-
matically if keeping this option blank.
Server Specifies the IP address of the SSL VPN server.
Port Specifies the HTTPS port number of the SSL VPN server.
Username Specifies the login user.
Login Mode Specifies the login mode. It can be one of the following options:

l Password (the username/password authentication method). If

Password is selected, select Remember Password to make the
system remember the password and type the password into the
Password box.

l Password + UKey (the USB KEY authentication method). If Pass-

word + UKey is selected, select Remember PIN to make the sys-
tem remember the PIN number and type PIN number into the UKey
PIN box.
Proximity Auto Select the option to enable optimal path detection function. For more
Detection information about optimal path detection, see "Configuring an SSL VPN"
on Page 162.

2. Click Apply.

197 Chapter 8 VPN

SSL V PN Client fo r Andro id
The SSL VPN client for Android is Hillstone Secure Connect. It can run on Android 4.0 and above. The functions of Hill-
stone Secure Connect contains the following items:

l Obtain the interface information of the Android OS.

l Display the connection status with the device, traffic statistics, interface information, and routing information.

l Display the log information of the application.

D ow nloa ding a nd Ins ta lling the Client

To download and install the client, take the following steps:

1. Visit the downloading page.

2. Use your mobile phone to scan the QR code of the client for Android at the right sidebar, and the URL of the client
displays.

3. Open the URL and download the Hillstone-Secure-Connect-Versione_Number.apk file.

4. After downloading successfully, find this file in your mobile phone.

5. 5Click it and the installation starts.

6. Read the permission requirments.

7. Click Install.
After installing the client successfully, the icon of Hillstone Secure Connect appears in the desktop as shown below:

Sta rting a nd Logging into the Client

To start and log into the client, take the following steps:

1. Click the icon of Hillstone Secure Connect. The login page appears.

2. Provide the following information and then click Login.

l Please Choose: Select a login entry. A login entry stores the login information and it facilities your next login.
For more information on login entry, see the Configuration Management section below.

l Server: Enters the IP address or the server name of the device that acts as the VPN server.

l Port: Enters the HTTPs port number of the device.

l Username: Enters the username for logging into the VPN.

l Password: Enters the corresponding password.

3. If the SSL VPN server enables the SMS authentication, the SMS authentication page will appear. In this page, enter
the received authentication code and then submit it. If you do not receive the authentication code, you can request
it after one minute.

After the client connects to the SSL VPN server, the key icon ( ) will appear at the notification area of your Android
system.

Chapter 8 VPN 198

GUI
After the client connects to the SSL VPN server, you can view the following pages: Connection Status page, Con-
figuration Management page, Connection Log page, System Configuration page, and About Us page.

Conne ction Sta tus

Click Status at the bottom of the page to enter into the Connection Status page and it displays the statistics and
routing information:

l The Connection Time: Time period during which the client is online.

l Received Bytes: Shows the received bytes through the SSL VPN tunnel.

l Sent Bytes: Shows the sent bytes through the SSL VPN tunnel.

l Server: Shows the IP address or the server name of the device that client connects to.

l Port: Shows the HTTPs port number of the device.

l Account: Shows the username that logs into the VPN instance.

l Private Server Address: Shows the interface’s IP address of the device that the client connects to.

l Client Private Address: Shows the IP address of the interface. This interface transmits the encrypted traffic and
this IP address is assigned by the SSL VPN server.

l Address Mask: Shows the netmask of the IP address of the interface. This interface transmits the encrypted
traffic.

l DNS Address: Shows the DNS Address used by the client.

l Routing Information: Shows the routing information for transmitting encrypted data.

l Disconnection Connection: Click this button to disconnect the current connection with the server.

Configura tion Ma na ge me nt
Click VPN at the bottom of the page to enter into the Configuration Management page. In this page, you can per-
form the following operations:

l Add/Edit/Delete a login entry

l Modify the login password

l Disconnect the connection with SSL VPN server

l Connect to the SSL VPN server

A d d i ng a Lo g i n E ntr y

To facilities the login process, you can add a login entry that stores the login information. The added login entry will
display in the drop-down list of Please Choose in the login page. You can select a login entry and the login inform-
ation will be filled in automatically.
To add a login entry, take the following steps:

1. In the Configuration Management page, click the icon at the top-right corner.

2. In the pop-up window, enter the following information:

a. Connection Name: Enters a name as an identifier for this login entry

b. Server: Enters the IP address or the server name of the device that acts as the VPN server.

c. Port: Enters the HTTPs port number of the device.

199 Chapter 8 VPN

 d. Username: Enters the username for logging into the VPN.

3. Click Confirm to save this login entry.

E d i ti ng a Lo g i n E ntr y

To edit a login entry, take the following steps:

1. In the login entry list, click the one that you want to edit and several buttons display.

2. Click Edit. The Edit Configuration dialog appears.

3. In the dialog, edit the login entry.

4. Click Confirm to save the modifications.

Del eti ng a Lo g i n E ntr y

To delete a login entry, take the following steps:

1. In the login entry list, click the one that you want to delete and several buttons display.

2. Click Delete.

3. Click Yes in the pop-up dialog to delete this login entry.

M o d i f yi ng the Lo g i n Pas s wo r d

To modify the login passwor, take the following steps:

1. In the login entry list, click the one that you want to modify the password and several buttons display.

2. Click Modify Password.

3. Enter the current password and new password in the pop-up dialog.

4. Click Confirm to save the settings.

Di s c o nnec ti ng the Co nnec ti o n o r Lo g g i ng i nto the Cl i ent

To disconnect the connection or log into the client, take the following steps:

1. In the login entry list, click a login entry and several buttons display.

2. If the connection status to this server is disconnected, you can click Login to log into the client; if the connection
status is connected, you can click Disconnect Connection to disconnect the connection.

3. In the pop-up dialog, confirm your operation.

Conne ction Log

Click Log at the bottom of the page to enter into the Configuration Log page. In this page, you can view the logs.

Sy ste m Configura tion

Click Config at the bottom of the page to enter into the System Configuration page. In this page, you can configure
the following options:

l Auto Reconnect: After turning on this switch, the client wil automatically reconnect to the server if the connection
is disconnected unexpectedly.

l Show Notify: After turning on this switch, the client icon will display in the notification area.

Chapter 8 VPN 200

 l Allow To Sleep: After turning on this switch, the client can keep connected while the Android systew is in the
sleep status. With this switch turned off, the client might disconnect the connection and cannot keep connected
for a long time while the Android systew is in the sleep status.

l Auto Login: After turning on this switch, the client will automatically connect to the server when it stars. The
server is the one that the client connects to the last time.

l Remember The Password: After turning on this switch, the client wil remember the password and automatically
fill in the login entry.

l Exit: Click Exit to exit this application.

About U s
Click About at the bottom of the page to enter into the About US page. This page displays the version information, con-
tact information, copyright information, etc.

201 Chapter 8 VPN

SSL V PN Client fo r iOS
The SSL VPN client for iOS is called Hillstone BYOD Client (HBC) and it supports iOS 6.0 and higher versions. HBC
mainly has the following functions:

l Simplify the VPN creation process between the Apple device and the Hillstone device

l Display the VPN connection status between the Apple device and the Hillstone device

l Display the log information

To use the SSL VPN client for iOS, download and install the Hillstone BYOD Client app from the App Store.

D eploying VPN Configura tions

For the first-time logon, you need to deploy the VPN configurations, as shown below:

1. Click the HBC icon located at the desktop of iOS. The login page of HBC appears.

2. In the login page, specify the following information and then click Login.

l Connection: Enters a name for this newly created connection instance.

l Server: Enters the IP address or the server name of the device that acts as the VPN server.

l Port: Enters the HTTPs port number of the device.

l Username: Enters the username for logging into the VPN.

l Password: Enters the corresponding password.

3. After logging the VPN server successfully, the Install Profile page pops up and the deployment process starts
automatically.

Chapter 8 VPN 202

203 Chapter 8 VPN
 4. In the Install Profile page, click Install. The Unsigned Profile window pops up.

Chapter 8 VPN 204

5. Click Install Now. The Enter Passcode page appears.

6. Enter your passcode. The passcode is the one for unlocking your iOS screen. With the correct passcode entered,
iOS starts to install the profile.

205 Chapter 8 VPN

 7. After the installation is completes, click Done in the Profile Installed page.

The profile deployed is for the instance with the above parameters (connection, server, port, username, and pass-
word). If the value of one parameter changes, you need to deploy the VPN configuration profile again.

Connec ting to VPN

After the VPN configuration deployment is finished, take the following steps to connect to VPN:

1. Start HBC.

2. In the login page, enters the required information. The value of these parameters should be the ones that you
have specified in the above section of Deploying VPN Configurations. If one of the parameter changes, you need to
re-deploy the VPN configurations.

3. Click Login. HBC starts to connects to the Hillstone device.

4. Start Settings of iOS and navigate to VPN.

5. In the VPN page, select the configuration that has the same name as the one you configured in the section of
Deploying VPN Configurations.

6. Click the VPN switch. iOS starts the VPN connection.

7. In this VPN page, when the Status value is Connected, it indicates the VPN between the iOS device and the Hill-
stone device has been established.

Introduc tion to GUI

After logging into HBC, you can view the following pages: Connection Status, Connection Log, and About US.

Chapter 8 VPN 206

Conne ction Sta tus
Click Connection at the bottom of the page to enter into the Connection Status page and it displays the current con-
nection status. You can configure the following options:

l Remember password: Remembers the password for this connection instance.

l Import configuration: If HBC can connects to the Hillstone device successfully but the iOS VPN connection is
failed, you need to re-deploy the VPN configurations. After turning on this Import configuration switch, HBC
will re-deploy the VPN configurations when you log in for the next time.

Conne ction Log

Click Log at the bottom of the page to enter into the Connection Log page and it displays the connection log mes-
sages.

About U S
Click About at the bottom of the page to enter into the About Us page and it displays the information of version, copy-
right, etc.

SSL V PN Client fo r Mac OS

The SSL VPN client for Mac OS is Hillstone Secure Connect. It can run on Mac OS X 10.6.8 and above. The encrypted
data can be transmitted between the SSL VPN client and SSL VPN server after a connection has been established suc-
cessfully. The functions of the client are:

l Establish the SSL VPN connection with the SSL VPN server.

l Show the connection status, traffic statistics, and route information.

l Show log messages.

D ow nloa ding a nd Ins ta lling Client

Visit http://swupdate.hillstonenet.com:1337/sslvpn/download?os=osx to download the installation file of the client.
After downloading the installation file, double-click it. In the pop-up, drag SCVPN to Applications to perform the install-
ation.

To open the installation file, you must have the administrator permission and select Anywhere in System Prefer-
ences > Security & Privacy > General > Allow apps downloaded from.

Sta rting Client a nd Es ta blis hing Connec tion

To start the client and establish the connection with the server side, take the following steps:

207 Chapter 8 VPN

 1. In Mac OS, select Launchpad > SCVPN. The client starts.

2. Click New. The Create connection profile window appears.

3. Provide the following information and then click OK.

l Name: Specify a name for this VPN connection.

l Description: Specify the description for this VPN connection.

l Server: Enter the IP address or the server name of the device that acts as the VPN server.

l Port: Enters the HTTPs port number of the device.

l User name: Enters the login name.

l Password: Enters the corresponding password.

l Remember password : Select this check box to remember the password.

4. Select the connection name in the connection list.

5. In the toolbar, click Connect. If you do not select Remember password in step 3, enter the password in the
pop-up and then click OK.
After the client connects to the SSL VPN server, the status bar displays Connection established. Meanwhile, the noti-

fication area of Mac displays . The encrypted data can be transmitted between the SSL VPN client and SSL VPN
server now.

GUI
The GUI of the client includes four areas: toolbar, connection list, connection information, and status bar.

Toolba r
In the toolbar, you can perform the following actions:

l Connect: Select a connection from the connection list and then click Connect. The client starts to establish the con-
nection with server side.

l New: Create a new connection. For details, see Starting Client and Establishing Connection.

l Modify: Select a connection from the connection list and then click Modify. For details of modifying the para-
meters, see Starting Client and Establishing Connection.

l Delete: Select a connection from the connection list and then click Delete to delete this connection.

l Settings: Set to minimize the client when the connection is established and select whether to check the update of
the client when it starts.

Chapter 8 VPN 208

 l Cancel: Click this button to cancel the connection. When the client is connecting the server side, this button dis-
plays.

l Disconnect: Disconnect the current connection. After the connection is established, this button displays.

l Info: View the channel information and the route information of the current connection. After the connection is
established, this button displays.

Conne ction List

Displays all created connections.

Conne ction Informa tion

When selecting a connection in the connection list, the connection information area displays the corresponding inform-
ation of this connection.
After establishing the connection, the connection information area displays the connection duration, server IP
address, the IP assigned to the client, the number of packets sent/received through the SSL VPN tunnel, and the bytes
sent/received through the SSL VPN tunnel.

Sta tus Ba r
Displays the connection status.

Menu
The SCVPN item in the menu includes the following options:

l About SCVPN: Displays the information of this client.

l Quit SCVPN: Quit the client.

The Logging item in the menu includes the following options:

l View: View the logs.

l Level: Select the log level. When selecting the lower level in the menu, the displayed logs will include the logs of
upper level. However, when selecting the upper level in the menu, the displayed logs will not include the logs of
lower level.

209 Chapter 8 VPN

SSL V PN Client fo r Linux
The SSL VPN client for Linux is Hillstone Secure Connect. It can run on the following operation system.

l 64-bit desktop version of Ubuntu12.04 (GNOME desktop);

l 64-bit desktop version of Ubuntu14.04(GNOME desktop);

l 64-bit desktop version of Ubuntu Kylin16.04(default desktop );

l 64-bit desktop version of CentOS6.5(GNOME desktop);

The encrypted data can be transmitted between the SSL VPN client and SSL VPN server after a connection has been
established successfully. The functions of the client are:

l Get interface and route information from the PC on which the client is running.

l Show the connection status, traffic statistics, and route information.

l Show log messages.

Take 64-bit Ubuntu Kylin16.04 desktop as an example to introduce downloading and installing client, starting client
and establishing connection, upgrading and uninstalling client, the client GUI and menu. The client configuration of
other three Linux systems can refer to 64-bit Ubuntu Kylin16.04 desktop.

D ow nloa ding a nd Ins ta lling Client

Downloading and installing Hillstone Secure Connect, take the following steps:

1. Visit http://www.hillstonenet.com.cn/product/technology/VPN.html to download the installation file of the client.

2. After downloading the installation file, right-click the client icon and select Properties to go to the properties
page.

Chapter 8 VPN 210

3. In the properties page, click Permissions tab and check Allow executing files as program, then close it.

4. Double-click the client icon and follow the setup wizard to complete the installation.

Sta rting Client a nd Es ta blis hing Connec tion

To start the client and establish the connection with the server side, take the following steps:

1. Double-click the SCVPN icon on the desktop of the Linux system, and system enters the super user authentication
page. Then enter the password of super user , and click Authenticate to enter the main interface of the client.

211 Chapter 8 VPN

 2. In the client main interface, click New. The Create connection profile dialog box appears.

3. Provide the following information and then click OK.

l Name: Specify a name for this VPN connection.

l Description: Specify the description for this VPN connection.

l Server: Enter the IP address or the server name of the device that acts as the VPN server.

l Port: Enters the HTTPs port number of the device.

l User name: Enters the login name. For detailed information, refer to "User" on Page 248.

Chapter 8 VPN 212

 l Password: Enters the corresponding password.

l Remember password : Select this check box to remember the password.

4. Select the connection name in the connection list. In the toolbar, click Connect. If you do not select Remember
password in step 3, enter the password in the pop-up and then click OK.

5. After the client connects to the SSL VPN server, the status bar displays Connection established. The encrypted
data can be transmitted between the SSL VPN client and SSL VPN server now.

Upgra ding a nd Unins ta lling Client

Updating and Uninstalling the SSL VPN Client, take the following steps:

213 Chapter 8 VPN

 1. Double-click the MaintenanceTool icon to enter the Maintain SCVPN page.

2. In the Maintain SCVPN page, select Update components or Remove all components to upgrade or unin-
stall the client, then click Next.

3. Follow the setup wizard to complete the upgrade or uninstall of client.

Chapter 8 VPN 214

GUI
The GUI of the client includes four areas: toolbar, connection list, connection information, and status bar.

Toolba r
In the toolbar, you can perform the following actions:

l Connect: Select a connection from the connection list and then click Connect. The client starts to establish the
connection with server side.

l New: Create a new connection. For details, see Starting Client and Establishing Connection.

l Modify: Select a connection from the connection list and then click Modify. For details of modifying the para-
meters, see Starting Client and Establishing Connection.

l Delete: Select a connection from the connection list and then click Delete to delete this connection.

l Settings: Set to minimize the client when the connection is established

l Cancel: Click this button to cancel the connection. When the client is connecting the server side, this button dis-
plays, see Starting Client and Establishing Connection.

l Disconnect: Disconnect the current connection. After the connection is established, this button displays, see
Starting Client and Establishing Connection.

l Info: View the channel information and the route information of the current connection. After the connection is
established, this button displays, see Starting Client and Establishing Connection.

Conne ction List

Displays all created SSL VPN connections, and uses different icons to distinguish between connected and uncon-
nected.

Conne ction Informa tion

When selecting a connection in the connection list, the connection information area displays the corresponding inform-
ation of this connection.

215 Chapter 8 VPN

 l When the client doesn't connect or has connected to the server, the connection information area displays the
server IP address, the port number, the user name and the authentication type.

l After establishing the connection, the connection information area displays the connection duration, server IP
address, the IP assigned to the client, the number of packets sent/received through the SSL VPN tunnel, and the
bytes sent/received through the SSL VPN tunnel.

Sta tus Ba r
Displays the connection status and the connection progress when connecting the server, see Starting Client and Estab-
lishing Connection.

Menu
Click the logging menu in the top-left corner of the client interface .

l View: View the logs.

l Level: Select the log level. When selecting a level in the menu, the system will display the logs of upper levels and
will not display the logs of lower levels.

l About: Display the version information, copyright information and other relevant information.

Chapter 8 VPN 216

L2TP VPN
This feature may not be available on all platforms. Please check your system's actual page to see if your device delivers
this feature.
L2TP (Layer Two Tunneling Protocol) is a VPDN technique that allows dial-up users to launch VPN connection from
L2TP clients or L2TP access concentrators (LAC), and connect to a L2TP network server (LNS) via PPP. After the con-
nection has been established successfully, LNS will assign IP addresses to legal users and permit them to access the
private network.
The device acts as LNS in the L2TP tunnel network. The device accepts connections from L2TP clients or LACs, imple-
ments authentication and authorization, and assigns IP addresses, DNS server addresses and WINS server addresses
to legal users.
L2TP does not encrypt the data transmitted through the tunnel, so it cannot assure security during the transmission.
You can use L2TP in combination with IPsec, and encrypt data by IPSec, thus assuring the security for the data trans-
mitted through the L2TP tunnel.

Co nfiguring an L2TP V PN
To create an L2TP VPN instance:

1. Select Network > VPN > L2TP VPN.

2. In the L2TP VPN page, click New.

In the Name/Access User tab, configure the corresponding options.

Option Description

L2TP VPN Name Type the name of the L2TP VPN instance
Assigned Users
AAA Server Select an AAA server from the AAA Server drop-down list. You can click
View AAA Server to view the detailed information of this AAA server.

Domain Type the domain name into the Domain box. The domain name is used
to distinguish the AAA server.
Verify User After enable this function, the system will verify the username and its
Domain Name domain name.
Add Click Add to add the assigned users. You can repeat to add more items.

In the Interface/Address Pool/IPSec Tunnel tab, configure the corresponding options.

Access Interface
Egress Interface Select the interface from the drop-down list as the L2TP VPN server inter-
face. This interface is used to listen to the request from L2TP clients.

217 Chapter 8 VPN

 Tunnel Interface
Tunnel Interface Specifies the tunnel interface used to bind to the L2TP VPN tunnel. Tun-
nel interface transmits traffic to/from L2TP VPN tunnel.

l Select a tunnel interface from the drop-down list, and then click Edit
to edit the selected tunnel interface.

l Click New in the drop-down list to create a new interface.

Information Shows the zone, IP address, and netmask of the selected tunnel interface.
Address Pool
Address Pool Specifies the L2TP VPN address pool.

l Select an address pool from the drop-down list, and then click Edit
to edit the selected address pool.

l Click New in the drop-down list to create a new address pool.

For more information about creating/editing address pools, see "Con-
figuring an L2TP VPN Address Pool" on Page 219.

Information Shows the start IP address, end IP address, and mask of the address pool.
L2TP over IPSec
L2TP over IPSec Select a referenced IPSec tunnel from the drop-down list. L2TP does not
encrypt the data transmitted through the tunnel, so it cannot assure
security during the transmission. You can use L2TP in combination with
IPSec, and encrypt data by IPSec, thus assuring the security for the data
transmitted through the L2TP tunnel..

3. If necessary, click Advanced to configure the advanced functions.

In the Parameters tab, configure the corresponding options.

Security
Tunnel Authentic- Click Enable to enable tunnel authentication to assure the security of
ation the connection. The tunnel authentication can be launched by either
LNS or LAC. The tunnel cannot be established unless the both ends are
authenticated, i.e., the secret strings of the two ends are consistent.
AVP Hidden Click Enable to enable AVP hidden. L2TP uses AVP (attribute value
pair) to transfer and negotiate some L2TP parameters and attributes.
By default AVP is transferred in plain text. For data security con-
sideration, you can encrypt the data by the secret string to hide the
AVP during the transmission.
Secret Specifies the secret string that is used for LNS tunnel authentication.
Peer Specifies the host name of LAC. If multiple LACs are connected to LNS,
you can specify different secret strings for different LACs by this para-
meter.
Add Click Add to add the configured secret and peer name pair to the list.
Client Connection
Accept Client IP Click Enable to allow to accept IP address specified by the client. By
default the client IP is selected from the address pool, and allocated by
LNS automatically. If this function is enabled, you can specify an IP
address. However, this IP address must belong to the specified address
pool, and be consistent with the username and role. If the specified IP
is already in use, the system will not allow the user to log on.
Multiple Login Click Enable to allow a user to log on and be authenticated on dif-
ferent hosts simultaneously.

Chapter 8 VPN 218

 Hello Interval Specifies the interval at which Hello packets are sent. LNS sends Hello
packets to the L2TP client or LAC regularly, and will drop the con-
nection to the tunnel if no response is returned after the specified
period.
LNS Name Specifies the local name of LNS.
Tunnel Windows Specifies the window size for the data transmitted through the tunnel.
Control Packet Specifies the retry times of control packets. If no response is received
Transmit Retry from the peer after the specified retry times, the system will determine
the tunnel connection is disconnected.
PPP Configuration
LCP Interval Specifies parameters for LCP Echo packets used for PPP negotiation.
The options are:
Transmit Retry
l Interval: Specifies the interval at which LCP Echo packets are
sent.

l Transmit Retry: Specifies the retry times for sending LCP Echo pack-
ets. If LNS has not received any response after the specified retry
times, it will determine the connection is disconnected.

PPP Authentic- Specifies a PPP authentication protocol. The options are:

ation
l PAP: Uses PAP for PPP authentication.

l CHAP: Uses CHAP for PPP authentication. This is the default

option.

l Any: Uses CHAP for PPP authentication by default. If CHAP is not

supported, then uses PAP.

4. Click Done to save the settings.

Co nfiguring an L2TP V PN Address Po o l

LNS assigns the IP addresses in the address pool to users. After the client has established a connection to LNS suc-
cessfully, LNS will choose an IP address along with other related parameters (such as DNS server address, WINS
server address, etc) from the address pool, and assigns them to the client.
L2TP provides fixed IP addresses by creating and implementing IP binding rules.

l The static IP binding rule binds the client user to a fixed IP address in the address pool. Once the client has estab-
lished a connection successfully, the system will assign the binding IP to the client.

l The IP-role binding rule binds the role to a specific IP range in the address pool. Once the client has established a
connection successfully, the system will assign an IP address within the IP range to the client.
When LNS is allocating IP addresses in the address pool, the system will check the IP binding rule and determine how
to assign IP addresses for the client based on the specific checking order below:

Note: The IP addresses defined in the static IP binding rule and IP-role binding rule should not
be overlapped.

To create an address pool:

1. Select Network > VPN > L2TP VPN.

2. At the top-right corner, click Address Pool.

219 Chapter 8 VPN

 3. In the pop-up window, click New.

In the Basic tab, configure the corresponding options.

Option Description

Address Pool Specifies the name of the address pool.

Name
Start IP Specifies the start IP of the address pool.
End IP Specifies the end IP of the address pool.
Reserved Start IP Specifies the reserved start IP of the address pool.
Reserved End IP Specifies the reserved end IP of the address pool.
DNS1/2 Specifies the DNS server IP address for the address pool. It is optional. At
most 2 DNS servers can be configured for one address pool.
WINS1/2 Specifies the WIN server IP addresses for the address pool. It is optional.
At most 2 WIN servers can be configured for one address pool.

In the IP User Binding tab, configure the corresponding options.

Option Description
User Type the user name into the User box.
IP Type the IP address into the IP box.
Add Click Addto add this IP user binding rule.
Delete To delete a rule, select the rule you want to delete from the list and click
Delete.

In the IP Role Binding tab, configure the corresponding options.

Option Description
Role Type the role name into the Role box.
Start IP Type the start IP address into the Start IP box.
End IP Type the end IP address into the End IP box.
Add Click Addto add this IP role binding rule.
Delete To delete a rule, select the rule you want to delete from the list and
click Delete.
Up/Down/Top/Bottom The system will query for IP role binding rules by turn, and allocate
the IP address according to the first matched rule. You can move
the location up or down at your own choice to adjust the matching
sequence accordingly.

Chapter 8 VPN 220

4. Click OK to save the settings.

V iew ing L2TP V PN Online Users

To view the L2TP VPN online users:

1. Select Network > VPN > L2TP VPN.

2. Select an L2TP VPN instance.

3. View the detailed information of the online users in the table.

Option Description

Name Displays the name of L2TP VPN.

Login Time Displays the login time of the L2TP VPN online user.
Public IP Displays the public IP of the L2TP VPN online user.
Private IP Displays the private IP of the L2TP VPN online user.
Operation Displays the executable operation of the L2TP VPN online user.

221 Chapter 8 VPN

Chapter 9 Object

This chapter describes the concept and configuration of objects that will be referenced by other modules in system,
including:

l "Address" on Page 223: Contains address information, and can be used by multiple modules, such as policy
rules, NAT rules, QoS, session limit rules, etc.

l "Host Book" on Page 225: A collection of one domain name or several domain names.

l "Service Book" on Page 226: Contains service information, and can be used by multiple modules, such as policy
rules, NAT rules, QoS, etc.

l "Application Book" on Page 230: Contains application information, and can be used by multiple modules, such as
policy rules, NAT rules, QoS, etc.

l "SLB Server Pool " on Page 234: Describes SLB server configurations.

l "Schedule" on Page 236: Specifies a time range or period. The functions (such as policy rules, QoS rules, host
blacklist, connections between the PPPoE interface and Internet) that use the schedule will take effect in the time
range or period specified by the schedule.

l "AAA Server" on Page 238: Describes how to configure an AAA server.

l "User" on Page 248: Contains information about the functions and services provided by a Hillstone device, and
users authenticated and managed by the device.

l "Role" on Page 256: Contains role information that associates users to privileges. In function configurations, dif-
ferent roles are assigned with different services. Therefore, the mapped users can gain the corresponding ser-
vices as well.

l "Track Object" on Page 259: Tracks if the specified object (IP address or host) is reachable or if the specified
interface is connected. This function is designed to track HA and interfaces.

l "URL Filter" on Page 261: URL filter controls the access to some certain websites and records log messages for the
access actions.

Chapter 9 Object 222

Address
IP address is an important element for the configurations of multiple modules, such as policy rules, NAT rules and ses-
sion limit rules. Therefore, System supports address book to facilitate IP address reference and flexible configuration.
You can specify a name for an IP range, and only reference the name during configuration. Address book is the data-
base in system that is used to store the mappings between IP ranges and the corresponding names. The mapping
entry between an IP address and its name in the address book is known as an address entry.
System provides a global address book. You need to specify an address entry for the global address book. When spe-
cifying the address entry, you can replace the IP range with a DNS name. Interfaces of the configured IPs will be used
as address entries and added to the address book automatically. You can use them for NAT conveniently. Furthermore,
an address entry also has the following features:

l All address books contain a default address entry named Any. The IP address of Any is 0.0.0.0/0, i.e., any IP
address. Any can neither be edited nor deleted.

l One address entry can contain another address entry in the address book.

l If the IP range of an address entry changes, StoneOS will update other modules that reference the address entry
automatically.
Address book supports IPv4 and IPv6 address. If IPv6 is enabled, you can configure IPv6 address entry.

Creating an Address B o o k
To create an address book:

1. Click Object>Address Entry.

2. Click New.

In Address Configuration dialog, enter the address entry configuration.

Basic

Name Type the address entry name into the Name box.
Type Select the IP type, including IPv4 or IPv6. Only the IPv6 firmware sup-
ports to configure IPv6 type IP. If IPv6 is selected, all the IP/netmask, IP
range, address entry configured should be in IPv6 format.

Member

Member Select an address entry member from the drop-down list, and configure
IP/netmask, IP range, Host name， Address entry， or Country/Region
as needed.

l The Country/Region member is supported in the address entry of

the IPv4 type.

223 Chapter 9 Object

 Basic
l Only the security policy and the policy-based route support the
address entry with the Country/Region member added.

l The address entry with the Country/Region member added does

not support the Excluded Member settings.
Add Click Add to add the configured member to the list below. If needed,
repeat the above steps to add more members.
Delete Delete the selected address entry from the list.

Excluded Member

Member Specify the excluded member. Select an address entry member from the
drop-down list, and configure IP/netmask, IP range, Host name or
Address entry as needed.
Note: Excluded members address range need to in the address range of
members, otherwise can not complete the configuration.

Add Click Add to add the configured excluded member to the list below. If
needed, repeat the above steps to add more excluded members.
Delete Delete the selected excluded member entry from the list.

3. Click OK.

V iew ing D etails

To view the details of an address entry, including the name, member, description and reference:

1. Click Object>Address Entry.

2. In the Address Book dialog, select an address entry from the member list, and view the details under the list.

Chapter 9 Object 224

Host Book
You can specify a name to be a collection of one domain name or several domain names, and reference this host book
when configuring. Host book is the database to store the relationships of domain integrations and the specified names
in system.
The entry of the relationship of domain integrations and the specified name is called host entry.

Note:
l The maximum number of host entries is one fourth of the maximum number of address
entries.

l At most one host entry can be configured for each PBR rule.

Creating a H o st B o o k
To create a host book:

1. Select Object > Host Book.

2. Click New.

Configure the following options.

Option Description

Name Type a name for the host book.

Member Specifies the host entry member. Enter IP address or domain name in the
Member text box and then click Add. If needed, you can add multiple
host entries in the host book. Select the host entry you want to delete
and click Delete, the selected entry will be removed.
Description Type the description of host book.

3. Click OK.

225 Chapter 9 Object

Service Book
Service is information stream designed with protocol standards. Service has some specific distinguishing features,
like corresponding protocol, port number, etc. For example, the FTP service uses TCP protocol, and its port number is
21. Service is an essential element for the configuration of multiple StoneOS modules including policy rules, NAT
rules, QoS rules, etc.
System ships with multiple predefined services/service groups. Besides, you can also customize user-defined ser-
vices/service groups as needed. All these service/service groups are stored in and managed by StoneOS service book.

Predefined Service/ Service Gro up

System ships with multiple predefined services, and identifies the corresponding application types based on the ser-
vice ports. The supported predefined services may vary from different Hillstone device models. Predefined service
groups contain related predefined services to facilitate user configuration.

User-defined Service
Except for the above predefined services, you can also create your own user-defined services easily. The parameters
that will be specified for the user-defined service entries include:

l Name

l Protocol type

l The source and destination port for TCP or UDP service, and the type and code value for ICMP service.

User-defined Service Gro up

You can organize some services together to form a service group, and apply the service group to StoneOS policies dir-
ectly to facilitate management. The service group has the following features:

l Each service of the service book can be used by one or more service groups.

l A service group can contain both predefined services and user-defined services.

l A service group can contain another service group. The service group of StoneOS supports up to 8 layers of
nests.
The service group also has the following limitations:

l The name of a service and service group should not be identical.

l The service group being used by any policy cannot be deleted. To delete such a service group, you must first end
its relationship with other modules.

l If a user-defined service is deleted from the service group, the service will also be deleted from all the service
groups using it.

Co nfiguring a Service B o o k
This section describes how to configure a user-defined service and service group.

Chapter 9 Object 226

Configuring a Us er-defined Servic e
1. Select Object > Service Book > Service.

2. Click New.

Configure the following options.

Service Configuration

Service Type the name for the user-defined service into the textbox.
Member Specify a protocol type for the user-defined service. The available
options include TCP, UDP, ICMP and Others. If needed, you can add mul-
tiple service items.
Click New and the parameters for the protocol types are described as fol-
lows:

TCP/UDP Destination port:

l Min - Specifies the minimum port number of the

specified service entry.

l Max - Specifies the maximum port number of the

specified service entry. The value range is 0 to
65535.
Source port:

l Min - Specifies the minimum port number of the

specified service entry.

l Max - Specifies the maximum port number of the

specified service entry. The value range is 0 to
65535.

Note: The minimum port num-

ber cannot exceed the maximum
port number.

ICMP Type: Specifies a ICMP type for the service entry. The
value range is 3 (Destination-Unreachable), 4 (Source

227 Chapter 9 Object

 Service Configuration

Quench), 5 (Redirect), 8 (Echo), 11 (Time Exceeded), 12

(Parameter Problem), 13 (Timestamp) and 15 (Inform-
ation).
Min Code: Specifies a minimum value for ICMP code. The
value range is 0 to 5.
Max Code: Specifies a maximum value for ICMP code.
The value range is 0 to 5.

Note: The minimum port num-

ber cannot exceed the maximum
port number.

Others Protocol: Specifies a protocol number for the service entr-

y. The value range is 1 to 255.

Description If needed, type the description for the service into the text box.

3. Click OK.

Configuring a Us er-defined Servic e Group

1. Select Object > Service Book > Service Group.

2. Click New.

Configure the following options.

Service Group Configuration

Name Type the name for the user-defined service group into the text box.
Description If needed, type the description for the service into the text box.
Member Add services or service groups to the service group. The system supports
at most 8-layer nested service group.
Expand Pre-defined Service or User-defined Service from the left pane,
select services or service groups, and then click Add to add them to the
right pane. To remove a selected service, select it from the right pane,

Chapter 9 Object 228

 Service Group Configuration
and then click Remove.

3. Click OK.

View ing D eta ils

To view the details of a service entry, including the name, protocol, destination port and reference:

1. Click Object>Service Book > Service.

2. In the service dialog, select an address entry from the member list, and view the details under the list.

229 Chapter 9 Object

Application Book
Application has some specific features, like corresponding protocol, port number, application type, etc. Application is
an essential element for the configuration of multiple Device modules including policy rules, NAT rules, application
QoS management, etc.
System ships with multiple predefined applications and predefined application groups. Besides, you can also cus-
tomize user-defined application and application groups as needed. All these applications and application groups are
stored in and managed by StoneOS application book.

Editing a Predefined Applicatio n

You can view and use all the supported predefined applications and edit TCP timeout, but cannot delete any of them.
To edit a predefined application:

1. Select Object > APP Book > Application.

2. Select the application you want to edit from the application list, and click Edit.

3. In the Application Configuration dialog, edit TCP timeout for the application.

Creating a User-defined Applicatio n

You can create your own user-defined applications. By configuring the customized application signature rules, the sys-
tem can identify and manage the traffic that crosses into the device, thus identifying the type of the traffic.
To create a user-defined application:

1. Select Object > APP Book > Application.

2. Click New.

Configure the following options.

Option Description

Name Specify the name of the user-defined application.

Description Specify the description of the user-defined application.
Timeout Configure the application timeout value. If not, the system will use the
default value of the protocol.
Signature Select the signature of the application and then click Add.
To create a new signature, see "Creating a Signature Rule" on Page 231.

3. Click OK.

Chapter 9 Object 230

Creating a User-defined Applicatio n Gro up
To create a user-defined application group:

1. Select Object > APP Book > Application Groups

2. Click New.

Configure the following options.

Option Description

Name Specifies a name for the new application group.

Description Specifies the description for the application group.
Member Add applications or application groups to the application group. The sys-
tem supports at most 8-layer nested application group.
Expand Application or Application Group from the left pane, select applic-
ations or application groups, and then click Add to add them to the right
pane. To remove a selected application or application group, select it
from the right pane, and then click Remove.

3. Click OK.

Creating an Applicatio n Filter Gro up

Application Filter Group allows you to create a gourp to filter applications according to application category, sub-cat-
egory, technology, risk, and attributes.
To create an application filter group:

1. Select Object > APP Book > Application Filters.

2. Click New.

3. Type an application filter group name in the Name text box.

4. Specifies the filter condition. Choose category, subcategory, technology, risk and characteristic by sequence in
the drop-down list. You can click Clear Filter to clear all the selected filter conditions according to your need.

5. Click OK.

Creating a Signature Rule

By configuring the customized application signature rules, the system can identify and manage the traffic that crosses
into the device. When the traffic matches all conditions defined in the signature rule, it hits this signature rule. Then
the system identifies the application type.

231 Chapter 9 Object

To create a new signature rule:

1. Select Object > APP Book > Signature Rule.

2. Click New.

Configure the following options.

Option Description

Source
Zone Specify the source security zone of the signature rule.
Address Specify the source address. You can use the Address Book type or the
IP/Netmask type.
Destination
Address Specify the source address. You can use the Address Book type or the
IP/Netmask type.
Protocol

Enable Select the Enable check box to configure the protocol of the signature
rule.
Type When selecting TCP or UDP,

l Destination Port: Specify the destination port number of the user-

defined application signature. If the destination port number is
within a range, the system will identify the value of min-port as the
minimum port number and identify the value of max-port as the
maximum port number. The range of destination port number is 0
to 66535. The port number cannot be 0. For example, the destination
port number is in the range of 0 to 20, but it cannot be 0.

l Source Port: Specify the source port number of the user-defined

application signature. If the source port number is within a range,
the system will identify the value of min-port as the minimum port
number and identify the value of max-port as the maximum port
number. The range of source port number is 0 to 66535.
When selecting ICMP:

l Type: Specify the value of the ICMP type of the application sig-
nature. The options are as follows: 3 (Destination-Unreachable), 4
(Source Quench)， 5 (Redirect), 8 (Echo), 11 (Time Exceeded),
12 (Parameter Problem), 13 (Timestamp), 15 (Information), and

Chapter 9 Object 232

 Option Description
any (any represents all above values).

l Min Code: Specify the value of the ICMP code of the application sig-
nature. The ICMP code is in the range of 0 to 5. The default value is
0-5.
When selecting Others:

l Protocol: Specifies the protocol number of the application sig-

nature. The protocol number is in the range of 1 to 255.
Action
App-Signature Select Enable to make this signature rule take effect after the con-
Rule figurations. Otherwise, it will not take effect.
Continue Without selecting this check box, if the traffic satisfies the user-defined
Dynamic Iden- signature rule and the system has identified the application type, the sys-
tification tem will not continue identifying the application. To be more accurate,
you can select this check box to set the system to continue dynamically
identification.

3. Click OK.

V iew ing D etails

To view the details of an application entry, including the name, category, risk and reference:

1. Click Object>APP Book > Application.

2. In the application dialog, select an address entry from the member list, and view the details under the list.

233 Chapter 9 Object

SLB Server Pool
The SLB function uses the load balancing algorithm to distribute the traffic and this utilizes the resources of the
intranet servers. You can use the following methods to perform the server load balance:

l Distribute the traffic to the specified port of each intranet server. This is applicable to the scenario that different
intranet servers meanwhile and individually provide the same service via specified port.

l Distribute the traffic to different ports of an intranet server. This is applicable to the scenario that an intranet
server provides the same service by running the same process at different ports.

l Combine the above two methods.

Co nfiguring SLB Server Po o l and Track Rule

To configure an SLB server pool and track rule:

1. Select Object > SLB Server Pool.

2. Click New. The SLB Server Pool Configuration dialog appears.

In the SLB Server Pool Configuration dialog, configure the following options.
Option Description

Name Specifies the name of the SLB server pool

Algorithm Select an algorithm for load balancing.
Member

Member Specifies the member of the pool. You can type the IP range or the IP
address and the netmask.

Port Specifies the port number of the server.

Maximum Ses- Specifies the allowed maximum sessions of the server. The value ranges
sions from 0 to 1,000,000,000. The default value is 0, which represents no lim-
itation.

Weight Specifies the traffic forwarding weight during the load balancing. The
value ranges from 1 to 255.

Add Add the SLB address pool member to the SLB server pool. You can add
up to 256 members.
Track

Track Type Selects a track type.

Port Specifies the port number that will be tracked. The value ranges from 0 to
65535.

l When the members in the SLB server pool have the same IP
address and different ports, you don’t need to specify the port

Chapter 9 Object 234

 Option Description
when configuring the track rule. The system will track each IP
address and its port in the SLB server pool.

l When there is a member whose port is not configured exists in the

SLB sever pool, you must specify the port when configuring the
track rule. The system will track the specified port of the IP
addresses in the SLB server pool.

l When the members in the SLB server pool are all configured with
IP addresses and ports and these configured IP addresses are dif-
ferent from each other, you can select whether to specify the port
when configuring the track rule. If specified, the system will track
the specified port of these IP addresses. If not, the system will
track the configured ports of the IP addresses of the members.
Interval Specifies the interval between each Ping/TCP/UDP packet. The unit is
second. The value ranges from 3 to 255.

Retries Specifies a retry threshold. If no response packet is received after the spe-
cified times of retries, The system will determine this track entry fails, i.e.,
the track entry is unreachable. The value range is 1 to 255.

Weight Specifies a weight for the overall failure of the whole track rule if this
track entry fails. The value range is 1 to 255.

Add Click Add to add the configured track rule to the list.
Threshold Types the threshold for the track rule into the Threshold box. The value
range is 1 to 255. If the sum of weights for failed entries in the track rule
exceeds the threshold, the system will conclude that the track rule fails.

Description Types the description for this track rule.

3. Click OK to save the settings.

V iew ing D etails o f SLB Po o l Entries

To view the details of the servers in the SLB pool:

1. Click Object > SLB Server Pool.

2. Select an SLB pool entry.

3. In the Server List tab at the bottom of this page, view the information of the servers that are in this SLB pool.

4. In the Monitoring tab, view the information of the track rules.

5. In the Referenced tab, view the DNAT rules that use the SLB pool.

235 Chapter 9 Object

Schedule
System supports schedule. This function allows a policy rule to take effect in a specified time, and controls the dur-
ation for the connection between a PPPoE interface and Internet. The schedule consists of periodic schedule and abso-
lute schedule. The periodic schedule specifies a time point or time range by periodic schedule entries, while the
absolute schedule decides a time range in which the periodic schedule will take effect.

Periodic Sc hedule
Periodic schedule is the collection of periods specified by all the schedule entries within the schedule. You can add up
to 16 schedule entries to a periodic schedule. These entries can be divided into 3 types:

l Daily: The specified time of every day, such as Everyday 09:00 to 18:00.

l Days: The specified time of a specified day during a week, such as Monday Tuesday Saturday 09:00 to 13:30.

l Period: A continuous period during a week, such as from Monday 09:30 to Wednesday 15:00.

Abs olute Sc hedule

Absolute schedule is a time range in which periodic schedule will take effect. If no absolute schedule is specified, the
periodic schedule will take effect as soon as it is used by some module.

Creating a Schedule
To create a schedule:

1. Select Object > Schedule.

2. Click New.

Configure the following options.

Schedule Configuration Dialog

Name Specifies a name for the new schedule.

Add Specifies a type for the periodic schedule in Add Periodic Schedules sec-
tion.

Type l Daily - The specified time of every day. Click this

radio button, and then, in the Time section, select a
start time and end time from the Start time and End
time drop-down list respectively.

Chapter 9 Object 236

 Schedule Configuration Dialog

l Days - The specified time of a specified day during a

week. Click this radio button, and then select a
day/days in the Days and Time section, and finally
select a start time and end time from the Start time
and End time drop-down list respectively.

l Period - A continuous period during a week. Click

this radio button, and then in the Duration section
select a start day/time and end day/time from the
Start time and End time drop-down list respectively.

Preview Preview the detail of configured periodic schedule in the

Preview section.

Delete Select the entry you want to delete from the period schedule list below,
and click Delete.
Absolute Sched- The absolute schedule decides a time range in which the periodic sched-
ule ule will take effect. Without configuring a absolute schedule, the periodic
schedule will take effect as soon as it is used by some module.

3. Click OK.

237 Chapter 9 Object

AAA Server
An AAA server is a server program that handles user requests for access to computer resources and, for an enter-
prise, provides authentication, authorization, and accounting (AAA) services. The AAA server typically interacts with
network access and gateway servers and with databases and directories containing user information.
Here in StoneOS system, authentication supports the following four types of AAA server:

l Local server: a local server is the firewall itself. The firewall stores user identity information and handles
requests. A local server authentication is fast and cheap, but its storage space is limited by the firewall hardware
size.

l External servers:

l Radius server

l LDAP server

l Active-Directory server (AD server)

l TACACS+ server
According to the type of authentication, you need to choose different AAA server:

l "Single Sign-On" on Page 126: Only AD server supports SSO.

l "802.1x" on Page 134 and "Configuring IPSec-XAUTH Address Pool" on Page 160: Only local and Radius servers
supports these two types of authentication.

l Other authentication methods mentioned in this guide: all four servers can support other authentication.

Co nfiguring a Lo cal AAA Server

1. Select Object > AAA Server, and click New > Local Server.

2. The Local Server dialog box prompts.

In the prompt, enter values.

Option Description

Server Name Type the name for the new server into the text box.
Role Mapping Specifies a role mapping rule for the server. With this option selected, sys-
Rule tem will allocate a role for users who have been authenticated to the
server according to the specified role mapping rule.
Change Pass- If needed, select the Enable checkbox. With this function enabled, the sys-
word tem allows users to change their own passwords after the successful
WebAuth or SCVPN authentication.
Backup To configure a backup authentication server, select a server from the
Authentication drop-down list. After configuring a backup authentication server for the
Server local server, the backup authentication server will take over the authen-
tication task when the primary server malfunctions or authentication fails
on the primary server. The backup authentication server can be any exist-
ing local, Active-Directory, RADIUS or LDAP server defined in the system.

Chapter 9 Object 238

3. Click OK.

Co nfiguring Radius Server

1. Select Object > AAA Server, and select New > Radius Server.

2. The Radius Sever dialog box prompts.

In the prompt, enter values.

Basic Configuration

Server Name Specifies a name for the Radius server.

Server Address Specifies an IP address or domain name for the Radius server.
Virtual Router Specifies a VR for the Radius server.
Port Specifies a port number for the Radius server. The value range is 1024 to
65535. The default value is 1812.
Password Specifies a password for the Radius server. You can specify at most 31
characters.

Optional

Role Mapping Specifies a role mapping rule for the server. With this option selected, sys-
Rule tem will allocate a role for users who have been authenticated to the
server according to the specified role mapping rule.
Backup server Specifies an IP address or domain name for backup server 1 or backup
1/Backup server server 2.
2
Virtual Router- Specifies a VR for the backup server.
1/Virtual Router2
Retries Specifies a retry time for the authentication packets sent to the AAA
server. The value range is 1 to 10. The default value is 3.
Timeout Specifies a timeout for the server response. The value range is 1 to 30
seconds. The default value is 3.
Backup Auth Specifies a backup authentication server. After configuring a backup
Server authentication server for the Radius server, the backup authentication

239 Chapter 9 Object

 Basic Configuration

server will take over the authentication task when the primary server mal-
functions or authentication fails on the primary server. The backup
authentication server can be any existing local, Active-Directory, RADIUS
or LDAP server defined in the system.
Enable Account Select the Enable Account checkbox to enable accounting for the Radius
server, and then configure options in the sliding out area.

Server Address Specifies an IP address or domain name for the account-

ing server.
Virtual Router Specifies a VR for the accounting server.
Port Specifies a port number for the accounting server. The
value range is 1024 to 65535. The default value is 1813.
Password Specifies a password for the accounting server.
Confirm Pass- Enter the password again to confirm.
word
Backup server Specifies an IP address or domain name for backup
1/Backup server 1 or backup server 2.
server 2
Virtual Router- Specifies a VR for the backup server.
1/Virtual
Router2

3. Click OK.

Co nfiguring Active D irecto ry Server

1. Select Object > AAA Server, and then select New > Active Directory Server.

2. The Active Directory Server dialog box prompts.

Chapter 9 Object 240

 In the prompt, enter values.
Basic Configuration

Server Name Specifies a name for the Active Directory server.

Server Address Specifies an IP address or domain name for the Active Directory
server.
Virtual Router Specifies a VR for the Active Directory server.
Port Specifies a port number for the Active Directory server. The value
range is 1 to 65535. The default value is 389.
Base-dn Specifies a Base-dn for the AD server. Base-dn is the starting point
at which your search will begin when the AD server receives an
authentication request.
Take the example of abc.xyz.com described above, the format of
Base-dn is "dc=abc,dc=xyz,dc=com".

Login-dn Specifies authentication characteristics for Login-dn (typically a

user account with query privilege pre-defined by the AD server).
DN (Distinguished name) is a username of the AD server who has a
read access to read user information. The format of DN is"cn=xxx,
DC=xxx,...". For example, the server domain is abc.xyz.com, and the
AD server admin name is administrator who locates in Users dir-
ectory. Then the login-dn should be "cn=a-
administrator,cn=users,dc=abc,dc=xyz,dc=com".

sAMAccountName Specifies the sAMAccountName, which is a string of 1 to 63 char-

acters and is case sensitive.
Authentication Mode Specifies an authentication or synchronization method (either plain
text or MD5). The default method is MD5.

