Hillstone Networks

StoneOS Cookbook
Version 11

TechDocs | docs.hillstonenet.com
Copyright 2023 Hillstone Networks. All rights reserved.

Information in this document is subject to change without notice. The software described in this document is
furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in
accordance with the terms of those agreements. No part of this publication may be reproduced, stored in a
retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and
recording for any purpose other than the purchaser's personal use without the written permission of Hillstone
Networks.

Hillstone Networks

Commercial use of the document is forbidden.

Contact Information:

US Headquarters:

Hillstone Networks

292 Gibraltar Drive, Suite 105

Sunnyvale, CA 94089

Phone: 1-408 508 6750

https://www.hillstonenet.com/about-us/contact/
About this Guide:

This guide gives you configuration instructions of Hillstone NetworksStoneOS user scenarios.

For more information, refer to the documentation site: https://docs.hillstonenet.com.

To provide feedback on the documentation, please write to us at:

[email protected]

Hillstone Networks

TWNO: TW-CBK-UNI-5.5R10-EN-V11-1/11/2023

Release Date: 1/11/2023

Contents

Contents

Overview

How to Use Cookbook

Target audience 2

StoneOS Versions 2

Reading Sequence 2

Text vs. Screenshots 2

Getting Started and Other Chapters 2

Interface, Name, Topology 3

Clicking OK or Apply 3

Getting Started

Upgrading Firmware to Higher Version 5

Preparation 5

Method 1: Upgrading from WebUI 6

Method 2: Upgrading from CLI 7

Upgrading Firmware to Higher Version in HA mode 9

Preparation 9

Upgrade Steps 10

Using Security Policy to Allow Access to Another Zone 15

Configuration Steps 16

1
Allowing Private Network to Access Internet Using SNAT 21

Configuration Steps 22

Allowing Internet to Visit a Private Server Using DNAT 26

Configuration Steps 27

Deploying Tap Mode to Monitor Network Traffic 31

Preparation 31

Configuring Tap Mode and Threat Detection 32

Configuring the Device to Communicate with Zabbix Using SNMP 40

StoneOS 40

Zabbix: 42

Dynamically Manage Access Authority Via Radius Dynamic Authorization 46

Scenario 46

Configuration Steps 47

DNS Proxy 57

Scenario 57

Preparation 58

Configuration Steps 58

Q&A 61

Adding an SNAT Rule to StoneOS through NETCONF 62

Preparation 62

Configuration Steps 62

Device A 62

2
 NETCONF Client 63

Viewing the results 66

Binding the Log Processing Process and Database Storage Process to Core MAX 67

Configuration Roadmap 67

Configuration Steps 68

Viewing the results 69

Routing

Realizing Multicast Forwarding Through PIM-SM Multicast Protocol 71

Configuration Steps 71

Realizing Multicast Forwarding Through PIM-SSM Multicast Protocol 80

Configuration Steps 80

Deploying HA Scenario for Multicast Forwarding Through PIM-SM 87

Configuration Steps 89

Authentication

Allowing the Internet Access via User Authentication 95

Configuration Steps 95

Using AD Polling for SSO 103

Preparation 103

Configuration Steps 104

Allowing Internet Access via AD Polling 113

Preparation 113

Configuration Steps 114

3
 Allowing Internet Access via AD Agent 125

Preparation 125

Configuration Steps 126

Allowing Internet Access via TS Agent 136

Preparation 136

Configuration Steps 137

VPN

Connection between Two Private Networks Using IPSec VPN (IKEv1) 145

Configuration Steps 145

Device A 145

Device B 151

Connection between Two Private Networks Using IPSec VPN (IKEv2) 158

Configuration Steps 158

Device A 158

Device B 162

Establishment of IPSec VPN Based on Certificate Authentication 168

Configuration Steps 168

Device A 168

Device B 174

Realizing Dynamic Switch between IPSec Links Using IPSec VPN Smart Link 181

Configuration Steps 181

Device A 181

4
 Device B 184

Allowing Remote Users to Access a Private Network Using SSL VPN 194

Configuration Steps 195

Connecting to Microsoft Azure Using Site-to-Site VPN 203

Configure Microsoft Azure 204

Configure Hillstone Device 211

Using an iOS/Android Device to Remotely Access Intranet Services 214

Using an iOS Device to Remotely Access Intranet Services 214

Using an Android Device to Remotely Access Intranet Services 220

Allowing Remote Users ( PC ) to Access a Private Network Using L2TP over IPSec VPN 222

Configuring Basic Settings 222

Configuring IPSec VPN 225

Configuring L2TP VPN 228

Setting up a VPN Connection 230

Adjusting Whether to Use IPSec for L2TP VPN 240

Allowing Remote Users (iOS/Android) to Access a Private Network Using L2TP over IPSec VPN 241

Configuring Basic Settings 241

Configuring IPSec VPN 244

Configuring L2TP VPN 247

Set up a VPN connection in iOS/Android 249

Connection between Two Private Networks Using GRE over IPSec VPN 256

Configuring Basic Settings 257

5
 Configuring IPSec VPN 260

Configuring GRE VPN 265

Configuring Route and Policies 268

Configuring VXLAN Static Unicast Tunnel 272

Configuration Steps 272

VTEP1 Configuratio 272

VTEP2 Configuration 273

Allowing Remote Users ( PC ) to Access a Private Network Using L2TP and SSL VPN 275

Configure the Branch Firewall 275

Configure Headquarters Firewall 282

Setting up a VPN Connection 286

Zero Trust Network Access (ZTNA)

Windows User Remotely Accessing Internal Server Through ZTNA 289

Networking Scenario 289

Configuration Roadmap 290

Configuration Steps 292

Android User Remotely Accessing Internal Server Through ZTNA 306

Networking Scenario 306

Configuration Roadmap 307

Configuration Steps 308

High Availability

Ensuring Uninterrupted Connection Using HA 317

6
 Configuration Steps 318

Making Two Firewalls Working in Hot Standby Mode by Deploying them in HA Peer to Ensure the
Continuity of Service 325

Configuration Steps 325

Verification 328

Device A and Device B Working Normally 328

Device B Failing and Device A Working Normally 329

Using Two Devices as Gateways to Forward Business Traffic and Back Up Each Other Based on HSVRP,
which Rnsures Uniterrupted Business Traffic 330

Configuration Steps 331

Verification 336

M0D1 and D0M1 Working Normally 336

D0M1 Failing and M0D1 Working Normally 337

Quality of Service (QoS)

QoS Control 339

Configuration Steps 340

Outbound Link Load Balance 346

Configuration Steps 347

Q&A 349

Threat Prevention

Protecting Internal Servers and Host to Defend Attack via Abnormal Behavior Detection 352

Configuration Steps 353

Protecting Intranet to Defend Attacks via Intrusion Prevention System 359

7
 Configuration Steps 360

Forensic Analysis 367

Configuration Steps 367

Forensic Analysis Configuration Example 369

Threat Intelligence Via Hillstone Cloud Service Platform 374

Preparation 375

Configuration Steps 375

Viewing the results 376

Data Security

Decrypting HTTPS Traffic and Identifying the Encrypted Application 378

Configuration Steps 379

URL Filtering for HTTPS Traffic without the CA Certificate 382

Preparation 382

Configuration Steps 383

IPv6

Connecting IPv6 and IPv4 Networks 388

Configuring Networks of Headquarters 388

Configuring Networks of Branch A 393

Configuring Networks of Branch B 396

Realizing FTP Service in IPv6-only or IPv4/IPv6 Hybrid Networks Using ALG 399

Before You Start 400

Configuration Steps of Scenario 1 400

8
 Configuration Steps of Scenario 2 401

Configuration Steps of Scenario 3 404

Realizing SIP Communication in IPv6-only or IPv4/IPv6 Hybrid Networks Using ALG 408

Before You Start 410

Configuration Steps of Scenario 1 410

Configuration Steps of Scenario 2 412

Configuration Steps of Scenario 3 415

Realizing Dual-stack Host in IPv4 Network Accessing IPv6 Network Via ISATAP Tunnel 419

Configuration Steps 419

Allowing Communication Between IPv6 networks by Configuring a 6RD Tunnel 422

Configuration Tips 423

Configuration Steps of Scenario 1 423

Configure Headquarters Device (Device) 423

Configure Device A 426

Configuration Steps of Scenario 2 429

Configure Headquarters Device (Device) 429

Configure Device B 432

Result of Scenario 1 435

Result of Scenario 2 436

Change Log

Cookbook V1 438

Cookbook V2 438

9
Cookbook V3 438

Cookbook V4 439

Cookbook V5 439

Cookbook V6 439

Cookbook V7 440

Cookbook V8 440

Cookbook V8.1 440

Cookbook V9 440

Cookbook V10 441

Cookbook V11 441

10
StoneOS Cookbook

Overview

StoneOS Cookbook provides configuration examples for you to user Hillstone network security products. This books covers basic get-
ting-started cases, firewall functions, and advanced user scenarios. All configuration uses graphic user interface (GUI), or also known as
web user interface (WebUI), not command line interface.

Each recipe consists of two parts: scenario settings and configuration steps. Topology and screenshot are used to assist you in under-
standing the key information of the case.

StoneOS Cookbook is very helpful in understanding operational logic, and improving efficiency.

StoneOS Cookbook organizes its recipes into the following chapters:

o "Getting Started" on Page 4 - Basic network connecting features.

o "Routing" on Page 70 -PIM.

o "Authentication" on Page 94- User authentication.

o "VPN" on Page 144- IPSec VPN and SSL VPN.

o "Quality of Service (QoS)" on Page 338 - Bandwidth control.

o "High Availability" on Page 316 - High availability.

o "Threat Prevention" on Page 351 - Threat prevention.

o "Data Security" on Page 377－ Data Security.

o "IPv6" on Page 387 - Connecting IPv6 and IPv4 Networks

This book is updated on requirement, not periodically.

The current version you are using is based on StoneOS 5.5R5.

Overview 1
StoneOS Cookbook

How to Use Cookbook

Before you read the book, there are a few tips you need to know.

Target audience

Cookbook is written with new users in mind. However, if you use this book, you still are required to know how to use WebUI, connect
cables and log in the system. Such information can be found in Getting Started Guide.

StoneOS Versions

This cookbook you are reading now is based on StoneOS 5.5.

With system updates, the user interface is subject to change, and WebUI layout may vary depending on hardware platforms. This cook-
book may not comply with every detail on WebUI, please check your web pages for difference when you use this book.

Reading Sequence

When you open the book, it is better to read it in the sequence below:

1. Go to Table of Contents, and locate the feature you need;

2. Jump to that feature, read the scenario description and topology;

3. Go through step key points (marked as "Step1", "Step2") to understand configuration logic;

4. Read the left text and right screen shots to get the details.

5. Configure your device accordingly, but substitute with your own IP address or names.

Text vs. Screenshots

The step details are explained by combing description text and screenshots. The text on the left gives configuration details, highlights
and notes; the sceenshot on the right is the exact screen capture of this step.

Getting Started and Other Chapters

In this cookbook, the chapter "Getting Started" is the prerequisite for other chapters. Other chapters deem that the protected network
has already finished its basic networking settings mentioned in the Getting Started chapter. In other chapters, steps like NAT, default

How to Use Cookbook 2

 StoneOS Cookbook

routes and DNS are not included. So, when you reference to user scenarios in chapters other than Getting Started, you should ensure
that your protected network has already been basically established.

Interface, Name, Topology

This book explains function configuration by writing scenarios (also called "cases" or "recipes"). Interface addresses, object names, and
topologies are the real laboratory settings. When you configure your own network, substitute the names and addresses with your real
names and addresses.

Clicking OK or Apply

Generally, when you finish filling or editing an option, you must click OK, Apply, or Confirm button to make the setting take effect.
This kind of operation is universal. This book will not write specifically about this operation otherwise else is needed.

3 How to Use Cookbook

StoneOS Cookbook

Getting Started

Recipes in Getting Started chapter introduce basic networking configurations.

This chapter includes the following recipes:

o "Upgrading Firmware to Higher Version" on Page 5

o "Upgrading Firmware to Higher Version in HA mode" on Page 9

o " Using Security Policy to Allow Access to Another Zone" on Page 15

o "Allowing Private Network to Access Internet Using SNAT" on Page 21

o "Allowing Internet to Visit a Private Server Using DNAT" on Page 26

o "Deploying Tap Mode to Monitor Network Traffic " on Page 31

o "Configuring the Device to Communicate with Zabbix Using SNMP" on Page 40

o "Dynamically Manage Access Authority Via Radius Dynamic Authorization" on Page 46

o " DNS Proxy" on Page 57

o "Adding an SNAT Rule to StoneOS through NETCONF" on Page 62

Getting Started 4
StoneOS Cookbook

Upgrading Firmware to Higher Version

This example introduces how to use WebUI and CLI to upgrade firmware to a higher version.

As an exit of the company's network, security device provides protections and services. Now, admin need upgrade firmware to optim-
ize system's performance and get new functions.

Preparation

Before upgrading, we recommend you:

o See the system software version by using WebUI or CLI(show version) to get a suitable upgrading instructions.

o See the release notes of the target version to get a platform upgrading instructions.

o Get upgrade file of your target version from Hillstone.

o Do not upgrade at peak times, because you need to reboot device to make new version effective.

o Do not downgrade, because system configuration may be lost.

o Upgrade from CLI if your device's storage is low, and remember to remove the former firmware version before you upgrade.

o Make sure you have backed up the configuration file before upgrading.

Contact us (Service Line:1-800-889-9860) first when you are in the following situations:

o Make sure whether license is out of date. If it expires, you only can upgrade system to the version whose release date is before the
license expired date. If it doesn't expire, upgrading can be continued. Contact us for the release date.

o Do not cross upgrade. For example, to upgrade the versions 4.0 to 5.0, Hillstone recommends you to first upgrade to version 4.5,
and then upgrade to 5.0. Contact us for cross version upgrade.

o Contact us for upgrading information if you are in HA environment.

Upgrading Firmware to Higher Version 5

 StoneOS Cookbook

Method 1: Upgrading from WebUI

Step 1: Logging in via WebUI with admin accout and viewing current system information.

Select System > System Information to view the

current version is 5.5R1P1.

Step 2: Exporting configuration file as a backup.

Select System > Configuration File Man-

agement.

In the Configuration File List tab, select Startup

check box and click Export. The configuration
file will be exported to your local PC.

Step 3: Uploading upgrade file and rebooting system. Before uploading, make sure your upgrade file is suitable for your plat-
form.

Select System > Upgrade Management.

1. In the Upgrade Firmware tab, click Browse

button and choose the upgrade file
“SG6000-M-3-5.5R1P3.bin”in your
local PC.

2. Select Reboot to make the new firmware

take effect check box and click Apply. Do
not select Reboot to make the new firm-
ware take effect check box at traffic-peak
time. Hillstone suggests you to manually
reboot when you need.

6 Upgrading Firmware to Higher Version

StoneOS Cookbook

Step 4: Verifying the upgrade results.

Log in via WebUI again when system finished

rebooting.

1. Select System > System Information.

2. In the firmware part, you can see the cur-

rent version is 5.5R1P3. Upgrade suc-
ceeded.

Method 2: Upgrading from CLI

Step 1: Logging in system via Telnet, and viewing the current version.

Take an example of using PuTTY.

1. Open PuTTY, and enter the followings:

Host Name：192.168.1.1（manage IP of
your device）
Connetion Type：Telnet

2. Click Open.

Type the username and password of admin. Log

in successfully.

Type show version and knock the Enter

key. It will show you the current system version is
5.5R1P1.

Upgrading Firmware to Higher Version 7

 StoneOS Cookbook

Step 2: Upgrading your device. We upgrade with USB port in this example. Please put your upgrade file in your U-Disk, and
then put it into the USB port of security device.

Type import image from usb0 SG6000-M-3-

5.5R1P3.bin and knock the Enter key.

1. Type reboot and knock the Enter key.

2. System prompts that "System reboot，are you sure?".

Type y to reboot.

3. Choose a configuration file. Type a after "Please choose

one".

Step 3: Verifying the upgrade results.

Log in via Telnet again when system finished

rebooting.

Type show version and knock the Enter

key. It will show you the current system version is
5.5R1P3.

8 Upgrading Firmware to Higher Version

StoneOS Cookbook

Upgrading Firmware to Higher Version in HA mode

This example introduces how to upgrade the firmware of the device in the HA Active-Passive mode.

The topology gives a typical user scenario for HA. In the designed scenario, one (Device A)of the HA devices will be working under
the active mode, while the other (Device B) is under the passive mode. The two devices use heartbeat cables to maintain communication
between devices. Device A and Device B need to be upgraded from StoneOS 5.5R8 to StoneOS 5.5R9.

Preparation

Before upgrading, prepare the following first:

1. Obtained the system software version by WebUI or CLI(show version).

2. Obtained upgrade file of the target version from Hillstone.

3. Obtained the current configurations of the two devices by WebUI or CLI(show configuration) , and back up the cur-
rent configurations.

4. Disable the preempt mode if it is enabled. You can enable the preempt mode when the upgrading is completed. If track objects
are bound to the HA group, removing the binding. You can resume the binding when the upgrading is completed.

Note: To switch over traffic, you are recommended to upgrade the devices in HA mode through the CLI.

Upgrading Firmware to Higher Version in HA mode 9

 StoneOS Cookbook

Upgrade Steps

Step 1:Upgrading backup device (Device B).

1. Take the device B offline by removing the service cable from device B first and then removing the HA heartbeat cable from
device B.

2. Save the configuration of Device B.

Device B

In any configuration mode, use the following command:

save

3. Upgrade Device B to StoneOS 5.5R9.

The detailed steps for device upgrade, see "Upgrading Firmware to Higher Version" on Page 5.

4. After device B reboots successfully, check whether the version of device B and its HA configuration are correct and whether
the configuration is lost.

Device B

In any configuration mode, use the following command:

show configuration

10 Upgrading Firmware to Higher Version in HA mode

StoneOS Cookbook

Step 1:Upgrading backup device (Device B).

5. View the priority values of Device A and Device B. Make sure the priority value of device A is less than that of device B. That
is to say, device A has a higher priority than device B.

Device A

In any configuration mode, use the following command:

show ha group config

Device B

In any configuration mode, use the following command:

show ha group config

Notes: If the priority value of device A is larger than that of device B, modify the latter to make sure device A has a higher priority.

6. Reconnect the HA heartbeat cable and the service cable on device B.

Reconnect the HA heartbeat cable on device B. Wait for device B to complete HA negotiation with device A. In this case, device A
is the master device. Then, reconnect the service cable on device B.

Step 2: HA Synchronization and Master/Backup Device Switchover.

1. Synchronize the configuration of device A and device B by manual.

Device A

In any configuration mode, use the following command:

exec ha sync all

Upgrading Firmware to Higher Version in HA mode 11

 StoneOS Cookbook

Step 2: HA Synchronization and Master/Backup Device Switchover.

2. Check whether the ARP table, session information, etc. are synchronized.

Device A

In any configuration mode, use the following command:

show arp

show session generic

show logging alarm

Notes: After executing the show logging alarm command on master device A. When the prompt "Admin batch syn-
chronization of HA group 0 has completed." appears, it suggests that configuration synchronization is completed

3. Switch the master and backup devices by manual. In this case, device B is switched to the master device.

In any configuration mode, use the following command:

exec ha master switch-over

Step 3: Upgrading Device A.

1. Take the device B offline.

Take the device A offline by removing the service cable from device B first and then removing the HA heartbeat cable from device
A.

2. Save the configuration of Device A.

Device A

In any configuration mode, use the following command:

save

12 Upgrading Firmware to Higher Version in HA mode

StoneOS Cookbook

Step 3: Upgrading Device A.

3. Upgrade Device A to StoneOS 5.5R9.

The detailed steps for device upgrade, see "Upgrading Firmware to Higher Version" on Page 5.

4. After device A reboots successfully, check whether the version of device A and its HA configuration are correct and whether
the configuration is lost.

Device A

In any configuration mode, use the following command:

show configuration

5. View the priority values of Device A and Device B. Make sure the priority value of device A is larger than that of device B.
That is to say, device A has a lower priority than device B.

Device A

In any configuration mode, use the following command:

show ha group config

Device B

In any configuration mode, use the following command:

show ha group config

6. Reconnect the HA heartbeat cable and the service cable on device A.

Reconnect the HA heartbeat cable on device A. Wait for device A to complete HA negotiation with device B. In this case, device B
is the master device. Then, reconnect the service cable on device A

Upgrading Firmware to Higher Version in HA mode 13

 StoneOS Cookbook

Step 4: HA Synchronization

1. Synchronize the configuration of device A and device B by manual.

Device B

In any configuration mode, use the following command:

exec ha sync all

2. Check whether the ARP table, session information, etc. are synchronized.

Device B

In any configuration mode, use the following command:

show arp

show session generic

show logging alarm

Notes: After executing the show logging alarm command on master device A. When the prompt "Admin batch syn-
chronization of HA group 0 has completed." appears, it suggests that configuration synchronization is completed

Step 5: Completing the Upgrading

1. (Optional) Switch device A to the master device by manual.

Device B

In any configuration mode, use the following command:

exec ha master switch-over

2. Complete the upgrading.

14 Upgrading Firmware to Higher Version in HA mode

StoneOS Cookbook

Using Security Policy to Allow Access to Another Zone

This example introduces how to use security policies to control communication between two zones.

The scenario sets up a requirement that the private network users are not allowed to access Internet during work time. As the topology
described, polices and schedules work together to allow internal users to access to server in another zone during work hour (9 a.m. to 17
p.m.). When it's not working time, the server cannot be accessed.

Using Security Policy to Allow Access to Another Zone 15

 StoneOS Cookbook

Configuration Steps

Step 1: Configuring Interface

1. Configuring the interface connected to

private network

Select Network > Interface, double click eth-

ernet0/1.

o Binding Zone: Layer 3 Zone

o Zone: trust

o Type: Static IP

o IP Address: 192.168.1.1

o Netmask: 255.255.255.0

2. Configuring the interface connected to Server

Select Network > Interface, double click eth-

ernet0/2.

o Binding Zone: Layer 3 Zone

o Zone: dmz

o Type: Static IP

o IP Address: 10.10.1.1

o Netmask: 255.255.255.0

16 Using Security Policy to Allow Access to Another Zone

StoneOS Cookbook

Step 2: Configuring Schedule

Select Object > Schedule, and click New. In the

prompt, click Add.

o Name: work hour

o Type: Daily

o Start Time: 09:00

o End Time: 17:00

Click OK to add it.

Using Security Policy to Allow Access to Another Zone 17

 StoneOS Cookbook

Step 3: Configuring Policies

1. Configuring a policy to allow internal users

access to server during work hour

Select Policy > Security Policy, and click Add.

o Name: work

o Source

o Zone: trust

o Address: Any

o Destination

o Zone: dmz

o Address: Any

o Other Information

o Schedule: work hour

o Action: Permit

18 Using Security Policy to Allow Access to Another Zone

StoneOS Cookbook

Step 3: Configuring Policies

2. Configuring a policy that internal users can-

not visit server

Select Policy > Security Policy, and click Add.

o Name: rest

o Source

o Zone: trust

o Address: Any

o Destination

o Zone: dmz

o Address: Any

o Other Information

o Schedule: work hour

o Action: Deny

3. Adjusting priority of policies

Select Policy > Security Policy, and select the

"work" policy. Select "work" policy, and click
Move, and enter "rest" policy's ID, then click
Before ID.

Note: The priority of a policy is only determined

by its position in the list.

Using Security Policy to Allow Access to Another Zone 19

 StoneOS Cookbook

Step 4: Configuring a default route

Select Network > Routing >Destination Route,

and select New.

o Destination: 0.0.0.0

o Subnet Mask: 0

o Next Hop: Gateway

o Gateway: 10.10.1.1

Step 5: Results

After configuration, the internal PC can ping the

server address successfully during 9:00 to 17:00.

When internal PC pings the server during off-

work time, it fails.

20 Using Security Policy to Allow Access to Another Zone

StoneOS Cookbook

Allowing Private Network to Access Internet Using SNAT

SNAT rule is used to allow users in private network to access Internet. An SNAT rule will translate the internal IP addresses to a public
IP address, so that internal users can have access to public network via the public interface.

As shown in the topology, via SNAT, internal PCs use the eth0/3 (221.224.30.130/20) to visit Internet.

Allowing Private Network to Access Internet Using SNAT 21

 StoneOS Cookbook

Configuration Steps

Step 1: Configuring Interface

1. Configuring the interface connected to

private network

Select Network > Interface, and double click eth-

ernet0/1.

o Binding Zone: Layer 3 Zone

o Zone: trust

o Type: Static IP

o IP Address: 192.168.1.1

o Netmask: 24

2. Configuring the interface connected to Inter-

net

Select Network > Interface, and double click eth-

ernet0/3.

o Binding Zone: Layer 3 Zone

o Zone: untrust

o Type: Static IP

o IP Address: 221.224.30.130

o Netmask: 20

22 Allowing Private Network to Access Internet Using SNAT

StoneOS Cookbook

Step 2: Configuring security policy

Configuring a security policy to allow private net-

work to Internet

Select Policy > Security Policy, and click Add.

o Name: trust_untrust

o Source Information

o Zone: trust

o Address: Any

o Destination

o Zone: untrust

o Address: Any

o Other Information

o Action: Permit

Step 3: Configuring Address book

Configuring an address range for private net-

work users

Select Object > Address Entry, and click New.

o Name: snat_IP

o Member: add "192.168.1.0/24"

Allowing Private Network to Access Internet Using SNAT 23

 StoneOS Cookbook

Step 4: Configuring SNAT rule

Select Policy > NAT > SNAT, and click New.

o Requirement:

o Source Address: Address Entry, snat_IP

(Note: enter the server's internal IP
address.)

o Translated to:

o Specified IP: "IP Address",

"221.224.30.130"
（Note: enter public IP address here)

o Mode: Dynamic Port (multi-port to one)

(Optional) Under Advanced tab, select NAT log

check box to enable NAT loggling (for checking
results).

Step 5: Configuring default route

Select Network > Routing > Destination Route,

and click New.

o Destination: 0.0.0.0

o Subnet Mask: 0

o Next Hop: Gateway

o Gateway: 221.224.30.1

24 Allowing Private Network to Access Internet Using SNAT

StoneOS Cookbook

Step 6: Results

After configuration, PCs in private network can

ping 221.224.30.131 successfully.

Step 6: Check if DNAT rule works

Make sure NAT logging is enabled in monitor

module (Select Monitor > Log > Log Monitor,
under NAT tab, select Enable.)

Go to Monitor > Log > NAT, you will be able to

see the destination IP 192.168.1.2 has been trans-
lated to internal IP 221.224.30.130.

Allowing Private Network to Access Internet Using SNAT 25

StoneOS Cookbook

Allowing Internet to Visit a Private Server Using DNAT

Destination network address translation (DNAT) is normally used to allow Internet users visit an internal server by providing Internet
IP address for internal server.

As shown in the topology, the FTP server hides its internal IP address using DNAT rule. DNAT rule will give the server an Internet IP
address for FTP users to access. In this way, the server can be accessed from Internet.

Allowing Internet to Visit a Private Server Using DNAT 26

 StoneOS Cookbook

Configuration Steps

Step 1: Configuring interfaces

1. Configuring the interface connected to the

server

Select Network > Interface, and double click eth-

ernet0/2.

o Binding Zone: Layer 3 Zone

o Zone: dmz

o Type: Static IP

o IP Address: 10.10.1.1

o Netmask: 24

2. Configuring the interface connected to Inter-

net

Select Network > Interface, and click eth-

ernet0/3.

o Binding Zone: Layer 3 Zone

o Zone: untrust

o Type: Static IP

o IP Address: 221.224.30.130

o Netmask: 20

27 Allowing Internet to Visit a Private Server Using DNAT

StoneOS Cookbook

Step 2: Configuring security policies

Configuring a policy allowing Internet to visit

internal network

Select Policy > Security Policy, and click Add.

o Name: untrust_dmz

o Source Information

o Zone: untrust

o Address: Any

o Destination

o Zone: dmz

o Address: Any

o Other Information

o Action: Permit

Allowing Internet to Visit a Private Server Using DNAT 28

 StoneOS Cookbook

Step 3: Configuring DNAT rule

Select Policy > NAT > DNAT, and click New >
Advanced Configuration.

o Requirement:

o Destination Address: IP Address,

221.224.30.130 (Note: enter public IP
address here.)

o Translated to:

o Translated to: "IP Address", "10.10.1.2"

（Note: enter the server's internal IP
address)

(Optional) Under Advanced tab, select NAT log

check box to enable NAT logging (for checking
results.)

Step 4: Configuring default route

Select Network > Routing > Destination Route,

and click New.

o Destination: 0.0.0.0

o Subnet Mask: 0

o Next Hop: Gateway

o Gateway: 221.224.30.1

29 Allowing Internet to Visit a Private Server Using DNAT

StoneOS Cookbook

Step 5: Results

After configuration, use a PC in Internet to ping

the server's public address 221.224.30.130.

Step 6: Check if DNAT rule works

Make sure NAT logging is enabled in monitor

module (Select Monitor > Log > Log Monitor,
under NAT tab, select Enable.)

Go to Monitor > Log > NAT, you will be able to

see the destination IP 221.224.30.130 has been
translated to internal IP 10.10.1.2.

Allowing Internet to Visit a Private Server Using DNAT 30

StoneOS Cookbook

Deploying Tap Mode to Monitor Network Traffic

Inline mode places a device directly in the network path, while in tap mode, the device only connects to a mirrored interface of core net-
work. Tap device monitors or sniffs the packet information mirrored from core network gateway. Tap products tend to be resilient and
transparent so as to minimize or eliminate the effect they can have on production traffic. If you just want a sensor to monitor, analyze
and log network traffic, not data forwarding, it is best to choose tap mode.

In this example, a Hillstone device (T-Series Intelligent Next Generation Firewall recommended) is a network tap. Its tap interface
eth0/1 directly connects to mirror interface of inline network gateway. Hillstone T-Series threat detection features to analyze mirrored
data packets in search for network threats.

We present 4 threat detecting functions in this example. All the functions require respective licenses installed before they take effect.

o Intrusion Prevention System (IPS): Requires Threat Prevention (TP) or IPS license installed.

o Application Identification: Requires APP DB license installed. This license is issued with platform license for free. No need to pur-
chase APP DB license individually.

o Advanced Threat Detection (ATD): Requires StoneShield license installed.

o Abnormal Behavior Detection (ABD): Requires StoneShield license installed.

Preparation

As shown in the topology above, you need use a RJ-45 cable to connect the mirror port eth0/4 and the tap interface eth0/1.

Configure port mirroring on gateway of core network. We take Hillstone gateway as example.

Deploying Tap Mode to Monitor Network Traffic 31

 StoneOS Cookbook

Configuring port mirroring

1. Select Network > Interface, and double-

click ethernet0/3.

2. In the pop-up, click the Properties tab,

under Mirror part, select the checkbox to
enable traffic mirroring.

3. Return to interface list, make sure that the

mirror port ethernet0/4 is not bound to any
zone.

4. Select Network > Port Mirroring, select

ethernet0/4 from drop-down menu, and
click OK.

Configuring Tap Mode and Threat Detection

Configure all the following settings on tap device.

Step 1: Creating a tap mode

1. Select Network > Zone, click New.

2. In the Zone Configuration dialog, con-

figure the following:
Zone: tap-eth1
Type: TAP
Virtual Router: trust-vr
Binding Interface: ethernet0/1

32 Deploying Tap Mode to Monitor Network Traffic

StoneOS Cookbook

Step 1: Creating a tap mode

3. Return to Network > Interface, in the inter-

face list, check that eth0/1 is in the "tap-
eth1" zone.

Step 2: Creating a Policy

Creating a "permit" policy on the tap device so

that it can establish sessions within itself.

1. Select Policy > Security Policy, click New.

2. In the Policy Configuration dialog, make a

"permit" rule from and to the same tap
zone.

Step 3: Enabling IPS and viewing IPS attacks

Enabling IPS:

1. Select Network > Zone, double-click tap-

eth1.

2. Under the Threat Prevention tab, select

Enable check-box on the right of Intrusion
Prevention System.
Profile: predef_default
Defense Direction: bidirectional

Deploying Tap Mode to Monitor Network Traffic 33

 StoneOS Cookbook

Step 3: Enabling IPS and viewing IPS attacks

Checking detection results:

1. Select iCenter > Threat.

2. In the list, , items marked as "Intrusion Pre-

vention System" under the Detected by
column are IPS attacks detected by tap
device.

Viewing IPS logs:

1. Select Monitor > Log > Threat, click Fil-

ter on the top right corner.

o Detected by: Intrusion Prevention System

2. Click Query, and the page will show IPS

logs.

34 Deploying Tap Mode to Monitor Network Traffic

StoneOS Cookbook

Step 4: Enabling Application Identification and viewing APP usage statistics

Enabling APP Identification:

1. Select Network > Zone, double-click the

tap-eth1 zone.

2. Under the Basic tab, select the Enable

check-box after Application Identification.

Viewing App monitor results:

Select Monitor > Application.

o Summary: Application usage statistics by user,

traffic, new session or concurrent session.

o Application Details: Details of every applic-

ation.

Deploying Tap Mode to Monitor Network Traffic 35

 StoneOS Cookbook

Step 4: Enabling Application Identification and viewing APP usage statistics

o Group Details: Application group usage

details.

Step 5: Enabling Advanced Threat Detection (ATD) and viewing ATD attacks

Enabling ATD:

1. Select Network > Zone, double-click the

tap-eth1 zone.

2. Under the Threat Prevention tab, select the

Enable check-box after Advance Threat
Detection.

Viewing ATD monitor result:

1. Select Monitor > Threat > Summary,

hover your cursor over Malware bar to
show a balloon of malware attacks.

36 Deploying Tap Mode to Monitor Network Traffic

StoneOS Cookbook

Step 5: Enabling Advanced Threat Detection (ATD) and viewing ATD attacks

2. Click Details after Trojan in the balloon,

you can see details of this attack.

Viewing ATD logs

1. Select Monitor > Log > Threat, and click

Filter on the top right corner.

o Detected by: Advanced Threat Detection

2. Click Query, the page will show ATD logs.

To know more about ATD, you may refer to another case in this cookbook Finding Malware Attacks via Advanced Threat Detec-
tion.

Deploying Tap Mode to Monitor Network Traffic 37

 StoneOS Cookbook

Step 6: Enabling Abnormal Behavior Detection and viewing abnormal behaviors

Enabling ABD:

1. Select Network > Zone, double-click the

tap-eth1 zone.

2. Under the Threat Prevention tab, select the

Enable check-box after Abnormal Beha-
vior Detection.

Viewing monitor results:

1. Select Monitor > Threat > Summary.

2. Hover you cursor over Scan or DoS bar, a

balloon will show up to indicate number of
Scan and DoS attacks.

Viewing ABD logs

1. Select Monitor > Log > Threat, and click

Filter on the top right corner.

o Detected by: Abnormal Behavior Detection

38 Deploying Tap Mode to Monitor Network Traffic

StoneOS Cookbook

Step 6: Enabling Abnormal Behavior Detection and viewing abnormal behaviors

2. Click Query, ABD logs will show.

To know more about ABD, you may refer to another case in cookbook "Protecting Internal Servers and Host to Defend Attack
via Abnormal Behavior Detection" on Page 352.

Deploying Tap Mode to Monitor Network Traffic 39

StoneOS Cookbook

Configuring the Device to Communicate with Zabbix Using SNMP

This example introduces how to configure the device to communicate with Zabbix using SNMP. Zabbix can monitor various network
parameters of the device to ensure the safe operation of the device.

The following shows a network environment. The device connects to Zabbix using SNMPv2 to manage the device.

StoneOS

Step1: Configuring SNMP Agent

Select System > SNMP > SNMP Agent.

o SNMP Agent: Click Enable

o Host Port: 161

o Virtual Router: trust-vr

o Local Engine ID: 111

Configuring the Device to Communicate with Zabbix Using SNMP 40

 StoneOS Cookbook

Step2: Configuring SNMP Host

Select System > SNMP > SNMP Host. Click

New.

o Type: IP Address

o Hostname: 10.1.1.1

o SNMP Version: V2C

o Community: hillstone

o Permission: RO

Step3: Configuring Trap Host

Select System > SNMP > Trap Host. Click New.

o Host： 10.1.1.1

o Trap Host Port: 162

o SNMP Agent: V2C

o Community: hillstone

41 Configuring the Device to Communicate with Zabbix Using SNMP

StoneOS Cookbook

Step4: Enabling the SNMP Mode of the Interface

Select Network > Interface and double click eth-

ernet0/6.

o Zone: trust

o Management: Click SNMP

Zabbix:

Step1: Configuring Host Group

Select Configuration > Host groups. Click

Create host group.

o Group name: Hillstone_FW

Configuring the Device to Communicate with Zabbix Using SNMP 42

 StoneOS Cookbook

Step2: Configuring Templates

Select Configuration > Templates . Click Create

template.

o Template name: Hillstone_SNMP

o Click icon to add Hillstone_FW to In

groups list.

Step3: Configuring Application

Select Configuration >Template >

Applications. Click Create application.

o Name: Hillstone_Interface

43 Configuring the Device to Communicate with Zabbix Using SNMP

StoneOS Cookbook

Step4: Configuring Item

Select Configuration > Templates > Applic-

ations. Click Items of Hillstone_Interface and
click Create item.

o Name: eth0/6 Egress interface rate

o Type: SNMPv2 agent

o SNMP OID:
.1.3.6.1.4.1.28557.2.6.1.3.1.20.36

o SNMP community: hillstone

o Applications: Select Hillstone_Interface

Note: You need to add the index of the specified

interface after OID. To view the index of the
interface, use the command show ip route
interface.

Configuring the Device to Communicate with Zabbix Using SNMP 44

 StoneOS Cookbook

Step5: Configuring Host

Select Configurations > Hosts. Click Create

host.

o Host name：E1100

o Click icon to add Hillstone_FW to In

groups list.

o In SNMP interfaces area, click Add and type

the ip address of StoneOS 192.168.1.1, Port
161.

Step6: Configuring Graph

Select Configuration > Hosts. Click E1100 >

Graphs and click Create graph.

o Name: eth0/6 interface rate

o Click Add in the Items area. Select eth0/6

Egress interface rate.

45 Configuring the Device to Communicate with Zabbix Using SNMP

StoneOS Cookbook

Step7: Results

After configuration, select Monitoring >Latest

data to view the monitoring data.

o Host groups: Select Hillstone_FW

o Hosts: Select E1100

o Application: Select Hillstone_Interface

Click Graph to view the monitoring graph.

Dynamically Manage Access Authority Via Radius Dynamic Authorization

This example introduces how to dynamically manage access authority via radius dynamic authorization.

Scenario

As shown in the topology, one enterprise can configure Radius server authentication and enable authorization policy to dynamically man-
age the access authority of visitors. When the visitor logins the SSLVPN, the radius server issues authorization policy to the firewall
allowing the visitor to visit the network segment 10.160.64.0/21. When the visitor successfully logins, the administrator can use CoA
messages to modify the issued authorization policy, adding new network segment 10.160.32.0/21 that the visitor is allowed to visit.
When the visitor logs out, the firewall will automatically delete the responding authorization policy.

Configuring the Device to Communicate with Zabbix Using SNMP 46

 StoneOS Cookbook

Configuration Steps

Step 1: Configure the Interface to Link Radius Server.

Select Network>Interface, and double click eth-

ernet0/0.

o Binding zone: Layer 3 zone

o Zone: trust

o Type: Static IP

o IP Address: 10.87.1.8

o Netmask: 255.255.255.0

47 Configuring the Device to Communicate with Zabbix Using SNMP

StoneOS Cookbook

Step 2: Create New Aggregate Policy.

Select Policy>Security Policy>Policy, and click

New>Aggregate Policy.

o Name: Visitor

Configuring the Device to Communicate with Zabbix Using SNMP 48

 StoneOS Cookbook

Step 3: Configure Radius Server, and Enable Authorization Policy and Accounting.

1. Select Object>AAA Server, and click

New>Radius Server.

o Name: Visitor

o Server Address: 10.87.1.9

o Virtual Router: trust-vr

o Port: 1812

o Secret: 12345678

2. Click the Enable button of Authorization, and

select Visitor from the drop-down menu.

3. Click the Enable button of Accounting.

o Server Address: 10.87.1.9

o Virtual Router: trust-vr

o Port: 1813

o Password: 12345678

49 Configuring the Device to Communicate with Zabbix Using SNMP

StoneOS Cookbook

Step 3: Configure Radius Server, and Enable Authorization Policy and Accounting.

4. Create a new user account.

Client needs to created a new user account on

Radius server.

o Username: user1

o Password: 123456

o Authorized network segment:

10.160.64.0/21

Step 4: Enable Radius Dynamic Authorization.

Click Object>Radius Dynamic Authorization,

and click the Enable button of Radius Dynamic
Authorization.

o Port: 3799

o Server IP: 10.87.1.9

o Destination IP: 10.87.1.8

o Shared Key: 12345678

Configuring the Device to Communicate with Zabbix Using SNMP 50

 StoneOS Cookbook

Step 5: Configure SSLVPN on StoneOS.

