Hillstone Security Management User Guide 3.0R2
Contact Information:
US Headquarters:
Hillstone Networks
292 Gibraltar Drive, Suite 105
Sunnyvale, CA 94089
Phone: 1-408-508-6750
http://www.hillstonenet.com/about-us/contact/
Contents 1
Preface 1
Conventions 1
Introduction to HSM 1
HSM Deployment Scenarios 1
Introduction to HSM Device 2
Hardware Specification 2
Deploying HSM Management Environment 3
Deploying HSM Management Environment 4
Configuring HSM IP Address 4
Configuring System Time 6
Adding Hillstone Devices to HSM System 6
Managing the Added Hillstone Devices 8
Main Page 9
Level-1 Navigation Pane 9
Level-2 Navigation Pane 10
Information Bar 11
Toolbar 11
Main Window 11
User Information 12
Alarms 13
Introduction to System Management 14
User Management 15
Creating a User 15
Editing a User 16
Deleting a User 16
Enabling/Disabling a User 16
Resetting Password 16
Creating a Role 17
Deleting a Role 17
AAA Server 17
Authentication Configuration 18
Distribute Management 19
Disk Management 21
Configuring HSM System Time 21
TOC - 1
HSM Network Management 22
Monitor Configuration 23
HSM System Status Monitor 24
Viewing Status 25
Setting Threshold 26
HSM System Configuration Management 26
Back up a System Configuration File 26
Export a System Configuration File 27
Restore a System Configuration File 27
Delete a System Configuration File 27
Configuring Trusted Host 28
Configuring WEB Port 28
HA Management 29
HSM System Upgrade 31
System Upgrade 31
Rollback 31
Restoring to Factory Defaults 31
Upgrading Signature Database for HSM 31
Configuring an Email Account 32
SMS Modem Configuration 33
SMS Modem Baud Rate 33
SMS Modem Signal Intensity 33
SMS Modem Status 33
Configuring SMS Parameters 34
Testing SMS 34
Diagnose Tools 34
Log Backup Management 35
FTP Server Configuration 35
Log Import 36
Log Backup 36
Manual Backup 36
Auto Backup 36
Log Clean 37
Device Management 38
Device Management 39
Creating a Device Group 39
Adding a Device to a Device Group 40
Deleting a Device from a Device Group 40
Editing a Device Group 40
Deleting a Device Group 40
Favorite Device 41
Viewing Device Details 41
Session Query 43
Deleting a Device from HSM 43
Online Reboot 44
Immediate Reboot 44
Reboot on Schedule 44
Setting Restart Parameter 45
HA management for the managed devices 45
Introduction to Device Upgrade 46
Configuring a Device Upgrading Task 46
Importing/Deleting a Firmware 46
Specifying the Upgrade Management IP 47
Configuring a Device Upgrading Task 47
Checking the Task Status 48
Viewing Device Upgrading Logs 48
Level-1 Navigation Pane 49
Upgrading Navigation Pane 49
Filter 49
Main Window 49
Upgrading Signature Database 50
As an Update Server 50
Configuring Upgrade Templates 50
Configuration File Management 52
Managing Configuration File 52
Retrieving Configuration File 52
Retrieving Configuration Files Automatically 52
Retrieving Configuration Files Manually 53
Retrieving Configuration Files on Schedule 53
Viewing Configuration File 54
View Change History 54
Restoring Configuration Files 54
Exporting Configuration Files 55
Importing Configuration Files 55
Comparing Configuration Files 55
Editing Configuration File 56
Deleting Configuration File 56
Searching Configuration File 56
Managing Configuration Change History 57
Editing Change Record 57
Deleting Change Record 57
Searching Change History 57
Device Management Configuration Example 58
Deployment Scenario 58
Requirement 58
Configuration Steps 58
Introduction to Configuration Management 60
Device Configuration 62
Device Configuration 62
Policy Configuration 62
Creating a Policy Rule 62
Editing Rules 66
Creating a Rule Group 66
Moving Rules and Groups 67
Deleting a Rule Group 67
Creating a Partition Group 68
Deploying a Batch of Rules 68
Choose Partition Group 68
Choose Deploying Position 69
Configure Policy Rules 69
Opening Local Snapshot 69
Rule Match Analysis 69
Policy Rule Management 70
Converting a Policy from Private to Shared 71
Configuring the Policy-based Protection Function 71
iQoS 73
Implement Mechanism 73
Pipes and Traffic Control Levels 74
Pipes 74
Traffic Control Levels 75
Enabling/Disabling Traffic Control 76
Pipe Configuration 76
Basic Operations 76
Creating a Pipe 77
NAT 82
Creating a SNAT Rule 82
Editing/Deleting a SNAT Rule 83
Creating an IP Mapping Rule 84
Creating a Port Mapping Rule 84
Creating an Advanced DNAT Rule 85
Route 86
Creating a Route Item 86
Synchronizing Configuration 87
Specifying Configuration 89
Snapshot Management 91
Locking Configuration 91
Device Object 92
Zone 93
Address Books 94
Service Books 94
Application Books 96
Schedules 97
Interface 98
SLB Server Pool 101
Intrusion Protection System 103
Configuring IPS Global Parameters 103
Configuring an IPS Rule 103
For NGFW of 5.5R2 or the previous versions 103
Creating an IPS Rule 103
Configuring Protocol Signature 104
Configuring a Protocol 105
Configuring Signature 112
WebServer Configuration 113
For IPS devices and NGFW of 5.5R3 or the later version 119
Creating an IPS rule 119
Enabling the Zone-based or Policy-based IPS Function 132
Anti-Virus 132
Configuring Anti-Virus Global Parameters 132
Creating Anti-Virus Rule 132
Enabling the Zone-based or Policy-based Anti-Virus Function 134
Threat Protection 134
Editing the Device Threat Protection Configuration 134
Device Threaten Configuration List 136
Searching the Specific Signature Entry Details 136
Creating a User-defined Signature 137
URL Filter 140
Configuring URL Filter 140
Predefined URL DB 142
User-defined URL DB 142
Configuring User-defined URL DB 142
Keyword Category 143
Configuring a Keyword Category 144
Warning Page 144
Configuring Block Warning 144
Configuring Audit Warning 145
Converting the Private Object to Shared Object 145
Viewing the Operation Records 146
Checking the Redundant Object 146
VPN 146
PKI 154
User 156
Role 162
AAA Server 165
Introduction to Global Configuration 175
Global Configuration 175
Policy Configuration 175
Creating a Shared Policy 175
Rule Configuration 176
Creating a Policy Rule 176
Creating a Rule Group 177
Moving Rules and Groups 177
Deleting a Rule Group 177
Viewing Operation Record 177
Opening Local Snapshot 177
Rule Match Analysis 177
Rule Conflict Check 177
Setting Head or Tail Policy 178
Viewing Policy Relationship 178
Viewing Topology Map 178
Configuring the Policy-based Protection Function 179
iQoS 180
NAT 181
Creating a SNAT 181
Editing/Deleting a SNAT 182
Creating a SNAT Rule 182
Editing/Deleting a SNAT Rule 183
Creating a DNAT 184
Editing/Deleting a DNAT 184
Creating an IP Mapping Rule 184
Creating a Port Mapping Rule 185
Creating an Advanced DNAT Rule 185
Editing NAT 187
Setting Father NAT 187
Viewing Relationship 187
Viewing Topology Map 187
Editing Topology Map 188
Viewing Operation Record 188
Route 188
Creating a Destination Route 188
Editing/Deleting a Destination Route 189
Creating a Route Item 189
Editing/Deleting a Route Item 190
Configuration Bundle 190
Creating a Configuration Bundle 190
Method 1: 191
Method 2: 191
Joining Configuration Bundle 192
Copying a Configuration Bundle 193
Global Object 193
Zone 193
Address Books 194
Service Book 195
Application Books 196
Schedules 197
Virtual Router 197
Interface 198
SLB Server Pool 199
Intrusion Protection System 201
Configuring IPS Global Parameters 201
Configuring an IPS Rule 201
For IPS devices and NGFW of 5.5R3 or the later version (New IPS) 201
For NGFW of 5.5R2 or the previous versions (Old IPS) 202
Configuring Protocol Signature 203
Configuring a Protocol 203
Configuring Signature 211
Searching the Specific Signature Entry Details 211
Configuring a Specific Attacking Signature 211
Configuring a WebServer 212
Enabling the Policy-based IPS Function 218
Anti-Virus 218
Configuring Anti-Virus Global Parameters 218
Creating a Shared Anti-Virus Rule 218
Enabling the Policy-based Anti-Virus Function 220
Threat Protection 220
Creating a Shared Threat Protection 220
Configuring a Shared Threat Protection 220
Global Threaten Configuration List 222
Searching the Specific Signature Entry Details 222
Creating a User-defined Signature Rule 223
URL Filter 226
Configuring URL Filter 226
Predefined URL DB 228
User-defined URL DB 228
Configuring User-defined URL DB 228
Keyword Category 229
Configuring a Keyword Category 230
Warning Page 230
Configuring Block Warning 230
Configuring Audit Warning 231
User 231
Role 232
AAA Server 232
Editing/Deleting an Object 232
Default Parameters 233
Task Management 234
Task Management Window 234
Viewing Task Logs 235
Introduction to Monitor 236
Device Monitor 237
Main Page 237
Details Page 238
Drill-down Sub-page 239
Trend Page 239
User Monitor 240
Main Page 240
Details Page 241
Drill-down Sub-page 242
Trend Page 242
Application Monitor 244
Main Page 244
Details Page 245
Drill-down Sub-page 246
Trend Page 246
Network Threat Monitor 248
Main Page 248
Traditional 248
Intelligence 249
Statistics Period 249
Details Page 250
Drill-down Sub-page 251
Trend Page 251
Network Behavior Monitor 252
Main Page 252
Details Page 254
Drill-down Sub-page 254
Trend Page 255
VPN Monitor 256
Tunnel Statistics Page 256
Device VPN Traffic Statistics Page 257
MyMonitor 261
Adding to MyMonitor 261
Creating a New Monitor Group 261
Deleting a Monitor Group 261
Viewing Information in MyMonitor 262
Introduction to the Alarm Function 263
Introduction to Alarm 264
Searching Alarm Information 264
Searching Alarm Information 264
Reading Alarm Information 264
Alarm Analysis 265
Device Analysis 265
Trend Analysis 266
Introduction to the Alarm Rule 268
Configuring the Alarm Rule 268
Viewing a Predefined Alarm Rule 268
Creating a User-defined Alarm Rule 269
Editing an Alarm Rule 269
Configuring an Alarm Recipient 269
Enabling/Disabling an Alarm Rule 270
Deleting an Alarm Rule 270
Emptying Recycle Bin 270
Introduction to Report 271
Introduction to Report File 272
Viewing a Report File 272
Managing a Report File 273
Downloading a Report File 274
Deleting a Report File 274
Restoring a Report File 274
Deleting a Report File Permanently 274
Introduction to Report Template 276
Configuring a Report Template 276
Creating a User-defined Template 276
Editing a User-defined Template 280
Deleting a User-defined Template 281
Restoring a User-defined Template 281
Deleting a User-defined Template Permanently 281
Managing a Report Schedule 282
Adding a Report Schedule 282
Viewing a Report Schedule/Report Schedule Running Log 282
Deleting a Report Schedule 282
Enabling/Disabling a Report Schedule 282
Report Server 283
Configuring Servers 283
Introduction to Log 284
Introduction to Log 284
Log 284
Log Severity 284
Old Version Log 285
Introduction to Log Window 286
Level-1 Navigation Pane 286
Log Navigation Pane 286
Old Version Log 286
Log Filter 286
Log Chart 287
Toolbar 287
Log Window 287
Searching Log Messages 287
Online/Offline Log 288
Operation Log 288
Introduction to Log Window 290
Log Navigation Pane 290
Toolbar 290
Filter 290
Log Window 290
Searching Logs 291
Setting Filter Conditions 291
Managing Logs 294
Creating a New User-defined Search 294
Deleting a User-defined Search 294
Exporting Logs 294
Importing Logs 295
Backing Up Logs 295
Cleaning the Logs 296
HSM Configuration Example 298
Deployment Scenario 298
Requirement 298
Configuration Steps 298
Preparation 298
Configuration Steps (Requirement) 298
Configuration Steps(Requirement 2) 299
Configuration Steps (Requirement 3) 301
Managing HSM via Console Port 304
Accessing HSM via Console Port 304
Command Introduction 304
Preface
Thanks for choosing the network security products from Hillstone Networks, Inc. This document is an online help for Hillstone HSM, mainly covering the following contents:
Conventions
This manual uses the following conventions for your convenience to read and understand:
Note: indicates important instructions for your better understanding, or cautions about possible system failure.
Bold font: indicates links, tags, buttons, checkboxes, textboxes, or options. For example, "Click Login to log into the homepage of the device", or "To change MTU, select Manual, and type an appropriate value into the textbox."
CLI: brace ({ }) indicates a required element; square bracket ([ ]) indicates an optional element; vertical bar (|) separates multiple mutually exclusive options; bold indicates an essential keyword in the command, and you must enter this part correctly; italic indicates a user-specified parameter.
The command examples may vary from different platforms. In the command examples, the hostname in the prompt
is referred to as host-name.
Introduction to HSM
Hillstone Security Management (HSM) is a centralized security management system independently researched and developed by Hillstone. HSM centralizes the control and management of multiple Hillstone devices in the network. After successful deployment, HSM allows users to perform the following operations via a secure connection:
Viewing the operation status, resource utilization, logs, etc. of the managed devices;
Monitoring the managed devices and viewing monitor details, including traffic monitor, user monitor, NBC monitor, etc.;
Monitoring the operation status of managed devices by alarms. This function helps you learn about problems in network devices in time, speed up the response to network problems, and lower the risk of network failures;
Obtaining device statistics reports periodically. This function allows you to learn the network status and analyze the network accurately;
Centralizing policy management and batch deploying rules. This function improves the availability and usability of policy management;
HSM Deployment Scenarios
Typically HSM can be deployed in two scenarios: Internet and Intranet.
Internet deployment: HSM and managed devices are connected via the Internet. You can manage devices in different network segments by HSM if the routes between HSM and the managed devices are reachable, as shown below:
Intranet deployment: HSM and managed devices belong to the same Intranet. You can manage devices in the
Intranet via HSM, as shown below:
Introduction to HSM Device
Hillstone provides the following HSM product:
HSM-50: Capable of managing at least 5 (default) and up to 100 Hillstone devices. The amount of managed devices
is controlled by a license.
HSM-200: Capable of managing at least 5 (default) and up to 500 Hillstone devices. The amount of managed devices
is controlled by a license.
Hardware Specification
HSM-50 hardware adopts a rack-mountable server. The main hardware specifications are shown below:
Item Specification
HSM-200 hardware adopts a rack-mountable server. The main hardware specifications are shown below:
Item Specification
Deploying HSM Management Environment
1. Place HSM at an appropriate location in the network according to the networking and management requirements.
2. Configure an IP address for HSM and make sure the route between HSM and the managed devices is reachable.
4. Configure the options related to HSM management on the Hillstone devices, and make sure HSM can recognize the devices.
After completing the above configurations, you can centralize device management on HSM.
1. Set the IP address of the management PC to an address in the same subnet as 192.168.1.1/24, and use an Ethernet cable to connect the management PC to the eth0 port of HSM.
2. In the Web browser (IE9 is recommended) of the management PC, type http://192.168.1.1 or https://192.168.1.1, and press Enter. If you log in over HTTPS, choose Continue to this website (not recommended) when the Web browser displays a warning. The login page is shown below:
3. Type the default username (admin), password (hillstone) and captcha into the boxes respectively. If you type the wrong password three times, HSM locks your account for 30 minutes, and if you type the wrong password a fourth time, HSM disables your account for 30 minutes.
5. On the level-1 navigation pane, click System > Device Management > Network Management.
Eth0: Type the IP address and netmask for eth0 port into the IP Address and Netmask boxes respectively.
Eth1: Type the IP address and netmask for eth1 port into the IP Address and Netmask boxes respectively.
DNS Server: Specify DNS servers for HSM. Type IP addresses for the preferred and backup DNS servers into the
Preferred and Backup boxes respectively.
Click OK to complete.
Configuring System Time
The system time of HSM affects many HSM modules, such as report, log, upgrade, etc. By default, the system time of HSM is set to Beijing time. You can modify the system time as needed, or synchronize the system time of the managed devices and HSM via an NTP server. Since the system time is used by many modules, it is recommended that you configure it correctly during initial setup and not change it afterwards.
To configure system time for HSM, on the level-1 navigation pane, click System > Device Management > Date & Time. In
the HSM System Date and Time dialog, configure options. For more details, see Configuring Date & Time.
Configure settings on Hillstone devices. Hillstone devices will automatically register themselves to HSM when the network is connected between HSM and the Hillstone devices.
Configure settings on HSM to add Hillstone devices. You can add single device or multiple devices.
Note:
HSM will get all the VSYS devices of the physical device to manage them when registering.
After the registration is complete, the zero configuration IPS rules and the zero configuration
1. Log into StoneOS. Select System > HSM from the menu bar.
HSM Agent: Select the Enable checkbox to enable the HSM agent, i.e., to allow HSM to manage the device.
HSM Server IP: Specify the IP address of HSM. This IP address cannot be 0.0.0.0, 255.255.255.255 or a multicast address.
HSM Server Port: Specify the port number of HSM. The value range is 1 to 65535, and the default value is 9090. For StoneOS 4.5R4 and higher versions, port number 9091 is recommended.
HSM Password: Specify the password for accessing HSM. HSM authenticates the device using this password. The value is 1 to 31 characters, and the default value is 123456.
OK: Click this button to save the settings and make them take effect.
3. With the above options configured, the device can register with the HSM it can reach in the network, and be managed by HSM.
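As an added example (not from the guide or Hillstone), the following Python check validates the HSM agent settings above before they are pushed to a device: it rejects the unspecified, broadcast and multicast server addresses, enforces the port and password length ranges, recommends port 9091 for StoneOS 4.5R4 and later, and flags a device still using the default password 123456. The version-string format MAJOR.MINORRn and the function names are assumptions.

```python
import ipaddress
import re

# Value ranges and defaults as documented for the StoneOS System > HSM page.
PORT_MIN, PORT_MAX = 1, 65535
DEFAULT_PORT = 9090
RECOMMENDED_PORT_FROM_4_5R4 = 9091
DEFAULT_AGENT_PASSWORD = "123456"
PASSWORD_MIN, PASSWORD_MAX = 1, 31


def stoneos_at_least_4_5r4(version):
    """True if a StoneOS version string such as '4.5R4' or '5.5R3' is 4.5R4 or later.

    Assumption: versions look like MAJOR.MINOR followed by an optional Rn release
    number; anything after the release number (patch suffixes) is ignored.
    """
    match = re.match(r"^\s*(\d+)\.(\d+)(?:R(\d+))?", version, re.IGNORECASE)
    if not match:
        raise ValueError(f"unrecognised StoneOS version string: {version!r}")
    major, minor, release = (int(x or 0) for x in match.groups())
    return (major, minor, release) >= (4, 5, 4)


def check_hsm_agent_settings(enable, server_ip, server_port, password, stoneos_version):
    """Validate one device's HSM agent settings.

    Returns (errors, warnings): errors are values the device will not accept,
    warnings are accepted values that weaken or break centralised management.
    """
    errors, warnings = [], []

    if not enable:
        warnings.append("HSM agent is disabled; the device will not register with HSM")

    # HSM Server IP: must be a real unicast address, not 0.0.0.0,
    # 255.255.255.255 or a multicast address.
    try:
        ip = ipaddress.ip_address(server_ip)
    except ValueError:
        errors.append(f"HSM Server IP {server_ip!r} is not a valid IP address")
    else:
        if ip.is_unspecified or str(ip) == "255.255.255.255" or ip.is_multicast:
            errors.append(f"HSM Server IP {server_ip} is unspecified, broadcast or multicast")

    # HSM Server Port: 1..65535, default 9090; 9091 recommended from StoneOS 4.5R4.
    if not isinstance(server_port, int) or not PORT_MIN <= server_port <= PORT_MAX:
        errors.append(f"HSM Server Port {server_port!r} is outside {PORT_MIN}-{PORT_MAX}")
    elif stoneos_at_least_4_5r4(stoneos_version) and server_port != RECOMMENDED_PORT_FROM_4_5R4:
        warnings.append(
            f"StoneOS {stoneos_version}: port {RECOMMENDED_PORT_FROM_4_5R4} is recommended, "
            f"found {server_port}"
        )

    # HSM Password: 1..31 characters; HSM authenticates the device with it, so the
    # shipped default 123456 must not survive into production.
    if not PASSWORD_MIN <= len(password) <= PASSWORD_MAX:
        errors.append(f"HSM Password length {len(password)} is outside {PASSWORD_MIN}-{PASSWORD_MAX}")
    elif password == DEFAULT_AGENT_PASSWORD:
        warnings.append("HSM Password is still the default 123456; set a unique password")

    return errors, warnings


def audit_devices(devices):
    """Run the check over a list of device dicts; return {name: (errors, warnings)}
    for every device with at least one finding."""
    findings = {}
    for dev in devices:
        errors, warnings = check_hsm_agent_settings(
            dev["enable"], dev["server_ip"], dev["server_port"],
            dev["password"], dev["stoneos_version"],
        )
        if errors or warnings:
            findings[dev["name"]] = (errors, warnings)
    return findings


if __name__ == "__main__":
    # Constructed sample inventory; the names and values are not from the guide.
    sample = [
        {"name": "fw-branch-1", "enable": True, "server_ip": "10.10.0.5",
         "server_port": 9091, "password": "Br4nch!Reg-Key", "stoneos_version": "5.5R3"},
        {"name": "fw-lab", "enable": True, "server_ip": "224.0.0.9",
         "server_port": 9090, "password": "123456", "stoneos_version": "4.5R4"},
        {"name": "fw-old", "enable": False, "server_ip": "0.0.0.0",
         "server_port": 70000, "password": "", "stoneos_version": "4.0R1"},
    ]
    for name, (errors, warnings) in audit_devices(sample).items():
        print(name)
        for e in errors:
            print("  ERROR  ", e)
        for w in warnings:
            print("  WARNING", w)
```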
To configure settings on HSM to add Hillstone devices, take the following steps. You can add single device or multiple
devices.
1. Click Device > Management from the level-1 navigation pane to enter the Device Management page.
2. Click the triangle icon ( ) next to the Add Device button and select Add Single Device from the drop-down
menu. The Add Multiple Devices dialog pops up.
Access Protocol: Specify the protocol for the connection between HSM and the device. Enter ssl to use the
SSL protocol or enter telnet to use the Telnet protocol. If not specified, HSM will use SSL by default.
Favorite: Specify whether or not to add this device to your favorite device list.
1. Click Device > Management from the level-1 navigation pane to enter the Device Management page.
2. Click the triangle icon next to the Add Device button and select Add Multiple Devices from the drop-down menu. The Add Multiple Devices dialog pops up.
3. Click Download Device Info File Template. The Save As dialog appears.
Protocol: Specify the protocol for the connection between HSM and the device. Enter ssh to use the SSH
protocol or enter telnet to use the Telnet protocol. If not specified, HSM will use SSL by default.
7. In the Add Multiple Devices dialog, click Browse. The Open dialog appears.
8. Locate the modified template and click OK. HSM starts to load the template.
9. After loading the template, click Upload. HSM starts to read the template and add the devices in it to HSM. If one device in the template fails to register, none of the devices in the template are registered. To view the error information, hover over the exclamation mark in the Status column.
Note: HSM supports HA management in Active-Passive, Active-Active and Active-Peer modes for the managed devices. When HSM manages the HA function of the managed devices, you can view, configure and share information of the master device in the HA pair. For the slave device, you can only view the configuration information on HSM.
When the properties of the IP address, username, password and so on change, you can edit device and modify property
values. Take the following steps:
1. Click Device > Management from the Level-1 navigation pane to enter the device management page.
3. Click Edit Device in the toolbar and the Edit Device dialog pops up.
1. Click Device > Management from the Level-1 navigation pane to enter the device management page.
3. Click Delete Device in the toolbar, and the device will be deleted when you click OK in the pop-up dialog.
You can manually register a device that is in the offline or error state. Check the link state between the Hillstone device and HSM, and make sure that the device's IP address, login username and password are correct, so that the device can register with HSM successfully. Take the following steps:
1. Click Device > Management from the Level-1 navigation pane to enter the device management page.
3. Click Register Device in the toolbar, and the device will be registered on HSM. You can view the registration result of the device from the displayed status.
Main Page
After deploying HSM management environment, to log into the system, take the following steps:
1. Type http:// HSM management IP or https:// HSM management IP in the web browser, and press Enter.
2. In the login page, type the username, password and verification code and log into the main page. The default username and password of HSM are admin and hillstone respectively.
The main page layout of HSM is shown below:
Module: Description
Device Management: Device management page. You can view all the managed devices, and manage the devices in this page, including deleting devices, adding them to groups or favorites, viewing detailed monitor information, etc.
Upgrade: Device upgrade page. You can upgrade StoneOS running on the managed devices in this page.
Configuration: Configuration management manages all kinds of rules.
System > User: In the User Management dialog, you can configure system administrators.
System > Disk Management: Based on the configured cleanup threshold, you can manage the storage space of the system.
System > Date & Time: In the HSM System Date and Time dialog, you can configure the system time for HSM.
System > Parameters: In the Email Configuration dialog, you can configure the mail server that is used by HSM.
System > Network Management: In the Internet Management dialog, you can configure IP addresses for the interface, gateway and DNS server of HSM.
System > Upgrade: In the Upgrade dialog, you can upgrade or roll back the HSM system.
System > Monitor Configuration: In the Monitor Configuration dialog, you can enable or disable the monitor functions for certain devices.
System > Status Monitor: In the System Status Monitor dialog, you can view the CPU utilization, memory utilization, and disk utilization of HSM.
System > Configuration Management: In the HSM System Configuration Management dialog, you can manage the system configuration files.
System > Register: In the License dialog, you can apply for or install a license.
System > About: In the About dialog, you can view HSM system information.
Device List: Shows all the managed devices. Type a keyword into the searching box to search for a device. Click the icon in the top-right corner of the device list to filter IPS
Favorite: Shows all the devices that are added to the favorites. Type a keyword into the searching box to search for a device.
Recycle Bin: Shows all the devices that are moved to the recycle bin.
Information Bar
Functions of the information bar are described below:
Option: Description
Include Devices in Sub-groups: Select the checkbox to display all the devices in the selected group and all the devices in the sub-groups of the selected group; clear the checkbox to only display the devices in the selected group.
Show/Hide Monitor Panel: Click the link to show/hide the monitor panels (CPU utilization, application traffic, user traffic) of the selected device.
Toolbar
Function buttons of the toolbar are described below:
Option: Description
Delete Device: Click the button to delete the device(s) selected in the main window.
Manual refresh: Specify the refreshing mode. Select Manual refresh from the drop-down list, and click Manual refresh to refresh the page immediately; select a refreshing period from the drop-down list to refresh the page at the specified interval.
Main Window
Managed devices and main information about the devices are displayed in the main window. Click a device or device group in the device navigation pane to show the corresponding information in the main window. You can customize the columns displayed in the list from the Column drop-down list. Columns of the list are described below:
Option: Description
Name: Shows the name of the managed device. Different icons before device names indicate different device types: NGFW, IPS, WAF, BDS, IDS.
Status: Shows the status of the connection between the managed device and HSM:
Offline: The device has been registered successfully but is not running or connected. After the device is running or the connection works, the device will automatically register itself to HSM. You can also register the device manually.
Error: The device fails to register in HSM. Hover over the icon to view the error message.
New Sessions: Shows the newly created sessions of the managed device.
Configuration Modified Time: Shows the last modified time of the configurations of the managed device.
Unread Warnings: Shows the number of unread warnings related to the managed device.
CPU: Shows the average CPU utilization of the managed device in the latest 5 seconds.
Packet Forwarding Rate: Shows the packet forwarding rate of the managed device.
Session: Shows the sessions of the managed device. In the Session Query dialog, you can filter by source address, source port, destination address, destination port and protocol to view the information.
License: Shows the license of the managed device. In the License List dialog, you can view the customer, type, valid time and other information of the license.
Reboot log: Shows the reboot log of the managed device. In the Log dialog, you can filter by operation result and protocol and then view the information.
Operation Result: You can select All, Waiting, Success or Failure from the Operation Result drop-down list below.
Time: You can select All, Last 1 hour, Last 1 day, Last 1 week, Last 1 month or Custom from the Time drop-down list below. Click Custom, and the Time dialog appears. You can specify the period and then select Period specified below, Before time specified below or After time specified below.
User Information
Shows the username of the current system administrator.
Click Log Off to log off from HSM.
User
Authentication Settings: Specifying the mode of authenticating users who log in to HSM.
Device Management
Date & Time: Configuring the HSM system date and time. HSM supports synchronization with NTP servers. The HSM system time can be referenced by other modules, such as monitor, alarm, log, upgrade, etc.
Network Management: Configuring parameters for Internet management, including IP address, gateway and
DNS servers.
Monitor Configuration: Enabling or disabling the Monitor function. The monitor function is disabled by default
because it consumes more system performance. When the monitor function is disabled, monitor, alarm, report,
and monitor charts shown in the single device page are not available.
Status Monitor: Viewing system status, including CPU utilization, memory utilization, and disk utilization.
Configuration Management: Back up configuration and running data for HSM system.
Trusted host: Configuring IP range of the host which is allowed to log in or manage HSM.
WEB Port: Specifying the port number that users connect to when logging in to HSM via the WebUI.
Upgrade: Upgrading or rolling back HSM system, or restoring to the factory defaults.
Email: Configuring parameters for the Email server that is used to send alarm mails.
SMS Modem Configuration: Configuring parameters for sending SMS and viewing SMS Modem status information,
etc.
Diagnose Tools: Testing the devices connection status with HSM, including DNS query, Ping, and Traceroute.
Log Backup Manager: Backing up logs to an FTP server, importing logs from an FTP server to HSM, or clearing logs in HSM.
Language: Changing the system language. Chinese and English are supported.
Shutdown
Shutdown: Click this menu item to shut the HSM device down.
Help
Help: Click this menu item to go to the help page of the product.
1. System admin can specify privileges for every user, and the privilege can be accurate to every HSM function module
(eg: Device, Configuration, Report).
2. A user can have one or more roles, and a role can be given to one or more users.
Creating a User
Editing a User
Deleting a User
Enabling/Disabling a User
Resetting Password
Creating a Role
Deleting a Role
Creating a User
Only the user who has the privilege of a system administrator can create a user. To create a user, take the following steps:
1. Click System > User > User from the Level-1 navigation pane.
2. In the User Management dialog, click New. In the User dialog, configure the following options:
Authentication: Specify the authentication method for the user. The default authentication is local. When the authentication is local, the authorization can only be local. When the authentication is remote, the password item is hidden.
Authorization: Specify the authorization method for the user. The default authorization is local. When the authorization is remote, permissions cannot be configured locally.
Password: Specify the password for the user. It should be 8-32 characters, including numbers, English characters (case sensitive), and special characters. The default password is hillstone, and you can change the password as needed.
Enable: Specify the status of the new user. By default the new user is enabled. Clear the checkbox to disable the user, and the user will not be able to log into HSM.
Timeout (min): Specify the timeout for the user. If the user performs no operation within the timeout, the system logs the user off.
3. Click Privilege tab and configure the role for the current user. Specify the role in the Role text box, and then select
which device the user can manage in the Resource Device box.
1. In the User Management dialog, select a user by selecting the corresponding checkbox from the user list.
2. Click Copy in the toolbar. In the User dialog, all the configurations of the selected user are copied. You only need to configure the name for the new user, and modify other options as needed.
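Added example, not part of the guide or Hillstone's software: a Python check of the User dialog options above against the documented rules (local authentication requires local authorization, remote authentication has no password field, passwords are 8-32 characters containing numbers, English letters and special characters) that also flags an account left on the default password hillstone, which Reset Password restores. Treating ASCII punctuation as the "special characters" and the Timeout value as a positive number of minutes are assumptions.

```python
import string

DEFAULT_USER_PASSWORD = "hillstone"   # shipped default, also restored by Reset Password
PASSWORD_MIN, PASSWORD_MAX = 8, 32
ENGLISH_LETTERS = set(string.ascii_letters)
DIGITS = set(string.digits)
SPECIAL_CHARS = set(string.punctuation)   # assumption: ASCII punctuation is "special"


def password_policy_errors(password):
    """Return the documented password rules that `password` violates (empty if none)."""
    errors = []
    chars = set(password)
    if not PASSWORD_MIN <= len(password) <= PASSWORD_MAX:
        errors.append(f"length {len(password)} is outside {PASSWORD_MIN}-{PASSWORD_MAX}")
    if not chars & DIGITS:
        errors.append("no number")
    if not chars & ENGLISH_LETTERS:
        errors.append("no English letter")
    if not chars & SPECIAL_CHARS:
        errors.append("no special character")
    return errors


def check_user_settings(name, authentication, authorization, password,
                        enable=True, timeout_min=None):
    """Validate one HSM user definition as entered in the User dialog.

    Returns (errors, warnings): errors are combinations the dialog rules forbid,
    warnings are accepted settings an administrator should look at.
    """
    errors, warnings = [], []
    if not name:
        errors.append("user name is empty")

    if authentication not in ("local", "remote"):
        errors.append(f"unknown authentication {authentication!r}")
    if authorization not in ("local", "remote"):
        errors.append(f"unknown authorization {authorization!r}")

    if authentication == "local":
        # Local authentication only works with local authorization and needs a password.
        if authorization != "local":
            errors.append("local authentication requires local authorization")
        if password is None:
            errors.append("local authentication requires a password")
        else:
            errors.extend(f"password: {e}" for e in password_policy_errors(password))
            if password == DEFAULT_USER_PASSWORD:
                warnings.append("password is the default 'hillstone'; change it before first use")
    elif authentication == "remote":
        # The password item is hidden for remote authentication; any value given is ignored.
        if password is not None:
            warnings.append("password is ignored for remote authentication")
        if authorization == "remote":
            warnings.append("remote authorization: permissions cannot be configured locally")

    # Assumption: the timeout is a positive number of minutes when given.
    if timeout_min is not None and timeout_min <= 0:
        errors.append(f"timeout {timeout_min} min must be positive")
    if not enable:
        warnings.append("user is disabled and cannot log into HSM")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample users; names and passwords are not from the guide.
    samples = [
        ("ops-admin", "local", "local", "Ops#2024-audit", True, 15),
        ("reset-account", "local", "local", "hillstone", True, 15),
        ("ldap-user", "remote", "remote", "ignored", False, 0),
    ]
    for name, auth, authz, pw, enable, timeout in samples:
        errors, warnings = check_user_settings(name, auth, authz, pw, enable, timeout)
        print(name, "errors:", errors, "warnings:", warnings)
```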
Editing a User
To edit a user, take the following steps:
1. In the User Management dialog, click the username you want to edit.
3. Click Apply to save the changes. If needed, click Previous/Next to edit other users.
Deleting a User
To delete a user, take the following steps:
1. In the User Management dialog, select a user by selecting the corresponding checkbox from the user list.
Enabling/Disabling a User
The disabled users will not be able to log into HSM. To enable/disable a user, take the following steps:
1. In the User Management dialog, select a user by selecting the corresponding checkbox from the user list.
Resetting Password
This operation will reset the user password to the default password hillstone. Only the default administrator admin can
reset password by one of the following methods:
In the User Management dialog, click the username you want to edit. In the Details dialog, click Reset Password.
Creating a Role
To create a role, take the following steps:
1. Click System > User > User from the Level-1 navigation pane.
2. In the Role tab, click New and the Add Role dialog pops up. Options are described as below:
User: Click the text box and select which users the role belongs to.
Privilege: Specify the privileges of the role on each HSM module.
1. In the Role tab of the User Management dialog, select a role by selecting the corresponding checkbox from the role
list.
2. Click Copy in the toolbar. In the Add Role dialog, all the configurations of the selected role are copied. You only need to configure the name for the new role, and modify other options as needed.
Deleting a Role
Predefined roles cannot be deleted. A user who has the system administrator privilege can delete user-defined roles. Once a role is deleted, the users assigned to that role lose all the privileges of the role.
To delete a role, take the following steps:
1. In the Role tab of the User Management dialog, select a role by selecting the corresponding checkbox from the role
list.
AAA Server
AAA is the abbreviation for Authentication, Authorization and Accounting. Details are as follows:
Accounting: Records the fees users should pay for their network resource usage.
To configure the AAA server, take the following steps:
1. Click System > User > AAA Server from the Level-1 navigation pane. In the AAA Server dialog, local is the default local server and does not support editing or deletion.
Server Name: Specify the server name. You can specify at most 31 characters.
Server Address: Specify the IP address or domain name of the RADIUS server. A domain name can be at most 31 characters.
Port: Specify the port number of the RADIUS server. The value range is 1024 to 65535. The default value is 1812.
Password: Specify the password for communication between the server and HSM.
Link Test: Click Link Test. The system verifies that the configured RADIUS address is consistent with the RADIUS server configuration. If consistent, the system prompts "AAA server reach"; if not, the system prompts "AAA server can not reach".
RADIUS authentication: User information is stored in an external RADIUS server, and HSM devices authenticate users
by the external server.
1. Click System > User > Authentication Configuration from the Level-1 navigation pane.
Use remote authentication for users not in the local user list: Choose Yes and select a default authentication server, and users who are not in the local user list can log in to HSM through the remote server. Choose No, and users who are not in the local user list cannot log in to HSM.
Note:
Under RADIUS authentication, local authorization requires the privileges to be set on HSM, while remote authorization obtains the privileges from the RADIUS server.
Distribute Management
For users who need to manage a large number of devices, one HSM cannot meet their requirements. To resolve this, you can use the distributed management function: when you deploy multiple HSM devices, you can specify one device as the master device and the others as slave devices. With this function, you can view information about the slave devices and their firewalls on the master device, which relieves the load on a single HSM. Distributed management includes standalone mode, master mode and slave mode.
Master Mode: When one HSM device manages multiple HSM devices and can view information about these HSM devices and their firewalls, the current device is the master HSM, and the mode is master mode. The master HSM cannot manage firewalls directly. One master HSM can register up to 16 slave HSM devices.
Standalone Mode: An HSM device in standalone mode or slave mode can manage firewalls directly, but a standalone HSM cannot be registered on a master HSM. The default mode is standalone mode.
Note: When the master mode switches to the slave mode or standalone mode, the association relationship between all users and devices under the master mode will be cleared. When the slave mode or standalone mode switches to the master mode, the association relationship between all users and devices under the slave mode or standalone mode will be cleared too.
1. Click System > Distribute Management from the Level-1 navigation pane.
2. Select the check box of the mode you need in the Distribute Management dialog and click OK.
3. If you select the master mode, click Device > Distribute List > Add Device from the Level-1 navigation pane to enter the Add Device page and add slave HSM(s) for the master HSM.
Disk Management
HSM disk management refers to the configuration of the cleanup threshold, with which you can manage the storage space of the system.
To configure the cleanup threshold for HSM disk management, take the following steps:
1. Click System > Device Management > Disk Management from the Level-1 navigation pane.
Cleanup Threshold Settings: Specify the cleanup threshold. The default value is 90%, and the minimum value is 60%. When the storage usage reaches the specified threshold, the logs of the earliest week will be automatically cleared at 00:15 a.m.
Configuring HSM System Time
The HSM system time is referenced by other modules, such as log and upgrade. To ensure that the system time of HSM and of the managed devices is synchronized, it is recommended that you configure the same NTP server for HSM and the managed devices. You can configure the HSM system time manually or by synchronizing with an NTP server.
To configure HSM system time manually, take the following steps:
1. Select System > Device Management > Date & Time from the Level-1 navigation bar.
2. Select the appropriate time zone from the HSM System Time Zone drop-down list. If the selected time zone uses DST, the "Automatically adjustment of daylight time clock" check box will be selected automatically.
5. The changed time will be applied to new data; the time of existing data will not be updated. In the pop-up Warning dialog, click Yes to confirm the update.
If the time zone is adjusted from east to west, the time of new business data may be the same as that of existing business data.
1. Select System > Device Management > Date & Time from the Level-1 navigation bar.
3. Type the IP address of the NTP server into the Server 1 box; if needed, type the IP address of a second NTP server into the Server 2 box, and the system will try to synchronize with Server 2 if synchronization with Server 1 fails.
Note: Configure the system time properly during the initial setup, and if possible, do not change
the system time thereafter. Otherwise, modules that rely on system time (such as report, log) will
be affected.
HSM Network Management
HSM network management refers to the configuration of the IP address, gateway and DNS servers. These settings ensure connectivity between HSM and the managed devices. To facilitate network configuration, the eth0 port of HSM is configured with the default IP address 192.168.1.1/255.255.255.0.
To configure parameters for HSM network management, take the following steps:
IP Address: Specify the IP addresses for eth0 and eth1 according to network topology.
Netmask: Specify the netmasks for eth0 and eth1 according to network topology.
Preferred: Specify the IP address for the preferred DNS server of HSM.
Backup: Specify the IP address for the backup DNS server of HSM.
Monitor Configuration
To ensure the performance of HSM, the monitor function is not enabled for any device by default. If desired, you can enable the monitor function according to your requirements. After the monitor function is enabled, HSM performance will be affected. To ensure adequate performance, it is recommended that fewer than 500 devices be monitored.
To configure the monitor function on HSM, take the following steps:
1. Click System > Device Management > Monitor Configuration from the level-1 navigation pane. The Monitor Con-
figuration dialog appears.
Other: Enable or disable the network threat and network behavior monitor function.
Priority: You can select Low, Middle, or High priority. When the monitor data exceed the system capacity, the system disables the monitor function of low-priority devices so that the monitor data of higher-priority devices can still be processed.
4. Click OK to save the settings. The Monitor Configure dialog closes, and the Update Configure progress bar disappears when the update finishes. Click OK to close the dialog.
5. In the Monitor Configuration dialog, click Close to save the settings and close the dialog.
The following functions will be affected after the monitor function is disabled.
Monitor: Statistics of CPU utilization, memory utilization, and total traffic keep updating. Other statistics will not update and can only be viewed for a particular period.
Alarm: The following alarm rules cannot take effect: VPN Tunnel Interrupt, VPN Tunnel Traffic Beyond Threshold, AV Attack Count Beyond Threshold, APP Block Count Beyond Threshold, Email Receiving and Sending Times Beyond Threshold, URL Category Hit Count Beyond Threshold, Port Traffic Beyond Threshold, and all user-defined alarm rules that are based on the above alarm rules.
Report: Since the statistics of CPU utilization, memory utilization, and total traffic keep updating, you can generate reports from them. Other historical statistics will not update, and you can generate a report that contains historical statistics for a particular period.
HSM System Status Monitor
The status monitor function monitors the CPU utilization, memory utilization, and disk utilization of HSM, giving users a good understanding of the system status. By configuring a threshold for each monitored object, HSM can generate an alarm when the status of an object keeps exceeding the threshold for the specified period (1 minute by default). You can then take measures to deal with the alarms.
The line chart shows the trend of the monitored objects. Based on the specified time cycle, HSM takes samples accordingly and displays the trend in the chart. By default, HSM displays the trend within the latest 1 hour.
The right chart displays the current status of the monitored objects. HSM refreshes the data every 5 minutes.
View detail: Click the View Detail link of each monitored object to view the detailed information. You can view the
column charts of the top 5 processes that occupy the CPU resources and the memory resources individually, and the
pie charts of all objects that occupy the disk. The following chart displays the top 5 processes that occupy the
memory resources.
HSM supports the predefined time cycle and the custom time cycle. Click Latest 1 Hour on the top right corner to set the
time cycle.
Predefined time cycle: Click Latest 1 Hour and then select a predefined one.
Latest 1 Hour: Displays the statistics of each monitored object within the latest 1 hour. HSM will take samples
every minute.
Latest 1 Day: Displays the statistics of each monitored object within the latest 1 day. HSM will take samples
every 10 minutes.
Latest 1 Month: Displays the statistics of each monitored object within the latest 1 month. HSM will take
samples every 6 hours.
Custom time cycle: Click Latest 1 Hour and then select Custom. The Select Time dialog appears. You can select the
start time and the end time according to your requirements.
If the custom time cycle is within 6 hours, HSM takes samples every minute.
If the custom time cycle exceeds 6 hours and is less than 1 week, HSM takes samples every 10 minutes.
If the custom time cycle exceeds 1 week and is less than 6 months, HSM takes samples every 6 hours.
If the custom time cycle exceeds 6 months and is less than 1 year, HSM takes samples every 24 hours.
Setting Threshold
If the utilization of the monitored objects keeps exceeding the threshold within the specified period (1 minute by
default), HSM will generate the alarm.
To set the threshold for monitored objects, take the following steps:
1. Click System > Device Management > Status Monitor from the level-1 navigation pane. The System Status Monitor
dialog appears.
3. Set the threshold for each object using one of the methods:
Drag the slider. The exact value will update in the text box.
Enter the value. The slider will move to the exact location.
4. Click OK to save the configuration settings and return to the System Status Monitor dialog. The red line representing
the threshold moves to the correct location.
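The alarm condition above ("keeps exceeding the threshold within the specified period, 1 minute by default") is easy to get wrong when reimplementing it for an external monitoring pipeline: a single spike must not alarm, and a continuing breach should not re-alarm every sample. The following Python is an added example, not code from the guide or from Hillstone, run over constructed one-minute CPU samples like those on the Latest 1 Hour chart. Suppressing repeat alarms until the value drops back under the threshold is this example's choice; the guide does not specify it.

```python
from collections import deque

# Constructed one-minute CPU utilization samples (minute, percent), mirroring the
# "Latest 1 Hour" view in which the guide says HSM samples every minute.
CPU_SAMPLES = [(0, 40), (1, 95), (2, 96), (3, 97), (4, 50), (5, 99), (6, 99), (7, 20)]


def sustained_breaches(samples, threshold, period_minutes=1, sample_interval_minutes=1):
    """Return the minutes at which an alarm is raised.

    An alarm fires when every sample in a window of `period_minutes` exceeds the
    threshold. While the breach continues no further alarm is raised; the state
    resets as soon as one sample is at or below the threshold.
    """
    if period_minutes < sample_interval_minutes:
        raise ValueError("period must be at least one sampling interval")
    window_len = period_minutes // sample_interval_minutes
    window = deque(maxlen=window_len)      # rolling record of "over threshold?" flags
    alarms, in_breach = [], False
    for minute, value in samples:
        over = value > threshold
        window.append(over)
        if not over:
            in_breach = False              # breach ended; allow a fresh alarm later
            continue
        if len(window) == window_len and all(window) and not in_breach:
            alarms.append(minute)
            in_breach = True
    return alarms


if __name__ == "__main__":
    print("1-minute period:", sustained_breaches(CPU_SAMPLES, 90))
    print("2-minute period:", sustained_breaches(CPU_SAMPLES, 90, period_minutes=2))
```

With the constructed samples and a 90% threshold, the default 1-minute period alarms at minutes 1 and 5, while a 2-minute period alarms at minutes 2 and 6 because the first sample over the threshold is not yet a sustained breach. The same function applies to the memory and disk series, which the guide says are sampled on the same schedule.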
For more information about configuring alarm rules, refer to Configuring the Alarm Rule.
1. Click System > Device Management > Configuration Management. The HSM System Configuration Management
dialog appears.
3. Specify the name of the backup file. By default, the file is named as backup_date_time, for example, backup_
201311171035.
1. Click System > Device Management > Configuration Management. The HSM System Configuration Management
dialog appears.
1. With the HSM System Configuration Management dialog active, select a backup file from the file list.
2. Click the triangle next to the Restore button, and then select Selected File. The Restoring window pops up. HSM starts to analyze the file.
1. With the HSM System Configuration Management dialog active, click the triangle next to the Restore button, and then select Local File. The Restoring window pops up.
2. Click the magnifying glass to locate the local file and then open it.
When restoring a file backed up by the current HSM itself, the historical data of Monitor, Log, and Alarm in HSM
will remain the same.
When restoring a file that is not backed up by the current HSM, the historical data of Monitor, Log, and Alarm in
HSM will be cleared.
4. After uploading the file, HSM analyzes the file and then starts to restore the file.
1. With the HSM System Configuration Management dialog active, select the files to be deleted.
2. By default, the trusted IP range is 0.0.0.0/0, which means all hosts are trusted.
1. Click System > Device Management > Trusted Host from the Level-1 navigation pane.
2. Click New in the Trusted Host Configuration dialog. Options are described as below:
Host Name: Specify the name for the trusted host. It can be left empty.
IP Address: Specify the IP address or IP range for the trusted host, e.g., 10.188.1.10 - 10.188.1.15, or 192.168.10.0/24.
4. Click OK.
To edit/delete trusted host, take the following steps:
1. Click System > Device Management > Trusted Host from the Level-1 navigation pane.
2. Select a trusted host by selecting the corresponding checkbox from the list, and then click Edit or Delete.
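The trusted host list is what actually limits which networks can reach the HSM login page, and its factory default 0.0.0.0/0 trusts every host. As an added example (not from the guide or from Hillstone), the Python below parses entries in the two notations the guide shows, a dashed range and a CIDR block, answers whether a given source address would be trusted, and flags any entry that still trusts everyone. The entry names and the sample list are constructed for the example.

```python
import ipaddress

# Constructed Trusted Host list in the notations the guide shows, including the
# factory default 0.0.0.0/0 that an audit should flag.
EXAMPLE_TRUSTED_HOSTS = [
    ("Ops jump hosts", "10.188.1.10 - 10.188.1.15"),
    ("NOC subnet", "192.168.10.0/24"),
    ("Factory default", "0.0.0.0/0"),
]


def parse_trusted_host(entry: str) -> list:
    """Expand one IP Address field into ipaddress network objects.

    Accepts a CIDR block (192.168.10.0/24), a single address, or a dashed range
    (10.188.1.10 - 10.188.1.15); a range is summarized into the CIDR blocks it covers.
    """
    text = entry.strip()
    if "-" in text:
        first, last = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if first.version != last.version or last < first:
            raise ValueError(f"invalid range: {entry!r}")
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(text, strict=False)]


def is_trusted(source_ip: str, entries) -> bool:
    """Would a Web login from source_ip pass the trusted host check?"""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for _, e in entries for net in parse_trusted_host(e))


def audit_trusted_hosts(entries) -> list:
    """Return the names of entries that trust every host (prefix length 0)."""
    return [name for name, e in entries
            if any(net.prefixlen == 0 for net in parse_trusted_host(e))]


if __name__ == "__main__":
    print("entries trusting all hosts:", audit_trusted_hosts(EXAMPLE_TRUSTED_HOSTS))
    hardened = [t for t in EXAMPLE_TRUSTED_HOSTS if t[0] != "Factory default"]
    for ip in ("10.188.1.12", "10.188.1.16", "192.168.10.200", "203.0.113.5"):
        print(ip, "trusted" if is_trusted(ip, hardened) else "rejected")
```

Running the audit before and after removing the default entry shows the difference in practice: with 0.0.0.0/0 present every address is trusted, so the other entries add nothing; once it is removed, only the listed jump hosts and the NOC subnet can reach the HSM Web interface.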
Configuring WEB Port
You can modify the port number that users access when logging in to HSM through the Web, in order to ensure the security of the system.
To configure the Web port for HSM, take the following steps:
1. Click System > Device Management > WEB Port from the Level-1 navigation pane.
HTTP WEB Port: Specify the port number of the HTTP service of HSM. The default value is 80. Besides 80, the value ranges from 1025 to 65535; among them, 2003~3003, 3306, 6514, 8005, 8080, 8161, 8443, 9000, 9090, 9091, 9092, 61616, 61617 are reserved by the system and cannot be configured.
HTTPS WEB Port: Specify the port number of the HTTPS service of HSM. The default value is 443. Besides 443, the value ranges from 1025 to 65535; among them, 2003~3003, 3306, 6514, 8005, 8080, 8161, 8443,
Note: After the Web port is modified successfully, the previous port will be closed and the web service will be restarted. You need to access the web service through the new port after the restart.
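The port rules above are fiddly enough (a default that sits outside the allowed range, a block of reserved ports inside it) that a change script should validate before submitting. The following Python is an added example, not code from the guide or from Hillstone. Its reserved set is copied from the HTTP WEB Port description; the guide's HTTPS list is cut off on the page after 8443, so the example assumes the same set applies to both services. Rejecting equal HTTP and HTTPS ports is also this example's assumption, since the guide does not address it.

```python
# Reserved ports as listed for HTTP WEB Port in the guide (2003~3003 is a range).
RESERVED_PORTS = set(range(2003, 3004)) | {
    3306, 6514, 8005, 8080, 8161, 8443, 9000, 9090, 9091, 9092, 61616, 61617,
}
DEFAULT_PORT = {"http": 80, "https": 443}   # defaults named in the guide
PORT_RANGE = range(1025, 65536)             # 1025 to 65535 inclusive


def validate_web_port(port: int, service: str):
    """Return None if `port` is acceptable for the service, otherwise the reason it is not."""
    if service not in DEFAULT_PORT:
        raise ValueError("service must be 'http' or 'https'")
    if port == DEFAULT_PORT[service]:
        return None                          # the default is allowed although it is below 1025
    if port not in PORT_RANGE:
        return f"{port} is outside 1025-65535"
    if port in RESERVED_PORTS:
        return f"{port} is reserved by the system"
    return None


def validate_web_ports(http_port: int, https_port: int) -> list:
    """Validate both ports together; an empty list means the pair can be submitted."""
    problems = [p for p in (validate_web_port(http_port, "http"),
                            validate_web_port(https_port, "https")) if p]
    if http_port == https_port:
        problems.append("HTTP and HTTPS ports must differ")   # example's assumption
    return problems


if __name__ == "__main__":
    for pair in ((80, 443), (8081, 8444), (8080, 8443), (8444, 8444)):
        print(pair, validate_web_ports(*pair) or "OK")
```

Moving the Web port off 80/443 keeps casual scanners from finding the login page, but it is the trusted host list, not the port number, that decides who may connect; treat the port change as a complement to that list rather than a substitute for it.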
HA Management
HA, the abbreviation for High Availability, provides a fail-over solution for communication line or device failure, ensuring smooth communication and effectively improving the reliability of the network. To implement the HA function on two HSM devices, they must use the identical hardware platform and firmware version, and have the same device license installed whose service is within its validity period. When one HSM device is unavailable or cannot handle requests from the client properly, the requests will be promptly directed to the other device that works normally, thus ensuring uninterrupted network communication and greatly improving the reliability of communications.
To configure the HA management in the HSM system, take the following steps:
1. Click System > Device Management > HA Management from the Level-1 navigation pane to enter the device con-
figuration page.
Select Use data in local device to cover data in peer device. The Submit prompt box pops up and displays "Data in peer device will be reset, whether to continue?" Click OK. When the synchronization completes, the peer data will be overwritten.
HA Alarm: Select the Enable check box. When the status of the interface changes, the device will raise an alarm.
Database Synchronize Status: Displays the synchronization status of the current database. The statuses include Normal, Synchronizing and Failed to synchronize.
File Synchronize Status: Displays the synchronization status of the current file. The statuses include Normal, Synchronizing and Failed to synchronize.
HA HeartBeat Status: Displays the HeartBeat status of the current HA. The statuses include Normal and Failed.
3. Click OK, and the HA Creating dialog will pop up. You can view the process of HA creating in the dialog.
Interface modification: You can view the result of modifying the HA connection interface in the system.
Wait for configuration of the peer and connecting to the peer: You can view the result of the peer configuration and of the connection between the local device and the peer device in the system. You need to configure the peer parameters before the HA is built or while the HA is being built. You also need to make sure HSM is connected with the peer device; otherwise, the connection cannot succeed.
HA Establish Condition Checking: You can view the result of checking whether the conditions for establishing HA are met in the system.
HA Environment Build: You can view the result of building the HA environment in the system.
Master/Slave Device Data Synchronization: You can view the result of synchronizing data between the master and slave devices in the system. If Monitor/Log Synchronization is enabled, the device synchronizes all data; otherwise the device synchronizes all data except Monitor/Log data.
HA Build Successfully: You can view whether HA was built successfully.
HSM System Upgrade
HSM supports system upgrade, rollback and restoring to the factory defaults.
System Upgrade
To upgrade HSM system, take the following steps:
3. Click Upload.
Rollback
To roll back to the previous version, take the following steps:
2. In the Upgrade dialog, click Rollback, and then click OK under the tag.
Restoring to Factory Defaults
To restore to the factory defaults, take the following steps:
2. In the Upgrade dialog, click Factory Defaults, and then click OK under the tag.
Upgrading Signature Database for HSM
To upgrade IPS signature database, application signature database, Anti-Virus signature database or URL database for
HSM:
1. Select System > Upgrade from the level-1 navigation panel, and then click the target signature upgrade tab.
Auto Upgrade: Select Enable Auto Update and specify the auto upgrade time. Click Save to save your changes. This function is enabled by default.
Testing Recipient: Specify the recipient that is used to test the Email account. Click Test to test if Email can be
sent by the Email account successfully.
SMS Modem Configuration
SMS alarm means that alarm information is sent to the designated administrator through an SMS modem.
An external GSM modem device is required for sending SMS messages. First, you need to prepare a mobile phone SIM card and a GSM SMS modem. Insert the SIM card into your modem, and then connect the modem and HSM using a USB cable.
The following two models of SMS modem are recommended:
SMS Modem Baud Rate
You can view the communication baud rate of the SMS modem on the SMS Modem Configuration page.
SMS Modem Signal Intensity
You can view the communication signal intensity of the SMS modem on the SMS Modem Configuration page. Only when the signal intensity is between 16 and 31 can alarm messages be sent normally. If the signal intensity is under 15, the alarm message may fail to be sent.
SMS Modem Status
The system shows the modem connection status: sms modem is online, sms modem is offline, or no sim in sms modem.
Maximum sending number per hour: Defines the maximum number of messages the modem can send in one hour; the value ranges from 1 to 1000.
Maximum sending number per day: Defines the maximum number of messages the modem can send in one day; the value ranges from 1 to 1000.
Testing SMS
To test if the message sending works, you can send a test text to a mobile.
To send a text message to a specified mobile number:
3. Click Send.
If the SMS modem is correctly configured and connected, the phone using that number will receive a text message.
Diagnose Tools
While HSM manages the devices, the diagnose tools can help you test network availability and diagnose system errors quickly. You can choose the tools according to your requirements.
To use HSM diagnose tools, take the following steps:
1. Select System > Diagnose Tools > Test tools from the Level-1 navigation bar. The Test Tools dialog appears.
2. Choose the tools according to your requirements and configure the following options:
DNS Query: Specify the DNS domain name. The system checks the legitimacy of the domain name, and then the domain's IP address and any fault messages are displayed. If no DNS server is configured, a dialog pops up to prompt you.
Traceroute: Specify the DNS domain name or IP address and click Test; the results of the traceroute are then displayed.
3. Click Test, and then the results will be displayed in the text box below.
FTP Server Configuration: Specify an FTP server for storing backed-up logs or logs to be imported.
Log Backup: Back up logs and store them on the FTP server.
Log Clean: Clear the offline logs or the running logs within the specified period.
1. Click System > Log Backup Manager > FTP Config from the level-1 navigation pane. The FTP Configuration dialog
appears.
2. In the toolbar in the dialog, click New. The New FTP Server Configuration dialog appears.
Config Name: Specify the FTP server name. You can also enter other names to mark this entry. You can enter at
most 20 characters.
Address/Port: Specify the IP address and the corresponding port of the FTP server.
User name: Specify the user name that has access rights to the FTP server.
Path: Specify the path of the directory in the FTP server for storing logs. Use "/" as the separator.
4. After configuring the settings, click Detection to verify the connection between HSM and the FTP server. After the test succeeds, click OK to save this entry and return to the FTP Configuration dialog. The entry is displayed in the FTP server list.
You can also click OK directly instead of clicking Detection. HSM will then save the entry to the FTP Configuration dialog without verifying the connection. Click the Detection link in the Detect column to verify the connection later.
To edit the FTP server settings, select an entry from the FTP server list and then click Edit in the toolbar. To delete undesired FTP servers, select the entries from the list and then click Delete in the toolbar.
1. Click System > Log Backup Manager > Log Import from the level-1 navigation pane. The Log Import dialog
appears.
FTP Server: From the drop-down list, select the FTP server where you store the log files. The corresponding FTP server settings are then displayed. You can click Detection to verify the connection between HSM and the FTP server. If you want to modify the FTP server settings, click FTP Config.
Choose File: From the drop-down list, select the log files. You can select folders and/or files. HSM supports the following file types: ZIP, TXT, and CSV.
Log Type: From the drop-down list, select the type of logs you want to import. More than one log type can be selected.
3. Click Import to start the import task. The task progress will be displayed in the task list. For more information, see task.
Log Backup
HSM supports the backup of the logs. You can back up logs manually or automatically.
For the backed-up logs, HSM can import them for viewing.
Manual Backup
To back up logs manually, take the following steps:
1. Click System > Log Backup Manager > Log Backup from the level-1 navigation pane. The Log Backup dialog
appears.
2. Click the Manual Backup tab. In the dialog, configure the following options:
Log Type: From the drop-down list, select the log types to be backed up.
FTP Server: From the drop-down list, select the FTP server where to store the log files. Then the corresponding
FTP server settings are displayed. You can click Detection to verify the connection between HSM and the FTP
server. If you want to modify the FTP server settings, click FTP Config.
3. Click Backup to start the backup task. The task progress will be displayed in the task list. For more information, see task.
Auto Backup
To back up logs automatically, take the following steps:
1. Click System > Log Backup Manager > Log Backup from the level-1 navigation pane. The Log Backup dialog
appears.
2. Click the Auto Backup tab. In this dialog, configure the following options:
Enable Auto Backup: Select the check box to enable the automatic log backup function.
Interval: Specify the periodic backup cycle: Every Day, Every Week, or Every Month.
Time: Specify the time at which logs are backed up automatically.
3. Click OK to start the backup task. The task progress will be displayed in the task list. For more information, see task.
Log Clean
HSM supports clearing offline logs and running logs within a specified time. For more information about offline logs and running logs, refer to Searching Log Messages.
To clear logs, take the following steps:
1. Click System > Log Backup Manager > Log Clean from the level-1 navigation pane. The Log Backup dialog appears.
Select Online Log to clear the online logs within the specified time.
Device Configuration File Manage: The configuration file management function in HSM facilitates the management of configuration files located on different Hillstone devices and of each configuration file's change history.
Device Management Configuration Example: Describes a typical deployment scenario and some configuration examples to help you understand adding devices and retrieving configuration files.
Device Management 38
Device Management
This section describes the device management operations:
Favorite Device
Session Query
Online Reboot
Creating a Device Group
A device group is a logical managing unit for the devices. You can add related devices into one device group. One device
can be added to different device groups.
To create a device group, take the following steps:
1. Move the cursor to the All Devices area of the device navigation pane, right-click and select Create Device Group.
The Device Group Configuration dialog pops up.
2. Type the device group name in the Name text box. If necessary, give a description of the device group in the Description text box.
3. Select a device group for the newly created device group in the selection box under the Description text box. The created device group will belong to the selected device group.
The newly created device group will be displayed in the device navigation pane. You can adjust the position of the device group by dragging and dropping.
Drag and drop: In the device navigation pane, select the device to be added, then drag and drop it onto the device group (the color of the target device group turns red; release the mouse after the color changes); or select the device to be added from the device table and drag it to the device group in the device navigation pane.
Cut and paste: You can add multiple devices to a device group. The operating steps are listed below.
To add devices to a device group by cutting and pasting, take the following steps:
1. Select the devices to be added from the device table (check the corresponding check boxes).
4. Move the mouse back to the device table area, right-click and select Paste Device.
Drag and drop: In the device navigation pane, select the device to be deleted, and then drag it out of the device
group.
Cut and paste: You can delete multiple devices from a device group. The operating steps are listed below.
To delete devices from a device group by cutting and pasting, take the following steps:
1. Select the device group from the device navigation pane, and the device table shows all the devices in the selected
device group.
2. Select the devices to be deleted from the device table (check the corresponding check boxes).
5. Move the mouse back to the device table area, right-click and select Paste Device.
Editing a Device Group
To edit a device group, take the following steps:
1. Select the device group to be edited from the device navigation pane.
Deleting a Device Group
To delete a device group, take the following steps:
Favorite Device
You can mark your important devices as favorites to make them easy to find and manage.
To mark a device as a favorite, in the device table, click the flag in the Name column (highlighted flag: Favorite; gray flag: Common). The favorite devices will be displayed under the Favorite label in the device navigation pane.
To remove from favorite, use either method below:
In the device table, click the flag in the Name column to make it grayed.
In the device navigation pane, under the Favorite label, select the device, right-click and select Remove From Favor-
ite.
IPS Signature: Shows the version of the IPS signature database on the managed device.
APP Signature: Shows the version of the APP signature database on the managed device.
Interface Information: The device front panel illustration shows the interface status and information. The interface statuses are:
Top 10 Average User Traffic in 1 Hour: Shows the top 10 average user traffic in the last 1 hour.
Top 10 Intrusions in 1 Hour: Shows the top 10 IPS intrusions in the last 1 hour, which is only applicable to NGFW devices.
Latest 1 Hour Threat Distribution: Shows the percentage distribution of each threat in the last 1 hour, which is only applicable to NIPS devices.
Session Query
You can search the current sessions of a managed device according to the specified criteria by using session query.
To query sessions, take the following steps:
1. Select the device whose sessions you want to query from the device table, then click View in the Session column to enter the session query page.
2. Enter value in one or more text fields in the pop-up dialog box, then click the Search button.
Source Addr: Specify the source IP address; you may enter an IPv4 or IPv6 address.
Src Port: Specify the source port of the service.
Destination Addr: Specify the destination IP address; you may enter an IPv4 or IPv6 address.
Dst Port: Specify the destination port of the service.
Protocol: Specify the transport layer protocol of the service.
The search result will be displayed in the session list. If you don't enter any value and click Search button directly, all
current sessions will be displayed in the list.
1. Select the device to be deleted from the device table, and click the Delete Device button above the device table; or
select the device to be deleted from the device navigation pane, right-click and then select Delete Device.
2. Click Yes on the Information dialog. The device is moved to the recycle bin.
3. Click the Recycle Bin label from the device navigation pane, and the device table shows all the devices in the recycle
bin. Select the device to be deleted, and click the Delete Device button above the device table again.
4. Click Yes on the Warning dialog. Now the device is permanently deleted from HSM.
A device in the recycle bin can be restored.
To restore devices, take the following steps:
1. Click the Recycle Bin label from the device navigation pane, and the device table shows all the devices in the recycle
bin.
2. Select the device to be restored, right-click and select Restore Device, or click the Restore Device button above the
device table. The Device Restoration dialog pops up.
3. If necessary, edit the name of the device in the Name text box.
4. Select a device group for the device to be restored in the box.
Note: A VSYS device cannot be deleted directly from HSM. When a physical device is deleted from HSM, its VSYS devices are deleted at the same time.
Online Reboot
The managed devices can be restarted immediately or on schedule through HSM.
Immediate Reboot
To restart the managed devices immediately, take the following steps:
2. Select the devices to be restarted from the device list, and then click the Reboot Immediately button at the upper right corner of the toolbar, or click the small triangle to the right of the button and select Reboot Immediately.
The devices are restarted immediately, and the icon in the Status column changes from to . If the
Reboot on Schedule
You can configure a scheduled reboot task so that one or more managed devices are restarted at the time set in the task.
To configure a scheduled reboot task, take the following steps:
2. Click the small triangle to the right of the Reboot Immediately button at the upper right corner of the toolbar and select Reboot Schedule Configuration from the menu.
5. Click OK. The newly created task is displayed in the task list.
The newly created task is enabled by default. Check the task and then click Disable in the toolbar to disable it. Click Edit or Delete in the toolbar to edit or delete the task. Click the Log link of the corresponding task in the Log column to view the logs generated by the task. You can also view a device's reboot log by clicking the icon in the Reboot Log column on the Device Management page.
After a reboot task of the absolute-time type has been executed, its status becomes Invalid. An invalid task can also be disabled. An invalid task can be changed back to enabled by editing its reboot time to a valid time.
Setting Restart Parameter
You can set the restart parameter to determine whether the configuration of the managed device is saved before a restart. This feature is only applicable to NGFW devices running version 5.5R4P1 or later.
To set the restart parameter, take the following steps:
2. Click the small triangle to the right of the Reboot Immediately button at the upper right corner of the toolbar and select Restart Param from the menu.
3. Select the Save configuration before restart or Do not save configuration before restart radio button in the Restart Param dialog.
By default, Save configuration before restart is selected. If you select the Do not save configuration before restart radio button, then when you reboot a device immediately, a prompt box pops up to warn you that the configuration will be lost after the reboot. You can click the Modify Restart Parameter link to enter the Restart Param page and modify the restart parameter.
Introduction to Device Upgrade
HSM supports device upgrade functionality, which enables you to upgrade the firmware of the managed Hillstone devices. To upgrade StoneOS through HSM, take the following steps:
1. Import the StoneOS firmware into the HSM system first. HSM matches the proper firmware to the managed devices automatically.
You can check the upgrade task status on the Status page, and view the upgrade logs on the Upgrade Log page or the Task Log page.
This section describes:
1. Click Device > Upgrade > Device Upgrade from the level-1 navigation pane.
3. On the Importing Firmware dialog, select Local, click the browse button and select the firmware to be
uploaded on the pop-up dialog.
4. Click OK to upload.
To import via HTTP, take the following steps:
1. Click Device > Upgrade > Device Upgrade from the level-1 navigation pane.
3. On the Importing Firmware dialog, select HTTP, and configure the following options:
Username: Specify the username which is used to log into the HTTP server.
4. Click OK to upload.
To import via FTP, take the following steps:
1. Click Device > Upgrade > Device Upgrade from the level-1 navigation pane.
3. On the Importing Firmware dialog, select FTP, and configure the following options:
Username: Specify the username which is used to log into the FTP server.
4. Click OK to upload.
To delete a firmware from HSM, select the firmware to be deleted from the firmware table, and then click the Delete but-
ton from the toolbar.
1. Click Device > Upgrade > Device Upgrade from the level-1 navigation pane.
3. On the Upgrade Management IP Configuration dialog, type the address into the IP text box.
1. Click Device > Upgrade > Device Upgrade from the level-1 navigation pane.
2. Select a firmware from the firmware table (check the corresponding check box), and then click the Task button from
the toolbar. The Device Upgrade dialog pops up. This dialog shows all devices matching with the selected firmware.
5. Configure the upgrading options. The options are:
Backup Version: Select a version to be the backup firmware on the device (up to 2 versions can be saved on a
device). You can choose the backup version by selecting from the drop-down list. "Active" refers to the version
currently running on the device; "Backup" refers to the backup version on the device.
Backup Configuration: If this check box is selected, HSM backs up the configuration on the device when upgrading.
Reboot: If this check box is selected, HSM will reboot the device after pushing the firmware to the device suc-
cessfully to make the new firmware take effect.
To configure the upgrading options for all the devices to be upgraded, click the Upgrade Options button and con-
figure on the pop-up dialog.
Waiting for upgrade: The device is waiting for loading the firmware from HSM.
Waiting for reboot: When multiple devices are configured in the task, the devices which have finished uploading the
firmware will be marked as this status.
Cancelling: The administrator cancelled the task and the device is cancelling the task.
Upgrade succeeded: The device has rebooted with the newly upgraded firmware.
Upgrade failed: You can get the failure reason from the upgrade logs.
To check the upgrading task status, take the following steps:
2. On the upgrading page, click the Task button, and on the Current Upgrade Task dialog, check the upgrading status
for each device.
To cancel the upgrade task, click the Cancel Upgrade button in the bottom-right corner of the dialog. A task that is already executing cannot be cancelled.
1. Click Device > Upgrade > Device Upgrade from the level-1 navigation pane.
2. Click Upgrade Log from the upgrading navigation pane, and the upgrading logs will be displayed in the main win-
dow.
You can filter the log messages by selecting the conditions above the log message table.
The following illustration shows the layout of the device upgrade page.
Level-1 Navigation Pane
The level-1 navigation pane allows you to navigate to different modules of HSM.
Option Description
Device Upgrade: Goes to the device upgrading page, which includes the toolbar and the table of StoneOS firmware. You can configure the upgrading tasks and view the upgrading status on this page.
Upgrade Log: Shows the upgrading logs. The search function is supported for you to find the required log messages.
Filter
You can filter the log messages by selecting the conditions provided here. The filter conditions are described below:
Option Description
1. Select a type from the drop-down list before the keyword text box to restrict the keyword scope.
2. Type the keyword in the text box and press the Enter key. The messages in the specified scope that include the keyword are displayed in the log message table.
To cancel the keyword filter, use either of the following two methods:
Delete the keyword from the text box and then press the Enter key.
Select None from the drop-down list, move the cursor to the text box and then press the Enter key.
Main Window
The main window shows all the upgrading log messages. The columns of the log message table are described below:
Option Description
Executor: Shows the name of the administrator who executes the upgrading task.
1. Click Device > Upgrade > Signature Update from the level-1 navigation pane.
2. Click the target signature upgrade tab, and then select a signature version from the drop-down menu in the upper-right corner of the toolbar.
4. According to the current version of signature database, select devices to be upgraded from the device list.
5. Click the Upgrade button to start upgrading the signature database for the selected devices.
You can view the Status column to see if the signature database has been upgraded successfully.
1. Click Device > Upgrade > Signature Update from the level-1 navigation pane.
2. Select the target signature upgrade tab, and then click the New button in the toolbar. The corresponding Update Server Configuration dialog appears.
Option Description
the servers according to your need. Entering or selecting are both supported. In the subsequent drop-down menu, specify the virtual router (only applicable to NGFW). You can also create a new virtual router by clicking Add a vrouter in the drop-down menu.
Whether Automatic: Select the check box and set the update time; the signature database of the managed device is then updated automatically according to the settings.
Primary Proxy: When the device accesses the Internet through an HTTP proxy server, you need to specify the IP address and port number of the HTTP proxy server. With the HTTP proxy server specified, the signature database can be updated normally. This option is optional.
Stand-by Proxy: When the primary proxy server cannot access the Internet, the backup proxy server takes effect. This option is optional.
Relevant Device: Select the device or device group to which the upgrade template will be delivered.
4. Click OK. The upgrade template appears in the template list.
In the Device To SendDown column, click the corresponding link to view all relevant devices and their status.
To deliver an upgrade template, take the following steps:
1. Click Device > Upgrade > Signature Update from the level-1 navigation pane.
2. Click the target signature upgrade tab, and then select the upgrade template which you want to deliver, and then
click the SendDown button from the toolbar.
3. In the upper left corner of the dialog, select device type to view devices and their status.
Devices to SendDown are the devices whose update server settings differ from the template.
All devices, i.e. the relevant devices, include the devices to SendDown, the offline devices, and the devices whose update server settings are the same as the template.
4. Click OK. The configuration in the upgrade template starts being delivered, and a task is generated.
Click View Task Log to view the delivery log for the signature upgrade template. You can also go to the Task Management page to view information such as the status of the task.
Configuration File Management
A configuration file includes all configurations in a Hillstone device. The configuration file management function in HSM facilitates the management of configuration files located on different Hillstone devices and of each configuration file's change history. You can perform the management in the following two tabs:
Configuration File List tab: Displays configuration files of Hillstone devices and the corresponding information.
Before performing the Deploy Configuration action in Configuration > Device Configuration
After performing the Import Configuration action in Configuration > Device Configuration
An automatically retrieved configuration file is named full_xml_config_date_time, for example full_xml_config_20130929033151. While retrieving a configuration file, HSM checks the number of files already stored in HSM for the device. If the total number of configuration files does not exceed the limit, HSM stores the retrieved file. If the total number has reached the limit, HSM deletes the oldest deletable files of this device and then stores the retrieved file. If HSM fails to retrieve the configuration files, you can retrieve them manually.
For the following situations, there is a green up arrow ( ) next to the device name which indicates that the con-
figurations in the device have changed:
HSM fails to retrieve the configuration files automatically
Note: If a device contains VSYS devices, the green up arrow ( ) is not supported on the device node.
Retrieving Configuration Files Manually
To manually retrieve the configuration files, take the following steps:
1. With the Configuration File List tab active, select a device from the device navigation pane.
Click the icon in the top-right corner of the device list to filter device type, including NGFW, IPS and WAF.
2. Click Retrieve Configurations in the toolbar. The Retrieve Configurations dialog pops up.
3. In the dialog, modify the file name and enter the description (optional).
Retrieving Configuration Files on Schedule
You can set a schedule to obtain the configuration files of specified devices at a specified time. To retrieve the configuration files on schedule, take the following steps:
2. Click Retrieve Configurations Schedule in the top-right corner, the Retrieve Configurations Schedule dialog pops
up.
3. In the device list on the left, choose the devices whose configuration files will be retrieved.
Click the icon in the top-right corner of the device list to filter device type, including NGFW, IPS and WAF.
Every Day: Select the radio button to specify the specific time each day to get the configuration files.
Every Week: Select the radio button to specify the specific time every week to get the configuration files.
Every Month: Select the radio button to specify the specific time every month to get the configuration files.
No plan: There is no retrieving schedule for configuration files. This option is selected by default.
5. Click OK. The system retrieves the configuration files at the specified time.
You can check whether a configuration file was retrieved successfully on the HSM System Log page by viewing the logs of the Get Configuration operation type.
Viewing Configuration File
To view the detailed configurations in a configuration file, take the following steps. The configurations are displayed in CLI format.
1. With the Configuration File List tab active, select a device from the device navigation pane. The related configuration
files are displayed in the main window.
3. Click View Configurations in the toolbar. The View Configurations dialog pops up and displays the detailed con-
figurations.
View Change History
The change history of a configuration file records the details of each change.
To view the change history, take the following steps:
1. With the Configuration File List tab active, select a device from the device navigation pane. The related configuration
files are displayed in the main window.
3. Click the View link in the Change History column. The Configuration Change History dialog pops up and displays
the change history of this selected configuration file.
1. With the Configuration File List tab active, select a device from the device navigation pane. The related configuration
files are displayed in the main window.
2. Select a configuration file. Only one configuration file at a time can be restored to the corresponding device.
3. Click Restore in the toolbar. The Restore Configuration page appears. You can choose whether to save the configuration and reboot the device as needed, and take one of the following two methods:
Immediately: Select the Immediately radio button to restore the specified configuration file immediately.
On Schedule: Select the On Schedule radio button to specify a time at which to restore the configuration file. The time point must be after the current time of the HSM system; otherwise, the configuration might not be restored.
4. Click OK to save your settings and close the dialog. A notice with the task details pops up at the bottom. Click it to enter the task schedule page.
Note: A device that is restoring a configuration file cannot execute another configuration restore task at the same time; otherwise the task will fail.
Exporting Configuration Files
To obtain backup copies of configuration files, you can export them from HSM to your local PC.
To export a configuration file, take the following steps:
1. With the Configuration File List tab active, select a device from the device navigation pane. The related configuration files are displayed in the main window.
4. Click OK. The Save As dialog appears. You can select the save path and rename the configuration file as needed.
5. Click OK to export the configuration file. The system then prompts that the configuration file has been exported successfully.
Note: Configuration files exported from HSM are in ZIP format.
1. With the Configuration File List tab active, select a device from the device navigation pane. The related configuration
files are displayed in the main window.
3. Click Import in the toolbar. The Import Configuration page and the Open dialog appear. Select the local configuration file in the Open dialog and click OK; the Open dialog closes. The name of the configuration file to be imported and the loading progress bar are displayed in the Import Configuration File dialog.
4. Click Upload. The upload progress bar is displayed. The successfully imported configuration file is then shown in the main window.
1. With the Configuration File List tab active, select a device or a device group from the device navigation pane. The
related configuration files are displayed in the main window.
3. Click Add to Compare. The File Comparison List dialog appears. The selected two files are added to this list with the
device name and the file name displayed. To change files, you can delete them from the list by clicking Delete, and
then select new configuration files.
4. In File Comparison List, click Compare. The Compare Configuration dialog pops up and displays the detailed configurations in each file. The differences are marked in red.
Editing Configuration File
By editing a configuration file, you can achieve the following aims:
1. With the Configuration File List tab active, select a device from the device navigation pane. The related configuration
files are displayed in the main window.
Status: Select status for this file: Deletable or Permanently Saved. Deletable is the default status and represents
that this file can be deleted. Permanently Saved represents that this file cannot be deleted. For each device, the
maximum number of files with the Permanently Saved status is 10.
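The retention behaviour described above for automatically retrieved files, together with the Deletable and Permanently Saved statuses, modelled in an added Python example (not HSM's own code). The automatic file name format and the limit of 10 Permanently Saved files per device come from this guide; the per-device file limit MAX_FILES is an assumed value.

```python
"""Retention model for configuration files retrieved into HSM (added example, not HSM's
own code). It follows the guide: an automatically retrieved file is named
full_xml_config_<YYYYMMDDhhmmss>; each file is Deletable (default) or Permanently Saved;
at most 10 files per device may be Permanently Saved; and when a device's store is full,
the oldest Deletable files are removed before a newly retrieved file is stored.
Assumed: the per-device file limit MAX_FILES, which the guide does not state.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_FILES = 12       # assumed per-device limit (not stated in the guide)
MAX_PERMANENT = 10   # from the guide: at most 10 Permanently Saved files per device
AUTO_NAME_RE = re.compile(r"^full_xml_config_(\d{14})$")

def automatic_name(retrieved_at):
    """Name HSM gives an automatically retrieved file, e.g. full_xml_config_20130929033151."""
    return "full_xml_config_" + retrieved_at.strftime("%Y%m%d%H%M%S")

def retrieval_time(name):
    """Recover the retrieval time from an automatic file name; reject any other name."""
    match = AUTO_NAME_RE.match(name)
    if match is None:
        raise ValueError("not an automatically retrieved file name: " + name)
    return datetime.strptime(match.group(1), "%Y%m%d%H%M%S")

class RetentionError(Exception):
    """Raised when the retention rules forbid the requested operation."""

@dataclass
class ConfigFile:
    name: str
    retrieved_at: datetime
    permanent: bool = False   # False = Deletable (default), True = Permanently Saved

    @classmethod
    def automatic(cls, retrieved_at):
        """A file retrieved automatically, named after its retrieval time."""
        return cls(automatic_name(retrieved_at), retrieved_at)

@dataclass
class DeviceStore:
    """The configuration files HSM holds for one managed device."""
    files: list = field(default_factory=list)

    def permanent_count(self):
        return sum(1 for f in self.files if f.permanent)

    def set_permanent(self, name):
        """Mark a file Permanently Saved, enforcing the limit of 10 such files per device."""
        target = next(f for f in self.files if f.name == name)
        if not target.permanent and self.permanent_count() >= MAX_PERMANENT:
            raise RetentionError("at most %d Permanently Saved files per device" % MAX_PERMANENT)
        target.permanent = True

    def store(self, new_file):
        """Store a retrieved file, first deleting the oldest Deletable files if the store
        is full. Returns the names of the files deleted to make room."""
        deleted = []
        while len(self.files) >= MAX_FILES:
            deletable = [f for f in self.files if not f.permanent]
            if not deletable:
                # Every slot holds a Permanently Saved file, so nothing may be deleted;
                # treating this as a failed retrieval is an assumption of this example.
                raise RetentionError("store full and no Deletable file to remove")
            oldest = min(deletable, key=lambda f: f.retrieved_at)
            self.files.remove(oldest)
            deleted.append(oldest.name)
        self.files.append(new_file)
        return deleted

def demo():
    """Constructed scenario: fill a store with automatic retrievals, pin the oldest file,
    then store one manually retrieved file that carries a user-chosen name."""
    base = datetime(2013, 9, 29, 3, 31, 51)
    store = DeviceStore()
    for minutes in range(MAX_FILES):
        store.store(ConfigFile.automatic(base + timedelta(minutes=minutes)))
    store.set_permanent("full_xml_config_20130929033151")   # the oldest file is now pinned
    manual = ConfigFile("test by myself_201311191354", datetime(2013, 11, 19, 13, 54))
    deleted = store.store(manual)   # the oldest Deletable file (03:32:51) makes room
    return {"deleted": deleted, "count": len(store.files), "permanent": store.permanent_count()}

if __name__ == "__main__":
    print(demo())
```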
1. With the Configuration File List tab active, select a device from the device navigation pane. The related configuration
files are displayed in the main window.
2. Select files to be deleted by selecting the checkboxes before the file name.
3. Click Delete in the toolbar to delete the selected files. If the selected files include Permanently Saved files, the Delete button is greyed out.
1. With the Configuration File List tab active, select a device or a device group. The related configuration files of this
device or this device group are displayed in the main window.
2. Specify the filter conditions.
Filter Condition Description
Time: Search the configuration files whose retrieval time is within the specified period.
Status: Search the configuration files that match the specified file status.
Keyword: Search the configuration files whose columns contain the entered keywords. You can search the contents in the following columns: Device Name, File Name, SN, and Description.
3. Click Search. The configuration files that meet all filter conditions are displayed in the main window.
Editing Change Record
To edit a change record, take the following steps:
1. With the Configuration Change History tab active, select a device from the device navigation pane. The related
change records of this device are displayed in the main window.
1. With the Configuration Change History tab active, select a device from the device navigation pane. The related
change records of this device are displayed in the main window.
1. With the Configuration Change History tab active, select a device or a device group. The related change records of
this device or this device group are displayed in the main window.
2. Specify the filter conditions.
Filter Condition Description
Time: Search the change records whose retrieval time is within the specified period.
Operation: Search the change records that match the specified operation.
Keyword: Search the change records whose columns contain the entered keywords. You can search the contents in the following columns: User, Device Name, File Name, and Description.
3. Click Search. The change records that meet all filter conditions are displayed in the main window.
Deployment Scenario
A company is headquartered in Beijing and has branches in Shanghai and Guangzhou. Each office is deployed with a Hill-
stone security appliance to control Internet access. The requirement is to deploy an HSM in Beijing to manage the three
devices, as shown below:
Requirement
Requirement 1: Add three security appliances
Requirement 2: Retrieve configuration files
Preparation
Configure a management IP address and the system time on HSM as described in Deploying HSM Management Envir-
onment.
1. Click Device > Management from the level-1 navigation pane to enter the Device Management page.
2. Click the triangle icon ( ) next to the Add Device button and select Add Multiple Devices from the drop-down
menu. The Add Multiple Devices dialog pops up.
3. Click Download Device Info File Template. The Save As dialog appears.
7. In the Add Multiple Devices dialog, click Browse. The Open dialog appears.
8. Locate the modified template and click OK. HSM starts to load the template.
9. After loading the template, click Upload. HSM starts to read the template and add the devices in it to HSM. If registration fails for any one device, the registration of all devices in the template fails.
When there is a green up arrow ( ) next to the device name, it indicates that the configurations in the device have
changed.
To retrieve the running configuration file to HSM, take the following steps:
1. Click Device > Management from the level-1 navigation pane and then click the Device Management tab.
2. In the device navigation pane, select the device from which you want to retrieve the configuration file.
3. With the Configuration File Management tab active, click Retrieve Configuration in the toolbar. The Retrieve Con-
figurations dialog appears.
4. Change the file name to test by myself_201311191354 and add the description: this is a test.
Introduction to Configuration Management
Configuration management manages all kinds of rules (policy rules, NAT rules, route rules) and the related objects on devices. Using HSM, you can retrieve the rule configuration of each device and deploy rules from HSM to devices, so that the devices are managed centrally. To reduce configuration errors, HSM provides the following functions to help administrators find and resolve problems: rule conflict check, redundant object check, object reference check, and so on.
Here are the descriptions of configuration management related concepts:
Policy: HSM supports configuring policy rules for devices. One policy can be deployed to multiple devices, but one device can only have one policy. HSM supports private policies and shared policies.
Private Policy: A policy that belongs only to one certain device and cannot be used by other devices. A private policy can be converted to a shared policy.
Shared Policy: A shared policy can be used by any device. A shared policy can be copied as a private policy.
NAT: HSM supports configuring SNAT and DNAT rules, and supports private NAT rules and shared NAT rules.
Private NAT: A NAT rule that belongs only to one certain device and cannot be used by other devices. A private NAT cannot be converted to a shared NAT.
Shared NAT: A shared NAT can be used by any device. A shared NAT cannot be copied as a private NAT.
Route: HSM supports configuring destination route rules, and supports private destination route rules and shared destination route rules.
Private Route: A route that belongs only to one certain device and cannot be used by other devices. A private route cannot be converted to a shared route.
Shared Route: A shared route can be used by any device. A shared route cannot be copied as a private route.
Object: The objects referenced by rules in policies, NAT rules and routes. HSM supports private objects and shared objects.
Private Object: An object that belongs only to one certain device. When a private policy is converted to a shared policy, the private objects of the private policy are converted to shared objects as well.
Shared Object: A shared object can be referenced by all rules, including private rules. A shared object cannot be converted to a private object.
Device Configuration Sync: HSM checks the configuration of a device on both the local device and HSM, and lists the configuration differences. According to the differences, administrators can choose to upload the configuration from the local device to HSM or deploy the configuration from HSM to the local device.
Rule Redundancy check: To ensure that the rules in a policy are effective, HSM provides a method to check for conflicts among the rules in a policy. With this method, administrators can obtain rule shadow information, that is, which rules are covered by other rules.
Rule hit statistics: For the rules running on the devices, HSM gathers hit statistics and shows the result in a pie chart, helping administrators learn the traffic matching status in their networks.
Redundant object check: Redundant objects are objects that are not referenced by any policy, or objects that have different names but the same contents.
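The rule shadow check and the redundant object check named above, modelled in an added Python example (not HSM's own code). The address and service objects, the sample policy, and the matching fields (source address, destination address, service) are constructed assumptions for illustration; the checks themselves follow the definitions given in this section.

```python
"""Rule shadow check and redundant object check (added example, not HSM's own code).
A rule is covered (shadowed) when an earlier rule in the same policy already matches
every source, destination and service the later rule matches, so it never hits; an
object is redundant when no rule references it or when another object with a different
name has the same contents. Assumed: rules match on source address, destination address
and service objects only; coverage is tested against single earlier rules, not unions.
"""
from dataclasses import dataclass
from ipaddress import ip_network
# Constructed sample objects: IPv4 networks and "proto/port" entries; "any" matches everything.
ADDRESSES = {
    "any": ("0.0.0.0/0",),
    "lan": ("10.0.0.0/8",),
    "hq_servers": ("10.1.0.0/16",),
    "hq_servers_copy": ("10.1.0.0/16",),   # same contents as hq_servers, different name
    "guest": ("192.168.100.0/24",),
}
SERVICES = {
    "any": ("any",),
    "web": ("tcp/80", "tcp/443"),
    "http": ("tcp/80",),
    "ssh": ("tcp/22",),
}

@dataclass(frozen=True)
class Rule:
    rule_id: int
    src: tuple       # names of source address objects
    dst: tuple       # names of destination address objects
    service: tuple   # names of service objects
    action: str      # "permit" or "deny"

def _addresses_covered(inner, outer):
    """True if every network of the inner objects lies inside a network of the outer ones."""
    outer_nets = [ip_network(n) for name in outer for n in ADDRESSES[name]]
    for name in inner:
        for n in ADDRESSES[name]:
            net = ip_network(n)
            if not any(net.subnet_of(o) for o in outer_nets if o.version == net.version):
                return False
    return True

def _services_covered(inner, outer):
    """True if every service entry of the inner objects is also matched by the outer ones."""
    outer_entries = {e for name in outer for e in SERVICES[name]}
    if "any" in outer_entries:
        return True
    inner_entries = {e for name in inner for e in SERVICES[name]}
    return "any" not in inner_entries and inner_entries <= outer_entries

def shadowed_rules(rules):
    """Return {covered_rule_id: covering_rule_id}; only an earlier rule can cover a later one."""
    covered = {}
    for position, later in enumerate(rules):
        for earlier in rules[:position]:
            if (_addresses_covered(later.src, earlier.src)
                    and _addresses_covered(later.dst, earlier.dst)
                    and _services_covered(later.service, earlier.service)):
                covered[later.rule_id] = earlier.rule_id   # report the first covering rule
                break
    return covered

def referenced_names(rules, kind):
    """Names of the objects a policy references; kind is "address" or "service"."""
    names = set()
    for rule in rules:
        names.update(rule.service if kind == "service" else rule.src + rule.dst)
    return names

def redundant_objects(objects, referenced):
    """Return (unreferenced object names, groups of names whose contents are identical)."""
    unreferenced = sorted(name for name in objects if name not in referenced)
    by_contents = {}
    for name, contents in objects.items():
        by_contents.setdefault(tuple(sorted(contents)), []).append(name)
    duplicates = sorted(sorted(names) for names in by_contents.values() if len(names) > 1)
    return unreferenced, duplicates

def check_policy(rules):
    """Run both checks on a policy and return the findings in one dictionary."""
    shadow = shadowed_rules(rules)
    by_id = {rule.rule_id: rule for rule in rules}
    # a covered rule whose action differs from its covering rule is a real conflict
    conflicting = sorted(rid for rid, cover in shadow.items()
                         if by_id[rid].action != by_id[cover].action)
    unref_addr, dup_addr = redundant_objects(ADDRESSES, referenced_names(rules, "address"))
    unref_svc, dup_svc = redundant_objects(SERVICES, referenced_names(rules, "service"))
    return {"shadowed": shadow, "conflicting": conflicting,
            "unreferenced_objects": unref_addr + unref_svc,
            "duplicate_objects": dup_addr + dup_svc}

# Constructed sample policy: rule 1 already permits everything rule 2 would deny.
POLICY = [
    Rule(1, ("lan",), ("any",), ("web",), "permit"),
    Rule(2, ("hq_servers",), ("any",), ("http",), "deny"),
    Rule(3, ("guest",), ("any",), ("ssh",), "deny"),
    Rule(4, ("any",), ("any",), ("any",), "deny"),
]
```

Calling check_policy(POLICY) reports rule 2 as covered by rule 1 with a conflicting action, hq_servers_copy as unreferenced, and hq_servers and hq_servers_copy as duplicates.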
HSM supports single device policy management (device configuration) and global policy management (shared con-
figuration). HSM provides the task management method to track the policy related tasks, and also the log messages are
generated for you to know the task status and results. For more information, see task.
For the detailed information about policy management, see the following sections:
Global Configuration
Device Configuration
Device Object
Policy
iQoS
NAT
Route
Synchronizing Configuration
Specifying Configuration
Snapshot Management
Locking Configuration
The rules created on the device configuration page are all private rules, and belong to a certain device. On HSM, you can
create, edit, and delete the private rules. After configuring the private rules, you need to deploy the private rules to the
managed device if you want to take effect on the device. For more detailed information about deploying configuration,
see Synchronizing Configuration.
Creating a Policy Rule
A new rule can be created in either of the two ways described below.
To create a rule by inserting, take the following steps:
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.
Schedule: Specifies a schedule during which the security policy rule takes effect. Select the desired schedule from the Schedule drop-down list. This option supports fuzzy search. After selecting the desired schedules, click the blank area in this dialog to complete the schedule configuration. To create a new schedule, click New Schedule.
Action: Specifies an action for the traffic that matches the policy rule, including:
Secured connection:
Record Log: You can log policy rule matches in system logs according to your needs. For policy rules with the Deny action, logs are generated when traffic that matches the policy rule is denied. Select one or more check boxes to enable the corresponding log types.
Data Security: You can view the state of data security on HSM.
Content Filter:
SSL Proxy: Displays the SSL Proxy rule in the HSM device. HTTPS traffic can be decrypted and controlled by combining policies with the SSL Proxy rule.
Description: Type a description into the Description box.
QoS Tag: Adds a QoS tag to the matched traffic; type the value into the box. The smaller the value of the QoS tag, the higher the priority with which the device allows the traffic to pass.
Operation Record: Records the detailed information about your operations on a policy.
Hits: Displays the number of user traffic hits on the security policy.
Shadow: Select the Rule Conflict Check box. You can view the number and IDs of the rules that are covered, and delete the rules as needed.
Last Hit Date: The last date on which user traffic hit the security policy.
4. On the Security Policy page, a new rule can be inserted in three ways:
Click the arrow after New Rule and select the position (Bottom, Top, Bottom in group, Top in group, After, Before) at which the inserted rule is located from the menu;
Right-click a rule in the entry list, select New Rule, then choose Bottom/Top/After/Before from the pop-up menu;
Right-click a rule group in the entry list, select New Rule, then choose Bottom/Top/Bottom in group/Top in group/After/Before from the pop-up menu.
An all-deny rule is created at the specified position. If you click the New Rule button directly without specifying the position, the system creates an all-deny rule at the bottom of the rule list.
5. Edit the rule according to your own requirements. For more information, please refer to "Editing Rules" on page 66.
To create a rule by the copy/paste way, take the following steps:
1. In Security Policy page, select a rule from the rule list, right-click on the rule and choose Copy from the pop-up
menu.
You can copy one or more security policy rules :
Select one rule first and hold the Ctrl key to choose discontinuous rules;
Select one rule first and hold the Shift key to choose continuous rules.
Right-click on the blank cell and select Paste, then choose Bottom/Top from the pop-up menu;
Right-click on a rule in the entry list and select Paste, then choose Bottom/Top/After/Before from the pop-up
menu;
Right-click on a rule group in the entry list and select Paste, then choose Bottom/Top/Bottom in group/Top in
group/After/Before from the pop-up menu.
The copied rules will be pasted at the specified position.
Note: HSM does not support copying private policy rules to another private policy.
Editing Rules
To edit a rule, use one of the following methods:
In the rule list, double-click the cell of the object to be edited.
To use Advanced Edit mode, on the policy rule list page, hold the Ctrl key and left-click a cell; the cell content is copied to the clipboard. Then left-click the policy rule option you want to modify and select Cover Paste to overwrite the option with the clipboard contents, or select Add Paste to add the clipboard contents to the option.
Creating a Rule Group
A security policy rule group is the management unit of rules. HSM does not deploy rule groups to the managed devices. You can move existing rules into a rule group and also create new rules inside it. Rule groups can be folded and expanded. A new rule group can be created in either of the two ways below.
To create a rule group by inserting, take the following steps:
Click the arrow next to New Rule Group, then select the position of the inserted rule group (With selected rules, Bottom, Top, After, Before) from the menu;
Select one rule, right-click and select New Rule Group, then choose With selected rules/Bottom/Top/After/Before from the pop-up menu; or hold the Shift key to choose continuous ungrouped rules in the entry list, right-click and select New Rule Group, then choose With selected rules/Bottom/Top from the pop-up menu;
If With selected rules is selected, the selected rules are added to the new group.
Right-click on a rule group in the entry list and select New Rule Group, then choose Bottom/Top/After/Before from the pop-up menu.
2. In the New Rule Group dialog box, enter group name and click OK.
A rule group will be created at the specified position. If you click the New Rule Group button directly without specifying a position, the system creates a rule group containing the selected rules. You can click the group name to modify it.
To create a rule group by copying and pasting, take the following steps:
1. In Security Policy page, select a rule group from the rule list, right-click on the rule group and choose Copy from the
pop-up menu.
You can copy one or more security policy rule groups:
Select one rule group first and hold the Ctrl key to choose discontinuous rule groups;
Select one rule group first and hold the Shift key to choose continuous rule groups.
2. Paste rule groups. Three ways can be used to paste new rule groups:
Right-click on the blank cell and select Paste, then choose Bottom/Top from the pop-up menu;
Right-click on a rule in the entry list and select Paste, then choose Bottom/Top/After/Before from the pop-up menu;
Right-click on a rule group in the entry list and select Paste, then choose Bottom/Top/After/Before from the pop-up menu.
The copied rule groups will be pasted at the specified position, with all of their original rules included. The group name remains unchanged.
Note: HSM does not support copying private rule groups to another private policy.
Moving Rules and Groups
To move a rule or group, select the rule or group to be moved, press and hold the left mouse button, drag it to the target position, then release the button. If a rule group is moved, the relative positions of the rules in the group remain unchanged. Rules can be freely moved into or out of a rule group, but a rule group cannot be moved into another rule group.
Deleting a Rule Group
To delete a rule group, take the following steps:
1. In Security Policy page, select a rule group from the rule list and click Delete from the toolbar.
In the pop-up dialog box, if the Delete rules check box is checked, the system will delete the rule group and all the
Note: When all the rules in the rule group are deleted, the rule group will be empty, rather than
be deleted.
Creating a Partition Group
Partition group is the management unit of devices. You can add correlated devices into one partition group.
To create a partition group, take the following steps:
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.
2. In the device navigation pane, right-click All devices, and then select Deploy a batch of rules from the pop-up
menu. The Deploy a batch of rules guide dialog appears.
4. Type the partition group name into the Name text box.
5. Select the devices to be added from the Relevant Device drop-down list.
Deploying a Batch of Rules
HSM provides a guide to help you deploy a batch of rules.
To deploy a batch of rules, take the following steps:
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.
2. In the device navigation pane, right-click All devices, and then select Deploy a batch of rules from the pop-up
menu. The Deploy a batch of rules guide dialog appears.
The following are three steps in the guide. Click Next once one step is completed.
You can select the position for the incoming security policy rules: top or bottom.
You can configure policy rules for the partition groups. Policy configuration includes creating/editing/deleting/moving
rules. For more detailed information about deploying configuration, see Policy Configuration.
After the above configurations, click Deploy to add the policy rules to the devices in the partition group.
Opening Local Snapshot
This feature displays the security policy section of a local snapshot file, so that users can copy local modifications to a shared or private policy. To copy rules or groups from a snapshot, take the following steps:
1. In Security Policy page, click Open Local Snapshot from the toolbar, select the local snapshot, then click Open.
4. Click the minimize or close button to locate the target security policy page, then right-click and choose Paste to select the position of the copied rule from the menu.
Rule Match Analysis
Rule match analysis searches for the security policy rules that match the values you specify. For example, if the source IP address you specify is included in the source address entries of a rule, that rule is displayed in the result list.
1. In Security Policy page, click Rule Match Analysis from the toolbar.
2. Enter value in one or more text fields in the pop-up dialog box.
Source Addr: Specify the source IP address.
Src Port: Specify the source port of service.
Destination Addr: Specify the destination IP address.
Dst Port: Specify the destination port of service.
Protocol: Specify the transport layer protocol of service.
Policy Rule Management
Policy rule management includes:
Rule Conflict Check: Checks whether rules overshadow each other. Using this function improves the effectiveness of the rules.
Rule Hit Statistics: Gather the rule hit statistics and show the statistics by pie chart.
In Security Policy page, select the rule to be operated on from the rule list, then double-click the icon in the Status column to change the status.
Two ways are supported to perform the rule conflict check function:
Select the Rule Conflict Check check box from the toolbar; the system begins to check the conflicts among rules in the policy. When the check is finished, the useless rules become hatched, and the IDs of all rules that overshadow a rule are listed in the last column (Shadow) of the rule list. You can select all of the redundant rules by clicking the number in brackets after the check box, so that you can delete them in batches.
From the device navigation pane, right-click on the device whose rule conflicts you want to check, and then select Rule Conflict Check from the pop-up menu. The system generates the task and begins to check. When the check is finished, click the View Report button to read the detailed information. Click on the upper right corner to save the report locally in PDF format.
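The following script is an added example (not HSM code) that models the two checks described above: Rule Match Analysis, which lists every rule whose address, port and protocol entries include the values you give, and Rule Conflict Check, which reports the rules that are overshadowed by a rule higher in the list. It assumes first-match evaluation from top to bottom and IPv4 CIDR address entries; the sample policy is constructed for the example.

```python
"""Rule match analysis and rule conflict (shadow) check for a security policy.

Added example, not HSM code. Rules are evaluated top to bottom and the first
match wins, so a rule is "overshadowed" when a rule above it already covers
all of the traffic the lower rule could match. Sample rules are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ANY_PORT = (1, 65535)  # port range meaning "any port"


@dataclass
class Rule:
    rule_id: int
    action: str                    # "permit" or "deny"
    src: List[str]                 # source address entries (IPv4 CIDR)
    dst: List[str]                 # destination address entries (IPv4 CIDR)
    protocols: Set[str]            # e.g. {"tcp"}; {"any"} matches every protocol
    src_ports: Tuple[int, int] = ANY_PORT
    dst_ports: Tuple[int, int] = ANY_PORT


def _ip_in(entries: List[str], ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e) for e in entries)


def _in_range(rng: Tuple[int, int], port: int) -> bool:
    return rng[0] <= port <= rng[1]


def match_rules(rules: List[Rule], src: Optional[str] = None, dst: Optional[str] = None,
                proto: Optional[str] = None, sport: Optional[int] = None,
                dport: Optional[int] = None) -> List[int]:
    """Rule Match Analysis: IDs of every rule whose entries include the given values.

    Fields left as None are not used as a filter. The first ID returned is the
    rule that would actually take effect on such traffic.
    """
    hits = []
    for r in rules:
        if src is not None and not _ip_in(r.src, src):
            continue
        if dst is not None and not _ip_in(r.dst, dst):
            continue
        if proto is not None and "any" not in r.protocols and proto not in r.protocols:
            continue
        if sport is not None and not _in_range(r.src_ports, sport):
            continue
        if dport is not None and not _in_range(r.dst_ports, dport):
            continue
        hits.append(r.rule_id)
    return hits


def _nets_cover(outer: List[str], inner: List[str]) -> bool:
    """True when every inner address entry lies inside some outer entry."""
    outer_nets = [ipaddress.ip_network(o) for o in outer]
    return all(any(ipaddress.ip_network(i).subnet_of(o) for o in outer_nets) for i in inner)


def _covers(a: Rule, b: Rule) -> bool:
    """True when rule a matches everything rule b could match."""
    return (_nets_cover(a.src, b.src) and _nets_cover(a.dst, b.dst)
            and ("any" in a.protocols or b.protocols <= a.protocols)
            and a.src_ports[0] <= b.src_ports[0] and b.src_ports[1] <= a.src_ports[1]
            and a.dst_ports[0] <= b.dst_ports[0] and b.dst_ports[1] <= a.dst_ports[1])


def shadow_check(rules: List[Rule]) -> Dict[int, List[int]]:
    """Rule Conflict Check: map each overshadowed rule ID to the IDs above it that cover it.

    Only single-rule coverage is reported; a rule hidden by the union of several
    narrower rules above it is not detected by this simple check.
    """
    report: Dict[int, List[int]] = {}
    for i, r in enumerate(rules):
        shadowers = [a.rule_id for a in rules[:i] if _covers(a, r)]
        if shadowers:
            report[r.rule_id] = shadowers
    return report


# Constructed sample policy (not from the guide): rule 2 is hidden by rule 1,
# rule 4 by rule 3; rule 5 is the closing all-deny rule.
SAMPLE_RULES = [
    Rule(1, "permit", ["10.1.0.0/16"], ["0.0.0.0/0"], {"tcp"}, dst_ports=(443, 443)),
    Rule(2, "deny", ["10.1.2.0/24"], ["0.0.0.0/0"], {"tcp"}, dst_ports=(443, 443)),
    Rule(3, "permit", ["10.1.0.0/16"], ["192.168.10.0/24"], {"any"}),
    Rule(4, "deny", ["10.1.3.0/24"], ["192.168.10.5/32"], {"udp"}, dst_ports=(53, 53)),
    Rule(5, "deny", ["0.0.0.0/0"], ["0.0.0.0/0"], {"any"}),
]

if __name__ == "__main__":
    print("match:", match_rules(SAMPLE_RULES, src="10.1.2.7", dst="8.8.8.8", proto="tcp", dport=443))
    print("shadowed:", shadow_check(SAMPLE_RULES))
```

Reading the output the way the Shadow column in HSM is read: rule 2 is a deny that can never fire because rule 1 already permits the same traffic, which is exactly the kind of silent policy gap the conflict check is meant to surface before rules are deployed.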
To view the rule hit statistics, take the following steps:
1. From the device navigation pane, right-click on the device whose rule hit statistics you want to view, and then select Rule Hit Statistics from the pop-up menu.
Converting a Policy from Private to Shared
The private policy only belongs to one device, and you can convert a private policy to a shared one for other devices.
Note: Private policies cannot be converted to shared ones when security policies are configured with Data Security and SSL Proxy or linked with From Tunnel(VPN) or Tunnel(VPN).
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.
2. From the device navigation pane, select the device whose policy will be converted. From the object navigation pane,
right-click on the policy and click Convert to Shared from the pop-up menu.
3. Specify the name for the converted policy in the Policy Name text box.
Configuring the Policy-based Protection Function
The HSM system currently supports policy-based Anti Virus, IPS, URL filtering, and sandbox protection checks.
To configure the policy-based protection function, take the following steps:
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.
2. From the device navigation pane, select the device whose policy will be edited. From the object navigation pane, select Policies. The main window shows the policy rule list.
Anti Virus: Select the On check box to enable the Anti Virus function. Select the Anti Virus rule from the drop-down list.
Two ways can be used to configure an Anti Virus rule:
URL Filter: Select the On check box to enable the URL Filter function. Select the URL Filter rule from the drop-down list.
According to the actual needs of users, select a URL Filter rule from the drop-down list, or click New in the drop-down list to create a URL Filter rule. For more information, see URL Filter.
Sandbox: You can view whether sandbox protection is enabled on the managed device. Sandbox protection configuration is currently not supported on HSM.
Two ways can be used to configure a Sandbox rule:
4. After configuring the settings, the rule list displays the status of the Anti Virus, IPS, URL Filter, and Sandbox functions that are enabled.
iQoS
HSM provides centralized management of iQoS (intelligent quality of service), which guarantees the customer's network performance, manages and optimizes the key bandwidth for critical business traffic, and helps the customer fully utilize their bandwidth resources.
iQoS assigns different priorities to different traffic in order to control delay and jitter and decrease the packet loss rate. iQoS can ensure the normal transmission of critical business traffic when the network is overloaded or congested. iQoS is license-controlled. To configure iQoS for a managed device, apply for and install the iQoS license on the managed device.
Note: HSM only supports centralized management of the iQoS function on managed devices running NGFW version 5.5R1 or above.
Implementation Mechanism
Packets are classified and marked after entering the system from the ingress interface. For the classified and marked traffic, the system either forwards it smoothly through the shaping mechanism or drops it through the policing mechanism. If the shaping mechanism is selected, the congestion management and congestion avoidance mechanisms give different priorities to different types of packets so that higher-priority packets pass the gateway earlier, avoiding network congestion.
In general, implementing QoS includes:
Classification and marking mechanism: Classification and marking is the process of identifying the priority of each
packet. This is the first step of iQoS.
Policing and shaping mechanisms: Policing and shaping mechanisms are used to identify traffic violation and make
responses. The policing mechanism checks traffic in real time, and takes immediate actions according to the settings
when it discovers violation. The shaping mechanism works together with queuing mechanism. It makes sure that the
traffic will never exceed the defined flow rate so that the traffic can go through that interface smoothly.
Congestion management mechanism: Congestion management mechanism uses queuing theory to solve problems
in the congested interfaces. As the data rate can be different among different networks, congestion may happen to
both wide area network (WAN) and local area network (LAN). Only when an interface is congested will the queuing
theory begin to work.
Congestion avoidance mechanism: Congestion avoidance mechanism is a supplement to the queuing algorithm,
Pipes and Traffic Control Levels
The system supports two-level traffic control: level-1 control and level-2 control. In each level, the traffic control is implemented by pipes.
Pipes
Devices implement iQoS by means of configured pipes. A pipe is a virtual concept that represents the bandwidth of a transmission path. The system classifies traffic using the pipe as the unit and controls the traffic crossing each pipe according to the actions defined for that pipe. All traffic crossing the device flows into the virtual pipe whose traffic matching conditions it matches. Traffic that does not match any condition flows into the default pipe predefined by the system.
Pipes, except the default pipe, include two parts of configurations: traffic matching conditions and traffic management
actions:
Traffic matching conditions: Defines the traffic matching conditions to classify the traffic crossing the device into
matched pipes. The system will limit the bandwidth to the traffic that matches the traffic matching conditions. You
can define multiple traffic matching conditions to a pipe. The logical relation between each condition is OR. When
the traffic matches a traffic matching condition of a pipe, it will enter this pipe. If the same conditions are configured
in different root pipes, the traffic will first match the root pipe listed at the top of the Level-1 Control list in the Policy
> iQoS page.
Traffic management actions: Defines the actions adopted to the traffic that has been classified to a pipe. The data
stream control includes the forward control and the backward control. Forward control controls the traffic that flows
from the source to the destination; backward control controls the traffic flows from the destination to the source.
To provide flexible configuration, the system supports multiple-level pipes. Configuring multiple-level pipes can limit the bandwidth of different applications of different users, which ensures bandwidth for the key services and users. Pipes can be nested to at most four levels. Sub pipes cannot be nested under the default pipe. The logical relation between pipes is shown below:
You can create multiple root pipes that are independent of each other. At most three levels of sub pipes can be nested under a root pipe.
For the sub pipes at the same level, the total of their minimum bandwidth cannot exceed the minimum bandwidth of their upper-level parent pipe, and the total of their maximum bandwidth cannot exceed the maximum bandwidth of their upper-level parent pipe.
A root pipe that is configured with only backward traffic management actions cannot work.
The following chart illustrates the application of multiple-level pipes in a company. The administrator can create the following pipes to limit the traffic:
1. Create a root pipe to limit the traffic of the office located in Beijing.
3. Create a sub pipe to limit the traffic of the specified applications so that each application has its own bandwidth.
4. Create a sub pipe to limit the traffic of the specified users so that each user owns the defined bandwidth when using
the specified application.
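The script below is an added example (not Hillstone code) that models the pipe rules described above: the conditions of one pipe are ORed, root pipes are tried from the top of the control list downward, traffic matching no root pipe goes to the default pipe, sub pipes nest at most three levels below a root pipe, and the minimum/maximum bandwidth totals of sub pipes may not exceed their parent's. The bandwidth unit and the condition keys (src, dst, app, user) are assumptions made for the example, and the office/application/user tree is constructed after the layout just described.

```python
"""iQoS pipe tree: validation of nesting rules and classification of a flow.

Added example, not Hillstone code. Bandwidth values are in an assumed unit
(kbps); a "flow" is a dict with the assumed keys src, dst, app and user.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

MAX_DEPTH = 4  # root pipe plus at most three levels of sub pipes


@dataclass
class Pipe:
    name: str
    min_bw: int                          # guaranteed bandwidth (kbps, assumed unit)
    max_bw: int                          # bandwidth ceiling (kbps, assumed unit)
    conditions: List[Dict[str, str]]     # traffic matching conditions, OR between them
    children: List["Pipe"] = field(default_factory=list)


def _condition_matches(cond: Dict[str, str], flow: Dict[str, str]) -> bool:
    """All keys of one condition must match the flow (AND inside a condition)."""
    for key, want in cond.items():
        have = flow.get(key)
        if have is None:
            return False
        if key in ("src", "dst"):
            if ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        elif have != want:
            return False
    return True


def pipe_matches(pipe: Pipe, flow: Dict[str, str]) -> bool:
    """OR across a pipe's conditions: any one matching condition admits the flow."""
    return any(_condition_matches(c, flow) for c in pipe.conditions)


def classify(roots: List[Pipe], flow: Dict[str, str]) -> List[str]:
    """Return the pipe path a flow takes through one control level.

    Root pipes are tried in list order (top of the control list first); a flow
    matching no root pipe goes to the default pipe. Inside a matched pipe the
    flow descends into the first matching sub pipe, level by level.
    """
    for root in roots:
        if not pipe_matches(root, flow):
            continue
        path, node = [root.name], root
        while True:
            child = next((c for c in node.children if pipe_matches(c, flow)), None)
            if child is None:
                return path            # stays in the deepest matching pipe
            path.append(child.name)
            node = child
    return ["default"]


def validate(roots: List[Pipe]) -> List[str]:
    """Check the nesting depth and bandwidth-sum rules; return a list of violations."""
    errors: List[str] = []

    def walk(pipe: Pipe, depth: int) -> None:
        if depth > MAX_DEPTH:
            errors.append(f"{pipe.name}: nested deeper than {MAX_DEPTH} levels")
        if pipe.children:
            if sum(c.min_bw for c in pipe.children) > pipe.min_bw:
                errors.append(f"{pipe.name}: sub pipes' minimum bandwidth exceeds the parent's")
            if sum(c.max_bw for c in pipe.children) > pipe.max_bw:
                errors.append(f"{pipe.name}: sub pipes' maximum bandwidth exceeds the parent's")
        for c in pipe.children:
            walk(c, depth + 1)

    for r in roots:
        walk(r, 1)
    return errors


# Constructed pipe tree: office (root) -> application -> user, as in the chart above.
BEIJING = Pipe("Beijing office", 20000, 50000, [{"src": "10.10.0.0/16"}], [
    Pipe("HTTP", 10000, 30000, [{"app": "http"}], [
        Pipe("alice", 4000, 8000, [{"user": "alice"}]),
        Pipe("bob", 4000, 8000, [{"user": "bob"}]),
    ]),
    Pipe("Video", 5000, 20000, [{"app": "video"}, {"app": "streaming"}]),
])
SHANGHAI = Pipe("Shanghai office", 10000, 20000, [{"src": "10.20.0.0/16"}])
LEVEL1_ROOTS = [BEIJING, SHANGHAI]

# Constructed invalid tree: the sub pipes over-commit the parent's bandwidth.
OVERCOMMITTED = Pipe("branch", 1000, 2000, [{"src": "10.30.0.0/16"}], [
    Pipe("a", 800, 1500, [{"app": "http"}]),
    Pipe("b", 800, 1500, [{"app": "video"}]),
])

if __name__ == "__main__":
    print(classify(LEVEL1_ROOTS, {"src": "10.10.3.4", "app": "http", "user": "alice"}))
    print(validate(LEVEL1_ROOTS), validate([OVERCOMMITTED]))
```

Because level-1 and level-2 control each have their own root pipe list, the two-stage process is modelled by calling classify twice with the respective root lists; a flow that reached "Beijing office/HTTP/alice" at level 1 is then classified again against the level-2 roots.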
Traffic Control Levels
The system supports two-level traffic control: level-1 control and level-2 control. In each level, the traffic control is implemented by pipes. Traffic that has been dealt with by level-1 control flows into the level-2 control, and the system then performs further management and control according to the pipe configurations of level-2 control. After the traffic flows into the device, the process of iQoS is shown below:
According to the chart above, the process of traffic control is described below:
1. The traffic first flows into the level-1 control, and the system classifies the traffic into different pipes according to the traffic matching conditions of the level-1 control pipes. Traffic that matches no pipe is classified into the default pipe. If the same conditions are configured in different root pipes, the traffic will first match the root pipe listed at the top of the Level-1 Control list in the Policy > iQoS page. After the traffic flows into the root pipe, the system classifies the traffic into different sub pipes according to the traffic matching conditions of each sub pipe.
2. According to the traffic management actions configured for the pipes, the system manages and controls the traffic that matches the traffic matching conditions.
3. The traffic dealt with by level-1 control flows into the level-2 control. The system manages and controls the traffic in level-2 control. The principles of traffic matching, management and control are the same as those of level-1 control.
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.
4. In the Level-1 Control tab, click Disable First Level Control from the toolbar.
First level traffic control will be disabled. If you need to enable it, please click Enable First Level Control from the toolbar.
The second level traffic control is disabled by default. To enable it, take the following steps:
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.
4. In the Level-2 Control tab, click Enable Second Level Control from the toolbar.
Second level traffic control will be enabled. If you need to disable it, please click Disable Second Level Control from
the toolbar.
Pipe Configuration
By using pipes, devices implement iQoS. Pipes in different traffic control levels will take effect in different stages.
Configuring pipes includes the following sections:
1. Create the traffic matching conditions, which are used to capture the traffic that matches these conditions. If configuring multiple traffic matching conditions for a pipe, the logical relation between each condition is OR.
2. Create a white list according to your requirements. The system will not control the traffic in the white list. Only root
pipe and the default pipe support the white list.
3. Specify the traffic management actions, which are used to deal with the traffic that is classified into a pipe.
4. Specify the schedule. The pipe will take effect during the specified time period.
Basic Operations
Click the icon to expand the root pipe and display its sub pipes.
Click the icon of the root pipe in Whitelist column to view the white list settings.
If there is a red exclamation mark before a pipe name, the pipe cannot be used. To view the reason, hover over the exclamation mark.
Create a root pipe: Select the Level-1 Control or Level-2 Control tab, then click New in the menu bar to create a new
root pipe.
Create a sub pipe: Click the icon of the root pipe or the sub pipe to create the corresponding sub pipe.
Click Enable in the menu bar to enable the selected pipe. By default, the newly-created pipe will be enabled.
Click Disable in the menu bar to disable the selected pipe. The disabled pipe will not take effect.
Click Delete to delete the selected pipe. The default pipe cannot be deleted.
Creating a Pipe
To create a pipe:
1. According to the methods above, create a root pipe or sub pipe. The Pipe Configuration page appears.
Parent Pipe/Control Level: Displays the control level or the parent pipe of the newly created pipe.
The Shape mode can limit the data transmission rate and smoothly forward the traffic. This mode supports
the bandwidth borrowing and priority adjusting for the traffic within the root pipe.
The Policy mode will drop the traffic that exceeds the bandwidth limit. This mode does not support the
bandwidth borrowing and priority adjusting, and cannot guarantee the minimum bandwidth.
The Monitor mode will monitor the matched traffic, generate the statistics, and will not control the traffic.
4. After adding the desired addresses, click the blank area in this dialog to complete the address configuration.
You can also perform other operations:
When selecting the Address Book type, you can click Add to create a new address entry.
1. From the User drop-down menu, select the AAA server where the users and user groups reside.
2. Based on the type of AAA server, you can perform one or more actions: search for a user/user group/role, expand the user/user group list, or enter the name of the user/user group.
2. You can search for the desired service/service group, or expand the service/service group list.
4. After adding the desired objects, click the blank area in this dialog to complete the service configuration.
You can also perform other operations:
ation groups, or software, and then click to add them to the right
pane. To remove a selected application or application group, select it from
1. In the URL category drop-down menu, the user can select one or more URL categories, up to 8 categories.
2. After selecting the desired filters, click the blank area in this dialog to complete the configuration.
To add a new URL category, click the New button; the URL category dialog box pops up. In this dialog box, the user can configure the category name and URL.
Select a URL category and click the Edit button; the URL category dialog box pops up. In this dialog box, the user can edit the URL in the category.
Advanced
VLAN: Specify the VLAN information of the traffic.
TOS: Specify the TOS fields of the traffic; or click Configure to specify the TOS fields of the IP header of the traffic in the TOS Configuration dialog that appears.
4. If you are configuring root pipes, you can specify the white list settings based on the description of configuring conditions.
Type: Select the type of the bandwidth limitation: No Limit, Limit Per IP, or Limit Per User.
No Limit represents that the system will not limit the bandwidth for each IP or each user.
Limit Per IP represents that the system will limit the bandwidth for each IP. In the Limit by section, select Source IP to limit the bandwidth of the source IP in this pipe; or select Destination IP to limit the bandwidth of the destination IP in this pipe.
Limit Per User represents that the system will limit the bandwidth for each user. In the Limit by section, specify the minimum/maximum bandwidth of the users.
When configuring the root pipe, you can select the Enable Average Bandwidth check box to make each source IP, destination IP, or user share an average bandwidth.
Limit by: When the Limit type is Limit Per IP or Limit Per User, you need to specify the minimum bandwidth or the maximum bandwidth:
6. In the Schedule tab, configure the time period when the pipe will take effect. Select the schedule from the drop-down list, or create a new one.
NAT
Creating a SNAT Rule
To create a SNAT Rule, take the following steps:
1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. From the device navigation pane, click the device you want to configure a SNAT rule.
3. From the object navigation pane, click SNAT. The main window shows the SNAT rule list.
4. From the toolbar of the SNAT rules list, click New. The SNAT Configuration page appears.
In the Basic tab in the SNAT Configuration dialog, configure the SNAT basic options.
Ingress: Specify the ingress traffic of the source NAT rule. The default ingress is all traffic.
All Traffic: Specify the ingress traffic of the source NAT rule is all traffic. The traffic from any interface will match
the source NAT rule.
Ingress Interface: Specify the ingress interface of traffic in the source NAT rule. Select an interface from the
drop-down list. Only the traffic flowing from the configured ingress interface will match the source NAT rule.
Service: Select the service you need from the Service drop-down list.
HA Group: Specify the HA group that the SNAT rule belongs to. The default setting is 0.
NAT Log: Select the Enable check box to enable the log function for this SNAT rule (generating log information
when there is traffic matching to this NAT rule).
Rule Position: Specify the position of the rule. Each SNAT rule has a unique ID. When traffic flows into the device, the device searches the SNAT rules in sequence and implements NAT on the source IP of the traffic according to the first matched rule. The sequence of IDs shown in the SNAT rule list is the order of rule matching. Select one of the following items from the drop-down list:
Bottom - The rule is located at the bottom of all the rules in the SNAT rule list. By default, the system puts the newly-created SNAT rule at the bottom of all SNAT rules.
Top - The rule is located at the top of all the rules in the SNAT rule list.
Before ID - Type the ID number into the text box. The rule will be located before the ID you specified.
After ID - Type the ID number into the text box. The rule will be located after the ID you specified.
ID: Specify how the rule ID is assigned: automatically by the system or manually by you. If you click Manually assign ID, type an ID number into the box behind it.
5. Click OK to save your settings. The new SNAT rule will be shown in the SNAT rule list.
Editing/Deleting a SNAT Rule
To edit/delete a SNAT rule, take the following steps:
1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. From the device navigation pane, click the device you want to edit or delete a SNAT rule.
3. From the object navigation pane, click SNAT. The main window shows the SNAT rule list.
Creating an IP Mapping Rule
To create an IP Mapping rule, take the following steps:
1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. From the device navigation pane, click the device you want to configure an IP mapping rule.
3. From the object navigation pane, click DNAT. The main window shows the DNAT rule list.
4. From the toolbar of the DNAT rules list, click New > IP Mapping. The IP Mapping Configuration page appears.
HA Group: Specify the HA group that the DNAT rule belongs to. The default setting is 0.
5. Click OK to save your settings. The new DNAT rule will be shown in the DNAT rules list.
Creating a Port Mapping Rule
To create a Port Mapping rule, take the following steps:
1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. From the device navigation pane, click the device you want to configure a port mapping rule.
3. From the object navigation pane, click DNAT. The main window shows the DNAT rule list.
4. From the toolbar of the DNAT rules list, click New > Port Mapping. The Port Mapping Configuration page appears.
HA Group: Specify the HA group that the DNAT rule belongs to. The default setting is 0.
Destination Port: Specify the translated port by typing the port number into the box.
5. Click OK to save your settings. The new DNAT rule will be shown in the DNAT rules list.
Creating an Advanced DNAT Rule
To create an Advanced DNAT rule, take the following steps:
1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. From the device navigation pane, click the device you want to configure an advanced DNAT rule.
3. From the object navigation pane, click DNAT. The main window shows the DNAT rule list.
4. From the toolbar of the DNAT rules list, click New > Advanced, then DNAT Configuration page appears.
In the Basic tab in the DNAT Configuration dialog, configure the DNAT basic options.
Service: Select the service you need from the Service drop-down list.
Action: Specify the action for the traffic you specified, including:
NAT - Implements NAT for the eligible traffic.
Translated to: For the NAT option, you need to specify the translated IP address. Select an address entry or SLB server pool from the Translated to drop-down list, or type an IP address (or an IP address and netmask) in the Translated to box.
NAT Port: Select the Enable check box and type the translated port number into the Port box. The range is 1 to 65535.
Load Balancing: Select the Enable check box to enable the function. Then, traffic will be balanced to different Intranet servers.
No NAT - Do not implement NAT for the eligible traffic.
Ping Track: Select the Enable check box to enable Ping track, which means the system will send Ping packets to
TCP Track: Select the Enable check box to enable TCP track, which means the system will send TCP packets to
check whether the TCP ports of Intranet servers are reachable.
TCP Port: Specify the port number. The value range is 1 to 65535.
NAT Log: Select the Enable check box to enable the log function for this DNAT rule (generating log information
when there is traffic matching to this NAT rule).
HA Group: Specify the HA group that the DNAT rule belongs to. The default setting is 0.
Rule Position: Specify the position of the rule. Each DNAT rule has a unique ID. When traffic flows into the device, the device searches the DNAT rules in sequence and implements NAT on the destination IP of the traffic according to the first matched rule. The sequence of IDs shown in the DNAT rule list is the order of rule matching. Select one of the following items from the drop-down list:
Bottom - The rule is located at the bottom of all the rules in the DNAT rule list. By default, the system puts the newly-created DNAT rule at the bottom of all DNAT rules.
Top - The rule is located at the top of all the rules in the DNAT rule list.
Before ID - Type the ID number into the box. The rule will be located before the ID you specified.
After ID - Type the ID number into the box. The rule will be located after the ID you specified.
ID: Specify how the rule ID is assigned: automatically by the system or manually by you. If you click Manually assign ID, type an ID number into the box behind it.
5. Click OK to save your settings. The new DNAT rule will be shown in the DNAT rules list.
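The first-match search and the Top/Bottom/Before ID/After ID positioning described above, as an added Python model (not Hillstone's code). It also reports rules that are shadowed by an earlier, broader rule, a check worth running before deploying a rule list; the addresses, ports and class names are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class DnatRule:
    """One DNAT rule; the fields mirror the dialog options described above."""
    rule_id: int
    dst_net: str                  # destination the rule matches, e.g. "203.0.113.10/32"
    dst_port: Optional[int]       # None = any destination port
    translated_to: Optional[str]  # None = the "No NAT" option
    nat_port: Optional[int] = None

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        in_net = ip_address(dst_ip) in ip_network(self.dst_net, strict=False)
        return in_net and (self.dst_port is None or self.dst_port == dst_port)

    def covers(self, other: "DnatRule") -> bool:
        """True if every packet `other` could match is already matched by this rule."""
        narrower = ip_network(other.dst_net, strict=False).subnet_of(
            ip_network(self.dst_net, strict=False))
        return narrower and (self.dst_port is None or self.dst_port == other.dst_port)


class DnatTable:
    """Ordered DNAT rule list with the page's positioning options and first-match lookup."""

    def __init__(self) -> None:
        self.rules: List[DnatRule] = []
        self._next_id = 1

    def add(self, dst_net: str, dst_port: Optional[int], translated_to: Optional[str],
            nat_port: Optional[int] = None, position: str = "bottom",
            ref_id: Optional[int] = None, manual_id: Optional[int] = None) -> DnatRule:
        # The ID is assigned automatically unless "Manually assign ID" is used.
        rule_id = manual_id if manual_id is not None else self._next_id
        if any(r.rule_id == rule_id for r in self.rules):
            raise ValueError(f"DNAT rule ID {rule_id} already exists")
        self._next_id = max(self._next_id, rule_id + 1)
        rule = DnatRule(rule_id, dst_net, dst_port, translated_to, nat_port)
        self._place(rule, position, ref_id)
        return rule

    def move(self, rule_id: int, position: str, ref_id: Optional[int] = None) -> None:
        """Re-position an existing rule (Top / Bottom / Before ID / After ID)."""
        rule = self._get(rule_id)
        self.rules.remove(rule)
        self._place(rule, position, ref_id)

    def _place(self, rule: DnatRule, position: str, ref_id: Optional[int]) -> None:
        if position == "bottom":           # the default for a newly created rule
            self.rules.append(rule)
        elif position == "top":
            self.rules.insert(0, rule)
        elif position in ("before", "after"):
            idx = self.rules.index(self._get(ref_id))
            self.rules.insert(idx if position == "before" else idx + 1, rule)
        else:
            raise ValueError(f"unknown position {position!r}")

    def _get(self, rule_id: Optional[int]) -> DnatRule:
        for rule in self.rules:
            if rule.rule_id == rule_id:
                return rule
        raise KeyError(f"no DNAT rule with ID {rule_id}")

    def lookup(self, dst_ip: str, dst_port: int) -> Tuple[Optional[int], str, int]:
        """Walk the list top to bottom; the first matching rule decides the translation."""
        for rule in self.rules:
            if rule.matches(dst_ip, dst_port):
                if rule.translated_to is None:          # "No NAT" rule: leave traffic unchanged
                    return rule.rule_id, dst_ip, dst_port
                return rule.rule_id, rule.translated_to, rule.nat_port or dst_port
        return None, dst_ip, dst_port                   # no rule matched: no translation

    def shadowed(self) -> List[int]:
        """IDs of rules that can never be reached because an earlier rule covers them."""
        return [rule.rule_id for i, rule in enumerate(self.rules)
                if any(earlier.covers(rule) for earlier in self.rules[:i])]


def demo() -> Tuple[Tuple, List[int], Tuple, List[int]]:
    """Constructed scenario: a broad rule added first hides a narrower one added at the bottom."""
    table = DnatTable()
    table.add("203.0.113.0/24", None, "10.0.0.1")              # ID 1: whole public range -> 10.0.0.1
    web = table.add("203.0.113.10/32", 443, "10.0.0.2", 8443)  # ID 2: one host/port, lands at bottom
    before = table.lookup("203.0.113.10", 443)                 # rule 1 wins: (1, "10.0.0.1", 443)
    hidden = table.shadowed()                                  # [2]
    table.move(web.rule_id, "before", ref_id=1)                # same effect as "Top" here
    after = table.lookup("203.0.113.10", 443)                  # (2, "10.0.0.2", 8443)
    return before, hidden, after, table.shadowed()


if __name__ == "__main__":
    print(demo())
```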
Route
Creating a Route Item
To create a route item on the HSM device configuration page, take the following steps:
1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. From the device navigation pane, click the device for which you want to create a route entry.
3. From the object navigation pane, click Destination Route (Private). The route items list appears in the main window below.
4. From the toolbar of the route items list, click New. The Destination Route Configuration page appears.
In the Destination Route Configuration dialog, configure the destination route options.
Next Hop: Click the Gateway, Interface or Virtual Router radio button. If Gateway is selected, type the IP address into the Gateway box below; if Interface is selected, select a name from the Interface drop-down list below; if Virtual Router is selected, select a name from the Virtual Router drop-down list below.
Schedule: Specifies a schedule during which the rule takes effect. Select a desired schedule from the Schedule drop-down list. After selecting the desired schedules, click the blank area in this dialog to complete the schedule configuration.
Precedence: Specify the precedence of the route. The smaller the value, the higher the precedence. If multiple routes are available, the route with the higher precedence is prioritized. The value range is 1 to 255. The default value is 1. When the value is set to 255, the route is invalid.
Weight: Specify the weight of the route. This parameter determines the share of forwarded traffic the route receives in load balancing. The value range is 1 to 255. The default value is 1.
Description: If necessary, type description information for the route item in this text box.
5. Click OK to save your settings. The new route item will be shown in the route items list.
(icon): Configurations are not the same. The configuration on HSM has been modified. The detailed changes are shown when the mouse hovers over the icon.
(icon): Configurations are not the same. The configuration on the local device has been modified. The detailed changes are shown when the mouse hovers over the icon.
On HSM, you can synchronize the configuration in two ways:
Deploy Configuration: Deploy the HSM configuration to the device. The configuration on the device is replaced by the deployed configuration.
HSM lets you view the latest configuration information of the managed devices. To read the latest configuration information of a device, take the following steps:
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. In the device navigation pane, right-click on the device, and then select View Latest Configurations from the pop-up menu.
To import the local configuration to HSM, take the following steps:
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
3. Click OK on the confirmation dialog. HSM starts uploading the local configuration to HSM.
Note: When you import the local configuration to HSM, if the association or inheritance relationship between the device and its shared configuration on HSM is consistent, the previous relationship is kept and the configuration is imported directly. If not, HSM prompts "The relation between shared configuration and device will be changed, continue?". Click OK, and the shared configuration of the device on HSM is released; the imported configuration becomes private. Click Cancel, and the configuration of the local device is not imported to HSM.
To batch import the local configuration to HSM, take the following steps:
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. In the device navigation pane, right-click and then select Batch Import Configuration from the pop-up menu. The Batch Import Configuration dialog appears.
4. Specify the import mode. If Immediately is selected, HSM generates a task and executes it immediately; if Generate Task is selected, HSM generates a task, and you can execute the task on the Task Management page. For more information about tasks, see Task.
5. Click OK.
To deploy the HSM configuration to a device, take the following steps:
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
3. Specify the deployment mode. If Immediately is selected, HSM generates a task and executes it immediately; if Generate Task is selected, you can execute the task by schedule or manually: if On Schedule is selected, HSM executes the task at the user-defined time; otherwise, you need to execute the task manually on the Task Management page. You can view the task status and related logs on the Task Management page. For more information about tasks, see Task.
4. Click OK.
To batch deploy the HSM configuration to devices, take the following steps:
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. In the device navigation pane, right-click and then select Batch Deploy Configuration from the pop-up menu. The Batch Deploy Configuration dialog appears.
4. Specify the deployment mode. If Immediately is selected, HSM generates a task and executes it immediately; if Generate Task is selected, you can execute the tasks by schedule or manually: if On Schedule is selected, HSM executes the task at the user-defined time; otherwise, you need to execute the task manually on the Task Management page. You can view the task status and related logs on the Task Management page. For more information about tasks, see Task.
5. Click OK.
Specifying Configuration
On HSM, a shared rule on the device configuration page can be specified to a certain device. After specifying the configuration to the device, the binding relationship between the device and the configuration changes. However, you still have to deploy the specified configuration to the device for it to take effect there. For more detailed information about deploying configuration, see Synchronizing Configuration.
To specify a policy, take the following steps:
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
3. Choose a shared policy from the Choose a Shared Policy selection box for the device. If you want to keep the policy on the device as a private policy, select the Copy as a Private Policy check box.
4. Click OK.
To specify a SNAT, take the following steps:
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. In the device navigation pane, right-click on the device you want to specify a SNAT on, and then select Specify Configuration > Specify SNAT from the pop-up menu. The Specify SNAT dialog appears.
3. Choose a shared SNAT from the Choose a Shared Source NAT selection box for the device.
4. Click OK.
To specify a DNAT, take the following steps:
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. In the device navigation pane, right-click on the device you want to specify a DNAT on, and then select Specify Configuration > Specify DNAT from the pop-up menu. The Specify DNAT dialog appears.
3. Choose a shared DNAT from the Choose a Shared Destination NAT selection box for the device.
4. Click OK.
To specify a destination route, take the following steps:
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. In the device navigation pane, right-click on the device you want to specify a destination route on, and then select Specify Configuration > Specify DRouter from the pop-up menu. The Specify DRouter dialog appears.
3. Choose a shared destination route from the Choose a Shared Destination Route selection box for the device.
4. Click OK.
To specify a threat protection rule, take the following steps:
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
3. Choose a shared threat protection rule from the Choose a Shared Threat Protection selection box for the device.
4. Click OK.
1. From the device navigation pane, right-click on the device for which you want to create a snapshot, and then select Create Snapshot from the pop-up menu.
2. On the Creating Snapshot dialog, specify a snapshot name and its description, and click OK.
To restore a snapshot, take the following steps:
1. From the device navigation pane, right-click on the device for which you want to restore a snapshot, and then select Restore Snapshot from the pop-up menu.
2. On the Restoring Snapshot dialog, specify the version you want to restore in the Choose a backup version drop-down list, and then click Restore.
To manage snapshots, take the following steps:
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. From the device navigation pane, select All Devices; the main window shows the list of all devices. Click Manage in the Snapshot column, and the Snapshot Management dialog appears. Description of the options on the dialog:
Create Snapshot: Specify the snapshot name and its description, and click OK.
View: Show the configurations of the snapshot.
Export: Export the snapshot to the local computer as a zip archive of XML. Click OK in the pop-up dialog box, then choose the location to save to. You can edit the snapshot file locally.
Delete: Delete the selected snapshot.
Compare: Select Compared with Last Deployment to compare the current snapshot with the last deployed snapshot; select Compared with Configuration in Device to compare it with the current configuration of the device that HSM manages; select Compared with Configuration in HSM to compare it with the current configuration on HSM.
Restore: Restore the configurations of the snapshot.
Locking Configuration
Configuration lock locks all configurations of a managed device to prevent multiple administrators from modifying the device configuration simultaneously and causing confusion. Once the device configuration is locked by one administrator, only this administrator can configure the device and unlock the device configuration, and other administrators cannot deploy configuration to the device during the locking period.
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. In the device navigation pane, click the lock icon after the device you want to lock or unlock. When the icon shows the unlocked state, click it to lock the device configuration; when it shows the locked state, click it to unlock the device configuration.
After the device configuration is locked by one administrator, note that:
If other administrators move the mouse to the lock icon, the name of the locking administrator is displayed.
Not only the private configuration but also the shared configuration can be locked. If the shared configuration is locked by multiple administrators, no one can modify the shared configuration.
If a shared object is locked, the system prompts "locked by xxx, operation denied: locked devices(xxx)" when a non-locking administrator modifies it; if a shared rule is locked, "Configuration is locked by xxx" is prompted on the location bar.
If you cancel the relationship between the device and a shared configuration, the shared configuration is unlocked, and the private configuration is locked.
All configurations that relate to the device directly or indirectly are locked, and others cannot modify them.
When modifying the private configuration, if a new shared configuration is referenced, that shared configuration is locked. Conversely, when a shared configuration is no longer referenced, it is unlocked.
For example, user A locks the configuration of device 1 and modifies a rule in security policy 1 to reference shared address entry addr1. After the modification, addr1 is also locked by user A.
Device Object
On the device configuration page, you can create a private or shared object. A private object belongs to one certain device only and cannot be used by other devices. A shared object can be referenced by all devices.
On HSM, you can edit zones and threat protection, and you can also create, edit and delete address entries, service groups, service entries, application groups, schedules, SLB server pools, intrusion protection system rules, Anti-Virus rules, threat prevention, URL filters, users, roles and AAA servers. After configuring a device object, you have to deploy it to the security device for it to take effect on the device. For more detailed information about deploying configuration, see Synchronizing Configuration.
Note: Functions can be configured in HSM only after the licenses for them have been installed.
1. Log on to HSM, click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. From the device navigation pane, select the device whose zone will be configured. From the object navigation pane, select Zones. The main window shows the zone entry list.
3. In the zone entry list, click the zone for which you want to enable the Anti-Virus and IPS functions, and then click Edit from the toolbar. The Zone dialog appears.
Anti Virus: Select the On check box to enable the Anti Virus function. Select the Anti-Virus rule from the drop-down list. Two ways can be used to configure an Anti Virus rule:
Intrusion Protection: Select the On check box to enable the IPS function. Select the IPS rule from the drop-down list. Two ways can be used to configure an IPS rule:
5. Click OK.
Address Books
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. In the device navigation pane, select the device for which you want to create an address entry, go to the object navigation pane and select Address Book. The main window shows the address entry list.
Service Books
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. In the device navigation pane, select the device for which you want to create a service group, go to the object navigation pane and select Service Book > User-defined Service Group. The main window shows the service group entry list.
3. Click New from the toolbar. The Service Group dialog appears.
Creating a Service
To create a new service on HSM, take the following steps:
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. In the device navigation pane, select the device for which you want to create a service, go to the object navigation pane and select Service Book > User-defined Service. The main window shows the user-defined service entry list.
Dst Port: Specify the destination port range of the member. The value range is 1 to 65535.
Src Port: Specify the source port range of the member. The value range is 1 to 65535.
Application Type: Specify the application type of the member.
Timeout: Specify the timeout value of the member, in seconds or days. The default value is 1800 seconds.
ICMP
Type: Specify the ICMP type value of the member. It can be one of the following: 3 (Destination Unreachable), 4 (Source Quench), 5 (Redirect), 8 (Echo), 11 (Time Exceeded), 12 (Parameter Problem), 13 (Timestamp), and 15 (Information).
Min Code: Specify the minimum ICMP code value of the member. The value range is 0 to 5.
Max Code: Specify the maximum ICMP code value of the member. The value range is 0 to 5.
Timeout: Specify the timeout value of the member, in seconds. The value range is 1 to 65535. The default value is 6 seconds.
Others
Protocol No.: Specify the protocol number of the member. The value range is 1 to 255.
Timeout: Specify the timeout value of the member, in seconds or days. The default timeout value is 60 seconds.
After specifying the parameter values, click Add to add the member to the service. Repeat the above steps to add multiple members. Click Delete to delete the selected member.
Application Books
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. In the device navigation pane, select the device for which you want to create an application group, go to the object navigation pane and select Application Books > User-defined Application Group. The main window shows the user-defined application group information.
Schedules
Creating a Schedule
To create a schedule on HSM, take the following steps:
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. In the device navigation pane, select the device for which you want to create a schedule, go to the object navigation pane and select Schedule. The main window shows the schedule entry list.
6. In the Absolute Schedule section, specify the start time and end time within which the periodic schedule will take effect.
7. Click New, and configure a periodic schedule in the dialog as below. The periodic schedule takes effect repeatedly during the time range specified by the absolute schedule.
Interface
HSM supports creating, editing and deleting tunnel interfaces for the managed devices.
1. Click Configuration > Device Configuration from the Level-1 navigation pane.
3. Select Interface in the object navigation pane. The main window then shows the related information about the interface and the toolbar.
4. Click New from the toolbar and the Tunnel Interface dialog box pops up.
When the general DNS proxy is in use, the client in the network still gets DNS replies from the DNS server configured on itself. If the DNS server address is configured as an interface address of the Hillstone device, the device works as a DNS server.
Enable DNS Bypass: Select this check box to enable the DNS bypass function for the interface. With DNS bypass enabled, DNS packets are forwarded to the original IP directly when the DNS proxy is disabled.
Advanced:
Management IP: Specifies a management IP for the interface. Type the IP address into the box.
Secondary IP: Specifies secondary IPs for the interface. You can specify up to 6 secondary IP addresses.
Tunnel Binding:
IPSec VPN: Specifies the name of the IPsec VPN bound to the tunnel interface; then click Add from the Gateway options to add a next-hop address for the tunnel, which can be either the IP address or the egress IP address of the peer tunnel interface. This parameter, which is 0.0.0.0 by default, is only valid when multiple IPSec VPN tunnels are bound to the tunnel interface.
In the Properties tab, configure the properties options for the tunnel interface.
MTU: Specifies an MTU for the interface. The value range is 1280 to 1500/1800 bytes. The default value is 1500. The maximum MTU may vary between Hillstone platforms.
Keep-alive-IP: Specifies an IP address that receives the interface's keep-alive packets.
In the Advanced tab, configure the advanced options for the tunnel interface.
Shutdown: The system supports interface shutdown. You can not only force a specific interface to shut down, but also control the shutdown time by schedule, or control the shutdown according to the link status of tracked objects. Configure the options as below:
2. Select an action:
In the RIP tab, configure the RIP options for the tunnel interface.
Authentication mode: Specifies a packet authentication mode for the system, either plain text (the default) or MD5. Plain text authentication transmits an unencrypted string together with the RIP packet, so it cannot assure security and should not be applied in scenarios that require high security.
Authentication string: Specifies a RIP authentication string for the interface.
Transmit version: Specifies the RIP version number transmitted by the interface. By default, V1&V2 RIP information is transmitted.
Receive version: Specifies the RIP version number received by the interface. By default, V1&V2 RIP information is received.
Split horizon: Select the Enable checkbox to enable split horizon. With this function enabled, routes learned from an interface are not sent out on the same interface, which avoids routing loops and assures correct broadcasting to some extent.
SLB Server Pool
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. In the device navigation pane, select the device for which you want to create an SLB server pool, go to the object navigation pane and select SLB Server Pool. The main window shows the user-defined SLB server pool information.
3. Click New from the toolbar. The SLB Server Pool Configuration dialog appears.
Name: Specify the name of the SLB server pool. You can enter up to 31 characters.
Algorithm: Select an algorithm for load balancing, including:
Sticky: If Sticky is selected, the security device considers all requests from the same source IP to be the same client and forwards them to the same server.
Member:
Member: Specify the member of the pool. You can type an IP range or an IP address and netmask.
Weight: Specify the traffic forwarding weight during load balancing. The value ranges from 1 to 255.
Add: Add the SLB address pool member to the SLB server pool.
Delete: Click Delete to delete the selected SLB address pool member.
Track:
Interval: Specify the interval between each Ping/TCP/UDP packet. The unit is seconds. The value ranges from 3 to 255.
Retries: Specify a retry threshold. If no response packet is received after the specified number of retries, the system considers this track entry failed, i.e., the track entry is unreachable. The value range is 1 to 255.
Weight: Specify the weight this track entry contributes to the overall failure of the whole track rule if the entry fails. The value range is 1 to 255.
Add: Click Add to add the configured track rule to the list.
Delete: Click Delete to delete the selected track rule.
Threshold: Type the threshold for the track rule into the Threshold box. The value range is 1 to 255. If the sum of weights for failed entries in the track rule exceeds the threshold, the security device concludes that the track rule fails.
Description: Type the description for this track rule. You can enter up to 95 characters.
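An added Python model (not Hillstone's code) of how the Interval, Retries, Weight and Threshold values above combine into a track decision; the same reachability idea applies to the Ping Track and TCP Track options of a DNAT rule. Assumptions: Retries counts consecutive unanswered probes, and the probe histories, IP addresses and class names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class TrackEntry:
    """One Ping/TCP/UDP track entry of an SLB server pool; ranges from the table above."""
    kind: str        # "ping", "tcp" or "udp"
    target: str      # constructed target, "ip" or "ip:port"
    interval: int    # seconds between probes, 3 to 255
    retries: int     # unanswered probes in a row before the entry is declared failed, 1 to 255
    weight: int      # contribution to the rule's failure sum when this entry fails, 1 to 255

    def __post_init__(self) -> None:
        for name, lo, hi in (("interval", 3, 255), ("retries", 1, 255), ("weight", 1, 255)):
            value = getattr(self, name)
            if not lo <= value <= hi:
                raise ValueError(f"{name}={value} is outside {lo}..{hi}")

    def detection_time(self) -> int:
        """Worst-case seconds a dead server stays in rotation: `retries` probes, one per interval."""
        return self.interval * self.retries


def entry_failed(entry: TrackEntry, replies: Sequence[bool]) -> bool:
    """Assumption: Retries counts consecutive unanswered probes; any reply resets the count."""
    misses = 0
    for answered in replies:
        misses = 0 if answered else misses + 1
        if misses >= entry.retries:
            return True
    return False


def evaluate_track_rule(entries: Sequence[TrackEntry], threshold: int,
                        probe_log: Dict[str, Sequence[bool]]) -> Tuple[bool, int, List[str]]:
    """Return (rule_failed, failed_weight, failed_targets).

    The rule fails only when the summed weight of failed entries EXCEEDS the
    threshold; a sum equal to the threshold keeps the member in service."""
    if not 1 <= threshold <= 255:
        raise ValueError("Threshold must be 1 to 255")
    failed = [e for e in entries if entry_failed(e, probe_log.get(e.target, ()))]
    failed_weight = sum(e.weight for e in failed)
    return failed_weight > threshold, failed_weight, [e.target for e in failed]


# Constructed track rule: ICMP is a weak signal (weight 100), the service port is decisive (200).
ENTRIES = [
    TrackEntry("ping", "10.0.0.11", interval=3, retries=3, weight=100),
    TrackEntry("tcp", "10.0.0.11:443", interval=5, retries=2, weight=200),
]
THRESHOLD = 150

# Constructed probe histories: True = reply received, False = timeout.
ICMP_FILTERED = {"10.0.0.11": [True, False, False, False],      # host drops ICMP, service is up
                 "10.0.0.11:443": [True, True, True, True]}
SERVICE_DOWN = {"10.0.0.11": [True, True, True, True],          # host answers ping, service is dead
                "10.0.0.11:443": [True, False, False]}
FLAPPING = {"10.0.0.11": [True] * 4,
            "10.0.0.11:443": [False, True, False, True]}        # misses never become consecutive


if __name__ == "__main__":
    for name, log in (("ICMP filtered", ICMP_FILTERED), ("service down", SERVICE_DOWN),
                      ("flapping", FLAPPING)):
        print(name, evaluate_track_rule(ENTRIES, THRESHOLD, log))
```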
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. In the device navigation pane, select the device whose SLB server pool you want to view, go to the object navigation pane and select SLB Server Pool. The main window shows the user-defined SLB server pool information.
4. In the Server List tab at the bottom of this page, view the information of the servers in this SLB pool.
5. In the Server List tab, view the information of the SLB server pool. The information includes IP/mask, port, weight, and maximum sessions.
6. In the Monitoring tab, view the information of the track rules. The track rule information includes track type, port, interval, and retries.
Configuring IPS Global Parameters
You can enable or disable the IPS function and configure the IPS global parameters. For configuring IPS global parameters, see Threat Protection.
Configuring an IPS Rule
Creating an IPS Rule
You can use the default IPS rules and the user-defined IPS rules. HSM has three default IPS rules: predef_default, predef_loose and no-ips. The predef_default rule, which includes all the IPS signatures, is strict in detecting attacks, and
1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. From the device navigation pane, select the device for which you want to create an IPS rule.
3. Go to the object navigation pane and select Intrusion Protection System. The main window shows the IPS rule list.
4. Click New from the toolbar. The Intrusion Protection System dialog appears.
Configuring Protocol Signature
Protocol signature consists of protocol configuration and signature configuration. You can specify actions for attacks of different levels (Log only, Reset, Block attacker) and actions for a specific attack signature (whose priority is higher than that of the action configured in the signature set).
1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. From the device navigation pane, click the device for which you want to configure a protocol.
3. From the object navigation pane, click Intrusion Protection System. The main window shows the IPS rule list.
4. Click the specified protocol type in the IPS rule list. The protocol configuration dialog appears.
In the Protocol Configuration tab, configure actions for attacks of different levels and other related options.
Action for Critical/Warning/Information level attack:
Capture Packets: Select the Enable check box to enable the packet capture tool. The security device captures packets of the selected protocol and saves the evidence messages. You can view or download the evidence messages on the security device.
Action: Specify an action for attacks of different levels. Select the radio button below:
Other Configuration: Other related options that may vary between protocol types. For detailed instructions, see the description of other configuration.
Other related options that may vary between protocol types (the description of other configuration):
DNS: Protocol Anomaly Detection: Specify a check level for the protocol validity check of the signature set.
FTP: Action for Brute-force: If the login attempts per minute fail for the number of times specified by the threshold, the security device identifies the attempts as an intrusion and takes action according to the configuration. Select the Enable Brute-force check box to enable brute-force detection.
HTTP: Protocol Anomaly Detection: Specify a check level for the protocol validity check of the signature set.
POP3: Action for Brute-force: Same as for FTP. Select the Enable check box to enable brute-force detection.
SMTP: Action for Brute-force: Same as for FTP. Select the Enable check box to enable brute-force detection.
Telnet: Action for Brute-force: Same as for FTP. Select the Enable check box to enable brute-force detection.
IMAP/Finger/NNTP/TFTP/SNMP/MYSQL/MSSQL/ORACLE/NETBIOS/DHCP/LDAP/VoIP/Other-TCP/Other-UDP: Max Scan Length: Specify a max scan length. The value range is 0 to 65535 bytes.
SUNRPC: Action for Brute-force: Same as for FTP. Select the Enable check box to enable brute-force detection.
MSRPC: Action for Brute-force: Same as for FTP. Select the Enable check box to enable brute-force detection.
6. Select the Signature List tab to view or configure the signatures; see Configuring Signature.
In the Signature List tab of a specific protocol, you can view, enable/disable or configure the signatures.
Viewing the Specific Signature Entry Details
To view the details of a specific signature entry, take the following steps:
1. In the filter bar, click a filter name and input a value for this filter. You may select more than one filter. Hover your mouse over a parameter to view the drop-down list. The parameters include status, operating system, attack type, popularity, severity, service type, global status and type, etc.
2. Click the icon; results that match your criteria are shown in the signature list.
3. In the Signature List of the specific protocol, click the ID. The details of the specific signature are shown in a pop-up dialog.
Note: The icon can expand to show the search history. If Auto Open is selected, the history opens automatically while you use the search box.
1. In the Signature List tab of the specific protocol, select the signature you want to edit from the signature list, and click Edit from the toolbar. The Signature List Configuration dialog appears.
Capture Packets: Select the Enable check box to enable the packet capture tool. The security device captures packets of the selected protocol and saves the evidence messages. You can view or download the evidence messages on the security device.
Log Only - If attacks have been detected, the security device only generates protocol behavior logs.
Never Block - If attacks have been detected, the security device does not block the service from the attacker.
2. Click OK.
1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. From the device navigation pane, click the device for which you want to create a WebServer.
3. From the object navigation pane, click Intrusion Protection System. The main window shows the IPS rule list.
4. Select the user-defined IPS rule from the IPS rule list, and then click HTTP.
SQL Injection Protection: Select the Enable check box to enable the SQL injection check for the HTTP protocol.
Capture Packets: Select the Enable check box to enable the packet capture tool. The security device captures packets of the selected protocol and saves the evidence messages. You can view or download the evidence messages on the security device.
XSS Injection Protection: Select the Enable check box to enable the XSS injection check for the HTTP protocol.
Capture Packets: Select the Enable check box to enable the packet capture tool. The security device captures packets of the selected protocol and saves the evidence messages. You can view or download the evidence messages on the security device.
Check point: Specify the check point for the XSS injection check. It can be HTTP cookie, HTTP cookie2, HTTP post, HTTP referer or HTTP URI.
External Link Check: Select the Enable check box to enable the external link check for the Web server. This function controls access to external resources.
Capture Packets: Select the Enable check box to enable the packet capture tool. The security device saves the evidence messages, which can be viewed or downloaded.
Log only: Only record the related logs when external link behavior is detected.
ACL: Select the Enable check box to enable access control for the Web server. The access control function checks the upload paths of the websites to prevent attackers from uploading malicious code.
ACL: Click this link, and the ACL Configuration dialog appears. Specify the websites and their properties on this dialog. "Static" means the URI can be accessed statically only, as a static resource (images and text); otherwise, the access is handled according to the action specified (log
Log only: Only record the related logs when the external link behavior is detected.
HTTP Request Flood Protection: Select the Enable check box to enable HTTP request flood protection.
Request threshold: Specify the request threshold. When the number of HTTP connection requests reaches the threshold, the security device treats it as an HTTP request flood attack and enables HTTP request flood protection.
Auto (JS Cookie): The Web browser finishes the authentication process automatically.
Request limit: Specify the request limit for HTTP request flood protection. After the request limit is configured, the security device limits the request rate of each source IP. If the request rate is higher than the limit specified here and HTTP request flood protection is enabled, the security device handles the exceeding requests according to the action specified (Block IP/Reset).
Proxy limit: Specify the proxy limit for HTTP request flood protection. After the proxy limit is configured, the security device checks whether each source IP belongs to a proxy server and, if it does, limits the request rate according to the configuration. If the request rate is higher than the limit specified here and HTTP request flood protection is enabled, the security device handles the exceeding requests according to the action specified (Block IP/Reset).
Option: Description

SQL Injection Protection: Select the Enable check box to enable SQL injection check.
    Capture Packets: Capture the abnormal packets. You can view them in the threat log.
    Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
    Sensitivity: Specifies the sensitivity of the SQL injection protection function. The higher the sensitivity, the lower the false negative rate.
    Check point: Specifies the check point for the SQL injection check. It can be Cookie, Cookie2, Post, Referer or URI.
XSS Injection Protection: Select the Enable check box to enable XSS injection check for the HTTP protocol.
    Capture Packets: Capture the abnormal packets. You can view them in the threat log.
    Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
    Sensitivity: Specifies the sensitivity of the XSS injection protection function. The higher the sensitivity, the lower the false negative rate.
    Check point: Specifies the check point for the XSS injection check. It can be Cookie, Cookie2, Post, Referer or URI.
External Link Check: Select the Enable check box to enable external link check for the Web server. This function controls the resource references from external sites.
    External link exception: Click this link, and the External Link Exception Configuration dialog appears. All the URLs configured in this dialog can be linked by the Web server. At most 32 URLs can be specified for one Web server.
    Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs.
ACL: Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs.
HTTP Request Flood Protection: Select the Enable check box to enable HTTP request flood protection.
    Request threshold: Specifies the request threshold.
        For a protected domain name, when the number of HTTP connection requests per second reaches the threshold and this lasts 20 seconds, the system treats it as an HTTP request flood attack and enables HTTP request flood protection.
        For a protected full URL, when the number of HTTP connection requests per second towards this URL reaches the threshold and this lasts 20 seconds, the system treats it as an HTTP request flood attack towards this URL and enables HTTP request flood protection. This is only applicable to IPS devices.
    Full URL: Enter full URLs to protect particular URLs. Click this link to configure the URLs, for example, www.example.com/index.html. When protecting a particular URL, you can select a statistic object. When the number of HTTP connection requests per second by the object reaches the threshold and this lasts 20 seconds, the system treats it as an HTTP request flood attack by this object and enables HTTP request flood protection. This is only applicable to IPS devices.
    x-forwarded-for: Select None, and the system will not use the value in x-forwarded-for as the statistic object. Select First, and the system will use the first value of the x-forwarded-for field as the statistic object. Select Last, and the system will use the last value of the x-forwarded-for field as the statistic object. Select All, and the system will use all values in x-forwarded-for as the statistic object.
    x-real-ip: Select whether to use the value in the x-real-ip field as the statistic object.
    When an HTTP request flood attack is discovered, you can make the system take the following actions:
        Auto (JS Cookie): The Web browser will finish the authentication process automatically.
        Auto (Redirect): The Web browser will finish the authentication process automatically.
        Crawler-friendly: If this check box is selected, the system will not authenticate crawlers.
    Request limit: Specifies the request limit for HTTP request flood protection. After the request limit is configured, the system limits the request rate of each source IP. If the request rate is higher than the limit specified here and HTTP request flood protection is enabled, the system handles the exceeding requests according to the action specified (Block IP/Reset). To record a log, select the Record log check box.
    Proxy limit: Specifies the proxy limit for HTTP request flood protection. After the proxy limit is configured, the system checks whether each source IP belongs to a proxy server; if it does, the request rate is limited according to the configuration. If the request rate is higher than the limit specified here and HTTP request flood protection is enabled, the system handles the exceeding requests according to the action specified (Block IP/Reset). To record a log, select the Record log check box.
    White List: Specifies the white list for HTTP request flood protection. Source IPs added to the white list are not checked by HTTP request flood protection.
7. Click OK.
Note: After you create an HTTP signature, HSM automatically creates a default Web Server. The default Web Server is enabled by default and cannot be disabled or deleted. At most 32 Web servers can be configured for one signature, not including the default server.
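The HTTP request flood options described above (a per-second request threshold that must hold for 20 seconds, a per-source request limit, the x-forwarded-for/x-real-ip statistic object and a white list) amount to a small rate-limiting state machine. The Python below is an added illustration written for readers of this guide; it is not HSM's own code. The header names and option values are those on the page, while the precedence of x-real-ip over x-forwarded-for, counting white-listed requests toward the domain threshold, and the traffic generated in run_demo are assumptions made for the example.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# x-forwarded-for handling modes, named as in the Web server options
XFF_NONE, XFF_FIRST, XFF_LAST, XFF_ALL = "None", "First", "Last", "All"


def statistic_object(client_ip, headers, xff_mode=XFF_NONE, use_x_real_ip=False):
    """Return the key that per-source request counting is tracked by.

    headers: dict keyed by lower-case header name (built by the caller).
    Assumption: when x-real-ip is enabled and present it wins over
    x-forwarded-for; the guide does not state the ordering.
    """
    if use_x_real_ip and headers.get("x-real-ip"):
        return headers["x-real-ip"].strip()
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    if hops and xff_mode == XFF_FIRST:
        return hops[0]
    if hops and xff_mode == XFF_LAST:
        return hops[-1]
    if hops and xff_mode == XFF_ALL:
        return ",".join(hops)
    return client_ip  # None mode, or no usable header: fall back to the TCP peer


class HttpFloodGuard:
    """One protected domain name: the per-second request threshold must be
    reached for 20 consecutive seconds before protection engages; after that
    each source is held to the request limit unless it is white-listed."""

    SUSTAIN_SECONDS = 20

    def __init__(self, request_threshold, request_limit, action="Block IP",
                 white_list=(), xff_mode=XFF_NONE, use_x_real_ip=False):
        self.threshold = request_threshold
        self.limit = request_limit
        self.action = action                      # "Block IP" or "Reset"
        self.white_list = [ip_network(n) for n in white_list]
        self.xff_mode = xff_mode
        self.use_x_real_ip = use_x_real_ip
        self.current_second = None
        self.count_this_second = 0
        self.hot_seconds = 0                      # consecutive seconds at/over threshold
        self.active = False                       # flood protection engaged
        self.per_source = defaultdict(deque)      # statistic object -> timestamps in last 1 s

    def _roll_second(self, second):
        """Close the previous one-second bucket and update the sustain counter."""
        if second == self.current_second:
            return
        if self.current_second is not None:
            over = self.count_this_second >= self.threshold
            contiguous = second == self.current_second + 1
            self.hot_seconds = self.hot_seconds + 1 if (over and contiguous) else 0
            if self.hot_seconds >= self.SUSTAIN_SECONDS:
                self.active = True
        self.current_second = second
        self.count_this_second = 0

    def observe(self, ts, client_ip, headers=None):
        """Record one request at time ts (seconds). Returns 'pass' or the action."""
        headers = headers or {}
        self._roll_second(int(ts))
        self.count_this_second += 1               # assumption: white-listed traffic still counts here
        if not self.active:
            return "pass"
        if any(ip_address(client_ip) in net for net in self.white_list):
            return "pass"                         # white-listed sources are not rate-checked
        key = statistic_object(client_ip, headers, self.xff_mode, self.use_x_real_ip)
        window = self.per_source[key]
        while window and ts - window[0] >= 1.0:   # keep only the last second
            window.popleft()
        window.append(ts)
        return self.action if len(window) > self.limit else "pass"


def run_demo():
    """Constructed traffic: one source sends 100 req/s for 21 s to a domain whose
    threshold is 100/s and per-source limit is 50/s; 10.0.0.0/8 is white-listed.
    Returns (protection active?, first non-pass verdict, verdict for a white-listed IP)."""
    guard = HttpFloodGuard(request_threshold=100, request_limit=50,
                           white_list=["10.0.0.0/8"], xff_mode=XFF_LAST)
    first_verdict = None
    for sec in range(21):
        for i in range(100):
            verdict = guard.observe(sec + i / 100, "198.51.100.7",
                                    {"x-forwarded-for": "203.0.113.9, 198.51.100.7"})
            if verdict != "pass" and first_verdict is None:
                first_verdict = (sec, i, verdict)
    trusted = guard.observe(21.0, "10.1.2.3")
    return guard.active, first_verdict, trusted
```

Protection engages at the start of the 21st second (index 20), and the 51st request from the tracked source inside that second is the first one handled by the configured action; the white-listed address passes even while protection is active. Choosing Last for x-forwarded-for means a client that prepends forged hops cannot shift the statistic object away from the address the trusted proxy appended.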
Creating an IPS Rule
The system has three default IPS rules: predef_default, predef_loose and no-ips. The predef_default rule includes all the IPS signatures and its default action is reset. The predef_loose rule includes all the IPS signatures and its default action is log only. The no-ips rule does not include any IPS signatures.
To create an IPS rule on HSM, take the following steps:
1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. From the device navigation pane, select the device for which you want to create an IPS rule.
3. Go to the object navigation pane and select Intrusion Protection System. The main window shows the IPS rule list.
7. According to your requirements, select the Enable check box of Global Packet Capture to capture packets. The security device will capture packets of the selected protocol in this rule and save the evidence messages. You can view and download the evidence messages on the security device. This feature may not be available on all security devices; please refer to the actual page.
8. In the Select Signature area, you can also manage the signature sets, including New, Edit, and Delete. All existing signature sets and their settings are displayed in the table.
Select By: Select the method of choosing the signature set. There are two methods: Filter and Search Condition.
Action: Specify the action performed on the abnormal traffic that matches the signature set.

Select By
    Filter: The system categorizes the signatures according to the following aspects (main categories): affected OS, attack type, protocol, severity, released year, affected application, and bulletin board. A signature can be in several subcategories of one main category. For example, the signature with ID 105001 is in the Linux subcategory, the FreeBSD subcategory, and the Other Linux subcategory at the same time. With Filter selected, the system displays the main categories and subcategories above. You can select subcategories to choose the signatures in them. As shown below, after selecting the Web Attack subcategory in the Attack Type main category, the system chooses the signatures related to this subcategory. To view the detailed information of the chosen signatures, click the ID in the table. When selecting a main category and subcategory, note the following matters:
    Search Condition: Enter the information of the signatures and press Enter to search the signatures. The system performs fuzzy matching in the following fields: attack ID, attack name, description, and CVE-ID. In the search results displayed in the table, select the check
Capture Packet: Capture the abnormal packets that match the configured signature set. You can view them in the threat log.
Action
    Log Only: Record a log.
    The stricter action is always performed on the attack; the signature set with the stricter action is the one matched. The strictness order is: Block IP > Block Service > Reset > Log Only. If one signature set is Block IP with 15s and the other is Block Service with 30s, the final action is Block IP with 30s.
    If one signature set is configured with Capture Packet, the system captures the packets.
    The action of a signature set created by Search Condition has higher priority than the action of a signature set created by Filter.
9. Click OK to complete signature set configurations. Repeat the above steps to create more signature sets.
10. In the Protocol Configuration area, click Edit to configure. The protocol configurations specify the requirements that
the protocol part of the traffic must meet. If the protocol part contains abnormal contents, the system will process
the traffic according to the action configuration. The system supports the configurations of HTTP, DNS, FTP, MSRPC,
POP3, SMTP, SUNRPC, and Telnet.
In the HTTP tab, select the Protocol tab, and configure the following settings:
Option: Description
    Max Scan Length: Specify the maximum length of scanning when scanning HTTP packets.
    Protocol Anomaly Detection: Select Enable to analyze HTTP packets. If abnormal contents exist, you can:
To protect the Web server, select Web Server in the HTTP tab.
Protecting the Web server means the system can detect the following attacks: SQL injection, XSS injection, external link check, ACL, and HTTP request flood, and take actions when detecting them. A pre-defined Web server protection rule named default is built in. By default, this protection rule is enabled and cannot be disabled or deleted.
Configure the following settings to protect the Web server:
Option: Description

SQL Injection Protection: Select the Enable check box to enable SQL injection check.
    Capture Packets: Capture the abnormal packets. You can view them in the threat log.
    Check point: Specifies the check point for the SQL injection check. It can be Cookie, Cookie2, Post, Referer or URI.
XSS Injection Protection: Select the Enable check box to enable XSS injection check for the HTTP protocol.
    Check point: Specifies the check point for the XSS injection check. It can be Cookie, Cookie2, Post, Referer or URI.
External Link Check: Select the Enable check box to enable external link check for the Web server. This function controls the resource references from external sites.
    External link exception: Click this link, and the External Link Exception Configuration dialog appears. All the URLs configured in this dialog can be linked by the Web server. At most 32 URLs can be specified for one Web server.
ACL: Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs.
HTTP Request Flood Protection: Select the Enable check box to enable HTTP request flood protection.
    Auto (JS Cookie): The Web browser will finish the authentication process automatically.
    Request limit: Specifies the request limit for HTTP request flood protection. After the request limit is configured, the system limits the request rate of each source IP. If the request rate is higher than the limit specified here and HTTP request flood protection is enabled, the system handles the exceeding requests according to the action specified (Block IP/Reset). To record a log, select the Record log check box.
    Proxy limit: Specifies the proxy limit for HTTP request flood protection. After the proxy limit is configured, the system checks whether each source IP belongs to a proxy server; if it does, the request rate is limited according to the configuration. If the request rate is higher than the limit specified here and HTTP request flood protection is enabled, the system handles the exceeding requests according to the action specified (Block IP/Reset). To record a log, select the Record log check box.
    White List: Specifies the white list for HTTP request flood protection. Source IPs added to the white list are not checked by HTTP request flood protection.
    Banner Information: Type the new information into the box; it will replace the original server banner information.
    Max Command Line Length: Specifies a maximum length (including carriage return) for the FTP command line. If the length exceeds the limit, you can:
    Banner information: Type the new information into the box; it will replace the original server banner information.
    Max Command Line Length: Specifies a maximum length (including carriage return) for the POP3 command line. If the length exceeds the limit, you can:
    Banner information: Type the new information into the box; it will replace the original server banner information.
    Max Command Line Length: Specifies a maximum length (including carriage return) for the SMTP command line. If the length exceeds the limit, you can:
    Capture Packets: Capture the abnormal packets. You can view them in the threat log.
    Block Service: Block the service of the attacker and specify a block duration.
Telnet: Capture Packets: Capture the abnormal packets. You can view them in the threat log.
11. Click OK to complete the protocol configurations, then click OK to complete the IPS rule configurations.
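The action-merging rules given for signature sets in step 8 above (the stricter action wins in the order Block IP > Block Service > Reset > Log Only, the longer block duration is kept, packets are captured if any matched set asks for it, and sets created by Search Condition outrank sets created by Filter) are easier to check in code. The Python below is an added example and not HSM's implementation. The guide does not say how the Search Condition priority combines with the stricter-action rule, so treating Search Condition sets as the only ones that decide the action whenever at least one of them matched is an assumption, as is the record format used for the matched sets.

```python
# Strictness order stated for the IPS rule: Block IP > Block Service > Reset > Log Only
STRICTNESS = {"Log Only": 0, "Reset": 1, "Block Service": 2, "Block IP": 3}


def merge_signature_set_actions(hits):
    """Combine the actions of every signature set one packet matched.

    hits: list of dicts (assumed format) describing each matched set:
        {"select_by": "Filter" or "Search Condition",
         "action": a key of STRICTNESS,
         "duration": block duration in seconds, or None for Log Only / Reset,
         "capture": True if the set has Capture Packet enabled}
    Returns (action, duration, capture) for the packet, or None if nothing matched.
    """
    if not hits:
        return None
    for h in hits:
        if h["action"] not in STRICTNESS:
            raise ValueError(f"unknown action {h['action']!r}")

    # Assumption: Search Condition sets outrank Filter sets, so if any matched,
    # only they decide the action; otherwise all matched sets are considered.
    deciding = [h for h in hits if h["select_by"] == "Search Condition"] or hits

    # Stricter action wins; the longest duration among the deciding sets is kept,
    # which reproduces the page's "Block IP 15s + Block Service 30s = Block IP 30s".
    action = max((h["action"] for h in deciding), key=STRICTNESS.__getitem__)
    durations = [h["duration"] for h in deciding if h["duration"] is not None]
    duration = max(durations) if durations else None

    # Capture Packet is honoured if any matched set (of either kind) requested it.
    capture = any(h["capture"] for h in hits)
    return action, duration, capture


# Constructed sample: the two sets from the guide's own worked example
DEMO_HITS = [
    {"select_by": "Filter", "action": "Block IP", "duration": 15, "capture": False},
    {"select_by": "Filter", "action": "Block Service", "duration": 30, "capture": True},
]

if __name__ == "__main__":
    print(merge_signature_set_actions(DEMO_HITS))  # ('Block IP', 30, True)
```

A Log Only set created by Search Condition added to the two Filter sets above would make the final action Log Only with no duration, while packet capture would still happen because one of the Filter sets requested it; when tuning an IPS rule it is worth checking this interaction deliberately rather than assuming the stricter Filter action survives.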
Enabling the Zone-based or Policy-based IPS Function
To realize zone-based or policy-based IPS, take the following steps:
To enable policy-based IPS on HSM, see configuring the policy-based Protection function.
Anti-Virus
Take the following steps to configure the Anti-Virus function:
Configuring Anti-Virus Global Parameters
You can enable/disable the Anti-Virus function and configure the global parameters. For configuring Anti-Virus global parameters, see Threat Protection.
Creating an Anti-Virus Rule
To create an Anti-Virus rule on HSM, take the following steps:
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
    Fill Magic - Processes the virus file by filling it with magic words, i.e., fills the file with the magic words (Virus is found, cleaned) from the beginning to the end of the infected section.
    Warning - Pops up a warning page to prompt that a virus has been detected. This option is only effective for messages transferred over HTTP.
    Reset Connection - If a virus has been detected, the security device resets the connections carrying the files.
Capture: Select the Enable check box before Capture Packet to enable the capture function. The security device saves the evidence messages, which you can view or download.
Malicious Website Access Control: Select the check box behind Malicious Website Access Control to enable the function.
Action: Specify the action the security device takes after a malicious website is found.
Enable Label e-mail: If an email transferred over SMTP is scanned, you can enable label email to scan the email and its attachment(s). The scanning results are included in the mail body and sent with the email. If no virus has been detected, the message "No virus found" is labeled; otherwise, information related to the virus is displayed in the email, including the filename, result and action.
Type the end message content into the box. The range is 1 to 128.
4. Click OK.
Note: By default, according to the virus filtering protection level, HSM comes with three default Anti-Virus rules: predef_low, predef_middle, predef_high. The default rules cannot be edited or deleted.
To enable policy-based AV on HSM, see configuring the policy-based Protection function.
Threat Protection
Editing the Device Threat Protection Configuration
To edit the device threat protection configuration, take the following steps:
1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. From the device navigation pane, click the device for which you want to configure threat protection.
3. Expand Object from the object navigation pane, and then select Threat Protection. The Device Threaten Configuration tab appears.
Intrusion Protection System: Select/clear the Enable check box to enable/disable IPS. After enabling this function, you have to reboot the security device for the setting to take effect on the security device.
Merge Log: The security device can merge IPS logs which have the same protocol ID, the same VSYS ID, the same Signature ID, the same log ID, and the same merging type. This helps avoid receiving redundant logs, and the merged log is displayed on the standard output according to your requirements. The function is disabled by default.
    Select the merging types in the drop-down list:
    Source IP, Destination IP - Merge the logs with the same Source IP and the same Destination IP.
    Log Only - If attacks have been detected, the firewall will only generate protocol anomaly alarms and attack behavior logs, but will not reset connections or block attackers.
AV Global Configuration
Anti Virus: Select/clear the Enable check box to enable/disable Anti-Virus. The new configuration takes effect after the relevant device is reset.
Max Decompression Layer: By default the firewall can scan files of up to 5 decompression layers. To specify a decompression layer, select a value from the drop-down list. The value range is 1 to 5.
Exceed Action: Specify an action for compressed files that exceed the max decompression layer. Select an action from the drop-down list:
    Log Only - Only generates logs but does not scan the files. This action is enabled by default.
    Reset Connection - If a virus has been detected, the firewall resets the connections carrying the files.
    Log Only - Only generates logs but does not scan the files.
4. Select the Device Threaten Configuration List tab to view the details of the IPS signature list. For more information, see Device Threaten Configuration List.
5. Click OK.
To search for the details of a specific signature entry, take the following steps:
1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. From the device navigation pane, click the device you want to view.
3. Expand Object from the object navigation pane, and then select Threat Protection.
5. You can click a filter name and then input the value for this filter in the search bar. You can also hover the mouse over a parameter (including protocol, operating system, attack type, popularity, severity, service type, status and type) to view the drop-down list, and select the filter condition.
7. In the signature list, click the ID. You can view the specific signature details in the pop-up dialog.
Note:
The icon expands to show the search history. If Auto Open is selected, the history is opened automatically while you use the search box.
1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. From the device navigation pane, click the device on which you want to customize a signature rule.
3. Expand Object from the object navigation pane, and then select Threat Protection.
4. Select the Device Threaten Configuration List tab, and the main window shows the IPS signature list.
5. Click New from the toolbar. The User-defined Signature dialog appears.
General tab
Name: Specify the signature name.
Description: Specify the signature description.
Protocol: Specify the protocol that the signature supports.
Flow: Specify the direction for the signature. "To_Server" means the attack packet is from the server to the client. "To_Client" means the attack packet is from the client to the server. "Both" means bidirectional.
Dsize: Specify the payload message size. Select "----", ">", "<" or "=" from the drop-down list and specify the value in the text box. "----" means the parameter is not set.
Attack Type: Select the attack type from the drop-down list.
Service Type: Select the service type from the drop-down list. "----" means all services.
Operating System: Select the operating system from the drop-down list. "----" means all operating systems.
Detection Filter: Specify the frequency of the signature rule.
    Track - Select the track type from the drop-down list. It can be by_src or by_dst. The system uses the statistics of the source IP or destination IP to check whether the attack matches this rule.
    Count - Specify the maximum number of times the rule occurs in the specified time. If the attacks exceed the Count value, the security device triggers the rule and acts as specified.
Content tab: Click New and configure the signature contents. Click OK to save your settings.
Content: Specify the signature content. Select the following check boxes if needed:
    URI - Means the content needs to match the URI field of the HTTP request.
    Offset: The system starts searching after the offset from the header of the application layer packet. The unit is byte.
    Depth: Specifies the scanning length after the offset. The unit is byte.
    If Last Content is selected, the system searches from the end position of the previous content.
    Distance: The system starts searching after the distance from the end position of the previous content. The unit is byte.
    Within: Specifies the scanning length after the distance. The unit is byte.
7. Click OK.
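The Offset, Depth, Last Content, Distance and Within fields of the Content tab above follow the usual Snort-style content-modifier semantics: Offset/Depth bound an absolute search window from the start of the application-layer payload, while Distance/Within bound a window relative to where the previous content ended. The Python below is an added example of how a detection engine evaluates such a multi-content signature; it is not HSM's code. The SAMPLE_REQUEST and BENIGN_REQUEST payloads are constructed, and the dict keys are assumed names for the dialog fields.

```python
def find_content(payload, pattern, start, span):
    """Search for pattern inside payload[start:start+span]; span=None means
    'to the end of the payload'. The whole pattern must fit in the window.
    Returns (match_start, match_end) or None."""
    if start < 0 or start > len(payload):
        return None
    region = payload[start:] if span is None else payload[start:start + span]
    idx = region.find(pattern)
    if idx < 0:
        return None
    return start + idx, start + idx + len(pattern)


def match_signature(payload, contents):
    """Evaluate an ordered list of content entries against one payload.

    Each entry is a dict (assumed field names) of one of two shapes:
        absolute: {"content": bytes, "offset": int, "depth": int or None}
        relative: {"content": bytes, "last_content": True,
                   "distance": int, "within": int or None}
    Offset counts from the application-layer header; Distance counts from the
    end of the previous content match. Returns the list of matched (start, end)
    spans, or None as soon as one content fails to match.
    """
    spans = []
    prev_end = 0
    for c in contents:
        if c.get("last_content"):
            start = prev_end + c.get("distance", 0)   # relative to previous match
            span = c.get("within")
        else:
            start = c.get("offset", 0)                 # relative to payload start
            span = c.get("depth")
        hit = find_content(payload, c["content"], start, span)
        if hit is None:
            return None
        spans.append(hit)
        prev_end = hit[1]
    return spans


# Constructed sample payloads (not captured traffic)
SAMPLE_REQUEST = b"GET /search?q=1 UNION SELECT name FROM users HTTP/1.1\r\n"
BENIGN_REQUEST = b"GET /search?q=shoes HTTP/1.1\r\n"

# A user-defined signature: a GET request line whose URI carries a UNION
# followed within 12 bytes by SELECT, the classic SQL injection shape the
# SQL Injection Protection check looks for in the URI check point.
UNION_SELECT_SIG = [
    {"content": b"GET ", "offset": 0, "depth": 4},
    {"content": b"UNION", "last_content": True, "distance": 0, "within": None},
    {"content": b"SELECT", "last_content": True, "distance": 1, "within": 12},
]

if __name__ == "__main__":
    print(match_signature(SAMPLE_REQUEST, UNION_SELECT_SIG))  # [(0, 4), (16, 21), (22, 28)]
    print(match_signature(BENIGN_REQUEST, UNION_SELECT_SIG))  # None
```

Depth and Within are what keep a signature cheap and precise: "GET " with Offset 1 and Depth 4 fails on the sample because the window no longer contains the whole pattern, and the SELECT content is only accepted if it starts within 12 bytes of the end of UNION, so the engine does not scan the rest of a large payload for it.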
URL Filter
URL filter controls access to certain websites and records log messages for the access actions. URL filter helps you control network behaviors in the following aspects:
Access control to certain categories of websites, such as gambling and pornographic websites.
Access control to certain categories of websites during a specified period. For example, forbid access to IM websites during office hours.
Access control to websites whose URL contains the specified keywords. For example, forbid access to URLs that contain the keyword "game".
Note: HSM only supports centralized management of the URL filter function for NGFW version 5.5R1 or above.
Configuring URL Filter
Configuring URL filter contains two parts:
1. Select Configuration > Device Configuration, then click Object > URL Filter Bundle > URL Filter.
2. Click New.
    New: Create a new URL category. For more information about URL categories, see "User-defined URL DB" on page 142.
    Edit: Select a URL category from the list, and click Edit to edit the selected URL category.
    Block: Select the check box to block access to the corresponding URL category.
    Log: Select the check box to log access to the corresponding URL category.
    Other URLs: Specify the actions for URLs that are not in the list, including Block Access and Record Log.
    URL Keyword Category controls access to websites whose URL contains the specified keywords. Click the URL Keyword Category option to configure it. The options are:
    Edit: Select a URL keyword category from the list, and click Edit to edit the selected URL keyword category.
    Block: Select the check box to block access to websites whose URL contains the specified keywords.
    Log: Select the check box to log access to websites whose URL contains the specified keywords.
Predefined URL DB
The system contains a predefined URL database.
The predefined URL database provides URL categories for URL filter configurations. It includes dozens of categories and tens of millions of URLs.
When identifying the URL category, the user-defined URL database has a higher priority than the predefined URL database.
Note: The predefined URL database is controlled by a license. Only after a URL license is installed can the predefined URL database be used.
User-defined URL DB
Besides the categories in the predefined URL database, you can also create user-defined URL categories, which provide URL categories for URL filter configurations. When identifying the URL category, the user-defined URL database has a higher priority than the predefined URL database.
The system provides three user-defined URL categories by default: custom1, custom2, custom3.
3. Type the category name in the Name text box. A URL category name cannot be only a hyphen (-). You can create at most 1000 user-defined categories.
4. Type the category description in the Description text box. The value range is 0 to 255 characters.
6. Click Add to add the URL and its category to the table.
8. To delete an existing one, select its check box and then click Delete.
Keyword Category
You can customize keyword categories and use them in the URL filter function.
After a URL filter rule is configured, the system scans traffic according to the configured keywords and calculates a trust value for the keywords that are hit. The calculation method is: for each keyword that belongs to the category, multiply the number of occurrences by the keyword's trust value, and add up the results. The system then compares the sum with the threshold of 100 and performs the following actions according to the comparison result:
If the sum is larger than or equal to the category threshold (100), the configured category action is triggered;
If more than one category action can be triggered and a block action is configured among them, the final action is Block;
If more than one category action can be triggered and all the configured actions are Permit, the final action is Permit.
For example, a URL filter rule contains two keyword categories: C1 with action Block and C2 with action Permit. Both C1 and C2 contain the same keywords K1 and K2. The trust values of K1 and K2 in C1 are 20 and 40. The trust values of K1 and K2 in C2 are 30 and 80.
If the system detects 1 occurrence each of K1 and K2 on a URL, then the C1 trust value is 20*1+40*1=60<100, and the C2 trust value is 30*1+80*1=110>100. As a result, the C2 action is triggered and the URL access is permitted.
If the system detects 3 occurrences of K1 and 1 occurrence of K2 on a URL, then the C1 trust value is 20*3+40*1=100, and the C2 trust value is 30*3+80*1=170>100. The conditions for both C1 and C2 are satisfied, but the block action of C1 is triggered, so the web page access is denied.
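The trust-value calculation and the block-over-permit decision above, written out as an added Python example (not HSM code). It reproduces the guide's C1/C2 figures and adds the keyword-counting step from the Keyword Category procedure, where each keyword is matched either as a simple substring or as a regular expression. The keyword patterns in the demo URL are constructed, and returning None (no category action) when no category reaches 100 is an assumption the guide does not spell out.

```python
import re


def count_keyword_hits(url, keywords):
    """Count occurrences of each keyword in a URL.

    keywords: {name: (pattern, method)} with method "simple" (plain substring)
    or "regex" (regular expression), the two matching methods the dialog offers.
    """
    hits = {}
    for name, (pattern, method) in keywords.items():
        if method == "simple":
            hits[name] = url.count(pattern)
        elif method == "regex":
            hits[name] = len(re.findall(pattern, url))
        else:
            raise ValueError(f"unknown matching method {method!r}")
    return hits


def category_trust(category, hits):
    """Sum over the category's keywords of occurrences * trust value."""
    return sum(hits.get(name, 0) * trust for name, trust in category["trust"].items())


def url_filter_verdict(categories, hits, threshold=100):
    """Apply the documented decision rule.

    categories: {name: {"action": "Block" or "Permit", "trust": {keyword: value}}}
    Returns (final_action, {category: score}); final_action is None when no
    category reached the threshold (assumed: no category action is triggered).
    """
    scores = {name: category_trust(cat, hits) for name, cat in categories.items()}
    triggered = [name for name, score in scores.items() if score >= threshold]
    if not triggered:
        return None, scores
    # Any Block among the triggered categories wins over Permit.
    if any(categories[n]["action"] == "Block" for n in triggered):
        return "Block", scores
    return "Permit", scores


# The guide's worked example: C1 blocks, C2 permits, both hold K1 and K2
CATEGORIES = {
    "C1": {"action": "Block", "trust": {"K1": 20, "K2": 40}},
    "C2": {"action": "Permit", "trust": {"K1": 30, "K2": 80}},
}

# Constructed keyword definitions for K1 (simple) and K2 (regular expression)
DEMO_KEYWORDS = {"K1": ("game", "simple"), "K2": (r"bet\d+", "regex")}


def run_demo(url="http://example.com/game/game-bet99"):
    """Count keywords in a constructed URL and return the verdict and scores."""
    hits = count_keyword_hits(url, DEMO_KEYWORDS)
    return url_filter_verdict(CATEGORIES, hits)


if __name__ == "__main__":
    print(url_filter_verdict(CATEGORIES, {"K1": 1, "K2": 1}))  # ('Permit', {'C1': 60, 'C2': 110})
    print(url_filter_verdict(CATEGORIES, {"K1": 3, "K2": 1}))  # ('Block', {'C1': 100, 'C2': 170})
    print(run_demo())                                          # ('Permit', {'C1': 80, 'C2': 140})
```

Because a single Block category that reaches 100 overrides every Permit category, the trust values in a Permit category only ever matter when no Block category is triggered; when tuning keyword weights, start from the Block categories and use the worked numbers above as a regression check.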
1. Select Object > URL Filter Bundle > Keyword Category. The Keyword Category dialog appears.
4. Type the category description in the Description text box. The value range is 0 to 255 characters.
5. Specify the keyword, character matching method (simple/regular expression), and trust value.
8. To delete a keyword, select the keyword you want to delete from the list and click Delete.
Warning Page
The warning page shows the user block information and user audit information.
If Internet behavior is blocked by the URL filter function, Internet access is denied. Access Denied information is shown in your browser, and some web surfing rules are shown on the warning page at the same time. See the picture below:
After enabling the block warning function, block warning information is shown in the browser when one of the following actions is blocked:
2. Click Object > URL Filter Bundle > Warning Page, the Warning Page dialog appears.
After enabling the audit warning function, when your network behavior matches the configured URL filter rule, your
HTTP request will be redirected to a warning page, on which the audit and privacy protection information is displayed.
See the picture below:
The audit warning function is disabled by default. To configure the audit warning function:
1. From the device navigation pane, select the device you want to configure the audit warning function.
2. Select Object > URL Filter Bundle > Warning Page, the Warning Page dialog appears.
1. From the device navigation pane, select the device you want to view the reference information.
2. From the object navigation pane, select the object type, the main window shows the detailed information of the
object.
3. From the object table, click View in the Referenced by column. The security device shows the Referenced by dialog
of the corresponding object.
1. From the device navigation pane, select the device you want to view the operation records.
2. From the object navigation pane, select the object type, the main window shows the detailed information of the
object.
3. From the object table, click in the Operation Record column. The system shows the Operation Record dialog of
the corresponding object.
The application type and timeout value of services are not checked.
1. From the device navigation pane, right-click the device you want to check and then click Redundant Object Check on the pop-up menu.
2. The system generates the related task and begins the check. After checking, a report is generated. Click the View Report button to view the detailed information. You can also view the report on the task management page.
Here is the description of the report:
Total Zone/Address Entry/Service Entry/Service Group/Schedule Number: Number of objects of a certain object type in the policy of the device.
Unreferenced Zone/Address Entry/Service Entry/Service Group/Schedule: Number of unreferenced objects of a certain type in the policy of the device.
Same Zone/Address Entry/Service Entry/Service Group/Schedule: Number of objects of a certain object type in the policy of the device that have the same elements except for their names.
3. Click the Save button in the upper right corner to save the report locally in PDF format.
VPN
IPSec is a widely used protocol suite for establishing VPN tunnels. IPSec is not a single protocol, but a suite of protocols for securing IP communications. It includes Authentication Header (AH), Encapsulating Security Payload (ESP), Internet Key Exchange (IKE) and a set of authentication methods and encryption algorithms. The IPSec protocol defines how to choose the security protocols and algorithms, as well as the method of exchanging security keys among communicating peers.
Authentication Header (AH): AH is a member of the IPsec protocol suite. AH guarantees connectionless integrity and data origin authentication of IP packets, and furthermore protects against replay attacks. AH can provide sufficient authentication for IP headers and upper-layer protocols.
Encapsulating Security Payload (ESP): ESP is a member of the IPsec protocol suite. ESP provides encryption for confidential data and implements integrity checking of IPsec ESP data in order to guarantee confidentiality and integrity. Both ESP and AH can provide the service of confidentiality (encryption), and the key difference between them is the coverage.
Internet Key Exchange (IKE): IKE is used to negotiate the cryptographic algorithms for AH and ESP and to deliver the keys those algorithms need to the right place.
IPsec provides encrypted communication between two peers, which are known as IPsec ISAKMP gateways. There are two ways to set up an SA: manually, or with IKE ISAKMP. HSM supports only IKE ISAKMP. HSM does not support shared IPSec VPN.
1. Click Device Configuration from the Level-1 navigation pane to enter the configuration page.
3. Select VPN > IPSec VPN in the object navigation pane. The main window then displays the related information about IPSec VPN and the toolbar.
4. Click New in the IKE VPN List. The IKE VPN Configuration dialog box pops up.
Peer Name: Specifies the name of the ISAKMP gateway. To edit an ISAKMP gateway, click Edit.
Information: Shows the information of the selected peer.
Name: Type a name for the tunnel.
Mode: Specifies the mode, including tunnel mode and transport mode.
P2 Proposal: Specifies the P2 proposal for the tunnel.
Proxy ID: Specifies the Phase 2 ID for the tunnel, which can be Auto or
DNS1/2: Specifies the IP address of the DNS server allocated to the client by the PnPVPN server. You can define one primary DNS server and a backup DNS server.
WINS1/2: Specifies the IP address of the WINS server allocated to the client by the PnPVPN server. You can define one primary WINS server and a backup WINS server.
Enable Idle Time: Select the Enable check box to enable the idle time function. By default, this function is disabled. This time length is the longest time the tunnel can exist without traffic passing through it. When the time is over, the SA will be cleared.
DF-Bit: Select the check box to allow the forwarding device to execute IP packet fragmentation. The options are:
Commit Bit: Select the Enable check box to make the corresponding party configure the commit bit function, which can avoid packet loss and time difference. However, the commit bit may slow the responding speed.
Accept-all-proxy-ID: This function is disabled by default. With this function enabled, the device working as the initiator will use the peer's ID as its Phase 2 ID in the IKE negotiation, and return the ID to its peer.
Auto Connect: Select the Enable check box to enable the auto connection function. By default, this function is disabled. The device has two methods of establishing an SA: auto and traffic triggered. When it is auto, the device checks the SA status every 60 seconds and initiates a negotiation request when the SA is not established; when it is traffic triggered, the tunnel sends a negotiation request only when there is traffic passing through the tunnel. By default, traffic triggered mode is used.
Note: Auto connection works only when the peer IP is static and the local device is the initiator.
Tunnel Route: This item can only be modified after this IKE VPN is created. Click Choose to add one or more tunnel routes in the Tunnel Route Configuration dialog that appears. You can add up to 128 tunnel routes.
Description: Type the description for the tunnel.
VPN Track: Select the Enable check box to enable the VPN track function. The device can monitor the connectivity status of the specified VPN tunnel, and also allows backup or load sharing between two or more VPN tunnels. This function is applicable to both route-based and policy-based VPNs. The options are:
Type: Specifies the type of the peer IP. If the peer IP is static, type the IP address into the Peer IP box; if the peer IP type is user group, select the AAA server you need from the AAA Server drop-down list.
Local ID: Specifies the local ID. The system supports five types of ID: FQDN, U-FQDN, Asn1dn (only for license), KEY-ID and IP. Select the ID type you want, and then type the content for this ID into the Local ID box or the Local IP box.
Peer ID: Specifies the peer ID. The system supports five types of ID: FQDN, U-FQDN, Asn1dn (only for license), KEY-ID and IP. Select the ID type you want, and then type the content for this ID into the Peer ID box or the Peer IP box.
NAT Traversal: This option must be enabled when there is a NAT device in the IPSec or IKE tunnel and the device implements NAT. By default, this function is disabled.
Any Peer ID: Makes the ISAKMP gateway accept any peer ID and not check the peer IDs.
Generate Route: Select the Enable check box to enable the auto routing function. By default, this function is disabled. This function allows the device to automatically add routing entries from the center device to the branch, avoiding the problems caused by manually configured routing.
DPD: Select the Enable check box to enable the DPD (Dead Peer Detection) function. By default, this function is disabled. When the responder does not receive the peer's packets for a long period, it can enable DPD and initiate a DPD request to the peer to test whether the ISAKMP gateway still exists.
6. In the P1 Proposal List tab, click New and the Phase1 Proposal Configuration dialog box will pop up.
7. In the P2 Proposal List tab, click New and the Phase2 Proposal Configuration dialog box will pop up.
Null – No authentication.
PFS Group: Specifies the PFS (Perfect Forward Secrecy) group for Phase 2. PFS is used to protect the DH exchange.
Lifetime: The lifetime can be measured by two standards: time length and traffic volume. Type the time-based lifetime of the P2 proposal into the box. The value range is 180 to 86400 seconds. The default value is 28800.
Lifesize: Select Enable to enable the traffic-based lifetime of the P2 proposal. By default, this function is disabled. After selecting Enable, specify the traffic volume of the lifetime. The value range is 1800 to 4194303 KB. The default value is 1800. Type the traffic volume value into the box.
PKI
PKI (Public Key Infrastructure) is a system that provides public key encryption and digital signature services. PKI is designed to automate secret key and certificate management, and to assure the confidentiality, integrity and non-repudiation of data transmitted over the Internet. A PKI certificate binds a public key to the identity of its user through a trusted third party, thus authenticating the user over the Internet. A PKI system consists of Public Key Cryptography, a CA (Certificate Authority), an RA (Registration Authority), Digital Certificates and the related PKI storage library.
PKI terminology:
Public Key Cryptography: A technology used to generate a key pair that consists of a public key and a private key. The public key is widely distributed, while the private key is known only to the recipient. The two keys in the key pair complement each other, and data encrypted with one key can only be decrypted with the other key of the pair.
CA: A trusted entity that issues digital certificates to individuals, computers or any other entities. CA accepts
RA: An extension of the CA. The RA forwards certificate requests to the CA, and also forwards the digital certificates and CRLs issued by the CA to directory servers in order to provide directory browsing and query services.
CRL: Each certificate is issued with an expiration date. However, the CA might revoke a certificate before it expires due to key leakage, business termination or other reasons. Once a certificate is revoked, the CA issues a CRL to announce that the certificate is invalid, listing the serial number of the invalid certificate.
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. Select the device whose trust domain you want to view.
3. Click PKI > Trust Domain. The main window then displays the related information about the trust domain and the toolbar.
4. Select the trust domain you want to view, and click View.
If you use LDAP to retrieve the CRL, you need to enter the login-DN of the LDAP server and the password. If no login-DN or password is given, the transfer will be anonymous.
Auto Update: Update frequency of the CRL list.
Manual Update: Get the CRL immediately by clicking Obtaining CRL.
User
A user is someone who uses the functions and services provided by the Hillstone device, or who is authenticated or managed by the device. Authenticated users consist of local users and external users. Local users are created by administrators; they belong to different local authentication servers and are stored in the system's configuration files. External users are stored on external servers, such as an AD server or an LDAP server. The system supports user groups to facilitate user management. Users belonging to one local authentication server can be allocated to different user groups, and a single user can belong to several user groups simultaneously; similarly, user groups belonging to one local authentication server can be allocated to different user groups, and a single user group can belong to several user groups simultaneously.
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. In the device navigation pane, select the device on which you want to create a local user, go to the Objects navigation pane and select User > Local User. The main window shows the local user list.
3. Click New from the toolbar. The User Configuration dialog appears.
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. In the device navigation pane, select the device on which you want to create a local user group, go to the Objects navigation pane and select User > Local User. The main window shows the local user list.
3. Click New > User Group from the toolbar. The User Group Configuration dialog appears.
5. Specify members for the user group. Expand User or User Group in the Available list, select a user or user group and click Add to add it to the Selected list on the right. To delete a selected user or user group, select it in the Selected list and then click Remove. One user group can contain multiple users or user groups, but the system only supports up to 5 layers of nested user groups, and does not support loopback nesting, i.e., a user group must not nest the upper-layer user group it belongs to.
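The nesting rules above (at most 5 layers, no loopback nest) can be checked offline before a group configuration is pushed. The following is an added example written for this guide, not Hillstone code; the group data, function names and the 5-layer constant are constructed from the description above.

```python
"""Check local user-group nesting against the limits described above:
a group may contain users and other groups, nesting is limited to 5
layers, and a group must never nest (directly or indirectly) a group
that contains it. Added example, not Hillstone code; the group data and
names are constructed."""

MAX_NESTING_LAYERS = 5  # limit stated in the guide

# Constructed example: group name -> (users in the group, nested groups).
GROUPS = {
    "staff":   ({"alice", "bob"}, {"eng", "ops"}),
    "eng":     ({"carol"},        {"backend"}),
    "backend": ({"dave"},         set()),
    "ops":     ({"erin"},         set()),
}


def nesting_depth(groups, name, path=()):
    """Number of group layers rooted at `name` (a group with no nested
    groups counts as 1). Raises ValueError on a loopback nest."""
    if name in path:
        raise ValueError("loopback nest: " + " -> ".join(path + (name,)))
    if name not in groups:
        raise KeyError("unknown user group: " + name)
    _users, nested = groups[name]
    if not nested:
        return 1
    return 1 + max(nesting_depth(groups, g, path + (name,)) for g in nested)


def validate_groups(groups):
    """Return a list of problems; an empty list means the configuration
    is acceptable under the guide's rules."""
    problems = []
    for name in groups:
        try:
            depth = nesting_depth(groups, name)
        except ValueError as err:       # loopback nest
            problems.append(str(err))
            continue
        if depth > MAX_NESTING_LAYERS:
            problems.append(
                f"{name}: {depth} layers exceeds the {MAX_NESTING_LAYERS}-layer limit")
    return problems


def effective_users(groups, name):
    """All users a group contains once nested groups are expanded.
    Only call this on a configuration that validate_groups() accepted."""
    users, nested = groups[name]
    result = set(users)
    for g in nested:
        result |= effective_users(groups, g)
    return result


if __name__ == "__main__":
    print("problems:", validate_groups(GROUPS))
    print("staff expands to:", sorted(effective_users(GROUPS, "staff")))
```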
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. In the device navigation pane, select the device into which you want to import the list, go to the Objects navigation pane and select User > Local User. The main window shows the local user list.
3. Click the black triangle to the right of the Import button on the toolbar, and select Import User Binding List or Import User Password List.
4. Browse the local directory and select the file you want to import.
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
3. Click the black triangle to the right of the Export button on the toolbar, and select Export User Binding List or Export User Password List.
4. Click OK in the prompt dialog and select the location to export to.
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. In the device navigation pane, select the device whose users you want to synchronize, go to the Objects navigation pane and select User > LDAP User. The main window shows the LDAP user list.
3. Select a server from the LDAP Server drop-down list, and click Sync User from the toolbar.
Importing Binding
You can import an LDAP user binding list into HSM. The list file must be in .txt format.
To import the list on HSM, take the following steps:
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. In the device navigation pane, select the device into which you want to import the list, go to the Objects navigation pane and select User > LDAP User. The main window shows the LDAP user list.
4. Browse the local directory and select the file you want to import.
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. In the device navigation pane, select the device from which you want to export the list, go to the Objects navigation pane and select User > LDAP User. The main window shows the LDAP user list.
4. Click OK in the prompt dialog and select the location to export to.
2. In the device navigation pane, select the device whose users you want to synchronize, go to the Objects navigation pane and select User > Active Directory User. The main window shows the Active Directory user list.
3. Select a server from the Active Directory Server drop-down list, and click Sync User from the toolbar.
Importing Binding
You can import an Active Directory user binding list into HSM. The list file must be in .txt format.
To import the list on HSM, take the following steps:
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. In the device navigation pane, select the device into which you want to import the list, go to the Objects navigation pane and select User > Active Directory User. The main window shows the Active Directory user list.
4. Browse the local directory and select the file you want to import.
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. In the device navigation pane, select the device from which you want to export the list, go to the Objects navigation pane and select User > Active Directory User. The main window shows the Active Directory user list.
4. Click OK in the prompt dialog and select the location to export to.
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. In the device navigation pane, select the device on which you want to add a user binding, go to the Objects navigation pane and select User > User Binding.
3. Click Add User Binding from the toolbar. The IP MAC Binding dialog appears.
Binding Type: By specifying the binding type, you can bind the user to an IP address or a MAC address. Within a virtual router, the same IP or MAC address can only be bound to one user. One user can be bound to multiple MAC addresses.
MAC - If MAC is selected, type the MAC address into the MAC text box, and select a VR from the Virtual Router drop-down list.
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. In the device navigation pane, select the device into which you want to import the list, go to the Objects navigation pane and select User > User Binding.
4. Browse the local directory and select the file you want to import.
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. In the device navigation pane, select the device from which you want to export the list, go to the Objects navigation pane and select User > User Binding.
4. Click OK in the prompt dialog and select the location to export to.
Role
Roles are designed with certain privileges. For example, a specific role can gain access to some specified network
resources, or make exclusive use of some bandwidth. In StoneOS, users and privileges are not directly associated. Instead,
they are associated by roles.
The mappings between roles and users are defined by role mapping rules. In function configurations, different roles are
assigned with different services. Therefore, the mapped users can gain the corresponding services as well.
System supports role combination, i.e., the AND, NOT or OR operation on roles. If a role is used by different modules,
the user will be mapped to the result role generated by the specified operation.
Creating a Role
To create a role on HSM, take the following steps:
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. In the device navigation pane, select the device on which you want to create a role, go to the Objects navigation pane and select Role > Role. The main window shows the role list.
3. Click New from the toolbar. The Role Configuration dialog appears.
Option Description
Type: Specifies the type of the new role, private or shared.
Role Name: Type the role name into the Role Name box.
Description: Type the description for the role into the Description box.
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. In the device navigation pane, select the device on which you want to associate the role, go to the Objects navigation pane and select Role > Role. The main window shows the role list.
3. Select a role, and click Mapping To from the toolbar. The Mapping To dialog appears.
5. If needed, repeat Step 3 and Step 4 to add more mappings. To delete a role mapping, select it in the mapping list and click Delete.
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. In the device navigation pane, select the device you want, go to the Objects navigation pane and select Role > Role Mapping. The main window shows the role mapping rule list.
3. Click New from the toolbar. The Role Mapping Configuration dialog appears.
Type: Specifies the type of the new role mapping rule, private or shared.
Mapping Name: Type the name for the role mapping rule.
Member: In the Member section, select a role from the first drop-down list, and then select a user, user group, certificate name (the CN field of the USB Key certificate) or organization unit (the OU field of the USB Key certificate) from the second drop-down list. If User, User Group, CN or OU is selected, also select or enter the corresponding user name, user group name, CN or OU in the box that follows.
5. If needed, repeat Step 3 and Step 4 to add more mappings. To delete a role mapping, select it in the mapping list and click Delete.
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. In the device navigation pane, select the device you want, go to the Objects navigation pane and select Role > Role Combination. The main window shows the role combination list.
3. Click New from the toolbar. The Role Combination Configuration dialog appears.
Option Description
Type: Specifies the type of the new role combination, private or shared.
First Prefix: Specifies a prefix for the first role in the role regular expression.
First Role: Select a role name from the First Role drop-down list to specify the first role in the role regular expression.
Operator: Specifies an operator for the role regular expression.
Second Prefix: Specifies a prefix for the second role in the role regular expression.
Second Role: Select a role name from the Second Role drop-down list to specify the second role in the role regular expression.
Result Role: Select a role name from the Result Role drop-down list to specify the result role of the role regular expression.
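To make the Role section concrete, the following added example (written for this guide, not Hillstone or StoneOS code) evaluates a role mapping rule's Member entries and then a role combination for a few constructed users. Assumptions not stated in the guide: a prefix is either empty or "NOT", the operator is AND or OR, and combinations are evaluated against the roles the mapping rule produced; all users, roles and rules below are constructed.

```python
"""Evaluate role mapping rules (user / user group / certificate CN / OU ->
role) and role combinations (<prefix> role <operator> <prefix> role ->
result role) as the Role section describes them. Added example, not
Hillstone/StoneOS code; prefixes "" or "NOT" and operators AND / OR are
assumptions, and all names and data are constructed."""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    cn: str = ""   # CN field of the user's USB Key certificate
    ou: str = ""   # OU field of the user's USB Key certificate


@dataclass
class MappingMember:
    """One entry of a role mapping rule's Member section."""
    role: str
    kind: str      # "user", "group", "cn" or "ou"
    value: str


@dataclass
class Combination:
    """One role combination: first_prefix first_role operator second_prefix second_role."""
    first_prefix: str
    first_role: str
    operator: str      # "AND" or "OR"
    second_prefix: str
    second_role: str
    result_role: str


def map_roles(user, members):
    """Roles the mapping rule assigns to `user`."""
    roles = set()
    for m in members:
        matched = {
            "user":  user.name == m.value,
            "group": m.value in user.groups,
            "cn":    user.cn == m.value,
            "ou":    user.ou == m.value,
        }[m.kind]
        if matched:
            roles.add(m.role)
    return roles


def _term(prefix, role, roles):
    """Truth value of one (prefix, role) operand against the user's roles."""
    has = role in roles
    if prefix == "NOT":
        return not has
    if prefix == "":
        return has
    raise ValueError("unknown prefix: " + prefix)


def apply_combinations(roles, combos):
    """Add each combination's result role when its expression holds."""
    result = set(roles)
    for c in combos:
        a = _term(c.first_prefix, c.first_role, roles)
        b = _term(c.second_prefix, c.second_role, roles)
        if c.operator == "AND":
            holds = a and b
        elif c.operator == "OR":
            holds = a or b
        else:
            raise ValueError("unknown operator: " + c.operator)
        if holds:
            result.add(c.result_role)
    return result


def effective_roles(user, members, combos):
    """Roles the user ends up with after mapping and combination."""
    return apply_combinations(map_roles(user, members), combos)


# Constructed mapping rule and combinations.
MEMBERS = [
    MappingMember("vpn_user", "group", "sales"),
    MappingMember("admin", "cn", "Alice Admin"),
    MappingMember("contractor", "ou", "External"),
]
COMBOS = [
    # vpn_user AND NOT contractor -> vpn_full (staff only get the full tunnel)
    Combination("", "vpn_user", "AND", "NOT", "contractor", "vpn_full"),
    # admin OR contractor -> audited (both kinds of account get extra logging)
    Combination("", "admin", "OR", "", "contractor", "audited"),
]
```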
Local server: the local server is the firewall itself. The firewall stores the user identity information and handles the requests. Local server authentication is fast and cheap, but its storage space is limited by the firewall hardware.
External servers:
Radius server
LDAP server
TACACS+ server
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. In the device navigation pane, select the device you want, go to the Objects navigation pane and select AAA Server.
3. Click New from the toolbar. The Local Server Configuration dialog appears.
Option Description
Type: Specifies the type of the new local server, private or shared.
Server Name: Type the name for the new server into the text box.
Role Mapping Rule: Specifies a role mapping rule for the server. With this option selected, the system will allocate a role to users who have been authenticated by the server according to the specified role mapping rule.
Change Password: If needed, select the Enable checkbox. With this function enabled, the system allows users to change their own passwords after successful WebAuth or SCVPN authentication.
Backup Authentication Server: To configure a backup authentication server, select a server from the drop-down list. After a backup authentication server is configured for the local server, it takes over the authentication task when the primary server malfunctions or authentication fails on the primary server. The backup authentication server can be any existing local, Active Directory, RADIUS or LDAP server defined in the system.
Click the View link in the AAA server's Reference By column to view all objects that reference the AAA server. Click the
Remove link in Remove Relationship column of each tab to release the reference relationship between this AAA server
and the corresponding object.
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. In the device navigation pane, select the device you want, go to the Objects navigation pane and select AAA Server.
3. Click the black triangle to the right of the New button on the toolbar, and select Radius Server. The Radius Server Configuration dialog appears.
Basic Configuration
Type: Specifies the type of the new Radius server, private or shared.
Server Name: Specifies a name for the Radius server.
Server Address: Specifies an IP address or domain name for the Radius server.
Virtual Router: Specifies a VR for the Radius server.
Port: Specifies a port number for the Radius server. The value range is 1024 to 65535. The default value is 1812.
Password: Specifies a password for the Radius server. You can specify at most 31 characters.
Optional
Role Mapping Rule: Specifies a role mapping rule for the server. With this option selected, the system will allocate a role to users who have been authenticated by the server according to the specified role mapping rule.
Backup server 1/Backup server 2: Specifies an IP address or domain name for backup server 1 or backup server 2.
Virtual Router1/Virtual Router2: Specifies a VR for the backup server.
Retries: Specifies the number of retries for the authentication packets sent to the AAA server. The value range is 1 to 10. The default value is 3.
Timeout: Specifies a timeout for the server response. The value range is 1 to 30 seconds. The default value is 3.
Backup Auth Server: Specifies a backup authentication server. After a backup authentication server is configured for the Radius server, it takes over the authentication task when the primary server malfunctions or authentication fails on the primary server. The backup authentication server can be any existing local, Active Directory, RADIUS or LDAP server defined in the system.
Enable Account: Select the Enable Account checkbox to enable accounting for the Radius server, and then configure the options in the area that slides out.
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.
2. In the device navigation pane, select the device you want, go to the Objects navigation pane and select AAA Server.
3. Click the black triangle to the right of the New button from the toolbar, and select Active Directory Server. The Act-
Basic Configuration
Type: Specifies the type of the new Active Directory server, private or shared.
Server Name: Specifies a name for the Active Directory server.
Server Address: Specifies an IP address or domain name for the Active Directory server.
Virtual Router: Specifies a VR for the Active Directory server.
Port: Specifies a port number for the Active Directory server. The value range is 1 to 65535. The default value is 389.
Base-dn: Specifies a Base-dn for the AD server. Base-dn is the starting point at which the search begins when the AD server receives an authentication request. Taking the example of abc.xyz.com described above, the format of the Base-dn is "dc=abc,dc=xyz,dc=com".
Password: Specifies a password for the AD server. This should be the password for the Admin DN.
Optional
Role Mapping Rule: Specifies a role mapping rule for the server. With this option selected, the system will allocate a role to users who have been authenticated by the server according to the specified role mapping rule.
Backup server 1/Backup server 2: Specifies an IP address or domain name for backup server 1 or backup server 2.
Virtual Router1/Virtual Router2: Specifies a VR for the backup server.
Synchronization: Check the checkbox to enable the synchronization function; clear the checkbox to disable it, in which case the system stops synchronizing and clears the existing user information. By default, the system synchronizes the user information on the configured Active Directory server to the local device every 30 minutes.
Automatic Synchronization: Click the radio button to specify automatic synchronization.
    Interval Synchronization: Specifies the time interval of automatic synchronization. The value range is 30 to 1440 minutes. The default value is 30.
    Daily Synchronization: Specifies the time at which the user information is synchronized every day. The format is HH:MM, where HH and MM indicate hour and minute respectively.
    Once Synchronization: If this parameter is specified, the system will synchronize automatically when the configuration of the Active Directory server is modified. After executing this command, the system will synchronize user information immediately.
User Filter: Specifies the user filter conditions; the system can only synchronize and authenticate users that satisfy the filter condition on the authentication server. The length is 0 to 120 characters. For example, if the condition is configured to "memberOf=CN=Admin,DC=test,DC=com", the system can only synchronize or authenticate users that satisfy "memberOf=CN=Admin,DC=test,DC=com". The commonly used operators are: =(equals a value), &(and), |(or), !(not), *(Wildcard. Matches
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.
2. In the device navigation pane, select the device you want, go to the Objects navigation pane and select AAA Server.
3. Click the black triangle to the right of the New button from the toolbar, and select LDAP Server. The LDAP Server
Basic Configuration
Type: Specifies the type of the new LDAP server, private or shared.
Server Name: Specifies a name for the LDAP server.
Server Address: Specifies an IP address or domain name for the LDAP server.
Virtual Router: Specifies a VR for the LDAP server.
Port: Specifies a port number for the LDAP server. The value range is 1 to 65535. The default value is 389.
Base-dn: Specifies the Base-dn. Base-dn is the starting point at which the search begins when the LDAP server receives an authentication request.
Login-dn: Specifies the authentication credentials for the Login-dn (typically a user account with query privilege pre-defined on the LDAP server).
Authid: Specifies the Authid, which is a string of 1 to 63 characters and is case sensitive.
Authentication Mode: Specifies an authentication or synchronization method (either plain text or MD5). The default method is MD5. If the Authid is not configured after you specify the MD5 method, the plain method will be used when synchronizing users from the server, and the MD5 method will be used when authenticating users.
Password: Specifies a password for the LDAP server. This should be the password for the Admin DN.
Optional
Role Mapping Rule: Specifies a role mapping rule for the server. With this option selected, the system will allocate a role to users who have been authenticated by the server according to the specified role mapping rule.
Backup server 1/Backup server 2: Specifies an IP address or domain name for backup server 1 or backup server 2.
User Filter: Specifies the user filters; the system can only synchronize and authenticate users that match the filters on the authentication server. The length is 0 to 120 characters. For example, if the condition is configured to "(|(objectclass=inetOrgperson)(objectclass=person))", the system can only synchronize or authenticate users that are defined as inetOrgperson or person. The commonly used operators are as follows: =(equals a value), &(and), |(or), !(not), *(Wildcard. Matches zero or more characters.), ~=(fuzzy query.), >=(Equal to or greater than a specified value in lexicographical order.), <=(Equal to or less than a specified value in lexicographical order.).
Naming Attribute: Specifies a naming attribute for the LDAP server. The default naming attribute is uid.
Member Attribute: Specifies a member attribute for the LDAP server. The default member attribute is uniqueMember.
Group Class: Specifies a group class for the LDAP server. The default class is groupofuniquenames.
Backup Authentication Server: Specifies a backup authentication server. After a backup authentication server is configured for the LDAP server, it takes over the authentication task when the primary server malfunctions or authentication fails on the primary server. The backup authentication server can be any existing local, Active Directory, RADIUS or LDAP server defined in the system.
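The User Filter option of both the Active Directory server and the LDAP server above takes the same filter syntax, and the AD Base-dn option derives the DN from a domain name. The following added example (written for this guide, not Hillstone code) parses that filter syntax and evaluates it against constructed directory entries, using the guide's own two filter examples; it assumes that ~= is a case-insensitive substring match, that attribute names and values compare case-insensitively, and that a filter without parentheses (as in the AD example) is a single item. All entries, names and helper functions are constructed.

```python
"""Evaluate the user-filter syntax that the AD and LDAP server options describe
(=, &, |, !, * wildcard, ~=, >=, <=) against directory entries, and build the
Base-dn that the AD option derives from a domain name. Added example, not
Hillstone code; the entries, names and the ~= / case-folding behaviour are
assumptions made for this illustration."""
import re


def base_dn_from_domain(domain):
    """'abc.xyz.com' -> 'dc=abc,dc=xyz,dc=com', as the Base-dn option shows."""
    return ",".join("dc=" + label for label in domain.split("."))


def parse_filter(text, i=0):
    """Recursive-descent parser; returns (node, index after the node).
    Nodes: ('&'|'|', [children]), ('!', [child]) or ('item', attr, op, value)."""
    if i >= len(text) or text[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(text) and text[i] in "&|":     # AND / OR over any number of children
        op, i, kids = text[i], i + 1, []
        while i < len(text) and text[i] == "(":
            node, i = parse_filter(text, i)
            kids.append(node)
        return (op, kids), _expect_close(text, i)
    if i < len(text) and text[i] == "!":      # NOT over exactly one child
        node, i = parse_filter(text, i + 1)
        return ("!", [node]), _expect_close(text, i)
    j = text.index(")", i)                    # simple item: attr<op>value
    return _parse_item(text[i:j]), j + 1


def _expect_close(text, i):
    if i >= len(text) or text[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return i + 1


def _parse_item(item):
    eq = item.index("=")                      # first '=' splits attribute from value,
    if eq > 0 and item[eq - 1] in "<>~":      # so memberOf=CN=Admin,DC=test,DC=com works
        return ("item", item[:eq - 1].strip().lower(), item[eq - 1:eq + 1], item[eq + 1:])
    return ("item", item[:eq].strip().lower(), "=", item[eq + 1:])


def compile_filter(text):
    text = text.strip()
    if not text.startswith("("):              # bare item, as in the AD example
        text = "(" + text + ")"
    node, end = parse_filter(text)
    if end != len(text):
        raise ValueError("unexpected text after the filter")
    return node


def _match_value(op, pattern, value):
    p, v = pattern.lower(), value.lower()
    if op == "=":
        if "*" in p:                          # wildcard matches zero or more characters
            return re.fullmatch(".*".join(map(re.escape, p.split("*"))), v) is not None
        return p == v
    if op == "~=":
        return p in v                         # fuzzy query (assumed: substring match)
    if op == ">=":
        return v >= p                         # lexicographical, as the guide states
    if op == "<=":
        return v <= p
    raise ValueError("unknown operator: " + op)


def matches(node, entry):
    """True when `entry` (dict: attribute -> list of values) satisfies `node`."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, op, pattern = node
    values = [v for k, vs in entry.items() if k.lower() == attr for v in vs]
    return any(_match_value(op, pattern, v) for v in values)


def filter_entries(filter_text, entries):
    """uids of the entries the filter would let the device synchronize or authenticate."""
    node = compile_filter(filter_text)
    return [e["uid"][0] for e in entries if matches(node, e)]


# Constructed directory entries (attribute -> list of values).
ENTRIES = [
    {"uid": ["alice"], "objectClass": ["top", "inetOrgPerson"],
     "memberOf": ["CN=Admin,DC=test,DC=com"]},
    {"uid": ["bob"], "objectClass": ["top", "person"],
     "memberOf": ["CN=Staff,DC=test,DC=com"]},
    {"uid": ["svc-backup"], "objectClass": ["top", "device"]},
]
```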
1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
2. In the device navigation pane, select the device you want, go to the Objects navigation pane and select AAA Server.
3. Click the black triangle to the right of the New button on the toolbar, and select TACACS+ Server. The TACACS+ Server Configuration dialog appears.
Basic Configuration
Type: Specifies the type of the new TACACS+ server, private or shared.
Server Name: Enter a name for the TACACS+ server.
Server Address: Specify the IP address or host name of the TACACS+ server.
Virtual Router: Specify the VRouter of the TACACS+ server.
Port: Enter the port number of the TACACS+ server. The default value is 49. The value range is 1 to 65535.
Secret: Enter the shared secret used to connect to the TACACS+ server.
Confirm Secret: Re-enter the shared secret.
Optional
Role mapping rule: Select a role mapping rule for the server. With this option selected, the system will allocate a role to users who have been authenticated by the server according to the specified role mapping rule.
Backup Server 1 (2): Enter the domain name or IP address of the backup TACACS+ server.
Virtual Router 1 (2): Select the VRouter of the backup server.
Global Configuration
Global Object
Note: HSM supports HA management in Active-Passive, Active-Active and Active-Peer modes for the managed devices. When HSM manages the HA function of the managed devices, you can view, configure and share the information of the master device in the HA pair. For the slave device, you can only view its configuration information on HSM.
After configuring the shared rules, you have to deploy the shared rules to the managed device if you want them to take effect on the device. For more detailed information about deploying configuration, see Synchronizing Configuration.
The related configurations are:
Policy
iQoS
NAT
Route
Configuration Bundle
Policy Configuration
Creating a Shared Policy
To create a shared policy on the HSM global configuration page, take the following steps:
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
3. From the toolbar, click New. The Shared Policy Configuration dialog appears.
4. Click OK. The new policy will be shown in the policy list.
5. Click the policy name in the policy list, or select the newly added policy from the configuration navigation pane, to enter the rule editing page.
6. Configure rules for the policy. For detailed information about how to configure rules, see "Rule Configuration" on page 176.
After selecting a policy in the policy list, you can click the Edit button in the toolbar to edit the shared or private policy, and click the Delete button to delete the shared policy.
Note: Before deployment, the newly created policy exists only on HSM; even though you have specified devices for the policy, it will not take effect on the specified devices until it is deployed.
Rule Configuration
In the global configuration page, click Security Policy > Shared/Private from the configuration navigation pane, then select a shared or private policy to enter the policy configuration page. For details about how to create a rule, refer to "Creating a Policy Rule" on page 62 in Device Configuration.
In the global configuration page, click Security Policy > Shared/Private from the configuration navigation pane, then select a shared or private policy to enter the policy configuration page. For details about how to create a rule group, refer to "Creating a Rule Group" on page 66 in Device Configuration.
Note: HSM supports copying shared policy rule groups to a private or shared policy, but does not support copying private policy rule groups to a shared policy or to another private policy.
To view the operation record of policy rules and rule groups, take the following steps:
1. Click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. In the left navigation pane, select the device type tab, then expand the Configure and Security Policy nodes.
3. Click the icon in the Operation Record column. The operation record dialog for the security policy appears.
You can view the detailed operation record of rules and rule groups, including add, edit, delete, paste and so on.
You can also view the operation record in the HSM System Log page; refer to "Operation Log" on page 288.
Rule Match Analysis
This feature checks whether a policy contains useless (shadowed) rules. Select the Rule Conflict Check check box in the toolbar, and the system begins to check for conflicts among the rules in the policy. When the check finishes, useless rules are shown hatched, and the IDs of all rules that overshadow each useless rule are listed in the last column (Shadow) of the rule list. You can select all of the redundant rules by clicking the number in brackets after the check box, so that you can delete them in a batch.
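The following is an added example, not HSM code, that reproduces the idea behind the Rule Conflict Check: rules are matched top to bottom, and a rule that an earlier rule already fully covers can never be hit, so it is reported together with the IDs that overshadow it. The rule format, the sample policy and the single-rule simplification are assumptions made for the example.

```python
"""Rule conflict (shadow) check, modelled on the Rule Match Analysis feature.

Added example, not HSM code. Rules are evaluated top to bottom, first match
wins. A rule is useless if an earlier rule already matches every packet it
would match; such a rule is reported with the IDs that overshadow it.
Simplification (assumption): only shadowing by a single earlier rule is
detected, not shadowing by the union of several narrower rules.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Rule:
    rule_id: int
    src: str       # IPv4 CIDR or "any"
    dst: str       # IPv4 CIDR or "any"
    service: str   # "tcp/80", "udp/53", "tcp/1-1024" or "any"
    action: str    # "permit" or "deny"


def _addr_covers(outer: str, inner: str) -> bool:
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


def _parse_service(service: str) -> Optional[Tuple[str, int, int]]:
    """'tcp/1-1024' -> ('tcp', 1, 1024); 'tcp/80' -> ('tcp', 80, 80); 'any' -> None."""
    if service == ANY:
        return None
    proto, _, ports = service.partition("/")
    low, _, high = ports.partition("-")
    return proto, int(low), int(high or low)


def _service_covers(outer: str, inner: str) -> bool:
    """True if the port range of `inner` lies inside that of `outer` (same protocol)."""
    o, i = _parse_service(outer), _parse_service(inner)
    if o is None:
        return True
    if i is None:
        return False
    return o[0] == i[0] and o[1] <= i[1] and i[2] <= o[2]


def covers(outer: Rule, inner: Rule) -> bool:
    """True if `outer` matches a superset of the traffic `inner` matches."""
    return (_addr_covers(outer.src, inner.src)
            and _addr_covers(outer.dst, inner.dst)
            and _service_covers(outer.service, inner.service))


def find_shadowed(rules: List[Rule]) -> Dict[int, List[int]]:
    """Map each useless rule's ID to the IDs of the earlier rules overshadowing it.

    `rules` must be in match order. The action is deliberately ignored: a rule
    hidden behind an earlier rule with a different action is still never hit,
    and is the more dangerous case because the intended action is lost.
    """
    shadowed: Dict[int, List[int]] = {}
    for pos, rule in enumerate(rules):
        by = [earlier.rule_id for earlier in rules[:pos] if covers(earlier, rule)]
        if by:
            shadowed[rule.rule_id] = by
    return shadowed


# Constructed sample policy (not from the guide).
SAMPLE_POLICY: List[Rule] = [
    Rule(1, ANY, "10.0.0.0/8", "tcp/80", "permit"),
    Rule(2, "192.168.1.0/24", "10.1.0.0/16", "tcp/80", "deny"),      # hidden by rule 1
    Rule(3, "192.168.1.0/24", "10.1.0.0/16", "tcp/1-1024", "deny"),  # wider service: still live
    Rule(4, ANY, ANY, ANY, "deny"),
    Rule(5, "192.168.1.10/32", "10.1.2.3/32", "tcp/443", "permit"),  # hidden by rules 3 and 4
]


if __name__ == "__main__":
    for rule_id, by in find_shadowed(SAMPLE_POLICY).items():
        print(f"rule {rule_id} is never matched; shadowed by {by}")
```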
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. In the left navigation pane, select the device type tab, expand the Configure and Security Policy nodes, and then select the policy for which you want to set a head or tail policy from the policy list.
3. If you chose a shared policy, click Apply Policy in the toolbar. The Apply Policy Guide page appears. The following configurations can be performed:
As head policy of devices: Click Next to select the devices that will use this shared policy as their head policy.
As tail policy of devices: Click Next to select the devices that will use this shared policy as their tail policy.
Override policies of devices: Click Next to select the devices whose own policy will be replaced with this shared policy.
As head policy of shared policy: Click Next to select the shared policies that will use this shared policy as their head policy.
4. If you chose a private policy, click Set Head Policy or Set Tail Policy in the toolbar. Select shared policies in the pop-up dialog box.
5. Click OK.
The configuration you just made will be shown in the Head Policy and Tail Policy columns.
Note:
Only a shared policy can be specified as a head or tail policy.
If a shared policy has been specified as the tail policy of a private policy, it cannot become the head policy of other policies.
If a shared policy has been designated as the head policy of a policy, it cannot become the tail policy of another policy.
A shared policy that has already been given a head policy cannot become the tail policy of other policies.
Viewing Policy Relationship
To help users understand the relationships among all policies more intuitively, HSM supports viewing a policy topology map.
Viewing Topology Map
To view the topology map of the policy relationships, take the following steps:
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. In the left navigation pane, select the device type tab, and then expand the Configure and Security Policy nodes in turn.
3. Click Relationship View at the top right corner of the main window to view the topology map of the policy relationships.
The topology map shows the relationships of the private policies that the current administrator can access and of all the shared policies. Click Grid View to switch back to the original view.
Configuring the Policy-based Protection Function
The HSM system currently supports policy-based Anti-Virus, IPS and URL filtering, and viewing sandbox protection.
To configure the policy-based protection function, take the following steps:
1. Click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. In the left navigation pane, select the device type tab, expand the Configure and Security Policy nodes, and select the policy to be edited. The main window shows the policy entry list.
Anti-Virus: Select the On check box to enable the Anti-Virus function. Select the Anti-Virus rule from the drop-down list.
Two ways can be used to configure an Anti-Virus rule:
URL Filter: Select the On check box to enable the URL Filter function. Select the URL Filter rule from the drop-down list.
According to your actual needs, select a URL Filter rule from the drop-down list, or click New in the drop-down list to create a URL Filter rule. For more information, see URL Filter.
Sandbox: You can view whether sandbox protection is enabled on the managed device. Configuring sandbox protection on HSM is currently not supported.
Two ways can be used to configure a Sandbox rule:
4. After the shared policy-based AV and IPS functions are configured on HSM, the status of the enabled Anti-Virus function is displayed, the status of the enabled IPS function is displayed, the status of the enabled URL Filter function is displayed, and the status of the enabled Sandbox function is displayed.
iQoS
To create a shared iQoS on the HSM global configuration page, take the following steps:
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. In the left navigation pane, expand the Configure and iQoS nodes in the NGFW tab.
Enter the iQoS name in the dialog; Relevant Device and Description are optional.
4. Click OK. The new iQoS will be shown in the iQoS list.
For more information about how to configure iQoS, refer to iQoS in Device Configuration.
NAT
Creating a SNAT
A SNAT is a collection of zero or more SNAT rules.
To create a SNAT on the HSM global configuration page, take the following steps:
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. In the left navigation pane, select the device type tab, expand the Configure and NAT nodes, and select SNAT or Shared.
3. From the toolbar, click New. The Add Shared SNAT page appears.
4. Click OK. The new SNAT will be shown in the SNAT list.
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. In the left navigation pane, select the device type tab, expand the Configure and NAT nodes, and select SNAT or Shared. Select the SNAT you want to edit/delete from the NAT list.
Creating a SNAT Rule
To create a SNAT rule, take the following steps:
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. In the left navigation pane, select the device type tab, expand the Configure and NAT nodes, and click Shared or Private. Double-click the name of the SNAT in which you want to create SNAT rules from the SNAT list. The main window shows the SNAT rule list.
3. From the toolbar of the SNAT rule list, click New. The SNAT Configuration page appears.
In the Basic tab of the SNAT Configuration dialog, configure the following.
Ingress: Specify the ingress traffic of the source NAT rule. The default ingress is all traffic.
All Traffic: Specify that the ingress traffic of the source NAT rule is all traffic. Traffic from any interface will match the source NAT rule.
Ingress Interface: Specify the ingress interface of the traffic in the source NAT rule. Select an interface from the drop-down list. Only traffic flowing in from the configured ingress interface will match the source NAT rule.
Service: Select the service you need from the Service drop-down list.
HA Group: Specify the HA group that the SNAT rule belongs to. The default setting is 0.
NAT Log: Select the Enable check box to enable the log function for this SNAT rule (log information is generated when traffic matches this NAT rule).
Rule Position: Specify the position of the rule. Each SNAT rule has a unique ID. When traffic flows into the device, the device searches the SNAT rules in sequence and then applies NAT to the source IP of the traffic according to the first matching rule. The sequence of IDs shown in the SNAT rule list is the order of rule matching. Select one of the following items from the drop-down list:
Bottom - The rule is located at the bottom of all the rules in the SNAT rule list. By default, the system puts the newly created SNAT rule at the bottom of all SNAT rules.
Top - The rule is located at the top of all the rules in the SNAT rule list.
Before ID - Type the ID number into the text box. The rule will be located before the ID you specified.
After ID - Type the ID number into the text box. The rule will be located after the ID you specified.
ID: Specify how the rule ID is obtained. It can be assigned automatically by the system or manually by you. If you click Manually assign ID, type an ID number into the box behind it.
4. Click OK to save your settings. The new SNAT rule will be shown in the SNAT rule list.
Editing/Deleting a SNAT Rule
To edit/delete a SNAT rule, take the following steps:
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. In the left navigation pane, select the device type tab, expand the Configure and NAT nodes, and click Shared or Private. Double-click the name of the SNAT whose rules you want to edit/delete from the SNAT list. The main window shows the SNAT rule list.
Creating a DNAT
A DNAT is a collection of zero or more DNAT rules.
To create a DNAT on the HSM global configuration page, take the following steps:
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. In the left navigation pane, select the device type tab, expand the Configure and NAT nodes, and select DNAT or Shared.
3. From the toolbar, click New. The Add Shared DNAT dialog appears.
4. Click OK. The new DNAT will be shown in the DNAT list.
Editing/Deleting a DNAT
To edit/delete a DNAT, take the following steps:
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. In the left navigation pane, select the device type tab, expand the Configure and NAT nodes, and select DNAT or Shared. Select the DNAT you want to edit/delete from the DNAT list.
Creating an IP Mapping Rule
To create an IP Mapping rule, take the following steps:
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
3. From the toolbar of the DNAT rule list, click New > IP Mapping. The IP Mapping Configuration page appears.
HA Group: Specify the HA group that the DNAT rule belongs to. The default setting is 0.
4. Click OK to save your settings. The new DNAT rule will be shown in the DNAT rule list.
Creating a Port Mapping Rule
To create a Port Mapping rule, take the following steps:
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. Expand NAT from the configuration navigation pane, and then select DNAT or Shared. Double-click the name of the DNAT in which you want to create DNAT rules from the DNAT list. The main window shows the DNAT rule list.
3. From the toolbar of the DNAT rule list, click New > Port Mapping. The Port Mapping Configuration page appears.
HA Group: Specify the HA group that the SNAT rule belongs to. The default setting is 0.
Service: Select the service you need from the Service drop-down list.
Destination Port: Specify the translated port by typing the port number into the box.
4. Click OK to save your settings. The new DNAT rule will be shown in the DNAT rule list.
Creating an Advanced DNAT Rule
To create an Advanced DNAT rule, take the following steps:
2. Expand NAT from the configuration navigation pane, and then select DNAT or Shared. Double-click the name of the DNAT in which you want to create DNAT rules from the DNAT list. The main window shows the DNAT rule list.
3. From the toolbar of the DNAT rule list, click New > Advanced. The DNAT Configuration page appears.
In the Basic tab of the DNAT Configuration dialog, configure the basic DNAT options.
Service: Select the service you need from the Service drop-down list.
Action: Specify the action for the traffic you specified, including:
NAT - Implements NAT for the eligible traffic.
Translated to: For the NAT option, you need to specify the translated IP address. Select an address entry or SLB server pool from the Translated to drop-down list, or type an IP address, or an IP address and netmask, in the Translated to box.
NAT Port: Select the Enable check box and type the translated port number into the Port box. The range is 1 to 65535.
Load Balancing: Select the Enable check box to enable the function. Traffic will then be balanced across different intranet servers.
No NAT - Does not implement NAT for the eligible traffic.
Ping Track: Select the Enable check box to enable Ping track, which means the system sends Ping packets to check whether the intranet servers are reachable.
TCP Track: Select the Enable check box to enable TCP track, which means the system sends TCP packets to check whether the TCP ports of the intranet servers are reachable.
TCP Port: Specify the port number. The value range is 1 to 65535.
NAT Log: Select the Enable check box to enable the log function for this DNAT rule (log information is generated when traffic matches this NAT rule).
HA Group: Specify the HA group that the DNAT rule belongs to. The default setting is 0.
Rule Position: Specify the position of the rule. Each DNAT rule has a unique ID. When traffic flows into the device, the device searches the DNAT rules in sequence and then applies NAT to the destination IP of the traffic according to the first matching rule. The sequence of IDs shown in the DNAT rule list is the order of rule matching. Select one of the following items from the drop-down list:
Bottom - The rule is located at the bottom of all the rules in the DNAT rule list. By default, the system puts the newly created DNAT rule at the bottom of all DNAT rules.
Top - The rule is located at the top of all the rules in the DNAT rule list.
Before ID - Type the ID number into the box. The rule will be located before the ID you specified.
After ID - Type the ID number into the box. The rule will be located after the ID you specified.
ID: Specify how the rule ID is obtained. It can be assigned automatically by the system or manually by you. If you click Manually Assign ID, type an ID number into the box behind it.
Editing NAT
To edit a shared or private NAT, take the following steps:
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. Expand NAT from the configuration navigation pane, and then select Shared or Private. Select the NAT you want to edit from the NAT list.
Setting Father NAT
A private NAT or shared NAT can inherit the configuration of another shared NAT. The inherited NAT is the father NAT, which has higher priority than the sub NAT. Through NAT inheritance, one or more rules can be applied to a device. Rules applied to the device in this way have higher priority than the rules already existing on the device.
When there is a multi-level inheritance relationship, the top-level father NAT rules are shown at the top of the NAT rule list, followed by the rules of each sub father NAT in turn, and the NAT's own rules are shown last. The inherited NAT rules are marked orange by default, and they cannot be edited or moved. You can mark NATs with a color to distinguish the inherited NAT rules; refer to Viewing Relationship.
To set a father NAT for a private NAT or shared NAT, take the following steps:
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. Select NAT from the configuration navigation pane, and then select Shared or Private. Select the NAT for which you want to set a father NAT from the NAT list.
When SNAT or DNAT is selected, the main window shows the private NATs of the devices that the current administrator can access and all shared NATs; when Shared is selected, the main window shows all shared NATs; when Private is selected, the main window shows all the private NATs of the devices that the current administrator can access. The Father NAT column displays the direct father NAT, and the Child NAT column displays all direct and indirect child NATs.
3. Click Set Father NAT in the toolbar. The Set Father NAT page appears. Select the NAT to be used as the father NAT according to your requirements.
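The ordering and inheritance rules described above, as an added example that is not HSM's own code: a NAT's effective rule list is built from the top-level father down to the NAT's own rules, inherited rules are flagged read-only, and the direct and indirect children of a NAT are computed as the Child NAT column shows them. The NAT names, rule strings and the checks that only a shared NAT may be a father and that no inheritance cycle exists are assumptions of the example.

```python
"""Father NAT inheritance, modelled on the Setting Father NAT description.

Added example, not HSM code. A private or shared NAT may inherit from one
shared NAT (its father); fathers may themselves have fathers. Inherited rules
are matched before the NAT's own rules, top-level father first, and are
read-only on the child. All NAT names and rules below are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Nat:
    name: str
    shared: bool                      # only shared NATs may act as fathers
    rules: List[str] = field(default_factory=list)
    father: Optional[str] = None      # name of the shared NAT inherited from


def father_chain(nats: Dict[str, Nat], name: str) -> List[str]:
    """Return the fathers of `name`, top-level father first, direct father last.

    Rejects a private father and any inheritance cycle (assumed checks that a
    management plane should enforce when a father NAT is set).
    """
    chain: List[str] = []
    seen = {name}
    cur = nats[name].father
    while cur is not None:
        if cur in seen:
            raise ValueError(f"inheritance cycle through {cur}")
        father = nats[cur]
        if not father.shared:
            raise ValueError(f"{cur} is private and cannot be a father NAT")
        seen.add(cur)
        chain.append(cur)
        cur = father.father
    chain.reverse()
    return chain


def effective_rules(nats: Dict[str, Nat], name: str) -> List[Tuple[str, str, bool]]:
    """Rules in the order the device evaluates them, as (owner, rule, inherited).

    Inherited rules come first in father order and are marked read-only
    (inherited=True); the NAT's own rules follow and remain editable.
    """
    ordered: List[Tuple[str, str, bool]] = []
    for owner in father_chain(nats, name):
        ordered.extend((owner, rule, True) for rule in nats[owner].rules)
    ordered.extend((name, rule, False) for rule in nats[name].rules)
    return ordered


def child_nats(nats: Dict[str, Nat], name: str) -> List[str]:
    """All direct and indirect children of `name` (what the Child NAT column lists)."""
    direct = sorted(n.name for n in nats.values() if n.father == name)
    result: List[str] = []
    for child in direct:
        result.append(child)
        result.extend(child_nats(nats, child))
    return result


# Constructed sample: a two-level shared hierarchy and one private NAT of a device.
SAMPLE_NATS: Dict[str, Nat] = {
    "corp-snat": Nat("corp-snat", True, ["snat 10.0.0.0/8 -> egress-ip"]),
    "branch-snat": Nat("branch-snat", True,
                       ["snat 10.20.0.0/16 -> branch-egress"], father="corp-snat"),
    "fw1-snat": Nat("fw1-snat", False,
                    ["snat 10.20.5.0/24 -> fw1-wan"], father="branch-snat"),
}


if __name__ == "__main__":
    for owner, rule, inherited in effective_rules(SAMPLE_NATS, "fw1-snat"):
        print(f"{'inherited' if inherited else 'own      '}  {owner:12}  {rule}")
```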
Viewing Relationship
To help users understand the relationships among all NATs more intuitively, HSM supports viewing and editing a NAT topology map.
Viewing Topology Map
To view the topology map of the NAT inheritance relationships, take the following steps:
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. Select NAT from the configuration navigation pane, and then select SNAT or DNAT.
The icon of a private NAT is , and the icon of a shared NAT is . Private NATs are folded by default, while shared NATs are expanded; a NAT that has no inheritance relationship is displayed in the first level. The hidden private NAT list is shown when the mouse hovers over the private icon. If you need to expand the private NAT node, click the input box at the top right of the view; all NATs are displayed. Then select the check box in front of the private NAT you need to expand and click the blank space.
You can change the inheritance relationships of NATs by editing the topology map. The operations include:
Right-click the blank space or a shared NAT icon and select New in the pop-up menu to create a new shared NAT.
Right-click a private or shared NAT icon and select Edit in the pop-up menu to edit a NAT.
Right-click a shared NAT icon and select Delete in the pop-up menu to delete a NAT.
Right-click a private or shared NAT icon and select Cut in the pop-up menu. If you then select Paste on a shared NAT icon, the pasted NAT will inherit that shared NAT; if you select Paste on the blank space, the pasted NAT will inherit no NAT.
Right-click a shared NAT icon and select Mark in the pop-up menu to mark the NAT with a color; the NAT name will then be shown in the corresponding color.
Viewing Operation Record
To view the operation record of NAT rules, take the following steps:
1. Click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. Select NAT from the configuration navigation pane, and then select Shared or Private.
3. Click the icon in the Operation Record column. The operation record dialog for the NAT appears.
You can view the detailed operation record of rules, including add, edit, delete, setting father NAT, and so on.
Route
Creating a Destination Route
A Destination Route is a collection of zero or more route items.
To create a Destination Route on the HSM global configuration page, take the following steps:
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. In the left navigation pane, select the device type tab, then expand the Configure and Route nodes.
4. Click OK. The new destination route will be shown in the destination route list.
Editing/Deleting a Destination Route
To edit/delete a Destination Route on the HSM global configuration page, take the following steps:
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. Expand Route from the configuration navigation pane. Select the destination route you want to edit/delete from the destination route list.
Creating a Route Item
To create a Route Item on the HSM global configuration page, take the following steps:
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. Select Route from the configuration navigation pane. Double-click the name of the destination route in which you want to create a route item from the destination route list. The main window shows the route item list.
3. From the toolbar of the route item list, click New. The Destination Route Configuration page appears.
4. Click OK to save your settings. The new route item will be shown in the route item list.
Editing/Deleting a Route Item
To edit/delete a Route Item on the HSM global configuration page, take the following steps:
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. Select Route from the configuration navigation pane. Double-click the name of the destination route whose route item you want to edit/delete from the destination route list. The main window shows the route item list.
3. Select the route item you want to edit/delete from the route item list.
Creating a Configuration Bundle
To create a Configuration Bundle on the HSM global configuration page, use either of the following two methods:
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. In the left navigation pane, select the device type tab, then expand the Configuration Bundle node.
3. From the toolbar, click New. The Create Configuration Bundle dialog appears.
In the Create Configuration Bundle dialog, configure the configuration bundle options.
Name: Specify the name of the configuration bundle.
Relevant Device: Specify the relevant devices or VSYS devices for the configuration bundle. When deploying, the configuration bundle will be deployed to the relevant devices or VSYS devices. For more detailed information about deploying configuration, see Synchronizing Configuration.
Description: If necessary, type description information for the configuration bundle in this text box.
4. Click OK. The new configuration bundle will be shown in the configuration bundle table.
5. Click the name of the configuration bundle to check its contents.
Method 2:
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. Select the configuration that needs to be added to the configuration bundle from the configuration navigation pane, including security policy, NAT, and route. Right-click and click Create Configuration Bundle.
4. Click OK. The new configuration bundle will be shown in the configuration bundle table.
5. Click the name of the configuration bundle to check its contents.
Joining Configuration Bundle
You can add configurations to a configuration bundle according to your requirements. Take the following steps:
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. Select the configuration that needs to be added to the configuration bundle from the configuration navigation pane, including security policy, NAT, and route. Right-click and click Add to Configuration Bundle.
3. The Add to Configuration Bundle dialog appears. Configure the options as below.
4. Select a configuration bundle from the drop-down list, then click OK. The configuration will be joined to the configuration bundle you selected.
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. Select Configuration Bundle from the configuration navigation pane, and then select the configuration bundle you want to copy from the configuration bundle table.
3. Click Copy in the toolbar. The copied configuration bundle will be shown in the configuration bundle table below. For example, if the copied configuration bundle is called "test", the system automatically names the copy "CopyOftest".
Global Object
The global objects created on the global configuration page are all shared objects and can be used by all devices. In the global configuration page, you can create, edit and delete the global configuration of zones, address entries, service group entries, service groups, application groups, schedules, virtual routers, interfaces, SLB server pools, IPS rules, anti-virus rules, threat protection, URL filters, users, roles and AAA servers. After configuring a global object, you have to deploy it to the security device if you want it to take effect on the device. For more detailed information about deploying configuration, see Synchronizing Configuration.
Note:
If you choose the VSYS devices of a device as the relevant device, the shared object will be relevant to the VSYS devices of the device, not to the device itself.
Only after the licenses for the relevant functions have been installed can the corresponding functions be configured in HSM.
Zone
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. In the left navigation pane, select the device type tab, expand the Configure and Objects nodes, and select Zone. The zone entry list appears in the main window below.
3. From the toolbar, click New. The Share Zone dialog appears.
4. Click OK. The new shared zone will be shown in the zone entry list.
Address Books
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. In the left navigation pane, select the device type tab, expand the Configure and Objects nodes, and select Address Books. The main window shows the address entry list.
3. From the toolbar, click New. The Share Address dialog appears.
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. In the left navigation pane, select the device type tab, expand the Configure and Objects nodes, and select Service Book > User-defined Service Group. The main window shows the user-defined service group list.
3. From the toolbar, click New. The Shared Service Group dialog appears.
5. Click OK. The new shared service group entry will be shown in the service group list.
6. from the right selective list, and then click the left-arrow button.
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. In the left navigation pane, select the device type tab, expand the Configure and Objects nodes, and select Service Book > User-defined Service. The main window shows the user-defined service list.
3. Click New in the toolbar. The Shared Service dialog appears.
TCP/UDP
Dst Port: Specify the destination port range of the member. The value range is 1 to 65535.
Src Port: Specify the source port range of the member. The value range is 1 to 65535.
Application Type: Specify the application type of the member.
Timeout: Specify the timeout value of the member, in seconds or days. The default value is 1800 seconds.
ICMP
Protocol No.: Specify the protocol number of the member. The value range is 1 to 255.
Timeout: Specify the timeout value of the member, in seconds or days. The default timeout value is 60 seconds.
After specifying the parameter values, click Add to add the member to the service. Repeat the above steps to add multiple members. Click Delete to delete the selected member.
Relevant Device: Specify the devices that you want to associate with the user-defined service. If you choose the VSYS devices of a device, the user-defined service will be relevant to the VSYS devices of the device, not to the device itself. After configuring the user-defined service, you have to deploy it to the relevant device if you want it to take effect on the device. For more detailed information about deploying configuration, see Synchronizing Configuration.
Application Books
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. In the left navigation pane, select the device type tab, expand the Configure and Objects nodes, and select Application > User-defined Application Group. The main window shows the user-defined application group list.
3. Click New in the toolbar. The Shared APP Group dialog appears.
Schedules
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. In the left navigation pane, select the device type tab, expand the Configure and Objects nodes, and select Schedules. The main window shows the schedule list.
3. Click New in the toolbar. The Shared Schedule dialog appears.
5. In the Absolute Schedule section, specify the start time and end time within which the periodic schedule will take effect.
6. Click New, and configure a periodic schedule in the dialog as below. The periodic schedule will take effect repeatedly during the time range specified by the absolute schedule.
Click Preview to preview the periodic schedule; click Save to add the periodic schedule to the schedule. To delete a periodic schedule, select it in the schedule list, and then click Delete.
Virtual Router
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. In the left navigation pane, select device types tab, then expand Configure and Objects nodes, select Virtual Router.
3. From the toolbar, click New. The Share Virtual Router page appears.
4. Click OK. The new shared virtual router will be shown in the virtual router list.
Interface
2. In the left navigation pane, select device types tab, then expand Configure and Objects nodes, select Interface.
3. From the toolbar, click New. The Share Interface page appears.
4. Click OK. The new shared interface will be shown in the interface list.
SLB Server Pool
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. In the left navigation pane, expand Configure and Objects nodes in NGFW tab, then select SLB Server Pool. The
main window shows the user-defined SLB server pool information.
3. Click New from the toolbar. The SLB Server Pool Configuration dialog appears.
4. In the SLB Server Pool Configuration dialog, configure the following options.
Name: Specify the name of the SLB server pool. You can enter up to 31 characters.
Algorithm: Select an algorithm for load balancing, including:
Sticky: If Sticky is selected, the security device will consider all requests from the same source IP to be the same client, and forward the requests to one server.
Member
Member: Specify the member of the pool. You can type an IP range, or an IP address and netmask.
Weight: Specify the traffic forwarding weight during load balancing. The value ranges from 1 to 255.
Add: Add the SLB address pool member to the SLB server pool.
Delete: Click Delete to delete the selected SLB address pool member.
Track
Interval: Specify the interval between each Ping/TCP/UDP packet. The unit is second. The value ranges from 3 to 255.
Retries: Specify a retry threshold. If no response packet is received after the specified number of retries, the system will consider this track entry failed, i.e., the track entry is unreachable. The value range is 1 to 255.
Weight: Specify a weight for the overall failure of the whole track rule if this track entry fails. The value range is 1 to 255.
Add: Click Add to add the configured track rule to the list.
Delete: Click Delete to delete the selected track rule.
Threshold: Type the threshold for the track rule into the Threshold box. The value range is 1 to 255. If the sum of weights for failed entries in the track rule exceeds the threshold, the security device will conclude that the track rule fails.
Description: Type the description for this track rule. You can enter up to 95 characters.
Relevant Device: Specify the devices that you want to associate with the shared SLB server pool. If you choose the VSYS devices of a device, the shared SLB server pool will be associated with the VSYS devices of that device, not the device itself. After configuring the shared SLB server pool, you have to deploy the rule to the relevant device for it to take effect on the device. For more detailed information about deploying configuration, see
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. In the left navigation pane, expand Configure and Objects nodes in the NGFW tab, and then select SLB Server Pool. The main window shows the user-defined SLB server pool information.
4. In the Server List tab at the bottom of this page, view the information of the servers that are in this SLB pool.
5. In the Server List tab, view the retries information of the SLB server pool. The retries information includes IP/mask, port, weight, and maximum sessions.
6. In the Monitoring tab, view the information of the track rules. The track rules information includes track type, port, interval, and retries.
Note: IPS device does not support the configuration of SLB server pool.
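The Track options of the SLB server pool (Retries, Weight and Threshold) define when a pool's health check fails. The following Python model is an added example, not Hillstone code: it treats a track entry as failed once it misses the configured number of probe responses in a row, and the whole track rule as failed when the summed weight of the failed entries exceeds the threshold, which is what the table states. The entry names and probe results are constructed.

```python
"""Evaluate an SLB server pool track rule as the Track options describe it.

Added example, not Hillstone code. Each track entry is probed (Ping/TCP/UDP)
every Interval seconds; after Retries consecutive probes without a response
the entry is failed (unreachable); the whole rule fails when the summed
Weight of failed entries exceeds Threshold. The probe results are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


def config_is_valid(retries: int, weight: int, threshold: int, interval: int) -> bool:
    """Value ranges from the dialog: interval 3..255 s, the others 1..255."""
    return 3 <= interval <= 255 and all(1 <= v <= 255 for v in (retries, weight, threshold))


@dataclass
class TrackEntry:
    name: str
    retries: int        # consecutive misses before the entry is considered unreachable
    weight: int         # contribution to the rule's failure score when this entry fails
    misses: int = 0     # state: consecutive probes with no response

    def observe(self, responded: bool) -> None:
        """Feed one probe result; any response resets the miss counter."""
        self.misses = 0 if responded else self.misses + 1

    @property
    def failed(self) -> bool:
        return self.misses >= self.retries


@dataclass
class TrackRule:
    threshold: int
    entries: List[TrackEntry] = field(default_factory=list)

    def failed_weight(self) -> int:
        return sum(e.weight for e in self.entries if e.failed)

    @property
    def failed(self) -> bool:
        # The guide says "exceeds": a score equal to the threshold still passes.
        return self.failed_weight() > self.threshold


def run_sample() -> dict:
    """Constructed scenario: two pool members, one of which stops answering, then both."""
    web1 = TrackEntry("web1:80", retries=3, weight=100)
    web2 = TrackEntry("web2:80", retries=3, weight=100)
    rule = TrackRule(threshold=100, entries=[web1, web2])
    assert config_is_valid(3, 100, rule.threshold, interval=5)

    # Each round is (web1 responded, web2 responded) for one probe interval.
    rounds: List[Tuple[bool, bool]] = [
        (True, True), (True, False), (True, False), (True, False),
        (False, False), (False, False), (False, False),
    ]
    history = []
    for r1, r2 in rounds:
        web1.observe(r1)
        web2.observe(r2)
        history.append((rule.failed_weight(), rule.failed))
    return {"history": history, "final_failed": rule.failed}


if __name__ == "__main__":
    for score, down in run_sample()["history"]:
        print(f"failed weight={score:3d}  rule failed={down}")
```

With two members of weight 100 and a threshold of 100, losing one member scores exactly 100 and the rule still passes; only when both are unreachable does the score (200) exceed the threshold. Setting the threshold below a single member's weight would instead fail the rule on the first lost member.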
Configuring IPS Global Parameters
You can enable or disable the IPS function, and configure the IPS global parameters. For configuring the IPS global parameters, see Threat Protection.
Configuring an IPS Rule
You can use the default IPS rules and user-defined IPS rules. The system has three default IPS rules: predef_default, predef_loose and no-ips. The predef_default rule, which includes all the IPS signatures, is strict in its attack detection results, and its default action for attacks is reset. The predef_loose rule, which only has the IPS signatures with critical severity and above or high popularity, has high detection efficiency, and its default action for attacks is log only. The no-ips rule does not include any IPS signatures.
To create a shared IPS rule of the new version on HSM, take the following steps:
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. In the left navigation pane, select device types tab, then expand Configure and Objects nodes, select Intrusion Protection System, then click the New IPS tab.
For the detailed configuration, you can refer to "For IPS devices and NGFW of 5.5R3 or the later version" on page 119 in Device Configuration.
To create a shared IPS rule of the old version on HSM, take the following steps:
2. In the left navigation pane, expand Configure and Objects nodes in the NGFW tab, select Intrusion Protection System, then click the Old IPS tab.
3. Click New from the toolbar. The Intrusion Protection System dialog appears.
A protocol signature consists of protocol configuration and signature configuration. Specify actions for attacks of different levels (Log only, Reset, Block attacker) and actions for a specific attacking signature (the per-signature action has higher priority than the action configured in the signature set).
For the HTTP protocol signature, you can configure the Web server to detect and protect against Web-based attacks; see WebServer Configuration.
Configuring a Protocol
To configure a protocol signature on HSM, take the following steps:
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. In the left navigation pane, expand Configure and Objects nodes in the NGFW tab, select Intrusion Protection System, then click the Old IPS tab. The main window shows the IPS list of the old IPS version.
3. Click the specified protocol type in the IPS rule list. The protocol configuration dialog appears.
Action for Critical/Warning/Information level attack: Capture Packets: Select the Enable check box to enable the capture packet tool. The security device will capture packets of the selected protocol and save the evidence messages. You can view and download the evidence messages on the security device.
Action: Specify an action for attacks of different levels. Select the radio button below:
Other Configuration: Other related options that may vary between different types of protocols. For detailed instructions, see the description of other configuration below.
Other configuration options, which vary between protocol types:
Option: Description
IMAP/Finger/NNTP/TFTP/SNMP/MYSQL/MSSQL/ORACLE/NETBIOS/DHCP/LDAP/VoIP/Other-TCP/Other-UDP: Max Scan Length: Specify a max scan length. The value range is 0 to 65535 bytes.
SUNRPC: Action for Brute-force: If the login attempts per minute fail for the number of times specified by the threshold, the managed security device will identify the attempts as an intrusion and take an action according to the configuration. Select the Enable check box to enable brute-force detection.
6. Click OK.
Configuring Signature
In the Signature List tab of a specific protocol, you can view, enable/disable or configure the signatures.
To search for the details of a specific signature entry, take the following steps:
1. In the Signature List tab of the specific protocol, click a filter name, and then input the value for this filter in the search bar. You can also hover the mouse over a parameter (including status, operating system, attack type, popularity, severity, service type, global status and type, etc.) to view the drop-down list, and select the filter condition.
2. Click the search icon. Results that match your criteria will be shown in the signature list.
3. In the signature list, click ID. You can view the details of the specific signature in a pop-up dialog.
Note:
The icon can expand to show the search history. If Auto Open is selected, the history can automatically be opened while you use the search box.
To configure a specific attacking signature of a user-defined IPS rule, take the following steps:
1. In the Signature List tab of the specific protocol, select the signature you want to edit from the signature list, and then click Edit from the toolbar. The Signature List Configuration dialog appears.
Capture Packets: Select the Enable check box to enable the capture packet tool. The security device will capture packets and save the evidence messages, and supports viewing or downloading the messages.
Action: Specify an action for attacks of different levels.
Log Only - If attacks have been detected, the system will only generate protocol behavior logs.
Never Block - If attacks have been detected, the system will not block the service from the attacker.
2. Click OK.
Configuring a Web Server
To create a WebServer, take the following steps:
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. Expand Object from the configuration navigation pane in the NGFW tab, and then select Intrusion Protection System, then click the Old IPS tab. The main window shows the IPS rule list of the old IPS version.
3. From the IPS rule list, select the user-defined IPS rule to be configured, and then click HTTP. The protocol configuration dialog appears.
5. From the toolbar, click New. The Web Server Configuration dialog appears.
Option: Description
SQL Injection Protection: Select the Enable check box to enable the SQL injection check for the HTTP protocol.
Capture Packets: Select the Enable check box to enable the capture packet tool. The security device will save the evidence messages, and supports viewing or downloading the messages.
Check point: Specify the check point for the SQL injection check. It can be HTTP cookie, HTTP cookie2, HTTP post, HTTP referer or HTTP
XSS Injection Protection: Select the Enable check box to enable the XSS injection check for the HTTP protocol.
Capture Packets: Select the Enable check box to enable the capture packet tool. The security device will save the evidence messages, and supports viewing or downloading the messages.
Check point: Specify the check point for the XSS injection check. It can be HTTP cookie, HTTP cookie2, HTTP post, HTTP referer or HTTP URI.
External Link Check: Select the Enable check box to enable the external link check for the Web server. This function controls access to external resources.
Capture Packets: Select the Enable check box to enable the capture packet tool. The security device will save the evidence messages, and supports viewing or downloading the messages.
Log only: Only record the related logs when the external link behavior is detected.
ACL: Select the Enable check box to enable access control for the Web server. The access control function checks the upload paths of the websites to prevent attackers from uploading malicious code.
ACL: Click this link, and the ACL Configuration dialog appears. Specify the websites and their properties in this dialog. "Static" means the URI can only be accessed statically as a static resource (images and text); otherwise the access will be handled with the specified action (log only/reset). "Block" means the resource of the website is not allowed to be accessed.
Log only: Only record the related logs when the external link behavior is detected.
HTTP Request Flood Protection: Select the Enable check box to enable the HTTP request flood protection.
Request threshold: Specify the request threshold. When the number of HTTP connection requests reaches the threshold, the security device will treat it as an HTTP request flood attack, and will enable the HTTP request flood protection.
Auto (JS Cookie): The Web browser will finish the authentication process automatically.
Request limit: Specify the request limit for the HTTP request flood protection. After configuring the request limit, the security device will limit the request rate of each source IP. If the request rate is higher than the limit specified here and the HTTP request flood protection is enabled, the security device will handle the exceeding requests according to the action specified (Block IP/Reset).
Proxy limit: Specify the proxy limit for the HTTP request flood protection. After configuring the proxy limit, the security device will check whether each source IP belongs to a proxy server; if it does, the request rate is limited according to the configuration. If the request rate is higher than the limit specified here and the HTTP request flood protection is enabled, the security device will handle the exceeding requests according to the action specified (Block IP/Reset).
White List: Specify the white list for the HTTP request flood protection. Source IPs added to the white list are not checked by the HTTP
Option: Description
SQL Injection Protection: Select the Enable check box to enable the SQL injection check.
Capture Packets: Capture the abnormal packets. You can view them in the threat log.
Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP), and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
Sensitivity: Specifies the sensitivity of the SQL injection protection function. The higher the sensitivity, the lower the false negative rate.
Check point: Specifies the check point for the SQL injection check. It can be Cookie, Cookie2, Post, Referer or URI.
XSS Injection Protection: Select the Enable check box to enable the XSS injection check for the HTTP protocol.
Capture Packets: Capture the abnormal packets. You can view them in the threat log.
Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP), and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
Sensitivity: Specifies the sensitivity of the XSS injection protection function. The higher the sensitivity, the lower the false negative rate.
Check point: Specifies the check point for the XSS injection check. It can be Cookie, Cookie2, Post, Referer or URI.
External Link Check: Select the Enable check box to enable the external link check for the Web server. This function controls resource references from external sites.
Capture Packets: Capture the abnormal packets. You can view them in the threat log.
Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP), and also generate logs.
ACL: Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP), and also generate logs.
HTTP Request Flood Protection: Select the Enable check box to enable the HTTP request flood protection.
Request threshold: Specifies the request threshold.
For the protected domain name, when the number of HTTP connection requests per second reaches the threshold and this lasts 20 seconds, the system will treat it as an HTTP request flood attack, and will enable the HTTP request flood protection.
For the protected full URL, when the number of HTTP connection requests per second towards this URL reaches the threshold and this lasts 20 seconds, the system will treat it as an HTTP request flood attack towards this URL, and will enable the HTTP request flood protection. This is only applicable to IPS devices.
Full URL: Enter full URLs to protect particular URLs. Click this link to configure the URLs, for example, www.example.com/index.html. When protecting a particular URL, you can select a statistic object. When the number of HTTP connection requests per second by the object reaches the threshold and this lasts 20 seconds, the system will treat it as an HTTP request flood attack by this object, and will enable the HTTP request flood protection. This is only applicable to IPS devices.
x-forwarded-for: Select None, and the system will not use the value in x-forwarded-for as the statistic object. Select First, and the system will use the first value of the x-forwarded-for field as the statistic object. Select Last, and the system will use the last value of the x-forwarded-for field as the statistic object. Select All, and the system will use all values in x-forwarded-for as the statistic object.
x-real-ip: Select whether to use the value in the x-real-ip field as the statistic object.
When an HTTP request flood attack is discovered, you can make the system take the following actions:
Auto (JS Cookie): The Web browser will finish the authentication process automatically.
Auto (Redirect): The Web browser will finish the authentication process automatically.
Crawler-friendly: If this check box is selected, the system will not authenticate crawlers.
Request limit: Specifies the request limit for the HTTP request flood protection. After configuring the request limit, the system will limit the request rate of each source IP. If the request rate is higher than the limit specified here and the HTTP request flood protection is enabled, the system will handle the exceeding requests according to the action specified (Block IP/Reset). To record a log, select the Record log check box.
Proxy limit: Specifies the proxy limit for the HTTP request flood protection. After configuring the proxy limit, the system will check whether each source IP belongs to a proxy server; if it does, the request rate is limited according to the configuration. If the request rate is higher than the limit specified here and the HTTP request flood protection is enabled, the system will handle the exceeding requests according to the action specified (Block IP/Reset). To record a log, select the Record log check box.
White List: Specifies the white list for the HTTP request flood protection. Source IPs added to the white list are not checked by the HTTP request flood protection.
6. Click OK.
Note: After you create an HTTP signature, HSM will automatically create a default Web Server. The default Web Server is enabled by default, and cannot be disabled or deleted. At most 32 Web servers can be configured for one signature, not including the default server.
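The HTTP request flood options above describe a two-stage rate limiter: a per-domain request threshold that must be sustained for 20 seconds before protection switches on, and, once it is on, a per-source request limit counted against a statistic object chosen from the client IP, the x-forwarded-for header or x-real-ip, with white-listed sources exempt. The following Python model is an added example, not Hillstone code; it implements that description over a constructed request stream. The 20-second sustain period and the None/First/Last/All modes come from the text; the FloodGuard class, its settings and the addresses are assumptions.

```python
"""Model of the HTTP request flood protection described for the Web Server object.

Added example, not Hillstone code. Following the text: for the protected
domain, when the number of HTTP requests per second reaches the request
threshold and this lasts 20 seconds, the system treats it as an HTTP request
flood and enables protection; with protection on, each statistic object
(client IP, or an address taken from x-forwarded-for / x-real-ip) is held to
the request limit per second, and white-listed sources are not checked. The
request stream below is constructed; SUSTAIN_SECONDS comes from the guide,
the class and its settings are assumptions.
"""
from collections import Counter, defaultdict

SUSTAIN_SECONDS = 20  # the threshold must be reached for 20 seconds in a row


def statistic_objects(client_ip, headers, xff_mode="None", use_x_real_ip=False):
    """Address(es) the per-source request limit is counted against."""
    if use_x_real_ip and headers.get("x-real-ip", "").strip():
        return [headers["x-real-ip"].strip()]
    xff = [v.strip() for v in headers.get("x-forwarded-for", "").split(",") if v.strip()]
    if xff_mode == "First" and xff:
        return [xff[0]]
    if xff_mode == "Last" and xff:
        return [xff[-1]]
    if xff_mode == "All" and xff:
        return xff
    return [client_ip]  # "None" (or no header present): count by the connecting IP


class FloodGuard:
    def __init__(self, host, threshold, request_limit, action="Block IP",
                 xff_mode="None", use_x_real_ip=False, whitelist=()):
        self.host, self.threshold, self.limit, self.action = host, threshold, request_limit, action
        self.xff_mode, self.use_x_real_ip = xff_mode, use_x_real_ip
        self.whitelist = set(whitelist)
        self.per_second = Counter()             # second -> requests to the protected host
        self.per_source = defaultdict(Counter)  # second -> statistic object -> requests
        self.hot_seconds = 0                    # consecutive seconds at or above threshold
        self.protection_on = False
        self._open_second = None

    def _close_second(self, sec):
        """Judge a finished second: count it toward the 20 s sustain window or reset."""
        self.hot_seconds = self.hot_seconds + 1 if self.per_second[sec] >= self.threshold else 0
        if self.hot_seconds >= SUSTAIN_SECONDS:
            self.protection_on = True

    def handle(self, ts, client_ip, host, headers):
        """Return 'pass', or the configured action once a source exceeds the limit."""
        if host != self.host:
            return "pass"
        sec = int(ts)
        if self._open_second is not None and sec != self._open_second:
            self._close_second(self._open_second)
        self._open_second = sec
        self.per_second[sec] += 1
        verdict = "pass"
        for src in statistic_objects(client_ip, headers, self.xff_mode, self.use_x_real_ip):
            if src in self.whitelist:
                continue
            self.per_source[sec][src] += 1
            if self.protection_on and self.per_source[sec][src] > self.limit:
                verdict = self.action
        return verdict


def run_sample():
    """Constructed traffic: 60 requests/s for 25 s from one client behind a proxy."""
    guard = FloodGuard("www.example.com", threshold=50, request_limit=30,
                       xff_mode="First", whitelist={"198.51.100.7"})
    verdicts, first_block = Counter(), None
    for sec in range(25):
        for i in range(60):
            v = guard.handle(sec + i / 60, "192.0.2.10", "www.example.com",
                             {"x-forwarded-for": "203.0.113.9, 192.0.2.10"})
            verdicts[v] += 1
            if v != "pass" and first_block is None:
                first_block = (sec, i)
        # one request per second from a white-listed address, never limited
        verdicts[guard.handle(sec + 0.5, "192.0.2.10", "www.example.com",
                              {"x-forwarded-for": "198.51.100.7"})] += 1
    return {"protection_on": guard.protection_on, "first_block": first_block,
            "verdicts": dict(verdicts)}


if __name__ == "__main__":
    print(run_sample())
```

In the sample the 60 requests/s exceed the threshold of 50 from the first second, but nothing is limited until second 20, when twenty full seconds above the threshold have been observed; from then on the 31st request per second from the proxied client address is handled with the configured action, while the white-listed address is never counted. The First/Last choice matters in practice: First trusts whatever the client put in the header, Last is the address appended by the nearest trusted proxy.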
Enabling the Policy-based IPS Function
To enable the policy-based IPS on HSM, see configuring the policy-based protection function.
Anti-Virus
Take the following steps to configure the Anti-Virus function:
Configuring Anti-Virus Global Parameters
You can enable or disable the Anti-Virus function, and configure its global parameters. For configuring the Anti-Virus global parameters, see Threat Protection.
Creating a Shared Anti-Virus Rule
To create a shared Anti-Virus rule on HSM, take the following steps:
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
Fill Magic - Processes the virus file by filling it with magic words, i.e., fills the file with the magic words (Virus is found, cleaned) from the beginning to the end of the infected section.
Reset Connection - If a virus has been detected, the security device will reset the connections to the files.
Capture: Select the Enable check box before Capture Packet to enable the capture function. The security device will save the evidence messages, and supports viewing or downloading the messages.
Malicious Website Access Control: Select the check box behind Malicious Website Access Control to enable the function.
Action: Specify the action the security device will take after a malicious website is found.
Enable Label email: If an email transferred over SMTP is scanned, you can enable label email to scan the email and its attachment(s). The scanning results will be included in the mail body and sent with the email. If no virus has been detected, the message "No virus found" will be labeled; otherwise information related to the virus will be displayed in the email, including the filename, result and action.
Type the end message content into the box. The range is 1 to 128.
4. Click OK.
Threat Protection
Creating a Shared Threat Protection
To create a shared threat protection on the HSM global configuration page, take the following steps:
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. In the left navigation pane, select device types tab, then expand Configure and Objects nodes, select Threat Protection, then click the New IPS or Old IPS tab. The main window shows the corresponding threat protection global configuration rule list.
3. From the toolbar, click New. The Threat Protection page appears.
4. Click OK.
Configuring a Shared Threat Protection
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. In the left navigation pane, select device types tab, then expand Configure and Objects nodes, select Threat Protection, then click the New IPS or Old IPS tab.
3. Double click the threat protection rule name you want to configure. The Global Threaten Configuration tab appears.
Intrusion Protection System: Select/clear the Enable check box to enable/disable IPS. After enabling this function, you have to reboot the security device for it to take effect on the security device.
Merge Log: The security device can merge IPS logs which have the same protocol ID, the same VSYS ID, the same Signature ID, the same log ID, and the same merging type. This helps avoid receiving redundant logs, and the merged log is displayed on the standard output according to your requirements. The function is disabled by default.
Select the merging types in the drop-down list:
Source IP, Destination IP - Merge the logs with the same Source IP and the same Destination IP.
Log Only - If attacks have been detected, the firewall will only generate protocol anomaly alarms and attacking behavior logs, but will not reset connections or block attackers.
AV Global Configuration
Anti Virus: Select/clear the Enable check box to enable/disable Anti-Virus. The new configuration will take effect after the relevant device is reset.
Max Decompression Layer: By default the firewall can scan files of up to 5 decompression layers. To specify a decompression layer, select a value from the drop-down list. The value range is 1 to 5.
Exceed Action: Specify an action for compressed files that exceed the max decompression layer. Select an action from the drop-down list:
Log Only - Only generates logs but will not scan the files. This action is enabled by default.
Reset Connection - If a virus has been detected, the firewall will reset the connections to the files.
Log Only - Only generates logs but will not scan the files.
4. Select the Global Threaten Configuration List tab to view the details of the whole IPS signature list. For more information, see Global Threaten Configuration List.
5. Click OK.
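The Merge Log option above states the merge key: protocol ID, VSYS ID, signature ID, log ID, plus the fields of the selected merging type (Source IP and Destination IP). The following Python snippet is an added example, not Hillstone code, showing the same aggregation over constructed key=value log lines, so that a reader can see which records collapse into one and which stay separate (a different source IP, a different VSYS). The field names and the "Destination IP" variant are assumptions.

```python
"""Merge IPS logs as the Merge Log option describes.

Added example, not Hillstone code. Logs that share protocol ID, VSYS ID,
signature ID, log ID and the fields of the selected merging type ("Source IP,
Destination IP" in the text) collapse into one record that carries a hit
count and the first/last timestamps. The key=value log lines below are
constructed sample data; the field names are assumptions.
"""
from collections import OrderedDict

SAMPLE_LOGS = """\
ts=1001 protocol_id=6 vsys_id=0 sig_id=100233 log_id=42 src_ip=203.0.113.5 dst_ip=192.0.2.10 msg=sql_injection
ts=1002 protocol_id=6 vsys_id=0 sig_id=100233 log_id=42 src_ip=203.0.113.5 dst_ip=192.0.2.10 msg=sql_injection
ts=1003 protocol_id=6 vsys_id=0 sig_id=100233 log_id=42 src_ip=203.0.113.6 dst_ip=192.0.2.10 msg=sql_injection
ts=1004 protocol_id=6 vsys_id=1 sig_id=100233 log_id=42 src_ip=203.0.113.5 dst_ip=192.0.2.10 msg=sql_injection
ts=1005 protocol_id=6 vsys_id=0 sig_id=100233 log_id=42 src_ip=203.0.113.5 dst_ip=192.0.2.10 msg=sql_injection
"""

# Fields every merge shares (from the text) plus the fields added by the merging type.
BASE_KEY = ("protocol_id", "vsys_id", "sig_id", "log_id")
MERGE_TYPES = {
    "Source IP, Destination IP": ("src_ip", "dst_ip"),  # the option named in the guide
    "Destination IP": ("dst_ip",),                      # assumed variant, for contrast
}


def parse(text):
    """Turn key=value lines into dicts; skip blank lines."""
    return [dict(f.split("=", 1) for f in line.split()) for line in text.splitlines() if line.strip()]


def merge_logs(records, merge_type="Source IP, Destination IP"):
    """Collapse records that share the merge key, keeping count and first/last ts."""
    key_fields = BASE_KEY + MERGE_TYPES[merge_type]
    merged = OrderedDict()
    for rec in records:
        key = tuple(rec[f] for f in key_fields)
        if key not in merged:
            merged[key] = dict(rec, count=0, first_ts=rec["ts"], last_ts=rec["ts"])
        merged[key]["count"] += 1
        merged[key]["last_ts"] = rec["ts"]
    return list(merged.values())


if __name__ == "__main__":
    for m in merge_logs(parse(SAMPLE_LOGS)):
        print(m["src_ip"], m["dst_ip"], "vsys", m["vsys_id"], "x", m["count"], m["first_ts"], m["last_ts"])
```

The five sample lines become three merged records: the three hits from 203.0.113.5 in VSYS 0 collapse into one with count 3, while the hit from a different source IP and the hit in VSYS 1 stay separate because they differ in a key field.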
Global Threaten Configuration List
In the Global Threaten Configuration tab, you can view all details of the IPS signature list. You can edit, delete, enable/disable a specific signature, or customize a signature as needed.
To search for the details of a specific signature entry, take the following steps:
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. In the left navigation pane, select device types tab, then expand Configure and Objects nodes, select Threat Protection, then click the New IPS or Old IPS tab.
3. Double click the threat protection rule name you want to configure.
5. You can click a filter name, and then input the value for this filter in the search bar. You can also hover the mouse over a parameter (including protocol, operating system, attack type, popularity, severity, service type, status and type, etc.) to view the drop-down list, and select the filter condition.
7. In the signature list, click ID. You can view the details of the specific signature in a pop-up dialog.
The icon can expand to show the search history. If Auto Open is selected, the history can automatically be opened while you use the search box.
Creating a User-defined Signature Rule
1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.
2. In the left navigation pane, select device types tab, then expand Configure and Objects nodes, select Threat Protection, then click the New IPS or Old IPS tab.
3. Double click the threat protection rule name for which you want to create a user-defined signature rule.
4. Select the Global Threaten Configuration List tab, and the main window shows the IPS signature list.
5. Click New from the toolbar. The User-defined Signature dialog appears.
General tab
Name: Specify the signature name.
Description: Specify the signature description.
Protocol: Specify the protocol that the signature supports.
Flow: Specify the direction for the signature. "To_Server" means the attack packet is from the server to the client. "To_Client" means the attack packet is from the client to the server. "Both" means bi-directional.
Dsize: Specify the payload message size. Select "----", ">", "<" or "=" from the drop-down list and specify the value in the text box. "----" means the parameter is not set.
Attack Type: Select the attack type from the drop-down list.
Service Type: Select the service type from the drop-down list. "----" means all services.
Operating System: Select the operating system from the drop-down list. "----" means all operating systems.
Detection Filter: Specify the frequency of the signature rule.
Track - Select the track type from the drop-down list. It can be by source IP or by destination IP. After specifying it, the system will match the attack according to the analysis of the source IP or destination IP.
Count - Specify the maximum number of times the rule may occur in the specified time. If the attacks exceed the Count value, the security device will trigger the rule and act as specified.
Content tab: Click New and configure the signature contents. Click OK to save your settings.
Content: Specify the signature content. Select the following check boxes if needed:
URI - Means the content needs to match the URI field of the HTTP request.
Offset: The system will start searching after the offset from the header of the application layer packet. The unit is byte.
Depth: Specifies the scanning length after the offset. The unit is byte.
If Last Content is selected, the system will search from the end position of the previous content.
Distance: The system will start searching after the distance from the end position of the previous content. The unit is byte.
Within: Specifies the scanning length after the distance. The unit is byte.
Dsize: Specifies the payload message size. Select "----", ">", "<" or "=" from the drop-down list and specify the value in the text box. "----" means the parameter is not set.
Attack Type: Select the attack type from the drop-down list.
Track - Select the track type from the drop-down list. It can be by_src or by_dst. The system will use the statistics of the source IP or destination IP to check whether the attack matches this rule.
Count - Specifies the maximum number of times the rule may occur in the specified time. If the attacks exceed the Count value, the system will trigger the rule and act as specified.
Option: Description
Content: Specifies the signature content. Select the following check boxes if needed:
URI - Means the content needs to match the URI field of the HTTP request.
If Beginning is selected, the system will search from the header of the application layer packet.
Offset: The system will start searching after the offset from the header of the application layer packet. The unit is byte.
Depth: Specifies the scanning length after the offset. The unit is byte.
If Last Content is selected, the system will search from the end position of the previous content.
Distance: The system will start searching after the distance from the end position of the previous content. The unit is byte.
Within: Specifies the scanning length after the distance. The unit is byte.
6. Click OK.
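The Content options above (Offset/Depth from the application-layer header, Last Content with Distance/Within relative to the previous match, URI, Dsize) and the Detection Filter (Track by source or destination, Count within a time window) are easier to reason about when run against a real payload. The following Python matcher is an added example, not Hillstone code; it implements those modifiers as the text describes them and runs them over a constructed HTTP request. The sample request, the time window and the chained contents are assumptions.

```python
"""Content matcher for the user-defined signature options (Offset/Depth,
Last Content with Distance/Within, URI, Dsize) and the Detection Filter
(Track/Count) described above.

Added example, not Hillstone code. The modifiers are interpreted the way the
text describes them: Offset/Depth scan from the application-layer header,
Distance/Within scan from the end of the previous content; Dsize compares the
payload size; Count fires once matches in the time window exceed it. The
sample HTTP request and the window length are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Content:
    pattern: bytes
    uri: bool = False             # match against the URI field of the HTTP request
    last_content: bool = False    # relative to the previous match end (Distance/Within)
    offset: int = 0               # bytes skipped from the application-layer header
    depth: Optional[int] = None   # bytes scanned after Offset (None = to the end)
    distance: int = 0             # bytes skipped after the previous content's end
    within: Optional[int] = None  # bytes scanned after Distance (None = to the end)


def _search(buf: bytes, pat: bytes, start: int, length: Optional[int]) -> int:
    """Index just past pat inside buf[start:start+length], or -1 if absent."""
    end = len(buf) if length is None else min(len(buf), start + length)
    idx = buf.find(pat, start, end)
    return -1 if idx < 0 else idx + len(pat)


def dsize_ok(size: int, op: str, value: int) -> bool:
    """Dsize: "----" means the parameter is not set."""
    return {"----": True, ">": size > value, "<": size < value, "=": size == value}[op]


def http_uri(payload: bytes) -> bytes:
    """URI field of an HTTP request line, or b"" if the payload is not one."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return parts[1] if len(parts) >= 3 else b""


def signature_matches(payload: bytes, contents: List[Content], dsize=("----", 0)) -> bool:
    """True when Dsize holds and every content matches in order."""
    if not dsize_ok(len(payload), *dsize):
        return False
    prev_end = {False: 0, True: 0}  # last match end, tracked per buffer (payload / URI)
    for c in contents:
        buf = http_uri(payload) if c.uri else payload
        if c.last_content:
            start, length = prev_end[c.uri] + c.distance, c.within
        else:
            start, length = c.offset, c.depth
        end = _search(buf, c.pattern, start, length)
        if end < 0:
            return False
        prev_end[c.uri] = end
    return True


class DetectionFilter:
    """Track by_src / by_dst: the rule fires only when hits in `seconds` exceed Count."""

    def __init__(self, track: str, count: int, seconds: int):
        self.track, self.count, self.seconds = track, count, seconds
        self.hits = defaultdict(list)

    def fire(self, ts: float, src_ip: str, dst_ip: str) -> bool:
        key = src_ip if self.track == "by_src" else dst_ip
        self.hits[key] = [t for t in self.hits[key] if ts - t < self.seconds] + [ts]
        return len(self.hits[key]) > self.count


SAMPLE_REQUEST = (b"GET /cgi-bin/login.cgi?user=admin HTTP/1.1\r\n"
                  b"Host: www.example.com\r\n"
                  b"User-Agent: constructed-sample\r\n\r\n")


def run_sample() -> dict:
    # Three chained contents: method at the very start, path right after it, file name in the URI.
    sig = [Content(b"GET ", offset=0, depth=4),
           Content(b"/cgi-bin/", last_content=True, distance=0, within=9),
           Content(b"login.cgi", uri=True)]
    matched = signature_matches(SAMPLE_REQUEST, sig, dsize=(">", 32))
    # Depth limits the scan: "Host:" exists but lies outside the first 10 bytes.
    too_far = signature_matches(SAMPLE_REQUEST, [Content(b"Host:", offset=0, depth=10)])
    df = DetectionFilter("by_src", count=3, seconds=60)
    fired = [df.fire(t, "203.0.113.5", "192.0.2.10") for t in (0, 10, 20, 30, 100)]
    return {"matched": matched, "too_far": too_far, "fired": fired}
```

Anchoring each content with Depth or Within keeps the match tied to a position rather than anywhere in the stream, which is what separates a precise signature from a bare substring search; the Detection Filter then suppresses the rule until the fourth hit from the same source inside the 60-second window, and a hit long after the window (t=100) starts counting from one again.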
URL Filter
URL filter controls access to certain websites and records log messages for the access actions. URL filter helps you control network behavior in the following aspects:
Access control to a certain category of websites, such as gambling and pornographic websites.
Access control to a certain category of websites during a specified period. For example, forbid access to IM websites during office hours.
Access control to websites whose URL contains specified keywords. For example, forbid access to URLs that contain the keyword game.
Note: HSM only supports the centralized management of the URL filter function for NGFW version 5.5R1 or above.
Configuring URL Filter
Configuring URL filter contains two parts:
2. Click New.
New: Create a new URL category. For more information about URL cat-
egory, see "User-defined URL DB" on page 228.
Edit: Select a URL category from the list, and click Edit to edit the
selected URL category.
Block: Select the check box to block access to the corresponding URL
category.
Log: Select the check box to log access to the corresponding URL cat-
egory.
Other URLS: Specify the actions to the URLs that are not in the list,
including Block Access and Record Log.
URL Keyword Category controls the access to the website who's URL con-
tains the specific keywords. Click the URL Keyword Categoryoption to
configure. The options are:
Edit: Select a URL keyword category from the list, and click Edit to
edit the selected URL keyword category.
Block: Select the check box to block the access to the website whose
URL contains the specified keywords.
Other URLS: Specify the actions to the URLs that do not contain the
keywords in the list, including Block Access and Record Log.
Web Surfing Record: Logs HTTP GET and POST requests.
Relevant Device: Specify the devices to which the URL filter rule applies. If the chosen device has virtual systems (VSYS), the rule is relevant only to its root VSYS. After configuring the rule, you must deploy it to the relevant devices for it to take effect on them. For details about deploying configuration, see Synchronizing Configuration.
Predefined URL DB
The system contains a predefined URL database.
The predefined URL database provides URL categories for URL filter configuration. It includes dozens of categories and tens of millions of URLs.
When identifying the URL category, the user-defined URL database has a higher priority than the predefined URL database.
Note: The predefined URL database is license-controlled. It can be used only after a URL license is installed.
User-defined URL DB
Besides the categories in the predefined URL database, you can also create user-defined URL categories, which likewise provide URL categories for URL filter configuration. When identifying the URL category, the user-defined URL database has a higher priority than the predefined URL database.
The system provides three user-defined URL categories by default: custom1, custom2, custom3.
3. Type the category name in the Name text box. A URL category name cannot consist only of a hyphen (-). You can create at most 1000 user-defined categories.
4. Type the category description in the Description text box. The value range is 0 to 255 characters.
6. Click Add to add the URL and its category to the table.
8. To delete an existing one, select its check box and then click Delete.
9. Specify the deployment device for the URL category in the Relevant Device drop-down menu if necessary.
Keyword Category
Keywords can be grouped into categories. A URL filter rule that contains a keyword category controls access to websites whose URLs match the keywords of that category.
When a URL filter rule includes keyword categories, the system scans the traffic for the configured keywords and calculates a trust score for each category: for every keyword belonging to the category, it multiplies the number of times the keyword occurs by the keyword's trust value, and adds up the products. The system then compares the sum with the category threshold of 100 and acts as follows:
If the sum is greater than or equal to the category threshold (100), the configured action of that category is triggered.
If more than one category is triggered and at least one of them is configured with the Block action, the final action is Block.
If more than one category is triggered and all of them are configured with the Permit action, the final action is Permit.
For example, a URL filter rule contains two keyword categories: C1 with action Block and C2 with action Permit. Both C1 and C2 contain the same keywords K1 and K2. In C1 the trust values of K1 and K2 are 20 and 40; in C2 they are 30 and 80.
If the system detects one occurrence each of K1 and K2 in a URL, the C1 score is 20*1+40*1=60<100 and the C2 score is 30*1+80*1=110>100. Only C2 is triggered, so the URL access is permitted.
If the system detects three occurrences of K1 and one occurrence of K2 in a URL, the C1 score is 20*3+40*1=100 and the C2 score is 30*3+80*1=170>100. Both C1 and C2 are triggered; because C1 is configured with Block, the final action is Block and the web page access is denied.
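How the pieces above fit together, as an added example written for this page (not Hillstone's code): a URL is first looked up in the user-defined URL database and only then in the predefined one; the matched category's Block and Log check boxes apply, or the Other URLs actions if there is no match; each keyword category is scored as the sum of occurrences times trust value and triggers at the threshold of 100; and Block wins when triggered actions disagree. The category names, hosts and keywords are constructed sample data, and the guide's C1/C2 example is reproduced with "k1"/"k2" standing in for K1/K2. Applying the same Block-wins rule between the URL-category verdict and the keyword-category verdicts is an assumption; the guide does not state how the two are combined.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

THRESHOLD = 100  # keyword-category threshold stated by the guide


@dataclass
class CategoryAction:
    """Block/Log check boxes of one URL category inside a URL filter rule."""
    block: bool = False
    log: bool = False


@dataclass
class Keyword:
    """One keyword of a keyword category: pattern, matching method, trust value."""
    pattern: str
    trust: int
    regex: bool = False  # False = "simple" substring match, True = regular expression

    def occurrences(self, url: str) -> int:
        if self.regex:
            return len(re.findall(self.pattern, url, flags=re.IGNORECASE))
        return url.lower().count(self.pattern.lower())


@dataclass
class KeywordCategory:
    name: str
    keywords: list
    block: bool  # category action: True = Block, False = Permit

    def score(self, url: str) -> int:
        # sum over the category's keywords of occurrences * trust value
        return sum(k.occurrences(url) * k.trust for k in self.keywords)


def lookup_category(host, user_db, predefined_db):
    """Map a host to a URL category. The user-defined DB is consulted first, so
    it overrides the predefined DB. Returns (category, source) or None."""
    for source, db in (("user-defined", user_db), ("predefined", predefined_db)):
        for pattern, category in db.items():
            if host == pattern or host.endswith("." + pattern):
                return category, source
    return None


def evaluate(url, user_db, predefined_db, category_actions, other_urls, keyword_categories):
    """Decide one URL under one URL filter rule."""
    host = urlparse(url).hostname or ""
    decision = {"category": None, "source": None, "block": False, "log": False, "fired": []}
    hit = lookup_category(host, user_db, predefined_db)
    if hit is None:
        # URL is in neither database: the "Other URLs" actions apply
        decision["block"], decision["log"] = other_urls.block, other_urls.log
    else:
        category, source = hit
        action = category_actions.get(category, CategoryAction())
        decision.update(category=category, source=source, block=action.block, log=action.log)
    # a keyword category is triggered when its score reaches the threshold
    for kc in keyword_categories:
        if kc.score(url) >= THRESHOLD:
            decision["fired"].append((kc.name, "block" if kc.block else "permit"))
    # Block wins when triggered actions disagree (assumption: the same rule is
    # applied when the URL-category verdict and the keyword verdicts differ)
    if any(action == "block" for _, action in decision["fired"]):
        decision["block"] = True
    return decision


# --- constructed sample data, not taken from any real URL database ---
PREDEFINED_DB = {"example.com": "Gambling", "chat.example.net": "IM"}
USER_DB = {"example.com": "custom1"}  # overrides the predefined entry for the same host
CATEGORY_ACTIONS = {
    "Gambling": CategoryAction(block=True, log=True),
    "IM": CategoryAction(block=True, log=True),
    "custom1": CategoryAction(block=False, log=True),
}
OTHER_URLS = CategoryAction(block=False, log=True)

# the two keyword categories of the guide's worked example; "k1"/"k2" stand in for K1/K2
C1 = KeywordCategory("C1", [Keyword("k1", 20), Keyword("k2", 40)], block=True)
C2 = KeywordCategory("C2", [Keyword("k1", 30), Keyword("k2", 80)], block=False)
RULE = dict(user_db=USER_DB, predefined_db=PREDEFINED_DB, category_actions=CATEGORY_ACTIONS,
            other_urls=OTHER_URLS, keyword_categories=[C1, C2])


def decide(url):
    return evaluate(url, **RULE)


if __name__ == "__main__":
    for u in ("http://www.example.com/", "http://chat.example.net/",
              "http://unknown.test/k1/k2", "http://unknown.test/k1k1k1/k2"):
        print(u, decide(u))
```

Run it directly to print the decision for each sample URL. The host example.com is "Gambling" in the predefined database but "custom1" in the user-defined one, so the user-defined entry wins and the URL is permitted; the two unknown.test URLs match no database and reproduce the 60/110 and 100/170 scores of the worked example, so the first is permitted and the second blocked.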
1. Select Object > URL Filter Bundle > Keyword Category. The Keyword Category dialog appears.
4. Type the category description in the Description text box. The value range is 0 to 255 characters.
5. Specify the keyword, character matching method (simple/regular expression), and trust value.
8. To delete a keyword, select the keyword you want to delete from the list and click Delete.
9. Specify the deployment device for the keyword category in the Relevant Device drop-down menu if necessary.
Warning Page
To create a new warning page, take the following steps:
3. Click OK.
You can also click Edit in the toolbar to edit the selected page, and click Delete to delete the page.
The warning page shows the user block information and the user audit information.
If Internet access is blocked by the URL filter function, the access is denied: an Access Denied message is shown in your browser, and the applicable web surfing rules are shown on the warning page at the same time. See the picture below:
1. Click Object > URL Filter Bundle > Warning Page, and in the page list on the left choose the page for which you want to configure the block warning function.
After the audit warning function is enabled, when your network behavior matches a configured URL filter rule, your HTTP request is redirected to a warning page that displays the audit and privacy protection information. See the picture below:
The audit warning function is disabled by default. To configure the audit warning function:
1. Select Object > URL Filter Bundle > Warning Page, and in the page list on the left choose the page for which you want to configure the audit warning function.
User
To configure shared users, click Configuration > Global Configuration from the Level-1 navigation pane to enter the
global configuration page. In the left navigation pane, select NGFW tab, and then expand Configure, Objects and User
nodes in turn, select the target node for the next configuration.
For the detailed configuration, see "User" on page 156 in Device Object.
AAA Server
To configure shared AAA servers, click Configuration > Global Configuration from the Level-1 navigation pane to enter
the global configuration page. In the left navigation pane, select NGFW tab, and then expand Configure, Objects and
AAA Server nodes in turn.
For the detailed configuration, see "AAA Server" on page 165 in Device Object.
Editing/Deleting an Object
To edit or delete an object, enter the corresponding object page, select the object, and then click the Edit or Delete button. For how to enter the object page and for the description of the options of each object, see the sections on creating objects.
Note: Only shared virtual router and shared interface can be edited or deleted.
1. Log into HSM and click Configuration > Default Parameters from the Level-1 navigation pane. The Configure Parameters dialog appears.
2. Select default action for new security policy rules, including Permit and Deny.
3. Click OK.
HSM uses tasks to track system operations whose running status and results need to be known. When you perform an operation on HSM, such as deploying a policy to devices or checking rule conflicts, a related task is generated so that you can track the operation. When the system executes the task, related logs are generated, from which you can learn the detailed task information and the reason for any task failure.
This chapter describes the task management configurations, including:
Task Management Window
Click Task from the Level-1 navigation pane to enter the task management page. The following is the layout of the page.
Option: Description
Status: Shows the status of the task. It can be one of the following:
Check: After you click Start, the system checks the execution conditions of the task.
Waiting: When more than one task has been started, the other started tasks wait in this status, because the system does not run multiple tasks simultaneously. A task in this status can be paused or terminated.
Running: The task is running. A running task cannot be paused or terminated.
Failed: The task failed to run. You can get the failure reason from the related logs.
Log: Click the icon to view the related logs. Logs are generated for each executed task. You can also read the logs on the Log > HSM Log > Task Management page.
Viewing Task Logs
In the task table, click the log icon in the Log column; the system shows the log window of the corresponding task. By reading the log messages you can analyze the failure reason of failed tasks. The system provides a log search function so that you can get the desired information quickly.
The HSM monitor function gathers data from the managed devices and displays the statistics as bar charts, pie charts, line charts, tables and so on. You can learn the network situation and resolve network problems from these statistics. HSM provides monitor data from multiple perspectives, including:
Device monitor: Shows statistics per managed device (traffic, attack defense, anti-virus, IPS, CPU, memory). When a problem occurs in the network, you can identify the problem device from the device rank and, with the drill-down function, investigate further by different factors.
User monitor: Shows statistics per user/IP (traffic, attack defense, anti-virus, IPS). When a problem occurs in the network, you can identify the problem user/IP from the user/IP rank and, with the drill-down function, investigate further by different factors.
Application monitor: Shows statistics per application (application traffic). Application monitor helps you know which applications are in the network and learn the network behavior of the managed people. With the drill-down function, you can get detailed application statistics by different factors.
Network threat: Shows statistics per network threat (attack defense, anti-virus, IPS). When network threats occur in the network, you can identify the threat from the threat rank and, with the drill-down function, investigate further.
Network behavior: Shows statistics on network behavior (URL hits and URL category hits). Network behavior monitor helps you know the network behavior of the managed people and keep track of network access information.
VPN monitor: Shows VPN statistics (tunnel information and VPN traffic). VPN monitor helps you get the VPN information of all managed devices.
HSM also provides the My Monitor function. With this function,
you can conveniently access your favorite monitor pages to get the information you are interested in;
Main Page
Log in to HSM and select Monitor from the level-1 navigation pane to enter the device monitor main page. The page shows the following information with bar charts:
Top 10 Devices by Average Rate: The device average rate rank in the specified time period. With the drill-down function (click a bar of a device and select a factor from the pop-up menu), you can see the related statistics. The supported factors are zone, interface, user/IP, application, and traffic trend.
Top 10 Devices by Threat: The threat count rank of devices in the specified time period, including virus attack counts, intrusion counts and AD (attack defense) attack counts. With the drill-down function (click a bar of a device and select a factor from the pop-up menu), you can see the related statistics. The supported factors are interface, attacker, victim, and trend.
Top 10 Devices by CPU Utilization: The CPU utilization rank of devices in the specified time period. With the drill-down function (click a bar of a device and select Trend), you can see the CPU utilization trend of the device.
Top 10 Devices by Memory Utilization: The memory utilization rank of devices in the specified time period. With the drill-down function (click a bar of a device and select Trend), you can see the memory utilization trend of the device.
1. Click Select Device (Group) in the upper-left corner of the main page. The Select Device (Group) dialog pops up.
2. Select the Device or Device Group radio option, and then select the device or device group from the box.
3. Click OK to save the changes and close the dialog. The monitor page then shows only the statistics of the selected devices.
HSM supports pre-defined and customized time periods. You can specify the time period with the options in the upper-right corner.
The custom time period option: when you select it, the Select Time dialog appears, in which you can specify the time period according to your own requirements. The interval between the start time and the end time must be at least 15 minutes, and at most the latest 1 year of statistics can be shown.
The devices and time period specified here also apply to the details page, drill-down sub-page, and trend page.
Details Page
In the main page, click Details on a chart to go to the corresponding details page.
The details page shows the detailed statistics with bar charts and tables. The bar charts show the device rank by different factors; you can switch factors by clicking the buttons in the upper-left corner. The drill-down function and the time period selection are supported as well; the tables display the detailed data, and the search function lets you find the data you are interested in quickly.
The details page also provides the Add to MyMonitor function. Click the Add to MyMonitor button and the current chart and table information is saved to MyMonitor, where you can reach the monitor you are interested in quickly.
Take the details page of device average rate as an example:
As shown in the screenshot above, the Top 10 drop-down list determines the number of bars shown in the bar chart; the Average Rate, Forwarding Rate, and New Sessions buttons switch among the factors; the time options in the upper-right corner specify the time period of the statistics; and the drill-down function on the bars gives more detailed statistics for the specified factors.
Note: High, Middle, Low factors of the IPS details page refer to the severities of IPS signatures
which are high, middle and low.
Drill-down Sub-page
On the main page or the details page, click a bar and select a menu option; the page that pops up is the drill-down sub-page. For example, in the device monitor main page, click the bar named M2105 and select Interface from the pop-up menu; a new page showing the interface traffic rank of M2105 appears. The data in the drill-down sub-page is organized in the same way as in the details page (except for the trend page).
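As an added illustration of how these rank and drill-down views relate to the underlying data (example code written for this page, not HSM's own implementation): constructed traffic records are ranked by average rate over a time window, a device bar is "clicked" by restricting the records to that device and ranking them by another factor (the M2105 to Interface example above), and the window is checked against the 15-minute minimum and 1-year maximum stated for the time period. The same ranking function serves the user, application and other factors that later monitor pages rank. The record layout, the device names other than M2105, and the definition of average rate as bytes seen in the window divided by the window length are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_WINDOW = timedelta(minutes=15)  # minimum start/end gap stated by the guide
MAX_LOOKBACK = timedelta(days=365)  # at most the latest 1 year of statistics


@dataclass(frozen=True)
class Record:
    """One traffic sample as a managed device might report it (constructed layout)."""
    ts: datetime
    device: str
    interface: str
    user_ip: str
    application: str
    byte_count: int


def period_error(start, end, now):
    """Return None if the window is acceptable, otherwise why the UI would reject it."""
    if end - start < MIN_WINDOW:
        return "start and end must be at least 15 minutes apart"
    if now - start > MAX_LOOKBACK:
        return "at most the latest 1 year of statistics can be shown"
    return None


def rank(records, factor, start, end, n=10):
    """Top-n values of `factor` by average rate, i.e. bytes seen in [start, end)
    divided by the window length in seconds (assumed definition of Average Rate).
    `factor` is any Record field: device, interface, user_ip, application."""
    totals = defaultdict(int)
    for r in records:
        if start <= r.ts < end:
            totals[getattr(r, factor)] += r.byte_count
    seconds = (end - start).total_seconds()
    ranked = sorted(((k, v / seconds) for k, v in totals.items()),
                    key=lambda kv: (-kv[1], kv[0]))
    return ranked[:n]


def drill_down(records, device, factor, start, end, n=10):
    """Clicking a device bar and picking a factor: the same ranking, restricted
    to that device's records (the guide's M2105 -> Interface example)."""
    return rank([r for r in records if r.device == device], factor, start, end, n)


# --- constructed sample data; "M2105" is the device name used in the guide,
# the other device names are made up ---
NOW = datetime(2015, 6, 1, 12, 0)
START, END = NOW - timedelta(hours=1), NOW  # a 3600-second window
SHORT_END = START + timedelta(minutes=10)  # shorter than the 15-minute minimum
OLD_START = NOW - timedelta(days=400)  # older than the 1-year maximum


def at(minutes):
    return START + timedelta(minutes=minutes)


RECORDS = [
    Record(at(5), "M2105", "eth0/1", "10.0.0.5", "HTTP", 3_600_000),
    Record(at(20), "M2105", "eth0/2", "10.0.0.7", "HTTP", 7_200_000),
    Record(at(40), "M2105", "eth0/1", "10.0.0.5", "SMTP", 1_800_000),
    Record(at(10), "dev-b", "eth0/1", "10.0.1.9", "HTTP", 5_400_000),
    Record(at(50), "dev-c", "eth0/3", "10.0.2.2", "FTP", 900_000),
    Record(NOW + timedelta(minutes=1), "dev-c", "eth0/3", "10.0.2.2", "FTP", 99_000_000),  # outside the window
]


if __name__ == "__main__":
    print("Top devices by average rate (B/s):", rank(RECORDS, "device", START, END))
    print("M2105 by interface:", drill_down(RECORDS, "M2105", "interface", START, END))
    print("M2105 by application:", drill_down(RECORDS, "M2105", "application", START, END))
    print("10-minute window:", period_error(START, SHORT_END, NOW))
```

Over the one-hour window M2105 ranks first at 3500 B/s, and drilling into it by interface ranks eth0/2 (2000 B/s) above eth0/1 (1500 B/s); the 99 MB record just after the window end is ignored, which is why the device selection and time period chosen on the main page carry through to every details and drill-down page.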
Trend Page
In the bar chart, click a bar and select Traffic Trend/Trend; the trend page of the selected factor appears. HSM uses line charts to show how the factors develop over time.
Real-time Trend Monitor
To monitor a device in real-time, take the following steps:
1. In the main page or details page, click a bar and select Traffic Trend/Trend.
2. In the trend page, select Real-time from drop-down list in the upper-right corner.
1. In the main page or details page, click a bar and select Traffic Trend/Trend.
3. The dialog showing the application distribution or the user/IP rank appears.
User Monitor
The user monitor page shows various statistics from the perspective of users on the managed devices. The user monitor statistics are organized into the main page (summary of user monitor), the details page (detailed statistics of each module), the drill-down sub-page (statistics for a specified factor), and the trend page.
Main Page
Log in to HSM and select Monitor from the level-1 navigation pane to enter the device monitor main page. Click User in the monitor navigation pane to enter the user monitor main page. The user monitor main page shows the following information with bar charts:
Top 10 User Traffic: The user traffic rank in the specified time period. With the drill-down function (click a bar of a user and select Traffic Trend from the pop-up menu), you can see the corresponding statistics.
1. Click Select Device (Group) in the upper-left corner of the main page. The Select Device (Group) dialog pops up.
2. Select the Device or Device Group radio option, and then select the device or device group from the box.
3. Click OK to save the changes and close the dialog. The monitor page then shows only the statistics of the selected devices.
HSM supports pre-defined and customized time periods. You can specify the time period with the options in the upper-right corner.
The drop-down list of pre-defined time periods: the menu items are described below:
The custom time period option: when you select it, the Select Time dialog appears, in which you can specify the time period according to your own requirements. The interval between the start time and the end time must be at least 15 minutes, and at most the latest 1 year of statistics can be shown.
The devices and time period specified here also apply to the details page, drill-down sub-page, and trend page.
Details Page
In the main page, click Details of each chart to go to the corresponding details page.
As shown in the screenshot above, the Top 10 drop-down list determines the number of bars shown in the bar chart; the Average Rate, Sent, Received, Forwarding Rate, and New Sessions buttons switch among the factors; the time options in the upper-right corner specify the time period of the statistics; and the drill-down function on the bars gives more detailed statistics for the specified factors.
As shown in the screenshot above, the detailed data of each user is displayed in the table. At most the top 200 users can be displayed. The search function lets you find the information you want quickly.
Drill-down Sub-page
On the main page or the details page, click a bar and select a menu option; the page that pops up is the drill-down sub-page. It shows the detailed statistics for a specified factor of the user, or the trend information of the user. For example, in the user monitor main page, click a bar in the user traffic rank chart and select Application from the pop-up menu; a new page showing the application traffic rank of that user appears. The data in the drill-down sub-page is organized in the same way as in the details page (except for the trend page).
Trend Page
In the bar chart, click a bar and select Traffic Trend/Trend; the trend page of the selected factor appears. HSM uses line charts to show how the factors develop over time.
Real-time Trend Monitor
1. In the user monitor main page, click Select Device (Group), and select a device in the Select Device (Group) dialog.
2. In the main page or details page, click a bar and select Traffic Trend/Trend.
3. In the trend page, select Real-time from drop-down list in the upper-right corner.
1. In the main page or details page, click a bar and select Traffic Trend/Trend.
Application Monitor
The application monitor page shows various statistics from the perspective of applications on the managed devices. The application monitor statistics are organized into the main page (summary of application monitor), the details page (detailed statistics of each module), the drill-down sub-page (statistics for a specified factor), and the trend page.
Main Page
Log in to HSM and select Monitor from the level-1 navigation pane to enter the device monitor main page. Click Application in the monitor navigation pane to enter the application monitor main page. The application monitor main page shows the following information with bar charts:
Top 10 Application Traffic: The application traffic rank in the specified time period. With the drill-down function (click a bar of an application and select a factor from the pop-up menu), you can see the related statistics. The supported factors are device, user/IP, and Trend.
1. Click Select Device (Group) in the upper-left corner of the main page. The Select Device (Group) dialog pops up.
2. Select the Device or Device Group radio option, and then select the device or device group from the box.
3. Click OK to save the changes and close the dialog. The monitor page then shows only the statistics of the selected devices.
HSM supports pre-defined and customized time periods. You can specify the time period with the options in the upper-right corner.
The custom time period option: when you select it, the Select Time dialog appears, in which you can specify the time period according to your own requirements. The interval between the start time and the end time must be at least 15 minutes, and at most the latest 1 year of statistics can be shown.
The devices and time period specified here also apply to the details page, drill-down sub-page, and trend page.
Details Page
In the main page, click Details on a chart to go to the corresponding details page.
The details page shows the detailed statistics with bar charts and tables. The bar charts show the application rank by different factors; you can switch factors by clicking the buttons in the upper-left corner. The drill-down function and the time period selection are supported as well; the tables display the detailed data, and the search function lets you find the data you are interested in quickly.
The details page also provides the Add to MyMonitor function. Click the Add to MyMonitor button and the current chart and table information is saved to MyMonitor, where you can reach the monitor you are interested in quickly.
Take the details page of application traffic as an example:
As shown in the screenshot above, the Top 10 drop-down list determines the number of bars shown in the bar chart; the Average Rate, Forwarding Rate, and New Sessions buttons switch among the factors; the time options in the upper-right corner specify the time period of the statistics; and the drill-down function on the bars gives more detailed statistics for the specified factors.
Drill-down Sub-page
On the main page or the details page, click a bar and select a menu option; the page that pops up is the drill-down sub-page. It shows the detailed statistics for a specified factor of the application, or the trend information of the application. For example, in the application monitor main page, click the HTTP bar in the application traffic rank chart and select Device from the pop-up menu; a new page showing the device rank for the HTTP application appears. The data in the drill-down sub-page is organized in the same way as in the details page (except for the trend page).
Trend Page
In the bar chart, click a bar and select Traffic Trend/Trend; the trend page of the selected factor appears. HSM uses line charts to show how the factors develop over time.
Real-time Trend Monitor (Method 1)
To monitor an application on a device in real-time, take the following steps:
1. In the application monitor main page, click Select Device (Group) and select a device in the Select Device (Group) dialog.
2. In the main page or details page, click a bar and select Traffic Trend/Trend.
1. In the main page or details page, click a bar and select Device.
2. In the device rank bar chart, click a bar and select Trend from the pop-up menu.
3. In the trend page, select Real-time from drop-down list in the upper-right corner.
Drill-down in Trend Page
If further information based on user/IP is available on the current trend page, you can get it with the drill-down function. HSM uses a bar chart to show the user/IP rank of the application.
To view the drill-down sub-page of the trend chart, take the following steps:
1. In the main page or details page, click a bar and select Trend.
Network Threat Monitor
The network threat monitor page shows various statistics from the perspective of network threats on the managed devices. The network threat monitor statistics are organized into the main page (summary of network threat monitor), the details page (detailed statistics of each module), the drill-down sub-page (statistics for a specified factor), and the trend page.
Main Page
Traditional
Log in to HSM and select Monitor from the level-1 navigation pane to enter the device monitor main page. Click Network Threat > Traditional in the monitor navigation pane to enter the traditional network threat monitor main page. This page shows the following information with bar charts:
Top 10 Attacks: The AD (attack defense) attack count rank in the specified time period. With the drill-down function (click a bar of an attack and select a factor from the pop-up menu), you can see the related statistics. The supported factors are attacker, victim, device, and trend.
Top 10 Virus: The virus attack count rank in the specified time period. With the drill-down function (click a bar of a virus and select a factor from the pop-up menu), you can see the related statistics. The supported factors are attacker, victim, device, and trend.
Intelligence
Log in to HSM and select Monitor from the level-1 navigation pane to enter the device monitor main page. Click Network Threat > Intelligence in the monitor navigation pane to enter the intelligence threat monitor main page. Only NIPS and IDS devices support intelligence threat monitoring. The page shows the following information:
Week Threat Distribution: A pie chart showing the distribution of the different threat types in the specified time period.
Week Threat Deal Distribution: A doughnut chart showing how threats were dealt with in the specified time period. The inner ring displays the proportions of blocked and detected counts over all threats; the outer ring displays the proportions of blocked and detected counts for each threat type.
Week Top 10 Threat: The threat count rank in the specified time period, including virus attack counts, intrusion counts and AD attack counts.
Week Top 10 Distribution: The threat subtype count rank in the specified time period.
Statistics Period
The managed devices and the time period can be specified.
To specify the devices whose statistics are shown, take the following steps:
1. Click Select Device (Group) in the upper-left corner of the main page. The Select Device (Group) dialog pops up.
2. Select the Device or Device Group radio option, and then select the device or device group from the box.
3. Click OK to save the changes and close the dialog. The monitor page then shows only the statistics of the selected devices.
HSM supports pre-defined and customized time periods. You can specify the time period with the options in the upper-right corner.
The drop-down list of pre-defined time periods: the menu items are described below:
Details Page
In the main page, click Details on a chart to go to the corresponding details page.
The details page shows the detailed statistics with bar charts and tables. The bar charts show the attack rank. The drill-down function and the time period selection are supported as well; the tables display the detailed data, and the search function lets you find the data you are interested in quickly.
The details page also provides the Add to MyMonitor function. Click the Add to MyMonitor button and the current chart and table information is saved to MyMonitor, where you can reach the monitor you are interested in quickly.
Take the details page of AD attacks as an example:
As shown in the screenshot above, the Top 10 drop-down list determines the number of bars shown in the bar chart; the time options in the upper-right corner specify the time period of the statistics; and the drill-down function on the bars gives more detailed statistics for the specified factors.
As shown in the screenshot above, the detailed data of each attack is displayed in the table. At most the top 200 attacks can be displayed. The search function lets you find the information you want quickly.
Note: High, Middle, Low factors of the IPS details page refer to the severities of IPS signatures
which are high, middle and low.
Trend Page
In the bar chart, click a bar and select Trend; the trend page of the selected factor appears. HSM uses line charts to show how the factors develop over time.
Real-time Trend Monitor (Method 1)
To monitor an attack on a device in real-time, take the following steps:
1. In the network threat monitor main page, click Select Device (Group) and select a device in the Select Device (Group) dialog.
2. In the main page or details page, click a bar and select Trend.
3. In the trend page, select Real-time from drop-down list in the upper-right corner.
1. In the main page or details page, click a bar and select Device.
2. In the device rank bar chart, click a bar and select Trend from the pop-up menu.
3. In the trend page, select Real-time from drop-down list in the upper-right corner.
Drill-down in Trend Page
If further information based on user/IP or destination IP (victim) is available on the current trend page, you can get it with the drill-down function. HSM uses bar charts to show the attacker rank and the victim rank.
To view the drill-down sub-page of the trend chart, take the following steps:
3. The dialog showing the attacker rank and victim rank appears.
Network Behavior Monitor
The network behavior monitor page shows URL/URL category hit count statistics from the perspective of network behavior. The network behavior monitor statistics are organized into the main page (summary of network behavior monitor), the details page (detailed statistics of each module), the drill-down sub-page (statistics for a specified factor), and the trend page.
Main Page
Log in to HSM and select Monitor from the level-1 navigation pane to enter the device monitor main page. Click NBC in the monitor navigation pane to enter the network behavior monitor main page. The page shows the following information with bar charts:
Top 10 URL Category Hit Count: The URL category hit count rank in the specified time period. With the drill-down function (click a bar of a URL category and select a factor from the pop-up menu), you can see the related statistics. The supported factors are URL, user/IP, device, and Trend.
1. Click Select Device (Group) in the upper-left corner of the main page. The Select Device (Group) dialog pops up.
2. Select the Device or Device Group radio option, and then select the device or device group from the box.
3. Click OK to save the changes and close the dialog. The monitor page then shows only the statistics of the selected devices.
HSM supports pre-defined and customized time periods. You can specify the time period with the options in the upper-right corner.
The drop-down list of pre-defined time periods: the menu items are described below:
The custom time period option: when you select it, the Select Time dialog appears, in which you can specify the time period according to your own requirements. The interval between the start time and the end time must be at least 15 minutes, and at most the latest 1 year of statistics can be shown.
The devices and time period specified here also apply to the details page, drill-down sub-page, and trend page.
The details page shows the detailed statistics with bar charts and tables. The bar charts show the URL category/URL hit count rank. The drill-down function and the time period selection are supported as well; the tables display the detailed data, and the search function lets you find the data you are interested in quickly.
The details page also provides the Add to MyMonitor function. Click the Add to MyMonitor button and the current chart and table information is saved to MyMonitor, where you can reach the monitor you are interested in quickly.
Take the details page of the URL category rank chart as an example:
As shown in the screenshot above, the Top 10 drop-down list determines the number of bars shown in the bar chart; the time options in the upper-right corner specify the time period of the statistics; and the drill-down function on the bars gives more detailed statistics for the specified factors.
As shown in the screenshot above, the detailed data of each URL category/URL is displayed in the table. At most the top 200 URL categories/URLs can be displayed. The search function lets you find the information you want quickly.
Drill-down Sub-page
On the main page or the details page, click a bar and select a menu option; the page that pops up is the drill-down sub-page. The drill-down sub-page shows the detailed statistics of the URL category/URL for a specified factor, or the trend information of the URL category/URL. For example, on the network behavior monitor main page, click a bar of a URL category in the URL category hit count rank chart and select URL from the pop-up menu; a new page showing the URL hit count rank of that URL category appears. The data in the drill-down sub-page is organized in the same way as in the details page (excluding the trend page).
1. On the network behavior monitor main page, click and select a device in the Select Device (Group) dialog.
2. On the main page or details page, click a bar and select Trend.
3. On the trend page, select Real-time from the drop-down list in the upper-right corner.
1. On the main page or details page, click a bar and select Device.
2. In the device rank bar chart, click a bar and select Trend from the pop-up menu.
3. On the trend page, select Real-time from the drop-down list in the upper-right corner.
Drill-down in Trend Page
On the current trend page, if further information based on user/IP is available, you can get it through the drill-down function. HSM uses a bar chart to show the user/IP rank of the URL category/URL hit count.
To view the drill-down sub-page of the trend chart, take the following steps:
VPN Monitor
The VPN monitor page shows VPN-related statistics for the managed devices. The VPN monitor statistics are organized into the tunnel statistics page and the device VPN traffic statistics page (VPN traffic trend and VPN traffic rank).
Tunnel Statistics Page
Log in to HSM, select Monitor from the level-1 navigation pane to enter the device monitor main page. Click VPN in the monitor navigation pane to enter the tunnel statistics page. This page shows a table with detailed tunnel information. The options of the table are described below:
Option Description
VPN Name: Shows the tunnel name. Click the tunnel name to enter the traffic trend/traffic rank page of the tunnel.
: Connected.
: Disconnected.
(bps)
Sent Traffic Rate (bps): Shows the sent traffic rate of the tunnel interface.
Duration: If the tunnel is connected, shows how long the tunnel has been connected. If the tunnel is disconnected, shows how long the tunnel has been disconnected.
Re-connecting Times: Shows how many times the tunnel has reconnected. Click the number in the cell to open the Reconnection Time dialog, where you can check the detailed reconnection information of the tunnel for a specified time period. A tunnel that reconnects frequently usually indicates an unstable link or lifetime/DPD settings that do not match between the peers.
VPN Type: Shows the type of the tunnel. Only IPSec VPN is supported in this version.
Device Name: Shows the device the tunnel belongs to. Click the device name to enter the VPN traffic trend/VPN traffic rank page.
Algorithm: Shows the algorithms used by the tunnel (protocol, encryption, authentication, compression). Use this column to spot tunnels that were negotiated with deprecated algorithms such as DES, 3DES or MD5.
Latency: Shows the time between sending a packet and receiving the response.
The search function helps you find the desired information. The search conditions are listed above the tunnel table, and you can filter the table according to your own requirements.
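As an added example (editor's code, not Hillstone's), the following Python script applies the kind of checks an operator would run over the rows of this table once exported: it flags tunnels negotiated with deprecated algorithms, tunnels that are down, tunnels that reconnect often, and high latency. The Tunnel record layout, the algorithm string format "protocol/encryption/authentication/compression", the weak-algorithm sets and the thresholds are assumptions; the sample tunnels are constructed.

```python
"""Added example, not Hillstone HSM code: review the tunnel statistics table
for conditions an operator would want flagged (weak algorithms, disconnected
tunnels, flapping, high latency).

Assumptions: the Tunnel record mirrors the table columns described above, the
Algorithm column is rendered as "protocol/encryption/authentication/compression"
(e.g. "esp/aes256/sha256/none"), and the thresholds and weak-algorithm sets are
editorial choices. The sample tunnels are constructed.
"""
from dataclasses import dataclass

# Algorithms that should not appear on a production IPsec tunnel (assumption).
WEAK_ENCRYPTION = {"des", "3des", "null"}
WEAK_AUTH = {"md5", "null"}


@dataclass
class Tunnel:
    vpn_name: str
    device_name: str
    connected: bool       # the status icon column
    sent_bps: int         # Sent Traffic Rate (bps)
    duration_s: int       # seconds since connected (or since disconnected)
    reconnects: int       # Re-connecting Times
    algorithm: str        # "protocol/encryption/authentication/compression"
    latency_ms: float


def parse_algorithm(algorithm: str) -> dict:
    """Split the Algorithm column into its four named parts (lower-cased)."""
    parts = [p.strip().lower() for p in algorithm.split("/")]
    if len(parts) != 4:
        raise ValueError(f"unexpected algorithm string: {algorithm!r}")
    return dict(zip(("protocol", "encryption", "authentication", "compression"), parts))


def tunnel_findings(t: Tunnel, max_reconnects: int = 5, max_latency_ms: float = 200.0) -> list:
    """Return the list of problems found on one tunnel; an empty list means healthy."""
    findings = []
    alg = parse_algorithm(t.algorithm)
    if alg["encryption"] in WEAK_ENCRYPTION:
        findings.append(f"weak encryption {alg['encryption']}")
    if alg["authentication"] in WEAK_AUTH:
        findings.append(f"weak authentication {alg['authentication']}")
    if not t.connected:
        findings.append(f"disconnected for {t.duration_s}s")
    if t.reconnects > max_reconnects:
        findings.append(f"flapping: {t.reconnects} reconnects")
    if t.connected and t.latency_ms > max_latency_ms:
        findings.append(f"high latency {t.latency_ms:.0f} ms")
    return findings


def review_tunnels(tunnels) -> dict:
    """Map each tunnel name to its findings, keeping only tunnels with problems."""
    report = {}
    for t in tunnels:
        found = tunnel_findings(t)
        if found:
            report[t.vpn_name] = found
    return report


# Constructed sample rows, shaped like the tunnel statistics table.
SAMPLE_TUNNELS = [
    Tunnel("hq-to-branch1", "fw-hq-01", True, 850_000, 86_400, 1, "esp/aes256/sha256/none", 35.0),
    Tunnel("hq-to-branch2", "fw-hq-01", True, 120_000, 1_800, 12, "esp/3des/md5/none", 40.0),
    Tunnel("hq-to-dc", "fw-hq-02", False, 0, 3_600, 2, "esp/aes128/sha1/none", 0.0),
]

if __name__ == "__main__":
    for name, problems in review_tunnels(SAMPLE_TUNNELS).items():
        print(name, "->", "; ".join(problems))
```

The sha1 authentication on hq-to-dc is deliberately not flagged: HMAC-SHA1 is still acceptable for IPsec integrity, whereas MD5 and single or triple DES are not. Adjust WEAK_ENCRYPTION and WEAK_AUTH to your own policy.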
You can select the devices to be shown in the chart, specify the statistical time period, and view the tunnel traffic trend/rank.
To specify the devices whose statistics will be shown, take the following steps:
2. Select the devices you want from the dialog box. If necessary, use the search function in the upper-right corner to find the desired device.
3. Click anywhere outside the dialog box to close it. The selected devices are shown on the line chart.
HSM supports pre-defined time periods. You can specify the time period with the options in the upper-right corner.
: The drop-down list of pre-defined time periods. The menu items are described below:
You can select the tunnels to be shown in the chart, and specify the statistical time period.
To select tunnels, take the following steps:
1. Click Add Legend Item under the line chart; a dialog box with all tunnels appears.
2. Select the tunnels you want from the dialog box. If necessary, use the search function in the upper-right corner to find the desired tunnel.
3. Click anywhere outside the dialog box to close it. The selected tunnels are shown on the line chart.
HSM supports pre-defined time periods. You can specify the time period with the options in the upper-right corner.
: The drop-down list of pre-defined time periods. The menu items are described below:
You can select the devices to be shown in the chart, specify the statistical time period, specify the Top X shown in the chart, and view the tunnel traffic trend/rank of a single device.
To specify the devices whose statistics will be shown, take the following steps:
1. Click Add Legend Item under the line chart; a dialog box with all managed devices appears.
2. Select the devices you want from the dialog box. If necessary, use the search function in the upper-right corner to find the desired device.
3. Click anywhere outside the dialog box to close it. The selected devices are shown on the line chart.
HSM supports pre-defined time periods. You can specify the time period with the options in the upper-right corner.
: The drop-down list of pre-defined time periods. The menu items are described below:
You can select the tunnels to be shown in the chart, specify the statistical time period, and specify the Top X shown in the chart.
To select tunnels, take the following steps:
1. Click Add Legend Item under the line chart; a dialog box with all tunnels appears.
2. Select the tunnels you want from the dialog box. If necessary, use the search function in the upper-right corner to find the desired tunnel.
3. Click anywhere outside the dialog box to close it. The selected tunnels are shown on the line chart.
HSM supports pre-defined time periods. You can specify the time period with the options in the upper-right corner.
: The drop-down list of pre-defined time periods. The menu items are described below:
Custom: Show statistical information for a customized number of devices. You can specify the number by selecting devices from the Add Legend Item dialog.
Adding to MyMonitor
To add a monitor chart to MyMonitor, take the following steps:
1. Most monitor pages have the Add to MyMonitor button in the upper-right corner. Click this button and the Add To MyMonitor dialog appears.
2. Select a monitor group from the MyMonitor Group drop-down list. The chart will be added to the group specified here.
3. Type a name for the added chart in the MyMonitor Name text box.
Creating a New Monitor Group
To create a new monitor group, take the following steps:
1. Log in to HSM, select Monitor from the level-1 navigation pane to enter the device monitor main page. Click MyMonitor in the monitor navigation pane to expand the monitor groups, and click one of the monitor groups.
2. In the main window, click the New Group button. The New Monitor Group dialog appears.
3. Type a name for the new monitor group in the Name text box.
Deleting a Monitor Group
To delete a monitor group, take the following steps:
Viewing Information in MyMonitor
To view the information in MyMonitor, take the following steps:
1. Log in to HSM, select Monitor from the level-1 navigation pane to enter the device monitor main page.
2. Click MyMonitor in the monitor navigation pane to expand the monitor groups.
3. Select a monitor group; the charts added to the selected monitor group are displayed in the main window.
HSM monitors network performance around the clock and sends an alarm notification when it detects an abnormality. After receiving an alarm, you can decide how to proceed based on its contents.
For more information about the alarm function, see the following:
Alarm
Alarm Rule
Alarm Analysis
2. Select Alarm > Alarm Search from the alarm navigation pane; the alarm window shows all the alarm information.
Device: Search the alarm information for the specified device name.
Alarm Rule: Search the alarm information that matches the specified alarm rules.
Severity: Search the alarm information that matches the specified severity.
Alarming Time: Search the alarm information that matches the specified alarming time. It can be user-defined.
Status: Search the alarm information that matches the specified alarm status.
Read Time: Search the alarm information that matches the specified time at which the alarms were read.
Read by: Search the alarm information that matches the specified users who read the alarms.
Comment: Search the alarm information that matches the specified comments.
Reason: Search the alarm information that matches the specified alarm reason.
4. Click Search; the alarm window shows all the alarm information that matches the specified conditions.
To mark one or more alarms as read, select the checkboxes of the alarm messages and select Read Selected; the Add Comment dialog appears. Type the comment and then click OK.
To mark all alarms as read, select Read All; the Add Comment dialog appears. Type the comment and then click OK.
Device Analysis
Trend Analysis
1. Click Alarm from the level-1 navigation pane to enter the alarm page.
2. Select Alarm > Alarm Analysis > Device Analysis from the alarm navigation pane. This page shows the number of alarms per device as a bar chart.
3. Specify the search conditions to view the number of alarms that match them.
Searching Condition Description
Status: Search the alarm information that matches the specified alarm status.
Alarm Rule: Search the alarm information that matches the specified alarm rules.
Analysis Period: Search the alarm information that matches the specified alarming time. It can be user-defined.
Show Devices in Recycle Bin: Select the checkbox and HSM also counts the historical alarm information of devices that have been moved to the Recycle Bin.
4. To view the alarm severity statistics for one device, click the bar of that device and select Level in the pop-up menu.
Click the Status column in the table, and the Add Comment dialog appears. Type the alarm reason and comment in the text boxes and then click OK.
To process multiple alarms in a batch, select the checkboxes before the alarms and then click the Read Selected button at the top of the table; the Add Comment dialog appears. Type the alarm reason and comment in the text boxes and then click OK.
2. Select Alarm > Alarm Analysis > Trend Analysis from the alarm navigation pane; the alarm trend analysis page appears.
3. Specify the search conditions to view the alarm trend that matches them.
Searching Condition Description
Severity: Search the alarm information that matches the specified severity.
Status: Search the alarm information that matches the specified alarm status.
Device: Search the alarm information for the specified device name.
Alarm Rule: Search the alarm information that matches the specified alarm rules.
Analysis Period: Search the alarm information that matches the specified alarming time.
Click the Status column in the table, and the Add Comment dialog appears. Type the alarm reason and comment in the text boxes and then click OK.
To process multiple alarms in a batch, select the checkboxes before the alarms and then click the Read Selected button at the top of the table; the Add Comment dialog appears. Type the alarm reason and comment in the text boxes and then click OK.
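To make the relationship between Alarm Search, Device Analysis and Trend Analysis concrete, here is an added Python example (editor's code, not part of HSM) that applies the same conditions to alarm records offline, for instance to an exported alarm list. The Alarm record fields, the severity names Critical/High/Medium/Low, the statuses Unread/Read, the ISO-8601 time format and all sample alarms are assumptions or constructed data.

```python
"""Added example, not Hillstone HSM code: the Alarm Search conditions and the
Device Analysis / Trend Analysis aggregations applied to alarm records offline.

Assumptions: the Alarm record carries the columns listed above, severities are
named Critical/High/Medium/Low, statuses are "Unread"/"Read", and a user-defined
period is typed as ISO-8601 strings. All records are constructed sample data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Alarm:
    device: str
    rule: str
    severity: str
    status: str          # "Unread" or "Read"
    time: datetime       # alarming time


def search_alarms(alarms, device=None, rule=None, severity=None, status=None,
                  start=None, end=None):
    """Apply the Alarm Search conditions; None means 'any'. start/end are ISO strings."""
    start_dt = datetime.fromisoformat(start) if start else None
    end_dt = datetime.fromisoformat(end) if end else None
    hits = []
    for a in alarms:
        if device is not None and a.device != device:
            continue
        if rule is not None and a.rule != rule:
            continue
        if severity is not None and a.severity != severity:
            continue
        if status is not None and a.status != status:
            continue
        if start_dt is not None and a.time < start_dt:
            continue
        if end_dt is not None and a.time > end_dt:
            continue
        hits.append(a)
    return hits


def device_analysis(alarms, deleted_devices=frozenset(), show_deleted=False):
    """Alarm count per device, broken down by severity (the Level drill-down).
    Devices in the Recycle Bin are skipped unless show_deleted is set."""
    counts = defaultdict(Counter)
    for a in alarms:
        if a.device in deleted_devices and not show_deleted:
            continue
        counts[a.device][a.severity] += 1
    return {dev: dict(c) for dev, c in counts.items()}


def trend_analysis(alarms):
    """Alarm count per calendar day (ISO date string), oldest first."""
    per_day = Counter(a.time.date().isoformat() for a in alarms)
    return dict(sorted(per_day.items()))


def _alarm(device, rule, severity, status, when):
    return Alarm(device, rule, severity, status, datetime.fromisoformat(when))


# Constructed sample alarms (device and rule names are illustrative).
SAMPLE_ALARMS = [
    _alarm("fw-edge-01", "CPU Usage", "High", "Unread", "2024-03-01T08:00:00"),
    _alarm("fw-edge-01", "Device Offline", "Critical", "Read", "2024-03-01T09:30:00"),
    _alarm("fw-edge-02", "CPU Usage", "High", "Unread", "2024-03-02T10:00:00"),
    _alarm("fw-edge-01", "Session Count", "Medium", "Unread", "2024-03-02T11:00:00"),
    _alarm("ips-core-01", "Intelligent Threat", "Critical", "Unread", "2024-03-03T02:15:00"),
    _alarm("fw-edge-02", "Interface Down", "Low", "Read", "2024-03-03T14:00:00"),
]

if __name__ == "__main__":
    unread = search_alarms(SAMPLE_ALARMS, status="Unread", start="2024-03-02T00:00:00")
    print(len(unread), "unread alarms since 2024-03-02")
    print(device_analysis(SAMPLE_ALARMS, deleted_devices={"ips-core-01"}))
    print(trend_analysis(SAMPLE_ALARMS))
```

Note how device_analysis hides a device once it sits in the Recycle Bin unless show_deleted is set, which is exactly the effect of the Show Devices in Recycle Bin checkbox: alarm history does not disappear with the device, it is only filtered from the chart.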
1. Click Alarm from the level-1 navigation pane to enter the alarm page.
2. Select Alarm Rule > All Rules > Predefined from the alarm navigation pane.
3. Select the type of the alarm rule, and the alarm window shows the predefined alarm rule list.
Rule Name: Shows the alarm rule name. Predefined rule names cannot be modified.
Description: Type the description of the rule.
Trigger: Specify the condition that triggers the alarm. When HSM observes such an event on the selected device, it generates an alarm message. Only some rules need a trigger condition.
Only alarm.
Besides alarming, HSM can send an alarm email or SMS message to the specified recipients. (Select the checkbox before Send via Email or Send via SMS, click New, and configure the recipient name, Email, Mobile Phone and Comment in the Send via Email dialog.)
1. Select Alarm Rule > All Rules > User-defined from the alarm navigation pane.
Rule Name: Shows the alarm rule name.
Description: Type the description of the rule.
Trigger: Specify the condition that triggers the alarm. When HSM observes such an event on the selected device, it generates an alarm message. Only some rules need a trigger condition.
Device: Select the device to which the alarm rule applies from the drop-down list. Intelligent threat rules can only be applied to NIPS devices.
Action: HSM can take the following actions when an alarm occurs:
Only alarm.
Besides alarming, HSM can send an alarm email or SMS message to the specified recipients. (Select the checkbox before Send via Email or Send via SMS, click New, and configure the recipient name, Email, Mobile phone and Comment in the Send via Email dialog.)
Editing an Alarm Rule
To edit an alarm rule that has already been created, take the following steps:
1. In the alarm window of the Alarm Rule page, select the rule you want to modify.
2. In the Send via Email dialog, configure the recipients in one of the following ways:
Click New, and then specify the recipient name, Email, Mobile phone and comment in the text boxes.
Select the checkbox before the recipient you want to delete, and then click Delete. (A recipient that is referenced by an alarm rule cannot be deleted.)
1. In the alarm window of the Alarm Rule page, select the checkbox before the rule you want to enable/disable.
1. Select Alarm Rule > All Rules > User-defined from the alarm navigation pane.
Note:
The alarm rule is moved to the Recycle Bin after being deleted. You can click Restore on the Recycle Bin page to restore the rule to its original place, or click Delete on the Recycle Bin page to delete the rule permanently.
If an alarm rule is deleted permanently, all the alarm information that matched the rule is deleted at the same time.
Emptying Recycle Bin
All deleted rules are stored in the Recycle Bin. To delete rules permanently, take the following steps:
1. Select Alarm Rule > Recycle Bin from the alarm navigation pane.
3. Click OK.
Note:
If alarm rules are deleted permanently, all the alarm information that matched the rules is deleted at the same time.
HSM provides rich reports that let you analyze device status, network access and user behavior comprehensively, with multi-dimensional statistics and charts. HSM can generate periodic reports daily, weekly, monthly and quarterly, with a statistic granularity of minute, hour or day. Reports can be rendered as HTML or PDF files and mailed to specified recipients. At the time of writing HSM supports nearly 100 statistic items, including traffic, AV, IPS, network behavior, VPN, system, etc. These items can be categorized as below:
Traffic: Traffic information for the specified devices, zones, interfaces, applications, users or time range.
Network threat: Network threat information about AV, IPS and attack defense.
Network behavior: Network behavior information about Internet surfing and IM.
System: CPU, memory and session information for the managed devices.
Note that the above items may not be available on all devices. Check the actual page on your system to see whether your device delivers these items.
For more information about reports, see the following chapters:
Report File
Report Template
Server
1. Log into HSM. Click Report from the Level-1 navigation pane to enter the report page.
2. In the report navigation pane, click Report File > File Collection to list all the report files in the system in the report window, as shown below:
3. By default the report files are sorted by the time of creation. Click a column name to sort by the file name of the corresponding template, the time of creation or the author of the corresponding template; click the column name again to sort the report files in reverse order.
4. To search for a report file by keyword, type the keyword into the search box in the toolbar and press Enter. All the report files that contain the keyword are listed in the report window.
6. A report file consists of a left and a right pane. Report items are listed in the left pane; the contents are shown in the right pane, including the basic information, template modification history, and charts and tables. Click an item in the left pane to jump to the corresponding details in the right pane.
To view a deleted report file, click Report File > Deleted Files in the report navigation pane, and repeat Step 3 to Step 6 above.
Note: By default the report categories are not expanded. Each category may contain several report files. Only 100 report files are listed per page, so there may be more categories on other pages. To view the categories that are not listed on the current page, click the Next button on the lower-right.
1. Log into HSM. Click Report from the Level-1 navigation pane to enter the report page.
2. In the report navigation pane, click Report File > File Collection to list all the report files in the system in the report
window. By default the report files are sorted by the time of creation.
To download a report file, click the icon under the File Type column ( indicates HTML format, and indic-
ates PDF format), and download the file to your local disk as prompted.
To batch download multiple report files, select the checkboxes for the files, click Download in the toolbar, and
download the compressed file package to your local disk as prompted. The file format in the package is spe-
cified in the Output of the file's template.
1. Log into HSM. Click Report from the Level-1 navigation pane to enter the report page.
2. In the report navigation pane, click Report File > File Collection to list all the report files in the system in the report
window. By default the report files are sorted by the time of creation.
3. Select the checkbox for the report file (or checkboxes for multiple report files) to be deleted, and click Delete in the toolbar.
Note: The deleted files are moved to Report File > Deleted Files.
Restoring a Report File
You can restore a deleted report file if it has not been cleared. To restore a deleted report file, take the following steps:
1. Log into HSM. Click Report from the Level-1 navigation pane to enter the report page.
2. In the report navigation pane, click Report File > Deleted Files to list all the deleted report files in the report window.
3. Select the checkbox for the report file (or checkboxes for multiple report files) to be restored, and click Restore in the toolbar.
1. Log into HSM. Click Report from the Level-1 navigation pane to enter the report page.
2. In the report navigation pane, click Report File > Deleted Files to list all the deleted report files in the report window.
3. Select the checkbox for the report file (or checkboxes for multiple report files) to be cleared, and click Delete in the
Note: Report files that are deleted permanently cannot be restored. Take this operation with cau-
tion.
1. Log into HSM. Click Report from the Level-1 navigation pane to enter the report page.
2. In the report navigation pane, click Report Template > User-defined to list all the user-defined templates in the
report window.
Basic
This tab contains the basic information of the report template, which is shown on the first page of the report file. Configure the options as below:
Device
Select the devices to analyze. Configure the options as below:
Devices: Select the checkboxes of one or more devices to include them in the report statistics.
Counting Type: Select Not Include Total Sum of Devices to count each device individually; select Include Total Sum of Devices to count each device and also the total sum of all the selected devices. Only when you choose Include Total Sum of Devices can the system show the Security Risk Summary, Risk Type Summary or Security Risk Detail of NIPS devices.
Data Time
Configure the statistic time range and frequency as below:
Data Time: Specify the data time for the statistics. Click Latest and select a time range from the drop-down list, which can be 1 day, 1 week, 1 month or 3 months; or click Period and specify the start time and end time of the statistics.
Item
Report items, the key components of a report, define the statistic contents. HSM contains nearly 100 built-in report items, covering analysis data on traffic, network threats, network behavior, VPN, system, etc. A report template can contain multiple report items.
To add a report item to the template, take the following steps:
1. Expand a report item category node in the All box on the left, and select a category to list all its items in the Available box.
2. Select an item and click Add, or click Add All. The selected report items are listed in the Selected box.
To delete an item, select the item (or press Ctrl and left-click to select multiple items) and click Delete, or click Delete All to delete all the items.
Note that you need to select at least one report item; otherwise you can neither go to the next step nor save the template.
Item Options
Configure the following detailed options for each report item under this tab:
Basic: Shows the title and description of the report item (editable). Select the checkbox for Show the above chart to show the description above the chart.
Parameter Description
Application: By default the system counts all application traffic of the selected devices (none of the checkboxes is selected). To only count the traffic of specific applications, select Application under Filter; under the Include tab, select the applications to count, and under the Not Include tab, select the applications that will not be included in the traffic statistics. If an application is selected under both the Include and Not Include tabs, its traffic will not be included in the traffic statistics.
Direction: By default the system counts both the sent and received traffic of the selected devices. To only count the sent traffic, select the checkbox for Sent Traffic and clear the checkbox for Received Traffic; to only count the received traffic, select the checkbox for Received Traffic and clear the checkbox for Sent Traffic.
Zone: By default the system counts all zone traffic of the selected devices (none of the checkboxes is selected). To only count the traffic of specific zones, select Zone under Filter; under the Not Include tab, select the zones that will not be included in the traffic statistics. If a zone is selected under both the Include and Not Include tabs, its traffic will not be included in the traffic statistics.
Interface: By default the system counts all interface traffic of the selected devices. To only count the traffic of specific interfaces, select Interface under Filter; under the Not Include tab, select the interfaces that will not be included in the traffic statistics. If an interface is selected under both the Include and Not Include tabs, its traffic will not be included in the traffic statistics.
Dst IP: By default the system counts attacks against all destination IPs. To only count attacks against specific IPs, select Dst IP under Filter; under the Include tab, specify the IP or IP range and click Add. Under the Not Include tab, specify the IP or IP range that will not be included in the attack statistics and click Add. If a destination IP is specified under both the Include and Not Include tabs, it will not be included in the attack statistics.
Level: Specify the severity of the attacks to count, which can be High and above, Middle and above or Low and above.
tab, repeat the above steps to specify the URLs that will not be included in the URL access statistics. If a URL is specified under both the Include and Not Include tabs, it will not be included in the URL access statistics.
IM: By default the system counts all IM chats, including QQ, MSN, 9158 and Fetion. To only count specific IM chats, select IM under Filter, and select the IM software in the box on the right.
Time: Specify the time range of the statistics. By default the time range is the same as the schedule defined in the report template. To modify the time range of the report item, clear the checkbox for Inherit from Template, and select a time range within the one specified by the report template.
Device: Specify the devices to count. By default the devices are the same as those defined in the report template. To count other devices, clear the checkbox for Inherit from Template and select devices in the Devices section. In the Counting Type box, select Not Include Total Sum of Devices to count each device individually; select Include Total Sum of Devices to count each device and also the total sum of all the selected devices.
Chart: Specify the number of ranking items in the tables and charts of the report. The system can show at most the Top 10 ranking items.
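The Include / Not Include rule above (a value on both tabs is excluded), the Dst IP ranges and the Level threshold are easy to get wrong when reproducing a report's numbers by hand, so here is an added Python example (editor's code, not HSM's) that implements those semantics over constructed traffic and attack records. The record layouts, the "a.b.c.d-w.x.y.z" and CIDR range syntax, and the sample data are assumptions.

```python
"""Added example, not Hillstone HSM code: the Include / Not Include filter
semantics of the report Item Options, including the rule that a value listed on
both tabs is excluded, Dst IP ranges, and the attack Level threshold.

Assumptions: the record layouts are editorial, IP ranges are written as
"a.b.c.d-w.x.y.z" or CIDR, and all sample records are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class TrafficRecord:
    application: str
    zone: str
    interface: str
    direction: str     # "sent" or "received", from the device's point of view
    byte_count: int


@dataclass
class AttackRecord:
    dst_ip: str
    level: str         # "High", "Middle" or "Low"
    count: int


def selected(value, include, exclude):
    """Include/Not Include rule: an empty Include set means everything; a value on
    the Not Include tab is dropped even if it is also on the Include tab."""
    if value in exclude:
        return False
    return not include or value in include


def count_traffic(records, include=None, exclude=None, sent=True, received=True):
    """Sum traffic after the Application/Zone/Interface filters and the Direction option.
    include/exclude map a field name to the set of values on that tab."""
    include = include or {}
    exclude = exclude or {}
    total = 0
    for r in records:
        if (r.direction == "sent" and not sent) or (r.direction == "received" and not received):
            continue
        if all(selected(getattr(r, f), include.get(f, set()), exclude.get(f, set()))
               for f in ("application", "zone", "interface")):
            total += r.byte_count
    return total


def parse_ip_spec(spec):
    """'10.0.0.5', '10.0.0.0/24' or '10.0.1.5-10.0.1.20' -> list of ip_network objects."""
    if "-" in spec:
        low, high = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(low, high))
    return [ipaddress.ip_network(spec.strip(), strict=False)]


def ip_matches(ip, specs):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for spec in specs for net in parse_ip_spec(spec))


LEVEL_RANK = {"Low": 0, "Middle": 1, "High": 2}


def count_attacks(records, include_ips=(), exclude_ips=(), level="Low and above"):
    """Sum attack counts after the Dst IP filter (Not Include wins) and the Level threshold."""
    minimum = LEVEL_RANK[level.split()[0]]
    total = 0
    for r in records:
        if LEVEL_RANK[r.level] < minimum:
            continue
        if ip_matches(r.dst_ip, exclude_ips):
            continue
        if include_ips and not ip_matches(r.dst_ip, include_ips):
            continue
        total += r.count
    return total


# Constructed sample records.
TRAFFIC = [
    TrafficRecord("HTTP", "trust", "ethernet0/1", "sent", 1000),
    TrafficRecord("HTTP", "untrust", "ethernet0/0", "received", 4000),
    TrafficRecord("SSH", "trust", "ethernet0/1", "sent", 300),
    TrafficRecord("BitTorrent", "untrust", "ethernet0/0", "received", 9000),
]
ATTACKS = [
    AttackRecord("10.0.1.10", "High", 5),
    AttackRecord("10.0.1.200", "Middle", 3),
    AttackRecord("10.0.2.7", "Low", 8),
    AttackRecord("192.0.2.9", "High", 2),
]

if __name__ == "__main__":
    # HTTP is on both tabs, so only SSH survives: 300
    print(count_traffic(TRAFFIC, include={"application": {"HTTP", "SSH"}},
                        exclude={"application": {"HTTP"}}))
    # 10.0.0.0/16 included, 10.0.1.0/24 excluded again: only 10.0.2.7 remains: 8
    print(count_attacks(ATTACKS, include_ips=["10.0.0.0/16"], exclude_ips=["10.0.1.0/24"]))
```

The one behaviour worth remembering from this block is the precedence: Not Include is evaluated before Include, so an accidental entry on the Not Include tab silently removes a host or application from the report even when it is explicitly listed under Include.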
Schedule
A report schedule specifies the time range during which the corresponding report template takes effect. During that time range the system generates report files continuously. A report template can contain multiple report schedules.
To add a report schedule to the report template, take the following steps:
1. Under the Schedule tab, click New. In the New dialog, configure the options as below:
Generation Cycle: Specify the generation cycle of the report files, which can be daily, weekly, monthly, quarterly or one-time.
Effective: Specify the start time and end time of the schedule. Select No End to make the template take effect indefinitely.
Delete Schedule after End Date: Select the checkbox to delete the schedule after its end date.
Generated at: Specify the date and time at which the report file is generated.
Output
Output specifies the format of the report files and the destination they will be sent to. Configure the options as below:
File Format: Select the format of the report file, which can be PDF or HTML. You need to select at least one file format; otherwise you can neither go to the next step nor save the template.
Send via Email: Select the checkbox to send the report files to an Email address.
To add a recipient, type an Email address into the Email box (separate multiple recipients with ";"), or take the following steps:
2. In the Add dialog, type the name, Email address and comments into the boxes, and click OK.
4. In the Recipient dialog, select the checkbox for the recipient, and click OK. The recipient is listed in the Email box.
Send via FTP: Select the checkbox to send the report files to an FTP server.
Server Name/IP: Type the server name or IP address.
Username: Type the username used to log into the FTP server.
Password: Type the password used to log into the FTP server.
Anonymous: Select the checkbox to log into the FTP server anonymously (only applicable to FTP servers that allow anonymous login).
Path: Type the file path for the report files.
Test: Click the button to test whether the FTP server is reachable.
Note that plain FTP transmits the username, the password and the report contents in cleartext, and the reports themselves describe your network in detail; use a dedicated account that can only write to the report path, and keep the transfer inside a trusted network.
Sample
Sample demonstrates what a report file based on the template looks like. To view a sample, take the following steps:
2. When the system prompts "Generation succeeded", click View Sample to view the report file.
1. Log into HSM. Click Report from the Level-1 navigation pane to enter the report page.
2. In the report navigation pane, click Report Template > User-defined to list all the user-defined templates in the
report window.
Note: To preview the report file based on the configured template, click Generate Now on the
upper-left to generate a report file immediately. Click Report File > File Collection and double-
click the report file with the name specified in the template to open the report file in a new win-
dow of your web browser.
1. Log into HSM. Click Report from the Level-1 navigation pane to enter the report page.
2. In the report navigation pane, click Report Template > User-defined to list all the user-defined templates in the
report window.
3. Select the checkbox for the template to be deleted, and click Delete.
4. In the confirmation dialog, click OK to delete. If any report files have been generated based on this template, also select the checkbox for Delete Report Files Generated by This Schedule.
1. Log into HSM. Click Report from the Level-1 navigation pane to enter the report page.
2. In the report navigation pane, click Report Template > Deleted to list all the deleted templates in the report window.
3. Select the checkbox for the template to be restored, and click Restore.
Note: To also restore the report files deleted along with the template, see the steps described in
Restoring a Report File.
1. Log into HSM. Click Report from the Level-1 navigation pane to enter the report page.
2. In the report navigation pane, click Report Template > Deleted to list all the deleted templates in the report window.
3. Select the checkbox for the template to be deleted permanently, and click Delete.
Adding a Report Schedule
For details on how to add a report schedule when creating a report template, see Schedule in Creating a User-defined Template.
To add a report schedule to an existing report template, click Report Template > User-defined in the report navigation pane, and double-click the report template. Create the report schedule under the Schedule tab.
1. Log into HSM. Click Report from the Level-1 navigation pane to enter the report page.
2. In the report navigation pane, click Report Schedule to list all the report schedules by categories in the report win-
dow.
3. To view the details of a report template, click the name of the template and then click a tab below. The details, running logs and modification history of the template are shown under the corresponding tab. To view the running logs of a report schedule, expand a template and click the report schedule; the running log of the schedule is shown under the tab below.
1. Log into HSM. Click Report from the Level-1 navigation pane to enter the report page.
2. In the report navigation pane, click Report Schedule to list all the report schedules by categories in the report win-
dow.
3. Expand a report template and select the checkbox for the report schedule to be deleted. Click Delete.
1. Log into HSM. Click Report from the Level-1 navigation pane to enter the report page.
2. In the report navigation pane, click Report Schedule to list all the report schedules by categories in the report win-
dow.
Report Server
NIPS devices support the Report Server function. After you specify the names and IP addresses of the intranet servers, reports that have the Security Risk Summary and Security Risk Detail items selected show the statistics for these servers.
1. Log into HSM. Click Report > Server from the Level-1 navigation pane to enter the Server page.
3. Click OK.
In the generated reports, you can search for the names of the servers you specified to view the corresponding information.
HSM collects log information in real time, stores and maintains it centrally, and provides multiple query combinations for viewing the various types of log information. By default HSM stores up to the last 90 days of logs (given sufficient storage). Currently, HSM can manage the logs of NGFW, IPS and WAF devices of Hillstone Networks, Inc.
Introduction to Log
This chapter covers Log and Old Version Log. How logs are handled across the upgrade to 2.5R2 is listed in the table below.
HSM version and log state Log handling after upgrading
Before version 2.5R2, with logs already collected by HSM: After upgrading to version 2.5R2 or above, you manage the previously collected logs in Old Version Log. For newly collected logs, you search and export them in the Log module, and back up, import, and clean them in System > Log Backup Management.
Before version 2.5R2, with no logs collected by HSM: After upgrading to version 2.5R2 or above, you search and export the newly collected logs in Log, and back up, import, and clean them in System > Log Backup Management.
Version 2.5R2 or above: You search and export the logs in Log, and back up, import, and clean them in System > Log Backup Management.
Log
HSM optimizes the log management function with new searching, backup, importing, and cleaning methods. Logs are categorized as online logs, offline logs, and operation logs.
Online and offline logs are divided into the following types:
System log: Logs of the managed devices, including event logs, alarm logs, network logs and configuration logs.
Threat log: Logs of intrusion and attack behavior, including IPS logs, security logs, threat logs, web security logs and anti-defacement logs.
NBC log: Logs related to the network behavior seen by managed devices, including URL logs, IM logs, webpost logs, email logs and FTP logs. URL logs, IM logs and webpost logs support binary and text formats.
Traffic log: Logs of traffic, including NAT logs, NAT444 logs, session logs and PBR logs.
Data Security log: Logs of data security, including post logs, webpage security logs, URL logs, IM logs, email logs and FTP logs.
Log Severity
Event logs are categorized into eight severity levels, each with its own color.
Old Version Log
Old version logs are divided into the following types:
Device system log: Logs of managed devices, including event logs, alarm logs, network logs, configuration logs and others.
Traffic log: Logs related to traffic, including session logs and NAT logs.
Security log: Logs related to intrusion and attack, including IPS logs.
APP control log: Logs related to the network behavior seen by managed devices, including FTP logs, IM logs, mail logs, URL logs and BBS logs.
Log Navigation Pane
The log navigation pane has three tabs: Online Log, Offline Log and Operation Log. Click a tab, and the right pane shows the corresponding log messages.
Old Version Log
Logs collected before version 2.5R2 are managed in Old Version Log. For more information, see Old Version Log.
Log Filter
Searching is available for online and offline logs, not for operation logs. Enter values for filters and keywords to query for the results that match your criteria.
Option Description
Search Box Enter keywords, or click a filter name to insert it into the search box. Hover the mouse over the tip icon to show search tips; after a query is done, click the bookmark icon to save it as a bookmark; click the history icon to view the history and bookmarks. If Auto Open is selected, the history and bookmarks open automatically when you use the search box.
Time Range Select the time range of logs for your query.
Background icon If a query takes a long time, switching to another page discontinues it. Click the background icon to move the query into the background; you can then view the search result in the task list.
Mail icon When a query takes a long time, click the mail icon to move the query into the background; when the query completes, you receive an email notice. Note: To send email from HSM, you must set up a mailbox first; refer to Configuring an Email Account.
Operation Result Use the result of a query as a filter: Success, Unknown, or Failure.
Log Chart
The number of logs per time interval is shown as a bar chart. Click a bar to view a detailed chart for that interval.
Toolbar
The toolbar contains the operation icons.
Option Description
Export In the Export dialog, you can save your search results to your local computer as a TXT or CSV file. Range: Select the pages to be exported. Specific pages are given as page numbers separated by commas, with hyphens for spans, for example 1, 3, 5-9.
Merge Log The system can merge logs that share the same firewall or the same severity. This reduces the number of logs and avoids receiving redundant entries.
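The following is an added example and not code from Hillstone or this guide. It models, in Python over constructed log lines, the log-page behaviour described above: the eight severity levels (assumed here to be the standard syslog severities 0 to 7, taken from the low three bits of a syslog PRI), the filter bar (device, time range, keyword, severity), Merge Log (collapsing entries that share a device, a severity, or an identical message) and the Export dialog with its page range syntax such as 1, 3, 5-9. The line format, device names, messages and CSV columns are assumptions for the demonstration; HSM's own storage format and exact merge semantics are not documented on this page.

```python
"""Added example, not Hillstone's code: a small model of the HSM log page's
filter, merge and export operations over constructed log lines."""
import csv
import io
import re
from datetime import datetime

# Assumption: HSM's eight event-log severity levels correspond to the
# standard syslog severities 0..7 (RFC 5424). Names are used in the export.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]

# Constructed sample lines (not real HSM output), syslog-like:
# "<PRI>TIMESTAMP DEVICE: message". PRI 131 = facility 16, severity 3.
SAMPLE_LOGS = """\
<134>2024-05-01T10:00:01 fw-beijing: policy permit src=10.1.1.5 dst=8.8.8.8
<131>2024-05-01T10:00:07 fw-beijing: ips signature 1023 blocked src=203.0.113.9
<131>2024-05-01T10:00:09 fw-beijing: ips signature 1023 blocked src=203.0.113.9
<132>2024-05-01T10:01:30 fw-shanghai: cpu utilization 85%
<134>2024-05-01T10:02:00 fw-guangzhou: nat session created src=10.3.0.7
<131>2024-05-01T11:15:00 fw-guangzhou: ips signature 2044 blocked src=198.51.100.4
"""

LINE_RE = re.compile(r"^<(\d{1,3})>(\S+) ([^:]+): (.*)$")


def parse_line(line):
    """Parse one line into a record; severity is the low 3 bits of PRI."""
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed lines are dropped rather than guessed at
    pri = int(m.group(1))
    return {"severity": pri & 7, "facility": pri >> 3,
            "time": datetime.fromisoformat(m.group(2)),
            "device": m.group(3), "message": m.group(4)}


def parse_logs(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def filter_logs(records, device=None, start=None, end=None,
                keyword=None, max_severity=None):
    """The filter bar: device name, time range, keyword, severity ceiling."""
    out = []
    for r in records:
        if device is not None and r["device"] != device:
            continue
        if start is not None and r["time"] < start:
            continue
        if end is not None and r["time"] > end:
            continue
        if keyword is not None and keyword.lower() not in r["message"].lower():
            continue
        if max_severity is not None and r["severity"] > max_severity:
            continue
        out.append(r)
    return out


def merge_logs(records, key=("device", "severity", "message")):
    """Merge Log: collapse records sharing `key` into one record carrying a
    count and the first timestamp. Use key=("device",) or ("severity",) to
    merge per firewall or per severity as the toolbar option describes."""
    merged = {}
    for r in records:
        k = tuple(r[f] for f in key)
        if k not in merged:
            merged[k] = dict(r, count=0)
        merged[k]["count"] += 1
    return list(merged.values())


def parse_page_range(spec, page_count):
    """Parse an Export 'Range' value such as '1, 3, 5-9' into sorted page
    numbers. Rejects page 0, reversed spans and pages past page_count."""
    pages = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, sep, hi = part.partition("-")
        lo = int(lo)
        hi = int(hi) if sep else lo
        if lo < 1 or hi < lo or hi > page_count:
            raise ValueError(f"bad page range: {part!r}")
        pages.update(range(lo, hi + 1))
    return sorted(pages)


def export_csv(records, page_size, range_spec):
    """Export the selected pages of a result set as CSV text."""
    page_count = max(1, -(-len(records) // page_size))  # ceiling division
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["time", "device", "severity", "message"])
    for p in parse_page_range(range_spec, page_count):
        for r in records[(p - 1) * page_size:p * page_size]:
            w.writerow([r["time"].isoformat(), r["device"],
                        SEVERITIES[r["severity"]], r["message"]])
    return buf.getvalue()


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    for m in merge_logs(filter_logs(recs, keyword="ips", max_severity=3)):
        print(m["count"], m["device"], m["message"])
    print(export_csv(recs, page_size=2, range_spec="1,3"))
```

Two details worth noting: a malformed line is dropped instead of being parsed loosely, so an attacker-controlled message cannot smuggle a fake device name into the filter, and the page-range parser rejects ranges outside the result set rather than silently truncating them.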
Log Window
The log window shows the detailed log list. Its columns vary slightly depending on the navigation pane selected.
Links:
Searching Log Messages
Offline log: logs that are imported into HSM from other server. For more information about how to import the logs,
see Log Import.
Note: You must have the right to manage a device in order to search its logs.
Online/Offline Log
Searches are of the following types:
Temporary search: Click the search button for a direct local search. A temporary search ends when you move to another page.
Background search: After a temporary search, click the background running button to create a background search task. The background task keeps running even if you close the search page or run other searches.
To search log messages, take the following steps:
1. Log in to HSM, and click Log from the Level-1 navigation pane. The log window appears.
4. In Log Filter, click a filter name and enter a value for this filter. You may select more than one filter.
5. You can quickly add filter conditions in the following ways:
Filter by log type: Click a log type in the left navigation pane.
Filter by log content: In the search box, enter the keyword you want to find in the log content.
Operation Log
To view operation log, take the following steps:
1. Log in HSM, and click Log from the level-1 navigation pane. The log window appears.
2. From the left Log Navigation Pane, Click Operation Log to view HSM system operation logs.
3. Choose the log types you want in the log navigation bar, and set a filter condition in the filter bar, then click Search.
The logs meeting requirements will be shown in the log window.
Operation Result: Choose an operation result from the drop-down list, including All, Waiting, Success, Failure.
Time: Choose the generated time of logs from the drop-down list. You can customize the time yourself.
Note:
To save your search filters, click the bookmark icon to store them in the Bookmark tab (to the left of the search box).
The history icon expands to show the search history and stored bookmarks. If Auto Open is selected, the history and bookmarks open automatically while you use the search box.
Log Navigation Pane
The log navigation pane includes predefined queries and user-defined queries. Click an entry in the log navigation pane, and the main window shows the related information.
Toolbar
The function buttons of the toolbar are described below:
Option Description
Predefined Query / Export Export logs to the local PC as a TXT or CSV file.
Predefined Query / Save to MySearch Create a new user-defined query from the current search.
User-defined Query / Export Export logs to the local PC as a TXT or CSV file.
User-defined Query / Delete Delete the current log query.
Filter
The filter provides different filter conditions depending on the log type.
Log Window
The log window shows the logs that meet the selected conditions.
Option Description
Device Name Shows the name of the device that generated the log.
Related Topics:
Searching Logs
Managing Logs
Searching Logs
Old Version Log holds running logs and offline logs. Running logs are the ones collected by the current HSM itself. Offline logs are the ones imported by using the log import function.
For these two types of logs, HSM provides a classified log view and filtering. You can view logs by event type, or set filter conditions such as device name, log time and log keyword to search for logs.
To view log information, take the following steps:
To view running logs, click Log, and then click Old Version Log in the upper right corner. Click the Running Log tab.
To view offline logs, click Log, and then click Old Version Log in the upper right corner. Click the Offline Log tab.
2. Choose the log types from the log navigation pane, the log window will show you related log information.
In the running logs window, predefined query is the one which is pre-set by HSM, while user-defined query is
the one which is set by users according to requirements.
In the offline logs window, predefined logs are the ones which are pre-set by HSM, while other logs are the ones
which are set by users according to requirements.
3. To further filter the log information, follow the instructions below to set the filter conditions.
Exporting Logs
Importing Logs
Backing up Logs
Cleaning Logs
2. Click Save to MySearch button in the toolbar, and the Save dialog appears.
Note: The user-defined search only can include one log category.
1. Log in to HSM, click Log from the Level-1 navigation pane to enter the log management page.
2. Click Old Version Log in the upper right corner of the main window.
3. Click MySearch in the log navigation pane, and then click the user-defined search you want to delete.
4. From the toolbar, click Delete, and then click OK in the Delete dialog.
Exporting Logs
To save the current search results as a TXT or CSV file on the local PC, take the following steps:
1. Log in to HSM, click Log from the Level-1 navigation pane to enter the log management page.
2. Click Old Version Log in the upper right corner of the main window.
4. Click Search and all the logs meeting the requirements will be shown in the log list.
Importing Logs
HSM supports importing logs and viewing the imported logs.
To import logs, take the following steps:
1. Log in to HSM, click Log from the Level-1 navigation pane to enter the log management page.
2. Click Old Version Log in the upper right corner of the main window.
3. Select Log Import from the Log Backup Manage drop-down list . The Log Import dialog appears.
5. Click Import to start the import task. HSM displays the task progress in the current dialog. You can close this dialog
to perform other actions. To stop the import task, click Stop Import.
You can view the imported logs in Offline Log tab.
Backing Up Logs
HSM supports backing up logs. You can back up logs manually.
Backed-up logs can later be imported into HSM for viewing.
To back up the logs, take the following steps:
1. Log in to HSM, click Log from the Level-1 navigation pane to enter the log management page.
2. Click Old Version Log in the upper right corner of the main window.
3. Select Log Backup from the Log Backup Manage drop-down list . The Log Backup dialog appears.
Log Type: From the drop-down list, select the log types to be backed up.
FTP Server: From the drop-down list, select the FTP server where to store the log files. Then the corresponding
FTP server settings are displayed. You can click Detection to verify the connection between HSM and the FTP
server. If you want to modify the FTP server settings, click FTP Config.
5. Click Backup to start the backup task. HSM displays the task progress in the current dialog. You can close this dialog
to perform other actions. To stop the task, click Stop Backup
Old Version Log can run only one backup task at a time. If a backup task is already running when you open the Log Backup dialog, its progress is displayed; you can stop the task or wait for it to complete.
Cleaning the Logs
HSM supports clearing offline logs and running logs within a specified time range. Cleared logs cannot be restored.
For more information of offline logs and running logs, refer to Searching Logs.
To clear logs, take the following steps:
1. Log in to HSM, click Log from the Level-1 navigation pane to enter the log management page.
2. Click Old Version Log in the upper right corner of the main window.
3. Select Log Clean from the Log Backup Manage drop-down list . The Log Clean dialog appears.
Running Log: Select Running Log to clear the running log within the specified time.
This page describes a typical deployment scenario and some configuration examples for your understanding of HSM. The
requirements and configurations are shown below:
Deployment Scenario
A company is headquartered in Beijing and has branches in Shanghai and Guangzhou. Each office is deployed with a Hillstone security appliance to control Internet access, and in order to manage all three security appliances centrally, an HSM is deployed in Beijing. The topology is shown below:
Requirement
Requirement 1: Configure a shared policy that permits Internet access from Intranet and deploy the policy to all the man-
aged devices.
Requirement 2: Monitor the managed devices and view the memory utilization ranking, application traffic ranking and
intrusion ranking within the latest one hour.
Requirement 3: Create an alarm rule that will trigger a major alarm and send an E-mail when the CPU utilization exceeds
80% for continuous 10 minutes.
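Requirement 3 is a threshold rule with a hold time: the alarm must fire only when the condition has held at every poll for the whole window, not on a single spike. The following is an added example, not HSM's implementation, that evaluates such a rule in Python over constructed one-minute CPU samples for the three devices in the scenario and renders the e-mail the rule's action would send. Assumptions: the poll data shape, the device names, the 2-minute maximum polling gap after which continuity is no longer claimed, and the e-mail subject and addresses are invented for the demonstration; actually sending the message through the account from Configuring an Email Account is left out.

```python
"""Added example, not Hillstone's code: the duration-based CPU alarm rule from
Requirement 3 evaluated over constructed samples, plus the e-mail it would send."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from email.message import EmailMessage

CPU_THRESHOLD = 80.0                # percent, from Requirement 3
HOLD_TIME = timedelta(minutes=10)   # "continuous 10 minutes"
MAX_GAP = timedelta(minutes=2)      # assumption: a longer polling gap breaks continuity


@dataclass
class Alarm:
    device: str
    severity: str
    start: datetime      # first breaching sample of the episode
    fired_at: datetime   # sample at which the hold time was reached
    message: str


def evaluate_cpu_rule(samples, threshold=CPU_THRESHOLD, hold=HOLD_TIME,
                      max_gap=MAX_GAP):
    """samples: iterable of (device, timestamp, cpu_percent) in time order.
    Raises one major alarm per breach episode once a device has stayed above
    `threshold` at every poll for at least `hold`. A sample at or below the
    threshold, or a gap between polls longer than `max_gap`, ends the episode
    (a missing poll is not evidence that the CPU stayed high)."""
    above_since = {}   # device -> start of its current breach episode
    last_seen = {}     # device -> timestamp of its last sample
    fired = set()      # devices already alarmed in the current episode
    alarms = []
    for device, ts, cpu in samples:
        prev = last_seen.get(device)
        if prev is not None and ts - prev > max_gap:
            above_since.pop(device, None)
            fired.discard(device)
        last_seen[device] = ts
        if cpu > threshold:
            above_since.setdefault(device, ts)
            if device not in fired and ts - above_since[device] >= hold:
                alarms.append(Alarm(
                    device, "major", above_since[device], ts,
                    f"CPU utilization above {threshold:g}% for "
                    f"{int(hold.total_seconds() // 60)} minutes"))
                fired.add(device)
        else:
            above_since.pop(device, None)
            fired.discard(device)
    return alarms


def build_alarm_email(alarm, sender, recipient):
    """Render the notification the rule's e-mail action would send. Delivery
    through the configured HSM mailbox is not part of this example."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"[HSM] {alarm.severity} alarm: {alarm.device} CPU Utilization"
    msg.set_content(f"{alarm.message}\nbreach started: {alarm.start.isoformat()}\n"
                    f"alarm raised: {alarm.fired_at.isoformat()}\n")
    return msg


def constructed_samples():
    """One-minute polls for three devices (constructed data). Beijing stays at
    85% throughout; Shanghai dips once, so it never holds for 10 minutes."""
    t0 = datetime(2024, 5, 1, 10, 0)
    out = []
    for minute in range(16):
        ts = t0 + timedelta(minutes=minute)
        out.append(("fw-beijing", ts, 85.0))
        out.append(("fw-shanghai", ts, 50.0 if minute == 6 else 90.0))
        out.append(("fw-guangzhou", ts, 40.0))
    return out


def constructed_gap_samples():
    """Two high samples 20 minutes apart (constructed): not continuous."""
    t0 = datetime(2024, 5, 1, 10, 0)
    return [("fw-beijing", t0, 95.0),
            ("fw-beijing", t0 + timedelta(minutes=20), 95.0)]


if __name__ == "__main__":
    for a in evaluate_cpu_rule(constructed_samples()):
        print(build_alarm_email(a, "hsm@example.com", "noc@example.com"))
```

Only fw-beijing produces an alarm, raised at the 10-minute mark of its episode; fw-shanghai's single dip resets the window, and the two samples 20 minutes apart do not count as a continuous breach. Treating a polling gap as a reset is a deliberate choice: a device that stops reporting should surface through a separate reachability alarm rather than be counted as continuously overloaded.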
Configuration Steps
Preparation
Configure a management IP address on HSM as described in Deploying HSM Management Environment, and then add
the Hillstone devices deployed in Beijing, Shanghai and Guangzhou to HSM.
To check if the devices have been registered to HSM, log into HSM and click Device > Management to enter the device
page, as shown below:
1. Click Configuration > Shared Configuration from the Level-1 navigation pane to enter the shared policy page.
2. Select Security Policy from the configuration pane, and click New in the toolbar.
4. Click OK to save the policy configuration and close the dialog. The newly created policy is listed in the policy table.
In the policy table, click the policy name sample_policy to enter the rule configuration page. From the toolbar, select Top from the New drop-down list; the policy rule entry appears. Configure the options as below:
5. Click Configuration>Device Configuration from the Level-1 navigation pane to enter the device configuration page.
6. In the device navigation pane, right-click and select Batch Deploy Configuration from the pop-up menu.
7. From the selective box, select the devices deployed in Beijing, Shanghai, and Guangzhou, and then click OK.
8. The system starts to deploy the configuration to the devices and generates the related task. Go to the task man-
agement page to see the task status.
1. Log into HSM. Click Monitor from the Level-1 navigation pane to enter the monitor page.
2. In the left navigation pane, click MyMonitor, and click an arbitrary group.
3. In the Select Device (Group) dialog, click Device, and select Beijing, Shanghai and Guangzhou.
5. Find the Latest 1 Hour Top 10 Devices by Memory Utilization chart, and click Details on the upper-right.
6. Under the Device Rank by Memory Utilization tab, click Add to MyMonitor on the upper-right.
7. In the Add to MyMonitor dialog, select monitor_sample from the MyMonitor Group drop-down list.
8. Repeat the preceding steps to add the Latest 1 Hour Top 10 User Traffic and Latest 1 Hour Top 10 Intrusions charts to the monitor_sample group.
1. Click Alarm from the Level-1 navigation pane to enter the alarm page.
2. In the alarm navigation pane, click Alarm Rule > All Rules > Predefined > Resource > CPU Utilization.
1. To view all the alarms, click Alarm from the Level-1 navigation pane. In the alarm navigation pane, click Alarm >
Alarm Search to show all the alarms in the alarm window, as shown below:
3. To view alarm analysis charts, in the alarm navigation pane, click Alarm > Alarm Analysis > Device Analysis to show
all alarms in the alarm window, as shown below:
6. In the alarm list below, find the alarm with alarm rule named CPU Utilization, and click Unread under the Status
column.
7. In the Add Comment dialog, type Alarm has been read and will find out the reason into the Comment box.
A command line interface (CLI) lets you interact with HSM by typing commands that instruct HSM to perform specific tasks. The following describes how to use the HSM command line interface via the console port.
Accessing HSM via Console Port
To deploy the console management environment, take the following steps:
1. Take a standard RS-232 cable. Connect one end of the cable to a computer’s serial port, and the other end to
HSM's console port, as shown below:
2. On the PC, start a terminal emulation program (e.g., HyperTerminal) with the following parameters:
Parameter Value
Data bits 8
Parity None
Stop bits 1
3. Power on the HSM device and wait for the HSM system to start up. Type the default login name (hillstone) and password (hillstone), then press Enter to log in. Because these default credentials are published, change the password immediately after the first login.
4. After logging in successfully, the prompt [hillstone] appears for entering commands, as shown below:
Function Command
status of interfaces