241 Chapter 9 Object

 Basic Configuration
If the sAMAccountName is not configured after you specify the
MD5 method, the plain method will be used in the process of syn-
chronizing user from the server, and the MD5 method will be used
in the process of authenticating user.

Password Specifies a password for the AD server. This should correspond to

the password for Admin DN.

Optional

Role Mapping Rule Specifies a role mapping rule for the server. With this option selec-
ted, system will allocate a role for users who have been authen-
ticated to the server according to the specified role mapping rule.
Backup server Specifies an IP address or domain name for backup server 1 or
1/Backup server 2 backup server 2.
Virtual Router1/Virtual Specifies a VR for the backup server.
Router2
Synchronization Check the checkbox to enable the synchronization function; clear
the checkbox to disable the synchronization function, and the sys-
tem will stop synchronizing and clear the existed user information.
By default, the system will synchronize the user information on the
configured Active-Directory server to the local every 30 minutes.
Automatic Syn- Click the radio button to specify the automatic synchronization.
chronization
Interval Synchronization Specifies the time interval of
automatic synchronization. The
value range is 30 to 1440
minutes. The default value is
30.
Daily Synchronization Specifies the time when the
user information is syn-
chronized everyday. The format
is HH:MM, HH and MM indicates
hour and minute respectively.
Once Synchronization If this parameter is specified, the
system will synchronize auto-
matically when the configuration
of Active-Directory server is mod-
ified. After executing this com-
mand , the system will
synchronize user information
immediately.

Synchronous Oper- Specifies user synchronization mode, including Group Syn-

ation Mode chronization and OU Synchronization. By default, user information
will be synchronized to the local based on Group.
OU maximum depth Specifies the maximum depth of OU to be synchronized. The value
range is 1 to 12, and the default value is 12.
OU structure that exceeds the maximum depth will not be syn-
chronized, but users that exceed the maximum depth will be syn-
chronized to the specified deepest OU where they belong to. If the
total characters of the OU name for each level(including the
“OU=” string and punctuation) is more than 128, OU information
that exceeds the length will not be synchronized to the local.

Chapter 9 Object 242

 Basic Configuration

User Filter Specifies the user-filter conditions, the system can only synchronize
and authenticate users that are in accordance with the filtering con-
dition on the authentication server. The length is 0 to 120 char-
acters. For example, if the condition is configured to
“memberOf=CN=Admin,DC=test,DC=com”,which manifests that
the system only can synchronize or authenticate user whose DN is
“memberOf=CN=Admin,DC=test,DC=com”. The commonly used
operators are: =(equals a value)、&(and）、|(or)、!(not)、*(Wild-
card.Matches zero or more charactors.)、～=( fuzzy query.)、>=(Be
equal or greater than a specified value in lexicographical order.)、
<=( Be equal or less than a specified value in lexicographical
order.).
Security Agent Select the Enable check box to enable Security Agent. With this
function enabled, the system will be able to obtain the mappings
between the usernames of the domain users and IP addresses from
the AD server, so that the domain users can gain access to network
resources. In this way "Single Sign-On" on Page 126 is imple-
mented. Besides, by making use of the obtained mappings, the sys-
tem can also implement other user-based functions, like security
statistics, logging, behavior auditing, etc. To enable Security Agent
on the AD server, you need to install and run Security Agent first
on the server. After that when a domain user is logging in or log-
ging off, Security Agent will log the user's username, IP address,
current time and other information, and add the mapping between
the username and IP address to the system. In this way the system
can obtain every online user's IP address.

Agent Port Specifies an agent port. The value range is 1025 to

65535. The default port is 6666.
Login Info Specifies a login info timeout. The value range is 0 to
Timeout 1800 seconds. The default value is 300. The value of 0
indicates never timeout.

Backup Authentic- Specifies a backup authentication server. After configuring a

ation Server backup authentication server for the Radius server, the backup
authentication server will take over the authentication task when
the primary server malfunctions or authentication fails on the
primary server. The backup authentication server can be any exist-
ing local, Active-Directory, RADIUS or LDAP server defined in the
system.

3. Click OK.

Co nfiguring LD AP Server
1. Select Object > AAA Server, and then select New > LDAP Server.

2. The LDAP Server dialog box prompts.

243 Chapter 9 Object

 In the prompt, enter values.
Basic Configuration

Server Name Specifies a name for the LDAP server.

Server Address Specifies an IP address or domain name for the LDAP server.
Virtual Router Specifies a VR for the LDAP server.
Port Specifies a port number for the LDAP server. The value range is 1 to
65535. The default value is 389.
Base-dn Specifies details for Base-dn. Base-dn is the starting point at which your
search will begin when the LDAP server receives an authentication
request.
Login-dn Specifies authentication characteristics for Login-dn (typically a user
account with query privilege pre-defined by the LDAP server).
Authid Specifies the Authid, which is a string of 1 to 63 characters and is case
sensitive.
Authentication Specifies an authentication or synchronization method (either plain text
Mode or MD5). The default method is MD5.
If the Authid is not configured after you specify the MD5 method, the
plain method will be used in the process of synchronizing user from the
server, and the MD5 method will be used in the process of authenticating
user.

Password Specifies a password for the LDAP server. This should correspond to the
password for Admin DN.

Optional

Role Mapping Specifies a role mapping rule for the server. With this option selected, sys-
Rule

Chapter 9 Object 244

 Basic Configuration

tem will allocate a role for users who have been authenticated to the
server according to the specified role mapping rule.
Backup server Specifies an IP address or domain name for backup server 1 or backup
1/Backup server server 2.
2
Virtual Router- Specifies a VR for the backup server.
1/Virtual Router2
Synchronization Check the checkbox to enable the synchronization function; clear the
checkbox to disable the synchronization function, and the system will
stop synchronizing and clear the existed user information. By default, the
system will synchronize the user information on the configured LDAP
server to the local every 30 minutes.
Automatic Syn- Click the radio button to specify the automatic synchronization.
chronization
Interval Synchronization Specifies the time interval of auto-
matic synchronization. The value
range is 30 to 1440 minutes. The
default value is 30.
Daily Synchronization Specifies the time when the user
information is synchronized every-
day. The format is HH:MM, HH and
MM indicates hour and minute
respectively.
Once Synchronization If this parameter is specified, the sys-
tem will synchronize automatically
when the configuration of LDAP server
is modified. After executing this com-
mand , the system will synchronize
user information immediately.

Synchronous Specifies user synchronization mode, including Group Synchronization

Operation Mode and OU Synchronization. By default, user information will be syn-
chronized to the local based on Group.
OU maximum Specifies the maximum depth of OU to be synchronized. The value range
depth is 1 to 12, and the default value is 12.
OU structure that exceeds the maximum depth will not be synchronized,
but users that exceed the maximum depth will be synchronized to the
specified deepest OU where they belong to. If the total characters of the
OU name for each level(including the “OU=” string and punctuation)
is more than 128, OU information that exceeds the length will not be syn-
chronized to the local.

User Filter Specifies the user filters, the system can only synchronize and authen-
ticate users that match the filters on the authentication server. The
length is 0 to 120 characters. For example, if the condition is configured
to “(|(objectclass=inetOrgperson)(objectclass=person))”,which mani-
fests that the system only can synchronize or authenticate users which
are defined as inetOrgperson or person. The commonly used operators
are as follows: =(equals a value)、&(and）、|(or)、!(not)、*(Wildcard.
Matches zero or more characters.)、～=( fuzzy query.)、>=(Be equal or
greater than a specified value in lexicographical order.)、<=( Be equal or
less than a specified value in lexicographical order.).
Naming Attrib- Specifies a naming attribute for the LDAP server. The default naming
ute attribute is uid.

245 Chapter 9 Object

 Basic Configuration

Member Attrib- Specifies a member attribute for the LDAP server. The default member
ute attribute is uniqueMember.
Group Class Specifies a group class for the LDAP server. The default class is groupo-
funiquenames.
Backup Specifies a backup authentication server. After configuring a backup
Authentication authentication server for the LDAP server, the backup authentication
Server server will take over the authentication task when the primary server mal-
functions or authentication fails on the primary server. The backup
authentication server can be any existing local, Active-Directory, RADIUS
or LDAP server defined in the system.

3. Click OK.

Co nfiguring TACACS+ Server

1. Select Object > AAA Server.

2. Click New > TACACS+ Server, and the <TACACS+ Server Configuration> dialog will appear.

Enter values in the <TACACS+ Server Configuration> dialog.

Basic Configuration

Server Name Enter a name for TACACS+ server.

Server Address Specify the IP address or host name of TACACS+ server.
Virtual Router Specify the VRouter of TACACS+ server.
Port Enter port number of TACACS+ server. Default value is 49. The value
range is 1 to 65535.
Secret Enter the shared secret to connect TACACS+ server.
Confirm Secret Re-enter shared key.

Optional

Role mapping Select a role mapping rule for the server. With this option selected, sys-
rule tem will allocate a role for users who have been authenticated to the
server according to the specified role mapping rule.
Backup Server 1 Enter the domain name or IP address of backup TACACS+ server.
(2)
Virtual Router 1 Select the VRouter of backup server.

Chapter 9 Object 246

 Basic Configuration

(2)

Co nnectivity Test
When AAA server parameters are configured, you can test if they are correct by testing server connectivity.
To test server connectivity:

1. Select Object > AAA Server, and click New.

2. Select your AAA server type, which can be Radius, AD, LDAP or TACACS+. Local server does not need connectivity
test.

3. After filling out the fields, click Test Connectivity.

4. For Radius or TACACS+ server, enter a username and password in the popped <Test Connectivity> dialog. If the
server is AD or LDAP, the login-dn and secret is used to test connectivity.

5. Click Test Connectivity. If "Test connectivity success" message appears, the AAA server settings are correct.
If there is an error message, here are the causes:

l Connect AAA server timeout: Wrong server address, port or wrong virtual router.

l AAA server configuration error: Secret is wrong.

l Wrong name or password: Username or password for testing is wrong.

247 Chapter 9 Object

User
User refers to the user who uses the functions and services provided by the Hillstone device, or who is authenticated
or managed by the device. The authenticated users consist of local user and external user. The local users are created
by administrators. They belong to different local authentication servers, and are stored in system's configuration files.
The external users are stored in external servers, such as AD server or LDAP server. System supports User Group to
facilitate user management. Users belonging to one local authentication server can be allocated to different user
groups, while one single user can belong to different user groups simultaneously; similarly, user groups belonging to
one local authentication server can be allocated to different user groups, while one single user group can belong to dif-
ferent user groups simultaneously. The following diagram take the default AAA server Local as an example and shows
the relationship between users and user groups:

As shown above, User1, User2 and User3 belong to UserGroup1, while User3 also belongs to UserGroup2, and User-
Group2 also contains User4, User5 and UserGroup1.

Co nfiguring a Lo cal User

This section describes how to configure a local user and user group.

Crea ting a Loc a l Us er

To create a local user:

1. Select Object > User > Local User.

2. Click New > User.

Chapter 9 Object 248

 In the Basic tab in User Configuration dialog, configure the followings.
Option Description

Name Specifies a name for the user.

Password Specifies a password for the user.
Confirm password Type the password again to make confirmation.

Mobile+country Specified the user's mobile number. When users log in the SCVPN cli-
code ent, system will send the verification code to the mobile number.
Description If needed, type the description for the user.
Group Add the user to a selected usergroup. Click Choose, and in the
Choose User Group dialog, select the usergroup you want and click
Add.

Expiration Select the Enable check box to enable expiration for the user, and
then specify a date and time. After expiration, the user cannot be
authenticated, therefore cannot be used in the system. By default
expiration is not enabled.

In the VPN Options tab, configure network parameters for the PnPVPN client.
Option Description

IKE ID Specifies a IKE ID type for dial-up VPN users. If FQDN or ASN1 is selec-
ted, also type the ID's content in the text box below.
DHCP Start IP Specifies a start IP for the DHCP address pool.
DHCP End IP Specifies an end IP for the DHCP address pool.
DHCP Netmask Specifies a netmask for the DHCP address pool.

DHCP Gateway Specifies a gateway for the DHCP address pool. The IP address of the
gateway corresponds to the IP address of PnPVPN client's Intranet
interface and PC's gateway address. The PC's IP address is determined
by the segment and netmask configured in the above DHCP address
pool. Therefore, the gateway's address and DHCP address pool
should be in the same segment.
DNS1 Specifies an IP address for the DNS server. You can specify one
primary DNS server (DNS1) and up to three alternative DNS servers.
DNS2
DNS3
DNS4
WINS1 Specifies an IP address for the WINS server. You can specify one
primary WINS server (WINS1)and one alternative WINS server.
WINS2
Tunnel IP Specifies an IP address for the PnPVPN client's tunnel interface. Select
the Enable SNAT check box to enable SNAT.

3. Click OK.

Crea ting a Us er Group

To create a user group:

1. Select Object > User > Local User.

2. Click New > User Group.

3. Type the name for the user group into the Name box.

4. Specifies members for the user group. Expand User or User Group in the Available list, select a user or user

249 Chapter 9 Object

 group and click Add to add it to the Selected list on the right. To delete a selected user or user group, select it in
the Selected list and then click Remove. One user group can contain multiple users or user groups, but system
only supports up to 5 layers of nested user groups, and does not support loopback nest, i.e., a user group should
not nest the upper-layer user group it belongs to.

5. Click OK.

Co nfiguring a LD AP User
This section describes how to configure a LDAP user.

Configuring a LD AP Server
To create a LDAP user, firstly, you need to configure a LDAP server to import an LDAP user and perform authentication.
To configure an LDAP server:

1. Select Object > User > LDAP User.

2. Select a LDAP server name from LDAP Server drop-down list.

3. Click Configure.

Configure the following options.

Basic Configuration

Server Name Specifies a name for the LDAP server.

Server Address Specifies an IP address or domain name for the LDAP server.
Virtual Router Specifies a VR for the LDAP server.
Port Specifies a port number for the LDAP server. The value range is 1 to
65535. The default value is 389.
Login-dn Specifies authentication characteristics for Login-dn (typically a user
account with query privilege pre-defined by the LDAP server).
Base-dn Specifies a Base-dn for the LDAP server. Base-dn is the starting point at
which your search will begin when the LDAP server receives an authen-
tication request.
Authid Specifies the Authid, which is a string of 1 to 63 characters and is case
sensitive.

Chapter 9 Object 250

 Basic Configuration

Authentication Specifies an authentication or synchronization method (either plain text

Mode or MD5). The default method is MD5.
If the Authid is not configured after you specify the MD5 method, the
plain method will be used in the process of synchronizing user from the
server, and the MD5 method will be used in the process of authenticating
user.

Password Specifies a password for the LDAP server. This should correspond to the
password for Admin DN.
Confirm Pass- Enter the password again to confirm.
word

Optional

Backup server Specifies an IP address or domain name for Backup server 1/Backup
1/Backup server server 2.
2
Virtual Router- Specifies a VR for the backup server.
1/Virtual Router2
Synchronous Specifies user synchronization mode, including Group Synchronization
Operation Mode and OU Synchronization. By default, user information will be syn-
chronized to the local based on Group.
OU maximum Specifies the maximum depth of OU to be synchronized. The value range
depth is 1 to 12, and the default value is 12.
OU structure that exceeds the maximum depth will not be synchronized,
but users that exceed the maximum depth will be synchronized to the
specified deepest OU where they belong to. If the total characters of the
OU name for each level(including the “OU=” string and punctuation)
is more than 128, OU information that exceeds the length will not be syn-
chronized to the local.

User Filter Specifies the user filters, the system can only synchronize and authen-
ticate users that match the filters on the authentication server. The
length is 0 to 120 characters. For example, if the condition is configured
to “(|(objectclass=inetOrgperson)(objectclass=person))”,which mani-
fests that the system only can synchronize or authenticate users which
are defined as inetOrgperson or person. The commonly used operators
are as follows: =(equals a value)、&(and）、|(or)、!(not)、*(Wildcard.
Matches zero or more characters.)、～=( fuzzy query.)、>=(Be equal or
greater than a specified value in lexicographical order.)、<=( Be equal or
less than a specified value in lexicographical order.).
Naming Attrib- Specifies a naming attribute for the LDAP server. The default naming
ute attribute is uid.
Member Attrib- Specifies a member attribute for the LDAP server. The default member
ute attribute is uniqueMember.
Group Class Specifies a group class for the LDAP server. The default class is
GroupOfUiqueNames.
Backup Specifies a backup authentication server. After configuring a backup
Authentication authentication server for the LDAP server, the backup authentication
Server server will take over the authentication task when the primary server mal-
functions or authentication fails on the primary server. The backup
authentication server can be any existing local, Active-Directory, RADIUS
or LDAP server defined in the system.

4. Click OK.

251 Chapter 9 Object

Sync hroniz ing Us ers
You can synchronize users in a LDAP server to the Hillstone device. To synchronize users:

1. Select Object > User > LDAP User.

2. Select a server from the LDAP Server drop-down list, and click Sync Users.

Co nfiguring an Active D irecto ry User

This section describes how to configure an active directory (AD) user.

Configuring a n AD Server
To create an AD user, first you need to configure an AD server to import an AD user and perform authentication. To
configure an AD server:

1. Select Object > User >AD User.

2. Select a AD server name from Active Directory Server drop-down list.

3. Click Configure.

Configure the following options.

Basic Configuration

Server Name Specifies a name for the AD server.

Server Address Specifies an IP address or domain name for the AD server.
Virtual Router Specifies a VR for the AD server.
Port Specifies a port number for the AD server. The value range is 1 to
65535, and the default value is 389.
Login-dn Specifies authentication characteristics for Login-dn (a user account
with query privilege pre-defined by the AD server).
Base-dn Specifies a Base-dn for the AD server. Base-dn is the starting point at
which your search will begin when the AD server receives an authen-
tication request.
sAMAccountName Specifies the sAMAccountName, which is a string of 1 to 63 characters

Chapter 9 Object 252

 Basic Configuration

and is case sensitive.

Authentication Specifies an authentication or synchronization method (either plain text
Mode or MD5). The default method is MD5.
If the sAMAccountName is not configured after you specify the MD5
method, the plain method will be used in the process of synchronizing
user from the server, and the MD5 method will be used in the process
of authenticating user.

Password Specifies a password for the AD server. This should correspond to the
password for Admin DN.
Confirm password Enter the password again to confirm.

Optional

Backup Server 1/2 Specifies an IP address or domain name for the backup AD server 1 or
2.
Virtual Router- Specifies a VR for the backup server.
1/Virtual Router2
Synchronous Oper- Specifies user synchronization mode, including Group Synchronization
ation Mode and OU Synchronization. By default, user information will be syn-
chronized to the local based on Group.
OU maximum Specifies the maximum depth of OU to be synchronized. The value
depth range is 1 to 12, and the default value is 12.
OU structure that exceeds the maximum depth will not be syn-
chronized, but users that exceed the maximum depth will be syn-
chronized to the specified deepest OU where they belong to. If the total
characters of the OU name for each level(including the “OU=” string
and punctuation) is more than 128, OU information that exceeds the
length will not be synchronized to the local.

User Filter Specifies the user-filter conditions, the system can only synchronize
and authenticate users that are in accordance with the filtering con-
dition on the authentication server. The length is 0 to 120 characters.
For example, if the condition is configured to “mem-
berOf=CN=Admin,DC=test,DC=com”,which manifests that the system
only can synchronize or authenticate user whose DN is “mem-
berOf=CN=Admin,DC=test,DC=com”. The commonly used operators
are: =(equals a value)、&(and）、|(or)、!(not)、*(Wildcard.Matches
zero or more charactors.)、～=( fuzzy query.)、>=(Be equal or greater
than a specified value in lexicographical order.)、<=( Be equal or less
than a specified value in lexicographical order.).
Security Agent Select the Enable check box to enable Security Agent. With this func-
tion enabled, the system will be able to obtain the mappings between
the usernames of the domain users and IP addresses from the AD
server, so that the domain users can gain access to network resources.
In this way "Single Sign-On" on Page 126 is implemented. Besides, by
making use of the obtained mappings, the system can also implement
other user-based functions, like security statistics, logging, behavior
auditing, etc. To enable Security Agent on the AD server, you need to
install and run Security Agent first on the server. After that when a
domain user is logging in or logging off, Security Agent will log the
user's username, IP address, current time and other information, and
add the mapping between the username and IP address to the system.
In this way the system can obtain every online user's IP address.

253 Chapter 9 Object

 Basic Configuration

Agent Port Specifies an agent port. The value range is 1025 to

65535. The default port is 6666.
Login Info Specifies a login info timeout. The value range is 0 to
Timeout 1800 seconds. The default value is 300. The value of 0
indicates never timeout.

Backup Authentic- Specifies a backup authentication server. After configuring a backup

ation Server authentication server for the LDAP server, the backup authentication
server will take over the authentication task when the primary server
malfunctions or authentication fails on the primary server. The backup
authentication server can be any existing local, Active-Directory,
RADIUS or LDAP server defined in the system.

4. Click OK.

Sync hroniz ing Us ers

You can synchronize users in an AD server to the device. To synchronize users:

1. Select Object > User >AD User.

2. Select an AD server from the Active Directory Server drop-down list, and click Sync Users.

Co nfiguring a I P-User B inding

To bind an IP or MAC address to a user, take the following steps:

1. Select Object > User > IP-User Binding .

2. Click Add User Binding.

Configure the following options.

User

AAA Server Select an AAA server from the drop-down list.

User Select a user for the binding from the drop-down list.

Binding Type

Binding Type By specifying the binding type, you can bind the user to a IP address or
MAC address.

l IP - If IP is selected, type the IP address into the IP text box. And

select a VR from the Virtual Router drop-down list. Select the

Chapter 9 Object 254

 User
Check WebAuth IP-User Mapping Relationship check box to
apply the IP-User mapping only to the check for IP-user mapping
during Web authentication if needed.

l MAC - If MAC is selected, type the MAC address into the MAC text
box. And select a VR from the Virtual Router drop-down list.

3. Click OK.

255 Chapter 9 Object

Role
Roles are designed with certain privileges. For example, a specific role can gain access to some specified network
resources, or make exclusive use of some bandwidth. In StoneOS, users and privileges are not directly associated.
Instead, they are associated by roles.
The mappings between roles and users are defined by role mapping rules. In function configurations, different roles
are assigned with different services. Therefore, the mapped users can gain the corresponding services as well.
System supports role combination, i.e., the AND, NOT or OR operation on roles. If a role is used by different modules,
the user will be mapped to the result role generated by the specified operation.
System support the following role-based functions:

l Role-based policy rules: Implements access control for users of different types.

l Role-based QoS: Implements QoS for users of different types.

l Role-based statistics: Collects statistics on bandwidth, sessions and new sessions for users of different types.

l Role-based session limits: Implements session limits for specific users.

l SCVPN role-based host security detection: Implements control over accesses to specific resources for users of dif-
ferent types.

l Role-based PBR: Implements routing for users of different types.

Creating a Ro le
To create a role:

1. Select Object > Role > Role.

2. Click New.

Configure the following options.

Option Description

Role Name Type the role name into the Role Name box.
Description Type the description for the role into the Description box.

3. Click OK.

Creating a Ro le Mapping Rule

To create a role mapping rule:

1. Select Object > Role > Role Mapping .

2. Click New.

Chapter 9 Object 256

3. Type the name for the rule mapping rule into the Name box.

4. In the Member section, select a role name from the first drop-down list, and then select a user, user group, cer-
tificate name (the CN field of USB Key certificate) or organization unit (the OU field of USB Key certificate) from the
second drop-down list. If User, User group, CN or OU is selected, also select or enter the corresponding user
name, user group name, CN or OU into the box behind.

5. Click Add to add to the role mapping list.

6. If needed, repeat Step 4 and Step 5 to add more mappings. To delete a role mapping, select the role mapping you
want to delete from the mapping list, and click Delete.

7. Click OK.

Creating a Ro le Co mbinatio n
To create a role combination:

1. Select Object > Role > Role Combination.

2. Click New.

Configure the following options.

Option Description

First Prefix Specifies a prefix for the first role in the role regular expression.
First Role Select a role name from the First Role drop-down list to specify a name
for the first role in the role regular expression.

257 Chapter 9 Object

 Option Description

Operator Specifies an operator for the role regular expression.

Second Prefix Specifies a prefix for the second role in the role regular expression.
Second Role Select a role name from the Second Role drop-down list to specify a
name for the second role in the role regular expression.
Result Role Select a role name from the Result Role drop-down list to specify a name
for the result role in the role regular expression.

3. Click OK.

Chapter 9 Object 258

Track Object
The devices provide the track object to track if the specified object (IP address or host) is reachable or if the specified
interface is connected. This function is designed to track HA and interfaces.

Creating a Track Obj ect

To create a track object:

1. Select Object > Track Object.

2. Click New.

Configure the following options.

Option Description

Name Specifies a name for the new track object.

Threshold Type the threshold for the track object into the text box. If the sum of
weights for failed entries in the track object exceeds the threshold, the
system will conclude that the whole track object fails.
Track Type Select a track object type. One track object can only be configured with
one type.
Select Interface radio button:

l Click Add in Add Track Members section and then configure the fol-
lowing options in the Add Interfaces dialog:

l Interface - Select a track interface from the drop-down list.

l Weight - Specifies a weight for the interface, i.e. the weight for
overall failure of the whole track object if this track entry fails.
Select HTTP Ping ARP DNS TCPradio button:

l Click Add, select a packet type from the drop-down list, and then
configure the following options in the Add
HTTP/Ping/ARP/DNS/TCP Member dialog:

l IP/Host - Specifies an IP address or host name for the track

object when the track is implemented by HTTP/Ping/TCP pack-
ets.

259 Chapter 9 Object

 Option Description
IP - Specifies an IP address for the track object when the track is
implemented by ARP packets.
DNS - Specifies an IP address for the track object when the track
is implemented by DNS packets.

l Weight - Specifies a weight for overall failure of the whole track

object if this track entry fails.

l Retries: Specifies a retry threshold. If no response packet is

received after the specified times of retries, the system will
determine this track entry fails, i.e., the track entry is unreach-
able. The value range is 1 to 255. The default value is 3.

l Interval - Specifies an interval for sending packets. The value

range is 1 to 255 seconds. The default value is 3.

l Egress Interface - Specifies an egress interface on which

HTTP/Ping/ARP/DNS/TCP packets are sent.

l Source Interface- Specifies a source interface for

HTTP/Ping/ARP/DNS/TCP packets.

HA sync Select this check box to enable HA sync function. The primary device will
synchronize its information with the backup device.

3. Click OK.

Chapter 9 Object 260

URL Filter
URL filter controls the access to some certain websites and records log messages for the access actions. URL filter
helps you control the network behaviors in the following aspects:

l Access control to certain category of websites, such as gambling and pornographic websites.

l Access control to certain category of websites during the specified period. For example, forbid to access IM web-
sites during the office hours.

l Access control to the website whose URL contains the specified keywords. For example, forbid to access the URL
that contains the keyword of game.

Co nfiguring URL Filter

Configuring URL filter contains two parts:

l Create a URL filter rule

l Bind a URL filter rule to a security zone or policy rule

Part 1: Creating a URL filter rule

1. Select Object > URL Filter.

2. Click New.

261 Chapter 9 Object

 In the URL Filter Rule Configuration dialog, configure the following options.
Option Description

Name Specifies the name of the rule. You can configure same URL filter rule
name in different VSYSs.
Control Type Control types are URL Category, URL Keyword Category, and Web Surf-
ing Record. You can select one type for each URL filter rule.
URL Category controls the access to some certain category of website.
The options are:

l SSL inspection: Select the Enable check box to enable SSL nego-
tiation packets inspection. For HTTPS traffic, the system can
acquire the domain name of the site which you want to access from
the SSL negotiation packets after this feature is configured. Then,
the system will perform URL filter in accordance with the domain
name. If SSL proxy is configured at the same time, SSL negotiation
packets inspection method will be preferred for URL filter.

l New: Creates a new URL category. For more information about URL
category, see "User-defined URL DB" on Page 266.

l Edit: Selects a URL category from the list, and click Edit to edit the
selected URL category.

l URL category: Shows the name of pre-defined and user-defined

URL categories in the VSYS.

l Block: Selects the check box to block access to the corresponding

URL category.

l Log: Selects the check box to log access to the corresponding URL
category.

l Other URLS: Specifies the actions to the URLs that are not in the
list, including Block Access and Record Log.
URL Keyword Category controls the access to the website who's URL con-
tains the specific keywords. Click the URL Keyword Categoryoption to
configure. The options are:

l New: Creates new keyword categories. For more information about

keyword category, see "Keyword Category" on Page 269.

l Edit: Select a URL keyword category from the list, and click Edit to
edit the selected URL keyword category.

l Keyword category: Shows the name of the configured keyword cat-

egories.

l Block: Selects the check box to block the access to the website
whose URL contains the specified keywords.

l Log: Selects the check box to log the access to the website whose
URL contains the specified keywords.

l Other URLS: Specifies the actions to the URLs that do not contain
the keywords in the list, including Block Access and Record Log.
Web Surfing Record logs the GETand POST methods of HTTP.

l Get: Records the logs when having GET methods.

l Post: Records the logs when having POST methods.

Chapter 9 Object 262

 Option Description
l Post Content: Records the posted content.

3. Click OK to save the settings.

Part 2: Binding a URL filter rule to a security zone or security policy rule
The URL filter configurations are based on security zones or policies.

l If a security zone is configured with the URL filter function, the system will perform detection on the traffic that is
destined to the binding zone specified in the rule, and then do according to what you specified.

l If a policy rule is configured with the URL filter function, the system will perform detection on the traffic that is
destined to the policy rule you specified, and then response.

l The threat protection configurations in a policy rule is superior to that in a zone rule if specified at the same time,
and the URL filter configurations in a destination zone is superior to that in a source zone if specified at the same
time.

l To perform the URL filter function on the HTTPS traffic, see the policy-based URL filter.
To realize the zone-based URL filter:

1. Create a zone. For more information about how to create, refer to "Security Zone" on Page 35.

2. In the Zone Configuration dialog, select Threat Protection tab.

3. Enable the threat protection you need, and select an URL filter rules from the profile drop-down list below; or you
can click Add Profile from the profile drop-down list below, to creat an URL filter rule, see "Part 1: Creating a URL
filter rule" on Page 261.

4. Click OK to save the settings.

To realize the policy-based URL filter:

1. Configure a security policy rule. See "Configuring a Security Policy Rule" on Page 274.

2. In the Protection tab, select the Enable check box of URL Filter.

3. From the Profile drop-down list, select a URL filter rule. You can also click Add Profile to create a new URL filter
rule.

4. To perform the URL filter function on the HTTPS traffic, you need to enable the SSL proxy function for this security
policy rule. The system will decrypt the HTTPS traffic according to the SSL proxy profile and then perform the URL
filter function on the decrypted traffic.

According to the various configurations of the security policy rule, the system will perform the fol-
lowing actions:

Policy Rule Con-

Actions
figurations
SSL proxy The system decrypts the HTTPS traffic according to the SSL proxy profile
enabled but it does not perform the URL filter function on the decrypted traffic.
URL filter dis-
abled
SSL proxy The system decrypts the HTTPS traffic according to the SSL proxy profile
enabled and performs the URL filter function on the decrypted traffic.
URL filter
enabled
SSL proxy dis- The system performs the URL filter function on the HTTP traffic according
abled to the URL filter profile. The HTTPS traffic will not be decrypted and the

263 Chapter 9 Object

 Policy Rule Con-
Actions
figurations
URL filter system will transfer it.
enabled

If the SSL proxy and URL filter functions are enabled on a security policy rule but the control type of the selected
URL filter rule is the Web surfing record, the system will not record the GET and POST methods and the posted
contents via HTTPS.
If the zone which the security policy rule binds with is also configured with URL filter, the system will perform the
following actions:

Policy Rule Con- Zone Con-

Actions
figurations figurations
SSL proxy URL filter The system decrypts the HTTPS traffic according to the
enabled enabled SSL proxy profile and performs the URL filter function on
the decrypted traffic according to the URL filter rule of
URL filter dis-
the zone.
abled
SSL proxy URL filter The system decrypts the HTTPS traffic according to the
enabled enabled SSL proxy profile and performs the URL filter function on
the decrypted traffic according to the URL filter rule of
URL filter
the policy rule.
enabled
SSL proxy dis- URL filter The system performs the URL filter function on the HTTP
abled enabled traffic according to the URL filter rule of the policy rule.
The HTTPS traffic will not be decrypted and the system
URL filter
will transfer it.
enabled

5. Click OK to save the settings.

If necessary, you can go on to configure the functions of "Predefined URL DB" on Page 265, "URL Lookup" on Page 268,
and "Warning Page" on Page 270.

Object Description

Predefined URL The predefined URL database includes dozens of categories and tens of mil-
DB lions of URLs and you can use it to specify the URL categories.

URL Lookup Use the URL lookup function to inquire URL information from the URL data-
base, including the URL category and the category type.

Warning Page l Block warning: When your network access is blocked, you will be
prompted with a warning page in the Web browser.

l Audit warning: When your network access is audited, you will be

prompted with a warning page in the Web browser.

Note:
l Only after cancelling the binding can you delete the URL filter rule.

l To get the latest URL categories, you are recommended to update the URL database first.
For more information about URL database, see "Predefined URL DB" on Page 265.

l You can export the log messages to specified destinations. For more information about log
messages, see "NBC Logs" on Page 442.

Chapter 9 Object 264

V iew ing URL H it Statistics
The URL access statistics includes the following parts:

l Summary: The statistical information of the top 10 user/IPs, the top 10 URLs, and the top 10 URL categories dur-
ing the specified period of time are displayed.

l User/IP: The user/IP and detailed hit count are displayed.

l URL:The URL and detailed hit count are displayed.

l URL Category:The URL category and detailed hit count and traffic are displayed.
To view the URL hit statistics, see "URL Hit" on Page 408 in Monitor.

l To view the URL hit statistics, enable URL Hit in "Monitor Configuration" on Page 417.

l To view the traffic of the URL category, enable URL Hit and URL Category Bandwidth in "Monitor Con-
figuration" on Page 417.

V iew ing Web Surfing Reco rds

To view the Web surfing records, view "URL Logs" on Page 441. Before you view the Web surfing records, see "Log
Configuration" on Page 443 to enable URL Log function.

Co nfiguring URL Filter Obj ects

When using URL filter function, you need to configure the following objects:

Object Description

Predefined URL The predefined URL database includes dozens of categories and tens of mil-
DB lions of URLs and you can use it to specify the URL categories.

User-defined URL The user-defined URL database is defined by yourself and you can use it to
DB specify the URL category.

URL Lookup Use the URL lookup function to inquire URL information from the URL data-
base.

Keyword Cat- Use the keyword category function to customize the keyword categories.
egory
Warning Page l Block warning: When your network access is blocked, you will be
prompted with a warning page in the Web browser.

l Audit warning: When your network access is audited, you will be

prompted with a warning page in the Web browser.

Predefined URL D B
The system contains a predefined URL database.

Note: The predefined URL database is controlled by a license controlled. Only after a URL
license is installed, the predefined URL database can be used.

The predefined URL database provides URL categories for the configurations of URL filter. It includes dozens of cat-
egories and tens of millions of URLs .
When identifying the URL category, the user-defined URL database has a higher priority than the predefined URL data-
base.

265 Chapter 9 Object

Configuring P re de fine d U RL D a ta ba se U pda te P a ra me te rs
By default, the system updates predefined URL database everyday. You can change the update parameters according
to your own requirements. Currently, two default update servers are provides: update1.hillstonenet.com and
update2.hillstonenet.com. Besides, you can update the predefined URL database from your local disk.
To change the update parameters:

1. Select System > Upgrade Management > Signature Database Update.

2. In the URL category database update section, you can view the current version of the database, perform the
remote update, configure the remote update, and perform the local update.

3. Select Enable Auto Update to enable the automatic update function. And then continue to specify the frequency
and time. Click OK to save your settings.

4. Click Configure Update Server to configure the update server URL. In the pop-up dialog, specify the URL or IP
address of the update server, and select the virtual router that can connect to the server. To restore the URL set-
tings to the default ones, click Restore Default.

5. Click Configure Proxy Server, then enter the IP addresses and ports of the main proxy server and the backup
proxy server. When the device accesses the Internet through a HTTP proxy server, you need to specify the IP
address and the port number of the HTTP proxy server. With the HTTP proxy server specified, various signature
database can update normally.

6. Click OK to save the settings.

U pgra ding P re de fine d U RL D a ta ba se Online

To upgrade the URL database online:

1. Select System > Upgrade Management > Signature Database Update.

2. In the URL category database update section, click Update to update the predefined URL database.

U pgra ding P re de fine d U RL D a ta ba se from Loca l

To upgrade the predefined URL database from local:

1. System > Upgrade Management > Signature Database Update

2. In the URL category database update section, click Browse to select the URL database file from your local disk.

3. Click Upload to update the predefined URL database.

Note: You can not upgrade the predefined URL database from local in non-root VSYS.

Us er-defined URL D B
Besides categories in predefined URL database, you can also create user-defined URL categories, which provides URL
categories for the configurations of URL filter. When identifying the URL category, the user-defined URL database has
a higher priority than the predefined URL database.
System provides three predefined URL categories: custom1, custom2, custom3. You can import your own URL lists
into one of the predefined URL category.

Chapter 9 Object 266

 Note: You can not import your own URL lists into one of the predefined URL category in non-
root VSYS.

Configuring U se r- de fine d U RL D B
To configure a user-defined URL category:

1. Select Policy > URL Filter.

2. At the top-right corner, select Configuration > User-defined URL DB. The User-defined URL DB dialog
appears.

3. Click New. The URL Category dialog appears.

4. Type the category name in the Category box. URL category name cannot only be a hyphen (-). And you can create
at most 16 user-defined categories.

5. Type a URL into the URL http:// box.

6. Click Add to add the URL and its category to the table.

7. To edit an existing one, select it and then click Edit. After editing it, click Add to save the changes.

8. Click OK to save the settings.

Importing U se r- de fine d U RL
System supports to batch import user-defined URL lists into the predefined URL category named custom1/2/3. To
import user-defined URL:

1. Select Object > URL Filter.

2. At the top-right corner, select Configuration > User-defined URL DB. The User-defined URL DB dialog
appears.

3. Select one of the predefined URL category(custom1/2/3), and then click Import.

267 Chapter 9 Object

 4. In the Batch Import URL dialog, click Browse button to select your local URL file. The file should be less than 1 M,
and has at most 1000 URLs. Wildcard is supported to use once in the URL file, which should be located at the start
of the address.

5. Click OK to finish importing.

Cle a ring U se r- de fine d U RL

In the predefined URL category named custom1/2/3, clear user-defined URL:

1. Select Object > URL Filter.

2. At the top-right corner, select Configuration > User-defined URL DB. The User-defined URL DB dialog
appears.

3. Select one of the predefined URL category(custom1/2/3), and then click Clear, the URL in the custom 1/2/3 will
be cleared from the system.

URL Look up
You can inquire a URL to view the details by URL lookup, including the URL category and the category type.

Inquiring U RL Informa tion

To inquiry URL information:

1. Select Policy > URL Filter.

2. At the top-right corner, click Configuration > URL Lookup. The URL Lookup dialog appears.

3. Type the URL into the Please enter the URL to inquire box.

4. Click Inquire, and the results will be displayed at the bottom of the dialog.

Configuring U RL Lookup Se rv e rs
URL lookup server can classify an uncategorized URL (URL is neither in predefined URL database nor in user-defined
URL database) you have accessed, and then add it to the URL database during database updating. Two default URL
lookup servers are provided: url1.hillstonenet.com and url2.hillstonenet.com. By default, the URL lookup servers are
enabled.
To configure a URL lookup server:

1. Select Policy > URL Filter.

2. At the top-right corner, Select Configuration > Predefined URL DB. The Predefined URL DB dialog appears.

Chapter 9 Object 268

3. Click Inquiry Server Configuration. The Predefined URL DB Inquiry Server Configuration dialog appears.

4. In the Inquiry server section, double-click the cell in the IP/Port/Virtual Router column of Server1/2 and type a
new value.

5. Select the check box in the Enable column to enable this URL lookup server.

6. Click OK to save the settings.

Keyw ord Ca tegory

You can customize the keyword category and use it in the URL filter function.
After configuring a URL filter rule, the system will scan traffic according to the configured keywords and calculate the
trust value for the hit keywords. The calculating method is: adding up the results of times * trust value of each
keyword that belongs to the category. Then the system compares the sum with the threshold 100 and performs the fol-
lowing actions according to the comparison result:

l If the sum is larger than or equal to category threshold (100), the configured category action will be triggered;

l If more than one category action can be triggered and there is block action configured, the final action will be
Block;

l If more than one category action can be triggered and all the configured actions are Permit, the final action will be
Permit.
For example, a URL filter rule contains two keyword categories C1 with action block and C2 with action permit. Both of
C1 and C2 contain the same keywords K1 and K2. Trust values of K1 and K2 in C1 are 20 and 40. Trust values of K1
and K2 in C2 are 30 and 80.
If the system detects 1 occurrence of K1 and K2 each on a URL, then C1 trust value is 20*1＋ 40*1=60<100, and C2
trust value is 30*1+80*1=110>100. As a result, the C2 action is triggered and the URL access is permitted.
If the system detects 3 occurrences of K1 and 1 occurrence of K2 on a URL, then C1 trust value is 20*3+40*1=100,
and C2 trust value C2 is 30*3+80*1=170>100. Conditions for both C1 and C2 are satisfied, but the block action for
C1 is triggered, so the web page access is denied.

Configuring a Ke y word Ca te gory

To configure a keyword category:

1. Select Policy > URL Filter.

2. At the top-right corner, Select Configuration > Keyword Category. The Keyword Category dialog appears.

269 Chapter 9 Object

 3. Click New. The Keyword Category Configuration dialog appears.

4. Type the category name.

5. Click New. In the slide area, specify the keyword, character matching method (simple/regular expression), and
trust value (100 by default).

6. Click Add to add the keyword to the list below.

7. Repeat the above steps to add more keywords.

8. To delete a keyword, select the keyword you want to delete from the list and click Delete.

9. Click OK to save your settings.

Wa rning Pa ge
The warning page shows the user block information and user audit information.

Configuring Block Wa rning

If the internet behavior is blocked by the URL filter function, the Internet access will be denied. The information of
Access Denied will be shown in your browser, and some web surfing rules will be shown to you on the warning page at
the same time. According to the different network behaviors, the default block warning page includes the following
two situations:

l Visiting a certain type of URL.

l Visiting the URL that contains a certain type of keyword category.

The block warning function is disabled by default. To configure the block warning function:

Chapter 9 Object 270

1. Click Object > URL Filter.

2. At the top-right corner, Select Configuration > Warning Page. The Warning Page dialog appears.

3. In the Block Warning section, select Enable.

4. Configure the display information in the blocking warning page.

Option Description

Default Use the default blocking warning page as shown above.

Redirect page Redirect to the specified URL. Type the URL in the URL http:// box. You
can click Detection to verify whether the URL is valid.
Custom Customize the blocking warning page. Type the title in the Title box and
the description in the Description box. You can click Preview to preview
the blocking warning page.

5. Click OK to save the settings.

Configuring Audit Wa rning

After enabling the audit warning function, when your network behavior matches the configured URL filter rule, your
HTTP request will be redirected to a warning page, on which the audit and privacy protection information is displayed.
See the picture below:

The audit warning function is disabled by default. To configure the audit warning function:

1. Select Object > URL Filter.

2. At the top-right corner, Select Configuration > Warning Page. The Warning Page dialog appears.

3. In the Audit Warning section, select Enable.

271 Chapter 9 Object

 4. Configure the display information in the audit warning page.
Option Description

Default Use the audit blocking warning page as shown above.

Custom Customize the audit blocking warning page. Type the title in the Title
box and the description in the Description box. You can click Preview to
preview the audit warning page.

5. Click OK to save the settings.

Chapter 9 Object 272

Chapter 10 Policy

The Policy module provides the following functions:

l Security policy: Security policy the basic function of devices that is designed to control the traffic forwarding
between security zones/segments. By default all traffic between security zones/segments will be denied.

l NAT: When the IP packets pass through the devices or routers, the devices or routers will translate the source IP
address and/or the destination IP address in the IP packets.

l QoS: QoS is used to provide different priorities to different traffic, in order to control the delay and flapping, and
decrease the packet loss rate. QoS can assure the normal transmission of critical business traffic when the net-
work is overloaded or congested.

l Session limit: The session limit function limit the number of sessions and control the session rate to the source IP
address, destination IP address, specified IP address, service or role/user/user group, thereby to protect from
DoS attacks and control the bandwidth of applications, such as IM or P2P.

l Internet behavior control: The Internet behavior control allows you to flexibly configure control rules to com-
prehensively control and audit (by behavior logs and content logs) on user network behavior.

l Global blacklist: After adding the IP addresses or services to the global blacklist, the system will perform the block
action to the IP address and service until the block duration ends.

Chapter 10 Policy 273

Security Policy
Security policy is the basic function of devices that is designed to control the traffic forwarding between security
zones/segments. Without security policy rules, the devices will deny all traffic between security zones/segments by
default. After configuring the the security policy rule, the device can identify which flow between security zones or seg-
ments will be permitted, and which will be denied.
The basic elements of policy rules:

l The source zone and address of the traffic

l The destination zone and address of the traffic

l The service type of the traffic

l Actions that the devices will perform when processing the specific type of traffic, including Permit, Deny, Tunnel,
From tunnel, WebAuth, and Portal server.
Generally a security policy rule consists of two parts: filtering conditions and actions. You can set the filtering con-
ditions by specifying traffic's source zone/address, destination zone/address, service type, and user. Each policy rule
is labeled with a unique ID which is automatically generated when the rule is created. You can also specify a policy rule
ID at your own choice. All policy rules in the system are arranged in a specific order. When traffic flows into a device,
the device will query for policy rules by turn, and processes the traffic according to the first matched rule.
The max global security policy rule numbers may vary from different models.
Security policy supports IPv4 and IPv6 address. If IPv6 is enabled, you can configure IPv6 address entry for the policy
rule.
This section contains the following contents:

l Configure a security policy rule

l View and search the security policy rules

l Manage the security policy rules: enable/disable a policy rule, clone a policy rule, adjust security rule position,
configure default action, view and clear policy hit count, hit count check, and rule redundancy check.

Co nfiguring a Security Po licy Rule

To configure a security policy rule:

1. Select Policy > Security Policy.

2. At the top-left corner, click New. The Policy Configuration dialog appears.

In the Basic tab, configure the corresponding options.

Option Description

Type Select the IP type, including IPv4 or IPv6. Only the IPv6 firmware sup-
ports to configure IPv6 type IP. If IPv6 is selected, all the IP/netmask, IP

274 Chapter 10 Policy

 Option Description

range, address entry configured should be in IPv6 format.

Source Information

Zone Specifies a source zone.

Address Specifies the source addresses.

1. Select an address type from the Address drop-down list.

2. Select or type the source addresses based on the selected type.

3. Click to add the addresses to the right pane.

4. After adding the desired addresses, click the blank area in this dia-
log to complete the source address configuration.
You can also perform other operations:

l When selecting the Address Book type, you can click Add to cre-
ate a new address entry.

l The default address configuration is any. To restore the con-

figuration to this default one, select the any check box.
User Specifies a role, user or user group for the security policy rule.

1. From the User drop-down menu, select the AAA server where the
users and user groups reside. To specify a role, select Role from
the AAA Server drop-down list.

2. Based on different types of AAA server, you can execute one or

more actions: search a user/user group/role, expand the user-
/user group list, enter the name of the user/user group.

3. After selecting users/user groups/roles, click to add the them

to the right pane.

4. After adding the desired objects, click the blank area in this dialog
to complete the user configuration.
Destination

Zone Specifies a destination zone.

Address Specifies the destination addresses.

1. Select an address type from the Address drop-down list.

2. Select or type the destination addresses based on the selected

type.

3. Click to add the addresses to the right pane.

4. After adding the desired addresses, click the blank area in this dia-
log to complete the destination address configuration.
You can also perform other operations:

l When selecting the Address Book type, you can click Add to cre-
ate a new address entry.

l The default address configuration is any. To restore the con-

figuration to this default one, select the any check box.

Chapter 10 Policy 275

 Option Description

Other Information
Service Specifies a service or service group.

1. From the Service drop-down menu, select a type: Service, Service

Group.

2. You can search the desired service/service group, expand the ser-
vice/service group list.

3. After selecting the desired services/service groups, click to add

them to the right pane.

4. After adding the desired objects, click the blank area in this dialog
to complete the service configuration.
You can also perform other operations:

l To add a new service or service group, click Add.

l The default service configuration is any. To restore the con-

figuration to this default one, select the any check box.
Application Specifies an application/application group/application filters.

1. From the Application drop-down menu, you can search the

desired application/application group/application filter, expand the
list of applications/application groups/application filters.

2. After selecting the desired applications/application groups/ap-

plication filters, click to add them to the right pane.

3. After adding the desired objects, click the blank area in this dialog
to complete the application configuration.
You can also perform other operations:

l To add a new application group, click New AppGroup.

l To add a new application filter, click New AppFilter.

Action

Action Specifies an action for the traffic that is matched to the policy rule, includ-
ing:

l Permit - Select Permit to permit the traffic to pass through.

l Deny - Select Deny to deny the traffic.

l WebAuth - Performs Web authentication on the matched traffic.