1. Configure SSLVPN address pool.

Select Network>SSL VPN, click Con-

figuration>Address Pool, and click New.

o Address Pool: pool1

o Start IP: 20.1.1.2

o End IP: 20.1.1.200

o Netmast: 255.255.255.0

o DNS1: 10.160.64.60

o WINS1: 10.160.64.61

2. Create new zone.

Select Network>Zone, and click New.

o Zone: VPN

o Type: Layer 3 Zone

o Virtual Router: trust-vr

51 Configuring the Device to Communicate with Zabbix Using SNMP

StoneOS Cookbook

Step 5: Configure SSLVPN on StoneOS.

3. Create new tunnel interface.

Select Network>Interface, and click New>Tun-

nel Interface.

o Interface Name: tunnel 1

o Binding Zone: Layer 3 Zone

o Zone: VPN

o Type: Static IP

o IP Address: 20.1.1.1

o Netmask: 24

Configuring the Device to Communicate with Zabbix Using SNMP 52

 StoneOS Cookbook

Step 5: Configure SSLVPN on StoneOS.

4. Configure SSLVPN.

Select Network>SSL VPN, and click New.

In the Name/Access User tab, configure as

below.

o SSL VPN Name: Visitor

o AAA Server: Visitor

In the Interface tab, configure as below.

o Egress Interface 1：ethernet0/5

o Service Port：443

o Tunnel Interface：tunnel1

o Address Pool：pool1

In the Tunnel Route tab, configure as below.

o IP：10.160.64.0

o Netmask：255.255.248.0

53 Configuring the Device to Communicate with Zabbix Using SNMP

StoneOS Cookbook

Step 6: Results.

1. User1 can access 10.160.64.52.

o Server: 10.160.64.51

o Port: 4433

o Username: user1

o Password: 123456

2. Corresponding policy is created on Firewall.

Configuring the Device to Communicate with Zabbix Using SNMP 54

 StoneOS Cookbook

Step 7: Use CoA message to modify the access authority of the authorized user.

1. Use CoA message in CLI commands to modify

the network segment that the authorized user has
access to (If the radius server that the client uses is
customized, the client can operate directly on
radius server rather than use CLI commands).

o Create a new txt file named coa-auth of

which the content is as below:
User-Name：user1
Framed-IP-Address=20.1.1.3
NAS-IP-Address=10.87.1.8
Acct-Seesion-Id=“1”
Hillstone-User-Data-Filter=“rule 1 permit
dst 10.160.64.0/21”
Hillstone-User-Data-Filter=“rule2 permit
dst 10.160.32.0/21”
Calling-Station-Id="00-1c-54-ff-08-05"

o Use the blow CLI command to send the

instruction (take freeradius for example):
root@hillstone-HVM-domU:/etc/-
freeradius# radclient 10.87.1.8:3799 coa
12345678 -f coa-auth.txt -x

2. Policies are updated on Firewall.

55 Configuring the Device to Communicate with Zabbix Using SNMP

StoneOS Cookbook

Step 8: User1 logs out of SSLVPN.

User1 logs out of SSLVPN, and the cor-

responding policies are deleted from Firewall.

Configuring the Device to Communicate with Zabbix Using SNMP 56

StoneOS Cookbook

DNS Proxy
This example shows how to configure the DNS proxy function. By configuring flexible DNS proxy rules, users from different seg-
ments are assigned to different DNS servers for domain name resolution.

Scenario

A secondary ISP rents the bandwidth of telecom, netcom and other ISP to different users for Internet access. The telecom and netcom
ISP have their own DNS servers. So the secondary ISP want to assign users of different network segments to the DNS servers of cor-
responding ISP for domain name resolution through DNS proxy devices.

This example simulates the export scenario of the above secondary ISP through the following configuration. Use eth0/1 (IP:101.0.0.1)
of the device to connect to the telecom special line to access the Internet, and use eth0/2 (IP: 201.1.1.1) to connect to the netcom special
line to access the Internet. In the public network, the DNS server of telecom is DNS1:102.1.1.1, and that of netcom is DNS2:202.1.1.1.
Also, eth0/3, eth0/4 connect to the Intranet user groups. The administrator now has the following requirements:

1. The DNS request of user group 1 (network segment: 192.168.10.1 / 28) is uniformly proxy to dns1 for domain name resolution;

2. The DNS request of user group 2 (network segment: 172.168.10.1 / 24) is uniformly proxy to dns2 for domain name resolution;

3. The DNS request of intranet server (172.168.10.88) is not restricted and bypassed directly.

DNS Proxy 57
 StoneOS Cookbook

Preparation

The basic interface and route configuration have been completed, and users can access the Internet normally.

Configuration Steps

Step 1：Configure a DNS proxy rules to proxy DNS requests of user group 1 to DNS1 for domain name resolution;

Login WebUI and select Network > DNS

>DNS Proxy, and click New.

o Ingress Interface: ethernet0/3;

o Source Address: Configure a new address

book 192.168.10.1/28

o Destination Address: Any

o Domain: any

o Action: Proxy

o DNS Proxy Failed: Block

o DNS Server：

o IP Address: 102.1.1.1

o Virtual Router: trust-vr

o Egress Interface：etherent0/1

58 DNS Proxy
StoneOS Cookbook

Step 2: Configure another DNS proxy rule to uniformly proxy DNS requests of user group 2 to DNS2 for domain name res-
olution.

Continue to configure another rule. Select Net-

work > DNS >DNS Proxy, and click New.

o Ingress Interface: ethernet0/4;

o Source Address: Configure a new address

book 172.168.10.1/24

o Destination Address: Any

o Domain: any

o Action: Proxy

o DNS Proxy Failed: Block

o DNS Server：

o IP Address: 202.1.1.1

o Virtual Router: trust-vr

o Egress Interface：etherent0/2

DNS Proxy 59
 StoneOS Cookbook

Step 3: Configure one more DNS proxy rule to release DNS requests from the Intranet server (172.168.10.88) directly.

Continue to configure one more rule. Select Net-

work > DNS >DNS Proxy, and click New.

o Ingress Interface: ethernet0/4;

o Source Address: Configure a new address

book 172.168.10.88/32

o Destination Address: Any

o Domain: any

o Action: Bypass

(Optional）In addition to creating a new address

rule, the following methods can also be used to
bypass the DNS requests from intranet servers.
Select Object > Address Book,and select the
“172.168.10.1/24”item, and click Edit to add
the IP address of intranet server to the Exclude
Member.

o Exclude Member: 172.168.10.88

Step 4: Adjust the priority of DNS proxy rules.

After the above steps, you will get three DNS

proxy rules. Because the DNS proxy rules match
from top to bottom, so the DNS rules for releas-
ing the Intranet server should be placed on top of
the other two. When configuring, select the cor-
responding rule item and click Priorityto adjust.

60 DNS Proxy
StoneOS Cookbook

Step 5：Results

After configuration, capture packets on eth0 / 1 and eth0 / 2 interfaces. The results are as follows:

o The users of 192.168.10.1/28 network segment in user group 1 can still access the Internet normally, and their DNS requests
will be sent to the DNS1 server of Telecom for domain name resolution through the device.

o The uesrs of 172.168.10.1/24 network segment in user group 2 can still access the Internet normally, and DNS requests will be
sent to the DNS2 server of Netcom for domain name resolution.

o The DNS request of the internal server 172.168.10.88 will not be proxy through the device, but will be resolved according to
the DNS server set by itself.

Q&A

o Q：What is the order and manner of matching multiple DNS proxy rules?
A：The device will query for DNS proxy rules by turns from up to down. In each rule, only if all matching conditions are met can
the matching be successful.

o Q：When multiple DNS servers are configured in a DNS proxy rule, what is the priority of preferred and bound out interface
properties?
A：When you configure multiple DNS servers, the DNS server with preferred property will be selected for domain name res-
olution. If no preferred server is specified, the system will query whether there are DNS servers that have specified the egress inter-
face.

o Q：Can DNS proxy for specific domain names?

A：Yes, you can configure a specific domain name in the option "Domain Name", and then configure the proxy action and the
corresponding DNS server when creating a new rule.

DNS Proxy 61
StoneOS Cookbook

Adding an SNAT Rule to StoneOS through NETCONF

Network Configuration Protocol (NETCONF) provides a mechanism for managing network devices. You can add, modify, and delete
configurations of network devices, and obtain configuration and status information of network devices. This example shows how to
add an SNAT rule to the device through the NETCONF client.

The topology is shown as below. Device A connects to the NETCONF client. It is required to add an SNAT rule to device A using
NETCONF.

Preparation

Before configuring the NETCONF function, prepare the following first:

1. The NETCONF client software has been correctly installed on the client PC, and the client environment has been configured.
This case takes the client software netopeer2-cli as an example.

2. Device A is connected to the NETCONF client, and messages can be sent between them.

Configuration Steps

Device A

Step 1: Configuring the management method of the interface as NETCONF.

hostname(config)# interface ethernet0/0

hostname(config-if-eth0/0)# manage netconf

hostname(config-if-eth0/0)# exit

hostname(config)#

Adding an SNAT Rule to StoneOS through NETCONF 62

 StoneOS Cookbook

Step 2: Configuring the access of the administrator as NETCONF (Take the administrator hillstone as an example).

hostname(config)# admin user hillstone

hostname(config-admin)# access netconf

hostname(config-admin)# exit

hostname(config)#

Step 3: Configuring the login type of the trusted host as NETCONF.

hostname(config)# admin host any netconf

hostname(config)#

Step 4: Enabling the NETCONF agent and the NETCONF candidate functions.

hostname(config)# netconf-manager enable

hostname(config)# netconf-manager candidate

hostname(config)#

NETCONF Client

Step 1: Connecting to the Device.

63 Adding an SNAT Rule to StoneOS through NETCONF

StoneOS Cookbook

Running the client software netopeer2-cli in Linux and connecting to the device:

[root@linux1~]# netopeer2-cli

> connect --ssh --host 192.168.1.1 --port 830 --login hillstone

[email protected] password:

cmd_connect: Already connected to 192.168.1.1.

In the above command:

o --host: specifies the IP address of the device.

o --login: specifies the login user name which must be the same as the device administrator name.

After the above command is executed, a prompt for password will appear. Enter the password of the
administrator hillstone and press Enter.

Step 2: Getting the Yang model of the device.

> get-schema --model configuration

Executing the above command to get the Yang model of the device.

Step 3: Editing the XML file which will be used to add an SNAT rule to the device.

Adding an SNAT Rule to StoneOS through NETCONF 64

 StoneOS Cookbook

Editing the XML file according to the Yang model obtained in step 2 and saving it as snat.xml. The con-
tents of the XML file are as follows:

-<vr xmlns="https://hillstone.com/yang/SG6000-K-2-5.5R9-v6-r1208/hc" >

<!--The namespace "https://hillstone.com/yang/SG6000-K-2-5.5R9-v6-r1208/hc" in the XML file

must be consistent with the namespace of the device Yang model-->

-<vrouter>

<vr_name>trust-vr</vr_name>

-<snat_rule>

<rule_id>1</rule_id>

<group_id>0</group_id>

<from>192.168.2.2</from>

<from_is_ip>1</from_is_ip>

<to>Any</to>

<to_is_ip>0</to_is_ip>

<service>Any</service>

<trans_to>192.168.1.10</trans_to>

<trans_to_is_ip>1</trans_to_is_ip>

<flag>1</flag>

<log>0</log>

<enable>0</enable>

<trans_type>1</trans_type>

</snat_rule>

</vrouter>

</vr>

65 Adding an SNAT Rule to StoneOS through NETCONF

StoneOS Cookbook

Step 4: Adding the SNAT rule to the device.

> edit-config --target running --config=snat.xml

In the above command:

o --target: "running" means that the distributed configuration will immediately change the running con-
figuration of the device, which will have an impact on the current business. If you select the parameter
"candidate", the distributed configuration will remain in the configuration repository and will not have
any impact on the current business. If you want to use the candidate configuration to replace the run-
ning configuration of the device, you can first execute the "validate-- source candidate" command to
check whether the candidate configuration is valid, and then execute the "commit" command.

o --config: specifies the path and file name of the xml file. If you do not specify this parameter, the sys-
tem automatically opens an empty XML file after the command is executed, and you can edit the con-
tent in this empty document.

Viewing the results

After configuring the above steps, you can see that the SNAT rule has been added to the device using the Show command.

hostname(config)# show configuration vrouter trust-vr

ip vrouter "trust-vr"

snatrule id 1 from ip 192.168.2.2 to address-book "Any" service "Any" trans-to ip 192.168.1.10 mode
static disable

exit

hostname(config)#

Adding an SNAT Rule to StoneOS through NETCONF 66

 StoneOS Cookbook

Binding the Log Processing Process and Database Storage Process to Core
MAX
This example introduces how to bind the log processing process and database storage process to Core MAX. Core MAX is the CPU
core with the largest number. For example, if the system has 12 CPU cores in total, which are numbered as Core0 to Core11, Core11 is
the Core MAX. The example including the following two scenarios:

o Scenario 1: A Hillstone security device is deployed on an enterprise network. Operation and maintenance personnel periodically
check the session logs and NAT logs stored in the database. The system's log processing process (LOGD) and database storage pro-
cess (MYSQLD) work on Core0 of the CPU. When session logs and NAT logs are exported to the local disk, Core0 can be over-
loaded with a large amount of high speed log data storage operations, potentially affecting the normal operation of other functional
modules.

o Scenario 2: A Hillstone security device is deployed on an enterprise network. Operation and maintenance personnel need to peri-
odically check traffic and session monitoring statistics. The device supports the storage of statistics on device traffic and sessions
over the last 180 days to the device disk. The system's database storage process (MYSQLD) work on Core0 of the CPU. Core0 can
be overloaded with a large amount of high speed traffic and session data storage operations, potentially affecting the normal oper-
ation of other functional modules.

Based on the above scenarios, if the performance consumption of Core0 is too high or you need to increase the speed at which logs are
sent to the log processing process, you can move log processing process and database storage process from Core0 to Core MAX, and
then configure the speed at which logs are sent to the log processing process.

Configuration Roadmap

1. Use the command flow-core-num number to specify the number of CPU cores occupied by the system data. number is
recommended to be max_core_number-1. max_core_number is the number of total CPU cores of the system.

2. Bind the log processing process and database storage process to Core MAX.

3. Restart the device to make the configurations in Step 1 and Step 2 take effect.

4. For scenario 1, you can increase the the speed at which logs are sent to the log processing process.

Before binding the log processing process and database storage process to Core MAX, prepare the following first:

67 Adding an SNAT Rule to StoneOS through NETCONF

StoneOS Cookbook

1. The NETCONF client software has been correctly installed on the client PC, and the client environment has been configured.
This case takes the client software netopeer2-cli as an example.

2. Device A is connected to the NETCONF client, and messages can be sent between them.

o Scenario 1: The session logs and NAT logs have been stored in the device disk with the command.

o Scenario 2: The device has enabled the Long-term Monitor function for traffic and sessions.

o The function of binding the log processing process and database storage process to Core MAX is only supported by SG-6000-
A2700 and later models. SG-6000-A3000 with a hard disk is used as an example to describe the configuration.

Configuration Steps

Step 1: Specifying the number of CPU cores occupied by the system data.

hostname(config)# flow-core-num 3

hostname(config)# exit

Step 2: Binding the log processing process and database storage process to Core MAX, and restarting the for the above con-
figuration to take effect.

hostname(config)# cp-multi-cores logd

hostname(config)# exit

hostname# reboot

System reboot, are you sure? [y]/n: y

Step 3: For scenario 1, adjusting the speed at which logs are sent to log processing process. The default sending speed of SG-6000-
A3000 is 2000 logs per second.

hostname(config)# logging speed-limit to local 3000

hostname(config)# show logging speed-limit

Log speed limit:3000

Adding an SNAT Rule to StoneOS through NETCONF 68

 StoneOS Cookbook

Viewing the results

After configuring the above steps, you can see that the CPU utilization of Core 0 is decreasing and that of Core MAX is increasing by
using the command show cpu detail.

hostname(config)# show cpu detail

69 Adding an SNAT Rule to StoneOS through NETCONF

StoneOS Cookbook

Routing

This chapter introduces different routing configuration use cases.

This chapter contains the following recipes:

o "Realizing Multicast Forwarding Through PIM-SM Multicast Protocol" on Page 71

o "Realizing Multicast Forwarding Through PIM-SSM Multicast Protocol" on Page 80

Routing 70
StoneOS Cookbook

Realizing Multicast Forwarding Through PIM-SM Multicast Protocol

This example introduces how to configure the basic functions of PIM-SM to realize multicast forwarding so that users can receive data
from any multicast source.

In the topology below, the multicast source sends data to the multicast group, and the multicast address is 225.0.0.1. The receivers PC1
and PC2 send IGMPv2 Report to join the multicast group, and the PIM domain adopts the PIM-SM mode. Assume that Device A is
the candidate RP and candidate BSR, the interface loopback1 is the interface for electing the RP, and the interface eth0/1 is the mul-
ticast data inbound interface. By configuring the PIM-SM function on each device in the PIM domain, multicast data can be forwarded
to the recipient PC in a normal multicast manner.

Configuration Steps

Step 1: Configure the IP address and unicast routing protocol of each device interface (OSPF is used in this example).

Realizing Multicast Forwarding Through PIM-SM Multicast Protocol 71

 StoneOS Cookbook

Device A：

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ip address 1.1.1.2/24

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ip address 2.1.1.2/24

hostname(config-if-eth0/1)# exit

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# router ospf

hostname(config-router)# router-id 1.1.1.1

hostname(config-router)# network 1.1.1.0/24 area 0

hostname(config-router)# network 2.1.1.0/24 area 0

72 Realizing Multicast Forwarding Through PIM-SM Multicast Protocol

StoneOS Cookbook

Device B：

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ip address 2.1.1.2/24

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ip address 3.1.1.2/24

hostname(config-if-eth0/1)# exit

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# router ospf

hostname(config-router)# router-id 2.2.2.2

hostname(config-router)# network 2.1.1.0/24 area 0

hostname(config-router)# network 3.1.1.0/24 area 0

Realizing Multicast Forwarding Through PIM-SM Multicast Protocol 73

 StoneOS Cookbook

Device C：

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ip address 2.1.1.3/24

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ip address 4.1.1.1/24

hostname(config-if-eth0/1)# exit

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# router ospf

hostname(config-router)# router-id 3.3.3.3

hostname(config-router)# network 2.1.1.0/24 area 0

hostname(config-router)# network 4.1.1.0/24 area 0

Step 2: Enable a multicast route.

Device A：

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ip multicast-routing

hostname(config-vrouter)# exit

hostname(config)#

74 Realizing Multicast Forwarding Through PIM-SM Multicast Protocol

StoneOS Cookbook

Device B：

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ip multicast-routing

hostname(config-vrouter)# exit

hostname(config)#

Device C：

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ip multicast-routing

hostname(config-vrouter)# exit

hostname(config)#

Step 3: Enable and configure PIM-SM.

Device A：

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter))# router pim

hostname(config-vrouter)# pim-sm enable

hostname(config-vrouter))# exit

hostname(config)#interface ethernet0/1

hostname(config-if-eth0/1)# ip pim sparse-mode

hostname(config-if-eth0/1)# exit

hostname(config)#interface ethernet0/2

hostname(config-if-eth0/2)# ip pim sparse-mode

Realizing Multicast Forwarding Through PIM-SM Multicast Protocol 75

 StoneOS Cookbook

Device B：

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter))# router pim

hostname(config-vrouter)# pim-sm enable

hostname(config-vrouter))# exit

hostname(config)#interface ethernet0/1

hostname(config-if-eth0/1)# ip pim sparse-mode

hostname(config-if-eth0/1)# exit

hostname(config)#interface ethernet0/2

hostname(config-if-eth0/2)# ip pim sparse-mode

Device C：

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter))# router pim

hostname(config-vrouter)# pim-sm enable

hostname(config-vrouter))# exit

hostname(config)#interface ethernet0/1

hostname(config-if-eth0/1)# ip pim sparse-mode

hostname(config-if-eth0/1)# exit

hostname(config)#interface ethernet0/2

hostname(config-if-eth0/2)# ip pim sparse-mode

Step 4: Configure RP and Candidate BSR.

76 Realizing Multicast Forwarding Through PIM-SM Multicast Protocol

StoneOS Cookbook

Device A：

hostname(config)# interface loopback1

hostname(config-if-loo1))# zone trust

hostname(config-if-loo1)# ip address 2.2.2.2/24

hostname(config-if-loo1)# ip pim sparse-mode

hostname(config-if-loo1))# exit

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# rp-candidate loopback1

hostname(config-vrouter)# bsr-candidate loopback1

hostname(config-vrouter))# exit

hostname(config)#

Step 5: Verify result.

Realizing Multicast Forwarding Through PIM-SM Multicast Protocol 77

 StoneOS Cookbook

Device A：

hostname(config)# show ip mroute

U:interface up D:interface down

V:valid multicast entry I:invalid multicast entry Y:sync multicast entry

=========================================================-
=====================

source: 1.1.1.2 group : 225.0.0.1 vrouter: trust-vr

status: V update time: -

ingress interface: ethernet0/1(U)

egress interface : ethernet0/2(U)

=========================================================-
=====================

hostname(config)# show ip pim rp

PIM Rendezvous Point for Virtual Router <trust-vr>

=========================================================-
=====================

Group: 225.0.0.1, RP:2.2.2.2, v2, via bootstrap, priority 0 holdtime 35.

=========================================================-
=====================

hostname(config)# show ip pim bsr-router

PIM Bootstrap Router for Virtual Router <trust-vr>

=========================================================-
=====================

PIMv2 Bootstrap information

BSR address: 2.2.2.2

78 Realizing Multicast Forwarding Through PIM-SM Multicast Protocol

StoneOS Cookbook

BSR Priority: 0

=========================================================-
=====================

Realizing Multicast Forwarding Through PIM-SM Multicast Protocol 79

StoneOS Cookbook

Realizing Multicast Forwarding Through PIM-SSM Multicast Protocol

This example introduces how to configure the basic functions of PIM-SSM to realize multicast forwarding so that users can receive
data from any multicast source.

In the topology below, the multicast source sends data to the multicast group, and the multicast address is 232.0.0.1. Receivers PC1 and
PC2 send IGMPv3 Report to join the multicast group. The PIM domain adopts the PIM-SSM mode. The relationship between the host
and the devices in the PIM domain is maintained through IGMPv3, so that the members of the multicast group can quickly join, directly
at the multicast source SPT (Shortest Path Tree) is established with the recipient PC. Assume that the interface eth0/1 of Device A is
used as the inbound interface for multicast data. By configuring the PIM-SSM function on each device in the PIM domain, multicast
data can be multicast forwarded to the recipient PC normally.

Configuration Steps

Step 1: Configure the IP address and unicast routing protocol of each device interface (OSPF is used in this example).

Realizing Multicast Forwarding Through PIM-SSM Multicast Protocol 80

 StoneOS Cookbook

Device A：

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ip address 1.1.1.2/24

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ip address 2.1.1.2/24

hostname(config-if-eth0/1)# exit

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# router ospf

hostname(config-router)# router-id 1.1.1.1

hostname(config-router)# network 1.1.1.0/24 area 0

hostname(config-router)# network 2.1.1.0/24 area 0

81 Realizing Multicast Forwarding Through PIM-SSM Multicast Protocol

StoneOS Cookbook

Device B：

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ip address 2.1.1.2/24

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ip address 3.1.1.2/24

hostname(config-if-eth0/1)# exit

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# router ospf

hostname(config-router)# router-id 2.2.2.2

hostname(config-router)# network 2.1.1.0/24 area 0

hostname(config-router)# network 3.1.1.0/24 area 0

Realizing Multicast Forwarding Through PIM-SSM Multicast Protocol 82

 StoneOS Cookbook

Device C：

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ip address 2.1.1.3/24

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ip address 4.1.1.1/24

hostname(config-if-eth0/1)# exit

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# router ospf

hostname(config-router)# router-id 3.3.3.3

hostname(config-router)# network 2.1.1.0/24 area 0

hostname(config-router)# network 4.1.1.0/24 area 0

Step 2: Enable a multicast route.

Device A：

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ip multicast-routing

hostname(config-vrouter)# exit

hostname(config)#

83 Realizing Multicast Forwarding Through PIM-SSM Multicast Protocol

StoneOS Cookbook

Device B：

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ip multicast-routing

hostname(config-vrouter)# exit

hostname(config)#

Device C：

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ip multicast-routing

hostname(config-vrouter)# exit

hostname(config)#

Step 3: Configure PIM-SSM.

Device A：

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter))# router pim

hostname(config-vrouter)# pim-sm enable

hostname(config-vrouter)# pim-ssm default

hostname(config-vrouter))# exit

hostname(config)#interface ethernet0/1

hostname(config-if-eth0/1)# ip pim sparse-mode

hostname(config-if-eth0/1)# exit

hostname(config)#interface ethernet0/2

hostname(config-if-eth0/2)# ip pim sparse-mode

Realizing Multicast Forwarding Through PIM-SSM Multicast Protocol 84

 StoneOS Cookbook

Device B：

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter))# router pim

hostname(config-vrouter)# pim-sm enable

hostname(config-vrouter)# pim-ssm default

hostname(config-vrouter))# exit

hostname(config)#interface ethernet0/1

hostname(config-if-eth0/1)# ip pim sparse-mode

hostname(config-if-eth0/1)# exit

hostname(config)#interface ethernet0/2

hostname(config-if-eth0/2)# ip pim sparse-mode

Device C：

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter))# router pim

hostname(config-vrouter)# pim-sm enable

hostname(config-vrouter)# pim-ssm default

hostname(config-vrouter))# exit

hostname(config)#interface ethernet0/1

hostname(config-if-eth0/1)# ip pim sparse-mode

hostname(config-if-eth0/1)# exit

hostname(config)#interface ethernet0/2

hostname(config-if-eth0/2)# ip pim sparse-mode

Step 4: Verify result.

85 Realizing Multicast Forwarding Through PIM-SSM Multicast Protocol

StoneOS Cookbook

Device A：

hostname(config)# show ip mroute

U:interface up D:interface down

V:valid multicast entry I:invalid multicast entry Y:sync multicast entry

=========================================================-
=====================

source: 1.1.1.2 group : 232.0.0.1 vrouter: trust-vr

status: V update time: -

ingress interface: ethernet0/1(U)

egress interface : ethernet0/2(U)

=========================================================-
=====================

Realizing Multicast Forwarding Through PIM-SSM Multicast Protocol 86

StoneOS Cookbook

Deploying HA Scenario for Multicast Forwarding Through PIM-SM

This example introduces how to deploy the HA AP (Active-Passive) mode in the pim-ssm multicast environment to ensure that each
router device in the PIM domain can transmit multicast data with high reliability.

In the initial network as topology below, the multicast source sends data to the multicast group, and the multicast address is 232.0.0.1.
Receivers PC1 and PC2 send IGMPv3 Report to join the multicast group. The PIM domain adopts the PIM-SSM mode. The rela-
tionship between the host and the devices in the PIM domain is maintained through IGMPv3, so that the members of the multicast
group can quickly join, directly at the multicast source SPT (Shortest Path Tree) is established with the recipient PC. Assume that the
interface eth0/1 of Device A is used as the inbound interface for multicast data. By configuring the PIM-SSM function on each device
in the PIM domain, multicast data can be multicast forwarded to the recipient PC normally. For details, see Realizing Multicast For-
warding Through PIM-SSM Multicast Protocol .

In this example, Device A , Device B and Device C in the PIM domain are deployed in HA AP mode. After deployment, Device A ,
Device B and Device C are elected as as the master devices, and Device Aa , Device Bb and Device Cc are elected as backup devices.
Meanwhile, the multicast route generated in the master device Device A(Device B or Device C) will be quickly synchronized to the
backup device with a temporary status of Y; When the master device Device A (Device B or Device C) fails or cannot forward traffic
normally, the backup device Device Aa (Device Bb or Device Cc) will switch as the master device. At this time, the multicast route in Y
state will be based on to forward multicast traffic without affecting the original normal communication. AfterDevice Aa receives the
IGMPv3 report messages, The status in the multicast routing table will be updated to the normal status V.

Original Multicast Network：

Deploying HA Scenario for Multicast Forwarding Through PIM-SM 87

 StoneOS Cookbook

Multicast Network after HA-AP Deployment：

88 Deploying HA Scenario for Multicast Forwarding Through PIM-SM

StoneOS Cookbook

Configuration Steps

Step 1: Configure the PIM-SSM multicast protocol according to the example Realizing Multicast Forwarding Through PIM-SSM
Multicast Protocol .

Step 2: Configure the Device A and Device Aa as HA AP mode and HA negotiate successfully.

Device A

hostname(config)# track track1

hostname(config-trackip)# interface ethernet0/1 weight

255////Monitor the status of interface eth0/1 and eth0/2.

hostname(config-trackip)# interface ethernet0/2 weight 255

hostname(config-trackip)# exit

hostname(config)# ha group 0

hostname(config-ha-group)# priority 50

hostname(config-ha-group)# monitor track track1

hostname(config-ha-group)# exit

hostname(config)# ha link interface ethernet0/3

hostname(config)# ha link ip 100.1.1.1/24

hostname(config)# ha cluster 1

Deploying HA Scenario for Multicast Forwarding Through PIM-SM 89

 StoneOS Cookbook

Device Aa

hostname(config)# ha group 0

hostname(config-ha-group)# priority 100

hostname(config-ha-group)# exit

hostname(config)#

hostname(config)# ha link interface ethernet0/3

hostname(config)# ha link ip 100.1.1.2/24

hostname(config)# ha cluster 1

Step 3: Configure management IP addresses for the two devices and monitor objects on the standby Device after HA negotiation
between Device A and Device Aa is successful .

Device A：

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# manage ip 1.1.1.253

Device Aa：

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# manage ip 1.1.1.254

hostname(config-if-eth0/1)# exit

hostname(config)# ha group 0

hostname(config-ha-group)# monitor track track1

hostname(config-ha-group)# exit

hostname(config)#

Step 4：Results

90 Deploying HA Scenario for Multicast Forwarding Through PIM-SM

StoneOS Cookbook

1. Configurations related to multicast have been synchronized on the standby device.

Device Aa

hostname(B)#show configuration vrouter

ip vrouter "mgt-vr"

exit

ip vrouter "trust-vr"

ip multicast-routing

router-id 1.1.1.1

network 1.1.1.0/24 area 0

network 2.1.1.0/24 area 0

exit

router pim

pim-sm enable

pim-ssm default

exit

exit

2. The stutas of multicast routing table is V. On the back device, the multicast routing table is synchronized and its status is Y.

Deploying HA Scenario for Multicast Forwarding Through PIM-SM 91

 StoneOS Cookbook

Device A：

hostname(M)# show ip mroute

U:interface up D:interface down

V:valid multicast entry I:invalid multicast entry Y:sync mul-

ticast entry

================================================================-
==============

source: 1.1.1.2 group : 232.0.0.1 vrouter: trust-vr

status: V update time: -

ingress interface: ethernet0/1(U)

egress interface : ethernet0/2(U)

================================================================-
==============

Device Aa：

hostname(B)# show ip mroute

U:interface up D:interface down

V:valid multicast entry I:invalid multicast entry Y:sync mul-

ticast entry

================================================================-
==============

source: 1.1.1.2 group : 232.0.0.1 vrouter: trust-vr

status: Y update time: -

ingress interface: ethernet0/1(U)

egress interface : ethernet0/2(U)

================================================================-

92 Deploying HA Scenario for Multicast Forwarding Through PIM-SM

StoneOS Cookbook

==============

3.Restart Device A (or change eth0 / 1 and eth0 / 2 of Device A to shutdown). At this time, the backup device Device Aa will quickly
switch to the master device, and the multicast route in Y state can forward multicast traffic without affecting the original com-
munication; After Device Aa receives the IGMPv3 report message, the status in the multicast routing table will be updated to V, and
the multicast traffic will continue to be forwarded later. The status is shown as follows:

Device Aa：

hostname(M)# show ip mroute

U:interface up D:interface down

V:valid multicast entry I:invalid multicast entry Y:sync mul-

ticast entry

================================================================-
==============

source: 1.1.1.2 group : 232.0.0.1 vrouter: trust-vr

status: V update time: -

ingress interface: ethernet0/1(U)

egress interface : ethernet0/2(U)

================================================================-
==============

Step 5: You can deploy device B and device C to the HA AP mode as required according to the above steps.

Deploying HA Scenario for Multicast Forwarding Through PIM-SM 93

StoneOS Cookbook

Authentication

Authentication is a method of verifying visitor's identity. When a visitor is confirmed as a valid user, he is allowed to use a certain net-
work. The visitor can be a PC, a mobile phone or a tablet.

This chapter contains the following recipe:

o "Allowing the Internet Access via User Authentication" on Page 95

o " Using AD Polling for SSO" on Page 103

o " Allowing Internet Access via AD Polling" on Page 113

o " Allowing Internet Access via AD Agent" on Page 125

o " Allowing Internet Access via TS Agent" on Page 136

Authentication 94
StoneOS Cookbook

Allowing the Internet Access via User Authentication

This example shows how to use Web authentication (WebAuth). An AAA server is required in this example to confirm the identity of a
user.

The topology describes the scenarios of the case. In this scenario, only user 1 passes the authentication, and then accesses the Internet;
while other users fail to pass the authentication, and they are not allowed to access the Internet.

Configuration Steps

Step 1: Configuring the user and address book

Select Object > User > Local User. Under Local

Server, click New > User.

o Name: user1

o Password: 123456

o Confirm Password: 123456

Allowing the Internet Access via User Authentication 95

 StoneOS Cookbook

Step 1: Configuring the user and address book

Select Object > Address Book > New.

o Name: addr

o Type: IPv4

o Member: Click New , and select IP/Netmask,

enter 192.168.1.2, 32

Step 2: Configuring the interface and zone

Select Network > Interface, and double click eth-

ernet0/0.

o Binding Zone: Layer 3 Zone

o Zone: trust

o IP Configuration

o Type: Static IP

o IP Address: 192.168.1.1

o Netmask: 255.255.255.0

o WebAuth

o Auth Service: Enable

96 Allowing the Internet Access via User Authentication

StoneOS Cookbook

Step 2: Configuring the interface and zone

Select Network > Interface, and double click eth-

ernet0/1.

o Binding Zone: Layer 3 Zone

o Zone: untrust

o IP Configuration

o Type: Static IP

o IP Address: 221.224.30.130

o Netmask: 20

Step 3: Configuring Web Authentication

Select Network > WebAuth > WebAuth,

and configure the followings:

o WebAuth: Click the Enable button

o Protocol: HTTP

o Port: 8181

o Authentication Mode:

o Type: Password

Allowing the Internet Access via User Authentication 97

 StoneOS Cookbook

Step 3: Configuring Web Authentication

After the above configurations, continue to

create policy rules in Security Policy to make
WebAuth effective. Click policy template for
reference.

Step 4: Configuring Security Policy

Click the " policy page" quick link on the bottom

of the Web authentication page or select Policy >
Security Policy > Policy, and click New > Policy.

o Name: DNS

o Source Zone: Any

o Source Address: Any

o Destination Zone: Any

o Destination Address: Any

o Service: DNS

o Action: Permit

98 Allowing the Internet Access via User Authentication

StoneOS Cookbook

Step 4: Configuring Security Policy

Click New, and create the “Web-auth”policy.

o Name: Web-auth

o Source Zone: Any

o Source Address: addr

o Source User: Click +, select "Role" from the

AAA Server/Role drop-down list and select
"UNKNOWN"

o Destination Zone: Any

o Destination Address: Any

o Action: Secured connection

o WebAuth: local

Allowing the Internet Access via User Authentication 99

 StoneOS Cookbook

Step 4: Configuring Security Policy

Click New, and create the “user” policy. Spe-

cify the source user who is allowed to access the
Internet.

o Name: user

o Source Zone: Any

o Source Address: Any

o Source User: Click +, select "local" from the

AAA Server/Role drop-down list and select
"user1"

o Destination Zone: Any

o Destination Address: Any

o Action: Permit

100 Allowing the Internet Access via User Authentication

StoneOS Cookbook

Step 5: Triggering WebAuth through HTTP requests

After the above configurations, when there are

HTTP requests sent from the interface
192.168.1.2/32, user1 will be prompted to authen-
ticate by entering the username/password
(user1/123456) before accessing the Internet.

Step 6: Triggering WebAuth through HTTPS requests

Export the certificate from the device.

Select System > PKI > Trust Domain

Certificate.

o Trust Domain: trust_domain_ssl_proxy

o Content: CA Certificate

o Action: Export

Click OK to export the certificate.

Allowing the Internet Access via User Authentication 101

 StoneOS Cookbook

Step 6: Triggering WebAuth through HTTPS requests

Import the certificate to client's Web browser.

1. In the Chrome Web browser, select Set-

tings > Show advanced settings.

2. In the HTTPS/SSL section, select Manage

certificates.

3. In the Trusted Root Certification Author-

ities tab, select Import.

4. Follow the wizard to import the certificate.

After the above configurations are finished, when

there are HTTPS requests sent from the interface
192.168.1.2/32, user1 will be prompted to authen-
ticate by entering the username/password
(user1/123456) before accessing the Internet.
Note: Triggering WebAuth through HTTPS
requests depends on the feature of SSL proxy . If
the device does not support the SSL proxy. Trig-
gering WebAuth through HTTPS requests will
not work and you can then trigger WebAuth
through HTTP requests.

102 Allowing the Internet Access via User Authentication

StoneOS Cookbook

Using AD Polling for SSO

This example introduces how the domain users access the Internet directly without Web authentication, after logging in the AD domain
via configuring AD Polling.

The following shows a network environment. An enterprise sets up a Hillstone security device as the export gateway to connect internal
network with the Internet. Only the staffs in R&D department join in the AD domain (scep.pki.com), while the staffs in marketing
department are excluded. The security device enables Web authentication. All the staffs of the enterprise are allowed to access the Inter-
net only after they pass the authentication. After the AD Polling being configured, there will be login logs when staff in R&D depart-
ment login though the AD server (Log in the PC which is added into the AD domain through domain user name and password). The
device can check the logs through AD Polling, as well as obtain authentication users information on the AD server. With this inform-
ation, staff of R&D department can access the Internet directly without Web authentication.

Preparation

Before configuring the AD Polling function, prepare the following first:

o The AD server has been set up according to the user network environment.

o To enable WMI to probe the PC where the AD server is located and the terminal PCs, the PC should open the RPC service and
remote management. To enable the RPC service, you need to enter the Control Panel > Administrative Tools > Services and open

Using AD Polling for SSO 103

 StoneOS Cookbook

the Remote Procedure Call and Remote Procedure Call Locator; to enable the remote management, you need to run the command
prompt window (cmd) as administrator and enter the command netsh firewall set service RemoteAdmin

o To enable WMI to probe the PC where the AD server is located and the terminal PCs, the PC should permit WMI function to pass
through Windows firewall. Select Control Panel >System and Security> Windows Firewall >Allow an APP through Windows
Firewall, in the Allowed apps and features list, click the corresponding check box of Domain for Windows Management Instru-
mentation (WMI) function.

o The security device should be configured with related policy to protect the AD server, which may result in the port used by WMI
service (port 135 and random port) being restricted by policy. Therefore, it’s necessary to configure another policy ( the source IP
is the IP address of ethernet0/3) allows all interface traffic to pass through.

o The rule has been configured on the security device that all the staff of the enterprise should pass the Web authentication before
they access the Internet. For the detailed configuration method, please see "Allowing the Internet Access via User Authentication"
on Page 95.

Configuration Steps

Step 1: Creating a new domain user on the AD

server and configuring the user as the Domain
Admins group.

Access the PC with AD server, select Start >

Administrative Tools > Active Directory Users
and Computers, and enter the Active Directory
Users and Computers page.

104 Using AD Polling for SSO

StoneOS Cookbook

Step 1: Creating a new domain user on the AD

server and configuring the user as the Domain
Admins group.

Right-click Users and select New Object > User.

Click Next.

o First name: test

o User logon name: [email protected]

Configure a password on the New Object- User

page, and click Next.

o Password: Hillstone123456

o Confirm password: Hillstone123456

o Password never expires: Select the check box

Using AD Polling for SSO 105

 StoneOS Cookbook

Step 1: Creating a new domain user on the AD

server and configuring the user as the Domain
Admins group.

Click Finish to finish the creating of domain user

test.

In the user list, right-click test, and select Add to

group. Click OK.

o Enter the object names to select: Domain

Admins

106 Using AD Polling for SSO

StoneOS Cookbook

Step 2: Adding PCs of R&D staff into the AD

domain (taking one PC as example).

Select Control Panel > Network and Internet >

Network and Sharing Center to check the attrib-
ute of network connection. Double-click Internet
Protocol Version 4 (TCP/IPv4), enter the Inter-
net Protocol Version 4 (TCP/IPv4) Properties
page and change the IP address of Preferred
DNS server to the IP address of AD domain con-
troller.

o Preferred DNS server: 10.180.201.8

o Alternate DNS server: 8.8.8.8

Search cmd in the Start menu and double-click to

open the command prompt(cmd) application win-
dow, so as to make sure that the PC can be con-
nected to the AD domain controller
(scep.pki.com).

Using AD Polling for SSO 107

 StoneOS Cookbook

Step 2: Adding PCs of R&D staff into the AD

domain (taking one PC as example).

