
Hillstone Networks, Inc.

Hillstone Security Management User Guide
Version 3.0R2
Copyright 2018 Hillstone Networks, Inc. All rights reserved.
Information in this document is subject to change without notice. The software described in this document is furnished
under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with
the terms of those agreements. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose
other than the purchaser's personal use without the written permission of Hillstone Networks, Inc.

Contact Information:
US Headquarters:
Hillstone Networks
292 Gibraltar Drive, Suite 105
Sunnyvale, CA 94089
Phone: 1-408-508-6750
http://www.hillstonenet.com/about-us/contact/

About this Guide:


This guide gives you comprehensive configuration instructions for Hillstone Networks, Inc. HSM.
For more information, refer to the documentation site: http://docs.hillstonenet.com.
To provide feedback on the documentation, please write to us at:
hs-doc@hillstonenet.com



TWNO: TW-HSM-UNI-3.0R2-EN-V1.0-2018/8/15
Contents

Contents 1
Preface 1
Conventions 1
Introduction to HSM 1
HSM Deployment Scenarios 1
Introduction to HSM Device 2
Hardware Specification 2
Deploying HSM Management Environment 3
Deploying HSM Management Environment 4
Configuring HSM IP Address 4
Configuring System Time 6
Adding Hillstone Devices to HSM System 6
Managing the Added Hillstone Devices 8
Main Page 9
Level-1 Navigation Pane 9
Level-2 Navigation Pane 10
Information Bar 11
Toolbar 11
Main Window 11
User Information 12
Alarms 13
Introduction to System Management 14
User Management 15
Creating a User 15
Editing a User 16
Deleting a User 16
Enabling/Disabling a User 16
Resetting Password 16
Creating a Role 17
Deleting a Role 17
AAA Server 17
Authentication Configuration 18
Distribute Management 19
Disk Management 21
Configuring HSM System Time 21

TOC - 1
HSM Network Management 22
Monitor Configuration 23
HSM System Status Monitor 24
Viewing Status 25
Setting Threshold 26
HSM System Configuration Management 26
Back up a System Configuration File 26
Export a System Configuration File 27
Restore a System Configuration File 27
Delete a System Configuration File 27
Configuring Trusted Host 28
Configuring WEB Port 28
HA Management 29
HSM System Upgrade 31
System Upgrade 31
Rollback 31
Restoring to Factory Defaults 31
Upgrading Signature Database for HSM 31
Configuring an Email Account 32
SMS Modem Configuration 33
SMS Modem Baud Rate 33
SMS Modem Signal Intensity 33
SMS Modem Status 33
Configuring SMS Parameters 34
Testing SMS 34
Diagnose Tools 34
Log Backup Management 35
FTP Server Configuration 35
Log Import 36
Log Backup 36
Manual Backup 36
Auto Backup 36
Log Clean 37
Device Management 38
Device Management 39
Creating a Device Group 39
Adding a Device to a Device Group 40
Deleting a Device from a Device Group 40

Editing a Device Group 40
Deleting a Device Group 40
Favorite Device 41
Viewing Device Details 41
Session Query 43
Deleting a Device from HSM 43
Online Reboot 44
Immediate Reboot 44
Reboot on Schedule 44
Setting Restart Parameter 45
HA management for the managed devices 45
Introduction to Device Upgrade 46
Configuring a Device Upgrading Task 46
Importing/Deleting a Firmware 46
Specifying the Upgrade Management IP 47
Configuring a Device Upgrading Task 47
Checking the Task Status 48
Viewing Device Upgrading Logs 48
Level-1 Navigation Pane 49
Upgrading Navigation Pane 49
Filter 49
Main Window 49
Upgrading Signature Database 50
As an Update Server 50
Configuring Upgrade Templates 50
Configuration File Management 52
Managing Configuration File 52
Retrieving Configuration File 52
Retrieving Configuration Files Automatically 52
Retrieving Configuration Files Manually 53
Retrieving Configuration Files on Schedule 53
Viewing Configuration File 54
View Change History 54
Restoring Configuration Files 54
Exporting Configuration Files 55
Importing Configuration Files 55
Comparing Configuration Files 55
Editing Configuration File 56

Deleting Configuration File 56
Searching Configuration File 56
Managing Configuration Change History 57
Editing Change Record 57
Deleting Change Record 57
Searching Change History 57
Device Management Configuration Example 58
Deployment Scenario 58
Requirement 58
Configuration Steps 58
Introduction to Configuration Management 60
Device Configuration 62
Device Configuration 62
Policy Configuration 62
Creating a Policy Rule 62
Editing Rules 66
Creating a Rule Group 66
Moving Rules and Groups 67
Deleting a Rule Group 67
Creating a Partition Group 68
Deploying a Batch of Rules 68
Choose Partition Group 68
Choose Deploying Position 69
Configure Policy Rules 69
Opening Local Snapshot 69
Rule Match Analysis 69
Policy Rule Management 70
Converting a Policy from Private to Shared 71
Configuring the Policy-based Protection Function 71
iQoS 73
Implement Mechanism 73
Pipes and Traffic Control Levels 74
Pipes 74
Traffic Control Levels 75
Enabling/Disabling Traffic Control 76
Pipe Configuration 76
Basic Operations 76
Creating a Pipe 77

NAT 82
Creating a SNAT Rule 82
Editing/Deleting a SNAT Rule 83
Creating an IP Mapping Rule 84
Creating a Port Mapping Rule 84
Creating an Advanced DNAT Rule 85
Route 86
Creating a Route Item 86
Synchronizing Configuration 87
Specifying Configuration 89
Snapshot Management 91
Locking Configuration 91
Device Object 92
Zone 93
Address Books 94
Service Books 94
Application Books 96
Schedules 97
Interface 98
SLB Server Pool 101
Intrusion Protection System 103
Configuring IPS Global Parameters 103
Configuring an IPS Rule 103
For NGFW of 5.5R2 or the previous versions 103
Creating an IPS Rule 103
Configuring Protocol Signature 104
Configuring a Protocol 105
Configuring Signature 112
WebServer Configuration 113
For IPS devices and NGFW of 5.5R3 or the later version 119
Creating an IPS rule 119
Enabling the Zone-based or Policy-based IPS Function 132
Anti-Virus 132
Configuring Anti-Virus Global Parameters 132
Creating Anti-Virus Rule 132
Enabling the Zone-based or Policy-based Anti-Virus Function 134
Threat Protection 134
Editing the Device Threat Protection Configuration 134

Device Threaten Configuration List 136
Searching the Specific Signature Entry Details 136
Creating a User-defined Signature 137
URL Filter 140
Configuring URL Filter 140
Predefined URL DB 142
User-defined URL DB 142
Configuring User-defined URL DB 142
Keyword Category 143
Configuring a Keyword Category 144
Warning Page 144
Configuring Block Warning 144
Configuring Audit Warning 145
Converting the Private Object to Shared Object 145
Viewing the Operation Records 146
Checking the Redundant Object 146
VPN 146
PKI 154
User 156
Role 162
AAA Server 165
Introduction to Global Configuration 175
Global Configuration 175
Policy Configuration 175
Creating a Shared Policy 175
Rule Configuration 176
Creating a Policy Rule 176
Creating a Rule Group 177
Moving Rules and Groups 177
Deleting a Rule Group 177
Viewing Operation Record 177
Opening Local Snapshot 177
Rule Match Analysis 177
Rule Conflict Check 177
Setting Head or Tail Policy 178
Viewing Policy Relationship 178
Viewing Topology Map 178
Configuring the Policy-based Protection Function 179

iQoS 180
NAT 181
Creating a SNAT 181
Editing/Deleting a SNAT 182
Creating a SNAT Rule 182
Editing/Deleting a SNAT Rule 183
Creating a DNAT 184
Editing/Deleting a DNAT 184
Creating an IP Mapping Rule 184
Creating a Port Mapping Rule 185
Creating an Advanced DNAT Rule 185
Editing NAT 187
Setting Father NAT 187
Viewing Relationship 187
Viewing Topology Map 187
Editing Topology Map 188
Viewing Operation Record 188
Route 188
Creating a Destination Route 188
Editing/Deleting a Destination Route 189
Creating a Route Item 189
Editing/Deleting a Route Item 190
Configuration Bundle 190
Creating a Configuration Bundle 190
Method 1: 191
Method 2: 191
Joining Configuration Bundle 192
Copying a Configuration Bundle 193
Global Object 193
Zone 193
Address Books 194
Service Book 195
Application Books 196
Schedules 197
Virtual Router 197
Interface 198
SLB Server Pool 199
Intrusion Protection System 201

Configuring IPS Global Parameters 201
Configuring an IPS Rule 201
For IPS devices and NGFW of 5.5R3 or the later version(New IPS) 201
For NGFW of 5.5R2 or the previous versions(Old IPS) 202
Configuring Protocol Signature 203
Configuring a Protocol 203
Configuring Signature 211
Searching the Specific Signature Entry Details 211
Configuring a Specific Attacking Signature 211
Configuring a WebServer 212
Enabling the Policy-based IPS Function 218
Anti-Virus 218
Configuring Anti-Virus Global Parameters 218
Creating a Shared Anti-Virus Rule 218
Enabling the Policy-based Anti-Virus Function 220
Threat Protection 220
Creating a Shared Threat Protection 220
Configuring a Shared Threat Protection 220
Global Threaten Configuration List 222
Searching the Specific Signature Entry Details 222
Creating a User-defined Signature Rule 223
URL Filter 226
Configuring URL Filter 226
Predefined URL DB 228
User-defined URL DB 228
Configuring User-defined URL DB 228
Keyword Category 229
Configuring a Keyword Category 230
Warning Page 230
Configuring Block Warning 230
Configuring Audit Warning 231
User 231
Role 232
AAA Server 232
Editing/Deleting an Object 232
Default Parameters 233
Task Management 234
Task Management Window 234

Viewing Task Logs 235
Introduction to Monitor 236
Device Monitor 237
Main Page 237
Details Page 238
Drill-down Sub-page 239
Trend Page 239
User Monitor 240
Main Page 240
Details Page 241
Drill-down Sub-page 242
Trend Page 242
Application Monitor 244
Main Page 244
Details Page 245
Drill-down Sub-page 246
Trend Page 246
Network Threat Monitor 248
Main Page 248
Traditional 248
Intelligence 249
Statistics Period 249
Details Page 250
Drill-down Sub-page 251
Trend Page 251
Network Behavior Monitor 252
Main Page 252
Details Page 254
Drill-down Sub-page 254
Trend Page 255
VPN Monitor 256
Tunnel Statistics Page 256
Device VPN Traffic Statistics Page 257
MyMonitor 261
Adding to MyMonitor 261
Creating a New Monitor Group 261
Deleting a Monitor Group 261
Viewing Information in MyMonitor 262

Introduction to the Alarm Function 263
Introduction to Alarm 264
Searching Alarm Information 264
Searching Alarm Information 264
Reading Alarm Information 264
Alarm Analysis 265
Device Analysis 265
Trend Analysis 266
Introduction to the Alarm Rule 268
Configuring the Alarm Rule 268
Viewing a Predefined Alarm Rule 268
Creating a User-defined Alarm Rule 269
Editing an Alarm Rule 269
Configuring an Alarm Recipient 269
Enabling/Disabling an Alarm Rule 270
Deleting an Alarm Rule 270
Emptying Recycle Bin 270
Introduction to Report 271
Introduction to Report File 272
Viewing a Report File 272
Managing a Report File 273
Downloading a Report File 274
Deleting a Report File 274
Restoring a Report File 274
Deleting a Report File Permanently 274
Introduction to Report Template 276
Configuring a Report Template 276
Creating a User-defined Template 276
Editing a User-defined Template 280
Deleting a User-defined Template 281
Restoring a User-defined Template 281
Deleting a User-defined Template Permanently 281
Managing a Report Schedule 282
Adding a Report Schedule 282
Viewing a Report Schedule/Report Schedule Running Log 282
Deleting a Report Schedule 282
Enabling/Disabling a Report Schedule 282
Report Server 283

Configuring Servers 283
Introduction to Log 284
Introduction to Log 284
Log 284
Log Severity 284
Old Version Log 285
Introduction to Log Window 286
Level-1 Navigation Pane 286
Log Navigation Pane 286
Old Version Log 286
Log Filter 286
Log Chart 287
Toolbar 287
Log Window 287
Searching Log Messages 287
Online/Offline Log 288
Operation Log 288
Introduction to Log Window 290
Log Navigation Pane 290
Toolbar 290
Filter 290
Log Window 290
Searching Logs 291
Setting Filter Conditions 291
Managing Logs 294
Creating a New User-defined Search 294
Deleting a User-defined Search 294
Exporting Logs 294
Importing Logs 295
Backing Up Logs 295
Cleaning the Logs 296
HSM Configuration Example 298
Deployment Scenario 298
Requirement 298
Configuration Steps 298
Preparation 298
Configuration Steps(Requirement) 298
Configuration Steps(Requirement 2) 299

Configuration Steps (Requirement 3) 301
Managing HSM via Console Port 304
Accessing HSM via Console Port 304
Command Introduction 304

Preface

Thanks for choosing the network security products from Hillstone Networks, Inc. This document is an online help for Hillstone HSM, mainly covering the following contents:

HSM hardware specifications;

HSM management introduction and configuration;

HSM deployment and configuration example.

Conventions
This manual uses the following conventions to help you read and understand it:

Tip: provides related reference, such as links to other chapters or sections.

Note: indicates important instructions for your better understanding, or cautions about possible system failure.

Bold font: indicates links, tags, buttons, checkboxes, textboxes, or options. For example, "Click Login to log into the
homepage of the device", or "To change MTU, select Manual, and type an appropriate value into the textbox."

CLI: brace ({ }) indicates a required element; square bracket ([ ]) indicates an optional element; vertical bar (|) separates multiple mutually exclusive options; bold indicates an essential keyword in the command, and you must enter
this part correctly; italic indicates a user-specified parameter.

The command examples may vary from different platforms. In the command examples, the hostname in the prompt
is referred to as host-name.

Introduction to HSM

Hillstone Security Management (HSM) is a centralized security management system independently researched and
developed by Hillstone. HSM centralizes the control and management of multiple Hillstone devices in the network.
After successful deployment, HSM allows users to perform the following operations via a secure connection:

Viewing the operation status, resource utilization, logs, etc. of the managed devices;

Monitoring the managed devices and viewing monitor details, including traffic monitor, user monitor, NBC monitor, etc.;

Monitoring the operation status of managed devices by alarms. This function helps you learn about problems in network devices in time, speed up the response to network problems, and lower the risk of network failures;

Obtaining device statistics reports periodically. This function allows you to learn the network status and analyze the network accurately;

Centralizing policy management and batch deploying rules. This function improves availability and usability of
policy management;

Centralizing device upgrade. This function simplifies software management.

HSM Deployment Scenarios
Typically HSM can be deployed in two scenarios: Internet and Intranet.

Internet deployment: HSM and managed devices are connected via the Internet. You can manage devices in different network segments by HSM if the routes between HSM and the managed devices are reachable, as shown below:

Intranet deployment: HSM and managed devices belong to the same Intranet. You can manage devices in the
Intranet via HSM, as shown below:

Introduction to HSM Device
Hillstone provides the following HSM products:

HSM-50: Capable of managing at least 5 (default) and up to 100 Hillstone devices. The amount of managed devices
is controlled by a license.

HSM-200: Capable of managing at least 5 (default) and up to 500 Hillstone devices. The amount of managed devices
is controlled by a license.

Hardware Specification
HSM-50 hardware adopts a rack-mountable server. The main hardware specifications are shown below:

Item         Specification
CPU          4*Intel(R) Xeon(R) CPU E3-1220 v3 @ 3.10GHz
Memory       8GB (4*2GB)
Hard Drive   2TB (2*1TB)
NIC          BCM 95720 dual-port gigabit Ethernet NIC

HSM-200 hardware adopts a rack-mountable server. The main hardware specifications are shown below:

Item         Specification
CPU          2*Intel Xeon Processor E5606 2.13 GHz
Memory       8GB (4*2GB)
Hard Drive   4TB (4*1TB)
NIC          Broadcom 5716 dual-port gigabit Ethernet NIC

Deploying HSM Management Environment

Configurations related to deploying HSM management environment include:

Deploying HSM Management Environment

Main page

Deploying HSM Management Environment
To deploy HSM management environment, take the following steps:

1. Place HSM at an appropriate location in the network according to the networking and management requirements.

2. Configure an IP address for HSM and make sure the route between HSM and the managed devices is reachable.

3. Configure system time for HSM.

4. Configure options related to HSM management on the Hillstone devices, and make sure HSM can recognize the devices.
After completing the above configurations, you can centralize device management on HSM.

Configuring HSM IP Address


The default IP address configured on the eth0 port of HSM is 192.168.1.1/24. When using HSM for the first time, you can visit the
HSM system management page via this interface and configure network-related options, so that HSM can adapt to the
network environment. HSM supports HTTP and HTTPS login methods. When using HTTPS to log in, HSM encrypts the data
to ensure the device's security.
To configure network management options on HSM, take the following steps:

1. Set the IP address of management PC to an IP address that belongs to the same subnet with 192.168.1.1/24; use an
Ethernet cable to connect the management PC and eth0 port of HSM.

2. In the Web browser (IE9 is recommended) of the management PC, type http://192.168.1.1 or https://192.168.1.1,
and press Enter. If using HTTPS to log in, choose Continue to this website (not recommended) when the Web
browser displays a warning. The login page is shown below:

3. Type the default username (admin), password (hillstone) and captcha into the boxes respectively. If you type the
wrong password three times, HSM locks your account for 30 minutes, and disables your account for 30 minutes
when you type the wrong password a fourth time.


4. Click Login to log into the main page of HSM, as shown below:

5. On the level-1 navigation pane, click System > Device Management > Network Management.



6. In the Internet Management dialog, configure IP addresses for HSM.

Eth0: Type the IP address and netmask for eth0 port into the IP Address and Netmask boxes respectively.

Eth1: Type the IP address and netmask for eth1 port into the IP Address and Netmask boxes respectively.

Gateway: Type the IP address for the gateway of HSM.

DNS Server: Specify DNS servers for HSM. Type IP addresses for the preferred and backup DNS servers into the
Preferred and Backup boxes respectively.
Click OK to complete.

Configuring System Time
The system time of HSM affects many HSM modules, such as report, log, upgrade, etc. By default, the system time of HSM is
set to Beijing time. You can modify the system time as needed, or synchronize the system time of the managed devices and
HSM via an NTP server. Since the system time is related to many modules, it is recommended to configure the system
time properly during initial setup and not to modify it thereafter.
To configure system time for HSM, on the level-1 navigation pane, click System > Device Management > Date & Time. In
the HSM System Date and Time dialog, configure options. For more details, see Configuring Date & Time.

Adding Hillstone Devices to HSM System


You can add the Hillstone devices to HSM by using one of the following methods:

Configure settings on Hillstone devices. Hillstone devices will automatically register themselves to HSM when the network is connected between HSM and the Hillstone devices.

Configure settings on HSM to add Hillstone devices. You can add single device or multiple devices.

Note:

HSM will get all the VSYS devices of the physical device to manage them when registering.

After the registration is complete, the zero-configuration IPS rules and the zero-configuration
anti-virus rules of IPS devices will not appear in the HSM system until the configuration has
been imported.

To configure settings on Hillstone devices, take the following steps:

1. Log into StoneOS. Select System > HSM from the menu bar.

2. In the HSM Agent Configuration dialog, configure the following options:

HSM Agent: Select the Enable checkbox to enable HSM agent, i.e., allowing HSM to manage the device.

Status: Shows the status of HSM management.

HSM Server IP: Specify the IP address of the HSM. This IP address cannot be 0.0.0.0, 255.255.255.255 or mul-
ticast address.

HSM Server Port: Specify the port number of HSM. The value range is 1 to 65535, the default value is 9090. For
StoneOS 4.5R4 and higher versions, port number 9091 is recommended.

HSM Password: Specify the password for accessing HSM. HSM authenticates the device using this password.
The value is 1 to 31 characters, the default value is 123456.

Confirm Password: Type the password again to make confirmation.

OK: Click this button to save the settings and make the settings take effect.

Cancel: Click this button to cancel the settings.

3. With the above options configured, the device can register to the reachable HSM in the network and be managed
by HSM.
To configure settings on HSM to add Hillstone devices, take the following steps. You can add a single device or multiple
devices.

Add single device

1. Click Device > Management from the level-1 navigation pane to enter the Device Management page.

2. Click the triangle icon next to the Add Device button and select Add Single Device from the drop-down
menu. The Add Multiple Devices dialog pops up.

3. Configure the following options in the dialog:

Device Name: Specify the device name to be displayed in HSM.

IP Address: Specify the device IP address.

Username: Specify the device login name.

Password: Specify the corresponding password.

Device Description: Specify the description for your reference.

Access Protocol: Specify the protocol for the connection between HSM and the device. Enter ssl to use the
SSL protocol or enter telnet to use the Telnet protocol. If not specified, HSM will use SSL by default.

Favorite: Specify whether or not to add this device to your favorite device list.

Device Group: Specify a device group for this device.



4. Click OK to add and register this device to HSM.

Add multiple devices

1. Click Device > Management from the level-1 navigation pane to enter the Device Management page.

2. Click the triangle icon next to the Add Device button and select Add Multiple Devices from the drop-down
menu. The Add Multiple Devices dialog pops up.

3. Click Download Device Info File Template. The Save As dialog appears.

4. Select the location and save the template deviceinfo.xls.

5. Open the template and configure the following options:

Device Name: Specify the device name to be displayed in HSM.

IP Address: Specify the device IP address.

Protocol: Specify the protocol for the connection between HSM and the device. Enter ssh to use the SSH
protocol or enter telnet to use the Telnet protocol. If not specified, HSM will use SSL by default.

Username: Specify the device login name.

Password: Specify the corresponding password.

Device Description: Specify the description for your reference.

6. Save the changes and close the template.

7. In the Add Multiple Devices dialog, click Browse. The Open dialog appears.

8. Locate the modified template and click OK. HSM starts to load the template.

9. After loading the template, click Upload. HSM starts to read the template and add the devices in it to HSM. If
any one device fails to register, all devices in the template fail to register. To view the error information,
hover over the exclamation mark in the Status column.
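Because a single bad row makes the whole upload fail, it pays to check the registration inputs before clicking Upload. The script below is an added example and not part of the Hillstone guide or product: it encodes the constraints the guide states for the StoneOS HSM Agent dialog (the server IP must not be 0.0.0.0, 255.255.255.255 or a multicast address; the port is 1 to 65535; the password is 1 to 31 characters, default 123456) and for the bulk-add template (Protocol is ssh or telnet, blank meaning the default). The dictionary-row layout, the function names and the `SAMPLE_DEVICE_INFO` rows are constructed for illustration; the real template is the deviceinfo.xls file downloaded from HSM.

```python
"""Pre-flight checks for HSM device registration inputs (added example, not Hillstone code)."""
import ipaddress
from typing import Dict, List

HSM_DEFAULT_PORT = 9090          # guide: default HSM Server Port
HSM_DEFAULT_PASSWORD = "123456"  # guide: default HSM Password


def check_hsm_agent(server_ip: str, port: int = HSM_DEFAULT_PORT,
                    password: str = HSM_DEFAULT_PASSWORD) -> List[str]:
    """Return the list of problems with an HSM Agent configuration; [] means acceptable."""
    problems: List[str] = []
    try:
        addr = ipaddress.ip_address(server_ip)
    except ValueError:
        problems.append("server-ip: not a valid IP address")
    else:
        # The guide rejects the unspecified and broadcast addresses and any multicast address.
        if str(addr) in ("0.0.0.0", "255.255.255.255"):
            problems.append("server-ip: 0.0.0.0 and 255.255.255.255 are rejected")
        elif addr.is_multicast:
            problems.append("server-ip: multicast addresses are rejected")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("port: must be 1-65535")
    if not 1 <= len(password) <= 31:
        problems.append("password: must be 1-31 characters")
    elif password == HSM_DEFAULT_PASSWORD:
        # HSM authenticates the device with this password, so a factory default is a weak secret.
        problems.append("password: still the factory default; set a site-specific value")
    return problems


# Column names as they appear in the guide's description of the bulk-add template.
DEVICE_INFO_COLUMNS = ("Device Name", "IP Address", "Protocol", "Username",
                       "Password", "Device Description")


def check_device_info_rows(rows: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Check every template row; keys are 'index: name', values are problem lists."""
    report: Dict[str, List[str]] = {}
    seen_names = set()
    for index, row in enumerate(rows, start=1):
        problems: List[str] = []
        name = row.get("Device Name", "").strip()
        label = f"{index}: {name or '<unnamed>'}"
        if not name:
            problems.append("Device Name: missing")
        elif name in seen_names:
            problems.append("Device Name: duplicate")
        seen_names.add(name)
        try:
            ipaddress.ip_address(row.get("IP Address", "").strip())
        except ValueError:
            problems.append("IP Address: not a valid IP address")
        protocol = row.get("Protocol", "").strip().lower()
        if protocol not in ("", "ssh", "telnet"):
            problems.append(f"Protocol: {protocol!r} is not ssh or telnet")
        elif protocol == "telnet":
            # Telnet is accepted by HSM but carries the login credentials unencrypted.
            problems.append("Protocol: telnet carries the device credentials in clear text")
        if not row.get("Username", "").strip():
            problems.append("Username: missing")
        if not row.get("Password", ""):
            problems.append("Password: missing")
        report[label] = problems
    return report


def rows_ready_for_upload(rows: List[Dict[str, str]]) -> bool:
    """True only when no row reports a problem (HSM rejects the whole file otherwise)."""
    return all(not problems for problems in check_device_info_rows(rows).values())


# Constructed sample rows; the addresses, names and passwords are illustrative only.
SAMPLE_DEVICE_INFO = [
    {"Device Name": "branch-fw-01", "IP Address": "10.10.1.1", "Protocol": "ssh",
     "Username": "hsmadmin", "Password": "example-only-1", "Device Description": "Branch A"},
    {"Device Name": "branch-fw-02", "IP Address": "10.10.2.1", "Protocol": "telnet",
     "Username": "hsmadmin", "Password": "example-only-2", "Device Description": ""},
    {"Device Name": "", "IP Address": "10.10.3.300", "Protocol": "",
     "Username": "", "Password": "", "Device Description": "incomplete row"},
]

if __name__ == "__main__":
    print("HSM Agent defaults:", check_hsm_agent("10.0.0.5"))
    for label, problems in check_device_info_rows(SAMPLE_DEVICE_INFO).items():
        print(label, "->", problems or "ok")
    print("ready for upload:", rows_ready_for_upload(SAMPLE_DEVICE_INFO))
```

Run it before the Upload step; fix every row that reports a problem, since the guide notes that one failed device fails the whole template. The telnet finding is a warning rather than a rejection because HSM accepts it, but the row then sends the device login over an unencrypted channel.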

Managing the Added Hillstone Devices


You can edit, delete and register the device which has been added to HSM.

Note: HSM supports HA management of Active-Passive, Active-Active and Active-Peer modes
for the managed devices. When HSM manages the HA function of the managed devices, you can
view, configure and share information of the master device in HA. For the slave device, you can only
view the configuration information on HSM.

When properties such as the IP address, username and password change, you can edit the device and modify the property
values. Take the following steps:

1. Click Device > Management from the Level-1 navigation pane to enter the device management page.

2. Select the device that needs to be edited.

3. Click Edit Device in the toolbar and the Edit Device dialog pops up.



4. You can modify the property values which need to change.

5. Click OK to save the configurations and close the dialog.


You can delete a device when there is no longer a need to manage it. Take the following steps:

1. Click Device > Management from the Level-1 navigation pane to enter the device management page.

2. Select one or more device(s) that need(s) to be deleted.

3. Click Delete Device in the toolbar, and the device will be deleted when you click OK in the pop-up dialog.

You can manually register a device when it is in the offline or error state. Check the link state
between the Hillstone device and HSM, and make sure that the device's IP address, login username and password
are correct, so that the device registers with HSM successfully. Take the following steps:

1. Click Device > Management from the Level-1 navigation pane to enter the device management page.

2. Select one or more device(s) that need(s) to be registered.

3. Click Register Device in the toolbar and the device will be registered on HSM. You can view the registration result of
the device from the displayed status.

Main Page
After deploying HSM management environment, to log into the system, take the following steps:

1. Type http://<HSM management IP> or https://<HSM management IP> in the web browser, and press Enter.

2. In the login page, type the username, password and verification code and log into the main page. The default username and password of HSM are admin and hillstone respectively.
The main page layout of HSM is shown below:

Level-1 Navigation Pane


Level-1 navigation pane allows you to navigate to different modules of HSM.

Module                         Description

Device Management              Device management page. You can view all the managed devices and
                               manage them in this page, including deleting devices, adding devices
                               to groups or favorites, viewing detailed monitor information, etc.

Upgrade                        Device upgrade page. You can upgrade the StoneOS running on the
                               managed devices in this page.

Configuration                  Configuration management manages all kinds of rules (policy rule,
                               NAT rule, route rule) and related objects on devices.

Task                           HSM uses tasks to track the system operations whose running status
                               and running results need to be known.

Monitor                        Monitor page. You can view monitor information of the managed
                               devices, and learn and analyze the network condition in this page.

Alarm                          Alarm page. You can configure alarm rules, view alarm information,
                               and learn about urgent network incidents and anomalies in time in
                               this page.

Report                         Report page. You can create report templates and download network
                               information and anomaly reports in this page.

Log                            Log page. You can view logs for the managed devices and HSM itself.

System > System User           In the User Management dialog, you can configure system
                               administrators.

System > Disk Management       Based on the configured cleanup threshold, you can manage the
                               storage space of the system.

System > Date & Time           In the HSM System Date and Time dialog, you can configure the system
                               time for HSM.

System > Parameters            In the Email Configuration dialog, you can configure the mail server
                               that is used by HSM.

System > Network Management    In the Internet Management dialog, you can configure IP addresses for
                               the interfaces, gateway and DNS servers of HSM.

System > Upgrade               In the Upgrade dialog, you can upgrade or roll back the HSM system.

System > Monitor Configuration In the Monitor Configuration dialog, you can enable or disable the
                               monitor functions for certain devices.

System > Status Monitor        In the System Status Monitor dialog, you can view the CPU
                               utilization, memory utilization, and disk utilization of HSM.

System > Configuration         In the HSM System Configuration Management dialog, you can manage
Management                     the system configuration files.

Help > Help                    HSM help page.

Help > Register                In the License dialog, you can apply for or install a license.

Help > About                   In the About dialog, you can view HSM system information.

Restart > Reboot               Reboots HSM.

Restart > Shutdown             Shuts down HSM.

Level-2 Navigation Pane


The level-2 navigation panes of different modules vary. The level-2 navigation pane of the main page (device navigation
pane) allows you to navigate to the managed devices. Select a node from the pane to display corresponding devices
information in the main window. For example, if you select a device group, all devices in the group will be displayed in
the main window; if you select a device, information about the device will be displayed in the main window.
Functions of device navigation pane are described as below:



Option        Description

Device List   Shows all the managed devices. Type a keyword into the search box to search for
              a device. Click the icon in the top-right corner of the device list to filter
              IPS, WAF, NGFW, BDS or IDS devices.

Favorite      Shows all the devices that are added to the favorites. Type a keyword into the
              search box to search for a device.

Recycle Bin   Shows all the devices that are moved to the recycle bin.

Information Bar
Functions of the information bar are described below:

Option                   Description

All Devices              Shows the statistics of the managed devices.

Include Devices in       Select the checkbox to display all the devices in the selected group and all
Sub-groups               the devices in its sub-groups; clear the checkbox to display only the devices
                         in the selected group.

Show/Hide Monitor Panel  Click the link to show/hide the monitor panels (CPU utilization, application
                         traffic, user traffic) of the selected device.

Toolbar
Function buttons of the toolbar are described below:

Option          Description

Delete Device   Click the button to delete the device(s) selected in the main window.

Manual refresh  Specify the refreshing mode. Select Manual refresh from the drop-down list and
                click Manual refresh to refresh the page immediately; select a refreshing period
                from the drop-down list to refresh the page at the specified interval.

Column          Customizes the columns displayed in the device list.

Main Window
The managed devices and the main information about them are displayed in the main window. Click a device or device
group in the device navigation pane to show the corresponding information in the main window. You can customize the
columns displayed in the list from the Column drop-down list. The columns of the list are described below:

Option Description

Name: Shows the name of the managed device. The icon before the device name indicates the device type: NGFW, IPS, WAF, BDS or IDS.

Status: Shows the status of the connection between the managed device and HSM:

Online: The device has been registered successfully and is properly managed by HSM.

Registering: The device is being registered to HSM.

Offline: The device has been registered successfully but is not running or connected. After the device is running or the connection works, the device will automatically register itself to HSM. You can also register the device manually.

Error: The device failed to register in HSM. Hover over the icon to view the error message.

Host Name: Shows the host name of the managed device.

New Sessions: Shows the newly created sessions of the managed device.

Concurrent Sessions: Shows the concurrent sessions of the managed device.

Configuration Modified Time: Shows the time at which the configuration of the managed device was last modified.

Address: Shows the IP address of the managed device.

SN: Shows the serial number (SN) of the managed device.

StoneOS: Shows the StoneOS version running on the managed device.

System Uptime: Shows the system uptime of the managed device.

Unread Warnings: Shows the number of unread warnings related to the managed device.

CPU: Shows the average CPU utilization of the managed device over the latest 5 seconds.

Memory: Shows the current memory utilization of the managed device.

Traffic (bps): Shows the current traffic of the managed device.

Packet Forwarding Rate: Shows the packet forwarding rate of the managed device.

Session: Shows the sessions of the managed device. In the Session Query dialog, you can filter by source address, source port, destination address, destination port and protocol to view the information.

License: Shows the license of the managed device. In the License List dialog, you can view the customer, type, validity period and other information of the license.

Platform: Shows the platform of the managed device.

Description: Shows other information about the managed device.

Reboot Log: Shows the reboot log of the managed device. In the Log dialog, you can filter by operation result and time to view the information:

Operation Result: Select All, Waiting, Success or Failure from the Operation Result drop-down list.

Time: Select All, Last 1 hour, Last 1 day, Last 1 week, Last 1 month or Custom from the Time drop-down list. If you click Custom, the Time dialog appears; specify the period and then select Period specified below, Before time specified below or After time specified below.

User Information
Shows the username of the current system administrator.
Click Log Off to log off from HSM.



Alarms
Shows the number of unread alarms. Click the alarm message to go to the alarm page. On the alarm page you can read detailed alarm information and process alarms.



Introduction to System Management

Configurations related to HSM system management include:

User

User: Configuring HSM system administrator.

Authentication Settings: Specifying how users who log in to HSM are authenticated.

Device Management

Disk Management: Managing the storage space of the system.

Date & Time: Configuring HSM system date and time. HSM supports synchronization with NTP servers. HSM sys-
tem time can be referenced by other modules, such as monitor, alarm, log, upgrade, etc.

Network Management: Configuring network parameters, including IP address, gateway and DNS servers.

Monitor Configuration: Enabling or disabling the Monitor function. The monitor function is disabled by default because it consumes system resources. When the monitor function is disabled, monitor, alarm, report, and the monitor charts shown on the single device page are not available.

Status Monitor: Viewing system status, including CPU utilization, memory utilization, and disk utilization.

Configuration Management: Backing up the configuration and running data of the HSM system.

Trusted Host: Configuring the IP range of hosts that are allowed to log in to or manage HSM.

WEB Port: Specifying the port number used when logging in to HSM through the WebUI.

Upgrade: Upgrading or rolling back HSM system, or restoring to the factory defaults.

License: Viewing, applying for and installing a license.

Email: Configuring parameters for the Email server that is used to send alarm mails.

SMS Modem Configuration: Configuring parameters for sending SMS and viewing SMS Modem status information,
etc.

Diagnose Tools: Testing the connectivity between devices and HSM, including DNS query, Ping and Traceroute.

Log Backup Manager: Backing up logs to an FTP server, importing logs from an FTP server into HSM, or clearing logs in HSM. FTP transfers credentials and log contents in cleartext, so keep the backup path within a trusted management network.

Language: Changing the system language. Chinese and English are supported.

Shutdown

Reboot: Click this menu item to reboot the HSM device.

Shutdown: Click this menu item to shut the HSM device down.

Help

Help: Click this menu item to go to the help page of the product.

About: Check the software information.



User Management
HSM supports user access control through a role-based access control (RBAC) mechanism. You can assign different privileges to users in different roles, so that each user can perform only the operations that the role allows.
User and privilege management has the following characteristics:

1. The system administrator can specify privileges for every user, down to the granularity of individual HSM function modules (e.g. Device, Configuration, Report).

2. A user can have one or more roles, and a role can be assigned to one or more users.

3. A user's privileges can be scoped to specific physical devices or VSYSs.


After logging in, the HSM system administrator can use HSM to manage Hillstone devices. HSM users consist of the super administrator and administrators. The super administrator has all the privileges of a system administrator and can additionally create, delete, enable and disable administrators and assign roles and device resources to them. The username and password of the default super administrator are admin and hillstone respectively. Because this default password is published, change it immediately after the first login.
By default, HSM predefines three roles: System Administrator, Operator and Log Auditor. Predefined roles cannot be modified or deleted; user-defined roles can be created as needed. The predefined roles are described below:

Role Privilege Descriptions

System Administrator: Privilege of all operations.

Operator: Privilege of Device, Configuration, Monitor and Alarm.

Log Auditor: Privilege of log management.

The administrator can do the following operations in HSM:

Creating a User

Editing a User

Deleting a User

Enabling/Disabling a User

Resetting Password

Creating a Role

Deleting a Role

Creating a User
Only a user who has the system administrator privilege can create a user. To create a user, take the following steps:

1. Click System > User > User from the Level-1 navigation pane.

2. In the User Management dialog, click New. In the User dialog, configure the following options:

Authentication: Specify the authentication method for the user. The default is local. When authentication is local, authorization can only be local. When authentication is remote, the Password option is hidden.

Authorization: Specify the authorization method for the user. The default is local. When authorization is remote, privileges cannot be configured locally; they are obtained from the remote server.

User: Specify the username for the user.

Password: Specify the password for the user. It must be 8-32 characters and may contain digits, English letters (case sensitive) and special characters. The default password is hillstone; since that value is published, set a unique password for every new account.



Password Strength: Shows hints about password complexity.

Enable: Specify the status of the new user. By default the new user is enabled. Clear the checkbox to disable the user; a disabled user cannot log in to HSM.

Timeout (min): Specify the idle timeout for the user. If the user performs no operation within this period, the system logs the user off.

Department: Specify the department of the user.

Email: Specify the email address of the user.

Comment: Specify a comment for the user.

Cell: Specify the cell phone number of the user.

3. Click the Privilege tab and configure the role for the current user. Specify the role in the Role text box, and then select which devices the user can manage in the Resource Device box.

4. Click OK to save the settings.


You can also create a new user more quickly by copying an existing one. To create a user by copying, take the following steps:

1. In the User Management dialog, select a user by selecting the corresponding checkbox in the user list.

2. Click Copy in the toolbar. In the User dialog, all the settings of the selected user are copied. You only need to configure the name of the new user and modify other options as needed.

3. Click OK to save the settings.

Editing a User
To edit a user, take the following steps:

1. In the User Management dialog, click the username you want to edit.

2. In the Details dialog, edit the user as needed.

3. Click Apply to save the changes. If needed, click Previous/Next to edit other users.

4. Click OK to save the settings.

Deleting a User
To delete a user, take the following steps:

1. In the User Management dialog, select a user by selecting the corresponding checkbox from the user list.

2. Click Delete in the toolbar.

3. In the confirmation dialog, click OK.

Enabling/Disabling a User
The disabled users will not be able to log into HSM. To enable/disable a user, take the following steps:

1. In the User Management dialog, select a user by selecting the corresponding checkbox from the user list.

2. Click Enable/Disable in the toolbar.

Resetting Password
This operation resets the user's password to the default password hillstone. Only the default administrator admin can reset passwords. Because the reset value is a published default, have the user change it at the next login. A password is reset by one of the following methods:



In the User Management dialog, select a user by selecting the corresponding checkbox from the user list, and click
Reset Password in the toolbar.

In the User Management dialog, click the username you want to edit. In the Details dialog, click Reset Password.

Creating a Role
To create a role, take the following steps:

1. Click System > User > User from the Level-1 navigation pane.

2. In the Role tab, click New. The Add Role dialog pops up. The options are described below:

Role: Specify the name for the role.

Comment: Specify the comment information.

User: Click the text box and select which users the role is assigned to.

Privilege: Specify the privileges of the role for each HSM module.

3. Click OK to save the settings.


You can also create a new role more quickly by copying an existing one. To create a role by copying, take the following steps:

1. In the Role tab of the User Management dialog, select a role by selecting the corresponding checkbox in the role list.

2. Click Copy in the toolbar. In the Add Role dialog, all the settings of the selected role are copied. You only need to configure the name of the new role and modify other options as needed.

3. Click OK to save the settings.

Deleting a Role
Predefined roles cannot be deleted. A user with the system administrator privilege can delete user-defined roles. Once a role is deleted, the users assigned to it lose all the privileges the role granted.
To delete a role, take the following steps:

1. In the Role tab of the User Management dialog, select a role by selecting the corresponding checkbox from the role
list.

2. Click Delete in the toolbar.
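The user and role rules above (a user holds one or more roles, a role carries module privileges, a user is scoped to resource devices, a disabled user cannot log in, and deleting a role strips its privileges from every user assigned to it) can be made concrete in a small model. The following Python is an added example written for this guide; it is not HSM code, and the module names, the device-scoping rule and the authorize() check are assumptions that follow the text rather than HSM's actual implementation.

```python
"""Model of the HSM user/role/device privilege rules described above.

Added example, not HSM code. The module set, the device-scoping rule and
authorize() are assumptions that follow the text: roles carry module
privileges, a user may hold several roles, a user is scoped to resource
devices, disabled users cannot log in, and deleting a role strips its
privileges from every user that held it.
"""
from dataclasses import dataclass, field

MODULES = {"Device", "Configuration", "Monitor", "Alarm", "Log", "Report", "System"}

# Predefined roles from the role table above; these cannot be modified or deleted.
PREDEFINED_ROLES = {
    "System Administrator": set(MODULES),
    "Operator": {"Device", "Configuration", "Monitor", "Alarm"},
    "Log Auditor": {"Log"},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    devices: set = field(default_factory=set)   # resource devices / VSYSs the user may manage
    enabled: bool = True


class PrivilegeStore:
    def __init__(self):
        self.roles = {n: set(p) for n, p in PREDEFINED_ROLES.items()}
        self.users = {}

    def create_role(self, name, privileges):
        unknown = set(privileges) - MODULES
        if unknown:
            raise ValueError(f"unknown modules: {sorted(unknown)}")
        if name in self.roles:
            raise ValueError(f"role exists: {name}")
        self.roles[name] = set(privileges)

    def delete_role(self, name):
        if name in PREDEFINED_ROLES:
            raise PermissionError("predefined roles cannot be deleted")
        del self.roles[name]
        # Every user who held the role loses the privileges it granted.
        for u in self.users.values():
            u.roles.discard(name)

    def create_user(self, name, roles, devices, enabled=True):
        missing = set(roles) - set(self.roles)
        if missing:
            raise ValueError(f"unknown roles: {sorted(missing)}")
        self.users[name] = User(name, set(roles), set(devices), enabled)
        return self.users[name]

    def privileges(self, user_name):
        """Union of the module privileges of all roles the user holds."""
        u = self.users[user_name]
        return set().union(*(self.roles[r] for r in u.roles)) if u.roles else set()

    def authorize(self, user_name, module, device=None):
        """True if an enabled user may use `module`, optionally on `device`."""
        u = self.users.get(user_name)
        if u is None or not u.enabled:
            return False                      # disabled users cannot log in at all
        if module not in self.privileges(user_name):
            return False
        # Device-scoped operations also require the device to be in the user's
        # resources (assumption: System Administrator is not device-scoped).
        if device is not None and "System Administrator" not in u.roles:
            return device in u.devices
        return True


def demo():
    s = PrivilegeStore()
    s.create_role("Report Viewer", {"Report"})                 # user-defined role
    s.create_user("ops1", {"Operator", "Report Viewer"}, {"fw-branch-1"})
    s.create_user("audit1", {"Log Auditor"}, {"fw-branch-1", "fw-hq"})
    s.create_user("old", {"Operator"}, {"fw-hq"}, enabled=False)
    report_before = s.authorize("ops1", "Report")
    s.delete_role("Report Viewer")                              # ops1 loses Report
    return {
        "ops_monitor_own": s.authorize("ops1", "Monitor", "fw-branch-1"),
        "ops_monitor_other": s.authorize("ops1", "Monitor", "fw-hq"),
        "audit_device": s.authorize("audit1", "Device", "fw-hq"),
        "audit_log": s.authorize("audit1", "Log", "fw-hq"),
        "disabled": s.authorize("old", "Device", "fw-hq"),
        "report_before": report_before,
        "report_after": s.authorize("ops1", "Report"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The model shows the two checks that must both pass for a scoped user: the module must be granted by at least one of the user's roles, and the target device must be in the user's resource list. It also shows the side effect called out above: after delete_role(), the privilege disappears from every user without any per-user edit.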

AAA Server
AAA is the abbreviation for Authentication, Authorization and Accounting:

Authentication: Verifies users' identities.

Authorization: Grants certain privileges according to the configuration.

Accounting: Records users' network resource usage, for example for billing.
To configure an AAA server, take the following steps:

1. Click System > User > AAA Server from the Level-1 navigation pane. In the AAA Server dialog, local is the default local server and cannot be edited or deleted.



2. Click New.

3. In the AAA Server Configuration dialog, configure the following options:

Server Name: Specify the server name, at most 31 characters.

Server Type: Specify the server type. RADIUS is supported.

Server Address: Specify the IP address or domain name of the RADIUS server. A domain name can be at most 31 characters.

Port: Specify the port number of the RADIUS server. The value range is 1024 to 65535. The default value is 1812.

Password: Specify the shared secret used for communication between the RADIUS server and HSM.

Link Test: Click Link Test. The system checks that the configured address matches a reachable RADIUS server. If it does, the system prompts that the AAA server is reachable; if not, it prompts that the AAA server cannot be reached.

4. Click OK to save the configuration.

Note: The system supports adding up to 9 AAA servers.

Authentication Configuration


The authentication configuration determines how a user's legitimacy is verified. Authenticated users can log in and operate HSM; users who fail authentication cannot log in. HSM supports two authentication methods:



Local authentication: User information (including username, password and properties) is configured on the HSM device. Local authentication is fast and reduces operating cost, but the amount of information that can be stored is limited by the device hardware. By default, Hillstone devices use local authentication.

RADIUS authentication: User information is stored on an external RADIUS server, and the HSM device authenticates users through that server.

To configure authentication on HSM, take the following steps:

1. Click System > User > Authentication Configuration from the Level-1 navigation pane. For the option that controls whether users who are not in the local user list are authenticated remotely:

Choose Yes and select a default authentication server; users who are not in the local user list can then log in to HSM through that server.

Choose No; users who are not in the local user list cannot log in to HSM.

2. Click OK to save the configuration.

Note:
With RADIUS authentication, local authorization requires the privileges to be set on HSM, whereas remote authorization obtains the privileges from the RADIUS server.
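The shared secret entered in the Password field of the AAA Server dialog is what ties HSM to the RADIUS server: it obfuscates the user's password inside the Access-Request and authenticates the server's reply. The following Python, an added example and not HSM code, builds an RFC 2865 Access-Request, decodes the User-Password attribute the way the server does, and verifies a reply's Response Authenticator, which is the check a client needs so that a forged Access-Accept from someone who knows only the server's address is rejected. The secret, username, password and NAS identifier are constructed for the example; nothing is sent on the network.

```python
"""RADIUS (RFC 2865) Access-Request encoding and reply verification.

Added example, not HSM code. It shows what the shared secret configured in
the AAA Server dialog protects: the User-Password attribute is obfuscated
with an MD5 keystream derived from secret + Request Authenticator, and the
server's reply carries a Response Authenticator computed over the reply and
the secret. All values below (secret, username, password, NAS id) are
constructed for the example.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32


def _attr(atype, value):
    """One RADIUS attribute: Type(1) Length(1, includes header) Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def obfuscate_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the authenticator."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(pw[i:i + 16], keystream))
        out += chunk
        prev = chunk
    return out


def deobfuscate_password(blob, secret, authenticator):
    """Inverse of obfuscate_password; the server does this with the same secret."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], keystream))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00").decode()


def build_access_request(ident, username, password, secret, authenticator=None, nas_id=b"hsm"):
    """Return (packet, request_authenticator). The authenticator is 16 random bytes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, obfuscate_password(password, secret, authenticator))
             + _attr(NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_reply(code, ident, request_authenticator, secret, attrs=b""):
    """What the server sends back. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 3)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_reply(packet, request_authenticator, secret, expected_ident):
    """Client-side check: returns the reply code only if the identifier matches the
    outstanding request and the Response Authenticator verifies under the shared
    secret; otherwise None. Without this, anyone who can spoof UDP from the
    server's address could send an Access-Accept."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or ident != expected_ident:
        return None
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        return None
    return code


def demo():
    secret = b"example-shared-secret"            # constructed, not a real secret
    password = "Str0ng!Passw0rd"
    req, ra = build_access_request(7, "ops1", password, secret)
    blob = obfuscate_password(password, secret, ra)
    genuine = build_reply(ACCESS_ACCEPT, 7, ra, secret)
    forged = build_reply(ACCESS_ACCEPT, 7, ra, b"wrong-secret")   # attacker lacks the secret
    wrong_id = build_reply(ACCESS_ACCEPT, 8, ra, secret)           # not the outstanding request
    return {
        "request_len": len(req),
        "roundtrip": deobfuscate_password(blob, secret, ra),
        "genuine": verify_reply(genuine, ra, secret, 7),
        "forged": verify_reply(forged, ra, secret, 7),
        "wrong_id": verify_reply(wrong_id, ra, secret, 7),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two practical consequences follow from the code: the whole exchange rests on MD5 and the shared secret, so use a long random secret and keep the HSM-to-RADIUS path inside a trusted management network; and a reply is only as good as the Response Authenticator check, which is why the forged and mismatched-identifier replies in demo() are rejected even though their code says Accept.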

Distribute Management
For users who need to manage a large number of devices, a single HSM may not be sufficient. To resolve this, you can use the distributed management function: when you deploy multiple HSM devices, you can designate one as the master device and the others as slave devices. With this function, you can view information about the slave devices and their firewalls on the master device, which relieves the load on any single HSM. Distributed management has three modes: standalone mode, master mode and slave mode.

Master Mode: When one HSM device manages multiple HSM devices and can view information about those HSM devices and their firewalls, the current device is the master HSM and the mode is master mode. The master HSM cannot manage firewalls directly. One master HSM can register up to 16 slave HSM devices.



Slave Mode: When one HSM device is managed by a master HSM, the current device is a slave HSM and the mode is slave mode. A slave HSM can manage firewalls directly. A slave HSM can be registered only with the admin user of the master HSM.

Standalone Mode: An HSM device in standalone mode, like one in slave mode, can manage firewalls directly, but a standalone HSM cannot be registered on a master HSM. The default mode is standalone mode.

Note: When master mode is switched to slave mode or standalone mode, the associations between all users and devices under the master mode are cleared. When slave mode or standalone mode is switched to master mode, the associations between all users and devices under the slave or standalone mode are cleared as well.

To switch the distributed management mode, take the following steps:

1. Click System > Distribute Management from the Level-1 navigation pane.

2. In the Distribute Management dialog, select the check box of the mode you need and click OK.

3. If you selected master mode, click Device > Distribute List > Add Device from the Level-1 navigation pane to enter the Add Device page and add slave HSM(s) to the master HSM.

4. Configure the parameters in the Add Device dialog.

Option Description

Device Name: Specifies the name of the slave HSM device.

Address: Specifies the IP address or domain name of the slave HSM device.

Password: Specifies the password used to log in to the slave HSM device.

Device Description: Specifies the description of the slave HSM device.

5. Click OK to complete the switch of the distributed management mode.

Disk Management
HSM disk management refers to the configuration of the cleanup threshold, through which you manage the storage space of the system.
To configure the cleanup threshold for HSM disk management, take the following steps:

1. Click System > Device Management > Disk Management from the Level-1 navigation pane.

2. In the Disk Management dialog, configure the following options:

Cleanup Threshold Settings: Specify the cleanup threshold. The default value is 90% and the minimum value is 60%. When storage usage reaches the threshold, the logs of the earliest week are automatically cleared at 00:15 a.m. Cleared logs cannot be recovered, so if logs must be retained for audit or incident investigation, back them up with the Log Backup Manager before they are purged.

3. Click OK to save the settings.

Configuring HSM System Time
HSM system time is referenced by other modules, such as log, upgrade, etc. To ensure that the system time of HSM and the managed devices is synchronized, it is recommended to configure the same NTP server for HSM and the managed devices. You can configure HSM system time manually or by synchronizing with an NTP server.
To configure HSM system time manually, take the following steps:

1. Select System > Device Management > Date & Time from the Level-1 navigation bar.

2. Select appropriate time zone from the HSM System Time Zone drop-down list. If the selected time zone uses DST, the
"Automatically adjustment of daylight time clock" check box will be selected automatically.



3. The current date and time are shown in the HSM System Time box. If you need to modify the date or time, type the correct date and time into the box.

4. Click OK to save the settings.

5. The changed time applies only to new data; the timestamps of existing data are not updated. In the pop-up Warning dialog, click Yes to confirm the update.
If the time zone is adjusted from east to west, new business data may carry the same timestamps as existing business data.

6. Restart the device and log in again.


To configure HSM system time by synchronizing with an NTP server, take the following steps:

1. Select System > Device Management > Date & Time from the Level-1 navigation bar.

2. Select the Sync with NTP Server check box.

3. Type the IP address of the NTP server into the Server 1 box; if needed, type the IP address of a second NTP server into the Server 2 box. The system tries to synchronize with Server 2 if synchronization with Server 1 fails.

4. Click OK to save the settings.

Note: Configure the system time properly during the initial setup, and if possible, do not change
the system time thereafter. Otherwise, modules that rely on system time (such as report, log) will
be affected.

HSM Network Management
HSM network management refers to the configuration of the IP address, gateway and DNS servers. These settings ensure connectivity between HSM and the managed devices. To facilitate initial configuration, the eth0 port of HSM is preconfigured with the default IP address 192.168.1.1/255.255.255.0.
To configure parameters for HSM network management, take the following steps:



1. Click System > Device Management > Network Management from the Level-1 navigation pane.

2. In the Internet Management dialog, configure the following options:

IP Address: Specify the IP addresses of eth0 and eth1 according to the network topology.

Netmask: Specify the netmasks of eth0 and eth1 according to the network topology.

Gateway: Specify the IP address for the gateway of HSM.

Preferred: Specify the IP address for the preferred DNS server of HSM.

Backup: Specify the IP address for the backup DNS server of HSM.

3. Click OK to save the settings.

Monitor Configuration
To ensure HSM performance, HSM does not enable the monitor function for any device by default. If desired, you can enable it according to your requirements. After the monitor function is enabled, HSM performance is affected; to keep performance adequate, it is recommended to monitor fewer than 500 devices.
To configure the monitor function on HSM, take the following steps:

1. Click System > Device Management > Monitor Configuration from the level-1 navigation pane. The Monitor Con-
figuration dialog appears.



2. To enable or disable the monitor function for certain devices, select the devices in the device list and click Monitor Configure. The Monitor Configure dialog appears.

3. In the Monitor Configure dialog, configure the following options:

VPN: Enable or disable the VPN monitor function.

Traffic: Enable or disable the traffic monitor function.

Other: Enable or disable the network threat and network behavior monitor function.

Priority: Select Low, Middle or High. When the monitor data exceeds system capacity, the system disables the monitor function of low-priority devices so that the monitor data of higher-priority devices can still be processed.

4. Click OK to save the settings. The Monitor Configure dialog closes, and the Update Configure progress bar disappears when the update is complete. Click OK to close the dialog.

5. In the Monitor Configuration dialog, click Close to save the settings and close the dialog.
The following functions are affected after the monitor function is disabled.

Module Details

Monitor: Statistics of CPU utilization, memory utilization and total traffic keep updating. Other statistics stop updating and can only be viewed for the period in which they were collected.

Alarm: The following alarm rules cannot take effect: VPN Tunnel Interrupt, VPN Tunnel Traffic Beyond Threshold, AV Attack Count Beyond Threshold, APP Block Count Beyond Threshold, Email Receiving and Sending Times Beyond Threshold, URL Category Hit Count Beyond Threshold, Port Traffic Beyond Threshold, and all user-defined alarm rules based on the above rules.

Report: Since statistics of CPU utilization, memory utilization and total traffic keep updating, you can still generate reports from them. Other historical statistics stop updating, and you can only generate reports containing the historical statistics of the period in which they were collected.

6. Click Close to close the dialog.

HSM System Status Monitor
The status monitor function monitors the CPU utilization, memory utilization and disk utilization of HSM, giving users a clear picture of the system status. By configuring a threshold for each monitored object, HSM can generate an alarm when the status of an object keeps exceeding the threshold for the specified period (1 minute by default), so that you can take measures to deal with it.



Viewing Status
HSM provides the following statistics for the monitored objects: the trend within a specified time cycle, the current status, and other detailed information.
To view the status, click System > Device Management > Status Monitor from the Level-1 navigation pane. The System Status Monitor dialog appears.

The line chart shows the trend of the monitored objects. Based on the specified time cycle, HSM takes samples accordingly and displays the trend in the chart. By default, HSM displays the trend of the latest 1 hour.

The chart on the right displays the current status of the monitored objects. HSM refreshes the data every 5 minutes.

View Detail: Click the View Detail link of each monitored object to view detailed information. You can view column charts of the top 5 processes by CPU usage and by memory usage, and pie charts of all objects that occupy the disk. The following chart displays the top 5 processes by memory usage.

HSM supports the predefined time cycle and the custom time cycle. Click Latest 1 Hour on the top right corner to set the
time cycle.

Predefined time cycle: Click Latest 1 Hour and then select a predefined one.

Latest 1 Hour: Displays the statistics of each monitored object within the latest 1 hour. HSM will take samples
every minute.

Latest 1 Day: Displays the statistics of each monitored object within the latest 1 day. HSM will take samples
every 10 minutes.



Latest 1 Week: Displays the statistics of each monitored object within the latest 1 week. HSM will take samples
every hour.

Latest 1 Month: Displays the statistics of each monitored object within the latest 1 month. HSM will take
samples every 6 hours.

Custom time cycle: Click Latest 1 Hour and then select Custom. The Select Time dialog appears. You can select the
start time and the end time according to your requirements.

If the custom time cycle is within 6 hours, HSM takes samples every minute.

If the custom time cycle exceeds 6 hours and is less than 1 week, HSM takes samples every 10 minutes.

If the custom time cycle exceeds 1 week and is less than 6 months, HSM takes samples every 6 hours.

If the custom time cycle exceeds 6 months and is less than 1 year, HSM takes samples every 24 hours.

Setting Threshold
If the utilization of a monitored object keeps exceeding its threshold for the specified period (1 minute by default), HSM generates an alarm.
To set the threshold for monitored objects, take the following steps:

1. Click System > Device Management > Status Monitor from the level-1 navigation pane. The System Status Monitor
dialog appears.

2. Click Set Threshold. The Set Threshold dialog appears.

3. Set the threshold for each object using one of the methods:

Drag the slider. The exact value will update in the text box.

Enter the value. The slider will move to the exact location.

4. Click OK to save the configuration settings and return to the System Status Monitor dialog. The red line representing
the threshold moves to the correct location.
For more information about configuring alarm rules, refer to Configuring the Alarm Rule.
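The custom time cycle rules and the "keeps exceeding the threshold within the specified period" condition above translate into two small pieces of logic. The following Python is an added example, not HSM code: sample_interval() encodes the custom time cycle rules from this section (taking 6 months as 26 weeks, an assumption), and sustained_breach() is one assumed reading of the alarm condition, namely that a run of consecutive samples above the threshold must span at least the period before an alarm fires, so an isolated spike does not alarm. The CPU samples are constructed.

```python
"""Sample-interval selection and sustained-threshold alarm logic for the
HSM system status monitor described above.

Added example, not HSM code. sample_interval() encodes the custom time cycle
rules from the page (6 months taken as 26 weeks, 1 year as 52 weeks: an
assumption). sustained_breach() is an assumed implementation of "keeps
exceeding the threshold within the specified period (1 minute by default)":
consecutive samples above the threshold must span at least `period` seconds.
The CPU samples in demo() are constructed.
"""
from datetime import datetime, timedelta

HOUR, DAY, WEEK = 3600, 86400, 7 * 86400


def sample_interval(start, end):
    """Seconds between samples for a custom time cycle from `start` to `end`."""
    span = (end - start).total_seconds()
    if span <= 0:
        raise ValueError("end must be after start")
    if span <= 6 * HOUR:
        return 60                 # within 6 hours: every minute
    if span < WEEK:
        return 600                # 6 hours to 1 week: every 10 minutes
    if span < 26 * WEEK:
        return 6 * HOUR           # 1 week to 6 months: every 6 hours
    if span < 52 * WEEK:
        return DAY                # 6 months to 1 year: every 24 hours
    raise ValueError("custom time cycle must be shorter than 1 year")


def sustained_breach(samples, threshold, period=60):
    """samples: list of (datetime, utilization %) in time order.
    Returns the timestamp at which the alarm condition is first met, or None.
    A sample at or below the threshold resets the run, so a single spike
    (shorter than `period`) never alarms."""
    run_start = None
    for ts, value in samples:
        if value > threshold:
            if run_start is None:
                run_start = ts
            if (ts - run_start).total_seconds() >= period:
                return ts
        else:
            run_start = None
    return None


def _fmt(ts):
    return ts.isoformat() if ts is not None else None


def demo():
    t0 = datetime(2018, 8, 15, 10, 0, 0)
    # Constructed 1-minute CPU samples: one isolated spike, then a sustained plateau.
    cpu = [(t0 + timedelta(minutes=i), v)
           for i, v in enumerate([40, 95, 45, 50, 92, 93, 91, 60])]
    return {
        "interval_1h": sample_interval(t0, t0 + timedelta(hours=1)),
        "interval_3d": sample_interval(t0, t0 + timedelta(days=3)),
        "interval_30d": sample_interval(t0, t0 + timedelta(days=30)),
        "alarm_1min": _fmt(sustained_breach(cpu, 90, period=60)),
        "alarm_2min": _fmt(sustained_breach(cpu, 90, period=120)),
        "alarm_none": _fmt(sustained_breach(cpu, 96, period=60)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In demo(), the spike to 95% at 10:01 is followed by a sample below the threshold, so it never satisfies a 1-minute period; the plateau starting at 10:04 trips the 1-minute alarm at the second consecutive sample (10:05) and the 2-minute alarm at 10:06. When tuning a threshold, keep the period at least as long as the sampling interval of the view you are watching, otherwise one sample is enough to alarm.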

HSM System Configuration Management


As the centralized security management system of the network, HSM must guarantee its own stability. For this purpose, HSM supports the following operations on its own system configuration file:

Backup: Back up the system configuration file.

Restore: Restore the system configuration file.

Export: Export the system configuration file to the local disk.

Deletion: Delete a backed-up system configuration file.


With these facilities, HSM can quickly recover after an accidental breakdown.

Back up a System Configuration File


To back up the system configuration file, take the following steps:

1. Click System > Device Management > Configuration Management. The HSM System Configuration Management
dialog appears.

2. Click Backup. The Backup dialog appears.

3. Specify the name of the backup file. By default, the file is named backup_date_time, for example backup_201311171035.



4. If desired, specify the description for this backup file.

5. Click OK. HSM starts to back up the system configuration file.


After backing up the file, HSM lists it in the HSM System Configuration Management dialog. You can view its details, including the file name, size, backup time, operating user and description.

Export a System Configuration File


To export the system configuration file from HSM to the local disk, take the following steps. An exported file is the complete HSM system configuration and is what a later restore loads, so store it with the same access restrictions as HSM itself:

1. Click System > Device Management > Configuration Management. The HSM System Configuration Management
dialog appears.

2. Select a file to be exported.

3. Click Export. The Save As dialog appears.

4. Select a location and click OK to save the file.

Restore a System Configuration File


After HSM recovers from a breakdown, or is moved or upgraded to a new hardware platform, you can restore the system configuration file. For compatibility, it is strongly recommended to restore a configuration file only to an HSM running the same version.
To restore the HSM system configuration from a file saved on HSM, take the following steps:

1. With the HSM System Configuration Management dialog active, select a backup file from the file list.

2. Click the triangle next to the Restore button, then select Selected File. The Restoring window pops up and HSM starts to analyze the file.

3. After analyzing the file, HSM starts to restore the file.

4. After restoring the file, HSM restarts.


To restore the HSM system configuration from a locally saved file, take the following steps:

1. With the HSM System Configuration Management dialog active, click the triangle ( ) next to the Restore button.
Then select Local File. The Restoring window pops up.

2. Click the magnifying glass to locate the local file and open it.

When restoring a file backed up by the current HSM itself, the historical data of Monitor, Log, and Alarm in HSM
will remain the same.

When restoring a file that is not backed up by the current HSM, the historical data of Monitor, Log, and Alarm in
HSM will be cleared.

3. Click Upload to upload the file to HSM.

4. After uploading the file, HSM analyzes the file and then starts to restore the file.

5. After restoring the file, HSM restarts.

Delete a System Configuration File


To delete a system configuration file, take the following steps:

1. With the HSM System Configuration Management dialog active, select the files to be deleted.

2. Click Delete. The Delete dialog appears.

3. Click OK to delete the selected files.



Configuring Trusted Host
HSM allows only trusted hosts to manage the system. Trusted hosts are identified by their IP addresses: if a host's IP address falls within a configured IP range, the host is trusted. Trusted host configuration follows these rules:

1. Only the system admin can configure a trusted host.

2. By default, the trusted IP range is 0.0.0.0/0, which means all hosts are trusted. Restrict it to the management subnet or administrative jump hosts, and make sure the address you are currently connecting from is included, otherwise you will lock yourself out of the WebUI.

3. A trusted host entry can be a single IP address, an IP range, or multiple IP addresses.


To configure trusted host, take the following steps:

1. Click System > Device Management > Trusted Host from the Level-1 navigation pane.

2. Click New in the Trusted Host Configuration dialog. The options are described below:

Host Name: Specify the name of the trusted host. It can be empty.

IP Address: Specify the IP address or IP range of the trusted host, e.g. 10.188.1.10 - 10.188.1.15 or 192.168.10.0/24.

Remarks: Specify the remark information for the trusted host.

3. Click Save to save the settings.

4. Click OK.
To edit/delete trusted host, take the following steps:

1. Click System > Device Management > Trusted Host from the Level-1 navigation pane.

2. Select a trusted host by selecting the corresponding checkbox from the list, and then click Edit or Delete.

3. Click OK to save the settings.
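The three entry forms listed above (single IP, "start - end" range, CIDR prefix) and the default 0.0.0.0/0 rule can be checked with the following matcher. This is an added example, not Hillstone code; the entry values are constructed from the examples in this guide, and the audit function allows_all flags a list that still contains the catch-all default.

```python
"""Trusted-host matcher modelled on the HSM rules described above (added
example, not Hillstone code). An entry may be a single IPv4 address, an
'a - b' range, or a CIDR prefix; the default entry 0.0.0.0/0 trusts all hosts."""
import ipaddress
from typing import Iterable, List

# HSM's default trusted range: every host may reach the management interface.
DEFAULT_TRUSTED = ["0.0.0.0/0"]


def parse_entry(entry: str) -> List[ipaddress.IPv4Network]:
    """Turn one trusted-host entry into a list of IPv4 networks."""
    text = entry.strip()
    if "-" in text:
        # Range form "10.188.1.10 - 10.188.1.15": summarize into CIDR blocks.
        lo_s, hi_s = (p.strip() for p in text.split("-", 1))
        lo, hi = ipaddress.IPv4Address(lo_s), ipaddress.IPv4Address(hi_s)
        if hi < lo:
            raise ValueError(f"range end before start: {entry!r}")
        return list(ipaddress.summarize_address_range(lo, hi))
    # Single address (becomes a /32) or CIDR prefix; strict=False tolerates
    # host bits set in the prefix, as an operator might type them.
    return [ipaddress.IPv4Network(text, strict=False)]


def is_trusted(host: str, entries: Iterable[str]) -> bool:
    """True if the connecting host matches any configured trusted entry."""
    addr = ipaddress.IPv4Address(host)
    return any(addr in net for e in entries for net in parse_entry(e))


def allows_all(entries: Iterable[str]) -> bool:
    """Audit check: does the configuration still contain a catch-all (/0) entry?"""
    return any(net.prefixlen == 0 for e in entries for net in parse_entry(e))


if __name__ == "__main__":
    # Constructed configuration using the entry forms shown in the guide.
    configured = ["10.188.1.10 - 10.188.1.15", "192.168.10.0/24", "172.16.0.5"]
    for h in ("10.188.1.12", "10.188.1.16", "192.168.10.200", "172.16.0.5", "8.8.8.8"):
        print(h, "trusted" if is_trusted(h, configured) else "rejected")
    print("default allows all hosts:", allows_all(DEFAULT_TRUSTED))
    print("configured allows all hosts:", allows_all(configured))
```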

Configuring WEB Port
You can change the port number that users connect to when logging in to HSM through the Web, which helps secure
the system.
To configure the Web port for HSM, take the following steps:

1. Click System > Device Management > WEB Port from the Level-1 navigation pane.

2. In the WEB Port dialog, configure the following options:

HTTP WEB Port: Specify the port number for accessing the HTTP service of HSM. The default value is 80. The value
ranges from 1025 to 65535 in addition to 80; among them, 2003~3003, 3306, 6514, 8005, 8080, 8161, 8443, 9000,
9090, 9091, 9092, 61616 and 61617 are reserved by the system. Reserved port numbers cannot be configured.

HTTPS WEB Port: Specify the port number for accessing the HTTPS service of HSM. The default value is 443. The value
ranges from 1025 to 65535 in addition to 443; among them, 2003~3003, 3306, 6514, 8005, 8080, 8161, 8443,
9000, 9090, 9091, 9092, 61616 and 61617 are reserved by the system. Reserved port numbers cannot be
configured.

3. Click OK to save the settings.

Note: After the Web port is modified successfully, the previous port is closed and the web service
is restarted. You need to access the web service through the new port after the restart.

HA Management
HA, the abbreviation for High Availability, provides a fail-over solution for communication line or device failure to
ensure smooth communication and effectively improve the reliability of the network. To implement the HA function
on two HSM devices, both must use the identical hardware platform and firmware version, and have the same
device license installed with its service within the validity period. When one HSM device is not available or cannot handle
the request from the client properly, the request is promptly directed to the other device that works normally, thus ensuring
uninterrupted network communication and greatly improving the reliability of communications.
To configure the HA management in the HSM system, take the following steps:

1. Click System > Device Management > HA Management from the Level-1 navigation pane to enter the device
configuration page.

2. Configure the parameters in the HA Management dialog.

The parameters of HA management are explained as follows.


Current Role: Displays the current device's role. When the HA link is not built, the role name is Standalone. When the HA
link has been built, the role name is that of the specified management device's role.

Role: Specifies the role of the management device. When the role is Master, configurations can be issued. When the role
is Slave, configurations can only be viewed. When the role is Standalone, the page displays Disable HA and the system
disables the HA function.

HA Control link interface: Specifies the name of the HA control link interface. The control link synchronizes all data of
the two devices.

Local IP: Specifies the IP address and netmask of the HA control link interface.

Peer IP: Specifies the peer IP address of the HA control link interface.

Virtual IP: Specifies the virtual IP address of the HA management device.

Hello interval: Specifies the Hello interval. The Hello interval is the interval at which the HA device sends heartbeats
(Hello packets) to the other devices in the HA group. The Hello interval must be identical within an HA group.

Preempt: Specifies whether the device enables preemption mode. Currently only the master device can be configured in
preemption mode. If preemption mode is enabled, the master device preempts to become master again when it recovers
from a failure. Preemption mode is disabled by default.

Track Object: The system uses the track object to monitor the working status of the device. Once the device cannot work
normally, the system takes the corresponding measures immediately. ping: type a legal IP address or domain name. If the
IP address or domain can be reached, the device is running normally; if not, the master and backup devices switch over.

Monitor/Log Synchronization: Select the Enable check box. The system synchronizes monitoring and log data.

Manual Synchronization: Click Synchronize; the Manual Synchronization dialog pops up.

Select Use data in peer device to cover data in local device. The Submit prompt box pops up and displays "Data in local
device will be reset, whether to continue?" Click OK. When the synchronization completes, the local data is overwritten.

Select Use data in local device to cover data in peer device. The Submit prompt box pops up and displays "Data in peer
device will be reset, whether to continue?" Click OK. When the synchronization completes, the peer data is overwritten.

HA Alarm: Select the Enable check box. When the status of the interface changes, the device raises an alarm.

Database Synchronize Status: Displays the synchronization status of the current database. The statuses are Normal,
Synchronizing and Failed to synchronize.

File Synchronize Status: Displays the synchronization status of the current file. The statuses are Normal, Synchronizing
and Failed to synchronize.

HA HeartBeat Status: Displays the heartbeat status of the current HA. The statuses are Normal and Failed.

3. Click OK, and the HA Creating dialog pops up. You can view the progress of HA creation in the dialog.

The parameters are explained as follows.


Interface modification: Shows the result of modifying the HA connection interface in the system.

Wait for configuration of the peer and connecting to the peer: Shows the result of the peer configuration and of the
connection between the local device and the peer device. You need to configure the peer parameters before the HA is
built or while the HA build is in progress. You also need to make sure that HSM is connected with the peer device;
otherwise, the connection cannot succeed.

HA Establish Condition Checking: Shows the result of checking whether the conditions for establishing HA are met.

HA Environment Build: Shows the result of building the HA environment.

Master/Slave Device Data Synchronization: Shows the result of synchronizing data between the master and slave
devices. If Monitor/Log Synchronization is enabled, the device synchronizes all data; otherwise the device synchronizes
all data except Monitor/Log data.

HA Build Successfully: Shows whether HA was built successfully.

4. Click Done to complete the HA building.

HSM System Upgrade
HSM supports system upgrade, rollback and restoring to the factory defaults.

System Upgrade
To upgrade HSM system, take the following steps:

1. Click System > Upgrade from the Level-1 navigation pane.

2. In the Upgrade dialog, click to select an HSM system file.

3. Click Upload.

4. Complete the upgrade procedure as prompted.

Rollback
To roll back to the previous version, take the following steps:

1. Click System > Upgrade from the Level-1 navigation pane.

2. In the Upgrade dialog, click Rollback, and then click OK under the tag.

Restoring to Factory Defaults
To restore to the factory defaults, take the following steps:

1. Click System > Upgrade from the Level-1 navigation pane.

2. In the Upgrade dialog, click Factory Defaults, and then click OK under the tag.

Upgrading Signature Database for HSM
To upgrade the IPS signature database, application signature database, Anti-Virus signature database or URL database for
HSM:

Note: When HSM manages the HA function of the managed devices, it supports upgrading the
signature databases of the managed devices. If the signature databases of the master device and the
slave device are upgraded to different versions, the signature database of the master device is
synchronized to the slave device.

1. Select System > Upgrade from the level-1 navigation panel, and then click the target signature upgrade tab.

2. In the pop-up Library Upgrade dialog box, configure as follows.


Current Version: Shows the current version number of the signature database.

SN: Shows the product serial number of HSM.

Magic: Shows the Magic code of HSM. The Magic code is an encrypted string generated from the SN of HSM, which is
required when you download the latest signature file from a default update server.

Remote Upgrade: Configure remote online upgrade for the signature database.

Upgrade Now: Click Upgrade Online to upgrade the signature database right now.

Auto Upgrade: Select Enable Auto Update and specify the auto upgrade time. Click Save to save your changes. This
function is enabled by default.

Configure Update Server: By default, the system updates the signature database automatically every day. HSM provides
three default update servers: update1.hillstonenet.com, update2.hillstonenet.com and the HSM device. You can
customize the servers according to your needs. Click Update Server Configuration, then in the pop-up Update Server
dialog, specify the server IP or domain name.

Local Upgrade: Click to select the IPS signature file, Anti-Virus signature file or URL database file on your local PC, and
then click Upload.

Note: To get the latest signature file, enter update1.hillstonenet.com or update2.hillstonenet.com in the browser's
address bar, then click the target signature upgrade link in the upper-left corner of the page. Copy the SN number and
Magic code displayed in HSM, then paste them into the SN and Magic text fields respectively. Fill in the engine version,
platform or current version in accordance with the instructions, then click Download to download the latest signature
file (e.g. ips.sig).

Configuring an Email Account
The Email account configured in HSM is used to send alarm mails.
To configure the Email account in HSM, take the following steps:



1. Click System > Email from the Level-1 navigation pane.

2. In the Email Configuration dialog, configure the following options:

Mail Server: Specify the IP address of mail server.

Username: Specify the username of Email account.

Password: Specify the password of Email account.

Email Address: Specify the Email address of the Email account.

Testing Recipient: Specify the recipient that is used to test the Email account. Click Test to test if Email can be
sent by the Email account successfully.

3. Click OK to save the settings.

SMS Modem Configuration
SMS alarm means that alarm information is sent to the designated administrator through an SMS modem.
An external GSM modem device is required for sending SMS messages. First, prepare a mobile phone SIM card and a GSM
SMS modem. Insert the SIM card into the modem and then connect the modem and HSM with a USB cable.
The following two models of SMS modem are recommended:

Model                     Type    Chip       Interface
Huatengtongyu GSM MODEM   GSM     WAVECOM    USB Interface
Jindi GSM MODEM           GSM     WAVECOM    USB Interface

SMS Modem Baud Rate
You can view the communication baud rate of the SMS modem in the SMS Modem Configuration page.

SMS Modem Signal Intensity
You can view the communication signal intensity of the SMS modem in the SMS Modem Configuration page. Only when
the signal intensity is between 16 and 31 can alarm messages be sent normally. If the signal intensity is 15 or below, alarm
messages may fail to be sent.

SMS Modem Status
The system will show the modem connection status: sms modem is online, sms modem is offline or no sim in sms
modem.



Configuring SMS Parameters
You can define the maximum number of SMS messages per hour or per day. If the messages exceed the maximum
number, the system does not have the modem send further messages, but it keeps a log of this behavior.

Maximum sending number per hour: Defines the maximum number of messages the modem can send in one hour. The
value ranges from 1 to 1000.

Maximum sending number per day: Defines the maximum number of messages the modem can send in one day. The
value ranges from 1 to 1000.

Testing SMS
To test whether message sending works, you can send a test text to a mobile phone.
To send a text message to a specified mobile number:

1. Select System > SMS Modem Configuration.

2. Enter a mobile phone number in the text box.

3. Click Send.
If the SMS modem is correctly configured and connected, the phone with that number receives a text message.

Note: vHSM does not support SMS alarm.

Diagnose Tools
While HSM is managing devices, the diagnose tools help you test network availability and diagnose system errors
quickly. You can choose the tools according to your requirements.
To use the HSM diagnose tools, take the following steps:

1. Select System > Diagnose Tools > Test tools from the Level-1 navigation bar. The Test Tools dialog appears.

2. You can choose the tools according to your requirements, configure the following options:

DNS Query: Specify the DNS domain name. HSM checks that the domain name is valid, and then displays the domain's
IP address or the fault message. If no DNS server is configured, a dialog pops up to prompt you.



Ping: Specify the DNS domain name or IP address, click Test, and then the results of ping will be displayed.

Traceroute: Specify the DNS domain name or IP address, click Test, and then the results of traceroute will be
displayed.

3. Click Test, and then the results will be displayed in the below text box.

Log Backup Management
The HSM system supports backing up and importing logs. Before backing up or importing logs, you must configure the
FTP server settings.

FTP Server Configuration: Specify an FTP server for storing backed-up logs or the logs to be imported.

Log Import: Import logs from the FTP server to HSM.

Log Backup: Back up logs and store them in the FTP server.

Log Clean: Clear the offline logs or the running logs within the specified period.

FTP Server Configuration
Configuring the FTP server settings is the prerequisite for backing up and importing logs. To configure the settings, take
the following steps:

1. Click System > Log Backup Manager > FTP Config from the level-1 navigation pane. The FTP Configuration dialog
appears.

2. In the toolbar in the dialog, click New. The New FTP Server Configuration dialog appears.

3. In the dialog, configure the following options:

Config Name: Specify the FTP server name. You can also enter other names to mark this entry. You can enter at
most 20 characters.

Address/Port: Specify the IP address and the corresponding port of the FTP server.

User name: Specify the user name that has access right to the FTP server.

Password: Specify the password for the user.

Path: Specify the path of the directory in the FTP server for storing logs. Use "/" as the separator.

4. After configuring the settings, click Detection to verify the connection between HSM and FTP server. After testing
successfully, click OK to save this entry and return to the FTP Configuration dialog. This entry is displayed in the FTP
server list.
You can also click OK directly instead of clicking Detection. HSM then saves this entry to the FTP Configuration dialog
without verifying the connection. Click the Detection link in the Detect column to verify the connection later.
If you want to edit the FTP server settings, select an entry from the FTP server list and then click Edit in the toolbar. To
delete the undesired FTP servers, select the entries from the list and then click Delete in the toolbar.



Log Import
The HSM system supports importing and viewing logs. To import logs, take the following steps:

1. Click System > Log Backup Manager > Log Import from the level-1 navigation pane. The Log Import dialog
appears.

2. In the dialog, configure the following options:

FTP Server: From the drop-down list, select the FTP server where you store the log files. The corresponding FTP
server settings are then displayed. You can click Detection to verify the connection between HSM and the FTP server.
If you want to modify the FTP server settings, click FTP Config.

Choose File: From the drop-down list, select the log files. You can select folders and/or files. HSM supports the
following file types: ZIP, TXT, and CSV.

Log Type: From the drop-down list, select the type of logs you want to import. More than one log type can be
selected.

Time Set: You can customize the time of logs.

3. Click Import to start the import task. The task progress is displayed in the task list. For more information, see Task.

Log Backup
HSM supports backing up logs. You can back up logs manually or automatically.

Imported logs cannot be backed up again.

Backed-up logs can be imported for viewing.

Manual Backup
To back up logs manually, take the following steps:

1. Click System > Log Backup Manager > Log Backup from the level-1 navigation pane. The Log Backup dialog
appears.

2. Click the Manual Backup tab. In the dialog, configure the following options:

Log Type: From the drop-down list, select the log types to be backed up.

Start Time: Specify the start time of logs.

End Time: Specify the end time of logs.

FTP Server: From the drop-down list, select the FTP server where to store the log files. Then the corresponding
FTP server settings are displayed. You can click Detection to verify the connection between HSM and the FTP
server. If you want to modify the FTP server settings, click FTP Config.

3. Click Backup to start the backup task. The task progress is displayed in the task list. For more information, see Task.

Auto Backup
To back up logs automatically, take the following steps:

1. Click System > Log Backup Manager > Log Backup from the level-1 navigation pane. The Log Backup dialog
appears.

2. Click the Auto Backup tab. In this dialog, configure the following options:

Enable Auto Backup: Select the check box to enable automatic log backup.

Interval: Specify the periodic backup cycle: Every Day, Every Week or Every Month.

Time: Specify the time at which logs are backed up automatically.

Backup Relative Time: From the drop-down list, select the number of days to be backed up. Logs of the specified
number of days are exported, 90 days at most.

FTP Server: From the drop-down list, select the FTP server where the log files are stored. The corresponding FTP
server settings are then displayed. You can click Detection to verify the connection between HSM and the FTP server. If
you want to modify the FTP server settings, click FTP Config.

Delete data after backup: Select the check box to delete the backed-up logs after the backup.

3. Click OK to start the backup task. The task progress is displayed in the task list. For more information, see Task.

Log Clean
HSM supports clearing offline logs and running logs within a specified time. For more information on offline
logs and running logs, refer to Searching Log Messages.
To clear logs, take the following steps:

1. Click System > Log Backup Manager > Log Clean from the level-1 navigation pane. The Log Backup dialog appears.

Select Offline Log to clear the offline logs.

Select Online Log to clear the online logs within the specified time.

2. Click OK. The Tip dialog appears.

3. Click Yes. HSM starts to clear the logs.



Device Management

This chapter describes the device management operations:

Device Management: Introduction to the operational processes for device management.

Device Upgrade: HSM supports device upgrade functionality.

Device Configuration File Management: The configuration file management function in HSM facilitates the management
of configuration files located on different Hillstone devices and of each configuration file's change history.

Device Management Configuration Example: Describes a typical deployment scenario and some configuration
examples for your understanding of adding devices and retrieving configuration files.

Device Management
This section describes the device management operations:

Creating a Device Group

Adding a Device to a Device Group

Deleting a Device from a Device Group

Editing a Device Group

Deleting a Device Group

Favorite Device

Viewing Device Details

Session Query

Deleting a Device from HSM

Online Reboot

HA management for the managed devices

Creating a Device Group
A device group is a logical management unit for devices. You can add related devices to one device group. One device
can be added to different device groups.
To create a device group, take the following steps:

1. Move the cursor to the All Devices area of the device navigation pane, right-click and select Create Device Group.
The Device Group Configuration dialog pops up.

2. Type the device group name in the Name text box. If necessary, give a description of the device group in the
Description text box.

3. Select a parent device group for the newly created device group in the selection box under the Description text box.
The created device group will belong to the selected device group.

4. Click OK to save the changes and close the dialog.

The newly created device group is displayed in the device navigation pane. You can adjust the position of the device
group by dragging and dropping it.

Adding a Device to a Device Group
Two methods are supported to add a device to a device group:

Drag and drop: In the device navigation pane, select the device to be added, then drag and drop it onto the device group
(the target device group turns red; release the mouse after the color changes). Alternatively, select the device to be
added from the device table and drag it to the device group in the device navigation pane.

Cut and paste: You can add multiple devices to a device group. The operating steps are listed below.
To add devices to a device group by cutting and pasting, take the following steps:

1. Select the devices to be added from the device table (check the corresponding check boxes).

2. Right-click and select Cut Device.

3. Select the device group from the device navigation pane.

4. Move the mouse back to the device table area, right-click and select Paste Device.

Deleting a Device from a Device Group
Two methods are supported to delete a device from a device group:

Drag and drop: In the device navigation pane, select the device to be deleted, and then drag it out of the device
group.

Cut and paste: You can delete multiple devices from a device group. The operating steps are listed below.
To delete devices from a device group by cutting and pasting, take the following steps:

1. Select the device group from the device navigation pane, and the device table shows all the devices in the selected
device group.

2. Select the devices to be deleted from the device table (check the corresponding check boxes).

3. Right-click and select Cut Device.

4. Select another device group from the device navigation pane.

5. Move the mouse back to the device table area, right-click and select Paste Device.

Editing a Device Group
To edit a device group, take the following steps:

1. Select the device group to be edited from the device navigation pane.

2. Right-click and select Edit Device Group.

3. Edit the settings in the Device Group Configuration dialog.

4. Click OK to save the changes and close the dialog.

Deleting a Device Group
To delete a device group, take the following steps:

1. Select the device to be deleted from the device navigation pane.

2. Right-click and select Delete Device.

3. Click Yes on the Information dialog.

Favorite Device
You can mark your important devices as favorites to make them easy to find and manage.

To mark a device as a favorite, in the device table, click the flag in the Name column to toggle it between Favorite and
Common. The favorite devices are displayed under the Favorite label in the device navigation pane.
To remove a device from favorites, use either method below:

In the device table, click the flag in the Name column so that it becomes grayed out.

In the device navigation pane, under the Favorite label, select the device, right-click and select Remove From
Favorite.

Viewing Device Details
The device details are displayed in the device detail page, including basic information, interface information, alarm
information, resource information, traffic information and threat information. To view the details, first select the
device from the device table, then click Show Monitor Panel in the upper-right corner, and click Details in the monitor
panel.

The device detail page is illustrated in the figure (not reproduced here).

The options of the device detail page are described below:

Device Information: Shows basic information about the managed device, consisting of the following items.

Device SN: Shows the serial number of the managed device.

Name: Shows the host name of the managed device.

Platform: Shows the platform of the managed device.

System Time: Shows the system time of the managed device.

StoneOS: Shows the version of the firmware in the device. Click Upgrade to upgrade the device. For more information
about device upgrade, see Device Upgrade.

Running File: Shows the name of the running firmware.

AV Signature: Shows the version of the AV signature database in the managed device.

IPS Signature: Shows the version of the IPS signature database in the managed device.

URL DB: Shows the version of the URL database in the managed device.

APP Signature: Shows the version of the APP signature database in the managed device.

Interface Information: The device front panel illustration shows the interface status and information. Each interface icon
indicates one of two statuses: the interface is connected normally, or the interface is not connected or the connection
failed. Move the mouse over the icon of an interface to pop up the interface information. This function works on
StoneOS 4.5R4 and above.

Unread Warnings: Shows the unread warnings in the managed device.

CPU Utilization: Shows the CPU utilization in the last 10 minutes.

Memory Utilization: Shows the memory utilization in the last 10 minutes.

Traffic Trend: Shows the traffic trend in the last 10 minutes.

Top 10 Application Traffic in 1 Hour: Shows the top 10 application traffic in the last 1 hour.

Top 10 Average User Traffic in 1 Hour: Shows the top 10 average user traffic in the last 1 hour.

Top 10 Intrusions in 1 Hour: Shows the top 10 IPS intrusions in the last 1 hour, which is only applicable to NGFW devices.

Latest 1 Hour Threat Distribution: Shows the percentage distribution of each threat in the last 1 hour, which is only
applicable to NIPS devices.

Session Query
You can search the current sessions of a managed device according to specified criteria by using session query.
To query sessions, take the following steps:

1. Select the device which you want to query sessions from the device table, then click View in Session column to enter
session query page.

2. Enter values in one or more text fields in the pop-up dialog box, then click the Search button.

Source Addr: Specify the source IP address. You may enter an IPv4 or IPv6 address.

Src Port: Specify the source port of the service.

Destination Addr: Specify the destination IP address. You may enter an IPv4 or IPv6 address.

Dst Port: Specify the destination port of the service.

Protocol: Specify the transport layer protocol of the service.

The search results are displayed in the session list. If you click the Search button without entering any value, all
current sessions are displayed in the list.

Deleting a Device from HSM
To delete a device from HSM, take the following steps:

1. Select the device to be deleted from the device table, and click the Delete Device button above the device table; or
select the device to be deleted from the device navigation pane, right-click and then select Delete Device.

2. Click Yes on the Information dialog. The device is moved to the recycle bin.

3. Click the Recycle Bin label from the device navigation pane, and the device table shows all the devices in the recycle
bin. Select the device to be deleted, and click the Delete Device button above the device table again.

4. Click Yes on the Warning dialog. Now the device is permanently deleted from HSM.
You can restore the device in the recycle bin.
To restore devices, take the following steps:

1. Click the Recycle Bin label from the device navigation pane, and the device table shows all the devices in the recycle
bin.

2. Select the device to be restored, right-click and select Restore Device, or click the Restore Device button above the
device table. The Device Restoration dialog pops up.

3. If necessary, edit the name of the device in the Name text box.

4. Select a device group for the device to be restored in the box.

5. Click OK to save the changes and close the dialog.

Note: VSYS devices cannot be deleted directly from HSM. When a physical device is deleted
from HSM, its VSYS devices are deleted at the same time.

Online Reboot
The managed devices can be restarted immediately or restarted on schedule through HSM.

Immediate Reboot
To restart the managed devices immediately, take the following steps:

1. Click Device > Management from the level-1 navigation pane.

2. Select the devices to be restarted from the device list, and then click the Reboot Immediately button at the upper
right corner of the toolbar, or click the small triangle to the right of the button and select Reboot Immediately.

3. Click OK in the pop-up dialog.

The devices are restarted immediately, and the icon in the Status column changes to the rebooting icon. If the
reboot is successful, the icon changes back to the normal status icon.

Reboot on Schedule
You can configure a scheduled reboot task so that one or more managed devices can be restarted according to the time
set in the task.
To configure a scheduled reboot task, take the following steps:

1. Click Device > Management from the level-1 navigation pane.

2. Click the small triangle to the right of the Reboot Immediately button at the upper right corner of the toolbar and
select Reboot Schedule Configuration in the menu.

3. Click New in the Timing Task dialog.

4. Configure the parameters in the pop-up dialog.

Task Name: Specifies the name of the scheduled reboot task, which is 1 to 31 characters.

Select Device: Select the devices that need to be restarted on schedule. You can click the filter icon at the upper right
corner to filter by device type.

Set Reboot Time: Specifies the time at which the devices reboot, either an absolute time or a periodic time. In the
periodic case, you can set the devices to restart at a specific time on a day, on a certain day of the week, or on a certain
day of the month. If you want to restart the devices on the last day of each month, select the last day in Every Month.

5. Click OK. The newly created task is displayed in the task list.
The newly created task is enabled by default. Check the task, and then click Disable in the toolbar to disable it.
Click Edit or Delete in the toolbar to edit or delete the task, respectively. Click the Log link of the corresponding task in
the Log column to view the logs generated by the task. You can also view a device's reboot log by clicking the icon
in the Reboot Log column on the Device Management page.
When a reboot task of the absolute time type has been executed, its status becomes invalid. An invalid task can also
be disabled. An invalid task can be re-enabled by editing the reboot time to a valid time.

Device Management 44
Setting Restart Parameter
You can set the restart parameter to determine whether the configuration of the managed device is saved before a restart. This feature applies only to NGFW devices running version 5.5R4P1 or later.
To set the restart parameter, take the following steps:

1. Click Device > Management from the level-1 navigation pane.

2. Click the small triangle to the right of the Reboot Immediately button at the upper right corner of the toolbar and
select Restart Param in the menu.

3. Select the Save configuration before restart or Do not save configuration before restart radio button in the Restart Param dialog.
By default, Save configuration before restart is selected. If you select Do not save configuration before restart, a prompt box pops up whenever you reboot a device immediately, warning that the configuration will be lost after the reboot. You can click the Modify Restart Parameter link to open the Restart Param page and change the restart parameter.

HA management for the managed devices


HSM supports HA management for the managed devices in Active-Passive, Active-Active and Active-Peer modes. When HSM manages the HA function of the managed devices, you can view, configure and share the information of the master device in the HA cluster; for the slave device, you can only view its configuration on HSM.
After configuring Active-Peer mode, you need to create a virtual interface on the master device of the managed devices. Once the virtual interface is synchronized to the slave device, the HA cluster can be registered on HSM. For more information about the HA function of the managed devices, refer to the StoneOS CLI User Guide.

Introduction to Device Upgrade
HSM supports device upgrade functionality, which enables you to upgrade the firmware of the managed Hillstone
devices. To upgrade StoneOS through HSM, take the following steps:

1. Import the StoneOS firmware to the HSM system first. HSM will match the proper firmware to the managed devices
automatically.

2. Create upgrading tasks according to your own requirements.


HSM can also upgrade the signature databases of the managed Hillstone devices in two ways: the managed device can obtain the signature database file from HSM, which acts as an update server for online upgrade, or you can configure a signature database upgrade template in HSM and deliver it to the managed device. The IPS signature database, application signature database, Anti-Virus signature database and URL database can be upgraded.

You can check the status of an upgrading task on the Status page, and view the upgrading logs on the Upgrade Log page or the Task Log page.
This section describes:

Configuring a Device Upgrading task

Viewing Device Upgrading Logs

Upgrading Signature Database

Configuring a Device Upgrading Task


Hillstone NGFW, IPS, WAF, BDS and IDS devices can be upgraded in batches through HSM. To upgrade the managed devices through HSM, take the following steps:

1. Import StoneOS firmware to HSM.

2. Specify the upgrading management IP address.

3. Configure the device upgrading task.


After the task is successfully configured, you can check the upgrading status in the Current Upgrade Task dialog and view the upgrading logs on the upgrading log page.

Importing / Deleting a Firmware


Three importing methods are supported by HSM: importing from the local PC, importing via HTTP, and importing via
FTP.
To import from the local PC, take the following steps:

1. Click Device > Upgrade > Device Upgrade from the level-1 navigation pane.

2. Click the Import button from the toolbar.

3. On the Importing Firmware dialog, select Local, click the browse button and select the firmware to be
uploaded on the pop-up dialog.

4. Click OK to upload.
To import via HTTP, take the following steps:

1. Click Device > Upgrade > Device Upgrade from the level-1 navigation pane.

2. Click the Import button from the toolbar.

3. On the Importing Firmware dialog, select HTTP, and configure the following options:

HTTP URL: Specify the HTTP address of the firmware to be uploaded.

Username: Specify the username which is used to log into the HTTP server.

Password: Specify the password of the user.

4. Click OK to upload.
To import via FTP, take the following steps:

1. Click Device > Upgrade > Device Upgrade from the level-1 navigation pane.

2. Click the Import button from the toolbar.

3. On the Importing Firmware dialog, select FTP, and configure the following options:

FTP URL: Specify the FTP address of the firmware to be uploaded.

Username: Specify the username which is used to log into the FTP server.

Password: Specify the password of the user.

Anonymous: Select this option to access the FTP server anonymously.

4. Click OK to upload.
To delete a firmware from HSM, select it in the firmware table, and then click the Delete button in the toolbar.

Specifying the Upgrade Management IP


When upgrading devices through HSM, you must specify an upgrade management IP before executing the upgrading task so that the firmware can be pushed to the managed devices successfully. The management IP must be reachable from the managed devices (usually it is the management IP of the HSM device).
To specify the upgrade management IP, take the following steps:

1. Click Device > Upgrade > Device Upgrade from the level-1 navigation pane.

2. Click the Upgrade Configuration button from the toolbar.

3. On the Upgrade Management IP Configuration dialog, type the address into the IP text box.

4. Click Save to save the changes and close the dialog.

Configuring a Device Upgrading Task


When the firmware is uploaded into HSM, HSM will match the firmware with the managed devices automatically. The
upgrading task specifies the device to be upgraded, the upgrade time and so on.
To configure the device upgrading task, take the following steps:

1. Click Device > Upgrade > Device Upgrade from the level-1 navigation pane.

2. Select a firmware from the firmware table (check the corresponding check box), and then click the Task button from
the toolbar. The Device Upgrade dialog pops up. This dialog shows all devices matching with the selected firmware.

3. Specify the upgrade type, including:

Immediately: Upgrade the devices to the specified firmware immediately.

On Schedule: Upgrade the devices to the specified firmware at a specified time.

4. Select the devices to be upgraded from the device table.

5. Configure the upgrading options. The options are:

Backup Version: Select a version to be the backup firmware on the device (up to 2 versions can be saved on a
device). You can choose the backup version by selecting from the drop-down list. "Active" refers to the version
currently running on the device; "Backup" refers to the backup version on the device.

Backup Configuration: If this check box is selected, HSM backs up the configuration on the device when upgrading.

Reboot: If this check box is selected, HSM reboots the device after successfully pushing the firmware to it, so that the new firmware takes effect.
To configure the upgrading options for all the devices to be upgraded, click the Upgrade Options button and con-
figure on the pop-up dialog.

6. Click the Upgrade button to create the upgrading task.

Checking the Task Status


You can check the task status on the Current Upgrade Task (in the device upgrade page, click the Status button) dialog.
There are 7 task statuses:

Waiting for upgrade: The device is waiting to load the firmware from HSM.

Upgrading: HSM is pushing the firmware to the device.

Waiting for reboot: When multiple devices are configured in the task, the devices that have finished uploading the firmware are marked with this status.

Rebooting: The firmware is uploaded successfully and the device is rebooting.

Cancelling: The administrator cancelled the task and the device is cancelling the task.

Upgrade succeeded: The device has rebooted with the newly upgraded firmware.

Upgrade failed: You can get the failure reason from the upgrade logs.
To check the upgrading task status, take the following steps:

1. Configure the upgrading task.

2. On the upgrading page, click the Task button, and on the Current Upgrade Task dialog, check the upgrading status
for each device.
To cancel the upgrading task, click the Cancel Upgrade button in the bottom-right corner of the dialog. A task that is already executing cannot be cancelled.

Viewing Device Upgrading Logs


Device upgrading logs record the upgrading status of devices.
To view the device upgrading logs, take the following steps:

1. Click Device > Upgrade > Device Upgrade from the level-1 navigation pane.

2. Click Upgrade Log from the upgrading navigation pane, and the upgrading logs will be displayed in the main window.
You can filter the log messages by selecting the conditions above the log message table.
The following illustration shows the layout of the device upgrade page.

Level-1 Navigation Pane
Level-1 navigation pane allows you to navigate to different modules of HSM.

Upgrading Navigation Pane


Select different options from the upgrading navigation pane to go to the corresponding upgrading pages. Functions of
the upgrading navigation pane are described as below:

Device Upgrade: Goes to the device upgrading page, which includes the toolbar and the table of StoneOS firmware. You can configure the upgrading tasks and view the upgrading status on this page.

Upgrade Log: Shows the upgrading logs. The search function is supported so that you can find the log messages you need.

Filter
You can filter the log messages by selecting the conditions provided here. The filter conditions are described as below:

Status: Filter the log messages by task status.

Device Name: Filter the log messages by device name.

Keyword: Filter the log messages by keyword. To filter with a keyword, take the following steps:

1. Select a type from the drop-down list before the keyword text box to restrict the keyword scope.

2. Type the keyword in the text box and press the Enter key. The messages in the specified scope that include the keyword are displayed in the log message table.

To cancel the keyword filter, use either of the following methods:

Delete the keyword from the text box and then press the Enter key.

Select None from the drop-down list, move the cursor to the text box and then press the Enter key.

Time: Filter the log messages by time.

Main Window
The main window shows all the upgrading log messages. Columns of the log messages table are described as below:

Start Time: Shows the start time of the task.

End Time: Shows the end time of the task.

Device Name: Shows the name of the upgraded device.

Platform: Shows the platform of the upgraded device.

IP: Shows the IP address of the upgraded device.

Name: Shows the firmware name.

Version: Shows the firmware version.

Status: Shows the upgrading status.

Executor: Shows the name of the administrator who executed the upgrading task.

Log: Shows the content of the message.

Upgrading Signature Database


As an Update Server
After you have configured the IP address of HSM as the signature database update server on the managed device, the managed device can obtain the signature database file from HSM and upgrade it online.
In addition, you can also upgrade the managed device's signature database immediately via HSM:

1. Click Device > Upgrade > Signature Update from the level-1 navigation pane.

2. Click the target signature upgrade tab, and then select signature version from the drop-down menu in the upper-
right corner of the toolbar.

3. Click the Update Right Now button from the toolbar.

4. Based on the current version of the signature database, select the devices to be upgraded from the device list.

5. Click the Upgrade button to start upgrading the signature database for the selected devices.
You can view the Status column to see if the signature database has been upgraded successfully.

Configuring Upgrade Templates


When the configuration in a signature database upgrade template is delivered to a managed device, the signature database of the managed device is upgraded according to the template. At most 100 signature database upgrade templates can be created for each signature database type.
To create a signature database upgrade template, take the following steps:

1. Click Device > Upgrade > Signature Update from the level-1 navigation pane.

2. Select the target signature upgrade tab, and then click the New button from the toolbar. The corresponding Update Server Configuration dialog appears.

3. In the dialog, configure the signature database upgrade template information.


Configuration Name: Specifies the name of the signature database upgrade template. You can use the system default name or customize it.

Device: Select the device type to apply the upgrade template.

Configure Update Server: HSM provides three default update servers: update1.hillstonenet.com, update2.hillstonenet.com and HSM's IP address. Click the text box and the three servers are prompted. You can customize the servers according to your need; both entering and selecting are supported. In the subsequent drop-down menu, specify the virtual router (only applicable for NGFW). You can also create a new virtual router by clicking Add a vrouter from the drop-down menu.

Whether Automatic: Select the check box and set the update time; the signature database of the managed device will be updated automatically according to the settings.

Primary Proxy: When the device accesses the Internet through an HTTP proxy server, you need to specify the IP address and the port number of the HTTP proxy server. With the HTTP proxy server specified, the signature database can be updated normally. It is optional.

Stand-by Proxy: When the primary proxy server cannot access the Internet, the backup proxy server takes effect. It is optional.

Relevant Device: Select the device or device group to which the upgrade template will be delivered.

4. Click OK. The upgrade template appears in the template list.
In the Device To SendDown column, click the corresponding link to view all relevant devices and their status.
To deliver an upgrade template, take the following steps:

1. Click Device > Upgrade > Signature Update from the level-1 navigation pane.

2. Click the target signature upgrade tab, select the upgrade template you want to deliver, and then click the SendDown button in the toolbar.

3. In the upper left corner of the dialog, select device type to view devices and their status.

The devices to SendDown are those whose update server settings differ from the template.

All devices, i.e. the relevant devices, include the devices to SendDown, the offline devices, and the devices whose update server settings are the same as the template.

4. Click OK. HSM starts delivering the configuration in the upgrade template and generates a task.
Click View Task Log to view the delivery log for the signature upgrade template. You can also go to the Task Management page to view information such as the status of the task.

Configuration File Management
A configuration file includes all configurations in a Hillstone device. The configuration file management function in HSM facilitates the management of configuration files located in different Hillstone devices and the management of configuration files' change history. You can perform the management in the following two tabs:

Configuration File List tab: Displays configuration files of Hillstone devices and the corresponding information.

Configuration Change History tab: Displays change history of configuration files.


For detailed information about configuration file management, see the following topics:

Managing Configuration File

Managing Configuration Change History

Managing Configuration File


The Configuration File List tab displays the retrieved configuration files and related information. You can manage the configuration files as follows:

Retrieving Configuration File

Viewing Configuration File

Viewing Change History

Restoring Configuration Files

Exporting Configuration Files

Importing Configuration Files

Comparing Configuration Files

Editing Configuration File

Deleting Configuration File

Searching Configuration File

Retrieving Configuration File


When you perform the retrieval action, HSM retrieves the running configuration file from the selected Hillstone device. HSM supports automatic retrieval, manual retrieval and scheduled retrieval of configuration files. HSM can store at most 10,000 configuration files.

Retrieving Configuration Files Automatically


HSM will automatically retrieve the configuration files in following situations:

Before performing the Deploy Configuration action in Configuration > Device Configuration

After performing the Import Configuration action in Configuration > Device Configuration
The configuration file retrieved automatically is named full_xml_config_date_time, for example full_xml_config_20130929033151. While retrieving a configuration file, HSM checks the number of files it stores. If the total number of configuration files does not exceed the limit, HSM stores the retrieved file. If the total number of configuration files has reached the limit, HSM deletes the oldest deletable files of this device and then stores the retrieved file. If HSM fails to retrieve the configuration files automatically, you can retrieve them manually.

In the following situations, a green up arrow ( ) appears next to the device name, indicating that the configuration on the device has changed:

HSM fails to retrieve the configuration files automatically

The configuration file in Hillstone devices changes

Note: If a device contains VSYS devices, the green up arrow ( ) is not supported on the device node.

Retrieving Configuration Files Manually
To manually retrieve the configuration files, take the following steps:

1. With the Configuration File List tab active, select a device from the device navigation pane.

Click the icon in the top-right corner of the device list to filter device type, including NGFW, IPS and WAF.

2. Click Retrieve Configurations in the toolbar. The Retrieve Configurations dialog pops up.

3. In the dialog, modify the file name and enter the description (optional).

4. Click OK to start the retrieving.


After retrieving the configuration file successfully, you can view the retrieved file in the main window in the Configuration File List tab.

Retrieving Configuration Files on Schedule
You can set a schedule to obtain configuration files for the specified device at a specified time. To retrieve the configuration files on schedule, take the following steps:

1. Enter the Configuration File List tab.

2. Click Retrieve Configurations Schedule in the top-right corner. The Retrieve Configurations Schedule dialog pops up.

3. In the device list on the left, choose the devices whose configuration files will be retrieved.

Click the icon in the top-right corner of the device list to filter device type, including NGFW, IPS and WAF.

4. Set retrieving time for configuration files in the right panel.

Every Day: Select the radio button to specify the specific time each day to get the configuration files.

Every Week: Select the radio button to specify the specific time every week to get the configuration files.

Every Month: Select the radio button to specify the specific time every month to get the configuration files.

No plan: There is no retrieving schedule for configuration files. This option is selected by default.

5. Click OK. The system retrieves the configuration files at the specified time.
To check whether a configuration file was retrieved successfully, open the HSM System Log page and view the logs of the Get Configuration operation type.
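The periodic schedules used by Reboot on Schedule and by Retrieving Configuration Files on Schedule (every day, every week, every month including the last day of the month) as an added example that computes a task's next run time and the "invalid" state of an executed absolute-time task. This is not HSM's code; the Schedule class, its field names and the handling of a day that the current month lacks are assumptions.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Optional, Union

# Assumed model of the schedule kinds the guide offers for reboot and
# configuration-retrieval tasks: one absolute time, or a periodic time that
# fires every day, on one weekday every week, or on one day every month
# (including the last day). Class and field names are assumptions.
LAST_DAY = "last"


@dataclass(frozen=True)
class Schedule:
    kind: str                              # "absolute", "daily", "weekly" or "monthly"
    at: time = time(0, 0)                  # time of day for the periodic kinds
    absolute: Optional[datetime] = None    # the one-off time for kind == "absolute"
    weekday: int = 0                       # 0 = Monday ... 6 = Sunday, for "weekly"
    day_of_month: Union[int, str] = 1      # 1..31 or LAST_DAY, for "monthly"


def _day_in_month(year: int, month: int, day_of_month: Union[int, str]) -> Optional[int]:
    """Resolve the configured day for one month; None when that month is too short."""
    last = calendar.monthrange(year, month)[1]
    if day_of_month == LAST_DAY:
        return last
    return int(day_of_month) if int(day_of_month) <= last else None


def next_run(sched: Schedule, now: datetime) -> Optional[datetime]:
    """Return the next time the task fires strictly after `now`, or None if it never will.

    An absolute task whose time has passed returns None, matching the guide's rule
    that an executed absolute-time task becomes invalid until its time is edited.
    """
    if sched.kind == "absolute":
        if sched.absolute is None or sched.absolute <= now:
            return None
        return sched.absolute

    if sched.kind == "daily":
        candidate = datetime.combine(now.date(), sched.at)
        return candidate if candidate > now else candidate + timedelta(days=1)

    if sched.kind == "weekly":
        days_ahead = (sched.weekday - now.weekday()) % 7
        candidate = datetime.combine(now.date(), sched.at) + timedelta(days=days_ahead)
        return candidate if candidate > now else candidate + timedelta(days=7)

    if sched.kind == "monthly":
        year, month = now.year, now.month
        # Thirteen months always contain a month long enough for any day 1..31.
        # Assumption: a day the current month lacks is skipped, not clamped, which is
        # why the guide offers an explicit "last day" choice for month-end reboots.
        for _ in range(13):
            day = _day_in_month(year, month, sched.day_of_month)
            if day is not None:
                candidate = datetime.combine(date(year, month, day), sched.at)
                if candidate > now:
                    return candidate
            month += 1
            if month > 12:
                month, year = 1, year + 1
        return None

    raise ValueError(f"unknown schedule kind: {sched.kind!r}")


def is_valid(sched: Schedule, now: datetime) -> bool:
    """The guide's task validity: a task with no future run time is invalid."""
    return next_run(sched, now) is not None
```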

Viewing Configuration File
To view the detailed configurations in a configuration file, take the following steps. The configurations are displayed in CLI format.

1. With the Configuration File List tab active, select a device from the device navigation pane. The related configuration
files are displayed in the main window.

2. Select a configuration file.

3. Click View Configurations in the toolbar. The View Configurations dialog pops up and displays the detailed configurations.

Viewing Change History
The change history of a configuration file records detailed information about each change.
To view the change history, take the following steps:

1. With the Configuration File List tab active, select a device from the device navigation pane. The related configuration
files are displayed in the main window.

2. Select a configuration file.

3. Click the View link in the Change History column. The Configuration Change History dialog pops up and displays
the change history of this selected configuration file.

Restoring Configuration Files


To apply a backed-up configuration file to the device, restore the configuration file.
To restore a configuration file, take the following steps:

1. With the Configuration File List tab active, select a device from the device navigation pane. The related configuration
files are displayed in the main window.

2. Select a configuration file. Only one configuration file can be restored to the corresponding device.

3. Click Restore from the toolbar. The Restore Configuration page appears. You may choose to save the configuration and reboot the device according to your need. Restore in one of the following two ways:

Immediately: Select the Immediately radio button to restore the specified configuration file immediately.

On Schedule: Select the On Schedule radio button to specify a time to restore the configuration file. The time must be later than the current time of the HSM system; otherwise, the configuration might not be restored.

4. Click OK to save your settings and close the dialog. A notice with the task details pops up at the bottom; click it to enter the task schedule page.

Note: A device that is restoring a configuration file cannot execute another configuration restore task at the same time; otherwise the task fails.

Exporting Configuration Files
To obtain backup copies of configuration files, export them from HSM to your local PC.
To export a configuration file, take the following steps:

1. With the Configuration File List tab active, select a device from the device navigation pane. The related configuration
files are displayed in the main window.

2. Select a configuration file.

3. Click Export from the toolbar. The Save page appears.

4. Click OK. The Save As page appears, where you can select the save path and rename the configuration file according to your need.

5. Click OK to export the configuration file. The system then prompts that the configuration file has been exported successfully.

Note: Configuration files exported from HSM are in ZIP format.

Importing Configuration Files


To back up local configuration files, import them into HSM.
To import a configuration file, take the following steps:

1. With the Configuration File List tab active, select a device from the device navigation pane. The related configuration
files are displayed in the main window.

2. Select a configuration file.

3. Click Import from the toolbar. The Import Configuration page and the Open dialog appear. Select the local configuration file in the Open dialog and click OK; the Open dialog closes. The name of the configuration file to be imported and the loading progress bar are displayed in the Import Configuration File dialog.

4. Click Upload. The upload progress bar is displayed, and the successfully imported configuration file appears in the main window.

Note: Only DAT and ZIP files can be imported.

Comparing Configuration Files


Use the Compare function to view the differences between two configuration files. The configuration files for comparison
can be from one device or from two different devices.
To compare configuration files, take the following steps:

1. With the Configuration File List tab active, select a device or a device group from the device navigation pane. The
related configuration files are displayed in the main window.

2. Select the two files for comparison by selecting their checkboxes.

3. Click Add to Compare. The File Comparison List dialog appears. The selected two files are added to this list with the
device name and the file name displayed. To change files, you can delete them from the list by clicking Delete, and
then select new configuration files.

4. In File Comparison List, click Compare. The Compare Configuration dialog pops up and displays the detailed configurations in each file. The differences are marked in red.

Editing Configuration File
By editing a configuration file, you can achieve the following aims:

Modify the file name

Add the file description

Set the file status


To edit the configuration file, take the following steps:

1. With the Configuration File List tab active, select a device from the device navigation pane. The related configuration
files are displayed in the main window.

2. Select a configuration file.

3. Click Edit in the toolbar. The Edit dialog appears.

4. Configure the following options:

File Name: Modify the file name.

Status: Select status for this file: Deletable or Permanently Saved. Deletable is the default status and represents
that this file can be deleted. Permanently Saved represents that this file cannot be deleted. For each device, the
maximum number of files with the Permanently Saved status is 10.

Description (optional): Add or modify the description.

5. Click OK to save the changes and close the dialog.

Deleting Configuration File


To delete configuration files, take the following steps:

1. With the Configuration File List tab active, select a device from the device navigation pane. The related configuration
files are displayed in the main window.

2. Select files to be deleted by selecting the checkboxes before the file name.

3. Click Delete in the toolbar to delete the selected files. If the selection contains Permanently Saved files, the Delete button is greyed out.
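The storage rules described in Retrieving Configuration Files Automatically (the 10,000-file limit, eviction of a device's oldest Deletable files, the full_xml_config_ naming), the cap of 10 Permanently Saved files per device from Editing Configuration File, and the greyed-out Delete button above, modelled together as an added example. This is not HSM's code; the class and method names, and the outcome when a device at the limit has no deletable file, are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional

# Limits stated in the guide.
MAX_FILES_TOTAL = 10_000        # configuration files HSM can store in total
MAX_PERMANENT_PER_DEVICE = 10   # Permanently Saved files allowed per device

DELETABLE = "Deletable"
PERMANENT = "Permanently Saved"


@dataclass
class ConfigFile:
    device: str
    name: str
    retrieved_at: datetime
    status: str = DELETABLE
    description: str = ""


def auto_name(when: datetime) -> str:
    """Name given to automatically retrieved files: full_xml_config_<date><time>."""
    return "full_xml_config_" + when.strftime("%Y%m%d%H%M%S")


class ConfigFileList:
    """Assumed in-memory model of the Configuration File List (not HSM's implementation)."""

    def __init__(self, max_total: int = MAX_FILES_TOTAL) -> None:
        self.max_total = max_total
        self.files: List[ConfigFile] = []

    def _oldest_deletable(self, device: str) -> Optional[ConfigFile]:
        candidates = [f for f in self.files if f.device == device and f.status == DELETABLE]
        return min(candidates, key=lambda f: f.retrieved_at, default=None)

    def store_retrieved(self, device: str, when: datetime,
                        name: Optional[str] = None, description: str = "") -> Optional[ConfigFile]:
        """Store a newly retrieved file.

        When the total limit is reached, the oldest Deletable files of the same device
        are removed first; Permanently Saved files are never evicted. If the device has
        nothing deletable, the file is not stored and None is returned (assumption: the
        guide does not say what happens in that case).
        """
        while len(self.files) >= self.max_total:
            victim = self._oldest_deletable(device)
            if victim is None:
                return None
            self.files.remove(victim)
        stored = ConfigFile(device, name or auto_name(when), when, DELETABLE, description)
        self.files.append(stored)
        return stored

    def set_status(self, target: ConfigFile, status: str) -> bool:
        """Edit dialog: change a file's status, refusing an 11th Permanently Saved file per device."""
        if status == PERMANENT and target.status != PERMANENT:
            permanent = sum(1 for f in self.files
                            if f.device == target.device and f.status == PERMANENT)
            if permanent >= MAX_PERMANENT_PER_DEVICE:
                return False
        target.status = status
        return True

    def delete(self, selected: Iterable[ConfigFile]) -> bool:
        """Delete button: refused (greyed out) when the selection contains a Permanently Saved file."""
        selected = list(selected)
        if any(f.status == PERMANENT for f in selected):
            return False
        for f in selected:
            self.files.remove(f)
        return True

    def names(self, device: str) -> List[str]:
        """File names currently stored for one device, in retrieval order."""
        return [f.name for f in self.files if f.device == device]
```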

Searching Configuration File


Use the Filter function to quickly locate the configuration files that meet the filter conditions.
To use the Filter function, take the following steps:

1. With the Configuration File List tab active, select a device or a device group. The related configuration files of this
device or this device group are displayed in the main window.

2. Specify the filter conditions.

Time: Search the configuration files whose retrieval time is within the specified period.

Status: Search the configuration files that match the specified file status.

Keyword: Search the configuration files whose columns contain the entered keywords. You can search the contents of the following columns: Device Name, File Name, SN, and Description.

3. Click Search. The configuration files that meet all filter conditions are displayed in the main window.

Managing Configuration Change History


The Configuration Change History tab displays the change records and related information. You can manage the change
records as follows:

Editing Change Record

Deleting Change Record

Searching Change Record

Editing Change Record
To edit a change record, take the following steps:

1. With the Configuration Change History tab active, select a device from the device navigation pane. The related
change records of this device are displayed in the main window.

2. Select a change record.

3. Click Edit in the toolbar. The Edit dialog appears.

4. Enter the description in the Description text box.

5. Click OK to save the changes and close the dialog.

Deleting Change Record


To delete change records, take the following steps:

1. With the Configuration Change History tab active, select a device from the device navigation pane. The related
change records of this device are displayed in the main window.

2. Select change records.

3. Click Delete in the toolbar. The Delete dialog appears.

4. Click OK to delete the selected change records.

Searching Change History


Use the Filter function to quickly locate the change records that meet the filter conditions.
To use the Filter function, take the following steps:

1. With the Configuration Change History tab active, select a device or a device group. The related change records of
this device or this device group are displayed in the main window.

2. Specify the filter conditions.

Time: Search the change records whose retrieval time is within the specified period.

Operation: Search the change records that match the specified operation.

Keyword: Search the change records whose columns contain the entered keywords. You can search the contents of the following columns: User, Device Name, File Name, and Description.

3. Click Search. The change records that meet all filter conditions are displayed in the main window.

Device Management Configuration Example


This page describes a typical deployment scenario and some configuration examples for your understanding of adding
devices and retrieving configuration files. The requirements and configurations are shown below.

Deployment Scenario
A company is headquartered in Beijing and has branches in Shanghai and Guangzhou. Each office is deployed with a Hillstone security appliance to control Internet access. The requirement is to deploy an HSM in Beijing to manage the three devices, as shown below:

Requirement
Requirement 1: Add three security appliances
Requirement 2: Retrieve configuration files

Configuration Steps

Preparation
Configure a management IP address and the system time on HSM as described in Deploying HSM Management Environment.

Configuration Steps (Requirement 1)


To add three security appliances to HSM, take the following steps:

1. Click Device > Management from the level-1 navigation pane to enter the Device Management page.

2. Click the triangle icon ( ) next to the Add Device button and select Add Multiple Devices from the drop-down
menu. The Add Multiple Devices dialog pops up.

3. Click Download Device Info File Template. The Save As dialog appears.

4. Select the location and save the template deviceinfo.xls.

5. Open the template and configure the options as shown below:

6. Save the changes and close the template.

7. In the Add Multiple Devices dialog, click Browse. The Open dialog appears.

8. Locate the modified template and click OK. HSM starts to load the template.

9. After loading the template, click Upload. HSM starts to read the template and add the devices in it to HSM. If any one device fails to register, registration fails for all devices in the template.

Configuration Steps (Requirement 2)

When a green up arrow appears next to the device name, it indicates that the configuration on the device has changed.
To retrieve the running configuration file to HSM, take the following steps:

1. Click Device > Management from the level-1 navigation pane and then click the Device Management tab.

2. In the device navigation pane, select the device from which you want to retrieve the configuration file.

3. With the Configuration File Management tab active, click Retrieve Configuration in the toolbar. The Retrieve Configurations dialog appears.

4. Change the file name to test by myself_201311191354 and add the description: this is a test.

5. Click OK. HSM starts to retrieve the configuration file.

Introduction to Configuration Management

Configuration management manages all kinds of rules (policy rules, NAT rules, route rules) and the related objects on devices. Using HSM, you can retrieve the rule configuration of each device and deploy rules from HSM to devices, so that the devices are managed centrally. To reduce configuration errors, HSM provides the following functions to help administrators find and resolve problems: rule conflict check, redundant object check, object reference check, etc.
The configuration management related concepts are described below:

Policy: HSM supports configuring policy rules for devices. One policy can be deployed to multiple devices, but one device can have only one policy. HSM supports private policies and shared policies.

Private Policy: A policy that belongs to one certain device only and cannot be used by other devices. A private policy can be converted to a shared policy.

Shared Policy: A shared policy can be used by any device. A shared policy can be copied as a private policy.

A shared policy is marked with an icon in front of its name.

NAT: HSM supports configuring SNAT and DNAT rules, and supports private NAT rules and shared NAT rules.

Private NAT: A NAT rule that belongs to one certain device only and cannot be used by other devices. A private NAT rule cannot be converted to a shared NAT rule.

Shared NAT: A shared NAT rule can be used by any device. A shared NAT rule cannot be copied as a private NAT rule.

A shared NAT rule is marked with an icon in front of its name.

Route: HSM supports configuring destination route rules, and supports private destination route rules and shared destination route rules.

Private Route: A route that belongs to one certain device only and cannot be used by other devices. A private route cannot be converted to a shared route.

Shared Route: A shared route can be used by any device. A shared route cannot be copied as a private route.

A shared route rule is marked with an icon in front of its name.

Object: The objects referenced by rules in policies/NAT/routes. HSM supports private object and shared object.

Private Object: The object that only belongs to one certain device. When a private policy is converted to a
shared policy, the private objects of the private policy are converted to shared objects as well.

Shared Object: A shared object can be referenced by all rules, including the private rules. A shared object cannot be converted to a private object.

Device Configuration Sync: HSM compares the configuration of a device on the local device and on HSM, and lists the configuration differences. Based on the differences, administrators can choose to upload the configuration from the local device to HSM or deploy the configuration from HSM to the local device.

Rule Redundancy Check: To ensure that the rules in a policy are effective, HSM provides a method to check for conflicts among the rules in a policy. With this method, administrators can get the rule shadow information.

Rule hit statistics: For the rules running on the devices, HSM gathers the hitting statistics and shows the result with a
pie chart, helping administrators learn the traffic matching status in their networks.

Redundant object check: Redundant objects are objects that are not referenced by any policy, or objects that have different names but the same contents.
HSM supports single-device policy management (device configuration) and global policy management (shared configuration). HSM provides task management to track policy-related tasks, and log messages are generated so that you know the task status and results. For more information, see Task.
For detailed information about policy management, see the following sections:



Device Configuration

Global Configuration



Device Configuration
Device configuration manages the rules and objects on a certain device. On HSM, all the rules and objects in the device
configuration on a device are listed, and you can specify a new rule/object or edit the existing rule/object on the device
according to your own requirements.
For more information about device configuration, see the following sections:

Device Configuration

Device Object

Device Configuration


Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.
The related configurations are:

Policy

iQoS

NAT

Route

Synchronizing Configuration

Specifying Configuration

Snapshot Management

Locking Configuration
The rules created on the device configuration page are all private rules and belong to a certain device. On HSM, you can create, edit, and delete private rules. After configuring private rules, you need to deploy them to the managed device if you want them to take effect on the device. For more detailed information about deploying configuration, see Synchronizing Configuration.

Policy Configuration


Policy configuration includes creating/editing/deleting/moving a rule or rule group, enabling/disabling a rule and so
on.

Creating a Policy Rule
There are two ways to create a new rule, as described below.
To create a rule by inserting, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. Select a device from the devices navigation pane.

3. Click the Policies node in the object navigation pane at the bottom. The options in the policy rule list are described below:


Option: Description

ID: Displays the policy ID.

Name: Displays the policy name.

Status: Edit the policy status as needed.

Src Zone: Specifies the source zone of the policy rule. There are 8 predefined security zones in the system: trust, untrust, dmz, L2-trust, L2-untrust, L2-dmz, vpnhub (VPN functional zone) and ha (HA functional zone). You can also use the customized zones of StoneOS.

Src Address: Specifies the source addresses.

Dst Zone: Specifies the destination zone of the policy rule. There are 8 predefined security zones in the system: trust, untrust, dmz, L2-trust, L2-untrust, L2-dmz, vpnhub (VPN functional zone) and ha (HA functional zone). You can also use the customized zones of StoneOS.

Dst Address: Specifies the destination addresses.

User: Specifies a user or user group for the security policy rule.

Service: Specifies a service or service group.

Application: Specifies an application, application group or application filter.

Schedule: Specifies the schedule during which the security policy rule takes effect. Select a schedule from the Schedule drop-down list; this option supports fuzzy search. After selecting the desired schedules, click the blank area of the dialog to complete the schedule configuration. To create a new schedule, click New Schedule.

Action: Specifies the action for traffic that matches the policy rule:
  - Permit: Select Permit to permit the traffic to pass through.
  - Deny: Select Deny to deny the traffic.
  - Secured connection:
    - From tunnel (VPN): For traffic from a peer to the local device. If this option is selected, the system first determines whether the traffic originates from a tunnel, and only such traffic is permitted. Select the Security Connection option, select From tunnel (VPN) from the drop-down list, and then select a tunnel from the following drop-down list.
    - Tunnel (VPN): For traffic from the local device to a peer. Select this option to allow the traffic to pass through the VPN tunnel. Select the Security Connection option, select Tunnel (VPN) from the drop-down list, and then select a tunnel from the following drop-down list.

Record Log: You can log policy rule matching in system logs as needed. For Permit rules, logs are generated in two conditions: when the matching traffic starts its session and when it ends its session. For Deny rules, logs are generated when the matching traffic is denied. Select one or more check boxes to enable the corresponding log types:
  - Deny: Generates a log when the traffic matching the rule is denied.
  - Session start: Generates a log when the traffic matching the rule starts its session.
  - Session end: Generates a log when the traffic matching the rule ends its session.

Defense Status: You can edit the defense status.
  - Antivirus: Specifies an antivirus profile. Combining a security policy rule with an antivirus profile enables the device to implement fine-grained application layer policy control.
  - IPS: Specifies an IPS profile. Combining a security policy rule with an IPS profile enables the device to implement fine-grained application layer policy control.
  - URL Filter: Specifies a URL filter profile. Combining a security policy rule with a URL filter profile enables the device to implement fine-grained application layer policy control.
  Note: The Antivirus/IPS/URL filter functions are controlled by licenses. The policy can be correctly issued only after the corresponding license has been installed on the device.

Data Security: You can view the state of data security on HSM.
  - File Filter: Specifies a file filter profile. Combining a security policy rule with a file filter profile enables the device to implement fine-grained application layer policy control.
  - Content Filter:
    - Web Content: Specifies a web content profile. Combining a security policy rule with a web content profile enables the device to implement fine-grained application layer policy control.
    - Web Posting: Specifies a web posting profile. Combining a security policy rule with a web posting profile enables the device to implement fine-grained application layer policy control.
    - Email Filter: Specifies an email filter profile. Combining a security policy rule with an email filter profile enables the device to implement fine-grained application layer policy control.
    - HTTP/FTP Control: Specifies an HTTP/FTP control profile. Combining a security policy rule with an HTTP/FTP control profile enables the device to implement fine-grained application layer policy control.
    - Network Behavior Record: Specifies an NBR profile. Combining a security policy rule with an NBR profile enables the device to implement fine-grained application layer policy control.

SSL Proxy: Displays the SSL Proxy rule on the HSM device. HTTPS traffic can be decrypted and controlled by combining policies with the SSL Proxy rule.

Description: Type a description into the Description box.

QoS Tag: Adds a QoS tag to the matched traffic; type the value into the box. The smaller the value of the QoS tag, the higher the priority with which the device allows the traffic to pass.

Operation Record: Records detailed information about your operations on a policy.

Hits: Displays the number of times user traffic has hit the security policy rule.

Shadow: After you select the Rule Conflict Check check box, displays the number and IDs of the rules that cover (overshadow) this rule; you can delete the covered rules as needed.

Last Hit Date: The last date on which user traffic hit the security policy rule.

4. In the Security Policy page, three ways can be used to insert a new rule:

Click the arrow after the New Rule button and select the position (Bottom, Top, Bottom in group, Top in group, After, Before) at which the inserted rule is placed;

Right-click a rule in the entry list, select New Rule, and then choose Bottom/Top/After/Before from the pop-up menu;

Right-click a rule group in the entry list, select New Rule, and then choose Bottom/Top/Bottom in group/Top in group/After/Before from the pop-up menu.
An all-deny rule is created at the specified position. If you click the New Rule button directly without specifying a position, the system creates an all-deny rule at the bottom of the rule list.

5. Edit the rule according to your own requirements. For more information, please refer to "Editing Rules" on page 66.
To create a rule by copying and pasting, take the following steps:

1. In the Security Policy page, select a rule from the rule list, right-click it and choose Copy from the pop-up menu.
You can copy one or more security policy rules:

Left-click or right-click to select one rule;

Select one rule first and hold the Ctrl key to choose discontinuous rules;

Select one rule first and hold the Shift key to choose continuous rules.

2. Paste rules. Three ways can be used to paste new rules:

Right-click on the blank cell and select Paste, then choose Bottom/Top from the pop-up menu;

Right-click on a rule in the entry list and select Paste, then choose Bottom/Top/After/Before from the pop-up
menu;

Right-click on a rule group in the entry list and select Paste, then choose Bottom/Top/Bottom in group/Top in
group/After/Before from the pop-up menu.
The copied rules will be pasted at the specified position.



3. Edit the rule according to your own requirements. For more information, please refer to "Editing Rules" on page 66.
The security policy rules are displayed in the following order: head policy rules, policy rules of the device, and tail policy rules.

Note: HSM does not support copying private policy rules to another private policy.

Editing Rules
To edit a rule, use one of the following methods:

In the rule list, double-click the cell to be edited.

Use Advanced Edit mode: in the policy rule list page, hold the Ctrl key and left-click a cell; the cell content is copied to the clipboard. Then left-click the policy rule option you want to modify and select Cover Paste to replace the option with the clipboard contents, or Add Paste to add the clipboard contents to the option.

Note: Only the Address/Service/Application/Schedule options can be edited in Advanced Edit mode.

Creating a Rule Group
A security policy rule group is the management unit of rules. HSM does not deploy rule groups to the managed devices. You can organize existing rules into a rule group, and also create new rules in a rule group. Rule groups can be folded and expanded. There are two ways to create a new rule group, as described below.
To create a rule group by inserting, take the following steps:



1. In the Security Policy page, three ways can be used to insert a new rule group:

Click the arrow after the New Rule Group button and select the position (With selected rules, Bottom, Top, After, Before) at which the inserted group is placed;

Select a rule, right-click and select New Rule Group, then choose With selected rules/Bottom/Top/After/Before from the pop-up menu; or hold the Shift key to select continuous ungrouped rules in the entry list, right-click and select New Rule Group, then choose With selected rules/Bottom/Top from the pop-up menu.
If With selected rules is selected, the selected rules are added to the new group.

Right-click a rule group in the entry list, select New Rule Group, and then choose Bottom/Top/After/Before from the pop-up menu.

2. In the New Rule Group dialog box, enter the group name and click OK.
A rule group is created at the specified position. If you click the New Rule Group button directly without specifying a position, the system creates a rule group containing the selected rules. You can click the group name to modify it.
To create a rule group by copying and pasting, take the following steps:

1. In Security Policy page, select a rule group from the rule list, right-click on the rule group and choose Copy from the
pop-up menu.
You can copy one or more security policy rule groups:

Left-click or right-click to select one rule group;

Select one rule group first and hold the Ctrl key to choose discontinuous rule groups;

Select one rule group first and hold the Shift key to choose continuous rule groups.

2. Paste rule groups. Three ways can be used to paste new rule groups:

Right-click on the blank cell and select Paste, then choose Bottom/Top from the pop-up menu;

Right-click on a rule in the entry list and select Paste, then choose Bottom/Top/After/Before from the pop-up
menu;

Right-click on a rule group in the entry list and select Paste, then choose Bottom/Top/After/Before from the
pop-up menu.
The copied rule groups are pasted at the specified position, with all their original rules included. The group names remain unchanged.

Note: HSM does not support copying private rule groups to another private policy.

Moving Rules and Groups
To move a rule or group, select the rule or group to be moved, press and hold the left mouse button, move it to the target position, and then release the button. If a rule group is moved, the relative positions of the rules in the group remain unchanged. Rules can be freely moved into or out of a rule group, but a rule group cannot be moved into another rule group.

Deleting a Rule Group
To delete a rule group, take the following steps:

1. In the Security Policy page, select a rule group from the rule list and click Delete in the toolbar.
In the pop-up dialog box, if the Delete rules check box is selected, the system deletes the rule group and all the rules belonging to it; if not, the system deletes only the rule group.

2. Click OK in the dialog box.

Note: When all the rules in the rule group are deleted, the rule group will be empty, rather than
be deleted.

Creating a Partition Group
A partition group is the management unit of devices. You can add correlated devices to one partition group.
To create a partition group, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, right-click All devices, and then select Deploy a batch of rules from the pop-up
menu. The Deploy a batch of rules guide dialog appears.

3. Click New in the dialog.

4. Type the partition group name into the Name text box.

5. Select the devices to be added from the Relevant Device drop-down list.

6. Click OK to save the configurations and close the dialog.

Deploying a Batch of Rules
HSM provides a guide to help you deploy a batch of rules.
To deploy a batch of rules, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, right-click All devices, and then select Deploy a batch of rules from the pop-up
menu. The Deploy a batch of rules guide dialog appears.
The following are three steps in the guide. Click Next once one step is completed.

Choose Partition Group

You can select partition groups or click New to create one.



Choose Deploying Position

You can select the position for the incoming security policy rules: top or bottom.

Configure Policy Rules

You can configure policy rules for the partition groups. Policy configuration includes creating/editing/deleting/moving rules. For more detailed information, see Policy Configuration.

After the above configurations, click Deploy to add the policy rules to the devices in the partition group.

Opening Local Snapshot
This feature displays the security policy section of a local snapshot file, so that you can copy local modifications to a shared or private policy. To copy rules or groups from a snapshot, take the following steps:

1. In Security Policy page, click Open Local Snapshot from the toolbar to select local snapshot, then click Open.

2. Click Upload in the pop-up dialog box.


The system will display details of the security policy configuration in the local snapshot.

3. Right-click rules or groups and select Copy.

4. Click the minimize or close button to locate the target security policy page, right-click and choose Paste to select the
position from the menu where the copied rule locates.

Rule Match Analysis
Rule match analysis searches for the security policy rules that meet your criteria. For example, if the source IP address you specify is included in the source address entries of a certain rule, that rule is displayed in the result list.



To run a rule match analysis, take the following steps:

1. In Security Policy page, click Rule Match Analysis from the toolbar.

2. Enter value in one or more text fields in the pop-up dialog box.
Source Addr: Specify the source IP address.
Src Port: Specify the source port of service.
Destination Addr: Specify the destination IP address.
Dst Port: Specify the destination port of service.
Protocol: Specify the transport layer protocol of service.

3. Click Analysis to search.


The analysis result will be displayed in the rule list. Click Reset to clear all the contents of text fields so that you can
re-enter.

Policy Rule Management
Policy rule management includes:

Enable/disable rules: Controls whether a policy rule takes effect.

Rule Conflict Check: Checks whether rules overshadow each other. Using this function improves the effectiveness of the rules.

Rule Hit Statistics: Gathers rule hit statistics and shows them in a pie chart.
To enable or disable a rule, in the Security Policy page, select the rule from the rule list, then double-click the icon in the Status column to change its status.
Two ways are supported to perform the rule conflict check:

Select the Rule Conflict Check check box in the toolbar; the system begins checking for conflicts among the rules in the policy. When the check finishes, the useless (shadowed) rules are shown hatched, and the IDs of all the rules that overshadow each such rule are listed in the last column (Shadow) of the rule list. You can select all of the redundant rules by clicking the number in brackets after the check box, so that you can delete them in a batch.

From the device navigation pane, right-click the device whose rule conflicts you want to check, and then select Rule Conflict Check from the pop-up menu. The system generates a task and begins the check. When the check finishes, click the View Report button to read the detailed information. Click the icon in the upper right corner to save the report locally in PDF format.
To view the rule hit statistics, take the following steps:

1. From the device navigation pane, right-click on the device you want to know the rule hit statistics, and then select
Rule Hit Statistics from the pop-up menu.



2. In the Rule Hit Statistics dialog, specify a time period of statistics (the default time period is the latest month), and
click View Report. The report appears. Click Save to save the PDF format report locally.

Converting a Policy from Private to Shared
A private policy belongs to one device only; you can convert a private policy to a shared one for use by other devices.

Note: Private policies cannot be converted to shared ones when their security policy rules are configured with Data Security or SSL Proxy, or linked with From Tunnel (VPN) or Tunnel (VPN).

To convert a policy from private to shared, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. From the device navigation pane, select the device whose policy will be converted. From the object navigation pane,
right-click on the policy and click Convert to Shared from the pop-up menu.

3. Specify the name for the converted policy in the Policy Name text box.

4. Click OK to save the changes and close the dialog.

Configuring the Policy-based Protection Function
HSM currently supports policy-based Anti Virus, IPS, URL Filter, and sandbox protection checks.
To configure the policy-based protection function, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. From the device navigation pane, select the device whose policy will be edited. In the object navigation pane, select Policies. The main window shows the policy rule list.

3. Click the policy entry in the list. The configuration dialog appears.

In the configuration dialog, configure the following options.



Option: Description

Anti Virus: Select the On check box to enable the Anti Virus function, and select an Anti Virus rule from the drop-down list. Two ways can be used to configure an Anti Virus rule:
  - Predefined: By default, HSM has three default Anti Virus rules: predef_low, predef_middle, and predef_high. The file types and protocol types that are filtered differ between the rules; the higher the Anti Virus rule, the higher the security level.
  - User-defined: According to your needs, select a user-defined Anti Virus rule from the drop-down list, or click New in the drop-down list to create an Anti Virus rule. For more information, see Anti-Virus.
  In the drop-down list, you can specify filtering conditions; the system displays all Anti Virus rules that match the search conditions.

Intrusion Protection System: Select the On check box to enable the IPS function, and select an IPS rule from the drop-down list. Two ways can be used to configure an IPS rule:
  - Predefined: By default, HSM has two default IPS rules: predef_default and predef_loose. predef_default includes all the IPS signatures, is strict in its attack detection results, and its default action for attacks is reset. predef_loose includes only the IPS signatures with critical severity and above or with high popularity, has high detection efficiency, and its default action for attacks is log only.
  - User-defined: According to your needs, select a user-defined IPS rule from the drop-down list, or click New in the drop-down list to create an IPS rule. For more information, see Configuring IPS.
  In the drop-down list, you can specify search conditions; the system displays all IPS rules that match the search conditions.

URL Filter: Select the On check box to enable the URL Filter function, and select a URL Filter rule from the drop-down list. According to your needs, select a URL Filter rule from the drop-down list, or click New in the drop-down list to create a URL Filter rule. For more information, see URL Filter.
  In the drop-down list, you can specify filtering conditions; HSM displays all URL Filter rules that match the search conditions.

Sandbox: You can view whether sandbox protection is enabled on the managed device. Sandbox protection configurations are currently not supported on HSM. Two ways can be used to configure a Sandbox rule:
  - Predefined: HSM has three default sandbox rules: predef_low, predef_middle and predef_high. predef_low covers the PE file type and the HTTP/FTP/POP3/SMTP/IMAP4 protocols, with white list and filter enabled. predef_middle covers the PE/APK/JAR/MS-Office/PDF file types and the HTTP/FTP/POP3/SMTP/IMAP4 protocols, with white list and filter enabled. predef_high covers the PE/APK/JAR/MS-Office/PDF/SWF/RAR/ZIP file types and the HTTP/FTP/POP3/SMTP/IMAP4 protocols, with white list and filter enabled.
  - User-defined: The user-defined Sandbox rules.

4. After configuring the settings, the rule list shows an icon for each enabled function: Anti Virus, IPS, URL Filter, and Sandbox.

iQoS
HSM can centrally manage iQoS (intelligent quality of service), which guarantees the customer's network performance, manages and optimizes key bandwidth for critical business traffic, and helps the customer fully utilize their bandwidth resources.
iQoS provides different priorities to different traffic in order to control delay and jitter and decrease the packet loss rate. iQoS assures the normal transmission of critical business traffic when the network is overloaded or congested. iQoS is controlled by license. To configure iQoS for a managed device, apply for and install the iQoS license on the managed device.

Note: HSM only supports the centralized management of iQoS function whose NGFW version is
5.5R1 or above.

Implementation Mechanism
The packets are classified and marked after entering the system from the ingress interface. For the classified and marked
traffic, the system will smoothly forward the traffic through shaping mechanism, or drop the traffic through policing
mechanism. If selecting shaping mechanism to forward the traffic, the congestion management and congestion avoid-
ance mechanisms give different priorities to different types of packets so that the packets of higher priority can pass the
gateway earlier to avoid network congestion.
In general, implementing QoS includes:

Classification and marking mechanism: Classification and marking is the process of identifying the priority of each
packet. This is the first step of iQoS.

Policing and shaping mechanisms: Policing and shaping mechanisms are used to identify traffic violation and make
responses. The policing mechanism checks traffic in real time, and takes immediate actions according to the settings
when it discovers violation. The shaping mechanism works together with queuing mechanism. It makes sure that the
traffic will never exceed the defined flow rate so that the traffic can go through that interface smoothly.

Congestion management mechanism: Congestion management mechanism uses queuing theory to solve problems
in the congested interfaces. As the data rate can be different among different networks, congestion may happen to
both wide area network (WAN) and local area network (LAN). Only when an interface is congested will the queuing
theory begin to work.

Congestion avoidance mechanism: The congestion avoidance mechanism is a supplement to the queuing algorithm, and it also relies on the queuing algorithm. The congestion avoidance mechanism is designed to process TCP-based traffic.

Pipes and Traffic Control Levels
The system supports two-level traffic control: level-1 control and level-2 control. In each level, traffic control is implemented by pipes.

Pipes

By configuring pipes, the devices implement iQoS. A pipe, which is a virtual concept, represents the bandwidth of a transmission path. The system classifies the traffic using the pipe as the unit, and controls the traffic crossing the pipes according to the actions defined for the pipes. All traffic crossing the device flows into virtual pipes according to the traffic matching conditions it matches. If the traffic does not match any condition, it flows into the default pipe predefined by the system.
Pipes, except the default pipe, include two parts of configuration: traffic matching conditions and traffic management actions:

Traffic matching conditions: Define the traffic matching conditions to classify the traffic crossing the device into matched pipes. The system limits the bandwidth of the traffic that matches the traffic matching conditions. You can define multiple traffic matching conditions for a pipe; the logical relation between the conditions is OR. When the traffic matches a traffic matching condition of a pipe, it enters this pipe. If the same conditions are configured in different root pipes, the traffic first matches the root pipe listed at the top of the Level-1 Control list in the Policy > iQoS page.

Traffic management actions: Define the actions applied to the traffic that has been classified into a pipe. The data stream control includes forward control and backward control. Forward control controls the traffic that flows from the source to the destination; backward control controls the traffic that flows from the destination to the source.
To provide flexible configurations, the system supports multiple-level pipes. Configuring multiple-level pipes can limit the bandwidth of different applications of different users, which ensures the bandwidth for the key services and users. Pipes can be nested to at most four levels. Sub pipes cannot be nested under the default pipe. The logical relation between pipes is as follows:

You can create multiple root pipes that are independent of each other. At most three levels of sub pipes can be nested under a root pipe.

For the sub pipes at the same level, the total of their minimum bandwidths cannot exceed the minimum bandwidth of their parent pipe, and the total of their maximum bandwidths cannot exceed the maximum bandwidth of their parent pipe.

If you have configured the forward or backward traffic management actions for the root pipe, all sub pipes that belong to this root pipe inherit the traffic direction configuration set on the root pipe.

A root pipe that is configured with only the backward traffic management actions cannot work.
The following chart illustrates the application of multiple-level pipes in a company. The administrator can create the following pipes to limit the traffic:

1. Create a root pipe to limit the traffic of the office located in Beijing.

2. Create a sub pipe to limit the traffic of its R&D department.

3. Create a sub pipe to limit the traffic of the specified applications so that each application has its own bandwidth.

4. Create a sub pipe to limit the traffic of the specified users so that each user owns the defined bandwidth when using
the specified application.
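The nesting and bandwidth rules above, applied to the company layout just listed, as an added example that is not Hillstone code: a small validator for a pipe tree. The Pipe data model, the kbps figures and the function names are assumptions made for this example.

```python
# Added example (not Hillstone code): validates an iQoS pipe tree against the
# rules stated in the guide: at most four levels, no sub pipes under the default
# pipe, sub pipe min/max sums bounded by the parent, priority 0-7, and a root
# pipe must not carry only backward actions. Units (kbps) are assumed.
from dataclasses import dataclass, field
from typing import List

MAX_LEVELS = 4                 # a root pipe plus at most three levels of sub pipes
DEFAULT_PIPE = "default"       # the system-predefined pipe; it cannot have sub pipes
PRIORITY_RANGE = range(0, 8)   # 0..7, the smaller the value the higher the priority


@dataclass
class Pipe:
    name: str
    min_bw: int                # minimum bandwidth in kbps (assumed unit)
    max_bw: int                # maximum bandwidth in kbps (assumed unit)
    priority: int = 7          # the default pipe has priority 7
    forward: bool = True       # forward (source -> destination) actions configured
    backward: bool = False     # backward (destination -> source) actions configured
    children: List["Pipe"] = field(default_factory=list)


def root_pipe(name: str, bandwidth: int, **kw) -> Pipe:
    """A root pipe has a single pipe bandwidth, so min and max are the same."""
    return Pipe(name, bandwidth, bandwidth, **kw)


def validate_pipe_tree(root: Pipe) -> List[str]:
    """Return the list of rule violations found in the tree (empty means valid)."""
    errors: List[str] = []
    if root.name == DEFAULT_PIPE and root.children:
        errors.append("sub pipes cannot be nested under the default pipe")
    if root.backward and not root.forward:
        errors.append(f"root pipe {root.name!r} has only backward actions and cannot work")
    _check(root, 1, errors)
    return errors


def _check(pipe: Pipe, level: int, errors: List[str]) -> None:
    if level > MAX_LEVELS:
        errors.append(f"pipe {pipe.name!r} is at level {level}; "
                      f"at most {MAX_LEVELS} levels are allowed")
        return  # nothing below this pipe can be valid either
    if pipe.priority not in PRIORITY_RANGE:
        errors.append(f"pipe {pipe.name!r}: priority {pipe.priority} is outside 0-7")
    if pipe.children:
        # Sub pipes at the same level: the sums of their minimum and maximum
        # bandwidths must not exceed the parent's minimum and maximum.
        total_min = sum(c.min_bw for c in pipe.children)
        total_max = sum(c.max_bw for c in pipe.children)
        if total_min > pipe.min_bw:
            errors.append(f"sub pipes of {pipe.name!r} need {total_min} kbps minimum, "
                          f"more than the parent minimum of {pipe.min_bw} kbps")
        if total_max > pipe.max_bw:
            errors.append(f"sub pipes of {pipe.name!r} allow {total_max} kbps maximum, "
                          f"more than the parent maximum of {pipe.max_bw} kbps")
    for child in pipe.children:
        _check(child, level + 1, errors)


def beijing_example() -> Pipe:
    """The four-level office -> department -> application -> user layout from the
    guide, with constructed bandwidth figures."""
    users = [Pipe("user-alice", 2_000, 5_000), Pipe("user-bob", 2_000, 5_000)]
    apps = [Pipe("app-video", 10_000, 30_000, priority=1, children=users),
            Pipe("app-mail", 5_000, 20_000, priority=3)]
    rd = Pipe("rd-department", 20_000, 50_000, children=apps)
    return root_pipe("beijing-office", 100_000, children=[rd])


if __name__ == "__main__":
    for problem in validate_pipe_tree(beijing_example()) or ["tree is valid"]:
        print(problem)
```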

Traffic Control Levels

The system supports two-level traffic control: level-1 control and level-2 control. In each level, the traffic control is imple-
mented by pipes. Traffic that is dealt with by level-1 control flows into the level-2 control, and then the system performs
the further management and control according to the pipe configurations of level-2 control. After the traffic flows into
the device, the process of iQoS is shown as below:

According to the chart above, the process of traffic control is described below:

1. The traffic first flows into the level-1 control, and then the system classifies the traffic into different pipes according to the traffic matching conditions of the pipes of level-1 control. The traffic that cannot match any pipe will be classified into the default pipe. If the same conditions are configured in different root pipes, the traffic will first match the root pipe listed at the top of the Level-1 Control list in the Policy > iQoS page. After the traffic flows into the root pipe, the system classifies the traffic into different sub pipes according to the traffic matching conditions of each sub pipe.

2. According to the traffic management actions configured for the pipes, the system manages and controls the traffic
that matches the traffic matching conditions.

3. The traffic dealt with by level-1 control flows into the level-2 control. The system manages and controls the traffic in level-2 control. The principles of traffic matching, management and control are the same as those of the level-1 control.

4. Complete the process of iQoS.

Enabling/Disabling Traffic Control


The first level traffic control is enabled by default. To disable it, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. Select a device from the devices navigation pane.

3. Select Policies > iQoS to enter iQoS page.

4. In the Level-1 Control tab, click Disable First Level Control from the toolbar.
First level traffic control will be disabled. If you need to enable it, please click Enable First Level Control from the toolbar.
The second level traffic control is disabled by default. To enable it, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. Select a device from the devices navigation pane.

3. Select Policies > iQoS to enter iQoS page.

4. In the Level-2 Control tab, click Enable Second Level Control from the toolbar.
Second level traffic control will be enabled. If you need to disable it, please click Disable Second Level Control from
the toolbar.

Pipe Configuration
By using pipes, devices implement iQoS. Pipes in different traffic control levels will take effect in different stages.
Configuring pipes includes the following sections:

1. Create the traffic matching conditions, which are used to capture the traffic that matches these conditions. If configuring multiple traffic matching conditions for a pipe, the logical relation between each condition is OR.

2. Create a white list according to your requirements. The system will not control the traffic in the white list. Only root
pipe and the default pipe support the white list.

3. Specify the traffic management actions, which are used to deal with the traffic that is classified into a pipe.

4. Specify the schedule. The pipe will take effect during the specified time period.

Basic Operations

Select Policy > iQoS to open the iQoS page.

You can perform the following actions in this page:

View pipe information: The pipe list displays the name, mode, action, schedule, and so on.

Click the icon to expand the root pipe and display its sub pipes.

Click the icon in Condition column to view the condition settings.

Click the icon of the root pipe in Whitelist column to view the white list settings.

If there is a red exclamation mark before a pipe name, the pipe is unusable. To view the reason, hover over the exclamation mark.

Create a root pipe: Select the Level-1 Control or Level-2 Control tab, then click New in the menu bar to create a new
root pipe.

Create a sub pipe: Click the icon of the root pipe or the sub pipe to create the corresponding sub pipe.

Click Enable in the menu bar to enable the selected pipe. By default, the newly-created pipe will be enabled.

Click Disable in the menu bar to disable the selected pipe. The disabled pipe will not take effect.

Click Delete to delete the selected pipe. The default pipe cannot be deleted.

Creating a Pipe

To create a pipe:

1. According to the methods above, create a root pipe or sub pipe. The Pipe Configuration page appears.

2. In the Basic tab, specify the basic pipe information.

Parent Pipe/Control Level: Displays the control level or the parent pipe of the newly created pipe.

Pipe Name: Specify a name for the new pipe.

Description: Specify the description of this pipe.

QoS Mode: Shape, Policy, or Monitor.

The Shape mode can limit the data transmission rate and smoothly forward the traffic. This mode supports
the bandwidth borrowing and priority adjusting for the traffic within the root pipe.

The Policy mode will drop the traffic that exceeds the bandwidth limit. This mode does not support the
bandwidth borrowing and priority adjusting, and cannot guarantee the minimum bandwidth.

The Monitor mode will monitor the matched traffic, generate the statistics, and will not control the traffic.


3. In the Condition tab, click New. In the Condition Configuration tab, configure the corresponding options.

Source Information

Zone: Specify the source zone of the traffic. Select the zone name from the drop-down menu.

Interface: Specify the source interface of the traffic. Select the interface name from the drop-down menu.

Address: Specify the source address of the traffic.

1. Select an address type from the Address drop-down list.

2. Select or type the source addresses based on the selected type.

3. Click the icon to add the addresses to the right pane.

4. After adding the desired addresses, click the blank area in this dialog to complete the address configuration.

You can also perform other operations:

When selecting the Address Book type, you can click Add to create a new address entry.

The default address configuration is any. To restore the configuration to this default one, select the any check box.

Destination Information

Zone: Specify the destination zone of the traffic. Select the zone name from the drop-down menu.

Interface: Specify the destination interface of the traffic. Select the interface name from the drop-down menu.

Address: Specify the destination address of the traffic.

1. Select an address type from the Address drop-down list.

2. Select or type the destination addresses based on the selected type.

3. Click the icon to add the addresses to the right pane.

4. After adding the desired addresses, click the blank area in this dialog to complete the address configuration.

You can also perform other operations:

When selecting the Address Book type, you can click Add to create a new address entry.

The default address configuration is any. To restore the configuration to this default one, select the any check box.

User Information: Specify a user or user group that the traffic belongs to.

1. From the User drop-down menu, select the AAA server where the users and user groups reside.

2. Depending on the type of AAA server, you can execute one or more actions: search for a user/user group/role, expand the user/user group list, or enter the name of the user/user group.

3. After selecting users/user groups/roles, click the icon to add them to the right pane.

4. After adding the desired objects, click the blank area in this dialog to complete the user information configuration.

Service: Specify a service or service group that the traffic belongs to.

1. From the Service drop-down menu, select a type: Service or Service Group.

2. You can search for the desired service/service group or expand the service/service group list.

3. After selecting the desired services/service groups, click the icon to add them to the right pane.

4. After adding the desired objects, click the blank area in this dialog to complete the service configuration.

You can also perform other operations:

To add a new service or service group, click Add.

The default service configuration is any. To restore the configuration to this default one, select the any check box.

Application: Specify an application or application group that the traffic belongs to. The system supports at most 8-layer nested application groups. Expand Application Group from the left pane, select applications, application groups, or software, and then click the icon to add them to the right pane. To remove a selected application or application group, select it from the right pane, and then click the icon. To add a new application group, click New AppGroup.

URL Category: Specify the URL category that the traffic belongs to. After the URL category is specified, the system matches the traffic according to the specified category.

1. In the URL category drop-down menu, select one or more URL categories, up to 8 categories.

2. After selecting the desired categories, click the blank area in this dialog to complete the configuration.

To add a new URL category, click New; the URL Category dialog box appears. In this dialog box, you can configure the category name and URL.

Select a URL category and click Edit; the URL Category dialog box appears. In this dialog box, you can edit the URLs in the category.

Advanced

VLAN: Specify the VLAN information of the traffic.

TOS: Specify the TOS fields of the traffic; or click Configure to specify the TOS fields of the IP header of the traffic in the TOS Configuration dialog that appears.

Precedence: Specify the precedence.

Delay: Specify the minimum delay.

Throughput: Specify the maximum throughput.

Reliability: Specify the highest reliability.

Cost: Specify the minimum monetary cost.

Reserved: Specify the normal service.

4. If you are configuring root pipes, you can specify the white list settings; the options are the same as those described for configuring conditions.

5. In the Action tab, configure the corresponding actions.

Forward (From source to destination)
The following configurations control the traffic that flows from the source to the destination. For the traffic that matches the conditions, the system will perform the corresponding actions.

Pipe Bandwidth: When configuring the root pipe, specify the pipe bandwidth. When configuring a sub pipe, specify the maximum bandwidth and the minimum bandwidth of the pipe:

Min Bandwidth: Specify the minimum bandwidth. If you want this minimum bandwidth to be reserved so that it cannot be used by other pipes, select Enable Reserved Bandwidth.

Max Bandwidth: Specify the maximum bandwidth.

Limit type: Specify the maximum bandwidth and minimum bandwidth of the pipe for each user/IP:

Type: Select the type of the bandwidth limitation: No Limit, Limit Per IP, or Limit Per User.

No Limit means that the system will not limit the bandwidth for each IP or each user.

Limit Per IP means that the system will limit the bandwidth for each IP. In the Limit by section, select Source IP to limit the bandwidth of the source IP in this pipe, or select Destination IP to limit the bandwidth of the destination IP in this pipe.

Limit Per User means that the system will limit the bandwidth for each user. In the Limit by section, specify the minimum/maximum bandwidth of the users.

When configuring the root pipe, you can select the Enable Average Bandwidth check box to make each source IP, destination IP, or user share an average bandwidth.

Limit by: When the Limit type is Limit Per IP or Limit Per User, you need to specify the minimum bandwidth or the maximum bandwidth:

Min Bandwidth: Specify the minimum bandwidth.

Max Bandwidth: Specify the maximum bandwidth.

Advanced

Priority: Specify the priority for the pipe. Select a number between 0 and 7 from the drop-down menu. The smaller the value, the higher the priority. When a pipe has a higher priority, the system deals with the traffic in it first and borrows the extra bandwidth from other pipes for it. The priority of the default pipe is 7.

TOS: Specify the TOS fields of the traffic; or click Configure to specify the TOS fields of the IP header of the traffic in the TOS Configuration page that appears.

Precedence: Specify the precedence.

Delay: Specify the minimum delay.

Throughput: Specify the maximum throughput.

Reliability: Specify the highest reliability.

Cost: Specify the minimum monetary cost.

Reserved: Specify the normal service.

Backward (From condition's destination to source)
The following configurations control the traffic that flows from the destination to the source. For the traffic that matches the conditions, the system will perform the corresponding actions.

Pipe Bandwidth: When configuring the root pipe, specify the pipe bandwidth. When configuring a sub pipe, specify the maximum bandwidth and the minimum bandwidth of the pipe:

Min Bandwidth: Specify the minimum bandwidth. If you want this minimum bandwidth to be reserved so that it cannot be used by other pipes, select Enable Reserved Bandwidth.

Max Bandwidth: Specify the maximum bandwidth.

Limit type: Specify the maximum bandwidth and minimum bandwidth of the pipe for each user/IP:

Type: Select the type of the bandwidth limitation: No Limit, Limit Per IP, or Limit Per User.

No Limit means that the system will not limit the bandwidth for each IP or each user.

Limit Per IP means that the system will limit the bandwidth for each IP. In the Limit by section, select Source IP to limit the bandwidth of the source IP in this pipe, or select Destination IP to limit the bandwidth of the destination IP in this pipe.

Limit Per User means that the system will limit the bandwidth for each user. In the Limit by section, specify the minimum/maximum bandwidth of the users.

When configuring the root pipe, you can select the Enable Average Bandwidth check box to make each source IP, destination IP, or user share an average bandwidth.

Limit by: When the Limit type is Limit Per IP or Limit Per User, you need to specify the minimum bandwidth or the maximum bandwidth:

Min Bandwidth: Specify the minimum bandwidth.

Max Bandwidth: Specify the maximum bandwidth.

Advanced

Priority: Specify the priority for the pipe. Select a number between 0 and 7 from the drop-down menu. The smaller the value, the higher the priority. When a pipe has a higher priority, the system deals with the traffic in it first and borrows the extra bandwidth from other pipes for it. The priority of the default pipe is 7.

TOS: Specify the TOS fields of the traffic; or click Configure to specify the TOS fields of the IP header of the traffic in the TOS Configuration page that appears.

Precedence: Specify the precedence.

Delay: Specify the minimum delay.

Throughput: Specify the maximum throughput.

Reliability: Specify the highest reliability.

Cost: Specify the minimum monetary cost.

Reserved: Specify the normal service.

6. In the Schedule tab, configure the time period when the pipe will take effect. Select the schedule from the drop-
down list, or create a new one.

7. Click OK to save the settings.

NAT

Creating a SNAT Rule
To create a SNAT Rule, take the following steps:

1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation pane to enter the device con-
figuration page.

2. From the device navigation pane, click the device you want to configure a SNAT rule.

3. From the object navigation pane, click SNAT. The main window shows the SNAT rule list.

4. From the toolbar of the SNAT rules list, click New. The SNAT Configuration page appears.

In the Basic tab in the SNAT Configuration dialog, configure the SNAT basic options.

Virtual Router: Specify a Virtual Router for the SNAT rule.

Source Addr: Specify the source IP address of the traffic, including:

Address Entry - Select an address entry from the drop-down list.
IP Address - Type an IP address into the IP address box.
IP/Netmask - Type an IP address and subnet mask into the box.

Destination Addr: Specify the destination IP address of the traffic, including:

Address Entry - Select an address entry from the drop-down list.
IP Address - Type an IP address into the IP address box.
IP/Netmask - Type an IP address and subnet mask into the box.

Ingress: Specify the ingress traffic of the source NAT rule. The default ingress is all traffic.
All Traffic: Specify the ingress traffic of the source NAT rule is all traffic. The traffic from any interface will match
the source NAT rule.
Ingress Interface: Specify the ingress interface of traffic in the source NAT rule. Select an interface from the
drop-down list. Only the traffic flowing from the configured ingress interface will match the source NAT rule.

Egress: Specify the egress traffic, including:


All Traffic - Specify all traffic as the egress traffic.
Egress interface - Specify the egress interface of traffic. Select an interface from the drop-down list.
Next Virtual Router - Specify the next Virtual Router of traffic. Select a Virtual Router from the drop-down list.

Service: Select the service you need from the Service drop-down list.

NAT Address: Specify the translated NAT IP address, including:

Egress - Specify the NAT IP address to be an egress interface IP address. If Sticky is enabled, all sessions from an IP address will be mapped to the same fixed IP address. Click the Enable check box behind Sticky to enable Sticky.
Specified IP - Specify the NAT IP address to be a specified IP address, using one of the following modes:
Static - Select the Static radio button. Static mode means one-to-one translation. This mode requires the translated address entry to contain the same number of IP addresses as the source address entry.
Dynamic IP - Select the Dynamic IP radio button. Dynamic IP mode means multiple-to-one translation. This mode translates the source address to a specific IP address. Each source address will be mapped to a unique IP address, until all specified addresses are occupied.
Dynamic Port - Select the Dynamic Port radio button. This is PAT: multiple source addresses will be translated to one specified IP address in an address entry. If Sticky is not enabled, the first address in the address entry will be used first; when the port resources of the first address are exhausted, the second address will be used. If Sticky is enabled, all sessions from an IP address will be mapped to the same fixed IP address. Click the Enable check box behind Sticky to enable Sticky. You can also track whether the public address after NAT is available, i.e., use the translated address as the source address to track whether the destination website or host is accessible. Select the Enable check box behind Track to enable the function, and select a track object from the drop-down list.
No NAT - Do not implement NAT.
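The Dynamic Port (PAT) address selection described above, with Sticky disabled versus enabled, as an added example that is not Hillstone code: a small model that shows which translated address each new session receives. The class name, the per-address port budget and the sample addresses are constructed for this example, and what happens once a sticky address runs out of ports is an assumption the guide does not state.

```python
# Added example (not Hillstone code): models the Dynamic Port address choice
# described in the SNAT guide. Sticky off: fill the first address of the entry,
# then the second. Sticky on: every session from a source IP keeps the address
# it was first given. The port budget per address is a constructed number.
from typing import Dict, List, Optional


class DynamicPortSnat:
    def __init__(self, nat_addresses: List[str], ports_per_address: int, sticky: bool):
        self.addresses = nat_addresses            # the translated address entry, in order
        self.capacity = ports_per_address         # assumed port budget per translated IP
        self.sticky = sticky
        self.used: Dict[str, int] = {a: 0 for a in nat_addresses}
        self.fixed: Dict[str, str] = {}           # Sticky: source IP -> fixed translated IP

    def _first_with_free_ports(self) -> Optional[str]:
        # Sticky off: the first address is used until its ports are exhausted,
        # then the second, and so on down the address entry.
        for addr in self.addresses:
            if self.used[addr] < self.capacity:
                return addr
        return None

    def new_session(self, source_ip: str) -> Optional[str]:
        """Translated address for a new session from source_ip, None if nothing is free."""
        if self.sticky:
            addr = self.fixed.get(source_ip)
            if addr is None:
                addr = self._first_with_free_ports()
                if addr is None:
                    return None
                self.fixed[source_ip] = addr      # later sessions keep this address
            if self.used[addr] >= self.capacity:
                # Assumption: a sticky mapping is not moved to another address,
                # so the session fails rather than spilling over.
                return None
        else:
            addr = self._first_with_free_ports()
            if addr is None:
                return None
        self.used[addr] += 1
        return addr


def translate_all(snat: DynamicPortSnat, sources: List[str]) -> List[Optional[str]]:
    """Run a sequence of new sessions through the model and collect the results."""
    return [snat.new_session(src) for src in sources]


if __name__ == "__main__":
    pool = ["198.51.100.10", "198.51.100.11"]     # constructed documentation addresses
    print(translate_all(DynamicPortSnat(pool, 2, sticky=False), ["10.0.0.1"] * 3))
    print(translate_all(DynamicPortSnat(pool, 2, sticky=True), ["10.0.0.1"] * 3))
```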

Description: Specify the description of the SNAT rule.

In the Advanced tab, configure the SNAT advanced options.

HA Group: Specify the HA group that the SNAT rule belongs to. The default setting is 0.

NAT Log: Select the Enable check box to enable the log function for this SNAT rule (generating log information
when there is traffic matching to this NAT rule).

Rule Position: Specify the position of the rule. Each SNAT rule has a unique ID. When traffic flows into the device, the device searches the SNAT rules in sequence, and then implements NAT on the source IP of the traffic according to the first matched rule. The sequence of IDs shown in the SNAT rule list is the order of rule matching. Select one of the following items from the drop-down list:
Bottom - The rule is located at the bottom of all the rules in the SNAT rule list. By default, the system puts the newly-created SNAT rule at the bottom of all SNAT rules.
Top - The rule is located at the top of all the rules in the SNAT rule list.
Before ID - Type the ID number into the text box. The rule will be located before the ID you specified.
After ID - Type the ID number into the text box. The rule will be located after the ID you specified.

ID: Specify how the rule ID is assigned: automatically by the system or manually by you. If you click Manually assign ID, type an ID number into the box behind it.

5. Click OK to save your settings. The new SNAT rule will be shown in the SNAT rule list.

Editing/Deleting a SNAT Rule
To edit/delete a SNAT rule, take the following steps:

1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation pane to enter the device con-
figuration page.

2. From the device navigation pane, click the device you want to edit or delete a SNAT rule.

3. From the object navigation pane, click SNAT. The main window shows the SNAT rule list.

4. Select the SNAT rule you want to edit/delete from the SNAT rules list.

5. Click Edit/Delete from the toolbar.

Creating an IP Mapping Rule
To create an IP Mapping rule, take the following steps:

1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation pane to enter the device con-
figuration page.

2. From the device navigation pane, click the device you want to configure an IP mapping rule.

3. From the object navigation pane, click DNAT. The main window shows the DNAT rule list.

4. From the toolbar of the DNAT rules list, click New > IP Mapping. The IP Mapping Configuration page appears.

In the IP Mapping Configuration page, configure the DNAT options.

Virtual Router: Specify a Virtual Router for the DNAT rule.

HA Group: Specify the HA group that the DNAT rule belongs to. The default setting is 0.

Destination Addr: Specify the destination IP address of the traffic, including:


Address Entry - Select an address entry from the drop-down list.
IP Address - Type an IP address into the IP address box.
IP/Netmask - Type an IP address and subnet mask into the box.

Translated to : Specify translated IP address, including:


Address Entry - Select an address entry from the drop-down list.
IP Address - Type an IP address into the IP address box.
IP/Netmask - Type an IP address and subnet mask into the box.

Description: Specify the description of the DNAT rule.

5. Click OK to save your settings. The new DNAT rule will be shown in the DNAT rules list.

Creating a Port Mapping Rule
To create a Port Mapping rule, take the following steps:

1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation pane to enter the device con-
figuration page.

2. From the device navigation pane, click the device you want to configure a port mapping rule.

3. From the object navigation pane, click DNAT. The main window shows the DNAT rule list.

4. From the toolbar of the DNAT rules list, click New > Port Mapping. The Port Mapping Configuration page appears.

In the Port Mapping Configuration page, configure the DNAT options.

Virtual Router: Specify a Virtual Router for the DNAT rule.

HA Group: Specify the HA group that the DNAT rule belongs to. The default setting is 0.

Destination Addr: Specify the destination IP address of the traffic, including:


Address Entry - Select an address entry from the drop-down list.
IP Address - Type an IP address into the IP address box.
IP/Netmask - Type an IP address and subnet mask into the box.

Service: Select the service you need from the Service drop-down list.

Translated to: Specify translated IP address, including:


Address Entry - Select an address entry from the drop-down list.
IP Address - Type an IP address into the IP address box.
IP/Netmask - Type an IP address and subnet mask into the box.

Destination Port: Specify translated port, type the port number into the box.

Description: Specify the description of the DNAT rule.

5. Click OK to save your settings. The new DNAT rule will be shown in the DNAT rules list.

Creating an Advanced DNAT Rule
To create an Advanced DNAT rule, take the following steps:

1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation pane to enter the device con-
figuration page.

2. From the device navigation pane, click the device you want to configure an advanced DNAT rule.

3. From the object navigation pane, click DNAT. The main window shows the DNAT rule list.

4. From the toolbar of the DNAT rules list, click New > Advanced. The DNAT Configuration page appears.

In the Basic tab in the DNAT Configuration dialog, configure the DNAT basic options.

Virtual Router: Specify a Virtual Router for the DNAT rule.

Source Addr: Specify the source IP address of the traffic, including:

Address Entry - Select an address entry from the drop-down list.
IP Address - Type an IP address into the IP address box.
IP/Netmask - Type an IP address and subnet mask into the box.

Destination Addr: Specify the destination IP address of the traffic, including:

Address Entry - Select an address entry from the drop-down list.
IP Address - Type an IP address into the IP address box.
IP/Netmask - Type an IP address and subnet mask into the box.

Service: Select the service you need from the Service drop-down list.

Action: Specify the action for the traffic you specified, including:
NAT - Implements NAT for the eligible traffic.
Translated to: For the NAT option, you need to specify the translated IP address. Select an address entry or SLB server pool from the Translated to drop-down list, or type an IP address, or an IP address and netmask, in the Translated to box.
NAT Port: Select the Enable check box and type the translated port number into the Port box. The range is 1 to 65535.
Load Balancing: Select the Enable check box to enable the function. Then traffic will be balanced across different Intranet servers.
No NAT - Do not implement NAT for the eligible traffic.

Description: Specify the description of the DNAT rule.

In the Advanced tab, configure the DNAT advanced options.

Ping Track: Select the Enable check box to enable Ping track, which means the system will send Ping packets to
check whether the Intranet servers are reachable.

TCP Track: Select the Enable check box to enable TCP track, which means the system will send TCP packets to
check whether the TCP ports of Intranet servers are reachable.

TCP Port: Specify the port number. The value range is 1 to 65535.

NAT Log: Select the Enable check box to enable the log function for this DNAT rule (generating log information
when there is traffic matching to this NAT rule).

HA Group: Specify the HA group that the DNAT rule belongs to. The default setting is 0.

Rule Position: Specify the position of the rule. Each DNAT rule has a unique ID. When traffic flows into the
device, the device searches the DNAT rules in sequence and implements NAT on the destination IP of the traffic
according to the first matched rule. The order of the IDs shown in the DNAT rule list is the order of rule
matching. Select one of the following items from the drop-down list:
Bottom - The rule is located at the bottom of all the rules in the DNAT rule list. By default, the system puts the
newly-created DNAT rule at the bottom of all DNAT rules.
Top - The rule is located at the top of all the rules in the DNAT rule list.
Before ID - Type the ID number into the box. The rule will be located before the ID you specified.
After ID - Type the ID number into the box. The rule will be located after the ID you specified.

ID: Specify how the rule ID is assigned. It can be assigned automatically by the system or manually by you. If
you click Manually assign ID, type an ID number into the box behind it.

5. Click OK to save your settings. The new DNAT rule will be shown in the DNAT rules list.
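The Rule Position option matters because DNAT rules are matched by sequence and only the first match is applied: a broad rule placed above a specific one silently shadows it. The following Python model is an added example written for this guide, not HSM code; the rule fields (dst, service, action, translated_to, nat_port) are assumptions taken from the dialog options above, and the addresses are constructed documentation ranges.

```python
"""Added example (not HSM code): how an ordered DNAT rule list is matched.

Models the Rule Position semantics: the list is searched in sequence and the
first matching rule decides the translation. Rule fields are assumed from the
DNAT Configuration dialog; sample addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class DnatRule:
    rule_id: Optional[int]           # None = let the list assign the next free ID
    dst: str                         # destination IP or IP/netmask before translation
    service: Tuple[str, int]         # (protocol, port); ("any", 0) matches every service
    action: str                      # "NAT" or "No NAT"
    translated_to: Optional[str] = None
    nat_port: Optional[int] = None   # None = keep the original destination port


class DnatRuleList:
    def __init__(self) -> None:
        self.rules: List[DnatRule] = []
        self._next_id = 1

    def _index_of(self, ref_id: Optional[int]) -> int:
        for i, rule in enumerate(self.rules):
            if rule.rule_id == ref_id:
                return i
        raise KeyError(f"no DNAT rule with ID {ref_id}")

    def add(self, rule: DnatRule, position: str = "Bottom", ref_id: Optional[int] = None) -> int:
        """Insert a rule at Bottom (default), Top, Before ID or After ID."""
        if rule.rule_id is None:
            rule.rule_id = self._next_id
        if any(r.rule_id == rule.rule_id for r in self.rules):
            raise ValueError(f"duplicate DNAT rule ID {rule.rule_id}")
        self._next_id = max(self._next_id, rule.rule_id + 1)
        if position == "Bottom":
            self.rules.append(rule)
        elif position == "Top":
            self.rules.insert(0, rule)
        elif position in ("Before ID", "After ID"):
            idx = self._index_of(ref_id)
            self.rules.insert(idx if position == "Before ID" else idx + 1, rule)
        else:
            raise ValueError(f"unknown rule position {position!r}")
        return rule.rule_id

    def lookup(self, dst_ip: str, proto: str, port: int) -> Optional[DnatRule]:
        """Sequential search; the first rule whose destination and service match wins."""
        dst = ip_address(dst_ip)
        for rule in self.rules:
            if dst not in ip_network(rule.dst, strict=False):
                continue
            rule_proto, rule_port = rule.service
            if rule_proto != "any" and (rule_proto, rule_port) != (proto, port):
                continue
            return rule
        return None


def translate(rules: DnatRuleList, dst_ip: str, proto: str, port: int) -> Tuple[str, int]:
    """Return the (destination IP, port) a packet is forwarded to after DNAT."""
    rule = rules.lookup(dst_ip, proto, port)
    if rule is None or rule.action == "No NAT":
        return dst_ip, port
    return rule.translated_to, rule.nat_port if rule.nat_port else port


def demo() -> Tuple[Tuple[str, int], Tuple[str, int], List[int]]:
    rules = DnatRuleList()
    # ID 1: public VIP 203.0.113.10:443 -> web server 10.0.0.10:8443
    rules.add(DnatRule(None, "203.0.113.10", ("tcp", 443), "NAT", "10.0.0.10", 8443))
    # ID 2: everything else for the VIP block is left untranslated
    rules.add(DnatRule(None, "203.0.113.0/24", ("any", 0), "No NAT"))
    untouched = translate(rules, "203.0.113.10", "tcp", 22)      # falls through to ID 2
    # ID 3 placed at Top covers the whole /24 on tcp/443 and shadows ID 1
    rules.add(DnatRule(None, "203.0.113.0/24", ("tcp", 443), "NAT", "10.0.0.20"), position="Top")
    shadowed = translate(rules, "203.0.113.10", "tcp", 443)      # now hits ID 3, not ID 1
    # ID 4 inserted Before ID 2 keeps the catch-all rule last
    rules.add(DnatRule(None, "203.0.113.11", ("udp", 53), "NAT", "10.0.0.53"),
              position="Before ID", ref_id=2)
    return untouched, shadowed, [r.rule_id for r in rules.rules]
```

Running demo() shows the list order [3, 1, 4, 2] and that the rule added at Top now decides where 203.0.113.10:443 lands, which is exactly the kind of change to review before deploying a rule set: a more specific rule that never matches is dead configuration, and traffic may be steered to a server the operator did not intend.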

Route

Creating a Route Item
To create a Route Item on the HSM device configuration page, take the following steps:

1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation pane to enter the device
configuration page.

2. From the device navigation pane, click the device for which you want to create a route entry.

3. From the object navigation pane, click Destination Route(Private). The Route items list appears in the main window
below.

4. From the toolbar of the Route items list, click New. The Destination Route Configuration page appears.

In the Destination Route Configuration dialog, configure the destination route options.

Destination: Specify the destination IP address of the route item.

Subnet Mask: Specify the corresponding subnet mask of destination IP address.

Next Hop: Click the Gateway, Interface or Virtual Router radio button. If Gateway is selected, type the IP address
into the Gateway box below; if Interface is selected, select a name from the Interface drop-down list below; if
Virtual Router is selected, select a name from the Virtual Router drop-down list below.

Schedule: Specifies a schedule during which the route item takes effect. Select a desired schedule from the Schedule
drop-down list. After selecting the desired schedules, click the blank area in this dialog to complete the schedule
configuration.

Precedence: Specify the precedence of the route. The smaller the parameter is, the higher the precedence is. If
multiple routes are available, the route with higher precedence will be prioritized. The value range is 1 to 255. The
default value is 1. When the value is set to 255, the route is invalid.

Weight: Specify the weight of route. This parameter is used to determine the weight of traffic forwarding in load
balance. The value range is 1 to 255. The default value is 1.

Description: If necessary, type description information for the route item in this text box.

5. Click OK to save your settings. The new route item will be shown in the route items list.
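The Precedence and Weight options above describe how the device chooses between overlapping routes: lower precedence wins, 255 disables the route, and equal candidates share traffic by weight. The Python model below is an added example, not HSM code; longest-prefix matching before the precedence comparison is an assumption of this model, and the route table is constructed.

```python
"""Added example (not HSM code): destination route selection with precedence and weight.

Among routes that match a destination, the lowest precedence value wins,
precedence 255 makes a route invalid, and equal candidates share traffic in
proportion to weight. Longest-prefix matching before the precedence comparison
is an assumption of this model; addresses are constructed.
"""
import zlib
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

INVALID_PRECEDENCE = 255


@dataclass(frozen=True)
class Route:
    destination: str
    netmask: str
    next_hop: str            # gateway IP, interface name, or virtual router name
    precedence: int = 1      # 1..255, smaller is preferred; 255 = route invalid
    weight: int = 1          # 1..255, share of traffic among equal candidates

    def __post_init__(self) -> None:
        if not (1 <= self.precedence <= 255 and 1 <= self.weight <= 255):
            raise ValueError("precedence and weight must be within 1 to 255")

    @property
    def network(self):
        return ip_network(f"{self.destination}/{self.netmask}", strict=False)


def select_route(routes: List[Route], dst_ip: str, flow_key: str = "") -> Optional[Route]:
    """Pick the route used to forward dst_ip; flow_key makes weighted sharing deterministic."""
    dst = ip_address(dst_ip)
    candidates = [r for r in routes
                  if r.precedence != INVALID_PRECEDENCE and dst in r.network]
    if not candidates:
        return None
    longest = max(r.network.prefixlen for r in candidates)
    candidates = [r for r in candidates if r.network.prefixlen == longest]
    best = min(r.precedence for r in candidates)
    candidates = [r for r in candidates if r.precedence == best]
    if len(candidates) == 1:
        return candidates[0]
    # Weighted load balance: hash the flow onto a slot in [0, sum of weights)
    slot = zlib.crc32(flow_key.encode()) % sum(r.weight for r in candidates)
    for r in candidates:
        if slot < r.weight:
            return r
        slot -= r.weight
    return candidates[-1]


def demo() -> Tuple[str, str, str, str, float]:
    routes = [
        Route("0.0.0.0", "0.0.0.0", "ethernet0/0"),                         # default route
        Route("10.0.0.0", "255.0.0.0", "192.168.1.1", precedence=1),        # primary
        Route("10.0.0.0", "255.0.0.0", "192.168.1.2", precedence=10),       # backup
        Route("10.1.0.0", "255.255.0.0", "192.168.2.1"),                    # more specific
        Route("10.2.0.0", "255.255.0.0", "192.168.3.1", weight=3),          # shares 3:1
        Route("10.2.0.0", "255.255.0.0", "192.168.3.2", weight=1),
        Route("172.16.0.0", "255.240.0.0", "192.168.9.9", precedence=255),  # disabled
    ]
    primary = select_route(routes, "10.5.5.5").next_hop      # precedence 1 beats 10
    specific = select_route(routes, "10.1.2.3").next_hop     # /16 beats /8
    default = select_route(routes, "172.16.4.4").next_hop    # 255 is invalid, default used
    failed = list(routes)
    failed[1] = Route("10.0.0.0", "255.0.0.0", "192.168.1.1", precedence=255)
    backup = select_route(failed, "10.5.5.5").next_hop       # failover to the backup
    flows = [f"flow-{i}" for i in range(1000)]
    share = sum(select_route(routes, "10.2.0.1", f).next_hop == "192.168.3.1"
                for f in flows) / len(flows)                 # about 0.75
    return primary, specific, default, backup, share
```

Setting a route's precedence to 255 is a reversible way to take it out of service without deleting it; the model shows that the next-best candidate then takes over, so a route that was meant as an inactive placeholder can become live the moment a higher-priority route is disabled.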

Synchronizing Configuration


HSM can retrieve the policy configuration of a device, and you can also configure the policy of the device on HSM. After
the policy is modified on HSM or on the local device, the device configuration saved on HSM no longer matches the local
one. In this case, you can decide whether to synchronize the configuration according to the differences.
The icons shown in the device navigation pane indicate the differences:

(HSM modified icon): Configurations are not the same; the configuration on HSM has been modified. The detailed changes
are shown when the mouse hovers over the icon.

(Device modified icon): Configurations are not the same; the configuration on the local device has been modified. The
detailed changes are shown when the mouse hovers over the icon.
On HSM, you can synchronize the configuration in two ways:

Import Configuration: Import the local configuration to HSM.

Deploy Configuration: Deploy the HSM configuration to the device. The configuration on device will be replaced by
the deployed configuration.
HSM provides the function of viewing the latest configuration information of the managed devices. To read the latest
configuration information of the device, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, right-click on the device, and then select View Latest Configurations from the
pop-up menu.
To import the local configuration to HSM, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, right-click on the device, and then select Import Configuration from the pop-up
menu.

3. Click OK on the confirmation dialog. HSM starts uploading the local configuration.

Note: When you import the local configuration to HSM, if the association or inheritance
relationship between the device and its shared configuration on HSM is consistent, the previous
relationship is kept and the configuration is imported directly. If not, HSM prompts "The relation
between shared configuration and device will be changed, continue?". Click OK to release the
device's shared configuration on HSM; the imported configuration is then private. Click Cancel to
leave the local device configuration unimported.

To batch import the local configuration to HSM, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, right-click and then select Batch Import Configuration from the pop-up menu. The
Batch Import Configuration dialog appears.

3. Select the devices or VSYS from the device entry list.

4. Specify the import mode. If Immediately is selected, HSM will generate a task and execute the task immediately; if
Generate Task is selected, HSM will generate a task, and you can execute the task on the Task Management page. For
more information about tasks, see Task.

5. Click OK.
To deploy HSM configuration to a device, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, right-click on the device, and then select Deploy Configuration from the pop-up
menu. The Deploy Configuration dialog appears.

3. Specify the deployment mode. If Immediately is selected, HSM will generate a task and execute the task immediately;
if Generate Task is selected, you can execute the task on schedule or manually. If On Schedule is selected, HSM
will execute the task at the user-defined time. Otherwise, you need to execute the task manually on the Task
Management page. You can view the task status and related logs on the Task Management page. For more
information about tasks, see Task.

4. Click OK.
To batch deploy HSM configuration to the devices, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, right-click and then select Batch Deploy Configuration from the pop-up menu. The
Batch Deploy Configuration dialog appears.

3. Select the devices or VSYS from the device entry list.

4. Specify the deployment mode. If Immediately is selected, HSM will generate a task and execute the task immediately;
if Generate Task is selected, you can execute the task on schedule or manually. If On Schedule is selected, HSM
will execute the task at the user-defined time. Otherwise, you need to execute the task manually on the Task
Management page. You can view the task status and related logs on the Task Management page. For more
information about tasks, see Task.

5. Click OK.

Specifying Configuration
On HSM, a shared rule on the device configuration page can be specified to a certain device. After specifying the
configuration to the device, the binding relationship between the device and the configuration changes. However, you
still have to deploy the specified configuration to the device if you want it to take effect on the device. For more
detailed information about deploying configuration, see Synchronizing Configuration.
To specify a policy, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, right-click on the device you want to specify a policy on, and then select Specify
Configuration > Specify Policy from the pop-up menu. The Specify Policy dialog appears.

3. Choose a shared policy from the Choose a Shared Policy selective box for the device. If you want to maintain the
policy on the device as a private policy, select the Copy as a Private Policy check box.

4. Click OK.
To specify a SNAT, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, right-click on the device you want to specify a SNAT on, and then select Specify
Configuration > Specify SNAT from the pop-up menu. The Specify SNAT dialog appears.

3. Choose a shared SNAT from the Choose a Shared Source NAT selective box for the device.

4. Click OK.
To specify a DNAT, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, right-click on the device you want to specify a DNAT on, and then select Specify
Configuration > Specify DNAT from the pop-up menu. The Specify DNAT dialog appears.

3. Choose a shared DNAT from the Choose a Shared Destination NAT selective box for the device.

4. Click OK.
To specify a destination route, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, right-click on the device you want to specify a destination route on, and then select
Specify Configuration > Specify DRouter from the pop-up menu. The Specify DRouter dialog appears.

3. Choose a shared destination route from the Choose a Shared Destination Route selective box for the device.

4. Click OK.
To specify a threat protection rule, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, right-click on the device you want to specify a threat protection rule on, and then
select Specify Configuration > Specify Threat Protection from the pop-up menu. The Specify Threat Protection dialog
appears.

3. Choose a shared Threat Protection rule from the Choose a Shared Threat Protection selective box for the device.

4. Click OK.

Snapshot Management


On HSM, you can create a snapshot to back up the current configuration of the selected device. You can also restore
the configuration of a snapshot to HSM as needed.
To create a snapshot, take the following steps:

1. From the device navigation pane, right-click on the device you want to create a snapshot, and then select Create
Snapshot from the pop-up menu.

2. On the Creating Snapshot dialog, specify a snapshot name and its description, and click OK.
To restore a snapshot, take the following steps:

1. From the device navigation pane, right-click on the device you want to restore a snapshot, and then select Restore
Snapshot from the pop-up menu.

2. On the Restoring Snapshot dialog, select the version you want to restore from the Choose a backup version drop-down
list, and then click Restore.
To manage snapshots, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. From the device navigation pane, select All Devices; the main window shows the list of all devices. Click Manage
in the Snapshot column, and the Snapshot Management dialog appears. The options on the dialog are described below:

Create Snapshot: Specify the snapshot name and its description, and click OK.
View: Show the configurations of the snapshot.
Export: Export the snapshot to the local computer as a zip archive of XML files. Click OK in the pop-up dialog box, then
choose the location to save it. You can edit the snapshot file locally.
Delete: Delete the selected snapshot.
Compare: Select Compared with Last Deployment to compare the current snapshot with the last deployed snapshot; select
Compared with Configuration in Device to compare it with the current configuration of the device that HSM manages;
select Compared with Configuration in HSM to compare it with the current configuration on HSM.
Restore: Restore the configurations of the snapshot.

3. Close the Snapshot Management dialog.
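The Synchronizing Configuration section above describes a three-way situation (the HSM copy, the device copy, and what was last deployed) and the snapshot Compare options let you check a saved version against any of the three. The Python model below is an added example for this guide, not HSM code: it flattens a configuration into key/value pairs, reports which side drifted, and shows why comparing before a deploy matters. Treating import and deploy as resetting the last-deployed baseline is an assumption of this model, and the configuration keys are constructed.

```python
"""Added example (not HSM code): detecting configuration drift before synchronizing.

Keeps three copies per device (HSM copy, device copy, last deployed baseline)
and mirrors the Import / Deploy choice and the snapshot Compare options.
Treating an import or deploy as resetting the baseline is an assumption of
this model; configuration keys are constructed.
"""
import copy
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Config = Dict[str, str]
Diff = Tuple[List[str], List[str], List[str]]   # (added, removed, changed) keys


def diff(old: Config, new: Config) -> Diff:
    added = sorted(k for k in new if k not in old)
    removed = sorted(k for k in old if k not in new)
    changed = sorted(k for k in old if k in new and old[k] != new[k])
    return added, removed, changed


def differs(old: Config, new: Config) -> bool:
    return any(diff(old, new))


@dataclass
class ManagedDevice:
    name: str
    hsm_config: Config
    device_config: Config
    last_deployed: Config
    snapshots: Dict[str, Config] = field(default_factory=dict)

    def status(self) -> str:
        """Which side changed since the last deployment, as the pane icons indicate."""
        hsm_changed = differs(self.last_deployed, self.hsm_config)
        device_changed = differs(self.last_deployed, self.device_config)
        if hsm_changed and device_changed:
            return "both modified"
        if hsm_changed:
            return "HSM modified"
        if device_changed:
            return "device modified"
        return "in sync"

    def import_configuration(self) -> None:
        """Import Configuration: the local copy replaces the HSM copy."""
        self.hsm_config = copy.deepcopy(self.device_config)
        self.last_deployed = copy.deepcopy(self.device_config)

    def deploy_configuration(self) -> None:
        """Deploy Configuration: the HSM copy replaces whatever is on the device."""
        self.device_config = copy.deepcopy(self.hsm_config)
        self.last_deployed = copy.deepcopy(self.hsm_config)

    def create_snapshot(self, name: str) -> None:
        self.snapshots[name] = copy.deepcopy(self.hsm_config)

    def compare_snapshot(self, name: str, against: str) -> Diff:
        """Compare a snapshot with the last deployment, the device, or the HSM copy."""
        targets = {"last deployment": self.last_deployed,
                   "configuration in device": self.device_config,
                   "configuration in HSM": self.hsm_config}
        return diff(self.snapshots[name], targets[against])

    def restore_snapshot(self, name: str) -> None:
        self.hsm_config = copy.deepcopy(self.snapshots[name])


def demo():
    base = {"policy.1.action": "permit", "policy.1.service": "HTTPS",
            "dnat.1.translated_to": "10.0.0.10"}
    fw = ManagedDevice("fw-branch-1", copy.deepcopy(base), copy.deepcopy(base), copy.deepcopy(base))
    before = fw.status()                                    # "in sync"
    fw.create_snapshot("golden")
    fw.hsm_config["policy.2.action"] = "deny"               # an administrator edits on HSM
    hsm_only = fw.status()                                  # "HSM modified"
    fw.device_config["dnat.1.translated_to"] = "10.0.0.99"  # out-of-band change on the box
    both = fw.status()                                      # "both modified"
    drift = fw.compare_snapshot("golden", "configuration in device")
    fw.deploy_configuration()                               # HSM copy wins; device edit is overwritten
    return before, hsm_only, both, drift, fw.status(), fw.device_config["dnat.1.translated_to"]
```

The "both modified" state is the one to stop on: a deploy from HSM overwrites the device-side change without review, while an import replaces the HSM copy with whatever is on the box. Comparing the golden snapshot with the device first shows exactly which keys changed out of band, so an unexplained change (here a DNAT target that moved to a different server) can be investigated before either side is overwritten.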

Locking Configuration
Configuration lock locks all configurations of the managed device to prevent multiple administrators from modifying
the device configuration simultaneously and causing confusion. Once the device configuration is locked by one
administrator, only that administrator can configure the device and unlock its configuration, and other
administrators cannot deploy configuration to the device during the locking period.

Note:
When HSM manages the HA function of the managed devices, as long as the master (slave)
device is locked, the slave (master) device will be automatically locked.
When a managed device has been registered and locked on HSM, if it is added to an HA cluster
and specified as the slave device, its locking status will be decided by that of the master
device when the HA cluster is synchronized to HSM.

To lock or unlock device configuration, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, click the lock icon after the device you want to lock or unlock.

When the lock icon shows the device as unlocked, click it to lock the device configuration; when the icon shows the
device as locked, click it to unlock the device configuration.
After device configuration is locked by one administrator, note that:

If other administrators move the mouse to the lock icon, the name of locked administrator will be displayed.

Both the private configuration and the shared configuration can be locked. If the shared configuration is locked by
multiple administrators, no one can modify the shared configuration.

If the shared object is locked, the system will prompt "locked by xxx, operation denied: locked devices(xxx)" when
non-locked administrators modify it; if the shared rule is locked, "Configuration is locked by xxx" will be prompted
on the location bar.

If you cancel the association between the device and the shared configuration, the shared configuration will be
unlocked, and the private configuration will be locked.

All configuration related to the device, directly or indirectly, will be locked, and other administrators cannot modify it.

When modifying the private configuration, if a new shared configuration is referenced, that shared configuration will
be locked. Conversely, when the reference is removed, the shared configuration will be unlocked.
For example, if user A has locked the configuration of device 1 and modifies a rule in security policy 1 to reference
the shared address entry addr1, user A holds the lock on addr1 after the modification.

Device Object
On the device configuration page, you can create a private or shared object. A private object belongs to one device only
and cannot be used by other devices. A shared object can be referenced by all devices.
On HSM, you can edit zones and threat protection, and you can create, edit and delete address entries, service groups,
service entries, application groups, schedules, SLB server pools, intrusion protection system rules, Anti-Virus rules,
threat prevention, URL filters, users, roles and AAA servers. After configuring a device object, you have to deploy it to
the security device for it to take effect on the device. For more detailed information about deploying configuration,
see Synchronizing Configuration.

Note:
The corresponding functions can be configured in HSM only after the licenses for those
functions have been installed.

Object names of different device types can be the same.

Zone

Configuring the Zone-based Anti-Virus and Intrusion Protection System Function


To configure the zone-based Anti-Virus and IPS function, take the following steps:

1. Log on to HSM, click Configuration > Device Configuration from the Level-1 navigation pane to enter the device
configuration page.

2. From the device navigation pane, select the device whose zone will be configured. From the object navigation pane,
select Zones. The main window shows the zone entry list.

3. In the zone entry list, click the zone on which you want to enable the Anti-Virus and IPS function, and then click
Edit from the toolbar. The Zone dialog appears.

4. In the Zone dialog, specify the defense status configurations.


Anti Virus: Select the On check box to enable the Anti Virus function, then select the Anti-Virus rule from the
drop-down list. Two ways can be used to configure an Anti Virus rule:

Predefined: By default, HSM has three default Anti-Virus rules, predef_low, predef_middle and predef_high. The
file types and protocol types that are filtered differ between these rules; the higher the Anti Virus rule is, the
higher the security level is.

User-defined: The user-defined Anti-Virus rules. According to the actual needs of users, select an Anti-Virus rule
from the drop-down list, or click New from the drop-down list to create an Anti Virus rule. For more information,
see Anti-Virus.

Search (icon): In the drop-down list, you can specify the filtering conditions. The security device will display all
Anti-Virus rules that match the searching conditions.

Intrusion Protection: Select the On check box to enable the IPS function, then select the IPS rule from the drop-down
list. Two ways can be used to configure an IPS rule:

Predefined: By default, HSM has three default IPS rules, predef_default, predef_loose and no-ips. The predef_default
rule includes all the IPS signatures, is strict with the attack detection results, and its default action for attacks
is reset. The predef_loose rule only has the IPS signatures with critical severity and above or high popularity, has
high detection efficiency, and its default action for attacks is log only. The no-ips rule does not include any IPS
signatures.

User-defined: The user-defined IPS rules. According to the actual needs of users, select an IPS rule from the
drop-down list, or click New from the drop-down list to create an IPS rule. For more information, see Configuring IPS.

Defense Protection: If the IPS function is enabled, you need to configure a direction (Bi-direct, Egress, Ingress)
from the Defense Direction drop-down list. The IPS rule will be applied to the traffic that matches the specified
security zone and direction.

Search (icon): In the drop-down list, you can specify the searching conditions. HSM will display all IPS rules that
match the searching conditions.

5. Click OK.

Address Books

Creating an Address Entry


To create a new address entry on HSM, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, select the device for which you want to create an address entry, go to the object
navigation pane and select Address Book. The main window shows the address entry list.

3. Click New from the toolbar. The Address dialog appears.

4. In the Address dialog, specify the address entry configurations.


Type: Specify the type of the object. It can be private or shared.
Name: Type the name of the address entry in the Name text box. If necessary, give a description to the address
entry in the Description text box.
Member: Select the member type from the drop-down list in the Member tab, and then type the IP address/netmask,
IP range or hostname in the text box, or choose another address entry. Click Add to add the member to the member
entry list. Repeat this step to add multiple members. Click Delete to delete the selected member.
Exclude Member: Specify the excluded members. In the Exclude Member tab, select the exclude member type from the
drop-down list, and then type the IP address/netmask or IP range in the text box. Click Add to add the exclude member
to the exclude member entry list. Repeat this step to add multiple exclude members. Click Delete to delete the
selected exclude member.

5. Click OK to save the changes and close the dialog.

Service Books

Creating a Service Group


To create a new service group on HSM, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, select the device for which you want to create a service group, go to the object
navigation pane and select Service Book > User-defined Service Group. The main window shows the service group entry list.

3. Click New from the toolbar. The Service Group dialog appears.

The options are described as below:
Type: The type of the object. It can be private or shared.
Name: The name of the service group.
Description: Give a description to the service group. It is optional.
Member: Select the service or service group from the left selective list, and click the right-arrow button to add it. To
delete a selected service, select the service to be deleted from the right selective list, and then click the left-arrow
button.

4. Click OK to save the changes and close the dialog.

Creating a Service
To create a new service on HSM, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, select the device for which you want to create a service, go to the object navigation
pane and select Service Book > User-defined Service. The main window shows the user-defined service entry list.

3. Click New from the toolbar. The Service dialog appears.

The options are described as below:

Type: The type of the object. It can be private or shared.
Name: The name of the service.
Description: Give a description to the service. It is optional.
Member: Specify the protocol type of the member. It can be TCP, UDP, ICMP or Others. The parameters of each
protocol are described as below:
TCP/UDP

Dst Port: Specify the destination port range of the member. The value range is 1 to 65535.
Src Port: Specify the source port range of the member. The value range is 1 to 65535.
Application Type: Specify the application type of the member.
Timeout: Specify the timeout value of the member, in seconds or days. The default value is 1800 seconds.
ICMP

Type: Specify the ICMP type value of the member. It can be one of the following: 3 (Destination-Unreachable), 4
(Source Quench), 5 (Redirect), 8 (Echo), 11 (Time Exceeded), 12 (Parameter Problem), 13 (Timestamp), and 15
(Information).
Min Code: Specify the minimum ICMP code value of the member. The value range is 0 to 5.
Max Code: Specify the maximum ICMP code value of the member. The value range is 0 to 5.
Timeout: Specify the timeout value of the member, in seconds. The value range is 1 to 65535. The default value is 6
seconds.
Others

Protocol No.: Specify the protocol number of the member. The value range is 1 to 255.
Timeout: Specify the timeout value of the member, in seconds or days. The default timeout value is 60 seconds.

After specifying the values of parameters, click Add to add it to the service. Repeat the above steps to add multiple
members. Click Delete to delete the selected member.

4. Click OK to save the changes and close the dialog.
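The address entry (members and exclude members, from the Address Books section above) and the user-defined service (TCP/UDP port ranges, ICMP type and code range, and other protocol numbers) are the objects a rule uses to decide whether traffic matches. The Python model below is an added example for this guide, not HSM code: it enforces the value ranges given in the dialogs and evaluates constructed packets against both objects. Hostname members are not modelled, and all addresses are constructed.

```python
"""Added example (not HSM code): matching traffic against address and service objects.

Models an Address Book entry (members, exclude members) and a user-defined
Service (TCP/UDP port ranges, ICMP type with Min/Max Code, other protocol
numbers) with the dialog value ranges enforced. Hostname members are not
modelled; all addresses are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

ICMP_TYPES = {3, 4, 5, 8, 11, 12, 13, 15}   # the ICMP types offered by the dialog


def _member_test(text: str) -> Callable:
    """Turn 'a.b.c.d/len', 'a.b.c.d/mask' or 'start-end' into a membership predicate."""
    if "-" in text:
        low, high = (ip_address(p.strip()) for p in text.split("-", 1))
        return lambda ip: low <= ip <= high
    net = ip_network(text, strict=False)
    return lambda ip: ip in net


@dataclass
class AddressEntry:
    name: str
    members: List[str]
    exclude_members: List[str] = field(default_factory=list)

    def contains(self, ip_text: str) -> bool:
        ip = ip_address(ip_text)
        if any(_member_test(m)(ip) for m in self.exclude_members):
            return False                        # an exclude member always wins
        return any(_member_test(m)(ip) for m in self.members)


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str                               # "tcp", "udp", "icmp" or "other"
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0
    icmp_code: int = 0
    protocol_no: int = 0


@dataclass
class ServiceMember:
    protocol: str                               # "tcp", "udp", "icmp" or "other"
    dst_port: Tuple[int, int] = (1, 65535)
    src_port: Tuple[int, int] = (1, 65535)
    icmp_type: Optional[int] = None
    icmp_code: Tuple[int, int] = (0, 5)         # Min Code .. Max Code
    protocol_no: Optional[int] = None
    timeout: int = 1800                         # seconds; recorded only

    def __post_init__(self) -> None:
        for low, high in (self.dst_port, self.src_port):
            if not 1 <= low <= high <= 65535:
                raise ValueError("port range must be within 1 to 65535")
        if self.protocol == "icmp":
            low, high = self.icmp_code
            if self.icmp_type not in ICMP_TYPES or not 0 <= low <= high <= 5:
                raise ValueError("ICMP type must be a dialog value and codes within 0 to 5")
        if self.protocol == "other" and not (self.protocol_no and 1 <= self.protocol_no <= 255):
            raise ValueError("protocol number must be within 1 to 255")

    def matches(self, pkt: Packet) -> bool:
        if self.protocol in ("tcp", "udp"):
            return (pkt.protocol == self.protocol
                    and self.dst_port[0] <= pkt.dport <= self.dst_port[1]
                    and self.src_port[0] <= pkt.sport <= self.src_port[1])
        if self.protocol == "icmp":
            return (pkt.protocol == "icmp" and pkt.icmp_type == self.icmp_type
                    and self.icmp_code[0] <= pkt.icmp_code <= self.icmp_code[1])
        return pkt.protocol == "other" and pkt.protocol_no == self.protocol_no


@dataclass
class Service:
    name: str
    members: List[ServiceMember]

    def matches(self, pkt: Packet) -> bool:
        return any(m.matches(pkt) for m in self.members)


def demo() -> List[bool]:
    servers = AddressEntry("dmz-servers", ["10.0.0.0/24", "10.0.1.10-10.0.1.20"],
                           exclude_members=["10.0.0.250/32"])    # one host carved out
    mgmt = Service("mgmt", [ServiceMember("tcp", dst_port=(22, 22)),
                            ServiceMember("tcp", dst_port=(443, 443)),
                            ServiceMember("icmp", icmp_type=8, icmp_code=(0, 0)),
                            ServiceMember("other", protocol_no=50, timeout=60)])  # ESP
    probes = [
        Packet("192.0.2.1", "10.0.0.5", "tcp", sport=40000, dport=22),     # member, tcp/22
        Packet("192.0.2.1", "10.0.0.250", "tcp", sport=40000, dport=22),   # excluded member
        Packet("192.0.2.1", "10.0.1.15", "icmp", icmp_type=8),             # echo request
        Packet("10.0.1.15", "192.0.2.1", "icmp", icmp_type=0),             # reply, dst outside
        Packet("192.0.2.1", "10.0.0.7", "other", protocol_no=50),          # ESP
    ]
    return [servers.contains(p.dst) and mgmt.matches(p) for p in probes]
```

The exclude member is evaluated before the members, which is what makes it useful for carving a sensitive host out of a broad range without rewriting the range. The range checks in the constructor reject values the dialog would not accept, so a mistyped port or ICMP code fails at object creation rather than silently matching nothing.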

Application Books

Creating an Application Group


To create a new application group on HSM, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, select the device for which you want to create an application group, go to the object
navigation pane and select Application Books > User-defined Application Group. The main window shows the
user-defined application group information.

3. Click New from the toolbar. The APP Group dialog appears.

Options are described as below:


Type: Specify the type of the application group. It can be private or shared.
Name: Specify the name of the application group.
Description: Give a description to the application group. It is optional.
Member: Specify members for the application group. Select the wanted applications from the selective list, and click
the add button to add the selected objects to the application group.

4. Click OK to save the changes and close the dialog.

Schedules

Creating a Schedule
To create a schedule on HSM, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, select the device for which you want to create a schedule, go to the object navigation
pane and select Schedule. The main window shows the schedule entry list.

3. Click New from the toolbar. The Schedule dialog appears.

4. Specify the type for the schedule. It can be private or shared.

5. Enter the name in the Name text box.

6. In the Absolute Schedule section, specify the start time and end time in which the periodic schedule will take effect.

7. Click New, and configure a periodic schedule in the dialog as below. The periodic schedule will take effect repeatedly
during the time range specified by the absolute schedule.

The options are described as below:
Daily: The periodic schedule will take effect every day. Click the button and specify the start time and end time.
Days: The periodic schedule will take effect on the specified days of a week. Click the button, select the days in the
Periodic Schedule section, and specify the start time and end time.
Due: The periodic schedule will take effect during a continuous period of a week. Click the button and specify the
start date/time and end date/time.
Click Preview to preview the periodic schedule; click Save to add the periodic schedule to the schedule.

8. Repeat Step 7 to add more periodic schedules.

9. Click OK to save the changes and close the dialog.
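A schedule object only has an effect through the rules and routes that reference it, so it is worth being able to answer "is this schedule active at this moment?" when a rule behaves unexpectedly. The Python model below is an added example for this guide, not HSM code: it evaluates an absolute window with Daily, Days and Due periodic entries against a timestamp. Treating a schedule with no periodic entries as active for its whole absolute window, and the sample dates, are assumptions of this example.

```python
"""Added example (not HSM code): evaluating a schedule object against a timestamp.

Models the Absolute Schedule window and the Daily, Days and Due periodic
entries. A schedule with no periodic entries is treated as active for the
whole absolute window; that rule and the sample dates are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Optional, Set


@dataclass
class Periodic:
    kind: str                                    # "Daily", "Days" or "Due"
    start: time
    end: time
    days: Set[int] = field(default_factory=set)  # Days: 0=Mon .. 6=Sun
    start_day: int = 0                           # Due: continuous span from start_day/start
    end_day: int = 0                             # ... to end_day/end, may wrap past Sunday

    def active(self, at: datetime) -> bool:
        weekday, clock = at.weekday(), at.time()
        if self.kind == "Daily":
            return self.start <= clock <= self.end
        if self.kind == "Days":
            return weekday in self.days and self.start <= clock <= self.end
        if self.kind == "Due":
            begin = (self.start_day, self.start)
            finish = (self.end_day, self.end)
            now = (weekday, clock)
            if begin <= finish:
                return begin <= now <= finish
            return now >= begin or now <= finish     # span crosses the week boundary
        raise ValueError(f"unknown periodic schedule kind {self.kind!r}")


@dataclass
class Schedule:
    name: str
    absolute_start: Optional[datetime] = None
    absolute_end: Optional[datetime] = None
    periodic: List[Periodic] = field(default_factory=list)

    def active(self, at: datetime) -> bool:
        if self.absolute_start and at < self.absolute_start:
            return False
        if self.absolute_end and at > self.absolute_end:
            return False
        return not self.periodic or any(p.active(at) for p in self.periodic)


def demo() -> Dict[str, bool]:
    maintenance = Schedule(
        "maintenance-window",
        absolute_start=datetime(2018, 8, 1, 0, 0),
        absolute_end=datetime(2018, 12, 31, 23, 59),
        periodic=[
            Periodic("Days", time(22, 0), time(23, 59), days={4, 5}),          # Fri and Sat nights
            Periodic("Due", time(20, 0), time(6, 0), start_day=5, end_day=6),  # Sat 20:00 to Sun 06:00
        ],
    )
    checks = {
        "friday_night": datetime(2018, 8, 17, 22, 30),   # Friday, inside Days
        "sunday_early": datetime(2018, 8, 19, 3, 0),     # Sunday, inside the Due span
        "tuesday_night": datetime(2018, 8, 21, 22, 30),  # no periodic entry matches
        "next_year": datetime(2019, 1, 4, 22, 30),       # Friday, but past the absolute end
    }
    return {label: maintenance.active(at) for label, at in checks.items()}
```

The "next_year" case is the one that bites in practice: a permissive rule tied to a schedule stays in the configuration after the absolute window ends, and a later edit that extends the window re-enables it without anyone touching the rule itself. Checking the schedule, not just the rule, answers why a rule stopped or started matching.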

Interface
HSM supports creating, editing and deleting a tunnel interface for the managed devices.

Creating a tunnel interface


To create a tunnel interface, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane.

2. Select the device in which you want to create an interface.

3. Select Interface in the Object navigation pane. The main window then shows the related information about the
interface and the toolbar.

4. Click New from the toolbar and the Tunnel Interface dialog box will pop up.

In the Basic tab, configure basic options for the interface.

Option Description

Interface Name Specifies a name for the tunnel interface.


Description Enter descriptions for the tunnel interface.
Binding Zone If Layer 3 zone is selected, you should also select a security zone
from the Zone drop-down list, and the interface will bind to a
Layer 3 zone. If TAP is selected, the interface will bind to a tap
zone. If No Binding is selected, the interface will not bind to any
zone.
Zone Select a security zone from the Zone drop-down list.
HA sync Select this check box to enable HA Sync function, which means
disable Local property and use virtual MAC, and the primary
device will synchronize its information with the backup device;
don’t select this check box to disable HA Sync function, which
means enable Local property and use original MAC, and the
primary device will not synchronize its information with the
backup device.
IP Type Specifies an IP type for the interface, including static IP and
DHCP.
IP address Specifies an IP address for the interface.
Netmask Specifies a netmask for the interface.
Set as Local IP In a HA environment, if specify this option, the interface IP will
not synchronize to the HA peer.
Enable DNS Proxy Select this check box to enable DNS proxy for the interface.

When the general DNS proxy is in use, the client in the net-
work still gets DNS replies from the DNS server configured
on itself. If the DNS server address is configured as an inter-
face address of Hillstone device, the device will work as a
DNS server;

When the transparent DNS proxy is in use, all DNS requests


are replied by the Hillstone device. In such a case, there is
no need to edit DNS configuration on each client. DNS ser-
vice can be easily controlled by modifying the device's DNS
configuration.

Enable DNS Bypass Select this check box to enable DNS bypass function for the
interface. The function means that if the DNS bypass is enabled,
the DNS packet will be forwarded to the original IP directly
when the DNS proxy is disabled.
Advanced Management IP: Specifies a management IP for the interface.
Type the IP address into the box.
Secondary IP: Specifies secondary IPs for the interface. You can
specify up to 6 secondary IP addresses.

Management Select one or more management method check boxes to con-


figure the interface management method.
Reverse Route Enable or disable reverse route as needed. The setting decides which interface the reply packets of a session leave from:

Enable: A reverse route is mandatory. If no reverse route is available, reply packets are dropped. This option is enabled by default.

Close: No reverse route lookup is performed. Reply traffic is returned the way it came, without any reverse route check: reverse packets are sent from the ingress interface on which the session was initiated.

Auto: A reverse route is preferred. If one is available it is used to send reply packets; otherwise the ingress interface on which the session was initiated is used as the egress interface for reply packets.

Close and Auto tolerate asymmetric routing; Enable is the strict setting and should be kept unless replies are known to need a different path than the routing table predicts.

Tunnel Binding IPSec VPN: Specifies the name of the IPsec VPN bound to the tunnel interface. Then click Add from the Gateway options to add a next-hop address for the tunnel, which can be either the IP address or the egress IP address of the peer tunnel interface. This next-hop parameter, 0.0.0.0 by default, is only needed when multiple IPsec VPN tunnels are bound to the tunnel interface.
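The three Reverse Route settings, shown as an added Python example (not Hillstone code): a longest-prefix lookup over a constructed routing table decides where a session's reply packets leave, and the mode decides what happens when that lookup has no answer. The interface names, prefixes and client addresses are assumptions made for this example.

```python
"""Reverse-route egress selection for the Enable / Close / Auto settings.

Added example, not Hillstone code.  The routing table, interface names and
session fields below are constructed for illustration.
"""
import ipaddress
from typing import Optional

# Constructed routing table: (destination prefix, egress interface).
ROUTES = [
    ("10.1.0.0/16", "ethernet0/1"),
    ("10.1.2.0/24", "ethernet0/4"),      # more specific, must win over the /16
    ("192.168.5.0/24", "ethernet0/2"),
]


def lookup_route(dst_ip: str) -> Optional[str]:
    """Longest-prefix-match lookup; returns the egress interface or None."""
    addr = ipaddress.ip_address(dst_ip)
    best_iface, best_len = None, -1
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_iface, best_len = iface, net.prefixlen
    return best_iface


def reverse_egress(mode: str, ingress_iface: str, client_ip: str) -> Optional[str]:
    """Interface used for reply packets back to client_ip.

    mode == "enable": reverse route is mandatory; None means the reply is dropped.
    mode == "close":  routing table is never consulted; reply leaves the way it came.
    mode == "auto":   reverse route preferred, ingress interface as the fallback.
    """
    if mode == "close":
        return ingress_iface
    route = lookup_route(client_ip)
    if mode == "enable":
        return route                       # None -> packet dropped
    if mode == "auto":
        return route or ingress_iface
    raise ValueError(f"unknown reverse-route mode: {mode}")


if __name__ == "__main__":
    # Session arrived on ethernet0/3 but the route back to the client points at
    # ethernet0/1: Enable replies asymmetrically, Close returns it on ethernet0/3,
    # and for a client with no route at all only Enable drops the reply.
    for mode in ("enable", "close", "auto"):
        print(mode, reverse_egress(mode, "ethernet0/3", "10.1.9.9"),
              reverse_egress(mode, "ethernet0/3", "172.16.0.9"))
```

The second column of the printout is the case that matters operationally: with Enable a client for which no route exists never gets a reply, which is the symptom to look for when a newly added subnet "cannot reach" the device.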

In the Properties tab, configure properties option for the tunnel interface.
Option Description

MTU Specifies an MTU for the interface. The value range is 1280 to 1500/1800 bytes; the default value is 1500. The maximum MTU varies across Hillstone platforms.
Keep-alive-IP Specifies an IP address that receives the interface's keep-alive
packets.

In the Advanced tab, configure advanced option for the tunnel interface.
Option Description

Shutdown The system supports interface shutdown. You can enforce shutdown of a specific interface, control the time of shutdown by schedule, or control the shutdown according to the link status of tracked objects. Configure the options as below:

1. Select the Shut down check box to enable interface shutdown.

2. To control the shutdown by schedule or tracked objects, select the appropriate check box, and then select a schedule or tracked object from the drop-down list.

Monitor and Backup Configure the options as below:

1. Select the appropriate check box, and then select a schedule or tracked object from the drop-down list.

2. Select an action:

Shut down the interface: During the time specified in the schedule, or when the tracked object fails, the interface is shut down and its related routes fail.

Migrate traffic to backup interface: During the time specified in the schedule, or when the tracked object fails, traffic on the interface is migrated to the backup interface. In this case select a backup interface from the Backup interface drop-down list and type a time into the Migrating time box. The migrating time (0 to 60 minutes) is the period during which traffic is moved smoothly from the primary interface to the backup interface before the primary interface is switched over. By default the migrating time is 0, i.e. all traffic is migrated to the backup interface immediately.

In the RIP tab, configure RIP option for the tunnel interface.
Option Description

Authentication mode Specifies a packet authentication mode for RIP on the interface: plain text (the default) or MD5. With plain text authentication the unencrypted authentication string is transmitted together with the RIP packet, so anyone able to capture traffic on the segment can read it and inject routes; it provides no real security and must not be used in scenarios that require it. MD5 authentication (keyed hashing, RFC 2082) authenticates updates without putting the key on the wire and is the mode to use.
Authentication string Specifies the RIP authentication string for the interface.
Transmit version Specifies the RIP version(s) transmitted by the interface. By default both V1 and V2 RIP packets are transmitted.
Receive version Specifies the RIP version(s) accepted by the interface. By default both V1 and V2 RIP packets are received.
Split horizon Select the Enable check box to enable split horizon. With this function enabled, routes learned from an interface are not advertised back out of the same interface, which avoids routing loops and, to some extent, assures correct route broadcasting.

SLB Server Pool

Creating an SLB Server Pool

To create an SLB server pool on HSM, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, select the device on which you want to create the SLB server pool, then go to the object navigation pane and select SLB Server Pool. The main window shows the user-defined SLB server pool information.

3. Click New from the toolbar. The SLB Server Pool Configuration dialog appears.



In the SLB Server Pool Configuration dialog, configure the following options.
Option Description

Type Specify the type of the object. It can be private or shared.

Name Specify the name of the SLB server pool.You can enter up to 31 chars.
Algorithm Select an algorithm for load balancing:

Weighted Hash: Assign requests to SLB server pool members according to a hash algorithm, taking member weights into account.

Weighted Least Connection: Assign requests to the member that currently has the fewest connections in the SLB server pool, taking member weights into account.

Weighted Round Robin: Assign requests in turn according to the weight of each SLB server pool member.

Sticky If Sticky is selected, the security device treats all requests from the same source IP as the same client and forwards them to the same server.
Member

Member Specify the member of the pool. You can type the IP range or the IP
address and the netmask.

Port Specify the port number of the server.


Maximum Sessions Specify the maximum sessions allowed for the server. The value ranges from 0 to 1,000,000,000. The default value is 0, which means no limit.

Weight Specify the traffic forwarding weight during the load balancing. The value
ranges from 1 to 255.

Add Add the SLB address pool member to the SLB server pool.

Delete Click Delete to delete the selected SLB address pool member.
Track

Track Type Select a track type.


Port Specify the port number that will be tracked. The value ranges from 1 to
65535.


Interval Specify the interval between each Ping/TCP/UDP packet. The unit is
second. The value ranges from 3 to 255.

Retries Specify a retry threshold. If no response packet is received after the spe-
cified times of retries, the system will consider this track entry failed, i.e.,
the track entry is unreachable. The value range is 1 to 255.

Weight Specify a weight for the overall failure of the whole track rule if this track
entry fails. The value range is 1 to 255.

Add Click Add to add the configured track rule to the list.
Delete Click Delete to delete the selected track rule.
Threshold Type the threshold for the track rule into the Threshold box. The value range is 1 to 255. If the sum of the weights of the failed entries in the track rule exceeds the threshold, the security device concludes that the track rule has failed.

Description Type a description for this track rule. You can enter up to 95 characters.

4. Click OK to save the settings.


To view the details of the servers in the SLB pool:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, select the device whose SLB server pool you want to view, then go to the object navigation pane and select SLB Server Pool. The main window shows the user-defined SLB server pool information.

3. Select an SLB pool entry.

4. In the Server List tab at the bottom of the page, view the servers that belong to this SLB pool.

5. In the Server List tab, view the member information of the SLB server pool: IP/mask, port, weight, and maximum sessions.

6. In the Monitoring tab, view the track rules. The track rule information includes track type, port, interval, and retries.
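How the SLB server pool options above fit together, as an added Python example (not Hillstone code): the three load-balancing algorithms, Sticky, per-member Weight and Maximum Sessions, and a track rule whose failed-entry weights are summed against its Threshold to pull a member out of rotation. Member addresses, weights, thresholds and probe results are constructed for this example; the hash used for Weighted Hash is an assumption.

```python
"""Member selection and health tracking of an SLB server pool.

Added example, not Hillstone code.  Member addresses, weights, thresholds and
probe results are constructed; using SHA-256 of the source IP for the weighted
hash is an assumption made here.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Member:
    ip: str
    port: int
    weight: int = 1            # 1..255
    max_sessions: int = 0      # 0 = no limit
    sessions: int = 0          # current session count
    healthy: bool = True


@dataclass
class TrackRule:
    """Each track entry (Ping/TCP/UDP probe) carries a weight.  The rule fails
    when the weights of the failed entries add up to more than the threshold."""
    threshold: int                                                      # 1..255
    entries: Dict[str, Tuple[int, bool]] = field(default_factory=dict)  # name -> (weight, failed)

    def failed(self) -> bool:
        return sum(w for w, bad in self.entries.values() if bad) > self.threshold


class ServerPool:
    def __init__(self, members: List[Member], algorithm: str = "wrr", sticky: bool = False):
        self.members = members
        self.algorithm = algorithm        # "whash", "wlc" or "wrr"
        self.sticky = sticky
        self._rr_pos = 0                  # cursor into the weighted round-robin ring
        self._sticky: Dict[str, Member] = {}

    def apply_track(self, member: Member, rule: TrackRule) -> None:
        """A failed track rule takes the member out of rotation."""
        member.healthy = not rule.failed()

    def _available(self) -> List[Member]:
        return [m for m in self.members
                if m.healthy and (m.max_sessions == 0 or m.sessions < m.max_sessions)]

    @staticmethod
    def _ring(avail: List[Member]) -> List[Member]:
        """Weight-expanded list: a member with weight 3 appears three times."""
        return [m for m in avail for _ in range(m.weight)]

    def select(self, src_ip: str) -> Optional[Member]:
        """Pick the member for a new request from src_ip, or None if none is usable."""
        avail = self._available()
        if not avail:
            return None
        chosen = self._sticky.get(src_ip) if self.sticky else None
        if chosen is None or chosen not in avail:      # no sticky entry, or it is down/full
            if self.algorithm == "whash":
                ring = self._ring(avail)
                digest = hashlib.sha256(src_ip.encode()).digest()
                chosen = ring[int.from_bytes(digest[:4], "big") % len(ring)]
            elif self.algorithm == "wlc":
                chosen = min(avail, key=lambda m: m.sessions / m.weight)
            elif self.algorithm == "wrr":
                ring = self._ring(avail)
                chosen = ring[self._rr_pos % len(ring)]
                self._rr_pos += 1
            else:
                raise ValueError(f"unknown algorithm {self.algorithm}")
        chosen.sessions += 1
        if self.sticky:
            self._sticky[src_ip] = chosen
        return chosen
```

Note that a member whose Maximum Sessions is reached drops out of the ring exactly like one whose track rule failed, so with only one backend left the "weighted" algorithms all degrade to sending everything there; size the weights and session caps so that this is intended.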

Intrusion Protection System

IPS, the abbreviation for Intrusion Protection System, monitors for network attacks in real time and takes the actions you configure (such as blocking) against them.
To configure the IPS function, take the following steps:

Configuring IPS Global Parameters

Configuring an IPS Rule

Enabling the Policy-based IPS Function

Configuring IPS Global Parameters
You can enable or disable the IPS function and configure the IPS global parameters. For the IPS global parameters, see Threat Protection.

Configuring an IPS Rule

For NGFW 5.5R2 or previous versions

Creating an IPS Rule
You can use the default IPS rules or user-defined IPS rules. HSM has three default IPS rules: predef_default, predef_loose and no-ips. Predef_default includes all IPS signatures, is the strictest in its detection results, and its default action for attacks is reset. Predef_loose includes only the signatures with severity critical and above or with high popularity, detects more efficiently, and its default action for attacks is log only. No-ips does not include any IPS signatures.
To create an IPS rule on HSM, take the following steps:

1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation pane to enter the device con-
figuration page.

2. From the device navigation pane, select the device you want to create an IPS rule.

3. Go to the object navigation pane and select Intrusion Protection System. The main window shows the IPS rule list.

4. Click New from the toolbar. The Intrusion Protection System dialog appears.

In the Intrusion Protection System dialog, configure the following values.

Type: Specify the type of the object. It can be private or shared.
Threat Protection: If the rule type is shared, select a global Threat Protection configuration from the Threat Protection drop-down list. For more information, see Threat Protection.
Name: Type the name into the Name box.
Capture Packets: If required, select the Enable check box to enable packet capture. The security device captures packets of the selected protocol and saves them as evidence messages, which you can view and download on the security device.
Protocol Types: In the Protocol types section, select the protocol check boxes you need. Click the Select All button to select all protocol types quickly, and click the Unselect button to clear them all. For attack signature configuration, see Configuring Protocol Signature.
Relevant Device: Specify the devices to associate with the shared IPS rule. If you choose the VSYS devices of a device, the shared IPS rule is associated with those VSYS devices, not with the device itself. After configuring a shared IPS rule, you have to deploy the rule to the relevant device for it to take effect there. For details on deploying configuration, see Synchronizing Configuration.

5. Click OK to save the settings.

Configuring Protocol Signature
A protocol signature consists of a protocol configuration and a signature configuration. You can specify actions for attacks of different severity levels (Log only, Reset, Block attacker) and actions for a specific attack signature; the per-signature action takes priority over the action configured for the signature set.



For the HTTP protocol signature, you can configure the Web server to detect and protect Web-based attacks, see Web-
server Configuration.

Configuring a Protocol

To configure protocol signature on HSM, take the following steps:

1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation pane to enter the device con-
figuration page.

2. From the device navigation pane, click the device you want to configure a protocol.

3. From the object navigation pane, click Intrusion Protection System. The main window shows the IPS rule list.

4. Click the specified protocol type in the IPS rule list. The protocol configuration dialog appears.

5. Click Protocol Configuration tab.

In the Protocol Configuration tab, configure the actions for attacks of different levels and the other related options.
Option Description

Action for Critical/Warning/Information level attack Capture Packets: Select the Enable check box to enable packet capture. The security device captures packets of the selected protocol and saves them as evidence messages, which you can view or download on the security device.
Action: Specify an action for attacks of this level by selecting one of the radio buttons:
Log only - Only generates logs when an intrusion is detected.
Reset - Resets the connection (TCP) or sends destination unreachable packets (UDP), and also generates logs when an intrusion is detected.
Block attacker: Select the Enable check box to block the attacker.
IP - Specify the block duration for the blocked IP address. The value range is 60 to 3600 seconds; the default is 60.
Service - Specify the block duration for the blocked service. The value range is 60 to 3600 seconds; the default is 60.


Other Configuration Other related options, which vary with the protocol type. For detailed instructions, see the table below.

The other related options, which vary with the protocol type, are described below.
Option Description

DNS Protocol Anomaly Detection: Specify a check level for the protocol validity check of the signature set.
Strict - If any protocol anomaly is detected during parsing, the security device takes the action specified for the corresponding attack level against the offending packets, according to the security level of the anomaly.
Loose - If any protocol anomaly is detected during parsing, the security device only generates logs and invokes the engine to perform signature matching.

FTP Action for Brute-force: If login attempts from a source fail more times per minute than the threshold, the security device identifies the attempts as an intrusion and takes the configured action. Select the Enable Brute-force check box to enable brute-force detection.
Login Threshold per Min - Specify the permitted authentication/login failure count per minute. The value range is 1 to 100000.
Block - Select the object to block when its login failure count exceeds the threshold.
Block Time - Specify the block duration. The value range is 60 to 3600 seconds.
Protocol Anomaly Detection: Specify a check level for the protocol validity check of the signature set.
Strict - If any protocol anomaly is detected during parsing, the security device takes the action specified for the corresponding attack level against the offending packets, according to the security level of the anomaly.
Loose - If any protocol anomaly is detected during parsing, the security device only generates logs and invokes the engine to perform signature matching.
Banner Detection: Select the Enable check box to enable protection of the FTP server banner, so that the real server banner is not revealed to clients.
Banner Information - Type the text that will replace the original server banner.
Max Command Line Length: Specify a max length (including the carriage return) for the FTP command line. The value range is 5 to 1024 bytes.
Security Level - Specify a security level for events that exceed the max command line length. The security device takes action according to this level.
Max Response Line Length: Specify a max length for the FTP response line. The value range is 5 to 1024 bytes.
Security Level - Specify a security level for events that exceed the max response line length. The security device takes action according to this level.

HTTP Protocol Anomaly Detection: Specify a check level for the protocol validity check of the signature set.
Strict - If any protocol anomaly is detected during parsing, the security device takes the action specified for the corresponding attack level against the offending packets, according to the security level of the anomaly.
Loose - If any protocol anomaly is detected during parsing, the security device only generates logs and invokes the engine to perform signature matching.
Banner Detection: Select the Enable check box to enable protection of the HTTP server banner.
Banner information - Type the text that will replace the original server banner.
Max URI Line Length: Specify a max URI length for the HTTP protocol. The value range is 64 to 4096 bytes.
Security level - Specify a security level for events that exceed the max URI length. The security device takes action according to this level.
Allowed Methods: Specify the HTTP method(s) that are allowed.

POP3 Action for Brute-force: If login attempts from a source fail more times per minute than the threshold, the security device identifies the attempts as an intrusion and takes the configured action. Select the Enable check box to enable brute-force detection.
Login Threshold per Min - Specify the permitted authentication/login failure count per minute. The value range is 1 to 100000.
Block - Select the object to block when its login failure count exceeds the threshold.
Block Time - Specify the block duration. The value range is 60 to 3600 seconds.
Protocol Anomaly Detection: Specify a check level for the protocol validity check of the signature set.
Strict - If any protocol anomaly is detected during parsing, the security device takes the action specified for the corresponding attack level against the offending packets, according to the security level of the anomaly.
Loose - If any protocol anomaly is detected during parsing, the security device only generates logs and invokes the engine to perform signature matching.
Banner Detection: Select the Enable check box to enable protection of the POP3 server banner.
Banner information - Type the text that will replace the original server banner.
Max Command Line Length: Specify a max length (including the carriage return) for the POP3 command line. The value range is 64 to 1024 bytes.
Security Level - Specify a security level for events that exceed the max command line length. The security device takes action according to this level.
Max Parameter Length: Specify a max length for the POP3 client command parameter. The value range is 8 to 256 bytes.
Security Level - Specify a security level for events that exceed the max parameter length. The security device takes action according to this level.
Max Failure Time: Specify the max number of failures (within one POP3 session) for the POP3 server. The value range is 0 to 512 times.
Security Level - Specify a security level for events that exceed the max failure count. The security device takes action according to this level.

SMTP Action for Brute-force: If login attempts from a source fail more times per minute than the threshold, the security device identifies the attempts as an intrusion and takes the configured action. Select the Enable check box to enable brute-force detection.
Login Threshold per Min - Specify the permitted authentication/login failure count per minute. The value range is 1 to 100000.
Block - Select the object to block when its login failure count exceeds the threshold.
Block Time - Specify the block duration. The value range is 60 to 3600 seconds.
Protocol Anomaly Detection: Specify a check level for the protocol validity check of the signature set.
Strict - If any protocol anomaly is detected during parsing, the security device takes the action specified for the corresponding attack level against the offending packets, according to the security level of the anomaly.
Loose - If any protocol anomaly is detected during parsing, the security device only generates logs and invokes the engine to perform signature matching.
Banner Detection: Select the Enable check box to enable protection of the SMTP server banner.
Banner information - Type the text that will replace the original server banner.
Max Command Line Length: Specify a max length (including the carriage return) for the SMTP command line. The value range is 5 to 1024 bytes.
Security Level - Specify a security level for events that exceed the max command line length. The security device takes action according to this level.
Max Path Line Length: Specify a max length for the reverse-path and forward-path fields in SMTP client commands. The value range is 16 to 512 bytes (including punctuation marks).
Security Level - Specify a security level for events that exceed the max path length. The security device takes action according to this level.
Max Reply Line Length: Specify a max reply line length for the SMTP server. The value range is 64 to 1024 bytes (including the carriage return).
Security Level - Specify a security level for events that exceed the max reply line length. The security device takes action according to this level.
Max Text Line Length: Specify a max line length for the E-mail text sent by the SMTP client. The value range is 64 to 2048 bytes (including the carriage return).
Security Level - Specify a security level for events that exceed the max text line length. The security device takes action according to this level.
Max Content-Type Length: Specify a max length for the Content-Type field of the E-mail. The value range is 64 to 1024 bytes.
Security Level - Specify a security level for events that exceed the max Content-Type length. The security device takes action according to this level.
Max Content Filename Length: Specify a max length for the filename of an E-mail attachment. The value range is 64 to 1024 bytes.
Security Level - Specify a security level for events that exceed the max content filename length. The security device takes action according to this level.
Max Failure Time: Specify the max number of failures (within one SMTP session) for the SMTP server. The value range is 0 to 512 times.
Security Level - Specify a security level for events that exceed the max failure count. The security device takes action according to this level.

Telnet Action for Brute-force: If login attempts from a source fail more times per minute than the threshold, the security device identifies the attempts as an intrusion and takes the configured action. Select the Enable check box to enable brute-force detection.
Login Threshold per Min - Specify the permitted authentication/login failure count per minute. The value range is 1 to 100000.
Block - Select the object to block when its login failure count exceeds the threshold.
Block Time - Specify the block duration. The value range is 60 to 3600 seconds.
Protocol Anomaly Detection: Specify a check level for the protocol validity check of the signature set.
Strict - If any protocol anomaly is detected during parsing, the security device takes the action specified for the corresponding attack level against the offending packets, according to the security level of the anomaly.
Loose - If any protocol anomaly is detected during parsing, the security device only generates logs and invokes the engine to perform signature matching.
Username/Password Max Length: Specify a max length for the username and password used in Telnet. The value range is 64 to 1024 bytes.
Security Level - Specify a security level for events that exceed the max username/password length. The security device takes action according to this level.

IMAP/Finger/NNTP/TFTP/SNMP/MYSQL/MSSQL/ORACLE/NETBIOS/DHCP/LDAP/VoIP/Other-TCP/Other-UDP Max Scan Length: Specify a max scan length. The value range is 0 to 65535 bytes.
SUNRPC Action for Brute-force: If login attempts from a source fail more times per minute than the threshold, the security device identifies the attempts as an intrusion and takes the configured action. Select the Enable check box to enable brute-force detection.
Login Threshold per Min - Specify the permitted authentication/login failure count per minute. The value range is 1 to 100000.
Block - Select the object to block when its login failure count exceeds the threshold.
Block Time - Specify the block duration. The value range is 60 to 3600 seconds.
Protocol Anomaly Detection: Specify a check level for the protocol validity check of the signature set.
Strict - If any protocol anomaly is detected during parsing, the security device takes the action specified for the corresponding attack level against the offending packets, according to the security level of the anomaly.
Loose - If any protocol anomaly is detected during parsing, the security device only generates logs and invokes the engine to perform signature matching.

MSRPC Action for Brute-force: If login attempts from a source fail more times per minute than the threshold, the security device identifies the attempts as an intrusion and takes the configured action. Select the Enable check box to enable brute-force detection.
Login Threshold per Min - Specify the permitted authentication/login failure count per minute. The value range is 1 to 100000.
Block - Select the object to block when its login failure count exceeds the threshold.
Block Time - Specify the block duration. The value range is 60 to 3600 seconds.
Protocol Anomaly Detection: Specify a check level for the protocol validity check of the signature set.
Strict - If any protocol anomaly is detected during parsing, the security device takes the action specified for the corresponding attack level against the offending packets, according to the security level of the anomaly.
Loose - If any protocol anomaly is detected during parsing, the security device only generates logs and invokes the engine to perform signature matching.
Max Bind Length: Specify a max length for MSRPC bind packets. The value range is 16 to 65535 bytes.
Security Level - Specify a security level for events that exceed the max bind length. The security device takes action according to this level.
Max Request Length: Specify a max length for MSRPC request packets. The value range is 16 to 65535 bytes.
Security Level - Specify a security level for events that exceed the max request length. The security device takes action according to this level.

6. Select the Signature List tab to view or configure the signatures. See Configuring Signature.



7. Click OK.
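What the Action for Brute-force and Max Command/Response Line Length options in the protocol table above amount to, as an added Python example (not Hillstone code): a sliding one-minute window of failed logins per source that blocks the source for Block Time once the permitted count is exceeded, plus length checks on client command and server response lines that raise an event at the configured security level. The FTP session events, thresholds and the event format are constructed for this example.

```python
"""Brute-force login detection and command/response length checks, as
configured under Action for Brute-force, Max Command Line Length and Max
Response Line Length in the Protocol Configuration tab.

Added example, not Hillstone code.  The FTP session events and thresholds are
constructed; the event format is an assumption made for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional


@dataclass
class BruteForceConfig:
    login_threshold_per_min: int = 5   # permitted failures per minute (1..100000)
    block_time: int = 60               # seconds the source stays blocked (60..3600)


@dataclass
class LengthConfig:
    max_command_line: int = 256        # FTP: 5..1024 bytes, CR/LF included
    max_response_line: int = 512       # FTP: 5..1024 bytes
    severity: str = "warning"          # security level attached to violations


@dataclass
class Event:
    kind: str          # "brute_force", "command_too_long" or "response_too_long"
    src: str
    severity: str
    detail: str


class FtpProtocolGuard:
    def __init__(self, bf: BruteForceConfig, lengths: LengthConfig):
        self.bf = bf
        self.lengths = lengths
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)  # src -> failure times
        self._blocked_until: Dict[str, float] = {}
        self.events: List[Event] = []

    def is_blocked(self, src: str, now: float) -> bool:
        until = self._blocked_until.get(src)
        if until is None:
            return False
        if now >= until:                 # block expired
            del self._blocked_until[src]
            return False
        return True

    def login_failed(self, src: str, now: float) -> bool:
        """Record a failed login; return True if this failure triggers a block.

        The threshold is the *permitted* number of failures per minute, so the
        block fires on the first failure beyond it within a sliding 60 s window.
        """
        window = self._failures[src]
        window.append(now)
        while window and now - window[0] >= 60:
            window.popleft()
        if len(window) > self.bf.login_threshold_per_min:
            self._blocked_until[src] = now + self.bf.block_time
            self.events.append(Event("brute_force", src, "critical",
                                     f"{len(window)} failed logins within 60 s"))
            window.clear()
            return True
        return False

    def check_command(self, src: str, line: bytes) -> Optional[Event]:
        """Flag a client command line longer than the configured maximum."""
        if len(line) > self.lengths.max_command_line:
            ev = Event("command_too_long", src, self.lengths.severity,
                       f"{len(line)} bytes > {self.lengths.max_command_line}")
            self.events.append(ev)
            return ev
        return None

    def check_response(self, src: str, line: bytes) -> Optional[Event]:
        """Flag a server response line longer than the configured maximum."""
        if len(line) > self.lengths.max_response_line:
            ev = Event("response_too_long", src, self.lengths.severity,
                       f"{len(line)} bytes > {self.lengths.max_response_line}")
            self.events.append(ev)
            return ev
        return None


def run_sample() -> FtpProtocolGuard:
    """Constructed session: six failed logins within 50 s from one host, then an
    oversized RETR argument from another; the server banner line is within limits."""
    guard = FtpProtocolGuard(BruteForceConfig(5, 60), LengthConfig(256, 512, "warning"))
    for t in (0, 10, 20, 30, 40, 50):
        guard.login_failed("203.0.113.5", t)
    guard.check_command("198.51.100.7", b"RETR " + b"A" * 300 + b"\r\n")
    guard.check_response("198.51.100.7", b"220 ftp ready\r\n")
    return guard
```

The window is per source, so a distributed attack that keeps every source under Login Threshold per Min is not caught by this option; the signature-based checks still apply to it. The lower bound of 60 s on Block Time also means a single trigger always costs the attacker at least one full window.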

Configuring Signature

In the Signature List tab of a specific protocol, you can view, enable/disable or configure the signatures.
Viewing the Specific Signature Entry Details
To view the specific signature entry details, take the following steps:

1. In the filter bar, click a filter name and input a value for this filter. You may select more than one filter. Hover your mouse over a parameter to view its drop-down list. The parameters include status, operating system, attack type, popularity, severity, service type, global status and type, etc.

2. Click the search icon; the results that match your criteria are shown in the signature list.

3. In the Signature List of the specific protocol, click an ID. The details of that signature are shown in a pop-up dialog.

Note:

Hover your mouse over the icon to view search tips.

Click the icon to reset the filter condition.

The icon can expand to show search history. If Auto Open is selected, the history can auto-
matically be opened while you use the search box.

Configuring a Specific Attacking Signature


To configure a specific attacking signature of the user-defined IPS rules, take the following steps:

1. In the specific protocol Signature List tab, select the signature you want to edit from the signature list, and click Edit
from the toolbar. The Signature List Configuration dialog appears.



In the Signature List Configuration dialog, configure the specific attack signature.
Option Description

Capture Packets Select the Enable check box to enable packet capture. The security device captures packets of the selected protocol and saves them as evidence messages, which you can view or download on the security device.

Action Specify the action for this signature:
Follow General Configuration - The action depends on the configuration of the signature's attack level.
Log Only - If an attack is detected, the security device only generates protocol behavior logs.
Reset - If an attack is detected, resets the connection (TCP) or sends destination unreachable packets (UDP), and also generates logs.

Block Attacker Block the specified attacker:
Follow General Configuration - The blocking behavior depends on the configuration of the signature's attack level.
Block - Specify what to block for the attacker:
Block IP - Specify the block duration for the blocked IP address. The value range is 60 to 3600 seconds; the default is 60.
Block Service - Specify the block duration for the blocked service. The value range is 60 to 3600 seconds; the default is 60.
Never Block - If an attack is detected, the security device does not block the service from the attacker.

2. Click OK.

WebServer Configuration

To create a WebServer, take the following steps:

1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation pane to enter the device con-
figuration page.

2. From the device navigation pane, click the device on which you want to create a WebServer.

3. From the object navigation pane, click Intrusion Protection System. The main window shows IPS rule list.

4. Select the user-defined IPS rule from the IPS rule list, and then click HTTP.

5. Click Webserver Configuration tab.



6. From the toolbar, click New. The Web Server Configuration dialog appears.

In Webserver Configuration dialog, configure the Web Server configuration.


For NGFW of 5.5R2 or the previous versions:

Option Description

Name Specify the name of the Web server.


Configure Domain Specify domains for the Web server. Click this link to open the Configure Domain dialog.
At most 5 domains can be configured for one Web server. Domain names are matched by longest suffix, i.e. compared from the end of the name backwards, and traffic that matches no configured Web server falls to the default Web server. For example, suppose you configure two Web servers, web_server1 with the domain name abc.com and web_server2 with the domain name email.abc.com. Traffic to news.abc.com matches web_server1, traffic to www.email.abc.com matches web_server2 (the longer suffix wins), and traffic to www.abc.com.cn matches neither and goes to the default Web server.

SQL Injection Protection - Select the Enable check box to enable SQL injection check for the HTTP protocol.

Capture Packets: Select the Enable check box to enable the packet capture tool. The security device will capture packets of the selected protocol and save the evidence messages. You can view or download the evidence messages on the security device.

Action: Specify an action for the SQL injection check.

Block Attacker: Block the specified attacker.

Block IP - Specify a block duration for blocking the IP address. The value range is 60 to 3600 seconds, and the default value is 60.

Block Service - Specify a block duration for blocking the service. The value range is 60 to 3600 seconds, and the default value is 60.

Sensitivity: Specify the sensitivity of the SQL injection protection function. The higher the sensitivity, the lower the false negative rate.

Check point: Specify the check point for the SQL injection check. It can be HTTP cookie, HTTP cookie2, HTTP post, HTTP referer or HTTP URI.

XSS Injection Protection - Select the Enable check box to enable XSS injection check for the HTTP protocol.

Capture Packets: Select the Enable check box to enable the packet capture tool. The security device will capture packets of the selected protocol and save the evidence messages. You can view or download the evidence messages on the security device.

Action: Specify an action for the XSS check.

Block Attacker: Block the specified attacker.

Block IP - Specify a block duration for blocking the IP address. The value range is 60 to 3600 seconds, and the default value is 60.

Block Service - Specify a block duration for blocking the service. The value range is 60 to 3600 seconds, and the default value is 60.

Sensitivity: Specify the sensitivity of the XSS injection protection function. The higher the sensitivity, the lower the false negative rate.

Check point: Specify the check point for the XSS injection check. It can be HTTP cookie, HTTP cookie2, HTTP post, HTTP referer or HTTP URI.

External Link Check - Select the Enable check box to enable external link check for the Web server. This function controls access to external resources.

Capture Packets: Select the Enable check box to enable the packet capture tool. The security device will save the evidence messages, which you can view or download.

External link exception: Click this link, and the External Link Exception Configuration dialog appears. All the URLs configured in this dialog can be linked to by the Web server. At most 32 URLs can be specified for one Web server.

Action: Specify the action taken on linking to an external resource.

Log only: Only record the related logs when external link behavior is detected.

Reset: Reset the TCP connection or send the UDP unreachable packet, and record the related logs, when external link behavior is detected.

ACL - Select the Enable check box to enable access control for the Web server. The access control function checks the upload paths of the websites to prevent attackers from uploading malicious code.

ACL: Click this link, and the ACL Configuration dialog appears. Specify the websites and their properties in this dialog. "Static" means the URI can only be accessed statically, as a static resource (images and text); otherwise, the access is handled as the specified action (log only/reset). "Block" means the resource of the website is not allowed to be accessed.

Action: Specify the action taken on the detected access behavior.

Log only: Only record the related logs when the behavior is detected.

Reset: Reset the TCP connection or send the UDP unreachable packet, and record the related logs, when the behavior is detected.

HTTP Request Flood Protection - Select the Enable check box to enable the HTTP request flood protection.

Request threshold: Specify the request threshold. When the number of HTTP connection requests reaches the threshold, the security device treats it as an HTTP request flood attack and enables the HTTP request flood protection.

Authentication: Specify the authentication method. The security device judges the legality of the HTTP requests from a source IP through authentication. If a source IP fails the authentication, the current request from that source IP is blocked. Choose the proper authentication method from the drop-down list. The available authentication methods are:

Auto (JS Cookie): The Web browser finishes the authentication process automatically.

Auto (Redirect): The Web browser finishes the authentication process automatically.

Manual (Access Confirm): The initiator of the HTTP request must confirm by clicking OK on the returned page to finish the authentication process.

Manual (CAPTCHA): The initiator of the HTTP request must confirm by entering the authentication code on the returned page to finish the authentication process.

Crawler-friendly: If this check box is selected, the security device does not authenticate crawlers.

Request limit: Specify the request limit for the HTTP request flood protection. After the request limit is configured, the security device limits the request rate of each source IP. If the request rate is higher than the limit specified here and the HTTP request flood protection is enabled, the security device handles the excess requests according to the specified action (Block IP/Reset).

Proxy limit: Specify the proxy limit for the HTTP request flood protection. After the proxy limit is configured, the security device checks whether each source IP belongs to a proxy server and, if so, limits its request rate according to the configuration. If the request rate is higher than the limit specified here and the HTTP request flood protection is enabled, the security device handles the excess requests according to the specified action (Block IP/Reset).

White List: Specify the white list for the HTTP request flood protection. Source IPs added to the white list are not checked by the HTTP request flood protection. Select the address entry from the drop-down list; the address entry cannot be a domain name or an IPv6 address. If the traffic from a white-listed source IP address exceeds the threshold for the HTTP request flood protection, the HTTP request flood protection is still enabled.

For NGFW version 5.5R3 or later, and IPS devices:

Option Description

Name - Specify the name of the Web server protection rule.

Configure Domain - Specify the domains protected by this rule. Click the link, and the Configure Domain dialog appears. Enter the domain names in the Domain text box. At most 5 domains can be configured. Traffic to these domains will be checked by the protection rule. The domain name of the Web server follows the longest match rule from the back to the front. Traffic that does not match any rule will match the default Web server. For example, you have configured two protection rules: rule1 and rule2. The domain name in rule1 is abc.com. The domain name in rule2 is email.abc.com. The traffic that visits news.abc.com will match rule1, the traffic that visits www.email.abc.com will match rule2, and the traffic that visits www.abc.com.cn will match the default protection rule.

SQL Injection Protection - Select the Enable check box to enable SQL injection check.

Capture Packets: Capture the abnormal packets. You can view them in the threat log.

Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP), and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Sensitivity: Specify the sensitivity of the SQL injection protection function. The higher the sensitivity, the lower the false negative rate.

Check point: Specify the check point for the SQL injection check. It can be Cookie, Cookie2, Post, Referer or URI.

XSS Injection Protection - Select the Enable check box to enable XSS injection check for the HTTP protocol.

Capture Packets: Capture the abnormal packets. You can view them in the threat log.

Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP), and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Sensitivity: Specify the sensitivity of the XSS injection protection function. The higher the sensitivity, the lower the false negative rate.

Check point: Specify the check point for the XSS injection check. It can be Cookie, Cookie2, Post, Referer or URI.

External Link Check - Select the Enable check box to enable external link check for the Web server. This function controls resource references from external sites.

Capture Packets: Capture the abnormal packets. You can view them in the threat log.

External link exception: Click this link, and the External Link Exception Configuration dialog appears. All the URLs configured in this dialog can be linked to by the Web server. At most 32 URLs can be specified for one Web server.

Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP), and also generate logs.

ACL - Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP), and also generate logs.

HTTP Request Flood Protection - Select the Enable check box to enable the HTTP request flood protection.

Request threshold: Specify the request threshold.

For the protected domain name, when the number of HTTP connection requests per second reaches the threshold and this lasts 20 seconds, the system treats it as an HTTP request flood attack and enables the HTTP request flood protection.

For the protected full URL, when the number of HTTP connection requests per second towards this URL reaches the threshold and this lasts 20 seconds, the system treats it as an HTTP request flood attack towards this URL and enables the HTTP request flood protection. This is only applicable to IPS devices.

Full URL: Enter full URLs to protect particular URLs. Click this link to configure the URLs, for example, www.example.com/index.html. When protecting a particular URL, you can select a statistic object. When the number of HTTP connection requests per second by the object reaches the threshold and this lasts 20 seconds, the system treats it as an HTTP request flood attack by this object and enables the HTTP request flood protection. This is only applicable to IPS devices.

x-forwarded-for: Select None, and the system does not use the value in x-forwarded-for as the statistic object. Select First, and the system uses the first value of the x-forwarded-for field as the statistic object. Select Last, and the system uses the last value of the x-forwarded-for field as the statistic object. Select All, and the system uses all values in x-forwarded-for as the statistic object.

x-real-ip: Select whether to use the value in the x-real-ip field as the statistic object.

When an HTTP request flood attack is discovered, you can make the system take the following actions:

Authentication: Specify the authentication method. The system judges the legality of the HTTP requests from a source IP through authentication. If a source IP fails the authentication, the current request from that source IP is blocked. The available authentication methods are:

Auto (JS Cookie): The Web browser finishes the authentication process automatically.

Auto (Redirect): The Web browser finishes the authentication process automatically.

Manual (Access Configuration): The initiator of the HTTP request must confirm by clicking OK on the returned page to finish the authentication process.

Manual (CAPTCHA): The initiator of the HTTP request must confirm by entering the authentication code on the returned page to finish the authentication process.

Crawler-friendly: If this check box is selected, the system does not authenticate crawlers.

Request limit: Specify the request limit for the HTTP request flood protection. After the request limit is configured, the system limits the request rate of each source IP. If the request rate is higher than the limit specified here and the HTTP request flood protection is enabled, the system handles the excess requests according to the specified action (Block IP/Reset). To record a log, select the Record log check box.

Proxy limit: Specify the proxy limit for the HTTP request flood protection. After the proxy limit is configured, the system checks whether each source IP belongs to a proxy server and, if so, limits its request rate according to the configuration. If the request rate is higher than the limit specified here and the HTTP request flood protection is enabled, the system handles the excess requests according to the specified action (Block IP/Reset). To record a log, select the Record log check box.

White List: Specify the white list for the HTTP request flood protection. Source IPs added to the white list are not checked by the HTTP request flood protection.

7. Click OK.

Note: After you create an HTTP signature, HSM automatically creates a default Web Server. The default Web Server is enabled by default, and cannot be disabled or deleted. At most 32 Web servers can be configured for one signature, not including the default server.
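The detection logic behind the Request threshold, x-forwarded-for, x-real-ip and White List options described above, as an added example that is not part of this guide or of Hillstone's software: every request is counted under its statistic object, and a source is reported once its per-second count has stayed at or above the threshold for 20 consecutive seconds. The 20-second duration and the four x-forwarded-for modes follow the table; white-listed sources are skipped as the 5.5R3 description states. The function names, the sample traffic and all IP addresses are constructed for the example.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed example, not HSM or StoneOS code: models the HTTP Request Flood Protection
# described above (requests per second at or above the threshold for 20 consecutive
# seconds, counted per statistic object, with white-listed sources skipped).

Request = Tuple[float, str, Dict[str, str]]  # (unix time, source IP, HTTP headers)


def statistic_objects(src_ip: str, headers: Dict[str, str],
                      xff_mode: str = "None", use_real_ip: bool = False) -> List[str]:
    """Pick the key(s) a request is counted under.

    Mirrors the x-forwarded-for (None/First/Last/All) and x-real-ip options and falls
    back to the packet's source IP when the header is absent.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if use_real_ip and lower.get("x-real-ip", "").strip():
        return [lower["x-real-ip"].strip()]
    xff = [v.strip() for v in lower.get("x-forwarded-for", "").split(",") if v.strip()]
    if xff:
        if xff_mode == "First":
            return [xff[0]]
        if xff_mode == "Last":
            return [xff[-1]]
        if xff_mode == "All":
            return xff
    return [src_ip]


def detect_flood(requests: Iterable[Request], threshold: int, sustain_seconds: int = 20,
                 whitelist: Iterable[str] = (), xff_mode: str = "None",
                 use_real_ip: bool = False) -> Set[str]:
    """Return the statistic objects that sustained >= threshold req/s for sustain_seconds."""
    skip = set(whitelist)
    per_second: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for ts, src_ip, headers in requests:
        for key in statistic_objects(src_ip, headers, xff_mode, use_real_ip):
            per_second[key][int(ts)] += 1

    flagged: Set[str] = set()
    for key, buckets in per_second.items():
        if key in skip:  # white-listed sources are not checked
            continue
        streak = 0
        for second in range(min(buckets), max(buckets) + 1):
            # one second below the threshold resets the streak: the flood must be continuous
            streak = streak + 1 if buckets.get(second, 0) >= threshold else 0
            if streak >= sustain_seconds:
                flagged.add(key)
                break
    return flagged


def constructed_traffic() -> List[Request]:
    """Synthetic request log (constructed for this example) showing four behaviours."""
    reqs: List[Request] = []
    for sec in range(25):
        reqs += [(sec + i / 50, "203.0.113.9", {}) for i in range(50)]   # 50 req/s for 25 s
        reqs += [(sec + i / 5, "198.51.100.4", {}) for i in range(5)]    # ordinary client
        reqs += [(sec + i / 50, "192.0.2.10", {}) for i in range(50)]    # flood from a white-listed IP
    for sec in range(10):
        reqs += [(sec + i / 40, "203.0.113.77", {}) for i in range(40)]  # 10 s burst: too short
    return reqs


def proxied_traffic() -> List[Request]:
    """The same flood arriving through a proxy at 10.0.0.1 (constructed)."""
    hdr = {"X-Forwarded-For": "203.0.113.9, 10.0.0.1"}
    return [(sec + i / 40, "10.0.0.1", hdr) for sec in range(25) for i in range(40)]


if __name__ == "__main__":
    print(detect_flood(constructed_traffic(), threshold=30, whitelist=["192.0.2.10"]))
    print(detect_flood(proxied_traffic(), threshold=30, xff_mode="First"))
```

Run stand-alone, the first call reports only 203.0.113.9: the ordinary client never reaches the threshold, the 10-second burst does not last 20 seconds, and the white-listed address is skipped. The second call shows why the x-forwarded-for setting matters behind a proxy: with None the proxy's own address would be the object counted, so every client behind it would share one counter.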

For IPS devices and NGFW version 5.5R3 or later

Creating an IPS rule
The system has three default IPS rules: predef_default, predef_loose and no-ips. The predef_default rule includes all the IPS signatures and its default action is reset. The predef_loose rule includes all the IPS signatures and its default action is log only. The no-ips rule does not include any IPS signatures.
To create an IPS rule on HSM, take the following steps:

1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.

2. From the device navigation pane, select the device for which you want to create an IPS rule.

3. Go to the object navigation pane and select Intrusion Protection System. The main window shows the IPS rule list.

4. Click New from the toolbar. The Intrusion Protection System Configuration dialog appears.

5. Specify the type of IPS rule. It can be private or shared.

6. Type the name into the Name box.

7. According to your requirements, select the Enable check box of Global Packet Capture to capture packets. The security device will capture packets of the selected protocol in this rule and save the evidence messages. You can view and download the evidence messages on the security device. This feature may not be available on all security devices; please refer to the actual page.

8. In the Select Signature area, you can also manage the signature sets, including New, Edit, and Delete. All existing signature sets and their settings are displayed in the table.

Click New to create a new signature set rule.


Option Description

Creating a new signature set involves the following settings:

Select By: Select the method of choosing the signatures for the set. There are two methods: Filter and Search Condition.

Capture Packet: Capture the abnormal packets that match the configured signature set. You can view them in the threat log.

Action: Specify the action performed on the abnormal traffic that matches the signature set.

Select By

Filter - The system categorizes the signatures according to the following aspects (main categories): affected OS, attack type, protocol, severity, released year, affected application, and bulletin board. A signature can be in several subcategories of one main category. For example, the signature with ID 105001 is in the Linux subcategory, the FreeBSD subcategory, and the Other Linux subcategory at the same time. With Filter selected, the system displays the main categories and subcategories above. Select a subcategory to choose the signatures in it. For example, after you select the Web Attack subcategory in the Attack Type main category, the system chooses the signatures related to this subcategory. To view the detailed information of a chosen signature, click its ID in the table. When selecting main categories and subcategories, note the following:

You can select multiple subcategories of one main category. The logical relation between them is OR.

The logical relation between main categories is AND.

For example, if you select Windows and Linux in OS and select HIGH in Severity, the chosen signatures are those whose severity is high and whose affected operating system is either Windows or Linux.

Search Condition - Enter information about the signatures and press Enter to search for them. The system performs fuzzy matching on the following fields: attack ID, attack name, description, and CVE-ID. In the search results displayed in the table, select the check boxes of the desired signatures, then click the corresponding button to add them to the right pane. The IDs displayed in the right pane are the ones included in this signature set. To add all signatures on the left to the right, click the corresponding button. Use the corresponding buttons to remove the selected signatures, or all signatures, from the right pane.

Capture Packet

Capture Packet - Capture the abnormal packets that match the configured signature set. You can view them in the threat log.

Action

Log Only - Record a log.

Reset - Reset connections (TCP) or send destination unreachable packets (UDP), and also generate logs.

Block IP - Block the IP address of the attacker. Specify a block duration. The value range is 60 to 3600 seconds, and the default value is 60.

Block Service - Block the service of the attacker. Specify a block duration. The value range is 60 to 3600 seconds, and the default value is 60.
Note: You may create several signature sets, some of which contain a particular signature. If the actions of these signature sets are different and an attack matches this particular signature, the system adopts the following rules:

Always perform the stricter action on the attack. The signature set with the stricter action will be matched. The strictness order is: Block IP > Block Service > Reset > Log Only. If one signature set is Block IP with 15s and the other is Block Service with 30s, the final action will be Block IP with 30s.

If one signature set is configured with Capture Packet, the system will capture the packets.

The action of a signature set created by Search Condition has higher priority than the action of a signature set created by Filter.
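The three rules in the note, carried through as an added example that is not part of this guide or of Hillstone's software: the strictness order, the longer block duration kept alongside the stricter action (the note's own 15s/30s case) and packet capture if any matching set asks for it. How the Search Condition priority combines with "always the stricter action" is not spelled out above, so this example treats Search Condition sets as outranking Filter sets entirely; that interpretation, the data class and the function names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Constructed example, not HSM code: resolves the final IPS action when an attack matches
# a signature that appears in several signature sets with different settings.
# STRICTNESS encodes the note's order Block IP > Block Service > Reset > Log Only.
STRICTNESS = {"Log Only": 0, "Reset": 1, "Block Service": 2, "Block IP": 3}
BLOCKING = {"Block IP", "Block Service"}


@dataclass(frozen=True)
class SignatureSetMatch:
    name: str
    action: str                           # one of the STRICTNESS keys
    block_seconds: Optional[int] = None   # only meaningful for Block IP / Block Service
    capture_packet: bool = False
    select_by: str = "Filter"             # "Filter" or "Search Condition"


def resolve(matches: Iterable[SignatureSetMatch]) -> Tuple[str, Optional[int], bool]:
    """Return (action, block duration in seconds or None, capture packets) for one attack."""
    matches = list(matches)
    if not matches:
        raise ValueError("no signature set matched")
    for m in matches:
        if m.action not in STRICTNESS:
            raise ValueError(f"unknown action {m.action!r} in signature set {m.name}")

    # Assumption about how the note's rules combine: sets chosen by Search Condition
    # outrank sets chosen by Filter, so only they decide the action when any matched.
    search = [m for m in matches if m.select_by == "Search Condition"]
    pool = search or matches

    # Rule 1: the stricter action always wins.
    action = max((m.action for m in pool), key=STRICTNESS.__getitem__)

    # The note's example (Block IP 15s + Block Service 30s -> Block IP 30s) shows the
    # longest configured block duration is kept together with the stricter action.
    duration = None
    if action in BLOCKING:
        duration = max(m.block_seconds or 0 for m in pool if m.action in BLOCKING) or None

    # Rule 2: Capture Packet on any matching set captures the packets.
    capture = any(m.capture_packet for m in matches)
    return action, duration, capture


if __name__ == "__main__":
    print(resolve([
        SignatureSetMatch("web-attacks", "Block IP", 15),
        SignatureSetMatch("linux-high-severity", "Block Service", 30, capture_packet=True),
    ]))
```

Run stand-alone, this prints ('Block IP', 30, True) for the note's own case. The validation at the top matters in practice: a misspelled action name (the guide itself sometimes has "Rest") would otherwise silently sort below Log Only.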

9. Click OK to complete signature set configurations. Repeat the above steps to create more signature sets.

10. In the Protocol Configuration area, click Edit to configure. The protocol configurations specify the requirements that
the protocol part of the traffic must meet. If the protocol part contains abnormal contents, the system will process
the traffic according to the action configuration. The system supports the configurations of HTTP, DNS, FTP, MSRPC,
POP3, SMTP, SUNRPC, and Telnet.

In the HTTP tab, select the Protocol tab, and configure the following settings:

Option Description

HTTP

Max Scan Length: Specify the maximum length of scanning when scanning the HTTP packets.

Protocol Anomaly Detection: Select Enable to analyze the HTTP packets. If abnormal contents exist, you can:

Capture Packets: Capture the abnormal packets. You can view them in the threat log.

Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP), and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Banner Detection: Select the Enable check box to enable protection against HTTP server banners.

Banner information - Type the new information into the box that will replace the original server banner information.

Max URI Length: Specify a max URI length for the HTTP protocol. If the URI length exceeds the limit, you can:

Capture Packets: Capture the abnormal packets. You can view them in the threat log.

Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP), and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Allowed Methods: Specify the allowed HTTP methods.
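What the Max URI Length, Allowed Methods and Banner Detection settings above amount to when applied to raw traffic, as an added example that is not part of this guide or of Hillstone's software: the request line is parsed and checked against the policy, and the Server header of a response is replaced by the configured banner text. The policy class, the function names, the replacement banner "webserver" and the sample request and response bytes are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed example, not HSM or StoneOS code: models the HTTP Protocol tab settings
# (Max URI Length, Allowed Methods, Banner Detection) as checks over raw request and
# response bytes.


@dataclass(frozen=True)
class HttpProtocolPolicy:
    max_uri_length: int = 2048
    allowed_methods: FrozenSet[str] = frozenset({"GET", "HEAD", "POST"})
    banner_replacement: Optional[str] = "webserver"  # None leaves the Server header untouched


def inspect_request(raw: bytes, policy: HttpProtocolPolicy) -> List[str]:
    """Return the list of violations for one request (an empty list means it passes)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    request_line = head.split(b"\r\n", 1)[0]
    try:
        method, uri, version = request_line.decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        # Protocol anomaly: the request line is not "METHOD URI HTTP/x.y"
        return ["protocol anomaly: malformed request line"]
    violations: List[str] = []
    if not version.startswith("HTTP/"):
        violations.append(f"protocol anomaly: unexpected version {version!r}")
    if method not in policy.allowed_methods:
        violations.append(f"method not allowed: {method}")
    if len(uri) > policy.max_uri_length:
        violations.append(f"URI length {len(uri)} exceeds {policy.max_uri_length}")
    return violations


def rewrite_banner(raw_response: bytes, policy: HttpProtocolPolicy) -> bytes:
    """Replace the Server header value, as Banner Detection does with Banner information."""
    if policy.banner_replacement is None:
        return raw_response
    head, sep, body = raw_response.partition(b"\r\n\r\n")
    rewritten = []
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"server:"):
            line = b"Server: " + policy.banner_replacement.encode("ascii")
        rewritten.append(line)
    return b"\r\n".join(rewritten) + sep + body


# Constructed sample traffic for the demonstration.
GOOD_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
TRACE_REQUEST = b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
LONG_URI_REQUEST = b"GET /" + b"a" * 3000 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
GARBAGE = b"\x16\x03\x01\x00\xa5\x01"  # TLS ClientHello bytes arriving on the HTTP port
RESPONSE = b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    policy = HttpProtocolPolicy()
    for req in (GOOD_REQUEST, TRACE_REQUEST, LONG_URI_REQUEST, GARBAGE):
        print(inspect_request(req, policy) or ["ok"])
    print(rewrite_banner(RESPONSE, policy))
```

The verdict list, rather than a single boolean, is what lets the configured action (Log Only, Reset, Block IP, Block Service) and the Capture Packets option be applied per finding, and the banner rewrite only touches the header line, so Content-Length and the body are unaffected.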

To protect the Web server, select Web Server in the HTTP tab.
Protecting the Web server means the system can detect the following attacks: SQL injection, XSS injection, external link check, ACL, and HTTP request flood, and take actions when detecting them. A pre-defined Web server protection rule named default is built in. By default, this protection rule is enabled and cannot be disabled or deleted.
Configure the following settings to protect the Web server:

Option Description

Name - Specify the name of the Web server protection rule.

Configure Domain - Specify the domains protected by this rule. Click the link, and the Configure Domain dialog appears. Enter the domain names in the Domain text box. At most 5 domains can be configured. Traffic to these domains will be checked by the protection rule. The domain name of the Web server follows the longest match rule from the back to the front. Traffic that does not match any rule will match the default Web server. For example, you have configured two protection rules: rule1 and rule2. The domain name in rule1 is abc.com. The domain name in rule2 is email.abc.com. The traffic that visits news.abc.com will match rule1, the traffic that visits www.email.abc.com will match rule2, and the traffic that visits www.abc.com.cn will match the default protection rule.

SQL Injection Protection - Select the Enable check box to enable SQL injection check.

Capture Packets: Capture the abnormal packets. You can view them in the threat log.

Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP), and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Sensitivity: Specify the sensitivity of the SQL injection protection function. The higher the sensitivity, the lower the false negative rate.

Check point: Specify the check point for the SQL injection check. It can be Cookie, Cookie2, Post, Referer or URI.

XSS Injection Protection - Select the Enable check box to enable XSS injection check for the HTTP protocol.

Capture Packets: Capture the abnormal packets. You can view them in the threat log.

Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP), and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Sensitivity: Specify the sensitivity of the XSS injection protection function. The higher the sensitivity, the lower the false negative rate.

Check point: Specify the check point for the XSS injection check. It can be Cookie, Cookie2, Post, Referer or URI.

External Link Check - Select the Enable check box to enable external link check for the Web server. This function controls resource references from external sites.

Capture Packets: Capture the abnormal packets. You can view them in the threat log.

External link exception: Click this link, and the External Link Exception Configuration dialog appears. All the URLs configured in this dialog can be linked to by the Web server. At most 32 URLs can be specified for one Web server.

Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP), and also generate logs.

ACL - Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP), and also generate logs.

HTTP Request Flood Protection - Select the Enable check box to enable the HTTP request flood protection.

Request threshold: Specify the request threshold. When the number of HTTP connection requests per second reaches the threshold and this lasts 20 seconds, the system treats it as an HTTP request flood attack and enables the HTTP request flood protection.

When an HTTP request flood attack is discovered, you can make the system take the following actions:

Authentication: Specify the authentication method. The system judges the legality of the HTTP requests from a source IP through authentication. If a source IP fails the authentication, the current request from that source IP is blocked. The available authentication methods are:

Auto (JS Cookie): The Web browser finishes the authentication process automatically.

Auto (Redirect): The Web browser finishes the authentication process automatically.

Manual (Access Configuration): The initiator of the HTTP request must confirm by clicking OK on the returned page to finish the authentication process.

Manual (CAPTCHA): The initiator of the HTTP request must confirm by entering the authentication code on the returned page to finish the authentication process.

Crawler-friendly: If this check box is selected, the system does not authenticate crawlers.

Request limit: Specify the request limit for the HTTP request flood protection. After the request limit is configured, the system limits the request rate of each source IP. If the request rate is higher than the limit specified here and the HTTP request flood protection is enabled, the system handles the excess requests according to the specified action (Block IP/Reset). To record a log, select the Record log check box.

Proxy limit: Specify the proxy limit for the HTTP request flood protection. After the proxy limit is configured, the system checks whether each source IP belongs to a proxy server and, if so, limits its request rate according to the configuration. If the request rate is higher than the limit specified here and the HTTP request flood protection is enabled, the system handles the excess requests according to the specified action (Block IP/Reset). To record a log, select the Record log check box.

White List: Specify the white list for the HTTP request flood protection. Source IPs added to the white list are not checked by the HTTP request flood protection.
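The longest-match rule from the Configure Domain rows above (it appears in all three Web server tables in this section), carried through as an added example that is not part of this guide or of Hillstone's software: domain names are compared label by label from the back, the rule with the longest matching suffix wins, and a host that matches no rule falls to the default rule. The 5-domain limit from the same rows is enforced on the rule table. The rule table below is the guide's own example; the function names and the default rule name "default" are assumptions made for the example (the guide names the built-in rule default in the Web Server section above).

```python
from typing import Dict, Iterable, List

# Constructed example, not HSM or StoneOS code: the longest-match-from-the-back rule that
# selects the Web server protection rule for a request's Host, plus the 5-domain limit.
MAX_DOMAINS_PER_RULE = 5
DEFAULT_RULE = "default"  # the built-in rule that cannot be disabled or deleted


def _labels(name: str) -> List[str]:
    """Normalize a domain into its labels, e.g. 'www.Example.com.' -> ['www', 'example', 'com']."""
    return [label for label in name.strip().lower().rstrip(".").split(".") if label]


def validate_rules(rules: Dict[str, Iterable[str]]) -> Dict[str, List[List[str]]]:
    """Pre-process the rule table and enforce the per-rule domain limit."""
    table: Dict[str, List[List[str]]] = {}
    for rule, domains in rules.items():
        domains = list(domains)
        if len(domains) > MAX_DOMAINS_PER_RULE:
            raise ValueError(f"{rule}: {len(domains)} domains configured, "
                             f"at most {MAX_DOMAINS_PER_RULE} allowed")
        table[rule] = [_labels(d) for d in domains]
    return table


def match_rule(host: str, rules: Dict[str, Iterable[str]]) -> str:
    """Return the rule whose domain is the longest label-wise suffix of host, else the default."""
    host_labels = _labels(host.split(":", 1)[0])  # drop a :port from the Host header value
    best_rule, best_len = DEFAULT_RULE, 0
    for rule, domain_list in validate_rules(rules).items():
        for labels in domain_list:
            n = len(labels)
            # whole labels are compared from the back, so abc.com does not match xyzabc.com
            if n > best_len and n <= len(host_labels) and host_labels[-n:] == labels:
                best_rule, best_len = rule, n
    return best_rule


# The guide's own example, as constructed input.
RULES = {"rule1": ["abc.com"], "rule2": ["email.abc.com"]}

if __name__ == "__main__":
    for host in ("news.abc.com", "www.email.abc.com", "www.abc.com.cn", "abc.com"):
        print(host, "->", match_rule(host, RULES))
```

Run stand-alone, this reproduces the table's three cases (rule1, rule2, default). The label-wise comparison is the point worth checking in any such matcher: a plain string suffix test would let a registration like xyzabc.com fall under the abc.com rule, and a match on the front of the name would put www.abc.com.cn under rule1 instead of the default rule.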

In the DNS tab, configure the following settings:

Option Description

DNS

Max Scan Length: Specify the maximum length of scanning when scanning the DNS packets.

Protocol Anomaly Detection: Select Enable to analyze the DNS packets. If abnormal contents exist, you can:

Capture Packets: Capture the abnormal packets. You can view them in the threat log.

Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP), and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

In the FTP tab, configure the following settings:

Option Description

FTP

Max Scan Length: Specify the maximum length of scanning when scanning the FTP packets.

Protocol Anomaly Detection: Select Enable to analyze the FTP packets. If abnormal contents exist, you can:

Capture Packets: Capture the abnormal packets. You can view them in the threat log.

Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP), and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Banner Detection: Select the Enable check box to enable protection against FTP server banners.

Banner Information: Type the new information into the box that will replace the original server banner information.

Max Command Line Length: Specify a max length (including carriage return) for the FTP command line. If the length exceeds the limit, you can:

Capture Packets: Capture the abnormal packets. You can view them in the threat log.

Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP), and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Max Response Line Length: Specify a max length for the FTP response line. If the length exceeds the limit, you can:

Capture Packets: Capture the abnormal packets. You can view them in the threat log.

Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP), and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Action for Brute-force: If the login attempts per minute fail the number of times specified by the threshold, the system identifies the attempts as an intrusion and takes an action according to the configuration. Select the Enable check box to enable brute-force protection.

Login Threshold per Min - Specify the permitted authentication/login failure count per minute.

Block IP - Block the IP address of the attacker and specify a block duration.

Block Service - Block the service of the attacker and specify a block duration.

Block Time - Specify the block duration.

In the MSRPC tab, configure the following settings:

Option Description

MSRPC

Max Scan Length: Specify the maximum length of scanning when scanning the MSRPC packets.

Protocol Anomaly Detection: Select Enable to analyze the MSRPC packets. If abnormal contents exist, you can:

Capture Packets: Capture the abnormal packets. You can view them in the threat log.

Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP), and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Max bind length: Specify a max length for MSRPC binding packets. If the length exceeds the limit, you can:

Capture Packets: Capture the abnormal packets. You can view them in the threat log.

Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP), and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Max request length: Specify a max length for MSRPC request packets. If the length exceeds the limit, you can:

Capture Packets: Capture the abnormal packets. You can view them in the threat log.

Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP), and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

Action for Brute-force: If the login attempts per minute fail the number of times specified by the threshold, the system identifies the attempts as an intrusion and takes an action according to the configuration. Select the Enable check box to enable brute-force protection.

Login Threshold per Min - Specify the permitted authentication/login failure count per minute.

Block IP - Block the IP address of the attacker and specify a block duration.

Block Service - Block the service of the attacker and specify a block duration.

Block Time - Specify the block duration.

In the POP3 tab, configure the following settings:

Option Description
POP3:
  Max Scan Length: Specifies the maximum length of scanning when scanning the POP3 packets.
  Protocol Anomaly Detection: Select Enable to analyze the POP3 packets. If abnormal contents exist, you can:
    Capture Packets: Capture the abnormal packets. You can view them in the threat log.
    Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Banner Detection: Select the Enable check box to enable protection against POP3 server banners.
    Banner information - Type the new information into the box; it will replace the original server banner information.
  Max Command Line Length: Specifies a max length (including carriage return) for the POP3 command line. If the length exceeds the limit, you can:
    Capture Packets: Capture the abnormal packets. You can view them in the threat log.
    Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Max Parameter Length: Specifies a max length for the POP3 client command parameter. If the length exceeds the limit, you can:
    Capture Packets: Capture the abnormal packets. You can view them in the threat log.
    Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Max Failure Time: Specifies a max failure count (within one single POP3 session) for the POP3 server. If the failure count exceeds the limit, you can:
    Capture Packets: Capture the abnormal packets. You can view them in the threat log.
    Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Action for Brute-force: If the login attempts per minute fail for the number of times specified by the threshold, the system identifies the attempts as an intrusion and takes an action according to the configuration. Select the Enable check box to enable brute-force detection.
    Login Threshold per Min - Specifies a permitted authentication/login failure count per minute.
    Block IP - Block the IP address of the attacker and specify a block duration.
    Block Service - Block the service of the attacker and specify a block duration.
    Block Time - Specifies the block duration.

In the SMTP tab, configure the following settings:

Option Description
SMTP:
  Max Scan Length: Specifies the maximum length of scanning when scanning the SMTP packets.
  Protocol Anomaly Detection: Select Enable to analyze the SMTP packets. If abnormal contents exist, you can:
    Capture Packets: Capture the abnormal packets. You can view them in the threat log.
    Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Banner Detection: Select the Enable check box to enable protection against SMTP server banners.
    Banner information - Type the new information into the box; it will replace the original server banner information.
  Max Command Line Length: Specifies a max length (including carriage return) for the SMTP command line. If the length exceeds the limit, you can:
    Capture Packets: Capture the abnormal packets. You can view them in the threat log.
    Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Max Path Length: Specifies a max length for the reverse-path and forward-path fields in the SMTP client command. If the length exceeds the limit, you can:
    Capture Packets: Capture the abnormal packets. You can view them in the threat log.
    Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Max Reply Line Length: Specifies a max reply line length for the SMTP server. If the length exceeds the limit, you can:
    Capture Packets: Capture the abnormal packets. You can view them in the threat log.
    Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Max Text Line Length: Specifies a max length for the e-mail text of the SMTP client. If the length exceeds the limit, you can:
    Capture Packets: Capture the abnormal packets. You can view them in the threat log.
    Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Max Content Type Length: Specifies a max length for the content-type of the SMTP protocol. If the length exceeds the limit, you can:
    Capture Packets: Capture the abnormal packets. You can view them in the threat log.
    Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Max Content Filename Length: Specifies a max length for the filename of an e-mail attachment. If the length exceeds the limit, you can:
    Capture Packets: Capture the abnormal packets. You can view them in the threat log.
    Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Max Failure Time: Specifies a max failure count (within one single SMTP session) for the SMTP server. If the failure count exceeds the limit, you can:
    Capture Packets: Capture the abnormal packets. You can view them in the threat log.
    Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Action for Brute-force: If the login attempts per minute fail for the number of times specified by the threshold, the system identifies the attempts as an intrusion and takes an action according to the configuration. Select the Enable check box to enable brute-force detection.
    Login Threshold per Min - Specifies a permitted authentication/login failure count per minute.
    Block IP - Block the IP address of the attacker and specify a block duration.
    Block Service - Block the service of the attacker and specify a block duration.
    Block Time - Specifies the block duration.

In the SUNRPC tab, configure the following settings:

Option Description
SUNRPC:
  Max Scan Length: Specifies the maximum length of scanning when scanning the SUNRPC packets.
  Protocol Anomaly Detection: Select Enable to analyze the SUNRPC packets. If abnormal contents exist, you can:
    Capture Packets: Capture the abnormal packets. You can view them in the threat log.
    Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Action for Brute-force: If the login attempts per minute fail for the number of times specified by the threshold, the system identifies the attempts as an intrusion and takes an action according to the configuration. Select the Enable check box to enable brute-force detection.
    Login Threshold per Min - Specifies a permitted authentication/login failure count per minute.
    Block IP - Block the IP address of the attacker and specify a block duration.
    Block Service - Block the service of the attacker and specify a block duration.
    Block Time - Specifies the block duration.

In the Telnet tab, configure the following settings:

Option Description
Telnet:
  Max Scan Length: Specifies the maximum length of scanning when scanning the Telnet packets.
  Protocol Anomaly Detection: Select Enable to analyze the Telnet packets. If abnormal contents exist, you can:
    Capture Packets: Capture the abnormal packets. You can view them in the threat log.
    Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Username/Password Max Length: Specifies a max length for the username and password used in Telnet. If the length exceeds the limit, you can:
    Capture Packets: Capture the abnormal packets. You can view them in the threat log.
    Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP) and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.
  Action for Brute-force: If the login attempts per minute fail for the number of times specified by the threshold, the system identifies the attempts as an intrusion and takes an action according to the configuration. Select the Enable check box to enable brute-force detection.
    Login Threshold per Min - Specifies a permitted authentication/login failure count per minute.
    Block IP - Block the IP address of the attacker and specify a block duration.
    Block Service - Block the service of the attacker and specify a block duration.
    Block Time - Specifies the block duration.

11. Click OK to complete the protocol configurations, then click OK to complete the IPS rule configurations.
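As an added example (not Hillstone code), the following Python model shows how the "Max ... Length" rows and the "Action for Brute-force" row of the protocol tabs above behave on traffic: each length row carries its own action, and the brute-force rule counts login failures in a sliding one-minute window and then blocks the source for "Block Time" seconds. The service name, field names, addresses, limits and thresholds are constructed sample values.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

# Action names mirror the choices in the protocol tabs: Log Only, Reset, Block IP, Block Service.
LOG_ONLY, RESET, BLOCK_IP, BLOCK_SERVICE = "log_only", "reset", "block_ip", "block_service"


@dataclass
class LengthLimit:
    """One 'Max ... Length' row: the limit and what happens when it is exceeded."""
    max_len: int
    action: str = LOG_ONLY
    capture: bool = False      # "Capture Packets": keep a copy of the offending bytes for the threat log
    block_time: int = 0        # block duration in seconds, used by Block IP / Block Service


@dataclass
class BruteForcePolicy:
    """The 'Action for Brute-force' row."""
    enabled: bool = True
    login_threshold_per_min: int = 5   # "Login Threshold per Min"
    block_ip: bool = True              # "Block IP"
    block_service: bool = False        # "Block Service"
    block_time: int = 600              # "Block Time" in seconds (constructed sample value)


class ProtocolInspector:
    """Hypothetical model of one protocol tab (for example SMTP or Telnet)."""

    def __init__(self, service: str, limits: Dict[str, LengthLimit], brute: BruteForcePolicy):
        self.service = service
        self.limits = limits
        self.brute = brute
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)   # src_ip -> failure times
        self._blocks: Dict[Tuple[str, str], float] = {}               # (kind, src_ip) -> expiry time
        self.events: List[dict] = []                                  # what would go to the threat log

    def is_blocked(self, src_ip: str, now: float) -> bool:
        """True while a Block IP or Block Service entry for this source has not expired."""
        for key in (("ip", src_ip), ("service", src_ip)):
            expiry = self._blocks.get(key)
            if expiry is None:
                continue
            if now < expiry:
                return True
            del self._blocks[key]      # block duration elapsed, forget it
        return False

    def _apply(self, action: str, src_ip: str, now: float, block_time: int, event: dict) -> None:
        # Log Only just records the event; Reset would additionally tear down the TCP connection
        # (or answer UDP with destination unreachable); Block IP / Block Service also add a timed block.
        event["action"] = action
        if action == BLOCK_IP:
            self._blocks[("ip", src_ip)] = now + block_time
        elif action == BLOCK_SERVICE:
            self._blocks[("service", src_ip)] = now + block_time
        self.events.append(event)

    def check_length(self, field_name: str, data: bytes, src_ip: str, now: float) -> Optional[dict]:
        """Apply a 'Max ... Length' row to one protocol element; returns None when within the limit."""
        limit = self.limits.get(field_name)
        if limit is None or len(data) <= limit.max_len:
            return None
        event = {"service": self.service, "src": src_ip, "field": field_name,
                 "length": len(data), "max": limit.max_len,
                 "captured": data[:64] if limit.capture else None}
        self._apply(limit.action, src_ip, now, limit.block_time, event)
        return event

    def login_failed(self, src_ip: str, now: float) -> Optional[dict]:
        """Record one failed login; act once the failures in the last minute reach the threshold."""
        if not self.brute.enabled:
            return None
        window = self._failures[src_ip]
        window.append(now)
        while window and now - window[0] >= 60:    # drop failures older than one minute
            window.popleft()
        if len(window) < self.brute.login_threshold_per_min:
            return None
        event = {"service": self.service, "src": src_ip, "field": "brute-force",
                 "failures_last_minute": len(window)}
        action = BLOCK_IP if self.brute.block_ip else BLOCK_SERVICE if self.brute.block_service else LOG_ONLY
        self._apply(action, src_ip, now, self.brute.block_time, event)
        window.clear()                              # start a fresh count after acting
        return event


def demo() -> ProtocolInspector:
    """Constructed sample: an SMTP tab with a 512-byte command line limit and a 3-per-minute login threshold."""
    insp = ProtocolInspector(
        "SMTP",
        {"Max Command Line Length": LengthLimit(512, action=RESET, capture=True)},
        BruteForcePolicy(login_threshold_per_min=3, block_ip=True, block_time=600),
    )
    insp.check_length("Max Command Line Length", b"EHLO " + b"A" * 600 + b"\r\n", "203.0.113.7", now=0.0)
    for t in (10.0, 20.0, 30.0):    # three AUTH failures inside one minute
        insp.login_failed("203.0.113.7", now=t)
    return insp
```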

Enabling the Zone-based or Policy-based IPS Function
To realize the zone-based or policy-based IPS, take the following steps:

To enable the zone-based IPS on HSM, see Zone.

To enable the policy-based IPS on HSM, see Configuring the Policy-based Protection Function.

Anti-Virus
Take the following steps to configure the Anti-Virus function:

Configuring Anti-Virus Global Parameters

Creating a Shared Anti-Virus Rule

Enabling the Policy-based Anti-Virus Function

Configuring Anti-Virus Global Parameters
You can enable/disable the Anti-Virus function and configure its global parameters. For configuring the Anti-Virus global parameters, see Threat Protection.

Creating an Anti-Virus Rule
To create an Anti-Virus rule on HSM, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.

2. In the device navigation pane, select the device for which you want to create an AV rule, go to the object navigation pane and select Anti-Virus. The main window shows the Anti-Virus rule list.

3. Click New from the toolbar. The Anti-Virus dialog appears.

In the Anti-Virus dialog, enter the values.

Option Description
Type: Specify the type of the object. It can be private or shared.
Name: Specify the rule name.
File Types: Specify the file types you want to scan. It can be GZIP, JPEG, MAIL, RAR, HTML, PE, BZIPE, RIFF, TAR, ELF, RAWDATA, MSOFFICE, PDF and OTHERS.
Protocol Types: Specify the protocol types (HTTP, SMTP, POP3, IMAP4, FTP) you want to scan and the action the security device will take after a virus is found.
  Fill Magic - Processes the virus file by filling it with magic words, i.e., fills the file with the magic words (Virus is found, cleaned) from the beginning to the end of the infected section.
  Log Only - Only generates a log.
  Warning - Pops up a warning page to prompt that a virus has been detected. This option is only effective for messages transferred over HTTP.
  Reset Connection - If a virus has been detected, the security device will reset connections to the files.
Capture: Select the Enable check box before Capture Packet to enable the capture function. The security device will save the evidence messages, which can then be viewed or downloaded.
Malicious Website Access Control: Select the check box behind Malicious Website Access Control to enable the function.
Action: Specify the action the security device will take after a malicious website is found.
  Log Only - Only generates a log.
  Reset Connection - If a malicious website has been detected, the security device will reset connections to the files.
  Warning - Pops up a warning page to prompt that a malicious website has been detected. This option is only effective for messages transferred over HTTP.
Enable Label e-mail: If an email transferred over SMTP is scanned, you can enable label email to scan the email and its attachment(s). The scanning results will be included in the mail body and sent with the email. If no virus has been detected, the message "No virus found" will be labeled; otherwise information related to the virus will be displayed in the email, including the filename, result and action. Type the end message content into the box. The range is 1 to 128.

4. Click OK.

Note: By default, according to the virus filtering protection level, HSM comes with three default Anti-Virus rules: predef_low, predef_middle, predef_high. The default rules cannot be edited or deleted.

Enabling the Zone-based or Policy-based Anti-Virus Function

To realize the zone-based or policy-based AV, take the following steps:

To enable the zone-based AV on HSM, see Zone.

To enable the policy-based AV on HSM, see Configuring the Policy-based Protection Function.

Threat Protection

Configuring Threat Protection

A device threat protection configuration belongs only to one specific device, whereas a shared threat protection configuration can be referenced by all devices. For more details about shared threat protection, see Threat Protection. One security device can only have one threat protection configuration, and it keeps the latest configuration.

Editing the Device Threat Protection Configuration
To edit the device threat protection configuration, take the following steps:

1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.

2. From the device navigation pane, click the device for which you want to configure a threat protection configuration.

3. Expand Object from the object navigation pane, and then select Threat Protection. The Device Threaten Configuration tab appears.

In the Device Threaten Configuration tab, specify the IPS configurations.

Option Description
APP Force Check: Select/clear the Enable check box to enable/disable force check. When enabled, the security device will check application-layer IPS, AV content filtering, IM and Web Content, and application-layer behavior control. It should be noted that IPS devices and NGFW devices running 5.5R3 and later versions do not support this feature.
If you disable this feature, when the CPU usage exceeds 68% the security device will forward packets for new sessions and randomly skip checking the application layer.

IPS Global Configuration
Intrusion Protection System: Select/clear the Enable check box to enable/disable IPS. After enabling this function, you have to reboot the security device for the change to take effect on the security device.
Merge Log: The security device can merge IPS logs which have the same protocol ID, the same VSYS ID, the same Signature ID, the same log ID, and the same merging type. This helps avoid receiving redundant logs, and the merged log is displayed on the standard output according to your requirements. The function is disabled by default.
Select the merging type in the drop-down list:
  ---- - Do not merge any logs.
  Source IP - Merge the logs with the same Source IP.
  Destination IP - Merge the logs with the same Destination IP.
  Source IP, Destination IP - Merge the logs with the same Source IP and the same Destination IP.
Mode: Specify a working mode for IPS:
  Intrusion Protection System - If attacks have been detected, the firewall will generate protocol anomaly alarms and attacking behavior logs, and will also reset connections or block attackers. This is the default mode.
  Log Only - If attacks have been detected, the firewall will only generate protocol anomaly alarms and attacking behavior logs, but will not reset connections or block attackers.

AV Global Configuration
Anti Virus: Select/clear the Enable check box to enable/disable Anti-Virus. The new configuration will take effect after the relevant device is reset.
Max Decompression Layer: By default the firewall can scan files of up to 5 decompression layers. To specify a decompression layer, select a value from the drop-down list. The value range is 1 to 5.
Exceed Action: Specify an action for the compressed files that exceed the max decompression layer. Select an action from the drop-down list:
  Log Only - Only generates logs but will not scan the files. This action is enabled by default.
  Reset Connection - If a virus has been detected, the firewall will reset connections to the files.
Encrypted Compressed File: Specify an action for encrypted compressed files:
  ------ - Will not take any special anti-virus actions against the files, but might further scan the files according to the configuration.
  Log Only - Only generates logs but will not scan the files.
  Reset Connection - Resets connections to the files.

4. Select the Device Threaten Configuration List tab to view the details of all IPS signatures. For more information, see Device Threaten Configuration List.

5. Click OK.

Introduction to Configuration Management 135


Device Threaten Configuration List
In the Device Threaten Configuration List tab, you can edit, delete, enable/disable a specific signature, or customize signatures as needed.

Searching the Specific Signature Entry Details

To search the specific signature entry details, take the following steps:

1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.

2. From the device navigation pane, click the device you want to view.

3. Expand Object from the object navigation pane, and then select Threat Protection.

4. Click the Device Threaten Configuration List tab.

5. You can click a filter name, and then input the value for this filter in the search bar. You can also hover the mouse over a parameter (including protocol, operating system, attack type, popularity, severity, service type, status, type, etc.) to view the drop-down list, and select the filter condition.

6. Click the search icon, and the results that match your criteria are shown.

7. In the signature list, click the ID. You can view the specific signature details in the pop-up dialog.

Note:

Hover your mouse over the icon to view search tips.

Click the icon to reset the filter condition.

The icon can expand to show the search history. If Auto Open is selected, the history can automatically be opened while you use the search box.
Introduction to Configuration Management 136


Creating a User-defined Signature

1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.

2. From the device navigation pane, click the device on which you want to customize a signature rule.

3. Expand Object from the object navigation pane, and then select Threat Protection.

4. Select the Device Threaten Configuration List tab, and the main window shows the IPS signature list.

5. Click New from the toolbar. The User-defined Signature dialog appears.

6. In the User-defined Signature dialog, configure the signature settings.

For NGFW of 5.5R2 or previous versions

Option Description
General tab
Name: Specify the signature name.
Description: Specify the signature description.
Protocol: Specify the protocol that the signature supports.
Flow: Specify the direction for the signature. "To_Server" means the attack packet is from the server to the client. "To_Client" means the attack packet is from the client to the server. "Both" means bidirectional.
Source Port: Specify the source port of the signature.
  Any - Any source port.
  Included - The source port you specified should be included. It can be a port, several ports, or a range. Specify the port number in the text box, and use "," to separate.
  Excluded - The source port you specified should be excluded. It can be a port, several ports, or a range. Specify the port number in the text box, and use "," to separate.
Destination Port: Specify the destination port of the signature.
  Any - Any destination port.
  Included - The destination port you specified should be included. It can be a port, several ports, or a range. Specify the port number in the text box, and use "," to separate.
  Excluded - The destination port you specified should be excluded. It can be a port, several ports, or a range. Specify the port number in the text box, and use "," to separate.
Dsize: Specify the payload message size. Select "----", ">", "<" or "=" from the drop-down list and specify the value in the text box. "----" means the parameter is not set.
Severity: Specify the severity of the attack.
Attack Type: Select the attack type from the drop-down list.
Service Type: Select the service type from the drop-down list. "----" means all services.
Operating System: Select the operating system from the drop-down list. "----" means all operating systems.
Detection Filter: Specify the frequency of the signature rule.
  Track - Select the track type from the drop-down list. It can be by source IP and destination IP. After specifying, the system will match the attack according to the analysis of the source IP and destination IP.
  Count - Specify the maximum number of times the rule occurs in the specified time. If the attacks exceed the Count value, the security device will trigger the rule and act as specified.
  Seconds - Specify the time interval within which the rule occurrences are counted.
Content tab: Click New and configure the signature contents. Click OK to save your settings.
Content: Specify the signature content. Select the following check boxes if needed:
  HEX - Means the content is hexadecimal.
  Case Insensitive - Means the content is not case sensitive.
  URI - Means the content needs to match the URI field of the HTTP request.
Relative: Specifies the signature content location.
  If Beginning is selected, the system will search from the header of the application layer packet.
    Offset: The system will start searching after the offset from the header of the application layer packet. The unit is byte.
    Depth: Specifies the scanning length after the offset. The unit is byte.
  If Last Content is selected, the system will search from the end position of the previous content.
    Distance: The system will start searching after the distance from the former content end position. The unit is byte.
    Within: Specifies the scanning length after the distance. The unit is byte.

For IPS devices and NGFW of 5.5R3 or later versions

Option Description
Name: Specifies the signature name.
Description: Specifies the signature description.
Protocol: Specifies the affected protocol.
Flow: Specifies the direction.
  To_Server means the attack packet is from the server to the client.
  To_Client means the attack packet is from the client to the server.
  Any includes To_Server and To_Client.
Source Port: Specifies the source port of the signature.
  Any - Any source port.
  Included - The source port you specified should be included. It can be a port, several ports, or a range. Specify the port number in the text box, and use "," to separate.
  Excluded - The source port you specified should be excluded. It can be a port, several ports, or a range. Specify the port number in the text box, and use "," to separate.
Destination Port: Specifies the destination port of the signature.
  Any - Any destination port.
  Included - The destination port you specified should be included. It can be a port, several ports, or a range. Specify the port number in the text box, and use "," to separate.
  Excluded - The destination port you specified should be excluded. It can be a port, several ports, or a range. Specify the port number in the text box, and use "," to separate.
Dsize: Specifies the payload message size. Select "----", ">", "<" or "=" from the drop-down list and specify the value in the text box. "----" means the parameter is not set.
Severity: Specifies the severity of the attack.
Attack Type: Select the attack type from the drop-down list.
Application: Select the affected applications. "----" means all applications.
Operating System: Select the affected operating system from the drop-down list. "----" means all operating systems.
Bulletin Board: Select a bulletin board of the attack.
Year: Specifies the release year of the attack.
Detection Filter: Specifies the frequency of the signature rule.
  Track - Select the track type from the drop-down list. It can be by_src or by_dst. The system will use the statistics of the source IP or destination IP to check whether the attack matches this rule.
  Count - Specifies the maximum number of times the rule occurs in the specified time. If the attacks exceed the Count value, the system will trigger the rule and act as specified.
  Seconds - Specifies the time interval within which the rule occurrences are counted.

In the Content tab, click New to specify the content of the signature:

Option Description
Content: Specifies the signature content. Select the following check boxes if needed:
  HEX - Means the content is hexadecimal.
  Case Insensitive - Means the content is not case sensitive.
  URI - Means the content needs to match the URI field of the HTTP request.
Relative: Specifies the signature content location.
  If Beginning is selected, the system will search from the header of the application layer packet.
    Offset: The system will start searching after the offset from the header of the application layer packet. The unit is byte.
    Depth: Specifies the scanning length after the offset. The unit is byte.
  If Last Content is selected, the system will search from the end position of the previous content.
    Distance: The system will start searching after the distance from the former content end position. The unit is byte.
    Within: Specifies the scanning length after the distance. The unit is byte.

7. Click OK.

Note: Only user-defined signatures can be edited or deleted.
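As an added example (not Hillstone code), the following Python matcher implements the Content tab semantics described above: HEX and Case Insensitive contents, Beginning with Offset/Depth, Last Content with Distance/Within, and a Detection Filter that tracks hits by_src or by_dst and fires only when Count is exceeded within Seconds. The sample signature, the HTTP requests and the addresses are constructed for illustration.

```python
import binascii
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional


@dataclass
class ContentMatch:
    """One entry of the signature's Content tab."""
    content: str
    hex: bool = False                  # HEX check box: content is hexadecimal
    case_insensitive: bool = False     # Case Insensitive check box
    relative: str = "beginning"        # Relative: "beginning" or "last_content"
    offset: int = 0                    # Beginning: skip this many bytes of the application payload
    depth: Optional[int] = None        # Beginning: scan only this many bytes after the offset
    distance: int = 0                  # Last Content: skip this many bytes after the previous match end
    within: Optional[int] = None       # Last Content: scan only this many bytes after the distance

    def pattern(self) -> bytes:
        return binascii.unhexlify(self.content.replace(" ", "")) if self.hex else self.content.encode()


@dataclass
class DetectionFilter:
    """Detection Filter row: Track (by_src / by_dst), Count and Seconds."""
    track: str
    count: int
    seconds: int


def match_contents(payload: bytes, contents: List[ContentMatch]) -> bool:
    """Match every content entry in order, honouring Offset/Depth and Distance/Within."""
    last_end = 0
    for c in contents:
        pat = c.pattern()
        if c.relative == "beginning":
            start, length = c.offset, c.depth
        else:
            start, length = last_end + c.distance, c.within
        region = payload[start:] if length is None else payload[start:start + length]
        idx = region.lower().find(pat.lower()) if c.case_insensitive else region.find(pat)
        if idx < 0:
            return False
        last_end = start + idx + len(pat)   # the next Last Content entry is relative to this point
    return True


class UserDefinedSignature:
    def __init__(self, name: str, contents: List[ContentMatch], det_filter: Optional[DetectionFilter] = None):
        self.name = name
        self.contents = contents
        self.det_filter = det_filter
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)   # tracked key -> hit times

    def inspect(self, payload: bytes, src_ip: str, dst_ip: str, now: float) -> bool:
        """True when the signature fires: contents match and, with a Detection Filter, Count is exceeded."""
        if not match_contents(payload, self.contents):
            return False
        f = self.det_filter
        if f is None:
            return True
        key = src_ip if f.track == "by_src" else dst_ip
        window = self._hits[key]
        window.append(now)
        while window and now - window[0] > f.seconds:   # keep only hits inside the Seconds window
            window.popleft()
        return len(window) > f.count     # "If the attacks exceed the Count value, system will trigger rules"


# Constructed sample signature: a GET request whose request line carries an HTTP/1.x version and
# which has an "X-Probe:" header (given as hex, matched case-insensitively) somewhere after it.
PROBE_SIGNATURE = [
    ContentMatch("GET ", relative="beginning", offset=0, depth=4),
    ContentMatch("HTTP/1.", relative="last_content", distance=1, within=120),
    ContentMatch("58 2d 50 72 6f 62 65 3a", hex=True, case_insensitive=True,
                 relative="last_content", within=200),
]
SAMPLE_MATCH = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\nx-probe: 1\r\n\r\n"
SAMPLE_POST = b"POST /index.html HTTP/1.1\r\nHost: www.example.test\r\nX-Probe: 1\r\n\r\n"


def demo() -> List[bool]:
    """Three hits from one source within 60 s exceed Count=2; a first hit from another source does not."""
    sig = UserDefinedSignature("probe-header", PROBE_SIGNATURE, DetectionFilter("by_src", count=2, seconds=60))
    verdicts = [sig.inspect(SAMPLE_MATCH, "203.0.113.7", "192.0.2.10", now=t) for t in (0.0, 10.0, 20.0)]
    verdicts.append(sig.inspect(SAMPLE_MATCH, "198.51.100.9", "192.0.2.10", now=25.0))
    return verdicts
```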

URL Filter
URL filter controls the access to certain websites and records log messages for the access actions. URL filter helps you control network behaviors in the following aspects:

Access control to certain categories of websites, such as gambling and pornographic websites.

Access control to certain categories of websites during a specified period. For example, forbid access to IM websites during office hours.

Access control to websites whose URL contains the specified keywords. For example, forbid access to URLs that contain the keyword "game".

Note: HSM only supports the centralized management of the URL filter function for NGFW version 5.5R1 or above.

Configuring URL Filter
Configuring URL filter contains two parts:

Create a URL filter rule

Bind a URL filter rule to a security policy rule


Part 1: Creating a URL filter rule

1. Select Configuration > Device Configuration, then click Object > URL Filter Bundle > URL Filter.

2. Click New.

In the URL Filter dialog, configure the following options.
Option Description
Type: Specify the type of URL filter rule, including private and shared.
Name: Specify the name of the rule.
Control Type: Control types are URL Category, URL Keyword Category, and Web Surfing Record. You can select one type for each URL filter rule.
URL Category controls the access to certain categories of websites. The options are:
  New: Create a new URL category. For more information about URL category, see "User-defined URL DB" on page 142.
  Edit: Select a URL category from the list, and click Edit to edit the selected URL category.
  URL category: Shows the names of the pre-defined and user-defined URL categories.
  Block: Select the check box to block access to the corresponding URL category.
  Log: Select the check box to log access to the corresponding URL category.
  Other URLs: Specify the actions for the URLs that are not in the list, including Block Access and Record Log.
URL Keyword Category controls the access to websites whose URL contains the specified keywords. Click the URL Keyword Category option to configure it. The options are:
  New: Create new keyword categories. For more information about keyword category, see "Keyword Category" on page 143.
  Edit: Select a URL keyword category from the list, and click Edit to edit the selected URL keyword category.
  Keyword category: Shows the names of the configured keyword categories.
  Block: Select the check box to block access to websites whose URL contains the specified keywords.
  Log: Select the check box to log access to websites whose URL contains the specified keywords.
  Other URLs: Specify the actions for the URLs that do not contain the keywords in the list, including Block Access and Record Log.
Web Surfing Record logs the GET and POST methods of HTTP.
  Get: Records logs for GET methods.
  Post: Records logs for POST methods.
  Post Content: Records the posted content.
Relevant Device: Specify the devices which you want to associate with the shared URL filter rule. If choosing VSYS devices of the device, the rule will only be relevant to the root VSYS. After configuring the rule, you have to deploy the rule to the relevant device for it to take effect on the device. For more detailed information about deploying configuration, see Synchronizing Configuration.

3. Click OK to save the settings.


Part 2: Binding a URL filter rule to a security policy rule
After binding a URL filter rule to a security policy rule, the system will perform the URL filter function on the traffic that matches the security policy rule. For more information, please refer to Configuring the Policy-based Protection Function.

Predefined URL DB
The system contains a predefined URL database.
The predefined URL database provides URL categories for URL filter configurations. It includes dozens of categories and tens of millions of URLs.
When identifying the URL category, the user-defined URL database has a higher priority than the predefined URL database.

Note: The predefined URL database is controlled by a license. The predefined URL database can be used only after a URL license is installed.

User-defined URL DB
Besides the categories in the predefined URL database, you can also create user-defined URL categories, which provide URL categories for URL filter configurations. When identifying the URL category, the user-defined URL database has a higher priority than the predefined URL database.
The system provides three user-defined URL categories by default: custom1, custom2, custom3.

Configuring User-defined URL DB

To configure a user-defined URL category:


1. Select Objects > URL Filter Bundle > User-defined URL DB.

2. Click New in the toolbar. The URL Category dialog appears.

3. Type the category name in the Name text box. The URL category name cannot consist of only a hyphen (-). You can create at most 1000 user-defined categories.

4. Type the category description in the Description text box. The value range is 0 to 255 characters.

5. Type a URL into the URL http:// box.

6. Click Add to add the URL and its category to the table.

7. Repeat the above steps to add more URLs.

8. To delete an existing URL, select its check box and then click Delete.

9. Click OK to save the settings.

Keyword Category
You can customize keyword categories and use them in the URL filter function.
After configuring a URL filter rule, the system scans traffic for the configured keywords and calculates a trust value for the keywords that are hit. The calculation method is: for each keyword that belongs to the category, multiply the number of occurrences by the keyword's trust value, and add up the results. The system then compares the sum with the threshold 100 and performs the following actions according to the comparison result:

If the sum is larger than or equal to the category threshold (100), the configured category action will be triggered;

If more than one category action can be triggered and a Block action is configured among them, the final action will be Block;

If more than one category action can be triggered and all the configured actions are Permit, the final action will be Permit.
For example, a URL filter rule contains two keyword categories: C1 with action Block and C2 with action Permit. Both C1 and C2 contain the same keywords K1 and K2. The trust values of K1 and K2 in C1 are 20 and 40. The trust values of K1 and K2 in C2 are 30 and 80.
If the system detects 1 occurrence each of K1 and K2 on a URL, then the C1 trust value is 20*1+40*1=60<100, and the C2 trust value is 30*1+80*1=110>100. As a result, the C2 action is triggered and the URL access is permitted.
If the system detects 3 occurrences of K1 and 1 occurrence of K2 on a URL, then the C1 trust value is 20*3+40*1=100, and the C2 trust value is 30*3+80*1=170>100. The conditions for both C1 and C2 are satisfied, but the Block action of C1 takes precedence, so the web page access is denied.
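The scoring rule described above, as an added Python example that is not part of the HSM guide or of Hillstone's software. The category and keyword names, trust values and sample URLs are constructed to reproduce the C1/C2 worked example; the behaviour for a URL that triggers no category (modelled here as the rule's Other URLs action) and the exact semantics of the simple and regular expression matching modes are assumptions based on the option descriptions in this chapter.

```python
# Added example, not HSM or Hillstone code: keyword-category scoring for a URL
# filter rule. Names, trust values and URLs are constructed for illustration.
import re
from dataclasses import dataclass, field

THRESHOLD = 100  # category threshold stated in the guide


@dataclass
class Keyword:
    pattern: str
    trust: int
    regex: bool = False  # False = "simple" substring match, True = regular expression (assumed)

    def count(self, url: str) -> int:
        """Number of occurrences of this keyword in the URL."""
        if self.regex:
            return len(re.findall(self.pattern, url))
        return url.count(self.pattern)


@dataclass
class KeywordCategory:
    name: str
    action: str  # "block" or "permit"
    keywords: list = field(default_factory=list)

    def score(self, url: str) -> int:
        """Sum over the category's keywords of occurrences * trust value."""
        return sum(k.count(url) * k.trust for k in self.keywords)


def evaluate(url: str, categories, other_action: str = "permit"):
    """Return (final_action, names of triggered categories).

    A category triggers when its score reaches THRESHOLD. If any triggered
    category is configured to block, the final action is block; if all
    triggered categories permit, the final action is permit. When no category
    triggers, the rule's "Other URLs" action (other_action, an assumption) applies.
    """
    triggered = [c for c in categories if c.score(url) >= THRESHOLD]
    if not triggered:
        return other_action, []
    names = [c.name for c in triggered]
    if any(c.action == "block" for c in triggered):
        return "block", names
    return "permit", names


# The guide's worked example: C1 blocks, C2 permits, both contain K1 and K2.
C1 = KeywordCategory("C1", "block", [Keyword("k1", 20), Keyword("k2", 40)])
C2 = KeywordCategory("C2", "permit", [Keyword("k1", 30), Keyword("k2", 80)])
RULE = [C1, C2]

if __name__ == "__main__":
    # one k1 and one k2: C1 = 60 < 100, C2 = 110 >= 100 -> permit
    print(evaluate("http://example.test/k1/k2", RULE))
    # three k1 and one k2: C1 = 100, C2 = 170 -> both trigger, block wins
    print(evaluate("http://example.test/k1k1k1/k2", RULE))
```

Because a single category's keywords are counted independently, a low-trust keyword that appears many times can trigger a category on its own; when reviewing a rule, check the occurrence counts as well as the trust values.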

Configuring a Keyword Category

To configure a keyword category:

1. Select Object > URL Filter Bundle > Keyword Category. The Keyword Category dialog appears.

2. Click New. The Keyword Category dialog appears.

3. Type the category name.

4. Type the category description in the Description text box. The value range is 0 to 255 characters.

5. Specify the keyword, character matching method (simple/regular expression), and trust value.

6. Click Add to add the keyword to the list below.

7. Repeat the above steps to add more keywords.

8. To delete a keyword, select the keyword you want to delete from the list and click Delete.

9. Click OK to save your settings.

Warning Page
The warning page shows the user block information and user audit information.

Configuring Block Warning

If Internet behavior is blocked by the URL filter function, Internet access is denied. An Access Denied message is shown in the browser, and some web surfing rules are shown on the warning page at the same time. See the picture below:

After enabling the block warning function, block warning information is shown in the browser when one of the following actions is blocked:

Visiting a certain type of URL

Visiting a URL that contains the keywords of a certain keyword category


The block warning function is disabled by default. To configure the block warning function:

1. From the device navigation pane, select the device on which you want to configure the block warning function.

2. Click Object > URL Filter Bundle > Warning Page. The Warning Page dialog appears.

3. Select the Enable check box in the Block Warning section.

4. Configure the information displayed on the block warning page.

Option               Description
Default              Use the default block warning page as shown above.
Redirect page        Redirect to the specified URL. Type the URL in the URL http:// box. You can click Detection to verify whether the URL is valid.
Custom               Customize the block warning page. Type the title in the Title box and the description in the Description box. You can click Preview to preview the block warning page.

5. Click OK to save the settings.

Configuring Audit Warning

After enabling the audit warning function, when your network behavior matches the configured URL filter rule, your HTTP request is redirected to a warning page on which the audit and privacy protection information is displayed. See the picture below:

The audit warning function is disabled by default. To configure the audit warning function:

1. From the device navigation pane, select the device on which you want to configure the audit warning function.

2. Select Object > URL Filter Bundle > Warning Page. The Warning Page dialog appears.

3. Select the Enable check box in the Audit Warning section.

4. Click OK to save the settings.

Converting the Private Object to Shared Object

To convert a private object to a shared object, enter the corresponding page, select the private object, and then click Convert to Shared from the toolbar.
HSM can check whether an object is referenced by rules or other objects. To view the reference information of an object, take the following steps:

1. From the device navigation pane, select the device whose reference information you want to view.

2. From the object navigation pane, select the object type. The main window shows the detailed information of the objects.

3. From the object table, click View in the Referenced by column. The system shows the Referenced by dialog of the corresponding object.


Viewing the Operation Records
HSM records the operations you have performed on objects, for example, editing a service or adding a member. To view the operation records, take the following steps:

1. From the device navigation pane, select the device whose operation records you want to view.

2. From the object navigation pane, select the object type. The main window shows the detailed information of the objects.

3. From the object table, click the icon in the Operation Record column. The system shows the Operation Record dialog of the corresponding object.

Checking the Redundant Object

To ensure the effectiveness of the objects in the system, HSM provides the Redundant Object Check function. This function lists the objects that are not referenced and the objects that have the same elements but different names. You can modify the objects based on the check result according to your own requirements.
When the system performs the redundant object check, note that:

The application type and timeout value of services are not checked.

The descriptions of objects are not checked.

IPv6 addresses are not checked.

The hostnames in address entries are compared case-sensitively.


To execute the redundant object check, take the following steps:

1. From the device navigation pane, right-click the device you want to check and then click Redundant Object Check on the pop-up menu.

2. The system generates the related task and begins the check. After the check, a report is generated. Click the View Report button to view the detailed information. You can also view the report on the task management page.
Here is the description of the report:
Total Zone/Address Entry/Service Entry/Service Group/Schedule Number: Number of objects of a certain object type in the policy of the device.
Unreferenced Zone/Address Entry/Service Entry/Service Group/Schedule: Number of unreferenced objects of a certain type in the policy of the device.
Same Zone/Address Entry/Service Entry/Service Group/Schedule: Number of objects of a certain object type that have the same elements except names in the policy of the device.

3. Click the Save button in the upper right corner to save the report locally in PDF format.
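The check described above, as an added Python example that is not HSM's or Hillstone's own code. It models address and service entries with only the fields needed to show the four notes (service application type and timeout ignored, descriptions ignored, IPv6 addresses ignored, hostnames case-sensitive); the object fields, sample objects and the set of names referenced by policy are constructed for illustration.

```python
# Added example, not HSM or Hillstone code: a simplified model of the redundant
# object check. Object fields, the sample objects and the policy references are
# constructed for illustration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AddressEntry:
    name: str
    ips: tuple = ()        # IPv4/IPv6 networks as strings, e.g. "10.1.1.0/24"
    hosts: tuple = ()      # hostnames; compared case-sensitively
    description: str = ""  # never compared

    def key(self):
        """Elements compared by the check: IPv4 networks and hostnames only.
        IPv6 addresses are skipped and hostnames keep their exact case."""
        v4 = sorted(ip for ip in self.ips
                    if ipaddress.ip_network(ip, strict=False).version == 4)
        return ("address", tuple(v4), tuple(sorted(self.hosts)))


@dataclass(frozen=True)
class ServiceEntry:
    name: str
    protocol: str
    ports: tuple = ()
    app_type: str = ""     # not compared
    timeout: int = 0       # not compared
    description: str = ""  # not compared

    def key(self):
        return ("service", self.protocol.lower(), tuple(sorted(self.ports)))


def find_unreferenced(objects, references):
    """Names of objects that no policy rule or other object refers to."""
    return sorted(o.name for o in objects if o.name not in references)


def find_same(objects):
    """Groups of object names whose compared elements are identical."""
    groups = {}
    for o in objects:
        groups.setdefault(o.key(), []).append(o.name)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


def report(objects, references):
    """Counters in the shape of the Total / Unreferenced / Same report lines."""
    return {
        "total": len(objects),
        "unreferenced": len(find_unreferenced(objects, references)),
        "same": sum(len(group) for group in find_same(objects)),
    }


# Constructed sample configuration.
ADDRESSES = (
    AddressEntry("web-servers", ips=("10.1.1.0/24",), description="production"),
    AddressEntry("web_srv_old", ips=("10.1.1.0/24",), description="legacy"),
    # IPv6 is not checked, so this entry compares equal to the two above.
    AddressEntry("dual-stack", ips=("10.1.1.0/24", "2001:db8::/64")),
    # Hostname case differs, so these two are NOT reported as the same.
    AddressEntry("intranet", hosts=("Portal.corp.example",)),
    AddressEntry("intranet-lc", hosts=("portal.corp.example",)),
)
SERVICES = (
    ServiceEntry("http-custom", "tcp", (8080,), app_type="HTTP", timeout=1800),
    ServiceEntry("proxy-8080", "tcp", (8080,), timeout=60),  # same elements
    ServiceEntry("dns-udp", "udp", (53,)),
)
# Names used by policy rules or groups on the device (constructed).
POLICY_REFERENCES = {"web-servers", "http-custom", "dns-udp"}

if __name__ == "__main__":
    print(report(ADDRESSES, POLICY_REFERENCES), find_same(ADDRESSES))
    print(report(SERVICES, POLICY_REFERENCES), find_same(SERVICES))
```

The dual-stack entry shows why the IPv6 note matters: because IPv6 members are not compared, an entry that differs only in its IPv6 members is reported as a duplicate, so review such groups before deleting anything the report lists.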

VPN
IPSec is a widely used protocol suite for establishing VPN tunnels. IPSec is not a single protocol, but a suite of protocols for securing IP communications. It includes Authentication Header (AH), Encapsulating Security Payload (ESP), Internet Key Exchange (IKE) and a number of authentication methods and encryption algorithms. The IPSec protocol defines how to choose the security protocols and algorithms, as well as the method of exchanging security keys among communication peers, offering the upper-layer protocols network security services including access control, data source authentication, data encryption, etc.

Authentication Header (AH): AH is a member of the IPsec protocol suite. AH guarantees connectionless integrity and data source verification of IP packets, and furthermore, it protects against replay attacks. AH can provide sufficient authentication for IP headers and upper-layer protocols.

Encapsulating Security Payload (ESP): ESP is a member of the IPsec protocol suite. ESP provides encryption for confidential data and implements the data integrity check of IPsec ESP data in order to guarantee confidentiality and integrity. Both ESP and AH can provide the service of confidentiality (encryption), and the key difference between them is the coverage.

Internet Key Exchange (IKE): IKE is used to negotiate the AH and ESP cryptographic algorithms and to put the keys those algorithms need in place.
IPsec provides encrypted communication between two peers, which are known as IPsec ISAKMP gateways. There are two ways to set up an SA: manual and IKE ISAKMP. HSM supports only IKE ISAKMP. HSM does not support shared IPSec VPN.

Creating IPSec VPN


The IPSec VPN configuration page consists of four tabs: IKE VPN List, VPN Peer List, P1 Proposal and P2 Proposal. Take the following steps:

1. Click Device Configuration from the Level-1 navigation pane and enter the configuration page.

2. Select the device you want to change.

3. Select VPN > IPSec VPN in the object navigation pane. The main window then displays the related information about IPSec VPN and the toolbar.

4. Click New in the IKE VPN List and the IKE VPN Configuration dialog box will pop up.

In the IKE VPN Configuration tab, configure the corresponding options.


Option               Description
Peer Name            Specifies the name of the ISAKMP gateway. To edit an ISAKMP gateway, click Edit.
Information          Shows the information of the selected peer.
Name                 Type a name for the tunnel.
Mode                 Specifies the mode: tunnel mode or transport mode.
P2 Proposal          Specifies the P2 proposal for the tunnel.
Proxy ID             Specifies the Phase 2 ID of the tunnel, which can be Auto or Manual.
                       Auto - The Phase 2 ID is designated automatically.
                       Manual - The Phase 2 ID is designated manually. Manual configuration of the P2 ID includes the following options:
                         Local IP/Netmask - Specifies the local ID of Phase 2.
                         Remote IP/Netmask - Specifies the Phase 2 ID of the peer device.
                         Service - Specifies the service.
DNS1/2               Specifies the IP address of the DNS server allocated to the client by the PnPVPN server. You can define one primary DNS server and one backup DNS server.
WINS1/2              Specifies the IP address of the WINS server allocated to the client by the PnPVPN server. You can define one primary WINS server and one backup WINS server.
Enable Idle Time     Select the Enable check box to enable the idle time function. By default, this function is disabled. The idle time is the longest time the tunnel can exist without traffic passing through it. When the time is over, the SA is cleared.
DF-Bit               Specifies whether the forwarding device is allowed to fragment IP packets. The options are:
                       Copy - Copies the DF option of the IP packet from the sender directly. This is the default value.
                       Clear - Allows the device to fragment packets.
                       Set - Disallows the device from fragmenting packets.
Anti-Replay          Anti-replay prevents attacks in which captured packets are resent to the device: the receiver rejects obsolete or repeated packets. By default, this function is disabled.
                       Disabled - Disables this function.
                       32 - Specifies the anti-replay window as 32.
                       64 - Specifies the anti-replay window as 64.
                       128 - Specifies the anti-replay window as 128.
                       256 - Specifies the anti-replay window as 256.
                       512 - Specifies the anti-replay window as 512.
Commit Bit           Select the Enable check box to make the corresponding party configure the commit bit function, which can avoid packet loss and time difference. However, the commit bit may slow the response speed.
Accept-all-proxy-ID  This function is disabled by default. With this function enabled, the device working as the initiator uses the peer's ID as its Phase 2 ID in the IKE negotiation, and returns the ID to its peer.
Auto Connect         Select the Enable check box to enable the auto connection function. By default, this function is disabled. The device has two methods of establishing an SA: auto and traffic-triggered. In auto mode, the device checks the SA status every 60 seconds and initiates a negotiation request when the SA is not established; in traffic-triggered mode, the tunnel sends a negotiation request only when there is traffic passing through the tunnel. By default, traffic-triggered mode is used.
                     Note: Auto connection works only when the peer IP is static and the local device is the initiator.
Tunnel Route         This item can only be modified after the IKE VPN is created. Click Choose to add one or more tunnel routes in the Tunnel Route Configuration dialog that appears. You can add up to 128 tunnel routes.
Description          Type the description for the tunnel.
VPN Track            Select the Enable check box to enable the VPN track function. The device can monitor the connectivity status of the specified VPN tunnel, and also allows backup or load sharing between two or more VPN tunnels. This function is applicable to both route-based and policy-based VPNs. The options are:
                       Track Interval - Specifies the interval for sending Ping packets. The unit is second.
                       Threshold - Specifies the threshold for determining a track failure. If the system does not receive the specified number of consecutive response packets, it identifies a track failure, i.e., the target tunnel is disconnected.
                       Src Address - Specifies the source IP address that sends the Ping packets.
                       Dst Address - Specifies the IP address of the tracked object.
                       Notify Track Event - Select the Enable check box to enable the VPN tunnel status notification function. With this function enabled, for a route-based VPN, the system informs the routing module about the disconnected VPN tunnel and updates the tunnel route once it detects a VPN tunnel disconnection; for a policy-based VPN, the system informs the policy module about the disconnected VPN tunnel and updates the tunnel policy once it detects a VPN tunnel disconnection.
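To show what the Anti-Replay window sizes in the table above mean for a receiver, here is an added Python example; it is not Hillstone's implementation and the guide does not describe the device's internal algorithm. It follows the standard ESP sliding-window approach (a bitmap of the most recent sequence numbers behind the highest one accepted), which is an assumption, and the sequence numbers fed to it are constructed to show the accept, replay and too-old outcomes.

```python
# Added example, not Hillstone code: an ESP-style anti-replay sliding window
# for the 32..512 sizes offered by the Anti-Replay option. Window semantics
# follow the standard sliding-window design (assumed); sequences are constructed.
class AntiReplayWindow:
    VALID_SIZES = (32, 64, 128, 256, 512)

    def __init__(self, size=64):
        if size not in self.VALID_SIZES:
            raise ValueError(f"window size must be one of {self.VALID_SIZES}")
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) has been seen

    def check(self, seq: int) -> bool:
        """Return True and record seq if it is new; False if it is a replay
        or older than the window. Sequence number 0 is never accepted."""
        if seq == 0:
            return False
        if seq > self.top:
            # Slide the window right; packets older than the window fall off.
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False  # older than the window: rejected as obsolete
        if self.bitmap & (1 << diff):
            return False  # already seen inside the window: replay
        self.bitmap |= 1 << diff
        return True


def run_sequence(seqs, size=64):
    """Feed a list of sequence numbers through a fresh window; True = accepted."""
    window = AntiReplayWindow(size)
    return [window.check(s) for s in seqs]


if __name__ == "__main__":
    # 1,2,3 accepted; 2 again is a replay; 100 slides the window; 70 is late but
    # inside a 32-wide window; 68 is 32 behind and falls outside it; 5 is obsolete.
    print(run_sequence([1, 2, 3, 2, 100, 70, 68, 68, 5], size=32))
    print(run_sequence([1, 2, 3, 2, 100, 70, 68, 68, 5], size=64))
```

A larger window tolerates more reordering on the path (68 is accepted with a 64-wide window but not a 32-wide one) at the cost of a larger per-SA bitmap; when packets legitimately arrive out of order across a tunnel, too small a window shows up as dropped traffic rather than as an attack.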

5. In the VPN Peer List tab, click New and the VPN Peer Configuration dialog box will pop up.

In the VPN Peer Configuration tab, configure the corresponding options.


Option               Description
Name                 Specifies the name of the ISAKMP gateway.
Interface            Specifies the interface bound to the ISAKMP gateway.
Mode                 Specifies the IKE negotiation mode. There are two IKE negotiation modes: Main and Aggressive. Main mode is the default. Aggressive mode cannot protect the identities of the peers. You must use aggressive mode when the IP address of the center device is static and the IP address of the client device is dynamic.
Type                 Specifies the type of the peer IP. If the peer IP is static, type the IP address into the Peer IP box; if the peer IP type is user group, select the AAA server you need from the AAA Server drop-down list.
Local ID             Specifies the local ID. The system supports five types of ID: FQDN, U-FQDN, Asn1dn (only for license), KEY-ID and IP. Select the ID type you want, and then type the content of this ID into the Local ID box or the Local IP box.
Peer ID              Specifies the peer ID. The system supports five types of ID: FQDN, U-FQDN, Asn1dn (only for license), KEY-ID and IP. Select the ID type you want, and then type the content of this ID into the Peer ID box or the Peer IP box.
Proposal1/2/3/4      Specifies a P1 proposal for the ISAKMP gateway. Select the suitable P1 proposal from the Proposal1 drop-down list. You can define up to four P1 proposals for an ISAKMP gateway.
Pre-shared Key       If you choose pre-shared key authentication, type the key into the box.
Trust Domain         If you choose RSA signature or DSA signature authentication, select a trust domain.
User Key             Click Generate. In the Generate the User Key dialog, type the IKE ID into the IKE ID box, and then click Generate. The generated user key is displayed in the Generate Result box. The PnPVPN client uses this key as the password to authenticate the login users.
Connection Type      Specifies the connection type of the ISAKMP gateway.
                       Bidirection - Specifies that the ISAKMP gateway serves as both the initiator and the responder. This is the default value.
                       Initiator - Specifies that the ISAKMP gateway serves only as the initiator.
                       Responder - Specifies that the ISAKMP gateway serves only as the responder.
NAT Traversal        This option must be enabled when there is a NAT device on the IPSec or IKE tunnel path and the device performs NAT. By default, this function is disabled.
Any Peer ID          Makes the ISAKMP gateway accept any peer ID without checking the peer ID.
Generate Route       Select the Enable check box to enable the auto routing function. By default, this function is disabled. This function allows the device to automatically add routing entries from the center device to the branch, avoiding the problems caused by manually configured routing.
DPD                  Select the Enable check box to enable the DPD (Dead Peer Detection) function. By default, this function is disabled. When the responder does not receive the peer's packets for a long period, it can use DPD to send a DPD request to the peer in order to test whether the peer ISAKMP gateway still exists.
                       DPD Interval - The interval for sending DPD requests to the peer. The value range is 1 to 10 seconds. The default value is 10 seconds.
                       DPD Retries - The number of times a DPD request is sent to the peer. The device keeps sending discovery requests to the peer until it reaches the specified number of DPD retries. If the device receives no response from the peer after the retries, it determines that the peer ISAKMP gateway is down. The value range is 1 to 10 times. The default value is 3.
Description          Type the description for the ISAKMP gateway.
XAUTH                Select Enable to enable the XAUTH server on the device. Then select an address pool from the drop-down list. After enabling the XAUTH server, the device can verify the users that try to access the IPSec VPN network by integrating with the configured AAA server.

6. In the P1 Proposal List tab, click New and the Phase1 Proposal Configuration dialog box will pop up.

In the Phase1 Proposal Configuration tab, configure the corresponding options.

Option               Description
Proposal Name        Specifies the name of the Phase1 proposal.
Authentication       Specifies the IKE identity authentication method. IKE identity authentication is used to verify the identities of both communication parties. There are three methods for authenticating identity: pre-shared key, RSA signature and DSA signature. The default value is pre-shared key. With the pre-shared key method, the key is used to generate a secret key, and the keys of both parties must be the same so that the same secret keys are generated.
Hash                 Specifies the authentication algorithm for Phase1. Select the algorithm you want to use.
                       MD5 – Uses MD5 as the authentication algorithm. Its hash value is 128-bit.
                       SHA – Uses SHA as the authentication algorithm. Its hash value is 160-bit. This is the default hash algorithm.
                       SHA-256 – Uses SHA-256 as the authentication algorithm. Its hash value is 256-bit.
                       SHA-384 – Uses SHA-384 as the authentication algorithm. Its hash value is 384-bit.
                       SHA-512 – Uses SHA-512 as the authentication algorithm. Its hash value is 512-bit.
Encryption           Specifies the encryption algorithm for Phase1.
                       3DES – Uses 3DES as the encryption algorithm. The key length is 192-bit. This is the default encryption algorithm.
                       DES – Uses DES as the encryption algorithm. The key length is 64-bit.
                       AES – Uses AES as the encryption algorithm. The key length is 128-bit.
                       AES-192 – Uses 192-bit AES as the encryption algorithm. The key length is 192-bit.
                       AES-256 – Uses 256-bit AES as the encryption algorithm. The key length is 256-bit.
DH Group             Specifies the DH group for the Phase1 proposal.
                       Group1 – Uses Group1 as the DH group. The key length is 768-bit.
                       Group2 – Uses Group2 as the DH group. The key length is 1024-bit. Group2 is the default value.
                       Group5 – Uses Group5 as the DH group. The key length is 1536-bit.
                       Group14 – Uses Group14 as the DH group. The key length is 2048-bit.
                       Group15 – Uses Group15 as the DH group. The key length is 3072-bit.
                       Group16 – Uses Group16 as the DH group. The key length is 4096-bit.
Lifetime             Specifies the lifetime of the Phase1 SA. The value range is 300 to 86400 seconds. The default value is 86400. Type the lifetime value into the Lifetime box. When the SA lifetime runs out, the device sends an SA P1 delete message to its peer, notifying it that the P1 SA has expired and a new SA negotiation is required.

7. In the P2 Proposal List tab, click New and the Phase2 Proposal Configuration dialog box will pop up.

In the Phase2 Proposal Configuration tab, configure the corresponding options.


Option               Description
Proposal Name        Specifies the name of the Phase2 proposal.
Protocol             Specifies the protocol type for Phase2. The options are ESP and AH. The default value is ESP.
Hash                 Specifies the authentication algorithm for Phase2. Select the algorithm you want to use.
                       MD5 – Uses MD5 as the authentication algorithm. Its hash value is 128-bit.
                       SHA – Uses SHA as the authentication algorithm. Its hash value is 160-bit. This is the default hash algorithm.
                       SHA-256 – Uses SHA-256 as the authentication algorithm. Its hash value is 256-bit.
                       SHA-384 – Uses SHA-384 as the authentication algorithm. Its hash value is 384-bit.
                       SHA-512 – Uses SHA-512 as the authentication algorithm. Its hash value is 512-bit.
                       Null – No authentication.
Encryption           Specifies the encryption algorithm for Phase2.
                       3DES – Uses 3DES as the encryption algorithm. The key length is 192-bit. This is the default encryption algorithm.
                       DES – Uses DES as the encryption algorithm. The key length is 64-bit.
                       AES – Uses AES as the encryption algorithm. The key length is 128-bit.
                       AES-192 – Uses 192-bit AES as the encryption algorithm. The key length is 192-bit.
                       AES-256 – Uses 256-bit AES as the encryption algorithm. The key length is 256-bit.
                       Null – No encryption.
Compression          Specifies the compression algorithm for Phase2. By default, no compression algorithm is used.
PFS Group            Specifies the PFS function for Phase2. PFS is used to protect the DH algorithm.
                       No PFS – Disables PFS. This is the default value.
                       Group1 – Uses Group1 as the DH group. The key length is 768-bit.
                       Group2 – Uses Group2 as the DH group. The key length is 1024-bit. Group2 is the default value.
                       Group5 – Uses Group5 as the DH group. The key length is 1536-bit.
                       Group14 – Uses Group14 as the DH group. The key length is 2048-bit.
                       Group15 – Uses Group15 as the DH group. The key length is 3072-bit.
                       Group16 – Uses Group16 as the DH group. The key length is 4096-bit.
Lifetime             The lifetime can be evaluated by two standards: time length and traffic volume. Type the lifetime of the P2 proposal into the box. The value range is 180 to 86400 seconds. The default value is 28800.
Lifesize             Select Enable to enable the traffic-based lifetime of the P2 proposal. By default, this function is disabled. After selecting Enable, specify the traffic volume of the lifetime. The value range is 1800 to 4194303 KB. The default value is 1800. Type the traffic volume value into the box.

PKI
PKI (Public Key Infrastructure) is a system that provides public key encryption and digital signature services. PKI is designed to automate secret key and certificate management, and to assure the confidentiality, integrity and non-repudiation of data transmitted over the Internet. A PKI certificate binds a public key to the respective user identity through a trusted third party, thus authenticating the user over the Internet. A PKI system consists of Public Key Cryptography, CA (Certificate Authority), RA (Registration Authority), Digital Certificate and the related PKI storage library.
PKI terminology:

Public Key Cryptography: A technology used to generate a key pair that consists of a public key and a private key. The public key is widely distributed, while the private key is known only to the recipient. The two keys in the key pair complement each other, and data encrypted by one key can only be decrypted by the other key of the key pair.

CA: A trusted entity that issues digital certificates to individuals, computers or any other entities. The CA accepts requests for certificates and verifies the information provided by the applicants based on the certificate management policy. If the information is legitimate, the CA signs the certificates with its private key and issues them to the applicants.

RA: The extension to the CA. The RA forwards requests for a certificate to the CA, and also forwards the digital certificates and CRLs issued by the CA to directory servers in order to provide directory browsing and query services.

CRL: Each certificate is designed with an expiration date. However, the CA might revoke a certificate before the expiration date due to key leakage, business termination or other reasons. Once a certificate is revoked, the CA issues a CRL to announce that the certificate is invalid, listing the serial number of the invalid certificate.

Note: HSM only supports the display of trust domains in PKI.

Viewing the Trust Domain


To view the trust domain in the device configuration page, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.

2. Select the device whose trust domain you want to view.

3. Click PKI > Trust Domain. The main window displays the related information about the trust domain and the toolbar.

4. Select the trust domain you want to view, and click View.

In the Basic tab, view the basic parameters of the trust domain.

Option               Description
Basic
Trust Domain         Enter the name of the new trust domain.
Enrollment Type      Use one of the following two methods:
                       Select Manual Input, click Browse to find the certificate, and click Import to import it into the system.
                       Select Self-signed Certificate; the certificate is generated by the device itself.
Key Pair             Select a key pair.
Subject
Name                 Enter a name for the subject.
Country (Region)     Enter the name of the applicant's country or region. Only a two-letter abbreviation is allowed, such as CN.
Location             Optional. The location of the applicant.
State/Province       Optional. State or province name.
Organization         Optional. Organization name.
Organization unit    Optional. Department name within the applicant's organization.

In the CRL tab, view the CRL parameters.

Certification Revocation List
Check                No Check - The system does not check the CRL. This is the default option.
                     Optional - The system accepts certificates from the peer whether or not a CRL is available.
                     Force - The system accepts certificates from the peer only when a CRL is available.
URL 1-3              The URL address for receiving the CRL. At most 3 URLs are allowed, and their priority is from 1 to 3.
                       Select http:// if you want to get the CRL via HTTP.
                       Select ldap:// if you want to get the CRL via LDAP.
                       If you use LDAP to receive the CRL, you need to enter the login DN of the LDAP server and the password. If no login DN or password is entered, the transmission is anonymous.
Auto Update          Update frequency of the CRL.
Manual Update        Get the CRL immediately by clicking Obtaining CRL.

User
User refers to a user who uses the functions and services provided by the Hillstone device, or who is authenticated or managed by the device. Authenticated users consist of local users and external users. Local users are created by administrators, belong to different local authentication servers, and are stored in the system's configuration files. External users are stored on external servers, such as an AD server or an LDAP server. The system supports user groups to facilitate user management. Users belonging to one local authentication server can be allocated to different user groups, and a single user can belong to several user groups simultaneously; similarly, user groups belonging to one local authentication server can be allocated to different user groups, and a single user group can belong to several user groups simultaneously.

Creating a Local User


To create a new local user on HSM, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, select the device on which you want to create the local user, go to the Objects navigation pane and select User>Local User. The main window shows the local user list.

3. Click New from the toolbar. The User Configuration dialog appears.



Option Description
Name: Specifies a name for the user.
Password: Specifies a password for the user.
Confirm password: Type the password again to confirm it.
Mobile+country code: Specifies the user's mobile number. When the user logs in to the SCVPN client, the system will send the verification code to this mobile number.
Description: If needed, type a description for the user.
Group: Adds the user to a selected user group. Click Choose, and in the Choose User Group dialog, select the user group you want and click Add.
Expiration: Select the Enable check box to enable expiration for the user, and then specify a date and time. After expiration, the user cannot be authenticated and therefore cannot be used in the system. By default, expiration is not enabled.

4. Click OK to save the changes and close the dialog.


Click the View link in the user's Reference By column to view all policy rules, user groups, and iQoS pipes that reference the user. Click the Remove link in the Remove Relationship column of each tab to release the reference relationship between this user and the corresponding policy rule, user group, or iQoS pipe. Before deleting a user that has been referenced by a user group, remove the reference or delete the user group first.

Creating a User Group
To create a new local user group on HSM, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, select the device on which you want to create the local user group, go to the Objects navigation pane and select User>Local User. The main window shows the local user list.

3. Click New>User Group from the toolbar. The User Group Configuration dialog appears.



4. Type the name for the user group into the Name box.

5. Specify members for the user group. Expand User or User Group in the Available list, select a user or user group and click Add to add it to the Selected list on the right. To delete a selected user or user group, select it in the Selected list and then click Remove. One user group can contain multiple users or user groups, but the system only supports up to 5 layers of nested user groups, and does not support loop nesting, i.e., a user group must not nest the upper-layer user group it belongs to.

6. Click OK to save the changes and close the dialog.


Importing List
You can import a local user binding list or user password list to HSM, and the existing configurations will be updated by the imported configurations. If the imported list contains a user that does not exist in the system, the user binding rule or user password item will be created automatically. The list file format must be .txt. If the binding type is IP, each line of the user binding list has the format "AAA server name, user name, IP, virtual router, 0 or 1"; if the binding type is MAC, each line has the format "AAA server name, user name, MAC, virtual router, 0". The last field indicates whether the Check Login IP for WebAuth User function is enabled: "0" means no, "1" means yes. Each line of the user password list has the format "local server name, user name, password".
To import list on HSM, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, select the device to which you want to import the list, go to the Objects navigation pane and select User>Local User. The main window shows the local user list.

3. Click the black triangle to the right of the Import button from the toolbar, and select Import User Binding List or
Import User Password List.

4. Browse the local directory and select the file you want to import.

5. Click Open to import.


Exporting List
You can export a local user binding list or user password list to your local PC.
To export list on HSM, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.



2. In the device navigation pane, select the device from which you want to export the list, go to the Objects navigation pane and select User>Local User. The main window shows the local user list.

3. Click the black triangle to the right of the Export button from the toolbar, and select Export User Binding List or
Export User Password List.

4. Click OK in the prompt dialog and select the location you want to export.

5. Click Save to export.

Creating an LDAP User

You can synchronize users on an LDAP server to the Hillstone device. To synchronize users from an LDAP server, you first need to configure an LDAP server. To configure an LDAP server, see "AAA Server" on page 165.
To synchronize users on HSM, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, select the device to which you want to synchronize users, go to the Objects navigation pane and select User>LDAP User. The main window shows the LDAP user list.

3. Select a server from the LDAP Server drop-down list, and click Sync User from the toolbar.

Importing Binding
You can import an LDAP user binding list to HSM. The list file format must be .txt.
To import the list on HSM, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, select the device to which you want to import the list, go to the Objects navigation pane and select User>LDAP User. The main window shows the LDAP user list.

3. Click the Import Binding button from the toolbar.

4. Browse the local directory and select the file you want to import.

5. Click Open to import.


Exporting Binding
You can export a LDAP user binding list to your local PC.
To export list on HSM, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, select the device from which you want to export the list, go to the Objects navigation pane and select User>LDAP User. The main window shows the LDAP user list.

3. Click the Export Binding button from the toolbar.

4. Click OK in the prompt dialog and select the location you want to export.

5. Click Save to export.

Creating an Active Directory User

You can synchronize users on an Active Directory server to the Hillstone device. To synchronize users from an Active Directory server, you first need to configure an Active Directory server. To configure an Active Directory server, see "AAA Server" on page 165.
To synchronize users on HSM, take the following steps:



1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, select the device to which you want to synchronize users, go to the Objects navigation pane and select User>Active Directory User. The main window shows the Active Directory user list.

3. Select a server from the Active Directory Server drop-down list, and click Sync User from the toolbar.

Importing Binding
You can import an Active Directory user binding list to HSM. The list file format must be .txt.
To import the list on HSM, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, select the device to which you want to import the list, go to the Objects navigation pane and select User>Active Directory User. The main window shows the Active Directory user list.

3. Click the Import Binding button from the toolbar.

4. Browse the local directory and select the file you want to import.

5. Click Open to import.


Exporting Binding
You can export an Active Directory user binding list to your local PC.
To export list on HSM, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, select the device from which you want to export the list, go to the Objects navigation pane and select User>Active Directory User. The main window shows the Active Directory user list.

3. Click the Export Binding button from the toolbar.

4. Click OK in the prompt dialog and select the location you want to export.

5. Click Save to export.

Creating User Binding


To bind an IP or MAC address to a user, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, select the device to which you want to add the user binding, go to the Objects navigation pane and select User>User Binding.

3. Click Add User Binding from the toolbar. The IP MAC Binding dialog appears.



User
AAA Server: Select an AAA server from the drop-down list.
User: Select a user for the binding from the drop-down list.
Binding Type
Binding Type: By specifying the binding type, you can bind the user to an IP address or a MAC address. In a virtual router, the same IP or MAC address can only be bound to one user. One user can bind multiple MAC addresses.
  IP - If IP is selected, type the IP address into the IP text box, and select a VR from the Virtual Router drop-down list. If needed, select the Check WebAuth IP-User Mapping Relationship check box to apply the IP-user mapping only to the IP-user mapping check during Web authentication. When the check box is checked, an AAA user can only bind one IP address.
  MAC - If MAC is selected, type the MAC address into the MAC text box, and select a VR from the Virtual Router drop-down list.

4. Click OK to save the changes and close the dialog.


Importing List
You can import a user binding list to HSM.
To import list on HSM, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, select the device to which you want to import the list, go to the Objects navigation pane and select User>User Binding.

3. Click the Import Binding button from the toolbar.

4. Browse the local directory and select the file you want to import.

5. Click Open to import.
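The binding list imported here uses the line formats given under Importing List in the Local User section ("AAA server name, user name, IP, virtual router, 0 or 1" for IP bindings and "AAA server name, user name, MAC, virtual router, 0" for MAC bindings) and must respect the rules of the IP MAC Binding dialog above: within a virtual router an IP or MAC address belongs to one user, and a user with the WebAuth IP check enabled binds only one IP address. The following Python validator is an added example, not HSM code: it parses a list file and reports every line that would break one of those rules, so a list can be checked before it is uploaded. The sample lines, the function names and the accepted MAC notations are constructed assumptions; the guide does not say how HSM itself treats a line that violates them.

```python
"""Offline validator for HSM user binding import lists.
Added example, not HSM code: the line formats are those given in the guide; the
sample lines and accepted MAC notations are constructed assumptions."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Accepted MAC notations (assumption): aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff
MAC_RE = re.compile(
    r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$|^(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}$"
)

@dataclass
class BindingRecord:
    server: str           # AAA server name
    user: str
    binding_type: str     # "IP" or "MAC", derived from the address field
    address: str
    vrouter: str
    check_login_ip: bool  # last field: "check login IP for WebAuth user" enabled

def parse_binding_line(line: str) -> BindingRecord:
    """Parse one 'server, user, address, vrouter, flag' line or raise ValueError."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {line!r}")
    server, user, address, vrouter, flag = fields
    if not (server and user and vrouter):
        raise ValueError(f"server, user and virtual router must not be empty: {line!r}")
    if flag not in ("0", "1"):
        raise ValueError(f"last field must be 0 or 1, got {flag!r}")
    try:
        ipaddress.ip_address(address)
        binding_type = "IP"
    except ValueError:
        if not MAC_RE.match(address):
            raise ValueError(f"{address!r} is neither an IP nor a MAC address") from None
        binding_type = "MAC"
    if binding_type == "MAC" and flag != "0":
        raise ValueError("MAC bindings must end with 0; the WebAuth IP check is for IP bindings")
    return BindingRecord(server, user, binding_type, address.lower(), vrouter, flag == "1")

def validate_binding_list(text: str) -> Tuple[List[BindingRecord], List[str]]:
    """Return (accepted records, error messages) for a whole list file."""
    records, errors = [], []
    owner: Dict[Tuple[str, str], str] = {}        # (vrouter, address) -> user
    ips_of: Dict[Tuple[str, str], Set[str]] = {}  # (server, user) -> bound IPs
    checked: Set[Tuple[str, str]] = set()         # users with the WebAuth IP check on
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            rec = parse_binding_line(line)
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            continue
        key = (rec.vrouter, rec.address)
        if owner.get(key, rec.user) != rec.user:
            # Within one virtual router an address belongs to at most one user.
            errors.append(f"line {lineno}: {rec.address} in {rec.vrouter} is already bound to {owner[key]}")
            continue
        if rec.binding_type == "IP":
            who = (rec.server, rec.user)
            bound = ips_of.setdefault(who, set())
            if rec.check_login_ip:
                checked.add(who)
            if who in checked and bound and rec.address not in bound:
                # With the WebAuth IP check enabled a user may bind only one IP address.
                errors.append(f"line {lineno}: {rec.user} already binds {sorted(bound)[0]} with the IP check enabled")
                continue
            bound.add(rec.address)
        owner[key] = rec.user
        records.append(rec)
    return records, errors

def parse_password_line(line: str) -> Tuple[str, str, str]:
    """Parse one 'local server name, user name, password' line."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 3 or not all(fields):
        raise ValueError(f"expected 'server, user, password': {line!r}")
    return fields[0], fields[1], fields[2]

# Constructed sample list: lines 4 to 7 each break one rule.
SAMPLE_BINDING_LIST = """\
local, alice, 10.1.2.3, trust-vr, 1
local, bob, 00:11:22:33:44:55, trust-vr, 0
local, carol, 10.1.2.4, trust-vr, 0
local, dave, 10.1.2.3, trust-vr, 0
local, alice, 10.1.2.9, trust-vr, 1
local, erin, 10.1.2.300, trust-vr, 0
local, frank, 00:11:22:33:44:66, trust-vr, 1
"""
```

Running `validate_binding_list(SAMPLE_BINDING_LIST)` accepts the first three lines and rejects the other four: line 4 re-binds an IP that already belongs to alice in the same virtual router, line 5 gives alice a second IP although her WebAuth IP check is on, line 6 is not a valid address, and line 7 sets the check flag on a MAC binding. Password lists are parsed with `parse_password_line`, which requires exactly three non-empty fields.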


Exporting List
You can export a user binding list to your local PC.
To export list on HSM, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, select the device from which you want to export the list, go to the Objects navigation pane and select User>User Binding.



3. Click the Export Binding button from the toolbar.

4. Click OK in the prompt dialog and select the location you want to export.

5. Click Save to export.


Searching for User Binding Items
You can select AAA server type, enter the IP address or MAC address to filter and search the user binding items in the
upper right corner of the toolbar.

Role
Roles are designed with certain privileges. For example, a specific role can gain access to some specified network
resources, or make exclusive use of some bandwidth. In StoneOS, users and privileges are not directly associated. Instead,
they are associated by roles.
The mappings between roles and users are defined by role mapping rules. In function configurations, different roles are
assigned with different services. Therefore, the mapped users can gain the corresponding services as well.
System supports role combination, i.e., the AND, NOT or OR operation on roles. If a role is used by different modules,
the user will be mapped to the result role generated by the specified operation.

Creating a Role
To create a role on HSM, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, select the device on which you want to create the role, go to the Objects navigation pane and select Role>Role. The main window shows the role list.

3. Click New from the toolbar. The Role Configuration dialog appears.

Option Description
Type: Specifies the type for the new role, including private and shared.
Role Name: Type the role name into the Role Name box.
Description: Type the description for the role into the Description box.

4. Click OK to save the changes and close the dialog.


The created role will be displayed in the role list. You can click the Edit or Delete button on the toolbar to edit or delete roles. Click Convert to Shared to convert a private role into a shared role. In the search box at the upper right corner of the toolbar, enter an appropriate keyword about the name to search for the role. Click the View link in the role's Reference By column to view all policy rules, role mapping rules, and role combinations that reference the role. Click the Remove link in the Remove Relationship column of each tab to release the reference relationship between this role and the corresponding policy rule or role mapping rule. Before deleting a role that has been referenced by a role mapping rule, remove the reference or delete the role mapping rule first.

Associating to Existing Mapping Rule
You can associate the role with the user, user group, certificate name, or organization unit of the existing mapping rule.
To associate the role on HSM, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, select the device on which you want to associate the role, go to the Objects navigation pane and select Role>Role. The main window shows the role list.

3. Select a role, and click Mapping To from the toolbar. The Mapping To dialog appears.



Select a role mapping rule from the first drop-down list, and then select a user, user group, certificate name (the CN
field of USB Key certificate) or organization unit (the OU field of USB Key certificate) from the second drop-down list.
If User, User group, CN or OU is selected, also select or enter the corresponding user name, user group name, CN or
OU into the box behind.

4. Click Add to add to the role mapping list.

5. If needed, repeat Step 3 and Step 4 to add more mappings. To delete a role mapping, select the role mapping you
want to delete from the mapping list, and click Delete.

6. Click OK to save the changes and close the dialog.

Creating a Role Mapping Rule


You can associate the role with the user, user group, certificate name, or organization unit. 64 role mapping rules can be
configured, and 256 mapping items can be added in each role mapping rule.
To create a role mapping rule on HSM, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, select the device you want, go to the Objects navigation pane and select Role>Role
Mapping. The main window shows the role mapping rule list.

3. Click New from the toolbar. The Role Mapping Configuration dialog appears.

Type : Specifies the type for new role mapping rule, including private and shared.
Mapping Name : Type the name for the role mapping rule.
In the Member section, select a role from the first drop-down list, and then select a user, user group, certificate name
(the CN field of USB Key certificate) or organization unit (the OU field of USB Key certificate) from the second drop-
down list. If User, User group, CN or OU is selected, also select or enter the corresponding user name, user group
name, CN or OU into the box behind.

4. Click Add to add to the role mapping list.

5. If needed, repeat Step 3 and Step 4 to add more mappings. To delete a role mapping, select the role mapping you
want to delete from the mapping list, and click Delete.

6. Click OK to save the changes and close the dialog.


You can click the Edit or Delete button on the toolbar to edit or delete role mapping rules. In the search box at the upper right corner of the toolbar, enter an appropriate keyword about the name to search for role mapping rules. Click the View link in the role mapping rule's Reference By column to view all AAA servers that reference the rule. Click the Remove link in the Remove Relationship column of each tab to release the reference relationship between this rule and the corresponding AAA server. Before deleting a role mapping rule that has been referenced by an AAA server, remove the reference or delete the AAA server first.

Creating a Role Combination


Different roles can be grouped together logically to form a new role.
To create a role combination on HSM, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, select the device you want, go to the Objects navigation pane and select Role>Role
Combination. The main window shows the role combination list.

3. Click New from the toolbar. The Role Combination Configuration dialog appears.

Option Description
Type: Specifies the type for the new role combination, including private and shared.
First Prefix: Specifies a prefix for the first role in the role regular expression.
First Role: Select a role name from the First Role drop-down list to specify the first role in the role regular expression.
Operator: Specifies an operator for the role regular expression.
Second Prefix: Specifies a prefix for the second role in the role regular expression.
Second Role: Select a role name from the Second Role drop-down list to specify the second role in the role regular expression.
Result Role: Select a role name from the Result Role drop-down list to specify the result role in the role regular expression.

4. Click OK to save the changes and close the dialog.


You can click the Delete button on the toolbar to delete role combinations. Click Convert to Shared to convert a private role combination into a shared one. In the search box at the upper right corner of the toolbar, enter an appropriate keyword about the name to search for the role combination.
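Because a user's effective roles come from the role mapping rules plus every combination whose expression holds, it helps to evaluate the combinations offline before relying on a result role in a policy. The following Python evaluator is an added example, not HSM or StoneOS code. It models a combination as the six fields of the dialog above and assumes that a prefix is either empty or NOT (negating that operand), that AND and OR combine the two operands, that the NOT operator listed in the Role section means "first role and not second role", and that a result role may itself appear as an operand of another combination, so combinations are applied until nothing changes. Those readings and the sample roles are this example's assumptions, not statements from the guide.

```python
"""Evaluate role combinations (prefix, role, operator, prefix, role, result) for a user.

Added example, not HSM or StoneOS code. The meaning given to the prefix and
to the operators is an assumption; the sample combinations are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class RoleCombination:
    first_prefix: str    # "" or "NOT" (assumption: NOT negates this operand)
    first_role: str
    operator: str        # "AND", "OR" or "NOT" (assumption: NOT = first AND NOT second)
    second_prefix: str   # "" or "NOT"
    second_role: str
    result_role: str

    def matches(self, roles: Set[str]) -> bool:
        """True when the expression holds for the given set of roles."""
        first = (self.first_role in roles) != (self.first_prefix.upper() == "NOT")
        second = (self.second_role in roles) != (self.second_prefix.upper() == "NOT")
        op = self.operator.upper()
        if op == "AND":
            return first and second
        if op == "OR":
            return first or second
        if op == "NOT":
            return first and not second
        raise ValueError(f"unsupported operator {self.operator!r}")


def evaluate_roles(user_roles: Iterable[str], combinations: List[RoleCombination],
                   max_rounds: int = 32) -> Set[str]:
    """Return the user's roles plus every result role whose combination holds.

    Result roles may feed later combinations (assumption), so iterate to a
    fixpoint; max_rounds is only a guard against a pathological configuration.
    """
    roles = set(user_roles)
    for _ in range(max_rounds):
        new = {c.result_role for c in combinations
               if c.result_role not in roles and c.matches(roles)}
        if not new:
            break
        roles |= new
    return roles


# Constructed sample combinations; "privileged" depends on two other results.
SAMPLE_COMBINATIONS = [
    RoleCombination("", "admin", "AND", "", "vpn-user", "admin-vpn"),
    RoleCombination("NOT", "guest", "AND", "", "employee", "staff"),
    RoleCombination("", "admin-vpn", "OR", "", "staff", "privileged"),
    RoleCombination("", "employee", "NOT", "", "contractor", "fulltime"),
]

if __name__ == "__main__":
    for roles in ({"admin", "vpn-user"}, {"employee"}, {"guest", "employee"}):
        print(sorted(roles), "->", sorted(evaluate_roles(roles, SAMPLE_COMBINATIONS)))
```

Reading the output for a few representative users is a quick way to confirm that a negated prefix does what was intended: with the sample combinations, a user who holds only "employee" ends up with "staff", "fulltime" and "privileged", while adding "guest" removes "staff" and therefore "privileged" as well.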



AAA Server
An AAA server is a server program that handles user requests for access to computer resources and, for an enterprise,
provides authentication, authorization, and accounting (AAA) services. The AAA server typically interacts with network
access and gateway servers and with databases and directories containing user information.
The system supports the following five types of AAA server for authentication:

Local server: a local server is the firewall itself. The firewall stores user identity information and handles requests. A
local server authentication is fast and cheap, but its storage space is limited by the firewall hardware size.

External servers:

Radius server

LDAP server

Active-Directory server (AD server)

TACACS+ server

Creating a Local Server


To create a local server on HSM, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, select the device you want, go to the Objects navigation pane and select AAA Server.

3. Click New from the toolbar. The Local Server Configuration dialog appears.

Option Description
Type: Specifies the type for the new local server, including private and shared.
Server Name: Type the name for the new server into the text box.
Role Mapping Rule: Specifies a role mapping rule for the server. With this option selected, the system will allocate a role to users who have been authenticated to the server according to the specified role mapping rule.
Change Password: If needed, select the Enable checkbox. With this function enabled, the system allows users to change their own passwords after successful WebAuth or SCVPN authentication.
Backup Authentication Server: To configure a backup authentication server, select a server from the drop-down list. After configuring a backup authentication server for the local server, the backup authentication server will take over the authentication task when the primary server malfunctions or authentication fails on the primary server. The backup authentication server can be any existing local, Active-Directory, RADIUS or LDAP server defined in the system.

4. Click OK to save the changes and close the dialog.


You can click the Delete button on the toolbar to delete servers. Click Convert to Shared to convert a private local server into a shared one. In the search box at the upper right corner of the toolbar, enter an appropriate keyword about the name to search for the local server; Fuzzy and Accurate can be selected in the search drop-down menu.

Click the View link in the AAA server's Reference By column to view all objects that reference the AAA server. Click the Remove link in the Remove Relationship column of each tab to release the reference relationship between this AAA server and the corresponding object.

Creating a Radius Server


To create a Radius server on HSM, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, select the device you want, go to the Objects navigation pane and select AAA Server.

3. Click the black triangle to the right of the New button from the toolbar, and select Radius Server. The Radius Server
Configuration dialog appears.

Basic Configuration
Type: Specifies the type for the new Radius server, including private and shared.
Server Name: Specifies a name for the Radius server.
Server Address: Specifies an IP address or domain name for the Radius server.
Virtual Router: Specifies a VR for the Radius server.
Port: Specifies a port number for the Radius server. The value range is 1024 to 65535. The default value is 1812.
Password: Specifies a password for the Radius server. You can specify at most 31 characters.
Optional
Role Mapping Rule: Specifies a role mapping rule for the server. With this option selected, the system will allocate a role to users who have been authenticated to the server according to the specified role mapping rule.
Backup server 1/Backup server 2: Specifies an IP address or domain name for backup server 1 or backup server 2.
Virtual Router1/Virtual Router2: Specifies a VR for the backup server.
Retries: Specifies how many times the authentication packets are resent to the AAA server. The value range is 1 to 10. The default value is 3.
Timeout: Specifies a timeout for the server response. The value range is 1 to 30 seconds. The default value is 3.
Backup Auth Server: Specifies a backup authentication server. After configuring a backup authentication server for the Radius server, the backup authentication server will take over the authentication task when the primary server malfunctions or authentication fails on the primary server. The backup authentication server can be any existing local, Active-Directory, RADIUS or LDAP server defined in the system.
Enable Account: Select the Enable Account checkbox to enable accounting for the Radius server, and then configure the options in the area that slides out.
  Server Address: Specifies an IP address or domain name for the accounting server.
  Virtual Router: Specifies a VR for the accounting server.
  Port: Specifies a port number for the accounting server. The value range is 1024 to 65535. The default value is 1813.
  Secret: Specifies a password for the accounting server.
  Backup server 1/Backup server 2: Specifies an IP address or domain name for backup server 1 or backup server 2.
  Virtual Router1/Virtual Router2: Specifies a VR for the backup server.

4. Click OK to save the changes and close the dialog.


You can click the Delete button on the toolbar to delete servers. Click Convert to Shared to convert a private Radius server into a shared one. In the search box at the upper right corner of the toolbar, enter an appropriate keyword about the name to search for the Radius server; Fuzzy and Accurate can be selected in the search drop-down menu.

Creating an Active Directory Server


To create an Active Directory server on HSM, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration
page.

2. In the device navigation pane, select the device you want, go to the Objects navigation pane and select AAA Server.

3. Click the black triangle to the right of the New button from the toolbar, and select Active Directory Server. The Active Directory Server Configuration dialog appears.

Basic Configuration
Type: Specifies the type for the new Active Directory server, including private and shared.
Server Name: Specifies a name for the Active Directory server.
Server Address: Specifies an IP address or domain name for the Active Directory server.
Virtual Router: Specifies a VR for the Active Directory server.
Port: Specifies a port number for the Active Directory server. The value range is 1 to 65535. The default value is 389.
Base-dn: Specifies a Base-dn for the AD server. The Base-dn is the starting point at which the search begins when the AD server receives an authentication request. For example, if the server domain is abc.xyz.com, the Base-dn has the format "dc=abc,dc=xyz,dc=com".
Login-dn: Specifies authentication characteristics for the Login-dn (typically a user account with query privilege pre-defined by the AD server). The DN (Distinguished Name) is a username of the AD server that has read access to user information. The format of the DN is "cn=xxx,DC=xxx,...". For example, if the server domain is abc.xyz.com and the AD server admin name is administrator, located in the Users directory, then the login-dn should be "cn=administrator,cn=users,dc=abc,dc=xyz,dc=com".
sAMAccountName: Specifies the sAMAccountName, which is a string of 1 to 63 characters and is case sensitive.
Authentication Mode: Specifies an authentication or synchronization method (either plain text or MD5). The default method is MD5. If the sAMAccountName is not configured after you specify the MD5 method, the plain method will be used when synchronizing users from the server, and the MD5 method will be used when authenticating users.
Password: Specifies a password for the AD server. This should correspond to the password for the Admin DN.
Optional
Role Mapping Rule: Specifies a role mapping rule for the server. With this option selected, the system will allocate a role to users who have been authenticated to the server according to the specified role mapping rule.
Backup server 1/Backup server 2: Specifies an IP address or domain name for backup server 1 or backup server 2.
Virtual Router1/Virtual Router2: Specifies a VR for the backup server.
Synchronization: Check the checkbox to enable the synchronization function; clear the checkbox to disable it, and the system will stop synchronizing and clear the existing user information. By default, the system synchronizes the user information on the configured Active-Directory server to the local device every 30 minutes.
  Automatic Synchronization: Click the radio button to specify automatic synchronization.
    Interval Synchronization: Specifies the time interval of automatic synchronization. The value range is 30 to 1440 minutes. The default value is 30.
    Daily Synchronization: Specifies the time when the user information is synchronized every day. The format is HH:MM, where HH and MM indicate hour and minute respectively.
    Once Synchronization: If this parameter is specified, the system will synchronize automatically when the configuration of the Active-Directory server is modified. After executing this command, the system will synchronize user information immediately.
Synchronous Operation Mode: Specifies the user synchronization mode, including Group Synchronization and OU Synchronization. By default, user information is synchronized to the local device based on Group.
OU maximum depth: Specifies the maximum depth of OU to be synchronized. The value range is 1 to 12, and the default value is 12. OU structure that exceeds the maximum depth will not be synchronized, but users beyond the maximum depth will be synchronized to the deepest synchronized OU they belong to. If the total number of characters of the OU name for each level (including the "OU=" string and punctuation) is more than 128, the OU information that exceeds the length will not be synchronized to the local device.
User Filter: Specifies the user-filter conditions; the system can only synchronize and authenticate users on the authentication server that match the filtering condition. The length is 0 to 120 characters. For example, if the condition is configured as "memberOf=CN=Admin,DC=test,DC=com", the system can only synchronize or authenticate users that match "memberOf=CN=Admin,DC=test,DC=com". The commonly used operators are: = (equals a value), & (and), | (or), ! (not), * (wildcard; matches zero or more characters), ~= (fuzzy query), >= (equal to or greater than a specified value in lexicographical order), <= (equal to or less than a specified value in lexicographical order).
Security Agent: Select the Enable check box to enable Security Agent. With this function enabled, the system will be able to obtain the mappings between the usernames of domain users and IP addresses from the AD server, so that the domain users can gain access to network resources. Besides, by making use of the obtained mappings, the system can also implement other user-based functions, such as security statistics, logging and behavior auditing. To enable Security Agent on the AD server, you need to install and run Security Agent on the server first. After that, when a domain user logs in or logs off, Security Agent will log the user's username, IP address, current time and other information, and add the mapping between the username and IP address to the system. In this way the system can obtain every online user's IP address.
  Agent Port: Specifies an agent port. The value range is 1025 to 65535. The default port is 6666.
  Login Info Timeout: Specifies a login info timeout. The value range is 0 to 1800 seconds. The default value is 300. The value 0 indicates no timeout.
Backup Authentication Server: Specifies a backup authentication server. After configuring a backup authentication server for the Active Directory server, the backup authentication server will take over the authentication task when the primary server malfunctions or authentication fails on the primary server. The backup authentication server can be any existing local, Active-Directory, RADIUS or LDAP server defined in the system.

4. Click OK to save the changes and close the dialog.


You can click the Delete button on the toolbar to delete servers. Click Convert to Shared to convert a private Active-Directory server into a shared one. In the search box at the upper right corner of the toolbar, enter an appropriate keyword from the name to search for the Active-Directory server; Fuzzy and Accurate can be selected in the search drop-down menu.

Creating an LDAP Server


To create an LDAP server on HSM, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.

2. In the device navigation pane, select the device you want, go to the Objects navigation pane and select AAA Server.

3. Click the black triangle to the right of the New button on the toolbar, and select LDAP Server. The LDAP Server Configuration dialog appears.

Basic Configuration

Type: Specifies the type of the new LDAP server, either private or shared.
Server Name: Specifies a name for the LDAP server.
Server Address: Specifies an IP address or domain name for the LDAP server.
Virtual Router: Specifies a VR for the LDAP server.
Port: Specifies a port number for the LDAP server. The value range is 1 to 65535. The default value is 389.
Base-dn: Specifies the Base-dn. Base-dn is the starting point at which the search will begin when the LDAP server receives an authentication request.
Login-dn: Specifies the authentication characteristics for Login-dn (typically a user account with query privilege pre-defined on the LDAP server).
Authid: Specifies the Authid, which is a case-sensitive string of 1 to 63 characters.
Authentication Mode: Specifies an authentication or synchronization method (either plain text or MD5). The default method is MD5. If the Authid is not configured after you specify the MD5 method, the plain method will be used when synchronizing users from the server, and the MD5 method will be used when authenticating users.
Password: Specifies a password for the LDAP server. This should correspond to the password for the Admin DN.

Optional

Role Mapping Rule: Specifies a role mapping rule for the server. With this option selected, the system will allocate a role to users who have been authenticated by the server according to the specified role mapping rule.
Backup server 1/Backup server 2: Specifies an IP address or domain name for backup server 1 or backup server 2.
Virtual Router1/Virtual Router2: Specifies a VR for the backup server.
Synchronization: Check the checkbox to enable the synchronization function; clear the checkbox to disable it, in which case the system will stop synchronizing and clear the existing user information. By default, the system will synchronize the user information on the configured LDAP server to the local system every 30 minutes.
Automatic Synchronization: Click the radio button to specify automatic synchronization.
  Interval Synchronization: Specifies the time interval of automatic synchronization. The value range is 30 to 1440 minutes. The default value is 30.
  Daily Synchronization: Specifies the time at which the user information is synchronized every day. The format is HH:MM, where HH and MM indicate hour and minute respectively.
  Once Synchronization: If this parameter is specified, the system will synchronize automatically when the configuration of the LDAP server is modified. After executing this command, the system will synchronize user information immediately.
Synchronous Operation Mode: Specifies the user synchronization mode, either Group Synchronization or OU Synchronization. By default, user information will be synchronized to the local system based on Group.
OU maximum depth: Specifies the maximum depth of OU to be synchronized. The value range is 1 to 12, and the default value is 12.
OU structure that exceeds the maximum depth will not be synchronized, but users that exceed the maximum depth will be synchronized to the deepest OU (at the specified depth) that they belong to. If the total number of characters in the OU name at any level (including the "OU=" string and punctuation) is more than 128, the OU information that exceeds the length will not be synchronized to the local system.
User Filter: Specifies the user filters. The system can only synchronize and authenticate users on the authentication server that match the filters. The length is 0 to 120 characters. For example, if the condition is configured as "(|(objectclass=inetOrgperson)(objectclass=person))", the system can only synchronize or authenticate users which are defined as inetOrgperson or person. The commonly used operators are as follows: = (equals a value), & (and), | (or), ! (not), * (wildcard; matches zero or more characters), ~= (fuzzy query), >= (equal to or greater than a specified value in lexicographical order), <= (equal to or less than a specified value in lexicographical order).
Naming Attribute: Specifies a naming attribute for the LDAP server. The default naming attribute is uid.
Member Attribute: Specifies a member attribute for the LDAP server. The default member attribute is uniqueMember.
Group Class: Specifies a group class for the LDAP server. The default class is groupofuniquenames.
Backup Authentication Server: Specifies a backup authentication server. After configuring a backup authentication server for the LDAP server, the backup authentication server will take over the authentication task when the primary server malfunctions or authentication fails on the primary server. The backup authentication server can be any existing local, Active-Directory, RADIUS or LDAP server defined in the system.

4. Click OK to save the changes and close the dialog.


You can click the Delete button on the toolbar to delete servers. Click Convert to Shared to convert a private LDAP server into a shared one. In the search box at the upper right corner of the toolbar, enter an appropriate keyword from the name to search for the LDAP server; Fuzzy and Accurate can be selected in the search drop-down menu.
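The user-filter syntax and the OU maximum depth rules described in the Active-Directory and LDAP server tables above, modelled as an added Python example (this is not code from the HSM guide or the device): it parses a filter built from the listed operators, applies it to constructed sample entries, and computes the OU a user lands in under the depth and 128-character limits. The fuzzy (~=) comparison is modelled as a substring test, and values containing ")" or escaped commas are not handled; both are assumptions of this example.

```python
import re

MAX_FILTER_LEN = 120    # user-filter length limit stated in the guide
MAX_OU_NAME_LEN = 128   # per-level OU name limit stated in the guide


def parse_filter(text):
    """Parse an LDAP filter into ('&'|'|'|'!', [children]) or (op, attr, pattern)
    with op in '=', '~=', '>=', '<='. A bare 'attr=value' (the AD example in the
    guide) is accepted without parentheses. Assumption: no ')' inside values."""
    if len(text) > MAX_FILTER_LEN:
        raise ValueError("filter longer than %d characters" % MAX_FILTER_LEN)
    if not text.startswith("("):
        text = "(" + text + ")"
    pos = 0

    def parse():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if pos < len(text) and text[pos] in "&|!":
            op = text[pos]
            pos += 1
            kids = []
            while pos < len(text) and text[pos] == "(":
                kids.append(parse())
            if not kids or (op == "!" and len(kids) != 1):
                raise ValueError("wrong operand count for %r" % op)
            node = (op, kids)
        else:
            end = text.find(")", pos)
            m = re.fullmatch(r"([A-Za-z][\w-]*)(~=|>=|<=|=)(.*)", text[pos:end])
            if end < 0 or not m:
                raise ValueError("bad filter item at offset %d" % pos)
            node = (m.group(2), m.group(1).lower(), m.group(3))
            pos = end
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        pos += 1
        return node

    tree = parse()
    if pos != len(text):
        raise ValueError("unexpected text after the filter")
    return tree


def _match(op, pattern, value):
    """One comparison. '=' honours '*' wildcards; '~=' (fuzzy) is modelled as a
    case-insensitive substring test (assumption); >=/<= are lexicographic."""
    p, v = pattern.lower(), value.lower()
    if op == "=":
        return re.fullmatch(".*".join(re.escape(s) for s in p.split("*")), v) is not None
    if op == "~=":
        return p in v
    return v >= p if op == ">=" else v <= p


def matches(node, entry):
    """entry maps a lowercase attribute name to its list of string values."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    return any(_match(op, pattern, v) for v in entry.get(attr, []))


def sync_ou(dn, max_depth=12):
    """OU path (top level first) a user is synchronized into under OU mode: levels
    beyond max_depth are dropped, so the user lands in the deepest kept OU, and an
    OU RDN longer than 128 characters stops synchronization at that level."""
    rdns = [r.strip() for r in dn.split(",")]       # assumption: no escaped commas
    ous = [r for r in reversed(rdns) if r.lower().startswith("ou=")]
    kept = []
    for rdn in ous[:max_depth]:
        if len(rdn) > MAX_OU_NAME_LEN:
            break
        kept.append(rdn)
    return kept


def sync_users(entries, filter_text, max_depth=12):
    """Return {user name: OU path} for the entries the filter admits."""
    tree = parse_filter(filter_text)
    result = {}
    for entry in entries:
        if matches(tree, entry):
            name = (entry.get("uid") or entry.get("cn"))[0]
            result[name] = sync_ou(entry["dn"][0], max_depth)
    return result


# Constructed sample entries (not real directory data); keys are lowercase.
SAMPLE_ENTRIES = [
    {"dn": ["uid=alice,ou=Eng,ou=Corp,dc=test,dc=com"], "uid": ["alice"],
     "objectclass": ["inetOrgPerson"], "memberof": ["CN=Admin,DC=test,DC=com"]},
    {"dn": ["uid=bob,ou=Deep,ou=Eng,ou=Corp,dc=test,dc=com"], "uid": ["bob"],
     "objectclass": ["person"]},
    {"dn": ["cn=scanner,ou=Corp,dc=test,dc=com"], "cn": ["scanner"],
     "objectclass": ["device"]},
]

if __name__ == "__main__":
    print(sync_users(SAMPLE_ENTRIES, "(|(objectclass=inetOrgperson)(objectclass=person))", 2))
    print(sync_users(SAMPLE_ENTRIES, "memberOf=CN=Admin,DC=test,DC=com"))
```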

Creating a TACACS+ Server


To create a TACACS+ server on HSM, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the device configuration page.

2. In the device navigation pane, select the device you want, go to the Objects navigation pane and select AAA Server.

3. Click the black triangle to the right of the New button on the toolbar, and select TACACS+ Server. The TACACS+ Server Configuration dialog appears.

Basic Configuration

Type: Specifies the type of the new TACACS+ server, either private or shared.
Server Name: Enter a name for the TACACS+ server.
Server Address: Specify the IP address or host name of the TACACS+ server.
Virtual Router: Specify the VRouter of the TACACS+ server.
Port: Enter the port number of the TACACS+ server. The default value is 49. The value range is 1 to 65535.
Secret: Enter the shared secret used to connect to the TACACS+ server.
Confirm Secret: Re-enter the shared secret.

Optional

Role mapping rule: Select a role mapping rule for the server. With this option selected, the system will allocate a role to users who have been authenticated by the server according to the specified role mapping rule.
Backup Server 1 (2): Enter the domain name or IP address of the backup TACACS+ server.
Virtual Router 1 (2): Select the VRouter of the backup server.

4. Click OK to save the changes and close the dialog.


You can click the Delete button on the toolbar to delete servers. Click Convert to Shared to convert a private TACACS+ server into a shared one. In the search box at the upper right corner of the toolbar, enter an appropriate keyword from the name to search for the TACACS+ server; Fuzzy and Accurate can be selected in the search drop-down menu.

Introduction to Global Configuration
Global configuration mainly provides a configuration method based on sharing across multiple devices. You can design your network configuration comprehensively, improving management efficiency. You can configure two kinds of rules in the global configuration page: private and shared. Shared rules and objects can be used by all devices. Private rules help users understand all the private rules from a global perspective. A shared security policy based on centralized management can be configured and deployed to multiple devices, realizing unified management of device traffic and reducing the configuration workload and the chance of errors.
For more detailed configuration information, see the following topics:

Global Configuration

Global Object

Global Configuration


Click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page. In this page, you can create, edit and delete shared or private rules. Shared rules can be used by all devices.

Note: HSM supports HA management in Active-Passive, Active-Active and Active-Peer modes for the managed devices. When HSM manages the HA function of the managed devices, you can view, configure and share the information of the master device in the HA pair. For the slave device, you can only view the configuration information on HSM.

After configuring the shared rules, you have to deploy the shared rules to the managed device for them to take effect on the device. For more detailed information about deploying configuration, see Synchronizing Configuration.
The related configurations are:

Policy

iQoS

NAT

Route

Configuration Bundle

Policy Configuration

Creating a Shared Policy
To create a shared policy on the HSM global configuration page, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. In the left navigation pane, select the device type tab, then expand the Configure and Security Policy nodes.

3. From the toolbar, click New. The Shared Policy Configuration dialog appears.

In the Shared Policy Configuration dialog, configure the following.


Policy Name: Specify the name of shared policy.
Description: If necessary, type description information for the policy in this text box.

4. Click OK. The new policy will be shown in the policy list.

5. Click on the policy name in the policy list or select the newly added policy from the configuration navigation pane to
enter the rule editing page.

6. Configure rules for the policy. For detailed information about how to configure them, see "Rule Configuration" on page 176.
After selecting a policy in the policy list, you can click the Edit button on the toolbar to edit the shared or private policy, and click the Delete button to delete the shared policy.

Note: Before deployment, the newly created policy exists only on HSM; even if you have specified devices for the policy, it will not take effect on those devices.

Rule Configuration

Creating a Policy Rule

In the global configuration page, click Security Policy > Shared/Private from the configuration navigation pane, then select a shared or private policy to enter the policy configuration page. For details about how to create a rule, refer to "Creating a Policy Rule" on page 62 in Device Configuration.

Note: HSM supports copying shared policy rules to a private or shared policy, but does not support copying private policy rules to a shared policy or to another private policy.

Creating a Rule Group

In the global configuration page, click Security Policy > Shared/Private from the configuration navigation pane, then select a shared or private policy to enter the policy configuration page. For details about how to create a rule group, refer to "Creating a Rule Group" on page 66 in Device Configuration.

Note: HSM supports copying shared policy rule groups to a private or shared policy, but does not support copying private policy rule groups to a shared policy or to another private policy.

Moving Rules and Groups

Refer to "Moving Rules and Groups" on page 67 in Device Configuration.

Deleting a Rule Group

Refer to "Deleting a Rule Group" on page 67 in Device Configuration.

Viewing Operation Record

To view the operation record of policy rules and rule groups, take the following steps:

1. Click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.

2. In the left navigation pane, select the device type tab, then expand the Configure and Security Policy nodes.

3. Click the icon in the Operation Record column. The operation record dialog for the security policy appears.
You can view the detailed operation record of rules and rule groups, including add, edit, delete, paste and so on.
You can also view the operation record in the HSM System Log page; refer to "Operation Log" on page 288.

Opening Local Snapshot

Refer to "Opening Local Snapshot" on page 69 in Device Configuration.

Rule Match Analysis

Refer to "Rule Match Analysis" on page 69 in Device Configuration.

Rule Conflict Check

This feature is used to check whether a policy contains useless rules. Select the Rule Conflict Check check box on the toolbar, and the system begins to check for conflicts among the rules in the policy. When the check is finished, the useless rules become hatched, and the IDs of all the rules that overshadow each useless rule are listed in the last column (Shadow) of the rule list. You can select all of the redundant rules by clicking the number in brackets after the check box, so that you can delete them in batches.
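A simplified version of the rule conflict check, as an added Python example that is not HSM's own algorithm: it assumes a rule is useless when an earlier rule in match order matches every packet it would match, comparing source, destination and service field by field, and reports the IDs of the overshadowing rules. The sample policy is constructed; rule 2 shows the case that matters for review, a deny that is never reached because a broader permit sits above it.

```python
from dataclasses import dataclass
import ipaddress

ANY = "any"


@dataclass(frozen=True)
class Rule:
    rid: int
    src: str       # CIDR or "any"
    dst: str       # CIDR or "any"
    service: str   # e.g. "tcp/443" or "any"
    action: str


def _covers_net(outer, inner):
    """True if every address in `inner` is also in `outer`."""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))


def covers(a, b):
    """True if rule a matches every packet rule b would match (field by field).
    Assumption: services are compared by name; service groups are not expanded."""
    return (_covers_net(a.src, b.src) and _covers_net(a.dst, b.dst)
            and (a.service == ANY or a.service == b.service))


def conflict_check(rules):
    """Walk the rules in match order (top of the list first) and return
    {shadowed rule id: [ids of the earlier rules that overshadow it]}."""
    shadowed = {}
    for i, rule in enumerate(rules):
        ids = [earlier.rid for earlier in rules[:i] if covers(earlier, rule)]
        if ids:
            shadowed[rule.rid] = ids
    return shadowed


# Constructed sample policy (not from a real device), in match order.
SAMPLE_RULES = [
    Rule(1, "10.0.0.0/8", ANY, "tcp/443", "permit"),
    Rule(2, "10.1.0.0/16", ANY, "tcp/443", "deny"),   # never reached: rule 1 covers it
    Rule(3, ANY, "192.0.2.0/24", ANY, "deny"),
    Rule(4, "10.2.0.0/16", "192.0.2.10/32", "tcp/22", "permit"),  # never reached: rule 3
    Rule(5, ANY, ANY, ANY, "deny"),
]

if __name__ == "__main__":
    for rid, by in conflict_check(SAMPLE_RULES).items():
        print("rule %d is shadowed by %s" % (rid, by))
```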

Setting Head or Tail Policy
You can specify a head policy or a tail policy for a private policy, and specify a head policy for a shared policy. Through the inheritance relations of policies, one or more rules can be applied on the device. Head policy rules applied on the device have a higher priority than the existing rules on the device, and tail policy rules have a lower priority than the existing rules on the device.
To set a head or tail policy for a private policy or shared policy, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. In the left navigation pane, select the device type tab, then expand the Configure and Security Policy nodes, and then select the policy for which you want to set a head or tail policy from the policy list.

3. If you choose a shared policy, click Apply Policy on the toolbar. The Apply Policy Guide page appears. The configuration that can be performed is as follows:
As head policy of devices: Click Next to select the devices that use this shared policy as their head policy.
As tail policy of devices: Click Next to select the devices that use this shared policy as their tail policy.
Override policies of devices: Click Next to select the devices whose own policy will be replaced with this shared policy.
As head policy of shared policy: Click Next to select the shared policies that use this shared policy as their head policy.

4. If you choose a private policy, click Set Head Policy or Set Tail Policy on the toolbar. Select shared policies in the pop-up dialog box.

5. Click OK.
The configuration you just made will be shown in the Head Policy and Tail Policy columns.

Note:
Only shared policy can be specified to be head or tail policy.

If a shared policy has been specified as a tail policy for a private policy, it is not allowed to
become the head policy for other policies.

If a shared policy has been designated as the head policy for a policy, it is not allowed to
become the tail policy for another policy.

A shared policy which has already been designated with a head policy is not allowed to
become a tail policy for other policies.

Viewing Policy Relationship
To help users understand the relationship between all policies more intuitively, HSM supports viewing a policy topology map.

Viewing Topology Map

To view the topology map of the policy relationship, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. In the left navigation pane, select the device type tab, and then expand the Configure and Security Policy nodes in turn.

3. Click Relationship View at the top right corner of the main window to view the topology map of the policy relationship.
The topology map shows the relationship between the private policies that the current administrator can access and all the shared policies. Click Grid View to switch back to the original view.

You can enter a policy name in the search box at the top right of the view, and the corresponding policy will be highlighted. Click Back to Center at the top right of the view to display all the security policies in the view. Click Auto Arrange to switch to the topology view. Click Full Screen to switch to full screen mode. You can also right-click a policy icon to specify its head policy or tail policy, and to mark the policy icon with a color (a shared policy cannot be designated a tail policy).

Configuring the Policy-based Protection Function
The HSM system currently supports policy-based Anti-Virus, IPS and URL filtering, and viewing the sandbox protection status.
To configure the policy-based protection function, take the following steps:

1. Click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration
page.

2. In the left navigation pane, select the device type tab, then expand the Configure and Security Policy nodes, and select the policy to be edited. The main window shows the policy entry list.

3. Click the policy entry list. The configuration dialog appears.

In the configuration dialog, configure the following.


Option Description

Anti-Virus: Select the On check box to enable the Anti-Virus function. Select the Anti-Virus rule from the drop-down list. Two ways can be used to configure an Anti-Virus rule:
  Predefined: By default, HSM has three default Anti-Virus rules: predef_low, predef_middle and predef_high. The file types and protocol types that are filtered differ between the Anti-Virus rules. The higher the Anti-Virus rule, the higher the security level.
  User-defined: The user-defined Anti-Virus rules. According to actual needs, select an Anti-Virus rule from the drop-down list, or click New in the drop-down list to create an Anti-Virus rule. For more information, see Anti-Virus.
  In the drop-down list, you can specify filtering conditions. HSM will display all Anti-Virus rules that match the search conditions.

Intrusion Protection: Select the On check box to enable the IPS function. Select the IPS rule from the drop-down list. Two ways can be used to configure an IPS rule:
  Predefined: By default, HSM has two default IPS rules: predef_default and predef_loose. predef_default, which includes all the IPS signatures, is strict in its attack detection results, and its default action for attacks is reset. predef_loose, which only has the IPS signatures with critical severity and above or high popularity, has high detection efficiency, and its default action for attacks is log only.
  User-defined: The user-defined IPS rules. According to actual needs, select an IPS rule from the drop-down list, or click New in the drop-down list to create an IPS rule. For more information, see Intrusion Prevention System.
  In the drop-down list, you can specify search conditions. HSM will display all IPS rules that match the search conditions.

URL Filter: Select the On check box to enable the URL Filter function. Select the URL Filter rule from the drop-down list. According to actual needs, select a URL Filter rule from the drop-down list, or click New in the drop-down list to create a URL Filter rule. For more information, see URL Filter.
  In the drop-down list, you can specify filtering conditions. HSM will display all URL Filter rules that match the search conditions.

Sandbox: You can view whether sandbox protection is enabled on the managed device. Sandbox protection configuration on HSM is currently not supported. Two ways can be used to configure a Sandbox rule:
  Predefined: By default, HSM has three default Sandbox rules: predef_low, predef_middle and predef_high. The predef_low rule has file type PE and protocol types HTTP/FTP/POP3/SMTP/IMAP4, with white list and filter enabled. The predef_middle rule has file types PE/APK/JAR/MS-Office/PDF and protocol types HTTP/FTP/POP3/SMTP/IMAP4, with white list and filter enabled. The predef_high rule has file types PE/APK/JAR/MS-Office/PDF/SWF/RAR/ZIP and protocol types HTTP/FTP/POP3/SMTP/IMAP4, with white list and filter enabled.
  User-defined: The user-defined Sandbox rules.

4. After configuring the shared policy-based AV and IPS functions on HSM, the policy entry list displays icons indicating that the Anti-Virus function is enabled, that the IPS function is enabled, that the URL Filter function is enabled, and that the Sandbox function is enabled.

iQoS
To create a shared iQoS on the HSM global configuration page, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.

2. In the left navigation pane, expand the Configure and iQoS nodes in the NGFW tab.

3. From the toolbar, click New. The Add iQoS dialog appears.

Enter the iQoS name in the dialog; Relevant Device and Description are optional.

4. Click OK. The new iQoS will be shown in the iQoS list.
For more information about how to configure iQoS, refer to iQoS in Device Configuration.

NAT

Creating a SNAT
A SNAT is a collection of zero or more SNAT rules.
To create a SNAT on the HSM global configuration page, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. In the left navigation pane, select the device type tab, then expand the Configure and NAT nodes, and select SNAT or Shared.

3. From the toolbar, click New. The Add Shared SNAT page appears.

In the Add Shared SNAT dialog, configure the following.


SNAT Name: Specify the name of the SNAT.
Relevant Device: Specify the devices to associate with the SNAT. If you choose the VSYS devices of a device, the SNAT will be associated with those VSYS devices, not with the device itself. After configuring the SNAT, you have to deploy the rule to the relevant device for it to take effect on the device. For more detailed information about deploying configuration, see Synchronizing Configuration.
Father NAT: Specify the father NAT for the SNAT. If specified, the SNAT will inherit the configuration of the father NAT.
Description: If necessary, type description information for the SNAT in this text box.

4. Click OK. The new SNAT will be shown in the SNAT list.

Editing/Deleting a SNAT
To edit/delete a SNAT, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. In the left navigation pane, select device types tab, then expand Configure and NAT nodes, select SNAT or Shared.
Select the SNAT you want to edit/delete from the NAT list.

3. Click Edit/Delete from the toolbar.

Creating a SNAT Rule
To create a SNAT Rule, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. In the left navigation pane, select device types tab, then expand Configure and NAT nodes, click Shared or Private.
Double-click the SNAT name you want to create SNAT rules from the SNAT list. The main window shows the SNAT
rule list.

3. From the toolbar of the SNAT rules list, click New. The SNAT Configuration page appears.

In the Basic tab of the SNAT Configuration dialog, configure the following.

Virtual Router: Specify a Virtual Router for the SNAT rule.

Source Addr: Specify the source IP address of the traffic, including:


Address Entry - Select an address entry from the drop-down list.
IP Address - Type an IP address into the IP address box.
IP/Netmask - Type an IP address and subnet mask into the box.

Destination Addr: Specify the destination IP address of the traffic, including:


Address Entry - Select an address entry from the drop-down list.
IP Address - Type an IP address into the IP address box.
IP/Netmask - Type an IP address and subnet mask into the box.

Ingress: Specify the ingress traffic of the source NAT rule. The default ingress is all traffic.
All Traffic: Specify the ingress traffic of the source NAT rule is all traffic. The traffic from any interface will match
the source NAT rule.
Ingress Interface: Specify the ingress interface of traffic in the source NAT rule. Select an interface from the
drop-down list. Only the traffic flowing from the configured ingress interface will match the source NAT rule.

Egress: Specify the egress traffic, including:


All Traffic - Specify all traffic as the egress traffic.
Egress Interface - Specify the egress interface of traffic. Select an interface from the drop-down list.
Next Virtual Router - Specify the next Virtual Router of traffic. Select a Virtual Router from the drop-down list.

Service: Select the service you need from the Service drop-down list.

NAT Address: Specify the translated NAT IP address, including:


Egress - Specify the NAT IP address to be an egress interface IP address. If Sticky is enabled, all sessions from an IP address will be mapped to the same fixed IP address. Click the Enable checkbox behind Sticky to enable Sticky.
Specified IP - Specify the NAT IP address to be a specified IP address.
Select the Static radio button. Static mode means one-to-one translation. This mode requires the translated address entry to contain the same number of IP addresses as the source address entry.
Select the Dynamic IP radio button. Dynamic IP mode means multiple-to-one translation. This mode translates the source address to a specific IP address. Each source address will be mapped to a unique IP address, until all specified addresses are occupied.
Select the Dynamic Port radio button, namely PAT. Multiple source addresses will be translated to one specified IP address in an address entry. If Sticky is not enabled, the first address in the address entry will be used first; when the port resources of the first address are exhausted, the second address will be used. If Sticky is enabled, all sessions from an IP address will be mapped to the same fixed IP address. Click the Enable checkbox behind Sticky to enable Sticky. You can also track whether the public address after NAT is available, i.e., use the translated address as the source address to track whether the destination website or host is accessible. Select the Enable checkbox behind Track to enable the function, and select a track object from the drop-down list.
No NAT - Do not implement NAT.

Description: Specify the description of the SNAT rule.

In the Advanced tab, configure the following.

HA Group: Specify the HA group that the SNAT rule belongs to. The default setting is 0.

NAT Log: Select the Enable check box to enable the log function for this SNAT rule (generating log information
when there is traffic matching to this NAT rule).

Rule Position: Specify the position of the rule. Each SNAT rule has a unique ID. When traffic flows into the device, the device searches the SNAT rules in sequence and then implements NAT on the source IP of the traffic according to the first matched rule. The sequence of the IDs shown in the SNAT rule list is the order of rule matching. Select one of the following items from the drop-down list:
Bottom - The rule is located at the bottom of all the rules in the SNAT rule list. By default, the system will put
the newly-created SNAT rule at the bottom of all SNAT rules.
Top - The rule is located at the top of all the rules in the SNAT rule list.
Before ID - Type the ID number into the text box. The rule will be located before the ID you specified.
After ID - Type the ID number into the text box. The rule will be located after the ID you specified.

ID: Specify the method you get the rule ID. It can be automatically assigned by system or manually assigned by
yourself. If you click Manually assign ID, you should type an ID number into the box behind.

4. Click OK to save your settings. The new SNAT rule will be shown in the SNAT rules list.
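The NAT Address modes described in the Basic tab above (Egress, Static, Dynamic IP, Dynamic Port/PAT with and without Sticky, and No NAT), modelled as an added Python example that is not code from the HSM guide or the device. It assumes a small port budget per translated address so that exhaustion and fallback to the next address are visible; the port numbering, the choice of the first free address for a new sticky source, and the sample addresses are constructed for this example.

```python
PORT_BASE = 1024  # constructed: first translated port handed out per NAT address


class AddressExhausted(Exception):
    """No translated address or port is left in the NAT address entry."""


class SnatRule:
    """One SNAT rule. mode is one of 'no_nat', 'egress', 'static', 'dynamic_ip',
    'dynamic_port' (PAT). Sticky applies to 'dynamic_port' and 'egress'."""

    def __init__(self, mode, nat_addrs=(), src_addrs=(), egress_ip=None,
                 sticky=False, ports_per_addr=2):
        self.mode = mode
        self.nat_addrs = list(nat_addrs)
        self.sticky = sticky
        self.ports_per_addr = ports_per_addr
        if mode == "egress":
            self.nat_addrs = [egress_ip]      # translate to the egress interface IP
        if mode == "static" and len(self.nat_addrs) != len(src_addrs):
            # The guide: static (one-to-one) needs the translated entry to hold
            # as many addresses as the source entry.
            raise ValueError("static mode needs equally sized address entries")
        self.static = dict(zip(src_addrs, self.nat_addrs))
        self.fixed = {}                        # src_ip -> nat_ip (dynamic_ip, sticky PAT)
        self.ports_used = {ip: 0 for ip in self.nat_addrs}

    def _next_port(self, nat_ip):
        used = self.ports_used[nat_ip]
        if used >= self.ports_per_addr:
            return None
        self.ports_used[nat_ip] = used + 1
        return PORT_BASE + used

    def _addr_with_free_port(self):
        for ip in self.nat_addrs:              # first address first, then the next
            if self.ports_used[ip] < self.ports_per_addr:
                return ip
        raise AddressExhausted("all ports in the NAT address entry are in use")

    def translate(self, src_ip, src_port):
        """Return (translated_ip, translated_port) for a new session."""
        if self.mode == "no_nat":
            return (src_ip, src_port)
        if self.mode == "static":
            if src_ip not in self.static:
                raise ValueError("%s is outside the rule's source entry" % src_ip)
            return (self.static[src_ip], src_port)
        if self.mode == "dynamic_ip":
            # Each source keeps a unique NAT address until the entry is used up.
            if src_ip not in self.fixed:
                free = [ip for ip in self.nat_addrs if ip not in self.fixed.values()]
                if not free:
                    raise AddressExhausted("every NAT address is already mapped")
                self.fixed[src_ip] = free[0]
            return (self.fixed[src_ip], src_port)
        # dynamic_port / egress: PAT, many sources behind one address at a time
        if self.sticky:
            if src_ip not in self.fixed:
                self.fixed[src_ip] = self._addr_with_free_port()
            nat_ip = self.fixed[src_ip]
            port = self._next_port(nat_ip)
            if port is None:                   # sticky: no fallback to another address
                raise AddressExhausted("sticky address %s has no free port" % nat_ip)
        else:
            nat_ip = self._addr_with_free_port()
            port = self._next_port(nat_ip)
        return (nat_ip, port)


def run_sessions(rule, sessions):
    """Translate (src_ip, src_port) pairs in order; an exhausted pool is recorded
    as None so the caller can see where the rule stopped translating."""
    out = []
    for src_ip, src_port in sessions:
        try:
            out.append(rule.translate(src_ip, src_port))
        except AddressExhausted:
            out.append(None)
    return out


if __name__ == "__main__":
    pool = ["203.0.113.1", "203.0.113.2"]    # constructed public addresses (TEST-NET-3)
    flows = [("10.0.0.1", 40000), ("10.0.0.1", 40001),
             ("10.0.0.1", 40002), ("10.0.0.2", 40003)]
    print("PAT:       ", run_sessions(SnatRule("dynamic_port", pool), flows))
    print("PAT sticky:", run_sessions(SnatRule("dynamic_port", pool, sticky=True), flows))
```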

Editing/Deleting a SNAT Rule
To edit/delete a SNAT rule, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. In the left navigation pane, select the device type tab, then expand the Configure and NAT nodes and click Shared
or Private. Double-click the name of the SNAT whose rules you want to edit or delete. The main window shows the
SNAT rule list.

Introduction to Configuration Management 183


3. Select the SNAT rule you want to edit/delete from the SNAT rules list.

4. Click Edit/Delete from the toolbar.

Creating a DNAT
A DNAT is a collection of zero or more DNAT rules.
To create a DNAT on the HSM global configuration page, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. In the left navigation pane, select the device type tab, then expand the Configure and NAT nodes and select DNAT or Shared.

3. From the toolbar, click New. The Add Shared DNAT dialog appears.

In the Add Shared DNAT dialog, configure the following options.


DNAT Name: Specify the name of the DNAT.
Relevant Device: Specify the devices to associate with the DNAT. If you choose the VSYS devices of a device, the DNAT
is associated with those VSYS devices, not with the device itself. After configuring the DNAT, you have to deploy it to
the relevant devices for it to take effect there. For more detailed information about deploying configuration, see
Synchronizing Configuration.
Father NAT: Specify the father NAT of the DNAT. If specified, the DNAT inherits the rules of the father NAT.
Description: If necessary, type description information for the DNAT in this text box.

4. Click OK. The new DNAT will be shown in the DNAT list.

Editing/Deleting a DNAT
To edit/delete a DNAT, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. In the left navigation pane, select the device type tab, then expand the Configure and NAT nodes and select DNAT or
Shared. Select the DNAT you want to edit or delete from the DNAT list.

3. Click Edit/Delete from the toolbar.

Creating an IP Mapping Rule
To create an IP Mapping rule, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. Expand NAT in the configuration navigation pane, and then select DNAT or Shared. Double-click the name of the
DNAT in which you want to create rules. The main window shows the DNAT rule list.

3. From the toolbar of the DNAT rule list, click New > IP Mapping. The IP Mapping Configuration dialog appears.

In the IP Mapping Configuration dialog, configure the following options.

Virtual Router: Specify a Virtual Router for the DNAT rule.

HA Group: Specify the HA group that the DNAT rule belongs to. The default setting is 0.

Destination Addr: Specify the destination IP address of the traffic, including:


Address Entry - Select an address entry from the drop-down list.
IP Address - Type an IP address into the IP address box.
IP/Netmask - Type an IP address and subnet mask into the box.

Translated to : Specify translated IP address, including:


Address Entry - Select an address entry from the drop-down list.
IP Address - Type an IP address into the IP address box.
IP/Netmask - Type an IP address and subnet mask into the box.

Description: Specify the description of the DNAT rule.

4. Click OK to save your settings. The new DNAT rule will be shown in the DNAT rules list.

Creating a Port Mapping Rule
To create a Port Mapping rule, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. Expand NAT in the configuration navigation pane, and then select DNAT or Shared. Double-click the name of the
DNAT in which you want to create rules. The main window shows the DNAT rule list.

3. From the toolbar of the DNAT rule list, click New > Port Mapping. The Port Mapping Configuration dialog appears.

In the Port Mapping Configuration page, configure the DNAT options.

Virtual Router: Specify a Virtual Router for the DNAT rule.

HA Group: Specify the HA group that the DNAT rule belongs to. The default setting is 0.

Destination Addr: Specify the destination IP address of the traffic, including:


Address Entry - Select an address entry from the drop-down list.
IP Address - Type an IP address into the IP address box.
IP/Netmask - Type an IP address and subnet mask into the box.

Service: Select the service you need from the Service drop-down list.

Translated to: Specify translated IP address, including:


Address Entry - Select an address entry from the drop-down list.
IP Address - Type an IP address into the IP address box.
IP/Netmask - Type an IP address and subnet mask into the box.

Destination Port: Specify the translated port by typing the port number into the box.

Description: Specify the description of the DNAT rule.

4. Click OK to save your settings. The new DNAT rule will be shown in the DNAT rules list.

Creating an Advanced DNAT Rule
To create an Advanced DNAT rule, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. Expand NAT in the configuration navigation pane, and then select DNAT or Shared. Double-click the name of the
DNAT in which you want to create rules. The main window shows the DNAT rule list.

3. From the toolbar of the DNAT rule list, click New > Advanced. The DNAT Configuration dialog appears.

In the Basic tab in the DNAT Configuration dialog, configure the DNAT basic options.

Virtual Router: Specify a Virtual Router for the DNAT rule.

Source Addr: Specify the source IP address of the traffic, including:


Address Entry - Select an address entry from the drop-down list.
IP Address - Type an IP address into the IP address box.
IP/Netmask - Type an IP address and subnet mask into the box.

Destination Addr: Specify the destination IP address of the traffic, including:


Address Entry - Select an address entry from the drop-down list.
IP Address - Type an IP address into the IP address box.
IP/Netmask - Type an IP address and subnet mask into the box.

Service: Select the service you need from the Service drop-down list.

Action: Specify the action for the traffic you specified, including:
NAT - Implements NAT for the matching traffic.
Translated to: For the NAT option, specify the translated IP address. Select an address entry or an SLB server pool
from the Translated to drop-down list, or type an IP address, or an IP address and netmask, in the Translated to box.
NAT Port: Select the Enable check box and type the translated port number into the Port box. The range is 1 to
65535.
Load Balancing: Select the Enable check box to enable the function. Traffic is then balanced across the intranet
servers.
No NAT - Do not implement NAT for the matching traffic.

Description: Specify the description of the DNAT rule.

In the Advanced tab, configure the DNAT advanced options.

Ping Track: Select the Enable check box to enable Ping track: the system sends Ping packets to check whether the
intranet servers are reachable.

TCP Track: Select the Enable check box to enable TCP track: the system sends TCP packets to check whether the TCP
ports of the intranet servers are reachable.

TCP Port: Specify the port number. The value range is 1 to 65535.

NAT Log: Select the Enable check box to enable the log function for this DNAT rule (generating log information
when there is traffic matching to this NAT rule).

HA Group: Specify the HA group that the DNAT rule belongs to. The default setting is 0.

Rule Position: Specify the position of the rule. Each DNAT rule has a unique ID. When traffic enters the device, the
device searches the DNAT rules in sequence and translates the destination IP of the traffic according to the first
matched rule. The order of the IDs shown in the DNAT rule list is the matching order. Select one of the following
items from the drop-down list:
Bottom - The rule is located at the bottom of all the rules in the DNAT rule list. By default, the system will put
the newly-created DNAT rule at the bottom of all DNAT rules.
Top - The rule is located at the top of all the rules in the DNAT rule list.
Before ID - Type the ID number into the box. The rule will be located before the ID you specified.
After ID - Type the ID number into the box. The rule will be located after the ID you specified.

ID: Specify how the rule ID is assigned: automatically by the system, or manually by you. If you click Manually Assign
ID, type an ID number into the box behind it.

4. Click OK to save your settings. The new DNAT rule will be shown in the DNAT rules list.

Editing NAT
To edit a shared or private NAT, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. Expand NAT in the configuration navigation pane, and then select Shared or Private. Select the NAT you want to
edit from the NAT list.

3. Click Edit from the toolbar.


The NAT name cannot be modified, nor can the relevant device of a private NAT.

Setting Father NAT
A private NAT or a shared NAT can inherit the rules of another shared NAT. The NAT that is inherited is the father NAT,
and its rules take precedence over those of the child NAT. Through these inheritance relationships, one set of rules can
be applied to one or more devices, and the rules applied in this way take precedence over the rules that already exist on
the device.
Where there is a multi-level inheritance relationship, the rules of the top-level father NAT are shown at the top of the
NAT rule list, followed by the rules of each lower-level father NAT in turn, with the NAT's own rules shown last. Inherited
NAT rules are marked orange by default and cannot be edited or moved. You can change the color used to mark a NAT in
order to distinguish its inherited rules; see Viewing Relationship.
To set a father NAT for private NAT or shared NAT, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. Select NAT from the configuration navigation pane, and then select Shared or Private. Select the NAT for which you
want to set a father NAT from the NAT list.
When SNAT or DNAT is selected, the main window shows the private NATs of the devices that the current administrator
can access together with all shared NATs; when Shared is selected, it shows all shared NATs; when Private is selected,
it shows all private NATs of the devices that the current administrator can access. The Father NAT column displays the
direct father NAT, and the Child NAT column displays all direct and indirect child NATs.

3. Click Set Father NAT from the toolbar. The Set Father NAT dialog appears. Select the shared NAT to use as the
father NAT according to your requirements.

Note: Only shared NAT can be inherited.
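The rule position options and the father NAT ordering described above can be checked against a small model. The following Python is an added example, not HSM or StoneOS code: it keeps an ordered rule list per NAT, implements the Top, Bottom, Before ID and After ID positions and the automatic or manual rule ID, lists inherited father NAT rules ahead of the NAT's own rules, and performs first-match lookup. The rule fields, the matching on source, destination and service name, and the sample NATs are assumptions constructed for the example. It shows the point that matters when you set a father NAT: a rule placed at Top in a child NAT still sits below every inherited rule, so the father's No NAT rule decides traffic that the child meant to translate.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


@dataclass
class NatRule:
    rule_id: Optional[int]          # None = let the NAT assign the next ID (assumed)
    src: str                        # "any" or IP/netmask
    dst: str
    service: str                    # "any" or a service name
    action: str                     # "NAT" or "No NAT"
    translated_to: Optional[str] = None
    inherited_from: Optional[str] = None   # set on rules that come from a father NAT

    @staticmethod
    def _in(ip, spec):
        return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

    def matches(self, src_ip, dst_ip, service):
        return (self._in(src_ip, self.src) and self._in(dst_ip, self.dst)
                and self.service in ("any", service))


class Nat:
    """A shared or private NAT: an ordered rule list plus an optional father NAT."""

    def __init__(self, name, father=None):
        self.name = name
        self.father = father
        self.rules = []
        self._next_id = 1

    def add_rule(self, rule, position="bottom", ref_id=None):
        """position is Bottom (default), Top, Before ID or After ID, as in the dialog."""
        if rule.rule_id is None:
            rule.rule_id = self._next_id
        if any(r.rule_id == rule.rule_id for r in self.rules):
            raise ValueError(f"{self.name}: rule ID {rule.rule_id} already in use")
        self._next_id = max(self._next_id, rule.rule_id + 1)
        if position == "top":
            self.rules.insert(0, rule)
        elif position in ("before", "after"):
            idx = next(i for i, r in enumerate(self.rules) if r.rule_id == ref_id)
            self.rules.insert(idx + (1 if position == "after" else 0), rule)
        else:
            self.rules.append(rule)
        return rule.rule_id

    def effective_rules(self):
        """Top-level father rules first, each inherited level in turn, own rules last."""
        inherited = []
        if self.father is not None:
            for r in self.father.effective_rules():
                inherited.append(replace(r, inherited_from=r.inherited_from or self.father.name))
        return inherited + list(self.rules)

    def lookup(self, src_ip, dst_ip, service):
        """First match wins, searched in the order effective_rules() lists them."""
        for r in self.effective_rules():
            if r.matches(src_ip, dst_ip, service):
                return r
        return None


def build_demo():
    """Constructed sample: a shared father NAT and a private NAT that inherits it."""
    shared = Nat("corp-shared")
    shared.add_rule(NatRule(None, "any", "10.10.0.0/16", "any", "No NAT"))            # ID 1
    branch = Nat("branch-private", father=shared)
    branch.add_rule(NatRule(None, "192.168.1.0/24", "any", "HTTP", "NAT", "203.0.113.10"))  # ID 1
    branch.add_rule(NatRule(None, "any", "any", "any", "NAT", "203.0.113.11"))               # ID 2
    branch.add_rule(NatRule(5, "192.168.1.0/24", "10.10.5.0/24", "any", "NAT", "203.0.113.12"),
                    position="top")                                                          # manual ID 5, Top
    branch.add_rule(NatRule(None, "192.168.2.0/24", "any", "any", "No NAT"),
                    position="before", ref_id=2)                                             # ID 6, Before ID 2
    return shared, branch


if __name__ == "__main__":
    _, branch = build_demo()
    for r in branch.effective_rules():
        print(r.rule_id, r.inherited_from or "own", r.src, "->", r.dst, r.service, r.action)
    hit = branch.lookup("192.168.1.5", "10.10.5.7", "HTTP")
    print("192.168.1.5 -> 10.10.5.7 is decided by", hit.inherited_from or branch.name, "rule", hit.rule_id)
```

Running the block prints the effective list of the branch NAT (the inherited corp-shared rule first, then its own rules in the order 5, 1, 6, 2) and shows that traffic from 192.168.1.5 to 10.10.5.7 is decided by the inherited No NAT rule even though the branch administrator placed rule 5 at Top.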

Viewing Relationship
To help you understand the relationships between all NATs more intuitively, HSM lets you view and edit a NAT topology
map.

Viewing Topology Map

To view the topology map of the NAT inheritance relationship, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. Select NAT from the configuration navigation pane, and then select SNAT or DNAT.

3. Click Relationship View at the top right corner of the main window.
The topology map shows the inheritance relationships of the private NATs of the devices that the current administrator
can access and of all shared NATs. Click Grid View to switch back to the original view.

Private NATs and shared NATs are shown with different icons. Private NATs are folded by default, while shared NATs are
expanded; NATs with no inheritance relationship are displayed at the first level. The hidden private NAT list is shown
when the mouse hovers over the private NAT icon. To expand a private NAT node, click the input box at the top right of
the view, which lists all NATs, then select the check box in front of the private NAT you need to expand and click the
blank space.

Editing Topology Map

You can change the inheritance relationships of NATs by editing the topology map. The operations include:

Right-click on the blank space or on a shared NAT icon and select New from the pop-up menu to create a new shared NAT.

Right-click on a private or shared NAT icon and select Edit from the pop-up menu to edit the NAT.

Right-click on a shared NAT icon and select Delete from the pop-up menu to delete the NAT.

Right-click on a private or shared NAT icon and select Cut from the pop-up menu. If you then select Paste on a shared
NAT icon, the pasted NAT inherits that shared NAT; if you select Paste on the blank space, the pasted NAT inherits no
NAT.

Right-click on a shared NAT icon and select Mark from the pop-up menu to choose a color for the NAT; the NAT name is
then shown in that color.

Viewing Operation Record
To view operation record of NAT rule, take the following steps:

1. Click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration
page.

2. Select NAT from the configuration navigation pane, and then select Shared or Private.

3. Click the icon in the Operation Record column. The operation record dialog for the NAT appears.
You can view the detailed operation record of the rules, including add, edit, delete, set father NAT, and so on.

Route

Creating a Destination Route
A destination route is a collection of zero or more route items.
To create a destination route on the HSM global configuration page, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. In the left navigation pane, select the device type tab, then expand the Configure and Route nodes.

3. From the toolbar, click New. The Add DRouter dialog appears.

In the Add DRouter dialog, configure the DRouter options.


DRouter Name: Specify the name of the destination route.
Relevant Device: Specify the relevant devices or VSYS devices for the destination route. When deploying, the destination
route will be deployed to the relevant devices or VSYS devices. For more detailed information about deploying con-
figuration, see Synchronizing Configuration.
Description: If necessary, type description information for the destination route in this text box.

4. Click OK. The new destination route will be shown in the destination route list.

Editing/Deleting a Destination Route
To edit/delete a Destination Route on the HSM global configuration page, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. Expand Route in the configuration navigation pane. Select the destination route you want to edit or delete from the
destination route list.

3. Click Edit/Delete from the toolbar.

Creating a Route Item
To create a Route Item on the HSM global configuration page, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. Select Route from the configuration navigation pane. Double-click the name of the destination route in which you
want to create a route item. The main window shows the route item list.

3. From the toolbar of the route item list, click New. The Destination Route Configuration dialog appears.

In the Destination Route Configuration dialog, configure the destination route options.
Destination: Specify the destination IP address of the route item.
Subnet Mask: Specify the subnet mask corresponding to the destination IP address.
Next Hop: Click the Gateway, Interface or Virtual Router radio button. If Gateway is selected, type the IP address into
the Gateway box below. If Interface is selected, select a name from the Interface drop-down list below. If Virtual
Router is selected, select a virtual router in the current VSYS from the Virtual Router drop-down list below.
Schedule: Specify the schedule during which the route item takes effect. Select the desired schedule from the Schedule
drop-down list. After selecting the desired schedules, click the blank area of the dialog to complete the schedule con-
figuration.
Precedence: Specify the precedence of the route. The smaller the value, the higher the precedence. If multiple routes to
the destination are available, the route with the higher precedence is used. The value range is 1 to 255. The default
value is 1. When the value is set to 255, the route is invalid and is not used.
Weight: Specify the weight of the route. This parameter determines the share of traffic forwarded over this route when
traffic is load-balanced across multiple routes. The value range is 1 to 255. The default value is 1.
Description: If necessary, type description information for the route item in this text box.

4. Click OK to save your settings. The new route item will be shown in the route items list.
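The precedence and weight semantics of a route item can be worked through in code. The following Python is an added example, not HSM or StoneOS code: a route item carries the destination, subnet mask, next hop, precedence and weight with the value ranges the dialog enforces, a route with precedence 255 is never used, the lowest precedence value wins among the routes that match, and equal routes share traffic in proportion to their weights. That the longest prefix is compared before precedence (as on any IP router) and that the load balancing picks a route by hashing the flow are assumptions of this example, not behaviour the guide documents; the route table and the flows are constructed.

```python
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RouteItem:
    destination: str       # destination IP, as typed in the dialog
    subnet_mask: str       # dotted subnet mask, as typed in the dialog
    next_hop: str          # gateway IP, interface name or virtual router name
    precedence: int = 1    # 1..255, smaller wins; 255 makes the route invalid
    weight: int = 1        # 1..255, share of load-balanced traffic

    def __post_init__(self):
        if not 1 <= self.precedence <= 255:
            raise ValueError("precedence must be in 1..255")
        if not 1 <= self.weight <= 255:
            raise ValueError("weight must be in 1..255")

    @property
    def network(self):
        return ipaddress.ip_network(f"{self.destination}/{self.subnet_mask}", strict=False)


def candidate_routes(table, dst_ip):
    """Usable routes for dst_ip, narrowed to the longest prefix (assumed) and then the best precedence."""
    ip = ipaddress.ip_address(dst_ip)
    usable = [r for r in table if r.precedence < 255 and ip in r.network]
    if not usable:
        return []
    longest = max(r.network.prefixlen for r in usable)
    usable = [r for r in usable if r.network.prefixlen == longest]
    best = min(r.precedence for r in usable)
    return [r for r in usable if r.precedence == best]


def select_route(table, src_ip, dst_ip):
    """Pick the route for one flow; equal routes share traffic in proportion to weight (flow hash assumed)."""
    cands = candidate_routes(table, dst_ip)
    if not cands:
        return None
    total = sum(r.weight for r in cands)
    digest = hashlib.sha256(f"{src_ip}>{dst_ip}".encode()).digest()
    point = int.from_bytes(digest[:4], "big") % total    # position in [0, total)
    for r in cands:
        if point < r.weight:
            return r
        point -= r.weight
    return cands[-1]   # unreachable: point is always below total


def traffic_share(table, dst_ip, flows=1000):
    """Count how many constructed flows (distinct sources) to dst_ip land on each next hop."""
    counts = {}
    for i in range(flows):
        r = select_route(table, f"10.200.{i // 256}.{i % 256}", dst_ip)
        key = r.next_hop if r else None
        counts[key] = counts.get(key, 0) + 1
    return counts


def build_demo():
    """Constructed route table; note the backup route with precedence 255, which is never used."""
    return [
        RouteItem("0.0.0.0", "0.0.0.0", "203.0.113.1"),
        RouteItem("10.10.0.0", "255.255.0.0", "vr-trust"),
        RouteItem("10.10.5.0", "255.255.255.0", "10.10.5.254", precedence=10),
        RouteItem("10.10.5.0", "255.255.255.0", "10.10.5.253", precedence=255),   # invalid
        RouteItem("172.16.0.0", "255.240.0.0", "isp-a", weight=3),
        RouteItem("172.16.0.0", "255.240.0.0", "isp-b", weight=1),
    ]


if __name__ == "__main__":
    table = build_demo()
    for dst in ("10.10.5.9", "10.10.9.9", "198.51.100.7"):
        print(dst, "->", select_route(table, "192.0.2.1", dst).next_hop)
    print("172.16.0.0/12 traffic split:", traffic_share(table, "172.20.1.1"))
```

The split for 172.16.0.0/12 comes out close to 3:1 between isp-a and isp-b, and the precedence-255 route to 10.10.5.0/24 never appears in the candidates, which is the behaviour to expect from a route entered with that value.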

Editing/Deleting a Route Item
To edit/delete a Route Item on the HSM global configuration page, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. Select Route from the configuration navigation pane. Double-click the name of the destination route whose route
items you want to edit or delete. The main window shows the route item list.

3. Select the route item you want to edit/delete from the route items list.

4. Click Edit/Delete from the toolbar.

Configuration Bundle


A security policy, NAT, and route can be joined in a configuration bundle. When the configuration bundle is deployed to
a device, the security policy, NAT, and route in the bundle are deployed at the same time. A configuration bundle can be
deployed to one or more devices.

Creating a Configuration Bundle
To create a configuration bundle on the HSM global configuration page, use either of the following two methods:

Method 1:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. In the left navigation pane, select the device type tab, then expand the Configuration Bundle node.

3. From the toolbar, click New. The Create Configuration Bundle dialog appears.

In the Create Configuration Bundle dialog, configure the configuration bundle options.
Name : Specify the name of configuration bundle.
Relevant Device: Specify the relevant devices or VSYS devices for the configuration bundle. When deploying, the con-
figuration bundle will be deployed to the relevant devices or VSYS devices. For more detailed information about
deploying configuration, see Synchronizing Configuration.
Description: If necessary, type description information for the configuration bundle in this text box.

4. Click OK. The new configuration bundle will be shown in the configuration bundle table.

5. Click the name of configuration bundle, you can check the content in the configuration bundle.

Method 2:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. In the configuration navigation pane, select the configuration to be added to the configuration bundle (a security
policy, NAT, or route), right-click it, and click Create Configuration Bundle.

3. The Create Configuration Bundle dialog appears. Configure the configuration bundle options as below.


Name : Specify the name of configuration bundle.
Relevant Device: Specify the relevant devices or VSYS devices for the configuration bundle. When deploying, the con-
figuration bundle will be deployed to the relevant devices or VSYS devices. For more detailed information about
deploying configuration, see Synchronizing Configuration.
Description: If necessary, type description information for the configuration bundle in this text box.

4. Click OK. The new configuration bundle will be shown in the configuration bundle table.

5. Click the name of configuration bundle, you can check the content in the configuration bundle.

Joining a Configuration Bundle
You can add the configurations to the configuration bundle according to your requirements. Take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. In the configuration navigation pane, select the configuration to be added to the configuration bundle (a security
policy, NAT, or route), right-click it, and click Add to Configuration Bundle.

3. The Add to Configuration Bundle dialog appears.

4. Select a configuration bundle from the drop-down list, then click OK. The configuration is joined to the con-
figuration bundle you selected.

Copying a Configuration Bundle
To copy a configuration bundle, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. Select Configuration Bundle from the configuration navigation pane, and then select the configuration bundle you
want to copy from the configuration bundle table.

3. Click Copy from the toolbar. The copied configuration bundle is shown in the configuration bundle table below. The
system names the copy automatically; for example, a copy of the configuration bundle "test" is named "CopyOftest".

Global Object
The global objects created on the global configuration page are all shared objects and can be used by all devices. On the
global configuration page, you can create, edit, and delete the following global objects: zone, address entry, service,
service group, application group, schedule, virtual router, interface, SLB server pool, IPS rule, anti-virus rule, threat
protection, URL filter, user, role, and AAA server. After configuring a global object, you have to deploy it to the security
device for it to take effect there. For more detailed information about deploying configuration, see Synchronizing Con-
figuration.

Note:
If you choose the VSYS devices of a device as the relevant device, the shared object is associated with those VSYS
devices, not with the device itself.

A function can be configured in HSM only after the license for it has been installed.

Object names of different device types can be the same.

Zone

Creating a Shared Zone


Zones can be created on HSM, but they cannot be deployed to devices. A deployed policy that refers to a zone that does
not exist on the device cannot be applied correctly, so you must create zones with the same names on the devices before
deploying.
To create a shared zone, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. In the left navigation pane, select the device type tab, then expand the Configure and Objects nodes and select Zone.
The main window shows the zone list.

3. From the toolbar, click New. The Share Zone dialog appears.

Name: Specify the name of the shared zone.
Matched Pattern: Specify the private zone that is mapped to the shared zone.
Description: If necessary, type description information for the shared zone in this text box.
Zone Device Override: If the name of a private zone differs from that of the shared zone, you can map one private zone
on a security device to the shared zone according to your requirements. Click New. The Zone Device Override dialog
appears. Select the device from the Device drop-down list, and select the private zone to map from the Zone drop-
down list.

4. Click OK. The new shared zone will be shown in the zone entry list.

Address Books

Creating a Shared Address Entry


To create a shared address entry, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. In the left navigation pane, select the device type tab, then expand the Configure and Objects nodes and select
Address Books. The main window shows the address entry list.

3. From the toolbar, click New. The Share Address dialog appears.

4. In the Share Address dialog, configure the following options.


Name: Type the name of the address entry in the Name text box.
Description: If necessary, give a description of the address entry in the Description text box.
Member: In the Member tab, select the member type from the drop-down list, and then type the IP address/netmask,
IP range or hostname in the text box, or choose another address entry. Click Add to add the member to the member
list. Repeat this step to add multiple members. Click Delete to delete the selected member.
Exclude Member: Specify the exclude members. In the Exclude Member tab, select the exclude member type from the
drop-down list, and then type the IP address/netmask or IP range in the text box. Click Add to add the exclude member
to the exclude member list. Repeat this step to add multiple exclude members. Click Delete to delete the selected
exclude member. An address that falls in an exclude member is not part of the address entry even if it also falls in a
member.

5. Click OK to save the changes and close the dialog.


After you select an address book, click Object Copy in the toolbar, and then rename the address book to create a
new shared address book. Shared address books can be copied between different device types, except that an address
book that includes a country address member cannot be copied from an NGFW to an IPS device.

Service Book

Creating a Shared Service Group


To create a shared service group on HSM, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. In the left navigation pane, select the device type tab, then expand the Configure and Objects nodes and select
Service Book > User-defined Service Group. The main window shows the user-defined service group list.

3. From the toolbar, click New. The Shared Service Group dialog appears.

4. In the Shared Service Group dialog, configure the following options.


Name: The name of the shared service group.
Description: Give a description of the shared service group. It is optional.
Member: Select the service or service group from the left list, and click the right-arrow button to add it. To remove a
selected service, select it in the right list, and then click the left-arrow button.
Relevant Device: Specify the devices to associate with the shared service group. If you choose the VSYS devices of a
device, the shared service group is associated with those VSYS devices, not with the device itself. After configuring the
shared service group, you have to deploy it to the relevant devices for it to take effect there. For more detailed
information about deploying configuration, see Synchronizing Configuration.

5. Click OK to save the changes and close the dialog. The new shared service group will be shown in the service group
list.

Creating a Shared Service


To create a shared service on HSM, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. In the left navigation pane, select the device type tab, then expand the Configure and Objects nodes and select
Service Book > User-defined Service. The main window shows the user-defined service list.

3. Click New from the toolbar. The Shared Service dialog appears.

4. In the Shared Service dialog, configure the following options.


Name: The name of the shared service.
Description: Give a description of the shared service. It is optional.
Member: Specify the protocol type of the member, which can be TCP, UDP, ICMP or Others. The parameters of each
protocol are described below:

TCP/UDP

Dst Port: Specify the destination port range of the member. The value range is 1 to 65535.
Src Port: Specify the source port range of the member. The value range is 1 to 65535.
Application Type: Specify the application type of the member.
Timeout: Specify the timeout value of the member, in seconds or days. The default value is 1800 seconds.
ICMP

Type: Specify the ICMP type value of the member. It can be one of the following: 3 (Destination Unreachable), 4
(Source Quench), 5 (Redirect), 8 (Echo), 11 (Time Exceeded), 12 (Parameter Problem), 13 (Timestamp), and 15 (Inform-
ation).
Min Code: Specify the minimum ICMP code value of the member. The value range is 0 to 5.
Max Code: Specify the maximum ICMP code value of the member. The value range is 0 to 5.
Timeout: Specify the timeout value of the member, in seconds. The value range is 1 to 65535. The default value is 6
seconds.
Others

Protocol No.: Specify the protocol number of the member. The value range is 1 to 255.
Timeout: Specify the timeout value of the member, in seconds or days. The default timeout value is 60 seconds.

After specifying the parameter values, click Add to add the member to the service. Repeat the above steps to add
multiple members. Click Delete to delete the selected member.
Relevant Device: Specify the devices to associate with the user-defined service. If you choose the VSYS devices of a
device, the user-defined service is associated with those VSYS devices, not with the device itself. After configuring the
user-defined service, you have to deploy it to the relevant devices for it to take effect there. For more detailed
information about deploying configuration, see Synchronizing Configuration.

5. Click OK to save the changes and close the dialog.
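The member and exclude-member semantics of a shared address entry (Address Books above) and the protocol fields and value ranges of a shared service can be expressed as a small matcher. The following Python is an added example, not HSM or StoneOS code: AddressEntry accepts IP/netmask, IP range and nested address entry members (hostname members are left out because they need DNS), and an address matches only if it falls in a member and in no exclude member; ServiceMember enforces the port, ICMP type and code, and protocol number ranges listed above, fills in the default timeouts, and matches a packet. The packet dictionary format and all sample objects and packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ICMP_TYPES = {3, 4, 5, 8, 11, 12, 13, 15}   # the types the Shared Service dialog offers


class AddressEntry:
    """A shared address entry: an IP matches if it falls in at least one member and in no
    exclude member. Members may be IP/netmask, an IP range "a-b" or another AddressEntry."""

    def __init__(self, name, members, exclude=()):
        self.name = name
        self.members = [self._parse(m) for m in members]
        self.exclude = [self._parse(m) for m in exclude]   # IP/netmask or IP range only

    @staticmethod
    def _parse(spec):
        if isinstance(spec, AddressEntry):
            return spec
        if "-" in spec:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad IP range {spec}")
            return (lo, hi)
        return ipaddress.ip_network(spec, strict=False)

    @staticmethod
    def _hit(member, ip):
        if isinstance(member, AddressEntry):
            return member.contains(ip)
        if isinstance(member, tuple):
            return member[0] <= ip <= member[1]
        return ip in member

    def contains(self, ip):
        ip = ipaddress.ip_address(ip)
        return (any(self._hit(m, ip) for m in self.members)
                and not any(self._hit(x, ip) for x in self.exclude))


@dataclass
class ServiceMember:
    """One member of a user-defined service, with the value ranges the dialog enforces."""
    protocol: str                           # "tcp", "udp", "icmp" or "other"
    dst_ports: tuple = (1, 65535)           # TCP/UDP destination port range
    src_ports: tuple = (1, 65535)           # TCP/UDP source port range
    icmp_type: Optional[int] = None         # ICMP type
    icmp_codes: tuple = (0, 5)              # ICMP (min code, max code)
    protocol_no: Optional[int] = None       # Others: IP protocol number
    timeout: Optional[int] = None           # seconds; None = the dialog's default

    def __post_init__(self):
        if self.protocol in ("tcp", "udp"):
            for lo, hi in (self.dst_ports, self.src_ports):
                if not 1 <= lo <= hi <= 65535:
                    raise ValueError(f"port range {lo}-{hi} outside 1..65535")
            self.timeout = 1800 if self.timeout is None else self.timeout
        elif self.protocol == "icmp":
            if self.icmp_type not in ICMP_TYPES:
                raise ValueError(f"ICMP type {self.icmp_type} is not selectable")
            lo, hi = self.icmp_codes
            if not 0 <= lo <= hi <= 5:
                raise ValueError("ICMP code range must lie within 0..5")
            self.timeout = 6 if self.timeout is None else self.timeout
            if not 1 <= self.timeout <= 65535:
                raise ValueError("ICMP timeout must be in 1..65535")
        elif self.protocol == "other":
            if self.protocol_no is None or not 1 <= self.protocol_no <= 255:
                raise ValueError("protocol number must be in 1..255")
            self.timeout = 60 if self.timeout is None else self.timeout
        else:
            raise ValueError(f"unknown protocol {self.protocol}")

    def matches(self, pkt):
        """pkt (constructed format): {"proto": "tcp"|"udp", "sport", "dport"},
        {"proto": "icmp", "type", "code"} or {"proto": <IP protocol number>}."""
        if self.protocol in ("tcp", "udp"):
            return (pkt.get("proto") == self.protocol
                    and self.src_ports[0] <= pkt["sport"] <= self.src_ports[1]
                    and self.dst_ports[0] <= pkt["dport"] <= self.dst_ports[1])
        if self.protocol == "icmp":
            return (pkt.get("proto") == "icmp" and pkt["type"] == self.icmp_type
                    and self.icmp_codes[0] <= pkt["code"] <= self.icmp_codes[1])
        return pkt.get("proto") == self.protocol_no


class Service:
    """A user-defined service: a packet matches if any member matches."""

    def __init__(self, name, members):
        self.name = name
        self.members = list(members)

    def matches(self, pkt):
        return any(m.matches(pkt) for m in self.members)


def rejected(build):
    """True if the dialog-style checks reject the member that build() tries to create."""
    try:
        build()
    except ValueError:
        return True
    return False
```

A nested entry inherits the exclusions of the entries it contains, so an address excluded from a member entry stays excluded from the enclosing entry; this is the behaviour to rely on when a broad "all servers" entry is built from narrower ones.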


After you select a service book, click Object Copy in the toolbar, and then rename the service book to create a new
shared service book. Shared service books can be copied between different device types.

Application Books

Creating a Shared Application Group


To create a shared application group on HSM, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. In the left navigation pane, select the device type tab, then expand the Configure and Objects nodes and select Application > User-defined Application Group. The main window shows the user-defined application group list.

3. Click New from the toolbar. The Shared APP Group dialog appears.

4. In the Shared APP Group dialog, configure the following options.


Name: Specify the name of the shared application group.
Description: Give a description of the shared application group. It is optional.
Member: Specify members for the shared application group. Select the wanted applications from the left list and click the right-arrow button to add them to the shared application group. To remove an application, select it in the right list and click the left-arrow button.
Relevant Device: Specify the devices to associate with the shared application group. If you choose the VSYS devices of a device, the shared application group is associated with those VSYS devices, not with the device itself. After configuring the shared application group, you must deploy it to the relevant devices for it to take effect. For more information about deploying configuration, see Synchronizing Configuration.



5. Click OK to save the changes and close the dialog.
After you select an application book, click Object Copy in the toolbar, and then rename the application book to create a new shared application book. Shared application books can be copied between different device types.

Schedules

Creating a Shared Schedule


To create a shared schedule on HSM, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. In the left navigation pane, select the device type tab, then expand the Configure and Objects nodes and select Schedules. The main window shows the schedule list.

3. Click New from the toolbar. The Shared Schedule dialog appears.

4. Enter the name in the Name text box.

5. In the Absolute Schedule section, specify the start time and end time in which the periodic schedule will take effect.

6. Click New, and configure a periodic schedule in the dialog as below. The periodic schedule will take effect repeatedly
during the time range specified by the absolute schedule.

The options are described as below:


Daily: The periodic schedule takes effect every day. Click the button and specify the start time and end time.
Days: The periodic schedule takes effect on the specified days of the week. Click the button, select the days in the Periodic Schedule section, and specify the start time and end time.
Due: The periodic schedule takes effect during one continuous period within a week. Click the button and specify the start date/time and end date/time.

Click Preview to preview the periodic schedule; click Save to add the periodic schedule to the schedule. To delete a periodic schedule, select it in the schedule list and then click Delete.

7. Repeat Step 6 to add more periodic schedules.

8. Click OK to save the changes and close the dialog.


After you select a schedule, click Object Copy in the toolbar, and then rename the schedule to create a new shared schedule. Shared schedules can be copied between different device types.
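The steps above describe how a schedule is evaluated: the absolute schedule bounds the period, and each periodic schedule (Daily, Days, Due) repeats inside that period. The following is an added example, not HSM code, that implements those semantics so that a policy's effective time can be checked offline. The class names, the Monday=0 weekday numbering and the treatment of a Due span that wraps past Sunday midnight are assumptions; the schedule in demo() is constructed.

```python
# Added example (not Hillstone code): evaluate whether a shared schedule is in
# effect at a given moment. Absolute window bounds everything; periodic entries
# repeat inside it. Weekday numbering (Monday=0) and Due wrap-around are assumptions.
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Set, Union


@dataclass(frozen=True)
class Absolute:
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Daily:
    start: time
    end: time


@dataclass(frozen=True)
class Days:
    days: Set[int]          # weekday numbers, Monday=0 ... Sunday=6
    start: time
    end: time


@dataclass(frozen=True)
class Due:
    start_day: int          # one continuous span from start_day/start to end_day/end
    start: time
    end_day: int
    end: time


Periodic = Union[Daily, Days, Due]
MINUTES_PER_DAY = 24 * 60


def _minute_of_week(day: int, t: time) -> int:
    return day * MINUTES_PER_DAY + t.hour * 60 + t.minute


def periodic_matches(p: Periodic, when: datetime) -> bool:
    """True if the periodic schedule covers the given moment (inclusive ends)."""
    day, t = when.weekday(), when.time()
    if isinstance(p, Daily):
        return p.start <= t <= p.end
    if isinstance(p, Days):
        return day in p.days and p.start <= t <= p.end
    if isinstance(p, Due):
        lo = _minute_of_week(p.start_day, p.start)
        hi = _minute_of_week(p.end_day, p.end)
        cur = _minute_of_week(day, t)
        if lo <= hi:
            return lo <= cur <= hi
        return cur >= lo or cur <= hi      # assumption: the span wraps past Sunday
    raise TypeError(f"unsupported periodic schedule: {p!r}")


def schedule_in_effect(absolute: Optional[Absolute], periodics: List[Periodic],
                       when: datetime) -> bool:
    """Inside the absolute window, any matching periodic entry makes the schedule
    effective; with no periodic entries the absolute window alone decides."""
    if absolute is not None and not (absolute.start <= when <= absolute.end):
        return False
    if not periodics:
        return True
    return any(periodic_matches(p, when) for p in periodics)


def demo() -> List[bool]:
    """Constructed schedule: January 2024 only, weekday office hours, plus a
    Friday-evening-to-Monday-morning maintenance window."""
    window = Absolute(datetime(2024, 1, 1), datetime(2024, 1, 31, 23, 59))
    office = Days({0, 1, 2, 3, 4}, time(9, 0), time(18, 0))
    weekend = Due(4, time(18, 0), 0, time(8, 0))
    return [
        schedule_in_effect(window, [office], datetime(2024, 1, 10, 10, 0)),   # Wed 10:00
        schedule_in_effect(window, [office], datetime(2024, 1, 13, 10, 0)),   # Sat 10:00
        schedule_in_effect(window, [office], datetime(2024, 2, 1, 10, 0)),    # outside window
        schedule_in_effect(window, [weekend], datetime(2024, 1, 7, 3, 0)),    # Sun 03:00
        schedule_in_effect(window, [weekend], datetime(2024, 1, 9, 3, 0)),    # Tue 03:00
    ]


if __name__ == "__main__":
    print(demo())
```

Checking a policy's schedule this way before deployment catches the common mistake of a periodic entry that never overlaps its absolute window, which on the device simply means the policy never matches.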

Virtual Router

Creating a Shared Virtual Router


A virtual router works like a physical router: each virtual router has its own independent routing table.

The system has a default virtual router called "trust-vr". By default, all Layer 3 security zones are bound to trust-vr automatically. Both NAT and routes are configured on a virtual router. To establish the mapping between a shared virtual router and the virtual router on a device, the two must have the same name.
To create a Shared Virtual Router on the HSM global configuration page, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. In the left navigation pane, select the device type tab, then expand the Configure and Objects nodes and select Virtual Router.

3. From the toolbar, click New. The Share Virtual Router page appears.

Name: Specify the name of the shared virtual router.
Matched Pattern: Specify the private virtual router that establishes the mapping with the shared virtual router.
Description: If necessary, type a description for the shared virtual router in this text box.
Virtual Router Device Override: If the name of the private virtual router differs from that of the shared virtual router, you can map one private virtual router on a device to the shared virtual router as required. Click New; the Virtual Router Device Override page appears. Select the device from the Device drop-down list, and select the private virtual router from the Virtual Router drop-down list.

4. Click OK. The new shared virtual router will be shown in the virtual router list.

Note: Only shared virtual router can be created.

Interface

Creating a Shared Interface


After creating a shared interface, you can map it to an interface on one or more devices. To establish the mapping between the shared interface and the interface on a device, the interface names must be the same.
To create a shared interface on the HSM global configuration page, take the following steps:



1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. In the left navigation pane, select the device type tab, then expand the Configure and Objects nodes and select Interface.

3. From the toolbar, click New. The Share Interface page appears.

Name: Specify the name of the shared interface.
Matched Pattern: Specify the interface that establishes the mapping with the shared interface.
Description: If necessary, type a description for the shared interface in this text box.
Interface Device Override: If the name of the interface on the device differs from that of the shared interface, you can map one interface on a device to the shared interface as required. Click New; the Interface Device Override page appears. Select the device from the Device drop-down list, and select the interface from the Interface drop-down list.

4. Click OK. The new shared interface will be shown in the interface list.

Note: Only shared interface can be created.

SLB Server Pool

Creating a shared SLB Server Pool


To create a shared SLB server pool on HSM, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. In the left navigation pane, expand Configure and Objects nodes in NGFW tab, then select SLB Server Pool. The
main window shows the user-defined SLB server pool information.

3. Click New from the toolbar. The SLB Server Pool Configuration dialog appears.

4. In the SLB Server Pool Configuration dialog, configure the following options.


Name: Specify the name of the SLB server pool. You can enter up to 31 characters.
Algorithm: Select the load balancing algorithm:
Weighted Hash - Assign requests to SLB server pool members according to a hash algorithm.
Weighted Least Connection - Assign requests to the member that currently has the fewest connections in the SLB server pool.
Weighted Round Robin - Assign requests according to the weight value of each SLB server pool member.
Sticky: If Sticky is selected, the security device treats all requests from the same source IP as the same client and forwards them to the same server.
Member:
Member - Specify the member of the pool. You can type an IP range, or an IP address and netmask.
Port - Specify the port number of the server.
Maximum Sessions - Specify the maximum number of sessions allowed on the server. The value ranges from 0 to 1,000,000,000. The default value is 0, which means no limit.
Weight - Specify the traffic forwarding weight used during load balancing. The value ranges from 1 to 255.
Add - Add the configured member to the SLB server pool.
Delete - Delete the selected member.
Track:
Track Type - Select a track type.
Port - Specify the port number to be tracked. The value ranges from 1 to 65535.
Interval - Specify the interval between Ping/TCP/UDP probe packets, in seconds. The value ranges from 3 to 255.
Retries - Specify a retry threshold. If no response is received after the specified number of retries, the system considers the track entry failed, i.e. unreachable. The value range is 1 to 255.
Weight - Specify the weight this track entry contributes to the failure of the whole track rule when the entry fails. The value range is 1 to 255.
Add - Click Add to add the configured track entry to the list.
Delete - Click Delete to delete the selected track entry.
Threshold: Type the threshold for the track rule into the Threshold box. The value range is 1 to 255. If the sum of the weights of the failed entries in the track rule exceeds the threshold, the security device concludes that the track rule fails.
Description: Type the description for this track rule. You can enter up to 95 characters.
Relevant Device: Specify the devices to associate with the shared SLB server pool. If you choose the VSYS devices of a device, the shared SLB server pool is associated with those VSYS devices, not with the device itself. After configuring the shared SLB server pool, you must deploy it to the relevant devices for it to take effect. For more information about deploying configuration, see Synchronizing Configuration.

5. Click OK to save the settings.
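The options above define how a pool member is chosen and when it is taken out of rotation: a member is unavailable once the summed weight of its failed track entries exceeds the track threshold or it reaches its session limit, and the algorithm and Sticky setting decide among the remaining members. The following is an added example, not HSM code, that models those rules so the effect of a weight, threshold or session-limit change can be reasoned about before deployment. The class and function names are assumptions, the members in the demo functions are constructed, and the source-IP hashing scheme is an illustrative choice, not the device's.

```python
# Added example (not Hillstone code): model of SLB server-pool selection as the
# options describe it. Track-rule failure is the summed weight of failed entries
# compared against the threshold; the hash scheme is an illustrative assumption.
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class TrackEntry:
    track_type: str          # e.g. "ping", "tcp", "udp"
    port: int
    weight: int              # 1..255, counted towards the rule's failure sum
    failed: bool = False     # set once `retries` probes in a row go unanswered


@dataclass(eq=False)         # identity comparison: two members are never "equal"
class Member:
    ip: str
    port: int
    weight: int = 1          # 1..255
    max_sessions: int = 0    # 0 means no limit
    sessions: int = 0
    tracks: List[TrackEntry] = field(default_factory=list)


def track_rule_failed(member: Member, threshold: int) -> bool:
    """The track rule fails when the summed weight of failed entries exceeds the threshold."""
    return sum(t.weight for t in member.tracks if t.failed) > threshold


def member_available(member: Member, threshold: int) -> bool:
    if track_rule_failed(member, threshold):
        return False
    return member.max_sessions == 0 or member.sessions < member.max_sessions


class ServerPool:
    ALGORITHMS = ("weighted-round-robin", "weighted-least-connection", "weighted-hash")

    def __init__(self, members: List[Member], algorithm: str = "weighted-round-robin",
                 threshold: int = 1, sticky: bool = False) -> None:
        if algorithm not in self.ALGORITHMS:
            raise ValueError(f"unknown algorithm {algorithm}")
        if not 1 <= threshold <= 255:
            raise ValueError("threshold must be 1..255")
        self.members, self.algorithm = members, algorithm
        self.threshold, self.sticky = threshold, sticky
        self._rr_position = 0
        self._sticky_table: Dict[str, Member] = {}

    def select(self, src_ip: str) -> Optional[Member]:
        """Pick the member that receives a new request from src_ip (None if all are down)."""
        candidates = [m for m in self.members if member_available(m, self.threshold)]
        if not candidates:
            return None
        chosen = self._sticky_table.get(src_ip) if self.sticky else None
        if chosen not in candidates:          # no sticky entry, or its server is down/full
            chosen = self._choose(candidates, src_ip)
        chosen.sessions += 1
        if self.sticky:
            self._sticky_table[src_ip] = chosen
        return chosen

    def _choose(self, candidates: List[Member], src_ip: str) -> Member:
        if self.algorithm == "weighted-least-connection":
            return min(candidates, key=lambda m: m.sessions / m.weight)
        if self.algorithm == "weighted-hash":
            total = sum(m.weight for m in candidates)
            slot = int(hashlib.sha256(src_ip.encode()).hexdigest(), 16) % total
            for m in candidates:              # bucket sizes proportional to weight
                slot -= m.weight
                if slot < 0:
                    return m
            raise AssertionError("unreachable: slot < total")
        sequence = [m for m in candidates for _ in range(m.weight)]   # weighted round robin
        chosen = sequence[self._rr_position % len(sequence)]
        self._rr_position += 1
        return chosen


def demo_round_robin() -> List[str]:
    """Constructed pool: 10.0.0.3 has 4 points of failed track weight against a
    threshold of 3, so it is skipped; the others rotate 2:1 by weight."""
    a = Member("10.0.0.1", 80, weight=2)
    b = Member("10.0.0.2", 80, weight=1)
    c = Member("10.0.0.3", 80, weight=1, tracks=[TrackEntry("tcp", 80, 2, failed=True),
                                                 TrackEntry("ping", 0, 2, failed=True)])
    pool = ServerPool([a, b, c], threshold=3)
    return [pool.select(f"192.0.2.{i}").ip for i in range(4)]


def demo_sticky_least_connection() -> List[str]:
    """Constructed pool: the same client sticks to 10.0.0.2 until that server hits
    its session limit, then falls back to the remaining member."""
    a = Member("10.0.0.1", 443, weight=2, sessions=4)             # 4/2 = 2 per weight unit
    b = Member("10.0.0.2", 443, weight=1, sessions=1, max_sessions=3)
    pool = ServerPool([a, b], algorithm="weighted-least-connection", sticky=True)
    return [pool.select("198.51.100.7").ip for _ in range(3)]
```

Note that a sticky entry is only honoured while its server is still available; once the tracked server fails or fills up, the client is re-balanced, which is the behaviour you want for an application that keeps no server-side session state but must be planned for when it does.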


To view the details of the servers in the SLB pool:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. In the left navigation pane, expand Configure and Objects nodes in NGFW tab, and then select SLB Server Pool. The
main window shows the user-defined SLB server pool information.

3. Select an SLB pool entry.

4. In the Server List tab at the bottom of this page, view the information of the servers that are in this SLB pool.

5. The server information shown in the Server List tab includes IP/mask, port, weight, and maximum sessions.

6. In the Monitoring tab, view the track rule information: track type, port, interval, and retries.

Note: IPS device does not support the configuration of SLB server pool.

Intrusion Protection System


IPS (Intrusion Prevention System) monitors the network for attacks in real time and takes the configured action (such as block) against the attacks it detects.
To configure the IPS function, take the following steps:

Configuring IPS Global Parameters

Configuring an IPS Rule

Enabling the Policy-based IPS Function

Configuring IPS Global Parameters
You can enable or disable the IPS function, and configure the IPS global parameters. About configuring IPS global para-
meters, see Threat Protection.

Configuring an IPS Rule

For IPS devices and NGFW of 5.5R3 or a later version (New IPS)

You can use the default IPS rules and user-defined IPS rules. The system has three default IPS rules: predef_default, predef_loose and no-ips. predef_default includes all IPS signatures and detects attacks strictly; its default action for attacks is reset. predef_loose includes only the IPS signatures with critical severity and above or with high popularity, so it detects more efficiently; its default action for attacks is log only. no-ips includes no IPS signatures.
To create a shared IPS rule of the new version on HSM, take the following steps:
To create a shared IPS rule of new version on HSM, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. In the left navigation pane, select the device type tab, then expand the Configure and Objects nodes, select Intrusion Protection System, and then click the New IPS tab.



3. Click New from the toolbar. The Intrusion Protection System Configuration dialog appears.

For the detailed configuration, you can refer to "For IPS devices and NGFW of 5.5R3 or the later version" on page 119 in
Device Configuration.

For NGFW of 5.5R2 or a previous version (Old IPS)

You can use the default IPS rules and user-defined IPS rules. The system has three default IPS rules: predef_default, predef_loose and no-ips. predef_default includes all IPS signatures and detects attacks strictly; its default action for attacks is reset. predef_loose includes only the IPS signatures with critical severity and above or with high popularity, so it detects more efficiently; its default action for attacks is log only. no-ips includes no IPS signatures.
To create a shared IPS rule of the old version on HSM, take the following steps:



1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. In the left navigation pane, expand the Configure and Objects nodes in the NGFW tab, select Intrusion Protection System, and then click the Old IPS tab.

3. Click New from the toolbar. The Intrusion Protection System dialog appears.

In the Intrusion Protection System dialog, configure the following options.


Name: Type the name into the Name box.
Capture Packets: If required, select the Enable check box to capture packets of all the selected protocols. The security device saves the evidence messages, which you can view or download.
Protocol Types: In the Protocol Types section, select the check boxes of the protocols you need. Click Select All to select all protocol types, and Unselect to clear them all. For attack signature configuration, see Configuring Protocol Signature.
Relevant Device: Specify the devices to associate with the shared IPS rule. If you choose the VSYS devices of a device, the shared IPS rule is associated with those VSYS devices, not with the device itself. After configuring the shared IPS rule, you must deploy it to the relevant devices for it to take effect. For more information about deploying configuration, see Synchronizing Configuration.

4. Click OK to save the settings.

Configuring Protocol Signature

A protocol signature consists of a protocol configuration and a signature configuration. You specify actions for attacks of different levels (Log only, Reset, Block attacker) and, optionally, actions for specific attack signatures, which take priority over the action configured for the signature set.
For the HTTP protocol signature, you can also configure the Web server to detect and protect against Web-based attacks; see WebServer Configuration.

Configuring a Protocol
To configure a protocol signature on HSM, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. In the left navigation pane, expand the Configure and Objects nodes in the NGFW tab, select Intrusion Protection System, and then click the Old IPS tab. The main window shows the IPS rule list of the old IPS version.

3. Click the specified protocol type in the IPS rule list. The protocol configuration dialog appears.

4. Click the Protocol Configuration tab.



In the Protocol Configuration tab, configure the actions for attacks of different levels and the other related options.

Action for Critical/Warning/Information level attack:
Capture Packets - Select the Enable check box to enable packet capture. The security device captures packets of the selected protocol and saves the evidence messages, which you can view and download on the security device.
Action - Specify an action for attacks of this level by selecting one of the radio buttons:
Log only - Only generates logs if intrusions have been detected by the security device.
Reset - Resets the connection (TCP) or sends destination unreachable packets (UDP), and also generates logs, if intrusions have been detected.
Block attacker - Select the Enable check box to block the attacker.
IP - Specify the block duration for the blocked IP address. The value range is 60 to 3600 seconds, and the default value is 60.
Service - Specify the block duration for the blocked service. The value range is 60 to 3600 seconds, and the default value is 60.
Other Configuration: Other related options that vary with the protocol type. They are described below.

The other configuration options vary by protocol type. Two of them appear for several protocols and have the same meaning wherever they appear:

Protocol Anomaly Detection: Specify a check level for the protocol validity check of the signature set.
Strict - If any protocol anomaly is detected during parsing, the security device takes the action specified for the corresponding attack level against the attacking packets, according to the security level of the anomaly.
Loose - If any protocol anomaly is detected during parsing, the security device only generates logs and invokes the engine to perform signature matching.
Action for Brute-force: If the login attempts per minute fail the number of times specified by the threshold, the security device identifies the attempts as an intrusion and takes action according to the configuration. Select the Enable check box to enable brute-force protection.
Login Threshold per Min - Specify the permitted authentication/login failure count per minute. The value range is 1 to 100000.
Block - Select the object to block once its login failure count exceeds the threshold.
Block Time - Specify the block duration. The value range is 60 to 3600 seconds.

For every Max ... Length and Max Failure Time option below, Security Level specifies the security level assigned to events that exceed the limit; the security device takes action according to that level.

DNS
Protocol Anomaly Detection (see above).

FTP
Action for Brute-force and Protocol Anomaly Detection (see above).
Banner Detection: Select the Enable check box to enable protection of the FTP server banner. Banner Information - Type the new text that replaces the original server banner.
Max Command Line Length: Specify a max length (including carriage return) for the FTP command line. The value range is 5 to 1024 bytes. Security Level - see above.
Max Response Line Length: Specify a max length for the FTP response line. The value range is 5 to 1024 bytes. Security Level - see above.

HTTP
Protocol Anomaly Detection (see above).
Banner Detection: Select the Enable check box to enable protection of the HTTP server banner. Banner Information - Type the new text that replaces the original server banner.
Max URI Line Length: Specify a max URI length for the HTTP protocol. The value range is 64 to 4096 bytes. Security Level - see above.
Allowed Methods: Specify the allowed HTTP method(s).

POP3
Action for Brute-force and Protocol Anomaly Detection (see above).
Banner Detection: Select the Enable check box to enable protection of the POP3 server banner. Banner Information - Type the new text that replaces the original server banner.
Max Command Line Length: Specify a max length (including carriage return) for the POP3 command line. The value range is 64 to 1024 bytes. Security Level - see above.
Max Parameter Length: Specify a max length for the POP3 client command parameter. The value range is 8 to 256 bytes. Security Level - see above.
Max Failure Time: Specify the max number of failures within one POP3 session. The value range is 0 to 512 times. Security Level - see above.

SMTP
Action for Brute-force and Protocol Anomaly Detection (see above).
Banner Detection: Select the Enable check box to enable protection of the SMTP server banner. Banner Information - Type the new text that replaces the original server banner.
Max Command Line Length: Specify a max length (including carriage return) for the SMTP command line. The value range is 64 to 1024 bytes. Security Level - see above.
Max Path Line Length: Specify a max length for the reverse-path and forward-path fields in the SMTP client command. The value range is 16 to 512 bytes (including punctuation marks). Security Level - see above.
Max Reply Line Length: Specify a max reply line length for the SMTP server. The value range is 64 to 1024 bytes (including carriage return). Security Level - see above.
Max Text Line Length: Specify a max length for the E-mail text line of the SMTP client. The value range is 64 to 2048 bytes (including carriage return). Security Level - see above.
Max Content-Type Length: Specify a max length for the Content-Type field of the E-mail. The value range is 64 to 1024 bytes. Security Level - see above.
Max Content Filename Length: Specify a max length for the filename of an E-mail attachment. The value range is 64 to 1024 bytes. Security Level - see above.
Max Failure Time: Specify the max number of failures within one SMTP session. The value range is 0 to 512 times. Security Level - see above.

Telnet
Action for Brute-force and Protocol Anomaly Detection (see above).
Username/Password Max Length: Specify a max length for the username and password used in Telnet. The value range is 64 to 1024 bytes. Security Level - see above.

IMAP, Finger, NNTP, TFTP, SNMP, MYSQL, MSSQL, ORACLE, NETBIOS, DHCP, LDAP, VoIP, Other-TCP, Other-UDP
Max Scan Length: Specify a max scan length. The value range is 0 to 65535 bytes.

SUNRPC
Action for Brute-force and Protocol Anomaly Detection (see above).

MSRPC
Action for Brute-force and Protocol Anomaly Detection (see above).
Max Bind Length: Specify a max length for MSRPC bind packets. The value range is 16 to 65535 bytes. Security Level - see above.
Max Request Length: Specify a max length for MSRPC request packets. The value range is 16 to 65535 bytes. Security Level - see above.

5. Select the Signature List tab to view or configure the signatures. See Configuring Signature.

6. Click OK.

Configuring Signature
In the specific protocol's Signature List tab, you can view, enable/disable or configure the signatures.

Searching the Specific Signature Entry Details

To search for the details of a specific signature entry, take the following steps:

1. In the specific protocol's Signature List tab, click a filter name, and then input the value for this filter in the search bar. You can also hover the mouse over a parameter (including status, operating system, attack type, popularity, severity, service type, global status and type) to view the drop-down list, and select the filter condition.

2. Click the search icon. Results that match your criteria are shown in the signature list.

3. In the signature list, click an ID to view the details of that signature in a pop-up dialog.

Note:

Hover your mouse over the icon to view search tips.

Click the icon to reset the filter condition.

The icon can expand to show search history. If Auto Open is selected, the history can auto-
matically be opened while you use the search box.

Configuring a Specific Attacking Signature

To configure a specific attacking signature of a user-defined IPS rule, take the following steps:

1. In the specific protocol Signature List tab, select the signature you want to edit from the signature list, and then click
Edit from the toolbar. The Signature List Configuration dialog appears.

In the Signature List Configuration dialog, configure the specific attacking signature.

Option Description

Capture Packets: Select the Enable check box to enable the packet capture tool. The security device captures the packets and saves them as evidence messages, which you can view or download.

Action: Specify an action for attacks of different levels.

    Follow General Configuration - The action depends on the configuration of the signature attack level.

    Log Only - If attacks have been detected, the system only generates protocol behavior logs.

    Reset - If attacks have been detected, the system resets connections (TCP) or sends destination unreachable packets (UDP), and also generates logs if intrusions have been detected.

Block Attacker: Block the specified attacker.

    Follow General Configuration - The action depends on the configuration of the signature attack level.

    Block - Specify the blocking method for the specified attacker.

        Block IP - Specify a block duration for blocking the IP address. The value range is 60 to 3600 seconds, and the default value is 60.

        Block Service - Specify a block duration for blocking the service. The value range is 60 to 3600 seconds, and the default value is 60.

    Never Block - If attacks have been detected, the system does not block the service from the attacker.

2. Click OK.

Configuring a Web Server
To create a WebServer, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. Expand Object from the configuration navigation pane in the NGFW tab, select Intrusion Protection System, and then click the Old IPS tab. The main window shows the IPS rule list of the old IPS version.

3. From the IPS rule list, select the user-defined IPS rule to be configured, and then click HTTP. The protocol configuration dialog appears.

4. Click the Webserver Configuration tab.

5. From the toolbar, click New. The Web Server Configuration dialog appears.

In the Webserver Configuration dialog, configure the Web server options.
For NGFW of 5.5R2 or previous versions:

Option Description

Name: Specify the name of the Web server.

Configure Domain: Specify domains for the Web server. Click this link, and the Configure Domain dialog appears.
    At most 5 domains can be configured for one Web server. The domain name of the Web server follows the longest match rule from the back to the front. Traffic that does not match any rule matches the default Web server. For example, you have configured two Web servers: web_server1 and web_server2. web_server1 contains the domain name abc.com and web_server2 contains the domain name email.abc.com. After configuring the settings, traffic that visits news.abc.com matches web_server1, traffic that visits www.email.abc.com matches web_server2, and traffic that visits www.abc.com.cn matches the default Web server.

SQL Injection Protection: Select the Enable check box to enable the SQL injection check for the HTTP protocol.

    Capture Packets: Select the Enable check box to enable the packet capture tool. The security device saves the evidence messages, which you can view or download.

    Action: Specify an action for the SQL injection check.

    Block Attacker: Block the specified attacker.

        Block IP - Specify a block duration for blocking the IP address. The value range is 60 to 3600 seconds, and the default value is 60.

        Block Service - Specify a block duration for blocking the service. The value range is 60 to 3600 seconds, and the default value is 60.

    Sensitivity: Specify the sensitivity of the SQL injection protection function. The higher the sensitivity, the lower the false negative rate.

    Check point: Specify the check point for the SQL injection check. It can be HTTP cookie, HTTP cookie2, HTTP post, HTTP referer or HTTP URI.

XSS Injection Protection: Select the Enable check box to enable the XSS injection check for the HTTP protocol.

    Capture Packets: Select the Enable check box to enable the packet capture tool. The security device saves the evidence messages, which you can view or download.

    Action: Specify an action for the XSS check.

    Block Attacker: Block the specified attacker.

        Block IP - Specify a block duration for blocking the IP address. The value range is 60 to 3600 seconds, and the default value is 60.

        Block Service - Specify a block duration for blocking the service. The value range is 60 to 3600 seconds, and the default value is 60.

    Sensitivity: Specify the sensitivity of the XSS injection protection function. The higher the sensitivity, the lower the false negative rate.

    Check point: Specify the check point for the XSS injection check. It can be HTTP cookie, HTTP cookie2, HTTP post, HTTP referer or HTTP URI.

External Link Check: Select the Enable check box to enable the external link check for the Web server. This function controls access to external resources.

    Capture Packets: Select the Enable check box to enable the packet capture tool. The security device saves the evidence messages, which you can view or download.

    External link exception: Click this link, and the External Link Exception Configuration dialog appears. All URLs configured in this dialog may be linked by the Web server. At most 32 URLs can be specified for one Web server.

    Action: Specify the action taken when a link to an external resource is detected.

        Log only: Only record the related logs when external link behavior is detected.

        Reset: Reset the TCP connection or send the UDP unreachable packet, and record the related logs, when external link behavior is detected.

ACL: Select the Enable check box to enable access control for the Web server. The access control function checks the upload paths of the websites to prevent attackers from uploading malicious code.

    ACL: Click this link, and the ACL Configuration dialog appears. Specify websites and their properties in this dialog. "Static" means the URI can only be accessed as a static resource (images and text); otherwise the access is handled by the specified action (log only/reset). "Block" means the resource of the website is not allowed to be accessed.

    Action: Specify the action for the behavior of linking to the external resource.

        Log only: Only record the related logs when external link behavior is detected.

        Reset: Reset the TCP connection or send the UDP unreachable packet, and record the related logs, when external link behavior is detected.

HTTP Request Flood Protection: Select the Enable check box to enable HTTP request flood protection.

    Request threshold: Specify the request threshold. When the number of HTTP connection requests reaches the threshold, the security device treats it as an HTTP request flood attack and enables HTTP request flood protection.

    Authentication: Specify the authentication method. The security device judges the legality of HTTP requests from a source IP through authentication. If a source IP fails the authentication, the current request from that source IP is blocked. Choose the proper authentication method from the drop-down list. The available authentication methods are:

        Auto (JS Cookie): The Web browser finishes the authentication process automatically.

        Auto (Redirect): The Web browser finishes the authentication process automatically.

        Manual (Access Confirm): The initiator of the HTTP request must confirm by clicking OK on the returned page to finish the authentication process.

        Manual (CAPTCHA): The initiator of the HTTP request must confirm by entering the authentication code on the returned page to finish the authentication process.

    Crawler-friendly: If this check box is selected, the security device does not authenticate crawlers.

    Request limit: Specify the request limit for HTTP request flood protection. After the request limit is configured, the security device limits the request rate of each source IP. If the request rate is higher than the limit specified here and HTTP request flood protection is enabled, the security device handles the excess requests according to the specified action (Block IP/Reset).

    Proxy limit: Specify the proxy limit for HTTP request flood protection. After the proxy limit is configured, the security device checks whether each source IP belongs to a proxy server and, if so, limits its request rate according to the configuration. If the request rate is higher than the limit specified here and HTTP request flood protection is enabled, the security device handles the excess requests according to the specified action (Block IP/Reset).

    White List: Specify the white list for HTTP request flood protection. Source IPs added to the white list are not checked by HTTP request flood protection. Select the address entry from the drop-down list; the address entry cannot be a domain name or an IPv6 address. If traffic from a white-listed source IP exceeds the threshold for HTTP request flood protection, HTTP request flood protection is still enabled.

For NGFW of 5.5R3 or later versions and IPS devices:

Option Description

Name: Specify the name of the Web server protection rule.

Configure Domain: Specify the domains protected by this rule.
    Click the link, and the Configure Domain dialog appears. Enter the domain names in the Domain text box. At most 5 domains can be configured. Traffic to these domains is checked by the protection rule.
    The domain name of the Web server follows the longest match rule from the back to the front. Traffic that does not match any rule matches the default Web server. For example, you have configured two protection rules: rule1 and rule2. The domain name in rule1 is abc.com. The domain name in rule2 is email.abc.com. Traffic that visits news.abc.com matches rule1, traffic that visits www.email.abc.com matches rule2, and traffic that visits www.abc.com.cn matches the default protection rule.

SQL Injection Protection: Select the Enable check box to enable the SQL injection check.

    Capture Packets: Capture the abnormal packets. You can view them in the threat log.

    Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP), and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

    Sensitivity: Specifies the sensitivity of the SQL injection protection function. The higher the sensitivity, the lower the false negative rate.

    Check point: Specifies the check point for the SQL injection check. It can be Cookie, Cookie2, Post, Referer or URI.

XSS Injection Protection: Select the Enable check box to enable the XSS injection check for the HTTP protocol.

    Capture Packets: Capture the abnormal packets. You can view them in the threat log.

    Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP), and also generate logs. Block IP - Block the IP address of the attacker and specify a block duration. Block Service - Block the service of the attacker and specify a block duration.

    Sensitivity: Specifies the sensitivity of the XSS injection protection function. The higher the sensitivity, the lower the false negative rate.

    Check point: Specifies the check point for the XSS injection check. It can be Cookie, Cookie2, Post, Referer or URI.

External Link Check: Select the Enable check box to enable the external link check for the Web server. This function controls resource references from external sites.

    Capture Packets: Capture the abnormal packets. You can view them in the threat log.

    External link exception: Click this link, and the External Link Exception Configuration dialog appears. All URLs configured in this dialog may be linked by the Web server. At most 32 URLs can be specified for one Web server.

    Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP), and also generate logs.

ACL: Action: Log Only - Record a log. Reset - Reset connections (TCP) or send destination unreachable packets (UDP), and also generate logs.

HTTP Request Flood Protection: Select the Enable check box to enable HTTP request flood protection.

    Request threshold: Specifies the request threshold.

        For a protected domain name, when the number of HTTP connection requests per second reaches the threshold and this lasts 20 seconds, the system treats it as an HTTP request flood attack and enables HTTP request flood protection.

        For a protected full URL, when the number of HTTP connection requests per second towards this URL reaches the threshold and this lasts 20 seconds, the system treats it as an HTTP request flood attack towards this URL and enables HTTP request flood protection. This is only applicable to IPS devices.

    Full URL: Enter full URLs to protect particular URLs. Click this link to configure the URLs, for example, www.example.com/index.html. When protecting a particular URL, you can select a statistic object. When the number of HTTP connection requests per second by the object reaches the threshold and this lasts 20 seconds, the system treats it as an HTTP request flood attack by this object and enables HTTP request flood protection. This is only applicable to IPS devices.

        x-forwarded-for: Select None, and the system does not use the value in x-forwarded-for as the statistic object. Select First, and the system uses the first value of the x-forwarded-for field as the statistic object. Select Last, and the system uses the last value of the x-forwarded-for field as the statistic object. Select All, and the system uses all values in x-forwarded-for as the statistic object.

        x-real-ip: Select whether to use the value in the x-real-ip field as the statistic object.

    When an HTTP request flood attack is discovered, you can make the system take the following actions:

    Authentication: Specifies the authentication method. The system judges the legality of HTTP requests from a source IP through authentication. If a source IP fails the authentication, the current request from that source IP is blocked. The available authentication methods are:

        Auto (JS Cookie): The Web browser finishes the authentication process automatically.

        Auto (Redirect): The Web browser finishes the authentication process automatically.

        Manual (Access Configuration): The initiator of the HTTP request must confirm by clicking OK on the returned page to finish the authentication process.

        Manual (CAPTCHA): The initiator of the HTTP request must confirm by entering the authentication code on the returned page to finish the authentication process.

    Crawler-friendly: If this check box is selected, the system does not authenticate crawlers.

    Request limit: Specifies the request limit for HTTP request flood protection. After the request limit is configured, the system limits the request rate of each source IP. If the request rate is higher than the limit specified here and HTTP request flood protection is enabled, the system handles the excess requests according to the specified action (Block IP/Reset). To record a log, select the Record log check box.

    Proxy limit: Specifies the proxy limit for HTTP request flood protection. After the proxy limit is configured, the system checks whether each source IP belongs to a proxy server and, if so, limits its request rate according to the configuration. If the request rate is higher than the limit specified here and HTTP request flood protection is enabled, the system handles the excess requests according to the specified action (Block IP/Reset). To record a log, select the Record log check box.

    White List: Specifies the white list for HTTP request flood protection. Source IPs added to the white list are not checked by HTTP request flood protection.

6. Click OK.

Note: After you create an HTTP signature, HSM automatically creates a default Web Server. The default Web Server is enabled by default and cannot be disabled or deleted. At most 32 Web servers can be configured for one signature, not including the default server.
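The back-to-front longest-match rule that both Web server tables above describe (5.5R2 Web servers and 5.5R3 protection rules), as an added Python example that is not part of the guide or of HSM. It assumes matching is label-wise (abc.com matches news.abc.com but not www.abc.com.cn or xabc.com) and uses the guide's own two-server configuration as its sample.

```python
"""Added example: the Web server domain longest-match rule (back to front)."""
from typing import Dict, List


def _labels(domain: str) -> List[str]:
    # Split a host name into DNS labels, lowercase, ignoring a trailing dot.
    return domain.strip().rstrip(".").lower().split(".")


def _suffix_match_len(host: str, domain: str) -> int:
    """Number of labels of `domain` that match `host` from the back.

    Assumption (not stated in the guide): matching is label-wise, so
    "abc.com" matches "news.abc.com" and "abc.com" itself, but neither
    "xabc.com" nor "www.abc.com.cn". Returns 0 unless every label of
    `domain` matches the tail of `host`.
    """
    h, d = _labels(host), _labels(domain)
    if len(d) > len(h) or h[len(h) - len(d):] != d:
        return 0
    return len(d)


def select_web_server(host: str, servers: Dict[str, List[str]],
                      default: str = "default") -> str:
    """Return the Web server whose configured domain is the longest
    back-to-front match for `host`, or `default` if nothing matches."""
    best_name, best_len = default, 0
    for name, domains in servers.items():
        if len(domains) > 5:  # the guide's limit: at most 5 domains per server
            raise ValueError(f"{name}: at most 5 domains per Web server")
        for domain in domains:
            n = _suffix_match_len(host, domain)
            if n > best_len:  # longer match wins; ties keep the first server seen
                best_name, best_len = name, n
    return best_name


# The guide's own example configuration.
SERVERS = {
    "web_server1": ["abc.com"],
    "web_server2": ["email.abc.com"],
}

if __name__ == "__main__":
    for host in ("news.abc.com", "www.email.abc.com", "www.abc.com.cn"):
        print(f"{host:20} -> {select_web_server(host, SERVERS)}")
```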
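An added Python model (mine, not Hillstone's) of the 5.5R3 HTTP request flood logic in the table above: how the statistic object is picked from the source IP, x-forwarded-for (None/First/Last/All) and x-real-ip, and how an attack is declared only once the per-second count has reached the threshold for 20 consecutive seconds. The fallback to the source IP when x-forwarded-for is not used, and the traffic sample, are my assumptions.

```python
"""Added example: HTTP request flood detection as described for NGFW 5.5R3+/IPS."""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

SUSTAIN_SECONDS = 20  # the guide: the per-second rate must stay at the threshold for 20 s

Request = Tuple[int, str, str, Dict[str, str]]  # (second, domain, source IP, headers)


def statistic_objects(src_ip: str, headers: Dict[str, str], xff_mode: str = "None",
                      use_x_real_ip: bool = False) -> List[str]:
    """Keys a request is counted under (the guide's 'statistic object').

    xff_mode is None/First/Last/All exactly as in the x-forwarded-for option.
    Assumption: when x-forwarded-for is not used (or absent) and x-real-ip is
    not selected, the source IP is the statistic object.
    """
    keys: List[str] = []
    values = [v.strip() for v in headers.get("x-forwarded-for", "").split(",") if v.strip()]
    if values and xff_mode == "First":
        keys.append(values[0])
    elif values and xff_mode == "Last":
        keys.append(values[-1])
    elif values and xff_mode == "All":
        keys.extend(values)
    if use_x_real_ip and headers.get("x-real-ip", "").strip():
        keys.append(headers["x-real-ip"].strip())
    return keys or [src_ip]


def detect_floods(requests: Iterable[Request], threshold: int, xff_mode: str = "None",
                  white_list: Iterable[str] = ()) -> Dict[Tuple[str, str], int]:
    """Return {(domain, object): second} for every statistic object whose
    request count reached `threshold` in each of SUSTAIN_SECONDS consecutive
    seconds; the value is the second at which the attack was declared.
    Requests from white-listed source IPs are not checked at all."""
    white = set(white_list)
    per_second: Dict[Tuple[str, str, int], int] = defaultdict(int)
    for second, domain, src_ip, headers in requests:
        if src_ip in white:
            continue
        for obj in statistic_objects(src_ip, headers, xff_mode):
            per_second[(domain, obj, second)] += 1

    by_key: Dict[Tuple[str, str], Dict[int, int]] = defaultdict(dict)
    for (domain, obj, second), n in per_second.items():
        by_key[(domain, obj)][second] = n

    declared: Dict[Tuple[str, str], int] = {}
    for key, counts in by_key.items():
        run = 0  # consecutive seconds at or above the threshold
        for second in range(min(counts), max(counts) + 1):
            run = run + 1 if counts.get(second, 0) >= threshold else 0
            if run >= SUSTAIN_SECONDS:
                declared[key] = second
                break
    return declared


def sample_traffic() -> List[Request]:
    """Constructed sample: a client behind proxy 10.0.0.5 (real address in
    x-forwarded-for) sends 120 req/s for 25 s, 192.0.2.9 sends 120 req/s but
    stops after 15 s, and 198.51.100.20 is a normal client at 5 req/s."""
    proxied = {"x-forwarded-for": "203.0.113.7, 10.0.0.5"}
    reqs: List[Request] = []
    for second in range(30):
        reqs += [(second, "www.example.com", "10.0.0.5", proxied)] * (120 if second < 25 else 0)
        reqs += [(second, "www.example.com", "192.0.2.9", {})] * (120 if second < 15 else 0)
        reqs += [(second, "www.example.com", "198.51.100.20", {})] * 5
    return reqs


if __name__ == "__main__":
    traffic = sample_traffic()
    print("x-forwarded-for=First:", detect_floods(traffic, 100, "First"))
    print("x-forwarded-for=None: ", detect_floods(traffic, 100, "None"))
    print("10.0.0.5 white-listed:", detect_floods(traffic, 100, "First", {"10.0.0.5"}))
```

With x-forwarded-for set to First the proxied client is counted under its real address and declared at second 19 (the 20th consecutive second over the threshold); the 15-second burst from 192.0.2.9 never qualifies.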

Enabling the Policy-based IPS Function
To enable the policy-based IPS on HSM, see Configuring the Policy-based Protection Function.

Anti-Virus
To configure the Anti-Virus function, take the following steps:

Configuring Anti-Virus Global Parameters

Creating a Shared Anti-Virus Rule

Enabling the Policy-based Anti-Virus Function

Configuring Anti-Virus Global Parameters
You can enable or disable the Anti-Virus function and configure its global parameters. For details on configuring Anti-Virus global parameters, see Threat Protection.

Creating a Shared Anti-Virus Rule
To create a shared Anti-Virus rule on HSM, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. In the left navigation pane, select the device type tab, then expand the Configure and Objects nodes and select Anti-Virus. The main window shows the Anti-Virus rule list.

3. Click New from the toolbar. The Anti-Virus dialog appears.

In the Anti-Virus dialog, configure the following options.

Option Description

Type: Specify the type of the object. It can be private or shared.

Name: Specify the rule name.

File Types: Specify the file types you want to scan. They can be GZIP, JPEG, MAIL, RAR, HTML, PE, BZIP2, RIFF, TAR, ELF, RAWDATA, MSOFFICE, PDF and OTHERS.

Protocol Types: Specify the protocol types (HTTP, SMTP, POP3, IMAP4, FTP) you want to scan, and the action the security device takes after a virus is found.

    Fill Magic - Processes the infected file by filling it with magic words, i.e., overwrites the infected section from its beginning to its end with the magic words (Virus is found, cleaned).

    Log Only - Only generates logs.

    Warning - Pops up a warning page to prompt that a virus has been detected. This option is only effective for messages transferred over HTTP.

    Reset Connection - If a virus has been detected, the security device resets the connections to the files.

Capture: Select the Enable check box next to Capture Packet to enable the capture function. The security device saves the evidence messages, which you can view or download.

Malicious Website Access Control: Select the check box behind Malicious Website Access Control to enable the function.

Action: Specify the action the security device takes after a malicious website is found.

    Log Only - Only generates logs.

    Reset Connection - If a malicious website has been detected, the security device resets the connections to the files.

    Warning - Pops up a warning page to prompt that a malicious website has been detected. This option is only effective for messages transferred over HTTP.

Enable Label email: If an email transferred over SMTP is scanned, you can enable label email to scan the email and its attachment(s). The scanning results are included in the mail body and sent with the email. If no virus has been detected, the message "No virus found" is labeled; otherwise, information related to the virus is displayed in the email, including the file name, result and action.
    Type the end message content into the box. The range is 1 to 128.

4. Click OK.

Note: By default, HSM comes with three default virus filtering rules according to the virus filtering protection level: predef_low, predef_middle and predef_high. Each rule filters a different set of file types and protocol types. The higher the level of the Anti-Virus filtering rule, the higher the security level. The default rules cannot be edited or deleted.

Enabling the Policy-based Anti-Virus Function

To enable the policy-based Anti-Virus on HSM, see Configuring the Policy-based Protection Function.

Threat Protection

Configuring Threat Protection

Creating a Shared Threat Protection
To create a shared threat protection on the HSM global configuration page, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. In the left navigation pane, select the device type tab, then expand the Configure and Objects nodes, select Threat Protection, and then click the New IPS or Old IPS tab. The main window shows the corresponding threat protection global configuration rule list.

3. From the toolbar, click New. The Threat Protection page appears.

    Name: Specify the name of the threat protection global configuration.

    Description: If necessary, type a description of the shared threat protection global configuration in this text box.

    Relevant Device: Specify the devices that you want to associate with the global threat protection configuration. If you choose the VSYS devices of a device, the global threat protection configuration is associated with the VSYS devices, not the device itself. After configuring the global threat protection configuration, you have to deploy the configuration to the relevant devices for it to take effect. For more information about deploying the configuration, see Synchronizing Configuration.

4. Click OK.

Configuring a Shared Threat Protection

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.

2. In the left navigation pane, select the device type tab, then expand the Configure and Objects nodes, select Threat Protection, and then click the New IPS or Old IPS tab.

3. Double-click the name of the threat protection rule you want to configure. The Global Threaten Configuration tab appears.

In the Global Threaten Configuration tab, specify the IPS global configurations.

Option Description

APP Force Check: Select/clear the Enable check box to enable/disable the force check. When enabled, the security device checks application-layer IPS, AV content filtering, IM and Web content, and application-layer behavior control. Note that NGFW devices of version 5.5R3 and later (new IPS function) do not support this feature.
    If you disable this feature, when the CPU usage exceeds 68% the security device forwards packets for new sessions and randomly skips the application-layer check.

IPS Global Configuration

Intrusion Protection System: Select/clear the Enable check box to enable/disable IPS. After enabling this function, you have to reboot the security device for it to take effect.

Merge Log: The security device can merge IPS logs that have the same protocol ID, VSYS ID, signature ID, log ID and merging type. This helps avoid receiving redundant logs; the merged log is displayed on the standard output according to your requirements. The function is disabled by default.
    Select the merging type from the drop-down list:

    ---- - Do not merge any logs.

    Source IP - Merge the logs with the same source IP.

    Destination IP - Merge the logs with the same destination IP.

    Source IP, Destination IP - Merge the logs with the same source IP and the same destination IP.

Mode: Specify a working mode for IPS:

    Intrusion Protection System - If attacks have been detected, the firewall generates protocol anomaly alarms and attacking behavior logs, and also resets connections or blocks attackers. This is the default mode.

    Log Only - If attacks have been detected, the firewall only generates protocol anomaly alarms and attacking behavior logs, but does not reset connections or block attackers.

AV Global Configuration

Anti Virus: Select/clear the Enable check box to enable/disable Anti-Virus. The new configuration takes effect after the relevant device is reset.

Max Decompression Layer: By default the firewall can scan files of up to 5 decompression layers. To specify a decompression layer, select a value from the drop-down list. The value range is 1 to 5.

Exceed Action: Specify an action for compressed files that exceed the max decompression layer. Select an action from the drop-down list:

    Log Only - Only generates logs but does not scan the files. This action is enabled by default.

    Reset Connection - If a virus has been detected, the firewall resets the connections to the files.

Encrypted Compressed File: Specify an action for encrypted compressed files:

    ------ - Does not take any special anti-virus action against the files, but might further scan the files according to the configuration.

    Log Only - Only generates logs but does not scan the files.

    Reset Connection - Resets the connections to the files.

4. Select the Global Threaten Configuration List tab to view the details of all IPS signatures. For more information, see Global Threaten Configuration List.

5. Click OK.

Global Threaten Configuration List
In the Global Threaten Configuration tab, you can view the details of all IPS signatures. You can edit, delete, enable/disable a specific signature, or customize signatures as needed.

Searching the Specific Signature Entry Details

To search for the details of a specific signature entry, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. In the left navigation pane, select the device type tab, then expand the Configure and Objects nodes, select Threat Protection, and then click the New IPS or Old IPS tab.

3. Double-click the name of the threat protection rule you want to configure.

4. Click the Global Threaten Configuration List tab.

5. Click a filter name, and then input the value for this filter in the search bar. You can also hover the mouse over a parameter (including protocol, operating system, attack type, popularity, severity, service type, status and type) to view the drop-down list, and select the filter condition.

6. Click the search icon. Results that match your criteria are shown.

7. In the signature list, click an ID to view the details of that signature in a pop-up dialog.

Note:

Hover your mouse over the icon to view search tips.

Click the icon to reset the filter condition.

The icon can expand to show search history. If Auto Open is selected, the history can auto-
matically be opened while you use the search box.

Creating a User-defined Signature Rule

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global con-
figuration page.

2. In the left navigation pane, select the device type tab, then expand the Configure and Objects nodes, select Threat Protection, and then click the New IPS or Old IPS tab.

3. Double-click the threat protection rule for which you want to create a user-defined signature rule.

4. Select the Global Threaten Configuration List tab, and the main window shows the IPS signature list.

5. Click New from the toolbar. The User-defined Signature dialog appears.

In the User-defined Signature dialog, configure the signature settings.

For NGFW of 5.5R2 or previous versions

Option Description

General tab

Name: Specify the signature name.

Description: Specify the signature description.

Protocol: Specify the protocol that the signature applies to.

Flow: Specify the direction for the signature. "To_Server" means the attack packet is from the server to the client. "To_Client" means the attack packet is from the client to the server. "Both" means bi-directional.

Source Port: Specify the source port of the signature.

    Any - Any source port.

    Included - The source port you specify should be included. It can be a port, several ports, or a range. Specify the port numbers in the text box, separated by ",".

    Excluded - The source port you specify should be excluded. It can be a port, several ports, or a range. Specify the port numbers in the text box, separated by ",".

Destination Port: Specify the destination port of the signature.

    Any - Any destination port.

    Included - The destination port you specify should be included. It can be a port, several ports, or a range. Specify the port numbers in the text box, separated by ",".

    Excluded - The destination port you specify should be excluded. It can be a port, several ports, or a range. Specify the port numbers in the text box, separated by ",".

Dsize: Specify the payload message size. Select "----", ">", "<" or "=" from the drop-down list and specify the value in the text box. "----" means the parameter is not set.

Severity: Specify the severity of the attack.

Attack Type: Select the attack type from the drop-down list.

Service Type: Select the service type from the drop-down list. "----" means all services.

Operating System: Select the operating system from the drop-down list. "----" means all operating systems.

Detection Filter: Specify the frequency of the signature rule.

    Track - Select the track type from the drop-down list. It can be by source IP or by destination IP. After it is specified, the system matches the attack according to the analysis of the source IP or destination IP.

    Count - Specify the maximum number of times the rule may occur in the specified time. If the attacks exceed the Count value, the security device triggers the rule and acts as specified.

    Seconds - Specify the time interval in which the rule occurrences are counted.

Content tab: Click New and configure the signature contents. Click OK to save your settings.

Content: Specify the signature content. Select the following check boxes if needed:

    HEX - The content is hexadecimal.

    Case Insensitive - The content match is not case sensitive.

    URI - The content must match the URI field of the HTTP request.

Relative: Specify the location of the signature content.

    If Beginning is selected, the system searches from the header of the application-layer packet.

        Offset: The system starts searching after the offset from the header of the application-layer packet. The unit is bytes.

        Depth: Specifies the scanning length after the offset. The unit is bytes.

    If Last Content is selected, the system searches from the end position of the previous content.

        Distance: The system starts searching after the distance from the end position of the previous content. The unit is bytes.

        Within: Specifies the scanning length after the distance. The unit is bytes.

For NGFW of 5.5R3 or later versions and IPS devices

Option Description

Name: Specifies the signature name.

Description: Specifies the signature description.

Protocol: Specifies the affected protocol.

Flow: Specifies the direction.

To_Server means the attack packet is sent from the server to the client.

To_Client means the attack packet is sent from the client to the server.

Any includes To_Server and To_Client.

Source Port: Specifies the source port of the signature.

Any - Any source port.

Included - Only the specified source ports match. The value can be a single port, several ports, or a range; type the port numbers in the text box, separated by ",".

Excluded - Any source port except the specified ones matches. The value can be a single port, several ports, or a range; type the port numbers in the text box, separated by ",".

Destination Port: Specifies the destination port of the signature.

Any - Any destination port.

Included - Only the specified destination ports match. The value can be a single port, several ports, or a range; type the port numbers in the text box, separated by ",".

Excluded - Any destination port except the specified ones matches. The value can be a single port, several ports, or a range; type the port numbers in the text box, separated by ",".

Dsize: Specifies the payload size. Select "----", ">", "<" or "=" from the drop-down list and type the value in the text box. "----" means the parameter is not set.

Severity: Specifies the severity of the attack.

Attack Type: Select the attack type from the drop-down list.

Application: Select the affected applications. "----" means all applications.

Operating System: Select the affected operating system from the drop-down list. "----" means all operating systems.

Bulletin Board: Select a bulletin board of the attack.

Year: Specifies the year the attack was released.

Detection Filter: Specifies how often the signature must match before the rule triggers.

Track - Select the track type from the drop-down list: by_src or by_dst. The system uses the per-source-IP or per-destination-IP count to check whether the attack matches this rule.

Count - Specifies the maximum number of times the rule may match within the specified time. If the number of attacks exceeds the Count value, the system triggers the rule and takes the specified action.

Seconds - Specifies the time interval, in seconds, over which matches are counted.

In the Content tab, click New to specify the content of the signature:

Option Description

Content: Specifies the signature content. Select the following check boxes if needed:

HEX - The content is hexadecimal.

Case Insensitive - The content is matched regardless of case.

URI - The content must match the URI field of the HTTP request.

Relative: Specifies where the signature content is searched for.

If Beginning is selected, the system searches from the start of the application layer payload.

Offset: The system starts searching this many bytes after the start of the application layer payload. The unit is byte.

Depth: The number of bytes to scan after the offset. The unit is byte.

If Last Content is selected, the system searches from the end of the previous content match.

Distance: The system starts searching this many bytes after the end of the previous content match. The unit is byte.

Within: The number of bytes to scan after the distance. The unit is byte.

6. Click OK.

Note: Only user-defined signatures can be edited or deleted.
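The following is an added example, written for this guide and not Hillstone's code, that models how the Content options (Beginning/Offset/Depth, Last Content/Distance/Within, HEX, Case Insensitive) and the Detection Filter options (Track, Count, Seconds) described in the tables above are evaluated against an application-layer payload. The payload, IP addresses and signature entries are constructed for the example; the exact matching rules of the Hillstone engine are not stated on the page, so the search windows are implemented literally as the tables describe them, and the detection filter as a sliding-window counter keyed by source or destination IP.

```python
# Added example (not Hillstone's code): a minimal model of how the user-defined
# signature options in the tables above are evaluated. Assumptions (not stated on
# the page): the Offset/Depth and Distance/Within windows follow the table's
# wording literally, and the detection filter is a sliding-window counter keyed
# by source IP (by_src) or destination IP (by_dst).
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional


@dataclass
class Content:
    """One entry of the Content tab."""
    pattern: str
    hex: bool = False                 # HEX check box: pattern is hex bytes
    case_insensitive: bool = False    # Case Insensitive check box
    relative: str = "beginning"       # "beginning" or "last_content"
    offset: int = 0                   # Beginning: bytes skipped from payload start
    depth: Optional[int] = None       # Beginning: bytes scanned after the offset
    distance: int = 0                 # Last Content: bytes skipped after previous match
    within: Optional[int] = None      # Last Content: bytes scanned after the distance

    def needle(self) -> bytes:
        raw = bytes.fromhex(self.pattern) if self.hex else self.pattern.encode()
        return raw.lower() if self.case_insensitive else raw


def match_contents(payload: bytes, contents: List[Content]) -> bool:
    """All contents must match in order; a Last Content entry is anchored at the
    end of the previous match, a Beginning entry at the start of the payload."""
    prev_end = 0
    for c in contents:
        hay = payload.lower() if c.case_insensitive else payload
        if c.relative == "beginning":
            start = c.offset
            end = len(hay) if c.depth is None else start + c.depth
        else:
            start = prev_end + c.distance
            end = len(hay) if c.within is None else start + c.within
        pos = hay[start:end].find(c.needle())   # whole needle must lie in the window
        if pos < 0:
            return False
        prev_end = start + pos + len(c.needle())
    return True


@dataclass
class DetectionFilter:
    """Track / Count / Seconds row: trigger once hits in the window exceed count."""
    track: str      # "by_src" or "by_dst"
    count: int
    seconds: float
    hits: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))

    def record(self, src_ip: str, dst_ip: str, now: float) -> bool:
        key = src_ip if self.track == "by_src" else dst_ip
        window = self.hits[key]
        window.append(now)
        while window and now - window[0] > self.seconds:   # drop hits older than Seconds
            window.popleft()
        return len(window) > self.count


# Constructed sample payload (not captured traffic): one HTTP request.
PAYLOAD = b"GET /cgi-bin/Login.php?user=admin HTTP/1.1\r\nHost: example.test\r\n"

# Method at offset 0 (depth 4), script name anywhere in the next 40 bytes regardless
# of case, then "user=" given as HEX starting 1 byte after the previous match.
SIGNATURE = [
    Content("GET ", offset=0, depth=4),
    Content("login.php", case_insensitive=True, relative="last_content", distance=0, within=40),
    Content("757365723d", hex=True, relative="last_content", distance=1, within=10),
]

# Same script name, but a Depth of 16 bytes from the beginning does not reach it.
TOO_SHALLOW = [Content("login.php", case_insensitive=True, offset=0, depth=16)]


def demo_detection_filter() -> List[bool]:
    """by_src, Count 3, Seconds 10: the 4th hit from one source inside 10 s triggers,
    a different source has its own counter, and old hits age out of the window."""
    f = DetectionFilter(track="by_src", count=3, seconds=10)
    events = [("10.0.0.5", 0), ("10.0.0.5", 1), ("10.0.0.5", 2), ("10.0.0.5", 3),
              ("10.0.0.9", 3), ("10.0.0.5", 20)]   # constructed (source IP, time) pairs
    return [f.record(src, "192.0.2.10", t) for src, t in events]


if __name__ == "__main__":
    print(match_contents(PAYLOAD, SIGNATURE), match_contents(PAYLOAD, TOO_SHALLOW))
    print(demo_detection_filter())
```

Note that a Depth or Within value that is too small fails the match even though the pattern is present in the payload, which is the usual cause of a user-defined signature that "never fires": check the byte offsets against a real capture before deploying.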

URL Filter
URL filter controls access to certain websites and records log messages for the access attempts. URL filter helps you control network behavior in the following aspects:

Access control for certain categories of websites, such as gambling and pornographic websites.

Access control for certain categories of websites during a specified period. For example, blocking access to IM websites during office hours.

Access control for websites whose URL contains specified keywords. For example, blocking access to URLs that contain the keyword "game".

Note: HSM supports centralized management of the URL filter function only for NGFW devices running version 5.5R1 or later.

Configuring URL Filter
Configuring URL filter contains two parts:

Create a URL filter rule

Bind a URL filter rule to a security policy rule


Part 1: Creating a URL filter rule



1. Select Configuration > Global Configuration, then click Object > URL Filter Bundle > URL Filter.

2. Click New.

In the URL Filter dialog, configure the following options.


Option Description

Name: Specify the name of the rule.

Control Type: The control types are URL Category, URL Keyword Category, and Web Surfing Record. You can select one type for each URL filter rule.

URL Category controls access to certain categories of websites. The options are:

New: Create a new URL category. For more information about URL categories, see "User-defined URL DB" on page 228.

Edit: Select a URL category from the list, and click Edit to edit the selected URL category.

URL category: Shows the names of the predefined and user-defined URL categories.

Block: Select the check box to block access to the corresponding URL category.

Log: Select the check box to log access to the corresponding URL category.

Other URLs: Specify the actions for URLs that are not in the list: Block Access and Record Log.

URL Keyword Category controls access to websites whose URL contains the specified keywords. Click the URL Keyword Category option to configure it. The options are:

New: Create new keyword categories. For more information about keyword categories, see "Keyword Category" on page 229.

Edit: Select a URL keyword category from the list, and click Edit to edit the selected URL keyword category.

Keyword category: Shows the names of the configured keyword categories.

Block: Select the check box to block access to websites whose URL contains the specified keywords.

Log: Select the check box to log access to websites whose URL contains the specified keywords.

Other URLs: Specify the actions for URLs that do not contain the keywords in the list: Block Access and Record Log.

Web Surfing Record logs the GET and POST methods of HTTP.

Get: Logs GET requests.

Post: Logs POST requests.

Post Content: Logs the posted content.

Relevant Device: Specify the devices to which the URL filter rule applies. If you choose the VSYS devices of a device, the rule is relevant only to the root VSYS. After configuring the rule, you have to deploy it to the relevant devices for it to take effect. For more information about deploying configuration, see Synchronizing Configuration.

3. Click OK to save the settings.


Part 2: Binding a URL filter rule to a security policy rule
After binding a URL filter rule to a security policy rule, the system will perform the URL filter function on the traffic that
matches the security policy rule. For more information, please refer to Configuring the Policy-based Anti-Virus, IPS and
URL Filter Function.

Predefined URL DB
The system contains a predefined URL database.
The predefined URL database provides URL categories for URL filter configurations. It includes dozens of categories and tens of millions of URLs.
When identifying the URL category, the user-defined URL database has a higher priority than the predefined URL database.

Note: The predefined URL database is license-controlled. It can be used only after a URL license is installed.

User-defined URL DB
Besides the categories in the predefined URL database, you can also create user-defined URL categories, which provide URL categories for URL filter configurations. When identifying the URL category, the user-defined URL database has a higher priority than the predefined URL database.
The system provides three user-defined URL categories by default: custom1, custom2, custom3.

Configuring User-defined URL DB

To configure a user-defined URL category:



1. Select Objects > URL Filter Bundle > User-defined URL DB.

2. Click New in the toolbar. The URL Category dialog appears.

3. Type the category name in the Name text box. A URL category name cannot consist of only a hyphen (-). You can create at most 1000 user-defined categories.

4. Type the category description in the Description text box. The value range is 0 to 255 characters.

5. Type a URL into the URL http:// box.

6. Click Add to add the URL and its category to the table.

7. Repeat the above steps to add more URLs.

8. To delete an existing URL, select its check box and then click Delete.

9. Specify the deployment device for the URL category in the Relevant Device drop-down menu if necessary.

10. Click OK to save the settings.

Keyword Category
Keywords can be grouped into categories. A URL filter rule that contains a keyword category controls access to websites according to those keywords.
When a URL filter rule includes a keyword category, the system scans traffic for the configured keywords and calculates a trust value for the keywords that are hit. The calculation is: for each keyword that belongs to the category, multiply the number of occurrences by the keyword's trust value, and add up the results. The system then compares the sum with the threshold of 100 and acts according to the result:

If the sum is larger than or equal to the category threshold (100), the configured category action is triggered;

If more than one category action can be triggered and any of them is Block, the final action is Block;

If more than one category action can be triggered and all of them are Permit, the final action is Permit.
For example, a URL filter rule contains two keyword categories: C1 with action Block and C2 with action Permit. Both C1 and C2 contain the same keywords K1 and K2. The trust values of K1 and K2 in C1 are 20 and 40; the trust values of K1 and K2 in C2 are 30 and 80.
If the system detects 1 occurrence each of K1 and K2 in a URL, the C1 trust value is 20*1+40*1=60<100 and the C2 trust value is 30*1+80*1=110>100. As a result, the C2 action is triggered and access to the URL is permitted.
If the system detects 3 occurrences of K1 and 1 occurrence of K2 in a URL, the C1 trust value is 20*3+40*1=100 and the C2 trust value is 30*3+80*1=170>100. The conditions of both C1 and C2 are satisfied, but the Block action of C1 takes precedence, so access to the web page is denied.
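The trust value calculation and the Block-over-Permit precedence described above, carried through in code. This is an added example, not Hillstone's code: the keyword strings, URLs and category names are constructed, and the threshold is the fixed value of 100 stated in the text. Reporting "none" when no category reaches the threshold is an assumption about behaviour the text does not specify.

```python
# Added example (not Hillstone's code): the keyword-category decision described
# above. Per category, score = sum(occurrences * trust value) over its keywords;
# a category is hit when its score reaches the threshold of 100; Block wins over
# Permit when several categories are hit. Assumption (not on the page): when no
# category reaches the threshold the result is reported here as "none".
import re
from dataclasses import dataclass
from typing import Dict, List

THRESHOLD = 100  # fixed category threshold stated in the text


@dataclass(frozen=True)
class Keyword:
    text: str
    trust: int
    regex: bool = False   # "simple" counts the literal text; "regular expression" uses re


@dataclass(frozen=True)
class KeywordCategory:
    name: str
    action: str           # "block" or "permit"
    keywords: tuple


def occurrences(kw: Keyword, url: str) -> int:
    if kw.regex:
        return len(re.findall(kw.text, url))
    return url.count(kw.text)


def category_score(cat: KeywordCategory, url: str) -> int:
    """Sum of (times the keyword is hit * its trust value) over the category."""
    return sum(occurrences(k, url) * k.trust for k in cat.keywords)


def scores(categories: List[KeywordCategory], url: str) -> Dict[str, int]:
    return {c.name: category_score(c, url) for c in categories}


def decide(categories: List[KeywordCategory], url: str) -> str:
    hit = [c for c in categories if category_score(c, url) >= THRESHOLD]
    if any(c.action == "block" for c in hit):
        return "block"           # any Block among the triggered categories wins
    if hit:
        return "permit"          # all triggered categories are Permit
    return "none"                # assumption: no keyword category applies


# The text's example: K1 and K2 appear in both categories with different trust values.
K1, K2 = "game", "bet"          # constructed keyword strings standing in for K1 and K2
C1 = KeywordCategory("C1", "block", (Keyword(K1, 20), Keyword(K2, 40)))
C2 = KeywordCategory("C2", "permit", (Keyword(K1, 30), Keyword(K2, 80)))
CATEGORIES = [C1, C2]

# Constructed URLs under the reserved .test TLD.
URL_ONE_EACH = "http://example.test/game/bet"                 # 1 x K1, 1 x K2
URL_THREE_K1 = "http://example.test/game/game-bet?ref=game"   # 3 x K1, 1 x K2
URL_CLEAN = "http://example.test/news"                        # no keywords

if __name__ == "__main__":
    for url in (URL_ONE_EACH, URL_THREE_K1, URL_CLEAN):
        print(url, scores(CATEGORIES, url), decide(CATEGORIES, url))
```

Because the same keyword can carry a different trust value in each category and a Block category only needs to reach 100 to override every Permit category, a change to one keyword's trust value can flip the outcome for URLs that were previously permitted; recomputing the scores for a few representative URLs, as above, is a quick way to check a category edit before deploying it.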



Configuring a Keyword Category

To configure a keyword category:

1. Select Object > URL Filter Bundle > Keyword Category. The Keyword Category dialog appears.

2. Click New. The Keyword Category dialog appears.

3. Type a category name.

4. Type the category description in the Description text box. The value range is 0 to 255 characters.

5. Specify the keyword, character matching method (simple/regular expression), and trust value.

6. Click Add to add the keyword to the list below.

7. Repeat the above steps to add more keywords.

8. To delete a keyword, select the keyword you want to delete from the list and click Delete.

9. Specify the deployment device for the keyword category in the Relevant Device drop-down menu if necessary.

10. Click OK to save your settings.

Warning Page
To create a new warning page, take the following steps:

1. Select Object > URL Filter Bundle > Warning Page.

2. Click New in the toolbar. The Warning Page dialog appears.


Enter a Name; Description and Relevant Device are optional.

3. Click OK.
You can also click Edit in the toolbar to edit the selected page, and click Delete to delete the page.
The warning page shows the user block information and user audit information.

Configuring Block Warning

If Internet access is blocked by the URL filter function, the access is denied, an Access Denied message is shown in your browser, and the applicable web surfing rules are displayed on the warning page at the same time. See the picture below:



After enabling the block warning function, block warning information will be shown in the browser when one of the fol-
lowing actions is blocked:

Visiting a certain type of URL

Visiting the URL that contains a certain type of keyword category


The block warning function is disabled by default. To configure the block warning function:

1. Click Object > URL Filter Bundle > Warning Page, and then choose the page for which you want to configure the block warning function from the page list on the left.

2. Select Enable check box in the Block Warning section.

3. Configure the display information in the blocking warning page.


Option Description

Default Use the default blocking warning page as shown above.


Redirect page Redirect to the specified URL. Type the URL in the URL http:// box. You
can click Detection to verify whether the URL is valid.
Custom Customize the blocking warning page. Type the title in the Title box and
the description in the Description box. You can click Preview to preview
the blocking warning page.

4. Click OK to save the settings.

Configuring Audit Warning

After enabling the audit warning function, when your network behavior matches the configured URL filter rule, your
HTTP request will be redirected to a warning page, on which the audit and privacy protection information is displayed.
See the picture below:

The audit warning function is disabled by default. To configure the audit warning function:

1. Select Object > URL Filter Bundle > Warning Page, and then choose the page for which you want to configure the audit warning function from the page list on the left.

2. Select Enable check box in the Audit Warning section.

3. Click OK to save the settings.

User
To configure shared users, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page. In the left navigation pane, select the NGFW tab, expand the Configure, Objects and User nodes in turn, and select the target node for further configuration.
For the detailed configuration, see "User" on page 156 in Device Object.



Role
To configure shared roles, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page. In the left navigation pane, select the NGFW tab, expand the Configure, Objects and Role nodes in turn, and select the target node for further configuration.
For the detailed configuration, see "Role" on page 162 in Device Object.

AAA Server
To configure shared AAA servers, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page. In the left navigation pane, select the NGFW tab, and then expand the Configure, Objects and AAA Server nodes in turn.
For the detailed configuration, see "AAA Server" on page 165 in Device Object.

Editing/Deleting an Object
To edit or delete an object, enter the corresponding object page, select the object, and then click the Edit or Delete button. For how to enter the object page and for descriptions of each object's options, see the sections on creating objects.

Note: Only shared virtual routers and shared interfaces can be edited or deleted.



Default Parameters
To configure the default action for newly created security policy rules, take the following steps:

1. Log into HSM and click Configuration > Default Parameters from the Level-1 navigation pane. The Configure Parameters dialog appears.

2. Select the default action for new security policy rules: Permit or Deny.

3. Click OK.



Task Management

HSM uses tasks to track system operations whose running status and results need to be followed. When you perform an operation on HSM, such as deploying a policy to devices or checking rule conflicts, a related task is generated so that you can track the operation. When the system executes the task, related logs are generated, from which you can learn the detailed task information and the reason for any task failure.
This chapter describes the task management configurations, including:

Task Management Window

Viewing Task Logs

Task Management Window
Click Task from the Level-1 navigation pane to enter the task management page. The following is the layout of the page.

Level-1 Navigation Pane


Level-1 navigation pane allows you to navigate to different modules of HSM. For detailed information, see Homepage.
Toolbar
Toolbar shows the available tools. Functions of toolbar are described as below:

Option Description

Start: For tasks in the Initializing or Pause status, click this button to execute the task. An executed task cannot be executed again.

Pause: After a task is started, while it is in the Waiting status, click this button to stop the system from executing it.

Delete: For tasks in the Initializing, Pause, or Terminate status, click this button to delete the task.

Terminate: For tasks in the Initializing, Pause, or Waiting status, click this button to stop the task. A stopped task cannot be executed again.

Task search: Enter the keyword in the text box and then select the type from the drop-down list. The search results are shown in the task table.

Column: Customizes the columns displayed in the main window.



Main Window
The main window shows the task table. The columns of the task table are described below:

Option Description

Task ID: Shows the ID of the task.

Task Name: Shows the name of the task.

Operation: Shows the operation type of the task.

Status: Shows the status of the task. It can be one of the following:

Initializing: The task has been generated but not executed, and it is initializing. You can click Start to execute it.

Check: After you click Start, the system checks the execution conditions of the task.

Waiting: When more than one task has been started, the other started tasks are in this status, because the system does not run multiple tasks simultaneously. A task in this status can be paused or terminated.

Running: The task is running. A running task cannot be paused or terminated.

Pause: The task is paused.

Terminate: The task is terminated.

Result: Shows the running result of the task.

View Report: Click to view the task report.

Failed: The task failed to run. You can get the failure reason from the related logs.

Progress bar: Shows the policy deployment progress. Green indicates successful deployment, orange indicates unsuccessful deployment, and grey indicates not yet deployed. Hover the mouse over the bar to show the text tip.

Create Time: Shows the time when the task was generated.

Run Time: Shows the time when the task was executed.

Log: Click the icon to view the related logs. Logs are generated for each executed task. You can also read the logs in Log > HSM Log > Task Management.

Viewing Task Logs
In the task table, click the log icon in the Log column to open the log window of the corresponding task.
By reading the log messages, you can analyze the failure reason of failed tasks. The system provides a log search function so that you can find the desired information quickly.



Introduction to Monitor

The HSM monitor function gathers data from managed devices and displays the statistics as bar charts, pie charts, line charts, tables and so on. You can learn the network situation and resolve network problems from the statistics. HSM provides monitor data in multiple aspects, including:

Device monitor: Shows statistics per managed device (traffic, attack defense, anti-virus, IPS, CPU, memory). When a problem occurs in the network, you can identify the problem device from the device rank and, with the drill-down function, investigate further by different factors.

User monitor: Shows statistics per user/IP (traffic, attack defense, anti-virus, IPS). When a problem occurs in the network, you can identify the problem user/IP from the user/IP rank and, with the drill-down function, investigate further by different factors.

Application monitor: Shows statistics per application (application traffic). Application monitor helps you know which applications are used in the network and learn the network behavior of the managed users. With the drill-down function, you can get detailed application-related statistics by different factors.

Network threat: Shows statistics on network threats (attack defense, anti-virus, IPS). When network threats occur, you can identify the threat from the threat rank and, with the drill-down function, investigate further.

Network behavior: Shows statistics on network behavior (URL hits and URL category hits). Network behavior monitor helps you know the network behavior of the managed users and keep track of network access information.

VPN monitor: Shows VPN statistics (tunnel information and VPN traffic). VPN monitor helps you get the VPN information of all managed devices.
HSM provides the My Monitor function. With this function,

you can continuously monitor a device in one aspect;

you can access the favorite monitor page conveniently to get interested information;

you can do customized monitor according to your own requirements.


By default, the monitor function is disabled. To enable/disable the monitor function, click System > Device Management > Monitor
Configuration from the Level-1 navigation pane. For detailed information, refer to Monitor Configuration.



Device Monitor
The device monitor page shows statistics per managed device. The device monitor statistics are organized in the main page (summary of device monitor), details page (detailed statistics of each module), drill-down sub-page (statistics for a specified factor), and trend page.

Main Page
Log in to HSM and select Monitor from the Level-1 navigation pane to enter the device monitor main page. The page shows the following information with bar charts:

Top 10 Devices by Average Rate: The device average rate rank in a specified time period. To drill down, click a device's bar and select a factor from the pop-up menu to see the related statistics. The supported factors are zone, interface, user/IP, application, and traffic trend.

Top 10 Devices by Threat: The threat count rank of devices in a specified time period, including virus attack counts, intrusion counts and AD attack counts. To drill down, click a device's bar and select a factor from the pop-up menu to see the related statistics. The supported factors are interface, attacker, victim, and trend.

Top 10 Devices by CPU Utilization: The CPU utilization rank of devices in a specified time period. To drill down, click a device's bar and select Trend to see the CPU utilization trend of the device.

Top 10 Devices by Memory Utilization: The memory utilization rank of devices in a specified time period. To drill down, click a device's bar and select Trend to see the memory utilization trend of the device.

The managed devices and time period can be specified.


To specify the devices whose statistics will be showed, take the following steps:

1. Click Select Device (Group) from the up-left corner of the main page. The Select Device
(Group) dialog pops up.

2. Select the Device or Device Group radio option, and then select the device or device group from the box.

3. Click OK to save the changes and close the dialog. The monitor page only shows the statistics of the selected
devices.
HSM supports pre-defined and customized time periods. You can specify the time period with the options in the upper-right corner.



Time period drop-down list: The drop-down list of pre-defined time periods. The menu items are described below:

Latest 5 Minutes: Shows the statistics of the latest 5 minutes.

Latest 15 Minutes: Shows the statistics of the latest 15 minutes.

Latest 1 Hour: Shows the statistics of the latest 1 hour.

Latest 1 Day: Shows the statistics of the latest 1 day.

Latest 1 Month: Shows the statistics of the latest 1 month.

Custom time period: Customize the time period. Select this option and the Select Time dialog appears. You can specify the time period according to your own requirements. The minimum interval between the start time and the end time is 15 minutes, and statistics for at most the latest 1 year can be shown.
The devices and time period specified here also apply to the details page, drill-down sub-page, and trend page.

Details Page
In the main page, click Details on a chart to go to the corresponding details page.

The details page shows the detailed statistics with bar charts and tables. The bar charts show the device rank by different factors; you can switch factors by clicking the buttons in the upper-left corner. The drill-down function and the time period options are also supported. The tables display the detailed data, and you can find the data you are interested in quickly with the search function.
In addition, the details page provides the Add to MyMonitor function. Click the Add to MyMonitor button to save the current chart and table to MyMonitor, where you can access the monitor you are interested in quickly.
Take the details page of device average rate as an example:

As shown in the screenshot above, the Top 10 drop-down list determines the number of bars shown in the bar chart; the Average Rate, Forwarding Rate, and New Sessions buttons switch among different factors; the time options in the upper-right corner specify the time period of the statistics; use the drill-down function on the bars to get more detailed statistics for the specified factors.



As shown in the screenshot above, the detailed data of each device is displayed in the table. At most, the data of top 200
devices can be displayed. By using the search function, you can get the information you want quickly.

Note: High, Middle, Low factors of the IPS details page refer to the severities of IPS signatures
which are high, middle and low.

Drill-down Sub-page
On the main page or the details page, click a bar and select a menu option, the pop-up page is the drill-down sub-page.
For example, in the device monitor main page, click the bar named M2105, and select Interface from the pop-up menu, a
new page showing interface traffic rank of M2105 appears. The data in the drill-down sub-page is organized in the same
way as the details page (excluding the trend page).

Trend Page
In the bar chart, click a bar and select Traffic Trend/Trend, the trend page of the selected factor appears. HSM uses line
charts to show the developing trend in multiple factors.
Real-time Trend Monitor
To monitor a device in real-time, take the following steps:

1. In the main page or details page, click a bar and select Traffic Trend/Trend.

2. In the trend page, select Real-time from drop-down list in the upper-right corner.



Drill-down in Trend Page
In the current trend page, if further information based on user/IP or application is available, you can get it with the drill-down function. HSM uses a pie chart to show the application distribution and a bar chart to show the user/IP rank.
To view the drill-down sub-page of the trend chart, take the following steps:

1. In the main page or details page, click a bar and select Traffic Trend/Trend.

2. In the trend chart, click a statistics value.

3. The dialog showing the application distribution or the user/IP rank appears.

4. Click the User/IP button to switch to the User/IP rank display.

User Monitor
The user monitor page shows statistics per user on the managed devices. The user monitor statistics are organized in the main page (summary of user monitor), details page (detailed statistics of each module), drill-down sub-page (statistics for a specified factor), and trend page.

Main Page
Log in to HSM and select Monitor from the Level-1 navigation pane to enter the device monitor main page. Click User in the monitor navigation pane to enter the user monitor main page. The user monitor main page shows the following information with bar charts:

Top 10 User Traffic: The user traffic rank in a specified time period. To drill down, click a user's bar and select Traffic Trend from the pop-up menu to see the corresponding statistics.



Top 10 Users by Threat Count: The threat count rank of users (attackers) in a specified time period, including virus attack counts, intrusion counts and AD attack counts. To drill down, click a user's bar and select Victim or Trend from the pop-up menu to see the corresponding statistics.
The managed devices and time period can be specified.
To specify the devices whose statistics will be shown, take the following steps:

1. Click Select Device (Group) in the upper-left corner of the main page. The Select Device (Group) dialog pops up.

2. Select the Device or Device Group radio option, and then select the device or device group from the box.

3. Click OK to save the changes and close the dialog. The monitor page then shows only the statistics of the selected
devices.
HSM supports pre-defined and customized time periods. You can specify the time period with the options in the
upper-right corner.

Time period drop-down list: Select one of the pre-defined time periods:

Latest 5 Minutes: Shows the statistics of the latest 5 minutes.

Latest 15 Minutes: Shows the statistics of the latest 15 minutes.

Latest 1 Hour: Shows the statistics of the latest 1 hour.

Latest 1 Day: Shows the statistics of the latest 1 day.

Latest 1 Month: Shows the statistics of the latest 1 month.

Custom: Select this option and the Select Time dialog appears, where you can specify the time period according to
your own requirements. The minimum interval between the start time and the end time is 15 minutes, and at most the
latest 1 year of statistics can be shown.
The devices and time period specified here also apply to the details page, drill-down sub-page, and trend page.

Details Page
In the main page, click Details of each chart to go to the corresponding details page.

The details page shows the detailed statistics with bar charts and tables. The bar charts show the user rank by
different factors; switch factors with the buttons in the upper-left corner.
The drill-down function and the time period options are also available. The tables display the detailed data, and the
search function lets you find the data you are interested in quickly.
In addition, the details page provides the Add to MyMonitor function. Click the Add to MyMonitor button to save the
current chart and table to MyMonitor, where you can reach the monitors you care about quickly.
Take the details page of user traffic as an example:

As shown in the screenshot above, the Top 10 drop-down list determines the number of bars shown in the bar chart;
the Average Rate, Sent, Received, Forwarding Rate, and New Sessions buttons switch between factors; the time options
in the upper-right corner specify the time period of the statistics; and the drill-down function on the bars gives more
detailed statistics for the selected factor.

As shown in the screenshot above, the detailed data of each user is displayed in the table. At most the top 200 users
are displayed. Use the search function to find the information you want quickly.

Drill-down Sub-page
On the main page or the details page, click a bar and select a menu option; the page that pops up is the drill-down
sub-page. It shows the detailed statistics of the user for a specified factor, or the trend information of the user.
For example, in the user monitor main page, click a bar in the user traffic rank chart and select Application from the
pop-up menu; a new page showing the application traffic rank of that user appears. The data in the drill-down
sub-page is organized in the same way as in the details page (the trend page excepted).

Trend Page
In the bar chart, click a bar and select Traffic Trend/Trend, the trend page of the selected factor appears. HSM uses line
charts to show the developing trend in multiple factors.
Real-time Trend Monitor

To monitor a user on a device in real time, take the following steps:

1. In the user monitor main page, click Select Device (Group), and select a device in the Select Device (Group) dialog.

2. In the main page or details page, click a bar and select Traffic Trend/Trend.

3. In the trend page, select Real-time from the drop-down list in the upper-right corner.

Drill-down in Trend Page


In the current trend page, if further information by application is available, you can get it with the drill-down
function. HSM uses a pie chart to show the application distribution.
To view the drill-down sub-page of the trend chart, take the following steps:

1. In the main page or details page, click a bar and select Traffic Trend/Trend.

2. In the trend chart, click a statistics value.

3. The dialog showing the application distribution appears.

Application Monitor
The application monitor page shows various application-oriented statistics for the managed devices. The application
monitor statistics are organized into the main page (summary of application monitor), details page (detailed statistics
of each module), drill-down sub-page (statistics for a specified factor), and trend page.

Main Page
Log in to HSM and select Monitor from the level-1 navigation pane to enter the device monitor main page. Click
Application in the monitor navigation pane to enter the application monitor main page. The application monitor main
page shows the following information with bar charts:

Top 10 Application Traffic: The application traffic rank in the specified time period. Use the drill-down function:
click an application's bar and select a factor from the pop-up menu to see the related statistics. The supported
factors are device, user/IP, and Trend.

The managed devices and time period can be specified.


To specify the devices whose statistics will be shown, take the following steps:

1. Click Select Device (Group) in the upper-left corner of the main page. The Select Device (Group) dialog pops up.

2. Select the Device or Device Group radio option, and then select the device or device group from the box.

3. Click OK to save the changes and close the dialog. The monitor page then shows only the statistics of the selected
devices.
HSM supports pre-defined and customized time periods. You can specify the time period with the options in the
upper-right corner.

Time period drop-down list: Select one of the pre-defined time periods:

Latest 5 Minutes: Shows the statistics of the latest 5 minutes.

Latest 15 Minutes: Shows the statistics of the latest 15 minutes.

Latest 1 Hour: Shows the statistics of the latest 1 hour.

Latest 1 Day: Shows the statistics of the latest 1 day.

Latest 1 Month: Shows the statistics of the latest 1 month.

Custom: Select this option and the Select Time dialog appears, where you can specify the time period according to
your own requirements. The minimum interval between the start time and the end time is 15 minutes, and at most the
latest 1 year of statistics can be shown.
The devices and time period specified here also apply to the details page, drill-down sub-page, and trend page.

Details Page
In the main page, click Details of each chart to go to the corresponding details page.

The details page shows the detailed statistics with bar charts and tables. The bar charts show the application rank by
different factors; switch factors with the buttons in the upper-left corner.
The drill-down function and the time period options are also available. The tables display the detailed data, and the
search function lets you find the data you are interested in quickly.
In addition, the details page provides the Add to MyMonitor function. Click the Add to MyMonitor button to save the
current chart and table to MyMonitor, where you can reach the monitors you care about quickly.
Take the details page of application traffic as the example:

As shown in the screenshot above, the Top 10 drop-down list determines the number of bars shown in the bar chart;
the Average Rate, Forwarding Rate, and New Sessions buttons switch between factors; the time options in the
upper-right corner specify the time period of the statistics; and the drill-down function on the bars gives more
detailed statistics for the selected factor.

As shown in the screenshot above, the detailed data of each application is displayed in the table. At most the top 200
applications are displayed. Use the search function to find the information you want quickly.

Drill-down Sub-page
On the main page or the details page, click a bar and select a menu option; the page that pops up is the drill-down
sub-page. It shows the detailed statistics of the application for a specified factor, or the trend information of the
application. For example, in the application monitor main page, click the HTTP bar in the application traffic rank
chart and select Device from the pop-up menu; a new page showing the device rank for the HTTP application appears.
The data in the drill-down sub-page is organized in the same way as in the details page (the trend page excepted).

Trend Page
In the bar chart, click a bar and select Traffic Trend/Trend, the trend page of the selected factor appears. HSM uses line
charts to show the developing trend in multiple factors.
Real-time Trend Monitor (Method 1)
To monitor an application on a device in real time, take the following steps:

1. In the application monitor main page, click Select Device (Group) and select a device in the Select Device (Group) dialog.

2. In the main page or details page, click a bar and select Traffic Trend/Trend.

3. In the trend page, select Real-time from drop-down list in the upper-right corner.

Real-time Trend Monitor (Method 2)


To monitor an application on a device in real-time, take the following steps:

1. In the main page or details page, click a bar and select Device.

2. In the device rank bar chart, click a bar and select Trend from the pop-up menu.

3. In the trend page, select Real-time from drop-down list in the upper-right corner.
Drill-down in Trend Page
In the current trend page, if further information by user/IP is available, you can get it with the drill-down function.
HSM uses a bar chart to show the user/IP rank of the application.
To view the drill-down sub-page of the trend chart, take the following steps:

1. In the main page or details page, click a bar and select Trend.

2. In the trend chart, click a statistics value.

3. The dialog showing the user/IP rank appears.

Network Threat Monitor
The network threat monitor page shows various threat-oriented statistics for the managed devices. The network threat
monitor statistics are organized into the main page (summary of network threat monitor), details page (detailed
statistics of each module), drill-down sub-page (statistics for a specified factor), and trend page.

Main Page
Traditional
Log in to HSM and select Monitor from the level-1 navigation pane to enter the device monitor main page. Click Network
Threat > Traditional in the monitor navigation pane to enter the traditional network threat monitor main page. It
shows the following information with bar charts:

Top 10 Attacks: The AD attack count rank in the specified time period. Use the drill-down function: click an attack's
bar and select a factor from the pop-up menu to see the related statistics. The supported factors are attacker,
victim, device, and trend.

Top 10 Virus: The virus attack count rank in the specified time period. Use the drill-down function: click a virus's
bar and select a factor from the pop-up menu to see the related statistics. The supported factors are attacker,
victim, device, and trend.

Top 10 Intrusions: The intrusion count rank in the specified time period. Use the drill-down function: click an
intrusion's bar and select a factor from the pop-up menu to see the related statistics. The supported factors are
attacker, victim, device, and trend.

The ID shown on the X-axis is the IPS signature ID.

Intelligence
Log in to HSM and select Monitor from the level-1 navigation pane to enter the device monitor main page. Click Network
Threat > Intelligence in the monitor navigation pane to enter the intelligence threat monitor main page. Only NIPS and
IDS devices support the intelligence threat monitor. The page shows the following information:

Week Threat Distribution: A pie chart showing the distribution of threat types in the specified time period.

Week Threat Deal Distribution: A doughnut chart showing how threats were handled in the specified time period. The
inner ring shows the proportions of blocked and detected counts over all threats; the outer ring shows the
proportions of blocked and detected counts for each threat type.

Week Top 10 Threat: The threat count rank in the specified time period, including virus attack counts, intrusion
counts and AD attack counts.

Week Top 10 Distribution: The threat count rank by subtype in the specified time period.

Statistics Period
The managed devices and time period can be specified.
To specify the devices whose statistics will be shown, take the following steps:

1. Click Select Device (Group) in the upper-left corner of the main page. The Select Device (Group) dialog pops up.

2. Select the Device or Device Group radio option, and then select the device or device group from the box.

3. Click OK to save the changes and close the dialog. The monitor page then shows only the statistics of the selected
devices.
HSM supports pre-defined and customized time periods. You can specify the time period with the options in the
upper-right corner.

Time period drop-down list: Select one of the pre-defined time periods:

Latest 5 Minutes: Shows the statistics of the latest 5 minutes.

Latest 15 Minutes: Shows the statistics of the latest 15 minutes.

Latest 1 Hour: Shows the statistics of the latest 1 hour.

Latest 1 Day: Shows the statistics of the latest 1 day.

Latest 1 Month: Shows the statistics of the latest 1 month.

Custom: Select this option and the Select Time dialog appears, where you can specify the time period according to
your own requirements. The minimum interval between the start time and the end time is 15 minutes, and at most the
latest 1 year of statistics can be shown.
The devices and time period specified here also apply to the details page, drill-down sub-page, and trend page.

Details Page
In the main page, click Details of each chart to go to the corresponding details page.

The details page shows the detailed statistics with bar charts and tables. The bar charts show the attack rank.
The drill-down function and the time period options are also available. The tables display the detailed data, and the
search function lets you find the data you are interested in quickly.
In addition, the details page provides the Add to MyMonitor function. Click the Add to MyMonitor button to save the
current chart and table to MyMonitor, where you can reach the monitors you care about quickly.
Take the details page of AD attacks as an example:

As shown in the screenshot above, the Top 10 drop-down list determines the number of bars shown in the bar chart;
the time options in the upper-right corner specify the time period of the statistics; and the drill-down function on
the bars gives more detailed statistics for the selected factor.

As shown in the screenshot above, the detailed data of each attack is displayed in the table. At most the top 200
attacks are displayed. Use the search function to find the information you want quickly.

Note: The High, Middle and Low factors on the IPS details page refer to the severity of the IPS signatures (high,
middle or low).

Drill-down Sub-page
On the main page or the details page, click a bar and select a menu option; the page that pops up is the drill-down
sub-page. It shows the detailed statistics of the attack for a specified factor, or the trend information of the
attack. For example, in the network threat monitor main page, click an attack's bar in the AD attack rank chart and
select Device from the pop-up menu; a new page showing the device rank for that attack appears. The data in the
drill-down sub-page is organized in the same way as in the details page (the trend page excepted).

Trend Page
In the bar chart, click a bar and select Trend, the trend page of the selected factor appears. HSM uses line charts to show
the developing trend in multiple factors.
Real-time Trend Monitor (Method 1)
To monitor an attack on a device in real time, take the following steps:

1. In the network threat monitor main page, click Select Device (Group) and select a device in the Select Device
(Group) dialog.

2. In the main page or details page, click a bar and select Trend.

3. In the trend page, select Real-time from the drop-down list in the upper-right corner.

Real-time Trend Monitor (Method 2)


To monitor an attack on a device in real-time, take the following steps:

1. In the main page or details page, click a bar and select Device.

2. In the device rank bar chart, click a bar and select Trend from the pop-up menu.

3. In the trend page, select Real-time from drop-down list in the upper-right corner.
Drill-down in Trend Page
In the current trend page, if further information by attacker (user/IP) or victim (destination IP) is available, you
can get it with the drill-down function. HSM uses bar charts to show the attacker rank and the victim rank of the attack.
To view the drill-down sub-page of the trend chart, take the following steps:

1. In the main page or details page, click a bar and select Trend.

2. In the trend chart, click a statistics value.

3. The dialog showing the attacker rank and victim rank appears.

4. Click the Victim button to switch to the victim rank display.
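The rank, drill-down and trend views of the threat monitor (and the Top 10 Users by Threat Count chart of the user monitor) are all different aggregations of the same per-event threat records. The following Python script is an illustration added here; it is not part of HSM or of its documentation, and nothing in it reads data from HSM. It works on a handful of constructed records whose fields (timestamp, type, name, attacker, victim, device, action) are an assumption that mirrors the factors the monitor pages rank by, and it shows how one Top 10 bar, its attacker/victim drill-down, its per-bucket trend, the per-user threat count breakdown and the blocked/detected deal distribution relate to each other. All function names and sample values are invented for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample threat records (not real HSM data). The field set is an
# assumption that mirrors the factors the threat monitor pages rank by.
SAMPLE_ROWS = [
    # (timestamp, type, name/signature, attacker, victim, device, action)
    ("2018-08-15T10:01:00", "intrusion", "sig-1001",   "10.1.1.5", "10.2.2.10", "fw-a", "blocked"),
    ("2018-08-15T10:02:00", "intrusion", "sig-1001",   "10.1.1.5", "10.2.2.11", "fw-a", "blocked"),
    ("2018-08-15T10:03:00", "virus",     "Trojan.Gen", "10.1.1.5", "10.2.2.10", "fw-b", "detected"),
    ("2018-08-15T10:04:00", "ad",        "SYN-Flood",  "10.1.1.7", "10.2.2.10", "fw-a", "blocked"),
    ("2018-08-15T10:06:00", "ad",        "SYN-Flood",  "10.1.1.7", "10.2.2.10", "fw-a", "blocked"),
    ("2018-08-15T10:07:00", "intrusion", "sig-2002",   "10.1.1.9", "10.2.2.12", "fw-b", "detected"),
    ("2018-08-15T10:12:00", "intrusion", "sig-1001",   "10.1.1.9", "10.2.2.10", "fw-b", "blocked"),
    ("2018-08-15T10:30:00", "virus",     "Trojan.Gen", "10.1.1.5", "10.2.2.13", "fw-a", "blocked"),
]
FIELDS = ("ts", "type", "name", "attacker", "victim", "device", "action")


def parse_events(rows):
    """Turn the raw tuples into dicts with a real datetime for the timestamp."""
    events = []
    for row in rows:
        e = dict(zip(FIELDS, row))
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def in_period(events, start, end):
    """Apply the statistics period: keep events with start <= ts < end."""
    return [e for e in events if start <= e["ts"] < end]


def top_n(events, factor, n=10):
    """Rank one factor by event count, as the Top 10 bar charts do.
    Returns [(value, count), ...] with the highest count first."""
    return Counter(e[factor] for e in events).most_common(n)


def drill_down(events, factor, value, sub_factor, n=10):
    """Click one bar (factor == value) and rank the events behind it by
    another factor, e.g. the victim rank of one IPS signature."""
    return top_n([e for e in events if e[factor] == value], sub_factor, n)


def trend(events, factor, value, start, end, bucket=timedelta(minutes=5)):
    """Per-bucket counts for one bar between start and end, as the Trend line
    chart shows them. Empty buckets are kept so that gaps stay visible."""
    n_buckets = int((end - start) / bucket)
    counts = [0] * n_buckets
    for e in events:
        if e[factor] == value and start <= e["ts"] < end:
            counts[(e["ts"] - start) // bucket] += 1
    return [(start + i * bucket, counts[i]) for i in range(n_buckets)]


def top_users_by_threat_count(events, n=10):
    """Top attackers by total threat count with the per-type breakdown
    (virus / intrusion / ad). Ties are broken by attacker address."""
    per_user = defaultdict(Counter)
    for e in events:
        per_user[e["attacker"]][e["type"]] += 1
    ranked = sorted(per_user.items(), key=lambda kv: (-sum(kv[1].values()), kv[0]))
    return [(user, sum(c.values()), dict(c)) for user, c in ranked[:n]]


def deal_distribution(events):
    """Blocked vs detected counts over all threats (inner ring) and per
    threat type (outer ring), as in the Threat Deal Distribution chart."""
    overall = Counter(e["action"] for e in events)
    per_type = defaultdict(Counter)
    for e in events:
        per_type[e["type"]][e["action"]] += 1
    return dict(overall), {t: dict(c) for t, c in per_type.items()}


if __name__ == "__main__":
    start = datetime(2018, 8, 15, 10, 0)
    end = datetime(2018, 8, 15, 10, 15)
    period = in_period(parse_events(SAMPLE_ROWS), start, end)
    print("Top attacks:", top_n(period, "name"))
    print("Victims of sig-1001:", drill_down(period, "name", "sig-1001", "victim"))
    print("Trend of sig-1001:", trend(period, "name", "sig-1001", start, end))
    print("Top users by threat count:", top_users_by_threat_count(period))
    print("Deal distribution:", deal_distribution(period))
```

The 10:30 record is deliberately outside the 10:00 to 10:15 window, so it drops out of every view once the period is applied, which is exactly what the Select Time dialog does to the main page, details page, drill-down sub-page and trend page together.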

Network Behavior Monitor
The network behavior monitor page shows URL/URL category hit count statistics of the managed devices. The network
behavior monitor statistics are organized into the main page (summary of network behavior monitor), details page
(detailed statistics of each module), drill-down sub-page (statistics for a specified factor), and trend page.

Main Page
Log in to HSM and select Monitor from the level-1 navigation pane to enter the device monitor main page. Click NBC in
the monitor navigation pane to enter the network behavior monitor main page. The page shows the following information
with bar charts:

Top 10 URL Category Hit Count: The URL category hit count rank in the specified time period. Use the drill-down
function: click a URL category's bar and select a factor from the pop-up menu to see the related statistics. The
supported factors are URL, user/IP, device, and Trend.

Top 10 URL Hit Count: The URL hit count rank in the specified time period. Use the drill-down function: click a URL's
bar and select a factor from the pop-up menu to see the related statistics. The supported factors are user/IP,
device, and Trend.

The managed devices and time period can be specified.


To specify the devices whose statistics will be shown, take the following steps:

1. Click Select Device (Group) in the upper-left corner of the main page. The Select Device (Group) dialog pops up.

2. Select the Device or Device Group radio option, and then select the device or device group from the box.

3. Click OK to save the changes and close the dialog. The monitor page then shows only the statistics of the selected
devices.
HSM supports pre-defined and customized time periods. You can specify the time period with the options in the
upper-right corner.

Time period drop-down list: Select one of the pre-defined time periods:

Latest 5 Minutes: Shows the statistics of the latest 5 minutes.

Latest 15 Minutes: Shows the statistics of the latest 15 minutes.

Latest 1 Hour: Shows the statistics of the latest 1 hour.

Latest 1 Day: Shows the statistics of the latest 1 day.

Latest 1 Month: Shows the statistics of the latest 1 month.

Custom: Select this option and the Select Time dialog appears, where you can specify the time period according to
your own requirements. The minimum interval between the start time and the end time is 15 minutes, and at most the
latest 1 year of statistics can be shown.
The devices and time period specified here also apply to the details page, drill-down sub-page, and trend page.

Details Page
In the main page, click Details of each chart to go to the corresponding details page.

The details page shows the detailed statistics with bar charts and tables. The bar charts show the URL category/URL
hit count rank.
The drill-down function and the time period options are also available. The tables display the detailed data, and the
search function lets you find the data you are interested in quickly.
In addition, the details page provides the Add to MyMonitor function. Click the Add to MyMonitor button to save the
current chart and table to MyMonitor, where you can reach the monitors you care about quickly.
Take the details page of the URL category rank chart as an example:

As shown in the screenshot above, the Top 10 drop-down list determines the number of bars shown in the bar chart;
the time options in the upper-right corner specify the time period of the statistics; and the drill-down function on
the bars gives more detailed statistics for the selected factor.

As shown in the screenshot above, the detailed data of each URL category/URL is displayed in the table. At most the
top 200 URL categories/URLs are displayed. Use the search function to find the information you want quickly.

Drill-down Sub-page
On the main page or the details page, click a bar and select a menu option; the page that pops up is the drill-down
sub-page. It shows the detailed statistics of the URL category/URL for a specified factor, or the trend information
of the URL category/URL. For example, in the network behavior monitor main page, click a URL category's bar in the URL
category hit count rank chart and select URL from the pop-up menu; a new page showing the URL hit count rank for that
URL category appears. The data in the drill-down sub-page is organized in the same way as in the details page (the
trend page excepted).

Trend Page
In the bar chart, click a bar and select Trend, the trend page of the selected factor appears. HSM uses line charts to show
the developing trend in multiple factors.
Real-time Trend Monitor (Method 1)
To monitor a URL category/URL on a device in real time, take the following steps:

1. In the network behavior monitor main page, click Select Device (Group) and select a device in the Select Device
(Group) dialog.

2. In the main page or details page, click a bar and select Trend.

3. In the trend page, select Real-time from the drop-down list in the upper-right corner.

Real-time Trend Monitor (Method 2)

To monitor a URL category/URL on a device in real time, take the following steps:

1. In the main page or details page, click a bar and select Device.

2. In the device rank bar chart, click a bar and select Trend from the pop-up menu.

3. In the trend page, select Real-time from the drop-down list in the upper-right corner.
Drill-down in Trend Page
In the current trend page, if further information by user/IP is available, you can get it with the drill-down function.
HSM uses a bar chart to show the user/IP rank of the URL category/URL hit count.
To view the drill-down sub-page of the trend chart, take the following steps:

1. In the main page or details page, click a bar and select Trend.

2. In the trend chart, click a statistics value.

3. The dialog showing the user/IP rank appears.

VPN Monitor
The VPN monitor page shows various VPN statistics for the managed devices. The VPN monitor statistics are organized
into the tunnel statistics page and the device VPN traffic statistics page (VPN traffic trend and VPN traffic rank).

Tunnel Statistics Page
Log in to HSM and select Monitor from the level-1 navigation pane to enter the device monitor main page. Click VPN in
the monitor navigation pane to enter the tunnel statistics page. This page shows a table with detailed tunnel
information. The columns of the table are described below:

VPN Name: Shows the tunnel name. Click the tunnel name to enter the traffic trend/traffic rank page of the tunnel.

Status: Shows the current status of the tunnel, as an icon: Connected or Disconnected.

Peer IP: Shows the IP address of the peer.

Received Traffic Rate (bps): Shows the received traffic rate of the tunnel interface.

Sent Traffic Rate (bps): Shows the sent traffic rate of the tunnel interface.

Created Time: Shows the time when the tunnel was created.

Duration: If the tunnel is connected, shows how long it has been connected. If the tunnel is disconnected, shows how
long it has been disconnected.

Re-connecting Times: Shows how many times the tunnel has re-connected. Click the number in the cell to open the
Reconnection Time dialog, where you can check the detailed re-connection information of the tunnel in a specified
time period. A tunnel that re-connects frequently is worth investigating, since flapping shows up here before it shows
up as a traffic problem.

VPN Type: Shows the type of the tunnel. Only IPSec VPN is supported in this version.

Device Name: Shows the name of the device the tunnel belongs to. Click the device name to enter the VPN traffic
trend/VPN traffic rank page.

Algorithm: Shows the algorithms used by the tunnel (protocol, encryption, authentication, compression). This column is
also where to check that no tunnel is still negotiating deprecated encryption or authentication algorithms.

Latency: Shows the time consumed between sending a packet and receiving the response.

Packet Loss Rate: Shows the packet loss rate of the tunnel.

Description: Shows the description of the tunnel.

The search function is supported to help you find the desired information. The search conditions are listed above the
tunnel table, and you can search according to your own requirements.

Device VPN Traffic Statistics Page


On the tunnel statistics page, click the View button in the upper-right corner to enter the device VPN traffic
statistics page. This page shows the VPN traffic statistics of all managed devices, including the total VPN traffic
trend (line chart) and the total traffic rank (bar chart).
Device Total VPN Traffic Trend Page
The system uses a line chart to show the total VPN traffic trend of all managed devices.

You can select the devices to be shown in the chart, specify the statistics period, and view the tunnel traffic
trend/rank.
To specify the devices whose statistics will be shown, take the following steps:

1. Click Add Legend Item under the line chart. A dialog box listing all managed devices appears.

2. Select the devices you want from the dialog box. Use the search function in the upper-right corner to find the
desired device if necessary.

3. Click anywhere outside the dialog box to close it. The selected devices will be shown on the line chart.
HSM supports pre-defined time periods here. You can specify the time period with the options in the upper-right
corner.

Time period drop-down list: Select one of the pre-defined time periods:

Latest 5 Minutes: Shows the statistics of the latest 5 minutes.

Latest 15 Minutes: Shows the statistics of the latest 15 minutes.

Latest 1 Hour: Shows the statistics of the latest 1 hour.

Latest 1 Day: Shows the statistics of the latest 1 day.

Latest 1 Week: Shows the statistics of the latest 1 week.

Latest 1 Month: Shows the statistics of the latest 1 month.


To view the tunnel traffic trend/rank chart, select a value point on the line chart and click VPN Traffic Trend.

You can select the tunnels to be shown in the chart and specify the statistics period.
To select tunnels, take the following steps:

1. Click Add Legend Item under the line chart. A dialog box listing all tunnels appears.

2. Select the tunnels you want from the dialog box. Use the search function in the upper-right corner to find the
desired tunnel if necessary.

3. Click anywhere outside the dialog box to close it. The selected tunnels will be shown on the line chart.
HSM supports pre-defined time periods here. You can specify the time period with the options in the upper-right
corner.

Time period drop-down list: Select one of the pre-defined time periods:

Latest 5 Minutes: Shows the statistics of the latest 5 minutes.

Latest 15 Minutes: Shows the statistics of the latest 15 minutes.

Latest 1 Hour: Shows the statistics of the latest 1 hour.

Introduction to Monitor 258


Latest 1 Day: Shows the statistics of the latest 1 day.

Latest 1 Week: Shows the statistics of the latest 1 week.

Latest 1 Month: Shows the statistics of the latest 1 month.


Device Rank by Total VPN Traffic Page
The system uses a bar chart to show the device rank by total VPN traffic. On the device total VPN traffic trend page,
click the Device Rank by Total VPN Traffic button to switch to the device rank by total VPN traffic page.

You can select the devices to be shown in the chart, specify the statistics period, specify the Top X shown in the
chart, and view the tunnel traffic trend/rank of a single device.
To specify the devices whose statistics will be shown, take the following steps:

1. Click Add Legend Item under the chart. A dialog box listing all managed devices appears.

2. Select the devices you want from the dialog box. Use the search function in the upper-right corner to find the
desired device if necessary.

3. Click anywhere outside the dialog box to close it. The selected devices will be shown on the chart.
HSM supports pre-defined time periods here. You can specify the time period with the options in the upper-right
corner.

Time period drop-down list: Select one of the pre-defined time periods:

Latest 5 Minutes: Shows the statistics of the latest 5 minutes.

Latest 15 Minutes: Shows the statistics of the latest 15 minutes.

Latest 1 Hour: Shows the statistics of the latest 1 hour.

Latest 1 Day: Shows the statistics of the latest 1 day.

Latest 1 Week: Shows the statistics of the latest 1 week.

Latest 1 Month: Shows the statistics of the latest 1 month.


To specify the Top X shown in the chart, use the Top X filter drop-down list. Options are:

TOP10: Shows statistical information of the top 10 devices.

TOP20: Shows statistical information of the top 20 devices.

Custom: Shows statistical information of a customized number of devices. You specify the number by selecting devices
from the Add Legend Item dialog.
To view the tunnel traffic trend/rank page, select a bar and click VPN Traffic Rank.

You can select the tunnels to be shown in the chart, specify the statistics period, and specify the Top X shown in
the chart.
To select tunnels, take the following steps:

1. Click Add Legend Item under the chart. A dialog box listing all tunnels appears.

2. Select the tunnels you want from the dialog box. Use the search function in the upper-right corner to find the
desired tunnel if necessary.

3. Click anywhere outside the dialog box to close it. The selected tunnels will be shown on the chart.
HSM supports pre-defined time periods here. You can specify the time period with the options in the upper-right
corner.

Time period drop-down list: Select one of the pre-defined time periods:

Latest 5 Minutes: Shows the statistics of the latest 5 minutes.

Latest 15 Minutes: Shows the statistics of the latest 15 minutes.

Latest 1 Hour: Shows the statistics of the latest 1 hour.

Latest 1 Day: Shows the statistics of the latest 1 day.

Latest 1 Week: Shows the statistics of the latest 1 week.

Latest 1 Month: Shows the statistics of the latest 1 month.


To specify the Top X shown in the chart, use the Top X filter drop-down list. Options are:

TOP10: Shows statistical information of the top 10 devices.

TOP20: Shows statistical information of the top 20 devices.

Custom: Shows statistical information of a customized number of devices. You can specify the number by selecting devices from the Add Legend Item dialog.

MyMonitor
The MyMonitor function enables you to view important monitor statistics easily and conveniently. The charts added to MyMonitor are organized by monitor groups (there is a default monitor group named Default Group); all the charts in one group are displayed on one page. One monitor group can contain at most 10 charts, and the maximum number of monitor groups is 10. The default group (Default Group) cannot be deleted.

Adding to MyMonitor
To add a monitor chart to MyMonitor, take the following steps:

1. Most of the monitor pages have the Add to MyMonitor button in the upper-right corner.
Click this button, and the Add To MyMonitor dialog appears.

2. Select a monitor group from the MyMonitor Group drop-down list. The chart will be added to the group specified
here.

3. Type a name for the added chart in the MyMonitor Name text box.

4. Click OK to save the changes and close the dialog.

Creating a New Monitor Group
To create a new monitor group, take the following steps:

1. Log in to HSM, select Monitor from the level-1 navigation pane to enter the device monitor main page. Click
MyMonitor from the monitor navigation pane to expand the monitor group, and click one of the monitor groups.

2. In the main window, click the New Group button. The New Monitor Group dialog appears.

3. Type a name for the new monitor group in the Name text box.

4. Click OK to save the changes and close the dialog.

Deleting a Monitor Group
To delete a monitor group, take the following steps:

1. Log in to HSM, select Monitor from the level-1 navigation pane to enter the device monitor main page. Click
MyMonitor from the monitor navigation pane to expand the monitor group. Select the monitor group to be
deleted.

2. Click the Delete button in the main window.

Viewing Information in MyMonitor
To view the information in MyMonitor, take the following steps:

1. Log in to HSM, select Monitor from the level-1 navigation pane to enter the device monitor main page.

2. Click MyMonitor from the monitor navigation pane to expand the monitor group.

3. Select a monitor group and the charts added to the selected monitor group are displayed in the main window.

Introduction to the Alarm Function

HSM monitors network performance around the clock and sends an alarm notification to notify users when an abnormality occurs. After receiving an alarm, you can decide how to proceed according to the alarm contents.
For more information about the alarm function, see the following:

Alarm

Alarm Rule

Introduction to Alarm
When an alarm event occurs, HSM generates an alarm message. HSM collects alarm messages, which help you know the status of the devices.
All alarm messages are on the Alarm page. The related topics of Alarm are shown below:

Searching Alarm Information

Alarm Analysis

Searching Alarm Information


When an event defined in an alarm rule occurs, HSM generates an alarm message. HSM collects alarm messages, which help you know the status of the devices.
The configurations of this page include:

Searching Alarm Information

Reading Alarm Information

Searching Alarm Information


To search alarm information, take the following steps:

1. Click Alarm from the level-1 navigation pane.

2. Select Alarm > Alarm Search from the alarm navigation pane; the alarm window shows all the alarm information.

3. Specify the search conditions.

Searching Condition    Description

Device    Search the alarm information that includes the specified device name.

Alarm Rule    Search the alarm information that matches the specified alarm rules.

Severity    Search the alarm information that matches the specified severity.

Alarming Time    Search the alarm information that matches the specified alarm time. It can be user-defined.

Status    Search the alarm information that matches the specified alarm status.

Read Time    Search the alarm information that matches the specified time at which the alarm was read.

Read by    Search the alarm information that matches the specified users who read the alarm.

Comment    Search the alarm information that matches the specified comments.

Reason    Search the alarm information that matches the specified alarm reason.

4. Click Search; the alarm window shows all the alarm information that matches the specified conditions.

Reading Alarm Information


Reading alarm information includes two actions: reading the message and adding a comment.
You can perform one of the following to read alarm information:

To read one or more alarm messages, select the checkbox of each alarm message and select Read Selected; the Add Comment dialog appears. Type the comment and then click OK.

To read all alarm information, select Read All; the Add Comment dialog appears. Type the comment and then click OK.

Alarm Analysis
HSM provides the alarm analysis function, which shows device statistics or alarm time trend analysis.
The configurations of this page include:

Device Analysis

Trend Analysis

Device Analysis


To view the device analysis, take the following steps:

1. Click Alarm from the level-1 navigation pane to enter the alarm page.

2. Select Alarm > Alarm Analysis > Device Analysis from the alarm navigation pane. This page shows the alarm counts of devices in a bar chart.

3. Specify the search conditions to view the number of alarms that match the specified conditions.

Searching Condition    Description

Status    Search the alarm information that matches the specified alarm status.

Ranking    Search the alarm information on the Top 5/10/15/50 devices ranked by alarm count.

Alarm Rule    Search the alarm information that matches the specified alarm rules.

Analysis Period    Search the alarm information that matches the specified alarm time. It can be user-defined.

Show Devices in Recycle Bin    Select the checkbox, and HSM will also count historical alarm information that has already been deleted to the Recycle Bin.

4. To view the alarm severity statistics for one device, click the bar of this device and select Level in the popup menu.

5. In the pie chart on the right side, click a severity color; the table below shows the alarm information for that severity.

6. Use one of the following ways to read alarm status information:

Click the Status column in the table; the Add Comment dialog appears. Type the alarm reason and comment in the text boxes and then click OK.

To batch-process multiple alarm messages, select the checkboxes before the alarm messages and then click the Read Selected button at the top of the table; the Add Comment dialog appears. Type the alarm reason and comment in the text boxes and then click OK.

Trend Analysis


The alarm time trend line chart shows the trend of alarm counts over a period.
To view the alarm trend analysis, take the following steps:

1. Click Alarm from the level-1 navigation pane.

2. Select Alarm > Alarm Analysis > Trend Analysis from the alarm navigation pane; the alarm trend analysis page appears.

3. Specify the search conditions to view the alarm trend analysis that matches the specified conditions.

Searching Condition    Description

Severity    Search the alarm information that matches the specified severity.

Status    Search the alarm information that matches the specified alarm status.

Device    Search the alarm information that includes the specified device name.

Alarm Rule    Search the alarm information that matches the specified alarm rules.

Analysis Period    Search the alarm information that matches the specified alarm time.

4. Use one of the following ways to read alarm status information:

Click the Status column in the table; the Add Comment dialog appears. Type the alarm reason and comment in the text boxes and then click OK.

To batch-process multiple alarm messages, select the checkboxes before the alarm messages and then click the Read Selected button at the top of the table; the Add Comment dialog appears. Type the alarm reason and comment in the text boxes and then click OK.

Introduction to the Alarm Rule
An alarm rule defines the condition under which an alarm is generated. HSM raises alarms according to the specified alarm rules, and the administrator handles the event after the alarm.
For more information about the alarm rule, see the following:

Configuring the Alarm Rule

Configuring the Alarm Rule


An alarm rule defines the condition under which an alarm is generated. HSM raises alarms according to the specified alarm rules, and the administrator handles the event after the alarm. HSM provides multiple alarm rule types, including resource, status, traditional threat, intelligent threat, VPN and other. You can use predefined and user-defined rules.
The configurations of this page include:

Viewing a Predefined Alarm Rule

Creating a User-defined Alarm Rule

Editing an Alarm Rule

Configuring an Alarm Email Recipient

Enabling/Disabling an Alarm Rule

Deleting an Alarm Rule

Emptying Recycle Bin

Viewing a Predefined Alarm Rule


HSM provides multiple predefined alarm rules. Every predefined rule can be modified, and the modified rule takes effect after the modification.
To view the predefined alarm rule, take the following steps:

1. Click Alarm from the level-1 navigation pane to enter the alarm page.

2. Select Alarm Rule > All Rules > Predefined from the alarm navigation pane.

3. Select the type of the alarm rule, and the alarm window will show you the predefined alarm rule list.

4. Click the name of the predefined rule in the alarm window.

5. Configure the alarm rule as follows:

Rule Name: Shows the alarm rule name. The name of a predefined rule cannot be modified.
Description: Type a description of the rule.
Trigger: Specify the trigger condition under which an alarm occurs. When HSM detects such an event on the selected device, it generates an alarm message. Only some rules need a trigger condition.

Device: Select the device to which the alarm rule applies from the drop-down list. Intelligent threat rules can only be applied to NIPS devices.
Action: HSM can take the following actions when an alarm occurs:

Alarm only.

Besides the alarm, HSM can send an alarm email or SMS message to the specified recipients. (Select the checkbox before Send via Email or Send via SMS, click New, and configure the recipient name, Email, Mobile Phone and Comment in the Send via Email dialog.)

6. Click OK to finish configurations.

Creating a User-defined Alarm Rule


To create a user-defined alarm rule, take the following steps:

1. Select Alarm Rule > All Rules > User-defined from the alarm navigation pane.

2. Click New in the alarm window.

3. Configure the alarm rule as follows:

Rule Name: Shows the alarm rule name. The name of a predefined rule cannot be modified.
Description: Type a description of the rule.
Trigger: Specify the trigger condition under which an alarm occurs. When HSM detects such an event on the selected device, it generates an alarm message. Only some rules need a trigger condition.
Device: Select the device to which the alarm rule applies from the drop-down list. Intelligent threat rules can only be applied to NIPS devices.
Action: HSM can take the following actions when an alarm occurs:

Alarm only.

Besides the alarm, HSM can send an alarm email or SMS message to the specified recipients. (Select the checkbox before Send via Email or Send via SMS, click New, and configure the recipient name, Email, Mobile phone and Comment in the Send via Email dialog.)

4. Click OK to finish configurations.

Editing an Alarm Rule
To edit an alarm rule that has already been created, take the following steps:

1. In the alarm window of the Alarm Rule page, select the rule you want to modify.

2. Modify according to your need.

3. Click OK to save your changes.

Configuring an Alarm Recipient


To manage the email or SMS recipients who receive HSM alarms, take the following steps:

1. In the alarm window of the Alarm Rule page, click Send via Email.

2. In the Send via Email dialog, configure with one of the methods below:

Click New, and then specify the recipient name, Email, Mobile phone and comment in the text boxes.

Select the checkbox before the recipient you want to delete, and then click Delete. (A recipient that is referenced by an alarm rule cannot be deleted.)

Enabling/Disabling an Alarm Rule


Only an enabled alarm rule takes effect; a disabled rule does not.
To enable/disable an alarm rule, take the following steps:

1. In the alarm window of the Alarm Rule page, select the checkbox before the rule you want to enable/disable.

2. Click Enable or Disable in the toolbar.

3. In the Submit dialog, click OK.

Deleting an Alarm Rule


Only user-defined alarm rules can be deleted.
To delete an alarm rule, take the following steps:

1. Select Alarm Rule > All Rules > User-defined from the alarm navigation pane.

2. Select the checkbox before the rule you want to delete.

3. Click Delete in the toolbar.

4. In the Submit dialog, click OK.

Note:
The alarm rule is stored in the Recycle Bin after being deleted. You can click Restore on the Recycle Bin page to restore the rule to its original place, or click Delete on the Recycle Bin page to permanently delete the rule.

If an alarm rule is permanently deleted, all the alarm information that matched the rule is deleted at the same time.

Emptying Recycle Bin
All deleted rules are stored in the Recycle Bin. To delete rules permanently, take the following steps:

1. Select Alarm Rule > Recycle Bin from the alarm navigation pane.

2. Click Empty from the toolbar.

3. Click OK.

Note:
If an alarm rule is permanently deleted, all the alarm information that matched the rule is deleted at the same time.
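The alarm rule behaviour this chapter describes (only enabled rules raise alarms, intelligent threat rules apply only to NIPS devices, a recipient referenced by a rule cannot be deleted, deleted rules wait in the Recycle Bin until restored or emptied, and emptying it also removes the alarm information that matched those rules), as an added in-memory model in Python that is not HSM's own code; all class, field and event names are assumptions made for the example.

```python
"""Added example (not Hillstone's code): an in-memory model of the alarm rule
lifecycle described above.  Class, field and event names are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class Recipient:                      # one entry of the Send via Email dialog
    name: str
    email: str = ""
    mobile: str = ""


@dataclass
class AlarmRule:
    name: str
    trigger: Callable[[dict], bool]   # trigger condition evaluated on a device event
    devices: Set[str]                 # devices the rule is applied to
    category: str = "resource"        # resource, status, traditional threat, intelligent threat, VPN, other
    predefined: bool = False
    enabled: bool = True
    recipients: List[str] = field(default_factory=list)   # Send via Email / Send via SMS


@dataclass
class AlarmMessage:
    rule: str
    device: str
    severity: str
    read: bool = False
    comment: str = ""


class AlarmStore:
    def __init__(self, device_types: Dict[str, str]):
        self.device_types = device_types          # device name -> "NIPS", "firewall", ...
        self.recipients: Dict[str, Recipient] = {}
        self.rules: Dict[str, AlarmRule] = {}
        self.recycle_bin: Dict[str, AlarmRule] = {}
        self.alarms: List[AlarmMessage] = []

    def add_recipient(self, r: Recipient) -> None:
        self.recipients[r.name] = r

    def delete_recipient(self, name: str) -> None:
        # A recipient referenced by an alarm rule cannot be deleted.  Assumption:
        # a rule waiting in the Recycle Bin still counts as a reference.
        for rule in list(self.rules.values()) + list(self.recycle_bin.values()):
            if name in rule.recipients:
                raise ValueError(f"recipient {name!r} is referenced by rule {rule.name!r}")
        del self.recipients[name]

    def add_rule(self, rule: AlarmRule) -> None:
        if rule.category == "intelligent threat":
            # Rules of intelligent threat can only be applied to NIPS devices.
            bad = [d for d in rule.devices if self.device_types.get(d) != "NIPS"]
            if bad:
                raise ValueError(f"intelligent threat rule on non-NIPS devices: {bad}")
        for r in rule.recipients:
            if r not in self.recipients:
                raise ValueError(f"unknown recipient {r!r}")
        self.rules[rule.name] = rule

    def set_enabled(self, name: str, enabled: bool) -> None:
        self.rules[name].enabled = enabled        # only an enabled rule takes effect

    def process_event(self, event: dict) -> List[Tuple[str, str]]:
        """Evaluate one monitoring event; store a message per match, return notifications."""
        notified: List[Tuple[str, str]] = []
        for rule in self.rules.values():
            if not rule.enabled or event["device"] not in rule.devices:
                continue
            if rule.trigger(event):
                self.alarms.append(AlarmMessage(rule.name, event["device"], event["severity"]))
                notified.extend((rule.name, r) for r in rule.recipients)
        return notified

    def delete_rule(self, name: str) -> None:
        if self.rules[name].predefined:
            raise ValueError("only user-defined alarm rules can be deleted")
        self.recycle_bin[name] = self.rules.pop(name)   # moved to the Recycle Bin, not destroyed

    def restore_rule(self, name: str) -> None:
        self.rules[name] = self.recycle_bin.pop(name)   # Restore: back to its original place

    def empty_recycle_bin(self) -> int:
        """Permanently delete binned rules and their alarm messages; return messages dropped."""
        gone = set(self.recycle_bin)
        before = len(self.alarms)
        self.alarms = [a for a in self.alarms if a.rule not in gone]
        self.recycle_bin.clear()
        return before - len(self.alarms)

    def read_selected(self, indexes: List[int], comment: str) -> None:
        """Read Selected: mark the chosen messages as read and attach the comment."""
        for i in indexes:
            self.alarms[i].read = True
            self.alarms[i].comment = comment
```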

Introduction to Report

HSM provides rich and vivid reports that allow you to analyze device status, network access and user behaviors comprehensively through all-around, multi-dimensional statistics and charts. HSM can generate periodic reports daily, weekly, monthly and quarterly, and the statistics granularity can be minute, hour or day. Reports can be rendered as HTML or PDF files and mailed to specified recipients. At the time of writing HSM supports nearly 100 statistic items, including traffic, AV, IPS, network behavior, VPN, system, etc. These items can be categorized as below:

Traffic: Traffic information for the specified devices, zones, interfaces, applications, users or time range.

Network threat: Network threat information about AV, IPS and attack defense.

Network behavior: Network behavior information about Internet surfing and IM.

VPN: Tunnel information about IPSec VPN and SSL VPN.

System: CPU, memory and session information for the managed devices.
Note that the above items may not be available on all devices. Check your system's actual page to see whether your device delivers these items.
For more information about reports, see the following chapters:

Report File

Report Template

Server

Introduction to Report File
Report files, the final display of statistics and analysis, show the statistics of device status, network traffic, user behaviors, etc. as a combination of charts and tables.
HSM introduces three main concepts for reporting: report template, report file and report schedule. The report template and report schedule are the basis for generating report files and define all the contents of the report files; the report schedule is part of the report template and defines the generation cycle and life cycle of report files; the report file shows the statistical result in charts and tables. The statistic items of a report file depend on the configuration of the corresponding report template, and the generation time depends on the corresponding report schedule.
For more information about report files, see the following chapters:

Viewing a Report File

Managing a Report File

Viewing a Report File


A report file shows the statistical result in charts and tables. The contents, generation time and file format of a report file depend on the configuration of the corresponding report template.
To view a report file in the system, take the following steps:

1. Log into HSM. Click Report from the Level-1 navigation pane to enter the report page.

2. In the report navigation pane, click Report File > File Collection to list all the report files in the system in the report
window, as shown below:

3. By default the report files are sorted by the time of creation. Click a column name to sort by the file name, the corresponding template, the time of creation or the author name of the corresponding template; click the column name again to sort the report files in reverse order.

4. To search for a report file by keywords, type a keyword into the searching box in the toolbar, and press Enter. All the
report files that contain the keyword will be listed in the report window.

5. Expand a report category and double-click the file name to view the report in a new browser window, as shown
below:

6. A report file consists of a left pane and a right pane. Report items are listed in the left pane; contents are shown in the right pane, including the basic information, the template modification history, and the charts and tables. Click an item in the left pane to jump to the corresponding details in the right pane.
To view a deleted report file, click Report File > Deleted Files in the report navigation pane, and repeat Step 3 to Step 6 above.

Note: By default the report categories are not expanded. Each category may contain several report files. Only 100 report files can be listed on one page, so there may be more categories on other pages. To view the categories that are not listed on the current page, click the Next button at the lower right.

Managing a Report File


A report file shows the statistical result in charts and tables. You can download, delete or restore a report file.
The configurations of report file management include:

Downloading a Report File

Deleting a Report File

Restoring a Report File

Deleting a Report File Permanently

Downloading a Report File
HSM can generate report files in PDF or HTML format. The file format is specified in the Output of the file's template.
To download a report file in the system, take the following steps:

1. Log into HSM. Click Report from the Level-1 navigation pane to enter the report page.

2. In the report navigation pane, click Report File > File Collection to list all the report files in the system in the report
window. By default the report files are sorted by the time of creation.

3. Take one of the following operations:

To download a report file, click the icon under the File Type column ( indicates HTML format, and indicates PDF format), and download the file to your local disk as prompted.

To batch download multiple report files, select the checkboxes for the files, click Download in the toolbar, and
download the compressed file package to your local disk as prompted. The file format in the package is spe-
cified in the Output of the file's template.

Deleting a Report File


To delete a report file in the system, take the following steps:

1. Log into HSM. Click Report from the Level-1 navigation pane to enter the report page.

2. In the report navigation pane, click Report File > File Collection to list all the report files in the system in the report
window. By default the report files are sorted by the time of creation.

3. Select the checkbox for the report file (or the checkboxes for multiple report files) to be deleted, and click Delete in the toolbar.

4. In the OK dialog, click OK to delete.

Note: The deleted files are moved to Report File > Deleted Files.

Restoring a Report File
You can restore a deleted report file if it has not been cleared. To restore a deleted report file, take the following steps:

1. Log into HSM. Click Report from the Level-1 navigation pane to enter the report page.

2. In the report navigation pane, click Report File > Deleted Files to list all the deleted report files in the report window.

3. Select the checkbox for the report file (or the checkboxes for multiple report files) to be restored, and click Restore in the toolbar.

4. In the OK dialog, click OK to restore.

Deleting a Report File Permanently


The deleted files are moved to Report File > Deleted Files and can be restored at any time. For more details, see Restoring a Report File.
To permanently delete a report file from Deleted Files, take the following steps:

1. Log into HSM. Click Report from the Level-1 navigation pane to enter the report page.

2. In the report navigation pane, click Report File > Deleted Files to list all the deleted report files in the report window.

3. Select the checkbox for the report file (or the checkboxes for multiple report files) to be cleared, and click Delete in the toolbar.

4. In the OK dialog, click OK to delete the file permanently.


You can also click Clear in the toolbar and then click OK in the OK dialog to delete all the deleted files permanently.

Note: Report files that are deleted permanently cannot be restored. Take this operation with caution.

Introduction to Report Template
Report templates, the basis for generating report files, define all the contents of the report files, including statistic items, chart format, schedule, output format, etc.
HSM report templates consist of predefined and user-defined templates. Predefined templates are built into HSM and categorized by analysis contents. Nearly 100 report items in the predefined templates cover analysis data on traffic, network, network behaviors, VPN, system, etc. User-defined templates are created by users as needed.
Note that some items in predefined templates can only be displayed in the reports of NIPS devices, such as Security Risk Summary, Risk Type Summary and Security Risk Detail.
For more information about the configuration of report template, see the following pages:

Configuring a Report Template

Managing a Report Schedule

Configuring a Report Template


Report templates, the basis for generating report files, define all the contents of the report files, including statistic items, chart format, data time, schedule, output format, etc.
HSM report templates consist of predefined and user-defined templates. Predefined templates are built into HSM, but you cannot run a predefined template to generate a report file directly; user-defined templates are created by users as needed, and you can run a user-defined template to generate a report file directly.
Note that some items in predefined templates can only be displayed in the reports of NIPS and IDS devices, such as Security Risk Summary, Risk Type Summary and Security Risk Detail.
The configurations of report template include:

Creating a User-defined Template

Editing a User-defined Template

Deleting a User-defined Template

Restoring a User-defined Template

Deleting a User-defined Template Permanently

Creating a User-defined Template


HSM provides a template wizard to help you create a user-defined template. You can create a report template step by step as prompted by the wizard.
To start the template wizard, take the following steps:

1. Log into HSM. Click Report from the Level-1 navigation pane to enter the report page.

2. In the report navigation pane, click Report Template > User-defined to list all the user-defined templates in the
report window.

3. Click New in the toolbar to start the template wizard.


You can also edit a predefined template to create a user-defined template. In the report navigation pane, click the predefined template to be edited to start the template wizard.
To create a report template, you need to complete eight steps in different wizard tabs. After completing one step, click Next to go to the next step. Options and notes for each step are shown below:

Basic
This tab contains the basic information of the report template, which is shown on the first page of the report file. Configure the options as below:

Option description:
Name: Specify the name of the template. When creating a user-defined template from a predefined template, the name of the new template is by default the predefined template name plus the current system time.
Company: Specify the company name in the report file.
Description: Add description for the template.
Show: Select a checkbox or checkboxes to show the operation history and/or description of the template in the report
file.

Device
Select the analysis devices. Configure options as below:
Devices: Select one or more checkboxes for the devices to include in the report file statistics.
Counting Type: Select Include Total Sum of Devices to count each device individually; select Not Include Total Sum of Devices to count each device and the total sum of all the selected devices. Only when you choose Include Total Sum of Devices can the system show Security Risk Summary, Risk Type Summary or Security Risk Detail of the NIPS devices.

Data Time
Configure statistic time range and frequency as below:
Data Time: Specify the data time for the statistics. Click Latest and select a time range from the drop-down list which can
be 1 day, 1 week, 1 month or 3 months; click Period and specify the start time and end time of statistics.

Item
Report item, the key component of a report, defines the statistic contents. HSM contains nearly 100 built-in report items,
covering analysis data in traffic, network, network behaviors, VPN, system, etc. A report template can contain multiple
report items.
To add a report item to the template, take the following steps:

1. Expand a report item category node in the left All box, select a category to list all the items in the category in the
Available box.

2. Select an item and click Add, or click Add All. All the selected report item categories will be listed in the Selected box.
To delete an item, select the item (or press Ctrl and left-click to select multiple items) and click Delete, or click Delete
All to delete all the items.
Note that you need to select at least one report item; otherwise you can neither go to the next step nor save the template.

Item Options
Configure the following detailed options for each report item under the tab:
Basic: Shows the title and description of the report item (editable). Select the checkbox for Show the above chart to show the description above the chart.

Filter: The filter options vary by report item. By default the report item counts all the objects of the selected devices. To edit a filter parameter, see the filter parameter descriptions below.

Parameter Description

Application By default the system counts all the application traffic of the selected devices (all
the checkboxes are not selected).
To only count traffic of the specified application, select Application under Filter;
under the Not Include tab, select the applications that will not be included in the
traffic statistics. If an application is selected under the Include and Not Include
tabs simultaneously, the traffic of the application will not be included in traffic
statistics.

Direction By default the system counts both the sent and received traffic of the selected
devices.
To only count the sent traffic, select the checkbox for Sent Traffic, and clear the
checkbox for Received Traffic; to only count the received traffic, select the check-
box for Received Traffic, and clear the checkbox for Sent Traffic.

Zone By default the system counts all the zone traffic of the selected devices (all the
checkboxes are not selected).
To only count traffic of the specified zone, select Zone under Filter; under the Not
Include tab, select the zones that will not be included in the traffic statistics. If a
zone is selected under the Include and Not Include tabs simultaneously, the
traffic of the zone will not be included in traffic statistics.

Interface By default the system counts all the interface traffic of the selected devices.
To only count traffic of the specified interface, select Interface under Filter; under
the Not Include tab, select the interfaces that will not be included in the traffic
statistics. If an interface is selected under the Include and Not Include tabs sim-
ultaneously, the traffic of the interface will not be included in traffic statistics.

Src IP By default the system counts traffic from all users.


To only count traffic from the specified user, select Src IP under Filter; under the
Include tab, specify the IP or IP range, and click Add. Under the Not Include tab,
specify the IP or IP range that not be included in the traffic statistics, and click
Add. If a user is selected under the Include and Not Include tabs simultaneously,
the user will not be included in attack statistics.

Attacker By default the system counts attacks from all sources.


To only count attacks from the specified source, select Attacker under Filter;
under the Not Include tab, specify the IP or IP range that will not be included in
the attack statistics, and click Add. If a source is selected under the Include and
Not Include tabs simultaneously, the source will not be included in attack stat-
istics.

Dst IP By default the system counts attacks against all destination IPs.
To only count traffic against the specified IP, select Dst IP under Filter; under the
Include tab, specify the IP or IP range, and click Add. Under the Not Include tab,
specify the IP or IP range that not be included in the attack statistics, and click
Add. If a destination IP is selected under the Include and Not Include tabs sim-
ultaneously, the IP will not be included in attack statistics.

Attack By default the system will count all attacks.


To only count the specified attack, under the Include tab, type the attack name
into the text box and click Add; under the Not Include tab, type the attack name
that will not be included in the attack count into the text box and click Add.

Level Specify the severity of attacks which can be High and above, Middle and above
and Low and above.

URL By default the system counts accesses to all URLs.


To only count accesses to the specified website, select URL under Filter; under the
Include tab, type the URL into the text box, and click Add. Under the Not Include

Introduction to Report 278


Parameter Description

tab, repeat the above steps to specify the URL that will not be included in URL
access statistics. If a URL is specified under the Include and Not Include tabs sim-
ultaneously, the URL will not be included in URL access statistics.

IM By default the system counts all IM chats, including QQ, MSN, 9158 and Fetion.
To only count the specified IM chat, select IM under Filter, and select IM software
in the right box.

Username By default the system counts traffic of all VPN users.
To only count traffic of the specified VPN user, select Username under Filter; under the Include tab, type the username into the text box, and click Add. Under the Not Include tab, repeat the above steps to specify the VPN user that will not be included in traffic statistics. If a username is specified under the Include and Not Include tabs simultaneously, the VPN user will not be included in the traffic statistics.

Time Specify the time range of statistics. By default the time range is the same as the
schedule defined in the report template.
To modify the time range of the report item, clear the checkbox for Inherit from
Template, and select a time range within the time range specified by the report
template.

Device Specify the devices whose data is counted. By default the devices are the same as the devices defined in the report template. To count other devices, clear the checkbox for Inherit from Template, and select devices from the Counting Type box. In the Devices section, select Include Total Sum of Devices to count each device individually; select Not Include Total Sum of Devices to count each device and the total sum of all the selected devices.

Chart: Specify the number of ranking items in the tables and charts of reports. The system can show at most the Top 10 ranking items.
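As an added illustration of the Include/Not Include rules in the table above (example code written for this guide, not HSM's own implementation), the following Python applies those rules to constructed attack records; the record layout, IP ranges and attack names are assumptions.

```python
"""Added example (not HSM code): the Include / Not Include filter rules for
report items, applied to constructed attack records.

Rules implemented, as the parameter table states them:
  * an empty Include list means "count everything";
  * an entry under Not Include is excluded;
  * an entry under both tabs is excluded (Not Include wins);
  * Level keeps only attacks of the chosen severity and above.
"""
import ipaddress
from collections import Counter

SEVERITY_RANK = {"Low": 1, "Middle": 2, "High": 3}


def parse_ip_spec(spec: str):
    """Turn '10.0.0.5', '10.0.0.0/24' or '10.0.0.1-10.0.0.20' into an
    inclusive (low, high) pair of integers."""
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
    elif "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        lo, hi = net[0], net[-1]
    else:
        lo = hi = ipaddress.ip_address(spec)
    if int(lo) > int(hi):
        raise ValueError(f"range is reversed: {spec}")
    return int(lo), int(hi)


class IpFilter:
    """One Filter entry (Attacker or Dst IP) with its Include / Not Include tabs."""

    def __init__(self, include=(), not_include=()):
        self.include = [parse_ip_spec(s) for s in include]
        self.not_include = [parse_ip_spec(s) for s in not_include]

    @staticmethod
    def _hit(ranges, ip_int):
        return any(lo <= ip_int <= hi for lo, hi in ranges)

    def counts(self, ip: str) -> bool:
        ip_int = int(ipaddress.ip_address(ip))
        # Not Include is checked first so that an IP listed under both
        # tabs is dropped, as the table specifies.
        if self._hit(self.not_include, ip_int):
            return False
        return not self.include or self._hit(self.include, ip_int)


class NameFilter:
    """Same two-tab rule for attack names (exact, case-insensitive match)."""

    def __init__(self, include=(), not_include=()):
        self.include = {n.lower() for n in include}
        self.not_include = {n.lower() for n in not_include}

    def counts(self, name: str) -> bool:
        key = name.lower()
        if key in self.not_include:
            return False
        return not self.include or key in self.include


def count_attacks(records, attacker=None, dst=None, attack=None, min_level="Low"):
    """Tally attack names over the records that pass every configured filter.
    A filter left as None behaves like the default ("count all")."""
    attacker = attacker or IpFilter()
    dst = dst or IpFilter()
    attack = attack or NameFilter()
    floor = SEVERITY_RANK[min_level]
    tally = Counter()
    for rec in records:
        if SEVERITY_RANK[rec["level"]] < floor:
            continue
        if not (attacker.counts(rec["src"]) and dst.counts(rec["dst"])
                and attack.counts(rec["attack"])):
            continue
        tally[rec["attack"]] += 1
    return tally


# Constructed sample records (not real IPS output).
SAMPLE_RECORDS = [
    {"src": "203.0.113.10", "dst": "10.0.0.5", "attack": "SQL Injection", "level": "High"},
    {"src": "203.0.113.10", "dst": "10.0.0.6", "attack": "SQL Injection", "level": "High"},
    {"src": "203.0.113.77", "dst": "10.0.0.5", "attack": "Port Scan", "level": "Low"},
    {"src": "198.51.100.3", "dst": "10.0.0.5", "attack": "XSS", "level": "Middle"},
    {"src": "198.51.100.9", "dst": "10.0.0.9", "attack": "XSS", "level": "Middle"},
    {"src": "192.0.2.4", "dst": "10.0.0.5", "attack": "Brute Force", "level": "High"},
]


def demo():
    # Attacker: Include the whole 203.0.113.0/24 block but also Not Include
    # 203.0.113.77, so that host sits under both tabs and is dropped.
    attacker = IpFilter(include=["203.0.113.0/24", "198.51.100.1-198.51.100.5"],
                        not_include=["203.0.113.77"])
    dst = IpFilter(include=["10.0.0.1-10.0.0.8"])
    return count_attacks(SAMPLE_RECORDS, attacker=attacker, dst=dst, min_level="Middle")


if __name__ == "__main__":
    for name, n in demo().most_common():
        print(f"{n:3d}  {name}")
```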

Schedule
A report schedule specifies the time range during which the corresponding report template takes effect. During the time range specified by the report schedule, the system generates report files continuously. A report template can contain multiple report schedules.
To add a report schedule to the report template, take the following steps:

1. Under the Schedule tab, click New. In the New dialog, configure the options as below:

Generation Cycle: Specify the generation cycle of report files, which can be daily, weekly, monthly, quarterly or one-time.
Effective: Specify the start time and end time of the schedule. Select No End to make the template take effect forever.
Delete Schedule after End Date: Select the checkbox to delete the schedule after the end date.
Generated at: Specify the date and time the report file is generated.

2. Click OK to save the settings. The schedule is enabled by default.

You need to select at least one schedule, otherwise you will neither be able to go to the next step nor save the template.

Output
Output specifies the format of report files and the destination the report files will be sent to. Configure the options as
below:

File Format: Select the format of the report file, which can be PDF or HTML. You need to select at least one file format, otherwise you will neither be able to go to the next step nor save the template.
Send via Email: Select the checkbox to send the report files to an Email address.
To add a recipient, type an Email address into the Email box (separate multiple recipients by ";"), or take the following steps:

1. Click Manage. In the Email Configuration dialog, click New.

2. In the Add dialog, type the name, Email address and comments into the boxes, and click OK.

3. Close the Email Configuration dialog. Click Recipient.

4. In the Recipient dialog, select the checkbox for the recipient, and click OK. The recipient will be listed in the Email
box.
Send via FTP: Select the checkbox to send the report files to an FTP server.
Server Name/IP: Type the server name or IP address.
Username: Type the username to log into the FTP server.
Password: Type the password to log into the FTP server.
Anonymous: Select the checkbox to log into the FTP server anonymously (only applicable to the FTP server that allows
anonymous login).
Path: Type the filepath for the report files.
Test: Click the button to test if the FTP server is available.

Sample
Sample is used to demonstrate the report file based on the template. To view a sample, take the following steps:

1. Click Generate Sample to generate a sample report file.

2. When the system prompts "Generation succeeded", click View Sample to view the report file.

Editing a User-defined Template


To edit a user-defined report template, take the following steps:

1. Log into HSM. Click Report from the Level-1 navigation pane to enter the report page.

2. In the report navigation pane, click Report Template > User-defined to list all the user-defined templates in the
report window.

3. Double-click the report template to be edited, and edit options under each tab.

4. Click Save to save the settings.

Note: To preview the report file based on the configured template, click Generate Now on the upper-left to generate a report file immediately. Click Report File > File Collection and double-click the report file with the name specified in the template to open the report file in a new window of your web browser.

Deleting a User-defined Template


To delete a user-defined report template, take the following steps:

1. Log into HSM. Click Report from the Level-1 navigation pane to enter the report page.

2. In the report navigation pane, click Report Template > User-defined to list all the user-defined templates in the
report window.

3. Select the checkbox for the template to be deleted, and click Delete.

4. In the OK dialog, click OK to delete. If any report file has been generated based on this template, also select the
checkbox for Delete Report Files Generated by This Schedule.

Restoring a User-defined Template


To restore a deleted user-defined report template, take the following steps:

1. Log into HSM. Click Report from the Level-1 navigation pane to enter the report page.

2. In the report navigation pane, click Report Template > Deleted to list all the deleted templates in the report window.

3. Select the checkbox for the template to be restored, and click Restore.

4. In the OK dialog, click OK to restore.

Note: To also restore the report files deleted along with the template, see the steps described in
Restoring a Report File.

Deleting a User-defined Template Permanently


The deleted report templates are moved to Report Template > Deleted. To delete a user-defined report template permanently, take the following steps:

1. Log into HSM. Click Report from the Level-1 navigation pane to enter the report page.

2. In the report navigation pane, click Report Template > Deleted to list all the deleted templates in the report window.

3. Select the checkbox for the template to be deleted permanently, and click Delete.

4. In the OK dialog, click OK.


You can also click Clear in the toolbar and then click OK in the OK dialog to delete all the deleted report templates permanently.

Managing a Report Schedule
A report schedule defines the generation cycle and time of report files, and the time range during which the corresponding report template takes effect. The report schedule is configured under the Schedule tab of a report template, and cannot be created separately. A report template can contain multiple report schedules to facilitate report file management.
The configurations of report schedule include:

Adding a Report Schedule

Viewing a Report Schedule/Report Schedule Running Log

Deleting a Report Schedule

Enabling/Disabling a Report Schedule

Adding a Report Schedule
For more details about how to add a report schedule when creating a report template, see Schedule in Creating a User-defined Template.
To add a report schedule to an existing report template, click Report Template > User-defined in the report navigation
pane, and double-click the report template. Create a report schedule under the Schedule tab.

Viewing a Report Schedule/Report Schedule Running Log


You can view the running log of a report schedule, and the details, running log and modification history of a report template.
To view the running log of a report template and report schedule, take the following steps:

1. Log into HSM. Click Report from the Level-1 navigation pane to enter the report page.

2. In the report navigation pane, click Report Schedule to list all the report schedules by category in the report window.

3. To view the details of a report template, click the name of the template and click a tab below. The details, running logs and modification history of the template are shown under the corresponding tab. To view the running logs of a report schedule, expand a template and click the report schedule. The running log of the report schedule is shown under the tab below.

Deleting a Report Schedule


Report schedule is configured under the Schedule tab of a report template. If a report schedule is deleted, the schedule
in the corresponding report template will be deleted as well.
To delete a report schedule, take the following steps:

1. Log into HSM. Click Report from the Level-1 navigation pane to enter the report page.

2. In the report navigation pane, click Report Schedule to list all the report schedules by category in the report window.

3. Expand a report template and select the checkbox for the report schedule to be deleted. Click Delete.

4. In the OK dialog, click OK to delete.


When editing a report template, you can also click Delete under the Schedule tab to delete the report schedule.

Enabling/Disabling a Report Schedule


To enable/disable a report schedule, take the following steps:

1. Log into HSM. Click Report from the Level-1 navigation pane to enter the report page.

2. In the report navigation pane, click Report Schedule to list all the report schedules by category in the report window.

3. Expand a report template and select the checkbox for the report schedule to be enabled/disabled. Click Enable/Disable.

4. In the OK dialog, click OK.


When editing a report template, you can also click Enable/Disable under the Schedule tab to enable/disable the report
schedule.

Report Server
NIPS devices support the Report Server function. After you specify the names and IP addresses of intranet servers, reports that have Security Risk Summary and Security Risk Detail selected will display the report data for these servers.

Configuring Servers


To configure the servers, take the following steps:

1. Log into HSM. Click Report > Server from the Level-1 navigation pane to enter the Server page.

2. Click New. The Server Configuration dialog appears.

Configure the following settings:


Option Description
Name Enter the name of servers.
Member Specify the IP addresses of the servers.
Add Click Add to add these servers.

3. Click OK.
In the generated reports, you can search the name of servers you specified to view the corresponding information.

Introduction to Log

HSM collects log information in real time, centralizes its storage and maintenance, and provides multiple query combinations for viewing the various types of log information. By default, HSM can store up to the last 90 days of log information (when storage is sufficient). Currently, HSM can manage the logs of NGFW, IPS and WAF devices of Hillstone Networks, Inc.

Introduction to Log
This chapter covers Log and Old Version Log. How logs are handled after an upgrade is described in the table below.

HSM Version Description

Before version 2.5R2, and logs have been collected by HSM: After upgrading to version 2.5R2 or above, you can manage the collected logs in Old Version Log. For the newly collected logs, you can search and export the logs in the Log module, and back up, import, and clean the logs in System > Log Backup Management.

Before version 2.5R2, and logs have not been collected by HSM: After upgrading to version 2.5R2 or above, you can search and export the newly collected logs in Log, and back up, import, and clean the logs in System > Log Backup Management.

Version 2.5R2 or above: You can search and export the logs in Log, and back up, import, and clean the logs in System > Log Backup Management.

Log
HSM optimizes the log management function with a new method of searching, backing up, importing, and cleaning logs. Logs are categorized as online logs, offline logs and operation logs.
Online/offline logs are divided into the following types:

System log: Logs of the managed devices, including event logs, alarm logs, network logs and configuration logs.

Threat log: Logs of intrusion and attack behaviors, including IPS logs, security logs, threat logs, web security logs and anti-defacement logs.

NBC log: Logs related to the network behavior of managed devices, including URL logs, IM logs, webpost logs, email logs and FTP logs. URL logs, IM logs and webpost logs support binary and text format.

Traffic log: Logs of traffic, including NAT logs, NAT444 logs, session logs and PBR logs.

Data Security log: Logs of data security, including post logs, webpage security logs, URL logs, IM logs, email logs and FTP logs.

Other log: All other logs.


Operation log: Refers to HSM system logs, which record the local operation events of the HSM system.

Log Severity
Event logs are categorized into eight severity levels, and each level has its own color.

Severity Level Description

Emergencies 0 Identifies illegitimate system events.
Alerts 1 Identifies problems which need immediate attention, such as a device being attacked.
Critical 2 Identifies urgent problems, such as hardware failure.
Errors 3 Generates messages for system errors.
Warnings 4 Generates messages for warnings.
Notifications 5 Generates messages for notices and special attention.
Informational 6 Generates informational messages.
Debugging 7 Generates all debugging messages, including daily operational messages.

Introduction to Log 284

Old Version Log
Old version logs are divided into the following types:

Device system log: Record logs of managed devices, including event logs, alarm logs, networks logs, configuration
logs and others.

Traffic log: Record logs related to traffic, including session logs and NAT logs.

Security log: Record logs related to invasion and attack, including IPS logs.

APP control log: Record logs related to network behavior of managed devices, including FTP logs, IM logs, mail logs,
URL logs, BBS logs.

HSM log: Record HSM system logs and task logs.


Related Topics:
For more information about Log function, see the followings:
Introduction to Log Window
Searching Logs
Introduction to Old Version Log

Introduction to Log Window
The Log main page is opened from the Level-1 navigation pane, as shown below.

Level-1 Navigation Pane


Level-1 navigation pane displays the general function modules, including dashboard, log, device, task and report.

Log Navigation Pane
The log navigation pane has three tabs: online log, offline log and operation log. Click a tab, and the right pane shows the corresponding log messages.

Old Version Log
Before version 2.5R2, the collected logs are managed in old version log. For more information, see Old Version Log.

Log Filter
Searching is available for online and offline logs, not for operation logs. You may enter values for filters and keywords to query results that match your criteria.

Option Description

Search Box Enter keywords, or click a filter name to insert it into the search box. When you hover your mouse over the icon, search tips are shown; after a query is done, click the bookmark icon to save it as a bookmark; click the history icon to view the search history and bookmarks. If Auto Open is selected, the history and bookmarks open automatically when you use the search box.

Time Range Select the time range of logs for your query.

Click the search button to start searching.

Click the pause button to suspend an on-going query.

Click the stop button to abort the on-going query.

If your query takes a long time, switching to another page will discontinue the query. Click the background running button to put the query into the background; you can then view the search result in the task list.

When a query takes a long time, you may also click the mail icon to put the query into the background; when the query is complete, you will receive an email notice.
Note: To send an email from HSM, you need to set up a mailbox first; refer to Configuring an Email Account.

For operation log, you can search logs according to the filters below.

Option Description

Log Type Use log type as a filter.

Operation type Search logs according to the user's action.

Operation result Use the result of an operation as a filter, including success, unknown and failure.

Time Set the time range for logs.

Operator IP Search for logs of a specific IP address.

Search Click the button to start searching.

Log Chart
The number of logs over time is shown in a bar chart. You can view the detailed diagram by clicking a bar.

Toolbar
The toolbar contains operation icons.

Option Description

Export In the Export dialog, you can save your search results on your local computer, in the format of a TXT file or a CSV file.

Name: Enter a filename for the export file.

File Format: Select a format.

Range: Select the pages to be exported. The format for specific pages is the page numbers separated by commas, for example, 1, 3, 5-9.

Column Customize your column list.

Merge Log The system can merge logs that come from the same firewall or have the same severity, which reduces the number of logs and avoids redundant entries.

Select the merging types in the drop-down list:

Do not merge: Do not merge any logs.

FW: Merge the logs with the same firewall.

Severity: Merge the logs with the same severity.
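The following Python is an added example, not HSM code, that applies the three Merge Log modes above to constructed syslog-style lines and labels each row with the eight levels of the Log Severity table; the line layout is an assumption, not the device's real log format.

```python
"""Added example, not HSM code: the Merge Log modes of the toolbar applied
to constructed syslog-style event lines, labelled with the eight severity
levels of the Log Severity table. The line layout is an assumption."""
import re
from collections import OrderedDict

SEVERITY_NAME = {0: "Emergencies", 1: "Alerts", 2: "Critical", 3: "Errors",
                 4: "Warnings", 5: "Notifications", 6: "Informational",
                 7: "Debugging"}

# Assumed line layout: "<date> <time> <firewall> <severity digit> <message>".
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\d) (.*)$")

# Constructed sample lines (not real device output).
SAMPLE_LOGS = """\
2018-08-15 10:00:01 fw-branch-1 4 interface eth0/1 link down
2018-08-15 10:00:03 fw-branch-1 4 interface eth0/1 link up
2018-08-15 10:00:05 fw-hq 1 admin login failed from 203.0.113.9
2018-08-15 10:00:06 fw-hq 1 admin login failed from 203.0.113.9
2018-08-15 10:00:07 fw-hq 1 admin login failed from 203.0.113.9
2018-08-15 10:00:09 fw-branch-2 6 policy 12 hit
2018-08-15 10:00:10 fw-hq 6 policy 7 hit
""".splitlines()

MERGE_TYPES = ("Do not merge", "FW", "Severity")


def parse_line(line):
    """Split one raw line into a record; reject lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    received, fw, sev, msg = m.groups()
    sev = int(sev)
    if sev not in SEVERITY_NAME:
        raise ValueError(f"severity out of range 0-7: {sev}")
    return {"received": received, "fw": fw, "severity": sev, "msg": msg}


def merge_logs(records, merge_type="Do not merge"):
    """Collapse records according to the selected merge type.

    Each returned row keeps the first record of its group plus `count`,
    `first`/`last` received times and the set of `firewalls` it covers, so
    a Severity merge still shows which devices contributed to the group.
    """
    if merge_type not in MERGE_TYPES:
        raise ValueError(f"unknown merge type: {merge_type!r}")
    if merge_type == "Do not merge":
        return [dict(r, count=1, first=r["received"], last=r["received"],
                     firewalls={r["fw"]}) for r in records]
    key_field = "fw" if merge_type == "FW" else "severity"
    groups = OrderedDict()        # first-seen order, like the log list
    for r in records:
        key = r[key_field]
        g = groups.get(key)
        if g is None:
            g = groups[key] = dict(r, count=0, first=r["received"], firewalls=set())
        g["count"] += 1
        g["last"] = r["received"]
        g["firewalls"].add(r["fw"])
    return list(groups.values())


def summarize(lines, merge_type):
    """Parse raw lines and merge them; returns the merged rows."""
    return merge_logs([parse_line(line) for line in lines], merge_type)


def render(rows):
    """Human-readable table of merged rows, one line per row."""
    out = []
    for r in rows:
        out.append(f"{r['count']:4d}  {SEVERITY_NAME[r['severity']]:<13} "
                   f"{','.join(sorted(r['firewalls'])):<22} "
                   f"{r['first']} .. {r['last']}  {r['msg']}")
    return "\n".join(out)


if __name__ == "__main__":
    for mode in MERGE_TYPES:
        print(f"== {mode} ==")
        print(render(summarize(SAMPLE_LOGS, mode)))
```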

Log Window
The log window shows the detailed log list. The log window varies slightly depending on the navigation pane.

Option Description

Received in The time when log is received.

Type Log type

Log Details of the log

Links:
Searching Log Messages

Searching Log Messages


You may view the online, offline and operation logs in HSM.

Online log: logs that are received directly by HSM.

Offline log: logs that are imported into HSM from another server. For more information about how to import the logs, see Log Import.

Operation log: system logs of HSM itself.


HSM supports viewing logs by log type. You can set conditions to filter the log messages. For example, you may set a value for the firewall device or the generation time to view logs that match your filters.

Note: You need to have the right to manage this device when searching logs.

Online/Offline Log
There are two types of search:

Temporary search: Click the search button for direct local searching. A temporary search ends when you go to another page.

Backstage search: After a temporary search, click the backstage running button to create a backstage search task. If you close the search page or run other searches, the backstage search task keeps running.
To search log messages, take the following steps:

1. Log in HSM, and click Log from the level-1 navigation pane. The log window appears.

2. From the left Log Navigation Pane:

Click Online Log to view online log messages.

Click Offline Log to view offline log messages.

3. Select the log type you want to view.

4. In Log Filter, click a filter name, and enter a value for this filter. You may select more than one filter.

5. You can quickly add filter conditions for the three types below:

Filter by devices: Click the device name from left navigation.

Filter by log types: Click a log type from the left navigation.

Filter by log contents: In the search box, enter the keyword you want to see in the log content.

6. Click the search button, and the matching results are shown.

Operation Log
To view operation log, take the following steps:

1. Log in HSM, and click Log from the level-1 navigation pane. The log window appears.

2. From the left Log Navigation Pane, click Operation Log to view HSM system operation logs.

3. Choose the log types you want in the log navigation bar, and set a filter condition in the filter bar, then click Search.
The logs meeting requirements will be shown in the log window.

Log Type: Choose a log type from the drop-down list.

Operation Type: Choose an operation type from the drop-down list.

Operation Result: Choose an operation result from the drop-down list, including All, Waiting, Success, Failure.

Time: Choose the generated time of logs from the drop-down list. You can customize the time yourself.

Operator IP: Type the IP address of HSM in the text box.

Note:

Hover your mouse over the icon to view search tips.

To save your search filters, click the bookmark icon to store them in the bookmark tab (to the left of the search box).

The history icon expands to show the search history and stored collections. If Auto Open is selected, the history and collection open automatically while you use the search box.

Introduction to Log Window
Click Log from the level-1 navigation pane, and then click Old Version Log in the upper right corner of the log window to enter the old version log page. Its layout is shown below:

Log Navigation Pane
The log navigation pane includes predefined queries and user-defined queries. Click an item in the log navigation pane, and the main window shows the related information.

Toolbar
Function buttons of the toolbar are described as below:

Option Description

Predefined Query
Export: Export logs to the local PC. The log file type can be TXT or CSV.
Save to MySearch: Create a new search for user-defined query.

User-defined Query
Export: Export logs to the local PC. The log file type can be TXT or CSV.
Delete: Delete the current log query.

Filter
According to different types of logs, filter provides different filter conditions.

Option Description

Device Search logs of the selected device.

Time Search logs of the selected time.

Severity Search logs of the selected log severity.

Type Search logs of the selected log type.

Message Search logs including the selected text.


Search Click this button to search for logs that meet the selected conditions.

Log Window
Log window shows logs which meet the selected requirements.

Option Description

Device Name Show the device name which generates the logs.

Time Show the generated time of logs.

Severity Show the severity of logs.

Type Show the types of logs.

Message Show the messages of the logs.

Related Topics:
Searching Logs
Managing Logs

Searching Logs
HSM supports running logs and offline logs. Running logs are generated by the current HSM itself. Offline logs are the ones that are imported by using the log import function.
For these two types of logs, HSM provides a classified log view and filtering. You can view logs according to different types of events, or set a filter condition such as device name, log time or log keyword to search logs.
To view log information, take the following steps:

1. Log into HSM.

To view running logs, click Log, and then click Old Version Log in the upper right corner. Click the Running Log tab.

To view offline logs, click Log, and then click Old Version Log in the upper right corner. Click the Offline Log tab.

2. Choose the log types from the log navigation pane, the log window will show you related log information.

In the running logs window, predefined query is the one which is pre-set by HSM, while user-defined query is
the one which is set by users according to requirements.

In the offline logs window, predefined logs are the ones which are pre-set by HSM, while other logs are the ones
which are set by users according to requirements.

3. To further filter the log information, follow the instructions below to set the filter conditions.

Setting Filter Conditions


Choose the log types you want in the log navigation bar, and set a filter condition in the filter bar, then click Search. The
logs meeting requirements will be shown in the log window.
The filter condition of different log types is described as below:

Device System Log


Filter condition of device system log is described as below:

Device: Choose a device from the drop-down list.


Time: Choose the generated time of logs from the drop-down list. You can customize the time yourself.
Severity: Choose the log severity from the drop-down list, including Emergency, Alerts, Critical, Error, Warning, Notice,
Informational and Debug.
Message: Type the keyword in the text box.

Traffic Log - Session Log

Device: Choose a device from the drop-down list.
Time: Choose the generated time of logs from the drop-down list. You can customize the time yourself.
Service/Protocol: Type the service or protocol in the text box, such as TCP, UDP, QQ.
Source Address: Type the source IP address of session in the text box.
Source Port: Type the source port of session in the text box.
Destination Address: Type the destination IP address of session in the text box.
Destination Port: Type the destination port of session in the text box.

Traffic Log - NAT Log

Device: Choose a device from the drop-down list.


Time: Choose the generated time of logs from the drop-down list. You can customize the time yourself.
Service/Protocol: Type the service or protocol in the text box, such as TCP, UDP, QQ.
Source Address: Type the source IP address of traffic in the text box.
Source Port: Type the source port of traffic in the text box.
Destination Address: Type the destination IP address of traffic in the text box.
Destination Port: Type the destination port of traffic in the text box.
Translated Address: Type the translated address after NAT in the text box.
Translated port: Type the translated port after NAT in the text box.

Security Log - IPS Log

Device: Choose a device from the drop-down list.


Time: Choose the generated time of logs from the drop-down list. You can customize the time yourself.
Severity: Choose the log severity from the drop-down list, including Emergency, Alerts, Critical, Error, Warning, Notice,
Informational and Debug.
Message: Type the keyword in the text box.

APP Control Log - FTP

Device: Choose a device from the drop-down list.


Time: Choose the generated time of logs from the drop-down list. You can customize the time yourself.
Policy: Choose the policy action from the drop-down list, including Block and Permit. All means all the actions.
User: Type the username or user IP address in the text box.
Login ID: Type the username used to log into the FTP server in the text box.
FTP Server: Type the IP address of the FTP server in the text box.
File Name: Type the name of the transferring file in the text box.

APP Control Log - IM

Device: Choose a device from the drop-down list.


Time: Choose the generated time of logs from the drop-down list. You can customize the time yourself.
Action: Choose the action for IM client in the drop-down list, including Log in, Log off, Block.

User: Type the username or user IP address in the text box.
Sender: Type the sender name of IM in the text box.
Content: Type the keyword of chatting in the text box.

APP Control Log - Email

Device: Choose a device from the drop-down list.


Time: Choose the generated time of logs from the drop-down list. You can customize the time yourself.
User: Type the username or user IP address in the text box.
Subject: Type the keyword of a mail subject in the text box.
Sender: Type the sender name of a mail in the text box.
Recipient: Type the receiver name of a mail in the text box.

APP Control Log - URL

Device: Choose a device from the drop-down list.


Time: Choose the generated time of logs from the drop-down list. You can customize the time yourself.
URL Category: Choose the URL category from the drop-down list, including Malicious, Compromised, etc.
Policy: Choose the policy action from the drop-down list, including Block and Permit. All means all the actions.
User: Type the username or user IP address in the text box.
URL: Type the keyword of the URL you want to search in the text box.

APP Control Log - BBS

Device: Choose a device from the drop-down list.


Time: Choose the generated time of logs from the drop-down list. You can customize the time yourself.
User: Type the username or user IP address in the text box.

HSM Log - Operation

Log Type: Choose a log type from the drop-down list.


Operation Type: Choose an operation type from the drop-down list.
Operation Result: Choose an operation result from the drop-down list, including Unknown, Success, Failure.
Time: Choose the generated time of logs from the drop-down list. You can customize the time yourself.
Operator IP: Type the IP address of HSM in the text box.

HSM Log - Task

Task ID: Enter the task ID in the text box.


Device: Specify the devices whose logs to be searched.
Operation Result: Choose an operation result from the drop-down list.
Time: Choose the generated time of logs from the drop-down list. You can customize the time yourself.
Operation Type: Choose the operation type from the drop-down list.
Description: Enter the description keyword in the text box.

Managing Logs
You can save the current filter condition as a user-defined query, so that you can view log information quickly and effectively, and you can also export the results of a log search.
This page includes the following operations:

Creating a New User-defined Search

Deleting a New User-defined Search

Exporting Logs

Importing Logs

Backing up Logs

Cleaning Logs

Creating a New User-defined Search


To save the current filter condition as a user-defined query, take the following steps:

1. Set filter conditions as described in Searching Logs.

2. Click Save to MySearch button in the toolbar, and the Save dialog appears.

3. Type a name for the new search and click OK.

Note: A user-defined search can include only one log category.

Deleting a User-defined Search


To delete a new user-defined search, take the following steps:

1. Log in to HSM, click Log from the Level-1 navigation pane to enter the log management page.

2. Click Old Version Log in the upper right corner of the main window.

3. Click MySearch in the log navigation pane, and then click the user-defined search you want to delete.

4. From the toolbar, click Delete, and then click OK in the Delete dialog.

Exporting Logs
To save the current search as a TXT file or CSV file on the local PC, take the following steps:

1. Log in to HSM, click Log from the Level-1 navigation pane to enter the log management page.

2. Click Old Version Log in the upper right corner of the main window.

3. Set filter conditions as described in Searching Logs.

4. Click Search and all the logs meeting the requirements will be shown in the log list.

5. Click Export in the toolbar, and the Export dialog is shown as below:

Name: Type a name for the export file.


File Format: Choose the format of the export file.
Range: Specify the page range of the export file. All Result means to export all the results for the current search;
Page Range means you need to specify a page range (format as 3, 5-9) to export results of these pages.

6. Click OK to save changes.
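As an added example (not HSM's own export code), the following Python parses the Range field in the form the Export dialog describes (1, 3, 5-9 or All Result), validates it against the number of result pages, and writes the selected pages as TXT or CSV; the page size and sample rows are constructed.

```python
"""Added example, not HSM code: parsing the Range field of the Export
dialog ("1, 3, 5-9" or All Result) and exporting the selected pages of a
search result as TXT or CSV. Page size and sample rows are constructed."""
import csv
import io
import re

# One token is either a single page ("3") or an inclusive range ("5-9").
TOKEN_RE = re.compile(r"^(\d+)(?:-(\d+))?$")

# Columns of the Log Window: Received in, Type, Log.
HEADER = ("Received in", "Type", "Log")


def parse_page_range(spec, total_pages):
    """Return the sorted list of page numbers selected by `spec`.

    "All" (or an empty field) selects every page. Malformed tokens, page 0,
    reversed ranges and pages past `total_pages` raise ValueError, so a typo
    in the dialog cannot silently export nothing or the wrong pages.
    """
    if total_pages < 1:
        raise ValueError("no result pages to export")
    spec = spec.strip()
    if spec == "" or spec.lower() in ("all", "all result"):
        return list(range(1, total_pages + 1))
    pages = set()
    for token in spec.split(","):
        token = token.strip()
        m = TOKEN_RE.match(token)
        if not m:
            raise ValueError(f"bad page token: {token!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if low == 0 or low > high:
            raise ValueError(f"invalid range: {token!r}")
        if high > total_pages:
            raise ValueError(f"page {high} is beyond the last page ({total_pages})")
        pages.update(range(low, high + 1))   # duplicates collapse in the set
    return sorted(pages)


def paginate(rows, page_size):
    """Split rows into pages the way the log list displays them."""
    if page_size < 1:
        raise ValueError("page_size must be positive")
    return [rows[i:i + page_size] for i in range(0, len(rows), page_size)]


def select_rows(rows, page_size, spec):
    """Rows belonging to the pages named in `spec`, in page order."""
    pages = paginate(rows, page_size)
    return [row for p in parse_page_range(spec, len(pages)) for row in pages[p - 1]]


def export_rows(rows, page_size, spec, file_format="CSV"):
    """Render the selected pages in the chosen file format and return the text."""
    chosen = select_rows(rows, page_size, spec)
    if file_format.upper() == "CSV":
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(HEADER)
        writer.writerows(chosen)
        return buf.getvalue()
    if file_format.upper() == "TXT":
        lines = ["\t".join(HEADER)] + ["\t".join(row) for row in chosen]
        return "\n".join(lines) + "\n"
    raise ValueError(f"unsupported file format: {file_format!r}")


# Constructed sample result set: 23 rows, so a page size of 5 gives 5 pages.
SAMPLE_ROWS = [
    (f"2018-08-15 10:{i:02d}:00", "Event" if i % 3 else "Alarm", f"sample log entry {i}")
    for i in range(1, 24)
]


if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS, page_size=5, spec="1, 3, 5", file_format="TXT"))
```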

Importing Logs
HSM supports importing logs and viewing the imported logs.
To import logs, take the following steps:

1. Log in to HSM, click Log from the Level-1 navigation pane to enter the log management page.

2. Click Old Version Log in the upper right corner of the main window.

3. Select Log Import from the Log Backup Manage drop-down list. The Log Import dialog appears.

4. In the Log Import dialog, configure the following options:


FTP Service: From the drop-down list, select the FTP server where the log files are stored. The corresponding
FTP server settings are then displayed. You can click Detection to verify the connection between HSM and the FTP server.
To modify the FTP settings, click FTP Config.
Choose File: From the drop-down list, select the log files. You can select folders and/or files. The system supports
the following file types: ZIP, TXT, and CSV.

5. Click Import to start the import task. HSM displays the task progress in the current dialog. You can close this dialog
to perform other actions. To stop the import task, click Stop Import.
You can view the imported logs on the Offline Log tab.

Backing Up Logs
HSM supports backing up logs. You can back up logs manually.

Imported logs cannot be backed up again.

Backed-up logs can be imported into HSM for viewing.
To back up the logs, take the following steps:

1. Log in to HSM, click Log from the Level-1 navigation pane to enter the log management page.

2. Click Old Version Log in the upper right corner of the main window.

3. Select Log Backup from the Log Backup Manage drop-down list. The Log Backup dialog appears.

4. In the Log Backup dialog, configure the following options:

Log Type: From the drop-down list, select the log types to be backed up.

Start Time: Specify the start time of logs.

End Time: Specify the end time of logs.

FTP Server: From the drop-down list, select the FTP server where to store the log files. Then the corresponding
FTP server settings are displayed. You can click Detection to verify the connection between HSM and the FTP
server. If you want to modify the FTP server settings, click FTP Config.

5. Click Backup to start the backup task. HSM displays the task progress in the current dialog. You can close this dialog
to perform other actions. To stop the task, click Stop Backup.
Old Version Log can run only one backup task at a time. If a backup task is already running when you open the Log
Backup dialog, its progress is displayed, and you can either stop the task or wait for it to complete.

Cleaning the Logs
HSM supports the clearing of offline logs and running logs within the specified time. You cannot restore the cleared logs.
For more information of offline logs and running logs, refer to Searching Logs.
To clear logs, take the following steps:

1. Log in to HSM, click Log from the Level-1 navigation pane to enter the log management page.

2. Click Old Version Log in the upper right corner of the main window.

3. Select Log Clean from the Log Backup Manage drop-down list. The Log Clean dialog appears.

4. In the Log Clean dialog, configure the following options:

Offline Log: Select Offline Log to clear the offline logs.

Running Log: Select Running Log to clear the running log within the specified time.

5. Click OK. The Tip dialog appears.

6. Click Yes. HSM starts to clear the logs.

HSM Configuration Example

This section describes a typical deployment scenario and some configuration examples to help you understand HSM. The
requirements and configurations are shown below.

Deployment Scenario
A company is headquartered in Beijing and has branches in Shanghai and Guangzhou. Each office is deployed with a
Hillstone security appliance to control Internet access. To manage all three security appliances centrally, an HSM is
deployed in Beijing. The topology is shown below:

Requirement
Requirement 1: Configure a shared policy that permits Internet access from the Intranet and deploy the policy to all the
managed devices.
Requirement 2: Monitor the managed devices and view the memory utilization ranking, application traffic ranking and
intrusion ranking within the latest one hour.
Requirement 3: Create an alarm rule that triggers a major alarm and sends an E-mail when the CPU utilization exceeds
80% for 10 consecutive minutes.

Configuration Steps
Preparation
Configure a management IP address on HSM as described in Deploying HSM Management Environment, and then add
the Hillstone devices deployed in Beijing, Shanghai and Guangzhou to HSM.
To check if the devices have been registered to HSM, log into HSM and click Device > Management to enter the device
page, as shown below:

Configuration Steps (Requirement 1)


Create a shared policy that permits Internet access from Intranet in HSM. Before configuring, make sure the trust zone of
the three Hillstone devices is bound to the Intranet interfaces, and the untrust zone is bound to the Internet interface.

Log into HSM and take the following steps:

1. Click Configuration > Shared Configuration from the Level-1 navigation pane to enter the shared policy page.

2. Select Security Policy from the configuration pane, and click New in the toolbar.

3. In the Shared Policy Configuration dialog, configure the options as below:

4. Click OK to save the policy configuration and close the dialog. The newly created policy is listed in the policy table.
In the policy table, click the policy name sample_policy to enter the rule configuration page. From the toolbar, select
Top from the New drop-down list, and the policy rule entry appears. Configure the options as below:

5. Click Configuration>Device Configuration from the Level-1 navigation pane to enter the device configuration page.

6. On the device navigation pane, right-click and select Batch Deploy Configuration from the pop-up dialog.

7. From the selective box, select the devices deployed in Beijing, Shanghai, and Guangzhou, and then click OK.

8. The system starts to deploy the configuration to the devices and generates the related task. Go to the task
management page to see the task status.

Configuration Steps (Requirement 2)


To view multiple monitor charts in one page, take the following steps in My Monitor:

Step 1: Create a Monitor Group

1. Log into HSM. Click Monitor from the Level-1 navigation pane to enter the monitor page.

2. In the left navigation pane, click MyMonitor, and click an arbitrary group.

3. Click New Group. In the New Monitor Group dialog, type monitor_sample into the Name box and click OK.

Step 2: Add Monitor Charts

1. In the left navigation pane, click Device.

2. In the device monitor page, click .

3. In the Select Device (Group) dialog, click Device, and select Beijing, Shanghai and Guangzhou.

4. Select from the drop-down list in the device monitor page.

5. Find the Latest 1 Hour Top 10 Devices by Memory Utilization chart, and click Details on the upper-right.

6. Under the Device Rank by Memory Utilization tab, click Add to MyMonitor on the upper-right.

7. In the Add to MyMonitor dialog, select monitor_sample from the MyMonitor Group drop-down list.

8. Repeat Step 1 to Step 8 to add Latest 1 Hour Top 10 User Traffic and Latest 1 Hour Top 10 Intrusions to the
monitor_sample group.

Step 3: Viewing Monitor Charts


In the left navigation pane, select MyMonitor > monitor_sample to view the selected monitor charts, as shown below:

Configuration Steps (Requirement 3)
The configurations consist of two steps: configuring an alarm rule and reading/processing the alarms.

Step 1: Configuring an Alarm Rule


Configure an alarm rule that will trigger an alarm and send a notification Email when the CPU utilization of any managed
device exceeds 80%.
This example adopts a predefined alarm rule. Take the following steps:

1. Click Alarm from the Level-1 navigation pane to enter the alarm page.

2. In the alarm navigation pane, click Alarm Rule > All Rules > Predefined > Resource > CPU Utilization.

3. In the Alarm Rule configuration page, configure options as below:

Rule Name: The name of predefined alarm rules cannot be modified.


Description: Type over 80% into the text box.
Device: Select the checkboxes for Beijing, Shanghai and Guangzhou.
Trigger: Select CPU Utilization in consecutive 1 Hours Higher than 80%.
Action: Select Major from the drop-down list. Select Send via Email, and click New. In the Send via Email dialog, type
hsmadmin, hsmadmin@hillstonenet.com and admin into the text boxes, and click OK. In the Email list, select the
checkbox for hsmadmin.

4. Click OK to save the settings.

Step 2: Reading and Processing Alarms

1. To view all the alarms, click Alarm from the Level-1 navigation pane. In the alarm navigation pane, click Alarm >
Alarm Search to show all the alarms in the alarm window, as shown below:

2. To view alarm analysis charts, in the alarm navigation pane, click Alarm > Alarm Analysis > Device Analysis to show
all alarms in the alarm window, as shown below:

3. To check if the device deployed in Guangzhou contains any alarm that matches the rule, click the bar chart and click
Level.

4. In the pie chart, click Critical.

5. In the alarm list below, find the alarm with the alarm rule named CPU Utilization, and click Unread under the Status
column.

6. In the Add Comment dialog, type Alarm has been read and will find out the reason into the Comment box.

7. Click OK to save the comment.
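The alarm rule configured in Step 1 fires only when CPU utilization stays above the threshold for a sustained period, not on a single high sample. The following evaluator is an added example, not HSM's own code: it models Requirement 3 (a Major alarm after 10 consecutive minutes above 80%) over constructed one-minute samples, and shows why a brief dip or a gap in the data resets the streak. The sample format, the one-minute interval, the gap handling and the Alarm record are assumptions made for this example.

```python
"""Evaluate a sustained-threshold alarm like the HSM CPU Utilization rule.

Added example, not HSM's own code. It models Requirement 3 (a Major alarm
when CPU utilization stays above 80% for 10 consecutive minutes) over
constructed one-minute samples; the sample format, the gap handling and
the Alarm record are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Sample = Tuple[int, float]  # (minute timestamp, CPU utilization in percent)


@dataclass(frozen=True)
class Alarm:
    device: str
    level: str
    started_at: int   # first minute of the high-CPU streak
    raised_at: int    # minute at which the rule matched
    description: str


def evaluate_cpu_rule(device: str, samples: List[Sample], threshold: float = 80.0,
                      duration_min: int = 10, interval_min: int = 1) -> Optional[Alarm]:
    """Return an Alarm the first time CPU stays above `threshold` for
    `duration_min` consecutive minutes; None if the rule never matches.

    `samples` must be sorted by timestamp. A gap longer than `interval_min`
    between samples breaks the streak, so missing data never counts as high.
    """
    streak_start: Optional[int] = None
    prev_ts: Optional[int] = None
    for ts, cpu in samples:
        gap = prev_ts is not None and ts - prev_ts > interval_min
        if cpu <= threshold or gap:
            streak_start = None          # below threshold or data gap: reset
        if cpu > threshold and streak_start is None:
            streak_start = ts            # first high sample of a new streak
        prev_ts = ts
        if streak_start is not None and ts - streak_start + interval_min >= duration_min:
            return Alarm(device, "Major", streak_start, ts,
                         f"CPU utilization above {threshold:g}% for {duration_min} min")
    return None


# Constructed sample series (minute, cpu%) for the three managed devices.
SUSTAINED = [(m, 60.0) for m in range(5)] + [(m, 85.0) for m in range(5, 15)]
BRIEF_DIP = [(m, 85.0) for m in range(9)] + [(9, 70.0)] + [(m, 85.0) for m in range(10, 19)]
WITH_GAP = [(m, 85.0) for m in range(6)] + [(m, 85.0) for m in range(9, 16)]

if __name__ == "__main__":
    print(evaluate_cpu_rule("Guangzhou", SUSTAINED))  # Alarm(..., started_at=5, raised_at=14, ...)
    print(evaluate_cpu_rule("Shanghai", BRIEF_DIP))    # None
    print(evaluate_cpu_rule("Beijing", WITH_GAP))      # None
```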

Managing HSM via Console Port

A command line interface (CLI) lets you interact with HSM by typing commands that instruct HSM to perform specific
tasks. The following sections describe how to use the HSM command line interface via the Console port.

Accessing HSM via Console Port
To deploy the console management environment, take the following steps:

1. Take a standard RS-232 cable. Connect one end of the cable to a computer’s serial port, and the other end to
HSM's console port, as shown below:

2. On the PC, start a terminal emulation program (e.g. HyperTerminal) and use the following parameters:

   Parameter      Value
   Baud           115200 bps
   Data           8
   Parity         None
   Stop           1
   Flow Control   None

3. Power on the HSM device and the HSM system starts up. Type the default login name (hillstone) and password
(hillstone), then press Enter to log in.

4. After logging in successfully, the prompt [hillstone] appears for entering commands, as shown below:

Command Introduction


HSM provides a series of commands for management and configuration.
Enter the command after the prompt [hillstone] and press Enter to execute the tasks. The available commands are
described in the following table.

Command: help
Function: Displays the help information.

Command: show version
Function: Displays the version, SN, language, etc. of HSM.

Command: show interface
Function: Displays the IP address, netmask, and status of interfaces.

Command: show systemBit
Function: Displays the HSM firmware that is saved in HSM.

Command: show currentBit
Function: Displays the HSM firmware that is currently running.

Command: show httpPort
Function: Displays the HSM HTTP port number that is currently open.

Command: show httpsPort
Function: Displays the HSM HTTPS port number that is currently open.

Command: webport http port-number
Function: Modifies the HTTP port number for HSM.
  port-number - Specify the port number for accessing the HTTP service of HSM. The default value is 80. The value
  ranges from 1025 to 65535 (besides 80); among them, 2003~3003, 3306, 6514, 8005, 8080, 8161, 8443, 9000, 9090,
  9091, 9092, 61616 and 61617 are preoccupied by the system. Preoccupied port numbers cannot be configured.

Command: webport https port-number
Function: Modifies the HTTPS port number for HSM.
  port-number - Specify the port number for accessing the HTTPS service of HSM. The default value is 443. The value
  ranges from 1025 to 65535 (besides 443); among them, 2003~3003, 3306, 6514, 8005, 8080, 8161, 8443, 9000, 9090,
  9091, 9092, 61616 and 61617 are preoccupied by the system. Preoccupied port numbers cannot be configured.

Command: halt
Function: Shuts down HSM.

Command: ping [ -LRUbdfnqrvVaA ] [ -c count ] [ -i interval ] [ -w deadline ] [ -p pattern ] [ -s packetsize ]
  [ -t ttl ] [ -I interface or address ] [ -M mtu discovery hint ] [ -S sndbuf ] [ -T timestamp option ] [ -Q tos ]
  [ hop1 ... ] destination
Function: Checks whether a remote network is reachable.

Command: route print
Function: Displays the route table.

Command: route add ip-address
Function: Specifies the IP address for the gateway of HSM.
  ip-address - Specify the IP address for the gateway of HSM.

Command: passwd webadmin
Function: Modifies the password of the WebUI user admin.

Command: passwd hillstone
Function: Modifies the password of the CLI user hillstone.

Command: ipconfig interface ip-address netmask
Function: Modifies the IP address and netmask of interfaces.
  interface - Specify the interface name to be modified.
  ip-address - Specify the IP address for the interface.
  netmask - Specify the netmask for the interface.

Command: ipconfig interface { up|down }
Function: Modifies the status of interfaces.
  interface - Specify the interface name to be modified.
  up|down - Specify the interface status. up represents that this interface can be accessed; down represents that
  this interface cannot be accessed.

Command: services status
Function: Views the status of HSM services.

Command: service { start|restart|stop } { all|image|config|monitor|adapter|report|alarm }
Function: Manages system services.
  start|restart|stop - Specify the operation type. You can start, restart, or stop the specified services.
  all|image|config|monitor|adapter|report|alarm - Specify the service name. all represents all services.

Command: nslookup
Function: Queries DNS to obtain the domain name or IP address mapping.

Command: traceroute [ -46dFITUnrAV ] [ -f first_ttl ] [ -g gate,... ] [ -i device ] [ -m max_ttl ] [ -N squeries ]
  [ -p port ] [ -t tos ] [ -l flow_label ] [ -w waittime ] [ -q nqueries ] [ -s src_addr ] [ -z sendwait ]
  host [ packetlen ]
Function: Tests and records the gateways of packets from the source host to the destination.

Command: reboot
Function: Reboots HSM.
