
Hillstone Multi-Core Security

Appliance Easy Configuration Guide


Version 5.5

www.hillstonenet.com
Hillstone Multi-Core Security Appliance Easy Configuration Guide

Table of Contents

Hillstone Multi-Core Security Appliance Easy Configuration Guide Version 5.5
Table of Contents
Preface
  Contents
  Conventions
Chapter 1 Device Management
  Introduction
  Accessing a Device via Console Port
  Accessing a Device via WebUI
  Restoring to Factory Default
    CLI
    WebUI
    Physical CLR button
  StoneOS Upgrading
    Upgrading StoneOS via CLI (TFTP)
    Upgrade the system via WebUI
  License installation
    License installation via CLI
    License installation via WebUI
Chapter 2 Connecting to Internet
  Introduction
  Configuring Interfaces
  Configuring Route
  Configuring Policy
  Configuring SNAT
Chapter 3 Commonly Used Function Configuration
  Introduction
  PPPoE
  DHCP
  IP-MAC binding
  Peer to peer IPSec VPN
  SCVPN
  DNAT
    One to one IP mapping
    One to one port mapping
    One to multiple mapping (Including server load balance)
Chapter 4 Link Load Balance
  Introduction
  Destination route based load balance
  Smart link load balance
Chapter 5 Quality of Service
  Introduction
  Pipe condition and action
  QoS Configuration Example
    Requirement 1
    Requirement 2
    Requirement Analysis
    Solution
    WebUI configuration guide
Chapter 6 Network Behavior Control
  URL filter (URL license needed)
  User-defined URL DB
Chapter 7 Advanced VPN Configuration
  SCVPN configuration based on USB Key
    Create PKI trust domain
    SCVPN configuration
    Make USB key
    Login SCVPN by USB key
  Hub-Spoke IPSecVPN
    Topology
    Configuring IKE VPN
    Configuring Tunnel Interface
    Configuring Tunnel Route
    Configuring Policy
Chapter 8 High Availability
  Introduction
  HA configuration – A/P mode
Chapter 9: WebAuth based on Windows AD server
  Introduction for AAA
  Configure the string format of the parameters in Active Directory
  Configure the WebAuth

Preface

Contents

This manual is the basic configuration guide for the Hillstone Multi-Core Security Appliance. It applies only to
StoneOS 5.5. This guide contains configuration steps for the major functions of the Hillstone appliance via the Web User
Interface. The content is divided into the following chapters:
• Chapter 1: Device Management. Includes device access methods, StoneOS upgrades and license installation.
• Chapter 2: Connecting to Internet. Includes basic Internet configuration such as Interface, Route, Policy and SNAT.
• Chapter 3: Commonly used function configuration. Includes PPPoE, DHCP, IP-MAC binding, IPSec VPN, SCVPN and DNAT.
• Chapter 4: Link load balance. Includes destination route based, SBR based and PBR based load balance.
• Chapter 5: QoS. Includes the QoS function and its configuration.
• Chapter 6: Network behavior control. Includes URL filtering and web content filtering.
• Chapter 7: Advanced VPN configuration. Includes USB Key based SCVPN and PnPVPN.
• Chapter 8: High Availability (HA) configuration. Includes A/P and A/A mode.
• Chapter 9: WebAuth based on Windows AD. Includes configuration for different directory structures.

Conventions

This document follows the conventions below:


• Tip: provides a related reference for the customer.
• Note: provides further explanation and context.
• Caution: the system may malfunction if the setting is incorrect.
• [ ]: indicates a link, tab or button on the WebUI.
• < >: indicates text elements on the WebUI, including radio buttons, check boxes, text boxes, option names and
text descriptions.

Chapter 1 Device Management

Introduction

In order to facilitate management and configuration by the Administrator, the Hillstone security appliance can
support both local (Console interface) as well as remote (Telnet, SSH, HTTP and HTTPS) configuration methods
through the command line interface (CLI) and the WebUI.

Accessing a Device via Console Port

To use the command line interface via the console port:

1. Connect a console cable to your computer and plug the other end into the CON port of the device.
2. Launch a terminal emulation program (e.g. HyperTerminal, SecureCRT, Xshell).
3. Configure the emulation program with the parameters listed in Table 1.

    Parameter      Value
    Baud rate      9600 bit/s
    Data bits      8
    Parity         None
    Stop bits      1

Table 1: Console connection parameters

Accessing a Device via WebUI

The WebUI is a more direct and effective configuration option, which supports both HTTP and HTTPS access.
Interface ethernet0/0, with default IP address 192.168.1.1/24, has all of its management services enabled. The first
time you log into the device, you can use this interface to access the WebUI.

To access the WebUI interface:


1. Assign an IP address to your system (PC). This IP address should be on the same subnet as 192.168.1.1/24.
Use an Ethernet cable to connect your PC and port ethernet0/0 of the Hillstone appliance.
2. Open a Web browser on your PC and type http://192.168.1.1. The login page is shown below.


Restoring to Factory Default

Hillstone provides three methods to restore the device to factory default:
• CLI: run a command on the CLI to reset.
• WebUI: clear the settings via the WebUI to reset.
• Physical button: use the CLR button to reset.

CLI
To restore to factory default using the CLI:
1. Type "unset all" in execution mode.
2. Follow the prompts and type y to remove all configuration.
3. Type y to reboot the device.
4. The device is restored to factory default after the reboot.

WebUI
To restore to factory default using the WebUI:
1. Click the [System] tab in the WebUI.
2. Choose the [Configuration File Management] menu.
3. Click the [Backup Restore] button.
4. Click the [Restore] button.

After these steps, all configuration is cleared and the device reboots automatically.

Physical CLR button


To restore to factory default by pressing the physical "CLR" button:
1. Power off the device.
2. Press and hold the CLR button with a pin through the pin hole, then power on the device.
3. Keep pressing CLR until the STA and ALM LED indicators turn red, then release the CLR button. The device
starts to reset.
After resetting, the device reboots automatically.

StoneOS Upgrading

Upgrading StoneOS via CLI (TFTP)


Sysloader can download StoneOS from a TFTP server, allowing a fast system upgrade over the network.
To upgrade StoneOS using TFTP:
1. Power on the device and press ESC within 5 seconds of the following prompt to enter Sysloader:

   HILLSTONE NETWORKS
   Hillstone Bootloader 1.3.2 Aug 14 2008-19:09:37

   DRAM: 2048 MB
   BOOTROM: 512 KB

   Press ESC to stop autoboot: 4 // Press "ESC" during the 5-second countdown
   Run on-board sysloader? [y]/n: y // Type "y" or press Enter

   Loading: ##########################

2. Select "Load firmware via TFTP" from the Sysloader menu:

   Sysloader 1.2.13 Aug 14 2008 - 16:53:42

   1 Load firmware via TFTP
   2 Load firmware via FTP
   3 Load firmware from USB disks (not available)
   4 Select backup firmware as active
   5 Show on-board firmware
   6 Reset

   Please select: 1 // Type "1" and press Enter


3. Make sure the device can reach your PC, and copy the required StoneOS image into the directory served by
the TFTP server.

4. Specify the Sysloader IP, the TFTP server IP, the gateway IP and the StoneOS file name:

   Local ip address [ ]: 10.2.2.10/16 // Type the Sysloader IP and press Enter
   Server ip address [ ]: 10.2.2.3 // Type the TFTP server IP and press Enter
   Gateway ip address [ ]: 10.2.2.1 // If Sysloader and the TFTP server are not in the same network segment,
   type the gateway IP and press Enter; otherwise, just press Enter
   File name : StoneOS-3.5R2 // Type the StoneOS file name and press Enter; the system then starts to
   transfer the file via TFTP
   ###############################################

5. Save StoneOS:

   File total length 10482508
   Checking the image...
   Verified OK
   Save this image? [y]/n: y // Type "y" or press Enter to save the transferred StoneOS
   Saving .........................................
   Set StoneOS-3.5R2 as active boot image

6. Reboot the device. The system restarts with the new StoneOS:

   Please reset board to boot this image
   1 Load firmware via TFTP
   2 Load firmware via FTP
   3 Load firmware from USB disks (not available)
   4 Select backup firmware as active
   5 Show on-board firmware
   6 Reset

   Please select: 6 // Type "6" and press Enter; the system starts rebooting

Note: The device flash can store only two versions of StoneOS. If two versions are already saved and you want to
store a new one, delete an existing version when prompted.

Upgrade the system via WebUI


Click the [System] tab, then in the [Upgrade Management] tab click the [Browse] button, choose the new firmware
from your hard disk, and click the [Apply] button to perform the upgrade.

You can switch the firmware version in the [Choose a Firmware for the next startup] area.

If you choose NOT to restart the device immediately, the device loads the new firmware at the next startup.

License installation

License installation via CLI


To install a license via the CLI:
Log into the StoneOS CLI and, in execution mode, type the command exec license install license-string, where
license-string is the string that follows "license: " in the license you received. Refer to the screenshot below:

Some licenses take effect only after the device is rebooted.

License installation via WebUI


To install a license via the WebUI:
1. Log into StoneOS from the WebUI and select the [License] menu from the [System] tab.
2. At [License installation], you can either upload a license file or input the license manually.
• Upload file: select [Upload file] (the license is in .txt format), click the [Browse] button and select a license
file from your local PC;
• Manual input: select [Manual input], then input or paste the license string (including "license:" and the
following contents) into the box.

3. Click [OK] to save your settings, and reboot the device to complete the license installation.


Chapter 2 Connecting to Internet

Introduction

In order to obtain Internet connection, the basic configuration includes: interface configuration, route
configuration, policy configuration and SNAT configuration.

Configuring Interfaces

To configure interfaces in WebUI:


1. Log into StoneOS via the WebUI, click the [Network] tab and the [Interface] menu, select the interface and click [Edit].

2. Edit the interface on the pop-up <Interface Configuration> dialog:

• Binding zone: select the proper zone type for the interface. Bind a layer 3 interface to a layer 3 zone and a
layer 2 interface to a layer 2 zone.
• Zone: select the name of the zone. Typically, trust and l2-trust are used for the Intranet; untrust and l2-untrust
are used for the Internet.
• IP configuration: configure the IP address of the interface.
• Management: specify the management methods allowed on the interface. Tick the check boxes under
<Management> to choose the management types.

Note: If the WAN interface uses a PPPoE link, refer to the PPPoE configuration in Chapter 3.

Configuring Route

To add a route in WebUI:


1. Log into StoneOS via the WebUI, click the [Network] tab and the [Routing] menu, then the [Destination Route] menu.

2. Click the [New] button at the top left of the destination route list, and edit the route in the pop-up
<Destination Route Configuration> dialog:
• Destination: set the destination IP for this route.
• Subnet mask: set the subnet mask for this destination IP.
• Next hop: select the next hop type, <Gateway> or <Interface>. If <Gateway> is selected, enter the gateway IP
address in the <Gateway> text box. If <Interface> is selected, choose the interface name from the <Interface>
dropdown list; if this interface is a tunnel interface, the peer gateway address of the tunnel must also be
entered. For example, the next hop gateway is 122.193.30.97 (this gateway IP is provided by the ISP).
• Precedence: the smaller this value is, the higher the precedence. If multiple routes are available, the route
with the higher precedence is used. The value range is from 1 to 255, and the default value is 1. When the
value is configured as 255, the route is invalid.
• Weight: the weight value specifies the share of traffic forwarded over this route in load balance. The value
range is from 1 to 255, and the default value is 1.
3. If needed, you can enter a description for this destination route in the <Description> text box.
4. Click [OK] to complete the new destination route.
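The precedence and weight fields decide which destination route a packet takes. The Python model below is an added example written for this guide, not StoneOS code: the ISP gateway 122.193.30.97 is taken from the text, while the other addresses, the interface names, the flow identifier and the longest-prefix-match step before precedence is compared are assumptions.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class DestRoute:
    """One entry of the destination route list as described in this chapter."""
    destination: str      # destination IP, e.g. "0.0.0.0"
    subnet_mask: str      # subnet mask, e.g. "0.0.0.0"
    next_hop: str         # gateway IP or interface name
    precedence: int = 1   # 1..255; the smaller the value, the higher the precedence; 255 = invalid
    weight: int = 1       # 1..255; share of load-balanced traffic among equal routes

    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(f"{self.destination}/{self.subnet_mask}", strict=False)


def candidate_routes(table: List[DestRoute], dst_ip: str) -> List[DestRoute]:
    """Routes eligible to forward dst_ip.

    Rules taken from the guide: a route with precedence 255 is invalid and is
    ignored; among the remaining matches the lowest precedence value wins.
    Assumption (standard routing behaviour, not stated on the page): a more
    specific prefix is preferred before precedence is compared.
    """
    dst = ipaddress.IPv4Address(dst_ip)
    valid = [r for r in table if 1 <= r.precedence < 255 and dst in r.network()]
    if not valid:
        return []
    longest = max(r.network().prefixlen for r in valid)
    specific = [r for r in valid if r.network().prefixlen == longest]
    best = min(r.precedence for r in specific)
    return [r for r in specific if r.precedence == best]


def select_next_hop(table: List[DestRoute], dst_ip: str, flow_id: int) -> Optional[str]:
    """Choose one next hop, spreading flows over equal routes in proportion to weight.

    flow_id is a constructed stand-in for the per-session hash a real device
    would use; the same flow_id always lands on the same route.
    """
    cands = candidate_routes(table, dst_ip)
    if not cands:
        return None
    total = sum(r.weight for r in cands)
    point = flow_id % total
    for r in cands:
        if point < r.weight:
            return r.next_hop
        point -= r.weight
    return cands[-1].next_hop  # not reachable: point < total by construction


def distribution(table: List[DestRoute], dst_ip: str, flows: int) -> Dict[str, int]:
    """How many of `flows` constructed flows each next hop receives."""
    hops = (select_next_hop(table, dst_ip, f) for f in range(flows))
    return dict(Counter(h for h in hops if h is not None))


# Constructed route table. 122.193.30.97 is the ISP gateway used in the guide's
# example; the other addresses and interface names are made up for this demo.
ROUTE_TABLE = [
    DestRoute("0.0.0.0", "0.0.0.0", "122.193.30.97", precedence=1, weight=1),  # default via ISP 1
    DestRoute("0.0.0.0", "0.0.0.0", "10.0.0.1", precedence=1, weight=3),       # default via ISP 2
    DestRoute("192.168.1.0", "255.255.255.0", "ethernet0/1", precedence=1),    # LAN, directly connected
    DestRoute("192.168.1.0", "255.255.255.0", "10.9.9.10", precedence=5),      # LAN, backup path
    DestRoute("192.168.1.0", "255.255.255.0", "10.9.9.9", precedence=255),     # disabled by precedence 255
]

if __name__ == "__main__":
    print(select_next_hop(ROUTE_TABLE, "192.168.1.50", 0))     # LAN traffic: ethernet0/1
    print(distribution(ROUTE_TABLE, "203.0.113.5", 400))        # Internet traffic: 1:3 split
```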

Configuring Policy

To add a policy in WebUI:


1. Log into StoneOS via the WebUI and click the [Policy] tab.
2. Click the [New] button at the top left of the policy list, and edit the policy rule on the pop-up <Policy
Configuration> dialog. The basic elements of the policy rule include source/destination zone,
source/destination address, service type, schedule, user, action and the policy name.
3. After finishing all the settings, click [OK] to save the configuration and go back to the policy page.


Configuring SNAT

To add an SNAT rule in WebUI:


1. Log into StoneOS via the WebUI, click the [Policy] tab, the [NAT] menu and the [SNAT] sub menu.
2. Click the [New] button at the top left of the SNAT list, and edit the SNAT rule on the pop-up <SNAT
Configuration> dialog.
3. After finishing all the settings, click [OK] to save the configuration.


Chapter 3 Commonly Used Function Configuration

Introduction

This chapter includes configuration details for commonly used functions on the Hillstone Multi-Core Security
Appliance, such as PPPoE, DHCP, IP-MAC binding, peer to peer IPSec VPN, SCVPN and DNAT.

PPPoE

There are 2 methods to configure PPPoE in WebUI:


Method 1:
1. Log into StoneOS via the WebUI, click the [Network] tab and the [Interface] menu.
2. Select the interface to be edited from the list, then double-click it or click the [Edit] button.
3. Edit the interface in the pop-up <Ethernet Interface> dialog. Select a layer 3 zone and PPPoE, enter the
PPPoE username and password, and set the gateway obtained from the PPPoE server as the default route.

Method 2:
1. Log into StoneOS via the WebUI, click the [Network] tab and the [PPPoE] menu, then click the [New] button in
the top-left corner.
2. Edit the parameters in the pop-up <PPPoE Configuration> dialog. Usually, entering the PPPoE username and
password is enough.

DHCP

There are 2 methods to configure DHCP in WebUI:


Method 1:
1. Log into StoneOS via the WebUI, click the [Network] tab and the [Interface] menu.
2. Select the gateway interface, then select [DHCP Server] from the DHCP dropdown list to edit the DHCP

Method 2:
1. Log into StoneOS via the WebUI, click the [Network] tab and the [DHCP] menu, then click the [New] -> [DHCP Server]
button in the top-left corner.
2. In the pop-up <DHCP Configuration> dialog, fill in the DHCP server parameters.
3. Click [OK] to save your settings and return to the DHCP list. Connect your PC or switch to the specified
interface to receive an IP address.


IP-MAC binding

Follow the steps below:

1. Log into StoneOS via the WebUI, click the [Policy] tab, the [ARP Defense] menu and then the [IP-MAC
Binding] tab.
2. Select the IP-MAC item from the static IP-MAC binding list, then double-click it or click the [Edit] button to
open the <IP-MAC Binding> dialog.
3. In the <IP-MAC Binding Configuration> dialog, tick the <IP> check box to enable the IP-MAC binding, and
click [OK] to save the settings.

4. By default, ARP learning is enabled on the security appliance; it must be disabled on the interface once
IP-MAC binding is enabled, otherwise learned ARP entries bypass the static binding.
5. Click the [Network] tab and then the [Interface] menu in the left navigation bar to open the interface page.
Select the interface from the list, then double-click it or click the [Edit] button.
6. In the <Ethernet Interface> dialog, click the [Properties] tab and clear the [Enable] check box next to ARP
learning in the <Parameters> section to disable ARP learning.


Peer to peer IPSec VPN

Create a secure tunnel between security appliances A and B, with PC1 connected to A and PC2 connected to B.
Both appliances have a fixed public IP. The peer-to-peer IPSec VPN topology is shown below:

Use IKE VPN (automatic key negotiation) to configure the IPSec VPN, which involves:
• P1 proposal
• VPN peer
• P2 proposal
• IPSec tunnel
• Binding an interface to the tunnel
• Configuring the tunnel route and policy
Follow the steps below for configuration:
1. Configure the P1 proposal. Log into StoneOS via the WebUI, click the [Network] tab, the [VPN] menu and then the
[IPSec VPN] sub-menu to open the IPSec VPN page. Click the [P1 proposal] tab to open the P1 proposal page.
2. Click the [New] button, and edit the pop-up <Phase 1 Proposal Configuration> dialog:

• Proposal name: specify or display the name of the P1 proposal.
• Authentication: specify the IKE authentication method.
• Hash: specify the hash algorithm for the P1 proposal.
• Encryption: specify the encryption algorithm.
• DH group: select the DH group for the P1 proposal.
• Lifetime: specify the lifetime of the P1 SA; the default value is 86400 seconds.

3. Configure the VPN peer. Click the [VPN Peer List] tab on the IPSec VPN page.
4. Click the [New] button, and configure the VPN peer in the pop-up <Peer Configuration> dialog.

Note: If there is a NAT device in front of the appliance, the NAT traversal function must be enabled under the
<Advanced> tab.
5. Configure the P2 proposal. Click the [Phase2 Proposal] tab on the IPSec VPN page.
6. Click the [New] button, and edit the pop-up <Phase 2 Proposal Configuration> dialog.

7. Configure the tunnel. Click the [New] button under the <IKE VPN List> dialog on the IPSec VPN page.
8. Select an ISAKMP peer from the peer list, then specify the tunnel name, the mode, the P2 proposal and the proxy
ID for the tunnel.

Note: After the tunnel is configured, the VPN connection has to be triggered by traffic. If an automatic connection
is required, enable the auto connect function under the <Advanced> tab.
9. Bind an interface to the tunnel. Click the [Interface] menu to open the Interface page. Click the [New] button at
the top left of the interface list, select <Tunnel Interface> from the dropdown list, and bind the interface to the
tunnel in the pop-up <Interface Configuration> dialog.


10. Configure the tunnel route and policy. Click the [Routing] menu to open the destination route page. Click the
[New] button, and configure the destination route in the pop-up <Destination Route Configuration> dialog.

11. Click the [Policy] tab to open the policy page. Click the [New] button, and configure the policy rule in the pop-up
<Policy Configuration> dialog. Policies in both directions need to be configured here.

12. After completing these settings, configure the VPN on device B using the same steps.
13. Once both sides are configured, a secure tunnel is established between appliances A and B.

SCVPN

To help remote users access Intranet resources safely, the Hillstone security appliance provides an SSL based
remote access solution: Secure Connect VPN (SCVPN).

Follow the steps below for SCVPN configuration:

1. Log into StoneOS via the WebUI, click the [Network] tab, the [VPN] menu and then the [SSL VPN] sub-menu to
open the SSL VPN page.
2. Click the [New] button; the <SSL VPN Configuration> wizard pops up.
3. In the <Name/Access User> dialog, specify the SSL VPN name in the <SSL VPN name> text box, and select an
AAA server for SSL VPN authentication.

4. Click the [Next] button to reach the <Interface> configuration page. Configure the device access interface, the
tunnel interface and the address pool on this page.

Note: The tunnel interface's IP address must be in the same network segment as the address pool, but the tunnel
interface's IP address itself must not be included in the address pool.


5. Click [Next] to reach the <Tunnel route> configuration page. Configure the tunnel route on this page.

Note: The system automatically creates a policy with VPNHub as the source zone and any as the destination
zone. The tunnel route is the Intranet network segment that the remote users are allowed to reach.
6. Click the [Object] tab and then the [User] menu to open the user configuration page. Select the AAA server
configured in the SSL VPN wizard.
7. Click the [New] button to create new users for the AAA server. Configure the user name and password on the
[Basic] tab.

8. Launch SCVPN via the web (username/password). Type the URL https://IP-Address:Port-Number (the default
port is 4433) in the IE browser to access the SSL VPN server.

9. The browser returns the login page. Enter the username and password, then click [login].

10. Download and launch the SCVPN client (username/password). After logging into the device via the web,
download and install the client application, Hillstone Secure Connect.

11. After installing the client, double-click the Hillstone Secure Connect shortcut on your desktop, or click
"All applications > Hillstone Secure Connect > Hillstone Secure Connect" in the "Start" menu. The login dialog
pops up; click the [Mode] button, select <Username/Password> in the <Login Mode> dialog and click [OK].


12. In the "username/password" login dialog, enter the server IP address, port number, username and
password, then click [Login].
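The note in step 4 above imposes two address constraints on the tunnel interface and the address pool. The following check is an added example, not part of the guide or of StoneOS; the interface address and pool boundaries it uses are constructed, and a practitioner can run it against planned values before clicking through the wizard.

```python
"""Check an SSL VPN tunnel interface address against its address pool.

Added example (not Hillstone code): the tunnel interface IP must sit in the
same network segment as the address pool but must not itself be inside the
pool. Interface address and pool boundaries passed in are constructed values.
"""
import ipaddress


def check_tunnel_interface(iface_cidr: str, pool_start: str, pool_end: str) -> list:
    """Return a list of problems; an empty list means the configuration is consistent.

    iface_cidr: tunnel interface address with prefix length, e.g. "10.10.10.1/24"
    pool_start, pool_end: first and last address of the SSL VPN address pool
    """
    iface = ipaddress.ip_interface(iface_cidr)
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    problems = []

    if start > end:
        problems.append("address pool start is after its end")
        return problems

    net = iface.network
    # Requirement 1: the whole pool must lie inside the tunnel interface's segment.
    if start not in net or end not in net:
        problems.append(f"pool {start}-{end} is not inside segment {net}")

    # Requirement 2: the interface address itself must never be handed to a client.
    if start <= iface.ip <= end:
        problems.append(f"tunnel interface IP {iface.ip} lies inside the pool")

    # Sanity check: do not hand out the network or broadcast address of the segment.
    if net.prefixlen < 31 and (start == net.network_address or end == net.broadcast_address):
        problems.append("pool includes the network or broadcast address")

    return problems


if __name__ == "__main__":
    # Constructed sample: a consistent and an inconsistent configuration.
    print(check_tunnel_interface("10.10.10.1/24", "10.10.10.100", "10.10.10.200"))
    print(check_tunnel_interface("10.10.10.150/24", "10.10.10.100", "10.10.10.200"))
```

The same function also catches a pool that was typed into the wrong segment, which the wizard may accept but which leaves clients without a working tunnel route.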

DNAT

DNAT is used to publish intranet servers (such as HTTP, FTP and database services) to the Internet, so that
users can reach these services by visiting a public IP address.
The commonly used DNAT types are one-to-one IP mapping, one-to-one port mapping, and one-to-multiple
mapping.


One to one IP mapping


Example: Map the public IP address 60.0.0.1 to the private IP 192.168.1.100.
Take the following steps:
1. Create two address entries (one for the WAN address and one for the LAN address). Click the [Object] tab,
the [Address Entry] menu, then [New] to add an address entry.


Note: For this instance, the netmask must be 32 (a single host address).


2. Create the IP mapping rule under DNAT. Click the [Policy] tab, the [NAT] menu, then the [DNAT] sub-menu. Click
[New] and then [IP mapping].

3. Either fill in the addresses or select the address entries you just created, then click [OK] to finish
creating the DNAT rule.


4. Create a policy rule for the DNAT rule on the policy configuration page. In this instance the traffic flows from
WAN to LAN, so the policy direction is from the untrust zone to the trust zone.


One to one port mapping


Example: Map port 80 (HTTP) of public IP address 60.0.0.1 to port 8080 of private IP address 192.168.1.100.
Follow the steps below:
1. Create the port mapping rule under DNAT. Click the [Policy] tab, the [NAT] menu, then the [DNAT] sub-menu. Click
[New] and then [Port mapping].


2. Fill in the addresses and ports in the <Port Mapping Configuration> dialog, and click [OK] to finish creating the
DNAT rule.

3. Create a policy rule for the DNAT rule on the policy configuration page.

One to multiple mapping (Including server load balance)


Example: Map port 80 (HTTP) of public IP address 60.0.0.1 to port 80 of the private IP addresses 192.168.1.2 and
192.168.1.3, i.e. multiple servers with load balancing.
Follow the steps below:
1. Create the SLB server pool. Click the [Object] tab, the [SLB Server Pool] menu, then [New].


2. Advanced DNAT configuration. Click the [Policy] tab, the [NAT] menu, then the [DNAT] sub-menu. Click [New]
and select [Advanced Configuration] from the dropdown list.


3. Create policy rule for the DNAT rule in the policy configuration page.
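The three DNAT types above (IP mapping, port mapping, one-to-multiple with load balancing) can be summarised in a small lookup model. This is an added example, not StoneOS code: rules are evaluated top to bottom and the first match wins, an SLB pool rotates through its servers, and, as each example's last step says, a matched rule only translates the destination; a separate policy still decides whether the translated packet is permitted. The rules, addresses and the permitted set are constructed, and each rule here uses a different public IP so the three examples do not overlap.

```python
"""Model of DNAT rule lookup: IP mapping, port mapping and one-to-many (SLB).

Added example, not StoneOS code. Rules are first-match in configured order,
an SLB pool is served round-robin, and a permit policy is applied to the
translated destination. Rules, addresses and the policy set are constructed.
"""
from dataclasses import dataclass, field
from itertools import cycle
from typing import List, Optional, Tuple


@dataclass
class DnatRule:
    public_ip: str
    public_port: Optional[int]            # None = every port (IP mapping)
    servers: List[str]                    # one server for 1:1, several for SLB
    server_port: Optional[int] = None     # None = keep the original port
    _rr: object = field(default=None, repr=False, compare=False)

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        return dst_ip == self.public_ip and self.public_port in (None, dst_port)

    def translate(self, dst_port: int) -> Tuple[str, int]:
        if self._rr is None:              # round-robin cursor over the pool
            self._rr = cycle(self.servers)
        return next(self._rr), self.server_port or dst_port


class DnatTable:
    def __init__(self, rules: List[DnatRule]):
        self.rules = list(rules)          # evaluated top to bottom, first match wins

    def lookup(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        for rule in self.rules:
            if rule.matches(dst_ip, dst_port):
                return rule.translate(dst_port)
        return None                       # no DNAT: packet keeps its destination


# Constructed rules mirroring the three examples on this page.
TABLE = DnatTable([
    # one-to-one port mapping: 60.0.0.1:80 -> 192.168.1.100:8080
    DnatRule("60.0.0.1", 80, ["192.168.1.100"], 8080),
    # one-to-one IP mapping: every port of 60.0.0.2 -> 192.168.1.100
    DnatRule("60.0.0.2", None, ["192.168.1.100"]),
    # one-to-many with SLB: 60.0.0.3:80 -> 192.168.1.2 / 192.168.1.3 in turn
    DnatRule("60.0.0.3", 80, ["192.168.1.2", "192.168.1.3"], 80),
])

# Constructed untrust-to-trust policy: only the published services are permitted,
# so an IP mapping of "every port" still exposes only what the policy allows.
PERMITTED = {("192.168.1.100", 8080), ("192.168.1.100", 22),
             ("192.168.1.2", 80), ("192.168.1.3", 80)}


def handle_packet(dst_ip: str, dst_port: int, table: DnatTable = TABLE,
                  permitted=PERMITTED) -> str:
    """Translate the destination, then apply the zone policy; returns a verdict string."""
    target = table.lookup(dst_ip, dst_port)
    if target is None:
        return "no-dnat"
    ip, port = target
    verdict = "permit" if (ip, port) in permitted else "deny"
    return f"{verdict} {ip}:{port}"


if __name__ == "__main__":
    for pkt in [("60.0.0.1", 80), ("60.0.0.2", 3389), ("60.0.0.3", 80), ("60.0.0.3", 80)]:
        print(pkt, "->", handle_packet(*pkt))
```

The IP mapping rule is the one to watch: it forwards every port of the public address, so the accompanying policy, not the DNAT rule, is what keeps unpublished services on 192.168.1.100 unreachable.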


Chapter 4 Link Load Balance

Introduction

For users with multiple ISP links, the Link Load Balance function assigns traffic to the different links
appropriately by using a dynamic link detection technique, thus making full use of all available link resources. LAN
traffic can be load balanced based on source address, destination address or service.
After load balance has been configured for both the source address and the destination address, redundancy is
achieved: traffic is still forwarded successfully if one of the routes becomes invalid.
Before configuring link load balance, make sure the interfaces, SNAT and policy have been configured on the
device:
1. Finish configuring the interface IP address and netmask (confirm the netmask with your ISP).

2. Configure the SNAT rule so that LAN traffic is translated to an address of the public address pool and can
reach the Internet.

3. Configure the policy rule that permits traffic to be forwarded through the device.

Destination route based load balance

Example: interface ethernet0/2 is connected to ISP A with 10M bandwidth and ethernet0/3 is connected to ISP B
with 20M bandwidth; all traffic going to the WAN should be forwarded through ethernet0/2 and ethernet0/3 in a 1:2
ratio. If 3 units of traffic pass through the device, 1 is forwarded from ethernet0/2 and 2 from ethernet0/3.
Follow the steps below:
1. Log into StoneOS via the WebUI, click the [Network] tab and the [Routing] menu, then the [Destination Route] menu.
Click [New] to add a default route for ISP A with weight value 1.

2. Create another route for ISP B with weight value 2.

3. After these settings are applied, traffic is forwarded through ethernet0/2 and ethernet0/3 in a 1:2 ratio, that
is, 1:2 load balanced. The ratio can be chosen according to the egress bandwidth of each link and the actual
usage.

Smart link load balance

When a LAN user visits a WAN IP address for the first time, the system detects the traffic matching the default
route on all qualified links. A static (proximity) route is generated on the first-responding interface, and the
following packets are forwarded without detection; if this static route is no longer matched by traffic, it is
automatically aged out.
Follow the steps below:
1. Log into StoneOS via the WebUI, click the [Network] tab and the [Routing] menu, then the [Link Load Balancing] menu.
2. Click the [Outbound] tab.

3. Click [Select Interface]; the <Select Interface> dialog box pops up.

4. Select the interfaces to enable (the outbound load balance function is enabled on the selected interfaces), and click
[OK].

5. Configure the proximity route:


• Aging time: the aging time of proximity routes, in minutes, from 1 to 1440; the default value is 10 minutes. If
no traffic matches a route within the aging time, the route becomes invalid and is deleted from the route
list.
• Subnet mask: the subnet mask of proximity routes. The security appliance supports two formats, A.B.C.D and a
number. The A.B.C.D range is 255.0.0.0 to 255.255.255.255, default 255.255.255.0; the numeric range is 8 to
32, default 24.
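The two mechanisms in this chapter, weighted destination routes (the 1:2 example) and proximity routes with a subnet mask and an aging time, can be modelled together. The following is an added example, not StoneOS code or the device's actual algorithm: weighted forwarding is shown as a deterministic weighted round-robin, and proximity routes are shown as a cache keyed by destination subnet that is filled by probing every enabled link, reused without probing while traffic keeps matching it, and dropped once the aging time passes without traffic. Link names follow the chapter; the probe results and timestamps are constructed.

```python
"""Weighted destination routes and proximity (smart link load balance) routes.

Added example, not StoneOS code. WeightedRoutes models the 1:2 default routes
(ethernet0/2 weight 1, ethernet0/3 weight 2); ProximityRoutes models the
detect-once, reuse, then age-out behaviour of smart link load balance.
Probe answers and timestamps are constructed.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple


class WeightedRoutes:
    """Smooth weighted round-robin over equal-cost default routes."""

    def __init__(self, routes: List[Tuple[str, int]]):
        self.routes = routes                                  # (interface, weight)
        self.credits = {iface: 0 for iface, _ in routes}

    def next_hop(self) -> str:
        # Add each weight, pick the largest credit, subtract the total from the winner.
        total = sum(w for _, w in self.routes)
        for iface, w in self.routes:
            self.credits[iface] += w
        best = max(self.routes, key=lambda r: self.credits[r[0]])[0]
        self.credits[best] -= total
        return best

    def distribution(self, n: int) -> Dict[str, int]:
        """How n units of traffic are spread over the links."""
        counts = {iface: 0 for iface, _ in self.routes}
        for _ in range(n):
            counts[self.next_hop()] += 1
        return counts


class ProximityRoutes:
    def __init__(self, links: List[str], probe: Callable[[str, str], Optional[float]],
                 aging_minutes: int = 10, prefixlen: int = 24):
        self.links = links            # interfaces enabled for outbound load balance
        self.probe = probe            # probe(link, dst) -> RTT in seconds, or None if no answer
        self.aging = aging_minutes * 60
        self.prefixlen = prefixlen    # the configured subnet mask of proximity routes
        self.table: Dict[ipaddress.IPv4Network, Tuple[str, float]] = {}  # subnet -> (link, last use)

    def route(self, dst: str, now: float) -> Tuple[str, bool]:
        """Return (egress link, detection performed) for a packet to dst at time now."""
        subnet = ipaddress.ip_network(f"{dst}/{self.prefixlen}", strict=False)
        entry = self.table.get(subnet)
        if entry and now - entry[1] <= self.aging:
            self.table[subnet] = (entry[0], now)      # traffic matched: refresh the route
            return entry[0], False
        self.table.pop(subnet, None)                  # aged out, or never existed
        # Detection: every enabled link is probed; the fastest answer wins the route.
        results = []
        for link in self.links:
            rtt = self.probe(link, dst)
            if rtt is not None:
                results.append((rtt, link))
        if not results:
            raise RuntimeError(f"no enabled link can reach {dst}")
        _, link = min(results)
        self.table[subnet] = (link, now)
        return link, True

    def expire(self, now: float) -> int:
        """Drop routes unused for longer than the aging time; returns how many were removed."""
        stale = [s for s, (_, last) in self.table.items() if now - last > self.aging]
        for s in stale:
            del self.table[s]
        return len(stale)


# Constructed probe results: ISP B (ethernet0/3) answers 8.8.8.8 faster,
# and only ISP A (ethernet0/2) gets an answer from 1.1.1.1.
FAKE_RTT = {
    ("ethernet0/2", "8.8.8.8"): 0.040, ("ethernet0/3", "8.8.8.8"): 0.015,
    ("ethernet0/2", "1.1.1.1"): 0.010, ("ethernet0/3", "1.1.1.1"): None,
}


def fake_probe(link: str, dst: str) -> Optional[float]:
    return FAKE_RTT.get((link, dst))


if __name__ == "__main__":
    print(WeightedRoutes([("ethernet0/2", 1), ("ethernet0/3", 2)]).distribution(3))
    pr = ProximityRoutes(["ethernet0/2", "ethernet0/3"], fake_probe)
    print(pr.route("8.8.8.8", 0), pr.route("8.8.8.4", 100), pr.route("8.8.8.8", 701))
```

A point worth noticing in the model: the subnet mask decides how many destinations share one detection result, so a short mask (the A.B.C.D or numeric value from the dialog) means fewer probes but also that one slow first answer steers a whole /24 for the aging period.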


Chapter 5 Quality of Service

Introduction

QoS (Quality of Service) assigns different priorities to different traffic in order to control delay and jitter and
decrease the packet loss rate. QoS assures the normal transmission of critical business traffic when the network
is overloaded or congested.
Hillstone devices implement QoS by configuring pipes. A pipe is a virtual concept representing the bandwidth of a
transmission path. The system classifies traffic with the pipe as the unit and controls the traffic crossing a pipe
according to the actions defined for that pipe. All traffic crossing the device flows into the virtual pipe whose
matching condition it matches; traffic that matches no condition flows into the default pipe predefined by the
system.
The system supports two-level traffic control: level-1 control and level-2 control. In each level, traffic control is
implemented by pipes. Traffic handled by level-1 control flows into level-2 control, where the system performs
further management and control according to the level-2 pipe configurations. After traffic enters the device, the
QoS process is as shown below:

Pipes, except the default pipe, consist of two parts of configuration: traffic matching conditions (maps) and traffic
management actions (rules). Each map is a matching condition used to distinguish specific traffic; traffic is
matched against the maps one by one in sequence until one matches (the first configured map is at the front). The
logical relation between the maps of a pipe is OR: when traffic matches any map of a pipe, it enters that pipe.

Pipe condition and action

1. Click the [Policy] tab and then the [QoS] menu, then click [New] to create a pipe. In the pop-up Pipe
Configuration dialog, click [New] to create the pipe condition.


2. On the <Action> page, configure the action the system performs on the matched traffic.


Pipe direction is determined by the pipe map: the forward pipe is in the same direction as the map, the backward
pipe in the opposite direction. Configure the action for Forward or Bi-directional; an action configured only for the
backward direction does not take effect.

QoS Configuration Example

Requirement 1
The total link bandwidth is 100M; different bandwidth must be assured for each department:
R&D department 30M, production department 30M, and the remaining 40M is shared bandwidth. Departments are
distinguished by IP address entry: addressA is R&D, addressB is the production department.

Requirement 2
Control the global applications:
Limit p2p traffic to 10M (p2p downloading is limited to 2M, p2p video is limited to 8M);
Assure bandwidth for the HTTP and email services, 500K for each user.

Requirement Analysis
Two-dimensional QoS is required:
Dimension 1: distribute the total bandwidth
Dimension 2: control the global applications


Solution
Based on the requirements, two levels of QoS control are needed:
Level 1 QoS achieves the bandwidth distribution of requirement 1
Level 2 QoS achieves the control of global applications in requirement 2

WebUI configuration guide


You can also set the whitelist when configuring the root pipe.
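The matching rules of this chapter (maps of a pipe are OR-ed, pipes are tried in configured order, first match wins, unmatched traffic falls into the default pipe, and level-1 output feeds level-2) can be exercised on the two requirements above. The following is an added example, not StoneOS code or the device's scheduler: it only classifies a flow through both levels and reports the tightest limit that applies, which is enough to check that a configuration sends each kind of traffic into the intended pipes. The address ranges behind addressA and addressB, the application names and the flows are constructed.

```python
"""Two-level QoS pipe classification, modelled on the example requirements.

Added example, not StoneOS code. Level 1 splits the 100M link between R&D
(addressA, 30M), production (addressB, 30M) and a shared 40M default pipe;
level 2 limits p2p to 10M (download 2M, video 8M) and reserves 500K per user
for HTTP and email. Address books, application names and flows are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Flow = Dict[str, str]  # constructed flow record with keys src, dst, app, user

# Constructed address books standing in for addressA (R&D) and addressB (production).
ADDRESS_BOOK = {
    "addressA": ipaddress.ip_network("192.168.10.0/24"),
    "addressB": ipaddress.ip_network("192.168.20.0/24"),
}


def src_in(book: str) -> Callable[[Flow], bool]:
    return lambda f: ipaddress.ip_address(f["src"]) in ADDRESS_BOOK[book]


def app_is(*names: str) -> Callable[[Flow], bool]:
    return lambda f: f["app"] in names


@dataclass
class Pipe:
    name: str
    maps: List[Callable[[Flow], bool]] = field(default_factory=list)  # OR-ed conditions
    max_kbps: Optional[int] = None     # limit (None = no limit at this pipe)
    min_kbps: Optional[int] = None     # guarantee
    per_user: bool = False             # bandwidth applies per user rather than per pipe
    children: List["Pipe"] = field(default_factory=list)
    default: Optional["Pipe"] = None   # pipe for traffic matching none of the children

    def matches(self, flow: Flow) -> bool:
        # Maps are checked in configured order; any match admits the flow (OR).
        return any(m(flow) for m in self.maps)

    def classify(self, flow: Flow) -> List["Pipe"]:
        """Path from this pipe down to the most specific pipe the flow enters."""
        for child in self.children:             # first configured child wins
            if child.matches(flow):
                return [self] + child.classify(flow)
        return [self] + ([self.default] if self.default else [])


# Level 1: distribute the 100M link (requirement 1).
LEVEL1 = Pipe("root", max_kbps=100_000, children=[
    Pipe("rd", [src_in("addressA")], min_kbps=30_000, max_kbps=30_000),
    Pipe("production", [src_in("addressB")], min_kbps=30_000, max_kbps=30_000),
], default=Pipe("shared", max_kbps=40_000))

# Level 2: control global applications (requirement 2).
LEVEL2 = Pipe("root", children=[
    Pipe("p2p", [app_is("p2p-download", "p2p-video")], max_kbps=10_000, children=[
        Pipe("p2p-download", [app_is("p2p-download")], max_kbps=2_000),
        Pipe("p2p-video", [app_is("p2p-video")], max_kbps=8_000),
    ]),
    Pipe("web-mail", [app_is("http", "smtp", "pop3", "imap")], min_kbps=500, per_user=True),
], default=Pipe("default"))


def classify(flow: Flow) -> Tuple[List[str], List[str]]:
    """Names of the level-1 and level-2 pipes the flow passes through."""
    return ([p.name for p in LEVEL1.classify(flow)],
            [p.name for p in LEVEL2.classify(flow)])


def ceiling_kbps(flow: Flow) -> Optional[int]:
    """Tightest limit across both levels (None when nothing caps the flow)."""
    limits = [p.max_kbps for p in LEVEL1.classify(flow) + LEVEL2.classify(flow) if p.max_kbps]
    return min(limits) if limits else None


if __name__ == "__main__":
    sample = {"src": "192.168.10.5", "dst": "203.0.113.9", "app": "p2p-video", "user": "u1"}
    print(classify(sample), ceiling_kbps(sample))
```

Because the level-2 p2p pipe is listed before web-mail, a flow classified as both could only land in p2p; ordering the children is therefore part of the policy, not just cosmetics.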


Chapter 6 Network Behavior Control


The URL filter, domain name bypass, application behavior control and other functions that rely on domain names
require DNS to be configured on the device; it is recommended that the firewall's DNS server be the same as the
one used by your PC.
1. Log into StoneOS via the WebUI, and click the [Network] tab and then the [DNS] menu.
2. Click the [New] button to add a new DNS server address in the pop-up dialog.

URL filter (URL license needed)

For the URL filter configuration, refer to the following procedures:


1. Log into StoneOS via the WebUI, click the [Policy] tab and then the [URL filter] menu.
2. Click [New]; the <URL Filter Rule Configuration> dialog is displayed.


3. Specify the user. The user type can be address entry, IP address, IP range, role, user or user group. The default
user is any, which contains all users. To modify the user, click [choose] and edit it in the <User Configuration>
dialog.

4. Configure the LAN IP users to be limited as needed; note that netmask 32 represents only a single host
IP. To cover a network segment, enter its subnet mask: select "IP" from the <User type> dropdown list and
type the IP address and netmask in <IP address>.


5. Configure the control content (URL category and URL keyword category) and the control action (Block and Log).
6. Completing the above configuration prohibits the private IP "192.168.1.2" from accessing the following
two website categories: "Advertisements & Pop-Ups", "Alcohol & Tobacco" & "Anonymizers".

User-defined URL DB

Users can customize URL categories as needed. A user-defined URL category works the same way as a pre-defined
URL category and can be used for URL filter, web keyword filter and web posting control.
To create a URL category, refer to the following procedure:
1. Log into StoneOS via the WebUI, click [Policy] tab and then [URL filter] menu.
2. Click [Configuration] button in the top-right corner, and then click [User-defined URL DB].

3. Click [New] button in the pop-up dialog, assign a name and add URLs to the list.


4. Click [OK] to save the configuration. Now the user-defined URL category can be used when configuring URL
filter.


Chapter 7 Advanced VPN Configuration

SCVPN configuration based on USB Key

SCVPN configuration based on the USB key consists of the following:


• Create PKI trust domain
• Configure SCVPN
• Make USB Key
• Log in SCVPN by USB key

Create PKI trust domain


To create the PKI trust domain, refer to the following procedure:
1. Select the [PKI] menu in the [System] tab; the <PKI Management> dialog box is displayed. Click the <Trust domain>
tab to open the trust domain page.
2. Click [New]; the <PKI Configuration> dialog box is displayed.
3. Type the trust domain name and select the enrollment type: select <Manual enrollment>, click [Browse], select the CA
certificate, then click [Import] to import the certificate. There are two ways to obtain the CA certificate:
• Manual enrollment: use the terminal (cut and paste);
• Self-signed certificate: use a self-signed certificate.

4. Import the required CA certificate.

5. The details of the CA certificate are shown once it has been imported successfully.
6. Select the key pair from the <key pair> dropdown list. Other fields are optional.
7. Click the [Certificate Revocation List] menu and configure the CRL settings.


SCVPN configuration
Follow the steps below:
1. Configure the SCVPN name, the AAA server for user identification, access interface, port, tunnel interface,
address pool, policy and tunnel route; refer to steps 1-7 of the SCVPN configuration.
2. Configure the client and client certificate authentication on the <Client> page:
• USB key certificate authentication: select the <Enable> check box to enable digital certificate authentication.
There are two types of authentication: "Username/Password + Digital Certificate" and "Digital Certificate
only."
• Trust domain: select the trust domain created earlier from the <Trust domain> dropdown list, then click
[Add] to apply it.


Make USB key


The procedure for the UKEY depends on the type of UKEY used; refer to the guidelines provided by the UKEY
vendor. The procedure below is for reference only:
1. Format the USB key
2. Import the certificate

Login SCVPN by USB key


Refer to the following procedure to connect the client to the server.
1. Plug the USB key into your PC.
2. Enter the URL https://IP-Address:Port-Number in the browser.
3. The <choose digital certificate> dialog box is displayed. Select the required certificate and click [OK]. Enter
the UKEY user password (the default password is "1111") in the <input user password> dialog box, then
click [OK].
4. Enter the username and password on the login page in the browser, then click [login]. The username and
password are the ones configured on the device.


5. In the IE browser the download completes automatically; follow the prompt to install it. In Firefox or other
browsers, click [Download] to download the client application scvpn.exe, then double-click scvpn.exe and
follow the installation wizard.
6. After completing the installation, double-click the Hillstone Secure Connect shortcut on your desktop, or
click "All applications-Hillstone Secure Connect-Hillstone Secure Connect" from the "Start" menu. The login
dialog box is displayed.
7. Click [Mode]; the <Login Mode> dialog box is displayed as shown below. Select <Username/Password>, then
click [OK].

8. The login dialog in "Username/Password" mode is displayed as shown below. Enter the server IP, port
number, user, password and PIN code, then click [Login].


Hub-Spoke IPSecVPN

The hub-spoke IPSec VPN applies to a scenario with a single headquarters and multiple branches. The
configuration is somewhat more involved and consists of the following:
• Topology design
• Configure IKE VPN
• Configure a tunnel interface
• Configure the tunnel route
• Configure the policy

Topology
For example, we have 1 headquarters and 2 branches (topology figure):

Hub: 200.0.0.10, LAN 192.168.10.0/24
Branch1: LAN 192.168.20.0/24
Branch2: LAN 192.168.30.0/24

Configuring IKE VPN


1. Hub side:
a) P1, P2 VPN configuration for branch1


b) P1, P2 VPN configuration for branch2


2. IKE VPN configuration at branch1:


3. IKE VPN configuration at branch2:


Configuring Tunnel Interface


1. Hub side:
a) Tunnel interface from hub to branch1:


b) Tunnel interface from hub to branch2:

2. Branch1 side: tunnel interface from branch1 to hub


3. Branch2 side: tunnel interface from branch2 to hub


Configuring Tunnel Route


1. Hub side:
a) VPN route from hub to branch1


b) VPN route from hub to branch2

2. Branch1: VPN route from branch1 to hub


3. Branch2: VPN route from branch2 to hub

Configuring Policy
Configure the permit policy according to the network deployment. There should be a bidirectional policy between
the tunnel interface zone and the LAN zone.


Chapter 8 High Availability

Introduction

HA (High Availability) provides a failover solution in the case of a malfunction of a communication line or device,
in order to ensure uninterrupted communication and effectively improve network reliability. To implement the HA
function, group two Hillstone devices into an HA cluster; both must use the same hardware platform and firmware
version, both must have the VR and AV functions enabled, and both must have an anti-virus license installed. If one
device is unavailable or unable to handle client requests properly, the requests are promptly directed to the other
working device, thus ensuring uninterrupted network communication and improving the reliability of
communications.
Hillstone devices support two HA working modes: Active-Passive (A/P) and Active-Active (A/A):
• Active-Passive (A/P) mode: Two appliances are configured to form an HA group, with Device A acting as the
master device and Device B as its backup. Device A is active and forwards packets, and meanwhile
synchronizes all of its network and configuration information and concurrent sessions to Device B. If Device
A fails to forward packets or a TRACK object takes effect, Device B is promoted to master and takes over
the packet forwarding without impacting normal transactions. The topology is shown below:

• Active-Active (A/A) mode: Both devices have the HA function enabled. Device A is selected as the master device
of group0 and synchronizes its configuration to Device B; after the synchronization completes, Device B is
promoted to master device of group1. Typically, the two devices perform their own tasks simultaneously
and monitor each other's operational status: Device A forwards Internet traffic for the financial department
and the R&D department, while Device B forwards Internet traffic for the R&D server group. When one device
fails to forward packets or a TRACK object takes effect, the other takes over the work of the failed device
while still running its own tasks, to ensure uninterrupted service. For example, if Device B fails, Device A
takes over the forwarding work of Device B and also runs its own tasks simultaneously. The topology is shown
below:

HA configuration – A/P mode

Refer to the following procedures:


1. Select [HA] menu from the [System] tab. Configure details in the <HA> dialog. Below figures are the
configuration of HA in A/P mode on both devices (A and B):
• HA in Device A:


• HA in Device B:

• HA configuration in one device under A/A mode (just for reference):


2. Track object configuration. Select the [Track Object] menu in the [Objects] tab. Click [New] to go to the <Track Object
Configuration> dialog box.

3. If the track type is <interface>, click [Add] to add an interface and track its physical status. Multiple
interfaces can be added, each with a weight value: when an interface goes down, its weight is released, and
the track takes effect when the total released value exceeds the threshold value. The weight values and the
threshold value can be modified independently.


4. When the track type is <HTTP Ping ARP DNS TCP>, click [Add], select the packet type from the dropdown list,
then add the related track entry to monitor the logical status of the link. Multiple track types can be
configured. Take PING as an example, as shown below: the device sends a PING packet every 3 seconds, and if
it fails 3 times the track takes effect. The device uses the management IP of the configured packet receiving
interface as the source address (or the interface IP if there is no management IP) and sends the PING packet
out through the configured packet forwarding interface.
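Steps 3 and 4 describe two track types with different trigger rules: released interface weight compared against a threshold, and a count of consecutive failed probes sent at a fixed interval. The following is an added example, not StoneOS code, that models both so the effect of a chosen weight/threshold combination or failure count can be checked on paper before it is relied on for failover. Interface names, weights, the threshold, the probe interval and the probe answers are constructed.

```python
"""Track object evaluation: interface weights vs threshold, and a PING probe counter.

Added example, not StoneOS code. InterfaceTrack releases each down
interface's weight and triggers when the released total exceeds the
threshold; PingTrack triggers after the configured number of consecutive
failed probes sent every interval. All parameters and answers are constructed.
"""
from typing import Dict, List, Optional


class InterfaceTrack:
    def __init__(self, weights: Dict[str, int], threshold: int):
        self.weights = weights            # interface -> weight released when it is down
        self.threshold = threshold
        self.down = set()

    def set_state(self, iface: str, up: bool) -> None:
        if iface not in self.weights:
            raise KeyError(f"{iface} is not tracked")
        if up:
            self.down.discard(iface)
        else:
            self.down.add(iface)

    def released(self) -> int:
        return sum(self.weights[i] for i in self.down)

    def triggered(self) -> bool:
        # The track takes effect only when the released value exceeds the threshold.
        return self.released() > self.threshold


class PingTrack:
    def __init__(self, src_ip: str, egress: str, target: str,
                 interval_s: int = 3, fail_count: int = 3):
        self.src_ip, self.egress, self.target = src_ip, egress, target
        self.interval_s = interval_s
        self.fail_count = fail_count
        self.failures = 0                 # consecutive failures so far
        self.next_send = 0.0

    def due(self, now: float) -> bool:
        return now >= self.next_send

    def record(self, now: float, answered: bool) -> bool:
        """Feed the result of one probe sent at time now; returns whether the track is in effect."""
        self.next_send = now + self.interval_s
        self.failures = 0 if answered else self.failures + 1
        return self.triggered()

    def triggered(self) -> bool:
        return self.failures >= self.fail_count


def source_address(mgmt_ip: Optional[str], iface_ip: str) -> str:
    """Source address rule from step 4: prefer the management IP, else the interface IP."""
    return mgmt_ip or iface_ip


def run_ping_scenario(answers: List[bool], interval_s: int = 3, fail_count: int = 3) -> List[bool]:
    """Replay a constructed sequence of probe answers; returns the track state after each probe."""
    track = PingTrack(source_address("10.0.0.254", "10.0.0.1"), "ethernet0/1", "203.0.113.1",
                      interval_s, fail_count)
    states, now = [], 0.0
    for answered in answers:
        if track.due(now):
            states.append(track.record(now, answered))
        now += interval_s
    return states


if __name__ == "__main__":
    t = InterfaceTrack({"ethernet0/1": 100, "ethernet0/2": 100}, threshold=150)
    t.set_state("ethernet0/1", False)
    print("one link down ->", t.triggered())
    t.set_state("ethernet0/2", False)
    print("both links down ->", t.triggered())
    print(run_ping_scenario([True, False, False, True, False, False, False]))
```

Note that a single answered probe resets the failure counter, so a link that flaps every second probe never triggers the PING track; a failure count is a detection of sustained loss, not of degraded quality.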


5. Interface configuration. In A/P mode the interface configuration is the same as the common interface
configuration; refer to the interface configuration section. In A/A mode, group0 is configured the same way as a
common interface, while group1 needs a Virtual Forward interface: click [New] at the upper left of the interface
list page and select <Virtual Forward Interface> from the dropdown list. The <Interface Configuration> dialog box
is displayed, as shown below:


6. Management IP configuration. Because the standby device does not forward packets, configure a management IP
on the group0 interface. The management IP is used to manage the device and for TRACK monitoring. Click
[Advanced] on the <General> tab of the <Interface Configuration> dialog box and specify the management IP
for the interface.

Note: The management IP can be in the same network segment as the interface IP or in a different segment; simply
ensure that the route is reachable.
7. NAT rule configuration. In A/P mode the NAT rule configuration is the same as the common NAT
configuration; refer to the SNAT configuration. In A/A mode the group0 configuration is the same as well, but you
need to select group1 for the NAT configuration of group1.
8. SNAT. Click [New] on the <SNAT> tab page; the <SNAT Configuration> dialog box is displayed. Click [Advanced]
and specify the HA group to which the SNAT rule belongs.

9. DNAT. Click the [Policy] tab and the [NAT] menu; the <SNAT> page is displayed. Click the [DNAT] tab to go to the
DNAT page and specify the HA group to which the DNAT rule belongs.

10. Route and policy configuration. Refer to the route configuration and policy configuration sections.


Chapter 9: WebAuth based on Windows AD server

Introduction for AAA

AAA stands for Authentication, Authorization and Accounting.


• Authentication: verifies the user's identity.
• Authorization: grants the user certain service privileges.
• Accounting: records the user's usage of certain services for billing.
StoneOS supports the following types of AAA server:
• Local AAA Server
• Active Directory Server
• Radius Server
• LDAP Server

Configure the string format of the Active Directory parameters

Example 1: Sync all AD users to the firewall.


The Active Directory structure is shown below:
The domain name is "hillstonenet.com", the admin account is "administrator", and the password is "hillstone".
The strings should be configured as:
Base-dn: dc=hillstonenet,dc=com
Login-dn: cn=administrator,cn=users,dc=hillstonenet,dc=com


Example 2: Only sync the users under the OU named TAC from AD.


The domain name is "hillstonenet.com", the admin account is "administrator", and the password is "hillstone".
The strings should be configured as:
Base-dn: ou=tac,dc=hillstonenet,dc=com
Login-dn: cn=administrator,cn=users,dc=hillstonenet,dc=com


Example 3: Sync all users in the OU "IT Dep" (the OU name contains a space).
The domain name is "hillstonenet.com", the admin account is "administrator", and the password is "hillstone".
The strings should be configured as:
Base-dn: "ou=IT Dep,dc=hillstonenet,dc=com"
In this case, the string must be enclosed in a pair of double quotes ("").
Login-dn: cn=administrator,cn=users,dc=hillstonenet,dc=com
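The three examples follow one pattern: the Base-dn is built from the optional OU path and the domain's DNS labels, the Login-dn prefixes the admin account's CN and container, and a value containing a space makes the whole string need double quotes. The following is an added example, not StoneOS code, that builds these strings and parses them back so a typed-in DN can be checked before it is saved; the account and container names default to the ones used on this page and the password is not part of the DN.

```python
"""Build and check the Base-dn / Login-dn strings for the AD server.

Added example, not StoneOS code. base_dn() and login_dn() derive the strings
of examples 1-3 from the domain, an optional OU path and the admin account;
parse_dn() splits a (possibly quoted) DN back into its RDNs. The quoting rule
is the one example 3 states; commas inside values are not handled.
"""
from typing import List, Optional, Tuple


def _dc_rdns(domain: str) -> List[str]:
    labels = [p for p in domain.lower().split(".") if p]
    if not labels:
        raise ValueError("domain name is empty")
    return [f"dc={label}" for label in labels]


def _quote_if_needed(dn: str) -> str:
    # A space anywhere in the string means the whole DN must be double-quoted.
    return f'"{dn}"' if " " in dn else dn


def base_dn(domain: str, ou_path: Optional[List[str]] = None) -> str:
    """ou_path lists OUs from the innermost outwards, e.g. ["IT Dep"]."""
    rdns = [f"ou={ou}" for ou in (ou_path or [])] + _dc_rdns(domain)
    return _quote_if_needed(",".join(rdns))


def login_dn(domain: str, account: str = "administrator", container: str = "users") -> str:
    rdns = [f"cn={account}", f"cn={container}"] + _dc_rdns(domain)
    return _quote_if_needed(",".join(rdns))


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, accepting the quoted form."""
    if dn.startswith('"') and dn.endswith('"'):
        dn = dn[1:-1]
    elif " " in dn:
        raise ValueError("a DN containing a space must be enclosed in double quotes")
    pairs = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def scope_is_inside(base: str, login: str) -> bool:
    """True when the Base-dn and Login-dn belong to the same domain (same dc= tail)."""
    tail = lambda dn: [p for p in parse_dn(dn) if p[0] == "dc"]
    return tail(base) == tail(login)


if __name__ == "__main__":
    for ou in (None, ["tac"], ["IT Dep"]):
        print(base_dn("hillstonenet.com", ou))
    print(login_dn("hillstonenet.com"))
```

The scope check is a cheap guard against a common copy-and-paste slip: a Login-dn from one domain paired with a Base-dn from another binds successfully but synchronizes nothing.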


Configure the WebAuth

Click the <Network> tab and then the <Authentication Management> menu, then click the <WebAuth Wizard> button in the
top-right corner and follow the wizard to finish the WebAuth configuration.