Select Control Panel > System and Security >

System > Computer name, domain, and work-
group settings > Change settings, and add the
PC into the AD domain (scep.pki.com). Click
OK.

o Domain: scep.pki.com

108 Using AD Polling for SSO

StoneOS Cookbook

Step 2: Adding PCs of R&D staff into the AD

domain (taking one PC as example).

In the Windows security dialog box, enter

Domain name\User name and Password. The
user name should be the one in the Domain
Admins group.

o Domain name\User name: scep\test

o Password: Hillstone123456

After the PC being added in the AD domain

(scep.pki.com) successfully, restart the computer
to make it take effect.

Using AD Polling for SSO 109

 StoneOS Cookbook

Step 3: Configuring AD server parameters in StoneOS.

Select Object > AAA server, and select Active Directory

Server from the newly created drop-down list.

o Server Name: ad-polling

o Server Address: 10.180.201.8

o Base-dn: dc=scep,dc=pki,dc=com

o Login-dn: cn=test,cn=users,dc=scep,dc=pki,dc=com

o sAMAccountName: test

o Authentication Mode: MD5

o Password: Hillstone123456

Click OK and the AD server is created successfully.

110 Using AD Polling for SSO

StoneOS Cookbook

Step 4: Configuring AD Polling in StoneOS

Select Object > SSO Client > AD Polling, click

Create and enter AD Polling Configuration page.

o Name: ad-polling

o Status: click Enable

o Host: 10.180.201.8

o Virtual Router: trust-vr

o Account: scep\test

o Password: Hillstone123456

o AAA Server: select the AD server ad-polling

created in step 3

o AD Polling Interval: 2 seconds

o Client Probing Interval: 5 minutes

o Force Timeout: 10 minutes

Click OK to finish AD Polling configuration.

Using AD Polling for SSO 111

 StoneOS Cookbook

Step 5: Verifying result

After all the above configurations being finished,

staff of R&D department (such as the user test
added in AD domain in this example) can access
the Internet without passing Web authentication.
However, the staff of marketing department still
needs to pass Web authentication before visiting
the Internet.

If user needs to check the mapping information

between user and IP on the device via AD
Polling, you're suggested to log in the StoneOS
commands operation system and enter the com-
mand show user-mapping user-sso ad-polling or
show auth-user.

As shown in the figure, in the authentication user

list obtained via AD Polling, the corresponding IP
of the user test is 10.180.203.74.

112 Using AD Polling for SSO

StoneOS Cookbook

Allowing Internet Access via AD Polling

This example introduces how to configure AD polling to allow users to access the Internet.

The following shows a network environment. An enterprise sets up a Hillstone security device as the export gateway to connect internal
network with the Internet. All the staff in R&D department and marketing department join in the AD domain (scep.pki.com). After the
AD Polling being configured, there will be login logs when staffs login though the AD server (Log in the PC which is added into the
AD domain through domain user name and password). System can check the logs through AD Polling, as well as obtain authentication
users information (user name and IP) on the AD server. With the user-based security policy, only the R&D manager can access the
Internet, while other staffs of the R&D department cannot access the Internet, and the staff of the marketing department can access
the Web service based on HTTP or HTTPS.

Preparation

Before configuring the AD Polling function, prepare the following first:

o The AD server has been set up according to the user network environment.

o To enable WMI to probe the PC where the AD server is located and the terminal PCs, the PC should open the RPC service and
remote management. To enable the RPC service, you need to enter the Control Panel > Administrative Tools > Services and open

Allowing Internet Access via AD Polling 113

 StoneOS Cookbook

the Remote Procedure Call and Remote Procedure Call Locator; to enable the remote management, you need to run the command
prompt window (cmd) as administrator and enter the command netsh firewall set service RemoteAdmin

o To enable WMI to probe the PC where the AD server is located and the terminal PCs, the PC should permit WMI function to pass
through Windows firewall. Select Control Panel >System and Security > Windows Firewall >Allow an APP through Windows
Firewall, in the Allowed apps and features list, click the corresponding check box of Domain for Windows Management Instru-
mentation (WMI) function.

o The security device should be configured with related policy to protect the AD server, which may result in the port used by WMI
service (port 135 and random port) being restricted by policy. Therefore, it’s necessary to configure another policy ( the source IP
is the IP address of ethernet0/3) allows all interface traffic to pass through.

o The rule has been configured on the security device that all the staff of the enterprise should pass the Web authentication before
they access the Internet. For the detailed configuration method, please see "Allowing the Internet Access via User Authentication"
on Page 95.

Configuration Steps

Step 1: Create a new domain user on the AD

server and configuring the user as the Domain
Admins group.

Access the PC with AD server, select Start >

Administrative Tools > Active Directory Users
and Computers, and enter the Active Directory
Users and Computers page.

114 Allowing Internet Access via AD Polling

StoneOS Cookbook

Step 1: Create a new domain user on the AD

server and configuring the user as the Domain
Admins group.

Right-click Users and select New Object > User.

Click Next.

o First name: test

o User logon name: [email protected]

Configure a password on the New Object- User

page, and click Next.

o Password: Hillstone123456

o Confirm password: Hillstone123456

o Password never expires: Select the check box

Allowing Internet Access via AD Polling 115

 StoneOS Cookbook

Step 1: Create a new domain user on the AD

server and configuring the user as the Domain
Admins group.

Click Finish to finish the creating of domain user

test.

In the user list, right-click test and select Add to

group. Click OK.

o Enter the object names to select: Domain

Admins

116 Allowing Internet Access via AD Polling

StoneOS Cookbook

Step 2: Add PCs of R&D staff into the AD

domain (taking the PC of R&D manager as
example).

Select Control Panel > Network and Internet >

Network and Sharing Center to check the attrib-
ute of network connection. Double-click Internet
Protocol Version 4 (TCP/IPv4), enter the Inter-
net Protocol Version 4 (TCP/IPv4) Properties
page and change the IP address of Preferred
DNS server to the IP address of AD domain con-
troller.

o Preferred DNS server: 10.180.201.8

o Alternate DNS server: 8.8.8.8

Search cmd in the Start menu and double-click to

open the command prompt(cmd) application win-
dow, so as to make sure that the PC can be con-
nected to the AD domain controller
(scep.pki.com).

Allowing Internet Access via AD Polling 117

 StoneOS Cookbook

Step 2: Add PCs of R&D staff into the AD

domain (taking the PC of R&D manager as
example).

Select Control Panel > System and Security >

System > Computer name, domain, and work-
group settings > Change settings, and add the
PC into the AD domain (scep.pki.com). Click
OK.

o Domain: scep.pki.com

118 Allowing Internet Access via AD Polling

StoneOS Cookbook

Step 2: Add PCs of R&D staff into the AD

domain (taking the PC of R&D manager as
example).

In the Windows security dialog box, enter

Domain name\User name and Password. The
user name should be the one in the Domain
Admins group.

o Domain name\User name: scep\test

o Password: Hillstone123456

After the PC being added in the AD domain

(scep.pki.com) successfully, restart the computer
to make it take effect.

Allowing Internet Access via AD Polling 119

 StoneOS Cookbook

Step 3: Configure AD server parameters in StoneOS.

Select Object > AAA server, and select Active

Directory Server from the newly created drop-
down list.

o Server Name: ad-polling

o Server Address: 10.180.201.8

o Base-dn: dc=scep,dc=pki,dc=com

o Login-dn: cn=test,c-
cn=users,dc=scep,dc=pki,dc=com

o sAMAccountName: test

o Authentication Mode: MD5

o Password: Hillstone123456

Click OK and the AD server is created suc-

cessfully.

120 Allowing Internet Access via AD Polling

StoneOS Cookbook

Step 4: Configure AD Polling in StoneOS

Select Object > SSO Client > AD Polling, click

Create and enter AD Polling Configuration page.

o Name: ad-polling

o Status: click Enable

o Host: 10.180.201.8

o Virtual Router: trust-vr

o Account: scep\test

o Password: Hillstone123456

o AAA Server: select the AD server ad-polling

created in step 3

o AD Polling Interval: 2 seconds

o Client Probing Interval: 5 minutes

o Force Timeout: 10 minutes

Click OK to finish AD Polling configuration.

Allowing Internet Access via AD Polling 121

 StoneOS Cookbook

Step 5: Configure policies

Configuring a policy to allow the manager of

R&D department to access the Internet

Select Policy > Security Policy, and click New.

o Name: manager

o Source

o Zone: trust

o Address: any

o User: Select the user name "test" of R&D

manager

o Destination

o Zone: untrust

o Address: any

o Other Information

o Action: Permit

122 Allowing Internet Access via AD Polling

StoneOS Cookbook

Step 5: Configure policies

Configuring a policy to allow the staff of the

marketing department to access the Web service
based on HTTP or HTTPS

Select Policy > Security Policy, and click New.

o Name: market

o Source

o Zone: trust

o Address: any

o User: Select the user group "market" of

the marketing department

o Destination

o Zone: untrust

o Address: any

o Other Information

o Service: HTTP, HTTPS

o Action: Permit

Allowing Internet Access via AD Polling 123

 StoneOS Cookbook

Step 5: Configure policies

Adjusting the priority of policies

1. Select Policy > Security Policy to enter the

Security Policy page.

2. Select the check box of "manager" and

"market" policies, and click Move.

3. Type the ID (2) of the second WebAuth

policy into the ToID text, and click After
ID.

Step 6: Verify result

After all the above configurations, only the R&D

manager can access the Internet, while other
staffs of the R&D department cannot access the
Internet, and the staff of the marketing depart-
ment can access the Web service based on HTTP
or HTTPS.

124 Allowing Internet Access via AD Polling

StoneOS Cookbook

Allowing Internet Access via AD Agent

This example introduces how to configure AD agent to allow users to access the Internet.

The following shows a network environment. An enterprise sets up a Hillstone security device as the export gateway to connect internal
network with the Internet. All the staff in the R&D department and marketing department join in the AD domain (scep.pki.com). After
the AD Agent being configured, there will be login information when staffs login though the AD server (Log in the PC which is added
into the AD domain through domain user name and password). The AD Security Agent will send the authentication users information (
user name and IP) to system. With the user-based security policy, only the R&D manager can access the Internet, while other staffs of
the R&D department cannot access the Internet, and the staff of the marketing department can access the Web service based on HTTP
or HTTPS.

Preparation

Before configuring the AD Agent function, prepare the following first:

o The AD server has been set up according to the user network environment.

o To enable WMI to probe the PC where the AD server is located and the terminal PCs, the PC should open the RPC service and
remote management. To enable the RPC service, you need to enter the Control Panel > Administrative Tools > Services and open

Allowing Internet Access via AD Agent 125

 StoneOS Cookbook

the Remote Procedure Call and Remote Procedure Call Locator; to enable the remote management, you need to run the command
prompt window (cmd) as administrator and enter the command netsh firewall set service RemoteAdmin

o To enable WMI to probe the PC where the AD server is located and the terminal PCs, the PC should permit WMI function to pass
through Windows firewall. Select Control Panel >System and Security > Windows Firewall >Allow an APP through Windows
Firewall, in the Allowed apps and features list, click the corresponding check box of Domain for Windows Management Instru-
mentation (WMI) function.

o The security device should be configured with related policy to protect the AD server, which may result in the port used by WMI
service (port 135 and random port) being restricted by policy. Therefore, it’s necessary to configure another policy ( the source IP
is the IP address of ethernet0/3) allows all interface traffic to pass through.

o The rule has been configured on the security device that all the staff of the enterprise should pass the Web authentication before
they access the Internet. For the detailed configuration method, please see "Allowing the Internet Access via User Authentication"
on Page 95.

Configuration Steps

Step 1: Create a new domain user on the AD

server and configuring the user as the Domain
Admins group.

Access the PC with AD server, select Start >

Administrative Tools > Active Directory Users
and Computers, and enter the Active Directory
Users and Computers page.

126 Allowing Internet Access via AD Agent

StoneOS Cookbook

Step 1: Create a new domain user on the AD

server and configuring the user as the Domain
Admins group.

Right-click Users and select New Object > User.

Click Next.

o First name: test

o User logon name: [email protected]

Configure a password on the New Object- User

page, and click Next.

o Password: Hillstone123456

o Confirm password: Hillstone123456

o Password never expires: Select the check box

Allowing Internet Access via AD Agent 127

 StoneOS Cookbook

Step 1: Create a new domain user on the AD

server and configuring the user as the Domain
Admins group.

Click Finish to finish the creating of domain user

test.

In the user list, right-click test and select Add to

group. Click OK.

o Enter the object names to select: Domain

Admins

128 Allowing Internet Access via AD Agent

StoneOS Cookbook

Step 2: Add PCs of R&D staff into the AD

domain (taking the PC of R&D manager as
example).

Select Control Panel > Network and Internet >

Network and Sharing Center to check the attrib-
ute of network connection. Double-click Internet
Protocol Version 4 (TCP/IPv4), enter the Inter-
net Protocol Version 4 (TCP/IPv4) Properties
page and change the IP address of Preferred
DNS server to the IP address of AD domain con-
troller.

o Preferred DNS server: 10.180.201.8

o Alternate DNS server: 8.8.8.8

Search cmd in the Start menu and double-click to

open the command prompt(cmd) application win-
dow, so as to make sure that the PC can be con-
nected to the AD domain controller
(scep.pki.com).

Allowing Internet Access via AD Agent 129

 StoneOS Cookbook

Step 2: Add PCs of R&D staff into the AD

domain (taking the PC of R&D manager as
example).

Select Control Panel > System and Security >

System > Computer name, domain, and work-
group settings > Change settings, and add the
PC into the AD domain (scep.pki.com). Click
OK.

o Domain: scep.pki.com

In the Windows security dialog box, enter

Domain name\User name and Password. The
user name should be the one in the Domain
Admins group.

o Domain name\User name: scep\test

o Password: Hillstone123456

130 Allowing Internet Access via AD Agent

StoneOS Cookbook

Step 2: Add PCs of R&D staff into the AD

domain (taking the PC of R&D manager as
example).

After the PC being added in the AD domain

(scep.pki.com) successfully, restart the computer
to make it take effect.

Step 3: Install and configure AD Security Agent in AD server.

1. Click http://swup-
date.hillstonenet.com:1337/sslvpn/download?os=windows-
adagent to download an AD Security Agent installation program,
and copy it to the AD server.

2. Double-click ADAgentSetup.exe to open it and follow the

installation wizard to install it.

3. Double-click the AD Agent Configuration Tool

shortcut, and the AD Agent Configuration Tool dialog pops up.

4. Click the General tab.

o Agent Port: 6666

o AD User Name: scep\test

o Password: Hillstone123456

o Server Monitor: Select the Enable Security Log Monitor

check box, and configure the Monitor Frequency as 5
seconds

o Client Probing: Select the Enable WMI probing check box,

and configure the Probing Frequency as 20 minutes

Allowing Internet Access via AD Agent 131

 StoneOS Cookbook

Step 3: Install and configure AD Security Agent in AD server.

Click Commit to commit the above configurations and start the AD

Agent service.

Step 4: Configure AD server parameters in StoneOS.

Select Object > AAA server, and select Active

Directory Server from the newly created drop-
down list.

o Server Name: ad-polling

o Server Address: 10.180.201.8

o Base-dn: dc=scep,dc=pki,dc=com

o Login-dn: cn=test,c-
cn=users,dc=scep,dc=pki,dc=com

o sAMAccountName: test

o Authentication Mode: MD5

o Password: Hillstone123456

o Security Agent: Select the check box, and con-

figure the Agent Port as 6666

Click OK to finish AD server configuration.

132 Allowing Internet Access via AD Agent

StoneOS Cookbook

Step 5: Configure policies

Configuring a policy to allow the manager of

R&D department to access the Internet

Select Policy > Security Policy, and click New.

o Name: manager

o Source

o Zone: trust

o Address: any

o User: Select the user name "test" of R&D

manager

o Destination

o Zone: untrust

o Address: any

o Other Information

o Action: Permit

Allowing Internet Access via AD Agent 133

 StoneOS Cookbook

Step 5: Configure policies

Configuring a policy to allow the staff of the

marketing department to access the Web service
based on HTTP or HTTPS

Select Policy > Security Policy, and click New.

o Name: market

o Source

o Zone: trust

o Address: any

o User: Select the user group "market" of

the marketing department

o Destination

o Zone: untrust

o Address: any

o Other Information

o Service: HTTP, HTTPS

o Action: Permit

134 Allowing Internet Access via AD Agent

StoneOS Cookbook

Step 5: Configure policies

Adjusting the priority of policies

1. Select Policy > Security Policy to enter the

Security Policy page.

2. Select the check box of "manager" and

"market" policies, and click Move.

3. Type the ID (2) of the second WebAuth

policy into the ToID text, and click After
ID.

Step 6: Verify result

After all the above configurations being finished,

only the R&D manager can access the Internet,
while other staffs of the R&D department cannot
access the Internet, and the staff of the marketing
department can access the Web service based on
HTTP or HTTPS.

Allowing Internet Access via AD Agent 135

StoneOS Cookbook

Allowing Internet Access via TS Agent

This example introduces how to configure TS Agent to allow users to access the Internet.

The following shows a network environment. An enterprise sets up a Hillstone security device as the export gateway to connect internal
network with the Internet. Internal users connect to a Windows server through thin clients. After the TS Agent is configured, when
users log in the Windows server using remote desktop services, the Hillstone Terminal Service Agent will allocate port ranges to users
and send the port ranges and users information to the system. At the same time, the system will create the mappings of traffic IPs, port
ranges and users. With the user-based security policy, only user 1 can access the Internet, while user 2 cannot access the Internet, and
user 3 can access the Web service based on HTTP or HTTPS.

Preparation

Before configuring the TS Agent function, prepare the following first:

o The Windows server has been set up according to the user network environment. Windows Server 2008 R2, Windows Server
2016, and Windows Server 2019 are currently supported. Windows Server 2008 R2 Service Pack 1 and KB3033929 must be
installed if Windows Server 2008 R2 is used.

o The SNAT rule has been configured on the security device, and all the internal users can access the Internet. For the detailed con-
figuration method, please see "Allowing Private Network to Access Internet Using SNAT" on Page 21.

Allowing Internet Access via TS Agent 136

 StoneOS Cookbook

Configuration Steps

Step 1: Installing and configuring Hillstone Terminal Service Agent in Windows server.

1. Click http://swupdate.hillstonenet.com:1337/sslvpn/download?os=windows-tsagent to download a Hillstone Terminal Ser-

vice Agent installation program, and copy it to the Windows server.

2. Double-click HSTSAgent.exe to open it and follow the installation wizard to install it.

3. Double-click the Hillstone Terminal Service Agent shortcut, and the Hillstone Terminal Service Agent dia-
log pops up.

4. Click the Agent config tab.

o Listening Address IPv4: 0.0.0.0

o Listening Port (1025-65534)：5019

o Heartbeat Interval (1-30s): 5

o Heartbeat Timeout (10-300s): 60

Click Save to save the configurations.

137 Allowing Internet Access via TS Agent

StoneOS Cookbook

Step 1: Installing and configuring Hillstone Terminal Service Agent in Windows server.

5. Click the Port config tab.

o User Allocable Port Range (1025-65534):

20000-39999

o User Port Block Size (20-2000): 200

o User Port Block Max (1-256): 1

o Passthrough when user port exhausted: Select

the check box

Click Save to save the configurations.

Step 2: Configuring TS Agent parameters in StoneOS via WebUI and CLI.

WebUI

Select Object > SSO Client > TS Agent, and

click New .

o Name: tsagent1

o Status: Select the Enable check box

o HOST: 10.1.1.1

o Virtual Router: trust-vr

o Port: 5019

o AAA Server: local

o Disconnection Timeout: 300

o Traffic IP: Enter 10.1.1.1, and click Add

Allowing Internet Access via TS Agent 138

 StoneOS Cookbook

Step 2: Configuring TS Agent parameters in StoneOS via WebUI and CLI.

Click OK to save the configurations.

CLI

host-name(config)# user-sso client ts-agent tsagent1

host-name(config-ts-agent)# host 10.1.1.1

host-name(config-ts-agent)# aaa-server local

host-name(config-ts-agent)# traffic-ip 10.1.1.1

host-name(config-ts-agent)# enable

host-name(config-ts-agent)# exit

Step 3: Configuring policies in StoneOS via WebUI and CLI.

WebUI

139 Allowing Internet Access via TS Agent

StoneOS Cookbook

Step 3: Configuring policies in StoneOS via WebUI and CLI.

Configuring a policy to allow all DNS traffic to

get through.

Because DNS traffic is system traffic of the Win-

dows Server, not the traffic of one specific user,
configure a policy to allow all DNS traffic to get
through first.

Select Policy > Security Policy, and click New.

o Name: DNS

o Source

o Zone: any

o Address: any

o Destination

o Zone: any

o Address: any

o Service: DNS

o Action: Permit

Allowing Internet Access via TS Agent 140

 StoneOS Cookbook

Step 3: Configuring policies in StoneOS via WebUI and CLI.

Configuring a policy to allow user 1 to access

the Internet.

Select Policy > Security Policy, and click New.

o Name: User1

o Source

o Zone: trust

o Address: any

o User: user1

o Destination

o Zone: untrust

o Address: any

o Action: Permit

141 Allowing Internet Access via TS Agent

StoneOS Cookbook

Step 3: Configuring policies in StoneOS via WebUI and CLI.

Configuring a policy to allow user 3 to access

the Web service based on HTTP or HTTPS

Select Policy > Security Policy, and click New.

o Name: User3

o Source

o Zone: trust

o Address: any

o User: user3

o Destination

o Zone: untrust

o Address: any

o Service: HTTP, HTTPS

o Action: Permit

CLI

Allowing Internet Access via TS Agent 142

 StoneOS Cookbook

host-name(config)# rule name DNS from any to any service DNS permit

Rule id 2 is created.

host-name(config)# rule name User1 user local user1 from any to any from-
zone trust to-zone untrust permit

Rule id 3 is created.

host-name(config)# rule name User3 user local user3 from any to any from-
zone trust to-zone untrust service HTTP permit

Rule id 4 is created.

host-name(config)# rule id 4

host-name(config-policy-rule)# service HTTPS

host-name(config-policy-rule)# exit

Step 4: Verifying result

After all the above configurations are finished, only user 1 can access the Internet, while user 2 cannot access the Internet, and user
3 can access the Web service based on HTTP or HTTPS.

143 Allowing Internet Access via TS Agent

StoneOS Cookbook

VPN

This chapter introduces virtual private network deployment.

This chapter contains the following recipes:

o IPSec VPN

o "Connection between Two Private Networks Using IPSec VPN (IKEv1)" on Page 145

o "Connection between Two Private Networks Using IPSec VPN (IKEv2)" on Page 158

o "Connecting to Microsoft Azure Using Site-to-Site VPN" on Page 203

o "Establishment of IPSec VPN Based on Certificate Authentication " on Page 168

o "Realizing Dynamic Switch between IPSec Links Using IPSec VPN Smart Link" on Page 181

o SSL VPN

o "Allowing Remote Users to Access a Private Network Using SSL VPN" on Page 194

o "Using an iOS/Android Device to Remotely Access Intranet Services" on Page 214

o L2TP over IPSec VPN

o "Allowing Remote Users ( PC ) to Access a Private Network Using L2TP over IPSec VPN" on Page 222

o "Allowing Remote Users (iOS/Android) to Access a Private Network Using L2TP over IPSec VPN" on Page 241

o GRE over IPSec VPN

o "Connection between Two Private Networks Using GRE over IPSec VPN" on Page 256

o VXLAN

o " Configuring VXLAN Static Unicast Tunnel" on Page 272

VPN 144
StoneOS Cookbook

Connection between Two Private Networks Using IPSec VPN (IKEv1)

This example tells how to create IPSec VPN (IKEv1)tunnels to encrypt and protect the communication between two private networks
. Usually, IPSec VPN tunnel is to connect the Device A in a branch office and the Device B in the headquarters.

* Note: This topology uses laboratory environment. In this recipe, 10.10.1.0/24 represents public network.

Configuration Steps

Device A

Step 1: Configuring interface

1. Configuring the interface connected to

private network

Select Network > Interface, and double click eth-

ernet0/1.

o Binding Zone: Layer 3 Zone

o Zone: trust

o Type: Static IP

o IP Address: 192.168.1.1

o Netmask: 255.255.255.0

Connection between Two Private Networks Using IPSec VPN (IKEv1) 145
 StoneOS Cookbook

Step 1: Configuring interface

2. Configuring the interface connected to Inter-

net

Select Network > Interface, and double click eth-

ernet0/2.

o Binding Zone: Layer 3 Zone

o Zone: untrust

o Type: Static IP

o IP Address: 10.10.1.1

o Netmask: 255.255.255.0

146 Connection between Two Private Networks Using IPSec VPN (IKEv1)
StoneOS Cookbook

Step 2: Configuring security policies

1. Creating a policy to allow private network to

visit Internet

Select Policy > Security Policy, and click New.

o Name: trust_untrust

o Source Information

o Zone: trust

o Address: Any

o Destination

o Zone: untrust

o Address: Any

o Other Information

o Action: Permit

Connection between Two Private Networks Using IPSec VPN (IKEv1) 147
 StoneOS Cookbook

Step 2: Configuring security policies

2. Creating a security policy to allow Internet

visit private network

Select Policy > Security Policy, and click New.

o Name: untrust_trust

o Source Information

o Zone: untrust

o Address: Any

o Destination

o Zone: trust

o Address: Any

o Other Information

o Action: Permit

Step 3: Configuring IPSec VPN

1. Configuring P1 proposal for IKE SA

Select Network > VPN > IPSec VPN, under the

P1 Proposal tab, click New.

o Proposal Name: Headquarter_to_Branch_P1

o Authentication: Pre-share

o Hash: SHA

o Encryption: 3DES

148 Connection between Two Private Networks Using IPSec VPN (IKEv1)
StoneOS Cookbook

Step 3: Configuring IPSec VPN

2. Configuring P2 proposal for IPSec SA

Select Network > VPN > IPSec VPN, under the

P2 Proposal tab, click New.

o Proposal Name: Headquarter_to_Branch_P2

o Authentication: ESP

o Hash: SHA

o Encryption: 3DES

3. Configuring VPN peer

Select Network > VPN > IPSec VPN, under the

VPN Peer List tab, click New.

o Name: Headquarter_to_Branch

o Interface: ethernet0/2

o Mode: Main

o Type: Static IP

o Peer IP: 10.10.1.2

o Proposal 1: Headquarter_to_Branch_P1

o Pre-share Key: 123456

Connection between Two Private Networks Using IPSec VPN (IKEv1) 149
 StoneOS Cookbook

Step 3: Configuring IPSec VPN

4. Configuring IKE VPN

Select Network > VPN > IPSec VPN, under the

IKE VPN List tab, click New.

o Peer Name: Headquarter_to_Branch

o Tunnel Name: Tunnel

o Mode: tunnel

o P2 Proposal: Headquarter_to_Branch_P2

Step 4: Creating tunnel interface

Select Network > Interface, and click New >

Tunnel Interface.

o Basic

o Name: 1

o Zone: untrust

o Tunnel Binding

o Tunnel Type: IPSec VPN

o VPN Name: Tunnel

150 Connection between Two Private Networks Using IPSec VPN (IKEv1)
StoneOS Cookbook

Step 5: Configuring route

Select Network > Routing > Destination Rout-

ing, and click New.

o Destination: 192.168.2.0

o Subnet Mask: 24

o Next Hop: Interface

o Interface: tunnel1

Device B

Step 1: Configuring interface

1. Configuring the interface connected to

private network

Select Network > Interface, and double click eth-

ernet0/1.

o Binding Zone: Layer 3 Zone

o Zone: trust

o Type: Static IP

o IP Address: 192.168.2.1

o Netmask: 255.255.255.0

Connection between Two Private Networks Using IPSec VPN (IKEv1) 151
 StoneOS Cookbook

Step 1: Configuring interface

2. Configuring the interface connected to Inter-

net

Select Network > Interface, and double click eth-

ernet0/2.

o Binding Zone: Layer 3 Zone

o Zone: untrust

o Type: Static IP

o IP Address: 10.10.1.2

o Netmask: 255.255.255.0

152 Connection between Two Private Networks Using IPSec VPN (IKEv1)
StoneOS Cookbook

Step 2: Configuring security policies

1. Creating a policy to allow private network to

visit Internet

Select Policy > Security Policy, and click New.

o Name: trust_untrust

o Source Information

o Zone: trust

o Address: Any

o Destination

o Zone: untrust

o Address: Any

o Other Information

o Action: Permit

Connection between Two Private Networks Using IPSec VPN (IKEv1) 153
 StoneOS Cookbook

Step 2: Configuring security policies

2. Creating a security policy to allow Internet

visit private network

Select Policy > Security Policy, and click New.

o Name: untrust_trust

o Source Information

o Zone: untrust

o Address: Any

o Destination

o Zone: trust

o Address: Any

o Other Information

o Action: Permit

Step 3: Configuring IPSec VPN

1. Configuring P1 proposal for IKE SA

Select Network > VPN > IPSec VPN, under the

P1 Proposal tab, click New.

o Proposal Name: Branch_to_Headquarter_P1

o Authentication: Pre-share

o Hash: SHA

o Encryption: 3DES

154 Connection between Two Private Networks Using IPSec VPN (IKEv1)
StoneOS Cookbook

Step 3: Configuring IPSec VPN

2. Configuring P2 proposal for IPSec SA

Select Network > VPN > IPSec VPN, under the

P2 Proposal tab, click New.

o Proposal Name: Branch_to_Headquarter_P2

o Authentication: ESP

o Hash: SHA

o Encryption: 3DES

3. Configuring VPN peer

Select Network > VPN > IPSec VPN, under the

VPN Peer List tab, click New.

o Name: Branch_to_Headquarter

o Interface: ethernet0/2

o Mode: Main

o Type: Static IP

o Peer IP: 10.10.1.2

o Proposal 1:Branch_to_Headquarter_P1

o Pre-share Key: 123456

Connection between Two Private Networks Using IPSec VPN (IKEv1) 155
 StoneOS Cookbook

Step 3: Configuring IPSec VPN

4. Configuring IKE VPN

Select Network > VPN > IPSec VPN, under the

IKE VPN List tab, click New.

o Peer Name: Branch_to_Headquarter

o Tunnel Name: Tunnel

o Mode: tunnel

o P2 Proposal: Branch_to_Headquarter_P2

Step 4: Creating tunnel interface

Select Network > Interface, and click New >

Tunnel Interface.

o Basic

o Name: 1

o Zone: untrust

o Tunnel Binding

o Tunnel Type: IPSec VPN

o VPN Name: Tunnel

156 Connection between Two Private Networks Using IPSec VPN (IKEv1)
StoneOS Cookbook

Step 5: Configuring route

Select Network > Routing > Destination Rout-

ing, and click New.

o Destination: 192.168.1.0

o Subnet Mask: 24

o Next Hop: Interface

o Interface: tunnel1

Step 6: Results

Use PC1 in the headquarters to ping PC2 in the

branch. It works.

Step 7: Check if IPSec VPN tunnel has been established

Go to Network > VPN > IPSec VPN, and click

IPSec VPN Monitor on the top right corner,
under the <ISAKMP SA> tab and under the
IPSec SA tab, you will see the status of the tunnel.

Connection between Two Private Networks Using IPSec VPN (IKEv1) 157
StoneOS Cookbook

Connection between Two Private Networks Using IPSec VPN (IKEv2)

This example tells how to create IPSec VPN (IKEv2) tunnels to encrypt and protect the communication between two private networks
. Usually, IPSec VPN tunnel is to connect the Device A in a branch office and the Device B in the headquarters.

* Note: This topology uses laboratory environment. In this recipe, 10.10.1.0/24 represents public network.

Configuration Steps

Device A

Step 1: Configuring interface

1.Configuring the interface connected to private network.

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ip address 192.168.1.1/24

hostname(config-if-eth0/1)# exit

2.Configuring the interface connected to Internet.

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone untrust

hostname(config-if-eth0/2)# ip address 10.10.1.1/24

hostname(config-if-eth0/2)# exit

Step 2: Configuring security policies

Connection between Two Private Networks Using IPSec VPN (IKEv2) 158
 StoneOS Cookbook

hostname(config)# rule from 192.168.1.0/24 to 192.168.2.0/24 service any per-

mit

hostname(config)# rule from 192.168.2.0/24 to 192.168.1.0/24 service any per-

mit

Step 3: Configuring IPSec VPN

159 Connection between Two Private Networks Using IPSec VPN (IKEv2)
StoneOS Cookbook

1.Configuring P1 proposal for IKEv2 SA.

hostname(config)# ikev2 proposal Headquarters_to_Branch_P1

hostname(config-ikev2-proposal)# hash sha

hostname(config-ikev2-proposal)# encryption 3des

hostname(config-ikev2-proposal)# group 2

hostname(config-ikev2-proposal)# exit

2.Configuring P2 proposal for IPSec IKEv2 SA.

hostname(config)# ikev2 ipsec-proposal Headquarters_to_Branch_P2

hostname(config-ikev2-ipsec-proposal)#protocol esp

hostname(config-ikev2-ipsec-proposal)#hash sha

hostname(config-ikev2-ipsec-proposal)#encryption 3des

hostname(config-ikev2-ipsec-proposal)#exit

3. Configuring IKEv2 peer.

hostname(config)# ikev2 peer peer2

hostname(config-ikev2-peer)# interface ethernet0/2

hostname(config-ikev2-peer)# match-peer 10.10.1.2

hostname(config-ikev2-peer)# local-id fqdn Headquarters

hostname(config-ikev2-peer)# ikev2-proposal Headquarters_to_Branch_P1

4.Creating IKEv2 Profile.

hostname(config-ikev2-peer)# ikev2-profile 1

hostname(config-ikev2-profile)# remote id fqdn Branch1

hostname(config-ikev2-profile)# remote key 123456

hostname(config-ikev2-profile)# traffic-selector src subnet 192.168.1.0/24

hostname(config-ikev2-profile)# traffic-selector dst subnet 192.168.2.0/24

Connection between Two Private Networks Using IPSec VPN (IKEv2) 160
 StoneOS Cookbook

hostname(config-ikev2-profile)# exit

hostname(config-ikev2-peer)# exit

hostname(config)#

5.Viewing the P1 and P2 proposal information of IPsec VPN IKEv2.

hostname# show ikev2 proposal Headquarters_to_Branch_P1

Name: Headquarters_to_Branch_P1

Encryption: 3des

PRF: sha

Hash: sha

Group: 2

Lifetime: 86400

hostname# show ikev2 proposal Headquarters_to_Branch_P2

Name: Headquarters_to_Branch_P2

Protocol: esp

Encryption: 3des

Hash: sha

Group: 0

Lifetime: 28800

Lifesize: 0

Step 4: Creating IPsec VPN IKEv2 tunnel

161 Connection between Two Private Networks Using IPSec VPN (IKEv2)
StoneOS Cookbook

hostname(config)# tunnel ipsec test-ikev2 ikev2

hostname(config-ikev2-tunnel)# ikev2-peer peer2

hostname(config-ikev2-tunnel)# ipsec-proposal Headquarters_to_Branch_P2

hostname(config-ikev2-tunnel)# exit

hostname(config)#

Step 5 : Binding the tunnel interface to the IPsec VPN IKEv2 tunnel

hostname(config)# interface tunnel1

hostname(config-if-tun1)# zone trust

hostname(config-if-tun1)# tunnel ikev2 test-ikev2

hostname(config-if-tun1)# exit

hostname(config)#

Step 6: Configuring route

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ip route 192.168.2.0/24 tunnel1

hostname(config-vrouter)# exit

Device B

Step 1: Configuring interface.

Connection between Two Private Networks Using IPSec VPN (IKEv2) 162
 StoneOS Cookbook

1.Configuring the interface connected to private network.

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ip address 192.168.2.1/24

hostname(config-if-eth0/1)# exit

2.Configuring the interface connected to Internet.

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone untrust

hostname(config-if-eth0/2)# ip address 10.10.1.2/24

hostname(config-if-eth0/2)# exit

Step 2: Configuring security policies

hostname(config)# rule from 192.168.1.0/24 to 192.168.2.0/24 service any per-

mit

hostname(config)# rule from 192.168.2.0/24 to 192.168.1.0/24 service any per-

mit

Step 3: Configuring IPSec VPN (IKEv2).

163 Connection between Two Private Networks Using IPSec VPN (IKEv2)
StoneOS Cookbook

1.Configuring P1 proposal for IKE SA .

hostname(config)# ikev2 proposal Branch_to_Headquarters_P1

hostname(config-ikev2-proposal)# hash sha

hostname(config-ikev2-proposal)# encryption 3des

hostname(config-ikev2-proposal)# group 2

hostname(config-ikev2-proposal)# exit

2.Configuring P2 proposal for IPSec (IKEv2) SA.

hostname(config)# ikev2 ipsec-proposal Branch_to_Headquarters_P2

hostname(config-ikev2-ipsec-proposal)#protocol esp

hostname(config-ikev2-ipsec-proposal)#hash sha

hostname(config-ikev2-ipsec-proposal)#encryption 3des

hostname(config-ikev2-ipsec-proposal)#exit

3. Configuring IKEv2 peer.

hostname(config)# ikev2 peer peer1

hostname(config-ikev2-peer)# interface ethernet0/2

hostname(config-ikev2-peer)# match-peer 10.10.1.1

hostname(config-ikev2-peer)# local-id fqdn Branch1

hostname(config-ikev2-peer)# ikev2-proposal Branch_to_Headquarters_P1

4.Creating IKEv2 Profile.

hostname(config-ikev2-peer)# ikev2-profile 1

hostname(config-ikev2-profile)# remote id fqdn Headquarters

hostname(config-ikev2-profile)# remote key 123456

hostname(config-ikev2-profile)# traffic-selector src subnet 192.168.2.0/24

hostname(config-ikev2-profile)# traffic-selector dst subnet 192.168.1.0/24

Connection between Two Private Networks Using IPSec VPN (IKEv2) 164
 StoneOS Cookbook

hostname(config-ikev2-profile)# exit

hostname(config-ikev2-peer)# exit

hostname(config)#

5.Viewing the P1 and P2 proposal information of IPsec VPN IKEv2.

hostname# show ikev2 proposal Branch_to_Headquarters_P1

Name: Branch_to_Headquarters_P1

Encryption: 3des

PRF: sha

Hash: sha

Group: 2

Lifetime: 86400

hostname# show ikev2 proposal Branch_to_Headquarters_P2

Name: Branch_to_Headquarters_P2

Protocol: esp

Encryption: 3des

Hash: sha

Group: 0

Lifetime: 28800

Lifesize: 0

Step 4: Creating IPsec VPN IKEv2 tunnel .

165 Connection between Two Private Networks Using IPSec VPN (IKEv2)
StoneOS Cookbook

hostname(config)# tunnel ipsec test-ikev2 ikev2

hostname(config-ikev2-tunnel)# ikev2-peer peer1

hostname(config-ikev2-tunnel)# ipsec-proposal Branch_to_Headquarters_P2

hostname(config-ikev2-tunnel)# auto-connect

hostname(config-ikev2-tunnel)# exit

Step 5 : Binding the tunnel interface to the IPsec VPN IKEv2 tunnel.

hostname(config)# interface tunnel1

hostname(config-if-tun1)# zone trust

hostname(config-if-tun1)# tunnel ikev2 test-ikev2

hostname(config-if-tun1)# exit

Step 6: Configuring route

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ip route 192.168.1.0/24 tunnel1

hostname(config-vrouter)# exit

hostname(config)#

Step 7: Results

Use PC1 in the headquarters to ping PC2 in the branch. It works.

Step 8: Check if IPSec VPN tunnel has been established

1.With the command show ikev2 ike-sa, you can see that the first phase of IPsec VPN has been successfully established.

Connection between Two Private Networks Using IPSec VPN (IKEv2) 166
 StoneOS Cookbook

hostname# show ikev2 ike-sa

Total: 1

L-time - Lifetime

============================================================================-
====

Cookies Gateway Port Algorithm L-time Prof-id

----------------------------------------------------------------------------
----

aba8467000~ 10.10.1.2 500 psk/sha/sha/3des 84972 1

============================================================================-
====

2.With the command show ikev2 ipsec-sa, you can see that the second phase of IPsec VPN has been successfully estab-
lished.

hostname# show ikev2 ipsec-sa

Total: 1

S - Status, I - Inactive, A - Active;

============================================================================-
====

Id VPN Peer IP Port Algorithms SPI Life(s) S

----------------------------------------------------------------------------
----

1 test-ikev2 >10.10.1.2 500 ESP:3des/sha 2c21b5d6 27355 A

1 test-ikev2 <10.10.1.2 500 ESP:3des/sha 292b6e44 27355 A

============================================================================-
====

167 Connection between Two Private Networks Using IPSec VPN (IKEv2)
StoneOS Cookbook

Establishment of IPSec VPN Based on Certificate Authentication

This example introduces how to establish IPSec VPN tunnels based on certificate authentication to improve communication security.

As shown in the figure below, an IPsec VPN security tunnel based on certificate authentication is established between Device A and
Device B. PC1 is the host of Device A, and PC2 is the host of Device B. It is required to protect the data flow between the subnet
(192.168.1.0/24) represented by PC1 and the subnet (10.1.1.0/24) represented by PC2. RSA Signature is used for authentication, ESP
protocol is used for security protocol, SHA is adopted for Hash algorithm, 3DES is adopted for encryption algorithm, so as to ensure
the integrity and security of communication data.

