Chapter 13 - Monitor and Log


HCSA-NGFW 2022
Contents
1 Monitor
2 Log
3 Report
4 Advanced Configuration

Monitor
• The system can monitor the following objects:
- User Monitor
- Application Monitor
- Cloud Application Monitor
- User Quota Monitor
- URL Hit
- Link Status Monitor
- iQoS Monitor
- Device Monitor
- Keyword Block
- Application Block
- Authenticated User

www.hillstonenet.com
User Monitor
• Displays the application statistics within the specified period. The statistics include the application traffic and
applications' concurrent sessions.

Application Monitor
• Displays the statistics of applications, application categories, application subcategories, application risk levels,
application technologies, and application characteristics within the specified period

Cloud Application Monitor
• Cloud application monitor page displays the statistics of cloud applications and users within a specified period

Configure User Quota
• Policy > Traffic Quota > Profile: click "New" to create a profile and rule, and select a zone

User Quota Monitor
• Displays the currently used traffic; supports clearing the daily used or monthly used traffic.

URL Hit
• Displays the URL statistics within the specified period, such as top 10 Users/URLs/URL categories

Link Configuration
• Link Configuration
• Detection Destination

Link Status

iQoS Monitor
• Displays the real-time traffic details or traffic trends of pipes and sub-pipes in Level-1 Control
or Level-2 Control

Device Monitor
• Displays the device statistics within the specified period, including the total traffic, interface traffic, zone traffic,
CPU/memory status, sessions, hardware status and online IP.

Authenticated User
• Displays the authenticated user information

Log

• StoneOS log types:
- Event Log
- Network Log
- Configuration Log
- Share Access Log
- Threat Log
- Session Log
- PBR Log
- NAT Log
- URL Log
- File Filter Log
- Content Filter Log
- Network Behavior Record
- Cloud Sandbox Log

Log Severity
| Severity | Level | Description | Log Definition |
|---|---|---|---|
| Emergency | 0 | Identifies illegitimate system events. | LOG_EMERG |
| Alert | 1 | Identifies problems which need immediate attention such as device is being attacked. | LOG_ALERT |
| Critical | 2 | Identifies urgent problems, such as hardware failure. | LOG_CRIT |
| Error | 3 | Generates messages for system errors. | LOG_ERR |
| Warning | 4 | Generates messages for warning. | LOG_WARNING |
| Notice | 5 | Generates messages for notice and special attention. | LOG_NOTICE |
| Informational | 6 | Generates informational messages. | LOG_INFO |
| Debug | 7 | Generates all debugging messages, including daily operational messages. | LOG_DEBUG |

Event Log

Network Log
• Log information related to network service operations, such as PPPoE, DHCP and DDNS.

Configuration Log

Threat Log

Session Log
• Enable the session log in the policy
• Displays the session start, session end and policy information

PBR Log
• Enable the PBR log at Route > Policy-based Routing

NAT Log
• Enable the NAT log on the SNAT/DNAT configuration page

URL Log

Destination of Exported Log
• Console
• Terminal
• Memory Buffer
• File
• Syslog Server
• Email address
• Local database (send log to local hard disk)
• SMS

Report

Report Template

Report Task

Report File

Advanced Configuration

Log Management (WebUI)
• Monitor > Log > Log Management
• Session log, NAT log and URL log are disabled by default

Log Configuration (WebUI)
• Log Server Configuration
• Web Mail Configuration
• Facility Configuration
• SMS Configuration

Configure Syslog Server
• Hostname is the IP address of the log server
• Default transmission port is UDP 514

Web Email Configuration
• The mail server must be configured in advance
• Add the email address for receiving logs

Facility Configuration
• The facility name can be changed; the default is Local7
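
Added example, not part of the original slides: on the syslog server, the PRI value at the start of each datagram encodes facility and severity as PRI = facility × 8 + severity, so with the default facility Local7 (code 23) the levels from the Log Severity table can be recovered and filtered on. The sample datagrams and the names decode_pri and triage are constructed for illustration; the real StoneOS message body format is not shown on this page.

```python
import re

# Severity names as listed in the Log Severity table (index = level).
SEVERITIES = ["LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR",
              "LOG_WARNING", "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG"]
LOCAL7 = 23  # standard syslog facility code for Local7 (Local0..Local7 = 16..23)

PRI_RE = re.compile(rb"^<(\d{1,3})>")

def decode_pri(datagram: bytes):
    """Return (facility, severity_level, severity_name), or None if malformed."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # highest valid PRI is facility 23 * 8 + severity 7
        return None
    facility, level = divmod(pri, 8)
    return facility, level, SEVERITIES[level]

def triage(datagrams, expected_facility=LOCAL7, max_level=4):
    """Split datagrams into urgent (level <= max_level), routine and rejected."""
    urgent, routine, rejected = [], [], []
    for d in datagrams:
        decoded = decode_pri(d)
        if decoded is None or decoded[0] != expected_facility:
            rejected.append(d)  # malformed, or not the configured facility
        elif decoded[1] <= max_level:
            urgent.append((decoded[2], d))
        else:
            routine.append((decoded[2], d))
    return urgent, routine, rejected

# Constructed sample datagrams; the text after the PRI is a placeholder,
# not the real StoneOS message format.
SAMPLES = [
    b"<185>constructed: device under attack",       # 23*8+1: Local7, Alert
    b"<190>constructed: session ended",             # 23*8+6: Local7, Informational
    b"<34>constructed: message from other source",  # 4*8+2: facility 4, not Local7
    b"no PRI header at all",
    b"<999>constructed: out-of-range PRI",
]

if __name__ == "__main__":
    urgent, routine, rejected = triage(SAMPLES)
    for name, d in urgent:
        print("URGENT", name, d.decode(errors="replace"))
    print(len(routine), "routine,", len(rejected), "rejected")
```

If the facility is changed from Local7 on the device, pass the matching code as expected_facility.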

SMS Configuration
• An SMS modem or SMS gateway must be configured
• Add the mobile number here for receiving logs

Operational Highlights 1 – Log Server Configuration
• Log Server configuration shows the multiple configured logs on the same page; you can send logs separately
to different syslog servers.

Operational Highlights 2 – Log Export
• Logs and sessions can be exported to a txt file for analysis via FTP/TFTP
SG-6000# show logging | redirect
ftp:// Uniform Resource Locator (ftp://[username:password@]x.x.x.x[:port:vrid]/filename)
tftp:// Uniform Resource Locator (tftp://x.x.x.x[:vrid]/filename)
SG-6000# show logging event | redirect tftp://1.1.1.20/log.txt

Operational Highlights 3 – Log Analysis
• The session log page provides the close reason for each session, which helps the system administrator troubleshoot.

Operational Highlights 4 – Traceability of Management Behavior
• Trace management behavior on the configuration log page. All configuration changes are recorded so they can be
checked when a setting problem occurs.

Question
1. How many logs are supported on a Hillstone FW? What content is stored by each
type of log?
2. What types of output destination does a Hillstone device support?
3. What types of stat-sets does a Hillstone device support?
4. How can we find the root cause of a disconnection from the session logs?

Thanks