Select WebAuth from the drop-down list after selecting the Secur-
ity Connection option, and then select an authentication server
from the following drop-down list.

l From tunnel (VPN) - For the traffic from a peer to local, if this
option is selected, the system will first determine if the traffic ori-
ginates from a tunnel. Only such traffic will be permitted. Select
From tunnel (VPN) from the drop-down list after selecting the
Security Connection option, and then select a tunnel from the fol-
lowing drop-down list.

l Tunnel (VPN) - For the traffic from local to a peer, select this option

276 Chapter 10 Policy

 Option Description
to allow the traffic to pass through the VPN tunnel. Select Tunnel
(VPN) from the drop-down list after selecting the Security Con-
nection option, and then select a tunnel from the following drop-
down list.

l Portal server - Performs portal authentication on the matched

traffic. Select Portal server from the drop-down list after select-
ing the Security Connection option, and then type the URL
address of the portal server.
Enable Web Enable the Web redirect function to redirect the HTTP request from cli-
Redirect ents to a specified page automatically. With this function enabled, the
system will redirect the page you are requesting over HTTP to a prompt
page.

1. Select the Enable Web Redirect check box.

2. Type a redirect URL into the Notification page URL box.

When using Web redirect function, you need to configure the Web
authentication function meanwhile. For more configurations, see "User
Online Notification" on Page 283.

In the Protection tab, configure the corresponding options.

Option Description

Antivirus Specifies an antivirus profile. The combination of security policy rule and
antivirus profile enables the devices to implement fine-grained applic-
ation layer policy control.

IPS Specifies an IPS profile. The combination of security policy rule and IPS
profile enables the devices to implement fine-grained application layer
policy control.

URL Filter Specifies a URL filter profile. The combination of security policy rule and
URL filter profile enables the devices to implement fine-grained applic-
ation layer policy control.

In the Options tab, configure the corresponding options.

Option Description

Schedule Specifies a schedule when the security policy rule will take effect. Select a
desired schedule from the Schedule drop-down list. After selecting the
desired schedules, click the blank area in this dialog to complete the
schedule configuration.
To create a new schedule, click New Schedule.

QoS Add QoS tag to the matched traffic by typing the value into the box,
which is used to control traffic combined with QoS. For more information
about QoS configuration, see "Pipes" on Page 288.

Log You can log policy rule matching in system logs according to your needs.

l For the policy rules of Permit, logs will be generated in two con-
ditions: the traffic that is matched to policy rules starts and ends
its session.

l For the policy rules of Deny, logs will be generated when the traffic
that is matched to policy rules is denied.
Select one or more check boxes to enable the corresponding log types.

Chapter 10 Policy 277

 Option Description
l Deny - Generates logs when the traffic that is matched to policy
rules is denied.

l Session start - Generates logs when the traffic that is matched to

policy rules starts its session.

l Session end - Generates logs when the traffic that is matched to

policy rules ends its session.
Position Select a rule position from the Position drop-down list.
Each policy rule is labeled with a unique ID. When traffic flows into a
device, the device will query for policy rules by turn, and processes the
traffic according to the first matched rule. However, the policy rule ID is
not related to the matching sequence during the query. The sequence
displayed in policy rule list is the query sequence for policy rules. The
rule position can be an absolute position, i.e., at the top or bottom, or a
relative position, i.e., before or after an ID.

Description Type descriptions into the Description box.

3. Click OK to save your settings.

V iew ing and Searching Security Po licy Rules

View the security policy rules in the policy rule list.

278 Chapter 10 Policy

 l Each column displays the corresponding configurations.

l Click the button under Session column in the Policy list, and then the Session Detail dialog appears. You can
view the current session status of the selected policy.

l Click the button under Session column, and then the Session Detail dialog appears. You can view the current
session status of the selected policy.

l Hover over your mouse on the configuration in a certain column. Then based on the configuration type, the WebUI
displays either the icon or the detailed configurations.

l You can view the detailed configurations directly.

l You can click the icon. Based on the configuration type, the WebUI displays Filter or Detail. Click Detail
to see the detailed configurations. Click Filter to display all policy rules that have the same configuration as
the current one where you hover over the mouse on.
Use the Filter to search out the policy rules that matches the filter conditions.

Chapter 10 Policy 279

1. Click Policy > Security Policy.

2. At the top-right corner, click Filter. Then a new row appears at the top.

3. Click +Filter to add a new filter condition. Then select a filter condition from the drop-down menu and enter a
value.

4. Press Enter to search out the policy rules that matches the filter conditions.

5. Repeat the above two steps to add more filter conditions. The relationship between each filter condition is AND.

6. To delete a filter condition, hover over your mouse on that condition and then click the icon. To close the filter,

click the icon at the right side of the row.

Managing Security Po licy Rules

Managing security policy rules include the following matters: enable/disable a policy rule, clone a policy rule, adjust
security rule position, configure default action, view and clear policy hit count, hit count check, and rule redundancy
check.

Ena bling/D is a bling a Polic y Rule

By default the configured policy rule will take effect immediately. You can terminate its control over the traffic by dis-
abling the rule.
To enable/disable a policy rule:

1. Select Policy > Security Policy.

2. Select the security policy rule that you want to enable/disable.

3. Click More, and then select Enable or Disable to enable or disable the rule.
The disabled rule will not display in the list. Click More > Show Disabled Policies to show them.

Cloning a Polic y Rule

To clone a policy rule:

1. Select Policy > Security Policy.

2. Select the security policy rule that you want to clone and click Copy.

3. Click Paste. In the pop-up, select the desired position. Then the rule will be cloned to the desired position.

Adjus ting Sec urity Polic y Rule Pos ition

To adjust the rule position:

1. Select Policy > Security Policy.

2. Select the check box of the security policy whose position will be adjusted.

3. Click Move.

4. In the pop-up menu, type the rule ID and then click Before ID or After ID. Then the rule will be moved before or
after the specified ID.

Configuring D efa ult Ac tion

You can specify a default action for the traffic that is not matched to any configured policy rule. The system will pro-
cess the traffic according to the specified default action. By default the system will deny such traffic.

280 Chapter 10 Policy

To specify a default policy action:

1. Select Policy > Security Policy.

2. Click More and select Default Policy Action.

In the Default Policy Action dialog, configure the following options.

Option Description

Hit count Shows the statistics on policy matching.

Default action Specify a default action for the traffic that is not matched to any con-
figured policy rule.

l Click Permit to permit the traffic to pass through.

l Click Deny to deny the traffic.

Log Configure to generate logs for the traffic that is not matched to any con-
figured policy rule. By default the system will not generate logs for such
traffic. To enable log, select the Enable check box, and the system will
generate logs for such traffic.

3. Click OK to save your changes.

View ing a nd Clea ring Polic y H it Count

The system supports statistics on policy hit counts, i.e., statistics on the matching between traffic and policy rules.
Each time the inbound traffic is matched to a certain policy rule, the hit count will increment by 1 automatically.
To view a policy hit count, click Policy > Security Policy. In the policy rule list, view the statistics on policy hit count
under the Hit Count column.
To clear a policy hit count:

1. Select Policy > Security Policy.

2. Click More and select Clearing Policy Hit Count.

Chapter 10 Policy 281

 In the Clearing Hit Count dialog, configure the following options.
Option Description

All policies Clears the hit counts for all policy rules.
Default policy Clears the hit counts for the default action policy rules.
Policy ID Clears the hit counts for a specified policy rule ID.

3. Click OK to perform the hit count clearing.

H it Count Chec k
System supports to check policy rule hit counts.
To check hit count:

1. Select Policy > Security Policy.

2. Click More and select Hit Count Check. After the check, the policy rules whose hit count is 0 will be highlight,
that is to say, the policy rule is not used in the system.

Rule Redunda nc y Chec k

In order to make the rules in the policy are effective, system provides a method to check the conflicts among rules in a
policy. With this method, administrators can check whether the rules overshadow each other.
To start rule redundancy check:

1. Select Policy > Security Policy.

2. Click More and select Redundancy Check. After the check, system will highlight the policy rule which is over-
shadowed.

Note: Status will be shown below the policy list when redundancy check is started. It is
not recommended to edit a policy rule during the redundancy check. You can click to
stop the check manually.

282 Chapter 10 Policy

User Online No tificatio n
The system provides the policy-based user online notification function. The user online notification function integrates
WebAuth function and Web redirect function.
After configuring the user online notification function, the system redirects your HTTP request to a new notification
page when you visit Internet for the first time. In the process, a prompt page (see the picture below) will be shown
first, and after you click continue on this page, the system will redirect your request to the specified notification
page. And if you want to visit your original URL, you need to type the URL address in Web browser.

Before you use enable the user online notification function, you must configure the WebAuth function. For more inform-
ation about configuring WebAuth function, view "Web Authentication" on Page 121.

Configuring Us er Online Notific a tion

To configure the user online notification function:

1. Select Policy > Security Policy.

2. Select the security policy rule that you want to enable the user online notification function. Generally, it is recom-
mended to select the security policy rule that is under the WebAuth policy rule and whose action is permit to the
HTTP traffic.

3. Click Edit.

4. In the Basic tab, select the Enable Web Redirect check box and type the notification URL into the Notification
page URL box.

5. Click OK to save the settings.

Configuring the Pa ra m eters of Us er Online Notific a tion

The parameters are:

l Idle time: The time that an online user keeps online without traffic transmitting. If exceeding the idle time, the
HTTP request will be redirected to the user online notification page again.

l Background picture: You can change the background picture on the prompt page.
To configure the parameters:

1. Select Policy > Security Policy.

2. Select the security policy rule with the user online notification function enabled.

3. Click More and select Web Redirect Configuration.

4. Type the idle time value into the Idle time box. The default value is 30 minutes. The range is 3 to 1440 minutes.

Chapter 10 Policy 283

5. Change the background picture of the prompt page. Click Browse to choose the picture you want, and then click
Upload. The uploaded picture must be zipped and named as web_redirect_bg_en.gif, with the size of
800px*600px.

View ing Online Us ers

After configuring the user online notification function, you can get the information of online users from the Online Noti-
fication Users dialog.

1. Select Policy > Security Policy.

2. Click More and select Web Redirect IP List.

3. In the Web Redirect IP List dialog, view the following information.

Option Description

IP address The IP address of the online user.

Session number Session number of the online user.
Interface The source interface of the online user.
Lifetime (s) The period of time during which the user is keeping online.
Expiration (s) The idle time of the user.

284 Chapter 10 Policy

iQoS
The system provides iQoS (intelligent quality of service) which guarantees the customer's network performance, man-
ages and optimizes the key bandwidth for critical business traffic, and helps the customer greatly in fully utilizing
their bandwidth resources.
iQoS is used to provide different priorities to different traffic, in order to control the delay and flapping, and decrease
the packet loss rate. iQoS can assure the normal transmission of critical business traffic when the network is over-
loaded or congested. iQoS is controlled by license. To use iQoS, apply and install the iQoS license.

Note: If you have configured QoS in the previous QoS function before upgrading the system to
verion 5.5, the previous QoS function will take effect. You still need to configure the previous
QoS function in CLI. You cannot use the newest iQoS function in version 5.5 and the newest
iQoS function will not display in the WebUI and will not take effect. If you have not configured
the previous QoS function before upgrading the system to version 5.5, the system will enable
the newest iQoS function in version 5.5. You can configure iQoS function in the WebUI and the
previous QoS function will not take effect.

I mplement Mechanism
The packets are classified and marked after entering the system from the ingress interface. For the classified and
marked traffic, the system will smoothly forward the traffic through shaping mechanism, or drop the traffic through
policing mechanism. If selecting shaping mechanism to forward the traffic, the congestion management and con-
gestion avoidance mechanisms give different priorities to different types of packets so that the packets of higher pri-
ority can pass the gateway earlier to avoid network congestion.
In general, implementing QoS includes:

l Classification and marking mechanism: Classification and marking is the process of identifying the priority of each
packet. This is the first step of iQoS.

l Policing and shaping mechanisms: Policing and shaping mechanisms are used to identify traffic violation and
make responses. The policing mechanism checks traffic in real time, and takes immediate actions according to the
settings when it discovers violation. The shaping mechanism works together with queuing mechanism. It makes
sure that the traffic will never exceed the defined flow rate so that the traffic can go through that interface
smoothly.

l Congestion management mechanism: Congestion management mechanism uses queuing theory to solve prob-
lems in the congested interfaces. As the data rate can be different among different networks, congestion may hap-
pen to both wide area network (WAN) and local area network (LAN). Only when an interface is congested will the
queuing theory begin to work.

l Congestion avoidance mechanism: Congestion avoidance mechanism is a supplement to the queuing algorithm,
and it also relies on the queuing algorithm. The congestion avoidance mechanism is designed to process TCP-
based traffic.

Pipes and Traffic Co ntro l Levels

The system supports two-level traffic control: level-1 control and level-2 control. In each level, the traffic control is
implemented by pipes.

Pipes
By configuring pipes, the devices implement iQoS. Pipe, which is a virtual concept, represents the bandwidth of trans-
mission path. The system classifies the traffic by using the pipe as the unit, and control the traffic crossing the pipes
according to the actions defined for the pipes. For all traffic crossing the device, they will flow into virtual pipes accord-
ing to the traffic matching conditions they match. If the traffic does not match any condition, they will flow into the
default pipe predefined by the system.

Chapter 10 Policy 285

Pipes, except the default pipe, include two parts of configurations: traffic matching conditions and traffic management
actions:

l Traffic matching conditions: Defines the traffic matching conditions to classify the traffic crossing the device into
matched pipes. The system will limit the bandwidth to the traffic that matches the traffic matching conditions.
You can define multiple traffic matching conditions to a pipe. The logical relation between each condition is OR.
When the traffic matches a traffic matching condition of a pipe, it will enter this pipe. If the same conditions are
configured in different root pipes, the traffic will first match the root pipe listed at the top of the Level-1 Control
list in the Policy > iQoS page.

l Traffic management actions: Defines the actions adopted to the traffic that has been classified to a pipe. The data
stream control includes the forward control and the backward control. Forward control controls the traffic that
flows from the source to the destination; backward control controls the traffic flows from the destination to the
source.
To provide flexible configurations, the system supports the multiple-level pipes. Configuring multiple-level pipes can
limit the bandwidth of different applications of different users. This can ensure the bandwidth for the key services and
users. Pipes can be nested to at most four levels. Sub pipes cannot be nested to the default pipe. The logical relation
between pipes is shown as below:

l You can create multiple root pipes that are independent individually. At most three levels of sub pipes can be nes-
ted to the root pipe.

l For the sub pipes at the same level, the total of their minimum bandwidth cannot exceed the minimum bandwidth
of their upper-level parent pipe, and the total of their maximum bandwidth cannot exceed the maximum band-
width of their upper-level parent pipe.

l If you have configured the forward or backward traffic management actions for the root pipe, all sub pipes that
belongs to this root pipe will inherit the configurations of the traffic direction set on the root pipe.

l The root pipe that is only configured the backward traffic management actions cannot work.
The following chart illustrates the application of multiple-level pipes in a company. The administrator can create the fol-
lowing pipes to limit the traffic:

1. Create a root pipe to limit the traffic of the office located in Beijing.

2. Create a sub pipe to limit the traffic of its R&D department.

3. Create a sub pipe to limit the traffic of the specified applications so that each application has its own bandwidth.

286 Chapter 10 Policy

 4. Create a sub pipe to limit the traffic of the specified users so that each user owns the defined bandwidth when
using the specified application.

T ra ffic Control Levels

The system supports two-level traffic control: level-1 control and level-2 control. In each level, the traffic control is
implemented by pipes. Traffic that is dealt with by level-1 control flows into the level-2 control, and then the system
performs the further management and control according to the pipe configurations of level-2 control. After the traffic
flows into the device, the process of iQoS is shown as below:

According to the chart above, the process of traffic control is described below:

1. The traffic first flows into the level-1 control, and then the system classifies the traffic into different pipes accord-
ing to the traffic matching conditions of the pipe of level-1 control. The traffic that cannot match any pipe will be
classified into the default pipe. If the same conditions are configured in different root pipes, the traffic will first
match the root pipe listed at the top of the Level-1 Control list in the Policy > iQoS page. After the traffic flows
into the root pipe, the system classifies the traffic into different sub pipes according to the traffic matching con-
ditions of each sub pipe.

2. According to the traffic management actions configured for the pipes, the system manages and controls the
traffic that matches the traffic matching conditions.

3. The traffic dealt with by level-1 control flows into the level-2 control. The system manages and controls the traffic
in level-2 control. The principle of traffic matching, management and control are the same as the one of the level-
1 control.

4. Complete the process of iQoS.

Enabling iQo S
To enable iQoS:

1. Select Policy > iQoS > Configuration.

2. Select Enable iQoS. The system will enable iQoS.

Chapter 10 Policy 287

Pipes
By using pipes, devices implement iQoS. Pipes in different traffic control levels will take effect in different stages.
Configuring pipes includes the following sections:

1. Create the traffic matching conditions, which are used to capture the traffic that matches these conditions. If con-
figuring multiple traffic matching conditions for a pipe, the logical relation between each condition is OR.

2. Create a white list according to your requirements. The system will not control the traffic in the white list. Only
root pipe and the default pipe support the white list.

3. Specify the traffic management actions, which are used to deal with the traffic that is classified into a pipe.

4. Specify the schedule. The pipe will take effect during the specified time period.

Ba s ic Opera tions
Select Policy > iQoS > Policy to open the Policy page.

You can perform the following actions in this page:

l Disable the level-2 traffic control: Click Disable second level control. The pipes in the level-2 traffic control will
not take effect. And the Level-2 Control tab will not appears in this page.

l View pipe information: The pipe list displays the name, mode, action, schedule, and the description of the pipes.

l Click the icon to expand the root pipe and display its sub pipes.

l Click the icon of the root pipe or the sub pipe to view the condition settings.

l Click the icon of the root pipe to view the white list settings.

l represents the root pipe is usable, represents the root pipe is unusable, represents the sub

pipe is usable, represents the sub pipe is unusable, the gray text represents the pipe is dis-
abled.

l Create a root pipe: Select the Level-1 Control or Level-2 Control tab, then click New in the menu bar to create a
new root pipe.

l Create a sub pipe: Click the icon of the root pipe or the sub pipe to create the corresponding sub pipe.

l Click Enable in the menu bar to enable the selected pipe. By default, the newly-created pipe will be enabled.

l Click Disable in the menu bar to disable the selected pipe. The disabled pipe will not take effect.

l Click Delete to delete the selected pipe. The default pipe cannot be deleted.

Configuring a Pipe
To configure a pipe:

288 Chapter 10 Policy

 1. According to the methods above, create a root pipe or sub pipe. The Pipe Configuration page appears.

2. In the Basic tab, specify the basic pipe information.

l Parent Pipe/Control Level: Displays the control level or the parent pipe of the newly created pipe.

l Pipe Name: Specify a name for the new pipe.

l Description: Specify the description of this pipe.

l QoS Mode: Shape, Policy, or Monitor.

l The Shape mode can limit the data transmission rate and smoothly forward the traffic. This mode sup-
ports the bandwidth borrowing and priority adjusting for the traffic within the root pipe.

l The Policy mode will drop the traffic that exceeds the bandwidth limit. This mode does not support the
bandwidth borrowing and priority adjusting, and cannot guarantee the minimum bandwidth.

l The Monitor mode will monitor the matched traffic, generate the statistics, and will not control the traffic.

l Bandwidth borrowing: All sub pipes in a root pipe can lend the idle bandwidth to the pipes that are lack
of bandwidth. The prerequisite is the bandwidth of themselves are enough to forward their traffic.

l Priority adjusting: When there is traffic congestion, the system will arrange the traffic to enter the wait-
ing queue. You can set the traffic to have higher priority and the system will deal with the traffic in order
of precedence.

3. In the Condition tab, click New.

In the Condition Configuration tab, configure the corresponding options.

Source Information

Zone Specify the source zone of the traffic. Select the zone name from the
drop-down menu.
Interface Specify the source interface of the traffic. Select the interface name from
the drop-down menu.
Address Specify the source address of the traffic.

1. Select an address type from the Address drop-down list.

2. Select or type the source addresses based on the selected type.

3. Click to add the addresses to the right pane.

4. After adding the desired addresses, click the blank area in this dia-
log to complete the address configuration.
You can also perform other operations:

l When selecting the Address Book type, you can click Add to cre-
ate a new address entry.

Chapter 10 Policy 289

 l The default address configuration is any. To restore the con-
figuration to this default one, select the any check box.
Destination Information

Zone Specify the destination zone of the traffic. Select the zone name from the
drop-down menu.
Interface Specify the destination interface of the traffic. Select the interface name
from the drop-down menu.
Address Specify the destination address of the traffic.

1. Select an address type from the Address drop-down list.

2. Select or type the source addresses based on the selected type.

3. Click to add the addresses to the right pane.

4. After adding the desired addresses, click the blank area in this dia-
log to complete the address configuration.
You can also perform other operations:

l When selecting the Address Book type, you can click Add to cre-
ate a new address entry.

l The default address configuration is any. To restore the con-

figuration to this default one, select the any check box.
User Information Specify a user or user group that the traffic belongs to.

1. From the User drop-down menu, select the AAA server where the
users and user groups reside.

2. Based on different types of AAA server, you can execute one or

more actions: search a user/user group/role, expand the user-
/user group list, enter the name of the user/user group.

3. After selecting users/user groups/roles, click to add the them

to the right pane.

4. After adding the desired objects, click the blank area in this dialog
to complete the user information configuration.
Service Specify a service or service group that the traffic belongs to.

1. From the Service drop-down menu, select a type: Service, Service

Group.

2. You can search the desired service/service group, expand the ser-
vice/service group list.

3. After selecting the desired services/service groups, click to add

them to the right pane.

4. After adding the desired objects, click the blank area in this dialog
to complete the service configuration.
You can also perform other operations:

l To add a new service or service group, click Add.

l The default service configuration is any. To restore the con-

figuration to this default one, select the any check box.

290 Chapter 10 Policy

 Application Specify an application, application group, or application filters that the
traffic belongs to.

1. From the Application drop-down menu, you can search the

desired application/application group/application filter, expand the
list of applications/application groups/application filters.

2. After selecting the desired applications/application groups/ap-

plication filters, click to add them to the right pane.

3. After adding the desired objects, click the blank area in this dialog
to complete the application configuration.
You can also perform other operations:

l To add a new application group, click New AppGroup.

l To add a new application filter, click New AppFilter.

Advanced

VLAN Specify the VLAN information of the traffic.

TOS Specify the TOS fields of the traffic; or click Configure to specify the TOS
fields of the IP header of the traffic in the appeared TOS Configuration
dialog.

l Precedence: Specify the precedence.

l Delay: Specify the minimum delay.

l Throughput: Specify the maximum throughput.

l Reliability: Specify the highest reliability.

l Cost: Specify the minimum monetary cost.

l Reserved: Specify the normal service.

4. If you are configuring root pipes, you can specify the white list settings based on the description of configuring
conditions.

5. In the Action tab, configuring the corresponding actions.

Forward (From source to destination)
The following configurations controls the traffic that flows from the source to the des-
tination. For the traffic that matches the conditions, the system will perform the cor-
responding actions.
Pipe Bandwidth When configuring the root pipe, specify the pipe bandwidth.
When configuring the sub pipe, specify the maximum bandwidth and
the minimum bandwidth of the pipe:

l Min Bandwidth: Specify the minimum bandwidth. If you want this

minimum bandwidth to be reserved and cannot be used by other
pipes, select Enable Reserved Bandwidth.

l Max Bandwidth: Specify the maximum bandwidth.

Limit type Specify the maximum bandwidth and minimum bandwidth of the pipe
for each user/IP:

l Type: Select the type of the bandwidth limitation: No Limit, Limit

Per IP, or Limit Per User.

Chapter 10 Policy 291

 l No Limit represents that the system will not limit the band-
width for each IP or each user.

l Limit Per IP represents that the system will limit the band-
width for each IP. In the Limit by section, select Source IP to
limit the bandwidth of the source IP in this pipe; or select
Destination IP to limit the bandwidth of the destination IP in
this pipe.

l Limit Per User represents that the system will limit the band-
width for each user. In the Limit by section, specify the min-
imum/maximum bandwidth of the users.

l When configuring the root pipe, you can select the Enable Aver-
age Bandwidth check box to make each source IP, destination IP,
or user to share an average bandwidth.
Limit by When the Limit type is Limit Per IP or Limit Per User, you need to specify
the minimum bandwidth or the maximum bandwidth:

l Min Bandwidth: Specify the minimum bandwidth.

l Max Bandwidth: Specify the maximum bandwidth.

Advanced

Priority Specify the priority for the pipes. Select a number, between 0 and 7, from
the drop-down menu. The smaller the value is, the higher the priority is.
When a pipe has higher priority, the system will first deal with the traffic
in it and borrow the extra bandwidth from other pipes for it. The priority
of the default pipe is 7.

TOS Specify the TOS fields of the traffic; or click Configure to specify the TOS
fields of the IP header of the traffic in the appeared TOS Configuration
page.

l Precedence: Specify the precedence.

l Delay: Specify the minimum delay.

l Throughput: Specify the maximum throughput.

l Reliability: Specify the highest reliability.

l Cost: Specify the minimum monetary cost.

l Reserved: Specify the normal service.

Limit Opposite Select the LImit Opposite Bandwidth check box to configure the value of
Bandwidth limit-strength.The smaller the value, the smaller the limit.

Backward (From condition's destination to source)

The following configurations controls the traffic that flows from the destination to the
source. For the traffic that matches the conditions, the system will perform the cor-
responding actions.
Pipe Bandwidth When configuring the root pipe, specify the pipe bandwidth.
When configuring the sub pipe, specify the maximum bandwidth and
the minimum bandwidth of the pipe:

l Min Bandwidth: Specify the minimum bandwidth. If you want this

minimum bandwidth to be reserved and cannot be used by other
pipes, select Enable Reserved Bandwidth.

292 Chapter 10 Policy

 l Max Bandwidth: Specify the maximum bandwidth.
Limit type Specify the maximum bandwidth and minimum bandwidth of the pipe
for each user/IP:

l Type: Select the type of the bandwidth limitation: No Limit, Limit

Per IP, or Limit Per User.

l No Limit represents that the system will not limit the band-
width for each IP or each user.

l Limit Per IP represents that the system will limit the band-
width for each IP. In the Limit by section, select Source IP to
limit the bandwidth of the source IP in this pipe; or select
Destination IP to limit the bandwidth of the destination IP in
this pipe.

l Limit Per User represents that the system will limit the band-
width for each user. In the Limit by section, specify the min-
imum/maximum bandwidth of the users.

l When configuring the root pipe, you can select the Enable Aver-
age Bandwidth check box to make each source IP, destination IP,
or user to share an average bandwidth.
Limit by When the Limit type is Limit Per IP or Limit Per User, you need to specify
the minimum bandwidth or the maximum bandwidth:

l Min Bandwidth: Specify the minimum bandwidth.

l Max Bandwidth: Specify the maximum bandwidth.

Advanced

Priority Specify the priority for the pipes. Select a number, between 0 and 7, from
the drop-down menu. The smaller the value is, the higher the priority is.
When a pipe has higher priority, the system will first deal with the traffic
in it and borrow the extra bandwidth from other pipes for it. The priority
of the default pipe is 7.

TOS Specify the TOS fields of the traffic; or click Configure to specify the TOS
fields of the IP header of the traffic in the appeared TOS Configuration
page.

l Precedence: Specify the precedence.

l Delay: Specify the minimum delay.

l Throughput: Specify the maximum throughput.

l Reliability: Specify the highest reliability.

l Cost: Specify the minimum monetary cost.

l Reserved: Specify the normal service.

Limit Opposite Select the LImit Opposite Bandwidth check box to configure the value of
Bandwidth limit-strength.The smaller the value, the smaller the limit.

6. In the Schedule tab, configure the time period when the pipe will take effect. Select the schedule from the drop-
down list, or create a new one.

7. Click OK to save the settings.

View ing Sta tis tic s of Pipe Monitor

To view the statistics of pipe monitor, see "iQoS" on Page 285.

Chapter 10 Policy 293

NAT
NAT, the abbreviation for Network Address Translation, it translates the IP address within an IP packet header to
another IP address. When the IP packets pass through the devices or routers, the devices or routers will translate the
source IP address and/or the destination IP address in the IP packets. In practice, NAT is mostly used to allow the
private network to access the public network, or vice versa.

B asic Translatio n Pro cess o f NAT

When a device is implementing the NAT function, it lies between the public network and the private network. The fol-
lowing diagram illustrates the basic translation process of NAT.

As shown above, the device lies between the private network and the public network. When the internal PC at 10.1.1.2
sends an IP packet (IP packet 1) to the external server at 202.1.1.2 through the device, the device checks the packet
header. Finding that the IP packet is destined to the public network, the device translates the source IP address
10.1.1.2 of packet 1 to the public IP address 202.1.1.1 which can get routed on the Internet, and then forwards the
packet to the external server. At the same time, the device also records the mapping between the two addresses in its
NAT table. When the response packet of IP packet 1 reaches the device, the device checks the packet header again and
finds the mapping records in its NAT table, then replaces the destination address with the private address 10.1.1.2.
In this process, the device is transparent to the PC and the Server. To the external server, it considers that the IP
address of the internal PC is 202.1.1.1 and knows nothing about the private address 10.1.1.2. Therefore, NAT hides
the private network of enterprises.

I mplementing NAT
The devices translates the IP address and port number of the internal network host to the external network address
and port number of the device, and vice versa. That is translation between the "private IP address + port number" and
the "public IP address + port number".
The devices achieve the NAT function through the creation and implementation of NAT rules. There are two types of
NAT rules, which are source NAT rules (SNAT Rule) and destination NAT rules (DNAT Rule). SNAT translates source IP
addresses, thereby hiding the internal IP addresses or sharing the limited IP addresses; DNAT translates destination
IP addresses, usually translating IP addresses of internal servers (such as the WWW server or SMTP server) protected
by the device to public IP addresses.

294 Chapter 10 Policy

Co nfiguring SNAT
To create an SNAT rule:

1. Select Policy > NAT > SNAT.

2. Click New. The SNAT Configuration dialog appears.

In the Basic tab, configure the following options.

Requirements

Virtual Router Specifies a VRouter for the SNAT rule. The SNAT rule will take effect when
the traffic flows into this VRouter and matches the SNAT rule conditions.
Source Address Specifies the source IP address of the traffic, including:

l Address Entry - Select an address entry from the drop-down list.

l IP Address - Type an IP address into the box.

l IP/Netmask - Type an IP address and its netmask into the box.

Destination Specifies the destination IP address of the traffic, including:
Address
l Address Entry - Select an address entry from the drop-down list.

l IP Address - Type an IP address into the box.

l IP/Netmask - Type an IP address and its netmask into the box.

Egress Specifies the egress traffic, including:

l All traffic - Specifies all traffic as the egress traffic.

l Egress Interface - Specifies the egress interface of traffic. Select

an interface from the drop-down list.

l Next Virtual Router - Specifies the next virtual router of traffic.

Select a virtual router from the drop-down list.
Service Specifies the service type of the traffic from the drop-down list.
To create a new service or service group, click New Service or New
Group.
Translate to

Translated Specifies the translated NAT IP address, including:

Chapter 10 Policy 295

 Requirements
l Egress IF IP - Specifies the NAT IP address to be an egress inter-
face IP address.

l Specified IP - Specifies the NAT IP address to be a specified IP

address. After selecting this option, continue to specify the avail-
able IP address in the Address drop-down list.

l No NAT - Do not implement NAT.

Mode Specifies the translation mode, including:

l Static - Static mode means one-to-one translation. This mode

requires the translated address entry contains the same number of
IP addresses as that of the source address entry.

l Dynamic IP - Dynamic IP mode means multiple-to-one translation.

This mode translates the source address to a specific IP address.
Each source address will be mapped to a unique IP address, until all
specified addresses are occupied.

l Dynamic port - Namely PAT. Multiple source addresses will be

translated to one specified IP address in an address entry. If Sticky
is not enabled, the first address in the address entry will be used
first; when port resources of the first address are exhausted, the
second address will be used. If Sticky is enabled, all sessions from
an IP address will be mapped to the same fixed IP address. Click
the Enable check box behind Sticky to enable Sticky. You can also
track if the public address after NAT is available, i.e., use the trans-
lated address as the source address to track if the destination web-
site or host is accessible. Select the Enable check box behind
Track to enable the function, and select a track object from the
drop-down list.
Others

HA Group Specifies the HA group that the SNAT rule belongs to. The default set-
ting is 0.
Description Types the description.

296 Chapter 10 Policy

 In the Advanced tab, configure the corresponding options.
Option Description

NAT Log Select the Enable check box to enable the log function for this SNAT
rule. The system will generate log information when there is traffic
matching to this NAT rule.
Position Specifies the position of the rule. Each SNAT rule has a unique ID.
When traffic flowing into the device, the device will search SNAT
rules by sequence, and then implement NAT on the source IP of the
traffic according to the first matched rule. The sequence of the ID
showed in the SNAT rule list is the order of the rule matching. Select
one of the following items from the drop-down list:

l Bottom - The rule is located at the bottom of all the rules in the
SNAT rule list. By default, the system will put the newly-cre-
ated SNAT rule at the bottom of all SNAT rules.

l Top - The rule is located at the top of all the rules in the SNAT
rule list.

l Before ID - Type the ID number into the text box. The rule will
be located before the ID you specified.

l After ID - Type the ID number into the text box. The rule will
be located after the ID you specified.
ID Specifies the method you get the rule ID. Each rule has its unique ID.
It can be automatically assigned by system or manually assigned by
yourself. If you select Manually assign , type an ID number into the
box behind.

3. Click OK to save the settings.

Ena bling/D is a bling a SNAT Rule

By default the configured SNAT rule will take effect immediately. You can terminate its control over the traffic by dis-
abling the rule.
To enable/disable a policy rule:

1. Select Policy > NAT > SNAT.

2. Select the SNAT rule that you want to enable/disable.

3. Click Enable or Disable to enable or disable the rule.

Adjus ting Priority

Each SNAT rule has a unique ID. When traffic flows into the device, the device will search SNAT rules by sequence,
and then implement NAT on the source IP of the traffic according to the first matched rule. The sequence of the ID
showed in the SNAT rule list is the order of the rule matching.
To adjust priority:

1. Select Policy > NAT > SNAT.

2. Select the rule you want to adjust its priority and click Priority.

3. In the Priority dialog, move the selected rule to:

l Top: The rule is moved to the top of all the rules in the SNAT rule list.

l Bottom: The rule is moved to the bottom of all the rules in the SNAT rule list. By default, the system will put

Chapter 10 Policy 297

 the newly-created SNAT rule at the bottom of all SNAT rules.

l Before ID: Specifies an ID number. The rule will be moved before the ID you specified.

l After ID: Specifies an ID number. The rule will be moved after the ID you specified.

4. Click OK to save the settings.

Ex porting NAT 444 Sta tic Ma pping Entries

You can export the NAT444 static mapping entries to a file . The exported file contains the ID, source IP address, trans-
lated IP address, start port, end port, and the protocol information.
To export the NAT444 static mapping entries:

1. Select Policy > NAT > SNAT.

2. Click Export NAT444 Static Mapping Entries.

3. Select a location to store the file and click Save.

The exported file is CSV format. It is recommended to export the file through the management interface.

298 Chapter 10 Policy

Co nfiguring D NAT
DNAT translates destination IP addresses, usually translating IP addresses of internal servers (such as the WWW
server or SMTP server) protected by the device to public IP addresses.

Configuring a n IP Ma pping Rule

To configure an IP mapping rule:

1. Select Policy > NAT > DNAT.

2. Click New and select IP Mapping.

In the IP Mapping Configuration dialog, configure the corresponding options.

Requirements

Virtual Router Specifies a VRouter for the DNAT rule. The DNAT rule will take effect
when the traffic flows into this VRouter and matches the DNAT rule con-
ditions.
Destination Specifies the destination IP address of the traffic, including:
Address
l Address Entry - Select an address entry from the drop-down list.

l IP Address - Type an IP address into the box.

l IP/Netmask - Type an IP address and its netmask into the box.

Mapping

Translate to Specifies the translated NAT IP address, including Address Entry, IP

Address, and IP/Netmask. The number of the translated NAT IP
addresses you specified must be the same as the number of the des-
tination IP addresses of the traffic.
Others

HA Group Specifies the HA group that the DNAT rule belongs to. The default set-
ting is 0.
Description Types the description.

3. Click OK to save the settings.

Configuring a Port Ma pping Rule

To configure a port mapping rule:

1. Select Policy > NAT > DNAT.

Chapter 10 Policy 299

2. Click New and select Port Mapping.

In the Port Mapping Configuration dialog, configure the corresponding options.

Requirements

Virtual Router Specifies a VRouter for the DNAT rule. The DNAT rule will take effect
when the traffic flows into this VRouter and matches the DNAT rule con-
ditions.
Destination Specifies the destination IP address of the traffic, including:
Address
l Address Entry - Select an address entry from the drop-down list.

l IP Address - Type an IP address into the box.

l IP/Netmask - Type an IP address and its netmask into the box.

Service Specifies the service type of the traffic from the drop-down list.
To create a new service or service group, click New Service or New
Group.
Mapping

Translate to Specifies the translated NAT IP address, including Address Entry, IP

Address, and IP/Netmask. The number of the translated NAT IP
addresses you specified must be the same as the number of the des-
tination IP addresses of the traffic.

Port Mapping Types the translated port number of the Intranet server. The available
range is 1 to 65535.
Others

HA Group Specifies the HA group that the DNAT rule belongs to. The default set-
ting is 0.
Description Types the description.

3. Click OK to save the settings.

Configuring a n Adva nc ed NAT Rule

You can create a DNAT rule and configure the advanced settings. Or you can edit the advanced settings of an exiting
DNAT rule.
To create a DNAT rule and configure the advanced settings:

1. Select Policy > NAT > DNAT.

2. Click New and select Advanced Configuration. To edit the advanced settings of an existing DNAT rule, select it
and click Edit. The DNAT configuration dialog appears.

300 Chapter 10 Policy

 In the Basic tab, configure the following options.
Requirements

Virtual Router Specifies a VRouter for the DNAT rule. The DNAT rule will take effect
when the traffic flows into this VRouter and matches the DNAT rule con-
ditions.
Source Address Specifies the source IP address of the traffic, including:

l Address Entry - Select an address entry from the drop-down list.

l IP Address - Type an IP address into the box.

l IP/Netmask - Type an IP address and its netmask into the box.

Destination Specifies the destination IP address of the traffic, including:
Address
l Address Entry - Select an address entry from the drop-down list.

l IP Address - Type an IP address into the box.

l IP/Netmask - Type an IP address and its netmask into the box.

Service Specifies the service type of the traffic from the drop-down list.
To create a new service or service group, click New Service or New
Group.
Translated to

Action Specifies the action for the traffic you specified, including:

l NAT - Implements NAT for the eligible traffic.

l No NAT - Do not implement NAT for the eligible traffic.

Translate to When selecting the NAT option, you need to specify the translated IP
address. The options include Address Entry, IP Address, IP/Netmask,
and SLB Server Pool. For more information about SLB Server Pool, view
"SLB Server Pool " on Page 234.
Translate Service Port to

Port Select Enable to translate the port number of the service that matches
the conditions above.

Load Balance Select Enable to enable the function. Traffic will be balanced to different
Intranet servers.

Chapter 10 Policy 301

 Requirements
Others

HA Group Specifies the HA group that the DNAT rule belongs to. The default set-
ting is 0.
Description Types the description.

In the Advanced tab, configure the following options.

Track Server

Track Ping Pack- After enabling this function, the system will send Ping packets to check
ets whether the Intranet servers are reachable.
Track TCP Pack- After enabling this function, The system will send TCP packets to check
ets whether the TCP ports of Intranet servers are reachable.
TCP Port Specifies the TCP port number of the monitored Intranet server.
Others

NAT Log Enable the log function for this DNAT rule to generate the log inform-
ation when traffic matches this NAT rule.
Position Specifies the position of the rule. Each DNAT rule has a unique ID. When
traffic flowing into the device, the device will search DNAT rules by
sequence, and then implement DNAT on the source IP of the traffic
according to the first matched rule. The sequence of the ID showed in the
DNAT rule list is the order of the rule matching. Select one of the fol-
lowing items from the drop-down list:

l Bottom - The rule is located at the bottom of all the rules in the
DNAT rule list. By default, the system will put the newly-created
DNAT rule at the bottom of all SNAT rules.

l Top - The rule is located at the top of all the rules in the DNAT rule
list.

l Before ID - Type the ID number into the text box. The rule will be
located before the ID you specified.

l After ID - Type the ID number into the text box. The rule will be loc-
ated after the ID you specified.
ID The ID number is used to distinguish between NAT rules. Specifies the
method you get the rule ID. It can be automatically assigned by system
or manually assigned by yourself.

3. Click OK to save the settings.

Ena bling/D is a bling a D NAT Rule

By default the configured DNAT rule will take effect immediately. You can terminate its control over the traffic by dis-
abling the rule.
To enable/disable a policy rule:

1. Select Policy > NAT > DNAT.

2. Select the DNAT rule that you want to enable/disable.

3. Click Enable or Disable to enable or disable the rule.

Adjus ting Priority

Each DNAT rule has a unique ID. When traffic flowing into the device, the device will search DNAT rules by sequence,
and then implement NAT on the source IP of the traffic according to the first matched rule. The sequence of the ID

302 Chapter 10 Policy

showed in the DNAT rule list is the order of the rule matching.
To adjust priority:

1. Select Policy > NAT > DNAT.

2. Select the rule you want to adjust its priority and click Priority.

3. In the Priority dialog, move the selected rule to:

l Top: The rule is moved to the top of all the rules in the DNAT rule list.

l Bottom: The rule is moved to the bottom of all the rules in the DNAT rule list. By default, the system will put
the newly-created DNAT rule at the bottom of all DNAT rules.

l Before ID: Specifies an ID number. The rule will be moved before the ID you specified.

l After ID: Specifies an ID number. The rule will be moved after the ID you specified.

4. Click OK to save the settings.

Chapter 10 Policy 303

SLB Server
View SLB server status: After you enable the track function (PING track, TCP track, or UDP track), the system will list
the status and information of the intranet servers that are tracked.
View SLB server pool status: After you enable the server load balancing function, the system will monitor the intranet
servers and list the corresponding status and information.

View ing SLB Server Sta tus

To view the SLB server status:

1. Select Policy > NAT > SLB Server Status.

2. You can set the filtering conditions according to the virtual router, SLB server pool, and server address and then
view the information.

Option Description

Server Shows the IP address of the server.

Port Shows the port number of the server.
Status Shows the status of the server.
Current Sessions Shows the number of current sessions.
DNAT Shows the DNAT rules that uses the server.
HA Group Shows the HA group that the server belongs to.

View ing SLB Server Pool Sta tus

To view the SLB server pool status:

1. Select Policy > NAT > SLB Server Pool Status.

2. You can set the filtering conditions according to the virtual router, algorithm, and server pool name and then view
the information.

Option Description

Name Shows the name of the server pool name.

Algorithms Shows the algorithm used by the server pool.
DNAT Shows the DNAT rules that uses the server.
Abnormal Server- Shows the number of abnormal servers and the total number of the serv-
/All Servers ers.
Current Sessions Shows the number of current sessions.

304 Chapter 10 Policy

Session Limit
The devices support zone-based session limit function. You can limit the number of sessions and control the session
rate to the source IP address, destination IP address, specified IP address, applications or role/user/user group,
thereby to protect from DoS attacks and control the bandwidth of applications, such as IM or P2P.

Co nfiguring a Sessio n Limit Rule

To configure a session limit rule:

1. Select Policy > Session Limit.

2. Click New. The Session Limit Configuration dialog appears.

3. Select the zone where the session limit rule locates.

4. Configure the limit conditions.

IP

Select the IP check box to configure the IP limit conditions.

IP Select the IP radio button and then select an IP address entry.

l Select All IPs to limit the total number of sessions to all IP

addresses.

l Select Per IP to limit the number of sessions to each IP address.

Source IP Select the Source IP radio button and specify the source IP address entry
and destination IP address entry. When the session's source IP and des-
tination IP are both within the specified range, the system will limit the
number of session as follows:

l When you select Per Source IP, the system will limit the number
of sessions to each source IP address.

l When you select Per Destination IP, the system will limit the
number of sessions to each destination IP address.
Protocol

Protocol Limits the number of sessions to the protocol which have been setted in
the textbox.
Application

Application Limits the number of sessions to the selected application.

Chapter 10 Policy 305

 IP

Role/User/User Group
Select the Role/User/User Group check box to configure the corresponding limit con-
ditions.

Role Select the Role radio button and a role from the Role drop-down list to
limit the number of sessions of the selected role.

User Select the User radio button and a user from the User drop-down list to
limit the number of sessions of the selected user.

User Group Select the User Group radio button and a user group from the User
Group drop-down list to limit the number of sessions of the selected
user group.

l Next to the User Group radio button, select All Users to limit the
total number of sessions to all users in the user group.

l Next to the User Group radio button, select Per User to limit the
number of sessions to each user.
Schedule

Schedule Select the Schedule check box and choose a schedule you need from the
drop-down list to make the session limit rule take effect within the time
period specified by the schedule.

5. Configure the limit types.

Session Type

Session Number Specify the maximum number of sessions. The value range is 0 to
1048576. The value of 0 indicates no limitation.

New Con- Specify the maximum number of sessions created per 5 seconds. The
nections/5s value range is 1 to 1048576.

6. Click OK to save your settings.

7. Click Switch Mode to select a matching mode. If you select Use the Minimum Value and an IP address
matches multiple session limit rules, the maximum number of sessions of this IP address is limited to the min-
imum number of sessions of all matched session limit rules; if you select Use the Maximum Value and an IP
address matches multiple session limit rules, the maximum number of sessions of this IP address is the maximum
number of sessions of all matched session limit rlules.

Clearing Statistic I nfo rmatio n

After configuring a session limit rule, the sessions which exceed the maximum number of sessions will be dropped.
You can clear the statistic information of the dropped sessions of specified session limit rule according to your need.
To clear statistic information:

1. Select Policy > Session Limit.

2. Select the rule whose sessions statistic information you want to clear.

3. Click Clear.

306 Chapter 10 Policy

ARP Defense
StoneOS provides a series of ARP defense functions to protect your network against various ARP attacks, including:

l ARP Learning: Devices can obtain IP-MAC bindings in an Intranet from ARP learning, and add them to the ARP list.
By default this function is enabled. Thje devices will always keep ARP learning on, and add the learned IP-MAC
bindings to the ARP list. If any IP or MAC address changes during the learning process, the devices will add the
updated IP-MAC binding to the ARP list. If this function is disabled, only IP addresses in the ARP list can access
Internet.

l MAC Learning: Devices can obtain MAC-Port bindings in an Intranet from MAC learning, and add them to the MAC
list. By default this function is enabled. The devices will always keep MAC learning on, and add the learned MAC-
Port bindings to the MAC list. If any MAC address or port changes during the learning process, the devices will
add the updated MAC-Port binding to the MAC list.

l IP-MAC-Port Binding: If IP-MAC, MAC-Port or IP-MAC-Port binding is enabled, packets that are not matched to the
binding will be dropped to protect against ARP spoofing or MAC address list attacks. The combination of ARP and
MAC learning can achieve the effect of "real-time scan + static binding", and make the defense configuration more
simple and effective.

l Authenticated ARP: Authenticated ARP is implemented on the ARP client Hillstone Secure Defender. When a PC
with Hillstone Secure Defender installed accesses Internet via the interface that enables Authenticated ARP, it will
perform an ARP authentication with the device to assure the MAC address of the device being connected to the PC
is trusted.

l ARP Inspection: Devices support ARP Inspection for interfaces. With this function enabled, StoneOS will inspect
all ARP packets passing through the specified interfaces, and compare the IP addresses of the ARP packets with
the static IP-MAC bindings in the ARP list and IP-MAC bindings in the DHCP Snooping list.

l DHCP Snooping: With this function enabled, the system can create binding relationship between the MAC address
of the DHCP client and the allocated IP address by analyzing the packets between the DHCP client and server.

l Host Defense: With this function enabled, the system can send gratuitous ARP packets for different hosts to pro-
tect them against ARP attacks.

Chapter 10 Policy 307

Co nfiguring ARP D efense
Configuring Binding Settings
Devices support IP-MAC binding, MAC-Port binding and IP-MAC-Port binding to reinforce network security control. The
bindings obtained from ARP/MAC learning and ARP scan are known as dynamic bindings, and those manually con-
figured are known as static bindings.

Adding a Sta tic IP - MAC- P ort Binding

To add a static IP-MAC-Port binding:

1. Select Policy > ARP Defense > IP-MAC Binding.

2. Click New.

In the IP-MAC Binding Configuration, configure the corresponding settings.

Option Description

MAC Specify a MAC address.

IP To enable the IP-MAC binding, specify an IP address.
Port To enable the port binding, select a port from the drop-down list behind.

VLAN ID If the port belongs to a VLAN, select the VLAN ID from the VLAN ID
drop-down list.
Virtual Router Select the virtual router that the binding item belongs to. By default, the
binding item belongs to trust-vr.

Description Specify the description for this item.

Authenticated Select Enable to enable the authenticated ARP function.
ARP

3. Click OK to save the settings.

Obta ining a D y na mic IP - MAC- P ort Bindings

Devices can obtain dynamic IP-MAC-Port binding information from:

l ARP/MAC learning

l IP-MAC scan
To configure the ARP/MAC learning:

1. Select Policy > ARP Defense > IP-MAC Binding.

308 Chapter 10 Policy

 2. Select Others and click ARP/MAC Learning from the pop-up menu.

3. In the ARP/MAC Learning Configuration dialog, select the interface that you want to enable the ARP/MAC learning
function.

4. Click Enable and then select ARP Learning or MAC Learning in the pop-up menu. The system will enable the
selected function on the interface you select.

5. Close the dialog and return to the IP-MAC Binding tab.

To confiure the ARP scan:

1. Select Policy > ARP Defense > IP-MAC Binding.

2. Select Binding Configuration and then click IP-MAC Scan from the pop-up menu.

3. In the IP-MAC Scan dialog, enter the start IP and the end IP.

4. Click OK to start scanning the specified IP addresses. The result will display in the table in the IP-MAC binding
tab.