Configuration Steps

Device A

Step 1: Configuring interface

Select Network > Interface, and double click ethernet0/1.

o Binding Zone: Layer 3 Zone

o Zone: trust

o Type: Static IP

o IP Address: 192.168.1.1

o Netmask: 255.255.255.0

Establishment of IPSec VPN Based on Certificate Authentication 168

 StoneOS Cookbook

Step 1: Configuring interface

Select Network > Interface, and double click ethernet0/4.

o Binding Zone: Layer 3 Zone

o Zone: trust

o Type: Static IP

o IP Address：1.1.1.1

o Netmask: 255.255.255.0

Step 2: Configuring the trust domain and importing the authentication certificate

Select System > PKI > Trust Domain, and click New.

o Trust Domain: trust_domain

o Enrollment Type: Manual Input

Select System > PKI > Trust Domain Certificate.

o Trust Domain: trust_domain

o Content: Select "CA Certificate" and "Local Certificate"

respectively
Tip: If the certificate is in ". p12" format, please select "PKCS#12-

DER".

o Action: Import. Click Browse and select the local

certificate of Device A and the CA certificate of Device B
to be imported from the local PC.

169 Establishment of IPSec VPN Based on Certificate Authentication

StoneOS Cookbook

Step 3: Configuring IPSec VPN

1.Configuring Phase 1 Proposal.

Select Network > VPN > IPSec VPN, and click New. On the IPSec VPN

Configuration page, click the button in the Peer Name drop-down list, then

on the VPN Peer Configuration page, and click the button in the

Proposal1 drop-down list.

o Proposal Name: P1

o Authentication: RSA-Signature

o Hash: SHA

o Encryption: 3DES

o DH group: Group2

2.Configuring Phase 2 Proposal.

Select Network > VPN > IPSec VPN, and click New. On the IPSec VPN

Configuration page, click the button in the P2 Proposal drop-down list.

o Proposal Name: P2

o Protocol: ESP

o Hash: SHA

o Encryption: 3DES

Establishment of IPSec VPN Based on Certificate Authentication 170

 StoneOS Cookbook

Step 3: Configuring IPSec VPN

3.Configuring peer

Select Network > VPN > IPSec VPN, and click New. On the IPSec VPN

Configuration page, click the button in the Peer Name drop-down list.

o Name: peer1

o Interface: ethernet0/4

o Interface Type: IPv4

o Protocol Standard: IKEV1

o Mode: Main

o Type: Static IP

o Peer Address: 1.1.1.2

o Local ID Type: ASN1-DN

o Peer ID Type: ASN1-DN，peer ID value is

/C=sz/ST=jiangsu/L=company/O=hillstone/OU=qa/CN=qzhang/em-
[email protected]
Tip: The peer ID value is the "Subject" name of the local certificate on the peer device,

which needs to be obtained from the peer device.

o Proposal1: P1

o Self-signed Trust Domain: trust_domain

171 Establishment of IPSec VPN Based on Certificate Authentication

StoneOS Cookbook

Step 4: Configuring a tunnel instance

Select Network > VPN > IPSec VPN, and click New.

o Peer Name

o Peer Name: peer1

o Tunnel

o Name: tunnel

o Mode: Tunnel

o P2 Proposal: P2

o Proxy ID: Auto

Step 5: Configuring a tunnel interface and binding it to the tunnel instance

Select Network > Interface, click New and select Tunnel

Interface

o Basic

o Interface Name: 1

o Binding Zone: Layer 3 Zone

o Zone: trust

o Tunnel Binding

o Type: IPSec VPN

o VPN Name: tunnel

Establishment of IPSec VPN Based on Certificate Authentication 172

 StoneOS Cookbook

Step 6: Configuring a tunnel route

Select Network > Routing > Destination Route, and click

New.

o Virtual Router: trust-vr

o Destination: 10.1.1.0

o Netmask: 24

o Next-hop: Interface

o Interface: tunnel1

Step 7: Configuring a security policy

Select Policy > Security Policy > Policy, and click New.

o Name: policy

o Source Zone: trust

o Source Address: Any

o Destination Zone: trust

o Destination Address: Any

o Service: Any

o Action: Permit

173 Establishment of IPSec VPN Based on Certificate Authentication

StoneOS Cookbook

Device B

Step 1: Configuring interface

Select Network > Interface, and double click ethernet0/1.

o Binding Zone: Layer 3 Zone

o Zone: trust

o Type: Static IP

o IP Address: 10.1.1.100

o Netmask: 255.255.255.0

Select Network > Interface, and double click ethernet0/4.

o Binding Zone: Layer 3 Zone

o Zone: trust

o Type: Static IP

o IP Address：1.1.1.2

o Netmask: 255.255.255.0

Establishment of IPSec VPN Based on Certificate Authentication 174

 StoneOS Cookbook

Step 2: Configuring the trust domain and importing the authentication certificate

Select System > PKI > Trust Domain, and click New.

o Trust Domain: trust_domain

o Enrollment Type: Manual Input

Select System > PKI > Trust Domain Certificate.

o Trust Domain: trust_domain

o Content: Select "CA Certificate" and "Local Certificate"

respectively
Tip: If the certificate is in ". p12" format, please select "PKCS#12-

DER".

o Action: Import. Click Browse and select the local

certificate of Device B and the CA certificate of Device A
to be imported from the local PC.

175 Establishment of IPSec VPN Based on Certificate Authentication

StoneOS Cookbook

Step 3: Configuring IPSec VPN

1.Configuring Phase 1 Proposal

Select Network > VPN > IPSec VPN, and click New. On the IPSec VPN

Configuration page, click the button in the Peer Name drop-down list, then

on the VPN Peer Configuration page, and click the button in the

Proposal1 drop-down list.

o Proposal Name: P1

o Authentication: RSA-Signature

o Hash: SHA

o Encryption: 3DES

o DH group: Group2

2.Configuring Phase 1 Proposal

Select Network > VPN > IPSec VPN, and click New. On the IPSec VPN

Configuration page, click the button in the P2 Proposal drop-down list.

o Proposal Name: P2

o Protocol: ESP

o Hash: SHA

o Encryption: 3DES

Establishment of IPSec VPN Based on Certificate Authentication 176

 StoneOS Cookbook

Step 3: Configuring IPSec VPN

3.Configuring Peer

Select Network > VPN > IPSec VPN, and click New. On the IPSec VPN

Configuration page, click the button in the Peer Name drop-down list.

o Name: peer1

o Interface: ethernet0/4

o Interface Type: IPv4

o Protocol Standard: IKEV1

o Mode: Main

o Type: Static IP

o Peer Address: 1.1.1.1

o Local ID Type: ASN1-DN

o Peer ID Type: ASN1-DN，peer ID value is

/C=sz/ST=jiangsu/L=company/O=hillstone/OU=qz/CN=balabala/e-
[email protected]
Tip: The peer ID value is the "Subject" name of the local certificate on the peer device,

which needs to be obtained from the peer device.

o Proposal1: P1

o Self-signed Trust Domain: trust_domain

177 Establishment of IPSec VPN Based on Certificate Authentication

StoneOS Cookbook

Step 4: Configuring a tunnel instance

Select Network > VPN > IPSec VPN, and click New.

o Peer Name

o Peer Name: peer1

o Tunnel

o Name: tunnel

o Mode: Tunnel

o P2 Proposal: P2

o Proxy ID: Auto

Step 5: Configuring a tunnel interface and binding it to the tunnel instance

Select Network > Interface, click New and select Tunnel

Interface

o Basic

o Interface Name: 1

o Binding Zone: Layer 3 Zone

o Zone: trust

o Tunnel Binding

o Type: IPSec VPN

o VPN Name: tunnel

Establishment of IPSec VPN Based on Certificate Authentication 178

 StoneOS Cookbook

Step 6: Configuring a tunnel route

Select Network > Routing > Destination Route, and click

New.

o Virtual Router: trust-vr

o Destination: 192.168.1.0

o Netmask: 24

o Next-hop: Interface

o Interface: tunnel1

Step 7: Configuring a security policy

Select Policy > Security Policy > Policy, and click New.

o Name: policy

o Source Zone: trust

o Source Address: Any

o Destination Zone: trust

o Destination Address: Any

o Service: Any

o Action: Permit

179 Establishment of IPSec VPN Based on Certificate Authentication

StoneOS Cookbook

Step 8: Check if the network has been interconnected

After the above configuration steps are completed, PC1 and

PC2 can ping each other, indicating that the networks between
them has been interconnected.

Step 9: Check if IPSec VPN tunnel has been established

Go to Network > VPN > IPSec VPN, and click IPSec VPN
Monitor on the top right corner, under the <ISAKMP SA>
tab, it can be seen that the phase 1 of IPSec VPN has been
successfully established.

Go to Network > VPN > IPSec VPN, and click IPSec VPN
Monitor on the top right corner, under the <IPSec SA> tab,
it can be seen that the phase 2 of IPSec VPN has been
successfully established.

Establishment of IPSec VPN Based on Certificate Authentication 180

StoneOS Cookbook

Realizing Dynamic Switch between IPSec Links Using IPSec VPN Smart Link
This example tells how to configure IPSec VPN smart link to realize dynamic switch between IPSec links.

As shown in the figure below, IPSec VPN tunnel is to connect the Device A in a branch office and the Device B in the headquarters. If
the packet loss rate or latency of the tunnel that is established based on Link1 exceeds the specified threshold, the system would switch
to Link2 to establish a new IPSec VPN tunnel. ESP protocol is used for security protocol, SHA-256 is adopted for Hash algorithm,
AES-256 is adopted for encryption algorithm, so as to ensure the integrity and security of communication data.

Configuration Steps

Device A

Step 1: Configuring interface

1.Configuring the interface connected to private network.

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ip address 173.16.1.1/24

hostname(config-if-eth0/1)# exit

2.Configuring the interface connected to Internet.

hostname(config)# interface xethernet3/0

hostname(config-if-xe3/0)# zone untrust

hostname(config-if-xe3/0)# ip address 1.1.1.1/24

hostname(config-if-xe3/0)# exit

Step 2: Configuring an AAA server and pre-shared key

Realizing Dynamic Switch between IPSec Links Using IPSec VPN Smart Link 181
 StoneOS Cookbook

hostname(config)# aaa-server local type local

hostname(config-aaa-server)# user test1

hostname(config-user)# ike-id fqdn client1

hostname(config-user)# exit

hostname(config-aaa-server)# exit

hostname(config)# exit

hostname# exec generate-user-key rootkey hillstone1 userid client1

userkey: OG64Mk1CPfRLKou3yCwOehMLfQw=

Step 3: Configuring IPSec VPN

182 Realizing Dynamic Switch between IPSec Links Using IPSec VPN Smart Link
StoneOS Cookbook

1.Configuring P1 proposal.

hostname(config)# isakmp proposal p1

hostname(config-isakmp-proposal)# hash sha256

hostname(config-isakmp-proposal)# encryption aes-256

hostname(config-isakmp-proposal)# group 2

hostname(config-isakmp-proposal)# exit

2.Configuring P2 proposal.

hostname(config)# ipsec proposal p2

hostname(config-ipsec-proposal)# protocol esp

hostname(config-ipsec-proposal)# hash sha256

hostname(config-ipsec-proposal)# encryption aes-256

hostname(config-ipsec-proposal)# exit

3. Configuring ISAKMP peer.

hostname(config)# isakmp peer peer1

hostname(config-isakmp-peer)# isakmp-proposal p1

hostname(config-isakmp-peer)# mode aggressive

hostname(config-isakmp-peer)# type usergroup

hostname(config-isakmp-peer)# local-id fqdn server1

hostname(config-isakmp-peer)# aaa-server local

hostname(config-isakmp-peer)# interface xethernet3/0

hostname(config-isakmp-peer)# pre-share hillstone1

hostname(config-isakmp-peer)# nat-traversal

hostname(config-isakmp-peer)# generate-route

hostname(config-isakmp-peer)# exit

Realizing Dynamic Switch between IPSec Links Using IPSec VPN Smart Link 183
 StoneOS Cookbook

Step 4: Creating IPsec VPN tunnel

hostname(config)# tunnel ipsec vpn1 auto

hostname(config-tunnel-ipsec-auto)# ipsec-proposal p2

hostname(config-tunnel-ipsec-auto)# isakmp-peer peer1

hostname(config-tunnel-ipsec-auto)# id local 173.16.1.0/24 remote

173.15.1.0/24 service any

hostname(config-tunnel-ipsec-auto)# exit

Step 5 : Creating the tunnel interface to the IPsec VPN tunnel

hostname(config)# interface tunnel1

hostname(config-if-tun1)# zone trust

hostname(config-if-tun1)# tunnel ipsec vpn1

hostname(config-if-tun1)# exit

Step 6: Configuring security policies

hostname(config)# rule from 173.16.1.0/24 to 173.15.1.0/24 service any per-

mit

Device B

Step 1: Configuring interface.

184 Realizing Dynamic Switch between IPSec Links Using IPSec VPN Smart Link
StoneOS Cookbook

1.Configuring the interface connected to private network.

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ip address 173.15.1.1/24

hostname(config-if-eth0/1)# exit

2.Configuring the interface connected to Internet.

hostname(config)# interface xethernet0/2.1

hostname(config-if-xe0/2.1)# zone untrust

hostname(config-if-xe0/2.1)# ip address 191.1.101.1/24

hostname(config-if-xe0/2.1)# exit

hostname(config)# interface xethernet0/2.2

hostname(config-if-xe0/2.2)# zone untrust

hostname(config-if-xe0/2.2)# ip address 191.1.102.1/24

hostname(config-if-xe0/2.2)# exit

Step 2: Configuring smart link rules

hostname(config)# ipsec smart-link profile smart_profile1

hostname(config-ipsec-smart-link-profile)# link 1 interface xethernet0/2.1

peer 1.1.1.1

hostname(config-ipsec-smart-link-profile)# link 2 interface xethernet0/2.2

peer 1.1.1.1

hostname(config-ipsec-smart-link-profile)# link-track-threshold delay 500

loss-rate 30

hostname(config-ipsec-smart-link-profile)# exit

Step 3: Configuring IPSec VPN

Realizing Dynamic Switch between IPSec Links Using IPSec VPN Smart Link 185
 StoneOS Cookbook

1.Configuring P1 proposal.

hostname(config)# isakmp proposal p1

hostname(config-isakmp-proposal)# hash sha256

hostname(config-isakmp-proposal)# encryption aes-256

hostname(config-isakmp-proposal)# group 2

hostname(config-isakmp-proposal)# exit

2.Configuring P2 proposal.

hostname(config)# ipsec proposal p2

hostname(config-ipsec-proposal)# protocol esp

hostname(config-ipsec-proposal)# hash sha256

hostname(config-ipsec-proposal)# encryption aes-256

hostname(config-ipsec-proposal)# exit

3. Configuring ISAKMP peer.

hostname(config)# isakmp peer peer1

hostname(config-isakmp-peer)# isakmp-proposal p1

hostname(config-isakmp-peer)# mode aggressive

hostname(config-isakmp-peer)# local-id fqdn client1

hostname(config-isakmp-peer)# peer-id fqdn server1

hostname(config-isakmp-peer)# pre-share OG64Mk1CPfRLKou3yCwOehMLfQw=

hostname(config-isakmp-peer)# nat-traversal

hostname(config-isakmp-peer)# generate-route

hostname(config-isakmp-peer)# exit

Step 4: Creating IPsec VPN tunnel .

186 Realizing Dynamic Switch between IPSec Links Using IPSec VPN Smart Link
StoneOS Cookbook

hostname(config)# tunnel ipsec vpn1 auto

hostname(config-tunnel-ipsec-auto)# ipsec-proposal p2

hostname(config-tunnel-ipsec-auto)# isakmp-peer peer1

hostname(config-tunnel-ipsec-auto)# id local 173.15.1.0/24 remote

173.16.1.0/24 service any

hostname(config-tunnel-ipsec-auto)# smart-link-profile smart_profile1

hostname(config-tunnel-ipsec-auto)# auto-connect

hostname(config-tunnel-ipsec-auto)# exit

Step 5 : Binding the tunnel interface to the IPsec VPN tunnel.

hostname(config)# interface tunnel1

hostname(config-if-tun1)# zone trust

hostname(config-if-tun1)# tunnel ipsec vpn1

hostname(config-if-tun1)# exit

Step 6: Configuring route

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ip route 173.16.1.0/24 tunnel1

hostname(config-vrouter)# exit

Step 7: Configuring security policies

hostname(config)# rule from 173.15.1.0/24 to 173.16.1.0/24 service any per-

mit

Step 8: Check if IPSec VPN tunnel has been established

1.With the command show isakmp sa, you can see that the first phase of IPsec VPN has been successfully established.

Realizing Dynamic Switch between IPSec Links Using IPSec VPN Smart Link 187
 StoneOS Cookbook

hostname# show isakmp sa

Total: 1

L-time - Lifetime

============================================================================-
====

Cookies Gateway Port Algorithm Lifetime

----------------------------------------------------------------------------
----

99933c2b~ 1.1.1.1 500 pre-share sha256/aes-256 86388

============================================================================-
====

2.With the command show ipsec sa, you can see that the second phase of IPsec VPN has been successfully established.

hostname# show ipsec sa

Total: 1

S - Status, I - Inactive, A - Active;

============================================================================-
====

Id VPN Peer IP Port Algorithms SPI Life(s) S

----------------------------------------------------------------------------
----

1 vpn1 >1.1.1.1 500 esp:aes-256/sha256 6ddafe72 27332 A

1 vpn1 <1.1.1.1 500 esp:aes-256/sha256 309c97c0 27332 A

============================================================================-
====

188 Realizing Dynamic Switch between IPSec Links Using IPSec VPN Smart Link
StoneOS Cookbook

Step 9: When the packet loss rate or latency of the tunnel that is established based on Link1(191.1.101.1->1.1.1.1) exceeds the specified
threshold, verify that the system can successfully switch to Link2(191.1.102.1->1.1.1.1) to establish a new IPSec VPN tunnel.

1.With the command show ipsec smart-link-profile smart_profile1, you can see that the Link1 is currently
used to establish IPSec tunnel.

Realizing Dynamic Switch between IPSec Links Using IPSec VPN Smart Link 189
 StoneOS Cookbook

hostname(config)# show ipsec smart-link-profile smart_profile1

Total: 1

Status:I - Invalid, A - Active, C - Current negotiation link, * - Cycle

start link

============================================================================-
====

Name: smart_profile1

Tunnel name: vpn1

Status: enable

Loss-rate(%): 30

Delay(ms): 500

Track-source: 191.1.101.1

Track-destination: 1.1.1.1

Track-interval(s): 3

Track-count: 10

Switch-cycles: 5

Switch-back-time(s): 600

Switched-count: 0

Switched-cycles: 0

Link-list:

Id interface local-ip peer-ip delay(ms) loss-rate(%) Status

1 xethernet0/2.1 191.1.101.1 1.1.1.1 1 0 *AC

2 xethernet0/2.2 191.1.102.1 1.1.1.1 0 0 I

============================================================================-
====

190 Realizing Dynamic Switch between IPSec Links Using IPSec VPN Smart Link
StoneOS Cookbook

2.When the packet loss rate or latency of the tunnel that is established based on Link1 exceeds the specified threshold, verify that the sys-
tem can successfully switch to Link2 to establish a new IPSec VPN tunnel. With the command show ipsec smart-link-
profile smart_profile1,you can see that the Link2 has been automatically switched to establish an IPSec tunnel.

Realizing Dynamic Switch between IPSec Links Using IPSec VPN Smart Link 191
 StoneOS Cookbook

2022-12-26 19:27:28，Event WARNING@VPN: IPSec smart link smart_profile1 is

switched from link1 to link2, because the time delay 509 is higher than the
threshold 500(IPSec Tunnel=vpn1, Loss Rate=0%, Time Delay=509ms).

hostname(config)# show ipsec smart-link-profile smart_profile1

Total: 1

Status:I - Invalid, A - Active, C - Current negotiation link, * - Cycle

start link

============================================================================-
====

Name: smart_profile1

Tunnel name: vpn1

Status: enable

Loss-rate(%): 30

Delay(ms): 500

Track-source: 191.1.102.1

Track-destination: 1.1.1.1

Track-interval(s): 3

Track-count: 10

Switch-cycles: 5

Switch-back-time(s): 600

Switched-count: 1

Switched-cycles: 0

Link-list:

Id interface local-ip peer-ip delay(ms) loss-rate(%) Status

1 xethernet0/2.1 191.1.101.1 1.1.1.1 509 0 *I

192 Realizing Dynamic Switch between IPSec Links Using IPSec VPN Smart Link
StoneOS Cookbook

2 xethernet0/2.2 191.1.102.1 1.1.1.1 0 0 AC

============================================================================-
===

Realizing Dynamic Switch between IPSec Links Using IPSec VPN Smart Link 193
StoneOS Cookbook

Allowing Remote Users to Access a Private Network Using SSL VPN

This example shows how to use SSL VPN to provide remote users with access to corporate internal network.

The topology describes a remote user trying to visit the internal server within a corporate. Using SSL VPN tunnel, the connection
between remote users and private server is encrypted and safe. Besides, enabling the Two-Step Verification function based on the SMS
Modem method to enhance the security of user's login; transmitting data over TCP protocol to strengthen communication stability.

Allowing Remote Users to Access a Private Network Using SSL VPN 194
 StoneOS Cookbook

Configuration Steps

Step 1: Creating local user

Select Object > User > Local User. Under Local

Server "local", click New > User.

o Name: test1

o Password: 123456

o Confirm Password: 123456

o Mobile + country code: Configure your valid

mobile number. When you log in to the
SCVPN client, the StoneOS device will send
the verification code to the mobile.

195 Allowing Remote Users to Access a Private Network Using SSL VPN
StoneOS Cookbook

Step 2: Configuring SMS Gateway

Select System > SMS Parameters > SMS Gate-

way, click New.

o Protocol Type：UMS

o Service Provider：hillstone

o UMS Protocol：HTTP

o Virtual Router：trust-vr

o Host：Name；sms.api.ums86.com

o Port：8899

o Company Code：245588

o User name and Password：Enter the actual

user name and password to log in SMS gate-
way.

Allowing Remote Users to Access a Private Network Using SSL VPN 196
 StoneOS Cookbook

Step 3: Configuring SCVPN address pool

Select Network > VPN > SSL VPN, and click

Configuration > Address Pool . In the IPv4 tab,
click New.

o Address Pool Name: scpool

o Start IP: 20.1.1.2

o End IP: 20.1.1.100

o Mask: 255.255.255.0

o DNS1: 10.160.65.60

o WINS1: 10.160.65.61

Step 4: Creating tunnel interface

Select Network > Zone, and click New.

o Zone: VPN

o Type: Layer 3 Zone

o Virtual Router：trust-vr

197 Allowing Remote Users to Access a Private Network Using SSL VPN
StoneOS Cookbook

Step 4: Creating tunnel interface

Select Network > Interface, and click New >

Tunnel Interface.

o Interface Name: tunnel1

o Binding Zone: Layer 3 Zone

o Zone: VPN

o Type: Static IP

o IP Address: 20.1.1.1

o Netmask: 255.255.255.0

Note: Tunnel interface must be of the same net-

work segment of SSL VPN address pool.

Step 5: Configuring SCVPN

Select Network > VPN > SSL VPN, and click

New.

In the Name/Access User tab:

o SSL VPN Name: scvpn

o Assigned Users:: Click New, and select

localfor the AAA serverdrop-down list

Allowing Remote Users to Access a Private Network Using SSL VPN 198
 StoneOS Cookbook

Step 5: Configuring SCVPN

In the Interface tab:

o Egress Interfaces: ethernet0/3

o Service port: 4433

o Tunnel Interface: tunnel1

o Address Pool: scpool

In the Tunnel Route tab:

o IP: 10.160.65.0

o Netmask: 255.255.255.0

Note: Tunnel route must be of the same network

segment of internal server ("Server").

Click Advanced Configuration, in the Para-

meters tab:

o Advanced Parameters

o Port(TCP)：10000

After configuring SCVPN on the StoneOS

device, you need to add the following con-
figuration to the SCVPN client: Enable the Com-
munication Stability Optimization function.
Therefore, the SCVPN client can communicate
with the StoneOS device over TCP protocol.

199 Allowing Remote Users to Access a Private Network Using SSL VPN
StoneOS Cookbook

Step 5: Configuring SCVPN

Click Advanced Configuration, in the Two-Step

Verification tab：

o Two-Step Verification ：Click the Enable

button

o Type：SMS Authentication

o SMS Auth Type： SMS Gateway

o SMS Gateway Name：hillstone

o Lifetime of SMS Verification Code：10

o Sender Name：FWvisitAPP

o Verification Code Length：8

Step 6: Creating policy from VPN to any

Select Policy > Security Policy > Policy , and

click New.

o Name: policy

o Source Zone: VPN

o Source Address: Any

o Destination Zone: trust

o Destination Address: Any

o Service: Any

o Action: Permit

Allowing Remote Users to Access a Private Network Using SSL VPN 200
 StoneOS Cookbook

Step 7: Results

After configuration above, the remote user enters

address "https://10.182.159.103:4433" in a
browser. In the pop-up page, select Windows tab
and click Download.

On the PC, follow the steps to install the SCVPN

client ("Hillstone Secure Connect").

Double click the shortcut of the Hillstone Secure

Connect on your desktop, right click the icon ( )

and click Option to open the Secure Connect

Option dialog.

o Select the check box in front of Com-

munication Stability Optimization

Click Apply button. After logging in to the Hill-

stone Secure Connect, you can access the server
over TCP protocol.

201 Allowing Remote Users to Access a Private Network Using SSL VPN
StoneOS Cookbook

Step 7: Results

Open the Hillstone Secure Connect client, and

enter the information as below:

o Server：10.182.159.103

o Port：4433

o Username：test1

o Password：123456

After entering the configuration above, the SMS

Auth dialog will pop up.

Check the mobile of user (test1) to obtain the

authentication code, and then enter the code in the
text box. Click Verify.

After the connection has been established suc-

cessfully, When the icon in the taskbar becomes

green( ), the client is connected. Then, the

remote user can access the internal server via SSL

VPN.

Allowing Remote Users to Access a Private Network Using SSL VPN 202
StoneOS Cookbook

Connecting to Microsoft Azure Using Site-to-Site VPN

Today, more and more customers are using public cloud service providers such as Microsoft Azure to deploy their server or services, to
get high performance, reliable services that are easy to deploy and get to market fastest.

This example shows how to configure site-to-site VPN to establish a VPN tunnel (IPSec VPN tunnel) between Microsoft Azure and
Hillstone device.

The topology is shown as below, the Hillstone device is the gateway for the enterprise. It requires an IPsec VPN tunnel between the
company and Microsoft Azure through the Hillstone device. The authentication algorithm uses SHA and the encryption algorithm uses
3DES, thus the local service can be connected with hosted cloud services.

* Note: This topology uses laboratory environment. In this recipe, 124.193.87.66 represents Hillstone device public IP, 192.168.0.0/16 represents the internal subnet of enterprise,
13.94.46.90 represents public IP of Microsoft Azure, 10.11.0.0/16 the internal subnet of Microsoft Azure.

The configuration process as follows:

Configure Microsoft Azure:

1. Create a virtual network

2. Create the gateway subnet

3. Create the VPN gateway

4. Create the local network gateway

5. Create the VPN connection

Configure Hillstone device:

Connecting to Microsoft Azure Using Site-to-Site VPN 203

 StoneOS Cookbook

1. Configuring IPSec VPN

2. Creating IPsec VPN IKEv2 tunnel

3. Binding the tunnel interface to the IPsec VPN IKEv2 tunnel

4. Configuring route

Configure Microsoft Azure

In Microsoft Azure, configure the following settings:

204 Connecting to Microsoft Azure Using Site-to-Site VPN

StoneOS Cookbook

Step 1 : Create a virtual network

1. Access the Microsoft Azure website via the

browser and sign in with your Azure
account.

2. Click Virtual networks in the "Azure ser-

vice" section of the Home page to open the
virtual network page.

3. Click +Add.

4. In the Create virtual network page, con-

figure the following information (take the
environment in the topology as an
example):

o Name: VNet

o Address space: 10.11.0.0/16

o Subscription: select the existing sub-

scription to use: “Pay-As-You-Go”

o Resource group: cloudedge-test

o Location: East US

o Subnet name: default

o Subnet address range: 10.11.0.0/16

5. Click Create to create the virtual network.

Connecting to Microsoft Azure Using Site-to-Site VPN 205

 StoneOS Cookbook

Step 2: Create the gateway subnet

1. In the list of virtual network page, select the

created virtual network "VNet" in the list
and click its name.

2. In the Settings section on the left side of the

virtual network detail page, select Subnet.

3. In "VNet-Subnets" page. click +Gateway

subnet.

4. In Add subnet page, configure the fol-

lowing information (take the environment
in the topology as an example):

o Name: The default value "Gate-

waySubnet"

o o Address range (CIDR block):

10.11.255.0/27

5. Click OK to create the gateway subnet.

206 Connecting to Microsoft Azure Using Site-to-Site VPN

StoneOS Cookbook

Step 3: Create a VPN geteway

1. Click Create a resource in the "Azure ser-

vice" section of the Home page.

2. In Search the Marketplace field, search Vir-

tual Network Gateway.

3. Click Create.

4. In Create virtual network gateway page,

configure the following information (take
the environment in the topology as an
example):

o Name: VNetGateway

o Region: West US (choose the one

where your virtual network is located)

o Gateway type: VPN

o VPN type: Route-based

o SKU: VpnGw1 (About SKU, refer to

https://docs.microsoft.com/en-
us/azure/vpn-gateway/vpn-gateway-
about-vpn-gateway-settings#gwsku)

o Virtual network: VNet (choose the one

to which you want to add the gateway)

o Public IP address: Create new (only

dynamic Public IP address allocation is
supported currently; input the public
address name)

Connecting to Microsoft Azure Using Site-to-Site VPN 207

 StoneOS Cookbook

Step 3: Create a VPN geteway

o Public IP address name: PublicIP

5. Click Review +create and wait for the vir-

tual network gateway deployment. After
the virtual network gateway created, the
public IP address will be assigned

208 Connecting to Microsoft Azure Using Site-to-Site VPN

StoneOS Cookbook

Step 4: Create the local network gateway

1. Click Create a resource in the "Azure ser-

vice" section of the Home page.

2. In Search the Marketplace field, search

Local Network Gateway

3. Click Create.

4. In Create local network gateway page, con-

figure the following information (take the
environment in the topology as an
example):

o Name: Hillstone

o IP address: 124.193.87.66

o Address space: 192.168.0.0/16

o Subscription: select the existing sub-

scription to use: “Pay-As-You-Go”

o Resource group: cloudedge-test

o Location: East US

5. Click Create to create the local network

gateway.

Connecting to Microsoft Azure Using Site-to-Site VPN 209

 StoneOS Cookbook

Step 5: Create the VPN connection (This step is performed after completing the "Configure Hillstone Device")

1. Click the created virtual network gateway

VNetGateway in the Recent resources list
on the home page.

2. In the Settings section on the left side of the

virtual network gateway detail page, select
Connections

3. Click Add.

4. In Add connection page, configure the fol-

lowing information (take the environment
in the topology as an example):

o Name: VNet1toSite2

o Connection type: Site-to-site (IPSec)

o Virtual network gateway: VNetGate-

way

o Loacl network gateway: Hillstone

o Shared key (PSK): hillstone (Consistent

with "Configure Hillstone Device")

o Resource group: cloudedge-test

5. Click OK to create the connection.

Note:

o About VPN devices and IPsec/IKE parameters for Site-to-Site VPN Gateway connections, refer to the Microsoft Azure doc-
umentation:
https://docs.microsoft.com/en-gb/azure/vpn-gateway/vpn-gateway-about-vpn-devices.

210 Connecting to Microsoft Azure Using Site-to-Site VPN

StoneOS Cookbook

o About "Create a Site-to-Site connection in the Azure portal", refer to the Microsoft Azure documentation:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal.

Configure Hillstone Device

Step 1: Configuring IPSec VPN

Connecting to Microsoft Azure Using Site-to-Site VPN 211

 StoneOS Cookbook

1.Configuring P1 proposal for IKEv2 SA.

hostname(config)# ikev2 proposal Azure_to_Hillstone_P1

hostname(config-ikev2-proposal)# hash sha

hostname(config-ikev2-proposal)# encryption 3des

hostname(config-ikev2-proposal)# group 2

hostname(config-ikev2-proposal)# lifetime 10800

hostname(config-ikev2-proposal)# exit

2.Configuring P2 proposal for IPSec IKEv2 SA.

hostname(config)# ikev2 ipsec-proposal Azure_to_Hillstone_P2

hostname(config-ikev2-ipsec-proposal)#hash sha

hostname(config-ikev2-ipsec-proposal)#encryption aes

hostname(config-ikev2-ipsec-proposal)#lifetime 3600

hostname(config-ikev2-ipsec-proposal)#exit

3. Configuring IKEv2 peer.

hostname(config)# ikev2 peer peer1

hostname(config-ikev2-peer)# interface ethernet0/1

hostname(config-ikev2-peer)# match-peer 13.94.46.90

hostname(config-ikev2-peer)# ikev2-proposal Azure_to_Hillstone_P1

hostname(config-ikev2-peer)# local-id ip 124.193.87.66

4.Creating IKEv2 Profile.

hostname(config-ikev2-peer)# ikev2-profile esp-peer1

hostname(config-ikev2-profile)# remote id ip 13.94.46.90

hostname(config-ikev2-profile)# remote key hillstone

hostname(config-ikev2-profile)# traffic-selector src subnet 192.168.0.0/16

212 Connecting to Microsoft Azure Using Site-to-Site VPN

StoneOS Cookbook

hostname(config-ikev2-profile)# traffic-selector dst subnet 10.11.0.0/16

hostname(config-ikev2-profile)# exit

hostname(config-ikev2-peer)# exit

hostname(config)#

Step 2: Creating IPsec VPN IKEv2 tunnel

hostname(config)# tunnel ipsec Azure ikev2

hostname(config-ikev2-tunnel)# ikev2-peer peer1

hostname(config-ikev2-tunnel)# ipsec-proposal Azure_to_Hillstone_P2

hostname(config-ikev2-tunnel)# auto-connect

hostname(config-ikev2-tunnel)# exit

hostname(config)#

Step 3 : Binding the tunnel interface to the IPsec VPN IKEv2 tunnel

hostname(config)# interface tunnel1

hostname(config-if-tun1)# zone trust

hostname(config-if-tun1)# tunnel ikev2 Azure

hostname(config-if-tun1)# exit

hostname(config)#

Step 4: Configuring route

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ip route 10.11.0.0/16 tunnel1

hostname(config-vrouter)# exit

Connecting to Microsoft Azure Using Site-to-Site VPN 213

StoneOS Cookbook

Using an iOS/Android Device to Remotely Access Intranet Services

This example introduces how to use an iOS/Android device to remotely access the resources in the private network.

In the topology below, a remote user located in the Internet uses an iOS/Android device to access the intranet server Server1. The
authentication method requires username and password, and the connection is based on SSL VPN. Please first see step 1 to 5 in "Allow-
ing Remote Users to Access a Private Network Using SSL VPN" on Page 194 to create a SSL VPN instance.

Using an iOS Device to Remotely Access Intranet Services

Take the VPN client of version 2.0.8 for example.

Using an iOS/Android Device to Remotely Access Intranet Services 214

 StoneOS Cookbook

Step 1: Downloading and installing Hillstone Access Client

In APP Store, search Hillstone Access Client,

click Get to download and install this application.

Step 2: Connecting to the device

Click the HSAccess icon in the iOS desktop.

In the login page:

o Connection: connection1

o Server: 153.34.29.1

o Port: 4433

o Account: user1

o Password: 123456

Click Login. The client starts to connect to the

server.

215 Using an iOS/Android Device to Remotely Access Intranet Services

StoneOS Cookbook

Step 3: Installing the VPN configuration profile

In the Add VPN Configurations dialog, click

Allow to install the VPN configuration profile.

Using an iOS/Android Device to Remotely Access Intranet Services 216

 StoneOS Cookbook

Step 3: Installing the VPN configuration profile

Enter your passcode.

217 Using an iOS/Android Device to Remotely Access Intranet Services

StoneOS Cookbook

Step 4: Creating a VPN connection

In iOS, select Settings > VPN.

In the list, select connection1.

Turn on the VPN switch. iOS connects to the

VPN.

Step 5: Verifying the connection status.

When the VPN status is Connected and the Con-

nection tab of the client displays Connected, the
client successfully establishes VPN connection to
the device.

Using an iOS/Android Device to Remotely Access Intranet Services 218

 StoneOS Cookbook

Step 5: Verifying the connection status.

219 Using an iOS/Android Device to Remotely Access Intranet Services

StoneOS Cookbook

Step 6: Accessing intranet services

Use the iOS device to visit Server1.

Using an Android Device to Remotely Access Intranet Services

Step 1: Downloading and installing Hillstone Secure Connect

https://play.google.com/store/apps/details?id=com.hillstone.vpn
Visit Google Play to download and install Hill-
stone Secure Connect VPN.

Step 4: Creating a VPN connection

In Android, click the Hillstone Secure Connection

icon:

o Server: 153.34.29.1

o Port: 4433

o Account: user1

o Password: 123456

Click Login.

Using an iOS/Android Device to Remotely Access Intranet Services 220

 StoneOS Cookbook

Step 4: Creating a VPN connection

After the VPN connection is established suc-

cessfully, the key icon will appear at the noti-
fication area of your Android system.

Step 6: Accessing intranet services

Use the Android device to visit Server1.

221 Using an iOS/Android Device to Remotely Access Intranet Services

StoneOS Cookbook

Allowing Remote Users ( PC ) to Access a Private Network Using L2TP over

IPSec VPN
This example shows how to use L2TP over IPSec VPN to provide remote users with access to corporate internal network.

The topology is shown as below. A remote user, located at home or a hotel, accesses the Internet through a router with NAT enabled.
This remote user uses L2TP over IPSec VPN to visit the server (PC1) in the corporate internal network. And this server is protected by
the device A.

*Due to lab environment, use 10.10.1.0./24 to represent the public network segment.

The configuration process consists of five parts:

o Configure basic settings

o Configure IPSec VPN

o Configure L2TP VPN

o Set up a VPN connection in Windows/ Mac

o Adjust whether to use IPSec for L2TP VPN

Configuring Basic Settings

In device A, configure the following settings:

Allowing Remote Users ( PC ) to Access a Private Network Using L2TP over IPSec VPN 222
 StoneOS Cookbook

Step 1: Configuring an interface

Configuring the interface connected to the

intranet

Select Network > Interface, and double-click eth-

ernet0/1.

o Binding Zone: Layer 3 Zone

o Zone: dmz

o Type: Static IP

o IP Address: 192.168.1.1

o Netmask: 255.255.255.0

o Keep the default of other parameters

Configuring the interface connected to Internet

Select Network > Interface, and double-click eth-

ernet0/2.

o Binding Zone: Layer 3 Zone

o Zone: untrust

o Type: Static IP

o IP Address: 10.10.1.1

o Netmask: 255.255.255.0

o Keep the default of other parameters

223 Allowing Remote Users ( PC ) to Access a Private Network Using L2TP over IPSec VPN
StoneOS Cookbook

Step 1: Configuring an interface

Configuring the tunnel interface.

Select Network > Interface > New > Tunnel

Interface.

o Interface name: tunnel1

o Binding Zone: Layer 3 Zone

o Zone: trust

o IP Address: 192.168.3.1

o Netmask: 255.255.255.0

o Keep the default of other parameters

Allowing Remote Users ( PC ) to Access a Private Network Using L2TP over IPSec VPN 224
 StoneOS Cookbook

Step 2: Configuring a security policy

Configure a security policy that allows the traffic

to flow from the Trust zone where the tunnel
interface locates to the DMZ zone where the
internal server locates.

Select Policy > Security Policy > New.

o Name: trust_to_dmz

o Source

o Zone: trust

o Address: Any

o Destination

o Zone: dmz

o Address: Any

o Other

o Service/Service Group: Any

o Action: Permit

Configuring IPSec VPN

In device A, configure the following settings:

225 Allowing Remote Users ( PC ) to Access a Private Network Using L2TP over IPSec VPN
StoneOS Cookbook

Step 1: Creating a P1 proposal and a P2 proposal

Click Network > VPN > IPSec VPN. In the P1

Proposal tab, click New.

o Proposal Name: p1forl2tp

o Authentication: Pre-share

o Hash: SHA

o Encryption: 3DES

o DH Group: Group2

o Lifetime: 86400

In the P2 Proposal tab, click New.

o Proposal Name: p2forl2tp

o Protocol: ESP

o HASH: SHA

o Encryption: 3DES

o Compression: None

o PFS Group: No PFS

o Lifetime: 28800

o Lifesize: Enable

o Lifesize: 250000

Allowing Remote Users ( PC ) to Access a Private Network Using L2TP over IPSec VPN 226
 StoneOS Cookbook

Step 2: Configuring a VPN peer

Click Network > VPN > IPSec VPN. In the

VPN Peer List tab, click New.

