
Chapter 5 – System Management

HCSA-NGFW 2022
Contents
1 Initial System Login
2 WebUI
3 System Management
4 Configuration File Management
5 Firmware Upgrade
6 License Management

Initial System Login
Device Management Method
• You can access the device directly or remotely by using CLI or WebUI.
• Management is supported via console, telnet, ssh, http and https

Console (COM) port:
Parameter      Value
Baud Rate      9600 bit/s
Data bit       8
Stop bit       1
Flow control   None

Ethernet0/0 or MGT port:
Parameter       Value
Interface       Eth0/0 or MGT
Username        hillstone
Password        hillstone
Management IP   192.168.1.1
www.hillstonenet.com
WebUI
• Manage the device via GUI; only HTTPS is enabled by default
• Default management setting:
- Management Port: ethernet 0/0 or MGT
- https://192.168.1.1
- Username/password: hillstone

CLI Access (1)
• Manage the device via CLI; only SSH is enabled by default
• Default management setting:
- Management Port: ethernet 0/0 or MGT
- SSH 192.168.1.1
- Username/password: hillstone

CLI Access (2)
• Access the device via console
• Default management setting:
- Baud rate 9600
- Username/password: hillstone

Virtualized Management
• Under the EVE virtualized environment, the E0/0 management IP is assigned automatically.
• Use telnet to access the CLI, run show interface to see the interface IP, then use https to access the WebUI.

WebUI
WebUI Dashboard

WebUI System and Signature Database

WebUI Network Page

WebUI Policy Page

WebUI Monitor Page

System Management
System Administrator
• A default administrator named “hillstone” is bundled with the system, with the default password “hillstone”. You can modify its settings (such as changing the password), but this admin account cannot be deleted.

• Default 4 roles of administrator accounts (with different privilege):


– Administrator: Permission for reading, executing and writing. This role has the authority over all features.
– Administrator (read-only): Permission for reading and executing. You can view the current or historical configuration information.
– Operator: Authority over all features except modifying the Administrator’s configuration; no permission to check the log information.
– Auditor: You can only operate on the log information, including viewing, exporting and clearing.

• User-defined Admin Role

Configure Admin Roles
System>Device Management>Admin Roles:

Configure System Administrator
System>Device Management>Administrators:

Trusted Host
• Trusted Host
- To enhance security, the device only allows trusted hosts to manage the system. The administrator can specify an IP range, and hosts in the specified range are trusted hosts.

System > Device Management > Trusted Host

Please note the difference between 192.168.1.0/24, 192.168.1.2/24 and 192.168.1.2/32.

Create a new Trusted Host first, and then delete the default one.
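
The difference between the three notations above, worked through with standard prefix arithmetic (an added example, not part of the original course material or of StoneOS). The function names and the admin workstation address 192.168.1.10 are assumptions for illustration; how the device itself treats an entry with host bits set is not stated on this page.

```python
import ipaddress

def describe_entry(entry):
    """Return (network as text, number of addresses, host_bits_set) for one entry."""
    iface = ipaddress.ip_interface(entry)   # tolerates host bits, e.g. 192.168.1.2/24
    net = iface.network                     # the prefix applied to the address
    return str(net), net.num_addresses, iface.ip != net.network_address

def covers(entries, admin_ip):
    """True if admin_ip falls inside at least one entry (plain prefix arithmetic)."""
    ip = ipaddress.ip_address(admin_ip)
    return any(ip in ipaddress.ip_interface(e).network for e in entries)

def review_change(new_entries, admin_ip):
    """Warnings to resolve before the default trusted host is deleted."""
    warnings = []
    for e in new_entries:
        net, count, host_bits = describe_entry(e)
        if host_bits:
            # Written like a single host, but the prefix spans a whole network.
            warnings.append(f"{e}: host bits set; the prefix spans {net} ({count} addresses)")
    if not covers(new_entries, admin_ip):
        warnings.append(f"{admin_ip} is not covered; deleting the default entry "
                        "would lock this workstation out")
    return warnings

if __name__ == "__main__":
    # Constructed sample values: the three entries from the slide and a
    # hypothetical admin workstation at 192.168.1.10.
    for entry in ("192.168.1.0/24", "192.168.1.2/24", "192.168.1.2/32"):
        print(entry, "->", describe_entry(entry))
    print(review_change(["192.168.1.2/32"], "192.168.1.10"))
```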
Management Interface
System > Device Management > Management Interface

System Time
System > Device Management > System Time
『Sync』 with local PC, manually configure, sync with NTP server

3rd Party AAA Server Admin Authentication
System > Device Management > Option
• RADIUS and TACACS+ servers are supported for admin authentication

3rd Party AAA Server Authentication
System > Device Management > Option > System Setting
• RADIUS and TACACS+ servers can be used for device admin authentication. You can log in to the firewall with the account and password of the third-party AAA server and manage the FW.

Configuration File Management
Configuration File Management
System > Configuration File Management

Restore to Factory Settings
Caution: Resetting your device will erase all configurations, including the settings that have been saved.
• CLI
- Command: unset all
• WebUI
- System>Configuration File Management>Backup Restore>『Restore』
• CLR button (hard reset)
The CLR button is in the pinhole on the device’s front panel. When the admin forgets the device’s password, it can be used to restore the device to factory default.

To restore device to factory default, take the following steps:


1. Power off the device.
2. Use a pin to press the CLR button through the pinhole; keep pressing and power on the device.
3. Keep pressing the CLR button until the STA and ALM indicators turn constant red, then release the pin; the system will start to reset itself.
4. The system will reboot automatically once restoring is complete.

Configuration File Management
System > Current Configurations

Firmware Upgrade
StoneOS Upgrade
System>Upgrade Management
• 2 copies of the system firmware can be stored on the device. The system backs up the firmware specified by the admin while uploading a new StoneOS version. The firmware can be switched between the 2 copies.

Signature Database Update
• Two update methods are supported: online update (the FW can access the Internet and a DNS server is configured) and local offline update
- update1.hillstonenet.com
- update2.hillstonenet.com

Device Booting Process

The firewall start-up system consists of 3 parts:


– Bootloader – The first program started when the device is powered on. Bootloader loads StoneOS or Sysloader and makes them start.
– Sysloader – The program that upgrades StoneOS.
– StoneOS – The operating system running on the device.

• When a device is powered on, the Bootloader tries to start StoneOS or Sysloader. The Sysloader is used to
select existing StoneOS in the system or upgrade StoneOS via FTP, TFTP or USB Host interface. Or you can
upgrade firmware in WebUI after login.

• The upgrade of Sysloader is performed by the Bootloader via TFTP.

License Management
All License Display
• The license page displays all licenses supported by this device and shows which licenses are installed and which are not installed.

License Classes and Rules
• The platform license is the basis for the operation of the other licenses. If the platform license is invalid, the other licenses are not effective. The device is pre-installed at the factory with a platform trial license for 15 days.
• You can install the platform license after the formal sale of the device. The license provides basic firewall and VPN functions.

License Type: Platform License
- Commercial License (if expired): System cannot upgrade the OS version when the license expires, but the system could still work normally.
- Trial License (if expired): You cannot modify the existing configuration when the license expires. The system will restore to factory defaults when the device reboots (better to install a new license before reboot).

License Type: Function / Service License
- Commercial License (if expired): System cannot upgrade the function or update to the latest signature database.
- Trial License (if expired): Function or service will be invalid.

Apply for a Trial License
• Step 1: Generate a license request
WebUI:System > License > Apply For, fill out the user information and click 『Generate』

Apply for a Trial License
• Step 2: Send the license request to Hillstone Regional Sales/SE (via email, or copy and paste it into the case description field)

• A license request email contains:


1. Device SN
2. Device Model
3. Deal registration ID
4. Requested trial license types (such as platform trial, AV, QoS, etc.)
5. Customer name
6. Contact name
7. Contact method
8. License request code that was generated by StoneOS

Apply for a Trial License
If the application is approved and the license has been issued, an email as shown below will be sent from Hillstone.
Copy the license code and install it on the device.
A license code starts with “license:” and ends with “==”.

Install a License from WebUI
• Step 3: Install the license
WebUI: Click System > License > Import, and select Manual input. Paste the license code here and then click 『Upload』. Or upload the license file.

Install a License via CLI
• Use the following command to install a license:
hostname# exec license install +license code
• Message “successfully install the license!” will be displayed in a few seconds.
• Reboot the device if needed to make the new license take effect.

Questions
1. Does the Hillstone firewall support a 3rd party server as the admin authentication server? Which protocol is supported?
2. How many admin roles exist on the device by default, and what are they?
3. How many configuration files can be stored in StoneOS?
4. How do you restore the device to factory settings?
5. What is the difference between a trial license and a formal license once it has expired?
6. What is the address of the signature database update server?
7. How do you manage the device via the console interface?
8. How do you enable the access IP of the WAN interface?

Thanks