Bind the IP - MAC- P ort Binding Ite m

To bind the IP-MAC-Port binding item:

1. Select Policy > ARP Defense > IP-MAC Binding.

2. Select Binding Configuration and then click Bind All from the pop-up menu.

3. In the Bind All dialog, select the binding type.

4. Click OK to complete the configurations.

To unbind an IP-MAC-Port binding item:

Chapter 10 Policy 309

1. Select Policy > ARP Defense > IP-MAC Binding.

2. Select Binding Configuration and then click Unbind All from the pop-up menu.

3. In the Unbind All dialog, select the unbinding type.

4. Click OK to complete the configurations.

Importing/Exporting Binding Informa tion

To import the binding information:

1. Select Policy > ARP Defense > IP-MAC Binding.

2. Select Others and then click lmport from the pop-up menu.

3. In the Import dialog, click Browse to select the file that contains the binding information. Only the UTF-8 encod-
ing file is supported.
To export the binding information:

1. Select Policy > ARP Defense > IP-MAC Binding.

2. Select Others and then click Export from the pop-up menu.

3. Choose the binding information type.

4. Click OK to export the binding information to a file.

Configuring Authentic a ted ARP

This feature may not be available on all platforms. Please check your system's actual page to see if your device delivers
this feature.
The devices provide Authenticated ARP to protect the clients against ARP spoofing attacks. Authenticated ARP is imple-
mented on the ARP client Hillstone Secure Defender. When a PC with Hillstone Secure Defender installed accesses
Internet via the interface that enables Authenticated ARP, it will perform an ARP authentication with the device to
assure the MAC address of the device being connected to the PC is trusted. Besides, the ARP client is also designed
with powerful anti-spoofing and anti-replay mechanisms to defend against various ARP attacks.

Note: The Loopback interface and PPPoE sub-interface are not designed with ARP learning, so
these two interfaces do not support Authenticated ARP.

To use the Authenticated ARP function, you need to enable the Authenticated ARP function in the device and install the
Hillstone Secure Defender in the PCs.
To enable the Authenticated ARP in the device:

1. Select Policy > ARP Defense > ARP Defense.

2. Select the interfaces on which you want to enable the Authenticated ARP function.

3. Click Enable and select Force Authenticated ARP to enable the authenticated ARP function. Besides, you can

4. Enable or disable Force Install as needed. If the Force Install option is selected, PCs cannot access Internet via
the corresponding interface unless the ARP client has been installed; if the Force Install option is not selected,
only PCs with the ARP client installed are controlled by Authenticated ARP.

310 Chapter 10 Policy

 5. To specify a description that will be displayed in the download page of the client, click Authenticated ARP Cli-
ent Download Page Configuration and then enter the description.
To install Hillstone Secure Defender in the PCs:

1. Enable Authenticated ARP for an interface, and also select the Force Install option for the interface.

2. When a PC accesses Internet via this interface, the Hillstone Secure Defneder's download page will pop up. Down-
load HillstoneSecureDefender.exe as prompted.

3. After downloading, double-click HillstoneSecureDefender.exe and install the client as prompted by the install-
ation wizard.

Configuring ARP Ins pec tion

Devices support ARP Inspection for interfaces. With this function enabled, the system will inspect all the ARP packets
passing through the specified interfaces, and compare the IP addresses of the ARP packets with the static IP-MAC bind-
ings in the ARP list and IP-MAC bindings in the DHCP Snooping list:

l If the IP address is in the ARP list and the MAC address is matched, the ARP packet will be forwarded;

l If the IP address is in the ARP list but the MAC address is not matched, the ARP packet will be dropped;

l If the IP address is not in the ARP list, continue to check if the IP address is in the DHCP Snooping list;

l If the IP address is in the DHCP Snooping list and the MAC address is also matched, the ARP packet will be for-
warded;

l If the IP address is in the DHCP Snooping list but the MAC address is not matched, the ARP packet will be dropped;

l If the IP address is not in the DHCP Snooping, the ARP packet will be dropped or forwarded according to the spe-
cific configuration.
Both the VSwitch and VLAN interface of the system support ARP Inspection. This function is disabled by default.
To configure ARP Inspection of the VSwitch interface:

1. Select Policy > ARP Defense > ARP Inspection.

2. The system already lists the existing VSwitch interfaces.

3. Double-click the item of a VSwitch interface.

4. In the Interface Configuration dialog, select the Enable check box.

5. To drop the traffic whose sender's IP address is not in the ARP table, select Drop. To forward the traffic whose
sender's IP address is not in the ARP table, select Forward.

6. Click OK to save the settings and close the dialog.

7. For the interfaces belongs to the VSwitch interface, you can set the following options:

l If you do not need the ARP inspection in the interface, in the Advanced Options section, double-click the inter-
face and select Do Not Inspect option in the pop-up dialog.

Chapter 10 Policy 311

 l Configure the number of ARP packets received per second. When the ARP packet rate exceeds the specified
value, the excessive ARP packets will be dropped. The value range is 0 to 10000. The default value is 0, i.e.,
no rate limit.

8. Click OK to save the settings.

To configure the ARP inspection of the VLAN interface:

1. Select Policy > ARP Defense > ARP Inspection.

2. Click New.

3. In the Interface Configuration dialog, specify the VLAN ID.

4. To drop the traffic whose sender's IP address is not in the ARP table, select Drop. To forward the traffic whose
sender's IP address is not in the ARP table, select Forward.

5. For the interfaces belongs to the VLAN, you can set the following options:

l If you do not need the ARP inspection in the interface, in the Advanced Options section, double-click the inter-
face and select Do Not Inspect option in the pop-up dialog.

l Configure the number of ARP packets received per second. When the ARP packet rate exceeds the specified
value, the excessive ARP packets will be dropped. The value range is 0 to 10000. The default value is 0, i.e.,
no rate limit.

6. Click OK to save the settings.

Configuring D H CP Snooping
DHCP, the abbreviation for Dynamic Host Configuration Protocol, is designed to allocate appropriate IP addresses and
related network parameters for sub networks automatically. DHCP Snooping can create binding relationship between
the MAC address of the DHCP client and the allocated IP address by analyzing the packets between the DHCP client and
server. When ARP Inspection is also enabled, the system will check if an ARP packet passing through can be matched
to any binding of the list. If not, the ARP packet will be dropped. In the network that allocates addresses via DHCP, you
can prevent against ARP spoofing attacks by enabling ARP inspection and DHCP Snooping.
DHCP clients look for the server by broadcasting, and only accept the network configuration parameters provided by
the first reachable server. Therefore, an unauthorized DHCP server in the network might lead to DHCP server spoofing
attacks. The devices can prevent against DHCP server spoofing attacks by dropping DHCP response packets on related
ports.
Besides, some malicious attackers send DHCP requests to a DHCP server in succession by forging different MAC
addresses, and eventually lead to IP address unavailability to legal users by exhausting all the IP address resources.
This kind of attacks is commonly known as DHCP Starvation. The devices can prevent against such attacks by drop-
ping request packets on related ports, setting rate limit or enabling validity check.
The VSwitch interface of the system supports DHCP snooping. This function is disabled by default.
To configure DHCP snooping:

1. Select Policy > ARP Defense > DHCP Snooping.

312 Chapter 10 Policy

 2. Click DHCP Snooping Configuration.

3. In the Interface tab, select the interfaces that need the DHCP snooping function.

4. Click Enable to enable the DHCP snooping function.

5. In the Port tab, configure the DHCP snooping settings:

l Validity check: Check if the client's MAC address of the DHCP packet is the same with the source MAC address
of the Ethernet packet. If not, the packet will be dropped. Select the interfaces that need the validity check
and then click Enable to enable this function.

l Rate limit: Specify the number of DHCP packets received per second on the interface. If the number exceeds
the specified value, the system will drop the excessive DHCP packets. The value range is 0 to 10000. The
default value is 0, i.e., no rate limit. To configure the rate limit, double-click the interface and then specify the
value in the Rate text box in the pop-up Port Configuration dialog.

l Drop: In the Port Configuration dialog, if the DHCP Request check box is selected, the system will drop all
the request packets sent by the client to the server; if the DHCP Response check box is selected, the system
will drop all the response packets returned by the server to the client.

6. Click OK to save the settings.

Vie wing D H CP Snooping List

With DHCP Snooping enabled, the system will inspect all the DHCP packets passing through the interface, and create
and maintain a DHCP Snooping list that contains IP-MAC binding information during the process of inspection.
Besides, if the VSwitch, VLAN interface or any other Layer 3 physical interface is configured as a DHCP server, the sys-
tem will create IP-MAC binding information automatically and add it to the DHCP Snooping list even if DHCP Snooping is
not enabled. The bindings in the list contain information like legal users' MAC addresses, IPs, interfaces, ports, lease
time, etc.
To view the DHCP snooping list:

1. Select Policy > ARP Defense > DHCP Snooping.

2. In the current page, you can view the DHCP snooping list.

Configuring H os t D efens e
Host Defense is designed to send gratuitous ARP packets for different hosts to protect them against ARP attacks.
To configure host defense:

1. Select Policy > ARP Defense > Host Defense.

Chapter 10 Policy 313

2. Click New.

In the Host Defense dialog, configure the corresponding options.

Sending Settings

Interface Specify an interface that sends gratuitous ARP packets.

Excluded Port Specify an excluded port, i.e., the port that does not send gratuitous ARP
packets. Typically it is the port that is connected to the proxied host.
Host

IP Specify the IP address of the host that uses the device as a proxy.

MAC Specify the MAC address of the host that uses the device as a proxy.

Sending Rate Specify a gratuitous ARP packet send rate. The value range is 1 to 10/sec.
The default value is 1

3. Click OK to save your settings and return to the Host Defense page.

4. Repeat Step 2 and Step 3 to configure gratuitous ARP packets for more hosts. You can configure the device to
send gratuitous ARP packets for up to 16 hosts.

314 Chapter 10 Policy

SSL Proxy
This feature may not be available on all platforms. Please check your system's actual page to see if your device delivers
this feature.
To assure the security of sensitive data when being transmitting over networks, more and more websites adopt SSL
encryption to protect their information. The device provides the SSL proxy function to decrypt HTTPS traffic. The SSL
proxy function works in the following two scenarios:
The first scenario, the device works as the gateway of Web clients. The SSL proxy function replaces the certificates of
encrypted websites with the SSL proxy certificate to get the encrypted information and send the SSL proxy certificate
to the client’s Web browser. During the process, the device acts as a SSL client and SSL server to establish con-
nections to the Web server and Web browser respectively. The SSL proxy certificate is generated by using the device's
local certificate and re-signing the website certificate. The process is described as below:

The second scenario, the device works as the gateway of Web servers. The device with SSL proxy enabled can work as
the SSL server, use the certificate of the Web server to establish the SSL connection with Web clients (Web browsers),
and send the decrypted traffic to the internal Web server.

Wo rk Mo de
There are three work modes. For the first scenario, the SSL proxy function can work in the Require mode and the
Exempt mode; for the second scenario, the SSL proxy function can work in the Offload mode.
When the SSL proxy function works in the Require mode and the Exempt mode, it can perform the SSL proxy on spe-
cified websites.
For the websites that do not need SSL proxy, it dynamically adds the IP address and port of the websites to a bypass
list, and the HTTPS traffic will be bypassed.
For the websites proxied by the SSL proxy function, the device will check the parameters of the SSL negotiation. When
a parameter matches an item in the checklist, the corresponding HTTPS traffic can be blocked or bypassed according
to the action you specified.

l If the action is Block, the HTTPS traffic will be blocked by the device.

l If the action is Bypass, the HTTPS traffic will not be decrypted. Meanwhile, the device will dynamically add the IP
address and port number of the Website to the bypass list, and the HTTPS traffic will be bypassed.
The device will decrypt the HTTPS traffic that are not blocked or bypassed.
When the SSL proxy function works in the Offload mode, it will proxy the SSL connections initialized by Web clients,
decrypt the HTTPS traffic, and send the HTTPS traffic as plaintext to the Web server.
You can integrate SSL proxy function with the followings:

l Integrate with the application identification function. Devices can decrypt the HTTPS traffic encrypted using SSL
by the applications and identify the application. After the application identification, you can configure the policy
rule, QoS, session limit, policy-based route.

l Integrate with the Web content function, Web post function, and email filter function. Devices can audit the
actions that access the HTTPS website.

l Support unilateral SSL proxy in WebAuth. SSL client can use SSL connection during authentication stage. When
authentication is completed, SSL proxy will no longer take effect, and the client and server communicate directly
without SSL encryption.

l Integrate with AV, IPS, and URL. Devices can perform the AV protection, IPS protection, and URL filter on the
decrypted HTTPS traffic.

Chapter 10 Policy 315

Wo rking as Gatew ay o f Web Clients
To implement SSL proxy, you need to bind a SSL proxy profile to the policy rule. After binding the SSL proxy profile to a
policy rule, the system will use the SSL proxy profile to deal with the traffic that matches the policy rule. To implement
SSL proxy, take the following steps:

1. Configure the corresponding parameters of SSL negotiation, including the following items: specify the PKI trust
domain of the device certificates, obtain the CN value of the subject field from the website certificate, configure
the trusted SSL certificate list, and import a device certificate to the Web browser.

2. Configure a SSL proxy profile, including the following items: choose the work mode, set the website list (use the
CN value of the Subject field of the website certificate), configure the actions to the HTTPS traffic when its SSL
negotiation matches the item in the checklist, enable the audit warning page, and so on.

3. Bind a SSL proxy profile to a proper policy rule. The device will decrypt the HTTPS traffic that matches the policy
rule and is not blocked or bypassed by the device.

Configuring SSL Prox y Pa ra m eters

Configuring SSL proxy parameters includes the following items:

l Specify the PKI trust domain of the device certificate

l Obtain the CN value of the website certificate

l Configure a trusted SSL certificate list

l Import a device certificate to a Web browser

Spe cify ing the P KI Trust D oma in of D e v ice Ce rtifica te

By default, the certificate of the default trust domain trust_domain_ssl_proxy_2048 will be used to generate the SSL
proxy certificate with the Web server certificate together, and then the system will issue the generated SSL proxy cer-
tificate to the client. You can specify another PKI trust domain in the system as the trust domain of the device cer-
tificate. The specified trust domain must have a CA certificate, local certificate, and the private key of the local
certificate. To specify a trust domain, take the following steps:

1. Click Policy > SSL Proxy.

2. At the top-right corner of the page, click Trust Domain Configuration.

3. Select a trust domain from the Trust domain drop-down list.

l The trust domain of trust_domain_ssl_proxy uses RSA and the modulus size is 1024 bits.

l The trust domain of trust_domain_ssl_proxy_2048 uses RSA and the modulus size is 2048 bits.

4. Click OK to save the settings.

Obta ining the CN Va lue

To get the CN value in the Subject field of the website certificate, take the following steps (take www.gmail.com as the
example):

1. Open the IE Web browser, and visit https://www.gmail.com.

2. Click the Security Report button ( ) next to the URL.

3. In the pop-up dialog, click View certificates.

4. In the Details tab, click Subject. You can view the CN value in the text box.

316 Chapter 10 Policy

Configuring a Truste d SSL Ce rtifica te List
The trusted SSL certificate list contains the well-known CA certificates in the industry, which are used to verify the
validity of site certificates. For the valid certificates, the system will send a SSL proxy certificate to the client browser;
while for the invalid certificates, the system will send an internal certificate to the browser to inform you that the cer-
tificate of the website is invalid. You can import one or multiple trusted SSL certificates, or delete the specified trusted
SSL certificate.

1. Click Policy > SSL Proxy.

2. At the top-right corner of the page, click Trust SSL Certificate Configuration.

l In the pop-up dialog, click Import to import a certificate.

l In the pop-up dialog, select a certificate and then click Delete to delete the selected certificate.

3. After the configurations, click Close to close the dialog.

Importing D e v ice Ce rtifica te to Clie nt Browse r

In the proxy process, the SSL proxy certificate will be used to replace the website certificate. However, there is no SSL
proxy certificate's root certificate in the client browser, and the client cannot visit the proxy website properly. To
address this problem, you have to import the root certificate (certificate of the device) to the browser.
First export the device certificate to local PC:

1. Export the device certificate to local PC. Select System > PKI.

2. In the Management tab in the PKI Management dialog, configure the options as below:

l Trust domain: trust_domain_ssl_proxy or trust_domain_ssl_proxy_2048

l Content: CA certificate

l Action: Export

3. Click OK and select the path to save the certificate. The certificate will be saved to the specified location.
Then, import device certificate to client browser. Take Internet Explore as the example:

1. Open IE.

2. From the toolbar, select Tools > Internet Options.

3. In the Content tab, click Certificates.

4. In the Certificates dialog, click the Trusted Root Certification Authorities tab.

5. Click Import. Import the certificate following the Certificate Import Wizard.

Configuring a SSL Prox y Profile

Configuring a SSL proxy profile includes the following items: choose the work mode, set the website list (use the CN
value of the Subject field of the website certificate), configure the actions to the HTTPS traffic when its SSL negotiation
matches the item in the checklist, enable the audit warning page, and so on. The system supports up to 32 SSL proxy
profiles and each profile supports up to 10,000 statistic website entries.
To configure a SSL proxy profile:

1. Click Policy > SSL Proxy.

2. At the top-left corner, click New to create a new SSL proxy profile.

Chapter 10 Policy 317

 In the Basic tab, configure the settings.
Option Description

Name Specify the name of the SSL proxy profile.

Description Add the description.
Mode When the device works as the gateway of Web clients, the SSL proxy func-
tion can work in the Require mode or the Exempt mode.

l In the Require mode, the device perform the SSL proxy function on
the communication encrypted by the specified website certificate.
The communication encrypted by other website certificatesh will
be bypassed.

l In the Exempt mode, the device does not perform the SSL proxy
function on the communication encrypted by the specified website
certificate. The communication encrypted by other website cer-
tificates will be proxied by SSL proxy function.
Common Name Set the website list based on the work mode. When the SSL proxy is in
the Require mode, set the websites that will be proxied by the SSL proxy
function. When the SSL proxy is in the Exempt mode, set the websites
that will not be proxied by the SSL proxy function and the device will per-
form the SSL proxy on other websites.
To set the website list, specify the CN value of the subject field of the
website certificate and then click Add.

Warning Select Enable to enable the warning page. When the HTTPS traffic is
decrypted by the SSL proxy function, the request to a HTTPS website will
be redirected to a warning page of SSL proxy. In this page, the system
notifies the users that their accesses to HTTPS websites are being mon-
itored and asks the uses to protect their privacy.

In the Decryption Configuration tab, configure the settings.

Option Description
After the system completes the SSL negotiation, the traffic that is not blocked or bypassed
will be decrypted. When the parameters match multiple items in the checklist and you con-
figure difference actions to different items, the Block action will take effect. The cor-
responding HTTPS traffic will be blocked.

Key Modulus Specify the key pair modulus size of the private/public keys that are asso-
ciated with the SSL proxy certificate. You can select 1024 bits or 2048 bits.

318 Chapter 10 Policy

 Option Description

Server certificate check

Expired cer- Check the certificate used by the server. When the certificate is overdue,
tificate you can select Block to block its HTTPS traffic, or select Bypass to bypass
its HTTPS traffic, or select Decrypt to decrypt the HTTPS traffic.
Encryption mode check
Unsupported ver- Check the SSL protocol version used by the server.
sion
l When the system does not support the SSL protocol used by the
SSL server, you can select Block to block its HTTPS traffic, or
select Bypass to bypass its HTTPS traffic.

l When the system supports the SSL protocol used by the SSL
server, it will continue to check other items.
Unsupported Check the encryption algorithm used by the server.
encryption
algorithms l When the system does not support the encryption algorithm used
by the SSL server, you can select Block to block its HTTPS traffic,
or select Bypass to bypass its HTTPS traffic.

l When the system supports the encryption algorithm used by the

SSL server, it will continue to check other items.
Client veri- Check whether the SSL server verifies the client certificate.
fication
l When the SSL server verifies the client certificate, you can select
Block to block its HTTPS traffic, or select Bypass to bypass its
HTTPS traffic.

l When the SSL server does not verify the client certificate, it will
continue to check other items.
Blocking SSL ver- When the SSL server uses the specified version of SSL protocol, the sys-
sion tem can block its HTTPS traffic.
Blocking encryp- When the SSL server uses the specified encryption algorithm, the system
tion algorithm can block its HTTPS traffic.
Resource unavail- When the decryption resource is not enough, the system will bypass the
able HTTPS traffic. This action cannot be changed.

3. Click OK to save the settings.

Wo rking as Gatew ay o f Web Servers

To implement SSL proxy, you need to bind a SSL proxy profile to the policy rule. After binding the SSL proxy profile to a
policy rule, the system will use the SSL proxy profile to deal with the traffic that matches the policy rule. To implement
SSL proxy, take the following steps:

1. Configure a SSL proxy profile, including the following items: choose the work mode, specify the trust domain of
the Web server certificate and the HTTP port number of the Web server.

2. Bind a SSL proxy profile to a proper policy rule. The device will decrypt the HTTPS traffic that matches the policy
rule.

Configuring a SSL Prox y Profile

Configuring a SSL proxy profile includes the following items: choose the work mode, specify the trust domain of the
Web server certificate and the HTTP port number of the Web server.
To configure a SSL proxy profile:

1. lick Policy > SSL Proxy.

Chapter 10 Policy 319

2. At the top-left corner, click New to create a new SSL proxy profile.

In the Basic tab, configure the settings.

Option Description

Name Specify the name of the SSL proxy profile.

Description Add the description.
Mode When the device works as the gatetway of Web servers, the SSL proxy
function can work in the Offload mode.

Service Port Specify the HTTP port number of the Web server.

Server Trust Since the device will work as the SSL server and use the certificate of the
Domain Web server to establish the SSL connection with Web clients (Web
browsers), you need to import the certificate and the key pair into a trust
domain in the device. For more information about importing the cer-
tificate and the key pair, see "PKI" on Page 137.
After you complete the importing, select the trust domain used by this
SSL Profile.

Warning Select Enable to enable the warning page. When the HTTPS traffic is
decrypted by the SSL proxy function, the request to a HTTPS website will
be redirected to a warning page of SSL proxy. In this page, the system
notifies the users that their accesses to HTTPS websites are being mon-
itored and asks the uses to protect their privacy.

3. Click OK to save the settings.

B inding a SSL Pro xy Pro file to a Po licy Rule

After binding the SSL proxy profile to a policy rule, the system will process the traffic that is matched to the rule
according to the profile configuration. To bind the SSL proxy profile to a policy rule, see "Security Policy" on Page 274.

320 Chapter 10 Policy

Internet Behavior Control
This feature may not be available on all platforms. Please check your system's actual page to see if your device delivers
this feature.
The Internet behavior control allows you to flexibly configure control rules to comprehensively control and audit (by
behavior logs and content logs) on user network behavior.
Internet behavior control can audit and filter in the following network behaviors:

Function Description

Web content Controls the network behavior of visiting the webpages (including the
webpages encrypted by HTTPS) that contain certain keywords, and log the
actions.
Web posting Controls the network behavior of posting on websites (including the
webpages encrypted by HTTPS) and posting specific keywords, and logs the
posting action and posted content.
Email filter Controls and audit SMTP mails and the web mails (including the encrypted
Gmail mails):

l Control and audit all the behaviors of sending emails;

l Control and audit the behaviors of sending emails that contain spe-
cific sender, recipient, keyword or attachment.
IM Control Controls and audits the MSN, QQ and Yahoo! Messenger chatting.
HTTP/FTP control Controls and audits the actions of HTTP and FTP applications:

l FTP methods, including Login, Get, and Put;

l HTTP methods, including Connect, Get, Put, Head, Options, Post, and
Trace;

l Block downloading of HTTP binary file (such as .bat, .com), ActiveX

and Jave Applets.

Chapter 10 Policy 321

Co nfiguring I nternet B ehavio r Co ntro l Obj ects
When using the internet behavior control function, you need to configure the following objects for the internet beha-
vior control rules:

Object Description

Predefined URL The predefined URL database includes dozens of categories and tens of mil-
DB lions of URLs and you can use it to specify the URL category and URL range
for the URL category/Web posting functions.

User-defined URL The user-defined URL database is defined by yourself and you can use it to
DB specify the URL category and URL range for the URL category/Web posting
functions.

URL Lookup Use the URL lookup function to inquire URL information from the URL data-
base.

Keyword Cat- Use the keyword category function to customize the keyword categories.
egory You can use it to specify the keyword for the URL category/Web post-
ing/email filter functions.

Warning Page l Block warning: When your network access is blocked, you will be
prompted with a warning page in the Web browser.

l Audit warning: When your network access is audited, you will be

prompted with a warning page in the Web browser.
Bypass Domain Domains that are not controlled by the internet behavior control rules.
User Exception Users that are not controlled by the internet behavior control rules.

Predefined URL D B
The system contains a predefined URL database.

Note: The predefined URL database is controlled by a license controlled. Only after a URL
license is installed, the predefined URL database can be used.

The predefined URL database provides URL categories for the configurations of Web content/Web posting. It includes
dozens of categories and tens of millions of URLs .
When identifying the URL category of a URL, the user-defined URL database has a higher priority than the predefined
URL database.

Configuring P re de fine d U RL D a ta ba se U pda te P a ra me te rs

By default, the system updates predefined URL database everyday. You can change the update parameters according
to your own requirements. Currently, two default update servers are provides: update1.hillstonenet.com and
update2.hillstonenet.com. Besides, you can update the predefined URL database from your local disk.
To change the update parameters:

1. Select System > Upgrade Management > Signature Database Update.

322 Chapter 10 Policy

 2. In the URL category database update section, you can view the current version of the database, perform the
remote update, configure the remote update, and perform the local update.

3. Select Enable Auto Update to enable the automatic update function. And then continue to specify the frequency
and time. Click OK to save your settings.

4. Click Configure Update Server to configure the update server URL. In the pop-up dialog, specify the URL or IP
address of the update server, and select the virtual router that can connect to the server. To restore the URL set-
tings to the default ones, click Restore Default.

5. Click Configure Proxy Server, then enter the IP addresses and ports of the main proxy server and the backup
proxy server. When the device accesses the Internet through a HTTP proxy server, you need to specify the IP
address and the port number of the HTTP proxy server. With the HTTP proxy server specified, various signature
database can update normally.

6. Click OK to save the settings.

U pgra ding P re de fine d U RL D a ta ba se Online

To upgrade the URL database online:

1. Select System > Upgrade Management > Signature Database Update.

2. In the URL category database update section, click Update to update the predefined URL database.

U pgra ding P re de fine d U RL D a ta ba se from Loca l

To upgrade the predefined URL database from local:

1. System > Upgrade Management > Signature Database Update

2. In the URL category database update section, click Browse to select the URL database file from your local disk.

3. Click Upload to update the predefined URL database.

Us er-defined URL D B
Besides categories in predefined URL database, you can also create user-defined URL categories, which provides URL
categories for the configurations of Web content/Web posting. When identifying the URL category, the user-defined
URL database has a higher priority than the predefined URL database.
System provides three predefined URL categories: custom1, custom2, custom3. You can import your own URL lists
into one of the predefined URL category.

Configuring U se r- de fine d U RL D B
To configure a user-defined URL category:

1. Select Policy > Internet Behavior Control > Web Content/Web Posting.

2. At the top-right corner, select Configuration > User-defined URL DB. The User-defined URL DB dialog
appears.

Chapter 10 Policy 323

3. Click New. The URL Category dialog appears.

4. Type the category name in the Category box. URL category name cannot only be a hyphen (-). And you can create
at most 16 user-defined categories.

5. Type a URL into the URL http:// box.

6. Click Add to add the URL and its category to the table.

7. To edit an existing one, select it and then click Edit. After editing it, click Add to save the changes.

8. Click OK to save the settings.

Importing U se r- de fine d U RL
System supports to batch import user-defined URL lists into the predefined URL category named custom1/2/3. To
import user-defined URL:

1. Select Object > URL Filter.

2. At the top-right corner, select Configuration > User-defined URL DB. The User-defined URL DB dialog
appears.

3. Select one of the predefined URL category(custom1/2/3), and then click Import.

4. In the Batch Import URL dialog, click Browse button to select your local URL file. The file should be less than 1 M,
and has at most 1000 URLs. Wildcard is supported to use once in the URL file, which should be located at the start
of the address.

5. Click OK to finish importing.

Cle a ring U se r- de fine d U RL

In the predefined URL category named custom1/2/3, clear user-defined URL:

1. Select Object > URL Filter.

2. At the top-right corner, select Configuration > User-defined URL DB. The User-defined URL DB dialog
appears.

3. Select one of the predefined URL category(custom1/2/3), and then click Clear, the URL in the custom 1/2/3 will
be cleared from the system.

324 Chapter 10 Policy

URL Look up
You can inquire a URL to view the details by URL lookup, including the URL category and the category type.

Inquiring U RL Informa tion

To inquiry URL information:

1. Select Policy > Internet Behavior Control > Web Content/Web Posting.

2. At the top-right corner, click Configuration > URL Lookup. The URL Lookup dialog appears.

3. Type the URL into the Please enter the URL to inquire box.

4. Click Inquire, and the results will be displayed at the bottom of the dialog.

Configuring U RL Lookup Se rv e rs
URL lookup server can classify an uncategorized URL (URL is neither in predefined URL database nor in user-defined
URL database) you have accessed, and then add it to the URL database during database updating. Two default URL
lookup servers are provided: url1.hillstonenet.com and url2.hillstonenet.com. By default, the URL lookup servers are
enabled.
To configure a URL lookup server:

1. Select Policy > Internet Behavior Control > Web Content/Web Posting.

2. At the top-right corner, Select Configuration > Predefined URL DB. The Predefined URL DB dialog appears.

3. Click Inquiry Server Configuration. The Predefined URL DB Inquiry Server Configuration dialog appears.

4. In the Inquiry server section, double-click the cell in the IP/Port/Virtual Router column of Server1/2 and type a
new value.

Chapter 10 Policy 325

5. Select the check box in the Enable column to enable this URL lookup server.

6. Click OK to save the settings.

Keyw ord Ca tegory

You can customize the keyword category and use it in the internet behavior control function.
After configuring a internet behavior control rule, the system will scan traffic according to the configured keywords
and calculate the trust value for the hit keywords. The calculating method is: adding up the results of times * trust
value of each keyword that belongs to the category. Then the system compares the sum with the threshold 100 and
performs the following actions according to the comparison result:

l If the sum is larger than or equal to category threshold (100), the configured category action will be triggered;

l If more than one category action can be triggered and there is block action configured, the final action will be
Block;

l If more than one category action can be triggered and all the configured actions are Permit, the final action will be
Permit.
For example, a web content rule contains two keyword categories C1 with action block and C2 with action permit. Both
of C1 and C2 contain the same keywords K1 and K2. Trust values of K1 and K2 in C1 are 20 and 40. Trust values of K1
and K2 in C2 are 30 and 80.
If the system detects 1 occurrence of K1 and K2 each on a web page, then C1 trust value is 20*1＋ 40*1=60<100,
and C2 trust value is 30*1+80*1=110>100. As a result, the C2 action is triggered and the web page access is per-
mitted.
If the system detects 3 occurrences of K1 and 1 occurrence of K2 on a web page, then C1 trust value is 20*3+40*1-
1=100, and C2 trust value C2 is 30*3+80*1=170>100. Conditions for both C1 and C2 are satisfied, but the block
action for C1 is triggered, so the web page access is denied.

Configuring a Ke y word Ca te gory

To configure a keyword category:

1. Select Policy > Internet Behavior Control > Web Content/Web Posting/Email Filter.

2. At the top-right corner, Select Configuration > Keyword Category. The Keyword Category dialog appears.

3. Click New. The Keyword Category Configuration dialog appears.

4. Type the category name.

326 Chapter 10 Policy

 5. Click New. In the slide area, specify the keyword, character matching method (simple/regular expression), and
trust value (100 by default).

6. Click Add to add the keyword to the list below.

7. Repeat the above steps to add more keywords.

8. To delete a keyword, select the keyword you want to delete from the list and click Delete.

9. Click OK to save your settings.

Wa rning Pa ge
The warning page shows the user block information and user audit information.

Configuring Block Wa rning

If the internet behavior is blocked by the internet behavior control function, the Internet access will be denied. The
information of Access Denied will be shown in your browser, and some web surfing rules will be shown to you on the
warning page at the same time. See the picture below:

After enabling the block warning function, block warning information will be shown in the browser when one of the fol-
lowing actions is blocked:

l Visiting the web page that contains a certain type of keyword category

l Posting information to a certain type of website or posting a certain type of keywords

l HTTP actions of Connect, Get, Put, Head, Options, Post, and Trace. HTTP binary file download, such as .bat, .com.
Downloading ActiveX and Java Applet.
The block warning function is enabled by default. To configure the block warning function:

1. Click Policy > Internet Behavior Control > Web Content/Web Posting/Email Filter/HTTP/FTP
Control.

2. At the top-right corner, Select Configuration > Warning Page. The Warning Page dialog appears.

3. In the Block Warning section, select Enable.

Chapter 10 Policy 327

4. Configure the display information in the blocking warning page.
Option Description

Default Use the default blocking warning page as shown above.

Redirect page Redirect to the specified URL. Type the URL in the URL http:// box. You
can click Detection to verify whether the URL is valid.
Custom Customize the blocking warning page. Type the title in the Title box and
the description in the Description box. You can click Preview to preview
the blocking warning page.

5. Click OK to save the settings.

Configuring Audit Wa rning

After enabling the audit warning function, when your internet behavior matches the configured internet behavior
rules, your HTTP request will be redirected to a warning page, on which the audit and privacy protection information is
displayed. See the picture below:

The audit warning function is disabled by default. To configure the audit warning function:

1. Select Policy > Internet Behavior Control > Web Content/Web Posting/Email Filter/HTTP/FTP Con-
trol.

2. At the top-right corner, Select Configuration > Warning Page. The Warning Page dialog appears.

3. In the Audit Warning section, select Enable.

4. Click OK to save the settings.

Bypa s s D om a in
Regardless of internet behavior control rules, requests to the specified bypass domains will be allowed uncon-
ditionally.
To configure a bypass domain:

1. Select Policy > Internet Behavior Control > Web Content/Web Posting/Email Filter/HTTP/FTP Con-
trol.

328 Chapter 10 Policy

 2. At the top-right corner, Select Configuration > Bypass Domain. The Bypass Domain dialog appears.

3. In the text box, type the domain name.

4. Click Add. The domain name will be added to the system and displayed in the bypass domain list.

5. Click OK to save the settings.

Us er Ex c eption
The user exception function is used to specify the users who will not be controlled by the internet behavior control
rules. The system supports the following types of user exception: IP, IP range, role, user, user group, and address
entry.
To configure the user exception:

1. Select Policy > Internet Behavior Control > Web Content/Web Posting/Email Filter/IM Con-
trol/HTTP/FTP Control.

2. At the top-right corner, Select Configuration > User Exception. The User Exception dialog appears.

3. Select the type of the user from the Type drop-down list.

4. Configure the corresponding options.

5. Click Add. The user will be added to the system and displayed in the user exception list.

6. Click OK to save the settings.

Chapter 10 Policy 329

Web Co ntent
The web content function is designed to control the network behavior of visiting the websites that contain certain
keywords. For example, you can configure to block the access to website that contains the keyword "gamble", and
record the access action and website information in the log.
With the combination of web content and SSL proxy, the encrypted HTTPS access can be monitored and controlled.
Refer to "SSL Proxy" on Page 315.

Crea ting a Web Content Rule

To create a web content rule:

1. Select Policy > Internet Behavior Control > Web Content.

2. Click Add.

In the Web Content Rule Configuration dialog box, enter values.

Option Description

Name Rule Name

Destination Specifies the destination zone for the rule.

Zone

User Type Specifies the users for the rule. The rule will be executed on the traffic of
the specified users. The user type includes the following options:

l Source address: The type of source address contains address

entry, IP, IP range, and hostname.

l User: The member of it can be role, user, and user group.

By default, the system use the address entry of any, then the rule will

330 Chapter 10 Policy

 Option Description

be executed on all traffic.

Source Address Specifies the source addresses.

1. Select an address type from the Source Address drop-down list.

2. Select or type the source addresses based on the selected type.

3. Click to add the addresses to the right pane.

4. After adding the desired addresses, click the blank area in this
dialog to complete the source address configuration.

You can also perform other operations:

l When selecting the Address Book type, you can click Add to cre-
ate a new address entry.

l The default address configuration is any. To restore the con-

figuration to this default one, select the any check box.

User Specifies a role, user or user group for the security policy rule.

1. From the User drop-down menu, select the AAA server where the
users and user groups reside. To specify a role, select Role from
the AAA Server drop-down list.

2. Based on different types of AAA server, you can execute one or

more actions: search a user/user group/role, expand the user-
/user group list, enter the name of the user/user group.

3. After selecting users/user groups/roles, click to add the

them to the right pane.

4. After adding the desired objects, click the blank area in this dia-
log to complete the user configuration.

Schedule Specifies the schedule of the rule. The rule will take effect in the period
defined by the schedule. By default, no schedule is specified, and the
rule is available all the time.

Select the check boxes of the wanted schedules in the list or create new
schedules by clicking New Schedule.

Action Defines the action when a keyword is matched.

l New: Creates new keyword categories. For more information

about keyword category, see "Configuring Internet Behavior Con-
trol Objects" on Page 322.

Chapter 10 Policy 331

 Option Description

l Edit: Edits selected keyword category.

l Keyword category: Shows the name of configured keyword cat-

egories.

l Block: Select the check box to block the web pages containing the
corresponding keywords.

l Log: Select the check box to record log messages when visiting
the web pages containing the corresponding keywords.

l Record contents: Select the check box to record the keyword con-
text. This option is available only when the device has a storage
media (SD card, U disk, or storage module provided by Hillstone)
with the NBC license installed.

Apply to URL Cat- Specify the coverage of this rule. By default, the rule applies to all web-
egory site.

1. Click All Websites.

2. Select or unselect the websites you want to monitor and control.

3. Click OK.

3. Click OK.
If necessary, you can configure some additional features by going to the right top corner and click Configuration.

Option Description

Predefined URL The predefined URL database includes dozens of categories and tens of mil-
DB lions of URLs and you can use it to specify the URL category and URL range
for the URL category/Web posting functions.

User-defined URL The user-defined URL database is defined by yourself and you can use it to
DB specify the URL category and URL range for the URL category/Web posting
functions.

URL Lookup Use the URL lookup function to inquire URL information from the URL data-
base.

SSL Proxy Decrypt the traffic encrypted by the SSL protocol.

Warning Page l Block warning: When your network access is blocked, you will be
prompted with a warning page in the Web browser.

l Audit warning: When your network access is audited, you will be

prompted with a warning page in the Web browser.
Bypass Domain Domains that are not controlled by the internet behavior control rules.
User Exception Users that are not controlled by the internet behavior control rules.

332 Chapter 10 Policy

 Note:
l To enusre you have the latest URL database, it is better to update your database first. Refer
to "Configuring Internet Behavior Control Objects" on Page 322.

l You can export logs to a designated destination. Refer to "Log Configuration" on Page 443.

l By default, a rule will immediately take effect after you click OK to complete configuration.

Ena bling/D is a bling a Rule

By default, a complete rule will immediately take effect, but you can still disable a rule to stop it from running.
To enable/disable an web content rule:

1. Select Policy > Internet Behavior Control > Web Content.

2. Select a rule, and click Enable or Disable.

Prioritiz ing Rules

The system takes the first-hit-first-serve method for the rules. And for the position of the rules, the upper it is, the
higher the priority is. If two rules have the same conditions, the rule with higher priority will be matched. You can
adjust the priority of the rules by moving their positions.
To adjust a rule's position:

1. Select Policy > Internet Behavior Control > Web Content.

2. Click Priority.

3. In the prompt, move the selected rule.

4. Click OK.

View ing Monitored Res ults of Keyw ord Bloc k ing in Web Content
If you have configured email filter with keyword blocking, you can view the monitored results of blocking those words.
Select Monitor > Keyword Block > Web Content, you will see the monitored results. For more about monitoring,
refer to "Web Content" on Page 413.

View ing Logs of Keyw ord Bloc k ing in Web Content

To see the system logs of keyword blocking in web content, please refer to the "NBC Logs" on Page 442.

Chapter 10 Policy 333

Web Po sting
The web posting function can control the network behavior of posting on websites and posting specific keywords, and
can log the posting action and posting content. For example, forbid the users to post information containing the
keyword X, and record the action log.
With the combination of web posting and SSL proxy, posting action on the encrypted HTTPS websites can be con-
trolled. For the detailed information of SSL proxy, see "SSL Proxy" on Page 315.

Crea ting Web Pos ting Rule

To create a web posting rule:

1. Select Policy > Internet Behavior Control > Web Posting.

2. Click New.

In the Web Posting Rule Configuration dialog, enter values.

Option Description

Name Specifies the rule name.

Destination Specifies the destination zone for the rule.

Zone

User Type Specifies the users for the rule. The rule will be executed on the traffic of
the specified users. The user type includes the following options:

l Source address: The type of source address contains address

entry, IP, IP range, and hostname.

l User: The member of it can be role, user, and user group.

334 Chapter 10 Policy

 Option Description

By default, the system use the address entry of any, then the rule will
be executed on all traffic.

Source Address Specifies the source addresses.

1. Select an address type from the Source Address drop-down list.

2. Select or type the source addresses based on the selected type.

3. Click to add the addresses to the right pane.

4. After adding the desired addresses, click the blank area in this
dialog to complete the source address configuration.

You can also perform other operations:

l When selecting the Address Book type, you can click Add to cre-
ate a new address entry.

l The default address configuration is any. To restore the con-

figuration to this default one, select the any check box.

User Specifies a role, user or user group for the security policy rule.

1. From the User drop-down menu, select the AAA server where the
users and user groups reside. To specify a role, select Role from
the AAA Server drop-down list.

2. Based on different types of AAA server, you can execute one or

more actions: search a user/user group/role, expand the user-
/user group list, enter the name of the user/user group.

3. After selecting users/user groups/roles, click to add the

them to the right pane.

4. After adding the desired objects, click the blank area in this dia-
log to complete the user configuration.

Schedule Specifies the schedule of the rule. The rule will take effect in the period
defined by the schedule. By default, no schedule is specified, and the
rule is available all the time.

Select the check boxes of the wanted schedules in the list or create new
schedules by clicking New Schedule.

Apply to URL Cat- Specify the coverage of this rule. By default, the rule applies to all web-
egory site.

Chapter 10 Policy 335

 Option Description

1. Click All Websites.

2. Select or unselect the websites you want to monitor and control.

3. Click OK.

Control Type The action applies to all web posting content.

l Block: Select to block all web posting behaviors.

l Record Log: Select to record all logs about web posting.

Posting inform- Controls the action of posting specific keywords. The options are:
ation with spe-
l New: Creates new keyword categories. For more information
cific keyword
about keyword category, see "Keyword Category" on Page 326.

l Edit: Edits selected keyword category.

l Keyword category: Shows the name of configured keyword cat-

egories.

l Block: Blocks the posting action of the corresponding keywords.

l Log: Records log messages when posting the corresponding

keywords.

3. Click OK.
If necessary, you can configure some additional features by going to the right top corner and click Configuration.

Option Description

Predefined URL The predefined URL database includes dozens of categories and tens of mil-
DB lions of URLs and you can use it to specify the URL category and URL range
for the URL category/Web posting functions.

User-defined URL The user-defined URL database is defined by yourself and you can use it to
DB specify the URL category and URL range for the URL category/Web posting
functions.

URL Lookup Use the URL lookup function to inquire URL information from the URL data-
base.

SSL Proxy Decrypt the traffic encrypted by the SSL protocol.

Warning Page l Block warning: When your network access is blocked, you will be
prompted with a warning page in the Web browser.

l Audit warning: When your network access is audited, you will be

prompted with a warning page in the Web browser.
Bypass Domain Domains that are not controlled by the internet behavior control rules.
User Exception Users that are not controlled by the internet behavior control rules.

336 Chapter 10 Policy

 Note:
l To enusre you have the latest URL database, it is better to update your database first. Refer
to "Configuring Internet Behavior Control Objects" on Page 322.

l If there is an action conflict between setting for "all websites" and "specific keywords",
when a traffic matches both rules, the "deny" action shall prevail.

l You can export logs to a designated destination. Refer to "Log Configuration" on Page 443.

l By default, a rule will immediately take effect after you click OK to complete configuration.

Ena bling/D is a bling a Rule

By default, a complete rule will immediately take effect, but you can still disable a rule to stop it from running.
To enable/disable an web posting rule:

1. Select Policy > Internet Behavior Control > Web Posting.

2. Select a rule, and click Enable or Disable.

Prioritiz ing Rules

The system takes the first-hit-first-serve method for the rules. And for the position of the rules, the upper it is, the
higher the priority is. If two rules have the same conditions, the rule with higher priority will be matched. You can
adjust the priority of the rules by moving their positions.
To adjust a rule's position:

1. Select Policy > Internet Behavior Control > Web Content.

2. Click Priority.

3. In the prompt, move the selected rule.

4. Click OK.

View ing Monitored Res ults of Keyw ord Bloc k ing in Web Pos ts
If you have configured web posting rule with keyword blocking, you can view the monitored results of blocking those
words.
Select Monitor > Keyword Block > Web Posting, you will see the monitored results. For more about monitoring,
refer to "Keyword Block" on Page 413.

View ing Logs of Keyw ord Bloc k ing in Web Pos ts

To see the system logs of keyword blocking in web posts, please refer to the "NBC Logs" on Page 442.

Chapter 10 Policy 337

Email Filter
The email filter function is designed to control the email sending actions according to the sender, receiver, email con-
tent and attachment, and record the sending log messages. Both the SMTP emails and the web mails (including the
Gmail encrypted mails) can be controlled.
With the combination of email filter and SSL proxy, the encrypted Gmails can be controlled. For more information about
SSL proxy, see "SSL Proxy" on Page 315.

Crea ting Em a il Filter Rule

This section describes how to configure the email filter function. Based on the conditions of users, schedules, and
sending conditions, the administrators can create proper email filter rules. And the system will deal with the matched
traffic according to the configurations.
To create email filter rule:

1. Select Policy > Internet Behavior Control > Email Filter.

2. Click New.

In the dialog box, enter values.

Option Description

Name Specifies the rule name.

Destination Specifies the destination zone for the rule.

Zone

User Type Specifies the users for the rule. The rule will be executed on the traffic of
the specified users. The user type includes the following options:

l Source address: The type of source address contains address entry,

IP, IP range, and hostname.

l User: The member of it can be role, user, and user group.

By default, the system use the address entry of any, then the rule will

338 Chapter 10 Policy

 Option Description

be executed on all traffic.

Source Address Specifies the source addresses.

1. Select an address type from the Source Address drop-down list.

2. Select or type the source addresses based on the selected type.

3. Click to add the addresses to the right pane.

4. After adding the desired addresses, click the blank area in this
dialog to complete the source address configuration.

You can also perform other operations:

l When selecting the Address Book type, you can click Add to cre-
ate a new address entry.

l The default address configuration is any. To restore the con-

figuration to this default one, select the any check box.

User Specifies a role, user or user group for the security policy rule.

1. From the User drop-down menu, select the AAA server where the
users and user groups reside. To specify a role, select Role from
the AAA Server drop-down list.

2. Based on different types of AAA server, you can execute one or

more actions: search a user/user group/role, expand the user-
/user group list, enter the name of the user/user group.

3. After selecting users/user groups/roles, click to add the

them to the right pane.

4. After adding the desired objects, click the blank area in this dia-
log to complete the user configuration.

Schedule Specifies the schedule of the rule. The rule will take effect in the period
defined by the schedule. By default, no schedule is specified, and the
rule is available all the time.

Select the check boxes of the wanted schedules in the list or create new
schedules by clicking New Schedule.

Control Type All emails - This option applies to all the sending emails.

l Record Log - Select this check box if you want all emails to be
logged.

Specific mail items - This option applies to specific mail items.

Chapter 10 Policy 339

 Option Description

To configure the email sender:

1. Click Sender.

2. In the prompt, enter sender's email address.

3. Click Add.

4. You may select to block the sender or keep a record.

5. Click OK.

To configure the email receiver:

1. Click Sender.

2. In the prompt, enter email receiver's email address.

3. Click Add.

4. You may select to block the receiver or keep a record.

5. Click OK.

To configure the email content keywords:

1. Click email content.

2. In the prompt, click Add. See the Keyword Category part in "Con-
figuring Internet Behavior Control Objects" on Page 322.

3. You may select to block the email containing keywords or keep a

record.

Other Select an action for emails other than which

emails are added above.

Exclusive Mailbox

Exclusive Mail- To configure mail addresses that do not follow the regulations of email
box filter:

1. Click Exclusive Mailbox.

2. In the prompt, enter emails that do not obey email filter.

3. Click Add, and you can add more.

4. Click OK.

If needed, you can also configure SSL proxy, keyword category, warning page, bypass domain and user exception.
To configure those feature, click Configuration on the right top corner of the Email Filter list page.

340 Chapter 10 Policy

 Option Description

Keyword Cat- Use the keyword category function to customize the keyword categories.
egory You can use it to specify the keyword for the URL category/Web post-
ing/email filter functions.

SSL Proxy Decrypt the traffic encrypted by the SSL protocol.

Warning Page l Block warning: When your network access is blocked, you will be
prompted with a warning page in the Web browser.

l Audit warning: When your network access is audited, you will be

prompted with a warning page in the Web browser.
Bypass Domain Domains that are not controlled by the internet behavior control rules.
User Exception Users that are not controlled by the internet behavior control rules.