In the Basic tab, configure the following settings:

o Name: toclient

o Interface: ethernet0/2

o Mode: Main

o Type: User Group

o AAA Server: local

o Proposal1: p1forl2tp

o Pre-shared Key: hillstone

In the Advanced tab, configure the following set-

tings:

o NAT Traversal: Enable

o Any Peer ID: Enable

o Keep the default of other parameters

227 Allowing Remote Users ( PC ) to Access a Private Network Using L2TP over IPSec VPN
StoneOS Cookbook

Step 3: Configuring IKE VPN

Click Network > VPN > IPSec VPN. In the

IKE VPN List tab, click New.

In the Basic tab, configure the following settings:

o Peer

o Peer Name: toclient

o Tunnel

o Name: toclienttunnel

o Mode: transport

o P2 proposal: p2forl2tp

In the Advanced tab, configure the following set-

tings:

o Accept-all-proxy-ID: Enable

o Keep the default of other parameters

Configuring L2TP VPN

In device A, configure the following settings:

Allowing Remote Users ( PC ) to Access a Private Network Using L2TP over IPSec VPN 228
 StoneOS Cookbook

Step 1: Creating a L2TP pool

Select Network > VPN > L2TP VPN >

Address Pool.

In the Address Pool dialog, click New.

o Address Pool Name: pool1

o Start IP: 192.168.3.2

o End IP: 192.168.3.100

Step 2: Adding a user in the 'local' AAA server

Select Object > User > Local User > New >
User.

o Name: user1

o Password: hillstone

o Confirm Password: hillstone

229 Allowing Remote Users ( PC ) to Access a Private Network Using L2TP over IPSec VPN
StoneOS Cookbook

Step 3: Configuring a L2TP VPN instance

Select Network > VPN > L2TP VPN > New.

In the Name/Access User tab, configure the fol-

lowing settings:

o L2TP VPN Name: l2tpinstance1

o AAA Server: local

o Click Add

In the Interface/Address Pool/IPSec Tunnel tab,

configure the following settings:

o Egress Interface: ethernet0/2

o Tunnel Interface: tunnel1

o Address Pool: pool1

o L2TP over IPSec: toclienttunnel

Setting up a VPN Connection

The steps of setting up a VPN connection differ in different PC operating systems. Take Windows 7, Windows XP/2003 and Mac OS
for example.

Allowing Remote Users ( PC ) to Access a Private Network Using L2TP over IPSec VPN 230
 StoneOS Cookbook

Steps of setting up a VPN connection in Windows XP/2003

Set up a connection:

1. In Control Panel , double-click Network

Connections.

2. From the Network Tasks pane, Click

Create a new connection. The New Con-
nection Wizard dialog appears

3. In the pop-up dialog, click Next.

4. Select Connect to the network at my work-

place. Then click Next.

5. Select Virtual Private Network

connection. Then click Next.

6. Enter a name for this connection in the

Company Name text box:
L2TPoverIPSec. Then click Next.

7. Enter the IP address of the VPN server:

10.10.1.1. Then click Next.

8. Click Finish.

231 Allowing Remote Users ( PC ) to Access a Private Network Using L2TP over IPSec VPN
StoneOS Cookbook

Steps of setting up a VPN connection in Windows XP/2003

Configure the Security properties of this con-

nection:

1. After you have completed the new con-

nection wizard, the Connect L2TPover-
IPSec dialog appears.

2. Click Properties. The L2TPoverIPSec Prop-

erties dialog appears.

3. Select the Security tab.

4. Select Advanced (custom settings). Then

click Settings. The Advanced Security Set-
tings dialog appears.

5. In the Data encryption drop-down menu,

select Optional encryption (connect even
if no encrypting).

6. In the Logon security section, select Allow

these protocols.

7. Continue to select Unencrypted password

(PAP) and Challenge Handshake
Authentication Protocol (CHAP).

8. Click OK to close the Advanced Security

Settings dialog and return to the L2TPover-
IPSec Properties dialog.

9. Click IPSec Settings.

10. Select Use pre-shared key for authen-

Allowing Remote Users ( PC ) to Access a Private Network Using L2TP over IPSec VPN 232
 StoneOS Cookbook

Steps of setting up a VPN connection in Windows XP/2003

tication and enter the pre-shared key hill-

stone.

11. Click OK to close the IPSec Settings dialog.

Configure the Networking properties of this

connection:

1. In the L2TPoverIPSec Properties dialog,

select the Networking tab.

2. In the Type of VPN drop-down menu,

select L2TP IPSec VPN.

3. Ensure that you have select the Internet

Protocol (TCP/IP) check box.

4. Click OK to save the configurations.

Connect to the L2TPoverIPSec VPN:

1. Find the L2TPoverIPSec connection and

double-click it.

2. Enter the user name: user1

3. Enter the password: hillstone

4. Click Connect.

5. After the connection is successful, you can

visit the internal server 192.168.1.2

233 Allowing Remote Users ( PC ) to Access a Private Network Using L2TP over IPSec VPN
StoneOS Cookbook

Steps of setting up a VPN connection in Windows 7

Set up a connection:

1. Select Control Panel > Network and Inter-

net > Network and Sharing Center.

2. Click Set up a new connection or

network.

3. In the pop-up dialog, select Connect to a

workplace. Then click Next.

4. Select Use my Internet connection (VPN).

5. Enter the IP address of the VPN server:

10.10.1.1

6. Enter the destination name: L2TPover-

IPSec

7. Select Don't connect now; just set it up so

I can connect later. Then click Next.

8. Enter the username: user1

9. Enter the password: hillstone

10. Click Creat.

11. After the connection is ready to use, click

Close.

Allowing Remote Users ( PC ) to Access a Private Network Using L2TP over IPSec VPN 234
 StoneOS Cookbook

Steps of setting up a VPN connection in Windows 7

Configure the Security properties of this con-

nection:

1. In the Network and Sharing Center, click

Change adapter settings.

2. Find the L2TPoverIPSec connection and

right-click it.

3. In the pop-up menu, select Properties. The

L2TPoverIPSec Properties dialog appears.

4. Select the Security tab.

5. In the Type of VPN drop-down menu,

select Layer 2 Tunneling Protocol with
IPsec (L2TP/IPSec).

6. Click Advanced settings, select Use pre-

shared key for authentication, then enter
the key hillstone.

7. In the Data encryption drop-down menu,

select Optional encryption (connect even
if no encryption).

8. In the Authentication section, select Allow

these protocols and then select Unen-
crypted password (PAP) and Challenge
Handshank Authentication Protocol
(CHAP).

235 Allowing Remote Users ( PC ) to Access a Private Network Using L2TP over IPSec VPN
StoneOS Cookbook

Steps of setting up a VPN connection in Windows 7

Configure the Networking properties of this

connection:

1. In the L2TPoverIPSec Properties dialog,

select the Networking tab.

2. Ensure that you have select the Internet

Protocol Version 4 (TCP/IPv4) check
box.

3. Click OK to save the configurations.

Connect to the L2TPoverIPSec VPN:

1. Find the L2TPoverIPSec connection and

double-click it.

2. Enter the password: hjllstone

3. Click Connect.

4. After the connection is successful, you can

visit the intranet server 192.168.1.2

Allowing Remote Users ( PC ) to Access a Private Network Using L2TP over IPSec VPN 236
 StoneOS Cookbook

Steps of setting up a VPN connection in Mac OS

Set up a connection:

1. Select System Preferences > Network.

2. Click + to create a new network connection

3. Enter the connection configuration in the

pop-up dialog.

4. Click Interface drop-down list and select

VPN

5. Click VPN Type drop-down list and select

L2TP over IPSec.

6. Enter the Service Name: L2TP over IPSec.

7. Click Create.

237 Allowing Remote Users ( PC ) to Access a Private Network Using L2TP over IPSec VPN
StoneOS Cookbook

Steps of setting up a VPN connection in Mac OS

Configure the properties of connection:

1. Find L2TP over IPSec on the left web page

and click it.

2. Enter the Server Addresson the right web

page: 10.10.1.1.

3. Enter the Account Name: user1.

4. Click Authentication Settings button and

enter authentication password in the pop-up
dialog.

5. In the User Authentication section, select

Passwordbutton and enter the cor-
responding password: hillstone.

6. In the Machine Authentication section,

select Shared Secret button in the Machine
Authentication and enter the Shared Secret:
hillstone.

7. Click OK to save the configurations.

Allowing Remote Users ( PC ) to Access a Private Network Using L2TP over IPSec VPN 238
 StoneOS Cookbook

Steps of setting up a VPN connection in Mac OS

Configure the advanced properties of con-

nection:

1. Click Advanced button.

2. Configure the advanced properties in the

pop-up dialog.

3. Select all the check boxes in Session

Options and make sure that the check box
of Send all traffic over VPN connection is
selected.

4. Click OK to save the configurations.

Connect to the L2TP over IPSec VPN:

1. Find L2TP over IPSec on the left web page

and click it.

2. Click Connect button on the right page.

3. The status shows Connecting.

4. After connecting successfully, the page

shows Status: Connected, Connect Time
and so on.

5. Click Apply to save the configurations.

6. After the connection is successful, you can

visit the intranet server 192.168.1.2.

7. If you need to disconnect the connection,

click Disconnect button.

239 Allowing Remote Users ( PC ) to Access a Private Network Using L2TP over IPSec VPN
StoneOS Cookbook

Adjusting Whether to Use IPSec for L2TP VPN

By default, the L2TP VPN is required by Windows to use IPSec. For the above L2TP over IPSec VPN, you do not need to modify the
system's registry.

If the system has disabled IPSec, take the following steps to make the system use L2TP over IPSec:

Enable IPSec

1. Select Start > Run.

2. In Run, enter regedit.

3. Click OK

4. Navigate to HKEY_Local_Machine\Sys-
tem\CurentControl Set\Ser-
vices\RasMan\Parameters.

5. In the right pane, find the entry Pro-

hibitIPSec whose type is REG_DWORD.

6. Double-click this entry and modify the

value in the Value data text box to 0.

o 0 represents that the system enables

IPSec.

o 1 represents that the system disables

IPSec.

7. Save the modifications and restart the sys-

tem.

Allowing Remote Users ( PC ) to Access a Private Network Using L2TP over IPSec VPN 240
StoneOS Cookbook

Allowing Remote Users (iOS/Android) to Access a Private Network Using

L2TP over IPSec VPN
This example shows how to use L2TP over IPSec VPN to provide remote users (iOS/Android) with access to corporate internal net-
work.

The topology is shown as below. A remote user, located at home or a hotel, accesses the Internet via mobile 3G/4G or Wi-Fi. This
remote user (iOS/Android) uses L2TP over IPSec VPN to visit the server (PC1) in the corporate internal network. And this server is
protected by the device A.

*Due to lab environment, use 10.10.1.0./24 to represent the public network segment.

The configuration process consists of five parts:

o Configure basic settings

o Configure IPSec VPN

o Configure L2TP VPN

o Set up a VPN connection in iOS/Android

Configuring Basic Settings

In device A, configure the following settings:

Allowing Remote Users (iOS/Android) to Access a Private Network Using L2TP over IPSec VPN 241
 StoneOS Cookbook

Step 1: Configuring an interface

Configuring the interface connected to the

intranet

Select Network > Interface, and double-click eth-

ernet0/1.

o Binding Zone: Layer 3 Zone

o Zone: dmz

o Type: Static IP

o IP Address: 192.168.1.1

o Netmask: 255.255.255.0

o Keep the default of other parameters

Configuring the interface connected to Internet

Select Network > Interface, and double-click eth-

ernet0/2.

o Binding Zone: Layer 3 Zone

o Zone: untrust

o Type: Static IP

o IP Address: 10.10.1.1

o Netmask: 255.255.255.0

o Keep the default of other parameters

242 Allowing Remote Users (iOS/Android) to Access a Private Network Using L2TP over IPSec VPN
StoneOS Cookbook

Step 1: Configuring an interface

Configuring the tunnel interface.

Select Network > Interface > New > Tunnel

Interface.

o Interface name: tunnel1

o Binding Zone: Layer 3 Zone

o Zone: trust

o IP Address: 192.168.3.1

o Netmask: 255.255.255.0

o Keep the default of other parameters

Allowing Remote Users (iOS/Android) to Access a Private Network Using L2TP over IPSec VPN 243
 StoneOS Cookbook

Step 2: Configuring a security policy

Configure a security policy that allows the traffic

to flow from the Trust zone where the tunnel
interface locates to the DMZ zone where the
internal server locates.

Select Policy > Security Policy > New.

o Name: trust_to_dmz

o Source

o Zone: trust

o Address: Any

o Destination

o Zone: dmz

o Address: Any

o Other

o Service/Service Group: Any

o Action: Permit

Configuring IPSec VPN

In device A, configure the following settings:

244 Allowing Remote Users (iOS/Android) to Access a Private Network Using L2TP over IPSec VPN
StoneOS Cookbook

Step 1: Creating a P1 proposal and a P2 proposal

Click Network > VPN > IPSec VPN. In the P1

Proposal tab, click New.

o Proposal Name: p1forl2tp

o Authentication: Pre-share

o Hash: SHA

o Encryption: 3DES

o DH Group: Group2

o Lifetime: 86400

In the P2 Proposal tab, click New.

o Proposal Name: p2forl2tp

o Protocol: ESP

o HASH: SHA

o Encryption: 3DES, DES, AES

o Compression: None

o PFS Group: No PFS

o Lifetime: 28800

o Lifesize: Enable

o Lifesize: 250000

Allowing Remote Users (iOS/Android) to Access a Private Network Using L2TP over IPSec VPN 245
 StoneOS Cookbook

Step 2: Configuring a VPN peer

Click Network > VPN > IPSec VPN. In the

VPN Peer List tab, click New.

In the Basic tab, configure the following settings:

o Name: toclient

o Interface: ethernet0/2

o Mode: Main

o Type: User Group

o AAA Server: local

o Proposal1: p1forl2tp

o Pre-shared Key: hillstone

In the Advanced tab, configure the following set-

tings:

o NAT Traversal: Enable

o Any Peer ID: Enable

o Keep the default of other parameters

246 Allowing Remote Users (iOS/Android) to Access a Private Network Using L2TP over IPSec VPN
StoneOS Cookbook

Step 3: Configuring IKE VPN

Click Network > VPN > IPSec VPN. In the

IKE VPN List tab, click New.

In the Basic tab, configure the following settings:

o Peer

o Peer Name: toclient

o Tunnel

o Name: toclienttunnel

o Mode: transport

o P2 proposal: p2forl2tp

In the Advanced tab, configure the following set-

tings:

o Accept-all-proxy-ID: Enable

o Keep the default of other parameters

Configuring L2TP VPN

In device A, configure the following settings:

Allowing Remote Users (iOS/Android) to Access a Private Network Using L2TP over IPSec VPN 247
 StoneOS Cookbook

Step 1: Creating a L2TP pool

Select Network > VPN > L2TP VPN >

Address Pool.

In the Address Pool dialog, click New.

o Address Pool Name: pool1

o Start IP: 192.168.3.2

o End IP: 192.168.3.100

Step 2: Adding a user in the 'local' AAA server

Select Object > User > Local User > New >
User.

o Name: user1

o Password: hillstone

o Confirm Password: hillstone

248 Allowing Remote Users (iOS/Android) to Access a Private Network Using L2TP over IPSec VPN
StoneOS Cookbook

Step 3: Configuring a L2TP VPN instance

Select Network > VPN > L2TP VPN > New.

In the Name/Access User tab, configure the fol-

lowing settings:

o L2TP VPN Name: l2tpinstance1

o AAA Server: local

o Click Add

In the Interface/Address Pool/IPSec Tunnel tab,

configure the following settings:

o Egress Interface: ethernet0/2

o Tunnel Interface: tunnel1

o Address Pool: pool1

o L2TP over IPSec: toclienttunnel

Set up a VPN connection in iOS/ Android

Take iOS 10 and Android 7 as examples.

Allowing Remote Users (iOS/Android) to Access a Private Network Using L2TP over IPSec VPN 249
 StoneOS Cookbook

Steps of setting up a VPN connection in iOS 10. (Before configuring your iPhone, make sure that it can access the Internet nor-
mally.)

Enter VPN configuration page:

1. Select Settings > General in your iPhone.

2. Swipe down and click VPN.

3. Click Add VPN Configuration…

250 Allowing Remote Users (iOS/Android) to Access a Private Network Using L2TP over IPSec VPN
StoneOS Cookbook

Steps of setting up a VPN connection in iOS 10. (Before configuring your iPhone, make sure that it can access the Internet nor-
mally.)

Configuring VPN properties:

1. Click Add VPN Configuration on VPN

page.

2. Enter the following configurations on Add

Configuration page.

o Type: Click the drop-down list and

select L2TP.

o Description: Enter the custom name

L2TP over IPSec to mark the L2TP
connection.

o Server: 10.10.1.1

o Account: user1, the login account that

has been added in local AAA server

o Password: hillstone, the corresponding

password of the account.

o Secret: hillstone, the pre-shared key.

3. Click Done on the top right corner.

Allowing Remote Users (iOS/Android) to Access a Private Network Using L2TP over IPSec VPN 251
 StoneOS Cookbook

Steps of setting up a VPN connection in iOS 10. (Before configuring your iPhone, make sure that it can access the Internet nor-
mally.)

Enabling VPN and connect L2TP over IPSec

VPN:

1. Select the configured VPN: L2TP over

IPSec.

2. Swipe the Status button.

3. After VPN being connected successfully,

the status shows Connected and there will
appear VPN on the top of screen.

4. After VPN being connected successfully,

you can access the internal server:
192.168.1.2.

252 Allowing Remote Users (iOS/Android) to Access a Private Network Using L2TP over IPSec VPN
StoneOS Cookbook

Steps of setting up a VPN connection in Android. (Before configuring your iPhone, make sure that it can access the Internet
normally.)

Enter the VPN configuration page:

1. Select Settings > VPN in your Android

phone.

2. Click Add VPN at the bottom of screen.

Allowing Remote Users (iOS/Android) to Access a Private Network Using L2TP over IPSec VPN 253
 StoneOS Cookbook

Steps of setting up a VPN connection in Android. (Before configuring your iPhone, make sure that it can access the Internet
normally.)

Configuring VPN properties:

1. Enter the following configurations on Add

VPN page.

o Enter the custom name L2TP over

IPSec to mark the L2TP connection.

o TYPE: Click the drop-down list and

select L2TP/IPSec PSK.

o Server address: 10.10.1.1

o IPSec pre-shared key: hillstone

o Account: user1, the login account that

has been added in local AAA server.

o Password: hillstone, the corresponding

password of the account.

2. Click OK on the top right corner.

254 Allowing Remote Users (iOS/Android) to Access a Private Network Using L2TP over IPSec VPN
StoneOS Cookbook

Steps of setting up a VPN connection in Android. (Before configuring your iPhone, make sure that it can access the Internet
normally.)

Enabling VPN and connect L2TP over IPSec

VPN:

1. Select the configured VPN: L2TP over

IPSec.

2. Swipe the VPN button.

3. After VPN being connected successfully,

the status shows Connected and there will
appear a VPN sign on the top screen.

4. After VPN being connected successfully,

you can access the internal server:
192.168.1.2.

Allowing Remote Users (iOS/Android) to Access a Private Network Using L2TP over IPSec VPN 255
StoneOS Cookbook

Connection between Two Private Networks Using GRE over IPSec VPN
This example introduces how to create GRE over IPSec VPN to protect the communication between the private network of the
headquarters and the private network of the branch.

The topology is shown as below. Device A acts as the gateway of the headquarters and device B acts as the gateway of the branch. To
protect the communication between two private networks, use GRE over IPSec VPN.

*Due to lab environment, use 10.89.16.0/22 to represent the public network segment.

The configuration process consists of five parts:

o Configure basic settings

o Configure IPSec VPN

o Configure GRE VPN

o Configure route and policies

Connection between Two Private Networks Using GRE over IPSec VPN 256
 StoneOS Cookbook

Configuring Basic Settings

Step 1: Configuring interfaces for device A

Configuring the interface connected to the

intranet

Select Network > Interface, and double-click eth-

ernet0/0.

o Binding Zone: Layer 3 Zone

o Zone: trust

o Type: Static IP

o IP Address: 192.168.1.1

o Netmask: 255.255.255.0

o Keep the default of other parameters

Configuring the interface connected to Internet

Select Network > Interface, and double-click eth-

ernet0/1.

o Binding Zone: Layer 3 Zone

o Zone: untrust

o Type: Static IP

o IP Address: 10.89.17.226

o Netmask: 255.255.252.0

o Keep the default of other parameters

257 Connection between Two Private Networks Using GRE over IPSec VPN
StoneOS Cookbook

Step 1: Configuring interfaces for device A

Configuring the tunnel interface.

Select Network > Interface > New > Tunnel

Interface.

o Interface name: tunnel1

o Binding Zone: Layer 3 Zone

o Zone: trust

o IP Address: 172.2.2.1

o Netmask: 255.255.255.0

o Keep the default of other parameters

Step 2: Configuring interfaces for device B

Configuring the interface connected to the

intranet

Select Network > Interface, and double-click eth-

ernet0/4.

o Binding Zone: Layer 3 Zone

o Zone: trust

o Type: Static IP

o IP Address: 192.168.2.1

o Netmask: 255.255.255.0

o Keep the default of other parameters

Connection between Two Private Networks Using GRE over IPSec VPN 258
 StoneOS Cookbook

Step 2: Configuring interfaces for device B

Configuring the interface connected to Internet

Select Network > Interface, and double-click eth-

ernet0/1.

o Binding Zone: Layer 3 Zone

o Zone: untrust

o Type: Static IP

o IP Address: 10.89.18.131

o Netmask: 255.255.252.0

o Keep the default of other parameters

Configuring the tunnel interface.

Select Network > Interface > New > Tunnel

Interface.

o Interface name: tunnel1

o Binding Zone: Layer 3 Zone

o Zone: trust

o IP Address: 172.2.2.2

o Netmask: 255.255.255.0

o Keep the default of other parameters

259 Connection between Two Private Networks Using GRE over IPSec VPN
StoneOS Cookbook

Configuring IPSec VPN

Step 1: Configuring IPSec VPN for device A

Create a P1 proposal and a P2 proposal.

Click Network > VPN > IPSec VPN. In the P1

Proposal tab, click New.

o Proposal Name: p1forgre

o Authentication: Pre-share

o Hash: SHA

o Encryption: 3DES

o DH Group: Group2

o Lifetime: 86400

In the P2 Proposal tab, click New.

o Proposal Name: p2forl2tp

o Protocol: ESP

o HASH: SHA

o Encryption: 3DES

o Compression: None

o PFS Group: No PFS

o Lifetime: 28800

Connection between Two Private Networks Using GRE over IPSec VPN 260
 StoneOS Cookbook

Step 1: Configuring IPSec VPN for device A

Configure a VPN peer.

Click Network > VPN > IPSec VPN. In the

VPN Peer List tab, click New.

In the Basic tab, configure the following settings:

o Name: center2branch1_ipsec

o Interface: ethernet0/1

o Mode: Main

o Type: Static IP

o Peer IP: 10.89.18.131

o Proposal1: p1forgre

o Pre-shared Key: hillstone

o Keep the default of other parameters

261 Connection between Two Private Networks Using GRE over IPSec VPN
StoneOS Cookbook

Step 1: Configuring IPSec VPN for device A

Configure IKE VPN.

Click Network > VPN > IPSec VPN. In the

IKE VPN List tab, click New.

In the Basic tab, configure the following settings:

o Peer

o Peer Name: center2branch1_ipsec

o Tunnel

o Name: center2branch1_ipsec_tunnel

o Mode: tunnel

o P2 proposal: p2forgre

o Keep the default of other parameters

Connection between Two Private Networks Using GRE over IPSec VPN 262
 StoneOS Cookbook

Step 2: Configuring IPSec VPN for device B

Create a P1 proposal and a P2 proposal.

Click Network > VPN > IPSec VPN. In the P1

Proposal tab, click New.

o Proposal Name: p1forgre

o Authentication: Pre-share

o Hash: SHA

o Encryption: 3DES

o DH Group: Group2

o Lifetime: 86400

In the P2 Proposal tab, click New.

o Proposal Name: p2forgre

o Protocol: ESP

o HASH: SHA

o Encryption: 3DES

o Compression: None

o PFS Group: No PFS

o Lifetime: 28800

263 Connection between Two Private Networks Using GRE over IPSec VPN
StoneOS Cookbook

Step 2: Configuring IPSec VPN for device B

Configure a VPN peer.

Click Network > VPN > IPSec VPN. In the

VPN Peer List tab, click New.

In the Basic tab, configure the following settings:

o Name: tocenter_ipsec

o Interface: ethernet0/1

o Mode: Main

o Type: Static IP

o Peer IP: 10.89.17.226

o Proposal1: p1forgre

o Pre-shared Key: hillstone

o Keep the default of other parameters

Connection between Two Private Networks Using GRE over IPSec VPN 264
 StoneOS Cookbook

Step 2: Configuring IPSec VPN for device B

Configure IKE VPN.

Click Network > VPN > IPSec VPN. In the

IKE VPN List tab, click New.

In the Basic tab, configure the following settings:

o Peer

o Peer Name: tocenter_ipsec

o Tunnel

o Name: tocenter_ipsec_tunnel

o Mode: tunnel

o P2 proposal: p2forgre

o Keep the default of other parameters

Configuring GRE VPN

GRE VPN configurations are not supported by WebUI. You need to use CLI to complete the following GRE VPN configurations.

265 Connection between Two Private Networks Using GRE over IPSec VPN
StoneOS Cookbook

Step 1: Configuring GRE VPN for device A

Create a GRE tunnel.

1. In the global configuration mode, create a

GRE tunnel:
tunnel gre center2branch1

2. Specify the source IP address of the tunnel:

source 10.89.17.226

3. Specify the destination IP address of the tun-

nel:
destination 10.89.18.131

4. Specify the egress interface of the tunnel:

interface ethernet0/1

5. Specify the IPSec VPN tunnel:

next-tunnel ipsec center2branch1_ipsec_
tunnel

Bind the GRE tunnl to the tunnel interface.

1. Enter the interface configuration mode of

tunnel1:
int tunnel1

2. Bind the GRE tunnel:

tunnel gre center2branch1

Connection between Two Private Networks Using GRE over IPSec VPN 266
 StoneOS Cookbook

Step 2: Configuring GRE VPN for device B

Create a GRE tunnel.

1. In the global configuration mode, create a

GRE tunnel:
tunnel gre branch1

2. Specify the source IP address of the tunnel:

source 10.89.18.131

3. Specify the destination IP address of the tun-

nel:
destination 10.89.17.226

4. Specify the egress interface of the tunnel:

interface ethernet0/1

5. Specify the IPSec VPN tunnel:

next-tunnel ipsecto_center_tunnel

Bind the GRE tunnl to the tunnel interface.

1. Enter the interface configuration mode of

tunnel1: int tunnel1

2. Bind the GRE tunnel: tunnel gre branch1

267 Connection between Two Private Networks Using GRE over IPSec VPN
StoneOS Cookbook

Configuring Route and Policies

Step 1: Configuring route and policies for device A

Configure routes.

Select Network > Routing > Destination Route.

Click New.

o Destination: 192.168.2.0

o Subnet Mask: 255.255.255.0

o Next Hop: Interface

o Interface: tunnel1

o Keep the default of other parameters

Connection between Two Private Networks Using GRE over IPSec VPN 268
 StoneOS Cookbook

Step 1: Configuring route and policies for device A

Configure a security policy that allows the traffic

to flow from the Trust zone where the tunnel
interface locates to the Trust zone where the
internal server locates.

Select Policy > Security Policy. Click New.

o Name: trust_to_trust

o Source

o Zone: trust

o Address: Any

o Destination

o Zone: trust

o Address: Any

o Other

o Service/Service Group: Any

o Action: Permit

269 Connection between Two Private Networks Using GRE over IPSec VPN
StoneOS Cookbook

Step 2: Configuring route and policies for device B

Configure routes.

Select Network > Routing > Destination Route.

Click New.

o Destination: 192.168.1.0

o Subnet Mask: 255.255.255.0

o Next Hop: Interface

o Interface: tunnel1

o Keep the default of other parameters

Connection between Two Private Networks Using GRE over IPSec VPN 270
 StoneOS Cookbook

Step 2: Configuring route and policies for device B

Configure a security policy that allows the traffic

to flow from the Trust zone where the tunnel
interface locates to the Trust zone where the
internal server locates.

Select Policy > Security Policy > New.

o Name: trust_to_trust

o Source

o Zone: trust

o Address: Any

o Destination

o Zone: trust

o Address: Any

o Other

o Service/Service Group: Any

o Action: Permit

Step 3: Verifying the connection between two private networks

After completing the above steps, the headquar-

ters and branch can visit each other.

271 Connection between Two Private Networks Using GRE over IPSec VPN
StoneOS Cookbook

Configuring VXLAN Static Unicast Tunnel

This example introduces how to configure VXLAN static unicast tunnel. VXLAN uses MAC-in-UDP encapsulation to extend Layer 2
networks, allowing a large number of tenant accesses to virtual networks.

In the topology below, PC1 and PC2 communicate through the VXLAN tunnel (VNI100).

Note: In the same tunnel, different VNIs cannot communicate with each other.

Configuration Steps

VTEP1 Configuratio

Step 1: Configure the interface.

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone l2-trust

hostname(config-if-eth0/1)# ip address 10.1.2.1/24

hostname(config-if-eth0/1)# exit

Step2: Configure VXLAN tunnel.

hostname(config)# tunnel vxlan tunnel 1

hostname(config-tunnel-vxlan)# interface ethernet0/7

hostname(config-tunnel-vxlan)# destination 7.1.1.2

hostname(config-tunnel-vxlan)# vni 100

hostname(config-tunnel-vxlan)# exit

hostname(config)#

Step 3: Configure the tunnel interface and bind the Layer 2 security zone.

Connection between Two Private Networks Using GRE over IPSec VPN 272
 StoneOS Cookbook

hostname(config)# interface tunnel1

hostname(config-if-tun1)# zone l2-trust

hostname(config-if-tun1)#tunnel vxlan tunnel1

hostname(config-if-tun1)# exit

hostname(config)#

Step 4: Configure the policy.

hostname(config)# policy-global

hostname(config-policy)# rule id 1

Rule id 1 is created

hostname(config-policy-rule)# src-addr -any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config)#

VTEP2 Configuration

Step 1: Configure the interface.

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone l2-trust

hostname(config-if-eth0/1)# exit

Step2: Configure VXLAN tunnel.

273 Connection between Two Private Networks Using GRE over IPSec VPN
StoneOS Cookbook

hostname(config)# tunnel vxlan tunnel 1

hostname(config-tunnel-vxlan)# interface ethernet0/7

hostname(config-tunnel-vxlan)# destination 7.1.1.1

hostname(config-tunnel-vxlan)# vni 100

hostname(config-tunnel-vxlan)# exit

hostname(config)#

Step 3: Configure the tunnel interface and bind the Layer 2 security zone.

hostname(config)# interface tunnel1

hostname(config-if-tun1)# zone l2-trust

hostname(config-if-tun1)#tunnel vxlan tunnel1

hostname(config-if-tun1)# exit

hostname(config)#

Step 4: Configure the policy

hostname(config)# policy-global

hostname(config-policy)# rule id 1

Rule id 1 is created

hostname(config-policy-rule)# src-addr -any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config)#

Step5: Verify result

Connection between Two Private Networks Using GRE over IPSec VPN 274
 StoneOS Cookbook

PC1 and PC2 can communicate with each other through the VXLAN tunnel successfully.

Allowing Remote Users ( PC ) to Access a Private Network Using L2TP and

SSL VPN
This example shows how to use L2TP and SSL VPN to provide remote users with access to corporate internal network.

The topology is shown below. A remote user (PC) , located at a branch office of the corporate , uses SSL VPN to visit the branch fire-
wall . The branch firewall functions as an L2TP client to establish a tunnel connection with the headquarters firewall. Then, the traffic
from the remote user(PC) is routed to the L2TP tunnel , and the remote user (PC) in the branch office can communicate with the server
in the corporate internal network.

* This example is used in a laboratory environment. Please configure the IP addresses of each interface according to the actual con-
nections.

Configure the Branch Firewall

In Branch Firewall, configure the following settings:

275 Connection between Two Private Networks Using GRE over IPSec VPN
StoneOS Cookbook

Step 1: Configuring an interface

Configuring the interface connected to the

branch network

Select Network > Interface, and double-click eth-

ernet0/1.

o Binding Zone: Layer 3 Zone

o Zone: trust

o Type: Static IP

o IP Address: 10.182.55.49

o Netmask: 255.255.255.0

o Keep the default of other parameters

Configuring the interface connected to Internet

Select Network > Interface, and double-click eth-

ernet0/2.

o Binding Zone: Layer 3 Zone

o Zone: untrust

o Type: Static IP

o IP Address: 100.1.1.2

o Netmask: 255.255.255.0

o Keep the default of other parameters

Connection between Two Private Networks Using GRE over IPSec VPN 276
 StoneOS Cookbook

Step 1: Configuring an interface

Configuring the L2TP VPN tunnel interface.

Select Network > Interface > New > Tunnel

Interface.

o Interface name: tunnel1

o Binding Zone: Layer 3 Zone

o Zone: VPNHub

o Keep the default of other parameters

Configuring the SSL VPN tunnel interface.

Select Network > Interface > New > Tunnel

Interface.

o Interface name: tunnel2

o Binding Zone: Layer 3 Zone

o Zone: VPNHub

o IP Address: 60.1.1.1

o Netmask: 255.255.255.0

o Keep the default of other parameters

277 Connection between Two Private Networks Using GRE over IPSec VPN
StoneOS Cookbook

Step 2: Configuring a security policy and NAT

Configure a traffic-all-pass policy

Select Policy > Security Policy > New.

o Name: Any_to_Any

o Source

o Zone: Any

o Address: Any

o Destination

o Zone: Any

o Address: Any

o Service : Any

o Action: Permit

Connection between Two Private Networks Using GRE over IPSec VPN 278
 StoneOS Cookbook

Step 2: Configuring a security policy and NAT

Configure source NAT to convert the IP

address of the branch network to the IP address
of the L2TP tunnel interface

Select Policy > NAT > SNAT. Click New

o Virtual Router : trust-vr

o Source Address

o IP/Netmask：60.1.1.0/24

o Destination Address

o IP Address：172.16.2.2

o Egress：Egress interface ：tunnel1

o Translated to : Egress IF IP(IPv4)

o Keep the default of other parameters

Step 3: Configuring a routing

Select Network > Routing > Destination

Route > New.

o Destination：172.16.2.0

o Netmask：255.255.255.0

o Next-hop：Interface

o Interface：tunnel1

279 Connection between Two Private Networks Using GRE over IPSec VPN
StoneOS Cookbook

Step 4: Adding a user in the 'local' AAA server

Select Object > User > Local User > New >
User.

o Name: user1

o Password: hillstone

o Confirm Password: hillstone

Step 5: Configure SSL VPN

Configure SSL VPN address pool . Select Net-

work > VPN > SSL VPN, and click Con-
figuration > Address Pool , click New.

o Address Pool Name: scpool

o Start IP: 60.1.1.2

o End IP: 60.1.1.100

o Mask: 255.255.255.0

o Keep the default of other parameters

Note: SSL VPN address pool must be of the

same network segment of Tunnel interface tun-
nel2.

Connection between Two Private Networks Using GRE over IPSec VPN 280
 StoneOS Cookbook

Step 5: Configure SSL VPN

Select Network > VPN > SSL VPN, and click

New.

In the Name/Access User tab:

o SSL VPN Name: ssl1

o AAA Server: click New , and select local

In the Interface tab:

o Egress Interface 1: ethernet0/1

o Service port: 4433

o Tunnel Interface: tunnel2

o Address Pool: scpool

In the Tunnel Route tab:

o IP: 172.16.2.0

o Netmask: 255.255.255.0

Note : Tunnel route must be of the same net-

work segment of internal server ("Server")

281 Connection between Two Private Networks Using GRE over IPSec VPN
StoneOS Cookbook

Step 6: Configuring a L2TP Client instance

Select Network > VPN > L2TP VPN >L2TP

Client > New.

o Client Name: client1

o Tunnel Interface: tunnel1

o Egress Interface: ethernet0/2

o LNS IP：100.1.1.1

o Keepalive：60 seconds

o Control Packet Transmit Retry：5 times

o User Name：l2tp_user1

o Password：hillstone

o LCP-echo Interval：30 seconds

o Transmit Retries：4 times

o PPP Authentication：CHAP

o Auto connect：Enabled

Configure Headquarters Firewall

In the Headquarters Firewall, configure the following settings:

Connection between Two Private Networks Using GRE over IPSec VPN 282
 StoneOS Cookbook

Step 1: Configuring an interface

Configuring the interface connected to the Inter-

net

Select Network > Interface, and double-click eth-

ernet0/1.

o Binding Zone: Layer 3 Zone

o Zone: untrust

o Type: Static IP

o IP Address: 100.1.1.1

o Netmask: 255.255.255.0

o Keep the default of other parameters

Configuring the interface connected to internal

network

Select Network > Interface, and double-click eth-

ernet0/2.

o Binding Zone: Layer 3 Zone

o Zone: trust

o Type: Static IP

o IP Address: 172.16.2.1

o Netmask: 255.255.255.0

o Keep the default of other parameters

283 Connection between Two Private Networks Using GRE over IPSec VPN
StoneOS Cookbook

Step 1: Configuring an interface

Configuring the L2TP VPN tunnel interface.

Select Network > Interface > New > Tunnel

Interface.

o Interface name: tunnel1

o Binding Zone: Layer 3 Zone

o Zone: VPNHub

o IP Address: 70.1.1.1

o Netmask: 255.255.255.0

o Keep the default of other parameters

Connection between Two Private Networks Using GRE over IPSec VPN 284
 StoneOS Cookbook

Step 2: Configuring a security policy

Configure a traffic-all-pass policy

Select Policy > Security Policy > New

o Name: Any_to_Any

o Source

o Zone: Any

o Address: Any

o Destination

o Zone: Any

o Address: Any

o Service: Any

o Action: Permit

Step 3: Adding a user in the 'local' AAA server

Select Object > User > Local User > New >
User.

o Name: l2tp_user1

o Password: hillstone

o Confirm Password: hillstone

285 Connection between Two Private Networks Using GRE over IPSec VPN
StoneOS Cookbook

Step 4: Creating a L2TP pool

Select Network > VPN > L2TP VPN >

Address Pool.

In the Address Pool dialog, click New.

o Address Pool Name: pool1

o Start IP: 70.1.1.2

o End IP: 70.1.1.100

Step 5: Configuring a L2TP VPN

Select Network > VPN > L2TP VPN > New.

o L2TP VPN Name: l2tp1

o AAA Server: local

o Egress Interface: ethernet0/1

o Tunnel Interface: tunnel1

o Address Pool: pool1

o Keep the default of other parameters

Setting up a VPN Connection

After completing the above configuration, users in the branch office can dial-up to connect to the intranet server.

Connection between Two Private Networks Using GRE over IPSec VPN 286
 StoneOS Cookbook

Step 1: Download Hillstone Secure Connect client

Enter https://10.182.55.49:4433 in the browser,

and download the SCVPN client on the page that
pops up. The IP address: 10.182.55.49 is the IP
address of the egress interface of the SSL VPN

Step 2: Log in

The remote user open the Hillstone Secure Con-

nect client, and enter information below:

o Server: 10.182.55.49

o Port: 4433

o Username: user1

o Password: hillstone

When the icon in the taskbar becomes green, the

client is connected. Then, the remote user access
the internal server via SSL VPN and L2TP VPN.

287 Connection between Two Private Networks Using GRE over IPSec VPN
StoneOS Cookbook

Zero Trust Network Access (ZTNA)

Compared with the traditional VPN access mode, which allows an authorized user to access any resources on the internal network,
ZTNA (Zero Trust Network Access) starts with a default deny posture of zero trust on any entities, whether outside or inside the enter-
prise network perimeter. Hillstone ZTNA solutions adopts a dynamic authorization method with user identity being the focus and per-
sistently evaluates the creditability based on user identity and terminal device environment to achieve granular management of user,
terminal device and application and realize precise and secure service access control.

o Creditable identity: Identity evaluation is not restricted to account and password authentication but incorporates more identity
factors to provide enterprises with fine-grained user access control for profound access security.

o Creditable terminal device: Verified terminal state does not mean permanent access authorization. ZTNA persistently evaluates the
terminal environment and dynamically adjust the authorization scope to enure that the connected terminal is always under security
control.

o Creditable access: The old security concept that internal network is secure is broken. Any implicit creditability is eliminated. Access
to resources will be granted only when the user and the access device satisfy specific requirements so as to effectively mitigate
internal network security risks.

This chapter contains the following recipe:

o " Windows User Remotely Accessing Internal Server Through ZTNA" on Page 289

o " Android User Remotely Accessing Internal Server Through ZTNA" on Page 306

Zero Trust Network Access (ZTNA) 288

StoneOS Cookbook

Windows User Remotely Accessing Internal Server Through ZTNA

This example introduces how to configure ZTNA to enable Windows users to remotely access enterprise servers on the internal net-
work.

