Hillstone Networks

Virtual Hillstone Security Management


User Guide
Version 4.19.0

TechDocs | docs.hillstonenet.com
Copyright 2022 Hillstone Networks. All rights reserved.
Information in this document is subject to change without notice. The software described in
this document is furnished under a license agreement or nondisclosure agreement. The software
may be used or copied only in accordance with the terms of those agreements. No part of this
publication may be reproduced, stored in a retrieval system, or transmitted in any form or any
means electronic or mechanical, including photocopying and recording for any purpose other
than the purchaser's personal use without the written permission of Hillstone Networks.
Commercial use of the document is forbidden.
Contact Information:
US Headquarters:
Hillstone Networks
5201 Great America Pkwy, #420
Santa Clara, CA 95054
Phone: 1-408-508-6750
https://www.hillstonenet.com/about-us/contact/

About this Guide:


This guide gives comprehensive configuration instructions for Hillstone Networks HSM.
For more information, refer to the documentation site: https://docs.hillstonenet.com.
To provide feedback on the documentation, please write to us at:
hs-doc@hillstonenet.com

TWNO: TW-HSM-WUG-4.19.0-EN-V1.0-12/7/2022
Contents

Contents 1

Preface 1

Conventions 1

Overview 1

About This Guide 1

Targeted Readers 1

vHSM Models 1

Supported Features 2

Deploy vHSM 4

vHSM Deployment Scenarios 4

Installing vHSM on VMware ESXi 4

Deployment Scenario 4

System Requirements 5

Deploying vHSM 5

Installing vHSM 5

Visiting vHSM via Console 7

Visiting WebUI of vHSM 7

Disk Expansion 9

Installing vHSM on Workstation 16

TOC - 1
System Requirements 16

Deploying vHSM 17

Installing vHSM 17

Starting and Visiting vHSM 17

Visiting WebUI of vHSM 18

Disk Expansion 19

Installing vHSM on AWS 19

Deploying 19

Installing vHSM on AWS 19

Step 1: Installing AWS CLI version 1 19

Step 2: Configuring AWS CLI 19

Step 3: Importing Mirror 20

Step 4: Launching Image 23

Visiting vHSM 24

Disk Expansion 24

Deploying vHSM on KVM 26

Deploying vHSM on KVM Running on Ubuntu 26

System Requirements 26

Installing vHSM on KVM Host 27

Step 1: Importing system package 27

Step 2: Creating a virtual bridge 27

Step 3: Installing system package 28

Step 4: Initial login of vHSM 32

Visiting WebUI of vHSM 32

Deploying vHSM on KVM Running on CentOS 32

System Requirements 32

Installing vHSM on KVM Host 33

Step 1: Importing system package 33

Step 2: Creating a virtual bridge 34

Step 3: Installing system package 34

Step 4: Initial login of vHSM 39

Visiting WebUI of vHSM 39

Disk Expansion 39

Deploying HSM Management Environment 43

Configuring System Time 43

Adding Hillstone Devices to HSM System 43

Managing the Added Hillstone Devices 47

Upgrading vHSM to Official Version 48

Upgrading Method 48

Upgrade Guideline for vHSM 50

HSM WebUI Layout 52

Level-1 Navigation Pane 52

Login Information 52

Editing User Information 53

Exit HSM 54

About 54

Task Panel 54

Alarm & Message 55

Dashboard 57

Pre-defined Panel 57

Overview 57

System Statistics 58

System Information 59

System Resources 59

Device Traffic Ranking TOP10 60

Last 60 Minutes Threat Type Ranking TOP 10 60

Last 60 Minutes CPU Utilization Ranking TOP 10 60

Last 60 Minutes Memory Utilization Ranking TOP 10 60

Log Trend (Last 24 Hours) 61

Time Axis 61

VPN 63

Traffic 63

Last 5 Minutes App Traffic Ranking TOP10 64

Last 5 Minutes User Traffic Ranking TOP10 64

Security 64

Last 60 Minutes Attacker Ranking TOP10 65

Last 60 Minutes Victim Ranking TOP10 65

User-defined Panel 65

Creating the User-defined Panel 66

Deleting the Panel 66

Viewing the Panel 66

Customizing the Panel 67

Tool Bar 70

Introduction to System Management 71

User Management 73

Creating a User 74

Enabling/Disabling Two-Factor Authentication 76

Editing a User 76

Deleting a User 77

Enabling/Disabling a User 77

Resetting Password 77

Modifying Default Password 78

Creating a Role 79

Deleting a Role 80

User Authentication 80

AAA Server 82

Configuring Trusted Host 85

Configuring HSM System Time 86

HSM Network Management 88

Service Configuration 89

WEB PORT 90

REST API 91

REST API Token 92

Encryption Protocol 93

Service Status 94

SNMP 95

Configuring SNMP 95

Resource Management 96

Disk Management 96

Auto Cleanup 97

Manual Cleanup 97

MySQL Memory Management 98

Distribute Management 99

Switch Modes 100

Master Mode 101

Monitor Configuration 104

Password Management 107

HSM System Status Monitor 109

Viewing Status 109

Setting Threshold 112

Insufficient System Resources 112

HSM System Configuration Management 114

Back up a System Configuration File 115

Export a System Configuration File 115

Restore a System Configuration File 115

Delete a System Configuration File 116

HA Management 117

HSM System Upgrade 121

System Upgrade 121

Rollback 122

Restoring to Factory Defaults 122

Upgrading Signature Database for HSM 122

License 125

Viewing License Information 126

Applying for a License 126

Installing a License 126

SMS Gateway 126

Configuring SMS Gateway 127

Configuring an Email Account 129

Proxy server 130

Creating a proxy server 130

SMS Modem Configuration 131

SMS Modem Baud Rate 131

SMS Modem Signal Intensity 132

SMS Modem Status 132

Configuring SMS Parameters 132

Testing SMS 132

Log 133

FTP Server Configuration 133

Log Import 135

Log Backup 136

Manual Backup 136

Auto Backup 137

Log Clean 137

Log Forwarding 138

Forwarding to FTP Server 138

Forwarding to Third Party Syslog Server 140

Log Filtering 141

Diagnose Tools 141

Device Management 143

Device Management 144

Device Management Window Introduction 144

Device Navigation Pane 144

Information Bar 144

Toolbar 145

Main Window 145

ZTP Configuration 148

Editing ZTP Configuration 152

Importing the Preconfiguration 153

Creating a Device Group 154

Adding a Device to a Device Group 154

Auto Group 155

Backing up / Restoring Device Group 156

Deleting a Device from a Device Group 157

Editing a Device Group 157

Deleting a Device Group 158

Favorite Device 158

Viewing Device Details 158

Session Query 162

Deleting a Device from HSM 163

Online Reboot 163

Immediate Reboot 163

Reboot on Schedule 164

Setting Restart Parameter 165

HA management for the managed devices 165

SD-WAN Start 166

Adding an SD-WAN Device 166

Editing an SD-WAN Device 174

ZTP Configuration Templates 174

Introduction to Device Upgrade 182

Configuring a Device Upgrading Task 182

Importing/Deleting a Firmware 183

Specifying the Upgrade Management IP 184

Configuring a Device Upgrading Task 185

Checking the Task Status 186

Viewing Device Upgrading Logs 186

Upgrading Navigation Pane 187

Filter 187

Main Window 188

Upgrading Signature Database 189

As an Update Server 189

Configuring Upgrade Templates 190

Configuration File Management 193

Managing Configuration File 193

Retrieving Configuration File 194

Retrieving Configuration Files Automatically 194

Retrieving Configuration Files Manually 195

Retrieving Configuration Files on Schedule 195

Viewing Configuration File 196

View Change History 197

Restoring Configuration Files 197

Exporting Configuration Files 198

Importing Configuration Files 199

Comparing Configuration Files 199

Editing Configuration File 200

Deleting Configuration File 201

Searching Configuration File 201

Managing Configuration Change History 202

Editing Change Record 202

Deleting Change Record 203

Searching Change History 203

User Management 204

Creating the User 204

Editing the User 206

Deleting the User 207

Viewing User Password 208

Viewing Operation Record 209

Device Inspection 209

Manual Inspection 209

Auto Inspection 210

Batch Inspection 212

View the Inspection Report 216

License Management 216

License Overview 216

Synchronizing Device License 217

License Distribution 218

Importing Licenses 218

Installing Licenses in Batch 218

Deleting Licenses in Batches 219

Cleaning All Expired Licenses 220

Device Management Configuration Example 221

Deployment Scenario 221

Requirement 221

Configuration Steps 221

Introduction to Configuration Management 224

Device Configuration 227

Device Configuration 227

Policy Configuration 228

Creating a Policy Rule 228

Editing Rules 235

Creating a Rule Group 236

Moving Rules and Groups 238

Deleting a Rule Group 238

Creating a Partition Group 239

Deploying a Batch of Rules 239

Choose Partition Group 240

Choose Deploying Position 240

Configure Policy Rules 241

Delivering Batch CLI 241

Viewing Policy Rules 243

Exporting Policy Rules 244

Opening Local Snapshot 244

Rule Match Analysis 245

Policy Rule Management 246

Enable/Disable Rules 246

Rule Conflict Check 246

Rule Hit Statistics 247

Converting a Policy from Private to Shared 248

Configuring the Policy-based Protection Function 249

Policy Assistant 252

Configuring Policy Assistant 253

Opening Policy Assistant 253

Analyzing Traffic 254

Generating And Deploying Policy 255

Policy Analysis 256

iQoS 258

Implement Mechanism 258

Pipes and Traffic Control Levels 259

Pipes 259

Traffic Control Levels 262

Enabling/Disabling Traffic Control 263

Pipe Configuration 264

Basic Operations 264

Creating a Pipe 265

NAT 277

Creating a SNAT Rule 277

Editing/Deleting a SNAT Rule 281

Creating an IP Mapping Rule 281

Creating a Port Mapping Rule 283

Creating an Advanced DNAT Rule 284

Route 287

Creating a Destination Route Item 287

Creating a Policy Route Item 289

Creating a Policy-based Route Rule 291

LLB 295

Creating a LLB Rule 296

Configuration Management 297

Synchronizing Configuration 297

Specifying Configuration 301

Snapshot Management 303

Locking Configuration 305

Device Object 307

Zone 307

Address Books 309

Service Books 310

Application Books 314

Schedules 315

Interface 317

SLB Server Pool 325

Intrusion Protection System 329

Viewing the IPS rules 329

Anti-Virus 331

Configuring Anti-Virus Global Parameters 331

Creating Anti-Virus Rule 332

Enabling the Zone-based or Policy-based Anti-Virus Function 334

URL Filter 335

Configuring URL Filter 335

Predefined URL DB 339

User-defined URL DB 339

Configuring User-defined URL DB 339

Keyword Category 341

Configuring a Keyword Category 341

Warning Page 343

Configuring Block Warning 343

Configuring Audit Warning 344

Botnet Defense 345

Configuring Botnet Defense 345

Configuring a Botnet Prevention 345

Converting the Private Object to Shared Object 347

Viewing the Operation Records 347

Checking the Redundant Object 348

VPN 349

PKI 368

User 371

Role 380

AAA Server 386

Track Object 407

Creating a Track Object 407

Introduction to Global Configuration 410

Global Configuration 410

Policy Configuration 411

Creating a Shared Policy 411

Rule Configuration 412

Creating a Policy Rule 412

Creating a Rule Group 413

Moving Rules and Groups 413

Deleting a Rule Group 413

Viewing Operation Record 413

Opening Local Snapshot 414

Rule Match Analysis 414

Rule Conflict Check 414

Setting Head or Tail Policy 414

Viewing Policy Relationship 416

Viewing Topology Map 416

Configuring the Policy-based Protection Function 416

iQoS 420

NAT 420

Creating a SNAT 420

Editing/Deleting a SNAT 421

Creating a SNAT Rule 422

Editing/Deleting a SNAT Rule 426

Creating a DNAT 426

Editing/Deleting a DNAT 427

Creating an IP Mapping Rule 428

Creating a Port Mapping Rule 429

Creating an Advanced DNAT Rule 430

Editing NAT 433

Setting Father NAT 433

Viewing Relationship 434

Viewing Topology Map 434

Editing Topology Map 435

Viewing Operation Record 435

Route 436

Creating a Destination Route 436

Editing/Deleting a Destination Route 437

Creating a Route Item 437

Editing/Deleting a Route Item 438

Configuration Bundle 439

Creating a Configuration Bundle 439

Method 1: 439

Method 2: 440

Joining Configuration Bundle 442

Copying a Configuration Bundle 442

Global Object 443

Zone 444

Address Books 445

Service Book 446

Application Books 449

Schedules 450

Virtual Router 451

Interface 453

SLB Server Pool 454

IPS Profile 457

Viewing the Shared IPS Rules 457

Anti-Virus 459

Configuring Anti-Virus Global Parameters 460

Creating a Shared Anti-Virus Rule 460

Enabling the Policy-based Anti-Virus Function 462

URL Filter 462

Configuring URL Filter 463

Predefined URL DB 467

User-defined URL DB 467

Configuring User-defined URL DB 467

Keyword Category 469

Configuring a Keyword Category 470

Warning Page 471

Configuring Block Warning 471

Configuring Audit Warning 473

Role 473

AAA Server 473

Botnet Defense 474

Editing/Deleting an Object 475

SD-WAN Business Deployment 475

Creating a Business 476

Configuration Example 1 478

Step 1 Creating a VPN Star Network 478

Step 2 Adding an SD-WAN Device 479

Step 3 Creating an SD-WAN Business 480

Step 4 Deploying an SD-WAN Business 481

Result 481

Configuration Example 2 482

Step 1 Creating a VPN Star Network 482

Step 2 Adding an SD-WAN Device 482

Step 3 Creating an SD-WAN Business 483

Step 4 Deploying an SD-WAN Business 484

Result 484

Viewing the Business Details 484

Deploying a Business 485

Deleting a Business 486

Default Parameters 487

Task Management 489

Task Management Window 489

Viewing Task Logs 492

Ticket 493

Ticket Management 493

Policy ticket 493

Creating a ticket 493

Importing a Ticket 494

Processing a Ticket 495

Reviewing a Ticket 496

Deploying a Ticket 497

Viewing the Completed Ticket 498

Configuration Ticket 499

Creating a ticket 499

Processing a Ticket 499

Reviewing a Ticket 500

Deploying a Ticket 501

Viewing the Completed Ticket 501

Object Naming Configuration 502

Name Conflict Handling 502

Object Naming Rules 503

Matching Mode 506

Auto Matching 507

Manual Matching 507

Customized Matching 507

Create Matching Mode 508

Create Matching Rule 509

Matching Order of Matching Rules 512

Edit Matching Mode 513

Network 513

Destination Route Network 514

User-defined Network 515

Create User-defined Network 515

Edit User-defined Network 515

Import User-defined Network 516

Delete User-defined Network 516

Monitor 517

Device Monitor 519

Main Page 519

Details Page 522

Drill-down Sub-page 523

Trend Page 524

User Monitor 525

Main Page 526

Details Page 528

Drill-down Sub-page 529

Trend Page 529

Application Monitor 530

Main Page 530

Details Page 532

Drill-down Sub-page 533

Trend Page 534

Network Threat Monitor 535

Main Page 535

Traditional 535

Intelligence 537

Statistics Period 537

Details Page 538

Drill-down Sub-page 540

Trend Page 540

Network Behavior Monitor 542

Main Page 543

Details Page 544

Drill-down Sub-page 546

Trend Page 546

MyMonitor 548

Adding to MyMonitor 549

Creating a New Monitor Group 549

Deleting a Monitor Group 550

Viewing Information in MyMonitor 550

VPN 551

VPN Monitor 551

Overview 551

Tunnel 557

Tunnel Link page 559

WAN Link page 561

Topology 563

Map 566

Lines 567

VPN Network 567

Star Network 567

Mesh Network 570

Creating a Mesh Network 571

Adding/Deleting a Network Device 573

Network Topology 575

Address Pool 575

Introduction to the Alarm Function 577

Introduction to Alarm 578

Searching Alarm Information 578

Searching Alarm Information 578

Reading Alarm Information 579

Alarm Analysis 580

Device Analysis 580

Trend Analysis 583

Introduction to the Alarm Rule 585

Configuring the Alarm Rule 585

Viewing a Predefined Alarm Rule 585

Creating a User-defined Alarm Rule 587

Editing an Alarm Rule 589

Configuring an Alarm Recipient 589

Enabling/Disabling an Alarm Rule 590

Deleting an Alarm Rule 590

Emptying Recycle Bin 591

Introduction to Report 592

Introduction to Report File 593

Viewing a Report File 593

Managing a Report File 596

Downloading a Report File 596

Deleting a Report File 597

Restoring a Report File 598

Deleting a Report File Permanently 598

Introduction to Report Template 600

Configuring a Report Template 600

Creating a User-defined Template 601

Editing a User-defined Template 611

Deleting a User-defined Template 611

Restoring a User-defined Template 612

Deleting a User-defined Template Permanently 612

Managing a Report Schedule 613

Adding a Report Schedule 613

Viewing a Report Schedule/Report Schedule Running Log 613

Deleting a Report Schedule 614

Enabling/Disabling a Report Schedule 614

Report Server 615

Configuring Servers 615

Introduction to Log 616

Introduction to Log 616

Log 616

Log Severity 617

Introduction to Log Window 618

Level-1 Navigation Pane 618

Log Navigation Pane 619

Log Filter 619

Log Chart 620

Toolbar 620

Log Window 621

Searching Log Messages 621

Online/Offline Log 622

Operation Log 623

Exporting Logs 624

Preface
Thanks for choosing the network security products from Hillstone Networks. This document is
the online help for HSM and mainly covers the following contents:

• vHSM deployment environment;

• HSM management introduction and configuration.

Conventions
This manual uses the following conventions to make it easier to read and understand:

• Tip: provides related references, such as links to other chapters or sections.

• Note: indicates important instructions for your better understanding, or cautions about possible
system failure.

• Bold font: indicates links, tags, buttons, checkboxes, textboxes, or options. For example,
"Click Login to log into the homepage of the device", or "To change MTU, select Manual,
and type an appropriate value into the textbox."

• CLI: braces ({ }) indicate a required element; square brackets ([ ]) indicate an optional
element; a vertical bar (|) separates multiple mutually exclusive options; bold indicates an
essential keyword in the command, which you must enter correctly; italic indicates a
user-specified parameter.

• The command examples may vary between platforms. In the command examples, the
hostname in the prompt is referred to as host-name.

Overview
The Virtual Hillstone Security Management (vHSM) is a software product: an HSM system running
on a virtual machine. HSM centralizes the control and management of multiple Hillstone devices
in the network.

About This Guide


This guide introduces how to install HSM on VMware virtualization platform (VMware ESXi and
Workstation) and KVM platform and how to configure the operating system itself.

Targeted Readers
This guide is intended for administrators who want to install Hillstone Networks HSM. Before
deploying vHSM, the administrator should be familiar with the concepts and components of
VMware or KVM. This document assumes that readers already have basic virtualization
knowledge, and it only introduces how to install vHSM.

vHSM Models
vHSM is available in three models in terms of hard disk capacity: 100G, 500G and 2T. All models
can be installed on VMware ESXi and VMware Workstation. Choose the model according to your
actual needs.
The capacity is listed below:

Capacity                                         vHSM
CPU                                              4 Cores
Memory                                           8 GB
Hard Drive                                       100 GB (extendible)
Interface                                        Physical server requires creating at least 2 interfaces.
                                                 Note: You are recommended to select different interface
                                                 groups for the two interfaces. When the selected interface
                                                 groups are the same, you need to configure an IP address
                                                 for each interface.
Maximum Number of Managed Devices                1000
Maximum Shared Policies                          1,000
Maximum Nested Levels of Shared Object           8
Shared Address Books/Maximum Number of Members   1,024/512
Shared Service Books/Maximum Number of Members   4,096/8
Shared Service Groups/Maximum Number of Members  512/2,048
Shared Schedules/Maximum Number of Members       512/16

Supported Features
vHSM supports the following features:

• Viewing the running status, resource utilization, logs, etc. of the managed devices;

• Monitoring the managed devices and viewing monitor details, including traffic monitor, user
monitor, NBC monitor, etc.;

• Monitoring the operation status of managed devices by alarms. This function helps you learn
about problems in network devices in a timely manner, speeds up the response to network
problems, and lowers the risk of network failures;

• Obtaining device statistics reports periodically. This function allows you to learn the network
status and analyze the network accurately;

• Centralizing policy management and batch deploying rules. This function improves the
availability and usability of policy management;

• Centralizing device upgrades. This function simplifies software management.

Deploy vHSM
This chapter is for administrators who want to install Hillstone Networks HSM on a
Workstation, ESXi Server, KVM or AWS host. Before deploying vHSM, the administrator
should be familiar with the concepts and components of VMware or KVM. This document
assumes that readers already have basic virtualization knowledge, and it only introduces how
to install vHSM.

vHSM Deployment Scenarios


• To install vHSM on a Workstation host, please refer to Deploying vHSM on Workstation.

• To install vHSM on an ESXi Server host, please refer to Deploying vHSM on VMware ESXi.

• To install vHSM on a KVM host, please refer to Deploying vHSM on KVM.

• To install vHSM on an AWS host, please refer to Deploying vHSM on AWS.

Installing vHSM on VMware ESXi


vHSM is packaged as an OVA file and can be installed on a VMware ESXi server running on a
64-bit system.
Before installing vHSM, you should already be familiar with the VMware vSphere hypervisor,
ESXi hosts and VMware virtual machines.

Deployment Scenario
You may refer to the following deployment scenario to deploy your vHSM.

System Requirements
To deploy vHSM:

• VMware ESXi 5.1, 5.5 or 6.0.

• The physical server should have at least 4 vCPU and 4 GB memory available.

• At least 2 NICs must be created.

• The USB interfaces of the physical server should be able to be virtualized.

Deploying vHSM
To improve manageability and make full use of the vSphere Hypervisor, we suggest using
vCenter and vSphere Client to manage ESXi servers.

Installing vHSM

Before installing vHSM, set up your ESXi Server, vCenter Server and vSphere Client host,
then get the vHSM disk.

1. Save the OVA file on your local computer.

2. In vSphere Client, enter the IP address or name of the vCenter Server, then the username and
password, and click Login.

3. After logging in to vCenter, in the left list, click the ESXi host that vHSM will belong to,
then select File > Deploy OVF Template.

4. In the pop-up dialog box, click Browse, browse your PC and import vHSM's OVA file into
vCenter, then click Next.

5. Confirm the details of the OVF template and click Next.

6. Enter the name of the OVF template, select the location in the list, and click Next.

7. Select the host or cluster on which to deploy the OVF template, and click Next.

8. Select the resource pool in which to run the OVF template, and click Next.
This page is displayed only when the cluster contains a resource pool.

9. Select the data storage for the deployed OVF template, choose the Thick Provision
Lazy Zeroed format, and click Next.

10. Click Finish to start the deployment.


Wait for a while, and your vHSM will be deployed successfully.

Visiting vHSM via Console

After all the setup above, you can now start your vHSM.

1. In vCenter, click Home > Inventory > VMs and Templates.

2. Right-click the vHSM virtual machine and select Open Console. The window that opens is
vHSM's console port.

3. Click the green button to start the vHSM virtual machine.

4. Wait for a while, and the system will be up.

5. When the prompt shows the command line interface below, enter the default username and
password (hillstone/hillstone) to log in to vHSM.

Visiting WebUI of vHSM

To operate vHSM easily, it is recommended to log in and configure it via the WebUI. To access
vHSM via the WebUI for the first time, take the following steps:

1. Collect the necessary information from your network administrator. You need eth0's IP
address, network mask, and gateway IP address.

2. Change eth0's default IP address (192.168.1.1) to the static IP address you collected from
the administrator. To modify the IP address of eth0, use the following command:

[hillstone] ipconfig eth0 ip-address netmask up

3. Add a static route. Use the command below to add a route whose next hop is the gateway.

[hillstone] route add ip-address

4. Test whether the gateway is accessible.

5. In the Web browser of the management PC, type http://192.168.1.1 or
https://192.168.1.1, and press Enter. If you use HTTPS, select Continue when the Web
browser displays security tips. The login page is shown below:

6. Type the default username (admin), password (hillstone) and verification code into the
boxes. If you type the wrong password three times, HSM locks your account for 30 minutes;
if you type the wrong password a fourth time, HSM disables your account for 30 minutes.

7. Click Login to log in to the main page of vHSM.

Note: For vHSM to manage devices normally, make sure that vHSM has a route to the
managed devices.

Disk Expansion

You can expand disks if necessary. Taking a vHSM deployed on an ESXi server as an example,
take the following steps:

1. In VMware, click Home > Inventory > VMs and Templates.

2. You can expand the disk capacity only when the virtual machine is powered off. Right-click
the virtual machine in the left list and choose Power > Power Off.

3. Right-click the virtual machine in the left list and choose Edit Settings. The Virtual
Machine Properties dialog box appears. Select the Hardware tab, and then click Add to enter
the Add Hardware dialog box.

4. Select the Hard Disk tab, and then click Next.

5. Select Create a new virtual disk, and then click Next.

6. Set the disk capacity as required, and then click Next.

7. Select the default virtual device node, and then click Next.

8. Click Finish to add the hardware. When the Hardware tab appears, click OK.

9. Right-click the vHSM virtual machine and select Open Console. The window that opens is
vHSM's console port.

10. Click the green button to start the vHSM virtual machine.

11. Wait for a while, and the system will be up.

12. When the prompt shows the command line interface below, enter the default username and
password to log in to vHSM.

13. To expand the disk, use the following command:

[hillstone] extendLVM

14. Restart vHSM.

Installing vHSM on Workstation


vHSM is packaged as an OVA file and can be installed on a VMware Workstation host running on
a 64-bit system.
Before installing vHSM, you should already be familiar with VMware Workstation virtual
machines.

System Requirements
To deploy vHSM:

• VMware Workstation 12 Pro and above.

• The physical server should have at least 4 vCPU and 4 GB memory available.

• At least 2 NICs must be created.

• The USB interfaces of the physical server should be able to be virtualized.

Deploying vHSM

Installing vHSM

Before installing vHSM, set up your Workstation host, then get the vHSM disk and USB Key.

1. Copy the OVA file from the disk to your local computer.

2. In Workstation, select File > Open, browse your PC and click Open to import vHSM's
OVA file in the pop-up dialog box.

3. Enter the name of the virtual machine, type or select the directory where the virtual
machine is stored, and click Import.

4. Wait for a while, and your vHSM will be installed successfully.

Workstation performs OVF specification and conformance checks and virtual hardware
compliance checks. The progress dialog box displays the installation progress. After the
successful installation in Workstation, the vHSM virtual machine appears in the virtual
machine library.

Starting and Visiting vHSM

After all the setup above, you can now start your vHSM.

1. In Workstation, click the virtual machine that vHSM will run on.

2. Click Power on this virtual machine on the right page. The window that opens is vHSM's
console port.

3. Wait for a while, and the system will be up.

4. When the prompt shows the command line interface below, enter the default username and
password (hillstone/hillstone) to log in to vHSM.

Visiting WebUI of vHSM

Please refer to Visiting WebUI of vHSM in Installing vHSM on VMware ESXi chapter.

Disk Expansion

Please refer to Disk Expansion in Installing vHSM on VMware ESXi chapter.

Installing vHSM on AWS


vHSM can be installed on Amazon Web Services (AWS) from a VMDK or VHD image.
Before installing vHSM, you should already be familiar with AWS configuration.

Deploying

Installing vHSM on AWS

To install vHSM on AWS, use the following steps:

Step 1: Installing AWS CLI version 1

The following steps use Python and pip to install AWS CLI version 1 on Windows.

1. Open the command prompt from the Start menu.

2. Enter the following command to install AWS CLI version 1.

pip install awscli

Step 2: Configuring AWS CLI

Configure the settings that the AWS CLI uses to interact with AWS, including the access key ID,
secret access key and AWS region, using the following steps:

1. Enter the following command to configure the access key, secret access key and region name.
You can view them by clicking User Name > My Security Credentials on the AWS platform.

aws configure

Step 3: Importing Mirror

1. Enter the following command to create a role named vmimport, and give VM Import/Export
access to the role.

aws iam create-role --role-name vmimport --assume-role-policy-document file://trust-policy.json

The content of the trust-policy.json file is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "vmie.amazonaws.com",
                "AWS": "arn:aws-cn:iam::969408142281:user/hillstonerd"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "vmimport"
                }
            }
        }
    ]
}

Notes:
• The external ID must be configured as vmimport.

• The "Version" in the trust-policy.json file is not a user-defined version number, but the
version of vmimport in AWS.

• "AWS": "arn:aws-cn:iam::969408142281:user/hillstonerd" is the actual account name, which
can be viewed on AWS.

2. Enter the following command to create the policy for vmimport.

aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file://role-policy.json

The content of the role-policy.json file is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:*"
            ],
            "Resource": "*"
        }
    ]
}

Notes:
• The "Version" in the role-policy.json file is not a user-defined version number, but the
version of vmimport in AWS.

3. Click Services > S3 on the AWS Management Console, select a bucket or create a new
bucket, and click Upload to upload the VMDK file to the specified bucket.

4. Enter the following command to create a new image import task.
aws ec2 import-snapshot --disk-container "file://containers.json"

The content of the containers.json file is:

{
  "Description": "VHSM",
  "Format": "VMDK",
  "UserBucket": {
    "S3Bucket": "zylu-test",
    "S3Key": "VHSM4.2.0_IN_TEST-disk1.vmdk"
  }
}

Notes:
l The "Format" must be VMDK or VHD.

l The "S3Bucket" is the name of the bucket.

l The "S3Key" is the name of the VMDK/VHD file in the bucket.

5. Click Services > EC2 > ELASTIC BLOCK STORE > Snapshots on the AWS Management Console,
select the snapshot and right click Create Image to create a 250 GB image whose root device
name is /dev/xvda.
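The import procedure of Step 3 as one script, added here as an example and not taken from the Hillstone guide. The partition, account ID, IAM user, bucket, VMDK path and the function names are assumptions (constructed values); the role policy it writes is the scoped one from the AWS VM Import documentation rather than the guide's s3:*/ec2:* policy on all resources.

```shell
#!/bin/sh
# Added example (not from the Hillstone guide): the three JSON files that
# Step 3 needs, generated from parameters, plus the import run end to end.
# Assumptions (constructed values, replace with your own): PARTITION is
# "aws" or "aws-cn" (the guide's ARN uses aws-cn); ACCOUNT is the 12-digit
# account ID; USER is the IAM user that will call import-snapshot; BUCKET
# is the S3 bucket; VMDK is the local path of the vHSM disk file.
# Unlike the guide's role-policy.json (s3:* and ec2:* on "*"), the role
# policy written here is the scoped one from the AWS VM Import documentation.

write_trust_policy() {   # PARTITION ACCOUNT USER OUTFILE
  cat > "$4" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "vmie.amazonaws.com",
        "AWS": "arn:$1:iam::$2:user/$3"
      },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "sts:ExternalId": "vmimport" } }
    }
  ]
}
EOF
}

write_role_policy() {    # PARTITION BUCKET OUTFILE
  cat > "$3" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket" ],
      "Resource": [ "arn:$1:s3:::$2", "arn:$1:s3:::$2/*" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "ec2:ModifySnapshotAttribute", "ec2:CopySnapshot",
                  "ec2:RegisterImage", "ec2:Describe*" ],
      "Resource": "*"
    }
  ]
}
EOF
}

write_container() {      # BUCKET KEY OUTFILE
  cat > "$3" <<EOF
{
  "Description": "VHSM",
  "Format": "VMDK",
  "UserBucket": { "S3Bucket": "$1", "S3Key": "$2" }
}
EOF
}

import_vhsm_image() {    # PARTITION ACCOUNT USER BUCKET VMDK
  # Needs a configured AWS CLI (Step 2); the VMDK's basename becomes the S3 key.
  key=$(basename "$5")
  dir=$(mktemp -d)
  write_trust_policy "$1" "$2" "$3" "$dir/trust-policy.json"
  write_role_policy "$1" "$4" "$dir/role-policy.json"
  write_container "$4" "$key" "$dir/containers.json"
  aws iam create-role --role-name vmimport \
      --assume-role-policy-document "file://$dir/trust-policy.json"
  aws iam put-role-policy --role-name vmimport --policy-name vmimport \
      --policy-document "file://$dir/role-policy.json"
  aws s3 cp "$5" "s3://$4/$key"
  task=$(aws ec2 import-snapshot --disk-container "file://$dir/containers.json" \
         --query ImportTaskId --output text)
  # Poll until the snapshot task leaves the "active" state; then continue
  # with step 5 (create the image from the snapshot).
  while :; do
    status=$(aws ec2 describe-import-snapshot-tasks --import-task-ids "$task" \
             --query 'ImportSnapshotTasks[0].SnapshotTaskDetail.Status' --output text)
    echo "$task: $status"
    [ "$status" = "active" ] || break
    sleep 30
  done
}
```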

Step 4: Launching Image

Click Image > AMI in the EC2 page, select the image and click Launch.

1. Select an instance type of t2/m4 with 8 vCPUs and 32 GB memory, and click Next.

2. Configure the instance details. It is recommended to use the default configuration. Click
Next.

3. Add storage. It is recommended to use the default configuration. Click Next.

4. Add tags as needed and click Next.

5. Select a security group and click Next.

6. Review the configuration, such as the instance type and security groups, and click Launch.

7. Select a key pair or create a new key pair and click Launch Instance.
Note: Download the created key pair and convert it with PuTTYgen.

Visiting vHSM

After all the setups above, you can now visit your vHSM.

Visiting vHSM via PuTTY

1. Open PuTTY. In the PuTTY Configuration dialog, type the Host Name, set the port number to
22 and select SSH.
Note: The Host Name is root@<public DNS (IPv4)> or hillstone@<public DNS (IPv4)>.

2. Click Connection > SSH > Auth, select the key file converted by PuTTYgen and click Open.

3. At the command interface, enter the password corresponding to the user name and log in to
vHSM.
Note: Ports 8080/80/443 are disabled by default. After login, you can modify the HTTP/HTTPS
port number.

Visiting vHSM via WebUI

You can visit vHSM through the WebUI in two ways:

l Stop iptables and log in via https://<public DNS>:8443.

l After modifying the HTTP/HTTPS port, log in via <public DNS (public IP)>:<port>.

Disk Expansion

You can expand disks if necessary. To expand disks on AWS, take the following steps:

1. On the AWS Management Console, select EC2 > Volumes and click Create Volume.

2. Select the new volume, right click Attach Volume, and select the specified instance.

3. Click Attach.

4. Log in to vHSM through PuTTY and enter the following command to expand the disk.
extendLVM

5. Restart vHSM.

Deploying vHSM on KVM
vHSM is packaged as a qcow2 file, and can be installed on a KVM host running on a Linux system
with a libvirt library of version 1.2.2 or later.
To deploy vHSM on Kernel-based Virtual Machine (KVM), you should already be familiar with the
Linux system and KVM installation.
The following sections use Ubuntu and CentOS respectively as examples to describe how to deploy
vHSM on KVM.

Deploying vHSM on KVM Running on Ubuntu

System Requirements

To deploy vHSM on KVM running on Ubuntu, the host should meet the following requirements:

l Support Intel VT or AMD-V

l At least 2 NICs

l 64-bit CPU that can provide four virtual cores, with virtualization enabled

l At least 4 GB memory

l Support virtual SATA, SCSI, IDE or VD hard disk

l Ubuntu 14.04 or later is recommended

l Graphical interface of Ubuntu is recommended

l For KVM environment establishment, the Linux system should have installed KVM, qemu,
qemu-kvm, lrzsz, bridge-utils, libvirt, virtinst , python-libvirt, virt-viewer and virt-manager
(To install these components, use command: sudo apt-get install kvm qemu qemu-kvm lrzsz
bridge-utils libvirt-bin virtinst python-libvirt virt-manager virt-viewer).

Installing vHSM on KVM Host

To install vHSM on a KVM host, use the following steps:

Step 1: Importing system package

The following steps use a Windows system to access the KVM host.

1. Copy the qcow2 file from the disk to your local PC.

2. In Windows, log in to the KVM host and enter the following command to create a directory
which will be used to store the qcow2 file.
sudo mkdir /images/disk/

3. In this directory, enter the following command. A dialog box will pop up.
rz

4. In the dialog box, browse your computer and select the qcow2 file. The file will be
uploaded to the above directory of the KVM host.

5. Enter the following command to check whether the file is uploaded.
ls

6. If the qcow2 file appears in the file list, the file was uploaded successfully.

Step 2: Creating a virtual bridge

If vHSM needs to access external networks, you should create a virtual bridge on the KVM host,
and then place the host's two interfaces, i.e. eth0 and eth1, under the virtual bridge. Once vHSM
is installed successfully, each of its interfaces automatically connects to a vnet interface of
KVM. So, when you install the qcow2 file, place the vnet interface of KVM under the newly created
virtual bridge; then the external networks can be accessed.

1. In the root directory of the KVM host, enter the following command to create a virtual bridge.
sudo brctl addbr br0

2. Add eth0 and eth1 to the virtual bridge.
sudo brctl addif br0 eth0
sudo brctl addif br0 eth1

3. Modify the IP address of eth0 or eth1 to an arbitrary one, then assign the original IP address
of eth0 or eth1 to the virtual bridge interface.
sudo ifconfig eth0 ip-address netmask netmask
sudo ifconfig br0 ip-address netmask netmask

4. In Linux, use the command brctl show to display the virtual bridge and its interfaces.

5. Reconfigure the default route.
sudo route del default gw gateway
sudo route add default gw gateway

Step 3: Installing system package

In the Linux graphical interface, take the following steps to install and start vHSM:

1. Search for and open Virtual Machine Manager.

2. Click the icon which is used to create a new virtual machine, and set as shown below.

3. Browse the file system of the KVM host and select the qcow2 file from step 1.

4. Choose an OS type and version.

5. Choose Memory and CPU settings.

6. Check the Customize configuration before install check box, then select the virtual bridge.

7. Select the Boot Options tab, then check Hard Disk in the right page.

8. Select the SATA Disk 1 tab, then set Disk bus and Storage format in the right page.

9. Add the vnet interface to the virtual bridge created in step 2 and set the device model.

10. Create a virtual network interface and add it to the virtual bridge created in step 2.

11. Click Begin Installation to install and start vHSM.

Step 4: Initial login of vHSM

After vHSM started, enter username and password "hillstone"/"hillstone".


From now on, you can use the command line interface to manage vHSM. It is recommended to
change your password at your earliest convenience.

Visiting WebUI of vHSM

Please refer to Visiting WebUI of vHSM in Installing vHSM on VMware ESXi chapter.

Deploying vHSM on KVM Running on CentOS

System Requirements

To deploy vHSM on KVM running on CentOS, the host should meet the following requirements:

l Support Intel VT or AMD-V

l At least 2 NICs

l 64-bit CPU that can provide four virtual cores, with virtualization enabled

l At least 4 GB memory

l Support virtual SATA, SCSI or IDE hard disk

l CentOS 7 or later is recommended

l Graphical interface of CentOS is recommended

l For KVM environment establishment, the Linux system should have installed KVM, qemu,
qemu-kvm, lrzsz, bridge-utils, libvirt, virtinst , python-libvirt, virt-viewer and virt-manager
(To install these components, use command: yum -y install kvm qemu qemu-kvm lrzsz
bridge-utils libvirt-bin virtinst python-libvirt virt-manager virt-viewer).

Installing vHSM on KVM Host

To install vHSM on a KVM host, use the following steps:

Step 1: Importing system package

The following steps use a Windows system to access the KVM host.

1. Copy the qcow2 file from the disk to your local PC.

2. In Windows, log in to the KVM host and enter the following command to create a directory
which will be used to store the qcow2 file.
sudo mkdir /images/release/

3. In this directory, enter the following command. A dialog box will pop up.
rz

4. In the dialog box, browse your computer and select the qcow2 file. The file will be
uploaded to the above directory of the KVM host.

5. Enter the following command to check whether the file is uploaded.
ls

6. If the qcow2 file appears in the file list, the file was uploaded successfully.

Step 2: Creating a virtual bridge

If vHSM needs to access external networks, you should create a virtual bridge on the KVM host,
and then place the host's two interfaces, i.e. eth0 and eth1, under the virtual bridge. Once vHSM
is installed successfully, each of its interfaces automatically connects to a vnet interface of
KVM. So, when you install the qcow2 file, place the vnet interface of KVM under the newly created
virtual bridge; then the external networks can be accessed.

1. In the root directory of the KVM host, enter the following command to create a virtual bridge.
sudo brctl addbr br0

2. Add eth0 and eth1 to the virtual bridge.
sudo brctl addif br0 eth0
sudo brctl addif br0 eth1

3. Modify the IP address of eth0 or eth1 to an arbitrary one, then assign the original IP address
of eth0 or eth1 to the virtual bridge interface.
sudo ifconfig eth0 ip-address netmask netmask
sudo ifconfig br0 ip-address netmask netmask

4. In Linux, use the command brctl show to display the virtual bridge and its interfaces.

5. Reconfigure the default route.
sudo route del default gw gateway
sudo route add default gw gateway
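Step 2 above (and the identical Step 2 of the Ubuntu section) carried out as one script with a dry-run mode, added here as an example and not part of the Hillstone guide. The bridge_setup and run function names, the DRY_RUN variable and the sample addresses are assumptions; clearing the physical interface with 0.0.0.0 is a constructed choice where the guide says "an arbitrary address".

```shell
#!/bin/sh
# Added example (not from the Hillstone guide): Step 2 (virtual bridge) as
# one script. Assumptions: brctl, ifconfig and route are installed as the
# guide requires; the script runs as root; with DRY_RUN set, commands are
# printed instead of executed so the plan can be reviewed first (moving the
# host's only address onto a new bridge over SSH is easy to get wrong).

run() {
  if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# bridge_setup BRIDGE IP NETMASK GATEWAY IFACE...
# Creates BRIDGE, enslaves every IFACE, moves IP/NETMASK from the first
# IFACE to BRIDGE and reinstalls the default route through GATEWAY.
bridge_setup() {
  br=$1; ip=$2; mask=$3; gw=$4; shift 4
  if [ $# -lt 1 ]; then
    echo "usage: bridge_setup BRIDGE IP NETMASK GATEWAY IFACE..." >&2
    return 2
  fi
  first=$1
  # Refuse to touch interfaces that do not exist (skipped in dry-run mode).
  if [ -z "$DRY_RUN" ]; then
    for dev in "$@"; do
      [ -d "/sys/class/net/$dev" ] || { echo "no such interface: $dev" >&2; return 1; }
    done
  fi
  run brctl addbr "$br"                       # guide step 1
  for dev in "$@"; do
    run brctl addif "$br" "$dev"              # guide step 2
  done
  # Guide step 3: the physical interface gives up the original address and
  # the bridge takes it; 0.0.0.0 simply clears the interface address
  # (a constructed choice, the guide says "an arbitrary address").
  run ifconfig "$first" 0.0.0.0
  run ifconfig "$br" "$ip" netmask "$mask" up
  # Guide step 5: reinstall the default route, now reachable via the bridge.
  run route del default gw "$gw" || true
  run route add default gw "$gw"
}
```

Run with DRY_RUN=1 first to see the exact command sequence, then without it on the host; `brctl show` (guide step 4) confirms the result.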

Step 3: Installing system package

In the Linux graphical interface, take the following steps to install and start vHSM:

1. Open Virtual Machine Manager.

2. Click the icon which is used to create a new virtual machine, and set as shown below.

3. Browse the file system of the KVM host and select the qcow2 file from step 1.

4. Choose an OS type and version.

5. Choose Memory and CPU settings.

6. Set the virtual machine name, check the Customize configuration before install check box,
then select the virtual bridge.

7. Select the IDE Disk 1 tab, then set Disk bus and Storage format in the right page.

8. Select the Boot Options tab, then check SATA Disk 1 in the right page.

9. Add the vnet interface to the virtual bridge created in step 2 and set the device model.

10. Create a virtual network interface and add it to the virtual bridge created in step 2.

11. Click Begin Installation to install and start vHSM.

Step 4: Initial login of vHSM

After vHSM started, enter username and password "hillstone"/"hillstone".


From now on, you can use the command line interface to manage vHSM. It is recommended to
change your password at your earliest convenience.

Visiting WebUI of vHSM

Please refer to Visiting WebUI of vHSM in Installing vHSM on VMware ESXi chapter.

Disk Expansion
Take the vHSM deployed on a KVM server as an example, and take the following steps:

1. Power off the virtual machine and click Open.

2. Click the icon which is used to display the details of the virtual machine.

3. Click Add Hardware to create a new disk.

4. In the Add New Virtual Hardware dialog, set the disk capacity as required, and then click
Finish.

5. Click the icon which is used to start the virtual machine.

6. Wait for a while. When the prompt shows the command line interface below, enter the default
username and password to log in to vHSM.

7. To expand the disk, use the following command:
[hillstone] extendLVM

8. Restart vHSM.

Deploying HSM Management Environment
To deploy HSM management environment, take the following steps:

1. Configure system time for HSM.

2. Configure options related to HSM management on Hillstone devices, and make sure HSM
can recognize the devices.

Completing the above configurations, you can centralize device management on HSM.

Configuring System Time


System time of HSM affects many HSM modules, such as report, log, upgrade, etc. By default, the
system time of HSM is set to Beijing time. You can modify the system time as needed, or syn-
chronize the system time of managed devices and HSM via an NTP server. Since the system time
is related to many modules, it is recommended to configure the system time properly during
initial setup, and not to modify it thereafter.
To configure system time for HSM, on the level-1 navigation pane, click System > Device Man-
agement > Date & Time. In the HSM System Date and Time dialog, configure options. For more
details, see Configuring Date & Time.

Adding Hillstone Devices to HSM System


You can add the Hillstone devices to HSM by using one of the following methods:

l Configure settings on Hillstone devices. Hillstone devices will automatically register them-
selves to HSM when the network is connected between HSM and Hillstone devices.

l Configure settings on HSM to add Hillstone devices. You can add single device or multiple
devices.

Notes:

l HSM will get all the VSYS devices of the physical device to manage them
when registering.

l After the registration is complete, the zero configuration IPS rules and the
zero configuration anti-virus rules of IPS devices will not appear in the HSM
system until the implementation of importing configuration.

To configure settings on Hillstone devices, take the following steps:

1. Log into StoneOS. Select System > HSM from the menu bar.

2. In the HSM Agent Configuration dialog, configure the following options:

l HSM Agent: Select the Enable checkbox to enable HSM agent, i.e., allowing HSM to
manage the device.

l Status: Shows the status of HSM management.

l HSM Server IP: Specify the IP address of the HSM. This IP address cannot be
0.0.0.0, 255.255.255.255 or multicast address.

l HSM Server Port: Specify the port number of HSM. The value range is 1 to 65535,
the default value is 9090. For StoneOS 4.5R4 and higher versions, port number 9091
is recommended.

l HSM Password: Specify the password for accessing HSM. HSM authenticates the
device using this password. The value is 1 to 31 characters, the default value is
123456.

l Confirm Password: Type the password again to make confirmation.

l OK: Click this button to save the settings and make the settings take effect.

l Cancel: Click this button to cancel the settings.

3. With the above options configured, the device can register to the accessible HSM in the net-
work, and be managed by HSM.

To configure settings on HSM to add Hillstone devices, take the following steps. You can add
single device or multiple devices.

l Add single device

1. Select Device > Device Management, and enter the Device Management page.

2. Click the triangle icon next to the Add Device button and select Add Single Device from the
drop-down menu. The Add Single Device dialog pops up.

3. Configure the following options in the dialog:

l Device Name: Specify the device name to be displayed in HSM.

l IP Address: Specify the device IP address.

l WebUI IP Address: Specify the device WebUI IP address.

l Username: Specify the device login name.

l Password: Specify the corresponding password.

l Device Description: Specify the description for your reference.

l Access Protocol: Specify the protocol for the connection between HSM and
the device. Enter ssl to use the SSL protocol or enter telnet to use the Telnet
protocol. If not specified, HSM will use SSL by default.

l SSH Port: Specify the SSH port number. SSH port number is not only used for
adding devices, but also for deploying a batch of rules, configuring tickets and
inspecting devices.The value range is 1 to 65535. The default value is 22.

l Geographic Location: Specify the geographic location of the device, and select
the province, city and district from the drop-down list.

l Device Group: Specify a device group for this device.

4. Click OK to add and register this device to HSM.

l Add multiple devices

1. Select Device > Device Management, and enter the Device Management page.

2. Click the triangle icon next to the Add Device button and select Add Multiple Devices from
the drop-down menu. The Add Multiple Devices dialog pops up.

3. Click Download Device Info File Template. The Save As dialog appears.

4. Select the location and save the template deviceinfo.xls.

5. Open the template and configure the following options:

l Device Name: Specify the device name to be displayed in HSM.

l IP Address: Specify the device IP address.

l Protocol: Specify the protocol for the connection between HSM and the
device. Enter ssh to use the SSH protocol or enter telnet to use the Telnet pro-
tocol. If not specified, HSM will use SSL by default.

l Username: Specify the device login name.

l Password: Specify the corresponding password.

l Device Description: Specify the description for your reference.

6. Save the changes and close the template.

7. In the Add Multiple Devices dialog, click Browse. The Open dialog appears.

8. Locate the modified template and click OK. HSM starts to load the template.

9. After loading the template, click Upload. HSM starts to read the template and add the
devices in it to HSM. If any one device fails to register, all devices in the template fail
to register. To view the error information, hover over the exclamation mark in the Status
column.

Managing the Added Hillstone Devices


You can edit, delete and register the device which has been added to HSM.

Notes: HSM supports HA management of Active-Passive, Active-Active and
Active-Peer modes for the managed devices. When HSM manages the HA function
of the managed devices, you can view, configure and share information of the master
device in HA. For the slave device, you can only view the configuration information
on HSM.

When the properties of the IP address, username, password and so on change, you can edit device
and modify property values. Take the following steps:

1. Select Device > Device Management, and enter the Device Management page.

2. Select the device that needs to be edited.

3. Click Edit Device in the toolbar and the Edit Device dialog pops up.

4. You can modify the property values which need to change.

5. Click OK to save the configurations and close the dialog.

You can delete the related device when there's no need to manage the specified devices. Take the
following steps.

1. Select Device > Device Management, and enter the Device Management page.

2. Select one or more device(s) that need(s) to be deleted.

3. Click Delete Device in the toolbar, and the device will be deleted when you click OK in
the pop-up dialog.

You can manually register the device when the device is in an offline state or error state. You can
check the link state between the Hillstone device and HSM, as well as make sure that the device's
IP address, login username and password are correct to make device register in HSM successfully.
Take the following steps:

1. Select Device > Device Management, and enter the Device Management page.

2. Select one or more device(s) that need(s) to be registered.

3. Click Register Device in the toolbar and the device will be registered on HSM. You can
view the registration result of the device from the displayed status.

Upgrading vHSM to Official Version


To manage more devices with vHSM, you need to upgrade the trial version to the official
version. The vHSM product includes an official version and a trial version:

l Official version: After being activated, the system becomes the official version. By
default, the official version can manage 15 devices.

l Trial version: If not activated, vHSM is a trial version. The trial version can only manage
three devices. You can use the trial version for 30 days.
Within the time limit, you can use all the functions of vHSM. After the trial version expires,
functions including configuration management, task management, alarm management and log
management are not supported; however, the system can still collect logs.

Upgrading Method
To upgrade to official version, please take the following steps:

1. Log in vHSM via WebUI.

2. Select System > License > System Activation to enter the Activation Guide page. Click
Add in the pop-up dialog box.

3. Enter the SN registration code (contact your salesperson to acquire it), then click Next.

4. Select activation type.


When vHSM can connect to the Internet, we recommend selecting online activation. Otherwise,
select offline activation.

5. Click Next.
If online activation is selected, the Online Activation page pops up and the system will be
activated automatically.
If offline activation is selected, copy the code from step 1 in the Offline Activation dialog
box, then visit the vHSM activation system (activation.hillstonenet.com) and paste the code into
the text box. Click the Activate button, and the activation code will be displayed in the area
below. Paste the activation code into the step 2 text box in the Offline Activation dialog box,
then click Activate.

6. Finish the activation.

If you want to apply and install an official license, please refer to Licensing vHSM.

Notes:
l When not being activated, the system will display the remaining time dynam-
ically in the upper-right corner of the WebUI page. Click on the link to enter
the Activation Guide page.

l In the process of offline activation, vHSM must not be restarted; otherwise, activation may
fail.

Upgrade Guideline for vHSM
When vHSM works normally, the maximum number of devices that it can manage is determined by the
installed licenses. This maximum differs from one license to another, so the hardware resources
that vHSM needs differ as well. For more information, see "Recommended Configuration of vHSM".
When you log in to vHSM via WebUI, if the current hardware configuration does not reach the
recommended configuration, the following prompt box will pop up.

l If vHSM is installed on a VMware ESXi server, for more information about upgrading hard-
ware, see Installing vHSM on VMware ESXi > Disk Expansion.

l If vHSM is installed on a VMware Workstation host, for more information about upgrading
hardware, see Installing vHSM on Workstation > Disk Expansion.

l If vHSM is installed on a KVM host, for more information about upgrading hardware, see
Installing vHSM on KVM > Disk Expansion.

l If vHSM is installed on Amazon Web Services (AWS), for more information about upgrading
hardware, see Installing vHSM on AWS > Disk Expansion.

HSM WebUI Layout
This chapter introduces the WebUI layout of HSM, including the level-1 navigation pane, login
information, task panel and alarm & message.
The following is the layout picture of HSM WebUI:

Level-1 Navigation Pane


The level-1 navigation pane displays the main functions of HSM, including Dashboard, Device,
Configuration, Monitor, VPN, Alarm, Report, Log and System.

Login Information
In the Login Information part, you can check the name of current login user. Click the user name,
you can view and edit the information of current user, as well as exit HSM.

Editing User Information
Click the user name and My Information, then My Information dialog pops up. Configure the
options as follows:

Option                 Description

Username               Displays the name of the current user. If a RADIUS server is
                       configured as the Authentication Server, you can click the Change
                       Password button to reset the login password.

Authentication Server  Displays the authentication server of the user.

Timeout(min)           Specify the timeout value. If no operation is executed within the
                       timeout time, the login connection will be interrupted.

Department             Specify the department of the user.

Cell                   Specify the mobile number of the user.

Email                  Specify the email address of the user.

Create Time            Displays the time the user was created.

Login Time             Displays the time of the latest login.

Comment                Enter a comment about the user.

Exit HSM
Click the user name and Log off, then you will exit HSM system.

About

Click the icon, and the About dialog pops up. Click Help, and the page will redirect to the
Help page.

Task Panel
HSM uses tasks to track the system operations that need to know the running status and the run-
ning results. When the system executes the task, the related logs will be generated, and you can
learn the detailed task information and task failure reason from the logs. To view the tasks, click
the task panel at the bottom of the page. The task panel includes two parts: toolbar and task list.
In the toolbar, you can execute the following operations:

l Select a task in the task list, and click the corresponding toolbar buttons.

l Select the Type, Status and Task ID from the drop-down list at the right corner of the task
panel, and the filtered tasks will be displayed in the list.

In the task list, you can view the Task ID, Type, Status, Create Time, Run Time, Result, Oper-
ator and User name.

Option      Description

Result      Displays the result of the task. You can view the result via the
            following methods:

            l View the color of the progress bar: the colors indicate whether the
              task has completed, has failed, or has not started yet. Hover the
              mouse over the progress bar to view the description.

            l For the log related tasks, click "View" to check the query result
              of the logs.

            l Download Report: Click "Report" to download and view the task
              report.

Operator    Click the log icon to view the logs of the task. Click the details icon
            to view the details of the task.

User Name   Displays the name of the operator.

Alarm & Message

Alarm: Displays the number of unread alarms. Click Alarm, and the page will be redirected to the
Alarm page.
Message: Displays the number of unread messages. Click Message, and you can view the messages
in the message list. When the system receives a new message, the new message will be displayed at
the bottom of the page. A message in white is a normal message, while a message in red is an
alarm. Click the message which needs to be processed and the system will redirect to the related
page.

Dashboard
The chapter introduces the device information summary, VPN topology, traffic and security
related statistics via the pre-defined panels: Overview, VPN, Traffic and Security, as well as intro-
duces how to customize the panel.

l Pre-defined Panel

l User-defined Panel

Pre-defined Panel
In the Dashboard page, there are 4 pre-defined panels: Overview, VPN, Traffic and Security.

Overview
In the Overview panel, you can view the System Statistics, System Information, System
Resources, Device Traffic Ranking TOP10, Last 60 Minutes Threat Type Ranking TOP 10, Last
60 Minutes CPU Utilization Ranking TOP 10, Last 60 Minutes Memory Utilization Ranking TOP
10, Log Trend (Last 24 Hours) and the time axis.

System Statistics

In the System Statistics, you can view the following statistics in the format of doughnut and the
statistics data refresh automatically every 10 minutes.

l All Devices: Displays the distribution of devices types. The number in the center of dough-
nut means the total managed devices, and the legend under the doughnut displays the device
types. Hover the mouse over the doughnut to view the number of the specified device type.

l Online Devices: Displays the distribution of online devices. The number in the center of
doughnut means the total online devices, and the legend under the doughnut displays the
device types. Hover the mouse over the doughnut to view the number of specified online
devices.

l Last 60 Minutes Alarms: Displays the distribution of alarm severity. The number in the center
of doughnut means the total alarms in the last 60 minutes. Hover the mouse over the

doughnut to view the number of specified alarm severity. Click the specified severity and the
page will redirect to the Alarm page.

l Last 60 Minutes Threats: Displays the distribution of threat types. The number in the center
of doughnut means the total threats in the last 60 minutes. Hover the mouse over the dough-
nut to view the number of specified threat type. Click the specified threat type and the page
will redirect to the Log page.

System Information

In the System Information, you can view the following statistics and the statistics data refresh
automatically every 10 minutes.

l SN: Displays the serial number of the HSM.

l Software Version: Displays the version of the software.

l Platform: Displays the model of the hardware platform.

l System Uptime: Displays the running time of system.

l License Expiration Time: Displays the expired time of license.

l License Devices: Displays the number of firewall devices that HSM can manage.

l Estimate the remain storage days of the disk: Displays the estimated number of days for which
the remaining disk capacity will last. The system estimates this from the usage of the disk's
used capacity.

System Resources

In the System Resources, you can view the following statistics:

l Click the corresponding icon to view the resource utilization of the latest day in a line
chart. Select the Show Legend check box to view the legend of the utilization of CPU, memory
and disk. The statistics data refresh automatically every 10 minutes.

l Click the corresponding icon to view the resource utilization in real time. The statistics
data refresh automatically every 1 minute.

Device Traffic Ranking TOP10

In the Device Traffic Ranking TOP10, you can view the traffic ranking of the managed devices in
the past 1 minute. The statistics data refresh automatically every 1 minute.

Click the corresponding icons to switch the statistical graph between table and bar chart.

Last 60 Minutes Threat Type Ranking TOP 10

In the Last 60 Minutes Threat Type Ranking TOP 10, you can view the threats ranking in the last
60 minutes. The ranking information refresh automatically every 10 minutes.

Click the corresponding icons to switch the statistical graph between table and bar chart.

Last 60 Minutes CPU Utilization Ranking TOP 10

In the Last 60 Minutes CPU Utilization Ranking TOP 10, you can view the CPU utilization rank-
ing of the managed devices in the last 60 minutes. The ranking information refresh automatically
every 10 minutes.

Click the corresponding icons to switch the statistical graph between table and bar chart.

Last 60 Minutes Memory Utilization Ranking TOP 10

In the Last 60 Minutes Memory Utilization Ranking TOP 10, you can view the memory util-
ization ranking of the managed devices in the last 60 minutes. The ranking information refresh
automatically every 10 minutes.

Click the corresponding icons to switch the statistical graph between table and bar chart.

Log Trend (Last 24 Hours)

In the Log Trend (Last 24 Hours), you can view the log receiving rate of the system at different
times in the last day. When the log increase rate stays too high and causes log information to
accumulate, the system will automatically generate a log accumulation alarm, which you can view
in the main window of Alarm > Alarm Search.

Time Axis

You can check the latest event messages in the time axis from top to bottom. The events mes-
sages refresh automatically every 1 minute. You can check the messages of the latest week at
most.

l Click the button at the upper-right corner to hide the time axis, and click the corresponding
button to display it again.

l Hover the mouse over the message, and you can view Time, Type, Severity, Count and
Detail. Click View Detail and the page will redirect to the corresponded function.

l You can also execute the following operations on the time axis:

1. Click the icon, and the Settings dialog pops up.

2. Select the type and click Edit to change the Icon, Color and Ignore settings for the type. If Ignore is selected for the type, messages of that type will be hidden in the time axis.

3. Click OK.

4. To restore the default settings for the selected type, click Reset.

l You can also right-click the icon before an event message to select one of the following operations:

l Ignore this type: Hide the selected event type from the time axis.

l Mark Icon: Specify the icon for the event type.

l Mark Color: Specify the color for the event type.

l Settings: Edit the Icon, Color and Ignore settings for the event type. To restore the default settings for the selected type, click Reset.

l You can click the buttons to slide the time axis, and click the button to move to the top of the time axis.

VPN
In the VPN panel, you can view the topology of tunnels. For the detailed steps, refer to VPN > VPN > Topology.

Traffic
In the Traffic panel, you can view the Last 5 Minutes App Traffic Ranking TOP10 and the Last 5 Minutes User Traffic Ranking TOP10.

Last 5 Minutes App Traffic Ranking TOP10

In the Last 5 Minutes App Traffic Ranking TOP10, you can view the application ranking by traffic in the latest 5 minutes. The ranking information refreshes automatically every 1 minute.

Click the buttons to switch the statistical graph between table and bar chart.

Last 5 Minutes User Traffic Ranking TOP10

In the Last 5 Minutes User Traffic Ranking TOP10, you can view the user ranking by traffic in the latest 5 minutes. The ranking information refreshes automatically every 1 minute.

Click the buttons to switch the statistical graph between table and bar chart.

Security
In the Security panel, you can view the Last 60 Minutes Attacker Ranking TOP10 and Last 60
Minutes Victim Ranking TOP10.

Last 60 Minutes Attacker Ranking TOP10

In the Last 60 Minutes Attacker Ranking TOP10, you can view the ranking of attack sources in the past 60 minutes. The ranking information refreshes automatically every 1 minute.

Click the buttons to switch the statistical graph between table and bar chart.

Last 60 Minutes Victim Ranking TOP10

In the Last 60 Minutes Victim Ranking TOP10, you can view the ranking of attack destinations in the past 60 minutes. The ranking information refreshes automatically every 1 minute.

Click the buttons to switch the statistical graph between table and bar chart.

User-defined Panel
Besides viewing the default Overview, VPN, Traffic and Security panels, you can also customize a panel and add widgets as needed.

Creating the User-defined Panel
To create a custom panel, take the following steps:

1. Click the button on the right of the panel line and enter the name of the new panel. The name can be at most 32 characters.

2. Click the button or press Enter to save the panel.

Notes:
l At most 10 tabs can be displayed in the panel line.

l You can change the order of panels, but the Overview panel must always be the first.

Deleting the Panel


You can delete the Traffic, Security and user-defined panels.

1. Click the icon and the Confirm dialog pops up.

2. Click OK.

Viewing the Panel

You can view the specified panel in a new window or in full screen.

l Click the button, and a new window will be opened in the browser. You can view the specified panel in the new window without logging in to HSM again.

l Click the button to view the specified panel in full screen. Click the button or press Esc to exit full screen mode.

Customizing the Panel

You can customize the statistics displayed on the panel. To customize the panel, take the following steps:

1. Select a panel, click the button at the bottom, and the Add Widget dialog pops up.

2. Select Predefine or Custom to add widgets:

If you need to add a predefined widget, select the Predefine tab. The predefined widgets include System Information, System Resources, Device Traffic Ranking, App Traffic Ranking, User Traffic Ranking, Threat Type Ranking, Attacker Ranking, Victim Ranking, CPU Utilization Ranking and Memory Utilization Ranking.
If you need to add a user-defined widget, select the Custom tab. The data that can be counted include traffic, threats and logs. You can specify the statistic fields of traffic, threats or logs, and the ranking of the statistic fields will be displayed on the panel.

Option Description

Title Specifies the name of the widget.

Data Source

Data Types Select the data type from the drop-down list, including traffic, threat and log.
l Threat: Threats will be counted as statistical data.
l Traffic Types: Displays when Traffic is selected as the data type. You can select User Traffic or Application Traffic from the drop-down list.
l Log Type: Displays when Log is selected as the data type. Select the log type from the drop-down list.

Statistical Fields Specify the object that will be counted for ranking.

Device Filter Select the device or device group to be filtered.

Conditions Specify the filtering conditions. Click Add and set the filtering conditions in the pop-up dialog.

Statistical Graph

Graph Type Specify the graph type, including pie chart, line chart and bar chart.

Top Specify the number of ranked entries.

Time Limit Specify the statistical period, including 30, 40, 50 minutes or 1, 6, 12, 24 hours.

X/Y Axis When line chart or bar chart is selected, the X and Y axes are defined automatically.

3. Click OK.

Notes:
l At most 8 widgets can be displayed in each panel.

l You can change the location of widgets except System Statistics and the time axis.

Tool Bar
Click the tool bar of the widget to edit the widget:

l Graph Type: Select the graph type, including pie chart, line chart and bar chart.

l Edit: Click the button to edit the title and graph type.

l Refresh: Click the button to refresh the widget manually.

l Resize: Click the button and select the size of the widget as needed.

l Maximum: Click the button to enlarge the widget.

l Delete: Click the button to delete the specified widget.

Introduction to System Management
Configurations related to HSM system management include:

l System Management

l User: Configuring HSM system administrators.

l Authentication Settings: Specifying the mode of authenticating users who log in to HSM.

l AAA Server: Configuring the AAA server, including the server name, type, address, port, and key.

l Trusted Host: Configuring the IP range of the hosts that are allowed to log in to or manage HSM.

l Date & Time: Configuring the HSM system date and time. HSM supports synchronization with NTP servers. The HSM system time can be referenced by other modules, such as monitor, alarm, log, upgrade, etc.

l Network Management: Configuring parameters for Internet management, including IP address, gateway and DNS servers.

l Service Configure: Specifying the port number for accessing HSM via Web.

l Resource Management: Managing the storage space of the system.

l Distribute Management: Configuring multiple HSM devices to manage a large number of managed devices.

l Monitor Configuration: Enabling or disabling the Monitor function. The monitor function is disabled by default because it consumes more system performance. When the monitor function is disabled, monitor, alarm, report, and the monitor charts shown in the single device page are not available.

Introduction to System Management 71

l Password Management: Configuring the password policy.

l System Monitor: Viewing system status, including CPU utilization, memory utilization, and disk utilization.

l Configuration Management: Backing up configuration and running data for the HSM system.

l Upgrade: Upgrading or rolling back the HSM system, or restoring it to the factory defaults.

l License: Viewing, applying for and installing a license.

l Email: Configuring parameters for the Email server that is used to send alarm mails.

l Proxy Server: Configuring parameters for the proxy server that is used to upgrade signature databases.

l SMS Modem Configuration: Configuring parameters for sending SMS and viewing SMS Modem status information, etc.

l Diagnose Tools: Testing the connection status between the managed devices and HSM, including DNS query, Ping, and Traceroute.

l Log: Backing up, importing, cleaning, forwarding and filtering logs.

l Language: Changing the system language. Chinese and English are supported.

l Power

l Reboot: Click this menu item to reboot the HSM device.

l Shutdown: Click this menu item to shut the HSM device down.



User Management
HSM supports user access control with a role-based access control mechanism. You can assign different privileges to users in different roles, so that users in different roles can perform different operations. User and privilege management has the following characteristics:

1. The system admin can specify privileges for every user, and the privileges can be granted at the granularity of each HSM function module (e.g. Device, Configuration, Report).

2. A user can have one or more roles, and a role can be given to one or more users.

3. Physical device or VSYS privileges can be set for a user.

After logging in, the HSM system administrator can use HSM to manage Hillstone devices. HSM users consist of the super administrator and administrators. The super administrator has all the privileges of a system administrator and can create/delete/enable/disable administrators and specify roles/device resources for administrators. The username and password for the default super administrator of HSM are admin and hillstone respectively.
By default, HSM predefines three roles: system administrator, operator, and log auditor. Predefined roles cannot be modified or deleted, and user-defined roles can be created according to your needs. The predefined roles are described below:

Role Privilege Descriptions

System Administrator Privilege of all operations.

Operator Privilege of Device, Configurations, Monitor, Alarm.

Log Auditor Privilege of log management.

The administrator can do the following operations in HSM:

l Creating a User

l Enabling/Disabling the Two Factors Authentication

l Editing a User

l Deleting a User

l Enabling/Disabling a User

l Resetting Password

l Modifying Default Password

l Creating a Role

l Deleting a Role

Creating a User
Only the user who has the privilege of a system administrator can create a user. To create a user, take the following steps:

1. Select System > User > User.

2. In the User tab, click New. In the User dialog, configure the following options:

l Authentication: Specify the authentication for the user. The default authentication is local. When the authentication is local, the authorization can only be local. When the authentication is remote, the password item is hidden.

l Authorization: Specify the authorization for the user. The default authorization is local. When a local server or a RADIUS server is configured as the user's authentication server, the authorization server can only be the local server.

l User: Specify the username for the user.

l Password: Specify the password for the user. It should be 8-32 characters, including numbers, English letters (case sensitive), and special characters. The default password is hillstone, and you can change the password as needed.

l Password Strength: Shows the hints of password complexity.



l Escape Mode: When a TACACS+ server or a RADIUS server is configured as the user's authentication server, select the check box to enable this function and enter the escape password. After this function is enabled, the system will authenticate the user's name and escape password against the local server when the RADIUS/TACACS+ server is not reachable.

l Enable: Specify the status of the new user. By default the new user is enabled. Clear the check box to disable the user, and the user will not be able to log in to HSM.

l Timeout (min): Specify the timeout for the user. If the user does not configure any option before the timeout expires, the system will log the user off.

l Department: Specify the department for the user.

l Email: Specify the Email for the user.

l Comment: Specify the comment for the user.

l Cell: Specify the cell phone number for the user.

3. Only when you specify "local" as the Authorization can you click the Privilege tab and configure the role for the current user. Specify the role in the Role text box, and then select which devices the user can manage in the Resource Device box. When the selected role is not the system administrator, select the device group which the user can manage. Then, once a new device is added to the device group, the user automatically gets the management privilege for it.
Note: When the check box behind the device group is selected, the user will lose the privilege for a device once it is moved out of the group. When the "All" check box is selected, the user will still have the privilege for the device even if it is moved out of the group.

4. Click OK to save the settings.
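The role and device-scope rules above (roles are combined, a device group grants privileges that follow the group's membership, and the "All" check box keeps the privilege for a device after it is moved out) are easier to reason about as code. The following is an added example written for this guide, not Hillstone's implementation: the predefined role names and module names come from the page, while the data structures, function names and the "snapshot of the group at grant time" reading of the "All" check box are assumptions.

```python
"""Worked model of HSM's user/role/device-scope rules (added example)."""
from dataclasses import dataclass, field

# Predefined roles and the modules they cover, as listed in the guide.
# "*" stands for "privilege of all operations".
PREDEFINED_ROLES = {
    "System Administrator": {"*"},
    "Operator": {"Device", "Configurations", "Monitor", "Alarm"},
    "Log Auditor": {"Log"},
}


@dataclass
class User:
    name: str
    roles: set                         # a user may hold one or more roles
    # device group -> None (group box only) or the device set remembered
    # when the "All" box was selected (assumed snapshot semantics)
    device_groups: dict = field(default_factory=dict)


def effective_modules(user, roles=PREDEFINED_ROLES):
    """A user's module privileges are the union over all held roles."""
    allowed = set()
    for role in user.roles:
        allowed |= roles[role]
    return allowed


def can_operate(user, module, roles=PREDEFINED_ROLES):
    allowed = effective_modules(user, roles)
    return "*" in allowed or module in allowed


def grant_group(user, group, groups_now, select_all=False):
    """Grant a device group. With select_all the current members are
    remembered so the privilege survives later moves; otherwise the
    privilege is evaluated against current membership only."""
    user.device_groups[group] = set(groups_now[group]) if select_all else None


def can_manage_device(user, device, groups_now):
    """groups_now maps group name -> set of devices currently in it."""
    if "System Administrator" in user.roles:
        return True                    # all operations, all resources
    for group, remembered in user.device_groups.items():
        if device in groups_now.get(group, set()):
            return True                # current member: follows the group
        if remembered is not None and device in remembered:
            return True                # "All" selected: kept after a move
    return False


def demo():
    """Constructed scenario: one group, one move-out, one later addition."""
    groups = {"Branch": {"fw-1", "fw-2"}}
    op = User("alice", {"Operator"})
    grant_group(op, "Branch", groups)                 # group box only
    aud = User("bob", {"Log Auditor"})
    grant_group(aud, "Branch", groups, select_all=True)

    groups["Branch"].discard("fw-2")                  # fw-2 moved out
    groups["Branch"].add("fw-3")                      # fw-3 added later
    return {
        "alice_fw2": can_manage_device(op, "fw-2", groups),    # False
        "alice_fw3": can_manage_device(op, "fw-3", groups),    # True
        "bob_fw2": can_manage_device(aud, "fw-2", groups),     # True
        "alice_report": can_operate(op, "Report"),             # False
        "alice_alarm": can_operate(op, "Alarm"),               # True
    }


if __name__ == "__main__":
    print(demo())
```

The point for a reviewer of HSM accounts is the difference between the two grants: a group-only grant keeps privilege tied to the current group membership, while the "All" grant keeps privilege for a device even after it has been moved to a group the user was never given, so the "All" box should be used deliberately.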

Also, you can create a new user in a faster way, i.e., by copying. To create a user by copying, take the following steps:

1. In the User tab, select a user by selecting the corresponding check box from the user list.

2. Click Copy in the toolbar. In the User dialog, all the configurations of the selected user are copied. You only need to configure the name for the new user, and modify other options as needed.

3. Click OK to save the settings.

Enabling/Disabling the Two Factors Authentication

Two factors authentication means that when users log in to HSM, HSM will not only verify the username and password, but also perform SMS authentication. To enable this function, you need to finish the configuration of the SMS gateway and ensure that the cell phone numbers of the administrators are correct. For more information, see "SMS Gateway" on Page 126.
To enable/disable the two factors authentication function, take the following steps:

1. Select System > System Management > User.

2. Select the User tab and select users in the list as needed.

3. Click the enable or disable button, and then click OK in the OK dialog box to enable or disable this function for the selected users in batches.

Editing a User
To edit a user, take the following steps:

1. In the User tab, click the username you want to edit.

2. In the Details dialog, edit the user as needed.

3. Click Apply to save the changes. If needed, click Previous/Next to edit other users.

4. Click OK to save the settings.



Notes:
Only the user who has the system administrator privilege can edit the configuration of Authentication or Authorization for another user:

l The system administrator can edit other users' configuration of Authentication.

l The system administrator cannot edit the configuration of Authentication or Authorization for itself.

Deleting a User
To delete a user, take the following steps:

1. In the User tab, select a user by selecting the corresponding check box from the user list.

2. Click Delete in the toolbar.

3. In the OK dialog, click OK.

Enabling/Disabling a User
Disabled users will not be able to log in to HSM. To enable/disable a user, take the following steps:

1. In the User tab, select a user by selecting the corresponding check box from the user list.

2. Click Enable/Disable in the toolbar.

Resetting Password
This operation will reset the user password to the default password hillstone. Only the default administrator admin can reset passwords, by one of the following methods:



l In the User tab, select a user by selecting the corresponding check box from the user list, and click Reset Password in the toolbar.

l In the User tab, click the username you want to edit. In the Details dialog, click Reset Password.

Modifying Default Password

When logging in to the device with the default password, the system supports modifying the default password.
To modify the default password, take the following steps:

1. Enter the device management IP in the browser to open the login page, and enter the user name and password.

2. In the prompt box, select "Change the Default Password" and click OK.

3. Enter the default password, new password, and verification code in the text boxes.

4. Click OK.

Creating a Role
To create a role, take the following steps:

1. Select System > User > User.

2. In the Role tab, click New and the Add Role dialog pops up. The options are described below:

l Role: Specify the name for the role.

l Comment: Specify the comment information.

l User: Click the text box and select which users the role belongs to.

l Privilege: Specify the privileges for the role on each HSM module.

3. Click OK to save the settings.

Also, you can create a new role in a faster way, i.e., by copying. To create a role by copying, take the following steps:

1. In the Role tab, select a role by selecting the corresponding check box from the role list.

2. Click Copy in the toolbar. In the Add Role dialog, all the configurations of the selected role are copied. You only need to configure the name for the new role, and modify other options as needed.

3. Click OK to save the settings.

Deleting a Role
Predefined roles cannot be deleted. The user who has the system administrator privilege can delete user-defined roles. Once a role is deleted, the users assigned to that role lose all the privileges of the role.
To delete a role, take the following steps:

1. In the Role tab, select a role by selecting the corresponding checkbox from the role list.

2. Click Delete in the toolbar.

User Authentication
User authentication is used to identify whether the user logging in is legitimate. If you pass the authentication, you can log in and operate HSM; if not, you will not be able to log in. HSM supports the following authentication modes:

l Local authentication: Configures user information (including username, password and properties) on HSM. Local authentication is fast and reduces operation cost, but the amount of information that can be stored is limited by the hardware of the device.

l Radius/TACACS+ authentication: User information is stored in an external RADIUS/TACACS+ server, and HSM authenticates users through the RADIUS/TACACS+ server.

To configure the authentication mode for HSM, take the following steps:

1. Select System > User > AAA Server.

2. Click Authentication Configuration, and configure the following options:

l Select Yes, and users that do not exist in the local server will be authenticated by the selected external AAA server.

l Select default authentication server: Select an external AAA server for the authentication.

l Default User Role: Specify a configured role. When a user authenticated by an external AAA server is not assigned a role, the system will assign the specified role to the user.

l Select No, and users that do not exist in the local server cannot log in to HSM.

l Default User Role: Specify a configured role. When a user authenticated by the local AAA server is not assigned a role, the system will assign the specified role to the user.

3. Click OK to save the settings.

Notes:
l After the authentication mode is modified successfully, the current online users will be logged off, and you need to log in again.

l In Radius authentication mode, the system will save the privilege configuration of users who have been authenticated successfully by the RADIUS server locally, and authorize the users with the corresponding privileges.

l In local authentication mode, all local users are displayed in the user list; in Radius authentication mode, users who have been authenticated successfully by the RADIUS server are displayed in the user list, and the user name format is "user name" + "@" + "IP address of RADIUS server".
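The login decision described in this section and in the Escape Mode option under Creating a User has several branches: a locally defined user, a user not known locally (accepted via the external server only when "Yes" is selected, and then shown as "user name@server IP" with the default role if none is assigned), and escape mode when the RADIUS/TACACS+ server is unreachable. The following added example models that decision path so that each outcome is explicit; it is written for this guide and is not Hillstone's code. The user store, the `external_check` callback, the sample credentials and the use of SHA-256 as a stand-in for a real password hash are all constructed for the example.

```python
"""Worked model of the HSM login decision path (added example)."""
import hashlib
import hmac


def _h(pw):
    # Constructed stand-in for a password hash, so sample passwords are not
    # stored in clear text here; a real store would use a slow password hash.
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed sample user store (not real credentials).
LOCAL_USERS = {
    "admin": {"auth": "local", "pw": _h("Example#Pass1"),
              "role": "System Administrator"},
    # remote authentication with escape mode enabled
    "carol": {"auth": "remote", "escape_pw": _h("Esc@pe2024!"),
              "role": "Operator"},
}

# Assumed shape of the Authentication Configuration choices on the page.
AUTH_CONFIG = {
    "external_fallback": True,          # "Yes": unknown users go to the AAA server
    "default_server_ip": "10.0.0.5",    # selected default authentication server
    "default_role": "Log Auditor",      # Default User Role
}


def authenticate(username, password, external_check,
                 users=LOCAL_USERS, cfg=AUTH_CONFIG):
    """external_check(username, password) -> 'accept' | 'reject' | 'unreachable'.
    Returns a dict with the decision, resolved role, display name and the
    path taken, so every outcome is auditable."""
    rec = users.get(username)
    if rec is None:
        # User not in the local server: only the "Yes" setting lets them in.
        if not cfg["external_fallback"]:
            return {"ok": False, "path": "unknown-user-no-fallback"}
        result = external_check(username, password)
        if result != "accept":
            return {"ok": False, "path": f"external-{result}"}
        return {"ok": True, "role": cfg["default_role"],
                "name": f"{username}@{cfg['default_server_ip']}",
                "path": "external"}
    if rec["auth"] == "local":
        if hmac.compare_digest(rec["pw"], _h(password)):
            return {"ok": True, "role": rec["role"], "name": username,
                    "path": "local"}
        return {"ok": False, "path": "local-bad-password"}
    # Locally defined user with remote authentication.
    result = external_check(username, password)
    if result == "accept":
        return {"ok": True, "role": rec.get("role") or cfg["default_role"],
                "name": username, "path": "external"}
    if result == "unreachable" and rec.get("escape_pw"):
        # Escape mode applies only when the server cannot be reached,
        # never when it answered with a rejection.
        if hmac.compare_digest(rec["escape_pw"], _h(password)):
            return {"ok": True, "role": rec["role"], "name": username,
                    "path": "escape"}
        return {"ok": False, "path": "escape-bad-password"}
    return {"ok": False, "path": f"external-{result}"}
```

Two behaviours worth confirming on a real deployment follow from this model: a rejection from the AAA server must never fall through to the escape password, and with "No" selected an unknown user is refused before any external request is made.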

AAA Server
AAA is the abbreviation for Authentication, Authorization and Accounting. Details are as follows:

l Authentication: Authenticates users' identities.

l Authorization: Grants certain privileges according to the configuration.

l Accounting: Records the fees users should pay for their network resource usage.

In the HSM system, authentication supports the following 3 types of AAA server:

l Local server: the local server is HSM itself.

l External servers: Radius server and TACACS+ server.

To configure the AAA server, take the following steps:

1. Select System > System Management > AAA Server.

2. Click New, and configure the following options.

Option Description

Server Name Specify the server name. You can specify at most 31 characters.

Server Type Specify the server type, including Radius and TACACS+.

Server Address Specify the IP address or domain name of the AAA server. You can specify at most 64 characters.

Port Specify the port number of the AAA server. The value range is 1 to 65535.

Password Specify the password for communication between the AAA server and HSM.

Authentication Type Specify the authentication protocol used to establish the connection between HSM and the AAA server. You can specify more than one protocol.
l If you specify a RADIUS server, the following protocols are supported: PAP, CHAP, MSCHAP and MSCHAPV2.
l If you specify a TACACS+ server, the following protocols are supported: PAP, CHAP and ASCII.
Notes: You need to configure this option based on the authentication protocols supported by the specified AAA server.

nas-ip This option is supported only when a RADIUS server is specified. Click the button after Advanced and specify the IP address which will be the value of "NAS-IP-Address" in the authentication message. The nas-ip identifies the NAS when HSM sends an authentication request to the RADIUS server.

Link Test Click the Link Test button, and the system will verify whether the configured AAA address is reachable. If reachable, the system will prompt "AAA server reach"; if not, the system will prompt "AAA server can not reach".

3. Click OK.

Notes: The system supports adding up to 9 AAA servers.

Configuring Trusted Host

The HSM device allows only trusted hosts to manage the system. Trusted hosts are recognized by their IP addresses. If the host IP address is in the specified IP range, the host is a trusted host. Trusted hosts follow these rules:

1. Only the system admin can configure a trusted host.

2. By default, the trusted IP range is 0.0.0.0/0, which means all hosts are trusted.

3. A trusted host can be an IP address, an IP range or multiple IP addresses.

To configure a trusted host, take the following steps:

1. Select System > Device Management > Trusted Host.

2. Click New. The options are described below:

l Host Name: Specify the name for the trusted host. It can be null.

l IP Address: Specify the IP address or IP range for the trusted host, e.g. 10.188.1.10 - 10.188.1.15, or 192.168.10.0/24.

l Remarks: Specify the remark information for the trusted host.

3. Click OK to save the settings.

To edit/delete a trusted host, take the following steps:

1. Select System > Device Management > Trusted Host.

2. Select a trusted host by selecting the corresponding check box from the list, and then click Edit or Delete.

3. Click OK to save the settings.
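The trusted-host rules above (a single address, a "start - end" range, or a CIDR block, with 0.0.0.0/0 as the default that trusts every host) are reproduced in the following added example, which parses entries in those three forms, decides whether a management client is trusted, and flags a trusted-host list that has been left at the default. It is written for this guide, not Hillstone's code; the sample entries are constructed, and the "very wide range" threshold is an assumption used only for the audit warning.

```python
"""Trusted-host matching and a default-setting audit (added example)."""
import ipaddress


def parse_trusted_host(entry):
    """Return ('range', lo, hi) for 'a - b', or ('net', network) for a
    single address or a CIDR block."""
    text = entry.strip()
    if "-" in text:                        # IPv6 literals never contain '-'
        lo_s, hi_s = (p.strip() for p in text.split("-", 1))
        lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range: {entry}")
        return ("range", lo, hi)
    # A bare address becomes a /32 (or /128) network.
    return ("net", ipaddress.ip_network(text, strict=False))


def is_trusted(client_ip, entries):
    """True if client_ip falls inside any configured trusted-host entry."""
    ip = ipaddress.ip_address(client_ip)
    for entry in entries:
        kind, *parts = parse_trusted_host(entry)
        if kind == "range":
            lo, hi = parts
            if ip.version == lo.version and lo <= ip <= hi:
                return True
        else:
            (net,) = parts
            if ip.version == net.version and ip in net:
                return True
    return False


WIDE_RANGE = 65536   # assumed threshold for the "very wide range" warning


def audit_trusted_hosts(entries):
    """Return warnings for entries that leave management open to everyone
    (the factory default 0.0.0.0/0) or to a very wide range."""
    warnings = []
    for entry in entries:
        kind, *parts = parse_trusted_host(entry)
        if kind == "net":
            net = parts[0]
            if net.prefixlen == 0:
                warnings.append(f"{entry}: trusts every host (default setting)")
            elif net.num_addresses > WIDE_RANGE:
                warnings.append(f"{entry}: very wide range ({net.num_addresses} addresses)")
        else:
            lo, hi = parts
            count = int(hi) - int(lo) + 1
            if count > WIDE_RANGE:
                warnings.append(f"{entry}: very wide range ({count} addresses)")
    return warnings


# Constructed sample list using the forms shown in the guide.
SAMPLE_ENTRIES = ["10.188.1.10 - 10.188.1.15", "192.168.10.0/24", "172.16.5.7"]

if __name__ == "__main__":
    for ip in ("10.188.1.12", "10.188.1.16", "192.168.10.77"):
        print(ip, is_trusted(ip, SAMPLE_ENTRIES))
    print(audit_trusted_hosts(["0.0.0.0/0"]))
```

Running the audit against the list as exported from HSM is a quick way to confirm that the 0.0.0.0/0 default has actually been replaced by the management subnet before the system is exposed beyond a lab network.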

Configuring HSM System Time

The HSM system time can be referenced by other modules, such as log, upgrade, etc. To ensure that the system time of HSM and of the managed devices is synchronized, it is recommended to configure the same NTP server for HSM and the managed devices. You can configure the HSM system time manually or by synchronizing with an NTP server.
To configure the HSM system time manually, take the following steps:

1. Select System > Device Management > Date & Time.

2. Select the appropriate time zone from the HSM System Time Zone drop-down list. If the selected time zone uses DST, the "Automatically adjustment of daylight time clock" check box will be selected automatically.

3. The current date and time are shown in the HSM System Time box. If you still need to modify the date or time, type the correct date and time into the box.

4. Click OK to save the settings.

5. The changed time will be applied to new data only; the time of existing data will not be updated. In the pop-up Warning dialog, click Yes to confirm the update. If the time zone is adjusted from east to west, the time of new business data may be the same as that of existing business data.

6. Restart the device and log in again.

To configure the HSM system time by synchronizing with an NTP server, take the following steps:

1. Select System > Device Management > Date & Time from the Level-1 navigation bar.

2. Select the Sync with NTP Server check box.

3. Type the IP address of the NTP server into the Server 1 box; if needed, type the IP address of a second NTP server into the Server 2 box, and the system will try to synchronize with Server 2 if synchronization with Server 1 fails.

4. Click OK to save the settings.

Notes: Configure the system time properly during the initial setup, and if possible,
do not change the system time thereafter. Otherwise, modules that rely on system
time (such as report, log) will be affected.

HSM Network Management

HSM network management refers to the configuration of IP address, gateway and DNS servers. These configurations ensure the connectivity between HSM and the managed devices. To facilitate network configuration, the eth0 port of HSM is configured with a default IP address of 192.168.1.1/255.255.255.0.
To configure parameters for HSM network management, take the following steps:

1. Select System > Device Management > Network Management.

2. In the Internet Management dialog, configure the following options:

l IP Address: Specify the IP addresses for eth0 and eth1 according to the network topology.

l Netmask: Specify the netmasks for eth0 and eth1 according to the network topology.

l Gateway: Specify the IP address of the gateway of HSM.

l Preferred: Specify the IP address of the preferred DNS server of HSM.

l Backup: Specify the IP address of the backup DNS server of HSM.

3. Click OK to save the settings.

Service Configuration
HSM supports modifying the service configuration, including the WEB port number, REST API, REST API Token, data transmission encryption protocol, and SSH and syslog service status.
Contents related to service configuration include:

l WEB PORT

l REST API

l REST API Token

l Encryption Protocol

l Service Status

l SNMP

WEB PORT
You can modify the port number used to access HSM by Web, in order to help ensure system security.
To configure the port number, take the following steps:

1. Select System > Device Management > Service Config.

2. Select WEB PORT, and enter the WEB PORT page.

3. Configure the following options.

l HTTP WEB Port: Specify the port number used to access the HTTP service of HSM. The default value is 80. The value ranges from 1025 to 65535 except 80, wherein 2003-3003, 3306, 6514, 8005, 8080, 8161, 8443, 9000, 9090, 9091, 9092, 61616, and 61617 are preoccupied by the system. The preoccupied port numbers cannot be configured.

l HTTPS WEB Port: Specify the port number used to access the HTTPS service of HSM. The default value is 443. The value ranges from 1025 to 65535 except 443, wherein 2003-3003, 3306, 6514, 8005, 8080, 8161, 8443, 9000, 9090, 9091, 9092, 61616, and 61617 are preoccupied by the system. The preoccupied port numbers cannot be configured.

4. Click OK.

Notes: After the web port number is modified successfully, the web service will be restarted, and you need to access the web service using the new port number after the restart.

REST API
The system supports the ticket function to allow access from users with non-certified tokens through the API. You can deliver configuration to the HSM system through the API, review the configuration in the form of tickets, and deploy the tickets to the corresponding devices. HSM provides a unified interface for configuring IP forbidden policies, and deploys them to firewall devices to block access from specific IP addresses.
To configure the REST API, take the following steps:

1. Select System > Device Management > Service Config.

2. Select REST API, and enter the REST API page.

3. Configure the following options.

l Ticket (Do not need Token): Click the button to allow users with non-certified tokens to deliver ticket configuration to the HSM system.

l IP Forbidden: Click the button to allow users whose tokens have not expired to deliver the IP Forbidden policy configuration to the HSM system. In the Device that enable IP Forbidden list, you can view the status of managed devices, including disabled, enabling, failed to enable and enabled. Administrators whose tokens have not expired can deliver the configuration through the API to the devices that have enabled the function.

l Click Add Device, and in the Add Device dialog box, select the online device that needs to enable the IP Forbidden function, and then click OK.

l Click Batch Delete to disable the IP Forbidden function on one or more selected devices.

l Click the button to re-enable the IP Forbidden function for the device.

l Click the button to disable the IP Forbidden function for the device.

REST API Token

Administrators whose tokens are within the validity period can deliver configuration to the HSM system through the API. The system supports configuring tokens for administrators, and administrators can operate on their own tokens or on other administrators' tokens.
To configure the REST API Token, take the following steps:

1. Select System > Device Management > Service Config.

2. Select REST API Token, and enter the REST API Token page.

3. Configure the following options.

l Click here above the list to generate the token of the current administrator.

l Click the button or the button in the Operation column to regenerate the token of the current or specified administrator. In the pop-up Generate Token (admin) dialog box, specify the period of validity of the token, including 1 day(s), 7 day(s), 30 day(s), 90 day(s) and custom.

l Click the button or the button in the Operation column to copy the token of the current or specified administrator.

l Click the button or the button in the Operation column to delete the token of the current or specified administrator.

Encryption Protocol
You can configure the encryption protocol used when transmitting data between the HSM system and firewall devices, including FTPS and HTTPS. This configuration is only valid for firewall devices running 5.5R7F6 and above.
To configure the encryption protocol, take the following steps:

1. Select System > Device Management > Service Config.

2. Select Encryption Protocol, and enter the Encryption Protocol page.

3. Configure the following options.

l FTPS: Click the radio button, and data will be transmitted between the HSM system and firewall devices over FTPS. FTPS is enabled by default.

l HTTPS: Click the radio button, and data will be transmitted between the HSM system and firewall devices over HTTPS.

4. Click OK.

Service Status
System supports to configure the service status of SSH and syslog.
To configure the system service status, take the following steps:

1. Select System > Device Management > Service Config.

2. Select Service Status, and enter the Service Status page.

3. Configure the following options.

l SSH Service Status: Click the Enable or Disable button to enable or disable logging in to
HSM via SSH. With the function enabled, you can type the port number into the SSH Port text
box. The default value is 22. The value ranges from 1025 to 65535 except 22, wherein
2003-3003, 3306, 5029, 6379, 6514, 8005, 8080, 8161, 8443, 9000, 9090, 9091, 9092, 9093,
9100, 9101, 9200, 61616, and 61617 are reserved by the system. The reserved port numbers
cannot be configured.

l Syslog Service Status: Click the Enable or Disable button to enable or disable the syslog
function. With the function disabled, the system will no longer receive log data from
managed devices.

4. Click OK.

SNMP
The system supports the SNMP function so that HSM can receive operation requests from the
Network Management System and return the corresponding information about itself. Currently,
the system supports the SNMPv1 and SNMPv2c protocols. Both SNMPv1 and SNMPv2c use
community-based authentication to limit which Network Management Systems can get device
information.
Hillstone Networks provides a private MIB which includes the system information of HSM, such
as serial number, software version, CPU utilization, etc.

Configuring SNMP

To configure the SNMP function, take the following steps:

1. Select System > Device Management > Service Config.

2. Select SNMP to enter the SNMP page.

3. Click the Enable button to enable the SNMP function and configure the following:

l SNMP Version: Indicates that HSM supports the SNMPv1 and SNMPv2c protocols.

l SNMP Port: Indicates that the port number used to provide the SNMP service is 161.

l Community: Specify the community. The HSM information is available only when the SNMP
message includes the specified community.

l Privilege: Indicates that the Network Management System can only read the HSM
information.

4. Click OK.

Resource Management
l Disk Management

l MySQL Memory Management

Disk Management
Disk management refers to the configuration of the disk cleanup threshold in order to manage
the storage space of the system. When the actual storage exceeds the specified threshold, the
system will disable the monitor function and start to clear monitor and log data. You can also
manually clear the log or monitor data as required.

Auto Cleanup

To configure the auto-cleanup of HSM disk, take the following steps:

1. Select System > System Management > Resource Management, click disk management tab.

2. Click the Edit button in the "Auto Cleanup" module, and then enter the threshold in the text
box. The range of this value is 60% to 90%. When the storage exceeds the specified threshold,
the system will disable the monitor function and start to clear monitor and log data. The
system will first clean the monitor data generated more than 8 hours ago. If the actual disk
utilization is still not lower than the specified threshold, the system begins to clean the
log data that has been saved for a long time.
Note: The system keeps log information for at least 1 day.

3. Click OK to save the settings.
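The cleanup order described in step 2 (and the same 8-hour rule that Manual Cleanup applies to monitor data) can be simulated offline to see how much a given threshold actually frees. The following is an added example written for this section, not HSM code: the Record layout, the disk sizes and the function names are constructed assumptions; the 60%-90% threshold range, the 8-hour monitor age and the 1-day log retention are the values stated above.

```python
"""Simulation of the Auto Cleanup policy (added example, not HSM code).

Order of operations as the guide describes it: once utilization exceeds the
threshold (60%-90%), monitoring is disabled, monitor data generated more than
8 hours ago is removed, and only if utilization is still not below the
threshold are logs removed, oldest first, never touching logs younger than
1 day. Record layout, sizes and function names are constructed assumptions.
"""
from dataclasses import dataclass

MONITOR_MAX_AGE_HOURS = 8     # monitor data older than this is cleared first
LOG_MIN_RETENTION_HOURS = 24  # the system keeps log information for at least 1 day


@dataclass
class Record:
    kind: str         # "monitor" or "log"
    age_hours: float  # how long ago the data was generated
    size_gb: float


def utilization(records, capacity_gb):
    """Fraction of the disk used by the given records."""
    return sum(r.size_gb for r in records) / capacity_gb


def auto_cleanup(records, capacity_gb, threshold):
    """Apply the cleanup policy; returns (remaining, monitor_disabled, removed)."""
    if not 0.60 <= threshold <= 0.90:
        raise ValueError("threshold must be between 60% and 90%")
    remaining = list(records)
    removed = []
    if utilization(remaining, capacity_gb) <= threshold:
        return remaining, False, removed        # nothing to do, monitoring stays on

    # Step 1: monitoring is disabled and monitor data older than 8 hours is cleared.
    stale = [r for r in remaining
             if r.kind == "monitor" and r.age_hours > MONITOR_MAX_AGE_HOURS]
    remaining = [r for r in remaining if not any(r is s for s in stale)]
    removed.extend(stale)

    # Step 2: still not below the threshold -> clear the oldest logs, keeping the last 24 hours.
    logs_oldest_first = sorted((r for r in remaining if r.kind == "log"),
                               key=lambda r: r.age_hours, reverse=True)
    for log in logs_oldest_first:
        if utilization(remaining, capacity_gb) < threshold:
            break                               # target reached
        if log.age_hours <= LOG_MIN_RETENTION_HOURS:
            break                               # retention floor: disk stays over threshold
        remaining = [r for r in remaining if r is not log]
        removed.append(log)
    return remaining, True, removed


def used_gb(records):
    """Total size of the records, for reporting."""
    return sum(r.size_gb for r in records)


# Constructed sample: a 100 GB disk at 90% utilization.
SAMPLE = [
    Record("monitor", 2, 5), Record("monitor", 12, 20),
    Record("log", 100, 30), Record("log", 40, 20), Record("log", 5, 15),
]

if __name__ == "__main__":
    remaining, disabled, removed = auto_cleanup(SAMPLE, 100, 0.80)
    print("monitor disabled:", disabled, "used after cleanup:", used_gb(remaining), "GB")
    for r in removed:
        print("removed", r)
```

With the sample above and an 80% threshold only the 12-hour-old monitor data is removed; lowering the threshold to 60% also removes the 100-hour-old log. A disk filled only with logs from the last day stays over the threshold, which is the retention floor the note above describes.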

Manual Cleanup

To configure the manual-cleanup of HSM disk, take the following steps:

1. Select System > System Management > Resource Management, click disk management tab.

2. In the "Auto Cleanup" module, select the data which needs to be cleaned from the Select
cleaning content drop-down list.

l Log: If "Log" is selected, you need to specify the type of log to be cleaned, including
online logs within the specified time and offline logs.

l Monitor: If "Monitor" is selected, the system will clean up the monitor data generated
more than 8 hours ago.

3. Click Manual Cleanup button, and click OK in the dialog. System will begin to clean the
specified log data or monitor data.

MySQL Memory Management


To configure the MySQL Memory Management, take the following steps:

1. Select System > System Management > Resource Management, click the MySQL memory
management tab.

2. In the Disk Management dialog, configure the following options:

l If the current physical memory is less than or equal to 8G, you can select the default
value, 1G or 2G. The default value is 3072M.

l If the current physical memory is greater than 8G and less than or equal to 16G, you can
select the default value, 2G or 3G. The default value is 4068M.

l If the current physical memory is greater than 16G, the MySQL memory cannot be modified.

3. Click OK to save the settings.

Distribute Management
For users who need to manage a large number of devices, one HSM cannot meet their
requirements. To resolve the problem, you can use the distributed management function: when
you configure multiple HSM or HSA devices, you can specify one device as the master device
and the others as slave devices. With this function, you can view information of the slave
devices and their firewalls on the master device, which alleviates the load on a single HSM.
The distributed management includes standalone mode, master mode and slave mode.

l Master Mode: When one HSM device manages multiple HSM and HSA devices, and you can view
information of these slave devices and the firewalls managed by them, the current device is
the master HSM, and the mode is master mode. The master HSM cannot manage firewalls
directly. One master HSM can register up to 16 slave HSM devices and 16 slave HSA devices.

l Slave Mode: When one HSM device is managed by one master HSM, the current device is a
slave HSM, and the mode is slave mode. The slave HSM can manage firewalls directly. The
slave HSM can only be registered with the admin user on the master HSM.

l Standalone Mode: An HSM device in the standalone mode or in the slave mode can manage
the firewalls directly, while the standalone HSM cannot be registered on the master HSM.
The default mode is standalone mode.

Notes: When the master mode switches to the slave mode or standalone mode, the
association relationship between all users and devices under the master mode will be
cleared. When the slave mode or standalone mode switches to the master mode, the
association relationship between all users and devices under the slave mode or standalone
mode will be cleared too.

Switch Modes
To switch modes of the distributed management, take the following steps:

1. Select System > Distribute Management.

2. Select the mode check box that you need in the Distribute Management page.

3. Click OK to complete the switching of distributed management modes and jump to the
main Web interface of the corresponding mode.

Master Mode
When the HSM system is in the master mode, click Device > Distributed Devices to enter the
distributed device list interface. You can view the information of the slave devices, including
status, address, CPU utilization, memory utilization, disk utilization, the number of safe
devices (the total number of firewall devices managed by the slave device) and the number of
logs in the last ten minutes. In addition, you can click the address of a slave device and
jump directly to the main web interface of the corresponding slave device without logging in,
facilitating the unified management of the slave devices.
To add slave HSM devices, take the following steps:

1. Click Device > Distributed Devices to enter the Device List page.

2. Select HSM Device List tab.

3. Click Add Device, and configure parameters in the Add Device dialog.

Option                Description

Name                  Specifies the name of the slave HSM device.

Address               Specifies the IP address or domain name of the slave HSM device.

Port                  Specifies the port number of the slave HSM device to connect to
                      the master HSM. The default number is 443.

Password              Specifies the password to log in to the slave HSM device.

Device Description    Specifies the description of the slave HSM device.

4. Click OK.

To add slave HSA devices, take the following steps:

1. Click Device>Distributed Devices to enter the distributed device list interface.

2. Select HSA Device List tab.

3. Click Add Device, and configure parameters in the Add Device dialog.

Option                Description

Name                  Specifies the name of the slave HSA device.

Address               Specifies the IP address or domain name of the slave HSA device.

Port                  Specifies the port number of the slave HSA device to connect to
                      the master HSM. The default number is 443.

Password              Specifies the password to log in to the slave HSA device.

Device Description    Specifies the description of the slave HSA device.

4. Click OK.

When the HSM system is in the master mode, system supports the following operations on
slave devices:

l Click Edit Device in the toolbar or in the list of the corresponding item. In the pop-up
Edit Device dialog box, you can modify the port number, password and description of the
slave device.

l Click Delete Device in the toolbar or in the list of the corresponding item to delete the
selected slave devices.

l Click Register Device in the toolbar or in the list of the corresponding item to register
the dropped slave devices.

l Select Name or Address in the drop-down list and enter keywords to search for related
slave devices.

Monitor Configuration
To ensure the performance of HSM, HSM does not enable the monitor function for any device by
default. If desired, you can enable the monitor function according to your requirements. After
enabling the monitor function, the HSM performance will be affected. To ensure the adequate per-
formance, it is recommended that the number of monitored devices is less than 500.
To configure the monitor function on HSM, take the following steps:

1. Select System > Device Management > Monitor Configuration .

2. To enable or disable the monitor function on HSM for certain devices, choose devices from
the device list, and then click Monitor Configure . The Monitor Configure dialog appears.

3. In the Email Configuration dialog, configure the following options:

l VPN: Enable or disable the VPN monitor function.

l Traffic: Enable or disable the traffic monitor function.

l Other: Enable or disable the network threat and network behavior monitor function.

l Priority: You can select Low, Middle, and High priority. When the monitor data
exceed system capacity, system will disable the monitor function of low priority
device, so as to ensure the monitor data of higher priority device can be processed.

4. Click OK. A confirmation dialog box pops up.

l Click OK to close the Monitor Configure dialog and save the settings. Wait until the
Update Configure progress bar disappears, then click OK to close the dialog.

If the monitor function is enabled, system performance will be affected. To ensure the normal
operation of the system, it is recommended that no more than 500 managed devices be
monitored. The following functions will be affected after the monitor function is disabled.

Module     Details

Monitor    Statistics of CPU utilization, memory utilization, and total traffic keep
           updating. Other statistics will not update and can only be viewed for a
           particular period.

Alarm      The following alarm rules cannot take effect: VPN Tunnel Interrupt, VPN
           Tunnel Traffic Beyond Threshold, AV Attack Count Beyond Threshold, APP
           Block Count Beyond Threshold, Email Receiving and Sending Times Beyond
           Threshold, URL Category Hit Count Beyond Threshold, Port Traffic Beyond
           Threshold, and all user-defined alarm rules that are based on the above
           alarm rules.

Report     Since statistics of CPU utilization, memory utilization, and total traffic
           keep updating, you can generate the report. Other historical statistics
           will not update, and you can generate a report that contains historical
           statistics for a particular period.

Password Management
The system supports a password strategy, including the minimum length and complexity of the
password. At the same time, the system supports a lock strategy, including the maximum number
of login failures and the lock time applied after the maximum number of login failures is
exceeded.
To configure the lock strategy, take the following steps:

1. Log into HSM. Click System from the Level-1 navigation pane to enter the system page.

2. In the system navigation pane, click System Manage > Password Management.

3. In the Lock Strategy Configuration area, configure the following options:

l Lock When Exceeded: Specify the maximum number of login failures for the same
user. The value range is 1-10 times.

l Lock Time: Specify the lock time after the maximum number of login failures is
exceeded. The value range is 1-440 minutes.

4. Click OK.

To configure the password strategy, take the following steps:

1. Log into HSM. Click System from the Level-1 navigation pane to enter the system page.

2. In the system navigation pane, click System Manage > Password Management.

3. In the Password Strategy Configuration area, configure the following options:

l Minimum Length: Specifies the minimum length of the password. When the password
complexity is not configured, the value range is 4-16; when the password complexity is
configured, the value range is 8-16.

l Password Complexity: Unlimited means no restriction on the selection of password
characters. You can select Password Complexity Settings to enable password complexity
checking and configure the password complexity:

l Minimum Capital Letter Settings: The default value is 2 and the range is 0 to 16.

l Minimum lowercase Letter Settings: The default value is 2 and the range is 0 to 16.

l Minimum Number Length: The default value is 2 and the range is 0 to 16.

l Minimum Special Character Length: The default value is 2 and the range is 0 to 16.

l Validity Period: The unit is day. The range is 0 to 365. The default value is 0, which
indicates that there is no restriction on the validity period of the password.

4. Click OK.
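The lock strategy and the password strategy above are easy to misjudge by reading the ranges alone, so here they are as checks that can be run offline against candidate settings and passwords. This is an added example written for this section, not HSM code: the PasswordPolicy and LoginLock names are hypothetical, the value ranges are the ones listed above, and which characters count as "special" is an assumption, since the guide does not define it.

```python
"""Password strategy and lock strategy checks (added example, not HSM code).

Value ranges follow the guide: minimum length 4-16 (8-16 with complexity),
each complexity counter 0-16, validity 0-365 days, 1-10 login failures,
lock time 1-440 minutes. Class/function names and the special-character
set are assumptions.
"""
from dataclasses import dataclass
import string

SPECIAL_CHARS = set(string.punctuation)  # assumption: ASCII punctuation counts as "special"


@dataclass(frozen=True)
class PasswordPolicy:
    minimum_length: int = 8
    complexity: bool = True          # Password Complexity Settings enabled
    min_upper: int = 2               # Minimum Capital Letter Settings
    min_lower: int = 2               # Minimum lowercase Letter Settings
    min_digits: int = 2              # Minimum Number Length
    min_special: int = 2             # Minimum Special Character Length
    validity_days: int = 0           # 0 means the password never expires

    def __post_init__(self):
        low = 8 if self.complexity else 4
        if not low <= self.minimum_length <= 16:
            raise ValueError(f"minimum length must be {low}-16")
        for n in (self.min_upper, self.min_lower, self.min_digits, self.min_special):
            if not 0 <= n <= 16:
                raise ValueError("complexity counters must be 0-16")
        if not 0 <= self.validity_days <= 365:
            raise ValueError("validity period must be 0-365 days")


def check_password(policy: PasswordPolicy, password: str) -> list:
    """Return the list of violated rules; an empty list means the password is accepted."""
    problems = []
    if len(password) < policy.minimum_length:
        problems.append(f"shorter than {policy.minimum_length} characters")
    if policy.complexity:
        counts = {
            "uppercase": sum(c.isupper() for c in password),
            "lowercase": sum(c.islower() for c in password),
            "digit": sum(c.isdigit() for c in password),
            "special": sum(c in SPECIAL_CHARS for c in password),
        }
        needs = {"uppercase": policy.min_upper, "lowercase": policy.min_lower,
                 "digit": policy.min_digits, "special": policy.min_special}
        for name, need in needs.items():
            if counts[name] < need:
                problems.append(f"fewer than {need} {name} characters")
    return problems


def password_expired(policy: PasswordPolicy, age_days: int) -> bool:
    """Validity Period 0 disables expiry; otherwise the password expires after that many days."""
    return policy.validity_days != 0 and age_days > policy.validity_days


class LoginLock:
    """Lock Strategy: lock a user for lock_minutes after max_failures consecutive failures."""

    def __init__(self, max_failures: int = 5, lock_minutes: int = 30):
        if not 1 <= max_failures <= 10:
            raise ValueError("Lock When Exceeded must be 1-10")
        if not 1 <= lock_minutes <= 440:
            raise ValueError("Lock Time must be 1-440 minutes")
        self.max_failures = max_failures
        self.lock_seconds = lock_minutes * 60
        self._failures = {}      # user -> consecutive failure count
        self._locked_until = {}  # user -> epoch seconds when the lock expires

    def attempt(self, user: str, credentials_ok: bool, now: float) -> str:
        """Record one login attempt at time `now`; returns "ok", "failed" or "locked"."""
        if now < self._locked_until.get(user, 0):
            return "locked"                     # attempts during the lock are rejected outright
        if credentials_ok:
            self._failures.pop(user, None)
            self._locked_until.pop(user, None)
            return "ok"
        count = self._failures.get(user, 0) + 1
        if count >= self.max_failures:          # threshold reached: start the lock, reset the counter
            self._failures.pop(user, None)
            self._locked_until[user] = now + self.lock_seconds
            return "locked"
        self._failures[user] = count
        return "failed"
```

Note that with the defaults a password such as "password" fails three complexity counters at once while satisfying the length rule, and that a correct password presented while the lock is active is still rejected until the lock time has elapsed, which is the behaviour the lock strategy is meant to enforce.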

HSM System Status Monitor


The status monitor function monitors the CPU utilization, memory utilization, hardware
resource information and disk utilization of HSM, giving users a good understanding of the
system status. By configuring the threshold for each monitored object, HSM can generate an
alarm when the status of an object keeps exceeding the threshold within the specified period
(1 minute by default). You can then take measures to deal with the alarms.

Viewing Status
System provides the following statistics of the monitored objects: the trend within a specified
time cycle, the current status, and other detailed information.
To view the status, select System > Device Management > Status Monitor.

l The line chart shows the trend of the monitored objects. Based on the specified time cycle,
HSM will take samples accordingly and display the trend in the chart. By default, HSM
displays the trend within the latest 1 hour.

l The right chart displays the current status of the monitored objects. HSM will refresh the data
in every 5 minutes.

l View detail: Click the View link of each monitored object to view the detailed information.
You can view the column charts of the top 5 processes that occupy the CPU resources and
the memory resources individually, and the pie charts of all objects that occupy the disk. The
following chart displays the top 5 processes that occupy the memory resources.

HSM supports the predefined time cycle and the custom time cycle. Click Latest 1 Hour on the
top right corner to set the time cycle.

l Predefined time cycle: Click Latest 1 Hour and then select a predefined one.

l Latest 1 Hour: Displays the statistics of each monitored object within the latest 1 hour.
HSM will take samples every minute.

l Latest 1 Day: Displays the statistics of each monitored object within the latest 1 day.
HSM will take samples every 10 minutes.

l Latest 1 Week: Displays the statistics of each monitored object within the latest 1
week. HSM will take samples every hour.

l Latest 1 Month: Displays the statistics of each monitored object within the latest 1
month. HSM will take samples every 6 hours.

l Custom time cycle: Click Latest 1 Hour and then select Custom. The Select Time dialog
appears. You can select the start time and the end time according to your requirements.

l If the custom time cycle is within 6 hours, HSM takes samples every minute.

l If the custom time cycle exceeds 6 hours and is less than 1 week, HSM takes samples
every 10 minutes.

l If the custom time cycle exceeds 1 week and is less than 6 months, HSM takes samples
every 6 hours.

l If the custom time cycle exceeds 6 months and is less than 1 year, HSM takes samples
every 24 hours.

Setting Threshold
If the utilization of the monitored objects keeps exceeding the threshold within the specified
period (1 minute by default), HSM will generate the alarm.
To set the threshold for monitored objects, take the following steps:

1. Select System > Device Management > Status Monitor.

2. Click Set Threshold. The Set Threshold dialog appears.

3. Set the threshold for each object using one of the methods:

l Drag the slider. The exact value will update in the text box.

l Enter the value. The slider will move to the exact location.

4. Click OK to save the configuration settings and return to the System Status Monitor dialog.
The red line representing the threshold moves to the correct location.

For more information about configuring alarm rules, refer to Configuring the Alarm Rule.
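The alarm condition above ("keeps exceeding the threshold within the specified period") is stricter than a single sample crossing the line, and that distinction matters when tuning thresholds. The following added example, written for this section and not HSM code, evaluates that condition over a series of samples taken once per minute, as in the Latest 1 Hour view; the sample values and the function names are constructed assumptions.

```python
"""Threshold alarm evaluation for status monitor samples (added example, not HSM code).

A monitored object is sampled at a fixed interval (every minute in the Latest
1 Hour view). An alarm is raised only when the value stays above the threshold
for the whole alarm period (1 minute by default); a single high sample
between normal ones does not alarm. Sample data and names are constructed.
"""


def sustained_alarms(samples, threshold, period_seconds=60):
    """Return the timestamps at which an alarm fires.

    samples: list of (timestamp_seconds, value) in ascending time order.
    A run of consecutive samples above the threshold raises one alarm, at the
    first sample where the run has lasted at least period_seconds; the same run
    does not alarm again until the value drops to or below the threshold.
    """
    alarms = []
    run_start = None   # timestamp where the current over-threshold run began
    alarmed = False    # whether the current run has already raised its alarm
    for ts, value in samples:
        if value > threshold:
            if run_start is None:
                run_start = ts
                alarmed = False
            if not alarmed and ts - run_start >= period_seconds:
                alarms.append(ts)
                alarmed = True
        else:
            run_start = None   # the run is broken; the next excursion starts fresh
    return alarms


def current_status(samples):
    """Latest sampled value, as shown in the current-status panel."""
    return samples[-1][1] if samples else None


# Constructed CPU utilization samples, one per minute (timestamp in seconds, percent).
CPU_SAMPLES = [(0, 50), (60, 85), (120, 92), (180, 70), (240, 95),
               (300, 96), (360, 97), (420, 40), (480, 99), (540, 99)]

if __name__ == "__main__":
    print("alarms at 90%, 1-minute period:", sustained_alarms(CPU_SAMPLES, 90))
    print("alarms at 90%, 2-minute period:", sustained_alarms(CPU_SAMPLES, 90, 120))
    print("current CPU:", current_status(CPU_SAMPLES))
```

With a 90% threshold the lone 92% sample at 120 s does not alarm, the 95-97% run alarms once at 300 s, and the 99% run alarms again at 540 s; lengthening the period to two minutes leaves only the first run long enough to alarm.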

Insufficient System Resources


When vHSM starts, it checks whether the hardware resources of the host server are lower than
the recommended hardware configuration for the maximum number of its managed devices. When
the actual hardware configuration is lower than the recommended hardware configuration, the
system will pop up a warning and prompt the risk on the login page.

l View Upgrade Instructions: Jump to the online help page to view the upgrade guide. For spe-
cific steps, please refer to the disk expansion part of the corresponding platform for vHSM
deployment.

According to the maximum number of managed devices, the recommended hardware configuration
is as follows:

Maximum Number of     Recommended Hardware Configuration
Managed Devices

25                    System is configured as follows by default.
                      l Memory: 16G
                      l CPU Thread: 4
                      l Disk IO: 15M/s
                      l Disk Capacity: 250G

100                   l Memory: 16G
                      l CPU Thread: 8
                      l Disk IO: 30M/s
                      l Disk Capacity: 2T

500                   l Memory: 32G
                      l CPU Thread: 16
                      l Disk IO: 30M/s
                      l Disk Capacity: 4T

1000                  l Memory: 64G
                      l CPU Thread: 24
                      l Disk IO: 30M/s
                      l Disk Capacity: 8T

HSM System Configuration Management


As a centralized security management system in the network, HSM must guarantee its own
stability. For this purpose, HSM supports the following management of its own system
configuration file:

l Backup: Back up the system configuration file.

l Restore: Restore the system configuration file.

l Export: Export the system configuration file to the local disk.

l Deletion: Delete the backed-up system configuration file.

With these facilities, HSM can quickly resume after accidental breakdown.

Back up a System Configuration File
To back up the system configuration file, take the following steps:

1. Select System > Device Management > Configuration Management.

2. Click Backup. The Backup dialog appears.

3. Specify the name of the backup file. By default, the file is named as backup_date_time, for
example, backup_201311171035.

4. If desired, specify the description for this backup file.

5. Click OK. HSM starts to back up the system configuration file.

After backing up the file, HSM lists this file in the list of the HSM System Configuration Man-
agement dialog. You can view the detailed information, including the file name, the size, the
backup time, the operated user, and the description.

Export a System Configuration File


To export the system configuration file from HSM to the local disk, take the following steps:

1. Select System > Device Management > Configuration Management.

2. Select a file to be exported.

3. Click Export. The Save As dialog appears.

4. Select a location and click OK to save the file.

Restore a System Configuration File


After HSM resumes from a breakdown, or changes or upgrades to a new hardware platform, you
can restore the system configuration file. Considering the compatibility, it is strongly recom-
mended to restore the configuration file to HSM that has the same version.
To restore HSM system configurations to a file saved in HSM, take the following steps:

1. Select a backup file from the file list.

2. Click the triangle ( ) next to the Restore button. Then select Selected File. The Restoring
window pops up. HSM starts to analyze the file.

3. After analyzing the file, HSM starts to restore the file.

4. After restoring the file, HSM restarts.

To restore HSM system configurations to a local-saved file, take the following steps.

1. With the HSM System Configuration Management dialog active, click the triangle ( ) next
to the Restore button. Then select Local File. The Restoring window pops up.

2. Click the magnifying glass ( ) to locate the local file and then open it.

l When restoring a file backed up by the current HSM itself, the historical data of Mon-
itor, Log, and Alarm in HSM will remain the same.

l When restoring a file that is not backed up by the current HSM, the historical data of
Monitor, Log, and Alarm in HSM will be cleared.

3. Click Upload. The file is uploaded to HSM.

4. After uploading the file, HSM analyzes the file and then starts to restore the file.

5. After restoring the file, HSM restarts.

Delete a System Configuration File


To delete a system configuration file, take the following steps:

1. Select the files to be deleted.

2. Click Delete. The Delete dialog appears.

3. Click OK to delete the selected files.

HA Management
HA, the abbreviation for High Availability, provides a fail-over solution for communication
line or device failure to ensure smooth communication and effectively improve the reliability
of the network. To implement the HA function on two HSM devices, they must use the identical
hardware platform and firmware version, and have the same device license installed whose
service is within the validity period. When one HSM device is not available or cannot handle
requests from the client properly, the requests will be promptly directed to the other device
that works normally, thus ensuring uninterrupted network communication and greatly improving
the reliability of communications.
To configure the HA management in the HSM system, take the following steps:

1. Select System > Device Management > HA Management.

2. Configure the parameters in the HA Management page.

The parameters of HA management are explained as follows.

Option                       Description

Current Role                 Displays the current device's role. When the HA link is not
                             built, the name of the role is standalone. When the HA link
                             has been built, the current name is the name of the specified
                             management device's role.

Role                         Specifies the role of the management device. When the role is
                             Master, the configurations can be issued. When the role is
                             Slave, the configurations can only be viewed. When the role is
                             Standalone, the page will display Disable HA and the system
                             will disable the HA function.

HA Control link interface    Specifies the name of the HA control link interface. The
                             control link can synchronize all data of the two devices.

Local IP                     Specifies the IP address and netmask of the HA control link
                             interface.

Peer IP                      Specifies the peer IP address of the HA control link interface.

Virtual IP                   Specifies the virtual IP address of the HA management device.

Hello interval               Specifies the Hello interval value. The Hello interval is the
                             interval at which the HA device sends heartbeats (Hello
                             packets) to the other devices in the HA group. The Hello
                             interval in the same HA group must be identical.

Preempt                      Specifies whether the device enables the preemption mode. Only
                             the master device can be configured in the preemption mode
                             currently. If the preemption mode is enabled, the master
                             device will preempt to be master again when it recovers from
                             a breakdown. The preemption mode is disabled by default.

Track Object                 The system uses the track object to monitor the working status
                             of the device. Once the device cannot work normally, the
                             system will take corresponding measures immediately. ping:
                             type a legal IP address or domain name. If the typed IP
                             address or domain can be connected, it indicates that the
                             device is running normally. If not, the master and backup
                             device will switch.

Monitor/Log Synchronization  Select the Enable check box. The system will synchronize
                             monitoring and log data.

Manual Synchronization       Click Synchronize, and the Manual Synchronization dialog will
                             pop up.
                             l Select Use data in peer device to cover data in local
                             device. The Submit prompt box will pop up and display "Data in
                             local device will be reset, whether to continue?" Click OK.
                             When the synchronization completes, the local data will be
                             covered.
                             l Select Use data in local device to cover data in peer
                             device. The Submit prompt box will pop up and display "Data in
                             peer device will be reset, whether to continue?" Click OK.
                             When the synchronization completes, the peer data will be
                             covered.

HA Alarm                     Select the Enable check box. When the status of the interface
                             changes, the device will alarm.

Database Synchronize Status  Displays the synchronization status of the current database.
                             The statuses include Normal, Synchronizing and Failed to
                             synchronize.

File Synchronize Status      Displays the synchronization status of the current file. The
                             statuses include Normal, Synchronizing and Failed to
                             synchronize.

HA HeartBeat Status          Displays the HeartBeat status of the current HA. The statuses
                             include Normal and Failed.

3. Click OK, and the HA Creating dialog will pop up. You can view the process of HA cre-
ating in the dialog.

The parameters are explained as follows.

Option                            Description

Interface modification            You can view the result of modifying the HA connection
                                  interface in the system.

Wait for configuration of the     You can view the result of the peer configuration and
peer and connecting to the peer   the connection between the local device and the peer
                                  device in the system. You need to configure the peer
                                  parameters before the HA is built or while the HA is
                                  being built. You also need to make sure HSM has
                                  connected with the peer device. Otherwise, it cannot be
                                  connected successfully.

HA Establish Condition Checking   You can view the result of checking whether the
                                  condition for establishing HA is met in the system.

HA Environment Build              You can view the result of building the HA environment
                                  in the system.

Master/Slave Device Data          You can view the result of synchronizing data of the
Synchronization                   master and slave device in the system. If Monitor/Log
                                  Synchronization is enabled, the device will synchronize
                                  all data. Otherwise the device will synchronize all data
                                  except Monitor/Log data.

HA Build Successfully             You can view whether HA is built successfully.

4. Click Done to complete the HA building.

HSM System Upgrade


HSM supports system upgrade, rollback and restoring to the factory defaults.

System Upgrade
To upgrade HSM system, take the following steps:

1. Select System > Upgrade .

2. In the Upgrade page, click Browse to select an HSM system file.

3. Click Upload.

4. Complete the upgrade procedure as prompted.

Rollback
To roll back to the previous version, take the following steps:

1. Select System > Upgrade .

2. In the Upgrade page, click Rollback, and then click OK under the tag.

Restoring to Factory Defaults


To restore to the factory defaults, take the following steps:

1. Select System > Upgrade.

2. In the Upgrade page, click Factory Defaults, and then click OK under the tag.

Upgrading Signature Database for HSM


To upgrade IPS signature database, application signature database, Anti-Virus signature database
or URL database for HSM:

Notes:
l When HSM manages the HA function of the managed devices, it supports the upgrade of the
signature databases of the managed devices. If the signature databases of the master device
and slave device are upgraded to different versions, the signature database of the master
device will be synchronized to that of the slave device.

l The system supports upgrading the application signature database of the managed devices
of the following firewall devices only: SG-6000 E-Series, SG-6000 T-Series, SG-6000
X-Series, and SG-6000 X-Series (excluding SG-6000-K2680 and SG-6000-K9180).

1. Select System > Upgrade and then click the target signature upgrade tab.

2. In the pop-up Library Upgrade dialog box, configure as follows.

Option            Description

Current Version   Shows the current version number of the signature database.

SN                Shows the product serial number of HSM.

Magic             Shows the Magic code of HSM. The Magic code is an encrypted string
                  generated according to the SN of HSM, which is required when you
                  download the latest signature file from a default update server.

Remote Upgrade    Configure remote online upgrade for the signature database.
                  l Upgrade Now: Click Upgrade Online to upgrade the signature database
                  right now.
                  l Auto Upgrade: Select Enable Auto Update and specify the auto upgrade
                  time. Click Save to save your changes. This function is enabled by
                  default.
                  l Configure Update Server: The system updates the signature database
                  every day automatically by default. HSM provides three default update
                  servers: update1.hillstonenet.com, update2.hillstonenet.com and the
                  HSM device. You can customize the servers according to your need.
                  Click Update Server Configuration, then in the pop-up Update Server
                  dialog, specify the server IP or domain name.
                  l Configure Update Proxy Server: When the device needs to access the
                  Internet through a proxy server to update the signature database
                  online, you need to specify the proxy server first. Select Enable The
                  Agent, and select proxy servers from the drop-down list for the main
                  proxy server and the backup proxy server. Click OK to save the
                  configuration. For information on creating a new proxy server, refer
                  to System > Proxy Server.
                  Note: The system upgrades the signature database online over HTTPS by
                  default. If you choose to upgrade the signature database through a
                  proxy server which does not support the HTTPS protocol, the online
                  upgrade for the signature database will fail.

Local Upgrade     Click and select the IPS signature file, application signature file,
                  Anti-Virus signature file or URL database file on your local PC, and
                  then click Upload.
                  Note: To get the latest signature file, enter update1.hillstonenet.com
                  or update2.hillstonenet.com in the browser's address bar, then click
                  the target signature upgrade link in the upper-left corner of the
                  page. Copy the SN number and Magic code displayed in HSM, then paste
                  them into the SN and Magic text fields respectively. Fill in the
                  engine version, platform or current version in accordance with the
                  instructions, then click Download to download the latest signature
                  file (e.g. ips.sig).

License
The system supports the following types of licenses:

  • Official license: Controls the maximum number of devices HSM can manage. It is time-restricted: within the validity period, vHSM supports system upgrades; after it expires, vHSM can still manage the specified number of devices, but cannot be upgraded to a higher version. If more than 15 devices need to be managed, contact a sales person to purchase an official license.

  • Time limit license: Controls the service time of HSM. After expiration, Hillstone will not provide any upgrade or maintenance service for the HSM. If multiple time limit licenses are installed, the service will expire on the latest expiration date among the licenses.

  • Professional license: Provides the ticket management function.

  • Professional trial license: The system cannot provide the ticket management function after the license expires.

  • SDWAN license: Provides the ZTP (Zero Touch Provisioning) function, including adding ZTP devices, adding VPN networks, VPN map monitoring, etc. After expiration, you cannot add ZTP devices, manage licenses or configure VPN networks; existing services are not affected. The number of devices supported by the SD-WAN base license must be greater than the maximum number of devices that can be managed by the HSM system for the license to take effect.

  • SDWAN trial license: The system cannot provide the SD-WAN management function after the license expires.

To expand the maximum number of devices HSM can manage or to extend the service time, take the following steps:

1. Apply for a license, i.e., generate a string for the license application, and send it to Hillstone.

2. Hillstone will generate a license file based on the string and send it to the applicant.

3. Install the license file on HSM.

Viewing License Information

To view the license information of HSM, select System > License > Register. In the License List tab, view the license information, including customer name, type, license information and SN. Click Apply License to apply for a license in the Apply for License tab.

Applying for a License

To apply for a license, take the following steps:

1. Select System > License > Register.

2. In the Apply for License tab, fill in the contents of the License Application section.

3. Click Apply.

4. Click Copy, paste the string into your email and send it to Hillstone.

Installing a License
To install a license, take the following steps:

1. Select System > License > Register.

2. In the Install License tab, click Browse to select a license file.

3. Click Upload.

SMS Gateway
The system supports SMS authentication when administrators log in to HSM. SMS authentication is a kind of two-factor authentication. When you log in to HSM via the WebUI, you need to enter the received SMS verification code after entering the correct username and password.

Configuring SMS Gateway
The system supports the ALIYUN service provider for SMS authentication. ALIYUN SMS is the SMS service platform of Alibaba Cloud. To configure the ALIYUN SMS gateway, take the following steps:

1. Select System > SMS Gateway.

2. Click Edit to configure the corresponding parameters.

On the SMS Gateway page, configure the following options:

AccessKeyId: Specify the AccessKeyId, which is used as the username for authentication between the device and the SMS gateway of Alibaba Cloud. This parameter must be the same as the template AccessKeyId applied for in the SMS service of Alibaba Cloud.

AccessKeySecret: Specify the AccessKeySecret, which is used as the password for authentication between the device and the SMS gateway of Alibaba Cloud. This parameter must be the same as the template AccessKeySecret applied for in the SMS service of Alibaba Cloud.

SMS Signature: Specify the SMS signature applied for from the Alibaba Cloud platform, which will be displayed in the text message.

User Authentication SMS Template Code: Copy the template in the grey text box and use it to apply for a template code on the Alibaba Cloud platform. After it is verified by the Alibaba Cloud platform, you will get a template code. Enter the template code in the text box.

Verification Code Length: Specify the length of the SMS verification code. The value range is 4 to 6. The default value is 4.

Verification Code Effective Time: Specify the effective time of the SMS verification code. If you do not enter the received SMS verification code to log in within the effective time, you need to obtain it again. The value range is 1 to 10 minutes. The default value is 5 minutes.

Test Phone Number: This function is used to test whether Alibaba Cloud can send messages successfully. Specify a phone number in the text box, and then click Test. If it succeeds, the phone with the specified number will receive a text message.
  Tips: You need to configure the correct DNS before testing.

3. Click OK to save your settings.

Configuring an Email Account
You can configure the email server to send reports or alarms by email.
To configure the email account in HSM, take the following steps:

1. Select System > Email.

2. In the Email Configuration dialog, configure the following options:

  • Mail Server: Specify the IP address of the mail server.

  • Username: Specify the username of the email account.

  • Password: Specify the password of the email account.

  • Email Address: Specify the email address of the email account.

  • Testing Recipient: Specify the recipient used to test the email account. Click Test to test whether email can be sent from the email account successfully.

3. Click OK to save the settings.

Proxy Server
When a managed device cannot directly access the Internet to upgrade its signature databases, it needs to access the Internet through an HTTP proxy server. You can add a proxy server on the Proxy Server page to update signature databases online.

Creating a Proxy Server

To create a proxy server, take the following steps:

1. Click System > Proxy Server to enter the Proxy Server page.

2. Click New; the Add new network setting dialog pops up.

  • Name: Specify the name of the proxy server. The value range is 1 to 31 characters.

  • IP: Specify the IP address or domain name of the proxy server. A domain name can be 1 to 64 characters.

  • Port: Specify the port number of the proxy server. The value range is 1024 to 65535.

  • Username: Specify the username for the proxy server.

  • Password: Specify the corresponding password.

  • Link Test: Click Link test and the system will verify the connection with the proxy server. If the system can connect to the proxy server, it will prompt Test successful.

3. Click OK.

You can also perform other operations:

  • Select proxy servers and click the edit icon to modify the configuration in the Modify network settings dialog.

  • Click the delete icon to delete the specified proxy servers.

SMS Modem Configuration

SMS alarm means that alarm information is sent to the designated administrator via an SMS modem.
An external GSM modem device is required for sending SMS messages. First, prepare a mobile phone SIM card and a GSM SMS modem. Insert the SIM card into the modem and then connect the modem and HSM using a USB cable.
The following two models of SMS modem are recommended:

Model                    Type   Chip      Interface
Huatengtongyu GSM MODEM  GSM    WAVECOM   USB Interface
Jindi GSM MODEM          GSM    WAVECOM   USB Interface

SMS Modem Baud Rate

You can view the communication baud rate of the SMS modem on the SMS Modem Configuration page.

SMS Modem Signal Intensity
You can view the communication signal intensity of the SMS modem on the SMS Modem Configuration page. Only when the signal intensity is between 16 and 31 can the alarm message be sent normally. If the signal intensity is under 15, the alarm message may fail to be sent.

SMS Modem Status

The system shows the modem connection status: sms modem is online, sms modem is offline, or no sim in sms modem.

Configuring SMS Parameters

You can define the maximum number of SMS messages in one hour or in one day. If the messages exceed the maximum number, the system will not let the modem send messages, but it will keep a log of this behavior.

Maximum sending number per hour: Defines the maximum number of messages the modem can send in one hour. The value ranges from 1 to 1000.

Maximum sending number per day: Defines the maximum number of messages the modem can send in one day. The value ranges from 1 to 1000.
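The per-hour and per-day quota described above, as an added Python example (not HSM's own code): a sliding-window counter that suppresses messages once either limit is reached and records a log entry for each suppressed message instead of dropping it silently. The log line format and the phone number are constructed for illustration.

```python
"""Sliding-window SMS quota modelled on the HSM "maximum sending number per
hour / per day" parameters.  Added example, not HSM's own implementation."""
from collections import deque
from datetime import datetime, timedelta


class SmsQuota:
    HOUR = timedelta(hours=1)
    DAY = timedelta(days=1)

    def __init__(self, max_per_hour: int, max_per_day: int):
        # Both limits range from 1 to 1000 in the HSM configuration.
        for value in (max_per_hour, max_per_day):
            if not 1 <= value <= 1000:
                raise ValueError("limits must be between 1 and 1000")
        self.max_per_hour = max_per_hour
        self.max_per_day = max_per_day
        self._sent = deque()   # timestamps of messages actually handed to the modem
        self.log = []          # audit log of suppressed messages (constructed format)

    def _prune(self, now: datetime) -> None:
        # Drop timestamps older than one day; nothing older can count any more.
        while self._sent and now - self._sent[0] >= self.DAY:
            self._sent.popleft()

    def try_send(self, now: datetime, number: str) -> bool:
        """Return True if the modem may send this message, False if suppressed."""
        self._prune(now)
        # At most 1000 entries survive pruning, so a linear scan is fine here.
        in_hour = sum(1 for t in self._sent if now - t < self.HOUR)
        in_day = len(self._sent)
        reason = None
        if in_hour >= self.max_per_hour:
            reason = f"hourly limit {self.max_per_hour} reached"
        elif in_day >= self.max_per_day:
            reason = f"daily limit {self.max_per_day} reached"
        if reason:
            # The guide says HSM logs the suppression; an operator reviewing this
            # log can see that alarms were missed during the quota window.
            self.log.append(f"{now.isoformat()} SMS to {number} not sent: {reason}")
            return False
        self._sent.append(now)
        return True


if __name__ == "__main__":
    quota = SmsQuota(max_per_hour=2, max_per_day=3)
    start = datetime(2022, 12, 7, 10, 0)          # constructed timestamp
    for minutes in (0, 1, 2, 61, 120):
        ok = quota.try_send(start + timedelta(minutes=minutes), "+15550100")
        print(f"+{minutes:4d} min: {'sent' if ok else 'suppressed'}")
    print("\n".join(quota.log))
```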

Testing SMS
To test whether message sending works, you can send a test text to a mobile phone.
To send a text message to a specified mobile number:

1. Select System > SMS Modem Configuration.

2. Enter a mobile phone number in the text box.

3. Click Send.
If the SMS modem is correctly configured and connected, the phone with that number will receive a text message.

Notes: vHSM does not support SMS alarm.

Log
The HSM system supports backing up, importing, cleaning, filtering and forwarding logs. Before backing up or importing logs, you need to configure the FTP server settings.

  • FTP Server Configuration: Specify an FTP server for storing the backed-up logs or the logs to be imported.

  • Log Import: Import logs from the FTP server to HSM.

  • Log Backup: Back up logs and store them on the FTP server.

  • Log Clean: Clear the offline logs or the running logs within the specified period.

  • Log Forwarding: Forward logs to the FTP server or a third-party syslog server.

  • Log Filtering: Configure the filter conditions; the system will receive only the managed devices' logs that meet the conditions.

FTP Server Configuration

Configuring the FTP server settings is the prerequisite for backing up and importing logs. To configure the settings, take the following steps:

1. Select System > Log > FTP/SFTP Configuration.

2. Click New. The New FTP Server Configuration dialog appears.

3. In the Basic tab, configure the following options:

  • Type: Specify the type of server, FTP or SFTP.

  • Config Name: Specify the FTP server name. You can also enter another name to mark this entry. You can enter at most 20 characters.

  • Address/Port: Specify the IP address and the corresponding port of the FTP server.

  • User name: Specify the user name that has access rights to the FTP server.

  • Password: Specify the password for the user.

  • Path: Specify the path of the directory on the FTP server for storing logs. Use "/" as the separator.

4. In the Advanced tab, configure the following options:

  • Work Type: Specify the working mode of the server as active or passive.

    ◦ active: The FTP server initiates a request to HSM.

    ◦ passive: The FTP server passively receives the request initiated by HSM.

  • Server Type: Specify the operating system of the FTP server as Auto-detection, Unix or Windows.

  • Encoding: Specify the character encoding of the FTP server as UTF-8, GBK or ISO-8859-1.

  • Timeout: Specify the timeout value of data transmission for the FTP server, after which the system will transfer again. If a file fails to be transferred more than 10 times, the system will no longer upload the file. The value range is 1 to 30 seconds. The default value is 5 seconds.

5. After configuring the settings, click Detection to verify the connection between HSM and the FTP server. After the test succeeds, click OK to save this entry and return to the FTP Configuration dialog. The entry is displayed in the FTP server list. You can also click OK directly instead of clicking Detection; HSM will then save the entry to the FTP Configuration dialog without verifying the connection. Click the Detection link in the Detect column to verify the connection later.

If you want to edit the FTP server settings, select an entry from the FTP server list and then click Edit in the toolbar. To delete unwanted FTP servers, select the entries from the list and then click Delete in the toolbar.

Log Import
The HSM system supports importing and viewing logs. To import logs, take the following steps:

1. Select System > Log > Log Import.

2. Configure the following options:

  • FTP Server: From the drop-down list, select the FTP server where you store the log files. The corresponding FTP server settings are then displayed. You can click Detection to verify the connection between HSM and the FTP server. If you want to modify the FTP server settings, click FTP Config.

  • Choose File: From the drop-down list, select the log files. You can select folders and/or files. HSM supports the following file types: ZIP, TXT and CSV.

  • Log Type: From the drop-down list, select the type of logs you want to import. More than one log type can be selected.

  • Time Set: You can customize the time of the logs.

3. Click Import to start the import task. The task progress will be displayed in the task list. For more information, see Task.

Log Backup
HSM supports backing up logs. You can back up logs manually or automatically.

  • Imported logs cannot be backed up again by HSM.

  • Backed-up logs can be imported into HSM for viewing.

Manual Backup

To back up logs manually, take the following steps:

1. Select System > Log > Log Backup.

2. Click the Manual Backup tab and configure the following options:

  • Log Type: From the drop-down list, select the log types to be backed up.

  • Start Time: Specify the start time of the logs.

  • End Time: Specify the end time of the logs.

  • FTP Server: From the drop-down list, select the FTP server where the log files will be stored. The corresponding FTP server settings are then displayed. You can click Detection to verify the connection between HSM and the FTP server. If you want to modify the FTP server settings, click FTP Config.

3. Click Backup to start the backup task. The task progress will be displayed in the task list. For more information, see Task.

Auto Backup

To back up logs automatically, take the following steps:

1. Select System > Log > Log Backup.

2. Click the Auto Backup tab and configure the following options:

  • Enable Auto Backup: Select the check box to enable the automatic log backup function.

  • Interval: Specify the periodical backup cycle: Every Day, Every Week or Every Month.

  • Time: Specify the customized time for backing up logs automatically.

  • Backup Relative Time: From the drop-down list, select the number of days to be backed up. Logs of the specified days will be exported, 90 days at most.

  • FTP Server: From the drop-down list, select the FTP server where the log files will be stored. The corresponding FTP server settings are then displayed. You can click Detection to verify the connection between HSM and the FTP server. If you want to modify the FTP server settings, click FTP Config.

  • Delete data after backup: Select the check box to delete the logs of the specified days after they are backed up.

3. Click OK to start the backup task. The task progress will be displayed in the task list. For more information, see Task.

Log Clean
You can clean the offline/online/system logs stored in the system. Logs that have been cleaned cannot be recovered. For more information about cleaning online or offline logs manually, refer to Manual Cleanup.
To clean system logs manually, take the following steps:

1. Select Log > Operation Log > System Log.

  • Click the Delete button in the upper left corner of the list to clean the selected system logs.

  • Click the Clear All Operation Log button in the lower left corner of the page to clean all the system logs displayed for the current administrator.

2. Click OK in the pop-up dialog and the system will begin to clean.

Log Forwarding
HSM supports forwarding logs. You can forward the logs to the specified FTP/SFTP server or a third-party syslog server automatically.

Forwarding to FTP Server

To forward logs to the FTP server, take the following steps:

1. Select System > Log > Log Forwarding.

2. Click the FTP Server tab and configure the following options:

  • Enable Auto Forwarding: Select the check box to enable the automatic log forwarding function.

  • Name: Specify a name for the forwarded file (compressed as a .zip file) in the text box. The custom file name '%Y%m%d%H%M_%T_%3i' consists of 'date and time + log type + file number', in which each placeholder means the following:

    ◦ %Y: year;

    ◦ %m: month;

    ◦ %d: day;

    ◦ %H: hour;

    ◦ %M: minute;

    ◦ %T: log type;

    ◦ %3i: file number; its length can be set between 1 and 9, e.g. %3i means 001, 002, 003, etc.

  • Forwarding Limit: Specify the limit for forwarding logs: "No Limit", "By Size" or "By Count".

    ◦ No Limit: Different types of logs are stored in their corresponding folders;

    ◦ By Size: Specify the size of a single file. The value range is 50 to 500 MB;

    ◦ By Count: Specify the number of logs in a single file. The value range is 10 to 1000K.

  • Forwarding Interval: From the drop-down list, select the forwarding time interval, 10 minutes or 60 minutes. If no forwarding limit is selected or the specified forwarding limit is not reached, the system forwards the logs according to the forwarding interval.

  • FTP/SFTP Server: Select the FTP server that will store the forwarded log files from the drop-down list; the corresponding FTP server settings are then displayed. You can click Detect to verify the connection between HSM and the FTP server, or click FTP Setting if you want to modify the FTP server settings.

3. Click OK to start the forwarding task. The task progress will be displayed in the task list. For more information, see Task.
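The file name template described above, as an added Python example that is not part of the guide or of HSM's own code: an expander for the %Y%m%d%H%M_%T_%3i placeholders, plus a splitter that applies the By Count forwarding limit and numbers the resulting files. The .zip suffix and the rejection of placeholders the guide does not define are assumptions; the sample log lines are constructed.

```python
"""Expand the HSM log-forwarding file name template and split one forwarding
batch by the "By Count" limit.  Added example, not HSM's own implementation."""
import re
from datetime import datetime

# Placeholders the guide documents.  %Ni is the file number padded to N
# digits, where N is a single digit from 1 to 9.
PLACEHOLDER = re.compile(r"%(?:[YmdHMT]|([1-9])i)")

DEFAULT_TEMPLATE = "%Y%m%d%H%M_%T_%3i"


def expand_name(template: str, when: datetime, log_type: str, file_no: int) -> str:
    """Return the forwarded file name for one file.

    Assumption: the forwarded archive carries a .zip suffix that is not part
    of the template itself.
    """
    def _fill(match) -> str:
        width = match.group(1)
        if width:                               # %1i .. %9i
            return str(file_no).zfill(int(width))
        return {
            "%Y": f"{when.year:04d}",
            "%m": f"{when.month:02d}",
            "%d": f"{when.day:02d}",
            "%H": f"{when.hour:02d}",
            "%M": f"{when.minute:02d}",
            "%T": log_type,
        }[match.group(0)]

    # Reject anything the guide does not define (e.g. %S, %0i) so a typo in
    # the template fails loudly instead of producing misleading file names.
    if "%" in PLACEHOLDER.sub("", template):
        raise ValueError(f"unsupported placeholder in template: {template!r}")
    return PLACEHOLDER.sub(_fill, template) + ".zip"


def split_by_count(template: str, when: datetime, log_type: str,
                   logs: list, limit: int) -> list:
    """Apply the "By Count" limit: at most `limit` logs per forwarded file.

    Returns a list of (file_name, logs_in_file) tuples numbered from 1, so
    with %3i the files are 001, 002, 003, ... as the guide describes.
    """
    if not 10 <= limit <= 1_000_000:            # guide: 10 to 1000K
        raise ValueError("By Count limit must be between 10 and 1000K logs")
    files = []
    for idx, start in enumerate(range(0, len(logs), limit), start=1):
        chunk = logs[start:start + limit]
        files.append((expand_name(template, when, log_type, idx), chunk))
    return files


if __name__ == "__main__":
    # Constructed sample: 25 traffic log lines collected in one interval.
    sample = [f"traffic log line {n}" for n in range(1, 26)]
    stamp = datetime(2022, 12, 7, 9, 5)
    for name, chunk in split_by_count(DEFAULT_TEMPLATE, stamp, "traffic", sample, 10):
        print(f"{name}: {len(chunk)} logs")
```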

Forwarding to Third Party Syslog Server

To forward logs to a third-party syslog server, take the following steps:

1. Select System > Log > Log Forwarding.

2. Click the Third Party Syslog Server tab and configure the following options:

  • Enable Third Party Syslog Server: If the check box is selected, the system will forward logs to the specified third-party syslog server automatically as soon as it receives new logs.

  • IP Address: Specify the IP address of the third-party syslog server.

  • Port: Specify the port of the third-party syslog server.

3. Click OK to start the forwarding task.

4. After the third-party syslog server receives the logs forwarded by the system, you can obtain the IDs of the devices that sent logs to the system. If you want to look up the corresponding name and SN of the source devices, log in to the system and click System > Log > Log Forwarding > Third Party Syslog Server. In the Log Source List area, select Device ID from the drop-down list after the search box, and enter the obtained device ID to search for the device name and SN. On this page, you can also search for the device information by Device Name or SN, as well as download the list of source devices in Excel format.

Log Filtering
The system supports configuring log filtering conditions, including "firewall", "log type" and "log level". The system will receive only the logs that meet the filtering conditions. To configure log filtering conditions, take the following steps:

1. Select System > Log > Log Filtering.

2. Click the Firewall, Log Type or Log Level tab to enter the corresponding page, and select the log filtering conditions as needed.

Notes:
  • If the HSM system starts for the first time, or the system has not received any session log in the last three months after upgrading, the system will not select "session log" by default.

  • If the system has received session logs in the last three months after upgrading, the system will select "session log" by default.

3. Click OK to save the settings.

Diagnose Tools
While HSM is managing devices, the diagnose tools help you test network availability and diagnose system errors quickly. You can choose the tools according to your requirements.
To use the HSM diagnose tools, take the following steps:

1. Select System > Diagnose Tools > Test tools.

2. Choose the tools according to your requirements and configure the following options:

  • DNS Query: Specify the DNS domain name. The legitimacy of the domain name is checked, and then the domain's IP address and any fault messages are displayed. If the DNS server is not configured, a dialog pops up to prompt you.

  • Ping: Specify the DNS domain name or IP address, click Test, and the results of ping are displayed.

  • Traceroute: Specify the DNS domain name or IP address, click Test, and the results of traceroute are displayed.

3. Click Test, and the results are displayed in the text box below.

Device Management
This chapter describes the device management operations:

  • Device Management: Introduction to the operational processes for device management.

  • Device Upgrade: HSM supports device upgrade functionality.

  • Device Configuration File Management: The configuration file management function in HSM facilitates the management of configuration files located on different Hillstone Networks devices and the management of the configuration files' change history.

  • User Management: HSM supports managing the user information on the firewall devices.

  • Device Inspection: HSM supports inspecting the device running status, license and signature database, as well as generating an inspection report.

  • Device Management Configuration Example: Describes a typical deployment scenario and some configuration examples to help you understand adding devices and retrieving configuration files.

Device Management
HSM supports the management of devices.

Device Management Window Introduction

Click Device > Device Management to enter the device management page.

Device Navigation Pane

The device navigation pane allows you to navigate to the managed devices. Select a node from the pane to display the corresponding device information in the main window. For example, if you select a device group, all devices in the group are displayed in the main window; if you select a device, information about that device is displayed in the main window. Click the filter icon in the top-right corner of the device list to filter IPS, WAF, NGFW, BDS, IDS or ADC devices. Enter keywords into the Name or IP or SN text box to search for a device quickly. Select the Favourite Only check box to display only the favourite devices.

Information Bar

The functions of the information bar are described below:

All Devices: Shows the statistics of the managed devices.

Include Devices in Sub-groups: Select the check box to display all the devices in the selected group and all the devices in the sub-groups of the selected group; clear the check box to display only the devices in the selected group.

Toolbar
The function buttons of the toolbar are described below:

Delete Device: Click the button to delete the device(s) selected in the main window.

Manual refresh: Specify the refreshing mode. Select Manual refresh from the drop-down list and click Manual refresh to refresh the page immediately; select a refreshing period from the drop-down list to refresh the page at the specified interval.

Main Window

Managed devices and the main information about them are displayed in the main window. Click a device or device group in the device navigation pane to show the corresponding information in the main window. You can customize the columns displayed in the list from the Column drop-down list. The columns of the list are described below:

Name: Shows the name of the managed device. The icon before a device name indicates the device type: NGFW, NIPS, WAF, BDS, NIDS or ADC.

Status: Shows the status of the connection between the managed device and HSM:

  • Online: The device has been registered successfully and is properly managed by HSM.

  • Registering: The device is being registered to HSM.

  • Offline: The device has been registered successfully but is not running or connected. After the device is running or the connection works, the device will automatically register itself to HSM. You can also register the device manually.

  • Error: The device fails to register in HSM. Hover over the icon to view the error message.

Host Name: Shows the host name of the managed device.

New Sessions: Shows the newly created sessions of the managed device.

Concurrent Sessions: Shows the concurrent sessions of the managed device.

Configuration Modified Time: Shows the last modified time of the configuration of the managed device.

Address: Shows the IP address of the managed device.

SN: Shows the SN of the managed device.

HA Cluster ID: Shows the cluster ID of the managed device. "--" indicates that the managed device is standalone.

StoneOS: Shows the StoneOS version running on the managed device.

System Uptime: Shows the system uptime of the managed device.

Unread Warnings: Shows the number of unread warnings related to the managed device.

CPU: Shows the average CPU utilization of the managed device over the latest 5 seconds.

Memory: Shows the current memory utilization of the managed device.

Traffic (bps): Shows the current traffic of the managed device.

Packet Forwarding Rate: Shows the packet forwarding rate of the managed device.

Session: Shows the sessions of the managed device. In the Session Query dialog, you can filter by source address, source port, destination address, destination port and protocol to view the information.

License: Shows the license of the managed device. In the License List dialog, you can view the customer, type, valid time and other information of the license.

Platform: Shows the platform of the managed device.

Description: Shows other information about the managed device.

Reboot log: Shows the reboot log of the managed device. In the Log dialog, you can filter by operation result and time and then view the information.

  • Operation Result: You can select All, Waiting, Success or Failure from the Operation Result drop-down list below.

  • Time: You can select All, Last 1 hour, Last 1 day, Last 1 week, Last 1 month or Custom from the Time drop-down list below. Click Custom and the Time dialog appears. You can specify the period and then select Period specified below, Before time specified below or After time specified below.

This section describes the device management operations:

  • Creating a Device Group

  • Adding a Device to a Device Group

  • Deleting a Device from a Device Group

  • Editing a Device Group

  • Deleting a Device Group

  • Favorite Device

  • Viewing Device Details

  • Session Query

  • Deleting a Device from HSM

  • Online Reboot

  • HA management for the managed devices

ZTP Configuration
Zero Touch Provisioning (ZTP) allows newly delivered or unconfigured devices to automatically load version files after they start. If a large number of devices are sparsely distributed across a network, configuring these devices manually results in poor deployment efficiency. HSM supports configuring a basic configuration bundle and VPN network for firewall devices, and obtaining and loading version files from a USB flash drive or file server, allowing the administrator to configure and deploy devices without physically being on site. In this way, ZTP reduces labor costs and increases device deployment efficiency.
To add a single ZTP device, take the following steps:

1. Select Device > Device Management to enter the Device Management page.

2. Click the triangle icon next to the Add Device button and select Add Single Device from the drop-down menu. The Add Single Device dialog pops up.

3. In the dialog, select Whether ZTP configuration is supported, and configure the following options:

  • Device Name: Specify the device name to be displayed in HSM.

  • SN: Specify the SN of the device.

  • Platform: Select the platform of the device from the drop-down list.

  • Initial Version: Select the initial version of the device from the drop-down list.

  • VPN Net: Select the VPN network of the device from the drop-down list. For more information about configuring a VPN network, refer to VPN Network.

  • Correlate Configuration Package: Select the configuration bundle of the device from the drop-down list. For more information about configuring a bundle, refer to Configuration Bundle.

  • Relate Business: Select the business of the device from the drop-down list. For more information about configuring a related business, refer to SD-WAN Business Deployment.

  • Geographic Location: Specify the geographic location of the device by selecting the province, city, district and county where the device is located from the drop-down lists.

  • WAN:

    ◦ WAN Interface Name: Select the name of the WAN interface from the drop-down list.

    ◦ Port: Select the port of the WAN interface from the drop-down list.

    ◦ Operator: Select the operator to which the device belongs from the drop-down list: China Telecom, China Unicom, China Mobile or Other.

    ◦ Internet Access: Specify the Internet access of the device: Static IP, PPPoE, 3G/4G or DHCP.

      ▪ When selecting Static IP, you need to specify the IP address, netmask and default gateway.

      ▪ When selecting PPPoE, you need to specify the user name, password and confirm password.

      ▪ When selecting 3G/4G, you need to specify the access point, user name, password, confirm password and dialer number.

  • Device Group: Specify a device group for this device.

4. Click OK to add and register this device to HSM.

To add multiple devices of ZTP, take the following steps:

1. Select Device > Device Management, and enter the Device Management page.

2. Click the triangle icon ( ) next to the Add Device button and select Add Multiple

Devices from the drop-down menu. The Add Multiple Devices dialog pops up.

3. Click Download Device Info File Template. The Save As dialog appears.

4. Select the location and save the template deviceinfo.xls.

Device Management 150


5. Open the template, select ZTP Information-static IP, ZTP Information-DHCP, ZTP
Information-PPPoE or ZTP Infor、mation-4G tab, and configure the following options:

• Device Name: Specify the device name to be displayed in HSM.

• SN: Specify the SN of the device.

• Device Platform: Select the platform of the device from the drop-down list.

• Device Version: Select the initial version of the device from the drop-down list.

• Device Group: Specify a device group for this device.

• Province: Specify the province where the device is located from the drop-down list.

• City: Specify the city where the device is located from the drop-down list.

• County: Specify the district/county where the device is located from the drop-down list.

• WAN: Select the name of the WAN interface from the drop-down list.

• Interface: Select the port of the WAN interface from the drop-down list.

• Service Provider: Select the operator of the WAN link from the drop-down list: China Telecom, China Unicom, China Mobile or Other.

• Association Network Name: Specify the VPN network of the device.

• Association Configuration Package Name: Specify the configuration bundle of the device.

• Association Business Name List: Specify the business of the device.

• On the Static IP tab, you also need to specify the IP address, netmask and default gateway.

• On the PPPoE tab, you also need to specify the user name, password and confirm password.

• On the 4G tab, you also need to specify the access point, user name, password, confirm password and dialer number.

6. Save the changes and close the template.

7. In the Add Multiple Devices dialog, click Browse. The Open dialog appears.

8. Locate the modified template and click OK. HSM starts to load the template.

9. After loading the template, click Upload. HSM reads the template and adds the devices in it to HSM. Registration is all-or-nothing: if any device in the template fails to register, none of the devices in the template is registered. To view the error information, hover over the exclamation mark in the Status column.

Editing ZTP Configuration


HSM supports editing the VPN network and configuration package of a ZTP device, and the configuration package of several devices can be edited at the same time.
To edit the ZTP configuration, take the following steps:

1. Select Device > Device Management, and enter the Device Management page.

2. Select the device to edit in the list, click Edit ZTP Configuration on the toolbar, and select Correlate VPN or Correlate Configuration Package from the drop-down list.

3. In the Correlate VPN dialog or Correlate Configuration Package dialog, specify the VPN net-
work or configuration package.

4. Click OK.



Importing the Preconfiguration
The ZTP configuration file generated by HSM contains the factory pre-configuration file. You can import the factory pre-configuration file of a specific model into HSM as needed.
To import the pre-configuration file, take the following steps:

1. Select Device > Device Management, and enter the Device Management page.

2. Click Preconfiguration on the toolbar. The Preconfiguration dialog appears.

3. In the Network Configuration area, specify the public network address that is mapped to HSM, so that devices can register to HSM over the public network: enter the public IP address or domain name, the registration port, the FTP port and the syslog port, and click Save.

4. In the Preconfiguration area, type the name and description for the platform, click Upload, and select the configuration file to upload.

5. In the Preconfiguration list, you can view, download and delete the pre-configuration files.



Creating a Device Group
A device group is a logical managing unit for the devices. You can add related devices into one
device group. One device can be added to different device groups.
To create a device group, take the following steps:

1. Move the cursor to the All Devices area of the device navigation pane, right-click and select
Create Device Group. The Device Group Configuration dialog pops up.

2. Type the device group name in the Name text box. If necessary, give a description to the device group in the Description text box.

3. In the selection box under the Description text box, select the parent device group. The newly created device group becomes a subgroup of the selected group.

4. Click OK to save the changes and close the dialog.

The newly created device group is displayed in the device navigation pane. You can move the device group by dragging and dropping it.

Adding a Device to a Device Group


Two methods are supported to add a device to a device group:

• Drag and drop: In the device navigation pane, select the device to be added and drag it onto the device group (the target device group turns red; release the mouse after the color changes). Alternatively, select the device in the device table and drag it onto the device group in the device navigation pane.

• Cut and paste: You can add multiple devices to a device group at once. The steps are listed below.

To add devices to a device group by cutting and pasting, take the following steps:

1. Select the devices to be added from the device table (check the corresponding check boxes).

2. Right-click and select Cut Device.

3. Select the device group from the device navigation pane.

4. Move the mouse back to the device table area, right-click and select Paste Device.

Auto Group
The system can group devices automatically by geographic location or by VPN network. When a device is added or edited without a device group, it is placed in a group according to the configured auto group type. A device that has no geographic location or VPN network is placed in the ungrouped group. By default, the auto group function is disabled.
To configure auto group, take the following steps:

1. Click Auto Group in the device navigation pane, and click Edit in the Auto Group dialog.

2. Select Group by Geographic Location or Group by VPN Net from the Group by drop-down list.

3. Click Save.

Notes: If a device belongs to two different VPN networks at the same time, it is placed only in the group of the star network.

Backing Up / Restoring Device Groups

The system can back up the current device and device group view so that the previous grouping can be restored when needed.

• Click Archive to save the current device grouping. A new archive overwrites the previous backup.

• Click Preview to view the details of the backed-up device grouping.

• Click Restore to restore the backed-up device grouping.

Notes: A device added after the backup was taken is placed in the ungrouped device group when the backup is restored; a device deleted after the backup was taken is removed from its device group when the backup is restored.



Deleting a Device from a Device Group
Two methods are supported to delete a device from a device group:

• Drag and drop: In the device navigation pane, select the device to be deleted, and drag it out of the device group.

• Cut and paste: You can delete multiple devices from a device group at once. The steps are listed below.

To delete devices from a device group by cutting and pasting, take the following steps:

1. Select the device group from the device navigation pane, and the device table shows all the
devices in the selected device group.

2. Select the devices to be deleted from the device table (check the corresponding check
boxes).

3. Right-click and select Cut Device.

4. Select another device group from the device navigation pane.

5. Move the mouse back to the device table area, right-click and select Paste Device.

Editing a Device Group


To edit a device group, take the following steps:

1. Select the device group to be edited from the device navigation pane.

2. Right-click and select Edit Device Group.

3. Edit on the Device Group Configuration dialog.

4. Click OK to save the changes and close the dialog.



Deleting a Device Group
To delete a device group, take the following steps:

1. Select the device group to be deleted from the device navigation pane.

2. Right-click and select Delete Device.

3. Click Yes on the Information dialog.

Favorite Device
You can mark important devices as favorites to make them easier to find and manage.

Select a device and click the favorite button on the toolbar to add it to the favorites.
Click the Filters icon to the right of All Devices and select the Favorite Only check box to display only the favorite devices.
To remove a device from the favorites, click Remove From Favorite.

Viewing Device Details


The device detail page displays the details of a device, including basic information, interface information, alarm information, resource information, traffic information and threat information.
To view the details, select the device in the device table. The following figure shows the device detail page.



Options of the device detail page are described below:

Device Information

• SN: Shows the serial number of the managed device.

• Name: Shows the host name of the managed device.

• Platform: Shows the platform of the managed device.

• System Time: Shows the system time of the managed device.

• StoneOS: Shows the version of the firmware running on the device. Click Upgrade to upgrade the device. For more information about device upgrade, see Device Upgrade.

• Running File: Shows the name of the running firmware file.

• AV Signature: Shows the version of the anti-virus signature database on the managed device.

• IPS Signature: Shows the version of the IPS signature database on the managed device.

• URL DB: Shows the version of the URL database on the managed device.

• APP Signature: Shows the version of the application signature database on the managed device.

Interface Information

The device front panel illustration shows the status and information of each interface. An interface icon has one of two statuses: connected normally, or not connected / connection failed. Move the mouse over an interface icon to pop up the interface information. This function requires StoneOS 4.5R4 or later on the managed device.

• Unread Warnings: Shows the unread warnings of the managed device.

• CPU Utilization: Shows the CPU utilization over the last 10 minutes.

• Memory Utilization: Shows the memory utilization over the last 10 minutes.

• Traffic Trend: Shows the traffic trend over the last 10 minutes.

Session Query
You can search the current sessions of a managed device by specifying search criteria.
To query sessions, take the following steps:

1. Select the device whose sessions you want to query from the device table, and click View in the Session column to enter the session query page.

2. Enter values in one or more of the text fields in the pop-up dialog box, and click Search.

• Source Addr: Specify the source IP address (IPv4 or IPv6).

• Src Port: Specify the source port.

• Destination Addr: Specify the destination IP address (IPv4 or IPv6).

• Dst Port: Specify the destination port.

• Protocol: Specify the transport-layer protocol.

The search results are displayed in the session list. If you click Search without entering any value, all current sessions are displayed.



Deleting a Device from HSM
To delete a device from HSM, take the following steps:

1. Select the device to be deleted from the device table, and click the Delete Device button
above the device table; or select the device to be deleted from the device navigation pane,
right-click and then select Delete Device.

2. Click Yes on the Information dialog. The device is moved to the recycle bin.

3. Click the Recycle Bin label from the device navigation pane, and the device table shows all
the devices in the recycle bin. Select the device to be deleted, and click the Delete Device
button above the device table again.

4. Click Yes on the Warning dialog. Now the device is permanently deleted from HSM.

Online Reboot
The managed devices can be restarted immediately or restarted on schedule through HSM.

Immediate Reboot

To restart the managed devices immediately, take the following steps:

1. Select Device > Device Management.

2. Select the devices to be restarted from the device list, and then click the Reboot Imme-
diately button at the upper right corner of the toolbar, or click the small triangle to the right
of the button and select Reboot Immediately.

3. Click OK in the pop-up dialog.

The devices restart immediately, and the icon in the Status column changes to the rebooting state. When the reboot succeeds, the icon changes back to the normal status.



Reboot on Schedule

You can configure a scheduled reboot task so that one or more managed devices can be restarted
according to the time set in the task.
To configure a scheduled reboot task, take the following steps:

1. Select Device > Device Management.

2. Click the small triangle to the right of the Reboot Immediately button at the upper right
corner of the toolbar and select Reboot Schedule Configuration in the menu.

3. Click New in the Timing Task dialog.

4. Configure the parameters in the pop-up dialog.


• Task Name: Specifies the name of the scheduled reboot task, 1 to 31 characters.

• Select Device: Select the devices to be restarted on schedule. You can click the filter icon at the upper right corner to filter by device type.

• Set Reboot Time: Specifies when the devices reboot, either as an absolute time (the task runs once) or as a periodic time. A periodic task can restart the devices at a specific time every day, on a certain day of the week, or on a certain day of the month. To restart the devices on the last day of each month, select the last day in Every Month.

5. Click OK. The newly created task is displayed in the task list.
The newly created task is enabled by default. Check the task and click Disable on the toolbar to disable it. Click Edit or Delete on the toolbar to edit or delete the selected task. Click the Log link of a task in the Log column to view the logs generated by the task. You can also view a device's reboot log by clicking the icon in the Reboot Log column on the Device Management page.

Once an absolute-time reboot task has been executed, its status becomes invalid. An invalid task can still be disabled, and it becomes enabled again when its reboot time is edited to a valid future time.
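The schedule rules above (a one-off absolute time, daily, weekly, monthly, and "last day of each month") are easy to get wrong at month end, and a reboot fired on the wrong night takes a production firewall down. The following Python script is an added example, not HSM code and not part of this guide: it models those schedule kinds, computes the next run time including the leap-year and short-month cases, and reports an executed absolute-time task as invalid the way the task list does. The RebootSchedule dataclass, the LAST_DAY marker and the function names are assumptions of the example; HSM exposes these settings only through the dialog described above.

```python
"""Next-run calculation for HSM scheduled reboot tasks (added example, not HSM code).

The schedule kinds follow the Reboot Schedule Configuration dialog described
above: an absolute time (runs once, then the task is invalid) or a periodic
time (daily, on a weekday, or on a day of the month, with "last day" as a
special value). The dataclass, the LAST_DAY marker and the function names
are this script's own assumptions.
"""
import calendar
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Dict, Optional, Union

LAST_DAY = "last"  # stands for "select the last day in Every Month"


@dataclass(frozen=True)
class RebootSchedule:
    kind: str                          # "absolute", "daily", "weekly" or "monthly"
    at: time                           # time of day at which the reboot starts
    when: Optional[datetime] = None    # absolute: the single run time
    weekday: Optional[int] = None      # weekly: 0 = Monday ... 6 = Sunday
    day: Union[int, str, None] = None  # monthly: 1..31 or LAST_DAY


def _day_in_month(year: int, month: int, day: Union[int, str]) -> Optional[int]:
    """Resolve the configured day for a month; None if the month is too short (e.g. 31 in April)."""
    last = calendar.monthrange(year, month)[1]
    if day == LAST_DAY:
        return last
    return day if 1 <= day <= last else None


def next_run(s: RebootSchedule, now: datetime) -> Optional[datetime]:
    """Return the next reboot time strictly after `now`, or None if the task can never fire again."""
    if s.kind == "absolute":
        return s.when if s.when > now else None
    if s.kind == "daily":
        cand = datetime.combine(now.date(), s.at)
        return cand if cand > now else cand + timedelta(days=1)
    if s.kind == "weekly":
        ahead = (s.weekday - now.weekday()) % 7
        cand = datetime.combine(now.date() + timedelta(days=ahead), s.at)
        return cand if cand > now else cand + timedelta(weeks=1)
    if s.kind == "monthly":
        year, month = now.year, now.month
        # A fixed day such as 31 is skipped in short months; 13 months is enough
        # to find one where the day exists and the time is still ahead of `now`.
        for _ in range(13):
            day = _day_in_month(year, month, s.day)
            if day is not None:
                cand = datetime.combine(date(year, month, day), s.at)
                if cand > now:
                    return cand
            year, month = (year + 1, 1) if month == 12 else (year, month + 1)
        return None
    raise ValueError(f"unknown schedule kind {s.kind!r}")


def task_status(s: RebootSchedule, now: datetime) -> str:
    """Mirror the task list: an absolute task whose time has passed shows as invalid."""
    return "enabled" if next_run(s, now) is not None else "invalid"


def example_runs() -> Dict[str, Optional[str]]:
    """Constructed cases around the month-end edge; returns ISO strings for easy comparison."""
    at = time(2, 0)
    cases = {
        "last_day_leap_feb": next_run(RebootSchedule("monthly", at, day=LAST_DAY), datetime(2024, 2, 10, 3, 0)),
        "last_day_after_run": next_run(RebootSchedule("monthly", at, day=LAST_DAY), datetime(2024, 2, 29, 2, 30)),
        "day31_skips_april": next_run(RebootSchedule("monthly", at, day=31), datetime(2024, 4, 1)),
        "weekly_sunday": next_run(RebootSchedule("weekly", at, weekday=6), datetime(2024, 5, 1, 3, 0)),
        "daily_missed_today": next_run(RebootSchedule("daily", at), datetime(2024, 5, 1, 3, 0)),
        "absolute_past": task_status(RebootSchedule("absolute", at, when=datetime(2024, 1, 1, 2, 0)), datetime(2024, 2, 10, 3, 0)),
    }
    return {k: v.isoformat(sep=" ") if isinstance(v, datetime) else v for k, v in cases.items()}


if __name__ == "__main__":
    for name, result in example_runs().items():
        print(f"{name:20s} {result}")  # e.g. last_day_leap_feb -> 2024-02-29 02:00:00
```

The monthly branch is the one worth reading: a task set to day 31 simply does not fire in April, which matches why the dialog offers "last day" as a distinct choice rather than relying on day 31.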



Setting Restart Parameter

You can set the restart parameter to decide whether the configuration of the managed device is saved before it restarts. This feature applies only to NGFW devices running StoneOS 5.5R4P1 or later.
To set the restart parameter, take the following steps:

1. Select Device > Device Management.

2. Click the small triangle to the right of the Reboot Immediately button at the upper right corner of the toolbar and select Restart Param in the menu.

3. Select the Save configuration before restart or Do not save configuration before restart radio button in the Restart Param dialog.
By default, Save configuration before restart is selected. If you select Do not save configuration before restart, a prompt appears when you reboot a device immediately, warning you that the unsaved configuration will be lost after the reboot. You can click the Modify Restart Parameter link to open the Restart Param page and change the parameter.

HA Management for the Managed Devices


HSM supports HA management of managed devices in Active-Passive, Active-Active and Active-Peer modes. When HSM manages the HA function of the managed devices, you can view, configure and share the information of the master device in the HA cluster; for the slave device, you can only view its configuration information on HSM.
After configuring the Active-Peer mode, you need to create a virtual interface on the master device. Once the virtual interface has been synchronized to the slave device, the HA cluster can be registered on HSM. For more information about the HA function of the managed devices, refer to the StoneOS CLI User Guide.



SD-WAN Start
SD-WAN Start enables multiple firewall devices to be configured automatically. It is especially suitable for deployments in which a large number of managed devices are spread across a network, and it significantly improves deployment efficiency. In HSM you configure VPN networks, configuration bundles, SD-WAN businesses and ZTP configuration templates for the SD-WAN devices (the spoke devices), and HSM generates the configuration files from them. After being powered on, a firewall device obtains and loads its configuration file from a USB flash drive, which completes the deployment and registers the device to HSM.
Zero Touch Provisioning (ZTP) allows newly delivered or unconfigured devices to load their configuration files automatically after they start.

Adding an SD-WAN Device


To add an SD-WAN device, take the following steps:

1. Select Device > SD-WAN Start, and enter the SD-WAN Start page.

2. Click Add Device, or click the triangle icon next to the Add Device button on the toolbar and select Add Single Device from the drop-down list.

In the Add Single SD-WAN Device dialog box, configure the following options.



• Device Name: Specify the device name to be displayed in HSM.

• SN: Specify the SN of the device.

• Platform: Select the platform of the device from the drop-down list.

• Initial Version: Select the initial version of the device from the drop-down list.

• VPN Net: Select the star network to which you want to add the device from the drop-down list. To create a star network, see VPN Network.

• Correlate Configuration Package: Select the configuration bundle of the device from the drop-down list. To create a bundle, see Configuration Bundle.

• Relate Business: Select the business to be deployed to the device from the drop-down list. To create a business, see SD-WAN Business Deployment.

• Relate ZTP Template: Select the ZTP configuration template to be referenced by the device. To create a template, see ZTP Configuration Templates.

• Geographic Location: Specify the geographic location of the device by selecting the province, city, and district/county where the device is located from the drop-down lists.

• Interface Configuration:

  ◦ WAN Interface: Specify the WAN interfaces of the device. You can add up to two WAN interfaces. When the device is configured with two WAN interfaces and the star network has two HUB devices, two tunnel links are established, one from each WAN interface to its respective HUB device. On the WAN Interface tab, click New, and configure the following options in the pop-up WAN Interface Configuration dialog box:

    ▪ Name: Select the name of the WAN interface from the drop-down list.

    ▪ Port: Select the port of the WAN interface from the drop-down list. Physical interfaces and redundant interfaces are available.

    ▪ Operator: Select the operator of the WAN link from the drop-down list: China Telecom, China Unicom, China Mobile or Other.

    ▪ Priority: Specify the priority of the WAN interface: Regardless, High, Medium or Low. When the device joins the VPN network for the first time, the WAN interface priority is used as the priority of the destination route of the link that corresponds to the WAN interface.
      Note: If both the WAN interface priority and the SD-WAN business priority are configured, the business priority prevails; for details, see SD-WAN Business Deployment > Creating a Business > Configuration Example 1. Selecting Regardless for one interface and High for the other means that the two link routes have the same priority; for details, see SD-WAN Business Deployment > Creating a Business > Configuration Example 2.

    ▪ Internet Access: Specify the Internet access method of the device: Static IP, PPPoE, 3G/4G or DHCP. For Static IP, specify the IP address, netmask and default gateway. For PPPoE, specify the user name, password and confirm password. For 3G/4G, specify the access point, user name, password, confirm password and dialer number.

  ◦ LAN Interface: Specify the LAN interfaces of the device. You can add up to two LAN interfaces. On the LAN Interface tab, click New, and configure the following options in the pop-up LAN Interface Configuration dialog box:

    ▪ Name: Select the name of the LAN interface from the drop-down list.

    ▪ IP Address: Specify the IP address of the LAN interface.

    ▪ NetMask: Specify the netmask of the LAN interface.

    ▪ Port: Select the port of the LAN interface from the drop-down list.

    ▪ DHCP: Select the check box to enable the DHCP server on the interface, and type the start and end IP of the address pool into the Address Pool Start IP and Address Pool End IP text boxes.

• Device Group: Select a device group for the device; the device is added to the selected device group.

3. Click OK.

4. Select the device whose SD-WAN start configuration is complete, click Export ZTP Configuration on the toolbar to save the configuration file "ZTP_Configs.zip" locally, and copy the file to a USB flash drive for the firewall device to load. The exported file carries the interface credentials (for example the PPPoE or WLAN password) and the controller connection parameters, so handle the file and the USB flash drive as sensitive material.



To add multiple SD-WAN devices in batch, take the following steps:

1. Select Device > SD-WAN Start, and enter the SD-WAN Start page.

2. Click the triangle icon next to the Add Device button on the toolbar, and select Add Mul-
tiple Device from the drop-down list. The Add Multiple Device dialog box will pop up.

3. Click Download Device Info File Template to download and save the template. The default
template name is "ztpdeviceinfo.xls".

4. Open the template, select the ZTP Information, ZTP Information - static IP, ZTP Information - DHCP, ZTP Information - PPPoE, ZTP Information - 4G or ZTP Information - LAN tab as applicable, and configure the following options:

• Device Name: Specify the device name to be displayed in HSM. You can enter up to 32 characters.

• SN: Specify the SN of the device.

• Device Platform: Select the platform of the device from the drop-down list.

• Device Version: Select the initial version of the device from the drop-down list.

• Device Group: Select a device group for the device; the device is added to the selected device group. You can enter up to 64 characters.

• Province: Specify the province where the device is located from the drop-down list.

• City: Specify the city where the device is located from the drop-down list.

• County: Specify the district/county where the device is located from the drop-down list.

• Association Network Name: Specify the VPN network to which you want to add the device.

• Association Configuration Package Name: Specify the configuration bundle of the device.

• Association Business Name List: Specify the business to be deployed to the device.

• Association ZTP Global Config Template Name: Specify the ZTP configuration template to be deployed to the device.

• On the ZTP Information - Static IP tab, specify the SN, WAN, interface, service provider, preference, IP address, netmask and default gateway.

• On the ZTP Information - DHCP tab, specify the SN, WAN, interface, service provider and preference.

• On the ZTP Information - PPPoE tab, specify the SN, WAN, interface, service provider, preference, username and password.

• On the ZTP Information - 4G tab, specify the SN, WAN, interface, service provider, preference, 4G access point, username, password and 4G dial string.

• On the ZTP Information - LAN tab, specify the SN, LAN, interface, IP address, netmask, whether DHCP is enabled, address pool start IP and address pool end IP.

5. Save the changes and close the template.

6. In the Add Multiple Device dialog box, click Browse, and the Open dialog box will pop up.

7. Locate the modified template and click OK. HSM starts to load the template.

8. After loading is complete, click Upload. HSM reads the template and adds the devices in it to HSM. Registration is all-or-nothing: if any device in the template fails to register, none of the devices in the template is registered. To view the error information, hover over the exclamation mark in the Status column.
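Because HSM registers a batch template all-or-nothing (both for the Device Management template described earlier and for the SD-WAN Start template here), it pays to check every row before uploading instead of fixing one rejected row per attempt. The following Python script is an added example, not Hillstone code or part of this guide: it applies the constraints stated above (device name up to 32 characters, device group up to 64, the required fields of the static IP, DHCP, PPPoE, 4G and LAN tabs) to the rows of a template and reports all problems at once, plus a few sanity checks the guide does not mention (gateway inside the WAN subnet, address pool inside the LAN subnet, duplicate SNs). The column names, the dict-per-row representation and the sample rows are the example's own assumptions; the real template is an .xls workbook, so copy its rows into this shape or read it with a spreadsheet library before running the check.

```python
"""Pre-upload validation for an HSM batch device-info template.

Added example, not Hillstone code. HSM rejects the whole template if one
device fails to register, so rows are checked before upload. The real
template is an .xls workbook with one tab per access type; here a device is
a dict whose keys are this script's assumed column names. Limits (name up
to 32 characters, group up to 64, required fields per tab) follow the guide;
the subnet and address-pool checks are extra sanity checks.
"""
import ipaddress
from typing import Dict, List

REQUIRED_BY_ACCESS = {
    "static": ("ip_address", "netmask", "default_gateway"),
    "dhcp": (),
    "pppoe": ("username", "password"),
    "4g": ("access_point", "username", "password", "dial_string"),
}
WAN_COMMON = ("wan", "interface", "service_provider", "preference")


def _net(ip: str, mask: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def validate_device(row: Dict[str, str]) -> List[str]:
    """Return the problems found in one row; an empty list means the row is acceptable."""
    errors = []
    name = row.get("device_name", "")
    if not name:
        errors.append("device_name is required")
    elif len(name) > 32:
        errors.append(f"device_name exceeds 32 characters ({len(name)})")
    if not row.get("sn"):
        errors.append("sn is required")
    if len(row.get("device_group", "")) > 64:
        errors.append("device_group exceeds 64 characters")
    access = row.get("internet_access", "").lower()
    if access not in REQUIRED_BY_ACCESS:
        return errors + [f"internet_access must be one of {sorted(REQUIRED_BY_ACCESS)}, got {access!r}"]
    errors += [f"{access}: {f} is required" for f in WAN_COMMON + REQUIRED_BY_ACCESS[access] if not row.get(f)]
    if access == "static" and all(row.get(f) for f in REQUIRED_BY_ACCESS["static"]):
        try:
            if ipaddress.ip_address(row["default_gateway"]) not in _net(row["ip_address"], row["netmask"]):
                errors.append("static: default_gateway is outside the WAN subnet")
        except ValueError as exc:
            errors.append(f"static: invalid address data ({exc})")
    if row.get("lan_ip"):  # optional LAN tab: subnet plus an address pool when DHCP is enabled
        try:
            lan = _net(row["lan_ip"], row.get("lan_netmask", ""))
            dhcp_on = str(row.get("lan_dhcp", "")).lower() in ("1", "true", "yes", "enable")
            if dhcp_on and not (row.get("pool_start") and row.get("pool_end")):
                errors.append("lan: DHCP is enabled but the address pool is incomplete")
            elif dhcp_on:
                start, end = ipaddress.ip_address(row["pool_start"]), ipaddress.ip_address(row["pool_end"])
                if start not in lan or end not in lan:
                    errors.append("lan: address pool is outside the LAN subnet")
                elif start > end:
                    errors.append("lan: pool start is after pool end")
        except ValueError as exc:
            errors.append(f"lan: invalid address data ({exc})")
    return errors


def validate_batch(rows: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Validate all rows and flag duplicate SNs; upload the template only when the result is empty."""
    report, seen = {}, {}
    for index, row in enumerate(rows, start=1):
        errors = validate_device(row)
        sn = row.get("sn")
        if sn in seen:
            errors.append(f"sn {sn} duplicates row {seen[sn]}")
        elif sn:
            seen[sn] = index
        if errors:
            report[f"row {index}"] = errors
    return report


# Constructed sample rows (not from any real deployment): two valid devices and one bad one.
_WAN = {"wan": "WAN1", "interface": "ethernet0/0", "service_provider": "Other", "preference": "High"}
SAMPLE_ROWS = [
    dict(_WAN, device_name="branch-01", sn="SN0001", device_group="Retail", internet_access="static",
         ip_address="198.51.100.10", netmask="255.255.255.0", default_gateway="198.51.100.1",
         lan_ip="192.0.2.1", lan_netmask="255.255.255.0", lan_dhcp="yes",
         pool_start="192.0.2.100", pool_end="192.0.2.200"),
    dict(_WAN, device_name="branch-02", sn="SN0002", internet_access="pppoe",
         username="branch02@isp", password="example-only"),
    dict(_WAN, device_name="branch-03-with-a-name-that-is-far-too-long", sn="SN0001",
         internet_access="4g", access_point="internet", username="u", password="p"),
]

if __name__ == "__main__":
    for row_id, problems in validate_batch(SAMPLE_ROWS).items():
        print(row_id, *problems, sep="\n  ")  # only "row 3" is reported
```

Run validate_batch over the rows of the filled-in template and upload only when it returns an empty dict; every key it does return names a row that would have made HSM reject the entire batch.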

Editing an SD-WAN Device


You can edit the configuration of SD-WAN devices in HSM.
To edit an SD-WAN device, take the following steps:

1. Select Device > SD-WAN Start, and enter the SD-WAN Start page.

2. Select the device to edit from the device list, click Edit Device on the toolbar, and edit the device configuration in the pop-up Edit Device dialog box.

• If the device has not been activated yet, you can edit its SN, VPN network, configuration package, business and other settings. Alternatively, use Relate VPN Net, Correlate Configuration Package, Relate Business and Relate ZTP Template on the toolbar.

• If the device has been activated, you can still assign a VPN network, configuration package, business or ZTP configuration template to it, but any of these that is already configured for the device can no longer be changed.

3. Click OK.

ZTP Configuration Templates


HSM supports ZTP configuration templates, which consist of global pre-configuration for DNS, NTP, CloudView, WLAN and user-defined commands, so that different deployment scenarios can be covered. HSM supports up to 1,000 ZTP configuration templates. To create a template, take the following steps:



1. Select Device > SD-WAN Start, and enter the SD-WAN Start page.

2. Click ZTP Configuration Template on the toolbar. The ZTP Configuration Template dialog box pops up.

3. On the Configuration Template tab, click Add. The Add Template dialog box pops up. Configure the following options:

• Name: Specify the name of the template, 1 to 32 characters.

• Description: Specify the description of the template, 0 to 255 characters.

• Connection Controller Parameters: Type the parameters that the device uses to connect to the controller (HSM) into the text boxes:

  ◦ Controller IP/Domain: Specify the IP address or domain name of HSM.

  ◦ Register port: Specify the registration port of HSM. The default port is 9091 or 9092.

  ◦ Data Transmission Port (FTPS Port): Specify the port on which HSM receives FTPS data. The default port is 21.

  ◦ Data Transmission Port (HTTPS Port): Specify the port on which HSM receives HTTPS data. The default port is 9093.

  ◦ Log Port: Specify the port on which HSM receives log data. The default port is 514.

• DNS Config: Select the check box, and specify the DNS servers for the device. You can specify up to two DNS servers.

• NTP Config: Select the check box, and specify the NTP servers that the device synchronizes with. You can specify up to three NTP servers.

• CloudView Config: Select the check box, and configure CloudView:

  ◦ Address: Specify the address of the cloud platform.

  ◦ Username: Specify the username registered on the cloud platform; the device is registered under this username.

  ◦ Password: Enter the password of the username.

• WLAN Config: Select the check box, and configure the WLAN:

  ◦ WLAN Name: Specify the name of the WLAN.

  ◦ WLAN Password: Enter the password of the WLAN.

  ◦ WLAN Interface: Specify the WLAN interface to which the WLAN is bound.

  ◦ IP: Specify the IP address of the WLAN.

  ◦ Netmask: Specify the netmask of the WLAN.

  ◦ DHCP: Select the check box to enable DHCP on the WLAN. The function is enabled by default.

  ◦ DNS1 / DNS2: Enter the IP addresses of the DNS servers to be assigned to the clients connected to the WLAN.

  ◦ Begin IP / End IP: Enter the start and end IP of the address range allocated to the clients.

• CLI Config: Select the check box, and type commands into the text box, 0 to 10240 characters. The system does not check the syntax of the user-defined commands, and they are applied as-is to every device that loads the template, so review them before saving the template.

4. Click OK.
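Both the Network Configuration under Importing the Preconfiguration and the Connection Controller Parameters in the ZTP template tell the spoke device where to reach HSM: the registration port (default 9091 or 9092), the FTPS data port (21), the HTTPS data port (9093) and the log port (514). A device on a branch network behind a carrier NAT or a filtering upstream firewall will silently fail to register if any of these is blocked, so the following Python script, an added example rather than Hillstone code, probes them from the branch side before the USB configuration is shipped. Treating the log port as UDP syslog and the other ports as TCP, and the key names used for the ports, are the script's assumptions; the local demonstration stands in for an unreachable HSM with a closed loopback port.

```python
"""Pre-flight check of the controller ports a ZTP device must reach (added example, not Hillstone code).

The port defaults are those listed for the Connection Controller Parameters
in this guide and for the Network Configuration under Importing the
Preconfiguration: registration 9091/9092, FTPS data 21, HTTPS data 9093,
log 514. Treating the log port as UDP (plain syslog) and everything else as
TCP is this script's assumption; adjust it if your HSM is configured otherwise.
"""
import socket
from typing import Dict, List, Optional, Tuple

DEFAULT_PORTS: Dict[str, int] = {
    "register": 9091,
    "register_alt": 9092,
    "ftps_data": 21,
    "https_data": 9093,
    "syslog": 514,
}


def controller_checks(ports: Optional[Dict[str, int]] = None) -> List[Tuple[str, str, int]]:
    """Build the (name, transport, port) list; overrides replace defaults for ports changed in the template."""
    merged = {**DEFAULT_PORTS, **(ports or {})}
    return [(name, "udp" if name == "syslog" else "tcp", port) for name, port in merged.items()]


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout (name resolution included)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_preflight(host: str, ports: Optional[Dict[str, int]] = None,
                  timeout: float = 3.0) -> Dict[str, Optional[bool]]:
    """Probe every TCP port; UDP ports are reported as None because a datagram cannot confirm delivery."""
    results: Dict[str, Optional[bool]] = {}
    for name, transport, port in controller_checks(ports):
        results[name] = tcp_reachable(host, port, timeout) if transport == "tcp" else None
    return results


def demo_local() -> Dict[str, Optional[bool]]:
    """Offline demonstration: a listening loopback socket stands in for the registration port,
    and a port that was bound and released stands in for a filtered or closed HSM port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        return run_preflight("127.0.0.1", {"register": open_port, "register_alt": closed_port,
                                           "ftps_data": closed_port, "https_data": closed_port}, timeout=1.0)
    finally:
        listener.close()


if __name__ == "__main__":
    for name, ok in demo_local().items():
        state = "reachable" if ok else ("not verified" if ok is None else "unreachable")
        print(f"{name:13s} {state}")
```

Run it from the network segment where the device will be installed, with host set to the Controller IP/Domain of the template and any non-default ports passed as overrides. A False for the registration port means the device will not come online however correct the template is; the syslog port is reported as not verified because a client-side UDP probe proves nothing, so confirm log arrival on the HSM side once the first device has registered.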

To import a pre-configuration file, take the following steps:

1. Select Device > SD-WAN Start, and enter the SD-WAN Start page.

2. Click ZTP Configuration Template on the toolbar. The ZTP Configuration Template dialog box pops up.

3. Click the Configuration File tab.

4. Type the name and description for the platform, click Select,select the configuration file to be uploaded, and click Open.

5. In the Uploaded Files list, you can view, download and delete the imported pre-configuration files.

You can perform the following operations on the templates in the configuration template list:

• Click the edit icon to edit the selected template. The name of the template cannot be modified.

• Click the delete icon to delete the selected template or templates.

• Click the name of a template to view the template details.



Introduction to Device Upgrade
HSM supports device upgrade functionality, which enables you to upgrade the firmware of the
managed Hillstone Networks devices. To upgrade StoneOS through HSM, take the following
steps:

1. Import the StoneOS firmware to the HSM system first. HSM will match the proper firm-
ware to the managed devices automatically.

2. Create upgrading tasks according to your own requirements.

HSM also supports upgrading the signature databases of the managed Hillstone Networks devices in two ways: the managed device can obtain the signature database file from HSM, which acts as its update server, for online upgrade; or you can configure a signature database upgrade template in HSM and deliver it to the managed device. The IPS signature database, application signature database, Anti-Virus signature database and URL database can be upgraded.

You can check the status of an upgrade task on the Status page, and view the upgrade logs on the Upgrade Log page or Task Log page.

This section describes:

• Configuring a Device Upgrading Task

• Viewing Device Upgrading Logs

• Upgrading Signature Database

Configuring a Device Upgrading Task


Hillstone Networks NGFW, NIPS, WAF, BDS and NIDS devices can be upgraded in batch through HSM. To upgrade the managed devices through HSM, take the following steps:

1. Import StoneOS firmware to HSM.

2. Specify the upgrading management IP address.



3. Configure the device upgrading task.

After the task is successfully configured, you can check the upgrading status from the Current
Upgrade Task dialog, and also you can view the upgrading logs from the upgrading log page.

Importing/Deleting a Firmware

Three importing methods are supported by HSM: importing from the local PC, importing via
HTTP, and importing via FTP.
To import from the local PC, take the following steps:

1. Select Device > Device Upgrade.

2. Click the Import button from the toolbar.

3. On the Importing Firmware dialog, select Local, click the browse button and select the
firmware to be uploaded in the pop-up dialog.

4. Click OK to upload.

To import via HTTP, take the following steps:

1. Select Device > Device Upgrade.

2. Click the Import button from the toolbar.

3. On the Importing Firmware dialog, select HTTP, and configure the following options:

l HTTP URL: Specify the HTTP address of the firmware to be uploaded.

l Username: Specify the username which is used to log into the HTTP server.

l Password: Specify the password of the user.

4. Click OK to upload.

To import via FTP, take the following steps:

1. Select Device > Device Upgrade.

2. Click the Import button from the toolbar.

3. On the Importing Firmware dialog, select FTP, and configure the following options:

l FTP URL: Specify the FTP address of the firmware to be uploaded.

l Username: Specify the username which is used to log into the FTP server.

l Password: Specify the password of the user.

l Anonymous: Specify to access the FTP server anonymously.

4. Click OK to upload.

To delete a firmware from HSM, select the firmware to be deleted from the firmware table, and
then click the Delete button from the toolbar.

Specifying the Upgrade Management IP

When upgrading devices through HSM, you must specify an upgrade management IP before executing
the upgrade task so that the firmware can be pushed to the managed devices successfully. The
management IP must be reachable from the managed devices (usually it is the management IP of
the HSM device).
To specify the upgrade management IP, take the following steps:

1. Select Device > Device Upgrade.

2. Click the Upgrade Configuration button from the toolbar.

3. On the Upgrade Management IP Configuration dialog, type the address into the IP text box.

4. Click Save to save the changes and close the dialog.

Configuring a Device Upgrading Task

When the firmware is uploaded into HSM, HSM will match the firmware with the managed
devices automatically. The upgrading task specifies the device to be upgraded, the upgrade time
and so on.
To configure the device upgrading task, take the following steps:

1. Select Device > Device Upgrade.

2. Select a firmware from the firmware table (check the corresponding check box), and then
click the Task button from the toolbar. The Device Upgrade dialog pops up. This dialog
shows all devices matching with the selected firmware.

3. Specify the upgrade type, including:

l Immediately: Upgrade the devices to the specified firmware immediately.

l On Schedule: Upgrade the devices to the specified firmware at a specified time.

4. Select the devices to be upgraded from the device table.

5. Configure the upgrading options. The options are:

l Backup Version: Select a version to be the backup firmware on the device (up to 2
versions can be saved on a device). You can choose the backup version by selecting
from the drop-down list. "Active" refers to the version currently running on the
device; "Backup" refers to the backup version on the device.

l Backup Configuration: If this check box is selected, HSM will back up the configuration on
the device when upgrading.

l Reboot: If this check box is selected, HSM will reboot the device after pushing the
firmware to the device successfully to make the new firmware take effect.

To configure the upgrading options for all the devices to be upgraded, click the Upgrade
Options button and configure on the pop-up dialog.

6. Click the Upgrade button to create the upgrading task.

Checking the Task Status

You can check the task status on the Current Upgrade Task (in the device upgrade page, click the
Status button) dialog. There are 7 task statuses:

l Waiting for upgrade: The device is waiting to load the firmware from HSM.

l Upgrading: HSM is pushing the firmware to the device.

l Waiting for reboot: When multiple devices are configured in the task, the devices which have
finished uploading the firmware will be marked as this status.

l Rebooting: The firmware is uploaded successfully and the device is rebooting.

l Cancelling: The administrator cancelled the task and the device is cancelling the task.

l Upgrade succeeded: The device has rebooted with the newly upgraded firmware.

l Upgrade failed: You can get the failure reason from the upgrade logs.

To check the upgrading task status, take the following steps:

1. Configure the upgrading task.

2. On the upgrading page, click the Task button, and on the Current Upgrade Task dialog,
check the upgrading status for each device.

If you want to cancel the upgrading task, click the Cancel Upgrade button in the bottom-right
corner of the dialog. The executing task cannot be cancelled.

Viewing Device Upgrading Logs


Device upgrading logs record the upgrading status of devices.
To view the device upgrading logs, take the following steps:

1. Select Log > Operation Log > Upgrade Log.

2. The upgrading logs will be displayed in the main window.

You can filter the log messages by selecting the conditions above the log message table.
The following illustration shows the layout of the device upgrade page.

Upgrading Navigation Pane

Select different options from the upgrading navigation pane to go to the corresponding upgrading
pages. Functions of the upgrading navigation pane are described as below:

Option Description

Device Upgrade: Goes to the device upgrading page, which includes the toolbar and the table of
StoneOS firmware. You can configure the upgrading tasks and view the upgrading status on this
page.

Upgrade Log: Shows the upgrading logs. The search function is supported for you to see the
required log messages.

Filter

You can filter the log messages by selecting the conditions provided here. The filter conditions
are described as below:

Option Description

Status: Filter the log messages by task status.

Device Name: Filter the log messages by device name.

Keyword: Filter the log messages by keyword. To filter with a keyword, take the following steps:

1. Select a type from the drop-down list before the keyword text box to restrict the keyword
scope.

2. Type the keyword in the text box and press the Enter key. The messages in the specified scope
that include the specified keyword will be displayed in the log message table.

To cancel the keyword filter, use either of the following two methods:

l Delete the keyword from the text box and then press the Enter key.

l Select None from the drop-down list, move the cursor to the text box and then press the
Enter key.

Time: Filter the log messages by time.

Main Window

The main window shows all the upgrading log messages. Columns of the log messages table are
described as below:

Option Description

Start Time: Shows the start time of the task.

End Time: Shows the end time of the task.

Device Name: Shows the name of the upgraded device.

Platform: Shows the platform of the upgraded device.

IP: Shows the IP address of the upgraded device.

Name: Shows the firmware name.

Version: Shows the firmware version.

Status: Shows the upgrading status.

Executor: Shows the name of the administrator who executed the upgrading task.

Log: Shows the content of the message.

Upgrading Signature Database

As an Update Server

After you have configured the signature database update server in the managed device with the IP
address of HSM, the managed device can obtain the signature database file from HSM and upgrade
it online. Currently, HSM only supports one managed device obtaining a signature database file
from HSM at a time. If multiple managed devices obtain signature database files from HSM at the
same time, or a managed device obtains multiple signature database files from HSM simultaneously,
only one of them succeeds in obtaining a signature database file.
In addition, you can also upgrade the managed device's signature database immediately via HSM:

1. Select Device > Upgrade > Signature Update.

2. Click the target signature upgrade tab, and then select signature version from the drop-down
menu in the upper-right corner of the toolbar.

3. Click the Update Right Now button from the toolbar.

4. According to the current version of signature database, select devices to be upgraded from
the device list.

5. Click the Upgrade button to start upgrading the signature database for the selected devices.
You can view the Status column to see if the signature database has been upgraded successfully.

Configuring Upgrade Templates

If the configuration in a signature database upgrade template is delivered to a managed device,
the signature database of the managed device will be upgraded according to the template. At most
100 upgrade templates can be created for each signature database.
To create a signature database upgrade template, take the following steps:

1. Select Device > Upgrade > Signature Update.

2. Select the target signature upgrade tab, and then click the New button from the toolbar. The
corresponding Update Server Configuration dialog appears.

3. In the dialog, configure the signature database upgrade template information.

Option Description

Configuration Name: Specifies the name of the signature database upgrade template. You can use
the system default name or customize it.

Device: Select the device type to which the upgrade template applies.

Configure Update Server: HSM provides three default update servers: update1.hillstonenet.com,
update2.hillstonenet.com and HSM's IP address. Click the text box and the three servers will be
prompted. You can customize the servers according to your needs; both entering and selecting are
supported. In the subsequent drop-down menu, specify the virtual router (only applicable to
NGFW). You can also create a new virtual router by clicking Add a vrouter from the drop-down
menu.

Whether Automatic: Select the check box and set the update time; the signature database of the
managed device will be updated automatically according to the settings.

Primary Proxy: When the device accesses the Internet through an HTTP proxy server, you need to
specify the IP address and port number of the HTTP proxy server so that the signature database
can be updated normally. This option is optional.

Stand-by Proxy: When the primary proxy server cannot access the Internet, the backup proxy server
takes effect. This option is optional.

Relevant Device: Select the device or device group to which the upgrade template will be
delivered.

4. Click OK, and the upgrade template will appear in the template list.
In the Device To SendDown column, click the corresponding link to view all relevant devices and
their status.

To deliver an upgrade template, take the following steps:

1. Select Device > Upgrade > Signature Update.

2. Click the target signature upgrade tab, and then select the upgrade template which you want
to deliver, and then click the SendDown button from the toolbar.

3. In the upper left corner of the dialog, select a device type to view the devices and their
status.

l The devices to SendDown are the devices whose update server settings differ from the
template.

l All devices, i.e. the relevant devices, include the devices to SendDown, the offline devices,
and the devices whose update server settings are the same as the template.

4. Click OK. The configuration in the upgrade template starts being delivered, and a task is
generated.
Click View Task Log to view the delivery log of the signature upgrade template. You can also go
to the Task Management page to view information such as the status of the task.

Notes: HSM cannot deliver an upgrade template to the StoneOS 5.5R8F4 or above.

Configuration File Management
A configuration file includes all configurations in a Hillstone Networks device. The configuration
file management function in HSM facilitates the management of configuration files located in
different Hillstone Networks devices and the management of each configuration file's change
history. You can perform the management in the following two tabs:

l Configuration File List tab: Displays configuration files of Hillstone Networks devices and the
corresponding information.

l Configuration Change History tab: Displays change history of configuration files.

For detailed information about configuration file management, see the following topics:

l Managing Configuration File

l Managing Configuration Change History

Managing Configuration File


The Configuration File List tab displays the retrieved configuration files and related information.
You can manage the configuration files as follows:

l Retrieving Configuration File

l Viewing Configuration File

l Viewing Change History

l Restoring Configuration Files

l Exporting Configuration Files

l Importing Configuration Files

l Comparing Configuration Files

l Editing Configuration File

l Deleting Configuration File

l Searching Configuration File

Retrieving Configuration File

After you perform the retrieval action, HSM retrieves the running configuration file from the
selected Hillstone Networks device. HSM supports automatic retrieval of configuration files,
manual retrieval, and retrieval on schedule. The maximum number of configuration files that can
be stored by HSM is 10,000.

Retrieving Configuration Files Automatically

HSM will automatically retrieve the configuration files in following situations:

l Before performing the Deploy Configuration action in Configuration > Device Configuration

l After performing the Import Configuration action in Configuration > Device Configuration

The configuration file retrieved automatically is named full_xml_config_date_time, for example
full_xml_config_20130929033151. During the retrieval, HSM checks the number of files stored in
HSM. If the total number of configuration files does not exceed the limit, HSM stores the
retrieved file. If the total number of configuration files has reached the limit, HSM deletes the
oldest deletable files of this device and then stores the retrieved file. If HSM fails to retrieve
the configuration files automatically, you can retrieve them manually.
In the following situations, a green up arrow ( ) is shown next to the device name, which
indicates that the configuration on the device has changed:

l HSM fails to retrieve the configuration files automatically

l The configuration file in Hillstone Networks devices changes

Notes: If a device contains VSYS devices, the green up arrow ( ) is not supported on the device
node.
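
The retention rules just described (the 10,000-file limit, the full_xml_config naming, and eviction of a device's oldest deletable files when the store is full), together with the Deletable and Permanently Saved statuses set in the Edit dialog under Editing Configuration File, modelled as an added Python example that is not HSM code. The ConfigFileStore class, its method names and the device names fw-A and fw-B are assumptions; the scenario shows why marking a baseline backup Permanently Saved keeps it from being silently evicted.

```python
# Added example modelling the configuration-file retention rules described in this guide.
# Not HSM code: class, function and device names are assumptions.
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

MAX_STORED_FILES = 10_000        # total files HSM stores (stated in the guide)
MAX_PERMANENT_PER_DEVICE = 10    # Permanently Saved files per device (stated in the guide)
DELETABLE = "Deletable"          # default status: the file may be deleted or evicted
PERMANENT = "Permanently Saved"  # protected: never deleted, never evicted


@dataclass
class ConfigFile:
    device: str
    name: str
    retrieved_at: datetime
    status: str = DELETABLE


def auto_name(retrieved_at: datetime) -> str:
    """Name an automatically retrieved file as the guide shows, e.g. full_xml_config_20130929033151."""
    return "full_xml_config_" + retrieved_at.strftime("%Y%m%d%H%M%S")


class ConfigFileStore:
    """Hypothetical in-memory store that applies the retention rules (example only)."""

    def __init__(self, capacity: int = MAX_STORED_FILES) -> None:
        self.capacity = capacity
        self.files: List[ConfigFile] = []

    def store(self, device: str, retrieved_at: datetime, name: Optional[str] = None) -> ConfigFile:
        """Store a retrieved file; when full, first drop this device's oldest deletable files."""
        while len(self.files) >= self.capacity:
            self._evict_oldest_deletable(device)
        cf = ConfigFile(device, name or auto_name(retrieved_at), retrieved_at)
        self.files.append(cf)
        return cf

    def _evict_oldest_deletable(self, device: str) -> ConfigFile:
        candidates = [f for f in self.files if f.device == device and f.status == DELETABLE]
        if not candidates:
            # The guide does not say what happens when this device has nothing deletable;
            # this example refuses to store rather than evict another device's files.
            raise RuntimeError(f"store full and no deletable file for {device}")
        oldest = min(candidates, key=lambda f: f.retrieved_at)
        self.files.remove(oldest)
        return oldest

    def set_status(self, cf: ConfigFile, status: str) -> None:
        """Edit a file's status (the Edit dialog), enforcing the per-device Permanently Saved limit."""
        if status not in (DELETABLE, PERMANENT):
            raise ValueError(f"unknown status {status!r}")
        if status == PERMANENT and cf.status != PERMANENT:
            permanent = sum(1 for f in self.files
                            if f.device == cf.device and f.status == PERMANENT)
            if permanent >= MAX_PERMANENT_PER_DEVICE:
                raise ValueError(f"{cf.device} already has {MAX_PERMANENT_PER_DEVICE} "
                                 "Permanently Saved files")
        cf.status = status

    def delete(self, selected: List[ConfigFile]) -> bool:
        """Manual delete: refused (the Delete button is greyed out) if any selected file is protected."""
        if any(f.status == PERMANENT for f in selected):
            return False
        for f in selected:
            self.files.remove(f)
        return True

    def names(self, device: str) -> List[str]:
        return [f.name for f in self.files if f.device == device]


def eviction_demo() -> List[str]:
    """Constructed scenario: a store with room for three files receives a fourth."""
    store = ConfigFileStore(capacity=3)
    t = datetime(2013, 9, 29, 3, 31, 51)
    first = store.store("fw-A", t)                 # full_xml_config_20130929033151
    store.set_status(first, PERMANENT)             # protect the baseline from eviction
    store.store("fw-A", t.replace(minute=32))
    store.store("fw-A", t.replace(minute=33))
    store.store("fw-A", t.replace(minute=34))      # store full: the 03:32 file is evicted
    return store.names("fw-A")


def protection_demo() -> Tuple[int, bool, bool]:
    """Constructed scenario: the per-device Permanently Saved limit and a refused deletion."""
    store = ConfigFileStore()
    files = [store.store("fw-B", datetime(2022, 12, 7, 0, 0, i)) for i in range(12)]
    protected = 0
    for f in files:
        try:
            store.set_status(f, PERMANENT)
            protected += 1
        except ValueError:
            break
    return protected, store.delete(files[:2]), store.delete(files[10:])
```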

Retrieving Configuration Files Manually

To manually retrieve the configuration files, take the following steps:

1. With the Configuration File List tab active, select a device from the device navigation pane.
Click the icon in the top-right corner of the device list to filter by device type, including
NGFW, IPS and WAF.

2. Click Retrieve Configurations in the toolbar. The Retrieve Configurations dialog pops up.

3. In the dialog, modify the file name and enter the description (optional).

4. Click OK to start the retrieving.

After retrieving the configuration file successfully, you can view the retrieved file in the main
window in the Configuration File List tab.

Retrieving Configuration Files on Schedule

You can set a schedule to obtain configuration files for the specified device at a specified time. To
retrieve the configuration files on schedule, take the following steps:

1. Enter the Configuration File List tab.

2. Click Retrieve Configurations Schedule in the top-right corner, the Retrieve Configurations
Schedule dialog pops up.

3. In the device list on the left, choose the devices whose configuration files will be
retrieved. Click the icon in the top-right corner of the device list to filter by device type,
including NGFW, IPS and WAF.

4. Set retrieving time for configuration files in the right panel.

l Every Day: Select the radio button to specify the specific time each day to get the
configuration files.

l Every Week: Select the radio button to specify the specific time every week to get
the configuration files.

l Every Month: Select the radio button to specify the specific time every month to get
the configuration files.

l No plan: There is no retrieving schedule for configuration files. This option is selected
by default.

5. Click OK, and the system will retrieve configuration files at the specified time.
You can check whether the configuration file was retrieved successfully on the HSM System Log
page by viewing logs of the Get Configuration operation type.

Viewing Configuration File

To view the detailed configurations in a configuration file, take the following steps. The
configurations are displayed in CLI format.

1. With the Configuration File List tab active, select a device from the device navigation pane.
The related configuration files are displayed in the main window.

2. Select a configuration file.

3. Click View Configurations in the toolbar. The View Configurations dialog pops up and displays
the detailed configurations.

View Change History

The change history of a configuration file records the detailed information about each change
record.
To view the change history, take the following steps:

1. With the Configuration File List tab active, select a device from the device navigation pane.
The related configuration files are displayed in the main window.

2. Select a configuration file.

3. Click the View link in the Change History column. The Configuration Change History dialog
pops up and displays the change history of the selected configuration file.

Restoring Configuration Files

In order to apply the backup configuration files to the device, you can restore the configuration
files.
To restore a configuration file, take the following steps:

1. With the Configuration File List tab active, select a device from the device navigation pane.
The related configuration files are displayed in the main window.

2. Select a configuration file. Only one configuration file can be restored to the corresponding
device.

3. Click Recover from the toolbar. The Restoring page appears. You may choose to save the
configuration and reboot the device according to your needs. You can use one of the following
two methods:

l Immediately: Select the Immediately radio button to restore the specified configuration file
immediately.

l On Schedule: Select the On Schedule radio button to specify a time to restore the
configuration file. The time point must be after the current time of the HSM system;
otherwise, the configuration might not be restored.

4. Click OK to save your settings and close the dialog. A notice with the task details pops up
at the bottom. Click the information to enter the task schedule page.

Notes: A device that is restoring a configuration file cannot execute another restore task at
the same time; otherwise the task will fail.

Exporting Configuration Files

In order to get the backup configuration files, you can export the configuration files from HSM to
your local PC.
To export a configuration file, take the following steps:

1. With the Configuration File List tab active, select a device from the device navigation pane.
The related configuration files are displayed in the main window.

2. Select a configuration file.

3. Click Export from the toolbar. The Save page appears.

4. Click OK, and then the Save as page appears. You can select the save path and rename the
configuration file according to your needs.

5. Click OK to export the configuration file. The system then prompts that the configuration
file has been exported successfully.

Notes: Configuration files exported from HSM are in ZIP format.

Importing Configuration Files

In order to back up the local configuration files, you can import the local configuration files
to HSM.
To import a configuration file, take the following steps:

1. With the Configuration File List tab active, select a device from the device navigation pane.
The related configuration files are displayed in the main window.

2. Select a configuration file.

3. Click Import Configuration File from the toolbar. The Import Configuration File page and the
Browse page appear. Select the local configuration file in the Browse dialog. Click OK, and the
open dialog closes. The name of the configuration file to be imported and the loading progress
bar will be displayed in the Import Configuration File dialog.

4. Click Upload, and the upload progress bar will be displayed. The successfully imported
configuration file is shown in the main window.

Notes: Only DAT and ZIP files can be imported.

Comparing Configuration Files

Use the Compare function to view the differences between two configuration files. The
configuration files for comparison can be from one device or from two different devices.
To compare configuration files, take the following steps:

1. With the Configuration File List tab active, select a device or a device group from the
device navigation pane. The related configuration files are displayed in the main window.

2. Select the two files for comparison by selecting their checkboxes.

3. Click Add to Compare. The File Comparison List dialog appears. The selected two files are
added to this list with the device name and the file name displayed. To change files, you can
delete them from the list by clicking Delete, and then select new configuration files.

4. In File Comparison List, click Compare. The Compare Configuration dialog pops up and displays
the detailed configurations in each file. The differences are marked in red.

Editing Configuration File

By editing a configuration file, you can achieve the following aims:

l Modify the file name

l Add the file description

l Set the file status

To edit the configuration file, take the following steps:

1. With the Configuration File List tab active, select a device from the device navigation pane.
The related configuration files are displayed in the main window.

2. Select a configuration file.

3. Click Edit in the toolbar. The Edit dialog appears.

4. Configure the following options:

l File Name: Modify the file name.

l Status: Select a status for this file: Deletable or Permanently Saved. Deletable is the
default status and means that this file can be deleted. Permanently Saved means that this
file cannot be deleted. For each device, the maximum number of files with the Permanently
Saved status is 10.

l Description (optional): Add or modify the description.

5. Click OK to save the changes and close the dialog.

Deleting Configuration File

To delete configuration files, take the following steps:

1. With the Configuration File List tab active, select a device from the device navigation pane.
The related configuration files are displayed in the main window.

2. Select files to be deleted by selecting the checkboxes before the file name.

3. Click Delete in the toolbar to delete the selected files. If the selected files contain
Permanently Saved files, the Delete button becomes grey.

Searching Configuration File

Use the Filter function to quickly locate the configuration files that meet the filter
conditions.
To use the Filter function, take the following steps:

1. With the Configuration File List tab active, select a device or a device group. The related
configuration files of this device or this device group are displayed in the main window.

2. Specify the filter conditions.

Filter Condition Description

Time: Search the configuration files whose retrieval time is within the specified period.

Status: Search the configuration files that match the specified file status.

Keyword: Search the configuration files whose columns contain the entered keywords. You can
search the contents in the following columns: Device Name, File Name, SN, and Description.

3. Click Search. The configuration files that meet all filter conditions are displayed in the main
window.

Managing Configuration Change History


The Configuration Change History tab displays the change records and related information. You
can manage the change records as follows:

l Editing Change Record

l Deleting Change Record

l Searching Change Record

Editing Change Record

To edit a change record, take the following steps:

1. With the Configuration Change History tab active, select a device from the device navigation
pane. The related change records of this device are displayed in the main window.

2. Select a change record.

3. Click Edit in the toolbar. The Edit dialog appears.

4. Enter the description in the Description text box.

5. Click OK to save the changes and close the dialog.

Deleting Change Record

To delete change records, take the following steps:

1. With the Configuration Change History tab active, select a device from the device navigation
pane. The related change records of this device are displayed in the main window.

2. Select change records.

3. Click Delete in the toolbar. The Delete dialog appears.

4. Click OK to delete the selected change records.

Searching Change History

Use the Filter function to quickly locate the configuration files that meet the filter
conditions.
To use the Filter function, take the following steps:

1. With the Configuration Change History tab active, select a device or a device group. The
related change records of this device or this device group are displayed in the main window.

2. Specify the filter conditions.

Filter Condition Description

Time: Search the change records whose retrieval time is within the specified period.

Operation: Search the change records that match the specified operation.

Keyword: Search the change records whose columns contain the entered keywords. You can search
the contents in the following columns: User, Device Name, File Name, and Description.

3. Click Search. The change records that meet all filter conditions are displayed in the main
window.

User Management
HSM supports managing the users of the devices registered to HSM, as well as modifying user
information in batches. At present, only NGFW devices running 5.5R1 and above are supported.
The operations about users include:

l Creating the User

l Editing the User

l Deleting the User

l Viewing User Password

l Viewing Operation Record

Creating the User


You can create a user on HSM and deliver the user information to the specified firewall devices.

l After the user is delivered, if the user already exists on the specified devices, the password
will be changed to the delivered one;

l After the user is delivered, if the user doesn't exist on the specified devices, the delivered
user and password will be added on the devices automatically. The role of the added user is
"System Administrator (Read-only)" and the Console, Telnet, SSH, HTTP and HTTPS login
types are disabled by default.

To create a user, take the following steps:

1. Click Device > User Management.

2. Click New, and the User Configuration dialog will pop up.

3. Enter the name into the Username text box.

4. Enter the password into the Password text box, and enter it again into the Confirm Password
text box.

5. Input the description of the user into the Description text box.

6. Click OK.

7. Select the created user, click Deliver, and the Batch Deliver User dialog will pop up.

8. Select the firewall devices on which the password needs to be modified. Only online NGFW
devices running 5.5R1 and above are displayed in the list.

9. Click OK.

Editing the User


You can edit the created user information. Currently, only the user password can be edited and be
delivered to the firewall devices.
To edit the user, take the following steps:

1. Click Device > User Management.

2. Select the user that needs to change the password, click Edit, and the User Configuration
dialog will pop up.

3. You can edit password and description in the dialog box, while the user name cannot be
edited.

4. Click OK.

5. Refer to Steps 7-9 above to deliver the user password to the firewall devices.

Deleting the User


Users can only be deleted in HSM, while the delivered users on the firewall devices won't be
deleted.
To delete the user, take the following steps:

1. Click Device > User Management.

2. Select the users to delete, click Delete, and the Confirm dialog box will pop up.

3. Click OK.

Viewing User Password
You can view the user name and the latest password delivered to the firewall by HSM. If the user
name and password are changed on the firewall device, you cannot view the changed information in
HSM.
To view the user password, take the following steps:

1. Click Device > User Management.

2. Click Check Password, and the dialog will pop up.

There are two columns: Device and User.

Option Description

Device: Displays the firewall devices that are managed by HSM (5.5R1 and above NGFW devices).

User: Displays the user name that is delivered to the firewall device.

3. Hover the mouse over the icon and the User Verification dialog will pop up.

4. In the Password text box, type the password of the current login user. If the user
verification passes, click the icon again to view the user name and password of the firewall
device; if it fails, the information is not shown.

Viewing Operation Record


You can view the operation record of a created user; the record of a deleted user cannot be
viewed.
To view the operation record, take the following steps:

1. Select the user, click the icon in the Operation Record list, and view the Operation Type,
Operation Result, Operator, Client IP, Time and Modification.

2. Click "detail" in the Modification column, and you can view the Username, Password,
Description, Delivered Device List and Delivered Device Status. If HSM fails to deliver
user information to the firewall devices, you can view the reason in the Delivered Device
Status row.

3. Select the "only difference" check box to view the differences between before modification
and after modification.

Device Inspection
HSM supports the inspection function on NGFW devices and NIPS/IDS devices. You can check the
CPU usage, memory usage, resource usage, device operating environment, signature database, and
license status of a device with the device inspection function and generate inspection reports.
HSM supports manual inspection, auto inspection, and smart inspection for a single device. It
also supports batch auto inspection of multiple devices. Smart inspection refers to the auto
inspection of devices whose average utilization exceeds the specified threshold.

Manual Inspection
To check the status of the specified online device by manual inspection, take the following steps:

1. Click Device > Device Inspection.

2. Click the Start button to check the specified device. To check the status of several devices
at the same time, select multiple devices and click Batch Start.

3. Click Cancel, and click OK to cancel the inspection task in the prompt dialog.

Auto Inspection
You can configure an inspection task to check the device automatically at a specified time and
send the report to the specified mailbox. You can also configure a smart inspection task to check
devices whose average utilization exceeds the specified threshold. After smart inspection is
enabled, the system checks the status of the device every hour. Both online and offline devices
can be configured with an auto inspection task. Select the Hide Offline Devices check box to
display only the online devices.
To check the status of the specified online device by auto inspection, take the following steps:



1. Click Device > Device Inspection.

2. Click Config.

In the Regular Config tab, configure the options for regular inspection.

Enable regular inspection: Select the check box to enable the regular inspection function.

Period: Specify the period of inspection, and select the time in the drop-down list.

• Day: Select the time of every day, such as every day 9:00.

• Week: Select the time of a specified day during a week, such as Monday 9:00.

• Month: Select the time of a specified day during a month, such as 1st 9:00.

• Disposable: Select the time of a specified day, such as 2019/7/1 9:00.

Enable Email: Select the check box to send the inspection report to the specified Email
address. To add a recipient, type an Email address in the Receiver box; separate multiple
recipients with ";".

In the Advanced Config tab, configure the options for smart inspection.

Enable smart inspection: Select the check box to enable the smart inspection function.

Threshold: Specify the threshold of CPU, Memory and Session. The default value is 80%.

3. Click Apply.

4. Click OK.

Batch Inspection
HSM supports batch inspection configuration to perform scheduled (regular) inspection or smart
inspection tasks on multiple devices. Only one inspection task can be configured for a device;
if a device is specified in more than one task, the last configured task takes effect for that
device. The system supports up to 10 scheduled tasks.
To configure the batch inspection task, take the following steps:



1. Click Device > Device Inspection.

2. Click Batch Config.

3. In the Regular Config tab, click Add Regular Task.

In the Add Regular Task dialog, configure the options for batch regular inspection.

Name: Specify the name of the inspection task. The name must be unique.

Enable regular inspection: Select the check box to enable the regular inspection function.

Period: Specify the period of inspection, and select the time in the drop-down list.

• Day: Select the time of every day, such as every day 9:00.

• Week: Select the time of a specified day during a week, such as Monday 9:00.

• Month: Select the time of a specified day during a month, such as 1st 9:00.

• Disposable: Select the time of a specified day, such as 2019/7/1 9:00.

Enable Email: Select the check box to send the inspection report to the specified Email
address. To add a recipient, type an Email address in the Receiver box; separate multiple
recipients with ";".

Device List: Specify the devices to be checked in the drop-down list.

4. Click Apply.

5. Click OK.

You can also perform the following operations:

• Click Edit Regular Task to enable or disable the regular inspection task, or modify the
user-defined inspection threshold and device list.

• Click Delete Regular Task to delete the regular inspection task.

To configure the batch smart inspection task, take the following steps:

1. Click Device > Device Inspection.

2. Click Batch Config.

3. In the Advanced Config tab, click Add Config.

In the Add Config dialog, configure the options for batch smart inspection.

Name: Specify the name of the inspection task. The name must be unique.

Enable smart inspection: Select the check box to enable the smart inspection function.

Threshold: Specify the threshold of CPU, Memory and Session. The default value is 80%.

Device List: Specify the devices to be checked in the drop-down list.

4. Click Apply.

5. Click OK.

You can also perform the following operations:

• Click Edit Config to enable or disable the smart inspection task, or modify the user-defined
inspection threshold and device list.

• Click Delete Config to delete the smart inspection task.
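The two rules stated above for smart inspection (a device is inspected when its average CPU, Memory or Session utilization over the hourly check exceeds the threshold, 80% by default) and for batch tasks (only one task applies to a device, and the last configured task wins) can be modelled in a few lines. The following Python block is an added example, not HSM code; the device names, task names and utilization samples are constructed for illustration, and the sampling format is an assumption.

```python
"""Added example (not HSM code): which devices a smart inspection would check.

Models two rules from the guide on constructed data:
  - smart inspection checks, once an hour, the devices whose average CPU,
    memory or session utilization exceeds the configured threshold (80% default);
  - only one inspection task applies to a device, and when a device is listed
    in several batch tasks the last configured task takes effect.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

DEFAULT_THRESHOLD = 80.0          # percent, the guide's default value
METRICS = ("cpu", "memory", "session")


@dataclass(frozen=True)
class SmartTask:
    name: str
    enabled: bool
    thresholds: Dict[str, float]  # percent per metric; a missing metric uses the default
    devices: Tuple[str, ...]


def effective_tasks(tasks: List[SmartTask]) -> Dict[str, SmartTask]:
    """Map each device to the task that governs it: a later task overrides an earlier one."""
    governing: Dict[str, SmartTask] = {}
    for task in tasks:            # tasks are given in configuration order
        for device in task.devices:
            governing[device] = task
    return governing


def hourly_average(samples: List[Dict[str, float]], metric: str) -> float:
    """Average of one metric over the samples collected during the last hour."""
    return sum(s[metric] for s in samples) / len(samples)


def devices_to_inspect(tasks: List[SmartTask],
                       samples: Dict[str, List[Dict[str, float]]]) -> List[Tuple[str, str, float]]:
    """Return (device, metric, average) for every device whose hourly average exceeds
    the threshold of its governing task. Devices whose task is disabled, or that
    reported no samples (for example offline devices), are skipped."""
    flagged: List[Tuple[str, str, float]] = []
    for device, task in sorted(effective_tasks(tasks).items()):
        if not task.enabled or not samples.get(device):
            continue
        for metric in METRICS:
            avg = hourly_average(samples[device], metric)
            if avg > task.thresholds.get(metric, DEFAULT_THRESHOLD):
                flagged.append((device, metric, avg))
    return flagged


# Constructed batch tasks: "all-branches" lists every device with the default
# thresholds; "gz-busy" is configured afterwards and raises the CPU threshold for
# fw-guangzhou only, so it is the task that governs that device.
TASKS = [
    SmartTask("all-branches", True, {},
              ("fw-beijing", "fw-shanghai", "fw-guangzhou", "fw-offline")),
    SmartTask("gz-busy", True, {"cpu": 90.0}, ("fw-guangzhou",)),
]

# Constructed utilization samples (percent) collected during the last hour.
SAMPLES = {
    "fw-beijing": [{"cpu": 82, "memory": 60, "session": 40},
                   {"cpu": 88, "memory": 62, "session": 41}],
    "fw-shanghai": [{"cpu": 70, "memory": 55, "session": 30},
                    {"cpu": 74, "memory": 57, "session": 33}],
    "fw-guangzhou": [{"cpu": 86, "memory": 50, "session": 95},
                     {"cpu": 90, "memory": 52, "session": 89}],
    "fw-offline": [],   # no samples: an offline device is never flagged
}

if __name__ == "__main__":
    for device, metric, avg in devices_to_inspect(TASKS, SAMPLES):
        print(f"inspect {device}: average {metric} utilization {avg:.1f}% exceeds threshold")
```

In the constructed data fw-guangzhou averages 88% CPU, which would trigger the default task but not the later "gz-busy" task that governs it; it is still flagged, on its session average, because that task keeps the default 80% session threshold.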

View the Inspection Report

Click Report to view and download the reports of the specified device. The list shows 10
reports by default. Click Show All Reports to view all the reports of the specified device. For
each device, the reports of the last 60 inspection tasks can be viewed.

• Click the view button to view and download the details of the report in a new window.

• Click the download button to download the report to the local PC. The report is downloaded
as a ZIP file.

License Management
HSM provides license management for managed devices, including:

• License Overview: displays the details of all licenses installed on the managed devices.

• License Distribution: installs multiple licenses onto a managed device at a time.

License Overview
You can view information about all licenses installed on managed devices on HSM, such as
status, type, effective time and customer name.
Select Device > License Overview > License Overview.

• Click the name of a device in the device list to view all licenses installed on the device.

• You can filter licenses by license status and license type.

Synchronizing Device License

When a device is registered with HSM for the first time, or when you install a license onto a
managed device from HSM, the system automatically obtains the information about all licenses
installed on the managed device. In addition, the system automatically obtains and updates the
license information of online managed devices at a fixed time every day.
You can also manually synchronize the license information of an online managed device to HSM.
To do this, take the following steps:

1. Select Device > License Overview > License Overview. Then click the name of the
required device in the device list.

2. Click the synchronize icon next to the device list to synchronize the license information
of the device to HSM.

Tips: When you log in to HSM or the system completes license information synchronization,
if a license has expired, the system sends you the corresponding notification. Click the
notification to view the details in the License Overview tab.



License Distribution
You can import multiple licenses of managed devices to HSM at a time and then install multiple
imported licenses onto a managed device at a time.

Importing Licenses

To import licenses, take the following steps:

1. Click Device > License Overview > License Distribution.

2. Click Import. In the Import License dialog box, click Browse and select the license files.
HSM supports the following file types: zip, tar and gz.

3. Click Upload to import the licenses.

Installing Licenses in Batches

To install licenses in batches, take the following steps:

1. Click Device > License Overview > License Distribution.

2. In the device list, select all devices or the devices on which licenses need to be installed.

3. In the Not Installed tab, select the licenses to be installed and click Install.

4. In the prompt dialog, click Restart Immediately to restart the device. You can also click
Restart Later and then restart the device from the system management page of the device
to make the license take effect.

5. After installation, you can view the details of the licenses in the Installed tab, such as
file name, device name, license type, license status, expiry time and install time.

6. Licenses that failed to install are displayed in the Failed Installation tab. Click "+" to
view the failure reason. Select the licenses to be re-installed and click Install to install
them again.

Notes: Click Install All in the upper-left corner to install all the uninstalled licenses
or all the licenses that failed to install. This way, you can install these licenses onto
all managed devices.

Deleting Licenses in Batches

To delete licenses in batches, take the following steps:

1. Click Device > License Overview > License Distribution.

2. In the device list, select all devices or the devices from which licenses need to be deleted.

3. Select the licenses to be deleted in the Installed, Not Installed or Failed Installation
tab, and click Delete.

4. In the prompt dialog, click OK to delete the licenses.

Cleaning All Expired Licenses

The system allows you to delete all licenses that are installed on managed devices on HSM and
whose status is expired. To do this, take the following steps:

1. Select Device > License Overview > License Distribution.

2. Click Clean All in the upper-left corner to delete all the expired licenses in the Installed tab.



Device Management Configuration Example
This page describes a typical deployment scenario and configuration examples to help you
understand adding devices and retrieving configuration files. The requirements and
configurations are shown below.

Deployment Scenario
A company is headquartered in Beijing and has branches in Shanghai and Guangzhou. Each office
is deployed with a Hillstone Networks security appliance to control Internet access. The
requirement is to deploy an HSM in Beijing to manage the three devices, as shown below:

Requirement
Requirement 1: Add three security appliances
Requirement 2: Retrieve configuration files

Configuration Steps

Preparation

Configure a management IP address and the system time on HSM as described in Deploying HSM
Management Environment.

Configuration Steps (Requirement 1)

To add the three security appliances to HSM, take the following steps:

1. Click Device > Management in the level-1 navigation pane to enter the Device Management
page.

2. Click the triangle icon next to the Add Device button and select Add Multiple Devices
from the drop-down menu. The Add Multiple Devices dialog pops up.

3. Click Download Device Info File Template. The Save As dialog appears.

4. Select the location and save the template deviceinfo.xls.

5. Open the template and configure the options as shown below:

6. Save the changes and close the template.

7. In the Add Multiple Devices dialog, click Browse. The Open dialog appears.

8. Locate the modified template and click OK. HSM starts to load the template.

9. After the template is loaded, click Upload. HSM reads the template and adds the devices in
it to HSM. If any one device fails to register, none of the devices in the template is
registered.

Configuration Steps (Requirement 2)

A green up arrow next to the device name indicates that the configuration on the device has
changed.

To retrieve the running configuration file to HSM, take the following steps:

1. Select Device > Management and then click the Device Management tab.

2. In the device navigation pane, select the device from which you want to retrieve the
configuration file.

3. With the Configuration File Management tab active, click Retrieve Configuration in the
toolbar. The Retrieve Configurations dialog appears.

4. Change the file name to test by myself_201311191354 and add the description: this is a
test.

5. Click OK. HSM starts to retrieve the configuration file.



Introduction to Configuration Management
Configuration management manages all kinds of rules (policy rules, NAT rules, route rules) and
related objects on devices. With HSM, you can retrieve the rule configuration of each device
and deploy rules from HSM to devices, so that the devices are centrally managed. To reduce
configuration errors, HSM provides the following functions to help administrators find and
resolve problems: rule conflict check, redundant object check, object reference check, etc.
The configuration management related concepts are described below:

• Policy: HSM supports configuring policy rules for devices. One policy can be deployed to
multiple devices, but one device can only have one policy. HSM supports private policies and
shared policies.

• Private Policy: A policy that belongs to one certain device only and cannot be used by
other devices. A private policy can be converted to a shared policy.

• Shared Policy: A shared policy can be used by any device. A shared policy can be copied
as a private policy. An icon is shown in front of the shared policy name.

• NAT: HSM supports configuring SNAT and DNAT rules, and supports private NAT rules and
shared NAT rules.

• Private NAT: A NAT rule that belongs to one certain device only and cannot be used by
other devices. A private NAT rule cannot be converted to a shared NAT rule.

• Shared NAT: A shared NAT rule can be used by any device. A shared NAT rule cannot be
copied as a private NAT rule. An icon is shown in front of the shared NAT rule name.

• Route: HSM supports configuring destination route rules, and supports private destination
route rules and shared destination route rules.
Introduction to Configuration Management 224


• Private Route: A route that belongs to one certain device only and cannot be used by
other devices. A private route cannot be converted to a shared route.

• Shared Route: A shared route can be used by any device. A shared route cannot be copied
as a private route. An icon is shown in front of the shared route rule name.

• Object: The objects referenced by rules in policies/NAT/routes. HSM supports private
objects and shared objects.

• Private Object: An object that belongs to one certain device only. When a private policy
is converted to a shared policy, the private objects of that policy are converted to shared
objects as well.

• Shared Object: A shared object can be referenced by all rules, including private rules. A
shared object cannot be converted to a private object.

• Device Configuration Sync: HSM compares the configuration of a device on the local device
and on HSM and lists the configuration differences. Based on the differences, administrators
can choose to upload the configuration from the local device to HSM or deploy the
configuration from HSM to the local device.

• Rule Redundancy Check: To make sure the rules in a policy are effective, HSM provides a
method to check for conflicts among the rules in a policy. With this method, administrators
get the rule shadow information.

• Rule hit statistics: For the rules running on the devices, HSM gathers hit statistics and
shows the result as a pie chart, helping administrators learn the traffic matching status in
their networks.

• Redundant object check: Redundant objects are objects that are not referenced by any
policy, or objects that have different names but the same contents.
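The rule shadow check and the redundant object check described above can be illustrated on a small constructed policy. The following Python block is an added example, not HSM code: it uses a simplified rule form (source/destination zone, address object, service object, action) and constructed object and rule names, and evaluates rules first-match, top to bottom.

```python
"""Added example (not HSM code): rule shadow check and redundant object check.

Models, on a simplified rule form (zones, IPv4 address objects, service objects,
action), the two checks the guide describes: a rule conflict (shadow) check and a
redundant object check. All object names, networks and rules below are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: int
    name: str
    src_zone: str
    dst_zone: str
    src_addr: str   # name of an address object
    dst_addr: str   # name of an address object
    service: str    # name of a service object
    action: str     # "permit" or "deny"


# Constructed address objects: name -> networks ("any" covers all of IPv4).
ADDRESS_OBJECTS: Dict[str, Tuple[IPv4Network, ...]] = {
    "any": (ip_network("0.0.0.0/0"),),
    "lan": (ip_network("10.0.0.0/8"),),
    "branch_sh": (ip_network("10.2.0.0/16"),),
    "dmz_web": (ip_network("172.16.1.0/24"),),
    "dmz_web_dup": (ip_network("172.16.1.0/24"),),   # same content, different name
    "unused_net": (ip_network("192.168.50.0/24"),),  # referenced by no rule
}

# Constructed service objects: name -> set of "proto/port" ("*" covers everything).
SERVICE_OBJECTS: Dict[str, FrozenSet[str]] = {
    "any": frozenset({"*"}),
    "http": frozenset({"tcp/80"}),
    "web": frozenset({"tcp/80", "tcp/443"}),
    "web_copy": frozenset({"tcp/80", "tcp/443"}),    # duplicate of "web"
    "ssh": frozenset({"tcp/22"}),
}
PREDEFINED = {"any"}   # built-in objects are never reported as redundant


def zone_covers(outer: str, inner: str) -> bool:
    return outer == "any" or outer == inner


def addr_covers(outer: str, inner: str) -> bool:
    """True when every network of `inner` lies inside some network of `outer`."""
    outer_nets = ADDRESS_OBJECTS[outer]
    return all(any(n.subnet_of(o) for o in outer_nets) for n in ADDRESS_OBJECTS[inner])


def service_covers(outer: str, inner: str) -> bool:
    outer_svc = SERVICE_OBJECTS[outer]
    return "*" in outer_svc or SERVICE_OBJECTS[inner] <= outer_svc


def covers(earlier: Rule, later: Rule) -> bool:
    """True when `earlier` matches every packet that `later` would match."""
    return (zone_covers(earlier.src_zone, later.src_zone)
            and zone_covers(earlier.dst_zone, later.dst_zone)
            and addr_covers(earlier.src_addr, later.src_addr)
            and addr_covers(earlier.dst_addr, later.dst_addr)
            and service_covers(earlier.service, later.service))


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (shadowed_id, shadowing_id) pairs under first-match evaluation.

    A later rule is shadowed when an earlier rule already covers all of its match
    fields: whatever its action, it can never be hit. A shadowed deny sitting below
    a broader permit is the case worth reviewing first."""
    found: List[Tuple[int, int]] = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                found.append((later.rule_id, earlier.rule_id))
                break
    return found


def redundant_objects(rules: List[Rule]) -> Dict[str, list]:
    """Objects no rule references, and pairs of objects with different names but identical contents."""
    used_addrs = {r.src_addr for r in rules} | {r.dst_addr for r in rules}
    used_svcs = {r.service for r in rules}
    unreferenced = (sorted(set(ADDRESS_OBJECTS) - used_addrs - PREDEFINED)
                    + sorted(set(SERVICE_OBJECTS) - used_svcs - PREDEFINED))
    duplicates: List[Tuple[str, str]] = []
    for table in (ADDRESS_OBJECTS, SERVICE_OBJECTS):
        names = sorted(table)
        for i, a in enumerate(names):
            duplicates.extend((a, b) for b in names[i + 1:] if table[a] == table[b])
    return {"unreferenced": unreferenced, "duplicates": duplicates}


# Constructed policy, in evaluation order.
POLICY = [
    Rule(1, "lan_web_out", "trust", "untrust", "lan", "any", "web", "permit"),
    Rule(2, "block_sh_http", "trust", "untrust", "branch_sh", "any", "http", "deny"),  # shadowed by 1
    Rule(3, "no_ssh_to_dmz", "untrust", "dmz", "any", "dmz_web", "ssh", "deny"),
    Rule(4, "admin_ssh", "trust", "dmz", "lan", "dmz_web", "ssh", "permit"),
    Rule(5, "dup_ssh_rule", "untrust", "dmz", "any", "dmz_web_dup", "ssh", "permit"),  # shadowed by 3
]

if __name__ == "__main__":
    for shadowed, by in shadowed_rules(POLICY):
        print(f"rule {shadowed} is shadowed by rule {by}")
    print(redundant_objects(POLICY))
```

Rule 2 shows why the check matters for security rather than tidiness: the deny for the Shanghai branch is placed below a permit that already covers its addresses and ports, so the traffic it was meant to block is permitted by rule 1 and rule 2 never records a hit. The duplicate-content check also explains why rule 5 is shadowed even though its address object has a different name.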

HSM supports single device policy management (device configuration) and global policy
management (shared configuration). HSM provides task management to track the policy related
tasks, and log messages are generated so that you know the task status and results. For more
information, see task.
The system supports modifying the basic configuration of an HA group, such as importing
configuration, delivering configuration and delivering global configuration. The basic
configuration of an HA group is defined as follows:

• When a group of HA devices is registered to HSM, the configuration of the master device is
the basic configuration. When the master and backup roles of the HA group switch, the basic
configuration remains unchanged.

• After managed devices are registered to HSM, the configuration of the master device when
the HA group is first established is the basic configuration.

• If a managed device leaves its HA group and establishes another HA group, the configuration
of the master device in the new HA group is the basic configuration.

For detailed information about policy management, see the following sections:

• Device Configuration

• Global Configuration



Device Configuration
Device configuration manages the rules and objects on a certain device. On HSM, all the rules
and objects in the device configuration of a device are listed, and you can create a new
rule/object or edit an existing rule/object on the device according to your requirements.
For more information about device configuration, see the following sections:

• Device Configuration

• Device Object

Device Configuration
Click Configuration > Device Configuration to enter the device configuration page. The related
configurations are:

• Policy

• Policy Assistant

• Policy Analysis

• iQoS

• NAT

• Route

• LLB

• Configuration Management

The rules created on the device configuration page are all private rules and belong to a certain
device. On HSM, you can create, edit and delete private rules. After configuring private rules,
you need to deploy them to the managed device if you want them to take effect on the device. For
more detailed information about deploying configuration, see Synchronizing Configuration.



Policy Configuration

Policy configuration includes creating/editing/deleting/moving a rule or rule group,
enabling/disabling a rule, and so on.

Creating a Policy Rule

Two ways can be used to create a new rule, as below.

To create a rule by inserting, take the following steps:

1. Click Configuration > Device Configuration to enter the device configuration page.

2. Select a device from the device navigation pane.

3. Click the Policies node in the object navigation pane at the bottom.

The options of a policy rule are described below.

ID: Displays the policy ID.

Name: Displays the policy name.

Status: Edit the policy status as needed.

Src Zone: Specifies the source zone of the policy rule. There are 8 predefined security zones
in the system: trust, untrust, dmz, L2-trust, L2-untrust, L2-dmz, vpnhub (VPN functional zone)
and ha (HA functional zone). You can also use the customized zones of StoneOS.

Src Address: Specifies the source addresses.

Dst Zone: Specifies the destination zone of the policy rule. The same 8 predefined security
zones (trust, untrust, dmz, L2-trust, L2-untrust, L2-dmz, vpnhub and ha) and the customized
zones of StoneOS are available.

Dst Address: Specifies the destination addresses.

User: Specifies a user or user group for the security policy rule.

Service: Specifies a service or service group.

Application: Specifies an application, application group or application filter.

Schedule: Specifies the schedule during which the security policy rule takes effect. Select a
schedule from the Schedule drop-down list; this option supports fuzzy search. After selecting
the desired schedules, click the blank area in the dialog to complete the schedule
configuration. To create a new schedule, click New Schedule.

Action: Specifies the action for traffic matched by the policy rule:

• Permit - Permits the traffic to pass through.

• Deny - Denies the traffic.

• Secured connection:

  • From tunnel (VPN) - For traffic from a peer to local, the system first determines whether
  the traffic originates from a tunnel; only such traffic is permitted. Select From tunnel
  (VPN) from the drop-down list after selecting the Security Connection option, and then
  select a tunnel from the following drop-down list.

  • Tunnel (VPN) - For traffic from local to a peer, select this option to allow the traffic
  to pass through the VPN tunnel. Select Tunnel (VPN) from the drop-down list after selecting
  the Security Connection option, and then select a tunnel from the following drop-down list.

Record Log: You can log policy rule matching in the system logs according to your needs.

• For Permit rules, logs are generated in two conditions: when the matched traffic starts its
session and when it ends it.

• For Deny rules, logs are generated when the matched traffic is denied.

Select one or more check boxes to enable the corresponding log types:

• Deny - Generates logs when traffic matched by the policy rule is denied.

• Session start - Generates logs when traffic matched by the policy rule starts its session.

• Session end - Generates logs when traffic matched by the policy rule ends its session.

Defense Status: You can edit the defense status.

• Antivirus: Specifies an antivirus profile. Combining a security policy rule with an
antivirus profile enables the device to implement fine-grained application layer policy
control.

• IPS: Specifies an IPS profile. Combining a security policy rule with an IPS profile enables
the device to implement fine-grained application layer policy control.

• URL Filter: Specifies a URL filter profile. Combining a security policy rule with a URL
filter profile enables the device to implement fine-grained application layer policy control.

• Botnet Defense: Select the On check box to enable the Botnet Defense function and select a
configured botnet defense profile from the drop-down list. Combining a security policy rule
with a botnet defense profile enables the device to implement fine-grained application layer
policy control. You can also click New in the drop-down list to create a botnet defense
profile.

Notes: The Antivirus/IPS/Botnet Defense/URL Filter functions are controlled by license. The
policy can be correctly delivered only after the corresponding license has been installed on
the device.

Data Security: You can view the state of data security on HSM.

• File Filter: Specifies a file filter profile. Combining a security policy rule with a file
filter profile enables the device to implement fine-grained application layer policy control.

• Content Filter:

  • Web Content: Specifies a web content profile. Combining a security policy rule with a web
  content profile enables the device to implement fine-grained application layer policy
  control.

  • Web Posting: Specifies a web posting profile. Combining a security policy rule with a web
  posting profile enables the device to implement fine-grained application layer policy
  control.

  • Email Filter: Specifies an email filter profile. Combining a security policy rule with an
  email filter profile enables the device to implement fine-grained application layer policy
  control.

  • HTTP/FTP Control: Specifies an HTTP/FTP control profile. Combining a security policy rule
  with an HTTP/FTP control profile enables the device to implement fine-grained application
  layer policy control.

• Network Behavior Record: Specifies an NBR profile. Combining a security policy rule with an
NBR profile enables the device to implement fine-grained application layer policy control.

SSL Proxy: Displays the SSL Proxy rule on the HSM device. HTTPS traffic can be decrypted and
controlled on the device by combining the policy with the SSL Proxy rule.

Description: Type a description into the Description box.

QoS Tag: Adds a QoS tag to the matched traffic by typing the value into the box. The smaller
the QoS tag value, the higher the priority with which the device allows the traffic to pass.

Operation Record: Records detailed information about your operations on the policy.

Hits: Displays the number of times user traffic has hit the security policy.

Shadow: Select the Rule Conflict Check box to view the number and IDs of rules that are
covered (shadowed) by other rules, and delete them as needed.

Last Hit Date: The last date on which user traffic hit the security policy.

4. In the Security Policy page, three ways can be used to insert a new rule:

• Click the arrow after New IPv4 Rule or New IPv6 Rule and select the position (Bottom, Top,
Bottom in group, Top in group, After, Before) from the menu where the inserted rule is
located;

• Right-click on a rule in the entry list and select New Rule, then choose
Bottom/Top/After/Before from the pop-up menu;

• Right-click on a rule group in the entry list and select New Rule, then choose
Bottom/Top/Bottom in group/Top in group/After/Before from the pop-up menu.
An all-deny rule is created at the specified position. If you click the New Rule button
directly without specifying the position, the system creates an all-deny rule at the bottom
of the rule list.

5. Edit the rule according to your requirements. For more information, refer to "Editing
Rules" on Page 235.

To create a rule by copy/paste, take the following steps:

1. In the Security Policy page, select a rule from the rule list, right-click on the rule and
choose Copy from the pop-up menu.
You can copy one or more security policy rules:

• Left-click or right-click to select one rule;

• Select one rule first and hold the Ctrl key to choose discontinuous rules;

• Select one rule first and hold the Shift key to choose continuous rules.

2. Paste the rules. Three ways can be used to paste new rules:

• Right-click on a blank cell and select Paste, then choose Bottom/Top from the pop-up menu;

• Right-click on a rule in the entry list and select Paste, then choose
Bottom/Top/After/Before from the pop-up menu;

• Right-click on a rule group in the entry list and select Paste, then choose
Bottom/Top/Bottom in group/Top in group/After/Before from the pop-up menu.
The copied rules are pasted at the specified position.

3. Edit the rule according to your requirements. For more information, refer to "Editing
Rules" on Page 235.
The security policy rules are displayed in the following order: head policy rules, policy
rules of the device, and tail policy rules.

Notes: HSM does not support copying private policy rules to another private policy.

Editing Rules

To edit a rule, use one of the following methods:

• In the rule list, double-click the cell of the option to be edited.

• Use Advanced Edit mode: in the policy rule list page, hold the Ctrl key and left-click a cell
to copy the cell content to the clipboard. Then left-click the policy rule option you want to
modify and select Cover Paste to overwrite the option with the clipboard contents, or select
Add Paste to add the clipboard contents to the option.

Notes: Only the Address/Service/Application/Schedule options can be edited in Advanced Edit
mode.

Creating a Rule Group

A security policy rule group is the management unit of rules. HSM does not deploy rule groups
to the managed devices. You can move existing rules into a rule group, and also create new
rules inside a rule group. Rule groups can be folded and expanded. Two ways can be used to
create a new rule group, as below.
To create a rule group by inserting, take the following steps:

1. In the Security Policy page, three ways can be used to insert a new rule group:

• Click the arrow after New Rule Group and select the position (With selected rules, Bottom,
Top, After, Before) from the menu where the inserted rule group is located;

• Select one rule, right-click and select New Rule Group, then choose With selected
rules/Bottom/Top/After/Before from the pop-up menu; or hold the Shift key to choose
continuous ungrouped rules in the entry list, right-click and select New Rule Group, then
choose With selected rules/Bottom/Top from the pop-up menu. If With selected rules is
selected, the specified rules are added to the new group.

• Right-click on a rule group in the entry list and select New Rule Group, then choose
Bottom/Top/After/Before from the pop-up menu.

2. In the New Rule Group dialog box, enter the group name and click OK.
A rule group is created at the specified position. If you click the New Rule Group button
directly without specifying the position, the system creates a rule group with the selected
rules. You can click the group name to modify it.

To create a rule group by copy/paste, take the following steps:

1. In the Security Policy page, select a rule group from the rule list, right-click on the rule
group and choose Copy from the pop-up menu.
You can copy one or more security policy rule groups:

• Left-click or right-click to select one rule group;

• Select one rule group first and hold the Ctrl key to choose discontinuous rule groups;

• Select one rule group first and hold the Shift key to choose continuous rule groups.

2. Paste the rule groups. Three ways can be used to paste rule groups:

• Right-click on a blank cell and select Paste, then choose Bottom/Top from the pop-up menu;

• Right-click on a rule in the entry list and select Paste, then choose
Bottom/Top/After/Before from the pop-up menu;

• Right-click on a rule group in the entry list and select Paste, then choose
Bottom/Top/After/Before from the pop-up menu.
The copied rule groups are pasted at the specified position with all their original rules
included. The group name remains unchanged.

Notes: HSM does not support copying private rule groups to another private policy.

Moving Rules and Groups

To move a rule or group, select it, press and hold the left mouse button, drag it to the target
position, and release the button. When a rule group is moved, the relative position of the
rules inside the group remains unchanged. Rules can be moved freely into or out of a rule
group, but a rule group cannot be moved into another rule group.

Deleting a Rule Group

To delete a rule group, take the following steps:

1. In the Security Policy page, select a rule group from the rule list and click Delete in the
toolbar.
In the pop-up dialog box, if the Delete rules check box is selected, the system deletes the
rule group and all the rules belonging to it; if not, the system deletes only the rule group.

2. Click OK in the dialog box.

Notes: When all the rules in a rule group are deleted, the rule group becomes empty rather
than being deleted.

Creating a Partition Group

A partition group is the management unit of devices. You can add correlated devices into one
partition group.
To create a partition group, take the following steps:

1. Click Configuration > Tools > Deploy a batch of rules; the Deploy a batch of rules guide
dialog pops up.

2. Click New in the pop-up dialog.

3. Type the partition group name into the Name text box.

4. Select the devices to be added from the Relevant Device drop-down list.

5. Click OK to save the configuration and close the dialog.

Deploying a Batch of Rules

HSM provides a guide to help you deploy a batch of rules.


To deploy a batch of rules, take the following steps:

1. Click Configuration > Tools> Deploy a batch of rules , and the Deploy a batch of rules
guide dialog will pop up.

The guide has three steps. Click Next after completing each step.



Choose Partition Group

You can select partition groups or click New to create one.

Choose Deploying Position

You can select the position for the incoming security policy rules: top or bottom.



Configure Policy Rules

You can configure the policy rules for the partition groups. Policy configuration includes
creating, editing, deleting and moving rules. For more information, see Policy Configuration.

After the above configuration, click Deliver to add the policy rules to every device in the
partition group.

Delivering Batch CLI

To deliver batch CLI in HSM, take the following steps:

1. Click Configuration > Tools > Batch Deliver CLI, and the Batch Deliver CLI dialog will
pop up.



2. In the Edit CLI area, enter the CLI. Click Copy to copy the entered CLI.

3. Click Next to choose the device to deliver CLI.

4. Click Deliver.



5. In the Deliver History area, you can view the delivered CLI. Click View Details to view the
CLI and the delivery result for each device.

Viewing Policy Rules

You can view the specified security policy rules by setting up filters.
To view the security policy rules, take the following steps:

1. In the Security Policy page, click +Filter from the toolbar.

2. Select a filter from the Filter drop-down list, and then specify the condition for that filter
as needed.

Configure the options as follows.

Option Description

All Displays the policy rules of all filters. You can enter any character string, and the
system displays the policy rules that contain it under any of the filters.

Name Displays the policy rules with the specified rule name.

ID Displays the policy rule with the specified policy ID.

Src Zone Displays the policy rules with the specified source zone.

Dst Zone Displays the policy rules with the specified destination zone.

Src Address Displays the policy rules with the specified source address.

Dst Address Displays the policy rules with the specified destination address.

Service Name Displays the policy rules with the specified service name.

Service Port Displays the policy rules whose service uses the specified source or destination
port.

Application Displays the policy rules with the specified application.

Schedule Displays the policy rules with the specified schedule.

Reference Schedule Displays the policy rules that reference a schedule, or those that do not.

Schedule Expired Displays the policy rules whose schedule has expired, or those whose schedule
has not expired.

3. Press Enter to search for the policy rules that match the filter conditions.

4. To delete a filter condition, hover your mouse over that condition and then click the icon next
to it.

To delete all filter conditions, click the icon on the right side of the row.

Exporting Policy Rules

You can export the filtered policy rules and save them locally.
To export the specified security policy rules, take the following steps:

1. In the Security Policy page, click Policy Export from the toolbar.

2. Click OK in the Export dialog box.

3. In the Save as dialog box, select the path to save the policy rules.

4. Click OK.

Opening Local Snapshot

This feature displays the security policy section of a local snapshot file, so that you can copy
local modifications into a shared or private policy. To copy rules or groups from a snapshot, take
the following steps:



1. In the Security Policy page, click Open Local Snapshot in the toolbar, select the local snapshot
file, then click Open.

2. Click Upload in the pop-up dialog box.

The system displays the details of the security policy configuration in the local snapshot.

3. Right-click the rules or groups and select Copy.

4. Minimize or close the dialog, locate the target security policy page, right-click and choose
Paste, then select from the menu the position where the copied rules are placed.

Rule Match Analysis

Rule match analysis finds the security policy rules that match the traffic you describe. For
example, if the source IP address you specify is contained in the source address entries of a rule,
that rule is displayed in the result list, and the entries that matched are shown in the Match
Details column.
Take the following steps:

1. In Security Policy page, click Rule Match Analysis from the toolbar.

2. Enter values in one or more of the text fields in the pop-up dialog box.
Source Addr: Specify the source IP address.
Src Port: Specify the source port of the service.
Destination Addr: Specify the destination IP address.
Dst Port: Specify the destination port of the service.
Protocol: Specify the transport layer protocol of the service.

3. Click Analysis to search.


The analysis result is displayed in the rule list. Click Reset to clear all the text fields so that
you can enter new values.

4. Click the button in the Match Details column to view the matched policies.



Policy Rule Management

Policy rule management includes:

l Enable/disable rules: Control whether a policy rule takes effect.

l Rule Conflict Check: Check whether rules shadow each other, so that shadowed (never matched)
rules can be removed and the policy becomes more effective.

l Rule Hit Statistics: Gather rule hit statistics and show them as a pie chart.

Enable/Disable Rules

In the Security Policy page, select the rule from the rule list, then double-click the icon in the
Status column to change its status.

Rule Conflict Check

Two ways of performing the rule conflict check are supported:

l Way 1: Select Tools > Rule Conflict Check. The system checks for conflicts among the rules in
the policy. When the check finishes, the shadowed (useless) rules are shown hatched, and the IDs
of all the rules that shadow each of them are listed in the last column (Shadow) of the rule list.
You can select all of the redundant rules by clicking the number in brackets after the check
box, so that you can delete them in a batch.
When there are more than 2000 policy rules, you must use way 2.

l Way 2: In the device navigation pane, right-click the device whose rules you want to check and
select Rule Conflict Check from the pop-up menu. The system generates a task and begins the
check. When the check finishes, click the View Report button to read the detailed information.

l View Task: Open the Task Management page to view the progress of the rule conflict check
in the task list.

l View Report: Read the detailed information.

l Save: Save the report locally in PDF format.

Notes:
l When there are more than 1500 policy rules, the system reports a conflict only when one
rule completely shadows another; partial overlaps are not reported.

l The system can run only one rule conflict check task at a time.

Rule Hit Statistics

To view the rule hit statistics, take the following steps:



1. Select Tools > Rule Hit Statistics.

2. Select the device you want to know the rule hit statistics, click Next.

3. In the Rule Hit Statistics dialog, specify a time period of statistics (the default time period is
the latest month), and click View Report. The report appears. Click Save to save the PDF
format report locally.

Converting a Policy from Private to Shared

A private policy belongs to one device only. You can convert a private policy to a shared one so
that it can be used for other devices.

Notes: Private policies cannot be converted to shared ones when their security policy rules
are configured with Data Security, SSL Proxy, Botnet Defense or IPS rules, or are linked with
From Tunnel (VPN) or Tunnel (VPN).

To convert a policy from private to shared, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the
device configuration page.

2. From the device navigation pane, select the device whose policy will be converted. From
the object navigation pane, right-click on the policy and click Convert to Shared from the
pop-up menu.

3. Specify the name for the converted policy in the Policy Name text box.

4. Click OK to save the changes and close the dialog.



Configuring the Policy-based Protection Function

The HSM system currently supports policy-based Anti-Virus, IPS, Botnet Defense, URL filtering
and sandbox protection checks.
To configure policy-based protection, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the
device configuration page.

2. From the device navigation pane, select the device whose policy will be edited. From the
object navigation pane, select Policies. The main window shows the policy rule list.

3. Click a policy entry in the list. The configuration dialog appears.

In the configuration dialog, configure the following options.

Option Description

Anti Virus Select the On check box to enable the Anti Virus function, then select an Anti Virus
rule from the drop-down list. Two kinds of Anti Virus rule are available:

l Predefined: By default, HSM provides three Anti Virus rules: predef_low, predef_middle and
predef_high. The file types and protocol types that are scanned differ between them; the
higher the rule level, the higher the security level.

l User-defined: Select a user-defined Anti Virus rule from the drop-down list, or click New in
the drop-down list to create one. For more information, see Anti-Virus.

In the drop-down list you can enter filtering conditions; the system displays all Anti Virus
rules that match them.

Intrusion Protection System Select the On check box to enable the IPS function, then select an
IPS rule from the drop-down list. You can select a predefined IPS rule or a user-defined IPS
rule from the managed device. The system provides different predefined IPS rules for firewalls
of different versions. For more information, see "Intrusion Protection System".
In the drop-down list you can enter searching conditions; the system displays all IPS rules
that match them.

Botnet Defense Select the On check box to enable the Botnet Defense function, then select a
configured botnet defense profile from the drop-down list, or click New in the drop-down list to
create one. For more information, see Configuring Botnet Prevention.
In the drop-down list you can enter filtering conditions; HSM displays all botnet defense
profiles that match them.

URL Filter Select the On check box to enable the URL Filter function, then select a URL Filter
rule from the drop-down list, or click New in the drop-down list to create one. For more
information, see URL Filter.
In the drop-down list you can enter filtering conditions; HSM displays all URL Filter rules
that match them.

Sandbox Shows whether sandbox protection is enabled on the managed device. Sandbox protection
cannot be configured from HSM. Two kinds of sandbox rule exist on the device:

l Predefined: three default sandbox rules, predef_low, predef_middle and predef_high.
predef_low covers the PE file type over HTTP/FTP/POP3/SMTP/IMAP4, with white list and filter
enabled. predef_middle covers the PE/APK/JAR/MS-Office/PDF file types over
HTTP/FTP/POP3/SMTP/IMAP4, with white list and filter enabled. predef_high covers the
PE/APK/JAR/MS-Office/PDF/SWF/RAR/ZIP file types over HTTP/FTP/POP3/SMTP/IMAP4, with white
list and filter enabled.

l User-defined: the user-defined sandbox rules.

4. After the settings are configured, the policy entry displays a status icon for each enabled
function: Anti Virus, IPS, URL Filter and Sandbox.

Policy Assistant

The policy assistant helps you optimize the security policy of managed devices, improve operation
and maintenance efficiency, and improve network security.
For a managed device, the policy assistant analyzes the traffic that hits a specified security
policy rule on the device, generates a refined policy from that traffic, and delivers the refined
policy to the managed device.
Before enabling the policy assistant for a managed device, make sure that session logging is
enabled on the device and that the session logs are sent to HSM; when specifying the security
policy rules of the managed device for the policy assistant, make sure that all policies of the
device have been synchronized to HSM.



Configuring Policy Assistant

Configure the parameters of policy assistant. For specific information, refer to "Configuration >
Default Parameters".

Opening Policy Assistant

The policy assistant can be enabled for at most four rules of a managed device's security policy.
To open the policy assistant, take the following steps:

1. Select Configuration > Device Configuration.

2. In the left navigation bar, select the managed device for which you want to open the policy
assistant.

3. Select "Policies" from the drop-down list in the navigation bar and click Security Policy. The
security policy rule list is displayed in the main window.

4. Click Policy Assistant to enter the Policy Assistant page, you can also perform other oper-
ations:

l Click the Object Naming Rule button to jump to the Object Naming Configuration page, where
you can customize the naming rule of the service book in the generated policy rules and
configure how name conflicts are handled. For more information, refer to Ticket > Object
Naming Configuration.

l Click the button in the "Operation" column to open the policy assistant for the corresponding
policy rule.



l Hold down "Ctrl" to select multiple rules, then click the Batch Start button to open the policy
assistant for the selected rules in a batch, or the Batch Stop button to stop the traffic
analysis of the selected rules in a batch.

Analyzing Traffic

After the policy assistant is opened for a policy rule, the system automatically starts analyzing
the traffic that hits the rule; the analysis progress is shown in the "Traffic Analysis" column.
Click the button in the "Operation" column to enter the View Analysis Result page, which displays
the "Source IP", "Destination IP", "Protocol/Destination Port" and "Hits" of the traffic that hit
the rule.

On the View Analysis Result page, you can also perform other operations:

l Screening Condition: Configure screening conditions for the traffic data; the system filters
the traffic by source IP or destination IP.

l Aggregation Condition: Configure aggregation conditions for the traffic data; the system merges
the traffic entries that meet the condition and displays the aggregated traffic in the list. Four
aggregation conditions are supported: Source IP + Destination IP, Source IP + Protocol/Port,
Destination IP + Protocol/Port, and Don't aggregate.

l Generate Policy: Enter the Generate And Deploy Policy page. For each traffic entry in the list,
the system generates a policy rule from the Src Zone of the source IP, the Dst Zone of the
destination IP, and the service, and displays it on the Generate And Deploy Policy page.

l Back: Return to the View Analysis Result page.
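The screening, aggregation, Generate Policy and Combine Rule steps above, written out as an added Python example (this is not HSM's own code, and the field names, the "*" placeholder and the session-log records are constructed for the illustration):

```python
"""Policy Assistant style traffic analysis (example code, not HSM's own): screen and
aggregate the session-log hits of one broad rule, then generate and combine refined rules."""
from collections import Counter
from typing import Callable, Dict, List, Tuple

ANY = "*"  # placeholder for a field collapsed by aggregation

# Constructed session-log records (src_ip, dst_ip, protocol, dst_port) of sessions that
# hit the analysed rule.
SESSION_LOG: List[Tuple[str, str, str, int]] = [
    ("10.1.2.10", "203.0.113.5", "tcp", 443),
    ("10.1.2.10", "203.0.113.5", "tcp", 443),
    ("10.1.2.11", "203.0.113.5", "tcp", 443),
    ("10.1.2.10", "203.0.113.9", "tcp", 22),
    ("10.1.2.50", "198.51.100.7", "udp", 53),
    ("10.1.2.50", "198.51.100.7", "udp", 53),
]

# The four aggregation conditions: fields outside the key are collapsed to ANY.
AGGREGATIONS: Dict[str, Callable] = {
    "src+dst":     lambda s, d, p, port: (s, d, ANY, ANY),   # Source IP + Destination IP
    "src+service": lambda s, d, p, port: (s, ANY, p, port),  # Source IP + Protocol/Port
    "dst+service": lambda s, d, p, port: (ANY, d, p, port),  # Destination IP + Protocol/Port
    "none":        lambda s, d, p, port: (s, d, p, port),    # Don't aggregate
}


def analyze(log, aggregation="none", src_filter=None, dst_filter=None):
    """Screening (by source or destination IP) followed by aggregation.
    Returns {(src, dst, proto, port): hits}, most-hit entries first."""
    key = AGGREGATIONS[aggregation]
    counts: Counter = Counter()
    for s, d, p, port in log:
        if src_filter is not None and s != src_filter:
            continue
        if dst_filter is not None and d != dst_filter:
            continue
        counts[key(s, d, p, port)] += 1
    return dict(counts.most_common())


def generate_rules(analysis, src_zone, dst_zone, action="permit"):
    """One candidate rule per aggregated entry, as Generate Policy does; a collapsed
    field becomes 'any'."""
    rules = []
    for (s, d, p, port), hits in analysis.items():
        rules.append({
            "src_zone": src_zone, "dst_zone": dst_zone, "action": action, "enabled": True,
            "src": ["any" if s == ANY else s],
            "dst": ["any" if d == ANY else d],
            "service": ["any" if p == ANY else f"{p}/{port}"],
            "hits": hits,
        })
    return rules


def combine_rules(rules):
    """Combine Rule: merge rules that share Src Zone, Dst Zone, Status and Action into
    one rule whose address and service sets are the union of the originals."""
    keys = {(r["src_zone"], r["dst_zone"], r["enabled"], r["action"]) for r in rules}
    if len(keys) != 1:
        raise ValueError("rules to combine must share zones, status and action")
    src_zone, dst_zone, enabled, action = keys.pop()
    return {
        "src_zone": src_zone, "dst_zone": dst_zone, "action": action, "enabled": enabled,
        "src": sorted({a for r in rules for a in r["src"]}),
        "dst": sorted({a for r in rules for a in r["dst"]}),
        "service": sorted({s for r in rules for s in r["service"]}),
        "hits": sum(r["hits"] for r in rules),
    }


if __name__ == "__main__":
    for key, hits in analyze(SESSION_LOG, "dst+service").items():
        print(key, hits)
    print(combine_rules(generate_rules(analyze(SESSION_LOG, "dst+service"), "trust", "untrust")))
```

Aggregating by destination and service is usually the most useful view when the goal is to replace a broad "any" rule: it yields one rule per exposed service regardless of how many clients reached it.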

Generating And Deploying Policy

After the traffic is screened and aggregated, the refined policy rules are generated and displayed
in the list on the Generate and Deploy Policy page. Because these rules are derived from the
traffic that was observed hitting the broad rule, review them before deploying: any unwanted
sessions that matched during the analysis period would otherwise be permitted explicitly. Before
deploying, you can perform the following operations on the policy rules:

l Select policy rules in the list and click the Batch Enable or Batch Disable button to enable or
disable them.

l Select policy rules in the list and click the Batch Delete button to delete them, or click the
button in the "Operation" column to delete a single policy rule.

l Click in the "Src Zone", "Dst Zone", "Status" or "Action" column to modify the Src Zone, Dst
Zone, Status or Action of a policy rule.

l Select policy rules with the same Src Zone, Dst Zone, Status and Action in the list and click
the Combine Rule button to combine them into one rule.

To ensure that the policy rules deployed to the firewall are effective, the system performs a
redundancy check on them before deployment, that is, it checks whether each rule is shadowed by an
existing policy rule on the firewall according to the Src Zone, Dst Zone and Status. The steps are
as follows:

1. Select the policy rules in the list and click the Redundancy Detection button.

2. On the Redundancy Detection page, view the result of the check. The "Is Redundant" column
shows whether a policy rule is shadowed; if it is shadowed by an existing rule on the firewall,
the ID of that rule is shown in the "Shadow" column.

3. Select the policy rules in the list and click the Deploy button to deploy them to the managed
device.

Notes: In the device's policy list, the deployed rules are placed before the rule that was
analyzed, so they are matched first.
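Rule Match Analysis, the Rule Conflict Check (the Shadow column) and the Redundancy Detection step above all rest on the same two questions: which rules contain a given packet, and which earlier rule covers every packet a later rule could match. The following added Python example (not HSM's or StoneOS's code; the rule fields, zone name "any" and the sample rules are assumptions made for the illustration) implements both over an ordered rule list, using the complete-shadow definition the guide gives for large policies:

```python
"""Rule match analysis and complete-shadow detection over an ordered policy rule list
(example code, not HSM's own)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

ANY = "any"


@dataclass
class Rule:
    rule_id: int
    src_zone: str
    dst_zone: str
    src_nets: List[str]          # CIDR strings; ["any"] matches every address
    dst_nets: List[str]
    protocol: str                # "tcp", "udp", "icmp" or "any"
    dst_ports: Tuple[int, int]   # inclusive destination port range; (0, 65535) for any
    enabled: bool = True


def _nets(cidrs):
    return [ip_network("0.0.0.0/0" if c == ANY else c, strict=False) for c in cidrs]


def _ip_in(ip, cidrs):
    addr = ip_address(ip)
    return any(addr in n for n in _nets(cidrs))


def _nets_cover(outer, inner):
    """True if every network in `inner` lies inside some network of `outer`."""
    return all(any(i.subnet_of(o) for o in _nets(outer)) for i in _nets(inner))


def match_rules(rules, src_ip, dst_ip, protocol, dst_port):
    """Rule Match Analysis: IDs of the enabled rules whose entries contain the traffic,
    in policy order. The first ID is the rule the firewall would actually apply."""
    hits = []
    for r in rules:
        if not r.enabled:
            continue
        if (_ip_in(src_ip, r.src_nets) and _ip_in(dst_ip, r.dst_nets)
                and r.protocol in (ANY, protocol)
                and r.dst_ports[0] <= dst_port <= r.dst_ports[1]):
            hits.append(r.rule_id)
    return hits


def covers(outer, inner):
    """True if `outer` matches every packet that `inner` matches: zones, addresses and
    service of `inner` are all contained in those of `outer`."""
    return ((outer.src_zone in (ANY, inner.src_zone))
            and (outer.dst_zone in (ANY, inner.dst_zone))
            and _nets_cover(outer.src_nets, inner.src_nets)
            and _nets_cover(outer.dst_nets, inner.dst_nets)
            and outer.protocol in (ANY, inner.protocol)
            and outer.dst_ports[0] <= inner.dst_ports[0]
            and inner.dst_ports[1] <= outer.dst_ports[1])


def find_shadowed(rules):
    """Complete-shadow check: a rule is shadowed when an earlier enabled rule covers it.
    Returns {shadowed_rule_id: [IDs of the earlier rules that shadow it]}, which is what
    the Shadow column shows. Disabled rules neither shadow nor are reported."""
    result: Dict[int, List[int]] = {}
    for i, inner in enumerate(rules):
        if not inner.enabled:
            continue
        shadowers = [o.rule_id for o in rules[:i] if o.enabled and covers(o, inner)]
        if shadowers:
            result[inner.rule_id] = shadowers
    return result


# Constructed sample policy: rule 2 is a broad permit that makes rule 3 unreachable.
SAMPLE_RULES = [
    Rule(1, "trust", "untrust", ["10.1.0.0/16"], ["any"], "tcp", (443, 443)),
    Rule(2, "trust", "untrust", ["any"], ["any"], "any", (0, 65535)),
    Rule(3, "trust", "untrust", ["10.1.2.0/24"], ["203.0.113.0/24"], "tcp", (22, 22)),
    Rule(4, "dmz", "untrust", ["192.168.5.0/24"], ["any"], "udp", (53, 53)),
    Rule(5, "trust", "untrust", ["10.1.2.0/24"], ["any"], "tcp", (80, 80), enabled=False),
]

if __name__ == "__main__":
    print(match_rules(SAMPLE_RULES, "10.1.2.10", "203.0.113.5", "tcp", 22))
    print(find_shadowed(SAMPLE_RULES))
```

Note that a rule can be reported by Rule Match Analysis and still never fire: rule 3 contains the SSH flow in the sample, but rule 2 sits above it and takes the traffic first, which is exactly what the shadow check surfaces.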

Policy Analysis

HSM supports policy hit analysis for StoneOS 5.5R7 or above. The system tracks the hit count of
each policy rule: each time traffic matches a rule, its hit count increases by 1. Together with
the first hit time, the last hit time and the number of days since the last hit, the statistics
help you identify policy rules that can be removed. You can view the specified policy rules by
setting up filters.
To check the hit counts, take the following steps:

1. Select Configuration > Device Configuration.

2. In the left navigation bar, select the managed device for which you want to open the policy
analysis function.

3. Select "Policies" from the drop down list in the navigation bar. Click Security Policy >
Policy Analysis.

4. Select filter conditions from the Filter drop-down list, and configure filter conditions as
needed.

Configure the options as follows.

Option Description

Days Since First Hit > Specify a number of days. Policy rules whose first hit was more than
that many days ago are displayed.

Days Since Last Hit > Specify a number of days. Policy rules whose last hit was more than that
many days ago are displayed.

Days Since Create Time > Specify a number of days. Policy rules that were created more than
that many days ago are displayed.

5. The system automatically displays the latest Policy Analysis result.

6. To delete a filter condition, hover your mouse over that condition and then click the icon.

To clear the hit counts of policy rules, take the following steps:

1. Select Configuration > Device Configuration.

2. Select the managed device in the left navigation bar.

3. Select "Policies" from the drop down list in the navigation bar. Then , click Security Policy
> Policy Analysis.

4. Click Clear button to open Clear dialog.

Configure the following options.

Option Description

All policies Clear the hit counts of all policy rules.

Default Policy Clear the hit counts of the default policy rules.

Policy ID Clear the hit counts of the policy rule with the specified ID.

5. Click OK.

You can also click Refresh button to update the statistics of the hit counts of policy rules.

Notes: After the Clear function is executed, the hit counts of the corresponding policy rules
become 0 on the Policy Analysis page in HSM, and on the Policy Hit Analysis page and Security
Policy page of the managed device.
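As an added illustration of the three "Days Since ... >" filters and of how the statistics are used to find cleanup candidates (example code, not HSM's own; the record fields, the treatment of never-hit rules and the sample dates are assumptions):

```python
"""Policy hit analysis (example code, not HSM's own): apply the Days Since filters to
per-rule hit records and flag rules that are candidates for cleanup."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class RuleHits:
    rule_id: int
    created: date
    hit_count: int
    first_hit: Optional[date]   # None when the rule has never been hit
    last_hit: Optional[date]


def days_since(d: Optional[date], today: date) -> Optional[int]:
    return None if d is None else (today - d).days


def filter_rules(records, today, days_since_first_hit=None, days_since_last_hit=None,
                 days_since_create=None, include_never_hit=True):
    """Keep the rules whose figure is greater than each given threshold (the page's
    '>' filters). A never-hit rule has no hit dates; include_never_hit decides whether
    the hit-based filters keep it (an assumption: the guide does not say how the UI
    treats such rules)."""
    kept: List[int] = []
    for r in records:
        if days_since_create is not None and not days_since(r.created, today) > days_since_create:
            continue
        ok = True
        for threshold, value in ((days_since_first_hit, days_since(r.first_hit, today)),
                                 (days_since_last_hit, days_since(r.last_hit, today))):
            if threshold is None:
                continue
            ok = ok and (include_never_hit if value is None else value > threshold)
        if ok:
            kept.append(r.rule_id)
    return kept


def cleanup_candidates(records, today, idle_days):
    """Rules not hit for idle_days, or never hit and older than idle_days. Newly created
    rules that have not been hit yet are deliberately not flagged."""
    return filter_rules(records, today, days_since_last_hit=idle_days,
                        days_since_create=idle_days)


def clear_hits(records, scope):
    """Mirror the Clear dialog for the 'all' scope or a single Policy ID.
    Returns the IDs whose counters were reset."""
    cleared = []
    for r in records:
        if scope == "all" or r.rule_id == scope:
            r.hit_count, r.first_hit, r.last_hit = 0, None, None
            cleared.append(r.rule_id)
    return cleared


# Constructed sample records as of the reference date below.
TODAY = date(2022, 12, 7)
SAMPLE = [
    RuleHits(10, date(2021, 1, 1), 1200, date(2021, 1, 5), date(2022, 12, 6)),
    RuleHits(11, date(2021, 6, 1), 3, date(2021, 6, 10), date(2021, 7, 1)),
    RuleHits(12, date(2022, 11, 20), 0, None, None),
    RuleHits(13, date(2020, 3, 1), 0, None, None),
]

if __name__ == "__main__":
    print("cleanup candidates:", cleanup_candidates(SAMPLE, TODAY, 90))
```

Combining the last-hit and create-time filters, as cleanup_candidates does, avoids the common mistake of deleting a rule that was added recently and simply has not seen traffic yet.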

iQoS

HSM provides centralized management of iQoS (intelligent quality of service), which guarantees the
customer's network performance, manages and optimizes the bandwidth for critical business traffic,
and helps the customer fully utilize their bandwidth resources.
iQoS gives different priorities to different traffic in order to control delay and jitter and
reduce the packet loss rate, assuring the normal transmission of critical business traffic when the
network is overloaded or congested. iQoS is controlled by license: to configure iQoS for a managed
device, apply for and install the iQoS license on that device.

Notes: HSM supports centralized management of iQoS only for devices whose NGFW version is
5.5R1 or above.

Implement Mechanism

Packets are classified and marked when they enter the system through the ingress interface. For the
classified and marked traffic, the system either forwards the traffic smoothly through the shaping
mechanism or drops the excess through the policing mechanism. When the shaping mechanism is
selected, the congestion management and congestion avoidance mechanisms give different priorities
to different types of packets, so that packets of higher priority pass the gateway earlier and
network congestion is avoided.
In general, implementing QoS includes:

l Classification and marking mechanism: Classification and marking is the process of identifying
the priority of each packet. This is the first step of iQoS.

l Policing and shaping mechanisms: Policing and shaping mechanisms are used to identify traffic
violation and make responses. The policing mechanism checks traffic in real time, and takes
immediate actions according to the settings when it discovers violation. The shaping mech-
anism works together with queuing mechanism. It makes sure that the traffic will never
exceed the defined flow rate so that the traffic can go through that interface smoothly.

l Congestion management mechanism: The congestion management mechanism uses queuing theory to
solve problems on congested interfaces. As the data rate can differ between networks, congestion
may happen on both wide area network (WAN) and local area network (LAN) links. Queuing begins to
work only when an interface is congested.

l Congestion avoidance mechanism: The congestion avoidance mechanism is a supplement to the
queuing algorithm and also relies on it. The congestion avoidance mechanism is designed to process
TCP-based traffic.

Pipes and Traffic Control Levels

The system supports two-level traffic control: level-1 control and level-2 control. In each level,
the traffic control is implemented by pipes.

Pipes

Devices implement iQoS by means of pipes. A pipe is a virtual concept that represents the bandwidth
of a transmission path. The system classifies traffic with the pipe as the unit and controls the
traffic crossing each pipe according to the actions defined for it. All traffic crossing the device
flows into the virtual pipe whose traffic matching conditions it matches. Traffic that does not
match any condition flows into the default pipe predefined by the system.
Pipes, except the default pipe, include two parts of configurations: traffic matching conditions and
traffic management actions:

l Traffic matching conditions: Define the conditions used to classify the traffic crossing the
device into the matching pipes; the system limits the bandwidth of the traffic that matches them.
You can define multiple traffic matching conditions for a pipe; the logical relation between the
conditions is OR, so traffic enters the pipe as soon as it matches any one of them. If the same
conditions are configured in different root pipes, the traffic matches the root pipe listed
highest in the Level-1 Control list of the Policy > iQoS page.

l Traffic management actions: Defines the actions adopted to the traffic that has been classified
to a pipe. The data stream control includes the forward control and the backward control. For-
ward control controls the traffic that flows from the source to the destination; backward con-
trol controls the traffic flows from the destination to the source.

To provide flexible configuration, the system supports multiple-level pipes. Multiple-level pipes
let you limit the bandwidth of different applications of different users, which ensures bandwidth
for the key services and users. Pipes can be nested to at most four levels. Sub pipes cannot be
nested under the default pipe. The logical relation between pipes is shown below:



l You can create multiple root pipes that are independent individually. At most three levels of
sub pipes can be nested to the root pipe.

l For the sub pipes at the same level, the total of their minimum bandwidth cannot exceed the
minimum bandwidth of their upper-level parent pipe, and the total of their maximum band-
width cannot exceed the maximum bandwidth of their upper-level parent pipe.

l If you have configured forward or backward traffic management actions on the root pipe, all sub
pipes that belong to that root pipe inherit the traffic direction set on the root pipe.

l A root pipe that is configured only with backward traffic management actions cannot work.

The following chart illustrates the application of multiple-level pipes in a company. The
administrator can create the following pipes to limit the traffic:

1. Create a root pipe to limit the traffic of the office located in Beijing.

2. Create a sub pipe to limit the traffic of its R&D department.

3. Create a sub pipe to limit the traffic of the specified applications so that each application
has its own bandwidth.

4. Create a sub pipe to limit the traffic of the specified users so that each user owns the
defined bandwidth when using the specified application.

Traffic Control Levels

The system supports two-level traffic control: level-1 control and level-2 control. In each level,
the traffic control is implemented by pipes. Traffic that is dealt with by level-1 control flows into
the level-2 control, and then the system performs the further management and control according
to the pipe configurations of level-2 control. After the traffic flows into the device, the process of
iQoS is shown as below:

According to the chart above, the process of traffic control is described below:



1. The traffic first flows into the level-1 control, and then the system classifies the traffic into
different pipes according to the traffic matching conditions of the pipe of level-1 control.
The traffic that cannot match any pipe will be classified into the default pipe. If the same
conditions are configured in different root pipes, the traffic will first match the root pipe lis-
ted at the top of the Level-1 Control list in the Policy > iQoS page. After the traffic flows
into the root pipe, the system classifies the traffic into different sub pipes according to the
traffic matching conditions of each sub pipe.

2. According to the traffic management actions configured for the pipes, the system manages
and controls the traffic that matches the traffic matching conditions.

3. The traffic dealt with by level-1 control flows into the level-2 control. The system manages
and controls the traffic in level-2 control. The principle of traffic matching, management and
control are the same as the one of the level-1 control.

4. Complete the process of iQoS.
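The pipe rules above (OR between a pipe's conditions, top-to-bottom root pipe order, the default pipe for unmatched traffic, at most four nesting levels, sub pipe minimum/maximum totals bounded by the parent, and two independent control levels) can be modelled in a few dozen lines. The following added Python example is not HSM's or StoneOS's code; the condition fields, the kbps units and the Beijing office tree are assumptions built on the guide's illustration:

```python
"""Model of iQoS pipes (example code, not HSM's own): nested pipe tree, bandwidth
constraint validation and two-level classification of a flow."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List

MAX_LEVELS = 4          # a root pipe plus at most three levels of sub pipes
DEFAULT_PIPE = "default"


@dataclass
class Condition:
    """One traffic matching condition; 'any' matches every value of that field."""
    src_zone: str = "any"
    src_net: str = "any"        # CIDR
    application: str = "any"
    user: str = "any"

    def matches(self, flow: Dict[str, str]) -> bool:
        if self.src_zone != "any" and flow["src_zone"] != self.src_zone:
            return False
        if self.src_net != "any" and ip_address(flow["src_ip"]) not in ip_network(self.src_net):
            return False
        if self.application != "any" and flow["application"] != self.application:
            return False
        if self.user != "any" and flow["user"] != self.user:
            return False
        return True


@dataclass
class Pipe:
    name: str
    mode: str = "shape"                 # shape, policy or monitor
    min_kbps: int = 0
    max_kbps: int = 0
    conditions: List[Condition] = field(default_factory=list)   # OR between conditions
    children: List["Pipe"] = field(default_factory=list)
    enabled: bool = True

    def matches(self, flow) -> bool:
        return self.enabled and any(c.matches(flow) for c in self.conditions)


def validate(pipe: Pipe, level: int = 1) -> List[str]:
    """Check nesting depth and that the sub pipes' minimum and maximum bandwidth totals
    stay within the parent pipe's limits."""
    errors: List[str] = []
    if level > MAX_LEVELS:
        return [f"{pipe.name}: nested deeper than {MAX_LEVELS} levels"]
    if pipe.children:
        if sum(c.min_kbps for c in pipe.children) > pipe.min_kbps:
            errors.append(f"{pipe.name}: sub pipes' minimum bandwidth exceeds the parent's")
        if sum(c.max_kbps for c in pipe.children) > pipe.max_kbps:
            errors.append(f"{pipe.name}: sub pipes' maximum bandwidth exceeds the parent's")
    for child in pipe.children:
        errors.extend(validate(child, level + 1))
    return errors


def classify(root_pipes: List[Pipe], flow) -> List[str]:
    """Root pipes are tried top to bottom (first match wins); the flow then descends into
    the first matching sub pipe at each level. Unmatched traffic goes to the default pipe."""
    for root in root_pipes:
        if not root.matches(flow):
            continue
        path, node = [root.name], root
        while True:
            nxt = next((c for c in node.children if c.matches(flow)), None)
            if nxt is None:
                return path
            path.append(nxt.name)
            node = nxt
    return [DEFAULT_PIPE]


def two_level_control(level1: List[Pipe], level2: List[Pipe], flow):
    """Traffic passes level-1 control and then level-2 control; each level classifies
    the flow independently against its own pipes."""
    return {"level1": classify(level1, flow), "level2": classify(level2, flow)}


# Constructed tree following the guide's Beijing office illustration.
BEIJING = Pipe("beijing", min_kbps=50_000, max_kbps=100_000,
    conditions=[Condition(src_zone="trust")],
    children=[Pipe("rd", min_kbps=20_000, max_kbps=60_000,
        conditions=[Condition(src_net="10.1.2.0/24")],
        children=[Pipe("rd-http", min_kbps=10_000, max_kbps=30_000,
            conditions=[Condition(application="HTTP")],
            children=[Pipe("rd-http-alice", min_kbps=2_000, max_kbps=5_000,
                conditions=[Condition(user="alice")])])])])

if __name__ == "__main__":
    flow = {"src_zone": "trust", "src_ip": "10.1.2.10", "application": "HTTP", "user": "alice"}
    print(validate(BEIJING), classify([BEIJING], flow))
```

The validator is the check worth running before delivering a pipe configuration: a sub pipe whose guaranteed minimum cannot be honoured by its parent silently fails to deliver the bandwidth the operator expects.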

Enabling/Disabling Traffic Control

The first level traffic control is enabled by default. To disable it, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the
device configuration page.

2. Select a device from the devices navigation pane.

3. Select Policies > iQoS to enter iQoS page.

4. In the Level-1 Control tab, click Disable First Level Control from the toolbar.
First level traffic control will be disabled. If you need to enable it, please click Enable First
Level Control from the toolbar.

The second level traffic control is disabled by default. To enable it, take the following steps:



1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the
device configuration page.

2. Select a device from the devices navigation pane.

3. Select Policies > iQoS to enter iQoS page.

4. In the Level-2 Control tab, click Enable Second Level Control from the toolbar.
Second level traffic control will be enabled. If you need to disable it, please click Disable
Second Level Control from the toolbar.

Pipe Configuration

Devices implement iQoS by means of pipes. Pipes in different traffic control levels take effect at
different stages.
Configuring pipes includes the following sections:

1. Create the traffic matching conditions, which capture the traffic that matches them. If
multiple traffic matching conditions are configured for a pipe, the logical relation between
them is OR.

2. Create a white list according to your requirements. The system will not control the traffic in
the white list. Only root pipe and the default pipe support the white list.

3. Specify the traffic management actions, which are used to deal with the traffic that is clas-
sified into a pipe.

4. Specify the schedule. The pipe will take effect during the specified time period.

Basic Operations

Select Policy > iQoS to open the iQoS page.

You can perform the following actions in this page:



l View pipe information: The pipe list displays the name, mode, action, schedule, and so on.

l Click the icon to expand the root pipe and display its sub pipes.

l Click the icon in Condition column to view the condition settings.

l Click the icon of the root pipe in Whitelist column to view the white list settings.

l If there is a red exclamation mark before a pipe name, the pipe cannot take effect. To
view the reason, hover over the exclamation mark.

l Create a root pipe: Select the Level-1 Control or Level-2 Control tab, then click New in the
menu bar to create a new root pipe.

l Create a sub pipe: Click the icon of a root pipe or a sub pipe to create a sub pipe under it.

l Click Enable in the menu bar to enable the selected pipe. By default, the newly-created pipe
will be enabled.

l Click Disable in the menu bar to disable the selected pipe. The disabled pipe will not take
effect.

l Click Delete to delete the selected pipe. The default pipe cannot be deleted.

Creating a Pipe

To create a pipe:

1. Using one of the methods above, create a root pipe or sub pipe. The Pipe Configuration
page appears.

2. In the Basic tab, specify the basic pipe information.

l Parent Pipe/Control Level: Displays the control level or the parent pipe of the newly
created pipe.

l Pipe Name: Specify a name for the new pipe.

l Description: Specify the description of this pipe.

l QoS Mode: Shape, Policy, or Monitor.

l The Shape mode limits the data transmission rate and forwards the traffic
smoothly. This mode supports bandwidth borrowing and priority adjustment for
the traffic within the root pipe.

l The Policy mode drops the traffic that exceeds the bandwidth limit. This
mode does not support bandwidth borrowing or priority adjustment, and
cannot guarantee the minimum bandwidth.

l The Monitor mode monitors the matched traffic and generates statistics, but
does not control the traffic.

3. In the Condition tab, click New.

In the Condition Configuration tab, configure the corresponding options.

Source Information

Zone: Specify the source zone of the traffic. Select the zone name from the drop-down menu.

Interface: Specify the source interface of the traffic. Select the interface name from the
drop-down menu.

Address: Specify the source address of the traffic.

1. Select an address type from the Address drop-down list.

2. Select or type the source addresses based on the selected type.

3. Click to add the addresses to the right pane.

4. After adding the desired addresses, click the blank area in this dialog to complete the
address configuration.

You can also perform other operations:

l When selecting the Address Book type, you can click Add to create a new address entry.

l The default address configuration is any. To restore the configuration to this default one,
select the any check box.

Destination Information

Zone: Specify the destination zone of the traffic. Select the zone name from the drop-down
menu.

Interface: Specify the destination interface of the traffic. Select the interface name from the
drop-down menu.

Address: Specify the destination address of the traffic.

1. Select an address type from the Address drop-down list.

2. Select or type the destination addresses based on the selected type.

3. Click to add the addresses to the right pane.

4. After adding the desired addresses, click the blank area in this dialog to complete the
address configuration.

You can also perform other operations:

l When selecting the Address Book type, you can click Add to create a new address entry.

l The default address configuration is any. To restore the configuration to this default one,
select the any check box.

User Information: Specify a user or user group that the traffic belongs to.

1. From the User drop-down menu, select the AAA server where the users and user groups
reside.

2. Depending on the type of AAA server, you can perform one or more actions: search for a
user/user group/role, expand the user/user group list, or enter the name of the user/user
group.

3. After selecting users/user groups/roles, click to add them to the right pane.

4. After adding the desired objects, click the blank area in this dialog to complete the user
information configuration.

Service: Specify a service or service group that the traffic belongs to.

1. From the Service drop-down menu, select a type: Service or Service Group.

2. Search for the desired service/service group, or expand the service/service group list.

3. After selecting the desired services/service groups, click to add them to the right pane.

4. After adding the desired objects, click the blank area in this dialog to complete the
service configuration.

You can also perform other operations:

l To add a new service or service group, click Add.

l The default service configuration is any. To restore the configuration to this default one,
select the any check box.

Application: Specify an application or application group that the traffic belongs to. The
system supports application groups nested up to 8 layers deep. Expand Application Group in
the left pane, select applications, application groups, or software, and then click to add them
to the right pane.
To remove a selected application or application group, select it in the right pane, and then
click . To add a new application group, click New AppGroup.

URL Category: Specifies the URL category that the traffic belongs to. After you specify the
URL category, the system matches the traffic according to the specified category.

1. In the URL category drop-down menu, select one or more URL categories, up to 8
categories.

2. After selecting the desired categories, click the blank area in this dialog to complete the
configuration.

To add a new URL category, click New; the URL category dialog box appears, in which you
can configure the category name and URL. To edit a URL category, select it and click Edit; the
URL category dialog box appears, in which you can edit the URLs in the category.

Advanced

VLAN: Specify the VLAN information of the traffic.

TOS: Specify the TOS fields of the traffic, or click Configure to specify the TOS fields of the
IP header of the traffic in the TOS Configuration dialog that appears.

l Precedence: Specify the precedence.

l Delay: Specify the minimum delay.

l Throughput: Specify the maximum throughput.

l Reliability: Specify the highest reliability.

l Cost: Specify the minimum monetary cost.

l Reserved: Specify the normal service.

4. If you are configuring a root pipe, you can specify the white list settings in the same way as
the conditions described above.

5. In the Action tab, configure the corresponding actions.

Forward (From source to destination)

The following configurations control the traffic that flows from the
source to the destination. For the traffic that matches the conditions,
the system will perform the corresponding actions.

Pipe Bandwidth: When configuring the root pipe, specify the pipe bandwidth. When
configuring a sub pipe, specify the maximum bandwidth and the minimum bandwidth of the
pipe:

l Min Bandwidth: Specify the minimum bandwidth. If you want this minimum bandwidth
to be reserved so that it cannot be used by other pipes, select Enable Reserved
Bandwidth.

l Max Bandwidth: Specify the maximum bandwidth.

Limit type: Specify the maximum bandwidth and minimum bandwidth of the pipe for each
user/IP:

l Type: Select the type of the bandwidth limitation: No Limit, Limit Per IP, or Limit
Per User.

l No Limit means that the system will not limit the bandwidth for each IP or each
user.

l Limit Per IP means that the system will limit the bandwidth for each IP. In the
Limit by section, select Source IP to limit the bandwidth of the source IP in this
pipe, or select Destination IP to limit the bandwidth of the destination IP in this
pipe.

l Limit Per User means that the system will limit the bandwidth for each user. In
the Limit by section, specify the minimum/maximum bandwidth of the users.

l When configuring the root pipe, you can select the Enable Average Bandwidth check
box to make each source IP, destination IP, or user share an average bandwidth.

Limit by: When the Limit type is Limit Per IP or Limit Per User, you need to specify the
minimum bandwidth or the maximum bandwidth:

l Min Bandwidth: Specify the minimum bandwidth.

l Max Bandwidth: Specify the maximum bandwidth.

Advanced

Priority: Specify the priority of the pipe. Select a number between 0 and 7 from the
drop-down menu. The smaller the value, the higher the priority. When a pipe has a higher
priority, the system deals with the traffic in it first and borrows spare bandwidth from
other pipes for it. The priority of the default pipe is 7.

TOS: Specify the TOS fields of the traffic, or click Configure to specify the TOS fields of the
IP header of the traffic in the TOS Configuration page that appears.

l Precedence: Specify the precedence.

l Delay: Specify the minimum delay.

l Throughput: Specify the maximum throughput.

l Reliability: Specify the highest reliability.

l Cost: Specify the minimum monetary cost.

l Reserved: Specify the normal service.

TrafficClass: Specify the value of the TrafficClass field for IPv6 traffic. The TrafficClass
field of IPv6 traffic that matches successfully will be set to the specified value. The value
range is 0 to 255.

Limit Opposite Bandwidth: Select the check box to configure the limit strength value. The
smaller the value, the smaller the limit. By default, this function is disabled. This function
makes the actual bandwidth of the traffic match the bandwidth allocated by users, in order
to reduce packet loss in the managed device.

Backward (From condition's destination to source)

The following configurations control the traffic that flows from the
destination to the source. For the traffic that matches the conditions, the
system will perform the corresponding actions.

Pipe Bandwidth: When configuring the root pipe, specify the pipe bandwidth. When
configuring a sub pipe, specify the maximum bandwidth and the minimum bandwidth of the
pipe:

l Min Bandwidth: Specify the minimum bandwidth. If you want this minimum bandwidth
to be reserved so that it cannot be used by other pipes, select Enable Reserved
Bandwidth.

l Max Bandwidth: Specify the maximum bandwidth.

Limit type: Specify the maximum bandwidth and minimum bandwidth of the pipe for each
user/IP:

l Type: Select the type of the bandwidth limitation: No Limit, Limit Per IP, or Limit
Per User.

l No Limit means that the system will not limit the bandwidth for each IP or each
user.

l Limit Per IP means that the system will limit the bandwidth for each IP. In the
Limit by section, select Source IP to limit the bandwidth of the source IP in this
pipe, or select Destination IP to limit the bandwidth of the destination IP in this
pipe.

l Limit Per User means that the system will limit the bandwidth for each user. In
the Limit by section, specify the minimum/maximum bandwidth of the users.

l When configuring the root pipe, you can select the Enable Average Bandwidth check
box to make each source IP, destination IP, or user share an average bandwidth.

Limit by: When the Limit type is Limit Per IP or Limit Per User, you need to specify the
minimum bandwidth or the maximum bandwidth:

l Min Bandwidth: Specify the minimum bandwidth.

l Max Bandwidth: Specify the maximum bandwidth.

Advanced

Priority: Specify the priority of the pipe. Select a number between 0 and 7 from the
drop-down menu. The smaller the value, the higher the priority. When a pipe has a higher
priority, the system deals with the traffic in it first and borrows spare bandwidth from
other pipes for it. The priority of the default pipe is 7.

TOS: Specify the TOS fields of the traffic, or click Configure to specify the TOS fields of the
IP header of the traffic in the TOS Configuration page that appears.

l Precedence: Specify the precedence.

l Delay: Specify the minimum delay.

l Throughput: Specify the maximum throughput.

l Reliability: Specify the highest reliability.

l Cost: Specify the minimum monetary cost.

l Reserved: Specify the normal service.

TrafficClass: Specify the value of the TrafficClass field for IPv6 traffic. The TrafficClass
field of IPv6 traffic that matches successfully will be set to the specified value. The value
range is 0 to 255.

Limit Opposite Bandwidth: Select the check box to configure the limit strength value. The
smaller the value, the smaller the limit. By default, this function is disabled. This function
makes the actual bandwidth of the traffic match the bandwidth allocated by users, in order
to reduce packet loss in the managed device.

6. In the Schedule tab, configure the time period when the pipe will take effect. Select the
schedule from the drop-down list, or create a new one.

7. Click OK to save the settings.
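The pipe procedure above describes three QoS modes (Shape smooths, Policy drops, Monitor only counts) and a TOS condition, but not how they behave on a burst. The following Python model is an added example, not Hillstone code: it encodes the TOS Configuration choices into an IPv4 TOS byte (RFC 1349 bit layout), uses a token bucket to stand in for the device's rate limiter, and pushes a constructed packet burst through each mode. The bucket depth, the FIFO shaper behaviour and the packet trace are assumptions made for the illustration; the guide does not describe the device's internal scheduler.

```python
"""Added illustration of the three iQoS modes (Shape, Policy, Monitor) using a
token bucket, with a TOS-precedence match condition.  Not Hillstone code: the
scheduler, bucket depth and timing below are assumptions, and the packet trace
is constructed."""
from dataclasses import dataclass, field
from typing import Optional

# IPv4 TOS byte layout (RFC 1349): bits 0-2 precedence, then the D/T/R/C flags.
TOS_DELAY, TOS_THROUGHPUT, TOS_RELIABILITY, TOS_COST = 0x10, 0x08, 0x04, 0x02


def build_tos(precedence, delay=False, throughput=False, reliability=False, cost=False):
    """Encode the TOS Configuration dialog choices as one TOS byte (0 = normal service)."""
    if not 0 <= precedence <= 7:
        raise ValueError("precedence must be 0..7")
    tos = precedence << 5
    for on, mask in ((delay, TOS_DELAY), (throughput, TOS_THROUGHPUT),
                     (reliability, TOS_RELIABILITY), (cost, TOS_COST)):
        if on:
            tos |= mask
    return tos


def tos_precedence(tos):
    return (tos >> 5) & 0x7


@dataclass
class Packet:
    t: float   # arrival time in seconds
    size: int  # bytes
    tos: int   # IPv4 TOS byte


@dataclass
class Pipe:
    mode: str                          # "shape", "policy" or "monitor"
    rate_bps: float                    # Max Bandwidth in bits per second
    burst_bytes: int                   # bucket depth (assumed; not a page parameter)
    precedence: Optional[int] = None   # condition: TOS precedence to match (None = any)
    tokens: float = field(init=False)
    last_t: float = 0.0                # last bucket refill time
    next_send: float = 0.0             # tail of the shaper's FIFO queue
    stats: dict = field(default_factory=lambda: {
        "matched": 0, "forwarded": 0, "dropped": 0, "delayed": 0, "bytes": 0})

    def __post_init__(self):
        if self.mode not in ("shape", "policy", "monitor"):
            raise ValueError("QoS mode must be shape, policy or monitor")
        self.tokens = float(self.burst_bytes)

    def matches(self, pkt):
        return self.precedence is None or tos_precedence(pkt.tos) == self.precedence

    def _refill(self, now):
        self.tokens = min(float(self.burst_bytes),
                          self.tokens + (now - self.last_t) * self.rate_bps / 8)
        self.last_t = now

    def handle(self, pkt):
        """Return (verdict, departure_time) for one packet."""
        if not self.matches(pkt):
            return "unmatched", pkt.t
        self.stats["matched"] += 1
        self.stats["bytes"] += pkt.size
        if self.mode == "monitor":           # Monitor: statistics only, no control
            self.stats["forwarded"] += 1
            return "forward", pkt.t
        # A shaper serves packets in order, so a packet cannot leave before its predecessor.
        now = pkt.t if self.mode == "policy" else max(pkt.t, self.next_send)
        self._refill(now)
        if self.tokens >= pkt.size:          # within the bandwidth limit
            self.tokens -= pkt.size
            self.stats["forwarded"] += 1
            if now > pkt.t:
                self.stats["delayed"] += 1
            return "forward", now
        if self.mode == "policy":            # Policy: excess traffic is dropped
            self.stats["dropped"] += 1
            return "drop", now
        # Shape: hold the packet until enough tokens have accumulated, then send it.
        depart = now + (pkt.size - self.tokens) * 8 / self.rate_bps
        self.tokens = 0.0
        self.last_t = depart
        self.next_send = depart
        self.stats["delayed"] += 1
        self.stats["forwarded"] += 1
        return "forward", depart


def run(pipe, packets):
    """Push a packet trace through a pipe and return the per-packet verdicts."""
    return [pipe.handle(p) for p in packets]


# Constructed trace: five 500-byte packets arriving together with precedence 5,
# plus one unmarked packet that the condition should not capture.
BURST = [Packet(0.0, 500, build_tos(5)) for _ in range(5)] + [Packet(0.0, 500, build_tos(0))]

if __name__ == "__main__":
    for mode in ("policy", "shape", "monitor"):
        pipe = Pipe(mode, rate_bps=8000, burst_bytes=1000, precedence=5)
        print(mode, run(pipe, BURST), pipe.stats)
```

With a 1000-byte bucket and 8000 bit/s rate, Policy forwards two packets and drops three; Shape forwards all five but the last three leave at 0.5 s intervals; Monitor forwards everything and only updates the counters. The unmarked packet is reported as unmatched by every pipe, which is the behaviour to check when a TOS condition is used to classify traffic.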

NAT

Creating a SNAT Rule

To create a SNAT Rule, take the following steps:

1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation
pane to enter the device configuration page.

2. From the device navigation pane, click the device you want to configure a SNAT rule.

3. From the object navigation pane, click SNAT. The main window shows the SNAT rule list.

4. From the toolbar of the SNAT rules list, click New. The SNAT Configuration page appears.

In the Basic tab in the SNAT Configuration dialog, configure the SNAT basic options.

l Virtual Router: Specify a Virtual Router for the SNAT rule.

l Type: Specify the type of the SNAT rule: IPv4, NAT46, NAT64, or IPv6.
The configuration options for different types of SNAT rules may vary in this page;
refer to the actual page.

l Source Addr: Specify the source IP address of the traffic, including:
IPv4 Address Entry - Select an IPv4 address entry from the drop-down list.
IPv4 address - Type an IPv4 address into the IP address box.
IP/netmask - Type an IPv4 address and subnet mask into the box.
IPv6 Address Entry - Select an IPv6 address entry from the drop-down list.
IPv6 address - Type an IPv6 address into the IP address box.
IPv6/Prefix - Type an IPv6 address and subnet prefix into the box.

l Destination Addr: Specify the destination IP address of the traffic, including:
IPv4 Address Entry - Select an IPv4 address entry from the drop-down list.
IPv4 address - Type an IPv4 address into the IP address box.
IP/netmask - Type an IPv4 address and subnet mask into the box.
IPv6 Address Entry - Select an IPv6 address entry from the drop-down list.
IPv6 address - Type an IPv6 address into the IP address box.
IPv6/Prefix - Type an IPv6 address and subnet prefix into the box.

l Ingress: Specify the ingress traffic of the source NAT rule. The default ingress is all
traffic.
All Traffic - The ingress traffic of the source NAT rule is all traffic. The traffic
from any interface will match the source NAT rule.
Ingress Interface - Specify the ingress interface of the traffic in the source NAT rule.
Select an interface from the drop-down list. Only the traffic flowing in from the
configured ingress interface will match the source NAT rule.

l Egress: Specify the egress traffic, including:
All Traffic - Specify all traffic as the egress traffic.
Egress interface - Specify the egress interface of the traffic. Select an interface from the
drop-down list.
Next Virtual Router - Specify the next Virtual Router of the traffic. Select a Virtual Router
from the drop-down list.

l Service: Select the service you need from the Service drop-down list.

l Translated to

l NAT Address: Specify the translated NAT IP address, including:

l Egress IF IP(IPv4) - Use the IP address of the egress interface as the NAT IP
address. If Sticky is enabled, all sessions from an IP address will be mapped to
the same fixed IP address. Select the Enable check box behind Sticky to enable
Sticky.

l Specified IP - Use a specified IP address as the NAT IP address. You also
need to specify the translation mode, including:

l Static: Static mode means one-to-one translation. This mode requires the
translated address entry to contain the same number of IP addresses as
the source address entry.

l Dynamic IP: Dynamic IP mode means multiple-to-one translation. This
mode translates the source address to a specific IP address. Each source
address will be mapped to a unique IP address, until all specified
addresses are occupied.

l Dynamic port: Also called PAT. Multiple source addresses will be translated
to one specified IP address in an address entry.
If Sticky is enabled, all sessions from an IP address will be mapped to the
same fixed IP address.
If Round-robin is enabled, all sessions from an IP address will be mapped
to the same fixed IP address. Click the Enable button behind Round-robin
to enable the Round-robin function.
If neither Sticky nor Round-robin is enabled, the first address in the address
entry will be used first; when the port resources of the first address are
exhausted, the second address will be used.
If Track is enabled, the system will track whether the translated public
address is valid, i.e., it uses the translated address as the source address to
check whether the destination website or host is accessible. The configured track
object can be a Ping track object, HTTP track object, or TCP track object.
The type of the track object can only be "Protocol", and
the value of its Interval must be a multiple of 5.

l No NAT - Do not implement NAT.

l Sticky: Select the check box to enable the Sticky function.

l Round-robin: Select the check box to enable the Round-robin function.

Note: You can only enable one of the Sticky function and the Round-robin function
at the same time.

l Track: Select the check box to enable the Track function and select a track object
from the drop-down list.

l Description: Specify the description of the SNAT rule.

In the Advanced tab, configure the SNAT advanced options.

l HA Group: Specify the HA group that the SNAT rule belongs to. The default setting
is 0.

l NAT Log: Select the Enable check box to enable the log function for this SNAT rule
(log information is generated when traffic matches this NAT rule).

l Rule Position: Specify the position of the rule. Each SNAT rule has a unique ID.
When traffic flows into the device, the device searches the SNAT rules in sequence,
and then implements NAT on the source IP of the traffic according to the first
matched rule. The sequence of the IDs shown in the SNAT rule list is the order of
rule matching. Select one of the following items from the drop-down list:
Bottom - The rule is located at the bottom of all the rules in the SNAT rule list. By
default, the system puts a newly-created SNAT rule at the bottom of all SNAT
rules.
Top - The rule is located at the top of all the rules in the SNAT rule list.
Before ID - Type the ID number into the text box. The rule will be located before the
ID you specified.
After ID - Type the ID number into the text box. The rule will be located after the ID
you specified.

l ID: Specify how the rule ID is assigned. It can be assigned automatically by the
system or manually by yourself. If you click Manually assign ID, you need to
type an ID number into the box behind it.

5. Click OK to save your settings. The new SNAT rule will be shown in the SNAT rule list.
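The Translated to options above (Static, Dynamic IP, Dynamic port with Sticky or Round-robin) decide how many sessions a NAT address entry can carry and when a pool runs out. The Python model below is an added example, not Hillstone code: it implements each mode as the guide describes it and raises when the pool is exhausted, which is the condition an operator sizing an address entry wants to see. The sticky hash, the per-address port range, and the round-robin rotation order (implemented here in its conventional meaning of rotating the starting address per new session) are assumptions made for the illustration; the device's actual choices are not stated on the page.

```python
"""Added model of the SNAT 'Translated to' modes: Static, Dynamic IP, and Dynamic
port (PAT) with the Sticky / Round-robin options.  Not Hillstone code; the hash,
port range and rotation order are assumptions, and all addresses are constructed."""
import hashlib
from dataclasses import dataclass, field

PORT_MIN, PORT_MAX = 1024, 65535          # constructed translated-port range per address


class SnatPoolExhausted(RuntimeError):
    """Raised when the NAT address entry has no free address or port left."""


@dataclass
class SnatRule:
    sources: list            # addresses in the source address entry
    translated: list         # addresses in the NAT address entry
    mode: str                # "static" | "dynamic-ip" | "pat"
    sticky: bool = False
    round_robin: bool = False
    ports_per_ip: int = PORT_MAX - PORT_MIN + 1
    _dyn_map: dict = field(default_factory=dict)     # dynamic-ip: source -> translated
    _ports_used: dict = field(default_factory=dict)  # pat: translated -> ports consumed
    _rr_next: int = 0                                # round-robin cursor

    def __post_init__(self):
        if self.mode not in ("static", "dynamic-ip", "pat"):
            raise ValueError("translation mode must be static, dynamic-ip or pat")
        if self.sticky and self.round_robin:
            # The guide's note: only one of Sticky and Round-robin may be enabled.
            raise ValueError("Sticky and Round-robin cannot both be enabled")
        if self.mode == "static" and len(self.sources) != len(self.translated):
            # Static is one-to-one: both entries must hold the same number of addresses.
            raise ValueError("static mode needs equal-sized address entries")

    def translate(self, src_ip):
        """Return (translated_ip, translated_port) for a new session from src_ip.
        translated_port is None unless the mode is PAT."""
        if src_ip not in self.sources:
            raise LookupError(f"{src_ip} does not match the rule's source address")
        if self.mode == "static":
            return self.translated[self.sources.index(src_ip)], None
        if self.mode == "dynamic-ip":
            # Each source keeps one translated address until the entry is used up.
            if src_ip not in self._dyn_map:
                if len(self._dyn_map) >= len(self.translated):
                    raise SnatPoolExhausted("all translated addresses are occupied")
                self._dyn_map[src_ip] = self.translated[len(self._dyn_map)]
            return self._dyn_map[src_ip], None
        return self._pat(src_ip)

    def _pat(self, src_ip):
        if self.sticky:
            # Sticky: every session from one source lands on the same translated address
            # (a hash of the source address is the assumed selection rule).
            digest = hashlib.sha256(src_ip.encode()).digest()
            idx = int.from_bytes(digest[:4], "big") % len(self.translated)
            candidates = [self.translated[idx]]
        elif self.round_robin:
            # Round-robin (conventional meaning, assumed): rotate the start address per session.
            start = self._rr_next
            self._rr_next = (start + 1) % len(self.translated)
            candidates = self.translated[start:] + self.translated[:start]
        else:
            # Default: use the first address until its ports run out, then the next one.
            candidates = list(self.translated)
        for ip in candidates:
            used = self._ports_used.get(ip, 0)
            if used < self.ports_per_ip:
                self._ports_used[ip] = used + 1
                return ip, PORT_MIN + used
        raise SnatPoolExhausted("no free translated port")
```

A small `ports_per_ip` value makes the exhaustion path visible in a test; with the default range a two-address entry carries two full port ranges of sessions before `SnatPoolExhausted` is raised. In the sticky case a source whose hashed address is full is not moved to another address, matching the guide's statement that sticky sessions stay on one fixed address.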

Editing/Deleting a SNAT Rule

To edit/delete a SNAT rule, take the following steps:

1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation
pane to enter the device configuration page.

2. From the device navigation pane, click the device you want to edit or delete a SNAT rule.

3. From the object navigation pane, click SNAT. The main window shows the SNAT rule list.

4. Select the SNAT rule you want to edit/delete from the SNAT rules list.

5. Click Edit/Delete from the toolbar.

Creating an IP Mapping Rule

To create an IP Mapping rule, take the following steps:

1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation
pane to enter the device configuration page.

2. From the device navigation pane, click the device for which you want to configure an IP
mapping rule.

3. From the object navigation pane, click DNAT. The main window shows the DNAT rule
list.

4. From the toolbar of the DNAT rule list, click New > IP Mapping. The IP Mapping
Configuration page appears.

In the IP Mapping Configuration page, configure the DNAT options.

l Virtual Router: Specify a Virtual Router for the DNAT rule.

l HA Group: Specify the HA group that the DNAT rule belongs to. The default setting
is 0.

l Destination Addr: Specify the destination IP address of the traffic, including:
IPv4 Address Entry - Select an IPv4 address entry from the drop-down list.
IPv4 address - Type an IPv4 address into the IP address box.
IP/netmask - Type an IPv4 address and subnet mask into the box.
IPv6 Address Entry - Select an IPv6 address entry from the drop-down list.
IPv6 address - Type an IPv6 address into the IP address box.
IPv6/Prefix - Type an IPv6 address and subnet prefix into the box.

l Translated to: Specify the translated IP address, including:
IPv4 Address Entry - Select an IPv4 address entry from the drop-down list.
IPv4 address - Type an IPv4 address into the IP address box.
IP/netmask - Type an IPv4 address and subnet mask into the box.
IPv6 Address Entry - Select an IPv6 address entry from the drop-down list.
IPv6 address - Type an IPv6 address into the IP address box.
IPv6/Prefix - Type an IPv6 address and subnet prefix into the box.

l Description: Specify the description of the DNAT rule.

5. Click OK to save your settings. The new DNAT rule will be shown in the DNAT rules list.

Creating a Port Mapping Rule

To create a Port Mapping rule, take the following steps:

1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation
pane to enter the device configuration page.

2. From the device navigation pane, click the device you want to configure a port mapping
rule.

3. From the object navigation pane, click DNAT. The main window shows the DNAT rule
list.

4. From the toolbar of the DNAT rule list, click New > Port Mapping. The Port Mapping
Configuration page appears.

In the Port Mapping Configuration page, configure the DNAT options.

l Virtual Router: Specify a Virtual Router for the DNAT rule.

l HA Group: Specify the HA group that the DNAT rule belongs to. The default setting
is 0.

l Destination Addr: Specify the destination IP address of the traffic, including:
IPv4 Address Entry - Select an IPv4 address entry from the drop-down list.
IPv4 address - Type an IPv4 address into the IP address box.
IP/netmask - Type an IPv4 address and subnet mask into the box.
IPv6 Address Entry - Select an IPv6 address entry from the drop-down list.
IPv6 address - Type an IPv6 address into the IP address box.
IPv6/Prefix - Type an IPv6 address and subnet prefix into the box.

l Service: Select the service you need from the Service drop-down list.

l Translated to: Specify the translated IP address, including:
IPv4 Address Entry - Select an IPv4 address entry from the drop-down list.
IPv4 address - Type an IPv4 address into the IP address box.
IP/netmask - Type an IPv4 address and subnet mask into the box.
IPv6 Address Entry - Select an IPv6 address entry from the drop-down list.
IPv6 address - Type an IPv6 address into the IP address box.
IPv6/Prefix - Type an IPv6 address and subnet prefix into the box.

l Destination Port: Specify the translated port. Type the port number into the box.

l Description: Specify the description of the DNAT rule.

5. Click OK to save your settings. The new DNAT rule will be shown in the DNAT rules list.

Creating an Advanced DNAT Rule

To create an Advanced DNAT rule, take the following steps:

1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation
pane to enter the device configuration page.

2. From the device navigation pane, click the device you want to configure an advanced
DNAT rule.

3. From the object navigation pane, click DNAT. The main window shows the DNAT rule
list.

4. From the toolbar of the DNAT rule list, click New > Advanced. The DNAT
Configuration page appears.

In the Basic tab of the DNAT Configuration dialog, configure the DNAT basic options.

l Virtual Router: Specify a Virtual Router for the DNAT rule.

l Source Addr: Specify the source IP address of the traffic, including:


IPv4 Address Entry - Select an Ipv4 address entry from the drop-down list.
IPv4 address - Type an IPv4 address into the IP address box.
IP/netmask - Type an IPv4 address and subnet mask into the box.
IPv6 Address Entry - Select an IPv6 address entry from the drop-down list.
IPv6 address - Type an IPv6 address into the IP address box.
IPv6/Prefix - Type an IPv6 address and subnet prefix into the box.

l Destination Addr: Specify the destination IP address of the traffic, including:


IPv4 Address Entry - Select an Ipv4 address entry from the drop-down list.
IPv4 address - Type an IPv4 address into the IP address box.
IP/netmask - Type an IPv4 address and subnet mask into the box.
IPv6 Address Entry - Select an IPv6 address entry from the drop-down list.
IPv6 address - Type an IPv6 address into the IP address box.
IPv6/Prefix - Type an IPv6 address and subnet prefix into the box.

l Service: Select the service you need from the Service drop-down list.

l Action: Specify the action for the traffic you specified, including:
NAT - Implements NAT for the eligible traffic.
Translated to: For the NAT option, you need to specify the translated IP address.
Select an address entry or SLB server pool from the Translated to drop-down list, or
type an IP address, or an IP address and netmask, into the Translated to box.
NAT Port: Select the Enable check box and type the translated port number into the
Port box. The range is 1 to 65535.
Load Balancing: Select the Enable check box to enable the function. Traffic will then
be balanced across different Intranet servers.
No NAT - Do not implement NAT for the eligible traffic.

l Description: Specify the description of the DNAT rule.

In the Advanced tab, configure the DNAT advanced options.

l Ping Track: Select the Enable check box to enable Ping track, which means the
system will send Ping packets to check whether the Intranet servers are reachable.

l TCP Track: Select the Enable check box to enable TCP track, which means the
system will send TCP packets to check whether the TCP ports of the Intranet servers
are reachable.

l TCP Port: Specify the port number. The value range is 1 to 65535.

l NAT Log: Select the Enable check box to enable the log function for this DNAT rule
(generating log information when there is traffic matching to this NAT rule).

l HA Group: Specify the HA group that the DNAT rule belongs to. The default setting
is 0.

l Rule Position: Specify the position of the rule. Each DNAT rule has a unique ID.
When traffic flows into the device, the device searches the DNAT rules in sequence,
and then implements NAT on the destination IP of the traffic according to the first
matched rule. The sequence of the IDs shown in the DNAT rule list is the order of
rule matching. Select one of the following items from the drop-down list:
Bottom - The rule is located at the bottom of all the rules in the DNAT rule list. By
default, the system puts a newly-created DNAT rule at the bottom of all DNAT rules.
Top - The rule is located at the top of all the rules in the DNAT rule list.
Before ID - Type the ID number into the box. The rule will be located before the ID
you specified.
After ID - Type the ID number into the box. The rule will be located after the ID you
specified.

l ID: Specify how the rule ID is assigned. It can be assigned automatically by the
system or manually by yourself. If you click Manually assign ID, you need to
type an ID number into the box behind it.

5. Click OK to save your settings. The new DNAT rule will be shown in the DNAT rules list.
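Both the SNAT and the DNAT procedures state that rules are searched in sequence and the first match decides, and that Rule Position (Bottom, Top, Before ID, After ID) controls where a new rule lands. A rule placed after a broader one can never match, so the position is a security-relevant setting, not a cosmetic one. The Python model below is an added example, not Hillstone code: it keeps a rule list in matching order, applies the four position choices with automatic or manual IDs, performs the first-match lookup, and adds a shadowing check that the guide does not mention (an assumption about what an operator would want to verify). All addresses are constructed.

```python
"""Added model of NAT rule ordering: sequential first-match search and the
Bottom / Top / Before ID / After ID placement options.  Not Hillstone code; the
shadow check is an extra diagnostic and all addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class NatRule:
    rule_id: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str          # e.g. "nat" or "no-nat"


class NatRuleTable:
    def __init__(self):
        self.rules = []          # list order is the matching order
        self._next_auto_id = 1

    def add(self, src, dst, action, position="bottom", ref_id=None, rule_id=None):
        """Insert a rule; rule_id=None lets the table assign the ID automatically."""
        if rule_id is None:
            rule_id = self._next_auto_id
        elif any(r.rule_id == rule_id for r in self.rules):
            raise ValueError(f"rule ID {rule_id} already exists")
        self._next_auto_id = max(self._next_auto_id, rule_id + 1)
        rule = NatRule(rule_id, ipaddress.ip_network(src), ipaddress.ip_network(dst), action)
        if position == "bottom":
            self.rules.append(rule)
        elif position == "top":
            self.rules.insert(0, rule)
        elif position in ("before", "after"):
            idx = self._index_of(ref_id)
            self.rules.insert(idx if position == "before" else idx + 1, rule)
        else:
            raise ValueError("position must be bottom, top, before or after")
        return rule_id

    def _index_of(self, rule_id):
        for i, r in enumerate(self.rules):
            if r.rule_id == rule_id:
                return i
        raise KeyError(f"no rule with ID {rule_id}")

    def order(self):
        """Rule IDs in matching order, as the rule list would show them."""
        return [r.rule_id for r in self.rules]

    def first_match(self, src_ip, dst_ip) -> Optional[NatRule]:
        """Sequential search: the first matching rule decides; later ones are never consulted."""
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for r in self.rules:
            if s in r.src and d in r.dst:
                return r
        return None

    def shadowed(self):
        """IDs of rules that can never match because an earlier rule covers all their traffic."""
        out = []
        for i, r in enumerate(self.rules):
            if any(r.src.subnet_of(e.src) and r.dst.subnet_of(e.dst) for e in self.rules[:i]):
                out.append(r.rule_id)
        return out
```

In the test below a no-NAT exception for 10.1.0.0/16 added at the Bottom is shadowed by a broader 10.0.0.0/8 rule; re-adding it with Before ID pointing at the broad rule makes it effective. The shadow check only reports full coverage (both source and destination are subnets of an earlier rule), so partial overlaps still need manual review.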

Route

Creating a Destination Route Item

To create a Destination Route Item on the HSM device configuration page, take the following
steps:

1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation
pane to enter the device configuration page.

2. From the device navigation pane, click the device you want to create a destination route
entry.

3. From the object navigation pane, select Network > Route > Destination Route. The Route
items list will appear from the main window below.

4. From the toolbar of the Route items list, click New. The Destination Route Configuration
page appears.

In the Destination Route Configuration dialog, configure the destination route options.

l Destination Address: Specify the destination IP address of the route item.

l Subnet Mask: Specify the corresponding subnet mask of destination IP address.

l Next Hop: Click the Gateway, Interface, Virtual Router in current VSYS, or Virtual
Router in other VSYS button. If Gateway is selected, type the IP address into the
Gateway box below; if Interface is selected, select a name from the Interface
drop-down list below; if Virtual Router is selected, select a name from the Virtual Router
drop-down list below.

l Gateway: Type the IP address into the Gateway text box.

l Interface: Select an interface from the Interface drop-down list. Select the Enable
check box of BFD to enable the detection function of the related link, and type
the IP address into the Gateway text box.

l Virtual Router in current VSYS: Select a virtual router from the Virtual Router
drop-down list.

l Virtual Router in other VSYS: Select a virtual router from the Virtual Router
drop-down list.

l Schedule: Specifies a schedule during which the route will take effect. Select a desired
schedule from the Schedule drop-down list. After selecting the desired schedules, click the
blank area in this dialog to complete the schedule configuration.

l Precedence: Specify the precedence of route. The smaller the parameter is, the higher
the precedence is. If multiple routes are available, the route with higher precedence
will be prioritized. The value range is 1 to 255. The default value is 1. When the value
is set to 255, the route is invalid.

l Weight: Specify the weight of route. This parameter is used to determine the weight
of traffic forwarding in load balance. The value range is 1 to 255. The default value is
1.

l Description: If necessary, type description information for the route item in this text
box.

5. Click OK to save your settings. The new route item will be shown in the route items list.
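The Precedence and Weight parameters above decide which of several matching destination routes carries a packet: lower precedence wins, a precedence of 255 makes the route invalid, and weight splits traffic among routes of equal precedence. The Python model below is an added example, not Hillstone code. Two assumptions are made for the illustration and are not stated in the guide: longest prefix match is applied before precedence (standard IP forwarding behaviour), and the weighted split is a deterministic per-flow hash so that one flow always takes the same gateway. All addresses are constructed.

```python
"""Added model of destination route selection with Precedence and Weight.
Not Hillstone code.  Assumed (not stated on the page): longest prefix match
before precedence, and a per-flow hash for the weighted split.  Addresses are
constructed."""
import hashlib
import ipaddress
from dataclasses import dataclass

INVALID_PRECEDENCE = 255     # per the guide, precedence 255 makes the route invalid


@dataclass(frozen=True)
class Route:
    dest: str             # destination prefix, e.g. "203.0.113.0/24"
    gateway: str
    precedence: int = 1   # 1..255, smaller is preferred
    weight: int = 1       # 1..255, share of load-balanced traffic

    def __post_init__(self):
        if not 1 <= self.precedence <= 255 or not 1 <= self.weight <= 255:
            raise ValueError("precedence and weight must be in 1..255")

    @property
    def network(self):
        return ipaddress.ip_network(self.dest)


def candidate_routes(routes, dst_ip):
    """Valid routes covering dst_ip, narrowed to the longest prefix, then the best precedence."""
    dst = ipaddress.ip_address(dst_ip)
    valid = [r for r in routes if r.precedence != INVALID_PRECEDENCE and dst in r.network]
    if not valid:
        return []
    longest = max(r.network.prefixlen for r in valid)   # assumed LPM step
    valid = [r for r in valid if r.network.prefixlen == longest]
    best = min(r.precedence for r in valid)             # smaller value = higher precedence
    return [r for r in valid if r.precedence == best]


def select_route(routes, src_ip, dst_ip):
    """Pick one route; equal-precedence routes share flows in proportion to weight."""
    cands = candidate_routes(routes, dst_ip)
    if not cands:
        return None
    total = sum(r.weight for r in cands)
    flow = hashlib.sha256(f"{src_ip}>{dst_ip}".encode()).digest()   # assumed flow key
    slot = int.from_bytes(flow[:4], "big") % total
    for r in cands:
        if slot < r.weight:
            return r
        slot -= r.weight
    raise AssertionError("unreachable: slot is always below the weight total")


def share(routes, dst_ip, flows):
    """Fraction of the given flows each gateway receives, for checking the weights."""
    counts = {}
    for src in flows:
        r = select_route(routes, src, dst_ip)
        if r is None:
            continue
        counts[r.gateway] = counts.get(r.gateway, 0) + 1
    return {gw: n / len(flows) for gw, n in counts.items()}
```

In the test, two routes to 203.0.113.0/24 with weights 3 and 1 receive roughly 75% and 25% of 2000 constructed flows, a third route to the same prefix with precedence 255 is ignored entirely, and the default route with precedence 10 is only used when no precedence-1 default route exists.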

Creating a Policy Route Item

To create a Policy Route Item on the HSM device configuration page, take the following steps:



1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation
pane to enter the device configuration page.

2. From the device navigation pane, click the device on which you want to create a policy route entry.

3. From the object navigation pane, select Network > Route > Policy-based Routing. The
Route items list appears in the main window below.

4. From the toolbar of the Route items list, click New, select Policy-based Routing. The
Policy-based Route Configuration dialog appears.

In the Policy-based Route Configuration dialog, configure the policy-based route options.

l PBR Name: Specifies a name for the policy-based route.

l Virtual Router: From the Virtual Router drop-down list, select the Virtual Router for
the new route. The default value is "trust-vr".

l Type: Specifies the object type that the policy-based route binds to. You can select
Zone or No Binding.

l Zone: Click this option button and select a zone from the Zone drop-down list.
The zone must be bound to the selected Virtual Router.

l No Binding: The policy-based route is not bound to any zone.

5. Click OK to save your settings. The new route item will be shown in the route items list.



Creating a Policy-based Route Rule

To create a Policy-based Route rule, take the following steps:

1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation
pane to enter the device configuration page.

2. From the device navigation pane, click the device on which you want to create a policy route rule.

3. From the object navigation pane, select Network > Route > Policy-based Routing. The
Route items list appears in the main window below.

4. From the toolbar of the Route items list, click New, select Rule. The Policy-based Route
Rule Configuration dialog appears.

5. In the Rule Condition tab, configure the following.

PBR Name: Specifies a name for the policy-based route.

Description (Optional): Type information about the PBR rule.

Source: Specifies the source address and user information.

l Address: Specifies the source address for the policy-based route.

i. Select an address type from the Address drop-down list.

ii. Select or type the source addresses based on the selected type.

iii. Click the add button to add the addresses to the right pane.

iv. After adding the desired addresses, click the blank area in this dialog to complete
the source address configuration.
You can also perform other operations:



l When selecting the Address Book type, you can click Add to create a new
address entry.

l The default address configuration is any. To restore this default, select any
and click the add button to add any to the right pane.

l User: Specifies a role, user or user group for the PBR rule.

i. From the User drop-down menu, select the AAA server that the users and
user groups belong to. To specify a role, select Role from the AAA Server
drop-down list.

ii. Depending on the type of AAA server, you can perform one or more of these
actions: search for a user, user group or role; expand the user or user group list;
enter the name of the user or user group.

iii. After selecting users, user groups or roles, click the add button to add them to
the right pane.

iv. After adding the desired objects, click the blank area in this dialog to complete
the user configuration.

Destination: Specifies the destination address.

l Address: Specifies the destination address for the policy-based route.

i. Select an address type from the Address drop-down list.

ii. Select or type the destination addresses based on the selected type.

iii. Click the add button to add the addresses to the right pane.



iv. After adding the desired addresses, click the blank area in this dialog to
complete the destination address configuration.
You can also perform other operations:

l When selecting the Address Book type, you can click Add to create a
new address entry.

l The default address configuration is any. To restore this default, select any
and click the add button to add any to the right pane.

Other

l Service: Specifies a service or service group.

i. From the Service drop-down menu, select a type: Service or Service Group.

ii. Search for the desired service or service group, or expand the service or
service group list.

iii. After selecting the desired services or service groups, click the add button to add
them to the right pane.

iv. After adding the desired objects, click OK.


You can also perform other operations:

l To add a new service or service group, click Add.

l The default service configuration is any. To restore this default, select any
and click the add button to add any to the right pane.



l Application: Specifies an application.

i. From the Application drop-down menu, search for the desired application or
expand the list of applications.

ii. After selecting the desired applications, click the add button to add them to the
right pane.

iii. After adding the desired objects, click OK.


To add a new application group, click New AppGroup.

l Schedule: Specifies a schedule during which the PBR rule will take effect. Select a desired
schedule from the Schedule drop-down list. After selecting the desired schedules,
click the blank area in this dialog to complete the schedule configuration. To create a
new schedule, click New Schedule.

l Record log: Select the Enable check box to enable the logging function for PBR
rules.

6. In the Next-hop tab, configure the following.

Set Next-hop: To specify the type of next hop, click IP Address or Interface.

l IP Address: Click this option button and enter the IP address into the IP Address text box.

l Interface: Click this option button, select an interface from the Interface drop-down list
and specify the weight in the Weight text box.

Track Object: Select the track object from the drop-down list. See "Track Object".
Weight: Specifies the weight for the next hop. If a PBR rule is configured with multiple next
hops, the system distributes the traffic in proportion to the corresponding weights.
Add: Click to add the specified next hop to the next-hop table.
Delete: Select next-hop entries from the next-hop table and click this button to delete them.

7. Click OK to save your settings. The new rule will be shown in the route items list.
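The precedence and weight semantics of destination routes described above, and the weighted next hops and track objects of PBR rules, are easy to get wrong when reading a large route table. The following is an added Python example, not HSM or StoneOS code, that models both lookups on a constructed configuration. It assumes that a matching PBR rule is consulted before the destination route table and that a next hop whose track object is down is skipped; the route, rule and track names are invented.

```python
import ipaddress
import random
from dataclasses import dataclass, field
from typing import Optional

# Added example, not HSM or StoneOS code. It models the destination route
# fields (destination/mask, precedence, weight) and the PBR next-hop fields
# (weight, track object) described above. The lookup order (matching PBR rule
# first, destination routes second) and skipping a next hop whose track object
# is down are assumptions made for illustration.

@dataclass
class DestRoute:
    prefix: str            # destination address and mask, e.g. "10.0.0.0/8"
    next_hop: str          # gateway address or interface name
    precedence: int = 1    # 1..255, smaller wins; 255 marks the route invalid
    weight: int = 1        # 1..255, share of load-balanced traffic

    def __post_init__(self):
        if not (1 <= self.precedence <= 255 and 1 <= self.weight <= 255):
            raise ValueError("precedence and weight must be in 1..255")
        self.network = ipaddress.ip_network(self.prefix, strict=False)

@dataclass
class PbrNextHop:
    target: str                  # IP address or interface name
    weight: int = 1
    track: Optional[str] = None  # name of a track object, or None

@dataclass
class PbrRule:
    name: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    service: str = "any"         # service-book name; "any" matches everything
    next_hops: list = field(default_factory=list)

    def matches(self, src_ip, dst_ip, service):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.service in ("any", service))

def weighted_choice(candidates, rng=None):
    """Pick one (target, weight) pair with probability proportional to its weight."""
    rng = rng or random.Random()
    total = sum(w for _, w in candidates)
    r = rng.uniform(0, total)
    for target, w in candidates:
        r -= w
        if r <= 0:
            return target
    return candidates[-1][0]

def pbr_lookup(rules, src_ip, dst_ip, service, track_state, rng=None):
    """First matching PBR rule wins; next hops whose track object is down are skipped."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, service):
            alive = [(h.target, h.weight) for h in rule.next_hops
                     if h.track is None or track_state.get(h.track, False)]
            if alive:
                return weighted_choice(alive, rng)
    return None

def dest_lookup(routes, dst_ip, rng=None):
    """Longest prefix, then lowest precedence; remaining ties are balanced by weight."""
    ip = ipaddress.ip_address(dst_ip)
    usable = [r for r in routes if r.precedence != 255 and ip in r.network]
    if not usable:
        return None
    best_len = max(r.network.prefixlen for r in usable)
    best = [r for r in usable if r.network.prefixlen == best_len]
    best_prec = min(r.precedence for r in best)
    best = [r for r in best if r.precedence == best_prec]
    return weighted_choice([(r.next_hop, r.weight) for r in best], rng)

def route(pbr_rules, routes, src_ip, dst_ip, service, track_state, rng=None):
    """Resolve the next hop for one flow: PBR first, then the destination routes."""
    hop = pbr_lookup(pbr_rules, src_ip, dst_ip, service, track_state, rng)
    return hop if hop is not None else dest_lookup(routes, dst_ip, rng)

# Constructed sample configuration (names are invented).
ROUTES = [
    DestRoute("0.0.0.0/0", "isp1", weight=1),
    DestRoute("0.0.0.0/0", "isp2", weight=3),            # equal prefix and precedence: 1:3 split
    DestRoute("10.0.0.0/8", "core"),
    DestRoute("10.1.0.0/16", "backup", precedence=255),  # precedence 255: invalid, never used
]
PBR_RULES = [
    PbrRule("web-via-isp2", src="192.168.1.0/24", service="HTTP",
            next_hops=[PbrNextHop("isp2", track="track-isp2"), PbrNextHop("isp1")]),
]
```

Two points the model makes visible: a route with precedence 255 is never a candidate even when it is the most specific match, and a PBR next hop whose track object reports down drops out of the weighted set, so the remaining hops absorb its share. When checking a real configuration, verify those two things on the device rather than trusting the HSM copy alone.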

LLB

Creating an LLB Profile

To create an LLB profile on the HSM device configuration page, take the following steps:

1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation
pane to enter the device configuration page.

2. From the device navigation pane, click the device on which you want to create an LLB profile.

3. From the object navigation pane, select Network > LLB > Profile. The LLB profiles list
appears in the main window below.

4. From the toolbar of the LLB profiles list, click New. The LLB Profile Configuration dialog
appears.

In the LLB Profile Configuration dialog, configure as follows:

Profile Name: Specifies the profile name, 1 to 95 characters long.
Bandwidth Utilization: Specifies the bandwidth utilization threshold of the interface, as a
percentage of the interface bandwidth. While the interface rate stays within the threshold,
the system adjusts link selection using only delay, jitter and packet loss rate; once the
rate exceeds the threshold, the system also takes the bandwidth utilization of each link
into account when adjusting link selection. The value ranges from 0 to 100 (0% to 100%)
and defaults to 60.



Balance Mode: There are two balance modes: High Performance and High Compatibility.

l High Performance - In this mode, the system adjusts links to restore link balance as
fast as possible.

l High Compatibility - When the link load changes, the system does not switch links
frequently; it keeps the service on its previous link as far as possible and switches only
when the previous link is overloaded. This mode is suitable for services that are sensitive
to link switching, such as banking services.

Description: Configure additional details for the LLB profile.

5. Click OK.

Creating an LLB Rule

To create an LLB rule on the HSM device configuration page, take the following steps:

1. Log into HSM, click Configuration > Device Configuration from the Level-1 navigation
pane to enter the device configuration page.

2. From the device navigation pane, click the device on which you want to create an LLB rule.

3. From the object navigation pane, select Network > LLB > Rule. The LLB rules list
appears in the main window below.

4. From the toolbar of the LLB rules list, click New. The LLB Config Policy dialog appears.



In the LLB Config Policy dialog, configure as follows:

Rule Name: Specifies the rule name, 1 to 95 characters long.
LLB Profile: Select the LLB profile that defines the bandwidth utilization threshold and
balance mode for this rule.
Bind Route: Specify the route to be bound in the rule: Destination Route or Policy Based
Route.

l Destination Route - When this option is selected, specify the virtual router and
destination address of the destination route.

l Policy Based Routing - Select this option to specify the name and ID of the policy
route.

5. Click OK.

Configuration Management

Configuration management of a device includes:

l Synchronizing Configuration: Synchronize the configuration between HSM and device.

l Specifying Configuration: Specify the shared rule on the device configuration page to a certain
device.

l Snapshot Management: Create a snapshot to back up the current configuration of the selected
device.

l Locking Configuration: Lock all configurations of the managed device.

Synchronizing Configuration

HSM can retrieve the policy configuration of a device, and you can also configure the policy of
the device on HSM. After the policy is modified on HSM or on the local device, the device
configuration saved on HSM no longer matches the local one. In this case, you can decide
whether to synchronize the configuration according to the differences.
The icons shown in the device navigation pane indicate the differences:



l Configurations differ because the configuration on HSM has been modified. The
detailed changes are shown when the mouse hovers over the icon.

l Configurations differ because the configuration on the local device has been modified.
The detailed changes are shown when the mouse hovers over the icon.

On HSM, you can synchronize the configuration in two ways:

l Import Configuration: Import the local configuration to HSM.

l Deploy Configuration: Deploy the HSM configuration to the device. The configuration on
device will be replaced by the deployed configuration.

HSM provides the function of viewing the latest configuration information of the managed
devices. To read the latest configuration information of the device, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the
device configuration page.

2. In the device navigation pane, right-click on the device, and then select View Latest
Configurations from the pop-up menu.

To import the local configuration to HSM, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the
device configuration page.



2. In the device navigation pane, right-click on the device, and then select Import
Configuration from the pop-up menu.

3. Click OK on the confirmation dialog. HSM starts uploading the local configuration to
HSM.

Notes: When you import the local configuration to HSM, if the association or inheritance
relationship between the device and its shared configuration on HSM is consistent with
the imported configuration, HSM keeps the previous relationship and imports directly.
If it is not, HSM prompts "The relation between shared configuration and device will be
changed, continue?". Click OK to release the device's shared configuration on HSM and
import the configuration as private; click Cancel and the local device configuration is not
imported to HSM.

To batch import the local configuration to HSM, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the
device configuration page.

2. In the device navigation pane, right-click and then select Batch Import Configuration from
the pop-up menu. The Batch Import Configuration dialog appears.



3. Select the devices or VSYS from the device entry list.

4. Specify the import mode. If Immediately is selected, HSM will generate a task and execute
the task immediately; if Generate Task is selected, HSM will generate a task, and you can
execute the task on the Task Management page. For more information about tasks, see Task.

5. Click OK.

To deploy HSM configuration to a device, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the
device configuration page.

2. In the device navigation pane, right-click on the device, and then select Deliver
Configuration from the pop-up menu. The Deploy Configuration dialog appears.

3. Specify the deployment mode. If Immediately is selected, HSM will generate a task and
execute the task immediately; if Generate Task is selected, you can execute the task on
schedule or manually: if On Schedule is selected, HSM will execute the task at the
user-defined time; otherwise, you need to execute the task manually on the Task
Management page. You can view the task status and related logs on the Task Management
page. For more information about tasks, see Task.

4. Click OK.



To batch deploy HSM configuration to the devices, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the
device configuration page.

2. In the device navigation pane, right-click and then select Batch Deploy Configuration from
the pop-up menu. The Batch Deploy Configuration dialog appears.

3. Select the devices or VSYS from the device entry list.

4. Specify the deployment mode. If Immediately is selected, HSM will generate a task and
execute the task immediately; if Generate Task is selected, you can execute the task on
schedule or manually: if On Schedule is selected, HSM will execute the task at the
user-defined time; otherwise, you need to execute the task manually on the Task
Management page. You can view the task status and related logs on the Task Management
page. For more information about tasks, see Task.

5. Click OK.

Specifying Configuration

On HSM, a shared rule on the device configuration page can be specified to a certain device.
After specifying the configuration to the device, the binding relationship between the device
and the configuration changes. However, you still have to deploy the specified configuration to
the device for the configuration to take effect on it. For more detailed information about
deploying configuration, see Synchronizing Configuration.
To specify a policy, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the
device configuration page.

2. In the device navigation pane, right-click on the device you want to specify a policy on, and
then select Specify Configuration > Specify Policy from the pop-up menu. The Specify
Policy dialog appears.

3. Choose a shared policy from the Choose a Shared Policy selective box for the device. If you
want to maintain the policy on the device as a private policy, select the Copy as a Private
Policy check box.

4. Click OK.

To specify a SNAT, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the
device configuration page.

2. In the device navigation pane, right-click on the device you want to specify a SNAT on, and
then select Specify Configuration > Specify SNAT from the pop-up menu. The Specify
SNAT dialog appears.

3. Choose a shared SNAT from the Choose a Shared Source NAT selective box for the
device.

4. Click OK.

To specify a DNAT, take the following steps:



1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the
device configuration page.

2. In the device navigation pane, right-click on the device you want to specify a DNAT on,
and then select Specify Configuration > Specify DNAT from the pop-up menu. The Specify
DNAT dialog appears.

3. Choose a shared DNAT from the Choose a Shared Destination NAT selective box for the
device.

4. Click OK.

To specify a destination route, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the
device configuration page.

2. In the device navigation pane, right-click on the device you want to specify a destination
route on, and then select Specify Configuration > Specify DRouter from the pop-up menu.
The Specify DRouter dialog appears.

3. Choose a shared destination route from the Choose a Shared Destination Route selective
box for the device.

4. Click OK.

Snapshot Management

On HSM, you can create a snapshot to back up the current configuration of the selected device,
and you can restore the configuration from a snapshot to HSM as needed.
To create a snapshot, take the following steps:

1. From the device navigation pane, right-click on the device for which you want to create a
snapshot, and then select Create Snapshot from the pop-up menu.



2. On the Creating Snapshot dialog, specify a snapshot name and its description, and click OK.

To restore a snapshot, take the following steps:

1. From the device navigation pane, right-click on the device for which you want to restore a
snapshot, and then select Restore Snapshot from the pop-up menu.

2. On the Restoring Snapshot dialog, specify a version you want to restore in the Choose a
backup version drop-down list, and then Click Restore.

To manage snapshots, take the following steps:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the
device configuration page.

2. From the device navigation pane, select All Devices; the main window shows the list of all
devices. Click Manage in the Snapshot column; the Snapshot Management dialog appears.
Description of the options on the dialog:

Create Snapshot: Specify the snapshot name and its description, and click OK.



View: Show the configurations of the snapshot.
Export: Export the snapshot to the local computer as a zip archive of XML files. Click OK in
the pop-up dialog box, then choose the location to save it. You can edit the snapshot file locally.
Delete: Delete the selected snapshot.
Compare: Select Compared with Last Deployment to compare the current snapshot with the
last deployed snapshot; select Compared with Configuration in Device to compare it with the
current configuration of the device that HSM manages; select Compared with Configuration
in HSM to compare it with the current configuration on HSM.
Restore: Restore the configurations of the snapshot.

3. Close the Snapshot Management dialog.
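The Compare operations above are, in practice, a configuration drift check: a rule that exists on the device but not in the HSM copy was added outside change control. The following is an added Python example, not HSM code, that performs the same kind of comparison offline on two exported snapshots. It models a snapshot as a zip archive of XML files, as the Export description states, but the file name, the XML element names and the two sample policies are constructed, since the page does not document the export schema.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Added example, not HSM code. The snapshot layout (a zip holding XML files)
# follows the Export description above; the file name, element names and
# sample policies below are invented for illustration.

def flatten(xml_bytes):
    """Map each element path (keyed by its 'name' attribute when present) to (text, attrs)."""
    root = ET.fromstring(xml_bytes.strip())
    entries = {}

    def walk(elem, path):
        key = path + "/" + elem.tag
        if "name" in elem.attrib:
            key += "[" + elem.attrib["name"] + "]"
        attrs = tuple(sorted((k, v) for k, v in elem.attrib.items() if k != "name"))
        entries[key] = ((elem.text or "").strip(), attrs)
        for child in elem:          # unnamed siblings with the same tag would collide
            walk(child, key)

    walk(root, "")
    return entries

def load_snapshot(zip_bytes):
    """Return {filename: flattened config} for every XML file in the archive."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".xml"):
                out[name] = flatten(zf.read(name))
    return out

def compare_snapshots(a_zip, b_zip):
    """List differences between two snapshots as (file, element path, old, new)."""
    a, b = load_snapshot(a_zip), load_snapshot(b_zip)
    diffs = []
    for fname in sorted(set(a) | set(b)):
        ea, eb = a.get(fname, {}), b.get(fname, {})
        for key in sorted(set(ea) | set(eb)):
            if ea.get(key) != eb.get(key):
                diffs.append((fname, key, ea.get(key), eb.get(key)))
    return diffs

def make_snapshot(files):
    """Build an in-memory zip from {filename: xml_text}; used only for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in files.items():
            zf.writestr(name, text)
    return buf.getvalue()

# Constructed sample: the HSM copy of a policy versus the copy read from the device.
HSM_SNAPSHOT = make_snapshot({"policy.xml": """
<policy>
  <rule name="allow-web" action="permit">
    <src>any</src><dst>web-servers</dst><service>HTTP</service>
  </rule>
  <rule name="deny-all" action="deny"><src>any</src><dst>any</dst><service>any</service></rule>
</policy>"""})

DEVICE_SNAPSHOT = make_snapshot({"policy.xml": """
<policy>
  <rule name="allow-web" action="permit">
    <src>any</src><dst>web-servers</dst><service>any</service>
  </rule>
  <rule name="temp-mgmt" action="permit"><src>any</src><dst>any</dst><service>SSH</service></rule>
  <rule name="deny-all" action="deny"><src>any</src><dst>any</dst><service>any</service></rule>
</policy>"""})

def policy_drift():
    """Differences between the HSM copy and the device copy of the sample policy."""
    return compare_snapshots(HSM_SNAPSHOT, DEVICE_SNAPSHOT)
```

On the sample, the comparison reports that allow-web was widened from HTTP to any and that a temp-mgmt rule permitting SSH from anywhere exists only on the device. Those are exactly the findings that should block a Deploy Configuration until someone decides whether to import or overwrite them.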

Locking Configuration

Configuration lock locks all configurations of a managed device to prevent multiple
administrators from modifying the device configuration simultaneously, avoiding confusion.
Once the device configuration is locked by one administrator, only this administrator can
configure the device and unlock the device configuration, and other administrators cannot
deploy configuration to the device during the locking period.

Notes:
When HSM manages the HA function of the managed devices, as soon as the master (slave)
device is locked, the slave (master) device is automatically locked as well.
When a managed device that has been registered and locked on HSM is added to an HA
cluster and specified as the slave device, its locking status follows that of the master device
once the HA cluster is synchronized to HSM.

To lock or unlock device configuration, take the following steps:



1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the
device configuration page.

2. In the device navigation pane, click the lock icon after the device you want to lock or
unlock. When the icon shows the device as unlocked, click it to lock the device
configuration; when the icon shows the device as locked, click it to unlock the device
configuration.

After the device configuration is locked by one administrator, note that:

l If other administrators move the mouse over the lock icon, the name of the locking
administrator is displayed.

l Not only the private configuration but also the shared configuration can be locked. If the
shared configuration is locked by multiple administrators, no one can modify the shared
configuration.

l If a shared object is locked, the system prompts "locked by xxx, operation denied: locked
devices(xxx)" when an administrator who does not hold the lock modifies it; if a shared
rule is locked, "Configuration is locked by xxx" is prompted on the location bar.

l If you cancel the relation between the device and the shared configuration, the shared
configuration is unlocked and the private configuration remains locked.

l All configurations related to the device, directly or indirectly, are locked, and others
cannot modify them.

l When the private configuration is modified to cite a new shared configuration, that shared
configuration becomes locked; conversely, when the citation is removed, the shared
configuration is unlocked.
For example, user A locks the configuration of device 1 and modifies a rule in security
policy 1 to cite the shared address entry addr1. After the modification, user A also holds
the lock on addr1.
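The locking rules above interact in ways that are easy to misjudge: a lock on one HA member covers its peer, a shared object is locked through every locked device that cites it, and a shared object cited by devices locked by two different administrators is frozen for everyone. The following is an added Python model of those rules, not HSM code; the device, administrator and object names are invented, and the `is_denied` helper exists only to exercise the model.

```python
# Added example, not HSM code: a minimal model of the configuration lock rules
# described above (single locker per device, deploy denied to others, HA peers
# locked together, shared objects locked while cited by a locked device's
# private configuration). Names used with it are invented.

class LockDenied(Exception):
    """Raised when an operation is refused because of a configuration lock."""

class ConfigLocks:
    def __init__(self, ha_pairs=()):
        self.device_locks = {}   # device -> administrator holding its lock
        self.citations = {}      # device -> shared objects its private config cites
        self.peer = {}           # device -> HA peer device
        for a, b in ha_pairs:
            self.peer[a], self.peer[b] = b, a

    def _group(self, device):
        """A device and its HA peer are always locked and unlocked together."""
        return [d for d in (device, self.peer.get(device)) if d is not None]

    def _check(self, device, admin):
        """Refuse if the device is locked by someone other than `admin`."""
        owner = self.device_locks.get(device)
        if owner not in (None, admin):
            raise LockDenied(f"Configuration is locked by {owner}")

    def lock(self, device, admin):
        for dev in self._group(device):
            self._check(dev, admin)
        for dev in self._group(device):
            self.device_locks[dev] = admin

    def unlock(self, device, admin):
        for dev in self._group(device):
            self._check(dev, admin)
            self.device_locks.pop(dev, None)

    def deploy(self, device, admin):
        self._check(device, admin)
        return f"deployed {device}"

    def cite(self, device, admin, shared_obj):
        """The private configuration of `device` starts referencing a shared object."""
        self._check(device, admin)
        self.citations.setdefault(device, set()).add(shared_obj)

    def uncite(self, device, admin, shared_obj):
        """The reference is removed; the shared object is released for this device."""
        self._check(device, admin)
        self.citations.get(device, set()).discard(shared_obj)

    def lockers_of(self, shared_obj):
        """Locked devices whose private configuration cites the shared object."""
        return {d for d, objs in self.citations.items()
                if shared_obj in objs and d in self.device_locks}

    def modify_shared(self, shared_obj, admin):
        """Allowed only if every lock on the object is held by `admin` (or there is none)."""
        devices = self.lockers_of(shared_obj)
        owners = {self.device_locks[d] for d in devices}
        if owners and owners != {admin}:
            raise LockDenied(
                f"locked by {', '.join(sorted(owners))}, operation denied: "
                f"locked devices({', '.join(sorted(devices))})")
        return f"modified {shared_obj}"

def is_denied(fn, *args):
    """True if the operation raises LockDenied; used to exercise the model."""
    try:
        fn(*args)
        return False
    except LockDenied:
        return True
```

The shared-object lock is derived rather than stored: an object is locked exactly while some locked device cites it, which is why cancelling the relation or removing the citation releases it without a separate unlock step, matching the behaviour described in the notes above.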



Device Object
On the device configuration page, you can create a private or shared object. A private object
belongs to one device only and cannot be used by other devices. A shared object can be
referenced by all devices.
On HSM, you can edit zones and threat protection, and you can create, edit and delete address
entries, service groups, service entries, application groups, schedules, SLB server pools, Anti-Virus
rules, threat prevention, URL filters, users, roles and AAA servers. You can also view the IPS rules
in the managed devices. After configuring a device object, you have to deploy it to the security
device for it to take effect on the device. For more detailed information about deploying
configuration, see Synchronizing Configuration.

Notes:
l A function can be configured in HSM only after the license for it has been installed.

l Object names of different device types can be the same.

Zone

Configuring the Zone-based Anti-Virus and Intrusion Protection System Function

To enable the zone-based Anti-Virus and IPS functions, take the following steps:

1. Log on to HSM, click Configuration > Device Configuration to enter the device
configuration page.

2. From the device navigation pane, select the device whose zone will be configured. From
the object navigation pane, select Zones. The main window shows the zone entry list.

3. In the zone entry list, click the zone on which you want to enable the Anti-Virus and IPS
functions, and then click Edit from the toolbar. The Zone dialog appears.



4. In the Zone dialog, specify the defense status configurations.

Anti Virus: Select the On check box to enable the Anti Virus function, then select an
Anti-Virus rule from the drop-down list. Two kinds of rule are available:

l Predefined: By default, HSM provides three predefined Anti-Virus rules: predef_low,
predef_middle and predef_high. The file types and protocol types that are filtered differ
between the rules; the higher the rule level, the higher the security level.

l User-defined: Anti-Virus rules defined by the user. Select one from the drop-down list
according to your needs, or click New in the drop-down list to create a new Anti Virus
rule. For more information, see Anti-Virus.

In the drop-down list, you can specify filtering conditions; the security device displays all
Anti-Virus rules that match the search conditions.

Intrusion Protection: Select the On check box to enable the IPS function, then select an IPS
rule from the drop-down list.

l Defense direction: If the IPS function is enabled, you must select a direction (bi-direct,
egress, ingress) from the defense direction drop-down list. The IPS rule is applied to the
traffic that matches the specified security zone and direction.

In the drop-down list, you can specify searching conditions; HSM displays all IPS rules that
match the search conditions.

5. Click OK.

Address Books

Creating an Address Entry

To create a new address entry on HSM, take the following steps:

1. Click Configuration > Device Configuration to enter the device configuration page.

2. In the device navigation pane, select the device on which you want to create an address
entry, go to the object navigation pane and select Address Book. The main window shows
the address entry list.

3. Click New from the toolbar. The Address dialog appears.



4. In the Address dialog, specify the address entry configurations.

Type: Specify the type of the object. It can be private or shared.
Name: Type the name of the address entry in the Name text box. If necessary, give a
description to the address entry in the Description text box.
Type: Specify the type of the IP address, IPv4 or IPv6.
Member: Select the member type from the drop-down list in the Member tab, and then type
the IPv4 address/mask, IPv4 range, IPv6 address/prefix, IPv6 range or hostname in the text
box, or choose another address entry. Click Add to add the member to the member entry list.
Repeat this step to add multiple members. Click Delete to delete the selected member.
Exclude Member: Specify the excluded members. In the Exclude Member tab, select the
exclude member type from the drop-down list, and then type the IPv4 address/mask, IPv4
range, IPv6 address/prefix or IPv6 range in the text box. Click Add to add the exclude
member to the exclude member entry list. Repeat this step to add multiple exclude members.
Click Delete to delete the selected exclude member.

5. Click OK to save the changes and close the dialog.

Service Books

Creating a Service Group

To create a new service group on HSM, take the following steps:

1. Click Configuration > Device Configuration to enter the device configuration page.

2. In the device navigation pane, select the device on which you want to create a service
group, go to the object navigation pane and select Service Books > User-defined Service
Group. The main window shows the service group entry list.

3. Click New from the toolbar. The Service Group dialog appears.



The options are described as below:
Type: The type of the object. It can be private or shared.
Name: The name of the service group.
Description: Give a description to the service group. It is optional.
Member: Select the service or service group from the left selective list, and click the
right-arrow button to add it. To remove a selected service, select it in the right selective
list, and then click the left-arrow button.

4. Click OK to save the changes and close the dialog.


The created service group will be displayed in the service group list. You can click the Edit
button on the toolbar to edit the name, description and members of the service group. Click
the Delete button to delete the service group.
Note: The name of a service group can be edited only on StoneOS 5.5R6F2 or later.



Creating a Service

To create a new service on HSM, take the following steps:

1. Click Configuration > Device Configuration to enter the device configuration page.

2. In the device navigation pane, select the device on which you want to create a service, go
to the object navigation pane and select Service Books > User-defined Service. The main
window shows the user-defined service entry list.

3. Click New from the toolbar. The Service dialog appears.

The options are described as below:


Type: The type of the object. It can be private or shared.



Name: The name of the service.
Description: Give a description to the service. It is optional.
Member: Specify the protocol type of the member: TCP, UDP, ICMP or Others.
The parameters of each protocol are described as below:
TCP/UDP

Dst Port: Specify the destination port range of the member. The value range is 1 to
65535.
Src Port: Specify the source port range of the member. The value range is 1 to 65535.
ICMP

Type: Specify the ICMP type value of the member. It can be one of the following: 3
(Destination-Unreachable), 4 (Source Quench), 5 (Redirect), 8 (Echo), 11 (Time
Exceeded), 12 (Parameter Problem), 13 (Timestamp), and 15 (Information).
Min Code: Specify the minimum ICMP code value of the member. The value range is 0
to 5.
Max Code: Specify the maximum ICMP code value of the member. The value range is 0
to 5.
Others

Protocol No.: Specify the protocol number of the member. The value range is 1 to 255.



After specifying the values of parameters, click Add to add it to the service. Repeat the
above steps to add multiple members. Click Delete to delete the selected member.

4. Click OK to save the changes and close the dialog.


The created service will be displayed in the service list. You can click the Edit button on
the toolbar to edit the name, description and members of the service. Click the Delete
button to delete the service.
Note: The name of a service can be edited only on StoneOS 5.5R6F2 or later.

Application Books

Creating an Application Group

To create a new application group on HSM, take the following steps:

1. Click Configuration > Device Configuration to enter the device configuration page.

2. In the device navigation pane, select the device on which you want to create an application
group, expand Objects and select Application Books > User-defined Application Group. The
main window shows the user-defined application group information.

3. Click New from the toolbar. The APP Group dialog appears.



Options are described as below:
Type: Specify the type of the application group. It can be private or shared.
Name: Specify the name of the application group.
Description: Give a description to the application group. It is optional.
Member: Specify members for the application group. Select the wanted applications from
the selective list, and click the add button to add the selected objects to the application group.

4. Click OK to save the changes and close the dialog.

Schedules

Creating a Schedule

To create a schedule on HSM, take the following steps:



1. Click Configuration > Device Configuration to enter the device configuration page.

2. In the device navigation pane, select the device on which you want to create the schedule,
expand Objects and select Schedule. The main window shows the schedule list.

3. Click New from the toolbar. The Schedule dialog appears.

4. Specify the type for the schedule. It can be private or shared.

5. Enter the name in the Name text box.

6. In the Absolute Schedule section, specify the start time and end time. The schedule is never
active outside this window; any periodic schedules configured below take effect only inside it.

7. Click New, and configure a periodic schedule in the dialog. A periodic schedule repeats
within the time range specified by the absolute schedule.

The options are described as below:

Daily: The periodic schedule takes effect every day. Click the button and specify the start
time and end time.
Days: The periodic schedule takes effect on the specified days of the week. Click the button,
select the days in the Periodic Schedule section, and specify the start time and end time.
Due: The periodic schedule takes effect during one continuous period within a week. Click
the button and specify the start date/time and end date/time.
Click Preview to preview the periodic schedule; click Save to add the periodic schedule to
the schedule.

8. Repeat Step 7 to add more periodic schedules.

9. Click OK to save the changes and close the dialog.
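How the absolute and periodic parts fit together is easier to see in code. The following Python model is an added example for this guide, not HSM or StoneOS code: it evaluates a schedule object for a given timestamp, treats end times as exclusive (an assumption), and uses constructed sample schedules, including a Due entry that wraps from Sunday night into Monday.

```python
from datetime import datetime, time

# Constructed illustration of how a schedule object is evaluated: the absolute
# schedule bounds the whole object, and periodic entries (Daily, Days, Due)
# repeat inside that window. Written for this guide; not HSM or StoneOS code.
# End-time-exclusive boundaries are an assumption.

WEEKDAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")  # datetime.weekday() order


def _minute_of_week(day, t):
    """Minutes since Monday 00:00, so a Due entry can wrap past Sunday night."""
    return WEEKDAYS.index(day) * 1440 + t.hour * 60 + t.minute


def entry_active(entry, ts):
    """True if one periodic entry covers timestamp ts."""
    kind = entry["type"]
    if kind == "daily":
        return entry["start"] <= ts.time() < entry["end"]
    if kind == "days":
        return WEEKDAYS[ts.weekday()] in entry["days"] and entry["start"] <= ts.time() < entry["end"]
    if kind == "due":  # one continuous span inside a week, may cross Sunday -> Monday
        now = _minute_of_week(WEEKDAYS[ts.weekday()], ts.time())
        lo = _minute_of_week(entry["start_day"], entry["start"])
        hi = _minute_of_week(entry["end_day"], entry["end"])
        return lo <= now < hi if lo <= hi else (now >= lo or now < hi)
    raise ValueError("unknown periodic type: %s" % kind)


def schedule_active(schedule, ts):
    """Absolute window first; then any periodic entry may match. A schedule with
    no periodic entries is active for the whole absolute window."""
    start, end = schedule["absolute"]
    if not (start <= ts < end):
        return False
    periodic = schedule.get("periodic", [])
    return not periodic or any(entry_active(e, ts) for e in periodic)


def active_at(schedule, when):
    """Convenience wrapper taking 'YYYY-MM-DD HH:MM'."""
    return schedule_active(schedule, datetime.strptime(when, "%Y-%m-%d %H:%M"))


# Constructed sample schedule objects.
OFFICE_HOURS = {
    "absolute": (datetime(2023, 1, 1), datetime(2024, 1, 1)),
    "periodic": [
        {"type": "days", "days": {"mon", "tue", "wed", "thu", "fri"},
         "start": time(9, 0), "end": time(18, 0)},
    ],
}

# Maintenance window that wraps the week boundary: Sunday 22:00 to Monday 02:00.
MAINTENANCE = {
    "absolute": (datetime(2023, 1, 1), datetime(2024, 1, 1)),
    "periodic": [
        {"type": "due", "start_day": "sun", "start": time(22, 0),
         "end_day": "mon", "end": time(2, 0)},
    ],
}

if __name__ == "__main__":
    for when in ("2023-03-15 10:00", "2023-03-18 10:00", "2025-03-12 10:00"):
        print(when, "office hours:", active_at(OFFICE_HOURS, when))
    for when in ("2023-03-19 23:00", "2023-03-20 01:00", "2023-03-20 03:00"):
        print(when, "maintenance:", active_at(MAINTENANCE, when))
```

A policy bound to OFFICE_HOURS matches on a Wednesday morning in 2023 but not on a Saturday, and never in 2025 because the absolute window has ended; when a schedule-bound rule appears to have stopped matching, check the absolute window before the periodic entries.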

Interface

HSM supports creating, editing and deleting tunnel interfaces on the managed devices.

Creating a tunnel interface

To create a tunnel interface, take the following steps:

1. Click Configuration > Device Configuration to enter the device configuration page.

2. Select the device in which you want to create an interface.

3. Select Interface in the Object navigation pane. The main window then shows the related
information about the interface and toolbar.

4. Click New Tunnel Interface from the toolbar and the Tunnel Interface dialog box will pop
up.



In the Basic tab, configure the basic options for the interface.

Interface Name: Specifies a name for the tunnel interface.

Description: Enter a description for the tunnel interface.

Binding Zone: If Layer 3 zone is selected, you should also select a security zone from the
Zone drop-down list, and the interface will bind to a Layer 3 zone. If TAP is selected, the
interface will bind to a TAP zone. If No Binding is selected, the interface will not bind to
any zone.

Zone: Select a security zone from the Zone drop-down list.

HA sync: Select this check box to enable HA sync, which disables the Local property, uses the
virtual MAC address, and makes the primary device synchronize the interface's information to
the backup device. Clear the check box to disable HA sync, which enables the Local property,
uses the original MAC address, and stops the primary device from synchronizing the
interface's information to the backup device.

IP Type: Specifies the IP type for the interface: static IP or DHCP.

IP address: Specifies an IP address for the interface.

Netmask: Specifies a netmask for the interface.

Set as Local IP: In an HA environment, select this option to keep the interface IP from
being synchronized to the HA peer.

Enable DNS Proxy: Select this check box to enable DNS proxy for the interface.
- When the general DNS proxy is in use, clients on the network still get DNS replies from
  the DNS server configured on each client. If that DNS server address is an interface
  address of the Hillstone device, the device itself acts as the DNS server.
- When the transparent DNS proxy is in use, all DNS requests are answered by the Hillstone
  device. There is no need to edit the DNS configuration on each client; DNS service is
  controlled by modifying the device's DNS configuration.

Enable DNS Bypass: Select this check box to enable DNS bypass for the interface. With DNS
bypass enabled, DNS packets are forwarded to their original destination IP directly when
DNS proxy is disabled.

Advanced: Management IP: Specifies a management IP for the interface. Type the IP address
into the box. Secondary IP: Specifies secondary IPs for the interface. You can specify up to
6 secondary IP addresses.

Management: Select one or more management method check boxes to configure the management
methods allowed on the interface.

Reverse Route: Enable or disable reverse route as needed:
- Enable: Enforces the use of a reverse route. If no reverse route is available, packets are
  dropped. This option is enabled by default.
- Close: Reverse route is not used. Reverse traffic reaching the interface is returned along
  its original path without any reverse route check; that is, reverse packets are sent out
  the ingress interface on which the forward packets arrived.
- Packet-by-packet Check: Select this check box to enable the function when reverse route is
  disabled. The system then checks the session's MAC information against each packet. If the
  session's MAC information does not match the source MAC of the forward packet, the
  session's MAC information is updated from the forward packet's source MAC. By default,
  this function is disabled.
- Auto: Reverse route is preferred. If a reverse route is available, it is used to send
  packets; otherwise the ingress interface on which the forward packets arrived is used as
  the egress interface for reverse packets.

Tunnel Binding: IPSec VPN: Specifies the name of the IPSec VPN bound to the tunnel interface,
and then click Add from the Gateway options to add a next-hop address for the tunnel, which
can be either the IP address or the egress IP address of the peer tunnel interface. This
parameter, which is 0.0.0.0 by default, is only valid when multiple IPSec VPN tunnels are
bound to the tunnel interface.
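The three reverse-route modes decide which interface carries replies for a session. The following Python model is an added example for this guide, not HSM or StoneOS code; the routing table, interface names and addresses are constructed, and the packet-by-packet check is modelled as a session that updates its recorded peer MAC from each forward packet.

```python
import ipaddress

# Constructed model of the tunnel interface "Reverse Route" option: given the
# source address of a forward packet and the interface it arrived on, which
# interface carries the reply? Written for this guide; the routing table and
# interface names are made up, not taken from HSM or StoneOS.

ROUTES = [  # (destination prefix, egress interface); no default route on purpose
    ("10.0.0.0/8", "ethernet0/0"),
    ("10.20.0.0/16", "tunnel1"),
    ("192.168.1.0/24", "ethernet0/1"),
]


def lookup(addr, routes=ROUTES):
    """Longest-prefix match; None when the table has no route to addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def reverse_egress(mode, src_addr, ingress, routes=ROUTES):
    """Interface for reply traffic, or None when the reply is dropped.
    enable: reverse route required; no route back to the source -> drop.
    close:  never consult the table; reply out the ingress interface.
    auto:   prefer the reverse route, fall back to the ingress interface."""
    via_route = lookup(src_addr, routes)
    if mode == "enable":
        return via_route
    if mode == "close":
        return ingress
    if mode == "auto":
        return via_route or ingress
    raise ValueError(mode)


class Session:
    """With reverse route closed and packet-by-packet check on, the recorded
    peer MAC follows the source MAC of every forward packet instead of only
    the first one."""

    def __init__(self, peer_mac, packet_by_packet=False):
        self.peer_mac = peer_mac
        self.packet_by_packet = packet_by_packet

    def forward_packet(self, src_mac):
        if self.packet_by_packet and src_mac != self.peer_mac:
            self.peer_mac = src_mac
        return self.peer_mac


if __name__ == "__main__":
    for mode in ("enable", "close", "auto"):
        print(mode, reverse_egress(mode, "10.20.5.5", "ethernet0/1"),
              reverse_egress(mode, "172.16.0.9", "ethernet0/1"))
```

Enable is the strict setting: a packet whose source address has no route back gets no reply path at all, which is what you want on an Internet-facing interface. Close and Auto reply toward the ingress interface even for a source the device cannot route to, so reserve them for links where routing is intentionally asymmetric.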

In the Properties tab, configure the properties of the tunnel interface.

MTU: Specifies an MTU for the interface. The value range is 1280 to 1500/1800 bytes. The
default value is 1500. The maximum MTU varies across Hillstone platforms.

Keep-alive IP: Specifies an IP address that receives the interface's keep-alive packets.

In the Advanced tab, configure the advanced options for the tunnel interface.

Shutdown: The system supports interface shutdown. You can enforce shutdown of a specific
interface, control the time of shutdown by schedule, or control the shutdown according to
the link status of tracked objects. Configure the options as below:
1. Select the Shut down check box to enable interface shutdown.
2. To control the shutdown by schedule or tracked objects, select the appropriate check box,
and then select a schedule or tracked object from the drop-down list.

Monitor and Backup: Configure the options as below:
1. Select the appropriate check box, and then select a schedule or tracked object from the
drop-down list.
2. Select an action:
- Shut down the interface: During the time specified in the schedule, or when the tracked
  object fails, the interface is shut down and its related routes fail.
- Migrate traffic to backup interface: During the time specified in the schedule, or when
  the tracked object fails, traffic on the interface is migrated to the backup interface. In
  this case select a backup interface from the Backup interface drop-down list and type the
  migrating time into the Migrating time box. The migrating time (0 to 60 minutes) is the
  period during which traffic is moved to the backup interface before the primary interface
  is switched over; during this period traffic migrates from the primary interface to the
  backup interface gradually. By default the migrating time is 0, i.e., all traffic is
  migrated to the backup interface immediately.

In the RIP tab, configure the RIP options for the tunnel interface.

Authentication mode: Specifies the packet authentication mode, either plain text (the
default) or MD5. With plain text authentication the authentication string is transmitted
unencrypted together with the RIP packet, so it offers no real protection and must not be
used where security matters; MD5 authentication sends a keyed hash instead of the string
itself.

Authentication string: Specifies the RIP authentication string for the interface.

Transmit version: Specifies the RIP version of updates transmitted by the interface. By
default both V1 and V2 RIP updates are transmitted.

Receive version: Specifies the RIP version of updates accepted by the interface. By default
both V1 and V2 RIP updates are accepted.

Split horizon: Select the Enable check box to enable split horizon. With split horizon
enabled, routes learned from an interface are not advertised back out the same interface,
which helps avoid routing loops.

SLB Server Pool

Creating an SLB Server Pool

To create an SLB server pool on HSM, take the following steps:

1. Click Configuration > Device Configuration to enter the device configuration page.

2. In the device navigation pane, select the device on which you want to create the SLB
server pool, go to the object navigation pane and select SLB Server Pool. The main window
shows the user-defined SLB server pool information.

3. Click New from the toolbar. The SLB Server Pool Configuration dialog appears.

In the SLB Server Pool Configuration dialog, configure the following options.

Type: Specify the type of the object. It can be private or shared.

Name: Specify the name of the SLB server pool. You can enter up to 31 characters.

Algorithm: Select an algorithm for load balancing:
- Weighted Hash: Assign requests to SLB server pool members according to a hash algorithm.
- Weighted Least Connection: Assign requests to the member that currently has the fewest
  connections in the SLB server pool.
- Weighted Round Robin: Assign requests in turn according to the weight of each SLB server
  pool member.

Sticky: If Sticky is selected, the security device treats all requests from the same source
IP as the same client and forwards them to the same server.

Member

Member: Specify the member of the pool. You can type an IP range, or an IP address and
netmask.

Port: Specify the port number of the server.

Maximum Sessions: Specify the maximum number of sessions allowed for the server. The value
ranges from 0 to 1,000,000,000. The default value is 0, which means no limit.

Weight: Specify the traffic forwarding weight used during load balancing. The value ranges
from 1 to 255.

Add: Add the member to the SLB server pool.

Delete: Click Delete to delete the selected member.

Track

Track Type: Select a track type.

Port: Specify the port number to be tracked. The value ranges from 1 to 65535.

Interval: Specify the interval between Ping/TCP/UDP probe packets, in seconds. The value
ranges from 3 to 255.

Retries: Specify a retry threshold. If no response is received after the specified number of
retries, the system considers the track entry failed, i.e., the tracked target is
unreachable. The value range is 1 to 255.

Weight: Specify the weight this track entry contributes to the failure of the whole track
rule when it fails. The value range is 1 to 255.

Add: Click Add to add the configured track entry to the list.

Delete: Click Delete to delete the selected track entry.

Threshold: Type the threshold for the track rule into the Threshold box. The value range is
1 to 255. If the sum of the weights of the failed entries in the track rule exceeds the
threshold, the security device concludes that the track rule fails.

Description: Type the description for this track rule. You can enter up to 95 characters.

4. Click OK to save the settings.

To view the details of the servers in an SLB pool:

1. Click Configuration > Device Configuration from the Level-1 navigation pane to enter the
device configuration page.

2. In the device navigation pane, select the device, go to the object navigation pane and
select SLB Server Pool. The main window shows the user-defined SLB server pool information.

3. Select an SLB pool entry.

4. In the Server List tab at the bottom of the page, view the servers in this SLB pool. The
server information includes IP/mask, port, weight, and maximum sessions.

5. In the Monitoring tab, view the track rules. The track rule information includes track
type, port, interval, and retries.
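The following Python model is an added example written for this guide, not HSM or StoneOS code. It ties together the pool options above: the three algorithms, sticky source IP, the maximum-sessions cap, and a track rule whose failed-entry weights are summed against the threshold. Member addresses, track entry names and the CRC32-based hash are constructed; treating the threshold as "greater than or equal to" is an assumption.

```python
import zlib

# Constructed model of an SLB server pool: scheduling algorithms, sticky source
# IP, maximum sessions and the track rule that takes a member out of rotation.
# Written for this guide; not HSM or StoneOS code. Assumptions: the track rule
# fails when the failed weights reach or exceed the threshold, and "Weighted
# Hash" is a CRC32 of the source IP mapped onto the members' weight ranges.


class Member:
    def __init__(self, ip, port, weight=1, max_sessions=0):
        self.ip, self.port, self.weight = ip, port, weight
        self.max_sessions = max_sessions      # 0 means no limit, as on the page
        self.connections = 0
        self.wrr_credit = 0                   # smooth weighted round-robin state
        self.failed_entries = set()           # names of track entries currently failing


def track_rule_failed(entries, failed, threshold):
    """entries: {track entry name: weight}; failed: names of failed entries."""
    return sum(w for name, w in entries.items() if name in failed) >= threshold


class ServerPool:
    def __init__(self, algorithm, members, track_entries, threshold, sticky=False):
        self.algorithm, self.members = algorithm, members
        self.track_entries, self.threshold = track_entries, threshold
        self.sticky, self.sticky_table = sticky, {}

    def available(self):
        """Members whose track rule holds and whose session cap is not reached."""
        return [m for m in self.members
                if not track_rule_failed(self.track_entries, m.failed_entries, self.threshold)
                and not (m.max_sessions and m.connections >= m.max_sessions)]

    def _weighted_round_robin(self, cands):
        total = sum(m.weight for m in cands)
        for m in cands:
            m.wrr_credit += m.weight
        best = max(cands, key=lambda m: m.wrr_credit)
        best.wrr_credit -= total
        return best

    def _weighted_least_connection(self, cands):
        return min(cands, key=lambda m: m.connections / m.weight)

    def _weighted_hash(self, cands, src_ip):
        slot = zlib.crc32(src_ip.encode()) % sum(m.weight for m in cands)
        for m in cands:
            if slot < m.weight:
                return m
            slot -= m.weight

    def select(self, src_ip):
        """Pick a member for a new request from src_ip; None if none is usable."""
        cands = self.available()
        if not cands:
            return None
        chosen = self.sticky_table.get(src_ip) if self.sticky else None
        if chosen not in cands:               # no sticky entry, or its member is out
            if self.algorithm == "wrr":
                chosen = self._weighted_round_robin(cands)
            elif self.algorithm == "wlc":
                chosen = self._weighted_least_connection(cands)
            elif self.algorithm == "whash":
                chosen = self._weighted_hash(cands, src_ip)
            else:
                raise ValueError(self.algorithm)
        chosen.connections += 1
        if self.sticky:
            self.sticky_table[src_ip] = chosen
        return chosen


TRACK = {"ping": 100, "tcp-8080": 50}   # constructed track entries and weights


def demo():
    a = Member("192.0.2.10", 8080, weight=3)
    b = Member("192.0.2.11", 8080, weight=1)
    pool = ServerPool("wrr", [a, b], TRACK, threshold=100)
    picks = [pool.select("198.51.100.%d" % i).ip for i in range(4)]
    b.failed_entries.add("tcp-8080")        # 50 < 100: b stays in rotation
    still_in = b in pool.available()
    b.failed_entries.add("ping")            # 150 >= 100: track rule fails, b is out
    removed = b not in pool.available()
    return {"wrr_picks": picks, "partial_failure_keeps": still_in, "rule_failure_removes": removed}


if __name__ == "__main__":
    print(demo())
```

Note the interaction between the track weights and the threshold: with ping weighted 100 and a TCP probe weighted 50 against a threshold of 100, losing only the application port keeps the member in service, which is usually not what you want; weight the probe that reflects real service health at or above the threshold.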

Intrusion Protection System

IPS, the abbreviation for Intrusion Protection System, is designed to monitor various network
attacks in real time and take appropriate actions (like block) against the attacks according to your
configuration. You can view the IPS rules configured in the managed device, including predefined
rules and user-defined rules.

Viewing the IPS rules

To view the IPS rules configured on a managed device on HSM, take the following steps:

1. Click Configuration > Device Configuration to enter the device configuration page.

2. From the device navigation pane, select the device whose IPS rules you want to view.

3. Go to the object navigation pane and select Intrusion Protection System.

Firewalls running different StoneOS versions ship different predefined IPS rules, as follows:

no-ips: This rule does not include any IPS signatures, that is, no intrusion prevention
detection is performed. Applicable to all StoneOS versions.

predef_default: This rule includes all IPS signatures and its default action is reset. It is
suitable for general deployment scenarios. Applicable to all StoneOS versions.

predef_loose: This rule includes most of the IPS signatures with high severity or high
popularity and its default action is log only. It is suitable for general deployment
scenarios. Applicable to all StoneOS versions.

DMZ-server: This rule includes all attack detection except for the TFTP and NETBIOS
protocols, and its default action is log. It is suitable for deployments with DMZ servers.
Applicable to StoneOS 5.5R5 and later.

web-server: This rule includes detection of all web attacks and general detection of SQL
injection and XSS. Its default action is log. It is suitable for deployments with web
servers. Applicable to StoneOS 5.5R5 and later.

Windows-server: This rule includes detection of attacks against Windows systems and its
default action is log. It is suitable for deployments with Windows-based servers.
Applicable to StoneOS 5.5R5 and later.

General-server: This rule includes attack detection for vulnerability scanning, denial of
service attacks and backdoor Trojans. Its default action is log. It is suitable for general
deployment scenarios. Applicable to StoneOS 5.5R5 and later.

Unix-like-server: This rule includes detection of attacks against Linux and Solaris
systems. Its default action is log. It is suitable for deployments with Unix-based servers.
Applicable to StoneOS 5.5R5 and later.

Intranet-client: This rule includes all IPS signatures and its default action is log.
Applicable from StoneOS 5.5R5 up to, but not including, StoneOS 5.5R8.

predef_critical: This rule includes detection of recent high-risk attacks and its default
action is log. It is suitable for general deployment scenarios or scenarios that need key
protection. Applicable to StoneOS R5F4, R6F1 and later.

Anti-Virus

Configuring the Anti-Virus function consists of the following steps:

- Configuring Anti-Virus Global Parameters

- Creating a Shared Anti-Virus Rule

- Enabling the Policy-based Anti-Virus Function

Configuring Anti-Virus Global Parameters

You can enable or disable the Anti-Virus function and configure its global parameters. For
details on configuring the Anti-Virus global parameters, see Threat Protection.



Creating an Anti-Virus Rule

To create an Anti-Virus rule on HSM, take the following steps:

1. Click Configuration > Device Configuration to enter the device configuration page.

2. In the device navigation pane, select the device on which you want to create the AV rule,
go to the Objects navigation pane and select Anti-Virus. The main window shows the Anti-Virus
rule list.

3. Click New from the toolbar. The AntiVirus Rule Configuration dialog appears.

In the Anti-Virus dialog, enter the values.

Type: Specify the type of the object. It can be private or shared.

Name: Specify the rule name.

File Types: Specify the file types you want to scan: GZIP, JPEG, MAIL, RAR, HTML, PE, BZIP2,
RIFF, TAR, ELF, RAWDATA, MSOFFICE, PDF and OTHERS.

Protocol Types: Specify the protocol types (HTTP, SMTP, POP3, IMAP4, FTP) you want to scan
and the action the security device takes after a virus is found:
- Fill Magic - Processes the virus file by filling it with magic words, i.e., overwrites the
  infected section from beginning to end with the string "Virus is found, cleaned".
- Log Only - Only generates a log.
- Warning - Pops up a warning page to prompt that a virus has been detected. This option is
  only effective for messages transferred over HTTP.
- Reset Connection - If a virus is detected, the security device resets the connection
  carrying the file.

Capture: Select the Enable check box next to Capture Packet to enable packet capture. The
security device saves the evidence messages, which can be viewed or downloaded.

Malicious Website Access Control: Select the check box next to Malicious Website Access
Control to enable the function.

Action: Specify the action the security device takes when a malicious website is found.
- Log Only - Only generates a log.
- Reset Connection - If a malicious website is detected, the security device resets the
  connection.
- Warning - Pops up a warning page to prompt that a malicious website has been detected.
  This option is only effective for messages transferred over HTTP.

Enable Label e-mail: If an email transferred over SMTP is scanned, you can enable label
email to scan the email and its attachment(s). The scanning result is included in the mail
body and sent with the email. If no virus has been detected, the message "No virus found" is
added; otherwise information about the virus, including the filename, result and action, is
shown in the email. Type the end message content into the box. The length range is 1 to 128
characters.

4. Click OK.

Notes: By default, HSM comes with three predefined Anti-Virus rules, one per virus filtering
protection level: predef_low, predef_middle, predef_high. The predefined rules cannot be
edited or deleted.

Enabling the Zone-based or Policy-based Anti-Virus Function

To enable zone-based or policy-based AV, take the following steps:

- To enable zone-based AV on HSM, see Zone.

- To enable policy-based AV on HSM, see Configuring the Policy-based Protection Function.

URL Filter

URL filter controls access to certain websites and records log messages for the access
attempts. URL filter lets you control network behavior in the following ways:

- Access control for certain categories of websites, such as gambling and pornographic
  websites.

- Access control for certain categories of websites during a specified period. For example,
  forbid access to IM websites during office hours.

- Access control for websites whose URL contains specified keywords. For example, forbid
  access to URLs that contain the keyword "game".

Notes: HSM only supports centralized management of the URL filter function on NGFW devices
running version 5.5R1 or above.

Configuring URL Filter

Configuring URL filter contains two parts:

l Create a URL filter rule

l Bind a URL filter rule to a security policy rule

Part 1: Creating a URL filter rule

1. Select Configuration > Device Configuration > Objects > URL Filter Bundle > URL Fil-
ter.



2. Click New.

In the URL Filter dialog, configure the following options.

Type: Specify the type of the URL filter rule, private or shared.

Name: Specify the name of the rule.

Control Type: The control types are URL Category, URL Keyword Category, and Web Surfing
Record. You can select one type for each URL filter rule.

URL Category controls access to certain categories of websites. The options are:
- New: Create a new URL category. For more information about URL categories, see
  "User-defined URL DB" on Page 339.
- Edit: Select a URL category from the list, and click Edit to edit the selected URL
  category.
- URL category: Shows the names of the predefined and user-defined URL categories.
- Block: Select the check box to block access to the corresponding URL category.
- Log: Select the check box to log access to the corresponding URL category.
- Other URLs: Specify the actions for URLs that are not in the list: Block Access and
  Record Log.

URL Keyword Category controls access to websites whose URL contains the specified keywords.
Click the URL Keyword Category option to configure it. The options are:
- New: Create a new keyword category. For more information about keyword categories, see
  "Keyword Category" on Page 341.
- Edit: Select a URL keyword category from the list, and click Edit to edit it.
- Keyword category: Shows the names of the configured keyword categories.
- Block: Select the check box to block access to websites whose URL contains the specified
  keywords.
- Log: Select the check box to log access to websites whose URL contains the specified
  keywords.
- Other URLs: Specify the actions for URLs that contain none of the keywords in the list:
  Block Access and Record Log.

Web Surfing Record logs the GET and POST methods of HTTP:
- Get: Records a log for each GET request.
- Post: Records a log for each POST request.
- Post Content: Records the posted content.

Relevant Device: Specify the devices to associate with the shared URL filter rule. If you
choose the VSYS devices of a device, the rule is only relevant to the root VSYS. After
configuring the rule, you have to deploy it to the relevant devices for it to take effect on
them. For more information about deploying configuration, see Synchronizing Configuration.

3. Click OK to save the settings.

Part 2: Binding a URL filter rule to a security policy rule


After binding a URL filter rule to a security policy rule, the system will perform the URL filter
function on the traffic that matches the security policy rule. For more information, please refer to
Configuring the Policy-based Protection function.

Predefined URL DB

The system contains a predefined URL database, which provides URL categories for URL filter
configuration. It includes dozens of categories and tens of millions of URLs. When
identifying a URL's category, the user-defined URL database takes priority over the
predefined URL database.

Notes: The predefined URL database is license controlled. It can be used only after a URL
license is installed.

User-defined URL DB

Besides categories in predefined URL database, you can also create user-defined URL categories,
which provides URL categories for the configurations of URL filter. When identifying the URL
category, the user-defined URL database has a higher priority than the predefined URL database.
System provides three user-defined URL categories by default: custom1, custom2, custom3.

Configuring User-defined URL DB

To configure a user-defined URL category:



1. Select Objects > URL Filter Bundle > User-defined URL DB.

2. Click New in the toolbar. The URL Category dialog appears.

3. Type the category name in the Name text box. A URL category name cannot consist only of a
hyphen (-). You can create at most 1000 user-defined categories.

4. Type the category description in the Description text box. The value range is 0 to 255 char-
acters.

5. Type a URL into the URL http:// box.

6. Click Add to add the URL and its category to the table.

7. Repeat the above steps to add more URLs.



8. To delete an existing one, select its check box and then click Delete.

9. Click OK to save the settings.

Keyword Category

You can customize keyword categories and use them in the URL filter function.
After a URL filter rule is configured, the system scans traffic for the configured keywords
and calculates a trust score for the keywords that are hit. The score of a category is the
sum, over each keyword belonging to the category, of (number of occurrences * trust value of
the keyword). The system then compares each category's sum with the category threshold of
100 and acts as follows:

- If the sum is greater than or equal to the category threshold (100), the configured
  category action is triggered;

- If more than one category action is triggered and any of them is Block, the final action
  is Block;

- If more than one category action is triggered and all of them are Permit, the final
  action is Permit.

For example, a URL filter rule contains two keyword categories, C1 with action Block and C2
with action Permit. Both C1 and C2 contain the same keywords K1 and K2. The trust values of
K1 and K2 in C1 are 20 and 40; in C2 they are 30 and 80.
If the system detects 1 occurrence each of K1 and K2 in a URL, the C1 score is
20*1+40*1=60<100 and the C2 score is 30*1+80*1=110>100. Only C2 is triggered, so the URL
access is permitted.
If the system detects 3 occurrences of K1 and 1 occurrence of K2 in a URL, the C1 score is
20*3+40*1=100 and the C2 score is 30*3+80*1=170>100. Both C1 and C2 are triggered, and
because C1's action is Block, the web page access is denied.
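The scoring above, as an added Python example for this guide (not HSM or StoneOS code). The trust values and the threshold of 100 are the ones from the worked example; the keyword strings, the URLs, the extra regular-expression keyword and the "permit" result for a URL that triggers no category are constructed assumptions.

```python
import re

# Constructed model of keyword category scoring for URL filter rules. Written
# for this guide; not HSM or StoneOS code. Trust values and the threshold of
# 100 come from the worked example; keyword text, URLs and the handling of a
# URL that triggers no category are assumptions.


def category_score(category, url):
    """Sum of (occurrences * trust value) over the category's keywords."""
    score = 0
    for kw in category["keywords"]:
        if kw["match"] == "regex":
            hits = len(re.findall(kw["pattern"], url))
        else:                                # "simple": literal substring count
            hits = url.count(kw["pattern"])
        score += hits * kw["trust"]
    return score


def keyword_action(categories, url, threshold=100):
    """Block wins when any triggered category says block; otherwise permit.
    Returns (action, names of triggered categories)."""
    triggered = [c["name"] for c in categories if category_score(c, url) >= threshold]
    if not triggered:
        return "permit", triggered
    if any(c["action"] == "block" for c in categories if c["name"] in triggered):
        return "block", triggered
    return "permit", triggered


# K1 = "poker", K2 = "casino", with the trust values from the worked example.
C1 = {"name": "C1", "action": "block", "keywords": [
    {"pattern": "poker", "match": "simple", "trust": 20},
    {"pattern": "casino", "match": "simple", "trust": 40},
    {"pattern": r"bet\d+", "match": "regex", "trust": 50},   # extra regex keyword
]}
C2 = {"name": "C2", "action": "permit", "keywords": [
    {"pattern": "poker", "match": "simple", "trust": 30},
    {"pattern": "casino", "match": "simple", "trust": 80},
]}
CATEGORIES = [C1, C2]

if __name__ == "__main__":
    for url in ("http://example.test/poker/casino",
                "http://example.test/poker/poker/poker/casino",
                "http://example.test/bet123/odds"):
        print(url, keyword_action(CATEGORIES, url))
```

The model makes the operational consequence of the scoring visible: a permit category with generous trust values does not override a block category, it only matters when no block category reaches the threshold, so keep the trust values of a blocking category high enough that a single clear hit crosses 100.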

Configuring a Keyword Category

To configure a keyword category:



1. Select Objects > URL Filter Bundle > Keyword Category. The main window shows the keyword
category list.

2. Click New. The Keyword Category dialog appears.

3. Type the category name.

4. Type the category description in the Description text box. The value range is 0 to 255 char-
acters.

5. Specify the keyword, character matching method (simple/regular expression), and trust
value.

6. Click Add to add the keyword to the list below.

7. Repeat the above steps to add more keywords.

8. To delete a keyword, select the keyword you want to delete from the list and click Delete.



9. Click OK to save your settings.

Warning Page

The warning page shows the user block information and user audit information.

Configuring Block Warning

If Internet access is blocked by the URL filter function, the request is denied. An Access
Denied message is shown in your browser, together with the applicable web surfing rules, on
the warning page. See the picture below:

After enabling the block warning function, block warning information will be shown in the
browser when one of the following actions is blocked:

l Visiting a certain type of URL

l Visiting the URL that contains a certain type of keyword category

The block warning function is disabled by default. To configure the block warning function:

1. From the device navigation pane, select the device you want to configure the block warning
function.

2. Click Objects > URL Filter Bundle > Warning Page, the Warning Page dialog appears.



3. Select Enable check box in the Block Warning section.

4. Configure the display information in the blocking warning page.

Option Description

Default Use the default blocking warning page as shown above.

Redirect page Redirect to the specified URL. Type the URL in the URL
http:// box. You can click Detection to verify whether
the URL is valid.

Custom Customize the blocking warning page. Type the title in


the Title box and the description in the Description box.
You can click Preview to preview the blocking warning
page.

5. Click OK to save the settings.

Configuring Audit Warning

After enabling the audit warning function, when your network behavior matches the configured
URL filter rule, your HTTP request will be redirected to a warning page, on which the audit and
privacy protection information is displayed. See the picture below:



The audit warning function is disabled by default. To configure the audit warning function:

1. From the device navigation pane, select the device you want to configure the audit warning
function.

2. Select Objects > URL Filter Bundle > Warning Page, the Warning Page dialog appears.

3. Select Enable check box in the Audit Warning section.

4. Click OK to save the settings.

Botnet Defense

Notes: HSM can only manage the botnet defense function of firewall devices running StoneOS
5.5R8P4, 5.5R8F1 or later versions.

Configuring Botnet Defense

Configuring a botnet defense profile contains two parts:

l Creating a botnet defense profile.

l Binding a botnet defense profile to a security policy rule.

Creating a Botnet Defense Profile

The system provides a predefined botnet defense profile, "no-botnet-c2-prevention", which you
cannot edit or delete. You can create up to 32 botnet defense profiles.
To configure a botnet defense profile, take the following steps:



1. Select Configuration > Device Configuration to enter the Device Configuration page.

2. Select the device in the Device navigation bar.

3. Select Objects > Botnet Defense > Profile. The main window will display the botnet
defense profiles configured in the device.

4. Click New in the toolbar. The Botnet Defense Rule Configuration dialog appears.

Configure the following options in the dialog.

Type: Specify the type of the botnet defense profile, Private or Shared.

Name: Specify the name of the botnet defense profile. The length of the name is 1 to 31
characters.

Protocol Type: Specify the protocol types (TCP, HTTP, DNS) you want to scan and the action
the system takes when botnet traffic is found:
- Log Only: Only generates a log.
- Reset Connection: If botnet traffic is detected, the system resets the connection.
- Sinkhole Address Replacement: Available when the protocol type is DNS. After the threat
  is discovered, the system replaces the IP address in the DNS response packet with the
  sinkhole IP address, so the infected host connects to the sinkhole instead of the C2
  server.

5. Click OK.

Converting the Private Object to Shared Object

To convert a private object to a shared object, open the corresponding page, select the private
object, and then click Convert to Shared in the toolbar.
HSM can check whether an object is referenced by rules or other objects. To view the reference
information of an object, take the following steps:

1. From the device navigation pane, select the device whose reference information you want to
view.

2. From the object navigation pane, select the object type. The main window shows the
detailed information of the objects.

3. In the object table, click View in the Referenced by column. The Referenced by dialog of the
corresponding object appears.

Viewing the Operation Records

HSM records the operations you have made to objects, for example, editing a service or adding a
member. To view the operation records, take the following steps:

1. From the device navigation pane, select the device whose operation records you want to view.

2. From the object navigation pane, select the object type. The main window shows the
detailed information of the objects.

3. In the object table, click the icon in the Operation Record column. The system shows the
Operation Record dialog of the corresponding object.

Checking the Redundant Object

To ensure the effectiveness of the objects in the system, HSM provides the Redundant Object
Check function. This function lists objects that are not referenced anywhere and objects that
have the same elements but different names. You can modify the objects based on the check result
according to your own requirements.
When the system performs the redundant object check, note that:

• The application type and timeout value of services are not checked.

• The descriptions of objects are not checked.

• IPv6 IP addresses are not checked.

• Hostnames in address entries are case-sensitive.

To execute the redundant object check, take the following steps:

1. From the device navigation pane, click Tools > Redundant Object Check.

2. Select the device you want to check and then click Next.

3. The system generates the related task and begins the check. After the check, a report is
generated.

  • View Task: Opens the Task Management page, where you can view the progress of the
    redundant object check in the task list.
  • View Report: Read the detailed information. The report contains:
    Total Zone/Address Entry/Service Entry/Service Group/Schedule Number: Number of objects of a
    certain object type in the policy of the device.
    Unreferenced Zone/Address Entry/Service Entry/Service Group/Schedule: Number of unreferenced
    objects of a certain type in the policy of the device.
    Same Zone/Address Entry/Service Entry/Service Group/Schedule: Number of objects of a certain
    type that have the same elements but different names in the policy of the device.
  • Save: Saves the report locally in PDF format.

4. Click the Save button in the upper right corner to save the report locally in PDF format.
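The same check can be reproduced offline on an exported object inventory. The following is an added example, not HSM's own code: it assumes a simple dict layout for objects and policy references (the field names are assumptions) and applies the four exclusions listed above, so that IPv6-only entries never match each other and "Web01" and "web01" stay distinct.

```python
"""Redundant object check modelled on the HSM report described above.

Added example, not HSM code. The object records, the policy references and
the field names (kind, name, members, protocol, dst_port) are assumptions;
the comparison rules follow the notes above: service application type and
timeout are ignored, descriptions are ignored, IPv6 addresses are skipped
and hostnames compare case-sensitively.
"""
from collections import defaultdict
from ipaddress import ip_network


def canonical_elements(obj):
    """Return the comparable elements of an object, or None when nothing is
    left to compare (for example an address entry that only holds IPv6)."""
    kind = obj["kind"]
    if kind == "address":
        elems = set()
        for member in obj["members"]:
            if member["type"] == "host":
                elems.add(("host", member["value"]))   # no .lower(): case-sensitive
            else:
                net = ip_network(member["value"], strict=False)
                if net.version == 4:                    # IPv6 entries are not checked
                    elems.add(("ip", str(net)))
        return frozenset(elems) or None
    if kind == "service":
        return (obj["protocol"], obj["dst_port"])       # app type and timeout ignored
    if kind in ("service_group", "zone", "schedule"):
        return frozenset(obj["members"])
    raise ValueError(f"unknown object kind {kind!r}")


def redundant_object_check(objects, references):
    """Build the per-type counts of the report (total, unreferenced, same) and
    the groups of same-element objects. references: (referrer, kind, name)."""
    referenced = {(kind, name) for _, kind, name in references}
    report = defaultdict(lambda: {"total": 0, "unreferenced": 0, "same": 0})
    groups = defaultdict(list)
    for obj in objects:
        row = report[obj["kind"]]
        row["total"] += 1
        if (obj["kind"], obj["name"]) not in referenced:
            row["unreferenced"] += 1
        key = canonical_elements(obj)
        if key is not None:
            groups[(obj["kind"], key)].append(obj["name"])
    same = defaultdict(list)
    for (kind, _), names in groups.items():
        if len(names) > 1:
            report[kind]["same"] += len(names)
            same[kind].append(sorted(names))
    return dict(report), dict(same)


def sample_inventory():
    """Constructed objects and policy references for a demonstration run."""
    def addr(name, *members):
        return {"kind": "address", "name": name, "members": list(members)}

    def svc(name, port, app, timeout):
        return {"kind": "service", "name": name, "protocol": "tcp",
                "dst_port": port, "app": app, "timeout": timeout}

    host = lambda h: {"type": "host", "value": h}
    ip = lambda a: {"type": "ip", "value": a}
    objects = [
        addr("web-srv", host("Web01")),
        addr("web-srv-copy", host("Web01")),      # same elements, different name
        addr("web-srv-lower", host("web01")),     # differs only by case: not the same
        addr("dns-v6", ip("2001:db8::10")),       # IPv6 only: excluded from comparison
        addr("dns-v6-b", ip("2001:db8::20")),
        addr("lan", ip("10.0.0.0/24")),
        addr("lan-old", ip("10.0.0.0/24")),       # duplicate of lan
        svc("http", 80, "HTTP", 1800),
        svc("http-dup", 80, "web", 600),          # same port; app/timeout ignored
    ]
    references = [("policy rule 1", "address", "lan"),
                  ("policy rule 1", "service", "http")]
    return objects, references


if __name__ == "__main__":
    report, same = redundant_object_check(*sample_inventory())
    for kind, row in report.items():
        print(f"{kind}: total={row['total']} unreferenced={row['unreferenced']} "
              f"same={row['same']}")
    print(same)
```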

VPN

IPSec is a widely used protocol suite for establishing VPN tunnels. IPSec is not a single protocol
but a suite of protocols for securing IP communications. It includes Authentication Header
(AH), Encapsulating Security Payload (ESP), Internet Key Exchange (IKE) and a number of
authentication methods and encryption algorithms. The IPSec protocol defines how to choose the
security protocols and algorithms, as well as the method of exchanging security keys among
communication peers, offering the upper-layer protocols network security services including
access control, data source authentication, data encryption, etc.

• Authentication Header (AH): AH is a member of the IPsec protocol suite. AH guarantees
connectionless integrity and data source verification of IP packets, and furthermore protects
against replay attacks. AH can provide sufficient authentication for IP headers and upper-layer
protocols.

• Encapsulating Security Payload (ESP): ESP is a member of the IPsec protocol suite. ESP
provides encryption for confidential data and implements integrity checks of IPsec ESP data in
order to guarantee confidentiality and integrity. Both ESP and AH can provide the confidentiality
(encryption) service, and the key difference between them is the coverage.

• Internet Key Exchange (IKE): IKE is used to negotiate the AH and ESP cryptographic algorithms
and to put the keys the algorithms need in place.

IPsec provides encrypted communication between two peers, which are known as IPsec ISAKMP
gateways. There are two ways to set up an SA: manually or through IKE ISAKMP. HSM supports
only IKE ISAKMP. HSM does not support shared IPSec VPN.

Creating IPSec VPN

The IPSec VPN configuration page consists of four tabs: IKE VPN List, VPN Peer List,
P1 Proposal and P2 Proposal. Take the following steps:

1. Click Configuration > Device Configuration to enter the device configuration page.

2. Select the device you want to change.

3. Select VPN > IPSec VPN in the Objects navigation pane. The main window then displays
the related information about IPSec VPN and the toolbar.

4. Click New in the IKE VPN List and the IKE VPN Configuration dialog box pops up.

In the IKE VPN Configuration tab, configure the corresponding options.

Peer Name: Specifies the name of the ISAKMP gateway. To edit an ISAKMP gateway, click Edit.

Information: Shows the information of the selected peer.

Name: Type a name for the tunnel.

Mode: Specifies the mode: tunnel mode or transport mode.

P2 Proposal: Specifies the P2 proposal for the tunnel.

Proxy ID: Specifies the Phase 2 ID for the tunnel, which can be Auto or Manual.
  • Auto - The Phase 2 ID is designated automatically.
  • Manual - The Phase 2 ID is designated manually. Manual configuration of the P2 ID includes
    the following options:
    • Local IP/Netmask - Specifies the local ID of Phase 2.
    • Remote IP/Netmask - Specifies the Phase 2 ID of the peer device.
    • Service - Specifies the service.

DNS1/2: Specifies the IP address of the DNS server allocated to the client by the PnPVPN server.
You can define one primary DNS server and one backup DNS server.

WINS1/2: Specifies the IP address of the WINS server allocated to the client by the PnPVPN
server. You can define one primary WINS server and one backup WINS server.

Enable Idle Time: Select the Enable check box to enable the idle time function. By default, this
function is disabled. This time length is the longest time the tunnel can exist without traffic
passing through. When the time is over, the SA is cleared.

DF-Bit: Select the check box to allow the forwarding device to execute IP packet fragmentation.
The options are:
  • Copy - Copies the DF option of the IP packet from the sender directly. This is the default
    value.
  • Clear - Allows the device to execute packet fragmentation.
  • Set - Disallows the device from executing packet fragmentation.

Anti-Replay: Anti-replay prevents attackers from replaying sniffed packets against the device,
i.e., the receiver rejects obsolete or repeated packets. By default, this function is disabled.
  • Disabled - Disables this function.
  • 32 - Specifies the anti-replay window as 32.
  • 64 - Specifies the anti-replay window as 64.
  • 128 - Specifies the anti-replay window as 128.
  • 256 - Specifies the anti-replay window as 256.
  • 512 - Specifies the anti-replay window as 512.

Commit Bit: Select the Enable check box to make the corresponding party configure the commit bit
function, which can avoid packet loss and time difference. However, the commit bit may slow the
response speed.

Accept-all-proxy-ID: This function is disabled by default. With this function enabled, the device
working as the initiator uses the peer's ID as its Phase 2 ID in the IKE negotiation, and returns
the ID to its peer.

Auto Connect: Select the Enable check box to enable the auto connection function. By default,
this function is disabled. The device has two methods of establishing an SA: auto and
traffic-triggered. In auto mode, the device checks the SA status every 60 seconds and initiates a
negotiation request when the SA is not established; in traffic-triggered mode, the tunnel sends a
negotiation request only when there is traffic passing through the tunnel. By default,
traffic-triggered mode is used. Note: Auto connection works only when the peer IP is static and
the local device is the initiator.

Tunnel Route: This item can only be modified after the IKE VPN is created. Click Choose to add
one or more tunnel routes in the Tunnel Route Configuration dialog that appears. You can add up
to 128 tunnel routes.

Description: Type the description for the tunnel.

VPN Track: Select the Enable check box to enable the VPN track function. The device can monitor
the connectivity status of the specified VPN tunnel, and also allows backup or load sharing
between two or more VPN tunnels. This function is applicable to both route-based and policy-based
VPNs. The options are:
  • Track Interval - Specifies the interval for sending Ping packets. The unit is seconds.
  • Threshold - Specifies the threshold for determining track failure. If the system does not
    receive the specified number of continuous response packets, it identifies a track failure,
    i.e., the target tunnel is disconnected.
  • Src Address - Specifies the source IP address from which Ping packets are sent.
  • Dst Address - Specifies the IP address of the tracked object.
  • Notify Track Event - Select the Enable check box to enable the VPN tunnel status
    notification function. With this function enabled, for route-based VPN the system informs
    the routing module about the disconnected VPN tunnel and updates the tunnel route once it
    detects any VPN tunnel disconnection; for policy-based VPN the system informs the policy
    module about the disconnected VPN tunnel and updates the tunnel policy once it detects any
    VPN tunnel disconnection.

5. In the VPN Peer List tab, click New and the VPN Peer Configuration dialog box pops up.

In the VPN Peer Configuration tab, configure the corresponding options.

Name: Specifies the name of the ISAKMP gateway.

Interface: Specifies the interface bound to the ISAKMP gateway.

Mode: Specifies the mode of IKE negotiation. There are two IKE negotiation modes: Main and
Aggressive. Main mode is the default mode. Aggressive mode cannot protect identity. You have no
choice but to use aggressive mode when the IP address of the center device is static and the IP
address of the client device is dynamic.

Type: Specifies the type of the peer IP. If the peer IP is static, type the IP address into the
Peer IP box; if the peer IP type is user group, select the AAA server you need from the AAA
Server drop-down list.

Local ID: Specifies the local ID. The system supports five types of ID: FQDN, U-FQDN, Asn1dn
(only for license), KEY-ID and IP. Select the ID type you want, and then type the content of this
ID into the Local ID box or the Local IP box.

Peer ID: Specifies the peer ID. The system supports five types of ID: FQDN, U-FQDN, Asn1dn (only
for license), KEY-ID and IP. Select the ID type you want, and then type the content of this ID
into the Peer ID box or the Peer IP box.

Proposal1/2/3/4: Specifies a P1 proposal for the ISAKMP gateway. Select the suitable P1 proposal
from the Proposal1 drop-down list. You can define up to four P1 proposals for an ISAKMP gateway.

Pre-shared Key: If you choose to authenticate with a pre-shared key, type the key into the box.

Trust Domain: If you choose to use RSA signature or DSA signature, select a trust domain.

User Key: Click Generate. In the Generate the User Key dialog, type the IKE ID into the IKE ID
box, and then click Generate. The generated user key is displayed in the Generate Result box.
The PnPVPN client uses this key as the password to authenticate the login users.

Connection Type: Specifies the connection type for the ISAKMP gateway.
  • Bidirection - Specifies that the ISAKMP gateway serves as both the initiator and the
    responder. This is the default value.
  • Initiator - Specifies that the ISAKMP gateway serves only as the initiator.
  • Responder - Specifies that the ISAKMP gateway serves only as the responder.

NAT Traversal: This option must be enabled when there is a NAT device in the IPSec or IKE tunnel
and the device implements NAT. By default, this function is disabled.

Any Peer ID: Makes the ISAKMP gateway accept any peer ID without checking peer IDs.

Generate Route: Select the Enable check box to enable the auto routing function. By default,
this function is disabled. This function allows the device to automatically add routing entries
from the center device to the branch, avoiding the problems caused by manually configured routing.

DPD: Select the Enable check box to enable the DPD (Dead Peer Detection) function. By default,
this function is disabled. When the responder does not receive the peer's packets for a long
period, it can enable DPD and initiate a DPD request to the peer to test whether the ISAKMP
gateway still exists.
  • DPD Interval - The interval for sending DPD requests to the peer. The value range is 1 to 10
    seconds. The default value is 10 seconds.
  • DPD Retries - The number of times DPD requests are sent to the peer. The device keeps sending
    discovery requests to the peer until it reaches the specified number of DPD retries. If the
    device receives no response from the peer after the retries, it determines that the peer
    ISAKMP gateway is down. The value range is 1 to 10 times. The default value is 3.

Description: Type the description for the ISAKMP gateway.

XAUTH: Select Enable to enable the XAUTH server on the device. Then select an address pool from
the drop-down list. After enabling the XAUTH server, the device can verify the users that try to
access the IPSec VPN network by integrating the configured AAA server.

6. In the P1 Proposal List tab, click New and the Phase1 Proposal Configuration dialog box
pops up.

In the Phase1 Proposal Configuration tab, configure the corresponding options.

Proposal Name: Specifies the name of the Phase1 proposal.

Authentication: Specifies the IKE identity authentication method. IKE identity authentication is
used to verify the identities of both communication parties. There are three methods for
authenticating identity: pre-shared key, RSA signature and DSA signature. The default value is
pre-shared key. For the pre-shared key method, the key is used to generate a secret key, and the
keys of both parties must be the same so that they generate the same secret keys.

Hash: Specifies the authentication algorithm for Phase1. Select the algorithm you want to use.
  • MD5 - Uses MD5 as the authentication algorithm. Its hash value is 128-bit.
  • SHA - Uses SHA as the authentication algorithm. Its hash value is 160-bit. This is the
    default hash algorithm.
  • SHA-256 - Uses SHA-256 as the authentication algorithm. Its hash value is 256-bit.
  • SHA-384 - Uses SHA-384 as the authentication algorithm. Its hash value is 384-bit.
  • SHA-512 - Uses SHA-512 as the authentication algorithm. Its hash value is 512-bit.

Encryption: Specifies the encryption algorithm for Phase1.
  • 3DES - Uses 3DES as the encryption algorithm. The key length is 192-bit. This is the default
    encryption algorithm.
  • DES - Uses DES as the encryption algorithm. The key length is 64-bit.
  • AES - Uses AES as the encryption algorithm. The key length is 128-bit.
  • AES-192 - Uses 192-bit AES as the encryption algorithm. The key length is 192-bit.
  • AES-256 - Uses 256-bit AES as the encryption algorithm. The key length is 256-bit.

DH Group: Specifies the DH group for the Phase1 proposal.
  • Group1 - Uses Group1 as the DH group. The key length is 768-bit.
  • Group2 - Uses Group2 as the DH group. The key length is 1024-bit. Group2 is the default
    value.
  • Group5 - Uses Group5 as the DH group. The key length is 1536-bit.
  • Group14 - Uses Group14 as the DH group. The key length is 2048-bit.
  • Group15 - Uses Group15 as the DH group. The key length is 3072-bit.
  • Group16 - Uses Group16 as the DH group. The key length is 4096-bit.

Lifetime: Specifies the lifetime of the Phase1 SA. The value range is 300 to 86400 seconds. The
default value is 86400. Type the lifetime value into the Lifetime box. When the SA lifetime runs
out, the device sends a P1 SA delete message to its peer, notifying it that the P1 SA has expired
and a new SA negotiation is required.

7. In the P2 Proposal List tab, click New and the Phase2 Proposal Configuration dialog box
pops up.

In the Phase2 Proposal Configuration tab, configure the corresponding options.

Proposal Name: Specifies the name of the Phase2 proposal.

Protocol: Specifies the protocol type for Phase2. The options are ESP and AH. The default value
is ESP.

Hash: Specifies the authentication algorithm for Phase2. Select the algorithm you want to use.
  • MD5 - Uses MD5 as the authentication algorithm. Its hash value is 128-bit.
  • SHA - Uses SHA as the authentication algorithm. Its hash value is 160-bit. This is the
    default hash algorithm.
  • SHA-256 - Uses SHA-256 as the authentication algorithm. Its hash value is 256-bit.
  • SHA-384 - Uses SHA-384 as the authentication algorithm. Its hash value is 384-bit.
  • SHA-512 - Uses SHA-512 as the authentication algorithm. Its hash value is 512-bit.
  • Null - No authentication.

Encryption: Specifies the encryption algorithm for Phase2.
  • 3DES - Uses 3DES as the encryption algorithm. The key length is 192-bit. This is the default
    encryption algorithm.
  • DES - Uses DES as the encryption algorithm. The key length is 64-bit.
  • AES - Uses AES as the encryption algorithm. The key length is 128-bit.
  • AES-192 - Uses 192-bit AES as the encryption algorithm. The key length is 192-bit.
  • AES-256 - Uses 256-bit AES as the encryption algorithm. The key length is 256-bit.
  • Null - No encryption.

Compression: Specifies the compression algorithm for Phase2. By default, no compression
algorithm is used.

PFS Group: Specifies the PFS function for Phase2. PFS is used to protect the DH algorithm.
  • No PFS - Disables PFS. This is the default value.
  • Group1 - Uses Group1 as the DH group. The key length is 768-bit.
  • Group2 - Uses Group2 as the DH group. The key length is 1024-bit.
  • Group5 - Uses Group5 as the DH group. The key length is 1536-bit.
  • Group14 - Uses Group14 as the DH group. The key length is 2048-bit.
  • Group15 - Uses Group15 as the DH group. The key length is 3072-bit.
  • Group16 - Uses Group16 as the DH group. The key length is 4096-bit.

Lifetime: You can evaluate the lifetime by two standards: time length and traffic volume. Type
the lifetime length of the P2 proposal into the box. The value range is 180 to 86400 seconds. The
default value is 28800.

Lifesize: Select Enable to enable the traffic-based lifetime of the P2 proposal. By default, this
function is disabled. After selecting Enable, specify the traffic volume of the lifetime. The
value range is 1800 to 4194303 KB. The default value is 1800. Type the traffic volume value into
the box.
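A reviewer of proposals managed through these dialogs usually wants the accepted-but-weak choices flagged next to the outright invalid ones. The following is an added example, not HSM code: it encodes the Phase 1 and Phase 2 option tables above (algorithm names, key sizes, lifetime and lifesize ranges) and reports values the dialog would reject as errors and accepted choices a reviewer should question (DES/3DES, MD5/SHA, DH groups below 2048 bits, Null, No PFS) as warnings; the proposal dict layout and the finding texts are assumptions.

```python
"""Proposal sanity check for the Phase 1 and Phase 2 options listed above.

Added example, not HSM code. The algorithm names, key sizes and value ranges
are the ones given in the tables above; the proposal dict layout and the
wording of the findings are assumptions of this example.
"""
HASH_BITS = {"MD5": 128, "SHA": 160, "SHA-256": 256, "SHA-384": 384, "SHA-512": 512}
ENCRYPTION_BITS = {"3DES": 192, "DES": 64, "AES": 128, "AES-192": 192, "AES-256": 256}
DH_GROUP_BITS = {"Group1": 768, "Group2": 1024, "Group5": 1536,
                 "Group14": 2048, "Group15": 3072, "Group16": 4096}
LIFETIME_RANGE = {1: (300, 86400), 2: (180, 86400)}   # seconds, by phase
LIFESIZE_RANGE = (1800, 4194303)                       # KB, Phase 2 only


def _in_range(value, lo, hi):
    return isinstance(value, int) and lo <= value <= hi


def check_proposal(phase, p):
    """Return (errors, warnings) for a Phase 1 (phase=1) or Phase 2 (phase=2)
    proposal. Errors are values the dialog would not accept; warnings are
    accepted values a reviewer should question."""
    errors, warnings = [], []
    if phase == 2 and p.get("protocol") not in ("ESP", "AH"):
        errors.append(f"unknown Phase 2 protocol {p.get('protocol')!r}")
    hash_alg = p.get("hash")
    if phase == 2 and hash_alg == "Null":            # Null is offered only for Phase 2
        warnings.append("Null hash: tunnel data has no integrity protection")
    elif hash_alg not in HASH_BITS:
        errors.append(f"unknown hash {hash_alg!r}")
    elif HASH_BITS[hash_alg] < 256:
        warnings.append(f"{hash_alg} ({HASH_BITS[hash_alg]}-bit) is weak; "
                        "prefer SHA-256 or stronger")
    enc = p.get("encryption")
    if phase == 2 and enc == "Null":
        warnings.append("Null encryption: tunnel data is not confidential")
    elif enc not in ENCRYPTION_BITS:
        errors.append(f"unknown encryption {enc!r}")
    elif enc in ("DES", "3DES"):
        warnings.append(f"{enc} is obsolete; prefer AES-256")
    group = p.get("dh_group") if phase == 1 else p.get("pfs_group")
    if phase == 2 and group == "No PFS":
        warnings.append("PFS disabled: Phase 2 keys derive from the Phase 1 secret alone")
    elif group not in DH_GROUP_BITS:
        errors.append(f"unknown DH group {group!r}")
    elif DH_GROUP_BITS[group] < 2048:
        warnings.append(f"{group} ({DH_GROUP_BITS[group]}-bit) is too small; "
                        "prefer Group14 or higher")
    lo, hi = LIFETIME_RANGE[phase]
    if not _in_range(p.get("lifetime"), lo, hi):
        errors.append(f"lifetime must be {lo} to {hi} seconds")
    if phase == 2 and p.get("lifesize_enabled"):
        lo, hi = LIFESIZE_RANGE
        if not _in_range(p.get("lifesize"), lo, hi):
            errors.append(f"lifesize must be {lo} to {hi} KB")
    return errors, warnings


# Constructed proposals: the dialog defaults from the tables above, a hardened
# Phase 1 proposal, and a Phase 2 proposal with out-of-range and Null values.
DEFAULT_P1 = {"hash": "SHA", "encryption": "3DES", "dh_group": "Group2", "lifetime": 86400}
HARDENED_P1 = {"hash": "SHA-256", "encryption": "AES-256", "dh_group": "Group14",
               "lifetime": 28800}
BAD_P2 = {"protocol": "ESP", "hash": "Null", "encryption": "Null", "pfs_group": "Group15",
          "lifetime": 100, "lifesize_enabled": True, "lifesize": 5000000}

if __name__ == "__main__":
    for label, phase, prop in (("default P1", 1, DEFAULT_P1),
                               ("hardened P1", 1, HARDENED_P1),
                               ("bad P2", 2, BAD_P2)):
        errors, warnings = check_proposal(phase, prop)
        print(label, "errors:", errors, "warnings:", warnings)
```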

PKI

PKI (Public Key Infrastructure) is a system that provides public key encryption and digital
signature services. PKI is designed to automate secret key and certificate management, and to
assure the confidentiality, integrity and non-repudiation of data transmitted over the Internet.
A PKI certificate binds a public key to the identity of its holder through a trusted third party,
thus authenticating the user over the Internet. A PKI system consists of Public Key Cryptography,
a CA (Certificate Authority), an RA (Registration Authority), Digital Certificates and the
related PKI storage library.
PKI terminology:

• Public Key Cryptography: A technology used to generate a key pair that consists of a public
key and a private key. The public key is widely distributed, while the private key is known
only to the recipient. The two keys in the pair complement each other: data encrypted with one
key can only be decrypted with the other key of the pair.

• CA: A trusted entity that issues digital certificates to individuals, computers or any other
entities. The CA accepts requests for certificates and verifies the information provided by the
applicants based on its certificate management policy. If the information is valid, the CA signs
the certificates with its private key and issues them to the applicants.

• RA: The extension of the CA. The RA forwards certificate requests to the CA, and also forwards
the digital certificates and CRLs issued by the CA to directory servers in order to provide
directory browsing and query services.

• CRL: Each certificate is issued with an expiration date. However, the CA might revoke a
certificate before it expires due to key leakage, business termination or other reasons. Once a
certificate is revoked, the CA issues a CRL to announce that the certificate is invalid, listing
the serial number of the invalid certificate.

Notes: HSM only supports displaying trust domains in PKI.

Viewing the Trust Domain

To view a trust domain in the device configuration page, take the following steps:

1. Click Configuration > Device Configuration to enter the device configuration page.

2. Select the device whose trust domain you want to view.

3. Click PKI > Trust Domain. The main window displays the related information about trust
domains and the toolbar.

4. Select the trust domain you want to view, and click View.

In the Basic tab, view the basic parameters of the trust domain.

Basic

Trust Domain: Enter the name of the new trust domain.

Enrollment Type: Use one of the two following methods:
  • Select Manual Input, click Browse to find the certificate, and click Import to import it into
    the system.
  • Select Self-signed Certificate; the certificate is generated by the device itself.

Key Pair: Select a key pair.

Subject

Name: Enter a name for the subject.

Country (Region): Enter the name of the applicant's country or region. Only a two-letter
abbreviation is allowed, like CN.

Location: Optional. The location of the applicant.

State/Province: Optional. State or province name.

Organization: Optional. Organization name.

Organization unit: Optional. Department name within the applicant's organization.

In the CRL tab, view the CRL parameters.

Certification Revocation List

Check:
  • No Check - The system does not check the CRL. This is the default option.
  • Optional - The system accepts certificates from the peer whether or not a CRL is available.
  • Force - The system only accepts certificates from the peer when a CRL is available.

URL 1-3: The URL address for receiving the CRL. At most 3 URLs are allowed, and their priority is
from 1 to 3.
  • Select http:// if you want to get the CRL via HTTP.
  • Select ldap:// if you want to get the CRL via LDAP.
  • If you use LDAP to receive the CRL, you need to enter the login-DN and password of the LDAP
    server. If no login-DN or password is added, the transmission is anonymous.

Auto Update: Update frequency of the CRL list.

Manual Update: Get the CRL immediately by clicking Obtaining CRL.

User

A user is someone who uses the functions and services provided by the Hillstone device, or who is
authenticated or managed by the device. The authenticated users consist of local users and
external users. Local users are created by administrators; they belong to different local
authentication servers and are stored in the system's configuration files. External users are
stored in external servers, such as an AD server or an LDAP server. The system supports user
groups to facilitate user management. Users belonging to one local authentication server can be
allocated to different user groups, and a single user can belong to different user groups
simultaneously; similarly, user groups belonging to one local authentication server can be
allocated to different user groups, and a single user group can belong to different user groups
simultaneously.

Notes: Only when the managed device is online can you configure the "Password" in the User
Configuration dialog.

Creating a Local User

To create a new local user on HSM, take the following steps:

1. Click Configuration > Device Configuration to enter the device configuration page.

2. In the device navigation pane, select the device on which you want to create the local user,
go to the Objects navigation pane and select User > Local User. The main window shows the local
user list.

3. Click New in the toolbar. The User Configuration dialog appears. Configure the following
options.

Name: Specifies a name for the user.

Password: Specifies a password for the user.

Confirm password: Type the password again to confirm it.

Mobile+country code: Specifies the user's mobile number. When the user logs in to the SCVPN
client, the system sends the verification code to this mobile number.

Description: If needed, type a description for the user.

Group: Adds the user to a selected user group. Click Choose, and in the Choose User Group dialog,
select the user group you want and click Add.

Expiration: Select the Enable check box to enable expiration for the user, and then specify a
date and time. After expiration, the user cannot be authenticated and therefore cannot be used in
the system. By default, expiration is not enabled.

4. Click OK to save the changes and close the dialog.

Click the View link in the user's Referenced By column to view all policy rules, user groups and
iQoS pipes that reference the user. Click the Remove link in the Remove Relationship column of
each tab to release the reference relationship between this user and the corresponding policy
rule, user group or iQoS pipe. Before deleting a user that is referenced by a user group, remove
the reference or delete the user group first.

Creating a User Group


To create a new local user group on HSM, take the following steps:

1. Click Configuration > Device Configuration to enter the device configuration page.

2. In the device navigation pane, select the device on which you want to create the local user
group, go to the Objects navigation pane and select User > Local User. The main window shows the
local user list.

3. Click New > User Group in the toolbar. The User Group Configuration dialog appears.

4. Type the name for the user group into the Name box.

5. Specify members for the user group. Expand User or User Group in the Available list, select a
user or user group and click Add to add it to the Selected list on the right. To remove a
selected user or user group, select it in the Selected list and then click Remove. One user group
can contain multiple users or user groups, but the system only supports up to 5 layers of nested
user groups and does not support loops in nesting, i.e., a user group must not nest the
upper-layer user group it belongs to.

6. Click OK to save the changes and close the dialog.

Importing List
You can import a local user binding list or user password list to HSM; the existing
configurations are updated by the imported configurations. If the imported list contains a user
that does not exist in the system, the user binding rule or user password item is created
automatically. The list file format must be .txt. If the binding type is IP, each line of the
user binding list has the format "AAA server name, user name, IP, virtual router, 0 or 1"; if the
binding type is MAC, the format is "AAA server name, user name, MAC, virtual router, 0". The last
field indicates whether the check login IP for WebAuth user function is enabled: "0" means no,
"1" means yes. Each line of the user password list has the format "local server name, user name,
password".
To import a list on HSM, take the following steps:

1. Click Configuration > Device Configuration to enter the device configuration page.

2. In the device navigation pane, select the device into which you want to import the list, go
to the Objects navigation pane and select User > Local User. The main window shows the local user
list.

3. Click the black triangle to the right of the Import button in the toolbar, and select Import
User Binding List or Import User Password List.

4. Browse the local directory and select the file you want to import.

5. Click Open to import.
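Validating a list file before importing it catches a malformed line before the import updates existing bindings. The following is an added example, not HSM code: it parses the two list formats described above, inferring IP or MAC binding from the third field and enforcing the 0/1 rule for the last field; the sample lines, the server name "local", the accepted MAC spellings and the handling of commas inside passwords are assumptions.

```python
"""Parser and validator for the user binding list and user password list
formats described above.

Added example, not HSM code. The sample lines, the "local" server name, the
accepted MAC spellings (aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff)
and comma handling in passwords are assumptions; the field order and the
0/1 flag rules are the ones stated above.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$",
                    re.IGNORECASE)


def parse_binding_line(line):
    """Parse one line of a user binding list into a dict, raising ValueError
    for anything the import could not apply."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 5:
        raise ValueError(f"expected 5 comma-separated fields, got {len(fields)}")
    server, user, addr, vrouter, flag = fields
    if not (server and user and vrouter):
        raise ValueError("AAA server name, user name and virtual router must not be empty")
    try:
        ipaddress.ip_address(addr)
        btype = "IP"
    except ValueError:
        if not MAC_RE.match(addr):
            raise ValueError(f"{addr!r} is neither an IP address nor a MAC address") from None
        btype = "MAC"
    # The last field is the "check login IP for WebAuth user" switch: 0 or 1
    # for an IP binding, always 0 for a MAC binding.
    allowed = ("0", "1") if btype == "IP" else ("0",)
    if flag not in allowed:
        raise ValueError(f"last field must be one of {allowed} for a {btype} binding, "
                         f"got {flag!r}")
    return {"aaa_server": server, "user": user, "binding": btype, "address": addr,
            "vrouter": vrouter, "check_login_ip": flag == "1"}


def parse_password_line(line):
    """Parse one line of a user password list. Splitting at most twice keeps
    any commas inside the password itself (an assumption of this example)."""
    fields = [f.strip() for f in line.split(",", 2)]
    if len(fields) != 3 or not all(fields):
        raise ValueError("expected: local server name, user name, password")
    server, user, password = fields
    return {"local_server": server, "user": user, "password": password}


def parse_list(text, parse_line):
    """Parse a whole .txt list; return (entries, errors) with 1-based line
    numbers so a bad line is reported before anything is imported."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        try:
            entries.append(parse_line(raw))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return entries, errors


# Constructed sample: two valid lines and three lines the import should reject
# (bad address, MAC binding with flag 1, missing field).
SAMPLE_BINDING_LIST = """\
local, alice, 10.1.2.3, trust-vr, 1
local, bob, 00:11:22:33:44:55, trust-vr, 0
local, carol, 10.1.2.300, trust-vr, 0
local, dave, 00:11:22:33:44:66, trust-vr, 1
local, erin, 10.1.2.4, trust-vr
"""

if __name__ == "__main__":
    entries, errors = parse_list(SAMPLE_BINDING_LIST, parse_binding_line)
    for entry in entries:
        print("ok  ", entry)
    for lineno, msg in errors:
        print(f"line {lineno}: {msg}")
```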

Exporting List
You can export a local user binding list or user password list to your local PC.
To export a list on HSM, take the following steps:

1. Click Configuration > Device Configuration to enter the device configuration page.

2. In the device navigation pane, select the device from which you want to export the list, go
to the Objects navigation pane and select User > Local User. The main window shows the local user
list.

3. Click the black triangle to the right of the Export button in the toolbar, and select Export
User Binding List or Export User Password List.

4. Click OK in the prompt dialog and select the location to export to.

5. Click Save to export.

Creating a LDAP User

You can synchronize users in a LDAP server to the Hillstone device. To synchronize users from a
LDAP user, firstly, you need to configure a LDAP server. To configure a LDAP server, see
"AAA Server" on Page 386.
To synchronize users on HSM, take the following steps:



1. Click Configuration > Device Configuration to enter the device configuration page.

2. In the device navigation pane, select the device you want to synchronize users, go to the
Objects navigation pane and select User > LDAP User. The main window shows the LDAP
user list.

3. Select a server from the LDAP Server drop-down list, and click Sync User from the toolbar.

Importing Binding
You can import an LDAP user binding list to HSM. The list file format must be .txt.
To import list on HSM, take the following steps:

1. Click Configuration > Device Configuration to enter the device configuration page.

2. In the device navigation pane, select the device you want to import list, go to the Objects
navigation pane and select User > LDAP User. The main window shows the LDAP user
list.

3. Click the Import Binding button from the toolbar.

4. Browse the local directory and select the file you want to import.

5. Click Open to import.

Exporting Binding
You can export an LDAP user binding list to your local PC.
To export list on HSM, take the following steps:

1. Click Configuration > Device Configuration to enter the device configuration page.

2. In the device navigation pane, select the device you want to export list, go to the Objects
navigation pane and select User > LDAP User. The main window shows the LDAP user
list.

3. Click the Export Binding button from the toolbar.



4. Click OK in the prompt dialog and select the location you want to export.

5. Click Save to export.

Creating an Active Directory User

You can synchronize users from an Active Directory server to the Hillstone device. Before you synchronize
users, you need to configure an Active Directory server. To configure an Active Directory server, see
"AAA Server" on Page 386.
To synchronize users on HSM, take the following steps:

1. Click Configuration > Device Configuration to enter the device configuration page.

2. In the device navigation pane, select the device you want to synchronize users, go to the
Objects navigation pane and select User > Active Directory User. The main window shows
the Active Directory user list.

3. Select a server from the Active Directory Server drop-down list, and click Sync User from
the toolbar.

Importing Binding
You can import an Active Directory user binding list to HSM. The list file format must be .txt.
To import list on HSM, take the following steps:

1. Click Configuration > Device Configuration to enter the device configuration page.

2. In the device navigation pane, select the device you want to import list, go to the Objects
navigation pane and select User > Active Directory User. The main window shows the Act-
ive Directory user list.

3. Click the Import Binding button from the toolbar.

4. Browse the local directory and select the file you want to import.

5. Click Open to import.

Exporting Binding



You can export an Active Directory user binding list to your local PC.
To export list on HSM, take the following steps:

1. Click Configuration > Device Configuration to enter the device configuration page.

2. In the device navigation pane, select the device you want to export list, go to the Objects
navigation pane and select User > Active Directory User. The main window shows the Act-
ive Directory user list.

3. Click the Export Binding button from the toolbar.

4. Click OK in the prompt dialog and select the location you want to export.

5. Click Save to export.

Creating User Binding

To bind an IP or MAC address to a user, take the following steps:

1. Click Configuration > Device Configuration to enter the device configuration page.

2. In the device navigation pane, select the device you want to add user binding, go to the
Objects navigation pane and select User > User Binding.

3. Click Add User Binding from the toolbar. The IP MAC Binding dialog appears.

Option: Description

AAA Server: Select an AAA server from the drop-down list.

User: Select a user for the binding from the drop-down list.

Binding Type: By specifying the binding type, you can bind the user to an IPv4/IPv6 address or to a MAC
address. Within a virtual router, the same IP or MAC address can be bound to only one user. One user can
bind multiple MAC addresses.

- IP: If IP is selected, type the IP address into the IP text box and select a VR from the Virtual Router
  drop-down list. Select the Check WebAuth IP-User Mapping Relationship check box if the binding should
  be used to check the login IP of the user during Web authentication. When the check box is checked, an
  AAA user can only bind one IP address.

- MAC: If MAC is selected, type the MAC address into the MAC text box and select a VR from the Virtual
  Router drop-down list.

4. Click OK to save the changes and close the dialog.

Importing List
You can import a user binding list to HSM.
To import list on HSM, take the following steps:



1. Click Configuration > Device Configuration to enter the device configuration page.

2. In the device navigation pane, select the device you want to import list, go to the Objects
navigation pane and select User > User Binding.

3. Click the Import Binding button from the toolbar.

4. Browse the local directory and select the file you want to import.

5. Click Open to import.
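The import accepts the .txt list as a whole, so it pays to check the file before uploading it. The following validator is an added example, not part of the guide or of HSM; it parses the line format given at the start of this section and enforces the rules stated in the IP MAC Binding dialog (one user per address per virtual router, a MAC binding always ends with 0, and a user whose WebAuth IP check flag is 1 may bind only one IP). The sample list, the server names and the virtual router name are constructed; which MAC notations the real importer accepts is an assumption.

```python
"""Pre-import validator for a StoneOS/HSM user binding list (.txt).

Each non-empty line: "AAA server name, user name, IP-or-MAC, virtual router, 0 or 1".
Checks the per-line format plus the binding rules stated in the guide:
  * the last field is 0 or 1, and always 0 for a MAC binding;
  * within one virtual router an IP or MAC address belongs to at most one user;
  * an AAA user whose WebAuth IP check flag is 1 may bind only one IP address.
"""
import ipaddress
import re
from collections import defaultdict

# Assumption: the importer accepts colon-, dash- and dot-separated MAC notations.
_MAC_RE = re.compile(
    r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$", re.I
)


def _normalize_mac(mac):
    """Canonical form so 00-11-22-33-44-55 and 0011.2233.4455 compare equal."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_binding_line(line, lineno):
    """Return (server, user, kind, address, vr, flag); raise ValueError on a bad line."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 5:
        raise ValueError(f"line {lineno}: expected 5 comma-separated fields, got {len(fields)}")
    server, user, addr, vr, flag = fields
    if not (server and user and vr):
        raise ValueError(f"line {lineno}: server, user and virtual router must not be empty")
    if flag not in ("0", "1"):
        raise ValueError(f"line {lineno}: last field must be 0 or 1, got {flag!r}")
    if _MAC_RE.match(addr):
        if flag != "0":
            raise ValueError(f"line {lineno}: a MAC binding must end with 0")
        return server, user, "mac", _normalize_mac(addr), vr, 0
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        raise ValueError(f"line {lineno}: {addr!r} is neither an IP nor a MAC address") from None
    return server, user, "ip", str(ip), vr, int(flag)


def validate_binding_list(text):
    """Parse every line of the list; return (accepted_entries, error_messages)."""
    accepted, errors = [], []
    owner = {}                       # (vr, kind, address) -> (server, user)
    ips_per_user = defaultdict(set)  # (server, user) -> {ip, ...}
    webauth_checked = set()          # users with at least one flag-1 IP binding
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        try:
            entry = parse_binding_line(raw, lineno)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        server, user, kind, addr, vr, flag = entry
        key = (vr, kind, addr)
        if key in owner:
            errors.append(f"line {lineno}: {addr} in VR {vr} is already bound to {owner[key][1]}")
            continue
        owner[key] = (server, user)
        if kind == "ip":
            ips_per_user[(server, user)].add(addr)
            if flag == 1:
                webauth_checked.add((server, user))
        accepted.append(entry)
    # Second pass: a user with the WebAuth IP check enabled may have only one IP.
    for who in sorted(webauth_checked):
        if len(ips_per_user[who]) > 1:
            errors.append(f"user {who[1]}@{who[0]}: WebAuth IP check enabled but "
                          f"{len(ips_per_user[who])} IP addresses bound")
            accepted = [e for e in accepted if not (e[2] == "ip" and (e[0], e[1]) == who)]
    return accepted, errors


# Constructed sample list (not from the guide); lines 3, 6, 7, 8 and 9 are deliberately bad.
SAMPLE_LIST = """\
local-srv, alice, 10.1.2.10, trust-vr, 1
local-srv, bob, 10.1.2.11, trust-vr, 0
local-srv, carol, 10.1.2.11, trust-vr, 0
ad-srv, dave, 00:11:22:33:44:55, trust-vr, 0
ad-srv, dave, 0011.2233.4466, trust-vr, 0
ad-srv, erin, 00-11-22-33-44-55, trust-vr, 0
ad-srv, frank, 00:11:22:33:44:77, trust-vr, 1
local-srv, grace, 10.1.2.300, trust-vr, 0
local-srv, alice, 10.1.2.12, trust-vr, 1
"""

if __name__ == "__main__":
    ok, problems = validate_binding_list(SAMPLE_LIST)
    print(f"{len(ok)} bindings accepted, {len(problems)} rejected")
    for p in problems:
        print("  -", p)
```

Run it against the real export before re-importing a modified list; the second pass exists because the one-IP rule for WebAuth-checked users can only be judged once the whole file has been read.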

Exporting List
You can export a user binding list to your local PC.
To export list on HSM, take the following steps:

1. Click Configuration > Device Configuration to enter the device configuration page.

2. In the device navigation pane, select the device you want to export list, go to the Objects
navigation pane and select User > User Binding.

3. Click the Export Binding button from the toolbar.

4. Click OK in the prompt dialog and select the location you want to export.

5. Click Save to export.

Searching for User Binding Items


In the upper right corner of the toolbar, you can select an AAA server type and enter an IP address or MAC
address to filter the user binding items.

Role

Roles are designed with certain privileges. For example, a specific role can gain access to specified network
resources, or make exclusive use of some bandwidth. In StoneOS, users and privileges are not directly
associated; they are associated through roles.
The mappings between roles and users are defined by role mapping rules. In function configurations,
different roles are assigned different services, so the mapped users gain the corresponding services.
The system supports role combination, i.e., the AND, NOT or OR operation on roles. If a role is used by
different modules, the user will be mapped to the result role generated by the specified operation.

Creating a Role

To create a role on HSM, take the following steps:

1. Click Configuration > Device Configuration to enter the device configuration page.

2. In the device navigation pane, select the device you want to create role, go to the Objects
navigation pane and select Role > Role. The main window shows the role list.

3. Click New from the toolbar. The Role Configuration dialog appears.

Option Description

Type Specifies the type for new role, including private and
shared.

Role Name Type the role name into the Role Name box.

Description Type the description for the role into the Description
box.

4. Click OK to save the changes and close the dialog.


The created role will be displayed in the role list. You can click the Edit or Delete button on the toolbar to
edit or delete roles. Click Convert to Shared to convert a private role into a shared role. In the search box at
the upper right corner of the toolbar, enter an appropriate keyword of the name to search for the role. Click
the View link in the role's Reference By column to view all policy rules, role mapping rules and role
combinations that reference the role. Click the Remove link in the Remove Relationship column of each tab
to release the reference relationship between this role and the corresponding policy rule or role mapping rule.
Before deleting a role that has been referenced by a role mapping rule, remove the reference or delete the role
mapping rule first.

Associating to Existing Mapping Rule


You can associate the role with the user, user group, certificate name, or organization unit of the
existing mapping rule.
To associate the role on HSM, take the following steps:

1. Click Configuration > Device Configuration to enter the device configuration page.

2. In the device navigation pane, select the device you want to associate the role, go to the
Objects navigation pane and select Role > Role. The main window shows the role list.

3. Select a role, and click Mapping To from the toolbar. The Mapping To dialog appears.

Select a role mapping rule from the first drop-down list, and then select a user, user group,
certificate name (the CN field of USB Key certificate) or organization unit (the OU field
of USB Key certificate) from the second drop-down list. If User, User group, CN or OU
is selected, also select or enter the corresponding user name, user group name, CN or OU
into the box behind.

4. Click Add to add to the role mapping list.



5. If needed, repeat Step 3 and Step 4 to add more mappings. To delete a role mapping, select
the role mapping you want to delete from the mapping list, and click Delete.

6. Click OK to save the changes and close the dialog.

Creating a Role Mapping Rule

You can associate the role with the user, user group, certificate name, or organization unit. Up to 64 role
mapping rules can be configured, and up to 256 mapping items can be added to each role mapping rule.
To create a role mapping rule on HSM, take the following steps:

1. Click Configuration > Device Configuration to enter the device configuration page.

2. In the device navigation pane, select the device you want, go to the Objects navigation pane
and select Role > Role Mapping. The main window shows the role mapping rule list.

3. Click New from the toolbar. The Role Mapping Configuration dialog appears.

Type : Specifies the type for new role mapping rule, including private and shared.
Mapping Name : Type the name for the role mapping rule.
In the Member section, select a role from the first drop-down list, and then select a user, user group,
certificate name (the CN field of the USB Key certificate) or organization unit (the OU field of the USB
Key certificate) from the second drop-down list. If User, User group, CN or OU is selected, also select or
enter the corresponding user name, user group name, CN or OU into the box behind.

4. Click Add to add to the role mapping list.

5. If needed, repeat Step 3 and Step 4 to add more mappings. To delete a role mapping, select
the role mapping you want to delete from the mapping list, and click Delete.

6. Click OK to save the changes and close the dialog.


You can click the Edit or Delete button on the toolbar to edit or delete role mapping rules. In the search
box at the upper right corner of the toolbar, enter an appropriate keyword of the name to search for the role
mapping rules. Click the View link in the role mapping rule's Reference By column to view all AAA servers
that reference the rule. Click the Remove link in the Remove Relationship column of each tab to release the
reference relationship between this rule and the corresponding AAA server. Before deleting a role mapping
rule that has been referenced by an AAA server, remove the reference or delete the AAA server first.

Creating a Role Combination

Different roles can be grouped together logically to form a new role.


To create a role combination on HSM, take the following steps:

1. Click Configuration > Device Configuration to enter the device configuration page.

2. In the device navigation pane, select the device you want, go to the Objects navigation pane
and select Role> Role Combination. The main window shows the role combination list.



3. Click New from the toolbar. The Role Combination Configuration dialog appears.

Option: Description

Type: Specifies the type for the new role combination, including private and shared.

First Prefix: Specifies a prefix for the first role in the role expression.

First Role: Select a role name from the First Role drop-down list to specify the first role in the role
expression.

Operator: Specifies an operator for the role expression.

Second Prefix: Specifies a prefix for the second role in the role expression.

Second Role: Select a role name from the Second Role drop-down list to specify the second role in the role
expression.

Result Role: Select a role name from the Result Role drop-down list to specify the result role of the role
expression.

4. Click OK to save the changes and close the dialog.


You can click the Delete button on the toolbar to delete role combinations. Click Convert to Shared to
convert a private role combination into a shared one. In the search box at the upper right corner of the
toolbar, enter an appropriate keyword of the name to search for the role combination.
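A role combination is a small boolean expression, and the part that bites in practice is the NOT prefix: a user who was never mapped to any role still satisfies "NOT some-role". The evaluator below is an added example, not code from the guide or from StoneOS. It assumes that the only prefix is NOT (the guide names AND, NOT and OR as the supported operations) and that an expression is evaluated against the roles the user received from role mapping rules; the combinations and user role sets are constructed.

```python
"""Evaluate a StoneOS-style role combination for a user.

A combination reads: [NOT] first_role  AND|OR  [NOT] second_role  ->  result_role
Assumptions (the guide names the fields but not their values): the only prefix
is NOT, and the expression is evaluated against the roles the user received
from role mapping rules.
"""

NOT, AND, OR = "NOT", "AND", "OR"


def evaluate_combination(user_roles, combo):
    """Return the result role if the user's roles satisfy the combination, else None."""
    first_prefix, first, op, second_prefix, second, result = combo
    a = (first in user_roles) != (first_prefix == NOT)     # membership XOR NOT prefix
    b = (second in user_roles) != (second_prefix == NOT)
    if op == AND:
        ok = a and b
    elif op == OR:
        ok = a or b
    else:
        raise ValueError(f"unknown operator {op!r}")
    return result if ok else None


def resolve_roles(mapped_roles, combinations):
    """Roles a user ends up with: the mapped roles plus every result role whose combination holds."""
    roles = set(mapped_roles)
    for combo in combinations:
        result = evaluate_combination(mapped_roles, combo)
        if result:
            roles.add(result)
    return roles


# Constructed combinations (not from the guide).
COMBINATIONS = [
    ("",  "staff",      AND, NOT, "contractor", "internal-full"),  # staff who are not contractors
    (NOT, "quarantine", OR,  "",  "admin",      "net-access"),     # anyone not quarantined, or admins
]

if __name__ == "__main__":
    for name, mapped in [("alice", {"staff"}),
                         ("bob", {"staff", "contractor"}),
                         ("mallory", {"quarantine"}),
                         ("nobody", set())]:
        print(name, sorted(resolve_roles(mapped, COMBINATIONS)))
```

Note the last case: a user with no mapped roles at all receives net-access, because "NOT quarantine" is true for them. When a combination starts with NOT, make sure the roles being negated are assigned by a rule that every relevant user actually passes through.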

AAA Server

An AAA server is a server program that handles user requests for access to computer resources
and, for an enterprise, provides authentication, authorization, and accounting (AAA) services. The
AAA server typically interacts with network access and gateway servers and with databases and dir-
ectories containing user information.
In the system, authentication supports the following five types of AAA server:

- Local server: the local server is the firewall itself. The firewall stores the user identity information
  and handles the requests. Local server authentication is fast and cheap, but its storage space is limited
  by the firewall hardware.

- External servers:

  - Radius server

  - LDAP server

  - Active Directory server (AD server)

  - TACACS+ server



Notes: You can configure the "Password" in the Radius Server Configuration/Active Directory Server
Configuration/LDAP Server Configuration/TACACS+ Server Configuration dialog only when the managed
device is online.

Creating a Local Server

To create a local server on HSM, take the following steps:

1. Click Configuration > Device Configuration to enter the device configuration page.

2. In the device navigation pane, select the device you want, go to the Objects navigation pane
and select AAA Server.

3. Click New from the toolbar. The Local Server Configuration dialog appears.

Option: Description

Type: Specifies the type for the new local server, including private and shared.

Server Name: Type the name for the new server into the text box.

Role Mapping Rule: Specifies a role mapping rule for the server. With this option selected, the system will
allocate a role to users who have been authenticated by the server according to the specified role mapping
rule.

Change Password: If needed, select the Enable checkbox. With this function enabled, the system allows users
to change their own passwords after successful WebAuth or SCVPN authentication.

Backup Authentication Server: To configure a backup authentication server, select a server from the
drop-down list. After a backup authentication server is configured for the local server, the backup
authentication server takes over the authentication task when the primary server malfunctions or
authentication fails on the primary server. The backup authentication server can be any existing local,
Active Directory, RADIUS or LDAP server defined in the system. Because failover also happens when the
primary server rejects the credentials, a user is effectively accepted if either server accepts them.

4. Click OK to save the changes and close the dialog.


You can click the Delete button on the toolbar to delete servers. Click Convert to Shared to convert a
private local server into a shared one. In the search box at the upper right corner of the toolbar, enter an
appropriate keyword of the name to search for the local server; Fuzzy or Accurate can be selected in the
search drop-down menu.

Click the View link in the AAA server's Reference By column to view all objects that reference the
AAA server. Click the Remove link in Remove Relationship column of each tab to release the ref-
erence relationship between this AAA server and the corresponding object.

Creating a Radius Server

To create a Radius server on HSM, take the following steps:



1. Click Configuration > Device Configuration to enter the device configuration page.

2. In the device navigation pane, select the device you want, go to the Objects navigation pane
and select AAA Server.

3. Click the black triangle to the right of the New button from the toolbar, and select Radius
Server. The Radius Server Configuration dialog appears.

Basic Configuration

Type: Specifies the type for the new Radius server, including private and shared.

Server Name: Specifies a name for the Radius server.

Server Address: Specifies an IP address or domain name for the Radius server.

Virtual Router: Specifies a VR for the Radius server.

Port: Specifies the authentication port of the Radius server. The value range is 1024 to 65535. The default
value is 1812.

Password: Specifies the shared secret for the Radius server. You can specify at most 31 characters. The
secret must match the one configured for this device on the Radius server; RADIUS uses it both to hide the
User-Password attribute in requests and to authenticate the server's replies, so choose a long random value
and do not reuse it across devices.

Optional

Role Mapping Rule: Specifies a role mapping rule for the server. With this option selected, the system will
allocate a role to users who have been authenticated by the server according to the specified role mapping
rule.

Backup server 1/Backup server 2: Specifies an IP address or domain name for backup server 1 or backup
server 2.

Virtual Router1/Virtual Router2: Specifies a VR for the backup server.

Retries: Specifies how many times an authentication packet is retransmitted to the AAA server. The value
range is 1 to 10. The default value is 3.

Timeout: Specifies a timeout for the server response. The value range is 1 to 30 seconds. The default value
is 3.

Backup Auth Server: Specifies a backup authentication server. After a backup authentication server is
configured for the Radius server, the backup authentication server takes over the authentication task when
the primary server malfunctions or authentication fails on the primary server. The backup authentication
server can be any existing local, Active Directory, RADIUS or LDAP server defined in the system.

Enable Account: Select the Enable Account checkbox to enable accounting for the Radius server, and then
configure the options in the area that slides out.

  Server Address: Specifies an IP address or domain name for the accounting server.

  Virtual Router: Specifies a VR for the accounting server.

  Port: Specifies a port number for the accounting server. The value range is 1024 to 65535. The default
  value is 1813.

  Secret: Specifies the shared secret for the accounting server.

  Backup server 1/Backup server 2: Specifies an IP address or domain name for backup server 1 or backup
  server 2.

  Virtual Router1/Virtual Router2: Specifies a VR for the backup server.
4. Click OK to save the changes and close the dialog.


You can click the Delete button on the toolbar to delete servers. Click Convert to Shared to convert a
private Radius server into a shared one. In the search box at the upper right corner of the toolbar, enter an
appropriate keyword of the name to search for the Radius server; Fuzzy or Accurate can be selected in the
search drop-down menu.
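The shared secret entered as Password above does two jobs in RADIUS (RFC 2865): it hides the User-Password attribute in the Access-Request, and it goes into the Response Authenticator that the device checks on every reply. The following added example, which is not code from the guide or from Hillstone, runs both sides of a PAP Access-Request/Access-Accept exchange in-process to show this; the user database, the secrets, the packet identifier and the NAS IP are constructed. It also shows what a secret mismatch looks like from the device side: the reply fails verification rather than being trusted.

```python
"""RADIUS PAP exchange (RFC 2865) between a NAS (the firewall) and a RADIUS server.

Shows what the shared secret configured as "Password" is used for: hiding the
User-Password attribute and authenticating the server's reply. Both sides run
in-process here, with constructed users and secrets.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(atype, value):
    """Attribute = Type (1 byte) + Length (1 byte, includes the header) + Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _packet(code, ident, authenticator, attrs_bytes):
    """Packet = Code + Identifier + Length (header 20 bytes) + Authenticator + attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs_bytes)) + authenticator + attrs_bytes


def encode_user_password(secret, request_auth, password):
    """RFC 2865 5.2: c1 = p1 XOR MD5(S + RA), c_i = p_i XOR MD5(S + c_{i-1})."""
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)          # pad with NULs to a multiple of 16 octets
    out, prev = b"", request_auth
    for i in range(0, len(p), 16):
        stream = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(p[i:i + 16], stream))
        out += prev
    return out


def decode_user_password(secret, request_auth, encoded):
    """Server side: same keystream, chained on the received ciphertext blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, stream))
        prev = block
    return out.rstrip(b"\x00").decode(errors="replace")


def response_authenticator(secret, code, ident, request_auth, attrs_bytes):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def build_access_request(secret, ident, username, password, nas_ip):
    """NAS side; returns the packet and the random Request Authenticator it must remember."""
    request_auth = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encode_user_password(secret, request_auth, password))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return _packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def parse_attrs(packet):
    """Walk the TLV attribute list after the 20-byte header."""
    attrs, i = {}, 20
    while i + 2 <= len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        attrs[atype] = packet[i + 2:i + alen]
        i += alen
    return attrs


def server_handle(secret, users, packet):
    """Server side: recover the password, decide, and sign the reply with the shared secret."""
    _code, ident, _length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attrs(packet)
    user = attrs[ATTR_USER_NAME].decode(errors="replace")
    password = decode_user_password(secret, request_auth, attrs[ATTR_USER_PASSWORD])
    reply_code = ACCESS_ACCEPT if users.get(user) == password else ACCESS_REJECT
    auth = response_authenticator(secret, reply_code, ident, request_auth, b"")
    return _packet(reply_code, ident, auth, b"")


def client_verify(secret, ident, request_auth, reply):
    """NAS side: trust the reply code only if the Response Authenticator verifies."""
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length != len(reply):
        return None
    expected = response_authenticator(secret, code, rid, request_auth, reply[20:])
    return code if hmac.compare_digest(expected, reply[4:20]) else None


def authenticate(nas_secret, server_secret, users, username, password):
    """Full round trip; None means the reply failed verification (e.g. secret mismatch)."""
    req, request_auth = build_access_request(nas_secret, 7, username, password, "192.0.2.1")
    reply = server_handle(server_secret, users, req)
    return client_verify(nas_secret, 7, request_auth, reply)


USERS = {"alice": "correct horse battery staple"}   # constructed test account

if __name__ == "__main__":
    s = b"shared-secret-for-this-nas"
    print(authenticate(s, s, USERS, "alice", "correct horse battery staple"))   # 2 = Access-Accept
    print(authenticate(s, s, USERS, "alice", "wrong"))                           # 3 = Access-Reject
    print(authenticate(s, b"other-secret", USERS, "alice", "correct horse battery staple"))  # None
```

The password hiding is a fixed MD5 keystream keyed by the secret, not real encryption, which is why the secret's length and randomness matter and why the path between the device and the server should be trusted or tunnelled.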

Creating an Active Directory Server

To create an Active Directory server on HSM, take the following steps:

1. Click Configuration > Device Configuration to enter the device configuration page.

2. In the device navigation pane, select the device you want, go to the Objects navigation pane
and select AAA Server.

3. Click the black triangle to the right of the New button from the toolbar, and select Active
Directory Server. The Active Directory Server Configuration dialog appears.


Basic Configuration

Type: Specifies the type for the new Active Directory server, including private and shared.

Server Name: Specifies a name for the Active Directory server.

Server Address: Specifies an IP address or domain name for the Active Directory server.

Virtual Router: Specifies a VR for the Active Directory server.

Port: Specifies a port number for the Active Directory server. The value range is 1 to 65535. The default
value is 389.

Base-dn: Specifies the Base-dn for the AD server. The Base-dn is the starting point of the search when the
AD server receives an authentication request. For example, if the server domain is abc.xyz.com, the Base-dn
is "dc=abc,dc=xyz,dc=com".

Login-dn: Specifies the account used to log in to the AD server (typically a user account with query
privilege predefined on the AD server). The DN (distinguished name) identifies an AD account that has read
access to the user information. The format is "cn=xxx,dc=xxx,...". For example, if the server domain is
abc.xyz.com and the AD account is administrator, located in the Users container, the Login-dn is
"cn=administrator,cn=users,dc=abc,dc=xyz,dc=com". Prefer a dedicated read-only account over a domain
administrator here, since the device stores this account's password.

sAMAccountName: Specifies the sAMAccountName, which is a string of 1 to 63 characters and is case sensitive.

Authentication Mode: Specifies the authentication or synchronization method (either plain text or MD5).
The default method is MD5. If the sAMAccountName is not configured after you specify the MD5 method, the
plain method will be used when synchronizing users from the server, and the MD5 method will be used when
authenticating users. With the plain method the bind password crosses the network unencrypted unless the
connection is otherwise protected.

Password: Specifies the password for the AD server. This is the password of the Login-dn account.

Optional

Role Mapping Rule: Specifies a role mapping rule for the server. With this option selected, the system will
allocate a role to users who have been authenticated by the server according to the specified role mapping
rule.

Backup server 1/Backup server 2: Specifies an IP address or domain name for backup server 1 or backup
server 2.

Virtual Router1/Virtual Router2: Specifies a VR for the backup server.

Synchronization: Check the checkbox to enable the synchronization function; clear the checkbox to disable
it, after which the system stops synchronizing and clears the existing user information. By default, the
system synchronizes the user information on the configured Active Directory server to the local device every
30 minutes.

Automatic Synchronization: Click the radio button to specify automatic synchronization.

  Interval Synchronization: Specifies the time interval of automatic synchronization. The value range is
  30 to 1440 minutes. The default value is 30.

  Daily Synchronization: Specifies the time of day when the user information is synchronized. The format
  is HH:MM, where HH and MM indicate the hour and minute respectively.

  Once Synchronization: If this parameter is specified, the system synchronizes automatically when the
  configuration of the Active Directory server is modified. After this option is applied, the system
  synchronizes the user information immediately.

Synchronous Operation Mode: Specifies the user synchronization mode, either Group Synchronization or OU
Synchronization. By default, user information is synchronized to the local device based on Group.

OU maximum depth: Specifies the maximum depth of OUs to be synchronized. The value range is 1 to 12, and
the default value is 12. OU structure that exceeds the maximum depth is not synchronized, but users below
the maximum depth are synchronized into the deepest synchronized OU they belong to. If the total length of
the OU name for a level (including the "OU=" string and punctuation) is more than 128 characters, OU
information beyond that length is not synchronized to the local device.

User Filter: Specifies the user filter conditions; the system only synchronizes and authenticates users on
the authentication server that match the filter. The length is 0 to 120 characters. For example, the
condition "memberOf=CN=Admin,DC=test,DC=com" means that the system only synchronizes or authenticates
users whose memberOf attribute contains the group DN "CN=Admin,DC=test,DC=com". The commonly used
operators are: = (equals a value), & (and), | (or), ! (not), * (wildcard, matches zero or more characters),
~= (fuzzy query), >= (equal to or greater than a specified value in lexicographical order), <= (equal to or
less than a specified value in lexicographical order).

Security Agent: Select the Enable check box to enable Security Agent. With this function enabled, the
system can obtain the mappings between the user names of the domain users and their IP addresses from the
AD server, so that the domain users can gain access to network resources. Besides, by making use of the
obtained mappings, the system can also implement other user-based functions, like security statistics, log-

  Agent Port: Specifies an agent port. The value range is 1025 to 65535. The default port is 6666.

  Login: Specifies a login info timeout. The

Backup Authentication Server: Specifies a backup authentication server. After a backup authentication
server is configured for the Active Directory server, the backup authentication server takes over the
authentication task when the primary server malfunctions or authentication fails on the primary server. The
backup authentication server can be any existing local, Active Directory, RADIUS or LDAP server defined in
the system.

4. Click OK to save the changes and close the dialog.


You can click the Delete button on the toolbar to delete servers. Click Convert to Shared to convert a
private Active Directory server into a shared one. In the search box at the upper right corner of the
toolbar, enter an appropriate keyword of the name to search for the Active Directory server; Fuzzy or
Accurate can be selected in the search drop-down menu.

Creating an LDAP Server

To create an LDAP server on HSM, take the following steps:

1. Click Configuration > Device Configuration to enter the device configuration page.

2. In the device navigation pane, select the device you want, go to the Objects navigation pane
and select AAA Server.

3. Click the black triangle to the right of the New button from the toolbar, and select LDAP
Server. The LDAP Server Configuration dialog appears.


Basic Configuration

Type: Specifies the type for the new LDAP server, including private and shared.

Server Name: Specifies a name for the LDAP server.

Server Address: Specifies an IP address or domain name for the LDAP server.

Virtual Router: Specifies a VR for the LDAP server.

Port: Specifies a port number for the LDAP server. The value range is 1 to 65535. The default value is 389.

Base-dn: Specifies the Base-dn. The Base-dn is the starting point of the search when the LDAP server
receives an authentication request.

Login-dn: Specifies the account used to log in to the LDAP server (typically a user account with query
privilege predefined on the LDAP server).

Authid: Specifies the Authid, which is a string of 1 to 63 characters and is case sensitive.

Authentication Mode: Specifies the authentication or synchronization method (either plain text or MD5).
The default method is MD5. If the Authid is not configured after you specify the MD5 method, the plain
method will be used when synchronizing users from the server, and the MD5 method will be used when
authenticating users.

Password: Specifies the password for the LDAP server. This is the password of the Login-dn account.

Optional

Role Mapping Rule: Specifies a role mapping rule for the server. With this option selected, the system will
allocate a role to users who have been authenticated by the server according to the specified role mapping
rule.

Backup server 1/Backup server 2: Specifies an IP address or domain name for backup server 1 or backup
server 2.

Virtual Router1/Virtual Router2: Specifies a VR for the backup server.

Synchronization: Check the checkbox to enable the synchronization function; clear the checkbox to disable
it, after which the system stops synchronizing and clears the existing user information. By default, the
system synchronizes the user information on the configured LDAP server to the local device every 30
minutes.

Automatic Synchronization: Click the radio button to specify automatic synchronization.

  Interval Synchronization: Specifies the time interval of automatic synchronization. The value range is
  30 to 1440 minutes. The default value is 30.

  Daily Synchronization: Specifies the time of day when the user information is synchronized. The format
  is HH:MM, where HH and MM indicate the hour and minute respectively.

  Once Synchronization: If this parameter is specified, the system synchronizes automatically when the
  configuration of the LDAP server is modified. After this option is applied, the system synchronizes the
  user information immediately.

Synchronous Operation Mode: Specifies the user synchronization mode, either Group Synchronization or OU
Synchronization. By default, user information is synchronized to the local device based on Group.

OU maximum depth: Specifies the maximum depth of OUs to be synchronized. The value range is 1 to 12, and
the default value is 12. OU structure that exceeds the maximum depth is not synchronized, but users below
the maximum depth are synchronized into the deepest synchronized OU they belong to. If the total length of
the OU name for a level (including the "OU=" string and punctuation) is more than 128 characters, OU
information beyond that length is not synchronized to the local device.

User Filter: Specifies the user filters; the system only synchronizes and authenticates users on the
authentication server that match the filters. The length is 0 to 120 characters. For example, the condition
"(|(objectclass=inetOrgperson)(objectclass=person))" means that the system only synchronizes or
authenticates users whose object class is inetOrgPerson or person. The commonly used operators are:
= (equals a value), & (and), | (or), ! (not), * (wildcard, matches zero or more characters), ~= (fuzzy
query), >= (equal to or greater than a specified value in lexicographical order), <= (equal to or less than
a specified value in lexicographical order).

Naming Attribute: Specifies the naming attribute for the LDAP server. The default naming attribute is uid.

Member Attribute: Specifies the member attribute for the LDAP server. The default member attribute is
uniqueMember.

Group Class: Specifies the group class for the LDAP server. The default class is groupofuniquenames.

Backup Authentication Server: Specifies a backup authentication server. After a backup authentication
server is configured for the LDAP server, the backup authentication server takes over the authentication
task when the primary server malfunctions or authentication fails on the primary server. The backup
authentication server can be any existing local, Active Directory, RADIUS or LDAP server defined in the
system.

4. Click OK to save the changes and close the dialog.


You can click the Delete button on the toolbar to delete servers. Click Convert to Shared to convert a private LDAP server into a shared one. In the search box at the upper right corner of the toolbar, enter an appropriate keyword for the name to search for the LDAP server; Fuzzy or Accurate can be selected in the search drop-down menu.
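As an added example (not Hillstone code), the following Python pre-check applies the User Filter and OU maximum depth constraints above before they are entered into HSM; the sample filters and DNs are constructed, and treating an over-long OU level as cutting off the levels beneath it is an assumption.

```python
"""Added example, not Hillstone code: pre-checks for the LDAP sync settings
described above (User Filter syntax and length, OU maximum depth and the
128-character OU level limit). Sample filters and DNs are constructed."""
import re

FILTER_MAX_LEN = 120   # User Filter: 0 to 120 characters
OU_DEPTH_LIMIT = 12    # OU maximum depth: 1 to 12, default 12
OU_LEVEL_MAX = 128     # "OU=..." string per level, including punctuation

# one leaf item: attribute, one of the listed comparison operators, value
_ITEM_RE = re.compile(r"^[A-Za-z][A-Za-z0-9.;-]*(=|~=|>=|<=)[^()]*$")


def validate_user_filter(flt):
    """Return a list of problems; an empty list means the filter is usable.
    Accepts the operators the guide lists: =, &, |, !, *, ~=, >=, <=."""
    problems = []
    if len(flt) > FILTER_MAX_LEN:
        problems.append(f"length {len(flt)} exceeds {FILTER_MAX_LEN}")
    depth = 0
    for ch in flt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            problems.append("unbalanced ')'")
            break
    if depth > 0:
        problems.append("unbalanced '('")
    for m in re.finditer(r"\(", flt):
        rest = flt[m.start():]
        if rest[1:2] in ("&", "|", "!"):
            continue          # composite item such as (&...), (|...) or (!...)
        leaf = re.match(r"\(([^()]*)\)", rest)
        if not leaf or not _ITEM_RE.match(leaf.group(1)):
            problems.append(f"bad filter item at offset {m.start()}")
    return problems


def sync_ou_path(user_dn, max_depth=OU_DEPTH_LIMIT):
    """Return the OU chain (top level first) the user lands in locally.
    OUs beyond max_depth are not created and the user goes to the deepest
    synchronized OU. An over-long OU level is not synchronized; the
    assumption here is that the levels beneath it cannot be created either."""
    if not 1 <= max_depth <= OU_DEPTH_LIMIT:
        raise ValueError("OU maximum depth must be 1 to 12")
    # the constructed DNs contain no escaped commas, so a plain split suffices
    rdns = [r.strip() for r in user_dn.split(",")]
    chain = []
    for rdn in reversed(rdns):          # a DN lists the leaf first; walk top-down
        if not rdn.upper().startswith("OU="):
            continue
        if len(rdn) > OU_LEVEL_MAX:
            break
        chain.append(rdn)
    return chain[:max_depth]
```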

Creating a TACACS+ Server

To create a TACACS+ server on HSM, take the following steps:

1. Click Configuration > Device Configuration to enter the device configuration page.

2. In the device navigation pane, select the device you want, go to the Objects navigation pane
and select AAA Server.

3. Click the black triangle to the right of the New button on the toolbar, and select TACACS+ Server. The TACACS+ Server Configuration dialog appears.

Basic Configuration

Type: Specifies the type of the new TACACS+ server, either private or shared.

Server Name: Enter a name for the TACACS+ server.

Server Address: Specify the IP address or host name of the TACACS+ server.

Virtual Router: Specify the VRouter of the TACACS+ server.

Port: Enter the port number of the TACACS+ server. The default value is 49. The value range is 1 to 65535.

Secret: Enter the shared secret used to connect to the TACACS+ server.

Confirm Secret: Re-enter the shared secret.

Optional

Role mapping rule: Select a role mapping rule for the server. With this option selected, the system allocates a role to users who have been authenticated by the server according to the specified role mapping rule.

Backup Server 1 (2): Enter the domain name or IP address of the backup TACACS+ server.

Virtual Router 1 (2): Select the VRouter of the backup server.

4. Click OK to save the changes and close the dialog.


You can click the Delete button on the toolbar to delete servers. Click Convert to Shared to convert a private TACACS+ server into a shared one. In the search box at the upper right corner of the toolbar, enter an appropriate keyword for the name to search for the TACACS+ server; Fuzzy or Accurate can be selected in the search drop-down menu.

Track Object

The devices provide the track object to track whether the specified object (IP address or host) is reachable or whether the specified interface is connected. This function is designed to track HA and interfaces.

Creating a Track Object

To create a track object, take the following steps:

1. Click Configuration > Device Configuration to enter the device configuration page.

2. In the device navigation pane, select the device you want, go to the Objects navigation pane
and select Track Object.

3. Click New on the toolbar. The New Track Object dialog appears.

Configure the following options.

Option Description

Type: The system only supports private track objects.

Name: Specifies a name for the new track object.

Threshold: Type the threshold for the track object into the text box.

Track Type: Select a track object type. Only the interface type is supported.

  • Click Add in the Add Track Members section and then configure the following options in the Add Interfaces dialog box:

    - Interface: Select a track interface from the drop-down list.

    - Weight: Specifies a weight for the interface, i.e. the weight it contributes to the overall failure of the whole track object if this track entry fails.

  Note:

  • The track objects of the types "HTTP / Ping / ARP / DNS / TCP" and "Traffic Quality" can be displayed through HSM, but cannot be added or deleted.

  • HSM only supports viewing Traffic Quality track objects on devices whose NGFW version is 5.5R6 or above.

HA sync: Select this check box to enable the HA sync function. The primary device will synchronize its information with the backup device.

4. Click OK.

Introduction to Global Configuration
Global configuration provides a configuration method based on sharing across multiple devices. You can design your network configuration comprehensively, which improves management efficiency. You can configure two kinds of rules on the global configuration page: private and shared. Shared rules and objects can be used by all devices. Private rules help users understand all the private rules from a global perspective. A shared security policy based on centralized management can be configured and deployed to multiple devices, realizing unified management of device traffic and reducing the configuration workload and the odds of error.
For more detailed configuration information, see the following topics:

• Global Configuration

• Global Object

Global Configuration
Click Configuration > Global Configuration to enter the global configuration page. In this page,
you can create, edit, delete the shared or private rules. The shared rules can be used by all devices.

Notes: HSM supports HA management of the Active-Passive, Active-Active and Active-Peer modes for the managed devices. When HSM manages the HA function of the managed devices, you can view, configure and share the information of the master device in the HA pair. For the slave device, you can only view the configuration information on HSM.

After configuring the shared rules, you have to deploy the shared rules to the managed device if you want them to take effect on the device. For more detailed information about deploying configuration, see Synchronizing Configuration.
The related configurations are:
The related configurations are:

• Policy

• iQoS

• NAT

• Route

• Configuration Bundle

Policy Configuration

Creating a Shared Policy

To create a shared policy on the HSM global configuration page, take the following steps:

1. Log into HSM, click Configuration > Global Configuration > NGFW/NIPS/IDS to enter
the global configuration page.

2. In the left navigation pane, select device types tab, then expand Configure and Security
Policy nodes.

3. From the toolbar, click New. The Shared Policy Configuration dialog appears.

In the Shared Policy Configuration dialog, configure the following.

Policy Name: Specify the name of the shared policy.
Description: If necessary, type description information for the policy in this text box.

4. Click OK. The new policy will be shown in the policy list.

5. Click on the policy name in the policy list or select the newly added policy from the con-
figuration navigation pane to enter the rule editing page.

6. Configure rules for the policy. For detailed information about how to configure them, see "Rule Configuration" on Page 412.

After selecting a policy in the policy list, you can click the Edit button from the toolbar to edit
the shared or private policy, and click the Delete button to delete the shared policy.

Notes: The newly created policy only exists on HSM before deployment; even though you have specified devices for the policy, it will not take effect on the specified devices until it is deployed.

Rule Configuration

Creating a Policy Rule

In the global configuration page, click Security Policy > Shared/Private from the configuration
navigation pane, then select a shared or private policy to enter the policy configuration page. For
the details about how to create, please refer to "Creating a Policy Rule" on Page 228 in Device
Configuration.

Notes: HSM supports copying shared policy rules to a private or shared policy, but does not support copying private policy rules to a shared policy or to another private policy.


Creating a Rule Group

In the global configuration page, click Security Policy > Shared/Private from the configuration
navigation pane, then select a shared or private policy to enter the policy configuration page. For
the details about how to create, please refer to "Creating a Rule Group" on Page 236 in Device
Configuration.

Notes: HSM supports copying shared policy rule groups to a private or shared policy, but does not support copying private policy rule groups to a shared policy or to another private policy.

Moving Rules and Groups

Please refer to "Moving Rules and Groups" on Page 238 in Device Configuration.

Deleting a Rule Group

Please refer to "Deleting a Rule Group" on Page 238 in Device Configuration.

Viewing Operation Record

To view operation record of policy rule and rule group, take the following steps:

1. Click Configuration > Global Configuration from the Level-1 navigation pane to enter the
global configuration page.

2. In the left navigation pane, select device types tab, then expand Configure and Security
Policy nodes.

3. Click the icon in the Operation Record column. The Operation Record dialog for the security policy appears.
You can view the detailed operation record of rules and rule groups, including add, edit, delete, paste and so on.

You can also view the operation record on the HSM System Log page; please refer to "Operation Log" on Page 623.

Opening Local Snapshot

Please refer to "Opening Local Snapshot" on Page 244 in Device Configuration.

Rule Match Analysis

Please refer to "Rule Match Analysis" on Page 245 in Device Configuration.

Rule Conflict Check

This feature is used to check whether there are useless rules. Select the Rule Conflict Check check box on the toolbar, and the system begins to check for conflicts among the rules in the policy. When the check is finished, the useless rules become hatched, and all the rule IDs that overshadow each such rule are listed in the last column (shadow) of the rule list. You can select all of the redundant rules by clicking the number in brackets after the check box, so that you can delete them in batches.

Setting Head or Tail Policy

You can specify a head policy or a tail policy for a private policy, and specify a head policy for a shared policy. Through the inheritance relations of policies, one or more rules can be applied on the device. The rules of the head policy applied on the device have a higher priority than the existing rules on the device, and the rules of the tail policy have a lower priority than the existing rules on the device.
To set a head or tail policy for private policy or shared policy, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation
pane to enter the global configuration page.

2. In the left navigation pane, select device types tab, then expand Configure and Security
Policy nodes, and then select the policy you want to set head or tail policy from the policy
list.

3. If you choose a shared policy, click Apply Policy on the toolbar. The Apply Policy Guide page appears. The following configurations can be performed:
As head policy of devices: Click Next to select the devices that use this shared policy as their head policy.
As tail policy of devices: Click Next to select the devices that use this shared policy as their tail policy.
Override policies of devices: Click Next to select the devices whose own policy is replaced with this shared policy.
As head policy of shared policy: Click Next to select the shared policies that use this shared policy as their head policy.

4. If you choose a private policy, click Set Head Policy or Set Tail Policy from the toolbar.
Select shared policies in the pop-up dialog box.

5. Click OK.
The configuration you just made will be shown in the Head Policy and Tail Policy column.

Notes:
• Only a shared policy can be specified as a head or tail policy.

• If a shared policy has been specified as a tail policy for a private policy, it is not allowed to become the head policy for other policies.

• If a shared policy has been designated as the head policy for a policy, it is not allowed to become the tail policy for another policy.

• A shared policy which has already been designated with a head policy is not allowed to become a tail policy for other policies.

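To show how the head and tail relationships compose, here is an added example (not HSM code) that checks the Notes above and builds the effective rule order for a device; the policy names and rule ids are constructed.

```python
"""Added example, not HSM code: models the head/tail policy relationships
described above. It checks the constraints from the Notes and builds the
effective rule order for a device's private policy (head chain first, then
the device's own rules, then the tail policy). Policy names and rule ids are
constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Policy:
    name: str
    kind: str                                  # "shared" or "private"
    rules: list = field(default_factory=list)  # rule ids in priority order
    head: Optional[str] = None                 # shared policy used as head
    tail: Optional[str] = None                 # shared policy used as tail


def validate_relationships(policies):
    """Return the violations of the Notes above; an empty list is a valid set."""
    errors = []
    heads = {p.head for p in policies.values() if p.head}
    tails = {p.tail for p in policies.values() if p.tail}
    for p in policies.values():
        for role, ref in (("head", p.head), ("tail", p.tail)):
            if ref is None:
                continue
            if ref not in policies:
                errors.append(f"{p.name}: {role} policy {ref} does not exist")
            elif policies[ref].kind != "shared":
                errors.append(f"{p.name}: {ref} is private; only a shared "
                              f"policy can be a {role} policy")
        if p.kind == "shared" and p.tail:
            errors.append(f"{p.name}: a shared policy cannot be given a tail policy")
    # a shared policy is either a head or a tail somewhere, never both
    for name in sorted(heads & tails):
        errors.append(f"{name} is used as both a head policy and a tail policy")
    # a shared policy that has its own head policy cannot serve as a tail
    for name in sorted(tails):
        if name in policies and policies[name].head:
            errors.append(f"{name} already has a head policy and cannot be a tail policy")
    return errors


def effective_rules(policies, name, _seen=()):
    """Rule ids in the order they apply on the device for policy `name`."""
    if name in _seen:
        raise ValueError(f"head/tail policy cycle through {name}")
    p = policies[name]
    seen = _seen + (name,)
    out = []
    if p.head:
        out += effective_rules(policies, p.head, seen)   # head rules win
    out += list(p.rules)
    if p.tail:
        out += effective_rules(policies, p.tail, seen)   # tail rules lose
    return out


def build_sample():
    """Constructed set: a corporate baseline heads a branch head policy, which
    heads the branch firewall's private policy; a cleanup policy tails it."""
    ps = [
        Policy("corp-baseline", "shared", ["B1", "B2"]),
        Policy("branch-head", "shared", ["H1"], head="corp-baseline"),
        Policy("cleanup", "shared", ["T1"]),
        Policy("fw-branch1", "private", ["P1", "P2"], head="branch-head", tail="cleanup"),
    ]
    return {p.name: p for p in ps}


def build_invalid_sample():
    """The valid set plus two mistakes the Notes forbid."""
    ps = build_sample()
    ps["fw-branch2"] = Policy("fw-branch2", "private", ["Q1"], tail="branch-head")
    ps["fw-branch3"] = Policy("fw-branch3", "private", ["R1"], head="fw-branch1")
    return ps
```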


Viewing Policy Relationship

To help users understand the relationships of all policies more intuitively, HSM supports viewing a policy topology map.

Viewing Topology Map

To view the topology map of the policy relationship, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation
pane to enter the global configuration page.

2. In the left navigation pane, select device types tab, and then expand Configure and Security
Policy node in turn.

3. Click Relationship View at the top right corner of the main window to view the topology map of the policy relationships.
The topology map shows the relationships of the private policies that the current administrator can access and of all the shared policies. Click Grid View to switch back to the original view.

You can enter a policy name in the search box at the top right of the view, and the corresponding policy will be highlighted. Click Back to Center at the top right of the view to display all the security policies in the view. Click Auto Arrange to switch to the topology view. Click Full Screen to switch to full screen mode. You can also right-click a policy icon to specify its head policy or tail policy, and mark the policy icon with a color (a shared policy cannot be designated with a tail policy).

Configuring the Policy-based Protection Function

The HSM system currently supports policy-based anti-Virus, IPS, URL filtering, or viewing sand-
box protection.
To realize the policy-based protection function, take the following steps:



1. Click Configuration > Global Configuration from the Level-1 navigation pane to enter the
global configuration page.

2. In the left navigation pane, select device types tab, then expand Configure and Security
Policy nodes, select the policy which will be edited. The main window shows the policy
entry list.

3. Click the policy entry in the policy entry list. The configuration dialog appears.

In the configuration dialog, configure the following.

Option Description

Anti-Virus: Select the On check box to enable the Anti-Virus function. Select the Anti-Virus rule from the drop-down list. Two kinds of Anti-Virus rule can be used:

  • Predefined: By default, HSM has three default Anti-Virus rules: predef_low, predef_middle, and predef_high. The file types and protocol types that are filtered differ between these rules. The higher the Anti-Virus rule, the higher the security level.

  • User-defined: The user-defined Anti-Virus rules. According to actual needs, select an Anti-Virus rule from the drop-down list, or click New in the drop-down list to create an Anti-Virus rule. For more information, see Anti-Virus.

  In the drop-down list, you can specify filtering conditions; HSM displays all Anti-Virus rules that match the search conditions.

Intrusion Protection: Select the On check box to enable the IPS function. Select the IPS rule from the drop-down list. You can select predefined IPS rules or user-defined IPS rules of the managed device. The system provides different predefined IPS rules for firewalls of different versions. For more information, see "Intrusion Protection System".

  In the drop-down list, you can specify search conditions; HSM displays all IPS rules that match the search conditions.

Botnet Defense: Select the On check box to enable the Botnet Defense function. Select a configured botnet defense profile from the drop-down list, or click New in the drop-down list to create a botnet defense profile to use. For more information, see Configuring Botnet Prevention.

  In the drop-down list, you can specify filtering conditions; HSM displays all botnet defense profiles that match the search conditions.

URL Filter: Select the On check box to enable the URL Filter function. Select the URL Filter rule from the drop-down list. According to actual needs, select a URL Filter rule from the drop-down list, or click New in the drop-down list to create a URL Filter rule. For more information, see URL Filter.

  In the drop-down list, you can specify filtering conditions; HSM displays all URL Filter rules that match the search conditions.

Sandbox: You can view whether sandbox protection is enabled on the managed device. Configuring sandbox protection on HSM is currently not supported. Two kinds of Sandbox rule can be used:

  • Predefined: By default, HSM has three default Sandbox rules: predef_low, predef_middle and predef_high. The predef_low rule covers the PE file type and the HTTP/FTP/POP3/SMTP/IMAP4 protocols, with white list and filter enabled. The predef_middle rule covers the PE/APK/JAR/MS-Office/PDF file types and the HTTP/FTP/POP3/SMTP/IMAP4 protocols, with white list and filter enabled. The predef_high rule covers the PE/APK/JAR/MS-Office/PDF/SWF/RAR/ZIP file types and the HTTP/FTP/POP3/SMTP/IMAP4 protocols, with white list and filter enabled.

  • User-defined: The user-defined Sandbox rules.

4. After configuring the shared policy-based AV and IPS functions on HSM, the policy entry shows an icon for each enabled function: one for the Anti-Virus function status, one for the IPS function status, one for the URL Filter function status and one for the Sandbox function status.

iQoS

To create a shared iQoS on the HSM global configuration page, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation
pane to enter the global configuration page.

2. In the left navigation pane, expand Configure and iQoS nodes in NGFW tab.

3. From the toolbar, click New. The Add iQoS dialog appears.

Enter the iQoS name in the dialog; Relevant Device and Description are optional.

4. Click OK. The new iQoS will be shown in the iQoS list.

For more information about how to configure iQoS, please refer to iQoS in Device Configuration.

NAT

Creating a SNAT

A SNAT is a collection of zero or more SNAT rules.

To create a SNAT on the HSM global configuration page, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation
pane to enter the global configuration page.

2. In the left navigation pane, select device types tab, then expand Configure and NAT nodes,
select SNAT or Shared.

3. From the toolbar, click New. The Add Shared SNAT dialog appears.

In the Add Shared SNAT dialog, configure the following.

SNAT Name: Specify the name of the SNAT.

Relevant Device: Specify the devices which you want to associate with the SNAT. If you choose the VSYS devices of a device, the SNAT is associated with the VSYS devices of the device, not the device itself. After configuring the SNAT, you have to deploy the rule to the relevant device if you want it to take effect on the device. For more detailed information about deploying configuration, see Synchronizing Configuration.
Father NAT: Specify the father NAT for the SNAT. If specified, the SNAT inherits the configuration of the father NAT.
Description: If necessary, type description information for the SNAT in this text box.

4. Click OK. The new SNAT will be shown in the SNAT list.

Editing/Deleting a SNAT

To edit/delete a SNAT, take the following steps:



1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation
pane to enter the global configuration page.

2. In the left navigation pane, select device types tab, then expand Configure and NAT nodes,
select SNAT or Shared. Select the SNAT you want to edit/delete from the NAT list.

3. Click Edit/Delete from the toolbar.

Creating a SNAT Rule

To create a SNAT Rule, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation
pane to enter the global configuration page.

2. In the left navigation pane, select device types tab, then expand Configure and NAT nodes,
click Shared or Private. Double-click the SNAT name you want to create SNAT rules from
the SNAT list. The main window shows the SNAT rule list.

3. From the toolbar of the SNAT rule list, click New. The SNAT Configuration dialog appears.

In the Basic tab of the SNAT Configuration dialog, configure the following.

• Virtual Router: Specify a Virtual Router for the SNAT rule.

• Type: Specify the type of the SNAT rule: IPv4, NAT46, NAT64 or IPv6. The configuration options for the different types of SNAT rule may vary on this page; please refer to the actual page.

• Source Addr: Specify the source IP address of the traffic, including:
  IPv4 Address Entry - Select an IPv4 address entry from the drop-down list.
  IPv4 address - Type an IPv4 address into the IP address box.
  IP/netmask - Type an IPv4 address and subnet mask into the box.
  IPv6 Address Entry - Select an IPv6 address entry from the drop-down list.
  IPv6 address - Type an IPv6 address into the IP address box.
  IPv6/Prefix - Type an IPv6 address and subnet prefix into the box.

• Destination Addr: Specify the destination IP address of the traffic, including:
  IPv4 Address Entry - Select an IPv4 address entry from the drop-down list.
  IPv4 address - Type an IPv4 address into the IP address box.
  IP/netmask - Type an IPv4 address and subnet mask into the box.
  IPv6 Address Entry - Select an IPv6 address entry from the drop-down list.
  IPv6 address - Type an IPv6 address into the IP address box.
  IPv6/Prefix - Type an IPv6 address and subnet prefix into the box.

• Ingress: Specify the ingress traffic of the source NAT rule. The default ingress is all traffic.
  All Traffic - The ingress traffic of the source NAT rule is all traffic. Traffic from any interface will match the source NAT rule.
  Ingress Interface - Specify the ingress interface of the traffic in the source NAT rule. Select an interface from the drop-down list. Only the traffic flowing in from the configured ingress interface will match the source NAT rule.

• Egress: Specify the egress traffic, including:
  All Traffic - Specify all traffic as the egress traffic.
  Egress interface - Specify the egress interface of the traffic. Select an interface from the drop-down list.
  Next Virtual Router - Specify the next Virtual Router of the traffic. Select a Virtual Router from the drop-down list.

• Service: Select the service you need from the Service drop-down list.

• Translated to

  • NAT Address: Specify the translated NAT IP address, including:

    • Egress IF IP(IPv4) - Specify the NAT IP address to be the IP address of the egress interface. If Sticky is enabled, all sessions from one IP address are mapped to the same fixed IP address. Click the Enable check box behind Sticky to enable Sticky.

    • Specified IP - Specify the NAT IP address to be a specified IP address. You also need to specify the translation mode, including:

      • Static: Static mode means one-to-one translation. This mode requires the translated address entry to contain the same number of IP addresses as the source address entry.

      • Dynamic IP: Dynamic IP mode means multiple-to-one translation. This mode translates the source address to a specific IP address. Each source address is mapped to a unique IP address, until all specified addresses are occupied.

      • Dynamic port: Also called PAT. Multiple source addresses are translated to one specified IP address in an address entry.
        If Sticky is enabled, all sessions from one IP address are mapped to the same fixed IP address.
        If Round-robin is enabled, all sessions from one IP address are mapped to the same fixed IP address. Click the Enable button behind Round-robin to enable the Round-robin function.
        If neither Sticky nor Round-robin is enabled, the first address in the address entry is used first; when the port resources of the first address are exhausted, the second address is used.
        If Track is enabled, the system tracks whether the translated public address is valid, i.e., it uses the translated address as the source address to track whether the destination website or host is accessible. The configured track object can be a Ping track object, HTTP track object or TCP track object.

    • No NAT - Do not implement NAT.

  • Sticky: Select the check box to enable the Sticky function.

  • Round-robin: Select the check box to enable the Round-robin function.

  Note: You can only enable one of the Sticky function and the Round-robin function at the same time.

  • Track: Select the check box to enable the Track function and select a track object from the drop-down list.

• Description: Specify the description of the SNAT rule.

In the Advanced tab, configure the following.

• HA Group: Specify the HA group that the SNAT rule belongs to. The default setting is 0.

• NAT Log: Select the Enable check box to enable the log function for this SNAT rule (log information is generated when traffic matches this NAT rule).

• Rule Position: Specify the position of the rule. Each SNAT rule has a unique ID. When traffic flows into the device, the device searches the SNAT rules in sequence and then implements NAT on the source IP of the traffic according to the first matched rule. The sequence of the IDs shown in the SNAT rule list is the order of rule matching. Select one of the following items from the drop-down list:
  Bottom - The rule is located at the bottom of all the rules in the SNAT rule list. By default, the system puts a newly-created SNAT rule at the bottom of all SNAT rules.
  Top - The rule is located at the top of all the rules in the SNAT rule list.
  Before ID - Type the ID number into the text box. The rule is located before the ID you specified.
  After ID - Type the ID number into the text box. The rule is located after the ID you specified.

• ID: Specify how the rule ID is obtained. It can be assigned automatically by the system or manually by you. If you click Manually assign ID, type an ID number into the box behind it.

4. Click OK to save your settings. The new SNAT rule will be shown in the SNAT rule list.
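Pulling the Rule Position and Translated to options together, the following is an added model, not Hillstone's implementation: an ordered rule list with first-match lookup, plus the Static, Dynamic IP and Dynamic port address selection. The Sticky pick, per-session Round-robin rotation, exhaustion handling and all addresses are assumptions and constructed values.

```python
"""Added model, not Hillstone's implementation, of the SNAT behaviour
described above: Rule Position and first-match lookup, then Static /
Dynamic IP / Dynamic port address selection with Sticky and Round-robin.
The Sticky pick, Round-robin rotation and exhaustion handling are assumptions."""
import ipaddress
from itertools import count

ANY = "any"


def snat_rule(src, dst, pool, mode, service=ANY, sticky=False, round_robin=False):
    """Build a rule; src/dst are CIDR strings, pool is the translated entry."""
    if sticky and round_robin:
        raise ValueError("Sticky and Round-robin cannot both be enabled")
    rule = {"src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "service": service, "mode": mode, "sticky": sticky,
            "round_robin": round_robin,
            "pool": [ipaddress.ip_address(a) for a in pool]}
    if mode == "static" and len(rule["pool"]) != rule["src"].num_addresses:
        raise ValueError("Static mode needs one translated address per source")
    return rule


class SnatTable:
    """Ordered rule list; list order is the match order shown in the rule list."""

    def __init__(self):
        self.rules = []
        self._auto_id = count(1)

    def add(self, rule, position="bottom", ref_id=None, rule_id=None):
        """Insert at Top, Bottom, Before ID or After ID; returns the rule id."""
        rule["id"] = rule_id if rule_id is not None else next(self._auto_id)
        if position in ("top", "bottom"):
            idx = 0 if position == "top" else len(self.rules)
        else:   # "before" / "after" the rule whose id is ref_id
            idx = next(i for i, r in enumerate(self.rules) if r["id"] == ref_id)
            idx += position == "after"
        self.rules.insert(idx, rule)
        return rule["id"]

    def match(self, src_ip, dst_ip, service):
        """The first rule in order that matches wins; None when nothing matches."""
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for r in self.rules:
            if s in r["src"] and d in r["dst"] and r["service"] in (ANY, service):
                return r
        return None


class Translator:
    """Chooses the translated source address for a matched rule."""

    def __init__(self):
        self._dyn_ip = {}   # (rule id, source) -> address, for Dynamic IP
        self._rr = {}       # rule id -> Round-robin cursor

    def translate(self, rule, src_ip):
        src, pool, rid = ipaddress.ip_address(src_ip), rule["pool"], rule["id"]
        if rule["mode"] == "static":
            # one-to-one: the n-th source maps to the n-th translated address
            return pool[int(src) - int(rule["src"].network_address)]
        if rule["mode"] == "dynamic_ip":
            # each source keeps its own address until the entry is exhausted
            key = (rid, src)
            if key not in self._dyn_ip:
                used = {a for (r, _), a in self._dyn_ip.items() if r == rid}
                free = [a for a in pool if a not in used]
                if not free:
                    return None   # assumption: exhausted entry, no translation
                self._dyn_ip[key] = free[0]
            return self._dyn_ip[key]
        if rule["mode"] == "dynamic_port":   # PAT
            if rule["sticky"]:
                return pool[int(src) % len(pool)]   # assumed fixed per-source pick
            if rule["round_robin"]:
                i = self._rr.get(rid, 0)
                self._rr[rid] = (i + 1) % len(pool)
                return pool[i]
            return pool[0]   # first address until its ports run out (not modelled)
        raise ValueError(f"unknown mode {rule['mode']}")


def build_sample():
    """Constructed table; the specific PAT rule is placed Before the broad /8
    rule, otherwise the broad rule would match first and hide it."""
    t = SnatTable()
    t.add(snat_rule("10.2.0.0/24", "0.0.0.0/0", ["203.0.113.20", "203.0.113.21"],
                    "dynamic_ip"))                                        # id 1
    t.add(snat_rule("10.3.0.0/30", "0.0.0.0/0", ["203.0.113.32", "203.0.113.33",
                    "203.0.113.34", "203.0.113.35"], "static"))           # id 2
    broad = t.add(snat_rule("10.0.0.0/8", "0.0.0.0/0", ["203.0.113.1"],
                            "dynamic_port"))                              # id 3
    t.add(snat_rule("10.1.0.0/24", "0.0.0.0/0", ["203.0.113.10", "203.0.113.11"],
                    "dynamic_port", sticky=True), position="before", ref_id=broad)
    return t
```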

Editing/Deleting a SNAT Rule

To edit/delete a SNAT rule, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation
pane to enter the global configuration page.

2. In the left navigation pane, select device types tab, then expand Configure and NAT nodes,
click Shared or Private. Double-click the SNAT name you want to edit/delete SNAT rules
from the SNAT list. The main window shows the SNAT rule list.

3. Select the SNAT rule you want to edit/delete from the SNAT rules list.

4. Click Edit/Delete from the toolbar.

Creating a DNAT

A DNAT is a collection of zero or more DNAT rules.

To create a DNAT on the HSM global configuration page, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.


2. In the left navigation pane, select device types tab, then expand Configure and NAT nodes,
select DNAT or Shared.

3. From the toolbar, click New. The Add Shared DNAT dialog appears.

In the Add Shared DNAT dialog, configure the following.

DNAT Name: Specify the name of the DNAT.

Relevant Device: Specify the devices which you want to associate with the DNAT. If you choose the VSYS devices of a device, the DNAT is associated with the VSYS devices of the device, not the device itself. After configuring the DNAT, you have to deploy the rule to the relevant device if you want it to take effect on the device. For more detailed information about deploying configuration, see Synchronizing Configuration.
Father NAT: Specify the father NAT for the DNAT. If specified, the DNAT inherits the configuration of the father NAT.
Description: If necessary, type description information for the DNAT in this text box.

4. Click OK. The new DNAT will be shown in the DNAT list.

Editing/Deleting a DNAT

To edit/delete a DNAT, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation
pane to enter the global configuration page.



2. In the left navigation pane, select device types tab, then expand Configure and NAT nodes,
select DNAT or Shared. Select the DNAT you want to edit/delete from the DNAT list.

3. Click Edit/Delete from the toolbar.

Creating an IP Mapping Rule

To create an IP Mapping rule, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation
pane to enter the global configuration page.

2. Expand NAT from the configuration navigation pane, and then select DNAT or Shared.
Double-click the DNAT name you want to create DNAT rules from the DNAT list. The
main window shows the DNAT rule list.

3. From the toolbar of the DNAT rules list, click New > IP Mapping, then IP Mapping Con-
figuration page appears.

In the IP Mapping Configuration dialog, configure the following.

• Virtual Router: Specify a Virtual Router for the DNAT rule.

• HA Group: Specify the HA group that the DNAT rule belongs to. The default setting is 0.

• Destination Addr: Specify the destination IP address of the traffic, including:
  IPv4 Address Entry - Select an IPv4 address entry from the drop-down list.
  IPv4 address - Type an IPv4 address into the IP address box.
  IP/netmask - Type an IPv4 address and subnet mask into the box.
  IPv6 Address Entry - Select an IPv6 address entry from the drop-down list.
  IPv6 address - Type an IPv6 address into the IP address box.
  IPv6/Prefix - Type an IPv6 address and subnet prefix into the box.

• Translated to: Specify the translated IP address, including:
  IPv4 Address Entry - Select an IPv4 address entry from the drop-down list.
  IPv4 address - Type an IPv4 address into the IP address box.
  IP/netmask - Type an IPv4 address and subnet mask into the box.
  IPv6 Address Entry - Select an IPv6 address entry from the drop-down list.
  IPv6 address - Type an IPv6 address into the IP address box.
  IPv6/Prefix - Type an IPv6 address and subnet prefix into the box.

• Description: Specify the description of the DNAT rule.

4. Click OK to save your settings. The new DNAT rule will be shown in the DNAT rule list.

Creating a Port Mapping Rule

To create a Port Mapping rule, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation
pane to enter the global configuration page.

2. Expand NAT from the configuration navigation pane, and then select DNAT or Shared.
Double-click the name of the DNAT for which you want to create DNAT rules in the DNAT list. The
main window shows the DNAT rule list.

3. From the toolbar of the DNAT rules list, click New > Port Mapping. The Port Mapping Configuration page appears.

In the Port Mapping Configuration page, configure the DNAT options.

• Virtual Router: Specify a Virtual Router for the DNAT rule.

• HA Group: Specify the HA group that the DNAT rule belongs to. The default setting is 0.

• Destination Addr: Specify the destination IP address of the traffic, including:

IPv4 Address Entry - Select an IPv4 address entry from the drop-down list.
IPv4 address - Type an IPv4 address into the IP address box.
IP/netmask - Type an IPv4 address and subnet mask into the box.
IPv6 Address Entry - Select an IPv6 address entry from the drop-down list.
IPv6 address - Type an IPv6 address into the IP address box.
IPv6/Prefix - Type an IPv6 address and subnet prefix into the box.

• Service: Select the service you need from the Service drop-down list.

• Translated to: Specify the translated IP address, including:

IPv4 Address Entry - Select an IPv4 address entry from the drop-down list.
IPv4 address - Type an IPv4 address into the IP address box.
IP/netmask - Type an IPv4 address and subnet mask into the box.
IPv6 Address Entry - Select an IPv6 address entry from the drop-down list.
IPv6 address - Type an IPv6 address into the IP address box.
IPv6/Prefix - Type an IPv6 address and subnet prefix into the box.

• Destination Port: Specify the translated port by typing the port number into the box.

• Description: Specify the description of the DNAT rule.

4. Click OK to save your settings. The new DNAT rule will be shown in the DNAT rules list.

Creating an Advanced DNAT Rule

To create an Advanced DNAT rule, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation
pane to enter the global configuration page.

2. Expand NAT from the configuration navigation pane, and then select DNAT or Shared.
Double-click the name of the DNAT for which you want to create DNAT rules in the DNAT list. The
main window shows the DNAT rule list.

3. From the toolbar of the DNAT rules list, click New > Advanced. The DNAT Configuration page appears.

In the Basic tab of the DNAT Configuration dialog, configure the DNAT basic options.

• Virtual Router: Specify a Virtual Router for the DNAT rule.

• Source Addr: Specify the source IP address of the traffic, including:

IPv4 Address Entry - Select an IPv4 address entry from the drop-down list.
IPv4 address - Type an IPv4 address into the IP address box.
IP/netmask - Type an IPv4 address and subnet mask into the box.
IPv6 Address Entry - Select an IPv6 address entry from the drop-down list.
IPv6 address - Type an IPv6 address into the IP address box.
IPv6/Prefix - Type an IPv6 address and subnet prefix into the box.

• Destination Addr: Specify the destination IP address of the traffic, including:

IPv4 Address Entry - Select an IPv4 address entry from the drop-down list.
IPv4 address - Type an IPv4 address into the IP address box.
IP/netmask - Type an IPv4 address and subnet mask into the box.
IPv6 Address Entry - Select an IPv6 address entry from the drop-down list.
IPv6 address - Type an IPv6 address into the IP address box.
IPv6/Prefix - Type an IPv6 address and subnet prefix into the box.

• Service: Select the service you need from the Service drop-down list.

• Action: Specify the action for the traffic you specified, including:
NAT - Implements NAT for the eligible traffic.
Translated to: For the NAT option, you need to specify the translated IP address. Select an address entry or SLB server pool from the Translated to drop-down list, or type an IP address, or an IP address and netmask, in the Translated to box.
NAT Port: Select the Enable check box and type the translated port number into the Port box. The range is 1 to 65535.
Load Balancing: Select the Enable check box to enable the function. Traffic will then be balanced across different Intranet servers.
No NAT - Do not implement NAT for the eligible traffic.

• Description: Specify the description of the DNAT rule.

In the Advanced tab, configure the DNAT advanced options.

• Ping Track: Select the Enable check box to enable Ping track, which means the system will send Ping packets to check whether the Intranet servers are reachable.

• TCP Track: Select the Enable check box to enable TCP track, which means the system will send TCP packets to check whether the TCP ports of the Intranet servers are reachable.

• TCP Port: Specify the port number. The value range is 1 to 65535.

• NAT Log: Select the Enable check box to enable the log function for this DNAT rule (generating log information when there is traffic matching this NAT rule).

• HA Group: Specify the HA group that the DNAT rule belongs to. The default setting is 0.

• Rule Position: Specify the position of the rule. Each DNAT rule has a unique ID. When traffic flows into the device, the device searches the DNAT rules in sequence and applies NAT to the destination IP of the traffic according to the first matched rule. The order of the IDs shown in the DNAT rule list is the rule-matching order. Select one of the following items from the drop-down list:
Bottom - The rule is located at the bottom of all the rules in the DNAT rule list. By default, the system puts a newly-created DNAT rule at the bottom of all DNAT rules.
Top - The rule is located at the top of all the rules in the DNAT rule list.
Before ID - Type the ID number into the box. The rule will be located before the ID you specified.
After ID - Type the ID number into the box. The rule will be located after the ID you specified.

• ID: Specify how the rule ID is assigned. It can be assigned automatically by the system or manually by you. If you click Manually Assign ID, type an ID number into the box beside it.

4. Click OK to save your settings. The new DNAT rule will be shown in the DNAT rules list.
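The rule-position options and the first-match evaluation described above, worked through in Python (an added example, not HSM or StoneOS code; all rule IDs, addresses and ports are constructed sample values):

```python
"""Ordered DNAT rule list with the rule-position options described above.

Added example, not HSM or StoneOS code: it models Top / Bottom /
Before ID / After ID placement and the first-match lookup, using
IP Mapping (whole address), Port Mapping (one service port) and
No NAT rules. All IDs and addresses are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class DnatRule:
    rule_id: int                 # 0 = let the table assign the next free ID
    destination: str             # destination address or IP/netmask to match
    translated_to: str           # inside address the destination becomes
    service_port: Optional[int] = None   # None = IP Mapping (any port)
    nat_port: Optional[int] = None       # Port Mapping: translated port
    action: str = "NAT"          # "NAT" or "No NAT"

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        if ip_address(dst_ip) not in ip_network(self.destination, strict=False):
            return False
        return self.service_port is None or self.service_port == dst_port


class DnatTable:
    """The list order is the matching order, exactly as the rule list shows it."""

    def __init__(self) -> None:
        self.rules: list[DnatRule] = []
        self._next_id = 1

    def _ids(self) -> list[int]:
        return [r.rule_id for r in self.rules]

    def add(self, rule: DnatRule, position: str = "Bottom",
            ref_id: Optional[int] = None) -> DnatRule:
        """Insert at Top, Bottom (default), Before ID or After ID.

        A manually assigned ID must be unique; ID 0 asks for an automatic one.
        """
        if rule.rule_id == 0:
            rule.rule_id = self._next_id
        if rule.rule_id in self._ids():
            raise ValueError(f"duplicate rule ID {rule.rule_id}")
        self._next_id = max(self._next_id, rule.rule_id) + 1

        if position == "Bottom":
            self.rules.append(rule)
        elif position == "Top":
            self.rules.insert(0, rule)
        elif position in ("Before ID", "After ID"):
            if ref_id not in self._ids():
                raise ValueError(f"reference rule ID {ref_id} does not exist")
            idx = self._ids().index(ref_id)
            self.rules.insert(idx if position == "Before ID" else idx + 1, rule)
        else:
            raise ValueError(f"unknown position {position!r}")
        return rule

    def lookup(self, dst_ip: str, dst_port: int) -> Optional[tuple[str, int]]:
        """Return (translated_ip, translated_port) from the first matching rule.

        Later rules are never consulted; a first-matching No NAT rule (or no
        match at all) yields None, meaning the destination is left untouched.
        """
        for rule in self.rules:
            if rule.matches(dst_ip, dst_port):
                if rule.action == "No NAT":
                    return None
                return rule.translated_to, rule.nat_port or dst_port
        return None


def build_sample_table() -> DnatTable:
    """Constructed sample: one broad IP Mapping rule plus narrower rules above it."""
    t = DnatTable()
    # ID 1, Bottom: IP Mapping for the whole public /24 -> one inside host.
    t.add(DnatRule(1, "203.0.113.0/24", "10.0.0.10"))
    # ID 2, Top: Port Mapping for a single public IP and port; placed on
    # Top so it is evaluated before the broad rule that also matches it.
    t.add(DnatRule(2, "203.0.113.5/32", "10.0.0.20",
                   service_port=443, nat_port=8443), position="Top")
    # ID 3, Before ID 1: No NAT for SSH to the management address.
    t.add(DnatRule(3, "203.0.113.250/32", "", service_port=22,
                   action="No NAT"), position="Before ID", ref_id=1)
    return t


if __name__ == "__main__":
    table = build_sample_table()
    print([r.rule_id for r in table.rules])      # matching order: [2, 3, 1]
    print(table.lookup("203.0.113.5", 443))      # ('10.0.0.20', 8443)
    print(table.lookup("203.0.113.5", 80))       # ('10.0.0.10', 80)
    print(table.lookup("203.0.113.250", 22))     # None (No NAT)
```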

Editing NAT

To edit a shared or private NAT, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation
pane to enter the global configuration page.

2. Expand NAT from the configuration navigation pane, and then select Shared or Private.
Select the NAT you want to edit from the NAT list.

3. Click Edit from the toolbar.


The NAT name cannot be modified, and the relevant device of a private NAT cannot be modified either.

Setting Father NAT

A private NAT or shared NAT can inherit the configuration of another shared NAT. The inherited NAT is the father NAT, which has higher priority than the sub NAT. Through the inheritance relations of NAT, one or multiple rules can be applied to the device. The priority of the rules applied to the device in this way is higher than that of the existing rules on the device.
When there is a multi-level inheritance relationship, the top-level father NAT rules are shown at the top of the NAT rule list, followed by the sub father NAT rules, and so on; the NAT's own rules are shown last. The inherited NAT rules are marked orange by default, and they cannot be edited or moved. You can mark NAT with a color to distinguish the inherited NAT rules; please refer to Viewing Relationship.
To set a father NAT for a private NAT or shared NAT, take the following steps:


1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation
pane to enter the global configuration page.

2. Select NAT from the configuration navigation pane, and then select Shared or Private. Select the NAT for which you want to set a father NAT from the NAT list.
When SNAT or DNAT is selected, the main window shows the private NATs of the devices that the current administrator can access and all shared NATs; when Shared is selected, the main window shows all shared NATs; when Private is selected, the main window shows all private NATs of the devices that the current administrator can access. The Father NAT column displays the direct father NAT, and the Child NAT column displays all direct and indirect child NATs.

3. Click Set Father NAT from the toolbar. The Set Father NAT page appears. Select the NAT to be set as the father NAT according to your requirements.

Notes: Only shared NAT can be inherited.
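The inheritance rules of this section (only shared NAT can be a father, father rules listed first and read-only, direct and indirect children in the Child NAT column), modelled in Python as an added example that is not HSM code; NAT names and rule labels are constructed:

```python
"""Effective rule order under father NAT inheritance.

Added example, not HSM code: it models the rules stated above. Only a
shared NAT may be set as father; in the rule list the top-level father's
rules come first, then each sub father's, and the NAT's own rules last;
inherited rules are read-only. NAT names and rules are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Nat:
    name: str
    shared: bool                       # False = private NAT of one device
    rules: list[str] = field(default_factory=list)
    father: Optional[str] = None       # name of the inherited shared NAT


class NatRepository:
    def __init__(self) -> None:
        self.nats: dict[str, Nat] = {}

    def add(self, nat: Nat) -> None:
        self.nats[nat.name] = nat

    def chain(self, name: str) -> list[Nat]:
        """Inheritance path from the top-level father down to `name` itself."""
        path: list[Nat] = []
        seen: set[str] = set()
        cur: Optional[str] = name
        while cur is not None:
            if cur in seen:
                raise ValueError(f"inheritance cycle through {cur}")
            seen.add(cur)
            path.append(self.nats[cur])
            cur = self.nats[cur].father
        path.reverse()
        return path

    def set_father(self, child: str, father: Optional[str]) -> None:
        """The 'Set Father NAT' action with its two constraints."""
        if father is not None:
            if not self.nats[father].shared:
                raise ValueError(f"{father} is private; only shared NAT can be inherited")
            if child in {n.name for n in self.chain(father)}:
                raise ValueError(f"{child} already sits above {father}; would form a cycle")
        self.nats[child].father = father

    def effective_rules(self, name: str) -> list[tuple[str, str, bool]]:
        """Rules as the NAT rule list shows them: (rule, source NAT, inherited)."""
        out: list[tuple[str, str, bool]] = []
        for nat in self.chain(name):
            inherited = nat.name != name        # shown orange, not editable here
            out.extend((rule, nat.name, inherited) for rule in nat.rules)
        return out

    def children(self, name: str) -> list[str]:
        """Direct and indirect child NATs, as the Child NAT column lists them."""
        result: list[str] = []
        for nat in self.nats.values():
            if nat.father == name:
                result.append(nat.name)
                result.extend(self.children(nat.name))
        return result

    def edit_rule(self, name: str, rule: str, new_rule: str) -> None:
        """Edit one of a NAT's own rules; inherited rules must be edited in the father."""
        for r, source, inherited in self.effective_rules(name):
            if r == rule and inherited:
                raise PermissionError(f"{rule!r} is inherited from {source}")
        own = self.nats[name].rules
        own[own.index(rule)] = new_rule


def build_sample_repository() -> NatRepository:
    """Constructed sample: shared -> shared -> private, two inheritance levels."""
    repo = NatRepository()
    repo.add(Nat("corp-shared", shared=True, rules=["S1: deny-mgmt", "S2: web-dnat"]))
    repo.add(Nat("branch-shared", shared=True, rules=["B1: vpn-dnat"]))
    repo.add(Nat("fw-paris", shared=False, rules=["P1: local-dnat"]))
    repo.set_father("branch-shared", "corp-shared")
    repo.set_father("fw-paris", "branch-shared")
    return repo


if __name__ == "__main__":
    repo = build_sample_repository()
    for rule, source, inherited in repo.effective_rules("fw-paris"):
        print(f"{rule:16} from {source:14} inherited={inherited}")
    print(repo.children("corp-shared"))   # ['branch-shared', 'fw-paris']
```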

Viewing Relationship

To help users understand the relationships of all NATs more intuitively, HSM supports viewing and editing the NAT topology map.

Viewing Topology Map

To view the topology map of the NAT inheritance relationship, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation
pane to enter the global configuration page.

2. Select NAT from the configuration navigation pane, and then select SNAT or DNAT.

3. Click Relationship View at the top right corner of the main window.
The topology map shows the inheritance relationships of the private NATs of the devices that the current administrator can access and of all shared NATs. Click Grid View to switch back to the original view.

Private NAT and shared NAT are shown with different icons. Private NAT is folded by default, while shared NAT is expanded; NAT that has no inheritance relationship is displayed at the first level. The hidden private NAT list is shown when the mouse hovers over the private NAT icon. To expand a private NAT node, click the input box at the top right of the view so that all NATs are displayed, select the check box in front of the private NAT that you need to expand, and then click the blank space.

Editing Topology Map

You can change the inheritance relationship of NAT by editing the topology map. The operations
include:

• Right-click the blank space or a shared NAT icon and select New from the pop-up menu to create a new shared NAT.

• Right-click a private or shared NAT icon and select Edit from the pop-up menu to edit the NAT.

• Right-click a shared NAT icon and select Delete from the pop-up menu to delete the NAT.

• Right-click a private or shared NAT icon and select Cut from the pop-up menu. If you then select Paste on a shared NAT icon, the pasted NAT will inherit that shared NAT; if you select Paste on the blank space, the pasted NAT will inherit no NAT.

• Right-click a shared NAT icon and select Mark from the pop-up menu to mark the NAT with a color; the NAT name is then shown in that color.

Viewing Operation Record

To view the operation record of a NAT rule, take the following steps:

1. Click Configuration > Global Configuration from the Level-1 navigation pane to enter the global configuration page.

2. Select NAT from the configuration navigation pane, and then select Shared or Private.

3. Click the icon in the Operation Record column. The Operation Record dialog for the NAT appears.

You can view the detailed operation record of the rules, including add, edit, delete, setting father NAT, and so on.

Route

Creating a Destination Route

A Destination Route is a collection of zero or more route items.


To create a Destination Route on the HSM global configuration page, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation
pane to enter the global configuration page.

2. In the left navigation pane, select the device type tab, then expand the Configure and Route nodes.

3. From the toolbar, click New. The Add DRouter dialog appears.

In the Add DRouter dialog, configure the DRouter options.

DRouter Name: Specify the name of the destination route.
Relevant Device: Specify the relevant devices or VSYS devices for the destination route. When deploying, the destination route will be deployed to the relevant devices or VSYS devices. For more detailed information about deploying configuration, see Synchronizing Configuration.
Description: If necessary, type description information for the destination route in this text box.

4. Click OK. The new destination route will be shown in the destination route list.

Editing/Deleting a Destination Route

To edit/delete a Destination Route on the HSM global configuration page, take the following
steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation
pane to enter the global configuration page.

2. Expand Route from the configuration navigation pane. Select the destination route you want to edit/delete from the destination route list.

3. Click Edit/Delete from the toolbar.

Creating a Route Item

To create a Route Item on the HSM global configuration page, take the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation
pane to enter the global configuration page.

2. Select Route from the configuration navigation pane. Double-click the destination route for which you want to create a route item in the destination route list. The main window shows the route item list.

3. From the toolbar of the route items list, click New. The Destination Route Configuration page appears.

In the Destination Route Configuration dialog, configure the destination route options.

Destination: Specify the destination IP address of the route item.
Subnet Mask: Specify the corresponding subnet mask of the destination IP address.
Next Hop: Click the Gateway, Interface or Virtual Router radio button. If Gateway is selected, type the IP address into the Gateway box below. If Interface is selected, select a name from the Interface drop-down list below. If Virtual Router in Current VSYS is selected, select a name from the Virtual Router drop-down list below.
Schedule: Specify a schedule during which the rule takes effect. Select the desired schedule from the Schedule drop-down list. After selecting the desired schedules, click the blank area in this dialog to complete the schedule configuration.
Precedence: Specify the precedence of the route. The smaller the value, the higher the precedence. If multiple routes are available, the route with the higher precedence is prioritized. The value range is 1 to 255. The default value is 1. When the value is set to 255, the route is invalid.
Weight: Specify the weight of the route. This parameter determines the share of traffic forwarded over the route in load balancing. The value range is 1 to 255. The default value is 1.
Description: If necessary, type description information for the route item in this text box.

4. Click OK to save your settings. The new route item will be shown in the route items list.
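The Precedence and Weight semantics above, applied to a constructed route table in Python (an added example, not HSM or StoneOS code). It assumes the usual longest-prefix match is applied before precedence, which this page does not state:

```python
"""Route selection by Precedence and Weight.

Added example, not HSM or StoneOS code: it applies the semantics stated
above (smaller precedence wins, 255 makes the route invalid, weights
split traffic among the routes that tie) and validates the 1..255
ranges. It assumes the usual longest-prefix match is applied before
precedence, which the page does not state. Addresses and next hops are
constructed sample values.
"""
from dataclasses import dataclass
from fractions import Fraction
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class RouteItem:
    destination: str
    subnet_mask: str
    next_hop: str             # gateway IP, interface name or virtual router
    precedence: int = 1       # 1..255, lower is preferred, 255 = invalid
    weight: int = 1           # 1..255, share of load-balanced traffic

    def __post_init__(self) -> None:
        if not 1 <= self.precedence <= 255:
            raise ValueError(f"precedence {self.precedence} outside 1..255")
        if not 1 <= self.weight <= 255:
            raise ValueError(f"weight {self.weight} outside 1..255")

    @property
    def network(self):
        return ip_network(f"{self.destination}/{self.subnet_mask}", strict=False)

    @property
    def valid(self) -> bool:
        return self.precedence != 255


def select_routes(table: list[RouteItem], dst: str) -> list[tuple[str, Fraction]]:
    """Return the next hops that would carry traffic to dst and their shares."""
    addr = ip_address(dst)
    candidates = [r for r in table if r.valid and addr in r.network]
    if not candidates:
        return []
    # Assumption: most specific destination first, then precedence decides.
    longest = max(r.network.prefixlen for r in candidates)
    candidates = [r for r in candidates if r.network.prefixlen == longest]
    best = min(r.precedence for r in candidates)
    chosen = [r for r in candidates if r.precedence == best]
    total = sum(r.weight for r in chosen)
    return [(r.next_hop, Fraction(r.weight, total)) for r in chosen]


# Constructed sample table.
SAMPLE_TABLE = [
    RouteItem("0.0.0.0", "0.0.0.0", "198.51.100.1"),                          # default
    RouteItem("10.1.0.0", "255.255.0.0", "192.0.2.1", precedence=10, weight=3),
    RouteItem("10.1.0.0", "255.255.0.0", "192.0.2.2", precedence=10, weight=1),
    RouteItem("10.1.0.0", "255.255.0.0", "192.0.2.3", precedence=20),         # backup
    RouteItem("10.1.5.0", "255.255.255.0", "192.0.2.9", precedence=255),      # disabled
]


if __name__ == "__main__":
    for hop, share in select_routes(SAMPLE_TABLE, "10.1.5.7"):
        print(hop, share)          # 192.0.2.1 3/4 and 192.0.2.2 1/4
    print(select_routes(SAMPLE_TABLE, "172.16.0.1"))   # default route only
```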

Editing/Deleting a Route Item

To edit/delete a Route Item on the HSM global configuration page, take the following steps:



1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation
pane to enter the global configuration page.

2. Select Route from the configuration navigation pane. Double-click the destination route whose route item you want to edit/delete in the destination route list. The main window shows the route item list.

3. Select the route item you want to edit/delete from the route items list.

4. Click Edit/Delete from the toolbar.

Configuration Bundle

Security policies, NAT, and routes can be joined in a configuration bundle. When the configuration bundle is deployed to a device, the security policies, NAT, and routes in the bundle are deployed at the same time. A configuration bundle can be deployed to one or multiple devices.

Creating a Configuration Bundle

To create a Configuration Bundle on the HSM global configuration page, use one of the following two methods:

Method 1:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation
pane to enter the global configuration page.

2. In the left navigation pane, select the device type tab, then expand the Configuration Bundle node.

3. From the toolbar, click New. The Create Configuration Bundle dialog appears.

In the Create Configuration Bundle dialog, configure the configuration bundle options.

Name: Specify the name of the configuration bundle.
Relevant Device: Specify the relevant devices or VSYS devices for the configuration bundle. When deploying, the configuration bundle will be deployed to the relevant devices or VSYS devices. For more detailed information about deploying configuration, see Synchronizing Configuration.
Description: If necessary, type description information for the configuration bundle in this text box.

4. Click OK. The new configuration bundle will be shown in the configuration bundle table.

5. Click the name of the configuration bundle to check its content.

Method 2:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation
pane to enter the global configuration page.

2. Select the configuration to be added to the configuration bundle (a security policy, NAT, or route) from the configuration navigation pane. Right-click it, and click Create Configuration Bundle.

3. The Create Configuration Bundle dialog appears. Configure the configuration bundle options as below.

Name: Specify the name of the configuration bundle.
Relevant Device: Specify the relevant devices or VSYS devices for the configuration bundle. When deploying, the configuration bundle will be deployed to the relevant devices or VSYS devices. For more detailed information about deploying configuration, see Synchronizing Configuration.
Description: If necessary, type description information for the configuration bundle in this text box.

4. Click OK. The new configuration bundle will be shown in the configuration bundle table.

5. Click the name of the configuration bundle to check its content.

Joining Configuration Bundle

You can add the configurations to the configuration bundle according to your requirements. Take
the following steps:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation
pane to enter the global configuration page.

2. Select the configuration to be added to the configuration bundle (a security policy, NAT, or route) from the configuration navigation pane. Right-click it, and click Add to Configuration Bundle.

3. The Add to Configuration Bundle dialog appears.

4. Select a configuration bundle from the drop-down list, then click OK. The configuration will be joined to the configuration bundle you selected.

Copying a Configuration Bundle

To copy a configuration bundle, take the following steps:



1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation
pane to enter the global configuration page.

2. Select Configuration Bundle from the configuration navigation pane, and then select the configuration bundle you want to copy from the configuration bundle table.

3. Click Copy from the toolbar. The copied configuration bundle will be shown in the configuration bundle table below. For example, if the replicated configuration bundle is called "test", the system will automatically name the copy "CopyOftest".

Global Object

The global objects created on the global configuration page are all shared objects and can be used by all devices. On the global configuration page, you can create, edit and delete zones, address entries, services, service groups, application groups, schedules, virtual routers, interfaces, SLB server pools, anti-virus rules, URL filters, users, roles, AAA servers and botnet defense global configuration. You can also view shared IPS rules. After configuring a global object, you have to deploy it to the security device for it to take effect on the device. For more detailed information about deploying configuration, see Synchronizing Configuration.

Notes:
• If VSYS devices of a device are chosen as the relevant device, the shared object will be relevant to the VSYS devices of the device, not the device itself.

• Only after the licenses of the relevant functions have been installed can the corresponding functions be configured in HSM.

• Object names of different device types can be the same.



Zone

Creating a Shared Zone

You can create zones on HSM, but the created zones cannot be deployed to devices. When a policy to be deployed contains zones that do not exist on the devices, you are required to create the same zones on the devices before deploying, in order to avoid errors.
To create a shared zone, take the following steps:

1. Log into HSM, click Configuration > Global Configuration > NGFW/NIPS/IDS to enter
the global configuration page.

2. In the left navigation pane, select Configure > Objects > Zone. The zone entry list will
appear on the main window.

3. From the toolbar, click New. The Share Zone dialog appears.

Name: Specify the name of the shared zone.
Matched Pattern: Specify the private zone that establishes the mapping relation with the shared zone.
Description: If necessary, type description information for the shared zone in this text box.
Zone Device Override: If the name of the private zone is different from that of the shared zone, you can map a private zone on the security device to the shared zone according to your requirements. Click Add. The Zone Device Override dialog appears. Select the device from the Device drop-down list, and select the mapped private zone from the Zone drop-down list.

4. Click OK. The new shared zone will be shown in the zone entry list.

Address Books

Creating a Shared Address Entry

To create a shared address entry, take the following steps:

1. Log into HSM, click Configuration > Global Configuration > NGFW/NIPS/IDS to enter
the global configuration page.

2. In the left navigation pane, select Configure > Objects > Address Books. The main window shows the address entry list.

3. From the toolbar, click New. The Share Address dialog appears.

4. In the Share Address dialog, configure the following options.

Name: Type the name of the address entry in the Name text box.
Description: If necessary, give a description to the address entry in the Description text box.
Type: Specify the type of the IP address, IPv4 or IPv6.
Member: Select the member type from the drop-down list in the Member tab, and then type the IPv4 address/mask, IPv4 range, IPv6 address/prefix, IPv6 range or hostname in the text box, or choose another address entry. Click Add to add the member to the member entry list. Repeat this step to add multiple members. Click Delete to delete the selected address entry.
Exclude Member: Specify the exclude members. In the Exclude Member tab, select the exclude member type from the drop-down list, and then type the IPv4 address/mask, IPv4 range, IPv6 address/prefix or IPv6 range in the text box. Click Add to add the exclude member to the exclude member entry list. Repeat this step to add multiple exclude members. Click Delete to delete the selected address entry.

5. Click OK to save the changes and close the dialog.


After you select an address book, click Object Copy in the toolbar, and then rename the address book to create a new shared address book. Shared address books of different device types can be copied to each other, except for an address book that includes a country address member when copying from an NGFW to an IPS device.
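A membership check implementing the Member and Exclude Member semantics of the address entry described above, as an added Python example that is not HSM code; entry names and addresses are constructed, and hostnames are compared literally without DNS:

```python
"""Membership test for a shared address entry with exclude members.

Added example, not HSM code: it models the Member and Exclude Member
tabs described above. An address belongs to an entry when at least one
member covers it and no exclude member does; members may be an IP/mask,
an IP/prefix, a range, a hostname or another address entry (resolved
recursively). Entry names and addresses are constructed; hostnames are
compared literally, no DNS lookup is made.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class AddressEntry:
    name: str
    ip_type: str = "IPv4"                # "IPv4" or "IPv6"
    members: list[str] = field(default_factory=list)
    exclude_members: list[str] = field(default_factory=list)


def _bounds(text: str):
    """Parse 'addr/mask', 'addr/prefix' or 'lo-hi' into (first, last) address."""
    if "-" in text:
        lo, hi = (ip_address(p.strip()) for p in text.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range {text}")
        return lo, hi
    net = ip_network(text, strict=False)
    return net[0], net[-1]


class AddressBook:
    def __init__(self) -> None:
        self.entries: dict[str, AddressEntry] = {}

    def add(self, entry: AddressEntry) -> None:
        """Reject literal members whose version contradicts the entry's Type."""
        version = 4 if entry.ip_type == "IPv4" else 6
        for text in entry.members + entry.exclude_members:
            if text in self.entries:
                continue                          # nested entry, checked on use
            try:
                lo, _ = _bounds(text)
            except ValueError:
                continue                          # not an address: a hostname
            if lo.version != version:
                raise ValueError(f"{text} is not an {entry.ip_type} member")
        self.entries[entry.name] = entry

    def _covers(self, text, addr, hostname, seen) -> bool:
        if text in self.entries:
            return self._contains(text, addr, hostname, seen)
        try:
            lo, hi = _bounds(text)
        except ValueError:
            return hostname is not None and text.lower() == hostname.lower()
        return lo.version == addr.version and lo <= addr <= hi

    def _contains(self, name, addr, hostname, seen) -> bool:
        if name in seen:
            raise ValueError(f"address entry {name} references itself")
        entry = self.entries[name]
        seen = seen | {name}
        if not any(self._covers(m, addr, hostname, seen) for m in entry.members):
            return False
        # Exclude members always win over members, including nested ones.
        return not any(self._covers(x, addr, hostname, seen) for x in entry.exclude_members)

    def contains(self, name: str, address: str, hostname: Optional[str] = None) -> bool:
        """True when `address` (or, for hostname members, `hostname`) is in the entry."""
        return self._contains(name, ip_address(address), hostname, frozenset())


def build_sample_book() -> AddressBook:
    """Constructed sample: nested entries with exclusions at two levels."""
    book = AddressBook()
    book.add(AddressEntry("web-servers",
                          members=["10.0.10.0/24", "10.0.20.5-10.0.20.9"],
                          exclude_members=["10.0.10.254"]))          # the gateway
    book.add(AddressEntry("dmz", members=["web-servers", "mail.example.com"],
                          exclude_members=["10.0.20.8"]))            # decommissioned
    book.add(AddressEntry("v6-ops", ip_type="IPv6", members=["2001:db8:1::/64"]))
    return book


if __name__ == "__main__":
    book = build_sample_book()
    print(book.contains("dmz", "10.0.20.9"))         # True
    print(book.contains("dmz", "10.0.20.8"))         # False, excluded in dmz
    print(book.contains("dmz", "10.0.10.254"))       # False, excluded in web-servers
    print(book.contains("dmz", "192.0.2.25", hostname="mail.example.com"))  # True
```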

Service Book

Creating a Shared Service Group

To create a shared service group on HSM, take the following steps:

1. Log into HSM, click Configuration > Global Configuration > NGFW/NIPS/IDS to enter
the global configuration page.

2. In the left navigation pane, select Configure > Objects > Service Books > User-defined Service Group. The main window shows the user-defined service group list.

3. From the toolbar, click New. The Shared Service Group dialog appears.

4. In the Shared Service Group dialog, configure the following options.

Name: The name of the shared service group.
Description: Give a description to the shared service group. It is optional.
Member: Select the service or service group from the left selective list, and click the right-arrow button to add it. To delete a selected service, select the service to be deleted from the right selective list, and then click the left-arrow button.
Relevant Device: Specify the devices which you want to associate with the shared service group. If VSYS devices of a device are chosen, the shared service group will be relevant to the VSYS devices of the device, not the device itself. After configuring the shared service group, you have to deploy it to the relevant device for it to take effect on the device. For more detailed information about deploying configuration, see Synchronizing Configuration.

5. Click OK. The new shared service group entry will be shown in the service group list.

The created service group will be displayed in the service group list. You can click the Edit button on the toolbar to edit the name, description and members of the service group. Click the Delete button to delete the service group.
Note: The name of a service group can be edited only in StoneOS 5.5R6F2 or above.

Creating a Shared Service

To create a shared service on HSM, take the following steps:

1. Log into HSM, click Configuration > Global Configuration > NGFW/NIPS/IDS to enter
the global configuration page.

2. In the left navigation pane, select Configure > Objects > Service Books > User-defined Service. The main window shows the user-defined service list.

3. Click New from the toolbar. The Shared Service dialog appears.

4. In the Shared Service dialog, configure the following options.

Name: The name of the shared service.
Description: Give a description to the shared service. It is optional.
Member: Specify the protocol type of the member; it can be TCP, UDP, ICMP or Others. The parameters of each protocol are described as below:

TCP/UDP

Dst Port: Specify the destination port range of the member. The value range is 1 to 65535.
Src Port: Specify the source port range of the member. The value range is 1 to 65535.

ICMP

Type: Specify the ICMP type value of the member. It can be one of the following: 3 (Destination-Unreachable), 4 (Source Quench), 5 (Redirect), 8 (Echo), 11 (Time Exceeded), 12 (Parameter Problem), 13 (Timestamp), and 15 (Information).
Min Code: Specify the minimum ICMP code value of the member. The value range is 0 to 5.
Max Code: Specify the maximum ICMP code value of the member. The value range is 0 to 5.

Others

Protocol No.: Specify the protocol number of the member. The value range is 1 to 255.
After specifying the values of the parameters, click Add to add the member to the service. Repeat the above steps to add multiple members. Click Delete to delete the selected member.
Relevant Device: Specify the devices which you want to associate with the user-defined service. If VSYS devices of a device are chosen, the user-defined service will be relevant to the VSYS devices of the device, not the device itself. After configuring the user-defined service, you have to deploy it to the relevant device for it to take effect on the device. For more detailed information about deploying configuration, see Synchronizing Configuration.

5. Click OK to save the changes and close the dialog.


After you select a service book, click Object Copy in the toolbar, and then rename the service book to create a new shared service book. Shared service books of different device types can be copied to each other.
The created service will be displayed in the service list. You can click the Edit button on the toolbar to edit the name, description and members of the service. Click the Delete button to delete the service.
Note: The name of a service can be edited only in StoneOS 5.5R6F2 or above.
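The member types and value ranges of a shared service, together with the service-group nesting from the previous section, as an added Python example that is not HSM or StoneOS code; service names and sample packets are constructed:

```python
"""Matching traffic against shared services and service groups.

Added example, not HSM or StoneOS code: it encodes the member types and
value ranges listed above (TCP/UDP destination and source port ranges,
ICMP type with a min/max code, other protocols by number) and resolves a
service group down to its services. Service names and sample packets
are constructed.
"""
from dataclasses import dataclass
from typing import Optional

ICMP_TYPES = {3, 4, 5, 8, 11, 12, 13, 15}    # the selectable ICMP types above


def _check(label: str, value: int, lo: int, hi: int) -> None:
    if not lo <= value <= hi:
        raise ValueError(f"{label} {value} outside {lo}..{hi}")


@dataclass(frozen=True)
class Packet:
    protocol_no: int                 # IP protocol number
    src_port: int = 0
    dst_port: int = 0
    icmp_type: int = -1
    icmp_code: int = -1

    @property
    def protocol(self) -> str:
        return {6: "TCP", 17: "UDP", 1: "ICMP"}.get(self.protocol_no, "Others")


@dataclass(frozen=True)
class ServiceMember:
    protocol: str                            # "TCP", "UDP", "ICMP" or "Others"
    dst_port: tuple[int, int] = (1, 65535)   # TCP/UDP destination port range
    src_port: tuple[int, int] = (1, 65535)   # TCP/UDP source port range
    icmp_type: Optional[int] = None
    icmp_code: tuple[int, int] = (0, 5)      # ICMP Min Code .. Max Code
    protocol_no: Optional[int] = None        # Others: Protocol No.

    def __post_init__(self) -> None:
        if self.protocol in ("TCP", "UDP"):
            for lo, hi in (self.dst_port, self.src_port):
                _check("port", lo, 1, 65535)
                _check("port", hi, lo, 65535)      # range must not be inverted
        elif self.protocol == "ICMP":
            if self.icmp_type not in ICMP_TYPES:
                raise ValueError(f"unsupported ICMP type {self.icmp_type}")
            _check("min code", self.icmp_code[0], 0, 5)
            _check("max code", self.icmp_code[1], self.icmp_code[0], 5)
        elif self.protocol == "Others":
            _check("protocol number", self.protocol_no or 0, 1, 255)
        else:
            raise ValueError(f"unknown protocol {self.protocol!r}")

    def matches(self, pkt: Packet) -> bool:
        if self.protocol in ("TCP", "UDP"):
            return (pkt.protocol == self.protocol
                    and self.dst_port[0] <= pkt.dst_port <= self.dst_port[1]
                    and self.src_port[0] <= pkt.src_port <= self.src_port[1])
        if self.protocol == "ICMP":
            return (pkt.protocol == "ICMP" and pkt.icmp_type == self.icmp_type
                    and self.icmp_code[0] <= pkt.icmp_code <= self.icmp_code[1])
        return pkt.protocol_no == self.protocol_no


class ServiceBook:
    """Services hold members; groups hold services or other groups."""

    def __init__(self) -> None:
        self.services: dict[str, list[ServiceMember]] = {}
        self.groups: dict[str, list[str]] = {}

    def matches(self, name: str, pkt: Packet, _seen: frozenset = frozenset()) -> bool:
        if name in _seen:
            raise ValueError(f"service group {name} contains itself")
        if name in self.services:
            return any(m.matches(pkt) for m in self.services[name])
        return any(self.matches(child, pkt, _seen | {name}) for child in self.groups[name])


def build_sample_services() -> ServiceBook:
    """Constructed sample: a web service, an ICMP echo service, a routing protocol."""
    book = ServiceBook()
    book.services["web"] = [ServiceMember("TCP", dst_port=(80, 80)),
                            ServiceMember("TCP", dst_port=(443, 443))]
    book.services["ping"] = [ServiceMember("ICMP", icmp_type=8, icmp_code=(0, 0))]
    book.services["ospf"] = [ServiceMember("Others", protocol_no=89)]
    book.groups["infra"] = ["ping", "ospf"]
    book.groups["allowed"] = ["web", "infra"]        # group nested in a group
    return book


if __name__ == "__main__":
    book = build_sample_services()
    print(book.matches("allowed", Packet(6, src_port=51000, dst_port=443)))  # True
    print(book.matches("allowed", Packet(17, src_port=51000, dst_port=443))) # False
    print(book.matches("allowed", Packet(1, icmp_type=8, icmp_code=0)))      # True
```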

Application Books

Creating a Shared Application Group

To create a shared application group on HSM, take the following steps:

1. Log into HSM, click Configuration > Global Configuration > NGFW/NIPS/IDS to enter
the global configuration page.

2. In the left navigation pane, select Configure > Objects > Application Books > User-defined Application Group. The main window shows the user-defined application group list.

3. Click New from the toolbar. The Shared APP Group dialog appears.

4. In the Shared APP Group dialog, configure the following options.


Name: Specify the name of the shared application group.
Description: Give a description to the shared application group. It is optional.
Member: Specify members for the shared application group. Select the wanted applications from the selective list, and click the right-arrow button to add the selected objects to the shared application group. To delete a selected application group, select the application group to be deleted from the right selective list, and then click the left-arrow button.

Relevant Device: Specify the devices which you want to associate with the shared application group. If VSYS devices of a device are chosen, the shared application group will be relevant to the VSYS devices of the device, not the device itself. After configuring the shared application group, you have to deploy it to the relevant device for it to take effect on the device. For more detailed information about deploying configuration, see Synchronizing Configuration.

5. Click OK to save the changes and close the dialog.


After you select an application book, click Object Copy in the toolbar, and then rename the application book to create a new shared application book. Shared application books of different device types can be copied to each other.

Schedules

Creating a Shared Schedule

To create a shared schedule on HSM, take the following steps:

1. Log into HSM, click Configuration > Global Configuration > NGFW/NIPS/IDS to enter
the global configuration page.

2. In the left navigation pane, select Configure > Objects > Schedules. The main window
shows the schedule list.

3. Click New from the toolbar. The Shared Schedule dialog appears.

4. Enter the name in the Name text box.

5. In the Absolute Schedule section, specify the start time and end time in which the periodic
schedule will take effect.

6. Click New, and configure a periodic schedule in the dialog as below. The periodic schedule
will take effect repeatedly during the time range specified by the absolute schedule.

The options are described as below:


Daily: The periodic schedule will take effect every day. Click the button and specify the start time and end time.
Days: The periodic schedule will take effect on the specified days of a week. Click the button, select the days in the Periodic Schedule section, and specify the start time and end time.
Due: The periodic schedule will take effect during a continuous period of a week. Click the button and specify the start date/time and end date/time.
Click Preview to preview the periodic schedule; click Save to add the periodic schedule to the schedule. To delete a selected schedule, select the schedule to be deleted from the schedule list, and then click Delete.

7. Repeat Step 6 to add more periodic schedules.

8. Click OK to save the changes and close the dialog.


After you select a schedule, click Object Copy in the toolbar, and then rename the schedule
to create a new shared schedule. Shared schedules of different device types can be copied
to each other.
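The following Python model is an added example, not code from Hillstone HSM or its documentation. It evaluates a shared schedule the way the options above describe it: the schedule is active only inside the absolute start/end window, and inside that window only while one of its periodic entries (Daily, Days, or Due) matches. The class names, the inclusive treatment of the boundary minutes, and the wrap-around of a Due period that ends on an earlier weekday than it starts are this example's own assumptions; the sample schedule and probe times are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Sequence, Union

MINUTES_PER_DAY = 24 * 60


def _minute_of_week(weekday: int, t: time) -> int:
    """Offset within the week in minutes; weekday 0 = Monday 00:00."""
    return weekday * MINUTES_PER_DAY + t.hour * 60 + t.minute


@dataclass(frozen=True)
class Daily:
    """Takes effect every day between start and end (boundaries inclusive, an assumption)."""
    start: time
    end: time

    def matches(self, now: datetime) -> bool:
        return self.start <= now.time() <= self.end


@dataclass(frozen=True)
class Days:
    """Takes effect on the selected weekdays (0 = Monday ... 6 = Sunday)."""
    days: FrozenSet[int]
    start: time
    end: time

    def matches(self, now: datetime) -> bool:
        return now.weekday() in self.days and self.start <= now.time() <= self.end


@dataclass(frozen=True)
class Due:
    """One continuous period of the week, e.g. Friday 18:00 to Monday 08:00."""
    start_day: int
    start: time
    end_day: int
    end: time

    def matches(self, now: datetime) -> bool:
        s = _minute_of_week(self.start_day, self.start)
        e = _minute_of_week(self.end_day, self.end)
        m = _minute_of_week(now.weekday(), now.time())
        if s <= e:
            return s <= m <= e
        # Assumption: a period whose end lies before its start wraps past Sunday night.
        return m >= s or m <= e


@dataclass
class SharedSchedule:
    """Absolute window plus the periodic entries that repeat inside it."""
    name: str
    absolute_start: datetime
    absolute_end: datetime
    periodic: Sequence[Union[Daily, Days, Due]]

    def is_active(self, now: datetime) -> bool:
        # Outside the absolute window nothing applies; inside it, any periodic entry suffices.
        if not (self.absolute_start <= now <= self.absolute_end):
            return False
        return any(p.matches(now) for p in self.periodic)


# Constructed sample schedule: weekday office hours plus a Friday-evening-to-Monday-morning
# maintenance window, valid during calendar year 2022 only.
SAMPLE = SharedSchedule(
    name="office-and-maintenance-2022",
    absolute_start=datetime(2022, 1, 1, 0, 0),
    absolute_end=datetime(2022, 12, 31, 23, 59),
    periodic=[
        Days(frozenset({0, 1, 2, 3, 4}), time(9, 0), time(18, 0)),
        Due(4, time(18, 0), 0, time(8, 0)),
    ],
)


def sample_active(year: int, month: int, day: int, hour: int, minute: int) -> bool:
    """Evaluate the constructed sample schedule at the given local time."""
    return SAMPLE.is_active(datetime(year, month, day, hour, minute))


if __name__ == "__main__":
    for probe in ((2022, 6, 15, 10, 0),    # Wednesday, office hours
                  (2022, 6, 18, 10, 0),    # Saturday, inside the Due window
                  (2022, 6, 20, 8, 30),    # Monday, after Due ends and before office hours
                  (2023, 1, 5, 10, 0)):    # outside the absolute window
        print(probe, sample_active(*probe))
```

The Monday 08:30 probe is the case worth checking when you design a schedule: the Due window has already ended at 08:00 and the Days entry has not yet started at 09:00, so a policy bound to this schedule is inactive for that half hour even though both entries cover Monday.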

Virtual Router

Creating a Shared Virtual Router

A virtual router works like a physical router, and each virtual router keeps its own independent
routing table. The system has a default virtual router named "trust-vr", and by default all Layer 3
security zones are bound to trust-vr automatically. Both NAT and routes are configured on a virtual
router. To establish the mapping between a shared virtual router and a virtual router on a device,
the two virtual routers must have the same name.
To create a Shared Virtual Router on the HSM global configuration page, take the following steps:

1. Log into HSM, click Configuration > Global Configuration > NGFW/NIPS/IDS to enter
the global configuration page.

2. In the left navigation pane, select Configure > Objects > Virtual Router.

3. From the toolbar, click New. The Share Virtual Router page appears.

Name: Specify the name of the shared virtual router.
Matched Pattern: Specify the private virtual router that is mapped to the shared virtual
router.
Description: If necessary, type a description for the shared virtual router in this text box.
Virtual Router Device Override: If the name of a device's private virtual router differs from
that of the shared virtual router, you can map that device's private virtual router to the
shared virtual router here.
Click New; the Virtual Router Device Override page appears. Select the device from the
Device drop-down list, and select the private virtual router from the Virtual Router drop-
down list.

4. Click OK. The new shared virtual router will be shown in the virtual router list.

Notes: Only shared virtual router can be created.



Interface

Creating a Shared Interface

After you create a shared interface, it can be mapped to an interface on one or more devices. To
establish the mapping between the shared interface and the interface on a device, the interface
names must be the same.
To create a shared interface on the HSM global configuration page, take the following steps:

1. Log into HSM, click Configuration > Global Configuration > NGFW/NIPS/IDS to enter
the global configuration page.

2. In the left navigation pane, select Configure > Objects > Interface.

3. From the toolbar, click New. The Share Interface page appears.

Name: Specify the name of the shared interface.
Matched Pattern: Specify the interface that is mapped to the shared interface.
Description: If necessary, type a description for the shared interface in this text box.
Interface Device Override: If the name of the interface on a device differs from that of the
shared interface, you can map that device's interface to the shared interface here.
Click New; the Interface Device Override page appears. Select the device from the Device
drop-down list, and select the interface from the Interface drop-down list.

4. Click OK. The new shared interface will be shown in the interface list.

Notes: Only shared interface can be created.

SLB Server Pool

Creating a shared SLB Server Pool

To create a shared SLB server pool on HSM, take the following steps:

1. Log into HSM, click Configuration > Global Configuration > NGFW/NIPS/IDS to enter
the global configuration page.

2. In the left navigation pane, select Configure > Objects > SLB Server Pool. The main win-
dow shows the user-defined SLB server pool information.

3. Click New from the toolbar. The SLB Server Pool Configuration dialog appears.

4. In the SLB Server Pool Configuration dialog, configure the following options.

Option Description
Name: Specify the name of the SLB server pool. You can enter up to 31 characters.
Algorithm: Select the load balancing algorithm:
l Weighted Hash: Assign requests to SLB server pool members according to a hash algorithm.
l Weighted Least Connection: Assign requests to the member that currently has the fewest connections in the SLB server pool.
l Weighted Round Robin: Assign requests according to the weight of each SLB server pool member.
Sticky: If Sticky is selected, the security device treats all requests from the same source IP as one client and forwards them to the same server.
Member
Member: Specify a member of the pool. You can type an IP range, or an IP address and netmask.
Port: Specify the port number of the server.
Maximum Sessions: Specify the maximum number of sessions allowed for the server. The value ranges from 0 to 1,000,000,000. The default value is 0, which means no limit.
Weight: Specify the traffic forwarding weight used during load balancing. The value ranges from 1 to 255.
Add: Click Add to add the SLB address pool member to the SLB server pool.
Delete: Click Delete to delete the selected SLB address pool member.
Track
Track Type: Select a track type.
Port: Specify the port number to be tracked. The value ranges from 1 to 65535.
Interval: Specify the interval between Ping/TCP/UDP packets, in seconds. The value ranges from 3 to 255.
Retries: Specify the retry threshold. If no response packet is received after the specified number of retries, the system considers this track entry failed, i.e., the track entry is unreachable. The value ranges from 1 to 255.
Weight: Specify the weight that this track entry contributes to the failure of the whole track rule when the entry fails. The value ranges from 1 to 255.
Add: Click Add to add the configured track rule to the list.
Delete: Click Delete to delete the selected track rule.
Threshold: Type the threshold for the track rule into the Threshold box. The value ranges from 1 to 255. If the sum of the weights of the failed entries in the track rule exceeds the threshold, the security device concludes that the track rule has failed.
Description: Type the description for this track rule. You can enter up to 95 characters.
Relevant Device: Specify the devices to associate with the shared SLB server pool. If you choose the VSYS devices of a device, the shared SLB server pool is associated with those VSYS devices, not with the device itself. After configuring the shared SLB server pool, you must deploy it to the relevant devices for it to take effect. For more information about deploying configuration, see Synchronizing Configuration.

5. Click OK to save the settings.
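To make the pool options above concrete, here is an added Python model that is not Hillstone code and does not reproduce StoneOS internals: it implements Weighted Round Robin selection that skips members at their Maximum Sessions limit, a Sticky table keyed by source IP, and a track rule whose entries fail after the configured Retries and whose overall failure is decided by comparing the summed weight of failed entries with Threshold, exactly as the table states. The class names, the smooth weighted round robin variant chosen, and all addresses and weights are this example's own constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(eq=False)
class Member:
    """One SLB server pool member (Member section of the dialog)."""
    ip: str
    port: int
    weight: int = 1           # 1 to 255
    max_sessions: int = 0     # 0 means no limit
    sessions: int = 0         # constructed live session counter

    def has_capacity(self) -> bool:
        return self.max_sessions == 0 or self.sessions < self.max_sessions


@dataclass
class TrackEntry:
    """One probe entry of the track rule (Track section of the dialog)."""
    track_type: str           # "ping", "tcp" or "udp"
    port: int
    weight: int               # 1 to 255
    retries: int              # 1 to 255
    unanswered: int = 0       # consecutive probes without a response

    def record_probe(self, answered: bool) -> None:
        self.unanswered = 0 if answered else self.unanswered + 1

    @property
    def failed(self) -> bool:
        # The entry is unreachable once `retries` consecutive probes went unanswered.
        return self.unanswered >= self.retries


@dataclass
class TrackRule:
    threshold: int            # 1 to 255
    entries: List[TrackEntry] = field(default_factory=list)

    def failed_weight(self) -> int:
        return sum(e.weight for e in self.entries if e.failed)

    def failed(self) -> bool:
        # The whole rule fails when the summed weight of failed entries exceeds the threshold.
        return self.failed_weight() > self.threshold


class WeightedRoundRobinPool:
    """Smooth weighted round robin with an optional Sticky table (assumed design)."""

    def __init__(self, members: List[Member], sticky: bool = False) -> None:
        self.members = members
        self.sticky = sticky
        self._credit = [0] * len(members)        # running credit per member index
        self._sticky_table: Dict[str, Member] = {}

    def select(self, src_ip: str = "") -> Optional[Member]:
        if self.sticky and src_ip in self._sticky_table:
            pinned = self._sticky_table[src_ip]
            if pinned.has_capacity():
                pinned.sessions += 1
                return pinned
        eligible = [i for i, m in enumerate(self.members) if m.has_capacity()]
        if not eligible:
            return None                          # every member is at its session limit
        total = sum(self.members[i].weight for i in eligible)
        for i in eligible:
            self._credit[i] += self.members[i].weight
        best = max(eligible, key=lambda i: self._credit[i])
        self._credit[best] -= total
        chosen = self.members[best]
        chosen.sessions += 1
        if self.sticky and src_ip:
            self._sticky_table[src_ip] = chosen
        return chosen


def demo_round_robin() -> List[str]:
    """Weights 3:1 over four requests give three picks of the first member and one of the second."""
    pool = WeightedRoundRobinPool([Member("192.0.2.10", 80, weight=3),
                                   Member("192.0.2.11", 80, weight=1)])
    return [pool.select().ip for _ in range(4)]


def demo_session_limit() -> List[str]:
    """Once the heavier member reaches max_sessions=2, traffic moves to the other member."""
    pool = WeightedRoundRobinPool([Member("192.0.2.10", 80, weight=3, max_sessions=2),
                                   Member("192.0.2.11", 80, weight=1)])
    return [pool.select().ip for _ in range(4)]


def demo_sticky() -> List[str]:
    """With Sticky on, a repeat request from the same source IP lands on the same server."""
    pool = WeightedRoundRobinPool([Member("192.0.2.10", 80, weight=1),
                                   Member("192.0.2.11", 80, weight=1)], sticky=True)
    return [pool.select("203.0.113.5").ip for _ in range(3)]


def demo_track_rule() -> List[bool]:
    """Threshold 100: one failed entry (60) is tolerated, two (110) fail the rule, recovery clears it."""
    rule = TrackRule(threshold=100, entries=[TrackEntry("tcp", 80, weight=60, retries=3),
                                             TrackEntry("ping", 0, weight=50, retries=3)])
    results = []
    for _ in range(3):
        rule.entries[0].record_probe(False)
    results.append(rule.failed())
    for _ in range(3):
        rule.entries[1].record_probe(False)
    results.append(rule.failed())
    rule.entries[1].record_probe(True)
    results.append(rule.failed())
    return results
```

The track-rule demo shows the design consequence of "exceeds the threshold": with weights 60 and 50 and threshold 100 the pool survives either probe failing alone, but not both, and a single answered probe resets that entry's unanswered count.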



To view the details of the servers in the SLB pool:

1. Log into HSM, click Configuration > Global Configuration from the Level-1 navigation
pane to enter the global configuration page.

2. In the left navigation pane, expand Configure and Objects nodes in NGFW tab, and then
select SLB Server Pool. The main window shows the user-defined SLB server pool inform-
ation.

3. Select an SLB pool entry.

4. In the Server List tab at the bottom of the page, view the information about the servers in
this SLB pool.

5. In the Server List tab, view the server information of the SLB server pool, which includes
IP/mask, port, weight, and maximum sessions.

6. In the Monitoring tab, view the information about the track rules, which includes track
type, port, interval, and retries.

Notes: IPS device does not support the configuration of SLB server pool.

IPS Profile

The system shows the global IPS rule information, that is, you can view the shared IPS rules.

Viewing the Shared IPS Rules

To view the shared IPS rules, take the following steps:

1. Click Configuration > Global Configuration > NGFW to enter the global configuration
page.

2. In the left navigation pane, select Configure > Objects > IPS Profile. The main window
shows the IPS rule list. In the New Version tab, the system displays the predefined IPS rules
that can be configured on firewalls running StoneOS 5.5R3 or later. In the Old Version tab,
the system displays the predefined IPS rules that can be configured on firewalls running
StoneOS 5.5R2 or earlier.

The details of the predefined IPS rules are as follows:

Name: no-ips
Description: This rule does not include any IPS signatures, that is, no intrusion prevention detection is performed.
Applicable StoneOS version: All

Name: predef_default
Description: This rule includes all IPS signatures and its default action is reset. It is suitable for general deployment scenarios.
Applicable StoneOS version: All

Name: predef_loose
Description: This rule includes most of the IPS signatures with high severity or high popularity, and its default action is log only. It is suitable for general deployment scenarios.
Applicable StoneOS version: All

Name: DMZ-server
Description: This rule includes all attack detection except the TFTP and NETBIOS protocols, and its default action is log. It is suitable for deployment scenarios with DMZ servers.
Applicable StoneOS version: StoneOS 5.5R5 and later

Name: web-server
Description: This rule includes detection of all web attacks and general detection of SQL injection and XSS. Its default action is log. It is suitable for deployment scenarios with web servers.
Applicable StoneOS version: StoneOS 5.5R5 and later

Name: Windows-server
Description: This rule includes detection of attacks against the Windows system, and its default action is log. It is suitable for deployment scenarios with Windows-based servers.
Applicable StoneOS version: StoneOS 5.5R5 and later

Name: General-server
Description: This rule includes attack detection for vulnerability scanning, denial of service attacks and backdoor Trojans. Its default action is log. It is suitable for general deployment scenarios.
Applicable StoneOS version: StoneOS 5.5R5 and later

Name: Unix-like-server
Description: This rule includes detection of attacks against the Linux system and the Solaris system. Its default action is log. It is suitable for general deployment scenarios with Unix-based servers.
Applicable StoneOS version: StoneOS 5.5R5 and later

Name: Intrant-client
Description: This rule includes all IPS signatures and its default action is log.
Applicable StoneOS version: From StoneOS 5.5R5 to 5.5R8 (including StoneOS 5.5R5, but not StoneOS 5.5R8)

Name: predef_critical
Description: This rule includes detection of the high-risk attacks of the latest period, and its default action is log. It is suitable for general deployment scenarios or scenarios that need key protection.
Applicable StoneOS version: StoneOS R5F4, R6F1 and later

Anti-Virus

To configure the Anti-Virus function, take the following steps:

l Configuring Anti-Virus Global Parameters

l Creating a Shared Anti-Virus Rule

l Enabling the Policy-based Anti-Virus Function



Configuring Anti-Virus Global Parameters

You can enable or disable the Anti-Virus function, and configure the global parameters.

Creating a Shared Anti-Virus Rule

To create a shared Anti-Virus rule on HSM, take the following steps:

1. Log into HSM, click Configuration > Global Configuration > NGFW/NIPS/IDS to enter
the global configuration page.

2. In the left navigation pane, select Configure > Objects > Anti-Virus. The main window
shows the Anti-virus rule list.

3. Click New from the toolbar. The Anti-Virus dialog appears.

In the Anti-Virus dialog, configure the following options.


Option Description
Type: Specify the type of the object. It can be private or shared.
Name: Specify the rule name.
File Types: Specify the file types you want to scan: GZIP, JPEG, MAIL, RAR, HTML, PE, BZIP2, RIFF, TAR, ELF, RAWDATA, MSOFFICE, PDF and OTHERS.
Protocol Types: Specify the protocol types (HTTP, SMTP, POP3, IMAP4, FTP) you want to scan, and the action the security device takes after a virus is found:
l Fill Magic - Processes the virus file by filling it with magic words, i.e., overwrites the infected section from its beginning to its end with the magic words "Virus is found, cleaned".
l Log Only - Only generates a log.
l Warning - Pops up a warning page to prompt that a virus has been detected. This option is only effective for messages transferred over HTTP.
l Reset Connection - If a virus has been detected, the security device resets the connections to the files.
Capture: Select the Enable check box next to Capture Packet to enable the capture function. The security device saves the evidence messages, which you can view or download.
Malicious Website Access Control: Select the check box next to Malicious Website Access Control to enable the function.
Action: Specify the action the security device takes after a malicious website is found:
l Log Only - Only generates a log.
l Reset Connection - If a malicious website has been detected, the security device resets the connections to the files.
l Warning - Pops up a warning page to prompt that a malicious website has been detected. This option is only effective for messages transferred over HTTP.
Enable Label e-mail: If an email transferred over SMTP is scanned, you can enable Label e-mail to scan the email and its attachment(s). The scanning result is included in the mail body and sent with the email. If no virus has been detected, the message "No virus found" is added; otherwise, information about the virus is shown in the email, including the filename, result and action. Type the end message content into the box. The length is 1 to 128 characters.

4. Click OK.

Notes: By default, HSM comes with three predefined virus filtering rules, ordered by
protection level: predef_low, predef_middle, predef_high. The file types and protocol types
that are filtered differ between these rules; the higher the Anti-Virus filtering rule, the
higher the security level. The default rules cannot be edited or deleted.

Enabling the Policy-based Anti-Virus Function

To enable the policy-based Anti-Virus function on HSM, see Configuring the Policy-based
Protection Function.

URL Filter

URL filter controls access to certain websites and records log messages for the access
actions. URL filter helps you control network behavior in the following ways:

l Access control for certain categories of websites, such as gambling and pornographic websites.

l Access control for certain categories of websites during a specified period, for example,
forbidding access to IM websites during office hours.

l Access control for websites whose URL contains specified keywords, for example,
forbidding access to URLs that contain the keyword "game".

Notes: HSM only supports centralized management of the URL filter function on NGFW
devices whose version is 5.5R1 or above.

Configuring URL Filter

Configuring URL filter contains two parts:

l Create a URL filter rule

l Bind a URL filter rule to a security policy rule

Part 1: Creating a URL filter rule

1. Select Configuration > Global Configuration > NGFW/NIPS/IDS > Objects > URL Fil-
ter Bundle > URL Filter.



2. Click New.

In the URL Filter dialog, configure the following options.

Option Description

Name: Specify the name of the rule.

Control Type: The control types are URL Category, URL Keyword Category, and Web Surfing Record. You can select one type for each URL filter rule.
URL Category controls access to certain categories of websites. The options are:

l New: Create a new URL category. For more information about URL categories, see "User-defined URL DB" on Page 467.

l Edit: Select a URL category from the list, and click Edit to edit the selected URL category.

l URL category: Shows the names of the predefined and user-defined URL categories.

l Block: Select the check box to block access to the corresponding URL category.

l Log: Select the check box to log access to the corresponding URL category.

l Other URLs: Specify the actions for URLs that are not in the list, including Block Access and Record Log.

URL Keyword Category controls access to websites whose URL contains the specified keywords. Click the URL Keyword Category option to configure it. The options are:

l New: Create new keyword categories. For more information about keyword categories, see "Keyword Category" on Page 469.

l Edit: Select a URL keyword category from the list, and click Edit to edit the selected URL keyword category.

l Keyword category: Shows the names of the configured keyword categories.

l Block: Select the check box to block access to websites whose URL contains the specified keywords.

l Log: Select the check box to log access to websites whose URL contains the specified keywords.

l Other URLs: Specify the actions for URLs that do not contain any keyword in the list, including Block Access and Record Log.

Web Surfing Record logs the GET and POST methods of HTTP.

l Get: Records a log for GET requests.

l Post: Records a log for POST requests.

l Post Content: Records the posted content.

Relevant Device: Specify the devices to associate with the URL filter rule. If you choose the VSYS devices of a device, the rule is associated only with the root VSYS. After configuring the rule, you must deploy it to the relevant devices for it to take effect. For more information about deploying configuration, see Synchronizing Configuration.

3. Click OK to save the settings.

Part 2: Binding a URL filter rule to a security policy rule



After binding a URL filter rule to a security policy rule, the system will perform the URL filter
function on the traffic that matches the security policy rule. For more information, please refer to
Configuring the Policy-based Anti-Virus, IPS and URL Filter Function.

Predefined URL DB

The system contains a predefined URL database.

The predefined URL database provides URL categories for URL filter configuration. It
includes dozens of categories and tens of millions of URLs.
When identifying the URL category, the user-defined URL database has a higher priority than the
predefined URL database.

Notes: The predefined URL database is license-controlled. It can be used only after a URL
license is installed.

User-defined URL DB

Besides the categories in the predefined URL database, you can also create user-defined URL
categories, which likewise provide URL categories for URL filter configuration. When identifying
the URL category, the user-defined URL database has a higher priority than the predefined URL
database. The system provides three user-defined URL categories by default: custom1, custom2,
custom3.

Configuring User-defined URL DB

To configure a user-defined URL category:



1. Select Objects > URL Filter Bundle > User-defined URL DB.

2. Click New in the toolbar. The URL Category dialog appears.

3. Type the category name in the Name text box. A URL category name cannot consist only of a
hyphen (-). You can create at most 1000 user-defined categories.

4. Type the category description in the Description text box. The value range is 0 to 255 char-
acters.

5. Type a URL into the URL http:// box.

6. Click Add to add the URL and its category to the table.

7. Repeat the above steps to add more URLs.

8. To delete an existing one, select its check box and then click Delete.



9. Specify the deployment device for the URL category in the Relevant Device drop-down
menu if necessary.

10. Click OK to save the settings.

Keyword Category

Keywords can be grouped into categories. A URL filter rule that contains a keyword category
controls access to websites of those categories.
When a URL filter rule includes a keyword category, the system scans traffic for the configured
keywords and calculates a trust value for the keywords that are hit. The calculation is: for each
keyword that belongs to the category, multiply the number of times it is hit by its trust value,
and add up the results. The system then compares the sum with the threshold 100 and acts
according to the result:

l If the sum is larger than or equal to the category threshold (100), the configured category
action is triggered;

l If more than one category action can be triggered and one of them is Block, the final action
is Block;

l If more than one category action can be triggered and all the configured actions are Permit,
the final action is Permit.

For example, a URL filter rule contains two keyword categories: C1 with action Block and C2
with action Permit. Both C1 and C2 contain the same keywords K1 and K2. The trust values of
K1 and K2 in C1 are 20 and 40; the trust values of K1 and K2 in C2 are 30 and 80.
If the system detects 1 occurrence each of K1 and K2 in a URL, the C1 trust value is
20*1+40*1=60<100 and the C2 trust value is 30*1+80*1=110>100. As a result, the C2 action
is triggered and access to the URL is permitted.
If the system detects 3 occurrences of K1 and 1 occurrence of K2 in a URL, the C1 trust value
is 20*3+40*1=100 and the C2 trust value is 30*3+80*1=170>100. The conditions of both C1
and C2 are satisfied, and because C1's action is Block, the block action is triggered and access
to the web page is denied.
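The trust-value calculation and the Block-wins rule above, carried through in Python as an added example; this is not Hillstone code. The class and function names are this example's own, case-insensitive simple matching is an assumption, and the constructed categories C1 and C2 reuse the trust values from the worked example so that the two URLs below reproduce its 60/110 (permit) and 100/170 (block) outcomes. A third category shows the regular-expression matching method the dialog also offers.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

CATEGORY_THRESHOLD = 100   # fixed threshold stated in the text


@dataclass(frozen=True)
class Keyword:
    text: str
    trust: int
    regex: bool = False    # character matching method: simple (False) or regular expression (True)

    def hits(self, url: str) -> int:
        """Number of times the keyword occurs in the URL (case-insensitive; an assumption)."""
        if self.regex:
            return len(re.findall(self.text, url, flags=re.IGNORECASE))
        return url.lower().count(self.text.lower())


@dataclass(frozen=True)
class KeywordCategory:
    name: str
    action: str            # "block" or "permit"
    keywords: Tuple[Keyword, ...]

    def trust_value(self, url: str) -> int:
        # Sum of (times hit * trust value) over every keyword in the category.
        return sum(k.hits(url) * k.trust for k in self.keywords)


def decide(categories: List[KeywordCategory], url: str) -> Optional[str]:
    """Final action for the URL, or None when no category reaches the threshold
    (the rule's Other URLs setting then applies)."""
    triggered = [c for c in categories if c.trust_value(url) >= CATEGORY_THRESHOLD]
    if not triggered:
        return None
    # Block takes precedence when several categories trigger with mixed actions.
    return "block" if any(c.action == "block" for c in triggered) else "permit"


# Constructed categories reproducing the C1/C2 example, plus a regex-based category.
C1 = KeywordCategory("C1", "block", (Keyword("k1", 20), Keyword("k2", 40)))
C2 = KeywordCategory("C2", "permit", (Keyword("k1", 30), Keyword("k2", 80)))
C3 = KeywordCategory("C3", "block", (Keyword(r"casino\d*", 100, regex=True),))
RULE = [C1, C2, C3]


def scores(url: str) -> dict:
    """Per-category trust values for a URL, handy for explaining a verdict."""
    return {c.name: c.trust_value(url) for c in RULE}


def verdict(url: str) -> Optional[str]:
    return decide(RULE, url)


if __name__ == "__main__":
    for sample in ("http://site.example/k1/k2",           # constructed: 1 x K1, 1 x K2
                   "http://site.example/k1-k1-k1/k2",     # constructed: 3 x K1, 1 x K2
                   "http://casino77.example/promo",       # constructed: regex hit
                   "http://site.example/news"):           # constructed: no keyword hit
        print(sample, scores(sample), verdict(sample))
```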



Configuring a Keyword Category

To configure a keyword category:

1. Select Object > URL Filter Bundle > Keyword Category. The Keyword Category dialog
appears.

2. Click New. The Keyword Category dialog appears.

3. Type a category name.

4. Type the category description in the Description text box. The value range is 0 to 255 char-
acters.

5. Specify the keyword, character matching method (simple/regular expression), and trust
value.

6. Click Add to add the keyword to the list below.

7. Repeat the above steps to add more keywords.



8. To delete a keyword, select the keyword you want to delete from the list and click Delete.

9. Specify the deployment device for the keyword category in the Relevant Device drop-down
menu if necessary.

10. Click OK to save your settings.

Warning Page

To create a new warning page, take the following steps:

1. Select Object > URL Filter Bundle > Warning Page.

2. Click New in the toolbar. The Warning Page dialog appears.


Enter a Name. Description and Relevant Device are optional.

3. Click OK.
You can also click Edit in the toolbar to edit the selected page, and click Delete to delete
the page.

The warning page shows the user block information and user audit information.

Configuring Block Warning

If a web access attempt is blocked by the URL filter function, Internet access is denied. An
Access Denied message is shown in your browser, and the applicable web surfing rules are shown
on the warning page at the same time. See the picture below:

After enabling the block warning function, block warning information will be shown in the
browser when one of the following actions is blocked:

l Visiting a certain type of URL

l Visiting the URL that contains a certain type of keyword category



The block warning function is disabled by default. To configure the block warning function:

1. Click Object > URL Filter Bundle > Warning Page, and choose the page for which you want to
configure the block warning function in the page list on the left.

2. Select Enable check box in the Block Warning section.

3. Configure the display information in the blocking warning page.

Option Description

Default: Use the default blocking warning page as shown above.

Redirect page: Redirect to the specified URL. Type the URL in the URL http:// box. You can
click Detection to verify whether the URL is valid.

Custom: Customize the blocking warning page. Type the title in the Title box and the
description in the Description box. You can click Preview to preview the blocking warning
page.

4. Click OK to save the settings.



Configuring Audit Warning

After enabling the audit warning function, when your network behavior matches the configured
URL filter rule, your HTTP request will be redirected to a warning page, on which the audit and
privacy protection information is displayed. See the picture below:

The audit warning function is disabled by default. To configure the audit warning function:

1. Select Object > URL Filter Bundle > Warning Page, and choose the page for which you want
to configure the audit warning function in the page list on the left.

2. Select Enable check box in the Audit Warning section.

3. Click OK to save the settings.

Role

To configure shared roles, click Configuration > Global Configuration > NGFW > Configure >
Objects > Role, and select the target node for the next configuration.
For the detailed configuration, see "Role" on Page 380 in Device Object.

AAA Server

To configure shared AAA servers, click Configuration > Global Configuration > NGFW > Con-
figure > Objects > AAA Server nodes in turn.
For the detailed configuration, see "AAA Server" on Page 386 in Device Object.



Botnet Defense

Notes: HSM can only manage the botnet defense function of firewall devices running
StoneOS 5.5R8P4, 5.5R8F1 or higher versions.

The system provides a predefined shared botnet defense profile "no-botnet-c2-prevention", which
you cannot edit or delete. You can create up to 32 shared botnet defense profiles.
To configure a shared botnet defense profile, take the following steps:

1. Select Configuration > Global Configuration > NGFW > Objects > Botnet Defense > Pro-
file.

2. Click New in the main window to open the Botnet Defense Rule Configuration dialog .

Configure the following options in the dialog.


Option Description

Name: Specify the name of the botnet defense profile. The length of the name is 1 to 31
characters.

Protocol Type: Specify the protocol types (TCP, HTTP, DNS) you want to scan, and the action
the system takes after a botnet is found:

l Log Only: Only generates a log.

l Reset Connection: If a botnet has been detected, the system resets the connections to the
files.

l Sinkhole Address Replacement: When the protocol type is DNS, you can specify the
processing action as "Sinkhole Address Replacement". After the threat is discovered, the
system replaces the IP address in the DNS response packet with the Sinkhole IP address.

Relevant Device: Specify the devices to associate with the botnet defense profile. If you
choose the VSYS devices of a device, the profile is associated only with the root VSYS. After
configuring the profile, you must deploy it to the relevant devices for it to take effect. For
more information about deploying configuration, see Synchronizing Configuration.

Editing/Deleting an Object

To edit or delete an object, enter the corresponding object page, select the object, and then click
the Edit or Delete button. For how to enter the object page and the description of the options of
each object, see the creating object sections.

Notes: Only shared virtual router and shared interface can be edited or deleted.

SD-WAN Business Deployment


The system supports the SD-WAN business deployment function to quickly deploy businesses to
devices in batches. Currently, the system supports two predefined business types: network
business and intranet business. A network business is used to grant Internet access permission
to devices in batches, and an intranet business is used to let branch devices access the
business of the headquarters and HUB. The system also supports configuring related businesses
in the ZTP configuration and deploying them during the deployment process.



You can only deploy SD-WAN businesses to managed devices that have joined the VPN net-
work. After an SD-WAN business is deployed to a managed device, the device will add cor-
responding configurations to its own system to enable the business, such as security policies and
destination routes.

Creating a Business
To create a business, take the following steps:

1. Select Configuration > SD-WAN Business Deployment.

2. Click Add.

In the Add Business dialog box, configure the following options.

Option Description

Name: Specify the name of the business.
Note: Business names cannot be repeated and cannot contain special characters.

Type: Specify the business type from the drop-down list: network business or intranet
business.

Priority: Specify the route priority of the link where the headquarters device is located:
Regardless, High, Medium or Low. When a branch device in the VPN network accesses the
server where the business is located, this is the priority of the destination route from the
branch device to the server.
Note:

l If Regardless is selected, the route priority of the link where the headquarters device is
located is determined by the priority of the WAN interface of the corresponding spoke device.

l If both the SD-WAN business priority and the WAN interface priority of the SD-WAN device
are configured, the former prevails. For details, see Configuration Example 1.

Headquarters Device: Specify, from the drop-down list, the headquarters device through which
the business is accessed.
Note: The headquarters device must be a device in a VPN mesh network or a HUB device in a
VPN star network.

IP: Type the IP address of the server.

Mask: Type the netmask of the server.

Protocol: Select the protocol type from the drop-down list: TCP, UDP or ICMP.

Min Destination Port: Specify the minimum port number of the service entry.

Max Destination Port: Specify the maximum port number of the service entry.

Description: Type the description for the business.

3. Click OK.

Configuration Example 1

This example has a branch device "Spoken1" and two headquarters devices "Hub1" and "Hub2". To
enable the branch device "Spoken1" to access the headquarters server "12.12.12.51/24" through a
VPN network, take the following steps.

Step 1 Creating a VPN Star Network

To create a VPN star network with the devices "Hub1" and "Hub2" as HUB devices, take the fol-
lowing steps:

1. Select VPN > VPN Network > Star Network, and enter the Star Network page.

2. Click New, and in the pop-up New Star Network dialog box, configure as follows:

l Name: Star1

l HUB Mode: Dual HUB

l HUB1 Configuration

l HUB Device1: Hub1

l Operator: China Telecom

l HUB2 Configuration

l HUB Device2: Hub2

l Operator: China Unicom

3. Click OK.

Step 2 Adding an SD-WAN Device

To add the device "Spoken1" to the VPN star network "Star1", take the following steps:

1. Select Device > SD-WAN Start, and enter the SD-WAN Start page.

2. Click Add Device, and in the pop-up Add Single SD-WAN Device dialog box, configure as
follows:

l Name: Spoken1

l SN: 261030B364521635

l VPN Net: Star1

l Interface Configuration: Select the WAN Interface tab. Click New, and configure the WAN1 interface as follows:

l Name: WAN1

l Operator: China Telecom

l Priority: High

l Internet Access: Static IP

l IP Address: 10.90.11.2

l Netmask: 255.255.255.0

l Default Gateway: 10.90.11.1

Click New, and configure the WAN2 interface as follows:

l Name: WAN2

l Operator: China Unicom

l Priority: Low

l Internet Access: Static IP

l IP Address: 10.90.16.2

l Netmask: 255.255.255.0

l Default Gateway: 10.90.16.1

3. Click OK.

Step 3 Creating an SD-WAN Business

Create an SD-WAN intranet business for the VPN star network "Star1". To create an SD-WAN
business, take the following steps:

1. Select Configuration > SD-WAN Business Deployment, and enter the SD-WAN Business
page.

2. Click Add, and in the pop-up Add dialog box, configure as follows:

l Name: Business1

l Type: Intranet Business

l Priority: Regardless

l Headquarters Device: Hub1

l IP: 12.12.12.51

l Netmask: 255.255.255.0

l Protocol: ICMP

Click Add, and in the pop-up Add dialog box, configure as follows:

l Name: Business2

l Type: Intranet Business

l Priority: Medium

l Headquarters Device: Hub2

l IP: 12.12.12.51

l Netmask: 255.255.255.0

l Protocol: ICMP

3. Click OK.

Step 4 Deploying an SD-WAN Business

Deploy SD-WAN businesses "Business1" and "Business2" to the device "Spoken1". To deploy an
SD-WAN business, take the following steps:

1. Select Configuration > SD-WAN Business Deployment, and enter the SD-WAN Business
page.

2. Select Business1 and Business2, click Deploy, and select the device "Spoken1" in the pop-
up Deploy dialog box.

3. Click OK.

Result

The branch device "Spoken1" will access the headquarters server "12.12.12.51/24" via the tunnel link of the WAN1 interface.

Configuration Example 2

The network has a branch device "spoken" and a headquarters device "hub". To enable the branch device "spoken" to access the headquarters server "13.13.13.51/24" through a VPN network, take the following steps.

Step 1 Creating a VPN Star Network

To create a VPN star network with the device "hub" as the HUB device, take the following steps:

1. Select VPN > VPN Network > Star Network, and enter the Star Network page.

2. Click New, and in the pop-up New Star Network dialog box, configure as follows:

l Name: Star2

l HUB Mode: Single HUB

l HUB Device1: hub

3. Click OK.

Step 2 Adding an SD-WAN Device

To add the device "spoken" to the VPN star network "Star2", take the following steps:

1. Select Device > SD-WAN Start, and enter the SD-WAN Start page.

2. Click Add Device, and in the pop-up Add Single SD-WAN Device dialog box, configure as
follows:

l Name: spoken

l SN: 26103EK364522478

l VPN Net: Star2

l Interface Configuration: Select the WAN Interface tab. Click New, and configure the WAN1 interface as follows:

l Name: WAN1

l Priority: Regardless

l Internet Access: Static IP

l IP Address: 11.90.11.2

l Netmask: 255.255.255.0

l Default Gateway: 11.90.11.1

Click New, and configure the WAN2 interface as follows:

l Name: WAN2

l Priority: High

l Internet Access: Static IP

l IP Address: 11.90.16.2

l Netmask: 255.255.255.0

l Default Gateway: 11.90.16.1

3. Click OK.

Step 3 Creating an SD-WAN Business

Create an SD-WAN intranet business for the VPN star network "Star2". To create an SD-WAN
business, take the following steps:

1. Select Configuration > SD-WAN Business Deployment, and enter the SD-WAN Business
page.

2. Click Add, and in the pop-up Add dialog box, configure as follows:

l Name: Business3

l Type: Intranet Business

l Priority: Regardless

l Headquarters Device: hub

l IP: 13.13.13.51

l Netmask: 255.255.255.0

l Protocol: ICMP

3. Click OK.

Step 4 Deploying an SD-WAN Business

Deploy the SD-WAN business "Business3" to the device "spoken". To deploy an SD-WAN business, take the following steps:

1. Select Configuration > SD-WAN Business Deployment, and enter the SD-WAN Business
page.

2. Select Business3, click Deploy, and select the device "spoken" in the pop-up Deploy dialog
box.

3. Click OK.

Result

The branch device "spoken" will access the headquarters server "12.12.12.51/24" via either the WAN1 or the WAN2 tunnel link.

Viewing the Business Details


To view the business detail, take the following steps:

1. Select Configuration > SD-WAN Business Deployment.

2. Select the business entry in the list, and view the details under the list.

3. View the devices to which the business has been deployed in the Activated Devices area. Click Recycle to recycle the business from the specified device.

4. View the business details in the Configuration area, including name, type, user name and create time. Click Script Preview to view the script details.

Deploying a Business
To deploy a business, take the following steps:

1. Select Configuration > SD-WAN Business Deployment.

2. Select the business to be deployed in the list, and click Deploy.

3. In the Deploy dialog, select the device needed to deploy the business.

4. Click OK.

Deleting a Business
To delete a business, take the following steps:

1. Select Configuration > SD-WAN Business Deployment.

2. Select the business to be deleted, and click Delete.

Notes:
l If the business has been deployed to a device, recycle the business first.

Default Parameters
To configure the default action for a newly created security policy rule, take the following steps:

1. Select Configuration > Default Parameters; the Configure Parameters dialog pops up.

Option Description

Default Action Specify the action for new security policy rules, including Permit and
Deny.

Policy Assistant Configuration  Configure the parameters of the policy assistant.
l Analysis Duration: Select the duration of traffic analysis.
l Maximum Number of Hits: Specify the maximum number of traffic entries; the range is 0 to 1000. When the actual number exceeds the specified number, the new traffic overwrites the oldest traffic.

2. Click OK.

Task Management
HSM uses tasks to track system operations whose running status and results you need to follow. When you perform an operation on HSM, such as deploying a policy to devices or checking rule conflicts, a related task is generated so that you can track the operation. When the system executes the task, related logs are generated, and you can learn the detailed task information and the reason for any task failure from the logs.
This chapter describes the task management configurations, including:

l Task Management Window

l Viewing Task Logs

Task Management Window


Click Task from the Level-1 navigation pane to enter the task management page. The following is
the layout of the page.

Level-1 Navigation Pane

Level-1 navigation pane allows you to navigate to different modules of HSM. For detailed information, see Homepage.
Toolbar

Toolbar shows the available tools. Functions of toolbar are described as below:

Option Description

Start  For the tasks in the status of initializing or pause, click this button to execute the task. The executed tasks cannot be executed again.

Pause  After starting a task, when it is in the status of waiting, click this button to make the system stop executing the task.

Delete  For the tasks in the status of initializing, pause, and terminate, click this button to delete the task.

Terminate  For the tasks in the status of initializing, pause, or waiting, click this button to stop the task. The stopped task cannot be executed again.

(search box)  Task search. Enter the keyword in the text box and then select the type from the drop-down list. The search result will be shown in the task table.

Column  Customizes the columns displayed in the main window.

Main Window
The main window shows the task table. Columns in the task window are described as below:

Option Description

Task ID  Shows the ID of the task.

Task Name  Shows the name of the task.

Operation  Shows the operation type of the task.

Status  Shows the status of the task. It can be one of the following:

l Initializing: The task has been generated but not executed, and it is initializing. You can click Start to execute it.

l Check: After you click Start, the system checks the execution status of the task.

l Waiting: When more than one task is started, since the system does not support running multiple tasks simultaneously, the other started tasks will be in this status. A task in this status can be paused or terminated.

l Running: The task is running. A running task cannot be paused or terminated.

l Pause: The task is paused.

l Terminate: The task is terminated.

Result  Shows the running result of the task.

l View Report: Click to view the task report.

l Failed: Failed to run the task. You can get the failure reason from the related logs.

l (progress bar): Shows the policy deployment process. Green indicates successful deployment, orange indicates unsuccessful deployment, and grey indicates not yet deployed. Hover the mouse over the bar to see the text tip.

Create Time  Shows the time when the task is generated.

Run Time  Shows the time when the task is executed.

Log  Click the icon to view the related logs. Logs will be generated for each executed task. You can also read the logs in the page of Log > HSM Log > Task Management.
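
The status transitions and toolbar rules in the two tables above can be modelled as a small state machine. The following Python is an added example written for the reader of this guide, not HSM code: it encodes which toolbar action is allowed in which status, and the one-task-runs-at-a-time rule that puts other started tasks into Waiting. The class and method names, and the "Done" status used to mark a finished run (the page reports completion in the Result column instead), are assumptions.

```python
"""Model of the task statuses and toolbar actions from the Task Management tables.

Added example for this guide, not HSM code. "Done" is an assumed sentinel
for a run that finished; the page reports completion in the Result column.
"""
from dataclasses import dataclass

INITIALIZING, CHECK, WAITING, RUNNING, PAUSE, TERMINATE, DONE = (
    "Initializing", "Check", "Waiting", "Running", "Pause", "Terminate", "Done")

# Toolbar button -> statuses in which the toolbar table allows it.
ALLOWED = {
    "Start": {INITIALIZING, PAUSE},
    "Pause": {WAITING},
    "Delete": {INITIALIZING, PAUSE, TERMINATE},
    "Terminate": {INITIALIZING, PAUSE, WAITING},
}


@dataclass
class Task:
    task_id: int
    name: str
    status: str = INITIALIZING


class TaskManager:
    """Holds the task table and enforces the one-running-task rule."""

    def __init__(self):
        self.tasks = {}          # task_id -> Task, in creation (table) order
        self._next_id = 1

    def create(self, name):
        task = Task(self._next_id, name)
        self.tasks[task.task_id] = task
        self._next_id += 1
        return task

    def running_task(self):
        return next((t for t in self.tasks.values() if t.status == RUNNING), None)

    def can(self, action, task):
        """True if the toolbar button applies to the task's current status."""
        return task.status in ALLOWED.get(action, set())

    def _require(self, action, task):
        if not self.can(action, task):
            raise ValueError(f"{action} is not allowed while the task is {task.status}")

    def start(self, task):
        self._require("Start", task)
        task.status = CHECK                      # the system checks the task first
        # Only one task runs at a time; any other started task waits.
        task.status = RUNNING if self.running_task() is None else WAITING
        return task.status

    def pause(self, task):
        self._require("Pause", task)             # only a Waiting task can be paused
        task.status = PAUSE
        return task.status

    def terminate(self, task):
        self._require("Terminate", task)         # a Running task cannot be terminated
        task.status = TERMINATE                  # not in ALLOWED["Start"]: cannot run again
        return task.status

    def delete(self, task):
        self._require("Delete", task)
        del self.tasks[task.task_id]

    def finish_running(self):
        """Simulate the running task ending; the first waiting task in table order then runs."""
        current = self.running_task()
        if current is None:
            return None
        current.status = DONE                    # executed tasks cannot be started again
        waiting = next((t for t in self.tasks.values() if t.status == WAITING), None)
        if waiting is not None:
            waiting.status = RUNNING
        return waiting
```

The `can()` check is what a script driving HSM operations should consult before pressing a button: for example, a second policy deployment started while one is running lands in Waiting, where it can still be paused or terminated, whereas the running one cannot.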

Viewing Task Logs


In the task table, click the log icon in the Log column; the system shows the log window of the corresponding task. By reading the log messages, you can analyze the failure reason for failed tasks. The system provides a log search function for you to get the desired information quickly.

Ticket
HSM supports the ticket function. You can pass the required information to the operation and maintenance department by configuring a ticket. After receiving the ticket request, the operation and maintenance department configures the devices according to the information summarized in the ticket to enable the service. The system can configure and deploy policy tickets and configuration delivery tickets to managed devices.
This chapter includes the following sections:

l Ticket Management

l Object Naming Configuration

l Matching Mode

l Network

Ticket Management
HSM allows users to configure policy tickets and configuration tickets.

Policy ticket
Users can use network objects to configure matching rules that compose the corresponding matching mode of tickets. According to the matching mode configured by users, when the system administrator processes a ticket, the system matches the five-tuple information in the ticket with the network objects in the matching rules, and selects the managed devices that meet the conditions. Users can also manually add devices to be deployed for policy tickets.

Creating a ticket

To create a new ticket, take the following steps:

1. Select Ticket > Policy Management to enter the security policy ticket page.

2. Click Create Ticket from the toolbar. The Add Ticket dialog appears.

3. In the Basic Configuration tab, configure the following options:

l Name: Specify the name of the ticket.

l Description: Type the description for the ticket.

4. Click Next, and in the Quintuple tab, configure the following options:

l Source Address: Specify the source address of the policy rules. Select the type of the address from the drop-down list, type the address and then click Add to add the address to the list.

l Destination Address: Specify the destination address of the policy rules. Select the type of the address from the drop-down list, type the address and then click Add to add the address to the list.

l Protocol/Port: Specify the type of protocol as TCP or UDP, type the port number or port range and then click Add to add the port to the list.

l Effective time: Specify the effective time of the policy rules, either always effective or a period of time.

5. Click Done to save the settings.

Importing a Ticket

To import a new ticket, take the following steps:

1. Select Ticket > Policy Ticket to enter the security policy ticket page.

2. Click Import from the toolbar.

3. In the Import Ticket dialog, click Download template to download the template of ticket
files and configure the information.

4. Click Browse to select the file needed to be imported.

5. Click Upload.

Processing a Ticket

To process a ticket, take the following steps:

1. Select Ticket > Policy Ticket to enter the security policy ticket page.

2. In the To be Processed tab, click To be Processed in the list; the Process Ticket dialog pops up.

3. Select the device to which the policy rules are to be deployed, and click the add button to add it to the right pane. Click Reset to auto-recognized Devices to restore the devices automatically recognized by the system.

4. Click Next to enter the Security Policy Rule page. Select whether to deploy the policy rule in the Redundant Rule Process drop-down list of the Security Policy Rule tab.

l Process Redundant: Select Continue to Deploy or Cancel Deploying the policy rule.

l Policy Location: Select the location from the drop-down list to deploy the rule, including Top, Bottom, Before ID and After ID. If you select Before ID or After ID, specify the rule ID in the text box; the rule will then be deployed before or after the specified ID. By default, the system deploys the rule to the top of the policy list of managed devices.

5. Click OK.

Notes:

l In the drop-down list, select "All", "To process" or "Processing failure" to display the corresponding tickets.

l In the drop-down list, select "All Time" or "User Defined" to display the tickets of the specified creation time.

l In the search bar, type a keyword from the ticket name or comment, and click the search icon to display the corresponding tickets.

Reviewing a Ticket

To review a ticket, take the following steps:

1. Select Ticket > Policy Ticket to enter the security policy ticket page.

2. In the To be Checked tab, click To be Checked in the list, Check Ticket dialog pops up.

3. View the detail of configurations in the Check Ticket dialog, including device, management
address and Cli script.

4. Type the handling opinions in the text box, click Approve or Reject. The approved ticket
will be displayed in the To be Deployed tab, and the rejected ticket will be displayed in the
Completed tab.

To batch review ticket, take the following steps:

1. Select Ticket > Policy Ticket to enter the security policy ticket page.

2. In the To be Checked tab, select the tickets to be checked and click Batch Check in the list.

3. Click Approve or Reject. The approved ticket will be displayed in the To be Deployed tab, and the rejected ticket will be displayed in the Completed tab.

Notes:

l In the drop-down list, select "All Time" or "User Defined" to display the tickets of the specified creation time.

l In the search bar, type a keyword from the ticket name or comment, and click the search icon to display the corresponding tickets.

Deploying a Ticket

To deploy a ticket, take the following steps:

1. Select Ticket > Policy Ticket to enter the security policy ticket page.

2. Select the ticket to be deployed in the To be Deployed tab, and click To be Deploy from the toolbar; the Deploy dialog pops up.

3. In the Deploy dialog, select the time to deploy ticket, Immediately or at a specified time.

4. Click OK.

Notes:

l In the drop-down list, select "All", "Undeployed", "Deploying" or "Waiting for deploy" to display the corresponding tickets.

l In the drop-down list, select "All Time" or "User Defined" to display the tickets of the specified creation time.

l In the search bar, type a keyword from the ticket name or comment, and click the search icon to display the corresponding tickets.

Viewing the Completed Ticket

To view the completed ticket, take the following steps:

1. Select Ticket > Policy Ticket to enter the security policy ticket page.

2. View the name, created time, remark and created in the Completed tab.

3. Select the ticket whose operation record you want to view, and click the operation record icon; the Operation Record dialog pops up.

4. View the details of the operation record in the Operation Record dialog.

Notes:

l In the drop-down list, select "All Time" or "User Defined" to display the tickets of the specified creation time.

l In the search bar, type a keyword from the ticket name or comment, and click the search icon to display the corresponding tickets.

Configuration Ticket
The system can accept configuration pushed through the API, and review and deliver it in the form of a ticket. You can also create a new configuration ticket for delivery.

Creating a ticket

To create a new ticket, take the following steps:

1. Select Ticket > Configuration Ticket to enter the configuration delivery ticket page.

2. Click Create Ticket from the toolbar. The Create Ticket dialog appears.

3. In the Basic tab, configure the following options:

l Name: Specify the name of the ticket.

l Comments: Type the comment for the ticket.

l Enable Timing Delivery: Click the Enable button to enable the timing delivery function, and specify the time for auto-delivery.

4. Click Next, and in the Script Information tab, configure the following options:

l Edit CLi: Type the command script of the configuration in the Edit CLi text box. Click the Copy button to copy the command. Click the "+" button to add a command script; fewer than 128 scripts can be configured.

l Device: Specify the device for every command script in the drop-down list.

5. Click Submit Review to submit the ticket for review. Click Save Draft to save the ticket.

Processing a Ticket

To process a ticket, take the following steps:

1. Select Ticket > Configuration Ticket to enter the configuration delivery ticket page.

2. In the To be Processed tab, click the submit button to submit the specified ticket in the list for review. Select multiple tickets and click Batch submit review to submit the specified tickets for review in a batch.

You can also perform other operations:

l Click the edit button to edit the comments, timing delivery and command script of the specified ticket.

l Click the copy button to copy the specified ticket. Rename the ticket in the Copy Ticket dialog box.

l Click the delete button to delete the specified ticket. Select multiple tickets and click Delete to delete the specified tickets.

l Click View to display the operation record of the specified ticket.

Reviewing a Ticket

To review a ticket, take the following steps:

1. Select Ticket > Configuration Ticket to enter the configuration delivery ticket page.

2. In the To be Checked tab, click button in the list, the Review Ticket dialog pops up.

3. View the detail of configurations in the Review Ticket dialog, including comment, script
information and device.

4. Type the handling opinions in the text box, click Approve, Reject or Discard. The approved
ticket will be displayed in the To be Deployed tab, the rejected ticket will be displayed in
the To be Processed tab and the discarded ticket will be displayed in the Completed tab.

5. In the Review Confirm dialog box, click OK.


Note: If an IP address conflict is detected, the review fails.

You can also perform other operations:

l Select multiple tickets and click Batch Review. In the Review Ticket dialog box, type the handling opinions in the text box, and click Approve, Reject or Discard.

l Click View to display the operation record of the specified ticket.

Deploying a Ticket

A ticket for which timing delivery is configured is deployed automatically. A ticket without timing delivery needs to be deployed manually.
To deploy a ticket, take the following steps:

1. Select Ticket > Configuration Ticket to enter the configuration delivery ticket page.

2. In the To be Deployed tab, select the tickets to be deployed and click Deploy from the toolbar, or click the deploy button to deploy the specified ticket.

3. In the Deploy dialog, click OK.

You can also perform other operations:

l Click the terminate button to terminate a ticket that is being deployed, is undeployed, or is waiting for deployment. Select multiple tickets and click the Terminate button on the toolbar to terminate the selected tickets in a batch. A ticket that has timing delivery configured and is in the undeployed state will not be deployed automatically after it is terminated.

l Click View to display the operation record of the specified ticket.

Viewing the Completed Ticket

To view the completed ticket, take the following steps:

1. Select Ticket > Configuration Ticket to enter the configuration delivery ticket page.

2. View the name, created time, comment and state in the Processed tab.

3. Click the view button to view the details of the specified ticket.

You can also perform other operations:

l Click the copy button to copy the specified ticket. Rename the ticket in the Copy Ticket dialog box.

l Click the delete button to delete the specified ticket. Select multiple tickets and click Delete to delete the specified tickets.

l Click View to display the operation record of the specified ticket.

Object Naming Configuration


The system allows users to customize the naming of the objects configured in tickets.

Name Conflict Handling


When an object created from a policy ticket according to the configured object naming rules has the same name as an object on a managed device, the system lets you configure how the naming conflict is handled. Because objects on managed devices may be modified while system administrators process tickets, the system performs the same-name detection both when processing and when deploying tickets.
Select Ticket > Object Naming Configuration to enter the Object Naming Configuration page. In the Name Conflict Handling area, select the conflict handling method:

l Do not process the ticket: When processing a policy ticket, if an object with the same name is detected, the system terminates the ticket processing; when deploying a policy ticket, if an object with the same name is detected, the system fails to deploy the ticket. Users can view such tickets in the "To be Processed" ticket list.

l Use the existing object with the same name: When processing or deploying a ticket, if an object with the same name is detected, the system uses the existing object on the managed device and does not create a new object from the ticket. This option is configured by default.

l Rename automatically: When processing or deploying a ticket, if an object with the same name is detected, the system appends "- current timestamp" to rename it.

Object Naming Rules


Users can customize naming rules for objects of source address, destination address, protocol &
port, and schedule in policy ticket.
To configure object naming rules, take the following steps:

1. Select Ticket > Object Naming Configuration to enter Object Naming Configuration page.

2. In Object Naming Rules area, click Edit.

Select the Source Address tab, and configure as follows.

Option Descriptions

Type  Select the type of source address naming rule. The system uses the "IP address" type by default.

l IP address: The system will not create an address book, and ticket processing will not cause naming conflicts.

l Address Book: The system will create a source address book according to the naming rules configured by users.

Naming Rule  When the "Address Book" type is selected, users need to configure the specific information of the rule. Users can select the variables "Ticket Name" and "Line", which are dynamically created according to the Ticket Name and Remark of actual tickets, or manually type characters. The name of a source address book can be 95 characters at most. A variable, letter, number or symbol each counts as 1 character, and a Chinese character counts as 3 characters.

Select the Destination Address tab, and configure as follows.

Option Descriptions

Type  Select the type of destination address naming rule. The system uses the "IP address" type by default.

l IP address: The system will not create an address book, and ticket processing will not cause naming conflicts.

l Address Book: The system will create a destination address book according to the naming rules configured by users.

Naming Rule  When the "Address Book" type is selected, users need to configure the specific information of the rule. Users can select the variables "Ticket Name" and "Line", which are dynamically created according to the Ticket Name and Remark of actual tickets, or manually type characters. The name of a destination address book can be 95 characters at most. A variable, letter, number or symbol each counts as 1 character, and a Chinese character counts as 3 characters.

Select the Protocol & Port tab, and configure as follows.

Option Descriptions

Keep-alive  Click the Enable button to enable persistent connection.

Service Book

Naming Rule  Configure the specific information of a service book. Users can select the variables "Ticket Name", "Line", "Protocol", "Min Port", "Max port", "Timeout" and "Timeout Unit", which are dynamically created according to the Ticket Name, Remark, Protocol, Port, minimum port, maximum port, Timeout and Timeout unit of actual tickets, or manually type characters. The name of a service book can be 95 characters at most. A variable, letter, number or symbol each counts as 1 character, and a Chinese character counts as 3 characters.

Service Group

Status  Click the Enable button to organize the services created in the ticket together to form a service group.

Naming Rule  Configure the specific information of a service group. Users can select the variables "Ticket Name" and "Line", which are dynamically created according to the Ticket Name and Remark of actual tickets, or manually type characters. The name of a service group can be 95 characters at most. A variable, letter, number or symbol each counts as 1 character, and a Chinese character counts as 3 characters.

Select the Schedule tab, and configure as follows.

Option Descriptions

Naming Rule  Configure the specific information of a schedule. Users can select the variables "Begin Date", "End Date", "Start Time" and "End Time", which are dynamically created according to the "Begin Date", "End Date", "Start Time" and "End Time" of actual tickets, or manually type characters. The name of a schedule can be 31 characters at most. A variable, letter, number or symbol each counts as 1 character, and a Chinese character counts as 3 characters.

3. Click Save.
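
To make the naming rules and the Name Conflict Handling options of this section concrete, the following Python is an added example (not HSM code) that expands a naming rule into an object name, enforces the 95- and 31-character limits with the page's counting (a variable, letter, number or symbol counts as 1 and a Chinese character counts as 3), and applies the three conflict handling choices. The "{Variable}" token syntax, the function names, the sample ticket values and the timestamp format used for automatic renaming are assumptions.

```python
"""Expand an object naming rule and apply name-conflict handling.

Added example for this guide, not HSM code. Tokens like {Ticket Name} stand
for the variables the Object Naming Rules tables list; the token syntax and
the timestamp format are assumptions.
"""
import re
import time

# Maximum name length per object type, as stated in the tables.
LIMITS = {"address_book": 95, "service_book": 95, "service_group": 95, "schedule": 31}

# Variables each object type may use, as listed on the page.
VARIABLES = {
    "address_book": {"Ticket Name", "Line"},
    "service_book": {"Ticket Name", "Line", "Protocol", "Min Port", "Max port",
                     "Timeout", "Timeout Unit"},
    "service_group": {"Ticket Name", "Line"},
    "schedule": {"Begin Date", "End Date", "Start Time", "End Time"},
}

TOKEN = re.compile(r"\{([^{}]+)\}")   # assumed syntax: {Variable Name}


def char_weight(ch):
    """A Chinese character counts as 3; any other character counts as 1."""
    return 3 if "\u4e00" <= ch <= "\u9fff" else 1


def rule_length(rule, object_type):
    """Length as the page counts it: each variable is 1, literals per char_weight."""
    length, pos = 0, 0
    for m in TOKEN.finditer(rule):
        if m.group(1) not in VARIABLES[object_type]:
            raise ValueError(f"variable {m.group(1)!r} is not valid for {object_type}")
        length += sum(char_weight(c) for c in rule[pos:m.start()]) + 1
        pos = m.end()
    return length + sum(char_weight(c) for c in rule[pos:])


def expand(rule, object_type, ticket_values):
    """Check the length limit, then substitute the ticket's values for the variables."""
    if rule_length(rule, object_type) > LIMITS[object_type]:
        raise ValueError(f"naming rule exceeds {LIMITS[object_type]} characters")
    return TOKEN.sub(lambda m: str(ticket_values[m.group(1)]), rule)


def resolve_conflict(name, existing_names, mode, now=None):
    """Apply the Name Conflict Handling choice when the name already exists.

    Returns (action, final_name) where action is "create" or "reuse".
    """
    if name not in existing_names:
        return "create", name
    if mode == "do_not_process":
        # Processing stops (or deployment fails); the ticket stays in To be Processed.
        raise RuntimeError(f"object {name!r} already exists on the device; ticket not processed")
    if mode == "use_existing":
        return "reuse", name          # the device's object is used, nothing new is created
    if mode == "rename":
        # Page: append "- current timestamp"; the exact format is assumed.
        stamp = time.strftime("%Y%m%d%H%M%S", time.gmtime(now))
        return "create", f"{name}-{stamp}"
    raise ValueError(f"unknown conflict handling mode {mode!r}")


# Constructed sample ticket values, as a processed ticket would supply them.
SAMPLE_TICKET = {"Ticket Name": "T-2041", "Line": "web access", "Protocol": "tcp",
                 "Min Port": 80, "Max port": 443, "Timeout": 30, "Timeout Unit": "min"}
```

Running `expand("{Ticket Name}_{Protocol}_{Min Port}-{Max port}", "service_book", SAMPLE_TICKET)` yields a service book name built from the ticket, and `resolve_conflict` then decides whether that name is created, reused or renamed on the target device; checking the rule length before the ticket is processed avoids the same rule failing later at deployment time.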

Matching Mode
The system allows users to configure matching rules that compose the corresponding matching mode for policy tickets. Matching modes meet users' different requirements for matching policy tickets to managed devices, and facilitate the issuance of policy tickets.

The system predefines three matching modes: Auto Matching, Manual Matching and Customized Matching. Auto Matching and Manual Matching cannot be deleted or edited. Users can edit the rules of Customized Matching or create new matching modes.
The system only allows one matching mode to be enabled at a time. To enable a specific matching mode, click the enable button next to it.

Auto Matching
The system enables Auto Matching by default. Auto Matching contains one matching rule predefined by the system.
If users enable Auto Matching, then according to its predefined rule, when the system administrator processes a policy ticket, the system traverses all the managed devices. When the source address or destination address configured in the policy ticket matches the destination route network of a managed device, the system picks out that device, and the administrator can deploy the corresponding policy ticket to these devices.
Users cannot edit or delete Auto Matching.

Manual Matching
If users enable Manual Matching, when processing a policy ticket, the system administrator needs
to manually add managed devices to be deployed for this ticket.
Users cannot edit or delete Manual Matching. And users cannot create matching rules for Manual
Matching.

Customized Matching
Customized Matching contains three matching rules, which can be deleted and edited. Users can
also add new matching rules for Customized Matching. If users enable Customized Matching,
when the system administrator processes a policy ticket, system will pick out the managed
devices according to the matching rules in Customized Matching and deploy this policy ticket to
such devices.

l rule1: A rule of Net Object dimension. System will pick out the managed devices when both
source address and destination address of the policy ticket match User_Defined_Network1.

l rule2: A rule of Device dimension. System will traverse all the managed devices. System will
pick out the managed devices when the source address in the policy ticket matches User_
Defined_Network2 and Destination Route Network.

l rule3: A rule of Device dimension. System will traverse all the managed devices. System will
pick out the managed devices when the destination address in the policy ticket matches
Destination Route Network.

Create Matching Mode


To create a new matching mode, take the following steps:

1. Select Ticket > Matching Mode.

2. Click New in the left navigation bar. In the New Matching Mode dialog box, configure basic
information of the mode.

l Name: Specify the name of the matching mode. The range is 1 to 31 characters.

l Description: Enter the description for the matching mode. The range is 0 to 255 characters.

3. Click OK to save the settings.

Create Matching Rule

Users need to configure matching rules for a user-defined matching mode.


To create matching rules, take the following steps:

1. In the left navigation bar of Matching Mode, select the user-defined matching mode that
needs to be configured. The main window displays the matching rule list of the mode.

2. Click the New button above the matching rule list and select the type of the rule.

l A quintuple will be matched with devices: The system picks out the managed devices that meet the conditions from all managed devices according to the configured matching rules.

l A quintuple will be matched with networks: Users need to specify the managed devices associated with the rule first. The system uses the five-tuple configured in the policy ticket to traverse all the networks in the rule. When the matching rule is met, the system picks out the devices associated with the matching rule for the corresponding policy ticket.

3. Click the Next button to enter the New Matching Rule page.

l Configure matching rules of Device dimension.

Option Description

Rule Name  Specify the name of the matching rule.

Matching Condition  Each condition contains three components: judgment-object, judgment-action and judgment-target. Select the three components of the matching condition in the drop-down lists, and click the add button to add it to the configuration box. When multiple conditions are added, connect them with logical operators: hold down "Ctrl", select two conditions, and click the button on the right side of the logical operator. The system will automatically connect the selected two conditions.

l Judgment-object: SrcIP/DstIP

l Judgment-action: Match/Not Match

l Judgment-target: Destination Route Network/User-defined Network

l Logical Operator: and/or

Action  Specify the action corresponding to the match condition(s).

l Match: All managed devices will be traversed to search for the devices that match the condition(s).

l Do Not Match: All managed devices will be traversed to filter out the devices that match the condition(s).

l Configure matching rules of the Net Object dimension.

l Rule Name: Specify the name of the matching rule.

l Matching Condition: Each condition contains three components: judgment-object, judgment-action
and judgment-target. Select the three components of the matching condition from the drop-down
lists, then click to add it to the configuration box. When multiple conditions are added, connect
them with logical operators: hold down "Ctrl", select two conditions, and click the logical
operator on the right side. The system automatically connects the two selected conditions.

l Judgment-object: SrcIP/DstIP

l Judgment-action: Match/Not Match

l Judgment-target: Destination Route Network/User-defined Network

l Logical Operator: and/or

l Devices: Specify the managed devices corresponding to the match condition(s). When the
five-tuple of the policy ticket meets the matching condition(s), the system picks out the
specified devices for the ticket.

4. Click Done to save the settings.

Matching Order of Matching Rules

When multiple matching rules are configured in a matching mode, the system automatically sorts
all the rules according to "rule of Net Object dimension > rule of Device dimension". An example
is shown below:

The matching mode "Mode1" contains four matching rules, "network1", "network2", "device1"
and "device2". The system administrator enables "Mode1". When the system administrator processes
the policy ticket "ticket1", the system executes the rules as follows:

1. If the system picks out managed devices for "ticket1" according to "network1", the matching
process of "Mode1" ends. If the system does not pick out a managed device for "ticket1"
according to "network1", then "network2" is evaluated.

2. If the system does not pick out a managed device for "ticket1" according to either "network1"
or "network2", then the rules of the Device dimension are evaluated.

3. The system executes all the rules of the Device dimension to pick out the corresponding
devices for "ticket1". Then "Mode1" ends.
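The matching order above, as an added example that is not part of the original guide or Hillstone's code: a small Python model of a matching mode, with constructed devices, user-defined networks and rules named after "Mode1". It assumes that each condition is evaluated per managed device, so "Destination Route Network" refers to that device's own synchronized route list.

```python
"""Added example (not Hillstone's code): a model of how a matching mode picks
managed devices for a policy ticket, following the matching order described
above.  Net Object dimension rules run first, in list order, and the first rule
that picks devices ends the mode; only if none does are all Device dimension
rules run.  Assumption not stated on the page: conditions are evaluated per
device, so "Destination Route Network" means that device's own route list."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple, Union


@dataclass(frozen=True)
class Condition:
    """One matching condition: judgment-object, judgment-action, judgment-target."""
    obj: str      # "SrcIP" or "DstIP"
    action: str   # "Match" or "Not Match"
    target: str   # "Destination Route Network" or a user-defined network name


# Two conditions joined by a logical operator, as the Ctrl-select step in the UI
# does; nesting tuples builds longer expressions.
Expr = Union[Condition, Tuple[str, "Expr", "Expr"]]


@dataclass
class Device:
    name: str
    dest_route_networks: List[str]   # CIDR strings synchronized from the device


@dataclass
class Rule:
    name: str
    dimension: str                   # "Net Object" or "Device"
    expr: Expr
    action: str = "Match"            # Device dimension: "Match" / "Do Not Match"
    devices: List[str] = field(default_factory=list)  # Net Object dimension only


@dataclass
class Ticket:
    src_ip: str   # the conditions only look at SrcIP and DstIP of the five-tuple
    dst_ip: str


def in_networks(ip: str, nets: List[str]) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(n, strict=False) for n in nets)


def eval_expr(expr: Expr, ticket: Ticket, device: Device,
              user_networks: Dict[str, List[str]]) -> bool:
    """Evaluate a condition tree for one ticket against one managed device."""
    if isinstance(expr, Condition):
        ip = ticket.src_ip if expr.obj == "SrcIP" else ticket.dst_ip
        nets = (device.dest_route_networks if expr.target == "Destination Route Network"
                else user_networks[expr.target])
        hit = in_networks(ip, nets)
        return hit if expr.action == "Match" else not hit
    op, left, right = expr
    lhs = eval_expr(left, ticket, device, user_networks)
    rhs = eval_expr(right, ticket, device, user_networks)
    return (lhs and rhs) if op == "and" else (lhs or rhs)


def sort_rules(rules: List[Rule]) -> List[Rule]:
    """Net Object rules always precede Device rules; order within a dimension is kept."""
    return ([r for r in rules if r.dimension == "Net Object"]
            + [r for r in rules if r.dimension == "Device"])


def match_ticket(ticket: Ticket, rules: List[Rule], devices: List[Device],
                 user_networks: Dict[str, List[str]]) -> Tuple[Set[str], List[str]]:
    """Return (picked device names, names of the rules that picked them)."""
    by_name = {d.name: d for d in devices}
    ordered = sort_rules(rules)
    for rule in (r for r in ordered if r.dimension == "Net Object"):
        picked = {n for n in rule.devices
                  if eval_expr(rule.expr, ticket, by_name[n], user_networks)}
        if picked:                     # first Net Object hit ends the matching process
            return picked, [rule.name]
    picked, used = set(), []           # no Net Object hit: every Device rule runs
    for rule in (r for r in ordered if r.dimension == "Device"):
        hits = {d.name for d in devices if eval_expr(rule.expr, ticket, d, user_networks)}
        chosen = hits if rule.action == "Match" else set(by_name) - hits
        if chosen:
            picked |= chosen
            used.append(rule.name)
    return picked, used


# Constructed sample data mirroring "Mode1" from the text; the rule list is
# deliberately unsorted so sort_rules() has work to do.
USER_NETWORKS = {"User_Defined_Network1": ["10.1.0.0/16"],
                 "User_Defined_Network2": ["192.168.0.0/16"]}
DEVICES = [Device("devA", ["10.1.0.0/16"]), Device("devB", ["172.16.0.0/12"]),
           Device("devC", ["10.2.0.0/16"])]
MODE1_RULES = [
    Rule("device1", "Device", Condition("DstIP", "Match", "Destination Route Network")),
    Rule("network1", "Net Object", Condition("DstIP", "Match", "User_Defined_Network1"),
         devices=["devA"]),
    Rule("device2", "Device", Condition("SrcIP", "Match", "User_Defined_Network2"),
         action="Do Not Match"),
    Rule("network2", "Net Object",
         ("and", Condition("SrcIP", "Match", "User_Defined_Network2"),
                 Condition("DstIP", "Match", "Destination Route Network")),
         devices=["devB", "devC"]),
]
```

A ticket to 10.1.5.5 is settled by "network1" alone, one to 172.16.3.4 falls through to "network2", and one from 10.9.9.9 to 10.2.1.1 misses both network rules, so every Device rule runs and their results are combined.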

For user-defined rules in the matching rule list, you can perform other operations:

l Click to edit the specified rule. The Rule Name cannot be edited.

l Click to delete the specified rule.

l Click to delete multiple selected rules in a batch.

l Select the specified rule and drag it to sort. A rule of the Device dimension cannot be moved
before a rule of the Network dimension.

Edit Matching Mode


The system allows you to edit and delete existing matching modes, or edit the matching rules in a
matching mode. The matching modes and rules predefined by the system cannot be edited.

l Click to edit the description of specified mode.

l Click to delete the specified rule.

l Select the specified mode to enter its matching rule list. You can edit the rules in the list.

Network
The system lets users configure collections of different network segments according to their
needs, that is, User-defined Networks. Both Destination Route Networks and User-defined
Networks can be referenced when configuring matching rules, so that the matching requirements
between policy tickets and managed devices are met and the system can quickly select the managed
devices that match different security policy tickets.

Destination Route Network


The system obtains the destination route network list of a managed device when the device goes
online for the first time. Users can also manually synchronize the destination route network list.

1. Select Ticket > Network > Destination Route Network. Users can view destination route
network list of managed devices in the page.

2. Enter the specified IP address in the text box of the toolbar, and click the Search button to
quickly pick out the managed devices that contain the specified IP address in their destination
route network list.

3. Click the Device of an IP address in the list to jump to the destination route network page
of the managed device. In this page, users can operate as follows.

l Enter the specified IP/Mask in the text box of the toolbar, and click the Add button to
add the address to the device's destination route network list.

l Click the Delete button to remove the selected member. Members synchronized from managed
devices cannot be removed.

l Click Enable/Disable button to enable or disable the selected member.

Notes: Operations on members in this page will not be synchronized to the actual device's
destination route network list.

4. Click the managed device in the left navigation bar to view the destination route network
information of the device. When you click a physical device, the destination route information
of its root vsys is displayed by default.
User-defined Network
The system lets users create, edit, import and remove user-defined networks.
Two user-defined networks, "User_Defined_Network1" and "User_Defined_Network2", exist by
default. Users can edit "User_Defined_Network1" and "User_Defined_Network2".

Create User-defined Network

To create user-defined network, take the following steps:

1. Select Ticket > Network > User-defined Network, and click the New button in the navigation bar.
The New Network dialog pops up.

2. Configure the following options in the dialog.

l Name: Specifies the name of the network. The range is 1 to 31 characters.

l Description: Enter the descriptions for the network. The range is 0 to 256 characters.

l IP/Netmask: Specifies the address of the network. Enter an IP address and its netmask in
the text box, and click the add button to add the configured member to the list.

l Click to delete the specified member.

l Select multiple members and click the delete button in the toolbar to delete them in a batch.

3. Click OK to save the settings.

Edit User-defined Network

1. Select Ticket > Network > User-defined Network.

2. Specify a user-defined network and click the Edit button in the main window to enter the
network configuration page.

3. Click Save.

Import User-defined Network

1. Select Ticket > Network > User-defined Network.

2. Click the Import button in the navigation bar to pop up the Import User-defined Network dialog
box.

l Import Configuration File: Click Browse and select the Excel file for the user-defined
network.

l Download Template: Download the template of the user-defined network file, fill it in, and
import it.

3. Click Upload to import the configuration file.

Delete User-defined Network

1. Select Ticket > Network > User-defined Network.

2. Select multiple user-defined networks and click the delete button in the toolbar to delete
them in a batch.
Monitor
The HSM monitor function gathers data from managed devices and displays the statistics as bar
charts, pie charts, line charts, tables and so on. You can learn the network situation and resolve
network problems through these statistics. HSM provides monitor data in multiple aspects, including:

l Device monitor: Shows the statistics in the aspect of the managed device (traffic, attack
defense, anti-virus, IPS, CPU, memory). When a problem happens in the network, you can
identify the problem device from the device rank, and with the drill-down function you can
investigate further by different factors.

l User monitor: Shows the statistics in the aspect of user/IP (traffic, attack defense, anti-virus,
IPS). When a problem happens in the network, you can identify the problem user/IP from the
user/IP rank, and with the drill-down function you can investigate further by different factors.

l Application monitor: Shows the statistics in the aspect of application (application traffic).
Application monitor helps you know the applications in the network and learn the network
behavior of the managed people. With the drill-down function, you can get detailed
application-related statistics by different factors.

l Network threat: Shows the statistics in the aspect of network threats (attack defense,
anti-virus, IPS). When network threats occur in the network, you can identify the threat from
the threat rank, and with the drill-down function you can investigate further.

l Network behavior: Shows the statistics in the aspect of network behavior (URL hit and URL
category hit). Network behavior monitor helps you know the network behavior of the managed
people and keep track of network access information.

HSM provides the My Monitor function. With this function,

l you can continuously monitor a device in one aspect;

l you can access your favorite monitor page conveniently to get the information you are
interested in;

l you can do customized monitoring according to your own requirements.


By default, the monitor function is disabled. To enable/disable the monitor function, click System
> Device Management > Monitor Configuration from the Level-1 navigation pane. For detailed
information, refer to Monitor Configuration.

Device Monitor
The device monitor page shows various statistics in the aspect of the managed device. The
device monitor statistics are organized in the main page (summary of device monitor), details page
(detailed statistics of each module), drill-down sub-page (statistics in a specified factor), and trend
page.

Main Page
Select Monitor > Device to enter the device monitor main page. The page shows the following
information with bar charts:

l Top 10 Devices by Average Rate: The device average rate rank in a specified time period.
To drill down, click a bar of a device and select a factor from the pop-up menu to see the
related statistics. The supported factors are zone, interface, user/IP, application, and
traffic trend.

l Top 10 Devices by Threat: The threat count rank of devices in a specified time period,
including virus attack counts, intrusion counts and AD attack counts. To drill down, click a
bar of a device and select a factor from the pop-up menu to see the related statistics. The
supported factors are interface, attacker, victim, and trend.

l Top 10 Devices by CPU Utilization: The CPU utilization rank of devices in a specified time
period. To drill down, click a bar of a device and select Trend to see the CPU utilization
trend statistics of the device.

l Top 10 Devices by Memory Utilization: The memory utilization rank of devices in a specified
time period. To drill down, click a bar of a device and select Trend to see the memory
utilization trend statistics of the device.

The managed devices and time period can be specified.


To specify the devices whose statistics will be shown, take the following steps:

1. Click Select Device (Group) from the up-left corner of the main page.

The Select Device (Group) dialog pops up.

2. Select the Device or Device Group radio option, and then select the device or device group
from the box.

3. Click OK to save the changes and close the dialog. The monitor page only shows the
statistics of the selected devices.

HSM supports pre-defined and customized time periods. You can specify the time period by
configuring the options in the upper-right corner.

l The drop-down list of pre-defined time periods. The menu items are described as below:

l Latest 5 Minutes: Shows the statistics of the latest 5 minutes.

l Latest 15 Minutes: Shows the statistics of the latest 15 minutes.

l Latest 1 Hour: Shows the statistics of the latest 1 hour.

l Latest 1 Day: Shows the statistics of the latest 1 day.

l Latest 1 Month: Shows the statistics of the latest 1 month.

l Customize the time period. Select this option, and the Select Time dialog appears. You can
specify the time period according to your own requirements. The minimum interval between the
start time and the end time is 15 minutes, and at most the latest 1 year of statistics can be
shown.

The devices and time period specified here will impact the details page, drill-down sub-page, and
trend page.

Details Page
In the main page, click Details of each chart to go to the corresponding details page.

The details page shows the detailed statistics with bar charts and tables. The bar charts show
the device rank by different factors, and you can switch factors by clicking the buttons in the
upper-left corner.
The drill-down function and the specification of the time period are also supported; the tables
display the detailed data, and you can find the data you are interested in quickly by using the
search function.
What's more, the Add to MyMonitor function is provided in the details page. Click the Add to
MyMonitor button, and the current chart and table information is saved to MyMonitor. You can
then reach the monitor you are interested in quickly in the MyMonitor module.

Take the details page of device average rate as the example:

As shown in the screenshot above, the Top 10 drop-down list determines the number of bars shown
in the bar chart; the Average Rate, Forwarding Rate, and New Sessions Count buttons switch among
different factors; the time options in the upper-right corner specify the time period of the
statistics; use the drill-down function on the bars to get more detailed statistics in the
specified factors.

As shown in the screenshot above, the detailed data of each device is displayed in the table. At
most, the data of the top 200 devices can be displayed. By using the search function, you can get
the information you want quickly.

Notes: High, Middle, Low factors of the IPS details page refer to the severities of
IPS signatures which are high, middle and low.

Drill-down Sub-page
On the main page or the details page, click a bar and select a menu option, the pop-up page is the
drill-down sub-page. For example, in the device monitor main page, click the bar named M2105,
and select Interface from the pop-up menu, a new page showing interface traffic rank of M2105
appears. The data in the drill-down sub-page is organized in the same way as the details page
(excluding the trend page).

Trend Page
In the bar chart, click a bar and select Traffic Trend/Trend, the trend page of the selected factor
appears. HSM uses line charts to show the developing trend in multiple factors.
Real-time Trend Monitor
To monitor a device in real-time, take the following steps:

1. In the main page or details page, click a bar and select Traffic Trend/Trend.

2. In the trend page, select Real-time from drop-down list in the upper-right corner.

Drill-down in Trend Page


In the current trend page, if further information based on user/IP or application is available,
you can get it by the drill-down function. HSM uses a pie chart to show the application
distribution, and a bar chart to show the user/IP rank.
To view the drill-down sub-page of the trend chart, take the following steps:

1. In the main page or details page, click a bar and select Traffic Trend/Trend.

2. In the trend chart, click a statistics value.

3. The dialog showing the application distribution or the user/IP rank appears.

4. Click the User/IP button to switch to the User/IP rank display.

User Monitor
The user monitor page shows various statistics in the aspect of users on the managed device. The
user monitor statistics are organized in the main page (summary of user monitor), details page
(detailed statistics of each module), drill-down sub-page (statistics in a specified factor), and trend
page.

Main Page
Select Monitor > User to enter the user monitor main page. The user monitor main page shows
the following information with bar charts:

l Top 10 User Traffic: The user traffic rank in a specified time period. To drill down, click a
bar of a user and select Traffic Trend from the pop-up menu to see the corresponding statistics.

l Top 10 Users by Threat Count: The threat count rank of users (attackers) in a specified time
period, including virus attack counts, intrusion counts and AD attack counts. To drill down,
click a bar of a user and select Victim or Trend from the pop-up menu to see the corresponding
statistics.

The managed devices and time period can be specified.

To specify the devices whose statistics will be shown, take the following steps:

1. Click Select Device (Group) from the up-left corner of the main page.

The Select Device (Group) dialog pops up.

2. Select the Device or Device Group radio option, and then select the device or device group
from the box.

3. Click OK to save the changes and close the dialog. The monitor page only shows the
statistics of the selected devices.

HSM supports pre-defined and customized time periods. You can specify the time period by
configuring the options in the upper-right corner.

l The drop-down list of pre-defined time periods. The menu items are described as below:

l Latest 5 Minutes: Shows the statistics of the latest 5 minutes.

l Latest 15 Minutes: Shows the statistics of the latest 15 minutes.

l Latest 1 Hour: Shows the statistics of the latest 1 hour.

l Latest 1 Day: Shows the statistics of the latest 1 day.

l Latest 1 Month: Shows the statistics of the latest 1 month.

l Customize the time period. Select this option, and the Select Time dialog appears. You can
specify the time period according to your own requirements. The minimum interval between the
start time and the end time is 15 minutes, and at most the latest 1 year of statistics can be
shown.

The devices and time period specified here will impact the details page, drill-down sub-page, and
trend page.

Details Page
In the main page, click Details of each chart to go to the corresponding details page.

The details page shows the detailed statistics with bar charts and tables. The bar charts show
the user rank by different factors, and you can switch factors by clicking the buttons in the
upper-left corner.
The drill-down function and the specification of the time period are also supported; the tables
display the detailed data, and you can find the data you are interested in quickly by using the
search function.
What's more, the Add to MyMonitor function is provided in the details page. Click the Add to
MyMonitor button, and the current chart and table information is saved to MyMonitor. You can
then reach the monitor you are interested in quickly in the MyMonitor module.
Take the details page of user traffic as the example:

As shown in the screenshot above, the Top 10 drop-down list determines the number of bars shown
in the bar chart; the Average Rate, Sent, Received, Forwarding Rate, and New Sessions buttons
switch among different factors; the time options in the upper-right corner specify the time period
of the statistics; use the drill-down function on the bars to get more detailed statistics in the
specified factors.

As shown in the screenshot above, the detailed data of each user is displayed in the table. At
most, the data of the top 200 users can be displayed. By using the search function, you can get
the information you want quickly.

Drill-down Sub-page
On the main page or the details page, click a bar and select a menu option; the pop-up page is the
drill-down sub-page. The drill-down page shows the detailed statistics in a specified factor of the
user or the trend information of the user. For example, in the user monitor main page, click a
bar from the user traffic rank chart and select Traffic Trend from the pop-up menu, and a new page
showing the traffic trend appears. The data in the drill-down sub-page is organized in the same way
as the details page (excluding the trend page).

Trend Page
In the bar chart, click a bar and select Traffic Trend/Trend, the trend page of the selected factor
appears. HSM uses line charts to show the developing trend in multiple factors.
Real-time Trend Monitor
To monitor a user on a device in real-time, take the following steps:

1. In the user monitor main page, click Select Device (Group), and select a device in the Select
Device (Group) dialog.

2. In the main page or details page, click a bar and select Traffic Trend/Trend.

3. In the trend page, select Real-time from the drop-down list in the upper-right corner.

Application Monitor
The application monitor page shows various statistics in the aspect of applications on the
managed device. The application monitor statistics are organized in the main page (summary of
application monitor), details page (detailed statistics of each module), drill-down sub-page
(statistics in a specified factor), and trend page.

Main Page
Select Monitor > Application to enter the application monitor main page. The application monitor
main page shows the following information with bar charts:

l Top 10 Application Traffic: The application traffic rank in the specified time period. To drill
down, click a bar of an application and select a factor from the pop-up menu to see the related
statistics. The supported factors are device and trend.

The managed devices and time period can be specified.


To specify the devices whose statistics will be shown, take the following steps:

1. Click Select Device (Group) from the up-left corner of the main page.

The Select Device (Group) dialog pops up.

2. Select the Device or Device Group radio option, and then select the device or device group
from the box.

3. Click OK to save the changes and close the dialog. The monitor page only shows the
statistics of the selected devices.

HSM supports pre-defined and customized time periods. You can specify the time period by
configuring the options in the upper-right corner.

l The drop-down list of pre-defined time periods. The menu items are described as below:

l Latest 5 Minutes: Shows the statistics of the latest 5 minutes.

l Latest 15 Minutes: Shows the statistics of the latest 15 minutes.

l Latest 1 Hour: Shows the statistics of the latest 1 hour.

l Latest 1 Day: Shows the statistics of the latest 1 day.

l Latest 1 Month: Shows the statistics of the latest 1 month.

l Customize the time period. Select this option, and the Select Time dialog appears. You can
specify the time period according to your own requirements. The minimum interval between the
start time and the end time is 15 minutes, and at most the latest 1 year of statistics can be
shown.

The devices and time period specified here will impact the details page, drill-down sub-page, and
trend page.

Details Page
In the main page, click Details of each chart to go to the corresponding details page.

The details page shows the detailed statistics with bar charts and tables. The bar charts show
the application rank by different factors, and you can switch factors by clicking the buttons in
the upper-left corner.
The drill-down function and the specification of the time period are also supported; the tables
display the detailed data, and you can find the data you are interested in quickly by using the
search function.
What's more, the Add to MyMonitor function is provided in the details page. Click the Add to
MyMonitor button, and the current chart and table information is saved to MyMonitor. You can
then reach the monitor you are interested in quickly in the MyMonitor module.
Take the details page of application traffic as the example:

As shown in the screenshot above, the Top 10 drop-down list determines the number of bars shown
in the bar chart; the Average Rate, Forwarding Rate, and New Sessions buttons switch among
different factors; the time options in the upper-right corner specify the time period of the
statistics; use the drill-down function on the bars to get more detailed statistics in the
specified factors.

As shown in the screenshot above, the detailed data of each application is displayed in the table.
At most, the data of the top 200 applications can be displayed. By using the search function, you
can get the information you want quickly.

Drill-down Sub-page
On the main page or the details page, click a bar and select a menu option; the pop-up page is the
drill-down sub-page. The drill-down page shows the detailed statistics in a specified factor of the
application or the trend information of the application. For example, in the application monitor
main page, click the HTTP bar from the application traffic rank chart and select Device from the
pop-up menu, and a new page showing the device rank of the HTTP application appears. The data in
the drill-down sub-page is organized in the same way as the details page (excluding the trend page).

Trend Page
In the bar chart, click a bar and select Traffic Trend/Trend, the trend page of the selected factor
appears. HSM uses line charts to show the developing trend in multiple factors.
Real-time Trend Monitor (Method 1)
To monitor an application on a device in real-time, take the following steps:

1. In the application monitor main page, click Select Device (Group), and select a device in the
Select Device (Group) dialog.

2. In the main page or details page, click a bar and select Traffic Trend/Trend.

3. In the trend page, select Real-time from the drop-down list in the upper-right corner.
Real-time Trend Monitor (Method 2)
To monitor an application on a device in real-time, take the following steps:

1. In the main page or details page, click a bar and select Device.

2. In the device rank bar chart, click a bar and select Trend from the pop-up menu.

3. In the trend page, select Real-time from drop-down list in the upper-right corner.

Network Threat Monitor


The network threat monitor page shows various statistics in the aspect of network threats on the
managed device. The network threat monitor statistics are organized in the main page (summary of
network threat monitor), details page (detailed statistics of each module), drill-down sub-page
(statistics in a specified factor), and trend page.

Main Page

Traditional

Select Monitor > Network Threat > Traditional to enter the network traditional threat monitor
main page. The network threat monitor main page shows the following information with bar
charts:

l Top 10 Attacks: The AD attack count rank in the specified time period. With the drill-down
function, namely click a bar of an attack, and select a factor from the pop-up menu to see the
related statistics. The supported factors are attacker, victim, device, and trend.

l Top 10 Virus: The virus attack count in a specified time period. To drill down, click a bar
of a virus and select a factor from the pop-up menu to see the related statistics. The supported
factors are attacker, victim, device, and trend.

l Top 10 Intrusions: The intrusion count in a specified time period. To drill down, click a
bar of an intrusion and select a factor from the pop-up menu to see the related statistics. The
supported factors are attacker, victim, device, and trend.

The ID shown in the X-axis is the IPS signature ID.

Intelligence

Select Monitor > Network Threat > Intelligence to enter the network Intelligence threat monitor
main page. Only NIPS and IDS devices support Intelligence threat monitor. The threat monitor
main page shows the following information:

l Threat Distribution: A pie chart shows the distribution of the different threat types in the
specified time period.

l Threat Deal Distribution: A doughnut chart shows the distribution of how threats were dealt
with in the specified time period. The inner ring displays the proportion of blocked and detected
counts of all threats, while the outer ring displays the proportion of blocked and detected
counts of the different threat types.

l Top 10 Threat: The threat count in a specified time period, including virus attack counts,
intrusion counts and AD attack counts.

l Top 10 Distribution: The threat count of subtypes in a specified time period.

Statistics Period
The managed devices and time period can be specified.
To specify the devices whose statistics will be shown, take the following steps:

1. Click Select Device (Group) from the up-left corner of the main page.

The Select Device (Group) dialog pops up.

2. Select the Device or Device Group radio option, and then select the device or device group
from the box.

3. Click OK to save the changes and close the dialog. The monitor page only shows the
statistics of the selected devices.

HSM supports pre-defined and customized time periods. You can specify the time period by
configuring the options in the upper-right corner.

l The drop-down list of pre-defined time periods. The menu items are described as below:

l Latest 5 Minutes: Shows the statistics of the latest 5 minutes.

l Latest 15 Minutes: Shows the statistics of the latest 15 minutes.

l Latest 1 Hour: Shows the statistics of the latest 1 hour.

l Latest 1 Day: Shows the statistics of the latest 1 day.

l Latest 1 Month: Shows the statistics of the latest 1 month.

l Customize the time period. Select this option, and the Select Time dialog appears. You can
specify the time period according to your own requirements. The minimum interval between the
start time and the end time is 15 minutes, and at most the latest 1 year of statistics can be
shown.

The devices and time period specified here will impact the details page, drill-down sub-page, and
trend page.

Details Page
In the main page, click Details of each chart to go to the corresponding details page.

The details page shows the detailed statistics with bar charts and tables. The bar charts are used to
show the attack rank.

The drill-down function and the specification of the time period are also supported; the tables
display the detailed data, and you can find the data you are interested in quickly by using the
search function.
What's more, the Add to MyMonitor function is provided in the details page. Click the Add to
MyMonitor button, and the current chart and table information is saved to MyMonitor. You can
then reach the monitor you are interested in quickly in the MyMonitor module.
Take the details page of the attacks ranking as the example:

As shown in the screenshot above, the Top 10 drop-down list determines the number of bars shown
in the bar chart; the time options in the upper-right corner specify the time period of the
statistics; use the drill-down function on the bars to get more detailed statistics in the
specified factors.

As shown in the screenshot above, the detailed data of each attack is displayed in the table. At
most, the data of the top 200 attacks can be displayed. By using the search function, you can get
the information you want quickly.

Notes: High, Middle, Low factors of the IPS details page refer to the severities of
IPS signatures which are high, middle and low.

Drill-down Sub-page
On the main page or the details page, click a bar and select a menu option, the pop-up page is the
drill-down sub-page. The drill-down page shows the detailed statistics in a specified factor of the
attack or the trending information of the attack. For example, in the network threat monitor main
page, click a bar of an attack from the threat count rank chart, and select Device from the pop-up
menu, a new page showing device rank of the specified threat appears. The data in the drill-down
sub-page is organized in the same way as the details page (excluding the trend page).

Trend Page
In a bar chart, click a bar and select Trend, and the trend page of the selected factor appears. HSM
uses line charts to show the trend over time for multiple factors.
Real-time Trend Monitor (Method 1)
To monitor an attack on a device in real-time, take the following steps:

1. On the network threat monitor main page, click the Select Device (Group) button and select a
device in the Select Device (Group) dialog.

2. In the main page or details page, click a bar and select Trend.

3. In the trend page, select Real-time from the drop-down list in the upper-right corner.

Real-time Trend Monitor (Method 2)

To monitor an attack on a device in real-time, take the following steps:

1. In the main page or details page, click a bar and select Device.

2. In the device rank bar chart, click a bar and select Trend from the pop-up menu.

3. In the trend page, select Real-time from the drop-down list in the upper-right corner.

Drill-down in Trend Page


In the current trend page, if further information based on user/IP or destination IP (victim) is
available, you can get it with the drill-down function. HSM uses bar charts to show the user/IP
rank of the attack.
To view the drill-down sub-page of the trend chart, take the following steps:

1. In the main page or details page, click a bar and select Trend.

2. In the trend chart, click a statistics value.

3. The dialog showing the attacker rank and victim rank appears.

4. Click the Victim button to switch to the victim rank display.

Network Behavior Monitor


The network behavior monitor page shows URL/URL category hit count statistics from the network
behavior perspective. The network behavior monitor statistics are organized into the main page
(summary of device monitor), details page (detailed statistics of each module), drill-down sub-page
(statistics for a specified factor), and trend page.

Main Page
Select Monitor > NBM to enter the network behavior monitor main page. The page shows the fol-
lowing information with bar charts:

l Top 10 URL Category Hit Count: The URL category hit count rank in a specified time period.
With the drill-down function, click the bar of a URL category and select a factor from the
pop-up menu to see the related statistics. The supported factors are URL, user/IP, device,
and Trend.

l Top 10 URL Hit Count: The URL hit count rank in a specified time period. With the drill-
down function, click the bar of a URL and select a factor from the pop-up menu to see the
related statistics. The supported factors are user/IP, device, and Trend.

The managed devices and the time period can be specified. VSYS devices can also be specified
if needed.
To specify the devices whose statistics will be shown, take the following steps:

1. Click Select Device (Group) from the up-left corner of the main page.

The Select Device (Group) dialog pops up.

2. Select the Device or Device Group radio option, and then select the device, VSYS device or
device group from the box.

3. Click OK to save the changes and close the dialog. The monitor page only shows the stat-
istics of the selected devices.

HSM supports pre-defined time periods and customized time periods. You can specify the time
period by configuring the options in the upper-right corner.

l : The drop-down list of pre-defined time periods. The menu items are described as below:

l Latest 5 Minutes: Shows the statistics of the latest 5 minutes.

l Latest 15 Minutes: Shows the statistics of the latest 15 minutes.

l Latest 1 Hour: Shows the statistics of the latest 1 hour.

l Latest 1 Day: Shows the statistics of the latest 1 day.

l Latest 1 Month: Shows the statistics of the latest 1 month.

l : Customize the time period. Select this option, and the Select Time dialog appears. You can
specify the time period according to your own requirements. The minimum interval between the
start time and the end time is 15 minutes, and at most the statistics of the latest 1 year can be
shown.

The devices and time period specified here will impact the details page, drill-down sub-page, and
trend page.

Details Page
In the main page, click Details of each chart to go to the corresponding details page.

The details page shows the detailed statistics with bar charts and tables. The bar charts are used to
show the URL category/URL hit count rank.
The drill-down function and the specification of a time period are also supported. The tables are
used to display the detailed data, and the search function lets you find the data you are interested
in quickly.
The details page also provides the Add to MyMonitor function. Click the Add to MyMonitor
button, and the current chart and table information will be saved to MyMonitor, so that you can
reach the monitor quickly in the MyMonitor module.
Take the details page of URL category rank chart as the example:

As shown in the screenshot above, the Top 10 drop-down list determines the number of bars
shown in the bar chart; the time options in the upper-right corner specify the time period of the
statistics; use the drill-down function on the bars to get more detailed statistics for the specified
factors.

As shown in the screenshot above, the detailed data of each URL category/URL is displayed in
the table. At most, the data of the top 200 entries can be displayed. By using the search function,
you can find the information you want quickly.

Drill-down Sub-page
On the main page or the details page, click a bar and select a menu option; the page that pops up
is the drill-down sub-page. The drill-down page shows the detailed statistics for a specified factor
of the URL category/URL, or the trend information of the URL category/URL. For example, on the
network behavior monitor main page, click the bar of a URL category in the URL category hit
count rank chart and select URL from the pop-up menu; a new page showing the URL hit count
rank of the specified URL category appears. The data in the drill-down sub-page is organized in
the same way as on the details page (excluding the trend page).

Trend Page
In a bar chart, click a bar and select Trend, and the trend page of the selected factor appears. HSM
uses line charts to show the trend over time for multiple factors.
Real-time Trend Monitor (Method 1)
To monitor a URL category/URL on a device in real-time, take the following steps:

1. On the network behavior monitor main page, click the Select Device (Group) button and select
a device in the Select Device (Group) dialog.

2. In the main page or details page, click a bar and select Trend.

3. In the trend page, select Real-time from the drop-down list in the upper-right corner.

Real-time Trend Monitor (Method 2)

To monitor a URL category/URL on a device in real-time, take the following steps:

1. In the main page or details page, click a bar and select Device.

2. In the device rank bar chart, click a bar and select Trend from the pop-up menu.

3. In the trend page, select Real-time from the drop-down list in the upper-right corner.

Drill-down in Trend Page


In the current trend page, if further information based on user/IP is available, you can get it with
the drill-down function. HSM uses bar charts to show the user/IP rank of the URL category/URL
hit count.
To view the drill-down sub-page of the trend chart, take the following steps:

1. In the main page or details page, click a bar and select Trend.

2. In the trend chart, click a statistics value.

3. The dialog showing the user/IP rank appears.

MyMonitor
The MyMonitor function enables you to view the important monitor statistics easily and con-
veniently. The charts added to MyMonitor are organized by monitor groups (there is a default
monitor group named Default Group), and all the charts in one group are displayed on one page.
One monitor group can contain 10 charts at most, and at most 10 monitor groups can exist. The
default group (Default Group) cannot be deleted.

Adding to MyMonitor
To add a monitor chart to MyMonitor, take the following steps:

1. Most of the monitor pages have the Add to MyMonitor button in the upper-right corner. Click
this button, and the Add To MyMonitor dialog appears.

2. Select a monitor group from the MyMonitor Group drop-down list. The chart will be added
to the group specified here.

3. Type a name for the added chart in the MyMonitor Name text box.

4. Click OK to save the changes and close the dialog.

Creating a New Monitor Group


To create a new monitor group, take the following steps:

1. Log in to HSM, select Monitor > MyMonitor to expand the monitor group, and click one of
the monitor groups.

2. In the main window, click the Monitor group config button and the dialog appears.

3. Type a name for the new monitor group in the Name text box.

4. Click Add Group to save the changes and close the dialog.

Deleting a Monitor Group


To delete a monitor group, take the following steps:

1. Log in to HSM, select Monitor > MyMonitor.

2. Click the Monitor group config button and the dialog appears.

3. Select the group and click the Delete button, and the Confirm dialog pops up.

4. Click OK.

Viewing Information in MyMonitor


To view the information in MyMonitor, take the following steps:

1. Log in to HSM, select Monitor > MyMonitor to expand the monitor group.

2. Select a monitor group and the charts added to the selected monitor group are displayed in
the main window.

VPN
The HSM system not only shows VPN statistics of the managed devices on the VPN Monitor
page, but also quickly delivers VPN configurations to the devices that need to join the network
through the VPN Network configuration.

VPN Monitor
The VPN statistics are organized into the Overview page (VPN traffic ranking and VPN traffic
trend), Tunnel page, Tunnel Link page, WAN Link page, Topology page and Map page.

Overview
Click VPN > VPN > Overview to enter the device VPN traffic statistics page. This page shows
the VPN traffic statistics information of all managed devices, including total VPN traffic ranking
(bar chart) and total traffic trend (line chart).
Device Rank by Total VPN Traffic
The system uses the bar chart to show the device ranking by total VPN traffic. You can click the
button to view the enlarged bar chart.

VPN 551
You can select devices to be shown in the chart, specify the statistical time period, specify Top X
shown in the chart, and view the tunnel traffic trend/rank of a single device.
To specify the devices whose statistics will be shown, take the following steps:

1. Click Add Legend Item under the line chart, a dialog box with all managed devices appears.

2. Select the devices you want from the dialog box. Use the search function to find the desired
device from the upper-right corner if necessary.

3. Click anywhere outside the dialog box to close it. The selected devices will be shown on
the line chart.

HSM supports pre-defined time periods. You can specify the time period by configuring the options
in the upper-right corner.

: The drop-down list of pre-defined time periods. The menu items are described
as below:

l Latest 5 Minutes: Shows the statistics of the latest 5 minutes.

l Latest 15 Minutes: Shows the statistics of the latest 15 minutes.

l Latest 1 Hour: Shows the statistics of the latest 1 hour.

l Latest 1 Day: Shows the statistics of the latest 1 day.

l Latest 1 Week: Shows the statistics of the latest 1 week.

l Latest 1 Month: Shows the statistics of the latest 1 month.

To specify Top X shown in the chart, take the following steps:

: Top X filter drop-down list. Options are:

l TOP10: Shows statistical information of top 10 devices.

l TOP20: Shows statistical information of top 20 devices.

l Custom: Show statistical information of a customized number of devices. You can specify the
number by selecting devices from the Add Legend Item dialog.

To view the tunnel traffic trend/ranking page, select a bar and click VPN Traffic Rank.

You can select tunnels to be shown in the chart, specify the statistical time period, and specify
Top X shown in the chart.
To select tunnels, take the following steps:

1. Click Add Legend Item under the line chart, a dialog box with all tunnels appears.

2. Select the tunnels you want from the dialog box. Use the search function in the upper-right
corner to find the desired tunnel if necessary.

3. Click anywhere outside the dialog box to close it. The selected tunnels will be shown on the
line chart.

HSM supports pre-defined time periods. You can specify the time period by configuring the options
in the upper-right corner.

: The drop-down list of pre-defined time periods. The menu items are described
as below:

l Latest 5 Minutes: Shows the statistics of the latest 5 minutes.

l Latest 15 Minutes: Shows the statistics of the latest 15 minutes.

l Latest 1 Hour: Shows the statistics of the latest 1 hour.

l Latest 1 Day: Shows the statistics of the latest 1 day.

l Latest 1 Week: Shows the statistics of the latest 1 week.

l Latest 1 Month: Shows the statistics of the latest 1 month.

To specify Top X shown in the chart, take the following steps:

: Top X filter drop-down list. Options are:

l TOP10: Shows statistical information of top 10 tunnels.

l TOP20: Shows statistical information of top 20 tunnels.

l Custom: Shows statistical information of a customized number of tunnels. You can specify the
number by selecting tunnels from the Add Legend Item dialog.

Device Total VPN Traffic Trend


The system uses a line chart to show the total VPN traffic trend of all managed devices.

You can select devices to be shown in the chart, specify the statistical time period, and view the
tunnel traffic trend/rank.
To specify the devices whose statistics will be shown, take the following steps:

1. Click Add Legend Item under the line chart, a dialog box with all managed devices appears.

2. Select the devices you want from the dialog box. Use the search function to find the desired
device from the upper-right corner if necessary.

3. Click anywhere outside the dialog box to close it. The selected devices will be shown on
the line chart.

HSM supports pre-defined time periods. You can specify the time period by configuring the options
in the upper-right corner.

: The drop-down list of pre-defined time periods. The menu items are described
as below:

l Latest 5 Minutes: Shows the statistics of the latest 5 minutes.

l Latest 15 Minutes: Shows the statistics of the latest 15 minutes.

l Latest 1 Hour: Shows the statistics of the latest 1 hour.

l Latest 1 Day: Shows the statistics of the latest 1 day.

l Latest 1 Week: Shows the statistics of the latest 1 week.

l Latest 1 Month: Shows the statistics of the latest 1 month.

To view the tunnel traffic trend/rank chart, select a value point on the line chart, click VPN
Traffic Trend.

You can select tunnels to be shown in the chart, and specify the statistical time period.

To select tunnels, take the following steps:

1. Click Add Legend Item under the line chart, a dialog box with all tunnels appears.

2. Select the tunnels you want from the dialog box. Use the search function in the upper-right
corner to find the desired tunnel if necessary.

3. Click anywhere outside the dialog box to close it. The selected tunnels will be shown on the
line chart.

HSM supports pre-defined time periods. You can specify the time period by configuring the options
in the upper-right corner.

: The drop-down list of pre-defined time periods. The menu items are described
as below:

l Latest 5 Minutes: Shows the statistics of the latest 5 minutes.

l Latest 15 Minutes: Shows the statistics of the latest 15 minutes.

l Latest 1 Hour: Shows the statistics of the latest 1 hour.

l Latest 1 Day: Shows the statistics of the latest 1 day.

l Latest 1 Week: Shows the statistics of the latest 1 week.

l Latest 1 Month: Shows the statistics of the latest 1 month.

Tunnel
Click VPN > VPN > Tunnel to enter the tunnel statistics page. This page shows a table with
detailed tunnel information. Options of the table are described as below:

VPN Name: Shows the tunnel name. Click the tunnel name to enter the traffic trend/traffic rank
page of the tunnel.

Comment: Click the button after Comment, or click the configured VPN comment, and the VPN
Comment dialog appears. You can add a comment or edit the configured comment for the tunnel.
HSM clears the configured comment only when the managed device is deleted from HSM.
Notes: Users can only view VPN comments on HSM; VPN comments are not deployed to managed
devices.

Status: Shows the current status of the tunnel:

l : Connected.

l : Disconnected.

Peer IP: Shows the IP address of the peer.

Received Rate (bps): Shows the received traffic rate of the tunnel interface.

Sent Rate (bps): Shows the sent traffic rate of the tunnel interface.

Created At: Shows the time when the tunnel was created.

Keep Online/Offline: If the tunnel is connected, shows how long the tunnel has been connected.
If the tunnel is disconnected, shows how long the tunnel has been disconnected.

Re-connecting Times: Shows the number of times the tunnel has re-connected. Click the number
in the cell, and the Reconnection Time dialog appears, where you can check the detailed
re-connection information of the tunnel for a specified time period.

VPN Type: Shows the type of the tunnel. Only IPSec VPN is supported in this version.

Device Name: Shows the name of the device the tunnel belongs to. Click the device name to enter
the VPN traffic trend/VPN traffic rank page.

Algorithm: Shows the algorithms used by the tunnel (protocol, encryption, authentication,
compression).

Latency: Shows the time consumed between sending a packet and receiving the response.

Packet Loss Rate: Shows the packet loss rate of the tunnel.

Description: Shows the description of the tunnel.

The search function is supported for you to find the desired information. The search conditions
are listed above the tunnel table, and you can find information according to your own
requirements.

l Search: Search for tunnels by VPN Name, VPN comment, Device Name, Peer IP, and Tun-
nel Status.

l Reset: Click Reset to clear all search conditions.

Tunnel Link page

After enabling the link status monitor function for the devices in the VPN network, you can view
the tunnel link statistics through HSM. Click VPN > VPN > Tunnel Link to enter the tunnel
link statistics page. This page shows a table with the detailed tunnel link information of the
managed devices within the last 1 minute. Options of the table are described as below:

Tunnel Interface (tunnel name): Shows the tunnel interface name (IKE name). Click the tunnel
interface name to enter the tunnel details page. By default, the system displays trend charts of the
tunnel details within the last 5 minutes, including the Delay Trend, Jitter Trend, Loss Rate Trend,
Upstream Traffic Trend, Downstream Traffic Trend, and Total Traffic Trend. You can specify a
different statistical period for the tunnel details at the top right corner of the page:

l : Select the radio button, and select a statistical period from the drop-down list, including
Real-time, Latest 5 Minutes, Latest 15 Minutes, Latest 1 Hour, Latest 1 Day, Latest 1 Week,
and Latest 1 Month. Real-time indicates the latest 5 seconds.

l : Select the radio button, and customize a statistical period by specifying the start time and
the end time in the Custom dialog box.

srcDevice/WAN: Shows the name of the source device/WAN port.

dstDevice/WAN: Shows the name of the destination device/WAN port.

Status: Shows the current status of the tunnel:

l : Connected.

l : Disconnected.

Upstream Traffic (bps): Shows the upstream traffic rate of the tunnel.

Downstream Traffic (bps): Shows the downstream traffic rate of the tunnel.

Total Traffic (bps): Shows the total traffic rate of the tunnel.

Latency (ms): Shows the time consumed between sending a packet and receiving the response via
the tunnel.

Jitter (ms): Shows the jitter between packets sent via the tunnel link.

Packet Loss Rate (%): Shows the packet loss rate of the tunnel.

The search function is supported for you to find the desired information. The search conditions
are listed above the tunnel link table, and you can find information according to your own
requirements.

l Search: Search for tunnel links by Tunnel Name, srcDevice, and Tunnel Status.

l Reset: Click Reset to clear all search conditions.
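The Tunnel Link table above reports latency, jitter, packet loss rate and status per tunnel, and the Topology page later turns a tunnel orange when an alarm rule fires. The following added example (not Hillstone code) computes those metrics from raw probe samples over one monitoring window and evaluates a simple alarm rule; how HSM probes tunnels and which alarm rules it applies are not described here, so the sample format, the Probe/LinkMetrics types and the THRESHOLDS values are assumptions.

```python
"""Added example, not Hillstone code: derive the Tunnel Link metrics HSM shows
(latency, jitter, packet loss rate, status) from constructed probe samples and
evaluate an assumed alarm rule per tunnel."""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class Probe:
    tunnel: str               # tunnel interface name (IKE name)
    rtt_ms: Optional[float]   # None when no reply arrived, i.e. the probe was lost


@dataclass
class LinkMetrics:
    tunnel: str
    latency_ms: float         # mean round-trip time of the answered probes
    jitter_ms: float          # mean absolute difference between consecutive RTTs
    loss_rate_pct: float      # lost probes / all probes, in percent
    status: str               # "Connected" or "Disconnected"


# Assumed alarm thresholds; HSM's alarm rules are configured per tunnel and
# are not documented on this page.
THRESHOLDS = {"latency_ms": 200.0, "jitter_ms": 50.0, "loss_rate_pct": 5.0}


def compute_metrics(probes: List[Probe]) -> Dict[str, LinkMetrics]:
    """Aggregate one monitoring window (e.g. the last 1 minute) per tunnel."""
    by_tunnel: Dict[str, List[Optional[float]]] = {}
    for p in probes:
        by_tunnel.setdefault(p.tunnel, []).append(p.rtt_ms)

    metrics: Dict[str, LinkMetrics] = {}
    for name, rtts in by_tunnel.items():
        answered = [r for r in rtts if r is not None]
        loss_pct = 100.0 * (len(rtts) - len(answered)) / len(rtts)
        if not answered:
            # Every probe in the window was lost: report the tunnel as down.
            metrics[name] = LinkMetrics(name, 0.0, 0.0, loss_pct, "Disconnected")
            continue
        # Jitter is taken between consecutive *answered* probes, so a lost
        # probe in between does not inflate it.
        diffs = [abs(b - a) for a, b in zip(answered, answered[1:])]
        jitter = float(mean(diffs)) if diffs else 0.0
        metrics[name] = LinkMetrics(name, float(mean(answered)), jitter,
                                    loss_pct, "Connected")
    return metrics


def evaluate_alarms(metrics: Dict[str, LinkMetrics]) -> Dict[str, List[str]]:
    """Return the alarm reasons per tunnel, as an Alarm Board would list them."""
    alarms: Dict[str, List[str]] = {}
    for name, m in metrics.items():
        reasons = []
        if m.status == "Disconnected":
            reasons.append("tunnel disconnected")
        else:
            for key, limit in THRESHOLDS.items():
                value = getattr(m, key)
                if value > limit:
                    reasons.append(f"{key} {value:.1f} exceeds {limit:.1f}")
        if reasons:
            alarms[name] = reasons
    return alarms


# Constructed sample window: four tunnels with different health profiles.
SAMPLE_PROBES: List[Probe] = (
    [Probe("tunnel1", r) for r in [20, 22, 21, 25, 23, 24, 22, 21, 20]]            # healthy
    + [Probe("tunnel2", None) for _ in range(10)]                                   # all lost
    + [Probe("tunnel3", r) for r in [50, 120, 40, 130, 45, 140, 50, 135, 48, 150]]  # jittery
    + [Probe("tunnel4", r) for r in ([30.0] * 9 + [None]) * 2]                     # 10% loss
)

if __name__ == "__main__":
    results = compute_metrics(SAMPLE_PROBES)
    for m in results.values():
        print(f"{m.tunnel:8} {m.status:12} latency={m.latency_ms:6.1f}ms "
              f"jitter={m.jitter_ms:5.1f}ms loss={m.loss_rate_pct:5.1f}%")
    for tunnel, reasons in evaluate_alarms(results).items():
        print(f"ALARM {tunnel}: {'; '.join(reasons)}")
```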

WAN Link page

After enabling the link status monitor function for the devices in the VPN network, you can view
the WAN link statistics through HSM. Click VPN > VPN > WAN Link to enter the WAN link
statistics page. This page shows a table with the detailed WAN link information of the managed
devices within the last 1 minute. Options of the table are described as below:

Device Name: Shows the name of the managed device. Click the device name to enter the WAN
link details page. By default, the system displays trend charts of the link details within the last
5 minutes, including the Delay Trend, Jitter Trend, Loss Rate Trend, Upstream Traffic Trend,
Downstream Traffic Trend, and Total Traffic Trend. You can specify a different statistical period
for the link details at the top right corner of the page:

l : Select the radio button, and select a statistical period from the drop-down list, including
Real-time, Latest 5 Minutes, Latest 15 Minutes, Latest 1 Hour, Latest 1 Day, Latest 1 Week,
and Latest 1 Month. Real-time indicates the latest 5 seconds.

l : Select the radio button, and customize a statistical period by specifying the start time and
the end time in the Custom dialog box.

WAN Name: Shows the name of the WAN port.

Internet Access: Shows the Internet access method of the device.

Status: Shows the current status of the WAN port:

l : Connected.

l : Disconnected.

Upstream Traffic (bps): Shows the upstream traffic rate of the tunnel.

Downstream Traffic (bps): Shows the downstream traffic rate of the tunnel.

Total Traffic (bps): Shows the total traffic rate of the tunnel.

Latency (ms): Shows the time consumed between sending a packet and receiving the response via
the tunnel.

Jitter (ms): Shows the jitter between packets sent via the tunnel link.

Packet Loss Rate (%): Shows the packet loss rate of the tunnel.

The search function is supported for you to find the desired information. The search conditions
are listed above the WAN link table, and you can find information according to your own
requirements.

l Search: Search for WAN links by Device Name.

l Reset: Click Reset to clear all search conditions.

Topology
Click VPN > VPN > Topology to view the VPN topology of the monitored devices. At present,
only IPSec VPN can be monitored in the system.

A line between two devices means a tunnel has been built between them. You can check whether
there is an alarm by the tunnel color. When the tunnel is gray, the tunnel is normal; hover the
mouse over the tunnel to view the loss rate and latency of the tunnel in both directions. When
the tunnel is orange, there are alarms on the tunnel; hover the mouse over the tunnel to view the
loss rate and latency in both directions and the alarm rule.
Hover the mouse over a device to check the device name and the CPU and memory utilization.
"Unknown Device" means the device has not registered with HSM. When there is a cloud icon on
the topology, some devices are hidden. Click the cloud icon to enlarge the topology and view the
hidden devices.
You can operate on the topology as follows:

l Add to Center Nodes: When there are a large number of tunnels on the topology, you can specify
one or more devices as the center nodes of the VPN topology. All devices are then laid out
according to the center nodes, and the devices specified as center nodes are placed at the same
level of the VPN. The device with the most tunnels is the default center node. Right-click the
device and select Add to Center Nodes, and the device will be set as a center node. Repeat the
above operation to add more devices as center nodes. A center node can be deleted from the
center node list, but at least one center node must remain.

l Hide Node: You can hide devices in the topology. Right-click a device, select Hide Node, and
unselect the devices to be hidden in the pop-up dialog. To show a device again, right-click on
the blank space and select the device to be shown in the pop-up dialog. All devices are selected
by default.

l Auto Layout: Select Auto Layout > Circle/Tree(vertical)/Tree(horizontal), and the devices and
tunnels will be laid out in that order. You can also click the button to return the topology to the
previous layout. When you log in again, the topology shows the latest layout.

l Back to Center: Click Back to Center or the icon to display the topology in the center of the
page.

l Batch Mode: Click Batch Mode to select batch devices and move.

l Search: Type the device name into the search box, and the searched device will be highlighted
and displayed in the center of the topology.

l Alarm Board: Click Alarm Board to view the monitored object, alarm reason and handling
status:

l Alarm Source: Displays the alarmed tunnel.

l Reason: Displays the alarm reason. Double-click the tunnel to locate it in the topology.

l Handle: Click the icon to view the detailed alarm reason and handling status. Write the
handling method and result in Comment, and the alarm will be marked as handled. Handled
alarms are removed from the Alarm Board.

l Scale up topology: When there is a cloud icon in the topology, some devices are hidden. Click
the "+" button, double-click the cloud icon, or scroll the mouse wheel to scale up the topology.

l Move topology: Hold the mouse to move the topology.

l Full Screen: Click Full Screen and display the topology in the full screen. Click Exit to exit
the full screen mode.

Map
Log into HSM, click VPN > VPN > Map to display the VPN link information of the managed
device with location.
The shade of the background color indicates the number of devices in this province. The more
devices you have, the darker the color. When a VPN link is disconnected in the province, the
color of the provincial node icon is displayed in red.

l Click "+" to enlarge the map, click "-" to zoom out the map, and click the icon to restore the
original state.

l Click to view map in full screen mode, click to exit full screen mode.

l The list on the right shows the device status of each province and municipality, including the
number of devices and the number of offline devices. Click a provincial node to view the
detailed information of its devices, including the device name, status, software version,
address, and device platform. Enter keywords in the search box to search for a specific city
or district. Click the icon to return to the previous map.

l Click a provincial area or icon in the map, or click a geographic location in the right list, to
drill down to the map of the province and check the distribution of devices in the province.
The list on the right shows device information for the cities in the province, including the
number of devices and the number of offline devices. Click a city-level node to view the
detailed information of its devices, including the device name, status, software version,
address, and device platform. Enter keywords in the search box to search for a specific
device by device name or address. Click the icon to return to the previous map.

l Click a line to view the link information between the two nodes, including the link name and
connection status. Click "+" to view detailed information of the specified link. When the link
is disconnected, click the icon in the Edit column to delete the specified link.

Lines

VPN links are represented by the connection lines between provincial nodes or municipal nodes.
The colors of the connection lines have the following meanings:

l Red: Indicates that the status of all links is abnormal.

l Yellow: Indicates that the status of some links is abnormal.

l Green: Indicates that the status of all links is normal.

l Bold: If you click the line, it will become bold, which means this line is selected. The list on
the right side of the page displays information about all links between the current nodes.

VPN Network
The HSM system supports VPN network configuration, which helps users quickly establish a VPN
network and deliver configurations during ZTP deployment. Currently, the system only supports
star network configuration.

Star Network
A star network connects many devices point-to-point through a central device (HUB), which is
easy to maintain and manage. The system supports single HUB mode and dual HUB mode.
To create a star network, take the following steps:

1. Select VPN > VPN Network > Star Network.

2. Click New and the Star Network dialog pops up.

3. In the Basic Configuration tab, configure the corresponding options.

Name: Specifies the name of the VPN network.

Description: Specifies the description of the VPN network.

4. In the HUB Configuration tab, configure the corresponding options.

HUB Mode: Specifies the HUB mode. Select one or two HUB devices as needed.

HUB Configuration

HUB Device: Select the HUB device in the drop-down list. Note:

l Only an online device can be specified as the HUB device.

l Devices that have already been assigned can no longer be specified as HUB devices.

HUB WAN Mode: Specifies the WAN interface mode of the HUB device as needed: single WAN
interface or dual WAN interface mode.

HUB WAN: Specifies the WAN interface of the HUB device, the corresponding carrier, and the
tunnel address pool.

l Physical Interface: Select the name of the interface in the drop-down list.

l Public Mapping IP: Specifies the IP address of the VPN peer device. If the HUB device is behind
a NAT device, you need to type in the translated IP address.

l Operator: Select the operator in the drop-down list, including China Telecom, China Unicom,
China Mobile and Other.

l Tunnel Address Pool: Select the tunnel address pool in the drop-down list. Click Edit to edit the
start IP, end IP, reserved start IP and reserved end IP.

More Config

P1 Proposal: Specifies the P1 proposal in the drop-down list.

P2 Proposal: Specifies the P2 proposal in the drop-down list.

Auto-generation of Pre-shared Key: Select the Auto-generation of Pre-shared Key check box to
generate a random string automatically as the pre-shared key. When unchecked, type the key
manually.

5. Click OK.
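The HUB WAN settings above (physical interface, Public Mapping IP, operator, tunnel address pool with a reserved range) and the auto-generated pre-shared key are the inputs HSM pushes to each spoke. The following added example (not Hillstone code) models them in Python and shows the checks a practitioner would expect before deployment: the reserved range must lie inside the pool, spoke tunnel addresses are handed out around it, a HUB behind NAT must not be given an RFC 1918 mapping address, and the PSK comes from a CSPRNG. The TunnelAddressPool/HubWan types, the allocation order and every check are assumptions; HSM's own validation is not described on this page.

```python
"""Added example, not Hillstone code: validate the HUB WAN settings of a star
network and plan per-spoke tunnel addresses plus an auto-generated PSK."""
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Operators offered on the HUB WAN form.
OPERATORS = {"China Telecom", "China Unicom", "China Mobile", "Other"}
# RFC 1918 ranges: a HUB behind NAT must present its translated address, not one of these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class TunnelAddressPool:
    start_ip: str
    end_ip: str
    reserved_start_ip: str
    reserved_end_ip: str

    def validate(self) -> None:
        start, end = ipaddress.ip_address(self.start_ip), ipaddress.ip_address(self.end_ip)
        rstart = ipaddress.ip_address(self.reserved_start_ip)
        rend = ipaddress.ip_address(self.reserved_end_ip)
        if start > end or rstart > rend:
            raise ValueError("address range is reversed")
        # Assumption: the reserved range is carved out of the pool, so it must lie inside it.
        if rstart < start or rend > end:
            raise ValueError("reserved range is outside the tunnel address pool")

    def allocate(self, count: int) -> List[str]:
        """Hand out `count` tunnel addresses in ascending order, skipping the reserved range."""
        self.validate()
        rstart = ipaddress.ip_address(self.reserved_start_ip)
        rend = ipaddress.ip_address(self.reserved_end_ip)
        addr, end = ipaddress.ip_address(self.start_ip), ipaddress.ip_address(self.end_ip)
        out: List[str] = []
        while addr <= end and len(out) < count:
            if not (rstart <= addr <= rend):
                out.append(str(addr))
            addr += 1
        if len(out) < count:
            raise ValueError(f"pool exhausted: only {len(out)} of {count} addresses free")
        return out


@dataclass
class HubWan:
    physical_interface: str
    public_mapping_ip: str      # address the spokes build their tunnels to
    operator: str
    pool: TunnelAddressPool
    behind_nat: bool = False    # True: public_mapping_ip must be the translated address

    def validate(self) -> None:
        if self.operator not in OPERATORS:
            raise ValueError(f"unknown operator {self.operator!r}")
        ip = ipaddress.ip_address(self.public_mapping_ip)
        if self.behind_nat and any(ip in net for net in RFC1918):
            raise ValueError("HUB is behind NAT: Public Mapping IP must be the translated address")
        self.pool.validate()


def generate_psk(nbytes: int = 32) -> str:
    """Auto-generated pre-shared key from the OS CSPRNG (never random.random())."""
    return secrets.token_urlsafe(nbytes)


def plan_star_network(hub_wans: List[HubWan], spokes: List[str],
                      psk: Optional[str] = None) -> Dict[str, dict]:
    """Assign each spoke a tunnel address on every HUB WAN and the shared PSK."""
    if not 1 <= len(hub_wans) <= 2:   # single or dual WAN interface mode
        raise ValueError("a HUB has one or two WAN interfaces")
    for wan in hub_wans:
        wan.validate()
    psk = psk or generate_psk()
    per_wan = {wan.physical_interface: wan.pool.allocate(len(spokes)) for wan in hub_wans}
    plan: Dict[str, dict] = {}
    for i, spoke in enumerate(spokes):
        plan[spoke] = {
            "psk": psk,
            "tunnels": {wan.physical_interface: {"peer": wan.public_mapping_ip,
                                                 "tunnel_ip": per_wan[wan.physical_interface][i]}
                        for wan in hub_wans},
        }
    return plan


# Constructed sample: dual-WAN HUB, first link behind NAT, three spoke devices.
SAMPLE_HUB = [
    HubWan("ethernet0/0", "203.0.113.10", "China Telecom",
           TunnelAddressPool("10.10.0.1", "10.10.0.20", "10.10.0.1", "10.10.0.5"), behind_nat=True),
    HubWan("ethernet0/1", "198.51.100.7", "China Unicom",
           TunnelAddressPool("10.20.0.1", "10.20.0.20", "10.20.0.1", "10.20.0.5")),
]

if __name__ == "__main__":
    for spoke, cfg in plan_star_network(SAMPLE_HUB, ["branch-a", "branch-b", "branch-c"]).items():
        print(spoke, cfg["tunnels"])
```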

You can also perform other operations:

l Edit: Select the star network to be edited, and click Edit to modify the configuration in the
dialog. Note: Once a branch device has been added to the network, only the name and description
of the network can be modified.

l Delete: Select the star network to be deleted, and click Delete to delete the configuration in
the dialog. Note: Once a branch device has been added to the network, the network cannot be
deleted.

l Select a star network entry from the network list to view its details under the list, including
the name and status of the HUB device and spoke devices. In the HUB device area, click
Detail to view the information of the WAN interface.

Mesh Network
A mesh network connects the headquarters device and the HUB devices to provide an automatic
VPN network between the headquarters and the HUB devices.

Creating a Mesh Network

To create a mesh network, take the following steps:

1. Select VPN > VPN Network > Mesh Network.

2. Click New and the New dialog pops up.

3. In the Basic Configuration tab, configure the corresponding options.

Option: Description

Name: Specifies the name of the VPN network.

Description: Specifies the description of the VPN network.

More Config

P1 Proposal: Specifies the P1 proposal in the drop-down list.

P2 Proposal: Specifies the P2 proposal in the drop-down list.

Auto-generation of Pre-shared Key: Select the Auto-generation of Pre-shared Key check box to generate a random string automatically as the pre-shared key. When unchecked, manually type the key.

4. Click OK.

You can also perform the following operations:

• Edit: Select the mesh network to be edited and click Edit to modify the configuration in the dialog. Note: The name of the network cannot be edited. When there are devices in the network, the configuration under More Config cannot be edited.

• Delete: Select the mesh network to be deleted and click Delete to delete the configuration in the dialog. Note: When there is no device in the network, the network can be deleted.

• Deploy: Select the mesh network whose configuration is to be deployed and click Deploy to deploy the network configuration and generate the corresponding deploy task. Click the icon to view the deploy record of the specified network.

Adding/Deleting a Network Device

You can add or delete devices in the mesh network, and add or delete non-interconnected VPN connection devices for a specified device. In the list of mesh networks, select the entry to be edited and view the details of the network under the list.

• Click Refresh to refresh the information of the network devices.

• Click Edit to add or delete devices in the mesh network, and to add or delete non-interconnected VPN connection devices for a specified device.

• Click Topology View or Grid View to change the chart.

To add a network device, take the following steps:

1. Click Edit in the network detail area.

2. Click Add Device in the All Devices area and the Device Network Configuration dialog
pops up.

3. Select the devices needed to add to the network in the Device drop-down list.

4. Select the mode for the WAN port: single WAN interface or dual WAN interface mode.

5. Specify the WAN interface of the device, including the physical interface, public mapping IP and operator.

6. Click OK.

To delete a network device, take the following steps:

1. Click Edit in the network detail area.

2. Select the device to be deleted in the All Devices area and click Delete Device.

To add a non-interconnected VPN connection device for a specified device, take the following steps:

1. Click Edit in the network detail area.

2. In the All Devices area, select the device for which a non-interconnected VPN connection device is to be added, then click Add in the non-interconnected VPN connection area; the Add dialog pops up.

3. Select the devices and click to add them to the right pane.

4. Click OK.

To delete a non-interconnected VPN connection device for a specified device, take the following steps:

1. Click Edit in the network detail area.

2. Select the device to be deleted in the non-interconnected VPN connection area and click Delete.

Network Topology

In the network detail area, click Topology View to view the topology of the mesh network.

• Click the drop-down list and select Circle Layout or Spring Layout.

• Hover your mouse over a device until "+" appears, then drag the line to the unconnected device to add an interconnection relationship between the specified devices.

• Select a line, right-click and select Delete to delete the connection relationship between the specified devices.

• Click Edit and then click Add Device to add a network device in the Device Network Configuration dialog. Right-click a device and select Delete to delete the specified device.

• Click Full Screen to view the network topology in full screen, and click Exit Fullscreen to exit full screen mode.

Address Pool
To edit the address pool, take the following steps:

1. Click VPN > VPN Network > Star Network or VPN > VPN Network > Mesh Network.

2. Click the icon, and the Address Pool dialog pops up.

3. Select the address pool entry to be edited and click Edit.

4. In the Address Pool Configuration dialog, edit the start IP, end IP, reserved start IP and reserved end IP.

5. Click OK.

Introduction to the Alarm Function
HSM monitors network performance around the clock and sends an alarm notification to inform users when an abnormality occurs. After receiving an alarm, you can decide how to proceed according to the alarm contents.
For more information about the alarm function, see the following:

• Alarm

• Alarm Rule


Introduction to Alarm
When an alarm event occurs, HSM generates an alarm message. HSM collects alarm messages, which help you know the status of devices.
All alarm messages are shown on the Alarm page. The related topics of Alarm are shown below:

• Searching Alarm Information

• Alarm Analysis

Searching Alarm Information


When an alarm rule event occurs, HSM generates an alarm message. HSM collects alarm messages, which help you know the status of devices. The system automatically cleans up alarm information every 7 days, and keeps up to 90 days of alarm data.
The configurations of this page include:

• Searching Alarm Information

• Reading Alarm Information

Searching Alarm Information

To search alarm information, take the following steps:

1. Click Alarm from the level-1 navigation pane.

2. Select Alarm Search from the alarm navigation pane, the alarm window will show all the
alarm information.

3. Specify the searching conditions.

Searching Condition: Description

Device: Search the alarm information that includes the specified device name.

Alarm Rule: Search the alarm information that matches the specified alarm rules.

Level: Search the alarm information that matches the specified level.

Alarming Time: Search the alarm information that matches the specified alarming time. It can be user-defined.

Status: Search the alarm information that matches the specified alarm status.

Read Time: Search the alarm information that matches the specified read time of the alarm rules.

Read by: Search the alarm information that matches the specified users who read the rules.

Comment: Search the alarm information that matches the specified comments.

Reason: Search the alarm information that matches the specified alarm reason.

4. Click Search, and the alarm window will show all the alarm information that matches the specified conditions.

Reading Alarm Information

Reading alarm information includes two actions: reading the message and adding a comment.
Use one of the following methods to read alarm information:

• To read one or multiple alarm messages, select the check box of each alarm message and select Read Selected; the Add Comment dialog appears. Type the comment and then click OK.

• To read all the alarm messages, select Read All; the Add Comment dialog appears. Type the comment and then click OK.

Alarm Analysis
HSM provides the alarm analysis function, which shows device statistics or a time trend analysis.
The configurations of this page include:

• Device Analysis

• Trend Analysis

Device Analysis

To view the device analysis, take the following steps:

1. Click Alarm from the level-1 navigation pane to enter the alarm page.

2. Select Alarm Analysis > Device Analysis from the alarm navigation pane. This page shows the number of alarms per device as a bar chart.

3. Specify searching conditions to view the number of alarms that match the specified conditions.

Searching Condition: Description

Status: Search the alarm information that matches the specified alarm status.

Ranking: Search the alarm information on the Top 5/10/15/50 devices ranked by alarm count.

Alarm Rule: Search the alarm information that matches the specified alarm rules.

Alarming Time: Search the alarm information that matches the specified alarming time. It can be user-defined.

4. To view the statistics of alarm severity for one device, click the bar chart of this device and select Level in the pop-up menu.

5. In the pie chart on the right side, click a color of alarm severity, and the table below will show the alarm information for this severity.

6. Use one of the following ways to read alarm status information:

• Click the Status column in the table, and the Add Comment dialog appears. Type the alarm reason and comment in the text box and then click OK.

• To batch process multiple alarms, select the check boxes before the alarm information and then click the Read Selected button on the top of the table; the Add Comment dialog appears. Type the alarm reason and comment in the text box and then click OK.


Trend Analysis

The alarming time trend line chart shows how the number of alarms changes over a period.
To view the alarm trend analysis, take the following steps:

1. Click Alarm from the level-1 navigation pane.

2. Select Alarm Analysis > Trend Analysis from the alarm navigation pane, and the alarm trend analysis page appears.

3. Specify searching conditions to view the alarm trend analysis that matches the specified conditions.

Searching Condition: Description

Level: Search the alarm information that matches the specified level.

Status: Search the alarm information that matches the specified alarm status.

Device: Search the alarm information that includes the specified device name.

Alarm Rule: Search the alarm information that matches the specified alarm rules.

Alarming Time: Search the alarm information that matches the specified alarming time.

4. Use one of the following ways to read alarm status information:

• Click the Status column in the table, and the Add Comment dialog appears. Type the alarm reason and comment in the text box and then click Confirm.

• To batch process multiple alarms, select the check boxes before the alarm information and then click the Read Selected button on the top of the table; the Add Comment dialog appears. Type the alarm reason and comment in the text box and then click Confirm.


Introduction to the Alarm Rule
An alarm rule defines the condition under which an alarm is generated. HSM raises alarms according to the specified alarm rules, and the administrator handles the event after the alarm.
For more information about the alarm rule, see the following:

• Configuring the Alarm Rule

Configuring the Alarm Rule


An alarm rule defines the condition under which an alarm is generated. HSM raises alarms according to the specified alarm rules, and the administrator handles the event after the alarm. HSM provides multiple alarm rule types, including resource, status, traditional threat, intelligent threat, VPN and other. You can use predefined and user-defined rules.
The configurations of this page include:

• Viewing a Predefined Alarm Rule

• Creating a User-defined Alarm Rule

• Editing an Alarm Rule

• Configuring an Alarm Email Recipient

• Enabling/Disabling an Alarm Rule

• Deleting an Alarm Rule

• Emptying Recycle Bin

Viewing a Predefined Alarm Rule

HSM provides multiple predefined alarm rules. Every predefined rule can be modified, and the modified rule takes effect.
To view a predefined alarm rule, take the following steps:


1. Click Alarm from the level-1 navigation pane to enter the alarm page.

2. Select Alarm Rule > Predefined from the alarm navigation pane.

3. Select the type of the alarm rule, and the alarm window will show you the predefined alarm
rule list.

4. Click the name of the predefined rule in the alarm window.

5. Configure the alarm rule as follows:

Rule Name: Shows the alarm rule name. A predefined rule name cannot be modified.
Description: Type the description of the rule.
Trigger: Specify the condition that triggers the alarm. When HSM detects such an event on the selected device, it generates an alarm message. Only some rules need a trigger condition.
Device: Select the device to which the alarm rule applies from the drop-down list. Rules of the intelligent threat type can only be applied to NIPS devices.
Action: HSM can take the following actions when an alarm occurs:

• Only alarm.

• Besides alarming, HSM can send an alarm email or SMS message to the specified recipient. (Select the check box before Send via Email or Send via SMS, click New, and configure the recipient name, Email, Mobile Phone and Comment in the Send via Email dialog.)

6. Click OK to finish configurations.

Creating a User-defined Alarm Rule

To create a user-defined alarm rule, take the following steps:

1. Select Alarm Rule > User-defined from the alarm navigation pane.

2. Click New in the alarm window.

3. Configure the alarm rule as follows:

Rule Name: Shows the alarm rule name. A predefined rule name cannot be modified.
Description: Type the description of the rule.
Trigger: Specify the condition that triggers the alarm. When HSM detects such an event on the selected device, it generates an alarm message. Only some rules need a trigger condition.
Device: Select the device to which the alarm rule applies from the drop-down list. Rules of the intelligent threat type can only be applied to NIPS devices.
Action: HSM can take the following actions when an alarm occurs:

• Only alarm.

• Besides alarming, HSM can send an alarm email or SMS message to the specified recipient. (Select the check box before Send via Email or Send via SMS, click New, and configure the recipient name, Email, Mobile phone and Comment in the Send via Email dialog.)

4. Click OK to finish configurations.

Editing an Alarm Rule

To edit an alarm rule that has already been created, take the following steps:

1. In the alarm window of the Alarm Rule page, select the rule you want to modify.

2. Modify it according to your needs.

3. Click OK to save your changes.

Configuring an Alarm Recipient

To manage the email or SMS recipients who receive HSM alarms, take the following steps:

1. In the alarm window of the Alarm Rule page, click Send via Email.

2. In the Send via Email dialog, use one of the methods below:

• Click New, and then specify the recipient name, Email, Mobile phone and comment in the text boxes.

• Select the check box before the recipient you want to delete, and then click Delete. (If a recipient is referenced by an alarm rule, the recipient cannot be deleted.)


Enabling/Disabling an Alarm Rule

Only an enabled alarm rule takes effect; a disabled rule does not.
To enable/disable an alarm rule, take the following steps:

1. In the alarm window of the Alarm Rule page, select the checkbox before the rule you want
to enable/disable.

2. Click Enable or Disable in the toolbar.

3. In the Submit dialog, click OK.

Deleting an Alarm Rule

Only the user-defined alarm rule can be deleted.


To delete an alarm rule, take the following steps:

1. Select Alarm Rule > All Rules > User-defined from the alarm navigation pane.

2. Select the checkbox before the rule you want to delete.

3. Click Delete in the toolbar.

4. In the Submit dialog, click OK.

Notes:
• The alarm rule is stored in the Recycle Bin after being deleted. You can click Restore in the Recycle Bin page to restore the rule to its original place, or click Delete in the Recycle Bin page to permanently delete the rule.

• If an alarm rule is permanently deleted, all the alarm information that matched the rule is deleted at the same time.


Emptying Recycle Bin

All the deleted rules are stored in the recycle bin. To delete rules permanently, take the following
steps:

1. Select Alarm Rule > Recycle Bin from the alarm navigation pane.

2. Click Empty from the toolbar.

3. Click OK.

Notes:
If an alarm rule is permanently deleted, all the alarm information that matched the rule is deleted at the same time.



Introduction to Report
HSM provides rich and vivid reports that allow you to analyze device status, network access and
user behaviors comprehensively by all-around and multi-dimensional statistics and charts. HSM
can generate periodical reports daily, weekly, monthly and quarterly, and the statistic granularity
can be minute, hour and day. Reports can be rendered in HTML, PDF or Word files, and mailed
to specified recipients. At the time of writing HSM supports nearly 100 statistic items, including
traffic, AV, IPS, network behavior, VPN, system, etc. These items can be categorized as below:

• Traffic: Traffic information for the specified devices, zones, interfaces, applications, users or time range.

• Network threat: Network threat information about AV, IPS and attack defense.

• Network behavior: Network behavior information about Internet surfing and IM.

• VPN: IPSec VPN traffic ranking and VPN disconnection statistics.

• System: CPU, memory and session information for the managed devices.

Note that the above items may not be available on all devices. Check the actual page of your system to see which of these items your device provides.
For more information about reports, see the following chapters:

• Report File

• Report Template

• Server


Introduction to Report File
Report files, the final display of statistics and analysis, are designed to show the statistics of
device status, network traffic, user behaviors, etc. in form of chart and table combination.
HSM introduces three main concepts for the report: report template, report file and report sched-
ule. Report template and report schedule are the basis for the generation of report files and define
all the contents in the report files; report schedule is a part of the report template that defines the
generation cycle and life cycle of report files; report file shows the statistic result in form of charts
and tables. The statistic items of a report file rely on the configuration of the corresponding report
template, and the generation time relies on the corresponding report schedule.
For more information about report files, see the following chapters:

• Viewing a Report File

• Managing a Report File

Viewing a Report File


Report files show the statistic results in the form of charts and tables. The contents, generation time and file format of a report file rely on the configuration of the corresponding report template.
To view a report file in the system, take the following steps:

1. Select Report from the Level-1 navigation pane to enter the report page.

2. In the report navigation pane, click Report Summary > File Collection to list all the report
files in the system in the report window, as shown below:

3. By default the report files are sorted by the time of creation. Click the column name to sort
by the file name of the corresponding template, time of creation and author name of the cor-
responding template; click the column name again to sort the report files in the reversed
order.

4. To search for a report file by keywords, type a keyword into the searching box in the tool-
bar, and press Enter. All the report files that contain the keyword will be listed in the report
window.

5. Expand a report category and double-click the file name to view the report in a new browser
window, as shown below:

6. A report file consists of left and right panes. Report items are listed in the left pane; contents are listed in the right pane, including the basic information, template modification history, and charts and tables. Click an item in the left pane to jump to the corresponding details in the right pane.

To view a deleted report file, click Report Summary > Deleted Files in the report navigation
pane, and repeat Step 3 to Step 6 above.

Notes: By default the report categories are not expanded. Each category may contain several report files. Only 100 report files can be listed on one page, so there may be more categories on other pages. To view the categories that are not listed on the current page, click the Next button on the lower right.

Managing a Report File


Report file shows the statistic result in form of charts and tables. You can download, delete or
restore a report file.
The configurations of report file management include:

• Downloading a Report File

• Deleting a Report File

• Restoring a Report File

• Deleting a Report File Permanently

Downloading a Report File

HSM can generate report files in PDF or HTML format. The file format is specified in the Output
of the file's template.
To download a report file in the system, take the following steps:

1. Select Report to enter the report page.

2. In the report navigation pane, click Report Summary > File Collection to list all the report
files in the system in the report window. By default the report files are sorted by the time of
creation.

3. Take one of the following operations:

• To download a report file, click the icon under the File Type column (one icon each indicates HTML, PDF or WORD format), and download the file to your local disk as prompted.

• To batch download multiple report files, select the checkboxes for the files, click Download in the toolbar, and download the compressed file package to your local disk as prompted. The file format in the package is specified in the Output of the file's template.

Deleting a Report File

To delete a report file in the system, take the following steps:

1. Select Report from the Level-1 navigation pane to enter the report page.

2. In the report navigation pane, click Report Summary > File Collection to list all the report
files in the system in the report window. By default the report files are sorted by the time of
creation.

3. Select the checkbox for the report file (or checkboxes for multiple report files) to be deleted, and click Delete in the toolbar.

4. In the OK dialog, click OK to delete.

Notes: The deleted files are moved to Report Summary > Deleted Files.

Restoring a Report File

You can restore a deleted report file if the file is not cleared. To restore a deleted report file, take
the following steps:

1. Select Report from the Level-1 navigation pane to enter the report page.

2. In the report navigation pane, click Report Summary > Deleted Files to list all the deleted
report files in the report window.

3. Select the checkbox for the report file (or checkboxes for multiple report files) to be restored, and click Restore in the toolbar.

4. In the OK dialog, click OK to restore.

Deleting a Report File Permanently

The deleted files are moved to Report File > Deleted Files, and can be restored anytime. For
more details, see Restoring a Report File.
To delete a deleted report file permanently, take the following steps:

1. Select Report from the Level-1 navigation pane to enter the report page.

2. In the report navigation pane, click Report Summary > Deleted Files to list all the deleted
report files in the report window.

3. Select the checkbox for the report file (or checkboxes for multiple report files) to be
cleared, and click Delete in the toolbar.

4. In the OK dialog, click OK to delete the file permanently.

You can also click Clear in the toolbar and then click OK in the OK dialog to delete all the
deleted files permanently.

Notes: Report files that are deleted permanently cannot be restored. Take this oper-
ation with caution.

Introduction to Report Template
Report templates, the basis for the generation of report files, define all the contents in the report
files, including statistic items, chart format, schedule, output format, etc.
HSM report templates consist of predefined and user-defined templates. Predefined templates are
built in HSM and categorized by analysis contents. Nearly 100 report items in the predefined tem-
plates cover analysis data in traffic, network, network behaviors, VPN, system, etc. User-defined
templates are created by users as needed.
Note that some items in predefined templates can be only displayed in the report of NIPS
devices, such as Security Risk Summary, Risk Type Summary and Security Risk Detail.
For more information about the configuration of report template, see the following pages:

• Configuring a Report Template

• Managing a Report Schedule

Configuring a Report Template


Report templates, the basis for the generation of report files, define all the contents in the report
files, including statistic items, chart format, data time, schedule, output format, etc.
HSM report templates consist of predefined and user-defined templates. Predefined templates are
built in HSM, but you cannot run the predefined template to generate a report file directly; user-
defined templates are created by users as needed, and you can run the user-defined template to
generate a report file directly.
Note that some items in predefined templates can be only displayed in the report of NIPS and
IDS devices, such as Security Risk Summary, Risk Type Summary and Security Risk Detail.
The configurations of report template include:

• Creating a User-defined Template

• Editing a User-defined Template

• Deleting a User-defined Template

• Restoring a User-defined Template

• Deleting a User-defined Template Permanently

Creating a User-defined Template

HSM provides a template wizard to help you create a user-defined template. You can create a report template step by step as prompted by the wizard.
To start the template wizard, take the following steps:

1. Select Report from the Level-1 navigation pane to enter the report page.

2. In the report navigation pane, click Report Template > Existed to list all the user-defined
templates in the report window.

3. Click Add in the toolbar to start the template wizard.

You can also edit a predefined template to create a user-defined template. In the report navigation
pane, click the predefined template to be edited to start the template wizard.
To create a report template, you need to complete eight steps in different wizard tabs. After completing one step, click Next to go to the next step. Options and notices in each step are shown below:

Basic

This tab contains the basic information of the report template, and will be shown in the first page
of the report file. Configure options as below:

Option description:
Name: Specify the name of the template.
Company: Specify the company name in the report file.
Created by: Specify the creator of the template.
Description: Add description for the template.

Device

Select the analysis devices. Configure options as below:


Devices: Select one or more checkboxes for the devices to include the device(s) in the report file for statistics. If Item is configured as "NBM", the system can generate report files for VSYS devices.
Counting Type: Select Include Total Sum of Devices to count each device individually; select Not Include Total Sum of Devices to count each device and the total sum of all the selected devices. Only when you choose Include Total Sum of Devices can the system show the Security Risk Summary, Risk Type Summary or Security Risk Detail of the NIPS devices.

Data Time

Configure statistic time range and frequency as below:


Data Time: Specify the data time for the statistics. Click Latest and select a time range from the
drop-down list which can be 1 day, 1 week, 1 month or 3 months; click Period and specify the
start time and end time of statistics.

Item

Report item, the key component of a report, defines the statistic contents. HSM contains nearly
100 built-in report items, covering analysis data in traffic, network, network behaviors, VPN, sys-
tem, etc. A report template can contain multiple report items.
To add a report item to the template, take the following steps:

1. Expand a report item category node in the left All box, select a category to list all the items
in the category in the Available box.

2. Select an item and click Add, or click Add All. All the selected report item categories will
be listed in the Selected box. To delete an item, select the item (or press Ctrl and left-click
to select multiple items) and click Delete, or click Delete All to delete all the items.

Notes: You need to select at least one report item, otherwise you can neither go to
the next step nor save the template.

Item Options

Configure the following detailed options for each report item under the tab:
Basic: Shows the title and description of the report item (editable). Select the checkbox for Show the above chart to show the description above the chart.
Filter: The filter options vary by report item. By default the report item counts all the objects of the selected devices. To edit a filter parameter, see the filter parameter description below.
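
The Include / Not Include precedence that the filter table below describes (an entry listed under both tabs is excluded, and an empty Include list means everything is counted), as an added Python example that is not Hillstone code; the traffic record format, the dash syntax for IP ranges and the sum_traffic helper are assumptions made for the illustration:

```python
"""Include / Not Include filter semantics for HSM report items.

Added illustration (not Hillstone code): it mirrors the rule stated in the
user guide's filter table. With no Include entries everything is counted;
Include entries restrict counting to the listed IPs/ranges; Not Include
entries always exclude, even when the same IP is also listed under Include.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

IpRange = Tuple[int, int]


def parse_ip_spec(spec: str) -> IpRange:
    """Parse '10.0.0.5' or '10.0.0.1-10.0.0.20' (assumed syntax) into an
    inclusive integer range."""
    parts = spec.split("-", 1)
    lo = int(ipaddress.ip_address(parts[0].strip()))
    hi = int(ipaddress.ip_address(parts[-1].strip()))
    if lo > hi:
        raise ValueError(f"range start after end: {spec}")
    return lo, hi


class SrcIpFilter:
    """Include / Not Include lists as configured under Filter > Src IP."""

    def __init__(self, include: Iterable[str] = (), not_include: Iterable[str] = ()):
        self.include: List[IpRange] = [parse_ip_spec(s) for s in include]
        self.not_include: List[IpRange] = [parse_ip_spec(s) for s in not_include]

    @staticmethod
    def _in_any(ip_int: int, ranges: List[IpRange]) -> bool:
        return any(lo <= ip_int <= hi for lo, hi in ranges)

    def counts(self, ip: str) -> bool:
        """True when traffic from `ip` is included in the statistics."""
        ip_int = int(ipaddress.ip_address(ip))
        # Not Include wins: an address listed under both tabs is excluded.
        if self._in_any(ip_int, self.not_include):
            return False
        # No Include entries means the default: count all sources.
        if not self.include:
            return True
        return self._in_any(ip_int, self.include)


def sum_traffic(records, src_filter: SrcIpFilter,
                sent: bool = True, received: bool = True) -> Dict[str, int]:
    """Sum bytes per source IP, honouring the Src IP and Direction filters.

    `records` are (source IP, "sent"|"received", bytes) tuples (assumed format).
    """
    wanted = {d for d, on in (("sent", sent), ("received", received)) if on}
    totals: Dict[str, int] = {}
    for src, direction, nbytes in records:
        if direction in wanted and src_filter.counts(src):
            totals[src] = totals.get(src, 0) + nbytes
    return totals


# Constructed sample records (source IP, direction, bytes); not real device data.
SAMPLE_RECORDS = [
    ("10.1.1.5", "sent", 1000),
    ("10.1.1.5", "received", 400),
    ("10.1.1.9", "sent", 250),
    ("10.1.2.7", "sent", 900),
    ("192.168.0.3", "received", 700),
]


def example() -> Dict[str, int]:
    """Include 10.1.1.1-10.1.1.254 but list 10.1.1.9 under Not Include as well;
    count sent traffic only. 10.1.1.9 is dropped because Not Include wins."""
    f = SrcIpFilter(include=["10.1.1.1-10.1.1.254"], not_include=["10.1.1.9"])
    return sum_traffic(SAMPLE_RECORDS, f, sent=True, received=False)


if __name__ == "__main__":
    print(example())  # {'10.1.1.5': 1000}
```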

Parameter Description

Application By default the system counts all the application traffic of the
selected devices (all the checkboxes are not selected).
To only count traffic of the specified application, select Applic-
ation under Filter; under the Not Include tab, select the applic-
ations that will not be included in the traffic statistics. If an

Introduction to Report 603


Parameter Description

application is selected under the Include and Not Include tabs


simultaneously, the traffic of the application will not be
included in traffic statistics.

Direction By default the system counts both the sent and received traffic
of the selected devices.
To only count the sent traffic, select the checkbox for Sent
Traffic, and clear the checkbox for Received Traffic; to only
count the received traffic, select the checkbox for Received
Traffic, and clear the checkbox for Sent Traffic.

Zone By default the system counts all the zone traffic of the selec-
ted devices (all the checkboxes are not selected).
To only count traffic of the specified zone, select Zone under
Filter; under the Not Include tab, select the zones that will
not be included in the traffic statistics. If a zone is selected
under the Include and Not Include tabs simultaneously, the
traffic of the zone will not be included in traffic statistics.

Interface By default the system counts all the interface traffic of the
selected devices.
To only count traffic of the specified interface, select Inter-
face under Filter; under the Not Include tab, select the inter-
faces that will not be included in the traffic statistics. If an
interface is selected under the Include and Not Include tabs
simultaneously, the traffic of the interface will not be included
in traffic statistics.

Src IP By default the system counts traffic from all users.

Introduction to Report 604


Parameter Description

To only count traffic from the specified user, select Src IP


under Filter; under the Include tab, specify the IP or IP range,
and click Add. Under the Not Include tab, specify the IP or IP
range that not be included in the traffic statistics, and click
Add. If a user is selected under the Include and Not Include
tabs simultaneously, the user will not be included in attack stat-
istics.

Attacker By default the system counts attacks from all sources.


To only count attacks from the specified source, select
Attacker under Filter; under the Not Include tab, specify the
IP or IP range that will not be included in the attack statistics,
and click Add. If a source is selected under the Include and
Not Include tabs simultaneously, the source will not be
included in attack statistics.

Dst IP By default the system counts attacks against all destination IPs.
To only count traffic against the specified IP, select Dst IP under Filter; under the Include tab, specify the IP or IP range, and click Add. Under the Not Include tab, specify the IP or IP range that will not be included in the attack statistics, and click Add. If a destination IP is selected under the Include and Not Include tabs simultaneously, the IP will not be included in attack statistics.

Attack By default the system will count all attacks.
To only count the specified attack, under the Include tab, type the attack name into the text box and click Add; under the Not Include tab, type the attack name that will not be included in the attack count into the text box and click Add.

Level Specify the severity of attacks which can be High and above,
Middle and above and Low and above.

URL By default the system counts accesses to all URLs.
To only count accesses to the specified website, select URL under Filter; under the Include tab, type the URL into the text box, and click Add. Under the Not Include tab, repeat the above steps to specify the URL that will not be included in URL access statistics. If a URL is specified under the Include and Not Include tabs simultaneously, the URL will not be included in URL access statistics.

IM By default the system counts all IM chats, including QQ, MSN, 9158 and Fetion.
To only count the specified IM chat, select IM under Filter, and select the IM software in the right box.

Username By default the system counts traffic of all VPN users.
To only count traffic of the specified VPN user, select Username under Filter; under the Include tab, type the username into the text box, and click Add. Under the Not Include tab, repeat the above steps to specify the VPN user that will not be included in traffic statistics. If a username is specified under the Include and Not Include tabs simultaneously, the VPN user will not be included in the traffic statistics.

Time Specify the time range of statistics. By default the time range is the same as the schedule defined in the report template.
To modify the time range of the report item, clear the checkbox for Inherit from Template, and select a time range within the time range specified by the report template.

Device Specify the object devices of statistics. By default the devices are the same as the devices defined in the report template. To count other devices, clear the checkbox for Inherit from Template, and select devices from the Counting Type box. In the Devices section, select Include Total Sum of Devices to count each device individually; select Not Include Total Sum of Devices to count each device and the total sum of all the selected devices.

Chart: Specify the number of ranking items in the tables and charts of reports. The system can show at most the Top 10 ranking items.
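The Include/Not Include precedence described for the Src IP, Dst IP and Attacker parameters, applied to constructed traffic records in an added Python example (not HSM's own code); the class and function names and the sample records are assumptions of the example.

```python
"""Include / Not Include filter for source or destination IPs.

Added example, not Hillstone's code. It models the rule the parameter
table states: with no Include entries every address is counted; an
address listed under Not Include is dropped, even if it is also listed
under Include. Entries may be a single IP or a 'start-end' range, as the
dialog accepts. Names and sample records are constructed for this example.
"""
from collections import Counter
from ipaddress import ip_address
from typing import Dict, Iterable, List, Tuple


def parse_ip_entry(entry: str):
    """'10.0.0.5' or '10.0.0.1-10.0.0.50' -> inclusive (low, high) address pair."""
    parts = [p.strip() for p in entry.split("-", 1)]
    low = ip_address(parts[0])
    high = ip_address(parts[-1])
    if low.version != high.version or low > high:
        raise ValueError(f"bad IP entry: {entry!r}")
    return low, high


class IpFilter:
    def __init__(self, include: Iterable[str] = (), not_include: Iterable[str] = ()):
        self.include = [parse_ip_entry(e) for e in include]
        self.not_include = [parse_ip_entry(e) for e in not_include]

    @staticmethod
    def _matches(addr, ranges) -> bool:
        # Version check first: comparing IPv4 with IPv6 objects raises TypeError.
        return any(lo.version == addr.version and lo <= addr <= hi
                   for lo, hi in ranges)

    def counts(self, ip: str) -> bool:
        """True if traffic from/to `ip` is included in the statistics."""
        addr = ip_address(ip)
        if self._matches(addr, self.not_include):
            return False  # Not Include wins, also for addresses listed in both tabs
        # An empty Include tab keeps the default of counting all addresses.
        return not self.include or self._matches(addr, self.include)


def bytes_per_source(records: Iterable[Tuple[str, int]], flt: IpFilter) -> Dict[str, int]:
    """Sum bytes per source IP over the records the filter lets through."""
    totals: Counter = Counter()
    for src, nbytes in records:
        if flt.counts(src):
            totals[src] += nbytes
    return dict(totals)


# Constructed sample traffic records: (source IP, bytes). Not real data.
SAMPLE_RECORDS: List[Tuple[str, int]] = [
    ("10.0.0.1", 500), ("10.0.0.5", 300), ("10.0.0.1", 200),
    ("10.0.1.9", 900), ("2001:db8::1", 50),
]
```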

Schedule

Report schedule specifies the time range during which the corresponding report template will take effect. During the time range specified by the report schedule, the system generates report files continuously. A report template can contain multiple report schedules.
To add a report schedule to the report template, take the following steps:

1. Under the Schedule tab, click Add. In the New dialog, configure the options as below:

Generation Cycle: Specify the generation cycle of report files, which can be daily, weekly, monthly, quarterly or one-time.
Effective: Specify the start time and end time of the schedule. Select No End to make the template take effect forever.
Delete Schedule after End Date: Select the checkbox to delete the schedule after the end date.
Generated at: Specify the date and time the report file is generated.

2. Click OK to save the settings. The schedule is enabled by default.

You need to select at least one schedule, otherwise you will neither be able to go to the next step
nor save the template.

Output

Output specifies the format of report files and the destination the report files will be sent to. Configure the options as below:

File Format: Select the format of the report file, which can be PDF, HTML or Word. You need to select at least one file format, otherwise you will neither be able to go to the next step nor save the template.
Send via Email: Select the checkbox to email the report files to the specified recipients.
There are two methods for adding recipients:
Method 1:
Enter the email address of the recipient into the Email text box and click Add; the added recipients will be displayed under the text box.
Method 2:

1. Click the Manage button. In the Email Configuration dialog, click Add.

2. In the Add dialog, enter the name, email and comments of the recipient and click OK.

3. Close the dialogs and click Recipient.

4. In the Recipient dialog, select the recipient from the list and click OK; the added recipients will be displayed under the text box.

If you need to delete an added recipient, click the icon.

Send via Email Text: Select the checkbox to edit the email title and text. If the checkbox is not selected, the system sends the default title and text.

- Title: Enter the email title, ranging from 1 to 120 characters. The item is required if the function is enabled.

- Text: Enter the mail text, ranging from 1 to 500 characters. The item is optional. If it is not specified, the system sends the default text.

Send via FTP: Select the checkbox to send the report files to an FTP server.
Server Name/IP: Type the server name or IP address.
Username: Type the username to log into the FTP server.
Password: Type the password to log into the FTP server.
Anonymous: Select the checkbox to log into the FTP server anonymously (only applicable to FTP servers that allow anonymous login).
Path: Type the file path for the report files.
Test: Click the button to test whether the FTP server is available.

Sample

Sample is used to demonstrate the report file based on the template. To view a sample, take the following steps:

1. Click Generate Sample to generate.

2. When the system prompts "Generation succeeded", click View Sample to view the report
file.

Editing a User-defined Template

To edit a user-defined report template, take the following steps:

1. Select Report from the Level-1 navigation pane to enter the report page.

2. In the report navigation pane, click Report Template > Existed to list all the user-defined
templates in the report window.

3. Double-click the report template to be edited, and edit options under each tab.

4. Click Save to save the settings.

Notes: To preview the report file based on the configured template, click Generate Now on the upper-left to generate a report file immediately. Click Report File > File Collection and double-click the report file with the name specified in the template to open the report file in a new window of your web browser.

Deleting a User-defined Template

To delete a user-defined report template, take the following steps:

1. Select Report from the Level-1 navigation pane to enter the report page.

2. In the report navigation pane, click Report Template > Existed to list all the user-defined
templates in the report window.

3. Select the checkbox for the template to be deleted, and click Delete.

4. In the OK dialog, click OK to delete. If any report file has been generated based on this
template, also select the checkbox for Delete Report Files Generated by This Schedule.

Restoring a User-defined Template

To restore a deleted user-defined report template, take the following steps:

1. Select Report from the Level-1 navigation pane to enter the report page.

2. In the report navigation pane, click Report Template > Deleted to list all the deleted templates in the report window.

3. Select the checkbox for the template to be restored, and click Restore.

4. In the OK dialog, click OK to restore.

Notes: To also restore the report files deleted along with the template, see the steps
described in Restoring a Report File.

Deleting a User-defined Template Permanently

The deleted report templates are moved to Report Template > Deleted. To delete a user-defined
report template permanently, take the following steps:

1. Select Report from the Level-1 navigation pane to enter the report page.

2. In the report navigation pane, click Report Template > Deleted to list all the deleted templates in the report window.

3. Select the checkbox for the template to be deleted permanently, and click Delete.

4. In the OK dialog, click OK.

You can also click Clear in the toolbar and then click OK in the OK dialog to delete all the
deleted report templates permanently.

Managing a Report Schedule
Report schedule defines the generation cycle and time of report files, and the time range during which the corresponding report template will take effect. The report schedule is configured under the Schedule tab of a report template, and cannot be created separately. A report template can contain multiple report schedules to facilitate report file management.
The configurations of report schedule include:

- Adding a Report Schedule

- Viewing a Report Schedule/Report Schedule Running Log

- Deleting a Report Schedule

- Enabling/Disabling a Report Schedule

Adding a Report Schedule

For more details about how to add a report schedule when creating a report template, see Schedule in Creating a User-defined Template.
To add a report schedule to an existing report template, click Report Template > Existed in the
report navigation pane, and double-click the report template. Create a report schedule under the
Schedule tab.

Viewing a Report Schedule/Report Schedule Running Log

You can view the running log of a report schedule and report template, including the running log of the report schedule, and the details, running log and modification history of the report template.
To view the running log of a report template and report schedule, take the following steps:

1. Select Report from the Level-1 navigation pane to enter the report page.

2. In the report navigation pane, click Report Schedule to list all the report schedules by category in the report window.

3. To view the details of a report template, click the name of the template and then click a tab below. The details, running logs and modification history of the template are shown under the corresponding tab. To view the running logs of a report schedule, expand a template and click the report schedule. The running log of the report schedule is shown under the tab below.

Deleting a Report Schedule

Report schedule is configured under the Schedule tab of a report template. If a report schedule is
deleted, the schedule in the corresponding report template will be deleted as well.
To delete a report schedule, take the following steps:

1. Select Report from the Level-1 navigation pane to enter the report page.

2. In the report navigation pane, click Report Schedule to list all the report schedules by category in the report window.

3. Expand a report template and select the checkbox for the report schedule to be deleted.
Click Delete.

4. In the OK dialog, click OK to delete.

When editing a report template, you can also click Delete under the Schedule tab to delete the
report schedule.

Enabling/Disabling a Report Schedule

To enable/disable a report schedule, take the following steps:

1. Select Report from the Level-1 navigation pane to enter the report page.

2. In the report navigation pane, click Report Schedule to list all the report schedules by category in the report window.

3. Expand a report template and select the checkbox for the report schedule to be enabled/disabled. Click Enable/Disable.

4. In the OK dialog, click OK.

When editing a report template, you can also click Enable/Disable under the Schedule tab to
enable/disable the report schedule.

Report Server
NIPS devices support the Report Server function. By specifying the names and IP addresses of intranet servers, a report with the security risk summary and security risk detail items selected will display the reports of these servers.

Configuring Servers
To configure the servers, take the following steps:

1. Select Report > Report Server.

2. Click Add. The Server Configuration dialog appears.

Configure the following settings:

Option Description

Name Enter the name of servers.

Member Specify the IP addresses of the servers.

Add Click Add to add these servers.

3. Click OK.

In the generated reports, you can search for the name of the servers you specified to view the corresponding information.


Introduction to Log
HSM collects log information in real time, centralizes its storage and maintenance, and provides multiple query combinations for viewing the various types of log information. By default, HSM can store up to the last 90 days of log information (when there is enough storage). Currently, HSM can manage logs of NGFW, IPS, ADC and WAF devices of Hillstone Networks.

Introduction to Log
This chapter covers Log and Old Version Log. How logs are handled after upgrading is listed in the table below.

HSM Version Description

Before version 2.5R2, and logs have been collected by HSM: After upgrading to version 2.5R2 or above, you can manage the collected logs in Old Version Log. For the newly collected logs, you can search and export the logs in the Log module, and backup, import, and clean the logs in System > Log Backup Management.

Before version 2.5R2, and logs are not collected by HSM: After upgrading to version 2.5R2 or above, you can search and export the newly collected logs in Log, and backup, import, and clean the logs in System > Log Backup Management.

Version 2.5R2 or above: You can search and export the logs in Log, and backup, import, and clean the logs in System > Log Backup Management.

Log
The HSM system optimizes the log management function with a new method of searching, backing up, importing and cleaning logs. Logs are categorized as online logs, offline logs and operation logs.

Online/offline log types can be divided into the following:

- System log: Logs of the managed devices, including event logs, alarm logs, network logs and configuration logs.

- Threat log: Logs of intrusion and attack behaviors, including IPS logs, security logs, threat logs, web security logs and anti-defacement logs.

- NBC log: Logs related to the network behavior of managed devices, including URL logs, IM logs, webpost logs, email logs and FTP logs. URL logs, IM logs and webpost logs support binary and text format.

- Traffic log: Logs of traffic, including NAT logs, NAT444 logs, session logs, PBR logs and SLB logs.

- Other log: All other logs.

Operation log: HSM system logs, which record the local operation events of the HSM system.

Log Severity
Event logs are categorized into eight severity levels, and each level has its own color.

Severity Level Description

Emergencies 0 Identifies illegitimate system events.

Alerts 1 Identifies problems which need immediate attention, such as a device being attacked.

Critical 2 Identifies urgent problems, such as hardware failure.

Errors 3 Generates messages for system errors.

Warnings 4 Generates messages for warnings.

Notifications 5 Generates messages for notices and special attention.

Informational 6 Generates informational messages.

Debugging 7 Generates all debugging messages, including daily operational messages.

(The Log Color column of the original table shows a color swatch per level; the swatches are not reproduced in this text.)

Related Topics:
For more information about the Log function, see the following:
Introduction to Log Window
Searching Logs

Introduction to Log Window

The Log main page is in the Level-1 Navigation Pane, as shown below.

Level-1 Navigation Pane

The Level-1 navigation pane displays the general function modules, including Dashboard, Device, Configuration, Monitor, VPN, Alarm, Report, Log and System.

Log Navigation Pane
The log navigation pane has three tabs: online log, offline log and operation log. Click a tab, and the right pane shows the corresponding log messages.

Log Filter
Searching is available for online and offline logs, not for operation logs. You may input values for filters and keywords to query results that match your criteria.

Option Description

Search Box Enter keywords, or click a filter name to insert it into the search box. When you hover your mouse over the tips icon, search tips are shown; after a query is done, click the bookmark icon to save it as a bookmark; click the history icon to view the history and bookmarks. If Auto open is selected, the history and bookmarks open automatically when you use the search box.

Time Range Select the time range of logs for your query.

Search Click this button to start searching.
Click the pause button to suspend an ongoing query.
Click the stop button to abort the ongoing query.
Click the Save button to save the search task. When you switch pages or make other queries, the task saved to run in the background keeps running. When a query takes a long time, you may click the Save & E-mail icon to put the query into the background; when the query is complete, you will receive an email notice.
Note: To send an email from HSM, you need to set up a mailbox first; refer to Configuring an Email Account.

For operation logs, you can search logs according to the filters below.

Option Description

Log Type Use the log type as a filter.

Operation type Search logs according to the user's action.

Operation result Use the result of a query as a filter, including success, unknown and failure.

Time Set the time range for logs.

Operator IP Search for logs of a specific IP address.

Search Click the button to start searching.

Log Chart
The number of logs over time is shown in a bar chart. You may view the detailed diagram by clicking a bar.

Toolbar
The toolbar contains operation icons.

Option Description

Export The system supports exporting logs to the local PC or to an FTP server. You can select Local Export or FTP Export in the Local Export drop-down list.

Column Customize your column list.

Merge Log The system can merge logs that have the same firewall or the same severity, which reduces the number of logs and avoids redundant entries.
- Select the merging type in the drop-down list:
  - Do not merge: Do not merge any logs.
  - FW: Merge the logs with the same firewall.
  - Severity: Merge the logs with the same severity.

Log Window
The log window shows the detailed log list. The log window may vary slightly between navigation panes.

Option Description

Received in The time when the log was received.

FW The device where the log was generated.

Severity The log severity.

Log The details of the log.

Searching Log Messages


You may view the online, offline and operation logs in HSM.

- Online log: logs that are received directly by HSM.

- Offline log: logs that are imported into HSM from another server. For more information about how to import the logs, see Log Import.

- Operation log: system logs of HSM itself.

HSM supports viewing logs by log type. You can set conditions to filter log messages, including FW, Generation Time, Severity, Category, Interface, Out Interface, Source Zone and Destination Zone.

Notes: You need to have the right to manage a device when searching its logs.

Online/Offline Log
The types of searching can be divided into the following:

- Temporary searching: Click the search button for direct local searching. The temporary search ends when you turn to other pages.

- Backstage searching: After a temporary search, click the backstage running button to create a backstage searching task. If you close the searching page or run other searches, the backstage searching task keeps running.

To search log messages, take the following steps:

1. Select Log from the level-1 navigation pane.

2. From the left Log Navigation Pane:

- Click Online Log to view online log messages.

- Click Offline Log to view offline log messages.

3. Select the log type you want to view.

4. In Log Filter, click a filter name, and input a value for this filter. You may select more than one filter.

5. You can quickly add filter conditions for the three types below:

- Filter by devices: Click the device name in the left navigation pane.

- Filter by log types: Click a log type in the left navigation pane.

- Filter by log contents: In the search box, enter the keyword you want to see in the log content.

6. Click Search, and the matched results are shown.

Notes:
- Hover your mouse over the icon to view search tips.

- To save your search filters, click the icon to store them in the bookmark tab (to the left of the search box).

- The history and collection can open automatically while you use the search box.

Operation Log
To view operation logs, take the following steps:

1. Select Log from the level-1 navigation pane. The log window appears.

2. From the left Log Navigation Pane, click Operation Log to view HSM system operation logs.

3. Choose the log types you want in the log navigation bar, set a filter condition in the filter bar, and then click Search. The logs meeting the requirements are shown in the log window.

- Log Type: Choose a log type from the drop-down list.

- Operation Type: Choose an operation type from the drop-down list.

- Operation Result: Choose an operation result from the drop-down list, including All, Waiting, Success and Failure.

- Time: Choose the generation time of logs from the drop-down list. You can also customize the time yourself.

- Operator IP: Type the IP address of HSM in the text box.

Exporting Logs
To export logs, take the following steps:

1. Select Log from the level-1 navigation pane and the log window appears.

2. In the log navigation bar, choose the log types and time to export, and then set the filter con-
ditions to filter logs.

3. Select "Export to local disk" or "Export to ftp server" from the drop-down list.

4. Configure the options as follows:

In the Export dialog box, configure the following options:

Option Description

Name Enter a file name for the export file.

File Format Select a format for the export file.

Range Select the pages to be exported. The format for specific pages is the page numbers separated by commas, for example, 1, 3, 5-9.

In the FTP Export dialog box, configure the following options:

Option Description

File Name Specifies the name of the forwarded file (compressed as a .zip file) in the text box. The custom file name '%Y%m%d%H%M_%T_%3i' consists of 'date and time + log type + file number', in which each placeholder means the following:

- %Y: year;
- %m: month;
- %d: day;
- %H: hour;
- %M: minute;
- %T: log type;
- %3i: file number; its length can be set between 1 and 9, e.g. %3i means 001, 002, 003, etc.

Export limitation Specifies the limitation for forwarding logs, including No Limit, Limit by file size and Limit by log count.
- No Limit: Different types of logs are stored in the corresponding folders;
- Limit by file size: Specify the size of a single file. The value range is 50 to 500 MB;
- Limit by log count: Specify the number of logs in a single file. The value range is 10 to 1000K.

FTP/SFTP Server Select the FTP server to store the forwarded log files from the drop-down list, and the corresponding FTP server settings are displayed. You can click Detection to verify the connection between HSM and the FTP server, or click FTP Config if you want to modify the FTP server settings.

5. Click OK to export the logs.
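The file-name placeholders from the FTP Export table, expanded in an added Python example (not HSM's own code): %Y %m %d %H %M from the timestamp, %T as the log type, and %Ni as a zero-padded file number with N from 1 to 9. The function names, the constructed sample time, and the assumption that the .zip suffix is added separately are this example's own.

```python
"""Expand the HSM FTP-export file name template.

Added example, not Hillstone's code. Supported placeholders are those the
guide lists: %Y %m %d %H %M (timestamp), %T (log type) and %Ni with N in
1..9 (zero-padded file number). Any other '%' sequence is rejected instead
of being passed through silently. The .zip suffix HSM applies to the
compressed file is assumed to be added elsewhere and is not part of the
returned name.
"""
import re
from datetime import datetime
from typing import List

# One token per placeholder: group 1 = width digit of %Ni, group 2 = a
# timestamp or log-type letter, group 3 = anything else (an error).
_TOKEN = re.compile(r"%(?:([1-9])i|([YmdHMT])|(.?))")

# Constructed sample timestamp for the demonstration below.
SAMPLE_TIME = datetime(2022, 12, 7, 9, 5)


def expand_export_filename(template: str, log_type: str,
                           file_number: int, when: datetime) -> str:
    """Return the base file name for one exported file (numbering starts at 1)."""
    if file_number < 1:
        raise ValueError("file numbers start at 1")

    def replace(match) -> str:
        width, field, bad = match.groups()
        if width is not None:
            w = int(width)
            if file_number >= 10 ** w:
                # %3i cannot represent file 1000; refuse rather than widen silently.
                raise ValueError(f"file number {file_number} does not fit %{w}i")
            return f"{file_number:0{w}d}"
        if field == "T":
            return log_type
        if field is not None:
            return when.strftime("%" + field)
        raise ValueError(f"unsupported placeholder %{bad!r} in {template!r}")

    return _TOKEN.sub(replace, template)


def export_file_names(template: str, log_type: str, count: int,
                      when: datetime) -> List[str]:
    """Names of the `count` files produced by one export run, numbered from 1."""
    return [expand_export_filename(template, log_type, n, when)
            for n in range(1, count + 1)]
```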