Note:
l If an email filter rule has added all three of Audit/Block Sender, Receiver and email content,
the rule will take effect when one of them is hit.

l You can export logs to a designated destination. Refer to "Log Configuration" on Page 443.

l By default, a rule will immediately take effect after you click OK to complete configuration.

Ena bling/D is a bling a Rule

By default, a complete rule will immediately take effect, but you can still disable a rule to stop it from running.
To enable/disable an email filter rule:

1. Select Policy > Internet Behavior Control > Email Filter.

2. Select a rule, and click Enable or Disable.

Prioritiz ing Rules

The system takes the first-hit-first-serve method for the rules. And for the position of the rules, the upper it is, the
higher the priority is. If two rules have the same conditions, the rule with higher priority will be matched. You can
adjust the priority of the rules by moving their positions.
To adjust a rule:

1. Select Policy > Internet Behavior Control > Email Filter.

2. Click Priority.

3. In the prompt, move the selected rule.

4. Click OK.

View ing Monitored Res ults of Em a il Keyw ord Bloc k ing

If you have configured email filter with keyword blocking, you can view the monitored results of blocking those words.
Select Monitor > Keyword Block > Email Content, you will see the monitored results. For more about monitoring,
refer to "Email Content" on Page 414.

View ing Logs of Em a ils Keyw ord Bloc k ing

To see the system logs of email's keywords, please refer to the "NBC Logs" on Page 442.

Chapter 10 Policy 341

I M Co ntro l
The IM control function is designed to control and audit the IM chatting actions. By creating the IM control rule, you
can control MSN, QQ, and Yahoo! messenger, and record the login/logout messages.

Crea ting IM Control Rule

To create an IM control rule:

1. Select Policy > Internet Behavior Control > IM Control.

2. Click New.

In the IM Control Rule Configuration dialog box, enter values

Option Description

Name Specifies the rule name.

Destination Zone Specifies the destination zone for the rule.

User Type Specifies the users for the rule. The rule will be executed on the traffic
of the specified users. The user type includes the following options:

l Source address: The type of source address contains address

entry, IP, IP range, and hostname.

l User: The member of it can be role, user, and user group.

By default, the system use the address entry of any, then the rule will
be executed on all traffic.

Source Address Specifies the source addresses.

342 Chapter 10 Policy

 Option Description

1. Select an address type from the Source Address drop-down

list.

2. Select or type the source addresses based on the selected type.

3. Click to add the addresses to the right pane.

4. After adding the desired addresses, click the blank area in this
dialog to complete the source address configuration.

You can also perform other operations:

l When selecting the Address Book type, you can click Add to cre-
ate a new address entry.

l The default address configuration is any. To restore the con-

figuration to this default one, select the any check box.

User Specifies a role, user or user group for the security policy rule.

1. From the User drop-down menu, select the AAA server where
the users and user groups reside. To specify a role, select Role
from the AAA Server drop-down list.

2. Based on different types of AAA server, you can execute one or

more actions: search a user/user group/role, expand the user-
/user group list, enter the name of the user/user group.

3. After selecting users/user groups/roles, click to add the

them to the right pane.

4. After adding the desired objects, click the blank area in this dia-
log to complete the user configuration.

Schedule Specifies the schedule of the rule. The rule will take effect in the period
defined by the schedule. By default, no schedule is specified, and the
rule is available all the time.

Select the check boxes of the wanted schedules in the list or create new
schedules by clicking New Schedule.

Action

MSN To controls the MSN chatting behavior:

1. Type a MSN account into the Account box.

2. Click Add. The added account will be shown in the list below.

3. Select the action check boxes for the accounts in the account list.

Chapter 10 Policy 343

 Option Description

l Block: Blocks the MSN account.

l Log: Records the login/logout log messages of the MSN

account.

4. If necessary, under the Other MSN account part, specify the

actions for the other MSN accounts than accounts added here.
You can block or just log about other accounts.

QQ To controls the QQ chatting behavior:

1. Type a QQ account into the Account box.

2. Click Add. The added account will be shown in the list below.

3. Select the action check boxes for the accounts in the account list.

l Block: Blocks the QQ account.

l Log: Records the login/logout log messages of the QQ

account.

4. If necessary, under the Other QQ account part, specify the

actions for the other QQ accounts than accounts added here. You
can block or just log about other accounts.

Yahoo!Messenger To controls the Yahoo!Messenger chatting behavior:

1. Type a Yahoo!Messenger account into the Account box.

2. Click Add. The added account will be shown in the list below.

3. Select the action check boxes for the accounts in the account list.

l Block: Blocks the Yahoo!Messenger account.

l Log: Records the login/logout log messages of the

Yahoo!Messenger account.

4. If necessary, under the Other Yahoo!Messenger account part,

specify the actions for the other Yahoo!Messenger accounts than
accounts added here. You can block or just log about other
accounts.

3. Click OK.
If necessary, you can configure some additional features by going to the right top corner and click Configuration.

Option Description

User Exception Users that are not controlled by the internet behavior control rules.

344 Chapter 10 Policy

 Note:
l You can export logs to a designated destination. Refer to "Log Configuration" on Page 443.

l By default, a rule will immediately take effect after you click OK to complete configuration.

Ena bling/D is a bling a Rule

By default, a complete rule will immediately take effect, but you can still disable a rule to stop it from running.
To enable/disable an IM control rule:

1. Select Policy > Internet Behavior Control > IM Control.

2. Select a rule, and click Enable or Disable.

Prioritiz ing Rules

The system takes the first-hit-first-serve method for the rules. And for the position of the rules, the upper it is, the
higher the priority is. If two rules have the same conditions, the rule with higher priority will be matched. You can
adjust the priority of the rules by moving their positions.
To adjust a rule's position:

1. Select Policy > Internet Behavior Control > IM Control.

2. Click Priority.

3. In the prompt, move the selected rule.

4. Click OK.

View ing Logs of IM Cha tting

To see the system logs of IM chatting, please refer to the "NBC Logs" on Page 442.

Chapter 10 Policy 345

H TTP/ FTP Co ntro l
The HTTP/FTP control function is designed to control and audit (record log messages) the actions of HTTP and FTP
applications, including:

l Behavior control and audit of controlling the actions of Login, Get, and Put action in FTP;

l Behavior control and audit of controlling the actions of Connect, Get, Put, Head, Options, Post, Trace, Delete in
HTTP.

l Blocking downloading specific format files (e.g. bat and com), ActiveX and Java Applet objects.

Crea ting H T T P/FT P Control Rule

To create an HTTP/FTP behavior control rule:

1. Select Policy > Internet Behavior Control > HTTP/FTP Control.

2. Click New.

In the HTTP/FTP Control Rule Configuration dialog box, enter values.

Option Description

Name Specifies the rule name.

Destination Specifies the destination zone for the rule.
Zone
User Type Specifies the users for the rule. The rule will be executed on the traffic of
the specified users. The user type includes the following options:

l Source address: The type of source address contains address entry,

IP, IP range, and hostname.

l User: The member of it can be role, user, and user group.

By default, the system use the address entry of any, then the rule will be
executed on all traffic.

Source Address Specifies the source addresses.

346 Chapter 10 Policy

 Option Description
1. Select an address type from the Source Address drop-down list.

2. Select or type the source addresses based on the selected type.

3. Click to add the addresses to the right pane.

4. After adding the desired addresses, click the blank area in this dia-
log to complete the source address configuration.
You can also perform other operations:

l When selecting the Address Book type, you can click Add to cre-
ate a new address entry.

l The default address configuration is any. To restore the con-

figuration to this default one, select the any check box.
User Specifies a role, user or user group for the security policy rule.

1. From the User drop-down menu, select the AAA server where the
users and user groups reside. To specify a role, select Role from
the AAA Server drop-down list.

2. Based on different types of AAA server, you can execute one or

more actions: search a user/user group/role, expand the user-
/user group list, enter the name of the user/user group.

3. After selecting users/user groups/roles, click to add the them

to the right pane.

4. After adding the desired objects, click the blank area in this dialog
to complete the user configuration.
Schedule Specifies the schedule of the rule. The rule will take effect in the period
defined by the schedule. By default, no schedule is specified, and the
rule is available all the time.
Select the check boxes of the wanted schedules in the list or create new
schedules by clicking New Schedule.
Action

FTP Controls the FTP methods, including Login, Get, and Put. Expand FTP,
and configure the FTP control options.

l From the first drop-down list, select the method to be controlled, it

can be GET, PUT, or Login.

l Type the file name (for the method of GET or PUT) or user name
(for the method of Login) into the next box.

l From the second drop-down list, select the action. It can be Block
or Permit.

l From the third drop-down list, specify whether to record the log
messages.

l Click Add.

l Repeat Step 1 to 5 to add more control entries. To edit/delete a con-

trol entry, select the entry from the list, and then click Edit or
Delete.

Chapter 10 Policy 347

 Option Description

HTTP Controls the HTTP methods, including Connect, GET, PUT, Head,
Options, Post, Trace, and Delete. Expand HTTP, and configure the HTTP
control options.

l From the first drop-down list, select the method to be controlled, it

can be Connect, GET, PUT, Head, Options, Post, Trace, or Delete.

l Type the domain name into the next box.

l From the second drop-down list, select the action. It can be Block
or Permit.

l From the third drop-down list, specify whether to record the log
messages.

l Click Add.

l Repeat Step 1 to 5 to add more control entries. To edit/delete a con-

trol entry, select the entry from the list, and then click Edit or
Delete.
Block HTTP Blocks the download of HTTP binary files, ActiveX, and Java Applet.
Download Expand Block HTTP download, and select the check boxes of the file
types to be blocked.

3. Click OK.
If necessary, you can configure some additional features by going to the right top corner and click Configuration.

Option Description

Warning Page l Block warning: When your network access is blocked, you will be
prompted with a warning page in the Web browser.

l Audit warning: When your network access is audited, you will be

prompted with a warning page in the Web browser.
Bypass Domain Domains that are not controlled by the internet behavior control rules.
User Exception Users that are not controlled by the internet behavior control rules.

Note:
l You can export logs to a designated destination. Refer to "Log Configuration" on Page 443.

l By default, a rule will immediately take effect after you click OK to complete configuration.

Ena bling/D is a bling a Rule

By default, a complete rule will immediately take effect, but you can still disable a rule to stop it from running.
To enable/disable an HTTP/FTP control rule:

1. Select Policy > Internet Behavior Control > HTTP/FTP Control.

2. Select a rule, and click Enable or Disable.

Prioritiz ing Rules

The system takes the first-hit-first-serve method for the rules. And for the position of the rules, the upper it is, the
higher the priority is. If two rules have the same conditions, the rule with higher priority will be matched. You can
adjust the priority of the rules by moving their positions.

348 Chapter 10 Policy

To adjust a rule:

1. Select Policy > Internet Behavior Control > HTTP/FTP Control.

2. Click Priority.

3. In the prompt, move the selected rule.

4. Click OK.

View ing Logs of H T T P/FT P Beha vior Control

To see the system logs of HTTP/FTP behavior control, please refer to the "NBC Logs" on Page 442.

Chapter 10 Policy 349

Global Blacklist
After adding the IP addresses or services to the global blacklist, the system will perform the block action to the IP
address and service until the block duration ends. You can manually add IP addresses or services to the blacklist and
the system can also automatically add the IP addresses or services to the blacklist after you configure the IPS module.
Configuring global blacklist including IP block settings and service block settings.

Co nfiguring I P B lo ck Settings
To configure the IP block settings:

1. Select Policy > Global Blacklist > IP Block.

2. Click New. The Block IP Configuration dialog appears.

Configure the corresponding options.

Option Description

Virtual Router Selects the virtual router that the IP address belongs to.

IP Types the IP address that you want to block. This IP address can be not
only the source IP address, but also the destination IP address.

Blocked Dur- Types the duration that the IP address will be blocked. The unit is
ation second. The value ranges from 60 to 3600. The default value is 60.

3. Click OK to save the settings.

Co nfiguring Service B lo ck Settings

To configure the service block settings:

1. Select Policy > Global Blacklist > Service Block.

2. Click New. The Block Service Configuration dialog appears.

350 Chapter 10 Policy

 Configure the corresponding options.
Option Description

Virtual Router Selects the virtual router that the IP address belongs to.

Source IP Types the source IP address of the blocked service. The service block func-
tion will block the service from the source IP address to the destination IP
address.

Destination IP Types the destination IP address of the blocked service.

Port Types the port number of the blocked service.
Protocol Selects the protocol of the blocked service.
Blocked Dur- Types the duration that the IP address will be blocked. The unit is
ation second. The value ranges from 60 to 3600. The default value is 60.

3. Click OK to save the settings.

Chapter 10 Policy 351

Chapter 11 Threat Prevention

Threat prevention, that device can detect and block network threats occur. By configuring the threat protection func-
tion, Hillstone device can defense network attacks, and reduce losses caused by internal network.
Threat protection includes:

l Anti Virus: can detect the common file types and protocol types which are most likely to carry the virus and pro-
tect. Hillstone device can detect protocol types of POP3, HTTP, SMTP, IMAP4 and FTP, and the file types of archives
(including GZIP, BZIP2, TAR, ZIP and RAR-compressed archives), PE , HTML, MAIL, RIFF and JPEG.

l Intrusion Prevention: can detect and protect against mainstream application layer protocols (DNS, FTP, POP3,
SMTP, TELNET, MYSQL, MSSQL, ORACLE, NETBIOS), against web-based attacks and common Trojan attacks.

l Attack Defense: detect various types of network attacks, and take appropriate actions to protect Intranet against
malicious attacks, thus assuring the normal operation of the Intranet and systems.

l Perimeter Traffic Filtering: can filter the perimeter traffic based on known IP of black/white list, and take block
action on the malicious traffic that hits the blacklist.
The threat protection configurations based on security zones and policies.

l If a security zone is configured with the threat protection function, the system will perform detection on the traffic
that is destined to the binding zone specified in the rule, and then do according to what you specified.

l If a policy rule is configured with the threat protection function, the system will perform detection on the traffic
that is destined to the policy rule you specified, and then response.

l The threat protection configurations in a policy rule is superior to that in a zone rule if specified at the same time,
and the threat protection configurations in a destination zone is superior to that in a source zone if specified at the
same time.

Note:

l Currently, you can only enable the Anti Virus and Intrusion Prevention function based on
policies.

l Threat protection is controlled by license. To use Threat protection, apply and install the
Threat Protection( TP) license, 、 Anti Virus( AV) license orIntrusion Prevention System
( IPS) license.

Threat Protection Signature Database

Threat protection signature database includes a variety of virus signatures, Intrusion prevention signatures, Peri-
meter traffic filtering signatures, . By default system updates the threat protection signature database everyday auto-
matically. You can change the update configuration as needed. Hillstone devices provide two default update servers:
update1.hillstonenet.com and update2.hillstonenet.com. Hillstone device supports auto update and local update. Non-
root VSYS does not support to update signature database.
According to the severity, signatures can be divided into three security levels: critical, warning and informational.
Each level is described as follows:

l Critical: Critical attacking events, such as buffer overflows.

l Warning: Aggressive events, such as over-long URLs.

l Informational: General events, such as login failures.

Chapter 11 Threat Prevention 352

Anti Virus
This feature may not be available on all platforms. Please check your system's actual page to see if your device delivers
this feature.
System is designed with Anti-Virus that is controlled by licenses to provide AV solution featuring high speed, high per-
formance and low delay. With this function configured in StoneOS, Hillstone devices can detect various threats includ-
ing worms, Trojans, malware, malicious websites, etc., and proceed with the configured actions.
Anti Virus function can detect the common file types and protocol types which are most likely to carry the virus and pro-
tect. Hillstone device can detect protocol types of POP3, HTTP, HTTPS, SMTP, IMAP4 and FTP, and the file types of
archives (including GZIP, BZIP2, TAR, ZIP and RAR-compressed archives), PE , HTML, MAIL, RIFF and JPEG.
The virus signature database includes over 10,000 signatures, and supports both daily auto update and real-time
local update. See "Security Policy" on Page 274.

Note: Anti Virus is controlled by license. To use Anti Virus, apply and install the Anti Virus
( AV) license.

353 Chapter 11 Threat Prevention

Co nfiguring Anti-V irus
This chapter includes the following sections:

l Preparation for configuring Anti-Virus function

l Configuring Anti-Virus function

l Configuring Anti-Virus global parameters

Prepa ring
Before enabling Anti-Virus, make the following preparations:

1. Make sure your system version supports Anti-Virus.

2. Import an Anti-Virus license and reboot. The Anti-Virus will be enabled after the rebooting.

Note:

l You need to update the Anti-Virus signature database before enabling the function for the
first time. For more information about how to configure the update. To assure a proper con-
nection to the default update server, you need to configure a DNS server for StoneOS
before updating.

l Except M8860/M8260/M7860/M7360/M7260， if Anti-Virus is enabled, the max amount of

concurrent sessions will decrease by half.

Configuring Anti-Virus Func tion

The Anti-Virus configurations are based on security zones or policies.

l If a security zone is configured with the Anti-Virus function, the system will perform detection on the traffic that is
destined to the binding zone specified in the rule, and then do according to what you specified.

l If a policy rule is configured with the threat protection function, the system will perform detection on the traffic
that is destined to the policy rule you specified, and then response.

l The threat protection configurations in a policy rule is superior to that in a zone rule if specified at the same time,
and the threat protection configurations in a destination zone is superior to that in a source zone if specified at the
same time.

l To perform the Anti-Virus function on the HTTPS traffic, see the policy-based Anti-Virus.
To realize the zone-based Anti-Virus:

1. Create a zone. For more information about how to create, refer to "Security Zone" on Page 35.

2. In the Zone Configuration dialog, select Threat Protection tab.

3. Enable the threat protection you need, and select an Anti-Virus rules from the profile drop-down list below; or you
can click Add Profile from the profile drop-down list below, to creat an Anti-Virus rule, see Configuring_Anti-
Virus_Rule.

4. Click OK to save the settings.

To realize the policy-based Anti-Virus:

1. Create a security policy rule. For more information, refer to "Security Policy" on Page 274.

2. In the Policy Configuration dialog, select the Protection tab.

Chapter 11 Threat Prevention 354

3. Select the Enable check box of Antivirus. Then select an Anti-Virus rule from the Profile drop-down list. Or you
can click Add Profile from the Profile drop-down list to creat an Anti-Virus rule. For more information, see Con-
figuring_Anti-Virus_Rule.

4. To perform the Anti-Virus function on the HTTPS traffic, you need to enable the SSL proxy function for the above
specified security policy rule. The system will decrypt the HTTPS traffic according to the SSL proxy profile and
then perform the Anti-Virus function on the decrypted traffic.

According to the various configurations of the security policy rule, the system will perform the fol-
lowing actions:
Policy Rule Con-
Actions
figurations
SSL proxy The system decrypts the HTTPS traffic according to the SSL proxy profile
enabled but it does not perform the Anti-Virus function on the decrypted traffic.
Anti-Virus dis-
abled
SSL proxy The system decrypts the HTTPS traffic according to the SSL proxy profile
enabled and performs the Anti-Virus function on the decrypted traffic.
Anti-Virus
enabled
SSL proxy dis- The system performs the Anti-Virus function on the HTTP traffic accord-
abled ing to the Anti-Virus profile. The HTTPS traffic will not be decrypted and
the system will transfer it.
Anti-Virus
enabled

If the destination zone or the source zone specified in the security policy rule are configured with Anti-Virus as
well, the system will perform the following actions:

Policy Rule Con- Zone Con-

Actions
figurations figurations
SSL proxy Anti-Virus The system decrypts the HTTPS traffic according to the
enabled enabled SSL proxy profile and performs the Anti-Virus function
on the decrypted traffic according to the Anti-Virus rule
Anti-Virus dis-
of the zone.
abled
SSL proxy Anti-Virus The system decrypts the HTTPS traffic according to the
enabled enabled SSL proxy profile and performs the Anti-Virus function
on the decrypted traffic according to the Anti-Virus rule
Anti-Virus
of the policy rule.
enabled
SSL proxy dis- Anti-Virus The system performs the Anti-Virus function on the
abled enabled HTTP traffic according to the Anti-Virus rule of the
policy rule. The HTTPS traffic will not be decrypted and
Anti-Virus
the system will transfer it.
enabled

5. Click OK to save the settings.

Configuring a n Anti- Virus Rule

To configure an Anti-Virus rule:

1. Select Object > Antivirus > Profile.

2. Click New.

355 Chapter 11 Threat Prevention

 In the Anti-Virus Rules Configuration dialog , enter the Anti-Virus rule configurations.
Option Description

Rule Name Specifies the rule name.

File Types Specifies the file types you want to scan. It can be GZIP, JPEG, MAIL, RAR,
HTML.
Protocol Types Specifies the protocol types (HTTP, SMTP, POP3, IMAP4, FTP) you want
to scan and specifies the action the system will take after virus is found.

l Fill Magic - Processes the virus file by filling magic words, i.e., fills
the file with the magic words (Virus is found, cleaned) from the
beginning to the ending part of the infected section.

l Log Only - Only generates log.

l Warning - Pops up a warning page to prompt that a virus has been

detected. This option is only effective to the messages transferred
over HTTP.

l Reset Connection - If virus has been detected, system will reset con-
nections to the files.

Malicious Web- Select the check box behind Malicious Website Access Control to enable
site Access Con- the function.
trol
Action Specifies the action the system will take after the malicious website is
found.

l Log Only - Only generates log.

l Reset Connection - If malicious website has been detected, system

will reset connections to the files.

l Return to the Alarm Page - Pops up a warning page to prompt that

a malicious website has been detected.This option is only effective
to the messages transferred over HTTP.

Enable label e- If an email transferred over SMTP is scanned, you can enable label email
mail to scan the email and its attachment(s). The scanning results will be
included in the mail body, and sent with the email. If no virus has been
detected, the message of "No virus found" will be labeled; otherwise
information related to the virus will be displayed in the email, including
the filename, result and action.
Type the end message content into the box. The range is 1 to 128.

Chapter 11 Threat Prevention 356

3. Click OK.

Note: By default, according to virus filtering protection level, system comes with three default
virus filtering rules: predef_low, predef_middle, predef_high. The default rule is not allowed
to edit or delete.

Configuring Anti- Virus G loba l P a ra me te rs

To configure the AV global parameters:

1. Select Object > Antivirus > Configuration.

In AV Global Configuration section, enter the AV global configurations.

Option Description

Antivirus Select/clear the Enable check box to enable/disable Anti-Virus.

Max Decom- By default StoneOS can scan the files of up to 5 decompression layers. To
pression Layer specify a decompression layer, select a value from the drop-down list.
The value range is 1 to 5.
Exceed Action Specifies an action for the compressed files that exceed the max decom-
pression layer. Select an action from the drop-down list:

l Log Only - Only generates logs but will not scan the files. This action
is enabled by default.

l Reset Connection - If virus has been detected, StoneOS will reset con-
nections to the files.

Encrypted Com- Specifies an action for encrypted compressed files:

pressed File
l ------ - Will not take any special anti-virus actions against the files,
but might further scan the files according to the configuration.

l Log Only - Only generates logs but will not scan the files.

l Reset Connection - Resets connections to the files.

2. Click OK.

357 Chapter 11 Threat Prevention

 Intrusion Prevention System
IPS, the abbreviation for Intrusion Prevention System, is designed to monitor various network attacks in real time and
take appropriate actions (like block) against the attacks according to your configuration.
The IPS can implement a complete state-based detection which significantly reduces the false positive rate. Even if the
device is enabled with multiple application layer detections, enabling IPS will not cause any noticeable performance
degradation. Besides, StoneOS will update the signature database automatically everyday to assure its integrity and
accuracy.

l IPS supports IPv6 address if the IPv6 function is enabled.

l By integrating with the SSL proxy function, IPS can monitor the HTTPS traffic.
The protocol detection procedure of IPS consists of two stages: signature matching and protocol parse.

l Signature matching: IPS abstracts the interested protocol elements of the traffic for signature matching. If the ele-
ments are matched to the items in the signature database, the system will process the traffic according to the
action configuration. This part of detection is configured in the Select Signature section.

l Protocol parse: IPS analyzes the protocol part of the traffic. If the analyze results shows the protocol part contains
abnormal contents, the system will process the traffic according to the action configuration. This part of detection
is configured in the Protocol Configuration section.

Note: Intrusion Prevention System is controlled by license. To use Threat protection, apply
and install the Intrusion Prevention System (IPS) license.

Signatures
The IPS signatures are categorized by protocols, and identified by a unique signature ID. The signature ID consists of
two parts: protocol ID (1st bit or 1st and 2nd bit) and attacking signature ID (the last 5 bits). For example, in ID
605001, "6" identifies a Telnet protocol, and "00120" is the attacking signature ID. 1st bit in signature ID identify pro-
tocol anomaly signatures, the others identify attacking signatures. The mappings between IDs and protocols are
shown in the table below:

ID Protocol ID Protocol ID Protocol ID Protocol

1 DNS 7 Other-TCP 13 TFTP 19 NetBIOS

2 FTP 8 Other-UDP 14 SNMP 20 DHCP
3 HTTP 9 IMAP 15 MySQL 21 LDAP
4 POP3 10 Finger 16 MSSQL 22 VoIP
5 SMTP 11 SUNRPC 17 Oracle - -
6 Telnet 12 NNTP 18 MSRPC - -

In the above table, Other-TCP identifies all the TCP protocols other than the standard TCP protocols listed in the table,
and Other-UDP identifies all the UDP protocols other than the standard UDP protocols listed in the table.

Chapter 11 Threat Prevention 358

Co nfiguring I PS
This chapter includes the following sections:

l Preparation for configuring IPS function

l Configuring IPS function

Prepa ra tion
Before enabling IPS, make the following preparations:

1. Make sure your system version supports IPS.

2. Import an Prevention System (IPS) license and reboot. The IPS will be enabled after the rebooting.

Note: Except M8860/M8260/M7860/M7360/M7260, if IPS is enabled, the max amount of con-

current sessions will decrease by half.

Configuring IPS Func tion

The IPS configurations are based on security zones or policies.

l To perform the IPS function on the HTTPS traffic, see the policy-based IPS.
To realize the zone-based IPS:

1. Create a zone. For more information about how to create, refer to "Security Zone" on Page 35.

2. In the Zone Configuration dialog, select Threat Protection tab.

3. Enable the IPS you need, and select an IPS rules from the profile drop-down list below; or you can click Add Pro-
file from the profile drop-down list below, to creat an IPS rule, see Configuring_an_IPS_Rule.

4. Click a direction (Inbound, Outbound, Bi-direction). The IPS rule will be applied to the traffic that is matched with
the specified security zone and direction.
To realize the policy-based IPS:

1. Create a policy rule. For more information about how to create, refer to "Security Policy" on Page 274.

2. In the Policy Configuration dialog, select the Protection tab.

3. Select the Enable check box of IPS. Then select an IPS rule from the Profile drop-down list. Or you can click Add
Profile from the Profile drop-down list to creat an IPS rule. For more information, see Configuring_an_IPS_Rule.

4. To perform the IPS function on the HTTPS traffic, you need to enable the SSL proxy function for the above spe-
cified security policy rule. The system will decrypt the HTTPS traffic according to the SSL proxy profile and then
perform the IPS function on the decrypted traffic.

According to the various configurations of the security policy rule, the system will perform the fol-
lowing actions:
Policy Rule Con-
Actions
figurations
SSL proxy The system decrypts the HTTPS traffic according to the SSL proxy profile
enabled but it does not perform the IPS function on the decrypted traffic.
IPS disabled
SSL proxy The system decrypts the HTTPS traffic according to the SSL proxy profile

359 Chapter 11 Threat Prevention

 Policy Rule Con-
Actions
figurations
enabled and performs the IPS function on the decrypted traffic.
IPS enabled
SSL proxy dis- The system performs the IPS function on the HTTP traffic according to
abled the IPS profile. The HTTPS traffic will not be decrypted and the system
will transfer it.
IPS enabled

If the destination zone or the source zone specified in the security policy rule are configured with IPS as well, the
system will perform the following actions:

Policy Rule Con- Zone Con-

Actions
figurations figurations
SSL proxy IPS enabled The system decrypts the HTTPS traffic according to the
enabled SSL proxy profile and performs the IPS function on the
decrypted traffic according to the IPS rule of the zone.
IPS disabled
SSL proxy IPS enabled The system decrypts the HTTPS traffic according to the
enabled SSL proxy profile and performs the IPS function on the
decrypted traffic according to the IPS rule of the policy
IPS enabled
rule.
SSL proxy dis- IPS enabled The system performs the IPS function on the HTTP
abled traffic according to the IPS rule of the policy rule. The
HTTPS traffic will not be decrypted and the system will
IPS enabled
transfer it.

5. Click OK to save the settings.

Configuring a n IP S Rule
System has two default IPS rules: predef_default and predef_loose. The predef_default rule includes all the IPS
signatures and its default action is reset. The predef_loose includes all the IPS signatures and its default action is log
only.
To configure an IPS rule:

1. Select Object > Intrusion Prevention System > Profile.

2. Click New to create a new IPS rule. To edit an existing one, select the check box of this rule and then click Edit. To
view it, click the name of this rule.

3. Type the name into the Rule name box.

Chapter 11 Threat Prevention 360

4. In the Select Signature area, the existing signature sets and their settings will be displays in the table. Select
the desired signature sets. You can also manage the signature sets, including New, Edit, and Delete.

Click New to create a new signature set rule.

Option Description
Creating a new signature set contains:

l Select By: Select the method of how to choose the signature set. There are two meth-
ods: Filter and Search Condition.

l Action: Specify the action performed on the abnormal traffic that match the signature
set.
Select By
Filter The system categorizes the signatures according to the following aspects
(aka main categories): affected OS, attack type, protocol, severity, released
year, affected application, and bulletin board. A signature can be in several
subcategories of one main category. For example, the signature of ID 105001
is in the Linux subcategory, the FreeBSD subcategory, and Other Linux sub-
category at the same time.

With Filter selected, the system displays the main categories and sub-
categories above. You can select the subcategories to choose the signatures
in this subcategory. As shown below, after selecting the Web Attack sub-
category in the Attack Type main category, the system will choose the sig-
natures related to this subcategory. To view the detailed information of
these chosen signatures, you can click the ID in the table.

When selecting main category and subcategory, note the following matters:

l You can select multiple subcategories of one main category. The logic
relation between them is OR.

l The logic relation between each main category is AND.

l For example, you have selected Windows and Linux in OS and select
HIGH in Severity. The chosen signatures are those whose severity is
high and meanwhile whose affected operating system is either Win-
dows or Linux.

361 Chapter 11 Threat Prevention

 Option Description

Search Condi- Enter the information of the signatures and press Enter to search the sig-
tion natures. The system will perform the fuzzy matching in the following field:
attack ID, attack name, description, and CVE-ID.

In the search results displayed in the table, select the check box of the

desired signatures. Then click to add them to the right pane.

The ID displayed in the right pane are the ones that are included in this sig-
nature set.

To add all signatures in the left to the right, click .

Use or to cancel the selected signatures or all

signatures in the right.
Action
Log Only Record a log.

Reset connections (TCP) or sends destination unreachable packets (UDP) and

Reset
also generates logs
Block the IP address of the attacker. Specify a block duration. The value
Block IP
range is 60 to 3600 seconds, and the default value is 60.
Block the service of the attacker. Specify a block duration. The value range is
Block Service
60 to 3600 seconds, and the default value is 60.
Note: You create several signature sets and some of them contain a particular signature. If
the actions of these signature sets are different and the attack matches this particular sig-
nature , the system will adopt the following rules:

l Always perform the stricter action on the attack. The signature set with stricter
action will be matched. The strict level is: Block IP > Block Service > Rest > Log
Only. If one signature set is Block IP with 15s and the other is Block Service with 30s,
the final action will be Block IP with 30s.

l The action of the signature set created by Search Condition has high priority than the
action of the signature set created by Filter.

5. Click OK to complete signature set configurations.

6. In the Protocol Configuration area, click . The protocol configurations specify the requirements that the pro-
tocol part of the traffic must meet. If the protocol part contains abnormal contents, the system will process the
traffic according to the action configuration. The system supports the configurations of HTTP, DNS, FTP, MSRPC,
POP3, SMTP, SUNRPC, and Telnet.

In the HTTP tab, select the Protocol tab, and configure the following settings:

Chapter 11 Threat Prevention 362

 Option Description
Max Scan Length: Specify the maximum length of scanning when scan-
ning the HTTP packets.
Protocol Anomaly Detection: Select Enable to analyze the HTTP packets.
If abnormal contents exist, you can:

l Action: Log Only - Record a log. Rest - Reset connections (TCP) or

sends destination unreachable packets (UDP) and also generates
logs. Block IP - Block the IP address of the attacker and specify a
block duration. Block Service - Block the service of the attacker and
specify a block duration.
Banner Detection: Select the Enable check box to enable protection
HTTP against HTTP server banners.

l Banner information - Type the new information into the box that
will replace the original server banner information.
Max URI Length: Specify a max URI length for the HTTP protocol. If the
URI length exceeds the limitation, you can:

l Action: Log Only - Record a log. Rest - Reset connections (TCP) or

sends destination unreachable packets (UDP) and also generates
logs. Block IP - Block the IP address of the attacker and specify a
block duration. Block Service - Block the service of the attacker and
specify a block duration.
Allowed Methods: Specify the allowed HTTP methods.

To protect the Web server, select Web Server in the HTTP tab.
Protecting the Web server means the system can detect the following attacks: SQL injection, XSS injection,
external link check, ACL, and HTTP request flood and take actions when detecting them. A pre-defined Web server
protection rule named default is built in. By default, this protection rule is enabled and cannot be disabled or
deleted.
Configure the following settings to protect the Web server:

Option Description

Name Specify the name of the Web server protection rule.

Configure Specify domains protected by this rule.
Domain
Click the link and the Configure Domain dialog appears. Enter the
domain names in the Domain text box. At most 5 domains can be con-
figured. The traffic to these domains will be checked by the protection
rule.
The domain name of the Web server follows the longest match rule from
the back to the front. The traffic that does not match any rules will match
the default Web server. For example, you have configured two protection
rules: rule1 and rule2. The domain name in rule1 is abc.com. The domain
name in rule2 is email.abc.com. The traffic that visits news.abc.com will
match rule1, the traffic that visits www.email.abc.com will math rule2, and
the traffic that visits www.abc.com.cn will match the default protection
rule.

SQL Injection Pro- Select the Enable check box to enable SQL injection check.
tection
l Action: Log Only - Record a log. Rest - Reset connections (TCP) or
sends destination unreachable packets (UDP) and also generates
logs. Block IP - Block the IP address of the attacker and specify a

363 Chapter 11 Threat Prevention

 Option Description
block duration. Block Service - Block the service of the attacker and
specify a block duration.

l Sensitivity: Specifies the sensitivity for the SQL injection protection

function. The higher the sensitivity is, the lower the false negative
rate is.

l Check point: Specifies the check point for the SQL injection check. It
can be Cookie, Cookie2, Post, Referer or URI.

XSS Injection Pro- Select the Enable check box to enable XSS injection check for the HTTP
tection protocol.

l Action: Log Only - Record a log. Rest - Reset connections (TCP) or

sends destination unreachable packets (UDP) and also generates
logs. Block IP - Block the IP address of the attacker and specify a
block duration. Block Service - Block the service of the attacker and
specify a block duration.

l Sensitivity: Specifies the sensitivity for the XSS injection protection

function. The higher the sensitivity is, the lower the false negative
rate is.

l Check point: Specifies the check point for the XSS injection check. It
can be Cookie, Cookie2, Post, Referer or URI.

External Link Select the Enable check box to enable external link check for the Web
Check server. This function controls the resource reference from the external
sites.

l External link exception: Click this link, the External Link Exception
Configuration dialog appears. All the URLs configured on this dialog
can be linked by the Web sever. At most 32 URLs can be specified for
one Web server.

l Action: Log Only - Record a log. Rest - Reset connections (TCP) or

sends destination unreachable packets (UDP) and also generates
logs.
ACL l Action: Log Only - Record a log. Rest - Reset connections (TCP) or
sends destination unreachable packets (UDP) and also generates
logs.
HTTP Request Select the Enable check box to enable the HTTP request flood protection.
Flood Protection
l Request threshold: Specifies the request threshold. When the num-
ber of HTTP connecting request per second reaches the threshold
and this lasts 20 seconds, the system will treat it as a HTTP request
flood attack, and will enable the HTTP request flood protection.
When the HTTP request flood attack is discovered, you can make the sys-
tem take the following actions:

l Authentication: Specifies the authentication method. The system

judges the legality of the HTTP request on the source IP through the
authentication. If a source IP fails on the authentication, the current
request from the source IP will be blocked. The available authen-
tication methods are:

l Auto (JS Cookie): The Web browser will finish the authen-
tication process automatically.

Chapter 11 Threat Prevention 364

 Option Description
l Auto (Redirect): The Web browser will finish the authentication
process automatically.

l Manual (Access Configuration): The initiator of the HTTP

request must confirm by clicking OK on the returned page to
finish the authentication process.

l Manual (CAPTCHA): The initiator of the HTTP request must con-

firm by entering the authentication code on the returned page
to finish the authentication process.

l Crawler-friendly: If this check box is selected, the system will not

authenticate to the crawler.

l Request limit: Specifies the request limit for the HTTP request
flood protection. After configuring the request limit, the system
will limit the request rate of each source IP. If the request rate is
higher than the limitation specified here and the HTTP request
flood protection is enabled, the system will handle the exceeded
requests according to the action specified (Block IP/Reset). To
record a log, select the Record log check box.

l Proxy limit: Specifies the proxy limit for the HTTP request flood pro-
tection. After configuring the proxy limit, the system will check
whether each source belongs to the each source IP proxy server. If
belongs to, according to configuration to limit the request rate. If
the request rate is higher than the limitation specified here and the
HTTP request flood protection is enabled, the system will handle the
exceeded requests according to the action specified (Block IP/Reset).
To record a log, select the Record log check box.

l White List: Specifies the white list for the HTTP request flood pro-
tection. The source IP added to the white list not check the HTTP
request flood protection.

In the DNS tab, configure the following settings:

Option Description
Max Scan Length: Specify the maximum length of scanning when scan-
ning the DNS packets.
Protocol Anomaly Detection: Select Enable to analyze the DNS packets.
If abnormal contents exist, you can:
DNS
l Action: Log Only - Record a log. Rest - Reset connections (TCP) or
sends destination unreachable packets (UDP) and also generates
logs. Block IP - Block the IP address of the attacker and specify a
block duration. Block Service - Block the service of the attacker and
specify a block duration.

In the FTP tab, configure the following settings:

Option Description
Max Scan Length: Specify the maximum length of scanning when scan-
ning the FTP packets.
FTP
Protocol Anomaly Detection: Select Enable to analyze the FTP packets. If
abnormal contents exist, you can:

365 Chapter 11 Threat Prevention

 Option Description
l Action: Log Only - Record a log. Rest - Reset connections (TCP) or
sends destination unreachable packets (UDP) and also generates
logs. Block IP - Block the IP address of the attacker and specify a
block duration. Block Service - Block the service of the attacker and
specify a block duration.
Banner Detection: Select the Enable check box to enable protection
against FTP server banners.

l Banner Information: Type the new information into the box that will
replace the original server banner information.
Max Command Line Length: Specifies a max length (including carriage
return) for the FTP command line. If the length exceeds the limits, you
can:

l Action: Log Only - Record a log. Rest - Reset connections (TCP) or

sends destination unreachable packets (UDP) and also generates
logs. Block IP - Block the IP address of the attacker and specify a
block duration. Block Service - Block the service of the attacker and
specify a block duration.
Max Response Line Length: Specifies a max length for the FTP response
line.If the length exceeds the limits, you can:

l Action: Log Only - Record a log. Rest - Reset connections (TCP) or

sends destination unreachable packets (UDP) and also generates
logs. Block IP - Block the IP address of the attacker and specify a
block duration. Block Service - Block the service of the attacker and
specify a block duration.
Action for Brute-force: If the login attempts per minute fail for the times
specified by the threshold, system will identify the attempts as an intru-
sion and take an action according to the configuration. Select the Enable
check box to enable brute-force. Non-root VSYS does not support this
option.

l Login Threshold per Min - Specifies a permitted authen-

tication/login failure count per minute.

l Block IP - Block the IP address of the attacker and specify a block

duration.

l Block Service - Block the service of the attacker and specify a block
duration.

l Block Time - Specifies the block duration.

In the MSRPC tab, configure the following settings:

Option Description
Max Scan Length: Specify the maximum length of scanning when scan-
ning the MSRPC packets.
Protocol Anomaly Detection: Select Enable to analyze the MSRPC pack-
MSRPC ets. If abnormal contents exist, you can:

l Action: Log Only - Record a log. Rest - Reset connections (TCP) or

sends destination unreachable packets (UDP) and also generates
logs. Block IP - Block the IP address of the attacker and specify a

Chapter 11 Threat Prevention 366

 Option Description
block duration. Block Service - Block the service of the attacker and
specify a block duration.
Max bind length: Specifies a max length for MSRPC's binding packets. If
the length exceeds the limits, you can:

l Action: Log Only - Record a log. Rest - Reset connections (TCP) or

sends destination unreachable packets (UDP) and also generates
logs. Block IP - Block the IP address of the attacker and specify a
block duration. Block Service - Block the service of the attacker and
specify a block duration.
Max request length: Specifies a max length for MSRPC's request packets.
If the length exceeds the limits, you can:

l Action: Log Only - Record a log. Rest - Reset connections (TCP) or

sends destination unreachable packets (UDP) and also generates
logs. Block IP - Block the IP address of the attacker and specify a
block duration. Block Service - Block the service of the attacker and
specify a block duration.
Action for Brute-force: If the login attempts per minute fail for the times
specified by the threshold, system will identify the attempts as an intru-
sion and take an action according to the configuration. Select the Enable
check box to enable brute-force. Non-root VSYS does not support this
option.

l Login Threshold per Min - Specifies a permitted authen-

tication/login failure count per minute.

l Block IP - Block the IP address of the attacker and specify a block

duration.

l Block Service - Block the service of the attacker and specify a block
duration.

l Block Time - Specifies the block duration.

In the POP3 tab, configure the following settings:

Option Description
Max Scan Length: Specify the maximum length of scanning when scan-
ning the POP3 packets.
Protocol Anomaly Detection: Select Enable to analyze the POP3 packets.
If abnormal contents exist, you can:

l Action: Log Only - Record a log. Rest - Reset connections (TCP) or

sends destination unreachable packets (UDP) and also generates
logs. Block IP - Block the IP address of the attacker and specify a
POP3 block duration. Block Service - Block the service of the attacker and
specify a block duration.
Banner Detection: Select the Enable check box to enable protection
against POP3 server banners.

l Banner information - Type the new information into the box that
will replace the original server banner information.
Max Command Line Length: Specifies a max length (including carriage
return) for the POP3 command line. If the length exceeds the limits, you

367 Chapter 11 Threat Prevention

 Option Description
can:

l Action: Log Only - Record a log. Rest - Reset connections (TCP) or

sends destination unreachable packets (UDP) and also generates
logs. Block IP - Block the IP address of the attacker and specify a
block duration. Block Service - Block the service of the attacker and
specify a block duration.
Max Parameter Length: Specifies a max length for the POP3 client com-
mand parameter. If the length exceeds the limits, you can:

l Action: Log Only - Record a log. Rest - Reset connections (TCP) or

sends destination unreachable packets (UDP) and also generates
logs. Block IP - Block the IP address of the attacker and specify a
block duration. Block Service - Block the service of the attacker and
specify a block duration.
Max failure time: Specifies a max failure time (within one single POP3 ses-
sion) for the POP3 server. If the failure time exceeds the limits, you can:

l Action: Log Only - Record a log. Rest - Reset connections (TCP) or

sends destination unreachable packets (UDP) and also generates
logs. Block IP - Block the IP address of the attacker and specify a
block duration. Block Service - Block the service of the attacker and
specify a block duration.
Action for Brute-force: If the login attempts per minute fail for the times
specified by the threshold, system will identify the attempts as an intru-
sion and take an action according to the configuration. Select the Enable
check box to enable brute-force. Non-root VSYS does not support this
option.

l Login Threshold per Min - Specifies a permitted authen-

tication/login failure count per minute.

l Block IP - Block the IP address of the attacker and specify a block

duration.

l Block Service - Block the service of the attacker and specify a block
duration.

l Block Time - Specifies the block duration.

In the SMTP tab, configure the following settings:

Option Description
Max Scan Length: Specify the maximum length of scanning when scan-
ning the SMTP packets.
Protocol Anomaly Detection: Select Enable to analyze the SMTP packets.
If abnormal contents exist, you can:

l Action: Log Only - Record a log. Rest - Reset connections (TCP) or

SMTP
sends destination unreachable packets (UDP) and also generates
logs. Block IP - Block the IP address of the attacker and specify a
block duration. Block Service - Block the service of the attacker and
specify a block duration.
Banner Detection: Select the Enable check box to enable protection
against SMTP server banners.

Chapter 11 Threat Prevention 368

 Option Description
l Banner information - Type the new information into the box that
will replace the original server banner information.
Max Command Line Length: Specifies a max length (including carriage
return) for the SMTP command line. If the length exceeds the limits, you
can:

l Action: Log Only - Record a log. Rest - Reset connections (TCP) or

sends destination unreachable packets (UDP) and also generates
logs. Block IP - Block the IP address of the attacker and specify a
block duration. Block Service - Block the service of the attacker and
specify a block duration.
Max Path Length: Specifies a max length for the reverse-path and for-
ward-path field in the SMTP client command. If the length exceeds the
limits, you can:

l Action: Log Only - Record a log. Rest - Reset connections (TCP) or

sends destination unreachable packets (UDP) and also generates
logs. Block IP - Block the IP address of the attacker and specify a
block duration. Block Service - Block the service of the attacker and
specify a block duration.
Max Reply Line Length: Specifies a max length reply length for the SMTP
server. If the length exceeds the limits, you can:

l Action: Log Only - Record a log. Rest - Reset connections (TCP) or

sends destination unreachable packets (UDP) and also generates
logs. Block IP - Block the IP address of the attacker and specify a
block duration. Block Service - Block the service of the attacker and
specify a block duration.
Max Text Line Length: Specifies a max length for the E-mail text of the
SMTP client. If the length exceeds the limits, you can:

l Action: Log Only - Record a log. Rest - Reset connections (TCP) or

sends destination unreachable packets (UDP) and also generates
logs. Block IP - Block the IP address of the attacker and specify a
block duration. Block Service - Block the service of the attacker and
specify a block duration.
Max Content Type Length: Specifies a max length for the content-type
of the SMTP protocol. If the length exceeds the limits, you can:

l Action: Log Only - Record a log. Rest - Reset connections (TCP) or

sends destination unreachable packets (UDP) and also generates
logs. Block IP - Block the IP address of the attacker and specify a
block duration. Block Service - Block the service of the attacker and
specify a block duration.
Max Content Filename Length: Specifies a max length for the filename of
E-mail attachment. If the length exceeds the limits, you can:

l Action: Log Only - Record a log. Rest - Reset connections (TCP) or

sends destination unreachable packets (UDP) and also generates
logs. Block IP - Block the IP address of the attacker and specify a
block duration. Block Service - Block the service of the attacker and
specify a block duration.
Max Failure Time: Specifies a max failure time (within one single SMTP
session) for the SMTP server. If the length exceeds the limits, you can:

369 Chapter 11 Threat Prevention

 Option Description
l Action: Log Only - Record a log. Rest - Reset connections (TCP) or
sends destination unreachable packets (UDP) and also generates
logs. Block IP - Block the IP address of the attacker and specify a
block duration. Block Service - Block the service of the attacker and
specify a block duration.
Action for Brute-force: If the login attempts per minute fail for the times
specified by the threshold, system will identify the attempts as an intru-
sion and take an action according to the configuration. Select the Enable
check box to enable brute-force. Non-root VSYS does not support this
option.

l Login Threshold per Min - Specifies a permitted authen-

tication/login failure count per minute.

l Block IP - Block the IP address of the attacker and specify a block

duration.

l Block Service - Block the service of the attacker and specify a block
duration.

l Block Time - Specifies the block duration.

In the SUNRPC tab, configure the following settings:

Option Description
Max Scan Length: Specify the maximum length of scanning when scan-
ning the SUNRPC packets.
Protocol Anomaly Detection: Select Enable to analyze the SUNRPC pack-
ets. If abnormal contents exist, you can:

l Action: Log Only - Record a log. Rest - Reset connections (TCP) or

sends destination unreachable packets (UDP) and also generates
logs. Block IP - Block the IP address of the attacker and specify a
block duration. Block Service - Block the service of the attacker and
specify a block duration.
Action for Brute-force: If the login attempts per minute fail for the times
specified by the threshold, system will identify the attempts as an intru-
SUNRPC sion and take an action according to the configuration. Select the Enable
check box to enable brute-force. Non-root VSYS does not support this
option.

l Login Threshold per Min - Specifies a permitted authen-

tication/login failure count per minute.

l Block IP - Block the IP address of the attacker and specify a block

duration.

l Block Service - Block the service of the attacker and specify a block
duration.

l Block Time - Specifies the block duration.

In the Telnet tab, configure the following settings:

Option Description
Max Scan Length: Specify the maximum length of scanning when scan-
Telnet
ning the Telnet packets.

Chapter 11 Threat Prevention 370

 Option Description
Protocol Anomaly Detection: Select Enable to analyze the Telnet packets.
If abnormal contents exist, you can:

l Action: Log Only - Record a log. Rest - Reset connections (TCP) or

sends destination unreachable packets (UDP) and also generates
logs. Block IP - Block the IP address of the attacker and specify a
block duration. Block Service - Block the service of the attacker and
specify a block duration.
Username/Password Max Length: Specifies a max length for the user-
name and password used in Telnet. If the length exceeds the limits, you
can:

l Action: Log Only - Record a log. Rest - Reset connections (TCP) or

sends destination unreachable packets (UDP) and also generates
logs. Block IP - Block the IP address of the attacker and specify a
block duration. Block Service - Block the service of the attacker and
specify a block duration.
Action for Brute-force: If the login attempts per minute fail for the times
specified by the threshold, system will identify the attempts as an intru-
sion and take an action according to the configuration. Select the Enable
check box to enable brute-force. Non-root VSYS does not support this
option.

l Login Threshold per Min - Specifies a permitted authen-

tication/login failure count per minute.

l Block IP - Block the IP address of the attacker and specify a block

duration.

l Block Service - Block the service of the attacker and specify a block
duration.

l Block Time - Specifies the block duration.