Networking Scenario

An enterprise has R&D and Finance departments. The R&D department need to access enterprise application resources including the
Bug management system and OA system on the enterprise network. The Finance department needs to access enterprise application
resources including the Finance system and OA system on the enterprise network. Now, the enterprise hopes that employees in these
two departments can access these systems when they are on a business trip. Meantime, the employes are expected to access the system
using terminal devices that meet the enterprise's network security requirements. Therefore, the enterprise deploys ZTNA and for-
mulates the following control policies based on user identity and security requirements on access terminal devices:

o R&D employees are allowed to access the Bug management system and OA system.

o Finance employees are allowed to access the Finance and OA systems.

o The access device used for remote access must meet these requirements: OS is Windows 10; firewall is enabled; and the anti-spy
and anti-virus software are updated to the latest version.

o For remote access using a device that meet these requirements, the employee is allowed to access the OA system only: OS is Win-
dows 10; firewall is enabled; and the anti-spy and anti-virus software are not updated to the latest version.

o A user that does not meet any one of the previous requirements will be denied from accessing any resources.

The networking diagram is shown as follows.

Windows User Remotely Accessing Internal Server Through ZTNA 289

 StoneOS Cookbook

Configuration Roadmap

1. Create user group "rd-group" for R&D employees and add R&D employee accounts to it.

2. Create user group "fin-group" for Finance employees and add Finance employee accounts to it

3. Configure ZTNA server parameters for establishing secure connections from the client to the device and to the application
resources:

a. ZTNA server name: name of the ZTNA service that users will access

b. Egress interface and service port: address and port number of the ZTNA service

c. Address pool: used for allocating private addresses to connect the internal network

d. Tunnel interface and tunnel route: used to establish the dedicated tunnel between the user and the application resources

e. Allow download client from browser: allow users to download ZTNA client by accessing the ZTNA service address in the
browser

f. Multiple login: allow the same user account to log in on multiple clients at the same time

g. Two-step verification: configure the user to pass SMS code verification after logging in with user account and password

4. Create application resources "Bug System", "Finance System" and "OA System", which correspond with the Bug management
system, Finance system and OA system respectively, and set their URL addresses. After a user logs in on the client, the user can

290 Windows User Remotely Accessing Internal Server Through ZTNA

StoneOS Cookbook

view the names and URL addresses of the application resources that are granted and not granted access. In addition, configure
application resource "Inter-DNS" for the DNS server on the enterprise network to provide domain name resolution for user
traffic.

5. Configure endpoint tags. For terminal devices meeting the enterprise network security requirements, configure "tag1" for the
device whose OS is Windows 10, firewall is enabled and anti-spy and anti-virus software are updated to the latest version.

6. Configure and enable ZTNA policies. When a user's group and tag match the ZTNA policy with action Permit, the user is gran-
ted access to specific application resources. In addition, configure a ZTNA policy to allow user traffic flowing to the internal
DNS server "Inter-DNS" for domain name resolution and place the policy at the beginning of all ZTNA policies.

7. Configure the default action as being Deny, so that a user that do not match any ZTNA policy will be denied from accessing any
application resources.

Windows User Remotely Accessing Internal Server Through ZTNA 291

 StoneOS Cookbook

Configuration Steps

Step 1: : Creating local users and user groups

Select ZTNA > User > Local User. Click New

> User to create user "rduser01", add it to user
group "rd-group" and set the password and
phone number for two-step verification.

Then, follow the same step to create user

"finuser01" and add it to user group "fin-group".

292 Windows User Remotely Accessing Internal Server Through ZTNA

StoneOS Cookbook

Step 2: Configuring ZTNA

Select ZTNA > Gateway. In the Name/Access

User tab:

o Server Name: ztna-w

o Type: IPv4

o Assigned Users: Click New, and select "local"

for the AAA Server dropdown list

In the Interface tab:

o Egress Interfaces: ethernet0/3

o Service port: 8890

o Tunnel Interface: tunnel23

o Address Pool: pool-1

The IP address of the tunnel interface must be on

the same network segment with the address pool
"pool-1".

In the Tunnel Route tab, click New:

o IP: 10.160.65.0

o Netmask: 255.255.255.0

Tunnel route must be on the same network seg-

ment with the internal server.

Windows User Remotely Accessing Internal Server Through ZTNA 293

 StoneOS Cookbook

Step 2: Configuring ZTNA

In the Parameters tab, enable the Allow Down-

load Client from Browser and Multiple login
functions and set the Multiple login times option
to 0.

In the Two-Step Verification tab：

o Two-Step Verification: Click the Enable but-

ton

o Type: SMS Authentication

o SMS Auth Type: SMS Gateway

o SMS Gateway Name: hillstone

o Lifetime of SMS Verification Code: 10

o Sender Name: hillstone

o Verification Code Length: 8

294 Windows User Remotely Accessing Internal Server Through ZTNA

StoneOS Cookbook

Step 3: Creating application resources

Select ZTNA > Application Resource Book >

Application Resource and click New. In the
Application Resource Configuration tab, click
New to create application resource "Bug System".

o Name: Bug System (Name of the Bug man-

agement system displayed on ZTNA portal
page)

o Hyperlink: https://bug000.com (URL

address of the Bug management system)

o Address Type: IPv4/Netmask

o Address: 10.160.65.1/32

o Protocol: TCP

o Port: 10001

Windows User Remotely Accessing Internal Server Through ZTNA 295

 StoneOS Cookbook

Step 3: Creating application resources

Repeat the previous operation to create applic-

ation resource "Finance System".

o Name: Finance System (Name of the finance

system displayed on ZTNA portal page)

o Hyperlink: https://finance111.com (URL

address of the finance system)

o Address Type: IPv4/Netmask

o Address: 10.160.65.2/32

o Protocol: TCP

o Port: 20001

Repeat the previous operation to create applic-

ation resource "OA System".

o Name: OA System (Name of the OA system

displayed on ZTNA portal page)

o Hyperlink: https://oa333.com (URL address

of the OA system)

o Address Type: IPv4/Netmask

o Address: 10.160.65.3/32

o Protocol: TCP

o Port: 30001

296 Windows User Remotely Accessing Internal Server Through ZTNA

StoneOS Cookbook

Step 3: Creating application resources

Repeat the previous operation to create applic-

ation resource "Inter-DNS" for domain name res-
olution.

o Name: Inter-DNS

o Hyperlink: empty

o Address Type: IPv4/Netmask

o Address: 10.160.65.5/32

o Protocol: UDP

o Port: 12335

Windows User Remotely Accessing Internal Server Through ZTNA 297

 StoneOS Cookbook

Step 4: Creating endpoint tags

Select ZTNA > Endpoint > Tag and click New.

In the Tag Configuration tab:

o Name: tag1

Click Add Criteria Set:

o Operating System: windows

o Endpoint Info Type: Select os-version.

Continue to select is and then windows10.

Click the + button to create the following con-

dition:

o Operating System: windows

o Endpoint Info Type: Select firewall. Continue

to select is and then enabled.

Click the + button to create the following con-

dition:

o Operating System: windows

o Endpoint Info Type: Select anti-virus.

Continue to select is and then updated.

Click the + button to create the following con-

dition:

o Operating System: windows

o Endpoint Info Type: Select anti-spyware.

Continue to select is and then updated.

298 Windows User Remotely Accessing Internal Server Through ZTNA

StoneOS Cookbook

Step 5: Configuring ZTNA policies

Select ZTNA > Policy and click New. In the

Policy Configuration tab:

o Name: z-policy1

o User: rd-group

o Application Resource: Bug System

o Endpoint tag: tag1

o Action: Permit

Repeat the previous operation to create "z-

policy2":

o Name: z-policy2

o User: fin-group

o Application Resource: Finance System

o Endpoint tag: tag1

o Action: Permit

Windows User Remotely Accessing Internal Server Through ZTNA 299

 StoneOS Cookbook

Step 5: Configuring ZTNA policies

Repeat the previous operation to create "z-

policy3":

o Name: z-policy3

o User: rd-group, fin-group

o Application Resource: OA System

o Endpoint tag: tag1

o Action: Permit

300 Windows User Remotely Accessing Internal Server Through ZTNA

StoneOS Cookbook

Step 5: Configuring ZTNA policies

Repeat the previous operation to create "dns-

policy" for user traffic domain name resolution on
the internal DNS server:

o Name: dns-policy

o User: rd-group, fin-group

o Application Resource: Inter-DNS

o Endpoint tag: empty

o Action: Permit

Step 6: Check that ZTNA policies are enabled

Select ZTNA > Policy and check whether these

ZTNA policies are enabled. If not, select "z-
policy1", "z-policy2", "z-policy3" and "dns-
policy", click ┇ and then select Enable.

Windows User Remotely Accessing Internal Server Through ZTNA 301

 StoneOS Cookbook

Step 7: Configuring the default action

Select ZTNA > Policy, click ┇ and select Default

Policy Action. In the Default Policy Action dia-
log box, specify the default action to Deny.

Step 8: Results

Verification Method:

1. Download Secure Connect Client. On PC1

and PC2, access
https://10.182.159.103:8890 to download
Secure Connect Windows client. The IP
address and port number are the ones con-
figured in the Interface tab.

2. Log in the client on PC1 and PC2 to check

whether the access privilege for each applic-
ation is correct in the ZTNA portal page.

3. Click an application resource with access

privilege to check whether the user will be
directed to the resource page.

302 Windows User Remotely Accessing Internal Server Through ZTNA

StoneOS Cookbook

Step 8: Results

Verification Steps:

Enter the address "https://10.182.159.103:8890"

in the browser on PC1 and PC2. In the pop-up
page, select Windows tab and click Download.
Then, follow the steps to install the client.

Windows User Remotely Accessing Internal Server Through ZTNA 303

 StoneOS Cookbook

Step 8: Results

In the client on PC1 and PC2, use the R&D

account to log in:

o Server: 10.182.159.103

o Port: 8890

o Username: rduser01

o Password: password for rduser01

After passing the SMS code verification:

o In the ZTNA portal page displayed on PC1,

Bug System and OA System are in the access-
ible state. Clicking the Bug System icon, the
user is redirected to the Bug management
page.

o In the ZTNA portal page displayed on PC2,

OA System is in the accessible state; Bug Sys-
tem is grayed out. Clicking the Bug System
icon, the user is prompted with a message
indicating that the user is not granted access.

304 Windows User Remotely Accessing Internal Server Through ZTNA

StoneOS Cookbook

Step 8: Results

Log out rduser01 from the client on PC1 and

PC2. Repeat the previous steps to log in with Fin-
ance user account finuser01.

o Server: 10.182.159.103

o Port: 8890

o Username: finuser01

o Password: password for finuser01

After passing SMS code verification:

o In the ZTNA portal page displayed on PC1,

Finance System and OA System are in the
accessible state. Clicking the Finance System
icon, the user is redirected to the Finance sys-
tem page.

o In the ZTNA portal page displayed on PC2,

OA System is in the accessible state; Finance
System is grayed out. Clicking the Finance Sys-
tem icon, the user is prompted with a message
indicating that the user is not granted access.

Windows User Remotely Accessing Internal Server Through ZTNA 305

StoneOS Cookbook

Android User Remotely Accessing Internal Server Through ZTNA

This example introduces how to configure ZTNA to enable Android users to remotely access bank service system on the internal net-
work.

Networking Scenario

A bank needs the staff to handle services for customers on the go by accessing the bank service system via hand-held terminals. To
ensure access security, the bank wants to deploy ZTNA and requires that the staff use the Android device with customized device
model number designated by the bank, to access ZTNA and the system version of the device be updated to Android 13.

Specific privilege setting and requirements are as follows:

o The bank staff can log in the ZTNA gateway with the specified account and password when using the designated Android device,
and can switch to the bank service system via the ZTNA Portal page after login.

o The bank staff can log in the ZTNA gateway with the specified account and password when using other Android devices or using
the designated device whose system version is not Android 13, but cannot access the bank service system. When clicking the bank
service system displayed on the ZTNA Portal, the staff will see a tip indicating "Please use designated device and update system ver-
sion to Android 13!".

o Except the specified account, other account cannot log in the ZTNA gateway.

In addition, the bank hopes that the ZTNA service port be closed by default so as to make it and the bank service system invisible on the
network and not be scanned. For users needing to access the ZTNA service, the service port will be particularly open to the user only
after the user has passed the verification of the ZTNA service by sending single packet authorization (SPA) packets to knock the
ZTNA service port.

The networking diagram is shown as follows.

Android User Remotely Accessing Internal Server Through ZTNA 306

 StoneOS Cookbook

Configuration Roadmap

1. Create a local user "user01" for the bank work to log in the ZTNA gateway.

2. Configure ZTNA server parameters for establishing secure connects from the client to the device and to the application
resources.

a. ZTNA service: name of the ZTNA service that users will access

b. Egress interface and service port: address and port number of the ZTNA service

c. Address pool: used for allocating private addresses to connecting the internal network

d. Tunnel interface and tunnel route: used to establish the dedicated tunnel between the user and the application resources

3. Configure Single Packet Authorization (SPA) to hide the ZTNA service IP and port number. The ZTNA service port will be
open to the user who accesses through the Hillstone Secure Connect client and passes SPA.

4. Configure the bank service system as application resource "Bank System" and specify a hyperlink for it so that the user can switch
to the bank service system via the ZTNA Portal after login.

5. Configure the designated Android device's model number A-bank-2256 as a custom endpoint item "m-device".

307 Android User Remotely Accessing Internal Server Through ZTNA

StoneOS Cookbook

6. Create endpoint tag "m-device-tag" for the designated Android device whose device model number is "m-device" and system
version is Android 13 and configure the tip "Please use designated device and update system version to Android 13!", which will
be displayed when the user is not granted access to the bank service system because the endpoint tag is not matched.

7. Configure and enable ZTNA policy "m-policy", allowing the bank staff to access the bank service system via the designated
Android device.

8. Configure the default action as being Deny, so that a user that do not match "m-policy" will be denied from accessing the bank
service system.

Configuration Steps

Step 1: Creating local user.

Select ZTNA > User > Local User. Click New

> User to create user "user01" and set the pass-
word

Step 2: Configuring ZTNA

Select ZTNA > Gateway. In the Name/Access

User tab:

o Server Name: ztna-s

o Type: IPv4

o Assigned Users: Click New, and select local

for the AAA Server dropdown list

Android User Remotely Accessing Internal Server Through ZTNA 308

 StoneOS Cookbook

Step 2: Configuring ZTNA

In the Interface tab:

o Egress Interfaces: ethernet1/2

o Service port: 20081

o Tunnel Interface: tunnel2

o Address Pool: pool-ad

The IP address of the tunnel interface must be on

the same network segment with the address pool
pool-d.

In the Tunnel Route tab, click New:

o IP: 10.182.190.0

o Netmask: 255.255.255.0

Tunnel route must be on the same network seg-

ment with the internal server.

309 Android User Remotely Accessing Internal Server Through ZTNA

StoneOS Cookbook

Step 3: Configure Single Packet Authorization (SPA).

Select ZTNA > SPA > SPA Configuration to

enable SPA and set the knock port:

o Enable: click to enable SPA

o Port: 60001

Click new to add ZTNA service address as hid-

den address:

o IP: 10.8.6.19

o Port: 20081

o Virtual Router: trust-vr

Android User Remotely Accessing Internal Server Through ZTNA 310

 StoneOS Cookbook

Step 4: Creating application resource

Select ZTNA > Application Resource Book >

Application Resource and click New. In the
Application Resource Configuration tab, click
New to create application resource "Bank Sys-
tem".

o Name: Bank System (Name of the bank ser-

vice system displayed on ZTNA portal page)

o Hyperlink: https://10.182.190.175 (URL

address of the bank service system)

Click New to configure application resource rule:

o Type: Domain

o Domain: bankserv.com

o Protocol: HTTPS

Step 5: Adding the designated Android device as endpoint information to be collected

Select ZTNA > Endpoint > Information and

click Android. Click Device Model and add the
model number of the designated device:

o Alias: m-device

o Device Model: A-bank-2256

311 Android User Remotely Accessing Internal Server Through ZTNA

StoneOS Cookbook

Step 6: Creating endpoint tag

Select ZTNA > Endpoint > Tagand click New

to create endpoint tag in the Tag Configuration
tab:

o Name: m-device-tag

o Tips: Please use designated device and update

system version to Android 13!

Click Add Criteria Set and add the device model

and system version as criteria:

o Operating System: Android

o Endpoint Info Type: Select OS Version.

Continue to select is and then Android 13.

Click the + button to create the following con-

dition:

o Operating System: Android

o Endpoint Info Type: Select Device Model.

Continue to select is and then m-device.

Android User Remotely Accessing Internal Server Through ZTNA 312

 StoneOS Cookbook

Step 7: Configuring ZTNA policy

Select ZTNA > Policy and click New. In the

Policy Configuration tab:

o Name: m-policy

o User: user01

o Application Resource: Bank System

o Endpoint Tag: m-device-tag

o Action: Permit

Step 8: Checking that ZTNA policy is enabled

Select ZTNA > Policy and check whether the

ZTNA policy is enabled. If not, select "m-policy",
click ┇ and then select Enable.

313 Android User Remotely Accessing Internal Server Through ZTNA

StoneOS Cookbook

Step 9: Configuring the default action

Select ZTNA > Policy, click ┇ and select Default

Policy Action. In the Default Policy Action dia-
log box, specify the default action to Deny.

Step 10: Results

Access the client download page: http://www.hill-

stonenet.com.cn/product/technology/VPN.html.

Locate the QR code for Android client and use the designated
Android device to scan the code.

Download the installation file and install the Hillstone Secure Con-
nect client.

Android User Remotely Accessing Internal Server Through ZTNA 314

 StoneOS Cookbook

Step 10: Results

Open the client and click Add Connection on the upper right. In
the displayed dialog box, fill the following information and then
click Add Connection at the lower part:

o Connection Name: ZTNA-Bank

o Server: 10.8.6.19

o Port: 20081

o User: user01

o Password: password of the user "user01"

o SPA: on

o Port: 60001

Return to the Hillstone Secure Connect client and click Connect

on the ZTNA-Bank session.

After login, the ZTNA Portal Page is displayed. Click Bank Sys-
tem, the user is switched to the bank service system.

315 Android User Remotely Accessing Internal Server Through ZTNA

StoneOS Cookbook

High Availability

High Availability is a redundancy backup methhod. It uses two identical devices to ensure that when one fails to work, the other will
immediately takes over to provide network consistency.

This chapter includes the following recipe:

o " Ensuring Uninterrupted Connection Using HA" on Page 317

o "Making Two Firewalls Working in Hot Standby Mode by Deploying them in HA Peer to Ensure the Continuity of Service " on
Page 325

o "Using Two Devices as Gateways to Forward Business Traffic and Back Up Each Other Based on HSVRP, which Rnsures Uniter-
rupted Business Traffic" on Page 330

High Availability 316

StoneOS Cookbook

Ensuring Uninterrupted Connection Using HA

This example introduces how to configure two devices working under Active-Passive mode to provide high availability for the pro-
tected network.

The topology gives a typical user scenario for HA. In the designed scenario, one (Device A)of the HA devices will be working under
the active mode, while the other (Device B) is under passive mode. The active device will synchronize its data and status to the passive
device. When the active one fails, the passive device will immediately switch to be active, without interrupting the network.

Ensuring Uninterrupted Connection Using HA 317

 StoneOS Cookbook

Configuration Steps

Step 1: Configuring track object. Each device monitors eth0 respectively.

Device A

Select Object > Track Object, and click New.

o Name: track1

o Threshold: 255

o HA sync: Disable

o Track Type: Select Interface, and click Add.

In the prompt, select ethernet0/0, and weight
as 255.

Device B

Select Object > Track Object, and click New.

o Name: track1

o Threshold: 255

o HA sync: Disable

o Track Type: Select Interface, and click Add.

In the prompt, select ethernet0/0, and weight
as 255.

318 Ensuring Uninterrupted Connection Using HA

StoneOS Cookbook

Step 2: Configuring Device A's interface and

policy

Select Network > Interface, and double click eth-

ernet0/0.

o Binding Zone: Layer 3 Zone

o Zone: untrust

o HA sync: Enable

o Type: Static IP

o IP Address: 100.1.1.4

o Netmask: 29

Select Network > Interface, and double click eth-

ernet0/1.

o Binding Zone: Layer 3 Zone

o Zone: trust

o HA sync: Enable

o Type: Static IP

o IP Address: 192.168.1.4

o Netmask: 29

Ensuring Uninterrupted Connection Using HA 319

 StoneOS Cookbook

Step 2: Configuring Device A's interface and

policy

Select Policy > Security Policy > Policy, and click

New.

o Name: policy

o Source Zone: trust

o Source Address: Any

o Destination Zone: untrust

o Destination Address: Any

o Service: Any

o Action: Permit

320 Ensuring Uninterrupted Connection Using HA

StoneOS Cookbook

Step 3: Configuring HA function

Device A

Select System > HA.

o Working Mode: Active-

Passive

o Control link interface 1: eth-

ernet0/4

o Control link interface 2: eth-

ernet0/8

o IP Address: 1.1.1.1/24

o HA cluster ID: 1

o Node ID: 0

o HA Group Configuration:
Enter 10 for "Priority" and
select track1 for "Track
Object".

Ensuring Uninterrupted Connection Using HA 321

 StoneOS Cookbook

Step 3: Configuring HA function

Device B

Select System > HA.

o Working Mode: Active-

Passive

o Control link interface 1: eth-

ernet0/4

o Control link interface 2: eth-

ernet0/8

o IP Address: 1.1.1.2/24

o HA cluster ID: 1

o Node ID: 1

o HA Group Configuration:
Enter 100 for "Priority" and
select track1 for "Track
Object".

322 Ensuring Uninterrupted Connection Using HA

StoneOS Cookbook

Step 4: Configuring management IP of active and passive devices after synchronization

Device A

Select Network > Interface, and double click eth-

ernet0/1. Under IP Configuration, click
Advanced.

o Management IP

o IP Address: 192.168.1.253

Device B

Select Network > Interface, and double click eth-

ernet0/1. Under IP Configuration, click
Advanced.

o Management IP

o IP Address: 192.168.1.254

Ensuring Uninterrupted Connection Using HA 323

 StoneOS Cookbook

Step 5: Results

After configuration, select System > System and Device A：

Signature Database. Under System Information,
the "HA State" item shows the device's HA
status. Device B：

Device A

o HA State: Master

Device B

o HA State: Backup

When Device A fails to forward traffic or its Device A：

eth0/0 is disconnected, Device B will turn to Act-
ive and starts forwarding without interrupting pro-
tected network. Device B：

Select System > System and Signature Database.

Under System Information, the "HA State" item
shows the device's HA status.

Device A

o HA State: Monitor Failed

Device B

o HA State: Master

324 Ensuring Uninterrupted Connection Using HA

StoneOS Cookbook

Making Two Firewalls Working in Hot Standby Mode by Deploying them in

HA Peer to Ensure the Continuity of Service
This example introduces how to configure two firewalls to work in the HA Peer Active-Active(A/A) mode. They will backup each
other while processing their own work in order that network communication will not be interrupted.

As shown in the figure below, without affecting the original network architecture, the two Hillstone firewalls Device A and Device B
are connected transparently to the upstream and downstream devices.

The eth0/3 and eth0/4 interfaces of Device A are used to connected to the upstream and downstream routers. The eth0/3:1 and eth-
0/4:1 interfaces of Device B are used to connected to the upstream and downstream routers. Also, Device A and Device B use the
eth0/1 and eth0/2 interfaces as HA link interfaces.

Normally, both Device A and Device B forward the traffic from PC to the Server. When one of them fails, the other one takes over all
the traffic.

Configuration Steps

Step 1: Configuring HA Peer

Making Two Firewalls Working in Hot Standby Mode by Deploying them in HA Peer to Ensure the 325
Continuity of Service
 StoneOS Cookbook

Device A

hostname(config)# ha link interface ethernet0/1

hostname(config)# ha link data interface ethernet0/2

hostname(config)# ha link ip 1.1.1.2/24

hostname(config)# ha cluster 1 peer-mode node 0

hostname(config)# ha group 0

hostname(config-ha-group)# exit

hostname(config)# ha group 1

hostname(config-ha-group)# exit

hostname(config)# ha traffic enable

hostname(config)#

Device B

hostname(config)# ha link interface ethernet0/1

hostname(config)# ha link data interface ethernet0/2

hostname(config)# ha link ip 1.1.1.3/24

hostname(config)# ha cluster 1 peer-mode node 1

hostname(config)# ha group 0

hostname(config-ha-group)# exit

hostname(config)# ha group 1

hostname(config-ha-group)# exit

hostname(config)# ha traffic enable

hostname(config)#

Step 2: Configuring the interfaces.

326 Making Two Firewalls Working in Hot Standby Mode by Deploying them in HA Peer to Ensure the
Continuity of Service
StoneOS Cookbook

Device A

hostname(M0D1)(config)# interface ethernet0/4

hostname(M0D1)(config-if-eth0/4)# zone l2-untrust

hostname(M0D1)(config-if-eth0/4)# exit

hostname(M0D1)(config)# interface ethernet0/3

hostname(M0D1)(config-if-eth0/3)# zone l2-trust

hostname(M0D1)(config-if-eth0/3)# exit

hostname(M0D1)(config)# interface ethernet0/4:1

hostname(M0D1)(config-if-eth0/4:1)# zone l2-untrust

hostname(M0D1)(config-if-eth0/4:1)# exit

hostname(M0D1)(config)# interface ethernet0/3:1

hostname(M0D1)(config-if-eth0/3:1)# zone l2-trust

hostname(M0D1)(config-if-eth0/3:1)# exit

hostname(M0D1)(config)#

Step 3: Configuring track objects and binding them to HA groups.

Device A

hostname(M0D1)(config)# track track1 local

hostname(M0D1)(config-trackip)# interface ethernet0/3

hostname(M0D1)(config-trackip)# interface ethernet0/4

hostname(M0D1)(config-trackip)# exit

hostname(M0D1)(config)# ha group 0

hostname(M0D1)(config-ha-group)# monitor track track1

hostname(M0D1)(config-ha-group)# exit

hostname(M0D1)(config)#

Making Two Firewalls Working in Hot Standby Mode by Deploying them in HA Peer to Ensure the 327
Continuity of Service
 StoneOS Cookbook

Device B

hostname(D0M1)(config)# track track2 local

hostname(D0M1)(config-trackip)# interface ethernet0/3:1

hostname(D0M1)(config-trackip)# interface ethernet0/4:1

hostname(D0M1)(config-trackip)# exit

hostname(D0M1)(config)# ha group 1

hostname(D0M1)(config-ha-group)# monitor track track2

hostname(D0M1)(config-ha-group)# exit

hostname(D0M1)(config)#

Step 4: Configuring an security policy.

hostname(M0D1)(config)# policy-global

hostname(M0D1)(config-policy)# rule id 1

Rule id 1 is created

hostname(M0D1)(config-policy-rule)# src-zone trust

hostname(M0D1)(config-policy-rule)# dst-zone untrust

hostname(M0D1)(config-policy-rule)# service Any

hostname(M0D1)(config-policy-rule)# action permit

hostname(M0D1)(config-policy-rule)# exit

hostname(M0D1)(config)#

Verification

Device A and Device B Working Normally

When Device A and Device B work normally, both of them forward traffic from PC to Server(IP：30.1.2.10/24).

As shown below, you can use trace 30.1.2.10 command to view the path information of the traffic on PC.

328 Making Two Firewalls Working in Hot Standby Mode by Deploying them in HA Peer to Ensure the
Continuity of Service
StoneOS Cookbook

o Traffic forwarded by Device A:

o Traffic forwarded by Device B:

Device B Failing and Device A Working Normally

When Device B fails and Device A works normally, Device A takes over all the traffic from PC to server.

In this case, the status of Device A is still . The status of Device B changes from to . You can use ping

command on the PC to test if PC can still connect to Server successfully.

Making Two Firewalls Working in Hot Standby Mode by Deploying them in HA Peer to Ensure the 329
Continuity of Service
StoneOS Cookbook

Using Two Devices as Gateways to Forward Business Traffic and Back Up

Each Other Based on HSVRP, which Rnsures Uniterrupted Business Traffic
This example introduces how to configure the HSVRP function when the firewall devices are deployed in the HA Peer A/A and work
as gateways. So that, when one of the firewalls goes faulty, the original IP of its gateway can still be reached.

As shown in the figure below, the two Hillstone devices M0D1 and D0M1 are deployed in the Peer A/A mode. The connection of the
interfaces on the two firewalls is as follows:

o M0D1:

o The xethernet1/10 is used as the HA control link interface and xethernet2/10 is used as the HA data link interface.

o The xethernet1/14 is directly connected to the upstream switch and its IP address is 20.1.1.11/24. The xethernet2/15 is dir-
ectly connected to the downstream switch and its IP address is 30.1.1.11/16.

o D0M1:

o The xethernet1/10 is used as the HA control link interface and xethernet2/10 is used as the HA data link interface.

o The xethernet1/14:1 is directly connected to the upstream switch and its IP address is 20.1.1.12/24. The xethernet2/15:1 is dir-
ectly connected to the downstream switch and its IP address is 30.1.1.12/16.

Four HSVRP groups are configured: hsvrp 1, hsvrp 2, hsvrp 3 and hsvrp 4. Their virtual IP address are different from each other.

Take hsvrp 1 and hsvrp 2 as example, the xethernet1/14 interface is used as the primary interface of hsvrp 1 and the xethernet1/14:1
interface is used as the secondary interface of hsvrp 1. The xethernet1/14:1 interface is used as the primary interface of hsvrp 2 and the
xethernet1/14 interface is used as the secondary interface of hsvrp 2.

If D0M1 fails, the virtual IP address of hsvrp 1 will still take effect on the xethernet1/14 interface. And the virtual IP address of hsvrp
2 will take effect on the xethernet1/14 interface too.

The virtual IP address of hsvrp 1 is configured as the gateway of the host PC1. The virtual IP address of hsvrp 2 is configured as the
gateway of the host PC2. The virtual IP address of hsvrp 4 is configured as the gateway of the server.

Using Two Devices as Gateways to Forward Business Traffic and Back Up Each Other Based on 330
HSVRP, which Rnsures Uniterrupted Business Traffic
 StoneOS Cookbook

o If M0D1 and D0M1 work normally, M0D1 forwards the traffic from PC1 to Server and D0M1 forwards the traffic from PC2 to
Server.

o If D0M1 fails and the gateways of PC2 and Server are not changed, M0D1 will forward all the traffic from PC1 and PC2. This
ensures that network communication is not interrupted.

Configuration Steps

Step 1: Configuring HA Peer.

M0D1 Device

hostname(config)# ha link interface xethernet1/10

hostname(config)# ha link data interface xethernet2/10

hostname(config)# ha link ip 112.1.1.1/24

hostname(config)# ha cluster 5 peer-mode node 0

hostname(config)# ha group 0

hostname(config-ha-group)# exit

hostname(config)# ha group 1

hostname(config-ha-group)# exit

hostname(config)# ha traffic enable

hostname(config)# exit

331 Using Two Devices as Gateways to Forward Business Traffic and Back Up Each Other Based on
HSVRP, which Rnsures Uniterrupted Business Traffic
StoneOS Cookbook

D0M1 Device

hostname(config)# ha link interface xethernet1/10

hostname(config)# ha link data interface xethernet2/10

hostname(config)# ha link ip 112.1.1.2/24

hostname(config)# ha cluster 5 peer-mode node 1

hostname(config)# ha group 0

hostname(config-ha-group)# exit

hostname(config)# ha group 1

hostname(config-ha-group)# exit

hostname(config)# ha traffic enable

hostname(config)# exit

Step 2: Configuring HSVRP groups.

Using Two Devices as Gateways to Forward Business Traffic and Back Up Each Other Based on 332
HSVRP, which Rnsures Uniterrupted Business Traffic
 StoneOS Cookbook

M0D1 Device

hostname(M0D1)(config)# hsvrp id 1

hostname(M0D1)(config-hsvrp)# ip address 20.1.1.1

hostname(M0D1)(config-hsvrp)# exit

hostname(M0D1)(config)# hsvrp id 2

hostname(M0D1)(config-hsvrp)# ip address 20.1.1.2

hostname(M0D1)(config-hsvrp)# exit

hostname(M0D1)(config)# hsvrp id 3

hostname(M0D1)(config-hsvrp)# ip address 30.1.1.1

hostname(M0D1)(config-hsvrp)# exit

hostname(M0D1)(config)# hsvrp id 4

hostname(M0D1)(config-hsvrp)# ip address 30.1.1.2

hostname(M0D1)(config-hsvrp)# exit

Step 3: Configuring interfaces and referencing the HSVRP group for the interfaces.

hostname(M0D1)(config)# interface xethernet1/14

hostname(M0D1)(config-if-xe1/14)# zone trust

hostname(M0D1)(config-if-xe1/14)# ip address 20.1.1.11/24

hostname(M0D1)(config-if-xe1/14)# hsvrp id 1 primary

hostname(M0D1)(config-if-xe1/14)# hsvrp id 2 secondary

hostname(M0D1)(config-if-xe1/14)# exit

333 Using Two Devices as Gateways to Forward Business Traffic and Back Up Each Other Based on
HSVRP, which Rnsures Uniterrupted Business Traffic
StoneOS Cookbook

hostname(M0D1)(config)# interface xethernet1/14:1

hostname(M0D1)(config-if-xe1/14:1)# zone trust

hostname(M0D1)(config-if-xe1/14:1)# ip address 20.1.1.12/24

hostname(M0D1)(config-if-xe1/14:1)# hsvrp id 2 primary

hostname(M0D1)(config-if-xe1/14:1)# hsvrp id 1 secondary

hostname(M0D1)(config-if-xe1/14:1)# exit

hostname(M0D1)(config)# interface xethernet2/15

hostname(M0D1)(config-if-xe2/15)# zone untrust

hostname(M0D1)(config-if-xe2/15)# ip address 30.1.1.11/16

hostname(M0D1)(config-if-xe2/15)# hsvrp id 3 primary

hostname(M0D1)(config-if-xe2/15)# hsvrp id 4 secondary

hostname(M0D1)(config-if-xe2/15)# exit

hostname(M0D1)(config)# interface xethernet2/15:1

hostname(M0D1)(config-if-xe2/15:1)# zone untrust

hostname(M0D1)(config-if-xe2/15:1)# ip address 30.1.1.12/16

hostname(M0D1)(config-if-xe2/15:1)# hsvrp id 4 primary

hostname(M0D1)(config-if-xe2/15:1)# hsvrp id 3 secondary

hostname(M0D1)(config-if-xe2/15:1)# exit

Step 4: Checking the configuration of the HSVRP groups.

Using Two Devices as Gateways to Forward Business Traffic and Back Up Each Other Based on 334
HSVRP, which Rnsures Uniterrupted Business Traffic
 StoneOS Cookbook

M0D1 Device

hostname(M0D1)(config)# show hsvrp

===================================================

ID: 1

Virtual IP: 20.1.1.1 255.255.255.0

Virtual MAC: 0000.5e00.0101

Primary bind interface: xethernet1/14

Secondary bind interface: xethernet1/14:1

Status: active(xethernet1/14)

===================================================

ID: 2

Virtual IP: 20.1.1.2 255.255.255.0

Virtual MAC: 0000.5e00.0102

Primary bind interface: xethernet1/14:1

Secondary bind interface: xethernet1/14

Status: inactive

===================================================

ID: 3

Virtual IP: 30.1.1.1 255.255.255.0

Virtual MAC: 0000.5e00.0103

Primary bind interface: xethernet2/15

Secondary bind interface: xethernet2/15:1

Status: active(xethernet2/15)

===================================================

335 Using Two Devices as Gateways to Forward Business Traffic and Back Up Each Other Based on
HSVRP, which Rnsures Uniterrupted Business Traffic
StoneOS Cookbook

ID: 4

Virtual IP: 30.1.1.2 255.255.255.0

Virtual MAC: 0000.5e00.0104

Primary bind interface: xethernet2/15:1

Secondary bind interface: xethernet2/15

Status: inactive

===================================================

Step 5: Configuring an security policy.

hostname(M0D1)(config)# policy-global

hostname(M0D1)(config-policy)# rule id 1

Rule id 1 is created

hostname(M0D1)(config-policy-rule)# src-zone trust

hostname(M0D1)(config-policy-rule)# dst-zone untrust

hostname(M0D1)(config-policy-rule)# service Any

hostname(M0D1)(config-policy-rule)# action permit

hostname(M0D1)(config-policy-rule)# exit

hostname(M0D1)(config)#

Verification

M0D1 and D0M1 Working Normally

When M0D1 and D0M1 work normally, M0D1 forwards the traffic from PC1 to Server and D0M1 forwards the traffic from PC2 to
Server.

As shown below, on the M0D1 device, in any configuration mode, you can use show flow0-interface xethernet1/14 command to
view the information of corresponding sessions.

Using Two Devices as Gateways to Forward Business Traffic and Back Up Each Other Based on 336
HSVRP, which Rnsures Uniterrupted Business Traffic
 StoneOS Cookbook

o The value "flag 104000" represents that this session is processed by M0D1 so it tests that M0D1 forwards the traffic from PC1 to
Server.

o The value "flag 204000" represents that this session is processed by the peer device D0M1 so it tests that D0M1 forwards the
traffic from PC2 to Server.

D0M1 Failing and M0D1 Working Normally

When D0M1 fails and the gateways of PC2 and Server are not changed, PC1 and PC2 can still connect to Server successfully. M0D1
forwards all the traffic from PC1 and PC2.

As shown below, on the M0D1 device, in any configuration mode, you can use show flow0-interface xethernet1/14 command to
view the information of corresponding sessions.

o The value "flag 104000" represents that this session is processed by M0D1. That is to say, M0D1 forwards all the traffic from PC1
and PC2.

337 Using Two Devices as Gateways to Forward Business Traffic and Back Up Each Other Based on
HSVRP, which Rnsures Uniterrupted Business Traffic
StoneOS Cookbook

Quality of Service (QoS)

QoS adopts the concept "pipe" to indicate traffic control method. A pipe is a bandwidth limit. The system divides bandwidth by creating
pipe of different sizes.

This chapter contains the following recipe:

o " QoS Control" on Page 339

o "Outbound Link Load Balance" on Page 346

Quality of Service (QoS) 338

StoneOS Cookbook

QoS Control
This examples shows how to control Internet bandwidth allocation to different users and applications. The key feature that applies in
this situation is 2-Stage QoS flow control.

As shown in the topology below, a company of 155 MB Internet bandwidth has a 2-Stage QoS requirement:

o In 1st Stage QoS: Within the 155 Mbps bandwidth, 40 Mbps will be allocated to Department A, 40 Mbps to Department B, and the
remaining 75 Mbps will be shared by all employees.

o In 2nd Stage QoS: The total P2P flow is limited to 10 Mbps, in which downloading is limited to 2 Mbps, streaming video is limited
to 8 Mbps, and within the video bandwidth, Youku streaming is limited to 6 Mbps.

QoS Control 339

 StoneOS Cookbook

Configuration Steps

Step 1: Creating address entries for Dept. A and Dept. B

Select Object > Address Entry, and click New.

o Name: DeptA

o Member: select IP Range, and enter

"10.89.9.2" and "10.89.9.50" and click Add.

Create another address entry:

o Name: DeptB

o Member: select IP Range, and enter

"10.89.9.52" and "10.89.9.60" and click Add.

Step 2: Create a root pipe of 155 Mbps under Level-1 Control

Select Policy > QoS, click Level-1 Control, and

click New > Pipe.

o Pipe Name: TotalBW

In the same tab, click New.

o Source Information

o Interface: ethernet0/2

340 QoS Control

StoneOS Cookbook

Step 2: Create a root pipe of 155 Mbps under Level-1 Control

Under the Action tab:

o Forward

o Pipe Bandwidth: 155000 Kbps

o Backward

o Pipe Bandwidth: 155000 Kbps

Step 3: Creating sub-pipes for two departments below root pipe

Select root pipe "TotalBW"and click New.

o Pipe Name: pipeA

o Click New, and under Source Information,

select "DeptA" as Address.

o Click the Action tab:

o Forward: Bandwidth: min: 40000 Kbps;

max: 155000 Kbps

o Backward Bandwidth: min:40000 Kbps;

max: 155000 Kbps

QoS Control 341

 StoneOS Cookbook

Step 3: Creating sub-pipes for two departments below root pipe

Use the same steps to create "pipe B":

o Pipe name: pipeB

o Source address: DeptB

o (Forward and Backward) min bandwidth:

40000 kbps

o (Forward and Backward) max bandwidth:

155000 kbps

Step 4: Creating root pipe "p2p" under Level-2 control to limit P2P total to 10 Mbps

Select Policy > QoS, select Level-2 Control and

click New > Pipe.

o Pipe Name: p2p

342 QoS Control

StoneOS Cookbook

Step 4: Creating root pipe "p2p" under Level-2 control to limit P2P total to 10 Mbps

In the same tab, click New.

o Source Information

o Interface: ethernet0/2

o Other

o APP/APP Group: P2P. P2P_Stream

Under the Action tab:

o Forward

o Bandwidth: 10000 kbps

o Backward:

o Bandwidth: 10000 kbps

QoS Control 343

 StoneOS Cookbook

Step 5: Creating sub pipes under root pipe "p2p"

1. Creating a sub-pipe to limit p2p software

Under Level-2 Control, select root pipe "p2p",

and click New > Pipe.

o Pipe Name: p2p_soft

o Click New: in the prompt, select P2P as

APP/APP Group.

o Select the Action tab:

o Forward bandwidth: min: 32; max 2000

o Backward bandwidth: min: 32; max: 2000

2. Creating a sub-pipe to limit p2p video stream-

ing

Under Level-2 Control, select root pipe "p2p",

and click New > Pipe.

o Pipe Name: p2p_stream

o Click New: in the prompt, select P2P_Stream

as APP/APP Group.

o Select the Action tab:

o Forward bandwidth: min: 32; max 8000

o Backward bandwidth: min: 32; max: 8000

3. Creating a sub-pipe to limit p2p video stream-

ing

Under Level-2 Control, select sub pipe "p2p_

stream", and click New > Pipe.

