Easy Configuration Guide StoneOS 5.5
www.hillstonenet.com
Hillstone Multi-Core Security Appliance Easy Configuration Guide
Table of Contents
Hillstone Multi-Core Security Appliance Easy Configuration Guide Version 5.5
Preface
Contents
This manual is the basic configuration guide for the Hillstone Multi-Core Security Appliance. It applies only to StoneOS 5.5. It contains configuration steps for the major functions of the Hillstone appliance via the Web User Interface. The content is divided into the following chapters:
• Chapter 1: Device Management. Includes device access methods, StoneOS upgrades and license installation.
• Chapter 2: Connecting to the Internet. Includes basic Internet configurations such as interface, route and policy.
• Chapter 3: Commonly used function configurations. Includes PPPoE, DHCP and DNAT.
• Chapter 4: Link load balance. Includes destination-route, SBR and PBR based load balance.
• Chapter 5: QoS. Includes the QoS function and its configuration.
• Chapter 6: Network behavior control. Includes URL filtering and web content filtering.
• Chapter 7: Advanced VPN configuration. Includes USB Key based SCVPN and PnPVPN.
• Chapter 8: High Availability (HA) configuration. Includes A/P and A/A modes.
• Chapter 9: WebAuth based on Windows AD. Includes configuration for different directory structures.
Conventions
Introduction
In order to facilitate management and configuration by the Administrator, the Hillstone security appliance can
support both local (Console interface) as well as remote (Telnet, SSH, HTTP and HTTPS) configuration methods
through the command line interface (CLI) and the WebUI.
The WebUI is a more direct and effective configuration option, which supports both http and https access.
Interface ethernet0/0 has the default IP address 192.168.1.1/24 and all of its services enabled. The first time you log into the device, you can use this interface to access the WebUI.
Hillstone provides three methods to restore the device to factory default:
CLI: reset using a CLI command
WebUI: reset by clearing settings via the WebUI
Physical button: reset using the CLR button
CLI
To restore to factory default using CLI:
1. Type “unset all” in execution mode.
2. Follow the prompts and type y to remove all configuration.
3. Type y to reboot the device.
4. The device will be restored to factory default after the reboot.
WebUI
To restore to factory default using WebUI:
1. Click tab [System] in the WebUI
2. Choose menu [Configuration File Management]
3. Click button [Backup Restore]
4. Click button [Restore]
After these steps, all configurations will be cleared, and the device will reboot automatically.
StoneOS Upgrading
DRAM: 2048 MB
BOOTROM: 512 KB
Press ESC to stop autoboot: 4 // Press “ESC” during the 5-second countdown
4. Specify the Sysloader IP, TFTP server IP, gateway IP and name of StoneOS:
Local ip address [ ]: 10.2.2.10/16 // Type Sysloader IP and press Enter
Server ip address [ ]: 10.2.2.3 // Type TFTP server IP and press Enter
Gateway ip address [ ]: 10.2.2.1 // If Sysloader and TFTP server are not in the same network segment, you
should input the gateway IP and press Enter; otherwise, just press Enter
File name : StoneOS-3.5R2 // Type the name of StoneOS and press Enter, and then the system starts to
transfer the file via TFTP
#########################################################################################
#######################################################
5. Save StoneOS:
File total length 10482508
Checking the image...
Verified OK
Save this image? [y]/n: y // Type “y” or press Enter to save the transferred StoneOS
Saving .........................................
Set StoneOS-3.5R2 as active boot image
6. Reboot the device. The system will be restarted with the new StoneOS:
Please reset board to boot this image
1 Load firmware via TFTP
2 Load firmware via FTP
3 Load firmware from USB disks (not available)
4 Select backup firmware as active
5 Show on-board firmware
6 Reset
Please select: 6 // Type “6” and press Enter, system starts rebooting
The device Flash can only store two versions of StoneOS. If you want to store a new StoneOS but the device
already has two StoneOS saved, delete an existing one according to the prompt.
You can switch the firmware version in the [Choose a Firmware for the next startup] area.
If you choose not to restart the device immediately, the new firmware will be loaded at the next startup.
License installation
Some of the licenses would take effect after rebooting the device.
Introduction
In order to obtain Internet connection, the basic configuration includes: interface configuration, route
configuration, policy configuration and SNAT configuration.
Configuring Interfaces
Note: If the WAN interface uses a PPPoE link, refer to the PPPoE configuration section.
Configuring Route
2. Click the [New] button at the top left of the destination route list, and edit the route at the pop-up
<Destination Route Configuration> dialog:
• Destination: set the destination IP for this route.
• Subnet mask: set the subnet mask for this destination IP.
• Next hop: select the next hop type, <Gateway> or <Interface>. If <Gateway> is selected, enter the gateway IP address in the <Gateway> text box; if <Interface> is selected, select the interface name from the <Interface> dropdown list, and if that interface is a tunnel interface, also enter the peer gateway address of the tunnel. For example, the next hop gateway is 122.193.30.97 (this gateway IP is provided by the ISP).
• Precedence: the smaller this value is, the higher the precedence. If multiple routes are available, the route
with higher precedence will be prioritized. The value range is from 1 to 255, and the default value is 1.
When the value is configured as 255, this route will be invalid.
• Weight: The weight value specifies the weight of traffic forwarding in load balance. The value range is
from 1 to 255, and the default value is 1.
3. If needed, you can specify the description for this destination route at the <Description> text box.
4. Click [OK] to complete this new destination route.
Configuring Policy
Configuring SNAT
Introduction
This chapter includes configuration details for commonly used functions on the Hillstone Multi-Core Security
Appliance, such as PPPoE, DHCP, IP-MAC binding, peer to peer IPSec VPN, SCVPN and DNAT.
PPPoE
Method 2:
1. Log into StoneOS via WebUI, click [Network] tab, [PPPoE] menu, and then click [New] button at the top-left corner.
2. Edit the parameters in the pop-up <PPPoE Configuration> dialog. Usually, entering the PPPoE username and password is enough.
DHCP
Method 2:
1. Log into StoneOS via WebUI, click [Network] tab and [DHCP] menu, and then click [New] -> [DHCP Server] button at the top-left corner.
2. In the pop-up <DHCP Configuration> dialog, fill in the DHCP server parameters.
3. Click [OK] to save your settings and to go back to DHCP list dialog. Connect your PC or switch on the specific
interface to receive the IP address.
IP-MAC binding
4. By default, the ARP learning function is enabled on the security appliance; it must be disabled on the interface when IP-MAC binding is enabled.
5. Click [Network] tab and then [Interface] menu in the left navigation bar to visit the interface page. Select the interface from the list, then double-click it or click the [Edit] button.
6. In the <Ethernet Interface> dialog, click the [Properties] tab and clear the [Enable] check box next to ARP learning in the <Parameters> section to disable ARP learning.
Create a secure tunnel between security appliances A and B, with PC1 connected to A and PC2 connected to B. Both appliances have a fixed public IP. The peer-to-peer IPSec VPN topology is shown below:
Use IKE VPN, the automatic negotiation method, to configure the IPSec VPN, including:
• P1 proposal
• VPN peer
• P2 proposal
• IPSec tunnel
• Bind interface to tunnel
• Configure tunnel route and policy
Please follow the below steps for configuration:
1. Configure P1 proposal. Log into StoneOS via the WebUI, click [Network] tab, [VPN] menu and then [IPSec VPN] sub-menu to visit the IPSec VPN page. Click [P1 proposal] tab to open the P1 proposal page.
2. Click the [New] button, and edit the pop-up <Phase1 Proposal Configuration> dialog:
3. Configure VPN peer. Click [VPN Peer List] tab on the IPSec VPN page.
4. Click the [New] button, and configure the VPN peer on the pop up <Peer Configuration> dialog.
Note: If there are other NAT devices in front of the appliance, the NAT traversal function should be configured under the <Advanced> tab.
5. Configure P2 proposal. Click [Phase2 Proposal] tab on the IPSec VPN page.
6. Click the [New] button, and edit the pop-up <Phase2 Proposal Configuration> dialog.
7. Configure tunnel. Click the [New] button under the <IKE VPN List> dialog on the IPSec VPN page.
8. Select an ISAKMP peer from the peer list, then set the name for the tunnel and its mode, proposal and proxy ID.
Note: After configuring the tunnel, the VPN connection needs to be triggered with traffic. If auto connection is
required, please enable the auto connect function under <Advanced> tab.
9. Bind interface to tunnel. Click [Interface] menu to visit the Interface page. Click the [New] button at the top
left of interface list, select <Tunnel Interface> from the dropdown list, and bind the interface to tunnel at the
pop up <Interface Configuration> dialog.
10. Configure tunnel route and policy. Click [Routing] menu to visit the destination route page. Click the [New]
button, and configure the destination route on the pop up <Destination Route Configuration> dialog.
11. Click [Policy] tab to visit the policy page. Click the [New] button, and configure the policy rule in the pop-up <Policy Configuration> dialog. Bidirectional policies must be configured here.
12. After completing these settings, configure the VPN on device B using the same steps.
13. Once both sides are configured, a secure tunnel will be established between appliances A and B.
SCVPN
To help remote users safely access Intranet resources, the Hillstone security appliance provides an SSL based
remote access solution: Secure Connect VPN (SCVPN).
4. Click [Next] button to <Interface> configuration page. Configure the device access interface, tunnel interface
and address pool on this page.
Note: Tunnel interface’s IP address must be at the same network segment with address pool, and the tunnel
Note: System will automatically create a policy with VPNHub as the source zone and any as the destination
zone; Tunnel route is the Intranet resource network segment accessed by the remote users.
6. Click [Object] tab and then [User] menu to visit the user configuration page. Select the AAA server that was configured in the SCVPN wizard.
7. Click [New] to create users on that AAA server. Configure the user name and password on the [Basic] tab.
8. Launch SCVPN via Web (username/password). Type the URL: https://IP-Address:Port-Number (default port
10. Download and launch the SCVPN client (username/password). After logging into the device via the web, download and install the client application, Hillstone Secure Connect.
11. After installing the client, double-click the Hillstone Secure Connect shortcut on your desktop, or click “All applications > Hillstone Secure Connect > Hillstone Secure Connect” in the Start menu. The login dialog pops up; click the [Mode] button, select <Username/Password> in the <Login Mode> dialog and click [OK].
12. On the popup “username/password” login dialog, input the server IP address, port number, username and
password, and click [Login].
DNAT
DNAT is used to publish Intranet servers on the Internet (such as HTTP, FTP and database services), so that users can access these services by visiting the public IP address.
The commonly used DNAT types are: one-to-one IP mapping, one-to-one port mapping, and one-to-many mapping.
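The three mapping types can be seen side by side in the following Python model. It is an added example, not code from the guide or from Hillstone: each DnatRule holds one public address and optionally one public port, translates to one private address (one-to-one) or to a pool of them (one-to-many), and rules are evaluated in configured order with the first match winning. Round-robin over the pool is an assumption, since the guide does not say how the appliance spreads the load; all addresses and ports are constructed.

```python
"""DNAT rule matching for the three mapping types named in this section.

Added illustration, not StoneOS code. One-to-one IP mapping forwards every
port of a public IP to one private IP; one-to-one port mapping forwards one
public port to one private IP:port; one-to-many mapping spreads one public
IP:port over several private servers. First matching rule wins (assumption);
the pool is walked round-robin (assumption). Addresses are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class DnatRule:
    public_ip: str
    private_ips: List[str]                # one entry = one-to-one, several = one-to-many
    public_port: Optional[int] = None     # None: IP mapping, every port is forwarded
    private_port: Optional[int] = None    # None: keep the original destination port
    proto: str = "tcp"
    _next: int = field(default=0, init=False, repr=False)

    def matches(self, pkt: Packet) -> bool:
        if pkt.dst_ip != self.public_ip:
            return False
        if self.public_port is None:
            return True                    # IP mapping: any port, any protocol
        return pkt.proto == self.proto and pkt.dst_port == self.public_port

    def translate(self, pkt: Packet) -> Packet:
        target = self.private_ips[self._next % len(self.private_ips)]
        self._next += 1                    # round-robin over the server pool (assumption)
        port = pkt.dst_port if self.private_port is None else self.private_port
        return Packet(target, port, pkt.proto)


def apply_dnat(rules: List[DnatRule], pkt: Packet) -> Optional[Packet]:
    """First matching rule translates the packet; None means no DNAT rule applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.translate(pkt)
    return None


# Constructed rule set using public addresses from the documentation range.
RULES = [
    # one-to-one IP mapping: everything sent to 203.0.113.10 reaches 192.168.1.10
    DnatRule("203.0.113.10", ["192.168.1.10"]),
    # one-to-one port mapping: public 8080/tcp -> internal web server on 80/tcp
    DnatRule("203.0.113.11", ["192.168.1.20"], public_port=8080, private_port=80),
    # one-to-many mapping: public 443/tcp spread over two internal servers
    DnatRule("203.0.113.12", ["192.168.1.31", "192.168.1.32"], public_port=443),
]

if __name__ == "__main__":
    print(apply_dnat(RULES, Packet("203.0.113.10", 22)))     # 192.168.1.10:22
    print(apply_dnat(RULES, Packet("203.0.113.11", 8080)))   # 192.168.1.20:80
    print(apply_dnat(RULES, Packet("203.0.113.11", 22)))     # None, port not published
    print(apply_dnat(RULES, Packet("203.0.113.12", 443)))    # 192.168.1.31:443
    print(apply_dnat(RULES, Packet("203.0.113.12", 443)))    # 192.168.1.32:443
```

The model makes the difference in exposure visible: a port-mapping rule only forwards the one published port (port 22 to 203.0.113.11 translates to nothing), whereas an IP-mapping rule forwards every port of the host, so the policy rule created in the next steps is the only thing limiting what reaches it.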
3. You can either enter the address directly or select the address book entry you just created, then click [OK] to finish creating the DNAT rule.
4. Create a policy rule for the DNAT rule in the policy configuration page. In this instance the traffic is from WAN to LAN, so the policy direction is from the untrust zone to the trust zone.
2. Fill in the addresses and ports in the <Port Mapping Configuration> dialog, and click [OK] to finish creating the
DNAT rule.
3. Create policy rule for the DNAT rule in the policy configuration page.
2. Advanced configuration of DNAT. Click [Policy] tab, [NAT] menu and then [DNAT] sub menu. Click [New]
button and select [Advanced Configuration] from dropdown list.
3. Create policy rule for the DNAT rule in the policy configuration page.
Introduction
For users who have multiple ISP links, the Link Load Balance function helps to assign traffic to different links
appropriately by using a dynamic link detection technique, thus making full use of all available link resources. The
LAN traffic can be distributed with load balance based on source address, destination address or service.
After configuring the load balance for both the source address and destination address, redundancy will be
achieved and the traffic can be successfully forwarded if one of the routes becomes invalid.
Before configuring link load balance, make sure the interfaces, SNAT and policy have been configured on the device.
1. Finish the configuration of the interface IP address and net mask (confirm the net mask length with your ISP).
2. Configure the SNAT rule so that LAN traffic is translated to the addresses of the public address pool and can reach the Internet.
3. Configure the policy rule to permit traffic forwarding through the device.
Example: interface ethernet0/2 is connected to ISP A with 10M bandwidth and ethernet0/3 to ISP B with 20M bandwidth; all traffic going to the WAN should be forwarded through ethernet0/2 and ethernet0/3 in a 1:2 ratio. If 3 packets are forwarded through the device, 1 is forwarded from ethernet0/2 and 2 from ethernet0/3.
Please follow the below steps:
1. Log into StoneOS via WebUI, Click [Network] tab and [Routing] menu, then the [Destination Route] menu.
3. After these settings, traffic will be forwarded through ethernet0/2 and ethernet0/3 in a 1:2 ratio, i.e. 1:2 load balancing. The ratio should be chosen according to the egress bandwidth and actual usage.
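The following Python model ties together the precedence and weight rules given for destination routes in Chapter 2 (precedence 1 to 255, lower wins, 255 makes the route invalid; weight 1 to 255) with the 1:2 example above. It is an added illustration, not code from the guide or from Hillstone. Two points are assumptions: longest-prefix match is applied before precedence is compared (standard router behaviour, not spelled out in the guide), and the weighted split is realised with a deterministic weighted round-robin over flows, because the guide does not describe the appliance's distribution algorithm. The route table and destination addresses are constructed; a hypothetical ethernet0/4 backup route shows the redundancy case.

```python
"""Destination-route selection and weighted load balance, modelled in Python.

Added illustration, not StoneOS code. Rules from the guide: precedence 1-255,
lower value preferred, 255 = invalid; weight 1-255 shares traffic among routes
of equal precedence. Assumptions: longest prefix wins before precedence is
compared; the weighted split is a deterministic weighted round-robin.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

INVALID_PRECEDENCE = 255  # guide: a route configured with precedence 255 is invalid


@dataclass(frozen=True)
class Route:
    destination: str  # CIDR, e.g. "0.0.0.0/0"
    next_hop: str     # gateway IP or egress interface name
    precedence: int = 1
    weight: int = 1

    def __post_init__(self) -> None:
        # Reject values outside the ranges the guide gives for both fields.
        if not 1 <= self.precedence <= 255:
            raise ValueError(f"precedence out of range: {self.precedence}")
        if not 1 <= self.weight <= 255:
            raise ValueError(f"weight out of range: {self.weight}")

    @property
    def network(self):
        return ip_network(self.destination, strict=False)


def candidate_routes(table: List[Route], dst_ip: str) -> List[Route]:
    """Active routes that carry traffic to dst_ip.

    1. drop invalid (precedence 255) routes and non-matching prefixes;
    2. keep the longest prefix (assumption, see module docstring);
    3. keep only the best (lowest) precedence; several routes may remain
       and those share traffic by weight.
    """
    addr = ip_address(dst_ip)
    matching = [r for r in table
                if r.precedence != INVALID_PRECEDENCE and addr in r.network]
    if not matching:
        return []
    longest = max(r.network.prefixlen for r in matching)
    matching = [r for r in matching if r.network.prefixlen == longest]
    best = min(r.precedence for r in matching)
    return [r for r in matching if r.precedence == best]


class WeightedRoundRobin:
    """Hand out next hops so route i receives weight_i / sum(weights) of the flows."""

    def __init__(self, routes: List[Route]) -> None:
        self._cycle = [r for r in routes for _ in range(r.weight)]
        self._pos = 0

    def pick(self) -> Route:
        route = self._cycle[self._pos % len(self._cycle)]
        self._pos += 1
        return route


def forward_counts(table: List[Route], flows: List[str]) -> Dict[str, int]:
    """Count flows per next hop; flows with no usable route are counted as 'no-route'."""
    counts: Counter = Counter()
    schedulers: Dict[tuple, WeightedRoundRobin] = {}
    for dst in flows:
        cands = candidate_routes(table, dst)
        if not cands:
            counts["no-route"] += 1
            continue
        key = tuple(r.next_hop for r in cands)
        sched = schedulers.setdefault(key, WeightedRoundRobin(cands))
        counts[sched.pick().next_hop] += 1
    return dict(counts)


def with_link_down(table: List[Route], interface: str) -> List[Route]:
    """Simulate a failed link: routes via that interface are no longer usable."""
    return [r for r in table if r.next_hop != interface]


# Constructed table mirroring the guide's scenario: ISP A on ethernet0/2 and ISP B
# on ethernet0/3 split 1:2, a lower-precedence backup default route via a
# hypothetical ethernet0/4, an internal route, and one route disabled with 255.
SAMPLE_TABLE = [
    Route("0.0.0.0/0", "ethernet0/2", precedence=1, weight=1),
    Route("0.0.0.0/0", "ethernet0/3", precedence=1, weight=2),
    Route("0.0.0.0/0", "ethernet0/4", precedence=10, weight=1),
    Route("10.0.0.0/8", "ethernet0/1", precedence=1, weight=1),
    Route("0.0.0.0/0", "ethernet0/5", precedence=255, weight=1),
]
# Six constructed outbound flows to documentation-range destinations.
SAMPLE_FLOWS = ["198.51.100.7", "203.0.113.5", "192.0.2.9",
                "198.51.100.8", "203.0.113.6", "192.0.2.10"]

if __name__ == "__main__":
    print(forward_counts(SAMPLE_TABLE, SAMPLE_FLOWS))   # {'ethernet0/2': 2, 'ethernet0/3': 4}
    failed = with_link_down(with_link_down(SAMPLE_TABLE, "ethernet0/2"), "ethernet0/3")
    print([r.next_hop for r in candidate_routes(failed, "203.0.113.5")])   # ['ethernet0/4']
```

Running it shows the 1:2 split the guide describes, that the precedence-255 route never carries traffic, and that the precedence-10 backup only becomes a candidate once both ISP routes are gone.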
When a LAN user first visits a WAN IP address, the system sends detection traffic over all qualified links that match the default route. A static route is generated toward the first interface that receives a response, and subsequent packets to that destination are forwarded without further detection; if this generated route is not hit again, it is aged out automatically.
Please follow the below steps:
1. Log into StoneOS via WebUI, Click [Network] tab and [Routing] menu, then the [Link Load Balancing] menu.
2. Click [Outbound] tab.
Introduction
QoS (Quality of Service) is used to provide different priorities to different traffic, in order to control the delay and
flapping, and decrease the packet loss rate. QoS can assure the normal transmission of critical business traffic when
the network is overloaded or congested.
Hillstone devices implement QoS by configuring pipes. A pipe is a virtual concept representing the bandwidth of a transmission path. The system classifies traffic using the pipe as the unit and controls the traffic crossing each pipe according to the actions defined for it. All traffic crossing the device flows into the virtual pipes whose matching conditions it matches; traffic that matches no condition flows into the default pipe predefined by the system.
The system supports two-level traffic control: level-1 control and level-2 control. In each level, the traffic control
is implemented by pipes. Traffic that is dealt with by level-1 control flows into the level-2 control, and then the
system performs the further management and control according to the pipe configurations of level-2 control. After
the traffic flows into the device, the process of QoS is shown as below:
Pipes, except the default pipe, consist of two parts: traffic matching conditions (maps) and the traffic management action (rule). Each map is a matching condition used to distinguish specific traffic; traffic is compared against the maps one by one in sequence until one matches (the first configured map is at the front). The logical relation between maps is OR: when traffic matches any map of a pipe, it enters that pipe.
1. Click [Policy] tab and then [QoS] menu, then click [New] to create a new pipe. In the pop-up Pipe Configuration dialog, click [New] to create the pipe condition.
2. Then in the <Action> page, configure the action performed by the system.
The pipe direction is determined by its pipe map: the forward pipe is in the same direction as the map, the backward pipe in the opposite direction. You can configure the action for Forward or Bidirectional; if you configure only the backward action, it will not work.
Requirement 1
The total link bandwidth is 100M. Guarantee bandwidth for each department: R&D department 30M, production department 30M, and the remaining 40M is shared. Departments are distinguished by IP address book: addressA is R&D, addressB is production.
Requirement 2
Control the global applications:
Limit p2p traffic to 10M (p2p downloading is limited to 2M, p2p video to 8M).
Guarantee bandwidth for HTTP and Email service: 500K for each user.
Requirement Analysis
Two-dimensional QoS is required:
Dimension 1 – Distribute the total bandwidth
Dimension 2 – Control the global applications
Solution
Based on the requirements, two levels of QoS control are needed:
Level 1 QoS achieves the bandwidth distribution of requirement 1.
Level 2 QoS achieves the control of global applications of requirement 2.
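The pipe rules stated in the introduction of this chapter (maps OR'ed within a pipe, first match in configured order, unmatched traffic into the default pipe, level-2 control applied after level-1) and the two-level solution for the requirements above can be checked in the following Python model. It is an added example, not code from the guide or from Hillstone. The address books addressA and addressB are given the constructed subnets 10.1.1.0/24 and 10.1.2.0/24, the application labels (p2p-download, p2p-video, http, smtp, pop3) and the flows are constructed, and the bandwidth figure on the web/mail pipe is constructed because the guide only gives the per-user value. The oversubscribed() check is an addition of this example: it flags a level whose sub-pipes together reserve more than their parent has.

```python
"""Two-level QoS pipe classification, a Python model of the rules in this chapter.

Added illustration, not StoneOS code. A pipe has one or more maps (OR'ed,
tried in configured order, first hit wins); traffic matching no pipe goes to
the default pipe; level-2 control follows level-1 control. Address books,
application labels and flows are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    app: str  # application label as the device would identify it, e.g. "http"


@dataclass(frozen=True)
class Map:
    """One matching condition; fields left as None are wildcards."""
    src_net: Optional[str] = None
    app: Optional[str] = None

    def matches(self, flow: Flow) -> bool:
        if self.src_net is not None and ip_address(flow.src_ip) not in ip_network(self.src_net):
            return False
        if self.app is not None and flow.app != self.app:
            return False
        return True


@dataclass
class Pipe:
    name: str
    bandwidth_mbps: float
    maps: List[Map] = field(default_factory=list)         # OR'ed, in configured order
    children: List["Pipe"] = field(default_factory=list)  # optional sub-pipes
    per_user_kbps: Optional[int] = None                   # per-user guarantee, if any

    def matches(self, flow: Flow) -> bool:
        return any(m.matches(flow) for m in self.maps)


def classify(pipes: List[Pipe], default: Pipe, flow: Flow) -> Pipe:
    """First pipe whose maps match wins; unmatched traffic goes to the default pipe.
    If the winning pipe has sub-pipes the same rule is applied one level down, with
    the parent acting as default for traffic that matches none of its sub-pipes."""
    for pipe in pipes:
        if pipe.matches(flow):
            return classify(pipe.children, pipe, flow) if pipe.children else pipe
    return default


def oversubscribed(pipe: Pipe) -> List[str]:
    """Names of pipes whose sub-pipes together reserve more than the parent has."""
    bad = []
    if pipe.children and sum(c.bandwidth_mbps for c in pipe.children) > pipe.bandwidth_mbps:
        bad.append(pipe.name)
    for child in pipe.children:
        bad.extend(oversubscribed(child))
    return bad


# Level 1: distribute the 100M link by department (requirement 1).
ADDRESS_A, ADDRESS_B = "10.1.1.0/24", "10.1.2.0/24"   # constructed address books
LEVEL1_DEFAULT = Pipe("shared", 40)
LEVEL1 = [Pipe("R&D", 30, maps=[Map(src_net=ADDRESS_A)]),
          Pipe("production", 30, maps=[Map(src_net=ADDRESS_B)])]
LINK = Pipe("link", 100, children=LEVEL1 + [LEVEL1_DEFAULT])

# Level 2: control applications globally (requirement 2).
LEVEL2_DEFAULT = Pipe("default", 100)
LEVEL2 = [Pipe("p2p", 10, maps=[Map(app="p2p-download"), Map(app="p2p-video")],
               children=[Pipe("p2p-download", 2, maps=[Map(app="p2p-download")]),
                         Pipe("p2p-video", 8, maps=[Map(app="p2p-video")])]),
          Pipe("web-mail", 100, maps=[Map(app="http"), Map(app="smtp"), Map(app="pop3")],
               per_user_kbps=500)]   # pipe size constructed; guide gives only 500K per user


def classify_two_level(flow: Flow) -> Tuple[str, str]:
    """Return the (level-1 pipe, level-2 pipe) names the flow ends up in."""
    return (classify(LEVEL1, LEVEL1_DEFAULT, flow).name,
            classify(LEVEL2, LEVEL2_DEFAULT, flow).name)


if __name__ == "__main__":
    for f in [Flow("10.1.1.5", "p2p-video"), Flow("10.1.3.9", "http"), Flow("10.1.2.7", "ssh")]:
        print(f, classify_two_level(f))
    print("oversubscribed:", oversubscribed(LINK))   # [] for the 30 + 30 + 40 plan
```

A p2p-video flow from addressA lands in the R&D pipe at level 1 and in the p2p-video sub-pipe at level 2; an HTTP flow from an address in neither book falls into the shared pipe and the web/mail pipe; an application nobody mapped ends in the level-2 default pipe.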
You can also set the whitelist when configuring root pipe.
3. Specify User. User type could be address entry, IP address, IP range, role, user or user group. Default user is
any that contains all users. To modify a user, click [choose], and modify the user in the <User Configuration>
dialog.
4. Configure the LAN IP user to be limited as needed; note that a net mask of 32 represents a single host IP, so enter the subnet mask of the network segment when limiting a whole segment. Select “IP” from the <User type> dropdown list and type the IP address and net mask in <IP address>.
5. Configure the control content (URL category and URL keyword category) and control action (Block and Log).
6. Completing the above configuration will prohibit the private IP “192.168.1.2” from accessing the website categories “Advertisements & Pop-Ups”, “Alcohol & Tobacco” and “Anonymizers”.
User-defined URL DB
Users can define their own URL categories as needed. A user-defined URL category works the same way as a pre-defined one and can be used for URL filtering, web keyword filtering and web posting control.
To create a URL category, refer to the following procedure:
1. Log into StoneOS via the WebUI, click [Policy] tab and then [URL filter] menu.
2. Click [Configuration] button in the top-right corner, and then click [User-defined URL DB].
3. Click [New] button in the pop-up dialog, assign a name and add URLs to the list.
4. Click [OK] to save the configuration. Now the user-defined URL category can be used when configuring URL
filter.
SCVPN configuration
Follow the below steps:
1. Configure the SCVPN name, the AAA server for user identification, the access interface, port, tunnel interface, address pool, policy and tunnel route as described in steps 1-7 of the SCVPN configuration section.
2. Configure the client and client certificate authentication on the <Client> page:
• USB Key certificate authentication: select the <Enable> check box to enable digital certificate authentication. There are two types: “Username/Password + Digital Certificate” and “Digital Certificate only”.
• Trust domain: select the trust domain created earlier from the <Trust domain> dropdown list, then click [Add] to apply it.
5. The system will complete the download automatically in the IE browser. Follow the prompt to install it; if
using Firefox or other browsers, please click [Download] to download the client application scvpn.exe;
double-click scvpn.exe after downloading to install the client according to the installation wizard.
6. After completing the installation, double-click the shortcut for Hillstone Secure Connect on your desktop, or
click “All applications-Hillstone Secure Connect-Hillstone Secure Connect” from the “Start” menu. The system
will display the login dialog box.
7. Click [Mode], the <Login Mode > dialog box is displayed as shown below. Select <Username/Password>, then
click [OK].
8. The login dialog in “Username/Password” mode is displayed as shown below. Enter the server IP, port number, user name, password and PIN code, then click [Login].
Hub-Spoke IPSec VPN
The Hub-Spoke IPSec VPN applies to a scenario with a single headquarters and multiple branches. The configuration is somewhat more complex; it consists of:
• Topology design
• Configure IKE VPN
• Configure a tunnel interface
• Configure tunnel route
• Configure policy
Topology
For example, we have 1 headquarters and 2 branches:
Topology (figure not reproduced): Hub at 200.0.0.10 with LAN 192.168.10.0/24; Branch1 with LAN 192.168.20.0/24; Branch2 with LAN 192.168.30.0/24.
Configuring Policy
Configure the permit policy according to the network deployment. There should be bidirectional policy between
Introduction
HA (High Availability) provides a failover solution in the case of a malfunction in the communication line or devices
in order to ensure smooth communication and effectively improve the network reliability. To implement the HA
function, group two Hillstone devices as an HA cluster, using identical hardware platform and firmware version, and
with both devices enabled with VR and AV functions, as well as an installed anti-virus license. If one device is
unavailable or not able to handle the client request properly, the request will be promptly directed to the other
working device, thus ensuring uninterrupted network communication and improving the reliability of
communications.
Hillstone devices support two HA working modes: Active-Passive (A/P) and Active-Active (A/A):
• Active-Passive (A/P) mode: Two appliances form an HA group, with device A acting as the master and device B as its backup. Device A is active and forwards packets while synchronizing all of its network and configuration information and current sessions to device B. If device A fails to forward packets or its track object takes effect, device B is promoted to master and takes over packet forwarding without impacting normal transactions. The topology is shown below:
• Active-Active (A/A) mode: Both devices have HA enabled. Device A is selected as the master of group0 and synchronizes its configuration to device B; after synchronization completes, device B is promoted to master of group1. Normally each device performs its own tasks and monitors the operational status of the other: device A forwards Internet traffic for the financial and R&D departments, while device B forwards Internet traffic for the R&D server group. When one device fails to forward packets or its track object takes effect, the other takes over the failed device's work while continuing its own tasks, so service is not interrupted. For example, if device B fails, device A takes over device B's forwarding while still running its own tasks. The topology is shown below:
• HA in Device B:
2. Track object configuration. Select the [Track Object] menu under the [Objects] tab. Click [New] to open the <Track Object Configuration> dialog box.
3. If the track type is <Interface>, click [Add] to add an interface whose physical status is tracked. Multiple interfaces can be added, each with a weight; when an interface is down its weight is released, and the track object takes effect when the total released weight exceeds the threshold. The weight and threshold values can be modified independently.
4. When the track type is <HTTP/Ping/ARP/DNS/TCP>, click [Add], select the packet type from the dropdown list, then add the related track entry to monitor the logical status of the link. Multiple track types can be configured. Take PING as an example, as shown below: the device sends a PING packet every 3 seconds, and if it fails 3 times the track object takes effect. The device uses the management IP of the configured packet-receiving interface as the source address (or the interface IP if no management IP is configured) and sends the PING packet out through the configured packet-forwarding interface.
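The interface-weight rule from step 3 and the PING rule from step 4 are small enough to model exactly, which is useful when sizing weights and thresholds before a failover test. The following Python model is an added example, not code from the guide or from Hillstone. Two readings of the text are assumptions and marked in the code: "exceeds the threshold" is taken as a strict comparison, and the 3 PING failures are taken as consecutive, with any reply resetting the count. Interface names, weights, the threshold and the probe history are constructed.

```python
"""Track-object evaluation for HA failover, modelled in Python.

Added illustration, not StoneOS code. Interface track: each member interface
has a weight, a down interface releases its weight, and the track takes effect
when the released total exceeds the threshold. Ping track: one probe every
3 seconds, track takes effect after 3 failures. Assumptions are marked inline.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class TrackedInterface:
    name: str
    weight: int  # weight released when the interface's physical status is down


@dataclass
class InterfaceTrack:
    threshold: int
    members: List[TrackedInterface]

    def released_weight(self, link_up: Dict[str, bool]) -> int:
        # An interface missing from link_up is treated as up.
        return sum(m.weight for m in self.members if not link_up.get(m.name, True))

    def takes_effect(self, link_up: Dict[str, bool]) -> bool:
        # Assumption: "exceeds the threshold" read as strictly greater than.
        return self.released_weight(link_up) > self.threshold


@dataclass
class PingTrack:
    interval_s: int = 3   # guide: a PING packet every 3 seconds
    retries: int = 3      # guide: track takes effect after 3 failures
    _consecutive_failures: int = field(default=0, init=False, repr=False)

    def record(self, replied: bool) -> bool:
        """Feed one probe result; return True once the track has taken effect."""
        # Assumption: failures must be consecutive; any reply resets the counter.
        self._consecutive_failures = 0 if replied else self._consecutive_failures + 1
        return self._consecutive_failures >= self.retries

    def worst_case_detection_s(self) -> int:
        """Seconds from the link going silent until the track takes effect."""
        return self.interval_s * self.retries


def first_trigger_index(track: PingTrack, results: List[bool]) -> int:
    """Index of the probe at which the track takes effect, or -1 if it never does."""
    for i, replied in enumerate(results):
        if track.record(replied):
            return i
    return -1


# Constructed example: two uplinks of weight 100 and a threshold of 150, so losing
# one uplink does not fail over but losing both does.
UPLINK_TRACK = InterfaceTrack(threshold=150, members=[
    TrackedInterface("ethernet0/2", 100),
    TrackedInterface("ethernet0/3", 100),
])

# Constructed probe history: two isolated losses, then the link goes silent.
PROBE_RESULTS = [True, False, False, True, False, False, False, False]

if __name__ == "__main__":
    print(UPLINK_TRACK.takes_effect({"ethernet0/2": False}))                        # False
    print(UPLINK_TRACK.takes_effect({"ethernet0/2": False, "ethernet0/3": False}))  # True
    print(first_trigger_index(PingTrack(), PROBE_RESULTS))                           # 6
    print(PingTrack().worst_case_detection_s())                                      # 9
```

With these values a single flapping probe never triggers failover, and a dead link is detected within 9 seconds; if your firmware counts non-consecutive failures, the second probe history in the test would also trigger, so confirm the semantics on the device before relying on the numbers.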
5. Interface configuration. In A/P mode the interface configuration is the same as the common interface configuration; refer to that section. In A/A mode the group0 interfaces are configured as usual, but group1 needs a Virtual Forward interface. Click [New] at the upper left of the interface list page and select <Virtual Forward Interface> from the dropdown list. The <Interface Configuration> dialog box is displayed, as shown below:
6. Management IP configuration. Configure the management IP on the group0 interface, because the standby device does not forward packets. The management IP is used for managing the device and for TRACK monitoring. Click [Advanced] on the <General> tab of the <Interface Configuration> dialog box and specify the management IP for the interface.
Note: The management IP can be in the same network segment as the interface IP or in a different one; just ensure the route is reachable.
7. NAT rule configuration. In A/P mode the NAT rule configuration is the same as the common NAT configuration; refer to SNAT configuration. In A/A mode the group0 configuration is also the same, but you need to select group1 when configuring NAT for group1.
8. SNAT. Click [New] on the <SNAT> tab page; the <SNAT Configuration> dialog box is displayed. Click [Advanced],
9. DNAT. Click [Policy] tab, [NAT] menu; the <SNAT> page is displayed. Click the [DNAT] tab to go to the DNAT page. Specify the HA group to which the DNAT rule belongs.
10. Route and policy configuration. Refer to the route configuration and policy configuration sections.
Example 3: Sync all users in OU “IT Dep” (the OU name contains a space)
The domain name is “hillstonenet.com”, the admin account is “administrator”, and the password is “hillstone”. The strings should be configured as:
Base-dn: “ou=IT Dep,dc=hillstonenet,dc=com”
Because the OU name contains a space, the whole Base-dn string must be enclosed in a pair of double quotes.
Login-dn: cn=administrator,cn=users,dc=hillstonenet,dc=com
Click <Network> tab and then <Authentication Management> menu, click the <WebAuth Wizard> button on the
top right corner. Then follow the wizard to finish the WebAuth configuration.