7. Click Save to complete the protocol configurations.

8. Click OK to complete the IPS rule configurations.

I PS Glo bal Co nfiguratio n

Configuring the IPS global settings includes:

l Enable the IPS function

l Specify how to merge logs

l Specify the work mode

Click Object > Intrusion Prevention System > Configuration to configure the IPS global settings.

Option Description

IPS Select/clear the Enable check box to enable/disable the IPS function.

Merge Log System can merge IPS logs which have the same protocol ID, the same VSYS
ID, the same Signature ID, the same log ID, and the same merging type.
Thus it can help reduce logs and avoid to receive redundant logs. The func-
tion is disabled by default.
Select the merging types in the drop-down list:

l ---- - Do not merge any logs.

371 Chapter 11 Threat Prevention

 Option Description
l Source IP - Merge the logs with the same Source IP.

l Destination IP - Merge the logs with the same Destination IP.

l Source IP, Destination IP - Merge the logs with the same Source IP
and the same Destination IP.
Mode Specifies a working mode for IPS:

l IPS - If attacks have been detected, StoneOS will generate logs, and will
also reset connections or block attackers. This is the default mode.

l Log only - If attacks have been detected, StoneOS will only generate
logs, but will not reset connections or block attackers.

After the configurations, click OK to save the settings.

Note: Non-root VSYS does not support IPS global configuration.

Signature List
Select Object > Intrusion Prevention System > Signature List. You can see the signature list.

The upper section is for searching signatures. The lower section is for managing signatures.

Sea rc hing Signa tures

In the upper section, set the search conditions and then click Search to search the signatures that match the con-
dition.
To clear all search conditions, click Reset. To save the search conditions, click Save Selection As to name this set of
search conditions and save it.

Ma na ging Signa tures

You can view signatures, create a new signature, load the database, delete a signature, edit a signature, enable a sig-
nature, and disable a signature.

Chapter 11 Threat Prevention 372

 l View signatures: In the signature list, click the ID of a signature to view the details.

l Create a new signature: click New.

In the General tab, configure the following settings:

Option Description

Name Specifies the signature name.

Description Specifies the signature descriptions.
Protocol Specifies the affected protocol.

Flow Specifies the direction.

l To_Server means the package of attack is from server to the client.

l To_Client means the package of attack is from client to the server.

l Any includes To_Server and To_Client.

Source Port Specifies the source port of the signature.

l Any - Any source port.

l Included - The source port you specified should be included. It can

be a port, several ports, or a range. Specifies the port number in
the text box, and use "," to separate.

l Excluded - The source port you specified should be excluded. It

can be a port, several ports, or a range. Specifies the port number
in the text box, and use "," to separate.
Destination Port Specifies the destination port of the signature.

l Any - Any destination port.

l Included - The destination port you specified should be included.

It can be a port, several ports, or a range. Specifies the port num-
ber in the text box, and use "," to separate.

l Excluded - The destination port you specified should be excluded.

It can be a port, several ports, or a range. Specifies the port num-
ber in the text box, and use "," to separate.
Dsize Specifies the payload message size. Select "----",">", "<" or "=" from the
drop-down list and specifies the value in the text box. "----" means not
set the parameter.

Severity Specifies the severity of the attack.

Attack Type Select the attack type from the drop-down list.

Application Select the affected applications. "----" means all applications.

Operating Sys- Select the affected operating system from the drop-down list. "----"
tem means all the operating systems.
Bulletin Board Select a bulletin board of the attack.
Year Specifies the released year of attack.
Detection Filter Specifies the frequency of the signature rule.

l Track - Select the track type from the drop-down list. It can be by_
src or by_dst. System will use the statistic of source IP or des-
tination IP to check whether the attack matches this rule.

l Count - Specifies the maximum times the rule occurs in the spe-
cified time. If the attacks exceed the Count value, system will trig-

373 Chapter 11 Threat Prevention

 Option Description
ger rules and act as specified.

l Seconds - Specifies the interval value of the rule occurs.

In the Content tab, click New to specify the content of the signature:
Option Description

Content Specifies the signature content. Select the following check box if needed:

l HEX - Means the content is hexadecimal.

l Case Insensitive - Means the content is not case sensitive.

l URI - Means the content needs to match URI field of HTTP request.
Relative Specifies the signature content location.

l If Beginning is selected, system will search from the header of

the application layer packet.

l Offset: System will start searching after the offset from the
header of the application layer packet. The unit is byte.

l Depth: Specifies the scanning length after the offset. The unit
is byte.

l If Last Content is selected, system will search from the content

end position.

l Distance: System will start searching after the distance from

the former content end position. The unit is byte.

l Within: Specifies the scanning length after the distance. The

unit is byte.

l Load the database: After you create a new signature, click Load Database to make the newly created signature
take effect.

l Edit a signature: Select a signature and then click Edit. You can only edit the user-defined signature. After edit-
ing the signature, click Load Database to make the modifications take effect.

l Delete a signature: Select a signature and then click Delete. You can only delete the user-defined signature.
After deleting the signature, click Load Database to make the deletion take effect.

l Enable/Disable signatures: After selecting signatures, click Enable or Disable.

Note: Non-root VSYS does not support signature list.

Sandbox
A sandbox executes a suspicious file in a virtual environment, collects the actions of this file, analyzes the collected
data, and verifies the legality of the file.
The Sandbox function of the system uses the cloud sandbox technology. The suspicious file will be uploaded to the
cloud side and the cloud sandbox will collect the actions of this file, analyze the collected data, verify the legality of the
file, and give the analyze result to the system.
The Sandbox function contains the following parts:

Chapter 11 Threat Prevention 374

 l Collect and upload the suspicious file: The Sandbox function parses the traffic, extracts the suspicious file from
the traffic.

l If there is no analyze result about this file in the local database, system will upload this file to the cloud intel-
ligence server, and the cloud server intelligence will upload the suspicious file to the cloud sandbox for ana-
lysis.

l If this file has been identified as an illegal file in the local database of the Sandbox function, the system will
generate corresponding threat logs and cloudsandbox logs.
Additionally, you can specify the criteria of the suspicious files by configuring a sandbox profile.

l Check the analyze result returned from the cloud sandbox and take actions: The Sandbox function checks the ana-
lyze result of the suspicious file returned from the cloud sandbox, verifies the legality of the file, saves the result
to the local database. If this suspicious is identified as an illegal file, the system will generate threat logs and
cloudsandbox logs. This part is completed by the Sandbox function automatically.

l Maintain the local database of the Sandbox function: Record the information of the uploaded files, including
uploaded time, analyze result. This part is completed by the Sandbox function automatically.

Note: The Sandbox function is controlled by license. To use the Sandbox function, install the
Cloud sandbox license.

Related Topics: Configuring Sandbox

Co nfiguring Sandbo x
This chapter includes the following sections:

l Preparation for configuring the Sandbox function

l Configuring the Sandbox rules

l Sandbox global configurations

Prepa ra tion
Before enabling the Sandbox function, make the following preparations:

1. Make sure your system version supports the Sandbox function.

2. The current device is registered to the Cloud View platform.

3. Import the Cloud sandbox license and reboot. The Sandbox function will be enabled after the rebooting.

Note: Except M8860/M8260/M7860/M7360/M7260, if the Sandbox function is enabled, the

max amount of concurrent sessions will decrease by half.

Configuring Sa ndbox
The system supports the policy-based Sandbox. To realize the policy-based Sandbox:

1. Click Object > Sandbox > Configuration. Select Enable check box to enable the Sandbox function.

2. Click Object > Sandbox > Profile to create a sandbox rule you need.

375 Chapter 11 Threat Prevention

 3. Bind the sandbox rule to a policy. Click Policy > Security Policy.Select the policy rule you want to bind or click
New to create a new policy. In the Policy Configuration dialog, select the Protection tab and then check the
Enable check box of Sandbox.

Configuring a Sa ndbox Rule

A sandbox rule contains the files types that device detected, the protocols types that device detected, the white list set-
tings and file filter settings.

l File Type: Support to detect PE, APK, JAR, MS-Office, PDF, SWF, RAR and ZIP file.

l Protocol Type: Support to detect HTTP, FTP, POP3, SMTP and IMAP4 protocol.

l White list: A white list includes domain names that are safe. When a file extracted from the traffic is from a
domain name in the white list, this file will not be marked as a suspicious file and it will not be upload to the cloud
sandbox.

l File filter: Mark the file as a suspicious file if it satisfies the criteria configured in the file filter settings. The ana-
lyze result from the cloud sandbox determines whether this suspicious file is legal or not.
There are three built-in sandbox rules with the files and protocols type configured, white list enabled and file filter con-
figured. The three default sandbox rules includes predef_low, predef_middle and predef_high.

l predef_low: A loose sandbox detection rule, whose file type is PE and protocol types are
HTTP/FTP/POP3/SMTP/IMAP4, with white list and file filter enabled.

l predef_middle: A middle-level sandbox detection rule, whose file types are PE/APK/JAR/MS-Office/PDF and pro-
tocol types are HTTP/FTP/POP3/SMTP/IMAP4, with white list and file filter enabled.

l predef_high: A strict sandbox detection rule, whose file types are PE/APK/JAR/MS-Office/PDF/SWF/RAR/ZIP and
protocol types are HTTP/FTP/POP3/SMTP/IMAP4, with white list and file filter enabled.
To create a new sandbox rule:

1. Select Object > Sandbox.

2. Click New to create a new sandbox rule. To edit an existing one, select the check box of this rule and then click
Edit.

Chapter 11 Threat Prevention 376

 In the Sandbox Configuration dialog , configure the following settings.
Option Description

Name Enter the name of the sandbox rule.

White List Select Enable to enable the white list function.
A white list includes domain names that are safe. When a file extracted
from the traffic is from a domain name in the white list, this file will not
be marked as a suspicious file and it will not be upload to the cloud sand-
box.
You can update the white list in System > Upgrade Management > Sig-
nature Database Update > Sandbox Whitelist Database Update.

Certificate verify Select Enable to enable the verification for the trusted certification. After
enabling, system will not detect the PE file whose certification is trusted.

File Filter: Mark the file as a suspicious file if it satisfies the criteria configured in the file fil-
ter settings. The analyze result from the cloud sandbox determines whether this sus-
picious file is legal or not. The logical relation is AND.
File Type Mark the file of the specified file type as a suspicious file. The system can
mark the PE(.exe), APK, JAR, MS-Office, PDF, SWF, RAR and ZIP file as a
suspicious file now. If no file type is specified, the Sandbox function will
mark no file as a suspicious one.
Protocol Specifies the protocol to scan. The system can scan the HTTP, FTP, POP3,
SMTP and IMAP4 traffic now. If no protocol is specified, the Sandbox
function will not scan the network traffic.
After specified the protocol type, you have to specify the direction of the
detection:

l Upload - The direction is from client to server.

l Download - The direction is from server to client.

l Bothway - The direction includes uploading and downloading dir-

ections.
File Size Mark the file that is small than the specified file size as a suspicious file.
By default, the system will mark the files that are small than 6M as sus-
picious files.

3. Click OK to save the settings.

Sa ndbox G loba l Configura tions

To configure the sandbox global configurations:

1. Select Object > Sandbox > Configuration.

2. Select Enable check box of Sandbox to enable the Sandbox function. Clear the Enable check box to disable the
Sandbox function.

3. Specify the file size for the files you need. The file that is smaller than the specified file size will be marked as a
suspicious file.

4. If you select Benign file check box, system will record cloudsandbox logs of the file when it marks it as a benign
file. By default, system will not record logs for the benign files.

5. If you select Greyware file check box, system will record cloudsandbox logs of the file when it marks it as a grey-
ware file. A greyware file is the one system cannot judge it is a benign file or a malicious file. By default, system
will not record logs for the greyware files.

6. Click OK to save the settings.

377 Chapter 11 Threat Prevention

Chapter 11 Threat Prevention 378
Attack-Defense
There are various inevitable attacks in networks, such as compromise or sabotage of servers, sensitive data theft, ser-
vice intervention, or even direct network device sabotage that causes service anomaly or interruption. Security gates,
belonging to a category of network security devices, must be designed with attack defense functions to detect various
types of network attacks, and take appropriate actions to protect Intranet against malicious attacks, thus assuring the
normal operation of the Intranet and systems.
Devices provide attack defense functions based on security zones, and can take appropriate actions against network
attacks to assure the security of your network systems.

I CMP Flo o d and UD P Flo o d

An ICMP Flood/UDP Flood attack sends huge amount of ICMP messages (such as ping)/UDP packets to a target within a
short period and requests for response. Due to the heavy load, the attacked target cannot complete its normal trans-
mission task

ARP Spo o fing

LAN transmission network traffic based on MAC addresses. ARP spoofing attack is by filling in the wrong MAC address
and IP address , to make a wrong corresponding relationship of the target host's ARP cache table. Follow-up will lead
to the wrong destination host IP packets , and packet network unreasonable target resources are stolen.

SYN Flo o d
Due to resource limitations, a server will only permit a certain number of TCP connections. SYN Flood just makes use of
this weakness. During the attack an attacker will craft a SYN packet, set its source address to a forged or non-existing
address, and initiate a connection to a server. Typically the server should reply the SYN packet with SYN-ACK, while
for such a carefully crafted SYN packet, the client will not send any ACK for the SYN-ACK packet, leading to a half-open
connection. The attacker can send large amount of such packets to the attacked host and establish equally large num-
ber of half-open connections until timeout. As a result, resources will be exhausted and normal accesses will be
blocked. In the environment of unlimited connections, SYN Flood will exhaust all the available memory and other
resources of the system.

WinNuke Attack
A WinNuke attack sends OOB (out-of-band) packets to the NetBIOS port (139) of a Windows system, leading to
NetBIOS fragment overlap and host crash. Another attacking vector is ICMP fragment. Generally an ICMP packet will
not be fragmented; so many systems cannot properly process ICMP fragments. If your system receives any ICMP frag-
ment, it's almost certain that the system is under attack.

I P Address Spo o fing

IP address spoofing is a technology used to gain unauthorized accesses to computers. An attacker sends packets with
a forged IP address to a computer, and the packets are disguised as if they were from a real host. For applications that
implement validation based on IP addresses, such an attack allows unauthorized users to gain access to the attacked
system. The attacked system might be compromised even if the response packets cannot reach the attacker.

I P Address Sw eep and Po rt Scan

This kind of attack makes a reconnaissance of the destination address and port via scanners, and determines the exist-
ence from the response. By IP address sweep or port scan, an attacker can determine which systems are alive and con-
nected to the target network, and which ports are used by the hosts to provide services.

Ping o f D eath Attack

Ping of Death is designed to attack systems by some over-sized ICMP packets. The field length of an IP packet is 16
bits, which means the max length of an IP packet is 65535 bytes. For an ICMP response packet, if the data length is lar-
ger than 65507 bytes, the total length of ICMP data, IP header (20 bytes) and ICMP header (8 bytes) will be larger than
65535 bytes. Some routers or systems cannot properly process such a packet, and might result in crash, system
down or reboot.

379 Chapter 11 Threat Prevention

Teardro p Attack
Teardrop attack is a denial of service attack. Is based on the method of attack morbid fragmented UDP packets, which
works by sending multiple fragmented IP packets to the attacker is (IP fragmented packets include the fragmented
packets belong to which the packet and the packet the location and other information ) , some operating systems con-
tain overlapping offset when received fragmented packets will forge a system crash , reboot and so on.

Smurf Attack
Smurf attacks consist of two types: basic attack and advanced attack. A basic Smurf attack is used to attack a network
by setting the destination address of ICMP ECHO packets to the broadcast address of the attacked network. In such a
condition all the hosts within the network will send their own response to the ICMP request, leading to network con-
gestion. An advanced Smurf attack is mainly used to attack a target host by setting the source address of ICMP ECHO
packets to the address of the attacked host, eventually leading to host crash. Theoretically, the more hosts in a net-
work, the better the attacking effect will be.

Fraggle Attack
A fraggle attack is basically the same with a smurf attack. The only difference is the attacking vector of fraggle is UDP
packets.Fraggle.

Land Attack
During a Land attack, an attacker will carefully craft a packet and set its source and destination address to the address
of the server that will be attacked. In such a condition the attacked server will send a message to its own address, and
this address will also return a response and establish a Null connection. Each of such connections will be maintained
until timeout. Many servers will crash under Land attacks.

I P Fragment Attack
An attacker sends the victim an IP datagram with an offset smaller than 5 but greater than 0, which causes the victim
to malfunction or crash.

I P Optio n Attack
An attacker sends IP datagrams in which the IP options are abnormal. This attack intends to probe the network topo-
logy. The target system will break down if it is incapable of processing error packets.

H uge I CMP Packet Attack

An attacker sends large ICMP packets to crash the victim. Large ICMP packets can cause memory allocation error and
crash the protocol stack.

TCP Flag Attack

An attacker sends packets with defective TCP flags to probe the operating system of the target host. Different oper-
ating systems process unconventional TCP flags differently. The target system will break down if it processes this type
of packets incorrectly.

D NS Query Flo o d Attack

The DNS server processes and replies all DNS queries that it receives. A DNS flood attacker sends a large number of
forged DNS queries. This attack consumes the bandwidth and resources of the DNS server, which prevents the server
from processing and replying legal DNS queries.

TCP Split H andshake Attack

When a client establishes TCP connection with a malicious TCP server, the TCP server responses with a fake SYN
packet and uses this fake one to initialize the TCP connection with the client. After establishing the TCP connection, the
malicious TCP server switches its role and becomes the client side of the TCP connection. Thus, the malicious traffic
might enter into the intranet.

Chapter 11 Threat Prevention 380

Co nfiguring Attack D efense
To configure the Attack Defense based on security zones:

1. Create a zone. For more information about how to create, refer to "Security Zone" on Page 35.

2. In the Zone Configuration dialog, select Threat Protection tab.

3. To enable the Attack Defense functions, select the Enable all check box, and click Configure.

381 Chapter 11 Threat Prevention

 In the <Attack Defense> dialog box, enter the Attack Defense configurations.
Option Description
IP address or IP range in the whitelist is exempt from attack defense
Whitelist check.
click Configure.

Chapter 11 Threat Prevention 382

 Option Description
l IP/Netmask - Specifies the IP address and netmask and click Add to
add to the whitelist.

l Address entry - Specifies the address entry and click Add to add to
the whitelist.
Enable all: Select this check box to enable all the Attack Defense func-
tions for the security zone.
Action: Specifies an action for all the Attack Defense functions, i.e., the
defense measure system will take if any attack has been detected.
Select all
l Drop - Drops packets. This is the default action.

l Alarm - Gives an alarm but still permits packets to pass through.

l --- - Do not specify global actions.

ICMP flood: Select this check box to enable ICMP flood defense for the
security zone.

l Threshold - Specifies a threshold for inbound ICMP packets. If the

number of inbound ICMP packets destined to one single IP address
per second exceeds the threshold, the system will identify the traffic
as an ICMP flood and take the specified action. The value range is 1
to 50000. The default value is 1500.

l Action - Specifies an action for ICMP flood attacks. If the default

action Drop is selected, the system will only permit the specified
number (threshold) of IMCP packets to pass through during the
current and the next second, and also give an alarm. All the excess-
ive packets of the same type will be dropped during this period.
UDP flood:: Select this check box to enable UDP flood defense for the
security zone.

l Src threshold - Specifies a threshold for outbound UDP packets. If

the number of outbound UDP packets originating from one single
source IP address per second exceeds the threshold, system will
Flood Attack identify the traffic as a UDP flood and take the specified action. The
Defense value range is 1 to 50000. The default value is 1500.

l Dst threshold - Specifies a threshold for inbound UDP packets. If the

number of inbound UDP packets destined to one single port of one
single destination IP address per second exceeds the threshold, sys-
tem will identify the traffic as a UDP flood and take the specified
action. The value range is 1 to 50000. The default value is 1500.

l Action - Specifies an action for UDP flood attacks. If the default

action Drop is selected, system will only permit the specified number
(threshold) of UDP packets to pass through during the current and
the next second, and also give an alarm. All the excessive packets of
the same type will be dropped during this period.
ARP spoofing: Select this check box to enable ARP spoofing defense for
the security zone.

l Max IP number per MAC - Specifies whether system will check the
IP number per MAC in ARP table. If the parameter is set to 0, sys-
tem will not check the IP number; if set to a value other than 0, the
system will check the IP number, and if the IP number per MAC is
larger than the parameter value, system will take the specified

383 Chapter 11 Threat Prevention

 Option Description
action. The value range is 0 to 1024.

l Gratuitous ARP send rate - Specifies if StoneOS will send gratuitous

ARP packet(s). If the parameter is set to 0 (the default value),
StoneOS will not send any gratuitous ARP packet; if set to a value
other than 0, StoneOS will send gratuitous ARP packet(s), and the
number sent per second is the specified parameter value. The value
range is 0 to 10.

l Reverse query - Select this check box to enable Reverse query. When
StoneOS receives an ARP request, it will log the IP address and reply
with another ARP request; and then StoneOS will check if any packet
with a different MAC address will be returned, or if the MAC address
of the returned packet is the same as that of the ARP request packet.
SYN flood: Select this check box to enable SYN flood defense for the
security zone.

l Src threshold - Specifies a threshold for outbound SYN packets

(ignoring the destination IP address and port number). If the num-
ber of outbound SYN packets originating from one single source IP
address per second exceeds the threshold, StoneOS will identify the
traffic as a SYN flood. The value range is 0 to 50000. The default
value is 1500. The value of 0 indicates the Src threshold is void.

l Dst threshold - Specifies a threshold for inbound SYN packets

destined to one single destination IP address per second.

l IP-based - Click IP-based and then type a threshold value into

the box behind. If the number of inbound SYN packets
destined to one single destination IP address per second
exceeds the threshold, StoneOS will identify the traffic as a
SYN flood. The value range is 0 to 50000. The default value is
1500. The value of 0 indicates the Dst threshold is void.

l Port-based - Click Port-based and then type a threshold value

into the box behind. If the number of inbound SYN packets
destined to one single destination port of the destination IP
address per second exceeds the threshold, StoneOS will
identify the traffic as a SYN flood. The value range is 0 to
50000. The default value is 1500. The value of 0 indicates the
Dst threshold is void. After clicking Port-based, you also need
to type an address into or select an IP Address or Address
entry from the Dst address combo box to enable port-based
SYN flood defense for the specified segment. The SYN flood
attack defense for other segments will be IP based. The value
range for the mask of the Dst address is 24 to 32.

l Action - Specifies an action for SYN flood attacks. If the default

action Drop is selected, StoneOS will only permit the specified num-
ber (threshold) of SYN packets to pass through during the current
and the next second, and also give an alarm. All the excessive pack-
ets of the same type will be dropped during this period. Besides if
Src threshold and Dst threshold are also configured, StoneOS will
first detect if the traffic is a destination SYN flood attack: if so,
StoneOS will drop the packets and give an alarm, if not, StoneOS will
continue to detect if the traffic is a source SYN attack; if so, StoneOS
will drop the packets and give an alarm.

MS-Windows WinNuke attack: Select this check box to enable WinNuke attack defense

Chapter 11 Threat Prevention 384

 Option Description

defense for the security zone. If any WinNuke attack has been detected, StoneOS
will drop the packets and give an alarm.
IP address spoof: Select this check box to enable IP address spoof
defense for the security zone. If any IP address spoof attack has been
detected, StoneOS will drop the packets and give an alarm.
IP address sweep: Select this check box to enable IP address sweep
defense for the security zone.

l Threshold - Specifies a time threshold for IP address sweep. If over

10 ICMP packets from one single source IP address are sent to dif-
ferent hosts within the period specified by the threshold, StoneOS
will identify them as an IP address sweep attack. The value range is 1
to 5000 milliseconds. The default value is 1.

l Action - Specifies an action for IP address sweep attacks. If the

default action Drop is selected, StoneOS will only permit 10 IMCP
packets originating from one single source IP address while destined
Scan/spoof to different hosts to pass through during the specified period
defense (threshold), and also give an alarm. All the excessive packets of the
same type will be dropped during this period.
Port scan: Select this check box to enable port scan defense for the secur-
ity zone.

l Threshold - Specifies a time threshold for port scan. If over 10 TCP

SYN packets are sent to different ports of one single destination
address within the period specified by the threshold, StoneOS will
identify them as a port scan attack. The value range is 1 to 5000 mil-
liseconds. The default value is 1.

l Action - Specifies an action for port scan attacks. If the default

action Drop is selected, StoneOS will only permit 10 TCP SYN packets
destined to different ports of one single destination address to pass
through, and also give an alarm. All the excessive packets of the
same type will be dropped during this period.
Ping of Death attack: Select this check box to enable Ping of Death attack
defense for the security zone. If any Ping of Death attack has been
attacked, StoneOS will drop the attacking packets, and also give an
alarm.
Teardrop attack: Select this check box to enable Teardrop attack defense
for the security zone. If any Teardrop attack has been attacked, StoneOS
will drop the attacking packets, and also give an alarm.
IP fragment: Select this check box to enable IP fragment defense for the
security zone.
Denial of service
l Action - Specifies an action for IP fragment attacks. The default
defense
action is Drop.
IP option: Select this check box to enable IP option attack defense for the
security zone. StoneOS will defend against the following types of IP
options: Security, Loose Source Route, Record Route, Stream ID, Strict
Source Route and Timestamp.

l Action - Specifies an action for IP option attacks. The default action

is Drop.
Smurf or fraggle attack: Select this check box to enable Smurf or fraggle
attack defense for the security zone.

385 Chapter 11 Threat Prevention

 Option Description
l Action - Specifies an action for Smurf or fraggle attacks. The
default action is Drop.
Land attack: Select this check box to enable Land attack defense for the
security zone.

l Action - Specifies an action for Land attacks. The default action is

Drop.
Large ICMP packe: Select this check box to enable large ICMP packet
defense for the security zone.

l Threshold - Specifies a size threshold for ICMP packets. If the size of

any inbound ICMP packet is larger than the threshold, StoneOS will
identify it as a large ICMP packet and take the specified action. The
value range is 1 to 50000 bytes. The default value is 1024.

l Action - Specifies an action for large ICMP packet attacks. The

default action is Drop.
SYN proxy: Select this check box to enable SYN proxy for the security
zone. SYN proxy is designed to defend against SYN flood attacks in com-
bination with SYN flood defense. When both SYN flood defense and SYN
proxy are enabled, SYN proxy will act on the packets that have already
passed detections for SYN flood attacks.

l Proxy trigger rate - Specifies a min number for SYN packets that will
trigger SYN proxy or SYN-Cookie (if the Cookie check box is selec-
ted). If the number of inbound SYN packets destined to one single
port of one single destination IP address per second exceeds the spe-
cified value, StoneOS will trigger SYN proxy or SYN-Cookie. The
value range is 1 to 50000. The default value is 1000.

l Cookie - Select this check box to enable SYN-Cookie. SYN-Cookie is

a stateless SYN proxy mechanism that enables StoneOS to enhance
its capacity of processing multiple SYN packets. Therefore, you are
Proxy
advised to expand the range between "Proxy trigger rate" and "Max
SYN packet rate" appropriately.

l Max SYN packet rate - Specifies a max number for SYN packets that
are permitted to pass through per second by SYN proxy or SYN-
Cookie (if the Cookie check box is selected). If the number of
inbound SYN packets destined to one single port of one single des-
tination IP address per second exceeds the specified value, StoneOS
will only permit the specified number of SYN packets to pass
through during the current and the next second. All the excessive
packets of the same type will be dropped during this period. The
value range is 1 to 1500000. The default value is 3000.

l Timeout - Specifies a timeout for half-open connections. The half-

open connections will be dropped after timeout. The value range is
1 to 180 seconds. The default value is 30.
TCP option anomaly: Select this check box to enable TCP option anomaly
defense for the security zone.

Protocol abnor- l Action - Specifies an action for TCP option anomaly attacks. The
mally report default action is Drop.
TCP split handshake: Select this check box to enable TCP split hand-
shake defense for the security zone.

Chapter 11 Threat Prevention 386

 Option Description
l Action - Specifies an action for TCP split handshake attacks. The
default action is Drop.
DNS query flood: Select this check box to enable DNS query flood
defense for the security zone.

l Src threshold - Specifies a threshold for outbound DNS query pack-

ets. If the number of outbound DNS query packets originating from
one single IP address per second exceeds the threshold, StoneOS
will identify the traffic as a DNS query flood and take the specified
action.

l Dst threshold - Specifies a threshold for inbound DNS query pack-

ets. If the number of inbound DNS query packets destined to one
single IP address per second exceeds the threshold, StoneOS will
identify the traffic as a DNS query flood and take the specified
action.

l Action - Specifies an action for DNS query flood attacks. If the

default action Drop is selected, StoneOS will only permit the spe-
cified number (threshold) of DNS query packets to pass through dur-
ing the current and next second, and also give an alarm. All the
excessive packets of the same type will be dropped during this
period; if Alarm is selected, StoneOS will give an alarm but still per-
DNS query flood mit the DNS query packets to pass through.
Recursive DNS query flood: Select this check box to enable recursive
DNS query flood defense for the security zone.

l Src threshold - Specifies a threshold for outbound recursive DNS

query packets packets. If the number of outbound DNS query pack-
ets originating from one single IP address per second exceeds the
threshold, StoneOS will identify the traffic as a DNS query flood and
take the specified action.

l Dst threshold - Specifies a threshold for inbound recursive DNS

query packets packets. If the number of inbound DNS query packets
destined to one single IP address per second exceeds the threshold,
StoneOS will identify the traffic as a DNS query flood and take the
specified action.

l Action - Specifies an action for recursive DNS query flood attacks. If

the default action Drop is selected, StoneOS will only permit the spe-
cified number (threshold) of recursive DNS query packets to pass
through during the current and next second, and also give an alarm.
All the excessive packets of the same type will be dropped during
this period; if Alarm is selected, StoneOS will give an alarm but still
permit the recursive DNS query packets to pass through.

4. To restore the system default settings, click Restore Default.

5. Click OK.

387 Chapter 11 Threat Prevention

Perimeter Traffic Filtering
Perimeter Traffic Filtering can filter the perimeter traffic based on known IP of black/white list, and take block action on
the malicious traffic that hits the blacklist.
Black/White list includes the following three types:

l Predefined black list: Retrieve the IP of black/white list from the Perimeter Traffic Filtering signature database.

l User-defined black/white list : According to the actual needs of users, the specified IP address is added to a user-
definedblack/white list.

l Third-party black list: Make a linkage with trend of TDA, to get blacklisted from the trend TDA devices regularly.

Note:

l You need to update the IP reputation database before enabling the function for the first
time. By default, System will update the database at the certain time everyday, and you can
modify the updating settings according to your own requirements, see "Upgrading Sys-
tem" on Page 477.

l Perimeter Traffic Filtering is controlled by license. To use Threat protection, apply and
install the PTF license.

Enabling Perimeter Traffic Filtering

To realize the zone-based Perimeter Traffic Filtering, you need:

1. Create a zone. For more information about how to create, refer to "Security Zone" on Page 35;

2. In the Zone Configuration dialog, select Threat Protection tab.

3. Select the Enable check box after the Perimeter Traffic Filtering.

4. Specifies an action for the malicious traffic that hits the blacklist. Select the User-defined , Pre-defined or TDA
check box , and select the action from drop-down list:

l Log Only: Only generates logs if the malicious traffic hits the blacklist.This is the default option.

l Drop: Drop packets if the malicious traffic hits the blacklist.

Co nfiguring User-defined B lack/ White List

To configure the user-defined black/white list :

1. Select Object > Perimeter Traffic Filtering.

2. Click New.

In Perimeter Traffic Filtering Configuration dialog, enter the user-defined black/white list

Chapter 11 Threat Prevention 388

 configuration.
Option Description

IP Specify the IP address for the user-defined black/white list.

mask Specify the netmask of the IP address.
Black/White List Select the radio button to add the IP address to the blacklist or whitelist .

3. Click OK.

Co nfiguring Third-party B lack List

To configure the third-party linkage:

1. Select Object > Perimeter Traffic Filtering.

2. Click The Third Party linkage.

In The Third Party linkage dialog, enter the linkage configuration.

Option Description

Enable linkage Select the check box to enabling linkage with trend of TDA.
with trend of
TDA
The TDA device Specify the address for the TDA device.
address
The TDA device Specify the port number for the TDA device. The value range is 1 to
port 65535.
Linkage request Specify the Linkage request period for getting the blacklisted from the
cycle TDA devices.
Enable Linkage Select the check box to get the blacklist of the TDA device sandbox.
with sandbox

Searching B lack/ White List

To search the black/white list:

389 Chapter 11 Threat Prevention

 1. Select Object > Perimeter Traffic Filtering.

2. Click Search.

3. Enter the IP address and click Search,the results will be displayed in this dialog.

Chapter 11 Threat Prevention 390

Chapter 12 Monitor

Monitor section includes the following functions:

l Monitor: The Monitor function statistically the devices and displays the statistics in bar chart, line chart, tables,
and so on, which helps users have information about the devices.

l WAP traffic distribution: Displays the history result (In the past 24 hours and the last 30 days) of WAP traffic
distribution, including request and response.

l Report: Through gathering and analyzing the device traffic data, traffic management data, threat data, monitor
data and device resource utilization data, the function provides the all-around and multi-demensional staticstcs to
you

l Log: Records various system logs, including system logs, threat logs, session logs, NAT logs, NBC logs and con-
figuration logs.

Chapter 12 Monitor 391

Monitor
The system can monitor the following objects:

l User: Displays the application statistics within the specified period (Realtime, latest 1 hour, latest 1 day, latest 1
month ) The statistics include the application traffic and applications' concurrent sessions.

l Application: Displays the statistics of applications, application categories, application subcategories, application
risk levels, application technologies, application characteristics within the specified period (Realtime, latest 1
hour, latest 1 day, latest 1 month ) The statistics include the application traffic and applications' concurrent ses-
sions.

l Cloud Application: Displays statistics of cloud based applications, including their traffic, new sessions and con-
current sessions.

l Share Access Detect: Displays the access terminal statistics of specified filter condition(Virtual router, IP, host
number), including operation system , online time, login time and last online time of users.

l Device: displays the device statistics within the specified period (Realtime, latest 1 hour, latest 1 day, latest 1
month ), including the total traffic, interface traffic, zone traffic, CPU/memory status, sessions, Online IP and
hardware status.

l URL Hit: If system is configured with "URL Filter" on Page 261, the predefined stat-set of URL Hit can gather stat-
istics on user/IPs, URLs and URL categories.

l Application Block: If system is configured with "Security Policy" on Page 274 the application block can gather
statistics on the applications and user/IPs.

l Keyword Block: If system is configured with"Web Content" on Page 330, "Email Filter" on Page 338, "Web Post-
ing" on Page 334, the predefined stat-set of Keyword Block can gather statistics on the Web keyword, Web
keywords, email keywords, posting keywords and users/IPs.

l Authentication User: If system is configured with"Web Authentication" on Page 121, "Single Sign-On" on Page
126, "SSL VPN" on Page 162 , "L2TP VPN" on Page 217 the auth user can gather statistics on the authenticated
users.

l Monitor Configuration: Enable or disable some monitor items as needed.

l User-defined Monitor: Provides a more flexible approach to view the statistics.

392 Chapter 12 Monitor

User Mo nito r
This feature may vary slightly on different platforms . If there is a conflict between this guide and the actual page, the
latter shall prevail.
User monitor displays the application statistics within the specified period (Realtime, latest 1 hour, latest 1 day, latest
1 month ) The statistics include the application traffic and applications' concurrent sessions.

Note: Non-root VSYS also supports user monitor, but does not support address book stat-
istics.

Sum m a ry
Summary displays the user traffic/concurrent sessions ranking during specified period or of specified inter-
faces/zones. Click Monitor > User > Summary.

l Select different Statistical_Period to view the statistical information in different period of time.

l Click to refresh the monitoring data in this page.

l Hover your mouse over a bar, to view user 's average of upstream traffic, downstream traffic, total trafficor con-
current sessions .

l When displaying the user traffic statistics, the Upstream and Downstream legends are used to select the stat-
istical objects in the bar chart.

Us er D eta ils
Click Monitor > User > User Details.

Chapter 12 Monitor 393

 l Click to select the condition in the drop-down list to search the desired users.

l To view the detailed information of a certain user , select the user entry in the list.

l Application(real-time): Select the Application (real-time)tab, displays the detailed information of the cat-
egory,subcategory,risk level, technology,upstream traffic, downstream traffic, total traffic. Click Detailsin
the list to view the line chart.

l Cloud Application: Select the Cloud Application tab, display the cloud application information of selected user.

l Traffic: Select the Traffic tab, display the traffic trends of selected user .

l Concurrent Sessions: Select the Concurrent Sessions tab, display the concurrent sessions trends of selected
user .

l Frame a region in trends with the mouse, you can enlarge the scope of the displayed time period. Click

, restore the default size of the trend.

l Within the user entry list, hover your cursor over a user entry, its right has a button. Click this button and
select Add to Black List.

Addres s Book D eta ils

Click Monitor>User >Address Book Details.

394 Chapter 12 Monitor

 l Click to select the condition in the drop-down list to search the desired address entry.

l To view the detailed information of a address entry, select the address entry in the list.

l Application (real-time): Select the Application (real-time) tab, displays the detailed information of the
upstream traffic, downstream traffic, total traffic. Click Detailsin the list to view the line chart.

l Cloud Application: Select the Cloud Application tab, display the cloud application information of selected
address book.

l Traffic: Select the Traffic tab, display the traffic trends of selected address entry.

l Concurrent Sessions: Select the Concurrent Sessions tab, display the concurrent sessions trends of selected
address entry.
The monitor address is a database that stores the users' address which is used for the statistics.

Monitor Addres s Book

The monitor address is a database that stores the user 's address which is used for the statistics.

Click Monitor > User > Select Address Book, and Click at the top left corner.

In this dialog, you can perform the following actions:

l Select the address entry check box, and click Add to add a new address entry entry to the Selected list.

l In the Selected list, select the address entry, and click Remove, the address entry will not be counted.

l Below list shows the details of selected address entry.

Chapter 12 Monitor 395

Sta tis tic a l Period
The system supports the predefined time cycle and the custom time cycle. Click the time button on the top right corner
of each tab to set the time cycle.

l Real-time: Displays the current statistical information.

l Last Hour: Displays the statistical information within the latest 1 hour.

l Last Day: Displays the statistical information within the latest 1 day.

l Last Month: Displays the statistical information within the latest 1 month.

396 Chapter 12 Monitor

Applicatio n Mo nito r
This feature may vary slightly on different platforms. If there is a conflict between this guide and the actual page, the
latter shall prevail.
Application monitor displays the statistics of applications, application categories, application subcategories, applic-
ation risk levels, application technologies, application characteristics within the specified period (Realtime, latest 1
hour, latest 1 day, latest 1 month ) .The statistics include the application traffic and applications' concurrent sessions.

Note: Non-root VSYS also supports application monitor, but does not support to monitor applic-
ation group.

Sum m a ry
Summary displays the following contents during specified period:

l The concurrent sessions of top 10 hot and high-risk applications.

l The traffic/concurrent sessions of top 10 applications.

l The traffic/concurrent sessions of top 10 application categories.

l The traffic/concurrent sessions of top 10 application subcategories.

l The traffic/concurrent sessions organized by application risk levels.

l The traffic/concurrent sessions organized by application technologies.

l The traffic/concurrent sessions organized by application characteristics.

Click Monitor>Application>Summary.

l Select different Statistical_Period to view the statistical information in different periods of time.

l From the drop-down menu, specify the type of statistics: Traffic or Concurrent Sessions.

l Click to refresh the monitoring data in this page.

l Hover your mouse over a bar or a pie, to view the concrete statistical values of total trafficor concurrent sessions .

Chapter 12 Monitor 397

Applic a tion D eta ils
Click Monitor > Application > Application Details.

l Click Time drop-down menu,select different Statistical_Period to view the statistical information in different peri-
ods of time.

l Click button, select Application in the drop-down menu,you can search the desired application by
entering the keyword of the application name in the text field.

l To view the detailed information of a certain application, select the application entry in the list.

l Users(real-time): Select the Users (real-time)tab, displays the detailed information of users which are using

the selected application.Click in details column, you can see the trends of upstream traffic, downstream
traffic, total traffic .

l Traffic: Select the Traffic tab, display the traffic trends of selected application.

l Concurrent Sessions: Select the Concurrent Sessions tab, display the concurrent sessions trends of selected
application.

l Description: Select the Description tab, displays the detailed information of the selected application.

Group D eta ils

Click Monitor>Application>Group Details.

398 Chapter 12 Monitor

 l Click Time drop-down menu, select different Statistical_Period to view the statistical information in different peri-
ods of time.

l Click button, select Application Group in the drop-down menu,you can search the desired application
group by entering the keyword of the application group name in the text field.

l To view the detailed information of a certain application group, select the application group entry in the list.

l User(real-time): Select the Users(real-time)tab to display the detailed information of users which are using

the selected application group.Click in details column, you can see the trends of the upstream traffic,
downstream traffic, total traffic .

l Application(real-time): Select the Application(real-time) tab to display the detailed information of applications

in use belonging to the selected application group.Click in details column, you can see the trends of the
upstream traffic, downstream traffic, total traffic of the selected application.

l Traffic: Select the Traffic tab to display the traffic trends of selected application group.

l Concurrent Sessions: Select the Concurrent Sessions tab to display the concurrent sessions trends of selec-
ted application group.

l Description: Select the Description tab to display the detailed description of the selected application.

Selec t Applic a tion Group

Click Monitor>Application>Select Application Group.Click on the top left corner-

,you can configure appliccation groups requiring to be counted in the Select Application Group dialog. There are
global application groups in the left column.

In this dialog, you can perform the following actions:

Chapter 12 Monitor 399

 l Select the application groups check box, and click Add to add a new application groups entry to the Selected list.

l In the Selected list, select the application groups entry, and click Remove, the application groups entry will not
be counted.

Sta tis tic a l Period

The system supports the predefined time cycle and the custom time cycle. Click Real-time on the top right corner of
each tab to set the time cycle.

l Real-time: Displays the current statistical information.

l Last 60 Minutes: Displays the statistical information within the latest 1 hour.

l Last 24 Hours: Displays the statistical information within the latest 1 day.

l Last 30 Days: Displays the statistical information within the latest 1 month.

400 Chapter 12 Monitor

 Clo ud Applicatio n Mo nito r
This feature may vary slightly on different platforms and not be available in vSYS on a part of platforms. If there is a
conflict between this guide and the actual page, the latter shall prevail.
A cloud application is an application program that functions in the cloud. It resides entirely on a remote server and is
delivered to users through Internet.
Cloud application monitor page displays the statistics of cloud applications and users within a specified period (real-
time, latest 1 hour, latest 1 day, latest 1 month ), including application traffic, user number, and usage trend.

Sum m a ry
Summary displays the following contents during specified period:

l Top 10 cloud application rank by traffic/concurrent session number with in a specified period ( realtime, latest 1
hour, latest 1 day, latest 1 month ).

l Top 10 cloud application user rank.

Click Monitor > Cloud Application > Summary.

l By selecting different filter, you can view the statistics of different time period.

l By selecting the drop-down menu of trafficor concurrent sessions, you can view your intended statistics.

l Click the update icon to update the displayed data.

l Hover your cursor over bar or pie chart to view exact data. Click the Details link on hover box, you will jump
to the Cloud Application Details page.

Cloud Applic a tion D eta ils

Click Monitor > Cloud Application >Cloud Application Details.

l Click the Time drop-down menu, you may select different time period to view the statistics in that period.

Chapter 12 Monitor 401

 l Click the Filter button, and select Application. In the new text box, enter the name of your intended application.

l To view the detailed information of a certain application group, select the application group entry in the list.

l User(real-time): Select the Users(real-time)tab to display the detailed information of users which are using

the selected application group.Click in details column, you can see the trends of the upstream traffic,
downstream traffic, total traffic.

l Application(real-time): Select the Application(real-time) tab to display the detailed information of applications

in use belonging to the selected application . Click in details column, you can see the trends of the
upstream traffic, downstream traffic, total traffic of the selected application.

l Traffic: Select the Traffic tab to display the traffic trends of selected application.

l Concurrent Sessions: Select the Concurrent Sessions tab to display the concurrent sessions trends of selec-
ted application.

l Description: Select the Description tab to display the detailed description of the selected application.

Sta tis tic a l Period

The system supports the predefined time cycle and the custom time cycle. Click Real-time on the top right corner of
each tab to set the time cycle.

l Real-time: Displays the current statistical information.

l Last 60 Minutes: Displays the statistical information within the latest 1 hour.

l Last 24 Hours: Displays the statistical information within the latest 1 day.

l Last 30 Days: Displays the statistical information within the latest 1 month.

402 Chapter 12 Monitor

Share Access D etect
To detect the users’ private behavior of shared access to Internet, system supports to analyze the User-agent filed of
HTTP packet, a share access detect method which is based on the application characteristic. The share access detect
page can display the share access detect information of specified filter condition. The aging time of share access
detect information is 2 hours.
Click Monitor> Share Access Detect.

l From Virtual Router drop-down menu, select the virtual router the IP belongs to. By default ,it is trust-vr.

l Click the Filter button and select IP. In the drop-down menu, select the source IP of IP information you want to
view. You can select 1 IP address.

l Click the Filter button and select Host Number>=. In the drop-down menu, select the minimum host number of
IP information you want to view.

l After configuring filter condition, the upside list will display the information of IP, host number and IP login time,
which is matched with the configured filter condition. Click an entry of IP information, the downside list will dis-
play the share access detect of this IP, which includes operation system , online time, login time and last online
time of users.

Chapter 12 Monitor 403

D evice Mo nito r
This feature may vary slightly on different platforms. If there is a conflict between this guide and the actual page, the
latter shall prevail.
The Device page displays the device statistics within the specified period, including the total traffic, interface traffic,
zone traffic, CPU/memory status, sessions, hardware status and online IP.

Sum m a ry
Summary displays the device statistics within last 24 hours. Click Monitor>Device>Summary.

l Total traffic: Displays the total traffic within the specified statistical period.

l Hover your mouse over the chart to view the total traffic statistics at a specific point in time.

l Select different Statistical Period to view the statistical information in different period of time.

l If IPv6 is enabled, device traffic will show the total traffic of IPv4 and IPv6.

l Interface traffic: Displays the upstream traffic, downstream traffic, total traffic and concurrent sessions of inter-
face within the specified statistical period by rank.

l Click Traffic In, Traffic Out, Traffic, or Concurrent Sessions. System displays the interface traffic
according to the value(from large to small) of the specified object. By default, the interface traffic is displayed
according to the total traffic value of interface.

l Select different Statistical Period to view the statistical information in different period of time.

l Click interface name to view the Detailed Information.

l If IPv6 is enabled, interface traffic will show the traffic of IPv4 and IPv6.

l Zone traffic: Displays the upstream traffic, downstream traffic, total traffic and concurrent sessions of zone
within the specified statistical period by rank.

404 Chapter 12 Monitor

 l Click Traffic In, Traffic Out, Traffic, or Concurrent Sessions. System displays the zone traffic according
to the value(from large to small) of the specified object. By default, the zone traffic is displayed according to
the total traffic value of zone.

l Select different Statistical Period to view the statistical information in different period of time.

l Click zone name to view the Detailed Information.

l Hardware status: Displays the real-time hardware status, including storage, chassis temperature and fan status.

l Storage: Displays the percentage of disk space utilization.

l Chassis temperature: Displays the current CPU/chassis temperature.

l Fan status: Displays the operation status of the fan. Green indicates normal, red indicates error or a power supply
module is not used.

l Sessions: Displays the current sessions utilization.

l CPU/memory status: Displays current CPU utilization, memory utilization and CPU temperature statistics.

l Click legends of CPU Utilization, Memory Utilization or CPU Temperature to specify the histogram stat-
istical objects. By default, it displays statistics of all objects.

Sta tis tic a l Period

System supports the predefined time cycle.Select statistical period from the drop-down menu

at the top right corner of some statistics page to set the time cycle.

l Real-time: Displays the current statistical information.

l Last 60 Minutes: Displays the statistical information within the latest 1 hour.

l Last 24 Hours: Displays the statistical information within the latest 1 day.

l Last 30 Days: Displays the statistical information within the latest 1 month.

D eta iled Inform a tion

The detailed information page displays detailed statistics of certain monitored objects. In addition, in the detailed
information page, hover your mouse over the chart that represents a certain object to view the statistics of history
trend and other information.
For example, click ethernet0/0 in the Interface Traffic , and the detailed information of ethernet0/0 appears.

Chapter 12 Monitor 405

 l Icon and are used to switch the line chart and stacked chart, which display the history trend of sessions
and concurrent sessions;

l In traffic trend section, click legends of Traffic In or Traffic Out to specify the statistical objects. By default, it
displays all statistical objects.

l In the User or Application section, click Username/IP or Application to display the real-time trend of the spe-
cified user or application. For example, the user traffic trend is shown as below.

l Select line chart or stacked chart from the pop-up menu at the top right corner .

l Hover your mouse over the chart to view the session statistics at a specific point in time.

406 Chapter 12 Monitor

Online IP
Click Monitor>Device>Online IP to view the historical trend of the number of online users. You can select the stat-
istical period as last 60 minutes, last 24 hours or last 30 days.

l Hover your mouse over the line to view online users information.