344 QoS Control

StoneOS Cookbook

Step 5: Creating sub pipes under root pipe "p2p"

o Pipe Name: p2p_stream

o Click New: in the prompt, select Youku and

Youku_Stream as APP/APP Group.

o Select the Action tab:

o Forward bandwidth: min: 32; max 6000

o Backward bandwidth: min: 32; max: 6000

QoS Control 345

StoneOS Cookbook

Outbound Link Load Balance

This example shows how to configure outbound link load balancing. Through the configuration of efficient drainage strategy to
achieve dynamic link load balancing, improve the export bandwidth utilization.

As shown in the following figure, this lab environment simulates the deployment of equipment at the second-level ISP exit scene.The
second-level ISP rent Tele-com, China Netcom and other operators of the bandwidth to the user to achieve Internet access. The figure
use 101.0.0.1 to connect to the Internet by Tele-com and 201.1.1.1 to connect to Netcom.

Outbound Link Load Balance 346

 StoneOS Cookbook

Configuration Steps

Step 1: Configure multiple equal-cost routes

1.Select Network > Routing >Destination

Route, and click New.

o Destination：0.0.0.0

o Subnet Mask：0

o Next Hop：interface

o Interface：ethernet0/1

o Gateway：101.1.1.1

2.Select Network > Routing >Destination

Route, and click Newto configure another equal-
cost route.

o Destination：0.0.0.0

o Subnet Mask：0

o Next Hop：interface

o Interface：ethernet0/2

o Gateway：201.1.1.1

347 Outbound Link Load Balance

StoneOS Cookbook

Step 2: Configure the outbound interface bandwidth

Network > Interface, select interface ethernet0 / 1, and click

Edit to configure the bandwidth as 50M (according to the
actual situation to determine the value of the configuration
bandwidth).

o Bandwidth

o Up Bandwidth：50000000bps

o Down Bandwidth：50000000bps

Follow the same steps to set the bandwidth of the interface eth-
ernet0 / 2 to 50M.

Step 3: Configure the outbound load balancr profile

Select Network > Outbound >Profile, click New.

o Profile：HP_LLB

o Bandwidth Utillzation : 60%

o Balance Mode：High Performance

Outbound Link Load Balance 348

 StoneOS Cookbook

Step 4: Configure the outbound load balancr rule

Select Network > Outbound >Rule, click New.

o Rule Name：HP_LLB_rule

o LLB Profile：Select the Profile "HP_LLB"

o Bind Route：Destination Route

o Vitual Router：trust-vr

o Destination Address：0.0.0.0/0

Step 5: Verify that outbound load balance is in effect

After completing the above steps, use the test tool to construct traffic through ethernet0/1 and ethernet0/2, respectively, and then
observe the traffic on each link.By changing the size of outgoing traffic,you can find that the traffic on two links can be adjusted
equitably. The system routing mechanism is as follows:

o When the bandwidth of each link does not exceed 30M (50M*60%), the system calculates the link overhead based on the link
delay, jitter and packet loss rate. The link with the lower link overhead eventually allocates more traffic, while the other link has
less traffic,but the two links are basically balanced.

o When the link bandwidth exceeds 30M, the system adds the bandwidth utilization factor to the calculation, that is, the system cal-
culates the link overhead based on the delay, jitter, packet loss rate and bandwidth utilization. The link with lower link overhead
eventually allocates more traffic, while the other link has less traffic, but the two links are basically balanced.

Q&A

o Q: What factors in the network affect the link load balancing routing of the system?
A: The delay, jitter, packet loss rate and bandwidth utilization of each link are the impact factors. System can intelligently oute and
dynamically adjust the traffic load of each link by monitoring the delay, jitter, packet loss rate and bandwidth utilization of each link
in real-time.

349 Outbound Link Load Balance

StoneOS Cookbook

o Q: Which modes do link load balancing support?

A: Two load balancing modes are supported, namely, high performance and high compatibility modes.

o High Performance - In this mode, system adjusts link to keep the link balance as fast as possible

o High Compatibility - In this mode, When the link load changes, system does not switch the link frequently, but ensures that the
service is as far as possible on the previous link. This mode is suitable for services that are sensitive to link switching, such as
banking services, only when the previous link is overloaded.

Outbound Link Load Balance 350

StoneOS Cookbook

Threat Prevention

Threat prevention, that device can detect and block network threats occur. By configuring the threat protection function, Device can
defense network attacks, and reduce losses caused by internal network.

This chapter includes the following recipes:

o "Protecting Internal Servers and Host to Defend Attack via Abnormal Behavior Detection" on Page 352

o "Protecting Intranet to Defend Attacks via Intrusion Prevention System" on Page 359

o "Forensic Analysis " on Page 367

Threat Prevention 351

StoneOS Cookbook

Protecting Internal Servers and Host to Defend Attack via Abnormal Behavior
Detection
This example introduces how to use Abnormal Behavior Detection to find attacks about servers as early as possible, and integrate with
Mitigation to protect servers better.

As shown in the topology, the device is deployed in the data center exit. After enable and configure the Abnormal Behavior Detection,
when a Web server is infected by SYN flood frequently, a mail server is infected by port scan attacks periodically, Trojan implanted to
the intranet host, Trojan fake domain name by DGA algorithm technology, and connect external network control server, the admin-
istrator can find these attacks and protect the internal hosts and servers.

* To use Abnormal Behavior Detection, apply and install the StoneShield license.

Protecting Internal Servers and Host to Defend Attack via Abnormal Behavior Detection 352
 StoneOS Cookbook

Configuration Steps

Step 1: Enabling Abnormal Behavior Detection to defend internal hosts

Select Network > Zone. Select 'trust' zone, click

Edit, and select the <Threat Protection>tab.

o Abnormal Behavior Detection: Select the

Enable check box .

o Host Defender : Select the Host Defender

check box. To enable the abnormal behavior
detection of the HTTP factor, select the
Advanced Protection check box. To enable
the DDoS protection for the host, select the
DDoS Protection check box. To capture and
save the corresponding evidence that leads to
the alarm of abnormal behavior, select
Forensic.

Step 2: Configuring the critical asset object (Web Server and Mail Server)

Select Network > Zone. Select 'dmz' zone, click

Edit, and select the <Threat Protection>tab.

o Abnormal Behavior Detection: Select the

Enable check box .

353 Protecting Internal Servers and Host to Defend Attack via Abnormal Behavior Detection
StoneOS Cookbook

Step 2: Configuring the critical asset object (Web Server and Mail Server)

1. Configuring the Abnormal Behavior Detec-

tion object (Web Server ), and enabling the web
server advanced protection.

Click Object > Critical Assets, and click New.

o Name: Web Server

o Type: Server

o IP: 172.20.0.10

o Web Server Advanced Protection: Select the

check box.

2. Configuring the Abnormal Behavior Detec-

tion object (Mail Server )

Click Object > Critical Assets, and click New.

o Name: Mail Server

o Type: Server

o IP: 172.18.1.20

Protecting Internal Servers and Host to Defend Attack via Abnormal Behavior Detection 354
 StoneOS Cookbook

Step 3: Viewing the results of Abnormal Behavior Detection

1. Viewing the results from iCenter

Results of Web Server:

o Select iCenter>Critical Assets, click the crit-

ical assets name 'Web Server' link in the list,
to view the information of this critical asset.

o For example, click the Internal Recon> 'TCP

SYN Flood Attack' link in the kill chain list, to
view the Abnormal Behavior Detection
information and the trend chart of the actual
value, predictive value of the detected object.

355 Protecting Internal Servers and Host to Defend Attack via Abnormal Behavior Detection
StoneOS Cookbook

Step 3: Viewing the results of Abnormal Behavior Detection

Results of Mail Server:

o Select iCenter>Critical Assets, click the crit-

ical assets name 'Mail Server' link in the list, to
view the information of this critical asset.

o For example, click the Initial Exploit> 'Port

Scan' link in the kill chain list, to view the
Abnormal Behavior Detection information
and the trend chart of the baseline, thresholds
of the detected object.

Protecting Internal Servers and Host to Defend Attack via Abnormal Behavior Detection 356
 StoneOS Cookbook

Step 3: Viewing the results of Abnormal Behavior Detection

Results of Internal Host:

1. Click iCenter > Threat, and click Filter to add

conditions.

o Detected by : Abnormal Behavior Detection

2. For example, click the The Domain Name of

DNS Response Is Malicious Domain Generated
by DGA link in the list, to view the malware and
abnormal behavior attack details detected accord-
ing the DNS mapping.

In Threat Analysis tab, you can view the inform-

ation of host that send DGA fake domain name
attack.

2. Viewing the results from threat log

1. Select Monitor>Log>Threat, click Filter to

add conditions to show logs that march your filter.

o Detected By: Abnormal Behavior Detection

357 Protecting Internal Servers and Host to Defend Attack via Abnormal Behavior Detection
StoneOS Cookbook

Step 3: Viewing the results of Abnormal Behavior Detection

2. The log of Abnormal Behavior Detection will

be displayed.

Step 4: Integrating with Mitigation, and configuring the mitigation rules for attacks.

Select iCenter> Mitigation> Mitigation Rule, and select the

Enable Auto Mitigation check box.

Configuring mitigation rules for Port Scan

In Mitigation Rulepage, click New

o Log Type: Scan

o Severity: Low

o Value: >= 10 Time

o Action Type: User defined > IP Block

o Duration: 60

Protecting Internal Servers and Host to Defend Attack via Abnormal Behavior Detection 358
 StoneOS Cookbook

Step 4: Integrating with Mitigation, and configuring the mitigation rules for attacks.

Configuring mitigation rules for TCP SYN Flood Attack

In Mitigation Rulepage, click New

o Log Type: DoS> DDoS Flood

o Severity: Low

o Value: >= 10 Time

o Role: Attacker

o Action Type: User defined >Session Control

o Session Type: New Session

o Total Number: 20

o Drop Percent: 50

o Duration: 60

Step 5: Viewing the results of mitigation rules

Click iCenter > Mitigation>Mitigation Action to

view the mitigation action results details of mit-
igation rules

Protecting Intranet to Defend Attacks via Intrusion Prevention System

This example introduces how to use Intrusion Prevention System to monitor various network attacks in real time and take appropriate
actions (like block) against the attacks according to your configuration.

359 Protecting Internal Servers and Host to Defend Attack via Abnormal Behavior Detection
StoneOS Cookbook

As shown in the following topology, the device is deployed in the Intranet exit. After enabling and configuring the Intrusion Prevention
System, the device will protect Intranet against internet attacks.

Configuration Steps

Step 1: Installing the Intrusion Prevention System license

1. Select System> License. Under License

Request, input all user information. Then send the
code to your sales contact. The sales person will
get the license and send it back to you.

2. Select Upload License File, Click Browse to

select the Intrusion Prevention System license file,
and then click OK to upload it.

3. Select System > Device

Management>Option, and click Reboot. When
it starts again, the installed license will take effect.

Protecting Internal Servers and Host to Defend Attack via Abnormal Behavior Detection 360
 StoneOS Cookbook

Step 2: Enabling Intrusion Prevention System and updating Signature Database

1. Select Object>Intrusion Prevention Sys-

tem>Configuration to view the Intrusion Pre-
vention System function status. If disabled, click
Enable and reboot.

2. Select System>Upgrade Man-

agement>Signature Database Update. Under
IPS Signature Database Update, click Update to
update IPS Signature Database to assure its integ-
rity and accuracy.

Step 3: Binding internal and external interfaces to the specified zones

1. Binding internal interface ethernet0/2 to trust.

Select Network>Zone, select trust and click Edit
to jump to the Zone Configuration dialog.

o Binding Interface: ethernet0/2

2. Binding internal interface ethernet0/1 to dmz,

which can be configured as above.

361 Protecting Internal Servers and Host to Defend Attack via Abnormal Behavior Detection
StoneOS Cookbook

Step 3: Binding internal and external interfaces to the specified zones

3. Binding external interface ethernet0/3 to

untrust , which can be configured as above.

Step 4: Creating Intrusion Prevention System rules

Users can use the default rule or create a new rule.

Select Object>Intrusion Prevention Sys-
tem>Profile, click New to jump to the IPS dialog.
This example uses the predef_default rule, which
includes all the IPS signatures and the default
action is reset.

Protecting Internal Servers and Host to Defend Attack via Abnormal Behavior Detection 362
 StoneOS Cookbook

Step 5: Creating Security Policies.

Security policy: untrust to dmz

By default, the devices will deny all traffic

between security zones. This case permits internet
and internal hosts to access internal servers. Take
the following steps to configure the security
policies:

1.Select Policy> Security Policy, click new to

jump to the Policy Configuration Dialog. In the
Basic tab:

Source:

o Zone：untrust

o Address：any

Destination:

o Zone：dmz

o Address：any

Others:

o Service：any

o Action：Permit

2.In the Protection Tab:

o IPS：Click the Enable check box .

o Profile：Select predef_default from the

drop-down list

363 Protecting Internal Servers and Host to Defend Attack via Abnormal Behavior Detection
StoneOS Cookbook

Step 5: Creating Security Policies.

Security policy: trust to dmz

1.Select Policy> Security Policy, click new to

jump to the Policy Configuration Dialog. In the
Basic tab:

Source:

o Zone：trust

o Address：any

Destination:

o Zone：dmz

o Address：any

Others:

o Service：any

o Action：Permit

2.In the Protection Tab:

o IPS：Select the Enable check box .

o Profile：predef_default

Protecting Internal Servers and Host to Defend Attack via Abnormal Behavior Detection 364
 StoneOS Cookbook

Step 6: Viewing the results

After configuring the above steps, the device can protect

Intranet against the known attacks. For example: the
attacker creates SQL injections to attack the HTTP Server,
and visits the URL of ' http://192.168.4.79/ccmcip/xml

directorylist.jsp?n=X'or%20telephonenumber%20like%20''.

The device will display the attack information and block the
attack.

Viewing the results from iCenter

1. Select iCenter>Threat, click to add the con-

ditions.

o Detected by: Intrusion Prevention System

2. The log of Intrusion Prevention System will be displayed.

Click the threat name to view the detailed information.

Viewing the results from Threat log

1. Select Monitor>Log>Threat, click to add the

conditions.

o Detected by: Intrusion Prevention System

365 Protecting Internal Servers and Host to Defend Attack via Abnormal Behavior Detection
StoneOS Cookbook

Step 6: Viewing the results

2. The log of Intrusion Prevention System will be displayed.

Click the threat name to view the detailed information.

Protecting Internal Servers and Host to Defend Attack via Abnormal Behavior Detection 366
StoneOS Cookbook

Forensic Analysis
This feature may not be available on all platforms. Please check your system's actual page to see if your device delivers this feature.

This example shows how to in-depth view the threat of the whole network and analyze the threat evidence.

Forensic Analysis provides evidence chain of network threats to collect, multi-perspective analysis and the depth of integration.

o Evidence Collection: Through the configuration of Forensic Analysis function (packet capture), detect the attack generated at the
same time evidence collection.

o Evidence Analysis: Analyze the collected evidence.

o Evidence Presentation: Display the threat details, logs, evidence pacp via iCenter, to achieve the threat of visualization.

Configuration Steps

At present, the system only supports the Forensic Analysis function of three threat detection engines (Advanced Threat Detection, Intru-
sion Prevention System, Anti Virus)

Forensic Analysis 367

 StoneOS Cookbook

Advanced Threat Detection

Enable the packet capture for Advanced Threat

Detection, the system will capture packets when
generating logs.

Select Network > Zone, Select "trust" zone, click

Edit, and select the <Threat Protection>tab .
Select the Capture Packets check box.

Intrusion Prevention System

1. Enable the packet capture for IPS rules, it will

enable all this profile's protocols.

Select Object>Intrusion Prevention System,

click New, and select the Enable check box to
enable capture packets.

368 Forensic Analysis

StoneOS Cookbook

Intrusion Prevention System

2. According to your requirements, configure the

capture packets for a specific protocol.

Select Object>Intrusion Prevention System, in

the IPS rules list, click protocol type, for example '
DHCP', select the Enable check box to enable
the capture packet for different attack levels.

Anti Virus

Enable the packet capture for Anti Virus rules.

Select Object > Antivirus, click New, Select the

Enable check box before Capture Packet to
enable the capture function.

Forensic Analysis Configuration Example

As follows, taking advanced threat detection (ATD) as an example to demonstrate the process of Forensic Analysis

Forensic Analysis 369

 StoneOS Cookbook

Step 1: Threat Detection

Enabling Advanced Threat Detection and cap-

ture packets

Select Network > Zone. Select "trust" zone, click

Edit, and select the <Threat Protection> tab.

o Advanced Threat Detection: Select the

Enable check box .

o Capture Packets: Select the check box , the

system will save the evidence messages, and
support to download it.

Step 2: Evidence Collection

When ATD attacks occurred, the system will generate a relevant threat log and capture evidence, sent to the system database.

According to the source IP, Advanced threat detection engine capture relational pacp at the same time, it is the HTTP traffic data
(including TCP interaction) in 5 minutes or 64K size package, and used to assist in the analysis.

Step 3: Evidence Analysis

1. Analyze and get the threat detail information .

2. Collect the analysis of evidence.

370 Forensic Analysis

StoneOS Cookbook

Step 4: Evidence Presentation

1. Display the threat information, including the

threat name, type, severity, victim host, attack
host, etc.

Click "iCenter", and select Threat tab.

Click the threat name link in the list, to view the

threat details.

Forensic Analysis 371

 StoneOS Cookbook

Step 4: Evidence Presentation

2. Viewing the evidence details.

Select the select the <Details>tab, and click View

PACP.

372 Forensic Analysis

StoneOS Cookbook

Step 4: Evidence Presentation

3. Viewing the relational pacp details.

Select the select the <Details>tab, and click Rela-

tional Pacp.

4. Downloading evidence.

Select the select the <Details>tab, and click

Download Pacp, the evidence will be down-
loaded to local.

Forensic Analysis 373

StoneOS Cookbook

Threat Intelligence Via Hillstone Cloud Service Platform

Hillstone Cloud Service Platform is a cloud security services platform, which provides cloud services including CloudView, Cloud Sand-
box and CloudVista (Threat Intelligence Center). Hillstone Cloud Service is the cloud capability center of Hillstone and the brain of the
cloud-network integration. After the service is enabled, your device will be connected with the Hillstone cloud, which will provide you
with a wider range of threat intelligence, improve the protection capability of your device, and enable you to carry out real-time mon-
itoring, inspection and report acquisition of the device and traffic on the cloud anytime and anywhere. These Hillstone cloud applic-
ations can greatly enhance the security, visibility, and usability of networks.

o CloudView: CloudView is a SaaS product. It is deployed on the public cloud to provide users with online on-demand services. Hill-
stone devices register with the cloud service platform and upload device information, traffic data, threat events, system logs and so
on to the cloud service platform, and the visual display is provided by CloudView . Users can monitor the device status, gain reports
and threat analysis through the Web or mobile phone APP. For more information about CloudView, refer to the CloudView FAQs.

o Cloud Sandbox: It is a technology adopted by the Sandbox function. After a suspicious file being uploaded to the Hillstone cloud ser-
vice platform, the cloud sandbox will collect behaviors of the file, analyze the collected data, verify the legality of the file, send the
analysis result to system and deal with the malicious file according to the actions set by system.

o CloudVista (Threat Intelligence Center): Threat Intelligence function can upload some elements in the logs generated by each mod-
ule to the cloud service platform, such as IP address, domain, etc. The cloud service platform will check whether the elements have
threat intelligence through the threat center. You can view threat intelligence information related to elements through the threat
intelligence center.

This example shows how to Obtain threat intelligence services through the Hillstone Cloud Service Platform.

The topology is shown as below. Device connects to theHillstone Cloud Service Platform, upload some elements in the logs generated
by each module to the cloud service platform and obtain the threat intelligence .

Threat Intelligence Via Hillstone Cloud Service Platform 374

 StoneOS Cookbook

Preparation

Before configuring the NETCONF function, prepare the following first:

1. Install the threat intelligence license.

2. Register a Cloud Service account. Enter the address "https://user.hillstonenet.com/login" in the web browser of the PC to
register.

Configuration Steps

Step 1: Connect to the Hillstone Cloud Service Platform

Select System > Connecting to Hillstone Cloud

Service Platform.

o Address: cloud.hillstonenet.com.cn

o Virtual Router: trust-vr

o User: hillstone

o Password: password@123

Note: When using the default password to connect to the cloud platform, you can also get the corresponding cloud service,
but you cannot view the data uploaded by the device from the cloud platform.

375 Threat Intelligence Via Hillstone Cloud Service Platform

StoneOS Cookbook

Step 2: Enable CloudVista Service

Select System > Connecting to Hillstone Cloud

Service Platform, click the CloudVista button. In
the CloudVista page, click the Enable button to
enable the CloudVista service.

Viewing the results

After configuring the above steps, You can view the entries with threat intelligence on the ICenter page. In the threat list, hover your
cursor over a object, and there is a button to its right. The button appears on the right. Click this button and select View threat intel-

ligence.

Threat Intelligence Via Hillstone Cloud Service Platform 376

StoneOS Cookbook

Data Security

The data security allows you to flexibly configure control rules to comprehensively control and audit (by behavior logs ) on user net-
work behavior.

This chapter contains the following recipe:

o "Decrypting HTTPS Traffic and Identifying the Encrypted Application" on Page 378

o "URL Filtering for HTTPS Traffic without the CA Certificate" on Page 382

Data Security 377

StoneOS Cookbook

Decrypting HTTPS Traffic and Identifying the Encrypted Application

This example introduces how to decrypt HTTPS traffic and identify the encrypted application, which meets the requirements of fine-
grained application management.

As shown in the below scenario, an internal user accesses a HTTPS website and the traffic is encrypted by SSL protocol. With the SSL
proxy and application identification functions enabled, the device can decrypt the HTTPS traffic and identify the encrypted application.

Decrypting HTTPS Traffic and Identifying the Encrypted Application 378

 StoneOS Cookbook

Configuration Steps

Step 1: Configuring a SSL proxy profile

Select Policy > SSL Proxy, and click New.

In the Basic tab:

o Name: profile1

o Expired certificate: Decrypt

o Unsupported version: Block

o Unsupported encryption algorithms: Block

o Client verification: Block

o Warning: Enable

Step 2: Specifying a SSL profile in the security policy

Configure a security policy that allows internal

users to access Internet, and specify a SSL proxy
profile in the Advanced tab:

o SSL Proxy: Select the Enable checkbox and

select profile1 from the drop-down list.

379 Decrypting HTTPS Traffic and Identifying the Encrypted Application

StoneOS Cookbook

Step 3: Importing the device certificate to client's Web browser

Export the certificate from the device.

Click System > PKI. In the Management tab:

o Trust Domain: trust_domain_ssl_proxy

o Content: CA Certificate

o Action: Export

Click OK to export the certificate.

Import the certificate to client's Web browser.

1. In the Chrome Web browser, select Set-

tings > Show advanced settings.

2. In the HTTPS/SSL section, select Manage

certificates.

3. In the Trusted Root Certification Author-

ities tab, select Import.

4. Follow the wizard to import the certificate.

Step 4: Upgrading to the professional application signature database and enabling the application identification function

In CLI, execute the upgrade command to

upgrade to the professional application signature
database

Decrypting HTTPS Traffic and Identifying the Encrypted Application 380

 StoneOS Cookbook

Step 4: Upgrading to the professional application signature database and enabling the application identification function

Select Network > Zone, and double-click the

untrust zone. In the Basic tab:

o Application Identification: Select Enable.

Step 6: Viewing application monitor

Select Monitor > Application > Application

Details.

When an internal user accesses a HTTPS website,

the SSL proxy function decrypts the HTTPS
traffic and the application identification function
identify the encrypted application.

381 Decrypting HTTPS Traffic and Identifying the Encrypted Application

StoneOS Cookbook

URL Filtering for HTTPS Traffic without the CA Certificate

This example shows how to achieve the URL filtering for HTTPS traffic without installing the CA certificate.

As shown in the following topology, Hillstone device works as the gateway of an enterprise. The ethernet0/0 connects the Internet and
belongs to the untrust zone. The ethernet0/1 connects to the Intranet and belongs to the trust zone.

With the configured URL filtering rule, staff of the enterprise (the network segment: 10.100.0.0/16) are prohibited from accessing
shopping websites and the entertainment websites https:// www.bcd.com during working hours (09:00 to 18:00, Monday to Friday).
The access and search attempts will be logged.

Preparation

Before configuring the URL filtering function, prepare the following first:

1. Install the URL service license and reboot the device.

2. Update the predefined URL database.

URL Filtering for HTTPS Traffic without the CA Certificate 382

 StoneOS Cookbook

Configuration Steps

Step 1: Configure a schedule

Select Object > Schedule, and click New.

In the Schedule Configuration dialog:

o Name: workday

o Days: Click Add to add a periodic schedule.

o Type: Days.

o Days: Monday, Tuesday, Wednesday,

Thursday, Friday

o Start Time: 09:00

o End Time: 18:00

Step 2: Configure the user-defined URL category named bcd that contains https://www.bcd.com

Select Object > URL Filtering, and select Con-

figuration > User-defined URL DB at the top-
right corner.

383 URL Filtering for HTTPS Traffic without the CA Certificate

StoneOS Cookbook

Step 2: Configure the user-defined URL category named bcd that contains https://www.bcd.com

In the User-defined URL DB dialog, click New.

In the URL Category dialog:

o Category: bcd

o URL http(s)://: www.bcd.com

o Click Add to add the "https://www.b-

cd.com" and its category to the table.

URL Filtering for HTTPS Traffic without the CA Certificate 384

 StoneOS Cookbook

Step 3: Configure the URL filtering rule named URLcontrol, and enable the SSL Inspection

Select Object > URL Filtering, and click New.

In the URL Filtering Rule Configuration dialog:

o Name: URLcontrol

o Control Type: URL Category

o SSL Inspection: Select the Enable check box

to enable SSL negotiation packets inspection.

o Select the predefined URL category Shop-

ping, and then select the Block check box and
Log check box.

o Select the user-defined URL category bcd,

and then select the Block check box and Log
check box.

Step 4: Bind the URL filtering rule to a policy rule

Select Policy > Security Policy, and click New.

In the Basic Configuration tab of the Policy Con-

figuration dialog:

o Name: policy1

o Source Address: Select the address type

IP/Netmask , type 10.100.0.0 and 16 into the
IPand Netmask text box respectively, and
click -> to add the address to the right pane.

385 URL Filtering for HTTPS Traffic without the CA Certificate

StoneOS Cookbook

Step 4: Bind the URL filtering rule to a policy rule

In the Protection tab of the Policy Configuration

dialog:

o URL Filtering: Select the Enable check box.

o Profile: Select the created URL filtering rule

"URLcontrol" from the drop-down list.

In the Options tab of the Policy Configuration

dialog:

o Schedule: Select the schedule "workday"

from the Schedule drop-down list.

Step 5: Result

After the configuration, adjust the configured rule

to the highest priority rule for traffic matching.

When the rule takes effect, during the working

hours, company staff cannot access shopping web-
sites and the entertainment websites "https://
www.bcd.com". The system will log the access
and search attempts.

URL Filtering for HTTPS Traffic without the CA Certificate 386

 StoneOS Cookbook

IPv6

StoneOS is dual-stack firmware that supports both IPv4 and IPv6. It also supports tunneling technique (the latest version supports
manual IPv6 tunnel) for IPv6 communication.

This chapter includes the following recipe:

o "Connecting IPv6 and IPv4 Networks" on Page 388

o "Realizing FTP Service in IPv6-only or IPv4/IPv6 Hybrid Networks Using ALG" on Page 399

o "Realizing SIP Communication in IPv6-only or IPv4/IPv6 Hybrid Networks Using ALG" on Page 408

o "Realizing Dual-stack Host in IPv4 Network Accessing IPv6 Network Via ISATAP Tunnel" on Page 419

o "Allowing Communication Between IPv6 networks by Configuring a 6RD Tunnel" on Page 422

387 URL Filtering for HTTPS Traffic without the CA Certificate

StoneOS Cookbook

Connecting IPv6 and IPv4 Networks

One enterprise has a headquarters, branch A and branch B. The headquarters and two branches all can access the Internet. The
headquarters and branch A are deployed with IPv6 network for intranet and IPv4 network for internet, while the branch B is deployed
with IPv4-only networks for both intranet and internet. For the business needs, it’s necessary to connect IPv6 and IPv4 networks to
achieve the following goals:

o The IPv6 network of headquarters can connect with the IPv4 Internet and be accessed by the Internet users.

o The networks of headquarters can connect with the IPv6 network of branch A via 6in4 tunnel.

o The networks of headquarters can connect with the IPv4 network of branch B.

The headquarters, branch A and branch B is deployed with a Hillstone device separately and the topology is as follows:

There are three parts of configurations:

o Configuring networks of headquarters

o Configuring networks of branch A

o Configuring networks of branch B

Configuring Networks of Headquarters

Step 1: Configure the interface and zone.

Connecting IPv6 and IPv4 Networks 388

 StoneOS Cookbook

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone untrust

hostname(config-if-eth0/1)# ip address 200.0.0.2 255.255.255.0

hostname(config-if-eth0/1)# manage http

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone trust

hostname(config-if-eth0/2)# dns-proxy

hostname(config-if-eth0/2)# ipv6 enable

hostname(config-if-eth0/2)# ipv6 address 2005::1/96

hostname(config-if-eth0/2)# manage ping

hostname(config-if-eth0/2)# exit

hostname(config)# interface tunnel1

hostname(config-if-tun1)# zone trust

hostname(config-if-tun1)# ipv6 enable

hostname(config-if-tun1)# tunnel ip6in4 branchA

hostname(config-if-tun1)# exit

Step 2: Configure the route and NAT rules, including headquarters accessing the Internet, headquarters communicating with
branch B, and public IP accessing IPv6 server of headquarters.

389 Connecting IPv6 and IPv4 Networks

StoneOS Cookbook

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# snatrule id 1 from 2005::/96 to 2003::/96 service any eif ethernet0/1 trans-
to eif-ip mode dynamicport

hostname(config-vrouter)# snatrule id 2 from 2005::2/96 to 2004::2 service any eif ethernet0/1 trans-
to eif-ip mode dynamicport

hostname(config-vrouter)# snatrule id 3 from any to 200.0.0.2 service any eif ethernet0/2 trans-to
2005::1 mode dynamicport

hostname(config-vrouter)# dnatrule id 1 from 2005::/96 to 2003::/96 service any v4-mapped

hostname(config-vrouter)# dnatrule id 2 from 2005::2/96 to 2004::2 service any trans-to 200.0.0.4

hostname(config-vrouter)# dnatrule id 3 from any to 200.0.0.2 service any trans-to 2005::2

hostname(config-vrouter)# ip route 0.0.0.0/0 200.0.0.1

hostname(config-vrouter)# ipv6 route 2001::/96 tunnel1

hostname(config-vrouter)# exit

Step 3: Configure the policy.

Connecting IPv6 and IPv4 Networks 390

 StoneOS Cookbook

hostname(config)# policy-global

hostname(config-policy)# rule id 1

Rule id 1 is created

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# exit

hostname(config)# policy-global

hostname(config-policy)# rule id 2

Rule id 2 is created

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# src-ip 2005::/96

hostname(config-policy-rule)# dst-ip 2004::/96

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# exit

hostname(config)# policy-global

hostname(config-policy)# rule id 3

Rule id 3 is created

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# src-ip 2005::/96

hostname(config-policy-rule)# dst-ip 2003::/96

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# exit

391 Connecting IPv6 and IPv4 Networks

StoneOS Cookbook

hostname(config)# policy-global

hostname(config-policy)# rule id 4

Rule id 4 is created

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# src-ip 2005::/96

hostname(config-policy-rule)# dst-ip 2001::/96

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# exit

hostname(config)# policy-global

hostname(config-policy)# rule id 5

Rule id 5 is created

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# src-ip 2001::/96

hostname(config-policy-rule)# dst-ip 2005::/96

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# exit

hostname(config)# policy-global

hostname(config-policy)# rule id 6

Rule id 6 is created

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# src-ip ipv6-any

hostname(config-policy-rule)# dst-ip ipv6-any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# exit

Connecting IPv6 and IPv4 Networks 392

 StoneOS Cookbook

Step 4: Configure an IPv6 tunnel.

hostname(config)# tunnel ip6in4 branchA manual

hostname(config-ip6in4-manual)# interface ethernet0/1

hostname(config-ip6in4-manual)# destination 200.0.0.3

hostname(config-ip6in4-manual)# exit

hostname(config)# ip name-server 8.8.8.8 vrouter trust-vr

hostname(config)# ip dns-proxy domain any name-server 8.8.8.8 vrouter trust-vr

hostname(config)# ipv6 dns64-proxy id 1 prefix 2003::/96 source 2005::/96 trans-mapped-ip any

Note: The ipv6 dns64-proxy command is not supported for some versions.

Configuring Networks of Branch A

Step 1: Configure the interface and zone.

393 Connecting IPv6 and IPv4 Networks

StoneOS Cookbook

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone untrust

hostname(config-if-eth0/1)# ip address 200.0.0.3 255.255.255.0

hostname(config-if-eth0/1)# manage ping

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone trust

hostname(config-if-eth0/2)# ipv6 enable

hostname(config-if-eth0/2)# ipv6 address 2001::1/96

hostname(config-if-eth0/2)# manage ping

hostname(config-if-eth0/2)# exit

hostname(config)# interface tunnel1

hostname(config-if-tun1)# zone trust

hostname(config-if-tun1)# ipv6 enable

hostname(config-if-tun1)# tunnel ip6in4 headquarters

hostname(config-if-tun1)# exit

Step 2: Configure the route and NAT rules.

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ip route 0.0.0.0/0 200.0.0.1

hostname(config-vrouter)# ipv6 route 2005::/96 tunnel1

hostname(config-vrouter)# exit

Step 3: Configure the policy.

Connecting IPv6 and IPv4 Networks 394

 StoneOS Cookbook

hostname(config)# policy-global

hostname(config-policy)# rule id 31

Rule id 31 is created

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# exit

hostname(config)# policy-global

hostname(config-policy)# rule id 32

Rule id 32 is created

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# src-ip 2001::/96

hostname(config-policy-rule)# dst-ip 2005::/96

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# exit

hostname(config)# policy-global

hostname(config-policy)# rule id 33

Rule id 33 is created

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# src-ip 2005::/96

hostname(config-policy-rule)# dst-ip 2001::/96

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# exit

395 Connecting IPv6 and IPv4 Networks

StoneOS Cookbook

hostname(config)# policy-global

hostname(config-policy)# rule id 34

Rule id 34 is created

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# src-ip ipv6-any

hostname(config-policy-rule)# dst-ip ipv6-any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# exit

Step 4: Configure an IPv6 tunnel.

hostname(config)# tunnel ip6in4 headquarters manual

hostname(config-ip6in4-manual)# interface ethernet0/1

hostname(config-ip6in4-manual)# destination 200.0.0.2

hostname(config-ip6in4-manual)# exit

Configuring Networks of Branch B

Step 1: Configure the interface and zone.

Connecting IPv6 and IPv4 Networks 396

 StoneOS Cookbook

hostname(config)# interface ethernet0/3

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ip address 192.168.2.1 255.255.255.0

hostname(config-if-eth0/1)# manage ping

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/4

hostname(config-if-eth0/4)# zone untrust

hostname(config-if-eth0/4)# ip address 200.0.0.4 255.255.255.0

hostname(config-if-eth0/4)# manage ping

hostname(config-if-eth0/4)# exit

Step 2: Configure the route and NAT rules.

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# snatrule id 1 from any to any service any eif ethernet0/4 trans-to eif-ip
mode dynamicport

hostname(config-vrouter)# dnatrule id 1 from 200.0.0.2 to 200.0.0.4 service any trans-to 192.168.2.254

hostname(config-vrouter)# ip route 0.0.0.0/0 200.0.0.1

hostname(config-vrouter)# exit

Step 3: Configure the policy.

397 Connecting IPv6 and IPv4 Networks

StoneOS Cookbook

hostname(config)# policy-global

hostname(config-policy)# rule id 35

Rule id 35 is created

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# src-addr any

hostname(config-policy-rule)# dst-addr any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# exit

Connecting IPv6 and IPv4 Networks 398

StoneOS Cookbook

Realizing FTP Service in IPv6-only or IPv4/IPv6 Hybrid Networks Using

ALG
This example introduces how to configure ALG to realize the FTP service in IPv6-only or IPv4/IPv6 hybrid networks, including the
following three scenarios:

o Scenario 1: IPv6-only network. In the topology below, an enterprise sets up a Hillstone security device as the export gateway to
connect internal network with the Internet. Both internal and external network IP addresses are deployed with IPv6 addresses.
With the ALG function configured, the internal FTP client can access the FTP server in the extranet.

o Scenario 2: IPv4 network to IPv6 network. In the topology below, an enterprise sets up a Hillstone security device as the export
gateway to connect internal network with the Internet. The internal network is deployed with IPv4 addresses and the external net-
work is deployed with IPv6 addresses. With the ALG function configured, the internal FTP client can access the FTP server in the
extranet.

o Scenario 3: IPv6 network to IPv4 network. In the topology below, an enterprise sets up a Hillstone security device as the export
gateway to connect internal network with the Internet. The internal network is deployed with IPv6 addresses and the external net-
work is deployed with IPv4 addresses. With the ALG function configured, the internal FTP client can access the FTP server in the
extranet.

Realizing FTP Service in IPv6-only or IPv4/IPv6 Hybrid Networks Using ALG 399
 StoneOS Cookbook

Before You Start

Before starting the configuration, you need to ensure that the configuration of the FTP server and the FTP client has been completed.
This example only describes the relevant configuration on the device.

Configuration Steps of Scenario 1

Step 1: Configure the interface and zone.

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ipv6 enable

hostname(config-if-eth0/1)# ip address 2002::1/64

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone untrust

hostname(config-if-eth0/2)# ipv6 enable

hostname(config-if-eth0/2)# ipv6 address 2003::1/64

hostname(config-if-eth0/2)# exit

Step 2: Configure the policy.

hostname(config)# rule id 1 from ipv6-any to ipv6-any service ftp permit

Rule id 1 is created

hostname(config-policy)# rule id 1

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone untrust

hostname(config-policy-rule)# exit

Step 3: Enable the ALG function of FTP.

400 Realizing FTP Service in IPv6-only or IPv4/IPv6 Hybrid Networks Using ALG
StoneOS Cookbook

hostname(config)# alg ftp

Note: The ALG function of FTP is enabled by default.

Step 4: Verify result.

Download session in FTP active mode:

session: id 44, proto 6, flag 0, flag1 20000, flag2 0, flag3 0, created 39340, life 1787, policy 1,app 4(FTP)
flag 0x1, auth_user_id 0, reverse_auth_user_id 0

flow0(32(ethernet0/2)/40308b10): [2003::2]:64348->[2001::2]:21

flow1(31(ethernet0/1)/308b10): [2001::2]:21->[2003::2]:64348

session: id 2, proto 6, flag 8000000, flag1 20000, flag2 0, flag3 0, created 39408, life 1800, policy 1,app
70(FTP-DATA) flag 0x0, auth_user_id 0, reverse_auth_user_id 0

flow0(31(ethernet0/1)/208810): [2001::2]:20->[2003::2]:64363

flow1(32(ethernet0/2)/40208810): [2003::2]:64363->[2001::2]:20

Download session in FTP passive mode:

session: id 61, proto 6, flag 10000, flag1 20000, flag2 0, flag3 0, created 39683, life 1775, policy 1,app 4
(FTP) flag 0x0, auth_user_id 0, reverse_auth_user_id 0

flow0(32(ethernet0/2)/40308b10): [2003::2]:64362->[2001::2]:21

flow1(31(ethernet0/1)/308b10): [2001::2]:21->[2003::2]:64362

session: id 22, proto 6, flag 8000000, flag1 20000, flag2 0, flag3 0, created 39684, life 1776, policy 1,app
70(FTP-DATA) flag 0x0, auth_user_id 0, reverse_auth_user_id 0

flow0(32(ethernet0/2)/40208810): [2003::2]:64398->[2001::2]:56008

flow1(31(ethernet0/1)/208810): [2001::2]:56008->[2003::2]:64398

Configuration Steps of Scenario 2

Step 1: Configure the interface and zone.

Realizing FTP Service in IPv6-only or IPv4/IPv6 Hybrid Networks Using ALG 401
 StoneOS Cookbook

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ip address 192.168.2.1/24

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone untrust

hostname(config-if-eth0/2)# ipv6 enable

hostname(config-if-eth0/2)# ipv6 address 2001::1/64

hostname(config-if-eth0/2)# exit

Step 2: Configure the policy.

hostname(config)# rule id 1 from any to any service ftp permit

Rule id 1 is created

hostname(config-policy)# rule id 1

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone untrust

hostname(config-policy-rule)# exit

Step 3: Configure the NAT rule.

402 Realizing FTP Service in IPv6-only or IPv4/IPv6 Hybrid Networks Using ALG
StoneOS Cookbook

hostname(config)# nat

hostname(config-nat)# snatrule id 1 from any to 192.168.2.10 service any trans-to 2001::10 mode
dynamicport

rule ID=1

hostname(config-nat)# dnatrule id 1 from any to 192.168.2.10 service any trans-to ip 2001::2

rule ID=1

hostname(config-nat)# exit

Step 4: Enable the ALG function of FTP.

hostname(config)# alg ftp

Note: The ALG function of FTP is enabled by default.

Step 5: Verify result.

Realizing FTP Service in IPv6-only or IPv4/IPv6 Hybrid Networks Using ALG 403
 StoneOS Cookbook

Download session in FTP active mode:

session: id 64, proto 6, flag e, flag1 20007, flag2 0, flag3 0, created 133143, life 1797, policy 2,app 4(FTP)
flag 0x1, auth_user_id 0, reverse_auth_user_id 0

flow0(32(ethernet0/2)/40300b10): 192.168.2.2:58259->192.168.2.10:21

flow1(31(ethernet0/1)/308b10): [2001::2]:21->[2001::10]:1025

session: id 14, proto 6, flag 8000016, flag1 2000b, flag2 0, flag3 0, created 133147, life 297, policy 2,app
70(FTP-DATA) flag 0x0, auth_user_id 0, reverse_auth_user_id 0

flow0(31(ethernet0/1)/208810): [2001::2]:20->[2001::10]:58261

flow1(32(ethernet0/2)/40200810): 192.168.2.2:58261->192.168.2.10:20

Download session in FTP passive mode:

session: id 20, proto 6, flag e, flag1 20007, flag2 0, flag3 0, created 133393, life 1797, policy 2,app 4(FTP)
flag 0x1, auth_user_id 0, reverse_auth_user_id 0

flow0(32(ethernet0/2)/40300b10): 192.168.2.2:58272->192.168.2.10:21

flow1(31(ethernet0/1)/308b10): [2001::2]:21->[2001::10]:1030

session: id 2, proto 6, flag 800000e, flag1 20007, flag2 0, flag3 0, created 133397, life 1797, policy 2,app
70(FTP-DATA) flag 0x0, auth_user_id 0, reverse_auth_user_id 0

flow0(32(ethernet0/2)/40200810): 192.168.2.2:58273->192.168.2.10:61665

flow1(31(ethernet0/1)/208810): [2001::2]:61665->[2001::10]:61665

Configuration Steps of Scenario 3

Step 1: Configure the interface and zone.

404 Realizing FTP Service in IPv6-only or IPv4/IPv6 Hybrid Networks Using ALG
StoneOS Cookbook

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ipv6 enable

hostname(config-if-eth0/1)# ipv6 address 2003::1/64

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone untrust

hostname(config-if-eth0/2)# ip address 192.168.1.1/24

hostname(config-if-eth0/2)# exit

Step 2: Configure the policy.

hostname(config)# rule id 1 from ipv6-any to ipv6-any service ftp permit

Rule id 1 is created

hostname(config-policy)# rule id 1

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone untrust

hostname(config-policy-rule)# exit

Step 3: Configure the NAT rule.

Realizing FTP Service in IPv6-only or IPv4/IPv6 Hybrid Networks Using ALG 405
 StoneOS Cookbook

hostname(config)# nat

hostname(config-nat)# snatrule id 1 from ipv6-any to 2003::10 service any trans-to 192.168.1.10 mode
dynamicport

rule ID=1

hostname(config-nat)# dnatrule id 1 from ipv6-any to 2003::10 service any trans-to ip 192.168.1.2

rule ID=1

hostname(config-nat)# exit

Step 4: Enable the ALG function of FTP.

hostname(config)# alg ftp

Note: The ALG function of FTP is enabled by default.

Step 5: Verify result.

406 Realizing FTP Service in IPv6-only or IPv4/IPv6 Hybrid Networks Using ALG
StoneOS Cookbook

Download session in FTP active mode:

session: id 6, proto 6, flag e, flag1 2000b, flag2 0, flag3 0, created 40792, life 1799, policy 1,app 4(FTP)
flag 0x1, auth_user_id 0, reverse_auth_user_id 0

flow0(32(ethernet0/2)/40308b10): [2003::2]:64537->[2003::10]:21

flow1(31(ethernet0/1)/300b10): 192.168.1.2:21->192.168.1.10:1034

session: id 5, proto 6, flag 8000016, flag1 20007, flag2 0, flag3 0, created 40798, life 1799, policy 1,app
70(FTP-DATA) flag 0x0, auth_user_id 0, reverse_auth_user_id 0

flow0(31(ethernet0/1)/200810): 192.168.1.2:20->192.168.1.10:64538

flow1(32(ethernet0/2)/40208810): [2003::2]:64538->[2003::10]:20

Download session in FTP passive mode:

session: id 21, proto 6, flag e, flag1 2000b, flag2 0, flag3 0, created 40093, life 1799, policy 1,app 4(FTP)
flag 0x1, auth_user_id 0, reverse_auth_user_id 0

flow0(32(ethernet0/2)/40308b10): [2003::2]:64435->[2003::10]:21

flow1(31(ethernet0/1)/300b10): 192.168.1.2:21->192.168.1.10:1026

session: id 14, proto 6, flag 800000e, flag1 2000b, flag2 0, flag3 0, created 40099, life 300, policy 1,app 70
(FTP-DATA) flag 0x0, auth_user_id 0, reverse_auth_user_id 0

flow0(32(ethernet0/2)/40208810): [2003::2]:64436->[2003::10]:56075

flow1(31(ethernet0/1)/200810): 192.168.1.2:56075->192.168.1.10:56075

Realizing FTP Service in IPv6-only or IPv4/IPv6 Hybrid Networks Using ALG 407
StoneOS Cookbook

Realizing SIP Communication in IPv6-only or IPv4/IPv6 Hybrid Networks

Using ALG
This example introduces how to configure ALG to realize the SIP communication in IPv6-only or IPv4/IPv6 hybrid networks, includ-
ing the following three scenarios:

o Scenario 1: IPv6-only network. In the topology below, an enterprise sets up a Hillstone security device as the export gateway to
connect internal network with the Internet. Both internal and external network IP addresses are deployed with IPv6 addresses.
With the ALG function configured, the internal SIP UC1 and the external SIP UC3 can successfully establish communication with
each other.

o Scenario 2: IPv4 network to IPv6 network. In the topology below, an enterprise sets up a Hillstone security device as the export
gateway to connect internal network with the Internet. The internal network is deployed with IPv4 addresses and the external net-
work is deployed with IPv6 addresses. With the ALG function configured, the internal SIP UC1 and the external SIP UC3 can suc-
cessfully establish communication with each other.

Realizing SIP Communication in IPv6-only or IPv4/IPv6 Hybrid Networks Using ALG 408
 StoneOS Cookbook

o Scenario 3: IPv6 network to IPv4 network. In the topology below, an enterprise sets up a Hillstone security device as the export
gateway to connect internal network with the Internet. The internal network is deployed with IPv6 addresses and the external net-
work is deployed with IPv4 addresses. With the ALG function configured, the internal SIP UC1 and the external SIP UC3 can suc-
cessfully establish communication with each other.

409 Realizing SIP Communication in IPv6-only or IPv4/IPv6 Hybrid Networks Using ALG
StoneOS Cookbook

Before You Start

Before starting the configuration, you need to ensure that the configuration of the SIP Server and the SIP user agent (SIP UC) has been
completed. This example only describes the relevant configuration on the device.

Configuration Steps of Scenario 1

Step 1: Configure the interface and zone.

Realizing SIP Communication in IPv6-only or IPv4/IPv6 Hybrid Networks Using ALG 410
 StoneOS Cookbook

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ipv6 enable

hostname(config-if-eth0/1)# ipv6 address 2001::1/64

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone untrust

hostname(config-if-eth0/2)# ipv6 enable

hostname(config-if-eth0/2)# ipv6 address 2003::1/64

hostname(config-if-eth0/2)# exit

Step 2: Configure the policy.

hostname(config)# rule id 1 from ipv6-any to ipv6-any service sip permit

Rule id 1 is created

hostname(config-policy)# rule id 1

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone untrust

hostname(config-policy-rule)# exit

Step 3: Enable the ALG function of SIP.

hostname(config)# alg sip

Note: The ALG function of SIP is enabled by default.

Step 4: Verify result.

411 Realizing SIP Communication in IPv6-only or IPv4/IPv6 Hybrid Networks Using ALG
StoneOS Cookbook

View the information of media pinhole. Total pinhole count is 5, including 1 register pinhole and 4 media
pinhole.

hostname# show pinhole

Total pinhole count in D-Plane: 5

[Pinhole0]========================================

Seq 10

App SIP MEDIA (id:875)

Flag: Enabled,

[Ingress info]---------------------------------------------------

Zone trust (id:2)

Flow0 (ifid 0) :::any -> 2003::2:5001

[Egress info]----------------------------------------------------

Zone untrust (id:3)

Flow1 (ifid 0) 2003::2:5001 -> :::any

[Life info]------------------------------------------------------

After_hit 600

Before_hit 120

Timer 217

[Other info]-----------------------------------------------------

Auth_user_id 0

Configuration Steps of Scenario 2

Step 1: Configure the interface and zone.

Realizing SIP Communication in IPv6-only or IPv4/IPv6 Hybrid Networks Using ALG 412
 StoneOS Cookbook

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ip address 192.168.1.1/24

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone untrust

hostname(config-if-eth0/2)# ipv6 enable

hostname(config-if-eth0/2)# ipv6 address 2003::1/64

hostname(config-if-eth0/2)# exit

Step 2: Configure the policy.

hostname(config)# rule id 1 from any to any service sip permit

Rule id 1 is created

hostname(config-policy)# rule id 1

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone untrust

hostname(config-policy-rule)# exit

Step 3: Configure the NAT rule.

413 Realizing SIP Communication in IPv6-only or IPv4/IPv6 Hybrid Networks Using ALG
StoneOS Cookbook

hostname(config)# nat

hostname(config-nat)# snatrule id 1 from any to 192.168.1.10 service any trans-to 2003::10 mode
dynamicport

rule ID=1

hostname(config-nat)# dnatrule id 1 from any to 192.168.1.10 service any trans-to ip 2003::3

rule ID=1

hostname(config-nat)# exit

Step 4: Enable the ALG function of SIP.

hostname(config)# alg sip

Note: The ALG function of SIP is enabled by default.

Step 5: Verify result.

Realizing SIP Communication in IPv6-only or IPv4/IPv6 Hybrid Networks Using ALG 414
 StoneOS Cookbook

View the information of media pinhole. Total pinhole count is 5, including 1 register pinhole and 4 media
pinhole.

hostname# show pinhole

Total pinhole count in D-Plane: 5

[Pinhole
1]========================================================-
====

Seq 15

App SIP MEDIA (id:875)

Flag: Enabled,

[Ingress info]---------------------------------------------------

Zone untrust (id:3)

Flow0 (ifid 0) :::any -> 2003::10:1025

[Egress info]----------------------------------------------------

Zone trust (id:2)

Flow1 (ifid 31) 192.168.1.2:5002 -> 192.168.1.10:any

[Life info]------------------------------------------------------

After_hit 600

Before_hit 120

Timer 38

[Other info]-----------------------------------------------------

Auth_user_id 0

Configuration Steps of Scenario 3

Step 1: Configure the interface and zone.

415 Realizing SIP Communication in IPv6-only or IPv4/IPv6 Hybrid Networks Using ALG
StoneOS Cookbook

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ipv6 enable

hostname(config-if-eth0/1)# ipv6 address 2002::1/64

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone untrust

hostname(config-if-eth0/2)# ip address 192.168.2.1/24

hostname(config-if-eth0/2)# exit

Step 2: Configure the policy.

hostname(config)# rule id 1 from ipv6-any to ipv6-any service sip permit

Rule id 1 is created

hostname(config-policy)# rule id 1

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone untrust

hostname(config-policy-rule)# exit

Step 3: Configure the NAT rule.

Realizing SIP Communication in IPv6-only or IPv4/IPv6 Hybrid Networks Using ALG 416
 StoneOS Cookbook

hostname(config)# nat

hostname(config-nat)# snatrule id 1 from ipv6-any to 2001::10 service any trans-to 192.168.2.10 mode
dynamicport

rule ID=1

hostname(config-nat)# dnatrule id 1 from ipv6-any to 2001::10 service any trans-to ip 192.168.2.3

rule ID=1

hostname(config-nat)# exit

Step 4: Enable the ALG function of SIP.

hostname(config)# alg sip

Note: The ALG function of SIP is enabled by default.

Step 5: Verify result.

417 Realizing SIP Communication in IPv6-only or IPv4/IPv6 Hybrid Networks Using ALG
StoneOS Cookbook

View the information of media pinhole. Total pinhole count is 5, including 1 register pinhole and 4 media
pinhole.

SG-6000# show pinhole

Total pinhole count in D-Plane: 5

[Pin-
hole1]====================================================

Seq 36

App SIP MEDIA (id:875)

Flag: Enabled,

[Ingress info]---------------------------------------------------

Zone trust (id:2)

Flow0 (ifid 0) 0.0.0.0:any -> 192.168.2.10:5002

[Egress info]----------------------------------------------------

Zone trust (id:2)

Flow1 (ifid 31) 2001::2:5002 -> 2001::10:any

[Life info]------------------------------------------------------

After_hit 600

Before_hit 120

Timer 107

[Other info]-----------------------------------------------------

Auth_user_id 0

Realizing SIP Communication in IPv6-only or IPv4/IPv6 Hybrid Networks Using ALG 418
StoneOS Cookbook

Realizing Dual-stack Host in IPv4 Network Accessing IPv6 Network Via

ISATAP Tunnel
This example introduces how to configure ISATAP tunnel to realize dual stack host access to IPv6 network in IPv4 network.

In the topology below, PC supports dual protocol stacks. Hillstone device is connected to the corresponding IPv6 network and IPv4 net-
work. It is required to configure the ISATAP tunnel so that the dual-stack host PC in the IPv4 network can access the server in the
intranet IPv6 network.

Configuration Steps

Step 1: Configure the interface and zone.

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone untrust

hostname(config-if-eth0/1)# ip address 10.1.2.1/24

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone trust

hostname(config-if-eth0/2)# ipv6 enable

hostname(config-if-eth0/2)# ipv6 address 3001::1/24

hostname(config-if-eth0/2)# exit

Step 2: Configure ISATAP tunnel and bind a interface

Realizing Dual-stack Host in IPv4 Network Accessing IPv6 Network Via ISATAP Tunnel 419
 StoneOS Cookbook

hostname(config)# tunnel ip6in4 tunnel isatap

hostname(config-ip6in4-isatap)# interface ethernet0/1

hostname(config-ip6in4-isatap)# exit

hostname(config)#

Configure the tunnel interface and bind the tunnel interface to the ISATAP tunnel.

hostname(config)# interface tunnel1

hostname(config-if-tun1)# ipv6 enable

hostname(config-if-tun1)# ipv6 address 2001::/64 eui-64

hostname(config-if-tun1)# ipv6 address fe80::5efe:10.1.2.1 link-local

hostname(config-if-tun1)# tunnel ip6in4 tunnel

hostname(config-if-tun1)# no ipv6 nd ra suppress

hostname(config-if-tun1)# exit

hostname(config)#

Step 4: Configure the policy.

420 Realizing Dual-stack Host in IPv4 Network Accessing IPv6 Network Via ISATAP Tunnel
StoneOS Cookbook

hostname(config)# policy-global

hostname(config-policy)# rule id 1

Rule id 1 is created

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone untrust

hostname(config-policy-rule)# src-addr ipv6-any

hostname(config-policy-rule)# dst-addr ipv6-any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config)#

Step 5 : Configure routing for PC, take win7 PC as an example

C:\>netsh interface ipv6 isatap set router 10.1.2.1

C:\>netsh interface ipv6 isatap set router 10.1.2.1 enabled

Step 6: Verify result.

The dual-stack host (10.1.2.2) can access the IPv6 Server (3001::8) through FTP successfully.

Realizing Dual-stack Host in IPv4 Network Accessing IPv6 Network Via ISATAP Tunnel 421
StoneOS Cookbook

Allowing Communication Between IPv6 networks by Configuring a 6RD Tun-

nel
This example shows you how to configure a 6RD (IPv6 Rapid Deployment on IPv4 Infrastructures) tunnel to allow service providers
to deploy IPv6 in a lightweight and secure manner via their existing IPv4-access network infrastructure.

* This example is used in a laboratory environment. Please configure the IP addresses of each interface according to the actual con-
nections.

The figure above shows the network topology. This example includes the following two scenarios:

o Scenario 1: 6RD Domain -6RD Domain.The headquarters deploys a Hillstone security device Device and branch A deploys a Hill-
stone security device Device A. Device and Device A support both IPv4 and IPv6 and they are CE devices. Both Device and
Device A are connected to the IPv6 network on one end and the IPv4 network on the other end. Assume that the ISP provides an
IPv6 prefix of 1001:AABB::/32. To allow hosts in two different 6RD domains to communicate, you need to configure a 6RD tun-
nel between Device and Device A.

o Scenario 2: 6RD Domain -IPv6 Network.The headquarters deploys a Hillstone security device Device and branch B deploys a Hill-
stone security device Device B. Both Device and Device B are connected to the IPv6 network on one end and the IPv4 network on
the other end. Device in headquarters is a 6RD CE device and connects to the 6RD domain, which is an IPv6 network. Device B in
branch B is a 6RD BR device and connects to a regular IPv6 network outside the 6RD domain. To allow hosts in the 6RD domain
and IPv6 network to communicate, you need to configure a 6RD tunnel between Device and Device B.

Allowing Communication Between IPv6 networks by Configuring a 6RD Tunnel 422

 StoneOS Cookbook

Configuration Tips

For the 6RD Domain -6RD Domain in Scenario 1, the addresses of devices and PC1 at the headquarters and branch A need to meet
the following requirements:

o The IPv6 prefix of the interface ethernet0/1 on the headquarters device (Device) needs to be consistent with the 6RD delegated
prefix calculated by device. (In this example, the 6RD delegated prefix is 1001: AABB: A05::/48)

o The IP address of PC1 and the interface ethernet0/1 of the headquarters device (Device) need to belong to the same IPv6 network
segment. The IP address of PC2 and the interface ethernet0/1 of the branch A device (Device A) need to belong to the same IPv6
network segment.

o The headquarters device (Device) and branch A device (Device A) need to have the same IPv4 prefix for ethernet0/1, and this pre-
fix length needs to be the same as that of the IPv4 prefix configured on the 6RD tunnel (In this example, the IPv4 prefix length is
ipv4-mask-len 16 ).

Configuration Steps of Scenario 1

Configure Headquarters Device (Device)

Step 1: Configure the IPv4 address and zone of the interface ethernet 0/0 of the headquarters device (Device).

hostname(config)# interface ethernet0/0

hostname(config-if-eth0/0)# zone untrust

hostname(config-if-eth0/0)# ip address 220.119.10.5/24

hostname(config-if-eth0/0)# exit

Step 2: Configure the 6RD tunnel.

423 Allowing Communication Between IPv6 networks by Configuring a 6RD Tunnel

StoneOS Cookbook

hostname(config)# tunnel ip6in4 test 6rd

hostname(config-ip6in4-6rd)# interface ethernet0/0

hostname(config-ip6in4-6rd)# ipv6-prefix 1001:AABB::/32(Specify the 6RD prefix)

hostname(config-ip6in4-6rd)# ipv4-mask-len 16(Specify the IPv4 prefix length)

hostname(config-ip6in4-6rd)# subtunnel-limit 10(Specify the maximum number of 6RD subtunnels)

hostname(config-ip6in4-6rd)# exit

Note: After you specify the 6RD prefix and IPv4 prefix length, the 6RD CE automatically calculates the 6RD delegated
prefix. To view the 6RD delegated prefix via command show ip6in4 6rd-tunnel [tunnel-name].

Step 3: Configure the tunnel interface.

hostname(config)# interface tunnel1

hostname(config-if-tun1)# tunnel ip6in4 test

hostname(config-if-tun1)# zone untrust

hostname(config-if-tun1)# ipv6 enable

hostname(config-if-tun1)# exit

Step 4: View the 6RD tunnel configurations.

Allowing Communication Between IPv6 networks by Configuring a 6RD Tunnel 424

 StoneOS Cookbook

SG-6000(config)#show ip6in4 6rd-tunnel test

Name: test

Index: 11

Interface: ethernet0/0

IPv6-prefix: 1001:AABB::/32

IPv4-mask-length: 16

Border-relay-address: 0.0.0.0

Tunnel interface: tunnel1

IPv6-delegated-prefix: 1001:AABB:A05::/48（The 6RD delegated prefix calculated by device）

Sub-tunnel Limit: 10

Step 5: Configure the IPv6 address and zone of the interface ethernet 0/1 of the headquarters device (Device).

hostname(config)#1interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ipv6 enable

hostname(config-if-eth0/1)# ipv6 address 1001:AABB:A05::1/48（Note: This prefix must be con-

sistent with the 6RD delegated prefix calculated by device）

hostname(config-if-eth0/1)# exit

Step 6: Configure a route for tunnel.

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ipv6 route 1001:AABB::/32 tunnel1

hostname(config-vrouter)# exit

Step 7: Configure the policy.

425 Allowing Communication Between IPv6 networks by Configuring a 6RD Tunnel

StoneOS Cookbook

hostname(config)# policy-global

hostname(config-policy)# rule id 1

Rule id 1 is created

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone untrust

hostname(config-policy-rule)# src-addr ipv6-any

hostname(config-policy-rule)# dst-addr ipv6-any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config)#

Step 8: Configure an address and default route for PC1

Set the address to 1001:AABB:A05::2/48 for PC1 based on the 6RD delegated prefix,. This address is in the same network segment as
that of ethernet0/1 of Device.

Note:The method for configuring IPv6 addresses and default route varies based on the operating system of your PC.

Configure Device A

Step 1: Configure the IPv4 address and zone of the interface ethernet 0/0 of the Device A

hostname(config)# interface ethernet0/0

hostname(config-if-eth0/0)# zone untrust

hostname(config-if-eth0/0)# ip address 220.119.10.9/24

hostname(config-if-eth0/0)# exit

Step 2: Configure the 6RD tunnel.

Allowing Communication Between IPv6 networks by Configuring a 6RD Tunnel 426

 StoneOS Cookbook

hostname(config)# tunnel ip6in4 test 6rd

hostname(config-ip6in4-6rd)# interface ethernet0/0

hostname(config-ip6in4-6rd)# ipv6-prefix 1001:AABB::/32(Specify the 6RD prefix)

hostname(config-ip6in4-6rd)# ipv4-mask-len 16(Specify the IPv4 prefix length)

hostname(config-ip6in4-6rd)# subtunnel-limit 10(Specify the maximum number of 6RD subtunnels)

hostname(config-ip6in4-6rd)# exit

Note: After you specify the 6RD prefix and IPv4 prefix length, the 6RD CE automatically calculates the 6RD delegated
prefix. To view the 6RD delegated prefix via command show ip6in4 6rd-tunnel [tunnel-name].

Step 3: Configure the tunnel interface.

hostname(config)# interface tunnel1

hostname(config-if-tun1)# tunnel ip6in4 test

hostname(config-if-tun1)# zone untrust

hostname(config-if-tun1)# ipv6 enable

hostname(config-if-tun1)# exit

Step 4: View the 6RD tunnel configurations.

427 Allowing Communication Between IPv6 networks by Configuring a 6RD Tunnel

StoneOS Cookbook

SG-6000(config)#show ip6in4 6rd-tunnel test

Name: test

Index: 11

Interface: ethernet0/0

IPv6-prefix: 1001:AABB::/32

IPv4-mask-length: 16

Border-relay-address: 0.0.0.0

Tunnel interface: tunnel1

IPv6-delegated-prefix: 1001:AABB:A09::/48（The 6RD delegated prefix calculated by device）

Sub-tunnel Limit: 10

Step 5: Configure the IPv6 address and zone of the interface ethernet 0/1 of the Device A.

hostname(config)#1interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ipv6 enable

hostname(config-if-eth0/1)# ipv6 address 1001:AABB:A09::1/48（Note: This prefix must be con-

sistent with the 6RD delegated prefix calculated by device）

hostname(config-if-eth0/1)# exit

Step 6: Configure a route for tunnel.

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ipv6 route 1001:AABB::/32 tunnel1

hostname(config-vrouter)# exit

Step 7: Configure the policy.

Allowing Communication Between IPv6 networks by Configuring a 6RD Tunnel 428

 StoneOS Cookbook

hostname(config)# policy-global

hostname(config-policy)# rule id 1

Rule id 1 is created

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone untrust

hostname(config-policy-rule)# src-addr ipv6-any

hostname(config-policy-rule)# dst-addr ipv6-any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config)#

Step 8: Configure an address and default route for PC2.

Set the address to 1001:AABB:A05::2/48 for PC2 based on the 6RD delegated prefix. This address is in the same network segment as
that of ethernet0/1 of Device A.

Note:The method for configuring IPv6 addresses and default route varies based on the operating system of your PC.

Configuration Steps of Scenario 2

Configure Headquarters Device (Device)

Step 1: Configure the IPv4 address and zone of the interface ethernet 0/0 of the headquarters device (Device).

hostname(config)# interface ethernet0/0

hostname(config-if-eth0/0)# zone untrust

hostname(config-if-eth0/0)# ip address 220.119.10.5/24

hostname(config-if-eth0/0)# exit

Step 2: Configure the 6RD tunnel.

429 Allowing Communication Between IPv6 networks by Configuring a 6RD Tunnel

StoneOS Cookbook

hostname(config)# tunnel ip6in4 test 6rd

hostname(config-ip6in4-6rd)# interface ethernet0/0

hostname(config-ip6in4-6rd)# ipv6-prefix 1001:AABB::/32(Specify the 6RD prefix)

hostname(config-ip6in4-6rd)# ipv4-mask-len 16(Specify the IPv4 prefix length)

hostname(config-ip6in4-6rd)# subtunnel-limit 10(Specify the IPv4 prefix length)

hostname(config-ip6in4-6rd)# border-relay-address 220.119.10.8 (Specify the IPv4 address of 6RD BR)

hostname(config-ip6in4-6rd)# exit

Note: After you specify the 6RD prefix and IPv4 prefix length, the 6RD CE automatically calculates the 6RD delegated
prefix. To view the 6RD delegated prefix via command show ip6in4 6rd-tunnel [tunnel-name].

Step 3: Configure the tunnel interface.

hostname(config)# interface tunnel1

hostname(config-if-tun1)# tunnel ip6in4 test

hostname(config-if-tun1)# zone untrust

hostname(config-if-tun1)# ipv6 enable

hostname(config-if-tun1)# exit

Step 4: View the 6RD tunnel configurations.

Allowing Communication Between IPv6 networks by Configuring a 6RD Tunnel 430

 StoneOS Cookbook

SG-6000(config)#show ip6in4 6rd-tunnel test

Name: test

Index: 11

Interface: ethernet0/0

IPv6-prefix: 1001:AABB::/32

IPv4-mask-length: 16

Border-relay-address: 220.119.10.8

Tunnel interface: tunnel1

IPv6-delegated-prefix: 1001:AABB:A05::/48（The 6RD delegated prefix calculated by device）

Sub-tunnel Limit: 10

Step 5: Configure the IPv6 address and zone of the interface ethernet 0/1 of the headquarters device (Device)

hostname(config)#1interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ipv6 enable

hostname(config-if-eth0/1)# ipv6 address 1001:AABB:A05::1/48（Note: This prefix must be con-

sistent with the 6RD delegated prefix calculated by device.）

hostname(config-if-eth0/1)# exit

Step 6: Configure a route for tunnel.

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ipv6 route 2333:aabb::/32 tunnel1

hostname(config-vrouter)# exit

Step 7: Configure the policy.

431 Allowing Communication Between IPv6 networks by Configuring a 6RD Tunnel

StoneOS Cookbook

hostname(config)# policy-global

hostname(config-policy)# rule id 1

Rule id 1 is created

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone untrust

hostname(config-policy-rule)# src-addr ipv6-any

hostname(config-policy-rule)# dst-addr ipv6-any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config)#

Step 8: Configure an address and default route for PC1.

Set the address to 1001:AABB:A05::2/48 for PC1 based on the 6RD delegated prefix. This address is in the same network segment as
that of ethernet0/1 of Device.

Note:The method for configuring IPv6 addresses and default route varies based on the operating system of your PC.

Configure Device B

Step 1: Configure the IPv4 address and zone of the interface ethernet 0/0 of the Device B.

hostname(config)# interface ethernet0/0

hostname(config-if-eth0/0)# zone untrust

hostname(config-if-eth0/0)# ip address 220.119.10.8/24

hostname(config-if-eth0/0)# exit

Step 2: Configure the 6RD tunnel.

Allowing Communication Between IPv6 networks by Configuring a 6RD Tunnel 432

 StoneOS Cookbook

hostname(config)# tunnel ip6in4 test 6rd

hostname(config-ip6in4-6rd)# interface ethernet0/0

hostname(config-ip6in4-6rd)# ipv6-prefix 1001:AABB::/32(Specify the 6RD prefix)

hostname(config-ip6in4-6rd)# ipv4-mask-len 16(Specify the IPv4 prefix length)

hostname(config-ip6in4-6rd)# subtunnel-limit 10(Specify the maximum number of 6RD subtunnels)

hostname(config-ip6in4-6rd)# exit

Note: After you specify the 6RD prefix and IPv4 prefix length, the 6RD CE automatically calculates the 6RD delegated
prefix. To view the 6RD delegated prefix via command show ip6in4 6rd-tunnel [tunnel-name].

Step 3: Configure the tunnel interface.

hostname(config)# interface tunnel1

hostname(config-if-tun1)# tunnel ip6in4 test

hostname(config-if-tun1)# zone untrust

hostname(config-if-tun1)# ipv6 enable

hostname(config-if-tun1)# exit

Step 4: View the 6RD tunnel configurations.

433 Allowing Communication Between IPv6 networks by Configuring a 6RD Tunnel

StoneOS Cookbook

SG-6000(config)#show ip6in4 6rd-tunnel test

Name: test

Index: 11

Interface: ethernet0/0

IPv6-prefix: 1001:AABB::/32

IPv4-mask-length: 16

Border-relay-address: 0.0.0.0

Tunnel interface: tunnel1

IPv6-delegated-prefix: 1001:AABB:A08::/48（The 6RD delegated prefix calculated by device）

Sub-tunnel Limit: 10

Step 5: Configure the IPv6 address and zone of the interface ethernet 0/1 of the Device B.

hostname(config)#1interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ipv6 enable

hostname(config-if-eth0/1)# ipv6 address 2333:aabb::1/64

hostname(config-if-eth0/1)# exit

Step 6: Configure a route for tunnel.

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ipv6 route 1001:AABB::/32 tunnel1

hostname(config-vrouter)# exit

Step 7: Configure the policy.

Allowing Communication Between IPv6 networks by Configuring a 6RD Tunnel 434

 StoneOS Cookbook

hostname(config)# policy-global

hostname(config-policy)# rule id 1

Rule id 1 is created

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone untrust

hostname(config-policy-rule)# src-addr ipv6-any

hostname(config-policy-rule)# dst-addr ipv6-any

hostname(config-policy-rule)# service any

hostname(config-policy-rule)# action permit

hostname(config-policy-rule)# exit

hostname(config)#

Step 8: Configure an address and default route for PC3.

Set the address to 2333:aabb::2/64 for PC3 , this address is in the same network segment as that of ethernet0/1 of Device B.

Note:The method for configuring IPv6 addresses and default route varies based on the operating system of your PC.

Result of Scenario 1

Step 1: Use the Ping command on Device to view the tunnel established between headquarters and branch A and their con-
nectivity.

435 Allowing Communication Between IPv6 networks by Configuring a 6RD Tunnel

StoneOS Cookbook

SG-6000# ping ipv6 1001:AABB:A09::1

Sending ICMPv6 packets to 1001:AABB:A09::1

Seq hop time(ms)

1 64 0.109

2 64 0.131

3 64 0.115

4 64 0.128

5 64 0.110

statistics:

5 packets sent, 5 received, 0% packet loss, time 4000ms

rtt min/avg/max/mdev = 0.109/0.118/0.131/0.015 ms

Step 2: View the session information of the tunnel.

SG-6000# show session tunnel

session: id 3407871, proto 41, flag 20, flag1 0, flag2 0, flag3 0, created 272719, life 64000, policy type 0,
policy default, app 0(Other) flag 0x0, auth_user_id 0, reverse_auth_user_id 0

flow0(32(ethernet0/0)/200951): 220.119.10.9:0->220.119.10.5:0

flow1(18): tunnel session, tunnel_id: 4, valid

Result of Scenario 2

Step 1: Use the Ping command on Device to view the tunnel established between headquarters and branch B and their con-
nectivity.

Allowing Communication Between IPv6 networks by Configuring a 6RD Tunnel 436

 StoneOS Cookbook

SG-6000# ping ipv6 2333:aabb::1

Sending ICMPv6 packets to 2333:aabb::1

Seq hop time(ms)

1 64 0.115

2 64 0.120

3 64 0.113

4 64 0.112

5 64 0.126

statistics:

5 packets sent, 5 received, 0% packet loss, time 3996ms

rtt min/avg/max/mdev = 0.112/0.117/0.126/0.008 ms

Step 2: View the session information of the tunnel.

SG-6000# show session tunnel

session: id 3407871, proto 41, flag 20, flag1 0, flag2 0, flag3 0, created 272719, life 64000, policy type 0,
policy default, app 0(Other) flag 0x0, auth_user_id 0, reverse_auth_user_id 0

flow0(32(ethernet0/0)/200951): 220.119.10.8:0->220.119.10.5:0

flow1(18): tunnel session, tunnel_id: 4, valid

437 Allowing Communication Between IPv6 networks by Configuring a 6RD Tunnel

StoneOS Cookbook

Change Log

Cookbook V1

Release Date: January, 2015

Added the following cases:

1. " Using Security Policy to Allow Access to Another Zone" on Page 15 (Security Policy)

2. "Allowing Internet to Visit a Private Server Using DNAT" on Page 26 (DNAT)

3. "Allowing Private Network to Access Internet Using SNAT" on Page 21 (SNAT)

4. "Allowing the Internet Access via User Authentication" on Page 95 (User Authentication, WebAuth)

5. "Connection between Two Private Networks Using IPSec VPN (IKEv1)" on Page 145 (IPSec VPN)

6. "Allowing Remote Users to Access a Private Network Using SSL VPN" on Page 194 (SSL VPN, SCVPN)

7. " Ensuring Uninterrupted Connection Using HA" on Page 317 (High Availability, HA)

8. " QoS Control" on Page 339 (Quality of Service, QoS, Traffic Management)

Cookbook V2

Release Date: April, 2015

Added the following cases:

1. "Protecting Internal Servers and Host to Defend Attack via Abnormal Behavior Detection" on Page 352 (Abnormal Behavior
Detection, ABD)

2. Finding Malware Attacks via Advanced Threat Detection (Advanced Threat Detection, ATD)

Cookbook V3

Release Date: July, 2015

Add the following cases:

Change Log 438

 StoneOS Cookbook

1. "Decrypting HTTPS Traffic and Identifying the Encrypted Application" on Page 378 (SSL Proxy, Decryption, Encrytion)

2. "Using an iOS/Android Device to Remotely Access Intranet Services" on Page 214 (iOS, Android, Mobile, iPad, remote device,
SSL VPN)

3. "Forensic Analysis " on Page 367

4. "Deploying Tap Mode to Monitor Network Traffic " on Page 31(Tap Mode)

Cookbook V4

Release Date: September, 2015

Add the following cases:

1. "Upgrading Firmware to Higher Version" on Page 5 (Upgrade)

2. "Allowing Remote Users ( PC ) to Access a Private Network Using L2TP over IPSec VPN" on Page 222 (L2TP VPN)

3. "Connection between Two Private Networks Using GRE over IPSec VPN" on Page 256 (GRE, IPSec VPN)

Cookbook V5

Release Date : January, 2017

Add the following cases:

1. "Protecting Intranet to Defend Attacks via Intrusion Prevention System" on Page 359( IPS )

2. "Outbound Link Load Balance" on Page 346( LLB )

Optimize the following cases:

1. "Protecting Internal Servers and Host to Defend Attack via Abnormal Behavior Detection" on Page 352( ABD )

2. Finding Malware Attacks via Advanced Threat Detection( ATD )

Cookbook V6

Release Date : October, 2017

Add the following cases:

439 Change Log

StoneOS Cookbook

1. "Allowing Remote Users (iOS/Android) to Access a Private Network Using L2TP over IPSec VPN" on Page 241 (L2TP VPN)

Cookbook V7

Release Date : August, 2018

Add the following cases:

1. " Using AD Polling for SSO" on Page 103 (Authentication)

2. " Allowing Internet Access via AD Polling" on Page 113(Authentication)

3. " Allowing Internet Access via AD Agent" on Page 125(Authentication)

4. "Connecting IPv6 and IPv4 Networks" on Page 388

5. "URL Filtering for HTTPS Traffic without the CA Certificate" on Page 382

Cookbook V8

Release Date : June, 2019

Add the following cases:

1. "Connection between Two Private Networks Using IPSec VPN (IKEv2)" on Page 158 (IPSec VPN)

2. "Upgrading Firmware to Higher Version in HA mode" on Page 9 (Upgrade)

3. "Configuring the Device to Communicate with Zabbix Using SNMP" on Page 40 (SNMP)

Cookbook V8.1

Release Date : November, 2019

Add the following cases:

1. "Connecting to Microsoft Azure Using Site-to-Site VPN" on Page 203 (IPSec VPN)

Cookbook V9

Release Date : October, 2020

Add the following cases:

Change Log 440

 StoneOS Cookbook

1. " DNS Proxy" on Page 57 (DNS Proxy)

2. "Dynamically Manage Access Authority Via Radius Dynamic Authorization" on Page 46 （Authorization）

3. "Realizing Multicast Forwarding Through PIM-SM Multicast Protocol" on Page 71 （Routing, PIM）

4. "Realizing Multicast Forwarding Through PIM-SSM Multicast Protocol" on Page 80 （Routing, PIM）

5. Ensuring Uninterrupted Connection Using HA AA （HA）

6. " Allowing Internet Access via TS Agent" on Page 136 （Authentication）

7. " Configuring VXLAN Static Unicast Tunnel" on Page 272（VPN）

8. "Realizing FTP Service in IPv6-only or IPv4/IPv6 Hybrid Networks Using ALG" on Page 399（IPv6）

9. "Realizing SIP Communication in IPv6-only or IPv4/IPv6 Hybrid Networks Using ALG" on Page 408 （IPv6）

10. "Realizing Dual-stack Host in IPv4 Network Accessing IPv6 Network Via ISATAP Tunnel" on Page 419 （IPv6）

Cookbook V10

Release Date : December, 2021

Add the following cases:

1. "Deploying HA Scenario for Multicast Forwarding Through PIM-SM" on Page 87 （Routing, PIM）

2. "Adding an SNAT Rule to StoneOS through NETCONF" on Page 62 (NETCONF)

3. "Allowing Remote Users ( PC ) to Access a Private Network Using L2TP and SSL VPN" on Page 275(SSL VPN L2TP VPN)

4. "Threat Intelligence Via Hillstone Cloud Service Platform" on Page 374（Hillstone Cloud Service Platform）

Optimize the following cases:

1. "Allowing Remote Users to Access a Private Network Using SSL VPN" on Page 194 (Add the scene of using the Two-Step Veri-
fication function and communicating through TCP.)

Cookbook V11

Release Date : January, 2023

Add the following cases:

441 Change Log

StoneOS Cookbook

1. "Binding the Log Processing Process and Database Storage Process to Core MAX" on Page 67 (Core MAX)

2. "Making Two Firewalls Working in Hot Standby Mode by Deploying them in HA Peer to Ensure the Continuity of Service " on
Page 325（HA）

3. "Using Two Devices as Gateways to Forward Business Traffic and Back Up Each Other Based on HSVRP, which Rnsures
Uniterrupted Business Traffic" on Page 330（HA）

4. "Establishment of IPSec VPN Based on Certificate Authentication " on Page 168 (IPSec VPN)

5. "Realizing Dynamic Switch between IPSec Links Using IPSec VPN Smart Link" on Page 181 (IPSec VPN)

6. "Allowing Communication Between IPv6 networks by Configuring a 6RD Tunnel" on Page 422 (IPv6)

7. " Windows User Remotely Accessing Internal Server Through ZTNA" on Page 289 (ZTNA)

8. " Android User Remotely Accessing Internal Server Through ZTNA" on Page 306 (ZTNA)

This book is updated on requirement, not periodically.

The current version you are using is based on StoneOS 5.5R10.

Change Log 442