Chapter 12 Monitor 407

URL H it
This feature may not be available on all platforms. Please check your system's actual page to see if your device delivers
this feature.
If the "URL Filter" on Page 261 function is enabled in the security policy rule, the predefined stat-set of URL filter can
gather statistics on user/IPs, URLs and URL categories.

Sum m a ry
Click Monitor> URL Hit>Summary.

l Select different Statistical_Period to view the statistical information in different period of time.

l Hover your mouse over a bar, to view the hit count of user/IP, URL or URL Category .

l Click at top-right corner of every table, enter the corresponding details page.

l Click , switch between the bar chart and the pie chart.

Us er/IP
Click Monitor> URL Hit>User/IP.

408 Chapter 12 Monitor

 l The user/IPs and detailed hit count are displayed in the list below.

l Click a user/IP in the list to display the corresponding URL hit statistics in the curve chart below.

l Statistics: Displays the hit statistics of the selected User/IP, including the real-time statistics and statistics
for the latest 1 hour, 24 hours 30 days

l URL(real-time): Displays the URLs' real-time hit count of selected User/IP. Click URL link ,you can view the
corresponding URLs detailed statistics page.Click Detail link,you can view the URL hit trend of the selected
User/IP in the URL Filter Detailsdialog .

l URL category(real-time): Displays the URL categories' read-time hit count of selected user/IP. Click URL cat-
egory link , you can view the corresponding URL categories' detailed statistics page. Click Detail link, you
can view the URL category hit trend of the selected user/IP in the pop-up dialog .

l Click at top-right corner,then click the Filter button at top-left corner and select User/IP,You can
search the user/IP hit count information by entering the keyword of the username or IP.

URL
Click Monitor > URL Hit > URL.

l The URL, URL category and detailed hit count are displayed in the list below.

l Click a URL in the list to view its detailed statistics.

l Statistics: Displays the hit statistics of the selected URL, including the real-time statistics and statistics for
the latest 1 hour, 24 hours 30 days .

l User/IP(real-time): Displays the User/IP's real-time hit count of selected URL. Click User/IP link ,you can view
the corresponding user / IPs detailed statistics page.Click Detail link,you can view the URL hit trend of the
selected user/IP in the URL Filter Details dialog .

l Click at top-right corner,then click the Filter button at top-left corner and select URL,You can search
the URL hit count informations by entering the keyword of the URL.

l Click to refresh the real-time data in the list.

URL Ca tegory
Click Monitor> URL Hit > URL Category.

Chapter 12 Monitor 409

 l The URL category, count, traffic are displayed in the list.

l Click a URL category in the list to view its detailed statistics displayed in the Statistics, URL(real-time), User/IP
(real-tiime) tabs.

l Statistics: Displays the trend of the URL category visits, including the real-time trend and the trend in the last
60 minutes, 24 hours , 30 days.

l URL(real-time): Displays the visit information of the URLs, contained in the URL category, that are being vis-
ited.

l User/IP(real-time): Displays the visit information of the users or IPs that are visiting the URL category.

l Click to refresh the real-time data in the list.

Sta tis tic a l Period

The system supports the predefined time cycle and the custom time cycle. Click the time button on the top right corner
of each tab to set the time cycle.

l Real-time: Displays the current statistical information.

l Last 60 Minutes: Displays the statistical information within the latest 1 hour.

l Last 24 Hours: Displays the statistical information within the latest 1 day.

l Last 30 Days: Displays the statistical information within the latest 1 month.

410 Chapter 12 Monitor

Applicatio n B lo ck
This feature may not be available on all platforms. Please check your system's actual page to see if your device delivers
this feature.
If system is configured with "Security Policy" on Page 274 the application block can gather statistics on the applic-
ations and user/IPs.

Sum m a ry
Summary displays the application block can gather statistics on the top 10 applications and top 10 user/IPs. Click Mon-
itor>Application Block> Summary.

l Select different Statistical_Period to view the statistical information in different period of time.

l Hover your mouse over a bar, to view the block count on the applications and user/IPs.

l Click at top-right corner of every table, enter the corresponding details page.

l Click , switch between the bar chart and the pie chart.

Applic a tion
Click Monitor>Application Block> Application.

l The applications and detailed block count are displayed in the list below.

l To view the corresponding information of application block on the applications and user/IPs, select the application
entry in the list.

Chapter 12 Monitor 411

 l Statistics: Displays the block count statistics of the selected application, including the real-time statistics and
statistics for the latest 1 hour, 24 hours and 30 days.

l User/IP: Displays the user/IPs that are blocked from the selected application. Click a user/IP in the list to dis-
play the corresponding block count statistics in the curve chart below. Click , jump to the corresponding
user / IPs page.

l Click , and click to select the condition in the drop-down list, you can search the application
block information by entering the keyword of the application name.

l Click to refresh the real-time data in the list.

Us er/IP
Click Monitor>Application Block> User/IP.

l The user/IP and detailed block count are displayed in the list below.

l Click a user/IP in the list to display the corresponding block count statistics in the curve chart below. Click ,
jump to the corresponding user / IPs page.

l Click , and click to select the condition in the drop-down list, you can search the users/IPs
information.

Sta tis tic a l Period

The system supports the predefined time cycle and the custom time cycle. Click ( ) on the
top right corner of each tab to set the time cycle.

l Realtime: Displays the statistical information within the realtime.

l Last Hour: Displays the statistical information within the latest 1 hour.

l Last Day: Displays the statistical information within the latest 1 day.

l Last Month: Displays the statistical information within the latest 1 month.

412 Chapter 12 Monitor

Keyw o rd B lo ck
This feature may not be available on all platforms. Please check your system's actual page to see if your device delivers
this feature.
If system is configured with "Web Content" on Page 330, "Email Filter" on Page 338, or "Web Posting" on Page 334,
the predefined stat-set of Keyword Block can gather statistics on the Web keyword, Web keywords, email keywords,
posting keywords and users/IPs.

Sum m a ry
Summary display the predefined stat-set of Keyword Block can gather statistics on the top 10 hit Web keyword, top 10
hit Web keywords, top 10 hit email keywords, top 10 hit posting keywords and top 10 users/IPs. Click Monitor > Key-
word Block > Summary.

l Select different Statistical_Period to view the statistical information in different period of time.

l Hover your mouse over a bar, to view the block count on the keywords .

l Click at top-right corner of every table, enter the corresponding details page.

l Click , switch between the bar chart and the pie chart.

Web Content
Click Monitor>Keyword Block> Web Content.

Chapter 12 Monitor 413

 l The Web content and detailed block count are displayed in the list below.

l To view the corresponding information of keyword block on the Web content, select the keyword entry in the list.

l Statistics: Displays the statistics of the selected keyword, including the real-time statistics and statistics for
the latest 1 hour, 24 hours and 30 days.

l User/IP: Displays the user/IPs that are blocked by the selected keyword. Click a user/IP in the list to display
the corresponding block count statistics in the curve chart below. Click , jump to the corresponding user /
IPs page.

l Click , and click to select the condition in the drop-down list, you can search the keyword
block information by entering the keyword .

l Click to refresh the real-time data in the list.

Em a il Content
Click Monitor>Keyword Block> Email Content.
Page description see Web_Content.

Web Pos ting

Click Monitor>Keyword Block>Web Posting.
Page description see Web_Content.

Us er/IP
Click Monitor>Keyword Block>User/IP.

414 Chapter 12 Monitor

 l The User/IP and detailed block count are displayed in the list below.

l Click a user/IP in the list to display the corresponding statistics , Web content, Email Content, Web Posting in the
curve chart below. Click , jump to the corresponding detail page.

l Click , and click to select the condition in the drop-down list, you can search the users/IPs
information .

Sta tis tic a l Period

The system supports the predefined time cycle and the custom time cycle. Click ( ) on the
top right corner of each tab to set the time cycle.

l Real-time: Displays the current statistical information.

l Last Hour: Displays the statistical information within the latest 1 hour.

l Last Day: Displays the statistical information within the latest 1 day.

l Last Month: Displays the statistical information within the latest 1 month.

Chapter 12 Monitor 415

Authenticatio n User
If system is configured with"Web Authentication" on Page 121, "Single Sign-On" on Page 126, "SSL VPN" on Page 162,
"L2TP VPN" on Page 217 the authentication user can gather statistics on the authenticated users.
Click Monitor>Authentication User.

l Click , and click to select the condition in the drop-down list to filter the users.

l Click Kick Out under the Operation column to kick the user out.

l Click to refresh the real-time data in the list.

416 Chapter 12 Monitor

Mo nito r Co nfiguratio n
This feature may not be available on all platforms. Please check your system's actual page to see if your device delivers
this feature.
You can enable or disable some monitor items as needed. The monitor items for Auth user are enabled automatically.
To enable/disable a monitor item:

1. Click Monitor > Monitor Configuration.

2. Select or clear the monitor item(s) you want to enable or disable.

3. Click OK .

Note: After a monitor item is enabled or disabled in the root VSYS, the item of all VSYSs will be
enabled or disabled(except that the non-root VSYS does not support this monitor item). You
can not enable or disable monitor item in non-root VSYSs.

Chapter 12 Monitor 417

User-defined Mo nito r
This feature may not be available on all platforms. Please check your system's actual page to see if your device delivers
this feature.
A user-defined stat-set provides a more flexible approach to view the statistics. You can view the statistics as needed.
The statistical data may vary from the data types you have selected.

The IP type-based statistical information table

Data type

Condi- Key- Applic-

Direction
tion Ramp-up URL hit word ation
Traffic Session
rate count block block
count count

Statistics Statistics
Statistics
on the ses- on the
on the
sion num- new ses-
Initiator traffic of
ber of the sions of
the ini-
initiator's the ini-
tiator's IP
IP tiator's IP

Statistics
Statistics Statistics
on the
on the on the ses-
new ses-
Respon- traffic of sion num-
sions of
der the ber of the
the
respon- respon-
respon-
der's IP der's IP
der's IP

Statistics Statistics
Statistics
on the ses- on the
on the
sion num- new ses-
traffic of Stat-
ber of an sions of Stat-
Belong an IP that istics on Statistics
IP that an IP that istics
to zone belongs the on the
belongs belongs on the
to a spe- keywor- applic-
to a spe- to a spe- URL hit
No dir- cific secur- d block ation
cific secur- cific secur- count
ection ity zone count block
ity zone ity zone of the
of the count of
spe-
Statistics Statistics spe- the spe-
Statistics cified
on the ses- on the cified cified IPs
on the IPs
sion num- new ses- IPs
traffic of
ber of an sions of
Not an IP that
IP that an IP that
belong does not
does not does not
to zone belong to
belong to belong to
a specific
a specific a specific
security
security security
zone
zone zone

Statistics Statistics
Statistics
on the ses- on the
on the
sion num- new ses-
traffic of
Belong ber of an sions of
an IP that
to inter- IP that an IP that
belongs
face belongs belongs
to a spe-
to a spe- to a spe-
cific inter-
cific inter- cific inter-
face
face face

418 Chapter 12 Monitor

 Data type

Condi- Key- Applic-

Direction
tion Ramp-up URL hit word ation
Traffic Session
rate count block block
count count

Statistics Statistics
Statistics
on the ses- on the
on the
sion num- new ses-
Not traffic of
ber of an sions of
belong an IP that
IP that an IP that
to inter- does not
does not does not
face belong to
belong to belong to
a specific
a specific a specific
interface
interface interface

Statistics
Statistics Statistics
on the
on the on the
number
inbound new
of
and out- received
Initiator received
bound and sent
and sent
traffic of sessions
sessions
the ini- of the ini-
of the ini-
tiator's IP tiator's IP
tiator's IP

Statistics
Statistics Statistics
on the
on the on the
number
inbound new
of
and out- received
Respon- received
bound and sent
der and sent
traffic of sessions
sessions
the of the
of the
respon- respon-
respon-
der's IP der's IP
der's IP
Bi-dir-
ectional Statistics
Statistics
Statistics on the
on the
on the number
new
inbound of
received
and out- received
and sent
bound and sent
Belong sessions
traffic of sessions
to zone of an IP
an IP that of an IP
that
belongs that
belongs
to a spe- belongs
to a spe-
cific secur- to a spe-
cific secur-
ity zone cific secur-
ity zone
ity zone

Statistics Statistics Statistics

on the on the on the
Not inbound number new
belong and out- of received
to zone bound received and sent
traffic of and sent sessions
an IP that sessions of an IP

Chapter 12 Monitor 419

 Data type

Condi- Key- Applic-

Direction
tion Ramp-up URL hit word ation
Traffic Session
rate count block block
count count

of an IP
that does
does not that does
not
belong to not
belong to
a specific belong to
a specific
security a specific
security
zone security
zone
zone

Statistics
Statistics
Statistics on the
on the
on the number
new
inbound of
received
and out- received
and sent
Belong bound and sent
sessions
to inter- traffic of sessions
of an IP
face an IP that of an IP
that
belongs that
belongs
to a spe- belongs
to a spe-
cific inter- to a spe-
cific inter-
face cific inter-
face
face

Statistics
Statistics
Statistics on the
on the
on the number
new
inbound of
received
and out- received
Not and sent
bound and sent
belong sessions
traffic of sessions
to inter- of an IP
an IP that of an IP
face that does
does not that does
not
belong to not
belong to
a specific belong to
a specific
interface a specific
interface
interface

The interface, zone, user, application, URL, URL category, VSYS type-based statistical information table
Data type

Dir- Key- Applic-

Group by
ection Ramp-up URL hit word ation
Traffic Session
rate count block block
count count

Statistics Statistics
Statistics Statistics
on the on the
on the on the ses-
new ses- URL hit
traffic of sion num-
No dir- sions of count of
Zone the spe- ber of the N/A N/A
ection the spe- the spe-
cified specified
cified cified
security security
security security
zones zones
zones zones

420 Chapter 12 Monitor

 Data type

Dir- Key- Applic-

Group by
ection Ramp-up URL hit word ation
Traffic Session
rate count block block
count count

Statistics
Statistics Statistics
on the
on the on the
number
inbound new
of
and out- received
received
Bi-dir- bound and sent
and sent
ectional traffic of sessions
sessions
the spe- of the spe-
of the spe-
cified cified
cified
security security
security
zones zones
zones

Statistics
Statistics Statistics
on the
on the on the ses-
new ses-
No dir- traffic of sion num-
sions of
ection the spe- ber of the
the spe-
cified specified
cified Statistics
interfaces interfaces
interfaces on the
URL hit
Statistics count of
Interface Statistics Statistics N/A N/A
on the the spe-
on the on the
number cified
inbound new
of inter-
and out- received
Bi-dir- received faces
bound and sent
ectional and sent
traffic of sessions
sessions
the spe- of the spe-
of the spe-
cified cified
cified
interfaces interfaces
interfaces

Statistics Statistics
Statistics Statistics
on the on the
on the on the ses-
new ses- block
traffic of sion num-
Applic- sions of count of
N/A the spe- ber of the N/A N/A
ation the spe- the spe-
cified specified
cified cified
applic- applic-
applic- applic-
ations ations
ations ations

Statistics
on the
Stat-
No dir- traffic of Statistics
istics
ection the spe- Statistics Statistics on the
Statistics on the
cified on the on the applic-
on the ses- keywor-
users new ses- URL hit ation
sion num- d block
User sions of count of block
Statistics ber of the count
the spe- the spe- count of
on the specified of the
cified cified the spe-
inbound users spe-
Bi-dir- users users cified
and out- cified
ectional users
bound users
traffic of

Chapter 12 Monitor 421

 Data type

Dir- Key- Applic-

Group by
ection Ramp-up URL hit word ation
Traffic Session
rate count block block
count count

the spe-
cified
users

Statistics
on the
hit
URL N/A N/A N/A N/A count of N/A N/A
the spe-
cified
URLs

Statistics
on the
hit
URL Cat- count of
N/A N/A N/A N/A N/A N/A
egory the spe-
cified
URL cat-
egories

Statistics Statistics
Statistics Statistics
on the on the
on the on the ses-
new ses- URL hit
traffic of sion num-
VSYS N/A sions of count of N/A N/A
the spe- ber of the
the spe- the spe-
cified specified
cified cified
VSYSs VSYSs
VSYSs VSYSs

You can configure a filtering condition for the stat-set to gather statistics on the specified condition, such as statistics
on the session number of the specified security zone, or on the traffic of the specified IP.

The filtering conditions supported table

Type Description

filter zone Data is filtered by security zone.

filter zone zone-name ingress Data is filtered by ingress security zone.
filter zone zone-name egress Data is filtered by egress security zone.
filter interface Data is filtered by interface.
filter interface if-name ingress Data is filtered by ingress interface.
filter interface if-name egress Data is filtered by egress interface.
filter application Data is filtered by application.
filter ip Data is filtered by address entry.
filter ip add-entry source Data is filtered by source address (address
entry).
filter ip add-entry destination Data is filtered by destination address (address
entry).
filter ip A.B.C.D/M Data is filtered by IP.
filter ip A.B.C.D/M source Data is filtered by source IP.

422 Chapter 12 Monitor

 Type Description

filter ip A.B.C.D/M destination Data is filtered by destination IP.

filter user Data is filtered by user.
filter user-group Data is filtered by user group.
filter severity Data is filtered by signature severity.

Click Monitor>User-defined Monitor.

l Click New, see Creating_a_User-defined_Stat-set

l Click the user-defined stat-set name link , see Viewing_User-defined_Stat-set_Statistics.

Crea ting a Us er-defined Sta t-s et

To create a user-defined stat-set:

1. Click Monitor>User-defined Monitor.

2. Click New.

In the User-defined Monitor Configuration dialog, modify according to your need

Option Description

Name Type the name for the stat-set into the Name box.
Data Type Select an appropriate data type from the Data type list
Group by Select an appropriate grouping method from the Group by list.
Root vsys only If you only want to perform the data statistics for the root VSYS, select
the Root vsys only checkbox. This checkbox will take effect when the data
type is Traffic, Session, Ramp-up rate, or URL hit. If data grouping
method is configured to VSYS, this checkbox will be not available.
Options To configure a filtering condition, click Option. In the Advanced dialog,
select a filter condition from the Filter drop-down list. For more details
about this option,see The_filtering_conditions_supported_table.

3. Click OK to save your settings . The configured stat-set will be displayed .

Chapter 12 Monitor 423

 Note: When configuring a stat-set:

l The URL hit statistics are only available to users who have a URL license.

l If the Data type is Traffic, Session, Ramp-up rate, Virus attack count, Intrusion count or
URL hit count, then the Filter should not be Attack log.

l If the Data type is URL hit count, then the Filter should not be Service.

l System will hide unavailable options automatically.

View ing Us er-defined Monitor Sta tis tic s

Click the user-defined stat-set name link, and then select the stat-set you want to view.

l Displays the top 10 statistical result from multiple aspects in forms of bar chart.

l View specified historic statistics by selecting a period from the statistic period drop-down list.

l Click All Data, view all the statistical result from multiple aspects in forms of list, trend. Click TOP 10 returns
bar chart.

424 Chapter 12 Monitor

WAP Traffic Distribution
This feature may not be available on all platforms. Please check your system's actual page to see if your device delivers
this feature.
If system is configured with WAP traffic distribution function, this page displays the history result (In the past 24
hours and the last 30 days) of WAP traffic distribution, including request and response.

l Request: Shows the count of request distributed to WAP gateway / Internet and all requests.

l Response: Shows the count of successful responses from WAP gateway /Internet ,failed responses from WAP
gateway/ Internet.

Chapter 12 Monitor 425

Reporting
This feature may not be available on all platforms. Please check your system's actual page to see if your device delivers
this feature.
The reporting feature gathers and analyzes data for the following report categories, providing all-around and multi-
dimensional statistics to you.

Report Cat-
Description
egories

Security Report Helps users quickly understand the overall risk situation of the servers and
users.
Flow Report Analysis and display of the user, application, interface, zone's traffic and
concurrency.
Content Report Detailed description of the URL hit, including the hit times, trends, cat-
egories, etc.

You can configure report task in "User-defined Task" on Page 428 and "Predefined Task" on Page 431, and view gen-
erated report files in "Report File" on Page 427.

426 Chapter 12 Monitor

Repo rt File
Go to Monitor > Reports > Report File, the report file page shows all the generated report files.

l Hover your mouse to the Send Object column, the system will prompt the Email addresses or FTP information
about sending.

Note: If your browser has enabled "Blocking pop-up windows", you will not see the generated
file. Make sure to set your browser "Always allow pop-up windows", or you can go to your
blocked window history to find the report file.

Chapter 12 Monitor 427

User-defined Task
A user-defined task is a customized report task which can be tailored to meet your requirements.

Crea ting a Us er-defined T a s k

To create a user-defined task:

1. Select Monitor > Reports > User-defined.

2. Click New.

428 Chapter 12 Monitor

 In the Report Task Configuration dialog box, enter values.
Option Description
Basic

Name Specifies the name of the report task.

Description Specifies the description of the report task.
Report Items

Report Items Specifies the content for the report file.

To add report items to the report task:

1. Expand the categories from left list.

2. Select the category item you want, and click Add to add it to right
column.

Schedule
The schedule specifies the running time of report task. The report task can be run peri-
odically or run immediately.
Periodic: Generates report files as planned.

l Schedule: Specifies the statistical period.

l At: Specifies the running time.

Generate Now: Generates report file immediately.

l Type: Generates report file based on the data in the specified statistical period.

Output

File Format The output format of the report file is PDF.

Recipient Sends report file via email. To add recipients, enter the email addresses in
to the recipient text box (use ";" to separate multiple email addresses).

Send via FTP Check the Send via FTP check box to send the report file to a specified
FTP server.

l Server Name/IP: Specifies the FTP server name or the IP address.

l Virtual Router: Specifies the virtual router of the FTP server.

l Username: Specifies the username used to log on to the FTP

server.

l Password: Enter the password of the FTP username.

l Anonymous: Check the check box to log on to the FTP server

anonymously.

l Path: Specifies the location where the report file will be saved.

3. Click OK to complete task configuration.

Ena bling/D is a bling the Us er-defined T a s k

To enable or disable the user-defined task:

1. Select Monitor > Reports > User-defined.

2. Select the task you want, and click the Enable or Disable button on the top.
By default, the user-defined task is enabled.

Chapter 12 Monitor 429

View ing Report Files
To view the generated report files, select Monitor > Reports > Report File.

430 Chapter 12 Monitor

Predefined Task
The predefined tasks are system report task template. Each report task is named according to the name of the report
item, the configured date and time.
The predefined tasks include the following types:

l Security Report

l Flow Report

l Content Report

Genera ting Report T a s k s

1. Select Monitor > Reports > Predefined.

2. In the Action column, click the icon.

Chapter 12 Monitor 431

 In the Report Task Configuration dialog box, enter values.
Option Description
Basic

Name Specifies the name of the report task.

Description Specifies the description of the report task. You can modify according to
your requirements.
Schedule
The schedule specifies the running time of report task. The report task can be run peri-
odically or run immediately.
Periodic: Generates report files as planned.

l Schedule: Specifies the statistical period.

l At: Specifies the running time.

Generate Now: Generates report file immediately.

l Type: Generates report file based on the data in the specified statistical period.
Output

File Format The output format of the report file is PDF.

Recipient Sends report file via email. To add recipients, enter the email addresses in
to the recipient text box (use ";" to separate multiple email addresses).

Send via FTP Check the Send via FTP check box to send the report file to a specified
FTP server.

l Server Name/IP: Specifies the FTP server name or the IP address.

l Virtual Router: Specifies the virtual router of the FTP server.

l Username: Specifies the username used to log on to the FTP

server.

l Password: Enter the password of the FTP username.

l Anonymous: Check the check box to log on to the FTP server

anonymously.

l Path: Specifies the location where the report file will be saved.

3. Click OK to complete task configuration.

View ing Report Files

To view the generated report files, select Monitor > Reports > Report File.

432 Chapter 12 Monitor

Logging
Logging is a feature that records various kinds of system logs, including device log, threat log, session log, NAT log,
NBC log and URL logs.

l Device log

l Event - includes 8 severity levels: debugging, information, notification, warning, error, critical, alert, emer-
gency.

l Network - logs about network services, like PPPoE and DDNS.

l Configuration - logs about configuration on command line interface, e.g. interface IP address setting.

l Threat - logs related to behaviors threatening the protected system, e.g. attack defense and application security.

l Session - Session logs, e.g. session protocols, source and destination IP addresses and ports.

l NAT - NAT logs, including NAT type, source and destination IP addresses and ports.

l NBC - logs about network behavior control, like IM chatting logs and URL browsing history.

l URL - logs about network surfing, e.g. Internet visiting time, web pages visiting history, URL filtering logs.

l PBR - logs about policy-based route.

l CloudSandBox - logs about sandbox.

System logs record running status of the device, thus provide information for analysis and evidence.

Lo g Severity
Event logs are categorized into eight severity levels.

Log Defin-
Severity Level Description
ition

Emergencies 0 Identifies illegitimate system events. LOG_EMERG

Alerts 1 Identifies problems which need immediate LOG_ALERT
attention such as device is being attacked.
Critical 2 Identifies urgent problems, such as hardware LOG_CRIT
failure.
Errors 3 Generates messages for system errors. LOG_ERR
Warnings 4 Generates messages for warning. LOG_
WARNING
Notifications 5 Generates messages for notice and special LOG_NOTICE
attention.
Informational 6 Generates informational messages. LOG_INFO
Debugging 7 Generates all debugging messages, including LOG_DEBUG
daily operatiol messages.

D estinatio n o f Expo rted Lo gs

Log messages can be sent to the following destinations:

l Console - The default output destination. You can close this destination via CLI.

l Remote - Includes Telnet and SSH.

l Buffer - Memory buffer.

l File - By default, the logs are sent to the specified USB destination in form of a file.

Chapter 12 Monitor 433

 l Syslog Server - Sends logs to UNIX or Windows Syslog Server.

l Email - Sends logs to a specified email account.

l Local database - Sends logs to the local database of the device.

Lo g Fo rmat
To facilitate the access and analysis of the system logs, StoneOS logs follow a fixed pattern of information layout, i.e.
date/time, severity level@module: descriptions.See the example below:
2000-02-05 01:51:21, WARNING@LOGIN: Admin user "admin" logged in through console from localhost.

434 Chapter 12 Monitor

Event Lo gs
To view event logs, select Monitor > Log > Event.
In this page, you can perform the following actions:

l Configuration: Click to jump to the configuration page.

l Export: Click to export the displayed logs as a TXT or CSV file.

l Filter: Click Filter to add conditions to show logs that march your filter.

Chapter 12 Monitor 435

Netw o rk Lo gs
To view network logs, select Monitor > Log > Network.
In this page, you can perform the following actions:

l Configuration: Click to jump to the configuration page.

l Export: Click to export the displayed logs as a TXT or CSV file.

l Filter: Click Filter to add conditions to show logs that march your filter.

436 Chapter 12 Monitor

Co nfiguratio n Lo gs
To view configuration logs, select Monitor > Log > Configuration.
In this page, you can perform the following actions:

l Configuration: Click to jump to the configuration page.

l Export: Click to export the displayed logs as a TXT or CSV file.

l Filter: Click Filter to add conditions to show logs that march your filter.

Chapter 12 Monitor 437

Threat Lo gs
Threat logs can be generated under the conditions that:

l Threat logging in the Logging feature is enabled. Refer to "Log Configuration" on Page 443.

l You have enabled one or more of the following features: "Anti Virus" on Page 353, " Intrusion Prevention System"
on Page 358, "Attack-Defense" on Page 379 or "Perimeter Traffic Filtering" on Page 388 .
To view threat logs, select Monitor > Log > Threat.
In this page, you can perform the following actions:

l Export: Click to export the displayed logs as a TXT or CSV file.

l Filter: Click Filter to add conditions to show logs that march your filter.

l View the details of selected log in the Log Details tab.

438 Chapter 12 Monitor

Sessio n Lo gs
Session logs can be generated under the conditions that:

l NBC logging in the Logging feature is enabled. Refer to "Log Configuration" on Page 443.

l You have enabled one or more of the following features: ."Web Content" on Page 330、 "Web Posting" on Page
334、 "Email Filter" on Page 338 and "Internet Behavior Control" on Page 321 functions.
To view session logs, select Monitor > Log > Session.

Note:
l For ICMP session logs, the system will only record the ICMP type value and its code value.
As ICMP 3, 4, 5, 11 and 12 are generated by other communications, not a complete ICMP
session, the system will not record such kind of packets.

l For TCP and UDP session logs, the system will check the packet length first. If the packet
length is 20 bytes (i.e., with IP header, but no loads), it will be defined as a malformed
packet and be dropped; if a packet is over 20 bytes, but it has errors, the system will drop
it either. So, such abnormal TCP and UDP packets will not be recorded.

PB R Lo gs
This feature may not be available on all platforms. Please check your system's actual page to see if your device delivers
this feature.
PBR logs can be generated under the conditions that:

l PBR logging in the Logging feature is enabled. Refer to "Log Configuration" on Page 443.

l You have enabled logging function in PBR rules. Refer to "Creating a Policy-based Route Rule" on Page 109 .
To view PBR logs, select Monitor > Log > PBR.

Chapter 12 Monitor 439

NAT Lo gs
NAT logs are generated under the conditions that:

l NAT logging in the Logging feature is enabled. Refer to "Log Configuration" on Page 443.

l NAT logging is the NAT rule configuration is enabled. Refer to"Configuring SNAT" on Page 295 and "Configuring
SNAT" on Page 295"Configuring DNAT" on Page 299.
To view NAT logs, select Monitor > Log> NAT.

440 Chapter 12 Monitor

URL Lo gs
This feature may not be available on all platforms. Please check your system's actual page to see if your device delivers
this feature.
URL logs can be generated under the conditions that:

l URL logging in the Logging feature is enabled. Refer to "Log Configuration" on Page 443.

l You have enabled logging function in URL rules. Refer to "URL Filter" on Page 261
To view threat logs, select Monitor > Log > URL.

Chapter 12 Monitor 441

NB C Lo gs
This feature may not be available on all platforms. Please check your system's actual page to see if your device delivers
this feature.
NBC logs can be generated under the conditions that:

l NBC logging in the Logging feature is enabled. Refer to "Log Configuration" on Page 443.

l You have enabled one or more of the following features: ."Web Content" on Page 330、 "Web Posting" on Page
334、 "Email Filter" on Page 338 and"Internet Behavior Control" on Page 321 functions.
To view NBC logs, select Monitor > Log > NBC.

Clo udSandB o x Lo gs
To view sandbox logs, select Monitor > Log > CloudSandBox.
In this page, you can perform the following actions:

l Configuration: Click to jump to the CloudSandBox page.

l Clear: Click to clear the selected logs.

l Export: Click to export the displayed logs as a TXT or CSV file.

l Filter: Click Filter to add conditions to show logs that march your filter.

442 Chapter 12 Monitor

Lo g Co nfiguratio n
You can creating log server, setting up log email address, and adding UNIX servers.

Crea ting a Log Server

To create a log server:

1. Select Monitor > Log > Log Management.

2. Click Log Server tab.

3. Click New.

In the Log Server dialog box, enter values.

Option Description

Host name Enter the name or IP of the log server.

Binding Specifies the source IP address to receive logs.

l Virtual Router: Select Virtual Router and then select a virtual router
form the drop-down list. If a virtual router is selected, the device will
determine the source IP address by searching the reachable routes
in the virtual router.

l Source Interface: Select Source Interface and then select a source

interface from the drop-down list. The device will use the IP address
of the interface as the source IP to send logs to the syslog server. If
management IP address is configured on the interface, the man-
agement IP address will be preferred.

Protocol Specifies the protocol type of the syslog server. If "Secure-TCP" is selec-
ted, you can select Do not validate the server certificate option, and sys-
tem can transfer logs normally and do not need any certifications.
Port Specifies the port number of the syslog server.
Log Type Specifies the log types the syslog server will receive.

4. Click OK to save the settings.

Note: You can add at most 3 log servers.

Adding Em a il Addres s to Rec eive Logs

An email in log management setting is an email address for receiving log messages.
To add an email address:

1. Select Monitor > Log > Log Management.

2. Click Web Mail tab.

3. Enter an email address and click Add.

4. If you want to delete an existing email, click Delete.

Chapter 12 Monitor 443

 Note: You can add at most 3 email addresses.

Spec ifying a Unix Server

To specify a Unix server to receive logs:

1. Select Monitor > Log > Log Management.

2. Click Facility Configuration tab.

3. Select a device you want, the logs will be exported to that Unix server.

4. Click OK.

Spec ifying a Mobile Phone

To specify a mobile phone to receive logs:

1. Select Monitor > Log > Log Management.

2. Click SMS tab.

3. Enter a mobile phone number and click Add.

4. If you want to delete an existing mobile phone number, click Delete.

Note: You can add at most 3 mobile phone numbers.

444 Chapter 12 Monitor

Managing Lo gs
You can configure the system to enable logging function, including enabling various logs.

Configuring Logs
To configure parameters of various log types:

1. Select Monitor > Log > Log Management.

2. Click on the tab of the log type you want, and you will enter the corresponding log settings page.

3. Click OK.

Option D e scriptions of Va rious Log Ty pe s

This section describes the options when you setting the properties of each log types.

Event Log
Option Description

Enable Select the check box to enable the event logging function.
Console Select the check box to send syslog to Console.

l Lowest severity - Specifies the lowest severity level. Logs below the
severity level selected here will not be exported.
Terminal Select the check box to send syslog to the terminal.

l Lowest severity - Specifies the lowest severity level. Logs below the
severity level selected here will not be exported.
Cache Select the check box to send syslog to the cache.

l Lowest severity - Specifies the lowest severity level. Logs below the
severity level selected here will not be exported.

l Max buffer size - The maximum size of the cached logs. The default
value may vary from different hardware platforms.

File Select the check box to send syslog to a file.

l Lowest severity - Specifies the lowest severity level. Logs below the
severity level selected here will not be exported.

l Max file size - Specifies the maximum size of the syslog file. The value
range is 4096 to 1048576 bytes. The default value is 1048576 bytes.

l Redirect log to USB - Select the check box and select a USB drive (USB0
or USB1) from the drop-down list. Type a name for the syslog file into
the Name box.

Log server Select the check box to export event logs to the syslog server.

l View Log Server - Click to see all existing syslog servers or to add new
server.

l Lowest severity - Specifies the lowest severity level. Logs below the
severity level selected here will not be exported.
Email address Select the check box to send event logs to the email.

l View Email Address: Click to see all existing email addresses or add
new address.

l Lowest severity - Specifies the lowest severity level. Logs below the
severity level selected here will not be exported.

Chapter 12 Monitor 445

 Option Description

Database Select the checkbox to save logs in the local device. Only several platforms
support this parameters.

l Disk Space - Enter a number as the percentage of a storage the logs will
take. For example, if you enter 30, the event logs will take at most 30%
of the total disk size.

l Disk Space Limit - If Auto Overwrite is selected, the logs which exceed
the disk space will overwrite the old logs automatically. If Stop Storing
is selected, system will stop storing new logs when the logs exceed the
disk space.

Network Log
Option Description

Enable Select the check box to enable network logging function.

Cache Select the check box to export network logs to cache.

l Max buffer size - The maximum size of the cached network logs. The
value range is 4096 to 524288 bytes. The default value may vary
from different hardware platforms.
Log server Select the check box to export network logs to the syslog server.

l View Log Server - Click to see all existing syslog servers or to add new
server.

Database Select the checkbox to save logs in the local device. Only several platforms
support this parameters.

l Disk Space - Enter a number as the percentage of a storage the logs will
take. For example, if you enter 30, the network logs will take at most
30% of the total disk size.

l Disk Space Limit - If Auto Overwrite is selected, the logs which exceed
the disk space will overwrite the old logs automatically. If Stop Storing
is selected, system will stop storing new logs when the logs exceed the
disk space.

Configuration Log
Option Description

Enable Select the check box to enable configuration logging function.

Cache Select the check box to export configuration logs to cache.

l Max buffer size - The maximum size of the cached configuration logs.
The value range is 4096 to 524288 bytes. The default value may vary
from different hardware platforms.
Log Server Select the check box to export network logs to the syslog server.

l View Log Server - Click to see all existing syslog servers or to add new
server.

Database Select the checkbox to save logs in the local device. Only several platforms
support this parameters.

l Disk Space - Enter a number as the percentage of a storage the logs will
take. For example, if you enter 30, the configuration logs will take at
most 30% of the total disk size.

l Disk Space Limit - If Auto Overwrite is selected, the logs which exceed

446 Chapter 12 Monitor

 Option Description
the disk space will overwrite the old logs automatically. If Stop Storing
is selected, system will stop storing new logs when the logs exceed the
disk space.

Log Generating Select the check box to define the maximum the efficiency of generating
Limitation logs.

l Maximum Speed - Specified the speed (messages per second).

Session Log
Option Description

Enable Select the check box to enable session logging function.

l Record User Name: Select to show user's name in the session log mes-
sages.

l Record Host Name: Select to show host's name in the session log mes-
sages.

Cache Select the check box to export session logs to cache.

l Max buffer size - The maximum size of the cached session logs. The
value range is 4096 to 2097152 bytes. The default value may vary
from different hardware platforms.
Log Server Select the check box to export session logs to the syslog server.

l View Log Server - Click to see all existing syslog servers or to add new
server.

l Syslog Distribution Methods - the distributed logs can be in the

format of binary or text. If you select the check box, you will send log
messages to different log servers, which will relieve the pressure of a
single log server. The algorithm can be Round Robin or Src IP Hash.

PBR Log
Option Description

Enable Select the check box to enable PBR logging function.

l Record User Name: Select to show user's name in the PBR log mes-
sages.

l Record Host Name: Select to show host's name in the PBR log mes-
sages.

Cache Select the check box to export PBR logs to cache.

l Max buffer size - The maximum size of the cached PBR logs. The value
range is 4096 to 2097152 bytes. The default value may vary from dif-
ferent hardware platforms.
Log Server Select the check box to export PBR logs to the syslog server.

l View Log Server - Click to see all existing syslog servers or to add new
server.

l Syslog Distribution Methods - the distributed logs can be in the

format of plain text. If you select the check box, you will send log mes-
sages to different log servers, which will relieve the pressure of a
single log server. The algorithm can be Round Robin or Src IP Hash.

NAT Log

Chapter 12 Monitor 447

 Option Description

Enable Select the check box to enable NAT logging function.

l Record Host Name: Select to show host's name in the NAT log mes-
sages.

Cache Select the check box to export NAT logs to cache.

l Max buffer size - The maximum size of the cached NAT logs. The
default value may vary from different hardware platforms.
Log Server Select the check box to export NAT logs to log servers.

l View Log Server - Click to see all existing syslog servers or to add new
server.

l Syslog Distribution Methods - the distributed logs can be in the

format of binary or text. If you select the check box, you will send log
messages to different log servers, which will relieve the pressure of a
single log server. The algorithm can be Round Robin or Src IP Hash.

URL Log
Option Description

Enable Select the check box to enable URL logging function.

l Record Host Name: Select to show host's name in the URL log mes-
sages.

Cache Select the check box to export URL logs to cache.

l Max buffer size - The maximum size of the cached URL logs. The
default value may vary from different hardware platforms.
Log Server Select the check box to export URL logs to log server.

l View Log Server - Click to see all existing syslog servers or to add new
server.

l Syslog Distribution Methods - the distributed logs can be in the

format of binary or text. If you select the check box, you will send log
messages to different log servers, which will relieve the pressure of a
single log server. The algorithm can be Round Robin or Src IP Hash.

NBC Log
Option Description

Enable Select this check box to enable NBC logging function.

Cache Select the check box to export NBC logs to cache.

l Max buffer size - The maximum size of the cached NBC logs. The
default value may vary from different hardware platforms.
File Select to export NBC logs as a file to USB.

l Max File Size - Exported log file maximum size.

l Save logs to USB - Select a USB device and enter a name as the log file
name.

Terminal Select to send logs to terminals.

Log Server Select the check box to export NBC logs to log server.

l View Log Server - Click to see all existing syslog servers or to add new

448 Chapter 12 Monitor

 Option Description
server.

l Syslog Distribution Methods - the distributed logs can be in the

format of binary or text. If you select the check box, you will send log
messages to different log servers, which will relieve the pressure of a
single log server. The algorithm can be Round Robin or Src IP Hash.
Email address Select the check box to export logs to the specified email address.

l Viewing Email Address: Click to see or add email address.

Local DB Select the checkbox to save logs in the local device. The log data will be
stored in SD card or storage expansion module.

l Storage Device Size Percentage - Enter a number as the percentage of a

storage the logs will take. For example, if you enter 30, the NBC logs
will take at most 30% of the total disk size.

l Redirect log to - Select the storage device.

CloudSandBox Log
Option Description

Enable Select this check box to enable CloudSandBox logging function.

Cache Select the check box to export CloudSandBox logs to cache.

l Max buffer size - The maximum size of the cached CloudSandBox

logs.
File Select to export CloudSandBox logs as a file.

Log Server Select the check box to export CloudSandBox logs to log server.

l View Log Server - Click to see all existing syslog servers or to add new
server.

Threat Log
Option Description

Enable Select this check box to enable threat logging function.

Cache Select the check box to export threat logs to cache.

l Max buffer size - The maximum size of the cached threat logs. The
default value may vary from different hardware platforms.
File Select to export threat logs as a file to USB.

l Max File Size - Exported log file maximum size.

l Save logs to USB - Select a USB device and enter a name as the log file
name.

Terminal Select to send logs to terminals.

Log Server Select the check box to export threat logs to log server.

l View Log Server - Click to see all existing syslog servers or to add new
server.

l Syslog Distribution Methods - the distributed logs can be in the

format of binary or text. If you select the check box, you will send log
messages to different log servers, which will relieve the pressure of a
single log server. The algorithm can be Round Robin or Src IP Hash.

Chapter 12 Monitor 449

 Option Description

Email address Select the check box to export logs to the specified email address.

l Viewing Email Address: Click to see or add email address.

Database Select the checkbox to save logs in the local device. Only several platforms
support this parameters.

l Disk Space - Enter a number as the percentage of a storage the logs will
take. For example, if you enter 30, the threat logs will take at most 30%
of the total disk size.

l Disk Space Limit - If Auto Overwrite is selected, the logs which exceed
the disk space will overwrite the old logs automatically. If Stop Storing
is selected, system will stop storing new logs when the logs exceed the
disk space.

450 Chapter 12 Monitor

Chapter 13 Diagnostic Tool

This feature may not be available on all platforms. Please check your system's actual page to see if your device delivers
this feature.
System supports the following diagnostic methods:

l Test Tools: DNS Query, Ping and Traceroute can be used when troubleshooting the network.

Chapter 13 Diagnostic Tool 451

Test Tools
DNS Query, Ping and Traceroute can be used when troubleshooting the network.

D NS Query
To check the DNS working status of the device:

1. Select System > Diagnostic Tool > Test Tools.

2. Type a domain name into the DNS Query box.

3. Click Test, and the testing result will be displayed in the list below.

Ping
To check the network connecting status:

1. Select System > Diagnostic Tool > Test Tools.

2. Type an IP address into the Ping box.

3. Click Test, and the testing result will be displayed in the list below.

4. The testing result contains two parts:

l The Ping packet response. If there is no response from the target after timeout, it will print Destination Host
Not Response, etc. Otherwise, the response contains sequence of packet, TTL and the response time.

l Overall statistics, including number of packet sent, number of packet received, percentage of no response,
the minimum, average and maximum response time.

Tracero ute
Traceroute is used to test and record gateways the packet has traversed from the originating host to the destination. It
is mainly used to check whether the network connection is reachable, and analyze the broken point of the network.
The common Traceroute function is performed as follows: first, send a packet with TTL 1, so the first hop sends back
an ICMP error message to indicate that this packet can not be sent (because of the TTL timeout); then this packet is re-
sent, with TTL 2, TTL timeout is sent back again; repeat this process till the packet reaches the destination. In this
way, each ICMP TTL timeout source address is recorded. As the result, the path from the originating host to the des-
tination is identified.
To test and record gateways the packet has traversed by Traceroute:

1. Select System > Diagnostic Tool > Test Tools.

2. Type an IP address into the Traceroute box.

3. Click Test, and the testing result will be displayed in the list below.

452 Chapter 13 Diagnostic Tool

Chapter 14 High Availability

HA, the abbreviation for High Availability, provides a fail-over solution for communications line or device failure to
ensure the smooth communication and effectively improve the reliability of the network. To implement the HA function,
you need to configure the two devices as HA clusters, using the identical hardware platform, firmware version, both
enabling Virtual Router and AV functions, with anti-virus license installed. When one device is not available or can not
handle the request from the client properly, the request will be promptly directed to the other device that works nor-
mally, thus ensuring uninterrupted network communication and greatly improving the reliability of communications.
System supports three HA modes: Active-Passive (A/P), Active-Active (A/A), and Peer.

l Active-Passive (A/P) mode: In the HA cluster, configure two devices to form a HA group, with one device acting as
a primary device and the other acting as its backup device. The primary device is active, forwarding packets, and
meanwhile synchronizes all of its network and configuration information and current session information to the
backup device. When the primary device fails, the backup device will be promoted to primary and takes over its
work to forward packets. This A/P mode is redundant, and features a simple network structure for you to maintain
and manage.

l Active-Active (A/A) mode: When the security device is in NAT mode, routing mode or a combination of both, you
can configure two Hillstone devices in the HA cluster as active, so that the two devices are running their own tasks
simultaneously, and monitoring the operation status of each other. When one device fails, the other will take over
the work of the failure device and also run its own tasks simultaneously to ensure uninterrupted work. This mode
is known as the Active-Active mode. The A/A mode has the advantage of high-performance, as well as load-bal-
ancing.

l Peer mode: the Peer mode is a special HA Active-Active mode. In the Peer mode, two devices are both active, per-
form their own tasks simultaneously, and monitor the operation status of each other. When one device fails, the
other will take over the work of the failure device and also run its own tasks simultaneously. In the Peer mode, only
the device at the active status can send/receive packets. The device at the disabled status can make two devices
have the same configuration information but its interfaces do not send/receive any packets. The Peer mode is
more flexible and is suitable for the deployment in the asymmetric routing environment.
HA Active-Active (A/A) and Peer mode may not be available on all platforms. Please check your system's actual page to
see if your device delivers this feature.

Basic Concepts
H A Cluster
For the external network devices, a HA cluster is a single device which handles network traffic and provides security
services. The HA cluster is identified by its cluster ID. After specifying a HA cluster ID for the device, the device will be
in the HA state to implement HA function.

H A Gro up
System will select the primary and backup device of the same HA group ID in a HA cluster according to the HCMP pro-
tocol and the HA configuration. The primary device is in active state and processes network traffic. When the primary
device fails, the backup device will take over its work.
When assigning a cluster ID to the device, the HA group with ID 0 will be automatically created. In Active-Passive (A/P)
mode, the device only has HA group 0. In Active-Active (A/A) mode, the latest Hillstone version supports two HA
groups, i.e., Group 0 and Group 1.

H A No de
To distinguish the HA devices in a HA group, you can use the value of HA Node to mark the devices. StoneOS support
the values of 0 and 1.
In the HA Peer mode, the system can decide which device is the master according to the HA Node value. In the HA
group 0, the device whose HA Node value is 0 will be active and the device whose HA Node value is 1 is at the disabled
status. In the HA group 1, the device whose HA Node value is 0 is at the disabled status and the device whose HA Node
value is 0 is active.

Chapter 14 High Availability 453

V irtual Fo rw ard I nterface and MAC
In the HA environment, each HA group has an interface to forward traffic, which is known as Virtual Forward Interface.
The primary device of each HA group manages a virtual MAC (VMAC) address which is corresponding with its inter-
face, and the traffic is forwarded on the interface. Different HA groups in a HA cluster cannot forward data among
each other. VMAC address is defined by HA cluster ID, HA group ID and the physical interface index.

H A Selectio n
In a HA cluster, if the group ID of the HA devices is the same, the one with higher priority will be selected as the
primary device.

H A Synchro nizatio n
To ensure the backup device can take over the work of the primary device when it fails, the primary device will syn-
chronize its information with the backup device. There are three types of information that can be synchronized: con-
figuration information, files and RDO (Runtime Dynamic Object). The specific content of RDO includes:

l Session information (The following types of session information will not be synchronized: the session to the
device itself, tunnel session, deny session, ICMP session, and the tentative session)

l IPsec VPN information

l SCVPN information

l DNS cache mappings

l ARP table

l PKI information

l DHCP information

l MAC table

l WebAuth information
System supports two methods to synchronize: real-time synchronization and batch synchronization. When the
primary device has just been selected successfully, the batch synchronization will be used to synchronize all inform-
ation of the primary device to the backup device. When the configurations change, the real-time synchronization will
be used to synchronize the changed information to the backup device. Except for the HA related configurations and
local configurations (for example, the host name), all the other configurations will be synchronized.

454 Chapter 14 High Availability

Configuring HA
To configure the HA function, take the following steps:

1. Configure a HA Virtual Forward Interface. For more information on configuring the interface, see "Configuring an
Interface" on Page 38.

2. Configure a HA link interface which is used for the device synchronization and HA packets transmission.

3. Configure a HA cluster. Specify the ID of HA cluster and enable the HA function.

4. Configure a HA group. Specify the priority for devices and HA messages parameters.
To configure HA, take the following steps:

1. Go to System > HA.

Option Description

Control link inter- Specifies the name of the HA control link interface. The control link inter-
face 1 face is used to synchronize all data between two devices.
Control link inter- Specifies the name of HA control link interface (Backup device).
face 2
Data link inter- Specifies the name of the HA data link interface. The data link interface is
face used to synchronize the data packet information. After specifying this
data link, the session information will be synchronized over this data
link. You can configure the physical interface or aggregate interface as
the interface of the data link and you can specify at most 1 HA data link
interface.
IP address Specifies the IP address and netmask of the HA link interface.
HA cluster ID Specifies an ID for HA cluster. The value ranges from 0 to 8. None indic-
ates to disable the HA function.
Node ID After enabling the HA function, specifies the Node ID (HA Node) for the
device. The IDs for two devices must be different. The range is 0 to 1. If
you do not specify this value, the devices will obtain the Node ID by auto-
matic negotiation.
Peer-mode Selects the Enable checkbox to enable the HA Peer mode and specifies
the role of this device in the HA cluster. The range is 0 to 1. By default,
the group 0 in the device whose HA Node ID is 0 will be active and the
group 0 in the device whose HA Node ID is will be in the disabled status.
Symmetric-rout- Select Symmetric-routing to make the device work in the symmetrical
ing routing environment.
HA Synchronize In some exceptional circumstances, the master and backup con-
Configuration figurations may not be synchronized. In such a case you need to manu-

Chapter 14 High Availability 455

 Option Description

ally synchronize the configuration information of the master and backup

device. Click HA Synchronize Configuration to synchronize the con-
figuration information of the master and backup device.
HA Synchronize By default the system will synchronize sessions between HA devices auto-
Session matically. Session synchronization will generate some traffic, and will pos-
sibly impact device performance when the device is overloaded. You can
enable automatic HA session synchronization according to the device
workload to assure stability. Click HA Synchronize Session to enable
automatic HA session synchronization.
New After specifying HA cluster ID, system will create HA group 0 auto-
matically by default. Click New to create HA group 1.
Delete Click Delete to remove HA group 1 if needed.
Priority Specifies the priority for the device. The device with higher priority (smal-
ler number) will be selected as the primary device.
Preempt Configure the preempt mode. When the preempt mode is enabled, once
the backup device find its own priority is higher than the primary device,
it will upgrade itself to the primary device and the original primary device
will become the backup device. The value of 0 indicates to disable the
preempt mode. When the preempt mode is disabled, even if the device's
priority is higher than the primary device, it will not take over the primary
device unless the primary device fails.
Hello interval Specifies the Hello interval value. Hello interval refers to the interval for
the HA device to send heartbeats (Hello packets) to other devices in the
HA group. The Hello interval in the same HA group must be identical.
Hello threshold Specifies the threshold value of the Hello message. If the device does not
receive the specified number of Hello messages from the other device, it
will suppose the other device's heartbeat stops.
Gratuitous ARP Specifies the number of gratuitous ARP packets. When the backup
packet number device is selected as the primary device, it will send an ARP request
packet to the network to inform the relevant network devices to update
its ARP table.
Track object Specifies the track object you have configured. The track object is used to
monitor the working status of the device. Once finding the device cannot
work normally, the system will take the corresponding action.
Description Type the descriptions of HA group into the box.

2. Click OK.

456 Chapter 14 High Availability

Chapter 15 System Management

The device's maintenance and management include:

l "System Information" on Page 458

l "Device Management" on Page 460

l "Configuration File Management" on Page 470

l "SNMP" on Page 472

l "Upgrading System" on Page 477

l "License" on Page 479

l "Mail Server" on Page 482

l "SMS Parameters" on Page 483

l "Connecting to HSM" on Page 484

l "Connecting to Hillstone Cloud·View" on Page 485

l "Test Tools" on Page 452

l "VSYS (Virtual System)" on Page 487

Chapter 15 System Management 457

System Information
Users can view the general information of the system in the System Information page, including Serial Number, Host-
name, Platform, System Time, System Uptime, Firmware, Signature Database and so on.

V iew ing System I nfo rmatio n

To view system information, select System > System Information.

Option Description

Serial Number Show the serial number of device.

Hostname Show the name of device.

Platform Show the platform model of device.

System Time Show the system date and time of device.

System Uptime Show the system uptime of device.

HA State Show the HA status of device.

l Standalone: Non-HA mode. That represents HA is disabled.

l Init: Initial state.

l Hello: Negotiation state. That represents the device is consulting the

relationship between master and backup.

l Master: Master state. That represents current device is master.

l Backup: Backup state. That represents current device is backup.

l Failed: Fault state. That represents the device is failed.

Firmware Show the current firmware version of device and the date of firmware
upgrade last time.
Application Sig- Show the current version of application signature database and the date of
nature update last time.
Advanced Threat Show the current version of advanced threat detection signature database
Detection Sig- and the date of update last time.
nature
Abnormal Beha- Show the current version of abnormal behavior detection signature data-
vior Detection Sig- base and the date of update last time.
nature
URL Signature Show the current version of URL signature database and the date of update
last time.
Perimeter Traffic Show the current version of perimeter traffic filtering signature database
Filtering Sig- and the date of update last time.
nature
Antivirus Sig- Show the current version of antivirus signature database and the date of
nature update last time.
IPS Signature Show the current version of IPS signature database and the date of update
last time.
Mitigation Sig- Show the current version of mitigation signature database and the date of
nature update last time.

458 Chapter 15 System Management

 Note: Signature is all license controlled, you need to make sure that your system has installed
that license. Refer to "License" on Page 479.

Chapter 15 System Management 459

Device Management
Introduces how to configure Administrator, Trust Host, MGT Interface, System Time, NTP Key and system options.

Administrato rs
Device administrators of different roles have different privileges. The system supports pre-defined administrator roles
and customized administrator roles. By default, the system supports the following administrators, which cannot be
deleted or edited:

l admin: Permission for reading, executing and writing. This role has the authority over all features. You can view
the current or historical configuration information.

l admin-read-only: Permission for reading and executing. You can view the current or historical configuration
information.

l operator: You have the authority over all features except modify the Administrator's configuration, and no per-
mission for check the log information.

l auditor: You can only operate on the log information, including view, export and clear.

Note:
l The device ships with a default administrator named hillstone. You can modify the setting
of hillstone. However, this account cannot be deleted.

l Other role of administrator (except default administrator) cannot configure admin set-
tings, except modifying its own password.

l System auditor can manage one or multiple logs, while only system administrator can man-
age the log types.

VSYS Adm inis tra tor

Administrators in different VSYSs are independent from each other. Administrators in root VSYS are known as root
administrators and administrators in non-root VSYS are known as non-root administrators. The system supports four
types of administrator, including Administrator, Administrator(read-only), Operator, and Auditor.
When creating VSYS administrators, you must follow the rules listed below:

l Backslash (\) cannot be used in administrator names.

l The non-root administrators are created by root RXW administrators after logging into non-root VSYS.

l After logging into root VSYS, the root administrators can switch to non-root VSYS and configure it.

l Non-root administrators can enter the corresponding non-root VSYS after successful login, but the non-root
administrators cannot switch to the root VSYS.

l Each administrator name should be unique in the VSYS it belongs to, while administrator names can be the same
in different VSYSs. In such a case, when logging in, you must specify the VSYS the administrator belongs to in
form of vsys_name\admin_name. If no VSYS is specified, you will enter the root VSYS.
The following table shows the permissions to different types of VSYS administrators.

460 Chapter 15 System Management

 Non-root
Root VSYS Non- Non-
Root Root Non-root VSYS
Root VSYS Admin- root root
VSYS VSYS VSYS Admin-
Operation Admin- istratior VSYS VSYS
Aud- Oper- Admin- istratior
istratior (read- Oper- Aud-
itor ator istratior (read-
only) ator itor
only)

Configure √ χ χ √ √ χ √ χ
(including
saving con-
figuration)
Configure √ χ χ χ √ χ χ χ
admin-
istrator
Restore fact- √ χ χ χ χ χ χ χ
ory default
Delete con- √ χ χ √ √ χ √ χ
figuration
file
Roll back √ χ χ √ √ χ √ χ
con-
figuration
Reboot √ χ χ √ χ χ χ χ
View con- √ √ χ √ View View View χ
figuration inform- inform- inform-
information ation in ation in ation in
current current current
VSYS VSYS VSYS
View log √ √ √ χ √ √ χ √
information
Modify cur- √ √ χ √ √ √ √ √
rent admin
password
ping/tracer- √ √ χ √ √ √ √ χ
oute

Crea ting a n Adm inis tra tor Ac c ount

To create an administrator account:

1. Select System > Device Management > Administrators.

2. Click New.

Chapter 15 System Management 461

3. In the Configuration dialog box, enter values.

Configure the following options.

Option Description

Name Type a name for the system administrator account.

Role From the Role drop-down list, select a role for the administrator account.
Different role have different privilege.

l Admin: Permission for reading, executing and writing. This role

has the authority over all features.

l Operator: You have the authority over all features except modify
the Administrator's configuration, and no permission for check the
log information.

l Auditor: You can only operate on the log information, including the
view, export and clear.

l Admin-read-only: Permission for reading and executing. You can

view the current or historical configuration information.
Password Type a login password for the admin into the Password box. The pass-
word should meet the requirement of Password Strategy.
Confirm Pass- Re-type the password into the Confirm Password box.
word
Login Type Select the access method(s) for the admin, including Console, Telnet,
SSH, HTTP and HTTPS. If you need all access methods, select Select All.
Description Enter descriptions for the administrator account.

4. Click OK.

Admin Ro les
Device administrators of different roles have different privileges. The system supports pre-defined administrator roles
and customized administrator roles. The pre-defined administrator role cannot be deleted or edited. You can cus-
tomize administrator roles according to your requirements:
To create a new administrator role:

462 Chapter 15 System Management

1. Select System > Device Management > Admin Roles.

2. Click New.

3. In the Configuration dialog, configure as follows:

Option Description

Role Enter the role name.

CLI Specify the administrator role's privileges of CLI.
WebUI Click module name to set the administrator role's privilege. represents
the administrator role does not have privilege of the specified module,
and cannot read and write the configurations of the specified module.
represents the administrator role has the read privilege of the spe-
cified module, and cannot write the configurations. represents the
administrator role can read and write the configurations of the specified
module.
Description Specify the description for this administrator role.

4. Click OK to save the settings.

Trust H o st
Device only allows the trust host to manage the system to enhance the security. Administrator can specify an IP range,
and hosts in the specified IP range are trust hosts. Only trust hosts could access the management interface to manage
the device.

Note: If the system cannot be managed remotely, check the trust host configuration.

Crea ting a T rus t H os t

To create a trust host:

1. Select System > Device Management > Trust Host.

2. Click New.

Chapter 15 System Management 463

3. In the Trust Host Configuration dialog box, enter values.

Configure the following options.

Option Description

Type Specifies the type of host. You can select IP/Netmask or IP Range.

l IP/Netmask: Type the IP address and netmask into the IP box

respectively.

l IP Range: Type the start IP and end IP into the IP box respectively.
Login Type Select the access methods for the trust host, including Telnet, SSH, HTTP
and HTTPS.

4. Click OK.

Management I nterface
Device supports the following access methods: Console, Telnet, SSH and WebUI. You can configure the timeout value,
port number, PKI trust domain of HTTPS,and PKI trust domain of certificate authentication. When accessing the device
through Telnet, SSH, HTTP or HTTPS, if login fails three times in one minute, the IP address that attempts the login will
be blocked for 2 minutes during which the IP address cannot connect to the device.
To configure the access methods:

1. Select System > Device Management > Management Interface.

2. In the Management Interface tab, enter values.

Configure the following options.

Option Description

Console Configure the Console access method parameters.

l Timeout: Type the Console timeout value into the Timeout box.
The value range is 0 to 60. The default value is 10. The value of 0
indicates never timeout. If there is no activities until timeout, sys-
tem will drop the console connection.
Telnet Configure the Telnet access method parameters.

l Timeout: Specifies the Telnet timeout value. The value range is 1 to

60. The default value is 10.

l Port: Specifies the Telnet port number. The value range is 1 to

65535. The default value is 23.
SSH Configure the SSH access method parameters.

l Timeout: Specifies the SSH timeout value. The value range is 1 to

60. The default value is 10.

l Port: Specifies the SSH port number. The value range is 1 to

65535. The default value is 22.

464 Chapter 15 System Management

 Option Description

Web Configure the WebUI access method parameters.

l Timeout: Specifies the WebUI timeout value. The value range is 1

to 1440. The default value is 10.

l HTTP Port: Specifies the HTTP port number. The value range is 1 to
65535. The default value is 80.

l HTTPS Port: Specifies the HTTPS port number. The value range is
1 to 65535. The default value is 443.

l HTTPS Trust Domain: Select the trust domain existing in the sys-
tem from the drop-down list. When HTTPS starts, HTTPS server
will use the certificate with the specified trusted domain. By
default, the trust domain trust_domain_default will be used.

l Certificate Authentication: With this checkbox selected, system will

start certificate authentication. The certificate includes the digital cer-
tificate of users and secondary CA certificate signed by the root
CA.Certificate authentication is one of two-factor authen-
tication.Two-factor authentication is not only needing the user
name and password authentication, but also needing other authen-
tication methods,such as certificate or fingerprint.

l Binding Trust Domain: After enabling certificate authentication

and logging into the device over HTTPS, HTTPS server will use the
certificate with the specified trusted domain.Make sure that root
CA certificate is imported into it.

l CN Check：After the CN check is enabled, the name of the root CA

certificate is checked and verified when the user logs in. Only the cer-
tificate and the user can be consistent, and the login succeeds.

3. Click OK.

Note: When changing HTTP port, HTTPS port or HTTPS Trust Domain, the web server will
restart. You may need to log in again if you are using the Web interface.

System Time
You can configure the current system time manually, or synchronize the system time with the NTP server time via NTP
protocol.

Configuring the Sys tem T im e Ma nua lly

To configure the system time manually:

1. Select System > Device Management > System Time.

2. Under System Time Configuration in the System Time tab, configure the followings.
Option Description

Sync with Local Specifies the method of synchronize with local PC. You can select Sync
PC Time or Sync Zone&Time.

l Sync Time: Synchronize the system time with local PC.

Chapter 15 System Management 465

 Option Description
l Sync Zone&Time: Synchronize the system zone&time with local PC.
Specified the sys- Configure parameter of system time.
tem time.
l Time Zone: Select the time zone from the drop-down list.

l Date: Specifies the date.

l Time: Specified the time.

3. Click OK.

Configuring NT P
The system time may affect the establishment time of VPN tunnel and the schedule, so the accuracy of the system time
is very important. To ensure the system is able to maintain a accurate time, the device allows you to synchronize the
system time with a NTP server on the network via NTP protocol.
To configure NTP:

1. Select System > Device Management > System Time.

2. Under NTP Configuration in the System Time tab, configure the followings.
Option Description

Enable Select the Enable check box to enable the NTP function. By default, the
NTP function is disabled.

Authentication Select the Authentication check box to enable the NTP Authentication
function.

Server Specifies the NTP server that device need to synchronize with. You can
specify at most 3 servers.

l IP: Type IP address of the server .

l Key: Select a key from the Key drop-down list. If you enable the
NTP Authentication function, you must specify a key.

l Virtual Router: Select the Virtual Router of interface for NTP com-
munication from the drop-down list.

l Source interface: Select an interface for sending and receiving NTP

packets.

l Specify as a preferred server: Click Specify as a preferred

server to set the server as the first preferred server. The system
will synchronizate with the first preferred server.
Sync Interval Type the interval value. The device will synchronize the system time with
the NTP server at the interval you specified to ensure the system time is
accurate.

Maximum Adjust- Type the time value. If the time difference between the system time and
ment the NTP server's time is within the max adjustment value you specified,
the synchronization will succeed, otherwise it will fail.

3. Click OK.

NTP Key
After enabling NTP Authentication function, you need to configure MD5 key ID and keys. The device will only syn-
chronize with the authorized servers.

466 Chapter 15 System Management

Crea ting a NT P Key
To create an NTP key:

1. Select System > Device Management > NTP Key.

2. Click NEW.

3. In the NTP Key Configuration dialog box, enter values.

Configure the following options.

Option Description

Key ID Type the ID number into the Key ID box. The value range is 1 to 65535.

Password Type a MD5 key into the Password box. The value range is 1 to 31.

Confirm Pass- Re-type the same MD5 key you have entered into the Confirm box.
word

4. Click OK.

Optio n
Specifies system options, including system language, administrator authentication server, host name, password
strategy, reboot and exporting the system debugging information.
To change system option:

1. Select System > Device Management > Option

2. Configure the followings.

Chapter 15 System Management 467

 Option Description

System Main- Configure the system language and administrator authentication server.
tenance
l System Language: You can select Chinese or English according
to your own requirements.

l Administrator Authentication Server: Select a server to authen-

ticate the administrator from the drop-down list.
Host Con- In some situation, more than one devices are installed within a network.
figuration To distinguish among these devices, different names should be assigned
to different devices. The default host name is assigned according to the
model.

l Hostname: Type a host name you want to change into the Host-
name box.

l Domain: Type a domain name you want to specify into the Domain
box.
Password Configure password complexity for admin user.
Strategy
l Minimum Password Length: Specifies the minimum length of pass-
word. The value range is 4 to 16 characters. The default value is 4.

l Password Complexity: Unlimited means no restriction on the selec-

tion of password characters.You can select Set Password Com-
plexity to enable password complexity checking and configure
password complexity.

l Capital letters length： The default value is 2 and the range is

0 to 16.

l Small letters length： The default value is 2 and the range is 0

to 16.

l Number letters length： The default value is 2 and the range is

0 to 16.

l Special letters Length：The default value is 2 and the range is 0

to 16.

l Validity Period： The unit is day.The range is 0 to 365.The

default value is 0, which indicates that there is no restriction
on validity period of the password.

3. Click OK.

468 Chapter 15 System Management

Rebo o ting the System
Some operations like license installation or image upgrading will require the system to reboot before it can take effect.
To reboot a system:

1. Go to System > Device Management > Option .

2. Click Reboot, and select Yes in the prompt.

3. The system will reboot. You need to wait a while before it can start again.

System D ebug I nfo rmatio n

System debugging helps you to diagnose and identify system errors. Basically, all the protocols and functions can be
debugged. By default, debugging of all functions is disabled. The debugging function can only be configured through
CLI.
To export the system debugging information:

1. Select System > Device Management > Option .

2. Click Export,save the debug file and send it to the manufacturer.

D ata co llectio n
When the user enable the data collection function, in the system operation process, some of the data will be uploaded
to the cloud, the data is used for internal research to reduce false positives and to achieve better protection of the
equipment. User has a clear understanding of this type of case data upload and data using the appropriate function
increases. Data collection items include failure feedback now.
To enable the data collection function:

1. Go to System > Device Management > Option .

2. Select the Enable checkbox of Failure Feedback.

Chapter 15 System Management 469

Configuration File Management
System configuration information is stored in the configuration file, and it is stored and displayed in the format of com-
mand line. The information that is used to initialize the Hillstone device in the configuration file is known as the initial
configuration information. If the initial configuration information is not found, the Hillstone device will use the default
parameters for the initialization. The information being taking effect is known as the current configuration information.
System initial configuration information includes current initial configuration information (used when the system
starts) and backup initial configuration information. System records the latest ten saved configuration information,
and the most recently saved configuration information for the system will be recorded as the current initial con-
figuration information. The current configuration information is marked as Startup; the previous nine configuration
information is marked with number from 0 to 8, in the order of save time.
You can not only export or delete the saved configuration files, but also export the current system configurations.

Managing Co nfiguratio n File

This feature may vary slightly on different platforms. If there is a conflict between this guide and the actual page, the
latter shall prevail.
To manage the system configuration files:

1. Select System > Configuration File Management > Configuration File List.

2. In the Configuration File List page, configure the followings.

l Export: Select the configuration file you want to export, and click Export.

l Delete: Select the configuration file you want to delete, and click Delete.

l Backup Restore: You can restore the system configurations to the saved configuration file or factory default,
or you can backup the current configurations.

Option Description

Back up Current Type descriptions for the configuration file into Description box. Click
Configurations Start to backup.
Restore Con- Roll back to Saved Configurations:
figuration
l Select Backup System Configuration File: Click this button, then
select Backup Configuration File from the list. Click OK.

l Upload Configuration File: Click this button. In the Importing

Configuration File dialog box, click Browse and choose a local
configuration file you need in your PC. If you need to make the
configuration file take effect, select the check box. Click OK.
Restore to Factory Defaults:

470 Chapter 15 System Management

 Option Description
l Click Restore, in the Restore to Factory Defaults dialog box, click
OK.

Note: Device will be restored to factory defaults. Meanwhile, all the system configurations will
be cleared, including backup system configuration files.

V iew ing the Current Co nfiguratio n

To view the current configuration file:

1. Select System > Configuration File Management > Current Configuration.

2. Click Export to export the current configuration file.

Chapter 15 System Management 471

SNMP
Device is designed with a SNMP Agent, which can receive the operation request from the Network Management System
and feedback corresponding information of the network and the device.
Device supports SNMPv1 protocol, SNMPv2 protocol and SNMPv3 protocol. SNMPv1 protocol and SNMPv2 protocol use
community-based authentication to limit the Network Management System to get device information. SNMPv3 protocol
introduces an user-based security module for information security and a view-based access control module for access
control.
Device supports all relevant Management Information Base II (MIB II) groups defined in RFC-1213 and the Interfaces
Group MIB (IF-MIB) using SMIv2 defined in RFC-2233. Besides, the system offers a private MIB, which contains the
system information, IPSec VPN information and statistics information of the device. You can use the private MIB by load-
ing it into an SNMP MIB browser on the management host.

SNMP Agent
The device is designed with a SNMP Agent, which provides network management and monitors the running status of
the network and devices by viewing statistics and receiving notification of important system events.
To configure an SNMP Agent:

1. Select System > SNMP > SNMP Agent.

2. In the SNMP Agent page, enter values.

Option Description

SNMP Agent Select the Enable check box for Service to enable the SNMP Agent func-
tion.
ObjectID The Object ID displays the SNMP object ID of the system. The object ID is
specific to an individual system and cannot be modified.
System Contact Type the SNMP system contact information of the device into the System
Contact box. System contact is a management variable of the group sys-
tem in MIB II and it contains the ID and contact of relevant administrator
of the managed device. By configuring this parameter, you can save the
important information to the device for the possible use in case of emer-
gency.
Location Type the location of the device into the Location box.
Host Port Type the port number of the managed device into the Host Port box.
Virtual Router Select the VRouter from the Virtual Router drop-down list.
Local EnginelID Type the SNMP engine ID into the Local EngineID box.

3. Click Apply.

472 Chapter 15 System Management

 Note: SNMP Engine ID identifies an engine uniquely. SNMP Engine is an important component
of the SNMP entity (Network Management System or managed network device) which imple-
ments the functions like the reception/sending and verification of SNMP messages, PDU
abstraction, encapsulation, and communications with SNMP applications.

SNMP H o st
To create an SNMP host:

1. Select System > SNMP > SNMP Host.

2. Click New.

3. In the SNMP Agent dialog box, enter values.

Option Description

Type Select the SNMP host type from the Type drop-down list. You can select
IP Address, IP Range or IP/Netmask.

l IP Address: Type the IP address for SNMP host into Hostname

box.

l IP Range: Type the start IP and end IP into the Hostnamebox

respectively.

l IP/Netmask: Type the start IP address and Netmask for SNMP host
into the Hostnamebox respectively.
SNMP Version Select the SNMP version from the SNMP Version drop-down list.
Community Type the community for the SNMP host into the Community box. Com-
munity is a password sent in clear text between the manager and the
agent. This option is only effective if the SNMP version is V1 or V2C.
Permission Select the read and write permission for the community from the Per-
mission drop-down list. This option is only effective if the SNMP version
is V1 or V2C.

l RO: Stand for read-only, the read-only community is only allowed

to read the MIB information.

l RW: Stand for read-write, the read-write community is allowed to

Chapter 15 System Management 473

 Option Description
read and modify the MIB information.

4. Click OK.

Trap H o st
To create a Trap host:

1. Select System > SNMP > Trap Host.

2. Click New.

3. In the Trap Host Configuration dialog box, enter values.

Option Description

Host Type the domain name or IP address of the Trap host into the Host box.

Trap Host Port Type the port number for the Trap host into the Trap Host Port box.
SNMP Agent Select the SNMP version from the SNMP Agent drop-down list.

l V1 or V2C: Type the community for the Trap host into the Com-
munity box.

l V3: Select the V3 user from the V3 User drop-down list. Type the
Engine ID for the trap host into the Engine ID box.

4. Click OK.

V 3 User Gro up
SNMPv3 protocol introduces a user-based security module. You need to create an SNMP V3 user group for the SNMP
host if the SNMP version is V3.
To create a V3 user group:

1. Select System > SNMP > V3 User Group.

2. Click New.

3. In the V3 Group Configuration dialog box, enter values.

474 Chapter 15 System Management

 Option Description

Name Type the SNMP V3 user group name into the Name box.

Security Model The Security model option displays the security model for the SNMP V3
user group.
Security Level Select the security level for the user group from the Security Level drop-
down list.
Security level determines the security mechanism used in processing an
SNMP packet. Security levels for V3 user groups include No Authentic-
ation (no authentication and encryption), Authentication (authen-
tication algorithm based on MD5 or SHA) and Authentication and
Encryption (authentication algorithm based on MD5 or SHA and mes-
sage encryption based on AES and DES).

Read View Select the read-only MIB view name for the user group from the Read
View drop-down list. If this parameter is not specified, all MIB views will
be none.
Write View Select the write MIB view name for the user group from the Write View
drop-down list. If this parameter is not specified, all MIB views will be
none.

4. Click OK.

V 3 User
If the selected SNMP version is V3, you need to create an SNMP V3 user group for the SNMP host and then add users to
the user group.
To create a user for an existing V3 user group:

1. Select System > SNMP > V3 User.

2. Click New.

3. In the V3 User Configuration dialog box, enter values.

Chapter 15 System Management 475

 Option Description

Name Type the SNMP V3 user name into the Name box.

V3 User Group Select an existing user group for the user from the Group drop-down list.
Security Model The Security model option displays the security model for the SNMP V3
user.
Remote IP Type the IP address of the remote management host into the Remote IP
box.

Authentication Select the authentication protocol from the Authentication drop-down

list. By default, this parameter is None, i.e., no authentication.
Authentication Type the authentication password into the Authentication password
Password box.
Confirm Pass- Re-type the authentication password into the Confirm Password box to
word make confirmation.
Encryption Select the encryption protocol from the Encryption drop-down list.
Encryption Pass- Type the encryption password into the Encryption Password box.
word
Confirm Pass- Re-type the encryption password into the Confirm Password box to
word make confirmation.

4. Click OK.

476 Chapter 15 System Management

Upgrading System
The firmware upgrade wizard helps you:

l Upgrade system to a new version or roll back system to a previous version.

l Update the Signature Database.

Upgrading Firmw are

To upgrade firmware:

1. Select System > Upgrade Management > Upgrade Firmware.

2. In the Upgrade Firmware tab box, configure the followings.

Upgrade Firmware

Backup Con- Make sure you have backed up the configuration file before upgrading.
figuration File Click Backup Configuration File to backup the current firemare file, the
system will automatically redirect to Configuration File Management
page after backup.
Current Version The current firmware version.
Upload Firmware Click Browse to select a firmware file from your local disk.
Backup Version The backup firmware version.
Reboot Select the Reboot to make the new firmware take effect check box and
click Apply to reboot system and make the firmware take effect. If you
click Apply without selecting the check box, the firmware will take effect
after the next startup.

Choose a Firmware for the next startup

Select the firm- Select the firmware that will take effect for the next startup.
ware that will
take effect for
the next startup.
Reboot Select the Reboot to make the new firmware take effect check box and
click Apply to reboot system and make the firmware take effect. If you
click Apply without selecting the check box, the firmware will take effect
after the next startup.

Updating Signature D atabase

To update signature database:

1. Select System > Upgrade Management > Signature Database Update.

2. In the Signature Database Update tab box, configure the followings.

Chapter 15 System Management 477

 Option Description

Current Version Show the current version number.

Remote Update Application signature database, URL signature database, Antivirus sig-
nature database, IPS signature database or IP reputation database.

l Update Now: Click Update to update the signature database right

now.

l Auto Update: Select Enable Auto Update and specify the auto
update time. Click Save to save your changes.

l Configure Update Server: By default system updates the signature

database everyday automatically. You can change the update con-
figuration as needed. Hillstone devices provide two default update
servers: update1.hillstonenet.com and update2.hillstonenet.com.
You can customize the servers according to your need. In the pop-
up Auto Update Settings dialog, specify the server IP or domain
name and Virtual Router.

l Configure Proxy Server: When the device accesses the Internet

through a HTTP proxy server, you need to specify the IP address and
the port number of the HTTP proxy server. With the HTTP proxy
server specified, various signature database can update normally.
Click Configure Proxy Server, then enter the IP addresses and ports
of the main proxy server and the backup proxy server.
Mitigation rule database, Abnormal behavior mode database or Malware
behavior mode database.

l Update Now: Click Update to update the signature database right

now.

l Auto Update: Select Enable Auto Update and specify the auto
update time. Click Save to save your changes.

l Server: By default system updates the signature database every-

day automatically. You can change the update configuration as
needed. Devices provide two default update servers: update1.hill-
stonenet.com and update2.hillstonenet.com. You can customize
the servers according to your need. In the pop-up Auto Update Set-
tings dialog, specify the server IP or domain name and Virtual
Router.

l Server: Devices provide a default update servers: sec-cloud.hill-

stonenet.com.
Local Update Click Browse and select the signature file in your local PC, and then click
Upload.

478 Chapter 15 System Management

License
License used to authorize users features, services or extending the performance. If you do not buy and install the cor-
responding License, the features, services and performances which is based on License will not be used, or can not
achieve the higher performance.
License classes and rules.

Platform License Description Valid Time

Platform Trial Platform license is the basis of the other You cannot modify the
licenses operation. If the platform license is existing configuration
invalid, the other licenses are not effective. The when License expired. Sys-
device have been pre-installed platform trial tem will restore to factory
license for 15 days in the factory. defaults when the device
reboot.

Platform Base You can install the platform base license after System cannot upgrade the
the device formal sale. The license provide OS version when License
basic firewall and VPN function. expired. But system could
work normally.

Function License Description Valid Time

VSYS Authorizing the available number of VSYS. Permanent
SSL VPN Authorizing the maximum number of SSL VPN Permanent
access. Through installing multiple SSL VPN
licenses, you can add the maximum number of
SSL VPN access.
QoS Enable QoS function. Permanent
WAP Traffic Dis- Providing WAP traffic distribution. Permanent
tribution
Sandbox License Providing sandbox function and white list The valid time including 1
update, authorizing the number of suspicious year, 2 years and 3 years.
files uploaded per day.
System cannot provide to
Including 3 licenses: analyze the collected data
and cannot update the
l Sandbox-300 license: 300 suspicious white list when License
files are allowed to upload every day. expired.

l Sandbox-500 license: 500 suspicious Only can using the sand-

files are allowed to upload every day. box protection function
according to the local data-
l Sandbox-1000 license: 1000 suspicious base cache results. If you
files are allowed to upload every day. restart the device, the func-
tion cannot be used.

Service License Description Valid Time

AntiVirus Providing antivirus function and antivirus sig- System cannot update the
nature database update. antivirus signature data-
base when License expired.
But antivirus function
could be used normally.

URL Providing URL database and URL signature System cannot provide to
database update. search URL database online
function when License
expired. But user-defined
URL and URL filtering func-
tion could be used nor-
mally.

Chapter 15 System Management 479

 IPS Providing IPS function and IPS signature data- System cannot update the
base update. IPS signature database
when License expired. But
IPS function could be used
normally.

APP signature APP signature license is issued with platform System cannot update the
license, you do not need to apply alone. The APP signature database
valid time of license is same as platform when License expires. But
license. the functions included and
rules could be used nor-
mally.

Threat Prevention A package of features, including AntiVirus, IPS, System cannot update all
and corresponding signature database update. signature databases when
license expires. But the func-
tions included and rules
could be used normally.
Expansion and Description Valid Time
Enhancement
License

AEL Advance the maximum value of concurrent ses- Permanent

sions and performance.

V iew ing License List

Select System > License to enter the License List page. All licenses the system supports will be displayed in this
page, including the authorized licenses and unauthorized licenses.
If there is license that is about to expire (the remaining valid period is within 30 days) or has expired:

l When you log into the device, the License Expiration Information dialog will pop up, which prompts for
licenses that are about to expire or have expired. Check the Don't remind me again checkbox so that the dialog
will never prompt again when you login. Click the Update Now button to jump to the License List page.

l The notification icon with the number of notifications is displayed in the upper-right corner. Hover your mouse
over the icon, and click Details after the License Expiration Information, the License Expiration Information
dialog will pop up.

Applying fo r a License
Before you apply for a license, you have to generate a license request first.

1. Select System > License.

2. Under License Request, input user information. All fields are required.

480 Chapter 15 System Management

3. Click Generate, and then appears a bunch of code.

4. Send the code to your sales contact. The sales person will issue the license and send the code back to you.

I nstalling a License
After obtaining the license, you must install it to the device.
To install a license:

1. Select System > License.

2. Under License installation in the License page, configure options as below.

Option Description

Upload License Select Upload License File. Click Browse to select the license file, using
File the TXT format, and then click OK to upload it.
Manual Input Select Manual Input. Type the license string into the box.
Online Install Select the Online Install radio button and click the Online Install button,
your purchased licenses will be automatically installed. It should be
noted that the licenses must be in activated status in the Hillstone Online
Registration Platform(http://onlinelic.hillstonenet.com/reqlicense). (To
activate the license, you need to log into the platform using your user-
name and password of the platform.The username is the same as your
mailbox which was provided when placing an order. Hillstone will send
the password by e-mail.Then activate the licenses that need to be
installed. If you purchased the device from the Hillstone agent, please
contact the agent to activate the licenses.)

3. Click OK.

4. Go to System > Device Management, and click the Option tab.

5. Click Reboot, and select Yes in the prompt.

6. The system will reboot. When it starts again, installed license(s) will take effect.

Chapter 15 System Management 481

Mail Server
By configuring the SMTP server in the Mail Server page, the system can send the log messages to the specified email
address.

Creating a Mail Server

To create a mail server:

1. Select System > Mail Server.

2. In the SMTP Server Configuration page, enter values.

Option Description

Name Type a name for the SMTP server into the box.
Server Type Domain name or IP address for the SMTP server into the box.
Virtual Router From the Virtual Router drop-down list, select the Virtual Router for the
SMTP server.
Verification Select the Enable check box for SMTP verification to enable it if needed.
Type the username and its password into the corresponding boxes.
Email Type the email address that sends log messages.

3. Click Apply.

482 Chapter 15 System Management

SMS Parameters
SMS Mo dem D evices
An external GSM modem device is required for sending SMS messages. First, you need to prepare a mobile phone SIM
card and a GSM SMS Modem. Insert the SIM card into your modem and then, connect the modem and the firewall
using a USB cable.
The system will show the modem connection status: correctly connected, not exist or no signal.

Co nfiguring SMS Parameters

You can define the maximum SMS message number in one hour or in one day. If the messages exceed the maximum
number, the system will not make the modem to send messages, but it will keep a log for this behavior.

Option Description

Maximum mes- Defines the maximum message number the modem can send in one hour.
sages per hour
Maximum mes- Defines the maximum messages number the modem can send in one day.
sages per day

Testing SMS
To test if the message sending works, you can send a test text to a mobile.
To send a text message to a specified mobile number:

1. Select System > SMS Parameters.

2. Enter a mobile phone number in the text box.

3. click Send. If the SMS modem is correctly configured and connected, the phone using that number will receive a
text message; if it fails, an error message will indicate where the error is.

Chapter 15 System Management 483

Connecting to HSM
Hillstone Security Management (HSM) is a centralized management platform to manage and control multiple Hillstone
devices. Using WEB2.0 and RIA (Rich Internet Application) technology, HSM supports visualized interface to centrally
manage policies, monitor devices, and generates reports.
Each firewall system has an HSM module inside it. When the firewall is configured with correct HSM parameters, it can
connect to HSM and be managed by HSM.

Note: For more information about HSM, please refer to HSM User Guide.

H SM D eplo yment Scenario s

HSM normally is deployed in one of the two scenarios: installed in public network or in private network:

l Installed in public network: HSM is remotely deployed and connected to managed devices via Internet. When the
HSM and managed devices have a accessible route, the HSM can control the devices.

l Installed in private network: In this scenario, HSM and the managed devices are in the same subnet. HSM can
manage devices in the private network.

Co nnecting to H SM
To configure HSM parameters in the firewall:

484 Chapter 15 System Management

1. Select System > HSM Agent.

2. Select Enable of HSM Agent field to enable this feature.

3. Input HSM server's IP address in the Sever IP/Domain text box. The address cannot be 0.0.0.0 or
255.255.255.255, or mutlicast address.

4. Enter the port number of HSM server.

5. Click OK.

Note: The Syslog Server part shows the HSM server's syslog server and its port.

Connecting to Hillstone Cloud·View

Cloud·View is a SaaS products of security area and a cloud security services platform in the mobile Internet era.
Cloud·View deployed in the public cloud, to provide users with online on-demand services. Users can get convenient,
high quality and low cost value-added security services through the Internet, APP, and get a better security exper-
ience.
After the Hillstone device is properly configured to connect the Cloud ·View , you can achieve the Hillstone device regis-
tration to the public cloud and the connection with the Cloud ·View, and then to achieve the Cloud ·View remote mon-
itoring device.

Clo ud·V iew D eplo yment Scenario s

The main deployment scenarios of Cloud·View are described as follows:
Hillstone devices registered to the public cloud, the device information, traffic data, threat event, system logs
uploaded to the cloud, the cloud provides a visual display. Users can through the Web or mobile phone APP monitoring
device status information, reports, threat analysis, etc.

Chapter 15 System Management 485

 Note: About Cloud·View, see Cloud·View FAQs page.

Co nnecting to H illsto ne Clo ud·V iew

When using the Cloud·View, the device needs to connect to the Cloud·View server.

1. Select System > Hillstone Cloud·View.

2. Select the Enable check box of Hillstone Cloud·View.

3. Enter the URL of the Cloud·View server. The default configuration is cloud.hillstonenet.com.cn.

4. Enter the username of Cloud·View. Register the device to this user.

5. Enter the password of the user.

6. Server Status displays the Cloud·View status.

7. Select Traffic Data to upload the monitor data.

8. Select Threat Event to upload the threat events detected by Hillstone device.

9. Select System Log to upload the event logs.

10. Select whether to join the Hillstone could security program. This program will upload the threat prevention data to
cloud intelligence server. The uploaded data will be used for internal research to reduce false positives and to
achieve better protection of the equipment.

11. Click OK.

486 Chapter 15 System Management

VSYS (Virtual System)
This feature may vary slightly on different platforms. If there is a conflict between this guide and the actual page, the
latter shall prevail.
VSYS (Virtual System) is to logically divide the physical firewall into several virtual firewalls. Each virtual firewall can
work independently as a physical device with its own system resources, and it provides most firewall features. A VSYS
is separated from other VSYS, and by default, they cannot directly communicate with each other.
VSYS has the following characteristics:

l Each VSYS has its own administrator;

l Each VSYS has an its own virtual router, zone, address book and service book;

l Each VSYS can have its own physical or logical interfaces;

l Each VSYS has its own security policies.

Note: The maximum VSYS number is determined by the platform capacity and license. You can
expand VSYS maximum number by purchasing addition licenses.

V SYS Obj ects

This section describes VSYS objects, including root VSYS, non-root VSYS, administrator, VRouter, VSwitch, zone, and
interface.

Root VSYS a nd Non-root VSYS

The system contains only one root VSYS which cannot be deleted. You can create or delete non-root VSYSs after
installing a VSYS license and rebooting the device. When creating or deleting non-root VSYSs, you must follow the
rules listed below:

l When creating or deleting non-root VSYSs through CLI, you must be under the root VSYS configuration mode.

l Only the administrator with then RXW permission in root VSYS can create or delete non-root VSYS. For more
information about administrator permissions, see "Device Management" on Page 460.

l When creating a non-root VSYS, the following corresponding objects will be created simultaneously:

l An administrator with the RXW permission named admin. The password is vsys_name-admin.

l A VRouter named vsys_name-vr.

l A L3 zone named vsys_name-trust.

For example, when creating the non-root VSYS named vsys1, the following objects will be created:

l The RXW administrator named admin with the password vsys1-admin.

l The default VRouter named vsys1-vr.

l The L3 zone named vsys1-trust and it is bound to vsys1-vr automatically.

l When deleting a non-root VSYS, all the objects and logs in the VSYS will be deleted simultaneously.

l The root VSYS contains a default VSwitch named VSwitch1, but there is no default VSwitch in a newly created
non-root VSYS. Therefore, before creating l2 zones in a non-root VSYS, a VSwitch must be created. The first
VSwitch created in a non-root VSYS will be considered as the default VSwitch, and the l2 zone created in the non-
root VSYS will be bound to the default VSwitch automatically.

Chapter 15 System Management 487

VRouter, VSw itc h, Zone a nd Interfa c e
VRouter, VSwitch, zone, and interface in VSYS have two properties which are shared and dedicated. Objects with ded-
icated property are dedicated objects, while doing specific operations to the object with the shared property will make
it a shared object. The dedicated object and shared object have the following characters:

l Dedicated object: A dedicated object belongs to a certain VSYS, and cannot be referenced by other VSYSs. Both
root VSYS and non-root VSYS can contain dedicated objects.

l Shared object: A shared object can be shared by multiple VSYSs. A shared object can only belong to the root
VSYS and can only be configured in the root VSYS. A non-root VSYS can reference the shared object, but cannot
configure them. The name of the shared object must be unique in the whole system.

The figure below shows the reference relationship among dedicated and shared VRouter, VSwitch, zone,
and interface.

As shown in the figure above, there are three VSYSs in StoneOS: Root VSYS, VSYS-A, and VSYS B.
Root VSYS contains shared objects (including Shared VRouter, Shared VSwitch, Shared L3-zone, Shared L2-zone,
Shared IF1, and Shared IF2) and dedicated objects.
VSYS-A and VSYS-B only contain dedicated objects. The dedicated objects VSYS-A and VSYS-B can reference the
shared objects in Root VSYS. For example, A-zone2 in VSYS-A is bound to the shared object Shared VRouter in Root
VSYS, and B-IF3 in VSYS-B is bound to the shared object Shared L2-zone in Root VSYS.

Sha re d VRoute r
A shared VRouter contains the shared and dedicated L3 zones of the root VSYS. Bind a L3 zone to a shared VRouter
and configure this L3 zone to have the shared property. Then this zone becomes a shared zone.

Sha re d VSwitch
A shared VSwitch contains the shared and dedicated L2 zones of the root VSYS. Bind a L2 zone to a shared VSwitch
and configure this L2 zone to have the shared property. Then this zone becomes a shared zone.

Sha re d Zone
The shared zones consist of L2 shared zones and L3 shared zones. After binding the L2 zone with the shared property
to a shared VSwitch, it becomes a shared L2 zone; after binding the L3 zone with shared property to a shared VRouter,
it becomes a shared L3 zone. A shared zone can contain interfaces in both root VSYS and non-root VSYS. All function
zones cannot be shared.

Sha re d Inte rfa ce

After binding an interface in the root VSYS to a shared zone, it becomes a shared interface automatically.

Inte rfa ce Configura tion

Only RXW administrator in the root VSYS can create or delete interfaces. Configurations to an interface and its sub-
interfaces must be performed in the same VSYS.

488 Chapter 15 System Management

 Note: Only adminitrator has the authority ot delete or create interfaces. If you are about to
delete an interface and its-subinterfaces, you have to do it under the same VSYS.

Creating No n-ro o t V SYS

To create a new non-root VSYS:

1. Select System > VSYS > VSYS.

2. Click New to add a non-root VSYS.

3. In the prompt, enter values.

Option Description

Name Enter a name for the non-root VSYS.

Interface Binding Select a physical or a logical interface. In VSYS, a physical interface can
have its sub-interfaces, but logical interfaces cannot.

l Physically Import: Select the interface you want, and click Phys-
ically Import to add it to the right pane.

l Logically Allocate: Select the interface you want, and click Logic-
ally Allocate to add it to the right pane.

l Release: Select the added interface(s), and click Release to delete

it.
Quota Select an existing quota.

4. Click OK to save configuration. The new VSYS will be seen in the VSYS list.

Co nfiguring D edicated and Shared Obj ects fo r No n-ro o t V SYS

VRouter, VSwitch, zone, and interface in VSYS have two properties which are shared and dedicated. Objects with ded-
icated property are dedicated objects, while doing specific operations to the object with the shared property will make
it a shared object. The dedicated object and shared object have the following characters:

Chapter 15 System Management 489

 l Dedicated object: A dedicated object belongs to a certain VSYS, and cannot be referenced by other VSYSs. Both
root VSYS and non-root VSYS can contain dedicated objects.

l Shared object: A shared object can be shared by multiple VSYSs. A shared object can only belong to the root
VSYS and can only be configured in the root VSYS. A non-root VSYS can reference the shared object, but cannot
configure them. The name of the shared object must be unique in the whole system.
To configure VSYS shared object:

1. Select System > VSYS > VSYS.

2. Click Share Resource.

3. In the prompt, enter values for VSwitch, VRouter and Zone.

Option Description

VSwitch In the VSwtich tab, select a Vswitch and click Share to set it as a shared
object; to make a VSwitch as a dedicated object, click Do Not Share.
VRouter In the VRouter tab, select a Vswitch and click Share to set it as a shared
object; to make a VRouter as a dedicated object, click Do Not Share.

Zone In the Zone tab, select a Zone and click Share to set it as a shared object;
to make a Zone as a dedicated object, click Do Not Share.

4. Click Close to exit.

Co nfiguring V SYS Quo ta

VSYSs work independently in functions but share system resources including concurrent sessions, zone number,
policy rule number, SNAT rule number, DNAT rule number, session limit rules number, memory buffer, URL resources
and IPS resources. You can specify the reserved quota and maximum quota for each type of system resource in a VSYS
by creating a VSYS profile. Reserved quota refers to the resource number reserved for the VSYS; maximum quota
refers to the maximum resource number available to the VSYS. Only root RXW administrators have the permission to
create VSYS quota. The total for each resource of all VSYSs cannot exceed the system capacity.
To define a quota for VSYS:

1. Select System > VSYS > Quota.

2. Click New .

3. In the prompt, enter values.

490 Chapter 15 System Management

 Option Description
Basic Configuration

Name Enter a name for the new quota.

CPU Specify values for parameters of CPU.

l Limit: Specifies the maximum performance limit for processing 1

Mbps packets.

l Reserve: A dedicated reservered value for CPU in this VSYS.

l Alarm Threshold: Specifies a percentage value for alarms. When

the CPU usage reaches this value, the system will generate alarm
logs.
System Resources

System Specify the maximum quota and reserved quota of system resources.
Resources
l Session number: Specifies the maximum and reserved number for
sessions in the VSYS.

l Zones: Specifies the maximum and reserved number for zones in the
VSYS.

l Policy rules: Specifies the maximum and reserved number for

policy rules in the VSYS.

l SNAT rules: Specifies the maximum and reserved number for SNAT
rules in the VSYS.

l DNAT rule: Specifies the maximum and reserved number for SNAT
rules in the VSYS.

l Stat-set (session): Specifies the maximum and reserved number for

sessions of a staticstic set in the VSYS.

l Stat-set (other): Specifies the maximum and reserved number for

other items than sessions of a staticstic set in the VSYS.

l IPsec: Specifies the maximum and reserved number for IPSec tunnels
in the VSYS.

l Session Limit Rules Number: Specifies the maximum and reserved

number for session limit rules in the VSYS.

l Key Categories: Specifies the maximum and reserved number for

keyword categories in the VSYS.

l Regular Keys: Specifies the maximum and reserved number for

regular expression keywords in an URL category in the VSYS.

l Keys: Specifies the maximum and reserved number for simple

Chapter 15 System Management 491

 Option Description
Basic Configuration
keywords in an URL category in the VSYS.
Protection

URL Resources Specify the maximum quota and reserved quota of URL resources.

l URL: Select the Enable check box to enable the URL filter function.

l URL Profiles: Specifies the maximum and reserved number for URL
filter profiles in a VSYS.

l URL Categories: Specifies the maximum and reserved number for

user-defined URL categories in a VSYS.

l URLs: Specifies the maximum and reserved number for URLs in a

VSYS.
IPS Resources Specify the maximum quota and reserved quota of IPS resources.

l IPS: Select the Enable check box to enable the IPS function.

l IPS Profiles: Specifies the maximum and reserved number for IPS
profiles in a VSYS. You can create one IPS Profile at most in non-
root VSYS, i.e., the range of maximum quota varies from 0 to 1.
The default value of maximum quota and reserved quota is 0,
which means only predefined IPS Profiles can be used in non-root
VSYS.
Log Configuration

Log Con- Specify the maximum quota and reserved quota of memory buffer for
figuration each type of logs in a VSYS. The reserved quota should not exceed the
maximum quota. If the logs’ capacity in a VSYS exceeds its maximum
quota, the new logs will override the earliest logs in the buffer.

l Config Logs: Specify the maximum and reserved value of buffer for
configuration logs in a VSYS.

l Event Logs: Specify the maximum and reserved value of buffer for
event logs in a VSYS.

l Network Logs: Specify the maximum and reserved value of buffer

for network logs in a VSYS.

l Threat Logs: Specify the maximum and reserved value of buffer for
threat logs in a VSYS.

l Session Logs: Specify the maximum and reserved value of buffer for
session logs in a VSYS.

l NAT Logs: Specify the maximum and reserved value of buffer for
NAT logs in a VSYS.

l Websurf Logs: Specify the maximum and reserved value of buffer

for websurf logs in a VSYS.

4. Click OK to save settings. The new VSYS quota will be shown in the list.

492 Chapter 15 System Management

 Note:

l Up to 128 VSYS quotas are supported.

l The default VSYS profile of the root VSYS named root-vsys-profile and the default VSYS pro-
file of non-root VSYS named default-vsys-profile cannot be edited or deleted.

l Before deleting a VSYS profile, you must delete all the VSYSs referencing the VSYS profile.

l The maximum quota varies from one platform to another. The reserved quota cannot
exceed maximum quota.

Chapter 15 System Management 493